Мессенджер исчез, корпорация сослалась на санкции, Минцифры пошло на поклон… Что происходит?

Дыру закрыли. Эмиссию проверить невозможно. Доверие — подорвано.

Google добавил в Android защиту от звонков с клонированным голосом.

Троян MagicAd прятался более чем в 50 играх и программах каталога Xiaomi GetApps

США признали уязвимость SolarWinds активно эксплуатируемой и дали госорганам две недели.

Корпорация расширяет экосистему ИИ-инструментов для создателей контента на фоне растущей конкуренции с YouTube, TikTok и Instagram.

По данным СМИ, деньги заплатили. Weil подтвердила только сам инцидент.

Не разрезать, не вырезать, не надеяться на удачу.

Brave нашёл способ продавать отсутствие функций.

Военные годами глушили GPS, думая, что это решает проблему. Оказалось, у планеты есть запасной вариант.

Утечка воздуха в российском модуле «Звезда» усилилась во время ремонта, и пятерым астронавтам приказали перейти в Crew Dragon.

25 процессов, около 200 артефактов и постоянные изменения в командах превращают поддержку требований РБПО в сложную задачу.

Cloud.ru и Business Studio создали цифровую платформу, которая автоматически поддерживает актуальность процессов и документации.

Решение Business Studio: оцифрованная архитектура процессов как живая системаДля построения бизнес-архитектуры Cloud.ru выбрал Business Studio — профессиональный инструмент процессного моделирования.

Business Studio → HTML → Markdown → WikiДокументы из Business Studio экспортируются в HTML, затем специализированный сервис автоматически конвертирует их в Markdown и публикует в корпоративной Wiki-системе Confluence.

Использование Business Studi…

Значительная часть похищенных средств в подобных кейсах не исчезает из системы, а переходит в режим длительного ожидания, оставаясь на адресах годами без какой-либо активности.

Кроме того, они нередко рассчитывают на рост стоимости украденных активов: спустя несколько лет похищенная криптовалюта может стоить в разы дороже.

В результате связанные адреса получают соответствующий риск-профиль и маркируются в аналитических базах как потенциально связанные с противоправной деятельностью.

Напротив, современные системы блокчейн-аналитики позволяют отслеживать перемещение средств даже спустя годы после хищения, выявляя связи между адресами и фиксируя попытки вывода через регулируемую инфраструктуру…

ВведениеВидеоаналитика в промышленной безопасности перестала быть вспомогательным инструментом наблюдения.

Связано это не только с требованиями к безопасности данных, но и с желанием сохранить полный контроль над производственными процессами и не зависеть от внешней инфраструктуры.

В промышленной видеоаналитике результат часто зависит не от самой нейросети, а от качества её дообучения под конкретный объект.

Что определяет рынок в 2026 годуВидеоаналитика в промышленной безопасности постепенно перестаёт быть отдельной системой наблюдения и становится частью производственного управления рисками.

ВыводыСистемы видеоаналитики в промышленной безопасности постепенно переходят из категории средств …

Как превратить Threat Intelligence в инструмент для принятия решений, а не источник перегрузки?

По нашей оценке, ручная обработка всего массива обходится крупной компании в 20–25 млн рублей в год — и это только на зарплатах аналитиков.

Которая знает, что для завода в Перми опасна одна Common Vulnerabilities and Exposures (CVE), а для банка в Москве — совсем другая.

В энергетике использование скомпрометированных учётных записей (Valid Accounts) достигает 63 %, а в целом в критической информационной инфраструктуре (КИИ) — 76 %.

В том, чтобы собирать данные отовсюду: с Запада и с Востока, из открытых источников и закрытых форумов, от глобальных гигантов и локальных специалистов.

Интеграторы пережили и пандемию, и импортозамещение, но это не гарантирует им будущее.

Тем не менее казалось, что рост будет постоянным и стабильным, деньги не закончатся, заказчики сами будут приходить со своими проектами и запросами на многолетние контракты.

Но экономика в целом и рынок ИБ в частности продолжают жить.

Стабильная команда, уверенная и комфортная коммуникация, умение говорить как на языке инженеров, так и на языке бизнеса.

Побеждать будут те, кто способен стать для заказчика долгосрочным партнёром, а не исполнителем отдельного проекта.

У бизнеса должен быть выбор — заплатить на треть меньше, но получить риск простоя; не развиваться, но и не платить.

Повышать эффективность нужно везде, и это должно приводить к сокращению затрат.

Как сократить стоимость владения инфраструктуры и не потерять в эффективности?

Популярна функция саммари созвонов: если раньше был специальный человек, который вручную всё записывал, то сейчас это не нужно.

Тимофей Нецветаев, руководитель департамента инфраструктурных сервисов, СДЭК ДИДЖИТАЛНиколай Ульрих добавил, что ИИ можно использовать в консалтинге и для оптимизации процессов.

Где классический SAST остаётся незаменимымКлассический SAST не теряет актуальности с появлением ИИ.

Иногда проблема находится не в функции, не в строке и даже не в одном файле, а в сценарии.

Код может содержать проверку авторизации, но она может быть неполной, выполняться не на том уровне или не учитывать конкретное действие пользователя.

Модель работает не в пустоте и не со всем репозиторием сразу, а внутри подготовленного контекста, который уже собран классическим анализатором.

Зрелый подход состоит не в том, чтобы заменить весь анализ нейросетью, а в том, чтобы правильно разделить ответственность между слоями.

Эксперты рынка попытались разобраться, что можно автоматизировать уже сейчас, а что пока остаётся за человеком.

Что уже сейчас можно и нужно автоматизировать своими силами, а для чего по-прежнему требуется живая экспертиза и ответственность специалиста?

Давид Ордян считает, что в области сканеров уязвимостей — будь то внешний или внутренний периметр — автоматизация уже давно стала правдой жизни.

Именно отсюда пошла автоматизация хранения и управления логами в системах управления информацией и событиями безопасности (Security Information and Event Management, SIEM) и системах лог-менеджмента.

В планах — подключить к этому процессу машинное обучение, чтобы быстро получать актуальный срез инфр…

Организация сетевого доступа с нулевым доверием позволяет блокировать боковое перемещение злоумышленников внутри сети и выстраивать гибкие политики доступа для сотрудников, подрядчиков, администраторов и даже сервисных учётных записей.

На смену организации доступа с помощью VPN-туннелей пришла архитектура сетевого доступа с нулевым доверием — Zero Trust Network Access.

Обзор отечественных решений с поддержкой ZTNAСегодня на российском рынке представлено достаточно решений для организации сетевого доступа с нулевым доверием.

Гибридные решенияРяд российских вендоров предложил реализовать концепцию сетевого доступа с нулевым доверием с помощью совместных решений.

В данной интеграции универсаль…

ВведениеЗрелый межсетевой экран нового поколения (Next-Generation Firewall, NGFW) сегодня должен эффективно работать не только на периметре, но и в центрах обработки данных, и в территориально распределённых сетях.

Мы уже хорошо чувствуем себя в периметре и территориально распределённых сетях и делаем акцент на развитии защиты ЦОД и внутренней сети».

При использовании «Континента 4» в качестве сетевого оборудования в компании применяется BIRD, и в настоящее время он проигрывает во многих сценариях.

Технология ZTNA даёт понимание того, где, когда и как сотрудник подключается и к каким ресурсам он обращается.

Это важно и для удалённых, и для локальных пользователей.

Никита Назаров, «Лаборатория Касперского»: «Проактивность поиска киберугроз может быть ограничена многими факторами, и в первую очередь — зрелостью организации.

Накопление таких данных, развитие инструментов анализа информации и повышение компетенций специалистов формируют основу для оценки зрелости процессов проактивного поиска угроз в организации.

Сервис обеспечивает непрерывный мониторинг инфраструктуры, выявление сложных атак и реагирование на инциденты с использованием собственной экспертизы, аналитики угроз и технологий обнаружения.

Оценка киберрисков проводится для каждой рассматриваемой информационной системы и для каждой из идентифицированных угроз.

ГК UDV GroupUDV NTA — решение от…

ВведениеСпециально к конференции ЦИПР 2026, которая проходила в Нижнем Новгороде с 18 по 21 мая, АНО «Центр компетенций по импортозамещению в сфере ИКТ» (ЦКИТ) провело исследование, посвящённое ситуации, сложившейся с использованием зарубежного ПО в России.

И в целом проекты по миграции офисных приложений затрагивают большие массы пользователей, и в силу этого они масштабные и длительные.

Однако, как напоминает Дмитрий Хомутов, 71 % лицензий на Exchange в России изначально приобретались как бессрочные.

С другой стороны, как предупреждает Рустам Калимуллин, использование неподдерживаемого ПО, Exchange в том числе, создаёт целый ряд довольно серьёзных рисков.

Клиент RuPost Desktop«Самая сложн…

В авиа-, двигателе- и судостроении, на транспорте, в строительстве и ЖКХ доля российского ПО превышает 90%.

Например, «Роскосмос» представил модели модулей Российской орбитальной станции, перенесённые из импортного ПО в систему T-FLEX PLM.

Конференция ЦИПР 2026Во 2 день работы ЦИПР на выставке были представлены другие новые технологические решения.

Она будет направлена на выявление новых уязвимостей и атак в области ИИ, интернета вещей и других перспективных технологий.

Такой формат, как и в прошлом году, позволил выровнять ожидания и сформировать более согласованное понимание того, как должна развиваться цифровая среда и какие решения в ней действительно используются.

Однако в МТС отметили, что в разных регионах эта доля отличается, и там, где она выше, сроки рефарминга сдвигаются.

А вот 2G, ориентированному на передачу голоса и небольших объёмов данных, рефарминг угрожает в меньшей степени, и он будет существовать ещё долго.

А такие есть и в Центральной России, например Тверская область.

Однако такое характерно для не самых распространённых деноминаций (ряда старообрядческих согласий, некоторых направлений протестантизма, хасидов).

Впрочем, некоторые компании имеют частные сотовые сети и не зависят от операторов, но таких — считанные единицы.

Однако инструменты самозащиты приложений во время выполнения незаменимы для сценариев, где традиционные средства ИБ, обеспечивающие поиск уязвимостей, недостаточно эффективны.

Runtime Application Self-Protection (RASP) — это технология самозащиты приложений во время выполнения, работающая по принципу «защиты изнутри».

Отличие RASP от WAFПоскольку RASP защищает уже работающее приложение, существует мнение, что вместо него вполне можно использовать файрвол веб-приложений (Web Application Firewall, WAF).

Это решение для защиты приложений во время выполнения (RASP) от компании Contrast Security.

Он позволяет обеспечивать защиту приложений в режиме реального времени и может динамически внедрятьс…

Или один агент не может породить цепочку глубже 10 шагов без подтверждения человека.

Если не учитывать идемпотентность, можно получить дубли: два письма клиенту, два списания, два обновления записи, два созданных тикета.

Например, отправка письма клиенту, изменение финансовых данных, удаление записи, массовая рассылка, изменение прав доступа — всё это может требовать подтверждения человека.

Такие правила должны быть описаны не в хаотичном коде внутри каждого агента, а в отдельном policy-слое.

ИтогПлатформа управления AI-агентами должна справляться с нагрузкой не за счёт одной мощной модели и не за счёт бесконечного увеличения серверов.

Человеческая цивилизация держится в том числе на представлении об абсолютной неизменяемости прошлого. Но представьте себе существо, обладающее следующими свойствами:1. Видит свою память как набор фактов в любой момент времни. 2. Обладает возможностью по своей воле удалять, добавлять, изменять любые факты своей памяти. Реально?

Проблема обычно не в самом сертификате, а в том, как был создан CSR.

Чтобы получить SSL-сертификат для протокола TLS, вы создаёте CSR и отправляете его в удостоверяющий центр.

Важно: сам приватный ключ в CSR не передаётся.

