Трамп усиливает давление на картели и обещает новые шаги Пентагону и Минюсту в борьбе с фентанилом.

Google фиксирует волну атак на React с бэкдорами и инструментами туннелирования.

Science Robotics рассказал о самых маленьких машинах в мире.

Отчёты о найденных в даркнете данных уйдут в прошлое — Google назвал даты.

Полное руководство по безопасным покупкам.

Ошибка 403 при подключении к SoundCloud через VPN оказалась следом инцидента безопасности.

ShinyHunters шантажируют Pornhub, заявляя о краже истории просмотров и поисков Premium-пользователей.

Кибератака на PDVSA остановила экспорт венесуэльской нефти на фоне конфликта с США.

Тот неловкий момент, когда о дырах в безопасности приходится писать в СМИ, потому что у техподдержки банально нет почты.

Мерц говорит о гибридной войне и уже готовит ответ вместе с европейскими партнёрами.

Китайские организации опубликовали 2700 работ об уязвимостях американских энергосетей.

Связка «игрушка + приложение» удобна, но иногда превращает приватность в товар для рекламы и брокеров данных.

ИБ-специалисты бьют тревогу из-за нового тренда на теневом рынке.

Эксперты поговорили о ключевых принципах и практических шагах, которые позволяют не только предотвратить атаку, но и минимизировать ущерб в случае инцидента.

Порядка 15 % атак на средний и крупный бизнес оказывались диверсиями — компаниям наносился непоправимый урон, возможности выкупа декриптора не предоставлялось.

При переводе средств выяснилось, что в кошельке хранится два биткойна, которые в итоге злоумышленники забрали».

Это единственный способ увидеть, как процессы работают на практике, а не на бумаге».

Есть ли у вас чёткий план: кто и что будет делать, сколько времени займёт восстановление, как найти нужный сервер?

Причём травля, судя по источникам, встречалась и в учебных заведениях, ориентированных на небогатых людей, и в школах, где обучалась высшая аристократия.

С другой стороны, если речь заходит о кибербуллинге, то более активны девочки, причём и в качестве агрессоров, и в качестве жертв.

Были такие прецеденты и в России, в частности, с сочинцем Владимиром Голубовым.

Они находятся в одном ряду с разжиганием ненависти и насилия, вовлечением в пьянство и употреблением наркотиков, сексуальной эксплуатацией, распространением идеологий террористических группировок.

С другой стороны, данная проблема является застарелой, её предпосылки складывались много лет, и с ней на системном уровне практически не …

Как проходит рабочий день специалиста, какие ошибки могут быть критичными для ИБ организации и как справляться с постоянными вызовами — обо всём этом подробнее.

Список задач в основном следующий: разработка и внедрение новых правил и политик безопасности, сложные расследования АРТ-атак и взаимодействие с внешними организациями, регуляторами.

Распределение обязанностей в корпоративном SOC и коммерческом не является строго фиксированным: конкретный набор задач зависит от структуры команды, применяемых платформ и организационных процессов.

Описанная система KPI обеспечивает прозрачность работы SOC, позволяет выявлять узкие места в процессах и поддерживать одинаковый уровень эффективности как в…

Мы побывали на одной из стратегических сессий, проведённых компанией WMT AI в Москве в кластере «Образовательный» МГУ.

Снижение затрат при внедрении ИИ в ПО в разных областях (McKinsey Global Survey, 2025)GenAI и безопасностьПочти все разделяют мнение, что приход GenAI в сферу кибербезопасности неизбежен.

Очевидно, что по мере нарастания ИИ-агентов в бизнес-системах, поддержку этих однотипных задач лучше выделить в отдельный фреймворк для управления ИИ.

Делать это необходимо хотя бы потому, что ИИ постепенно становится основным носителем информации, даже шире, чем интернет или соцсети.

Обсуждение кейсов на реальных примерах позволит грамотно ставить возникающие задачи, активней внедрять ИИ …

Как отметил модератор дискуссии «Как подготовить компанию к разрушительной кибератаке» на SOC Forum 2025 (рис.

Причём это касается не только технического персонала, но и подразделений, которые не имеют никакого отношения к ИТ и ИБ службе.

Впрочем, вопрос о том, платить или не платить вымогателям, однозначного ответа не имеет.

Он предостерёг от попыток скрыть инцидент, в том числе от регуляторов, которые, к слову, также могут помочь.

Традиционным для завершения дискуссии стал вопрос о том, чего стоит ждать и к чему готовиться в будущем.

Теперь аналогичную функциональность для управления PKI-инфраструктурой в Linux-среде с полноценным Autoenrollment (автоматической выдачей) сертификатов предлагает и российская разработка: корпоративный центр сертификации SafeTech CA в связке с доменом ALD Pro.

Windows-серверы мигрируют на Astra Linux, Active Directory заменяется на ALD Pro.

Таким образом, ручное управление сертификатами не только трудоёмко и неэффективно, но и обходится компании слишком дорого — и для бюджета, и для безопасности.

Интерфейс командной строки: предоставляет набор утилит командной строки (getcert) для управления и диагностики.

ВыводыКомплексное решение на базе SafeTech CA и ALD Pro закрывает главный пробел Linu…

Разница не в людях — все мы одинаково открываем почту и кликаем по ссылкам, — а в масштабе катастрофы.

Что такое кибергигиена и почему она критична для госслужащих и компанийКибербезопасность — это когда организация защищает свои системы, данные и процессы от взлома, блокировки и утечек.

Поэтому нарушение правил кибергигиены одним сотрудником может отразиться не только на его ведомстве, но и на смежных структурах, госсервисах и гражданах.

Правило простое: если вы не в офисе и не дома — сначала VPN, потом работа.

Резервная копия, которая не восстанавливается, — это не резервная копия, а иллюзия безопасности.

Управление очередью файлов на поведенческий анализ, настройки приоритета источников и файлов на поведенческий анализ.

Настройка проверки, предварительной фильтрации, файлов в песочницеДобавлен ряд опций, позволяющий гибко настроить порядок проверки в зависимости от выявленных PT Sandbox свойств файлов.

Антивирусные средства проверки в PT Sandbox 5.27Правила в формате YARAДополнились средства проверки и возможность пользовательской загрузки правил в формате YARA.

Системные требования PT Sandbox 5.27Для корректной и стабильной работы PT Sandbox важно учитывать системные требования, которые зависят от планируемой нагрузки, объёма хранилища и уровня производительности.

Вердикты анализа в PT San…

Значимых результатов удаётся добиться тогда, когда обучение ориентировано не на всех сразу, а на конкретные группы риска.

Ошибки компаний в обученииНи одна платформа сама по себе не повышает уровень безопасности, если обучение выстроено формально и не отражает реальной работы сотрудников.

Система менеджмента информационной безопасности (ISO / IEC 27001:2022) также требует, чтобы организации обеспечивали «осведомлённость и обучение персонала по мерам безопасности» и регулярно проверяли эффективность этих программ.

Hoxhunt делает упор на персонализацию и игровой подход: пользователи получают баллы и достижения, а обучение строится «по возрастанию» сложности.

Но вне зависимости от региона обща…

Как подчеркнул модератор дискуссии «От кликбейта до утечки данных: как манипулируют нашим вниманием и безопасностью» (рис.

Но чем новости хуже, тем повышается тревожность, что, в свою очередь, приводит к выбросу кортизола — «гормона стресса».

По этой причине люди воспринимают негативную информацию как ценную и достоверную, что не всегда соответствует реальности.

Эта волна ажиотажного спроса охватила не только Японию, но и другие страны, и Россия не стала исключением.

И в целом, как отметил основатель CURATOR Александр Лямин в интервью Anti-Malware.ru, DDoS-атаки весьма широко применяются в конкурентной борьбе.

Экосистемы кибербезопасности — это следующий эволюционный шаг после набора точечных решений.

Юрий Драченин пояснил, что экосистемы должны отвечать на 3 фундаментальных вопроса кибербезопасности: усложняющийся ИТ-ландшафт у заказчика, стоимость владения, совместимость и надёжность систем.

Речь идёт о снижении нагрузки на инфраструктуру и, что критически важно, об экономии времени и усилий специалистов безопасности.

Этот показатель, как правило, убедительнее любых других и служит веским аргументом как для руководства, принимающего решение, так и для линейных специалистов, которые будут использовать систему.

Именно такие конкретные и понятные примеры, показывающие практическую выгоду от совмес…

Threat Intelligence (TI): основные понятияСуществуют различные трактовки понятия Threat Intelligence (TI) или Cyber Threat Intelligence (CTI).

Как развивается мировой рынок Threat IntelligenceДля оценки объёма мирового рынка Threat Intelligence можно обратиться к исследованию The Business Research Company.

Обзор отечественных платформ и сервисов Threat IntelligenceЗа последние пару лет сегмент решений Threat Intelligence в России значительно вырос, и спрос на подобные продукты продолжает расти.

Kaspersky Threat Intelligence Portal объединил множество сервисов: Kaspersky Threat Lookup, Kaspersky Threat Analysis, Kaspersky Threat Infrastructure Tracking, Kaspersky Threat Data Feeds, Kaspersky…

В отношениях бизнеса и ИБ наметились заметные подвижки в лучшую сторону.

Плюс ко всему, он не решает проблему, связанную с недостаточной зрелостью бизнеса и неготовностью нести дополнительные расходы и ответственность за провалы в обеспечении безопасности.

Так что неслучайно, что тема организации диалога ИБ и бизнеса поднялась на SOC Forum.

Так, синергия информационной и экономической безопасности стала требованием бизнеса, и нормальная работа соответствующих служб просто невозможна без систем, которые находятся в ведении каждой из них.

Директор защиты информации и ИТ-инфраструктуры «Норильского никеля» Алексей Мартынцев назвал построение коммуникаций ИБ и бизнеса сложной задачей.

При этом остаётся важным определить, где проходят реальные пределы рыночного потенциала и в каких точках ожидания участников оказываются необоснованными.

Сектор привлекает молодёжь, создаёт точки роста для смежных отраслей и оказывает давление на бизнес: компании, не инвестирующие в цифровизацию, рискуют потерять конкурентоспособность даже в традиционных сегментах.

Многие организации продолжают приобретать продукты «про запас», а в ряде случаев поддержка зарубежных решений осуществляется уже собственными силами.

Стоимость ИТ-специалистов и ПО — другая история, которая во многом структурна и напрямую не связана с общей инфляцией.

Необходимо строить консервативные бизнес-планы, хеджировать ри…

Особенно когда заявлено, что система не является форком, а представляет собой минимальную базу, созданную с нуля.

Мы не пересобираем чужие дистрибутивыСкриншот с сайтаПервое, что бросается в глаза на сайте - громкое заявление:«NiceOS — не ещё один Linux.

И что я вижу?

Вывод №3: Это свежак, это не надежноАкт 4.

не, не слышалиПри установке нас встречает EULA (Лицензионное соглашение).

в статье фигурируют два отпечатка: отпечаток (hash) публичного ключа и отпечаток (hash) файла с данными.

Предполагается, что мы на 100500% уверены в подлинности этого отпечатка (мы вернёмся к вопросу уверенности в конце статьи).

Сообщение gpg: Can't check signature: No public key говорит нам, что у нас нет публичного ключа с таким отпечатком.

