Items tagged with: CyberSecurity


The Guardian: ‘It’s dangerous and it’s going to erode trust’: redesign of US government websites stokes surveillance fears

The National Design Studio, staffed by Doge veterans, installed visitor-tracking software on vital federal websites

"...An opaque White House office staffed largely by veterans of Elon Musk’s “department of government efficiency” (Doge) has quietly rebuilt some of the federal government’s most sensitive websites – for passport applications, voter registration, prescription-drug pricing and children’s savings – in ways critics say appear to violate federal law...."

theguardian.com/us-news/2026/j…

#cybersecurity #privacy #bigbrother #doge #fascism




✈️ New Blog Post: Your Boarding Pass Is a Skeleton Key. Frontier Airlines Doesn't Care.

Frontier's mobile API returns full passport numbers, home addresses, children's DOB, credit card details, and KTNs for any booking. The only auth? A PNR and last name. Printed on every boarding pass.

Reported March 3rd. 105 days later, still live. They fixed the least important vuln and ghosted me on the rest. They also updated the website code and somehow made the leaks worse.

Full writeup: bobdahacker.com/blog/frontier-…

#InfoSec #BugBounty #ResponsibleDisclosure #FrontierAirlines #Security #CyberSecurity #Privacy #Aviation #PCIDSS #DataExposure



Oooh, AI performing at scale! /s

techhub.social/@Techmeme/11672…

#cybersecurity #AI #AIpocalypse


Docs: ~34K Instagram accounts, including Obama's White House account, were affected in the attack tied to Meta's AI chatbot; 3,500+ usernames were changed (New York Times)

nytimes.com/2026/06/09/technol…
techmeme.com/260609/p39#a26060…



@cvvhrn There should be a name for this (wiring up your cat/dog/etc. to scan for vulnerabilities). 🤔 #cybersecurity


404 Media: This Company Will Add Phone, AirPod, and Smartwatch Trackers to License Plate Readers

404media.co/this-company-will-…

#alpr #privacy #cybersecurity #bigbrother


Wired: Meta Silently Added Face-Recognition Code for Its Smart Glasses to Millions of Phones

Code reviewed by WIRED uncovered an unreleased face-recognition system embedded in Meta’s smart glasses platform. It’s designed to identify people via biometric data stored on users’ phones.

wired.com/story/meta-smart-gla…

#privacy #cybersecurity #meta


Coworker cloned himself in Gemini, so many people about to get scammed by people who look and sound like people they know, for sure. #cybersecurity


I complained on #reddit / #cybersecurity about Google logins post-apple-upgrade caring about whether I was near the home I’d never consented to them recording. Reddit bros thought I was a fool, but this is the flip side of that.


LOL Meta AI is hackable to change someone's registered email, classic.

infosec.exchange/@briankrebs/1…

#ai #aipocalypse #cybersecurity


New, by me: A number of high-profile and/or valuable Instagram accounts, including those of the Obama White House and the Chief Master Sergeant for the U.S. Space Force, got hacked and defaced with pro-Iran messaging in the past 24h after people figured out that Meta's AI support assistant could be tricked into resetting account passwords.

From the story:

"A video released on Telegram by pro-Iran hackers claimed to document a remarkably simple exploit that appears to have involved using a VPN connection with an IP address that is in or near the target's usual hometown, requesting a password reset for the account, and then choosing to chat with Meta's AI support assistant. From there, the video shows the attacker told the bot to link the account in question to a new email address, after which the bot dutifully sent that address a one-time code that allowed a password reset."

krebsonsecurity.com/2026/06/ha…

#meta #instagram #hack #ai #security



Malwarebytes: "A convincing fake website is impersonating OpenAI’s ChatGPT download page and infecting visitors with malware designed to steal passwords, browser data, cryptocurrency wallets, and other sensitive information."

malwarebytes.com/blog/threat-i…

#chatgpt #ai #cybersecurity #malware




LOL

"...“A single character injected into the HTTP Host header bypasses path-based authorization in Starlette, the routing core of FastAPI,”..."

#cybersecurity




❗ We’ve observed a scammer clearly abusing Microsoft's 'msonlineservicesteam@microsoftonline[. ]com' for spam distribution.

The header and message body appear completely legitimate - the abuse is happening through injection into the Subject:

✉️ Here's an example:
"Your PayPal order for 0.0092 BTC ($699.99) is complete. Not you? Call +1 (803) 237-5050 account email verification code."

