Episodes

  • EP 241.5 Deep Dive Cheap Sunglasses and The IT Privacy and Security Weekly Update for the Week Ending May 26th., 2025
    2025/05/08

    Wearable technology like Ray-Ban Meta glasses presents significant privacy concerns by enabling frequent data collection without clear user controls, potentially capturing personal information of users and bystanders unknowingly.


    TikTok received a €530 million fine from the EU primarily because user data was remotely accessible from China, raising surveillance risks, and the platform failed to transparently disclose data transfer practices, violating EU regulations.


    Recent password security analysis reveals an ongoing epidemic of weak password reuse, with easily guessable passwords like "123456" and "password" remaining common, exposing users to dictionary and brute-force attacks. Microsoft aims to combat this by making new accounts passwordless by default starting May 2025, promoting secure authentication methods like passkeys and security keys to mitigate password-based threats.


    Trusted social media accounts, such as the New York Post's X account, can be exploited for scams by cybercriminals who hijack them to spread fraudulent links, often involving cryptocurrency schemes. These attacks leverage social engineering tactics, underscoring the need for vigilance even with messages from reputable sources.


    Supply-chain attacks in e-commerce, such as those involving compromised Magento plug-ins, pose serious risks by embedding malware into widely used software. This malware can remain dormant for years before activating to steal payment card data, impacting thousands of unsuspecting websites and customers simultaneously.


    Modern vehicles collect extensive driver data (speed, location, braking habits) and may share this information with third parties, including insurance companies, without explicit user consent. Legal actions against automakers like Toyota highlight concerns over privacy violations and unauthorized commercial use of sensitive personal data.


    U.S. Customs and Border Protection (CBP) seeks to enhance surveillance by implementing facial recognition technology to capture and match passenger faces to government records at border crossings. This raises civil liberties issues due to widespread tracking and potential misidentification.

    14 min
  • Cheap Sunglasses and The IT Privacy and Security Weekly Update for the Week Ending May 6th., 2025
    2025/05/07

    EP 241. In this week's update:
    Smile, You’re Training Zuck’s AI. Meta quietly rewrote the fine print so your Ray-Bans can help train its AI by default—just say "Hey Meta" and wave goodbye to meaningful opt-outs.
    The Irish DPC slapped TikTok with a $600M wake-up call after finding the app's transparency was more filter than fact—China got the data, and Europe got the breach of trust.
    Billions of leaked passwords confirm that "123456" and "password" still reign supreme—proving users learned absolutely nothing since 2011 except how to get breached faster.
    So... Microsoft now defaults new accounts to passwordless sign-ins, putting the final nail in the coffin for “admin123” and celebrating the slow, glorious death of World Password Day.
    Hackers turned the Post’s X account into a crypto scam magnet—demonstrating that even legacy media isn’t immune to modern-day digital pickpocketing.
    A supply-chain attack silently lurked in Magento plug-ins for six years before hijacking hundreds of sites—because patience is a virtue, especially for cybercriminals.
    Toyota faces a class action for allegedly letting Progressive peek under the hood—tracking your driving habits before you even knew data was in the fast lane.
    U.S. border agents are hunting for tech that can photograph every passenger in every car—because nothing says “welcome” like full-surveillance road tripping.


    Find the full transcript to this podcast here.

    20 min
  • EP 240.5 Deep Dive: Thank you. Next. The IT Privacy and Security Weekly Update for the Week Ending April 29th., 2025
    2025/05/01

    Recent data breaches have had significant impacts. WorkComposer, an employee monitoring app, exposed over 21 million sensitive employee screenshots due to a misconfigured cloud storage bucket. This breach compromised data such as emails, internal chats, and login credentials, leading to risks like phishing attacks, identity theft, corporate espionage, and legal consequences under GDPR and CCPA. In a separate incident, Oracle engineers caused a multi-day outage at U.S. hospitals by disrupting electronic health record systems, forcing hospitals to revert to paper-based systems. This highlighted vulnerabilities in critical healthcare infrastructure due to human error.

    The rise of Artificial Intelligence (AI) is reshaping both cybersecurity and the workforce. AI-powered virtual employees, expected soon, pose security risks, such as account misuse and rogue behavior. At the same time, malicious actors are using AI tools like the Darcula phishing-as-a-service kit to launch sophisticated, multilingual phishing campaigns. This kit exploits messaging protocols like RCS and iMessage, making phishing attacks harder to detect. In the tech workforce, employees without AI expertise are facing heavier workloads, stagnant pay, and job insecurity amid restructuring, while AI specialists command higher salaries.

    Phishing attacks are becoming more advanced, thanks to tools like Darcula. This phishing kit allows criminals to easily create convincing fake websites and bypass security filters. The kit uses AI to generate multilingual scam pages and exploits messaging protocols like RCS and iMessage, which are more difficult to monitor than traditional SMS, making phishing attacks more sophisticated and challenging to detect.

