AT2k Design BBS Message Area
From: Sean Rima
To: All
Subject: news2.txt Part1
Date/Time: October 15, 2025 10:49 AM

Crypto-Gram
October 15, 2025

by Bruce Schneier
Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit Crypto-Gram's web page.

Read this issue on the web

These same essays and news items appear in the Schneier on Security blog, along
with a lively and intelligent comment section. An RSS feed is available.

** *** ***** ******* *********** *************

In this issue:

If these links don't work in your email client, try reading this issue of
Crypto-Gram on the web.

Lawsuit About WhatsApp Security
Microsoft Still Uses RC4
Hacking Electronic Safes
Time-of-Check Time-of-Use Attacks Against LLMs
Surveying the Global Spyware Market
Details About Chinese Surveillance and Propaganda Companies
Apple's New Memory Integrity Enforcement
US Disrupts Massive Cell Phone Array in New York
Malicious-Looking URL Creation Service
Digital Threat Modeling Under Authoritarianism
Abusing Notion's AI Agent for Data Theft
Details of a Scam
Use of Generative AI in Scams
Daniel Miessler on the AI Attack/Defense Balance
AI in the 2026 Midterm Elections
AI-Enabled Influence Operation Against Iran
Flok License Plate Surveillance
Autonomous AI Hacking and the Future of Cybersecurity
AI and the Future of American Politics
Rewiring Democracy is Coming Soon
The Trump Administration's Increased Use of Social Media Surveillance
Upcoming Speaking Engagements
** *** ***** ******* *********** *************

Lawsuit About WhatsApp Security

[2025.09.15] Attaullah Baig, WhatsApp's former head of security, has filed a
whistleblower lawsuit alleging that Facebook deliberately failed to fix a bunch
of security flaws, in violation of its 2019 settlement agreement with the
Federal Trade Commission.

The lawsuit, alleging violations of the whistleblower protection provision of
the Sarbanes-Oxley Act passed in 2002, said that in 2022, roughly 100,000
WhatsApp users had their accounts hacked every day. By last year, the complaint
alleged, as many as 400,000 WhatsApp users were getting locked out of their
accounts each day as a result of such account takeovers.

Baig also allegedly notified superiors that data scraping on the platform was a
problem because WhatsApp failed to implement protections that are standard on
other messaging platforms, such as Signal and Apple Messages. As a result, the
former WhatsApp head estimated that pictures and names of some 400 million user
profiles were improperly copied every day, often for use in account
impersonation scams.

More news coverage.

** *** ***** ******* *********** *************

Microsoft Still Uses RC4

[2025.09.16] Senator Ron Wyden has asked the Federal Trade Commission to
investigate Microsoft over its continued use of the RC4 encryption algorithm.
The letter discusses a hacker technique called Kerberoasting that exploits
the Kerberos authentication system.

** *** ***** ******* *********** *************

Hacking Electronic Safes

[2025.09.17] Vulnerabilities in electronic safes that use Securam Prologic
locks:

While both their techniques represent glaring security vulnerabilities, Omo says
it's the one that exploits a feature intended as a legitimate unlock method for
locksmiths that's the more widespread and dangerous. "This attack is something
where, if you had a safe with this kind of lock, I could literally pull up the
code right now with no specialized hardware, nothing," Omo says. "All of a
sudden, based on our testing, it seems like people can get into almost any
Securam Prologic lock in the world."

[...]

Omo and Rowley say they informed Securam about both their safe-opening
techniques in spring of last year, but have until now kept their existence
secret because of legal threats from the company. "We will refer this matter to
our counsel for trade libel if you choose the route of public announcement or
disclosure," a Securam representative wrote to the two researchers ahead of last
year's Defcon, where they first planned to present their research.

Only after obtaining pro bono legal representation from the Electronic Frontier
Foundation's Coders' Rights Project did the pair decide to follow through with
their plan to speak about Securam's vulnerabilities at Defcon. Omo and Rowley
say they're even now being careful not to disclose enough technical detail to
help others replicate their techniques, while still trying to offer a warning to
safe owners about two different vulnerabilities that exist in many of their
devices.

The company says that it plans on updating its locks by the end of the year, but
has no plans to patch any locks already sold.

** *** ***** ******* *********** *************

Time-of-Check Time-of-Use Attacks Against LLMs

[2025.09.18] This is a nice piece of research: "Mind the Gap: Time-of-Check to
Time-of-Use Vulnerabilities in LLM-Enabled Agents."

Abstract: Large Language Model (LLM)-enabled agents are rapidly emerging across
a wide range of applications, but their deployment introduces vulnerabilities
with security implications. While prior work has examined prompt-based attacks
(e.g., prompt injection) and data-oriented threats (e.g., data exfiltration),
time-of-check to time-of-use (TOCTOU) remains largely unexplored in this context.
TOCTOU arises when an agent validates external state (e.g., a file or API
response) that is later modified before use, enabling practical attacks
such as malicious configuration swaps or payload injection. In this work, we
present the first study of TOCTOU vulnerabilities in LLM-enabled agents. We
introduce TOCTOU-Bench, a benchmark with 66 realistic user tasks designed to
evaluate this class of vulnerabilities. As countermeasures, we adapt detection
and mitigation techniques from systems security to this setting and propose
prompt rewriting, state integrity monitoring, and tool-fusing. Our study
highlights challenges unique to agentic workflows, where we achieve up to 25%
detection accuracy using automated detection methods, a 3% decrease in
vulnerable plan generation, and a 95% reduction in the attack window. When
combining all three approaches, we reduce the TOCTOU vulnerabilities from an
executed trajectory from 12% to 8%. Our findings open a new research direction
at the intersection of AI safety and systems security.
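The "malicious configuration swap" and the "state integrity monitoring" countermeasure described in the abstract, as an added illustration (not code from the paper or from Crypto-Gram): an agent-style tool validates a JSON config, the file changes in the window before it is used, and the pinned-hash variant refuses to act on bytes it never validated. The allow-list, file name and host values are constructed for the example.

```python
import hashlib
import json
import os
import tempfile

ALLOWED_HOSTS = {"api.example.internal"}  # constructed allow-list for the tool

def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_config(path: str) -> str:
    """Check step: validate the config and return the SHA-256 of the exact
    bytes that passed validation (the state we pin)."""
    data = open(path, "rb").read()
    cfg = json.loads(data)
    if cfg.get("host") not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {cfg.get('host')!r}")
    return _digest(data)

def use_config_naive(path: str) -> str:
    """Use step without pinning: re-reads the file, so whatever is on disk
    now gets acted on, even if it changed since check_config ran."""
    return json.loads(open(path, "rb").read())["host"]

def use_config_pinned(path: str, pinned: str) -> str:
    """Use step with state integrity monitoring: refuse to act unless the
    bytes still hash to what was validated."""
    data = open(path, "rb").read()
    if _digest(data) != pinned:
        raise RuntimeError("config changed between check and use")
    return json.loads(data)["host"]

def demo(swap_between_check_and_use: bool) -> tuple[str, str]:
    """Run check -> (optional swap) -> use and return (naive, pinned) results;
    pinned is 'blocked' when the mitigation refuses to act."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool_config.json")
        with open(path, "w") as f:
            json.dump({"host": "api.example.internal"}, f)
        pinned = check_config(path)
        if swap_between_check_and_use:  # the TOCTOU window opens here
            with open(path, "w") as f:
                json.dump({"host": "evil.example"}, f)  # constructed hostile value
        naive = use_config_naive(path)
        try:
            pinned_result = use_config_pinned(path, pinned)
        except RuntimeError:
            pinned_result = "blocked"
    return naive, pinned_result
```

Pinning the validated bytes closes the gap only for the use step that re-checks; the paper's other two countermeasures address the plan that chose to re-read at all.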

** *** ***** ******* *********** *************

Surveying the Global Spyware Market

[2025.09.19] The Atlantic Council has published its second annual report:
"Mythical Beasts: Diving into the depths of the global spyware market."

Too much good detail to summarize, but here are two items:

First, the authors found that the number of US-based investors in spyware has
notably increased in the past year, when compared with the sample size of the
spyware market captured in the first Mythical Beasts project. In the first
edition, the United States was the second-largest investor in the spyware
market, following Israel. In that edition, twelve investors were observed to be
domiciled within the United States -- whereas in this second edition, t

--- BBBS/LiR v4.10 Toy-7
 * Origin: TCOB1: https/binkd/telnet binkd.rima.ie (618:500/1)