Government

CISA Loses Another Senior Exec (theregister.com)

An anonymous reader quotes a report from The Register: The US Cybersecurity and Infrastructure Security Agency has lost another senior leader: executive director Bridget Bean departed on Wednesday. Bean, who served as the de facto agency boss for five months between former CISA director Jen Easterly's departure in January and Madhu Gottumukkala's appointment to the deputy director post last month, said she was "officially retiring from Federal service once again" in a LinkedIn post. "My time at CISA has been truly remarkable," she wrote. "Having had the privilege to serve as the Senior Official Performing the Duties of Director of CISA for 5 months has been a profound honor."

CISA's executive leadership page now lists Gottumukkala as its acting director, and the agency remains without a Senate-confirmed leader. President Trump nominated Sean Plankey to serve as the agency's director, and his nomination is scheduled for consideration (PDF) by the Senate's Homeland Security and Governmental Affairs Committee today. However, his appointment still requires a full Senate vote. Senator Ron Wyden (D-OR) has said he will continue to block Plankey's confirmation until CISA releases an unclassified report on American telecommunications networks' weak security.

At the time of her departure, Bean had spent three and a half years with CISA and more than three decades with the federal government, including a job as the Federal Emergency Management Agency's third-ranking official. Before accepting the executive director post, she was CISA's first chief integration officer. In this position, she "led the integration of the agency's operations and ensured CISA's frontline of regional staff seamlessly supported the critical infrastructure that Americans rely on every hour of every day," according to her bio on the agency's website. [...] Bean's retirement comes during a talent exodus from CISA -- and other federal government agencies -- with some folks getting fired and others taking the Trump administration's buyout offer to resign from public service. As of May 30, the heads of five of CISA's six operational divisions and six of its 10 regional offices had left the agency, and around 1,000 people, nearly one-third of its total staff, have reportedly left CISA since Trump took office.

AI

Barbie Goes AI As Mattel Teams With OpenAI To Reinvent Playtime (nerds.xyz)

BrianFagioli writes: Barbie is getting a brain upgrade. Mattel has officially partnered with OpenAI in a move that brings artificial intelligence to the toy aisle. Yes, you read that right, folks. Barbie might soon be chatting with your kids in full sentences, powered by ChatGPT.

This collaboration brings OpenAI's advanced tools into Mattel's ecosystem of toys and entertainment brands. The goal? To launch AI-powered experiences that are fun, safe, and age-appropriate. Mattel says it wants to keep things magical while also respecting privacy and security. Basically, Barbie won't be data-mining your kids... yet.

China

More Than a Dozen VPN Apps Have Undisclosed Ties To China (thehill.com)

More than a dozen private browsing apps on Apple and Google's app stores have undisclosed ties to Chinese companies, leaving user data at risk of exposure to the Chinese government, according to a new report from the Tech Transparency Project. From a report: Thirteen virtual private network (VPN) apps on Apple's App Store and 11 apps on Google's Play Store have ties to Chinese companies, the tech watchdog group said in the report released Thursday.

Chinese law requires Chinese companies to share data with the government upon request, creating privacy and security risks for American users. Several of the apps, including two on both app stores and two others on Google Play Store, have ties to Chinese cybersecurity firm Qihoo 360, which has been sanctioned by the U.S. government, according to the report. The Tech Transparency Project previously identified more than 20 VPN apps on Apple's App Store with Chinese ties in an April report. The iPhone maker has since removed three apps linked to Qihoo 360.

Google

AOSP Isn't Dead, But Google Just Landed a Huge Blow To Custom ROM Developers (androidauthority.com)

Google has removed device trees and driver binaries for Pixel phones from the Android 16 source code release, significantly complicating custom ROM development for those devices. The Android-maker intentionally omitted these resources as it shifts its Android Open Source Project reference target from Pixel hardware to a virtual device called "Cuttlefish."

The change forces custom ROM developers to reverse-engineer configurations they previously received directly from Google. Nolen Johnson from LineageOS said the process will become "painful," requiring developers to "blindly guess and reverse engineer from the prebuilt binaries what changes are needed each month." Google also squashed the Pixel kernel source code's commit history, eliminating another reference point developers used for features and security patches.

