Hackers suspected of working on behalf of the Chinese government exploited a maximum-severity vulnerability, which had received a patch 16 months earlier, to compromise a telecommunications provider in Canada, officials from that country and the US said Monday. ArsTechnica: "The Cyber Centre is aware of malicious cyber activities currently targeting Canadian telecommunications companies," officials for the center, the Canadian government's primary cyber security agency, said in a statement. "The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon." The FBI issued its own nearly identical statement.

Salt Typhoon is the name researchers and government officials use to track one of several discreet groups known to hack nations all over the world on behalf of the People's Republic of China. In October 2023, researchers disclosed that hackers had backdoored more than 10,000 Cisco devices by exploiting CVE-2023-20198, a vulnerability with a maximum severity rating of 10. Any switch, router, or wireless LAN controller running Cisco's iOS XE that had the HTTP or HTTPS server feature enabled and exposed to the Internet was vulnerable. Cisco released a security patch about a week after security firm VulnCheck published its report.

The U.S. House chief administrative officer has banned WhatsApp from congressional staffers' government devices citing data vulnerability concerns. The cybersecurity office deemed the messaging app "high-risk" due to lack of transparency in data protection, absence of stored data encryption, and potential security risks, according to an email obtained by Axios.

Staff cannot download or keep WhatsApp on any House device, including mobile, desktop, or web browser versions.

The Python Software Foundation ("made up of, governed, and led by the community") does more than just host Python and its documnation, the Python Package Repository, and the development workflows of core CPython developers. This week the PSF released its 28-page Annual Impact Report this week, noting that 2024 was their first year with three CPython developers-in-residence — and "Between Lukasz, Petr, and Serhiy, over 750 pull requests were authored, and another 1,500 pull requests by other authors were reviewed and merged." Lukasz Langa co-implemented the new colorful shell included in Python 3.13, along with Pablo Galindo Salgado, Emily Morehouse-Valcarcel, and Lysandros Nikolaou.... Code-wise, some of the most interesting contributions by Petr Viktorin were around the ctypes module that allows interaction between Python and C.... These are just a few of Serhiy Storchaka's many contributions in 2024: improving error messages for strings, bytes, and bytearrays; reworking support for var-arguments in the C argument handling generator called "Argument Clinic"; fixing memory leaks in regular expressions; raising the limits for Python integers on 64-bit platforms; adding support for arbitrary code page encodings on Windows; improving complex and fraction number support...

Thanks to the investment of [the OpenSSF's security project] Alpha-Omega in 2024, our Security Developer-in-Residence, Seth Larson, continued his work improving the security posture of CPython and the ecosystem of Python packages. Python continues to be an open source security leader, evident by the Linux kernel becoming a CVE Numbering Authority using our guide as well as our publication of a new implementers guide for Trusted Publishers used by Ruby, Crates.io, and Nuget. Python was also recommended as a memory-safe programming language in early 2024 by the White House and CISA following our response to the Office of the National Cyber Directory Request for Information on open source security in 2023... Due to the increasing demand for SBOMs, Seth has taken the initiative to generate SBOM documents for the CPython runtime and all its dependencies, which are now available on python.org/downloads. Seth has also started work on standardizing SBOM documents for Python packages with PEP 770, aiming to solve the "Phantom Dependency" problem and accurately represent non-Python software included in Python packages.

With the continued investment in 2024 by Amazon Web Services Open Source and Georgetown CSET for this critical role, our PyPI Safety & Security Engineer, Mike Fiedler, completed his first full calendar year at the PSF... In March 2024, Mike added a "Report project as malware" button on the website, creating more structure to inbound reports and decreasing remediation time. This new button has been used over 2,000 times! The large spike in June led to prohibiting Outlook email domains, and the spike in November was driven by a persistent attack. Mike developed the ability to place projects in quarantine pending further investigation. Thanks to a grant from Alpha-Omega, Mike will continue his work for a second year. We plan to do more work on minimizing time-on-PyPI for malware in 2025...

In 2024, PyPI saw an 84% growth in download counts and 48% growth in bandwidth, serving 526,072,569,160 downloads for the 610,131 projects hosted there, requiring 1.11 Exabytes of data transfer, or 281.6 Gbps of bandwidth 24x7x365. In 2024, 97k new projects, 1.2 million new releases, and 3.1 million new files were uploaded to the index.

