July, 2025

Hiding Prompt Injections in Academic Papers

Schneier on Security

Academic papers were found to contain hidden instructions to LLMs: It discovered such prompts in 17 articles, whose lead authors are affiliated with 14 institutions including Japan’s Waseda University, South Korea’s KAIST, China’s Peking University and the National University of Singapore, as well as the University of Washington and Columbia University in the U.S.

Microsoft Patch Tuesday, July 2025 Edition

Krebs on Security

Microsoft today released updates to fix at least 137 security vulnerabilities in its Windows operating systems and supported software. None of the weaknesses addressed this month are known to be actively exploited, but 14 of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited to seize control over vulnerable Windows PCs with little or no help from users.

Weekly Update 460

Troy Hunt

This week's update is the last remote one for a while as we wind up more than a month of travel. I'm pushing this out just before we jump on the Qantas plane home, right after they've advised just how much of my data was impacted by their breach. That got me thinking in this week's video: what type of "third-party service" would expose those classes of data?

Fake Jobs, Real Threats: How to Stay Safe on LinkedIn and Email

Lohrman on Security

How can we spot sophisticated new scams, fake profiles and more within our emails and on professional networking sites like LinkedIn? Here’s some helpful advice.

How to Avoid Pitfalls In Automation: Keep Humans In the Loop

Speaker: Erroll Amacker

Automation is transforming finance but without strong financial oversight it can introduce more risk than reward. From missed discrepancies to strained vendor relationships, accounts payable automation needs a human touch to deliver lasting value. This session is your playbook to get automation right. We’ll explore how to balance speed with control, boost decision-making through human-machine collaboration, and unlock ROI with fewer errors, stronger fraud prevention, and smoother operations.

Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)

The Hacker News

Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances. Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.

McDonald’s AI Hiring Bot Exposed Millions of Applicants' Data to Hackers Using the Password ‘123456’

WIRED Threat Level

Basic security flaws left the personal info of tens of millions of McDonald’s job-seekers vulnerable on the “McHire” site built by AI software firm Paradox.ai.

Big Tech’s Mixed Response to U.S. Treasury Sanctions

Krebs on Security

In May 2025, the U.S. government sanctioned a Chinese national for operating a cloud provider linked to the majority of virtual currency investment scam websites reported to the FBI. But a new report finds the accused continues to operate a slew of established accounts at American tech companies — including Facebook, GitHub, PayPal and Twitter/X.

Welcoming Truyu to Have I Been Pwned's Partner Program

Troy Hunt

I always used to joke that when people used Have I Been Pwned (HIBP), we effectively said "Oh no - you've been pwned! Uh, good luck!" and left it at that. That was fine when it was a pet project used by people who live in a similar world to me, but it didn't do a lot for the everyday folks just learning about the scary world of data breaches.

Bitcoin Booms, Scammers Bloom: Crypto Hits a Record High

Lohrman on Security

News alert: Reflectiz expands Datadog’s security scope to cover client-side web vulnerabilities

The Last Watchdog

BOSTON, July 9, 2025, CyberNewswire — Reflectiz, a leading cybersecurity company specializing in web exposure management, today announced a new integration with Datadog, Inc. (NASDAQ: DDOG), the monitoring and security platform for cloud applications. This integration combines advanced website security intelligence with enterprise-grade observability, empowering organizations with continuous visibility and control over their expanding attack surface.

Why Giant Content Libraries Do Nothing for Your Employees’ Cyber Resilience

Many cybersecurity awareness platforms offer massive content libraries, yet they fail to enhance employees’ cyber resilience. Without structured, engaging, and personalized training, employees struggle to retain and apply key cybersecurity principles. Phished.io explains why organizations should focus on interactive, scenario-based learning rather than overwhelming employees with excessive content.

Code highlighting with Cursor AI for $500,000

SecureList

Attacks that leverage malicious open-source packages are becoming a major and growing threat. This type of attack currently seems commonplace, with reports of infected packages in repositories like PyPI or npm appearing almost daily. It would seem that increased scrutiny from researchers on these repositories should have long ago minimized the profits for cybercriminals trying to make a fortune from malicious packages.