Google VP Seang Chau dismissed speculation that AOSP itself is ending, stating the project "is NOT going away." However, the changes effectively bring Pixel devices down to the same difficult development level as other Android phones.

Microsoft

Denmark Is Dumping Microsoft Office and Windows For LibreOffice and Linux (zdnet.com)

An anonymous reader quotes a report from ZDNet: Denmark's Minister of Digitalization, Caroline Stage, has announced that the Danish government will start moving away from Microsoft Office to LibreOffice. Why? It's not because open-source is better, although I would argue that it is, but because Denmark wants to claim "digital sovereignty." In the States, you probably haven't heard that phrase, but in the European Union, digital sovereignty is a big deal and getting bigger.

A combination of security, economic, political, and societal imperatives is driving the EU's digital sovereignty moves. EU leaders are seeking to reduce Europe's dependence on foreign technology providers, primarily those from the United States, and to assert greater control over its digital infrastructure, data, and technological future. Why? Because they're concerned about who controls European data, who sets the rules, and who can potentially cut off access to essential services in times of geopolitical tension.

"Money issues have also played a decisive role," writes ZDNet's Steven Vaughan-Nichols. "Copenhagen's Microsoft software bill has soared from 313 million kroner in 2018 to 538 million kroner -- about $53 million in 2023, a 72% increase in just five years."

David Heinemeier Hansson (DHH), a Dane, inventor of Ruby on Rails, and co-owner of the software developer company 37Signals, has said: "Denmark is one of the most highly digitalized countries in the world. It's also one of the most Microsoft-dependent. In fact, Microsoft is by far and away the single biggest dependency, so it makes perfect sense to start the quest for digital sovereignty there."

OS X

Apple Quietly Launches Container On GitHub To Bring Linux Development To macOS (nerds.xyz)

BrianFagioli shares a report from NERDS.xyz: Apple has released a new developer tool on GitHub called Container, offering a fresh approach to running Linux containers directly on macOS. Unlike Docker or Podman, this tool is designed to feel at home in the Apple ecosystem and hooks into frameworks already built into the operating system. Container runs standard OCI images, but it doesn't use a single shared Linux VM. Instead, it creates a small Linux virtual machine for every container you spin up. That sounds heavy at first, but the VMs are lightweight and boot quickly. Each one is isolated, which Apple claims improves both security and privacy. Developers can run containerized workloads locally with native macOS support and without needing to install third-party container platforms.

Biotech

23andMe Says 15% of Customers Asked To Delete Their Genetic Data Since Bankruptcy (techcrunch.com)

Since filing for bankruptcy in March, 23andMe has received data deletion requests from 1.9 million users -- around 15% of its customer base. That number was revealed by 23andMe's interim chief executive Joseph Selsavage during a House Oversight Committee hearing, during which lawmakers scrutinized the company's sale following an earlier bankruptcy auction. "The bankruptcy sparked concerns that the data of millions of Americans who used 23andMe could end up in the hands of an unscrupulous buyer, prompting customers to ask the company to delete their data," adds TechCrunch. From the report: Pharmaceutical giant Regeneron won the court-approved auction in May, offering $256 million for 23andMe and its banks of customers' DNA and genetic data. Regeneron said it would use the 23andMe data to aid the discovery of new drugs, and committed to maintain 23andMe's privacy practices. Truly deleting your personal genetic information from the DNA testing company is easier said than done. But if you were a 23andMe customer and are interested, MIT Technology Review outlines the steps you can take.

China

Hong Kong Bans Video Game Using National Security Laws (engadget.com)

Hong Kong authorities have invoked national security laws for the first time to ban the Taiwan-made video game Reversed Front: Bonfire, accusing it of promoting "secessionist agendas, such as 'Taiwan independence' and 'Hong Kong independence.'" Engadget reports: Reversed Front: Bonfire was developed by a group known as ESC Taiwan, who are outspoken critics of China's Communist Party. The game disappeared from the Apple App Store in Hong Kong less than 24 hours after authorities issued the warning. Google already removed the game from the Play Store back in May, because players were using hate speech as part of their usernames. ESC Taiwan told The New York Times that the game's removal shows that apps like theirs are subject to censorship in mainland China. The group also thanked authorities for the free publicity on Facebook, as the game experienced a surge in Google searches.

