Threat hunters have disclosed a new "widespread timing-based vulnerability class" that leverages a double-click sequence to facilitate clickjacking attacks and account takeovers in almost all major websites.
The technique has been codenamed DoubleClickjacking by security researcher Paulos Yibelo.
"Instead of relying on a single click, it takes advantage of a double-click sequence," Yibelo said.

New "DoubleClickjacking" Exploit Bypasses Clickjacking Protections on Major Websites

Your messages going back years are likely still lurking online, potentially exposing sensitive information you forgot existed. But there's no time like the present to do some digital decluttering.

If you're worried about possible expansions of government surveillance and access to your information, or simply want to do some digital purging so you're not saddled with old data, there are a bunch of concrete steps you can take to protect your digital privacy. Just as archeologists study carefully preserved tombs and ancient trash heaps to gain insight into historic communities, your long-forgotten digital footprint could be more revealing and sensitive than you realize. And while you can't control everything—particularly information stolen in breaches or gathered by data brokers—you probably have a digital attic full of old data that you can delete or download and save offline. First stop? Old message histories.

Chats are a good place to start your digital decluttering. Their real-time nature makes it easy to forget that if you don't have auto-delete turned on for a chat (or if a platform doesn't offer it), all of those “be there in 10 minutes,” “wait, what color is this dress???” and “welp, I have covid” messages are still knocking around years later. If you sent them on an end-to-end encrypted platform like Signal or WhatsApp, they only exist on your device and the devices of the other person or people you were chatting with. That means that for governments or bad actors to read them, they would need direct control of your device—a good level of protection, though not foolproof.

Crucially, though, messages that you sent on regular web apps like Slack, Facebook Messenger for most of its history, and Google Chat/Hangouts/Gchat are sitting on a cloud server somewhere. And while they're probably stored in an encrypted form to protect against theft, the platform itself has the keys to decrypt your data and would be able to comply with government requests for it, no matter how old the information is. Sure, all of those “u up?"s may not seem significant now, but years and years of chat histories can paint a very detailed picture of your life, associations, political beliefs, and past movements and activity.

“Doing a good digital cleaning from time to time is a great habit, especially with social media and old chat messages,” says Kenn White, security principal at the database developer MongoDB and director of the Open Crypto Audit Project. “Who you were five or 10 years ago is probably very different than who you are today, so it's worth asking yourself, ‘Do I really need those seven-year-old inside jokes and sarcastic posts? Do I need to keep old group chat messages and carry them forward to every new phone I get?’”

Some programs like Apple's Messages make it easy to auto-delete your chat histories after a set period of time. On iOS, go to **Settings** > **Apps** > **Messages** and then scroll and tap **Keep Messages**. Then choose whether to keep messages forever, for one year, or for 30 days before auto-deleting.

On the free version of Slack, data older than a year is automatically deleted. The company keeps data forever on paid plans, unless the administrator sets up rolling deletion. This is useful if you have an active Slack with your friends, but most people who use Slack at work don't make decisions about administrative policies and can't control deletion. Keep this in mind for any communication you do on an employer's platforms. You may be able to go through and delete messages or files one by one, but you likely won't have the access to make policy decisions about automatic or batch deletion.

Similarly, you may want to go through your chats on Android or iOS and delete old SMS conversations. Meta's Messenger now offers auto-delete options, but for your existing chats, you have to go down the list on desktop or in the Messenger mobile app and delete chats one by one. Meta's other chat platforms, Instagram Chat and WhatsApp, are similar, except that WhatsApp has been end-to-end encrypted since 2016 instead of adding the protection recently.

Consider whether you've spent time chatting on other social platforms as well. X, for example, has been through a lot of changes since Elon Musk bought Twitter more than two years ago and took the company private again. Musk promised that he would add end-to-end encryption to DMs on X, and eventually debuted an opt-in encryption feature with the paid tier of the platform, but the company doesn't definitively say that the tool offers full end-to-end encryption and it isn't open source for vetting. You can delete individual messages or go through your chat list and delete whole DM conversations if you want to pare down the data you're keeping on the platform.

If you've had Gmail for a long time, the messenger service “Google Talk,” once colloquially known as “Gchat,” may have a special place in your heart. And perhaps, over the years, you went through the saga in which Gchat—which was once known for interoperability with platforms like AIM—became the siloed Google chat platform Hangouts, and then transformed again into what is now called Google Chat. Your chats on this platform through the years are still hanging around, but they're not all in the same place.

The crucial thing to understand is that Gchat was fully integrated with Gmail and wasn't a separate platform, so your chat histories all saved in your mail archive. To find them now, open Gmail and **search for the phrase in:chats** (using no quotation marks). Hundreds or thousands of chats from May 2013 and earlier may pop up. They must be deleted directly from Gmail. After May 2013, Google migrated Gchat users to Hangouts, and that history has come forward into what is now Google Chat, so you can delete whole chats or individual messages there.