"The worlds of Linux and Windows finally came together in real life..." writes The Verge: Microsoft co-founder Bill Gates and Linus Torvalds, the creator of the Linux kernel, have surprisingly never met before. That all changed at a recent dinner hosted by Sysinternals creator Mark Russinovich... "No major kernel decisions were made," jokes Russinovich in a post on LinkedIn.
More from the Linux news blog Linuxiac: The man on the left is Mark Russinovich, a software engineer, author, and co-founder of Sysinternals, now CTO of Azure, Microsoft's cloud computing platform. He has become synonymous with deep Windows diagnostics and cloud-scale management. In the late 1990s, his suite of tools (Process Explorer, Autoruns, Procmon) revolutionized the way administrators and security professionals understood Windows internals.

The man on the far right is another living legend: Dave Cutler. Let me put it this way — he's one of the key people behind OpenVMS and the brilliant lead architect who designed Windows NT's kernel and hardware-abstraction layer — technologies that remain at the heart of every current Windows release, from server farms to laptops. So, it's no surprise that people often call him the "father of Windows NT."

An anonymous reader quotes a report from MacRumors: To comply with a new regulation that takes effect today, Apple has added an energy efficiency label to its iPhone and iPad pages in EU countries. Apple is also required to start including a printed version of the label with the devices sold there. The label grades a given iPhone or iPad model's energy efficiency from a high of A to a low of G, based on the EU's testing parameters. However, Apple said that certain aspects of the testing methods outlined by the European Commission are "ambiguous," so it chose to be conservative with its scores until testing is standardized.

In a 44-page document (PDF) detailing its testing methodology for the labels, Apple said its current iPhone models qualified for the highest energy efficiency grade of A, but the company voluntarily downgraded these scores to a B as a cautionary measure. The label also provides details about a given iPhone or iPad model's battery life per full charge cycle, repairability grade, impact resistance, ingress protection rating for water and dust resistance, and how many full charge cycles the battery is rated for. Likewise, this information is based on Apple's interpretation of the EU's testing parameters.

On the web, the label can be viewed by clicking or tapping on the colorful little tag icon on various iPhone and iPad pages on Apple's localized websites for EU countries. It is shown on both Apple's main product marketing pages for all iPhone and iPad models that are currently sold in the EU, and on the purchase page for those devices. The label is accompanied by a product information sheet (PDF) that provides a comprehensive overview of even more details, such as the device's battery capacity in mAh, screen scratch resistance based on the Mohs hardness scale, the minimum guaranteed timeframe for availability of security updates, and much more.

An anonymous reader quotes a report from Ars Technica: Large-scale attacks designed to bring down Internet services by sending them more traffic than they can process keep getting bigger, with the largest one yet, measured at 7.3 terabits per second, being reported Friday by Internet security and performance provider Cloudflare. The 7.3Tbps attack amounted to 37.4 terabytes of junk traffic that hit the target in just 45 seconds. That's an almost incomprehensible amount of data, equivalent to more than 9,300 full-length HD movies or 7,500 hours of HD streaming content in well under a minute.

Cloudflare said the attackers "carpet bombed" an average of nearly 22,000 destination ports of a single IP address belonging to the target, identified only as a Cloudflare customer. A total of 34,500 ports were targeted, indicating the thoroughness and well-engineered nature of the attack. [...] Cloudflare said the record DDoS exploited various reflection or amplification vectors, including the previously mentioned Network Time Protocol; the Quote of the Day Protocol, which listens on UDP port 17 and responds with a short quote or message; the Echo Protocol, which responds with the same data it receives; and Portmapper services used identify resources available to applications connecting through the Remote Procedure Call. Cloudflare said the attack was also delivered through one or more Mirai-based botnets. Such botnets are typically made up of home and small office routers, web cameras, and other Internet of Things devices that have been compromised.

The Department of Homeland Security is concerned about the rate at which outlawed signal-jamming devices are being found across the US. From a report: In a warning issued on Wednesday, it said it has seen an 830 percent increase in seizures of these signal jammers since 2021, specifically those made in China. Signal-jamming devices are outlawed in the US, mainly because they can interfere with communications between emergency services and law enforcement.

