Category: privacy
-
Smashing Security podcast #470: This AI security flaw might be impossible to fix
A website called “UK visa portal” has been quietly collecting passport scans, selfies, and personal data from thousands of travellers who thought they were applying through official channels. They weren’t. And when a journalist tried to warn the company, it was lawyers…
-
What to consider before asking an AI chatbot for health advice
Using chatbots for medical advice could elicit hallucinations and even expose you to security and privacy risks. Here’s what’s at stake and how to stay safe. Go to eset
-
Smashing Security podcast #469: What your Oura ring won’t tell you
CISA, the US government agency whose entire job is keeping America’s critical infrastructure safe from hackers, has had a contractor publish dozens of plain-text credentials to a public GitHub profile. Meanwhile, your Oura ring is quietly transmitting some of its data unencrypted – and…
-
Identifying People Using Wi-Fi Routers
Not identifying people based on their use of Wi-Fi routers, but identifying people using Wi-Fi signals. This is accomplished through what is known as WiFi sensing, or the use of WiFi signals to infer information about a physical environment. When radio signals like WiFi travel through a space, they interact…
-
When ransomware gets physical: cybercriminals turn to threats of violence
Pay up, or we’ll pay someone to pay you a visit. Cybercrime gangs are increasingly turning to real-world threats – and even hiring local muscle to deliver the message. Read more in my article on the Hot for Security blog. Graham Cluley
-
Smashing Security podcast #467: How ShinyHunters hacked the world’s biggest universities
Welcome to the largest educational data breach in history – affecting nearly 9,000 institutions, every Ivy League university, and 30 million students mid-finals. When Canvas’s parent company refused to pay and announced they had deployed “security patches” instead, the hackers were less than impressed.…
-
Eyes wide open: How to mitigate the security and privacy risks of smart glasses
Smart glasses allow anyone to track and record the world around them. That could put your data and the privacy of those nearby at risk. Go to eset
-
Smashing Security podcast #465: This developer wanted to cheat at Roblox. It cost millions
A developer at an AI startup wanted to cheat at Roblox. They downloaded a dodgy script on their work laptop. That one decision triggered a cascade of failures that ended with a $2 million data breach affecting hundreds of thousands of…
-
ICE Uses Graphite Spyware
ICE has admitted that it uses spyware from the Israeli company Graphite. Bruce Schneier
-
Smashing Security podcast #464: Rockstar got hacked. The data was junk. The secrets it revealed were not
A company that ran anonymous tip lines for 35,000 American schools – handling reports of bullying, weapons, and self-harm – boasted on its website that it had suffered zero security breaches in over 20 years. A hacker called…
-
Mexican Surveillance Company
Grupo Seguritech is a Mexican surveillance company that is expanding into the US. Bruce Schneier
-
Sometimes changing the password on your email mailbox isn’t enough
Have you ever taken a look at your Microsoft 365 mailbox rules? If not, it might be worth a few minutes of your time. Because newly released research reveals that hackers may already have beaten you to it. Read more in my article on the…
-
Sen. Sanders Talks to Claude About AI and Privacy
Claude is actually pretty good on the issues. Bruce Schneier
-
Smashing Security podcast #462: LinkedIn is spying on you, and you agreed to nothing
LinkedIn has been secretly scanning your browser for over 6,000 installed extensions — on every single click you make. It can tell if you’re job hunting, what religion you are, and whether you have ADHD. And none of this is mentioned…
-
LinkedIn Hidden Code Secretly Searches Your Browser for Installed Extensions
Every time you open LinkedIn in a Chrome-based browser, hidden JavaScript silently scans your computer for installed software without your knowledge, without your consent, and without a single word in LinkedIn’s privacy policy. A revealing investigation conducted by the European advocacy group Fairlinked e.V., under…
-
Company that Secretly Records and Publishes Zoom Meetings
WebinarTV searches the internet for public Zoom invites, joins the meetings, secretly records them, and publishes (alternate link) the recordings. It doesn’t use the Zoom record feature, so Zoom can’t do anything about it. Bruce Schneier
-
Smashing Security podcast #461: This man hid $400 million in a fishing rod. Then it vanished
A cannabis-growing, beekeeping, gyrocopter-flying Irishman invested his drug money in Bitcoin back in 2011 – and now sits on a fortune worth $400 million. There’s just one small problem: the access codes were tucked inside his fishing rod case,…
-
Iranian hackers breach FBI director’s personal email, and post his CV and photos online
It’s not every day that you read that the head of America’s top law enforcement agency has been hacked, but then – these aren’t ordinary times. Read more in my article on the Hot for Security blog. Graham Cluley
-
Sen. Wyden Warns of Another Section 702 Abuse