“Messages sent and received with history on in Google Talk from before May 2013 (the time when Google Hangouts launched) are stored in Gmail under the ‘in:chats’ label. Those messages are not available in Google Chat and can be deleted directly from Gmail only,” Google spokesperson Ross Richendrfer tells WIRED. “In terms of Hangouts data—which was merged with Chat—core Chat controls (including deletion) will work.”

There are lots of other chat apps to consider, too, where old messages may still be lurking. Think about Skype chat or GroupMe. And there's one other complicating factor when you declutter your messages: Most deletion features only delete data from your account, and the messages live on in the accounts of the person or people you were chatting with. To do a total digital detox you need to recruit your community to delete their message archives as well.

Additionally, you may feel sentimental about burning your letters (aka deleting all of your old chats). If you're sad about hitting that trash icon, consider downloading chat histories with your closest friends or other loved ones and storing them on an encrypted external hard drive before deleting them from the cloud. This way, you don't have to give up that slice of life completely, but the data isn't controlled by other entities anymore.

“Some apps, including Signal, give one the ability to set a ‘self-destruct’ time on messages, perhaps in hours or weeks. This is worth considering to reduce your exposure, particularly if you travel outside the country, are politically active, or in any way have a higher public profile,” MongoDB's White says. “It's easy to dismiss the potential of attacks on our personal data and physical safety as something that's only a concern for some James Bond–type scenarios, but the hard truth is that threats exist in many forms, both online and in person.”

Hey, Maybe It's Time to Delete Some Old Chat Histories

Researchers at FortiGuard Labs have identified a prolific attacker group known as "EC2 Grouper" who frequently exploits compromised credentials using AWS tools.

****SUMMARY****

*   **EC2 Grouper Identified:** Researchers found EC2 Grouper exploiting AWS credentials and tools using distinct patterns like “ec2group12345.”

*   **Credential Compromise:** They primarily obtain credentials from code repositories tied to valid accounts.

*   **API Reliance:** The group avoids manual activity, using APIs for reconnaissance and resource creation.

*   **Detection Challenges:** Indicators like naming conventions and user agents are unreliable for consistent detection.

*   **Security Recommendations:** Use CSPM tools, monitor for credential misuse, and detect unusual API activity to mitigate risks.

Cloud environments are **constantly under attack**, with sophisticated threat actors employing various techniques to gain unauthorized access. One such actor, dubbed _EC2 Grouper_, has become a notable adversary for security teams.

According to the latest research from Fortinet’s FortiGuard Labs Threat Research team, this group is characterized by its consistent use of **AWS tools** and a unique security group naming convention in its attacks. Researchers tracked this actor in several dozen customer environments due to similar user agents and security group naming conventions. 

The latest revelation comes amid increasing exploitation of AWS infrastructure by top hacker groups. In December 2024, **reports revealed** that ShinyHunters and the Nemesis Group collaborated to target misconfigured servers, particularly AWS S3 Buckets.

EC2 Grouper typically initiates attacks by leveraging AWS tools like PowerShell, often employing a distinctive user agent string. Furthermore, the group consistently creates security groups with naming patterns like “ec2group,” “ec2group1,” “ec2group12,” and so on. Also, they frequently use code repositories to acquire credentials in their cloud attacks, often originating from valid accounts. This method is believed to be the primary method of credential acquisition.

Further probing revealed that Grouper uses APIs for reconnaissance, security group creation, and resource provisioning, avoiding direct actions like inbound access configuration.

While these indicators can provide initial clues, they are often insufficient for reliable threat detection, researcher Chris Hall noted in the **blog post**, shared with hackread.com. That’s because relying solely on these indicators can be misleading. Attackers can easily modify their user agents and may deviate from their usual naming conventions. 

Researchers did not observe calls to AuthorizeSecurityGroupIngress, which is essential to configure inbound access to EC2 launched with the security group, but they observed CreateInternetGateway and CreateVpc for remote access.

Moreover, no actions have been based on objectives or manual activity in a compromised cloud environment. EC2 Grouper may be selective in their escalation or compromised accounts were detected and quarantined before they escalated.

Screenshot: FortiGuard Labs

Still, researchers note that by analysing signals like credential compromise and API usage, security teams can develop a reliable detection strategy and help organizations defend against sophisticated adversaries like EC2 Grouper. They suggest that a more effective approach would be monitoring for suspicious activity related to legitimate secret scanning services to identify potential credential compromises, which are the primary source of access for EC2 Grouper.

To stay safe, organizations must also utilize Cloud Security Posture Management (CSPM) tools to monitor and assess your cloud environment’s security posture continuously. Implementing anomaly detection techniques to identify unusual behaviour within the cloud environment, such as unexpected API calls, resource creation, or data exfiltration can also help. 