The game uses anime-style illustrations and allows players to fight against China's Communist Party by taking on the role of "propagandists, patrons, spies or guerrillas" from Hong Kong, Taiwan, Tibet, Mongolia and Xinjiang, which is home to ethnic minorities like the Uyghur. That said, they can also choose to play as government soldiers. In its warning, Hong Kong Police said that anybody who shares or recommends the game on the internet may be committing several offenses, including "incitement to secession," "incitement to subversion" and "offenses in connection with seditious intention." Anybody who has downloaded the game will be considered in "possession of a publication that has a seditious intention," and anybody who provides financial assistance to it will be violating national security laws, as well. "Those who have downloaded the application should uninstall it immediately and must not attempt to defy the law," the authorities wrote.

Businesses

Airlines Don't Want You to Know They Sold Your Flight Data to DHS

An anonymous reader shares a report: A data broker owned by the country's major airlines, including Delta, American Airlines, and United, collected U.S. travellers' domestic flight records, sold access to them to Customs and Border Protection (CBP), and then as part of the contract told CBP to not reveal where the data came from, according to internal CBP documents obtained by 404 Media. The data includes passenger names, their full flight itineraries, and financial details.

CBP, a part of the Department of Homeland Security (DHS), says it needs this data to support state and local police to track people of interest's air travel across the country, in a purchase that has alarmed civil liberties experts. The documents reveal for the first time in detail why at least one part of DHS purchased such information, and comes after Immigration and Customs Enforcement (ICE) detailed its own purchase of the data. The documents also show for the first time that the data broker, called the Airlines Reporting Corporation (ARC), tells government agencies not to mention where it sourced the flight data from.

"The big airlines -- through a shady data broker that they own called ARC -- are selling the government bulk access to Americans' sensitive information, revealing where they fly and the credit card they used," Senator Ron Wyden said in a statement. ARC is owned and operated by at least eight major U.S. airlines, other publicly released documents show. The company's board of directors include representatives from Delta, Southwest, United, American Airlines, Alaska Airlines, JetBlue, and European airlines Lufthansa and Air France, and Canada's Air Canada. More than 240 airlines depend on ARC for ticket settlement services.

Encryption

WhatsApp Moves To Support Apple Against UK Government's Data Access Demands (bbc.com)

WhatsApp has applied to submit evidence in Apple's legal battle against the UK Home Office over government demands for access to encrypted user data. The messaging platform's boss Will Cathcart told the BBC the case "could set a dangerous precedent" by "emboldening other nations" to seek to break encryption protections.

The confrontation began when Apple received a secret Technical Capability Notice from the Home Office earlier this year demanding the right to access data from its global customers for national security purposes. Apple responded by first pulling its Advanced Data Protection system from the UK, then taking the government to court to overturn the request.

Cathcart said WhatsApp "would challenge any law or government request that seeks to weaken the encryption of our services." US Director of National Intelligence Tulsi Gabbard has called the UK's demands an "egregious violation" of American citizens' privacy rights.

Security

Trump Quietly Throws Out Biden's Cyber Policies (axios.com)

An anonymous reader quotes a report from Axios: President Trump quietly took a red pen to much of the Biden administration's cyber legacy in a little-noticed move late Friday. Under an executive order signed just before the weekend, Trump is tossing out some of the major touchstones of Biden's cyber policy legacy -- while keeping a few others. The order preserves efforts around post-quantum cryptography, advanced encryption standards, and border gateway protocol security, along with the Cyber Trust Mark program -- an Energy Star-type labeling initiative for consumer smart devices. But hallmark programs tied to software bills of materials, zero-trust implementation, and space contractor cybersecurity requirements have been either rescinded or left in limbo. The new executive order amends both the Biden cyber executive order signed in January and an Obama administration order.

