
Hackers Use Phone Location Data to Attack US Military Personnel


Threat actors are targeting U.S. military personnel deployed in active war zones, exploiting commercially available location data. 

This shows how the global surveillance economy (digital targeted advertising) affects battlefield security. 

Location data exposing military location

US Central Command (Centcom) confirmed this attack, citing "multiple threat reports concerning adversary exploitation of commercial location data to target or surveil U.S. personnel in theater."

Details about the incident

This alarming development was shared with Reuters by Senator Ron Wyden, but no particular detail about the incident was offered. 

But Centcom’s area of operations consists of the Gulf, where US forces are at war with the Iranian military. This is the first time that US forces have confirmed they are being targeted in an active war zone with the help of digital ads that expose location data.

Officials’ statements

According to the Pentagon and US lawmakers, "commercial location data can be used to identify where U.S. troops congregate and their pattern of life, which can be exploited by adversaries to target attacks such as missiles, drones, and roadside bombs, and for counterintelligence."


The risk of digital advertising targeting in wars

Senator Wyden has warned that it is time to "start treating the adtech industry as a national security threat."
The problem has again exposed the underlying privacy threats concerning location data, which is the foundation of digital advertising.

The Pentagon did not return messages seeking comment, and lawmakers' efforts to obtain more information from military officials about the targeting reports.

Attack tactic

The location data is retrieved by apps through smartphones or service providers. For instance, a third party sometimes collects the data, which is then sold on the web for advertising purposes.

The privacy threat posed by selling personal location data is not new. In 2016, a US defense contractor bought commercially available location data to trace special ops forces from their domestic bases to a private staging post in Syria, according to a Wall Street Journal (WSJ) report.

Recently, reporters from two German news outlets and Wired used billions of coordinates from a data broker to leak detailed locations of individuals near eleven US military sites in Germany.

The US lawmakers wrote a letter to the Pentagon which argued that military officials should act faster to protect military personnel, as their location is sometimes exposed due to the complex location data trade market.

US lawmakers have suggested:
  1. Disabling location sharing on field smartphones.
  2. Shifting military staff away from Google Chrome in favour of privacy-focused browsers.
  3. Turning off digital advertising on military devices.

The impact

Advertising groups such as the Association of National Advertisers and the Interactive Advertising Bureau have not responded to any questions or comments.

Representative Pat Harrigan, a North Carolina Republican and former U.S. Army Special Forces officer, co-signed the letter, saying that browsers such as Google Chrome “are built from the ground up to collect and share user data. Every day they remain on government-issued devices is another day we are handing our adversaries a weapon against our own troops.”

Responding to the statement, Google said that its browser has "industry-leading security" and that the company has "long advocated for stronger rules and safeguards against data brokers."

Carnival Confirms Breach Affecting Nearly 6 Million Travelers

 

Carnival Cruise has confirmed a significant data breach that affected nearly 6 million people, exposing a wide range of personal information after attackers gained access to part of its IT systems through social engineering. The company began notifying 5,995,277 customers after investigating unauthorized activity tied to an employee account and later determined that personal data had been copied. 

The breach reportedly began on April 10, 2026, and by April 14 Carnival’s security team had identified suspicious access involving an employee account. According to the company, an attacker tricked an employee into granting access to a limited portion of its system, which allowed the intruder to move inside the network long enough to steal files before the activity was blocked. Carnival said it brought in outside security experts and started a formal investigation immediately after the incident was detected.

The data believed to have been exposed includes names, dates of birth, email addresses, genders, geographic locations, and loyalty program information linked to Carnival’s cruise brands. Reporting also suggests that some records may contain more sensitive identifiers such as government-issued ID numbers, passports, or driver’s license details, depending on the affected person. Have I Been Pwned said the leaked material appeared to relate to the Mariner Society loyalty program run by Holland America, a Carnival brand. 

