EP 236

For the Biggest Crypto Hacks it turns out “HODL” doesn’t protect you from miscreants with social engineering degrees.
Hackers are now coding in Rust and Go, because multilingual malware is harder to catch.
An esteemed University Computer Scientist simply disappears. (See if you can pick up on the clues.)
Anthropic expands into AI workplace cleaning, but before you get too excited, they're only sweeping offices for now.
Cloudflare slams the door making one well known transfer protocol vanish.
Then, design one anti-CEO shirt and "boom" a lifetime ban from Madison Square Garden.
Millions of spicy selfies spilled online, and now your privates may be public.
And we finish with the burning question of who blew up national security... the intern or GCHQ?
Let's go find some explanations.

Find the full transcript to this podcast here.

Privacy Risks of 23andMe Bankruptcy

A breach impacting 7 million users, coupled with lawsuits and financial distress, means 23andMe’s 15 million genetic profiles could be sold or misused under a new buyer. The California Attorney General has urged users to delete their data and destroy physical samples, highlighting the vulnerability of storing sensitive genetic information with for‑profit entities under financial strain.

Clearview AI’s Data Acquisition Attempts

Clearview AI tried to buy a massive database of arrest records, mugshots, and personal details (like social security numbers). This would greatly expand its controversial facial recognition repository, fueling concerns about privacy, consent, and misuse by governments or private actors.

Hungary’s Use of Facial Recognition at Pride Events

Hungary banned Pride events and authorized facial recognition to identify attendees, who may face fines under “child protection” laws. Critics view this as an attack on free assembly and expression, especially for LGBTQ+ communities, creating a chilling effect on peaceful protests.

China’s New Facial Recognition Rules

Facial recognition is banned without consent and in private spaces, requiring privacy assessments and encryption. However, these rules exclude “algorithm training,” meaning facial images may still be collected for AI development, undermining the intended privacy protections given China’s widespread CCTV presence.

US Coordination on Russian Cyber Threats Halted

US national security agencies ceased joint efforts against Russian cyberattacks, disinformation, and oligarch asset seizures. This abrupt stop raises concerns over weakened defenses against foreign interference, though official explanations remain unclear.

Microsoft’s Unpatched .LNK Exploit

An eight‑year‑old Windows shortcut (.LNK) exploit persists, with Microsoft labeling it a “UI issue” rather than a security flaw. Attackers, including state‑sponsored groups, hide malicious commands in whitespace, leaving users vulnerable to spying and data theft.

Windows 10 End of Support

With support ending in October 2025, Microsoft urges users—over half of its Windows base—to buy new hardware for Windows 11. This approach overlooks the financial burden on many and disregards feasible upgrades or affordable alternatives for existing devices.

Dutch Universities Shifting Away from WhatsApp

Schools such as Utrecht and Avans recommend moving to Signal over privacy and misinformation concerns tied to WhatsApp’s data‑sharing practices. Signal’s strong encryption, open‑source nature, and non‑profit status align with the need for secure, private communication in educational settings.

EP 235

The IT Privacy and Security Weekly Update and a Gene Genie for the Week Ending March 25th., 2025

3/25/2025

0 Comments

EP 235. ​- click the pic to hear the podcast -
DNA of 15 Million People For Sale. Turns out your great-great-grandparents' DNA is now a going-out-of-business clearance sale!"
Clearview Tried to Buy Social Security Numbers and Mugshots. Shopping list: milk, eggs, 690 million arrest records, and a side of your soul.
Hungary Uses Facial Recognition to Suppress a Pride March—because nothing says “freedom” like being fined for your face.
China says no facial recognition in hotel rooms—so go ahead and enjoy your surveillance-free shower while it lasts.
US Agencies Halt Counter-Russian Cyberattack Coordination to stop Russian cyber sabotage and, what could possibly go wrong?
Microsoft Isn't Fixing 8-Year-Old Shortcut Exploit. Maybe it's a new cybersecurity policy, "If we ignore it long enough, perhaps it'll go away!"
Then, If you have a Windows 10 machine and can’t install Windows 11, Microsoft suggests a fix. Buy a new computer and maybe get a second job.
And finally, Dutch universities to WhatsApp, "It's not you, it's us. We just can't get comfortable with your data hoarding."
Let's go try on some genes!

Find the full transcript to this podcast here.

1. Why Should I Change My Passwords Immediately?

Recent studies show that around 50% of online passwords are already compromised, and 41% of successful logins involve breached credentials. Common passwords like “123456” and password reuse make it easy for cybercriminals—especially with automated bots—to access multiple accounts. Changing passwords and using unique, strong credentials with multi-factor authentication is critical for security.

