Security

Intel and AMD Trusted Enclaves, a Foundation For Network Security, Fall To Physical Attacks (arstechnica.com) 96

Researchers have unveiled two new hardware-based attacks, Battering RAM and Wiretap, that break Intel SGX and AMD SEV-SNP trusted enclaves by exploiting deterministic encryption and physical interposers. Ars Technica reports: In the age of cloud computing, protections baked into chips from Intel, AMD, and others are essential for ensuring confidential data and sensitive operations can't be viewed or manipulated by attackers who manage to compromise servers running inside a data center. In many cases, these protections -- which work by storing certain data and processes inside encrypted enclaves known as TEEs (Trusted Execution Enclaves) -- are essential for safeguarding secrets stored in the cloud by the likes of Signal Messenger and WhatsApp. All major cloud providers recommend that customers use it. Intel calls its protection SGX, and AMD has named it SEV-SNP.

Over the years, researchers have repeatedly broken the security and privacy promises that Intel and AMD have made about their respective protections. On Tuesday, researchers independently published two papers laying out separate attacks that further demonstrate the limitations of SGX and SEV-SNP. One attack, dubbed Battering RAM, defeats both protections and allows attackers to not only view encrypted data but also to actively manipulate it to introduce software backdoors or to corrupt data. A separate attack known as Wiretap is able to passively decrypt sensitive data protected by SGX and remain invisible at all times.

The Almighty Buck

Venmo and PayPal Users Will Finally Be Able To Send Money To Each Other (techcrunch.com) 17

Starting in November, Venmo and PayPal users will finally be able to send money directly to each other, ending years of workarounds despite Venmo being owned by PayPal. TechCrunch reports: This change means that PayPal users will now be able to find Venmo users by inputting their phone numbers, and later, their email addresses. If you don't want PayPal users to be able to find you, you can update your settings in the Venmo app by navigating to Settings > Privacy > Find me... and while you're at it, you might as well default your Venmo transactions to private via Settings > Privacy. You'll thank me in the long run.

PayPal announced that it would broaden its network of payment systems in July, starting with Venmo, but the companies did not confirm the date of the update until now. This collection of partnerships, which PayPal has named PayPal World, will also work with Mercado Pago, NPCI International Payments Limited, and Tenpay Global. This will help users send money internationally without barriers and fees. Combined, Venmo and PayPal have 2 billion global users, according to PayPal.

The Almighty Buck

Swift To Build a Global Financial Blockchain (reuters.com) 33

Camembert writes: In a move that is sure to make Ripple nervous, traditional financial network Swift announced yesterday that it is partnering with Consensys and more than 30 global banks to build a blockchain-based network that will run in parallel with its traditional network. Interestingly, unlike XRP, there is no native coin, rather it aims for interoperability (probably using Chainlink with whom the company did case studies for a few years already). There is also a strong focus on regulatory compliance. There are several news articles and opinion pieces on this event; I linked the Reuters article.

United States

Landlords Are Demanding Tenants' Workplace Login Details To Verify Their Income (404media.co) 225

An anonymous reader writes: Landlords are using a service that logs into a potential renter's employer systems and scrapes their paystubs and other information en masse, potentially in violation of U.S. hacking laws, according to screenshots of the tool shared with 404 Media.

The screenshots highlight the intrusive methods some landlords use when screening potential tenants, taking information they may not need, or legally be entitled to, to assess a renter.

"This is a statewide consumer-finance abuse that forces renters to surrender payroll and bank logins or face homelessness," one renter who was forced to use the tool and who saw it taking more data than was necessary for their apartment application told 404 Media. 404 Media granted the person anonymity to protect them from retaliation from their landlord or the services used.

[...] "Argyle hijacked my live Workday session, stayed hidden from view, and downloaded every pay stub plus all W-4s back to 2024, each PDF seconds apart," they said. "Workday audit logs show dozens of 'Print' events from two IPs from a MAC which I do not use," they added, referring to a MAC address, a unique identifier assigned to each device on a network.

