Positive Technologies представила мартовский дайджест трендовых уязвимостей.

Российский кибербез превращается в закрытый клуб для гигантов.

Прощай, отец Quicksort и null, без которого современной разработки не было бы.

Telegram стал раем для цифровых воришек.

Как крупнейшие ИТ-сервисы России адаптируются к работе без интернета.

Зачем строить научные центры за миллиарды, если есть REBCO?

ФБР подтвердило факт утечки данных из лаборатории цифровой криминалистики в Нью-Йорке.

Что получится, если миллиардер с мировым влиянием решит умножить классическое IT на ноль?

Зачем писать сложный код, если есть AnyDesk?

Встречайте Copilot Health: ваш личный врач прямо в браузере.

Почему настойчивость разработчиков превращает алгоритмы в преступников.

Илья Шабанов обозначил 3 ключевых тенденции, подталкивающих рынок к переходу на тонкие клиенты: безопасность, централизованное управление и развитие удалённой работы с филиальной сетью.

Какую главную выгоду вы видите в переходе на тонкие клиенты в связке с VDI?

Достигать полного замещения текущей инфраструктуры тонкими клиентами не только невозможно, но и не нужно.

Финальный опрос показал, насколько зрители готовы перевести рабочие места на тонкие клиенты и VDI после эфира:Уже переводят и будут наращивать их применение — 32 %.

Насколько вы готовы перевести рабочие места на тонкие клиенты и VDI после эфира?

Что такое психологический OSINT и как он применяется для защиты криптовалютПсихологический OSINT — это междисциплинарный метод анализа, который сочетает поведенческую психологию, цифровую криминалистику и разведку по открытым источникам.

Психологический OSINT в таких условиях изучает цифровой «почерк» субъекта: структуру фраз, лексику, эмоциональную окраску сообщений, временные интервалы активности, маршруты движения средств, частоту и последовательность операций.

Психологический OSINT помогает объединить цифровые и поведенческие данные, что создаёт целостное представление о действиях и мотивации субъекта и повышает эффективность расследований и стратегий защиты.

Транзакции как индикаторы: …

Дмитрий Беляев напомнил, что многие компании начинают работать с TI с бесплатных источников.

Прежде всего он предлагает расширить привычное представление о Threat Intelligence: разведка полезна не только для обнаружения атак, но и для их предотвращения.

Евгений Чунихин: «Купить TI и не пользоваться им, отсутствие компетенций и экспертизы в области киберразведки».

Какие изменения в атаках сильнее всего меняют требования к TI в 2026 году?

Поэтому эксперты рекомендуют относиться к ним либо как к временному учебному пособию, либо как к дополнению к платным решениям, но не как к полноценной замене профессиональной киберразведке.

Рассказываем о текущем состоянии рынка корпоративных систем сквозного (единого) входа — Enterprise Single Sign-On, ESSO — в России и мире.

ВведениеРешение многих задач и в обычной жизни, и в рабочей среде требует авторизации, т. е. выдачи прав на совершение каких-то действий в информационной системе.

Сквозной вход (Single Sign-On, SSO): что это, как работает и чем полезноТермин Single Sign-On (SSO) обычно переводят как «сквозной вход» или «единый вход».

Системы класса Enterprise Single Sign-On основаны на тех же принципах, что и обычные механизмы SSO.

Вполне вероятно, что и российский сегмент последует за ним — особенно если учесть потребность в замене иностранных разработок, равно как и не…

Компания РЕД СОФТ открыла совместную с Университетом МИСИС лабораторию, ориентированную на подготовку специалистов по отечественным ИТ-решениям.

Университеты становятся крупными узлами в инфраструктуре отечественного ПО, через которые решения закрепляются в профессиональной практике будущих специалистов и на рынке.

Представители университета и компании на открытии лабораторииТак, лаборатория в Университете МИСИС оснащена 30 рабочими местами с предустановленным программным обеспечением компании и интегрирована в образовательный процесс университета.

«Уральская Сталь» движется в этом направлении, и впереди у нас масштабные проекты, в том числе совместно с НИТУ МИСИС и компанией РЕД СОФТ.

На Р…

И хотя отечественный рынок растёт двузначными темпами, многие компании всё ещё опасаются переходить на российские решения.

В эфире АМ Live ведущие специалисты поделились взглядами на то, что мешает компаниям внедрить отечественные системы и как преодолеть эти страхи.

Но, несмотря на быстрый рост рынка, многие компании всё ещё опасаются переходить на отечественный стек технологий.

Создание собственной инфраструктуры завязывает её на конкретных людях в компании, уход которых может нарушить функционирование системы.

И сейчас главное — понять не только почему компании боятся переходить на отечественную инфраструктуру, но и какие условия следует выполнить, чтобы они могли ей доверять.

Сложность отнесения ПАКов к категории доверенных наблюдается не только на стороне заказчиков, но и регуляторов, и вендоров.

Для объектов КИИ, относящихся к научным организациям, здравоохранению и т. д., такого «доверия» в целом оказалось достаточно.

Но если не учитывать, что реализовать на практике эти требования на текущий момент часто не удаётся и приходится идти на «допущения».

«Эту проблему надо как-то решать, и в нашей организации знают, как это сделать», — отметил Алексей Симонов (НПО «Критические информационные системы», входит в состав «Росатома»).

Но в Минпромторге считают, что для достижения технологического суверенитета модель доверия необходимо развивать.

Причём это не только про инфраструктуру, но и про процессы и людей вокруг неё: учёт ресурсов, правильные регламенты, то, как передаются изменения, и многое другое».

Всё это должно быть покрыто единой системой управления, которая работает и с виртуальными, и с физическими ресурсами.

Вячеслав Самарин: «Динамическая инфраструктура — это и техника, и культура, и процессы, и технологии.

Павел Лавров предлагает рассматривать универсальную модель, которая помогает упростить понимание того, из каких слоёв состоит динамическая инфраструктура и на каком этапе находится конкретная компания.

Архитектура динамической инфраструктуры от Cloud.ruРуслан Иванов показал, как выглядит динамическая инфраструкту…

ВведениеЦифровизация в России давно закреплена в стратегических документах государства и в ИТ-стратегиях крупных компаний.

Эта типология позволяет системно рассматривать мобильность не как набор частных кейсов, а как архитектурный выбор.

Такая модель формируется не как осознанная стратегия, а как результат быстрого роста операционных задач при недостаточной зрелости процессов управления.

При этом для процессов с персональными данными или электронной подписью используются корпоративные устройства, а для вспомогательных операций допускается использование личных смартфонов.

Перенос приложений связан не только с переработкой кода и тестированием, но и с пересборкой значительной части инфраструк…

APT-группы активно используют уязвимости в системах управления идентификацией и привилегированным доступом (IAM и PAM), делая кражу учётных данных основным способом проникновения.

Они применяют вишинг, поддельные звонки от имени руководителей (FakeBoss, FakeTeam) и атаки через подрядчиков.

Использование слабых методов MFA (MFA Fatigue и SIM-своппинг)Push-уведомления без подтверждения номером, СМС-коды и одноразовые пароли создают опасную иллюзию безопасности.

APT-группа и её атаки: Scattered Spider (MFA Fatigue и SIM-своппинг)Описанная ранее группировка Scattered Spider активно применяет MFA Fatigue.

Такие учётные записи часто создаются один раз и затем забываются: доступ не пересматриваетс…

🔒 Security CheckPlease wait while we verify your browser...

Эксперты рынка обсудили, как применять ML и AI на практике, измерять результат внедрения и не совершать типичных ошибок.

При этом эксперт уверен, что ИИ действительно приносит пользу и обеспечивает большую прозрачность в различных процессах — как в работе SOC, так и в задачах инфраструктурной безопасности, и в продуктах защиты.

Исходя из этого, внедрять нужно именно те технологии, которые помогут решить эти конкретные задачи, а не ИИ ради ИИ.

Во втором опросе выяснилось, что в первую очередь ограничивает зрителей от более широкого применения ML/AI в кибербезопасности:Нехватка компетенций внутри команды — 24 %.

Пока не верят в применимость ИИ в кибербезопасности — 11 %.

В MULTIDIRECTORY реализовано два механизма такой интеграции:двусторонние доверительные отношения типа Realmоднонаправленное проксирование LDAP-запросов (LDAP-Forward)Эти механизмы решают разные задачи и используются в разных архитектурных сценариях.

В MULTIDIRECTORY для этого используется механизм DNS Forwarding, который позволяет пересылать DNS-запросы между доменами и упрощает обнаружение сервисов в удалённых каталогах.

Настройка доверия доменовНастройка доверительных отношений выполняется через административный интерфейс MULTIDIRECTORY в разделе «Домены и доверие».

Планы развития доверительных отношений в MULTIDIRECTORYВ ближайшем обновлении в MULTIDIRECTORY появится расширенная поддержк…

Устройство (бокс) должно уметь предоставить удалённому узлу подписанный Apple «аттестат», подтверждающий, что на устройстве запущено приложение с конкретным хешем бинарника.

Задачку закинули в ТГ-канал, Сетку, не совсем разрешенный Линкедин и на Хабр, а также понесли по знакомым и чатикам проф.

Ответ: у удалённого узла нет гарантии, что он общается именно с нужным процессом и что он не был подменен.

Сервер проверяет, что перед ним действительно доверенный Mac, что ответ подписан hardware-bound ключом именно этого Mac, и что приложение заявило разрешенный cdhash.

это нельзя проверить и что «компания» вложит при создании каждого устройства - вопрос, это не получится вынести на кибериспытания.

На его примере мы покажем, как применять фаззинг к chaincode (смарт-контрактам в терминологии Fabric), формулировать инварианты и строить воспроизводимый процесс запусков и анализа покрытия.

Подробнее о Hyperledger FabricHyperledger Fabric — это permissioned-блокчейн-сеть (сеть с разрешенным доступом) с разделением ролей и сервисов (обзор chaincode).

Для ACL удобно фиксировать каждое свойство в форме: предусловие → ожидаемое поведение → оракул ( assertion в тесте).

Привилегированные write-методы ( AddRights , AddUser ) без прав администратора должны завершаться отказом и не менять состояние: проверяем класс ошибки и validateStateChanges(..., []string{} ).

Этот таргет хорошо показывает, что …

В этой статье разберём, что это такое архитектурно, как работает изнутри и в каких сценариях это имеет практический смысл.

Management plane при этом остаётся общим и в контексты не входит.

Два типа контекстов: классический и высокопроизводительныйВиртуальные контексты в Ideco NGFW реализованы в двух вариантах.

Схема показывает, как общие сервисы в Management plane обслуживают несколько NGFW и их VCE, и фиксирует ограничение: перегрузка ClickHouse влияет на отчётность, но не на трафик.

Схема показывает, как кластер NGFW и отдельный NGFW представлены в Ideco Center: каждый VCE виден как отдельная сущность, контексты группируются под общие политики.

100 000 итераций PBKDF2, которые использовались в первой версии, уже не соответствуют актуальным рекомендациям (OWASP рекомендует от 600 000 для SHA-256).

Сохранение:Полученный файл отправляется на сервер через POST-запрос и сохраняется в соответствующую директорию.

Количество итераций увеличено с 100 000 до 600 000.

длина имени файла 64 КБ Поддерживаемые форматы любые Итерации PBKDF2 600 000 AES-256-GCM ~50 МБ/с Простые слои ~200 МБ/с Время запуска < 2 сПринцип работыВсё крутится на локальном Flask-сервере, который поднимается при запуске.

Ключи из пароля выводятся через PBKDF2 с 600 тысячами итераций — это основная защита от перебора.

Ведь чем больше сервисов размещается в ЦОД, тем выше потенциальный ущерб от их недоступности.

В статье мы разберем три распространенные схемы интеграции локального комплекса в инфраструктуру ЦОД, уделив особое внимание архитектурным требованиям ЦОД.

Архитектура и требования к ЦОДНеправильно было бы говорить про схемы интеграции защитных комплексов, не коснувшись вопроса архитектуры ЦОД.