    Nation-states continue to be significant players in cyberattacks, particularly through zero-day vulnerabilities. Google’s research reveals that government-backed hacking groups were behind most zero-day exploits used in real-world cyberattacks last year, with China and North Korea responsible for many of these attacks. These state-sponsored actors exploit undiscovered vulnerabilities to achieve strategic goals, highlighting the ongoing threat posed by nation-state cyberattacks.

    Connected vehicles and subscription-based features are raising privacy concerns. Automakers are increasingly collecting data through connected features like heated seats and advanced driving assistance. Law enforcement is training to access this data, including location history and driving habits, raising privacy risks. Even when drivers decline subscription services, pre-installed devices with cellular connections can still collect data, potentially increasing surveillance.

    Employee monitoring software, like WorkComposer, can pose security risks if not properly secured. The breach at WorkComposer exposed sensitive data, such as internal communications and login credentials. When employee data is not adequately protected, it becomes a target for cybercriminals, leading to identity theft, corporate espionage, and reputational damage. This emphasizes the need for strong security practices when using such tools.

    The tech workforce is facing significant challenges, including job insecurity, stagnant pay, and increased workloads. After a period of rapid growth, companies like Meta and Salesforce have implemented mass layoffs, leading employees to take on the responsibilities of former colleagues. While AI specialists are in high demand, those without AI expertise struggle to secure raises or better compensation, creating a divide in the workforce.

    Finally, targeted malicious activity has been observed in geopolitical contexts. For example, new Android spyware has been discovered targeting Russian military personnel. Hidden in a modified version of the Alpine Quest mapping app, the malware steals sensitive data like phone numbers, accounts, contacts, and geolocation information, highlighting the increasing use of cyber tools in geopolitical conflicts.

    14 min
  • Thank you. Next. The IT Privacy and Security Weekly Update for the Week Ending April 29th., 2025
    2025/04/30

    EP 240. For this week's update:
    A major employee monitoring tool suffered a data breach, exposing over 21 million sensitive screenshots due to a misconfigured cloud storage bucket. An example of when your productivity app tracks everything — and accidentally shares it with the world.
    Anthropic warns that AI-based virtual employees may arrive within a year, bringing unprecedented operational and security challenges. Meet your new colleague: tireless, credentialed, and occasionally rogue.
    New reporting shows tech industry employees are facing increased workloads, stagnant compensation, and persistent layoff fears amid shifting market dynamics — just like every other job.
    A sophisticated new phishing-as-a-service kit, Darcula, uses AI and modern messaging platforms to scale and personalize cyberattacks. Malware just got a UX upgrade — and it speaks 14 languages.
    Oracle engineers accidentally caused a multi-day outage at U.S. hospitals, disrupting electronic health records and operations — just a regular Tuesday in enterprise IT.
    Google reports that most real-world zero-day cyberattacks in the past year were linked to government-backed hacking groups. Nation-states still top the leaderboard for exploiting what vendors haven’t patched.
    New Android spyware is targeting Russian military personnel, using a trojanized mapping app to exfiltrate sensitive data — looks like someone's tracking the trackers.
    As automakers push subscription-based features, law enforcement is tapping into connected car data, raising privacy and surveillance concerns. You're not just paying monthly for heated seats — you're funding roadside surveillance.
    Thank you. Next...

    Find the full transcript for the podcast here.

    21 min
  • EP 239.5 Deep Dive Crocodilus and The IT Privacy and Security Weekly Update for the Week Ending April 22nd., 2025
    2025/04/24

    “Crocodilus” is a new Android malware aimed at cryptocurrency wallet users, notably in Spain and Turkey but potentially worldwide. It impersonates legitimate apps and tricks users into disclosing seed phrases. By exploiting Android’s accessibility services, it can monitor screens, simulate gestures, bypass two-factor authentication, and drain assets.


    ChatGPT’s latest models can analyze images in detail to determine real-world locations—raising privacy concerns, especially around doxxing. OpenAI imposes safeguards, but they may not fully prevent misuse.


    “Shadow AI” refers to employees secretly using unauthorized AI tools at work to enhance speed and efficiency. Nearly half admit to it, suggesting organizations must provide better AI solutions rather than simply banning them.


    The EU has banned autonomous AI agents in official online meetings over privacy and transparency risks, echoing the broader AI Act’s emphasis on mitigating high-risk AI scenarios.


    Serious NFC vulnerabilities allow attackers to exploit firmware in contactless readers with oversized data packets, enabling remote code execution that can crash terminals, steal information, and even force ATMs to dispense cash. Many older systems remain unpatched.


    Ransomware attackers significantly increase demands upon finding evidence of a victim’s cyber-insurance—potentially more than five times higher—highlighting the need to secure insurance documents.


