The Latest

Google Images is turning 25. Google first launched its image search tool back in 2001, reportedly in response to users looking for Jennifer Lopez's green Versace dress. The internet has changed dramatically in the two-and-a-half decades since, but Google Images has remained ever-present. While it might not be as essential to Google's product lineup as it once was, it's still a useful means of finding specific images (including memes) across the internet.

To mark Google Images' 25th anniversary, the company is rolling out two new features on the service: one for Images, and one for Search. In my view, the latter actually seems useful, assuming you're not locked in to Pinterest for all your inspo-needs.

Google Images wants to be Pinterest

google images pinterest dupe
Credit: Google

You are probably familiar with the Google Images home page: It basically looks just like the Google Search page, but with a small "Images" identifier to let you know you're searching specifically for pictures. This has been the core design of Google Images since its inception, but after 25 years, Google is making a big change here.

Starting today, Google is launching a "browseable" home page for Google Images. When you visit the new site, you'll see a "dynamic, immersive gallery" pulled from pictures across the internet. These images shouldn't be random: Google says the pictures that appear in the gallery are based on your interests.

Any time you see an image you like, you can add it to a "collection." Google has some ideas in its press release, including "Travel," "Reading nook," "Supper party inspo," and "Outfits for vacation." While the feature isn't rolling out for a few weeks (on desktop and in English, to start), it does appear that Google is trying to make Images into a Pinterest alternative. We'll have to see how the feature compares once it officially rolls out.

Google Search is now an AI image generator

While other companies might have beaten Google to the market with AI image generators, the company is having the last laugh. Google's Nano Banana model has exploded, and is perhaps now the most accessible way to generate hyperrealistic images with AI—especially if you already use Google products.

As part of its 25th anniversary celebrations, the company is turning Search into an AI image generator. While you can still search for images on the web, you can also enter text-based prompts into Google Images, and the site will use Nano Banana to generate your request for you. To be clear, it doesn't seem like Google Images itself is getting these capabilities; rather, you can type your query into Search, which activates AI Overviews to generate your image. The company seems to be using Google Images' anniversary to launch this new integration.


from Lifehacker https://ift.tt/dpB20NG

Jamf Threat Labs has uncovered a new macOS infostealer named CrashStealer that disguises itself as Apple’s crash-reporting tool to steal passwords, Keychain data, and cryptocurrency wallets.

The malware was first spotted in May while it was still under development. By early July, Jamf was seeing in-the-wild detections, indicating it had moved into active use.

“Unlike much of the commodity stealer activity on macOS, which is built on AppleScript droppers or thin Objective-C wrappers, CrashStealer is implemented in native C++ around an internal class the authors named MacOSData,” the researchers wrote.

“It validates the victim’s login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers and the Keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself.”

Signed installer starts the attack

The attack starts with a disk image named “Werkbit Setup.” When opened, it mounts a volume containing a single application, Werkbit.app. Its executable, named veltod, launches the next stage of the infection.

CrashStealer macOS infostealer

Werkbit Setup (Source: Jamf)

The dropper is a universal binary signed with the Developer ID “Emil Grigorov (WWB7JA7AQV)” and carries a stapled notarization ticket. This lets it pass Gatekeeper, macOS’s built-in protection against untrusted software, on first launch.

“Notably, the disk image itself is signed as well, not just the application inside it, which is uncommon in malicious DMG delivery where the container is typically left unsigned,” they added.

Jamf reported the Developer Team ID behind the signature to Apple after confirming its use in the campaign.

The installer was hosted on werkbit[.]io, a domain registered in late June, close to the build date of the dropper analyzed. Downloading it requires a meeting PIN, limiting access to people who already have the code. The report links the activity to other domains and shared infrastructure, indicating CrashStealer is one piece of a broader operation.

GitHub delivers the next stage

After launch, the veltod executable contacts a GitHub repository and downloads a file that supplies a command to fetch a script from a separate server. The script decodes its commands at runtime before downloading the next stage.