Sen. Ron Wyden is warning us of an abuse of Section 702: Wyden took to the Senate floor to deliver a lengthy speech, ostensibly about the since approved (with support of many Democrats) nomination of Joshua Rudd to lead the NSA. Wyden was protesting that nomination, but…
-
Proton Mail Shared User Information with the Police
404 Media has a story about Proton Mail giving subscriber data to the Swiss government, who passed the information to the FBI. It’s metadata—payment information related to a particular account—but still important knowledge. This sort of thing happens, even to privacy-centric companies like Proton Mail. Bruce Schneier…
-
Smashing Security podcast #459: This clever scam nearly hijacked a tech CEO’s Apple ID
In episode 459 of Smashing Security, we dive into a chillingly clever account takeover attempt targeting WordPress co-founder Matt Mullenweg – involving MFA fatigue, real Apple alerts, a convincing support call, and a phishing page that oh-so-nearly worked. If a famous…
-
Face value: What it takes to fool facial recognition
ESET’s Jake Moore used smart glasses, deepfakes and face swaps to ‘hack’ widely-used facial recognition systems – and he’ll demo it all at RSAC 2026 Go to eset
-
Smashing Security podcast #456: How to lose friends and DDoS people
When the mysterious operator of an internet archiving-service decided to silence a curious Finnish blogger, they didn’t just send a stroppy email – they allegedly weaponised their own CAPTCHA page to launch a DDoS attack, threatened to invent an entirely new genre of AI…
-
$10,000 bounty offered if you can hack Ring cameras to stop them sharing your data with Amazon
Amid a privacy backlash, a US $10,000 reward has been offered for anyone who can find a way to run Ring doorbell cameras locally, cutting off the flow of video data to Amazon’s servers. Read more in my…
-
Ring Cancels Its Partnership with Flock
It’s a demonstration of how toxic the surveillance-tech company Flock has become when Amazon’s Ring cancels the partnership between the two companies. As Hamilton Nolan advises, remove your Ring doorbell. Bruce Schneier
-
Dutch police arrest man for “hacking” after accidentally sending him confidential files
Police in The Netherlands say they have arrested a 40-year-old man on suspicion of hacking… after police officers accidentally sent him a link granting him access to their own confidential documents. Read more in my article on the Hot for Security blog. Graham…
-
3D Printer Surveillance
New York is contemplating a bill that adds surveillance to 3D printers: New York’s 2026-2027 executive budget bill (S.9005 / A.10005) includes language that should alarm every maker, educator, and small manufacturer in the state. Buried in Part C is a provision requiring all 3D printers sold or delivered in New York…
-
iPhone Lockdown Mode Protects Washington Post Reporter
404Media is reporting that the FBI could not access a reporter’s iPhone because it had Lockdown Mode enabled: The court record shows what devices and data the FBI was able to ultimately access, and which devices it could not, after raiding the home of the reporter, Hannah Natanson,…
-
Smashing Security podcast #453: The Epstein Files didn’t hide this hacker very well
Supposedly redacted Jeffrey Epstein files can still reveal exactly who they’re talking about – especially when AI, LinkedIn, and a few biographical breadcrumbs do the heavy lifting. Sloppy redaction leads to explosive claims, and difficult reputational consequences for cybersecurity vendors, and we…
-
Microsoft is Giving the FBI BitLocker Keys
Microsoft gives the FBI the ability to decrypt BitLocker in response to court orders: about twenty times per year. It’s possible for users to store those keys on a device they own, but Microsoft also recommends BitLocker users store their keys on its servers for convenience. While that…
-
Smashing Security podcast #452: The dark web’s worst assassins, and Pegasus in the dock
In episode 452, a London-based YouTuber wins a landmark court case against Saudi Arabia after his phone was hacked with Pegasus spyware — exposing how a single, seemingly harmless text message can turn a smartphone into a round-the-clock surveillance device. Plus,…
-
Ireland Proposes Giving Police New Digital Surveillance Powers
This is coming: The Irish government is planning to bolster its police’s ability to intercept communications, including encrypted messages, and provide a legal basis for spyware use. Bruce Schneier
-
Smashing Security podcast #451: I hacked the government, and your headphones are next
In episode 451 of “Smashing Security,” we meet the cybercriminal who hacked the US Supreme Court, Veterans Affairs, and more – and then helpfully posted screenshots (and even someone’s blood type) on an account called “I hacked the government.” Plus we discuss…
-
AI-Powered Surveillance in Schools
It all sounds pretty dystopian: Inside a white stucco building in Southern California, video cameras compare faces of passersby against a facial recognition database. Behavioral analysis AI reviews the footage for signs of violent behavior. Behind a bathroom door, a smoke detector-shaped device captures audio, listening for sounds of distress. Outside,…
-
Your personal information is on the dark web. What happens next?