Power

California Now Has 68% More EV Chargers Than Gas Nozzles, Continues Green Energy Push (electrek.co) 278

Six months ago California had 48% more public and "shared" private EV chargers than gasoline nozzles. (In March California had 178,000 public and shared private EV chargers, versus about 120,000 gas nozzles.)

Since then they've added 23,000 more public/shared charging ports — and announced this week that there are now 68% more EV charger ports than gasoline nozzles statewide. "Thanks to the state's ever-expanding charger network, 94% of Californians live within 10 minutes of an EV charger," according to the announcement from the state's energy policy agency. And the California Energy Commission staff told CleanTechnica they expect more chargers in the future. "We are watching increased private investment by consortiums like IONNA and OEMs like Rivian, Ford, and others that are actively installing EV charging stations throughout the state."

CleanTechnica notes that in 2019 the state had roughly 42,000 charging ports, and now there are a little over 200,000. (And today there are about 800,000 home EV chargers.)

This week California announced another milestone: that in 2024 nearly 23% of all the state's new truck sales — that's trucks, buses, and vans — were zero-emission vehicles. (The state subsidizes electric trucks — $200 million was requested on the program's first day.) Greenhouse gas emissions in California are down 20% since 2000 — even as the state's GDP increased 78% in that same time period all while becoming the world's fourth largest economy.

The state also continues to set clean energy records. California was powered by two-thirds clean energy in 2023, the latest year for which data is available — the largest economy in the world to achieve this level of clean energy. The state has run on 100% clean electricity for some part of the day almost every day this year.

"Last year, California ran on 100% clean electricity for the equivalent of 51 days," notes another announcement, which points out California has 15,763 MW of battery storage capacity — roughly a third of the amount projected to be needed by 2045.

Security

Escalation in Akira Campaign Targeting SonicWall VPNs, Deploying Ransomware, With Malicious Logins (arcticwolf.com) 6

Friday the security researchers at Arctic Wolf Labs wrote: In late July 2025, Arctic Wolf Labs began observing a surge of intrusions involving suspicious SonicWall SSL VPN activity. Malicious logins were followed within minutes by port scanning, Impacket SMB activity, and rapid deployment of Akira ransomware. Victims spanned across multiple sectors and organization sizes, suggesting opportunistic mass exploitation.

This campaign has recently escalated, with new infrastructure linked to it observed as late as September 20, 2025.

More from Cybersecurity News: SonicWall has linked these malicious logins to CVE-2024-40766, an improper access control vulnerability disclosed in 2024. The working theory is that threat actors harvested credentials from devices that were previously vulnerable and are now using them in this campaign, even if the devices have since been patched. This explains why fully patched devices have been compromised, a fact that initially led to speculation about a potential zero-day exploit.

Once inside a network, the attackers operate with remarkable speed. The time from initial access to ransomware deployment, known as "dwell time," is often measured in hours, with some intrusions taking as little as 55 minutes, Arctic Wolf said. This extremely short window for response makes early detection critical.

"Threat actors in the present campaign successfully authenticated against accounts with the one-time password (OTP) MFA feature enabled..." notes Arctic Wolf Labs: The threats described in this campaign demand early detection and a rapid response to avoid catastrophic impact to organizations. To facilitate this process, we recommend monitoring for VPN logins originating from untrusted hosting infrastructure. Equally important is ensuring visibility into internal networks, since lateral movement and ransomware encryption can occur within hours or even minutes of initial access. Monitoring for anomalous SMB activity indicative of Impacket use provides an additional early detection opportunity.

When firewalls are confirmed to be running firmware versions vulnerable to credential access or full configuration export, patching alone is not enough. In such situations, credentials must be reset wherever possible, including MFA-related secrets that might otherwise be thought of as secure, and Active Directory credentials with VPN access. These considerations are best practices that apply regardless of which firewall products are in use.

Thanks to Slashdot reader Mirnotoriety for suggesting this story.

The Internet

Cloudflare To Launch Stablecoin for AI-Driven Internet Economy (nerds.xyz) 21

Cloudflare announced plans Thursday to launch NET Dollar, a U.S. dollar-backed stablecoin designed to enable autonomous AI agents to conduct instant financial transactions. The company says the stablecoin will support microtransactions and pay-per-use models as AI agents take over tasks like booking flights and ordering groceries. BrianFagioli comments: A U.S. dollar-backed cryptocurrency from Cloudflare feels unusual to me, and I'm still surprised by it. The decision shows just how much the Internet is shifting in response to artificial intelligence.

CEO Matthew Prince said, "For decades, the business model of the Internet ran on ad platforms and bank transfers. The Internet's next business model will be powered by pay-per-use, fractional payments, and microtransactions -- tools that shift incentives toward original, creative content that actually adds value." He added that by using its global network, Cloudflare aims to "help modernize the financial rails needed to move money at the speed of the Internet."

Botnet

Record-Breaking DDoS Attack Peaks At 22 Tbps and 10 Bpps 24

Cloudflare blocked the largest-ever DDoS attack against a European network infrastructure company, which peaked at 22.2 Tbps and 10.6 Bpps. The hyper-volumetric attack has been linked to the Aisuru botnet and lasted just 40 seconds, but was double the size of the previous record. SecurityWeek reports: Cloudflare told SecurityWeek that the attack was aimed at a single IP address of an unnamed European network infrastructure company. Cloudflare has yet to determine who was behind the attack, but believes it may have been powered by the Aisuru botnet, which was also linked earlier this year to a massive 6.3 Tbps attack on the website of cybersecurity blogger Brian Krebs. Aisuru has been around for more than a year. The botnet is powered by hacked IoT devices such as routers and DVRs that have been compromised through the exploitation of known and zero-day vulnerabilities.

According to Cloudflare, the 22 Tbps attack was traced to over 404,000 unique source IPs across over 14 ASNs worldwide. "Based on internal analysis using a proprietary system, the source IPs were not spoofed," the company explained. The security firm described it as a UDP carpet bomb attack targeting an average of 31,000 destination ports per second, with a peak of 47k ports, all of a single IP address. Cloudflare revealed in July that the number of DDoS attacks it blocked in the first half of 2025 had already exceeded all the attacks mitigated in 2024.

Google

Google Experiences Deja Vu As Second Monopoly Trial Begins In US 4

An anonymous reader quotes a report from The Guardian: After deflecting the US Department of Justice's attack on its illegal monopoly in online search, Google is facing another attempt to dismantle its internet empire in a trial focused on abusive tactics in digital advertising. The trial that opened Monday in an Alexandria, Virginia, federal court revolves around the harmful conduct that resulted in US district Judge Leonie Brinkema declaring parts of Google's digital advertising technology to be an illegal monopoly in April. The judge found that Google has been engaging in behavior that stifles competition to the detriment of online publishers that depend on the system for revenue.

Google and the justice department will spend the next two weeks in court presenting evidence in a "remedy" trial that will culminate in Brinkema issuing a ruling on how to restore fair market conditions. If the justice department gets its way, Brinkema will order Google to sell parts of its ad technology -- a proposal that the company's lawyers warned would "invite disruption and damage" to consumers and the internet's ecosystem. The justice department contends a breakup would be the most effective and quickest way to undercut a monopoly that has been stifling competition and innovation for years. [...]

The case, filed in 2023 under Joe Biden's administration, threatens the complex network that Google has spent the past 17 years building to power its dominant digital advertising business. Digital advertising sales account for most of the $305 billion in revenue that Google's services division generates for its corporate parent Alphabet. The company's sprawling network of display ads provides the lifeblood that keeps thousands of websites alive. Google believes it has already made enough changes to its "ad manager" system, including providing more options and pricing options, to resolve the problems Brinkema flagged in her monopoly ruling.

AI

Microsoft Is Reportedly Building An AI Marketplace To Pay Publishers For Content 9

Microsoft is preparing a Publisher Content Marketplace to pay publishers when their work is used in AI products like Copilot. Neowin reports: Microsoft is reportedly discussing with select US publishers a pilot program for its so-called Publisher Content Marketplace, a system that pays publishers for their content when it gets used by AI products, starting with its own Copilot assistant. The PCM will launch with a limited number of partners before Microsoft hopes to expand the program over time. The company pitched the idea to publishing executives at an invite-only Partner Summit in Monaco last week. Microsoft was allegedly courting them with the message: "You deserve to be paid on the quality of your IP." No concrete launch date for the pilot was shared.

As Axios notes, Microsoft is the first major company to try to build a proper AI marketplace for publishers. Other AI labs like OpenAI have mostly focused on securing one-off licensing deals instead of building a platform for ongoing transactions. Companies like Cloudflare are also working on a more technical, network-level solution to this problem.

United States

US Secret Service 'Dismantles Telecommunications Threat' (bbc.co.uk) 74

mrspoonsi writes: The US Secret Service says it has dismantled a network of more than 300 SIM servers and 100,000 SIM cards in the New York area that were capable of crippling telecom systems.

The devices were "concentrated within 35 miles of the global meeting of the UN General Assembly now under way in New York City" and an investigation has been launched, it adds in a press statement.

The Secret Service says the dangers posed included "disabling cell phone towers, enabling denial of services attacks, and facilitating anonymous, encrypted communication between potential threat actors and criminal enterprises."

Transportation

Uber CEO Says Robotaxis Could Displace Drivers in 10 To 15 Years and Create 'a Big, Big Societal Question' (businessinsider.com) 101

The rise of self-driving cars could eventually cost many ride-hailing drivers their jobs -- and that's a big problem, Uber CEO Dara Khosrowshahi said. From a report: Khosrowshahi spoke about the issue onstage this month at a summit hosted by the "All-In" podcast, which posted a video of the conversation on Wednesday. At the summit, Khosrowshahi was asked about concerns that gig workers, who have played a key role in Uber's development, will eventually lose their jobs as self-driving cars become more prevalent.

The Uber CEO said he expects human drivers to continue working alongside self-driving cars in Uber's network in the coming years. "For the next five to seven years, we're going to have more human drivers and delivery people, just because we're going so quickly," Khosrowshahi said. "But, I think, 10 to 15 years from now, this is going to be a real issue," he said about drivers losing their jobs.

AI

AI Tools Give Dangerous Powers to Cyberattackers, Security Researchers Warn (msn.com) 21

"On a recent assignment to test defenses, Dave Brauchler of the cybersecurity company NCC Group tricked a client's AI program-writing assistant into executing programs that forked over the company's databases and code repositories," reports the Washington Post.

"We have never been this foolish with security," Brauchler said... Demonstrations at last month's Black Hat security conference in Las Vegas included other attention-getting means of exploiting artificial intelligence. In one, an imagined attacker sent documents by email with hidden instructions aimed at ChatGPT or competitors. If a user asked for a summary or one was made automatically, the program would execute the instructions, even finding digital passwords and sending them out of the network. A similar attack on Google's Gemini didn't even need an attachment, just an email with hidden directives. The AI summary falsely told the target an account had been compromised and that they should call the attacker's number, mimicking successful phishing scams.

The threats become more concerning with the rise of agentic AI, which empowers browsers and other tools to conduct transactions and make other decisions without human oversight. Already, security company Guardio has tricked the agentic Comet browser addition from Perplexity into buying a watch from a fake online store and following instructions from a fake banking email...

