Security – Cisco Blog

AI Agent for Color Red

WIRED

Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage

WIRED

The Trump Administration Sure Is Having Trouble Keeping Its Comms Private

KitPloit - PenTest Tools!

API-s-for-OSINT - List Of API's For Gathering Information About Phone Numbers, Addresses, Domains Etc

Thank you for following me! https://cybdetective.com

IOT/IP Search engines

Universal OSINT APIs

Phone Number Lookup and Verification

Address/ZIP codes lookup

People and documents verification

Business/Entity search

Domain/DNS/IP lookup

Mobile Apps Endpoints

Scraping

Whois

GEO IP

Wi-fi lookup

Network

Finance

Email

Names/Surnames

Pastebin/Leaks

Archives

Hashes decrypt/encrypt

Crypto

Malware

Face Search

## Face Detection

## Reverse Image Search

## AI Geolocation

Social Media and Messengers

UNOFFICIAL APIs

!WARNING Use with caution! Accounts may be blocked permanently for using unofficial APIs.

Search Engines

| Memex Marginalia | https://memex.marginalia.nu/projects/edge/api.gmi | An API for new privacy search engine | FREE |

News analyze

Darknet

Torrents/file sharing

Vulnerabilities

Flights

Webcams

## Regex

API testing tools

Curl converters (tools that help to write code using API queries)

Create your own API

Distribute your own API

API Keys Info

API directories

If you don't find what you need, try searching these directories.

How to learn how to work with REST API?

If you don't know how to work with the REST API, I recommend you check out the Netlas API guide I wrote for Netlas.io.

Netlas Cookbook

There it is very brief and accessible to write how to automate requests in different programming languages (focus on Python and Bash) and process the resulting JSON data.

Thank you for following me! https://cybdetective.com

WIRED

The Signal Clone Mike Waltz Was Caught Using Has Direct Access to User Chats

WIRED

Tulsi Gabbard Reused the Same Weak Password on Multiple Accounts for Years

WIRED

US Border Agents Are Asking for Help Taking Photos of Everyone Entering the Country by Car

WIRED

Signal Clone Used by Mike Waltz Pauses Service After Reports It Got Hacked

Security – Cisco Blog

Automate Forensics to Eliminate Uncertainty

WIRED

Security Researchers Warn a Widely Used Open Source Tool Poses a 'Persistent' Risk to the US

Troy Hunt

Passkeys for Normal People

Let me start by very simply explaining the problem we're trying to solve with passkeys. Imagine you're logging on to a website like this:

And, because you want to protect your account from being logged into by someone else who may obtain your username and password, you've turned on two-factor authentication (2FA). That means that even after entering the correct credentials in the screen above, you're now prompted to enter the six-digit code from your authenticator app:

There are a few different authenticator apps out there, but what they all have in common is that they display a one-time password (henceforth referred to as an OTP) with a countdown timer next to it:

By only being valid for a short period of time, if someone else obtains the OTP then they have a very short window in which it's valid. Besides, who can possibly obtain it from your authenticator app anyway?! Well... that's where the problem lies, and I demonstrated this just recently, not intentionally, but rather entirely by accident when I fell victim to a phishing attack. Here's how it worked:

1. I was socially engineered into visiting a phishing page that pretended to belong to Mailchimp who I use to send newsletters for this blog. The website address was mailchimp-sso.com, which was close enough to the real address (mailchimp.com) to be feasible. "SSO" is "single sign on", so also seemed feasible.
2. When I saw the login screen (the one with the big "PHISH" stamp on it), and submitted my username and password to them, the phishing site then automatically used those credentials to begin the login process on Mailchimp.
3. Mailchimp validated the credentials, and because I had 2FA turned on, then displayed the OTP request screen.
4. The legitimate OTP screen from Mailchimp was then returned to the bad guys...
5. ...who responded to my login request with their own page requesting the OTP.
6. I entered the code into the form and submitted it to the phishing site.
7. The bad guys then immediately sent that request to Mailchimp, thus successfully logging themselves in.

The problem with OTPs from authenticator apps (or sent via SMS) is that they're phishable in that it's possible for someone to trick you into handing one over. What we need instead is a "phishing-resistant" paradigm, and that's precisely what passkeys are. Let's look at how to set them up, how to use them on websites and in mobile apps, and talk about what some of their shortcomings are.

Passkeys for Log In on Mobile with WhatsApp

We'll start by setting one up for WhatsApp given I got a friendly prompt from them to do this recently:

So, let's "Try it" and walk through the mechanics of what it means to setup a passkey. I'm using an iPhone, and this is the screen I'm first presented with:

A passkey is simply a digital file you store on your device. It has various cryptographic protections in the way it is created and then used to login, but that goes beyond the scope of what I want to explain to the audience in this blog post. Let's touch briefly on the three items WhatsApp describes above:

1. The passkey will be used to logon to the service
2. It works in conjunction with how you already authenticate to your device
3. It needs to be stored somewhere (remember, it's a digital file)

That last point can be very device-specific and very user-specific. Because I have an iPhone, WhatsApp is suggesting I save the passkey into my iCloud Keychain. If you have an Android, you're obviously going to see a different message that aligns to how Google syncs passkeys. Choosing one of these native options is your path of least resistance - a couple of clicks and you're done. However...

I have lots of other services I want to use passkeys on, and I want to authenticate to them both from my iPhone and my Windows PC. For example, I use LinkedIn across all my devices, so I don't want my passkey tied solely to my iPhone. (It's a bit clunky, but some services enable this by using the mobile device your passkey is on to scan a QR code displayed on a web page). And what if one day I switch from iPhone to Android? I'd like my passkeys to be more transferable, so I'm going to store them in my dedicated password manager, 1Password.

A quick side note: as you'll read in this post, passkeys do not necessarily replace passwords. Sometimes they can be used as a "single factor" (the only thing you use to login with), but they may also be used as a "second factor" with the first being your password. This is up to the service implementing them, and one of the criticisms of passkeys is that your experience with them will differ between websites.

We still need passwords, we still want them to be strong and unique, therefore we still need password managers. I've been using 1Password for 14 years now (full disclosure: they sponsor Have I Been Pwned, and often sponsor this blog too) and as well as storing passwords (and credit cards and passport info and secure notes and sharing it all with my family), they can also store passkeys. I have 1Password installed on my iPhone and set as the default app to autofill passwords and passkeys:

Because of this, I'm given the option to store my WhatsApp passkey directly there:

The obfuscated section is the last four digits of my phone number. Let's "Continue", and then 1Password pops up with a "Save" button:

Once saved, WhatsApp displays the passkey that is now saved against my account:

And because I saved it into 1Password that syncs across all my devices, I can jump over to the PC and see it there too.

And that's it, I now have a passkey for WhatsApp which can be used to log in. I picked this example as a starting point given the massive breadth of the platform and the fact I was literally just prompted to create a passkey (the very day my Mailchimp account was phished, ironically). Only thing is, I genuinely can't see how to log out of WhatsApp so I can then test using the passkey to login. Let's go and create another with a different service and see how that experience differs.

Passkeys For Log In via PC with LinkedIn

Let's pick another example, and we'll set this one up on my PC. I'm going to pick a service that contains some important personal information, which would be damaging if it were taken over. In this case, the service has also previously suffered a data breach themselves: LinkedIn.

I already had two-step verification enabled on LinkedIn, but as evidenced in my own phishing experience, this isn't always enough. (Note: the terms "two-step", "two-factor" and "multi-factor" do have subtle differences, but for the sake of simplicity, I'll treat them as interchangeable terms in this post.)

