
Two-Factor Authentication Breaks Free From the Desktop
Two-factor authentication (2FA) is expanding beyond traditional IT logins to protect physical assets such as cars, home heating systems, and medical devices. In the automotive sector, firms like Keyfree Technologies are pairing in‑vehicle hardware with mobile apps to require one‑time passwords before a vehicle can start, aiming to curb key‑cloning and relay attacks. Healthcare providers are similarly adding MFA to network‑connected equipment—from infusion pumps to imaging systems—to safeguard patient data and comply with emerging policies. Industry leaders warn that usability, cost and the absence of clear standards could slow widespread adoption.

As DPDPA Kicks In, Are Startups Ready For Privacy Compliance Burden?
India’s Digital Personal Data Protection Act (DPDPA) 2023 and the DPDP Rules 2025 set an 18‑month compliance timeline ending May 2027, creating a $1.2 bn compliance‑as‑a‑service market. Startup IDfy, backed by Blume Ventures and others, won a government‑run privacy‑platform competition and is...

Microsoft's Original Windows Secure Boot Certificate Is Expiring
Microsoft announced that the original UEFI Secure Boot certificates, first deployed in 2011, will expire on June 24, 2024. The company is urging IT leaders to apply the updated 2023 certificates to all Windows PCs built before 2024 to maintain the hardware‑based...

Mythos Poses Risk to SEC Market-Tracking Database, Group Says
Anthropic’s new AI model Mythos could exploit the SEC’s Consolidated Audit Trail (CAT), a database that tracks every trade in U.S. equities. The American Securities Association warned that the model enables mass identity theft, portfolio exposure, and insider‑threat amplification, and...

AI Is a Gold Mine for Spammers and Scammers, but Google Is Using It as a Tool to Fight Back
Google’s latest ads safety report reveals that generative AI, specifically its Gemini system, intercepted over 99% of policy‑violating ads in 2024, blocking more than 8.3 billion ads—including 602 million scam‑related pieces. The AI‑driven approach also cut incorrect advertiser suspensions by 80% and...

Cookeville Medical Center Notifies Patients After July 2025 Ransomware Attack
Cookeville Regional Medical Center disclosed that a July 2025 ransomware attack exposed the personal and medical records of 337,917 patients. The Russian‑linked Rhysida gang claimed responsibility, demanding 10 Bitcoin—about $1.15 million—though it is unclear if the ransom was paid. The hospital began mailing...

What Are Security Experts Saying About OpenAI’s GPT-5.4-Cyber?
OpenAI has launched GPT‑5.4‑Cyber, a defensive‑oriented AI model, and is scaling its Trusted Access for Cyber (TAC) program to thousands of verified individual defenders and hundreds of critical‑infrastructure groups. Unlike Anthropic’s Claude Mythos, which remains limited to a handful of...

OpenAI Launches GPT-5.4-Cyber to Boost Defensive Cybersecurity
OpenAI unveiled GPT-5.4-Cyber, a defensive‑focused variant of its flagship GPT‑5.4 model, featuring binary reverse‑engineering to analyze compiled code without source access. The launch coincides with the expansion of its Trusted Access for Cyber (TAC) program, now available to thousands of...

Post-Quantum Cryptography Migration at Meta: Framework, Lessons, and Takeaways
Meta released a detailed guide on its post‑quantum cryptography (PQC) migration, outlining a multi‑year rollout of PQ‑enabled TLS across its internal infrastructure. The company introduced a five‑tier PQC Migration Level framework—PQ‑Unaware to PQ‑Enabled—to help organizations assess and prioritize quantum‑risk mitigation....

Intercede Now Supports Idemia PS Devices for Unified FIDO, PKI Credential Management
Intercede has integrated Idemia Public Security’s newest authentication hardware into its MyID CMS 12.18 platform, enabling unified management of both FIDO and PKI credentials. The Idemia devices, built on the COSMO X platform, meet the FIPS 201 PIV standard required for...

Quest Software Launches the Quest Security Management Platform
Quest Software unveiled the Quest Security Management Platform, an AI‑powered suite that consolidates identity threat detection, response, and recovery into a single solution. The platform introduces Quest Identity Defense to block unauthorized changes to Tier 0 assets and Quest Identity Recovery...