The script downloads CrashReporter.dmg, mounts it, and copies the application bundle into a hidden folder before deleting the disk image. The payload uses the icon, display name, and bundle identifier of Apple’s crash-reporting component to resemble a system utility.

Malware steals passwords, wallets, and browser data

CrashStealer displays a password prompt designed to look like a macOS system dialog. It checks the password locally with the dscl command, a built-in macOS tool used to verify user credentials, and asks again if the password is wrong.

After receiving the correct password, the infostealer unlocks the login Keychain and copies it into a hidden staging folder. It also collects data from Documents, Downloads, and other user folders, skipping executables, installers, disk images, and bulky archive or media files to limit the amount of data collected.

It also targets Chromium browser profiles, Firefox login data, about 80 cryptocurrency wallet extensions such as MetaMask, Phantom, Coinbase Wallet, Trust Wallet, and Exodus, as well as 14 password managers, among them 1Password, Bitwarden, LastPass, Dashlane, and Keeper.

Collected files are encrypted one by one with AES-256-GCM before being stored, then packed into hidden ZIP archives and uploaded to a command-and-control server with libcurl, a networking library commonly used to transfer data over HTTP and HTTPS.

Although CrashStealer targets the same types of data as other macOS infostealers, its native C++ implementation and client-side encryption set it apart, leading the researchers to classify it as a separate malware family.

Persistence and anti-analysis

CrashStealer copies itself to another location and applies a new ad hoc signature to the copied binary. It installs the copy as a LaunchAgent named “com.apple.crashreporter.helper,” allowing it to run each time the user logs in.

The malware also includes code designed to slow analysis, with flattened control flow, strings decrypted only at runtime, and debugger checks placed at more than one point during startup.

Jamf’s report provides indicators of compromise, file names and hashes, delivery infrastructure details, and filesystem artifacts left behind after an infection.


from Help Net Security https://ift.tt/jJB7xZX

I regularly use my iPhone to scan physical documents like medical reports, identity cards, forms from my bank, etc. Since 2015 or so, I've used an app called Scanner Pro to get the job done. It works well enough, but the best features require a subscription and it is no longer as fast as I'd like it to be. I've long known about Apple's built-in scanner in the Notes app, but it isn't as convenient as the app I've been using, so I never made the switch.

That changed when I recently discovered another built-in scanner on the iPhone, hidden away in the Preview app, of all places. This one is fast, free, and well integrated with the Files app, which is a big plus. Here's why you should consider using it

Your iPhone's Preview app has a hidden document scanner

Your iPhone ships with an app called Preview, which was added with the release of iOS 26 in 2025. Now, when you open a document in the Files app, your iPhone will automatically switch to Preview and load the it. However, if you open the Preview app directly, you'll see a "Scan Documents" button front and center. I've been using iOS 26 since the developer betas released, but I only noticed this feature after the recent release of the iOS 27 betas.

When you tap Scan Documents in Preview, your iPhone will fire up the viewfinder, and you can point the device at the documents you want to scan. Like Scanner Pro, the Preview app's scanner automatically identifies document borders, takes a picture to scan, and reopens the viewfinder so you can point the camera at the next page; it'll scan that quickly too. Continue this process till you're done scanning, after which you can hit the checkmark button in the top-right corner. The scanned PDF will automatically be saved to your iCloud Drive folder, without the need to export it. I found this process to be really fast and intuitive enough to recommend to my family members, who resist any technology that requires them to install a new app or press more than two buttons.

When the scanner is open, you'll see four buttons near the bottom of the screen. The big shutter button lets you manually click pictures for the scan, and the other three let you toggle flash, set color filters, and toggle on the auto-shutter feature, respectively. Auto shutter is the best feature of this app, as it automatically scans a page the moment it detects borders, but it's not perfect. If you want more precise control over your scans, you can disable it, and control the shutter manually.

