Apple on Monday backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems.
The vulnerabilities in question are listed below -

CVE-2025-24085 (CVSS score: 7.3) - A use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate

Apple Backports Critical Fixes for 3 Live Exploits Impacting iOS and macOS Legacy Devices

A number of specialized dating apps leaked the--not so--secret storage location of 1.5 Million more or less explicit images

A researcher found millions of pictures from specialized dating apps for iOS stored online without any kind of password protection.

The pictures, some of which are explicit, stem from dating apps that all have a specific audience. The five platforms, all developed by M.A.D. Mobile are kink sites BDSM People and Chica, and LGBTQ+ apps Pink, Brish, and Translove.

As we reported not too long ago, many iOS apps leak at least one hard coded secret. We consider hard coded secrets in the source code of the apps as exposed because they are relatively easy to find and abuse by cybercriminals. And those secrets can have serious consequences for the apps’ users

Cybernews’ Aras Nazarovas found the storage location (a Google Cloud Storage bucket) used by the apps by reverse engineering the code. To his surprise, he could access the unencrypted and otherwise unprotected photos without needing any password.

As soon as he saw the first image, he knew this storage should not have been public. Not only did it contain profile pictures, it also included pictures sent in private messages, including some removed by moderators.

In total, nearly 1.5 million user-uploaded images were available to anyone stumbling over the storage bucket. Although the images are not linked to any user accounts or other private information, it is not unthinkable that cybercriminals could figure out some of the identities by using commonly available face search engines.

Many of these search engines use Artificial Intelligence (AI) for facial recognition combined with reverse image search technology to find other photos of a person published online, based on a picture submitted by the user.

Although officially intended only for self-searches, many of them don’t bother to check whether that’s actually the case.

Coupled to the identity of the person in the picture, these images could expose users to extortion, as well as an increased risk of hostility. As if online dating isn’t nervewracking enough, especially for those looking in special categories, the last we need is to see our explicit images exposed.

M.A.D Mobile was warned about the leak in January, but didn’t take any action to protect the storage until the BBC contacted the company on Friday. The issue has now been fixed.

It’s important to stipulate that the apps are exclusive to iOS and do not have Android or web alternatives.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

 Intimate images from kink and LGBTQ+ dating apps left exposed online 

Apple has been hit with a fine of €150 million ($162 million) by France's competition watchdog over the implementation of its App Tracking Transparency (ATT) privacy framework.
The Autorité de la concurrence said it's imposing a financial penalty against Apple for abusing its dominant position as a distributor of mobile applications for iOS and iPadOS devices between April 26, 2021 and July 25,

Apple Fined €150 Million by French Regulator Over Discriminatory ATT Consent Practices

Massive Twitter (X) data breach exposes details of 2.8 billion users; alleged insider leak surfaces with no official response from the company.

A data leak involving a whopping 2.87 billion **Twitter (X)** users has surfaced on the infamous Breach Forums. According to a post by a user named ThinkingOne, the leak is the result of a disgruntled X employee who allegedly stole the data during a period of **mass layoffs**. If true, this would be the largest social media data breach in history, but surprisingly, neither X nor the broader public appears to be aware of it.

****What We Know About the Breach****

The original post by ThinkingOne states that the data, around 400GB worth, was likely exfiltrated during messy layoffs at X. The poster claims that they tried contacting X through multiple methods but received no response.

Frustrated with the lack of acknowledgment from X and the general public, they took matters into their own hands and decided to merge the newly leaked data with another infamous **breach from January 2023**.

Screenshot from Breach Forums shows what ThinkingOne has posted about the alleged breach (Credit: Waqas/Hackread.com)

****The 2023 Breach Recap****

To understand the full scope of what was leaked, looking at the 2023 X data breach that affected around 209 million users is important. That breach exposed:

*   **Email addresses**

*   **Display names and usernames (handles)**

*   **Followers count and account creation dates**

At the time, **X downplayed the leak**, stating that it consisted of publicly available data. Despite the massive exposure of email addresses, they insisted that no sensitive or private information was involved. However, security experts warned that the combination of emails and public data could enable phishing and identity theft on a large scale.

****What’s Inside the Alleged 2025 Breach?****

The 2025 breach, however, is a completely different beast. Unlike the 2023 leak, it doesn’t contain email addresses, but it does hold a goldmine of profile metadata, including:

*   **Account creation dates**.