Некоторые провайдеры предлагают выпустить сертификат, сгенерировав ключ и CSR на своей стороне — обычно это панель reseller-а или хостинг-провайдера.

Они комбинируются: один сертификат может иметь и SAN со списком доменов, и wildcard-записи в этом же SAN.

Хакеры используют ИИ для рутинной автоматизации, сбора информации в открытых источниках, написания шаблонов кода и моментальной адаптации существующих инструментов под новые задачи.

Как и легальные программисты, злоумышленники активно применяют вайбкодинг и копайлотов разработки.

Серверы, где обучаются и крутятся ваши модели, должны быть защищены так же тщательно, как и контроллеры домена.

Искусственный интеллект — это не абсолютное зло и не абсолютное благо.

А как обстоят дела с ИИ в вашей компании?

Этот пост появился по просьбе Сета Ларсона: он спросил, могу ли я разобрать, как разные пакетные менеджеры реализуют задержку установки новых версий зависимостей, или cooldown.

Настройка работает и для прямых, и для транзитивных зависимостей, а для пакетов, которым вы доверяете достаточно, чтобы пропустить проверку, есть список minimumReleaseAgeExclude .

Если настройка задается на уровне источника, а не отдельных gem-пакетов, на приватные реестры задержка просто не распространяется.

Оно отмечает конфигурации Dependabot, где нет настроек cooldown или задан слишком короткий период ожидания.

Но у этого поля npm есть обратная сторона: time доступно только в полном ответе реестра с метаданными п…

Существенная разница в том, что список обрабатываемых событий у fanotify гораздо шире, а также есть возможность принимать решение kernel-характера в user space.

Говорим о проблемахДостаточно ли метаданных предоставляет fanotify с точки зрения ИБ?

Офицер безопасности узнает, что с конкретным файлом произошло определённое действие.

Во время работы будем снимать дамп потребления CPU, а после остановки воспользуемся утилитой для профилирования:# 1.Запускаем программу sudo ./main /home # 2.Параллельно снимаем CPU дамп (шаг - 1 с) sudo pidstat -p 38014 1 # 3.По окончании смотрим результаты профилирования программы go tool pprof -http=:8080 cpu.outВывод pidstat следующий:Linux 6.6.87.2-microsoft-s…

Для того чтобы понять, что нужно приложениям, мы произведём анализ сетевого трафика и прав приложений на телефоне.

Для изучения я установил на ПК под управлением Linux Ubuntu — Android SDK, в котором с помощью андроид‑эмулятора создал тестовую среду для изучения.

Тестовая среда — это виртуальная машина/телефон с root‑доступом, общение с которой возможно в графическом интерфейсе и с помощью командной строки (Android Debug Bridge).

Выяснилось, что многие приложения собирают много аналитики, статистики, трекинговой информации, телеметрии и отправляют это не только на свои сервера, но и на посторонние.

Но есть приложения, которые могут иметь доступ на управление средой и оказывать влияние на эт…

На связи Nuit, мне 18 лет, я учусь и в этом году сдаю ЕГЭ и планирую двигаться дальше в ИБ.

Статья носит исключительно информационный и образовательный характер и не является инструкцией или призывом к совершению противоправных действий.

Автор статьи не поощряет и не поддерживает неправомерное использование представленной информации и не несет ответственности за ее использование в противоправных целях.

Долгое время играл и мне это нравилось, особенно категория web.

Дико нравится сама мысль, что я в свои годы нахожу опасные уязвимости в серьезных корпорациях.

Эта стеганография, зашитая в железо, на просторах интернета, называется по-разному: yellow dots, tracking dots, а в литературе чаще Machine Identification Code, MIC.

И если вы не нашли точек, то это не значит, что ваш лист на который вы светили синим, не метят.

Верхняя строка обычно содержит не данные, а биты четности: контроль ошибок, чтобы при сканировании не потерять и не приклеить лишнюю точку.

Берете тот же принцип, что и в сетке: четыре клетки, веса 8, 4, 2, 1, точка есть прибавляем вес.

Только здесь каждая строчка читается целиком слева направо, это не столбцы, как в сетке выше.

ping -n 3 -w 2000 {ip}После проверки подключения с помощью ping к указанным серверам в конфигурации создается профиль подключения rclone.

rclone.exe config create 229 sftp host={ip} user={user} port={port} pass={pass} key_file= key_file_pass= pubkey_file= key_use_agent=false use_insecure_cipher=false disable_hashcheck=falseПараметры {ip}, {user}, {port}, {pass} передаются на ВПО в конфигурации в виде объектов массива "svrs".

Рисунок 12 – Профиль пользователя s1r1banВ профиле s1r1b коммиты содержали еще более ранние конфигурации для тестирования.

Интересно, что в данном репозитории конфигурация была зашифрована тем же ключом, что и в описанном сэмпле.

Продолжение исследования, подробности, п…

В синтетических видео rPPG-сигнал часто отсутствует, искажается или демонстрирует физиологически неправдоподобные характеристики.

По сути, каждая точка на графике — это среднее значение яркости зелёного цвета в области лица на очередном кадре видео.

Possible manipulation / deepfake artifact Да Зафиксирована физиологическая аномалия, которая может быть связана как с синтетической генерацией контента, так и с низким качеством видеоматериала.

Следует учитывать, что предупреждение "Possible manipulation / deepfake artifact" является эвристическим индикатором и не означает автоматическое подтверждение факта подделки.

Проведённые эксперименты показали, что во всех исследуемых видео наблюдалось сн…

Сейчас FrisbeeTube функционирует как корпоративная видеотека, заточенная под механизм синхронизации пользователей и групп с Frisbee.

Для развертывания Frisbee и работы FrisbeeTube необходимо учитывать два ресурсоемких элемента, которые скрыты от обычных пользователей Youtube или его аналогов.

Если группа в Frisbee никогда ранее не была плейлистом в FrisbeeTube, при первой публикации мы делаем единичный REST-запрос, чтобы забрать текущий состав группы и перенести его в нашу базу данных (Postgres в FrisbeeTube, в отличие от Cassandra в Frisbee).

Мы также реализовали двухстороннюю связь для функционала лайков: отметка “Нравится”, поставленная в FrisbeeTube, отражается в Frisbee как тег.

Этот т…

И это не про «глупых юзеров» — это про сломанный продуктовый механизм: корпоративный агрегатор ИИ без встроенного обучения превращается в дорогую витрину.

Мы построили Альпина GPT — внутренний стартап Alpina Digital, который сегодня собрал 42 модели в одном окне и 9 000 зарегистрированных пользователей.

И у нас не только книги, но и онлайн-курсы с корпоративными образовательными продуктами.

Внешние модели подключены через API — данные пользователя не остаются на стороне OpenAI / Anthropic / Google и не используются для дообучения моделей.

Главная проблема была не в нём, а в том самом «первом касании».

Второй ежеквартальный номер «Хакера» отпечатан, и первые заказы уже доставлены читателям.

Если ты еще не успел заказать свой экземпляр — поторопись, свободных журналов становится все меньше.

Мы сделали ее специально для ежеквартального «Хакера», чтобы номер не пострадал в дороге и выглядел как настоящий подарок и коллекционный артефакт, а не просто очередная посылка.

Кроме того, вместе с ежеквартальным журналом ты получаешь бонус — дополнительный печатный спецвыпуск, посвященный Standoff, который мы не анонсировали ранее.

И специально для тех, кто не хочет следить за открытием предзаказов и остатками тиражей, в нашем магазине теперь доступен заказ комплекта из всех четырех ежеквартальных вы…

Представители компании Microsoft пытаются сгладить конфликт с ИБ-исследователем, известным под ником Nightmare Eclipse (он же Chaos Eclipse), который публикует эксплоиты для 0-day-уязвимостей в Windows.

После критики со стороны ИБ-сообщества компания заявила, что не намерена преследовать специалистов, занимающихся исследованиями безопасности.

В компании подчеркнули, что не собираются предпринимать никаких юридических действий против людей, которые занимаются ИБ-исследованиями или публикуют их результаты.

Также в Microsoft признали, что некоторые взаимодействия с исследователями могли проходить не слишком гладко, и пообещали учесть полученную обратную связь.

Тем временем сам Nightmare Eclips…

Тестирование собственных инструментов злоумышленники начали в декабре прошлого года, а в январе–феврале 2026 года специалисты зафиксировали атаки на военнослужащих через мессенджеры и сайты знакомств.

Исследование началось в феврале 2026 года с обнаружения архива «Решение по СВОДУ.zip».

Для закрепления в системе малварь создает BAT- и PowerShell-скрипты и добавляет их в автозагрузку через реестр.

Под видом волонтеров или девушек, желающих познакомиться, злоумышленники вступали в переписку с военнослужащими через Telegram и другие платформы.

В F6 отмечают, что операционная модель SiribClone сочетает социальную инженерию, фишинг, мобильное шпионское ПО и малварь для Windows.

В OSINT и безопас­ности час­то нуж­ны инс­тру­мен­ты ана­лиза крип­товалют: надо понимать, кто сто­ит за адре­сами, куда ухо­дят средс­тва и как отсле­дить активность.

Сегод­ня пос­мотрим, как устро­ены адре­са в раз­ных блок­чей­нах, как работа­ет пар­синг, какие есть спо­собы иден­тифика­ции и про­вер­ки.

Нап­ример, что­бы най­ти на форуме все Ethereum-адре­са, дос­таточ­но задать регуляр­ку вида 0x[ a-fA-F0-9]{ 40} .

В блок­чей­не адре­са пря­мо ука­заны в тран­закци­ях: в Bitcoin лежат в выходах, а в Ethereum — в логах и вызовах кон­трак­тов.

Вот нес­коль­ко реаль­ных кей­сов:На форумах вро­де BitcoinTalk поль­зовате­ли добав­ляют адре­са в под­писи, что­бы при­нимать донаты.

ИБ-исследователь Аммар Аскар (Ammar Askar) выложил в открытый доступ PoC-эксплоит и детали 0-day-уязвимости в Visual Studio Code, которая позволяет похищать токены GitHub OAuth.

После этого, при попытке эксплуатации проблемы, пользователь увидит предупреждение о том, что расширение GitHub Repositories запрашивает авторизацию через GitHub.

Дело в том, что Аскар уведомил разработчиков GitHub о баге всего за час до публикации своего отчета.

По его словам, ранее он сообщал MSRC о другой ошибке в VS Code, и тогда баг исправили без упоминания его имени.

Он подчеркнул, что в будущем намерен открыто публиковать информацию обо всех найденных проблемах в VS Code сразу после их обнаружения.

Почти 2000 сайтов под управлением WordPress оказались заражены необычной малварью, которая использует комментарии в Steam Community в качестве управляющей инфраструктуры.

Вредонос скрывает полезную нагрузку в невидимых Unicode-символах и получает команды через обычные профили пользователей Steam.

После изначальной компрометации на сайт внедряется первый компонент вредоноса, который обращается к определенным профилям Steam Community при загрузке страниц.

Владельцам ресурсов под управлением WordPress рекомендуют проверить логи на наличие обращений к Steam Community, подозрительных внешних JavaScript и соединений с доменом hello-mywordl[.]info.

Дополнительными индикаторами компрометации могут …

Специалисты из компании Calif представили новую DoS-атаку под названием HTTP/2 Bomb, которая затрагивает популярные веб-серверы и прокси, включая nginx, Apache HTTP Server, Microsoft IIS, Envoy и Cloudflare Pingora.

По словам исследователей, проблема присутствует в стандартной конфигурации HTTP/2 и не связана с какой-либо конкретной реализацией протокола.

В основе HTTP/2 Bomb лежит комбинация HPACK-компрессии и техники Slowloris.

Например, в случае Apache HTTP Server и Envoy один клиент может занять и удерживать около 32 Гбайт памяти примерно за 20 секунд.

