News

Web application security

• July 15, 2025 15 Jul'25

  NCSC sets up Vulnerability Research Initiative

  The NCSC is expanding its vulnerability research project to draw in external expertise

• July 08, 2025 08 Jul'25

  July Patch Tuesday brings over 130 new flaws to address

  Microsoft patched well over 100 new common vulnerabilities and exposures on the second Tuesday of the month, but its latest update is mercifully light on zero-days

• July 02, 2025 02 Jul'25

  Google fixes type confusion flaw in Chrome browser

  An actively exploited type confusion vulnerability in the Google Chrome web browser needs immediate attention from users

• July 02, 2025 02 Jul'25

  Dutch study uncovers cognitive biases undermining cyber security board decisions

  Dutch research reveals how cognitive biases can lead to catastrophic security decisions

• July 02, 2025 02 Jul'25

  Qantas customer data exposed in contact centre breach

  Australian flag carrier is investigating significant data theft of personal information for up to six million customers after a third-party platform used by its call centre was compromised

• July 01, 2025 01 Jul'25

  Cloudflare to let customers block AI web crawlers

  Publishers and other providers of creative content now have the option to block AI crawlers from accessing and scraping their intellectual property with new tools from Cloudflare.

• June 11, 2025 11 Jun'25

  June Patch Tuesday brings a lighter load for defenders

  Barely 70 vulnerabilities make the cut for Microsoft’s monthly security update, but an RCE flaw in WEBDAV and an EoP issue in Windows SMB Client still warrant close attention

• June 06, 2025 06 Jun'25

  CISOs must translate cyber threats into business risk

  To manage risk effectively and secure board-level buy-in, CISOs must stop talking about technology and start speaking the language of business, according to a senior Check Point executive

• June 05, 2025 05 Jun'25

  HMRC phishing breach wholly avoidable, but hard to stop

  A breach at HMRC saw innocent taxpayers tricked into letting scammers impersonate them through simple phishing attacks leading to account takeover. Such attacks are avoidable, but hard to stop

• June 04, 2025 04 Jun'25

  NCSC sets out how to build cyber safe cultures

  The UK’s National Cyber Security Centre has published guidance for security teams and leaders on how to foster accessible and appropriate cyber security cultures in their organisations

• May 30, 2025 30 May'25

  Dutch businesses lag behind in cyber resilience as threats escalate

  The Netherlands is facing a growing cyber security crisis, with a staggering 66% of Dutch businesses lacking adequate cyber resilience, according to academic research.  

• May 15, 2025 15 May'25

  NHS asks suppliers to sign up to cyber covenant

  NHS digital and security leaders call on their suppliers to commit to a cyber security charter as the health service works to improve its resilience in the face of growing threat levels

• May 14, 2025 14 May'25

  Enisa launches European vulnerability database

  The EU’s new vulnerability database is designed to offer a broader, more transparent source of information on new cyber vulnerabilities

• May 13, 2025 13 May'25

  May Patch Tuesday brings five exploited zero-days to fix

  Microsoft fixes five exploited, and two publicly disclosed, zero-days in the fifth Patch Tuesday update of 2025

• May 09, 2025 09 May'25

  Ransomware: What the LockBit 3.0 data leak reveals

  An administration interface instance for the ransomware franchise's affiliates was attacked on 29 April. Data from its SQL database has been extracted and disclosed

• May 08, 2025 08 May'25

  UK government websites to replace passwords with secure passkeys

  Government websites are to replace difficult-to-remember passwords with highly secure passkeys that will protect against phishing and cyber attackers

• May 07, 2025 07 May'25

  Meta awarded $167m in court battle with spyware mercenaries

  WhatsApp owner Meta is awarded millions of dollars in damages and compensation after its service was exploited by users of mercenary spyware developer NSO’s infamous Pegasus mobile malware

• May 07, 2025 07 May'25

  Europe leads shift from cyber security ‘headcount gap’ to skills-based hiring

  Research from Sans Institute reveals European organisations are leading a global shift in hiring priorities, driven by regional regulatory frameworks