The ShinyHunters extortion group claimed responsibility for the attack and said it had obtained millions of records, along with internal corporate data. While Carnival has not publicly confirmed the group’s claim, the scale of the incident and the types of information exposed make it especially serious because the stolen details could be used for identity theft, account takeover, or highly targeted phishing. The breach also follows earlier security incidents at Carnival, adding to concerns about the company’s handling of sensitive customer data. 

For affected travelers, the most immediate risk is that criminals could use the stolen information to impersonate Carnival or other travel companies in convincing scams. Customers should be alert for messages asking them to reset passwords, confirm bookings, or share documents, because those requests may be based on real personal details from the breach. Security experts generally advise changing account passwords, enabling multi-factor authentication, and monitoring financial and travel accounts closely after incidents like this.

Microsoft Adds Automated Endpoint Isolation to Strengthen Cyber Defense


Microsoft is advancing its automated cyber defence strategy with a new Microsoft Defender for Endpoint capability that isolates compromised devices as soon as malicious activity is detected.


The feature was introduced as a preview and has been designed to curb the most damaging stage of an intrusion by preventing endpoints from connecting to the broader corporate network while maintaining a secure connection to Microsoft's Defender service. By integrating this capability into the automatic attack disruption framework, the company hopes to accelerate containment, reduce the attacker's operating window, and provide security teams with valuable time for investigation and remediation during the critical early moments of a breach without relying solely on manual interventions. 

In spite of Microsoft's assertion that automated response systems can be deployed quickly in the event of active intrusions, security researchers caution that they must be implemented with carefully defined safeguards. Microsoft introduced the feature earlier this month as part of ongoing enhancements to Microsoft Defender, though a timeline for general availability has not yet been provided. 

In addition, a recent SANS Institute report outlined a potential risk scenario in which threat actors could manipulate automated disruption workflows to interfere with administrator accounts, potentially resulting in difficulties during incident response. According to Johannes Ullrich, Dean of Research at SANS Institute, automated isolation and attack disruption technologies have existed in both commercial and open-source security platforms for years, yet their effectiveness relies heavily on how they are configured and tuned. 

As Ullrich points out, organizations with limited security resources will benefit significantly from automated containment; however, poorly configured policies may allow attackers to delay remediation by targeting privileged accounts. Nonetheless, industry experts agree that automation has become increasingly important as ransomware and malware operations continue to execute at machine speed.

According to Robert Enderle, by the time a human analyst detects malicious activity, adversaries might have already established persistence, expanded their foothold, or begun encrypting data. With the new capability, Microsoft Defender XDR addresses this gap by automatically isolating workstations that are subject to ransomware or advanced intrusion activity upon detection of high-confidence indicators.

While the network access is severed to prevent command-and-control communications, lateral movement, and data exfiltration, the endpoint is still connected to Microsoft Defender services, which enables continuous telemetry collection, remote investigation, and forensic analysis. The functionality is currently restricted to managed devices enrolled in Microsoft Defender for Endpoint and does not yet extend to servers or unmanaged assets. 

In addition to integrating signals from endpoints, identities, email environments, and SaaS applications, Defender XDR creates a comprehensive incident view by correlating signals across these technologies to trigger containment actions when malicious activity reaches a certain level of confidence. 

With a focus on isolated devices rather than wider network segments, the platform aims to contain threats with minimal operational impact, while reducing the potential for ransomware to spread throughout an organisation. In addition to operational safeguards built into the feature, Microsoft has also implemented measures to ensure that aggressive containment measures do not disrupt business operations in an unnecessary manner.

At present, only end-user workstations that have been onboarded through Microsoft Defender for Endpoint are capable of automatic isolation, with security teams remaining in control of remediation decisions once investigations are completed and threats have been mitigated.

Defender portal administrators have immediate control over recovery actions, as they can release devices directly from the Device Inventory or through the individual device management page. This latest development is a continuation of Microsoft's ongoing commitment to endpoint containment, a strategy that has steadily grown over the past several years. 

By June 2022, Defender introduced manual containment capabilities for unmanaged Windows devices, enabling administrators to prevent inbound and outbound communication from Defender-protected endpoints that are compromised. In early 2023, support for isolating onboarded Linux devices began testing, and general availability was expected later that year. 

