Hey passbolt community,
It’s that time again: our ‘This Month in Cybersecurity’ is here. September brought its share of cybersecurity and data privacy stories that are worth a second look. Whether you’re just looking to stay informed or here to learn some new security tips, we’ve got you covered with these short summaries.
Let’s dive in!
1. Europe’s privacy watchdog probes Google over data used for AI training
Europe’s privacy watchdog has launched an investigation into Google’s use of personal data for AI training, focusing on its Pathways Language Model 2 (PaLM 2). Ireland’s Data Protection Commission (DPC) will assess whether Google complied with GDPR, including requirements for data protection impact assessments when processing sensitive information. This follows similar scrutiny of other tech giants like Meta and X (formerly Twitter), highlighting growing regulatory concerns over Big Tech’s AI development practices and their potential risks to individual privacy rights in Europe. Google has pledged to cooperate with the investigation.
Date: | Sep 12, 2024 |
---|---|
Source: | Ars Technica |
Author: | Christina Criddle |
2. Apple’s new macOS Sequoia update is breaking some cybersecurity tools
Apple’s latest macOS 15 “Sequoia” update, released on 16th September, has caused problems for several cybersecurity tools, including those from CrowdStrike, SentinelOne, and Microsoft. Various security experts and companies reported issues with these tools, including delays in providing support for the new macOS version. CrowdStrike, for example, acknowledged difficulties with the update, while SentinelOne initially warned customers to delay upgrading until compatible versions of its software were available. Other security researchers and users reported problems with network connections, firewalls, and even web browsers like Firefox. Apple has yet to comment on the issue.
Date: | Sep 19, 2024 |
---|---|
Source: | TechCrunch |
Author: | Lorenzo Franceschi-Bicchierai |
3. Infostealer malware bypasses Chrome’s new cookie-theft defenses
Infostealer malware developers have found ways to bypass Google Chrome’s new App-Bound Encryption feature, which was introduced in Chrome 127 to protect sensitive data like cookies and passwords. Despite Chrome’s encryption using a Windows service with system privileges, malware developers, including those behind Lumma Stealer, Meduza, Whitesnake, and others, have claimed to bypass this security measure. Some, like Lumma Stealer, have even achieved cookie theft without requiring admin privileges, reducing detection chances. Security researchers have confirmed that these bypasses work on Chrome’s latest version, though details on how the encryption is circumvented remain undisclosed.
Date: | Sep 24, 2024 |
---|---|
Source: | Bleeping Computer |
Author: | Bill Toulas |
4. Hacker plants false memories in ChatGPT to steal user data in perpetuity
Security researcher Johann Rehberger discovered a vulnerability in ChatGPT’s long-term memory feature that allowed attackers to plant false information and persistently exfiltrate user data. By exploiting this flaw through prompt injection, attackers could manipulate ChatGPT into storing and using false memories, impacting future conversations. Rehberger demonstrated a proof-of-concept showing how malicious links could capture all user input and output. While OpenAI addressed part of the issue by preventing memory abuse for data exfiltration, prompt injection attacks that alter long-term memories remain a concern, requiring users to monitor and manage their stored memories carefully.
Date: | Sep 24, 2024 |
---|---|
Source: | Ars Technica |
Author: | Dan Goodin |
5. Firefox tracks you with “privacy preserving” feature
noyb has filed a complaint against Mozilla for enabling a “Privacy Preserving Attribution” (PPA) feature in its Firefox browser without user consent. This feature allows Firefox to track user behavior for ad measurement, making it a tool for website tracking. While Mozilla claims this is a privacy-friendly alternative to traditional tracking, noyb argues it still violates user rights under GDPR by being enabled by default without transparency or consent. Mozilla, known for its privacy-focused reputation, is being criticized for not offering an opt-in system and failing to properly inform users of the tracking.
Date: | Sep 25, 2024 |
---|---|
Source: | noyb |
Author: | noyb |
6. WordPress.org bans WP Engine, blocks it from accessing its resources
WordPress.org has banned WP Engine, a major hosting provider, from accessing its resources like themes and plugins, due to legal disputes. WordPress co-creator Matt Mullenweg accused WP Engine of trying to control the WordPress experience while profiting without contributing enough to the open-source community. As a result, WP Engine customers are blocked from installing updates, leaving them vulnerable to security risks. WP Engine criticized Mullenweg for misusing his control over WordPress, while both companies have exchanged cease-and-desist letters over trademark violations and financial disputes.
Date: | Sep 25, 2024 |
---|---|
Source: | TechCrunch |
Author: | Ivan Mehta |
7. Over 90 million French records exposed: mysterious data hoarder leaves instance open
A massive data leak has exposed over 95 million records of French citizens, including phone numbers, emails, and partial payment information, making them vulnerable to cyberattacks. The data, compiled from at least 17 separate breaches, was discovered on an unsecured Elasticsearch server by the Cybernews team and researcher Bob Dyachenko. The database appears to have been created by an unknown actor hoarding personal information from various French companies across sectors like telecommunications, e-commerce, and social media. The exposure poses significant risks, including identity theft and fraud, due to the sensitive nature of the data and its potential for misuse.
Date: | Sep 27, 2024 |
---|---|
Source: | Cybernews |
Author: | Ernestas Naprys |
Conclusion
Well, that’s it for ‘This Month in Cybersecurity - September 2024.’
Staying on top of these developments helps us all make better security decisions, and we hope this roundup offers valuable insights for you and your team. If any of these stories piqued your interest, or if you have your own cybersecurity news to share, let’s keep the conversation going in the Passbolt community forum.