Why Preview's scanner is much better than the one in Apple Notes

I don't enjoy dealing with PDFs in Apple Notes, and that's the best argument for using the scanner in Preview, which immediately saves those documents to the Files app. First, Notes makes it much harder to find and use the scanner: You need to open a note, tap the paperclip icon, and select the document scanner from the menu. The output is saved in the same note, and I find it unwieldy to deal with PDFs from within in the Notes app, which is best suited to viewing text-only notes.

I now only use the Notes app to scan documents when I specifically want to store the file in the Notes app. But other than the odd recipe I might scan to keep there, I don't foresee myself using the Notes scanner again. In most cases, Preview's scanner does a much better job.

Another third-party scanning app to consider

If you want more features than Apple's document scanner, there are third-party apps that may suit you better. In addition to Scanner Pro, which I mentioned above, Adobe Scan does a great job with scanning, OCR (optical character recognition) and has a generous free tier. In the free tier, Adobe Scan lets you capture unlimited scans, provides 2GB of space in Adobe Document cloud, and offers OCR for documents up to 25 pages long.

The premium tier costs $10/month, and adds a bunch of PDF editing features such as combining PDFs, extracting specific pages from a scan, and editing text in PDFs. You also get to use OCR on scans up to 100 pages per document, up to 20 GB of cloud storage, and a tool called Magic Eraser, which can automatically remove your thumb or fingers from scanned pages. I think the free tier is good enough for most people, but the most annoying thing about Adobe Scan is that even the free tier requires you to sign up for an account. You can sign in with your Apple, Google, or Facebook accounts to make it quick, but it's still an unnecessary step for those who just want an app that'll let them start scanning the moment it's installed.


from Lifehacker https://ift.tt/467zamE

Tidal Cyber has announced Threat-Led Asset Visibility and Vulnerability Prioritization, new innovations extending the company’s Threat-Led Defense platform.

The announcement marks a significant advancement in defensive security, shifting the industry beyond static asset inventories, CVSS scoring, and disconnected exposure management toward an execution-centric model built on how adversaries actually execute attacks across the kill chain.

At Tidal Cyber, adversary procedures are not another data point. They are the organizing principle that connects threats, assets, vulnerabilities, and defenses into a single operational mode to:

  • Identify the assets and defenses based that matter most based on their role in adversary execution and attacker success.
  • Expose vulnerabilities that enable adversary execution and increase the probability of successful attacks.
  • Prioritize defensive action using procedural-level intelligence, not inventory counts or severity scores.
  • Measure defensive gaps against real-world adversary execution and identify the controls most likely to disrupt an attack.

Unlike security platforms that treat assets, vulnerabilities, and threats as separate domains, most asset management programs still cannot determine which assets attackers care about. And most exposure management platforms still stop at identification instead of answering the only question that truly matters:

“Can an adversary successfully execute this attack against my environment?”

That question fundamentally changes the defensive equation. Rather than evaluating assets, vulnerabilities, and defenses independently, Tidal Cyber correlates them through the lens of real adversary execution. Every procedure becomes a connective layer that reveals how vulnerabilities enable attacks, which assets are operationally relevant, and where defensive controls can interrupt attacker progress. Instead of measuring isolated risk, organizations can understand and reduce the likelihood of attacker success across the entire attack lifecycle.

“Most security platforms still prioritize based on severity scores, inventory counts, or generalized risk models,” said Rick Gordon, CEO of Tidal Cyber. “But adversaries don’t attack environments based on CVSS scores or asset databases. They exploit the path of least resistance. Threat-Led Defense changes the model entirely by aligning defenses to the assets, vulnerabilities, and procedures attackers actually use to execute attacks. This announcement represents another major milestone in our mission to redefine how organizations understand, prioritize, and defend against modern cyber threats.”

Threat-Led Asset Visibility moves beyond inventory management by identifying which assets are operationally relevant to adversary execution, where defensive blind spots exist, and those gaps increase influence attacker success.

Threat-Led Vulnerability Prioritization moves beyond static severity scoring by correlating vulnerabilities directly to adversary procedures, operational tradecraft, and the likelihood of successful; attack execution.