Во время тестирования исследователи получили следующие результаты:Envoy 1.37.2 исчерпал 32 Гбайт памяти примерно за 10 секунд;Apache htt…

Исследователи из «Лаборатории Касперского» обнаружили новую вредоносную кампанию: злоумышленники распространяют RAT Argamal через хентай-игры, торрент-трекеры и игровые форумы.

Эксперты рассказывают, что весной 2026 года было выявлено, что злоумышленники распространяют ранее неизвестный троян удаленного доступа Argamal, который после заражения предоставляет атакующим практически полный контроль над системой.

После этого операторы Argamal могут удаленно выполнять команды на зараженной машине, делать скриншоты, управлять курсором, архивировать файлы и отправлять их на свои серверы, а также перезагружать или выключать систему.

Подробный технический анализ малвари показал, что Argamal может зак…

В популярном плагине WP Maps Pro для WordPress обнаружили критическую уязвимость, которую злоумышленники уже начали эксплуатировать в реальных атаках.

Она затрагивает все версии WP Maps Pro до 6.1.0 включительно.

WP Maps Pro — коммерческий плагин для WordPress, который используют для встраивания на сайты карт Google Maps и OpenStreetMap, а также создания локаторов магазинов и каталогов точек продаж.

После этого плагин автоматически создавал нового пользователя WordPress с жестко заданной ролью администратора, генерировал для него magic-ссылку для входа и возвращал ее в ответе.

Администраторам сайтов под управлением WordPress рекомендуют как можно скорее обновить WP Maps Pro до версии 6.1.1 …

Что вооб­ще такое Deep Research и зачем он нужен?

От «умного поиска» к полноценному исследованиюВ прош­лой статье я под­робно рас­ска­зал о Vane — прек­расной замене ИИ‑поис­ковикам с допол­нитель­ным режимом Deep Research.

Он нам при­годит­ся для работы с Local Deep Research, но, если ты не читал прош­лую статью или не уста­новил SearXNG, не страш­но: пос­тавим его отдель­но.

Встро­енный в Vane режим Deep Research инте­рес­нее, но до пол­ноцен­ного ана­лога Deep Research из Perplexity Pro не дотяги­вает.

Плюс есть пол­ный кон­троль над сво­ими базами дан­ных: обя­затель­ное шиф­рование (и не взду­май потерять пароль, вос­ста­новить его не получит­ся!).

После недавней атаки на пользователей менеджера паролей Dashlane выяснилось, что злоумышленникам удалось похитить зашифрованные хранилища как минимум 20 клиентов.

Напомним, что в конце прошлой недели представители Dashlane сообщили о брутфорс-атаке на учетные записи некоторых пользователей.

Тогда в компании заявляли, что из-за атак сработали встроенные механизмы защиты, которые автоматически приостановили работу затронутых аккаунтов.

«Начиная с воскресенья, 31 мая 2026 года, неизвестные проводили брутфорс-атаки на учетные записи некоторых пользователей Dashlane, — сообщили в компании.

При этом в компании подчеркивают, что собственная инфраструктура Dashlane не пострадала.

Специалисты компании Socket обнаружили необычный вредоносный пакет Sicoob.Sdk в репозитории NuGet.

Малварь маскировалась под официальный C# SDK для работы с API бразильской финансовой кооперативной системы Sicoob и похищала данные, необходимые для аутентификации компаний в банковской инфраструктуре.

По данным исследователей, вредоносный код присутствовал в версиях пакета с 2.0.0 по 2.0.4, и малварь успели загрузить более 500 раз.

Пакет также перехватывал ответы Boleto API и тоже отправлял их своим операторам.

После получения уведомления от исследователей администраторы NuGet заблокировали вредоносный пакет.

Раньше почту на Xakep.ru мог зарегистрировать любой желающий.

Если ты готов поддержать журнал и заодно обзавестись самой модной почтой в обитаемой Вселенной, мы поможем тебе в этом.

Раньше почту на Xakep.ru мог зарегистрировать любой желающий.

Дело в том, что ящики работают в инфраструктуре VK Workspace, и в результате почта функционирует стабильно и без рекламы.

Почта на @xakep.ru — это кусочек истории и ностальгия по временам, когда интернет был другим, а журнал «Хакер» лежал на каждом втором компьютерном столе.

Вечером 3 июня 2026 года приложение Max было удалено из App Store.

Разработчики подтвердили, что в настоящее время мессенджер недоступен в магазине Apple, но причины удаления пока остаются неизвестными.

Разработчики Max подтвердили, что приложение действительно пропало из каталога App Store.

Пока приложение отсутствует в App Store, пользователям предлагают загружать его через другие площадки.

В компании напоминают, что Max по-прежнему доступен в RuStore, Google Play, Huawei AppGallery, Samsung Store, Xiaomi Store, Vivo Store, а также на официальном сайте проекта.

Группировка RAlord публично извинилась перед нефтесервисной компанией Eriell Group из Узбекистана, а провинившегося аффилиата, атаковавшего компанию, исключили из партнерской программы.

Среди вымогателей по-прежнему действует негласное правило: не трогать организации из России и стран СНГ.

Как сообщает издание The Register, представители вымогательской партнерской программы Nova, связанной с группировкой RAlord, принесли официальные извинения нефтесервисной компании Eriell Group, штаб-квартира которой находится в Узбекистане, а головной офис расположен в Москве.

В результате провинившегося участника исключили из партнерской программы, и операторы малвари пообещали бесплатно помочь компании …

Microsoft's GitHub repositories have become the latest to fall victim to the ongoing Miasma self-replicating supply chain attack campaign.

The incident impacted 73 Microsoft repositories across four of its GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs, per OpenSourceMalware.

The development has GitHub to disable access to those repositories.

"If you are the owner of the repository, you may reach out to GitHub Support for more information."

Miasma is assessed to be a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026.

Cisco has warned that a high-severity security flaw impacting Catalyst SD-WAN Manager has come under active exploitation.

The vulnerability, tracked as CVE-2026-20245, carries a CVSS score of 7.8 out of a maximum of 10.0.

It affects the following deployment types -On-Prem DeploymentCisco SD-WAN Cloud-ProCisco SD-WAN Cloud (Cisco Managed)Cisco SD-WAN for Government (FedRAMP)"A vulnerability in the CLI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system," Cisco said in an advisory.

"To exploit this vulnerability, the attacker must have netadmin privilege…

Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages to distribute a Rust-based information stealer and a self-spreading worm, respectively.

The new malware has been codenamed IronWorm by the software supply chain security company.

By publishing itself to the npm registry in the form of trojanized packages, the approach results in a self-replicating attack.

JFrog described IronWorm as "a supply chain weapon built to find secrets, modify projects, and inject malicious code to self-propagate across GitHub."

"The malicious npm package was published by asteroiddao; asteroiddao corresponds …

Arabic-speaking users have emerged as the target of a new Android spyware codenamed Asin, according to findings from ESET.

]com, which claims to offer updates on military incidents (registered on January 20, 2025)Two of these websites - govlens[.

]me/liveuamap_ar"Each of these websites distributes a malicious app that combines legitimate functionality with stealthy spyware capabilities," ESET said.

"Three out of the five fraudulent apps we unearthed - GovLens, WarMap, and Syria Defense Map - seem primarily intended for people interested in open-source investigation," the company said.

"It thus seems possible that this set of activities may have been, at least partially, meant to target Arab…

Cybersecurity researchers have discovered a previously unreported threat cluster dubbed OP-512 (where "OP" stands for "opponent") that has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework.

Although no overlaps have been found between OP-512 and other known China-aligned adversaries, it's the fourth such threat group after CL-STA-0048, DragonRank, and GhostRedirector to single out IIS web servers over the past 12 months.

As recently as last month, Cisco Talos revealed that multiple Chinese-speaking cybercrime groups are sharing a variant of malware called BadIIS to infect IIS servers.

"Internet-facing IIS servers running le…

Across hybrid SOCs, in-house SOCs, and MSSP SOCs, the perceived value distribution is nearly identical.

Why the first wave of AI in the SOC underperformedThe first wave of AI SOC tools shipped as features bolted onto existing security products.

None of them fixes the handoffs between slices, which is where most SOC time and most SOC value live.

What's different about the SOCs that report excellent valueThe 10% of SOCs reporting excellent value from AI are not running different point tools.

Second wave AI in the SOC means agentic AI that operates across the full SOC lifecycle rather than inside a single stage.

Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site compromise.

"This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval()," Wordfence said.

"The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters.

According to the WordPress security company, attackers have been observed exploiting the flaw starting April 13, 2026.

The captured data is then exfiltrated back t…

Recent reports describe thousands of lookalike FIFA domains, banking malware hidden inside pirate streaming apps, and at least one operation that copies FIFA's login page well enough to take over real accounts.

One Operator, 300 Cloned FIFA SitesThe most detailed findings come from Group-IB, which tracked more than 4,300 fraudulent FIFA domains registered since August 2025.

Here is the part that does the damage: the fake login page also asks to reset the password.

The FBI advisory lists dozens of fake FIFA domains, from misspelled lookalikes to phony FIFA jobs pages, and warns more are coming.

Group-IB counted roughly 3,800 fraudulent FIFA domains sitting parked and unused, ready to switch …

The threat actor known as PCPJack has hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to create a covert SMTP email relay network.

Staged in one of the open directories Sliver-integrated SMTP proxy deployment toolkit, along with Chisel tunneling and proxy binaries for most Linux CPU architectures, such as AMD64, ARM64, and x86.

Beacons are implants that periodically phone home to the C2 server at regular intervals to check in and retrieve commands.

"Each beacon receives a SOCKS5 proxy port derived deterministically from an MD5 hash of its Sliver UUID, mapped into the range 10000-14999," Hunt.io noted.

"The verified proxy list is being sync…

Unified CM and its Session Management Edition fail to validate certain HTTP requests properly, so a crafted request can push the server into writing arbitrary files onto the underlying OS.

There is one mitigating factor: the flaw only works when the WebDialer service is running, and WebDialer ships off by default.

To check, open Cisco Unified CM Administration and switch to Cisco Unified Serviceability.

Under Tools > Control Center - Feature Services, look at the Cisco WebDialer Web Service status in the CTI Services section.

Unified CM has been a steady source of unauthenticated, root-level trouble.

A security researcher found a flaw in Anthropic's Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it, with nothing more than a single opened GitHub issue.

Claude Code GitHub Actions drops Claude into CI/CD pipelines to triage issues, slap on labels, review pull requests, or run slash commands.

By default, the workflow gets read and write access to a repo's code, issues, pull requests, discussions, and workflow files.

Claude Code blocks naive reads, but RyotaK bypasses the guard anyway and gets Claude to write the values back into the issue, where the attacker can grab them.

Claude Code trades that token with Anthropic's backend for a Claude Gi…

Here's some of what caught Tony’s attention in May 2026:Poland’s Internal Security Agency (ABW) has released information about cyber-intrusions into ICS (industrial control systems) at five water treatment facilities in the country in 2024 and 2025.

The two main attack vectors – weak passwords and systems exposed directly to the internet – were the same as those used in attacks against the Polish energy sector that leveraged DynoWiper described by ESET researchers here.

What are some key mitigation steps against attacks targeting OT systems?

How do scams crypto ATMs work and how to stay safe?

Learn this and more in Tony's video and be sure to check out the April 2026 edition of Tony's month…

ESET APT Activity Report Q4 2025–Q1 2026 summarizes notable activities of selected advanced persistent threat (APT) groups documented by ESET researchers from October 2025 through March 2026.

During the monitored time frame, China-aligned threat actors remained highly active worldwide, conducting espionage campaigns shaped in part by geopolitical developments affecting Beijing’s economic and security interests.

The war in Iran that began in late February 2026 was the defining event for Iran-aligned activity during this period.

Russia-aligned threat actors continued to focus overwhelmingly on Ukraine and entities connected to the country’s defense efforts.

