Iphone

Apple Fixes Zero-Day Exploited In 'Extremely Sophisticated' Attacks (bleepingcomputer.com) 8

Apple has released emergency security updates for iOS 18.3.1 and iPadOS 18.3.1 to patch a zero-day vulnerability (CVE-2025-24200) that was exploited in "extremely sophisticated," targeted attacks. The flaw, which allowed a physical attack to disable USB Restricted Mode on locked devices, was discovered by Citizen Lab and may have been used in spyware campaigns; users are strongly advised to install the update immediately. BleepingComputer reports: USB Restricted Mode is a security feature (introduced almost seven years ago in iOS 11.4.1) that blocks USB accessories from creating a data connection if the device has been locked for over an hour. This feature is designed to block forensic software like Graykey and Cellebrite (commonly used by law enforcement) from extracting data from locked iOS devices.

In November, Apple introduced another security feature (dubbed "inactivity reboot") that automatically restarts iPhones after long idle times to re-encrypt data and make it harder to extract by forensic software. The zero-day vulnerability (tracked as CVE-2025-24200 and reported by Citizen Lab's Bill Marczak) patched today by Apple is an authorization issue addressed in iOS 18.3.1 and iPadOS 18.3.1 with improved state management.

The list of devices this zero-day impacts includes: - iPhone XS and later,
- iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later

AMD

How To Make Any AMD Zen CPU Always Generate 4 As a Random Number (theregister.com) 62

Slashdot reader headlessbrick writes: Google security researchers have discovered a way to bypass AMD's security, enabling them to load unofficial microcode into its processors and modify the silicon's behaviour at will. To demonstrate this, they created a microcode patch that forces the chips to always return 4 when asked for a random number.

Beyond simply allowing Google and others to customize AMD chips for both beneficial and potentially malicious purposes, this capability also undermines AMD's secure encrypted virtualization and root-of-trust security mechanisms.

Obligatory XKCD.
Crime

California Tech Founder Admits to Defrauding $4M For His Luxury Lifestyle (sfgate.com) 47

The tech startup "purported to make smart home and business products," writes America's Justice Department — products that were "meant to stop package theft, prevent weather damage to packages, and make it easier for emergency responders and delivery services to find homes and businesses." Royce Newcomb "developed prototypes of his products and received local and national media attention for them. For example, Time Magazine included his eLiT Address Box & Security System, which used mobile networks to pinpoint home and business locations, on its Best Inventions of 2021 list."

But then he told investors he'd also received a grant by the National Science Foundation — one of "several false representations to his investors to deceive and cheat them out of their money... Newcomb used the money to pay for gambling, a Mercedes and Jaguar, and a mansion." He also used the money to pay for refunds to other investors who wanted out, and to pay for new, unrelated projects without the investors' authorization. During this period, Newcomb also received a fraudulent COVID-19 loan for more than $70,000 from the Small Business Administration and fraudulent loans for more than $190,000 from private lenders. He lied about Strategic Innovations having hundreds of thousands and even millions in revenue to get these loans.

Newcomb was previously convicted federally in 2011 for running a real estate fraud scheme in Sacramento. He was sentenced to more than five years in prison for that offense, and he was on federal supervised release for that offense when he committed the offenses charged in this case... Newcomb faces maximum statutory penalties of 20 years in prison and a $250,000 fine for the wire fraud charge, and 10 years in prison and a $250,000 fine for the money laundering charge...

This effort is part of a California COVID-19 Fraud Enforcement Strike Force operation, one of five interagency COVID-19 fraud strike force teams established by the U.S. Department of Justice.