Brain Corp Achieves SOC 2 Compliance, Reinforcing Trusted Enterprise-Grade Deployment of AI Systems at Scale
Brain Corp announced that its BrainOS platform has passed a SOC 2 Type II audit, confirming robust data security and operational controls. The company now supports more than 40,000 autonomous mobile robots deployed across six continents in settings such as stores, warehouses...

N-Able CEO On The MSP AI Journey: Efficiency First, Safe Deployment Next, Monetization Last
N‑able CEO John Pagliuca told CRN that managed‑service providers must prioritize efficiency, then safe AI deployment, and only later monetize AI. At the Empower conference the company unveiled a Model Context Protocol (MCP) server that securely connects external LLMs like...

SBOM in Practice: Embedding Compliance Into the Software Delivery Lifecycle
Software Bill of Materials (SBOM) is becoming a mandatory inventory for modern applications, capturing every library, version, license and known vulnerability. The article explains the two leading formats—CycloneDX and SPDX—and argues that consistency matters more than choice. It outlines a...

Defending Your Enterprise When AI Models Can Find Vulnerabilities Faster Than Ever
General‑purpose AI models are now capable of discovering and even generating functional exploits, compressing the traditional vulnerability‑to‑exploit timeline. Threat actors are already leveraging large language models to automate zero‑day creation, threatening enterprises that rely on human‑speed patching. In response, security...

What “The Pitt” Gets Right About Ransomware and What Hospitals Can’t Afford to Ignore
The TV drama *The Pitt* dramatizes a ransomware attack that mirrors real‑world hospital incidents, showing how systems can be restored while operational chaos persists. The piece highlights that credential abuse accounts for 22% of healthcare breaches, leading to prolonged downtime,...

Privacy, Power, and Encryption: Why End-to-End Security Matters
The article argues that end‑to‑end encryption (E2EE) is the most reliable defense against today’s pervasive surveillance by governments, corporations and cyber‑criminals. It explains how E2EE works, its widespread adoption in messaging, password managers and cloud storage, and why any “exceptional...

Fragmented Regulation Complicates Telco Sovereignty Agenda – Omdia
A new Omdia report highlights that more than 100 countries now enforce data‑sovereignty or localization laws, creating a patchwork of regulations for telecom operators. The fragmented landscape forces telcos to incur higher compliance costs, redesign networks, and train staff to...

Critical MCP Vulnerability in Nginx-UI Now Actively Exploited in the Wild
The open‑source nginx‑UI, a web interface for managing Nginx configurations, has been found to lack authentication middleware, creating a critical Missing Control Plane (MCP) vulnerability. With over 11,000 GitHub stars and more than 430,000 Docker pulls, the tool is widely...

Senior Bosses Exposed to Fraud Through Online Exposure
Half of UK companies reported fraud attempts that impersonated senior leaders in the past year, driven by executives' growing online visibility. Average losses per incident top £758,000 (about $970,000), with the most severe cases exceeding £5 million (≈$6.4 million). AI‑generated deep‑fakes and...

Cargo Thieving Hackers Running Sophisticated Remote Access Campaigns, Researchers Find
Proofpoint researchers observed sophisticated cybercriminal campaigns infiltrating load‑board platforms used by trucking and logistics firms. After compromising a load board, the attackers deployed six remote‑access tools, including four ScreenConnect instances, and leveraged a novel "signing‑as‑a‑service" to auto‑sign malware with trusted...

Insurers Face the Same Cyber Threats They Underwrite — and Gaps Remain
Insurance carriers, which underwrite cyber risk, are themselves prime cyber‑attack targets. A new report by the Insurance Information Institute and Fenix24 shows insurers generally follow strong security practices but still lag in credential management, backup definitions, and patch deployment cycles....

ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories
The ThreatsDay bulletin highlights a wave of cyber incidents, from a North Korean‑linked breach at Zerion that stole $100 K from internal hot wallets to a newly disclosed Microsoft Defender privilege‑escalation zero‑day called RedSun. Legacy flaws remain dangerous, with CISA adding...

Early Warning’s Certos Launches and Other Digital Transactions News Briefs From 4/16/26
Early Warning Services launched Certos, a suite aimed at reducing fraud while widening financial access for U.S. banks. Binance introduced Binance Chat, adding crypto transfers, messaging and other in‑app functions. MegPrime rolled out a consumer app that rewards homebuyers with...