Intelligence shared here is based m…

Alongside a number of freely available AI chatbots, major technology companies have moved into consumer-facing health AI with the launches of services such as Copilot Health, ChatGPT Health, and Amazon’s HealthAI that models help users interpret their medical records and ask questions about their symptoms, lab results and treatment options.

Misuse of AI chatbots in general is now the number one health technology hazard out there, according to one US patient safety organization.

Your health data is not like a stolen credit card that can be frozen while the details are replaced and reissued.

Even so, people should be cautious: health data is unusually sensitive, and anonymization doesn’t alwa…

Our recent review of threat detections in Brazil surfaced BTMOB, an Android remote access trojan (RAT) that is less notable for detection volume than for the damage it can wreak.

BTMOB at a glanceFirst described in February 2025, BTMOB has evolved from the SpySolr malware.

BTMOB APK creation toolHow does BTMOB spread?

For example, researchers Johnk3r and Merl recently spotted campaigns that spread BTMOB while impersonating Argentina’s tax and customs authorities.

ESET products detect the primary tool as MSIL/BtmobRat, while related Android variants trigger detections such as Android/Spy.Agent.EED, Android/Spy.Agent.EIJ and Android/Spy.Agent.EIK.

Many soccer fans may still be hunting for tickets, merchandise, travel and hospitality packages – and scammers know exactly how to exploit this demand.

]shop, uses a domain that looks close enough to FIFA and the 2026 World Cup to catch a hurried visitor.

Fake site impersonating the official FIFA World Cup 2026™ websiteThe trickery doesn’t stop there, however.

Official FIFA World Cup 2026™ websiteBut back to the fake website – here’s what happens if you want to “purchase” tickets or merchandise.

The countdown to the World Cup gives criminals a ready-made audience: countless people hunting for tickets, merchandise and various last-minute opportunities.

Discord and Microsoft Graph API C&C communicationIn 2025, Webworm started abusing Discord and Microsoft Graph API for C&C communication.

]com/anjsdgasdf/WordPress, which acts as a file stager for other tools and malware used by Webworm (one such tool used the compromised Amazon S3 bucket mentioned above).

WormFrpWormFrp is a proxy tunneling tool inspired by the existing fast reverse proxy (frp) utility that Webworm also uses.

ChainWormChainWorm is another custom proxy tool used by Webworm operators.

FilesSHA-1 Filename Detection Description CB4E5043333670738142 9707F59C3CBE8D497D98 SearchApp.exe WinGo/Agent.ZK EchoCreep backdoor using Discord for C&C.

Europe’s push for tech sovereigntyIn Europe, calls for greater tech sovereignty – the ability to choose and act independently, autonomously, and securely – have become almost deafening.

Over the last year in the EU, several groups of countries have coalesced around more or less political approaches to tech sovereignty.

This is where the EU’s enhanced focus on ICT supply chain security comes into foreground complementing the initiatives specifically aimed at tech sovereignty.

In response to growing demands for national tech sovereignty and protection of local competitiveness in various regions around the world, several US tech firms have begun offering “sovereign” solutions tailored to forei…

The truth is that geopolitical tension and conflict offers potentially rich pickings for opportunistic online scammers.

The backdrop of geopolitical turmoil, whether it’s Ukraine or Iran, adds weight to the stories they spin in order to achieve their goals.

Whatever tactics they choose, the end goal is usually the same: to harvest your credentials and/or personal and financial data.

They’re tried and tested and could come via email, text, social media or phone call.

Scammers know this and will create their own fake charities – or impersonate legitimate ones – to collect donations.

Every 10 minutes, the compromised computer’s fingerprint is sent to the C&C server via an HTTP POST request to https://book-happy.needbinding[.]icu/employment/documents-and-resources.

If the C&C server response content is larger than 100 bytes, the received data is executed using the eval method.

]icu N/A 2026‑03‑10 Cobalt Strike C&C server.

]icu N/A 2026‑04‑14 PicassoLoader C&C server.

]buzz N/A 2026‑04‑14 Cobalt Strike C&C server.

Smart glasses allow anyone to track and record the world around them.

So we probably shouldn’t be surprised that smart glasses are doing the rounds once more, after a failed attempt by Google to popularize them over a decade ago.

This presents significant security and privacy risks for both smart glasses users and the people they interact with.

Smart glasses give anyone the ability to record or take photos of strangers surreptitiously.

It might put you in physical danger if you lose track of your surroundingsFor bystanders:Keep your eyes peeled for anyone wearing smart glasses.

We identified and reported 28 CallPhantom apps on Google Play, cumulatively downloaded more than 7.3 million times.

The table in the Analyzed CallPhantom apps section lists each app along with its key details, including the download count.

Examples of CallPhantom initial screensCampaign overviewThe CallPhantom apps we found on Google Play mainly targeted Android users in India and the broader Asia‑Pacific region.

No data generation occurs until after payment; users have to pay or subscribe before any email would supposedly be sent.

For these third-party payment apps, CallPhantom apps either included hardcoded URLs or fetched the URLs dynamically from a Firebase realtime database, meaning th…

The most-used password globally is exactly what you think it is: ‘123456.’ That’s according to NordPass’s latest annual report on passwords exposed in data breaches globally.

NordPass’s data suggests that there are many more sites that set limited password policies and allow trivial passwords like ‘123456’.

However, I think there may also be elements of legacy in the method used to calculate the most common passwords.

Breaking the cycleNow, how do we resolve this never-ending loop of negativity about passwords, along with the ridiculous situation that platforms still permit non-secure passwords?

There is a simple and effective way to resolve it: mandate complex passwords or, better yet, MFA.

In this blogpost, we provide an overview of the attack, and the first public analysis of the Android backdoor.

sqgame is a gaming platform tailored for the people of Yanbian and hosts traditional Yanbian games for Windows, Android, and iOS.

Android BirdCall analysisIn this section, we provide a technical analysis of the Android BirdCall backdoor – an Android port of the eponymous Windows backdoor written in C++.

Trojanized Android gamesAndroid BirdCall is distributed via trojanized Android games.

During our research, we observed 12 Zoho WorkDrive drives used by the Android BirdCall backdoor for C&C purposes.

Tony also offers insights that the they may hold for your own cyber-defenses.

Iranian-linked hackers are targeting Rockwell programmable logic controllers (PLCs), with almost 4,000 such devices exposed on the networks of U.S. critical infrastructure organizations, according to a warning from multiple U.S. federal agencies.

How can critical infrastructure organizations using Rockwell PLCs stay safe?

How do the FBI's figures compare to those from 2024 and what was the most damaging scam to affect businesses last year?

Learn this and more from Tony's video and be sure to check out the March 2026 edition of Tony's monthly security news roundup for more insights.

Dashlane has disclosed new details about a brute-force attack that let a threat actor access some customer accounts and copy encrypted vaults.

The advisory notes that the copied vaults remain encrypted and require the user’s master password to unlock.

However, stolen vaults can still be subjected to offline password-cracking attempts, making the strength of a user’s master password a key factor in limiting the risk of exposure.

While unrelated to the recent brute-force attack, the researchers demonstrated scenarios in which a compromise of a provider’s infrastructure could expose or modify data stored in encrypted vaults.

The risks associated with stolen password vaults can also persist lon…

Let’s Encrypt plans to pursue a post-quantum-safe Web PKI through Merkle Tree Certificates (MTCs), a new approach that adds post-quantum authentication to the web without sacrificing the speed and reliability that have made TLS universal. The project is targeting late 2026 for a staging environment that issues MTCs, with a production-ready environment planned for 2027. “For much of the last several years, the conversation about post-quantum cryptography has been a conversation about encryption. The reasoning … More →

The post Let’s Encrypt works toward post-quantum certificates at web scale appeared first on Help Net Security.

A 0-day privilege escalation vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN Manager that has yet to be patched by Cisco is being leveraged by attackers.

Cisco is not aware of successful exploitation by other methods,” the company shared on Thursday.

CVE-2026-20245 affects all Cisco SD-WAN deployment types: on-prem, Cloud-Pro, Cloud (Cisco Managed), and for Government (FedRAMP).

Cisco is still working on pushing out patches for CVE-2026-20245 and there are no available workarounds.

(Cisco didn’t outright say that CVE-2026-20245 is being exploited in conjuction with those two authentication bypass vulnerabilities, but it seems likely.)

The company mapped the observed behavior to the MITRE ATT&CK framework, which documents tactics and techniques used by attackers.

The researchers analyzed activity linked to the banned accounts and mapped it to version 18 of the MITRE ATT&CK framework.

In total, the study recorded 13,873 actions spanning 482 unique ATT&CK techniques and all 14 ATT&CK tactics.

Of the 832 reviewed accounts, 67.3% used AI for tasks such as malware development.

The analysis also identified cases where AI was used to support more advanced operations, including lateral movement inside compromised networks.

Infosecurity Europe 2026 is a cybersecurity event that took place from June 2 to 4 in London.

Help Net Security was on-site and here’s a closer look at the conference.

The featured vendors are: Microsoft, JupiterOne, Menlo Security, Cato Networks, Falkin, Vivida, Pen Test Partners, Netskope, Qualys, Syteca, runZero, Vanta, OneTrust, Panaseer, Airia.

Microsoft Defender blocks newly exploited RedSun and UnDefend threatsMicrosoft only had one major out-of-band release since May Patch Tuesday.

The June Patch Tuesday release will contain a fix for the failures and errors when installing KB5089549 for Windows 11.

This month, Microsoft held their first Windows Hardware Engineering Conference (WinHEC 2026) since 2018.

Oracle has announced they will be providing security updates on the months between their quarterly Critical Product Updates.

The Critical Security Patch Update Advisory, May 2026 was recently announced.

The project is an open-source agentic SAST scanner released under the Apache 2.0 license.

The catalog ships more than 100 official agents, and it downloads on the first scan from the agentgg-agents repository.

Philip Garabandic, a security engineer at TikTok and lead maintainer of AgentGG, told Help Net Security that model selection depends on the type of bug.

A scope file lets the validator consult a security policy or pentest scope document, so it can mark findings that sit outside an engagement.

Must read:Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools.

A keyless car can be stolen in under a minute.

Most keyless cars remain vulnerableThe vulnerability runs across the global market.

How relay attacks workA relay attack targets the radio signal that a keyless fob sends out at all times.

A relay attack runs in under 30 seconds and leaves the car with no broken glass and no damaged locks.

A signal-blocking pouch, often called a Faraday pouch, holds the key fob and stops the fob signal from reaching a relay device.

In this Help Net Security video, Amit Gautam, CTO at Abluva, explains the security risks that autonomous AI agents bring into enterprise environments.

He opens with a real case: a reconciliation agent at a financial services firm had legitimate access to a customer database.

Gautam walks through three patterns driving this risk, employee co-pilots, sanctioned agentic workflows, and MCP integrations, and explains why agents differ from old service accounts: they are non-deterministic, easy to manipulate, and growing fast.

He then lays out four pillars for governing them: discovery, permission scoping, exfiltration controls, and audit trails.

Download: The IT and security field guide to AI ad…

Ivanti’s 2026 AI Maturity Report, drawn from responses by 1,500 IT professionals across six countries, finds that 68% have personally seen AI produce hallucinations with potential operational impact.

Among IT professionals surveyed, 52% report AI autonomously adjusting performance settings, 50% report AI isolating risky devices, 47% report AI restarting services or processes, and 46% report AI applying patches or fixes.

For scaled, mature AI organizations, these autonomous applications run at more than double the rate of less mature peers.

65% have AI risk review processes, 59% have policies for evaluating and approving new AI solutions, 58% have acceptable AI use policies, and 49% have AI …

Here’s a look at the most interesting products from the past week, featuring releases from Asimily, depthfirst, Diligent, Hyland, MazeBolt, and Noma.

Hyland platform innovations focus on AI governance, context, and agent oversightHyland has unveiled platform innovations designed to move AI from experimentation to enterprise-wide adoption.