SFGate writes that "Despite receiving significant funding, his startup, Strategic Innovations, never made a dime or released any products to market, according to legal documents." The owner of a California tech startup has pleaded guilty to stealing over $4 million from investors, private lenders and the U.S. government in order to live a luxurious lifestyle, the United States Attorney's Office announced Monday... When investors asked about product delays and when they'd be paid back, Newcomb made excuses and provided conflicting info, telling them that there were supply chain issues or software problems, according to the indictment. In reality, federal prosecutors said, he was using the money to travel and continue to make these lavish personal expenses.
AI

DeepSeek IOS App Sends Data Unencrypted To ByteDance-Controlled Servers (arstechnica.com) 68

An anonymous Slashdot reader quotes a new article from Ars Technica: On Thursday, mobile security company NowSecure reported that [DeepSeek] sends sensitive data over unencrypted channels, making the data readable to anyone who can monitor the traffic. More sophisticated attackers could also tamper with the data while it's in transit. Apple strongly encourages iPhone and iPad developers to enforce encryption of data sent over the wire using ATS (App Transport Security). For unknown reasons, that protection is globally disabled in the app, NowSecure said. What's more, the data is sent to servers that are controlled by ByteDance, the Chinese company that owns TikTok...

[DeepSeek] is "not equipped or willing to provide basic security protections of your data and identity," NowSecure co-founder Andrew Hoog told Ars. "There are fundamental security practices that are not being observed, either intentionally or unintentionally. In the end, it puts your and your company's data and identity at risk...." This data, along with a mix of other encrypted information, is sent to DeepSeek over infrastructure provided by Volcengine a cloud platform developed by ByteDance. While the IP address the app connects to geo-locates to the US and is owned by US-based telecom Level 3 Communications, the DeepSeek privacy policy makes clear that the company "store[s] the data we collect in secure servers located in the People's Republic of China...."

US lawmakers began pushing to immediately ban DeepSeek from all government devices, citing national security concerns that the Chinese Communist Party may have built a backdoor into the service to access Americans' sensitive private data. If passed, DeepSeek could be banned within 60 days.

Chrome

Google's 7-Year Slog To Improve Chrome Extensions Still Hasn't Satisfied Developers (theregister.com) 30

The Register's Thomas Claburn reports: Google's overhaul of Chrome's extension architecture continues to pose problems for developers of ad blockers, content filters, and privacy tools. [...] While Google's desire to improve the security, privacy, and performance of the Chrome extension platform is reasonable, its approach -- which focuses on code and permissions more than human oversight -- remains a work-in-progress that has left extension developers frustrated.

Alexei Miagkov, senior staff technology at the Electronic Frontier Foundation, who oversees the organization's Privacy Badger extension, told The Register, "Making extensions under MV3 is much harder than making extensions under MV2. That's just a fact. They made things harder to build and more confusing." Miagkov said with Privacy Badger the problem has been the slowness with which Google addresses gaps in the MV3 platform. "It feels like MV3 is here and the web extensions team at Google is in no rush to fix the frayed ends, to fix what's missing or what's broken still." According to Google's documentation, "There are currently no open issues considered a critical platform gap," and various issues have been addressed through the addition of new API capabilities.

Miagkov described an unresolved problem that means Privacy Badger is unable to strip Google tracking redirects on Google sites. "We can't do it the correct way because when Google engineers design the [chrome.declarativeNetRequest API], they fail to think of this scenario," he said. "We can do a redirect to get rid of the tracking, but it ends up being a broken redirect for a lot of URLs. Basically, if the URL has any kind of query string parameters -- the question mark and anything beyond that -- we will break the link." Miagkov said a Chrome developer relations engineer had helped identify a workaround, but it's not great. Miagkov thinks these problems are of Google's own making -- the company changed the rules and has been slow to write the new ones. "It was completely predictable because they moved the ability to fix things from extensions to themselves," he said. "And now they need to fix things and they're not doing it."

Privacy

OpenAI Investigating Claim of 20 Million Stolen User Credentials 15

OpenAI says it's investigating after a hacker claimed to have stolen login credentials for 20 million OpenAI accounts and advertised the data for sale on a dark web forum. Though security researchers doubt on the legitimacy of the breach, the AI company stated that it takes the claims seriously, advising users to enable two-factor authentication and stay vigilant against phishing attempts. Decrypt reports: Daily Dot reporter Mikael Thalan wrote on X that he found invalid email addresses in the supposed sample data: "No evidence (suggests) this alleged OpenAI breach is legitimate. At least two addresses were invalid. The user's only other post on the forum is for a stealer log. Thread has since been deleted as well."