Advanced AI programs also are beginning to be used to find previously undiscovered security flaws, the so-called zero-days that hackers highly prize and exploit to gain entry into software that is configured correctly and fully updated with security patches. Seven teams of hackers that developed autonomous "cyber reasoning systems" for a contest held last month by the Pentagon's Defense Advanced Research Projects Agency were able to find a total of 18 zero-days in 54 million lines of open source code. They worked to patch those vulnerabilities, but officials said hackers around the world are developing similar efforts to locate and exploit them. Some longtime security defenders are predicting a once-in-a-lifetime, worldwide mad dash to use the technology to find new flaws and exploit them, leaving back doors in place that they can return to at leisure.

The real nightmare scenario is when these worlds collide, and an attacker's AI finds a way in and then starts communicating with the victim's AI, working in partnership — "having the bad guy AI collaborate with the good guy AI," as SentinelOne's [threat researcher Alex] Delamotte put it. "Next year," said Adam Meyers, senior vice president at CrowdStrike, "AI will be the new insider threat."

In August more than 1,000 people lost data to a modified Nx program (downloaded hundreds of thousands of times) that used pre-installed coding tools from Google/Anthropic/etc. According to the article, the malware "instructed those programs to root out" sensitive data (including passwords or cryptocurrency wallets) and send it back to the attacker. "The more autonomy and access to production environments such tools have, the more havoc they can wreak," the article points out — including this quote from SentinelOne threat researcher Alex Delamotte.

"It's kind of unfair that we're having AI pushed on us in every single product when it introduces new risks."

Businesses

Sold on Walmart, Sent by Amazon: The Weird New World of Online Retail (geekwire.com) 45

Amazon's logistics network will now fulfill orders placed on Walmart.com, the company announced at its Accelerate seller conference, creating a surreal arrangement where the e-commerce giant directly supports its biggest retail rival's online operations. Third-party sellers can now use Amazon's Multichannel Fulfillment service to automatically process Walmart orders through direct integration. The packages arrive in unbranded boxes since Walmart prohibits Amazon-branded deliveries to its customers.

Amazon VP Dharmesh Mehta told GeekWire the system automatically routes any Walmart order through Amazon's fulfillment network. The service expansion includes upcoming Shein integration and existing support for eBay, Etsy, and Temu. Amazon's third-party seller services generated $156 billion in 2024 revenue. The company now competes directly against ShipBob, FedEx, UPS, and ironically Walmart's own fulfillment services while positioning itself as an end-to-end logistics provider regardless of where the sale originates.

XBox (Games)

Microsoft Hikes US Xbox Prices Citing Economic Environment (xbox.com) 45

Microsoft will increase Xbox Series X and Series S console prices in the United States on October 3. The Series X rises to $649.99 from $599.99 and the 512GB Series S increases to $399.99 from $379.99. The 1TB Series S moves to $449.99 from $429.99. The Series X Digital Edition reaches $599.99 from $549.99 and the 2TB Galaxy Black Special Edition climbs to $799.99 from $729.99. Microsoft cited macroeconomic changes for the increases. Console prices outside the US and controller and headset prices domestically remain unchanged. The company raised console prices globally in May.

AI

SoftBank Vision Fund To Lay Off 20% of Employees in Shift To Bold AI Bets (reuters.com) 21

An anonymous reader shares a report: SoftBank Group will lay off nearly 20% of its Vision Fund team globally as it shifts resources to founder Masayoshi Son's large-scale AI bets in the United States, according to a memo seen by Reuters and a source familiar with the plan. The cuts mark the third round of layoffs at the Japanese investment conglomerate's flagship fund since 2022. Vision Fund currently has over 300 employees globally. Unlike previous rounds, when the group was saddled with major losses, the latest reductions come after the fund last month reported its strongest quarterly performance since June 2021, driven by gains in public holdings such as Nvidia and South Korean e-commerce firm Coupang. The move signals a pivot away from a broad portfolio of startup investments. While the fund will continue to make new bets, remaining staff will dedicate more resources to Son's ambitious AI initiatives, such as the proposed $500 billion Stargate project -- an initiative to build a vast network of U.S. data centers in partnership with OpenAI, the source added.