If your data is on the dark web, it’s probably only a matter of time before it’s abused for fraud or account hijacking. Here’s what to do. Go to eset
-
pcTattletale founder pleads guilty in rare stalkerware prosecution
The founder of a spyware company that encouraged customers to secretly monitor their romantic partners has pleaded guilty to federal charges – marking one of the few successful US prosecutions of a stalkerware operator. Read more in my article on the Hot for Security blog. Graham Cluley…
-
The Wegman’s Supermarket Chain Is Probably Using Facial Recognition
The New York City Wegman’s is collecting biometric information about customers. Bruce Schneier
-
Flock Exposes Its AI-Enabled Surveillance Cameras
404 Media has the story: Unlike many of Flock’s cameras, which are designed to capture license plates as people drive by, Flock’s Condor cameras are pan-tilt-zoom (PTZ) cameras designed to record and track people, not vehicles. Condor cameras can be set to automatically zoom in on people’s faces as…
-
Urban VPN Proxy Surreptitiously Intercepts AI Chats
This is pretty scary: Urban VPN Proxy targets conversations across ten AI platforms: ChatGPT, Claude, Gemini, Microsoft Copilot, Perplexity, DeepSeek, Grok (xAI), Meta AI. For each platform, the extension includes a dedicated “executor” script designed to intercept and capture conversations. The harvesting is enabled by default through hardcoded…
-
Surveillance at sea: Cruise firm bans smart glasses to curb covert recording
If you’re planning a cruise for your holidays, and cannot bear the idea of being parted from your Ray-Ban Meta smart glasses, you may want to avoid sailing with MSC Cruises. The cruise line has updated its list of prohibited items, specifically banning…
-
Chinese Surveillance and AI
New report: “The Party’s AI: How China’s New AI Systems are Reshaping Human Rights.” From a summary article: China is already the world’s largest exporter of AI powered surveillance technology; new surveillance technologies and platforms developed in China are also not likely to simply stay there. By exposing the full scope…
-
Building Trustworthy AI Agents
The promise of personal AI assistants rests on a dangerous assumption: that we can trust systems we haven’t made trustworthy. We can’t. And today’s versions are failing us in predictable ways: pushing us to do things against our own best interests, gaslighting us with doubt about things we are or that…
-
Privacy concerns raised as Grok AI found to be a stalker’s best friend
Grok, the AI chatbot developed by Elon Musk’s xAI, has been found to exhibit more alarming behaviour – this time revealing the home addresses of ordinary people upon request. Read more in my article on the Hot for Security blog. Graham Cluley…
-
New Anonymous Phone Service
A new anonymous phone service allows you to sign up with just a zip code. Bruce Schneier
-
Banning VPNs
This is crazy. Lawmakers in several US states are contemplating banning VPNs, because…think of the children! As of this writing, Wisconsin lawmakers are escalating their war on privacy by targeting VPNs in the name of “protecting children” in A.B. 105/S.B. 130. It’s an age verification bill that requires all websites distributing material that…
-
State-backed spyware attacks are targeting Signal and WhatsApp users, CISA warns
CISA, the US Cybersecurity and Infrastructure Security Agency, has issued a new warning that cybercriminals and state-backed hacking groups are using spyware to compromise smartphones belonging to users of popular encrypted messaging apps such as Signal, WhatsApp, and Telegram. Read more in my article…
-
Shadow AI security breaches will hit 40% of all companies by 2030, warns Gartner
Shadow AI – the use of artificial intelligence tools by employees without a company’s approval and oversight – is becoming a significant cybersecurity risk. Read more in my article on the Fortra blog. Graham Cluley
-
The OSINT playbook: Find your weak spots before attackers do
Here’s how open-source intelligence helps trace your digital footprint and uncover your weak points, plus a few essential tools to connect the dots Go to eset
-
Smashing Security podcast #444: We’re sorry. Wait, did a company actually say that?
