Former head of #L3Harris’s #Trenchant “offensive cyber” division admits to stealing weapons-grade exploit chain worth $35 million and then selling it for personal gain.
Raises important questions about national security risks of outsourcing such weaponry. In #SBBlogwatch, we go out with a whimper:
One notorious center for the grotesquely evil practice of #PigButchering is #Myanmar.
This week, #SpaceX is crowing about how it’s blocked 2,500 #Starlink satellite internet terminals being used by these scumbags to reach their victims. In #SBBlogwatch, we wonder what took Elon so long.
#Microsoft’s #Windows security update rollup is badly buggy this month. #WinRE recovery environment doesn’t work with most keyboards and mice. And a fix for a cryptography bypass bug is causing failures.
Leading to concerns about the #Windows dev process. In #SBBlogwatch, we grab a Linux ISO:
Anything any #Android app can display is vulnerable to #Pixnapping attack—including #2FA codes. “It’s like Rowhammer, but for the screen,” quips one wag.
Google thought it had already fixed the previously undisclosed flaw. But the group’s demo says not. In #SBBlogwatch, we blur the pels:
#Redis (Remote Dictionary Server) and its open source fork #Valkey share a scary flaw that can give an attacker full RCE. It’s been assigned a max CVSS score of 10.0—you don’t often see that.
#Redis shouldn’t normally be exposed to the internet, but it often is. In #SBBlogwatch, we descend a layer:
#Japan’s biggest producer of beer is still not producing any beer this week. #Asahi Group Holdings shut down production Monday after detecting a cyber intruder.
And today it’s confirmed fears of #ransomware. In #SBBlogwatch, we dry out.
securityboulevard.com/2025/10/japa...
The #Akira gang have found a way to override the multifactor authentication in #SonicWall SSL VPN appliances. These scrotes appear to be able to move laterally from the VPN boxes to deploy #ransomware.
It’s worrying that they’ve broken SonicWall’s #2FA. In #SBBlogwatch, we hear customers’ anger:
Iconic British brand warns it would stay stalled for longer. Loose confederation of threat actors, now calling itself Scattered Lapsus$ Hunters, claims it hacked the big car firm—via tedious Telegram trolling.
Yes, it’s those Salesforce vish kiddies again. In #SBBlogwatch, we drive the point home.
U.S. Sen. #RonWyden demanding #FTC do something about #Microsoft already. Says Satya’s crew to blame for some awful #ransomware attacks, via vuln 10+ years old.
#Kerberoasting exploit affects #ActiveDirectory installs not configured to modern specs. In #SBBlogwatch, we wonder where to point fingers:
Pair of ethical hackers discover “catastrophic” vulns in code running #BurgerKing, etc. sites. Owner quickly fixed flaws, but then #Cyble issued sus-seeming #DMCA takedown.
Tale as old as time: Poor, unfortunate $8½ billion corp vs. evil, vindictive, millennial hackers. In #SBBlogwatch, we rule:
Four weeks ago, #Google admitted it was hacked—via #vishing. Sadly, this sparked a journalistic game of Telephone: Over the space of four weeks, it became, “2.5 billion #Gmail users hacked!!1!”
Sigh. “This is entirely false,” complains Google. In #SBBlogwatch, we bait for clicks during dog days.
A subsidiary of Zurich Insurance (SIX:ZURN) admitted to a huge leak: More than one million customers’ data.
#FarmersGroup is the latest corporation ’fessing up to its data going AWOL via #ScatteredSpider #Salesforce vishing.
In #SBBlogwatch, we wonder what their Swiss masters will think:
Chinese web users couldn’t access websites outside the People’s Republic yesterday—with no explanation. Nobody’s sure whether it was a mistake or an ominous test of new #censorship capabilities.
But some are linking it to a recent outage in #Pakistan. In #SBBlogwatch, we shave with Hanlon’s razor.
The U.S. administration is celebrating a “mutually beneficial understanding” with the #UK, meaning #Apple won’t need to backdoor #iCloud. Tulsi Gabbard and JD Vance seem happy about it, anyway.
However, it’s not entirely clear that anything’s really changed. In #SBBlogwatch, we doctor the spin.
35 data brokers employed #DarkPatterns to discourage #Californians from exercising privacy rights. Hid legally required web pages from Google—so we can’t find them.