Вы могли получить и файл с данными, и asc-файл от злоумышленников.

Однако остаётся критическая проблема безопасности: если кто-то взломал сайт Armbian и заменил отпечаток ключа на свой собственный.

Исследователи «Лаборатории Касперского» опубликовали подробный анализ беспроводного протокола с низким энергопотреблением Zigbee, используемого для автоматизации как в домашних условиях, так и в промышленности.

Производителя устройства можно определить, проанализировав MAC-адреса устройств в сети, которые передаются открытым текстом.

В статье подробно рассматривается оборудование для мониторинга передачи данных в сети Zigbee и инъекции пакетов (недорогое устройство nRF52840 компании Nordic Semiconductor).

Операторам сетей Zigbee в промышленности рекомендуется использовать функциональность из самых свежих спецификаций протокола, а также избегать применения в сети стандартных ключей шифровани…

Однако довольно быстро после запуска «приватного коммьюнити» что‑то пошло не по плану.

Кстати, в посте канала был и пост, что и наш прошлый друг RYD сногсшибательно прошёл аудит — и тоже без пруфов.

И если вы не в whitelist и не админ — транзакция отклоняется.

Нам поясняется, что это не блокировка.

Никто не крал приватные ключи и не обходил защиту смарт‑контрактов.

Это устройство, выпущенное в прошлом году, позволяет удалённо управлять компьютером или сервером при помощи виртуальной клавиатуры, мыши и монитора.

Когда я сам купил это устройство, то провёл краткий аудит безопасности и обнаружил множество настораживающих проблем.

Скрытый микрофонПотом я обнаружил нечто ещё более настораживающее — крошечный микрофон, о котором не говорится в официальной документации.

Скрытый микрофон в NanoKVMФизически удалить микрофон можно, но сделать это не так просто.

На самом деле, это не такая уж плохая идея, потому что в конце прошлого года в PiKVM тоже появилась двусторонняя поддержка аудио.

Мы предложим системный взгляд на MLSecOps и разберем, как выстроить эффективную защиту на каждом этапе разработки и внедрения моделей – от подготовки данных и обучения до деплоя и мониторинга в продакшене.

Задачи безопасностиОпределение требований – четко зафиксировать цели по безопасности, приватности данных и соответствию внутренним и внешним нормативам.

Контроль целостности и источников – строгая верификация происхождения данных и обеспечение их неизменности на всех этапах передачи и хранения.

· Обучение модели – обеспечение безопасного и устойчивого обучения модели в контролируемой среде и на верифицированных данных.

Решения и меры защитыЦелостность модели – контроль подлинности и неизм…

Далее стал капитаном синей команды (Command and Defend, которая впоследствии сменила название на Ctrl+Alt+Defend) и возглавлял ее на протяжении пяти битв подряд.

Спойлер: атакующие так и не получили доступ к SCADA, хотя реализация КС в этом сегменте и дальнейшее расследование считаются у нас верхом мастерства.

Теперь я расскажу, каким образом красные команды смогли проникнуть в нашу инфраструктуру и как у них получилось реализовать КС.

Нам было необходимо разобраться не только в эксплуатации уязвимости, которую видно в предоставленных СЗИ, но и в логике работы приложения, на что ушло немало времени.

Красные команды постоянно совершенствуются, и с каждым разом их обнаружение становится всё б…

Сегодня мы поговорим про ‘’взрослый’’ autoenrollment сертификатов в Linux.

Всё это делает процесс автоматизации выпуска, обновления и отзыва сертификатов (autoenrollment-а сертификатов) в Linux-доменах трудоёмким.

В данной статье не будем рассматривать типы выпускаемых сертификатов и вопросы их дальнейшего использования, сосредоточимся на вопросах запроса и доставки сертификатов, получения и обновления (в конечном итоге сертификаты различаются лишь составом атрибутов и их значениями, в данном случае это не особенно важно).

Отдельную угрозу представляет безопасность закрытых ключей, которые в Linux зачастую хранятся в файловой системе без достаточной защиты (вплоть до отсутствия правил управ…

«Начиная с этого релиза, Notepad++ и WinGUp проверяют подпись и сертификат загруженных установщиков в процессе обновления.

Следует отметить, что в начале декабря известный ИБ-специалист Кевин Бомонт (Kevin Beaumont) предупреждал, что ему известно о трех организациях, пострадавших от инцидентов, связанных с Notepad++.

Дело в том, что когда Notepad++ проверяет обновления, он обращается к адресу https://notepad-plus-plus.org/update/getDownloadUrl.php?version=<номер_версии>.

Также специалист напомнил, что злоумышленники нередко используют вредоносную рекламу для распространения зараженных версий Notepad++, которые в итоге устанавливают малварь.

Дело в том, что расследование еще продолжается, и …

Специалисты MITRE опубликовали ежегодный рейтинг 25 самых опасных и распространенных проблем в программном обеспечении, которые стали причиной появления более 39 000 уязвимостей (раскрытых с июня 2024 по июнь 2025 года).

Отчет был подготовлен совместно с HSSEDI и Агентством по кибербезопасности и защите инфраструктуры США (CISA), курирующими программу Common Weakness Enumeration (CWE).

Под уязвимостями в ПО в данном случае подразумеваются самые разные проблемы, баги, уязвимости и ошибки, обнаруженные в коде, архитектуре, имплементациях или дизайне софта.

CWE отличаются от CVE тем, что, по сути, первые являются предшественниками вторых, то есть CWE приводят к появлению непосредственно уязвим…

Справка: сканирование портовСка­ниро­вание пор­тов — стан­дар­тный пер­вый шаг при любой ата­ке.

Он поз­воля­ет ата­кующе­му узнать, какие служ­бы на хос­те при­нима­ют соеди­нение.

На осно­ве этой информа­ции выбира­ется сле­дующий шаг к получе­нию точ­ки вхо­да.

На­ибо­лее извес­тный инс­тру­мент для ска­ниро­вания — это Nmap.

Улуч­шить резуль­таты его работы ты можешь при помощи сле­дующе­го скрип­та:#!/ bin/ bash ports = $( nmap -p- --min-rate = 500 $1 | grep ^[ 0- 9] | cut -d '/ ' -f 1 | tr ' ' ', ' | sed s/, $/ / ) nmap -p $ports -A $1

В Windows обнаружена новая уязвимость нулевого дня в службе Remote Access Connection Manager (RasMan), которую можно использовать для провоцирования отказа в обслуживании и дальнейших атак с повышением привилегий.

Новый баг был обнаружен при анализе другой проблемы — CVE-2025-59230 (уязвимости повышения привилегий в RasMan, которую Microsoft исправила в октябре 2025 года после сообщений об использовании в реальных атаках).

Она затрагивает все версии Windows — от Windows 7 до Windows 11, а также Windows Server от версии 2008 R2 до Server 2025.

Представители Microsoft подтвердили СМИ наличие проблемы и сообщили, что уже работают над исправлением.

При этом в компании подчеркнули, что системы с…

Эту уязвимость совместно выявили собственные специалисты Apple и Google TAG.

Сообщается, что проблемы угрожают следующим устройствам:iPhone 11 и новее;iPad Pro 12,9 дюйма (третье поколение и новее);iPad Pro 11 дюймов (первое поколение и новее);iPad Air (третье поколение и новее);iPad (восьмое поколение и новее);iPad mini (пятое поколение и новее).

Apple исправила обе проблемы в составе iOS 26.2 и iPadOS 26.2; iOS 18.7.3 и iPadOS 18.7.3; macOS Tahoe 26.2; tvOS 26.2; watchOS 26.2; visionOS 26.2 и Safari 26.2.

Это тот же CVE, исправления для которого подготовила Apple, что указывает на скоординированный выпуск патчей и раскрытие информации.

Поскольку обе уязвимости затрагивают WebKit (который …

В эту версию вошли три новых инструмента, улучшения для десктопных окружений, предварительная версия Wifipumpkin3 в NetHunter, а также расширенная поддержка Wayland.

Так, в GNOME 49 добавились обновленные темы оформления, новый видеоплеер Showtime, были реорганизованы папки инструментов в сетке приложений, а также появились новые горячие клавиши для быстрого запуска терминала.

Наконец, Xfce теперь поддерживает цветовые темы, которые предлагают функциональность, аналогичную той, что уже была реализована в GNOME и KDE.

Традиционно в каждом новом релизе в Kali добавляются свежие инструменты, и версия 2025.4 не стала исключением.

Также этот релиз привносит ряд обновлений в Kali NetHunter.

Мерч «Хакера» отлично подойдет для подарка и хорошо смотрится как на конференциях, так и в обычной жизни.

Футболки «Хакера»От зашифрованных в коде посланий до стильного минимализма и яркого киберпанка — все принты уникальны и созданы с учетом пожеланий нашего комьюнити.

В футболках «Хакера» можно ходить на стендапы и конференции, гулять по городу, залипать в код до утра или носить под худи в холодные зимние деньки.

Бейсболки «Хакера» будут уместны в любой ситуации: четыре модели с объемной вышивкой созданы специально для тех, кто ценит качество и минимализм.

Бейсболки «Хакера» — это:качество — плотная ткань, комфортная посадка, прочный регулятор на кнопке;вышивка — объемная вышивка, которая…

Уязвимость нулевого дня в популярном сервисе для самостоятельного хостинга Git-репозиториев Gogs позволяет злоумышленникам удаленно выполнять произвольный код, что привело к взлому сотен серверов по всему миру.

Дело в том, что версии Gogs, в которых исправлена уязвимость CVE-2024-55947, теперь проверяют пути файлов, чтобы предотвратить directory traversal.

Эксперты из компании Wiz обнаружили новую уязвимость еще в июле 2025, когда изучали малварь на Gogs-сервере одного из своих клиентов.

Дальнейший анализ показал, что в сети можно найти более 1400 публично доступных серверов Gogs, а свыше 700 из них демонстрируют признаки компрометации.

Все взломанные инстансы, обнаруженные в ходе расследов…

Исследователи из компании Varonis обнаружили новую PhaaS-платформу Spiderman, которая нацелена на пользователей банков и криптосервисов в Европе.

Злоумышленники используют сервис для создания копий легитимных сайтов, чтобы воровать учетные данные, 2ФА-коды и информацию о банковских картах.

По словам экспертов, платформа ориентирована на финансовые организации в пяти европейских странах и такие крупные банки, как Deutsche Bank, ING, Comdirect, Blau, O2, CaixaBank, Volksbank и Commerzbank.

Также Spiderman может создавать фишинговые страницы для финтех-сервисов, таких как шведская Klarna и PayPal.

Исследователи отмечают, что все фишинг-киты основаны на том, что жертва сама кликнет по ссылке и …

Кро­ме того, есть спе­циали­зиро­ван­ные решения для логов и трас­сиров­ки, так­же при­веду неболь­шой спи­сок.

В репози­тори­ях рос­сий­ско­го дис­три­бути­ва РЕД ОС дос­тупно решение Graylog, и это, на мой взгляд, хорошая и мощ­ная сис­тема цен­тра­лизо­ван­ного сбо­ра, ана­лиза и хра­нения логов.

MongoDB — база дан­ных, которая исполь­зует­ся в Graylog для хра­нения кон­фигура­цион­ных дан­ных и метадан­ных.

Средс­тва сбо­ра логов на кли­ентах:В Linux: стан­дар­тный демон auditd для ауди­та событий безопас­ности и rsyslog для пересыл­ки сис­темных логов.

Итак, в нашей опыт­ной инфраструк­туре необ­ходимо уста­новить сер­вер сбо­ра событий монито­рин­га Graylog и орга­низо­вать отправ­ку …

В спецификации протокола PCIe IDE обнаружили сразу три уязвимости.

Проблемы затрагивают PCIe Base Specification Revision 5.0 и более поздние версии в механизме протокола, представленном в Engineering Change Notice (ECN) для IDE.

По словам специалистов, в зависимости от имплементации уязвимости могут приводить к утечкам данных, повышению привилегий или отказу в обслуживании на затронутых компонентах PCIe.

PCIe IDE, который появился в PCIe 6.0, предназначен для защиты передачи данных посредством шифрования и проверки целостности.

— отсутствие проверки целостности на принимающем порту позволяет изменить порядок передачи PCIe-трафика, из-за чего получатель обработает устаревшие данные.

Компания выпустила исправления для Chrome в версиях для Windows (версия 143.0.7499.109), macOS (143.0.7499.110) и Linux (143.0.7499.109).

Обновления уже должны быть доступны для всех пользователей, хотя Google предупреждает, что полное развертывание патчей может занять несколько дней.

Любопытно, что в настоящее время новая 0-day не имеет даже CVE-идентификатора.

С начала 2025 года Google устранила в Chrome уже семь 0-day, и «безымянная» проблема стала восьмой.

Для сравнения: в 2024 году Google исправила 10 0-day в своем браузере, часть из которых была продемонстрирована на соревнованиях Pwn2Own, а остальные тоже эксплуатировались в реальных атаках.

Google has announced that it's discontinuing its dark web report tool in February 2026, less than two years after it was launched as a way for users to monitor if their personal information is found on the dark web.

To that end, scans for new dark web breaches will be stopped on January 15, 2026, and the feature will cease to exist effective February 16, 2026.

"While the report offered general information, feedback showed that it didn't provide helpful next steps," Google said in a support document.

In July 2024, Google expanded the offering beyond Google One subscribers to include all account holders.

Google is also urging users to strengthen their account privacy and security by creating …

The extension in question is Urban VPN Proxy, which has a 4.7 rating on the Google Chrome Web Store.

"Users who installed Urban VPN for its stated purpose – VPN functionality – woke up one day with new code silently harvesting their AI conversations."

Due to the nature of the data involved in AI prompts, some sensitive personal information may be processed.

"The protection feature shows occasional warnings about sharing sensitive data with AI companies," Dardikman said.

"The harvesting feature sends that exact sensitive data - and everything else - to Urban VPN's own servers, where it's sold to advertisers.

Multiple security vulnerabilities have been disclosed in the open-source private branch exchange (PBX) platform FreePBX, including a critical flaw that could result in an authentication bypass under certain configurations.

As temporary mitigations, FreePBX has recommended that users set "Authorization Type" to "usermanager," set "Override Readonly Settings" to "No," apply the new configuration, and reboot the system to disconnect any rogue sessions.

Users are also displayed a warning on the dashboard, stating "webserver" may offer reduced security compared to "usermanager."

For optimal protection, it's advised to avoid using this authentication type.

It is best practice not to use the authe…

As a result, the cryptographic keys never change and can be used to access files containing valuable data.

As a result, the cryptographic keys never change and can be used to access files containing valuable data.

"Pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities, compared to advanced persistent threat (APT) groups.

"When a victim uses Okta as their identity provider (IdP), the phishing page hijacks the SSO authentication flow to bring the victim to a second-stage phishing page, which acts as a proxy to the organization's legitimate Okta tenant and captures the victim's credentials and session tokens," Datadog said…

Why Browser Extensions Are a SaaS Security NightmareFor SaaS security teams, ShadyPanda's campaign shows us a lot.

It proved that a malicious browser extension can effectively become an intruder with keys to your company's SaaS kingdom.

Steps to Reduce Browser Extension RiskSo based on all of this, what can organizations do to reduce the risk of another ShadyPanda situation?

Below is a practical guide with steps to tighten your defenses against malicious browser extensions.

Treat Extension Access Like OAuth AccessShift your mindset to treat browser extensions similarly to third-party cloud apps in terms of the access they grant.

Cybersecurity researchers have disclosed details of an active phishing campaign that's targeting a wide range of sectors in Russia with phishing emails that deliver Phantom Stealer via malicious ISO optical disc images.

The infection chain begins with a phishing email that masquerades as legitimate financial communications, urging recipients to confirm a recent bank transfer.

The ISO image ("Подтверждение банковского перевода.iso" or "Bank transfer confirmation.iso") serves as an executable that's designed to launch Phantom Stealer by means of an embedded DLL ("CreativeAI.dll").

Phantom Stealer is capable of extracting data from cryptocurrency wallet browser extensions installed in Chromium…

According to SentinelOne, VolkLocker (aka CyberVolk 2.x) emerged in August 2025 and is capable of targeting both Windows and Linux systems.

More importantly, the master key is also written to a plaintext file in the %TEMP% folder ("C:\Users\AppData\Local\Temp\system_backup.key").

Since this backup key file is never deleted, the design blunder enables self-recovery.

Documents, Desktop, Downloads, and Pictures, if victims fail to pay within 48 hours or enter the wrong decryption key three times.

VolkLocker payloads come with built-in Telegram automation for command-and-control, allowing users to message victims, initiate file decryption, list active victims, and get system information.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a high-severity flaw impacting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.

CVE-2018-4063 (CVSS score: 8.8/9.9) refers to an unrestricted file upload vulnerability that could be exploited to achieve remote code execution by means of a malicious HTTP request.

"A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver," the agency said.

"This vulnerability exists in the file upload capability of templates within the AirLink 450," the company sai…

Apple on Friday released security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and its Safari web browser to address two security flaws that it said have been exploited in the wild, one of which is the same flaw that was patched by Google in Chrome earlier this week.

It's worth noting that CVE-2025-14174 is the same vulnerability that Google issued patches for in its Chrome browser on December 10, 2025.

It's been described by the tech giant as an out-of-bounds memory access in the company's open-source Almost Native Graphics Layer Engine (ANGLE) library, specifically in its Metal renderer.

Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) …

Cybersecurity researchers are calling attention to a new campaign that's leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based Remote Access Trojan (RAT) dubbed PyStoreRAT.

PyStoreRAT has been described as a "modular, multi-stage" implant that can execute EXE, DLL, PowerShell, MSI, Python, JavaScript, and HTA modules.

The malware also deploys an information stealer known as Rhadamanthys as a follow-on payload.

Attack chains involve distributing the malware through Python or JavaScript loader stubs embedded in GitHub repositories masquerading as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities that are designed to appeal to a…

Cybersecurity researchers have documented four new phishing kits named BlackForce, GhostFrame, InboxPrime AI, and Spiderman that are capable of facilitating credential theft at scale.

BlackForce, first detected in August 2025, is designed to steal credentials and perform Man-in-the-Browser (MitB) attacks to capture one-time passwords (OTPs) and bypass multi-factor authentication (MFA).

When the attacker attempts to log in with the stolen credentials on the legitimate website, an MFA prompt is triggered.

GhostFrame Fuels 1M+ Stealth Phishing AttacksAnother nascent phishing kit that has gained traction since its discovery in September 2025 is GhostFrame.

InboxPrime AI Phishing Kit Automates E…

“A City of a Thousand Zero Days” is the partial title of a talk at Black Hat Europe 2025.

Compounding the issue, the software is hosted on public-facing IP addresses; thus, it’s accessible from the internet.

One comment I distinctly remember from the research is that the protocol used by the ICS device concerned was never designed to be connected to the internet.

The talk by Gjoko raised a similar concern: the building management system was not designed to be public facing on the internet, and the vendor recommends to secure it behind a virtual private network (VPN).

Building management systems are one example of this.

Being seen as reliable is good for ‘business’ and ransomware groups care about 'brand reputation' just as much as their victimsBlack Hat Europe 2025 opened with a presentation by Max Smeets of Virtual Rotes titled ‘Inside the Ransomware Machine’.

At their height, between 2022-2024, the group had 194 affiliates, of which 110 had managed to get a cyberattack to the point of negotiation, with 80 of the affiliates succeeding in getting paid by the ransomware group.

Reputation is everythingA key message delivered by Max was regarding reputation, both of the victim and the ransomware group.

The victim company needs to uphold their reputation with their customers and any hint of a data breach can …

Which brings to mind Schrödinger’s cat, the famous thought experiment where a cat in a sealed box is simultaneously alive and dead – until you look inside.

But now I’m going to pick holes in the analogy a little whilst hoping to underscore the key message.

Therefore, the quantum breach analogy doesn’t quite hold.

And that’s even if you can recruit enough people due to the much reported, cybersecurity skills shortage.

Stress is probably one of the words most used in cybersecurity teams the world over, when describing their day-to-day – and it’s hardly surprising.

Despite their wordy nomenclature, every report mentioned above has a beneficial role in canvassing the colorful endpoint security landscape.

Some, like the MITRE ATT&CK Evaluations, go as far as to pit products against known advanced adversary attacks.

Producing value is one thing, but keeping it safe is another: hence the need for appropriate endpoint security measures.

Most well-regarded independent analyst and lab test reports focus on endpoints, since they’re at the crossroads of every activity, including malign.

MITRE ATT&CK Evaluations Enterprise is the one for you then.

Put simply, a whaling cyberattack is one targeted at a high-profile, senior member of the corporate leadership team.

Or to hijack their email account in order to launch BEC attacks at subordinates impersonating the whale to get a smaller fish to make a big money transfer.

With AI, whaling attacks increase in scale and effectiveness, as sophisticated capabilities become democratized to more threat actors.

Taking out the whalersThere are several ways security teams can help to mitigate the risks of spearphishing and BEC attacks.

More generally, your organization may want to start limiting the kind of corporate information it shares publicly.

Often, threat actors research the individual they’re targeting in order to improve their success rates.

If IT doesn’t properly manage the accounts, credentials and privileges of its users and machines, security blind spots inevitably emerge.

How to enhance identity securityA considered, multi-layered approach to identity security can help mitigate the risk of serious compromise.

Revisit security training for all employees, from the CEO down, to ensure they know the importance of identity security, and can identify the latest phishing tactics.

Best practice identity security starts with a prevention-first mindset.

E02DD79A8CAED662969F 6D5D0792F2CB283116E8 66f3e097e4tnyHR .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

E8F4EA3857EF5FDFEC1A 2063D707609251F207DB main .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

F26CAE9E79871DF3A47F A61A755DC028C18451FC 7295be2b1fAzMZI .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

FF09608790077E1BA52C 03D9390E0805189ADAD7 20d188afdcpfLFq .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

A9747A3F58F8F408FECE FC48DB0A18A1CB6DACAE AppVs .exe WinGo/TrojanProxy .Agent.D MuddyWater – go‑socks5 reverse tunnel.

It could feasibly be described as the largest open database of corporate information in the world: a veritable treasure trove of job titles, roles, responsibilities and internal relationships.