*   **User IDs and screen names**.

*   **Profile descriptions and URLs**.

*   **Location and time zone settings**.

*   **Display names (current and from 2021).**

*   **Followers count from both 2021 and 2025**.

*   **Tweet count and timestamps of the last tweet**.

*   **Friends count, listed count, and favorites count**.

*   **Source of the last tweet (such as TweetDeck or X Web App).**

*   **Status settings (like whether the profile is verified or protected)**.

The data gives a detailed snapshot of users’ profiles and activity over time, including bios, follower counts from different years, tweet history, and even the app used for the last tweet. But the one thing it doesn’t include is the most sensitive bit: email addresses.

Data analyzed by the Hackread.com research team (Credit: Waqas/Hackread.com)

****The Data Mashup****

ThinkingOne, a well-known figure on Breach Forums for their skill in analyzing data leaks, decided to combine the 2025 leak with the 2023 one, producing a single 34GB CSV file (9GB compressed) containing 201 million merged entries. To be clear, the merged data only includes users that appeared in both breaches, creating a confusion of public and semi-public data.

This messy combination led many to believe that the 2025 leak also contained email addresses, but that’s not the case. The emails shown in the merged file are from the 2023 breach. The presence of emails in the merged dataset has given the wrong impression that the contents of the 2025 leak also include email addresses.

****Why 2.8 Billion Doesn’t Add Up****

As of Jan 2025, X (formerly Twitter) had around **335.7 million users**, so how is it possible that data from 2.8 billion users has been leaked? One possible explanation is that the dataset includes aggregated or historical data, such as bot accounts that were created and later banned, inactive or deleted accounts that still lingered in historical records, or old data that was merged with newer data, increasing the total number of records.

Additionally, some entries might not even represent real users but could include non-user entities like API accounts, developer bots, deleted or banned profiles that remained logged somewhere, or organization and brand accounts that aren’t tied to individual users.

Another possibility is that the leaked data wasn’t exclusively obtained from Twitter itself but rather scraped from multiple public sources and merged together, including archived data from older leaks or information from third-party services linked to Twitter accounts.

****Who Is ThinkingOne, and How Did They Get the Data?****

One of the biggest mysteries is how ThinkingOne managed to obtain the 2025 breach data in the first place. Unlike typical hackers, they are not known for breaching systems themselves but are highly regarded for analyzing and interpreting leaked datasets. Whether they received the data from another source or conducted some sophisticated data aggregation is still unclear.

Their theory that a disgruntled employee leaked the data during the layoffs remains unconfirmed, and there’s no concrete evidence to support it; it is only a plausible hypothesis given the timing and internal mess at X.

****Why the Silence from X?****

If the claims are true, this is not just a massive breach in size but also a blow to user privacy and corporate security practices. Yet, X remains silent, and the general public remains largely unaware.

Whether it’s due to a lack of awareness on their part or an intentional attempt to downplay the incident, the absence of any official response raises serious questions about corporate transparency and accountability.

Despite the large scale of the alleged breach, the lack of public acknowledgment from X is worrisome. Whether this was an **inside job** or not, users are left with more questions than answers: How much of their data has been compromised? Who was behind the leak? And why hasn’t X issued any statements about it?

Twitter (X) Hit by Data Leak of 2.8 Billion Users; Allegedly an Insider Job

While inundated with ideas, you also need to consider how to present them effectively and structure the course…

While inundated with ideas, you also need to consider how to present them effectively and structure the course to engage your learners. One challenge educators face is capturing students’ attention while ensuring they learn something. When course material is in methodical order, students tend to stay more focused and energized, which instructors can achieve through course outlining.

****Understand the Audience****

Understanding your audience is essential when using an AI course creator to develop digital courses. Before diving into content creation, consider who your learners are, what they need, and what prior knowledge they bring. Conducting surveys or interviews can offer valuable insights into their preferences and learning styles, ensuring a more engaging and effective course.

****Clear Learning Objectives****

Course objectives have been clearly defined and are a guiding light for the course path. These objectives should describe what the students can achieve by the end of the course. Learners with clear goals can easily avoid distractions due to purpose and direction. Learning objectives also aid in tracking progress and changing course or pedagogical strategies when needed.

****Organizing Content****

Well-organized content helps to create better transitions between topics. Chunking the material into smaller pieces avoids overloading the learners. Again, each section should leverage prior knowledge, reinforcing learning while keeping the reader engaged. Using multimedia, such as videos, quizzes, and infographics, can facilitate understanding and hold students’ attention.

