Tue. Apr 30th, 2024

As the Israel-Hamas war continues, with Israeli troops moving into the Gaza Strip and encircling Gaza City, one piece of technology is having an outsized influence on how we see and understand the war. Messaging app Telegram, which has a history of lax moderation, has been used by Hamas to share gruesome images and videos. The content has then spread to other social networks and millions more eyeballs. Sources tell WIRED that Telegram has been weaponized to spread horrific propaganda.

Microsoft has had a rough few months when it comes to the company’s own security, with Chinese-backed hackers stealing its cryptographic signing key, continued issues with Microsoft Exchange Servers, and its customers being impacted by the failings. The company has now unveiled a plan to deal with the ever-growing range of threats. It’s the Secure Future Initiative, which plans, among several components, to use AI-driven tools, improve its software development, and shorten its response time to vulnerabilities.

Also this week, we’ve looked at the privacy practices of Bluesky, Mastodon, and Meta’s Threads as all the social media platforms jostle for space in a world where X, formerly known as Twitter, continues to implode. And things aren’t exactly great with this next generation of social media. With November arriving, we now have a detailed breakdown of the security vulnerabilities and patches issued last month. Microsoft, Google, Apple, and enterprise companies Cisco, VMWare, and Citrix all fixed major security flaws in October.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The Flipper Zero is a versatile hacking tool designed for security researchers. The pocket-size pen-testing device can intercept and replay all kinds of wireless signals—including NFC, infrared, RFID, Bluetooth, and Wi-Fi. That means it’s possible to read microchips and inspect signals being emitted from devices. Slightly more nefariously, we’ve found it can easily clone building-entry cards and read credit card details through people’s clothes.

Over the past few weeks, the Flipper Zero, which costs around $170, has been gaining some traction for its ability to disrupt iPhones, particularly by sending them into denial of service (DoS) loops. As Ars Technica reported this week, the Flipper Zero, with some custom firmware, is able to send “a constant stream of messages” asking iPhones to connect via Bluetooth to devices such as an Apple TV or AirPods. The barrage of notifications, which is sent by a nearby Flipper Zero, can overwhelm an iPhone and make it almost unusable.

“My phone was getting these pop-ups every few minutes, and then my phone would reboot,” security researcher Jeroen van der Ham told Ars about a DoS attack he experienced while commuting in the Netherlands. He later replicated the attack in a lab environment, while other security researchers have also demonstrated the spamming ability in recent weeks. In van der Ham’s tests, the attack only worked on devices running iOS 17—and at the moment, the only way to prevent the attack is by turning off Bluetooth.

In 2019, hackers linked to Russia’s intelligence service broke into the network of software firm SolarWinds, planting a backdoor and ultimately finding their way into thousands of systems. This week, the US Securities and Exchange Commission charged Tim Brown, the CISO of SolarWinds, and the company with fraud and “internal control failures.” The SEC alleges that Brown and the company overstated SolarWinds’ cybersecurity practices while “understating or failing to disclose known risks.” The SEC claims that SolarWinds knew of “specific deficiencies” in the company’s security practices and made public claims that weren’t reflected in its own internal assessments.

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” Gurbir S. Grewal, director of the SEC’s Division of Enforcement, said in a statement. In response, Sudhakar Ramakrishna, the CEO of SolarWinds, said in a blog post that the allegations are part of a “misguided and improper enforcement action.”

For years, researchers have shown that face recognition systems, trained on millions of images of people, can misidentify women and people of color at disproportionate rates. The systems have led to wrongful arrests. A new investigation from Politico, focusing on a year’s worth of face recognition requests made by police in New Orleans, has found that the technology was almost exclusively used to try to identify Black people. The system also “failed to identify suspects a majority of the time,” the report says. Analysis of 15 requests for the use of face recognition technology found that only one of them was for a white suspect, and in nine cases the technology failed to find a match. Three of the six matches were also incorrect. “The data has just about proven that [anti-face-recognition] advocates were mostly right,” one city councilor said.

Identity management company Okta has revealed more details about an intrusion into its systems, which it first disclosed on October 20. The company said the attackers, who had accessed its customer support system, accessed files belonging to 134 customers. (In these cases, customers are individual companies that subscribe to Okta’s services.) “Some of these files were HAR files that contained session tokens which could in turn be used for session hijacking attacks,” the company disclosed in a blog post. Those session tokens were used to “hijack” the Okta sessions of five separate companies. 1Password, BeyondTrust, and Cloudflare have all previously disclosed they detected suspicious activity, but it’s not clear who the two remaining companies are.
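The Okta incident turns on a detail worth making concrete: a HAR file is a JSON recording of browser traffic, and the Cookie, Set-Cookie and Authorization headers it captures carry live session material. The following is an added example, not Okta’s tooling or code from the article, showing how to redact those fields before a HAR file is shared with any support desk, and why a final check is still needed. The sample HAR, the host `example.invalid`, the token strings and the list of header names are all constructed for the example.

```python
import copy
import json

# Constructed sample HAR (not a real capture): one request to a placeholder host
# that carries a session cookie and a bearer token, with a token in the body too.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.invalid/api/v1/users/me",
                    "headers": [
                        {"name": "Cookie", "value": "sid=SESSION-TOKEN-PLACEHOLDER"},
                        {"name": "Authorization", "value": "Bearer BEARER-PLACEHOLDER"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "SESSION-TOKEN-PLACEHOLDER"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Set-Cookie", "value": "sid=NEW-SESSION-PLACEHOLDER; HttpOnly"},
                        {"name": "Content-Type", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "NEW-SESSION-PLACEHOLDER"}],
                    "content": {
                        "mimeType": "application/json",
                        # A token echoed in a response body is not a header and
                        # survives header-only redaction; the check below catches it.
                        "text": "{\"id\": 42, \"token\": \"BODY-TOKEN-PLACEHOLDER\"}",
                    },
                },
            }
        ],
    }
}

# Assumed default list of session-bearing headers; extend it for your own apps.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def sanitize_har(har):
    """Return a deep copy of a HAR 1.2 log with session-bearing fields redacted.

    Only cookie/authorization headers and the parsed cookies arrays are
    rewritten; URLs, status codes, timings and bodies are kept so the file
    remains useful for troubleshooting.
    """
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            for header in message.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in message.get("cookies", []):
                cookie["value"] = REDACTED
    return clean


def leaked_secrets(har, secrets):
    """Return the subset of `secrets` still present anywhere in the serialized HAR.

    A last check before sharing: a token can sit in a body, a query string or a
    custom header that field-level redaction does not know about.
    """
    text = json.dumps(har)
    return [secret for secret in secrets if secret in text]


if __name__ == "__main__":
    known = ["SESSION-TOKEN-PLACEHOLDER", "BEARER-PLACEHOLDER",
             "NEW-SESSION-PLACEHOLDER", "BODY-TOKEN-PLACEHOLDER"]
    cleaned = sanitize_har(SAMPLE_HAR)
    print("leaked before:", leaked_secrets(SAMPLE_HAR, known))
    print("leaked after: ", leaked_secrets(cleaned, known))
    print(json.dumps(cleaned, indent=2))
```

Run as a script, the second line reports that the body token is still present after header redaction, which is the point: redact the known fields, then grep the serialized file for every token you know was valid during the capture, and only then hand it over.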


By Admin
