Cybersecurity
👉 by %username%
A collection of cybersecurity resources
In Russian 🇷🇺
Securitylab
last post 1 hour ago
GetShared is now "GetBypass": phishing mimics the service

An email with a file, a "Download" button, and then social engineering in action.

1 hour ago @ securitylab.ru
Wanted a job, got a trojan: the hackers who breached Bybit are targeting developers

The lure looks professional, and the trap looks like a Python homework assignment.

1 hour ago @ securitylab.ru
First one down: a bank fined 200 thousand over WhatsApp

A conversation with a debtor ended in a fine for the bank.

1 hour ago @ securitylab.ru
Voluntary, but on request: how business will hand its data over to the state data lake

September 2025 will be the starting point of a new digital infrastructure.

2 hours ago @ securitylab.ru
Gosuslugi switches on "Do Not Disturb" mode: no SIM cards, no calls from the "security service"

Operators will no longer be able to ignore the subscriber's wishes

3 hours ago @ securitylab.ru
BPFDoor: James Bond among viruses, only without a licence to kill

It leaves no traces, but steals even the most closely guarded secrets.

3 hours ago @ securitylab.ru
"Mum, I'm busy, a robot will talk to you"

Soon it will know everything about her, and you still won't have asked "How are you?"

3 hours ago @ securitylab.ru
"A PIN code on your forehead is safer": Perplexity AI turned out to be a real find for a spy

What did analysts find in the code of the popular AI assistant?

4 hours ago @ securitylab.ru
Which is stronger, a Chinese anchor or an undersea internet cable? Taiwan knows the answer

When the connection is cut, old conflicts wake up.

6 hours ago @ securitylab.ru
A hacker's confession: how an accidental experiment left thousands of people in Brazil without connectivity

Temptation, fear, and the moment you decide not to hack.

6 hours ago @ securitylab.ru
One brand, dozens of attacks: how the Chinese cyber coalition Brass Typhoon works

Who is behind the attacks on chips, telecoms, and even games.

6 hours ago @ securitylab.ru
Tweeted and ended up in the clutches of AI: X under investigation in the EU

Grok eats X posts for breakfast, and the EU is not thrilled.

6 hours ago @ securitylab.ru
A folder with nothing in it, but it is now what protects your Windows from being hacked

A new mitigation for vulnerability CVE-2025-21204, even if you don't have IIS installed.

7 hours ago @ securitylab.ru
The oracle has fallen: KiloEx lost $7.5 million in a matter of seconds

When ether goes for pennies, it's not a sale, it's a hack.

7 hours ago @ securitylab.ru
The SSL apocalypse is near: certificates will change more often than social media passwords

Why do the IT giants want digital keys to live only 47 days?

7 hours ago @ securitylab.ru
Anti-Malware
last post 2 hours ago
IT trends in large business: import substitution, Kubernetes, AI assistants

In her talk in the "Secure Development" section, Maria Zaliznyak, head of security product development at Kupol (part of NOTA), noted that "import substitution has become a catalyst for the development of domestic IT products in Russia.

Statistics on import substitution in Russian companies
Recall that in the run-up to 2025, many repeatedly referred back to the Decree of the President of the Russian Federation of 30 March 2022.

All this takes time and cannot be left out of sight in large business.

Import substitution continues, but adjustments are being made to it.

Why is it important to pay no less attention to this than to import substitution?

2 hours ago @ anti-malware.ru
Market overview of secure email gateways (Secure Email Gateway, SEG)

To combat such threats, it is useful to know what offerings are currently available on the Russian market for secure email gateways (Secure Email Gateway, SEG).

Analysis of the email security market
For several years, the market for email protection systems has shown steady growth.

Global email security market size (according to analyst firm Market Research Future)
Year | Email security market size (USD billion)

SEG-class email protection products available in Russia
Many SEG-class solutions are represented on the Russian market.

Email protection (SEG) from Solar Group
Solar SEG is a service for pro…

1 day, 9 hours ago @ anti-malware.ru
What is Application Detection and Response (ADR) and why do you need it?

The functionality of ADR and WAF overlaps, but they are not the same thing.

It involves collaboration between developers, testers and security specialists, and implies automated vulnerability checks and continuous integration of security into the software development process.

The key difference from ADR is that DevSecOps works before the application is deployed, and ADR after.

Covering the entire software lifecycle, ADR lets application security (AppSec) teams and developers identify and fix problems after the application has been deployed.

4 days, 3 hours ago @ anti-malware.ru
The Yandex Neuroexpert service. Will everything be found?

"Neuroexpert" tries to choose tea
Moreover, the service seems to rely more on ratings and reviews in product descriptions than on the product's specifications or brand reputation.

"Neuroexpert" working with a large document
The service can also work with documents in foreign languages.

However, dialects, slang, or simply a strong accent can stump the service (as, indeed, they can a human, even a native speaker).

"Neuroexpert" also made mistakes that would be forgivable only for a hopeless failing student.

On top of that, it works rather superficially and is unaware of a whole range of product nuances, especially for high-tech products.

4 days, 7 hours ago @ anti-malware.ru
How to start a career in IT: training, internships, certification

Learn how to build a successful career in IT: from choosing a direction and training formats to internships and certifications.

However, a successful IT career begins with the right choice of study direction and quality education.

How acute is the staffing shortage in IT right now?

Did today's discussion convince you of the need for an IT education?

The AM Live TV project invites industry experts to the studio every week to discuss current topics in the Russian information security and IT market.

5 days, 3 hours ago @ anti-malware.ru
Review of VMmanager 6, a scalable virtualization management platform

LDAP synchronization in VMmanager 6
After synchronization, the user will be able to log in using their domain account.

Grafana interface in VMmanager 6
The VMmanager 6 dashboard shows information about clusters, i.e. groups of servers located in a single location.

Full view of the node data table in VMmanager 6
Detailed information about an object, its settings and history, is shown in its card.

Notifications can be sent directly in VMmanager, by email, or to Telegram.

Creating notifications in VMmanager 6
VMmanager 6 architecture
VMmanager 6 is built on a microservice architecture using Docker, since it was originally designed for …

5 days, 7 hours ago @ anti-malware.ru
How to choose a commercial SOC: comparing the market leaders

You will learn which criteria to rely on when choosing a SOC and how to find the optimal balance between effectiveness, ease of deployment and budget.

Differences between monitoring and response centers (SOCs) in the services they offer
Alexander Boyarsky said that the basic set of services is roughly the same in all SOCs: monitoring, response and recommendations, reporting.

At the onboarding stage, an analyst and an engineer work with the customer from the very beginning and throughout the entire lifecycle.

Alexander Boyarsky, SOC development director at K2 Cybersecurity
Sergey Sidorin: "Our task is to work with an incident throughout its entire lifecycle.

Small and medium-sized businesses should pay attention…

6 days ago @ anti-malware.ru
How to choose a SOC: comparing commercial, in-house and hybrid security monitoring centers

Experts in the AM Live studio discussed the advantages of commercial and hybrid SOCs, the division of responsibility between provider and customer, service formats and risks.

An outsourced SOC is when the customer turns to a provider or integrator to build the incident management process.

In the B2B segment there is greater demand for cloud SOC options, in a ratio of 80 to 20%.

Denis Ivanov is confident that customers need to communicate with the regulator themselves and understand how to interact with it.

Division of responsibility between the SOC provider and the customer
Who is responsible for covering the infrastructure with monitoring, and what control options are there?

6 days, 5 hours ago @ anti-malware.ru
How to choose a vendor for two-factor authentication: 10 criteria for an informed decision

What the choice of a 2FA solution depends on
Objects and purpose of protection
Not everything requires the same level of protection.

This ensured a seamless transition to 2FA for users: they had to pass the second authentication factor only once per work session.

As a result, alternative authentication methods had to be found urgently, which delayed the transition to 2FA by several months.

For Russian companies this means: FSTEC of Russia certification (not required for all organizations); inclusion in the register of domestic software (for government institutions); compliance with Federal Law 152-FZ "On Personal Data".

Criterion No. 10: Vendor openness
When choosing a two-factor authentication solution, it is important to make sure the vendor is open to dialogue and re…

6 days, 8 hours ago @ anti-malware.ru
5 objections to GOST VPN: why they don't hold up

With regard to cryptographic protection of communication channels (GOST VPN), one sometimes hears various objections as to why companies do not need such protection.

In the case considered above, training one specialist who services just two channels will cost about 150 thousand rubles over 3 years.

At the same time, the communication channel provider and the GOST VPN service provider can be different organizations.

Conclusions
We have summarized our experience and knowledge of the most frequent objections we encounter in meetings with potential GOST VPN users.

Of course, there may be more such objections, and the questions not covered here deserve a separate article.

1 week ago @ anti-malware.ru
ERP and cyber threats: risks, vulnerabilities and consequences of switching to Russian software

They are related both to the need to support legacy foreign software and to the peculiarities of domestic systems, including those built in-house.

Therefore, solutions based on the current S/4HANA platform were generally kept, albeit with the prospect of possible replacement by Russian products.

Using Western software in 2025: security risks and threats
In the unanimous opinion of the experts we surveyed, this approach carries a whole range of risks.

However, as Timur Belkin emphasized, switching to Russian software will make it possible to fully meet the formal information protection requirements for application software and to provide transparent mechanisms for verifying the absence of undeclared capab…

1 week, 4 days ago @ anti-malware.ru
The future of cyber threats: IoT devices in hackers' crosshairs

In the industrial sector (Industrial Internet of Things, IIoT), smart devices are now widely used in manufacturing, transport and energy.

In particular, just a few weeks ago cybersecurity researchers discovered undocumented commands in the ESP32 microchip, which is used in more than a billion "smart" devices worldwide.

Overall, a compromise of IoT devices can be far more dangerous financially for organizations than for individual users.

In 2024, cyberattacks on the industrial sector and IoT devices in Russia grew by about 40%.

IoT opens up great opportunities at home and in industry, enabling remote contr…

1 week, 5 days ago @ anti-malware.ru
Can GenAI be trusted? Risks, hallucinations and verifying AI reliability

One of them is threats related to ethical problems arising in the relationship between people and generative AI (GenAI), the consequences of which are not yet fully understood.

The initiative, called Thunderforge, is intended to deploy AI for staff planning and command tasks in theaters of military operations.

Can GenAI be trusted: an illusion of reliability or a real tool
AI enthusiasts may counter users' fears by asking them for examples of what prevents GenAI from being used on a par with a human.

As the results of AI content generation show, its output closely resembles natural content and can even "convey" feelings.

Therefore…

1 week, 6 days ago @ anti-malware.ru
Cloud security: threats, tools and choosing a provider

What data and systems companies host in public, hybrid and private clouds
Nikolay Panchenko explained how to move part of the infrastructure to the cloud while still ensuring security.

For a long time, moving SAP to the cloud was popular: to avoid buying hardware, companies turned to a cloud provider.

Cloud security threats: data leaks, configuration errors, third-party access
Andrey Semenyuchenko is confident that a cloud migration strategy, like a security strategy, must be aligned with business goals and priorities.

When moving to the cloud there is the notion of shared responsibility: part of it passes to the cloud provider, which can improve secur…

2 weeks ago @ anti-malware.ru
Why UserGate in particular opened an information security classroom at RGU

The published press release noted that the event took place "as part of the expansion of strategic cooperation between UserGate Academy and RGU in training information security specialists".

It was established at RGU in 2018 and trains bachelor's, master's and postgraduate students in information security disciplines.

UserGate-branded computer classroom at the RGU of Oil and Gas

Therefore, the UserGate project at RGU is a methodical way of conveying to students what exactly will be required of them at work in companies, and of teaching them these additional skills.

Therefore, the choice of the UserGate solution to equip a specialized classroom within RGU also reflects a systematic approach to the task of education…

2 weeks ago @ anti-malware.ru
Habr: Information Security
last post 6 hours ago
The key to every door: a MITM attack on the Wiegand protocol with a home-made board

Digging deeper into the architecture, we ran into the Wiegand protocol, a real dinosaur in the world of access control systems.

To connect to the Wiegand lines we use ordinary terminal blocks: two signal wires and a common wire for the return current.

An access control system on the dining table
After all these tests, we built a test bench that looked like a typical office access point.

And if you want a conclusion from our experiment, it is as simple as two times two: Wiegand at serious sites in 2025 is like locking a safe with a mailbox lock.

Have you checked your access control system for vulnerabilities yet?

6 hours ago @ habr.com
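The Wiegand item above shows why a tap on the two signal wires is enough: the reader-to-controller line carries the credential in cleartext, and parity bits are the only integrity check. The following is an added example (not code from the Habr article) that encodes and decodes the standard 26-bit Wiegand frame (1 even-parity bit over the first 12 data bits, an 8-bit facility code, a 16-bit card number, 1 odd-parity bit over the last 12 data bits) and models the D0/D1 pulses a MITM board would sniff and replay. The credential values are constructed.

```python
"""Wiegand 26-bit frames: encode, decode and check parity.

Added example, not code from the Habr article. It models the standard
26-bit format; the credential values used below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    facility: int  # 8-bit facility code
    card: int      # 16-bit card number


def _parity(bits):
    return sum(bits) & 1


def encode_w26(cred):
    """Return the 26 frame bits, MSB first, as they are clocked onto the line."""
    if not (0 <= cred.facility < 256 and 0 <= cred.card < 65536):
        raise ValueError("facility must fit in 8 bits, card number in 16 bits")
    data = [(cred.facility >> i) & 1 for i in range(7, -1, -1)]
    data += [(cred.card >> i) & 1 for i in range(15, -1, -1)]
    even = _parity(data[:12])       # leading bit makes bits 1..13 even
    odd = _parity(data[12:]) ^ 1    # trailing bit makes bits 14..26 odd
    return [even] + data + [odd]


def decode_w26(bits):
    """Parse a 26-bit frame; parity is the only integrity check the format has."""
    if len(bits) != 26:
        raise ValueError(f"expected 26 bits, got {len(bits)}")
    if _parity(bits[:13]) != 0:
        raise ValueError("even parity check failed")
    if _parity(bits[13:]) != 1:
        raise ValueError("odd parity check failed")
    data = bits[1:25]
    facility = int("".join(map(str, data[:8])), 2)
    card = int("".join(map(str, data[8:])), 2)
    return Credential(facility, card)


def frame_ok(bits):
    """True if the frame would be accepted by a controller (length and parity)."""
    try:
        decode_w26(bits)
        return True
    except ValueError:
        return False


def to_pulses(bits):
    """A 0 bit is a pulse on the D0 line, a 1 bit a pulse on D1; nothing else is sent."""
    return ["D0" if b == 0 else "D1" for b in bits]


def from_pulses(pulses):
    """What a tap on the two signal wires recovers: the full cleartext credential."""
    return [0 if p == "D0" else 1 for p in pulses]


if __name__ == "__main__":
    card = Credential(facility=42, card=12345)          # constructed credential
    sniffed = from_pulses(to_pulses(encode_w26(card)))  # what a MITM board sees
    print(decode_w26(sniffed))
    # The same board can inject a frame for any credential it likes;
    # the controller has no way to tell a forged frame from a real badge.
    forged = encode_w26(Credential(facility=42, card=1))
    print(frame_ok(forged))
```

Because there is no authentication or encryption between reader and controller, anything that can pulse D0/D1 is a valid badge; the usual mitigation is a reader-to-controller protocol with per-device keys (OSDP Secure Channel) rather than a longer card format.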
Cyber exercises with behavioral analysis: results of MaxPatrol BAD (Behavioral Anomaly Detection)

I have already written about the MaxPatrol BAD (Behavioral Anomaly Detection) module.

Figure 2 presents statistics showing how MaxPatrol BAD complements traditional detection methods by helping to identify hidden threats.

We checked which of the events flagged in BAD as attacks were also present in correlation events as a subevent.

And integrating BAD with MaxPatrol SIEM and its correlation mechanisms can significantly improve threat detection accuracy by combining different approaches.

My task was to log in to MaxPatrol BAD at set intervals, run specific queries, apply filters, and analyze the results.

6 hours ago @ habr.com
How we implemented SCA using an SBOM

In this article I will describe how we rebuilt our SCA system, changed its architecture, and which tools we now use to control dependencies.

SCA automatically checks libraries and helps you decide what to do with them: update, replace, or at least not forget that there is a hole somewhere.

We get a report that clearly lists which packages are at risk and what to do about them.

To solve these problems, we did not rely on off-the-shelf SCA tools but built our own system based on an SBOM.

We run this process over the whole BOM (since there may be several root dependencies) and end up with a complete list of roots.

8 hours ago @ habr.com
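The SBOM item above describes walking the BOM to find the root dependencies behind a vulnerable package. As an added example (not the article's code), the block below does that walk over a CycloneDX-style dependency graph: it takes the application's direct dependencies as roots and, for each root, finds the shortest chain to a given vulnerable bom-ref, which is what the report needs to say "update requests" rather than "urllib3 is vulnerable somewhere". The SBOM document, package versions and the vulnerable bom-ref are constructed; a real pipeline would take the vulnerable refs from an advisory feed.

```python
"""Find which root (direct) dependencies pull a vulnerable package into a build
by walking the dependency graph of a CycloneDX-style SBOM.

Added example, not the article's code. The SBOM below is constructed; the
"bom-ref" values are purl-style strings of the shape CycloneDX uses.
"""
import json
from collections import deque

SBOM_JSON = r'''
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:pypi/example-app@1.0.0", "name": "example-app"}},
  "components": [
    {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0"},
    {"bom-ref": "pkg:pypi/urllib3@1.26.5", "name": "urllib3", "version": "1.26.5"},
    {"bom-ref": "pkg:pypi/certifi@2023.7.22", "name": "certifi", "version": "2023.7.22"},
    {"bom-ref": "pkg:pypi/flask@3.0.0", "name": "flask", "version": "3.0.0"},
    {"bom-ref": "pkg:pypi/werkzeug@3.0.1", "name": "werkzeug", "version": "3.0.1"},
    {"bom-ref": "pkg:pypi/jinja2@3.1.2", "name": "jinja2", "version": "3.1.2"},
    {"bom-ref": "pkg:pypi/markupsafe@2.1.3", "name": "markupsafe", "version": "2.1.3"}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/example-app@1.0.0", "dependsOn": ["pkg:pypi/requests@2.31.0", "pkg:pypi/flask@3.0.0"]},
    {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@1.26.5", "pkg:pypi/certifi@2023.7.22"]},
    {"ref": "pkg:pypi/flask@3.0.0", "dependsOn": ["pkg:pypi/werkzeug@3.0.1", "pkg:pypi/jinja2@3.1.2"]},
    {"ref": "pkg:pypi/jinja2@3.1.2", "dependsOn": ["pkg:pypi/markupsafe@2.1.3"]},
    {"ref": "pkg:pypi/werkzeug@3.0.1", "dependsOn": ["pkg:pypi/markupsafe@2.1.3"]}
  ]
}
'''


def load_sbom(text=SBOM_JSON):
    return json.loads(text)


def dependency_graph(sbom):
    """bom-ref -> list of bom-refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def root_dependencies(sbom, graph):
    """Roots are what the application itself depends on directly. If the SBOM has
    no metadata component, fall back to components that nobody depends on."""
    app = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    if app and app in graph:
        return list(graph[app])
    depended_on = {dep for deps in graph.values() for dep in deps}
    return [ref for ref in graph if ref not in depended_on]


def path_to(graph, start, target):
    """Shortest dependency chain from start to target, or None (BFS, cycle-safe)."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = prev[node]
            return chain[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def affected_roots(sbom, vulnerable_ref):
    """Map each root that transitively pulls in vulnerable_ref to the chain that does it."""
    graph = dependency_graph(sbom)
    return {root: chain
            for root in root_dependencies(sbom, graph)
            if (chain := path_to(graph, root, vulnerable_ref))}


if __name__ == "__main__":
    sbom = load_sbom()
    for root, chain in affected_roots(sbom, "pkg:pypi/urllib3@1.26.5").items():
        print(root, "->", " -> ".join(chain[1:]))
```

The same chain is what you hand to developers: the root is the line in the lockfile they control, and the chain tells them whether a bump of that root is enough or whether an override of the transitive package is needed.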
Chat in the Linux terminal: almost "The Matrix" in real life

The protagonist's screen suddenly comes alive and tells him: life will never be the same.

Any other computer took the role of the client:
$ nc 192.168.88.2 7777
Now everything typed in the terminal was shown on both nodes.

When either node interrupts socat, the connection is closed.

It was developed for the Nmap project, and with it you can set up a private connection without extra effort.

Cryptcat can also be used as a backend for other applications or scripts.

9 hours ago @ habr.com
Catch the virus, big and small: the top antivirus products in Russia

But in addition to the "traditional" segments for the M.Video-Eldorado chain, such as computers or TVs, we also sum up results in others.

And Windows has a built-in Microsoft Defender, completely free and working (and updating, including in sanctioned Russia!)

There is one more market segment that buys security solutions at retail, including in M.Video and Eldorado stores.

This means the potential audience for the antivirus software market in Russia is very large, and the market itself has room to grow in the coming years.

That is why Kaspersky Lab products lead the sales ranking both by unit count and by revenue.

9 hours ago @ habr.com
What awaits cybersecurity in 2025: trends, technologies and key skills

In this article we cover six important and interesting trends in cybersecurity, and look at how to enter the profession, who is in demand now, and how those already working in infosec can grow.

Works not only with the security team but also with other departments (IT, legal, development and business) so that security is built into the company's overall processes.

Malicious actions involving software alone numbered about 1.8 billion, and that is without counting phishing, DDoS and social engineering.

A site can check the IP address, system language, browser type, device and even the time zone, and decide which content to show based on that.

Many of them don't know what the ls command does in Linux, but that doesn't make…

1 day ago @ habr.com
Security Week 2516: vulnerabilities in the Nissan Leaf electric car

In early April, at the Black Hat Asia conference, specialists from PCAutomotive demonstrated a number of vulnerabilities in the Nissan Leaf electric car.

In particular, to maintain persistent access to a compromised car over the Internet, and to control the car's functions to some extent beyond the infotainment system.

A vulnerability was found in the Bluetooth stack that allows arbitrary code execution while pairing a "new device".

The researchers then modify the rules of the built-in firewall and connect to the infotainment system using a reverse shell.

PCAutomotive's research shows that a similar result can be achieved in a 202… car

1 day, 2 hours ago @ habr.com
Bug hunters and where to find them: results of a survey on bug hunting

Thus, bug hunting offers the same advantages as working in IT in general: it is interesting, well-paid work that helps build a resume.

Possible legal problems (10%) and long report review times (9%) indicate that bug hunting still has problems in how specialists interact with both companies and the state.

An experienced bug hunter is ready to adapt to the situation: 62% of respondents will find a bug on a day off or on vacation at the beach if necessary.

Even on weekends and holidays they don't stop: they are registered on all bug bounty platforms available in Russia and check them regularly.

Bug hunting is not only a way to earn money but also an opportun…

1 day, 2 hours ago @ habr.com
Automating RSA signatures in an API with a Burp Suite plugin

In this article I would like to describe an API request security mechanism I encountered on one of my projects.

A new header, XX-Signature, is generated and inserted into the request.

However, a problem arose with integrating these requests into HTTP requests for further processing in Burp Suite.

The key generated by the script passed verification successfully in the terminal, but when the key was pasted into a request in Burp, the server returned a 401 "Signature mismatch" error.

Figure 2 shows another attempt to send the request, this time with the required header added.

1 day, 3 hours ago @ habr.com
Don't peek: protecting user data from screenshots

For mobile applications that display sensitive data, it is good practice to prohibit screenshots and screen recording in areas that display confidential information.

By setting it for a specific Activity, you can prevent screenshots and also hide the app's content in the recent apps list.

android:inputType="textPassword"
It should be noted that sensitive data during input can be "peeked at" not only by automated screen-recording tools but also by curious people.

RenderEffect
The screen can be captured not only while the app is in use but also in the background, so it is recommended to hide sensitive data when the app is shown in the "recent" list or …

1 day, 4 hours ago @ habr.com
A PAM platform against MITRE ATT&CK techniques

Ways to counter attacker techniques with the SKDPU NT PAM platform, using the MITRE ATT&CK matrix as an example.

Example: an attacker has gained access to the PAM, but sessions run without shell access, or execution of scanning commands (nmap, ping, traceroute) is blocked.

The SKDPU NT PAM platform does not replace other security controls, but it creates a critically important "buffer layer" that an attacker cannot effectively perform reconnaissance without getting past.

Patterns are formed as follows:
$prefix:>
There is also a mechanism that closes applications not at the level of reading the window title but at the process level.

1 day, 8 hours ago @ habr.com
Automate, don't analyze: integrating the Shuffle SOAR into a SOC, part 1

Shuffle started as a project in mid-2019 to solve several automation problems in the CERT/SIRT community.

Server-side architecture
When setting up Shuffle for production, the developers recommend using two or more servers (VMs), but one is enough to start.

Set the initial login and password in the SHUFFLE_DEFAULT_USERNAME and SHUFFLE_DEFAULT_PASSWORD variables, as well as the other parameters for deployment in your own infrastructure.

Organization settings
An "organization" here means the way data is organized in Shuffle.

The interpreted value in this case is attachment_uids, the attachment that was uploaded to Shuffle; with this…

1 day, 8 hours ago @ habr.com
DNS: forged records, traffic interception and other horrors

Now imagine: you go to "your" bank's site, but it is just a perfect copy created by fraudsters.

This will help you better understand where and how attacks are possible and, accordingly, how to defend against them.
Suppose we have the address: www.selectel.ru.

Attackers can use forged DNS records for attacks, and you don't need to be an expert to do it.
There are many ways to carry out a hacking attack using DNS.

This makes DDoS an integral part of any conversation about DNS: the threat here is not record forgery but the complete destruction of availability, the foundation of any DNS system.

It is also important to deploy DNS over HTTPS (DoH) and DNS over TLS (DoT), which encrypt traffic and protect against MITM attacks.

1 day, 8 hours ago @ habr.com
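The DNS item above talks about forged records without showing what a resolver actually checks before it trusts a reply. As an added example (not the article's code), the block below builds a query for www.selectel.ru (the name the article uses), a matching answer and a forged one, entirely in memory, and applies the stub-resolver acceptance checks: QR bit set, same transaction ID, same question, and answer records owned by the queried name. The IP addresses are constructed; CNAME chains are left out to keep the bailiwick check short. DoH/DoT protect the client-to-resolver hop that this example models; the resolver-to-authoritative hop is where DNSSEC, not transport encryption, is the defense against forged records.

```python
"""Accept a DNS reply only if it matches the outstanding query: a minimal
stub-resolver check against forged (spoofed) responses.

Added example, not the article's code. Everything here is built in memory;
no packets are sent. The addresses are constructed test values.
"""
import struct


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii").lower())
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(txid, name, qtype=1):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_a_response(txid, name, addr, ttl=300):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(x) for x in addr.split("."))
    # owner name as a compression pointer to the question name at offset 12
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((owner, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "qname": qname, "qtype": qtype, "answers": answers}


def accept_response(query, response):
    """Return (accepted, reason). A forged reply has to pass every check to be cached."""
    q, r = parse(query), parse(response)
    if not r["flags"] & 0x8000:
        return False, "QR bit not set"
    if r["id"] != q["id"]:
        return False, "transaction ID mismatch"
    if (r["qname"], r["qtype"]) != (q["qname"], q["qtype"]):
        return False, "question section does not match the query"
    for owner, _rtype, _ttl, _rdata in r["answers"]:
        if owner != q["qname"]:
            return False, f"answer for {owner} is out of bailiwick"
    return True, "ok"


if __name__ == "__main__":
    query = build_query(0x1234, "www.selectel.ru")
    good = build_a_response(0x1234, "www.selectel.ru", "203.0.113.10")    # constructed
    forged = build_a_response(0x1235, "www.selectel.ru", "198.51.100.7")  # wrong TXID
    print(accept_response(query, good))
    print(accept_response(query, forged))
```

The transaction ID is only 16 bits, so an off-path attacker who can flood replies has a 1-in-65536 chance per packet; that is why resolvers also randomize the UDP source port and why DNSSEC validation is what actually makes a forged record fail rather than merely unlikely.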
How to identify who hacked Bybit? Or what Crypto Forensics is

The scale of their attacks is staggering, and given that many consider blockchain transactions anonymous, one may get the impression that they cannot be identified.

Cryptocurrency forensics (Crypto Forensics) is a branch of digital forensics that analyzes blockchains, transactions and related data to identify criminal activity such as money laundering, fraud, terrorist financing and exchange hacks.

Transaction analysis includes studying:
the UTXO model (Bitcoin, Litecoin): analysis of transaction inputs and outputs.

CipherTrace: transaction analysis and risk monitoring.

Since centralized exchanges are the simplest and seemingly legal way to cash out cryptocurrency into real mon…

1 day, 10 hours ago @ habr.com
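The crypto-forensics item above names UTXO input/output analysis and exchange cash-out as the two ends of the trail. As an added example (not the article's code), the block below follows stolen coins forward through a small UTXO graph with "haircut" propagation (each output of a transaction inherits the fraction of that transaction's inputs that was tainted) and totals how much taint reaches known exchange deposit addresses, which is the point at which a subpoena to the exchange can attach a name to an address. The ledger, addresses and exchange labels are constructed; amounts are in satoshi and fractions are kept exact.

```python
"""Follow stolen coins forward through a UTXO graph and measure how much of the
taint lands on labelled exchange deposit addresses (haircut propagation).

Added example, not the article's code. The transaction graph, addresses and
labels are constructed; amounts are satoshi, fractions are exact.
"""
from fractions import Fraction

SAT = 10 ** 8

# Constructed ledger: txid -> inputs (outpoints spent) and outputs (address, value).
TXS = {
    "tx_clean": {"inputs": [], "outputs": [("clean_addr", 40 * SAT)]},
    "tx_hack":  {"inputs": [], "outputs": [("attacker_1", 100 * SAT)]},   # the theft payout
    "tx_split": {"inputs": [("tx_hack", 0)],
                 "outputs": [("hop_a", 60 * SAT), ("hop_b", 40 * SAT)]},
    "tx_mix":   {"inputs": [("tx_split", 0), ("tx_clean", 0)],           # 60 dirty + 40 clean
                 "outputs": [("exA_deposit", 70 * SAT), ("change_1", 30 * SAT)]},
    "tx_cash":  {"inputs": [("tx_split", 1)],
                 "outputs": [("exB_deposit", 40 * SAT)]},
}

# Constructed attribution data of the kind forensics vendors sell as address labels.
LABELS = {"exA_deposit": "Exchange A", "exB_deposit": "Exchange B"}


def trace_taint(txs, seed_txid):
    """Return {outpoint: tainted satoshi (Fraction)} for every output that carries taint."""
    value = {(txid, i): amt for txid, tx in txs.items()
             for i, (_, amt) in enumerate(tx["outputs"])}
    memo = {}

    def taint(outpoint):
        if outpoint in memo:
            return memo[outpoint]
        txid, _ = outpoint
        if txid == seed_txid:
            result = Fraction(value[outpoint])         # everything the thief received
        else:
            ins = [i for i in txs[txid]["inputs"] if i in value]
            total_in = sum(value[i] for i in ins)
            dirty_in = sum((taint(i) for i in ins), Fraction(0))
            # coinbase or off-graph funding: nothing known to be dirty
            result = Fraction(0) if total_in == 0 else value[outpoint] * dirty_in / total_in
        memo[outpoint] = result
        return result

    taints = {op: taint(op) for op in value}
    return {op: t for op, t in taints.items() if t > 0}


def exchange_exposure(txs, seed_txid, labels):
    """Aggregate tainted value per exchange label, in satoshi."""
    exposure = {}
    for (txid, i), dirty in trace_taint(txs, seed_txid).items():
        addr = txs[txid]["outputs"][i][0]
        if addr in labels:
            exposure[labels[addr]] = exposure.get(labels[addr], Fraction(0)) + dirty
    return {k: int(v) if v.denominator == 1 else v for k, v in exposure.items()}


if __name__ == "__main__":
    for exchange, sats in exchange_exposure(TXS, "tx_hack", LABELS).items():
        print(f"{exchange}: {sats / SAT:.8f} BTC of stolen funds deposited")
```

Haircut is one of several conventions (FIFO and "poison" are the others) and they disagree once mixing starts, which is why a forensic report has to state which rule it applied; the exchange-deposit totals are the part that holds up regardless, because the deposit address is the first point where the chain meets a KYC record.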
Rooting a POCO M4 Pro 5G (evergreen)

This guide is written using the POCO M4 Pro 5G (codename "evergreen") with MIUI 12.5.6 Global firmware (V12.5.6.0.RGBRUXM) based on Android 11.0, but it is applicable to other devices in the Mi series. IMPORTANT!

Enter Fastboot mode: press and hold the power button + volume down until you see "FASTBOOT" on the screen along with the logo (a bunny in a hat repairing an Android).

Installing drivers
Download the drivers for the POCO M4 Pro 5G: https://xiaomidriver.com/poco-m4-pro-5g
Install: Mediatek Driver (for the MediaTek chipset used in the POCO M4 Pro 5G).

If there is no boot.img file:
Download another version of the Fastboot ROM for the POCO M4 Pro 5G from the official site …

1 day, 10 hours ago @ habr.com
Хакер Хакер
последний пост 3 часа назад
Мод (Утопия). Разбираем по винтикам виртуальную машину Pathologic
Мод (Утопия). Разбираем по винтикам виртуальную машину Pathologic Мод (Утопия). Разбираем по винтикам виртуальную машину Pathologic

За­пус­каем игру и видим в жур­нале полот­но из игро­вых ассе­тов:OPEN: C: \ games\ pathologic\ alpha\ data\ scripts\ fire.

m_pManager -> m_pFS , pszScriptName ) ; // (... ) ScriptDataPtr = Script_2 -> GetMemoryPointer ( Script_2 ) ; CScript : : CScript ( ScriptDataPtr , __v .

IDA весь­ма огра­ничен­но уме­ет работать с прог­рамма­ми, написан­ными на C++, поэто­му CScript:: CScript — это прос­то имя фун­кции, никак не свя­зан­ное с клас­сом в целом.

void __userpurge CScript : : CScript ( CScript * this @ < ecx > , CScript * pScript , unsigned int ulSize ) ;Сог­ласно про­тоти­пу фун­кции, пер­вый аргу­мент — это файл скрип­та и он же явля­ется телом клас­са.

Они эко­номи­ли на сери­али­зации…

3 hours ago @ xakep.ru
By 2029, SSL/TLS certificates will be valid for only 47 days

As a result, by 2029 the certificate lifetime will be just 47 days.

Earlier, Apple proposed shortening certificate lifetimes, and the idea was supported by Sectigo, Google Chrome and Mozilla.

The proposal calls for gradually reducing certificate lifetimes over the next four years, from the current 398 days to 47 days by March 2029.

At present, the validity period of certificates and of their Domain Control Validation (DCV) is 398 days, but most certificate authorities agree that this is too long in today's security landscape.

Shortening certificate lifetimes will undoubtedly lead to additional costs and may become …

4 hours ago @ xakep.ru
Microsoft asks users to ignore 0x80070643 errors and not to touch an empty folder

The company reassures users that such installation errors can be ignored, since they are incorrect and do not affect the functionality of Windows devices.

"This error message is incorrect and does not affect the update or the functionality of the device," Microsoft representatives report.

"Although the error message indicates that the update was not completed, the WinRE update is usually applied successfully after the device is restarted."

"It is part of changes that raise the level of protection and requires no action on the part of IT administrators or end users," the company states.

Anyone who has already deleted the inetpub folder is advised to recreate it by going to "Programs and Features…

6 hours ago @ xakep.ru
Malicious WhatsApp found in budget Android phones

Malicious code was added to the WhatsApp messenger and is aimed at stealing cryptocurrency using the clipping technique.

The reason is that the firmware included a hidden application that makes it easy to change all the technical information displayed about the device, not only in the system menu but also in the reports of applications such as AIDA64 and CPU-Z.

When an incoming message is received, the chat partner sees the wallet address they sent, while on the victim's device the incoming address is replaced with the address of the hackers' wallet.

In addition, all images in jpg, png and jpeg formats in the following folders are searched for and sent to the attackers' server: DCIM, PICTURES, ALARMS, DOWNLOADS, DOCUMENTS, SCREENSHOTS.

Such…

8 hours ago @ xakep.ru
IKEA loses 23 million dollars to a ransomware attack

Fourlis Group, the operator of IKEA stores in Greece, Cyprus, Romania and Bulgaria, reported that the ransomware attack it suffered on the eve of Black Friday, on November 27, 2024, caused 20 million euros (22.8 million US dollars) in damage.

The incident became known back on December 3, 2024, when the company confirmed that the technical problems at IKEA's online stores had been caused by "malicious external action".

Although Fourlis Group also operates Intersport, Foot Locker and Holland & Barrett stores in the countries listed above, the consequences of the attack mainly affected only IKEA's operations.

In a statement to local media, the CEO of Fourli…

1 day ago @ xakep.ru
New slopsquatting attacks are built on AI "hallucinations"

A study published at the end of March and devoted to AI "hallucinations" showed that in about 20% of cases (across 576,000 generated Python and JavaScript code samples) the packages recommended by the AI did not exist.

"This shows that most 'hallucinations' are not just random noise but recurring artifacts of how models respond to certain prompts," Socket researchers explain.

It is also always worth remembering that any package mentioned by an AI may not exist in reality and may not be safe.

In addition, it is noted that lowering the AI's "temperature" helps reduce the number of hallucinations, which is something all vibe…

1 day, 1 hour ago @ xakep.ru
Lab services provider leaks medical data of 1.6 million people

The American organization Laboratory Services Cooperative (LSC), which specializes in laboratory services, reported that it suffered a data breach.

LSC reports that attackers penetrated its network back in October 2024 and successfully stole data.

In response, LSC immediately engaged third-party cybersecurity specialists to determine the nature and scope of the incident and notified federal law enforcement.

The breach mainly affected people who underwent laboratory tests at certain family planning centers that use LSC's services for their analyses.

LSC reports that the investigation of the incident is still ongoing, and outside security experts are …

1 day, 2 hours ago @ xakep.ru
HTB LinkVortex. Escalating privileges in Linux via symlinks

Reference: port scanning. Port scanning is the standard first step in any attack.

It lets the attacker find out which services on the host accept connections.

Based on this information, the next step toward obtaining an entry point is chosen.

The best-known scanning tool is Nmap.

You can improve its results with the following script:
#!/bin/bash
# First pass: scan all ports and collect the open port numbers as a comma-separated list
ports=$(nmap -p- --min-rate=500 "$1" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
# Second pass: run detailed detection (-A) only against the open ports
nmap -p "$ports" -A "$1"

1 day, 3 hours ago @ xakep.ru
Hackers exploit an authentication bypass in the OttoKit WordPress plugin

Hackers are attacking an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) plugin for WordPress, which is used on more than 100,000 sites.

OttoKit lets users connect additional plugins and external tools, including WooCommerce, Mailchimp and Google Sheets, automate tasks such as sending emails and adding users, and update a CRM without writing code.

Wordfence specialists disclosed details of the authentication bypass vulnerability in OttoKit at the end of last week.

An attacker can exploit the vulnerability by sending an empty st_authorization header, thereby gaining access to protected API endpoints.

The thing is th…

1 day, 6 hours ago @ xakep.ru
Prodaft is buying accounts on hacking forums

Security company Prodaft has announced an initiative under which it is ready to buy old accounts on well-known hacking forums and dark web sites.

Prodaft representatives explain that verified, long-standing accounts on underground sites will help them in their work, since accounts on hacking forums essentially allow the threat landscape to be observed from the inside.

At present, the accounts under consideration for purchase are those on XSS, Exploit[.

The company assures that there will be no judgment and no unnecessary questions, "a simple, safe deal that benefits both sides".

It is emphasized that all data about the purchased accounts will be handed over to law enforcement, …

1 day, 8 hours ago @ xakep.ru
Хакеры.RU. Chapter 0x17. Countermove

…, Kadler offered politely, glancing at his emptied glass.

"Are you going to try to win him over to your side?"

The information we passed to him does not fully reflect the picture of the coming events.

"And what is that?"

Kirill waited for the operating system to boot on his computer, launched a browser and skimmed through the news sites.

3 days, 8 hours ago @ xakep.ru
Researchers unmask the hacker EncryptHub, who takes part in bug bounty programs

The fact is that EncryptHub notified Microsoft of two zero-day vulnerabilities in Windows.

As Outpost24 researchers write, they managed to link EncryptHub and SkorikARI because the attacker accidentally infected his own system with malware and thereby exposed his credentials.

The researchers say they found evidence suggesting that EncryptHub was in prison at the time.

"Another weighty confirmation of the link between them was the ChatGPT chats, in which activity related both to EncryptHub and to SkorikARI can be observed."

For example, EncryptHub used ChatGPT both to develop malicious and phishing sites and to integrate third-party code …

3 days, 20 hours ago @ xakep.ru
Hackers compromised a US Treasury office and spent many months in its systems

The Office of the Comptroller of the Currency of the US Department of the Treasury reported that it suffered a serious cyber incident.

The Office of the Comptroller of the Currency (OCC), part of the US Department of the Treasury, supervises the activities of American and foreign banks.

According to the OCC statement, one of the administrative email accounts, which has access to user mailboxes and internal systems, was compromised, and as a result data ended up in third-party hands.

The letter states that as a result of the attack the attackers gained access to approximately 150,000 emails and remained undetected from May 2023 until …

3 days, 21 hours ago @ xakep.ru
Researchers demonstrate a remote hack of the Nissan Leaf

Researchers from PCAutomotive demonstrated a series of vulnerabilities in the Nissan Leaf electric car.

The experts described the Nissan Leaf hack in detail last week at the Black Hat Asia 2025 conference.

The object of study was a second-generation Nissan Leaf electric car produced in 2020.

In addition to their talk, the experts published a video clearly showing how they used their exploits to remotely hack the Nissan Leaf.

At the same time, the company emphasized that it will continue to develop and deploy technologies to counter cyberattacks "for the safety and peace of mind of customers".

3 days, 22 hours ago @ xakep.ru
Oracle in a box. Running Oracle products in containers

Lately, using Oracle software in Russia has become considerably more difficult; in particular, it cannot be downloaded directly from the vendor's website.

But all of these programs exist as container images on public resources, including hub.docker.com.

As an example, we will run Analytic Workspace Manager (AWM), a program designed for creating and operating on data stores in the form of multidimensional cubes.

It includes a volume located in the /colap/globaldb folder (for the demo database "global") and a volume in the /colap/awm/awm folder (for the AWM program).

The oracle-awm:121 image is built from the source inclu…

4 days, 3 hours ago @ xakep.ru
In English 🇺🇸
The Hacker News
last post 2 hours ago
Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell Tool

The China-linked threat actor known as UNC5174 has been attributed to a new campaign that leverages a variant of a known malware dubbed SNOWLIGHT and a new open-source tool called VShell to infect Linux systems.

The final stage of the attack delivers VShell via SNOWLIGHT by means of a specially crafted request to the C2 server, thereby enabling remote control and further post-compromise exploitation.

"SNOWLIGHT and VShell pose a significant risk to organizations due to their stealthy and sophisticated techniques," Sysdig said.

"At the ninth Asian Winter Games, the U.S. government conducted cyberattacks on the information systems of the Games and the critical information infrastructure in He…

2 hours ago @ thehackernews.com
Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence

A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change.

The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity.

The shortcoming has been addressed in version 6.1.5 by implementing centralized session management such that all active sessions are invalidated when passwords are changed or users are disabled.

The disclosure comes weeks after another critical vulnerability was disclosed in Apache Parquet's Java Library (CVE-2025-30065, CVSS score: 10.0) that, if successfully exploi…

3 hours ago @ thehackernews.com
Malicious PyPI Package Targets MEXC Trading API to Steal Credentials and Redirect Orders

Cybersecurity researchers have disclosed a malicious package uploaded to the Python Package Index (PyPI) repository that's designed to reroute trading orders placed on the MEXC cryptocurrency exchange to a malicious server and steal tokens.

The malicious package is no longer available on PyPI, but statistics on pepy.tech show that it has been downloaded at least 1,065 times.

"The package creates entries in the API for MEXC integration, using an API that directs requests to the domain greentreeone[.

What's more, the fraudulent package is engineered to send the MEXC API key and secret key to the attacker-controlled domain whenever a request is sent to create, cancel, or place an order.

Users…

3 hours ago @ thehackernews.com
Majority of Browser Extensions Can Access Sensitive Enterprise Data, New Report Finds

LayerX today announced the release of the Enterprise Browser Extension Security Report 2025. This report is the first and only report to merge public extension marketplace statistics with real-world enterprise usage telemetry.

By doing so, it sheds light on one of the most underestimated threat surfaces in modern cybersecurity: browser extensions.

Highlights from the Enterprise Browser Extension Security Report 2025:

Therefore, the first step in securing against malicious browser extensions is to audit all extensions in use by employees.

5 hours ago @ thehackernews.com
Crypto Developers Targeted by Python Malware Disguised as Coding Challenges

"Slow Pisces engaged with cryptocurrency developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges," security researcher Prashil Pattni said.

"These challenges require developers to run a compromised project, infecting their systems using malware we have named RN Loader and RN Stealer."

"To avoid the suspicious eval and exec functions, Slow Pisces uses YAML deserialization to execute its payload."

The newly downloaded malware is RN Stealer, an information stealer capable of harvesting sensitive information from infected Apple macOS systems.

"Slow Pisces stands out from their peers' campaigns in operational security.

7 hours ago @ thehackernews.com
Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability

A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date.

It has been addressed in CentreStack version 16.4.10315.56368 released on April 3, 2025.

The vulnerability is said to have been exploited as a zero-day in March 2025, although the exact nature of the attacks is unknown.

Now, according to Huntress, the weakness also affects Gladinet Triofox up to version 16.4.10317.56372.

In light of active exploitation, it's essential that users of Gladinet CentreStack and Triofox update their instances to the latest version to safeguard against potential …

12 hours ago @ thehackernews.com
Meta Resumes E.U. AI Training Using Public User Data After Regulator Approval

Meta has announced that it will begin to train its artificial intelligence (AI) models using public data shared by adults across its platforms in the European Union, nearly a year after it paused its efforts due to data protection concerns from Irish regulators.

To that end, users' posts and comments, as well as their interactions with Meta AI, are expected to be used for training and improving the models.

The notifications will also include an opt-out link to a form where users can choose to object to their public data being collected for AI training.

The development comes shortly after the European Data Protection Board (EDPB) approved the rollout owing to it meeting legal obligations und…

12 hours ago @ thehackernews.com
ResolverRAT Campaign Targets Healthcare, Pharma via Phishing and DLL Side-Loading

Cybersecurity researchers have discovered a new, sophisticated remote access trojan called ResolverRAT that has been observed in attacks targeting healthcare and pharmaceutical sectors.

"Once accessed, the link directs the user to download and open a file that triggers the ResolverRAT execution chain."

Once launched, the malware utilizes a bespoke certificate-based authentication prior to establishing contact with a command-and-control (C2) server such that it bypasses the machine's root authorities.

It also implements an IP rotation system to connect to an alternate C2 server if the primary C2 server becomes unavailable or gets taken down.

Furthermore, ResolverRAT is fitted with capabiliti…

1 day ago @ thehackernews.com
Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft

Cybersecurity researchers are calling attention to a new type of credential phishing scheme that ensures that the stolen information is associated with valid online accounts.

The technique has been codenamed precision-validating phishing by Cofense, which it said employs real-time email validation so that only a select set of high-value targets are served the fake login screens.

In this scenario, the email address entered by the victim in a phishing landing page is validated against the attacker's database, after which the bogus login page is displayed.

The two-pronged attack leverages an embedded URL that seemingly points to a PDF file that's scheduled to be deleted from a legitimate file …

1 day, 3 hours ago @ thehackernews.com
⚡ Weekly Recap: Windows 0-Day, VPN Exploits, Weaponized AI, Hijacked Antivirus and More

Trusted security tools are being hijacked to deliver malware.

X previously agreed to stop training its AI systems using personal data collected from E.U.

The development comes as the cybersecurity company said it has identified a dramatic increase in phishing attacks using malicious Scalable Vector Graphics (SVG) files, driven by PhaaS platforms like Tycoon2FA, Mamba2FA, and Sneaky2FA.

Check for signs of hidden accounts, unauthorized remote access tools, and changes to RDP settings.

1 day, 5 hours ago @ thehackernews.com
Cybersecurity in the AI Era: Evolve Faster Than the Threats or Get Left Behind

Attackers are already using AI to automate reconnaissance, generate sophisticated phishing lures, and exploit vulnerabilities before security teams can react.

AI offers a way to level the playing field, but only if security professionals learn to apply it effectively.

AI allows security teams to ingest and analyze more data than ever before, transforming traditional security tools into powerful intelligence engines.

Security teams need to study AI advancements daily/hourly because adversaries are adapting in hours/minutes.

The event will take place June 16-21, 2025, in Washington, D.C., bringing together top cybersecurity professionals for hands-on training, live labs, and expert-led discus…

1 day, 6 hours ago @ thehackernews.com
Pakistan-Linked Hackers Expand Targets in India with CurlBack RAT and Spark RAT

A threat actor with ties to Pakistan has been observed targeting various sectors in India with various remote access trojans like Xeno RAT, Spark RAT, and a previously undocumented malware family called CurlBack RAT.

It's so named for mimicking the attack chains associated with another threat actor called SideWinder to deliver its own payloads.

The files were also found to contain references to URLs that hosted RTF files identified as used by SideWinder.

"APT36 focus is majorly Linux systems whereas SideCopy targets Windows systems adding new payloads to its arsenal," SEQRITE noted at the time.

"Additionally, they are leveraging customized open-source tools like Xeno RAT and Spark RAT, alon…

1 day, 10 hours ago @ thehackernews.com
Fortinet Warns Attackers Retain FortiGate Access Post-Patching via SSL-VPN Symlink Exploit

Fortinet has revealed that threat actors have found a way to maintain read-only access to vulnerable FortiGate devices even after the initial access vector used to breach the devices was patched.

The attackers are believed to have leveraged known and now-patched security flaws, including, but not limited to, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762.

"A threat actor used a known vulnerability to implement read-only access to vulnerable FortiGate devices," the network security company said in an advisory released Thursday.

"This was achieved via creating a symbolic link connecting the user file system and the root file system in a folder used to serve language files for the SSL-VPN.…

3 days, 23 hours ago @ thehackernews.com
Paper Werewolf Deploys PowerModul Implant in Targeted Cyberattacks on Russian Sectors

The threat actor known as Paper Werewolf has been observed exclusively targeting Russian entities with a new implant called PowerModul.

"The shellcode is similar to what we saw in earlier attacks, but in addition contains an obfuscated Mythic agent, which immediately begins communicating with the command-and-control (C2) server."

But in addition, it can send information about the targeted environment in the form of a "checkin" message, as well as execute other commands received from the C2 server as tasks.

"Recently, we have observed that GOFFEE is increasingly abandoning the use of PowerTaskel in favor of the binary Mythic agent during lateral movement."

The development comes as BI.ZONE at…

4 days, 3 hours ago @ thehackernews.com
Initial Access Brokers Shift Tactics, Selling More for Less

Initial Access Brokers (IABs) specialize in gaining unauthorized entry into computer systems and networks, then selling that access to other cybercriminals.

By selling access, they significantly mitigate the risks associated with directly executing ransomware attacks or other complex operations.

The rising prominence of Initial Access Brokers (IABs) is directly tied to their ability to streamline and accelerate ransomware operations, particularly Ransomware-as-a-Service (RaaS) schemes.

The Financial Motives of IABs. The Initial Access Broker (IAB) market demonstrates a dynamic pricing structure, generally offering corporate access for between $500 and $3,000.

The rise of Initial Access Brokers (I…

4 days, 6 hours ago @ thehackernews.com
threatpost
last post None
DarkReading
last post None
WeLiveSecurity
last post 5 days, 7 hours ago
Watch out for these traps lurking in search results

Our habit of blindly trusting and clicking on top search results has become so predictable that it can be subverted and turned against us.

A fake website blending into search results for Firefox and targeting Chinese speakers (image credit: landiannews.com). The risks aren’t lost on Google, of course.

Which is why it pays to know about the risks involved in both organic and paid search results, and how to separate the wheat from the chaff.

Mastercard impersonators. Staying safe. Most of all, remember that prominence in search results doesn’t automatically equate to legitimacy.

Use reputable security software that can identify and block connections to malicious domains, thus providing an additional …

5 days, 7 hours ago @ welivesecurity.com
So your friend has been hacked: Could you be next?

News that someone close, be it a friend, relative, or colleague, has had one of their valuable online accounts compromised is bound to trigger a mix of reactions.

Maybe you’ve already received a message that ostensibly came from a close friend but felt off.

Have you previously shared access to streaming services or other online tools with the person who was hacked?

What if the same or similar login credentials have been used to access other digital accounts?

Collective awareness and security. Finally, chances are high your relative or friend could use some help when rebuilding their digital life.

6 days, 7 hours ago @ welivesecurity.com
1 billion reasons to protect your identity online

Here’s a lowdown on how your personal data could be stolen – and how to make sure it isn’t.

Once circulating in the cybercrime underground, it’s only a matter of time before it is used in identity fraud attempts.

According to Javelin Strategy & Research, identity fraud and scams cost Americans $47bn in 2024 alone.

Malicious websites: Phishing sites can be spoofed to appear as if they are the real thing, right down to a faked domain.

Identity fraud continues to be a threat because it is relatively easy for threat actors to start making healthy profits.

1 week ago @ welivesecurity.com
The good, the bad and the unknown of AI: A Q&A with Mária Bieliková

AI systems, especially the large foundation models, are revolutionizing the way AI is used in society.

People devise various tests to showcase how far AI has come and where these AI systems or models surpass human capabilities.

Trust in AI is a major topic globally, with attitudes toward AI systems varying widely between cultures and regions.

How can the AI research community help foster trust in AI technologies and ensure that they are viewed as beneficial and trustworthy across diverse societies?

How do you see AI researchers contributing to policies and regulations that ensure the ethical and responsible development of AI systems?

1 week, 5 days ago @ welivesecurity.com
This month in security with Tony Anscombe – March 2025 edition

From an exploited vulnerability in a third-party ChatGPT tool to a bizarre twist on ransomware demands, it's a wrap on another month filled with impactful cybersecurity news. As you might expect, the world of cybersecurity doesn't sleep, so much so that keeping up with new threats and other impactful news actually feels like a full-time job.

This is where our roundup of the month's most impactful cybersecurity stories comes in.

In the March 2025 edition, ESET Chief Security Evangelist Tony Anscombe looks at: how cybercriminals exploited a year-old vulnerability in a third-party ChatGPT tool to attack US government organizations, a bizarre twist on ransomware demands, as a scam is making the rou…

2 weeks, 1 day ago @ welivesecurity.com
Resilience in the face of ransomware: A key to business survival

“Everybody has a plan until they get punched in the mouth.” Mike Tyson’s punchy (pun intended) adage rings all too true for organizations reeling from a ransomware attack.

According to Verizon’s 2024 Data Breach Investigations Report, one-third of all data breaches involve ransomware or another extortion technique.

Bruised and battered
When the news of a ransomware attack breaks, headlines often focus on the dramatic ransom demands and the ethical and legal conundrums over payment.

Second, decryption tools from researchers are better thought of as a last-resort option, as they often cannot match the urgency of business recovery needs.

Since attackers also often take aim at data backups, this app…

2 weeks, 1 day ago @ welivesecurity.com
Making it stick: How to get the most out of cybersecurity training

For a fleeting moment, she actually felt like she’d seen a similar message before, probably in last year’s cybersecurity awareness training.

But by now that training was a blur of lifeless PowerPoint slides, forgettable screenshots and mind-numbing multiple-choice questions replete with obscure terms and concepts.

Ripping off the band aid
The story above exposes a major problem: even the most diligent employees are prone to forgetting what they “learned” in cybersecurity training.

Why subject your employees to mundane training that is likely to fail the moment pressure hits?

She recognizes the red flags, because she has encountered similar scenarios in her engaging security training.

2 weeks, 4 days ago @ welivesecurity.com
RansomHub affiliates linked to rival RaaS gangs

ESET researchers also examine the growing threat posed by tools that ransomware affiliates deploy in an attempt to disrupt EDR security solutions. ESET research has released a deep-dive analysis of changes in the ransomware ecosystem in 2024, focusing especially on RansomHub, a new but highly prolific ransomware-as-a-service (RaaS) gang.

Among other things, the report features previously unpublished insights into RansomHub’s affiliate structure and uncovers connections between this gang and its peers, such as Play, Medusa, and BianLian.

In addition, ESET's analysis also documents the emerging threat of EDR killers, unmasking EDRKillShifter, one such tool developed and maintained by RansomHub.…

2 weeks, 5 days ago @ welivesecurity.com
FamousSparrow resurfaces to spy on targets in the US, Latin America

While assisting one of the affected entities with the remediation of the attack, ESET's experts found that the China-aligned cyberespionage outfit has hit its targets with two previously undocumented versions of its flagship backdoor, SparrowDoor.

Importantly, the group was also observed using the ShadowPad backdoor for the first time.

ESET research also shows that FamousSparrow must have been hard at work developing its toolset between 2022 and 2024, which proves that the group did not cease its operations a few years ago, as had previously been thought.

What else is there to know about the group's recent tactics, techniques, and procedures?

Learn from ESET Chief Security Evangelis…

2 weeks, 5 days ago @ welivesecurity.com
Shifting the sands of RansomHub’s EDRKillShifter

Figure 3 shows the ransom note that RansomHub affiliates leave on their victims’ machines.

On June 21st, 2024, RansomHub operators changed the affiliate rules in reaction to an alleged breach by security researchers.

RansomHub’s EDR killer, named EDRKillShifter by Sophos, is a custom tool developed and maintained by the operator.

EDRKillShifter is offered to RansomHub affiliates through the web panel, same as the encryptor; it too is protected by a 64-character password.

Roughly a month after EDRKillShifter’s announcement, on June 3rd, 2024, RansomHub operators posted yet another update, stating that they improved EDRKillShifter.

2 weeks, 6 days ago @ welivesecurity.com
You will always remember this as the day you finally caught FamousSparrow

Both versions of SparrowDoor used in this campaign constitute considerable advances in code quality and architecture compared to older ones.

This is sent to the C&C server when it requests information about the host and whenever a new socket is created.

All communication between the malware and its C&C server uses the same base packet format, defined in Figure 2.

For each file, SparrowDoor sends one message, with the same command ID as the list file command (0x32341132) and the information described in Figure 3.

2 weeks, 6 days ago @ welivesecurity.com
Operation FishMedley

Key points of this blogpost: Verticals targeted during Operation FishMedley include governments, NGOs, and think tanks, across Asia, Europe, and the United States.

3 weeks, 5 days ago @ welivesecurity.com
MirrorFace updates toolset, expands targeting to Europe

The group's Operation AkaiRyū begins with targeted spearphishing emails that use the upcoming World Expo 2025 in Osaka, Japan, as a lure. The China-aligned MirrorFace APT group has targeted a Central European diplomatic institute, marking the first time the group has attempted to infiltrate an entity in Europe, ESET research has found.

In keeping with its previous campaigns, Operation AkaiRyū (which is Japanese for RedDragon) begins with carefully crafted spearphishing emails that, if successful, attempt to leverage legitimate applications and tools to install malware.

What else is there to know about the campaign's tactics, techniques, and procedures?

Learn from ESET Chief…

4 weeks ago @ welivesecurity.com
Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor

In the 2024 activities analyzed in this blogpost, MirrorFace started using APT10’s former signature backdoor, ANEL, in its operations as well.

Compromise chain observed in June 2024
Case 2: Central European diplomatic institute
On August 26th, 2024, MirrorFace targeted a Central European diplomatic institute.

In 2024, MirrorFace started using ANEL as its first-line backdoor.

ANELLDR
ANELLDR is a loader exclusively used to decrypt the ANEL backdoor and run it in memory.

Malware and tools deployed by MirrorFace throughout the attack (table columns: Tools, Notes, Machine A, Machine B). ANEL: APT10’s backdoor that MirrorFace uses as a first-line backdoor.

4 weeks ago @ welivesecurity.com
AI's biggest surprises of 2024 | Unlocked 403 cybersecurity podcast (S2E1)

Here's what's been hot on the AI scene over the past 12 months, how it's changing the face of warfare, and how you can fight AI-powered scams. The second season of the Unlocked 403 cybersecurity podcast kicks off with a familiar face – ESET Security Evangelist Ondrej Kubovič, who also appeared on the podcast's inaugural episode.

Picking up where they left off this time last year, Becks and Ondrej discuss what's been hot on the AI scene over the past 12 months.

Their conversation touches on various topics related to AI, including its evolving role in modern warfare, use in cybersecurity, and how it impacts our daily lives.

Along the way, they dispel a few stubborn myths that surround the techn…

4 weeks, 1 day ago @ welivesecurity.com
Naked Security
last post: None
Help Net Security
last post 2 hours ago
Hertz data breach: Customers in US, EU, UK, Australia and Canada affected

American car rental company Hertz has suffered a data breach linked to last year’s exploitation of Cleo zero-day vulnerabilities by a ransomware gang.

The breach resulted in the compromise of information belonging to an unknown number of customers of Hertz and its subsidiaries Dollar and Thrifty.

Hertz data breach notifications
“Cleo is a vendor that provides a file transfer platform used by Hertz for limited purposes,” the company shared – though it did not specify what those limited purposes were.

According to those notices, the following type of information was compromised: US individuals: name, contact information, date of birth, credit card information, driver’s license information and informa…

2 hours ago @ helpnetsecurity.com
PlexTrac for CTEM helps security teams centralize security data

PlexTrac launched PlexTrac for CTEM, expanding the platform’s capabilities with a proactive and continuous threat exposure management solution designed to help security teams centralize security data, prioritize risk based on business impact, and automate validation and remediation workflows.

PlexTrac for CTEM enables organizations to move beyond traditional point-in-time assessments and embrace a continuous, proactive security approach.

Demonstrate the ROI of your proactive security program by leveraging powerful visualizations to drive fast, informed decisions and show progress.

“Security teams are overwhelmed with too many vulnerabilities and not enough time to remediate all of them,” sa…

3 hours ago @ helpnetsecurity.com
DataDome platform enhancements put businesses in control of AI agents

DataDome announced major advancements to its platform and partner ecosystem that put businesses back in control of how AI agents access and interact with their digital assets.

With expanded intent-based AI models, LLM detection, and new AI agent response policies, DataDome’s AI engine enables the identification, categorization, adaptation, and response to traffic in less than 2 milliseconds.

Now, DataDome has created new AI models to strengthen that multi-layered foundation to better detect malicious intent.

Skyfire’s platform, enabled seamlessly through DataDome security, empowers businesses to verify the identity of AI agent traffic – and then block, or allow and monetize, turning AI agen…

3 hours ago @ helpnetsecurity.com
ConnectSecure empowers MSPs to mitigate risks within their clients’ Google Workspace environments

ConnectSecure announced its new Google Workspace Assessments.

This new capability enhances ConnectSecure’s vulnerability platform by empowering MSPs to assess, detect, and mitigate risks within their clients’ Google Workspace environments.

With the new Google Workspace Assessments, MSPs can now identify vulnerabilities, flag configuration issues, and generate client-facing reports — all within minutes.

This offering is designed to proactively reduce risk across a suite of cloud applications, including Gmail, Google Drive, Google Meet and Calendar.

This new offering complements ConnectSecure’s broader mission: to deliver a single, unified platform for risk assessments across networks, endpoi…

3 hours ago @ helpnetsecurity.com
Zyxel Networks upgrades USG FLEX H series firewalls

Zyxel Networks announced its USG FLEX H series firewalls have been upgraded to combine both cloud and on-premises network security into a single seamless solution for small- and medium-sized businesses and managed service providers.

AI-driven, Multi-layered Solution – USG FLEX H series firewalls deliver three times the firewall, VPN, and Unified Threat Management (UTM) performance compared to their predecessor.

Flexible, Hassle-free Management – USG FLEX H series firewalls are easily managed as standalone or centrally-managed devices through Zyxel’s Nebula Cloud Management.

Zyxel USG FLEX H Series Security Firewalls carry limited lifetime warranties and are available now through Amazon and …

4 hours ago @ helpnetsecurity.com
Critical flaws fixed in Nagios Log Server

The Nagios Security Team has fixed three critical vulnerabilities affecting popular enterprise log management and analysis platform Nagios Log Server.

A stored XSS vulnerability (CVE-2025-29471) in the web interface of Nagios Log Server that allows a standard (low-privilege) user to inject a malicious JavaScript payload into their profile’s ‘email’ field to achieve privilege escalation.

A DoS vulnerability (CVE pending) that could allow a non-admin user to shut down Elasticsearch – a code dependency of Nagios Log Server – via the API.

Fixes and PoC exploits available
The vulnerabilities affect Nagios Log Server version 2024R1.3.1 and have been fixed in: Version 2024R2 (released on March 19, …

6 hours ago @ helpnetsecurity.com
Seemplicity adds AI-driven capabilities to scale remediation operations

This latest version of the Seemplicity Platform introduces powerful new AI-driven capabilities designed to streamline and scale remediation operations.

Security teams face inadequate prioritization, misrouted remediation requests, and manual workflows that slow down progress.

“With AI-powered exposure management, we’re removing the friction that slows remediation down,” said Ravid Circus, CPO at Seemplicity.

“Security teams shouldn’t have to guess who owns what or rebuild workflows every time the organization changes.

With up to 70% of resource assignments automated, security teams can ensure findings reach the right person the first time.

9 hours ago @ helpnetsecurity.com
Why shorter SSL/TLS certificate lifespans matter

Let’s break down seven reasons shorter certificate lifespans aren’t just a good idea—they’re inevitable.

Shorter lifespans step up as a proactive shield—keys expire before attackers can cash in.

Shorter lifespans are your foundation for staying sharp in a future that’s all about speed and adaptability.

Looking ahead
The push for shorter lifespans, led by Apple, Google, and the industry’s sharpest minds, isn’t about making your day harder.

Shorter certificate lifespans aren’t a fad, they’re the future.

10 hours ago @ helpnetsecurity.com
Cybercriminal groups embrace corporate structures to scale, sustain operations

In this Help Net Security interview, Sandy Kronenberg, CEO of Netarx, discusses how cybercriminal groups are adopting corporate structures and employee incentives to scale operations, retain talent, and evade detection.

What motivates cybercriminal groups to adopt mainstream corporate structures and employee incentives, and what impact does this have on recruitment and retention?

Alternatively, groups with corporate structures can be more effective longer-term.

How do cybercriminal groups strategically collaborate with one another to amplify the success and impact of cyberattacks?

These operations work at-scale and are one of the reasons that Congress approved the Corporate Transparency Act…

11 hours ago @ helpnetsecurity.com
94% of firms say pentesting is essential, but few are doing it right

Big firms take longer to fix pentest issues
94% of firms view pentesting as essential to their program.

In 2017, only 27% of serious pentest findings were resolved.

In 2024, serious findings were fixed in one-third of the time it took back in 2017 (37 versus 112 days).

Three-quarters of organizations have set SLAs (service-level agreements) specifying that pentest findings should be fixed in two weeks or less.

95% of firms have performed pentesting on these apps in the last year, with 32% of tests finding vulnerabilities warranting a serious rating.

11 hours ago @ helpnetsecurity.com
Chief Legal Officers step up in cybersecurity oversight

In this Help Net Security video, Jennifer Chen, Executive Director of the Association of Corporate Counsel (ACC) Foundation, discusses how globally, Chief Legal Officers (CLOs) are becoming integral leaders in cybersecurity strategy, holding leadership positions, and frequently reporting cybersecurity strategies to the company board.

According to the ACC Foundation, the findings highlight a significant shift in how cybersecurity is viewed through a legal and governance lens.

Key findings include:

12 hours ago @ helpnetsecurity.com
Cybersecurity jobs available right now: April 15, 2025

Cybersecurity Officer | International New Economic Research Institute | Hong Kong | On-site
As a Cybersecurity Officer, you will design and implement comprehensive cybersecurity strategies for blockchain nodes, decentralized applications (dApps), and trading platforms.

Head of Global Cybersecurity | Daiichi Sankyo | Germany | On-site
As a Head of Global Cybersecurity, you will lead the strategic direction and operational coherence of cybersecurity in Daiichi Sankyo Group, supervising two distinct functions, Cybersecurity policies & strategy and Cybersecurity architecture.

OT CyberSecurity Specialist | Aspen Pharma | UAE | On-site
As an OT CyberSec…

12 hours ago @ helpnetsecurity.com
Package hallucination: LLMs may deliver malicious code to careless devs

A known occurrence
Many software developers nowadays use large language models (LLMs) to help with their programming.

Now, let’s say in the generated code it includes a link to some package, and I trust it and run the code, but the package does not exist, it’s some hallucinated package.

An astute adversary/hacker could see this behavior (of the LLM) and realize that the LLM is telling people to use this non-existent package, this hallucinated package.

Finally, while the majority of hallucinated packages had names that were “substantively different from existing package names”, those names were often convincing and fit the context.

The researchers have outlined recommendations to help LLM cre…

1 day, 4 hours ago @ helpnetsecurity.com
The quiet data breach hiding in AI workflows

Set clear rules about what data can and cannot be entered into AI systems.

Researchers found that many inputs posed some level of data leakage risk, including personal identifiers, financial data, and business-sensitive information.

Implement input validation and sanitization – Ensure that AI systems can differentiate between legitimate commands and potentially harmful inputs.

Establish access controls – Limit access to AI systems and their training data.

Educate employees on AI security – Train staff to recognize the risks associated with AI systems, including the potential for prompt injections.

1 day, 11 hours ago @ helpnetsecurity.com
Tirreno: Open-source fraud prevention platform

Tirreno is an open-source fraud prevention platform designed as a universal analytics tool to monitor online platforms, web applications, SaaS products, digital communities, mobile apps, intranets, and e-commerce websites.

“Our aim is to liberate online fraud protection technologies, making them widely available for organizations of any size.

Unlike most cyberfraud prevention services, Tirreno is not solely focused on transactions or e-commerce.

Tirreno features
Tirreno offers tailored fraud prevention capabilities for a wide range of users.

1 day, 11 hours ago @ helpnetsecurity.com
IT Security Guru
last post 7 months, 3 weeks ago
How Immigration Can Solve America’s Cybersecurity Shortage

The Growing Cybersecurity Skills Gap
The cybersecurity landscape is more complex and dangerous than ever before.

Immigration: A Solution to the Cybersecurity Shortage
Immigration can help solve the cybersecurity skills shortage in several ways.

Although immigration was highlighted as a crucial element in the policy to mitigate the cybersecurity talent shortage, meaningful immigration reform by Congress is essential for the successful implementation of this strategy.

These experts can help train the next generation of American cybersecurity professionals, ensuring that the U.S. remains at the forefront of global cybersecurity for decades to come.

Conclusion
The cybersecurity skills shortage is …

7 months, 3 weeks ago @ itsecurityguru.org
Cybereason Unveils SDR Data Ramp Program: Analyse and Detect Threats in 1TB of Log Data for 90 Days

Cybereason has launched its revolutionary SDR Data Ramp Programme with Observe.

This ensures that customers can experience the full capabilities of Cybereason’s SDR product, which is designed to detect, analyse, and respond to cyber threats with unparalleled accuracy and speed, reducing the need for legacy SIEM platforms.

“The 1TB Free SDR Data Ramp Programme underscores our commitment to empowering organisations with the tools they need to defend against increasingly sophisticated cyber threats.

This multi-layered approach enables security teams to identify and mitigate threats more effectively, reducing the time to detect and respond to incidents.

To learn more about Cybereason’s 1TB Free…

7 months, 3 weeks ago @ itsecurityguru.org
The 8 Most Common Website Design Mistakes According to Pros

Even seasoned professionals stumble upon common pitfalls that can impact user experience and, consequently, a site’s success.

With expertise from website design company Full Stack Industries, we will explore common design mistakes and how to avoid them.

This inclusive step means all audiences can experience your site and will also improve your search engine rankings.

Final Thoughts
Keeping these common website design mistakes at bay can significantly elevate your online presence.

By prioritising user experience, accessibility, and clear communication, you’ll create a site that looks great and effectively serves its users.

7 months, 3 weeks ago @ itsecurityguru.org
Dodging the Cyber Bullet: Early Signs of a Ransomware Attack

Encrypting a few devices to test their strategy is a red flag that a more significant ransomware assault is imminent and demands immediate action.

By staying alert to these signs and responding promptly, organisations can better defend against the escalating threat of ransomware attacks.

Poorly Managed Remote Desktop Protocol Connections
Remote Desktop Protocol (RDP) connections, if not properly managed, can be an entry point for ransomware attacks.

Sectors Prone to Ransomware Attacks
Specific sectors are particularly vulnerable to ransomware attacks thanks to the critical nature of their operations.

Here are the sectors most commonly targeted: The healthcare sector is a prime target for ranso…

7 months, 4 weeks ago @ itsecurityguru.org
Cyber insurance claims fall as businesses refuse ransom payments and recover themselves

Databarracks’ Data Health Check – an annual survey of 500 UK IT decision makers – found that while more organisations than ever have cyber insurance, the number of claims is down.

66% of those surveyed report having insurance specifically for cyber in 2024, rising from 51% over the past two years.

James Watts, Managing Director at Databarracks, commented: “We have long speculated about the negative effect of cyber insurance policies on ransomware.

The nascent cyber insurance market suddenly became unsustainable.

As our Data Health Check found last year, cyber insurance prices increased significantly and the requirements to obtain cover became stricter.

7 months, 4 weeks ago @ itsecurityguru.org
AI-powered cyber threats are too overpowering for over 50% of security teams

According to research from Absolute Security, over half (54%) of Chief Information Security Officers (CISOs) feel their security team is unprepared for evolving AI-powered threats.

The findings were uncovered in the Absolute Security United Kingdom CISO Cyber Resilience Report 2024, which surveyed 250 UK CISOs at enterprise organisations to assess the state of cyber resilience, AI, and the cyber threat landscape in the UK.

Almost half (46%) of CISOs believe that AI is more of a threat to their organisation’s cyber resilience than a help, highlighting AI as a potential danger in safeguarding organisations from cyber threats rather than strengthening cyber resilience.

As AI-driven cyber threa…

8 months ago @ itsecurityguru.org
New Threat Report from Cato Networks Uncovers Threat Actor Selling Data and Source Code from Major Brands

The report found that threat actors are selling data and source code from major brands on the dark web.

Given the popularity of Amazon, users should be wary of threat actors creating counterfeit websites that ask to submit sensitive information.

Log4j remains a popular vulnerability that threat actors attempt to exploit
Three years after its discovery in 2021, Log4j remains one of the most used vulnerabilities leveraged by threat actors.

Inbound traffic is traffic that doesn’t originate from within the network, while WANbound traffic resides within a WAN environment.

“With the Q2 2024 Cato CTRL SASE Threat Report, we are putting the spotlight on a notorious threat actor named IntelBroker.

8 months ago @ itsecurityguru.org
New Post Quantum Cryptography Standards Poised to Revolutionize Cybersecurity

The National Institute of Standards and Technology (NIST) has officially published its highly anticipated Federal Information Processing Standards (FIPS) for post-quantum cryptography (PQC).

The algorithms announced today represent the first finalized standards from NIST’s PQC standardization project and are now ready for immediate implementation.

Today’s announcement takes place within a larger regulatory framework, including the White House’s National Security Memorandum, NSM-8, which requires the adoption of post-quantum cryptography (PQC).

Today’s quantum computers are small and experimental, but they are rapidly becoming more capable, and it is only a matter of time before cryptographi…

8 months ago @ itsecurityguru.org
Kicking cyber security down the road can come back to bite you

Yet despite the clear and present danger, some businesses continue to deprioritise cyber security, with a concerning 15% failing to invest in cyber security measures.

An overshadowed priority
Despite a shared understanding of cyber threats among security leaders and C-suite, cyber security often gets overlooked.

Alarmingly, a third of security leaders only prioritise cyber security expertise after an attack has happened.

Securing buy-in
To ensure cyber security is prioritised, it is vital to convey to the C-suite the very real implications of not mitigating cyber security risks.

It is time to implement cyber security measures now
By deprioritising cyber security, businesses are essentially def…

8 months ago @ itsecurityguru.org
What skills can cyber security experts develop to adapt to AI and quantum computing?

High levels of demand for cyber security expertise also means that it’s one of the best paying roles in tech with a great level of job security.

However, cyber security professionals are in a never-ending arms race with hackers.

On the other side, AI also has the capacity to create an arsenal of new offensive and defensive tools for cyber security experts.

Quantum computing
Like AI, quantum has the capacity to utterly transform how we all live and work.

Ambitious cyber security professionals could become trail blazers in this sector if they start acquiring relevant skills now.

8 months ago @ itsecurityguru.org
HealthEquity Data Breach Compromises Customer Information
HealthEquity Data Breach Compromises Customer Information

HealthEquity, a leading provider of health savings account (HSA) services, has announced it suffered a data breach recently, resulting in compromised customer protected health information (PHI). It is understood the breach was detected on March 25, 2024, after abnormal activity was flagged from a business partner’s device. Once an investigation was carried out, it was […]

8 months, 2 weeks ago @ itsecurityguru.org
Accenture and SandboxAQ Expand Cybersecurity Partnership

Today, Accenture (NYSE: ACN) and SandboxAQ have announced that they are expanding their partnership to address the critical need for enterprise data encryption that can defend against current data breaches, as well as future AI and quantum threats. Together, Accenture and SandboxAQ are helping organisations secure sensitive data and strengthen encryption across their technology portfolios. […]

8 months, 2 weeks ago @ itsecurityguru.org
People Overconfident in Password Habits, Overwhelmed by Too Many Passwords

New research by Keeper Security has revealed some worrying trends and misunderstandings when it comes to password best practices and overconfidence in cyber knowledge. The research found that, while 85% of respondents believe their passwords are secure, over half admit to sharing their passwords. Additionally, 64% of people feel confident in their cybersecurity knowledge despite […]

8 months, 2 weeks ago @ itsecurityguru.org
Secure, Simple, Superior: The Advantages of Tokenized Payment Cards by Wallester

Technology is advancing rapidly and tokenized payment cards are a part of its evolution. Gone are the days of keying in long card numbers, expiry dates and CVV codes and hoping for the best. Instead, tokenized cards offer heightened security and improved transaction processes for digital payments. But what are they all about and how […]

8 months, 2 weeks ago @ itsecurityguru.org
Security Flaws Found in Hotjar, Potentially Affecting Sensitive Data of Millions Utilising Major Global Brands

Salt Labs, the research arm of API security company Salt Security, has released new research highlighting critical security flaws in the popular web analytics provider Hotjar. The company serves over one million websites, including global brands like Microsoft and Nintendo (according to its website). These vulnerabilities could have potentially allowed an attacker unlimited […]

8 months, 2 weeks ago @ itsecurityguru.org
SecurityTrails
last post None
Blogs 👨‍💻
Бизнес без опасности
last post None
Жизнь 80 на 20
last post None
ZLONOV
last post None
Блог Артема Агеева
last post None
Киберпиздец
last post None
Schneier on Security
last post 1 day ago
Upcoming Speaking Engagements

This is a current list of where and when I am scheduled to speak:

I’m giving an online talk on AI and trust for the Weizenbaum Institute on April 24, 2025 at 2:00 PM CEST (8:00 AM ET).

The list is maintained on this page.

Posted on April 14, 2025 at 12:04 PM

1 day ago @ schneier.com
China Sort of Admits to Being Behind Volt Typhoon

The Wall Street Journal has the story: Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate.

The Chinese delegation linked years of intrusions into computer networks at U.S. ports, water utilities, airports and other targets, to increasing U.S. policy support for Taiwan, the people, who declined to be named, said.

1 day, 5 hours ago @ schneier.com
Friday Squid Blogging: Squid and Efficient Solar Tech

Researchers are trying to use squid color-changing biochemistry for solar tech.

This appears to be new research related to a 2019 squid post.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Posted on April 11, 2025 at 7:06 AM

4 days, 5 hours ago @ schneier.com
AI Vulnerability Finding

Microsoft is reporting that its AI systems are able to find new vulnerabilities in source code: Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison.

Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.

The newly discovered flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device.

But that an AI system can do this at all …

4 days, 5 hours ago @ schneier.com
Reimagining Democracy

The deleterious effects of optimizing a political system for economic outcomes were another theme.

We looked at whether—and when—we might be comfortable ceding power to an AI system.

I am happy for an AI system to figure out the optimal timing of traffic lights to ensure the smoothest flow of cars through my city.

Our discourse was filled with suggestions about how to patch our political system where it is fraying.

See Schneier, “Recreating Democracy” and Schneier, “Second Interdisciplinary Workshop.” This essay was originally published in Common Knowledge.

4 days, 16 hours ago @ schneier.com
How to Leak to a Journalist

About Bruce Schneier

I am a public-interest technologist, working at the intersection of security, technology, and people.

I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998.

I'm a fellow and lecturer at Harvard's Kennedy School, a board member of EFF, and the Chief of Security Architecture at Inrupt, Inc.

This personal website expresses the opinions of none of those organizations.

6 days, 5 hours ago @ schneier.com
Arguing Against CALEA

This has greatly expanded the “attack surface” that must be defended to prevent unauthorized wiretaps, especially at scale.

The job of the illegal eavesdropper has gotten significantly easier, with many more options and opportunities for them to exploit.

To put it bluntly, something like Salt Typhoon was inevitable, and will likely happen again unless significant changes are made.

The hacks reportedly may have resulted in the “vast collection of internet traffic” from the telecom and internet giants.

CNN and The Washington Post also confirmed the intrusions and that the U.S. government’s investigation is in its early stages.

1 week ago @ schneier.com
DIRNSA Fired

In “Secrets and Lies” (2000), I wrote: It is poor civic hygiene to install technologies that could someday facilitate a police state.

It’s something a bunch of us were saying at the time, in reference to the NSA’s vast surveillance capabilities.

I have been thinking of that quote a lot as I read news stories of President Trump firing the Director of the National Security Agency.

Once Trump replaces Haugh with a loyalist, the NSA’s vast surveillance apparatus can be refocused domestically.

But the wrong technology infrastructure could allow such a future government to watch every move anyone makes to oppose it.

1 week, 1 day ago @ schneier.com
Friday Squid Blogging: Two-Man Giant Squid

1 week, 3 days ago @ schneier.com
Troy Hunt Gets Phished

1 week, 4 days ago @ schneier.com
Web 3.0 Requires Data Integrity

This layered approach to understanding security becomes increasingly critical as AI systems grow in complexity and autonomy, particularly with large language models (LLMs) and deep-learning systems making high-stakes decisions.

This multi-layered security approach becomes especially crucial as AI systems take on more autonomous decision-making roles in critical domains such as healthcare, finance, and public safety.

When AI systems operate without sufficient security measures to handle corrupted or manipulated data, they can produce subtly flawed outputs that appear valid on the surface.

Finally, the fourth is access standardization: common interfaces and protocols that enable consistent da…

1 week, 5 days ago @ schneier.com
Rational Astrologies and Security

[…] Both security theater and rational astrologies may seem irrational, but they are rational from the perspective of the people making the decisions about security.

Security theater is often driven by information asymmetry: people who don’t understand security can be reassured with cosmetic or psychological measures, and sometimes that reassurance is important.

It can be better understood by considering the many non-security purposes of a security system.

But it makes sense as a security system designed to alleviate fears of new mothers [Sch07].

Rational astrologies in security result from two considerations.

1 week, 6 days ago @ schneier.com
Cell Phone OPSEC for Border Crossings

I have heard stories of more aggressive interrogation of electronic devices at US border crossings.

I know a lot about securing computers, but very little about securing phones.

Does resetting a phone to factory defaults erase data, or is it still recoverable?

That is, does the reset erase the old encryption key, or just sever the password that accesses that key?

And it’s not just the US; the world is going to become a more dangerous place to oppose state power.

2 weeks ago @ schneier.com
The Signal Chat Leak and the NSA

US National Security Advisor Mike Waltz, who started the now-infamous group chat coordinating a US attack against the Yemen-based Houthis on March 15, is seemingly now suggesting that the secure messaging service Signal has security vulnerabilities.

Waltz’s implication that Goldberg may have hacked his way in was followed by a report from CBS News that the US National Security Agency (NSA) had sent out a bulletin to its employees last month warning them about a security "vulnerability" identified in Signal.

So, what does the NSA do if it finds a security flaw in Signal?

Equally, bad actors such as drug cartels may also feel safer using Signal.

Their security …

2 weeks, 1 day ago @ schneier.com
Friday Squid Blogging: Squid Werewolf Hacking Group

In another rare squid/cybersecurity intersection, APT37 is also known as “Squid Werewolf.”

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Posted on March 28, 2025 at 5:04 PM

2 weeks, 3 days ago @ schneier.com
Krebs On Security
last post 13 hours ago
Trump Revenge Tour Targets Cyber Leaders, Elections

President Trump last week revoked security clearances for Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA) who was fired by Trump after declaring the 2020 election the most secure in U.S. history.

In 2020, CISA launched Rumor Control, a website that sought to rebut disinformation swirling around the 2020 election.

That effort ran directly counter to Trump’s claims that he lost the election because it was somehow hacked and stolen.

“Regular meetings between the National Security Council and European national security officials have gone unscheduled, and the NSC has also stopped formally coordinating efforts across U.S. agencies, including with t…

13 hours ago @ krebsonsecurity.com
China-based SMS Phishing Triad Pivots to Banks

China-based purveyors of SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google.

Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies.

Rather, they are sent via iMessage to Apple device users, and via RCS on Google Android devices.

The Smishing Triad members maintain their own Chinese-language sales channels on Telegram, which frequently offer videos and photos of their staff hard at work.

Prodaft’s report details how the Smishing Triad has achieved such success in sending their spam messages.

5 days, 1 hour ago @ krebsonsecurity.com
Patch Tuesday, April 2025 Edition

Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild.

Microsoft rates it as “important,” but as Chris Goettl from Ivanti points out, risk-based prioritization warrants treating it as critical.

Narang notes that while flaws allowing attackers to install arbitrary code are consistently top overall Patch Tuesday features, the data is reversed for zero-day exploitation.

And in case you missed it, on March 31, 2025 Apple released a rather large batch of security updates for a wide range of their products, from macOS to the iOS operating systems on iPhones and iPa…

6 days, 13 hours ago @ krebsonsecurity.com
How Each Pillar of the 1st Amendment is Under Attack

Another example: President Trump recently fired most of the people involved in processing Freedom of Information Act (FOIA) requests for government agencies.

President Trump recently took the extraordinary step of calling for the impeachment of federal judges who rule against the administration.

On March 20, Trump issued an order calling for the closure of the DOE.

On Jan. 27, Trump issued a memo (PDF) that paused all federally funded programs pending a review of those programs for alignment with the administration’s priorities.

Where is President Trump going with all these blatant attacks on the First Amendment?

2 weeks, 1 day ago @ krebsonsecurity.com
When Getting Phished Puts You in Mortal Danger

Researchers at the security firm Silent Push mapped a network of several dozen phishing domains that spoof the recruitment websites of Ukrainian paramilitary groups, as well as Ukrainian government intelligence sites.

]army features a carbon copy of the homepage for the Freedom of Russia Legion (a.k.a. “Free Russia Legion”), a three-year-old Ukraine-based paramilitary unit made up of Russian citizens who oppose Vladimir Putin and his invasion of Ukraine.

According to Edwards, there are no signs that these phishing sites are being advertised via email.

“They are on top of DuckDuckGo and Yandex, so it unfortunately works.”

Further reading: Silent Push report, Russian Intelligence Targeting its…

2 weeks, 5 days ago @ krebsonsecurity.com
Arrests in Tap-to-Pay Scheme Powered by Phishing

How are these China-based phishing groups obtaining stolen payment card data and then loading it onto Google and Apple phones?

“I would be shocked if this wasn’t the NFC relay app,” Merrill said, concerning the arrested suspects in Tennessee.

ABC10 reported that while most of those transactions were declined, the suspects still made off with $1,400 worth of gift cards.

In other words, the phishing websites are powered by real human operators as long as new messages are being sent.

For more on how these China-based mobile phishing groups operate, check out How Phished Data Turns Into Apple and Google Wallets.

3 weeks, 3 days ago @ krebsonsecurity.com
DOGE to Fired CISA Staff: Email Us Your Personal Data

A message posted on Monday to the homepage of the U.S. Cybersecurity & Infrastructure Security Agency (CISA) is the latest exhibit in the Trump administration’s continued disregard for basic cybersecurity protections.

On March 13, a Maryland district court judge ordered the Trump administration to reinstate more than 130 probationary CISA employees who were fired last month.

The message in the screenshot above was removed from the CISA homepage Tuesday evening and replaced with a much shorter notice directing former CISA employees to contact a specific email address.

The White House press secretary told The Times that Starlink had “donated” the service and that the gift had been vetted by t…

3 weeks, 5 days ago @ krebsonsecurity.com
ClickFix: How to Infect Your PC in Three Easy Steps

ClickFix attacks mimic the “Verify You are a Human” tests that many websites use to separate real visitors from content-scraping bots.

In November 2024, KrebsOnSecurity reported that hundreds of hotels that use booking.com had been subject to targeted phishing attacks.

Earlier this month, the security firm Arctic Wolf warned about ClickFix attacks targeting people working in the healthcare sector.

The company said those attacks leveraged malicious code stitched into the widely used physical therapy video site HEP2go that redirected visitors to a ClickFix prompt.

Alas, the email security vendor Proofpoint has documented plenty of ClickFix attacks via phishing emails that include HTML attachm…

1 month ago @ krebsonsecurity.com
Microsoft: 6 Zero-Days in March 2025 Patch Tuesday

Microsoft today issued more than 50 security updates for its various Windows operating systems, including fixes for a whopping six zero-day vulnerabilities that are already seeing active exploitation.

Two of the zero-day flaws include CVE-2025-24991 and CVE-2025-24993, both vulnerabilities in NTFS, the default file system for Windows and Windows Server.

Microsoft credits researchers at ESET with reporting the zero-day bug labeled CVE-2025-24983, an elevation of privilege vulnerability in older versions of Windows.

However, ESET notes the vulnerability itself also is present in newer Windows OS versions, including Windows 10 build 1809 and the still-supported Windows Server 2016.

This month’…

1 month ago @ krebsonsecurity.com
Alleged Co-Founder of Garantex Arrested in India

Authorities in India today arrested the alleged co-founder of Garantex, a cryptocurrency exchange sanctioned by the U.S. government in 2022 for facilitating tens of billions of dollars in money laundering by transnational criminal and cybercriminal organizations.

On March 7, the U.S. Department of Justice (DOJ) unsealed an indictment against Besciokov and the other alleged co-founder of Garantex, Aleksandr Mira Serda, 40, a Russian national living in the United Arab Emirates.

Since those penalties were levied, Garantex has processed more than $60 billion, according to the blockchain analysis company Elliptic.

Mira Serda is allegedly Garantex’s co-founder and chief commercial officer.

Federa…

1 month ago @ krebsonsecurity.com
Feds Link $150M Cyberheist to 2022 LastPass Hacks

In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022.

“Since we initially disclosed this incident back in 2022, LastPass has worked in close cooperation with multiple representatives from law enforcement,” LastPass said in a written statement.

But on Nov. 30, 2022, LastPass notified customers about another, far more serious security incident that the company said leveraged data stolen in the August breach.

Researchers found that many of the cyberheist victims had chosen master passw…

1 month, 1 week ago @ krebsonsecurity.com
Who is the DOGE and X Technician Branden Spikes?

It is difficult to find another person connected to DOGE who has stronger ties to Musk than Branden Spikes.

In 2012, Spikes launched Spikes Security, a software product that sought to create a compartmentalized or “sandboxed” web browser that could insulate the user from malware attacks.

In 2016, Spikes Security was merged with another security suite called Aurionpro, with the combined company renamed Cyberinc.

The photo of Branden and Natalia above is from one such event in 2011 (tied to russianwhitenights.org, another Haldeman domain).

The Russian Heritage Foundation and the California Russian Association both promote the interests of the Russian Orthodox Church.

1 month, 1 week ago @ krebsonsecurity.com
Cyber Forensic Expert in 2,000+ Cases Faces FBI Probe

Mark Lanterman is a former investigator for the U.S. Secret Service Electronics Crimes Task Force who founded the Minneapolis consulting firm Computer Forensic Services (CFS).

Or at least it did until last month, when Lanterman’s profile and work history were quietly removed from the CFS website.

Upsala College, located in East Orange, N.J., operated for 102 years until it closed in 1995 after a period of declining enrollment and financial difficulties.

“I am 60 years old,” Lanterman told the judge.

On March 24, Allwine petitioned a Minnesota court (PDF) to revisit his case, citing the accusations against Lanterman and his role as a key witness for the prosecution.

1 month, 1 week ago @ krebsonsecurity.com
Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab

One of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab, KrebsOnSecurity has learned.

Kaspersky began selling antivirus and security software in the United States in 2005, and the company’s malware researchers have earned accolades from the security community for many important discoveries over the years.

But in September 2017, the Department of Homeland Security (DHS) barred U.S. federal agencies from using Kaspersky software, mandating its removal within 90 days.

A second story claimed that Israeli spies caught Russian government hacke…

1 month, 2 weeks ago @ krebsonsecurity.com
U.S. Soldier Charged in AT&T Hack Searched “Can Hacking Be Treason”

After scouring darknet markets for stolen Snowflake account credentials, the hackers began raiding the data storage repositories used by some of the world’s largest corporations.

AT&T reportedly paid a hacker $370,000 to delete stolen phone records.

In several posts to an English-language cybercrime forum in November, Kiberphant0m leaked some of the phone records and threatened to leak them all unless paid a ransom.

The government states that Kiberphant0m privately demanded $500,000 from Victim-1, threatening to release all of the stolen phone records unless he was paid.

Days after he apparently finished communicating with Country-1’s military intelligence service, Wagenius Googled, ‘can ha…

1 month, 2 weeks ago @ krebsonsecurity.com
Graham Cluley
last post 2 hours ago
The AI Fix #46: AI can read minds now, and is your co-host a clone?

In episode 46 of The AI Fix, China trolls US tariffs, a microscopic pogoing flea-bot makes a tiny leap forward for robotics, Google unveils the Agent2Agent protocol, a robot dog is so cute it ruins Graham’s entire day, and Europe commits €20 billion and all of its buzzwords to five moonshot AI gigafactories.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

Powered by RedCircle. Hosts: Graham Cluley (@grahamcluley.com, @[email protected]), Mark Stockley (@ai-fix-mark.bsky.social). Episode links: Support the show: You can help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts o…

2 hours ago @ grahamcluley.com
Medusa ransomware gang claims to have hacked NASCAR

The Medusa ransomware-as-a-service (RaaS) group claims to have compromised the computer systems of NASCAR, the United States' National Association for Stock Car Auto Racing, and made off with more than 1TB of data.

In an attempt to verify its claim of having hacked NASCAR, Medusa has published screenshots of what it claims are internal documents - including some purporting to show the names, email addresses, and phone numbers of NASCAR employees and sponsors, as well as invoices, financial reports, and more.

Furthermore, the ransomware gang has published a substantial directory illustrating NASCAR's internal file structure and the names of documents that have been exfiltrated.

Although NASCAR has…

1 day, 9 hours ago @ bitdefender.com
Ransomware reaches a record high, but payouts are dwindling

4 days, 6 hours ago @ tripwire.com
Smashing Security podcast #412: Signalgate sucks, and the quandary of quishing

All this and more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault.

5 days, 17 hours ago @ grahamcluley.com
The AI Fix #45: The Turing test falls to GPT-4.5

In episode 45 of The AI Fix, our hosts discover that ChatGPT is running the world, Mark learns that mattress companies have scientists, Gen Z has nightmares about AI, OpenAI gets a bag, Graham eats too many cheese sandwiches, and too much training makes AIs over-sensitive.

Mark reveals why he’s got beef with cows, GPT-4.5 beats the Turing test, and Anthropic’s brain scanner reveals how AIs really think.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

6 days, 18 hours ago @ grahamcluley.com
Russian bots hard at work spreading political unrest on Romania’s internet

Internet users in Romania are finding their social media posts and online news articles bombarded with comments promoting blatant propaganda, inciting hatred towards the EU and NATO, and support for Vladimir Putin's Russia.

That's the finding of an investigation which has explored the rapid growth in activity of pro-Russian and pro-Putin propaganda accounts on TikTok, specifically targeting a Romanian audience.

The accounts post messages that purport to come from Russian president Vladimir Putin, encourage anti-EU feeling, and suggest a potential future conflict with Europe during which Romania may wish to ally with Russia.

Some of the posts have even suggested that Vladimir Putin would be …

1 week ago @ bitdefender.com

King Bob pleads guilty to Scattered Spider-linked cryptocurrency thefts from investors

A Florida man, linked to the notorious Scattered Spider hacking gang, has pleaded guilty to charges related to cryptocurrency thefts which have netted hundreds of thousands of dollars.

Prosecutors described how Urban and other members of the Scattered Spider gang stole victims' personal information to help them hijack the phone numbers of cryptocurrency investors, and then abuse their unauthorised access to seize control of victims' online accounts, and break into their cryptocurrency wallets.

"Scattered Spider" became infamous as the cybercrime syndicate behind the headline-generating hacks of the Las Vegas casinos MGM Resorts and Caesars, amongst other high profile victims.

In some cases,…

1 week, 1 day ago @ bitdefender.com

HellCat ransomware: what you need to know

1 week, 5 days ago @ tripwire.com
Smashing Security podcast #411: The fall of Troy, and whisky barrel scammers

Don’t miss our featured interview with Alastair Paterson, CEO and co-founder of Harmonic Security, discussing how companies can adopt Generative AI without putting their sensitive data at risk.

Harmonic Security gives you full control and stops leaks so your teams can innovate confidently.

1 week, 5 days ago @ grahamcluley.com

The AI Fix #44: AI-generated malware, and a stunning AI breakthrough

In episode 44 of The AI Fix, ChatGPT won’t build a crystal meth lab, GPT-4o improves the show’s podcast art, some students manage to screw in a lightbulb, Google releases Gemini 2.5 Pro Experimental and nobody notices, and Mark invents a clock for measuring AI time.

All this and much more is discussed in the latest edition of “The AI Fix” podcast by Graham Cluley and Mark Stockley.

Powered by RedCircle. Hosts: Graham Cluley: @grahamcluley.com, @[email protected]; Mark Stockley: @ai-fix-mark.bsky.social. Episode links: Support the show: You can help the podcast by telling your friends and colleagues about “The AI Fix”, and leaving us a review on Apple Podcasts or Podchaser.

Follow us: Follow the show on B…

2 weeks ago @ grahamcluley.com

Hackers exploit little-known WordPress MU-plugins feature to hide malware

Hackers are abusing the “Must-Use” plugins (MU-plugins) feature to hide malicious code and maintain long-term access on hacked websites.

Unlike regular WordPress plugins, must-use plugins load automatically and are not listed alongside regular plugins unless the "Must-Use" filter is selected.

So there is a good legitimate reason for a WordPress site to have "must-use" plugins, although many WordPress users may be largely oblivious to their existence.

The best advice is to harden your WordPress site, by ensuring that you use strong, unique passwords and have enabled two-factor authentication.

Finally, if you suspect your WordPress-powered website could be hosting malicious MU-plugins, look in the wp-content/mu-plugins fold…

2 weeks ago @ bitdefender.com

£3 million fine for healthcare MSP with sloppy security after it was hit by ransomware attack

As the ICO explains, hackers launched a ransomware attack on systems at Advanced's health and care subsidiary via an account that was not protected by MFA.

Aside from the failure to universally adopt MFA, Advanced was also criticised by the ICO for its failure to regularly check for vulnerabilities and keep systems up to date with the latest security patches.

This incident shows just how important it is to prioritise information security.

Losing control of sensitive personal information will have been distressing for people who had no choice but to put their trust in health and care organisations," said UK Information Commissioner John Edwards.

"Not only was personal information compromised…

2 weeks, 3 days ago @ exponential-e.com

VanHelsing ransomware: what you need to know

2 weeks, 4 days ago @ tripwire.com
Malaysian PM says “no way” to $10 million ransom after alleged cyber attack against Kuala Lumpur airport

Malaysian Prime Minister Anwar Ibrahim has said that he refused to pay a US $10 million ransom demanded by hackers who, according to some reports, paralysed operations at Kuala Lumpur International Airport (KLIA).

Anwar described how he had refused to comply with a ransom demand after a cyber attack on Malaysia Airports Holdings Berhad (MAHB), which operates the country’s airports, in the early hours of Sunday morning.

He posted an image on Twitter of what appeared to be airport staff using whiteboards to list flight details for travellers - suggesting electronic systems were indeed disrupted.

While acknowledging that a cyber attack against computer systems at the airport had occurred, a jo…

2 weeks, 5 days ago @ bitdefender.com

Smashing Security podcast #410: Unleash the AI bot army against the scammers – now!

All this and more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Drata – The world’s most advanced Trust Management platform – making risk and compliance management accessible, continuous, and 10x more automated than ever before.

2 weeks, 5 days ago @ grahamcluley.com

Companies 🏢
Kaspersky Blog
last post 4 days, 4 hours ago
12 tips for using WhatsApp, Telegram, Signal, Viber, WeChat and other messengers safely | Kaspersky Blog

So that your account is not hijacked or stolen, for example via an illegally issued duplicate SIM card.

Go to the messenger's security and privacy settings, set a secret password and memorize it well.

Never forward or read out to anyone the one-time codes used to log in to the messenger.

In the messenger's own settings or in the smartphone settings, also enable the App Lock option.

In the messenger's Privacy settings, adjust 'Who can see my last seen', 'Profile photo', 'Status' and the other options.

4 days, 4 hours ago @ kaspersky.ru

Defending against attacks hidden in ZIP, RAR, CAB, MSI, ISO and other archives | Kaspersky Blog

Archiving tools, which make storing and sending files easier, have become a familiar tool not only for users but also for attackers.

They are helped considerably by the fact that a ZIP archive's index (the central directory) sits at the end of the file rather than the beginning, so a reader can open the archive even when other data has been glued on in front of it.

Make sure your security solution can inspect deeply nested archives and very large archives.

It is therefore sensible to apply deeper analysis on endpoints and mail gateways, and as much as is feasible (given their limits) on web filters and NGFWs.

If uploading files inside archives is not business-critical functionality, it is better to disable it in your CMS, CRM and other online applications.
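
As an added example (my code, not Kaspersky's), the Python below shows the two checks the article asks of a scanner: walk nested ZIPs to a fixed depth, and stop when the declared uncompressed size or the expansion ratio exceeds a limit. It also flags a ZIP that opens fine but does not start with a local file header, which is what prepended data looks like, since the index at the end of the file is all a ZIP reader needs. The limits and the sample archives are constructed for illustration, and only ZIP is recognised, not RAR, CAB, MSI or ISO.

```python
"""Recursive ZIP inspection with nesting-depth and expansion-ratio limits.

Added example, not code from the Kaspersky article. The limits below are
illustrative defaults, not a standard; the sample archives are constructed.
"""
import io
import zipfile

MAX_DEPTH = 3                  # how many nested archives deep we will look
MAX_RATIO = 100                # uncompressed/compressed above this: treat as a bomb
MAX_TOTAL = 50 * 1024 * 1024   # bytes we are willing to inflate per archive
LOCAL_HEADER = b"PK\x03\x04"   # signature that starts every non-empty ZIP


def inspect_zip(data, depth=0, prefix=""):
    """Walk a ZIP given as bytes and every ZIP nested inside it.

    Returns (members, findings): member paths like 'outer.zip/inner.txt', and
    human-readable strings for each limit that was hit.
    """
    members, findings = [], []
    where = prefix or "<root>"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings.append(f"{where}: not a valid ZIP")
        return members, findings

    # zipfile locates the central directory from the END of the file, so data
    # glued on in front (an image, a script, another archive) does not stop it
    # from opening. A valid ZIP that does not start with a local header is
    # therefore worth a second look.
    if not data.startswith(LOCAL_HEADER):
        findings.append(f"{where}: parses as ZIP but has prepended data (polyglot/concatenated?)")

    infos = zf.infolist()
    declared = sum(i.file_size for i in infos)
    compressed = max(1, sum(i.compress_size for i in infos))
    if declared > MAX_TOTAL or declared / compressed > MAX_RATIO:
        findings.append(f"{where}: would inflate {declared} B from {compressed} B "
                        f"(possible zip bomb), not extracted")
        return members, findings

    for info in infos:
        path = f"{prefix}/{info.filename}" if prefix else info.filename
        members.append(path)
        if info.flag_bits & 0x1:                 # encrypted entry: contents unknown
            findings.append(f"{path}: encrypted, not inspected")
            continue
        payload = zf.read(info)
        if payload.startswith(LOCAL_HEADER):     # a nested archive
            if depth + 1 >= MAX_DEPTH:
                findings.append(f"{path}: nesting deeper than {MAX_DEPTH}, stopped")
                continue
            sub_members, sub_findings = inspect_zip(payload, depth + 1, path)
            members += sub_members
            findings += sub_findings
    return members, findings


# --- constructed samples -----------------------------------------------------

def build_zip(entries):
    """entries: {name: bytes}. Returns the bytes of a DEFLATE-compressed ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()


def sample_nested(levels):
    """A ZIP wrapped in `levels` more ZIPs; the innermost holds invoice.txt."""
    data = build_zip({"invoice.txt": b"please open the attachment"})
    for n in range(levels):
        data = build_zip({f"level{n}.zip": data})
    return data


def sample_bomb():
    """Five million zero bytes deflate to a few KB: ratio far above MAX_RATIO."""
    return build_zip({"big.txt": b"\0" * 5_000_000})


def sample_prepended():
    """A GIF header glued in front of a ZIP, the shape of an image/ZIP polyglot."""
    return b"GIF89a" + b"\0" * 16 + build_zip({"a.txt": b"hi"})


if __name__ == "__main__":
    for label, blob in [("nested x2", sample_nested(2)), ("nested x4", sample_nested(4)),
                        ("bomb", sample_bomb()), ("prepended", sample_prepended())]:
        m, f = inspect_zip(blob)
        print(label, "members:", m, "findings:", f)
```

The nested check only recurses into payloads that themselves start with a local header, so a nested ZIP with its own prepended junk is listed but not descended into; a production scanner would search each payload for an end-of-central-directory record instead. The ratio check uses the sizes declared in the central directory, which an attacker controls, so the extraction step still needs a byte budget enforced while inflating.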

5 days, 4 hours ago @ kaspersky.ru

Phishing via GetShared | Kaspersky Blog

We explain what the use of GetShared in attacks looks like, why attackers need it, and how to stay safe.

What a GetShared attack looks like: the victim receives a perfectly ordinary, entirely genuine notification from the GetShared service saying that a file has been sent to them.

Why do attackers need GetShared and other third-party services?

The latest tool found suitable for abuse is GetShared, a free service for sending large files.

Signs that something is wrong: let us first step back from this case, and from GetShared in general.

6 days, 5 hours ago @ kaspersky.ru

What happens to your computer if you download pirated software | Kaspersky Blog

Today, using real cases, we explain what is wrong with sites that offer to let you download any software here and now.

And this capability, as with GitHub, is a stumbling block on the way to a high level of security.

Consider just one example: our experts found a project on SourceForge named officepackage.

What if we told you that its description and files were copied wholesale from someone else's project on GitHub?

And after clicking, users were redirected not to the 'loading' project page but to yet another intermediary site with yet another Download button.

1 week ago @ kaspersky.ru

Stealing money from bank cards via NFC: how to protect yourself | Kaspersky Blog

The smartphone with that account is then used to pay for goods with someone else's card, either in an ordinary shop or at a fake retail outlet with an NFC-capable payment terminal.

No immediate charges appear on the card, and many people, seeing nothing suspicious on their statement, forget the episode and relax.

How money is stolen from cards: criminals link ten or even several dozen cards to a single smartphone without trying to spend from them.

The latter then used it to pay for purchases or withdraw cash at an NFC-enabled ATM.

When the victim holds their phone up to the ATM, the fraudster relays their own card data to it, and the money ends up in the fraudster's account.

1 week, 5 days ago @ kaspersky.ru

The polyglot technique for disguising malware | Kaspersky Blog

What is interesting is the way the attackers hid their malicious code in a seemingly harmless file: they used the polyglot technique.

They are used to disguise malware: to the user, and to some protection mechanisms, they can look like something entirely benign, such as an image or a document.

Unit 42 investigated an attack using a help file in Microsoft Compiled HTML Help format (.chm extension) that is simultaneously an HTML Application (an .hta file).

Inside the archive was a shortcut: a file with the double extension .pdf.lnk.

And to have the most up-to-date data on techniques, tactics…
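
As an added example (my code, not from the Kaspersky or Unit 42 write-ups), the Python below applies three checks that catch both tricks named above: a document-looking double extension such as .pdf.lnk, content whose magic bytes disagree with its extension, and HTML or script markup hiding under a non-HTML extension, which is what a CHM-that-is-also-HTA looks like in its first bytes. The magic values are the real on-disk signatures; the sample files are constructed here.

```python
"""Flag files whose name and content disagree: document-looking double
extensions such as .pdf.lnk, and bytes whose magic does not match the claimed
type, including HTML/script markup hiding under a non-HTML extension.

Added example, not code from the Kaspersky or Unit 42 write-ups. The magic
values are the real on-disk signatures; the sample files are constructed.
"""

# Leading bytes of a few formats that turn up in lure attachments.
MAGIC = {
    ".pdf": b"%PDF-",
    ".chm": b"ITSF",
    # Shell link: header size 0x4C followed by the LNK class ID.
    ".lnk": b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46",
    ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".exe": b"MZ",
}

# Extensions Windows executes rather than merely displays.
EXECUTABLE_EXTS = {".lnk", ".exe", ".scr", ".hta", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".chm"}
# Extensions a user reads as "just a document or picture".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
HTML_EXTS = {".htm", ".html", ".hta"}


def detect_type(head):
    """Extensions whose magic matches the first bytes (usually zero or one)."""
    return [ext for ext, sig in MAGIC.items() if head.startswith(sig)]


def assess(name, head):
    """Return findings for a filename plus the first bytes of its content."""
    findings = []
    parts = name.lower().split(".")
    exts = ["." + p for p in parts[1:]]          # every extension after the base name
    real_ext = exts[-1] if exts else ""

    # 1. "invoice.pdf.lnk": the user sees a PDF, Windows runs a shortcut.
    if len(exts) >= 2 and real_ext in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension {''.join(exts[-2:])}: looks like "
                        f"{exts[-2]} but executes as {real_ext}")

    # 2. Content signature versus the extension it claims.
    actual = detect_type(head)
    if real_ext in MAGIC and real_ext not in actual:
        findings.append(f"content does not match {real_ext}: magic says "
                        f"{', '.join(actual) or 'unknown'}")

    # 3. Polyglot hint: markup that mshta or a browser would run, sitting inside
    #    something that calls itself a help file, image, etc. Only the bytes
    #    passed in are checked, so script buried deep in a file is missed.
    low = head.lower()
    if (b"<html" in low or b"<script" in low) and real_ext not in HTML_EXTS:
        findings.append(f"HTML/script markup under {real_ext or '(no extension)'} (polyglot?)")
    return findings


def triage(files):
    """files: {name: first_bytes}. Returns only the names with findings."""
    report = {}
    for name, head in files.items():
        hits = assess(name, head)
        if hits:
            report[name] = hits
    return report


def sample_files():
    """Constructed samples; the .chm one mimics a CHM-that-is-also-HTA polyglot."""
    return {
        "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
        "invoice.pdf.lnk": MAGIC[".lnk"] + b"\x00" * 40,
        "help.chm": b"ITSF\x03\x00\x00\x00" + b"\x00" * 24
                    + b"<html><script>new ActiveXObject('WScript.Shell')</script></html>",
        "photo.jpg": b"MZ\x90\x00\x03\x00\x00\x00",
        "notes.txt": b"plain text, nothing to see",
    }


if __name__ == "__main__":
    for name, hits in triage(sample_files()).items():
        print(name)
        for h in hits:
            print("  -", h)
```

For real files, pass the first few kilobytes read from disk as `head`. The markup check is a hint, not proof: a genuine polyglot needs both formats parsed in full (the CHM container and the HTML the HTA engine would see), and a real CHM keeps most of its HTML LZX-compressed, so a clean head does not clear the file.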

1 week, 6 days ago @ kaspersky.ru

Trojan.Arcanum: a new Trojan targeting devotees of tarot, esotericism and magic | Kaspersky Blog

Imagine what the world would be like if tarot cards could accurately predict absolutely any event!

What the Trojan is: the new Trojan.Arcanum spreads via sites devoted to fortune-telling and esotericism, posing as a 'magical' app for predicting the future.

At first glance it is a harmless program that offers the user a virtual tarot spread, an astrological compatibility calculation, or even the chance to 'charge an amulet with the energy of the Universe', whatever that means.

Once on the user's device, Trojan.Arcanum contacts a cloud C2 server and installs its payload: the Autolycus.Hermes stealer, the Karma.Miner miner and the ransomware Lysander.Scyta…

2 weeks ago @ kaspersky.ru

How a video camera can help ransomware operators | Kaspersky Blog

Although it sounds very strange, there is a logic to how events unfolded that is easy to apply to another organization and other devices in its infrastructure.

They tried to run their ransomware on the server, but the EDR system deployed in the company recognized the malware and quarantined it.

Alas, that did not stop the attackers.

The attackers managed to install their malware on this camera and encrypt the organization's servers directly from it.

How not to become the next victim: the IP camera incident clearly illustrates some principles of targeted cyberattacks and points to ways of countering them effectively.

2 weeks, 3 days ago @ kaspersky.ru

Protecting Android, Windows and Linux devices from tracking via Find My iPhone | Kaspersky Blog

The implementation is extremely simple: the tag is secretly planted on the target, and their movements are then conveniently tracked via the Apple Find My service.

But security researchers recently published research showing that remote tracking requires neither spending money on an AirTag nor even… ever getting near the victim!

The computed public key is sent back to the infected device, and the malware begins broadcasting over Bluetooth a message that mimics AirTag signals and contains this key.

How effective the tracking is: the accuracy and speed of location determination depend heavily on how many Apple devices are around the victim and how fast the victim is moving.

Of course…

2 weeks, 5 days ago @ kaspersky.ru

How the Eight Sleep smart mattress can be hacked | Kaspersky Blog

After we wrote about how a bicycle can be hacked, for a while it seemed unlikely that anyone could surprise us by hacking a more unexpected object.

So meet the internet-connected mattress made by Eight Sleep, and several ways to hack it discovered by security researcher Dylan Ayrey.

Security researcher Dylan Ayrey decided to look into how Eight Sleep was doing on security, purely out of curiosity, by his own account.

Since Eight Sleep smart mattresses, like many other modern devices, are full-fledged Linux computers, such a connection allows arbitrary code to be run remotely.

And for those who want to…

2 weeks, 6 days ago @ kaspersky.ru

CVE-2025-2783 in the Operation ForumTroll APT attack | Kaspersky Blog

The attack used a zero-day vulnerability in the Chrome browser, which we immediately reported to Google, and the company promptly released a patch closing it.

Next comes an exploit for CVE-2025-2783, which makes it possible to bypass Google Chrome's protection mechanisms.

Thanks to our experts' research, the Google Chrome developers promptly closed the vulnerability on 25 March, so we recommend making sure that the browser used in your organization is updated to at least version 134.0.6998.177/.178.

In addition, we recommend using, on all internet-connected computers, reliable security solutions equipped with modern technologies for detecting and …

2 weeks, 6 days ago @ kaspersky.ru

The best private browser in 2025: where to go from Chrome, Edge and Firefox | Kaspersky Blog

One could say that Chrome is Chromium with Google services built in, but dozens of other browsers are also based on Chromium, including Edge and Opera.

Since version 128, Firefox has included a 'privacy-preserving' ad measurement system, being tested in partnership with Facebook*.

The best browser for privacy in 2025: from June, the popular Chrome and Edge will be of little use to privacy enthusiasts, whatever extensions and settings they use.

The browser is promptly updated following Firefox releases and is available on Windows, macOS and several Linux distributions.

In addition, in Brave and Firefox you can enable the setting 'Tell websites not to sell or share my da…

3 weeks, 1 day ago @ kaspersky.ru

The Fog ransomware group publishes victims' IP addresses | Kaspersky Blog

Experts at Kaspersky's Global Research and Analysis Team (GReAT) recently noticed that after Fog ransomware attacks the criminals publish not only the victims' stolen data but also the IP addresses of the affected computers.

We had not previously seen this tactic from ransomware operators.

Fog attacks have been carried out against companies in education, finance and leisure.

Why publish victims' IP addresses: our experts believe the main purpose of publishing IP addresses is to increase psychological pressure on the victims.

This in turn makes the consequences of publication even more unpleasant and therefore serves as an additional means of intimidation.

3 weeks, 4 days ago @ kaspersky.ru

Kaspersky for Linux expands protection for home users | Kaspersky Blog

Great news for all Linux users: our consumer product line now includes the Kaspersky for Linux security solution.

Kaspersky for Linux supports the common key distributions Ubuntu, ALT Linux, Uncom and RED OS (64-bit versions).

Then download the installation files for your Linux version: Kaspersky for Linux is distributed as DEB and RPM packages.

At present, the set of features available to Kaspersky for Linux users does not depend on whether the subscription is Kaspersky Standard, Kaspersky Plus or Kaspersky Premium.

You can try the full functionality of Kaspersky for Linux free of charge as part of a trial v…

3 weeks, 5 days ago @ kaspersky.ru

New Arcane stealer spreads disguised as Minecraft cheats | Kaspersky Blog

In late 2024 our experts discovered a new stealer, Arcane, capable of collecting a wide range of data from an infected device.

The attackers went further and released the ArcanaLoader downloader, which supposedly downloads cheats, cracks and other 'goodies' for gamers but in reality infects the device with the Arcane stealer.

How the Arcane stealer is distributed: the malicious campaign in which we found the Arcane stealer was active even before the stealer itself appeared.

Its functionality boiled down to launching PowerShell to download another password-protected archive containing two executables: a miner and the VGS stealer.

In other words, Arcane mainly targets Russian-speaking gamers.

3 weeks, 6 days ago @ kaspersky.ru
Group-IB Blog
last post: none
Cisco Security Blog
last post 4 hours ago
From Deployment to Visibility: Cisco Secure Client’s Cloud Transformation

Revolutionizing Endpoint Security: Cisco Secure Client and XDR. Managing endpoint security in today’s landscape is no small task.

Enter the Cisco Secure Client, now deployable and manageable through Client Management in Cisco XDR.

Simplified Management: the integration of AMP for Endpoints (Cisco Secure Endpoint) into Cisco Secure Client means fewer clients to manage and a more intuitive interface.

When and When Not to Make Changes: every endpoint will have a Cloud Management Module and a Cloud Management Profile.

With new cloud-based management options, such as Client Management in Cisco XDR and the standalone Cisco Secure Client Cloud Management (CSCCM) tool, administrators gain greater flexibi…

4 hours ago @ blogs.cisco.com

Sign Up for a Tour at the SOC at RSAC™ 2025 Conference

Cisco and Endace are providing SOC Services to RSAC™ 2025 Conference, monitoring traffic on the Moscone wireless network for security threats.

Experts will be using Cisco Security Cloud in the SOC, with the power of Cisco Breach Protection Suite and User Protection Suite, and Secure Firewall; with Splunk Enterprise Security as the platform.

Please complete the SOC at RSAC Tour Request Form to reserve your spot.

You can read the SOC Findings Report From RSAC™ 2024 Conference here.

Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

1 day, 4 hours ago @ blogs.cisco.com

Embracing the Quantum Era: Navigating the Quantum Shift With PQC

Quantum interference is used to manipulate qubit states, allowing quantum algorithms to solve problems more efficiently than classical computers.

Comparison – PQC, QC and CC: post-quantum cryptography (PQC) and quantum cryptography (QC) are distinct concepts.

The table below illustrates the key differences and roles of PQC, Quantum Cryptography, and Classical Cryptography, highlighting their objectives, techniques, and operational contexts.

Feature | Post-Quantum Cryptography (PQC) | Quantum Cryptography (QC) | Classical Cryptography (CC)
Objective | Secure against quantum computer attacks | Use quantum mechanics for cryptographic tasks | Secure using mathematically hard problems
Operation | Runs on classical …

6 days, 4 hours ago @ blogs.cisco.com

From Firewalls to AI: The Evolution of Real-Time Cyber Defense

Traditional intrusion detection systems (IDS) have relied on rule-based or signature-based detection, which struggles to keep up with evolving cyber threats.

With the introduction of artificial intelligence (AI), real-time intrusion detection has become more dynamic and efficient.

By incorporating artificial neural networks (ANNs) into intrusion detection systems, firewalls can learn from observed attacks and become increasingly accurate.

LSTM-based firewalls can identify time-based anomalies and flag suspicious behaviour before it becomes a problem.

As cyber threats continue to advance, AI-driven methods will be the answer to real-time defense mechanisms.

1 week ago @ blogs.cisco.com

Mobile World Congress 2025: SOC in the Network Operations Center

Cisco at MWC 2025: A Powerhouse of Innovation. In true Cisco fashion, our booth wasn’t just a space but rather a hub of innovation and collaboration.

We also connected the integrations with Cisco XDR, for Dashboard visibility and Incident investigation.

Cisco’s SNOC Team remains committed to staying one step ahead, turning every challenge into an opportunity to innovate and protect.

Special appreciation to Ivan Padilla Ojeda, who was our liaison with the network team to connect everything in the SNOC.

Thank you for joining us on this journey through MWC 2025 and stay tuned for more insights and behind-the-scenes stories from MWC 2025.

1 week, 5 days ago @ blogs.cisco.com

Unlocking the Privacy Advantage to Build Trust in the Age of AI

Understanding Today’s Privacy Landscape: in our interconnected world, data privacy has become increasingly important.

The Cisco 2025 Data Privacy Benchmark Study, which gathered perspectives from 2,600+ privacy and security professionals across 12 countries, paints a dynamic picture of the state of privacy today.

Privacy and AI: The Intersection of Innovation and Responsibility. Artificial Intelligence offers substantial business value while also introducing novel privacy and security risks.

This underscores the urgent need for robust AI security and privacy frameworks and controls to protect non-public data during development, deployment, and use of AI.

Explore these trends and more in the Cis…

1 week, 6 days ago @ blogs.cisco.com

Network Visibility Module and Zeek Detections in Secure Network Analytics

Secure Network Analytics version 7.5.2 has been released, offering exciting new features such as the Network Visibility Module (NVM) and Zeek detections.

By integrating a more diverse range of telemetry sources, Secure Network Analytics significantly enhances network visibility and provides deeper insights into network activities.

The Secure Network Analytics version 7.5.2 software updates can be downloaded from Cisco Software Central.

New Network Visibility Module (NVM) Alerts: Network Visibility Module is a component of Cisco Secure Client that records and reports on network activity from an endpoint device and ties in endpoint style information with those network details.

The detections en…

2 weeks ago @ blogs.cisco.com

The Benefits of a Broad and Open Integration Ecosystem

An open integration approach for extended detection and response (XDR) empowers organizations to harness the full potential of their security ecosystems.

Cisco XDR stands out in this arena by offering unmatched integration capabilities with not only Cisco solutions but a broad array of third-party tools.

Open > Native: for that reason, since inception, Cisco XDR has followed an Open XDR philosophy, or to be more precise, Hybrid XDR.

These integrations are written by trusted Cisco partners to bring their products into the Cisco XDR ecosystem and are vetted by Cisco XDR Engineering and Quality Assurance teams prior to release.

If your cybersecurity company would like to build an integration wit…

2 weeks, 6 days ago @ blogs.cisco.com

Cisco Co-Authors Update to the NIST Adversarial Machine Learning Taxonomy

Robust Intelligence (now a part of Cisco) and the UK AI Security Institute partnered with the National Institute of Standards and Technology (NIST) to release the latest update to the Adversarial Machine Learning Taxonomy.

This transatlantic partnership aimed to fill this need for a comprehensive adversarial AI threat landscape, while creating alignment across regions in standardizing an approach to understanding and mitigating adversarial AI.

It also included a preliminary AI attacker technique landscape for generative AI, models that generate new content based on existing data.

In the latest update of the taxonomy, we expand on the generative AI adversarial techniques and violations secti…

3 weeks, 1 day ago @ blogs.cisco.com

Cisco Introduces the State of AI Security Report for 2025: Key Developments, Trends, and Predictions in AI Security

That’s why we’re excited to introduce our inaugural State of AI Security report.

The State of AI Security report examines several AI-specific attack vectors including prompt injection attacks, data poisoning, and data extraction attacks.

Original AI Security Research: the Cisco AI security research team has led and contributed to several pieces of groundbreaking research which are highlighted in the State of AI Security report.

The State of AI Security report outlines several actionable recommendations, including managing security risks throughout the AI lifecycle, implementing strong access controls, and adopting AI security standards such as the NIST AI Risk Management Framework and MITRE A…

3 weeks, 5 days ago @ blogs.cisco.com
Redefining Security Management in a Hyperconnected World

Cisco is bringing Secure Workload, Secure Access, and AI Defense into Security Cloud Control, enhancing its capabilities and providing comprehensive management.

4 weeks ago @ blogs.cisco.com
The Quantum Sky Is Falling! Understanding the Quantum Threat to Network Security

Unlike selective upgrades of network devices based on what features are needed in the field, the Quantum security threat would require all the devices to be upgraded.

This kind of unique hardware integrity measure must also be made Quantum safe to maintain the same level of trust in the Quantum Computing era.

Lastly, in my previous blog post on Quantum threat to network security, the threat to transport protocol security was highlighted along with the available solutions from Cisco.

So far, the solutions to address the threat to key negotiation were centered around various forms of Quantum Key Distribution methods.

Cisco is actively working on Quantum Safe Security solutions and is also inv…

1 month ago @ blogs.cisco.com
Unyielding Defense: Cisco Firewall Achieves AAA Rating From SE Labs

Enter Cisco Secure Firewall 4225, which demonstrated exceptional performance in SE Labs’ rigorous Advanced Security Test, scoring 100% in protection accuracy.

In all cases with Cisco Secure Firewall, threats could not move beyond the earliest stage of the attack chain.

With three classified as unknown, and according to SE Labs’ weighting system, Secure Firewall achieved a rating of 91%.

This report follows our recent Best Next Generation Firewall Award from SE Labs for Cisco Secure Firewall, our second year in a row receiving this excellent recognition.

1 month ago @ blogs.cisco.com
Canadian Bacon: Cloud Native & Security?

Now, leveraging a single cloud service provider may allow you to overcome this challenge, but these native security controls tend to lack advanced capabilities seen in traditional networks.

What defenders tend to do is leverage traditional skills and products from the data center and migrate that into the cloud service provider.

Cisco provides a mechanism that allows security practitioners and network operators to abstract the security elements from the cloud service provider.

This ensures cloud native capabilities are in place and the controls are consistent across all cloud service providers you may operate in.

Is it time to simplify cloud security without sacrificing security and the inher…

1 month, 1 week ago @ blogs.cisco.com
Cisco Live Melbourne SOC Report

For the second time at Cisco Live APJC, the team was tapped to support the Cisco Live Melbourne 2024 conference.

SOC Review: The Cisco Live Security Operations Centre (SOC) has a mandate to ensure access to event services is delivered securely.

Cisco Secure Network Analytics: Cisco Secure Network Analytics (formerly known as Stealthwatch Enterprise) provides full visibility across the Conference network and uses advanced analytics to detect and respond to threats in real-time.

In the Cisco Live SOC, XDR is used as the triage platform.

The Cisco Security Cloud app, which is published on the Splunkbase app store, is a single app to get data from Cisco Security tools into Splunk.

1 month, 2 weeks ago @ blogs.cisco.com
Microsoft Security
last post 1 day ago
Explore how to secure AI by attending our Learn Live Series

Register to attend one or all our Learn Live sessions to learn how to secure your environment for AI adoption.

The post Explore how to secure AI by attending our Learn Live Series appeared first on Microsoft Security Blog.

1 day ago @ techcommunity.microsoft.com
The ultimate guide to Microsoft Security at RSAC 2025

For RSAC 2025, Microsoft Security is bringing an exciting lineup of sessions, expert panels, and exclusive networking opportunities to empower security professionals in the era of AI.

4 days, 19 hours ago @ techcommunity.microsoft.com
Stopping attacks against on-premises Exchange Server and SharePoint Server with AMSI

Exchange Server and SharePoint Server are business-critical assets and considered crown jewels for many organizations, making them attractive targets for attacks.

This AMSI integration on SharePoint Server and Exchange Server becomes especially important when attackers attempt to exploit security vulnerabilities, particularly zero-days.

AMSI integration: In both SharePoint Server and Exchange Server, AMSI is integrated as a security filter module within the IIS pipeline to inspect incoming HTTP requests before they are processed by the application.

Here are steps that organizations can take: Activate AMSI on Exchange Server and SharePoint Server.

To hear stories and insights from the Microsoft…

5 days, 23 hours ago @ microsoft.com
How cyberattackers exploit domain controllers using ransomware

The role of domain controllers in ransomware campaigns: Domain controllers are the backbone of any on-premises environment, managing identity and access through Active Directory (AD).

—The cyberattacker leverages the domain controller’s wide network visibility and high privileges to map the network using different tools, focusing on servers and network shares.

—Leveraging the domain controller’s native group policy functionality, the cyberattacker attempts to tamper with the victim’s antivirus by modifying security-related group policy settings.

Assuming they’re able to validate a domain controller’s effectiveness, they begin by running the payload locally on the domain controller.

Protecting…

6 days ago @ microsoft.com
Exploitation of CLFS zero-day leads to ransomware activity

Ransomware threat actors value post-compromise elevation of privilege exploits because these could enable them to escalate initial access, including handoffs from commodity malware distributors, into privileged access.

CVE-2025-29824: A zero-day vulnerability in the Common Log File System (CLFS). The exploit activity discovered by Microsoft targets a zero-day vulnerability in the Common Log File System (CLFS) kernel driver.

Microsoft Defender Antivirus: Microsoft Defender Antivirus detects threats associated with this activity as the following malware: SilverBasket (Win64/Windows), MSBuildInlineTaskLoader.C (Script/Windows). Microsoft Defender for Endpoint: The following alerts might indicate threat a…

6 days, 22 hours ago @ microsoft.com
Meet the Deputy CISOs who help shape Microsoft’s approach to cybersecurity

Igor Sakhnov: “As Microsoft’s Corporate Vice President of Engineering for Identity, I lead data and platform engineering along with business-facing initiatives.

My journey began with a deep interest in understanding how systems work and how they interact and perform at scale.

From our signature Pre-Day to demos and networking, discover how Microsoft Security can give you the advantage you need in the era of AI.

Register now. To learn more about Microsoft Security solutions, visit our website.

Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

1 week ago @ microsoft.com
Tech Accelerator: Azure security and AI adoption

During the Tech Accelerator event on April 22, 2025, you will learn how to leverage Microsoft security guidance, products, and tooling throughout your cloud journey.

1 week, 1 day ago @ techcommunity.microsoft.com
Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft Defender Antivirus: Microsoft Defender Antivirus detects threat components used in the campaigns shared in this blog as the following. Microsoft Defender for Endpoint: The following alerts might indicate threat activity associated with this threat.

Microsoft Defender Threat Intelligence: Microsoft Security Copilot customers can also use the Microsoft Security Copilot integration in Microsoft Defender Threat Intelligence, either in the Security Copilot standalone portal or in the embedded experience in the Microsoft Defender portal, to get more information about this threat actor.

1 week, 5 days ago @ microsoft.com
Transforming public sector security operations in the AI era

Read the datasheet. Microsoft’s unified security operations for public sector: Embracing modern security technology, processes, and continuous skill development is vital for protecting public sector organizations.

The AI-powered unified security operations platform offers an enhanced and streamlined approach to security operations by integrating security information and event management (SIEM), security orchestration, automation, and response (SOAR), extended detection and response (XDR), posture and exposure management, cloud security, threat intelligence, and AI into a single, cohesive experience, eliminating silos and providing end-to-end security operations (SecOps).

By adopting Microsoft S…

2 weeks ago @ microsoft.com
Analyzing open-source bootloaders: Finding vulnerabilities faster with AI

CVE-2021-3695, CVE-2021-3696, CVE-2021-3697 | Image parsing | Several buffer overflow vulnerabilities were discovered when parsing images.
CVE-2022-28733, CVE-2022-28734 | Network | Various buffer overflow vulnerabilities when parsing IP or HTTP packets.
CVE-2025-0678 | ReiserFS (filesystem) | Buffer overflow in symbolic link handling due to an integer overflow in allocation.
CVE-2025-0689 | HFS (filesystem) | Buffer overflow in filesystem mounting due to wild strcpy function on a non-NUL-terminated string.

Bootloader | Vulnerability | Description
U-boot | CVE-2025-26726 | SquashFS directory table parsing buffer overflow
U-boot | CVE-2025-26727 | SquashFS inode parsing buffer overflow
U-boot | CVE-2025-26728 | SquashFS nested f…

2 weeks, 1 day ago @ microsoft.com
New innovations in Microsoft Purview for protected, AI-ready data

The Microsoft Fabric and Microsoft Purview teams are excited to be in Las Vegas from March 31 to April 2, 2025, for the second annual and highly anticipated Microsoft Fabric Community Conference.

Additionally, with the convergence of the responsibilities of cybersecurity and data teams, customers are asking for a solution that turns data security and data governance into a team sport to address issues such as data discovery, data classification, data loss prevention, and data quality in a unified way.

Since last year’s Microsoft Fabric Community Conference, Microsoft Purview has extended Microsoft Purview Information Protection and Purview DLP policy tip value across the data estate, including…

2 weeks, 1 day ago @ microsoft.com
US Department of Labor’s journey to Zero Trust security with Microsoft Entra ID

To review how Microsoft Entra ID can help your department or agency meet federal cybersecurity requirements, while reducing complexity and improving the user experience, visit Microsoft Entra ID: Enhancing identity security for US agencies.

Adopting Microsoft Entra ID as a centralized identity system: Like many organizations, DOL first used Entra ID (then called Azure Active Directory) when they adopted Microsoft 365.

Integrating applications with Entra ID makes it possible to strengthen security by applying Conditional Access policies to them.

To explore the phishing-resistant authentication methods available with Microsoft Entra, see the video series Phishing-resistant authentication in Mic…

2 weeks, 5 days ago @ microsoft.com
Microsoft unveils Microsoft Security Copilot agents and new protections for AI

One year ago, we launched Microsoft Security Copilot to empower defenders to detect, investigate, and respond to security incidents swiftly and accurately.

We are expanding Security Copilot with six security agents built by Microsoft and five security agents built by our partners—available for preview in April 2025.

Six new agentic solutions from Microsoft Security: Building on the transformative capabilities of Security Copilot, the six Microsoft Security Copilot agents enable teams to autonomously handle high-volume security and IT tasks while seamlessly integrating with Microsoft Security solutions.

New AI-powered data security investigations and analysis: We are also announcing Microsoft Pu…

3 weeks, 1 day ago @ microsoft.com
AI innovation requires AI security: Hear what’s new at Microsoft Secure

When you’re secure—innovation happens. But, the fast pace of AI often outpaces traditional security measures, leaving gaps that bad actors can take advantage of. As a security professional, you’re the hero in this battle between protecting vast amounts of data while ensuring AI systems remain transparent and compliant. What you need in this time of new threats and complexity in securing interconnected AI applications is a proactive, innovative approach to stay ahead.

4 weeks ago @ techcommunity.microsoft.com
StilachiRAT analysis: From system reconnaissance to cryptocurrency theft

Persistence mechanisms: Achieves persistence through the Windows service control manager (SCM) and uses watchdog threads to ensure self-reinstatement if removed.

These commands include system reboot, log clearing, credential theft, executing applications, and manipulating system windows.

Learn more: For the latest security research from the Microsoft Threat Intelligence community, check out the Microsoft Threat Intelligence Blog: https://aka.ms/threatintelblog.

To hear stories and insights from the Microsoft Threat Intelligence communit…

4 weeks ago @ microsoft.com
Google Online Security Blog
last post 1 week, 3 days ago
Google announces Sec-Gemini v1, a new experimental cybersecurity model

Today, we’re announcing Sec-Gemini v1, a new experimental AI model focused on advancing cybersecurity AI frontiers.

This is why we are making Sec-Gemini v1 freely available to select organizations, institutions, professionals, and NGOs for research purposes.

Sec-Gemini v1 outperforms other models on key cybersecurity benchmarks as a result of its advanced integration of Google Threat Intelligence (GTI), OSV, and other key data sources.

Sec-Gemini v1 outperforms other models on CTI-MCQ, a leading threat intelligence benchmark, by at least 11% (See Figure 1).

If you are interested in collaborating with us on advancing the AI cybersecurity frontier, please request early access to Sec-Gemini v1…

1 week, 3 days ago @ security.googleblog.com
Taming the Wild West of ML: Practical Model Signing with Sigstore

In partnership with NVIDIA and HiddenLayer, as part of the Open Source Security Foundation, we are now launching the first stable version of our model signing library.

These challenges are addressed by using Sigstore, a collection of tools and services that make code signing secure and easy.

These features are why we recommend Sigstore’s signing mechanism as the default approach for signing ML models.

Today the OSS community is releasing the v1.0 stable version of our model signing library as a Python package supporting Sigstore and traditional signing methods.

This model signing library is specialized to handle the sheer scale of ML models (which are usually much larger than traditional so…

1 week, 3 days ago @ security.googleblog.com
New security requirements adopted by HTTPS certificate industry

The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome.

It is non-normative and considered distinct from the requirements detailed in the Chrome Root Program Policy.

Last spring, the Chrome Root Program led ecosystem-wide experiments, emphasizing the need for linting adoption due to the discovery of widespread certificate mis-issuance.

We recently landed an updated version of the Chrome Root Program Policy that further aligns with the goals outlined in “Moving Forward, Together.” The Chrome Root Program remains committed to proactive advancement of the Web PKI.

We continue to value collaboration with web…

2 weeks, 4 days ago @ security.googleblog.com
Titan Security Keys now available in more countries

We’re excited to announce that starting today, Titan Security Keys are available for purchase in more than 10 new countries: Ireland, Portugal, The Netherlands, Denmark, Norway, Sweden, Finland, Australia, New Zealand, Singapore, Puerto Rico. This expansion means Titan Security Keys are now available in 22 markets, including previously announced countries like Austria, Belgium, Canada, France, Germany, Italy, Japan, Spain, Switzerland, the UK, and the US.

What is a Titan Security Key?

How do I use a Titan Security Key?

Where can I buy a Titan Security Key?

You can buy Titan Security Keys on the Google Store.

2 weeks, 5 days ago @ security.googleblog.com
Announcing OSV-Scanner V2: Vulnerability scanner and remediation tool for open source

In December 2022, we released the open source OSV-Scanner tool, and earlier this year, we open sourced OSV-SCALIBR.

With guided remediation support for Maven, you can remediate vulnerabilities in both direct and transitive dependencies through direct version updates or overriding versions through dependency management.

We also introduced machine readable output for guided remediation that makes it easier to integrate guided remediation into your workflow.

VEX Support: We're planning to add support for Vulnerability Exchange (VEX) to facilitate better communication and collaboration around vulnerability information.

Try OSV-Scanner V2: You can try V2.0.0 and contribute to its ongoing developme…

4 weeks, 1 day ago @ security.googleblog.com
Vulnerability Reward Program: 2024 in Review

Posted by Dirk Göhmann

In 2024, our Vulnerability Reward Program confirmed the ongoing value of engaging with the security research community to make Google and its products safer. This was evident as we awarded just shy of $12 million to over 600 researchers based in countries around the globe across all of our programs.

Vulnerability Reward Program 2024 in Numbers: You can learn about who’s reporting to the Vulnerability Reward Program via our Leaderboard – and find out more about our youngest security researchers who’ve recently joined the ranks of Google bug hunters.

VRP Highlights in 2024: In 2024 we made a series of changes and improvements coming to our vulnerability reward programs and rel…

1 month, 1 week ago @ security.googleblog.com
New AI-Powered Scam Detection Features to Help Protect You on Android

Scam Detection in Google Messages uses powerful Google AI to proactively address conversational scams by providing real-time detection even after initial messages are received.

You can turn off Spam Protection, which includes Scam Detection, in your Google Messages at any time.

Scam Detection in Google Messages is launching in English first in the U.S., U.K. and Canada and will expand to more countries soon.

Scam Detection for calls: More than half of Americans reported receiving at least one scam call per day in 2024.

If enabled, Scam Detection will beep at the start and during the call to notify participants the feature is on.

1 month, 1 week ago @ security.googleblog.com
Securing tomorrow's software: the need for memory safety standards

This includes memory-safe languages, now including high-performance ones such as Rust, as well as safer language subsets like Safe Buffers for C++.

In Android for example, the increasing adoption of memory-safe languages like Kotlin and Rust in new code has driven a significant reduction in vulnerabilities.

In this way, policymakers will gain the technical foundation to craft effective policy initiatives and incentives promoting memory safety.

Importantly, our vision for achieving memory safety through standardization focuses on defining the desired outcomes rather than locking ourselves into specific technologies.

The goal would be to objectively compare the memory safety assurance of diff…

1 month, 2 weeks ago @ security.googleblog.com
How we kept the Google Play & Android app ecosystems safe in 2024

Google Play’s multi-layered protections against bad apps: To create a trusted experience for everyone on Google Play, we use our SAFE principles as a guide, incorporating multi-layered protections that are always evolving to help keep Google Play safe.

Google Play Protect automatically scans every app on Android devices with Google Play Services, no matter the download source.

In 2024, Google Play Protect’s real-time scanning identified more than 13 million new malicious apps from outside Google Play.

To prevent this, the Play Protect app scanning toggle is now temporarily disabled during phone or video calls.

2 months, 2 weeks ago @ security.googleblog.com
How we estimate the risk from prompt injection attacks on AI systems

This type of attack is commonly referred to as an "indirect prompt injection," a term first coined by Kai Greshake and the NVIDIA team.

One of these tools is a robust evaluation framework we have developed to automatically red-team an AI system’s vulnerability to indirect prompt injection attacks.

Threat model and evaluation framework: Our threat model concentrates on an attacker using indirect prompt injection to exfiltrate sensitive information, as illustrated above.

Based on this probability, the attack model refines the prompt injection.

This process repeats until the attack model converges to a successful prompt injection.

2 months, 2 weeks ago @ security.googleblog.com
Android enhances theft protection with Identity Check and expanded features

This is why we recently launched Android theft protection, a comprehensive suite of features designed to protect you and your data at every stage – before, during, and after device theft.

As part of enabling Identity Check, you can designate one or more trusted locations.

Theft Detection Lock: expanding AI-powered protection to more users: One of the top theft protection features introduced last year was Theft Detection Lock, which uses an on-device AI-powered algorithm to help detect when your phone may be forcibly taken from you.

You can turn on the new Android theft features by clicking here on a supported Android device.

Learn more about our theft protection features by visiting our help …

2 months, 3 weeks ago @ security.googleblog.com
OSV-SCALIBR: A library for Software Composition Analysis

Today, we’re excited to release OSV-SCALIBR (Software Composition Analysis LIBRary), an extensible library for SCA and file system scanning.

We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface.

OSV-Scanner + OSV-SCALIBR: Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities using much of the same extraction as OSV-SCALIBR.

Some of OSV-SCALIBR’s capabilities are not yet available in OSV-Scanner, but we’re currently working on integrating OSV-SCALIBR more deeply into O…

2 months, 4 weeks ago @ security.googleblog.com
Google Cloud expands vulnerability detection for Artifact Registry using OSV

Fortunately, they can now improve their image and container security by harnessing Google-grade vulnerability scanning, which offers expanded open-source coverage.

A significant benefit of utilizing Google Cloud Platform is its integrated security tools, including Artifact Analysis.

This integration provides industry-leading insights into open source vulnerabilities—a crucial capability as software supply chain attacks continue to grow in frequency and complexity, impacting organizations reliant on open source software.

Open source vulnerabilities, with more reach: Artifact Analysis pulls vulnerability information directly from OSV, which is the only open source, distributed vulnerability dat…

4 months ago @ security.googleblog.com
Announcing the launch of Vanir: Open-source Security Patch Validation

Today, we are announcing the availability of Vanir, a new open-source security patch validation tool.

In collaboration with the Google Open Source Security Team, we have incorporated feedback from our early adopters to improve Vanir and make it more useful for security professionals.

These algorithms have low false-alarm rates and can effectively handle broad classes of code changes that might appear in code patch processes.

The Vanir signatures for Android vulnerabilities are published through the Open Source Vulnerabilities (OSV) database.

You can also contribute to Vanir by providing vulnerability data with Vanir signatures to OSV.

4 months, 1 week ago @ security.googleblog.com
Leveling Up Fuzzing: Finding more vulnerabilities with AI

But these particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets.

The ideal solution would be to completely automate the manual process of developing a fuzz target end to end: Drafting an initial fuzz target.

Running the corrected fuzz target for a longer period of time, and triaging any crashes to determine the root cause.

In January 2024, we open sourced the framework that we were building to enable an LLM to generate fuzz targets.

New results: More code coverage and discovered vulnerabilities: We’re now able to automatically gain more coverage in 272 C/C++ projects on OSS-Fuzz (up from 160), …

4 months, 3 weeks ago @ security.googleblog.com