While the Communications Act of 1934 effectively prohibits such devices, signal jammers of the type DHS is concerned about have only circulated in the last 20 to 30 years. Authorities have paid special attention to relay attack devices in recent years -- the types of hardware that can be used to clone signals used by systems such as remote car keys, although the first examples of these devices date back to the 1980s.

BrianFagioli writes: In a move that could quietly wreak havoc across the Windows ecosystem, Microsoft is purging outdated drivers from Windows Update. The company claims it is doing this for security and reliability, but the result might be broken hardware for users who rely on legacy devices.

If you're using older peripherals or custom-built PCs, you could soon find yourself hunting for drivers that have vanished into the digital abyss. This initiative, buried in a low-profile blog post, is part of Microsoft's new cleanup program. The first wave targets legacy drivers that already have newer replacements available. But the real kicker is that Microsoft isn't warning individual users about which drivers are going away.

Starting mid-July 2025, Microsoft 365 will begin blocking legacy authentication protocols like Remote PowerShell and FrontPage RPC to enhance security under its "Secure by Default" initiative. Admins must now grant explicit consent for third-party app access, which could disrupt workflows but aims to reduce unauthorized data exposure. The Register reports: First in line for the chop is legacy browser authentication to SharePoint and OneDrive using the Remote PowerShell (RPS) protocol. According to Microsoft, legacy authentication protocols like RPS "are vulnerable to brute-force and phishing attacks due to non-modern authentication." The upshot is that attempting to access OneDrive or SharePoint via a browser using legacy authentication will stop working.

Also being blocked is the FrontPage Remote Procedure Call (RPC) protocol. Microsoft FrontPage was a web authoring tool that was discontinued almost two decades ago. However, the protocol for remote web authoring has lived on until now. Describing legacy protocols like RPC as "more susceptible to compromise," Microsoft will block them to prevent their use in Microsoft 365 clients.

Finally, third-party apps will need administrator consent to access files and sites. Microsoft said: "Users allowing third-party apps to access file and site content can lead to overexposure of an organization's content. Requiring admins to consent to this access can help reduce overexposure." "While laudable, shifting consent to the administrator could disrupt some workflows," writes The Register's Richard Speed. "The Microsoft-managed App Consent Policies will be enabled, and users will be unable to consent to third-party applications accessing their files and sites by default. Need consent? A user will need to request an administrator to consent on their behalf."

An anonymous reader quotes a report from Cybernews: Several collections of login credentials reveal one of the largest data breaches in history, totaling a humongous 16 billion exposed login credentials. The data most likely originates from various infostealers. Unnecessarily compiling sensitive information can be as damaging as actively trying to steal it. For example, the Cybernews research team discovered a plethora of supermassive datasets, housing billions upon billions of login credentials. From social media and corporate platforms to VPNs and developer portals, no stone was left unturned.

Our team has been closely monitoring the web since the beginning of the year. So far, they've discovered 30 exposed datasets containing from tens of millions to over 3.5 billion records each. In total, the researchers uncovered an unimaginable 16 billion records. None of the exposed datasets were reported previously, bar one: in late May, Wired magazine reported a security researcher discovering a "mysterious database" with 184 million records. It barely scratches the top 20 of what the team discovered. Most worryingly, researchers claim new massive datasets emerge every few weeks, signaling how prevalent infostealer malware truly is.

"This is not just a leak -- it's a blueprint for mass exploitation. With over 16 billion login records exposed, cybercriminals now have unprecedented access to personal credentials that can be used for account takeover, identity theft, and highly targeted phishing. What's especially concerning is the structure and recency of these datasets -- these aren't just old breaches being recycled. This is fresh, weaponizable intelligence at scale," researchers said. The only silver lining here is that all of the datasets were exposed only briefly: long enough for researchers to uncover them, but not long enough to find who was controlling vast amounts of data. Most of the datasets were temporarily accessible through unsecured Elasticsearch or object storage instances. Key details to be aware of: - The records include billions of login credentials, often structured as URL, login, and password.
- The datasets include both old and recent breaches, many with cookies, tokens, and metadata, making them especially dangerous for organizations without multi-factor authentication or strong credential practices.
- Exposed services span major platforms like Apple, Google, Facebook, Telegram, GitHub, and even government services.
- The largest dataset alone includes 3.5 billion records, while one associated with the Russian Federation has over 455 million; many dataset names suggest links to malware or specific regions.
- Ownership of the leaked data is unclear, but its potential for phishing, identity theft, and ransomware is severe -- especially since even a - Basic cyber hygiene -- such as regularly updating strong passwords and scanning for malware -- is currently the best line of defense for users.

