Slashdot reader spatwei shared this report from SC World: Nearly three dozen flaws in open-source AI and machine learning (ML) tools were disclosed Tuesday as part of [AI-security platform] Protect AI's huntr bug bounty program.

The discoveries include three critical vulnerabilities: two in the Lunary AI developer toolkit [both with a CVSS score of 9.1] and one in a graphical user interface for ChatGPT called Chuanhu Chat. The October vulnerability report also includes 18 high-severity flaws ranging from denial-of-service to remote code execution... Protect AI's report also highlights vulnerabilities in LocalAI, a platform for running AI models locally on consumer-grade hardware, LoLLMs, a web UI for various AI systems, LangChain.js, a framework for developing language model applications, and more.
In the article, Protect AI's security researchers point out that these open-source tools are "downloaded thousands of times a month to build enterprise AI Systems."

The three critical vulnerabilties have already been addressed by their respective companies, according to the article.

NASA's economic impact report highlights that in fiscal year 2023, the agency's initiatives contributed $75.6 billion to the U.S. economy, created over 300,000 jobs, and drove advancements in areas like space exploration, climate research, and technology innovation. The agency's budget for that year was $25.4 billion. Space.com reports: The Moon to Mars program alone created $23.8 billion in economic output and 96,479 jobs, while investments in climate research and technology contributed $7.9 billion and 32,900 jobs. The report also drills down into impacts in each state, with 45 states seeing over $10 million in impact and eight states surpassing the $1 billion mark. [...]

NASA's missions supported 304,803 jobs across America, according to the report -- the third agency-wide study of its kind -- generating an estimated total of $9.5 billion in federal, state, and local taxes. Additionally, NASA's technological innovations and transfers in 2023 led to 40 new patent applications, 69 patents issued, and thousands of software usage agreements. A number of NASA technology spinoffs have become everyday household items. The full NASA economic impact report can be found here.

JPMorgan Chase is suing customers who exploited an ATM glitch that allowed them to withdraw funds before a check bounced. CNBC reports: The bank on Monday filed lawsuits in at least three federal courts, taking aim at some of the people who withdrew the highest amounts in the so-called infinite money glitch that went viral on TikTok and other social media platforms in late August. [...] JPMorgan, the biggest U.S. bank by assets, is investigating thousands of possible cases related to the "infinite money glitch," though it hasn't disclosed the scope of associated losses. Despite the waning use of paper checks as digital forms of payment gain popularity, they're still a major avenue for fraud, resulting in $26.6 billion in losses globally last year, according to Nasdaq's Global Financial Crime Report.

The infinite money glitch episode highlights the risk that social media can amplify vulnerabilities discovered at a financial institution. Videos began circulating in late August showing people celebrating the withdrawal of wads of cash from Chase ATMs shortly after bad checks were deposited. Normally, banks only make available a fraction of the value of a check until it clears, which takes several days. JPMorgan says it closed the loophole a few days after it was discovered.

The lawsuits are likely to be just the start of a wave of litigation meant to force customers to repay their debts and signal broadly that the bank won't tolerate fraud, according to the people familiar. JPMorgan prioritized cases with large dollar amounts and indications of possible ties to criminal groups, they said. The civil cases are separate from potential criminal investigations; JPMorgan says it has also referred cases to law enforcement officials across the country. "Fraud is a crime that impacts everyone and undermines trust in the banking system," JPMorgan spokesman Drew Pusateri said in a statement to CNBC. "We're pursuing these cases and actively cooperating with law enforcement to make sure if someone is committing fraud against Chase and its customers, they're held accountable."