It’s also where recruiters post job listings, which may overshare technical details that can be leveraged later on in spearphishing attacks.

They might also share corporate email addresses in Git commit configurations.

Here are some hypothetical examples:An adversary finds LinkedIn information on a new starter in an IT role at company A, including their core role and responsibilities.

Update security awareness programs to ensure that all employees, from executives down, understand the importance of no…

Data exposure by top AI companies, the Akira ransomware haul, Operation Endgame against major malware families, and more of this month's cybersecurity newsNovember 2025 is almost behind us, and it's time for ESET Chief Security Evangelist Tony Anscombe to look at cybersecurity stories that raised the alarms, moved the needle or offered vital lessons over the past 30 or so days.

Here's some of what caught Tony's eye this month:many of the world's largest Ai companies inadvertently leak their secrets such as API keys, tokens, and sensitive credentials in their GitHub repositories, according to cloud security giant Wiz,the Akira ransomware group has netted $244 million from its malicious activ…

Doxxing (doxing) is what happens when a malicious third party deliberately exposes the personal information of someone else online.

Or query WHOIS databases that store the personal details of website/domain name registrants.

It would involve sending phishing messages to the victim in order to trick them into divulging logins or personal information, or installing infostealing malware on their machine/device.

Minimizing the doxxing threatThe best way to reduce your children’s exposure to doxxing is to minimize the amount of personal information their share online.

Never share their personal details, or even photos that could identify school and location.

If you’re a social media content creator, it may be time to revisit those account security best practices.

They ideally also want to target influencers who have built long-term trust with their audience, through months or years of providing advice online.

When it comes to the targeting of influencers, attacks begin with the social media account itself – whether it’s X (formerly Twitter), YouTube, TikTok, Instagram or another platform.

Highly targeted phishing attacks designed to trick the individual into handing over their logins.

The bottom line is identity theft-related security risks for followers, trashed reputation for brands and influencers, and potentially direct losses for content c…

So what’s this got to do with cybersecurity – and a solution known as Managed Detection and Response (MDR)?

That’s why Managed Detection and Response (MDR) services are often cited as the predominant way organisations will protect themselves.

Earlier this year, Gartner forecast that up to 50% of all organisations will have adopted MDR by the end of 2025.

IT generalists – and even security managers – wear many hats.

MDR offers the same level of protection – without the overhead – making it accessible to SMEs and large enterprises alike.

Short for “Open Source Intelligence”, OSINT refers to the gathering and analysis of publicly available data to produce actionable insights.

Basically, if you’re trying to make sense of public data, you’re already in OSINT territory.

OSINT Framework and OSINTCombine: these tools organize hundreds of free resources by category (web search, social media platforms, government sites, etc.

Social media tools: platforms like Namechk and Sherlock check whether a username exists across dozens of sites and are, therefore, useful for building digital profiles.

Parting thoughtsKnowing how to use OSINT tools is one thing; knowing how to investigate responsibly is another.

Internally named dns_cheat_v2 by its developers – and codenamed EdgeStepper by us – bioset is PlushDaemon’s adversary-in-the-middle tool, which forwards DNS traffic from machines in a targeted network to a malicious DNS node.

Alternatively, we have also observed that some servers are both the DNS node and the hijacking node; in those cases, the DNS node replies to DNS queries with its own IP address.

Illustration of the final stage of the update hijackingFigure 5 shows the hijacking node serving LittleDaemon.

We observed that IP address from 2021 to 2022 as the source of the malicious update: the hijacking node.

ConclusionWe analyzed the EdgeStepper network implant that enables PlushDaemon’…

In October, researchers warned that two AI companion apps (Chattee Chat and GiMe Chat) had unwittingly exposed highly sensitive user information.

The information shared by victims in romantic conversations with their AI companion is ripe for blackmail.

As per the above example, revenue generation rather than cybersecurity is the priority for AI app developers.

How to keep your family safeWhether you’re using an AI companion app yourself or are concerned about your children doing so, the advice is the same.

It goes without saying that you shouldn’t allow any AI companion apps whose age verification and content moderation policies do not offer sufficient protections for your children.

Phishing is still a go-to tactic for attackers, which is why even small gains in user training are worth noticing.

AI content helped people spot more attacksThe first study involved 80 participants who received training generated through four prompting methods.

Although no large statistical differences appeared between formats, this direct profile method produced better results after training.

In a few cases the generic groups showed slightly larger improvement, although these differences were not large enough to change the overall result.

It suggests that generic training can work as well as tailored versions for phishing detection.

No account creation is required, and the app begins tracking data usage, privacy, and security as soon as it’s enabled.

You can see how much mobile data or Wi-Fi each app uses by the hour, day, week, or month.

You can also see which apps use Wi-Fi versus mobile data, which helps when managing limited data plans.

Firewall optionFor users who want more control, GlassWire offers firewall functionality on supported devices.

Final thoughtsGlassWire combines network visibility, firewall control, and data usage insights into a single tool.

Security teams know the strain that comes from tightening authentication controls while keeping users productive.

Stronger authentication methods are gaining traction, and many of them let users move through sign in flows with less effort than before.

Researchers compared different authentication approaches by looking at speed, failure patterns, and resilience against common attacks.

The findings show that stronger approaches can reduce risk and lower frustration at the same time.

Together, these forces create an environment where stronger authentication is not only encouraged but expected.

Cybersecurity Senior ManagerGrant Thornton | USA | On-site – View job detailsAs a Cybersecurity Senior Manager, you will lead and perform cybersecurity assessments, including capability, threat and risk, architecture, compliance, and configuration reviews.

Get weekly updates on new cybersecurity job openings.

Contribute directly to securing GitLab using GitLab, and strengthen software supply chain security through improved workflows and controls.

You will continuously improve monitoring processes and documentation, and develop operational procedures to strengthen detection capabilities and overall security posture.

Threat Intelligence AnalystVMRay | Germany | Hybrid – View job detailsAs a T…

Traffic kept growing, but unevenlyGlobal internet traffic increased again in 2025, continuing a long-running trend.

DDoS attacks reached new highsDDoS attacks remained one of the most visible threats.

Network layer attacks remained the most common category, though application layer attacks also grew.

Outages exposed dependenciesMajor internet outages again highlighted how dependent services are on a small number of providers and protocols.

Even during the largest attacks, traffic often stabilized within seconds, showing how automated defenses have become standard at the network edge.

Astra Security announced the launch of its Cloud Vulnerability Scanner, a new solution designed to help organizations continuously maintain validated cloud security.

Astra’s Cloud Vulnerability Scanner provides a continuous view of cloud posture and verifies the impact of each finding through offensive-grade testing.

“Astra’s cloud vulnerability scanner tells you the five things that actually matter and proves it.

Our cloud security posture finally feels manageable.”“Organizations need ongoing proof of security, not just periodic visibility,” said Shikhil Sharma, CEO of Astra Security.

“Our Cloud Vulnerability Scanner provides a continuous validation process that confirms what needs attenti…

Apple has issued security updates with fixes for two WebKit vulnerabilities (CVE-2025-14174, CVE-2025-43529) that have been exploited as zero-days.

Several days before the release of these updates, Google fixed CVE-2025-14174 in the desktop version of Chrome, though at the time the issue did not have a CVE number nor a description.

The vulnerabilities (CVE-2025-14174, CVE-2025-43529)CVE-2025-14174 was reported to Google by Apple Security Engineering and Architecture (SEAR) and Google Threat Analysis Group (TAG) on December 5.

CVE-2025-14174 may lead to memory corruption, and CVE-2025-43529 (also in WebKit) may allow arbitrary code execution.

Nevertheless, it’s a good idea for all users to u…

OffSec has released Kali Linux 2025.4, a new version of its widely used penetration testing and digital forensics platform.

Most of the changes are related to appearance and usability:Kali’s GNOME desktop environment now organizes Kali tools into folders via the app grid, and there’s a shortcut for opening a terminal windowIts KDE Plasma desktop enviroment now comes with a new screenshot tool with added editing features, offers quick access to pinned clipboard items, and its search/launch tool now correctly identifies which app you wanted to open even if you misspell its nameIts Xfce desktop environment gets supports for color themesAs per usual, new versions of Kali come with new tools.

Ot…

How should an AI agent know when to use someone’s data without asking every time?

“Arguably the biggest vulnerability isn’t so much the permission system itself but the infrastructure that it all runs on.

Teaching AI to learn your rulesThe second part of the research explored whether an AI system could learn these patterns well enough to make permission decisions for users.

“Mitigation here, in practice, means running permission inference behind your firewall and on your hardware.

You can’t let the permission system learn from unvetted data.”He added that sectors with strict rules will face extra challenges.

Prometheus is an open-source monitoring and alerting system built for environments where services change often and failures can spread fast.

Prometheus is designed around a simple idea, collect metrics from systems, store them locally, and make them easy to query and alert on.

A metrics model built for scalePrometheus uses a time series data model.

Security teams benefit from this approach when monitoring ephemeral workloads such as containers or short-lived jobs.

Prometheus does one job, collect and query metrics.

Mobile security has long depended on tight control over how apps and services interact with a device.

Platform diversity complicates the issue because Android and iOS implement security features in different ways.

The idea is to let third parties reach needed functions through controlled interfaces instead of exposing sensitive system components.

Each interoperability feature should come with a clear statement describing why data access is needed and how it will be limited.

The DMA will influence how mobile platforms structure identity controls, manage third party risk and enforce data protection.

What types of compliance should your password manager support, and how do you judge whether a tool meets those expectations.

A password manager becomes a practical tool to demonstrate that an organization treats credential handling as part of its compliance program.

A password manager that provides comprehensive logs, separation of roles, encrypted storage, and administrative oversight can help fulfill these obligations.

Build compliance awareness into your credential strategyA password manager is only one piece of a compliance program.

If a password manager helps them answer tough questions during audits, then it becomes more than a convenience.

States that have already enacted consumer protections and other AI regulations, like California, and those actively debating them, like Massachusetts, were alarmed.

Then, a draft document leaked outlining the Trump administration’s intent to enforce the state regulatory ban through executive powers.

AI companies and their investors have been aggressively peddling this narrative for years now, and are increasingly backing it with exorbitant lobbying dollars.

The often-heard complaint that it is hard to comply with a patchwork of state regulations rings hollow.

EDITED TO ADD: Trump signed an executive order banning state-level AI regulations hours after this was published.

Upcoming Speaking EngagementsThis is a current list of where and when I am scheduled to speak:I’m speaking and signing books at the Chicago Public Library in Chicago, Illinois, USA, at 6:00 PM CT on February 5, 2026.

I’m speaking at Capricon 44 in Chicago, Illinois, USA.

I’m speaking at the Munich Cybersecurity Conference in Munich, Germany on February 12, 2026.

I’m speaking at Tech Live: Cybersecurity in New York City, USA on March 11, 2026.

I’m speaking at RSAC 2026 in San Francisco, California, USA on March 25, 2026.

I have no context for this video—it’s from Reddit—but one of the commenters adds some context:Hey everyone, squid biologist here!

With so many people carrying around cameras, we’re getting more videos of giant squid at the surface than in previous decades.

