Cyber Security Informer

Largest DDoS Attack to Date

Schneier on Security

JUNE 23, 2025

It was a recently unimaginable 7.3 Tbps : The vast majority of the attack was delivered in the form of User Datagram Protocol packets. Legitimate UDP-based transmissions are used in especially time-sensitive communications, such as those for video playback, gaming applications, and DNS lookups. It speeds up communications by not formally establishing a connection before data is transferred.

Surveillance in the US

Schneier on Security

JUNE 20, 2025

Good article from 404 Media on the cozy surveillance relationship between local Oregon police and ICE: In the email thread, crime analysts from several local police departments and the FBI introduced themselves to each other and made lists of surveillance tools and tactics they have access to and felt comfortable using, and in some cases offered to perform surveillance for their colleagues in other departments.

Surveillance

Surveillance Media

Self-Driving Car Video Footage

Schneier on Security

JUNE 19, 2025

Two articles crossed my path recently. First, a discussion of all the video Waymo has from outside its cars: in this case related to the LA protests. Second, a discussion of all the video Tesla has from inside its cars. Lots of things are collecting lots of video of lots of other things. How and under what rules that video is used and reused will be a continuing source of debate.

Surveillance

Where AI Provides Value

Schneier on Security

JUNE 17, 2025

If you’ve worried that AI might take your job, deprive you of your livelihood, or maybe even replace your role in society, it probably feels good to see the latest AI tools fail spectacularly. If AI recommends glue as a pizza topping , then you’re safe for another day. But the fact remains that AI already has definite advantages over even the most skilled humans, and knowing where these advantages arise—and where they don’t—will be key to adapting to the AI-infused

Advertising

Advertising Marketing Accountability Software

Upcoming Speaking Engagements

Schneier on Security

JUNE 14, 2025

This is a current list of where and when I am scheduled to speak: I’m speaking at the International Conference on Digital Trust, AI and the Future in Edinburgh, Scotland on Tuesday, June 24 at 4:00 PM. The list is maintained on this page.

Paragon Spyware used to Spy on European Journalists

Schneier on Security

JUNE 13, 2025

Paragon is a Israeli spyware company, increasingly in the news (now that NSO Group seems to be waning). “Graphite” is the name of their product. Citizen Lab caught them spying on multiple European journalists with a zero-click iOS exploit: On April 29, 2025, a select group of iOS users were notified by Apple that they were targeted with advanced spyware.

Spyware

Airlines Secretly Selling Passenger Data to the Government

Schneier on Security

JUNE 12, 2025

This is news : A data broker owned by the country’s major airlines, including Delta, American Airlines, and United, collected U.S. travellers’ domestic flight records, sold access to them to Customs and Border Protection (CBP), and then as part of the contract told CBP to not reveal where the data came from, according to internal CBP documents obtained by 404 Media.

Government

Government Media Data collection Data privacy

New Way to Track Covertly Android Users

Schneier on Security

JUNE 9, 2025

Researchers have discovered a new way to covertly track Android users. Both Meta and Yandex were using it, but have suddenly stopped now that they have been caught. The details are interesting, and worth reading in detail: >Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers

Mobile

Mobile Internet Internet

Report on the Malicious Uses of AI

Schneier on Security

JUNE 6, 2025

OpenAI just published its annual report on malicious uses of AI. By using AI as a force multiplier for our expert investigative teams, in the three months since our last report we’ve been able to detect, disrupt and expose abusive activity including social engineering, cyber espionage, deceptive employment schemes, covert influence operations and scams.

Social Engineering

Social Engineering Scams Engineering Cyber threats

Hearing on the Federal Government and AI

Schneier on Security

JUNE 6, 2025

On Thursday I testified before the House Committee on Oversight and Government Reform at a hearing titled “ The Federal Government in the Age of Artificial Intelligence.” The other speakers mostly talked about how cool AI was—and sometimes about how cool their own company was—but I was asked by the Democrats to specifically talk about DOGE and the risks of exfiltrating our data from government agencies and feeding it into AIs.

Government

Government Artificial Intelligence Risk

The Ramifications of Ukraine’s Drone Attack

Schneier on Security

JUNE 4, 2025

You can read the details of Operation Spiderweb elsewhere. What interests me are the implications for future warfare: If the Ukrainians could sneak drones so close to major air bases in a police state such as Russia, what is to prevent the Chinese from doing the same with U.S. air bases? Or the Pakistanis with Indian air bases? Or the North Koreans with South Korean air bases?

