Cisco has dropped patches for a pair of critical vulnerabilities that could allow unauthenticated remote attackers to execute code on vulnerable systems.

Tracked as CVE-2025-20281 and CVE-2025-20282, Cisco assigned them both maximum 10/10 severity ratings, although the former was reduced to 9.8 by the National Vulnerability Database.

Both bugs affect Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC), allowing attackers to execute code on the underlying OS as root.

Put simply, it means they are both about as bad as they come.

ISE is a network access control solution, which can be found running on secure network servers, VMs, and some cloud instances.

ISE-PIC is used in the user authentication process, passively gathering up identity data and feeding it into other security tools.

Cisco said the two vulnerabilities are independent – they can be exploited individually, and exploiting one is not a requirement for exploiting the other.

[…]

Source: Cisco fixes two critical make-me-root bugs • The Register

The UK’s data watchdog is fining beleaguered DNA testing outfit 23andMe £2.31 million ($3.13 million) over its 2023 mega breach.

Among the various security failings demonstrated by the genetics company were:

• Unsatisfactory authentication measures, including lack of mandatory MFA and unsecure password requirements
• No measures taken to prevent accessing and downloading raw genetic data
• No measures to adequately monitor, detect, or respond to security threats to user data

The announcement comes a year after the Information Commissioner’s Office (ICO) and Office of the Privacy Commissioner of Canada (OPC) teamed up to investigate 23andMe and the failures that led to attackers compromising nearly 7 million users’ data.

John Edwards, the UK’s Information Commissioner, said: “This was a profoundly damaging breach that exposed sensitive personal information, family histories, and even health conditions of thousands of people in the UK. As one of those impacted told us, once this information is out there, it cannot be changed or reissued like a password or credit card number.

“23andMe failed to take basic steps to protect this information. Their security systems were inadequate, the warning signs were there, and the company was slow to respond. This left people’s most sensitive data vulnerable to exploitation and harm.”

The ICO went on to note the five-month gap between the attacker’s credential-stuffing activity, which began in April 2023, and 23andMe finally acknowledging the attack publicly in October that year.

It said 23andMe “missed many opportunities to act” during this time and only did so after the stolen data was put up for sale on Reddit.

[…]

Source: UK data watchdog fines 23andMe £2.3M over 2023 breach • The Register

Initially spotted in May 2018 by researchers at the email security firm Proofpoint, DanaBot is a malware-as-a-service platform that specializes in credential theft and banking fraud.

Today, the U.S. Department of Justice unsealed a criminal complaint and indictment from 2022, which said the FBI identified at least 40 affiliates who were paying between $3,000 and $4,000 a month for access to the information stealer platform.

The government says the malware infected more than 300,000 systems globally, causing estimated losses of more than $50 million. The ringleaders of the DanaBot conspiracy are named as Aleksandr Stepanov, 39, a.k.a. “JimmBee,” and Artem Aleksandrovich Kalinkin, 34, a.k.a. “Onix”, both of Novosibirsk, Russia. Kalinkin is an IT engineer for the Russian state-owned energy giant Gazprom. His Facebook profile name is “Maffiozi.”

[…]

The indictment says the FBI in 2022 seized servers used by the DanaBot authors to control their malware, as well as the servers that stored stolen victim data. The government said the server data also show numerous instances in which the DanaBot defendants infected their own PCs, resulting in their credential data being uploaded to stolen data repositories that were seized by the feds.

“In some cases, such self-infections appeared to be deliberately done in order to test, analyze, or improve the malware,” the criminal complaint reads. “In other cases, the infections seemed to be inadvertent – one of the hazards of committing cybercrime is that criminals will sometimes infect themselves with their own malware by mistake.”

[…]

Source: Oops: DanaBot Malware Devs Infected Their Own PCs – Krebs on Security

Security researchers are sounding the alarm over a fresh flaw in the JavaScript implementation of OpenPGP (OpenPGP.js) that allows both signed and encrypted messages to be spoofed.

Discovered by Codean Labs’ Edoardo Geraci and Thomas Rinsma, the vulnerability essentially undermines the core purpose of using public key cryptography to secure communications.

Tracked as CVE-2025-47934 (8.7 – high), the vulnerability stems from the openpgp.verify and openpgp.decrypt functions. The advisory posted to the library’s GitHub repo states that a maliciously modified message can be passed to one of these functions and return a result indicating a valid signature without actually being signed.

