this week in security — march 8 edition 2026
THIS WEEK, TL;DR
U.S., Israel used cyberattacks to target Iran, while Iranian hackers are mostly quiet
Bloomberg ($): We start this week in Iran... *breathes into a paper bag*... In short, the U.S. and Israeli-led bombing campaign against Iran continues, and while everyone was expecting broad cyber-retaliation, it's been largely crickets from Iran's cyber army, which analysts say has played a negligible role in the conflict. (It might not help having a broad internet outage and bombs dropping from above.) But while Iran's cyber forces are largely quiet, Iran is firing back with missiles across the region, with crucial shipping lanes and supply routes grinding to a halt. The U.S. confirmed it used cyber in its attack on Iran, and there were reports of Iranian apps being hijacked to send warning messages to citizens that "help has arrived," likely a psychological operation (psyop) aimed at urging along regime change. Meanwhile, Israel hacked the traffic cameras across Tehran and tracked phones as part of the operation to kill Iran's supreme leader.
More: Wired ($) | WSJ ($) | Bloomberg ($) | Reuters ($) | Axios | SecurityWeek | Nextgov | DefenseOne | @pylos | @granick | @hatr

OpenAI blurs its mass surveillance 'red lines' with new Pentagon contract
Forbes ($): After the Pentagon designated Anthropic a supply risk to national security last week because it wouldn't let its generals use its AI for killer robots and mass surveillance, OpenAI stepped in to fill the void, saying it was more or less OK with it. A key thing here is that OpenAI says it'll only allow the U.S. to use its AI for mass surveillance under U.S. laws and secretive executive orders, like EO 12333. But if we've learned anything from the decade-plus since the 2013 NSA leaks by Edward Snowden, it's that the U.S.' own "legal" (heavy air quotes) rules permit broad, mass surveillance, including on Americans. Forbes has some of the best analysis going on the weird twists and turns with this ongoing spat. Mensch @masnick has a much longer but very detailed read on exactly why this is a problem, and it's worth taking your time to digest. All the while, OpenAI's Sam Altman couldn't explain why its contract was any safer, if at all. Anthropic, meanwhile, said it's going to sue the Trump administration over the de facto federal ban.
Archive: Emptywheel | More: Techdirt | EFF | @masnick
U.S. Customs & Border Protection says it uses online advertising data to track people
404 Media ($): For the first time, Customs & Border Protection confirmed it bought (no warrant needed) data from the online advertising world to track people. Much of this data includes precise geolocations obtained from ordinary phone apps and sold to data brokers. The revelation prompted some 70 lawmakers to demand answers from its parent department Homeland Security about the buying of people's location data, which they say violates federal law and people's privacy. This kind of tracking relies on the online advertising industry, which shows why using an ad blocker is so important. Yes, the apps in your pocket can allow the feds to monitor you! A lot of the time, the app developers don't even know it themselves.
More: Wired ($) | Gizmodo | @josephcox
~ ~
~this week in security~ is my weekly cybersecurity newsletter supported by readers like you. Please consider signing up for a paying subscription starting at $10/month for exclusive articles, analysis, and more, including:
A beginner's guide to analyzing the network traffic of apps and websites
FBI agents visited my home about an article I wrote, and now I can't go to Mexico
ClickFix attacks are increasingly devious, dangerous, and can hack you in an instant
Apple's Lockdown Mode: Once an 'extreme' security protection, now a necessity for Americans
~ ~
THE STUFF YOU MIGHT'VE MISSED
Meta sued after subcontractors were fed footage from AI smart glasses
Svenska Dagbladet: Mark Zuckerberg's Meta, maker of pervert smart glasses with always-on cameras, is feeding users' glasses footage to subcontractors based in Kenya. Some of the workers described seeing people having sex, credit card numbers, and people undressing. Truly horrible for all involved. Now, Meta is facing a lawsuit over this, and questions from British regulators. ("Oi!")
Suspected U.S.-made exploit kit targeting iPhones now in the hands of spies and cybercriminals
Wired ($): Google researchers say a suite of exploits, which are capable of hacking into older iPhones a multitude of ways simply by visiting a malicious website, has passed from the hands of a government customer of a surveillance vendor (believed to be the U.S. government) into the hands of a Russian espionage crew and a Chinese financially motivated hacker. If you're thinking, well aren't these exploits developed for government use meant to be under lock and key? Well, yeah, and so the argument goes that exploits can't leak if you don't develop them to begin with. Lots of unanswered questions here. Help Net Security has more, and CISA sounded its own alarm over the bugs.
Homeland Security Secretary Noem fired; Oklahoma lawmaker replaces her
Nextgov: Relatedly, area dog killer (but really though) and secretary of Homeland Security, Kristi Noem, was fired by Trump midway through a speech this week, after a hapless year on the job overseeing the indiscriminate rounding up of immigrants, the killing of two U.S. citizens, and cosplaying, to be quite honest. Corey Lewandowski, the largely unseen string-puller at DHS and widely reported to be the romantic partner of Noem, is also out. Trump nominated Oklahoma lawmaker Markwayne Mullin to replace her. Staff at CISA wait with bated breath, reportedly mixed in reaction now that an actual (alleged) adult is in the room, but we'll see. DHS' top IT leadership is also out, per Fedscoop.

LLMs can unmask pseudonymous users at scale with surprising accuracy
Ars Technica: Some AI models are increasingly good at deanonymizing pseudonymous people on social media sites, an effort that has far-reaching consequences for privacy on the internet. Researchers warned that governments could use this technique to go after their critics.
Half of 2025's zero-days were found in enterprise tech
Google Cloud: Some 48% of 90 zero-day bugs that Google tracked last year exploited enterprise software and other corporate networking gear, like firewalls, routers, and VPNs, which we know to be incredibly insecure thanks to the chronic nickel and diming of the cybersecurity industry by private equity. Google also called out Oracle's E-Business Suite, software used by big corporations to store HR files and manage their businesses, which last year was mass-exploited by the Clop gang.
~ ~
OTHER NEWSY NUGGETS
TikTok wants to snoop on your DMs: U.S.-owned (mostly) app TikTok says it won't roll out end-to-end encryption, instead opting to keep staff access to user messages so it can provide user information in response to law enforcement requests. (via BBC News)
LeakBase gets forcibly offlined: Feds in the U.S. and Europe seized LeakBase, billed as one of the largest cybercrime forums for sharing stolen logins and hacking tools, leading to 13 arrests. Stolen logins are still a major source of cybercrime. (via Europol, Justice Department)
Hackers hungry… for money: Hackers abused their access to systems belonging to restaurant point-of-sale maker HungerRush to send a mass email to customers, threatening to release customer data if the company doesn't respond. HungerRush is used by thousands of restaurants around the United States. (via Bleeping Computer, @newarks_twt)

FBI confirms network breach: The FBI confirmed it was hacked. CNN broke the news that the FBI's wiretap systems were targeted. The WSJ ($) has more details, and said China is currently number one on the blame list (of course it's a @dustinvolz scoop!) All eyes are on China's Salt Typhoon, since targeting wiretap systems is pretty much its modus operandi, though it's unclear at this stage if it actually is to blame. (via TechCrunch ($), Cyberscoop)
Proton gave police protester's data: Privacy tools maker Proton gave information about a protester who uses its email service, Proton Mail, to Swiss police under local laws; the Swiss police then passed the information on to the requesting agency — the FBI. It's a reminder that there is little to no real expectation of privacy with any email provider. (via 404 Media ($), @evacide, @proton) And some wise words from @hacks4pancakes:

London Tube hack hits 10 million: The BBC confirmed the 2024 hack on London's transport authority allowed hackers to steal data belonging to 10 million people, which is waaay more than Transport for London initially let on. @joetidy obtained a cache of the stolen data and verified his own data. The cache contains names, emails, home addresses, and phone numbers. (via BBC News, The Register)
~ ~
THE HAPPY CORNER
Thankfully, at last. After a busy week of news, this is the much-earned happy corner.
I laughed at this one, thanks to @malwaretech. (We all know those drapes aren't eavesdrop-proof, or fooling anyone for that matter.)

If you've ever seen that famous xkcd cartoon about dependency on online infrastructure, now you can actually simulate its collapse, thanks to this awesome web-based simulator by @isohedral.

Major congrats to my friends over at Privacy Guides on launching its activism section, including guides and tools to empower privacy activists — people just like me and you! This is a really great interactive resource to learn what you can do to help you support the wider privacy effort. More in the toots. Major props to @Em0nM4stodon for doing amazing work here.
As you'll know from over the years, our house (and all good regular readers of ~this week in security~) gets our supply of cookies from the Trans Girl Scouts. Erin Reed reports that the list of trans kids who are participating in this year's cookie drive exceeded a new high of 220 kids, who have already sold 330,000 boxes! Uhh, you mean 330,005 after my latest order goes in. Get your cookies!
And lastly. I really love this collection of privacy-friendly and helpful web tools for artists and others: delphitools are handmade tools that work in your browser, and do not collect data. Fabulous!
Got good news to share? Get in touch! this@weekinsecurity.com.
~ ~
CYBER CATS & FRIENDS
This week's cyber cat is Archie, who can be seen here carefully contemplating their next hacking strategy... sneak away the credit card and order treats? Or social engineering their human into just turning them over? Thanks so much to Rachel for sending in!

🙀 The cyber-cat bank is running really low! Do you have a minute to send me a snap of your favorite cyber-cat(s) — or non-feline friend? Drop me a quick email with their name and photo, and they'll be featured in an upcoming newsletter! 🐈‍⬛
~ ~
SUGGESTION BOX
Thank you so much for reading, I hope you enjoyed this week's news blast.
On a brief programming note, there will be no newsletter next Sunday as I'm away next week for a much-needed vacation. I promised my partner that we'd go away for a few days since Mexico is off the list of places I can go any time soon. Maybe next year we'll go to Jamaic…ah, crap!
In any case, I posted a very, very long post on the blog, a beginner's guide to Burp Suite, which has been one of the single most helpful technical things I have learned in my career, and will surely keep you busy if you want to dig in. I'd really encourage you to take a look, and consider becoming a paying subscriber!
Feel free to get in touch, though I may be a little slower than usual to respond. I appreciate your patience. And, thanks again for all your support, your emails, and your readership. I am enormously grateful.
Back in a couple!
@zackwhittaker