Samsung has released software updates to address a critical security flaw in MagicINFO 9 Server that has been actively exploited in the wild.
The vulnerability, tracked as CVE-2025-4632 (CVSS score: 9.8), has been described as a path traversal flaw.
"Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to

Samsung Patches CVE-2025-4632 Used to Deploy Mirai Botnet via MagicINFO 9 Exploit

Threat actors have been observed actively exploiting security flaws in GeoVision end-of-life (EoL) Internet of Things (IoT) devices to corral them into a Mirai botnet for conducting distributed denial-of-service (DDoS) attacks.
The activity, first observed by the Akamai Security Intelligence and Response Team (SIRT) in early April 2025, involves the exploitation of two operating system command

Hackers Exploit Samsung MagicINFO, GeoVision IoT Flaws to Deploy Mirai Botnet

A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data.

Got an Android phone? Got a tap-to-pay card? Then you’re like millions of other users now at risk from a new form of cybercrime – malware that can read your credit or debit card and hand its data over to an attacker. A newly discovered malicious program effectively turns Android phones into malicious tap machines that vacuum up payment card data and send it to cybercriminals half a world away. All you have to do is install the software and tap your card to your phone – and criminals excel at persuading you to do just that.

The malware, which cybersecurity company Cleafy calls SuperCard X, uses a feature now found in most Android phones: near-field communication (NFC). This enables your phone to read the data on a supporting payment card when it comes close enough. It’s how tap-to-pay machines found in retailers and ATMs work their magic.

Attackers get the malicious software via a malware-as-a-service model. This enables them to become affiliates for the developers of the software, who typically offer it for a percentage of the attackers’ takings. They can then focus on finding and targeting victims with social engineering attacks, which Cleafy says they’ve been doing in Italy.

**How the attack works**

First the attackers have to get the malware onto someone’s Android phone. That starts with a fraudulent ‘smishing’ message sent via SMS or WhatsApp, often impersonating a bank and asking the user to call.

The telephone number connects the victim to the attacker, who then persuades them to give up their PIN and log into their bank account. From there, they persuade the victim to remove the spending limits on their card, and then to install what they claim is a security application, sent to their phone as a link. This contains the SuperCard X malware.

Finally comes the payoff. The attacker, who by now will likely have built up a rapport with the victim, will ask them to tap their card to their phone. The malware then captures the card details, which it then sends to the attacker’s own Android phone. They can then use the phone as a cloned card for contactless payments. If you’ve ever tapped your phone instead of your card to pay for something, you’ll know how easy that is to do.

**Where did SuperCard X come from?**

Like much malware, SuperCard X didn’t come out of nowhere. Cleafy says that it shares code with another piece of malware called NGate, discovered last year. Both of these are likely built on concepts first outlined in NFCGate, a freely available open-source NFC software tool developed by German’s Technical University of Darmstadt.

SuperCard X’s developers have focused on making this software as stealthy as possible. Most antivirus programs for Android fail to spot it, says Cleafy. That’s because it asks for as few privileges as possible on the phone, and it doesn’t include many of the features that other malware has. In short, the less that a malicious program does on a phone, the smaller its footprint is and the more silent it can be.

This malware is a cybercriminal’s favorite for several reasons. Rather than attacking people with accounts at a particular bank, it works against anyone with a payment card, increasing the attacker’s scope. It’s also instant, compared to thefts by wire transfer, which can take days to complete.

It is important to note that payment framework**s** like Google Pay, Apple Pay, Samsung Pay, and som b**a**nk-specific wallet apps  use dynamic cryptographic tokens — which are similar in concept to the “rolling codes” often used in car keyless entry systems — to prevent signal replay attacks.

**How to protect yourself**

But, as with many things, the best defense is you. In this case, protection is simple. The cybercriminals behind this attack can’t do anything unless you install the software on your phone, and so they go through several steps to convince you to do so.

Be skeptical of text messages from people you don’t know, especially those claiming to be urgent. Scammers typically try and panic you into a fast response. When they get you on the phone, they can befriend you, further impeding your ability to think critically and say “no”.

If you can’t help yourself and feel compelled to take action, check in with a trusted family member if available to get their perspective. If you’re still convinced, then at least verify the message first. Call your financial institution through an official number – not through the one in the text message. We’ll bet a steak dinner that they won’t know what you’re talking about.

Never give personal details to anyone you don’t know who contacts you via text message, and never change your banking details at their request. And if anyone asks you to install software sent via text message, refuse and end the communication.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android malware turns phones into malicious tap-to-pay machines 

Hacker leaks 144GB of sensitive Royal Mail Group data, including customer info and internal files, claiming access came via supplier Spectos. Investigation underway!

Royal Mail Group, the UK’s centuries-old postal institution, has allegedly suffered a massive data breach resulting in the leak of 144GB of internal files, customer information, and marketing data. The breach was first made public on the cybercrime forum **Breach Forum** by a user known as GHNA.

**144GB of Leaked Data**

As seen by the Hackread.com research team, GHNA published a post on Monday, March 31, 2025, stating: _“Today, I have uploaded 144GB of data from Royal Mail Group for you to download (courtesy of Spectos, again). Thanks for reading, and enjoy!”_

The post included a screenshot of what appears to be a Zoom meeting recording between Royal Mail Group and Spectos, a German-based data analytics and performance management firm.

Spectos has previously been mentioned in association with other leaks, raising questions about whether the vector for this attack was a direct compromise of **Royal Mail’s infrastructure** or a third-party breach involving vendors with deep system access.

The alleged breach gave the hacker access to a wide range of sensitive data. The leaked archive contains 293 folders and 16,549 files, totaling 144GB. The exposed records include:

*   **Customer Personally Identifiable Information (PII):** Names, full addresses, postal codes, and shipping details, including sender data like business names and services used.

*   **Internal Communications:** Video recordings of meetings, most notably Zoom calls between Spectos and Royal Mail staff.

*   **Operational Data:** Delivery route datasets, post office location information, and backend SQL databases.

*   **Marketing Infrastructure Data:** Mailchimp mailing list exports showing subscriber metadata, campaign tags, and detailed consent information.

Screenshot: Hackread.com

**The Hacker: Who Is GHNA?**

A closer look at the hacker’s activity reveals that they have been active on Breach Forums since late 2024. GHNA has built a growing reputation by leaking or selling access to several high-profile organizations across multiple industries. Their posts include:

*   **Multi-billion dollar software firms and solar industry players**

*   **Samsung Electronics (Germany) – Leaked customer satisfaction ticket data**

*   **Touchworld Technology LLC and Liberty Latin America – Source code repositories**

*   **Access to American and European software companies, including CRM and staking platforms**

*   **Crypto-focused targets, such as a staking company and a casino (both verified, with one marked as sold).**

Several of these listings have been tagged as “VERIFIED” by the forum’s moderation team, and some have already been sold, indicating that GHNA is not only gaining access to sensitive environments but actively monetizing them.

The Royal Mail Group breach appears to be one of the largest GHNA has published in terms of raw data volume. However, the variety of their previous listings suggests this is part of a broader campaign or ongoing **access-as-a-service operation**.

Screenshot: Hackread.com

****Third-Party Connection: Spectos In the Spotlight****

Spectos’ name appears multiple times in the breach materials, including in internal documents and recorded video calls. It is unclear whether Spectos was the breach vector or simply involved in the data Royal Mail was managing at the time.

The hacker’s comment, “Courtesy of Spectos, again”, suggests that Spectos may have played a role in how the data was accessed. Given the amount and type of leaked content, it’s possible the compromise happened through a shared system, an integration point, or within Spectos’ own infrastructure.

Royal Mail has acknowledged the situation. In an email to Hackread.com, the company stated, _“We are aware of an incident which is alleged to have affected Spectos, a supplier of Royal Mail. We are working with the company to investigate the issue and establish what impact, if any, there may be regarding their data.”_

So far, Spectos has not released any public statement about the incident.

****Past Breach: Royal Mail’s Security Challenges Continue****

This incident is the latest in a series of cybersecurity challenges faced by the Royal Mail Group. In early 2023, the company was **targeted by the LockBit ransomware gang**, causing major operational disruptions. That attack shut down Royal Mail’s international parcel delivery systems for weeks and forced the organization to issue emergency contingency plans.

That earlier attack was tied to financially motivated ransomware operators. This time, there’s no ransom demand, but the breach might point to a rising interest in Royal Mail’s data, either from opportunistic hackers or those taking advantage of weak links in the company’s vendor network.

****Impact and Ongoing Analysis****

While the breach hasn’t been confirmed by Royal Mail directly, the company has acknowledged the issue through their vendor, Spectos. If the data is genuine, it could have a wide impact. For customers, it means their details are now out there, which could lead to **scams, spam, or even identity theft**.

For Royal Mail Group, it puts more pressure on how they handle private data and who they trust to help manage it. And for regulators, it might lead to more questions about whether the company is doing enough to protect people’s information.

At the time of writing, the investigation is ongoing, and no further comment has been made by either Royal Mail or Spectos.

Hacker Leaks 144GB of Royal Mail Group Data, Blames Supplier Spectos

A lawyer for Xiaofeng Wang and his wife says they are “safe” after FBI searches of their homes and Wang’s sudden dismissal from Indiana University, where he taught for over 20 years.

Before the official faculty profiles of renowned Indiana University, Bloomington (IU) data privacy professor Xiaofeng Wang and his wife disappeared and the FBI raided two of the couple’s homes last week, the school is said to have been reviewing for months whether the professor received unreported research funding from China, WIRED has learned.

Indiana University contacted Wang in December to ask about a 2017-2018 grant in China that listed Wang as a researcher, according to an unsigned statement that appears to be written by a Purdue University professor and long-time collaborator of Wang seen by WIRED. The statement says that the author believed IU was concerned that Wang allegedly failed to properly disclose the funding to the university and in applications for US federal research grants.

The statement has been circulating among cybersecurity and privacy scholars at universities around the world in recent days and was sent to WIRED by three separate sources. It claims that Wang had explained the funding situation to IU, then was told in February that the school would continue looking into the matter.

Alex Tanford, a professor emeritus at Indiana University and the IU Bloomington Chapter president of the American Association of University Professors, says Wang reached out to him and said that he had been accused of alleged research misconduct. Tanford says he provided Wang guidance as a member of the faculty board of review. IU did not answer WIRED’s questions regarding any probes into Wang.

“The charge seemed trivial—that he had failed to properly disclose who was principal investigator on a grant application and had not fully listed all his coauthors on an article,” Tanford tells WIRED of the allegations. He says Wang wanted to know if the university had the right to lock him out of his office and computer, as he was in the middle of ongoing research.

Research papers Wang published between 2017 and 2018 list funding from places like the National Science Foundation, National Institutes of Health, the US Defense Advanced Research Projects Agency, the US Army Research Office, Google, and Samsung, according to a WIRED review of his publications from the time period.

Wang regularly collaborated with researchers at the Institute of Information Engineering (IIE) at the Chinese Academy of Sciences, a government-funded cybersecurity research lab. In papers, Wang and his coauthors disclosed that the IIE scholars received funding from sources such as the National Natural Science Foundation of China, but that Wang was being supported by US grants. It’s not uncommon for professors at US institutions to collaborate with researchers in China, and there's no public evidence to suggest that the arrangements were improper.

According to the unsigned statement’s title and metadata, it appears to have been authored by Ninghui Li, a computer science professor at Purdue who has collaborated on research with Wang since at least 2006. The pair also serve together on the board of the ACM Special Interest Group on Security, Audit, and Control (SIGSAC), which aims “to develop the information security profession by sponsoring high quality research conferences and workshops,” according to the Association for Computer Machinery’s website. Li did not respond to emailed requests for comment nor a voicemail left on his office phone.

