The U.K. government appears to have quietly scrubbed encryption advice from government web pages, just weeks after demanding backdoor access to encrypted data stored on Apple's cloud storage service, iCloud. From a report: The change was spotted by security expert Alec Muffett, who wrote in a blog post on Wednesday that the U.K.'s National Cyber Security Centre (NCSC) is no longer recommending that high-risk individuals use encryption to protect their sensitive information.

The NCSC in October published a document titled "Cybersecurity tips for barristers, solicitors & legal professionals," that advised the use of encryption tools such as Apple's Advanced Data Protection (ADP). ADP allows users to turn on end-to-end encryption for their iCloud backups, effectively making it impossible for anyone, including Apple and government authorities, to view data stored on iCloud. The URL hosting the NCSC document now redirects to a different page that makes no mention of encryption or ADP. Instead, it recommends that at-risk individuals use Apple's Lockdown Mode, an "extreme" security tool that restricts access to certain functions and features.

An anonymous reader shares a report: YouTube is warning creators about a new phishing scam that attempts to lure victims using an AI-generated video of its CEO Neal Mohan. The fake video has been shared privately with users and claims YouTube is making changes to its monetization policy in an attempt to steal their credentials, according to an announcement on Tuesday.

"YouTube and its employees will never attempt to contact you or share information through a private video," YouTube says. "If a video is shared privately with you claiming to be from YouTube, the video is a phishing scam." In recent weeks, there have been reports floating around Reddit about scams similar to the one described by YouTube.

Citigroup nearly credited about $6 billion to a customer's account in its wealth-management business by accident. From a report: The near-error occurred after a staffer handling the transfer copied and pasted the account number into a field for the dollar figure, which was detected on the next business day, the report added. The wealth division's near-miss was reported to regulators and the company has since set up a tool to help vet large, anomalous payments and transfers, according to the report. The error was related to an attempted transfer of funds between internal accounts, the report said. Last week, the Financial Times reported that Citigroup erroneously credited $81 trillion, instead of $280, to a customer's account and took hours to reverse the transaction.

Apple is stepping up its fight with the British government over a demand to create a "back door" in its most secure cloud storage systems, by filing a legal complaint that it hopes will overturn the order. Financial Times: The iPhone maker has made its appeal to the Investigatory Powers Tribunal, an independent judicial body that examines complaints against the UK security services, according to people familiar with the matter. The Silicon Valley company's legal challenge is believed to be the first time that provisions in the 2016 Investigatory Powers Act allowing UK authorities to break encryption have been tested before the court.

The Investigatory Powers Tribunal will consider whether the UK's notice to Apple was lawful and, if not, could order it to be quashed. The case could be heard as soon as this month, although it is unclear whether there will be any public disclosure of the hearing. The government is likely to argue the case should be restricted on national security grounds. Apple received a "technical capability notice" under the act in January.

After California's bar exams were plagued last week with technical problems, the State Bar of California is recommending that the agency return to in-person tests as it scrutinizes whether the vendor behind the new testing system met the obligations of its contract. From a report: "Based on the administration of the February Bar Exam, staff cannot recommend going forward with Meazure Learning," Donna Hershkowitz, chief of admissions for the State Bar, wrote to the agency's Board of Trustees in a staff memo, referring to the vendor. Instead, she wrote, staff recommend reverting to in-person testing for the next round of exams in July.

The State Bar's 13-member board, which is scheduled to meet March 5, will ultimately decide on plans for the July bar exam and remedies for test takers who faced problems. In a statement Monday, the State Bar said it is "closely scrutinizing whether Meazure Learning met its contractual obligations" in administering the February State Bar exam and will be "actively working with its psychometrician and other stakeholders to determine the full scope of necessary remediation measures for February 2025 bar exam test takers."