****Interactive Elements****

These interactive elements are key to keeping the students engaged. Discussion boards, group work, and peer-review assignments promote engagement. Such activities encourage cooperation and critical thinking, ensuring course materials create a dynamic learning experience. Students can also use interactive elements as opportunities to apply knowledge, reinforcing concepts within a real context.

****Flexible Learning Pace****

Different learners require varying learning paces, and providing them with a flexible option can significantly enhance their engagement. Students also rarely have the exact schedules or are committed to other activities, so allowing them to move at their own pace encourages them to be more engaged. Asynchronous or pre-recorded modules enable students to study when their schedule allows. This method also relieves stress and allows for a more positive learning atmosphere.

****Feedback and Assessment****

An engaging course has regular feedback and assessment. Students can identify their strengths and areas for improvement only when teachers provide them with constructive feedback. Use more quizzes or assignments, as your feedback keeps you going and allows you to self-evaluate. Course assessments must be based on course objectives so learners can measure their current position and enjoy success.

A strong sense of community fosters student engagement. Promoting engagement using forums for discussions, live sessions, or group projects creates a collaborative atmosphere. When a learning environment is supportive, the learner has the opportunity to share experiences that will help others learn, ask questions, and seek guidance from both peers and instructors. A sense of belonging helps students stay on track with their learning.

****Real-world Examples****

One of the best ways to apply abstract concepts is through real-world example explanations. The research will show you that when course content takes on an applied nature by integrating case studies, current events, or actual industry scenarios, it reflects the practical application of dry theoretical knowledge. Understanding the real-life applications of the course material adds value to students’ learning experiences, making the course intriguing and fun.

****Adapting to Feedback****

This responsiveness to student needs is crucial. Consistent feedback helps instructors improve and adjust course material. When students feel like you listen to their suggestions, it gives them a feeling of ownership and creates a conducive atmosphere for learning. Incorporating feedback shows a commitment to creating a high-quality learning experience.

****Conclusion****

Creating a course involves more than transferring content from your brain to your students. Tips to deliver the best presentation include knowing your audience, setting appropriate goals, and using an interactive approach. Flexibility, community building, and responsiveness to feedback promote student engagement. These can help teachers develop breakthrough courses that can prove to be unforgettable learning experiences for the learners.

Image by Mohamed Hassan from Pixabay.

Engaging Online Learning: Strategies to Keep Students Focused and Motivated

About Remote Code Execution – Kubernetes (CVE-2025-1974) vulnerability. An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. In the default installation, the controller can access all Secrets cluster-wide. 🔹 On March 24, […]

**About Remote Code Execution – Kubernetes (CVE-2025-1974) vulnerability.** An unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. In the default installation, the controller can access **all Secrets cluster-wide**.

🔹 On March 24, Wiz published a write-up on this vulnerability, naming it **IngressNightmare** (alongside CVE-2025-1097, CVE-2025-1098, and CVE-2025-24514). Wiz researchers identified 6,500 vulnerable controllers **exposed to the Internet**. 😱 The Kubernetes blog reports that in many common scenarios, the Pod network is accessible to all workloads in the cloud VPC, or even **anyone connected to the corporate network**. Ingress-nginx is used in 40% of Kubernetes clusters.

🔹 Public exploits are available on GitHub since March 25th. 😈

Update ingress-nginx to versions v1.12.1, v1.11.5, or higher!

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Remote Code Execution – Kubernetes (CVE-2025-1974) vulnerability

Is moving from WhatApp to Signal a good idea? We look at the pros and cons, and which settings can make Signal even more private.

This week we learned that the US Government uses Signal for communication, after a journalist was accidentally added to a Signal chat.

Accidental additions of people aside, the news has got regular folks asking if they should, too, be using Signal for private communications.

Probably the largest alternative to Signal, WhatsApp is owned by Meta, and has faced criticism for its data-sharing practices. But is switching to Signal truly an improvement? Let’s explore the differences between these apps and whether the move would be justified.

Both WhatsApp and Signal offer end-to-end encryption, ensuring that only the sender and recipient can read messages. But the difference is that Signal employs “Sealed Sender,” a feature that hides metadata even from itself, whereas WhatsApp collects metadata such as phone numbers, IP addresses, and device information, which it shares with Meta and third parties.