Each of the following Biden-era programs is now out the door or significantly rolled back:
- A broad requirement for federal software vendors to provide a software bill of materials - essentially an ingredient list of code components - is gone.
- Biden-era efforts to encourage federal agencies to accept digital identity documents and help states develop mobile driver's licenses were revoked.
- Several AI cybersecurity research mandates, including those focused on AI-generated code security and AI-driven patch management pilots, have been scrapped or deprioritized.
- The requirement that software contractors formally attest they followed secure development practices - and submit those attestations to a federal repository - has been cut. Instead, the National Institute of Standards and Technology will now coordinate a new industry consortium to review software security guidelines.

The Internet

40,000 IoT Cameras Worldwide Stream Secrets To Anyone With a Browser

Connor Jones reports via The Register: Security researchers managed to access the live feeds of 40,000 internet-connected cameras worldwide and they may have only scratched the surface of what's possible. Supporting the bulletin issued by the Department of Homeland Security (DHS) earlier this year, which warned of exposed cameras potentially being used in Chinese espionage campaigns, the team at Bitsight was able to tap into feeds of sensitive locations. The US was the most affected region, with around 14,000 of the total feeds streaming from the country, allowing access to the inside of datacenters, healthcare facilities, factories, and more. Bitsight said these feeds could potentially be used for espionage, mapping blind spots, and gleaning trade secrets, among other things.

Aside from the potential national security implications, cameras were also accessed in hotels, gyms, construction sites, retail premises, and residential areas, which the researchers said could prove useful for petty criminals. Monitoring the typical patterns of activity in retail stores, for example, could inform robberies, while monitoring residences could be used for similar purposes, especially considering the privacy implications.

"It should be obvious to everyone that leaving a camera exposed on the internet is a bad idea, and yet thousands of them are still accessible," said Bitsight in a report. "Some don't even require sophisticated hacking techniques or special tools to access their live footage in unintended ways. In many cases, all it takes is opening a web browser and navigating to the exposed camera's interface."

HTTP-based cameras accounted for 78.5 percent of the total 40,000 sample, while RTSP feeds were comparatively less open, accounting for only 21.5 percent.

To protect yourself or your company, Bitsight says you should secure your surveillance cameras by changing default passwords, disabling unnecessary remote access, updating firmware, and restricting access with VPNs or firewalls. Regularly monitoring for unusual activity also helps to prevent your footage from being exposed online.

Network

Cisco Updates Networking Products in Bid To Tap AI-Fueled Demand (bloomberg.com)

Cisco is updating its networking and security products to make AI networks speedier and more secure, part of a broader push to capitalize on the AI spending boom. From a report: A new generation of switches -- networking equipment that links computer systems -- will offer a 10-fold improvement in performance, the company said on Tuesday. That will help prevent AI applications from suffering bottlenecks when transferring data, Cisco said. Networking speed has become a bigger issue as data center operators try to manage a flood of AI information -- both in the cloud and within the companies' own facilities. Slowdowns can hinder AI models, Cisco President and Chief Product Officer Jeetu Patel said in an interview. That applies to the development phase -- known as training -- and the operation of the models, a stage called inference. A massive build-out of data centers has made Cisco more relevant, he said. "AI is going to be network-bound, both on training and inference," Patel said. Having computer processors sit idle during training because of slow networks is "just throwing away money."

Desktops (Apple)

Apple Will End Support For Intel Macs Next Year (9to5mac.com)

Apple announced that macOS 26 "Tahoe" will be the final version to support Intel-based Macs, with future macOS releases running exclusively on Apple Silicon devices (that is, 2020 M1 models and newer). They will, however, continue to receive security updates for a few more years. 9to5Mac reports: In some ways, Apple has already stopped supporting some non-Apple Silicon models of its lineup. macOS Tahoe does not work with any Intel MacBook Air or Mac mini for instance. But Tahoe does still support some Intel Macs. That includes compatibility with the 2019 16-inch MacBook Pro, the 2020 Intel 13-inch MacBook Pro, 2020 iMac, and the 2019 Mac Pro.

Based on Apple's warning, you can expect that macOS 27 will drop support for all of these legacy machines, and therefore macOS 26 will be the last compatible version. These devices will continue to receive security updates for another three years, however. Going forward, the minimum supported hardware generation will be 2020 onwards, as that is when Apple began the Apple Silicon transition with the M1. M1 Pro and M1 Max MacBook Pros followed in 2021.

