Daily Cyber Briefing Newsletter – August 2025

Written by th4ts3cur1ty.company
September 1, 2025

From Dell’s Vulnerability to Fake VPN Scams: August’s Cyber Security Chaos and the Growing Surveillance Threat

th4ts3cur1ty.company’s Daily Cyber Briefing, hosted by our COO Stephen Ridgway, has been your go-to source for sharp, relevant cyber news since 2023. Listen back here to the podcast. Now, we’re bringing it all together in one place with the Monthly Daily Cyber Briefing Newsletter, packed with all the standout stories you might’ve missed.

Attention Cyber Geeks: You might want to sit down before you read our first ‘Daily Cyber Briefing’ newsletter. August has really outdone itself: breaches, bugs, and biometric blunders.

Pulled from our cyber briefing podcast: the latest wave of cyber security issues is hitting both personal devices and the broader public infrastructure. It feels like every corner of tech (hardware, software, law enforcement, and policy) is raising red flags right now.

Let’s start with Dell laptops. Turns out, a vulnerability in the Broadcom ControlVault firmware has put millions of Dell PCs at risk. Researchers from Cisco Talos dug into it and found a mess of problems: stack overflows, memory management flaws, and insecure deserialization. The scary part? These issues sit so deep in the firmware that an attacker with admin access could actually inject rogue fingerprints or credentials, bypassing disk encryption altogether. Even if you’re careful, an unattended machine could be compromised, and you wouldn’t know. Dell’s scrambling to patch it, but it’s another reminder that security isn’t just about software anymore; it’s buried in the hardware, too.

Fake VPNs

And speaking of trust issues, there was an exposé about fake VPN and security apps on mobile platforms. A campaign linked to a group called VexTrio has been pushing shady apps through Google’s and Apple’s stores: things like fake VPNs, RAM, and spam blockers. They trick users into downloading them, then hit them with hidden subscriptions and ads, all while siphoning off personal data. It’s wild that even “privacy” tools now need to be vetted for privacy.

That ties in neatly with some major concerns about biometrics. You’d think logging in with your face or fingerprint would be more secure, right? Well, not always. 

At Black Hat, researchers showed how attackers could tamper with Windows Hello under certain conditions, especially on systems without Microsoft’s Enhanced Sign-in Security. Basically, if someone already has admin access, they could add their own face to your login profile. That kind of attack would be silent and incredibly hard to detect. Microsoft downplayed the threat, but if your machine isn’t running the right hardware, biometrics might not be as ironclad as you’d hope. 

Facial recognition surveillance

But it’s not just individuals who are at risk. In the UK, the police are rolling out vans equipped with live facial recognition tech. On the surface, it sounds like a crime-fighting upgrade. In practice? It’s pretty dystopian. They’re feeding images from passport databases into the system, and critics are warning that this is surveillance overreach. It’s not just about catching criminals; it’s about monitoring behaviour, associations, and movements. And this expansion comes as more policing shifts to social media, which makes you wonder where the line is between public safety and thought policing.

Of course, facial recognition isn’t even that reliable. Academic reviews have shown that in real-world conditions (blurry images, inconsistent lighting, and diverse populations), these systems perform way worse than in controlled lab tests. That’s how you end up with innocent people being flagged or even arrested, especially in minority communities. The tech just isn’t there yet, and using it as a basis for law enforcement seems reckless at best.

The Online Safety Bill

Now layer all of that onto what’s happening in the regulatory space. The UK’s Online Safety Act, supposedly designed to make the internet safer, is drawing fire from all sides. Business experts like Marc Andreessen are worried it’ll crush free speech, and “some” MPs are saying the Act doesn’t even address the misinformation that helped spark last year’s riots. On the flip side, supporters argue it’s outcome-based and flexible, not a blunt instrument for censorship. Still, with vague rules and questionable oversight, it’s not clear who gets to decide what’s “harmful” versus just controversial. It’s a thin line, and the risk is that platforms will over-correct to avoid penalties.

Even Microsoft has been pushing the limits of user trust.

“You might see the following error in Event Viewer. No action is required.”

They recently told users to just “ignore” certificate enrollment errors in Windows. Seriously! That kind of advice erodes confidence. Most users can’t tell which certificate warnings are legit and which are attacks, so being told to disregard them just makes everything more confusing. How are users supposed to know when something is actually wrong?

PayPal data breach

And in case all that wasn’t enough, there’s a PayPal data breach now making the rounds. A threat actor claims to be selling plaintext credentials (yes, plaintext) for thousands of accounts. If it’s legitimate, and some indicators suggest it is, then PayPal might be facing one of its worst data breaches yet. This kind of breach underlines just how valuable identity data is right now, and how sloppy even major players can be with it. PayPal has recently denied these claims of a recent breach in August 2024.

All of this ties into something that was recently highlighted in a Help Net Security piece about cyber security myths. One myth is that all cyber attacks are sophisticated, but in reality, most are pretty basic: phishing, poor passwords, and misconfigurations. Another is that regulation will fix everything, but even the most comprehensive laws can’t substitute for digital hygiene, investment in secure infrastructure, and user education. Unfortunately, it’s often the simple stuff that gets overlooked until something goes horribly wrong.

So yeah, it’s been a busy few weeks in our cyber briefing. Whether it’s biometric backdoors, surveillance vans, or fake privacy apps, it feels like we’re in a weird tug-of-war between tech promising more control and systems that increasingly take it away. The tools we trust (VPNs, biometrics, and OS security) are starting to show cracks. And the policies meant to protect us are either too slow or too vague to catch up.

Thanks for tuning in to this, the first of our monthly cyber security roundups pulled from th4ts3cur1ty.company’s ‘Daily Cyber Briefing’ podcast, presented by Stephen Ridgway. Find out more about Stephen here.