Technology

Australia Requires Ransomware Victims to Declare Payments

Schneier on Security

JUNE 2, 2025

A new Australian law requires larger companies to declare any ransomware payments they have made.

Ransomware

Surveillance Via Smart Toothbrush

Schneier on Security

MAY 29, 2025

The only links are from The Daily Mail and The Mirror , but a marital affair was discovered because the cheater was recorded using his smart toothbrush at home when he was supposed to be at work.

Surveillance

Location Tracking App for Foreigners in Moscow

Schneier on Security

MAY 28, 2025

Russia is proposing a rule that all foreigners in Moscow install a tracking app on their phones. Using a mobile application that all foreigners will have to install on their smartphones, the Russian state will receive the following information: Residence location Fingerprint Face photograph Real-time geo-location monitoring This isn’t the first time we’ve seen this.

Mobile

Chinese-Owned VPNs

Schneier on Security

MAY 27, 2025

One one my biggest worries about VPNs is the amount of trust users need to place in them, and how opaque most of them are about who owns them and what sorts of data they retain. A new study found that many commercials VPNS are (often surreptitiously) owned by Chinese companies. It would be hard for U.S. users to avoid the Chinese VPNs. The ownership of many appeared deliberately opaque, with several concealing their structure behind layers of offshore shell companies.

VPN

Signal Blocks Windows Recall

Schneier on Security

MAY 23, 2025

This article gives a good rundown of the security risks of Windows Recall, and the repurposed copyright protection took that Signal used to block the AI feature from scraping Signal data.

Risk

More AIs Are Taking Polls and Surveys

Schneier on Security

MAY 21, 2025

I already knew about the declining response rate for polls and surveys. The percentage of AI bots that respond to surveys is also increasing. Solutions are hard: 1. Make surveys less boring. We need to move past bland, grid-filled surveys and start designing experiences people actually want to complete. That means mobile-first layouts, shorter runtimes, and maybe even a dash of storytelling.

Mobile

Communications Backdoor in Chinese Power Inverters

Schneier on Security

MAY 16, 2025

This is a weird story : U.S. energy officials are reassessing the risk posed by Chinese-made devices that play a critical role in renewable energy infrastructure after unexplained communication equipment was found inside some of them, two people familiar with the matter said. […] Over the past nine months, undocumented communication devices, including cellular radios, have also been found in some batteries from multiple Chinese suppliers, one of them said.

Firewall

Firewall Risk

AI-Generated Law

Schneier on Security

MAY 15, 2025

On April 14, Dubai’s ruler, Sheikh Mohammed bin Rashid Al Maktoum, announced that the United Arab Emirates would begin using artificial intelligence to help write its laws. A new Regulatory Intelligence Office would use the technology to “regularly suggest updates” to the law and “accelerate the issuance of legislation by up to 70%.” AI would create a “comprehensive legislative plan” spanning local and federal law and would be connected to public adminis

Government

Government Artificial Intelligence Technology Accountability

Upcoming Speaking Engagements

Schneier on Security

MAY 14, 2025

This is a current list of where and when I am scheduled to speak: I’m speaking (remotely) at the Sektor 3.0 Festival in Warsaw, Poland, May 21-22, 2025. The list is maintained on this page.

Google’s Advanced Protection Now on Android

Schneier on Security

MAY 14, 2025

Google has extended its Advanced Protection features to Android devices. It’s not for everybody, but something to be considered by high-risk users. Wired article , behind a paywall.

Risk

Risk Cybersecurity

Court Rules Against NSO Group

Schneier on Security

MAY 13, 2025

The case is over : A jury has awarded WhatsApp $167 million in punitive damages in a case the company brought against Israel-based NSO Group for exploiting a software vulnerability that hijacked the phones of thousands of users. I’m sure it’ll be appealed. Everything always is.

Software

Software Hacking

Florida Backdoor Bill Fails

Schneier on Security

MAY 12, 2025

A Florida bill requiring encryption backdoors failed to pass.

Encryption

Another Move in the Deepfake Creation/Detection Arms Race

Schneier on Security

MAY 5, 2025

Deepfakes are now mimicking heartbeats In a nutshell Recent research reveals that high-quality deepfakes unintentionally retain the heartbeat patterns from their source videos, undermining traditional detection methods that relied on detecting subtle skin color changes linked to heartbeats. The assumption that deepfakes lack physiological signals, such as heart rate, is no longer valid.

