Microsoft is updating Windows 11 with a set of new encryption algorithms that can withstand future attacks from quantum computers in a move aimed at jump-starting what’s likely to be the most formidable and important technology transition in modern history.

Computers that are based on the physics of quantum mechanics don’t yet exist outside of sophisticated labs, but it’s well-established science that they eventually will. Instead of processing data in the binary state of zeros and ones, quantum computers run on qubits, which encompass myriad states all at once. This new capability promises to bring about new discoveries of unprecedented scale in a host of fields, including metallurgy, chemistry, drug discovery, and financial modeling.

Averting the cryptopocalypse

One of the most disruptive changes quantum computing will bring is the breaking of some of the most common forms of encryption, specifically, the RSA cryptosystem and those based on elliptic curves. These systems are the workhorses that banks, governments, and online services around the world have relied on for more than four decades to keep their most sensitive data confidential. RSA and elliptic curve encryption keys securing web connections would require millions of years to be cracked using today’s computers. A quantum computer could crack the same keys in a matter of hours or minutes.

Read full article

Comments

© Getty Images

The FBI is warning people to be vigilant of an ongoing malicious messaging campaign that uses AI-generated voice audio to impersonate government officials in an attempt to trick recipients into clicking on links that can infect their computers.

“Since April 2025, malicious actors have impersonated senior US officials to target individuals, many of whom are current or former senior US federal or state government officials and their contacts,” Thursday’s advisory from the bureau’s Internet Crime Complaint Center said. “If you receive a message claiming to be from a senior US official, do not assume it is authentic.”

Think you can’t be fooled? Think again.

The campaign's creators are sending AI-generated voice messages—better known as deepfakes—along with text messages “in an effort to establish rapport before gaining access to personal accounts,” FBI officials said. Deepfakes use AI to mimic the voice and speaking characteristics of a specific individual. The differences between the authentic and simulated speakers are often indistinguishable without trained analysis. Deepfake videos work similarly.

Read full article

Comments

© Getty Images

Threat actors, likely supported by the Russian government, hacked multiple high-value mail servers around the world by exploiting XSS vulnerabilities, a class of bug that was among the most commonly exploited in decades past.

XSS is short for cross-site scripting. Vulnerabilities result from programming errors found in webserver software that, when exploited, allow attackers to execute malicious code in the browsers of people visiting an affected website. XSS first got attention in 2005, with the creation of the Samy Worm, which knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. XSS exploits abounded for the next decade and have gradually fizzled more recently, although this class of attacks continues now.

Just add JavaScript

On Thursday, security firm ESET reported that Sednit, a Kremlin-backed hacking group also tracked as APT28, Fancy Bear, Forest Blizzard, and Sofacy—gained access to high-value email accounts by exploiting XSS vulnerabilities in mail server software from four different makers. Those packages are: Roundcube, MDaemon, Horde, and Zimbra.

Read full article

Comments

© Getty Images

Google is adding a new security setting to Android to provide an extra layer of resistance against attacks that infect devices, tap calls traveling through insecure carrier networks, and deliver scams through messaging services.

On Tuesday, the company unveiled the Advanced Protection mode, most of which will be rolled out in the upcoming release of Android 16. The setting comes as mercenary malware sold by NSO Group and a cottage industry of other exploit sellers continues to thrive. These players provide attacks-as-a-service through end-to-end platforms that exploit zero-day vulnerabilities on targeted devices, infect them with advanced spyware, and then capture contacts, message histories, locations, and other sensitive information. Over the past decade, phones running fully updated versions of Android and iOS have routinely been hacked through these services.

A core suite of enhanced security features

Advanced Protection is Google’s latest answer to this type of attack. By flipping a single button in device settings, users can enable a host of protections that can thwart some of the most common techniques used in sophisticated hacks. In some cases, the protections hamper performance and capabilities of the device, so Google is recommending the new mode mainly for journalists, elected officials, and other groups who are most often targeted or have the most to lose when infected.

Read full article

Comments

© Getty Images

Imagine a world where AI-powered bots can buy or sell cryptocurrency, make investments, and execute software-defined contracts at the blink of an eye, depending on minute-to-minute currency prices, breaking news, or other market-moving events. Then imagine an adversary causing the bot to redirect payments to an account they control by doing nothing more than entering a few sentences into the bot’s prompt.

