Remember last week when Meta’s handy AI chatbot helped hackers breach high-profile Instagram accounts? Well, it looks like the fallout from that is much bigger than previously reported, with more than 20,000 accounts being breached using the same method, and the attacks started back in mid-April. We may never have learned of the scope if it weren’t for Maine’s state law requiring any breach to be fully disclosed to the state attorney general’s office. Now that it’s made news, Meta claims it’s notifying everyone who may have been impacted.
That’s not the only very quiet breach that happened this past week. Password manager Dashlane, one of my personal faves, revealed that hackers managed to get away with encrypted password vaults last week, which explained the cryptic email I got from the company claiming my account was suspended, followed up by an email that my access had been restored and I shouldn’t be worried about it. To the company’s credit, its internal systems worked as designed, and it’s unlikely hackers will get the actual data in those vaults unless they brute-force the master passwords for the vaults they obtained. This is where I remind you yet again to use strong, unique passwords for each of your accounts.
In other news, OpenAI is taking a stab at prompt injection attacks, not necessarily by changing the platform itself, but by limiting which features are available to a user in the first place. ChatGPT’s new “lockdown mode” is an optional setting that stops outbound network requests, significantly limiting its functionality but presumably protecting your data from rogue or unwanted prompts. Meanwhile, at Apple, during WWDC this week, the company announced that Siri will use AI to automatically change any breached passwords for you, which we seriously hope is more secure than the AI-generated passwords Gemini made for us. We’ll test it when it’s available, just to make sure.
Let’s see what else is going on in the infosec world this week.
Block the Breach: IT Brew Ransomware Attack Simulator
With catastrophic ransomware attacks a regular occurrence, you may wonder exactly how difficult it is for a business to recover and what tools it has at its disposal to fight back. Well, now’s your chance to step into the shoes of a chief information security officer (CISO) of a hypothetical firm that’s just suffered a massive ransomware breach, thanks to IT Brew’s Block the Breach simulator. It’s a fun little game that also underscores exactly how difficult it is to deal with a security breach when the business’s need to keep operating is breathing down your neck.
You’ll follow along during the phases of incident recovery, choosing whether or not you should pay the hackers and hope they delete your data, just leave the whole thing to your company’s insurance (or risk bankruptcy paying to try and make the problem go away), or even do something audacious like trying to stage a counterattack against the hackers to delete your company’s sensitive data. A few of us here at PCMag played the game and got a variety of scores. No spoilers here, but give it a try and let us know how you did.
The US Military Quietly Turned GPS Into a Global ‘Numbers Station,’ Evidence Suggests
If you’re not familiar with numbers stations, I don’t have enough space in this column to really dive into one of my favorite artifacts of Cold War tradecraft. The short version, though, is that they were (or are) shortwave radio broadcasts of unknown origin, transmitting a regular, cryptic series of numbers, sometimes with accompanying music, directed to no one in particular. They are generally understood to be coded messages sent by intelligence agencies around the world to their operatives for unknown purposes, and for a long time you could just tune in and listen to them, or to The Conet Project, which brought many of them into popularity.
Now that you get the gist, you’ll be amused to learn that, according to reporting by 404 Media, the US military has been very quietly using GPS satellites for the same purpose for years. The evidence suggests that a seemingly random sequence in an innocuous GPS field is broadcast to any device that asks for positioning data (yes, that includes your phone). The researcher who uncovered it believes that, as with the purpose of numbers stations, the sequence is used by intelligence agencies and/or military divisions to regularly update their cryptographic keys for security. After all, if you want to avoid an adversary decrypting your communications or information, the best way is to keep it encrypted and change the encryption key regularly so that no single successful decryption exposes all your data.
The amazing thing about this, though, is that this has probably been going on for years, maybe even decades, turning every GPS satellite in orbit into a numbers station. Sometimes the best way to keep a secret really is to hide it in plain sight.
You probably don’t need me to tell you this, but if something looks to be too good to be true, it probably is. So if you see someone on social media promising you can get Spotify Premium for free, something that normally costs $12.99 each month, it’s a scam. I get it, Spotify isn’t cheap, and it’s gotten much more expensive recently, but going for the bait in this case will earn you and your device a healthy dose of malware.
The news comes from the Malwarebytes blog, which notes that researchers from ReversingLabs have uncovered a pair of active campaigns targeting people looking for free Spotify Premium. Short videos on social media trick viewers into running PowerShell commands that, the videos claim, will unlock Spotify Premium at no cost. In reality, what they guide the user into doing is installing malware that harvests their autofill data, browser cookies, saved cryptocurrency wallets, passwords, and even two-factor authentication data. Even worse, the accounts spreading the malware are surprisingly well-polished, with names like “windows.tips” and “windows.insights” to give them a veneer of legitimacy. Keep your eyes open out there.
About Our Expert
Alan Henry
Managing Editor, Security
Experience
I’ve been writing and editing stories for almost two decades that help people use technology and productivity techniques to work better, live better, and protect their privacy and personal data. As managing editor of PCMag’s security team, it’s my responsibility to ensure that our product advice is evidence-based, lab-tested, and serves our readers.
I’ve been a technology journalist for close to 20 years, and I got my start freelancing here at PCMag before beginning a career that would lead me to become editor-in-chief of Lifehacker, a senior editor at The New York Times, and director of special projects at WIRED. I’m back at PCMag to lead our security team and renew my commitment to service journalism. I’m the author of Seen, Heard, and Paid: The New Work Rules for the Marginalized, a career and productivity book to help people of marginalized groups succeed in the workplace.
