AI
“ChatGPT Tainted Memories:” LayerX Discovers The First Vulnerability in OpenAI Atlas Browser, Allowing Injection of Malicious Instructions into ChatGPT (P)
They tested many phishing attacks; Atlas stopped only 6% of them, while Edge and Chrome stopped 50%. Other AI browsers (Comet, Dia, and Genspark) were similarly vulnerable. The effects of phishing were also larger, since a CSRF request can add malicious instructions to the ChatGPT history. This leaves persistent malware, like a rootkit, in ChatGPT, affecting future sessions.
Introducing Aardvark: OpenAI’s agentic security researcher
Aardvark continuously analyzes source code repositories to identify vulnerabilities, assess exploitability, prioritize severity, and propose targeted patches.
Google says Search AI Mode will know everything about you
In the future, AI Mode will pull details from your emails, documents, and other Google apps to give truly customized responses.
Politics
Tesla Regret Syndrome (Video)
ICE and CBP Agents Are Scanning Peoples’ Faces on the Street To Verify Citizenship
ICE has a new app called Mobile Fortify, which scans someone’s face and is built on a database of 200 million images. The app queries an unprecedented number of government databases to return the subject’s name, date of birth, alien number, and whether they’ve been given an order of deportation.
ICE officials have told us that an apparent biometric match by Mobile Fortify is a ‘definitive’ determination of a person’s status and that an ICE officer may ignore evidence of American citizenship—including a birth certificate—if the app says the person is an alien.
U.S. agencies back banning popular home WiFi device, citing national security risk
The Commerce Department has proposed barring sales of TP-Link products, citing a national security risk from ties to China.
Revealed: Israel demanded Google and Amazon use secret ‘wink’ to sidestep legal orders
The deals prohibit the US companies from restricting how Israeli agencies use their cloud services, even if they violate the terms of service. They also require the companies to send "wink" messages revealing the identity of any country to which they had been compelled to hand over Israeli data while being gagged from saying so. The "winks" were payments in amounts that contained the area code of the country.
Several experts described the mechanism as a “clever” workaround that could comply with the letter of the law but not its spirit. “It’s kind of brilliant, but it’s risky,” said a former senior US security official.
How a hacking gang held Italy’s political elites to ransom
Wiretaps and arrest warrants reveal the intricate plot to build a database of high-level secrets — and blackmail Italy’s rich and powerful.
Python rejects $1.5M grant from U.S. govt. fearing ethical compromise
Specifically, the terms required recipients to affirm that they would not operate programs that “advance or promote diversity, equity, and inclusion (DEI).” All PSF activities would be impacted by the clause, not just the grant-funded work, and a violation could permit requesting back the previously approved and transferred funds, creating a financial risk for the foundation.
OpenAI data suggests 1 million users discuss suicide with ChatGPT weekly
After police used Flock cameras to accuse a Denver woman of theft, she had to prove her own innocence
Chrisanna Elser spent days collecting evidence, from apps on her phone to dashcam footage in her vehicle, to prove her whereabouts.
Infosec
VPNs from Cisco and Citrix Riskiest Products for Ransomware: At-Bay Rankings Report
The two most prominent cyber threat vectors are email and remote access. These two threat vectors together accounted for 90% of cyber claims in 2024, when excluding incidents caused by third-party compromises or non-cyber events.
Email fraud is now one of the biggest drivers of losses, yet most security tools are still focused on phishing links and malware.
In 2024, 80% of ransomware attacks had a remote access tool as the entry vector, with 83% of those cases involving a VPN device. Businesses using on-premise VPN solutions are nearly 4X more likely to be a victim of a ransomware attack than those using a cloud-based VPN or no VPN at all.
Hacking India’s largest automaker: Tata Motors (P)
AWS keys in the source code of the website, unprotected API, other exposed secrets. Outrageous Security 101 errors.
Mazda shows a rotary hybrid concept for Tokyo with evolved design language
Ideas include algae-based fuels and capturing carbon from the exhaust while driving.
Leaker reveals which Pixels are vulnerable to Cellebrite phone hacking
GrapheneOS is much more secure.
Tap-and-Steal: The Rise of NFC Relay Malware on Mobile Devices
What began as just a few isolated samples has now expanded to more than 760 malicious apps observed in the wild.
Approximately 20 institutions have been impersonated, primarily Russian banks and financial services, but also organizations in Brazil, Poland, Czech Republic, and Slovakia.
Windows 11 KB5067036 update rolls out Administrator Protection feature
Administrator protection requires that a user verify their identity with Windows Hello integrated authentication before allowing any action that requires administrator privileges.
PhantomRaven: NPM Malware Hidden in Invisible Dependencies
By linking dependencies directly to URLs, the dependencies are hidden from the dependency analysis that most security tools rely on.