Jason Covert, one of attorneys representing Xiaofeng Wang and his wife, Nianli Ma, a library systems analyst whose employee profile was also removed by Indiana University, tells WIRED that Wang and Ma are both “safe” and that neither of them have been arrested. Their legal team is not currently aware of any pending criminal charges against them, and while the couple’s attorneys have viewed a search warrant from the Department of Justice, Covert says they have not received a copy of the affidavit establishing probable cause.

Wang is considered among the top researchers in the field of privacy, data security, and biometric privacy, and his sudden disappearance came as a shock to many of his academic peers. Wang joined IU in 2004 and is the lead principal investigator of the multidisciplinary Center for Distributed Confidential Computing, which he established in 2022 with an almost $3 million grant from the National Science Foundation (NSF), according to a since-deleted bio on IU’s website. As part of his application for the NSF funding and other US federal research grants, Wang would have been required to disclose other grants he already received or were currently pending review.

On March 28, the FBI searched two home addresses associated with Wang. The same day, IU also reportedly terminated Wang’s job via an email sent by provost Rahul Shrivastav, which WIRED obtained and was first reported by The Indiana Daily Student. The email also said it was understood that Wang had recently accepted a position with a university in Singapore, a detail also repeated in the statement attributed to Li.

The statement says Wang planned to start at the unnamed Singaporean university on June 1, 2025, and requested a leave of absence from Indiana University in early March. But IU responded by “putting him on administrative leave, removing his IU homepage, and disabling his IU email address,” it claims.

Wang’s new job offer “would be irrelevant in any event because it is for \[the\] next academic year and would not justify firing him,” Tanford says. Terminating his employment via an email was a violation of university policy, Tanford claims, which prohibits firing a tenured professor without cause, and requires a 10-day notice and a hearing before a faculty board of review, if requested by the staff member. “The faculty is deeply concerned. If the administration can fire a tenured professor without due process and in violation of a policy approved by our trustees, none of us is safe,” he says.

Reached for comment, an IU spokesperson declined to answer detailed questions from WIRED about prior communications between the university and Wang and the school’s decision to fire him.

“Indiana University was recently made aware of a federal investigation of an Indiana University faculty member,” university spokesperson Mark Bode tells WIRED in an emailed statement. “At the direction of the FBI, Indiana University will not make any public comments regarding this investigation. In accordance with Indiana University practices, Indiana University will also not make any public comments regarding the status of this individual.”

The FBI has so far not commented on the reason for its activities surrounding Wang’s properties. In a statement sent to WIRED, Indianapolis-based spokesperson Chris Bavender says, “The FBI conducted court authorized law enforcement activity at homes in Carmel and Bloomington, Indiana last Friday. We have no further comment at this time.”

WIRED could not immediately reach Wang or Ma for comment directly, but Covert, their attorney, provided a statement on their behalf.

“Prof. Wang and Ms. Ma are thankful for the outpouring of support they have received from colleagues at Indiana University and their peers across the academic community,” the statement reads. “They look forward to clearing their names and resuming their successful careers at the conclusion of this investigation.”

To many in the academic research community, the events surrounding Wang and another Chinese-born scholar in Florida who was fired recently are reminiscent of the China Initiative, a US Department of Justice campaign launched under the first Trump administration to combat cybercrime and economic espionage. Critics accused the program of unfairly targeting Chinese-born researchers and broader Asian-immigrant and Asian-American academic communities.

The DOJ abandoned the program under the Biden administration in 2022 after it lost or withdrew charges in a number of associated cases. At the time, a top DOJ official said it had “helped give rise to a harmful perception” that there are lower standards for prosecuting conduct related to China, and people with ties to the country are treated differently. But several congressional efforts have since sought to resurrect the program or start similar law enforcement campaigns, including a 2023 bill that passed the House but not the Senate last year.

