You probably associate information security with desktops and laptops, business computers, and servers in datacenters. Too often, we assume that our mobile devices are inherently more secure, probably because of how we interact with them. But this week’s security news includes warnings for iPhone and Android users. Just a reminder that no one is safe.
First, if you haven’t updated iOS, it’s time to do so. Earlier this week, we reported that iPhones running iOS 18.4 through 18.7 are vulnerable to the “DarkSword” attack, which can collect and exfiltrate personal data and then clean up after itself within minutes. Security researchers have been warning about it since last November; so far it has been used mostly as targeted malware by Russian state actors against Ukrainian iPhone owners, but now that it’s in the wild, it’s only a matter of time before it’s aimed at others.
Android users, you don’t get a break. If you’re a VPN user (and you should be), your VPN may be broken on your phone, and notable providers like Proton, Mullvad, and TunnelBear have been trying to get Google to fix it for months. In short, updates delivered through the Google Play Store stop the VPN from running in the background the way it should, so the connection drops, and users assume the VPN itself is faulty and blame the provider. Google has acknowledged the issue but hasn’t shipped a fix, likely because it doesn’t affect all VPN users. In the meantime, Proton recommends manually reinstalling your VPN app if you run into the problem, so keep that in mind. While you’re at it, check out our VPN power user tips to boost your protection.
In other security news, hackers hit identity protection company Aura this week, making off with more than 900,000 customer records. It’s bad news whenever a security firm is breached, but in this case the story is depressingly familiar: a single business account was compromised through a phishing attack, and although company admins cut off the attacker’s access after about an hour, that was long enough to steal a lot of data, mostly names, phone numbers, email addresses, and customer service records. That data has already surfaced on the dark web, posted under a name you might recognize: ShinyHunters, the same data-extortion crew that’s breached Grubhub, Google, and Pornhub, among others.
That’s a lot of hacks and vulnerabilities, and before we take a look at what else is going on around the web, here’s a reminder that the PCMag security team will be at the RSAC security conference next week, so expect even more news from the event. Here’s what we’re looking forward to seeing when we get there.
Until then, let’s take a look at everything else that happened this week.
Gartner Warns: Copilot May Cause Cognitive Debt on Fridays
If you haven’t heard the phrase “cognitive debt,” you will soon, as more companies push AI on their employees and more research shows that people use AI to automate tasks that then produce errors humans have to fix, which can wipe out the promised productivity gains. Well, over at Gartner, a research and consulting firm, one analyst has floated a ban on using Microsoft’s Copilot on Fridays, because people are tired, it’s the end of the week, and they lean on the tool so heavily without checking its output that it’s causing problems.
According to The Register, the suggestion, which started as a joke from Gartner analyst Dennis Xu, was actually based on the fact that Copilot has a tendency to produce results that, even when factually correct, may be unacceptable for the workplace, or for sharing with customers. Combine that with Friday afternoons and everyone just wanting to be done with work and to go home, and well, you see where this is going. To be fair to Xu, it was just one suggestion in a talk about mitigating Copilot risks in the workplace. Among the others were limiting Copilot’s access to sensitive data to prevent exfiltration and reducing the risk of prompt injections, all tips that every organization saddled with an AI tool could use.
Free Parking in Russia After DDoS Attack Disables City System
It’s rare that I get fun news to share in these weekly security roundups, but this is too good not to include. Over on the BitDefender blog, this story from Russia caught my eye: In the city of Perm, a community east of Moscow and just west of the Ural mountains, citizens were able to treat themselves to three days of free city parking after a DDoS attack took out the city’s parking payment system. The municipal government issued an official statement on Telegram about the outage, stating that they wouldn’t be ticketing or fining people for parking in normally paid spots due to the issue.
This isn’t the first time DDoS attacks have taken out services that people use every day, but it is perhaps one of the most amusing examples. And hey, no one can complain about free parking. Although the party’s long over, the same announcement said that Perm officials were already on the case when the outage occurred last week, and that they’d planned to have parking services live by Monday the 16th, so by the time you’re reading this, the fine people of Perm are paying for parking yet again.
Tech Giants Unite Against Online Scams
It’s no secret that online scams are everywhere, and generative AI is making them easier to create and harder to spot. That’s probably why major tech companies, including Google, Microsoft, Meta, OpenAI, Match Group, and a number of retailers as well, have all signed on to an “industry accord against online scams and fraud,” published by Google. According to SecurityWeek, the accord lays out ways each company that’s signed on has promised to combat online scams, both through prevention and identity verification, as well as through internal security best practices and improved security for payment services used by scammers. The document also goes into detail about the signatories’ plans to work more closely with law enforcement to share information about scammers and to prosecute them (notably, no law enforcement agencies were involved).
While it’s definitely a good sign that these major tech companies are taking scams and cybersecurity seriously, the accord isn’t binding or anything. As it stands, it’s mostly a set of promises and best practices for taking online scams seriously and improving the online shopping and data-sharing experience for everyone, especially the companies that trade in that data. The signatories have committed in the document to work harder to educate users and offer clear reporting channels for people to report scams they encounter, which is definitely a start.
About Our Expert
Alan Henry
Managing Editor, Security
Experience
I’ve been writing and editing stories for almost two decades that help people use technology and productivity techniques to work better, live better, and protect their privacy and personal data. As managing editor of PCMag’s security team, it’s my responsibility to ensure that our product advice is evidence-based, lab-tested, and serves our readers.
I’ve been a technology journalist for close to 20 years, and I got my start freelancing here at PCMag before beginning a career that would lead me to become editor-in-chief of Lifehacker, a senior editor at The New York Times, and director of special projects at WIRED. I’m back at PCMag to lead our security team and renew my commitment to service journalism. I’m the author of Seen, Heard, and Paid: The New Work Rules for the Marginalized, a career and productivity book to help people of marginalized groups succeed in the workplace.