The researchers said a full write-up of the vulnerability, complete with a proof of concept (PoC) exploit, is “coming soon.” It’s common practice to delay disclosing PoCs to allow users time to patch affected products.

The affected versions are 5.0.1 to 5.11.2 and 6.0.0-alpha.0 to 6.1.0. Users are advised to upgrade to either 5.11.3 or 6.1.1 as soon as possible to fix the problem. Versions 4.x aren’t affected.

There is no PoC just yet, but the advisory offers up some details about how the attack, which affects both signed (inline) messages and signed-and-encrypted messages, could play out.

[…]

The most notable user of OpenPGP is encrypted email provider Proton Mail. The team behind it maintains the library, and the technology is used to offer end-to-end encryption for its users.

As of 2023, Proton Mail had more than 100 million accounts registered. It’s not known how many of these accounts are active, but the figure offers some sense of how many people rely on OpenPGP every day.

Various other email services support the OpenPGP standard either natively or with a little extra software tacked on.

Microsoft Outlook supports it, for example, provided users install an add-in such as gpg4o or Gpg4win, although Outlook has its own encryption capabilities via S/MIME or Microsoft Purview Message Encryption.

Many others, most of them open source and a little niche, however, support the standard straight out of the box.

Source: OpenPGP.js bug enables encrypted message spoofing • The Register

The US government’s Cybersecurity and Infrastructure Security Agency (CISA) announced Monday that going forward, only urgent alerts tied to emerging threats or major cyber activity will appear on its website. Routine updates, guidance, and other notifications will instead be shared via email, RSS, and X.

Up until now, its Cybersecurity Alerts and Advisories website has been posting a variety of bulletins, including known vulnerabilities under attack, flaws found in everything from industrial control systems to smart TVs, and warnings about specific products.

[…]

IT admins and others who want to know are advised to sign up for CISA’s email notifications to stay informed. Some updates will still be available via RSS, though users tracking the Known Exploited Vulnerabilities Catalog must subscribe to that topic through the GovDelivery email service. X will also carry general cybersecurity updates. We’ve asked CISA for further comment.

One has to wonder if this policy shift is linked to staff cuts at the agency, which began in March under the direction of Musk’s DOGE – a Trump-blessed project to trim costs at various federal agencies that oversee the Tesla tycoon’s businesses.

While some CISA workers have left, more layoffs are expected, as President Trump’s wish-list budget for 2026 proposes slashing CISA’s funding by about 17 percent. Former agency chief Jen Easterly has publicly criticized the recommendation, and described it as harmful to America.

“In a world where we are facing more serious, more complex, more dynamic threats, in a world where cyber crime damages are expected to cost the world $10.5 trillion by the end of this year, in a world where actors from the Chinese People’s Liberation Army are burrowed into our most sensitive critical infrastructure, that is a real loss for America to see the capability and capacity of America’s cyber defense agency being undermined,” she told the RSA Conference last month.

At the same time, US government bodies are increasingly moving more of their communications to Elon Musk’s social network. In February, following two major aviation accidents, the National Transportation Safety Board announced it would no longer distribute updates about press conferences or investigations via email, and would instead post all such information to its X account.

Then in April, the Social Security Administration began cutting staff from its communications office and told regional offices they would no longer issue press releases or “Dear Colleague” letters. Instead, agency updates will now be posted on X.

“If you’re used to getting press releases and Dear Colleague letters, you might want to subscribe to the official SSA X account, so you can stay up to date with agency news,” said SSA Midwest-West (MWW) Regional Commissioner Linda Kerr-Davis said at the time. “I know this probably sounds very foreign to you — it did to me as well — and not what we are used to, but we are in different times now.”

[…]

280 characters isn’t a lot of space to convey information, but maybe these agencies will get a group discount on X Premium for longer tweets. Either way, it’s good news for one of Trump’s more-favored billionaires. ®

Updated to add on May 13

Just a day after announcing it was changing the way it sent out alerts, CISA has changed its mind and reverted back to its old system of putting everything on its website.

“We recognize this has caused some confusion in the cyber community,” the site now reads. “As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders.”

While the infosec world has been rather peeved about the surprise overhaul by CISA, there may be another reason for the latest shift in policy. CISA intended to place more reliance on the GovDelivery email service – which had earlier been compromised, TechCrunch pointed out today.