We’re also starting to notice a pattern, that around this time of year (peaking in January) we see a bunch of giant squid around Japan.

When we see big (giant or colossal) healthy squid like this, it’s often because a fisher caught something else (either another squid or sometimes an antarctic toothfish).

There are a few colossal squid sightings similar to this from the southern ocean (but fewer people are down there, so fewer cameras, fe…

It makes sense; the engineering expertise that designs and develops AI systems is completely orthogonal to the security expertise that ensures the confidentiality and integrity of data.

We each want this data to include personal data about ourselves, as well as transaction data from our interactions.

The engineering expertise to build AI systems is orthogonal to the security expertise needed to protect personal data.

AI companies optimize for model performance, but data security requires cryptographic verification, access control, and auditable systems.

Fortunately, decoupling personal data stores from AI systems means security can advance independently from performance (https:// ieeexplore…

AIs Exploiting Smart ContractsI have long maintained that smart contracts are a dumb idea: that a human process is actually a security feature.

Here’s some interesting research on training AIs to automatically exploit smart contracts:AI models are increasingly good at cyber tasks, as we’ve written about before.

In a recent MATS and Anthropic Fellows project, our scholars investigated this question by evaluating AI agents’ ability to exploit smart contracts on Smart CONtracts Exploitation benchmark (SCONE-bench)­a new benchmark they built comprising 405 contracts that were actually exploited between 2020 and 2025.

Going beyond retrospective analysis, we evaluated both Sonnet 4.5 and GPT-5 in…

The FBI is warning of AI-assisted fake kidnapping scams:Criminal actors typically will contact their victims through text message claiming they have kidnapped their loved one and demand a ransom be paid for their release.

Oftentimes, the criminal actor will express significant claims of violence towards the loved one if the ransom is not paid immediately.

The criminal actor will then send what appears to be a genuine photo or video of the victim’s loved one, which upon close inspection often reveals inaccuracies when compared to confirmed photos of the loved one.

Examples of these inaccuracies include missing tattoos or scars and inaccurate body proportions.

Criminal actors will sometimes p…

There’s a public health imperative to quickly expand the adoption of autonomous vehicles.

The answer is critical for determining how autonomous vehicles may shape motor vehicle safety and public health, and for developing sound policies to govern their deployment.

In this paper, we calculate the number of miles of driving that would be needed to provide clear statistical evidence of autonomous vehicle safety.

And yet, the possibility remains that it will not be possible to establish with certainty the safety of autonomous vehicles.

One problem, of course, is that we treat death by human driver differently than we do death by autonomous computer driver.

Here’s a fun paper: “The Naibbe cipher: a substitution cipher that encrypts Latin and Italian as Voynich Manuscript-like ciphertext“:Abstract: In this article, I investigate the hypothesis that the Voynich Manuscript (MS 408, Yale University Beinecke Library) is compatible with being a ciphertext by attempting to develop a historically plausible cipher that can replicate the manuscript’s unusual properties.

The resulting cipher­a verbose homophonic substitution cipher I call the Naibbe cipher­can be done entirely by hand with 15th-century materials, and when it encrypts a wide range of Latin and Italian plaintexts, the resulting ciphertexts remain fully decipherable and also reliably reprod…

Friday Squid Blogging: Vampire Squid GenomeThe vampire squid (Vampyroteuthis infernalis) has the largest cephalopod genome ever sequenced: more than 11 billion base pairs.

That’s more than twice as large as the biggest squid genomes.

It’s technically not a squid: “The vampire squid is a fascinating twig tenaciously hanging onto the cephalopod family tree.

It’s neither a squid nor an octopus (nor a vampire), but rather the last, lone remnant of an ancient lineage whose other members have long since vanished.”As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Posted on December 5, 2025 at 5:06 PM • 0 Comments

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Social media companies made the same sorts of promises 20 years ago: instant communication enabling individual connection at massive scale.

We legitimately fear artificial voices and manufactured reality drowning out real people on the internet: on social media, in chat rooms, everywhere we might try to connect with others.

They could extract the funding needed to mitigate these harms to support public services—strengthening job training programs and public employment, public schools, public health services, even public media and technology.

Millions quickly signed up for a free service where the only source of monetization was the extraction of their attention and personal data.

They were …

Banning VPNsThis is crazy.

Lawmakers in several US states are contemplating banning VPNs, because…think of the children!

As of this writing, Wisconsin lawmakers are escalating their war on privacy by targeting VPNs in the name of “protecting children” in A.B.

It’s an age verification bill that requires all websites distributing material that could conceivably be deemed “sexual content” to both implement an age verification system and also to block the access of users connected via VPN.

Posted on December 1, 2025 at 7:59 AM • 0 Comments

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Across 25 frontier proprietary and open-weight models, curated poetic prompts yielded high attack-success rates (ASR), with some providers exceeding 90%.

Mapping prompts to MLCommons and EU CoP risk taxonomies shows that poetic attacks transfer across CBRN, manipulation, cyber-offence, and loss-of-control domains.

Sadly, the paper does not give examples of these poetic prompts.

They claim this is for security purposes, I decision I disagree with.

This design enables measurement of whether a model’s refusal behavior changes as the user’s apparent competence or intent becomes more plausible or technically informed.

A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine.

UK companies belonging to the group that have been shut down by Google Ads since Jan 2025 include:–Proglobal Solutions LTD (advertised nerdifyit[.

Currently active Google Ads accounts for the Nerdify brands include:-OK Marketing LTD (advertising geekly-hub[.

For a number of years, Lobov and Perkon co-produced a cross-cultural event in the U.K. called Russian Film Week.

While Synergy University promotes itself as Russia’s largest private educational institutio…

The phishing domains are being promoted by scam messages sent via Apple’s iMessage service or the functionally equivalent RCS messaging service built into Google phones.

The website scanning service urlscan.io shows thousands of these phishing domains have been deployed in just the past few days alone.

Pivoting off these T-Mobile phishing domains in urlscan.io reveals a similar scam targeting AT&T customers:Ford Merrill works in security research at SecAlliance, a CSIS Security Group company.

CAVEAT EMPTORMany SMS phishing or “smishing” domains are quickly flagged by browser makers as malicious.

“The fake e-commerce sites are tough because a lot of them can fly under the radar,” Merrill sai…

A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations.

Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters.

But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.

The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel.

Incredibly, Rey w…

UNBOXINGCensys’s Ashley said the phone home to China’s Tencent QQ instant messaging service was the first red flag with the Superbox devices she examined.

In July 2025, Google filed a “John Doe” lawsuit (PDF) against 25 unidentified defendants dubbed the “BadBox 2.0 Enterprise,” which Google described as a botnet of over ten million Android streaming devices that engaged in advertising fraud.

Several of the Android streaming devices flagged in Google’s lawsuit are still for sale on top U.S. retail sites.

Kilmer said Badbox 2.0 was used as a distribution platform for IPidea, a China-based entity that is now the world’s largest residential proxy network.

-Generic TV streaming devices advertis…

Sixteen months later, however, Mozilla is still promoting Onerep.

This week, Mozilla announced its partnership with Onerep will officially end next month.

In a statement published Tuesday, Mozilla said it will soon discontinue Monitor Plus, which offered data broker site scans and automated personal data removal from Onerep.

Mozilla said current Monitor Plus subscribers will retain full access through the wind-down period, which ends on Dec. 17, 2025.

Shelest released a lengthy statement wherein he acknowledged maintaining an ownership stake in Nuwber, a data broker he founded in 2015 — around the same time he launched Onerep.

An intermittent outage at Cloudflare on Tuesday briefly knocked many of the Internet’s top destinations offline.

Some affected Cloudflare customers were able to pivot away from the platform temporarily so that visitors could still access their websites.

However, some customers did manage to pivot their domains away from Cloudflare during the outage.

“Then you see through DNS changes that the target has eliminated Cloudflare from their web stack due to the outage.

But also look hard at the behavior inside your org.”Scott said organizations seeking security insights from the Cloudflare outage should ask themselves:1.

Microsoft this week pushed security updates to fix more than 60 vulnerabilities in its Windows operating systems and supported software, including at least one zero-day bug that is already being exploited.

Affected products this month include the Windows OS, Office, SharePoint, SQL Server, Visual Studio, GitHub Copilot, and Azure Monitor Agent.

Many of the more concerning bugs addressed by Microsoft this month affect Windows 10, an operating system that Microsoft officially ceased supporting with patches last month.

As that deadline rolled around, however, Microsoft began offering Windows 10 users an extra year of free updates, so long as they register their PC to an active Microsoft accoun…

More recently, Lighthouse has been used to spoof e-commerce websites, financial institutions and brokerage firms.

Google’s lawsuit alleges the purveyors of Lighthouse violated the company’s trademarks by including Google’s logos on countless phishing websites.

Ford Merrill works in security research at SecAlliance, a CSIS Security Group company, and he’s been tracking Chinese SMS phishing groups for several years.

Merrill said many Lighthouse customers are now using the phishing kit to erect fake e-commerce websites that are advertised on Google and Meta platforms.

But he said the Chinese mobile phishing market is so lucrative right now that it’s difficult to imagine a popular phishing serv…

The Washington Post recently reported that more than a half-dozen federal departments and agencies were backing a proposed ban on future sales of TP-Link devices in the United States.

“TP-Link vigorously disputes any allegation that its products present national security risks to the United States,” Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement.

Microsoft found the hacker groups were leveraging the compromised TP-Link systems to conduct “password spraying” attacks against Microsoft accounts.

Happily, TP-Link users spooked by the proposed ban may have an alternative to outright junking these devices, as many TP-Link routers also support open-source firmware options l…

Cloudflare responded by redacting Aisuru domain names from their top websites list.

One Aisuru botnet domain that sat prominently for days at #1 on the list was someone’s street address in Massachusetts followed by “.com”.

Other Aisuru domains mimicked those belonging to major cloud providers.

Sometime in the past 24 hours, Cloudflare appears to have begun hiding the malicious Aisuru domains entirely from the web version of that list.

However, downloading a spreadsheet of the current Top 200 domains from Cloudflare Radar shows an Aisuru domain still at the very top.

The 2012 indictment targeting the Jabber Zeus crew named MrICQ as “John Doe #3,” and said this person handled incoming notifications of newly compromised victims.

Two sources familiar with the Jabber Zeus investigation said Rybtsov was arrested in Italy, although the exact date and circumstances of his arrest remain unclear.

Further searching on this address in Constella finds the same apartment building was shared by a business registered to Vyacheslav “Tank” Penchukov, the leader of the Jabber Zeus crew in Ukraine.

Nevertheless, the pilfered Jabber Zeus group chats provided the basis for dozens of stories published here about small businesses fighting their banks in court over six- and se…

Experts say the Aisuru botmasters recently updated their malware so that compromised devices can more easily be rented to so-called “residential proxy” providers.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer.

“I just checked, and in the last 90 days we’ve seen 250 million unique residential proxy IPs,” Kilmer said.

Brundage says that by almost any measurement, the world’s largest residential proxy service is IPidea, a China-based proxy network.

That 2022 story named Yunhe Wang from Beijing as the apparent owner and/or manager of the 911S5 proxy service.

Financial regulators in Canada this week levied $176 million in fines against Cryptomus, a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services.