Onto passkeys, and you'll see similarities between LinkedIn's and WhatsApp's descriptions. An important difference, however, is LinkedIn's comment about not needing to remember complex passwords:

Let's jump into it and create that passkey, but just before we do, keep in mind that it's up to each and every different service to decide how they implement the workflow for creating passkeys. Just like how different services have different rules for password strength criteria, the same applies to the mechanics of passkey creation. LinkedIn begins by requiring my password again:

This is part of the verification process to ensure someone other than you (for example, someone who can sit down at your machine that's already logged into LinkedIn), can't add a new way of accessing your account. I'm then prompted for a 6-digit code:

Which has already been sent to my email address, thus verifying I am indeed the legitimate account holder:

As soon as I enter that code in the website, LinkedIn pushes the passkey to me, which 1Password then offers to save:

Again, your experience will differ based on which device and preferred method of storing passkeys you're using. But what will always be the same for LinkedIn is that you can then see the successfully created passkey on the website:

Now, let's see how it works by logging out of LinkedIn and then returning to the login page. Immediately, 1Password pops up and offers to sign me in with my passkey:

That's a one-click sign-in, and clicking the purple button immediately grants me access to my account. Not only will 1Password not let me enter the passkey into a phishing site, due to the technical implementation of the keys, it would be completely unusable even if it was submitted to a nefarious party. Let me emphasise something really significant about this process:

Passkeys are one of the few security constructs that make your life easier, rather than harder.

However, there's a problem: I still have a password on the account, and I can still log in with it. What this means is that LinkedIn has decided (and, again, this is one of those website-specific decisions), that a passkey merely represents a parallel means of logging in. It doesn't replace the password, nor can it be used as a second factor. Even after generating the passkey, only two options are available for that second factor:

The risk here is that you can still be tricked into entering your password into a phishing site, and per my Mailchimp example, your second factor (the OTP generated by your authenticator app) can then also be phished. This is not to say you shouldn't use a passkey on LinkedIn, but whilst you still have a password and phishable 2FA, you're still at risk of the same sort of attack that got me.

Passkeys for 2FA with Ubiquiti

Let's try one more example, and this time, it's one that implements passkeys as a genuine second factor: Ubiquiti.

Ubiquiti is my favourite manufacturer of networking equipment, and logging onto their system gives you an enormous amount of visibility into my home network. When originally setting up that account many years ago, I enabled 2FA with an OTP and, as you now understand, ran the risk of it being phished. But just the other day I noticed passkey support and a few minutes later, my Ubiquiti account in 1Password looked like this:

I won't bother running through the setup process again because it's largely similar to WhatsApp and LinkedIn, but I will share just what it looks like to now login to that account, and it's awesome:

I intentionally left this running at real-time speed to show how fast the login process is with a password manager and passkey (I've blanked out some fields with personal info in them). That's about seven seconds from when I first interacted with the screen to when I was fully logged in with a strong password and second factor. Let me break that process down step by step:

1. When I click on the "Email or Username" field, 1Password suggests the account to be logged in with.
2. I click on the account I want to use and 1Password validates my identity with Face ID.
3. 1Password automatically fills in my credentials and submits the form.
4. Ubiquiti asks for my passkey, I click "Continue" and my iPhone uses Face ID again to ensure it's really me.
5. The passkey is submitted to Ubiquiti and I'm successfully logged in. (As it was my first login via Chrome on my iPhone, Ubiquiti then asks if I want to trust the device, but that happens after I'm already successfully logged in.)

Now, remember "the LinkedIn problem" where you were still stuck with phishable 2FA? Not so with Ubiquiti, who allowed me to completely delete the authenticator app:

But there's one more thing we can do here to strengthen everything up further, and that's to get rid of email authentication and replace it with something even stronger than a passkey: a U2F key.

Physical Universal 2 Factor Key for 2FA with Ubiquiti

Whilst passkeys themselves are considered non-phishable, what happens if the place you store that digital key gets compromised? Your iCloud Keychain, for example, or your 1Password account. If you configure and manage these services properly then the likelihood of that happening is extremely remote, but the possibility remains. Let's add something entirely different now, and that's a physical security key:

This is a YubiKey and you can you can store your digital passkey on it. It needs to be purchased and as of today, that's about a US$60 investment for a single key. YubiKeys are called "Universal 2 Factor" or U2F keys and the one above (that's a 5C NFC) can either plug into a device with USB-C or be held next to a phone with NFC (that's "near field communication", a short-range wireless technology that requires devices to be a few centimetres apart). YubiKeys aren't the only makers of U2F keys, but their name has become synonymous with the technology.

Back to Ubiquiti, and when I attempt to remove email authentication, the following prompt stops me dead in my tracks:

I don't want email authentication because that involves sending a code to my email address and, well, we all know what happens when we're relying on people to enter codes into login forms 🤔 So, let's now walk through the Ubiquiti process and add another passkey as a second factor:

But this time, when Chrome pops up and offers to save it in 1Password, I'm going to choose the little USB icon at the top of the prompt instead:

Windows then gives me a prompt to choose where I wish to save the passkey, which is where I choose the security key I've already inserted into my PC:

Each time you begin interacting with a U2F key, it requires a little tap:

And a moment later, my digital passkey has been saved to my physical U2F key:

Just as you can save your passkey to Apple's iCloud Keychain or in 1Password and sync it across your devices, you can also save it to a physical key. And that's precisely what I've now done - saved one Ubiquiti passkey to 1Password and one to my YubiKey. Which means I can now go and remove email authentication, but it does carry a risk:

This is a good point to reflect on the paradox that securing your digital life presents: as we seek stronger forms of authentication, we create different risks. Losing all your forms of non-phishable 2FA, for example, creates the risk of losing access to your account. But we also have mitigating controls: your digital passkey is managed totally independently of your physical one so the chances of losing both are extremely low. Plus, best practice is usually to have two U2F keys and enrol them both (I always take one with me when I travel, and leave another one at home). New levels of security, new risks, new mitigations.

Finding Sites That Support Passkeys

All that's great, but beyond my examples above, who actually supports passkeys?! A rapidly expanding number of services, many of which 1Password has documented in their excellent passkeys.directory website:

Have a look through the list there, and you'll see many very familiar brands. You won't see Ubiquiti as of the time of writing, but I've gone through the "Suggest new listing" process to have them added and will be chatting further with the 1Password folks to see how we can more rapidly populate that list.

Do also take a look at the "Vote for passkeys support" tab and if you see a brand that really should be there, make your voice heard. Hey, here's a good one to start voting for:

Summary

I've deliberately just focused on the mechanics of passkeys in this blog post, but let me take just a moment to highlight important separate but related concepts. Think of passkeys as one part of what we call "defence in depth", that is the application of multiple controls to help keep you safe online. For example, you should still treat emails containing links with a healthy suspicion and whenever in doubt, not click anything and independently navigate to the website in question via your browser. You should still have strong, unique passwords and use a password manager to store them. And you should probably also make sure you're fully awake and not jet lagged in bed before manually entering your credentials into a website your password manager didn't autofill for you 🙂

We're not at the very beginning of passkeys, and we're also not yet quite at the tipping point either... but it's within sight. Just last week, Microsoft announced that new accounts will be passwordless by default, with a preference to using passkeys. Whilst passkeys are by no means perfect, look at what they're replacing! Start using them now on your most essential services and push those that don't support them to genuinely take the security of their customers seriously.

WIRED

Hacking Spree Hits UK Retail Giants

Security – Cisco Blog

Black Hat Asia 2025 NOC: Innovation in SOC

WIRED

Mike Waltz Has Somehow Gotten Even Worse at Using Signal

WIRED

Think Twice Before Creating That ChatGPT Action Figure

WIRED

North Korea Stole Your Job

WIRED

AI Code Hallucinations Increase the Risk of ‘Package Confusion’ Attacks

WIRED

WhatsApp Is Walking a Tightrope Between AI Features and Privacy

WIRED

Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi

Security – Cisco Blog

Instant Attack Verification: Verification to Trust Automated Response

Security – Cisco Blog

Foundation-sec-8b: Cisco Foundation AI’s First Open-Source Security Model

Security – Cisco Blog

Foundation AI: Robust Intelligence for Cybersecurity

Security – Cisco Blog

Cisco XDR Just Changed the Game, Again

WIRED

Car Subscription Features Raise Your Risk of Government Surveillance, Police Records Show

WIRED

Pete Hegseth’s Signal Scandal Spirals Out of Control

McAfee Blogs

This Week in Scams: $16.6 Billion Lost, Deepfakes Rise, and Google Email Scams Emerge

Welcome to the first edition of This Week in Scams, a new weekly series from McAfee breaking down the latest fraud trends, headlines, and real-time threats we’re detecting across the digital landscape. 

