

500 million PCs still have to make the jump to Windows 11. It doesn't look like they will, and Microsoft is making it even harder for them

A change Microsoft made to its official list of compatible hardware has muddled the picture even further.

The transition to Windows 11 has become Microsoft's biggest challenge in a decade. What in 2015 was a massive and relatively smooth migration to Windows 10 has today turned into a gigantic traffic jam, according to a study carried out by Dell: some 500 million computers capable of running Windows 11 have decided not to make the jump, while another 500 million older ones simply cannot, even if their users want to.

The problem for Microsoft, however, is not limited to user resistance. An unexpected element has been added to the equation: the company has obscured the system's official requirements, turning what should be a clear compatibility guide into a labyrinth that baffles even advanced users.

A stalled market

Jeffrey Clarke, Dell's COO, revealed during his company's quarterly earnings call that roughly 500 million PCs on the market are able to upgrade to Windows 11 but are choosing not to. In turn, another 500 million machines, more than four years old, are excluded from the upgrade by the OS's demanding hardware requirements. Windows 10, now without official support, continues to dominate in both homes and businesses.

Clarke's forecast is not optimistic: even with the commercial pressure of the rise of so-called "AI PCs", the market is expected to remain flat. Microsoft, for its part, has stated that "almost a billion people rely on Windows 11", although it has not clarified whether that refers to active installations or some other metric.

Making the jump even more complicated

Amid this stagnation, Microsoft has introduced changes to its official documentation that have caused confusion. Previously, the list of compatible processors was itemized model by model, allowing users to quickly check whether their CPU supported Windows 11. But the current version of the documentation abandons that precision and groups chips by generic families, referring users directly to the manufacturer. The result:

Why users don't want to upgrade

Resistance to Windows 11 is nothing new. Since its launch, the system has imposed technical and user-experience barriers that have generated pushback:

For users still running Windows 10, the situation is increasingly delicate: the system no longer receives official support in the form of security updates, which makes it an easy target for cyberattacks. Microsoft has offered an extended updates program, and although in Europe the first year is free due to regulatory pressure, that is only a temporary patch. Meanwhile, those who decide not to upgrade turn to alternatives:

What now?

Microsoft now has two open fronts: communication with its users, which has deteriorated just when clarity was most needed; and the pressure of a market that does not want to, or cannot, upgrade. The ideal solution for users is still to upgrade to Windows 11, a process that is still free, but the company will first have to resolve the compatibility chaos if it wants to keep the transition from stalling further. If it doesn't, it could find itself in a scenario where hundreds of millions of machines take one of two paths Microsoft does not want: staying on unsupported Windows 10 or abandoning Windows for good.

Image credits: Marcos Merino via AI. Source: Genbeta



AI is getting better and better at finding vulnerabilities… and exploiting them

AI models are so good at detecting vulnerabilities that some experts say the tech industry may have to rethink how software is built.

Vlad Ionescu and Ariel Herbert-Voss, cofounders of the cybersecurity startup RunSybil, were surprised when their AI tool, Sybil, alerted them to a weak point in a client's systems last November. Sybil uses a combination of different AI models, along with some technical tricks of its own, to scan computer systems for problems hackers could take advantage of, such as an unpatched server or a misconfigured database.

What Sybil flagged

In this case, the AI detected a problem in the client's deployment of federated GraphQL, a language used to specify how data is accessed over the web through application programming interfaces (APIs). The problem meant the client was exposing confidential information.

What left Ionescu and Herbert-Voss stunned was that spotting the problem required extraordinarily deep knowledge of several different systems and of how they interacted with one another. Since then, RunSybil has found the same problem in other GraphQL deployments, before anyone had made it public. "We searched the internet and it didn't exist. Discovering it was a step in reasoning in terms of the models' capabilities: a radical change," says Herbert-Voss.

The situation points to a growing risk. As AI models keep getting smarter, their ability to find zero-day attacks and other vulnerabilities keeps growing too. The same intelligence that can be used to detect vulnerabilities can also find a way to exploit them.

Dawn Song, a computer scientist at Berkeley specializing in AI and security, says the latest advances in AI have produced models that are more capable of detecting flaws. Simulated reasoning, which consists of breaking problems down into their constituent parts, and agentic AI, such as online searches or installing and running software tools, have increased the models' cyber capabilities.

Finding vulnerabilities in the system

"The cybersecurity capabilities of frontier models have increased drastically in recent months. This is a turning point," says Song. Last year, she co-created a benchmark called CyberGym to measure how well large language models (LLMs) find vulnerabilities in large open source software projects. CyberGym includes 1,507 known vulnerabilities found in 188 projects. In July 2025, Anthropic's Claude Sonnet 4 was able to find about 20% of the benchmark's vulnerabilities. In October 2025, the new Claude Sonnet 4.5 was able to identify 30%. "AI agents are capable of finding zero-day vulnerabilities, and at very low cost," Song says.

Song notes that this trend shows the need for new countermeasures, including having AI help cybersecurity experts: "We have to think about how to make AI a defensive resource." One idea is for leading AI companies to share models with security researchers before release, so they can use them to find flaws and protect systems before general release. Another countermeasure, according to Song, is to rethink how software is built. Her lab has shown that it is possible to use AI to generate code that is more secure than what most programmers use today: "In the long term, we believe this secure-by-design approach will greatly help defenders."

The RunSybil team says that, in the short term, the coding skills of AI models could give hackers an advantage. "AI can generate actions on a computer and generate code, and those are two things hackers do. If those capabilities accelerate, that means offensive security actions will accelerate too," says Herbert-Voss.

Originally published in WIRED. Adapted by Alondra Flores. Image credits: Getty Images. Source: Wired



A flaw in millions of Bluetooth headphones leaves them exposed to hacking and spying

A flaw in the way 17 models of headphones and speakers use Google's one-tap Bluetooth quick-pairing protocol has left the devices exposed to eavesdroppers and stalkers.

Google designed the wireless protocol known as Fast Pair to streamline 'ultra-convenient' connections. It lets users connect their Bluetooth gadgets to Android and ChromeOS devices with a single tap. Now, a group of researchers has found that the same protocol also lets hackers connect just as conveniently to hundreds of millions of headphones and speakers. The result is a huge collection of Fast Pair-compatible audio devices that allow any eavesdropper or stalker to take control of speakers and microphones or, in some cases, track the location of an unwitting target, even if the victim is an iPhone user who has never owned a Google product.

Today, security researchers from the Computer Security and Industrial Cryptography group at KU Leuven in Belgium are disclosing a collection of vulnerabilities they found in 17 audio accessories that use Google's Fast Pair protocol and are sold by 10 different companies: Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech and Google itself.

The hacking techniques the researchers demonstrated, which they collectively call WhisperPair, would let anyone within Bluetooth range of those devices (about 15 meters in their tests) silently pair with the audio peripherals and hijack them. Depending on the accessory, a hacker could take over or interrupt audio streams or phone conversations, play their own audio through the victim's headphones or speakers at whatever volume they chose, or take control of the microphones undetectably to listen in on the victim's surroundings. Worse still, some devices sold by Google and Sony that are compatible with Google's device geolocation tracking feature, Find Hub, could also be exploited to enable stealthy, high-resolution stalking.

Hijacked headphones

"You're walking down the street with your headphones on, listening to music. In less than 15 seconds, we can hijack your device," explains Sayon Duttagupta, a researcher at KU Leuven. "Which means I can turn on the microphone and listen to the ambient sound. I can inject audio. I can track your location." "The attacker now owns this device," adds researcher Nikola Antonijević, "and can basically do whatever they want with it." The researchers demonstrate their hacking and tracking techniques in the following video (in English):

Google's response

Google today published a security advisory in coordination with the researchers, acknowledging their findings and describing its efforts to fix the problem. Since the researchers first disclosed their work to the company in August, Google appears to have alerted at least some of the vendors of vulnerable devices, many of which have made security updates available. However, given that very few consumers consider updating the software of Internet of Things devices such as headphones or speakers, the KU Leuven researchers warn that the WhisperPair vulnerabilities may persist in vulnerable accessories for months or years. In most cases, applying those updates requires installing a manufacturer's app on the phone or computer, a step most users never take and often don't even know is necessary.

"If you don't have the Sony app, you'll never know there's a software update for your Sony headphones," says Seppe Wyns, a KU Leuven researcher. "And then you'll remain vulnerable."

When WIRED contacted Google, a spokesperson responded in a statement thanking the researchers and confirming their findings about WhisperPair. "We have worked with the researchers to fix these vulnerabilities and have found no evidence that they have been exploited outside the laboratory environment in which this report was conducted," the spokesperson writes. "We are constantly evaluating and improving the security of Fast Pair and Find Hub."

Google also noted that it has released fixes for its own vulnerable audio accessories and a Find Hub update on Android that, according to the company, prevents rogue actors from using WhisperPair to track victims. However, a few hours after Google informed the researchers of the fix, they told WIRED they had found a way to bypass the patch and were still able to carry out their Find Hub tracking technique. Google did not immediately respond to WIRED's request for comment on how the researchers had circumvented the patch. As for Google's claim that it had not seen the WhisperPair vulnerability exploited in the wild, the researchers point out that Google would have no way of observing hijacks of audio accessories that did not involve Google devices.

What do the other brands say?

WIRED also contacted the other nine companies whose accessories the KU Leuven researchers determined to be vulnerable. Xiaomi responded in a statement that it "has been in communication with Google and other relevant parties and is working with suppliers to roll out [over-the-air] updates" for its Redmi headphone brand. JBL, which is owned by Harman Audio, said in a statement that "Google has warned JBL about potential security vulnerabilities that could affect devices such as headphones and speakers. We have received the security patches from Google and the software will be updated through the JBL apps in the coming weeks." Jabra responded in a statement that it had shipped patches for the Bluetooth vulnerabilities in the Airoha chipset it uses in its accessories in June and July. However, since the researchers did not inform anyone of their findings until August, they suggest Jabra may be confusing their work with unrelated findings from June. Logitech said it has "integrated a firmware patch for upcoming production units" and notes that



Two Windows vulnerabilities, one a 0-day, are under active exploitation

Two Windows vulnerabilities—one a zero-day that has been known to attackers since 2017 and the other a critical flaw that Microsoft initially tried and failed to patch recently—are under active exploitation in widespread attacks targeting a swath of the Internet, researchers say.

The zero-day went undiscovered until March, when security firm Trend Micro said it had been under active exploitation since 2017, by as many as 11 separate advanced persistent threats (APTs). These APT groups, often with ties to nation-states, relentlessly attack specific individuals or groups of interest. Trend Micro went on to say that the groups were exploiting the vulnerability, then tracked as ZDI-CAN-25373, to install various known post-exploitation payloads on infrastructure located in nearly 60 countries, with the US, Canada, Russia, and Korea being the most common.

A large-scale, coordinated operation

Seven months later, Microsoft still hasn’t patched the vulnerability, which stems from a bug in the Windows Shortcut binary format. The Windows component makes opening apps or accessing files easier and faster by allowing a single binary file to invoke them without having to navigate to their locations. In recent months, the ZDI-CAN-25373 tracking designation has been changed to CVE-2025-9491. On Thursday, security firm Arctic Wolf reported that it observed a China-aligned threat group, tracked as UNC-6384, exploiting CVE-2025-9491 in attacks against various European nations. The final payload is a widely used remote access trojan known as PlugX. To better conceal the malware, the exploit keeps the binary file RC4-encrypted until the final step in the attack.

“The breadth of targeting across multiple European nations within a condensed timeframe suggests either a large-scale coordinated intelligence collection operation or deployment of multiple parallel operational teams with shared tooling but independent targeting,” Arctic Wolf said. “The consistency in tradecraft across disparate targets indicates centralized tool development and operational security standards even if execution is distributed across multiple teams.”

With no patch available, Windows users are left with a limited number of options for fending off attacks. The most effective countermeasure is locking down .lnk functions by blocking or restricting the usage of .lnk files from untrusted origins. This can be done by setting Windows Explorer to disable the automatic resolution of such files. The severity rating for CVE-2025-9491 is 7 out of 10.

The other Windows vulnerability was patched last week, when Microsoft issued an unscheduled update. CVE-2025-59287 carries a severity rating of 9.8. It resides in Windows Server Update Services, which administrators use to install, patch, or delete apps on vast fleets of servers. Microsoft previously attempted to patch the potentially wormable remote code execution vulnerability, caused by a serialization flaw, a week earlier in its October Patch Tuesday release. Publicly released proof-of-concept code quickly proved that the attempted fix was incomplete.

Around the same time that Microsoft released its second fix, security firm Huntress said it had observed the WSUS flaw being exploited starting on October 23. Security firm Eye reported the same finding shortly after. Security firm Sophos said Wednesday that it has also observed CVE-2025-59287 being exploited “in multiple customer environments” since October 24. “The wave of activity, which spanned several hours and targeted internet-facing WSUS servers, impacted customers across a range of industries and did not appear to be targeted attacks,” Sophos said. “It is unclear if the threat actors behind this activity leveraged the public PoC or developed their own exploit.”

Administrators should investigate immediately if their devices are vulnerable to either of the ongoing attacks. There’s no indication when Microsoft will release a patch for CVE-2025-9491.

Image credits: Getty Images. Source: Arstechnica



Critics scoff after Microsoft warns AI feature can infect machines and pilfer data

Microsoft’s warning on Tuesday that an experimental AI agent integrated into Windows can infect devices and pilfer sensitive user data has set off a familiar response from security-minded critics: Why is Big Tech so intent on pushing new features before their dangerous behaviors can be fully understood and contained? As reported Tuesday, Microsoft introduced Copilot Actions, a new set of “experimental agentic features” that, when enabled, perform “everyday tasks like organizing files, scheduling meetings, or sending emails,” and provide “an active digital collaborator that can carry out complex tasks for you to enhance efficiency and productivity.”

Hallucinations and prompt injections apply

The fanfare, however, came with a significant caveat. Microsoft recommended users enable Copilot Actions only “if you understand the security implications outlined.” The admonition is based on known defects inherent in most large language models, including Copilot, as researchers have repeatedly demonstrated. One common defect of LLMs causes them to provide factually erroneous and illogical answers, sometimes even to the most basic questions. This propensity for hallucinations, as the behavior has come to be called, means users can’t trust the output of Copilot, Gemini, Claude, or any other AI assistant and instead must independently confirm it.

Another common LLM landmine is the prompt injection, a class of bug that allows hackers to plant malicious instructions in websites, resumes, and emails. LLMs are programmed to follow directions so eagerly that they are unable to discern those in valid user prompts from those contained in untrusted, third-party content created by attackers. As a result, the LLMs give the attackers the same deference as users. Both flaws can be exploited in attacks that exfiltrate sensitive data, run malicious code, and steal cryptocurrency. So far, these vulnerabilities have proved impossible for developers to prevent and, in many cases, can only be fixed using bug-specific workarounds developed once a vulnerability has been discovered.

That, in turn, led to this whopper of a disclosure in Microsoft’s post from Tuesday: “As these capabilities are introduced, AI models still face functional limitations in terms of how they behave and occasionally may hallucinate and produce unexpected outputs,” Microsoft said. “Additionally, agentic AI applications introduce novel security risks, such as cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation.” Microsoft indicated that only experienced users should enable Copilot Actions, which is currently available only in beta versions of Windows. The company, however, didn’t describe what type of training or experience such users should have or what actions they should take to prevent their devices from being compromised. I asked Microsoft to provide these details, and the company declined.

Like “macros on Marvel superhero crack”

Some security experts questioned the value of the warnings in Tuesday’s post, comparing them to warnings Microsoft has provided for decades about the danger of using macros in Office apps. Despite the long-standing advice, macros have remained among the lowest-hanging fruit for hackers out to surreptitiously install malware on Windows machines. One reason for this is that Microsoft has made macros so central to productivity that many users can’t do without them. “Microsoft saying ‘don’t enable macros, they’re dangerous’… has never worked well,” independent researcher Kevin Beaumont said. “This is macros on Marvel superhero crack.”

Beaumont, who is regularly hired to respond to major Windows network compromises inside enterprises, also questioned whether Microsoft will provide a means for admins to adequately restrict Copilot Actions on end-user machines or to identify machines in a network that have the feature turned on. A Microsoft spokesperson said IT admins will be able to enable or disable an agent workspace at both account and device levels, using Intune or other MDM (Mobile Device Management) apps. Critics voiced other concerns, including the difficulty for even experienced users to detect exploitation attacks targeting the AI agents they’re using. “I don’t see how users are going to prevent anything of the sort they are referring to, beyond not surfing the web I guess,” researcher Guillaume Rossolini said.

Microsoft has stressed that Copilot Actions is an experimental feature that’s turned off by default. That design was likely chosen to limit its access to users with the experience required to understand its risks. Critics, however, noted that previous experimental features—Copilot, for instance—regularly become default capabilities for all users over time. Once that’s done, users who don’t trust the feature are often required to invest time developing unsupported ways to remove the features.

Sound but lofty goals

Most of Tuesday’s post focused on Microsoft’s overall strategy for securing agentic features in Windows. Goals for such features include:

The goals are sound, but ultimately they depend on users reading the dialog windows that warn of the risks and require careful approval before proceeding. That, in turn, diminishes the value of the protection for many users. “The usual caveat applies to such mechanisms that rely on users clicking through a permission prompt,” Earlence Fernandes, a University of California, San Diego professor specializing in AI security, told Ars.
“Sometimes those users don’t fully understand what is going on, or they might just get habituated and click ‘yes’ all the time. At which point, the security boundary is not really a boundary.” As demonstrated by the rash of “ClickFix” attacks, many users can be tricked into following extremely dangerous instructions. While more experienced users (including a fair number of Ars commenters) blame the victims falling for such scams, these incidents are inevitable for a host of reasons. In some cases, even careful users are fatigued or under emotional distress and slip up as a result. Other users simply lack the knowledge to make informed decisions. Microsoft’s warning, one critic said, amounts to little more than a CYA (short for cover your ass), a legal maneuver that attempts to shield a party from liability. “Microsoft (like the rest of the industry) has no idea how to stop prompt injection or hallucinations, which makes it fundamentally unfit for almost anything serious,” critic Reed Mideke said. “The solution? Shift liability



This hacker conference installed a literal antivirus monitoring system

Hacker conferences—like all conventions—are notorious for giving attendees a parting gift of mystery illness. To combat “con crud,” New Zealand’s premier hacker conference, Kawaiicon, quietly launched a real-time, room-by-room carbon dioxide monitoring system for attendees. To get the system up and running, event organizers installed DIY CO2 monitors throughout the Michael Fowler Centre venue before conference doors opened on November 6. Attendees were able to check a public online dashboard for clean air readings for session rooms, kids’ areas, the front desk, and more, all before even showing up. “It’s ALMOST like we are all nerds in a risk-based industry,” the organizers wrote on the convention’s website. “What they did is fantastic,” Jeff Moss, founder of the Defcon and Black Hat security conferences, told WIRED. “CO2 is being used as an approximation for so many things, but there are no easy, inexpensive network monitoring solutions available. Kawaiicon building something to do this is the true spirit of hacking.” Elevated levels of CO2 lead to reduced cognitive ability and facilitate transmission of airborne viruses, which can linger in poorly ventilated spaces for hours. The more CO2 in the air, the more virus-friendly the air becomes, making CO2 data a handy proxy for tracing pathogens. In fact, the Australian Academy of Science described the pollution in indoor air as “someone else’s breath backwash.” Kawaiicon organizers faced running a large infosec event during a measles outbreak, as well as constantly rolling waves of COVID-19, influenza, and RSV. It’s a familiar pain point for conference organizers frustrated by massive gaps in public health—and lack of control over their venue’s clean air standards. “In general, the Michael Fowler venue has a single HVAC system, and uses Farr 30/30 filters with a rating of MERV-8,” Kawaiicon organizers explained, referencing the filtration choices in the space where the convention was held. 
MERV-8 is a budget-friendly choice, standard practice for homes. “The hardest part of the whole process is being limited by what the venue offers,” they explained. “The venue is older, which means less tech to control air flow, and an older HVAC system.”

Kawaiicon’s work began one month before the conference. In early October, organizers deployed a small fleet of 13 RGB Matrix Portal Room CO2 Monitors, an ambient carbon dioxide monitor DIY project adapted from US electronics and kit company Adafruit Industries. The monitors were connected to an Internet-accessible dashboard with live readings, daily highs and lows, and data history that showed attendees in-room CO2 trends. Kawaiicon tested its CO2 monitors in collaboration with researchers from the University of Otago’s public health department.

“That’s awesome,” says Adafruit founder and engineer Limor “Ladyada” Fried about the conference’s adaptation of the Matrix Portal project. “The best part is seeing folks pick up new skills and really understand how we measure and monitor air quality in the real world (like at a con during a measles flare-up)! Hackers and makers are able to be self-reliant when it comes to their public-health information needs.” (For the full specs of the Kawaiicon build, you can check out the GitHub repository here.)

The Michael Fowler Centre is a spectacular blend of Scandinavian brutalism and interior woodwork designed to enhance sound and air, including two grand pou—carved Māori totems—next to the main entrance that rise through to the upper foyers. Its cathedral-like acoustics posed a challenge to Kawaiicon’s air-hacking crew, which they solved by placing the RGB monitors in stereo. There were two on each level of the Main Auditorium (four total), two in the Renouf session space on level 1, plus monitors in the daycare and Kuracon (kids’ hacker conference) areas. To top it off, monitors were placed in the Quiet Room, at the Registration Desk, and in the Green Room.

“The things we had to consider were typical health and safety, and effective placement (breathing height, multiple monitors for multiple spaces, not near windows/doors),” a Kawaiicon spokesperson who goes by Sput online told WIRED over email. “To be honest, it is no different than having to consider other accessibility options (e.g., access to venue, access to talks, access to private space for personal needs),” Sput wrote. “Being a tech-leaning community it is easier for us to get this set up ourselves, or with volunteer help, but definitely not out of reach given how accessible the CO2 monitor tech is.”

Kawaiicon’s attendees could quickly check the conditions before they arrived and decide how to protect themselves accordingly. At the event, WIRED observed attendees checking CO2 levels on their phones, masking and unmasking in different conference areas, and watching a display of all room readings on a dashboard at the registration desk. In each conference session room, small wall-mounted monitors displayed stoplight colors showing immediate conditions: green for safe, orange for risky, and red to show the room had high CO2 levels, the top level for risk.

“Everyone who occupies the con space we operate has a different risk and threat model, and we want everyone to feel they can experience the con in a way that fits their model,” the organizers wrote on their website. “Considering Covid-19 is still in the community, we wanted to make sure that everyone had all the information they needed to make their own risk assessment on ‘if’ and ‘how’ they attended the con. So this is our threat model and all the controls and zones we have in place.”

Colorful custom-made Kawaiicon posters by New Zealand artist Pepper Raccoon placed throughout the Michael Fowler Centre displayed a QR code, making the CO2 dashboard a tap away, no matter where attendees were at the conference. “We think this is important so folks don’t put themselves at risk having to go directly up to a monitor to see a reading,” Kawaiicon spokesperson Sput told WIRED. “It also helps folks find a space that they can move to if the reading in their space gets too high.”

It’s a DIY solution any conference can put in place: resources, parts lists, and assembly guides are here. Kawaiicon’s organizers aren’t keen to pretend there were no risks to gathering in groups during ongoing outbreaks. “Masks are encouraged, but not required,” Kawaiicon’s Health and Safety page stated. “Free masks will be available at the con if you need

This hacker conference installed a literal antivirus monitoring system Read more »


Microsoft will finally kill obsolete cipher that has wreaked decades of havoc

Microsoft is killing off an obsolete and vulnerable encryption cipher that Windows has supported by default for 26 years, following more than a decade of devastating hacks that exploited it and, more recently, blistering criticism from a prominent US senator. When the software maker rolled out Active Directory in 2000, it made RC4 the sole means of securing the Windows component, which administrators use to configure and provision fellow administrator and user accounts inside large organizations.

RC4, short for Rivest Cipher 4, is a nod to mathematician and cryptographer Ron Rivest of RSA Security, who developed the stream cipher in 1987. Within days of the trade-secret-protected algorithm being leaked in 1994, a researcher demonstrated a cryptographic attack that significantly weakened the security it had been believed to provide. Despite the known susceptibility, RC4 remained a staple in encryption protocols, including SSL and its successor TLS, until about a decade ago.

Out with the old

One of the most visible holdouts in supporting RC4 has been Microsoft. Eventually, Microsoft upgraded Active Directory to support the much more secure AES encryption standard. But by default, Windows servers have continued to respond to RC4-based authentication requests and return an RC4-based response. The RC4 fallback has been a favorite weakness hackers have exploited to compromise enterprise networks. Use of RC4 played a key role in last year’s breach of health giant Ascension. The breach caused life-threatening disruptions at 140 hospitals and put the medical records of 5.6 million patients into the hands of the attackers. US Senator Ron Wyden (D-Ore.) in September called on the Federal Trade Commission to investigate Microsoft for “gross cybersecurity negligence,” citing the continued default support for RC4.

Last week, Microsoft said it was finally deprecating RC4 and cited its susceptibility to Kerberoasting, the form of attack, known since 2014, that was the root cause of the initial intrusion into Ascension’s network. “By mid-2026, we will be updating domain controller defaults for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption,” Matthew Palko, a Microsoft principal program manager, wrote. “RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it.”

AES-SHA1, an algorithm widely believed to be secure, has been available in all supported Windows versions since the rollout of Windows Server 2008. Since then, Windows clients have by default authenticated using the much more secure standard, and servers have responded using the same. But Windows servers, also by default, respond to RC4-based authentication requests and return an RC4-based response, leaving networks open to Kerberoasting. Following next year’s change, RC4 authentication will no longer function unless administrators perform the extra work to allow it.

In the meantime, Palko said, it’s crucial that admins identify any systems inside their networks that rely on the cipher. Despite the known vulnerabilities, RC4 remains the sole means some third-party legacy systems have for authenticating to Windows networks. These systems can often go overlooked even though they are required for crucial functions. To streamline the identification of such systems, Microsoft is making several tools available. One is an update to KDC logs that will track both the requests and the responses that systems make using RC4 when authenticating through Kerberos. Kerberos is an industry-wide authentication protocol for verifying the identities of users and services over a non-secure network. It’s the sole means for mutual authentication to Active Directory, which hackers attacking Windows networks widely consider a Holy Grail because of the control they gain once it has been compromised. Microsoft is also introducing new PowerShell scripts to sift through security event logs to more easily pinpoint problematic RC4 usage.

Microsoft said it has steadily worked over the past decade to deprecate RC4, but that the task wasn’t easy.

No salt, no iteration? Really?

“The problem though is that it’s hard to kill off a cryptographic algorithm that is present in every OS that’s shipped for the last 25 years and was the default algorithm for so long,” Steve Syfuhs, who runs Microsoft’s Windows Authentication team, wrote on Bluesky. “See,” he continued, “the problem is not that the algorithm exists. The problem is how the algorithm is chosen, and the rules governing that spanned 20 years of code changes.”

Over those two decades, developers discovered a raft of critical RC4 vulnerabilities that required “surgical” fixes. Microsoft considered deprecating RC4 by this year, but ultimately “punted” after discovering vulnerabilities that required still more fixes. During that time Microsoft introduced some “minor improvements” that favored the use of AES, and as a result, usage dropped by “orders of magnitude.” “Within a year we had observed RC4 usage drop to basically nil. This is not a bad thing and in fact gave us a lot more flexibility to kill it outright because we knew it genuinely wasn’t going to break folks, because folks weren’t using it.” Syfuhs went on to document additional challenges Microsoft encountered and the approach it took to solving them.

While RC4 has known cipher weaknesses that make it insecure, Kerberoasting exploits a separate weakness. As implemented in Active Directory authentication, RC4 uses no cryptographic salt and a single round of the MD4 hashing function. Salt is a technique that adds random input to each password before it is hashed; it forces attackers to invest considerably more time and resources into cracking each hash. MD4, meanwhile, is a fast algorithm that requires modest resources. Microsoft’s implementation of AES-SHA1 is much slower and iterates the hash to further slow down cracking efforts. Taken together, AES-SHA1-hashed passwords require about 1,000 times the time and resources to be cracked.

Windows admins would do well to audit their networks for any usage of RC4. Given its wide adoption and continued use industry-wide, it may still be active, much to the surprise and chagrin of those charged with defending against hackers.

Image Credits: Getty Images. Source: Arstechnica
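The article says Microsoft's new KDC logging and PowerShell scripts exist to find the accounts and services still negotiating RC4 before the default flips. The script below is an added example of that audit, not Microsoft's tooling. It relies on two things that are real: the Kerberos encryption-type numbers assigned in RFC 3961 and RFC 4757 (23 = RC4-HMAC, 17 = AES128-CTS-HMAC-SHA1-96, 18 = AES256-CTS-HMAC-SHA1-96) and the "Ticket Encryption Type" field that Security Event IDs 4768 (TGT request) and 4769 (service ticket request) carry. The key=value record layout and every event in SAMPLE_EVENTS are constructed sample data.

```python
"""Triage Windows Security events for Kerberos tickets issued with RC4.

Added example, not Microsoft's KDC logging update or PowerShell scripts.
Real: etype numbers from RFC 3961 / RFC 4757 and the Ticket Encryption
Type field of Event IDs 4768 and 4769. Constructed: the key=value layout
and every sample event below.
"""
import re
from collections import Counter, defaultdict

# Kerberos etype numbers (RFC 3961 / RFC 4757). Anything outside the AES
# family is treated as weak for the purposes of this audit.
ETYPE_NAMES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}

# Constructed sample events (not real logs), abbreviated to the fields
# this audit needs. The 4624 logon event is there to show non-Kerberos
# records being skipped.
SAMPLE_EVENTS = [
    "EventID=4769 AccountName=alice@CORP.EXAMPLE ServiceName=sql-svc TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.5",
    "EventID=4769 AccountName=bob@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.6",
    "EventID=4768 AccountName=legacy-scanner@CORP.EXAMPLE ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.7",
    "EventID=4769 AccountName=carol@CORP.EXAMPLE ServiceName=sql-svc TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.8",
    "EventID=4769 AccountName=dave@CORP.EXAMPLE ServiceName=web-svc TicketEncryptionType=0x11 IpAddress=::ffff:10.0.0.9",
    "EventID=4624 AccountName=erin@CORP.EXAMPLE LogonType=3 IpAddress=::ffff:10.0.0.10",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict; numeric fields are decoded."""
    ev = dict(FIELD_RE.findall(line))
    ev["EventID"] = int(ev["EventID"])
    if "TicketEncryptionType" in ev:
        ev["TicketEncryptionType"] = int(ev["TicketEncryptionType"], 16)
    return ev


def etype_summary(lines):
    """Count ticket encryption types across all 4768/4769 events.

    Re-running this after each remediation step is how you watch RC4 usage
    trend toward zero before the KDC default is flipped.
    """
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] in (4768, 4769):
            et = ev["TicketEncryptionType"]
            counts[ETYPE_NAMES.get(et, hex(et))] += 1
    return counts


def find_weak_kerberos_usage(lines):
    """Map each principal still keyed with a weak etype to the accounts that used it.

    For 4769 the principal is the service account: an RC4 service ticket is
    protected by that account's unsalted, single-pass key, which is what
    Kerberoasting cracks offline. For 4768 it is the requesting account,
    whose TGT came back RC4-protected.
    """
    findings = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev["EventID"] not in (4768, 4769):
            continue
        et = ev["TicketEncryptionType"]
        if et not in WEAK_ETYPES:
            continue
        principal = ev["ServiceName"] if ev["EventID"] == 4769 else ev["AccountName"]
        findings[(principal, ETYPE_NAMES.get(et, hex(et)))].add(ev["AccountName"])
    return {key: sorted(users) for key, users in findings.items()}


if __name__ == "__main__":
    print("etype counts:", dict(etype_summary(SAMPLE_EVENTS)))
    for (principal, etype), users in find_weak_kerberos_usage(SAMPLE_EVENTS).items():
        print(f"{principal}: {etype} used by {', '.join(users)}")
```

On the sample data the audit flags the sql-svc service account (two clients were issued RC4 service tickets for it) and the legacy-scanner account (its own TGT was RC4-protected); those are the principals to re-key with AES or explicitly exempt before the mid-2026 default change. Against a real domain, feed it the 4768/4769 records exported from the domain controllers rather than the constructed list.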

Microsoft will finally kill obsolete cipher that has wreaked decades of havoc Read more »


Many Bluetooth devices with Google Fast Pair vulnerable to “WhisperPair” hack

Pairing Bluetooth devices can be a pain, but Google Fast Pair makes it almost seamless. Unfortunately, it may also leave your headphones vulnerable to remote hacking. A team of security researchers from Belgium’s KU Leuven University has revealed a vulnerability dubbed WhisperPair that allows an attacker to hijack Fast Pair-enabled devices to spy on the owner. Fast Pair is widely used, and your device may be vulnerable even if you’ve never used a Google product.

The bug affects more than a dozen devices from 10 manufacturers, including Sony, Nothing, JBL, OnePlus, and Google itself. Google has acknowledged the flaw and notified its partners of the danger, but it’s up to these individual companies to create patches for their accessories. A full list of vulnerable devices is available on the project’s website.

The researchers say that it takes only a moment to gain control of a vulnerable Fast Pair device (a median of just 10 seconds) at ranges up to 14 meters. That’s near the limit of the Bluetooth protocol and far enough that the target wouldn’t notice anyone skulking around while they hack headphones.

Once an attacker has forced a connection to a vulnerable audio device, they can perform relatively innocuous actions, such as interrupting the audio stream or playing audio of their choice. However, WhisperPair also allows for location tracking and microphone access. So the attacker can listen in on your conversations and follow you around via the Bluetooth device in your pocket. The researchers have created a helpful video dramatization (below) that shows how WhisperPair can be used to spy on unsuspecting people.

The flaw arises from an incomplete implementation of the Fast Pair standard. Bluetooth devices that get a Fast Pair connection request are supposed to accept only when in pairing mode. However, the researchers say that many devices fail this check and will pair regardless. WhisperPair forces the connection through via the regular Bluetooth pairing process.

Hoping for an update

When vulnerabilities are found in phone or computer software, it’s a relatively simple matter to get patches rolled out, as most devices now support automatic updates for critical issues. Accessories aren’t quite the same, though. Many people never install accessory apps on their devices, so they never move beyond the original firmware. WhisperPair is even more problematic because you cannot disable Fast Pair functionality on supported devices. The only thing you can do is install the companion app and wait for an update.

Google says it pushed a phone update to partially protect devices, but the researchers tell Wired that it was a simple matter to find a workaround for that patch. Google says it has since issued a full patch for the Pixel Buds Pro 2. It may take weeks or months for all the affected devices to be fully fixed, particularly when there’s so much confusion about what needs to be fixed.

Google has said it is not aware of WhisperPair being leveraged in the wild. However, the risk of that goes up now that it’s public. If you’re worried someone has used this flaw to gain access to your headphones, all you can do is factory reset them, forcing the attacker to redo the hack. It’s also smart to keep the official app installed so you can get firmware updates as soon as they’re available.

Updated 1/16/26 with additional details from Google.

Image Credits: Ryan Whitwam. Source: Arstechnica
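The root cause the article describes is a single missing state check: the accessory must accept a key-based pairing request only while it is in pairing mode. The model below is an added example written for this page, not code from KU Leuven, Google, or any affected vendor. The Provider class, the request handler name, the pairing-window length and the fake clock are all assumptions made for illustration; it shows the gate the standard expects beside the lax behaviour that skips it.

```python
"""Pairing-mode gate for a Fast Pair style accessory (added example).

Constructed illustration, not vendor firmware. Models the one check the
article says many devices omit: a key-based pairing request is honoured
only while the accessory is in pairing mode. Window length, class and
method names are assumptions.
"""
import time

PAIRING_WINDOW_SECONDS = 60.0  # assumed: how long a button press keeps pairing open


class Provider:
    """An accessory ("provider" in Fast Pair terms) that receives pairing requests."""

    def __init__(self, clock=time.monotonic, enforce_pairing_mode=True):
        self._clock = clock
        self._pairing_until = None          # deadline on the clock; None when closed
        self.enforce_pairing_mode = enforce_pairing_mode
        self.bonded_seekers = []            # phones ("seekers") we have accepted

    def press_pairing_button(self):
        """The owner's physical action that opens a short pairing window."""
        self._pairing_until = self._clock() + PAIRING_WINDOW_SECONDS

    def in_pairing_mode(self):
        return self._pairing_until is not None and self._clock() < self._pairing_until

    def handle_key_based_pairing_request(self, seeker_id):
        """Process one over-the-air pairing request; returns (accepted, reason).

        enforce_pairing_mode=True is the behaviour the standard expects.
        enforce_pairing_mode=False reproduces the incomplete implementations
        the article describes: any nearby seeker is bonded whenever it asks,
        with no owner action required.
        """
        if self.enforce_pairing_mode and not self.in_pairing_mode():
            return False, "rejected: not in pairing mode"
        self.bonded_seekers.append(seeker_id)
        self._pairing_until = None  # one bond per window; a fresh press is needed
        return True, "accepted"


def demo():
    """Walk a fake clock through the cases; returns the list of accept/reject outcomes."""
    now = [0.0]
    strict = Provider(clock=lambda: now[0])
    outcomes = []
    outcomes.append(strict.handle_key_based_pairing_request("phone-A")[0])  # no press: rejected
    strict.press_pairing_button()
    outcomes.append(strict.handle_key_based_pairing_request("phone-A")[0])  # inside window: accepted
    outcomes.append(strict.handle_key_based_pairing_request("phone-B")[0])  # window consumed: rejected
    strict.press_pairing_button()
    now[0] += PAIRING_WINDOW_SECONDS + 1
    outcomes.append(strict.handle_key_based_pairing_request("phone-B")[0])  # window expired: rejected
    lax = Provider(clock=lambda: now[0], enforce_pairing_mode=False)
    outcomes.append(lax.handle_key_based_pairing_request("phone-B")[0])     # check missing: accepted
    return outcomes


if __name__ == "__main__":
    print(demo())  # [False, True, False, False, True]
```

The last outcome is the whole bug in one line: with the gate missing, the accessory bonds to a seeker it has never seen, long after its owner last pressed anything. It also shows why the fix has to live in accessory firmware rather than on the phone, which is why the article's phone-side mitigation could be worked around.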

Many Bluetooth devices with Google Fast Pair vulnerable to “WhisperPair” hack Read more »


Why I’m withholding certainty that “precise” US cyber-op disrupted Venezuelan electricity

The New York Times has published new details about a purported cyberattack that unnamed US officials claim plunged parts of Venezuela into darkness in the lead-up to the capture of the country’s president, Nicolás Maduro. Key among the new details is that the cyber operation was able to turn off electricity for most residents in the capital city of Caracas for only a few minutes, though in some neighborhoods close to the military base where Maduro was seized, the outage lasted for three days. The cyber-op also targeted Venezuelan military radar defenses. The paper said the US Cyber Command was involved.

Got more details?

“Turning off the power in Caracas and interfering with radar allowed US military helicopters to move into the country undetected on their mission to capture Nicolás Maduro, the Venezuelan president who has now been brought to the United States to face drug charges,” the NYT reported.

The NYT provided few additional details. Left out were the methods purportedly used. When Russia took out electricity in December 2015, for instance, it used general-purpose malware known as BlackEnergy to first penetrate the corporate networks of the targeted power companies and then further encroach into the supervisory control and data acquisition systems the companies used to generate and transmit electricity. The Russian attackers then used legitimate power distribution functionality to trigger the failure, which took out power to more than 225,000 people for more than six hours, when grid workers restored it.

In a second attack almost exactly a year later, Russia used a much more sophisticated piece of malware to take out key parts of the Ukrainian power grid. Named Industroyer and alternatively Crash Override, it’s the first known malware framework designed to attack electric grid systems directly. As I reported in 2017:

What makes Crash Override so sophisticated is its ability to use the same arcane technical protocols that individual electric grid systems rely on to communicate with one another. As such, the malware is more notable for its mastery of the industrial processes used by global grid operators than its robust code. Its fluency in the low-level grid languages allowed it to instruct Ukrainian devices to de-energize and re-energize substation lines, a capability not seen in the attack a year earlier that used a much cruder set of tools and techniques. The concern is that “Industroyer”—the other name given to the malware—can be used against a broad range of electric systems around the world.

Besides the lack of details of the purported hack of Venezuela’s power infrastructure, electricity experts have said that the country’s grid has been in disrepair for years. It’s feasible, they say, that power went out due to inadequate maintenance and investment. Another reason for skepticism is that Venezuela’s government said US missiles were at least partially to blame. An unconfirmed video circulating on social media also purports to show a bombed-out substation.

Whether through kinetic or cyber attacks, military strikes on power grids have been controversial because the collateral damage they cause can take out hospitals and other infrastructure that’s crucial to civilians’ survival. The NYT said the strike on Venezuela’s power infrastructure “demonstrated [the] precision” of US cyber capabilities and showed the US “could use cyberweapons with powerful and precise effects.” If the attacks were indeed the result of cyber intrusions, there will likely be ample forensic evidence for independent experts in power grid security to confirm. Until then, there’s reason to withhold final judgment.

Image Credits: Getty Images. Source: Arstechnica

Why I’m withholding certainty that “precise” US cyber-op disrupted Venezuelan electricity Read more »


Hacks, thefts, and disruption: The worst data breaches of 2025

Every year, TechCrunch looks back at the cybersecurity horror shows of the past 12 months — from the biggest data breaches to hacks resulting in weeks of disruption — to see what we can learn. This year, the data breaches were like nothing we’ve seen before. Here’s our look back at some of the biggest security incidents of 2025, starting with:

The U.S. federal government was breached, several times over

The U.S. government remained one of the biggest targets in cyberspace. The year started with a brazen cyberattack by Chinese hackers on the U.S. Treasury, followed by the breaching of several federal agencies, including the agency tasked with safeguarding U.S. nuclear weapons, thanks to a SharePoint security flaw. All the while, Russian hackers were stealing sealed records from the U.S. Courts’ filing system, sending alarm bells ringing across the federal judiciary.

But nothing quite came as close as DOGE ripping through federal government departments and databases in what became the biggest raid of U.S. government data in its history. The Trump administration’s Department of Government Efficiency, or DOGE as it was widely known, led by Elon Musk and his band of private sector lackeys, violated federal protocols and defied common security practices. They ransacked federal databases of citizens’ data, despite warnings of the national security risks and conflicts of interest over Musk’s overseas business dealings. Legal experts say that DOGE staffers are “personally liable” under U.S. hacking laws, though a court would also have to agree. Musk’s subsequent, very public falling out with President Trump saw the billionaire leave DOGE, and left staffers fearing that they could face federal charges without his protection.

Hackers are extorting dozens of companies whose Oracle E-Business servers were breached

In late September, senior executives at American corporate giants began receiving threatening emails from a prolific ransomware and extortion group called Clop. The emails included an attached copy of their personal information — and a ransom demand for several million dollars not to publish it. Months earlier, the Clop gang had quietly exploited a never-before-seen vulnerability in Oracle’s E-Business software, a suite of applications used for hosting a company’s core business information, such as financial and human resources records, supply chain data, and customer databases. The vulnerability allowed Clop to steal reams of sensitive employee data, including data belonging to executives, from dozens of organizations that rely on Oracle’s software. Oracle had no idea until it was caught out in October as it was scrambling to patch the vulnerability. It was too late, though: The hackers had already stolen gobs of data from universities, hospitals and health systems, media organizations, and more.

This was Clop’s most recent mass-hacking campaign. The group had previously exploited flaws in enterprise file-transfer services, such as GoAnywhere, MOVEit, and Cleo Software, which tech giants use to share large amounts of information over the internet.

Hacker collective steals at least 1 billion records from Salesforce databases

Salesforce customers had a rough year after two separate data breaches at downstream tech companies allowed hackers to steal a billion records of customer data stored in Salesforce’s cloud. Hackers targeted at least two companies, Salesloft and Gainsight, both of which allow their customers to handle and analyze the data that they store in Salesforce. By breaching these companies directly, the hackers gained access to all of the data through their customer connections to Salesforce. Some of the largest tech giants had data stolen in the breaches, including Bugcrowd, Cloudflare, Google, Proofpoint, Docusign, GitLab, LinkedIn, SonicWall, and Verizon.

A hacking collective known as Scattered Lapsus$ Hunters, made up of members from different hacking groups, including ShinyHunters, published a data leak site advertising the stolen records in exchange for a ransom paid by the victims. New victims are still rolling in.

Hackers ransack the U.K. retail sector, and disrupt operations at Jaguar Land Rover, denting the economy

Hackers tore through the U.K. retail sector earlier this year, stealing data from Marks & Spencer and at least 6.5 million customer records from the Co-op. The back-to-back hacks sparked outages and disruption across the retailers’ networks, and some grocery shelves went empty as the systems used to support the retailers were knocked out. Luxury store Harrods was also later hacked.

But a major cyberattack targeting Jaguar Land Rover, one of the country’s biggest employers, left a dent in the U.K. economy. A September hack and data breach saw JLR’s car plant stall production for months as the company worked to get its systems back up and running. The fallout affected JLR’s suppliers across the U.K., some of whom went out of business altogether. The U.K. government ended up guaranteeing a bailout to the tune of £1.5 billion to ensure Jaguar Land Rover employees and suppliers got paid during the shutdown. U.K. security experts said the breach was the most economically damaging cyberattack to hit the United Kingdom in history, showing that disruption may be more valuable for financially motivated hackers than stolen data.

South Korea sees months of hacks and data breaches

South Korea experienced a major data breach every month this year, and the personal data of millions of its citizens was compromised thanks to security lapses and shoddy data practices at the country’s biggest tech and phone providers. The country’s largest phone company, SK Telecom, was hacked and 23 million customer records were exposed; several cyberattacks were attributed to its hostile North Korean neighbor; and a massive data center fire wiped out years of Korean government data that wasn’t backed up.

But the cherry on the data breach cake was the months-long theft of some 33 million customers’ personal information from Coupang, the country’s retail giant that some call Asia’s Amazon. The data theft began in June, but wasn’t detected until November, and ultimately led to the company’s chief executive resigning.

Image Credits: John Webb / Getty Images. Source: Techcrunch

Hacks, thefts, and disruption: The worst data breaches of 2025 Read more »