Hackers have stolen hundreds of millions of dollars from cryptocurrency holders and disrupted major retailers by targeting outsourced call centers used by American corporations to reduce costs, WSJ reported Thursday. The attackers exploit low-paid call center workers through bribes and social engineering to bypass two-factor authentication systems protecting bank accounts and online portals.

Coinbase faces potential losses of $400 million after hackers compromised data belonging to 97,000 customers by bribing call center workers in India with payments of $2,500. The criminals also used malicious tools that exploited vulnerabilities in Chrome browser extensions to collect customer data in bulk.

TaskUs, which handled Coinbase support calls, shut down operations at its Indore, India facility and laid off 226 workers. Retail attacks targeted Marks & Spencer and Harrods with hackers impersonating corporate executives to pressure tech support workers into providing network access. The same technique compromised MGM Resorts systems in 2023. Call center employees typically possess sensitive customer information including account balances and recent transactions that criminals use to masquerade as legitimate company representatives.

An anonymous reader quotes a report from The Guardian: Foreign students will be required to unlock their social media profiles to allow US diplomats to review their online activity before receiving educational and exchange visas, the state department has announced. Those who fail to do so will be suspected of hiding that activity from US officials. The new guidance, unveiled by the state department on Wednesday, directs US diplomats to conduct an online presence review to look for "any indications of hostility toward the citizens, culture, government, institutions, or founding principles of the United States."

A cable separately obtained by Politico also instructs diplomats to flag any "advocacy for, aid or support for foreign terrorists and other threats to US national security" and "support for unlawful antisemitic harassment or violence." The screening for "antisemitic" activity matches similar guidance given at US Citizenship and Immigration Services under the Department of Homeland Security and has been criticized as an effort to crack down on opposition to the conduct of Israel's war in Gaza.

The new state department checks are directed at students and other applicants for visas in the F, M and J categories, which refer to academic and vocational education, as well as cultural exchanges. "It is an expectation from American citizens that their government will make every effort to make our country safer, and that is exactly what the Trump administration is doing every single day," said a senior state department official, adding that Marco Rubio was "helping to make America and its universities safer while bringing the state Department into the 21st century."

An anonymous reader quotes a report from Ars Technica: Tech support scammers have devised a method to inject their fake phone numbers into webpages when a target's web browser visits official sites for Apple, PayPal, Netflix, and other companies. The ruse, outlined in a post on Wednesday from security firm Malwarebytes, threatens to trick users into calling the malicious numbers even when they think they're taking measures to prevent falling for such scams. One of the more common pieces of security advice is to carefully scrutinize the address bar of a browser to ensure it's pointing to an organization's official website. The ongoing scam is able to bypass such checks.

The unknown actors behind the scam begin by buying Google ads that appear at the top of search results for Microsoft, Apple, HP, PayPal, Netflix, and other sites. While Google displays only the scheme and host name of the site the ad links to (for instance, https://www.microsoft.com/ the ad appends parameters to the path to the right of that address. When a target clicks on the ad, it opens a page on the official site. The appended parameters then inject fake phone numbers into the page the target sees.

Google requires ads to display the official domain they link to, but the company allows parameters to be added to the right of it that aren't visible. The scammers are taking advantage of this by adding strings to the right of the hostname. The parameters aren't displayed in the Google ad, so a target has no obvious reason to suspect anything is amiss. When clicked on, the ad leads to the correct hostname. The appended parameters, however, inject a fake phone number into the webpage the target sees. The technique works on most browsers and against most websites. Malwarebytes.com was among the sites affected until recently, when the site began filtering out the malicious parameters.