Ubuntu Disables Spectre/Meltdown Protections

Schneier on Security

A whole class of speculative execution attacks against CPUs was published in 2018. They seemed pretty catastrophic at the time. But the fixes were as well. Speculative execution was a way to speed up CPUs, and removing those enhancements resulted in significant performance drops. Now, people are rethinking the trade-off. Ubuntu has disabled some protections, resulting in a 20% performance boost.

PerfektBlue Bluetooth Vulnerabilities Expose Millions of Vehicles to Remote Code Execution

The Hacker News

Cybersecurity researchers have discovered a set of four security flaws in OpenSynergy's BlueSDK Bluetooth stack that, if successfully exploited, could allow remote code execution on millions of transport vehicles from different vendors.

Weekly Update 458

Troy Hunt

I'm in Austria! Well, I was in Austria, I'm now somewhere over the Aussie desert as I try and end this trip on top of my "to-do" list. The Have I Been Pwned Alpine Grand Tour was a great success with loads of time spent with govs, public meetups and users of this little data breach project that kinda escalated. As I say in the vid, I'm posting a lot more pics publicly to my Facebook page, so if you want to see the highlights, head over there.

Zero Trust Mandate: The Realities, Requirements and Roadmap

The DHS compliance audit clock is ticking on Zero Trust. Government agencies can no longer ignore or delay their Zero Trust initiatives. During this virtual panel discussion—featuring Kelly Fuller Gordon, Founder and CEO of RisX, Chris Wild, Zero Trust subject matter expert at Zermount, Inc., and Principal of Cybersecurity Practice at Eliassen Group, Trey Gannon—you’ll gain a detailed understanding of the Federal Zero Trust mandate, its requirements, milestones, and deadlines.

Fortinet Fixes Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257, CVSS 9.6)

Penetration Testing

Fortinet released a critical patch for FortiWeb (CVE-2025-25257, CVSS 9.6). This unauthenticated SQL injection flaw allows remote code execution; update immediately!

Millions of people spied on by malicious browser extensions in Chrome and Edge

Malwarebytes

Researchers have discovered a campaign that tracked users’ online behavior using 18 browser extensions available in the official Chrome and Edge webstores. The total number of installs is estimated to be over two million. These extensions offered functionality, received good reviews, touted verification badges, and some even enjoyed featured placement.

News alert: INE Security debuts advanced eMAPT certification to close mobile security talent gap

The Last Watchdog

Cary, NC, July 10, 2025, CyberNewswire — INE Security, a leading provider of cybersecurity education and cybersecurity certifications, today launched its significantly enhanced eMAPT (Mobile Application Penetration Testing) certification. The updated certification delivers the industry’s most comprehensive and practical approach to mobile application security testing.

Yet Another Strava Privacy Leak

Schneier on Security

This time it’s the Swedish prime minister’s bodyguards. (Last year, it was the US Secret Service and Emmanuel Macron’s bodyguards; in 2018, it was secret US military bases.) This is ridiculous. Why do people continue to make their data public?

Prevent Data Breaches With Zero-Trust Enterprise Password Management

Keeper Security is transforming cybersecurity for people and organizations around the world. Keeper’s affordable and easy-to-use solutions are built on a foundation of zero-trust and zero-knowledge security to protect every user on every device. Our next-generation privileged access management solution deploys in minutes and seamlessly integrates with any tech stack to prevent breaches, reduce help desk costs and ensure compliance.

Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update

The Hacker News

Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists in the wild. The zero-day vulnerability, tracked as CVE-2025-6554 (CVSS score: N/A), has been described as a type confusion flaw in the V8 JavaScript and WebAssembly engine. "Type confusion in V8 in Google Chrome prior to 138.0.7204.

Welcoming Push Security to Have I Been Pwned's Partner Program

Troy Hunt

As we gradually roll out HIBP’s Partner Program, we’re aiming to deliver targeted solutions that bridge the gap between being at risk and being protected. HIBP is the perfect place to bring these solutions to the forefront, as it's often the point at which individuals and organisations first learn of their exposure in data breaches.