1.  **Hackers Use Fake PoCs on GitHub to Steal AWS Keys**
2.  **New APT Group “Unfading Sea Haze” Hits Military Targets**
3.  **TA866 Linked to WarmCookie Malware in Espionage Campaign**
4.  **Builder.ai Database Misconfiguration Exposes 1.29TB of Records**
5.  **Russian Cozy Bear Phish Critical Sectors with Microsoft, AWS Lures**

FortiGuard Labs Links New EC2 Grouper Hackers to AWS Credential Exploits

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Tuesday leveled sanctions against two entities in Iran and Russia for their attempts to interfere with the November 2024 presidential election.
The federal agency said the entities – a subordinate organization of Iran's Islamic Revolutionary Guard Corps and a Moscow-based affiliate of Russia's Main Intelligence

Iranian and Russian Entities Sanctioned for Election Interference Using AI and Cyber Tactics

The results of Dark Reading's 2024 Strategic Security Survey suggest that security teams continue to grapple with the challenges that come with increased cloud adoption, such as data visibility and loss of controls. Managing cloud risks will be a focus for security teams in 2025.

Source: John Williams RF via Alamy Stock Photo

Enterprise IT and security managers had a lot to worry about in 2024, such as the exploding number of vulnerabilities, increased volume of threats against their organizations, constant drumbeat of data breaches, and steady stream of user errors and behaviors to manage. Also a big concern was the growing risk exposure as a result of their organizations' increased reliance on cloud technologies.

Respondents to Dark Reading's Strategic Security Survey revealed growing concerns about risks tied to cloud services. In the face of rising adoption of cloud services for data storage, applications, and business operations, organizations appear to be particularly worried about their dependence on cloud providers' security measures and their reduced control over data in cloud environments. Thirty-five percent of organizations, compared with just 23% in the 2023 survey, reported using between 10 and 29 cloud applications internally. Most organizations said they work with multiple cloud providers, which contributes to the visibility challenges. Almost half (48%) rely on two or three providers, and 60% use between two to five cloud service providers.

The near ubiquity of the cloud means organizations are increasingly concerned about cloud security threats. Exploits targeting cloud service providers is the top worry for almost half of the respondents (49.6%), followed closely by cloud services breaches and intrusions (47.8%). The lack of data visibility in cloud environments and an inability to enforce security policies on cloud-stored data tie for third place (39.1%). In comparison, the 2023 survey revealed 45% of respondents worried about cloud exploits, 38% worried about cloud services breaches, and 24% worried about the inability to enforce security policies in the cloud.

The complexity of cloud security is further highlighted by organizations' staffing and control concerns. Overreliance on cloud service providers to detect data breaches was cited by 28.7% of respondents, while 19.1% expressed concern about unclear incident-response protocols with their cloud service providers. Notably, the percentage of organizations worried about their inability to enforce security policies on cloud-stored data increased from 24.4% in 2023 to 39.1% in 2024, suggesting a growing awareness of the challenges in maintaining security control in cloud environments. These findings indicate that while organizations continue to embrace cloud services, they struggle with visibility, control, and the division of security responsibilities between themselves and their cloud service providers.

Security teams have long grappled with the challenges posed by the shared responsibility model with cloud providers, where the provider and the organization have to work together to handle their part of the security tasks. The survey found that organizations are increasingly including the challenges of shared responsibility models, data sovereignty issues, and loss of control in their risk assessments. For instance, 39% are worried about risks tied to a lack of visibility in cloud environments, and an identical proportion believed their inability to enforce enterprise data security policies in the cloud has put them at risk. Nearly three in 10 (29%) are concerned about their overreliance on cloud vendors to detect security issues.

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Managing Cloud Risks Gave Security Teams a Big Headache in 2024

The fast growing region has its own unique cyber issues — and it needs its own talent to fight them.

Source: Panther Media via Alamy Stock Photo

COMMENTARY

The Middle East is undergoing a digital transformation that is as rapid as it is remarkable. Tech multinationals are investing big in the region as Dubai, Riyadh, and Abu Dhabi strive to establish themselves as global innovation hubs.   

But this increased digitization comes with an increased risk of cyberattacks — and businesses throughout the Middle East are at risk of being caught with their guard down.

The pace of digital growth in countries throughout the Middle East has far outstripped cybersecurity talent in the region, leaving organizations fatally exposed. While some businesses resort to outsourcing their cybersecurity measures to tech giants and their tools, this hands-off approach is risk-prone.

The Middle East now sits squarely in the firing line. With cyberattacks emboldened by AI, robust cybersecurity defenses are more crucial than ever. Businesses must move away from outsourcing and focus on building strong in-house defenses by investing in tool-based approaches and heavily leveraging in-house hiring, upskilling, and talent retention practices.