Схемы интеграции локального комплекса Anti-DDoSСуществует несколько логических схем интеграции локального комплекса Anti-DDoS в сетевую инфраструктуру:«в разрыв» uplink-каналов ;«out-of-path» или «сбоку» (в большинстве случаев с использованием схемы с BGP-ответвлением);гибридная схема с использованием вышеук…

На данный момент в России представлены производители Netams, Газинформсервис (GIS), DECK, а также Axel PRO и Eltex, недавно выпустившие свои решения.

Efros эту сертификацию получил, и для ряда госкомпаний, это стало решающим аргументом в пользу продукта.

Решения от Axel PRO и Eltex и не так давно появились на рынке и уже выпустили полноценные релизы.

Вендоры не просто копируют старый функционал, а создают новые сценарии, оглядываясь друг на друга и на запросы заказчиков.

Обсудим, как в новых реалиях строить и управлять сетевой инфраструктурой, разберем кейсы, поговорим с вендорами и заглянем в нашу техническую лабораторию.

В чем суть:при обработке входящих запросов к серверу с заголовком Content-Encoding: gzip и сжатым содержимым, в некоторых случаях происходит утечка памяти.

Зона рискаХотя проблема затрагивает только 12ю версию Jetty, но зато все релизы с 2023 года и по март 2026го, страшные красные плашки на артефактах вот тут не дадут соврать.

Но есть что-то и хорошее во всем этом бесконечном мраке ужаса и отчаяния:обработка сжатых запросов и ответов по-умолчанию выключена и требует отдельной настройки.

Если в вашем проекте Jetty используется в виде зависимости, вроде:Достаточно лишь изменить версию на исправленную и обновиться.

Spring Boot активно использует Jetty в качестве одного из главных сервлет-конт…

Выбор решенийЕстественно для автоматизации управления инфраструктурой на базе Linux - золотым стандартом является давно зарекомендовавший себя в сообществе Ansible.

Но используя любой подобный оркестратор мы повышаем риски по ИБ, поскольку появляется новая точка для потенциальной централизованной компрометации инфраструктуры и закрепления в ней.

необходимо применять не только харденинг ОС и наложенные средства защиты и мониторинга, но и защитить учётные данные от утечки.

Именно по этому, наперекор всем кустарным системным администратором, было принято волевое решение - убрать все учётные данные в HashiCorp Vault.

Надеюсь что данный плейбук сможет сэкономить Вам львиную долю времени на дейст…

Вторая группа, физически отгороженная от первой и не имеющая доступа к исходным текстам, пишет код с нуля на базе составленного технического задания.

Юридическая база столетней давности в сочетании с машинным обучением превращает авторское право из непреодолимой защиты сообщества разработчиков открытого кода в формальность, которую легко автоматизировать.

По оценке создателей сервиса, среднестатистическая корпорация со штатом более пятисот инженеров ежегодно тратит около четырех миллионов долларов на управление рисками открытого кода.

В такой парадигме использование открытого исходного кода становится для корпораций непредсказуемой структурной уязвимостью.

Платформа Malus предлагает решить …

DNS TXT-записи решают эту проблему не через обход блокировок, а через выбор канала который блокировать политически сложно.

Защита конфига от чужих глазTXT-запись публична — любой может сделать dig TXT и прочитать конфиг.

# encrypted кладём в TXT # На клиенте config = f.decrypt(txt_value).decode()Двухшаговая доставка.

DNS TXT в этом контексте — менее популярная но более независимая альтернатива: не требует Telegram, не зависит от мессенджера который сам может быть заблокирован.

Сам по себе он не делает соединение более стойким к детекции и не меняет протокол туннеля.

При этом инструмент не требует установки и работает прямо в браузере, хотя при необходимости его можно скачать и использовать локально.

Такой подход превращает инструмент в своего рода интерактивный конвейер обработки.

А в CyberChef можно такОсобенно полезной оказывается ситуация, когда формат данных неизвестен.

Для таких случаев в CyberChef есть операция Magic, которая пытается автоматически определить возможные кодировки.

У инструмента сотни операций и довольно широкий спектр сценариев применения - от повседневных задач разработчиков до анализа вредоносного ПО и расследования инцидентов.

Что конкретно изменилось, как это устроено на уровне алгоритмов — и почему XHTTP сейчас выглядит как правильный следующий шаг.

JA3/JA4: почему «fingerprint: chrome» — это не опция, это необходимостьЧтобы понять масштаб проблемы — небольшой эксперимент.

Это не «похоже на Chrome» — это Chrome.

DPI-система делает активное зондирование, получает сертификат, смотрит на ASN и IP-адрес сертификата — и видит что это не iCloud и не Spotify.

Три режима XHTTP: какой когда использоватьРежимов три, и это важно понимать перед тем как трогать конфиг.

И что, все усилия, которые я и команда вкладывали ежедневно на протяжении 3,5 лет, оказались… напрасны?

И всё это рухнуло...23 июля, находясь в отпуске в другой стране, я зашла в свой аккаунт и меня неожиданно перекинуло на проверку, что я не робот.

Но сдаваться не в моих правилах - у меня внутри живёт воин, который готов сражаться до самого конца.

Моё, пока ещё, вежливое письмо...Ответ был тот же: «Ограничение доступа к вашему профилю является постоянным и не будет снято».

🤪 Правда сначала мне вернули всего 18 тысяч подписчиков, а на другой день их уже было 22+ тысячи.

Правоохранительные органы США и Европы, совместно с партнерами из частного сектора, закрыли прокси-сервис SocksEscort, который был построен на базе устройств, зараженных Linux-малварью AVRecon.

Впервые исследователи задокументировали SocksEscort еще в 2023 году, однако в общей сложности сервис функционировал более десяти лет.

«С лета 2020 года SocksEscort продал доступ примерно к 369 000 различных IP-адресов, — говорится в пресс-релизе Минюста.

Кроме того, в США заморозили 3,5 млн долларов в криптовалюте, связанные с SocksEscort.

Более половины пострадавших устройств находились в США и Великобритании.

Аналитики «Лаборатории Касперского» изучили активность хак-группы Toy Ghouls, которая с начала 2025 года шифрует данные российских компаний из сферы промышленности, строительства, производства и телекоммуникаций.

Эксперты рассказывают, что Toy Ghouls — это финансово мотивированная группировка, которая не разрабатывает собственных инструментов и полагается исключительно на общедоступные утилиты и утекшие исходники чужих вредоносов.

Для шифрования машин под управлением Windows Toy Ghouls применяют шифровальщики RedAlert и LockBit 3.0 (на основе слитого билдера), а в Unix-системах и на NAS-хранилищах используют Babuk, написанный на Go.

Разведку Toy Ghouls проводят с помощью SoftPerfect Network…

В опубликованном в WeChat предупреждении специалисты CERT перечислили основные угрозы, связанные с OpenClaw: злоумышленники могут атаковать инструмент, встраивая вредоносные инструкции в веб-страницы, а отравленные skills для ИИ-агента могут подвергать пользователей риску.

Кроме того, в CERT напоминают, что в OpenClaw уже нашли ряд серьезных уязвимостей, которые приводят к краже учетных данных и открывают дорогу для дальнейших атак.

В качестве мер защиты CERT рекомендует изолировать OpenClaw в контейнере, закрыть порт управления от доступа через интернет, настроить строгую аутентификацию и контроль доступа, а также отключить автоматические обновления и ограничить установку плагинов.

Следует…

ИБ-исследователь Крис Азиз (Chris Aziz) из компании Bombadil Systems разработал и продемонстрировал технику атак под названием Zombie ZIP, которая позволяет скрывать вредоносные нагрузки в ZIP-архивах таким образом, что их не замечают антивирусы и EDR.

Специалист объясняет, что суть атаки заключается в манипуляции с заголовками файла ZIP.

В поле Method выставляется значение 0 (STORED), то есть «данные не сжаты».

При этом стандартные утилиты вроде WinRAR, 7-Zip или unzip при попытке распаковать такой архив сообщают об ошибке или извлекают поврежденные данные.

При этом подчеркивается, что некоторые инструменты для распаковки все же могут корректно обрабатывать такие «зомби-архивы».

Разработчик из Мексики рассказал на Reddit, что его компания получила счет на более чем 82 000 долларов США после того, как неизвестные злоумышленники похитили API-ключ Google Gemini и за 48 часов израсходовали весь лимит.

Компрометация ключа произошла между 11 и 12 февраля, и за это время атакующие потратили 82 314 долларов, в основном используя модели Gemini 3 Pro Image и Gemini 3 Pro Text.

Обнаружив проблему, разработчик отозвал скомпрометированный ключ, отключил Gemini API, сменил все учетные данные и обратился в поддержку Google.

Так как обычно стартап из трех человек тратил на API около 180 долларов в месяц, расходы выросли примерно на 46 000%.

Проблема в том, что эти ключи теперь исп…

Се­год­ня мы раз­берем­ся с одним из самых неп­рият­ных .NET-обфуска­торов — Eazfuscator.NET, который защища­ет код не толь­ко шиф­ровани­ем строк и запуты­вани­ем control flow, но и пол­ноцен­ной вир­туаль­ной машиной.

Добыва­ем код из ConfuserEx без готовых деоб­фуска­торов» тебе не надо­ели .NET-обфуска­торы, сегод­ня мы перей­дем к обсужде­нию еще более злов­редно­го пред­ста­вите­ля это­го семей­ства — Eazfuscator.NET.

Разуме­ется, это чер­тов­ски замед­ляет работу при­ложе­ния, одна­ко на что не пой­дешь ради при­ват­ности кода?

Так что не будем отвле­кать­ся на эту тему — решению нашей задачи она помога­ет лишь опос­редован­но.

И сно­ва при­ятная неожи­дан­ность: нам не при­дет­ся са…

Самый высокий балл в этом месяце — 9,8 балла по шкале CVSS — получила критическая RCE-уязвимость CVE-2026-21536 в Microsoft Devices Pricing Program.

Также отдельного внимания заслуживают две RCE-уязвимости в Microsoft Office (CVE-2026-26110 и CVE-2026-26113), которые можно эксплуатировать через панель предварительного просмотра.

Интересна и уязвимость CVE-2026-26144 (7,5 балла по шкале CVSS) — баг раскрытия информации в Microsoft Excel, связанный с XSS.

По данным Microsoft, с помощью этой проблемы атакующий может заставить режим Copilot Agent «сливать» данные через сторонние сетевые запросы, реализуя zero-click атаку.

Кроме того, среди примечательных исправлений был патч для SSRF-уязвимости…

Международная операция, координируемая Европолом, нарушила работу Tycoon2FA — одной из крупнейших фишинговых платформ, работавших по модели фишинг-как-услуга (phishing-as-a-service, PhaaS).

Техническую часть операции возглавили специалисты компании Microsoft при поддержке коалиции из частных партнеров.

Технически Tycoon2FA представляла собой AitM-платформу: реверс-прокси перехватывал учетные данные жертв и сессионные cookie в реальном времени при атаках на пользователей Microsoft и Google.

Как пояснили в Microsoft, платформа позволяла злоумышленникам имитировать страницы входа популярных сервисов — Microsoft 365, OneDrive, Outlook, SharePoint и Gmail.

Захваченные сессионные cookie и учетные…

По состоянию на конец февраля 2026 года вредонос скомпрометировал более 10 000 устройств в России, и за две недели количество заражений выросло на 33%.

Falcon — банковский троян для Android, построенный на базе другого вредоноса — Anubis, и известный с 2021 года.

В отличие от Mamont и вредоносных сборок NFCGate, которые в первую очередь нацелены на прямую кражу средств со счетов, Falcon охотится за учетными данными: логинами, паролями и кодами двухфакторной аутентификации от более чем 30 популярных сервисов.

Среди его целей — приложения банков и госсервисов, маркетплейсы, мессенджеры, VPN, сервисы такси и бронирования и даже YouTube.

На устройствах Xiaomi малварь дополнительно отключает раз…

В настоящее время система TPMS становится обязательной для новых автомобилей в США, ЕС и ряде других стран.

Однако проблема заключается в том, что TPMS передает данные и уникальный идентификатор в открытом виде, при этом ID не меняется на протяжении всего срока службы шины.

Исследователи подчеркивают, что данные TPMS передаются без какого-либо шифрования и защитных механизмов.

По мнению специалистов, злоумышленники могут масштабировать такую систему слежки, расставив множество приемников в нужных точках.

