- Your Security Checklist
- Test Your Security Skills
- Your Weekly Security Update
- This Should Be on Your Radar
- Security Fail of the Week
- Security Updates from Apple
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Lock your Apple Account with a security key. If you're able to invest in one, a physical security key is the most secure option for locking your account, since physical access to the key is required when logging in.
- Hide sensitive notifications from your Lock Screen. You can turn off notification previews so that others cannot read them when you're out and about in public.
- Protect the Notes app by setting a password. In the Settings app, you can set a unique password for your Notes app, preventing others from accessing your private notes.
What should you do in the following scenario?
A website asks you to set up multifactor authentication. Which style is best?
- SMS codes
- Email codes
- Generated codes using an authenticator app
- Passkeys
Scroll to the bottom to see how you did!
GenAI tools are incredibly useful to scammers. The main way that scammers rely on GenAI is for translation. Focusing their scam efforts on targets who are geographically distant helps protect the scammer from legal repercussions, but that same geographic distance means that the scammer is likely to be less savvy to the language and customs of their victim. Enter Generative AI, which the scammer can use to generate natural-sounding, culturally relevant text in their victim's language of choice.
There is another aspect to using commercial GenAI systems, though: they are surveillance technologies. Every major commercial GenAI system polices the activity of its users. The result is that OpenAI, which makes ChatGPT, has practically unprecedented visibility into some scam operations. As scammers use its chat agent to create scam text, the company's employees can see complete logs of the scammers' activity and queries. OpenAI publishes a periodic report on scams it has detected and foiled, and it makes for good reading. The company breaks all the scam activity it sees down into three phases: the ping, which is the cold call; the zing, which is an effort to create a strong emotion that can be exploited; and the sting, which is the effort to extract money. Check out the OpenAI scam report; it's a great breakdown of basic scam mechanics.
This month's report also offers this gem of a sentence: "In isolated cases, individual users self-identified as scam workers in Cambodia, such as when asking the model for tax advice and stating their occupation as 'scammer.'"
Incredible.
The Bottom Line: Scammers depend on emotionally manipulative language to create heightened emotions: fear, love, anger, etc., which can then be exploited. While most people will recognize this kind of manipulation most of the time, those suffering from loneliness, isolation, exhaustion, or other mental health challenges are much more vulnerable, and that means all of us, at least some of the time. Learning to identify the patterns of scammers by reading reports like this can help, as does using a password manager. When it comes to handing over money to someone online, always vet contacts with live video calls and get a second opinion from a disinterested third party before you send money to a contact made online.
Millions of Social Security Numbers Leaked in Health Insurance Breach
Last year, a company called Conduent, which offers payment and document processing services to some of the largest health insurance companies in the US, was hacked and its data stolen. Initially, it was reported that 15.4 million people were affected by this breach, but according to TechCrunch, that number has increased to more than 25 million. The majority of affected individuals reside in Texas and Oregon, and the stolen data includes names and Social Security numbers. Read more about this breach at Inc.
The Bottom Line: If you were affected by this breach, you should be hearing from Conduent around April. As we've reported in the past, with a vast number of Social Security numbers already leaked from the National Public Data breach in 2024, it's best to assume they're no longer private information. You can protect yourself against identity theft by freezing your credit and using credit monitoring services.
OpenAI to Begin Working with the Department of Defense
The United States Department of Defense entered into an agreement with OpenAI for the military to start using the company's AI models after its deal with Anthropic fell through. OpenAI and the DoD have agreed not to use AI for surveillance against US citizens or to power fully autonomous weapons. Those were the same two red lines that Anthropic refused to cross, which caused the US government to cease using Anthropic's services, but for some reason, the government has agreed to the conditions in its deal with OpenAI. Shortly after the new deal was signed, Secretary of Defense Pete Hegseth designated Anthropic a supply chain risk, a label usually reserved for foreign companies that are a threat to national security. Read more at The Hill.
The Bottom Line: Despite OpenAI's claims that it won't allow its AI models to be used for surveillance against citizens, the company has historically been willing to hand user data over to law enforcement. You should never tell AI chatbots anything you wouldn't want made public, regardless of whether the chatbot is owned by OpenAI or Anthropic.
AI-Powered Islamic State Propaganda Showing Up in Minecraft, Roblox & Social Media
Last year, Meta cut back on content moderation, leaving the door open to an increase in disinformation and propaganda on its platforms. Researchers at the Institute for Strategic Dialogue, a policy think tank devoted to studying disinformation and combating extremism, have a new report looking at the extremist propaganda of the Islamic State. The Islamic State no longer holds territory in West Asia, but related groups do hold territory in Africa, and there is still a propaganda operation highly active online on social media and in some video games. They're apparently using AI to emulate the speech and writing of some of their deceased leaders in efforts to drive recruitment. Read more at 404 Media.
In a related story, researchers discovered a cluster of fully automated pro-China propaganda accounts on Meta's Threads platform. Read more at NewsGuard's Reality Check newsletter.
The Bottom Line: Every forum, online or in person, requires some form of moderation to police malicious actors, disinformation, and lies. It is much easier to lie than to refute a lie, and so moderation is always a difficult task. GenAI is magnifying this problem by making it even easier to generate disinformation. Because of the scale of modern social media, there will always be some element of propaganda circulating there. Preferring forums that employ fair and capable moderators can help, but the antidote to propaganda is literacy: the more educated you are, the easier it is to identify influence operations and form your own informed opinions. A healthy information diet, including diverse viewpoints and newsletters like this one, can help (we hope).
Researchers Discover Way to Snoop on Any Encrypted Wi-Fi
A recent paper published at the Network and Distributed System Security Symposium shows how researchers worked out a way to bypass the encryption system used to secure modern Wi-Fi. The attack works against corporate Wi-Fi networks and home Wi-Fi routers and would potentially allow a hacker to attack computers on a Wi-Fi network just by being near enough to catch the radio signals. There is no known malicious exploitation of this vulnerability yet, and router makers have already begun releasing patches for it. Read more at Ars Technica.
The Bottom Line: It's important to keep your Wi-Fi router up to date with the latest patches. Many home Wi-Fi routers will update automatically, but not all, so make sure you know how to log in to your home Wi-Fi's admin panel to check for updates.
Google Won't Send You Prizes for Being the 5 Billionth Search
Confiant is a cybersecurity research firm focusing on understanding and combating malvertising, the practice of using malicious ads to scam victims in various ways. Confiant discovered a network of malicious ads all served by the same actor, dubbed D-Shortiez. It's easy for a single bad actor to generate thousands of scams, and that's what happened here. Confiant identified two scam types: gift card scams in which victims are offered gift cards in exchange for completing surveys where they are forced to view affiliate ads, and giveaway scams in which victims are told they've won a prize but must pay a fee to claim it. You can see example images, illustrating the scams, in Confiant's blog post. One of the giveaway scams tells the victim that they've won a prize for being the 5 billionth person to perform a Google search. There is no prize. Read more from Confiant.
The Bottom Line: If you're browsing the internet and a website suddenly offers you a "prize" or an opportunity to get a gift card for completing a survey, it's almost certainly a scam. Double-check the URL you're visiting to go back to the official website, and then check to see if any browser extensions are operating that you don't recognize, or any downloads were initiated that you didn't mean to start.
Greek Court Sentences 4 for Illegal Use of Predator Spyware
Four people have been sentenced in a Greek court after illegally using the Predator spyware to target politicians and journalists. Predator is a smartphone spyware developed by Intellexa that allows government agencies to remotely access iPhones and Android phones. It is still in active development and use, though the full extent is not public. Multiple political scandals have arisen from misuse of the spyware in Greece, Egypt, and other locations. Read more about Intellexa and Predator at Amnesty International.
The Bottom Line: Predator is an expensive spyware intended for intelligence and law enforcement agencies to use against specific high-value targets. It remains a threat to civil society: journalists and activists with reason to worry about the intrusion of their current government into their personal devices can protect against Predator by enabling Lockdown Mode on all their Apple devices. This is done in Settings > Privacy & Security > Lockdown Mode. Lockdown Mode defeats all known spyware, including Predator, but at the cost of some functionality. Most users do not need to activate Lockdown Mode.
iPhone and iPad Secure Enough to Handle NATO Classified Information
The NATO certification agency has decided that iPhones and iPads may be used out of the box (that is, without special hardware profiles or settings) to handle classified material up to the NATO Restricted level, the 4th and least restrictive of the 4 NATO classification levels. Apple has a press release on this. No other mass consumer device has achieved this certification; usually, devices have to be carefully managed and upgraded to achieve certification. Read more at Security Week.
The Bottom Line: If you happen to serve in a job that requires NATO security clearance and the handling of NATO classified materials, your next work phone might be an iPhone. For the rest of us, this is just a verification of the hard work Apple has put into securing iPhones and iPads.
GenAI Can Easily De-Anonymize Online Accounts
Researchers have compellingly demonstrated that custom GenAI models can be trained to quickly match the writings of an anonymous online account with the author's real social media accounts using syntax and style matching. The technique is not perfectly accurate (nothing GenAI does is ever going to be perfectly accurate), but it does provide an avenue to help researchers decloak account authors, for good or ill. Read the paper here.
The Bottom Line: True anonymity is almost as impossible as true security: no defense is perfect. Instead, defense is always a matter of increasing the costs of trying to impose on you. If this technology makes de-anonymizing social media accounts trivial, and the only way to avoid being unmasked by this kind of technique is to simply not post writing that can be analyzed, then that will have a chilling effect on online speech.
New Apple Update Encrypts Your Messages with Android Phones
Apple introduced RCS messaging, the text messaging standard used by Android phones, back in iOS 18, allowing iPhones and Android devices to communicate as efficiently as two iPhones using iMessage. However, one thing missing from the iPhone's version of RCS messaging was end-to-end encryption. Apple is currently testing iOS 26.4, which integrates encrypted RCS messaging. This would, of course, only work on the latest versions of iOS and Android. Read more at 9to5Google.
The Bottom Line: Once iOS 26.4 is released to the public, we recommend installing the update right away. This will ensure most messages you send to Android devices will be encrypted.
Malware Delivered Through Fake Captchas
A new malware delivery campaign is gaining traction. The method of delivery uses fake Cloudflare "Human Verification" checkboxes (similar to Google Captchas), which then prompt the user to copy and paste a command into their computer's Terminal. The command looks harmless at first glance, but it contains a hidden instruction to download and install Atomic, a macOS infostealer malware. Atomic can be used to steal login credentials from your password manager or browser, and has also been used to steal crypto wallets. Check out Neil Lofland's breakdown for more information.
The Bottom Line: A real human verification checkbox will never ask you to copy and paste anything into your computer's Terminal. If you encounter a Cloudflare or Captcha check like this, close the window immediately.
California Air Quality Agency Subjected to AI-Powered Astroturfing Campaign
Last year, in an effort to reduce air pollution, the Southern California Air Quality Management District (SCAQMD) sought to impose fees on the manufacturing, distribution, and installation of gas-powered appliances. The goal was to phase out gas appliances in favor of electric ones instead. That is, until tens of thousands of emails flooded the SCAQMD inbox opposing these new rules, leading to the agency halting its plans. However, a closer look at these emails has revealed that many of them originated from CiviClick, a company that uses artificial intelligence to run opposition campaigns. AI is infamously harmful to the environment due to the massive amount of energy required to power it, meaning the company effectively harmed the environment to oppose rules that would have helped the environment. Read more at Phys.org.
The Bottom Line: Artificial intelligence is making astroturfing campaigns much easier for the companies that run them. AI-powered bots are rampant on social media, making it easy for us to read information from seemingly ordinary, trustworthy people and take it as fact. Always double-check sources and verify anything you read online.
Everything you need to know about Apple's latest software updates.
- The most recent iOS and iPadOS is 26.3
- The most recent macOS is 26.3
- The most recent tvOS is 26.3
- The most recent watchOS is 26.3
- The most recent visionOS is 26.3
Read about the latest updates from Apple.
The correct answer is D: Passkeys. The worst answer is probably B: Email codes, but A: SMS Codes is also fairly weak. Of course, any multifactor authentication method is better than none, because any method will mean that guessing your password isn't enough to break into the account. Email is weak because most email is fairly easy to intercept. The same is true for SMS codes. But even "fairly easy" is relative; it's still not all that easy. C: Generated codes using an authenticator app is stronger than A or B, but can still be phished by modern phishing kits. Only Passkeys are phishing resistant, and they're more convenient, too!
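To show why an authenticator-app code can be relayed by a phishing kit while a passkey cannot, here is an added, self-contained Python example (not from the newsletter or any vendor). It implements real RFC 6238 TOTP on one side and a simplified WebAuthn-style assertion on the other; the passkey "signature" uses an HMAC as a stand-in for the ECDSA key pair, and the relying-party origin, challenge and keys are constructed values.

```python
import hashlib, hmac, json, struct

# --- TOTP (RFC 6238), the "generated codes using an authenticator app" option ---
def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_login(secret: bytes, submitted: str, now: int) -> bool:
    # The server only checks the digits and the clock. It has no way to tell whether
    # the user typed the code into the real site or into a look-alike that relays it.
    return hmac.compare_digest(submitted, totp(secret, now))

# --- Passkey (WebAuthn-style, simplified) ---
RP_ORIGIN = "https://accounts.example.com"   # constructed relying-party origin

def passkey_sign(cred_key: bytes, challenge: str, origin: str) -> dict:
    # The browser, not the web page, records the origin the user is actually on.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    digest = hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, digest, hashlib.sha256).hexdigest()  # stand-in for ECDSA
    return {"clientDataJSON": client_data, "signature": sig}

def passkey_login(cred_key: bytes, challenge: str, assertion: dict) -> bool:
    data = json.loads(assertion["clientDataJSON"])
    if data.get("type") != "webauthn.get" or data.get("challenge") != challenge:
        return False
    if data.get("origin") != RP_ORIGIN:   # origin binding is what defeats the relay
        return False
    digest = hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, digest, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo() -> dict:
    now = 1_700_000_000                                   # constructed timestamp
    secret, cred_key = b"constructed-totp-seed", b"constructed-passkey-key"
    challenge = "c2VydmVyLWNoYWxsZW5nZQ"                  # constructed challenge
    code = totp(secret, now)   # user types this into a look-alike site, which relays it
    phished = passkey_sign(cred_key, challenge, "https://accounts-example.com.evil.test")
    genuine = passkey_sign(cred_key, challenge, RP_ORIGIN)
    return {"totp_relay_accepted": totp_login(secret, code, now),
            "passkey_relay_accepted": passkey_login(cred_key, challenge, phished),
            "passkey_genuine_accepted": passkey_login(cred_key, challenge, genuine)}
```

Running demo() shows the relayed TOTP code accepted and the relayed passkey assertion rejected, because the origin inside clientDataJSON does not match the real site.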
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.
Interested in browsing the web privately? Check out: