Crypto-Gram
October 15, 2025
by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com https://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit Crypto-Gram's web page.
Read this issue on the web
These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.
Lawsuit About WhatsApp Security
Microsoft Still Uses RC4
Hacking Electronic Safes
Time-of-Check Time-of-Use Attacks Against LLMs Surveying the Global Spyware Market Details About Chinese Surveillance and Propaganda Companies Apple's New Memory Integrity Enforcement US Disrupts Massive Cell Phone Array in New York Malicious-Looking URL Creation Service Digital Threat Modeling Under Authoritarianism Abusing Notion's AI Agent for Data Theft Details of a Scam
Use of Generative AI in Scams
Daniel Miessler on the AI Attack/Defense Balance AI in the 2026 Midterm Elections
AI-Enabled Influence Operation Against Iran Flok License Plate Surveillance Autonomous AI Hacking and the Future of Cybersecurity AI and the Future of American Politics Rewiring Democracy is Coming Soon
The Trump Administration's Increased Use of Social Media Surveillance Upcoming Speaking Engagements
** *** ***** ******* *********** *************
Lawsuit About WhatsApp Security
[2025.09.15] Attaullah Baig, WhatsApp's former head of security, has filed a whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch of security flaws, in violation of its 2019 settlement agreement with the Federal Trade Commission.
The lawsuit, alleging violations of the whistleblower protection provision of the Sarbanes-Oxley Act passed in 2002, said that in 2022, roughly 100,000 WhatsApp users had their accounts hacked every day. By last year, the complaint alleged, as many as 400,000 WhatsApp users were getting locked out of their accounts each day as a result of such account takeovers.
Baig also allegedly notified superiors that data scraping on the platform was a problem because WhatsApp failed to implement protections that are standard on other messaging platforms, such as Signal and Apple Messages. As a result, the former WhatsApp head estimated that pictures and names of some 400 million user profiles were improperly copied every day, often for use in account impersonation scams.
More news coverage.
** *** ***** ******* *********** *************
Microsoft Still Uses RC4
[2025.09.16] Senator Ron Wyden has asked the Federal Trade Commission to investigate Microsoft over its continued use of the RC4 encryption algorithm. The letter talks about a hacker technique called Kerberoasting, that exploits the Kerberos authentication system.
** *** ***** ******* *********** *************
Hacking Electronic Safes
[2025.09.17] Vulnerabilities in electronic safes that use Securam Prologic locks:
While both their techniques represent glaring security vulnerabilities, Omo says it's the one that exploits a feature intended as a legitimate unlock method for locksmiths that's the more widespread and dangerous. "This attack is something where, if you had a safe with this kind of lock, I could literally pull up the code right now with no specialized hardware, nothing," Omo says. "All of a sudden, based on our testing, it seems like people can get into almost any Securam Prologic lock in the world."
[...]
Omo and Rowley say they informed Securam about both their safe-opening techniques in spring of last year, but have until now kept their existence secret because of legal threats from the company. "We will refer this matter to our counsel for trade libel if you choose the route of public announcement or disclosure," a Securam representative wrote to the two researchers ahead of last year's Defcon, where they first planned to present their research.
Only after obtaining pro bono legal representation from the Electronic Frontier Foundation's Coders' Rights Project did the pair decide to follow through with their plan to speak about Securam's vulnerabilities at Defcon. Omo and Rowley say they're even now being careful not to disclose enough technical detail to help others replicate their techniques, while still trying to offer a warning to safe owners about two different vulnerabilities that exist in many of their devices.
The company says that it plans on updating its locks by the end of the year, but have no plans to patch any locks already sold.
** *** ***** ******* *********** *************
Time-of-Check Time-of-Use Attacks Against LLMs
[2025.09.18] This is a nice piece of research: "Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents".:
Abstract: Large Language Model (LLM)-enabled agents are rapidly emerging across a wide range of applications, but their deployment introduces vulnerabilities with security implications. While prior work has examined prompt-based attacks (e.g., prompt injection) and data-oriented threats (e.g., data exfiltration), time-of-check to time-of-use (TOCTOU) remain largely unexplored in this context. TOCTOU arises when an agent validates external state (e.g., a file or API response) that is later modified before use, enabling practical attacks
such as malicious configuration swaps or payload injection. In this work, we present the first study of TOCTOU vulnerabilities in LLM-enabled agents. We introduce TOCTOU-Bench, a benchmark with 66 realistic user tasks designed to evaluate this class of vulnerabilities. As countermeasures, we adapt detection and mitigation techniques from systems security to this setting and propose prompt rewriting, state integrity monitoring, and tool-fusing. Our study highlights challenges u
nique to agentic workflows, where we achieve up to 25% detection accuracy using automated detection methods, a 3% decrease in vulnerable plan generation, and a 95% reduction in the attack window. When combining all three approaches, we reduce the TOCTOU vulnerabilities from an executed trajectory from 12% to 8%. Our findings open a new research direction at the intersection of AI safety and systems security.
** *** ***** ******* *********** *************
Surveying the Global Spyware Market
[2025.09.19] The Atlantic Council has published its second annual report: "Mythical Beasts: Diving into the depths of the global spyware market."
Too much good detail to summarize, but here are two items:
First, the authors found that the number of US-based investors in spyware has notably increased in the past year, when compared with the sample size of the spyware market captured in the first Mythical Beasts project. In the first edition, the United States was the second-largest investor in the spyware market, following Israel. In that edition, twelve investors were observed to be domiciled within the United States -- whereas in this second edition, t
--- BBBS/LiR v4.10 Toy-7
* Origin: TCOB1: https/binkd/telnet binkd.rima.ie (618:500/1)