Microsoft Emergency Patch, Pwn2Own Berlin 2025 Highlights, and Emerging Cybersecurity Threats

May 21, 2025, 10 min

Episode description

In this episode of 'Cybersecurity Today,' host Jim Love discusses several urgent cybersecurity topics. Microsoft has released an emergency patch after a recent Windows update triggered BitLocker recovery mode on certain systems, locking users out without warning. The issue stems from the May security update and affects systems using Intel vPro chips and TXT. Tech enthusiasts may manually download the patch through the Microsoft Update Catalog, while Microsoft urges users to secure their BitLocker recovery keys. The episode also highlights day one of Pwn2Own Berlin 2025, where hackers successfully breached Windows 11, Red Hat Linux, and Oracle VirtualBox, earning a combined $260,000 in prize money. Additionally, US experts discovered hidden communication hardware in Chinese-made solar equipment, raising concerns about remote access risks to the power grid. The FBI warns of a new wave of AI-generated phishing attacks that bypass traditional security measures. Finally, the Consumer Financial Protection Bureau has quietly backed down from regulating data brokers, sparking controversy among privacy advocates. Jim Love offers insights and reminds listeners of the importance of cybersecurity.

00:00 Introduction and Headlines
00:27 Microsoft's Urgent Patch for BitLocker Issue
02:26 Pwn2Own Berlin 2025: Major Security Breaches
04:11 Hidden Devices in Chinese Solar Equipment
06:05 FBI Warns of New Linkless Phishing Attacks
07:58 CFPB Withdraws Rule on Data Brokers
09:33 Conclusion and Contact Information

Transcript

Microsoft issues an emergency fix for a Windows update that locks users out. Pwn2Own Berlin 2025: hackers breach Windows 11, Red Hat Linux and VirtualBox. And that was on day one. US experts flag hidden devices in Chinese-made solar equipment, and the Consumer Financial Protection Bureau quietly backs down on regulating data brokers. This is Cybersecurity Today.

I'm your host, Jim Love. Microsoft has released an urgent patch after recent Windows updates triggered BitLocker recovery mode on some systems, leaving users locked out without warning. The issue stems from the May security update, which caused certain enterprise and government systems using Intel vPro chips and Trusted Execution Technology, or TXT, to enter BitLocker recovery. Affected users were asked to provide a recovery key, something many don't readily have.

Microsoft has released patch KB5061768, available for manual download through the Microsoft Update Catalog. It's not yet part of automatic updates. Users who are already locked out need to locate their BitLocker recovery key, usually stored in their Microsoft account or perhaps with their IT department. For users who aren't locked out yet, Microsoft recommends applying the patch as soon as possible in case it does happen to you.

As a temporary workaround, tech-savvy users or IT admins could disable the Intel TXT and VT-d settings in BIOS, boot the system, apply the patch, but try not to forget to enable those security features when you get the fix. Actually, better still, if you want my take on it, get the emergency fix instead. While home users are unlikely to be affected, the bug underscores how updates, even security ones, can disrupt critical systems.

And if you've dodged the bullet this time, it's a good reminder for support to review the BIOS configurations on their Intel-powered machines, and ensure that they have recovery keys stored securely and accessibly. Apparently, you never know when you might need them. I am losing track here now. Have we had a successful Microsoft update this year?

In case you missed it, last week, the opening of Pwn2Own Berlin 2025 had security researchers demonstrate successful zero-day exploits against Windows 11, Red Hat Linux, and Oracle VirtualBox, all on day one of the conference. These and other exploits earned participants a combined $260,000 in prize money. The DEVCORE Research Team's Pumpkin exploited an integer overflow to escalate privileges in Red Hat Linux for a $20,000 prize.

Another team achieved root access using a combination of vulnerabilities, earning 15,000. STAR Labs SG's Chen Le Qi combined a use-after-free and integer overflow to gain SYSTEM privileges on Windows 11, which earned him $30,000. Additional exploits by other researchers also achieved SYSTEM-level access, and that got two of them $30,000 and $15,000 respectively.

Team Prison Break used an integer overflow to escape the virtual machine in Oracle VirtualBox and execute code on the host OS, earning $40,000. Vendors have 90 days to address these vulnerabilities before public disclosure, but they might also want to try hiring some of these people to do their quality control. I know that Microsoft should have a few bucks to be able to hire a few people after shedding 6,000 employees.