That’s the scenario depicted in recently released research that developed a working exploit against ElizaOS, a fledgling open source framework.

ElizaOS is a framework for creating agents that use large language models to perform various blockchain-based transactions on behalf of a user based on a set of predefined rules. It was introduced in October under the name Ai16z and was changed to its current name in January. The framework remains largely experimental, but champions of decentralized autonomous organizations (DAOs)—a model in which communities or companies are governed by decentralized computer programs running on blockchains—see it as a potential engine for jumpstarting the creation of agents that automatically navigate these so-called DAOs on behalf of end users.

Read full article

Comments

Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware, a strong indication that devices belonging to him have been hacked in recent years.

Kyle Schutt is a 30-something-year-old software engineer who, according to Dropsite News, gained access in February to a “core financial management system” belonging to the Federal Emergency Management Agency. As an employee of DOGE, Schutt accessed FEMA’s proprietary software for managing both disaster and non-disaster funding grants. Under his role at CISA, he likely is privy to sensitive information regarding the security of civilian federal government networks and critical infrastructure throughout the US.

A steady stream of published credentials

According to journalist Micah Lee, user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits. Besides pilfering login credentials, stealers can also log all keystrokes and capture or record screen output. The data is then sent to the attacker and, occasionally after that, can make its way into public credential dumps.

Read full article

Comments

© Getty Images

The world has been abuzz for weeks now about the inclusion of a journalist in a group message of senior White House officials discussing plans for a military strike. In that case, the breach was the result of then-National Security Advisor Mike Waltz accidentally adding The Atlantic Editor-in-Chief Jeffrey Goldberg to the group chat and no one else in the chat noticing. But what if someone controlling or hacking a messenger platform could do the same thing?

When it comes to WhatsApp—the Meta-owned messenger that’s frequently touted for offering end-to-end encryption—it turns out you can.

A clean bill of health except for...

A team of researchers confirmed that behavior in a recently released formal analysis of WhatsApp group messaging. They reverse-engineered the app, described the formal cryptographic protocols, and provided theorems establishing the security guarantees that WhatsApp provides. Overall, they gave the messenger a clean bill of health, finding that it works securely and as described by WhatsApp.

Read full article

Comments

© Stan Honda / Getty Images

A jury has awarded WhatsApp $167 million in punitive damages in a case the company brought against Israel-based NSO Group for exploiting a software vulnerability that hijacked the phones of thousands of users.

The verdict, reached Tuesday, comes as a major victory not just for Meta-owned WhatsApp but also for privacy- and security-rights advocates who have long criticized the practices of NSO and other exploit sellers. The jury also awarded WhatsApp $444 million in compensatory damages.

Clickless exploit

WhatsApp sued NSO in 2019 for an attack that targeted roughly 1,400 mobile phones belonging to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials. NSO, which works on behalf of governments and law enforcement authorities in various countries, exploited a critical WhatsApp vulnerability that allowed it to install NSO’s proprietary spyware Pegasus on iOS and Android devices. The clickless exploit worked by placing a call to a target's app. A target did not have to answer the call to be infected.

Read full article

Comments

© Getty Images | the-lightwriter

A California man has pleaded guilty to hacking an employee of The Walt Disney Company by tricking the person into running a malicious version of a widely used open source AI image-generation tool.

Ryan Mitchell Kramer, 25, pleaded guilty to one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer, the US Attorney for the Central District of California said Monday. In a plea agreement, Kramer said he published an app on GitHub for creating AI-generated art. The program contained malicious code that gave access to computers that installed it. Kramer operated using the moniker NullBulge.

Not the ComfyUI you’re looking for

According to researchers at VPNMentor, the program Kramer used was ComfyUI_LLMVISION, which purported to be an extension for the legitimate ComfyUI image generator and had functions added to it for copying passwords, payment card data, and other sensitive information from machines that installed it. The fake extension then sent the data to a Discord server that Kramer operated. To better disguise the malicious code, it was folded into files that used the names OpenAI and Anthropic.

Read full article

Comments

© Getty Images | naruecha jenthaisong

Hundreds of e-commerce sites, at least one owned by a large multinational company, were backdoored by malware that executes malicious code inside the browsers of visitors, where it can steal payment card information and other sensitive data, security researchers said Monday.