**Victims of Their Own Success?**

The commercial success of locations like Dubai, Abu Dhabi, and Saudi Arabia has transformed them into potential hotbeds for cybercrime. Distributed denial-of-service (DDoS) attacks on Middle Eastern countries have risen 75% in the past year, with the UAE and Saudi Arabia taking the brunt of the blow. 

Related:Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

The UAE alone falls victim to around 50,000 cyberattacks a day. And it comes at a cost: in 2023, cyberattacks cost businesses, organizations, and public bodies more than $8 million per incident.

The uptick in cyberattacks is only exacerbated by changing patterns in the cybercrime landscape. The rise of AI has lowered the barrier to entry for would-be hackers, allowing those with even the most novice skills to carry out a full-scale attack. Meanwhile, the proliferation of cybercrime as a service (CaaS), offering services like DDoS-for-hire, means threat actors now need little more than an intention to launch a cyberattack. In this new era of cybercrime, where there's a will, there's a way.

The current cybersecurity skills gap seen throughout the Middle East is leaving companies exposed and vulnerable to bad actors. Over half the companies in the EMEA region have attributed cybersecurity breaches to a lack of skills and training, while 70% of business leaders believe that skills shortages create a whole host of additional cybersecurity risks for companies to address.

**AI Muddles Outsourced Security Equation**

Related:DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Too many businesses attempt to remedy this lack of talent by outsourcing their cybersecurity to third parties. While this might have been effective when countries like the US were the main target for threat actors, that's no longer the case.   

The rise of AI-enhanced cyberattacks presents a new host of threats that businesses outsourcing cybersecurity won't necessarily be able to tackle. Not only has AI made it easier for threat actors to carry out cyberattacks, it's also made the attacks themselves more sophisticated and more malicious.

AI-enhanced malware is stealthier, making it harder to detect a breach of IT infrastructure. Automated phishing attacks enable bad actors to target a larger number of potential victims, while the phishing attacks themselves are highly tailored to their targets.

It is crucial that Middle Eastern businesses — particularly those in the UAE and Saudi Arabia — are on top of their cybersecurity measures. They cannot sit back and outsource cybersecurity with the assumption that the risk is also transferred. Instead, they must take an active approach to their cybersecurity measures by building up a strong in-house cybersecurity team that can identify, respond to, and deal with threats in an effective and timely manner. 

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

Bringing cybersecurity in-house mitigates the risks that can crop up when relying on outsourced defenses, such as slow response times. Instead, in-house cybersecurity teams will have their fingers on the pulse of the business's security framework, as well as a thorough understanding of business specifics, enabling them to react quickly to threats.

But to achieve this, businesses must invest heavily in new and pre-existing IT talent to close the Middle East's skills gap — and this should be done with a particular focus on hiring and retention practices.

**Retention Is Tough in Smaller Talent Pool**

Over half of organizations globally say they struggle to recruit candidates with cybersecurity experience. Difficulties in hiring cybersecurity talent are compounded by trouble retaining cybersecurity staff, throwing employers into a vicious cycle of hiring and re-hiring. In the Middle East, where the digital economy is still young, this is of particular concern — the talent pool is finite, and companies cannot afford to lose out on promising employees.   

To combat this, corporations in the Middle East should turn their attention to the fresh talent coming out of universities throughout the Middle East and around the world. By forming partnerships with universities and offering attractive graduate schemes, businesses can tap into dense talent pools brimming with promising cybersecurity talent.

Graduates are eager to learn and willing to mold to the company ethos, making them the ideal choice for corporations looking to build up a dedicated in-house cybersecurity team.

Investing in apprenticeship schemes is another option for companies. Although more hands-on, companies will be able to train candidates from the ground up, ensuring the candidate's skills and knowledge are strongly aligned with the business's cybersecurity needs.

**Learning & Development Must Be Fostered**

Retaining this talent is just as crucial as bringing them on board in the first place.  Alongside the usual retention tactics, such as competitive pay packets and desirable benefits, companies must invest heavily in continuous learning and development (L&D) opportunities throughout the employee's career.  

Poor training — or a lack of training altogether — is a surefire way to lose employees. Conversely, 94% of employees say they would stay longer with an employer that invested in L&D. In a fast-changing, continually developing industry like cybersecurity, L&D is especially vital.

Investing in training sessions and development courses for cybersecurity employees will ensure they're kept up to date with any changes in the threat and security landscape. And, in the process, employees will feel as if the company is giving them opportunities to develop their skills and abilities, rounding them out into highly experienced cybersecurity professionals.

