Crypto-Gram
September 15, 2025

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of
Crypto-Gram on the web.

Trojans Embedded in .svg Files
Eavesdropping on Phone Conversations Through Vibrations Zero-Day Exploit in
WinRAR File
Subverting AIOps Systems Through Poisoned Input Data Jim Sanborn Is Auctioning
Off the Solution to Part Four of the Kryptos Sculpture
AI Agents Need Data Integrity
I'm Spending the Year at the Munk School Poor Password Choices
Encryption Backdoor in Military/Police Radios We Are Still Unable to Secure LLMs
from Malicious Inputs The UK May Be Dropping Its Backdoor Mandate Baggage Tag
Scam
1965 Cryptanalysis Training Workbook Released by the NSA Indirect Prompt
Injection Attacks Against LLM Assistants Generative AI as a Cybercrime Assistant
GPT-4o-mini Falls for Psychological Manipulation
My Latest Book: Rewiring Democracy
AI in Government
Signed Copies of Rewiring Democracy New Cryptanalysis of the Fiat-Shamir
Protocol A Cyberattack Victim Notification Framework Upcoming Speaking
Engagements
** *** ***** ******* *********** *************

Trojans Embedded in .svg Files

[2025.08.15] Porn sites are hiding code in .svg files:

Unpacking the attack took work because much of the JavaScript in the .svg images
was heavily obscured using a custom version of "JSFuck," a technique that uses
only a handful of character types to encode JavaScript into a camouflaged wall
of text.

Once decoded, the script causes the browser to download a chain of additional
obfuscated JavaScript. The final payload, a known malicious script called
Trojan.JS.Likejack, induces the browser to like a specified Facebook post as
long as a user has their account open.

"This Trojan, also written in Javascript, silently clicks a 'Like' button for a
Facebook page without the user's knowledge or consent, in this case the adult
posts we found above," Malwarebytes researcher Pieter Arntz wrote. "The user
will have to be logged in on Facebook for this to work, but we know many people
keep Facebook open for easy access."

This isn't a new trick. We've seen Trojaned .svg files before.

** *** ***** ******* *********** *************

Eavesdropping on Phone Conversations Through Vibrations

[2025.08.18] Researchers have managed to eavesdrop on cell phone voice
conversations by using radar to detect vibrations. It's more a proof of concept
than anything else. The radar detector is only ten feet away, the setup is
stylized, and accuracy is poor. But it's a start.

** *** ***** ******* *********** *************

Zero-Day Exploit in WinRAR File

[2025.08.19] A zero-day vulnerability in WinRAR is being exploited by at least
two Russian criminal groups:

The vulnerability seemed to have super Windows powers. It abused alternate data
streams, a Windows feature that allows different ways of representing the same
file path. The exploit abused that feature to trigger a previously unknown path
traversal flaw that caused WinRAR to plant malicious executables in
attacker-chosen file paths %TEMP% and %LOCALAPPDATA%, which Windows normally
makes off-limits because of their ability to execute code.

More details in the article.

** *** ***** ******* *********** *************

Subverting AIOps Systems Through Poisoned Input Data

[2025.08.20] In this input integrity attack against an AI system, researchers
were able to fool AIOps tools:

AIOps refers to the use of LLM-based agents to gather and analyze application
telemetry, including system logs, performance metrics, traces, and alerts, to
detect problems and then suggest or carry out corrective actions. The likes of
Cisco have deployed AIops in a conversational interface that admins can use to
prompt for information about system performance. Some AIOps tools can respond to
such queries by automatically implementing fixes, or suggesting scripts that can
address issues.

These agents, however, can be tricked by bogus analytics data into taking
harmful remedial actions, including downgrading an installed package to a
vulnerable version.

The paper: "When AIOps Become "AI Oops": Subverting LLM-driven IT Operations via
Telemetry Manipulation":

Abstract: AI for IT Operations (AIOps) is transforming how organizations manage
complex software systems by automating anomaly detection, incident diagnosis,
and remediation. Modern AIOps solutions increasingly rely on autonomous
LLM-based agents to interpret telemetry data and take corrective actions with
minimal human intervention, promising faster response times and operational cost
savings.

In this work, we perform the first security analysis of AIOps solutions, showing
that, once again, AI-driven automation comes with a profound security cost. We
demonstrate that adversaries can manipulate system telemetry to mislead AIOps
agents into taking actions that compromise the integrity of the infrastructure
they manage. We introduce techniques to reliably inject telemetry data using
error-inducing requests that influence agent behavior through a form of
adversarial reward-hacking; plausible but incorrect system error interpretations
that steer the agent's decision-making. Our attack methodology, AIOpsDoom, is
fully automated -- combining reconnaissance, fuzzing, and LLM-driven adversarial
input generation -- and operates without any prior knowledge of the target
system.

To counter this threat, we propose AIOpsShield, a defense mechanism that
sanitizes telemetry data by exploiting its structured nature and the minimal
role of user-generated content. Our experiments show that AIOpsShield reliably
blocks telemetry-based attacks without affecting normal agent performance.

Ultimately, this work exposes AIOps as an emerging attack vector for system
compromise and underscores the urgent need for security-aware AIOps design.

** *** ***** ******* *********** *************

Jim Sanborn Is Auctioning Off the Solution to Part Four of the Kryptos Sculpture

[2025.08.21] Well, this is interesting:

The auction, which will include other items related to cryptology, will be held
Nov. 20. RR Auction, the company arranging the sale, estimates a winning bid
between $300,000 and $500,000.

Along with the original handwritten plain text of K4 and other papers related to
the coding, Mr. Sanborn will also be providing a 12-by-18-inch copper plate that
has three lines of alphabetic characters cut through with a jigsaw, which he
calls "my proof-of-concept piece" and which he kept on a table for inspiration
during the two years he and helpers hand-cut the letters for the project. The
process was grueling, exacting and nerve wracking. "You could not make a

--- BBBS/LiR v4.10 Toy-7
 * Origin: TCOB1: https/binkd/telnet binkd.rima.ie (618:500/1)