It appears a contractor working for the state of Indiana had their credentials stolen, leading to GovDelivery sending out scam messages requesting money for unpaid toll fees. Maybe CISA figured there ought to be other ways to reach people, just in case.

Source: CISA changes vulnerabilities updates, shifts to X and emails • The Register

Turns out Microsoft’s latest patch job might need a patch of its own, again. This time, the culprit is a mysterious inetpub folder quietly deployed by Redmond, now hijacked by a security researcher to break Windows updates.

The folder, typically c:\inetpub, reappeared on Windows systems in April as part of Microsoft’s mitigation for CVE-2025-21204, an exploitable elevation-of-privileges flaw within Windows Process Activation. Rather than patching code directly, Redmond simply pre-created the folder to block a symlink attack path. For many administrators, the reappearance of this old IIS haunt raised eyebrows, especially since the mitigation did little beyond ensuring the folder existed.

For at least one security researcher, in this case Kevin Beaumont, the fix also presented an opportunity to hunt for more vulnerabilities. After poking around, he discovered that the workaround introduced a new flaw of its own, triggered using the mklink command with the /j parameter.

It’s a simple enough function. According to Microsoft’s documentation, mklink “creates a directory or file symbolic or hard link.” And with the /j flag, it creates a directory junction – a type of filesystem redirect.

Beaumont demonstrated this by running: “mklink /j c:\inetpub c:\windows\system32\notepad.exe.” This turned the c:\inetpub folder – precreated in Microsoft’s April 2025 update to block symlink abuse – into a redirect to a system executable. When Windows Update tried to interact with the folder, it hit the wrong target, errored out, and rolled everything back.

“So you just go without security updates,” he noted.

The kicker? No admin rights are required. On many default-configured systems, even standard users can run the same command, effectively blocking Windows updates without ever escalating privileges.

[…]

Source: Microsoft mystery folder fix might need a fix of its own • The Register

Canny Windows users who’ve spotted a mysterious folder on hard drives after applying last week’s security patches for the operating system can rest assured – it’s perfectly benign. In fact, it’s recommended you leave the directory there.

The folder, typically C:\inetpub, is empty and related to Microsoft’s Internet Information Services (IIS). It will be created when you install the security patches whether or not you’re using that optional web server. The purpose of the folder is to mitigate an exploitable elevation-of-privileges flaw within Windows Process Activation, classified as CVE-2025-21204.

That CVE, which can give malware on a system or a rogue user system-level file-management privileges, was fixed in the April Patch Tuesday batch from the Windows maker; installing the fix on Windows 11 and 10 will create the directory as additional protection, we’re told.

“After installing the updates listed in the security updates table for your operating system, a new %systemdrive%\inetpub folder will be created on your device,” advised Microsoft.

“This folder should not be deleted regardless of whether Internet Information Services (IIS) is active on the target device. This behavior is part of changes that increase protection and does not require any action from IT admins and end users.”

[…]

If you have deleted it after applying the patch, there’s a fix. Go to the Windows Control Panel and open Programs and Features. On the left you’ll see “Turn Windows features on or off.” Scroll down until you find IIS and hit “OK” after highlighting it. The folder will be recreated with the correct SYSTEM-level permissions. You can then switch off IIS and restart. (No one uses IIS these days.)

Or create the folder by hand with read-only access and SYSTEM-level ownership

Source: Don’t delete inetpub folder. It’s a Windows security fix • The Register

Remember Recall? It’s been close to full trip around the sun since Microsoft announced then suddenly pulled its AI-powered, auto-screenshotting “photographic memory” software for Copilot+ PCs. Whether you want it or not, the feature is coming back, and you should be prepared for it not just if you’re planning to use it, but if you imagine any of your friends, family, or coworkers plan to use it too.

Microsoft’s latest blog about the Windows Insider build KB5055627 includes the note that Recall is rolling out “gradually” to beta users over the coming weeks. Like what Microsoft first showed off in May 2024, Recall automatically screenshots most apps, webpages, or documents you’re on. The system catalogues all these screenshots then uses on-device AI to parse what’s on each screenshot

[…]

Microsoft originally recalled Recall  when security experts found glaring, obvious holes in the software that let any user with access to the PC read the AI’s excerpts. The program had no qualms about screenshotting bank accounts, social security numbers, or any other sensitive information. Microsoft returned Recall to the drawing board, and now users need to enroll in Windows Hello biometric or PIN security to access the screenshots. Users can also pause screenshots or filter out certain apps or specific webpages (though only for Edge, Firefox, Opera, and Chrome browsers). That may not be foolproof, as reports from late last year showed Recall failed to detect when it was looking at bank info. It will be up to users to ensure every sensitive page they visit is on the no-go list.

