serisec

Category: cybersecurity

  • Hacking Meta’s AI Chatbot

    Hacking Meta’s AI Chatbot Hackers are convincing Meta’s AI support chatbot to let them take over other peoples’ accounts: A video posted on X showed the step-by-step process to hack someone’s Instagram account. The hacker allegedly used a VPN to spoof the targets’ presumed location to avoid triggering Instagram’s automated account protections. Then, the hacker…

  • The Intersection of Encryption and AI

    The Intersection of Encryption and AI As part of their 20th Anniversary celebration, Dark Reading asked five cybersecurity industry leaders who wrote blogs or columns for them over the years to select their favorite piece and share their reflections on the topic today. This is my section. Renowned technologist and author Bruce Schneier contributed a…

  • CISA Security Leak

    CISA Security Leak Crazy story: Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests…

  • On AI Security

    On AI Security Good report: Executive Summary: Let’s say you wanted to make sure that your AI is secure. Can you just maximize the security and privacy benchmark and call it a day? Nope, because benchmarks don’t actually work for measuring AI capabilities (even when they are NOT emergent systemic properties like security). So let’s…

  • OpenAI’s GPT-5.5 is as Good as Mythos at Finding Security Vulnerabilities

    OpenAI’s GPT-5.5 is as Good as Mythos at Finding Security Vulnerabilities The UK’s AI Security Institute evaluated GPT-5.5’s ability to find security vulnerabilities, and found that it is comparable to Claude Mythos. Note that the OpenAI model is generally available. Here is the Institute’s evaluation of Mythos. And here is an analysis of a smaller,…

  • Fast16 Malware

    Fast16 Malware Researchers have reverse-engineered a piece of malware named Fast16. It’s almost certainly state-sponsored, probably US in origin, and was deployed against Iran years before Stuxnet: “…the Fast16 malware was designed to carry out the most subtle form of sabotage ever seen in an in-the-wild malware tool: By automatically spreading across networks and then…

  • What Anthropic’s Mythos Means for the Future of Cybersecurity

    What Anthropic’s Mythos Means for the Future of Cybersecurity Two weeks ago, Anthropic announced that its new model, Claude Mythos Preview, can autonomously find and weaponize software vulnerabilities, turning them into working exploits without expert guidance. These were vulnerabilities in key software like operating systems and internet infrastructure that thousands of software developers working on…

  • Mythos and Cybersecurity

    Mythos and Cybersecurity Last week, Anthropic pulled back the curtain on Claude Mythos Preview, an AI model so capable at finding and exploiting software vulnerabilities that the company decided it was too dangerous to release to the public. Instead, access has been restricted to roughly 50 organizations—Microsoft, Apple, Amazon Web Services, CrowdStrike and other vendors…

  • On Anthropic’s Mythos Preview and Project Glasswing

    On Anthropic’s Mythos Preview and Project Glasswing The cybersecurity industry is obsessing over Anthropic’s new model, Claude Mythos Preview, and its effects on cybersecurity. Anthropic said that it is not releasing it to the general public because of its cyberattack capabilities, and has launched Project Glasswing to run the model against a whole slew of…

  • On Microsoft’s Lousy Cloud Security

    On Microsoft’s Lousy Cloud Security ProPublica has a scoop: In late 2024, the federal government’s cybersecurity evaluators rendered a troubling verdict on one of Microsoft’s biggest cloud computing offerings. The tech giant’s “lack of proper detailed security documentation” left reviewers with a “lack of confidence in assessing the system’s overall security posture,” according to an…

  • Python Supply-Chain Compromise

    Python Supply-Chain Compromise This is news: A malicious supply chain compromise has been identified in the Python Package Index package litellm version 1.82.8. The published wheel contains a malicious .pth file (litellm_init.pth, 34,628 bytes) which is automatically executed by the Python interpreter on every startup, without requiring any explicit import of the litellm module. There…

  • Cybersecurity in the Age of Instant Software

    Cybersecurity in the Age of Instant Software AI is rapidly changing how software is written, deployed, and used. Trends point to a future where AIs can write custom software quickly and easily: “instant software.” Taken to an extreme, it might become easier for a user to have an AI write an application on demand—a spreadsheet,…

  • Possible US Government iPhone Hacking Tool Leaked

    Possible US Government iPhone Hacking Tool Leaked Wired writes (alternate source): Security researchers at Google on Tuesday released a report describing what they’re calling “Coruna,” a highly sophisticated iPhone hacking toolkit that includes five complete hacking techniques capable of bypassing all the defenses of an iPhone to silently install malware on a device when it…

  • Is “Hackback” Official US Cybersecurity Strategy?

    Is “Hackback” Official US Cybersecurity Strategy? The 2026 US “Cyber Strategy for America” document is mostly the same thing we’ve seen out of the White House for over a decade, but with a more aggressive tone. But one sentence stood out: “We will unleash the private sector by creating incentives to identify and disrupt adversary…

  • Hacked App Part of US/Israeli Propaganda Campaign Against Iran

    Hacked App Part of US/Israeli Propaganda Campaign Against Iran Wired has the story: Shortly after the first set of explosions, Iranians received bursts of notifications on their phones. They came not from the government advising caution, but from an apparently hacked prayer-timing app called BadeSaba Calendar that has been downloaded more than 5 million times…

  • AIs Are Getting Better at Finding and Exploiting Security Vulnerabilities

    AIs Are Getting Better at Finding and Exploiting Security Vulnerabilities From an Anthropic blog post: In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This illustrates…

  • AIs are Getting Better at Finding and Exploiting Internet Vulnerabilities

    AIs are Getting Better at Finding and Exploiting Internet Vulnerabilities Really interesting blog post from Anthropic: In a recent evaluation of AI models’ cyber capabilities, current Claude models can now succeed at multistage attacks on networks with dozens of hosts using only standard, open-source tools, instead of the custom tools needed by previous generations. This…

  • More Prompt||GTFO

    More Prompt||GTFO The next three in this series on online events highlighting interesting uses of AI in cybersecurity are online: #4, #5, and #6. Well worth watching. Bruce Schneier Go to bruce schneier

  • Cisco Identity Services Engine Vulnerability Allows Attackers to Restart ISE Unexpectedly

    Cisco Identity Services Engine Vulnerability Allows Attackers to Restart ISE Unexpectedly A critical vulnerability in Cisco Identity Services Engine (ISE) could allow remote attackers to crash the system through a crafted sequence of RADIUS requests. The flaw CVE-2024-20399, lies in how ISE handles repeated authentication failures from rejected endpoints, creating a denial-of-service condition that forces…

  • A Cybersecurity Merit Badge

    A Cybersecurity Merit Badge Scouting America (formerly known as Boy Scouts) has a new badge in cybersecurity. There’s an image in the article; it looks good. I want one. Bruce Schneier Go to bruce schneier

  • Apple’s New Memory Integrity Enforcement

    Apple’s New Memory Integrity Enforcement Apple has introduced a new hardware/software security feature in the iPhone 17: “Memory Integrity Enforcement,” targeting the memory safety vulnerabilities that spyware products like Pegasus tend to use to get unauthorized system access. From Wired: In recent years, a movement has been steadily growing across the global tech industry to…

  • I’m Spending the Year at the Munk School

    I’m Spending the Year at the Munk School This academic year, I am taking a sabbatical from the Kennedy School and Harvard University. (It’s not a real sabbatical—I’m just an adjunct—but it’s the same idea.) I will be spending the Fall 2025 and Spring 2026 semesters at the Munk School at the University of Toronto.…

  • AI Applications in Cybersecurity

    AI Applications in Cybersecurity There is a really great series of online events highlighting cool uses of AI in cybersecurity, titled Prompt||GTFO. Videos from the first three events are online. And here’s where to register to attend, or participate, in the fourth. Some really great stuff here. Bruce Schneier Go to bruce schneier

  • White House Bans WhatsApp

    White House Bans WhatsApp Reuters is reporting that the White House has banned WhatsApp on all employee devices: The notice said the “Office of Cybersecurity has deemed WhatsApp a high risk to users due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks involved…

  • Why Denmark is breaking up with Microsoft

    Why Denmark is breaking up with Microsoft Relying too heavily on a US tech giant for your nation’s digital infrastructure is starting to feel a bit… well, risky. Graham Cluley Go to grahamcluley

  • Google’s Advanced Protection Now on Android

    Google’s Advanced Protection Now on Android Google has extended its Advanced Protection features to Android devices. It’s not for everybody, but something to be considered by high-risk users. Wired article, behind a paywall. Bruce Schneier Go to bruce schneier

  • Android Improves Its Security

    Android Improves Its Security Android phones will soon reboot themselves after sitting idle for three days. iPhones have had this feature for a while; it’s nice to see Google add it to their phones. Bruce Schneier Go to bruce schneier

  • CVE Program Almost Unfunded

    CVE Program Almost Unfunded Mitre’s CVE’s program—which provides common naming and other informational resources about cybersecurity vulnerabilities—was about to be cancelled, as the US Department of Homeland Security failed to renew the contact. It was funded for eleven more months at the last minute. This is a big deal. The CVE program is one of…

  • Arguing Against CALEA

    Arguing Against CALEA At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today’s threat environment and should be rethought: In other words, while the legally-mandated CALEA capability requirements have changed little over the last three decades,…

  • Rational Astrologies and Security

    Rational Astrologies and Security John Kelsey and I wrote a short paper for the Rossfest Festschrift: “Rational Astrologies and Security“: There is another non-security way that designers can spend their security budget: on making their own lives easier. Many of these fall into the category of what has been called rational astrology. First identified by…

  • Trojaned AI Tool Leads to Disney Hack

    Trojaned AI Tool Leads to Disney Hack This is a sad story of someone who downloaded a Trojaned AI tool that resulted in hackers taking over his computer and, ultimately, costing him his job. Bruce Schneier Go to bruce schneier

  • DOGE as a National Cyberattack

    DOGE as a National Cyberattack In the span of just weeks, the US government has experienced what may be the most consequential security breach in its history—not through a sophisticated cyberattack or an act of foreign espionage, but through official orders by a billionaire with a poorly defined government role. And the implications for national…

  • CISA Under Trump

    CISA Under Trump Jen Easterly is out as the Director of CISA. Read her final interview: There’s a lot of unfinished business. We have made an impact through our ransomware vulnerability warning pilot and our pre-ransomware notification initiative, and I’m really proud of that, because we work on preventing somebody from having their worst day.…

  • Biden Signs New Cybersecurity Order

    Biden Signs New Cybersecurity Order President Biden has signed a new cybersecurity order. It has a bunch of provisions, most notably using the US governments procurement power to improve cybersecurity practices industry-wide. Some details: The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent…

  • Scams Based on Fake Google Emails

    Scams Based on Fake Google Emails Scammers are hacking Google Forms to send email to victims that come from google.com. Brian Krebs reports on the effects. Boing Boing post. Bruce Schneier Go to bruce schneier