- 🗒️✅ Your Security Checklist
- 🏆🎖️ Test Your Security Skills
- 📰 Your Weekly Security Update
- 🤨 This Should Be on Your Radar 📡
- 🙈 Security Fail of the Week 👎
- 🍎📱 Security Updates from Apple 🍎
If you take nothing else from this newsletter, just do these three things to protect yourself:
- Learn to spot scam texts. Scammers often lure victims in by sending texts about undeliverable packages, unpaid tolls, fraudulent purchases, and more.
- Turn off Visited Places in Apple Maps. This feature records every place you visit and creates a searchable timeline. We recommend turning off Visited Places.
- Consider using an alphanumeric passcode. An alphanumeric passcode allows you to create a more complex iPhone passcode. Though, only do so if it's one you're confident you can remember and can type with ease.
What should you do in the following scenario?
You receive a text claiming to be from Apple, informing you of a purchase you made. You don't remember purchasing any Apple products recently, and the text says that if the purchase was made in error, you can call to cancel it. There is a phone number provided. What do you do? 🤔
- Delete the text and report it as spam.
- Call the provided number to cancel the purchase.
- Text back and try to cancel.
- Find the official Apple phone number and call it instead.
Scroll to the bottom to see how you did!
On June 12th, the Trump Administration issued an export control directive requiring AI maker Anthropic to prevent all foreign nationals from accessing its most recent AI models, called Fable 5 and Mythos 5. This type of export control is usually reserved for weapons technologies. The government directive was prompted by administration officials believing they had discovered a way to bypass the AI's guardrails—guardrails meant to prevent it from producing malicious code (read more at Politico). For context, claims have widely circulated that Fable 5 and Mythos 5 are unusually good at rapidly finding vulnerabilities in software and can even hack that software on their own. Immediately, and unsurprisingly, Anthropic published statements suggesting that the concerns were overblown. Now, cybersecurity bigwigs from across the industry have weighed in, with 130 top experts all co-signing a letter asking the government to lift the export control, saying it does more harm than good.
The Bottom Line: At the moment, Anthropic's top AI models, Fable 5 and Mythos 5, are capable of rapidly discovering security vulnerabilities in software, but this capability is not unique to them. Other GenAI systems, like Anthropic competitors ChatGPT or even Google Gemini, can also do this. Setting aside the politics of this export control debate, the reality for us regular folks is that AI tools can find vulnerabilities so quickly that it's getting much harder to secure software—and if you have software on your device that's not secure, then that makes you vulnerable too. For the moment, there isn't anything new that we can recommend to secure your devices: keep them up to date, use a password manager, compartmentalize your most important information, and keep offline backups.
Massachusetts Moves to Protect User Data
The Massachusetts House of Representatives passed a bill that will allow users to access and delete any data held by tech companies and prevent them from selling user data without the user's consent. That includes health data, fingerprints, location data, sexual orientation, and more. The bill will apply to both residents and visitors to the state. The bill is expected to be signed into law by the governor. Read more at TechCrunch.
The Bottom Line: If you live in Massachusetts, you will soon have more control over your data. This bill will affect the smallest of tech startups all the way up to tech giants. This is a big win for user privacy.
Chinese-Linked Hackers Steal US & Canadian Intelligence
According to a new report from Google Threat Intelligence Group, a Chinese-linked hacking group called UNC6508 breached academic, medical, and military research institutions in the US and Canada. The breach lasted from September 2023 to November 2025 before it was detected by threat intelligence. The hackers were after data that included information on defense strategy, artificial intelligence, cyber warfare, medical research, and more. Check out the full story at Reuters or read the Google Threat Intelligence report itself
The Bottom Line: Google has identified the organizations that have been affected by this breach and has begun notifying each of them. Private individuals are unlikely to be affected; this was an intelligence-gathering operation targeting industrial and government systems.
Federal Government Directs Agencies to Combat AI Threats
The US government's Cybersecurity and Infrastructure Security Agency wants us to think it is taking the threat of AI-empowered hackers very seriously. Last week, the agency directed other federal agencies to begin addressing serious vulnerabilities in their systems, with a focus on exploits that can be automated by AI. Under the new directive, when new vulnerabilities are discovered, agencies will have three days to fix them. Such a timeline does not seem realistic to us. AI can help discover vulnerabilities very rapidly, and it can even sometimes generate patches for those vulnerabilities, but testing patches to make sure they don't break anything isn't easy or fast, and three days seems ambitious. Read more about CISA's new directive at Cybersecurity Dive, or check out the directive for yourself.
The Bottom Line: GenAI tools are now capable of finding vulnerabilities much faster than they can be patched. For the moment, this is mostly affecting corporate and government networks, but eventually it will begin to affect consumers as well. In the short term, there are no new steps to take besides those we have been recommending, which will increase your security.