• May 01, 2025 01 May'25

  Thomas Herdman’s legal battle over Sky ECC encrypted phone distribution set to enter fifth year

  Computer Weekly speaks to Julie Kawai Herdman, daughter of Thomas Herdman, the only person in custody for distributing Sky ECC encrypted phones

• April 30, 2025 30 Apr'25

  Current SaaS delivery model a risk management nightmare, says CISO

  JPMorgan Chase security chief Patrick Opet laments the state of SaaS security in an open letter to the industry and calls on software providers to do more to enhance resilience

• April 25, 2025 25 Apr'25

  M&S suspends all online sales as cyber attack worsens

  M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems

• April 23, 2025 23 Apr'25

  Amid uncertainty, Armis becomes newest CVE numbering authority

  Amid an uncertain future for vulnerability research, exposure management company Armis has been given the authority to assign CVE IDs to newly discovered vulnerabilities

• April 22, 2025 22 Apr'25

  AI-powered APIs proving highly vulnerable to attack

  The growth of AI is proving a double-edged sword for API security, presenting opportunities for defenders to enhance their resilience, but also more risks from AI-powered attacks, according to report

• April 21, 2025 21 Apr'25

  CW Innovation Awards: Transforming cyber security with AI

  Facing rising cyber threats and a shortage of experts, Citic Telecom International CPC developed an AI-powered penetration testing tool to automate security audits and reduce costs

• April 16, 2025 16 Apr'25

  CISA extends Mitre CVE contract at last moment

  The US Cybersecurity and Infrastructure Security Agency has ridden to the rescue of the under-threat Mitre CVE Programme, approving a last-minute, 11-month contract extension to preserve the project’s vital security vulnerability work

• April 16, 2025 16 Apr'25

  CVE Foundation pledges continuity after Mitre funding cut

  With news that Mitre’s contract to run the world-renowned CVE Programme is abruptly terminating, a breakaway group is setting up a non-profit foundation to try to ensure the project’s continuity

• April 15, 2025 15 Apr'25

  Mitre warns over lapse in CVE coverage

  Mitre, the operator of the world-renowned CVE repository, has warned of significant impacts to global cyber security standards, and increased risk from threat actors, as it emerges its US government contract will lapse imminently

• April 11, 2025 11 Apr'25

  Warranty fraud fuels hidden army of hardware hackers

  Widespread warranty fraud is not only costing companies billions but also creating a breeding ground for advanced hardware exploits, warns hardware hacker and researcher Bunnie Huang at Black Hat Asia 2025

• April 10, 2025 10 Apr'25

  Google bets on unifying security tools to ease CISO pain

  At Google Cloud Next in Las Vegas, Google launches its Unified Security platform with the goal of bringing together disparate security solutions to help cyber leaders and practitioners address their most keenly felt pain points

• April 08, 2025 08 Apr'25

  NCSC issues warning over Chinese Moonshine and BadBazaar spyware

  Two spyware variants are being used to target the mobile devices of persons of interest to Chinese intelligence, including individuals in the Taiwanese, Tibetan and Uyghur communities

• April 08, 2025 08 Apr'25

  Spoofing vuln threatens security of WhatsApp Windows users

  Meta has disclosed and patched a potentially dangerous spoofing flaw in WhatsApp for Windows that could have caused big problems for unwitting users

• April 07, 2025 07 Apr'25

  NIST calls time on older vulnerabilities amid surging disclosures

  The National Institute of Standards and Technology is deferring future updates to thousands of cyber vulnerabilities discovered prior to 2018 amid surging volumes of new submissions

• April 04, 2025 04 Apr'25

  Norway and Nordic financial sector ramps up cyber security

  Finans Norge sets up cyber security unit CTSU to support the finance sector in Norway amid increasing threats

• April 03, 2025 03 Apr'25

  Are LLM firewalls the future of AI security?