Cybersecurity Must Evolve as Frontier AI Fuels New Fraud Risks
Cybercriminals are leveraging frontier AI models that can reason, code, and generate deepfakes, dramatically lowering the barriers to sophisticated fraud. The FBI’s latest Internet Crime Report recorded 22,364 AI‑related complaints and nearly $893 million in losses, while studies show AI is...

Bitcoin’s Quantum Migration Plan Forces the Network to Choose Between Frozen and Stolen Coins
Bitcoin’s BIP 361 draft proposes a three‑phase migration that would block new sends to quantum‑vulnerable addresses, then freeze legacy ECDSA/Schnorr coins, and possibly allow recovery via zero‑knowledge proofs. The plan follows BIP 360’s Pay‑to‑Merkle‑Root format and targets the roughly 34% of BTC...

Fashion Retailer Express Left Customers’ Personal Data and Order Details Exposed to the Internet
Express, a major U.S. fashion retailer, patched a website flaw that let anyone view other shoppers’ order confirmations. The vulnerability exposed names, contact details, addresses, purchase items and partial credit‑card data for at least a dozen customers, all accessible by...

Kenya’s LOLC Microfinance Bank Directors Risk Prosecution in Data Enforcement Case
Kenya’s Office of the Data Protection Commissioner (ODPC) has recommended criminal prosecution of directors at LOLC Microfinance Bank after the lender ignored a formal request to justify publishing a former employee’s personal data. The regulator found the bank unlawfully processed...

CYBERUK ’26: UK Lagging on Legal Protections for Cyber Pros
The UK’s 1990 Computer Misuse Act (CMA) is increasingly seen as an obstacle for cyber‑security professionals who need to conduct authorised hacking as part of their work. Ahead of the CYBERUK conference, the CyberUp Campaign released a report urging Westminster...

Supply Chain Dependencies: Have You Checked Your Blind Spot?
Supply‑chain cyber risk is exploding, with third‑party breaches now accounting for 30% of incidents and costs soaring from $46 bn in 2023 to $60 bn in 2025 and projected to reach $138 bn by 2031. Yet ESET’s 2026 SMB Cyber Readiness Index shows only about 16%...

Ukrainian Emergency Services and Hospitals Hit by Espionage Campaign Using New AgingFly Malware
Ukrainian hospitals, emergency services and municipal authorities have been hit by a coordinated espionage campaign using a new malware suite dubbed AgingFly. The attacks, attributed to the Russian‑linked APT28 group, began with phishing emails masquerading as humanitarian‑aid proposals and delivered...

Behind the Mythos Hype, Glasswing Has Just One Confirmed CVE
Anthropic’s Project Glasswing, the gated access program behind its Mythos AI, has produced only one publicly attributed CVE (CVE‑2026‑4747) according to VulnCheck’s analysis. While Anthropic researchers are credited with 40 CVEs overall, the majority stem from external collaborations rather than...

Splunk Enterprise Update Patches Code Execution Vulnerability
Splunk released emergency patches for several critical flaws across its Enterprise, Cloud Platform, and MCP Server products. The most severe issue, CVE‑2026‑20204, allowed low‑privileged users to upload malicious files and achieve remote code execution due to improper handling of temporary...

Overstretched NIST to Limit CVE Enrichments
The U.S. National Institute of Standards and Technology (NIST) announced it will stop enriching every CVE entry in its National Vulnerability Database due to a surge in submissions. CVE submissions rose 263 % between 2020 and 2025, overwhelming NIST’s resources. Going...

Standard Bank Data Breach Fallout Deepens
Standard Bank confirmed that data stolen in a March cyber‑attack has now been posted online, exposing client names, identification numbers, contact details and limited credit‑card information. The breach, attributed to a hacker using the handle “ROOTBOY,” involved a three‑week intrusion...

Cybersecurity Risks of Hiring a Virtual Assistant and How to Protect Your Business
The surge in remote work has led many firms to hire virtual assistants (VAs) without robust security checks, exposing critical systems to credential theft, device compromise, and insider threats. Excessive access and shared passwords create a large attack surface, while...

French Minister Says New Measures Are Coming After Crypto Kidnappings
French interior minister delegate Jean‑Didier Berger announced new measures to curb crypto kidnappings, known as wrench attacks, after a recent €400,000 ransom case. Authorities have launched a prevention platform that already has thousands of sign‑ups and are collaborating with Interior...

