Google says its Chrome browser will stop trusting certificates from two certificate authorities after “patterns of concerning behavior observed over the past year” diminished trust in their reliability. The two organizations, Taiwan-based Chunghwa Telecom and Budapest-based Netlock, are among the dozens of certificate authorities trusted by Chrome and most …

Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta …

For years, members of the Russian cybercrime cartel Trickbot unleashed a relentless hacking spree on the world. The group attacked thousands of victims, including businesses, schools, and hospitals. “Fuck clinics in the usa this week,” one member wrote in internal Trickbot messages in 2020 about a list of 428 …

Thousands of home and small office routers manufactured by Asus are being infected with a stealthy backdoor that can survive reboots and firmware updates in an attack by a nation-state or another well-resourced threat actor, researchers said. The unknown attackers gain access to the devices by exploiting now-patched vulnerabilities …

The hacker ecosystem in Russia, more than perhaps anywhere else in the world, has long blurred the lines between cybercrime, state-sponsored cyberwarfare, and espionage. Now an indictment of a group of Russian nationals and the takedown of their sprawling botnet offers the clearest example in years of how a …

Marketers promote AI-assisted developer tools as workhorses that are essential for today’s software engineer. Developer platform GitLab, for instance, claims its Duo chatbot can “instantly generate a to-do list” that eliminates the burden of “wading through weeks of commits.” What these companies don’t say is that these …

Researchers have found malicious software that received more than 6,000 downloads from the NPM repository over a two-year span, in yet another discovery showing the hidden threats users of such open source archives face. Eight packages using names that closely mimicked those of widely used legitimate packages contained …

A consortium of global law enforcement agencies and tech companies announced on Wednesday that they have disrupted the infostealer malware known as Lumma. One of the most popular infostealers worldwide, Lumma has been used by hundreds of what Microsoft calls “cyber threat actors” to steal passwords, credit card and …

Signal Messenger is warning the users of its Windows Desktop version that the privacy of their messages is under threat by Recall, the AI tool rolling out in Windows 11 that will screenshot, index, and store almost everything a user does every three seconds. Effective immediately, Signal for Windows …

Microsoft is updating Windows 11 with a set of new encryption algorithms that can withstand future attacks from quantum computers in a move aimed at jump-starting what’s likely to be the most formidable and important technology transition in modern history. Computers that are based on the physics of …

Threat actors, likely supported by the Russian government, hacked multiple high-value mail servers around the world by exploiting XSS vulnerabilities, a class of bug that was among the most commonly exploited in decades past. XSS is short for cross-site scripting. Vulnerabilities result from programming errors found in webserver software …

Google is adding a new security setting to Android to provide an extra layer of resistance against attacks that infect devices, tap calls traveling through insecure carrier networks, and deliver scams through messaging services. On Tuesday, the company unveiled the Advanced Protection mode, most of which will be rolled …

Imagine a world where AI-powered bots can buy or sell cryptocurrency, make investments, and execute software-defined contracts at the blink of an eye, depending on minute-to-minute currency prices, breaking news, or other market-moving events. Then imagine an adversary causing the bot to redirect payments to an account they control …

Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware, a strong indication that devices belonging to him have been hacked in recent years. Kyle Schutt is a 30-something-year-old software …

The world has been abuzz for weeks now about the inclusion of a journalist in a group message of senior White House officials discussing plans for a military strike. In that case, the breach was the result of then-National Security Advisor Mike Waltz accidentally adding The Atlantic Editor-in-Chief Jeffrey …

A jury has awarded WhatsApp $167 million in punitive damages in a case the company brought against Israel-based NSO Group for exploiting a software vulnerability that hijacked the phones of thousands of users. The verdict, reached Tuesday, comes as a major victory not just for Meta-owned WhatsApp but also …

A California man has pleaded guilty to hacking an employee of The Walt Disney Company by tricking the person into running a malicious version of a widely used open source AI image generation tool. Ryan Mitchell Kramer, 25, pleaded guilty to one count of accessing a computer and obtaining …

A messaging service used by former National Security Advisor Mike Waltz has temporarily shut down while the company investigates an apparent hack. The messaging app is used to access and archive Signal messages, but is not made by Signal itself. 404 Media reported yesterday that a hacker stole data …

Hundreds of e-commerce sites, at least one owned by a large multinational company, were backdoored by malware that executes malicious code inside the browsers of visitors, where it can steal payment card information and other sensitive data, security researchers said Monday. The infections are the result of a supply-chain …

Microsoft says it’s making passwordless logins the default means for signing in to new accounts, as the company helps drive an industry-wide push to transition away from passwords and the costly security problems they have created for companies and their users. A key part of the “passwordless by …

An entire cottage industry has formed around phishing attacks that bypass some of the most common forms of multifactor authentication (MFA) and allow even non-technical users to quickly create sites that defeat the protections against account takeovers. MFA works by requiring an additional factor of authentication besides a password …

An entire cottage industry has formed around phishing attacks that bypass some of the most common forms of multifactor authentication (MFA) and allow even non-technical users to quickly create sites that defeat the protections against account takeovers. MFA works by requiring an additional factor of authentication besides a password …

From the department of head scratches comes this counterintuitive news: Microsoft says it has no plans to change a remote login protocol in Windows that allows people to log in to machines using passwords that have been revoked. Password changes are among the first steps people should take in …

Apple’s AirPlay feature enables iPhones and MacBooks to seamlessly play music or show photos and videos on other Apple devices or third-party speakers and TVs that integrate the protocol. Now newly uncovered security flaws in AirPlay mean that those same wireless connections could allow hackers to move within …

AI-generated computer code is rife with references to non-existent third-party libraries, creating a golden opportunity for supply-chain attacks that poison legitimate programs with malicious packages that can steal data, plant backdoors, and carry out other nefarious actions, newly published research shows. The study, which used 16 of the most …