"We take these claims seriously," the spokesperson said, adding: "We have not seen any evidence that this is connected to a compromise of OpenAI systems to date."
Medicine

US Health System Notifies 882,000 Patients of August 2023 Breach 8

An anonymous reader quotes a report from BleepingComputer: Hospital Sisters Health System notified over 882,000 patients that an August 2023 cyberattack led to a data breach that exposed their personal and health information. Established in 1875, HSHS works with over 2,200 physicians and has around 12,000 employees. It also operates a network of physician practices and 15 local hospitals across Illinois and Wisconsin, including two children's hospitals. The non-profit healthcare system said in data breach notifications sent to those impacted that the incident was discovered on August 27, 2023, after detecting that the attacker had gained access to HSHS' network.

After the security breach, its systems were also impacted by a widespread outage that took down "virtually all operating systems" and phone systems across Illinois and Wisconsin hospitals. HSHS also hired external security experts to investigate the attack, assess its impact, and help its IT team restore affected systems. [...] While the incident and the resulting outage have all the signs of a ransomware attack, no ransomware operation has claimed the breach. Following the forensic investigation, HSHS found that the attackers had accessed files on compromised systems between August 16 and August 27, 2023.

The information accessed by the threat actors while inside HSHS' systems varies for each impacted individual, and it includes a combination of name, address, date of birth, medical record number, limited treatment information, health insurance information, Social Security number, and/or driver's license number. While HSHS added that there is no evidence that the victims' information has been used in fraud or identity theft attempts, it warned affected individuals to monitor their account statements and credit reports for suspicious activity. The health system also offers those affected by the breach one year of free Equifax credit monitoring.
The Internet

India To Launch New Domain Name For Banks To Fight Digital Fraud (techcrunch.com) 8

An anonymous reader shares a report: India's central bank is introducing an exclusive ".bank.in" domain for banks from April 2025 as part of efforts to combat rising digital payment frauds and bolster trust in online banking services.

[...] The central bank plans to roll out a separate 'fin.in' domain for non-bank financial institutions. "Increased instances of fraud in digital payments are a significant concern," said RBI Governor Sanjay Malhotra, adding that the new domain system aims to reduce cyber security threats and malicious activities like phishing.

Security

Phishing Tests, the Bane of Work Life, Are Getting Meaner (msn.com) 99

U.S. employers are deploying increasingly aggressive phishing tests to combat cyber threats, sparking backlash from workers who say the simulated scams create unnecessary panic and distrust in the workplace. At the University of California, Santa Cruz, a test email about a fake Ebola outbreak sent staff scrambling before learning it was a security drill. At Lehigh Valley Health Network, employees who fall for phishing tests lose external email access, with termination possible after three failures.

Despite widespread use, recent studies question these tests' effectiveness. Research from ETH Zurich found that phishing tests combined with voluntary training actually made employees more vulnerable, while a University of California, San Diego study showed only a 2% reduction [PDF] in phishing success rates. "These are just an ineffective and inefficient way to educate users," said Grant Ho, who co-authored the UCSD study.
Security

'Zombie Devices' Raise Cybersecurity Alarm as Consumers Ignore Smart Tech Expiry Dates 54

A survey of 2,130 Americans has revealed widespread vulnerability to cyber attacks through unsupported smart devices, with 43% unaware their devices might lose software support. The security threat was underscored in December 2023 when U.S. authorities disrupted a Chinese state-sponsored botnet targeting home routers and cameras that had stopped receiving security updates. Cloudflare separately reported a record-breaking DDoS attack in late 2023, primarily originating from compromised smart TVs and set-top boxes.