Users will choose whether to enable or disable Recall the first time they startup their device with the new update. To disable it, you need to search “Turn Windows features on or off” in the Windows 11 taskbar, then uncheck Recall.

[…]

This is where some security-focused Windows users are especially concerned. You can tell Recall to gather dust alongside all the other pre-installed Windows apps, but that doesn’t mean your less-tech literate family member will. Security blogger Em pointed out in a Mastodon post (via Ars Technica) if you send that family member any photos or sensitive information, they could be scraping everything you text or email them, including family photos or passwords, and you wouldn’t even know it.

[…]

Source: Windows’ Controversial Recall Is Back—Here’s How to Control It

A bug in WhatsApp for Windows can be exploited to execute malicious code by anyone crafty enough to persuade a user to open a rigged attachment – and, to be fair, it doesn’t take much craft to pull that off.

The spoofing flaw, tracked as CVE-2025-30401, affects all versions of WhatsApp Desktop for Windows prior to 2.2450.6, and stems from a bug in how the app handles file attachments.

Specifically, WhatsApp displays attachments based on their MIME type – the metadata meant to indicate what kind of file it is – but when a user opens the file, the app hands it off based on its filename extension instead. That means something disguised as a harmless image with the right MIME type but ending in .exe could be executed as a program – if the user clicks it.

“A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp,” WhatsApp’s parent company Meta explained in its security advisory.

[…]

Make sure you’re running a version of WhatsApp for Windows higher than 2.2450.6 to be safe.

[…]

Source: Don’t open that file in WhatsApp for Windows just yet • The Register

Boeing issued a software safety patch for the VHF radio systems used on its 787 aircraft, and the update turned out to be ineffective, Qatar Airways has complained.

In February, the US Department of Transportation issued an advisory [PDF] about a problem with the aircraft’s electronics that was causing VHF radio traffic to unexpectedly switch between active and standby mode. In practice, this means pilots constantly have to check their radio settings to make sure all messages from air traffic control are received, and multiple cases of this unwanted switching have been reported.

“The FAA has received reports indicating that VHF radio frequencies transfer between the active and standby windows of the TCP [tuning control panel] without flightcrew input,” the dept said.

“The flightcrew may not be aware of uncommanded frequency changes and could fail to receive air traffic control communications. This condition, if not addressed, could result in missed communications such as amended clearances and critical instructions for changes to flight path and consequent loss of safe separation between aircraft, collision, or runway incursion.”

Boeing issued a free software fix to stop the mode changes and, according to Uncle Sam, the update will take 90 minutes to install with an estimated labor cost of $127.50 per aircraft, with 157 US airplanes reportedly vulnerable. The problem affects 787-8, 787-9, and 787-10 aircraft.

The unsafe condition still exists on airplanes

America’s aviation watchdog the FAA has asked for feedback from airlines by April 14 on the situation, and Qatar Airways isn’t waiting that long. It has already warned the patch isn’t working as it should: The radios still change mode without warning.

“Qatar Airways flight crew are still reporting similar issues from post-mod airplanes. [Qatar Airways] already reported the events to Boeing/Collins aerospace for further investigation and root cause determination,” the airline said.

“As of now, Qatar believes that the issue is not completely addressed, and the unsafe condition still exists on airplanes.”

Neither Qatar, Boeing, or the FAA representative were available for comment on the issue. Collins is a software provider for Boeing.

Source: Boeing 787 radio software patch didn’t work, says Qatar • The Register

Researchers have discovered nearly 1.5 million pictures from specialist dating apps – many of which are explicit – being stored online without password protection, leaving them vulnerable to hackers and extortionists.

Anyone with the link was able to view the private photos from five platforms developed by M.A.D Mobile: kink sites BDSM People and Chica, and LGBT apps Pink, Brish and Translove.

These services are used by an estimated 800,000 to 900,000 people.

M.A.D Mobile was first warned about the security flaw on 20 January but didn’t take action until the BBC emailed on Friday.

They have since fixed it but not said how it happened or why they failed to protect the sensitive images.

Ethical hacker Aras Nazarovas from Cybernews first alerted the firm about the security hole after finding the location of the online storage used by the apps by analysing the code that powers the services.

