Cyber News 01DEC2025
General
- A nice little beginner's OpSec guide from Wired. If you want more depth, try Michael Bazzell's books.
- It appears that GitLab Cloud was a fertile hunting ground for secrets in Git repositories. US$770 in AWS costs to scan with TruffleHog, US$9,000 in bounties - not a bad return on investment.
- https://trufflesecurity.com/blog/scanning-5-6-million-public-gitlab-repositories-for-secrets
- (Prior work on Bitbucket Cloud) https://trufflesecurity.com/blog/scanning-2-6-million-public-bitbucket-cloud-repositories-for-secrets
- (Even more prior work) https://www.sud0luke.net/why-i-am-still-finding-secrets-in-your-code
- https://www.bleepingcomputer.com/news/security/public-gitlab-repositories-exposed-more-than-17-000-secrets/
- Crypto-currency and Non-Fungible Tokens (NFTs) aren't the only digital assets vulnerable to a crash - Counter-Strike 2 items were a US$6b market, until a change in scarcity wiped out US$2b.
- Why you need to get due diligence right before a merger - Naver announced the acquisition of Upbit for ~US$10b; the next day Upbit announced the theft of US$30+ million in Solana tokens.
- There's locking yourself out of your account, then there's locking yourself out of your bio-implants. A reminder to get a good password manager, and take offline backups.
- More quality coding from Microsoft - invisible password-login button in Win11.
"you might notice that the password icon is not visible in the sign-in options on the lock screen. If you hover over the space where the icon should appear, you'll see that the password button is still available"
- https://support.microsoft.com/en-us/topic/august-29-2025-kb5064081-os-build-26100-5074-preview-3f9eb9e1-72ca-4b42-af97-39aace788d93#:~:text=Password%20icon%20might%20be%20missing%20or%20invisible%20in%20the%20lock%20screen%20sign%2Din%20options
- https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-updates-hide-password-icon-on-lock-screen/
- [AU] Seven years prison for running a WiFi Pineapple (evil-twin) attack at an airport and on-board flights.
- https://www.bleepingcomputer.com/news/security/man-behind-in-flight-evil-twin-wifi-attacks-gets-7-years-in-prison/
- https://shop.hak5.org/products/wifi-pineapple?srsltid=AfmBOoo4BfmVltT7UFu1Wmss-Uek_a6BiFwR-c8em_2htpl3DIQz2QDV
- https://www.itnews.com.au/news/wa-man-jailed-for-at-least-five-years-for-evil-twin-attack-622190
Getting Techy
- Synacktiv detail how they compromised a Synology BeeStation NAS at Pwn2Own this year. A nostalgic buffer-overflow.
- PostHog detail how their flawed assumptions of GitHub workflows got them pwned by Shai-Hulud 2.
- Developing - dos-op.io starts dumping information on the RALord Ransomware-as-a-Service platform. More is claimed to be coming.
- (CBSecurity.net) https://archive.is/R4DG5
- http://cbsecurity.net/
Geo-Politics
- [UK] Office for Budget Responsibility (OBR) forecasts £1.8b (£0.6b annual cost over the next three years) to rollout digital ID cards.
"countless benefits, like being able to prove your identity to access key services swiftly"
- [US] ICE raid in New York thwarted by two-hundred person counter-demonstration
Privacy
- [FR] Concern over France's position on privacy, and its support for the much-maligned Chat Control legislation, has led the privacy-focused mobile OS GrapheneOS to leave French cloud provider OVH.
- [UK] At least one company must be doing well from all of the data breaches - UK ISP Brsk suffers a breach, and rolls out the formulaic "we care" response.
"We have informed affected customers, and as an additional precaution, we are offering them 12 months of free personal, financial, and web-monitoring services provided by Experian"
- [US] California's latest amendment to the Consumer Privacy Act, requiring browser signalling of data-sharing opt-out, must work for all California residents, regardless of VPNs or current location. This will likely lead to the capability being rolled out for all in the US, perhaps even globally.
"it's actually quite simple for these browsers to implement — what's not simple is for them to understand who is a California resident and who is not which is why it will likely be national"
AI
- More confirmation that ChatGPT is getting advertising.
"This move could disrupt the web economy, as what most people don't understand is that GPT likely knows more about users than Google"
"The leak suggests that ads will initially be limited to the search experience only, but this may change in the future."
- Breaking AI guardrails, with poetry - "Adversarial Poetry as a Universal Single-Turn Jailbreak Mechanism in Large Language Models". Models evaluated included Gemini 2.5, GPT-5, Claude 4.5, DeepSeek R1, Qwen 3, Grok-4, Kimi-K2. Anthropic, OpenAI, and x-AI rated safest.
"Across 25 frontier proprietary and open-weight models, curated poetic prompts yielded high attack-success rates (ASR), with some providers exceeding 90%"
"Poetic framing achieved an average jailbreak success rate of 62% for hand-crafted poems and approximately 43% for meta-prompt conversions"
- [US] AI adoption may be stagnating
"in September 37% of Americans used generative AI at work, down from 46% in June"
"while 87% of executives use AI on the job, just 57% of managers and 27% of employees do"
- (The Economist) https://archive.is/deRZG
- [UK] If (When) the AI tech bubble bursts, it could impact the UK budget by £26b by 2028.
"After the dotcom bubble equity prices fell 46 per cent"
"In the first scenario of a 'global correction', both UK and world equity prices fall by 35 per cent from a peak in 2026-27. This would cause a £27 billion fall in forecast tax revenue"
- (Times) https://archive.is/rexjz