Microsoft has subsequently extended its automatic attack disruption framework to include user account isolation, a measure aimed at preventing lateral movement during hands-on-keyboard ransomware attacks. As part of an ongoing evaluation of Defender for Endpoint enhancements, the company is currently testing automatic traffic blocking for previously undiscovered Windows devices, thereby reducing the possibility of attackers pivoting to unprotected devices within a network.

In addition to these containment-focused developments, Microsoft has also provided an overview of scheduled antivirus scanning for Linux-onboarded systems. Administrators can schedule recurring quick or full scans through the Defender portal, managed JSON configurations, or command-line controls, with options for low-priority execution, idle-time scheduling, and randomised scans.

Providing flexibility through automated recovery, administrator-driven release controls, exclusion policies for business-critical assets, and targeted containment logic that isolates only systems that are directly associated with malicious activity is a major component of the new automated isolation framework. 

Throughout the Microsoft Defender portal, all isolations, restorations, and response actions are recorded, and security teams can review detailed event timelines, trigger detections, and automated remediation activities through centralised investigation and action management interfaces. 

In a world where speed of detection is no longer sufficient without equally rapid containment, Microsoft's latest move highlights a broader shift in enterprise security. With threat actors increasingly automating intrusion, ransomware deployment, and lateral movement, organisations are increasingly relying on security platforms capable of determining the appropriate response in real time based on their high level of confidence.

However, the effectiveness of such automation ultimately relies upon its careful implementation, ongoing validation, and clearly defined operational safeguards. The challenge for defenders is not simply adopting autonomous security capabilities, but also ensuring they remain accurate, transparent, and aligned with corporate objectives. Success in cyber resilience is determined by finding the right balance between speed and control.

Researchers Show How Android Notifications Could Be Used to Manipulate Google Gemini

 





Security researchers have disclosed a now-remediated flaw that could have allowed specially crafted notifications from common messaging and social networking applications to influence the behavior of Google Gemini on Android devices.

The research was conducted by SafeBreach researcher Or Yair, who found that Gemini's ability to access and process notifications could be abused to deliver hidden instructions through otherwise legitimate messages. According to the findings, the technique did not rely on malware or a rogue application being installed on a target device. Instead, any service capable of sending a notification, including WhatsApp, Slack, Signal, Instagram, Messenger, or SMS, could potentially be used to deliver malicious content.

The study builds on SafeBreach's earlier "Invitation Is All You Need" research, which demonstrated how malicious Google Calendar invitations could manipulate Gemini through indirect prompt injection. Following that disclosure, Google introduced new safeguards designed to prevent external content from influencing sensitive actions. Yair's latest work examined whether similar manipulation could still occur through a different source of user data.

At the center of the issue was Gemini's Utilities feature on Android. The functionality allows the assistant to read, manage, and respond to notifications from connected applications. Researchers found that under certain circumstances, notification text could be interpreted not only as information but also as instructions that influenced the assistant's responses and actions.

Because the feature is available on Android devices and not through Gemini's web version or iOS implementation, the attack scenario was limited to Android users who had granted Gemini access to notifications.

According to SafeBreach, the number of potential entry points was unusually large because notifications can originate from countless applications and online services. This meant attackers would not necessarily need direct access to a device. Delivering a crafted notification could be sufficient to introduce malicious instructions into Gemini's processing workflow.

One of the simpler demonstrations involved altering the information Gemini presented to users. Researchers showed that manipulated notifications could cause the assistant to relay fabricated messages while making them appear to originate from legitimate contacts. In some scenarios, Gemini could process real notifications first and then attribute attacker-controlled content to an actual sender already present in the notification queue.

The researchers noted that this type of deception could be particularly effective when users interact with Gemini through voice. For example, someone driving a vehicle may hear a message that appears to come from a manager, colleague, or trusted contact and have little opportunity to verify the information displayed on the screen.