Boeing received an email from the chief pilot at Ethiopian Airlines on December 1, 2018 with several questions, reports the New York Times (alternate URL here). "in essence the pilot was asking for direction. If we see a series of warnings on the new 737 Max, he posed, what do we do?" What ensued was an email conversation among a number of Boeing senior officials about whether they could answer the pilot's questions without violating international restrictions on disseminating information about a crash while it was still under investigation. That restriction was in play because a 737 Max flown by Lion Air had crashed a few weeks earlier leaving Indonesia. The inquiry from Ethiopian Airlines would prove chillingly prescient because just months later one of its 737s would go down because of a flight control malfunction similar to the one that led to the Lion Air crash. The Ethiopian Airlines crash would kill everyone on board and leave questions about whether Boeing had done everything it could to inform pilots of what it had learned about the malfunction and how to handle it.

In response to the inquiry from Ethiopian Airlines, Boeing's chief pilot, Jim Webb, proposed to his colleagues that he thank the airline for attending a previous briefing on the flight control system, called MCAS, but otherwise decline to answer the pilot's first two questions and just refer the airline to training materials and previously issued guidance. Most of those on the email agreed.
Boeing's eventual response? "I can only address the current system and the Operations Manual Bulletin. The first two questions directly relate to the accident scenario; therefore, I will be unable to address them here." The Times adds that Boeing's chief pilot Jim Webb then "ended the email by stating that if airline officials had any additional questions about the bulletin and system, they should feel free to reach out....

"It is impossible to know whether any pilots with Ethiopian Arlines would have acted differently if Webb's reply had been more forthcoming. But Boeing's limited response to an airline seeking help highlights a missed opportunity to collaborate on safety and to pass along lessons Boeing had collected following the Lion Air jet's crash into the Java Sea on Oct. 29, 2018."

theodp writes: "Computer science education is a necessity for all students," argues tech-backed nonprofit Code.org in its newly-published 2024 State of Computer Science Education (Understanding Our National Imperative) report. "Students of all identities and chosen career paths need quality computer science education to become informed citizens and confident creators of content and digital tools."

In the 200-page report, Code.org pays special attention to participation in "foundational computer science courses" in high school. "Across the country, 60% of public high schools offer at least one foundational computer science course," laments Code.org (curiously promoting a metric that ignores school size which nonetheless was embraced by Education Week and others).

"A course that teaches foundational computer science includes a minimum amount of time applying learned concepts through programming (at least 20 hours of programming/coding for grades 9-12 high schools)," Code.org explains in a separate 13-page Defining Foundational Computer Science document. Interestingly, Code.org argues that Data and Informatics courses -- in which "students may use Oracle WebDB, SQL, PL/SQL, SPSS, and SAS" to learn "the K-12 CS Framework concepts about data and analytics" -- do not count, because "the course content focuses on querying using a scripting language rather than creating programs [the IEEE's Top Programming Languages 2024 begs to differ]." Code.org similarly dissed the use of the Wolfram Language for broad educational use back in 2016.

With its insistence on the importance of kids taking Code.org-defined 'programming' courses in K-12 to promote computational thinking, it's probably no surprise to see that the data behind the 2024 State of Computer Science Education report was prepared using Python (the IEEE's top programming language) and presented to the public in a Jupyter notebook. Just kidding. Ironically, the data behind the 2024 State of Computer Science Education analysis is prepared and presented by Code.org in a no-code Tableau workbook.

Apple CEO Tim Cook has acknowledged the company's late entry into AI, stating, "We weren't the first to do intelligence." Despite this admission, Cook defended Apple's approach, claiming it will be "the best for the customer."

The tech giant plans to roll out initial AI features on October 28, with more advanced capabilities expected in 2025. However, internal studies suggest Apple's AI lags behind competitors, with Siri reportedly 25% less accurate than ChatGPT. Cook remains optimistic, asserting that AI will make users' time on iPhones "profoundly different."

penciling_in writes: Ukrainian authorities have arrested a 28-year-old man in Khmelnytskyi for running an illegal VPN service that allowed users to bypass Ukrainian sanctions and access the Russian internet (Runet). The VPN, active since Russia's invasion, enabled Russian sympathizers and people in occupied territories to reach blocked Russian government sites, social media, and news.