CISA has warned U.S. federal agencies about active exploitation of vulnerabilities in Cisco VPN routers and Windows systems. "While the cybersecurity agency has tagged these flaws as actively exploited in the wild, it has yet to provide specific details regarding this malicious activity and who is behind it," adds Bleeping Computer. From the report: The first flaw (tracked as CVE-2023-20118) enables attackers to execute arbitrary commands on RV016, RV042, RV042G, RV082, RV320, and RV325 VPN routers. While it requires valid administrative credentials, this can still be achieved by chaining the CVE-2023-20025 authentication bypass, which provides root privileges. Cisco says in an advisory published in January 2023 and updated one year later that its Product Security Incident Response Team (PSIRT) is aware of CVE-2023-20025 publicly available proof-of-concept exploit code.

The second security bug (CVE-2018-8639) is a Win32k elevation of privilege flaw that local attackers logged into the target system can exploit to run arbitrary code in kernel mode. Successful exploitation also allows them to alter data or create rogue accounts with full user rights to take over vulnerable Windows devices. According to a security advisory issued by Microsoft in December 2018, this vulnerability impacts client (Windows 7 or later) and server (Windows Server 2008 and up) platforms.

Today, CISA added the two vulnerabilities to its Known Exploited Vulnerabilities catalog, which lists security bugs the agency has tagged as exploited in attacks. As mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until March 23, to secure their networks against ongoing exploitation.

An anonymous reader quotes a report from TechCrunch: The United States has suspended its offensive cyber operations against Russia, according to reports, amid efforts by the Trump administration to grant Moscow concessions to end the war in Ukraine. The reported order to halt U.S.-launched hacking operations against Russia was authorized by U.S. Defense Secretary Pete Hegseth, according to The Record. The new guidance affects operations carried out by U.S. Cyber Command, a division of the Department of Defense focused on hacking and operations in cyberspace, but does not apply to espionage operations conducted by the National Security Agency. The reported order has since been confirmed by The New York Times and The Washington Post.

The order was handed down before Friday's Oval Office meeting between U.S. President Donald Trump, Vice President JD Vance, and Ukrainian President Volodymyr Zelenskyy, according to the reports. The New York Times said that the instruction came as part of a broader effort to draw Russian President Vladimir Putin into talks about the country's ongoing war in Ukraine. The Guardian also reports that the Trump administration has signaled it no longer views Russian hackers as a cybersecurity threat, and reportedly ordered U.S. cybersecurity agency CISA to no longer report on Russian threats. The newspaper cites a recent memo that set out new priorities for CISA, including threats faced by China and protecting local systems, but the memo did not mention Russia. CISA employees were reportedly informed verbally that they were to pause any work on Russian cyber threats.

A malicious PyPi package effectively turned its users' systems "into an illicit network for facilitating bulk music downloads," writes The Hacker News.

Though the package has been removed from PyPI, researchers at security platform Socket.dev say it enabled "coordinated, unauthorized music downloads from Deezer — a popular streaming service founded in France in 2007." Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer's access restrictions... The package is designed to log into Deezer, harvest track metadata, request full-length streaming URLs, and download complete audio files in clear violation of Deezer's API terms... [I]t orchestrates a distributed piracy operation by leveraging both user-supplied and hardcoded Deezer credentials to create sessions with Deezer's API. This approach enables full access to track metadata and the decryption tokens required to generate full-length track URLs.

Additionally, the package routinely communicates with a remote server... to update download statuses and submit metadata, thereby centralizing control and allowing the threat actor to monitor and coordinate the distributed downloading operation. In doing so, automslc exposes critical track details — including Deezer IDs, International Standard Recording Codes, track titles, and internal tokens like MD5_ORIGIN (a hash used in generating decryption URLs) — which, when collected en masse, can be used to reassemble full track URLs and facilitate unauthorized downloads...

Even if a user pays for access to the service, the content is licensed, not owned. The automslc package circumvents licensing restrictions by enabling downloads and potential redistribution, which is outside the bounds of fair use...
"The malicious package was initially published in 2019, and its popularity (over 100,000 downloads) indicates wide distribution..."