Instead of asking, “Which vulnerabilities are most severe?” organizations can now answer the question that matters most: “Which vulnerabilities materially increase the likelihood of attacker success against the assets and procedures that matter most?”

This approach enables organizations to prioritize:

  • vulnerabilities tied to active adversary tradecraft,
  • control gaps impacting critical attack procedures,
  • and defensive actions that reduce real operational risk.

The announcement also builds on Tidal Cyber’s continued innovation strategy, including the recent separation of MITRE ATT&CK CTI from Tidal Cyber CTI and proprietary intelligence sources, an industry-first approach designed to provide greater transparency, attribution clarity, and procedural precision across modern threat intelligence.

“Threat-Led Defense starts with a simple principle: you cannot reduce residual risk unless you understand how adversaries actually execute attacks and how that execution impacts your defensive environment,” said Frank Duff, Chief Innovation Officer of Tidal Cyber.

“That is why procedures are foundational to everything we do. Assets alone do not increase risk. Vulnerabilities alone do not explain attacker success. The value emerges when adversary procedures become the connective tissue between threats, vulnerabilities, assets, and defensive controls creating a unified operational model for disrupting attacks across the entire kill chain.”


from Help Net Security https://ift.tt/hjkNIYT

Organizations build, deploy, and operate AI in the cloud, but basic cybersecurity hygiene is often sacrificed for speed, according to Orca Security’s 2026 State of AI Security Report.

AI infrastructure security risks

Building AI without security

Fifty-six percent of AI adopters have deployed agent frameworks into production, and 51.5% use AI to build custom applications. Orca also found that 81.2% of companies running AI packages have at least one known vulnerability, and 99.9% of AI vulnerability alerts with an available fix remain unpatched. These findings show how quickly AI has become operational infrastructure without a corresponding increase in security maturity.

API-based AI is embedded in development workflows with access to codebases, terminals, environment variables, and credentials, creating new attack surfaces.

Organizations deploying AI agents also deploy agent frameworks. Every production agent represents a new non-human identity with its own permissions, memory, and potential blast radius. Retrieval-augmented generation (RAG) pipelines allow LLMs to access internal documents, customer data, and proprietary knowledge at query time.

More than half of AI cloud service users, operate four or more distinct AI service types. Between 87% and 98% of organizations across the three major cloud providers have not configured customer-managed encryption keys for their AI services. They manage complex AI ecosystems connected to enterprise data, cloud services, identities, and production workflows.

“AI has introduced an entirely new operational layer into cloud environments,” said Nir Mishal, CISO at Orca Security. “Organizations now have agents making decisions, vector databases connected to enterprise data, and AI services spread across multiple cloud providers. Security teams need unified visibility across that entire environment, paired with automated prevention, to understand where risk actually exists and stop attackers before damage is done.”

Securing the AI supply chain

Attackers are moving across five layers of the AI stack: package registries, model hubs, developer tools, agent frameworks, and brand trust. Technologies across these layers are widely deployed in production environments.

Eighty-one percent of companies running AI packages have at least one known vulnerability, and 74.1% have at least one critical CVE. AI packages inherit vulnerabilities disclosed over the past five years, including CVEs published during the last 12 months, exposing production environments to both old and new threats.

A vulnerable library embedded in a dependency graph often outlives the patch cycle. AI workloads inherit the same problem despite release cycles that assume dependencies remain up to date.

In 2024, organizations often deprioritized patching AI packages because many vulnerabilities were considered difficult to exploit. Now, 99.9% of AI vulnerability alerts with an available fix remain unpatched.

Orca groups new AI-related packages vulnerabilities into three categories: SDKs for accessing hosted AI models, frameworks for building AI agents and integrations, and the rapidly expanding Model Context Protocol (MCP) ecosystem.

Managing AI agents and RAG

Despite the governance response making progress, adoption is not so many AI agents run with default permissions, logging, and no runtime separation from production systems. This gives attackers opportunity to weaponize them to execute commands and move laterally through the AI layer.