Technology

Privacy for Agentic AI

Schneier on Security

MAY 2, 2025

Sooner or later, it’s going to happen. AI systems will start acting as agents, doing things on our behalf with some degree of autonomy. I think it’s worth thinking about the security of that now, while its still a nascent idea. In 2019, I joined Inrupt, a company that is commercializing Tim Berners-Lee’s open protocol for distributed data ownership.

Data privacy

NCSC Guidance on “Advanced Cryptography”

Schneier on Security

MAY 2, 2025

The UK’s National Cyber Security Centre just released its white paper on “Advanced Cryptography,” which it defines as “cryptographic techniques for processing encrypted data, providing enhanced functionality over and above that provided by traditional cryptography.” It includes things like homomorphic encryption, attribute-based encryption, zero-knowledge proofs, and secure multiparty computation.

Encryption

Encryption Cyber Attacks Authentication Risk

US as a Surveillance State

Schneier on Security

MAY 1, 2025

Two essays were just published on DOGE’s data collection and aggregation, and how it ends with a modern surveillance state. It’s good to see this finally being talked about.

Surveillance

Surveillance Data collection

WhatsApp Case Against NSO Group Progressing

Schneier on Security

APRIL 30, 2025

Meta is suing NSO Group, basically claiming that the latter hacks WhatsApp and not just WhatsApp users. We have a procedural ruling: Under the order , NSO Group is prohibited from presenting evidence about its customers’ identities, implying the targeted WhatsApp users are suspected or actual criminals, or alleging that WhatsApp had insufficient security protections. […] In making her ruling, Northern District of California Judge Phyllis Hamilton said NSO Group undercut its arguments

Hacking

Hacking Technology

Applying Security Engineering to Prompt Injection Security

Schneier on Security

APRIL 29, 2025

This seems like an important advance in LLM security against prompt injection: Google DeepMind has unveiled CaMeL (CApabilities for MachinE Learning), a new approach to stopping prompt-injection attacks that abandons the failed strategy of having AI models police themselves. Instead, CaMeL treats language models as fundamentally untrusted components within a secure software framework, creating clear boundaries between user commands and potentially malicious content. […] To understand CaMeL

Engineering

Engineering Architecture Software

Windscribe Acquitted on Charges of Not Collecting Users’ Data

Schneier on Security

APRIL 28, 2025

The company doesn’t keep logs, so couldn’t turn over data : Windscribe, a globally used privacy-first VPN service, announced today that its founder, Yegor Sak, has been fully acquitted by a court in Athens, Greece, following a two-year legal battle in which Sak was personally charged in connection with an alleged internet offence by an unknown user of the service.

VPN

VPN Internet Internet Data collection

Cryptocurrency Thefts Get Physical

Schneier on Security

APRIL 25, 2025

Long story of a $250 million cryptocurrency theft that, in a complicated chain events, resulted in a pretty brutal kidnapping.

Cryptocurrency

Cryptocurrency Cybercrime

New Linux Rootkit

Schneier on Security

APRIL 24, 2025

Interesting : The company has released a working rootkit called “Curing” that uses io_uring, a feature built into the Linux kernel, to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market. At the heart of the issue is the heavy reliance on monitoring system calls, which has become the go-to method for many cybersecurity vendors.

Marketing

Marketing Cybersecurity

Regulating AI Behavior with a Hypervisor

Schneier on Security

APRIL 23, 2025

Interesting research: “ Guillotine: Hypervisors for Isolating Malicious AIs.” Abstract :As AI models become more embedded in critical sectors like finance, healthcare, and the military, their inscrutable behavior poses ever-greater risks to society. To mitigate this risk, we propose Guillotine, a hypervisor architecture for sandboxing powerful AI models—models that, by accident or malice, can generate existential threats to humanity.

Architecture

Architecture Healthcare Software Risk

Android Improves Its Security

Schneier on Security

APRIL 22, 2025

Android phones will soon reboot themselves after sitting idle for three days. iPhones have had this feature for a while; it’s nice to see Google add it to their phones.

Cybersecurity

Age Verification Using Facial Scans

Schneier on Security

APRIL 17, 2025

Discord is testing the feature: “We’re currently running tests in select regions to age-gate access to certain spaces or user settings,” a spokesperson for Discord said in a statement. “The information shared to power the age verification method is only used for the one-time age verification process and is not stored by Discord or our vendor.

Hacking

Hacking Media

CVE Program Almost Unfunded

Schneier on Security

APRIL 16, 2025

Mitre’s CVE’s program—which provides common naming and other informational resources about cybersecurity vulnerabilities—was about to be cancelled , as the US Department of Homeland Security failed to renew the contact. It was funded for eleven more months at the last minute. This is a big deal. The CVE program is one of those pieces of common infrastructure that everyone benefits from.