He was shocked that he could access the unencrypted and unprotected photos without any password.

[…]

In an email M.A.D Mobile said it was grateful to the researcher for uncovering the vulnerability in the apps to prevent a data breach from occurring.

But there’s no guarantee that Mr Nazarovas was the only hacker to have found the image stash.

“We appreciate their work and have already taken the necessary steps to address the issue,” a M.A.D Mobile spokesperson said. “An additional update for the apps will be released on the App Store in the coming days.”

The company did not respond to further questions about where the company is based and why it took months to address the issue after multiple warnings from researchers.

Usually security researchers wait until a vulnerability is fixed before publishing an online report, in case it puts users at further risk of attack.

But Mr Nazarovas and his team decided to raise the alarm on Thursday while the issue was still live as they were concerned the company was not doing anything to fix it.

[…]

In 2015 malicious hackers stole a large amount of customer data about users of Ashley Madison, a dating website for married people who wish to cheat on their spouse.

Source: Over a million private photos from dating apps exposed online

The cybersecurity outlet The Record originally reported that under Trump’s new Defense Secretary Pete Hegseth, U.S. Cyber Command has been ordered to “stand down from all planning against Russia, including offensive digital actions.” The outlet cites three anonymous sources who are familiar with the matter. The order reportedly does not apply to the National Security Agency.

The policy shift represents a complete 180-degree turn from America’s posture over the past decade, which has consistently considered Russia one of the top cybersecurity threats. Credible reporting and government investigations have shown that Russia has hacked into U.S. systems countless times.

The Guardian has reported that a memo recently circulated to staff at America’s Cybersecurity and Infrastructure Security Agency (CISA) established “new priorities” for the agency and, while mentioning the threat of digital incursions by China and other enemies, failed to mention Russia.

“Russia and China are our biggest adversaries. With all the cuts being made to different agencies, a lot of cyber security personnel have been fired. Our systems are not going to be protected and our adversaries know this,” a source, who was familiar with the internal memo, told The Guardian. “People are saying Russia is winning. Putin is on the inside now.”

Another anonymous source, who said that CISA staff had been “verbally informed that they were not to follow or report on Russian threats,” expressed concern for the shift: “There are thousands of US government employees and military working daily on the massive threat Russia poses as possibly the most significant nation state threat actor. Not to diminish the significance of China, Iran, or North Korea, but Russia is at least on par with China as the most significant cyber threat,” they said.

[…]

As far as layoffs go, the NSA purge is a drop in the bucket for America’s signals intelligence agency. One of the intel community’s biggest outfits is reputed to employ at least 20,000 employees but has been estimated to use as many as 50,000. In general, despite Trump’s promise to smash the “deep state,” America’s dark and powerful national security state has remained largely untouched since he took office, with his administration’s wrecking ball DOGE content to spend most of its time smashing agencies that dispense services to the public.

Source: Trump’s Defense Secretary Hegseth Orders Cyber Command to ‘Stand Down’ on All Russia Operations

Machine learning has become more and more powerful, to the point where a bad actor can take a photo and a voice recording of someone you know, and forge a complete video recording. See the “OmniHuman-1” model developed by ByteDance:

• discussion on X
• ByteDance’s paper

 

Bad actors can now digitally impersonate someone you love, and trick you into doing things like paying a ransom.

To mitigate that risk, I have developed this simple solution where you can setup a unique time-based one-time passcode (TOTP) between any pair of persons.

This is how it works:

1. Two people, Person A and Person B, sit in front of the same computer and open this page;
2. They input their respective names (e.g. Alice and Bob) onto the same page, and click “Generate”;
3. The page will generate two TOTP QR codes, one for Alice and one for Bob;
4. Alice and Bob scan the respective QR code into a TOTP mobile app (such as Authy or Google Authenticator) on their respective mobile phones;
5. In the future, when Alice speaks with Bob over the phone or over video call, and wants to verify the identity of Bob, Alice asks Bob to provide the 6-digit TOTP code from the mobile app. If the code matches what Alice has on her own phone, then Alice has more confidence that she is speaking with the real Bob.

Note that this depends on both Alice’s and Bob’s phones being secure. If somebody steals Bob’s phone and manages to bypass the fingerprint or PIN or facial recognition of Bob’s phone, then all bets are off.