As president of Signal Meredith Whittaker said in a statement to Dutch website Security.nl:

> “WhatsApp collects and shares, when required, large amounts of private information that is not encrypted, like your profile picture, your location, your contacts, when you send a message, when you stop, who’s in your group chats, and so on.”

Signal collects minimal data, but it’s run by the non-profit Signal Foundation, which operates free from commercial interests. Signal’s open-source code allows for public scrutiny of its security claims, which is a transparency WhatsApp lacks.

Where Signal adds privacy-focused features such as call relay (to hide IP addresses), self-destructing messages, and customizable notification settings, WhatsApp provides more social features like status updates.

Switching to Signal is justified if privacy is your top priority. Its minimal data collection, transparency, and advanced security features make it superior to WhatsApp in protecting user information. However, for those who rely on WhatsApp’s massive user base or social features, the transition might be less convenient.

There is no inter-compatibility, so all participants in a conversation need to use the same app. Meaning that one of the few things holding many users back from switching from WhatsApp to Signal is leaving contacts behind that are not willing to move over.

Obviously, the decision is yours and depends on your personal priorities: privacy versus convenience.

To fully benefit from Signal’s privacy capabilities, users should enable the following features:

*   **Disappearing messages**:
    *   Open a chat in Signal.
    *   Tap the three dots or profile icon to enter chat settings.
    *   Select “Disappearing Messages” and set a timer (e.g., five minutes or one week). This ensures messages are automatically deleted after the specified time.
*   **Screen lock**:
    *   Go to Signal settings by tapping your profile avatar.
    *   Navigate to “Privacy.”
    *   Enable “Screen Lock” to require biometric authentication or a PIN to access the app.
*   **Relay calls**:
    *   Under “Privacy” settings, activate “Always Relay Calls.” This routes calls through Signal servers to hide your IP address from contacts.
*   **Incognito keyboard** (Android only):
    *   In “Privacy” settings, enable “Incognito Keyboard” to prevent your keyboard from sending typing data to third-party servers.
*   **Screen security**:
    *   For Android: Enable “Screen Security” to block screenshots within the app.
    *   For iPhone: Turn on “Enable Screen Security” to prevent app previews in multitasking mode.
*   **Registration lock**:
    *   Activate this feature in “Privacy” settings to require a PIN for re-registering your account on new devices.

By enabling these features, users can ensure their conversations remain private and secure.

Another important tip is to check **Group chat members**. Before you send messages to a group, check who can read them: Open your group chat and tap on the group name to view chat settings. Scroll to the Members list and tap “View all members” to see the full list of group members.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Moving from WhatsApp to Signal: A good idea? 

Cary, North Carolina, 27th March 2025, CyberNewsWire

**Cary, North Carolina, March 27th, 2025, CyberNewsWire**

INE, a global leader in networking and cybersecurity training and certifications, is proud to announce it is the recipient of twelve badges in G2’s Spring 2025 Report, including Grid Leader for Cybersecurity Professional Development, Online Course Providers, and Technical Skills Development, which highlight INE’s superior performance relative to competitors. 

> “INE solves the problem of accessible, hands-on security training with structured learning paths and real-world labs,” says SOC Analyst Sai Tharun K. “It helps bridge the gap between theory and practical skills. For me, it has been very valuable in refining my penetration testing, cloud security, and threat analysis skills.”

G2 calculates rankings using a proprietary algorithm sourced from verified reviews of actual product users and is a trusted review source for thousands of organizations around the world. Its recognition of INE’s strong performance in enterprise, small business, and global impact for technical training showcases the depth and breadth of INE’s online learning library. 

> “We’re incredibly proud to once again be at the forefront of the training industry, recognized by G2 users in a time when cyber threats are escalating in both frequency and complexity,” said Dara Warn, CEO of INE. “This recognition reflects our commitment to providing training that not only keeps pace with but anticipates the dynamic intersection of cybersecurity with networking, cloud services, and broader IT disciplines. At INE, we believe deeply in equipping professionals and organizations with the robust, up-to-date skills necessary to navigate and secure today’s rapidly changing digital landscapes. A huge thank you to our dedicated team and learners, who are essential in our mission to transform cybersecurity training to meet the urgent demands of the current environment.”

