AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 9/4/2025

ICE obtains access to Israeli-made spyware that can hack phones and encrypted apps

US immigration agents will have access to one of the world’s most sophisticated hacking tools after a decision by the Trump administration to move ahead with a contract with Paragon Solutions, a company founded in Israel which makes spyware that can be used to hack into any mobile phone – including encrypted applications. The Department of Homeland Security first entered into a contract with Paragon, now owned by a US firm, in late 2024, under the Biden administration. But the $2m contract was put on hold pending a compliance review to make sure it adhered to an executive order that restricts the US government’s use of spyware, Wired reported at the time. 


Passkeys Are Not Broken. The Conversation About Them Often Is 

Every few months, like clockwork, a talk or article appears claiming that new research has uncovered a “vulnerability” with passkeys. This can understandably raise concern for executives and product leaders looking to uplift their authentication frameworks. But these reports have a pattern: they highlight opportunities for exploitation in the environment where passkeys are used, not any vulnerability in passkeys themselves. Passkeys are FIDO authentication credentials that leverage public key cryptography. The authentication protocol relies on the user having control of their private key, which is generated on the user’s device (their smartphone, their FIDO Security Key, etc.) and is never shared with the service they are authenticating to (all the service receives and saves is the corresponding public key). That design makes passkeys inherently resistant to phishing, credential stuffing, and large-scale data breaches. Breaking the security model of passkeys would require stealing the private key itself, something cryptographically and practically infeasible without compromising the device in some manner.
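As an added illustration of the design described above (example code, not from the article or the FIDO specifications), a Go model of one passkey login: the device keeps the private key, the relying party stores only the public key, and the server only accepts a signature bound to its own challenge, RP ID and origin, which is why a relayed challenge signed on a look-alike site fails. The WebAuthn structures are reduced (authenticatorData is just the RP ID hash, clientData carries only challenge and origin) and the names Register, Assert and Verify are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Authenticator models the user's device: the private key is created here and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// Register creates a credential on the device; the relying party stores only the public key.
func Register() (*Authenticator, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &priv.PublicKey, nil
}
// Assertion mirrors a simplified WebAuthn response: clientDataJSON, authenticatorData (reduced to the RP ID hash) and an ECDSA signature over authData || SHA-256(clientDataJSON).
type Assertion struct{ ClientDataJSON, AuthData, Sig []byte }
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.New()
	h.Write(authData)
	h.Write(cdHash[:])
	return h.Sum(nil)
}
// Assert signs the server's challenge bound to the origin the browser is really on; the browser, not the web page, fills in origin and RP ID, so a look-alike site cannot forge them.
func (a *Authenticator) Assert(challenge []byte, origin, rpID string) (Assertion, error) {
	cd, _ := json.Marshal(map[string]interface{}{"challenge": challenge, "origin": origin})
	rp := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(rp[:], cd))
	return Assertion{ClientDataJSON: cd, AuthData: rp[:], Sig: sig}, err
}
// Verify is the relying party's check: its own RP ID hash, its own challenge and origin inside the signed clientData, and a signature valid under the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, as Assertion) bool {
	var cd struct {
		Challenge []byte `json:"challenge"`
		Origin    string `json:"origin"`
	}
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || !bytes.Equal(cd.Challenge, challenge) || cd.Origin != origin {
		return false
	}
	want := sha256.Sum256([]byte(rpID))
	return bytes.Equal(as.AuthData, want[:]) && ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Sig)
}
```

A real browser would not even offer the credential to a site whose RP ID differs; the model shows that even an assertion obtained that way, or one replayed with a stale challenge, is rejected by the server.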


Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack 

Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). “Over the past few weeks, we’ve autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps,” the web infrastructure and security company said in a post on X. “The 11.5 Tbps attack was a UDP flood that mainly came from Google Cloud.” The entire attack lasted only about 35 seconds, with the company stating its “defenses have been working overtime.” 


Amazon disrupts Russian APT29 hackers targeting Microsoft 365 

Researchers have disrupted an operation attributed to the Russian state-sponsored threat group Midnight Blizzard, which sought access to Microsoft 365 accounts and data. Also known as APT29, the hacker group compromised websites in a watering hole campaign to redirect selected targets “to malicious infrastructure designed to trick users into authorizing attacker-controlled devices through Microsoft’s device code authentication flow.” The Midnight Blizzard threat actor has been linked to Russia’s Foreign Intelligence Service (SVR) and is well-known for its clever phishing methods that recently impacted European embassies, Hewlett Packard Enterprise, and TeamViewer.


Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet 

People in Internet security circles are sounding the alarm over the issuance of three TLS certificates for 1.1.1.1, a widely used DNS service from content delivery network Cloudflare and the Asia Pacific Network Information Centre (APNIC) Internet registry. The certificates, issued in May, can be used to decrypt domain lookup queries encrypted through DNS over HTTPS or DNS over TLS. Both protocols provide end-to-end encryption when end-user devices seek the IP address of a particular domain they want to access. Two of the certificates remained valid at the time this post went live on Ars. 


France fines Google, SHEIN for undercooked cookie policies that led to crummy privacy

France’s data protection authority levied massive fines against Google and SHEIN for dropping cookies on customers without securing their permission, and also whacked Google for showing ads in its email service. The Commission nationale de l’informatique et des libertés (CNIL) announced the fines on Wednesday, and explained it found Google broke local laws in its signup process for new accounts, which encouraged users to approve the use of cookies tied to advertising services but didn’t inform them that accepting those cookies was a condition for using Google’s services.