United States

Major US Grocery Distributor Warns of Disruption After Cyberattack (techcrunch.com)

United Natural Foods (UNFI), a major distributor of groceries to Whole Foods and other retailers, said on Monday that it was hit by a cyberattack, warning of disruptions to its ability to fulfill and distribute customer orders. From a report: UNFI said in a Monday filing with the U.S. Securities and Exchange Commission that it became aware of unauthorized access to its IT systems last Thursday, and began shutting down portions of its network. The filing added that the company has "implemented workarounds for certain operations in order to continue servicing its customers where possible," but noted that the intrusion has caused ongoing disruptions to its business operations.

The Providence, Rhode Island-based company is one of the largest grocery distributors in North America, selling fresh produce, goods, and food products to more than 30,000 stores and supermarket locations across the U.S. and Canada. UNFI also serves as the "primary distributor" to Whole Foods, the Amazon-owned grocery chain. Last year, the two companies extended their long-running contract until May 2032.

Security

A Researcher Figured Out How To Reveal Any Phone Number Linked To a Google Account (wired.com)

A cybersecurity researcher was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media's own tests. From a report: The issue has since been fixed but at the time presented a privacy issue in which even hackers with relatively few resources could have brute forced their way to people's personal information. "I think this exploit is pretty bad since it's basically a gold mine for SIM swappers," the independent security researcher who found the issue, who goes by the handle brutecat, wrote in an email.

[...] In mid-April, we provided brutecat with one of our personal Gmail addresses in order to test the vulnerability. About six hours later, brutecat replied with the correct and full phone number linked to that account. "Essentially, it's bruting the number," brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the ones they're after. Typically that's in the context of finding someone's password, but here brutecat is doing something similar to determine a Google user's phone number.

Brutecat said in an email the brute forcing takes around one hour for a U.S. number, or 8 minutes for a UK one. For other countries, it can take less than a minute, they said. In an accompanying video demonstrating the exploit, brutecat explains an attacker needs the target's Google display name. They find this by first transferring ownership of a document from Google's Looker Studio product to the target, the video says. They say they modified the document's name to be millions of characters, which ends up with the target not being notified of the ownership switch. Using some custom code, which they detailed in their write-up, brutecat then barrages Google with guesses of the phone number until getting a hit.

Government

Russian Spies Are Analyzing Data From China's WeChat App (nytimes.com)

An anonymous reader shared this report from The New York Times: Russian counterintelligence agents are analyzing data from the popular Chinese messaging and social media app WeChat to monitor people who might be in contact with Chinese spies, according to a Russian intelligence document obtained by The New York Times. The disclosure highlights the rising level of concern about Chinese influence in Russia as the two countries deepen their relationship. As Russia has become isolated from the West over its war in Ukraine, it has become increasingly reliant on Chinese money, companies and technology. But it has also faced what the document describes as increased Chinese espionage efforts.

The document indicates that the Russian domestic security agency, known as the F.S.B., pulls purloined data into an analytical tool known as "Skopishche" (a Russian word for a mob of people). Information from WeChat is among the data being analyzed, according to the document... One Western intelligence agency told The Times that the information in the document was consistent with what it knew about "Russian penetration of Chinese communications...." By design, [WeChat] does not use end-to-end encryption to protect user data. That is because the Chinese government exercises strict control over the app and relies on its weak security to monitor and censor speech. Foreign intelligence agencies can exploit that weakness, too...

WeChat was briefly banned in Russia in 2017, but access was restored after Tencent took steps to comply with laws requiring foreign digital platforms above a certain size to register as "organizers of information dissemination." The Times confirmed that WeChat is currently licensed by the government to operate in Russia. That license would require Tencent to store user data on Russian servers and to provide access to security agencies upon request.

Advertising

Washington Post's Privacy Tip: Stop Using Chrome, Delete Meta's Apps (and Yandex) (msn.com)

Meta's Facebook and Instagram apps "were siphoning people's data through a digital back door for months," writes a Washington Post tech columnist, citing researchers who found no privacy setting could've stopped what Meta and Yandex were doing, since those two companies "circumvented privacy and security protections that Google set up for Android devices."