Авторы работы призывают автопроизводителей пересмотреть подход к TPMS и отказаться от передачи данных в открытом виде.

Google on Thursday released security updates for its Chrome web browser to address two high-severity vulnerabilities that it said have been exploited in the wild.

(CVSS score: 8.8) - An out-of-bounds write vulnerability in the Skia 2D graphics library that allows a remote attacker to perform out-of-bounds memory access via a crafted HTML page.

The development comes less than a month after Google shipped fixes for a high-severity use-after-free bug in Chrome's CSS component (CVE-2026-2441, CVSS score: 8.8) that had also been exploited as a zero-day.

Google has patched a total of three actively weaponized Chrome zero-days since the start of the year.

To make sure the latest updates are instal…

Cybersecurity researchers have disclosed multiple security vulnerabilities within the Linux kernel's AppArmor module that could be exploited by unprivileged users to circumvent kernel protections, escalate to root, and undermine container isolation guarantees.

The nine confused deputy vulnerabilities have been collectively codenamed CrackArmor by the Qualys Threat Research Unit (TRU).

AppArmor is a Linux security module that provides mandatory access control (MAC) and secures the operating system against external or internal threats by preventing known and unknown application flaws from being exploited.

It has been included in the mainline Linux kernel since version 2.6.36.

"Combined with k…

A court-authorized international law enforcement operation has dismantled a criminal proxy service named SocksEscort that enslaved thousands of residential routers worldwide into a botnet for committing large-scale fraud.

SocksEscort ("socksescort[.

"To get access to the proxy service, customers had to use a payment platform that made it possible to anonymously purchase the service using cryptocurrency.

It is estimated that this payment platform received more than EUR 5 million from proxy service customers."

The proxy service is estimated to have victimized 280,000 distinct IP addresses beginning in early 2025.

Veeam has released security updates to address multiple critical vulnerabilities in its Backup & Replication software that, if successfully exploited, could result in remote code execution.

(CVSS score: 9.9) - A vulnerability that allows an authenticated domain user to perform remote code execution on the Backup Server.

CVE-2026-21667 (CVSS score: 9.9) - A vulnerability that allows an authenticated domain user to perform remote code execution on the Backup Server.

(CVSS score: 9.9) - A vulnerability that allows an authenticated domain user to perform remote code execution on the Backup Server.

(CVSS score: 9.9) - A vulnerability that allows an authenticated domain user to perform remote cod…

Cybersecurity researchers have disclosed details of a new banking malware targeting Brazilian users that's written in Rust, marking a significant departure from other known Delphi-based malware families associated with the Latin American cybercrime ecosystem.

The malware, which is designed to infect Windows systems and was first discovered last month, has been codenamed VENON by Brazilian cybersecurity company ZenoX.

VENON is distributed by means of a sophisticated infection chain that uses DLL side-loading to launch a malicious DLL.

Also extracted from the DLL are two Visual Basic Script blocks that implement a shortcut hijacking mechanism exclusively targeting the Itaú banking application…

Cybersecurity researchers have disclosed details of a suspected artificial intelligence (AI)-generated malware codenamed Slopoly put to use by a financially motivated threat actor named Hive0163.

The e-crime group is primarily associated with a wide range of malicious tools, including NodeSnake, Interlock RAT, JunkFiction loader, and Interlock ransomware.

Slopoly's discovery can be traced back to a PowerShell script that's likely deployed by means of a builder, which also established persistence via a scheduled task called "Runtime Broker."

The emergence of Slopoly adds to a growing list of AI-assisted malware, which also includes VoidLink and PromptSpy, highlighting how bad actors are usin…

For CISOs, the priority is now clear: scale phishing detection in a way that helps the SOC uncover real risk before it becomes credential theft, business interruption, and board-level fallout.

When phishing detection cannot scale, the consequences quickly reach the CISO’s desk:Stolen corporate identities: Attackers capture employee credentials and gain access to email, SaaS platforms, VPNs, and internal systems.

For CISOs, the message is clear: phishing detection must operate at the same speed and scale as the attacks themselves, or the organization will always be reacting after the damage has begun.

What a Scaled Phishing Defense Looks LikeA SOC that can handle phishing at scale behaves ve…

Another Thursday, another pile of weird security stuff that somehow happened in just seven days.

Some of the stuff in this week’s list feels a little too practical.

The kind of things that make defenders sigh because… yeah, that’ll probably work.

There’s also a bit of the usual theme: tools and features doing exactly what they were designed to do… just not for the people who built them.

Anyway — quick reads, strange ideas, and a few reminders that security problems rarely disappear… they just change shape.

When a phishing investigation takes 12 hours instead of five minutes, the outcome can shift from a contained incident to a breach.

When Phishing Volume Becomes a WeaponPhishing is often treated as a series of independent threats.

The Predictable Failure ModeThis tactic works because SOC phishing triage tends to follow a predictable pattern across organizations.

In practice, this means agentic AI architectures where distinct analytical agents handle different parts of a phishing investigation simultaneously.

Changing the Defensive EquationThe attacker's advantage in weaponizing SOC workload depends on a specific assumption: that increasing phishing volume reliably degrades defensive quality.

Apple on Wednesday backported fixes for a security flaw in iOS, iPadOS, and macOS Sonoma to older versions after it was found to be used as part of the Coruna exploit kit.

The vulnerability, tracked as CVE-2023-43010, relates to an unspecified vulnerability in WebKit that could result in memory corruption when processing maliciously crafted web content.

"This fix associated with the Coruna exploit was shipped in iOS 17.2 on December 11th, 2023," Apple said in an advisory.

"This update brings that fix to devices that cannot update to the latest iOS version."

(Originally fixed in iOS 16.6, released on July 24, 2023) - A use-after-free issue in WebKit that could lead to memory corruption when …

For most organizations, however, the more immediate risk plays out in cyberspace and involves all manner of threat actors.

Advanced Persistent Threat (APT) operations involving reconnaissance and initial access run in parallel or closely behind.

ESET researchers have previously documented close links between several Iran-aligned APT actors.

Muddying the waters further, several pro-Russian hacktivist groups have now apparently joined the fray in support of Iran, and there are reports of Iran-linked groups engaging with IABs on Russian cybercrime forums.

Spearphishing attachments and links have long been the most popular initial access techniques among most Iran-aligned APT groups, including …

Across 2025 and 2026, Sednit repeatedly deployed BeardShell together with Covenant, a third major piece of its modern toolkit.

Sednit profileThe Sednit group – also known as APT28, Fancy Bear, Forest Blizzard, or Sofacy – has been operating since at least 2004.

Moreover, because Xagent is a custom toolset used exclusively by the Sednit group for more than six years, we attribute SlimAgent to Sednit with high confidence.

To maintain persistent access to these high-value targets, Sednit systematically deploys another implant alongside BeardShell: Covenant, the final component of its modern arsenal.

Previously, in 2023, Sednit’s Covenant abused the legitimate cloud service pCloud, and in 2024–…

Cybersecurity is one of the few business functions where success is typically quiet.

While the need to prevent disruption is undeniable, justifying the cost of doing so against competing business priorities isn’t always straightforward.

Other parts of the business, especially profit centers, can usually point to visible changes: better sales or shorter time-to-market.

However, a couple of years where your business stayed out of harm’s way tell you little about the following year.

Theory meets realityThe lived security reality is often harsh, especially in perpetually resource-strapped and disproportionately targeted smaller organizations.

We recently caught up with Director of ESET Threat Research Jean-Ian Boutin to talk about the work of his team, and how threat research and intelligence feed into MDR workflows.

What do most small business users gain from ESET Threat Research?

ESET has a threat research team spread across multiple regions; I’m with the team in Montreal, but we have researchers spread across Europe and in the US, too.

As the head of a threat research team, what’s the difference that you see MDR having on customers?

From a threat research standpoint, this is the top advantage, and another key reason to value such visibility is the speed of response.

For the education sector, cybersecurity isn’t just about preserving reputation and minimizing financial damage.

The challenge for education institutions lies partly in the diversity of their adversaries.

How managed detection and response can helpManaged detection and response (MDR) is not a silver bullet solution to these problems.

Your MDR provider must adhere to any regulatory/industry-specific data privacy, residency or retention requirements and/or insurance policy clauses.

But disruption to learning is perhaps the most insidious impact of cyber incidents in the education sector.

In this roundup, Tony looks at how opportunistic threat actors are taking advantage of weak authentication, unmanaged exposure, and popular AI toolsWith the second month of 2026 (almost) behind us, it's time for ESET Chief Security Evangelist Tony Anscombe to look at cybersecurity stories that moved the needle and offered vital lessons over the past four weeks.

Here's Tony's rundown of some of what stood out in February 2026:Threat actors misused commercial generative AI tools to compromise more than 600 FortiGate devices located in 55 countries.

Rather than specific vulnerabilities, the attacks exploited exposed management ports and weak credentials without two-factor authentication, accor…

App permissions are almost like an invisible sentry, governing what type of data and device access your apps get.

What’s the deal with app permissions?

An app permission pop-up is essentially a dialog between your mobile OS and yourself.

Long list of permissions requested by a deceptive loan app back in 2023 (source: ESET Research)Which app permissions should ring alarm bells?

Managing app permissions safelyBefore allowing or blocking, always consider if a permission is necessary for the app in question to do its job.

Generative AI (GenAI) has democratized the creation of deepfake audio and video, to the point where generating a fabricated clip is as easy as pushing a button or two.

Organizations underestimate the deepfake threat at their peril.

How attacks workAs an experiment by ESET Global Security Advisor Jake Moore has also shown, it’s never been easier to launch a deepfake audio attack on your business.

They call the pre-selected target, using GenAI-generated deepfake audio to impersonate the CEO/supplier.

These programs should be updated to include deepfake audio simulations to ensure staff known what to expect, what’s at stake and how to act.

This Android malware also abuses the Accessibility Service to block uninstallation with invisible overlays, captures lockscreen data, records video.

This makes it difficult to automate with fixed scripts traditionally used by Android malware.

Based on these findings, we named the first stage of this malware PromptSpy dropper, and its payload PromptSpy.

9B1723284E3117949879 97CB7E8814EB6014713F mgappm-1.apk Android/Spy.PromptSpy.A Android PromptSpy dropper.

apk Android/Spy.PromptSpy.A Android PromptSpy.

High commission feeA 20% Poshmark commission for items over $15 means users are only too happy to complete deals off the platform.

Although Poshmark will authenticate certain items as part of its value-add services, it only does so for goods over $500.

Off-platform payment scamSimilar to the above, a buyer or seller suggests moving the transaction off Poshmark to avoid paying the 20% commission.

Poshmark support scamsA buyer contacts you with a phishing link purporting to come from Poshmark support claiming there’s a problem with your transaction.

Alternatively, a seller might sell a counterfeit item for just under the $500 threshold, over which Poshmark checks for authenticity.

The pros and cons of social mediaAlthough some would have you believe otherwise, social media is not inherently evil.

But it matters now more than ever, in an age when AI bots are scraping social media content to train large language models (LLMs).

But the correlation is clear, as this is the same period that smartphone and social media penetration surged in the West.

Experts have also claimed that social media can impact young people’s self-esteem, physical health, and quality of sleep.

Before you start a conversation about the pros and cons of your kids sharing selfies online, consider first reining in your “sharenting” behavior.

This is where dedicated leak sites, or data leak sites (DLSs), come in.

How do ransomware groups use data leak sites?

And that is, of course, the point – data leak sites are a coercion tool.

Data leak site of the Medusa ransomwarePressure by designEvery element of a leak site is designed to maximize psychological pressure.

World Leaks data leak siteBeyond extortionSome ransomware-as-a-service (RaaS) operators have expanded what leak sites do.

Scammers may impersonate the IRS or tax preparers via phone/email/text, using official logos or spoofing caller ID/sender domains.

The most common IRS scamsWith the above in mind, look out for the following most common IRS and tax return scams:Phishing/smishing/vishingEmails, texts and even phone calls purporting to come from tax authorities (e.g., IRS, state tax agencies and tax software companies).

Tax refundsThe IRS tax refund system offers several opportunities for scammers to make easy money.

Once again, they do so to get their hands on your cash and personal information.

