- Your Security Checklist
- Test Your Security Skills
- The Best Stories of 2025
- Security Fail of the Year
- Security Updates from Apple
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Use a password manager if you are not already. Password managers are the most secure way to create and store your passwords. If you're not sure which password manager to use, the Passwords app is a great option.
- Use multi/two-factor authentication wherever possible. Using a second form of authentication makes it harder for hackers to access your accounts even if your password is compromised. The Passwords app can generate 2FA codes for you.
- Double-check suspicious emails. If you receive an email warning you about a large purchase that you made, that you won a large sum of money, or that just generally seems too good to be true, take a few minutes to check if the email is legitimate.
What should you do in the following scenario?
You download a third-party calendar app from an independent developer. When opening the app for the first time, it asks for all kinds of permissions, including access to your photo library. What should you do?
1. Grant the app access to your photos.
2. Check the app reviews to see if anyone has had any problems with the app accessing their photos.
3. Research the developer to determine if they are trustworthy.
4. Deny access to your photo library.
Scroll to the bottom to see how you did!
Australia Fights Back Against Scammers
Back in February, Australia passed legislation to combat scammers. This new framework requires banks, telecommunications companies, and social media companies to "proactively detect and disrupt scams and report scam activity." For example, social media companies must verify their advertisers, and banks must verify who the payee is when they process transactions. We should find out over the next year or so how effective this framework really is, but it certainly sounds like a step in the right direction.
The Bottom Line: If you're an Australian citizen, hopefully this legislation has been or will be beneficial to you. We'd certainly like to see this framework implemented in other countries as well.
World Governments Taking Action Against Scam Centers
One of the darkest problems we've reported over the past few years has been the spread of scam compounds springing up along the Thailand-Myanmar border. These facilities operate by luring foreign workers with false promises of good salaries or other benefits, but the workers are effectively enslaved and forced to run scams online. Throughout the year, we've seen quite a few positive stories about scam centers being shut down and workers being freed. In Myanmar's Karen State, more than 250 people were freed by an armed militia group. Thailand itself took action as well, cutting off power to multiple locations along the border and shutting down several scam operations. The country also helped to free 7,000 victims and return each of them to their home countries. China handed out sentences to 39 members of the Ming family, a family known for running scam centers throughout Myanmar.
Many of these scam centers rely on satellite internet provided by Starlink. After this was discovered by journalists and Congress began to take an interest, SpaceX finally took action to disable thousands of Starlink devices throughout Myanmar, crippling many scam centers. The United States has also put together a strike force to combat cryptocurrency scam centers in Myanmar. With pressure from both the US and China, the Karen State Border Guard Force (BGF) has also begun conducting raids on scam centers along the border.
The Bottom Line: Shutting down scam centers is an immense task. It's good to see these countries working together, taking action, and freeing thousands of people.
Hacker Extradited to the United States
Back in April, a member of the Scattered Spider hacking group, Tyler Robert Buchanan, was extradited to the US from Spain. Scattered Spider is responsible for cyberattacks against many tech companies, including Twilio, LastPass, DoorDash, and Mailchimp. More specifically, US prosecutors connected Buchanan with a 2022 SMS phishing campaign to steal cryptocurrency funds. Read more about Scattered Spider at Krebs on Security.
The Bottom Line: While Buchanan is only one member of Scattered Spider, even a small win is still a win. Not to mention, a few other members of the hacking group have since been identified and arrested.
The EU Funds Cybersecurity Protection for Healthcare Providers
Earlier this year, the European Union announced that it would be allocating €145.5 million (around $168 million USD) to fund cybersecurity solutions and research for hospitals and healthcare providers. Healthcare providers are often targeted by hackers and other threat actors since the data they have is so valuable, and healthcare industry budgets don't always prioritize cybersecurity. Hospitals are typically quick to pay ransomware demands to ensure patients can get the care they need. Reinforcing cybersecurity protections in these sectors should certainly help mitigate cyberattacks.
The Bottom Line: Hospitals need all the help they can get, so it's nice to see some effort to provide it.
YouTube Cracks Down on AI Content
This past summer, YouTube adjusted its monetization policies to curb the rise of AI-generated content on the platform. Since July 15, "inauthentic" content uploaded to YouTube has not been eligible for monetization. That means YouTubers making low-effort videos generated using artificial intelligence won't be making any money off of them. According to YouTube's Head of Editorial & Creator Liaison, Rene Ritchie, this is actually not that big of a change, as YouTube has always had rules against "inauthentic" content. However, this update to the policy clarifies what "inauthentic" content means.
The Bottom Line: It's great that YouTube is taking action against AI-generated content. While you'll likely still come across this type of content when browsing YouTube, you can report it, and hopefully connect more with genuine human creativity.