INE’s G2 Spring 2025 Report highlights include:

*   **Momentum Leader, Cybersecurity Professional Development**
*   **Momentum Leader, Online Course Providers**
*   **Momentum Leader, Technical Skills Development**
*   **Grid Leader, Cybersecurity Professional Development**
*   **Grid Leader, Online Course Providers**
*   **Grid Leader, Technical Skills Development**
*   **Regional Leader, Europe Online Course Providers**
*   **Regional Leader, Asia Online Course Providers**
*   **Regional Leader, Asia Pacific Online Course Providers**
*   **Grid Leader, Small-Business Technical Skills Development**
*   **Grid Leader, Small-Business Online Course Providers**
*   **High Performer, India Online Course Providers**

> “INE’s hands-on labs and real-world scenarios have helped me refine by skills,” said Leonard R.G., a Pentesting Consultant. “INE is solving the hiring issues most HR people have when they are hiring cybersecurity workers,” adds Batuhan A., a Cyber Security Researcher. 

In 2024, the prestigious SC Awards recognized INE Security, INE’s cybersecurity-specific training, as the **Best IT Security-Related Training Program**. This designation further underscores INE Security’s role as a frontrunner in cybersecurity training for businesses, providing the tools and knowledge essential for tackling today’s complex cyber threats.

INE Security was also presented with 4 awards from Global InfoSec Awards at RSAC 2024, including: 

*   **Best Product – Cybersecurity Education for Enterprises**
*   **Most Innovative – Cybersecurity Education for SMBs**
*   **Publisher’s Choice – Cybersecurity Training**
*   **Cutting Edge – Cybersecurity Training Videos**

Combined, these accolades highlight INE’s leadership in delivering innovative and effective networking and cybersecurity education across various market segments, including enterprises and small to medium-sized businesses.

**About INE Security**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

G2 Names INE 2025 Cybersecurity Training Leader

Cybersecurity threats are evolving at an unprecedented pace, leaving organizations vulnerable to large-scale attacks. Security breaches and data…

Cybersecurity threats are evolving at an unprecedented pace, leaving organizations vulnerable to large-scale attacks. **Security breaches** and data leaks can have severe financial and reputational consequences. To tackle these risks, businesses must adopt a proactive approach to security that doesn’t just react to threats but actively anticipates and mitigates them. 

This is where **pentesting services** come into play. Unlike automated vulnerability scans, penetration testing involves simulating real-world attacks to uncover security gaps before malicious actors can exploit them. Organizations across industries rely on pentesting to strengthen their defenses, meet compliance requirements, and validate security controls against evolving threats.

This article explores the most relevant penetration testing services, their role in cybersecurity, and how businesses can leverage them to enhance security resilience. From network and application testing to red teaming and cloud security assessments, understanding these services is essential for organizations looking to stay ahead of cyber threats.

****The Role of Penetration Testing in Cybersecurity****

Penetration testing (**pentesting**) is a controlled security assessment that mimics real-world cyberattacks to identify and address vulnerabilities before attackers can exploit them. Unlike traditional security measures that rely on firewalls, antivirus software, and automated scanners, pentesting provides a hands-on evaluation of an organization’s security posture. It helps detect misconfigurations, weak authentication mechanisms, and exploitable flaws that may go unnoticed in routine security checks.

The primary goal of penetration testing is to reduce the attack surface by uncovering security gaps across networks, applications, APIs, and cloud environments. This proactive approach not only strengthens defenses but also ensures compliance with security standards like **PCI DSS, ISO 27001**, and **HIPAA**. Organizations that integrate regular pentesting into their security strategy are better equipped to handle emerging threats and minimize the risk of costly breaches.

However, a common misconception is that penetration testing is just an advanced form of vulnerability scanning. While automated scanners can detect known issues, they cannot analyze complex attack chains, logic flaws, and business logic vulnerabilities. Skilled penetration testers use a combination of manual techniques, custom exploits, and real-world attack scenarios to simulate how an adversary would attempt to compromise a system. This makes penetration testing an essential component of a robust security program.

****Key Types of Penetration Testing Services****

Not all security risks are the same, and different environments require specialized testing approaches. Below are the most relevant penetration testing services, each addressing specific attack surfaces and security concerns.

****Network Penetration Testing****

A core component of security assessments, network penetration testing focuses on identifying vulnerabilities in both external and internal network infrastructure. This involves testing firewalls, routers, VPNs, and other network devices for misconfigurations, outdated protocols, and weak authentication mechanisms.