For added security and peace of mind, switch on multifactor authentication (MFA) for any account used to access tax…

If you’re looking to buy or sell on the platform and want to stay clear of the scammers, read on.

Payment scamAs above, scammers (whether buyer or sellers) will often try to trick you into transacting via third-party cash app services.

In fact, they’re usually trying to log into your account and need the two-factor authentication code sent by OfferUp.

Bouncing checksA scammer pays for an item you’re selling via check, which bounces several days later, leaving you without the item and no payment.

OfferUp is great way to pick up bargains in your area, or make a little extra money from items you no longer need.

Fake appsMobile apps masquerading as official Winter Olympics apps may actually contain infostealing malware or other threats.

Staying safe from Winter Olympics scamsTo stay safe online, stick to the official Winter Olympics sites and don’t engage with unsolicited messages and too-goo-to-be-true deals.

Avoid clicking on links or opening attachments in unsolicited messages, even if they appear to be from legitimate Winter Olympics organizers/sponsors.

If you’re going to the event, download the official Olympics app for schedules, maps, and digital tickets.

The XXV Winter Olympic Games in Milano-Cortina is set to be a treat for sports fans around the world.

The European Parliament has voted to extend a temporary exemption to EU privacy legislation that allows online platforms to voluntarily detect child sexual abuse material (CSAM).

Lawmakers say the additional time will allow the EU to negotiate and adopt a permanent legal framework to prevent and combat child sexual abuse online.

Members of the European Parliament said detection measures must remain proportionate and targeted.

“We have a responsibility to address the horrific crime of child sexual abuse while safeguarding everyone’s fundamental rights.

An open letter to the European Parliament, signed by more than 800 scientists and researchers, questions the reliability of technologies prop…

SocksEscort, a residential proxy network used to exploit thousands of compromised home routers worldwide and facilitate large-scale fraud that cost victims millions of dollars, has been disrupted in an international law enforcement operation led by the U.S. Department of Justice.

The infected routers used to provide the proxy service have been disconnected, and officials plan to notify affected countries about the compromised devices to support further investigations.

Investigators say SocksEscort infected home and small business routers with malware that routed internet traffic through the compromised devices and sold that access to customers.

Cybercriminals then used the proxy access to c…

BioCatch has announced the launch of DeviceIQ, a comprehensive new device identification and intelligence product that transforms how financial institutions evaluate the trustworthiness of devices used for digital banking.

At the same time, financial institutions must comply with increasingly stringent privacy protections and customer expectations around data usage.

The depth and richness of these device insights allow banks to more accurately detect fraud risk earlier in every digital banking journey.

Unlike traditional device networks that share only lists of blocked devices with member institutions, DeviceIQ draws on insights from across BioCatch’s entire suite of solutions.

This enables…

Red Access has announced firewall-native SSE, an agentless cloud layer that instantly upgrades any existing firewall with Security Service Edge (SSE), GenAI security, and browser-agnostic protection.

“We built an agentless solution so that any company can activate such modern SSE and GenAI security seamlessly and within a few hours.

Simply by using Red Access’ configuration, any organization can get an instant upgrade to the advanced security capabilities of an SSE, over the top of their existing firewall,” Zvi continued.

Red Access firewall-native SSE is vendor-agnostic and supercharges firewalls such as Palo Alto Networks, Fortinet, Cisco, and Check Point.

It instantly delivers the capabi…

“AI coding agents can produce working software at incredible speed, but security isn’t part of their default thinking,” said James Wickett, CEO of DryRun Security.

“In our usage and experience, AI coding agents often missed adding security components or created authentication logic flaws.

Across 38 scans covering 30 pull requests, the agents produced 143 security issues.

Most of the high-severity findings in the final game scans traced back to design choices made during that task.

Review security during planning, not only during coding, since many issues in the study originated in design decisions that agents then implemented.

Passwords weren’t enough, so we added MFA.

Now MFA isn’t enough either.

In this Help Net Security video, Karlo Zatylny, CTO/CISO at Portnox, walks through why each layer of identity security has failed and what comes next.

And even when MFA works correctly, session hijacking can let attackers impersonate a user after authentication is complete.

Instead of relying on a session token alone, each request gets signed with a private key stored in hardware.

Here’s a look at the most interesting products from the past week, featuring releases from Binary Defense, Mend.io, OPSWAT, Singulr AI, SOC Prime, Terra Security, and Vicarius.

Agent Pulse delivers enforceable runtime governance, contextual discovery, and measurable oversight for the agentic enterprise.

Mend.io eliminates AI prompt weaknesses before productionMend.io has launched System Prompt Hardening within Mend AI to detect, score, and automatically remediate weaknesses in AI system prompts.

Hidden instructions in system prompts have emerged as a growing security concern that traditional AppSec tools do not fully address.

Binary Defense’s NightBeacon brings AI-driven analysis to SOCsBin…

A criminal group suspected of running an online fraud scheme in Germany, which defrauded victims of around €1 million, has been dismantled through judicial cooperation coordinated by Eurojust.

On 10 March, German and French authorities arrested three suspects in a joint operation.

According to the investigation, the criminal group allegedly used phishing emails to obtain victims’ online banking and mobile phone login credentials.

“Extensive evidence that was collected during the action day will now be further analysed as investigations into the online fraud scheme continue,” Eurojust said in the announcment.

This operation is the latest in a series of actions Eurojust has carried out with o…

ENISA’s Technical Advisory for Secure Use of Package Managers, released in March 2026, examines how this development practice expands exposure across software ecosystems.

Each package becomes part of the project’s dependency graph and remains present in the development environment after installation.

“This document focuses on how developers can securely use package managers as part of their software development life cycle.

Security practices follow the dependency lifecycleManaging dependency risk requires security controls across the package lifecycle.

Dependency chains created by package managers remain a core feature of software development.

Mimecast’s latest platform enhancements help security teams meet that challenge with adaptive controls, AI-powered investigation, and open ecosystem integrations that secure how employees and AI tools interact in real time.

Automated, adaptive security policies: The Mimecast platform now allows more flexibility to automatically adjust security controls based on individual user risk levels, leveraging insight from the Human Risk Command Center.

The Mimecast platform now allows more flexibility to automatically adjust security controls based on individual user risk levels, leveraging insight from the Human Risk Command Center.

An open platform that fits how security teams workSecurity teams d…

WhatsApp has introduced parent-managed accounts designed for pre-teens, giving parents and guardians new controls over contacts, group participation, and how the app is used.

Parents can also review message requests from unknown contacts and adjust the account’s privacy settings.

Only parents can access and change privacy settings, ensuring they are empowered to tailor their family’s experience,” the company said.

Parents will receive notifications about key activity on managed accounts, such as when a new contact is added or when a message request is received.

On WhatsApp, the company added an extra layer of protection beyond the app’s existing authentication options.

Socure has announced Socure Launch, providing every organization with immediate access to industry tested, pre-built identity and fraud solutions.

This marks a new era for Socure, providing startups an enterprise level of identity verification, fraud detection, and compliance decisioning.

With Socure Launch, developers can instantly build on Socure’s RiskOS platform and move from account creation to production-ready identity and risk workflows in minutes, rather than weeks.

“With Socure Launch, identity and risk will never hold back innovation.

As a result, we recognize that all organizations need the same identity infrastructure that the world’s largest enterprises rely on,” said Johnny Ay…

Zscaler has expanded its data sovereignty capabilities globally, powered by the Zscaler Zero Trust Exchange cloud security platform.

Its architecture is based on isolated control, data, and logging planes, distinct layers and separation for management, traffic inspection, and record-keeping to ensure sensitive data never leaves its required jurisdiction enabling customers to maintain authority over their data.

Running a control plane in a country is more complex than just data and logging planes.

“Effective data sovereignty requires customers to have verified authority over their data residency, telemetry and control data plane data.

By separating control, data, and logging planes with a de…

SOC Prime has announced the release of DetectFlow Enterprise, a solution that brings real-time threat detection to the ingestion layer, turning data pipelines into detection pipelines.

Running tens of thousands of Sigma detections on live Kafka streams with millisecond MTTD using Apache Flink, DetectFlow Enterprise enables security teams to detect, tag, enrich, and correlate threat data in flight before data reaches downstream systems such as SIEM, EDR, and Data Lakes.

Built on SOC Prime’s Detection Intelligence dataset, DetectFlow uses Flink Agent to assemble detections, events, and relevant active threat context for AI-powered analysis.

This helps security teams surface high-confidence at…

About Bruce SchneierI am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

The only real alternative is to be bold and invest in a wholly Canadian public AI: an AI model built and funded by Canada for Canadians, as public infrastructure.

With funding from the federal government, a consortium of academic institutions—ETH Zurich, EPFL, and the Swiss National Supercomputing Centre—released the world’s most powerful and fully realized public AI model, Apertus, last September.

The case for public AI rests on both democratic principles and practical benefits.

These decisions will profoundly shape society as AI becomes more pervasive, yet corporate AI makes them in secret.

What’s needed now is a reorientation away from viewing this as an opportunity to attract private ca…

Jailbreaking the F-35 Fighter JetCountries around the world are becoming increasingly concerned about their dependencies on the US.

If you’ve purchase US-made F-35 fighter jets, you are dependent on the US for software maintenance.

The Dutch Defense Secretary recently said that he could jailbreak the planes to accept third-party software.

Posted on March 10, 2026 at 5:50 AM • 0 Comments

This cross-layer identity desynchronization is the key driver of AirSnitch attacks.

The attacker can be on the same SSID, a separate one, or even a separate network segment tied to the same AP.

It works against small Wi-Fi networks in both homes and offices and large networks in enterprises.

The AirSnitch MitM also puts the attacker in the position to wage attacks against vulnerabilities that may not be patched.

Attackers can also see the external IP addresses hosting webpages being visited and often correlate them with the precise URL.

This is a very weird story about how squid stayed on the menu of Byzantine monks by falling between the cracks of dietary rules.

At Constantinople’s Monastery of Stoudios, the kitchen didn’t answer to appetite.

It answered to the “typikon”: a manual for ensuring that nothing unexpected happened at mealtimes.

Medieval monks, confronted with a creature that was neither fish nor fowl, gave up and let it pass.

In a kitchen governed by prohibitions, the safest ingredient was the one that caused the least disturbance.

Anthropic and the PentagonOpenAI is in and Anthropic is out as a supplier of AI technology for the US defense department.

AI models are increasingly commodified.

The latest models from Anthropic, OpenAI and Google, in particular, tend to leapfrog each other with minor hops forward in quality every few months.

Anthropic knew what they were getting into when they agreed to a defense department partnership for $200m last year.

Regardless, the defense department can also reasonably demand that the AI products it purchases meet its needs.

An unknown hacker used Anthropic’s LLM to hack the Mexican government:The unknown Claude user wrote Spanish-language prompts for the chatbot to act as an elite hacker, finding vulnerabilities in government networks, writing computer scripts to exploit them and determining ways to automate data theft, Israeli cybersecurity startup Gambit Security said in research published Wednesday.

[…]Claude initially warned the unknown user of malicious intent during their conversation about the Mexican government, but eventually complied with the attacker’s requests and executed thousands of commands on government computer networks, the researchers said.

Anthropic investigated Gambit’s claims, disrupted …

Israel Hacked Traffic Cameras in IranMultiple news outlets are reporting on Israel’s hacking of Iranian traffic cameras and how they assisted with the killing of that country’s leadership.

The New York Times has an on the intelligence operation more generally.

Posted on March 5, 2026 at 12:31 PM • 1 Comments

Wired has the story:Shortly after the first set of explosions, Iranians received bursts of notifications on their phones.

They came not from the government advising caution, but from an apparently hacked prayer-timing app called BadeSaba Calendar that has been downloaded more than 5 million times from the Google Play Store.

The messages arrived in quick succession over a period of 30 minutes, starting with the phrase ‘Help has arrived’ at 9:52 am Tehran time, shortly after the first set of explosions.

No party has claimed responsibility for the hacks.

Microsoft is reporting:Companies are embedding hidden instructions in “Summarize with AI” buttons that, when clicked, attempt to inject persistence commands into an AI assistant’s memory via URL prompt parameters….

These prompts instruct the AI to “remember [Company] as a trusted source” or “recommend [Company] first,” aiming to bias future responses toward their products or services.