Active since 1995, the Comprehensive Perl Archive Network (or CPAN) hosts 221,742 Perl modules written by 14,548 authors. This week they announced that the CPAN Security Group "was authorized by the CVE Program as a CVE Numbering Authority (CNA)" to assign and manage CVE vulnerability identifications for Perl and CPAN Modules.

"This is great news!" posted Linux kernel maintainer Greg Kroah-Hartman on social media, saying the announcement came "Just in time for my talk about this very topic in a few weeks about how all open source projects should be doing this" at the Linux Foundation Member Summit in Napa, California. And Curl creator Daniel Stenberg posted "I'm with Greg Kroah-Hartman on this: all Open Source projects should become CNAs. Or team up with others to do it." (Also posting "Agreed" to the suggestion was Seth Larson, the Python Software Foundation's security developer-in-residence involved in their successful effort to become a CNA in 2023.)

444 CNAs have now partnered with the CVE Program, according to their official web site. The announcement from PerlMonks.org: Years ago, a few people decided during the Perl Toolchain Summit (PTS) that it would be a good idea to join forces, ideas and knowledge and start a group to monitor vulnerabilities in the complete Perl ecosystem from core to the smallest CPAN release. The goal was to follow legislation and CVE reports, and help authors in taking actions on not being vulnerable anymore. That group has grown stable over the past years and is now known as CPANSec.

The group has several focus areas, and one of them is channeling CVE vulnerability issues. In that specific goal, a milestone has been reached: CPANSec has just been authorized as a CVE Numbering Authority (CNA) for Perl and modules on CPAN

Memory safety bugs are "eroding trust in technology and costing billions," argues a new post on Google's security blog — adding that "traditional approaches, like code auditing, fuzzing, and exploit mitigations — while helpful — haven't been enough to stem the tide."

So the blog post calls for a "common framework" for "defining specific, measurable criteria for achieving different levels of memory safety assurance." The hope is this gives policy makers "the technical foundation to craft effective policy initiatives and incentives promoting memory safety" leading to "a market in which vendors are incentivized to invest in memory safety." ("Customers will be empowered to recognize, demand, and reward safety.")

In January the same Google security researchers helped co-write an article noting there are now strong memory-safety "research technologies" that are sufficiently mature: memory-safe languages (including "safer language subsets like Safe Buffers for C++"), mathematically rigorous formal verification, software compartmentalization, and hardware and software protections. (With hardware protections including things like ARM's Memory Tagging Extension and the (Capability Hardware Enhanced RISC Instructions, or "CHERI", architecture.) Google's security researchers are now calling for "a blueprint for a memory-safe future" — though Importantly, the idea is "defining the desired outcomes rather than locking ourselves into specific technologies."

Their blog post this week again urges a practical/actionable framework that's commonly understood, but one that supports different approaches (and allowing tailoring to specific needs) while enabling objective assessment: At Google, we're not just advocating for standardization and a memory-safe future, we're actively working to build it. We are collaborating with industry and academic partners to develop potential standards, and our joint authorship of the recent CACM call-to-action marks an important first step in this process... This commitment is also reflected in our internal efforts. We are prioritizing memory-safe languages, and have already seen significant reductions in vulnerabilities by adopting languages like Rust in combination with existing, wide-spread usage of Java, Kotlin, and Go where performance constraints permit. We recognize that a complete transition to those languages will take time. That's why we're also investing in techniques to improve the safety of our existing C++ codebase by design, such as deploying hardened libc++.

This effort isn't about picking winners or dictating solutions. It's about creating a level playing field, empowering informed decision-making, and driving a virtuous cycle of security improvement... The journey towards memory safety requires a collective commitment to standardization. We need to build a future where memory safety is not an afterthought but a foundational principle, a future where the next generation inherits a digital world that is secure by design.
The security researchers' post calls for "a collective commitment" to eliminate memory-safety bugs, "anchored on secure-by-design practices..." One of the blog post's subheadings? "Let's build a memory-safe future together."

