License Plate Readers Are Leaking Real-Time Video Feeds and Vehicle Data
In just 20 minutes this morning, an automated license-plate-recognition (ALPR) system in Nashville, Tennessee, captured photographs and detailed information from nearly 1,000 vehicles as they passed by. Among them: eight black Jeep Wranglers, six Honda Accords, an ambulance, and a yellow Ford Fiesta with a vanity plate. This trove of real-time vehicle data, collected by one of Motorola’s ALPR systems, is meant to be accessible by law enforcement. However, a flaw discovered by a security researcher has exposed live video feeds and detailed records of passing vehicles, revealing the staggering scale of surveillance enabled by this widespread technology.
CISA says Oracle and Mitel have critical security flaws being exploited
The US Cybersecurity and Infrastructure Security Agency (CISA) HAS added three new flaws to its Exploited Vulnerabilities Catalog (KEV), signalling in-the-wild abuse, and giving federal agencies a deadline to patch things up. Two of the three flaws are found in Mitel’s MiCollab unified communications platform. One is a critical path traversal vulnerability, tracked as CVE-2024-41713. By abusing this bug, threat actors can run admin actions and access user and network information.
Security pros baited with fake Windows LDAP exploit traps
Security researchers are once again being lured into traps by attackers, this time with fake exploits of serious Microsoft security flaws. Trend Micro spotted what appears to be a fork of the legitimate proof-of-concept (PoC) exploit for LDAPNightmare, initially published by SafeBreach Labs on January 1. But the “forked” exploit PoC actually leads to the download and execution of information-stealing malware. LDAPNightmare is the name of the PoC for CVE-2024-49113, a 7.5-severity denial-of-service bug in LDAP patched in Microsoft’s December Patch Tuesday.
Now, you can create a digital copy of your personality in just two hours
Researchers at Google Deepmind and Stanford University have concluded that a two-hour interview is sufficient to create a realistic AI copy with the same personality as the interviewee. In an experiment, 1,052 people were interviewed using a questionnaire that addressed everything from personal life events to opinions about society. A digital AI copy was then created and when a new round of questions was asked, it answered the same as its human counterpart in 85% of cases. According to the researchers, AI copies of real people can be used in a wide range of contexts, but there are also risks with the technology. For example, they can be used for scams.
Largest US addiction treatment provider notifies patients of data breach
BayMark Health Services, North America’s largest provider of substance use disorder (SUD) treatment and recovery services, is notifying an undisclosed number of patients that attackers stole their personal and health information in a September 2024 breach. The Texas-based organization provides medication-assisted treatment (MAT) services targeting both substance use and mental health disorders to more than 75,000 patients daily in over 400 service sites across 35 U.S. states and three Canadian provinces. In data breach notification letters mailed to affected individuals, BayMark revealed that it learned of the breach on October 11, 2024, following an IT systems disruption. A follow-up investigation revealed that the attackers accessed BayMark’s systems between September 24 and October 14.
Chinese spies targeting new Ivanti vulnerability, Mandiant says
A newly publicized vulnerability in popular products from tech company Ivanti is being exploited by China-based espionage threat actors, according to Google-owned cybersecurity firm Mandiant. Mandiant published a blog post detailing its examination of CVE-2025-0282 — a vulnerability Ivanti announced on Wednesday that affects the company’s popular Connect Secure VPN appliance. On Wednesday night, the leading U.S. cybersecurity agency ordered all federal civilian agencies to patch the vulnerability by January 15 — the shortest time frame it has ever issued since creating its Known Exploited Vulnerabilities Catalog.