Sixty-four percent of AI adopters have deployed vector databases that connect LLMs to internal documents, customer records, and proprietary knowledge.

Businesses using retrieval-augmented generation (RAG) operate an average of 3.78 vector databases, making it more difficult to enforce consistent security policies across platforms, deployment models, and access methods.

Closing the governance gap

AI spans models, agents, packages, browser extensions, and cloud services. These technologies have spread across enterprises faster than security teams can inventory and secure them. Each introduces its own security model, encryption options, access controls, and compliance requirements.

AI coding tools can introduce vulnerabilities into software, making code review, secrets management, commit security policies, and security scanning essential.

Governments are expanding AI regulation. The EU AI Act introduces additional requirements for high-risk AI systems beginning on August 2, 2026. The United States continues to develop its AI regulatory framework, and Colorado’s amended AI law takes effect on January 1, 2027. China has expanded its cybersecurity framework with AI-specific requirements and mandatory labeling of AI-generated content.

AI services have created a new category of exposed credentials. API keys provide access to AI models, enterprise data, and AI services, making them attractive targets. Nearly 30% of AI adopters store at least one AI key in an insecure location. Keys committed to Git repositories may remain accessible even after they are removed from the codebase.

Fixing AI infrastructure exposure

Companies often deploy AI services with configurations that leave them exposed. Attackers increasingly target AI infrastructure by exploiting excessive permissions, public endpoints, weak authentication, and predictable configurations.

Common issues across platforms such as Amazon SageMaker, Azure OpenAI, and Google Vertex AI include missing encryption, broad access privileges, and internet-facing services that make lateral movement and data theft easier.

Strengthening AI encryption

Businesses that rely on provider-managed encryption keys have limited control over access to AI data. Provider-managed keys encrypt data at rest but do not allow customers to control key rotation, revoke access independently, or gain visibility into key usage.

Customer-managed encryption keys help protect training data, sensitive information, and AI models. Most organizations have not enabled them.


from Help Net Security https://ift.tt/1nqkWCr

Growing demand for compute capacity, power, cooling and low-latency connectivity is prompting organizations to reassess where AI applications run, according to CoreSite.

Public cloud continues to support experimentation and rapid deployment, while colocation is increasingly used for workloads that require predictable performance, dedicated infrastructure or close proximity to cloud services and enterprise data.

More than half of organizations have implemented or are upgrading AI technologies, an increase from the previous year. Generative AI, chatbots, predictive analytics and agentic AI have reached production environments at many organizations, indicating that AI deployments are moving beyond pilot projects.

Hybrid environments have become the preferred location for AI and machine learning workloads, while interest in on-premises deployments continues to decline. Colocation is emerging as a preferred environment for AI workloads that require additional power capacity and direct connections to cloud platforms.

“The levels of compute that AI requires are something new that enterprises are grappling with to manage effectively,” said Juan Font, President and CEO of CoreSite and SVP of American Tower.

“While the AI tools are effective, CIOs may not currently have accurate reporting on how widespread the usage is within their organizations. We’re seeing greater use of large language models, and the token usage, and therefore cost, is growing. So, when the actual invoices related to using these tools are shown to IT leaders, they start to rationalize and prioritize projects with higher ROI on AI spend.”

Colocation gains ground

Enterprises are expanding the role of colocation facilities within their infrastructure. They are deploying a broader range of applications in these environments, including web applications, human resources systems, security workloads and augmented AI applications.

Colocation for AI workloads

Top technical drivers for moving workloads to a colocation environment (Source: CoreSite)

Organizations increased public cloud deployments of mobile applications, websites, chatbots and content delivery services compared with the previous year. Some workloads moved away from public cloud as organizations reassessed workload placement based on performance, security and infrastructure requirements.

Organizations prioritize security, uptime and predictable performance when selecting colocation providers. Businesses value direct connections to cloud platforms, scalable infrastructure and support for the higher-density power and cooling requirements of AI systems.