On October 16, the Financial Transactions and Reports Analysis Center of Canada (FINTRAC) imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., more commonly known as the cryptocurrency payments platform Cryptomus.

Sanders found at least 56 cryptocurrency exchanges were using Cryptomus to process transactions, including financial entities with names like casher[.

Their inquiry found that the street address for Cryptomus parent Xeltox Enterprises was listed as the home of at…

Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously.

Zendesk is an automated help desk service designed to make it simple for people to contact companies for customer support issues.

Earlier this week, KrebsOnSecurity started receiving thousands of ticket creation notification messages through Zendesk in rapid succession, each bearing the name of different Zendesk customers, such as CapCom, CompTIA, Discord, GMAC, NordVPN, The Washington Post, and Tinder.

In the example below, replying to any of the junk customer sup…

Regular readers of Hot for Security will have read plenty of articles about cybercriminals who have created malware, or malicious hackers who have used malware to infect the systems of victims.

But the news this week is that a court in Singapore has jailed a man not for launching an attack himself, but instead for teaching others exactly how to do it.

According to Singaporean authorities this is the country's first prosecution specifically targeted against somebody who had taught others how to use malware.

Prosecutors claim that Lee Rong Teng provided Cheoh with several versions of the spyware and asked him to learn how they functioned.

Cheoh’s alleged accomplice, Lee Rong Teng, is thought …

Analyst firm Gartner has issued a blunt warning to organizations: Agentic AI browsers introduce serious new security risks and should be blocked "for the foreseeable future." Read more in my article on the Fortra blog.

Plus, Graham chats with Rob Edmondson from CoreView about why misconfigurations and over-privileged accounts can make Microsoft 365 dangerously vulnerable.

All this, and more, in episode 447 of the “Smashing Security” podcast with Graham Cluley, and special guest Jenny Radcliffe.

Smashing Security listeners get $1000 off!

CoreView – Benchmark your Microsoft 365 tenant security against the Center for Internet Security (CIS) controls.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

A new report from the United States's Financial Crimes Enforcement Network (FinCEN) has shone a revealing light on the state of the criminal industry of ransomware. The report, which examines ransomware incidents from 2022 to 2024, reveals that attackers extorted more than $2.1 billion over the three-year period. Yes, that number is enormous - but it hides a more interesting story beneath it: that after peaking in 2023, ransomware payments actually started to decline. Read more in my article on the Fortra blog.

Remember when a notorious ransomware gang hit the Irish Health Service back in May 2021?

Four years on, and it seems victims who had their data exposed will finally receive compensation.

The attack against the Health Service Executive (HSE) began when the Russia-linked Conti ransomware group tricked a user into downloading a boobytrapped Microsoft Excel file.

The Health Service Executive (HSE) has now made an offer of €750 to victims whose personal data was compromised in what was declared the largest ever cyber attack against a health service computer system in Ireland.

According to media reports, a Cork-based solicitors firm representing more than 100 people affected by the data breach re…

A 22-year-old from Newport Beach, California has pleaded guilty to his role in a sophisticated criminal network that stole approximately US $263 million in cryptocurrency from victims.

Evan Tangeman is the ninth defendant to plead guilty in connection with what prosecutors have described as a highly-organised criminal enterprise, dubbed the "Social Engineering Enterprise" (SE Enterprise).

Some members of SE Enterprise specialised in hacking databases to identify wealthy cryptocurrency investors.

Evan Tangeman admitted to working as a money launderer for the group, helping convert US $3.5 million worth of stolen cryptocurrency into cash.

For all their supposed sophistication, the downfall of…

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow us:Follow the show on Bluesky, or subscribe for free in your favourite podcast app such as Apple Podcasts or Spotify, or visit our website for more information.

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

Grok, the AI chatbot developed by Elon Musk's xAI, has been found to exhibit more alarming behaviour - this time revealing the home addresses of ordinary people upon request.

And, as if that wasn't enough of a privacy violation, Grok has also been exposed as providing detailed instructions for stalking and surveillance of targeted individuals.

If Grok was not able to identify the exact person, it would often return lists of similarly named individuals with their addresses.

Grok was also not afraid of offering tips for encountering a world-famous pop star, providing tips for waiting near venue exits.

As AI becomes embedded in our daily lives, it is clear that stronger safeguards are not opti…

A new warning about the threat posed by Distributed Denial of Service (DDoS) attacks should make you sit up and listen. Read more in my article on the Fortra blog.

All this and more is discussed in episode 446 of the “Smashing Security” podcast with cybersecurity veteran Graham Cluley, and special guest Rik Ferguson.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

The FBI has recently issued a public service announcement that warns that since January 2025 there have been more than 5,100 complaints of account takeover fraud, and total reported losses in excess of US $262 million. Read more in my article on the Fortra blog.

In episode 79 of The AI Fix, Gemini 3 roasts the competition, scares Nvidia, and can’t remember what year it is.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

You can also help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

If you would like to further support the podcast, and gain access to ad-free episodes, become a supporter by joining The AI Fix Plus!

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

In a statement published on 27 November, Asahi shared details of a nearly two-month forensic investigation into the security incident.

The company reported that around 1.52 million customers who had previously contacted the company's customer-service centres may have had their personal information accessed during the attack.

Asahi states that it is continuing to reinforce its cybersecurity systems in the wake of the attack, and improve its resilience.

For millions of customers and employees, the consequences may take far longer to resolve than the beer shortages that made headlines.

For the millions of affected individuals, the immediate concern shifts from beer shortages to the potential f…

CISA, the US Cybersecurity and Infrastructure Security Agency, has issued a new warning that cybercriminals and state-backed hacking groups are using spyware to compromise smartphones belonging to users of popular encrypted messaging apps such as Signal, WhatsApp, and Telegram.

CISA says that it has seen evidence that hackers targeting the users of encrypted messaging apps are focusing on "high-value" targets such as those working in politics, the government, and the military.

"CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications," the agency said in its advisory.

The vulnerability was patched by Samsung in Apr…

All this and more is discussed in episode 445 of the “Smashing Security” podcast with cybersecurity veteran Graham Cluley, and special guest Dan Raywood.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Разумеется, сообщать облачный пароль нельзя никому — он нужен исключительно для того, чтобы войти в ваш аккаунт в Telegram.. Сделайте это в разделе Настройки → Конфиденциальность Telegram прямо сейчас.

После недавнего обновления в Telegram появилась возможность защитить вход в аккаунт не только облачным паролем, но и ключом доступа.

После недавнего обновления в Telegram появилась возможность защитить вход в аккаунт не только облачным паролем, но и ключом доступа.

Поэтому мы рекомендуем создать сложный и уникальный облачный пароль Telegram и хранить как его, так и ключ доступа для Telegram в Kaspersky Password Manager.

Поэтому мы рекомендуем создать сложный и уникальный облачный пароль Teleg…

Правоохранительные органы Южной Кореи арестовали четырех подозреваемых во взломе 120 000 IP-камер, установленных как в частных домах, так и в коммерческих помещениях — например, в комнатах караоке, студии пилатеса и гинекологической клинике.

Объясняем, что представляют собой IP-камеры и в чем состоят их уязвимости, а также подробно рассказываем об инциденте в Южной Корее и о том, как не стать жертвой злоумышленников, охотящихся за горячими видео.

Что случилось в Южной КорееВернемся к событиям, произошедшим этой осенью в Южной Корее.

Он взломал 63 000 IP-камер и создал, а затем продал 545 видео сексуального характера за 35 миллионов южнокорейских вон (чуть меньше 24 000 долларов).

Он взломал…

В этом посте попробуем определить, какие активы требуют первоочередного внимания, как их обнаружить и в какой форме проводить реагирование.

Физические и виртуальные серверы остаются бесхозными в крупных инфраструктурах после проектов по миграции или после слияния и поглощения компаний.

Важно также закрепить в политике способы учета создаваемых хранилищ и запрет на «бесхозные» данные, доступные без ограничений, паролей и шифрования.

Для внутренней разработки — обязательное использование сканеров и комплексных систем защиты, интегрированных с конвейером CI/CD и предотвращающих сборку ПО с устаревшими компонентами.

Подключенные к сети, но не управляемые и не обновляемые роутеры, межсетевые экр…

Недавно на новостных сайтах появилась информация о том, что некие злоумышленники распространяют инфостилер через бесплатные файлы 3D-моделей для ПО Blender.

Почему Blender и онлайн-маркетплейсы 3D-моделей могут быть источниками рискаBlender — это программное обеспечение для создания 3D-графики и анимации, которое используется множеством специалистов по визуализации в различных областях.

Среди прочих возможностей Blender есть и поддержка выполнения Python-скриптов, которые используются для автоматизации задач и расширения функциональности ПО.

Чем опасны рабочие инструменты, не контролируемые ИБПроблема не в Blender как таковом — злоумышленники неизбежно попробуют эксплуатировать возможности …

Теперь поделиться можно еще и чатом с ИИ-ассистентом, и ссылка на него будет вести на официальный сайт чат-бота.

При правильном вводе скрипт скачивает вредоносное ПО и использует указанный пароль для установки и запуска зловреда.

Инфостилер и бэкдорЕсли пользователь поддастся на уговоры, на его компьютере запустится распространенный инфостилер AMOS (Atomic macOS Stealer).

Использовать надежную защиту от вредоносного ПО на всех своих смартфонах, планшетах и компьютерах, включая компьютеры под управлением macOS и Linux.

Никогда не выполнять технические инструкции, о которых вы не просили и в которых разбираетесь не до конца.

Что нового в Kaspersky Embedded Systems Security для WindowsНаши эксперты значительно переработали кодовую базу решения, добавив ряд продвинутых механизмов детектирования и блокирования угроз.

Что нового в Kaspersky Embedded Systems Security для LinuxМы значительно доработали и новый KESS для Linux, но большинство нововведений в нем повышают эффективность уже реализованных защитных механизмов.

В нем мы планируем:Обеспечить полную совместимость Kaspersky Embedded Systems Security с сервисом Kaspersky Managed Detection and Response.

Добавить в Kaspersky Embedded Systems Security для Linux технологию защиты от BadUSB, которая уже работает в Windows-версии.

Обеспечить поддержку решением Kaspers…

3 декабря стало известно о скоординированном устранении критической уязвимости CVE-2025-55182 (CVSSv3 — 10), которая содержалась в React server components (RSC), а также во множестве производных проектов и фреймворков: Next.js, React Router RSC preview, Redwood SDK, Waku, RSC-плагинах Vite и Parcel.

Учитывая, что на базе React и Next.js построены десятки миллионов сайтов, включая Airbnb и Netflix, а уязвимые версии компонентов найдены примерно в 39% облачных инфраструктур, масштаб эксплуатации может быть очень серьезным.

Благодаря компонентам RSC, появившимся в React 18 в 2020 году, часть работы по сборке веб-страницы выполняется не в браузере, а на сервере.

Изначально React предназначен дл…

C октября этого года наши технологии фиксируют вредоносные рассылки файлов, в названии которых эксплуатируется тема годовых премий и бонусов.

Еще одной интересной особенностью данной вредоносной кампании является то, что в качестве полезной нагрузки выступает XLL-файл, что достаточно нестандартно.