Handling over 100GB of data daily and linking to 48 million Russian IP addresses, the VPN may have been exploited by Russian intelligence. Ukrainian cyber police, in collaboration with the National Security Service, seized servers and equipment in multiple locations. The suspect faces charges under Part 5 of Article 361 of Ukraine's Criminal Code, which could lead to a 15-year prison sentence. Investigations are ongoing into further connections and funding sources. The case highlights the growing role of VPNs in the ongoing cyberwar between Ukraine and Russia.

OpenAI said a group with apparent ties to China tried to carry out a phishing attack on its employees, reigniting concerns that bad actors in Beijing want to steal sensitive information from top US artificial intelligence companies. From a report: The AI startup said Wednesday that a suspected China-based group called SweetSpecter posed as a user of OpenAI's chatbot ChatGPT earlier this year and sent customer support emails to staff. The emails included malware attachments that, if opened, would have allowed SweetSpecter to take screenshots and exfiltrate data, OpenAI said, but the attempt was unsuccessful.

"OpenAI's security team contacted employees who were believed to have been targeted in this spear phishing campaign and found that existing security controls prevented the emails from ever reaching their corporate emails," OpenAI said. The disclosure highlights the potential cybersecurity risks for leading AI companies as the US and China are locked in a high-stakes battle for artificial intelligence supremacy. In March, for example, a former Google engineer was charged with stealing AI trade secrets for a Chinese firm.

"Pig Butchering Alert: Fraudulent Trading App targeted iOS and Android users."

That's the title of a new report released this week by cybersecurity company Group-IB revealing the official Apple App Store and Google Play store offered apps that were actually one part of a larger fraud campaign. "To complete the scam, the victim is asked to fund their account... After a few seemingly successful trades, the victim is persuaded to invest more and more money. The account balance appears to grow rapidly. However, when the victim attempts to withdraw funds, they are unable to do so."

Forbes reports: Group-IB determined that the frauds would begin with a period of social engineering reconnaissance and entrapment, during which the trust of the potential victim was gained through either a dating app, social media app or even a cold call. The attackers spent weeks on each target. Only when this "fattening up" process had reached a certain point would the fraudsters make their next move: recommending they download the trading app from the official App Store concerned.

When it comes to the iOS app, which is the one that the report focussed on, Group-IB researchers said that the app remained on the App Store for several weeks before being removed, at which point the fraudsters switched to phishing websites to distribute both iOS and Android apps. The use of official app stores, albeit only fleetingly as Apple and Google removed the fake apps in due course, bestowed a sense of authenticity to the operation as people put trust in both the Apple and Google ecosystems to protect them from potentially dangerous apps.
"The use of web-based applications further conceals the malicious activity," according to the researchers, "and makes detection more difficult." [A]fter the download is complete, the application cannot be launched immediately. The victim is then instructed by the cybercriminals to manually trust the Enterprise developer profile. Once this step is completed, the fraudulent application becomes operational... Once a user registers with the fraudulent application, they are tricked into completing several steps. First, they are asked to upload identification documents, such as an ID card or passport. Next, the user is asked to provide personal information, followed by job-related details...

The first discovered application, distributed through the Apple App Store, functions as a downloader, merely retrieving and displaying a web-app URL. In contrast, the second application, downloaded from phishing websites, already contains the web-app within its assets. We believe this approach was deliberate, since the first app was available in the official store, and the cybercriminals likely sought to minimise the risk of detection. As previously noted, the app posed as a tool for mathematical formulas, and including personal trading accounts within an iOS app would have raised immediate suspicion.
The app (which only runs on mobile phones) first launches a fake activity with formulas and graphics, according to the researchers. "We assume that this condition must bypass Apple's checks before being published to the store. As we can see, this simple trick allows cybercriminals to upload their fraudulent application to the Apple Store." They argue their research "reinforces the need for continued review of app store submissions to prevent such scams from reaching unsuspecting victims". But it also highlights "the importance of vigilance and end-user education, even when dealing with seemingly trustworthy apps..."