Investing in staff as a cybersecurity tactic shouldn't begin and end with cybersecurity staff. Deploying a company-wide cybersecurity upskilling program is a vital first step — and a simple way of ruling out one of the greatest causes behind cybersecurity breaches: human error. Negligence, a lack of awareness, or simple mistakes can lead to vulnerabilities and breaches, even in the most robust systems. Upskilling is a vital step companies must take to mitigate this risk.

With the rising rate of cyberattacks in the Middle East, corporations cannot afford to sit back and wait until they become the next big victim of a data breach or DDoS attack.

Companies can't rely solely on third-party cybersecurity measures — they must build up comprehensive in-house defenses. Businesses need to act now and double their investments in cybersecurity talent, paying particular mind to up-and-coming graduate talent.

**About the Author**

Founder, PG Advisors Ltd.

Partha Gopalakrishnan is a leading business transformation expert with more than 25 years of experience directing global teams to drive digital growth. He also has his own firm, PG Advisors, which offers board advisory and non-executive director services for prominent analysts and PE Firms. 

Partha has served in executive leadership positions with some of the world’s largest technology firms and global systems Integrators, including 17 years with Infosys, followed by a tenure at Tech Mahindra. He has completed executive education programs at the Stanford University Graduate School of Business and The Wharton School of the University of Pennsylvania.

Cybersecurity Lags in Middle East Business Development

A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-wgqq-9qh8-wvqv: OpenShift Hive RCE through AWS/Kubernetes client configuration leads to privilege escalation

From "spying" air fryers to 3 million rogue toothbrushes, here are the strangest stories about internet-connected home goods in 2024.

The holidays are upon us, which means now is the perfect time for gratitude, warmth, and—because modern society has thrust it upon us—gift buying.

It’s Bluey and dig kits and LEGOs for kids, Fortnite and AirPods and backpacks for tweens, and, for an adult you particularly love, it’s televisions, air fryers, e-readers, vacuums, dog-feeders, and more, which all seemingly require a mobile app to function.

“The Internet of Things” is the now-accepted term to describe countless home products that connect to the internet so that they can be controlled and monitored from a mobile app or from a web browser on your computer. The benefits are obvious for shoppers. Thermostats can be turned off during vacation, home doorbells can be answered while at work, and gaming consoles can download videogames as children sleep on Christmas Eve.

And while some of these internet-connected smart devices can sound a little dumb—cue the $400 “smart juicer” that a Bloomberg reporter outperformed with her bare hands—there are legitimate cybersecurity risks at hand. Capable of collecting data and connecting to the internet, smart devices can also fall victim to leaking that data to hackers online.

As we enter the new year, Malwarebytes Labs is looking back at some of the strangest, scariest, and most dumbfounding smart device stories this past year. Read on and enjoy.

****The million-car track hack****

The latest vehicles filling up the local car lot might not strike you as “smart devices,” but upon closer inspection, these cars, SUVs, trucks, and minivans absolutely are. Replete with cameras and sensors that can track location, speed, distance travelled, seatbelt use, and even a driver’s eye movements, modern vehicles are, as many have described them, “smartphones on wheels.”

For years, the cybersecurity of these particularly mobile mobiles (sorry) was passable.

When a group of security researchers hacked into a Jeep Cherokee’s steering and braking systems in 2014, they were building off earlier research that required the hacker’s laptop to be physically connected to the Jeep itself—a comforting reality when imagining shadowy cybercriminals wresting control from a driver while sat behind a computer console hundreds of miles away. And while the security researchers were able to eventually hack the Jeep Cherokee without a physical connection, the work involved was still robust.

But early this year, a separate group of security researchers revealed that they could remotely lock, unlock, start, turn off, and geolocate more than a million Kia vehicles by knowing nothing more than the vehicle’s license plate number. The researchers could also activate a vehicle’s horn, lights, and camera.

The vulnerability wasn’t in the vehicles themselves, but in Kia’s online infrastructure (Kia fixed the vulnerability before the researchers published their findings).

In short, the researchers posed as Kia _dealers_ when using an online Kia web portal and, by entering the Vehicle Identification Number—which could be revealed separately through license plate numbers—they could assign certain features like remote start and geolocation to a new account, which the security researchers controlled.

While the vulnerability did not provide access to any of the vehicles’ steering systems or acceleration or braking, it still posed an enormous privacy and security risk, said researcher Sam Curry in speaking to the outlet Wired:

> “If someone cut you off in traffic, you could scan their license plate and then know where they were whenever you wanted and break into their car. If we hadn’t brought this to Kia’s attention, anybody who could query someone’s license plate could essentially stalk them.”

****Whispering sweet nothings into your air fryer****

There’s a modern urban legend that our smartphones listen to our in-person conversations to deliver eerily relevant ads, and while there’s no proof this is true, there are certainly a few stories that raise nearby suspicions.

Take, for instance, the case of the nosy air fryers.