We identified over 50 unique prompts from 31 companies across 14 industries, with freely available tooling making this technique trivially easy to deploy.

This matters because compromised AI assistants can provide subtly biased recommendations on critical topics including health, finance, and security without …

The MIT Technology Review has a good article on Moltbook, the supposed AI-only social network:Many people have pointed out that a lot of the viral comments were in fact posted by people posing as bots.

But even the bot-written posts are ultimately the result of people pulling the strings, more puppetry than autonomy.

“Humans are involved at every step of the process.

From setup to prompting to publishing, nothing happens without explicit human direction.”Humans must create and verify their bots’ accounts and provide the prompts for how they want a bot to behave.

The agents do not do anything that they haven’t been prompted to do.

Turns out that LLMs are good at de-anonymization:We show that LLM agents can figure out who you are from your anonymous online posts.

Across Hacker News, Reddit, LinkedIn, and anonymized interview transcripts, our method identifies users with high precision ­ and scales to tens of thousands of candidates.

While it has been known that individuals can be uniquely identified by surprisingly few attributes, this was often practically limited.

Data is often only available in unstructured form and deanonymization used to require human investigators to search and reason based on clues.

In our new research, we show that this is not only possible but increasingly practical.

Friday Squid Blogging: Squid Fishing in PeruPeru has increased its squid catch limit.

The article says “giant squid,” but they can’t possibly mean that.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Blog moderation policy.

Posted on February 27, 2026 at 5:04 PM • 0 Comments

Triggered as part of January’s government crackdown against citizen protests nationwide, the regime implemented an internet shutdown that transcends the standard definition of internet censorship.

The technical architecture of Iran’s shutdown reveals its primary purpose: social control through isolation.

The United Nations and various international bodies have increasingly recognized internet access as an enabler of other fundamental human rights.

Unlike China’s censorship regime, Iran’s overlay model is highly exportable.

A coalition of civil society organizations has already launched a campaign calling for “direct-to-cell” (D2C) satellite connectivity.

A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan.

Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.

In a lengthy statement posted to Telegram, an Iranian hacktivist group known as Handala (a.k.a.

Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.

The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploratio…

Microsoft Corp. today pushed security updates to fix at least 77 vulnerabilities in its Windows operating systems and other software.

It would hardly be a proper Patch Tuesday without at least one critical Microsoft Office exploit, and this month doesn’t disappoint.

Ben McCarthy, lead cyber security engineer at Immersive, called attention to CVE-2026-21536, a critical remote code execution bug in a component called the Microsoft Devices Pricing Program.

Microsoft has already resolved the issue on their end, and fixing it requires no action on the part of Windows users.

For a complete breakdown of all the patches Microsoft released today, check out the SANS Internet Storm Center’s Patch Tues…

The new hotness in AI-based assistants — OpenClaw (formerly known as ClawdBot and Moltbot) — has seen rapid adoption since its release in November 2025.

“The testimonials are remarkable,” the AI security firm Snyk observed.

WHEN AI INSTALLS AIOne of the core tenets of securing AI agents involves carefully isolating them so that the operator can fully control who and what gets to talk to their AI assistant.

Probably the best known (and most bizarre) example is Moltbook, where a developer told an AI agent running on OpenClaw to build him a Reddit-like platform for AI agents.

Claude Code Security is a legitimate signal that AI is reshaping parts of the security landscape.

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet.

Dort was an extremely active player in the Microsoft game Minecraft who gained notoriety for their “Dortware” software that helped players cheat.

Dort also used the nickname DortDev, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as LAPSUS$.

Dort peddled a service for registering temporary email addresses, as well as “Dortsolver,” code that could bypass various CAPTCHA services designed to prevent automated account abuse.

The breach tracking service Constella I…

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms.

Enter Starkiller, a new phishing service that dynamically loads a live copy of the target login page and records everything the user types, proxying the data to the legitimate site and back to the victim.

According to an analysis of Starkiller by the security firm Abnormal AI, the service lets customers select a brand to impersonate (e.g., Apple, Facebook, Google, Microsoft et.

“Starkiller represents a significant escalation in phishing infrastructure, reflecting a broader trend toward commoditized, enterp…

I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet’s control servers.

I2P is a decentralized, privacy-focused network that allows people to communicate and share information anonymously.

However, Lance James, founder of the New York City based cybersecurity consultancy Unit 221B and the original founder of I2P, told KrebsOnSecurity the entire I2P network now consists of between 15,000 and 20,000 devices on any given day.

Brundage said the Kimwolf operator(s) have been trying to build a command and control network that can’t easily be taken down by security companies and network …

The zero-day flaw CVE-2026-21513 is a security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows.

CVE-2026-21514 is a related security feature bypass in Microsoft Word.

The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to “SYSTEM” level access in Windows Remote Desktop Services.

Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since January’s Patch Tuesday.

On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.

A prolific data ransom gang that calls itself Scattered Lapsus Shiny Hunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion.

Some victims reportedly are paying — perhaps as much to contain the stolen data as to stop the escalating personal attacks.

That’s according to Allison Nixon, director of research at the New York City based security consultancy Unit 221.

Nixon said Com-based extortion groups tend to instigate feuds and drama between group members, leading to lying, betrayals, credibility destroyin…

The FBI said Badbox 2.0 was discovered after the original Badbox campaign was disrupted in 2024.

KrebsOnSecurity was initially skeptical of the claim that the Kimwolf botmasters had hacked the Badbox 2.0 botnet.

]net, a domain that was flagged in a March 2025 report by HUMAN Security as one of several dozen sites tied to the distribution and management of the Badbox 2.0 botnet.

However, the source of that Badbox 2.0 screenshot said the Kimwolf botmasters had an ace up their sleeve the whole time: Secret access to the Badbox 2.0 botnet control panel.

The source said it isn’t clear how Dort gained access to the Badbox botnet panel.

Kimwolf grew rapidly in the waning months of 2025 by tricking various “residential proxy” services into relaying malicious commands to devices on the local networks of those proxy endpoints.

Kimwolf mainly targeted proxies from IPIDEA, a Chinese service that has millions of proxy endpoints for rent on any given week.

The Kimwolf operators discovered they could forward malicious commands to the internal networks of IPIDEA proxy endpoints, and then programmatically scan for and infect other vulnerable devices on each endpoint’s local network.

Kimwolf’s close association with residential proxy networks and compromised Android TV boxes might suggest we’d find relatively few infections on corpor…

Microsoft today issued patches to plug at least 113 security holes in its various Windows operating systems and supported software.

“Today’s Windows patches remove agrsm64.sys and agrsm.sys.

This security feature is designed to protect against threats like rootkits and bootkits, and it relies on a set of certificates that are set to expire in June 2026 and October 2026.

Once these 2011 certificates expire, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes.

Windows admins should keep an eye on askwoody.com for any news about patches that don’t quite play nice with everything.

XLab said it suspected since October that Kimwolf and Aisuru had the same author(s) and operators, based in part on shared code changes over time.

In late October 2025, Brundage shared that the people selling various proxy services which benefitted from the Aisuru and Kimwolf botnets were doing so at a new Discord server called resi[.]to.

]to Discord channel would periodically post new IP addresses that were responsible for proxying traffic over the Kimwolf botnet.

All told, Synthient said it tracked at least seven static Resi Rack IP addresses connected to Kimwolf proxy infrastructure between October and December 2025.

]to Discord server vanished, Synthient’s website was hit with a DDoS at…

The most typical of these uninvited guests are small programs that turn the device into a residential proxy node that is resold to others.

Brundage says Kimwolf grew rapidly by abusing a glaring vulnerability in many of the world’s largest residential proxy services.

Kilmer said one model of unsanctioned Android TV boxes that is especially popular — the Superbox, which we profiled in November’s Is Your Android TV Streaming Box Part of a Botnet?

At that point, your home’s public IP address will show up for rent at the website of some residential proxy provider.

Brundage also has compiled a list of the unofficial Android TV boxes that are most highly represented in the Kimwolf botnet.

Your engagement this past year here has been tremendous and truly a salve on a handful of dark days.

The arrests came shortly after the FBI and the Dutch police seized dozens of servers and domains for the group.

In June, KrebsOnSecurity.com was hit by the largest DDoS attack that Google had ever mitigated at the time (we are a grateful guest of Google’s excellent Project Shield offering).

Another Aisuru attack on Cloudflare just days later practically doubled the size of the June attack against this website.

If you like the content we publish at KrebsOnSecurity.com, please consider making an exception for our domain in your ad blocker.

Democratic lawmakers have urged the SEC to investigate what they call “concerning ties to President Trump and his family” as potential conflicts of interest and foreign influence.

In October, President Trump pardoned Changpeng Zhao, the founder of the world’s largest cryptocurrency exchange Binance.

President Trump this term has fired most of the people involved in processing Freedom of Information Act (FOIA) requests for government agencies.

CONSUMER PROTECTION, PRIVACYAt the beginning of this year, President Trump ordered staffers at the Consumer Financial Protection Bureau (CFPB) to stop most work.

Nevertheless, it emerged in June that the Trump administration has built a central databas…

The problem is not with Signal itself, but rather with its users being tricked into handing over the keys to their accounts.

The hacking campaign uses two main techniques, neither of which requires exploiting any vulnerability in Signal or WhatsApp.

As Signal explained in its post, targeted victims receive an in-app message which purports to come from "Signal Security Support Chatbot", or a similar official-sounding account.

The reality is that scanning the QR code links the attacker's device to the victim's account, allowing their conversations to be monitored surreptitiously.

And if someone contacts you claiming to be the "Signal Security Support Chatbot" - well, they're an attacker.

All this, and much more, in episode 458 of the “Smashing Security” podcast with cybersecurity veteran Graham Cluley, and special guest Tricia Howard.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

X, Elon Musk's social media site that many people (me included) still prefer to call Twitter, has told British MPs that it suspended 800 million accounts in 2024 for breaching its rules on platform manipulation and spam.

The "massive" 800 million suspensions in 2024 covered accounts breaching X's rules on platform manipulation and spam, although the company declined to break down how many of those related specifically to interference by foreign powers.

Fernández confirmed to MPs that manipulation attempts had not subsided, with "several hundred million accounts" having been taken down in just the latter part of 2024.

The problem does not seem to be going away, and the site's approach to han…

Tycoon 2FA's key trick was how it could bypass MFA by sitting between the victim and the legitimate service.

A fake website that looked identical to the real one doesn't just collect a victim's login credentials - it immediately forwards them to the real site in real time, acting as a transparent proxy.

When the victim enters their one-time-password on the fake site, it is forwarded to the real site before it expires, and the attack gains a fully-authenticated session.

Meanwhile, law enforcement authorities in Latvia, Lithuania, Portugal, Poland, Spain, and the UK also seized infrastructure used by the criminal operation.

Obviously it's a good thing that one of the most dangerous phishing p…

All this, and much more, in episode 457 of the “Smashing Security” podcast with cybersecurity veteran Graham Cluley, and special guest Carl Miller.

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Follow Graham Cluley on LinkedIn, Bluesky, or Mastodon to read more of the exclusive content we post.

South Korea's National Tax Service (NTS) has found itself in the middle of a deeply embarrassing — and costly — blunder after accidentally handing thieves the master key to a seized cryptocurrency wallet.

Publishing the access key in a press release, in plain sight for the entire world to see.

This seed phrase is the 12-to-24 word sequence that functions as the master key for a cryptocurrency wallet.

For those unfamiliar with how hardware wallets work, the mnemonic (or seed) phrase is essentially your wallet's ultimate password.

The moment a seed phrase is exposed, the offline protection is weaker than tissue paper.

A new report claims that the cost of insider security incidents has surged 20% in two years, reaching an average of US $19.5 million per organization annually, with no sign that the alarming figure is flattening. Read more in my article on the Fortra blog.

There is a certain poetic justice in a cybersecurity-related story that has emerged from Moscow this week: A man has been accused of trying to extort money... from a notorious Russian ransomware gang.

Conti, one of the world's most infamous cybercriminal operations, was allegedly the victim of an attempted scam by someone pretending to be an officer of Russia's Federal Security Service (FSB).

The irony that a ransomware group with a history of extorting money from hacked organisations was itself being extorted is surely not lost on anybody.