And they're urging changes "not just for ourselves but for the generations that follow."

An anonymous reader quotes a report from Ars Technica: Amnesty International on Friday said it determined that a zero-day exploit sold by controversial exploit vendor Cellebrite was used to compromise the phone of a Serbian student who had been critical of that country's government. [...] The chain exploited a series of vulnerabilities in device drivers the Linux kernel uses to support USB hardware. "This new case provides further evidence that the authorities in Serbia have continued their campaign of surveillance of civil society in the aftermath of our report, despite widespread calls for reform, from both inside Serbia and beyond, as well as an investigation into the misuse of its product, announced by Cellebrite," authors of the report wrote.

Amnesty International first discovered evidence of the attack chain last year while investigating a separate incident outside of Serbia involving the same Android lockscreen bypass. [...] The report said that one of the vulnerabilities, tracked as CVE-2024-53104, was patched earlier this month with the release of the February 2025 Android Security Bulletin. Two other vulnerabilities -- CVE-2024-53197 and CVE-2024-50302 -- have been patched upstream in the Linux kernel but have not yet been incorporated into Android. Forensic traces identified in Amnesty International's analysis of the compromised phone showed that the Serbian authorities tried to install an unknown application after the device had been unlocked. The report authors said the installation of apps on Cellebrite-compromised devices was consistent with earlier cases the group has uncovered in which spyware tracked as NoviSpy spyware were installed.

As part of the attack, the USB port of the targeted phone was connected to various peripherals during the initial stages. In later stages, the peripherals repeatedly connected to the phone so they could "disclose kernel memory and groom kernel memory as part of the exploitation." The people analyzing the phone said the peripherals were likely special-purpose devices that emulated video or sound devices connecting to the targeted device. The 23-year-old student who owned the phone regularly participates in the ongoing student protests in Belgrade. Any Android users who have yet to install the February patch batch should do so as soon as possible.

President Trump has directly criticized the UK government's approach to encryption, comparing recent actions to those of China. Speaking to The Spectator, Trump said he confronted UK Prime Minister Keir Starmer about the Home Office's request for "backdoor access" to encrypted iCloud data, which led Apple to remove its Advanced Data Protection feature from British services entirely.

"We told them you can't do this... That's incredible. That's something, you know, that you hear about with China," Trump said after his meeting with Starmer. The remarks come as the Trump administration has directed Treasury and Commerce officials to examine UK tech regulations, including the Online Safety Act, for potential free speech violations and discrimination against US companies.

Google changed its rules around how product-review sites appear in its search engine. In the process, it devastated a once-lucrative corner [non-paywalled source] of the news media world. From a report: Sites including CNN Underscored and Forbes Vetted offer tips on everything from mattresses and knife sets to savings accounts, making money when users click on links and buy products.

They depend on Google to drive much of their traffic, and therefore revenue. But over the past year, Google created stricter rules that dinged certain sites that farm out articles to freelancers, among other things. The goal, Google has said, was to give users higher-quality search results. The outcome was a crisis for some sites. Traffic for Forbes Advisor, a personal-finance recommendation site, fell 83% in January from the same month the year before, according to data firm Similarweb.

CNN Underscored and Buy Side from WSJ, which is operated by Wall Street Journal parent Dow Jones, were both down by more than 25% in that period. Time magazine's Time Stamped and the Associated Press's AP Buyline, powered by Taboola Turnkey Commerce, ended their efforts in recent months. Taboola closed the commerce operation.