On November 5, a UK consumer rights group named “Which?” published research into several categories of smart devices—TVs, smart watches, etc.—and what they discovered about three models of air fryers surprised many.

In testing the Xiaomi Mi Smart Air Fryer, the Cosori CAF-LI401S, and the self-titled Aigostar, the researchers discovered that the associated air fryer mobile apps for Android requested a startling amount of information:

> “\[As\] well as knowing customers’ precise location, all three products wanted permission to record audio on the user’s phone, for no specified reason.”

The connected app for the Xiaomi air fryer “connected to trackers from Facebook, Pangle (the ad network of TikTok for Business), and Chinese tech giant Tencent (depending on the location of the user).” When creating an account for the Aigostar air fryer, the connected app asked users to divulge their gender and date of birth, without stating why that was necessary. The request, however, could be declined. The Aigostar app, like the Xiaomi app, sent personal data to servers in China, but this data sharing practice was clarified in the companies’ privacy policies, the researchers wrote.

The companies in the report pushed back on the characterizations from Which?, with a Xiaomi representative clarifying that “the permission to record audio on Xiaomi Home app is not applicable to Xiaomi Smart Air Fryer which does not operate directly through voice commands and video chat.” A representative for Cosori expressed frustration that the researchers at Which? did not share “specific test reports” with the company, as well.

The truth, then, may be somewhere in the middle. The air fryer mobile apps in question may request more information than necessary to function, but that could also be because the apps are trying to service the needs of many different types of products all at once.

****A toothbrush tall tale****

Let’s play a game of telephone: A Swiss newspaper interviews a cybersecurity expert about a _hypothetical_ cyberattack and, days later, dozens of news outlets report that hypothetical as the truth.

This story did happen, and it would be far more disturbing if it wasn’t also tinged with a hint of humor, and that’s because the tall-tale-turned-“truth” involved a massive cyberattack launched by… toothbrushes.

In February, a Swiss newspaper article included an anecdote about a “Distributed Denial-of-Service” attack, or DDoS attack. DDoS attacks involve sending loads of connection requests (like regular internet traffic) to a certain webpage as a way to briefly overwhelm that web page and take it down. But the interesting thing about DDoS attacks is that they don’t require a laptop or a smartphone to make those requests—all they need is a device that can connect to the internet.

In the Swiss newspaper’s account, those devices were 3 million toothbrushes. Translated from the article’s original language in German, it read:

> “She’s at home in the bathroom, but she’s part of a large-scale cyberattack. The electric toothbrush is programmed with Java, and criminals have, unnoticed, installed malware on it—like on 3 million other toothbrushes. One command is enough and the remote-controlled toothbrushes simultaneously access the website of a Swiss company. The site collapses and is paralyzed for four hours. Millions of dollars in damage is caused.”

The article, which noted that the whole scenario could’ve been ripped out of “Hollywood,” contextualized why the attack was so scary: It “actually happened.”

But it most assuredly had not.

The article had no details about the attack, so there was no company named, no toothbrush model specified, and no response from any organization. But none of that mattered as countless news outlets aggregated the original article, because what _did_ matter was the virality of the whole affair. There was a device that seemingly everyone agreed had no reason to connect to the internet, and—would you look at that—it led to major consequences.

In reality, the consequences were to the truth.

This holiday season, let’s do better than the silliest, most needless IoT devices, and let’s connect to what matters instead.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Connected contraptions cause conniption for 2024 

AI tools will enable significant productivity and efficiency benefits for organizations in the coming year, but they also will exacerbate privacy, governance, and security risks.

Source: Anggalih Prasetya via Shutterstock

Most industry analysts expect organizations will accelerate efforts to harness generative artificial intelligence (GenAI) and large language models (LLMs) in a variety of use cases over the next year.

Typical examples include customer support, fraud detection, content creation, data analytics, knowledge management, and, increasingly, software development. A recent survey of 1,700 IT professionals conducted by Centient on behalf of OutSystems had 81% of respondents describing their organizations as currently using GenAI to assist with coding and software development. Nearly three-quarters (74%) plan on building 10 or more apps over the next 12 months using AI-powered development approaches.

While such use cases promise to deliver significant efficiency and productivity gains for organizations, they also introduce new privacy, governance, and security risks. Here are six AI-related security issues that industry experts say IT and security leaders should pay attention to in the next 12 months.

**AI Coding Assistants Will Go Mainstream — and So Will Risks**

Use of AI-based coding assistants, such as GitHub Copilot, Amazon CodeWhisperer, and OpenAI Codex, will go from experimental and early adopter status to mainstream, especially among startup organizations. The touted upsides of such tools include improved developer productivity, automation of repetitive tasks, error reduction, and faster development times. However, as with all new technologies, there are some downsides as well. From a security standpoint these include auto-coding responses like vulnerable code, data exposure, and propagation of insecure coding practices.