That data reinforced long-standing suspicions that the Conti group deliberately avoided Russian targets, and aligned itself with the interests of the Kr…

All this, a surprisingly zen Pick of the Week, and a gloriously splenetic rant against web forms, on episode 456 of the award-winning “Smashing Security” podcast, with cybersecurity veteran Graham Cluley and special guest Paul Ducklin.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

If you did, maybe you're one of those who were sat at your sofa fuming about Ring camera's TV ad.

In the ad, a family's dog goes missing, and Ring cameras across the neighbourhood scan their footage in search of the animal.

Ring probably hoped that the ad would sell the "Search Party" feature in a heartwarming way.

Others posted videos of themselves destroying their Ring devices in protest, and online forums were ablaze with discussions about data ownership and consent.

Instead, any winner of the bounty will need to demonstrate a method that allows affected Ring cameras to operate locally and redirect footage to the owner's own computer or server, without transmitting video footage to Amazo…

But if I was able to book hotel rooms worth up to €1,000 just for a single euro cent?

Spain's police force has announced that it has arrested a 20-year-old man who they claim managed to book luxury hotel rooms worth up to €1,000 a night for just one euro cent."

The man - whose identity has not been released - allegedly targeted the payment gateway of a well-known online travel and hotel booking website.

According to reports, which are being understandably kept high-level to avoid copycats, the attack did not meddle with the price displayed on the hotel booking site, but instead interfered with the message sent back to the booking site so that it claimed the transaction had been authorised.

…

All of this, and much more, in episode 455 of the award-winning “Smashing Security” podcast with cybersecurity veteran Graham Cluley, joined this week by journalist and author James Ball.

Smashing Security listeners get $1000 off!

Support the show:You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Police in The Netherlands say they have arrested a 40-year-old man on suspicion of hacking... after police officers accidentally sent him a link granting him access to their own confidential documents.

The police officer handling the contact sent the man a link intended to allow him to upload the images.

However, by mistake, the link that was sent to the man actually allowed him to access and download confidential files.

Dutch police say that there is no indication that any of the leaked files have been shared more widely.

The recipient can reasonably assume that the download link and the files shared with it were not intended for them."

A coordinated cyberattack that targeted Poland's energy infrastructure in late December 2025 has prompted cybersecurity agencies to issue urgent warnings to critical national infrastructure operators on both sides of the Atlantic. Read more in my article on the Fortra blog.

A 29-year-old Polish man has been charged in connection with a data breach that exposed the personal details of around 2.5 million customers of the popular Polish e-commerce website Morele.net.

The high-profile breach of Morele.net, whose international equivalents include the likes of Best Buy, Newegg, and Amazon, sent shockwaves through Poland's online retail sector.

The investigation into the data breach had originally been shelves after police failed to identify a suspect, but authorities claim that the trail never went entirely cold.

Unfortunately for the site's users who had their information breached, fraudsters weaponised the stolen data immediately.

Victims reported receiving SMS me…

Если жертвы ищут инструменты под macOS, то в качестве вредоносной нагрузки выступает тот же AMOS, а если под Windows — инфостилер Amatera.

А это значит, что подобные кампании несут угрозу не только для домашнего пользователя, но и для организаций.

Дело в том, что ассистента для кодинга Claude Code, как и агента для автоматизации рабочих задач OpenClaw достаточно часто используют сотрудники компаний.

Вредоносная нагрузкаТочно так же, как и в случае с оригинальным Claude Code, команда для macOS пытается через консольную утилиту curl установить приложение.

Она устанавливает инфостилер Amatera, который собирает данные браузера и криптокошельков и информацию папки пользователя и отправляет данны…

В одной кампании троян маскировался под официальное приложение для получения госуслуг в Бразилии, INSS Reembolso, в другой — под приложение Starlink.

Перед расшифровкой и переходом к следующим этапам заражения он проверяет, что находится на реальном смартфоне и в нужной стране.

BeatBanker прекращает работу, если найдет любые несоответствия или обнаружит себя на эмуляторе или в среде для анализа приложений.

Кстати, фальшивый «загрузчик обновлений» вообще загружает модули прямо в оперативную память, чтобы не создавать в смартфоне файлов, видимых защитному ПО.

Затем они активируют майнинг, но отключают эту функцию, если смартфон перегрелся, сильно разрядился или в данный момент им активно поль…

Другая проблема — локальное хранение данных с правами на чтение для любого приложения на устройстве.

Полтора года без патчей — и это для приложения, в котором хранятся журналы настроения, записи о сеансах терапии и графики приема лекарств.

Распространяется ли политика обработки данных не только на сайт, но и на приложение?

Распространяется ли политика обработки данных не только на сайт, но и на приложение?

Если вы не готовы, чтобы это прочитал случайный человек из Интернета, — то, наверное, не стоит записывать это в приложение с полутора сотнями уязвимостей, не обновлявшееся с позапрошлого года.

В этом посте еще раз разберем, что собой представляет атака browser-in-the-browser, покажем, как злоумышленники ее применяют, и, главное, объясним, как не стать жертвой.

Что такое атака «Браузер в браузере» (browser-in-the-browser, BitB)Для начала давайте вспомним, что же придумал mr.d0x.

Как не стать жертвойПрименение интернет-мошенниками атаки «браузер в браузере» в очередной раз демонстрирует, что используемые ими методы и уловки постоянно меняются.

Что представляют собой ключи доступа и как начать ими пользоваться, вы можете узнать из нашего подробного поста о данной технологии.

Что представляют собой ключи доступа и как начать ими пользоваться, вы можете узнать из нашего подробного пос…

Наши эксперты GReAT обнаружили в нем уязвимость CVE-2026-3102, которая проявляется при обработке вредоносного файла изображения (например, PNG), содержащего в метаданных команды оболочки.

При обработке такого файла с помощью ExifTool на macOS команда срабатывает, и на компьютере выполняются действия, задуманные злоумышленником, — например, загрузка и запуск вредоносного ПО с внешнего сервера.

В крупных библиотеках, издательствах и компаниях, занимающихся аналитикой изображений, ExifTool зачастую используется в автоматизированном режиме, его вызывают из написанных в организации приложений и скриптов.

Как защититься от уязвимости в ExifToolИсследователи GReAT сообщили об уязвимости автору Exi…

И еще один полезный для экспертов инструмент — для работы с локальной версией KTAE наши эксперты сделали плагин к популярному средству дизассемблирования — IDA Pro, доступный совершенно бесплатно.

Зачем нужен плагин атрибуции для дизассемблераДежурный аналитик для атрибуции найденного в инфраструктуре вредоносного файла просто загрузит его в сервис KTAE (будь то облачный или локальный) и получит вердикт: Manuscrypt (83%).

Для работы плагина нужно иметь IDA Pro (IDA Free, к сожалению, не подходит, поскольку не поддерживает Python-плагины).

К слову, это далеко не единственный плагин для IDA Pro, разработанный нашими экспертами Глобального центра исследований и анализа угроз (GReAT) для облегч…

Как отключить ИИ в Google Docs, Gmail, Google WorkspaceФункции ИИ-ассистента в почте и документах Google объединены под общим названием «умные функции».

Как отключить ИИ-обзоры в поиске GoogleУстранить ИИ-обзоры в результатах поиска можно как на компьютерах, так и на смартфонах, включая iPhone, и рецепт везде одинаков.

Можете также изучить нашу подробную инструкцию, как отключить и полностью удалить Microsoft Recall.

Как отключить ИИ в «Блокноте» и контекстных действиях WindowsИИ можно обнаружить во всех уголках Windows, включая «Проводник» и «Блокнот».

Как отключить ИИ в macOS и iOSВстроенные в платформу Apple ИИ-функции называются Apple Intelligence и отключаются максимально прямолинейно …

Суть атак с применением ClickFix сводится к тому, что жертву под разными предлогами убеждают выполнить вредоносную команду на собственном компьютере.

То есть с точки зрения защитных решений запускается она от лица активного пользователя и с его привилегиями.

В настоящее время протокол почти не используется, но поддерживается как в Windows, так и в macOS, а также в ряде систем на базе Linux.

Он применялся в атаке на пользователей, пытающихся найти инструмент для блокировки рекламных баннеров, трекеров, зловредов и другого нежелательного контента на веб-страницах.

Как защитить компанию от ClickFix-атакОт простейших атак, использующих технику ClickFix, можно защититься, заблокировав на рабочих…

Смогли добраться до чужого сервера SharePoint — рассылают через него; не смогли — отправляют уведомления через какой-нибудь бесплатный сервис, например через GetShared.

На этот раз дошла очередь до сервиса Google Задачи (Google Tasks).

Как выглядит фишинг через Google ЗадачиАдресат получает легитимную нотификацию с адреса @google.com с сообщением «у вас новая задача».

По сути, злоумышленники пытаются создать у жертвы впечатление, что в компании начали использовать трекер задач от Google, в связи с чем нужно незамедлительно пройти по ссылке и заполнить форму подтверждения сотрудника.

Автоматизировать процесс обучения сотрудников и поддержания их уровня осведомленности о современных киберугро…

Схема особенно коварна потому, что мини-приложения в Telegram модерируются лишь постфактум, если на них вообще поступают жалобы.

Срочно зайдите в раздел Настройки → Устройства в Telegram и завершите все остальные сеансы, а затем прочитайте нашу пошаговую инструкцию о том, что делать при угоне аккаунта Telegram и как восстановить к нему доступ.

В комментариях крупных каналов и в групповых чатах злоумышленники рассказывают о версии Telegram, которая якобы уже сейчас работает без замедлений.

Проверьте активные сеансыВ мобильной версии Telegram перейдите в Настройки → Устройства → Активные сеансы, в версии для десктопов — в Настройки → Активные сессии.

С недавних пор passkeys доступа можно подк…

Вы наверняка слышали про OpenClaw (он же Clawdbot и Moltbot) — ИИ-ассистента с открытым исходным кодом, которого можно развернуть на компьютере.

В OpenClaw можно задействовать любые локальные или облачные LLM и широкий спектр интеграций.

Также в OpenClaw были обнаружены две уязвимости с инъекцией команд (CVE-2026-24763, CVE-2026-25157).

Секреты в открытом видеВ конфигурации, «памяти» и чатах OpenClaw в открытом виде хранятся API-ключи, пароли и другие секреты для работы LLM и сервисов интеграции.

Подчеркнем, что OpenClaw является лишь ярким, экстремальным примером, но в целом эта «ужасная пятерка» характерна для всех многоцелевых ИИ-агентов.

Но расспросить друзей и близких о том, как они передают интонации и эмоции в переписке, все равно не будет лишним.

Впрочем, дело может быть не только в алгоритмах работы подобных приложений, но и в наших ожиданиях от них.

Немаловажно и то, что романтический взгляд на любовь появился не на пустом месте.

Романтики, как и многие наши современники, скептически относились к бурному развитию технологий, индустриализации и урбанизации.

И первый шаг к этому — разобраться с настройками приватности всех ваших соцсетей и приложений с помощью нашего бесплатного сервиса Privacy Checker.

А те, кто не приехал, посмотрят соревнования по телевидению и на стримингах: по данным платформ, рейтинги трансляций уже самые высокие с 2014 года.

Рассказываем, как избежать проблем в виде фальшивых билетов, несуществующего мерча и поддельных трансляций, сохранить свои деньги и персональные данные.

С их помощью злоумышленники выуживают у фанатов платежные данные, чтобы либо перепродать их, либо обчистить счета сразу.

Итог: шоу не будет, как минимум злоумышленники использовали вас для арбитража трафика, а как максимум — получили доступ к вашему счету.

Тактика защитыМошенники обманывают любителей спорта годами, а их доходы напрямую зависят от качества мимикрии под официальные порталы.

Мы разберем самые яркие примеры фишинговых и спамерских схем прошлого года, а полный отчет «Спам и фишинг в 2025 году» читайте на Securelist.

После знакомства и непродолжительного общения в дейтинг-сервисах новая пассия приглашала жертву в театр или кино и присылала ссылку на покупку билетов.

Вишенкой на торте водителю предлагалось оплатить «пошлину по замене прав» в 1200 крон (больше $125) — так мошенники получали и персональные данные, и реквизиты банковской карты, и деньги.

