Eight years after a researcher warned WhatsApp that it was possible to extract user phone numbers en masse from the Meta-owned app, another team of researchers found that they could still do exactly that using a similar technique. The issue stems from WhatsApp’s discovery feature, which allows someone to enter a person’s phone number to see if they’re on the app. By doing this billions of times—which WhatsApp did not prevent—researchers from the University of Vienna uncovered what they’re calling “the most extensive exposure of phone numbers” ever.
Vaping is a major problem in US high schools. But is the solution to spy on students in the bathroom? An investigation by The 74, copublished with WIRED, found that schools around the country are turning to vape detectors in an effort to crack down on nicotine and cannabis consumption on school grounds. Some of the vape detectors go far beyond detecting vapor by including microphones that are surprisingly accurate and revealing. While few defend addiction and drug use, even non-vapers say the added surveillance and the punishments that result go too far.
Don’t look now, but that old networking equipment your company hasn’t thought about in years may jump out and bite you. Tech giant Cisco this week launched a new initiative, warning companies that AI tools are making it increasingly simple for attackers to find vulnerabilities in outdated and unpatched networking infrastructure. The message: Upgrade or else.
If you’ve ever attended a conference, you probably worried about getting sick in the cesspools that are a conference center. But one hacker conference in New Zealand, Kawaiicon, invented a novel way to keep attendees a little bit safer. By tracking the CO2 levels in each conference room, Kawaiicon’s organizers were able to create a real-time air-quality monitoring system, which would tell people which rooms were safe and which seemed … gross. The project brings new meaning to antivirus monitoring.
And that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
The US Border Patrol is operating a predictive-intelligence program that monitors millions of American drivers far beyond the border, according to a detailed investigation by the Associated Press. A network of covert license-plate readers—often hidden inside traffic cones, barrels, and roadside equipment—feeds data into an algorithm that flags “suspicious” routes, quick turnarounds, and travel to and from border regions. Local police are then alerted, resulting in traffic stops for minor infractions like window-tint violations, air fresheners, or marginal speeding. AP reviewed police records showing that drivers were questioned, searched, and sometimes arrested despite no contraband being found.
Internal group chats obtained through public-records requests show Border Patrol agents and Texas deputies sharing hotel records, rental car status, home addresses, and social media details of US citizens in real time while coordinating what officers call “whisper stops” to obscure federal involvement. The AP identified plate-reader sites more than 120 miles from the Mexican border in the Phoenix area, as well as locations in metropolitan Detroit and near the Michigan-Indiana line that capture traffic headed toward Chicago and Gary. Border Patrol also taps DEA plate-reader networks and has, at various times, accessed systems run by Rekor, Vigilant Solutions, and Flock Safety.
CBP says the program is governed by “stringent” policies and constitutional safeguards, but legal experts told AP that its scale raises new Fourth Amendment concerns. A UC Law San Francisco official said the system amounts to a “dragnet” tracking Americans’ movements, associations, and daily routines.
Microsoft claims to have mitigated the largest distributed denial-of-service (DDoS) attack ever recorded in a cloud environment—a 15.72 Tbps, 3.64-billion-pps barrage launched on October 24 against a single Azure endpoint in Australia. Microsoft says the attack “originated from the Aisuru botnet,” a Turbo-Mirai–class IoT network of compromised home routers, cameras, and other consumer devices. More than 500,000 IP addresses are said to have participated, generating a massive DDoS attack with little spoofing. Microsoft says its global Azure DDoS Protection network absorbed the traffic without service disruption. Microsoft described the attack as “the largest DDoS ever observed in the cloud,” emphasizing the single endpoint; however, Cloudflare also recently reported a 22.2 Tbps flood, naming it the largest DDoS attack ever seen.
Researchers note that Aisuru has recently launched multiple attacks exceeding 20 Tbps and is expanding its capabilities to include credential stuffing, AI-driven scraping, and HTTPS floods via residential proxies.