"Our investigation began with an analysis of Android applications at the request of our client. The client reported that a user had been tricked into installing the application as part of a stock investment scam. During our research, we uncovered a list of similar fraudulent applications, one of which was available on the Google Play Store. These apps were designed to display stock-related news and articles, giving them a false sense of legitimacy."

Last week the Register warned "If you're running the Unix printing system CUPS, with cups-browsed present and enabled, you may be vulnerable to attacks that could lead to your computer being commandeered over the network or internet." (Although the CEO of cybersecurity platform watchTowr told them "the vulnerability impacts less than a single-digit percentage of all deployed internet-facing Linux systems.")

But Tuesday generic (Slashdot reader #14,144) shared this new warning from Akamai: Akamai researchers have confirmed a new attack vector using CUPS that could be leveraged to stage distributed denial-of-service (DDoS) attacks. Research shows that, to begin the attack, the attacking system only needs to send a single packet to a vulnerable and exposed CUPS service with internet connectivity.

The Akamai Security Intelligence and Response Team (SIRT) found that more than 198,000 devices are vulnerable to this attack vector and are accessible on the public internet; roughly 34% of those could be used for DDoS abuse (58,000+). Of the 58,000+ vulnerable devices, hundreds exhibited an "infinite loop" of requests.

The limited resources required to initiate a successful attack highlights the danger: It would take an attacker mere seconds to co-opt every vulnerable CUPS service currently exposed on the internet and cost the attacker less than a single US cent on modern hyperscaler platforms.

An anonymous reader quotes a report from 404 Media: After a horseback riding accident left him paralyzed from the waist down in 2009, former jockey Michael Straight learned to walk again with the help of a $100,000 ReWalk Personal exoskeleton. Earlier this month, that exoskeleton broke because of a malfunctioning piece of wiring in an accompanying watch that makes the exoskeleton work. The manufacturer refused to fix it, saying the machine was now too old to be serviced, and Straight once again couldn't walk anymore. "After 371,091 steps my exoskeleton is being retired after 10 years of unbelievable physical therapy," Straight posted on Facebook on September 16. "The reasons [sic] why it has stopped is a pathetic excuse for a bad company to try and make more money. The reason it stopped is because of a battery in the watch I wear to operate the machine. I called thinking it was no big deal, yet I was told they stopped working on any machine that was 5 years or older. I find it very hard to believe after paying nearly $100,000 for the machine and training that a $20 battery for the watch is the reason I can't walk anymore?"

Straight's experience is a nightmare scenario that highlights what happens when companies decide to stop supporting their products and do not actively support independent repair. It's also what happens without the protection of right to repair legislation that requires manufacturers to make repair parts, guides, and tools available to the general public. Specifically, a connection wire became desoldered from the battery in a watch that connects to the exoskeleton: "It's not the actual battery, but it's the little green connection piece we need to be the right fit and that's been our problem," Straight posted on Facebook. Straight's personal exoskeleton was broken for two months, he said in a video on Facebook. He was eventually able to get the device fixed after attention from an article in the Paulick Report, a website about the horse industry, and a spot on local TV. "It took me two months, and I got no results," he said in the video. With social media and news attention, "it only took you all four days, and look at the results," he said earlier this week while standing in the exoskeleton. "This is the dystopian nightmare that we've kind of entered in, where the manufacturer perspective on products is that their responsibility completely ends when it hands it over to a customer. That's not good enough for a device like this, but it's also the same thing we see up and down with every single product," Nathan Proctor, head of citizen rights group US PIRG's right to repair project told 404 Media. "People need to be able to fix things, there needs to be a plan in place. A $100,000 product you can only use as long as the battery lasts, that's enraging. We should not have to tolerate a society where this happens."

"We have all this technology we release into the wild and it changes people's lives, but there's no long-term thinking. Manufacturers currently have no legal obligation to support the equipment indefinitely and there's no requirements that they publish sufficient documentation to allow others to do it," Proctor said. "We need to set minimum standards for documentation so that, even if a company goes bankrupt or falls off the face of the earth, a technician with sufficient knowledge can fix it."