The research also examined Google's post-Calendar security protections. According to Yair, Gemini included mechanisms intended to prevent sensitive actions from being triggered without proper authorization. These checks evaluated both the user's response and the assistant's preceding output to determine whether a requested action was consistent with the conversation.

During testing, direct attempts to inject hidden commands were repeatedly blocked. To overcome these restrictions, Yair developed a technique called "Fake Context Alignment," which sought to make a user's approval appear valid to Gemini's authorization system while obscuring the true request from the user.

One variation involved displaying a sensitive authorization prompt in a language unfamiliar to the victim. Researchers used an example where a request such as "Do you want to open the window?" appeared in Chinese while a harmless English-language question followed. If the user responded with "Yes," Gemini could potentially associate that response with the hidden authorization request rather than the visible conversation.

A second technique relied on differences between information displayed on-screen and information spoken aloud by Gemini's text-to-speech system. Researchers found that certain hidden content embedded within hyperlinks might not be read aloud. In a demonstration, the visible interface contained a sensitive authorization request while the spoken response presented a routine message, increasing the likelihood that a user would unknowingly approve an action.

SafeBreach reported that combining these techniques increased the chances of bypassing the authorization safeguards that Google had introduced after the earlier Calendar-based attack research.

Once authorization was obtained, the researchers demonstrated several potential outcomes. Through integrations with Google Home, Gemini could interact with connected smart-home devices, including windows, lighting systems, and boilers. Additional demonstrations involved opening websites that could expose a user's approximate location through IP address information or trigger file downloads.

The research also explored interactions with third-party applications. In one proof-of-concept scenario, Gemini followed a trusted web address that later redirected to a Zoom link, resulting in the device joining an online meeting. SafeBreach emphasized that this occurred within a controlled testing environment and stated that its own public domain was not configured to redirect users to Zoom. Instead, the redirect was performed through a local test server used during the demonstration.

Researchers additionally identified a persistence mechanism involving Gemini's memory capabilities. Unlike the earlier Calendar-based research, the notification technique enabled the assistant to store attacker-controlled information as long-term memory. In one demonstration, Gemini was persuaded to remember an incorrect name for the user. Because memory is associated with a Google account rather than a single device, inaccurate information could potentially appear wherever that account later accessed Gemini.

The study also demonstrated the creation of recurring automated tasks. Researchers showed that instructions could potentially be scheduled to execute repeatedly, including examples involving regular access to recent messages at specific times.

SafeBreach disclosed the findings to Google's Vulnerability Reward Program on August 17, 2025. Google classified the report as a high-priority issue and later confirmed that changes to its content-classification systems mitigated both the notification-based prompt injection technique and the related authorization bypass method. The company confirmed the remediation on November 14, 2025.

No CVE identifier was assigned to the issue, and SafeBreach stated that it found no evidence indicating the technique had been exploited in real-world attacks before the fixes were implemented.

Because Google's mitigation was deployed through server-side updates, users did not need to install a software update to receive protection. However, individuals seeking additional safeguards can restrict Gemini's access to notifications by disabling the Utilities feature through Connected Apps settings or by revoking the Google app's notification-reading permissions on Android.

The findings provide another example of the security challenges that emerge as AI assistants gain access to messages, notifications, calendars, and connected services. As these systems become increasingly capable of performing actions on behalf of users, researchers continue to examine how external content can influence AI-driven decision-making and whether existing safeguards are sufficient to prevent misuse.

AI Cybersecurity Tools Raise Questions About the Future of Ethical Hacking Competitions

 

Surprisingly, artificial intelligence is changing cybersecurity faster than expected. Some elite ethical hackers now wonder whether human-driven hacking contests will stay relevant much longer. Momentum built around this idea when someone prominent at Pwn2Own this year pointed to advanced AI systems possibly surpassing numerous expert analysts. Performance gaps might widen as these tools grow stronger. 

Among those who took part in Berlin’s yearly Pwn2Own contest, Valentina Palmiotti stood out - not just by name but by result. Though many go by handles online, she competes under the tag “Chompie,” a nickname familiar across security circles. Success came her way more than others’, marking her top among solo entrants. Instead of waiting for flaws to be misused, the event encourages finding hidden bugs first. Rewards follow when researchers expose weaknesses in digital tools that were not yet public knowledge.