This week, we’re spotlighting the FBI’s shocking new cybercrime report, the rise of AI-generated deepfakes, and a sophisticated Gmail impersonation scam flagged by Google. We’re also seeing a surge in location-specific toll scams and fake delivery alerts—a reminder that staying ahead of scammers starts with knowing how they operate. 

Let’s dive in. 

Scams Making Headlines 

$16.6 Billion Lost to Online Scams in 2024
The FBI’s latest Internet Crime Report is here—and the numbers are staggering. Americans lost $16.6 billion to online scams last year, up from $12.5 billion in 2023. Older adults and crypto investors were hit especially hard, but the agency warns the real total is likely much higher, since many victims never report the crime.
Read more

AI-Powered Deepfake Scams Get More Convincing
Deepfake-enabled fraud has already caused more than $200 million in financial losses in just the first quarter of 2025.  

McAfee researchers estimate the average American sees three deepfakes per day, many of which are designed to mimic real people, services, or news stories. Whether it’s fake crypto pitches, job offers, or social media stunts—seeing is no longer believing.
Read more 

Google Warns Users of Sophisticated Email Scam  

Google is alerting Gmail users to a new type of phishing email that looks like it comes from Google itself. These messages often appear in legitimate email threads and pass all typical security checks, but lead victims to a cloned Google login page designed to steal credentials. The scam highlights how attackers are evolving to outsmart traditional filters.
Read more 

From Experts at McAfee 

McAfee Researchers have observed a recent surge in the following scam types: 

Fake Delivery Notifications: Scammers impersonate delivery services like USPS, UPS, and FedEx, sending fake tracking links that install malware or steal payment info

Invoice Scams: Fraudulent messages that claim you owe money for a product or service, often accompanied by a fake invoice PDF or request for payment via phone

Cloud Storage Spoofs: Emails that pretend to be from Google Drive, Dropbox, or OneDrive, prompting you to “log in” to view shared files. The links lead to phishing sites designed to capture your credentials. 

Toll Text Scams: Personalized smishing messages that claim you owe a toll and link to fake payment sites. These messages often use location data—like your area code or recent city visits—to appear legitimate. McAfee Labs saw toll scam texts spike nearly 4x between January and February.

This week, Steve Grobman, executive vice president and chief technology officer at McAfee, said the toll scam is effective because it hits all the correct social points for a consumer. 

These scams often rely on urgency and familiarity—pretending to be something you trust or expect—to get you to act quickly without double-checking. 

How to Stay One Step Ahead 

1. Be skeptical of emails—even from familiar senders.
   The Gmail scam shows that even official-looking messages can be fake. If an email asks you to log in, don’t click the link. Instead, go to the website directly through your browser and log in from there.
2. Understand how deepfakes are being used.
   Whether it’s a voice message from someone you know or a video of a public figure promoting an investment, deepfakes are designed to exploit trust. If a message pressures you to act urgently—especially involving money—slow down and verify it through another channel.
3. Don’t assume personalization means legitimacy.
   Scams like the toll fraud texts feel real because they include specific location data. But scammers can use leaked or purchased personal data to tailor messages. Just because it sounds accurate doesn’t mean it’s trustworthy.
4. Watch for emotional triggers.
   The most effective scams—whether it’s a fake support email, a travel deal, or a message about a missed toll—create urgency or panic. If something is pushing you to act fast, that’s your cue to stop and verify.
5. Protect yourself with tools that go beyond basic filters.
   Traditional spam filters aren’t enough anymore. Use security tools—like McAfee Scam Detector—that look at full message context and help flag advanced scams, impersonation attempts, and deepfakes before they cause harm.

Thanks for reading—See you next week with more scam alerts, insights, and protection tips from the McAfee team. 

The post This Week in Scams: $16.6 Billion Lost, Deepfakes Rise, and Google Email Scams Emerge appeared first on McAfee Blog.

WIRED

Protecting Your Phone—and Your Privacy—at the US Border

Security – Cisco Blog

Black Hat Asia 2025: Innovation in the SOC

WIRED

Gmail’s New Encrypted Messages Feature Opens a Door for Scams

McAfee Blogs

Interviewing for a Job? Spot a Scam with These Questions

Job scams are on the rise. And asking the right questions can help steer you clear of them. 

That rise in job scams is steep, according to the U.S. Federal Trade Commission (FTC). Recent data shows that reported losses have grown five times over between 2020 and 2024. In 2024 alone, reported losses hit half a billion dollars, with unreported losses undoubtedly pushing actual losses yet higher. 

Last week, we covered how “pay to get paid” scams account for a big chunk of online job scams. Here, we’ll cover a couple more that we’ve seen circulating on social media and via texts—and how some pointed questions can help you avoid them. 

Two classic job scams to look out for 

The headhunter scam 

Some job scammers pose as recruiters from job agencies who reach potential victims the same way legitimate agencies do—by email, text, and networking sites. Sometimes this leaves people with their guard down because it’s not unheard of at all to get contacted this way, “out of the blue” so to speak.  

Yet one of the quickest ways to spot a scammer is when the “recruiter” asks to pay a fee for the matchmaking, particularly if they ask for it up front. Legitimate headhunters, temp agencies, and staffing agencies typically get paid by the company or business that ultimately does the hiring. Job candidates don’t pay a thing.  

Training and equipment fee scams 

Another form of scam occurs during the “onboarding” process of the job. The scammer happily welcomes the victim to the company and then informs them that they’ll need to take some online training and perhaps buy a computer or other office equipment. Of course, the scammer asks the victim to pay for all of it—leaving the victim out of hundreds of dollars and the scammer with their payment info.  

Spot job scams by asking the right questions 

One way you can spot a job scam is to press for answers. Asking pointed questions about a company and the job it’s offering, just as you would in any real interview, can reveal gaps in a scammer’s story. In effect, scammers are putting on an acting job, and some don’t thoroughly prepare for their role. They don’t think through the details, hoping that victims will be happy enough about a job prospect to ask too many questions.  

If the hiring process moves quicker than expected or details about a job seem light, it’s indeed time to ask questions. Here are a few you can keep handy when you start to wonder if you have a scam on your hands … 

“What’s the full job description, and what are the day-to-day responsibilities?” 

This is a great place to start. Legitimate employers write up job listings that they post on their website and job sites. In those descriptions, the work and everything it entails gets spelled out to the letter. A real employer should be able to provide you with a job description or at least cover it clearly over the course of a conversation.  

“Where’s the company based and where does it have offices?”  

This one can trip up a scammer quickly. A scammer might avoid giving a physical address. Likewise, they might offer up a fake one. Either a non-answer or a lie can readily call out a scam by following up the question with a web search for a physical address. (Resources like the Better Business Bureau can also help you research a company and its track record.) 

“Who will I be working with, and who will I report to?” 

Asking about co-workers, bosses, reporting structures and the like can also help sniff out a scam. Real employers, once again, will have ready answers here. They might even start dropping names and details about people’s tenure and background. Meanwhile, this is one more place where scammers might tip their hand because they haven’t made up those details. 

“What are the next steps in the hiring process?” 

This question alone can offer a telltale sign. Many job scams move through the hiring process at relative breakneck speed—skipping past the usual interview loops and callbacks that many legitimate jobs have. Scammers want to turn over their victims quickly, so they’ll make the “hiring process” quick as well. If it feels like you’re blazing through the steps, it could be a scam. 

“Can you tell me about the company’s history?”  

Every business has a story, even if it’s still in its startup days. Anyone in a recruiting or hiring position will have a good handle on this question, as they will on any follow-up questions about the company’s mission or goals. Again, vagueness in response to these kinds of questions could be a sign of a scam. 

More ways you can avoid job scams 

Watch out for job offers on social media.

Whether it’s through social media sites like Facebook, Instagram, and the like, scammers often reach out through direct messages. Recruiters stick to legitimate business networking sites like LinkedIn. Companies maintain established accounts on recruiting platforms that people know and trust, so view any contact outside of them as suspicious. 

Filter out scam links.

Scammers use the “hiring process” to trick people into providing their personal info with malicious links. Web protection, included in our plans, can steer you clear of them. Likewise, our Scam Detector scans URLs in your text messages and alerts you if they’re sketchy. If you accidentally click a bad link, both web and text scam protection will block a risky site. 

Lower your profile.

Many scammers get your contact info from data broker sites. McAfee’s Personal Data Cleanup scans some of the riskiest data broker sites, shows you which ones are selling your personal info, and, depending on your plan, can help you remove it. Our Social Privacy Manager lowers your public profile lower still. It helps you adjust more than 100 privacy settings across your social media accounts in just a few clicks, so your personal info is only visible to the people you want to share it with. 

The post Interviewing for a Job? Spot a Scam with These Questions appeared first on McAfee Blog.

Security – Cisco Blog

Does Your SSE Understand User Intent?

WIRED

The Tech That Safeguards the Conclave’s Secrecy

KitPloit - PenTest Tools!

Ghost-Route - Ghost Route Detects If A Next JS Site Is Vulnerable To The Corrupt Middleware Bypass Bug (CVE-2025-29927)

A Python script to check Next.js sites for corrupt middleware vulnerability (CVE-2025-29927).

The corrupt middleware vulnerability allows an attacker to bypass authentication and access protected routes by send a custom header x-middleware-subrequest.

Next JS versions affected: - 11.1.4 and up

[!WARNING] This tool is for educational purposes only. Do not use it on websites or systems you do not own or have explicit permission to test. Unauthorized testing may be illegal and unethical.

Installation

Clone the repo

git clone https://github.com/takumade/ghost-route.git
cd ghost-route

Create and activate virtual environment

python -m venv .venv
source .venv/bin/activate

Install dependencies

pip install -r requirements.txt

Usage

python ghost-route.py <url> <path> <show_headers>

• <url>: Base URL of the Next.js site (e.g., https://example.com)
• <path>: Protected path to test (default: /admin)
• <show_headers>: Show response headers (default: False)

Example

Basic Example

python ghost-route.py https://example.com /admin

Show Response Headers

python ghost-route.py https://example.com /admin True

License

MIT License

Credits

• CVE-2025-29927
• Next.js and the corrupt middleware: the authorizing artifact
• Rachid A.
• Yasser Allam

Krebs on Security

Whistleblower: DOGE Siphoned NLRB Case Data

A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk‘s Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusual large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account.

The cover letter from Berulis’s whistleblower statement, sent to the leaders of the Senate Select Committee on Intelligence.

The allegations came in an April 14 letter to the Senate Select Committee on Intelligence, signed by Daniel J. Berulis, a 38-year-old security architect at the NLRB.

NPR, which was the first to report on Berulis’s whistleblower complaint, says NLRB is a small, independent federal agency that investigates and adjudicates complaints about unfair labor practices, and stores “reams of potentially sensitive data, from confidential information about employees who want to form unions to proprietary business information.”

The complaint documents a one-month period beginning March 3, during which DOGE officials reportedly demanded the creation of all-powerful “tenant admin” accounts in NLRB systems that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.

Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases. The new accounts also could restrict log visibility, delay retention, route logs elsewhere, or even remove them entirely — top-tier user privileges that neither Berulis nor his boss possessed.

Berulis writes that on March 3, a black SUV accompanied by a police escort arrived at his building — the NLRB headquarters in Southeast Washington, D.C. The DOGE staffers did not speak with Berulis or anyone else in NLRB’s IT staff, but instead met with the agency leadership.

“Our acting chief information officer told us not to adhere to standard operating procedure with the DOGE account creation, and there was to be no logs or records made of the accounts created for DOGE employees, who required the highest level of access,” Berulis wrote of their instructions after that meeting.

“We have built in roles that auditors can use and have used extensively in the past but would not give the ability to make changes or access subsystems without approval,” he continued. “The suggestion that they use these accounts was not open to discussion.”

Berulis found that on March 3 one of the DOGE accounts created an opaque, virtual environment known as a “container,” which can be used to build and run programs or scripts without revealing its activities to the rest of the world. Berulis said the container caught his attention because he polled his colleagues and found none of them had ever used containers within the NLRB network.

Berulis said he also noticed that early the next morning — between approximately 3 a.m. and 4 a.m. EST on Tuesday, March 4  — there was a large increase in outgoing traffic from the agency. He said it took several days of investigating with his colleagues to determine that one of the new accounts had transferred approximately 10 gigabytes worth of data from the NLRB’s NxGen case management system.

Berulis said neither he nor his co-workers had the necessary network access rights to review which files were touched or transferred — or even where they went. But his complaint notes the NxGen database contains sensitive information on unions, ongoing legal cases, and corporate secrets.

“I also don’t know if the data was only 10gb in total or whether or not they were consolidated and compressed prior,” Berulis told the senators. “This opens up the possibility that even more data was exfiltrated. Regardless, that kind of spike is extremely unusual because data almost never directly leaves NLRB’s databases.”

Berulis said he and his colleagues grew even more alarmed when they noticed nearly two dozen login attempts from a Russian Internet address (83.149.30,186) that presented valid login credentials for a DOGE employee account — one that had been created just minutes earlier. Berulis said those attempts were all blocked thanks to rules in place that prohibit logins from non-U.S. locations.

“Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating,” Berulis wrote. “There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers.”

According to Berulis, the naming structure of one Microsoft user account connected to the suspicious activity suggested it had been created and later deleted for DOGE use in the NLRB’s cloud systems: “DogeSA_2d5c3e0446f9@nlrb.microsoft.com.” He also found other new Microsoft cloud administrator accounts with nonstandard usernames, including “Whitesox, Chicago M.” and “Dancehall, Jamaica R.”

A screenshot shared by Berulis showing the suspicious user accounts.

On March 5, Berulis documented that a large section of logs for recently created network resources were missing, and a network watcher in Microsoft Azure was set to the “off” state, meaning it was no longer collecting and recording data like it should have.

Berulis said he discovered someone had downloaded three external code libraries from GitHub that neither NLRB nor its contractors ever use. A “readme” file in one of the code bundles explained it was created to rotate connections through a large pool of cloud Internet addresses that serve “as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.” Brute force attacks involve automated login attempts that try many credential combinations in rapid sequence.

The complaint alleges that by March 17 it became clear the NLRB no longer had the resources or network access needed to fully investigate the odd activity from the DOGE accounts, and that on March 24, the agency’s associate chief information officer had agreed the matter should be reported to US-CERT. Operated by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), US-CERT provides on-site cyber incident response capabilities to federal and state agencies.

But Berulis said that between April 3 and 4, he and the associate CIO were informed that “instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report.” Berulis said it was at this point he decided to go public with his findings.

An email from Daniel Berulis to his colleagues dated March 28, referencing the unexplained traffic spike earlier in the month and the unauthorized changing of security controls for user accounts.

Tim Bearese, the NLRB’s acting press secretary, told NPR that DOGE neither requested nor received access to its systems, and that “the agency conducted an investigation after Berulis raised his concerns but ‘determined that no breach of agency systems occurred.'” The NLRB did not respond to questions from KrebsOnSecurity.

Nevertheless, Berulis has shared a number of supporting screenshots showing agency email discussions about the unexplained account activity attributed to the DOGE accounts, as well as NLRB security alerts from Microsoft about network anomalies observed during the timeframes described.

As CNN reported last month, the NLRB has been effectively hobbled since President Trump fired three board members, leaving the agency without the quorum it needs to function.

“Despite its limitations, the agency had become a thorn in the side of some of the richest and most powerful people in the nation — notably Elon Musk, Trump’s key supporter both financially and arguably politically,” CNN wrote.

Both Amazon and Musk’s SpaceX have been suing the NLRB over complaints the agency filed in disputes about workers’ rights and union organizing, arguing that the NLRB’s very existence is unconstitutional. On March 5, a U.S. appeals court unanimously rejected Musk’s claim that the NLRB’s structure somehow violates the Constitution.

Berulis shared screenshots with KrebsOnSecurity showing that on the day the NPR published its story about his claims (April 14), the deputy CIO at NLRB sent an email stating that administrative control had been removed from all employee accounts. Meaning, suddenly none of the IT employees at the agency could do their jobs properly anymore, Berulis said.

An email from the NLRB’s associate chief information officer Eric Marks, notifying employees they will lose security administrator privileges.

Berulis shared a screenshot of an agency-wide email dated April 16 from NLRB director Lasharn Hamilton saying DOGE officials had requested a meeting, and reiterating claims that the agency had no prior “official” contact with any DOGE personnel. The message informed NLRB employees that two DOGE representatives would be detailed to the agency part-time for several months.

An email from the NLRB Director Lasharn Hamilton on April 16, stating that the agency previously had no contact with DOGE personnel.

Berulis told KrebsOnSecurity he was in the process of filing a support ticket with Microsoft to request more information about the DOGE accounts when his network administrator access was restricted. Now, he’s hoping lawmakers will ask Microsoft to provide more information about what really happened with the accounts.

“That would give us way more insight,” he said. “Microsoft has to be able to see the picture better than we can. That’s my goal, anyway.”

Berulis’s attorney told lawmakers that on April 7, while his client and legal team were preparing the whistleblower complaint, someone physically taped a threatening note to Mr. Berulis’s home door with photographs — taken via drone — of him walking in his neighborhood.

“The threatening note made clear reference to this very disclosure he was preparing for you, as the proper oversight authority,” reads a preface by Berulis’s attorney Andrew P. Bakaj. “While we do not know specifically who did this, we can only speculate that it involved someone with the ability to access NLRB systems.”

Berulis said the response from friends, colleagues and even the public has been largely supportive, and that he doesn’t regret his decision to come forward.

“I didn’t expect the letter on my door or the pushback from [agency] leaders,” he said. “If I had to do it over, would I do it again? Yes, because it wasn’t really even a choice the first time.”

For now, Mr. Berulis is taking some paid family leave from the NLRB. Which is just as well, he said, considering he was stripped of the tools needed to do his job at the agency.

“They came in and took full administrative control and locked everyone out, and said limited permission will be assigned on a need basis going forward” Berulis said of the DOGE employees. “We can’t really do anything, so we’re literally getting paid to count ceiling tiles.”

Further reading: Berulis’s complaint (PDF).

WIRED

How to Protect Yourself From Phone Searches at the US Border

KitPloit - PenTest Tools!

CentralizedFirewall - Provides A Firewall Manager API Designed To Centralize And Streamline The Management Of Firewall Configurations

Firewall Manager API Project

Installation

Follow these steps to set up and run the API project:

1. Clone the Repository

git clone https://github.com/adriyansyah-mf/CentralizedFirewall
cd CentralizedFirewall

2. Edit the .env File

Update the environment variables in .env according to your configuration.

nano .env

3. Start the API with Docker Compose

docker compose up -d

This will start the API in detached mode.

4. Verify the API is Running

Check if the containers are up:

docker ps

Additional Commands

Stop the API

docker compose down

Restart the API

docker compose restart

Let me know if you need any modifications! 🚀

How to setup for the first time and connect to firewall client

1. Install Firewall Agent on your node server
2. Run the agent with the following command

sudo dpkg -i firewall-client_deb.deb

1. Create a New Group on the Firewall Manager
2. Create New API Key on the Firewall Manager
3. Edit the configuration file on the node server

nano /usr/local/bin/config.ini

1. Add the following configuration

[settings]
api_url = API-URL
api_key = API-KEY
hostname = Node Hostname (make it unique and same as the hostname on the SIEM) 

1. Restart the firewall agent

systemctl daemon-reload
systemctl start firewall-agent

1. Check the status of the firewall agent

systemctl status firewall-agent

1. You will see the connected node on the Firewall Manager

Default Credential

Username: admin
Password: admin

You can change the default credential on the setting page

How to Integration with SIEM

1. Install the SIEM on your server
2. Configure the SIEM to send the log to the Firewall Manager (You can do this via SOAR or SIEM configuration) The request should be POST with the following format
3. The format of the log should be like this

curl -X 'POST' \
  'http://api-server:8000/general/add-ip?ip=123.1.1.99&hostname=test&apikey=apikey&comment=log' \
  -H 'accept: application/json' \
  -d ''

You can see the swagger documentation on the following link

http://api-server:8000/docs

The .env detail configuration

DB=changeme
JWT_SECRET=changeme
PASSWORD_SALT=changme
PASSWORD_TOKEN_KEY=changme
OPENCTI_URL=changme
OPENCTI_TOKEN=changme

Sponsor This Project 💖

If you find this project helpful, consider supporting me through GitHub Sponsors

WIRED

Florida Man Enters the Encryption Wars

WIRED

ICE Is Paying Palantir $30 Million to Build ‘ImmigrationOS’ Surveillance Platform

KitPloit - PenTest Tools!

PANO - Advanced OSINT Investigation Platform Combining Graph Visualization, Timeline Analysis, And AI Assistance To Uncover Hidden Connections In Data

Getting Started

1. Clone the repository: bash git clone https://github.com/ALW1EZ/PANO.git cd PANO

2. Run the application:

3. Linux: ./start_pano.sh
4. Windows: start_pano.bat

The startup script will automatically: - Check for updates - Set up the Python environment - Install dependencies - Launch PANO

In order to use Email Lookup transform You need to login with GHunt first. After starting the pano via starter scripts;

1. Select venv manually
2. Linux: source venv/bin/activate
3. Windows: call venv\Scripts\activate
4. See how to login here

💡 Quick Start Guide

1. Create Investigation: Start a new investigation or load an existing one
2. Add Entities: Drag entities from the sidebar onto the graph
3. Discover Connections: Use transforms to automatically find relationships
4. Analyze: Use timeline and map views to understand patterns
5. Save: Export your investigation for later use

🔍 Features

🕸️ Core Functionality

• Interactive Graph Visualization
• Drag-and-drop entity creation
• Multiple layout algorithms (Circular, Hierarchical, Radial, Force-Directed)
• Dynamic relationship mapping

• Visual node and edge styling

• Timeline Analysis

• Chronological event visualization
• Interactive timeline navigation
• Event filtering and grouping

• Temporal relationship analysis

• Map Integration

• Geographic data visualization
• Location-based analysis
• Interactive mapping features
• Coordinate plotting and tracking

🎯 Entity Management

• Supported Entity Types
• 📧 Email addresses
• 👤 Usernames
• 🌐 Websites
• 🖼️ Images
• 📍 Locations
• ⏰ Events
• 📝 Text content
• 🔧 Custom entity types

🔄 Transform System

• Email Analysis
• Google account investigation
• Calendar event extraction
• Location history analysis

• Connected services discovery

• Username Analysis

• Cross-platform username search
• Social media profile discovery
• Platform correlation

• Web presence analysis

• Image Analysis

• Reverse image search
• Visual content analysis
• Metadata extraction
• Related image discovery

🤖 AI Integration

• PANAI
• Natural language investigation assistant
• Automated entity extraction and relationship mapping
• Pattern recognition and anomaly detection
• Multi-language support
• Context-aware suggestions
• Timeline and graph analysis

🧩 Core Components

📦 Entities

Entities are the fundamental building blocks of PANO. They represent distinct pieces of information that can be connected and analyzed:

• Built-in Types
• 📧 Email: Email addresses with service detection
• 👤 Username: Social media and platform usernames
• 🌐 Website: Web pages with metadata
• 🖼️ Image: Images with EXIF and analysis
• 📍 Location: Geographic coordinates and addresses
• ⏰ Event: Time-based occurrences

• 📝 Text: Generic text content

• Properties System

• Type-safe property validation
• Automatic property getters
• Dynamic property updates
• Custom property types
• Metadata support

⚡ Transforms

Transforms are automated operations that process entities to discover new information and relationships:

• Operation Types
• 🔍 Discovery: Find new entities from existing ones
• 🔗 Correlation: Connect related entities
• 📊 Analysis: Extract insights from entity data
• 🌐 OSINT: Gather open-source intelligence

• 🔄 Enrichment: Add data to existing entities

• Features

• Async operation support
• Progress tracking
• Error handling
• Rate limiting
• Result validation

🛠️ Helpers

Helpers are specialized tools with dedicated UIs for specific investigation tasks:

• Available Helpers
• 🔍 Cross-Examination: Analyze statements and testimonies
• 👤 Portrait Creator: Generate facial composites
• 📸 Media Analyzer: Advanced image processing and analysis
• 🔍 Base Searcher: Search near places of interest

• 🔄 Translator: Translate text between languages

• Helper Features

• Custom Qt interfaces
• Real-time updates
• Graph integration
• Data visualization
• Export capabilities

👥 Contributing

We welcome contributions! To contribute to PANO:

1. Fork the repository at https://github.com/ALW1EZ/PANO/
2. Make your changes in your fork
3. Test your changes thoroughly
4. Create a Pull Request to our main branch
5. In your PR description, include:
6. What the changes do
7. Why you made these changes
8. Any testing you've done
9. Screenshots if applicable

Note: We use a single main branch for development. All pull requests should be made directly to main.

📖 Development Guide

from dataclasses import dataclass
from typing import ClassVar, Dict, Any
from .base import Entity

@dataclass
class PhoneNumber(Entity):
    name: ClassVar[str] = "Phone Number"
    description: ClassVar[str] = "A phone number entity with country code and validation"

    def init_properties(self):
        """Initialize phone number properties"""
        self.setup_properties({
            "number": str,
            "country_code": str,
            "carrier": str,
            "type": str,  # mobile, landline, etc.
            "verified": bool
        })

    def update_label(self):
        """Update the display label"""
        self.label = self.format_label(["country_code", "number"])

from dataclasses import dataclass
from typing import ClassVar, List
from .base import Transform
from entities.base import Entity
from entities.phone_number import PhoneNumber
from entities.location import Location
from ui.managers.status_manager import StatusManager

@dataclass
class PhoneLookup(Transform):
    name: ClassVar[str] = "Phone Number Lookup"
    description: ClassVar[str] = "Lookup phone number details and location"
    input_types: ClassVar[List[str]] = ["PhoneNumber"]
    output_types: ClassVar[List[str]] = ["Location"]

    async def run(self, entity: PhoneNumber, graph) -> List[Entity]:
        if not isinstance(entity, PhoneNumber):
            return []

        status = StatusManager.get()
        operation_id = status.start_loading("Phone Lookup")

        try:
            # Your phone number lookup logic here
            # Example: query an API for phone number details
            location = Location(properties={
                "country": "Example Country",
                "region": "Example Region",
                "carrier": "Example Carrier",
                "source": "PhoneLookup transform"
            })

            return [location]

        except Exception as e:
            status.set_text(f"Error during phone lookup: {str(e)}")
            return []

        finally:
            status.stop_loading(operation_id)

from PySide6.QtWidgets import (
    QWidget, QVBoxLayout, QHBoxLayout, QPushButton,
    QTextEdit, QLabel, QComboBox
)
from .base import BaseHelper
from qasync import asyncSlot

class DummyHelper(BaseHelper):
    """A dummy helper for testing"""

    name = "Dummy Helper" 
    description = "A dummy helper for testing"

    def setup_ui(self):
        """Initialize the helper's user interface"""
        # Create input text area
        self.input_label = QLabel("Input:")
        self.input_text = QTextEdit()
        self.input_text.setPlaceholderText("Enter text to process...")
        self.input_text.setMinimumHeight(100)

        # Create operation selector
        operation_layout = QHBoxLayout()
        self.operation_label = QLabel("Operation:")
        self.operation_combo = QComboBox()
        self.operation_combo.addItems(["Uppercase", "Lowercase", "Title Case"])
        operation_layout.addWidget(self.operation_label)
        operation_layout.addWidget(self.operation_combo)

        # Create process button
        self.process_btn = QPushButton("Process")
        self.process_btn.clicked.connect(self.process_text)

        # Create output text area
        self.output_label = QLabel("Output:")
        self.output_text = QTextEdit()
        self.output_text.setReadOnly(True)
        self.output_text.setMinimumHeight(100)

        # Add widgets to main layout
        self.main_layout.addWidget(self.input_label)
        self.main_layout.addWidget(self.input_text)
        self.main_layout.addLayout(operation_layout)
        self.main_layout.addWidget(self.process_btn)
        self.main_layout.addWidget(self.output_label)
        self.main_layout.addWidget(self.output_text)

        # Set dialog size
        self.resize(400, 500)

    @asyncSlot()
    async def process_text(self):
        """Process the input text based on selected operation"""
        text = self.input_text.toPlainText()
        operation = self.operation_combo.currentText()

        if operation == "Uppercase":
            result = text.upper()
        elif operation == "Lowercase":
            result = text.lower()
        else:  # Title Case
            result = text.title()

        self.output_text.setPlainText(result)

📄 License

This project is licensed under the Creative Commons Attribution-NonCommercial (CC BY-NC) License.

You are free to: - ✅ Share: Copy and redistribute the material - ✅ Adapt: Remix, transform, and build upon the material

Under these terms: - ℹ️ Attribution: You must give appropriate credit - 🚫 NonCommercial: No commercial use - 🔓 No additional restrictions

🙏 Acknowledgments

Special thanks to all library authors and contributors who made this project possible.

👨‍💻 Author

Created by ALW1EZ with AI ❤️

WIRED

New Jersey Sues Discord for Allegedly Failing to Protect Children

WIRED

This ‘College Protester’ Isn’t Real. It’s an AI-Powered Undercover Bot for Cops

McAfee Blogs

“Pay to Get Paid” – The New Job Scam That’s Raking in Millions Right Now

How does this job offer sound? When you pay, you get paid. Sounds fishy, right? In fact, it’s one of the fastest-growing job scams out there right now. 

Looking at job scams overall, a data from the U.S. Federal Trade Commission (FTC) shows that job scam reports have nearly tripled between 2020 and 2024. Further, reported losses grew more than five times—spiking to $501 million in 2024.  

In all, job scams are more common and more costly than ever. 

And leading those losses is a new breed of job scam, where victims indeed “pay to get paid.” 

“Pay to get paid,” the hottest job scam going 

The FTC has dubbed these “pay to get paid” scams as “gamified job scams” or “task scams.” Given the way these scams work, the naming fits. The work feels like a gamey task—and the only winner is the scammer.  

It all plays out like this: 

You get a job offer by text or private message. The scammer offers you “work” involving “app optimization” or “product boosting,” which they often describe in loose, hazy terms. 

You accept the offer. Then the scammer sets you up with an account on an app or platform where you get tasked to “like” or “rate” sets of videos or product images online.  

You get to work. The app or platform is fake, yet it looks like you’re racking up commissions as you click and complete sets of tasks. At this point the scammer might dole out a small payment or two, making you think the job truly is legit. 

The scammer sets the hook. Here’s where the gamey “pay to get paid” part comes in—if you want more “work,” you must pay for it. At this point, the scammer requires a “deposit” for your next set of tasks. Like a video game, the scammer sweetens the deal by saying the next set can “level up” your earnings.  

You get scammed. You make the deposit, complete the task set, and try to get your earnings from the app or platform—only to find that the scammer and your money are gone. It was all fake.  

Based on what we’ve seen in the past, these scams borrow from other “easy money” con games found on payment apps. “Easy money” scams build slowly as scammers build a false sense of trust with victims by making small returns on small investments over time. Finally, with the con set, the scammer asks for a huge amount and disappears with it. “Pay to get paid” scams can work much the same way. 

A few things to keep in mind about this scam as well: 

• Per the FTC, any job that pays you to “like” or “rate” content is illegal. That’s the irony here. It asks you to do something illegal, which leads to something else illegal—theft. 

• Reports show that scammers often fund these scams with cryptocurrency. In fact, the FTC says people lose far more money to job scams using cryptocurrency than any other form of payment.  

Keep your money safe from “pay to get paid” job scams 

Step one—ignore job offers over text and social media 

A proper recruiter will reach out to you by email or via a job networking site. Moreover, they’ll give you clear details about a possible job, and they’ll answer any questions you have just as clearly. 

Quite the opposite, scammers write vague texts and private messages. They’re often big on hype but short on details. Asking questions about the job will get you similarly vague answers. Ignore these offers. 

Step two—look up the company 

In the case of online job offers in general, look up the company. Check out their background and see if it’s an actual company—and see if that matches up with what that recruiter is telling you. 

In the U.S., you have several resources that can help you answer that question. The Better Business Bureau (BBB) offers a searchable listing of businesses in the U.S., along with a brief profile, a rating, and even a list of complaints (and company responses) waged against them. Spending some time here can quickly shed light on the legitimacy of a company.   

For a listing of businesses with U.S. and international locations, organizations like S&P Global Ratings and the Dun and Bradstreet Corporation can provide background info as well.  

Lastly, check out the company’s website. See if it has a job listing that matches the one you’re offered. Legwork like this can help uncover a scam. 

Step three—refuse to pay 

As simple as it sounds, don’t pay to get paid. 

Any case where you’re asked to pay to up front, with any form of payment, refuse. A legitimate employer will never ask you to invest or deposit a small amount of money with the promise of a big return. And a legitimate employer will provide you with things like training or equipment to do the job you’re qualified for.  

More ways you can avoid scams online 

Online protection software like ours can help keep you far safer from job scams and scams in general. Specific to job scams, here are just a few ways it can help: 

• Scammers still use links to malicious sites to trick people into providing their personal info. Web protection, included in our plans, can steer you clear of those links.  

• And scammers love lacing texts with links to suspicious sites and other places where that can steal personal info. McAfee+ can block those links and prevent you from clicking on them. AI technology automatically detects scams by scanning URLs in your text messages. If you accidentally click a bad link, it’ll block a risky site. 

• Scammers get your contact info from somewhere. Many scammers get it from data broker sites. Fueled by thousands of data points on billions of people, they can harvest your contact info, along with other personal info for a highly tailored attack. McAfee’s Personal Data Cleanup scans some of the riskiest data broker sites, shows you which ones are selling your personal info, and, depending on your plan, can help you remove it. 

• You can also lower your profile on social media with our Social Privacy Manager. It helps you adjust more than 100 privacy settings across your social media accounts in just a few clicks, so your personal info is only visible to the people you want to share it with. 

The post “Pay to Get Paid” – The New Job Scam That’s Raking in Millions Right Now appeared first on McAfee Blog.

WIRED

‘Stupid and Dangerous’: CISA Funding Chaos Threatens Essential Cybersecurity Program

Security – Cisco Blog

The Need for a Strong CVE Program

WIRED

Here’s What Happened to Those SignalGate Messages

WIRED

Suspected 4chan Hack Could Expose Longtime, Anonymous Admins

Security – Cisco Blog

From Deployment to Visibility: Cisco Secure Client’s Cloud Transformation

Krebs on Security

Trump Revenge Tour Targets Cyber Leaders, Elections

President Trump last week revoked security clearances for Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency (CISA) who was fired by Trump after declaring the 2020 election the most secure in U.S. history. The White House memo, which also suspended clearances for other security professionals at Krebs’s employer SentinelOne, comes as CISA is facing huge funding and staffing cuts.

Chris Krebs. Image: Getty Images.

The extraordinary April 9 memo directs the attorney general to investigate Chris Krebs (no relation), calling him “a significant bad-faith actor who weaponized and abused his government authority.”

The memo said the inquiry will include “a comprehensive evaluation of all of CISA’s activities over the last 6 years and will identify any instances where Krebs’ or CISA’s conduct appears to be contrary to the administration’s commitment to free speech and ending federal censorship, including whether Krebs’ conduct was contrary to suitability standards for federal employees or involved the unauthorized dissemination of classified information.”

CISA was created in 2018 during Trump’s first term, with Krebs installed as its first director. In 2020, CISA launched Rumor Control, a website that sought to rebut disinformation swirling around the 2020 election.

That effort ran directly counter to Trump’s claims that he lost the election because it was somehow hacked and stolen. The Trump campaign and its supporters filed at least 62 lawsuits contesting the election, vote counting, and vote certification in nine states, and nearly all of those cases were dismissed or dropped for lack of evidence or standing.

When the Justice Department began prosecuting people who violently attacked the U.S. Capitol on January 6, 2021, President Trump and Republican leaders shifted the narrative, claiming that Trump lost the election because the previous administration had censored conservative voices on social media.

Incredibly, the president’s memo seeking to ostracize Krebs stands reality on its head, accusing Krebs of promoting the censorship of election information, “including known risks associated with certain voting practices.” Trump also alleged that Krebs “falsely and baselessly denied that the 2020 election was rigged and stolen, including by inappropriately and categorically dismissing widespread election malfeasance and serious vulnerabilities with voting machines” [emphasis added].

Krebs did not respond to a request for comment. SentinelOne issued a statement saying it would cooperate in any review of security clearances held by its personnel, which is currently fewer than 10 employees.

Krebs’s former agency is now facing steep budget and staff reductions. The Record reports that CISA is looking to remove some 1,300 people by cutting about half its full-time staff and another 40% of its contractors.

“The agency’s National Risk Management Center, which serves as a hub analyzing risks to cyber and critical infrastructure, is expected to see significant cuts, said two sources familiar with the plans,” The Record’s Suzanne Smalley wrote. “Some of the office’s systematic risk responsibilities will potentially be moved to the agency’s Cybersecurity Division, according to one of the sources.”

CNN reports the Trump administration is also advancing plans to strip civil service protections from 80% of the remaining CISA employees, potentially allowing them to be fired for political reasons.

The Electronic Frontier Foundation (EFF) urged professionals in the cybersecurity community to defend Krebs and SentinelOne, noting that other security companies and professionals could be the next victims of Trump’s efforts to politicize cybersecurity.

“The White House must not be given free reign to turn cybersecurity professionals into political scapegoats,” the EFF wrote. “It is critical that the cybersecurity community now join together to denounce this chilling attack on free speech and rally behind Krebs and SentinelOne rather than cowering because they fear they will be next.”

However, Reuters said it found little sign of industry support for Krebs or SentinelOne, and that many security professionals are concerned about potentially being targeted if they speak out.

“Reuters contacted 33 of the largest U.S. cybersecurity companies, including tech companies and professional services firms with large cybersecurity practices, and three industry groups, for comment on Trump’s action against SentinelOne,” wrote Raphael Satter and A.J. Vicens. “Only one offered comment on Trump’s action. The rest declined, did not respond or did not answer questions.”

CYBERCOM-PLICATIONS

On April 3, President Trump fired Gen. Timothy Haugh, the head of the National Security Agency (NSA) and the U.S. Cyber Command, as well as Haugh’s deputy, Wendy Noble. The president did so immediately after meeting in the Oval Office with far-right conspiracy theorist Laura Loomer, who reportedly urged their dismissal. Speaking to reporters on Air Force One after news of the firings broke, Trump questioned Haugh’s loyalty.

Gen. Timothy Haugh. Image: C-SPAN.

Virginia Senator Mark Warner, the top Democrat on the Senate Intelligence Committee, called it inexplicable that the administration would remove the senior leaders of NSA-CYBERCOM without cause or warning, and risk disrupting critical ongoing intelligence operations.

“It is astonishing, too, that President Trump would fire the nonpartisan, experienced leader of the National Security Agency while still failing to hold any member of his team accountable for leaking classified information on a commercial messaging app – even as he apparently takes staffing direction on national security from a discredited conspiracy theorist in the Oval Office,” Warner said in a statement.

On Feb. 28, The Record’s Martin Matishak cited three sources saying Defense Secretary Pete Hegseth ordered U.S. Cyber Command to stand down from all planning against Russia, including offensive digital actions. The following day, The Guardian reported that analysts at CISA were verbally informed that they were not to follow or report on Russian threats, even though this had previously been a main focus for the agency.

A follow-up story from The Washington Post cited officials saying Cyber Command had received an order to halt active operations against Russia, but that the pause was intended to last only as long as negotiations with Russia continue.

The Department of Defense responded on Twitter/X that Hegseth had “neither canceled nor delayed any cyber operations directed against malicious Russian targets and there has been no stand-down order whatsoever from that priority.”

But on March 19, Reuters reported several U.S. national security agencies have halted work on a coordinated effort to counter Russian sabotage, disinformation and cyberattacks.

“Regular meetings between the National Security Council and European national security officials have gone unscheduled, and the NSC has also stopped formally coordinating efforts across U.S. agencies, including with the FBI, the Department of Homeland Security and the State Department,” Reuters reported, citing current and former officials.

TARIFFS VS TYPHOONS

President’s Trump’s institution of 125% tariffs on goods from China has seen Beijing strike back with 84 percent tariffs on U.S. imports. Now, some security experts are warning that the trade war could spill over into a cyber conflict, given China’s successful efforts to burrow into America’s critical infrastructure networks.

Over the past year, a number of Chinese government-backed digital intrusions have come into focus, including a sprawling espionage campaign involving the compromise of at least nine U.S. telecommunications providers. Dubbed “Salt Typhoon” by Microsoft, these telecom intrusions were pervasive enough that CISA and the FBI in December 2024 warned Americans against communicating sensitive information over phone networks, urging people instead to use encrypted messaging apps (like Signal).

The other broad ranging China-backed campaign is known as “Volt Typhoon,” which CISA described as “state-sponsored cyber actors seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.”

Responsibility for determining the root causes of the Salt Typhoon security debacle fell to the Cyber Safety Review Board (CSRB), a nonpartisan government entity established in February 2022 with a mandate to investigate the security failures behind major cybersecurity events. But on his first full day back in the White House, President Trump dismissed all 15 CSRB advisory committee members — likely because those advisers included Chris Krebs.

Last week, Sen. Ron Wyden (D-Ore.) placed a hold on Trump’s nominee to lead CISA, saying the hold would continue unless the agency published a report on the telecom industry hacks, as promised.

“CISA’s multi-year cover up of the phone companies’ negligent cybersecurity has real consequences,” Wyden said in a statement. “Congress and the American people have a right to read this report.”

The Wall Street Journal reported last week Chinese officials acknowledged in a secret December meeting that Beijing was behind the widespread telecom industry compromises.

“The Chinese official’s remarks at the December meeting were indirect and somewhat ambiguous, but most of the American delegation in the room interpreted it as a tacit admission and a warning to the U.S. about Taiwan,” The Journal’s Dustin Volz wrote, citing a former U.S. official familiar with the meeting.

Meanwhile, China continues to take advantage of the mass firings of federal workers. On April 9, the National Counterintelligence and Security Center warned (PDF) that Chinese intelligence entities are pursuing an online effort to recruit recently laid-off U.S. employees.

“Foreign intelligence entities, particularly those in China, are targeting current and former U.S. government (USG) employees for recruitment by posing as consulting firms, corporate headhunters, think tanks, and other entities on social and professional networking sites,” the alert warns. “Their deceptive online job offers, and other virtual approaches, have become more sophisticated in targeting unwitting individuals with USG backgrounds seeking new employment.”

Image: Dni.gov

ELECTION THREATS

As Reuters notes, the FBI last month ended an effort to counter interference in U.S. elections by foreign adversaries including Russia, and put on leave staff working on the issue at the Department of Homeland Security.

Meanwhile, the U.S. Senate is now considering a House-passed bill dubbed the “Safeguard American Voter Eligibility (SAVE) Act,” which would order states to obtain proof of citizenship, such as a passport or a birth certificate, in person from those seeking to register to vote.

Critics say the SAVE Act could disenfranchise millions of voters and discourage eligible voters from registering to vote. What’s more, documented cases of voter fraud are few and far between, as is voting by non-citizens. Even the conservative Heritage Foundation acknowledges as much: An interactive “election fraud map” published by Heritage lists just 1,576 convictions or findings of voter fraud between 1982 and the present day.

Nevertheless, the GOP-led House passed the SAVE Act with the help of four Democrats. Its passage in the Senate will require support from at least seven Democrats, Newsweek writes.

In February, CISA cut roughly 130 employees, including its election security advisors. The agency also was forced to freeze all election security activities pending an internal review. The review was reportedly completed in March, but the Trump administration has said the findings would not be made public, and there is no indication of whether any cybersecurity support has been restored.

Many state leaders have voiced anxiety over the administration’s cuts to CISA programs that provide assistance and threat intelligence to election security efforts. Iowa Secretary of State Paul Pate last week told the PBS show Iowa Press he would not want to see those programs dissolve.

“If those (systems) were to go away, it would be pretty serious,” Pate said. “We do count on a lot those cyber protections.”

Pennsylvania’s Secretary of the Commonwealth Al Schmidt recently warned the CISA election security cuts would make elections less secure, and said no state on its own can replace federal election cybersecurity resources.

The Pennsylvania Capital-Star reports that several local election offices received bomb threats around the time polls closed on Nov. 5, and that in the week before the election a fake video showing mail-in ballots cast for Trump and Sen. Dave McCormick (R-Pa.) being destroyed and thrown away was linked to a Russian disinformation campaign.

“CISA was able to quickly identify not only that it was fraudulent, but also the source of it, so that we could share with our counties and we could share with the public so confidence in the election wasn’t undermined,” Schmidt said.

According to CNN, the administration’s actions have deeply alarmed state officials, who warn the next round of national elections will be seriously imperiled by the cuts. A bipartisan association representing 46 secretaries of state, and several individual top state election officials, have pressed the White House about how critical functions of protecting election security will perform going forward. However, CNN reports they have yet to receive clear answers.

Nevada and 18 other states are suing Trump over an executive order he issued on March 25 that asserts the executive branch has broad authority over state election procedures.

“None of the president’s powers allow him to change the rules of elections,” Nevada Secretary of State Cisco Aguilar wrote in an April 11 op-ed. “That is an intentional feature of our Constitution, which the Framers built in to ensure election integrity. Despite that, Trump is seeking to upend the voter registration process; impose arbitrary deadlines on vote counting; allow an unelected and unaccountable billionaire to invade state voter rolls; and withhold congressionally approved funding for election security.”

The order instructs the U.S. Election Assistance Commission to abruptly amend the voluntary federal guidelines for voting machines without going through the processes mandated by federal law. And it calls for allowing the administrator of the so-called Department of Government Efficiency (DOGE), along with DHS, to review state voter registration lists and other records to identify non-citizens.

The Atlantic’s Paul Rosenzweig notes that the chief executive of the country — whose unilateral authority the Founding Fathers most feared — has literally no role in the federal election system.

“Trump’s executive order on elections ignores that design entirely,” Rosenzweig wrote. “He is asserting an executive-branch role in governing the mechanics of a federal election that has never before been claimed by a president. The legal theory undergirding this assertion — that the president’s authority to enforce federal law enables him to control state election activity — is as capacious as it is frightening.”

WIRED

Microsoft’s Recall AI Tool Is Making an Unwelcome Return

Security – Cisco Blog

Sign Up for a Tour at the SOC at RSAC™ 2025 Conference

WIRED

TraderTraitor: The Kings of the Crypto Heist

WIRED

Black Basta: The Fallen Ransomware Gang That Lives On

WIRED

CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide

WIRED

Brass Typhoon: The Chinese Hacking Group Lurking in the Shadows

WIRED

Smishing Triad: The Scam Group Stealing the World’s Riches

WIRED

Gamaredon: The Turncoat Spies Relentlessly Hacking Ukraine

WIRED

The Most Dangerous Hackers You’ve Never Heard Of

WIRED

Homeland Security Email Tells a US Citizen to ‘Immediately’ Self-Deport

WIRED

China Secretly (and Weirdly) Admits It Hacked US Infrastructure

WIRED

Sex-Fantasy Chatbots Are Leaking a Constant Stream of Explicit Messages