Атакующие, конечно, меняют иконку, но в некоторых интерфейсах — в первую очередь в «проводнике Windows» — очевидно, что тип файла не соответствует видимому расширению, как показано, например, вот в этом посте.

Тип файла XLL служит для надстроек Microsoft Excel и, по сути, представляет собой DLL-библиотеку, которая запускается непосредственно программой для работы с электронными таблицами.

Часть ко…

Наверняка найдутся и желающие применить на практике новую атаку Whisper Leak.

Исследователи из Microsoft продолжили эту тему и проанализировали параметры поступления ответа от 30 разных ИИ-моделей в ответ на 11,8 тысяч запросов.

Сравнив задержку поступления пакетов от сервера, их размер и общее количество, исследователи смогли очень точно отделить «опасные» запросы от «обычных».

Как защититься от Whisper LeakОсновное бремя защиты от этой атаки лежит на провайдерах ИИ-моделей.

Если вы пользуетесь моделью и серверами, для которых Whisper Leak актуален, можно либо сменить провайдера на менее уязвимого, либо принять дополнительные меры предосторожности.

Как устроена автоматическая машина для тасования карт Deckmate 2Машина для автоматического тасования карт Deckmate 2 была запущена в производство в 2012 году.

В предыдущей модели устройства, Deckmate, внутренней камеры не было и, соответственно, не было возможности подглядеть последовательность карт в колоде.

Как исследователи смогли взломать устройство Deckmate 2Опытные читатели нашего блога уже наверняка заметили несколько уязвимостей в конструкции Deckmate 2, которыми воспользовались исследователи для создания proof-of-concept.

Это позволяло специалистам в реальном времени узнавать порядок карт в тасовке.

Как мафия использовала взломанные Deckmate 2 в реальных покерных играхДва года спус…

Видеорегистраторы, популярные в одних странах и полностью запрещенные в других, обычно воспринимаются как страховка на случай ДТП и спорных ситуаций на дорогах.

По Wi-Fi к устройству может подключаться смартфон водителя, чтобы через мобильное приложение провести настройки, скачать видео на телефон и так далее.

Как выяснилось, многие регистраторы допускают обход аутентификации и к ним можно подключиться с чужого устройства, а затем скачать сохраненные данные.

Просто они заказывают компоненты и ПО у одного и того же разработчика.

Но массовый взлом видеорегистраторов может привести к значительно более агрессивному сбору данных и злоупотреблению ими в преступных и мошеннических схемах.

Рассказываем о том, как она работает и как защититься от злоумышленников.

Что делать, если ваш аккаунт на «Госуслугах» взломалиИзучите, как восстановить доступ к «Госуслугам», на официальном сайте и установите по-настоящему надежный пароль.

Перейдите в Профиль → Уведомления .

Также изучите разделы Профиль → Согласия , Профиль → Разрешения и доверенности , Профиль → Сим-карты — нет ли там чего-то нового и неожиданного?

Мы рекомендуем пользоваться одноразовыми кодами из приложения-аутентификатора, а не из SMS.

В октябре Microsoft завершила поддержку Exchange Server 2019, так что единственным поддерживаемым on-premise-решением в 2026 году остается Exchange Server Subscription Edition (Exchange SE).

Миграция с версий EOLИ Microsoft, и CISA рекомендуют переход на Exchange SE, чтобы своевременно получать обновления безопасности.

Срочные обновленияДля срочных уязвимостей и ошибок рекомендации по временным мерам обычно публикуются в блоге Exchange и на странице Emergency Mitigation.

Самый свежий CIS Benchmark создан для Exchange 2019, но он полностью применим к Exchange SE, поскольку по доступным настройкам текущая версия SE не отличается от Exchange Server 2019 CU15.

Подробные рекомендации по оптималь…

Рассказываем подробнее о том, как работает данная атака, почему она особенно опасна для пользователей — и как от нее защититься.

Во-первых, они явно рассчитывают, что значительное число пользователей будет попадать на созданные ими фейковые страницы через простой поиск в Google.

Дело в том, что чаще всего поддельные сайты имеют адреса, совпадающие с целевыми поисковыми запросами — или близкие к ним.

Поддельные сайты, изготовленные с помощью ИИ-конструктора LovableНесмотря на различие в содержимом, участвующие в данной вредоносной кампании поддельные веб-сайты имеют ряд общих черт.

В данном случае злоумышленники не только не стали создавать собственный троян, но даже не купили на черном рынк…

Thanks to Duo, I was quickly given access to all the essential tools: Cisco XDR, Splunk, firewall dashboards, and more from the duo directory.

Detection: Cisco XDR flagged the suspicious behavior, visualizing the connections between one internal asset and several high-risk external hosts.

This raised immediate concerns about potential malware or command-and-control activity (see Cisco XDR investigation below).

In summary, my first SOC experience turned initial nerves into genuine confidence.

Ask a question and stay connected with Cisco Security on social media.

As a reminder, when a Windows client is seeking to talk to a domain controller it will make DNS queries for SRV records for names like _kerberos._tcp.dc._msdcs.DOMAINNAME or _ldap._tcp.dc._msdcs.DOMAINNAME.

These DNS requests enable the client to find nearby Kerberos or LDAP servers for their domain.

Finally, the Cisco Live network is designed to be a safe network for attendees to use.

A properly configured VPN client like Cisco Secure Client can support both a full tunnel VPN and “Start Before Login”.

Check out the other blogs by my colleagues in the Cisco Live Melbourne 2026 SOC.

Kerberoasting: An attacker with a valid ticket can request service tickets from the KDC which are encrypted with the service account password.

An attacker with a valid ticket can request service tickets from the KDC which are encrypted with the service account password.

Cisco XDR: Cross-signal correlation and incident management spanning Secure Firewall, Secure Access (DNS), Secure Network Analytics, and partner telemetry.

Cross-signal correlation and incident management spanning Secure Firewall, Secure Access (DNS), Secure Network Analytics, and partner telemetry.

Secure Network Analytics: NetFlow analytics to surface scanning, beaconing, and anomalous connection patterns at scale.

Building on the success of the 2nd annual Security Operations Centre (SOC) at Cisco Live Melbourne (Asia Pacific Japan) 2024, the executive team supported the first SOC for Cisco Live San Diego (Americas) and invited the team back for 20025.

The SOC at Cisco Live SOC was successfully deployed in just 12 hours over 1 ½ days, demonstrating extensive prior planning and specialized expertise.

The partnership with Endace, a highly skilled full-packet capture provider, whose experience in the 2025 SOC was critical and extended to their commitment for Cisco Live Melbourne.

For example, Ryan MacLennan created an AI model to find domain generated algorithms at the Cisco Live AMER Security SOC.

Ackno…

Joining the Security Operations Centre (SOC) team in Cisco Live Melbourne was a new experience for me as a Cisco Technical Marketing Engineer (TME).

As a Tier1 / Tier 2 analyst the first screen to look at is Cisco XDR, that will bring incidents from the different data sources including Splunk Core.

Day 1 at Cisco Live and guess what?

Distributed Deniel of Service (DDoS) activity was detected targeting Cisco TV devices connected to Cisco Live network.

Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.

In the Cisco Live Melbourne SOC, we use a combination of Endace full packet capture (PCAP), Splunk Enterprise Security, and Splunk SOAR to provide automated detections of cleartext credential leakage.

We resolve this using the coalesce function in Splunk’s eval command.

The coalece function will return the first non-null value from a list of possible values, just like the COALESCE function in SQL.

In our case, we use it like so:However, during Cisco Live we discovered a problem with this logic.

One answer is a Splunk macro.

One area of integration between CSF and Splunk that we worked on at Cisco Live Melbourne involved Enterprise Security Content Update (ESCU) detections in Splunk Enterprise Security (ES).

Splunk ES has around two dozen ESCU detections for Cisco Secure Firewall.

These can be accessed from ES by navigating to Security Content > Content Management and then searching for ‘Secure Firewall’.

All ESCU detections for Secure Firewall reference the same macro, ‘cisco_secure_firewall’.

We transitioned our firewall log export to syslog a few conferences ago, and in Melbourne we decided to test the ESCU detections with syslog.

Sometimes though we see exceptions, in this circumstance an asset connected to the Attendee Wi-Fi network at Cisco Live Melbourne 2025 exhibited a large spike in traffic on multiple occasions.

Upon investigation, the asset was found to be connecting to multiple confirmed malicious external IP addresses.

When the Incident was investigated, we found that the asset was communicating with numerous external IP addresses classified as malicious.

Investigating further, we saw the internal IP address communicating with a number of external IP addresses, all classed as malicious.

Cisco Security Social MediaLinkedInFacebookInstagramX

The Adrenaline of the Real World: Rapid Threat Containment on DisplayThe first thing that strikes you when you walk into the Cisco Live SOC is the energy.

The XDR & Splunk ES Synergy: The key highlight of the visibility demo was the seamless data exchange between XDR and Splunk ES.

Forging the Future: Empowering New and Tier One AnalystsPerhaps the most inspiring aspect of the SOC tours was the focus on people.

The Cisco Live Melbourne 2025 SOC tours weren’t just about the technology of today; they were about sharing our experiences, delivering on the EDUCATE component of our Mission.

Check out the other blogs by my colleagues in the Cisco Live APJC 2026 SOC.

Segmentation introduces critical control points, regulating who and what can access the network environment and its applications.

I consistently approach the segmentation journey with my customers by framing it as a circular cycle.

This cycle starts with visibility, progresses through identity context, policy selection, and policy enforcement, ultimately returning to enhanced visibility.

1: The segmentation cycleVisibilityThe segmentation cycle both starts and ends with robust visibility.

Policy AssignmentPolicy Assignment, often referred to as the Policy Decision Point (PDP) in NIST SP 800-207, represents the “what” in our segmentation cycle.

The survey results also revealed interesting insights into why segmentation remains a foundational concept.

The evolution of segmentation and the development of different segmentation approaches make the concept ideal for implementing a proactive approach to enterprise cybersecurity today.

And now, augmenting macro-segmentation with micro-segmentation implementations allows security teams to split environments into separate networks AND isolate specific workloads based on behavior or identity.

Data split by those who have fully implemented both macro- and micro-segmentation (315), and those who have not fully implemented both (608).

Data split by those who have fully implemented both macro-…

The GovWare Security Operations Centre is a collaborative initiative with Cisco for GovWare Conference and Exhibition 2025 — GovWare 2025 Security Operations CentreFollowing the successful Security Operations Centre (SOC) deployments at RSAC 2025, Black Hat Asia, and Cisco Live San Diego 2025, the Cisco ASEAN executive team approved the inaugural SOC for GovWare.

The SOC was founded on three primary missions:To Protect — Ensure the security of the GovWare 2025 network by defending against all forms of threats and attacks, originating from both internal and external sources.

— Ensure the security of the GovWare 2025 network by defending against all forms of threats and attacks, originating f…

During my recent work protecting GovWare 2025, I discovered that integrating Splunk Enterprise and Splunk Attack Analyzer (SAA) with Endace created a powerful threat hunting workflow that bridged the gap between security analytics and network forensics.

We leveraged Splunk Attack Analyzer’s robust API to connect to Endace, an advanced network recording tool that provides packet-level visibility into network activity.