AI Bots - a New Risk and Opportunity for CIOs to Manage
AI‑generated bots are flooding corporate web estates, with Akamai reporting a 300% rise in AI‑driven traffic and some CIOs seeing a 400% jump in site crawls. The surge inflates API, cloud and CDN usage, driving up operating expenses and degrading...

AI and Executive Protection: New Risks, New Defenses
AI‑generated phishing attacks are now targeting corporate executives with hyper‑personalized emails crafted from public profiles and generative AI. The barrier to launch such campaigns has collapsed, allowing amateurs to produce convincing phishing kits and doxing databases. Security teams can counter...

Hidden Passenger? How Taboola Routes Logged-In Banking Sessions to Temu
Reflectiz discovered that a Taboola tracking pixel approved in a bank’s CSP silently redirected logged‑in users to a Temu endpoint via a 302 response. The redirect included an Access‑Control‑Allow‑Credentials header, causing browsers to send authentication cookies to Temu and link...

Business Logic Flaws: The Silent Threat in Modern Web Applications
In late 2019 Robinhood’s options platform mis‑calculated buying power, allowing users to control positions worth hundreds of thousands of dollars with only a few thousand in capital. The flaw stemmed from a business‑logic assumption that margin‑related trades reduced risk, which...

Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks
Researchers at Elastic Security Labs identified a novel social‑engineering campaign that abuses Obsidian’s community plugins to deliver the previously unknown PHANTOMPULSE remote‑access trojan. Threat actors pose as venture‑capital contacts on LinkedIn and Telegram, coaxing finance and cryptocurrency professionals to enable...

License-Layer Security: The Missing Piece in OTT Content Protection
Modern OTT services rely on DRM to protect streamed video, but DRM only secures content in transit. Attackers now target the license layer, extracting keys from legitimate license responses and redistributing decrypted copies at scale. The article argues that license‑layer...

Systemic Flaw in MCP Protocol Could Expose 150 Million Downloads
Security researchers at Ox Security disclosed a critical, systemic flaw in Anthropic's Model Context Protocol (MCP) that enables arbitrary command execution. The vulnerability stems from the protocol’s STDIO interface, which runs commands even when server startup fails, exposing over 200...

CAIS
HolistiCyber’s Cyber AI Suite (CAIS) is a comprehensive service that secures AI‑driven applications from architecture through governance. It begins with a deep review of Retrieval‑Augmented Generation (RAG) pipelines and vector databases, then applies threat modeling and AI‑focused penetration testing using...

How Secure WordPress Hosting Protects Growing Agency Portfolios
Agencies managing dozens of WordPress sites face exponential security risk, as a single vulnerable plugin can cascade across a portfolio. Secure, agency‑focused hosting mitigates that threat by moving protection to the server layer with firewalls, DDoS mitigation, and continuous malware...

Inditex Data Breach: Zara Owner Inditex Reports Major Data Breach Exposing Customer Transaction Records
Inditex, the parent of Zara, disclosed a data breach that originated from a former technology provider and exposed transaction‑related information but no customer names, contact details, passwords, or payment data. The breach involved a third‑party service used by several international...

'Attention-Seeking' Man Allegedly Targeted Police, Defence in 'Cybercrime Spree'
A 22‑year‑old Adelaide resident, Aiden Wood, was charged with 12 hacking offences after allegedly launching a four‑month cybercrime spree that targeted critical government infrastructure, including the Australian Federal Police and Defence Force, as well as the NBN network at a...

Cyber Essentials Closes the MFA Loophole but Leaves some Organisations Adrift
The UK’s Cyber Essentials scheme has long been a baseline for cyber‑hygiene, especially for firms seeking government contracts. Effective 27 April, version 3.3 upgrades multi‑factor authentication (MFA) from a recommendation to a binary pass‑or‑fail rule. Any cloud service used without enabled MFA...

Norway’s State Telecoms Firm Accused of Helping Myanmar Regime Seize Activists
A Norwegian state‑owned telecom, Telenor, faces a class‑action lawsuit in Norway alleging it supplied the Myanmar military with personal data on more than 1,200 activists, facilitating arrests and alleged torture. The suit, filed by the Justice and Accountability Initiative and...