Discussion on Hacker News

Source code of this page on GitHub

Source: PeerAuth

Good work, Britain. Owners of Apple devices in the United Kingdom will be a little less safe moving forward as the company pulls its most secure end-to-end (E2E) encryption from the country. The move is in response to government demands there that Apple build a backdoor into its iCloud encryption feature that would allow law enforcement to access the cloud data of any iPhone user around the world under the guise of national security.

[…]

Following Apple’s decision to pull E2E cloud encryption from the UK, the company on Friday told Bloomberg that “enhancing the security of cloud storage with end-to-end encryption is more urgent than ever before” and that it “remains committed to offering our users the highest level of security for their personal data and are hopeful that we will be able to do so in the future in the United Kingdom.”

The UK order asked Apple for access to global user data under the country’s Investigatory Powers Act, a law that grants officials the authority to compel companies to remove encryption under a “technical capability notice.”

[…]

“Security officials asked not only that Apple allow the UK government access to UK residents’ encrypted cloud storage, but that the UK government get access to any Apple user’s encrypted cloud storage,” said David Ruiz, an online privacy expert at Malwarebytes. “To demand access to the world’s data is such a brazen, imperialist maneuver that I’m surprised it hasn’t come from, well, honestly, the US. This may embolden other countries, particularly those in the ‘Five Eyes,’ to make a similar demand of Apple.” Ruiz questioned what this means for the UK’s privacy guarantees with the US.

Law enforcement is always looking for new ways to conduct surveillance under the guise of protecting the public—Edward Snowden famously revealed a dragnet of surveillance created after 9/11 that pulled in data on individuals domestic and abroa. But once the genie is taken out of the proverbial bottle, it is hard to put it back, and the capabilities can end up in the wrong hands. Police already have access to plenty investigative powers, privacy advocates say, and the public should be very cautious about giving them more that could be ripe for abuse.

[…]

With today’s move, Apple is essentially saying that it would rather pull the E2E encryption altogether and inform customers they will be less safe, rather than build an open door for the UK government. It is a shrewd, gigachad move by Apple even though consumers there will no longer have the same amount of security as others around the globe. iCloud encryption is important as the service has in the past been a target of hackers who penetrated the accounts of celebrities to steal their nudes and post them online in a scandal that was called “the Fappening.”

[…]

Source: Apple Says ‘No’ to UK Backdoor Order, Will Disable E2E Cloud Encryption Instead

So, no security or privacy for those in the UK then.

Chinese tech company employees and government workers are siphoning off user data and selling it online – and even high-ranking Chinese Communist Party officials and FBI-wanted hackers’ sensitive information is being peddled by the Middle Kingdom’s thriving illegal data ecosystem.

“While Western cybercrime research focuses heavily on criminals in the English- and Russian-speaking worlds, there is also a large community of Chinese-speaking cybercriminals who engage in scammy, low-level, financially motivated cybercrime,” SpyCloud senior security researcher Kyla Cardona said during a talk at last month’s Cyberwarcon in Arlington, Virginia.

It’s no secret that President Xi Jinping’s government uses technology companies to help maintain the nation’s massive surveillance apparatus.

But in addition to forcing businesses operating in China to stockpile and hand over info about their users for censorship and state-snooping purposes, a black market for individuals’ sensitive data is also booming. Corporate and government insiders have access to this harvested private info, and the financial incentives to sell the data to fraudsters and crooks to exploit.

“It’s a double-edged sword,” Cardona told The Register during an interview alongside SpyCloud infosec researcher Aurora Johnson.

“The data is being collected by rich and powerful people that control technology companies and work in the government, but it can also be used against them in all of these scams and fraud and other low-level crimes,” Johnson added.

China’s thriving data black market

To get their hands on the personal info, Chinese data brokers often recruit shady insiders with wanted ads seeking “friends” working in government, and promise daily income of 20,000 to 70,000 yuan ($2,700 and $9,700) in exchange for harvested information. This data is then used to pull off scams, fraud, and suchlike.

Some of these data brokers also claim to have “signed formal contracts” with the big three Chinese telecom companies: China Mobile, China Unicom, and China Telecom. The brokers’ marketing materials tout they are able to legally obtain and sell details of people’s internet habits via the Chinese telcos’ deep packet inspection systems, which monitor as well as manage and store network traffic. (The West has also seen this kind of thing.)

Crucially, this level of surveillance by the telcos gives their employees access to users’ browsing data and other info, which workers can then swipe and then resell themselves through various brokers, Cardona and Johnson said.