  As large language models permeate industries, experts at Black Hat Asia 2025 debate the need for LLM firewalls and explore their role in fending off emerging AI threats

• April 01, 2025 01 Apr'25

  Gmail ‘bubble’ encryption may be an S/MIME killer, says Google

  Marking the 21st anniversary of Gmail, Google is preparing to roll out an end-to-end encryption standard for its email service in hopes of democratising encryption and leaving old standards in the dust

• April 01, 2025 01 Apr'25

  Apple devices are at ‘most risk’ in UK following government ‘backdoor’ order

  Home Office refuses to answer questions from Lords over technical capability notice issued against Apple’s iCloud Advanced Data Protection encryption services

• March 18, 2025 18 Mar'25

  Largest ever cyber deal reflects Google’s CNAPP ambitions

  In a signal of its future ambitions, Google lays down $32bn to acquire cloud-native application protection platform Wiz, reflecting the increasing need to secure multicloud environments

• March 12, 2025 12 Mar'25

  iPhone, iPad update fixes critical WebKit flaw

  iPhone and iPad users are advised to update their devices as Apple addresses an out-of-bounds write issue in the WebKit browser engine that appears to have been exploited in targeted cyber attacks

• March 11, 2025 11 Mar'25

  March Patch Tuesday brings 57 fixes, multiple zero-days

  The third Patch Tuesday of 2025 brings fixes for 57 flaws and a hefty number of zero-days

• March 11, 2025 11 Mar'25

  UK government under-prepared for catastrophic cyber attack, hears PAC

  The Commons Public Accounts Committee heard government IT leaders respond to recent National Audit Office findings that the government’s cyber resilience is under par

• March 01, 2025 01 Mar'25

  Ransomware: from REvil to Black Basta, what do we know about Tramp?

  This key member of the Black Basta ransomware gang is wanted by the US justice system. He narrowly escaped extradition at the end of June 2024 - with the help of highly-placed contacts in Moscow, according to him

• February 27, 2025 27 Feb'25

  CVE volumes head towards 50,000 in 2025, analysts claim

  Many trends, notably a big shift to open source tools, are behind an expected boom in the number of disclosed vulnerabilities

• February 23, 2025 23 Feb'25

  Check Point co-founder on AI, quantum and independence

  Gil Shwed, Check Point’s co-founder and executive chairman, discusses the company’s focus on artificial intelligence-driven security and his commitment to remaining an independent force in the cyber security market

• February 19, 2025 19 Feb'25

  Warning over privacy of encrypted messages as Russia targets Signal Messenger

  Russia is using phishing attacks to compromise encrypted Signal Messenger services used by targets in the Ukraine. Experts warn that other encrypted app users are at risk

• February 07, 2025 07 Feb'25

  US lawmakers move to ban DeepSeek AI tool

  US politicians have introduced a bill seeking to ban the use of the DeepSeek AI tool on government-owned devices, citing national security concerns due to its alleged links to the Chinese state

• February 03, 2025 03 Feb'25

  DeepSeek-R1 more readily generates dangerous content than other large language models

  Research scientists at cyber firm Enkrypt AI publish concerning findings from a red team exercise conducted against DeepSeek, the hot new generative AI tool

• January 31, 2025 31 Jan'25

  AI jailbreaking techniques prove highly effective against DeepSeek

  Researchers at Palo Alto have shown how novel jailbreaking techniques were able to fool breakout GenAI model DeepSeek into helping to create keylogging tools, steal data, and make a Molotov cocktail

• January 31, 2025 31 Jan'25

  DeepSeek API, chat log exposure a ‘rookie’ cyber error

  Security researchers at Wiz find a trove of DeepSeek data including API secrets and chat logs publicly exposed via an open source database management tool, raising questions about the fast-growing service’s approach to security

• January 29, 2025 29 Jan'25

  How government hackers are trying to exploit Google Gemini AI

  Google’s threat intel squad has shared information on how nation state threat actors are attempting to exploit its Gemini AI tool for nefarious ends

• January 23, 2025 23 Jan'25

  ICO launches major review of cookies on UK websites

  ICO sets out 2025 goals, including a review of cookie compliance across the UK’s top 1,000 websites, as it seeks to achieve its ultimate goal of giving the public meaningful control over how their data is used