Episodes

  • EP 236.5 Deep dive - Unexplainable disappearances and The IT Privacy and Security Weekly Update for the Week Ending April 1st., 2025
    2025/04/03

    1. What are some recent major cryptocurrency hacks, and how were they carried out?

    High-profile crypto breaches include Bybit (~$1.5B), Ronin Network ($625M), and Poly Network ($611M). Attackers exploited vulnerabilities via social engineering (notably in the Bybit case), smart contract flaws, phishing, and targeted blockchain bridges. State-backed groups are increasingly active in this space.


    2. How is malware evolving to bypass traditional antivirus tools, and what languages are favored by attackers?

    Cybercriminals are turning to languages like Rust and Go to create or recompile malware, exploiting blind spots in antivirus tools that rely on static signature detection. These languages also offer cross-platform capabilities and security features that can be weaponized.


    3. What happened to computer scientist Xiaofeng Wang, and why is it significant?

    The FBI raided Wang’s home—he's a well-known Indiana University expert in cryptography and privacy. Since the raid, he’s gone missing, with his online presence scrubbed. The secrecy surrounding his disappearance, combined with his sensitive field of work and Chinese background, raises serious questions.


    4. Why is AI firm Anthropic sweeping its offices for hidden devices?

    To combat rising concerns about espionage and IP theft, Anthropic is conducting physical security sweeps. This move reflects heightened tensions in the competitive AI landscape and the growing risk of surveillance and corporate spying in the industry.


    5. What API security change is Cloudflare making, and why does it matter?

    Cloudflare is enforcing HTTPS-only access for its API domain by shutting down HTTP ports entirely. This ensures encrypted communication, protecting API tokens and user data, and sets a strong precedent for better internet-wide encryption standards.


    6. How did Madison Square Garden use surveillance tech to ban a fan, and what does it imply?

    MSG banned a fan for life after facial recognition identified him as the creator of a CEO-critical T-shirt. This incident underscores the growing use of surveillance in private venues and its implications for free expression and long-term personal tracking.


    7. What data exposure was found in several dating apps?

    Researchers found ~1.5M unprotected, sensitive photos—some explicit—exposed by five dating apps from M.A.D Mobile. Images included private messages and content believed to be deleted. This highlights the dangers of poor data hygiene and storage practices.


    8. What security failure occurred at the UK’s GCHQ involving an intern?

    A GCHQ intern copied top-secret data from a secure system to his personal phone, then transferred it to a home hard drive. This breach reveals critical weaknesses in internal controls, particularly around device security and data exfiltration prevent

    16 min
  • Unexplainable disappearances and The IT Privacy and Security Weekly Update for the Week Ending April 1st., 2025
    2025/04/02

    EP 236

    For the Biggest Crypto Hacks it turns out “HODL” doesn’t protect you from miscreants with social engineering degrees.
    Hackers are now coding in Rust and Go, because multilingual malware is harder to catch.
    An esteemed University Computer Scientist simply disappears. (See if you can pick up on the clues.)
    Anthropic expands into AI workplace cleaning, but before you get too excited, they're only sweeping offices for now.
    Cloudflare slams the door, making one well-known transfer protocol vanish.
    Then, design one anti-CEO shirt and "boom" a lifetime ban from Madison Square Garden.
    Millions of spicy selfies spilled online, and now your privates may be public.
    And we finish with the burning question of who blew up national security... the intern or GCHQ?
    Let's go find some explanations.

    Find the full transcript to this podcast here.

    20 min
  • EP 235.5 Deep Dive. The IT Privacy and Security Weekly Update and a Gene Genie for the Week Ending March 25th., 2025
    2025/03/27

    Privacy Risks of 23andMe Bankruptcy

    A breach impacting 7 million users, coupled with lawsuits and financial distress, means 23andMe’s 15 million genetic profiles could be sold or misused under a new buyer. The California Attorney General has urged users to delete their data and destroy physical samples, highlighting the vulnerability of storing sensitive genetic information with for‑profit entities under financial strain.


