CISO Brief

All news with #research tag

227 articles · page 3 of 12

Turing Award Honors Inventors of Quantum Cryptography

🔬 Charles Bennett and Gilles Brassard have been awarded the 2026 Turing Award for inventing quantum cryptography. Bruce Schneier welcomes the recognition but reiterates his view that, while scientifically impressive, the technology is largely unnecessary for most practical security problems. In a 2008 essay, he argued that quantum key exchange doesn’t address the usual weak points of systems and that effort is better spent on system-level security and crypto agility.

Researchers Warn of Rising AI-Generated Code Vulnerabilities

⚠️ Georgia Tech researchers warn that AI-assisted 'vibe coding' is producing measurable security flaws in real projects. The Vibe Security Radar traced at least 35 new CVEs in March 2026 and reports 74 confirmed AI-related vulnerabilities to date, while estimating the true count in open source may be five to ten times higher. The team monitors roughly 50 tools and uses metadata and AI agents to map vulnerable commits back to assistants such as Claude Code, noting some tools leave no trace.

Rethinking Cybersecurity Hiring: Skills-First Talent

🔍 Many organizations treat the cybersecurity skills gap as a supply problem, but the 2025 Cybersecurity Skills Gap Global Research Report shows restrictive hiring definitions are a major cause. Rigid filters like four-year degrees exclude candidates with military, technical, or vendor-certified experience who already possess relevant, hands-on capabilities. Adopting a skills-first approach and mapping role-aligned certifications to job requirements expands the qualified pool, shortens onboarding, and reduces operational risk. Fortinet emphasizes partnerships and free, scalable training as practical ways to build and certify talent at scale.

One-line Kubernetes fix reclaimed 600 hours for Atlantis

🔧 Cloudflare engineers traced repeated 30-minute Atlantis restarts to Kubernetes recursively changing file ownership on a large PersistentVolume. The default pod securityContext behavior (fsGroup combined with fsGroupChangePolicy: Always) caused kubelet to run an expensive recursive chgrp across millions of files, creating a mounting bottleneck. By validating that file group ownership would remain stable and setting fsGroupChangePolicy: OnRootMismatch, restarts dropped to ~30 seconds. That single-line change recovered roughly 50 engineering hours per month (about 600 hours per year).

ThreatsDay Bulletin: PQC Push, AI Bugs, Pirated Backdoors

🔔 This week’s ThreatsDay Bulletin captures a quieter, sneakier cadence: big-picture progress on cryptography and AI set against a steady churn of pragmatic abuse. Google accelerated a PQC migration to 2029 and GitHub is bringing AI-powered detections into the PR workflow, while threat actors keep innovating around trust — using pirated ISOs, fake extensions, firmware implants and clever phishing to scale backdoors, credential theft and fraud. The common thread is operational efficiency: takedowns and disruptions are temporary, but the workflows keep returning.

IndonesianFoods: Large-scale npm spam campaign analysis

🚨 In mid-November security researcher Paul McCarty flagged a vast spam campaign in the npm registry that injected tens of thousands of useless modules named after Indonesian dishes. The packages — about 86,000 at discovery — often appeared legitimate, used chains of dependencies, and some contained self-replication to publish more modules and even tied into the TEA blockchain to harvest tokens. The campaign created dependency bloat, reputational risk, and the potential for future supply-chain abuse; Kaspersky recommends developer awareness training and container/dependency scanning with tools such as KASAP and specialized runtime protection.

Transparent COM Instrumentation for Malware Analysis

🔍 Cisco Talos introduces DispatchLogger, an open-source DLL that transparently instruments late-bound COM (IDispatch) interactions to enhance malware analysis visibility. The tool hooks COM instantiation APIs and returns proxy objects that forward calls while logging method names, parameters, return values, and object relationships. It supports recursive wrapping, enumerator proxies, and moniker handling to reveal high-level automation events often missed by low-level API tracing. Deployment requires injecting the DLL into target processes and preserves COM lifetime and threading semantics.

Possible Quantum Speedup for Factoring: Skeptical View

🔬 The author expresses skepticism and notes they are not qualified to fully evaluate a newly announced claim of improved quantum factoring. If validated, the finding would represent a theoretical improvement in the speed of factoring large integers with a quantum computer. The post emphasizes that the result is currently unverified and that practical consequences for deployed cryptography remain uncertain. Further expert review, replication, and analysis are necessary to determine any real-world impact.

Face Value: How Easily Facial Recognition Can Be Fooled

🔍 Jake Moore, ESET Global Cybersecurity Advisor, demonstrated practical methods that can defeat widely used facial recognition systems. Using modified smart glasses, AI-generated images and real-time face swaps, he showed how identities can be exposed, synthetic faces can bypass eKYC checks, and watchlists can be evaded. His findings highlight the need for rigorous adversarial testing and stronger verification controls; he will present live demos at RSAC 2026.

Google paid $17.1M to security researchers in 2025

💰 Google paid $17.1 million to 747 security researchers in 2025 through its Vulnerability Reward Program, an all-time annual high and more than a 40% increase over 2024. The company said it has awarded over $81.6 million in bounties since 2010, with the top single reward reaching $250,000. In 2025 Google launched an AI Vulnerability Rewards Program, added AI-focused categories to the Chrome VRP, and introduced a rewards track for OSV-SCALIBR. Program-specific payouts included Android & Google Devices (~$2.9M), Chrome (~$3.72M), and Cloud (~$3.57M).