The infections are the result of a supply-chain attack that compromised at least three software providers with malware that remained dormant for six years and became active only in the last few weeks. At least 500 e-commerce sites that rely on the backdoored software were infected, and it’s possible that the true number is double that, researchers from security firm Sansec said.

Among the compromised customers was a $40 billion multinational company, which Sansec didn’t name. In an email Monday, a Sansec representative said that “global remediation [on the infected customers] remains limited.”

Read full article

Comments

© Getty Images

Microsoft says it’s making passwordless logins the default means for signing in to new accounts, as the company helps drive an industry-wide push to transition away from passwords and the costly security problems they have created for companies and their users.

A key part of the “passwordless by default” initiative Microsoft announced on Thursday is encouraging the use of passkeys—the new alternative to passwords that Microsoft, Google, Apple, and a large roster of other companies are developing under the coordination of the FIDO Alliance.

Going forward, Microsoft will make passkeys the default means for new users to sign in. Existing users who have yet to enroll a passkey will be presented with a prompt to do so the next time they log in.

Read full article

Comments

© Microsoft

An entire cottage industry has formed around phishing attacks that bypass some of the most common forms of multifactor authentication (MFA) and allow even non-technical users to quickly create sites that defeat the protections against account takeovers.

MFA works by requiring an additional factor of authentication besides a password, like a fingerprint, face scan, or the possession of a digital key. In theory, this prevents attackers from accessing an account even after they phish a victim’s username and password. Most often, the second form of authentication comes in the form of a one-time passcode that is sent to the user by text message or email or is generated by an authentication app that the user has already set up.

Adversary in the middle

As detailed on Thursday by Cisco Talos, an entire ecosystem has cropped up to help criminals defeat these forms of MFA. They employ an attack technique known as an adversary in the middle. The tools provide phishing-as-a-service toolkits that are marketed in online crime forums using names like Tycoon 2FA, Rockstar 2FA, Evilproxy, Greatness, and Mamba 2FA.

Read full article

Comments

© Getty Images

A new study found that code generated by AI is more likely to contain made-up information that can be used to trick software into interacting with malicious code.

From the department of head scratches comes this counterintuitive news: Microsoft says it has no plans to change a remote login protocol in Windows that allows people to log in to machines using passwords that have been revoked.

Password changes are among the first steps people should take in the event that a password has been leaked or an account has been compromised. People expect that once they've taken this step, none of the devices that relied on the password can be accessed.

Not just a bug

The Remote Desktop Protocol—the proprietary mechanism built into Windows for allowing a remote user to log in to and control a machine as if they were directly in front of it—however, will in many cases continue trusting a password even after a user has changed it. Microsoft says the behavior is a design decision to ensure users never get locked out.

Read full article

Comments

© Microsoft

AI-generated computer code is rife with references to non-existent third-party libraries, creating a golden opportunity for supply-chain attacks that poison legitimate programs with malicious packages that can steal data, plant backdoors, and carry out other nefarious actions, newly published research shows.

The study, which used 16 of the most widely used large language models to generate 576,000 code samples, found that 440,000 of the package dependencies they contained were “hallucinated,” meaning they were non-existent. Open source models hallucinated the most, with 21 percent of the dependencies linking to non-existent libraries. A dependency is an essential code component that a separate piece of code requires to work properly. Dependencies save developers the hassle of rewriting code and are an essential part of the modern software supply chain.

Package hallucination flashbacks

These non-existent dependencies represent a threat to the software supply chain by exacerbating so-called dependency confusion attacks. These attacks work by causing a software package to access the wrong component dependency, for instance by publishing a malicious package and giving it the same name as the legitimate one but with a later version stamp. Software that depends on the package will, in some cases, choose the malicious version rather than the legitimate one because the former appears to be more recent.

Read full article

Comments

© Getty Images

About a decade ago, Apple and Google started updating iOS and Android, respectively, to make them less susceptible to “juice jacking,” a form of attack that could surreptitiously steal data or execute malicious code when users plug their phones into special-purpose charging hardware. Now, researchers are revealing that, for years, the mitigations have suffered from a fundamental defect that has made them trivial to bypass.