Amazon is joining the Motion Picture Association as its seventh member, alongside Paramount Pictures, Sony Pictures, Universal Studios, The Walt Disney Studios, Warner Bros. Discovery and Netflix. Engadget reports: Amazon was already involved with the MPA, having worked with its Alliance for Creativity and Entertainment, an anti-piracy coalition, as a governing board member since 2017. MGM (which Amazon bought in 2022) was previously an MPA member from 1928 until 2005. Amazon's involvement with the MPA speaks to the foothold that the company has in entertainment. The fact that Amazon and Netflix are both members also highlights the major influence of streaming over the industry at large. "The MPA is the global voice for a growing and evolving industry, and welcoming Prime Video & Amazon MGM Studios to our ranks will broaden our collective policymaking and content protection efforts on behalf of our most innovative and creative companies," Charles Rivkin, MPA chairman and CEO, said in a statement. "MPA studios fuel local economies, drive job creation, enrich cultures and bolster communities everywhere they work. With Prime Video & Amazon MGM Studios among our roster of extraordinary members, the MPA will have an even larger voice for the world's greatest storytellers."

An anonymous reader quotes a report from The Register: Germany's Federal Office for Information Security (BSI) says one in ten organizations in the country affected by CrowdStrike's outage in July are dropping their current vendor's products. Four percent of organizations have already abandoned their existing solutions, while a further 6 percent plan to do so in the near future. It wasn't explicitly said whether this referred to CrowdStrike's Falcon product specifically or was a knee-jerk reaction to security vendors generally. One in five will also change the selection criteria when it comes to reviewing which security vendor gets their business. The whole fiasco doesn't seem to have hurt the company much though, at least not yet.

The findings come from a report examining the experiences of 311 affected organizations in Germany, published today. Of those affected in one way or another, most said they first heard about the issues from social media (23 percent) rather than CrowdStrike itself (22 percent). The report also revealed that half of the 311 surveyed orgs had to halt operations -- 48 percent experienced temporary downtime. Ten hours, on average. Aside from the obvious business continuity impacts, this led to various issues with customers too. Forty percent said their collaboration with customers was damaged because they couldn't provide their usual services, while more than one in ten organizations didn't even want to address the topic. The majority of respondents (66 percent) said they will improve their incident response plans in light of what happened, or have done so already, despite largely considering events like these as unavoidable. The report highlights a curious finding that over half of CrowdStrike customers wanted to install updates more regularly, even though that would have been worse for an organization.

"Regardless, with the number of urgent patch warnings we and the infosec community dish out every week, it's probably a net positive, even if it's slightly misguided," concludes The Register.

The U.S. Committee on Foreign Investment (CFIUS) fined T-Mobile $60 million, its largest penalty ever, for failing to prevent and report unauthorized access to sensitive data tied to violations of a mitigation agreement from its 2020 merger with Sprint. "The size of the fine, and CFIUS's unprecedented decision to make it public, show the committee is taking a more muscular approach to enforcement as it seeks to deter future violations," reports Reuters. From the report: T-Mobile said in a statement that it experienced technical issues during its post-merger integration with Sprint that affected "information shared from a small number of law enforcement information requests." It stressed that the data never left the law enforcement community, was reported "in a timely manner" and was "quickly addressed." The failure of T-Mobile to report the incidents promptly delayed CFIUS' efforts to investigate and mitigate any potential harm to U.S. national security, they added, without providing further details. "The $60 million penalty announcement highlights the committee's commitment to ramping up CFIUS enforcement by holding companies accountable when they fail to comply with their obligations," one of the U.S. officials said, adding that transparency around enforcement actions incentivizes other companies to comply with their obligations.

The World Wide Web Consortium (W3C) has expressed disappointment with Google's decision to retain third-party cookies, stating it undermines collaborative efforts. Google's reversal follows a five-year initiative to develop privacy-focused ad technology. While some advertising industry representatives welcomed the move, the W3C's criticism highlights the ongoing debate over online privacy and advertising practices. W3C writes: Third-party cookies are not good for the web. They enable tracking, which involves following your activity across multiple websites. They can be helpful for use cases like login and single sign-on, or putting shopping choices into a cart -- but they can also be used to invisibly track your browsing activity across sites for surveillance or ad-targeting purposes. This hidden personal data collection hurts everyone's privacy.