The survey, conduced by Consumer Reports, found that only 39% of consumers learned about lost software support from manufacturers, with most discovering issues when devices stopped working (40%) or through media reports (15%). Most consumers expect their smart devices to retain functionality after losing software support, particularly for large appliances (70%). However, Consumer Reports' research found only 14% of 21 smart appliance brands specify support timeframes, while an FTC study of 184 devices showed just 11% disclose support duration.
Encryption

UK Orders Apple To Let It Spy on Users' Encrypted Accounts (msn.com) 96

The UK government has ordered Apple to create a backdoor allowing access to encrypted cloud backups of users worldwide, Washington Post reported Friday, citing multiple sources familiar with the matter. The unprecedented demand, issued last month through a technical capability notice under the UK Investigatory Powers Act, requires Apple to provide blanket access to fully encrypted material rather than assistance with specific accounts.

Apple is likely to discontinue its encrypted storage service in the UK rather than compromise user security globally, the report said. The company would still face pressure to provide backdoor access for users in other countries, including the United States. The order was issued under Britain's 2016 Investigatory Powers Act, which makes it illegal to disclose such government demands, according to the report. While Apple can appeal to a secret technical panel and judge, the law requires compliance during any appeal process. The company told Parliament in March that the UK government should not have authority to decide whether global users can access end-to-end encryption.
Security

Ransomware Payments Dropped 35% In 2024 (therecord.media) 44

An anonymous reader quotes a report from CyberScoop: Ransomware payments saw a dramatic 35% drop last year compared to 2023, even as the overall frequency of ransomware attacks increased, according to a new report released by blockchain analysis firm Chainalysis. The considerable decline in extortion payments is somewhat surprising, given that other cybersecurity firms have claimed that 2024 saw the most ransomware activity to date. Chainalysis itself warned in its mid-year report that 2024's activity was on pace to reach new heights, but attacks in the second half of the year tailed off. The total amount in payments that Chainalysis tracked in 2024 was $812.55 million, down from 2023's mark of $1.25 billion.

The disruption of major ransomware groups, such as LockBit and ALPHV/BlackCat, were key to the reduction in ransomware payments. Operations spearheaded by agencies like the United Kingdom's National Crime Agency (NCA) and the Federal Bureau of Investigation (FBI) caused significant declines in LockBit activity, while ALPHV/BlackCat essentially rug-pulled its affiliates and disappeared after its attack on Change Healthcare. [...] Additionally, [Chainalysis] says more organizations have become stronger against attacks, with many choosing not to pay a ransom and instead using better cybersecurity practices and backups to recover from these incidents. [...]
Chainalysis also says ransomware operators are letting funds sit in wallets, refraining from moving any money out of fear they are being watched by law enforcement.

You can read the full report here.
AI

DeepSeek's AI App Will 'Highly Likely' Get Banned in the US, Jefferies Says 64

DeepSeek's AI app will highly likely face a US consumer ban after topping download charts on Apple's App Store and Google Play, according to analysts at US investment bank Jefferies. The US federal government, Navy and Texas have already banned the app, and analysts expect broader restrictions using legislation similar to that targeting TikTok.

While consumer access may be blocked, US developers could still be allowed to self-host DeepSeek's model to eliminate security risks, the analysts added. Even if completely banned, DeepSeek's impact on pushing down AI costs will persist as US companies work to replicate its technology, Jefferies said in a report this week reviewed by Slashdot.

The app's pricing advantage remains significant, with OpenAI's latest o3-mini model still costing 100% more than DeepSeek's R1 despite being 63% cheaper than o1-mini. The potential ban comes amid broader US-China tech tensions. While restrictions on H20 chips appear unlikely given their limited training capabilities, analysts expect the Biden administration's AI diffusion policies to remain largely intact under Trump, with some quota increases possible for overseas markets based on their AI activity levels.
China

Researchers Link DeepSeek To Chinese Telecom Banned In US (apnews.com) 86

An anonymous reader quotes a report from the Associated Press: The website of the Chinese artificial intelligence company DeepSeek, whose chatbot became the most downloaded app in the United States, has computer code that could send some user login information to a Chinese state-owned telecommunications company that has been barred from operating in the United States, security researchers say. The web login page of DeepSeek's chatbot contains heavily obfuscated computer script that when deciphered shows connections to computer infrastructure owned by China Mobile, a state-owned telecommunications company. The code appears to be part of the account creation and user login process for DeepSeek.