"While AI-based code assistants undoubtedly offer strong benefits when it comes to auto-complete, code generation, re-use, and making coding more accessible to a non-engineering audience, it is not without risks," says Derek Holt, CEO of Digital.ai. The biggest is the fact that the AI models are only as good as the code they are trained on. Early users saw coding errors, security anti-patterns, and code sprawl while using AI coding assistants for development, Holt says. "Enterprises users will continue to be required to scan for known vulnerabilities with \[Dynamic Application Security Testing, or DAST; and Static Application Security Testing, or SAST\] and harden code against reverse-engineering attempts to ensure negative impacts are limited and productivity gains are driving expect benefits."

**AI to Accelerate Adoption of xOps Practices**

As more organizations work to embed AI capabilities into their software, expect to see DevSecOps, DataOps, and ModelOps — or the practice of managing and monitoring AI models in production — converge into a broader, all-encompassing xOps management approach, Holt says. The push to AI-enabled software is increasingly blurring the lines between traditional declarative apps that follow predefined rules to achieve specific outcomes, and LLMs and GenAI apps that dynamically generate responses based on patterns learned from training data sets, Holt says. The trend will put new pressures on operations, support, and QA teams, and drive adoption of xOps, he notes.

"xOps is an emerging term that outlines the DevOps requirements when creating applications that leverage in-house or open source models trained on enterprise proprietary data," he says. "This new approach recognizes that when delivering mobile or web applications that leverage AI models, there is a requirement to integrate and synchronize traditional DevSecOps processes with that of DataOps, MLOps, and ModelOps into an integrated end-to-end life cycle." Holt perceives this emerging set of best practices will become hyper-critical for companies to ensure quality, secure, and supportable AI-enhanced applications.

**Shadow AI: A Bigger Security Headache**

The easy availability of a wide and rapidly growing range of GenAI tools has fueled unauthorized use of the technologies at many organizations and spawned a new set of challenges for already overburdened security teams. One example is the rapidly proliferating — and often unmanaged — use of AI chatbots among workers for a variety of purposes. The trend has heightened concerns about the inadvertent exposure of sensitive data at many organizations.

Security teams can expect to see a spike in the unsanctioned use of such tools in the coming year, predicts Nicole Carignan, vice president of strategic cyber AI at Darktrace. "We will see an explosion of tools that use AI and generative AI within enterprises and on devices used by employees," leading to a rise in shadow AI, Carignan says. "If unchecked, this raises serious questions and concerns about data loss prevention as well as compliance concerns as new regulations like the EU AI Act start to take effect," she says. Carignan expects that chief information officers (CIOs) and chief information security officers (CISOs) will come under increasing pressure to implement capabilities for detecting, tracking, and rooting out unsanctioned use of AI tools in their environment.

**AI Will Augment, Not Replace, Human Skills**

AI excels at processing massive volumes of threat data and identifying patterns in that data. But for some time at least, it remains at best an augmentation tool that is adept at handling repetitive tasks and enabling automation of basic threat detection functions. The most successful security programs over the next year will continue to be ones that combine AI's processing power with human creativity, according to Stephen Kowski, field CTO at SlashNext Email Security+.

Many organizations will continue to require human expertise to identify and respond to real-world attacks that evolve beyond the historical patterns that AI systems use. Effective threat hunting will continue to depend on human intuition and skills to spot subtle anomalies and connect seemingly unrelated indicators, he says. "The key is achieving the right balance where AI handles high-volume routine detection while skilled analysts investigate novel attack patterns and determine strategic responses."

AI's ability to rapidly analyze large datasets will heighten the need for cybersecurity workers to sharpen their data analytics skills, adds Julian Davies, vice president of advanced services at Bugcrowd. "The ability to interpret AI-generated insights will be essential for detecting anomalies, predicting threats, and enhancing overall security measures." Prompt engineering skills are going to be increasingly useful as well for organizations seeking to derive maximum value from their AI investments, he adds.

**Attackers Will Leverage AI to Exploit Open Source Vulns**

Venky Raju, field CTO at ColorTokens, expects threat actors will leverage AI tools to exploit vulnerabilities and automatically generate exploit code in open source software. "Even closed source software is not immune, as AI-based fuzzing tools can identify vulnerabilities without access to the original source code. Such zero-day attacks are a significant concern for the cybersecurity community," Raju says.

In a report earlier this year, CrowdStrike pointed to AI-enabled ransomware as an example of how attackers are harnessing AI to hone their malicious capabilities. Attackers could also use AI to research targets, identify system vulnerabilities, encrypt data, and easily adapt and modify ransomware to evade endpoint detection and remediation mechanisms.

