
Will other countries follow Australia’s social media ban for under-16s?

Several European nations are already planning similar moves while Britain has said ‘nothing is off the table’

Australia is taking on powerful tech companies with its under-16 social media ban, but will the rest of the world follow? The country’s enactment of the policy is being watched closely by politicians, safety campaigners and parents. A number of other countries are not far behind, with Europe in particular hoping to replicate Australia, while the UK is keeping more of a watchful interest.


© Photograph: Saeed Khan/AFP/Getty Images


How can abuse openly take place in a nursery? This is the question we must urgently reckon with | Munira Wilson

No parent should worry about their child’s safety while they work. But a crisis in our early-years sector is shielding predators such as Vincent Chan

I remember those initial heart-wrenching days and weeks leaving my daughter, aged nine months, at the nursery. She was distraught as I left, and I – like so many parents – headed off to work feeling guilty for leaving her, wondering if I was doing the right thing. Every parent does the research and nursery visits, reads the Ofsted reports and assumes that the staff in their chosen nursery will have the necessary qualifications and training to take care of their child. Obviously, there will be hiccups along the way, but never in your wildest nightmares do you think your child might be physically – or worse still, sexually – abused.

Yet the harrowing case of Vincent Chan, a former nursery worker in Camden, north London, who pleaded guilty to nine counts of sexual assault and 17 counts of taking or making indecent photos of children, hit the headlines last week, leaving parents with young children across the country feeling physically sick and asking the question: How did this happen? Tragically, this is not an isolated case.

Munira Wilson is Liberal Democrat MP for Twickenham



© Photograph: Dominic Lipinski/PA


Former children’s commissioner Anne Longfield to chair grooming gangs inquiry

Peer named as chair of national inquiry, which is expected to cover England and Wales, after long-delayed search

The former children’s commissioner Anne Longfield will chair the national grooming gangs inquiry in what will be a “moment of reckoning” for the nation, the home secretary, Shabana Mahmood, has announced.

Lady Longfield, who will resign the Labour whip in the House of Lords, was recommended by Louise Casey after a long-delayed search during which some victims quit the inquiry’s advisory panel amid disagreements over the chair appointment.


© Photograph: Gary Calton/The Observer


Who Is Andrew Ferguson, the FTC Chairman Who Tilted the Agency to Trump?

Andrew Ferguson has used the Federal Trade Commission’s consumer protection mandate to investigate issues important to President Trump and his base.

© Al Drago for The New York Times

Andrew Ferguson, the chairman of the Federal Trade Commission, during a House Appropriations Subcommittee on Financial Services and General Government hearing in May.

How to Protect from Online Fraud This Holiday Season

Peak e-commerce season hits retailers every year just as the Halloween decorations start to come down. Unsurprisingly, cyber criminals see this time as an opportunity to strike, and criminal activity online spikes alongside sales. Shockingly, 4.6% of attempted e-commerce transactions during the 2024 Black Friday period were suspected to be digital fraud. In the UK..

The post How to Protect from Online Fraud This Holiday Season appeared first on Security Boulevard.


Nevada’s Trojan Download, Penn’s 1.2M Donor Breach, and the Malware That Kills Your Defenses First

In Nevada, a state employee downloaded what looked like a harmless tool from a search ad. The file had been tampered with, and that single moment opened the door to months of silent attacker movement across more than 60 agencies. That pattern shows up again and again in the latest ColorTokens Threat Intelligence Brief. Attackers rarely break in with […]

The post Nevada’s Trojan Download, Penn’s 1.2M Donor Breach, and the Malware That Kills Your Defenses First appeared first on ColorTokens.

The post Nevada’s Trojan Download, Penn’s 1.2M Donor Breach, and the Malware That Kills Your Defenses First appeared first on Security Boulevard.


Top 7 Strategies for Securing Customer Data While Expanding Your Business Internationally

Learn the top strategies to secure customer data when expanding internationally, from MFA and encryption to compliance, SIEM, and scalable security partners.

The post Top 7 Strategies for Securing Customer Data While Expanding Your Business Internationally appeared first on Security Boulevard.


The Hidden Cost of Vulnerability Backlogs—And How to Eliminate Them


Striving for digital transformation, organizations are innovating at an incredibly fast pace. They deploy new applications, services, and platforms daily, creating great opportunities for growth and efficiency. However, this rapid transformation comes with a significant, often overlooked consequence: a massive accumulated vulnerability backlog. This ever-expanding list of unpatched software flaws, system misconfigurations, and coding errors is a silent drain on an organization's most valuable resources.

For many IT and security teams, the vulnerability backlog is a source of constant pressure and a seemingly unwinnable battle. As soon as they deploy one batch of patches, a new wave of critical vulnerabilities is disclosed.

This reactive cybersecurity approach is both unsustainable and incredibly costly. The true price of a vulnerability backlog extends far beyond the person-hours spent on patching. It manifests as operational friction, stifled innovation, employee burnout, and a persistent, elevated risk of a catastrophic cyberattack.

To truly secure the modern enterprise, leaders must look beyond traditional scanning and patching cycles and embrace a new, proactive paradigm for vulnerability management.

The Anatomy of a Swelling Vulnerability Backlog

A vulnerability backlog is the aggregate of all known but unaddressed security weaknesses within an organization’s IT environment. These weaknesses range from critical flaws in open-source libraries and commercial software to misconfigured cloud services and insecure code pushed during quick development cycles.

There are three principal reasons the backlog grows incessantly:
  1. The sheer volume of newly discovered vulnerabilities, numbering in the tens of thousands each year
  2. The complexity of modern, hybrid environments, where assets are spread across on-premises data centers and multiple cloud providers
  3. The monumental challenge of tracking and patching every critical vulnerability

This growing mountain of security weaknesses creates a form of vulnerability debt. It accumulates when patching is deferred because of operational constraints, resource limitations, or the fear of breaking critical applications. The longer a vulnerability remains unpatched, the more time attackers have to develop exploits and launch attacks, turning even a low-priority issue into a full-blown crisis.

The True, Multifaceted Cost of Inaction 

The costs associated with a large vulnerability backlog are both direct and indirect, affecting your organization’s financial health, operational agility, and human capital. 

Financial and Operational Drains 

The most obvious cost is the direct expense of remediation: the salaries of the security professionals who spend countless hours identifying, prioritizing, and deploying patches.

However, the indirect costs are often far greater. Developer productivity plummets when teams are constantly pulled away from building new features to address security issues. That delays the time-to-market for new products and services, handing an advantage to more agile competitors.

If a breach results from an unpatched vulnerability, the financial fallout can be devastating, encompassing everything from regulatory fines and legal fees to customer compensation and a drop in stock value.

The Human Toll 

Beyond the financial and operational impact is the human cost. When security teams drown in a sea of alerts, alert fatigue is unavoidable, and with it come critical warnings missed amid the noise.

The constant pressure and the feeling of being perpetually behind contribute to high levels of stress and burnout, resulting in high turnover of skilled security talent. This creates a vicious cycle: experienced professionals leave, the remaining team is stretched even thinner, and the backlog continues to grow.

This state can also strain the relationship between security, development, and operations teams, preventing the collaboration necessary for a healthy DevSecOps culture.

From Reactive to Proactive Protection

Instead of “How can we patch faster?”, the more effective question is “How can we neutralize security risk before we patch vulnerabilities?” The answer lies in moving from a predominantly reactive posture revolving around patching and response to a proactive one centered on mitigation. A robust patchless mitigation platform can shield your organization’s environment from exploitation regardless of the length of your patching cycles. For instance, Virsec provides compensating controls that prevent malicious actors from exploiting a vulnerability even while it remains present and unpatched.

This approach decouples cybersecurity protection from the act of patching. It gives teams the breathing room to remediate vulnerabilities in a planned, methodical way without leaving critical systems exposed to immediate threats.

Applying these mitigation controls at scale is where the smart application of artificial intelligence becomes essential. AI-driven security tools can automate burdensome tasks for security operations centers (SOCs) and security teams. As an illustration, Virsec’s OTTOGUARD.AI uses agentic AI to improve the efficiency of security operations in the following way:
  1. AI agents autonomously deploy and configure security probes to determine which code and software to trust.
  2. They integrate with your existing cybersecurity tool stack to analyze telemetry, assess your risk environment, and identify assets that can be protected immediately (without patching).
  3. They then interface with IT service management platforms, such as ServiceNow, presenting human experts with validated remediation and patching solutions for the remaining issues. Human experts have the final word, reviewing the suggested solutions and deciding whether to act on them.

Foster a Culture of Shared Responsibility 

Technology alone is not a panacea. The most effective vulnerability management programs stand on a strong security culture that breaks down silos between development, security, and operations. Hence, before anything else, strive to build this culture of collaboration and unified goals. It will instill a sense of shared responsibility for your organization’s security posture and motivate every individual to be a proactive guardian against threats.

Final Thoughts 

By combining proactive protection with AI-driven automation and a culture of shared responsibility, organizations can begin to tame their vulnerability backlogs. This multi-layered approach reduces the risk of a breach, frees up valuable resources, accelerates innovation, and builds a more resilient and future-proof enterprise. Its goal is to transform security from a cost center and a source of friction into a true business enabler. Because that's what cybersecurity really is: an essential business enabler that makes it possible for organizations to innovate with confidence in an increasingly complex digital world.

New Attacks Against Secure Enclaves

Encryption can protect data at rest and data in transit, but does nothing for data in use. What we have are secure enclaves. I’ve written about this before:

Almost all cloud services have to perform some computation on our data. Even the simplest storage provider has code to copy bytes from an internal storage system and deliver them to the user. End-to-end encryption is sufficient in such a narrow context. But often we want our cloud providers to be able to perform computation on our raw data: search, analysis, AI model training or fine-tuning, and more. Without expensive, esoteric techniques, such as secure multiparty computation protocols or homomorphic encryption techniques that can perform calculations on encrypted data, cloud servers require access to the unencrypted data to do anything useful.