Common threats mitigated by network pentesting include:

*   Open ports and exposed services provide an entry point for attackers.

*   Weak encryption can be exploited for data interception and manipulation.

*   Misconfigured access controls that allow unauthorized access to sensitive systems.

Network penetration testing is particularly relevant for enterprises, cloud service providers, and organizations handling sensitive data across distributed networks.

****Web Application Penetration Testing****

Web applications are prime targets for cyberattacks due to their accessibility and integration with critical business operations. This form of pentesting evaluates applications against vulnerabilities outlined in the OWASP Top 10, such as:

*   **SQL Injection (SQLi):** Exploiting database queries to extract sensitive data.

*   **Cross-Site Scripting (XSS):** Injecting malicious scripts to hijack user sessions.

*   **Broken Authentication:** Weak login mechanisms that allow unauthorized access.

SaaS providers, fintech companies, and e-commerce platforms rely on web application pentesting to secure customer transactions, APIs, and user authentication mechanisms.

**Mobile Application Penetration Testing**

With mobile apps handling sensitive financial, healthcare, and personal data, securing them is critical. Mobile application penetration testing assesses both iOS and Android apps for risks such as:

*   **Insecure data storage** that exposes sensitive user information.

*   **Weak API security,** leading to unauthorized access or data leaks.

*   **Reverse engineering risks** where attackers decompile apps to extract secrets.

Pentesters analyze app permissions, encryption mechanisms, and backend API security to ensure mobile applications comply with industry best practices and regulatory standards.

****Cloud Penetration Testing****

Cloud security introduces unique challenges, including misconfigured storage services, excessive permissions, and insecure **API endpoints**. Cloud penetration testing assesses environments like AWS, Azure, and Google Cloud for:

*   **Publicly exposed assets** such as S3 buckets or storage blobs.

*   **Identity and Access Management (IAM) misconfigurations** leading to privilege escalation.

*   **Insecure APIs and serverless functions** that could be exploited.

Given the widespread adoption of cloud services, cloud pentesting is critical for organizations leveraging SaaS platforms, multi-cloud environments, and **DevOps workflows**.

**API Penetration Testing**

APIs serve as the backbone of modern applications, yet they are often overlooked in security assessments. API penetration testing targets vulnerabilities like:

*   **Broken authentication and authorization** that allow unauthorized access to critical services.

*   **Rate limiting bypasses** enabling brute-force attacks or data scraping.

*   **Data exposure** due to improper input validation and misconfigured responses.

API pentesting is especially relevant for fintech, healthcare, and logistics platforms that rely on secure data exchange.

**IoT Penetration Testing**

The increasing adoption of IoT devices introduces significant security risks, from industrial control systems to smart home devices. IoT penetration testing identifies weaknesses such as:

*   **Default credentials** that attackers exploit to gain control.

*   **Lack of encryption,** exposing communication channels to interception.

*   **Unpatched firmware vulnerabilities,** leaving devices open to exploitation.

Industries like healthcare, automotive, and industrial automation require IoT pentesting to safeguard connected devices and prevent large-scale cyber incidents.

**Red Team Assessments**

Unlike traditional pentesting, **red team** assessments simulate full-scale attacks to test an organization’s detection and response capabilities. These engagements go beyond vulnerability discovery to mimic advanced persistent threats (APTs) and real-world adversary tactics.

Key attack vectors in red team assessments include:

*   **Physical security bypass,** such as tailgating into restricted areas.

*   **Social engineering** to manipulate employees into disclosing credentials.

*   **Persistence mechanisms** to maintain undetected access over extended periods.

Red teaming is essential for large enterprises, government agencies, and critical infrastructure operators looking to validate their security resilience against sophisticated attacks.

****Choosing the Right Penetration Testing Service****

Selecting the right penetration testing service depends on business impact, regulatory requirements, and infrastructure. Security assessments must be tailored to provide actionable insights rather than generic findings.

****Key Considerations****

*   **Business Impact:** Identifying critical assets that require testing, such as customer data or financial transactions.

*   **Regulatory Compliance:** Industries like finance and healthcare must meet PCI DSS, ISO 27001, HIPAA, and SOC 2 standards.

*   **Infrastructure Type:** Cloud-native environments require different security tests than on-premises systems or API-heavy platforms.

*   **Security Maturity:** Organizations with mature security defenses may benefit from red team assessments, while those with fewer controls should start with network and application pentesting.

