551
21

If you're creating an application that displays URLs to users (a chat app, for example), please make sure to apply spoof checks to avoid the use of UTF-8 confusables in IDN homograph attacks. You may want to block URLs with hostnames that get flagged, or display them in #punycode instead.

As an example, see https://github.com/chromium/chromium/tree/main/components/url_formatter/spoof_checks

In particular, https://github.com/chromium/chromium/blob/8e070073d47861b8bfc7548dce8fcfc708a356fb/components/url_formatter/spoof_checks/idn_spoof_checker.cc#L177 is quite an interesting read.

#cybersecurity #infosec

552
4

"Encrypted chat apps like Signal and WhatsApp are one of the best ways to keep your digital conversations as private as possible. But if you’re not careful with how those conversations are backed up, you can accidentally undermine your privacy.

When a conversation is properly encrypted end-to-end, it means that the contents of those messages are only viewable by the sender and the recipient. The organization that runs the messaging platform—such as Meta or Signal—does not have access to the contents of the messages. But it does have access to some metadata, like the who, where, and when of a message. Companies have different retention policies around whether they hold onto that information after the message is sent.

What happens after the messages are sent and received is entirely up to the sender and receiver. If you’re having a conversation with someone, you may choose to screenshot that conversation and save that screenshot to your computer’s desktop or phone’s camera roll. You might choose to back up your chat history, either to your personal computer or maybe even to cloud storage (services like Google Drive or iCloud, or to servers run by the application developer)."

https://www.eff.org/deeplinks/2025/05/back-it-back-it-let-us-begin-explain-encrypted-chat-backups

#CyberSecurity #Privacy #Encryption #Messaging #Signal #WhatsApp

553
4

There are security protections, and then there are strong security protections. How to turn on Lockdown Mode for your iPhone and Mac, from @TheVerege@flipboard.com:

https://flip.it/xzuEi5

#Tech #iPhone #Mac #CyberSecurity #Privacy

554
3

How #Signal, #WhatsApp, #Apple, and #Google Handle Encrypted Chat Backups

https://www.eff.org/deeplinks/2025/05/back-it-back-it-let-us-begin-explain-encrypted-chat-backups

#cybersecurity #privacy

555
9

Police dismantles #botnet selling hacked routers as residential proxies

https://www.bleepingcomputer.com/news/security/police-dismantles-botnet-selling-hacked-routers-as-residential-proxies/

#cybersecurity #cybercrime #proxy

556
9

#Florida bill requiring #encryption backdoors for #SocialMedia accounts has failed

https://techcrunch.com/2025/05/09/florida-bill-requiring-encryption-backdoors-for-social-media-accounts-has-failed/

#cybersecurity #politics

557
5

#InvisibleThingsLab is hiring a #Linux graphics stack developer to work on #Qubes OS

https://www.qubes-os.org/news/2025/05/08/invisible-things-lab-hiring-linux-graphics-stack-developer/

#FOSS #cybersecurity #FediHire #GetFediHired

558
34

"Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware, a strong indication that devices belonging to him have been hacked in recent years.

Kyle Schutt is a 30-something-year-old software engineer who, according to Dropsite News, gained access in February to a “core financial management system” belonging to the Federal Emergency Management Agency. As an employee of DOGE, Schutt accessed FEMA’s proprietary software for managing both disaster and non-disaster funding grants. Under his role at CISA, he likely is privy to sensitive information regarding the security of civilian federal government networks and critical infrastructure throughout the US."

https://arstechnica.com/security/2025/05/doge-software-engineers-computer-infected-by-info-stealing-malware/

#CyberSecurity #DOGE #USA #Musk #CISA #FEMA #Malware

559
5

#Microsoft employees are banned from using #DeepSeek app, president says

https://techcrunch.com/2025/05/08/microsoft-employees-are-banned-from-using-deepseek-app-president-says/

#AI #cybersecurity

560
2

#FBI: End-of-life routers hacked for #cybercrime proxy networks

https://www.bleepingcomputer.com/news/security/fbi-end-of-life-routers-hacked-for-cybercrime-proxy-networks/

#cybersecurity #router

561
1

#Delta Air Lines class action cleared for takeoff over #CrowdStrike chaos

https://www.theregister.com/2025/05/07/delta_crowdstrike_class_action/

#cybersecurity

562
1

#Cisco fixes max severity #IOSXE flaw letting attackers hijack devices

https://www.bleepingcomputer.com/news/security/cisco-fixes-max-severity-ios-xe-flaw-letting-attackers-hijack-devices/

#cybersecurity #iOS

563
3

#Education giant #Pearson hit by cyberattack exposing customer data

https://www.bleepingcomputer.com/news/security/education-giant-pearson-hit-by-cyberattack-exposing-customer-data/

#cybersecurity #privacy #DataBreach

564
1

Supply chain attack hits #npm package with 45,000 weekly downloads

https://www.bleepingcomputer.com/news/security/supply-chain-attack-hits-npm-package-with-45-000-weekly-downloads/

#cybersecurity #RandUserAgent

565
1

#Google links new #LostKeys data theft #malware to Russian cyberspies

https://www.bleepingcomputer.com/news/security/google-links-new-lostkeys-data-theft-malware-to-russian-cyberspies/

#Russia #cybersecurity

566
1

#Kickidler employee monitoring software abused in #ransomware attacks

https://www.bleepingcomputer.com/news/security/kickidler-employee-monitoring-software-abused-in-ransomware-attacks/

#bossware #cybersecurity #privacy

567
1

#SonicWall urges admins to patch #VPN flaw exploited in attacks

https://www.bleepingcomputer.com/news/security/sonicwall-urges-admins-to-patch-vpn-flaw-exploited-in-attacks/

#cybersecurity

568
2

#LockBit #ransomware gang hacked, victim negotiations exposed

https://www.bleepingcomputer.com/news/security/lockbit-ransomware-gang-hacked-victim-negotiations-exposed/

#cybersecurity #cybercrime

569
3

#WhatsApp provides no cryptographic management for group messages

https://arstechnica.com/security/2025/05/whatsapp-provides-no-cryptographic-management-for-group-messages/

#Meta #cybersecurity

570
4

Customs and Border Protection Confirms Its Use of Hacked #Signal Clone #TeleMessage

https://www.wired.com/story/cbp-confirms-telemessage-use/

#cybersecurity #politics #CBP

571
1

#CoGUI #phishing platform sent 580 million emails to steal credentials

https://www.bleepingcomputer.com/news/security/cogui-phishing-platform-sent-580-million-emails-to-steal-credentials/

#cybersecurity

572
1

Hackers exploit #OttoKit #WordPress plugin flaw to add admin accounts

https://www.bleepingcomputer.com/news/security/hackers-exploit-ottokit-wordpress-plugin-flaw-to-add-admin-accounts/

#cybersecurity

573
1

#OpenSource project #curl is sick of users submitting “#AI slop” vulnerabilities

https://arstechnica.com/gadgets/2025/05/open-source-project-curl-is-sick-of-users-submitting-ai-slop-vulnerabilities/

#FOSS #cybersecurity

574
6

#CrowdStrike says it will lay off 500 workers

https://techcrunch.com/2025/05/07/crowdstrike-says-it-will-lay-off-500-workers/

#cybersecurity

575
3

Medical device maker #Masimo warns of #cyberattack, manufacturing delays

https://www.bleepingcomputer.com/news/security/medical-device-maker-masimo-warns-of-cyberattack-manufacturing-delays/

#healthcare #cybersecurity


Cybersecurity


An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!