Scammers and other criminals are buying copies of this personal information, illicitly obtained or otherwise, for their swindles, but it’s also being purchased by legitimate businesses for sales leads — to sell people car insurance when theirs is about to expire, for example.

Information acquired through DPI also seems to be a major source of the stolen personal details that goes into the so-called “social engineering databases,” or SGKs (short for shegong ku​), according to the researchers.

In addition to amassing information collected from DPI, these databases contain personal details provided by underhand software development kits (SDKs) buried in apps and other programs, which basically spy on users in real time, as well as records stolen during IT security breaches.

SGK records include personal profiles (names, genders, addresses, dates of birth, phone numbers, email and social media account details, zodiac signs), bank account and other financial information, health records, property and vehicle information, facial recognition scans and photos, criminal case details, and more. Some of the SGK platforms allow users to do reverse lookups on potential targets, allowing someone to be ultimately identified from their otherwise non-identifying details.

[…]

One SGK that has since been taken down had more than 3 million users. As of now, one of the biggest stolen-info databases has 317,000 subscribers, we’re told, while most of the search services each see about 90,000 users per month.

[…]

One also displayed a ton of sensitive details belonging to a high-ranking CCP member.

​A free SGK search query about this individual pulled up the person’s name, physical address, mobile number, national ID number, birth date, gender, and issuing authority, which the researcher surmised is the issuing authority for the ID card.

An additional query produced even more: The person’s WeChat ID, vehicle information, hobbies and industry information, marital status, and monthly salary, and his phone’s International Mobile Equipment Identity (IMEI) number with a link to click for more information about the device.

The researchers found similar info about a People’s Liberation Army member using SGKs, plus details about suspected nation-state-backed criminals wanted by the FBI.

[…]

“There is a huge ecosystem of Chinese breached and leaked data, and I don’t know that a lot of Western cybersecurity researchers are looking at this,” Johnson continued. “It poses privacy risks to all Chinese people across all groups. And then it also gives us Western cybersecurity researchers a really interesting source to track some of these actors that have been targeting critical infrastructure.” ®

Source: How Chinese insiders exploit its surveillance state • The Register

Which goes to show – large centralised databases give away their data to far too many people. Bad security (like government backdoors to encryption) is bad for everyone – anyone with the key can (and will) get in (like the US is finding out: In massive U-turn, FBI Warns Americans to Start Using Encrypted Messaging Apps, after discovering the problem with backdoors)

America’s top cybersecurity and law enforcement officials made a coordinated push Tuesday to raise awareness about cyber threats from foreign actors in the wake of an intrusion of U.S. telecom equipment dubbed Salt Typhoon. The hackers are linked to the Chinese government and they still have a presence in U.S. systems, spying on American communications, in what Sen. Mark Warner from Virginia has called “the worst hack in our nation’s history.”

Officials with the U.S. Cybersecurity and Infrastructure Security Agency and FBI went so far as to urge Americans to use encrypted messaging apps, according to a new report from NBC News, something that’s ostensibly about keeping foreign hackers out of your communications.

[…]

“Our suggestion, what we have told folks internally, is not new here: encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible,” Jeff Greene, executive assistant director for cybersecurity at CISA, said on a press call Tuesday according to NBC News.

The unnamed FBI agent on the call with reporters echoed the message, according to NBC News, urging Americans to use “responsibly managed encryption,” which is a rather big deal when you remember that agencies like the FBI have been most resistant to Silicon Valley’s encryption efforts.

The hackers behind Salt Typoon failed to monitor or intercept anything encrypted, meaning that anything sent through Signal and Apple’s iMessage was likely protected, according to the New York Times. But the intrusion for all other communications was otherwise extremely galling. The hackers had access to metadata, including information on messages and phone calls along with when and where they were delivered. The hackers reportedly focused on targets around Washington, D.C.

The most alarming sort of intrusion in Salt Typhoon involved the system used by U.S. officials to wiretap Americans with a court order

[…]

Source: FBI Warns Americans to Start Using Encrypted Messaging Apps

It’s not like people have not been warning governments all over the world that there is no such thing as a safe backdoor to encryption and that forbidding encryption leads to a world of harm. We knew this, but still the idiots in charge wanted keys to encryption. The key, once it is in the hands of “baddies” will still work. It really does show the absolute retardation of government spy people who say breaking encryption will make us safer.