    Clearview AI’s Data Acquisition Attempts

    Clearview AI tried to buy a massive database of arrest records, mugshots, and personal details (like social security numbers). This would greatly expand its controversial facial recognition repository, fueling concerns about privacy, consent, and misuse by governments or private actors.


    Hungary’s Use of Facial Recognition at Pride Events

    Hungary banned Pride events and authorized facial recognition to identify attendees, who may face fines under “child protection” laws. Critics view this as an attack on free assembly and expression, especially for LGBTQ+ communities, creating a chilling effect on peaceful protests.


    China’s New Facial Recognition Rules

    Facial recognition is banned without consent and in private spaces, requiring privacy assessments and encryption. However, these rules exclude “algorithm training,” meaning facial images may still be collected for AI development, undermining the intended privacy protections given China’s widespread CCTV presence.


    US Coordination on Russian Cyber Threats Halted

    US national security agencies ceased joint efforts against Russian cyberattacks, disinformation, and oligarch asset seizures. This abrupt stop raises concerns over weakened defenses against foreign interference, though official explanations remain unclear.


    Microsoft’s Unpatched .LNK Exploit

    An eight‑year‑old Windows shortcut (.LNK) exploit persists, with Microsoft labeling it a “UI issue” rather than a security flaw. Attackers, including state‑sponsored groups, hide malicious commands in whitespace, leaving users vulnerable to spying and data theft.


    Windows 10 End of Support

    With support ending in October 2025, Microsoft urges users—over half of its Windows base—to buy new hardware for Windows 11. This approach overlooks the financial burden on many and disregards feasible upgrades or affordable alternatives for existing devices.


    Dutch Universities Shifting Away from WhatsApp

    Schools such as Utrecht and Avans recommend moving to Signal over privacy and misinformation concerns tied to WhatsApp’s data‑sharing practices. Signal’s strong encryption, open‑source nature, and non‑profit status align with the need for secure, private communication in educational settings.

    16 min
  • The IT Privacy and Security Weekly Update and a Gene Genie for the Week Ending March 25th., 2025
    2025/03/26

    EP 235

    3/25/2025

    DNA of 15 Million People For Sale. Turns out your great-great-grandparents' DNA is now a going-out-of-business clearance sale!
    Clearview Tried to Buy Social Security Numbers and Mugshots. Shopping list: milk, eggs, 690 million arrest records, and a side of your soul.
    Hungary Uses Facial Recognition to Suppress a Pride March—because nothing says “freedom” like being fined for your face.
    China says no facial recognition in hotel rooms—so go ahead and enjoy your surveillance-free shower while it lasts.
    US Agencies Halt Counter-Russian Cyberattack Coordination to stop Russian cyber sabotage, and what could possibly go wrong?
    Microsoft Isn't Fixing 8-Year-Old Shortcut Exploit. Maybe it's a new cybersecurity policy, "If we ignore it long enough, perhaps it'll go away!"
    Then, if you have a Windows 10 machine and can’t install Windows 11, Microsoft suggests a fix. Buy a new computer and maybe get a second job.
    And finally, Dutch universities to WhatsApp, "It's not you, it's us. We just can't get comfortable with your data hoarding."
    Let's go try on some genes!

    Find the full transcript to this podcast here.

    19 min
  • EP 234.5 Deep Dive. The IT Privacy and Security Weekly Update for the Week Ending March 18th., 2025
    2025/03/20

    1. Why Should I Change My Passwords Immediately?

    Recent studies show that around 50% of online passwords are already compromised, and 41% of successful logins involve breached credentials. Common passwords like “123456” and password reuse make it easy for cybercriminals—especially with automated bots—to access multiple accounts. Changing passwords and using unique, strong credentials with multi-factor authentication is critical for security.