****Compliance vs. Risk-Driven Testing****

*   **Compliance-driven:** Focuses on meeting security mandates but may have a limited scope.

*   **Risk-driven:** Simulates real-world attack scenarios beyond compliance checklists.

****The Need for Recurring Assessments****

Cyber threats evolve, making regular pentesting (quarterly or annually) essential. Organizations integrating security into **DevSecOps detect vulnerabilities** early, reducing risks proactively rather than reactively.

****Conclusion****

Penetration testing is essential for identifying vulnerabilities before attackers exploit them. Unlike automated scans, pentesting services simulate real-world threats, strengthening defenses and ensuring compliance.

Choosing the right service, whether network, application, cloud, or red teaming, depends on risk exposure and industry standards. Security isn’t a one-time effort; regular testing and DevSecOps integration help organizations stay alert against increasing cybersecurity threats.

Penetration Testing Services: Strengthening Cybersecurity Against Evolving Threats

The Trump cabinet’s shocking leak of its plans to bomb Yemen raises myriad confidentiality and legal issues. The security of the encrypted messaging app Signal is not one of them.

The eye-popping scandal surrounding the Trump cabinet’s accidental invitation to The Atlantic’s editor in chief to join a text-message group secretly planning a bombing in Yemen has rolled into its third day, and that controversy now has a name: SignalGate, a reference to the fact that the conversation took place on the end-to-end encrypted free messaging tool Signal.

As that name becomes a shorthand for the biggest public blunder of the second Trump administration to date, however, security and privacy experts who have promoted Signal as the best encrypted messaging tool available to the public want to be clear about one thing: SignalGate is not about Signal.

Since The Atlantic’s editor, Jeffrey Goldberg, revealed Monday that he was mistakenly included in a Signal group chat earlier this month created to plan US airstrikes against the Houthi rebels in Yemen, the reaction from the Trump cabinet’s critics and even the administration itself has in some cases seemed to cast blame on Signal for the security breach. Some commentators have pointed to reports last month of Signal-targeted phishing by Russian spies. National security adviser Michael Waltz, who reportedly invited Goldberg to the Signal group chat, has even suggested that Goldberg may have hacked into it.

On Wednesday afternoon, even President Donald Trump suggested Signal was somehow responsible for the group chat fiasco. “I don't know that Signal works,” Trump told reporters at the White House. “I think Signal could be defective, to be honest with you.”

The real lesson is much simpler, says Kenn White, a security and cryptography researcher who has conducted audits on widely used encryption tools in the past as the director of the Open Crypto Audit Project: Don’t invite untrusted contacts into your Signal group chat. And if you’re a government official working with highly sensitive or classified information, use the encrypted communication tools that run on restricted, often air-gapped devices intended for a top-secret setting rather than the unauthorized devices that can run publicly available apps like Signal.

“Unequivocally, no blame in this falls on Signal,” says White. “Signal is a communication tool designed for confidential conversations. If someone's brought into a conversation who’s not meant to be part of it, that's not a technology problem. That's an operator issue.”

Cryptographer Matt Green, a professor of computer science at Johns Hopkins University, puts it more simply. “Signal is a tool. If you misuse a tool, bad things are going to happen,” says Green. “If you hit yourself in the face with a hammer, it’s not the hammer’s fault. It’s really on you to make sure you know who you’re talking to.”

The only sense in which SignalGate _is_ a Signal-related scandal, White adds, is that the use of Signal suggests that the cabinet-level officials involved in the Houthi bombing plans, including secretary of defense Pete Hegseth and director of national intelligence Tulsi Gabbard, were conducting the conversation on internet-connected devices—possibly even including personal ones—since Signal wouldn’t typically be allowed on the official, highly restricted machines intended for such conversations. “In past administrations, at least, that would be absolutely forbidden, especially for classified communications,” says White.

Indeed, using Signal on internet-connected commercial devices doesn’t just leave communications open to anyone who can somehow exploit a hackable vulnerability in Signal, but anyone who can hack the iOS, Android, Windows, or Mac devices that might be running the Signal mobile or desktop apps.

This is why US agencies in general, and the Department of Defense in particular, conduct business on specially managed federal devices that are specially provisioned to control what software is installed and which features are available. Whether the cabinet members had conducted the discussion on Signal or another consumer platform, the core issue was communicating about incredibly high-stakes, secret military operations using inappropriate devices or software.