CSO

CSO Government Software Cybersecurity

Slopsquatting

Schneier on Security

APRIL 15, 2025

As AI coding assistants invent nonexistent software libraries to download and use, enterprising attackers create and upload libraries with those names—laced with malware, of course.

Malware

Malware Software

China Sort of Admits to Being Behind Volt Typhoon

Schneier on Security

APRIL 14, 2025

The Wall Street Journal has the story : Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate. The Chinese delegation linked years of intrusions into computer networks at U.S. ports, water utilities, airports and other targets, to increasing U.S. policy support for Taiwa

Hacking

AI Vulnerability Finding

Schneier on Security

APRIL 11, 2025

Microsoft is reporting that its AI systems are able to find new vulnerabilities in source code: Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.

How to Leak to a Journalist

Schneier on Security

APRIL 9, 2025

Neiman Lab has some good advice on how to leak a story to a journalist.

Arguing Against CALEA

Schneier on Security

APRIL 8, 2025

At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today’s threat environment and should be rethought: In other words, while the legally-mandated CALEA capability requirements have changed little over the last three decades, the infrastructure that must implement and protect it has changed radically.

Telecommunications

Telecommunications Internet Internet Government

Web 3.0 Requires Data Integrity

Schneier on Security

APRIL 3, 2025

If you’ve ever taken a computer security class, you’ve probably learned about thethree legs of computer security—confidentiality, integrity, and availability—known as the CIA triad. When we talk about a system being secure, that’s what we’re referring to. All are important, but to different degrees in different contexts.

Artificial Intelligence

Artificial Intelligence Architecture Internet Internet

Rational Astrologies and Security

Schneier on Security

APRIL 2, 2025

John Kelsey and I wrote a short paper for the Rossfest Festschrift : “ Rational Astrologies and Security “: There is another non-security way that designers can spend their security budget: on making their own lives easier. Many of these fall into the category of what has been called rational astrology. First identified by Randy Steve Waldman [Wal12], the term refers to something people treat as though it works, generally for social or institutional reasons, even when theres little e

Technology

Technology Cybersecurity

Cell Phone OPSEC for Border Crossings

Schneier on Security

APRIL 1, 2025

I have heard stories of more aggressive interrogation of electronic devices at US border crossings. I know a lot about securing computers, but very little about securing phones. Are there easy ways to delete data—files, photos, etc.—on phones so it can’t be recovered? Does resetting a phone to factory defaults erase data, or is it still recoverable?

Computers and Electronics

Computers and Electronics Encryption Passwords

Schneier on Security

Largest DDoS Attack to Date

Surveillance in the US

Trending Sources

Self-Driving Car Video Footage

Where AI Provides Value

Upcoming Speaking Engagements

Paragon Spyware used to Spy on European Journalists

Airlines Secretly Selling Passenger Data to the Government

New Way to Track Covertly Android Users

Report on the Malicious Uses of AI

Hearing on the Federal Government and AI

The Ramifications of Ukraine’s Drone Attack

Australia Requires Ransomware Victims to Declare Payments

Surveillance Via Smart Toothbrush

Location Tracking App for Foreigners in Moscow

Chinese-Owned VPNs

Signal Blocks Windows Recall

More AIs Are Taking Polls and Surveys

Communications Backdoor in Chinese Power Inverters

AI-Generated Law

Upcoming Speaking Engagements

Google’s Advanced Protection Now on Android

Court Rules Against NSO Group

Florida Backdoor Bill Fails

Another Move in the Deepfake Creation/Detection Arms Race

Privacy for Agentic AI

NCSC Guidance on “Advanced Cryptography”

US as a Surveillance State

WhatsApp Case Against NSO Group Progressing

Applying Security Engineering to Prompt Injection Security

Windscribe Acquitted on Charges of Not Collecting Users’ Data

Cryptocurrency Thefts Get Physical

New Linux Rootkit

Regulating AI Behavior with a Hypervisor

Android Improves Its Security

Age Verification Using Facial Scans

CVE Program Almost Unfunded

Slopsquatting

China Sort of Admits to Being Behind Volt Typhoon

AI Vulnerability Finding

How to Leak to a Journalist

Arguing Against CALEA

Web 3.0 Requires Data Integrity

Rational Astrologies and Security

Cell Phone OPSEC for Border Crossings

Stay Connected