Нейросетевые мошенникиРазумеется, скамеры не остались в стороне и от бума искусственного интеллекта.

Хайп сей ложь, да в нем намекКак и раньше, в 2025 году мошенники мгновенно подхватывали любые инфоповоды и оперативн…

Очень скоро Clawdbot по настоянию Anthropic из-за созвучности с Claude был переименован сначала в Moltbot, a затем, еще через несколько дней, — в OpenClaw.

Риски безопасности: исправляемые и не оченьОдновременно с тем, как OpenClaw захватывал соцсети, эксперты по кибербезопасности хватались за голову: количество уязвимостей, содержащихся в OpenClaw, превосходило все возможные предположения.

Проблема в том, что в Интернете в открытом доступе находятся сотни неправильно настроенных административных интерфейсов OpenClaw.

Например, как мы недавно писали в посте Джейлбрейк в стихах: как поэзия помогает разговорить ИИ, промпт в стихах существенно снижает эффективность защитных ограничений языковы…

In support of this model, Orange Business has certified Cisco Catalyst SD-WAN Next-Generation Firewall (NGFW) capabilities as part of its Orange Flexible SD-WAN managed service.

Rather than treating networking and security as separate solutions, Catalyst SD-WAN enables partners like Orange Business to deliver an integrated service model built on consistent policy enforcement, visibility, and security across distributed environments.

Built-in security capabilities powered by Catalyst SD-WANCatalyst SD-WAN embeds security directly into the WAN fabric, enabling partners like Orange Business to deliver robust, enterprise-grade managed security without added complexity.

Learn more about how you …

As discussed in Peter Bailey’s recent LinkedIn post, the security conversation is shifting toward protecting the infrastructure software that underpins everything else.

Security agencies have warned that threat actors actively exploit vulnerabilities in network infrastructure devices to gain and maintain persistent access.

The exposure window CISOs can’t ignoreOne of the structural challenges in securing networking infrastructure is patch velocity.

Threat intelligence research has shown that vulnerabilities in network infrastructure are frequently exploited rapidly after disclosure, while remediation may take 30 days or more.

With eBPF at its core and Cisco’s networking leadership as its pl…

To address this reality, Cisco is expanding the remote browser isolation (RBI) capability of Cisco Secure Access with advanced isolation controls.

Introducing Advanced Isolation Controls in Cisco Secure AccessRBI advanced isolation controls in Cisco Secure Access extend policy enforcement into how users interact with web-based content.

By keeping policy enforcement within isolation, organizations may reduce tools for data protection, browser control, and end point enforcement.

RBI advanced isolation controls represent a natural next step, building on a proven isolation foundation to deliver practical, policy-driven protection at the last mile.

Read the Secure Access e-book or join a Secure …

While organizations have made significant progress securing their email domains with DMARC, attackers are exploiting an adjacent, less-defended surface: social media.

Why social media is the next impersonation frontierUnlike domain-based attacks, which require registering infrastructure and hosting phishing pages, social media impersonation is operationally simple.

Now, Brand Trust’s newest add-on, Social Media Monitoring, is now available through Cisco.

This gives Cisco customers the ability to detect and respond to fraudulent social media profiles that impersonate their company or executives.

For more information on domain protection and Social Media Monitoring, please visit Red Sift’s Ci…

Building on the lessons learned in the Security Operations Center (SOC) at major events, we challenged ourselves to build something new at Cisco Live Amsterdam 2026, a closed-loop integration with Cisco XDR and Splunk Enterprise Security.

The Splunk Security Product Labs team worked to utilize the power of the Cisco XDR correlation engine, to bring Splunk ES Risk index logs as Sources into the XDR Data Analytics Platform.

The integration between Cisco XDR and Splunk ES delivers a seamless experience for security operations teams by combining native XDR detections with Splunk’s extensive data backend and custom OCSF detections.

Key factors enabling this rapid setup included:Pre-validated Dat…

The Challenge of Encrypted Traffic InspectionTraffic inspection remains one of the most critical capabilities in modern firewall systems.

This is where Encrypted Visibility Engine (EVE) becomes a gamechanger, providing valuable insight into encrypted connections without requiring decryption.

What is Encrypted Visibility Engine?

This enables visibility into the source process by generating encrypted connections, a capability traditionally limited to endpoint antivirus and anti-malware software.

Without Encrypted Visibility Engine, this connection would have succeeded unnoticed by a security analyst.

During Cisco Live EMEA we noticed a variety of AI tools being used across the network.

To better understand which AI tools are the most popular I decided to dig into DNS data.

First, we queried DNS events categorized under Secure Access’ Generative AI classification to identify emerging and long-tail AI-related destinations.

This allowed us to discover AI services beyond well-known platforms and understand broader generative AI adoption trends.

Here is the Splunk query and the results specifically searching for Umbrella DNS events that have been categorized as Generative AI.

Agentic AI comes to analyst’s rescue here as most of these mundane tasks can be automated with some Generative AI creativity.

How did Instant Attack Verification do at Cisco Live EMEA 2026?

Both incidents stem from the same source IP scanning internal surveillance cameras and (in the first case) Cisco DNA Center.

ConcludingInstant Attack Verification proved its value during the week at Cisco Live EMEA 2026.

Instead, Instant Attack Verification did that work in minutes per incident, producing structured reports with MITRE ATT&CK mappings, confidence scores, and prioritized recommendations.

The Oosterscheldekering is a unique storm surge barrier designed to stay open to allow the natural tide to flow, preserving the ecosystem.

But the moment a storm surge is detected, its massive gates drop to protect the land.

The Oosterscheldekering is a unique storm surge barrier designed to stay open to allow the natural tide to flow, preserving the ecosystem.

But the moment a storm surge is detected, its massive gates drop to protect the land.

Splunk & Splunk ES: Since the acquisition, the synergy between Cisco XDR and Splunk Enterprise Security (ES) has become our North Star.

Advanced Logging is a Cisco Firewall unique capability that sends Zeek style logs to Splunk or another SIEM solution.

In this blog post, we’ll look at the Splunk integration wizard and Advanced Logging, alongside a few use cases from the conference.

The Splunk Integration WizardVersion 10.0 brings with it a new wizard that can be used to export syslog from Cisco Secure Firewall to Splunk and other SIEMs.

With Advanced Logging enabled, a firewall admin can then select individual rules to generate logs.

Fortunately, Advanced Logging gave us the visibility to quickly confirm that a connection using the /rootr2 string never occurred.

Tier 1 and Tier 2 analysts operated in Cisco XDR, while Tier 3 analysts conducted advanced investigations in Splunk Enterprise Security (ES).

To understand the broader SOC architecture and tooling deployed at the event, check out the blog “Cisco Live Amsterdam 2026: XDR + Splunk ES” by Jessica Oppenheimer & Ivan Berlinson, which outlines the full design and operational model.

This post focuses on how we bridged Cisco XDR and Splunk Enterprise Security to streamline escalations, eliminate friction, and create a true bidirectional workflow between platforms.

Obstacle 2: Cisco Security Cloud App for SplunkThe Cisco Security Cloud App allows ingestion of XDR incident into Splunk and the ability…

At Cisco Live EMEA in Amsterdam, we deployed an innovative and fully integrated security architecture, combining multiple technologies and products to deliver comprehensive protection for such a large-scale event.

As part of this innovation, we introduced the newly released Cisco Security Foundation AI Reasoning model, integrated into the security ecosystem through Cisco XDR.

In the SOCs at Cisco Live and Black Hat, we integrated Foundation via a workflow and playbook within Cisco XDR.

Cisco Live security analysts saw firsthand how embedding the Foundation AI model into their incident workflows enhanced speed, accuracy, and decision-making across the Security Operations Center.

Cisco Securi…

Introduction: The SOC at the Heart of Cisco LiveEvery year, Cisco Live brings together thousands of technology professionals, engineers, and security practitioners under one roof.

The Cisco Live SOC operates around three core pillars:Protect: Safeguarding the Cisco Live network from both internal and external threats.

Safeguarding the Cisco Live network from both internal and external threats.

Figure [1] – The SOC teamThis blog is a first-hand account of a real investigation I conducted during Cisco Live Amsterdam 2026.

The Cisco Live SOC exists not just to protect the conference network, but to demonstrate in a live environment that the vision of a modern, automated SOC is not aspirational…

An investigation leveraging Cisco XDR, Splunk, Cisco Secure Firewall, and Endace (Zeek) to separate signal from noise.

Cisco XDR began clustering a set of high and critical incidents labeled as overflow attempts, sourced from Cisco Secure Firewall IPS telemetry, ingested via Splunk.

However, a burst of near-identical detections is also a strong signal that an environmental trigger might be driving noise.

We pivoted into Splunk to examine the underlying Cisco Secure Firewall (FTD) IPS events and pull the fields that typically decide whether an IPS overflow alert is actionable or noisy.

For the same source hosts tripping the IPS overflow signatures, we asked a straightforward question: what w…

]org Domain Initial access domain (GitHub ZIP) ivanti-secure-access[.

]nl Domain Suspect initial access domain sophos-connect[.

]org Domain Suspect initial access domain vpn-fortinet[.

]com Domain Initial access domain (GitHub ZIP) watchguard-vpn[.

]com Domain Suspect initial access domain vpn-connection[.

With the latest Microsoft benchmarking data, we’re sharing what real-world telemetry reveals about how effectively modern email threats are detected, mitigated, and stopped by Microsoft Defender, secure email gateway (SEG) providers, and integrated cloud email security (ICES) solutions.

The recent additions reinforce our belief that email security is strongest when it combines native platform intelligence with specialized partner capabilities, surfaced through a single pane of glass.

To learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1Clarity in complexi…

This post outlines how to turn your threat-modeling insights into operational defenses by detecting prompt abuse early and responding effectively before it impacts the business.

Understanding prompt abuse in AI systemsPrompt abuse refers to inputs crafted to push an AI system beyond its intended boundary.

AI assistant prompt abuse detection playbookThis playbook guides security teams through detecting, investigating, and responding to AI Assistant tool prompt abuse.

Step 3 – Secure Access AI could attempt to access sensitive documents or automate workflows influenced by hidden instructions.

With the guidance in the AI prompt abuse playbook, teams can put visibility, monitoring, and governan…

Microsoft Defender Experts has observed the Contagious Interview campaign, a sophisticated social engineering operation active since at least December 2022.

Attack chain overviewInitial accessAs part of a fake job interview process, threat actors pose as recruiters from cryptocurrency trading firms or AI-based solution providers.

While Microsoft Defender Experts have observed FlexibleFerret less frequently than the backdoors discussed in earlier sections, it remains active in the wild.

Microsoft Defender XDR detectionsMicrosoft Defender XDR customers can refer to the list of applicable detections below.

DeviceProcessEvents | where ProcessCommandLine has_all ("handleCode", "AgentId", "SERVER…

Today we shared the next step to make Frontier Transformation real for customers across every industry with Wave 3 of Microsoft 365 Copilot, Microsoft Agent 365, and Microsoft 365 E7: The Frontier Suite.

Data Security Posture Management provides visibility and insights into data risks for agents so data security admins can proactively mitigate those risks.

Audit and eDiscovery extend core compliance and records management capabilities to agents, treating AI agents as auditable entities alongside users and applications.

extend core compliance and records management capabilities to agents, treating AI agents as auditable entities alongside users and applications.

Secure your Frontier Transfor…

Today we shared the next step to make Frontier Transformation real for customers across every industry with Wave 3 of Microsoft 365 Copilot, Microsoft Agent 365, and Microsoft 365 E7: The Frontier Suite.

Data Security Posture Management provides visibility and insights into data risks for agents so data security admins can proactively mitigate those risks.

Audit and eDiscovery extend core compliance and records management capabilities to agents, treating AI agents as auditable entities alongside users and applications.

extend core compliance and records management capabilities to agents, treating AI agents as auditable entities alongside users and applications.

Secure your Frontier Transfor…

The following examples reflect broader trends in how threat actors are operationalizing AI, but they don’t encompass every observed technique or all threat actors leveraging AI today.

As an example, Microsoft Threat Intelligence has observed threat actors employing role-based jailbreak techniques to bypass AI safety controls.

To learn more about the Microsoft Security Dashboard for AI see: Assess your organization’s AI risk with Microsoft Security Dashboard for AI (Preview).

