Infosec Decoded Season 5 #67: Banning Vaccine

With Doug Spindler and sambowne@infosec.exchange

Recorded Tue, Aug 26, 2025

AI

Citizen Is Using AI to Generate Crime Alerts With No Human Review. It’s Making a Lot of Mistakes
Citizen recently laid off more than a dozen unionized employees, with some sources believing the firings are related to Citizen’s increased use of AI and the shifting of some tasks to overseas workers. It also comes as New York City enters a more formal partnership with the app.

AI mistranslated “motor vehicle accident” to “murder vehicle accident.” It interpreted addresses incorrectly and published an incorrect location. It would add gory or sensitive details that violated Citizen’s guidelines, like saying “person shot in face” or including a person’s license plate details in an unconfirmed report.

We Put Agentic AI Browsers to the Test - They Clicked, They Paid, They Failed
Agentic AI fully automates your online tasks, from shopping to handling emails. But security guardrails are missing or inconsistent, leaving the AI free to interact with phishing pages, fake shops, and even hidden malicious prompts, all without the human’s awareness or ability to intervene.
Phishing Emails Are Now Aimed at Users and AI Defenses
The visible part of a phishing email tries to trick the human reader, and invisible text in a MIME section contains commands for the AI.

Politics

Trump and RFK Jr. to Ban COVID-19 Vaccine ‘Within Months’
The Trump administration will move to pull the COVID vaccine off the U.S. market "within months," because a British cardiologist is more influential than scientific consensus, and he claims the vaccines are more dangerous than the virus.
Fourth Amendment Victory: Michigan Supreme Court Reins in Digital Device Fishing Expeditions
Warrants authorizing searches of cell phones and other digital devices must contain express limitations on the data police can review, restricting searches to data that they can establish is clearly connected to the crime.
Nancy Mace Champions Cybersecurity Reform, Puts Skills Ahead Of Degrees
The Cybersecurity Hiring Modernization Act is a bipartisan bill to eliminate unnecessary degree barriers and ensure federal agencies can hire the skilled cybersecurity professionals our country needs.
Americans, Be Warned: Lessons From Reddit’s Chaotic UK Age Verification Rollout
The UK's Online Safety Act requires online platforms to check that all UK-based users are at least eighteen years old before allowing them to access broad categories of “harmful” content. This included subreddits for LGBTQ+ identity and support, global journalism and conflict reporting, and even public health-related forums like r/periods, r/stopsmoking, and r/sexualassault. Also, the for-profit vendor Reddit contracts with, Persona, is buggy. It can be fooled easily, and sometimes rejects valid users.
Trump, 79, Clasps Both Hands in Desperate Bid to Cover Up Bruises
Is it illegal to not buy ads on X? Experts explain the FTC’s bizarre ad fight.
Former FTC commissioner Alvaro Bedoya, who joined fellow Democrats who sued Trump for ejecting them from office, flagged the probe as appearing "bizarrely" politically motivated to protect Musk.
Swedish startup unveils Starlink alternative — that Musk can’t switch off
The system, named the RU1, is billed as the world’s smallest and lightest mm-Wave radio, a form of communications that offers blazing-fast speeds and huge bandwidth. RU1 can be deployed in minutes to keep units connected in fast-changing environments. The devices can be installed on tripods or drones. Multiple RU1s can then link into a resilient mesh.
Phone Searches at the US Border Hit a Record High
Customs and Border Protection agents searched nearly 15,000 devices from April through June of this year, a nearly 17 percent spike over the previous three-month high in 2022.

Infosec

Australian university used Wi-Fi location data to identify student protestors
The University used CCTV and WiFi location data to identify students who refused to leave a building when ordered to.
Weaponizing image scaling against production AI systems
LLMs resize images before processing them. In this attack, a malicious large image contains commands that only appear after the image is downscaled, which the LLM then executes.
When a SSRF is enough: Full Docker Escape on Windows Docker Desktop (CVE-2025-9074)
There was an unprotected Docker API endpoint that allowed code execution on the host. This has been fixed.
DOM-based Extension Clickjacking: Your Password Manager Data at Risk
A single click anywhere on an attacker-controlled website could allow attackers to steal users' data (credit card details, personal data, login credentials including TOTP). The products are being fixed.
Detecting CVE-2025-43300: A Deep Dive into Apple's DNG Processing Vulnerability
DNG is an image format from Adobe. In this attack, a malicious image claims to contain 2 components, but only has one, leading to out-of-bounds writes. This leads to zero-click RCE, and has already been used in targeted attacks. Apple has patched this vulnerability.
The Silent, Fileless Threat of VShell
This Linux attack embeds code in a filename. The code is executed when automated backup or logging routines list filenames.
SpyNote Malware Part 2
Deceptive websites are mimicking popular Android application install pages on the Google Play Store to lure victims into downloading AndroidOS SpyNote malware, a potent Android RAT used for surveillance, data exfiltration, and remote control.
Evaluation: DOE-OIG-25-30
A cybersecurity audit of the Department of Energy found that only 19 of 63 (30 percent) of the recommendations from last year were implemented, and it made 79 new recommendations.
Malware-ridden apps made it into Google's Play Store, scored 19 million downloads
Many contained an updated version of the Anatsa banking trojan, with a keylogger for password collection, SMS interception capabilities, and anti-detection tools.

The APK uses a corrupted archive to hide a file, which is deployed during runtime. This archive has invalid compression and encryption flags, making it hard for static analysis tools to detect. Since these tools depend on standard ZIP header checks in Java libraries, they fail to process the application. Despite this, the application will run on standard Android devices.
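A triage check for this kind of archive, as an added example that is not from the show notes or the original report: it reads the raw ZIP headers instead of relying on a library that rejects the file, and flags entries whose encryption bit or compression method is not what an APK should contain. It goes slightly beyond the description above by also comparing each local header with its central-directory record; the allowed-method set, the sample file names and the tampered values are assumptions constructed for the demonstration.

```python
import io
import struct
import zipfile

ALLOWED_METHODS = {0, 8}   # assumption: APK entries are only stored (0) or deflated (8)
ENCRYPTED_BIT = 0x0001     # general-purpose flag bit 0: entry claims to be encrypted

def scan_zip_headers(data: bytes) -> list:
    """Return (name, reason) findings from raw central-directory and local headers."""
    findings = []
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        return [("<archive>", "no end-of-central-directory record")]
    # EOCD offset 10: total entries, central directory size, central directory offset
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(total):
        if data[pos:pos + 4] != b"PK\x01\x02":
            findings.append(("<archive>", "central directory truncated or corrupt"))
            break
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        n_len, x_len, c_len = struct.unpack_from("<HHH", data, pos + 28)
        (lfh,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + n_len].decode("utf-8", "replace")
        if flags & ENCRYPTED_BIT:
            findings.append((name, "encryption flag set"))
        if method not in ALLOWED_METHODS:
            findings.append((name, f"unsupported compression method {method}"))
        # A lenient loader may trust one header while a strict parser reads the other.
        if data[lfh:lfh + 4] != b"PK\x03\x04":
            findings.append((name, "local header missing"))
        elif struct.unpack_from("<HH", data, lfh + 6) != (flags, method):
            findings.append((name, "local and central headers disagree"))
        pos += 46 + n_len + x_len + c_len
    return findings

def build_sample(tamper: bool) -> bytes:
    """Constructed sample: a two-entry archive, optionally with one corrupted record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"constructed placeholder " * 8)
        zf.writestr("assets/payload.bin", b"constructed placeholder " * 8)
    raw = bytearray(buf.getvalue())
    if tamper:
        cd = raw.rfind(b"PK\x01\x02")  # last central record = assets/payload.bin
        struct.pack_into("<HH", raw, cd + 8, 0x0001, 0x1234)  # bogus flags, method
    return bytes(raw)

if __name__ == "__main__":
    for name, reason in scan_zip_headers(build_sample(tamper=True)):
        print(f"{name}: {reason}")
```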

Google will block sideloading of unverified Android apps starting next year
The company describes it like an "ID check at the airport." Since requiring all Google Play app developers to verify their identities in 2023, it has seen a precipitous drop in malware and fraud.

Google plans to create a streamlined Android Developer Console, which devs will use if they plan to distribute apps outside of the Play Store. After verifying their identities, developers will have to register the package name and signing keys of their apps. Google won't check the content or functionality of the apps, though.