Pete Recommends – Weekly highlights on cyber security issues, March 29, 2025

Subject: Democratic Senators Team Up With MAGA To Hand Trump A Censorship Machine
Source: Techdirt
https://www.techdirt.com/2025/03/21/democratic-senators-team-up-with-maga-to-hand-trump-a-censorship-machine/

At the exact moment when Donald Trump and his MAGA allies are actively dismantling democratic institutions and working to silence critics, a group of Democratic Senators have decided to collaborate with Trump’s supporters to make it easier to censor speech online. As reported in The Information (paywalled), several Democratic Senators are teaming up with some of Trump’s strongest Senate allies to repeal Section 230 — the law that both enables content moderation and protects websites from being sued into oblivion for hosting user speech.

They appear to be doing this out of a deep misunderstanding of how the law works combined with an astounding naiveté about how this process will be used by the MAGA faithful.

As early as next week, Sen. Dick Durbin, a Democrat, and Sen. Lindsey Graham, a Republican, plan to introduce a bill that would set an expiration date of Jan. 1, 2027, for Section 230, according to a congressional aide familiar with the bill’s development.


Subject: Cybercriminals target federal employee credentials with National Finance Center scam
Source: FedScoop
https://fedscoop.com/fbi-warning-federal-employees-national-finance-center-payroll/

The scam looks to trick federal workers searching for National Finance Center services through search engines into sharing their sensitive information.

Hackers are targeting the Employee Personal Page, or MyEPP page, which is operated by the National Finance Center (NFC), a financial and human resources shared service within the Agriculture Department used by 661,000 employees across the federal government for payroll. The site, which is used to manage salary and benefits information, is typically accessed through an online account or with Login.gov credentials.

According to the FBI, cybercriminals hope to trick federal employees by running advertisements on search engines that impersonate the NFC website. If they click on the ad, employees are brought to a “sophisticated phishing website” that looks similar to the actual MyEPP page that aims to capture their login credentials when users enter them.


Subject: Google Confirms User Data Deletion Error – Who Is Impacted, What To Do
Source: Forbes
https://www.forbes.com/sites/daveywinder/2025/03/23/google-confirms-user-data-deletion-error-who-is-impacted-what-to-do/

Hot on the heels of confirming a major scam involving more than 10,000 fake listings and hacked accounts impacting searches for Google Maps users, Google has made a non-apology to users after their data was deleted and, for those without encrypted backups, might be gone forever.

Google Maps Timeline Data Deleted – As I first reported March 11, some users of Google Maps had been taking to the support forums to angrily complain that when they went to view their timeline data there was nothing there. Nada. It had all, quite literally, vanished into the ether. One person said that “Every single day for the last 3+ years just disappeared… and I can’t load my local backup, only the option to delete it.” This appeared to be unconnected to the warnings being issued at the same time in the form of notification emails about changes being made to the Google Maps timeline feature, which required urgent action to prevent data from being deleted. It was, indeed, a mystery. Google had not confirmed or denied the issue; there was radio silence as to what was happening, which left users in the dark as to where their data had gone until now.


Subject: Google Confirms Gmail Upgrade – 3 Billion Users Must Now Decide
Source: Forbes
https://www.forbes.com/sites/zakdoffman/2025/03/22/google-confirms-gmail-upgrade-3-billion-users-must-now-decide/

There’s a new battle taking place on your computers and your phones that will shape how you use technology for years to come. Google is leading the charge—albeit it’s not alone, and Gmail will likely change more than any other platform. That means serious decisions for its 3 billion users, who are well advised to think before clicking “yes.”

We’re talking AI and the breakneck speed with which new tools are being stitched into the platforms and services we all use daily. Apple may have been hit with an unintended slowdown, but not Google and Microsoft. There’s no stopping them.

And so we come to Gmail, and Google’s confirmation on Thursday that “Gmail is rolling out a smarter search feature powered by AI to show you the most relevant results, faster.” No doubt this is useful. Factoring in how you engage with emails and senders to better serve up results, to resolve the pain in email search. “If you’ve ever struggled with finding information in your overflowing inbox,” Google says, “you’re not alone.”

Filed: https://www.forbes.com/cybersecurity/


Subject: Cloudflare now blocks all unencrypted traffic to its API endpoints
Source: BleepingComputer
https://www.bleepingcomputer.com/news/security/cloudflare-now-blocks-all-unencrypted-traffic-to-its-api-endpoints/

Cloudflare announced that it closed all HTTP connections and it is now accepting only secure, HTTPS connections for api.cloudflare.com. The move prevents unencrypted API requests from being sent, even accidentally, to eliminate the risk of sensitive information being exposed in cleartext traffic before the server closes the HTTP connection and redirects to a secure communication channel.

“Starting today, any unencrypted connection to api.cloudflare.com will be completely rejected,” reads Cloudflare’s announcement on Thursday.

“Developers should not expect a 403 Forbidden response any longer for HTTP connections, as we will prevent the underlying connection to be established by closing the HTTP interface entirely. Only secure HTTPS connections will be allowed to be established” – the internet services company added.

However, as the company explains, even rejected HTTP requests may leak sensitive data like API keys or tokens before the server responds.


Subject: We partner with world-renowned scambusters to create our own fraud-fighting call centre
Source: CBC News
https://www.cbc.ca/news/marketplace/marketplace-fraud-scam-centre-1.7486399

It can often seem as if phone and online scammers are beyond accountability. Often operating from abroad, where illegal activity is either tolerated or ignored, the organized criminal groups behind the scams that annoy and frustrate so many of us have reaped billions in stolen gains from some of society’s most vulnerable. But there is a small army of good guys fighting back.

Three of the world’s most popular “scambusters” — who have a combined following of more than 10 million across their social media platforms — joined forces with CBC’s Marketplace to create a fraud-fighting centre, using their unique skills to infiltrate criminal networks overseas, reroute 62 active scam call centres back to their operation and intercept fraudulent calls to stop scammers from accessing money from Canadian victims.

Cybersecurity experts, law enforcement agencies and scambusters continue to recommend education as being the best tool in the fight against scams.


Subject: What is Signal, the app where Trump officials texted war plans?
Source: AP via WHYY
https://whyy.org/articles/what-is-signal-messaging-app-trump-officials-texted-war-plans/

National security officials texted war plans for military strikes in Yemen to a group chat in the secure messaging app that included the editor-in-chief for The Atlantic.

A magazine journalist’s account of being added to a group chat of U.S. national security officials coordinating plans for airstrikes has raised questions about how highly sensitive information is supposed to be handled.

Atlantic Editor-in-Chief Jeffrey Goldberg detailed a discussion that happened over the Signal messaging app hours before strikes on Iran-backed Houthi-rebels in Yemen ordered by U.S. President Donald Trump.

The National Security Council has since said the text chain “appears to be authentic” and that it is looking into how a journalist’s number was added to the chain…

See also:

Since its debut in 2008, state courts have interpreted the Right-to-Know Law, which provides access to public records, to accommodate evolution in the way public officials use technology. Emails and other messages, even on officials’ personal accounts and devices, can be public records under the law.

“The courts have said it doesn’t matter where you’re conducting agency business,” said Liz Wagenseller, executive director of the Office of Open Records. “It could be a Facebook message. It could be a LinkedIn message. It could be a YouTube video. If you’re conducting agency business, it may be subject to the Right-to-Know Law.”


Subject: NIST releases finalized guidelines on protecting AI from attacks
Source: Nextgov/FCW
https://www.nextgov.com/artificial-intelligence/2025/03/nist-releases-finalized-guidelines-protecting-ai-attacks/404042/

The final guidance for defending against adversarial machine learning offers specific solutions for different attacks, but warns current mitigation is still developing.

The final version [127-p PDF — ToC appended] of the National Institute of Standards and Technology’s guide to combatting artificial intelligence-powered cyberattacks was released on Monday, featuring updated definitions of attacks and mitigation terms as well as recent threat mitigation method developments.

Differentiating adversarial machine learning attacks by predictive and generative AI systems, the report brings standardization to the emerging adversarial machine learning threat landscape.

“AI is useful but vulnerable to adversarial attacks. All models are vulnerable in all stages of their development, deployment, and use,” NIST’s Apostol Vassilev, a research team supervisor and one of the authors of the adversarial machine learning publication, told Nextgov/FCW. “At this stage with the existing technology paradigms, the number and power of attacks are greater than the available mitigation techniques.”

The report lists three distinct threat types for each of the types of AI systems. …

Filed: https://www.nextgov.com/artificial-intelligence/


Subject: New Atlantis AIO platform automates credential stuffing on 140 services
Source: BleepingComputer
https://www.bleepingcomputer.com/news/security/new-atlantis-aio-automates-credential-stuffing-on-140-services/

A new cybercrime platform named ‘Atlantis AIO’ provides an automated credential stuffing service against 140 online platforms, including email services, e-commerce sites, banks, and VPNs. Specifically, Atlantis AIO features pre-configured modules for these services to perform brute force attacks, bypass CAPTCHAs, automate account recovery processes, and monetize stolen credentials/accounts.