Austria's coalition government has agreed on a plan to enable police to monitor suspects' secure messaging in order to thwart militant attacks, ending what security officials have said is a rare and dangerous blind spot for a European Union country. From a report: Because Austria lacks a legal framework for monitoring messaging services like WhatsApp, its main domestic intelligence service and police rely on allies with far more sweeping powers like Britain and the United States alerting them to chatter about planned attacks and spying.

That kind of tip-off led to police unravelling what they say was a planned attack on a Taylor Swift concert in Vienna, which prompted the cancellation of all three of her planned shows there in August of last year. "The aim is to make people planning terrorist attacks in Austria feel less secure - and increase everyone else's sense of security," Joerg Leichtfried of the Social Democrats, the junior minister in charge of overseeing the Directorate for State Security and Intelligence (DSN), told a news conference.

Facebook now supports passkeys for login, offering users a more secure, phishing-resistant alternative to passwords by using biometrics or a PIN stored on their device. The feature is rolling out to iOS and Android "soon," while Messenger will get the feature "in the coming months." Lifehacker reports: Meta seems pretty excited about the news -- and not just because the company happens to be a member of the FIDO Alliance, the organization that developed passkeys. Aside from logging into your Facebook account, Meta says you'll be able to use passkeys to autofill your payment info when buying things with Meta Pay. You'll also be able to use the same passkey between both Facebook and Messenger, and your passkey will act as a key to lock out your encrypted Messenger chats.

The UK Information Commissioner's Office has issued its first guidance demanding manufacturers of air fryers, smart speakers, fertility trackers, and smart TVs respect users' privacy rights after reports of excessive data collection in homes.

The regulator requires companies to ensure data security, provide transparency to consumers, and regularly delete collected information. Stephen Almond, the ICO's executive director for regulatory risk, said smart products know who users live with, their music preferences, and medication details. The guidance addresses "internet of things" devices, including fertility trackers that record menstrual dates and body temperature before sending data to manufacturer servers.

Additionally, smart speakers that monitor family members and visitors must allow users to configure settings that minimize personal information collection. The ICO warned manufacturers it stands ready to take enforcement action in the event of noncompliance.

An anonymous reader quotes a report from Time Magazine: While AI could offer transformative benefits, without proper safeguards it could facilitate nuclear and biological threats and cause "potentially irreversible harms," a new report commissioned by California Governor Gavin Newsom has warned. "The opportunity to establish effective AI governance frameworks may not remain open indefinitely," says the report, which was published on June 17 (PDF). Citing new evidence that AI can help users source nuclear-grade uranium and is on the cusp of letting novices create biological threats, it notes that the cost for inaction at this current moment could be "extremely high." [...]

"Foundation model capabilities have rapidly advanced since Governor Newsom vetoed SB 1047 last September," the report states. The industry has shifted from large language AI models that merely predict the next word in a stream of text toward systems trained to solve complex problems and that benefit from "inference scaling," which allows them more time to process information. These advances could accelerate scientific research, but also potentially amplify national security risks by making it easier for bad actors to conduct cyberattacks or acquire chemical and biological weapons. The report points to Anthropic's Claude 4 models, released just last month, which the company said might be capable of helping would-be terrorists create bioweapons or engineer a pandemic. Similarly, OpenAI's o3 model reportedly outperformed 94% of virologists on a key evaluation. In recent months, new evidence has emerged showing AI's ability to strategically lie, appearing aligned with its creators' goals during training but displaying other objectives once deployed, and exploit loopholes to achieve its goals, the report says. While "currently benign, these developments represent concrete empirical evidence for behaviors that could present significant challenges to measuring loss of control risks and possibly foreshadow future harm," the report says.

While Republicans have proposed a 10 year ban on all state AI regulation over concerns that a fragmented policy environment could hamper national competitiveness, the report argues that targeted regulation in California could actually "reduce compliance burdens on developers and avoid a patchwork approach" by providing a blueprint for other states, while keeping the public safer. It stops short of advocating for any specific policy, instead outlining the key principles the working group believes California should adopt when crafting future legislation. It "steers clear" of some of the more divisive provisions of SB 1047, like the requirement for a "kill switch" or shutdown mechanism to quickly halt certain AI systems in case of potential harm, says Scott Singer, a visiting scholar in the Technology and International Affairs Program at the Carnegie Endowment for International Peace, and a lead-writer of the report.