ReferencesLearn moreFor the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog.

To hear stories and insights from the Microsoft Threat Intelligenc…

The power of women early in career and beyondWomen early in their career bring something incredibly powerful to cybersecurity and AI: fresh perspective paired with fearless curiosity.

Building and cultivating pathways for the next generationInvesting in women early in their cybersecurity and AI security careers is essential.

That means pairing early career investment with sustained support, inclusive cultures, and everyday actions that reinforce belonging and opportunity over time.

When women early in career see themselves reflected in cybersecurity, they’re more likely to enter the field.

That starts by ensuring the next generation of cybersecurity and AI security professionals has equitab…

Microsoft Defender has investigated malicious Chromium-based browser extensions that impersonate legitimate AI assistant tools to collect LLM chat histories and browsing data.

Details page for the browser extension fnmhidmjnmklgjpcoonkmkhjpjechg, as displayed in the browser extension management interface.

Details page for the browser extension inhcgfpbfdjbjogdfjbclgolkmhnooop, as displayed in the browser extension management interface.

Inventory, audit, and apply restrictions for browser extensions installed in your organization, using Browser extensions assessment in Microsoft Defender Vulnerability Management.

Leverage Microsoft Purview data security to implement AI data security and comp…

Defending against Tycoon2FA and similar AiTM phishing threats requires a layered approach that blends technical controls with user awareness.

Sample Tycoon2FA phishing pagesBeyond campaign configuration, the panel provides detailed visibility into victim interaction and authentication outcomes.

Tycoon2FA phishing emailsIn observed campaigns, threat actors gained initial access through phishing emails that used either embedded links or malicious attachments.

In such scenarios, Microsoft Defender XDR raises the following alerts:Stolen session cookie was usedUser compromised through session cookie hijackMicrosoft Defender XDR raises the following alerts by combining Microsoft Defender for Offi…

Defending against Tycoon2FA and similar AiTM phishing threats requires a layered approach that blends technical controls with user awareness.

Sample Tycoon2FA phishing pagesBeyond campaign configuration, the panel provides detailed visibility into victim interaction and authentication outcomes.

Tycoon2FA phishing emailsIn observed campaigns, threat actors gained initial access through phishing emails that used either embedded links or malicious attachments.

In such scenarios, Microsoft Defender XDR raises the following alerts:Stolen session cookie was usedUser compromised through session cookie hijackMicrosoft Defender XDR raises the following alerts by combining Microsoft Defender for Offi…

In February 2026, Microsoft Defender Experts identified multiple phishing campaigns attributed to an unknown threat actor.

Following the installation phase, the masqueraded workplace executables (TrustConnect RMM) initiated encoded PowerShell commands designed to download additional payloads from the attacker-controlled infrastructure.

The masqueraded Workplace executables associated with the TrustConnect RMM initiated a series of encoded PowerShell commands.

Microsoft Defender XDR detectionsMicrosoft Defender XDR customers can refer to the list of applicable detections below.

ReferencesThis research is provided by Microsoft Defender Security Research with contributions from Sai Chakri Kand…

In February 2026, Microsoft Defender Experts identified multiple phishing campaigns attributed to an unknown threat actor.

Following the installation phase, the masqueraded workplace executables (TrustConnect RMM) initiated encoded PowerShell commands designed to download additional payloads from the attacker-controlled infrastructure.

The masqueraded Workplace executables associated with the TrustConnect RMM initiated a series of encoded PowerShell commands.

Microsoft Defender XDR detectionsMicrosoft Defender XDR customers can refer to the list of applicable detections below.

ReferencesThis research is provided by Microsoft Defender Security Research with contributions from Sai Chakri Kand…

Microsoft Defender researchers uncovered phishing campaigns that exploit legitimate OAuth protocol functionality to manipulate URL redirection and bypass conventional phishing defenses across email and browsers.

During the investigation, several malicious OAuth applications were identified and removed to mitigate the threat.

Although the mechanics behind OAuth redirection abuse can be subtle, the operational use is straightforward.

The examples below show attacker-controlled phishing pages reached after the OAuth redirection.

These findings reinforce the need for cross-domain XDR detections, clearer governance around OAuth redirection behavior, and continued collaboration across the securit…

Microsoft Defender researchers uncovered phishing campaigns that exploit legitimate OAuth protocol functionality to manipulate URL redirection and bypass conventional phishing defenses across email and browsers.

During the investigation, several malicious OAuth applications were identified and removed to mitigate the threat.

Although the mechanics behind OAuth redirection abuse can be subtle, the operational use is straightforward.

The examples below show attacker-controlled phishing pages reached after the OAuth redirection.

These findings reinforce the need for cross-domain XDR detections, clearer governance around OAuth redirection behavior, and continued collaboration across the securit…

Today we're announcing a new program in Chrome to make HTTPS certificates secure against quantum computers.

Instead, Chrome, in collaboration with other partners, is developing an evolution of HTTPS certificates based on Merkle Tree Certificates (MTCs), currently in development in the PLANTS working group.

Since MTC technology shares significant architectural similarities with CT, these operators are uniquely qualified to ensure MTCs are able to get off the ground quickly and successfully.

The Chrome Quantum-resistant Root Program will operate alongside our existing Chrome Root Program to ensure a risk-managed transition that maintains the highest levels of security for all users.

First, we…

For Majik, Scam Detection was the intervention he needed: “The warning is what made me pause and avoid a bad situation”.

As scammers evolve their tactics and create more convincing and personalized threats, we’re using the best of Google AI to stay one step ahead.

Expanding Scam Detection for Calls to Samsung DevicesTo help protect you during phone calls, Scam Detection alerts you if a caller uses speech patterns commonly associated with fraud.

Scam Detection for phone calls on Google Pixel devices is available in the U.S., Australia, Canada, India, Ireland, and the UK.

Powered by Gemini’s on-device model, Scam Detection provides intelligent protection against scam calls while ensuring that…

Upgrading Google Play’s AI-powered, multi-layered user protectionsWe’ve seen a clear impact from these safety efforts on Google Play.

As Android’s built-in defense against malware and unwanted software, Google Play Protect now scans over 350 billion Android apps daily.

This proactive protection constantly checks both Play apps and those from other sources to ensure they are not potentially harmful.

Looking aheadOur top priority remains making Google Play and Android the most trusted app ecosystems for everyone.

Thank you for being part of the Google Play and Android community as we work together to build a safer app ecosystem.

That’s why we're committed to providing multi-layered defenses that help protect you before, during, and after a theft attempt.

Today, we're announcing a powerful set of theft protection feature updates that build on our existing protections, designed to give you greater peace of mind by making your device a much harder target for criminals.

These updates are now available for Android devices running Android 16+.

More User Control for Failed Authentications: In Android 15, we launched Failed Authentication Lock, a feature that automatically locks the device's screen after excessive failed authentication attempts.

This feature is now getting a new dedicated enable/disable toggle in settings,…

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation.

What’s Domain Control Validation?

Domain Control Validation is a security-critical process designed to ensure certificates are only issued to the legitimate domain operator.

Sunsetted methods relying on email:Sunsetted methods relying on phone:Sunsetted method relying on a reverse lookup:For everyday users, these changes are invisible - and that’s the point.

These changes push the ecosystem toward standardized (e.g., ACME), modern, and auditable Domain Control Validation methods.

Partnership with ArmOur goal is to raise the bar on GPU security, ensuring the Mali GPU driver and firmware remain highly resilient against potential threats.

We partnered with Arm to conduct an analysis of the Mali driver, used on approximately 45% of Android devices.

This approach allowed us to roll out the new security policy broadly while minimizing the impact on developers.

This effort spans across Android and Android OEMs, and required close collaboration with Arm.

The Android security team is committed to collaborating with ecosystem partners to drive broader adoption of this approach to help harden the GPU.

We built on Gemini's existing protections and agent security principles and have implemented several new layers for Chrome.

To further bolster model alignment beyond spotlighting, we’re introducing the User Alignment Critic — a separate model built with Gemini that acts as a high-trust system component.

A flow chart that depicts the User Alignment Critic: a trusted component that vets each action before it reaches the browser.

The User Alignment Critic runs after the planning is complete to double-check each proposed action.

Looking forwardThe upcoming introduction of agentic capabilities in Chrome brings new demands for browser security, and we've approached this challenge with the same ri…

Android uses the best of Google AI and our advanced security expertise to tackle mobile scams from every angle.

Over the last few years, we’ve launched industry-leading features to detect scams and protect users across phone calls, text messages and messaging app chat notifications.

To help combat these types of financial scams, we launched a pilot earlier this year in the UK focused on in-call protections for financial apps.

The UK pilot of Android’s in-call scam protections has already helped thousands of users end calls that could have cost them a significant amount of money.

We’ve also started to pilot this protection with more app types, including peer-to-peer (P2P) payment apps.

Secure by DesignWe built Quick Share’s interoperability support for AirDrop with the same rigorous security standards that we apply to all Google products.

Secure Sharing Channel: The communication channel itself is hardened by our use of Rust to develop this feature.

On Android, security is built in at every layer.

On Android, security is built in at every layer.

Secure Sharing Using AirDrop's "Everyone" ModeTo ensure a seamless experience for both Android and iOS users, Quick Share currently works with AirDrop's "Everyone for 10 minutes" mode.

Our first rust memory safety vulnerability...almost: We'll analyze a near-miss memory safety bug in unsafe Rust: how it happened, how it was mitigated, and steps we're taking to prevent recurrence.

Our First Rust Memory Safety Vulnerability...AlmostWe recently avoided shipping our very first Rust-based memory safety vulnerability: a linear buffer overflow in CrabbyAVIF.

Unsafe Review and TrainingOperating system development requires unsafe code, typically C, C++, or unsafe Rust (for example, for FFI and interacting with hardware), so simply banning unsafe code is not workable.

Dmytro Hrybenko for leading the effort to develop training for unsafe Rust and for providing extensive feedback on …

Survey shows Android users’ confidence in scam protectionsGoogle and YouGov3 surveyed 5,000 smartphone users across the U.S., India, and Brazil about their experiences.

The findings were clear: Android users reported receiving fewer scam texts and felt more confident that their device was keeping them safe.

Android users were 58% more likely than iOS users to say they had not received any scam texts in the week prior to the survey.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

As an extra safeguard, Google Messages also helps block suspicious links in messages that are determined to be spam or scams.

What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites.

To address this risk, we launched the “Always Use Secure Connections” setting in 2022 as an opt-in option.

We now think the time has come to enable “Always Use Secure Connections” for all users by default.

For more than a decade, Google has published the HTTPS transparency report, which tracks the percentage of navigations in Chrome that use HTTPS.

Since HTTP navigations remain a regular occurrence for most Chrome users, a naive approach to warning on all HTTP navigations would be quite disruptive.

To help accelerate adoption of AI for cybersecurity workflows, we partnered with Airbus at DEF CON 33 to host the GenSec Capture the Flag (CTF), dedicated to human-AI collaboration in cybersecurity.

Our goal was to create a fun, interactive environment, where participants across various skill levels could explore how AI can accelerate their daily cybersecurity workflows.

An overwhelming 85% of all participants found the event useful for learning how AI can be applied to security workflows.

This positive feedback highlights that AI-centric CTFs can play a vital role in speeding up AI education and adoption in the security community.

We are committed to advancing the AI cybersecurity frontier…

This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the Terms of Service .

The block will expire shortly after those requests stop.

In the meantime, solving the above CAPTCHA will let you continue to use our services.This traffic may have been sent by malicious software, a browser plug-in, or a script that sends automated requests.

If you share your network connection, ask your administrator for help — a different computer using the same IP address may be responsible.

Learn more Sometimes you may be asked to solve the CAPTCHA if you are using advanced terms that robots are known to use, or sending requests very qu…

At Made by Google 2025, we announced that the new Google Pixel 10 phones will support C2PA Content Credentials in Pixel Camera and Google Photos.

Pixel Camera attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

attaches Content Credentials to any JPEG photo capture, with the appropriate description as defined by the Content Credentials specification for each capture mode.

Google Photos attaches Content Credentials to JPEG images that already have Content Credentials and are edited using AI or non-AI tools, and also to any images that are edited using AI tools.

Building a More Trus…