Connectivity becomes a priority

Direct connectivity between enterprise infrastructure and major cloud providers has become an important requirement for hybrid deployments.

79% of IT leaders said native, direct cloud connections are a very important capability for colocation providers. These connections provide lower-latency access to cloud services, reduce reliance on the public internet and simplify data movement between enterprise environments and cloud platforms.

Organizations are increasingly evaluating provider ecosystems that combine cloud platforms, network carriers, AI services, security products and managed services to support workloads across multiple infrastructure environments.


from Help Net Security https://ift.tt/AMb8PCz

Most PCs still run with a UEFI Secure Boot certificate authority, installed by default since 2013, that has now expired. That certificate signed the bootloaders letting machines start with Secure Boot turned on. Its expiry sits at the center of the sixth update to Debian 13, codenamed “trixie.” The point release carries mostly security corrections along with a few fixes for serious problems.

Debian 13.6 security update

The Secure Boot problem gets handled through fwupd, updated to upstream version 2.0.20. The new build can update the Secure Boot certificate authority, the Key Exchange Key, and the revocation database on affected machines. Systems that skip these updates risk a specific failure. Future updates to “shim-signed” could leave them unable to boot with Secure Boot enabled. Debian advises users to apply the CA, KEK, and DBX updates supplied by their system OEM.

The shim package received its own attention. It moved to a new upstream release built with the default compiler, and its SBAT revocation level was set to 2025021800. The signed shim binaries were rebuilt to keep Secure Boot working with the 2023 Microsoft UEFI certificate, and the installer now checks for likely boot problems before it proceeds.

Licensing drove a second change. The “geoip-database” package reverted to a build dated around December 2019, because recent GeoLite versions conflict with the Debian Free Software Guidelines and cannot be shipped. Software reading the database may return stale network allocation data as a result. Debian encourages anyone depending on this data to obtain a GeoLite license directly.

Web tooling saw heavy patching. The curl package alone took 13 fixes covering bearer token leaks on redirects, reuse of the wrong cached certificate authority, connection reuse across HTTP Negotiate and proxy sessions, reuse of plaintext STARTTLS connections, a use-after-free in its SMB code, and leaked credentials during redirects. rsync gained a limit on overly long HTTP proxy response lines. python-urllib3, nginx, and squid each received separate advisories from the Security Team.

The apache2 web server received corrections for 13 tracked flaws. These covered use-after-free bugs, a cross-site scripting hole, several buffer overflows, denial-of-service conditions, out-of-bounds reads, and a file read issue. A further advisory, DSA-6323, covered additional apache2 work.

Virtualization users have a large batch to apply. The qemu emulator moved to a new upstream stable release carrying 25 security fixes. The Python interpreter shipped as python3.13 gained fixes for CR/LF injection in proxy tunnel headers, denial-of-service conditions, a path traversal, and a server-side request forgery.

Cryptographic libraries received targeted hardening. The libcrypt-pbkdf2-perl module changed its default hashing to HMAC-SHA256 and raised its default iteration count to 600,000, and it adopted constant-time comparison to close a timing attack. The nss library improved its handling of escape sequences during URI parsing. Separate advisories addressed openssl, gnutls28, libgcrypt20, and krb5.

The Security Team released more than a hundred advisories folded into this revision. Chromium accounted for close to a dozen of them, reflecting the browser’s steady stream of upstream releases. The Linux kernel appeared across several advisories covering its amd64 and arm64 signed builds. Firefox ESR, Thunderbird, Samba, PostgreSQL, and BIND rounded out the roster of widely deployed software with named fixes.

Several fixes targeted media and document handling, a common source of memory-safety bugs. giflib, libvncserver, graphite2, and rlottie all gained corrections for out-of-bounds access and memory corruption. The openslide library received a fix for a possible code execution flaw, and poppler corrected invalid signature creation.

Upgrading an existing installation can be achieved by pointing the package management system at one of Debian’s many mirrors.


from Help Net Security https://ift.tt/db68P1F