“We, like many other organizations and individuals, have broad concerns that the end of the \[China Initiative\] is just in name but does not reflect a change in fact and substance,” Jeremy Wu, the coorganizer of APA Justice, a nonprofit organization that advocates against racial profiling, said in a March webinar at the Michigan State University. Wu declined WIRED’s request to comment on the events surrounding Wang.

Matthew Green, a professor at Johns Hopkins University who specializes in cryptography and cryptographic engineering says that, while he doesn’t know Wang personally, he is troubled by how secretive Indiana University has been about the circumstances that led to his alleged firing. “This is not normal behavior by a university,” Green tells WIRED.

Green says he worries that cases like Wang’s could make young engineers from China think twice about studying at American universities, and even motivate talented researchers who have lived in the US for decades to instead consider working abroad. “We may lose a huge amount of expertise,” Green says.

Cybersecurity Professor Faced China-Funding Inquiry Before Disappearing, Sources Say

The Android app SafetyCore was silently installed and looks at incoming and outgoing pictures to check their decency.

Sometimes the updates we install to keep our devices safe do a little bit more than we might suspect at first glance. Take the October 2024 Android Security Bulletin.

It included a new service called Android System SafetyCore. If you can find a mention of that in the security bulletin, you’re a better reader then I am. It wasn’t until a few weeks later, when a Google security blog titled 5 new protections on Google Messages to help keep you safe revealed that one of the new protections was designed to introduce Sensitive Content Warnings for Google Messages.

Sensitive Content Warnings is an optional feature that blurs images that may contain nudity before viewing, and when an image that may contain nudity is about to be sent or forwarded, it will remind users of the risks of sending nude imagery and preventing accidental shares.

**Wait! What?**

Yes, there is now a service on my phone that checks whether your pictures are “decent enough” to send or share? I’m not oblivious to the many users that would be better off with such a service, but I’m not so sure they’d appreciate it.

However, what really concerned me is the fact that Google is looking at my incoming and outgoing pictures. I use end-to-end-encrypted (E2EE) messaging for a reason. The content is for me and the receiver, and no-one else, and that definitely includes Google.

But, again, no mention of SafetyCore in that blog or what will provide the Sensitive Content Warnings feature with the necessary data.

So, you can imagine the surprise and outrage when users found this service which doesn’t show up on the regular list of running applications that has permissions to do almost anything on the device.

And by looking up what this app called SafetyCore was all about, all of the above starts to make sense.

Google PlayStore says:

> “SafetyCore is a Google system service for Android 9+ devices. It provides the underlying technology for features like the upcoming Sensitive Content Warnings feature in Google Messages that helps users protect themselves when receiving potentially unwanted content. While SafetyCore started rolling out last year, the Sensitive Content Warnings feature in Google Messages is a separate, optional feature and will begin its gradual rollout in 2025. The processing for the Sensitive Content Warnings feature is done on-device and all of the images or specific results and warnings are private to the user.”

Google goes on to reassure:

*   The developer says that this app doesn’t collect or share any user data. 
*   The developer says that this app doesn’t share user data with other companies or organizations. 
*   The developer says that this app doesn’t collect user data.
*   The developer has committed to follow the Play Families policy for this app. 

Google promises that it only rates our pictures and does not collect or share them, but this feature has almost Artificial Intelligence (AI) written all over it. As we all know, an AI needs to be trained, and training an AI locally on your phone is hardly an option. I wish it had the necessary power, but it doesn’t.

I for one don’t see how the secretly installed service measures up to what the feature has to offer. But obviously everyone is entitled to their own opinion and the device is yours to do with as you please.

**How to uninstall or disable SafetyCore**

The good people at ZDNet provided instructions on how to get rid of SafetyCore or disable it if you would like to do so.