**Verification, Human Oversight Will Be Critical**

Organizations will continue to find it hard to fully and implicitly trust AI to do the right thing. A recent survey by Qlik of 4,200 C-suite executives and AI decision-makers showed most respondents overwhelmingly favored the use of AI for a variety of uses. At the same time, 37% described their senior managers as lacking trust in AI, with 42% of mid-level managers expressing the same sentiment. Some 21% reported their customers as distrusting AI as well.

"Trust in AI will remain a complex balance of benefits versus risks, as current research shows that eliminating bias and hallucinations may be counterproductive and impossible," SlashNext's Kowski says. "While industry agreements provide some ethical frameworks, the subjective nature of ethics means different organizations and cultures will continue to interpret and implement AI guidelines differently." The practical approach is to implement robust verification systems and maintain human oversight rather than seeking perfect trustworthiness, he says.

Davies from Bugcrowd says there's already a growing need for professionals who can handle the ethical implications of AI. Their role is to ensure privacy, prevent bias, and maintain transparency in AI-driven decisions. "The ability to test for AI’s unique security and safety use cases is becoming critical," he says.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

6 AI-Related Security Trends to Watch in 2025

An overview of what the year 2024 had to offer in the realm of data breaches: Big ones, sensitive data and some duds

It may sound weird when I say that I would like to remember 2024 as the year of the biggest breaches. That’s mainly because that would mean we’ll never see another year like it.

To support this nomination, I will remind you of several high-profile breaches, some of a size almost beyond imagination, some that really left us worried because of the type of data that was stolen, and a few duds.

**Huge increase in numbers**

As we reported in July, the number of data breach victims went up 1,170% in Q2 2024, compared to Q2 2023 (from 81,958,874 victims to 1,041,312,601).

The huge increase is no big surprise if you look at the size of some of these breaches. Remember these headlines?

5\. Dell notifies customers about data breach (49 million customers)

4\. “Nearly all” AT&T customers had phone records stolen in new data breach disclosure (73 million people).

3\. 100 million US citizens officially impacted by Change Healthcare data breach.

2\. Ticketmaster confirms customer data breach (560 million customers).

1\. Stolen data from scraping service National Public Data leaked online (somewhere between 2.9 billion people (unconfirmed) and 272 million unique social security numbers).

The reason why I counted down to the biggest one, is because the first 4 are household names and people will know whether they might be affected since they are customers of the company. But National Public Data is a company that most people had never heard of before they read about the data breach.

The data gathered by National Public Data was “scraped,” meaning it was pulled from various sources and then combined in a large database. This also made it hard to get an exact number of affected people. The initially reported 2.9 billion people seemed a stretch, so we looked into that, and the estimates from our researchers say that it contains 272 million unique social security numbers. That could mean that the majority of US citizens were affected, although numerous people confirmed that it also included information about deceased relatives.

**Sensitive data**

Some of the huge breaches we listed contained Social Security Numbers (SSNs) which are a challenging process to be changed, but other breaches revealed all kinds of sensitive information.

Financial information was leaked by MoneyGram. Slim CD, Evolve Bank, Truist Bank, Prudential, and American Express.

Medical information was leaked by the earlier mentioned Change Healthcare breach, but we saw several smaller incidents at providers in the healthcare industry like Australia’s leading medical imaging provider I-MED Radiology, US and UK based healthcare provider DocGo that offers mobile health services, ambulance services, and remote monitoring for patients, nonprofit, outpatient provider of treatment for Opioid Use Disorder (OUD) CODAC Behavioral Healthcare, and DNA testing companies.

Ransomware incidents are also a big source of data breaches. When victims refuse to pay, the ransomware groups publish stolen data, as we saw with pharmacy chain Rite Aid.

Other sensitive data might have surfaced in hacktivist breaches at the Heritage Foundation, The Real World, and the Internet Archive. And sometimes it may be hard to not feel a bit of schadenfreude, as in the breach of the userbase of mobile monitoring app mSpy.

**Anticlimaxes**

In a few cases, there was a lot to do about something that turned out not to be so bad after all.

In February, a cybercriminal offered a business contact information database containing 132.8 million records for sale. It turned out to be a two-year-old third-party database which showed around 122 million unique business email addresses. That would have made it into our top 5, but the information in the database ages rather quickly. As soon as you move to a new job, that email address gets decommissioned and becomes worthless to phishers and other cybercriminals.

In July, a user leaked a file containing 9,948,575,739 unique plaintext passwords. The list was referred to as RockYou2024 because of its filename, rockyou.txt. However, without the associated user names or email, the list would have been of limited use to cybercriminals. If you don’t reuse passwords and never use “simple” passwords, like single words, then this release should not concern you.

If you were in any way affected by a data breach, we encourage you to have a look at our guide: Involved in a data breach? Here’s what you need to know.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Latest News