Credential stuffing and automation – Credential stuffing is a type of cyberattack where threat actors try out a list of credentials (usernames + passwords) they stole or sourced from leaked data breaches against platforms hoping to gain access to accounts.

If the credentials match and the account isn’t protected by multi-factor authentication, they can hijack it, lock the legitimate owner out, and then abuse or resell the account to others.

This type of attack is popular and widespread, with large credential-stuffing attacks occurring daily. Over the years, these attacks have impacted brands and services like Okta, Roku, Chick-fil-A, Hot Topic, PayPal, Pet Smart, and 23andMe.


Subject: You Need to Use Signal’s Nickname Feature
Source: 404media.co
https://www.404media.co/you-need-to-use-signals-nickname-feature/

But there is a somewhat overlooked setting inside Signal that can ensure you don’t make the same mistake. It’s the nickname feature. First, take a look at my Signal when I search for “Jason” when trying to make a new group and add members to it.

There is a much easier way, but it requires you to be proactive. You can add your own nickname to a Signal contact by clicking on the person’s profile picture in a chat with them then clicking “Nickname.” Signal says “Nicknames & notes are stored with Signal and end-to-end encrypted. They are only visible to you.” So, you can add a nickname to a Jason saying “co-founder,” or maybe “national security adviser,” and no one else is going to see it. Just you. When you’re trying to make a group chat, perhaps. …


Subject: ‘Boggles the mind’: Trump aide central to war plan debacle left Venmo friends list public
Source: Raw Story
https://www.bespacific.com/boggles-the-mind-trump-aide-central-to-war-plan-debacle-left-venmo-friends-list-public/

Follow up to The High Cost of Team Trump’s Sloppy OPSEC via Raw Story: “A new analysis suggests the widely condemned error triggered by National Security Adviser Mike Waltz, who included a journalist in a group chat discussing top-secret war plans, may not be an isolated incident, leaving him open to potential national security risks. That’s according to WIRED, which revealed on Wednesday that Waltz left exposed his Venmo friend list – until the publication asked him about it. The list laid bare not only the top Trump official’s profile photo but also accounts with names linked to others in the administration. “A WIRED analysis shows that the account revealed the names …



Abstracted from beSpacific
Copyright © 2024 beSpacific, All rights reserved.

Subject: Even More Venmo Accounts Tied to Trump Officials in Signal Group Chat Left Data Public
Source: WIRED
https://www.wired.com/story/even-more-venmo-accounts-tied-to-trump-officials-in-signal-group-chat-left-data-public/

A number of top Trump administration officials—including four who were on a now-infamous Signal group chat—appear to have Venmo accounts that have been leaking data, including contacts and in some cases transactions, to the public. Experts say this is a potentially serious counterintelligence problem that could allow foreign intelligence services to gain insight into a target’s social network or even identify individuals who could be paid or coerced to act against them.

The officials in question include Dan Katz, chief of staff at the US Treasury; Joe Kent, President Trump’s nominee for director of the National Counterterrorism Center; and Mike Needham, counselor and chief of staff to the secretary of state.

WIRED has previously reported on the partially public Venmo accounts of several of the high-ranking officials in the Houthi PC chat, including Vice President JD Vance; Mike Waltz, the national security adviser; and Susie Wiles, the White House chief of staff. Waltz and Wiles set their accounts to private only after WIRED reached out to the White House for comment on Wednesday afternoon.

“From my perspective, as a veteran, everyone is entitled to use the applications and services they feel are necessary to live their lives,” says Tara Lemieux, a 35-year veteran of the US intelligence community including the National Security Agency, Department of Homeland Security, and supporting agencies. “That said, when you post anything in those third-party applications and you don’t understand how that information can be shared or exploited, you are taking a risk for our nation—and that’s not acceptable.”

Mike Yeagley, a specialist in commercial data and its security risks, has spent over 15 years advising the US Department of Defense on how both allies and adversaries leverage what he calls “digital exhaust,” the seemingly mundane details—social connections, service transactions, and metadata trails—left behind in everyday apps. “At the highest level of our national security leadership, regardless of administration, there has to be an awareness of our data and what we project that can be discoverable,” he says.

Nevertheless, according to Venmo’s privacy policy, unless users proactively change their privacy settings, their network remains visible to anyone. That means that even when a user sets their account to private, their friends list remains visible unless they take an additional step. As of publication, hiding your connections requires navigating to Settings > Privacy > Friends List and selecting Private.
