Cybersecurity is the rickety scaffolding supporting everything you do online. For every new feature or app, there are a thousand different ways it can break – and a hundred of those can be exploited by criminals for data breaches, identity theft, or outright cyber heists. Staying ahead of those exploits is a full-time job, and one of the most lucrative and sought-after skills in the tech industry. All too often, it’s something up-and-coming companies decide to skip out on, only to pay the price later on.
The alliance managing the passwordless login standard is working on a way to securely move passkeys between password managers offered by 1Password, Apple, Google, Microsoft, Okta, etc. The draft specifications for secure credential exchange are now in community review.
Hopefully this will get sorted soon as passkeys inch closer to going mainstream. The last thing users want is to have their passwords locked to a tech ecosystem.
The hackers worked their way into the networks of AT&T, Verizon, Lumen Technologies, and others, according to anonymous sources cited by The Wall Street Journal:
For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications data, according to people familiar with the matter ... The attackers also had access to other tranches of more generic internet traffic, they said.
The US DHS recently said thwarting Chinese hackers was a top security priority.
An X post spotted by The Brick Fan flagged to the company yesterday that its online shop was displaying a “LEGO Coin” cryptocurrency banner.
Naturally, there is no such thing; Lego tells Engadget that the situation was quickly resolved and no user data was compromised.
Crypto businesses keep accidentally hiring IT workers from North Korea. This is a problem because it is, first of all, against US law, and second, “CoinDesk encountered multiple examples of companies hiring DPRK IT workers and subsequently getting hacked.”
The Irish Data Protection Commission (DPC) announced the fine against Meta’s EU branch, saying the company “failed to notify” the DPC that it “inadvertently” stored user passwords without encryption in 2019.
[Data Protection Commission]
The embattled New York City mayor allegedly attempted to use this excuse to keep the FBI from searching his phone. It didn’t help: he was indicted Wednesday on charges of fraud, bribery, and soliciting donations from foreign nationals.
Generally speaking, though, it’s a good idea not to give the cops your phone — even if you’re not under investigation for your relationship with the Turkish government.
The verification marks will now appear in Gmail’s mobile apps for senders who have adopted BIMI, Google’s Brand Indicators for Message Identification feature. They were previously only visible on the Gmail web client.
Gmail now also supports Common Mark Certificates (CMC), which will allow a “broader range of senders to utilize BIMI,” according to Google.
A joint statement from ODNI, FBI, and CISA follows up on last month’s reports about Iranian Election Influence Efforts, which Iran’s government has denied.
Iranian malicious cyber actors in late June and early July sent unsolicited emails to individuals then associated with President Biden’s campaign that contained an excerpt taken from stolen, non-public material from former President Trump’s campaign as text in the emails. There is currently no information indicating those recipients replied.
From a blog post:
Initially, Russian influence operations struggled to evolve their efforts following President Biden’s departure from the 2024 US presidential race. However, in late August and September, we observed two Russian actors MTAC tracks closely — previously reported as Storm-1516 and Storm-1679 — using videos designed to discredit Harris and stoke controversy around her campaign.
[Microsoft On the Issues]
The FCC investigated AT&T’s “supply chain integrity” after hackers stole customer data from a vendor’s cloud environment in January 2023. “AT&T failed to ensure the vendor: (1) adequately protected the customer information, and (2) returned or destroyed it as required by contract,” the FCC says.
AT&T also entered into a consent decree as part of the settlement.
“Today, we’ll start migrating voice and video in DMs, Group DMs, voice channels, and Go Live streams to use E2EE,” Discord’s Stephen Birarda writes in a blog post. Discord is rolling out the ability to log in to Discord using passkeys, too.
Wired weighs in against the theory that pager batteries were overheated by a cyberattack to cause today’s fatal explosions, concluding an electronics shipment was more likely compromised and packed with explosives — and noting it wouldn’t be the first time that’s happened.
With the “GAZEploit” attack, researchers found they could predict what somebody was typing on the Vision Pro’s virtual keyboard by analyzing the eye movements of their Persona, according to Wired.
Apple fixed the issue with visionOS 1.3 by suspending a Persona when the person is using the virtual keyboard.
A hacker tricked ChatGPT to share details on how to make a bomb in part by instructing it to play a game, TechCrunch reports. It’s the latest loophole to get around ChatGPT’s safety guardrails.