And given the previous story about their patch failures and the three groups that were quite easily busted through their security, Microsoft might want to consider hiring a few more people for quality control, and I'm sure even Oracle and Red Hat could come up with a few bucks to get some additional in-house expertise.

Security teams in the US have discovered undocumented communications hardware in Chinese-made solar inverters and batteries, raising concerns about remote access risks to the power grid, but stopping short of confirming any cyber attack. According to a May, 2024 Reuters investigation, private companies and US utilities found embedded communications devices such as cellular modems in power equipment imported from China. These components weren't listed in product manuals and could potentially allow remote access that bypasses standard firewalls. The report describes this as a serious potential vulnerability.

Some experts fear the hardware could be used to disable or disrupt parts of the US electrical grid. One incident from November where inverters were remotely shut down is also noted, but there's no confirmed link to China or any clear evidence of intentional sabotage. Many modern inverters, regardless of their origin, include remote management features for updates and diagnostics.

The problem arises when such features aren't disclosed to operators or regulators, creating blind spots in security protocols. US officials are taking the risk seriously, but have not publicly released evidence of any attack. The Chinese government for its part denies wrongdoing and accuses Washington of politicizing trade and technology concerns. Now this issue is about trust and transparency in critical infrastructure.

US energy firms are now facing new pressures to scrutinize imported hardware, especially as the grid becomes more decentralized and dependent on smart devices. So while no kill switch has been proven, the findings have already triggered a reevaluation of equipment sourcing and raised calls for stronger supply chain controls. And the FBI is sounding the alarm on a new wave of phishing attacks that skip links entirely.

Instead, the scammers are using AI-generated messages to lure victims into responding directly, a tactic that evades traditional security filters. In a recent public service announcement, the FBI highlighted a growing trend. Attackers are now crafting emails, texts, and messages that don't include suspicious links or attachments. The initial messages are often harmless, impersonating someone who the user might know or trust.

They provide personalized, believable content to eventually trick victims into replying with sensitive information such as passwords, personal data, or even payment details. These linkless phishing messages are especially effective because they can bypass spam filters and security systems that look for malicious URLs. But once the victim replies, attackers continue the conversation to gather more information and escalate the scam.

Now often referred to as business email compromise, BEC, or impersonation fraud, this method uses generative AI to mimic writing styles and even voices. It can appear to come from a boss, a government agency, or a trusted vendor without any of the usual red flags like suspicious links. The rise of linkless phishing makes traditional training and security tools less effective. So the FBI's encouraging individuals and businesses to verify unexpected messages even if they seem harmless, and avoid sharing sensitive information without direct confirmation of who you're talking to.

We've been critical of some governments' inability to develop proper consumer protection with privacy and security regulations. Are you listening, Government of Canada? But the Consumer Financial Protection Bureau, the CFPB in the US, has taken this a step further, withdrawing a proposed rule aimed at restricting data brokers from selling Americans' sensitive personal information without their consent.

Originally introduced by former CFPB director Rohit Chopra, the rule intended to put some controls in place to protect privacy and, since data brokers seem to be hacked regularly, add some level of protection for consumer information. Acting director Russell Vought cited changes in the bureau policy and a revised interpretation of the Fair Credit Reporting Act in canceling the rule.

Privacy advocates and organizations like Common Defense and Demand Progress strongly condemn the move, warning it jeopardizes consumer safety and even national security. Not sure about the last one, but consumer safety? Absolutely, definitely. Meanwhile, industry groups like the Financial Technology Association, representing the financial services industry, supported the rollback, claiming the rule exceeded CFPB authority.

The rule's withdrawal coincides with a significant downsizing at the CFPB, part of a broader government restructuring supported by Elon Musk's DOGE group, who has advocated for the agency's complete elimination. You can be an advocate of lean government and still believe that data brokers are not something we want to have unregulated. And that's our show for today. Glad to be back. I've given you my opinion on data brokers.

You can reach me with yours or other comments, questions, or confidential tips at [email protected] or on LinkedIn. And if you're watching this on YouTube, just leave me a note under the video. I'm your host, Jim Love. Thanks for listening.

Transcript source: Provided by creator in RSS feed: download file