We aren't the only ones who are worried. The updated RFC that defines cookies says that third-party cookies have "inherent privacy issues" and that therefore web "resources cannot rely upon third-party cookies being treated consistently by user agents for the foreseeable future." We agree. Furthermore, tracking and subsequent data collection and brokerage can support micro-targeting of political messages, which can have a detrimental impact on society, as identified by Privacy International and other organizations. Regulatory authorities, such as the UK's Information Commissioner's Office, have also called for the blocking of third-party cookies.

The job of the TAG as stewards of the architecture of the web has us looking at the big picture (the whole web platform) and the details (proposed features and specs). We try to provide guidance to spec authors so that their new technologies fill holes that need to be filled, don't conflict with other parts of the web, and don't set us up for avoidable trouble in the future. We've been working with Chrome's Privacy Sandbox team (as well as others in the W3C community) for several years, trying to help them create better approaches for the things that third-party cookies do. While we haven't always agreed with the Privacy Sandbox team, we have made substantial progress together. This announcement came out of the blue, and undermines a lot of the work we've done together to make the web work without third-party cookies.

The unfortunate climb-down will also have secondary effects, as it is likely to delay cross-browser work on effective alternatives to third-party cookies. We fear it will have an overall detrimental impact on the cause of improving privacy on the web. We sincerely hope that Google reverses this decision and re-commits to a path towards removal of third-party cookies.

Microsoft has intensified its push for OneDrive adoption in Windows 11, introducing a full-screen pop-up that prompts users to back up their files to the cloud service, according to a report from Windows Latest. The new promotional message, which appears after a recent Windows update, mirrors the out-of-box experience typically seen during initial system setup and highlights OneDrive's features, including file protection, collaboration capabilities, and automatic syncing.

Russian officials boasted on Friday that Moscow was spared the impact of the global IT systems outage because of its increased self-sufficiency after years of Western sanctions, though some experts said Russian systems could still be vulnerable. From a report: Microsoft and other IT firms have suspended sales of new products in Russia and have been scaling down their operations in line with sanctions imposed over Russia's war in Ukraine, which Moscow describes as a special military operation. The Kremlin, along with companies from state nuclear giant Rosatom, which operates all of Russia's nuclear plants, to major lenders and airlines, reported no glitches amid the outage that affected international companies across the globe. "The situation once again highlights the significance of foreign software substitution," Russia's digital development ministry said. Russian financial and currency markets also ran smoothly.

Valve had its employee and payroll data leaked through a poorly redacted document in an antitrust lawsuit in May, offering a rare glimpse into the company's small but impactful workforce over the years. As first noticed by SteamDB's Pavel Djundik, Valve's significant influence in PC gaming transactions has been maintained by just a few hundred employees. Kyle Orland reports via Ars Technica: It's striking to consider just how small Valve is compared to other major players in the game industry. In 2021, Microsoft estimated Valve's annual revenue at $6.5 billion, roughly on the same scale as EA's $7.5 billion in 2024 revenue. But Steam achieved those numbers with around 350 employees, compared to well over 13,000 people employed by EA. The disparity highlights just how much money Valve brings in with a relatively small workforce. And a lot of that is thanks to the chunk of revenue Valve takes from every sale on Steam. The dominant PC gaming marketplace has seen a massive increase in the number of annual game releases since 2012 or so, thanks to initiatives like Steam Greenlight and Steam Direct.

Yet, surprisingly, the size of the "Steam" department inside Valve has shrunk in recent years, from a peak of 142 employees in 2015 down to just 79 in 2021. From the outside, having just 79 employees keeping track of more than 11,000 Steam releases in 2021 is a pretty incredible ratio. Some readers may also be surprised that Valve's "Games" department has represented a majority of the company's headcount since 2003. That has remained true (though to a lesser extent) even in more recent years, as Valve's output of new games has become much more occasional. It seems likely a large number of those Games department employees are devoted to ultra-popular Valve games like Dota 2 and Counter-Strike 2, which enjoy tens of millions of players and need significant support work.

The leaked data also shows the slow rise of Valve's small Hardware department, which started with just three employees in 2011 as the company began work on its doomed Steam Machines initiative. Transitioning into the Valve Index era in the late 2010s, the hardware department still represented just a few dozen people and a paltry 3 to 4 percent of the company's annual payroll. By the time we hit 2021 and the run-up to the Steam Deck, the Hardware division still makes up just 12 percent of Valve's small total headcount. Looking back, it's impressive that such a small team was able to create a portable gaming device that quickly spawned a whole micro-industry of imitators. We can only hope the Hardware team got a little more employee support in the wake of the Steam Deck's market success.

Cellebrite, the well-known mobile forensics company, was unable to unlock a sizable chunk of modern iPhones available on the market as of April 2024, 404 Media reported Wednesday, citing leaked documents it obtained. From the report: Mobile forensics companies typically do not release details on what specific models their tools can or cannot penetrate, instead using vague terms in marketing materials. The documents obtained by 404 Media, which are given to customers but not published publicly, show how fluid and fast moving the success, or failure, of mobile forensic tools can be, and highlights the constant cat and mouse game between hardware and operating manufacturers like Apple and Google, and the hacking companies looking for vulnerabilities to exploit.

[...] For all locked iPhones able to run 17.4 or newer, the Cellebrite document says "In Research," meaning they cannot necessarily be unlocked with Cellebrite's tools. For previous iterations of iOS 17, stretching from 17.1 to 17.3.1, Cellebrite says it does support the iPhone XR and iPhone 11 series. Specifically, the document says Cellebrite recently added support to those models for its Supersonic BF [brute force] capability, which claims to gain access to phones quickly. But for the iPhone 12 and up running those operating systems, Cellebrite says support is "Coming soon."

In its latest State of Application Security Report, Cloudflare says 6.8% of traffic on the internet is malicious, "up a percentage point from last year's study," writes ZDNet's Steven Vaughan-Nichols. "Cloudflare, the content delivery network and security services company, thinks the rise is due to wars and elections. For example, many attacks against Western-interest websites are coming from pro-Russian hacktivist groups such as REvil, KillNet, and Anonymous Sudan." From the report: [...] Distributed Denial of Service (DDoS) attacks continue to be cybercriminals' weapon of choice, making up over 37% of all mitigated traffic. The scale of these attacks is staggering. In the first quarter of 2024 alone, Cloudflare blocked 4.5 million unique DDoS attacks. That total is nearly a third of all the DDoS attacks they mitigated the previous year. But it's not just about the sheer volume of DDoS attacks. The sophistication of these attacks is increasing, too. Last August, Cloudflare mitigated a massive HTTP/2 Rapid Reset DDoS attack that peaked at 201 million requests per second (RPS). That number is three times bigger than any previously observed attack.

The report also highlights the increased importance of application programming interface (API) security. With 60% of dynamic web traffic now API-related, these interfaces are a prime target for attackers. API traffic is growing twice as fast as traditional web traffic. What's worrying is that many organizations appear not to be even aware of a quarter of their API endpoints. Organizations that don't have a tight grip on their internet services or website APIs can't possibly protect themselves from attackers. Evidence suggests the average enterprise application now uses 47 third-party scripts and connects to nearly 50 third-party destinations. Do you know and trust these scripts and connections? You should -- each script of connection is a potential security risk. For instance, the recent Polyfill.io JavaScript incident affected over 380,000 sites.

Finally, about 38% of all HTTP requests processed by Cloudflare are classified as automated bot traffic. Some bots are good and perform a needed service, such as customer service chatbots, or are authorized search engine crawlers. However, as many as 93% of bots are potentially bad.