    U.S. border agents can search electronic devices without warrants. Refusing to unlock can lead to confiscation for citizens or denial of entry for non-citizens. Travelers are advised to minimize stored data, disable biometric locks, and power down devices before crossing borders.

    21 min
  • Crocodilus and The IT Privacy and Security Weekly Update for the Week Ending April 22nd., 2025
    2025/04/23

    EP 239. This week:
    Emerging Android malware “Crocodilus” is targeting crypto wallet users in Spain and Turkey with deceptive apps that hijack seed phrases and device access through sophisticated accessibility exploits.
    ChatGPT’s new models are impressively accurate at identifying real-world locations from images, sparking both admiration for AI capabilities and concern over potential misuse.
    A new study reveals that 50% of employees secretly use unauthorized generative AI tools, highlighting the urgent need for smarter, sanctioned workplace solutions.
    The EU has banned AI agents in official virtual meetings, citing privacy and transparency concerns in line with its broader push for responsible AI use.
    Researchers have exposed critical NFC flaws that allow attackers to manipulate ATMs and payment terminals using only a smartphone, raising alarms about contactless payment security.
    Dutch research shows ransomware actors hike demands—up to 5.5x—when they discover cyber-insurance documents on victims’ systems, underscoring the importance of discreet data handling.
    With U.S. border agents empowered to inspect devices without a warrant, travelers are advised to minimize data exposure and take proactive digital hygiene steps to safeguard personal information.
    Let's go discover this week's update... just be careful where you step!

    Find the full transcript to this podcast here.

    19 min
  • EP 238.5 Deep Dive - The IT Privacy and Security 'Times Are a Changin' Weekly Update for the Week Ending April 15th., 2025
    2025/04/17

    What personal information was compromised in the Hertz breach?

    The breach exposed customer names, birth dates, contact info, driver's licenses, payment cards, and some Social Security numbers. It stemmed from a cyberattack on Cleo, a third-party vendor previously targeted in a mass-hacking campaign.


    How is air travel changing, and what are the privacy implications?

    ICAO aims to replace boarding passes with digital travel credentials using facial recognition and mobile passport data. While data is reportedly deleted quickly, the expansion of biometric surveillance raises major privacy and security concerns.


    Why is the EU giving staff burner phones for U.S. trips?

    To mitigate potential U.S. surveillance risks, the EU is issuing burner phones to officials visiting for IMF/World Bank meetings—echoing similar precautions for China and Ukraine. It signals growing distrust in transatlantic cybersecurity.


    How are North Korean hackers using LinkedIn?

    Groups like Lazarus use fake recruiter profiles to trick targets into opening malware-laden job materials. These campaigns steal credentials and crypto, funding North Korea’s sanctioned activities and highlighting the rise of social engineering threats.


    Why is Let's Encrypt shortening TLS certificate lifespans?

    Let's Encrypt now issues 6-day certificates, down from 90. Benefits include improved security and automation; drawbacks involve more frequent renewals, which could create dependency on issuing infrastructure.


    What is the "Smishing Triad" targeting now?

    This group has moved from fake delivery texts to targeting banks via iMessage and RCS phishing. They steal banking info to load stolen cards into mobile wallets, illustrating more advanced and lucrative phishing tactics.


    What’s the significance of China acknowledging U.S. infrastructure hacks?

    China’s tacit admission of involvement in Volt Typhoon cyberattacks marks a shift in tone. The U.S. sees these as strategic signals, intensifying concerns about critical infrastructure security amid geopolitical tension.


    What is Android’s new auto-reboot security feature?

    Android phones will now reboot automatically after three days of inactivity. This clears memory, closes apps, and requires re-authentication—reducing the risk of unauthorized access.

    17 min
  • The IT Privacy and Security 'Times Are a Changin' Weekly Update for the Week Ending April 15th., 2025
    2025/04/16

    This week, Hertz lost your driver's license, birthday, and maybe your Social Security number—but don’t worry, it was their vendor’s fault.
    Boarding passes and check-ins are going extinct, and your face is the new passport—because what could possibly go wrong with global biometric surveillance?
    The EU is now handing out burner phones for U.S. trips, because apparently D.C. is the new Beijing when it comes to digital paranoia.
    North Korea’s job recruiters are on LinkedIn now—offering dream gigs and delivering malware instead of paychecks.
    Certbot now supports six-day certs because nothing says ‘secure’ like constantly renewing your identity before your SSL gets a chance to age.
    The China-Based Smishing Triad has moved from fake shipping notices to bank fraud—because stealing your toll bill just wasn’t profitable enough.
    China basically winked at the U.S. and said “yeah, that was us” after hacking critical infrastructure.
    Google wants your Android to restart itself after three days of neglect—finally, a reward for ignoring your phone.
    Come on! Let's go get changed!


    Find the full transcript to this podcast here.

    16 min