Senator unhappy, accuses firms of “requiring people to navigate byzantine labyrinths.” In #SBBlogwatch, we join her trisyllabic diss.
Venerable file compression-cum-archiving tool suffers yet another exploited vuln, causing the sole developer to issue a patch. Is it time to ditch WinRAR?
Yes! Here’s why: Eugene Roshal (pictured) doesn’t believe in automatic updates. In #SBBlogwatch, we can’t believe it’s still like that in 2025.
#Google finally admitted it got socially engineered—leading to a breach of #CRM data. Yes, Google got vished.
Do scrotes have your info? We don’t know; Google’s not saying.
What’s worse is this happened a couple of MONTHS ago. In #SBBlogwatch, we wonder why it took Google so long to tell us:
The company behind the #Bee bracelet is being bought by #Amazon. It seems like Jeff Bezos (pictured) just can’t get enough of knowing everything about you and your life.
Naturally, this raises a ton of privacy questions. In #SBBlogwatch, we have more questions than answers:
#Gaskar Group, #Russian designer of drones plaguing #Ukraine skies, in utter disarray. Or, at least, so says Ukrainian military intelligence.
Hacker groups steal and delete 57 TB of critical data and backups, preventing the company from operating. In #SBBlogwatch, we peer through the fog of war.
U.S. freight trains use radio link between front/rear, designed ~40y ago. But the Flashing Rear End Device (#FRED) can be told to slam on the brakes via a weak wireless protocol.
Latest researcher to signal problem says, “You could shut down the entire system.” In #SBBlogwatch, we get to the points:
4 youngsters are in custody today, alleged to be notorious #ScatteredSpider hackers (or at least, some of them). “Loose affiliation” of hackers is suspected of badly disrupting operations at three large retail chains since April.
In #SBBlogwatch, we channel Sir William Garrow:
British shopping titan M&S still dealing with mess caused by April’s #ransomware attack. At least three months more work ahead says firm’s chairman, Archie Norman (pictured).
But persistent rumors say M&S paid #ScatteredSpider’s ransom demand. In #SBBlogwatch, Norman will neither confirm nor deny:
A new data leak shows the dangers of secret, silent #stalkerware. An app known as #Catwatchful appears to be just as insecure as all the others.
The Catwatchful app’s user login database was vulnerable to a simple #SQLinjection attack. In #SBBlogwatch, we call for Little Bobby Tables.
U.S. Immigration and Customs Enforcement (ICE) agents are using a new phone app: #MobileFortify puts “instant, #AI powered” #FacialRecognition in their hands. What could possibly go wrong?
A major risk is inaccurate recognition. In #SBBlogwatch, the French want their statue back:
House of Representatives bans use of Meta’s #WhatsApp chat app on its managed devices. Jamie Crotts (pictured) is CAO’s CIO, tasked with denying staffers any use of WhatsApp on House devices.
Apparently, #Meta suffers from “a lack of transparency.” In #SBBlogwatch, we wonder who’ll be next:
Federal agencies have spent the past 18 months piecing together this complex #MoneyLaundering web. And now they’re ready to announce seizure of a few hundred million from industrial scale #PigButchering #scams.
You can almost hear the bacon sizzling. In #SBBlogwatch, we grab the lettuce and tomato:
#Trump reprieves #TikTok a third time, despite concerns about #security, press freedom and child safety. White House says he’ll sign yet another EO preventing enforcement of #PAFACA (Protecting Americans from Foreign Adversary Controlled Applications Act).
In #SBBlogwatch, we turn the page for you.
United Natural Foods (UNFI) had to switch off systems after a cyberattack, crippling its operations. This is a huge deal, because #UNFI is a big part of the grocery distribution network.
Once again, it looks like the work of #UNC3944, a/k/a #ScatteredSpider. In #SBBlogwatch, we hoard canned goods.
Millions of websites leaking your private information to #Meta. By hacking #Android browser features, Meta is tracking you all the way around the web—with no disclosure.
As soon as researchers disclosed the #LocalMess problem, Meta stopped it—for now. In #SBBlogwatch, we go live in a cave:
#WindowsUpdate keeps #Windows updated (well, duh). It can also update some “other #Microsoft products,” if you let it. Soon, it’ll be able to do the same for other companies’ apps.
Messy musical metaphors aside, this seems like a good idea. In #SBBlogwatch, we wave a baton: