I’m approaching prompt injection less as an input sanitization issue and more as an authority and trust-boundary problem.
In many systems, model output is implicitly authorized to cause side effects, for example by triggering tool calls or function execution. Once generation is treated as execution-capable, sanitization and guardrails become reactive defenses around an actor that already holds authority.
I’m exploring an architecture where the model never has execution rights at all. It produces proposals only. A separate, non-generative control plane is the sole component allowed to execute actions, based on fixed policy and system state. If the gate says no, nothing runs. From this perspective, prompt injection fails because generation no longer implies authority. There’s no privileged path from text to side effects.
I’m curious whether people here see this as a meaningful shift in the trust model, or just a restatement of existing capability-based or mediation patterns in security systems.
Runtime threats rarely trigger obvious alerts. Usually something just feels slightly off before anything breaks. What subtle signs have tipped you off in the past?
A lot of environments look secure on paper, but runtime attacks often operate quietly. Credential misuse, app-layer abuse, and supply chain compromises tend to blend in rather than break things. What runtime signals have actually helped you catch issues early?
I am presenting a verified second-preimage collision for the SHA-256 algorithm, specifically targeting the Bitcoin Genesis Block header (Hash: 000000000019d668...).
Unlike previous theoretical differential attacks, this method utilizes a structural exploit in the message schedule (W-schedule) to manipulate internal states during the compression function. This allows for the generation of an alternative preimage (Kaoru DNA) that results in an identical 256-bit output.
Key Technical Aspects:
This discovery suggests that the collision resistance of SHA-256 is fundamentally compromised under specific state-transition conditions.
Verification Code: https://osf.io/2gdzq/files/dqghk
It's the most wonderful time of the year … for corporate security bosses to run tabletop exercises, simulating a hypothetical cyberattack or other emergency, running through incident processes, and practicing responses to ensure preparedness if when a digital disaster occurs.…
According to Remedio CEO Tal Kollender, the only way to beat the bad guys hacking into corporate networks is to "think like a hacker," and because not everyone is a teenage hacker turned cybersecurity startup chief executive, she built an AI to do this.…
Every morning I find myself scrolling through 50+ tabs of RSS feeds, BleepingComputer, and CISA alerts. It’s exhausting.
I started a project called Threat Road to curate the "Top 3" most critical stories daily with a focus on immediate mitigations. I want to make it as useful as possible for the community.
I’d love your brutal honesty:
What makes a security newsletter "instant delete" for you?
Do you care about "Chili-pepper" risk ratings, or do you find them gimmicky?
Would you rather have a deep dive on one bug or a brief on three?
I'm just looking to hear what you all actually want in a daily briefing.
From their original design as simple broadcast receivers, today’s televisions have evolved into powerful, internet-connected entertainment hubs. Combining traditional viewing with online capabilities, smart TVs provide instant access to streaming platforms, web browsing, voice assistants, and personalized recommendations.
As our TVs have grown smarter, however, they’ve also become gateways to new privacy and security challenges. In a chilling echo of George Orwell’s dystopian novel 1984, it’s possible that Big Brother, or in this case, Big Hacker, might be surveilling you through your own television.
In 2013, evidence emerged that smart TVs can be just as vulnerable to hacking as home computers, following an investigation by security analysts Aaron Grattafiori and Josh Yavor at iSEC Partners. Working with smart TV manufacturers to address potential vulnerabilities, the analysts presented their findings at the Black Hat network security conference in Las Vegas. Their demonstration highlighted the concerning possibility of smart TVs not only physically surveilling you through the built-in camera but also prying deeper into your personal life by collecting data on your web searches, app usage, and preferences.
Smart TVs can be hacked in several ways, but the gateway that opens your smart TV to these attacks is the IP address, which links with internet-driven apps such as Facebook and YouTube, as well as video streaming services, microphones, and even internal cameras. Because smart TVs often run the same code as computers and smartphones, such as JavaScript or HTML5, they are also susceptible to malware and spyware attacks. These are some of the ways your device can be hacked:
Once a hacker has compromised your smart TV, they can spy on you through several built-in technologies that collect data on your viewing habits, conversations, and online activities.
The key to managing these privacy risks is understanding what data your TV collects and taking control through privacy settings, network restrictions, and informed usage decisions.
Your smart TV data typically flows to multiple parties. It starts with the device manufacturer for product improvements, then to streaming app providers for content recommendations, on to advertising networks for targeted marketing, and analytics companies for usage insights. Recent regulatory guidance emphasizes that you should have clear visibility into these data-sharing relationships through your TV’s privacy policy.
You can limit data collection by disabling Automatic Content Recognition (ACR) in your TV’s privacy settings, turning off personalized advertising, and regularly reviewing app permissions. Consumer protection agencies require smart TV manufacturers to provide opt-out mechanisms for advertising personalization and data sharing with third parties.
Fortunately, you can significantly reduce your smart TV risks with some simple preventive measures:
Most smart TVs don’t fully turn off when you press the power button; they enter standby mode to enable quick startup. In this state, certain components may remain active and continue collecting data. It might maintain network connectivity to receive software updates, keep microphones and voice assistants ready to respond to wake words, or continue ACR that tracks your viewing habits.
To truly disconnect your TV from potential monitoring, you have several options:
It depends on your specific smart TV model and its manufacturing date. Most modern smart TVs manufactured after 2022 do not include built-in cameras. Major manufacturers such as Samsung, LG, Sony, and TCL have largely moved away from integrating cameras directly into their television sets due to privacy concerns and limited consumer adoption.
Some premium models and older smart TVs from 2018-2021 may still feature built-in cameras typically used for:
If your smart TV does have a camera, you still have control, as most smart TVs with cameras include physical privacy shutters, software controls to disable the camera, or the option to cover the lens. For external USB cameras, simply unplugging it ensures that no one can see you through the smart TV.
To determine if your smart TV has a camera, check the following:
If you discover your smart TV has a camera, you can take control of your privacy by disabling it in your TV’s settings, covering it with tape when not in use, or using any built-in privacy shutters.
Aside from the precautions listed above, there are other ways you can disable your smart TV’s camera:
If the thought of your living room turning into a hacker’s surveillance paradise sends a chill down your spine, you’re not alone. Fortunately, you can take some protective measures that keep your smart TV safe.
One of the best ways to protect yourself is to stay informed about the latest developments in smart TV security. Attend webinars, read articles, and follow experts in the field to stay current with the latest security threats and fixes.
Just as importantly, small but effective digital habits will also fortify your smart TV security: keep your TV’s firmware updated, stick to official app stores, secure your home Wi-Fi with strong encryption, use unique passwords for your devices, limit the use of social media and messaging apps on your TV, and be cautious about what you plug into your TV’s ports.
By following these recommendations, you can continue to relax in your living room and enjoy your digital entertainment experience without compromising your privacy and security.
The post How To Tell If Your Smart TV Spying on You appeared first on McAfee Blog.
A simple click of a link can’t cause any trouble, right? Wrong.
It doesn’t matter if you quickly close out of a window. It doesn’t matter if you only take a quick peek and don’t touch anything else while you’re on a risky webpage. Often, just clicking on a single link can compromise your device, online privacy, and even your personal information. The mere action of clicking a suspicious link could expose you to malware, scams, or identity theft.
Here’s everything you need to know to recognize, steer clear of, and take the proper action in case you accidentally click on a questionable link.
A risky link is any hyperlink that redirects you to an unexpected and possibly compromised webpage. Often, these webpages trick visitors into divulging personal information or automatically download malicious payloads (viruses, malware, spyware, etc.) onto your device.
Email remains the most frequent delivery method, with phishing messages designed to look like urgent notifications from trusted companies. A variation of this is SMS phishing or “smishing,” where attackers send sketchy links through text messages claiming package delivery issues. Another common method involves sending malicious links via direct messages on social media, where compromised accounts target their contact lists. According to the Federal Trade Commission (FTC), $70 million was lost to phishing and spoofing in 2024.
Hackers could also use your browser to deliver their criminal work. In drive-by downloads, for instance, simply visiting a compromised webpage can automatically install malware on your device without any additional action from you. Outdated browsers and plugins are another entry point for cybercriminals to gain unauthorized access to your system.
A bad link might also direct you to a fake login page that looks identical to a legitimate site, such as your bank. Any information you enter on these fraudulent pages goes directly to scammers, who can then access your real accounts.
Meanwhile, mobile malware is a vast category of malicious software that often makes its way onto devices through infected links. Malware can spy on you, monitor your keystrokes, infect your device with a botnet, and ultimately compromise your device and the information it stores.
As threat actors continuously adapt their tactics to circumvent security solutions, one critical factor that determines your risk level is your device’s security posture. A device with updated software, a modern browser, active antivirus protection, and restricted permissions is far less likely to be compromised by a malicious site or download. Conversely, outdated systems, unpatched vulnerabilities, or disabled security features create easy openings for attackers to exploit.
Another risk factor is the rhythm or pace at which you operate your devices. As artificial intelligence tools are increasingly helping scammers and phishers disguise their malicious links to look more believable, you will need to slow down, control the impulse to click, and take a minute to intentionally look at what you are doing. If you read quickly, you could accidentally click a malicious link and fall for a scam.
Even the most convincing messages can hide dangerous links. Before you click on anything, it’s worth taking a few seconds to verify where that link actually leads. These quick checks can help you spot red flags and avoid landing on malicious or fraudulent websites designed to steal your information.
If you’ve accidentally clicked a phishing link, don’t panic, but do act fast. Quick, calm steps can make all the difference in preventing further damage. Here’s what to do right away to secure your device, accounts, and personal information.
Even with your strong digital habits and awareness, it’s easy for something to slip through the cracks. With the right technology that catches potential threats before they reach you, you can browse, message, and shop online without worry.
McAfee’s Scam Detector proactively alerts you and automatically protects you the moment it detects a scam link in your texts, emails, or on social media. If you accidentally click on a scam link, the app will block the malicious webpage from loading. The more you use this artificial intelligence-powered tool, the smarter it becomes.
Protecting yourself from those risky phishing links doesn’t require becoming a security expert. It only takes simple habits to dramatically reduce these threats. Take a moment to be intentional and alert, and make informed choices about the links you encounter.
By taking time to verify URLs, staying reasonably skeptical, enabling automatic updates, trusting your instincts, and relying on trusted security tools for safe browsing and scam detection, you can create powerful barriers against cybercriminals.
Whether you’re browsing social media, checking emails, or exploring new websites, that brief pause to assess whether a link looks legitimate can be the difference between safety and falling victim to sketchy links and credential theft. Share these simple safety practices with your family members, especially those who might be less familiar with online threats, because collective awareness makes everyone safer.
The post What Are the Risks of Clicking on Malicious Links? appeared first on McAfee Blog.
Little write-up for a patched WebSocket-based RCE I found in the CurseForge launcher.
It involved an unauthenticated local websocket API reachable from the browser, which could be abused to execute arbitrary code.
Happy to answer any questions if anyone has any!
Researchers at Pen Test Partners found four flaws in Eurostar's public AI chatbot that, among other security issues, could allow an attacker to inject malicious HTML content or trick the bot into leaking system prompts. Their thank you from the company: being accused of "blackmail."…
The US says it has shut down a platform used by cybercriminals to break into Americans' bank accounts.…
Hey r/netsec -- it's been about two years since we last published a tool for the security community. As a little festive gift, today we're happy to announce the release of certgrep, a free Certificate Transparency search tool we built for our own detection work and decided to open up.
It’s focused on pattern-based discovery (regex/substring-style searches) and quick search and drill down workflows, as a complement to tools like crt.sh.
A few fun example queries it’s useful for:
(login|signin|account|secure).*yourbrand.*
\*.*google.*
yourbrand.*(cdn|assets|static).*
We hope you like it, and would love to hear any feedback you folks may have! A number of iterations will be coming up, including API, SDKs, and integrations (e.g., Slack).
Enjoy!
A new research paper highlights a critical implementation flaw in how major vendors (ASUS, MSI, etc.) configure IOMMU during the DXE phase of boot.
The Core Issue:
The firmware reports DMA protection as "Active" to the OS, but fails to actually enable the IOMMU translation tables during the initial boot sequence. This creates a window of vulnerability where a malicious peripheral can read/write system memory unrestricted.
I've analyzed the root cause and the discrepancy between "Reported Status" vs "Actual Enforcement" in this report:
Full Analysis & Mitigation Strategies: https://www.nexaspecs.com/2025/12/critical-uefi-flaw-exposes-motherboards.html
Has anyone started seeing patched BIOS versions roll out yet?
Hi everyone,
Over the last month I’ve been analyzing modular addition not as a bitwise operation, but as a fractional mapping. Treating (a + b) mod 2^32 as a projection into the fractional domain [0, 1), modular “bit loss” stops behaving like noise and instead becomes predictable geometric wrapping.
This leads to what I call the Kaoru Method.
The core idea is to run a “Shadow SHA-256” in parallel using infinite precision arithmetic. By comparing the real SHA-256 state with the shadow state, it’s possible to reconstruct a Universal Carry Map (k) that fully captures all modular wraps occurring during execution.
Once k is recovered for the 64 rounds, the modular barriers effectively disappear and the compression function reduces to a system of linear equations.
In my experiments, a standard SHA-256 block produces exactly 186 modular wraps. This number appears stable and acts like a structural “DNA” of the hash computation.
Under this framework, differential cryptanalysis becomes significantly simpler, since the carry behavior is no longer hidden. I’m releasing both the theoretical framework and an extractor implementation so others can validate, attack, or extend the idea toward full collisions.
Paper (theory):
https://osf.io/jd392/files/4qyxc
Code (Shadow SHA-256 extractor):
https://osf.io/n9xcw
DOI:
https://doi.org/10.17605/OSF.IO/JD392
I’m aware this challenges some long-held assumptions about modular addition as a source of non-linearity, so I’m especially interested in feedback, counterexamples, or independent replication.
Thanks for reading.
Microsoft wants to develop tech that could translate its codebase to Rust, and is hiring people to make it happen.…
Over one year ago the Government wanted to email the victims but Bitfinex denied it. But it is not too late yet if we act now. Did you hear of any availability of old crypto exchange user email addresses? Security researchers in possession of historic leak data could help to return $ nine digits to victims soon.
Please suggest specific forums for outreach.
Thanks!
Ranked list of 2016 exchanges: Poloniex Bitstamp OKCoin BTC-e LocalBitcoins Huobi Xapo Kraken CoinJoinMess Bittrex BitPay NitrogenSports-eu Cex-io BitVC Bitcoin-de YoBit-net Cryptsy HaoBTC BTCC BX-in-th Hashnest BtcMarkets-net Gatecoin Purse-io CloudBet Cubits AnxPro Bitcurex AlphaBayMarket Luno BTCC Loanbase Bitbond BTCJam Bit-x BitPay BitBay-net NucleusMarket PrimeDice BitAces-me Bter MasterXchange CoinGaming-io CoinJar Cryptopay-me FaucetBOX Genesis-Mining
Mac Malware analysis
After over a week of speculation, ServiceNow announced on Tuesday that it has agreed to buy cybersecurity heavyweight Armis in a $7.75 billion deal that will see the workflow giant incorporate a real-time security intelligence feed into its products.…