One of the most straightforward reasons that communication apps like Signal and WhatsApp are not suitable for classified government work is that they offer “disappearing message” features—mechanisms to automatically delete messages after a preset amount of time—that are incompatible with federal record retention laws. This issue was on full display in the principals’ chat about the impending strike on Yemen, which was originally set for one-week auto-delete before the Michael Waltz account changed the timer to four-week auto-delete, according to screenshots of the chat published by The Atlantic on Wednesday. Had The Atlantic’s Goldberg not been mistakenly included in the chat, its contents might not have been preserved in accordance with long-standing government requirements.

In congressional testimony on Wednesday, US director of national intelligence Tulsi Gabbard said that Signal can come preinstalled on government devices. Multiple sources tell WIRED that this is not the norm, though, and noted specifically that downloading consumer apps like Signal to Defense Department devices is highly restricted and often banned. The fact that Hegseth, the defense secretary, participated in the chat indicates that he either obtained an extremely unusual waiver to install Signal on a department device, bypassed the standard process for seeking such a waiver, or was using a non-DOD device for the chat. According to political consultant and podcaster FP Wellman, DOD “political appointees” demanded that Signal be installed on their government devices last month.

Core to the Trump administration’s defense of the behavior is the claim that no classified material was discussed in the Signal chat. In particular, Gabbard and others have noted that Hegseth himself is the classification authority for the information. Multiple sources tell WIRED, though, that this authority does not make a consumer application the right forum for such a discussion.

“The way this was being communicated, the conversation had no formal designation like 'for official use only' or something. But whether it should have been classified or not, whatever it was, it was obviously sensitive operational information that no soldier or officer would be expected to release to the public—but they had added a member of the media into the chat,” says Andy Jabbour, a US Army veteran and founder of the domestic security risk-management firm Gate 15.

Jabbour adds that military personnel undergo annual information awareness and security training to reinforce operating procedures for handling all levels of nonpublic information. Multiple sources emphasize to WIRED that while the information in the Yemen strike chat appears to meet the standard for classification, even nonclassified material can be extremely sensitive and is typically carefully protected.

“Putting aside for a moment that classified information should never be discussed over an unclassified system, it’s also just mind-boggling to me that all of these senior folks who were on this line and nobody bothered to even check, security hygiene 101, who are all the names? Who are they?” US senator Mark Warner, a Virginia Democrat, said during Tuesday’s Senate Intelligence Committee hearing.

According to The Atlantic, 12 Trump administration officials were in the Signal group chat, including vice president JD Vance, secretary of state Marco Rubio, and Trump adviser Susie Wiles. Jabbour adds that even with ​​decisionmaking authorities present and participating in a communication, establishing an information designation or declassifying information happens through an established, proactive process. As he puts it, “If you spill milk on the floor, you can’t just say, ‘That’s actually not spilled milk, because I intended to spill it.’”

All of which is to say, SignalGate raises plenty of security, privacy, and legal issues. But the security of Signal itself is not one of them. Despite that, in the wake of The Atlantic’s story on Monday, some have sought tenuous connections between the Trump cabinet’s security breach and Signal vulnerabilities. On Tuesday, for example, a Pentagon adviser echoed a report from Google’s security researchers, who alerted Signal earlier this year to a phishing technique that Russian military intelligence used to target the app’s users in Ukraine. But Signal pushed out an update to make that tactic—which tricks users into adding a hacker as a secondary device on their account—far harder to pull off, and the same tactic also targeted some accounts on the messaging services WhatsApp and Telegram.

“Phishing attacks against people using popular applications and websites are a fact of life on the internet,” Signal spokesperson Jun Harada tells WIRED. “Once we learned that Signal users were being targeted, and how they were being targeted, we introduced additional safeguards and in-app warnings to help protect people from falling victim to phishing attacks. This work was completed months ago."

In fact, says White, the cryptography researcher, if the Trump administration is going to put secret communications at risk by discussing war plans on unapproved commercial devices and freely available messaging apps, they could have done much worse than to choose Signal for those conversations, given its reputation and track record among security experts.

“Signal is the consensus recommendation for highly at-risk communities—human rights activists, attorneys, and confidential sources for journalists,” says White. Just not, as this week has made clear, executive branch officials planning airstrikes.

_Updated at 5:50 pm ET, March 25, 2025: Added remarks about Signal by President Trump._

Tag

#ios