Is That an Investment Opportunity or a Scam?
The FBI's Internet Crime Complaint Center (IC3) has issued a PSA about the rise of investment scams. These scams, which most often target senior citizens, involve scammers making contact with their victims, building a relationship, and gaining trust before eventually luring them into an investment scam. The investment usually involves downloading a cryptocurrency app, and the scammer instructs the victim to withdraw cash and will send a courier to pick it up. Read up on the full details of the scam at the IC3 website.
The Bottom Line: The IC3 website has some great tips on how to avoid getting caught up in these scams. Be wary of wrong-number texts. Do not give out banking details or any personal information, such as your home address, to anyone you haven't met in person. Don't hand over cash to strangers.
Google Chrome Patches Major Vulnerability
Google Chrome recently pushed out an update that patched a number of vulnerabilities, including one that would allow malicious websites to manipulate your computer's memory to execute code. Thankfully, even without the patch, the vulnerability is restricted to activity in the web browser itself. However, it is possible to use this exploit as just one step in a larger attack, so it's still important to keep your browser up to date. Malwarebytes has more details on its blog post.
The Bottom Line: If you're a Google Chrome user, be sure to keep your browser up to date. The desktop version will often update automatically when you close and reopen it, but you can also manually install the update by going into settings and clicking About Chrome.
Hackers Breach the Council of Europe
The Council of Europe is one of more than a hundred organizations breached by the hacking group ShinyHunters. The hackers claim to have stolen nearly 300 GB of data after exploiting a vulnerability in Oracle's PeopleSoft application. The stolen data includes HR records, employee salaries, tax records, health information, and more. The Council is currently investigating the incident. Head over to The Register for more.
The Bottom Line: Data breaches are nothing new and will continue to happen. The only thing we can do as individuals is to take preventative measures to mitigate the damage caused by data breaches. Never reuse passwords, keep your credit frozen, and consider identity theft protection services.
Stop Meta from Tracking Your Activity Outside of Facebook
Meta, like most social media, displays ads that are personalized based on data collected about you when you browse the web. It also uses anything you tell Meta AI to curate ads to your interests. Thankfully, you can prevent Meta from tracking your activity with other businesses by going into the settings of both Facebook and Instagram. Head over to TechPP for the full breakdown.
The Bottom Line: Using Facebook and Instagram poses a risk to your privacy, but if you must use them, we recommend disabling the setting that allows them to follow you around the web. You can find it in the Accounts Center section of either app.
Flock Determined to Leak as Much Private Data as Possible
Flock continues to astound us. The automatic license plate reader (ALPR) company appears to have inadvertently leaked law enforcement records. The information includes license plate numbers, car makes, models, colors, and the specific reasons police had for looking cars up. Somehow, these searches were indexed by search engines and appeared in search results on DuckDuckGo and Bing.
The make and model of one's car or even its license plate are not necessarily private information—anyone who sees your car in public can see this information after all—but normally it's only those who see your car in person who have access to those details, not anyone in the world who uses a search engine. This kind of data can be used to identify specific people and the kinds of cars they drive. Thankfully, Flock has already begun removing the records from searches, though they never should have leaked in the first place. Check out the full story at 404 Media.
The Bottom Line: Cybersecurity is hard to get right, but we expect a bit more from surveillance companies handling sensitive information like law enforcement records.
- The most recent iOS for the iPhone 17 lineup and iPhone Air is 26.5.1
- The most recent iOS for the iPhone 11 through 16e is 26.5
- The most recent iPadOS is 26.5
- The most recent macOS is 26.5.1
- The most recent tvOS is 26.5
- The most recent watchOS is 26.5
- The most recent visionOS is 26.5
Read about the latest updates from Apple.
The correct answer is A. Delete the text and report it as spam. This is a common scam tactic that is designed to induce panic so that you'll call the number in the text. Neither the number nor the text are actually from Apple, and if you call it, you'll be talking to a scammer who will try to trick you into providing your payment information.
If you're worried about a fraudulent purchase, you can D. Find the official Apple phone number and call it instead. Calling Apple can help put your mind at ease if you're feeling anxious about a purchase that may have been made under your account.
There is far too much security and privacy news for us to cover it all. When building this newsletter, we look for scams, hacks, trouble, and news to illustrate the kinds of problems Apple enthusiasts may encounter in our private lives, and the self-defense we can practice to keep our devices, accounts, and lives secure. Our commentary focuses on practical advice for everyday people. This newsletter was written by Cullen Thomas and Rhett Intriago and edited by August Garry.
Worried about your iPhone getting hacked? Check out:
|