Powered by the Content Innovation Cloud, these advancements transform governed enterprise content into trusted, actionable intelligence that accelerates business outcomes.

Diligent automates cyber risk assessments and reportingDiligent has announced Diligent Cyber Risk Management, an agentic solution designed to help organizations manage cybersecurity risk…

Installing an app from the Google Workspace Marketplace or GitHub Marketplace can grant a third party access to company email, files, calendars, code repositories, CI workflows, organization settings, and secrets.

An audit by OhAuth, the OAuth research project from identity security company Offroad, covered 2,890 public OAuth app listings, with 1,595 on Google Workspace Marketplace and 1,295 on GitHub Marketplace.

On GitHub, 346 apps hold access to code, 183 reach actions, workflows, and runners, and 107 reach organization settings.

Some of these gaps come from the OAuth scope catalog itself.

AI apps that can write49 AI-powered apps hold broad write access, with a lower-bound install footpr…

But amid the buzz, have you ever paused to consider the staggering level of risk inherent to such large-scale events?

The answer lies in having an AI-forward Governance, Risk, and Compliance (GRC) strategy that is dynamic, scalable, and connected.

The right GRC solution helps you focus time and resources where risk is the highest, even automating some third-party risk management workflows where appropriate.

The right GRC solution helps you focus time and resources where risk is the highest, even automating some third-party risk management workflows where appropriate.

To defend against these threats, event organizers are fighting fire with fire, using AI-driven GRC solutions to strengthen th…

The conversation covers how organizations check the 110 requirements but miss the 320 assessment objectives beneath them, why spotless SOC 2 evidence can hide a broken control, and how continuous monitoring is changing compliance work.

This is where I have seen organizations assume preparedness through the 110 requirements, without understanding how deep the assessment objectives go.

Pick one client engagement where the compliance evidence looked spotless on paper but the underlying control was broken.

The Tuesday morning task that FedRAMP 20x makes obsolete is the manual evidence gathering routine.

I’ve been moving customers away from this since 2020 through automated tests and integration…

A vulnerability scanner flags a critical CVSS 10 vulnerability on an industrial asset.

The report lands in the boss’ inbox and now he wants to know why we’re sitting on a critical vulnerability.

In a normal IT environment, you patch it then close the ticket and call it a day.

If, however, you’re in OT or dealing with ICS in a live manufacturing facility, it’s rarely that simple.

Note that patching in OT environments can be risky if you don’t have a test or dev environment to test patches.

AI WormResearchers have prototyped an AI-powered internet worm.

The coolest thing about the prototype is that it carries its own LLM with it, and runs it on computers that have been broken into.

This is the closest to John Brunner’s original 1975 conception of a computer worm that I’ve seen.

Posted on June 5, 2026 at 9:21 AM • 0 Comments

Hacking Meta’s AI ChatbotHackers are convincing Meta’s AI support chatbot to let them take over other peoples’ accounts:A video posted on X showed the step-by-step process to hack someone’s Instagram account.

The hacker allegedly used a VPN to spoof the targets’ presumed location to avoid triggering Instagram’s automated account protections.

Then, the hacker opened a chat with Meta AI Support Assistant and asked the bot to add a new email address to the target’s account.

[…] On Monday, Instagram spokesperson Andy Stone said in a reply to Wong’s post and others that the issue was now fixed.

But there are others, many others, and they cannot be blocked as a class.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Renowned technologist and author Bruce Schneier contributed a column on June 20, 2010, warning about cryptography’s inability to secure modern networks, a point he says he has been trying to argue since 2000.

“For a while now, I’ve pointed out that cryptography is singularly ill-suited to solve the major network security problems of today: denial-of-service attacks, website defacement, theft of credit card numbers, identity theft, viruses and worms, DNS attacks, network penetration, and so on.

Computer security defenses are inherently very fragile.

Security, real security that you or I might find useful in our lives, involves people: things people know, relationships between people, people …

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

New article: “Responsible Disclosure in the Age of AI: A Call for Urgent Action,” by Melissa Hathaway.

Abstract: Artificial intelligence is fundamentally reshaping the balance between vulnerability discovery and remediation.

This development exposes decades of accumulated technical debt created by a software industry that prioritized rapid deployment over secure-by-design engineering practices.

Drawing on the evolution of software assurance, vulnerability disclosure frameworks, and U.S. cyber policy, this perspective argues that the current moment represents a strategic inflection point for governments, industry, and critical infrastructure operators.

Responsible disclosure can no longer re…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Despite an unpopular Iran war and an even more unpopular Trump administration, college campus protests nationwide have gone silent.

It’s increasingly clear to us that these impacts are not incidental or ancillary to Trump administration policy.

Instead, we see a persistent strategy to maximize fear and chilling effects in ways that are corrosive to freedom and democracy.

Courts can block abuses of federal power, including illegal arrests, detentions and mass citizen databases.

But to resist chilling effects and their dangers over the long term, this would have to be the norm, not the exception.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Not identifying people based on their use of Wi-Fi routers, but identifying people using Wi-Fi signals.

This is accomplished through what is known as WiFi sensing, or the use of WiFi signals to infer information about a physical environment.

When radio signals like WiFi travel through a space, they interact with the objects and people around them.

“By observing the propagation of radio waves, we can create an image of the surroundings and of persons who are present,” said Thorsten Strufe, a KIT professor and study co-author, in a press release.

“This works similar to a normal camera, the difference being that in our case, radio waves instead of light waves are used for the recognition.”

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

Can you just maximize the security and privacy benchmark and call it a day?

Nope, because benchmarks don’t actually work for measuring AI capabilities (even when they are NOT emergent systemic properties like security).

Over the last 30 years, security engineering for software evolved from black box penetration testing, through whitebox code analysis and architectural risk analysis to de facto process-driven standards like the Building Security In Maturity Model (BSIMM).

In the meantime we can make real progress in AI security by cleaning up our WHAT piles and managing risk by identifying and applying good assurance processes.

(Spoiler alert: no matter what we do, we still don’t get a secur…

(I lost track of her since college and her 1981 hit “”https://www.youtube.com/watch?v=Vkfpi2H8tOE”>O Superman.”)The origins of the quote is from Roger Needham:If you think cryptography can solve your problem, you don’t understand your problem and you don’t understand cryptography.

I modified the quote in the preface to my 2000 book Secrets and Lies:A few years ago I heard a quotation, and I am going to modify it here: If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.

I can’t tell you why me in 2000 didn’t credit Needham by name.

Somewhere along the line I dropped “security” from the phrase, and now say i…

But as KrebsOnSecurity observed in September 2025, those sanctions failed to target Stark’s remaining connection to the Internet — an Internet service provider based in the Netherlands called MIRhosting.

MIRhosting is operated by Andrey Nesterenko, a 39-year-old Russian native who runs the business out of the Netherlands.

And as our September 2025 report showed, WorkTitans was controlled by Nesterenko and a 57-year-old from Amsterdam named Youssef Zinad.

On top of that, WorkTitans was getting connectivity to the larger Internet solely through MIRhosting, where Zinad had worked previously.

“The transition to the.hosting was not intended to evade sanctions,” Nesterenko wrote.

The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials.

Experts who reviewed the exposed secrets said the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos.

CISA acknowledged the leak but has not responded to questions about the duration of the data exposure.

TruffleHog does this by monitoring a live feed that GitHub publishes which includes a record of all commits and changes to public code repositories.

In practical terms, it is likely that cybercrime groups or foreign adversaries also noticed the publication of these CISA secrets, …

A criminal complaint unsealed today in an Alaska district court charges Jacob Butler, a.k.a.

“Dort,” of Ottawa, Canada with operating the Kimwolf DDoS botnet.

“KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume,” the Justice Department statement reads.

Synthient was among many technology companies thanked by the Justice Department today, and Synthient’s founder Ben Brundage told KrebsOnSecurity he’s relieved Butler is in custody.

The DOJ said at least one of those services collaborated with Butler’s Kimwolf botnet.

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems.

Another file exposed in their public GitHub repository — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems.

“The available Git metadata alone does not prove which endpoint or device was used.”Caturegli said he validated that the exposed credentials could authenticate to three AWS GovCloud accounts at a high privilege level.

CISA has not responded to questions about the p…

Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code.

May’s Patch Tuesday is a welcome respite from April, which saw Microsoft fix a near-record 167 security flaws.

But at the end of April, Oracle announced it was switching to a monthly update cycle for critical security issues.

Chrome automagically downloads available security updates, but installing them requires fully restarting the browser.

For a more granular look at the Microsoft updates released today, checkout this inventory by the SANS Internet Storm Center.

The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12.

The May 6 update stated that Canvas was fully operational, and that Instructure was not seeing any ongoing unauthorized activity on their platform.

Instructure responded by pulling Canvas offline and replacing the portal with the message, “Canvas is currently undergoing scheduled maintenance.

Data extortion groups like ShinyHunters will typically only remove victims from their leak sites after receiving an extortion payment or after a victim agrees to negotiate.

Last month, ShinyHunters relieved the home security giant ADT of personal information on 5.5 million customers.

For the past several years, security experts have tracked a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs.

The company originated from protecting game servers against DDoS attacks and evolved into an ISP-focused DDoS mitigation provider.

But so-called “DNS reflection” attacks rely on DNS servers that are (mis)configured to accept queries from anywhere on the Web.

“We received and notified many Tier 1 upstreams regarding very very large DDoS attacks against small ISPs,” Nascimento said.

Nascimento flatly denied being involved in DDoS attacks against Brazilian operators to generate business for his company’s services.

A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft.

FBI investigators tied Buchanan to the 2022 SMS phishing attacks after discovering the same username and email address was used to register numerous phishing domains seen in the campaign.

That same year, U.K. investigators found a device at Buchanan’s Scotland residence that included data stolen from SMS phishing victims and seed phrases from cryptocurrency theft victims.

Buchanan is the second known Scattered Spider member to plead guilty.

Two other alleged Scattered Spider members will soon be tried in the United Kingdom.

“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said.

Satnam Narang, senior staff research engineer at Tenable, said April marks the second-biggest Patch Tuesday ever for Microsoft.

Narang also said there are indications that a zero-day flaw Adobe patched in an emergency update on April 11 — CVE-2026-34621 — has seen active exploitation since at least November 2025.

Adam Barnett, lead software engineer at Rapid7, called the patch total from Microsoft today “a new record in that category” because it includes nearly 60 browser vulnerabilities.

For example, a Google Chrome update released earlier t…

Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today.

The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

Instead, they used known vulnerabilities to modify the Domain Name System (DNS) settings of the routers to include DNS servers controlled by the hackers.

English said the routers attacked by Forest Blizzard were reconfigured to use DNS servers that pointed to a handful of virtual private servers controlled by …

An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face.

Shchukin’s name appeared in a Feb. 2023 filing (PDF) from the U.S. Justice Department seeking the seizure of various cryptocurrency accounts associated with proceeds from the REvil ransomware gang’s activities.

The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations.

The Gandcrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process.

REvil never recovered f…

Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as TeamPCP.

TeamPCP then attempted to move laterally through victim networks, siphoning authentication credentials and extorting victims over Telegram.

Eriksen said it appears TeamPCP used access gained in the first attack on Aqua Security to perpetrate this weekend’s mischief.

“It’s a little all over the place, and there’s a chance this whole Iran thing is just their way of getting attention,” Eriksen said.

“While security firms appear to be doing a good job spotting this, we’re also gonna need GitHub’s security team to step up,” Cimpanu wrote.

The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.

The government alleges the unnamed people in control of the four botnets used their crime machines to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims.

The oldest of the botnets — Aisuru — issued more than 200,000 attacks commands, while JackSkid hurled at least 90,000 attacks.

Aisuru emerged in late 2024, and by mid-2025 it was launching record-breaking DDoS attacks as it rapidly infected new IoT devices.

That disclosure help…

A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan.

Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.

In a lengthy statement posted to Telegram, an Iranian hacktivist group known as Handala (a.k.a.

Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.

The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploratio…

Hackers have been hijacking Instagram accounts at scale by exploiting Meta's AI support chatbot. And, as if that weren't bad enough, the technique required no technical skill whatsoever. Read more in my article on the Fortra blog.

This AI security flaw might be impossible to fix with Graham Cluley and special guest Tanya Janca.

Yeah, I've done some work with them in the past and they're actually sponsoring this episode of the podcast.

Turns out some quiet little permission that crept wider over 3 years, a policy exception that nobody had reviewed, the kind of thing that's invisible until it isn't.

I don't know if that was also exposed on the WebBucket, but yeah, it's additional information though, isn't it?

And I used to work at the Canadian Revenue Agency, so I know they're not following the policy because I wrote it.

Dutch police have arrested a 35-year-old man suspected of hacking into the computer systems of Amsterdam football giant Ajax, after the personal data of hundreds of thousands of supporters was put at risk.

However, it quickly emerged that the claim of a "few hundred" potential victims was wide of the mark, as it was reported that the incident could have exposed the personal details of around 300,000 registered Ajax supporters.

In short, the number of supporters whose details were exposed was around 1000 times larger than the club's initial estimate.

Ajax says that it has worked with external experts to patch the vulnerabilities, and has strengthened its security.

It is easy to imagine that …

The Play ransomware gang is claiming to have stolen data from US pillow manufacturer MyPillow, making off with private and personal confidential data.

The company denies it has been hit, and the Play ransomware gang claims otherwise.

The truth is likely to emerge quickly, as the deadline for payment listed by Play on its leak portal is reached tomorrow.

We'll know soon enough whether Friday's payment deadline from the Play ransomware group brings a data dump or a quiet anticlimax.

One thing is certain - ransomware gangs target anyone they think might pay, and strong defences are needed by all organisations.

Smashing Security, Episode 469: What Your Oura Ring Won't Tell You, with Graham Cluley and special guest Lesley Carhart.

Because one of the things, I don't know how many people know this, but you are actively into martial arts.

I don't know.

I don't know if it's a real martial art, but I don't want to get in that argument with anybody.

And this is just a prime example of really, really, you did that.

The FBI has issued an advisory warning about a phishing-as-a-service platform that has recently emerged, which can hijack Microsoft 365 accounts without ever stealing a password.

Kali365 is a subscription service for scammers that was first spotted in April 2026, and has been promoted largely through Telegram.

Subscribers to Kali365 have access to AI-generated phishing lures, automated campaign templates, real-time dashboards for tracking targets, and the ability to capture OAuth tokens.

If you've done that, you've used "device code flow."

And this is why the FBI's top recommendation is to block device code flow, with a conditional access policy in Microsoft Entra ID where appropriate.

For almost 20 years, stolen credentials have been the most common route for attackers into organizations, according to the Verizon Data Breach Investigations Report (DBIR). But that's no longer the case. Read more in my article on the Fortra blog.

Smashing Security, episode 468: High-Speed Train Hacks and Homicidal Lawnmowers.

I've not, but also given— I don't think— In my imagination, in my mind, Taiwan's not a massive island.

I don't know.

Yeah, I don't think that's too cheeky.

I think that's a very good question because models do, as they get more capable, they tend to eat some types of software, right?

The advisory doesn't say the platform that was hacked was Canvas, and that the company concerned was Instructure.

The security breach was not just big news on cybersecurity blogs, it made headlines worldwide.

There are a few possible problems with paying an extortion gang and trusting that they will honour the deal.

Furthermore, extortionists might falsely claim to have access to compromising information, such as embarrassing photographs or videos of victims.

Having receive a ransom payment for its attack on Canvas, ShinyHunters and other extortion gangs are only likely to be further incentivised to launch similar attacks in future.

Prosecutors allege he is "Speedstepper" - the suspected main administrator of the notorious Dream Market dark web marketplace that operated from 2013 until its abrupt closure in 2019.

Dream Market's cryptocurrency wallets, holding millions of dollars worth in commission payments, went dormant after the site's closure.

But in November and December 2022, someone who had access to Dream Market's original private keys began to move funds around.

And, according to the indictment, those gold bars were shipped directly to Andresen's home address in Germany.

If the claims of prosecutors are true, it was a massive error by the man suspected of being the Dream Market kingpin.

The only weapon is the hackers' threat to release stolen data, or leave your systems permanently encrypted.

Instead, they are making threats to hurt their victims.

A study last year by identity security firm Semperis found that 40% of ransomware attacks saw criminals threatening physical violence against employees who refused to pay.

Some of the most disturbing instances of cybercrime spilling out into physical violence can be found where cryptocurrency and organised crime intertwine.

With physical threats seemingly becoming more common than ever before, it's clearly important for defenders to learn some lessons.

I don't know.

Yeah, that's it, that's it.

Now, one of those in your— I was about to say Filofax, but I don't think those are a thing anymore.

But you know, yeah, as you point out, a large part of this is through the same ecosystem.

He is professor of letters at a— I don't know which letters, I imagine all of them— at a university in Besançon.

One in eight UK workers admits to selling their company login credentials - or knowing someone who has - in the past 12 months. The really alarming bit? Their bosses are even more relaxed about it. Read more in my article on the Fortra blog.

Russia's military intelligence service, the GRU, directly controls who gets into Department 4, according to the leak.

It is GRU that is overseeing exams, and signing-off on graduates' postings, with some promising students scouted as early as secondary school.

Upon his graduation, he is said to have been assigned to the Fancy Bear hacking group, which was linked by the US Department of Justice over the high profile hack of the Democratic National Committee.

He has, it seems, gone from running the Fancy Bear hacking group to helping train its replacements.

What the report does is act as a useful reminder that the threat posed by groups like Fancy Bear and Sandworm is serious and organised.

У Павла Дурова и его «приватного» мессенджера появился новый конкурент, и это — барабанная дробь — Илон Маск и его сервис XChat.

Все описанные выше сложности с PIN-кодом в XChat, на самом деле, имеют под собой своеобразное основание.

Напомним, что, в отличие от WhatsApp и Signal, разработчики XChat решили хранить приватные ключи пользователей на своих серверах.

Так что в итоге с XChat?

И, конечно, хранить его, как и любые другие пароли, следует не в заметках, а в надежном менеджере паролей.

Отключение при помощи политик: в Admin Center пройти в раздел Settings → Integrated Apps, найти Copilot в списке Available Apps, выбрать Block.

Как отключить панель Copilot в EdgeДетектирование: на уровне NGFW или других сетевых журналов искать обращение к ресурсам copilot.microsoft.com, bing.com/chat, edgeservices.bing.com.

Блокировка с помощью политик: в панели управления: Apps → Additional Google services → Gemini app: OFF.

Блокировка с помощью политик: в корпоративных политиках Chrome необходимо установить: GenAILocalFoundationalModelSettings = 0, HelpMeWriteSettings = 2 (отключено), TabOrganizerSettings = 2, CreateThemesSettings = 2, DevToolsGenAiSettings = 2.

Как отключить Apple Intel…

Мы исследовали более 84 500 общественных точек доступа Wi-Fi в Мехико, Гвадалахаре и Монтеррее — и нам есть что вам рассказать об их безопасности.

Что и как мы исследовалиПройтись пешком по Мексике в поисках публичных Wi-Fi-точек было бы сложновато, хотя ради аналогичного исследования безопасности Wi-Fi в Париже мы именно так и поступили (кстати, ознакомиться с его результатами можно в материале Безопасен ли парижский Wi-Fi?).

Выяснилось, что WPS включен почти у половины (47%) точек доступа в Мехико, у 43% — в Гвадалахаре и 41% — в Монтеррее.

Поэтому наиболее безопасным вариантом станет использование сотовой связи для доступа в Интернет — и никакой Wi-Fi не понадобится.

О том, как это сдела…

Конкретные примеры современных вредоносных кампанийНесмотря на эти изменения, наши эксперты продолжают активно отслеживать новые вредоносные кампании и реагировать на современные угрозы.

Наши технологии зарегистрировали более тысячи вредоносных писем почти идентичной структуры, разосланных организациям из госсектора, строительной и промышленной отраслей, что прямо указывает на автоматизацию проводимых атак.

Примечательно, что в качестве резервного командного сервера загрузчик обращается к Solana Name Service, децентрализованному блокчейн-реестру, что существенно затрудняет блокировку инфраструктуры.

Обе группы активно применяют PowerShell-нагрузки и нацелены на российский госсектор, что ука…

Как настроить интеграцию Kaspersky Scan Engine c F5 BIG IP LTMНастройка Scan EngineKaspersky Scan Engine должен работать в режиме ICAP.

Как настроить интеграцию Kaspersky Scan Engine c NextcloudНастройка Kaspersky Scan EngineKaspersky Scan Engine должен работать в режиме HTTP.

Как настроить интеграцию Kaspersky Scan Engine c Hitachi NAS Platform 13.9Настройка Scan EngineKaspersky Scan Engine должен работать в режиме ICAP.

Как настроить интеграцию Kaspersky Scan Engine c RspamdНастройка Scan EngineKaspersky Scan Engine должен работать в режиме HTTPD.

Как настроить интеграцию Kaspersky Scan Engine c ARA JAGUAR 5000Настройка Scan EngineKaspersky Scan Engine должен работать в режиме ICAP.

В последнее время злоумышленники активно используют для фишинговых атак платформу Google AppSheet: через нее можно настроить почтовую рассылку, которая отправляется c почтового адреса, связанного с Google.

К сожалению, именно эта простота делает AppSheet привлекательным и для злоумышленников.

Ниже показано, как выглядит типичный путь от получения письма от якобы «карьерного портала Google» до кражи данных аккаунта:Аналогичные письма приходят от имени и других IT-гигантов.

Прежде всего смотрите не на отображаемое имя, а на адрес отправителя.

Куда более вероятно, что вы получите легитимную AppSheet-рассылку от имени небольшой компании или бизнеса, но уж точно не от IT-гигантов.

Поэтому неудивительно, что за прошедшие несколько месяцев исследователи кибербезопасности зафиксировали несколько случаев распространения вредоносного ПО под видом IPTV-приложений для Android.

В этом посте поговорим о том, что представляют собой IPTV-приложения, как с помощью их поддельных версий преступники распространяют вредоносное ПО, на что оно способно и, главное, как не стать жертвой.

Обычно они привлекают пользователей бесплатным или очень дешевым доступом к контенту, который может быть нелегко найти без дорогостоящих подписок — в первую очередь это трансляции различных спортивных мероприятий и, в частности, футбольных матчей.

Вместо этого поддельное приложение открывало во встроенн…

Хотя многие компании осознанно внедряют ИИ для повышения качества и эффективности, еще быстрее в них появляются ИИ-инструменты, руководством не санкционированные.

ИИ встраивают в уже применяемые компанией решения сами разработчики ПО (например, Microsoft Copilot и Gemini), а также самовольно устанавливают сотрудники.

И риски, и способы их снижения отличаются для разных видов ИИ-систем.

Мы дадим обзор этой широкой темы, сфокусировавшись на инструментах детектирования и блокировки ИИ на двух уровнях.

SalesforceВ режиме настроек (Setup) нужно воспользоваться поиском по словам connected apps и в результатах поиска нажать Manage Connected Apps.

Но вы даже не узнаете, что в ваше устройство уже внедрен вредоносный код, а злоумышленники смогут получить доступ даже к заблокированному смартфону.

Что такое BootROMЧтобы понять серьезность находки, сначала нужно разобраться в том, как загружается современное устройство на чипе Qualcomm.

Самый нижний — фундамент и база, самый доверенный уровень — BootROM, постоянная память, вшитая в кремний и недоступная для изменения после производства.

Почему патча не существует — и что делатьQualcomm был уведомлен о находке в марте 2025 года и подтвердил наличие уязвимости в своих чипах.