In its privacy policy, DeepSeek acknowledged storing data on servers inside the People's Republic of China. But its chatbot appears more directly tied to the Chinese state than previously known through the link revealed by researchers to China Mobile. The U.S. has claimed there are close ties between China Mobile and the Chinese military as justification for placing limited sanctions on the company. [...] The code linking DeepSeek to one of China's leading mobile phone providers was first discovered by Feroot Security, a Canadian cybersecurity company, which shared its findings with The Associated Press. The AP took Feroot's findings to a second set of computer experts, who independently confirmed that China Mobile code is present. Neither Feroot nor the other researchers observed data transferred to China Mobile when testing logins in North America, but they could not rule out that data for some users was being transferred to the Chinese telecom.

The analysis only applies to the web version of DeepSeek. They did not analyze the mobile version, which remains one of the most downloaded pieces of software on both the Apple and the Google app stores. The U.S. Federal Communications Commission unanimously denied China Mobile authority to operate in the United States in 2019, citing "substantial" national security concerns about links between the company and the Chinese state. In 2021, the Biden administration also issued sanctions limiting the ability of Americans to invest in China Mobile after the Pentagon linked it to the Chinese military.
"It's mindboggling that we are unknowingly allowing China to survey Americans and we're doing nothing about it," said Ivan Tsarynny, CEO of Feroot. "It's hard to believe that something like this was accidental. There are so many unusual things to this. You know that saying 'Where there's smoke, there's fire'? In this instance, there's a lot of smoke," Tsarynny said.

Further reading: Senator Hawley Proposes Jail Time For People Who Download DeepSeek
Security

First OCR Spyware Breaches Both Apple and Google App Stores To Steal Crypto Wallet Phrases (securelist.com) 24

Kaspersky researchers have discovered malware hiding in both Google Play and Apple's App Store that uses optical character recognition to steal cryptocurrency wallet recovery phrases from users' photo galleries. Dubbed "SparkCat" by security firm ESET, the malware was embedded in several messaging and food delivery apps, with the infected Google Play apps accumulating over 242,000 downloads combined.

This marks the first known instance of such OCR-based spyware making it into Apple's App Store. The malware, active since March 2024, masquerades as an analytics SDK called "Spark" and leverages Google's ML Kit library to scan users' photos for wallet recovery phrases in multiple languages. It requests gallery access under the guise of allowing users to attach images to support chat messages. When granted access, it searches for specific keywords related to crypto wallets and uploads matching images to attacker-controlled servers.

The researchers found both Android and iOS variants using similar techniques, with the iOS version being particularly notable as it circumvented Apple's typically stringent app review process. The malware's creators appear to be Chinese-speaking actors based on code comments and server error messages, though definitive attribution remains unclear.
Windows

Microsoft's Windows 10 Extended Security Updates Will Start at $61 per PC for Businesses 70

Microsoft will charge commercial customers $61 per device in the first year to continue receiving Windows 10 security updates after support ends, The Register wrote in a PSA note Wednesday, citing text, with costs doubling each subsequent year for up to three years.

Organizations can't skip initial years to save money, as the updates are cumulative. Some users may avoid fees if they connect Windows 10 endpoints to Windows 365 Cloud PCs. The program also covers Windows 10 virtual machines running on Windows 365 or Azure Virtual Desktop for three years with an active Windows 365 subscription.
The Internet

Thailand Cuts Internet and Power Supply To Some Areas in Myanmar in Blow To Scam Centers (yahoo.com) 17

