PCLinuxOS Magazine

ICYMI: New Spear-Phishing Attacks From Russian Hackers


by Paul Arnote (parnote)




On October 28, Google released a new update for Chrome, upgrading it to version 130.0.6723.91/.92 for Windows and Mac, and 130.0.6723.91 for Linux. When you install the update and refresh your browser, you won't be greeted with a new UI or a handful of new features or changes. Instead, you'll be running a browser that patches two security vulnerabilities found in older versions, according to an article from Lifehacker. The security vulnerabilities were discovered on October 23, 2024, by Apple. One of those security vulnerabilities is labeled as “High” severity. Tracked as CVE-2024-10488, this is a use-after-free vulnerability in WebRTC, a real-time communication protocol for web browsers. In use-after-free flaws, a program fails to clear the pointer to a memory location after freeing that memory location and can later use the stale pointer, which enables bad actors to exploit the flaw and attack the program. The other flaw, however, is a bit more interesting to me. CVE-2024-10487 is labeled as “Critical” severity, and is an out-of-bounds write in Dawn, the open-source implementation of WebGPU in Chrome. An out-of-bounds write flaw occurs when a program writes outside of its allocated memory. An attacker can take advantage of this situation to crash the program and run their own code.

ChatGPT Plus subscribers, Team subscribers, and SearchGPT waitlist members can use OpenAI's generative search engine starting October 31, the AI giant announced, according to an article from TechRepublic. That might be a scare for Google Search, as OpenAI directly targets pulling users away from Google's algorithm. OpenAI created a Chrome extension to set ChatGPT search as the browser's default search engine. ChatGPT search also competes with Microsoft's Bing Chat in the Bing search engine. ChatGPT search will open up to enterprise and education users “in the next few weeks,” OpenAI said in a blog post. Free tier users will see the new functionality “in the coming months.” Another article from Lifehacker compared the search results between ChatGPT Search and Google Search. From their take, Google has reason to be worried.

Comic Sans has turned 30, and it's done being your punch line, according to an article from FastCompany. For three whole decades, Comic Sans cowered at your reproaches and winced at your jokes. It barely flinched when Google's practical joke made sure that searching for “Helvetica” would render all results in Comic Sans. Or when CERN, the European Organization for Nuclear Research, made it the butt of an April Fool's joke three years later. It even sat quietly while people gathered signatures for its demise. But Comic Sans has just hit the big 3-0 — and it's ready for its second act.



Microsoft Threat Intelligence has uncovered a new attack campaign by Russian threat actor Midnight Blizzard, targeting thousands of users across over 100 organizations, according to an article from TechRepublic. The attack leverages spear-phishing emails with RDP configuration files, allowing attackers to connect to and potentially compromise the targeted systems. The attack campaign targeted thousands of users in higher education, defense, non-governmental organizations, and government agencies. Dozens of countries have been impacted, particularly in the U.K., Europe, Australia, and Japan, which is consistent with previous Midnight Blizzard phishing campaigns.
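
As an added illustration (not taken from the TechRepublic article or from Microsoft), a mail gateway or help desk can parse an attached .rdp file and flag an unapproved destination or local-resource redirection before anyone opens it. The allowlisted host name, the sample file and the choice of which properties to flag are assumptions of this example.

```python
"""Added example: triage an .rdp attachment before a user opens it."""
import re

# Standard .rdp properties that map local resources into the remote session.
# Treating them as findings is this example's policy, not a rule from the article.
REDIRECT_FLAGS = {
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "COM ports",
    "redirectwebauthn": "WebAuthn requests",
}
REDIRECT_LISTS = {
    "drivestoredirect": "local drives",
    "devicestoredirect": "plug and play devices",
    "camerastoredirect": "cameras",
}
LINE_RE = re.compile(r"^\s*([^:]+):([isb]):(.*)$")  # name:type:value


def decode_rdp(raw):
    """.rdp files are often UTF-16 LE with a BOM; otherwise assume UTF-8."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("utf-8-sig", errors="replace")


def parse_rdp(text):
    """Return {property name: value} for every well-formed line."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1).strip().lower()] = m.group(3).strip()
    return settings


def triage_rdp(text, allowed_hosts=frozenset()):
    """List reasons this file should not be opened without review."""
    s = parse_rdp(text)
    findings = []
    address = s.get("full address", "")
    # Strip a trailing :port from host:port; leave IPv6 literals untouched.
    host = address.rsplit(":", 1)[0] if address.count(":") == 1 else address
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        findings.append(f"unapproved host: {host or '(none)'}")
    for key, label in REDIRECT_FLAGS.items():
        if s.get(key) == "1":
            findings.append(f"redirects {label}")
    for key, label in REDIRECT_LISTS.items():
        if s.get(key):  # empty value means nothing is redirected
            findings.append(f"redirects {label} ({s[key]})")
    return findings


# Constructed sample, not a file from the campaign.
SAMPLE_RDP = (
    "full address:s:rdp.example.invalid:3389\r\n"
    "drivestoredirect:s:*\r\n"
    "redirectclipboard:i:1\r\n"
    "redirectprinters:i:0\r\n"
)

if __name__ == "__main__":
    for finding in triage_rdp(SAMPLE_RDP, allowed_hosts={"jump.corp.example"}):
        print(finding)
```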

The federal government is encouraging software manufacturers to ditch C/C++ and take other actions that could “reduce customer risk,” according to the Product Security Best Practices report, says an article from TechRepublic. In particular, CISA and the FBI set a deadline of Jan. 1, 2026, for compliance with memory safety guidelines. The report covers guidelines and recommendations rather than mandatory rules, particularly for software manufacturers who work on critical infrastructure or national critical functions. The agencies specifically highlighted on-premises software, cloud services, and software-as-a-service. While it isn't directly stated that using ‘unsafe' languages could disqualify manufacturers from government work, and the report is “non-binding,” the message is straightforward: Such practices are inappropriate for any work classified as relevant to national security. “By following the recommendations in this guidance, manufacturers will signal to customers that they are taking ownership of customer security outcomes, a key Secure by Design principle,” the report states.

An article from Lifehacker details how to find your saved passwords in Google Chrome. The bonus to saving passwords in Google Chrome is that they are also then available on Android and from the web (which sounds like a security nightmare to me). You'd probably be a LOT better off (and a lot more secure) using a bona fide password manager, like Bitwarden, but if you've been bitten by the convenience bug and used Google Chrome to remember your passwords instead, this article tells you how to find them, both on your computer and on your mobile device.



NordPass has released their list of the 200 most commonly used (a.k.a. worst) passwords for 2024. Believe it or not, the number one WORST password on the list is a perennial favorite: 123456. The worst password list also contains a column that tells you how long it takes to “crack” your insecure password. In many cases, it's a trivial matter, and many take less than one second to crack. If your “password” is on this list, you need to change it to something a LOT more secure yesterday. Don't worry. Those who try to hack passwords also pay attention to these lists, and update their “dictionaries” to contain these insecure passwords, making them some of the first to try when attempting to break into an account.

Thieves across the United States are eyeing Hyundai and Kia models as easy targets thanks in part to viral social media posts, according to one article from TheDrive.com. Essentially, if it's a modern car from one of those automakers that doesn't utilize push-button start, they can fire up the car and drive away in less than a minute. The only tool required is something that can be found in just about every vehicle: a USB charger. In a followup article, TheDrive.com explained that many Hyundai and Kia vehicles that use physical keys don't have ignition immobilizers. In a vehicle that has an anti-theft immobilizer, the key contains a computer chip that verifies the key being used is legitimate and allows the vehicle to start. These cars that have become targets do not have this feature. To protect your Hyundai or Kia car from theft, the second article explains that the use of a steering wheel immobilizer, commonly referred to as “The Club,” is recommended. In fact, in some communities, Hyundai and Kia are giving out free steering wheel immobilizers to owners of affected Hyundai and Kia cars.

Thomas E. Kurtz, a mathematician and inventor of the simplified computer programming language known as BASIC, which allowed students to operate early computers and eventually propelled generations into the world of personal computing, died on November 12, 2024, in Lebanon, N.H., according to an article from the New York Times. He was 96. The cause of his death, in a hospice, was multiple organ failure from sepsis, said Agnes Kurtz, his wife. In the early 1960s, before the days of laptops and smartphones, a computer was the size of a small car and an institution like Dartmouth College, where Dr. Kurtz taught, had just one. Programming was once the province of scientists and mathematicians, specialists who understood the non-intuitive commands used to manipulate data through those hulking machines, which processed data in large batches, an effort that sometimes took days or weeks to complete.



The European Commission has slapped tech giant Meta with another fine for tying Facebook Marketplace, its classified-ad service, to Facebook and using non-public advertising data, according to an article from TechRepublic. Authorities are demanding a €797.72 million fine for Meta, which is essentially giving Marketplace an unfair advantage over competing digital storefronts. Marketplace was set up in 2016 as a way for individuals to buy and sell items over social media, typically furniture. The Commission has two main problems with Meta. The first is that “all Facebook users automatically have access and get regularly exposed to Facebook Marketplace whether they want it or not,” and competitors cannot reach the same level of exposure.

The Fort Wayne Railroad Historical Society announced that it had acquired New York Central L-3a “Mohawk” 3001 and planned to restore the 4-8-2 locomotive to operation for use on its popular Indiana Rail Experience excursions, according to an article from RailFan. The 3001 is the largest surviving NYC steam locomotive and the only member of the L3a class to escape the scrapper's torch. The locomotive was under the care of the City of Elkhart, Ind., and has been on display at the National New York Central Museum for decades.

Over a million NHS employee records — including email addresses, phone numbers, and home addresses — were exposed online due to a misconfiguration of the low-code website builder Microsoft Power Pages, according to an article from TechRepublic. In September, researchers with the software-as-a-service security platform AppOmni identified a large shared business service provider for the NHS that was allowing unauthorized access to sensitive data through insecure permission settings on Power Pages. Specifically, the permissions on some tables and columns in Power Pages Web API were too broad, inadvertently granting access to “Anonymous” users or those who aren't logged in. The misconfiguration has since been disclosed to the NHS and resolved.



The International Space Station had to adjust its orbit to avoid space debris, according to an article from NPR. The debris avoidance maneuver involved firing thrusters on the ISS at 2:09 p.m. CT for 5 minutes, 31 seconds, according to NASA. This adjustment raised the ISS orbit to “provide an extra margin of distance from a piece of orbital debris from a defunct defense meteorological satellite that broke up in 2015,” the agency says. Had the maneuver not been conducted, the debris would have come within nearly 2.5 miles of the station, NASA also says. The debris was “small,” U.S. Space Forces-Space tells NPR.

Astronomers have captured a “zoomed-in” image of a star outside the Milky Way for the first time, according to an article from Space.com. The team brought the vast red supergiant star designated WOH G64 into focus using the Very Large Telescope Interferometer (VLTI). WOH G64 is located a staggering 160,000 light-years away in the Large Magellanic Cloud (LMC), a satellite dwarf galaxy companion of the Milky Way. Astronomers have known of the existence of this star for some time, and it has earned the nickname the “behemoth star” because it is an incredible 2,000 times the size of the sun. The VLTI was able to see this distant star in such detail that it also revealed its surrounding cocoon of gas and dust. These outflows of material indicate that WOH G64 is dying, in the final stages of its life leading up to a massive supernova explosion.

A grad student discovers a planet orbiting around a nearby star, astronomers say. The celestial body is the youngest transiting planet found to date, according to an article from ABC News. Madyson Barber, a grad student at the University of North Carolina at Chapel Hill, was researching young transiting systems in space when she made a remarkable discovery. Barber used data from NASA's Transiting Exoplanet Survey Satellite to observe the brightness of stars over time. During the observations, Barber noticed some “little dips” in brightness, indicating that a “transiting” planet may be passing near Earth. “This planet discovery popped out,” Barber told ABC News.



In all our explorations of Mars to date, no evidence has been found that meets the rigorous standards to claim that we have conclusively found life, according to an article from Science Alert. But, decades ago in the 1970s, when the Viking landers became the first US mission to safely land on and explore the red planet, we may have been close. One researcher raises the possibility that life existed in a sample of Martian soil. And then, in our quest to sniff it, we snuffed it out. Just like that. According to astrobiologist Dirk Schulze-Makuch of the Technical University Berlin in Germany, an experiment to detect the signs of microbial life on Mars could have been deadly.

The Dark Energy Spectroscopic Instrument (DESI) has made significant contributions to understanding the universe's structure over the past 11 billion years, confirming Einstein's theory of general relativity on a cosmic scale, according to an article from SciTechDaily. Through extensive data analysis of nearly 6 million galaxies and quasars, DESI has provided new insights into the growth of cosmic structures, the mass of neutrinos, and the distribution of dark matter and energy. As DESI continues to gather data, expectations are high for revealing more about the evolving nature of dark energy and the universe's expansion.

Last year, it was reported that China's Zhurong rover found evidence for an ancient ocean on Mars. Now, another team of scientists in China said they've found even more evidence for that ocean, according to an article from EarthSky. The ocean would have covered a vast region of the lowlands in the Utopia Planitia region in the northern hemisphere. Researcher Bo Wu at Hong Kong Polytechnic University and his team published their peer-reviewed findings in Scientific Reports on November 7, 2024. From a post on X by New Scientist, “A possible ancient shoreline has been found in the region of Mars being explored by the Chinese rover Zhurong, hinting that an ocean may once have covered a vast area of the lowlands in the planet's northern hemisphere.”



Many migratory birds use Earth's magnetic field as a compass, but some can also use information from that field to determine more or less where they are on a mental map. Eurasian reed warblers (Acrocephalus scirpaceus) appear to calculate their geographical position by drawing data from different distances and angles between magnetic fields and the Earth's shape, according to an article from NewScientist. The findings suggest that the birds use magnetic information as a sort of “GPS” that tells them not only where to go, but where they are initially, says Richard Holland at Bangor University in the UK.

Apple's latest security updates for iOS, macOS, Safari, visionOS, and iPadOS contained brief but critical disclosures of two actively exploited vulnerabilities, according to an article from TechRepublic. The tech giant said Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group discovered the vulnerabilities. NIST lists the vulnerabilities as CVE-2024-44308 and CVE-2024-44309. With CVE-2024-44308, attackers could create malicious web content, leading to arbitrary code execution. Apple detected this exploit possibly in use on Intel-based Mac systems — unlike those systems using Apple's own M chips, which have been the standard since 2023. Apple put improved checks in place to prevent this issue. CVE-2024-44309 has been exploited similarly and applies to Intel-based Macs, but the fix was different. Apple said its team addressed a cookie management issue by improving state management.

A new quantum theory explaining how light and matter interact has also provided the first ever depiction of the shape of a single light particle, a photon, according to an article from Cosmos. Understanding these fundamental aspects of photon-matter interactions could open up new possibilities in quantum physics and material science. It could pave the way for new and improved nanophotonic technologies, pathogen detection or controlled chemical reactions. The research is published in the Physical Review Letters.



Long-term use of cardiovascular drugs may reduce dementia risk in older adults by up to 25%, while antiplatelet drugs could increase it, according to an article from SciTechDaily. Further research is needed to confirm these findings and investigate related lifestyle factors. A new study from Karolinska Institutet, published in Alzheimer's & Dementia: The Journal of the Alzheimer's Association, suggests that commonly used cardiovascular drugs are associated with a reduced risk of dementia in older adults. “We can see a clear link between long-term use – five years or more – of these drugs and reduced risk of dementia in older age,” says Mozhu Ding, assistant professor at the Institute of Environmental Medicine, Karolinska Institutet, and one of the lead authors of the paper. The researchers also found that, on the contrary, the use of antiplatelet drugs may be linked to a higher risk of dementia. Antiplatelet drugs, such as aspirin and clopidogrel (Plavix), are medicines used to prevent strokes and stop platelets from clumping together. One possible explanation is that these drugs increase the risk of microbleeds in the brain, which are associated with cognitive decline. The study is an important piece of the puzzle for finding new treatments for dementia, according to the researchers.

A group of U.S. students has smashed a series of world records after launching a “homemade” rocket farther and faster into space than any other amateur rocket, according to an article from LiveScience. The student-made missile soared 90,000 feet (27,400 meters) beyond the previous record-holder — a rocket launched more than 20 years ago. The record-breaking rocket, named Aftershock II, was designed and built by students at the University of Southern California's (USC) Rocket Propulsion Lab (RPL) — a group run entirely by undergraduate students. The students launched Aftershock II on Oct. 20 from a site in Black Rock Desert, Nevada. The rocket stood about 14 feet (4 meters) tall and weighed 330 pounds (150 kilograms). The rocket broke the sound barrier just two seconds after liftoff and reached its maximum speed roughly 19 seconds after launch.

A research group led by Specially Appointed Professor Takami Tomiyama of Osaka Metropolitan University's Graduate School of Medicine has found that administering the dried seeds of a type of jujube called Ziziphus jujuba Miller var. spinosa, used as a medicinal herb in traditional Chinese medicine, holds promise in restoring cognitive and motor function in model mice, according to an article from SciTechDaily. By administering hot water extracts of Zizyphi spinosi semen to model mice with Alzheimer's disease, frontotemporal dementia, Parkinson's disease, and dementia with Lewy bodies, the team found that cognitive and motor functions were restored. Furthermore, when the seeds were simply crushed into powder and administered to the model mice, the team discovered that the cognitive function of the model mice recovered to a level above that of control mice. In addition, the powders apparently suppressed cellular aging in older mice and improved their cognitive function to a similar level as younger mice.



Earlier this week, it was reported that the US Department of Justice's top antitrust officials would likely ask a judge to enforce a significant break up of Google, in part proposing that Chrome be sold off, according to an article from PC Gamer. As of the night of November 20, 2024, the official paperwork has since been filed, and we can now see that the authorities' plan is even further reaching than initially suggested. Not only will a judge be asked to enforce Google's sale of Chrome, but the filing made to a Washington federal court also outlines that, “following its divestiture of Chrome may not reenter the browser market for five years” (via The Guardian). The proposal also calls for Google to be prohibited from “acquiring any interests in search rivals, potential entrants, and rival search or search ads-related AI products,” and that it must let go of any it already holds in its clutch. Furthermore, the documents additionally call for a halt to all “anticompetitive payments to distributors, including Apple” that are made to ensure Google is the default search engine on various companies' devices.

News broke recently that China-backed hackers have compromised the wiretap systems of several U.S. telecom and internet providers, likely in an effort to gather intelligence on Americans, according to an article from TechCrunch. The wiretap systems, as mandated under a 30-year-old U.S. federal law, are some of the most sensitive in a telecom or internet provider's network, typically granting a select few employees nearly unfettered access to information about their customers, including their internet traffic and browsing histories. But for the technologists who have for years sounded the alarm about the security risks of legally required backdoors, news of the compromises is the “told you so” moment they hoped would never come but knew one day would.

Google might merge Chrome OS and Android, according to an article from Android Authority. This information was related to a new Google laptop in the works that will very likely have Android under the hood, not Chrome OS. Ostensibly, Google is doing this to better compete with the iPad — backed up by the fact that, later, we heard Google has also seemingly canceled the Pixel Tablet 2. Regardless, dumping Chrome OS for Android would dramatically shift Google's overall compute strategy, considering how much mindshare Chromebooks and Chrome OS already have, especially in the education space.