Если у вас на руках устройство с уязвимым чипом, воспользуйтесь нашими советами, которые помогут снизить риск заражен…

В решении для защиты почтовых шлюзов мы даже реализовали технологию, позволяющую считывать эти коды (причем не только из писем, но и вложений) и проверять зашитые в них ссылки.

Что такое ASCII-графика и как ее используют злоумышленникиСейчас в это нелегко поверить, но когда-то компьютеры не умели отображать графику.

Ну и вдобавок в то время многие платили за трафик, а потому отключали загрузку картинок в почте.

А в качестве дополнительного слоя защиты — установить защитные решения на все рабочие устройства, используемые для выхода в Интернет.

В частности, объяснять, что ASCII-графика в современных письмах может свидетельствовать о попытке фишинговой атаки.

Дешевая ТВ-приставка на Android с бесплатными подписками может стать основой для ботнет-сетей и прокси-серверов киберпреступников. Разбираемся, как такие ТВ-боксы сдают ваш IP в аренду и как выбрать безопасное устройство.

Интеграция с LLMТеперь у пользователей Kaspersky Container Security есть возможность использовать технологию Kaspersky Investigation and Response Assistant (KIRA).

KIRA активно внедряется и в другие продукты, и теперь она доступна для пользователей Kaspersky Container Security в качестве ИИ-ассистента.

В ходе недавнего обновления решение Kaspersky Container Security было снабжено программным интерфейсом для подключения больших языковых моделей.

Что еще обновилось в Cloud Workload SecurityКроме добавления ИИ-ассистента наши разработчики внесли еще ряд изменений в продукты, входящие в предложение Kaspersky Cloud Workload Security.

Kaspersky Container Security, теперь поддерживает механизм еди…

При этом большая часть из них — семейные, используемые совместно с близкими… и не очень: 37% пользователей делятся своими подписками за пределами семьи.

Сегодня расскажем, как безопасно управлять подписками, избежать взлома всех ваших аккаунтов и не попасться на удочку злоумышленников.

Как делятся подписками с близкими и не оченьМногие владельцы подписок с легкостью делятся ими с членами семьи и друзьями.

Самый худший вариант с точки зрения безопасности — когда покупается один подписной аккаунт и владелец передает логин и пароль другим пользователям.

Если вы и ваши близкие храните пароли «в голове», то вероятность того, что вы используете один и тот же пароль в разных сервисах, весьма велик…

Но в этом посте я хочу рассказать о Kaspersky Container Security (KCS) не как представитель вендора, а скорее как член команды, активно использующей это решение в повседневной работе.

Но Kaspersky Container Security (KCS) — это скорее платформа для защиты контейнерной среды, которая закрывает сразу несколько задач, встраиваясь в контейнерный контур целиком.

Когда у команды сотни сборок, одного периодического сканирования реестра уже мало и это всегда требует ручного вмешательства.

Чем KCS полезен в наших сценарияхУ нас работает своя система композиционного анализа, поэтому мы не смотрим на KCS как на единственный источник истины.

Почему мы смотрим на KCS не только как на сканерЕще один силь…

Да, за рулем все еще водитель, но он там скорее для страховки, так что появление настоящего беспилотного авто — это лишь вопрос времени.

Для производителя это означает ответственность за поведение автомобиля на дороге и за выбор поставщиков.

Обеспечение безопасности автомобиля в современных условияхДолгое время, когда речь шла о безопасности автомобиля, имелась в виду исключительно функциональная безопасность.

Контроль осуществляется на разных уровнях архитектуры: внутри доменов, на уровне отдельных контроллеров и на границе сетей.

В рамках этой статьи мы рассмотрели лишь часть подходов, которые сегодня применяются в KASG для обеспечения безопасности транспортных средств.

This is the shift from access control to action control.

To move from access control to action control, Agent Gateway will help answer five questions before a request is allowed to proceed:Who is the agent?

With Agent Gateway, Cisco extends these capabilities into the agentic workflow.

Duo will identify the agent process itself using Duo identity, extending naturally from user MFA to agent and non-human identities.

Duo will identify the agent process itself using Duo identity, extending naturally from user MFA to agent and non-human identities.

Why we are changing our cadenceThe fundamental scale of vulnerability discovery has shifted.

Seven days before each release, PSIRT will publish the list of technologies and platforms included in that drop.

Cisco PSIRT will provide ‘bundled’ CVEs (Common Vulnerability Exposures) tied to CWE categories (Common Weakness Enumerations).

If a finding is being addressed in a scheduled release, upgrading should negate the need to implement corner-case mitigations that do not scale.

The Cisco PSIRT is the gold standard for vulnerability disclosure and will drive this revolution – with significantly expanded tooling and cadence built for the new rate of discovery.

The National Institute of Standards and Technology (NIST) finalized its first PQC standards in 2024.

Cisco’s Quantum Resilience FrameworkCisco has developed a framework to articulate multiple levels of quantum resilience – each representing distinct capabilities designed to respond to new and emerging threats to confidential communication and product integrity.

It gives organizations a foundation as they progress toward more complete levels of quantum resilience.

Level 3 extends quantum resilience into identity and attestation.

Together, these levels give customers a practical way to evaluate quantum resilience.

Secure agents as digital workersThe second imperative is to secure the agents now entering the enterprise.

At Cisco Live, we are taking the next step by making DefenseClaw enterprise-ready and integrating it into Cisco Secure Client.

Context provided by the network is what allows security teams to understand behavior, enforce trust, and respond with confidence across domains.

That is how Cisco is helping customers become more resilient—and helping security teams protect, detect and respond with confidence in the agentic era.

Ask a question and stay connected with Cisco Security on social media.

Introducing Identity in Cisco Cloud ControlIdentity in Cisco Cloud Control brings identity, device, network, application and agentic activity context together in a single, unified operational view.

By unifying capabilities across Duo, Cisco Identity Intelligence (CII), Cisco Identity Services Engine (ISE), and supported vendor sources, Cisco enables teams to investigate, assess, and act on identity risk without switching tools or losing context.

What’s NewWith the introduction of Identity in Cisco Cloud Control, customers gain new capabilities designed to simplify identity operations and make identity risk more actionable.

Identity in Cisco Cloud Control provides a unified way to operationa…

Bringing security into Cisco Cloud ControlThat is the challenge Security in Cisco Cloud Control with AI Canvas is built to address.

Security in Cloud Control brings Security Cloud Control into Cisco Cloud Control’s unified operations platform.

With Cisco Cloud Control, security becomes part of a broader operational model across domains.

A new era for security operationsSecurity in Cisco Cloud Control with AI Canvas is about bringing security work into the same operating model the rest of IT needs: unified context, governed action, and collaboration between people and AI agents.

And with Security in Cisco Cloud Control with AI Canvas, that new operating model is here.

That gap is exactly why Cisco Talos is expanding its threat hunting program.

The Cisco Talos Threat Hunting program takes this expansive context and mixes it with their deep knowledge of Cisco products and security processes to help keep you secure.

The program uniquely offers threat hunting capabilities across three Cisco products.

With reporting and communication directly from the Cisco Talos Threat Hunting team, a true partnership builds over time to strengthen awareness of your organization’s environment and the skill sets required to address complex threats.

If that gap is one you’re thinking about, it’s worth a conversation with your Cisco account team, or further exploring what’s pos…

That is why Cisco is bringing richer product telemetry into Splunk, along with the detections and correlation needed to make that telemetry useful.

Now, in its latest software release, Cisco Firewall introduces a native advanced logging capability, giving customers detailed, structured logs for richer protocol-level detail.

This is where the combination of Cisco telemetry and Splunk analytics becomes especially valuable.

Together, these signals help analysts connect workload behavior to network behavior, investigate with confidence, and respond faster.

To multiply this advantage, check out the advanced threat detection, investigation, and response with Cisco Firewall Promotional Splunk Capa…

Cisco Secure Access provides the foundation with zero trust network access, ensuring that only authenticated users on trusted devices can connect to the appropriate private applications.

Extending Zero Trust to Where Work HappensTraditional zero trust architectures are built around a simple principle: verify identity and device posture before granting access.

With Cisco Secure Access and Island, organizations can enforce policies not only at the point of access, but also throughout the user session.

Behind the scenes, device posture is evaluated in real time and shared with Cisco Secure Access, which determines whether access should be granted.

By combining zero trust access with browser-na…

But as they deploy Cisco Secure Access to protect web and cloud traffic, they face a familiar challenge: policy fragmentation.

Cisco Secure Access + Microsoft Purview: Integrated, Consistent ProtectionCisco is excited to announce a new phase in our collaboration with Microsoft—bringing Purview’s robust data classification and data loss prevention capabilities directly into Cisco Secure Access.

As one of the early partners in this Purview ecosystem initiative, Cisco Secure Access will extend the enforcement of Purview data loss prevention policies to web traffic.

Apply trusted policies from Purview to web traffic managed by Cisco Secure Access, ensuring consistent protection across email, en…

We are excited to announce advanced enterprise browser integration between Cisco Secure Access and Microsoft Edge for Business, designed to enhance data security and protect the use of AI in modern organizations.

Seamless and Secure Enterprise Browser ExperienceThis integration brings together Cisco’s Secure Access (SSE) platform with Edge for Business, delivering a unified solution that enables secure, zero-trust access to private applications directly through the enterprise browser.

Key Benefits for IT and Security TeamsThe integration of Microsoft Edge for Business and Cisco Secure Access delivers data protection at the browser and network layers.

Enhanced Data Security with Cisco DLP In…

Instead of asking what happens when segmentation succeeds, let’s ask: why do so many segmentation projects fail.

That question is the focus of the newly released Cisco 2026 Segmentation Report, which draws on a survey of 400 failed segmentation projects at U.S.-based organizations with 500 or more employees.

Four Patterns of FailureWhen we evaluated each failed project against twelve factors spanning general IT project management and segmentation-specific challenges, four distinct failure patterns emerged:Perfect Storm (50%).

Where the Failures ConcentrateNot all segmentation projects are equally risky.

Read the Full ReportThe full 2026 Cisco Segmentation Report goes deeper into each failur…

As the cybersecurity landscape rapidly evolves, driven by groundbreaking advancements in artificial intelligence (AI), Cisco is adapting its vulnerability disclosure practices to meet the challenges and opportunities presented by these technologies.

These AI capabilities enable unprecedented speed and scale in identifying security issues, while also allowing network defenders to continuously evolve to address emerging threats.

At the same time, we recognize that adversaries will also take advantage of these evolving AI capabilities, increasing the urgency and complexity of cybersecurity defense.

Our public facing Security Vulnerability Policy (SVP) describes our process in detail including …

Two capabilities now available for Cisco Secure Email Gateway address exactly this gap: Remote Browser Isolation (RBI) and Content Disarm and Reconstruction (CDR).

How RBI and CDR fit into Cisco Secure Email GatewayAdding RBI and CDR to the gateway means organizations no longer depend on perfect threat identification at the moment of delivery.

A more resilient email layerModern secure email gateways are no longer only about keeping bad messages out.

RBI and CDR are available as add-on licenses to Cisco Secure Email Gateway.

Ask a question and stay connected with Cisco Security on social media.

Defining the inconsistency problem in AI reportingVarious types of inconsistencies in AI output frequently diminish the efficiency gains that AI reporting processes promise to deliver.

This unpredictability is problematic for professional environments where standardized layouts, such as consistent executive summaries or recommendation sections, are essential for quality control.

This unpredictability is problematic for professional environments where standardized layouts, such as consistent executive summaries or recommendation sections, are essential for quality control.

Input quality control: Unsurprisingly, we found that input quality determines output quality.

Unsurprisingly, we found t…

It identified novel failure modes unique to agentic systems (agent compromise, injection, impersonation, flow manipulation) alongside existing failure modes materially amplified in agentic contexts (memory poisoning, cross-domain prompt injection, human-in-the-loop bypass).

