Researchers have finally cracked disruptive malware called Fast16 that predates Stuxnet and could be used to target Iran’s nuclear program. It was created in 2005 and was probably deployed by the US or an ally.
Meta is being sued by the Consumer Federation of America, a nonprofit organization, over allegedly misleading consumers about scam ads on Facebook and Instagram and the company’s efforts to combat them. A United States surveillance program that lets the FBI look at Americans’ communications without a warrant is up for renewal, but lawmakers are at an impasse over the next step. The new bill aims to address lawmakers’ growing concerns, but it lacks substance.
And if you want to dig deeper, WIRED investigated the years-long controversy behind GrapheneOS, the leading privacy and security-conscious mobile operating system. We also saw the strange story of how China spied on American figure skater Alyssa Liu and her father.
There is so much more. Each week, we round up security and privacy news that we haven’t covered in depth ourselves. Click on titles to read full stories. And stay safe there.
Anthropic’s Mythos Preview AI model is billed as an alarmingly capable tool for finding security vulnerabilities in software and networks, so powerful that its creator has carefully restricted its release. But a group of amateur spies on Discord discovered their own, relatively simple way — no AI hacking required — to gain unauthorized access to a coveted digital prize: the Mythos itself.
Despite Anthropic’s efforts to control who could use Mythos Preview, a group of Discord users gained access to the tool through some relatively straightforward spying actions: They examined data from the recent breach of Merker, an AI training startup that worked with developers, and “made an educated guess about the model’s online location based on Anthropic’s knowledge of the format used for other models” – a phrase that many observers speculated about. That refers to a web URL — according to Bloomberg, which broke the story.
The individual also reportedly took advantage of pre-existing permissions to access other Anthropic models thanks to his work for the Anthropic contracting firm. However, as a result of his investigation, he reportedly gained access to not only Mythos but also other unreleased anthropic AI models. Thankfully, according to Bloomberg, the group that gained access to Mythos has so far only used it to create simple websites — a decision designed to prevent it from being detected by Anthropic rather than hacking the planet.
Security researchers have long warned that the telecommunications protocol known as Signaling System 7, or SS7, which controls how phone networks connect to each other and route calls and texts, is vulnerable to abuse that would allow covert surveillance. This week researchers at the digital rights organization Citizen Lab revealed that at least two for-profit surveillance vendors have actually used those vulnerabilities – or similar vulnerabilities – in next-generation telecommunications protocols to spy on actual victims. Citizen Lab found that the two surveillance firms essentially acted as rogue phone carriers, and leveraged access to three smaller telecommunications companies—Israeli carrier 019Mobile, British cell provider Tango Mobile, and Airtel Jersey, based on the island of Jersey in the English Channel—to track the location of targets’ phones. Citizen Lab researchers say “high-profile” people were tracked by two surveillance firms, though they declined to name the firms or their targets. The researchers also warn that the two companies they found abusing the protocol are likely not alone, and that vulnerabilities in global telecommunications protocols remain a very real vector for phone spying around the world.
In a sign of a growing, if belated, crackdown by U.S. law enforcement on the vast criminal industry of human-trafficking-fueled scam complexes throughout Southeast Asia, the Justice Department this week announced charges against two Chinese individuals for allegedly helping manage one scam complex in Myanmar and trying to open another in Cambodia. According to prosecutors, Jiang Wen Jie and Huang Xingshan were both arrested in Thailand earlier this year on immigration charges, and are now accused of allegedly running a massive scam operation that lured human trafficking victims to their premises with fake job offers and then coerced them into scamming millions of dollars, including Americans, with fraudulent investments in cryptocurrency. The DOJ says it also “froze” $700 million of funds related to the operation — essentially freezing the funds in preparation for seizure — and seized a channel on the messaging app Telegram, which prosecutors say was used to entrap and enslave trafficking victims. The Justice Department statement claimed that Huang personally participated in the physical punishment of workers at a compound, and that Jiang at one point oversaw the theft of $3 million from a US scam victim.
The British government and non-profit UK Biobank revealed this week that three scientific research institutes were found to be selling the health information of British citizens on Alibaba. Over the past two decades, more than 500,000 people have shared their health data—including medical images, genetic information and health care records—with the UK Biobank, which allows scientists around the world to access the information to conduct medical research. However, the charity said the data leak involved a “breach of the contract” signed by the three organisations, with one of the datasets up for sale believed to contain data on all half a million research subjects. It did not detail the full type of data listed for sale, but said it had suspended the biobank accounts of those allegedly selling the information. Data advertisements have also been removed.
Earlier this month, 404 Media reported that the FBI was able to obtain copies of Signal messages from the defendant’s iPhone because the content of the messages, which were encrypted within Signal, were saved in the iOS push notification database. In this example, copies of the messages were still accessible even if Signal was removed from the phone — although the problem affected all apps that send push notifications.
This week, in response to the problem, Apple released an iOS and iPadOS security update to fix the flaw. Apple’s security update for iOS 26.4.2 states, “Notifications marked for deletion may unexpectedly be retained on the device.” “The logging issue was addressed with improved data reduction.”
Although the issue has been fixed, it is still advisable to change what appears in notifications on your device. You can open the app for Signal, go to settings, NotificationsToggle to show more notifications name only Or No name or content. This is another reminder that while apps like Signal are end-to-end encrypted, the same applies to content as it moves between devices: If someone can physically access and unlock your phone, chances are they can access everything on your device.
<a href