Why Password Audits Miss Accounts Attackers Actually Want

🔐 Password audits commonly validate complexity, length and rotation but frequently miss the accounts attackers prefer. Many organizations overlook reused or breached credentials, orphaned and dormant accounts, and high‑value service accounts with non‑expiring passwords. Point-in-time checks also fail to catch continuous threats like credential stuffing. Modern audits should add breached-password screening, risk-based prioritization, and continuous monitoring using tools such as Specops Password Policy.

AirSnitch: Cross-Layer Wi-Fi Identity Desynchronization

⚠️ AirSnitch exploits cross-layer identity desynchronization between Layers 1 and 2 to mount full, bidirectional machine-in-the-middle attacks. An attacker on the same SSID, a different SSID, or another segment tied to the same AP can intercept and modify link-layer traffic. The technique affects home, office, and enterprise Wi‑Fi and enables DNS poisoning, credential theft, and exploitation of unpatched flaws.

Anthropic Uses Claude Opus 4.6 to Find 22 Firefox Flaws

🔍 Anthropic reported discovering 22 new vulnerabilities in the Firefox browser using Claude Opus 4.6 during a two-week assessment in January 2026. Fourteen issues were rated high, seven moderate and one low, and most were patched in Firefox 148. The model detected a JavaScript use-after-free bug in about 20 minutes, which researchers validated in a virtualized environment. When tasked to produce exploits the model succeeded only twice after many attempts and roughly $4,000 in API spend, underscoring that discovery is cheaper than reliable exploitation.

CISO-Board Meetings Brief and Lacking Strategic Depth Across Boards

📊 Boards receive regular CISO briefings—typically quarterly—but those interactions are often short and surface-level. A recent IANS/Artico Search/The CAP Group study of more than 650 CISOs found most updates are time-boxed to ~30 minutes, and only 30% of boards describe relationships as strong and collaborative. Directors want more forward-looking, operational insight on threats—especially those driven by AI—and fewer passive status reports. CISOs with extended airtime report deeper, strategy-focused engagement.

2026 Browser Report: Enterprise Security Blind Spots

🛡️ The 2026 State of Browser Security Report from Keep Aware warns that modern browsers—now hosting embedded AI copilots and generative tools—have become the primary execution layer for enterprise work and the largest emerging security gap. The study finds broad adoption of AI web tools, frequent uploads of internal and regulated data, and that traditional DLP and network controls fail to inspect typed inputs, pasted content, and in-session file uploads. It highlights phishing, malicious extensions, and social engineering as leading browser attack vectors and urges organizations to adopt browser-specific visibility, continuous extension governance, and account-level controls for AI usage.

Fourteen Long-Lived Software Bugs That Took Decades

🛠 This article reviews fourteen long-dormant software vulnerabilities that persisted for ten to thirty years and were only recently discovered or fixed. It highlights flaws across foundational components — from libpng and Python modules to Windows internals, bootloaders, network daemons, and secrets vaults — illustrating how legacy design choices and sparse code review can leave pervasive risks. The piece summarizes impacts, discovery timelines, and the remediation actions taken by vendors and maintainers.

Study Finds Hackers Disrupt Operations at Many Firms

🔒 A representative survey by the Centre for European Economic Research (ZEW) found that a notable share of German companies experienced cyberattacks in 2025. In the information economy about one in seven firms and in industry about one in eight reported damage. Larger firms (100+ employees) were more frequently affected. The most common consequence was operational downtime, alongside financial losses, ransom demands, and data exfiltration.

Google unveils Merkle Tree Certificates for Post‑Quantum TLS

🔐 Google is developing Merkle Tree Certificates (MTCs) in Chrome to make HTTPS certificates resilient to future quantum attacks while avoiding the bandwidth cost of adding post‑quantum algorithms to traditional X.509 chains. Working with Cloudflare and the PLANTS working group, Chrome proposes a model where a CA signs a single tree head and browsers receive lightweight proofs of inclusion. Google is running a feasibility study (Phase 1), plans to invite compatible Certificate Transparency logs in Q1 2027 (Phase 2), and aims to finalize requirements and launch a Chrome Quantum‑resistant Root Store (CQRS) and MTC-only root program by Q3 2027.

LLM-Assisted Deanonymization: Practical Risks Revealed

🔎 A new study demonstrates that large language models can reliably deanonymize users from a handful of anonymous posts. Across Hacker News, Reddit, LinkedIn, and anonymized interview transcripts, LLM agents infer location, occupation, and interests and then search the web to find likely identities. The researchers report high precision results that scale to tens of thousands of candidates, showing that automated deanonymization is now practical and widely feasible.

Smashing Security Podcast 456: DDoS, Ransomware Fails

🛡️ In episode 456 of Smashing Security, Graham Cluley and guest Paul Ducklin examine allegations that an internet archiving service operator weaponised its own CAPTCHA to DDoS a Finnish blogger, tampered with archive content to smear them, and issued bizarre threats about AI-generated pornography. The hosts also cover a ransomware crew that accidentally corrupted victims' decryption keys, rendering extortion efforts ineffective. The episode closes with a calm Pick of the Week and a furious rant about web forms.