Agentic systems consume plugin registries, MCP servers, prompt templates, and third-party tool integrations, each a new supply chain ingestion point.

In agentic systems, it exposes operational primitives and turns black-box probing into a white-box exploit path.

Operational findings: What red teaming showedTwelve months of engagements against deployed agentic systems produced several consistent patterns.

Zero-click HitL …

The malware then executes the payload via Bun, creating an unusual process chain (node → shell → bun → payload) designed to evade Node-focused monitoring and detections.

Use Microsoft Defender XDR to investigate suspicious activity across endpoints, identities, cloud apps, and developer environments.

Microsoft Defender XDR detectionsMicrosoft Defender XDR customers can refer to the list of applicable detections below.

Microsoft Defender XDR detectionsMicrosoft Defender XDR customers can refer to the list of applicable detections below.

Advanced huntingThe following KQL queries can be used in Microsoft Defender XDR Advanced Hunting to identify potential exposure to this supply-chain compromi…

The new Microsoft Security multi-model agentic scanning harness (codename MDASH) is available in an expanded preview for eligible organizations and now includes integration with Microsoft Defender.

Build secure agents from day oneAt Build 2026, Microsoft is introducing new capabilities to help developers build secure, enterprise-ready agents by default.

The registry supports more than 20 types of local agents, including coding agents, AI desktop applications, and both local and remote Model Context Protocol (MCP) servers.

Trust agents with your dataDevelopers also need direct, real-time insight into data security posture and risk signals associated with the agents they build.

Also, follow u…

Inflated version numbersmr.4nd3r50n uses version 100.100.100, an absurdly high version number designed to win npm’s server resolution against any real internal package version.

Review npm package lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml), build logs, and artifact provenance for evidence of compromised package versions.

Use Microsoft Defender XDR to investigate suspicious activity across endpoints, identities, cloud apps, and developer environments.

Microsoft Defender XDR Threat analyticsMicrosoft Defender XDR customers can reference the Threat analytics report for this campaign in the Microsoft Defender portal at https://security.microsoft.com/threatanalytics3 for the latest …

As threats become more coordinated and faster to execute, endpoint protection has become the proving ground for modern defense.

For the seventh consecutive time, Microsoft has been named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection.

Learn moreIf you’re not yet taking advantage of Microsoft’s leading endpoint security solution, visit Microsoft Defender for Endpoint and start a free trial today to evaluate our leading endpoint protection platform.

Gartner, Magic Quadrant for Endpoint Protection, Deepak Mishra, Evgeny Mirolyubov, Nikul Patel, 26 May 2026.

Gartner research publications consist of the opinions of Gartner’s research organization and should not be construe…

Microsoft has identified an active supply chain attack targeting the npm package ecosystem.

Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from the host environment.

Review npm package lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml), build logs, and artifact provenance for evidence of compromised package versions.

How Microsoft Defender helpsMicrosoft Defender Antivirus detects and blocks the malicious components on access.

Microsoft Defender XDR DetectionsMicrosoft Defender XDR customers can refer to the list of applicable detections below.

Microsoft has identified an active supply chain attack targeting the npm package ecosystem.

Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from the host environment.

Review npm package lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml), build logs, and artifact provenance for evidence of compromised package versions.

How Microsoft Defender helpsMicrosoft Defender Antivirus detects and blocks the malicious components on access.

Microsoft Defender XDR DetectionsMicrosoft Defender XDR customers can refer to the list of applicable detections below.

Microsoft has observed The Gentlemen ransomware impacting organizations across education, transportation, healthcare, and financial industries in North America, South America, Europe, Africa, and Asia.

In this blog, we present a detailed analysis of the Gentlemen ransomware encryptor, including its execution flow, defense evasion behaviors, encryption design, and lateral movement techniques.

Identification: The GENTLEMEN marker, located after -- marker -- , serves as a unique identifier, allowing encryptors/decryptors to quickly determine that the file has been encrypted by The Gentlemen ransomware.

Free space wipeIf the -- wipe argument is provided, The Gentlemen ransomware performs an add…

Microsoft has observed The Gentlemen ransomware impacting organizations across education, transportation, healthcare, and financial industries in North America, South America, Europe, Africa, and Asia.

In this blog, we present a detailed analysis of the Gentlemen ransomware encryptor, including its execution flow, defense evasion behaviors, encryption design, and lateral movement techniques.

Identification: The GENTLEMEN marker, located after -- marker -- , serves as a unique identifier, allowing encryptors/decryptors to quickly determine that the file has been encrypted by The Gentlemen ransomware.

Free space wipeIf the -- wipe argument is provided, The Gentlemen ransomware performs an add…

DLL sideloading and silent installation of ScreenConnect softwareThe downloaded ZIP archive contains the legitimate executable for the spoofed utility alongside a malicious DLL named autorun.dll.

The malicious DLL uses msiexec.exe to silently install a second malicious DLL named vcredist_x64.dll, named to masquerade as the Visual C++ Redistributable.

]com:8443/ws URL C2 from hollowed binaryReferencesThis research is provided by Microsoft Defender Security Research with contributions from Parasharan Raghavan and members of Microsoft Threat Intelligence.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blo…

DLL sideloading and silent installation of ScreenConnect softwareThe downloaded ZIP archive contains the legitimate executable for the spoofed utility alongside a malicious DLL named autorun.dll.

The malicious DLL uses msiexec.exe to silently install a second malicious DLL named vcredist_x64.dll, named to masquerade as the Visual C++ Redistributable.

]com:8443/ws URL C2 from hollowed binaryReferencesThis research is provided by Microsoft Defender Security Research with contributions from Parasharan Raghavan and members of Microsoft Threat Intelligence.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blo…

We’re pleased to share that Microsoft has been recognized as a Leader in The Forrester Wave™: Workforce Identity Security Platforms, Q2 2026, receiving the highest scores in both the current offering and strategy categories.

The Forrester Wave™: Workforce Identity Security Platforms, Q2 2026.

Forrester noted Microsoft strengths in identity threat detection and response (ITDR), access control, phishing-resistant authentication, and identity verification.

An Access Fabric brings together identity signals, access policies, and security workflows into a continuous loop.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Multi-stage Linux intrusion via F5 and Confluence – Threat actor activities.

In this incident, the threat actor authenticated to a Linux server over SSH using a privileged account.

The threat actor used gowitness to perform a detailed reconnaissance of the HTTP/HTTPS services identified in the previous scan.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

Multi-stage Linux intrusion via F5 and Confluence – Threat actor activities.

In this incident, the threat actor authenticated to a Linux server over SSH using a privileged account.

The threat actor used gowitness to perform a detailed reconnaissance of the HTTP/HTTPS services identified in the previous scan.

Learn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Microsoft Threat Intelligence community about the ever-evolving threat landscape, listen to the Microsoft Threat Intelligence podcast.

Here, threat actors may simply seed prompt injections on websites in hope of corrupting AI systems that browse them.

Early experiments revealed a significant volume of "benign" prompt injection text, which illustrates the complexity of distinguishing between functional threats and harmless content.

Many prompt injections were found in research papers, educational blog posts, or security articles discussing this very topic.

(Source: GitHub/swisskyrepo)When searching for prompt injections naively, the majority of detections are benign content – false positives in our case.

Malicious: ExfiltrationWe were able to observe a small number of prompt injections that aim at theft of data.

Recognizing the risks associated within the complex modem firmware, Pixel 9 shipped with mitigations against a range of memory-safety vulnerabilities.

Following our previous discussion on "Deploying Rust in Existing Firmware Codebases", this post shares a concrete application: integrating a memory-safe Rust DNS(Domain Name System) parser into the modem firmware.

Hook-up Rust to modem firmwareBefore building the Rust DNS library, we defined several Rust unit tests to cover basic arithmetic, dynamic allocations, and FFI to verify the integration of Rust with the existing modem firmware code base.

Pixel modem firmware already has a well-tested and specialized global memory allocation system to…

This project represents a significant step forward in our ongoing efforts to combat session theft, which remains a prevalent threat in the modern security landscape.

Session theft typically occurs when a user inadvertently downloads malware onto their device.

Once active, the malware can silently extract existing session cookies from the browser or wait for the user to log in to new accounts, before exfiltrating these tokens to an attacker-controlled server.

How DBSC WorksDBSC protects against session theft by cryptographically binding authentication sessions to a specific device.

The issuance of new short-lived session cookies is contingent upon Chrome proving possession of the correspondi…

Staying ahead of the latest indirect prompt injection attacks is critical to our mission of securing Workspace with Gemini.

In our previous blog “Mitigating prompt injection attacks with a layered defense strategy”, we reviewed the layered architecture of our IPI defenses.

Synthetic data generationAfter we discover, curate, and catalog new attacks, we use Simula to generate synthetic data expanding these new attacks.

We partition the synthetic data described above into separate training and validation sets to ensure performance is evaluated against held-out examples.

This process leverages the newly generated synthetic attack data described on this blog, to create a robust, end-to-end evalu…

2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary 🎉🎉🎉!

Coming back to 2025 specifically, our VRP once again confirmed the ongoing value of engaging with the external security research community to make Google and its products safer.

Vulnerability Reward Program 2025 in NumbersWant to learn more about who’s reporting to the VRP?

Tip: Want to be informed of new developments and events around our Vulnerability Reward Program?

Follow the Google VRP channel on X to stay in the loop and be sure to check out the Security Engineering blog, which covers topics ranging from VRP updates to security practices and vulnerability des…

To stay ahead of the curve, the technology industry must undertake a proactive, multi-year migration to Post-Quantum Cryptography (PQC).

To bring these critical protections to the wider developer community with minimal friction, the transition will be supported through Play App Signing.

Play App Signing leverages Google Cloud KMS, which helps ensure industry-leading compliance standards, to secure signing keys.

Empower Developers : The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and application.

: The inclusion of ML-DSA support within Android Keystore and Play App Signing allows developers to safeguard their users and …

Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers.

Instead, Chrome, in collaboration with other partners, is developing an evolution of HTTPS certificates based on Merkle Tree Certificates (MTCs), currently in development in the PLANTS working group.

Since MTC technology shares significant architectural similarities with CT, these operators are uniquely qualified to ensure MTCs are able to get off the ground quickly and successfully.

The Chrome Quantum-resistant Root Program will operate alongside our existing Chrome Root Program to ensure a risk-managed transition that maintains the highest levels of security for all users.

First, we…

For Majik, Scam Detection was the intervention he needed: “The warning is what made me pause and avoid a bad situation”.

As scammers evolve their tactics and create more convincing and personalized threats, we’re using the best of Google AI to stay one step ahead.

Expanding Scam Detection for Calls to Samsung DevicesTo help protect you during phone calls, Scam Detection alerts you if a caller uses speech patterns commonly associated with fraud.

Scam Detection for phone calls on Google Pixel devices is available in the U.S., Australia, Canada, India, Ireland, and the UK.

Powered by Gemini’s on-device model, Scam Detection provides intelligent protection against scam calls while ensuring that…

Upgrading Google Play’s AI-powered, multi-layered user protectionsWe’ve seen a clear impact from these safety efforts on Google Play.

As Android’s built-in defense against malware and unwanted software, Google Play Protect now scans over 350 billion Android apps daily.

This proactive protection constantly checks both Play apps and those from other sources to ensure they are not potentially harmful.

Looking aheadOur top priority remains making Google Play and Android the most trusted app ecosystems for everyone.

Thank you for being part of the Google Play and Android community as we work together to build a safer app ecosystem.

That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt.

Today, we're announcing a powerful set of theft protection feature updates that build on our existing protections, designed to give you greater peace of mind by making your device a much harder target for criminals.

These updates are now available for Android devices running Android 16+.

More User Control for Failed Authentications: In Android 15, we launched Failed Authentication Lock, a feature that automatically locks the device's screen after excessive failed authentication attempts.

This feature is now getting a new dedicated enable/disable toggle in settings,…

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.