Stop the press – a company has actually said “sorry” after a data breach, and hotels are helping hackers phish their own guests. We examine a refreshingly honest breach response (and why legacy systems are still going to ruin your week), dig…
-
What if your romantic AI chatbot can’t keep a secret?
Does your chatbot know too much? Think twice before you tell your AI companion everything. Go to eset
-
Smashing Security podcast #443: Tinder’s camera roll and the Buffett deepfake
Tinder has got a plan to rummage through your camera roll, and Warren Buffett keeps popping up in convincing deepfakes dishing “number one investment tips.” Meanwhile, will agentic AI replace your co-hosts before you can say “EDR for robots”? and why you should still…
-
Smashing Security podcast #441: Inside the mob’s million-dollar poker hack, and a Formula 1 fumble
Basketball stars have allegedly joined forces with the mafia to fleece high-rollers in a poker scam involving hacked shufflers, covert cameras, and an X-ray card table. Meanwhile, researchers have found they could poke around an FIA driver portal to pull…
-
First Wap: A Surveillance Computer You’ve Never Heard Of
Mother Jones has a long article on surveillance arms manufacturers, their wares, and how they avoid export control laws: Operating from their base in Jakarta, where permissive export laws have allowed their surveillance business to flourish, First Wap’s European founders and executives have quietly built a…
-
Flok License Plate Surveillance
The company Flock is surveilling us as we drive: A retired veteran named Lee Schmidt wanted to know how often Norfolk, Virginia’s 176 Flock Safety automated license-plate-reader cameras were tracking him. The answer, according to a U.S. District Court lawsuit filed in September, was more than four times a day, or…
-
Smashing Security podcast #438: When your mouse turns snitch, and hackers grow a conscience
Your computer’s mouse might not be as innocent as it looks – and one ransomware crew has a crisis of conscience that nobody saw coming. We talk about how something as ordinary as a web page could turn your mouse into…
-
Digital Threat Modeling Under Authoritarianism
Today’s world requires us to make complex and nuanced decisions about our digital security. Evaluating when to use a secure messaging app like Signal or WhatsApp, which passwords to store on your smartphone, or what to share on social media requires us to assess risks and make judgments accordingly. Arriving…
-
Details About Chinese Surveillance and Propaganda Companies
Details from leaked documents: While people often look at China’s Great Firewall as a single, all-powerful government system unique to China, the actual process of developing and maintaining it works the same way as surveillance technology in the West. Geedge collaborates with academic institutions on research and development,…
-
Vastaamo psychotherapy hack: US citizen charged in latest twist of notorious data breach
28-year-old Daniel Lee Newhard, an American citizen living in Estonia, has been charged in relation to the notorious hack of Vastaamo, the biggest data breach in Finnish history. Read more in my article on the Hot for Security blog. Graham Cluley
-
Smashing Security podcast #435: Lights! Camera! Hacktion!