This cross-referencing revealed two IP addresses associated with the suspicious domain, with one particularly standing out: 103.235.46[.]102.

This context transformed our investigation from a routine suspicious domain check into a potential active threat scenario.

Leveraging En…

This form of cyberattack involves operatives posing as legitimate remote hires, slipping past human resources checks and onboarding processes to gain trusted access.

With support from Microsoft Threat Intelligence, we quickly traced the activity to the North Korean remote IT workforce known as Jasper Sleet.

TACTICPiKVM devices—low-cost, hardware-based remote access tools—were utilized as egress channels.

Advanced detection tools, including Microsoft Defender for Identity and Microsoft Defender for Endpoint, were deployed to uncover lateral movement and credential misuse.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

This form of cyberattack involves operatives posing as legitimate remote hires, slipping past human resources checks and onboarding processes to gain trusted access.

With support from Microsoft Threat Intelligence, we quickly traced the activity to the North Korean remote IT workforce known as Jasper Sleet.

TACTICPiKVM devices—low-cost, hardware-based remote access tools—were utilized as egress channels.

Advanced detection tools, including Microsoft Defender for Identity and Microsoft Defender for Endpoint, were deployed to uncover lateral movement and credential misuse.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Our blog “Building human-centric security skills for AI” offers insights and guidance you can apply in your organization.

Find in AI Skills Navigator, our agentic learning space, AI and security training tailored to different roles.

—Jeana Jorgensen, Corporate Vice President, Microsoft LearningFostering a culture that prioritizes securityAs AI impacts everyone’s role, make security awareness and responsible AI practices shared priorities.

From awareness to actionIn the agentic AI era, people continue to be our most valuable resource.

It’s essential to empower them with AI and equip them with the skills they need to use AI responsibly and securely.

Our blog “Building human-centric security skills for AI” offers insights and guidance you can apply in your organization.

Find in AI Skills Navigator, our agentic learning space, AI and security training tailored to different roles.

—Jeana Jorgensen, Corporate Vice President, Microsoft LearningFostering a culture that prioritizes securityAs AI impacts everyone’s role, make security awareness and responsible AI practices shared priorities.

From awareness to actionIn the agentic AI era, people continue to be our most valuable resource.

It’s essential to empower them with AI and equip them with the skills they need to use AI responsibly and securely.

As email threats grow more sophisticated and layered security architectures become more common, organizations need clear, data-driven insights to evaluate how their security solutions perform together.

Microsoft’s commitment to transparency continues with the release of our second email security benchmarking report, informed by valuable customer and partner feedback.

The study compares environments protected exclusively by Microsoft Defender with those using a Secure Email Gateway (SEG) positioned in front of Defender, as well as environments where Integrated Cloud Email Security (ICES) solutions add a secondary layer of detection after Defender.

Secure Email Gateway and Integrated Cloud Em…

As email threats grow more sophisticated and layered security architectures become more common, organizations need clear, data-driven insights to evaluate how their security solutions perform together.

Microsoft’s commitment to transparency continues with the release of our second email security benchmarking report, informed by valuable customer and partner feedback.

The study compares environments protected exclusively by Microsoft Defender with those using a Secure Email Gateway (SEG) positioned in front of Defender, as well as environments where Integrated Cloud Email Security (ICES) solutions add a secondary layer of detection after Defender.

Secure Email Gateway and Integrated Cloud Em…

The Shai‑Hulud 2.0 supply chain attack represents one of the most significant cloud-native ecosystem compromises observed recently.

In defending against threats like Shai-Hulud 2.0, organizations benefit significantly from the layered protection from Microsoft Defender, which provides security coverage from code, to posture management, to runtime.

This blog provides a high-level overview of Shai‑Hulud 2.0, the attack mechanisms, potential attack propagation paths, customized hunting queries, and the actions Microsoft Defender is taking to enhance detection, attack-path analysis, credential scanning, and supply chain hardening.

Tactic Observed activity Microsoft Defender coverage Execution S…

The Shai‑Hulud 2.0 supply chain attack represents one of the most significant cloud-native ecosystem compromises observed recently.

In defending against threats like Shai-Hulud 2.0, organizations benefit significantly from the layered protection from Microsoft Defender, which provides security coverage from code, to posture management, to runtime.

This blog provides a high-level overview of Shai‑Hulud 2.0, the attack mechanisms, potential attack propagation paths, customized hunting queries, and the actions Microsoft Defender is taking to enhance detection, attack-path analysis, credential scanning, and supply chain hardening.

Tactic Observed activity Microsoft Defender coverage Execution S…

In this article, John Lambert, Chief Technology Officer, Corporate Vice President and Security Fellow at Microsoft dives into the future of cyber defense.

It’s easy to see why some security professionals out there see the physics of defense as being against them.

It’s also important to work on cyber defense together with organizations that you otherwise view as your competitors.

By rewriting the physics of defense, we can reclaim the advantage and redefine what it means to be secure.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

In this article, John Lambert, Chief Technology Officer, Corporate Vice President and Security Fellow at Microsoft dives into the future of cyber defense.

It’s easy to see why some security professionals out there see the physics of defense as being against them.

It’s also important to work on cyber defense together with organizations that you otherwise view as your competitors.

By rewriting the physics of defense, we can reclaim the advantage and redefine what it means to be secure.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Cyber insurance plays a critical role, helping you recover faster while reinforcing trust across your organization and with your partners.

Faster response, seamless reimbursementWe’ve built Microsoft Incident Response with both technical strength and ease of use.

This helps streamline onboarding and supports reimbursements for covered incidents under eligible cyber insurance policies.

Microsoft Incident Response Strengthen your security with an end-to-end portfolio of proactive and reactive cybersecurity incident response services.

Learn moreTo learn more about how our teams are working together, and how our collaboration with cyber insurance providers like Beazley can help you strengthen y…

We’re honored to share that Microsoft has been named a Leader in the 2025 Gartner® Magic Quadrant™ for Email Security.

We believe this recognition highlights the value of Microsoft Defender for Office 365’s innovative capabilities in addressing today’s complex email security challenges.

2025 Gartner® Magic Quadrant™ for Email Security.

Learn moreYou can learn more by reading the full 2025 Gartner® Magic Quadrant™ for Email Security report.

Gartner, Magic Quadrant for Email Security, 1 December 2025, By Max Taggett, Nikul Patel

Use network segmentation on your internal networks and enforce traffic patterns to prevent unexpected or unwanted network traffic.

Implement DNS security extensions, DNS filtering and blocking, monitor and log DNS traffic, and configure DNS servers securely to help minimize these risks.

Using fingerprinting as a primary key in correlating user traffic allows for easy identification of questionable activity.

Learn more with Microsoft SecurityTo learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.

Our first rust memory safety vulnerability...almost: We'll analyze a near-miss memory safety bug in unsafe Rust: how it happened, how it was mitigated, and steps we're taking to prevent recurrence.

Our First Rust Memory Safety Vulnerability...AlmostWe recently avoided shipping our very first Rust-based memory safety vulnerability: a linear buffer overflow in CrabbyAVIF.

Unsafe Review and TrainingOperating system development requires unsafe code, typically C, C++, or unsafe Rust (for example, for FFI and interacting with hardware), so simply banning unsafe code is not workable.

Dmytro Hrybenko for leading the effort to develop training for unsafe Rust and for providing extensive feedback on …

Survey shows Android users’ confidence in scam protectionsGoogle and YouGov3 surveyed 5,000 smartphone users across the U.S., India, and Brazil about their experiences.

The findings were clear: Android users reported receiving fewer scam texts and felt more confident that their device was keeping them safe.

Android users were 58% more likely than iOS users to say they had not received any scam texts in the week prior to the survey.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites.

To address this risk, we launched the “Always Use Secure Connections” setting in 2022 as an opt-in option.

We now think the time has come to enable “Always Use Secure Connections” for all users by default.

For more than a decade, Google has published the HTTPS transparency report, which tracks the percentage of navigations in Chrome that use HTTPS.

Since HTTP navigations remain a regular occurrence for most Chrome users, a naive approach to warning on all HTTP navigations would be quite disruptive.

To help accelerate adoption of AI for cybersecurity workflows, we partnered with Airbus at DEF CON 33 to host the GenSec Capture the Flag (CTF), dedicated to human-AI collaboration in cybersecurity.

Our goal was to create a fun, interactive environment, where participants across various skill levels could explore how AI can accelerate their daily cybersecurity workflows.

An overwhelming 85% of all participants found the event useful for learning how AI can be applied to security workflows.

This positive feedback highlights that AI-centric CTFs can play a vital role in speeding up AI education and adoption in the security community.

We are committed to advancing the AI cybersecurity frontier…

This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service .

The block will expire shortly after those requests stop.

In the meantime, solving the above CAPTCHA will let you continue to use our services.This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests.

If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible.

Learn more Sometimes you may be asked to solve the CAPTCHA if you are using advanced terms that robots are known to use, or sending requests very qu…

At Made by Google 2025, we announced that the new Google Pixel 10 phones will support C2PA Content Credentials in Pixel Camera and Google Photos.

Pixel Camera attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

Google Photos attaches Content Credentials to JPEG images that already have Content Credentials and are edited using AI or non-AI tools, and also to any images that are edited using AI tools.

Building a More Trus…

Today marks a watershed moment and new benchmark for open-source security and the future of consumer electronics.

Google is proud to announce that protected KVM (pKVM), the hypervisor that powers the Android Virtualization Framework, has officially achieved SESIP Level 5 certification.

This makes pKVM the first software security system designed for large-scale deployment in consumer electronics to meet this assurance bar.

With this level of security assurance, Android is now positioned to securely support the next generation of high-criticality isolated workloads.

Achieving Security Evaluation Standard for IoT Platforms (SESIP) Level 5 is a landmark because it incorporates AVA_VAN.5, the hi…

Today we're excited to announce OSS Rebuild, a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts.

Infrastructure definitions to allow organizations to easily run their own instances of OSS Rebuild to rebuild, generate, sign, and distribute provenance.

With an estimated value exceeding $12 trillion, open source software has never been more integral to the global economy.

For publishers and maintainers of open source packages, OSS Rebuild can...

If you're a developer, enterprise, or security researcher interested in OSS security, we invite you to follow along and get involved!

Android recently announced Advanced Protection, which extends Google’s Advanced Protection Program to a device-level security setting for Android users that need heightened security—such as journalists, elected officials, and public figures.

This is particularly useful for Advanced Protection users, since in 2023, plaintext HTTP was used as an exploitation vector during the Egyptian election.

JavaScript Optimizations and Security Advanced Protection reduces the attack surface of Chrome by disabling the higher-level optimizing Javascript compilers inside V8.

Javascript optimizers can be disabled outside of Advanced Protection Mode via the “Javascript optimization & security” Site Setting.

We…

Below we describe our prompt injection mitigation product strategy based on extensive research, development, and deployment of improved security mitigations.

A layered security approachGoogle has taken a layered security approach introducing security measures designed for each stage of the prompt lifecycle.

From there, a key protection against prompt injection and data exfiltration attacks occurs at the URL level.

Users are encouraged to become more familiar with our prompt injection defenses by reading the Help Center article.

Moving forwardOur comprehensive prompt injection security strategy strengthens the overall security framework for Gemini.