    Starting March 28th, all Alexa requests will be processed in Amazon’s cloud, regardless of previous settings. Amazon claims this supports new AI features, but it means even users who opted out of saving voice recordings will now have all interactions recorded and sent to Amazon. This also impacts features like Voice ID, which won’t function without stored voice data. While Amazon encrypts transmissions and provides some privacy controls, this shift raises concerns about increased data collection and potential personalization for shopping.

    Microsoft will stop providing free security updates for Windows 10 in October 2025, leaving charities that refurbish and donate older PCs with limited options. Many of these computers cannot run Windows 11, forcing organizations to choose between using an insecure OS, transitioning to Linux, or discarding hardware—contributing to electronic waste. While Linux is a secure, free alternative, its unfamiliar interface may pose usability challenges for some recipients, especially seniors.

    StilachiRAT is a newly discovered remote access trojan (RAT) targeting cryptocurrency wallets like MetaMask and Coinbase Wallet. This malware remains undetected on infected systems, stealing sensitive data, including credentials stored in browsers like Chrome. By accessing login credentials, attackers can drain funds from wallets. StilachiRAT also collects system data, increasing victims' exposure. While not widespread yet, its advanced capabilities make it a serious threat to crypto users.

    A Chinese state-sponsored hacking group remained undetected in a small Massachusetts power utility for over 300 days, showing that even lesser-known infrastructure is a target for cyber espionage. Attackers can use these breaches to test methods, gain footholds in critical networks, and extract operational data such as grid layouts. This underscores the need for robust security measures, continuous monitoring, and multi-factor authentication for all organizations, especially in critical sectors.

    Anthropic CEO Dario Amodei warns that state-sponsored actors, likely from China, are trying to steal “algorithmic secrets” from US AI firms. Some critical algorithms, despite representing massive investments (potentially $100 million), are just a few lines of code, making them easy to exfiltrate if security is breached. Amodei argues that the US government should take stronger action to protect these assets from industrial espionage.

    Allstate Insurance's National General unit had websites that displayed personally identifiable information (PII) in plaintext during the quote process. When users entered their name and address, the system exposed full driver’s license numbers (DLNs) of the applicant and other residents at that address. Attackers used bots to harvest at least 12,000 DLNs, leading to fraudulent claims. This highlights the importance of secure website design and responsible data handling to prevent unauthorized access.


    17 min
  • For the other 50%. The IT Privacy and Security Weekly Update for the Week Ending March 18th., 2025
    2025/03/19

    EP 234

    3/18/2025

    For our first story, apparently there’s a 50% chance your password is headlining a hacker convention. Perhaps it's time to change up from ‘123456’ (still the most commonly used password).
    Starting On March 28, Everything You Say To Your Echo Will Be Sent To Amazon. Alexa’s new motto: ‘Anything you say can and will be used—to personalize your shopping cart, and we mean potentially anything!’
    The end of Windows 10 Leaves PC Charities With Tough Choice: Risk Windows 10, embrace Linux, or send Grandma’s old PC straight to the tech graveyard?
    Then Microsoft flags a new threat draining crypto from top wallets. Meet StilachiRAT, the malware so enthusiastic about your crypto it’ll snatch it faster than you can configure your wallet software!
    Chinese Hackers Sat Undetected in a small Massachusetts power utility for months. Who knew a cozy little power company could double as the perfect 300-day Airbnb for homeless cyber-spies?
    Anthropic CEO Says Spies Are After $100 Million AI Secrets in a 'Few Lines of Code'. So when your fortune fits in a handful of lines, hitting Ctrl+C could be the new diamond heist.
    Finally, Allstate Insurance gets sued for delivering PII in plaintext. You’re in good hands with Allstate, we just can't tell you whose.
    Let's update the other 50%!


    Find the full transcript to this podcast here.

    17 min
  • Deep Dive. Keep it Safe. Featuring 21 Crypto scams to avoid. The IT Privacy and Security Weekly Update for the Week Ending March 11th., 2025
    2025/03/13

    EP 233.5

    • Key Cryptocurrency Threats & Scams
      In 2025, crypto remains a hotspot for scams like Ponzi schemes, fake ICOs, pump-and-dumps, phishing attacks, and malicious wallets or exchanges designed to steal funds. Social media is often used for deceptive giveaways, impersonations, and investment scams. Other risks include fake mining operations, rug pulls, fraudulent apps, SIM swapping, and impostor tech support.