Businesses

Verizon To Offer $20 Broadband In California To Obtain Merger Approval (arstechnica.com) 17

An anonymous reader quotes a report from Ars Technica: Verizon agreed to offer $20-per-month broadband service to people with low incomes in California in exchange for a merger approval. In a bid to complete its $9.6 billion purchase of Frontier Communications, Verizon committed to offering $20 fiber-to-the-home service with symmetrical speeds of 300Mbps. Verizon also committed to offering a $20 fixed wireless service with download speeds of 100Mbps and upload speeds of 20Mbps. Verizon would be required to offer the plans for at least 10 years, according to a joint motion (PDF) to approve the settlement agreement. After three years, Verizon would need to "make commercially reasonable efforts" to increase the speeds "while retaining the $20 price point."

The joint motion filed by Verizon and the California Public Advocates Office seeks approval from the California Public Utilities Commission (CPUC). The $20 plans would be available to people who meet income eligibility guidelines and can be paired with Lifeline discounts. "My team required those options to be California Lifeline eligible, which effectively makes it free for low-income Californians throughout the state," wrote Ernesto Falcon, a program manager at the Public Advocates Office. California's Lifeline program provides $19 discounts. Falcon also wrote that the settlement would expand fiber deployment beyond what Frontier would have offered on its own. "If the merger is approved, Verizon will deliver 75,000 new fiber-to-the-home connections in California beyond Frontier's entire buildout plan with a priority for low-income households," he wrote. The deal also requires 250 new cell sites for Verizon's 5G network.

Security

Thieves Busted After Stealing a Cellphone from a Security Expert's Wife (elpais.com) 41

They stole a woman's phone in Barcelona. Unfortunately, her husband was security consultant/penetration tester Martin Vigo, reports Spain's newspaper El Pais.

"His weeks-long investigation coincided with a massive two-year police operation between 2022 and 2024 in six countries where 17 people were arrested: Spain, Argentina, Colombia, Chile, Ecuador, and Peru...." In Vigo's case, the phone was locked and the "Find my iPhone" feature was activated... Once stolen, the phones are likely wrapped in aluminum foil to prevent the GPS from tracking their movements. "Then they go to a safe house where they are gathered together and shipped on pallets outside of Spain, to Morocco or China." This international step is vital to prevent the phone from being blocked if the thieves try to use it again. Carriers in several European countries share lists of the IMEIs (unique numbers for each device) of stolen devices so they can't be used. But Morocco, for example, doesn't share these lists. There, the phone can be reconnected...

With hundreds or thousands of stored phones, another path begins: "They try to get the PIN," says Vigo. Why the PIN? Because with the PIN, you can change the Apple password and access the device's content. The gang had created a system to send thousands of text messages like the one Vigo received. To know who to target with the bait message, the police say, "the organization performed social profiling of the victims, since, in many cases, in addition to the phone, they also had the victim's personal belongings, such as their ID." This is how they obtained the phone numbers to send the malicious SMS...

Each victim received a unique link, and the server knew which victim clicked it... With the first click, the attackers would redirect the user to a website they believed was credible, such as Apple's real iCloud site... [T]he next day you receive another text message, and you click on it, more confidently. However, that link no longer redirects you to the real Apple website, but to a flawless copy created by the criminals: that's where they ask for your PIN, and without thinking, full of hope, you enter it... "The PIN is more powerful than your fingerprint or face. With it, you can delete the victim's biometric information and add your own to access banking apps that are validated this way," says Vigo. Apple Wallet asks you to re-authenticate, and then everything is accessible...

In the press release on the case, the police explained that the gang allegedly used a total of 5,300 fake websites and illegally unlocked around 1.3 million high-end devices, about 30,000 of them in Spain.