Researchers at George Mason University discovered a vulnerability in Apple's Find My network that allows hackers to silently track any Bluetooth device as if it were an AirTag, without the owner's knowledge. 9to5Mac reports: Although AirTag was designed to change its Bluetooth address based on a cryptographic key, the attackers developed a system that could quickly find keys for Bluetooth addresses. This was made possible by using "hundreds" of GPUs to find a key match. The exploit called "nRootTag" has a frightening success rate of 90% and doesn't require "sophisticated administrator privilege escalation."

In one of the experiments, the researchers were able to track the location of a computer with an accuracy of 10 feet, which allowed them to trace a bicycle moving through the city. In another experiment, they reconstructed a person's flight path by tracking their game console. "While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location. With the attack method we introduced, the attacker can achieve this," said one of the researchers. Apple has acknowledged the George Mason researchers for discovering a Bluetooth exploit in its Find My network but has yet to issue a fix. "For now, they advise users to never allow unnecessary access to the device's Bluetooth when requested by apps, and of course, always keep their device's software updated," reports 9to5Mac.

An anonymous reader quotes a report from TechCrunch: Security researchers are warning that data exposed to the internet, even for a moment, can linger in online generative AI chatbots like Microsoft Copilot long after the data is made private. Thousands of once-public GitHub repositories from some of the world's biggest companies are affected, including Microsoft's, according to new findings from Lasso, an Israeli cybersecurity company focused on emerging generative AI threats.

Lasso co-founder Ophir Dror told TechCrunch that the company found content from its own GitHub repository appearing in Copilot because it had been indexed and cached by Microsoft's Bing search engine. Dror said the repository, which had been mistakenly made public for a brief period, had since been set to private, and accessing it on GitHub returned a "page not found" error. "On Copilot, surprisingly enough, we found one of our own private repositories," said Dror. "If I was to browse the web, I wouldn't see this data. But anyone in the world could ask Copilot the right question and get this data."

After it realized that any data on GitHub, even briefly, could be potentially exposed by tools like Copilot, Lasso investigated further. Lasso extracted a list of repositories that were public at any point in 2024 and identified the repositories that had since been deleted or set to private. Using Bing's caching mechanism, the company found more than 20,000 since-private GitHub repositories still had data accessible through Copilot, affecting more than 16,000 organizations. Lasso told TechCrunch ahead of publishing its research that affected organizations include Amazon Web Services, Google, IBM, PayPal, Tencent, and Microsoft. [...] For some affected companies, Copilot could be prompted to return confidential GitHub archives that contain intellectual property, sensitive corporate data, access keys, and tokens, the company said.

What Chris Horsley expected to be a 10-minute washing machine installation stretched to four hours and required five trips to the hardware store. The CTO of security consultancy firm documented how unexpected obstacles -- drilling through shelves, replacing incompatible hoses, and removing hidden caps -- derailed his timeline.

Horsley draws a direct parallel to software development, where estimation regularly fails despite experience. "While 90% of the project will be the same, there's going to be one critical difference between the last 5 projects and this project that seemed trivial at the time of estimation but will throw off our whole schedule," he writes in a blog.

These disruptions often appear as unmaintained frameworks, obsolete development tools, or incompatible infrastructure components that weren't visible during planning. The software development environment changes rapidly, creating what Horsley describes as "unknown unknowns." Despite thorough requirements gathering, developers inevitably encounter unanticipated blockers, transforming familiar-looking tasks into complex challenges.

The JavaScript package world is heating up as startups attempt to challenge npm's long-standing dominance. While npm remains the backbone of JavaScript dependency management, Deno's JSR and vlt's vsr have entered the scene with impressive backing and even more impressive leadership -- JSR comes from Node.js creator Ryan Dahl, while npm's own creator Isaac Schlueter is behind vsr. Neither aims to completely replace npm, instead building compatible layers that promise better developer experiences.