This year’s competition handed out close to $1.3 million for spotting 47 previously unknown weaknesses in various software and systems. Because researchers shared the details with makers first, fixes arrived ahead of potential exploitation. Midway through the event, Chompie exposed weaknesses across several platforms - some tied to Nvidia - securing significant rewards. Her method? Endless stretches of probing flaws, something she laughed about calling "zombie hacker mode," where nights blurred into days thanks to sheer persistence and concentration.

Though today's AI tools speed up code analysis and threat detection, Chompie sees a shift on the horizon. Her view: present systems boost efficiency, yet future versions may make several classic roles obsolete. What now requires teams might soon run on smarter algorithms alone. Nowhere has scrutiny been more intense than around Claude Mythos, a powerful AI said to detect vast quantities of software weaknesses. The creators state it has uncovered countless security issues spanning many applications. Because of risks tied to abuse, only certain government bodies and cyber defense groups are allowed to use it. Access remains tightly controlled amid ongoing debate. Some scientists see things differently. 

A top Pwn2Own champion, Orange Tsai of Taiwan, treats artificial intelligence as a helpful tool instead of a substitute for people's knowledge. Because it speeds up testing, new approaches get checked faster - this means more attacks can be studied quickly. Still, originality, gut instinct, and sideways leaps in logic stay within human reach only; these traits often spot flaws machines miss. Though tech advances, certain mental moves resist automation.

Though artificial intelligence is advancing, hackers now employ automation more often to speed up tasks like scanning networks, crafting phishing messages, or building malicious software. Yet a large number of breaches continue depending on older methods - manipulating people or stealing login details - instead of exploiting cutting-edge flaws. 

Even with worries over automation, some specialists think artificial intelligence might boost digital defense by spotting flaws more quickly than hackers can act. Because systems evolve fast, teams protecting networks may rely on smart tools to stay ahead - provided those resources are used carefully and shared wisely.

GTA 6 Pre-Order Hype Triggers Wave of Scams and Malware Attacks on Fans

 

The excitement around Grand Theft Auto 6 is creating a fresh opportunity for online scammers and hackers. As users search for pre-order news, fake offers are beginning to appear across websites, social platforms, and shady download pages, all designed to steal money or personal data. Mashable reports that the hype has already become a magnet for criminal activity, especially as rumors about pre-orders spread and players rush to secure a copy early. 

One of the biggest dangers is the rise of fake pre-order listings. Cybercriminals are posting bogus sales pages that promise early access, special bonuses, or limited-edition copies, even though official pre-orders have not been widely launched yet. Some of these scams try to look legitimate by copying retailer branding or using familiar game-related language, but they often ask for payment details, email addresses, or account logins before any real product exists. 

Security researchers have also found more aggressive threats tied to GTA 6 enthusiasm. According to NordVPN-related reporting, attackers are using fake beta-test invitations, malware-laced installers, cloned Android apps, and phishing pages that imitate Rockstar Social Club login screens. In some cases, these files are not games at all but tools for stealing credentials, tracking victims, or pushing adware and subscription traps. That means the risk is not just losing money; it can also involve infected devices and compromised accounts. 

Safety tips 

The clearest defense is to wait for official announcements from Rockstar and major retailers such as PlayStation, Xbox, Best Buy, Walmart, Amazon, or the Rockstar Store before paying for anything. Third-party sellers claiming to have pre-orders, beta keys, or early access are a major red flag, especially if they ask for payment before Rockstar has confirmed availability. If a page offers a price that seems random, a download that sounds too early, or a “verification” step that leads to more forms or apps, it is best to leave immediately. 

For users, the best rule is simple: excitement should not replace caution. Check the source, avoid unofficial links, and never install files or enter passwords from unverified GTA 6 pages. Until the real pre-order window opens, patience is safer than chasing a deal that could end in theft, malware, or both.