So, if you wish to uninstall or disable SafetyCore, take these steps:

1.  **Open Settings**: Go to your device’s Settings app
2.  **Access Apps**: Tap on ‘Apps’ or ‘Apps & Notifications’
3.  **Show System Apps**: Select ‘See all apps’ and then tap on the three-dot menu in the top-right corner to choose ‘Show system apps’
4.  **Locate SafetyCore**: Scroll through the list or search for ‘SafetyCore’ to find the app
5.  **Uninstall or Disable**: Tap on Android System SafetyCore, then select ‘Uninstall’ if available. If the uninstall option is grayed out, you may only be able to disable it
6.  **Manage Permissions**: If you choose not to uninstall the service, you can also check and try to revoke any SafetyCore permissions, especially internet access

Note: depending on the software version and manufacturer of your device, these instructions may be slightly off. I personally couldn’t test them because my Samsung has not received the October patch yet due to the patch gaps.

If you’d like to learn more about AI and encrypted messaging, we recommend listening to our podcast The new rules for AI and encrypted messaging, with Mallory Knodel (Lock and Code S06E01)

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Android happy to check your nudes before you forward them 

While AI-generation services and major camera makers are adopting the specification for digitally signed metadata, creating a workflow around the nascent ecosystem is still a challenge.

Source: Thapana\_Studio via Shutterstock

The effort to establish digitally verifiable images, video, and other content using signed metadata known as Content Credentials promises an internet where users can easily determine the source of media and whether it is authentic. An easy-to-use implementation of that vision is still under construction.

The brainchild of the Coalition for Content Provenance and Authenticity (C2PA), Content Credentials allow the signing of a metadata audit trail — a manifest — that accompanies images and other media. A photo could be captured with a smartphone, cropped and lightened with photo-editing software, and then compressed by a content delivery network. Content Credentials show each of those steps as part of an audit log, which provides people with information about whether the content they are viewing is real or has been somehow modified. The companies behind the standard include internet providers, software makers, device technology makers, and media giants.

In the last year, major camera makers — Canon, FujiFilm, Leica, Nikon, and Sony — announced support for the Content Credentials standard, but only a few models with the capability have hit the market. Leica has released its second camera with the technology, the Leica SL3-S. At this year's Consumer Electronics Show in January, Samsung announced its upcoming Galaxy S25 mobile phone will support Content Credentials, but only to label images that have been edited by AI. It will not label the original photo taken with the smartphone's camera.

And other major smartphone makers, such as Apple, have not announced support for the standard yet.

Meanwhile, computer-based editing software that supports Content Credentials is mainly limited to Adobe's products. As a founder of the content-authenticity movement, Adobe has extensive support for Content Credentials in its own products — such as a beta feature in Photoshop and tagging images generated with its generative AI service, Adobe Firefly.

Still, some islands of functionality have appeared: Images from OpenAI's DALL-e and Adobe's Firefly are labeled with Content Credentials tagging them as AI-generated, while end-to-end services, such as Truepic, use the technology in its platform to digitally sign and authenticate images.

It's a good start, but an end-to-end workflow requires more: Cameras or smartphones to generate signed images, support for Content Credentials in a wide variety of image-editing software, and the ability to view authenticated metadata on social media and websites.

"It is crucial to ensure that Content Credentials are enabled on all devices throughout the entire workflow—from capture to editing to sharing," says Nico Köhler, head of product experiences for Leica Camera AG. "This requires that all tools and platforms involved in the process support Content Credentials. ... Ensuring compatibility across the entire workflow is key to preserving the authenticity of the content."

**Where Does the Content Credential Work?**

Closed end-to-end ecosystems that incorporate the Content Credentials specification show the potential of the digital authentication feature.

Truepic, for example, essentially created its own end-to-end authenticated image service based on Content Credentials, allowing companies to know the provenance of images. Credit bureaus can request authenticated images of office locations to verify legitimate businesses, dispensing with the need for expensive on-site visits. Insurance companies can request photos of damaged assets from policyholders, avoiding deepfake and edited photos from claiming fictitious damages.

Because smartphones do not yet have the Content Credential technology embedded in the device, Truepic requires its app be used to take photos and video.