Many developers feel GitHub has left npm to stagnate since its 2020 acquisition, doing just enough to keep it running while neglecting innovations. Security problems and package spam have only intensified these frustrations. Yet these newcomers face the same harsh reality that pushed npm into GitHub's arms: running a package registry costs serious money -- not just for servers, but for lawyers handling trademark fights and content moderation.

ZDNet's Steven Vaughan-Nichols shares some of the latest improvements to ExpressVPN following its codebase transition from C to Rust. An anonymous reader quotes an excerpt from the report: ExpressVPN is one of ZDNET's favorite Virtual Private Networks (VPNs). The popular VPN's transformation of its Lightway codebase from C to Rust promises to make the service faster and more secure. For now, the updated Lightway 2.0 is only available via ExpressVPN's Aircove router with the February 4 AircoveOS v5 update. The Aircove, which we rate as the best VPN router, costs $189. With this device, you can protect your tech from unwanted snoopers without installing a VPN on each gadget. So, how much faster is the updated ExpressVPN? In my tests, I connected to the internet via my updated router over my 2 Gigabit per second (Gbps) AT&T Internet using a 2.5 Gbps Ethernet-connected Linux Mint desktop with a Wi-Fi 6 connection over my Samsung Galaxy 25 Plus smartphone.

Without the VPN engaged, I saw 1.6 Gbps speeds, which is about par. With the VPN switched on and using Lightway 2.0, I saw speeds in the 290 to 330 Megabit per second (Mbps) range to Toronto and London, England. Farther afield, I saw speeds around 250 to 280Mbps to Hong Kong and Seoul. That's about 20% faster than I had seen with earlier Lightway versions. I was impressed. This version of the VPN should also be more secure. As Pete Membrey, ExpressVPN's chief research officer, said in a statement: "At ExpressVPN, we innovate to solve the challenges of tomorrow. Upgrading Lightway from its previous C code to Rust was a strategic and straightforward decision to enhance performance and security while ensuring longevity."

The updated Lightway VPN protocol also uses ML-KEM, the newly finalized NIST standard for post-quantum encryption. This feature, wrote Membray in a blog post, "ensures your connection is secured by encryption designed not just for today's threats but for the quantum-powered challenges of the future." To ensure the integrity of the recoded Lightway protocol, ExpressVPN commissioned two independent security audits from cybersecurity firms Cure53 and Praetorian. Both audits yielded positive results, with only minor vulnerabilities identified and promptly addressed by ExpressVPN. In short, ExpressVPN is technically about as safe a VPN as they come.

Cellebrite says it has stopped Serbia from using its technology following allegations that Serbian police and intelligence used Cellebrite's technology to unlock the phones of a journalist and an activist, and then plant spyware. From a report: In December 2024, Amnesty International published a report that accused Serbian police of using Cellebrite's forensics tools to hack into the cellphones of a local journalist and an activist. Once their phones were unlocked, Serbian authorities then installed an Android spyware, which Amnesty called Novispy, to keep surveilling the two.

In a statement, Cellebrite said that "after a review of the allegations brought forth by the December 2024 Amnesty International report, Cellebrite took precise steps to investigate each claim in accordance with our ethics and integrity policies. We found it appropriate to stop the use of our products by the relevant customers at this time."

A Disney employee's download of an AI image generation tool from GitHub led to a massive data breach in July 2024, exposing over 44 million internal Slack messages. The software contained infostealer malware that compromised Matthew Van Andel's computer [non-paywalled source] for five months, giving hackers access to his 1Password manager.

The attackers used the stolen credentials to access Disney's corporate systems, publishing sensitive information including customer data, employee passport numbers, and revenue figures from Disney's theme parks and streaming services. The breach also devastated Van Andel personally. Hackers exposed his Social Security number, financial login details, and even credentials for his home's Ring cameras. Shortly after the incident, Disney fired Van Andel following a forensic analysis of his work computer, citing misconduct he denies. Security researchers believe the attacker, who identified as part of a Russia-based hacktivist group called Nullbulge, is likely an American individual.