    • AI Skills Demand in the Tech Job Market
      AI expertise is increasingly sought after, with about one in four U.S. tech job postings requiring AI-related skills. This trend cuts across industries like healthcare, finance, and professional services. Although overall tech job postings have dipped, AI job listings have surged since ChatGPT’s launch, offering premium pay and higher job security.

    • What Is Free95?
      Free95 is an open-source operating system on GitHub aiming for Windows compatibility without the bloat. It currently supports basic Win32 programs, with future plans for DirectX and gaming. Its creators prioritize security, simplicity, and independence from major corporate control, positioning it as a leaner alternative to systems like ReactOS.

    • DOJ Push for Google to Sell Chrome
      The U.S. Department of Justice still wants Google to divest Chrome, citing an illegal monopoly in search. The DOJ argues that selling Chrome would create room for genuine competition. While it continues to push for restrictions on Google’s paid search placement deals, it has dropped calls for Google to shed AI start-up investments.

    • Edge Computing on the ISS
      Axiom Space and Red Hat’s AxDCU-1 data center on the ISS tests cloud, AI, and cybersecurity in orbit. Red Hat’s Device Edge software enables real-time data processing in space, crucial due to limited satellite links with Earth. This development could boost AI training, imaging, cybersecurity, and overall autonomy in space operations.

    • Undocumented ‘Backdoor’ in a Chinese Bluetooth Chip
      Researchers found hidden commands in the ESP32 microcontroller, used in over a billion devices. Attackers could exploit these commands to impersonate devices, steal data, or infiltrate networks. The chip’s widespread adoption in smartphones, locks, and medical equipment heightens the security risk, as attackers might gain long-term control.

    • Security & Privacy Concerns of ‘Agentic AI’
      Signal President Meredith Whittaker warns that agentic AI requires broad system access, potentially gathering financial, scheduling, and messaging data with near-root permissions. This could break down privacy barriers between apps and introduce significant security risks, especially if sensitive data is processed in the cloud.

    • Expanded Social Media Screening for Non-Citizens
      The U.S. is considering extending social media checks beyond new arrivals to all non-citizens applying for benefits like permanent residency or citizenship. This raises privacy concerns, as individuals who entered before such screenings were routine may now face additional digital scrutiny when adjusting their immigration status.


    19 min
  • Keep it Safe. The IT Privacy and Security Weekly Update for the Week Ending March 11th., 2025
    2025/03/12

    EP 233

    This week... is seized Crypto Linked to LastPass? Feds pocket $23M in hot crypto—but with hackers still sitting on hundreds of millions, it’s like finding loose change in the couch.
    Signal’s boss says our ‘magic AI butler’ needs root access to everything. What could possibly go wrong?
    AI is Reshaping Tech Jobs, and with nearly one in four tech gigs demanding AI skills, either learn to talk to robots or prepare to serve them coffee.
    Your Bluetooth toaster might secretly be dialing up hackers—because who doesn’t love a little espionage with their morning bagel?
    With the UK quietly removing encryption advice, Brits wake up to find official security tips gone, like a polite note saying ‘We’d prefer you in clear text, chaps.’
    Indian tax officials are granted sweeping digital access and can now dig through socials, emails, and maybe grandma’s recipe folder. Nothing’s sacred if there’s tax to be had.
    Elon’s empire takes another DDoS beating—Dark Storm claims credit, X users just want their snarky tweets back.
    We finish with the discovery of a Fake Website Spewing AI Slop that topped Google Search. AI conjures space fantasies that outrank real news and it turns out that even Google can’t spot the Millennium Falcon imposter.
    Let's keep it safe.


    Find the full transcript to this podcast here.

    19 min