Starting March 28th, all Alexa requests will be processed in Amazon’s cloud, regardless of previous settings. Amazon claims this supports new AI features, but it means even users who opted out of saving voice recordings will now have all interactions recorded and sent to Amazon. This also impacts features like Voice ID, which won’t function without stored voice data. While Amazon encrypts transmissions and provides some privacy controls, this shift raises concerns about increased data collection and potential personalization for shopping.

Microsoft will stop providing free security updates for Windows 10 in October 2025, leaving charities that refurbish and donate older PCs with limited options. Many of these computers cannot run Windows 11, forcing organizations to choose between using an insecure OS, transitioning to Linux, or discarding hardware—contributing to electronic waste. While Linux is a secure, free alternative, its unfamiliar interface may pose usability challenges for some recipients, especially seniors.

StilachiRAT is a newly discovered remote access trojan (RAT) targeting cryptocurrency wallets like MetaMask and Coinbase Wallet. This malware remains undetected on infected systems, stealing sensitive data, including credentials stored in browsers like Chrome. By accessing login credentials, attackers can drain funds from wallets. StilachiRAT also collects system data, increasing victims' exposure. While not widespread yet, its advanced capabilities make it a serious threat to crypto users.

A Chinese state-sponsored hacking group remained undetected in a small Massachusetts power utility for over 300 days, showing that even lesser-known infrastructure is a target for cyber espionage. Attackers can use these breaches to test methods, gain footholds in critical networks, and extract operational data such as grid layouts. This underscores the need for robust security measures, continuous monitoring, and multi-factor authentication for all organizations, especially in critical sectors.

Anthropic CEO Dario Amodei warns that state-sponsored actors, likely from China, are trying to steal “algorithmic secrets” from US AI firms. Some critical algorithms, despite representing massive investments (potentially $100 million), are just a few lines of code, making them easy to exfiltrate if security is breached. Amodei argues that the US government should take stronger action to protect these assets from industrial espionage.

Allstate Insurance's National General unit had websites that displayed personally identifiable information (PII) in plaintext during the quote process. When users entered their name and address, the system exposed full driver’s license numbers (DLNs) of the applicant and other residents at that address. Attackers used bots to harvest at least 12,000 DLNs, leading to fraudulent claims. This highlights the importance of secure website design and responsible data handling to prevent unauthorized access.

EP 234

For the other 50%. The IT Privacy and Security Weekly Update for the Week Ending March 18th., 2025

3/18/2025

0 Comments

EP 234
- click the pic to hear the podcast -For our first story, Apparently there’s a 50% chance your password is headlining a hacker convention. Perhaps it's time to change up from ‘123456' (still the most commonly used password).
Starting On March 28, Everything You Say To Your Echo Will Be Sent To Amazon. Alexa’s new motto: ‘Anything you say can and will be used—to personalize your shopping cart, and we mean potentially anything!’
The end of Windows 10 Leaves PC Charities With Tough Choice: Risk Windows 10, embrace Linux, or send Grandma’s old PC straight to the tech graveyard?
Then Microsoft flags a new threat draining crypto from top wallets. Meet StilachiRAT, the malware so enthusiastic about your crypto it’ll snatch it faster than you can configure your wallet software!
Chinese Hackers Sat Undetected in a small Massachusetts power utility for months. Who knew a cozy little power company could double as the perfect 300-day Airbnb for homeless cyber-spies?
Anthropic CEO Says Spies Are After $100 Million AI Secrets in a 'Few Lines of Code'. So when your fortune fits in a handful of lines, hitting Ctrl+C could be the new diamond heist.
Finally, Allstate Insurance gets sued for delivering PII in plaintext. You’re in good hands with Allstate, we just can't tell you whose.
Let's update the other 50%!

Find the full transcript to this podcast here.

EP 233.5

Key Cryptocurrency Threats & Scams
In 2025, crypto remains a hotspot for scams like Ponzi schemes, fake ICOs, pump-and-dumps, phishing attacks, and malicious wallets or exchanges designed to steal funds. Social media is often used for deceptive giveaways, impersonations, and investment scams. Other risks include fake mining operations, rug pulls, fraudulent apps, SIM swapping, and impostor tech support.

• 
  

• AI Skills Demand in the Tech Job Market
  AI expertise is increasingly sought after, with about one in four U.S. tech job postings requiring AI-related skills. This trend cuts across industries like healthcare, finance, and professional services. Although overall tech job postings have dipped, AI job listings have surged since ChatGPT’s launch, offering premium pay and higher job security.

• What Is Free95?
  Free95 is an open-source operating system on GitHub aiming for Windows compatibility without the bloat. It currently supports basic Win32 programs, with future plans for DirectX and gaming. Its creators prioritize security, simplicity, and independence from major corporate control, positioning it as a leaner alternative to systems like ReactOS.