“Juice jacking” was coined in a 2011 article on KrebsOnSecurity detailing an attack demonstrated at a Defcon security conference at the time. Juice jacking works by equipping a charger with hidden hardware that can access files and other internal resources of phones, in much the same way that a computer can when a user connects it to the phone.

An attacker would then make the chargers available in airports, shopping malls, or other public venues for use by people looking to recharge depleted batteries. While the charger was ostensibly only providing electricity to the phone, it was also secretly downloading files or running malicious code on the device behind the scenes. Starting in 2012, both Apple and Google tried to mitigate the threat by requiring users to click a confirmation button on their phones before a computer—or a computer masquerading as a charger—could access files or execute code on the phone.

Read full article

Comments

© Aurich Lawson | Getty Images

The FBI is offering $10 million for information about the China-state hacking group tracked as Salt Typhoon and its intrusion last year into sensitive networks belonging to multiple US telecommunications companies.

Salt Typhoon is one of a half-dozen or more hacking groups that work on behalf of the People’s Republic of China. Intelligence agencies and private security companies have concluded the group has been behind a string of espionage attacks designed to collect vital information, in part for use in any military conflicts that may arise in the future.

A broad and significant cyber campaign

The agency on Thursday published a statement offering up to $10 million, relocation assistance, and other compensation for information about Salt Typhoon. The announcement specifically sought information about the specific members of Salt Typhoon and the group's compromise of multiple US telecommunications companies last year.

Read full article

Comments

© Aurich Lawson

Russian military personnel are being targeted with recently discovered Android malware that steals their contacts and tracks their location.

The malware is hidden inside a modified app for Alpine Quest mapping software, which is used by, among others, hunters, athletes, and Russian personnel stationed in the war zone in Ukraine. The app displays various topographical maps for use online and offline. The trojanized Alpine Quest app is being pushed on a dedicated Telegram channel and in unofficial Android app repositories. The chief selling point of the trojanized app is that it provides a free version of Alpine Quest Pro, which is usually available only to paying users.

Looks like the real thing

The malicious module is named Android.Spy.1292.origin. In a blog post, researchers at Russia-based security firm Dr.Web wrote:

Read full article

Comments

© Getty Images

Security and privacy advocates are girding themselves for another uphill battle against Recall, the AI tool rolling out in Windows 11 that will screenshot, index, and store everything a user does every three seconds.

When Recall was first introduced in May 2024, security practitioners roundly castigated it for creating a gold mine for malicious insiders, criminals, or nation-state spies if they managed to gain even brief administrative access to a Windows device. Privacy advocates warned that Recall was ripe for abuse in intimate partner violence settings. They also noted that there was nothing stopping Recall from preserving sensitive disappearing content sent through privacy-protecting messengers such as Signal.

Enshittification at a new scale

Following months of backlash, Microsoft later suspended Recall. On Thursday, the company said it was reintroducing Recall. It currently is available only to insiders with access to the Windows 11 Build 26100.3902 preview version. Over time, the feature will be rolled out more broadly. Microsoft officials wrote:

Read full article

Comments

© Andrew Cunningham

Google is hosting dozens of extensions in its Chrome Web Store that perform suspicious actions on the more than 4 million devices that have installed them and that their developers have taken pains to carefully conceal.

The extensions, which so far number at least 35, use the same code patterns, connect to some of the same servers, and require the same list of sensitive systems permissions, including the ability to interact with web traffic on all URLs visited, access cookies, manage browser tabs, and execute scripts. In more detail, the permissions are:

• Tabs: manage and interact with browser windows
• Cookies: set and access stored browser cookies based on cookie or domain names (ex., "Authorization" or "all cookies for GitHub.com")
• WebRequest: intercept and modify web requests the browser makes
• Storage: ability to store small amounts of information persistently in the browser (these extensions store their command & control configuration here)
• Scripting: the ability to inject new JavaScript into webpages and manipulate the DOM
• Alarms: an internal messaging service to trigger events. The extension uses this to trigger events like a cron job, as it can allow for scheduling the heartbeat callbacks by the extension
• :: This works in tandem with other permissions like webRequest, but allows for the extension to functionally interact with all browsing activity (completely unnecessary for an extension that should just look at your installed extensions)

These sorts of permissions give extensions the ability to do all sorts of potentially abusive things and, as such, should be judiciously granted only to trusted extensions that can’t perform core functions without them.

Read full article

Comments

© Getty Images