Thailand cut power supply, fuel and internet to some border areas with Myanmar on Wednesday. It's an attempt to choke scam syndicates operating out of there that have become a growing security concern. Reuters: Scam compounds in Southeast Asia are suspected to have entrapped hundreds of thousands of people in illegal online and telecom operations, generating billions of dollars annually, according to a 2023 U.N. report. Thai Interior Minister Anutin Charnvirakul visited the Provincial Electricity Authority headquarters in Bangkok on Wednesday to oversee the effort to fight the crime rings. "They may turn to other sources of power supply or generate their own electricity. In the Thai Security Council orders, it also includes the halt in supplying oil and internet to them, which means that from now on any damage that occurs will have no connection to any resources in Thailand."
Google

Google Removes Pledge To Not Use AI For Weapons From Website 58

Google has updated its public AI principles page to remove a pledge to not build AI for weapons or surveillance. TechCrunch reports: Asked for comment, the company pointed TechCrunch to a new blog post on "responsible AI." It notes, in part, "we believe that companies, governments, and organizations sharing these values should work together to create AI that protects people, promotes global growth, and supports national security." Google's newly updated AI principles note the company will work to "mitigate unintended or harmful outcomes and avoid unfair bias," as well as align the company with "widely accepted principles of international law and human rights." Further reading: Google Removes 'Don't Be Evil' Clause From Its Code of Conduct
The Internet

Popular Linux Orgs Freedesktop, Alpine Linux Are Scrambling For New Web Hosting (arstechnica.com) 26

An anonymous reader quotes a report from Ars Technica: In what is becoming a sadly regular occurrence, two popular free software projects, X.org/Freedesktop.org and Alpine Linux, need to rally some of their millions of users so that they can continue operating. Both services have largely depended on free server resources provided by Equinix (formerly Packet.net) and its Metal division for the past few years. Equinix announced recently that it was sunsetting its bare-metal sales and services, or renting out physically distinct single computers rather than virtualized and shared hardware. As reported by the Phoronix blog, both free software organizations have until the end of April to find and fund new hosting, with some fairly demanding bandwidth and development needs.

An issue ticket on Freedesktop.org's GitLab repository provides the story and the nitty-gritty needs of that project. Both the X.org foundation (home of the 40-year-old window system) and Freedesktop.org (a shared base of specifications and technology for free software desktops, including Wayland and many more) used Equinix's donated space. [...] Alpine Linux, a small, security-minded distribution used in many containers and embedded devices, also needs a new home quickly. As detailed in its blog, Alpine Linux uses about 800TB of bandwidth each month and also needs continuous integration runners (or separate job agents), as well as a development box. Alpine states it is seeking co-location space and bare-metal servers near the Netherlands, though it will consider virtual machines if bare metal is not feasible.

Crime

Senator Hawley Proposes Jail Time For People Who Download DeepSeek 226

Senator Josh Hawley has introduced a bill that would criminalize the import, export, and collaboration on AI technology with China. What this means is that "someone who knowingly downloads a Chinese developed AI model like the now immensely popular DeepSeek could face up to 20 years in jail, a million dollar fine, or both, should such a law pass," reports 404 Media. From the report: Hawley introduced the legislation, titled the Decoupling America's Artificial Intelligence Capabilities from China Act, on Wednesday of last year. "Every dollar and gig of data that flows into Chinese AI are dollars and data that will ultimately be used against the United States," Senator Hawley said in a statement. "America cannot afford to empower our greatest adversary at the expense of our own strength. Ensuring American economic superiority means cutting China off from American ingenuity and halting the subsidization of CCP innovation."

Hawley's statement explicitly says that he introduced the legislation because of the release of DeepSeek, an advanced AI model that's competitive with its American counterparts, and which its developers claimed was made for a fraction of the cost and without access to as many and as advanced of chips, though these claims are unverified. Hawley's statement called DeepSeek "a data-harvesting, low-cost AI model that sparked international concern and sent American technology stocks plummeting." Hawley's statement says the goal of the bill is to "prohibit the import from or export to China of artificial intelligence technology, "prohibit American companies from conducting AI research in China or in cooperation with Chinese companies," and "Prohibit U.S. companies from investing money in Chinese AI development."

Slashdot Top Deals