While the world watched Apple announce several new iPhones, smartwatches, and more, the cybersecurity world kept turning with new breaches, new tools to fight the breaches, and new attacks on internet privacy.
At the beginning of the week, a security firm discovered that hackers had poisoned 18 npm packages with malware. Most consumers probably have little familiarity with npm packages, which are tools developers use to streamline software development, but developers rely on them, and the npm packages in question are usually downloaded over 2 billion times each week. Luckily, it looks like the impact has been minimal, aside from the person maintaining the packages having to come forward to admit that he got caught in a phishing attack, which led to the infection. That’s a good reminder for all of us to brush up on our phishing detection skills. The scammers are getting much better now, especially with generative AI helping do their jobs for them.
Meanwhile, Russian authorities are cracking down on encrypted communication tools and social media, this time blocking YouTube, Telegram, and WhatsApp. The official reason is to curb Ukrainian drone strikes, and the move is just a continuation of the country’s policy of cutting off foreign-owned platforms like Signal, Discord, and tons of VPNs. Of course, Russian-owned platforms are exempt from the ban, and the (possibly intended) side effect is that people who want to communicate with others are pushed toward those state-owned and monitored platforms instead.
Back on the home front, a jury has ordered Google to pay $425 million in a class action lawsuit. The lawsuit claims that Google violated users’ privacy rights by collecting data from apps like Venmo, Instagram, and Uber, even though those same users specifically disabled data tracking in their Google account settings. Regardless, it’s unclear whether anyone will ever see the money since the company has already announced plans to appeal.
That’s not everything that caught our eye this week, though. Here are some smart stories from around the web that got us worried (or inspired) about the state of internet security.
Apple’s Big Bet to Eliminate the iPhone’s Most Targeted Vulnerabilities
One of Apple’s biggest announcements this week wasn’t flashy, won’t change how you use your devices, and wasn’t represented on stage at all. Memory Integrity Enforcement, according to Apple’s blog post, is the result of years of engineering designed to eliminate one of the most significant attack vectors in modern operating systems: system memory. If you’ve ever heard the term “written to memory” or “buffer overflow” in the context of a hack, you know what we’re talking about.
While Apple’s post focuses on the technical details, this excellent piece from Wired elaborates a bit on what this might mean for users. In short, it means that all iPhone 17 models and the iPhone Air will have memory protection at the hardware level, and that developer tools are coming to leverage the memory protection available in Apple’s newly unveiled A19 chips. Bottom line: If other operating system developers and CPU manufacturers follow suit, we could be looking at a drastic leap in OS-level security, one you may not immediately see on your device, but one that will almost certainly cut back on the number of hacks you see in the headlines.
Meanwhile, at the Department of Defense, here’s a reminder that the weakest link in cybersecurity often isn’t complicated or technical, but human. The Intercept reports that the agency has been posting its stream keys to a website called the Defense Visual Information Distribution Service (DVIDS), which doesn’t require an account to view and is completely public. Stream keys are the unique identifiers that platforms like Twitch, Twitter, and others generate to allow streaming software to connect without using individual user credentials each time. Suffice it to say, posting them publicly is very much like posting a password where anyone can get to it.
Of course, once presented with the investigation, the DoD says that they’ve stopped doing this, which is a good thing. Additionally, there’s no evidence that anyone used the stream keys improperly, but honestly, if someone had, we may never know.
Qantas Cuts Executive Bonuses by 15% After a July Data Breach
We don’t often see significant accountability from companies that suffer data breaches, at least not in a way that actually has a visible public impact. Security Affairs reports that Qantas, the major Australian airline, cut executive bonuses by 15% despite making close to $1.5 billion in profits last year. Normally, when a company suffers a breach, the impact doesn’t reach the C-suite (unless a Chief Security Officer is dismissed, if the company has one), and the company tries to push the issue under the rug as quickly as possible.
In this case, Qantas’ move is designed to show global travelers that the company’s board (and, by proxy, its shareholders) takes data security seriously enough to penalize its executives for the company’s July data breach. In that attack, hackers stole data on close to 6 million airline customers, including names and email addresses, and in some cases physical addresses, phone numbers, and birth dates.
About Our Expert

Alan Henry
Managing Editor, Security
Experience
I’ve been writing and editing stories for almost two decades that help people use technology and productivity techniques to work better, live better, and protect their privacy and personal data. As managing editor of PCMag’s security team, it’s my responsibility to ensure that our product advice is evidence-based, lab-tested, and serves our readers. Before PCMag, I was at WIRED, The New York Times, and Lifehacker. When I’m not editing, I play way too many video games and post far too much on social media.