Fortunately, the last few years have seen the advent of general-purpose, hardware-enabled secure computation. This is powered by special functionality on processors known as trusted execution environments (TEEs) or secure enclaves. TEEs decouple who runs the chip (a cloud provider, such as Microsoft Azure) from who secures the chip (a processor vendor, such as Intel) and from who controls the data being used in the computation (the customer or user). A TEE can keep the cloud provider from seeing what is being computed. The results of a computation are sent via a secure tunnel out of the enclave or encrypted and stored. A TEE can also generate a signed attestation that it actually ran the code that the customer wanted to run.

Secure enclaves are critical in our modern cloud-based computing architectures. And, of course, they have vulnerabilities:

The most recent attack, released Tuesday, is known as TEE.fail. It defeats the latest TEE protections from all three chipmakers. The low-cost, low-complexity attack works by placing a small piece of hardware between a single physical memory chip and the motherboard slot it plugs into. It also requires the attacker to compromise the operating system kernel. Once this three-minute attack is completed, Confidential Compute, SEV-SNP, and TDX/SDX can no longer be trusted. Unlike the Battering RAM and Wiretap attacks from last month—which worked only against CPUs using DDR4 memory—TEE.fail works against DDR5, allowing them to work against the latest TEEs.

Yes, these attacks require physical access. But that’s exactly the threat model secure enclaves are supposed to secure against.


Why “Secure Login” Isn’t Enough to Protect Your Mobile App Anymore


Manish Mimani, founder and CEO of Protectt.ai

For years, static passwords, dynamic one-time passwords (OTPs), and multi-factor authentication (MFA) have been the foundation of mobile app security. They have helped users verify their identities and kept unauthorized access at bay. But today, that is no longer enough. Modern fraudsters aren’t just trying to break through login screens — they are targeting what happens after you log in. Post-authentication fraud is rising at an alarming pace across mobile-first industries like BFSI, fintech, and digital commerce. Fraudsters bypass identity checks altogether by compromising runtime environments, targeting APIs, or exploiting device vulnerabilities, often without ever touching credentials. The biggest misconception in mobile app security today is that if the login is secure, the app is secure. That couldn’t be further from the truth.

Mobile App Security Risks Don’t Stop at Login

Runtime Blind Spots: Once users log in, most apps assume the environment is safe. It is not.
  • Malware, repackaged apps, and overlay attacks exploit runtime weaknesses.
  • Fraudsters hijack active sessions and execute transactions from within.
Compromised Devices: A secure app on a rooted or jailbroken device is vulnerable.
  • Malicious keyboard overlays, screen sharing, and unsafe environments open hidden backdoors.
Unsecured APIs: Many fraudsters bypass the UI entirely.
  • Weak APIs are prime targets for token replay, man-in-the-middle exploits, and automated fraud.
Result: Fraud happens after successful authentication — where most defences do not exist.

The Solution: Build Defence Inside the App

To counter post-authentication threats, security must be intrinsic to the app, not just a guard at the login.

Embed Protection with Runtime Application Self-Protection (RASP)
  • RASP sits inside the application, detecting and blocking malicious activity the moment it occurs.
  • It thwarts tampering, reverse engineering, overlay attacks, and session hijacking in real time.
  • Unlike static perimeter defences, RASP protects every user interaction across any network, device, or location. It transforms your app from a passive target into an active shield.
Enforce Continuous Device Integrity
  • Validate the trustworthiness of the device at every step.
  • Detect rooted or jailbroken devices, malicious tools, or unsafe conditions.
  • Apply adaptive responses — restrict high-risk functions or block sensitive actions entirely.
Secure the API Layer End-to-End
  • Treat APIs as critical attack surfaces.
  • Harden with encryption, authentication, behavioural monitoring, and anomaly detection.
  • Stop fraud before it can bypass the UI.
Authentication Is Just the Start

Login protection is necessary, but no longer sufficient. True mobile app security is layered:
  • RASP for in-app runtime defence.
  • Device Integrity for trusted environments.
  • API Protection for invisible attack surfaces.
Fraudsters have evolved, so security must be built inside the app, not just around it. The challenge is no longer just the OTP; it is also what happens after the OTP is validated. For mobile-first industries like BFSI, fintech, and digital commerce, the security of the entire business depends on this strategic shift. Authentication starts the journey; RASP ensures protection every step of the way.

A Surprising Amount of Satellite Traffic Is Unencrypted

Here’s the summary:

We pointed a commercial-off-the-shelf satellite dish at the sky and carried out the most comprehensive public study to date of geostationary satellite communication. A shockingly large amount of sensitive traffic is being broadcast unencrypted, including critical infrastructure, internal corporate and government communications, private citizens’ voice calls and SMS, and consumer Internet traffic from in-flight wifi and mobile networks. This data can be passively observed by anyone with a few hundred dollars of consumer-grade hardware. There are thousands of geostationary satellite transponders globally, and data from a single transponder may be visible from an area as large as 40% of the surface of the earth.

Full paper. News article.