"We believe that unless a digital process is backed and secured by image and data authentication, enterprises will not be able to address or even understand the amount of fraud they are missing," says Mounir Ibrahim, chief communications officer at Truepic. "With widespread adoption of credentials, businesses will have a stronger foundation for detecting tampering and ensuring content authenticity, but they will still need a trusted verification platform that can ingest, analyze, and validate digital content at scale and within their environments."

**Interoperable Workflow is Still Not Ready**

While different manufacturers are releasing specific implementations of Content Credentials, creating an end-to-end workflow for images — from creation to editing to distribution to end users — continues to be a challenge.

In early February, for example, Cloudflare tackled one small part of a typical workflow, the content delivery network, announcing that its CDN service would preserve image credentials, even through automated compression and image resizing. Most current infrastructure inadvertently strips away the Content Credential or invalidates the signature by transforming the image.

The Cloudflare changes allow its Images service to add actions to the Content Credential manifest and re-authenticate using the company's credentials, Will Allen, head of privacy and media products at Cloudflare, wrote in a blog post describing the feature.

"When you use Images to resize or change the file format to your images, these transformations will be cryptographically signed by Cloudflare," he said. "This ensures, for example, that the end-user who sees the photograph on your website can use an open-source verification service ... to verify the full provenance chain."

The Content Credential ecosystem at work. A picture taken with a Leica camera is edited with Adobe Photoshop, with each stage documented in the credential. Source: Contentcredential.org/verify using Leica image

Yet, even companies that are forging ahead with their own services look forward to when the wrinkles in the interoperability are ironed out. Truepic's Ibrahim, for example, argues that greater support is the end goal.

"Although closed ecosystems and business processes are where our clients are deriving the most benefit today, we see this as the first step to a more authentic internet," he says. "Interoperable standards will be the essential foundation to a more trusted digital ecosystem and shared global economy."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Content Credentials Show Promise, But Ecosystem Still Young

The open technology, which tackles disinformation, has gained steam in the past year, surpassing 500 corporate members and continuing to evolve.

Source: Tero Vesalainen via Shutterstock

When armed gangs raided a Haitian prison and released 4,700 prisoners last March, images and videos showing the violence and gunfire saturated social media around the world. Determining which graphic media was authentic — and marking those instances in a way that future viewers could verify for themselves what was real and what was modified — was a significant challenge.

Showcasing a solution to exactly that problem, the British Broadcasting Corporation (BBC) launched its adoption of Content Credentials, a technology for attesting to the authenticity and provenance of digital content, by using the technology to verify a TikTok video of the attack. The BBC verified the location of the video and its likely veracity, but it determined that audio of gunfire had been added after the fact. The company then digitally signed the video so that future viewers would know the BBC had verified it.

Content Credentials — an open technology that aims to solve disinformation and media integrity issues — is being developed by the Coalition for Content Provenance and Authenticity (C2PA), a group of more than 500 media, software, and hardware companies working to create an ecosystem for verified media.

The BBC's adoption of Content Credentials is just one use case but an important one, says Andy Parsons, senior director of the Content Authenticity Initiative (CAI) at Adobe and a steering committee member of the C2PA.

"The BBC \[is\] declaring that — regardless of whether this is a photo or whether AI was used to do a photo illustration — you can be guaranteed that it came from BBC, and even that simple proof-of-date or proof-of-origin is something we don't have in media right now," Parsons says.

In 2019, technology and media companies created the CAI to find solutions to disinformation and ways for news organizations to authenticate photos and video. Two years later, six companies — Adobe, Arm, BBC, Intel, Microsoft, and Truepic — founded the C2PA to pursue an open standard for establishing the provenance of various types of media files. The two efforts eventually combined forces to advance Content Credentials, a digital-signature technology and infrastructure for verifying and authenticating media.

In the past year, Content Credentials and the C2PA gained significant steam, with the addition of Amazon, Google, Meta, and OpenAI to the steering committee and the adoption of the technology by several camera makers — including Canon, Leica, and Sony — and smartphone makers, such as Samsung.