"But their tactics underscored some privacy vulnerabilities in web browsers or apps. These steps can reduce your risks." Stop using the Chrome browser. Mozilla's Firefox, the Brave browser and DuckDuckGo's browser block many common methods of tracking you from site to site. Chrome, the most popular web browser, does not... For iPhone and Mac folks, Safari also has strong privacy protections. It's not perfect, though. No browser protections are foolproof. The researchers said Firefox on Android devices was partly susceptible to the data harvesting tactics they identified, in addition to Chrome. (DuckDuckGo and Brave largely did block the tactics, the researchers said....)

Delete Meta and Yandex apps on your phone, if you have them. The tactics described by the European researchers showed that Meta and Yandex are unworthy of your trust. (Yandex is not popular in the United States.) It might be wise to delete their apps, which give the companies more latitude to collect information that websites generally cannot easily obtain, including your approximate location, your phone's battery level and what other devices, like an Xbox, are connected to your home WiFi.

Know, too, that even if you don't have Meta apps on your phone, and even if you don't use Facebook or Instagram at all, Meta might still harvest information on your activity across the web.

Australia

Apple Warns Australia Against Joining EU In Mandating iPhone App Sideloading (neowin.net)

Apple has urged Australia not to follow the European Union in mandating iPhone app sideloading, warning that such policies pose serious privacy and security risks. "This communication comes as the Australian federal government considers new rules that could force Apple to open up its iOS ecosystem, much like what happened in Europe with recent legislation," notes Neowin. Apple claims that allowing alternative app stores has led to increased exposure to malware, scams, and harmful content. From the report: Apple, in its response to this Australian paper (PDF), stated that Australia should not use the EU's Digital Markets Act "as a blueprint". The company's core argument is that the changes mandated by the EU's DMA, which came into full effect in March 2024, introduce serious security and privacy risks for users. Apple claims that allowing sideloading and alternative app stores effectively opens the door for malware, fraud, scams, and other harmful content. The tech company also highlighted specific concerns from its European experience, alleging that its compliance there has led to users being able to install pornography apps and apps that facilitate copyright infringement, things its curated App Store aims to prevent. Apple maintains that its current review process is vital for user protection, and that its often criticized 30% commission applies mainly to the highest earning apps, with most developers paying a lower 15% rate or nothing.

Open Source

Linux Foundation Tries To Play Peacemaker In Ongoing WordPress Scuffle (theregister.com)

The Register's Thomas Claburn reports: The Linux Foundation on Friday introduced a new method to distribute WordPress updates and plugins that's not controlled by any one party, in a bid to "stabilize the WordPress ecosystem" after months of infighting. The FAIR Package Manager project is a response to the legal brawl that erupted last year, pitting WordPress co-creator Matthew Mullenweg, his for-profit hosting firm Automattic, and the WordPress Foundation that he controls, against WP Engine, a rival commercial WordPress hosting firm. [...]

The Linux Foundation says the FAIR Package Manager, a mechanism for distributing open-source WordPress plugins, "eliminates reliance on any single source for core updates, plugins, themes, and more, unites a fragmented ecosystem by bringing together plugins from any source, and builds security into the supply chain." In other words, it can't be weaponized against the WordPress community because it won't be controlled by any one entity. "The FAIR Package Manager project paves the way for the stability and growth of open source content management, giving contributors and businesses additional options governed by a neutral community," said Jim Zemlin, Executive Director of the Linux Foundation, in a canned press statement. "We look forward to the growth in community and contributions this important project attracts."

The FAIR Package Manager repo explains the software's purpose more succinctly. The software "is a decentralized alternative to the central WordPress.org plugin and theme ecosystem, designed to return control to WordPress hosts and developers. It operates as a drop-in WordPress plugin, seamlessly replacing existing centralized services with a federated, open-source infrastructure." In addition to providing some measure of stability, the Linux Foundation sees the FAIR Package Manager as advancing WordPress' alignment with Europe's General Data Protection Regulation by reducing automatic browser data transmission and telemetry sent to commercial entities, while also supporting modern security practices and strengthening the open source software supply chain.
