1. UK Political Parties Canvassing Apps are full of security issues
The Open Rights Group (ORG) has flagged a number of security and privacy issues it found in apps developed by all three of the UK’s major political parties.
Issues discovered by researchers at the ORG included potential data sharing with the credit reference agency Experian; vulnerability to dependency confusion attacks; and reliance on Google Firebase SDKs, which are prone to misconfiguration.
For more details please see: https://www.theregister.com/2025/01/30/uk_canvassing_app_issues/
2. US Blood Center hit by disruptive ransomware attack
On Sunday 26th January, the New York Blood Center Enterprises identified suspicious activity on its IT systems, which the third-party incident response specialists it quickly brought in identified as a ransomware attack.
In response, the non-profit has had to take some of its systems offline, and blood donations have been affected as a result.
While I’m never surprised at the depths that cybercriminals will plumb, this is surely a new low even by their standards.
For more details please see: https://www.nybce.org/news/articles/cyber/
3. DeepSeek data publicly exposed
Cloud security firm Wiz has reported that it found a publicly accessible, fully controllable database belonging to DeepSeek, the Chinese AI company that has set the world’s tech media (and stock markets!) alight this week.
Wiz announced in a blog post that the database was “completely open and unauthenticated” and hosted over a million instances of “chat history, backend data, and sensitive information, including log streams, API secrets, and operational details.”
As is so often the case, it doesn’t take sophisticated threat actors to cause data leaks, just a failure to apply basic security controls to assets that are available on the public internet.
For further details please see: https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak
4. Google takes action after tech savvy victim nearly caught out by sophisticated phishing attack
The Register reported this week that a group of scammers nearly tricked Zach Latta, founder of Hack Club, after claiming they were from the Google Workspace team and needed to reset his account password after spotting an unusual login attempt from Frankfurt (Latta is based in Vermont, USA).
The call came from a genuine number associated with Google and displayed a Google caller ID. The scammer spoke with an American accent and was even able to send an email from a workspace-noreply@google.com address when challenged by a suspicious Latta. It was only after another scammer joined the call and raised a red flag that Latta hung up before he was pwned.
Providing a verified phone number and an email from a legitimate address are two best practices that cybersecurity professionals encourage, so it’s not surprising that this attack nearly succeeded even against a tech savvy victim like Latta.
Google has taken action after it was revealed that the scammers created a legitimate Google Workspace using a G.co subdomain. The attackers then created an account for the victim and sent the password reset email to the victim, as is normal for a Workspace account.
For the full article please see: https://www.theregister.com/2025/01/27/google_confirms_action_taken_to/
5. Cyber Farting Attacker in Court – Yes, it’s really a thing!
The Metro newspaper has reported that a UK woman, Rhiannon Evans, ended up in court after sending seven videos of herself breaking wind to her boyfriend’s ex-partner Deborah Prytherach over Christmas and New Year, following a dispute over child contact.
Miss Evans was arrested by police and subsequently appeared in court, where she was fined nearly £300, which included £100 compensation for her victim and £199 for court costs.
The lesson here: there are better (and cheaper) ways to let off steam!
For the full article please see: https://metro.co.uk/2025/01/29/woman-charged-inappropriate-videos-uks-first-cyber-farting-case-22459049/