Vigo tells El Pais that if the PIN doesn't unlock the device, the criminal gang then sends it to China to be "dismantled and then sent back to Europe for resale. The devices are increasingly valuable because they have more advanced chips, better cameras, and more expensive materials."

To render the phone untraceable in China, "they change certain components and the IMEI. It requires a certain level of sophistication: opening the phone, changing the chip..."

Encryption

Swiss Government Looks To Undercut Privacy Tech, Stoking Fears of Mass Surveillance (therecord.media) 31

The Swiss government could soon require service providers with more than 5,000 users to collect government-issued identification, retain subscriber data for six months and, in many cases, disable encryption. From a report: The proposal, which is not subject to parliamentary approval, has alarmed privacy and digital-freedoms advocates worldwide because of how it will destroy anonymity online, including for people located outside of Switzerland. A large number of virtual private network (VPN) companies and other privacy-preserving firms are headquartered in the country because it has historically had liberal digital privacy laws alongside its famously discreet banking ecosystem.

Proton, which offers secure and end-to-end encrypted email along with an ultra-private VPN and cloud storage, announced on July 23 that it is moving most of its physical infrastructure out of Switzerland due to the proposed law. The company is investing more than $117 million in the European Union, the announcement said, and plans to help develop a "sovereign EuroStack for the future of our home continent." Switzerland is not a member of the EU. Proton said the decision was prompted by the Swiss government's attempt to "introduce mass surveillance."

The Courts

Court Rejects Verizon Claim That Selling Location Data Without Consent Is Legal (arstechnica.com) 12

An anonymous reader quotes a report from Ars Technica: Verizon lost an attempt to overturn a $46.9 million fine for selling customer location data without its users' consent. The US Court of Appeals for the 2nd Circuit rejected Verizon's challenge in a ruling (PDF) issued today. The Federal Communications Commission fined the three major carriers last year for violations revealed in 2018. The companies sued the FCC in three different courts, with varying results.

AT&T beat the FCC in the reliably conservative US Court of Appeals for the 5th Circuit, while T-Mobile lost in the District of Columbia Circuit. Although FCC Chairman Brendan Carr voted against (PDF) the fine last year, when the commission had a Democratic majority, his FCC urged the courts to uphold the Biden-era decisions. A ruling against the FCC could gut the agency's ability to issue financial penalties. The different rulings from different circuits raise the odds of the cases being taken up by the Supreme Court.

Today's 2nd Circuit ruling against Verizon was issued unanimously by a panel of three judges, and it comes to the same legal conclusions as the DC Circuit did in the T-Mobile case. The court did not accept the carrier's argument that the fine violated its Seventh Amendment right to a jury trial and that the location data wasn't protected under the law used by the FCC to issue the penalties. "We disagree [with Verizon]," the 2nd Circuit ruling said. "The customer data at issue plainly qualifies as customer proprietary network information, triggering the Communication Act's privacy protections. And the forfeiture order both soundly imposed liability and remained within the strictures of the penalty cap. Nothing about the Commission's proceedings, moreover, transgressed the Seventh Amendment's jury trial guarantee. Indeed, Verizon had, and chose to forgo, the opportunity for a jury trial in federal court. Thus, we DENY Verizon's petition."

Until 2019, the ruling said, Verizon operated a location-based services program that sold customer location data through intermediaries like LocationSmart and Zumigo, who then resold it to dozens of third-party entities. Instead of directly managing consent and notifications, Verizon "largely delegated those functions via contract" to its partners, a system that came under scrutiny after a 2018 New York Times report exposed security breaches.

One major misuse involved Securus Technologies, which "was misusing the program to enable law enforcement officers to access location data without customers' knowledge or consent, so long as the officers uploaded a warrant or some other legal authorization," the ruling said. Verizon argued that Section 222 of the Communications Act only covered call-location data, but the court ruled that device-location data also qualifies as protected customer information.