Instead, the approach centers around enhancing transparency, for example through legally protecting whistleblowers and establishing incident reporting systems, so that lawmakers and the public have better visibility into AI's progress. The goal is to "reap the benefits of innovation. Let's not set artificial barriers, but at the same time, as we go, let's think about what we're learning about how it is that the technology is behaving," says Cuellar, who co-led the report. The report emphasizes this visibility is crucial not only for public-facing AI applications, but for understanding how systems are tested and deployed inside AI companies, where concerning behaviors might first emerge. "The underlying approach here is one of 'trust but verify,'" Singer says, a concept borrowed from Cold War-era arms control treaties that would involve designing mechanisms to independently check compliance. That's a departure from existing efforts, which hinge on voluntary cooperation from companies, such as the deal between OpenAI and Center for AI Standards and Innovation (formerly the U.S. AI Safety Institute) to conduct pre-deployment tests. It's an approach that acknowledges the "substantial expertise inside industry," Singer says, but "also underscores the importance of methods of independently verifying safety claims."

President Trump will extend the deadline for ByteDance to divest TikTok's U.S. operations by another 90 days, marking the third extension since taking office. The extension aims to prevent a TikTok ban while negotiations with potential buyers like Oracle and Project Liberty continue. CNBC reports: "President Trump will sign an additional Executive Order this week to keep TikTok up and running," White House Press Secretary Karoline Leavitt said in a statement. "As he has said many times, President Trump does not want TikTok to go dark. This extension will last 90 days, which the Administration will spend working to ensure this deal is closed so that the American people can continue to use TikTok with the assurance that their data is safe and secure."

ByteDance was nearing the deadline of June 19, to sell TikTok's U.S. operations in order to satisfy a national security law that the Supreme Court upheld just a few days before Trump's second presidential inauguration. Under the law, app store operators like Apple and Google and internet service providers would be penalized for supporting TikTok. ByteDance originally faced a Jan. 19 deadline to comply with the national security law, but Trump signed an executive order when he first took office that pushed the deadline to April 5. Trump extended the deadline for the second time a day before that April mark. Trump told NBC News in May that he would extend the TikTok deadline again if no deal was reached, and he reiterated his plans on Thursday.

An anonymous reader quotes a report from Ars Technica: Subscribers in Southern California of Spectrum's Internet service experienced outages over the weekend following what company officials said was an attempted theft of copper lines located in Van Nuys, a suburb located 20 miles from downtown Los Angeles. The people behind the incident thought they were targeting copper lines, the officials wrote in a statement Sunday. Instead, they cut into fiber optic cables. The cuts caused service disruptions for subscribers in Van Nuys and surrounding areas. Spectrum has since restored service and is offering a $25,000 reward for information leading to the apprehension of the people responsible. Spectrum will also credit affected customers one day of service on their next bill.

"Criminal acts of network vandalism have become an issue affecting the entire telecommunications industry, not just Spectrum, largely due to the increase in the price of precious metals," the officials wrote in a statement issued Sunday. "These acts of vandalism are not only a crime, but also affect our customers, local businesses and potentially emergency services. Spectrum's fiber lines do not include any copper." Outage information service Downdetector showed that thousands of subscribers in and around Van Nuys reported outages starting a little before noon on Sunday. Within about 12 hours, the complaint levels returned to normal. Spectrum officials told the Los Angeles Times that personnel had to splice thousands of fiber lines to restore service to affected subscribers.

Researchers are cautioning users against clicking unsubscribe links embedded in email bodies, citing new data showing such actions can expose recipients to malicious websites and confirm active email addresses to attackers. DNSFilter found that one in every 644 clicks on unsubscribe links leads users to potentially malicious websites.

"You've left the safe, structured environment of your email client and entered the open web," TK Keanini, DNSFilter's chief technology officer, told WSJ. The risks range from confirming to bad actors that an email address belongs to an active user to redirecting victims to fake websites designed to steal login credentials or install malware. Clicking such links "can make you a bigger target in the future," said Michael Bargury, CTO of security company Zenity.