Passkey Portability Comes to iOS 26
Swapping password managers is now easier than ever with the iOS and macOS 26 updates. Apple has integrated passkey portability into the Passwords app, which means that now, if you want to switch password managers, you can take your passkeys with you without any trouble. This works for moving passkeys both to and from the Passwords app.
The Bottom Line: You can move your passwords and passkeys between password managers much more easily than before. If you were considering switching to the Passwords app from a third-party password manager (or vice versa), you should have no trouble doing so.
African & UK Authorities Shut Down Scam Network
Much as scam centers in Myanmar are being shut down, the United Kingdom and 18 African countries have worked together to dismantle scam networks across the continent. The operation recovered $97.4 million USD and shut down more than 11,000 infrastructures being used for various scams and ransomware, including cryptocurrency mining centers and illicit power stations. The network that was disrupted had targeted more than 65,000 victims, resulting in losses of over $300 million USD. Read more at INTERPOL.
The Bottom Line: We're always happy to see scam networks being shut down. Hopefully, this collaboration between the UK and various African countries will prevent major losses from scams in the long run.
Scammers Arrested Thanks to YouTube
YouTubers turned out to be the unlikely heroes in the indictment of 28 alleged scammers. Two YouTube channels, known as Scammer Payback and Trilogy Media, posted videos in 2020 and 2021 in which they baited scammers into showing their faces. The videos helped to unveil how their scam operations worked and allowed law enforcement to put faces to names. With that information, federal agents were able to arrest and charge the scammers back in August of this year for participating in a $65 million fraud scheme. Read more about the operation at the US Department of Justice.
The Bottom Line: "Scam baiting" is essentially its own genre on YouTube, so we're happy to see some good come from those videos beyond just simple entertainment. Who knew making YouTube videos could prove helpful to the US government and its citizens?
Journalist Confronts Scammer Impersonating Her
A journalist named Iona Bain discovered that a scammer was impersonating her on the messaging app Telegram, so she did what any reasonable person would do: She reported the account. However, after weeks of inaction from Telegram, she decided to confront the scammer herself. First, she posed as an unsuspecting victim to lure the scammer in and eventually revealed her true identity. Instead of admitting defeat, the scammer went on to accuse Iona of being the fake. Ultimately, the scammer ended up deleting the account months later. You can read Iona's full story at Metro.
The Bottom Line: This story is a bit humorous and has a good ending, but impersonation on social media is a real problem. There are usually tools available to report these fake accounts, though their effectiveness varies. Telegram did not appear to help Iona in any way, but from our experience, other social media platforms, such as Meta, may be quicker to take action against impostors. Always be sure to report accounts that are clearly not who they claim to be.
The Signal Chat: "We Are Currently Clean on OPSEC"
There have been many hilarious security fails this past year, but unfortunately, the biggest by far came back in March, when members of the Trump administration accidentally added the editor-in-chief of The Atlantic to a Signal group chat where they were discussing a military action. Somehow, in a stroke of unwitting comedy gold, US Secretary of Defense Pete Hegseth was moved to message this highly compromised chat to say: "We are currently clean on OPSEC." (OPSEC is short for OPerational SECurity—the skills and techniques of preventing leaks.)
The Trump admin was quick to deny the incident happened and claimed that no classified material had been shared through Signal. But The Atlantic was just as quick to offer up proof. Since the material was no longer considered classified, the magazine published screenshots of the chat.
The following month, things got even worse when it was alleged that Hegseth had discussed the very same military action in a second Signal group chat that included his wife, brother, and personal lawyer. And if that wasn't bad enough, further revelations came in May after a hacker breached the foreign company TeleMessage, which sells the modified version of Signal that the Trump admin was using, and easily accessed vast logs of supposedly secure chats. In other words, those secret chats were running on a version of Signal that had been modified by a private company, so the messages could easily be intercepted by hackers or other foreign adversaries.
The Bottom Line: As an end-to-end encrypted messaging platform, Signal is a great app for the average person who wants to maintain privacy, presuming you only use the Signal app available through the App Store, not a modified version. However, it is not set up for government use, where vetting, accountability, and oversight demands are all much greater. It all goes to show that you can never know for sure if you're really "clean on OPSEC."
Everything you need to know about Apple's latest software updates.
- The most recent iOS and iPadOS is 26.2
- The most recent macOS is 26.2
- The most recent tvOS is 26.2
- The most recent watchOS is 26.2
- The most recent visionOS is 26.2
Read about the latest updates from Apple.
The correct answer is 4: Deny access to your photo library. Options 2 and 3 aren't always bad either, but in the case of a calendar app, there's not really any good reason the app should need access to your photos. Even if the app gives a good reason or the developer seems legitimate, entrusting an independent third party with access to all of your photos is a risky move. One data breach and all your photos are in a malicious actor's hands.
Of course, this isn't a one-size-fits-all solution. Use your best judgment on an app-by-app basis. If it doesn't make sense to grant access to something like your photos or your contacts, don't give the app permission.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.