When “bad actors” stop being hackers and start being… actual actors. This week, Graham and special guest Jenny Radcliffe play “Hacker or Ham?” (yes, Steven Seagal, we’re looking at you), before diving into a campaign which saw an Iranian gang luring Israeli performers with fake casting calls for…
-
The AI Fix #68: AI telepathy, and rights for robots
In episode 68 of The AI Fix, our hosts open the show by launching the thing nobody asked for but everybody wanted: our shiny new merch store – yes, including the “Would YOU trust a pigeon???” t-shirt for when you need fashion alongside health and…
-
Smashing Security podcast #434: Whopper Hackers, and AI Whoppers
Ever wondered what would happen if Burger King left the keys to the kingdom lying around for anyone to use? Ethical hackers did – and uncovered drive-thru recordings, hard-coded passwords, and even the power to open a Whopper outlet on the moon. Meanwhile, over in Silicon…
-
Parents warned that robot toys spied on children’s location without consent
Parents are being reminded to exercise caution about the toys that they purchase their children, after the United States Federal Trade Commission (FTC) announced it had taken action against a robot toy maker. Read more in my article on the Hot for Security blog.…
-
Smashing Security podcast #432: Oops! I auto-filled my password into a cookie banner
We unpack how some password managers can be tricked into coughing up your secrets, with a clickjacking sleight-of-hand, what website owners can do to prevent it, and how to lock down your personal password vault. Then we time-hop to the post-quantum scramble:…
-
Automatic License Plate Readers Are Coming to Schools
Fears around children are opening up a new market for automatic license plate readers. Bruce Schneier
-
TeaOnHer copies everything from Tea – including the data breaches
TeaOnHer hasn’t stopped at copying the functionality of the original Tea app (albeit skewed towards men rating women). It also appears to have carelessly mimicked the Tea dating advice app’s recklessness when it comes to data security. Read more in my article on the Hot…
-
Hospital fined after patient data found in street food wrappers
A hospital in Thailand has been fined after patients’ printed records were recycled as snack bags to hold crispy crepes. Graham Cluley
-
Surveilling Your Children with AirTags
Skechers is making a line of kid’s shoes with a hidden compartment for an AirTag. Bruce Schneier
-
Why the tech industry needs to stand firm on preserving end-to-end encryption
Restricting end-to-end encryption on a single-country basis would not only be absurdly difficult to enforce, but it would also fail to deter criminal activity Go to eset
-
Search Engines are Indexing ChatGPT Conversations! – Here is our OSINT Research
ChatGPT shared conversations are being indexed by major search engines, effectively turning private exchanges into publicly discoverable content accessible to millions of users worldwide. The issue first came to light through investigative reporting by Fast Company, which revealed that nearly 4,500 ChatGPT conversations…
-
Smashing Security podcast #428: Red flags, leaked chats, and a final farewell
The viral women-only dating safety app Tea, built to flag red flags, gets flagged itself – after leaking over 70,000 private images and chat logs. We are talking full-on selfies, ID docs, private DMs, and a dash of 4chan creepiness. Yikes. Plus, Carole…
-
How Solid Protocol Restores Digital Agency
The current state of digital identity is a mess. Your personal information is scattered across hundreds of locations: social media companies, IoT companies, government agencies, websites you have accounts on, and data brokers you’ve never heard of. These entities collect, store, and trade your data, often without your knowledge…
-
New Mobile Phone Forensics Tool
The Chinese have a new tool called Massistant. Massistant is the presumed successor to Chinese forensics tool, “MFSocket”, reported in 2019 and attributed to publicly traded cybersecurity company, Meiya Pico. The forensics tool works in tandem with a corresponding desktop software. Massistant gains access to device GPS location data, SMS…
-
Security Vulnerabilities in ICEBlock
The ICEBlock tool has vulnerabilities: The developer of ICEBlock, an iOS app for anonymously reporting sightings of US Immigration and Customs Enforcement (ICE) officials, promises that it “ensures user privacy by storing no personal data.” But that claim has come under scrutiny. ICEBlock creator Joshua Aaron has been accused of making…
-
Tradecraft in the Information Age
Long article on the difficulty (impossibility?) of human spying in the age of ubiquitous digital surveillance. Bruce Schneier
-
Yet Another Strava Privacy Leak
This time it’s the Swedish prime minister’s bodyguards. (Last year, it was the US Secret Service and Emmanuel Macron’s bodyguards. In 2018, it was secret US military bases.) This is ridiculous. Why do people continue to make their data public? Bruce Schneier
-
Catwatchful stalkerware app spills secrets of 62,000 users – including its own admin