Critical HIKVISION applyCT Flaw (CVE-2025-34067, CVSS 10.0): Unauthenticated RCE Via Fastjson

Penetration Testing

A critical flaw (CVE-2025-34067, CVSS 10.0) in HIKVISION applyCT allows unauthenticated RCE via Fastjson deserialization, risking surveillance systems. Patch immediately!

Set Sail: Remote Code Execution in SailPoint IQService via Default Encryption Key

NetSpi Technical

During an Internal Network Penetration Test, NetSPI identified a vulnerability affecting a component of SailPoint, a highly privileged Identity and Access Management solution. The affected IQService component is used primarily for syncing changes between Active Directory and SailPoint. This blog walks through the discovery methods, exploit development, and remediation guidance.

Optimizing The Modern Developer Experience with Coder

Many software teams have migrated their testing and production workloads to the cloud, yet development environments often remain tied to outdated local setups, limiting efficiency and growth. This is where Coder comes in. In our 101 Coder webinar, you’ll explore how cloud-based development environments can unlock new levels of productivity. Discover how to transition from local setups to a secure, cloud-powered ecosystem with ease.

Why Discomfort Might Be the Ultimate Power Move for Cybersecurity Leaders

Jane Frankland

Most of us have heard the saying, “No pain, no gain.” For cybersecurity leaders navigating the high-stakes world of defending critical systems, this phrase takes on a whole new meaning. Pain, in this context, doesn’t have to mean the physical discomfort. Instead, it’s the uncomfortable reality of facing constant threats, adapting to a rapidly shifting landscape, and shouldering the pressure of being the frontline defence for organisations.

Using Signal Groups for Activism

Schneier on Security

Good tutorial by Micah Lee. It includes some nonobvious use cases. (Posted on July 10, 2025.)

Critical Sudo Vulnerabilities Let Local Users Gain Root Access on Linux, Impacting Major Distros

The Hacker News

Cybersecurity researchers have disclosed two security flaws in the Sudo command-line utility for Linux and Unix-like operating systems that could enable local attackers to escalate their privileges to root on susceptible machines. A brief description of the vulnerabilities is below - CVE-2025-32462 (CVSS score: 2.8) - Sudo before 1.9.

How passkeys work: Let's start the passkey registration process

Zero Day

The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Four Critical RCE Flaws Found in Grafana Plugins via Chromium: Patch Now!

Penetration Testing

Grafana warns of four critical RCE flaws in Image Renderer and Synthetic Monitoring Agent, stemming from Chromium V8 bugs. Update to patched versions immediately!

Threat modeling as a dial, not a switch

Adam Shostack

Thinking of threat modeling with a knob helps you get more out of it. Lately, a lot of people have been asking me about what “triggers” threat modeling. The question confused me: you think about threats as part of any design decision! There are lots and lots of design decisions, ranging from tiny to enormous. For each, we ought to be asking what are their pros and cons?

No thanks: Google lets its Gemini AI access your apps, including messages

Malwarebytes

If you’re an Android user, you’ll need to take action if you don’t want Google’s Gemini AI to have access to your apps. That’s because, regardless of your previous settings, Google now allows Gemini to interact with third-party apps. Through Gemini extensions, it already had the ability to integrate with apps to lend a helping hand and make Google Assistant obsolete.

Iranian Blackout Affected Misinformation Campaigns

Schneier on Security

Dozens of accounts on X that promoted Scottish independence went dark during an internet blackout in Iran. Well, that’s one way to identify fake accounts and misinformation campaigns.

Next-Level Fraud Prevention: Strategies for Today’s Threat Landscape

Speaker: Sierre Lindgren

Fraud is a battle that every organization must face – it’s no longer a question of “if” but “when.” Every organization is a potential target for fraud, and the finance department is often the bullseye. From cleverly disguised emails to fraudulent payment requests, the tactics of cybercriminals are advancing rapidly. Drawing insights from real-world cases and industry expertise, we’ll explore the vulnerabilities in your processes and how to fortify them effectively.