Aggregator
US Officials Urge Congress to Reauthorize Key Quantum Law
Federal scientists told Congress that failure to reauthorize the National Quantum Initiative threatens to unravel coordinated research and development progress, stall commercialization and allow China to surpass U.S. leadership as adversaries accelerate post-quantum capabilities.
Breach Roundup: DOGE Uploaded Social Security Data to Cloud
This week, DOGE posted sensitive data on an outside server. A phishing attack affected 750,000 Canadians. A hacktivism warning from the U.K. NCSC. An Ingram Micro breach. CVEs surged in 2025. SK Telecom challenged a fine. Researchers disclosed Chainlit flaws. North Korean hackers abused VS Code.
HHS Watchdog Urges Cyber Governance Overhaul
Auditors say the U.S. Department of Health and Human Services should buttress its ability to respond to cyberthreats by standardizing governance and controls across its many divisions - and also do a better job of overseeing its many contractors and the risk they introduce.
Okta users under attack: Modern phishing kits are turbocharging vishing attacks
Threat actors who specialize in vishing (i.e., voice phishing) have started using phishing kits that can intercept targets’ login credentials while also allowing attackers to control the authentication flow in a targeted user’s browser in real-time. At least two custom-made phishing kits are currently used by a number of threat actors that go after credentials and authentication factors to gain access to corporate systems and assets. “These custom kits are made available on an as-a-service …
The post Okta users under attack: Modern phishing kits are turbocharging vishing attacks appeared first on Help Net Security.
The 2025 Phishing Surge Proved One Thing: Chasing Doesn’t Work
Let's get something out of the way: retrospectives can feel a bit like mandatory fun. Someone gathers up the year's events, packages them into neat categories, and delivers "key takeaways" that land somewhere between obvious and forgettable. This is not that.
The post The 2025 Phishing Surge Proved One Thing: Chasing Doesn’t Work appeared first on Security Boulevard.
Fortinet Confirms Active FortiCloud SSO Bypass on Fully Patched FortiGate Firewalls
Princess Amalia Completes General Military Training
AIs are Getting Better at Finding and Exploiting Internet Vulnerabilities
Really interesting blog post from Anthropic:
In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates how barriers to the use of AI in relatively autonomous cyber workflows are rapidly coming down, and highlights the importance of security fundamentals like promptly patching known vulnerabilities.
[…]
A notable development during the testing of Claude Sonnet 4.5 is that the model can now succeed on a minority of the networks without the custom cyber toolkit needed by previous generations. In particular, Sonnet 4.5 can now exfiltrate all of the (simulated) personal information in a high-fidelity simulation of the Equifax data breach—one of the costliest cyber attacks in history—using only a Bash shell on a widely-available Kali Linux host (standard, open-source tools for penetration testing; not a custom toolkit). Sonnet 4.5 accomplishes this by instantly recognizing a publicized CVE and writing code to exploit it without needing to look it up or iterate on it. Recalling that the original Equifax breach happened by exploiting a publicized CVE that had not yet been patched, the prospect of highly competent and fast AI agents leveraging this approach underscores the pressing need for security best practices like prompt updates and patches. ...
The post AIs are Getting Better at Finding and Exploiting Internet Vulnerabilities appeared first on Security Boulevard.
Mass Data, Mass Surveillance, and the Erosion of Particularity: The Fourth Amendment in the Age of Geofence Warrants and Artificial Intelligence
The Supreme Court’s review of United States v. Chatrie puts geofence warrants and mass digital data seizures under Fourth Amendment scrutiny, raising urgent questions about particularity, AI-driven searches, and constitutional limits in the digital age.
The post Mass Data, Mass Surveillance, and the Erosion of Particularity: The Fourth Amendment in the Age of Geofence Warrants and Artificial Intelligence appeared first on Security Boulevard.
1Password targets AI-driven phishing with built-in prevention
To help reduce phishing risk, 1Password added an extra layer of protection and began rolling out a phishing prevention feature designed to stop users before they share passwords with scammers. How 1Password phishing prevention works: When a user clicks a link whose URL doesn’t match a saved login, 1Password will not autofill their credentials. To avoid confusion, the product displays a warning message that prompts users to pause and reconsider before proceeding. For …
The post 1Password targets AI-driven phishing with built-in prevention appeared first on Help Net Security.
Top Entrepreneurs Share Their Experiences with Rapid Growth and Change
10 Questions Enterprise Leaders Should Ask Before Running a Red Teaming Exercise
Red Teaming has become one of the most discussed and misunderstood practices in modern cybersecurity. Many organizations invest heavily in vulnerability scanners and penetration tests, yet breaches continue to happen through paths those tools never simulate. Enterprise leaders now ask a deeper question: “Does our security testing completely reflect how attackers will break in?” This […]
The post 10 Questions Enterprise Leaders Should Ask Before Running a Red Teaming Exercise appeared first on Kratikal Blogs.
The post 10 Questions Enterprise Leaders Should Ask Before Running a Red Teaming Exercise appeared first on Security Boulevard.
TikTok Forms U.S. Joint Venture to Continue Operations Under 2025 Executive Order
Phishing Attack Uses Stolen Credentials to Install LogMeIn RMM for Persistent Access
How ASPM Protects Cloud-Native Applications from Misconfigurations and Exploits
Cloud-native applications have changed how businesses build and scale software. Microservices, containers, and serverless architectures enable faster and more flexible development, but they also make the environment more challenging to...
The post How ASPM Protects Cloud-Native Applications from Misconfigurations and Exploits appeared first on Strobes Security.
The post How ASPM Protects Cloud-Native Applications from Misconfigurations and Exploits appeared first on Security Boulevard.