At this point, it appears the attacker may have simply set the malicious text as either the account name or the organization name.

This also appears to line up with what @zackwhittaker TechCrunch Security Editor identified last week:
mastodon.social/@zackwhittaker…

....although the activity we’re seeing appears to stretch back several months.

Takeaway: automated notification systems should not allow this level of customization.

Microsoft has been informed of this abusive activity.

#ThreatIntel #Spam #InfoSec #CyberSecurity


Ooooh--found it!

So, this URL

hxxp://www.lwfinger.com/b43-firmware/ resolves to a URL that has been taken over by... who knows what. The below package has not been touched in 11 years.

github.com/mikhirev/b43-firmwa…

The firmware install then installs whatever it finds there. If it's got the right SHA checksum...

Anyone know what the right approach here is... (this is not my day job, lol).

cc @Viss

#cybersecurity #oopsie


This smacks of a compromised something or other... why is an apt upgrade of firmware-b43-installer going to a childcare blog. A violin shop? Hmm... reinstalling this entirely.

(Update: this apparently WAS a bug, but has been fixed in more recent versions of Debian... but not old ones h/t @alienghic )

salsa.debian.org/debian/b43-fw…

#Linux #cybersecurity


Interesting, Firefox and Waterfox will use the same autofill username/password on subdomains of a domain... that seems ripe for abuse, somehow (particularly for third party services which give users a subdomain, as many do, for payment forms, login pages, etc. etc.). #cybersecurity


Oops

infosec.exchange/@briankrebs/1…

#cybersecurity #CISA


New, by me: CISA Admin Leaked AWS GovCloud Keys on GitHub

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

krebsonsecurity.com/2026/05/ci…




Hmm, having heard of people who couldn't recover their computer (no bitlocker key), actually, that could be handy, lol. (ps. BACK UP YOUR BITLOCKER RECOVERY KEY if you have a Windows PC, lest you suddenly lose access to your PC because of some hardware repair...)

cyberplace.social/@GossiTheDog…

#cybersecurity #bitlocker


So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. github.com/Nightmare-Eclipse/Y…

Mitigation = BitLocker PIN and BIOS password lock.



Anyway, the answer (after signing in) is searching for "Calculator.app" is a straightforward way of finding where people have posted CVE exploit code, lol. (all the cybersecurity people probably knew this, but I did not)

#cybersecurity


Oh boy, this is going to put a dent in the semester...

LA Times: Massive Canvas data breach hits colleges across California and nation, crippling student work

latimes.com/california/story/2…

#canvas #cybersecurity




We've all seen those obvious deepfakes online picturing Trump or Musk getting arrested by the FBI. The latest AI tools are now so advanced that looking for the usual signs like extra digits on hands is no longer helpful when trying to spot them. The Atlantic's Lila Shroff experiments with photorealistic images of bank alerts, passports and tax forms and explains how deepfakes are coming for our bank accounts.

flip.it/Kv7S1A

#AI #Deepfakes #Cybersecurity #PersonalFinance #Scams



LOL tempted to pick up the nonfunctional washer and try to pentest the Wi-Fi on this thing. 🤪

#cybersecurity


Anthropic secretly installs spyware when you install Claude Desktop
thatprivacyguy.com/blog/anthro…

#claude #ai #llm #privacy #cybersecurity #spyware #fuckai #stopai #dataprivacy #anthropic



LOL does no one who puts up these chatbots know anything about AI?!?! This is a beekeeping retailer's website. #cybersecurity


Cyberattacks are spiking across the globe, thanks to Artificial Intelligence. We recently learned the extent of internet security vulnerability when Anthropic deemed its Claude Mythos Preview too dangerous for release because of how well it could spot security flaws. How long will these powerful tools remain in the hands of the “good guys?” @sciencefocus has more:

flip.it/XfycLi

#ArtificialIntelligence #Science #Tech #AI #Technology #Anthropic #CyberSecurity


Google announced several months ago that its Chrome browser would make secure connections the standard in October 2026. But you can already block shady websites by taking one simple step. PC World tells us how to do it in Chrome, Edge and Firefox:

flip.it/Tl04k8

#Tech #CyberSecurity #Chrome #Edge #Firefox #Technology #Security