• DOJ Push for Google to Sell Chrome
  The U.S. Department of Justice still wants Google to divest Chrome, citing an illegal monopoly in search. The DOJ argues that selling Chrome would create room for genuine competition. While it continues to push for restrictions on Google’s paid search placement deals, it has dropped calls for Google to shed AI start-up investments.

• Edge Computing on the ISS
  Axiom Space and Red Hat’s AxDCU-1 data center on the ISS tests cloud, AI, and cybersecurity in orbit. Red Hat’s Device Edge software enables real-time data processing in space, crucial due to limited satellite links with Earth. This development could boost AI training, imaging, cybersecurity, and overall autonomy in space operations.

• Undocumented ‘Backdoor’ in a Chinese Bluetooth Chip
  Researchers found hidden commands in the ESP32 microcontroller, used in over a billion devices. Attackers could exploit these commands to impersonate devices, steal data, or infiltrate networks. The chip’s widespread adoption in smartphones, locks, and medical equipment heightens the security risk, as attackers might gain long-term control.

• Security & Privacy Concerns of ‘Agentic AI’
  Signal President Meredith Whittaker warns that agentic AI requires broad system access, potentially gathering financial, scheduling, and messaging data with near-root permissions. This could break down privacy barriers between apps and introduce significant security risks, especially if sensitive data is processed in the cloud.

• Expanded Social Media Screening for Non-Citizens
  The U.S. is considering extending social media checks beyond new arrivals to all non-citizens applying for benefits like permanent residency or citizenship. This raises privacy concerns, as individuals who entered before such screenings were routine may now face additional digital scrutiny when adjusting their immigration status.

EP 233

This week... is seized Crypto Linked to LastPass? Feds pocket $23M in hot crypto—but with hackers still sitting on hundreds of millions, it’s like finding loose change in the couch.
Signal’s boss says our ‘magic AI butler’ needs root access to everything. What could possibly go wrong?
AI is Reshaping Tech Jobs and with nearly one in four tech gigs demanding AI skills, either learn to talk to robots or prepare to serve them coffee."
Your Bluetooth toaster might secretly be dialing up hackers—because who doesn’t love a little espionage with their morning bagel?
With the UK quietly removing encryption advice, Brits wake up to find official security tips gone, like a polite note saying ‘We’d prefer you in clear text, chaps.’
Indian tax officials are granted sweeping digital access and can now dig through socials, emails, and maybe grandma’s recipe folder. Nothing’s sacred if there’s tax to be had.
Elon’s empire takes another DDoS beating—Dark Storm claims credit, X users just want their snarky tweets back."
We finish with the discovery of a Fake Website Spewing AI Slop that topped Google Search. AI conjures space fantasies that outrank real news and it turns out that even Google can’t spot the Millennium Falcon imposter.
Let's keep it safe.

Find the full transcript to this podcast here.

How did Microsoft's Copilot expose private GitHub repositories, and what are the risks?

Copilot accessed over 20,000 private GitHub repositories due to cached data from when they were public. Even after repos were made private, Copilot could still generate responses using this cached data, risking exposure of sensitive information like credentials and corporate secrets.

What is the "nRootTag" exploit in Apple's Find My network?

The "nRootTag" exploit allows attackers to track Bluetooth devices like AirTags without owners knowing. While AirTags use cryptographic keys to change Bluetooth addresses, attackers can rapidly compute these keys using GPUs, achieving a 90% tracking success rate.

Why is the UK demanding an iCloud backdoor, and how has Apple responded?

The UK wants access to encrypted iCloud data for law enforcement, but Apple opposes it, withdrawing its Advanced Data Protection from the UK. The US has also criticized the demand as a privacy and legal overreach.

Why is Signal withdrawing from Sweden?

Signal is leaving Sweden over proposed laws requiring backdoor access to encrypted chats. The company refuses to weaken encryption, emphasizing its commitment to user privacy.

Why has the US reportedly halted offensive cyber operations against Russia?

The US Cyber Command, under Defense Secretary orders, has paused cyber attacks on Russia, possibly for diplomatic reasons. Supporters see it as de-escalation; critics worry it weakens deterrence against Russian cyber threats.

Why has Australia banned Kaspersky Lab products?

Australia banned Kaspersky from government systems, citing espionage and foreign interference risks. The move signals concerns over antivirus software’s deep system access and the company's Russian ties.

How was a Cellebrite exploit used to hack a Serbian student's phone?

A Cellebrite zero-day targeting Android's Linux kernel USB drivers allowed attackers with physical access to bypass the lock screen. This raises concerns over surveillance tools being misused against activists.

What changes did Mozilla make to Firefox Terms of Use, and why was there backlash?

Mozilla initially claimed broad rights over user-submitted content, sparking fears of data monetization. After criticism, they revised the terms, clarifying user ownership and denying AI data harvesting.