Another scummy stalkerware app has spilled its guts, revealing the details of its 62,000 users – and data from thousands of victims’ infected devices. Graham Cluley
-
Surveillance Used by a Drug Cartel
Once you build a surveillance system, you can’t control who will use it: A hacker working for the Sinaloa drug cartel was able to obtain an FBI official’s phone records and use Mexico City’s surveillance cameras to help track and kill the agency’s informants in 2018, according to a…
-
Smashing Security podcast #424: Surveillance, spyware, and self-driving snafus
A Mexican drug cartel spies on the FBI using traffic cameras and spyware — because “ubiquitous technical surveillance” is no longer just for dystopian thrillers. Graham digs into a chilling new US Justice Department report that shows how surveillance tech was weaponised to deadly effect. Meanwhile,…
-
When hackers become hitmen
So, you think hacking is just about stealing information, extorting ransoms, or wiping out company data? The truth is, sometimes it’s about killing people too… Graham Cluley
-
DuckDuckGo Rolls Out New Scam Blocker to Protect Users from Online Threats
DuckDuckGo has significantly upgraded its Scam Blocker feature to protect users against a broader range of digital threats, including sham e-commerce platforms, fake cryptocurrency exchanges, and “scareware” tactics. This enhancement comes as consumers reported $12.5 billion in fraud losses to the FTC in…
-
Surveillance in the US
Good article from 404 Media on the cozy surveillance relationship between local Oregon police and ICE: In the email thread, crime analysts from several local police departments and the FBI introduced themselves to each other and made lists of surveillance tools and tactics they have access to and felt comfortable using,…
-
Self-Driving Car Video Footage
Two articles crossed my path recently. First, a discussion of all the video Waymo has from outside its cars: in this case related to the LA protests. Second, a discussion of all the video Tesla has from inside its cars. Lots of things are collecting lots of video of lots of…
-
Paragon Spyware Used to Spy on European Journalists
Paragon is an Israeli spyware company, increasingly in the news (now that NSO Group seems to be waning). “Graphite” is the name of its product. Citizen Lab caught it spying on multiple European journalists with a zero-click iOS exploit: On April 29, 2025, a select group of…
-
Why Denmark is breaking up with Microsoft
Relying too heavily on a US tech giant for your nation’s digital infrastructure is starting to feel a bit… well, risky. Graham Cluley
-
Airlines Secretly Selling Passenger Data to the Government
This is news: A data broker owned by the country’s major airlines, including Delta, American Airlines, and United, collected U.S. travellers’ domestic flight records, sold access to them to Customs and Border Protection (CBP), and then as part of the contract told CBP to not reveal where…
-
Smashing Security podcast #421: Toothpick flirts, Google leaks, and ICE ICE scammers
What do a sleazy nightclub carpet, Google’s gaping privacy hole, and an international student conned by fake ICE agents have in common? This week’s episode of the “Smashing Security” podcast obviously. Graham explains how a Singaporean bug-hunter cracked Google’s defences and could brute-force…
-
Surveillance Via Smart Toothbrush
The only links are from The Daily Mail and The Mirror, but a marital affair was discovered because the cheater was recorded using his smart toothbrush at home when he was supposed to be at work. Bruce Schneier
-
Privacy for Agentic AI
Sooner or later, it’s going to happen. AI systems will start acting as agents, doing things on our behalf with some degree of autonomy. I think it’s worth thinking about the security of that now, while it’s still a nascent idea. In 2019, I joined Inrupt, a company that is commercializing…
-
US as a Surveillance State
Two essays were just published on DOGE’s data collection and aggregation, and how it ends with a modern surveillance state. It’s good to see this finally being talked about. Bruce Schneier
-
Windscribe Acquitted on Charges of Not Collecting Users’ Data
The company doesn’t keep logs, so couldn’t turn over data: Windscribe, a globally used privacy-first VPN service, announced today that its founder, Yegor Sak, has been fully acquitted by a court in Athens, Greece, following a two-year legal battle in which Sak was personally charged in…
-
Smashing Security podcast #412: Signalgate sucks, and the quandary of quishing
QR codes are being weaponised by scammers — so maybe think twice before scanning that parking meter. And in a blunder so dumb it makes autocorrect look smart, the White House explains how it leaked war plans on Signal because an iPhone mistook a…
-
DIRNSA Fired
In “Secrets and Lies” (2000), I wrote: It is poor civic hygiene to install technologies that could someday facilitate a police state. It’s something a bunch of us were saying at the time, in reference to the vast NSA’s surveillance capabilities. I have been thinking of that quote a lot as I read…