Yet the ecosystem is still in its infancy, Christian Paquin, a principal research software engineer at Microsoft, told attendees at last month's ShmooCon 2025.

"You can imagine the situation in five to 10 years when this technology is baked in a lot of the trusted news and a hardware ecosystem that can produce these signatures and can be validated by the social media themselves or the browsers, so that we can really have trust signals to differentiate what's real and what's not," he said.

**Manifest Destiny**

Content Credentials have three main components: the media data, a manifest describing the data and any actions transforming the data, and a digital signature binding the two pieces of information together in a tamper-evident way. The manifest includes typical metadata, as well as some additional C2PA-accepted fields — attestations — that can describe additional attributes of the photo, its source, and the software actions used to process the data.

Based on public-key encryption and digital signatures, Content Credentials act as an audit log of every action performed on a piece of media. A photo could be captured with a smartphone, cropped and lightened with photo-editing software, and then compressed by a content delivery network. Each of those steps would be an attestation in the manifest of the signed content credential.

A video signed with a Content Credential shows that it originated with the BBC News Lab. Source: https://contentcredentials.org/verify

The result is providing an audit trail with each piece of authenticated content, which could help citizens and users better know what is fake and what is arguably real, Adobe's Parsons says.

"All the companies involved — and I would lump in civil society and some governments as well — have a real urgency to solve this problem," he says. "And while C2PA is not a silver bullet at solving misinformation, it does put in place a fundamental foundational layer that the Internet probably should always have had around trust, and this is a really nice clean way to do it."

Already, most makers of foundational artificial intelligence (AI) models — such as Open AI, Meta, and Microsoft — digitally sign all images created by their image-generation models with a Content Credential, indicating that it was AI generated or manipulated.

**An Evolving Standard**

The technology is not done, either. The C2PA specification has quickly evolved over the past three years, reaching version 2.1 in September. Among the new features are efforts to make the credentials more "durable" — in other words, adopting techniques, such as digital fingerprinting and watermarking, to indicate the provenance of images, even if they are manipulated after publication or captured from a screenshot.

The combination of signed metadata with fingerprinting and watermarking is powerful, Adobe's Purdy wrote in a 2024 analysis of the techniques.

"\[N\]one of these techniques is durable enough in isolation to be effective on its own," he said. "But combined into a single approach, the three form a unified solution that is robust and secure enough to ensure that reliable provenance information is available no matter where a piece of content goes."

Watermarks, fingerprinting, and Content Credentials can be a powerful combination. Source: "Durable Content Credentials," CAI blog

A number of technical problems remain to be solved. Journalists reporting on an authoritarian regime, for example, may want to remain anonymous and mask their location. Zero-knowledge proofs can help, allowing a name to be redacted and only the organization — BBC News, for example — to be shown or to generalize the location. ZK proofs allow an attribute to be signed, so a photo's GPS coordinates could instead be reduced to New York City or Kiev to provide a general location that hides the photographer's identity, and verified with a digital signature.

"This is an evolving set of certifications," Microsoft's Paquin told the audience at ShmooCon. "The main challenge is establishing who can sign certificates ... establishing PKI that is worldwide is a big problem."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Content Credentials Technology Verifies Image, Video Authenticity

PRESS RELEASE

LONDON, Jan. 20, 2025 /PRNewswire/ -- A new survey from Omdia reveals that phishing scams are the leading security threat for smartphone users, with 24% of respondents reporting they have fallen victim to these attacks. Phishing, which includes fraudulent texts, emails, or calls designed to trick individuals into revealing sensitive personal information, remains a significant concern as cybercriminals continue to exploit unsuspecting consumers.

Omdia surveyed 1,572 consumers across the Americas, Asia & Oceania, and Europe in October 2024 for the fourth annual Omdia Mobile Device Security Scorecard. The survey found that the next most common security issue was malware and viruses, followed by physical theft, such as pickpocketing, mugging, or snatching.

In Omdia's recent assessment of leading premium smartphones, Google's Pixel 9 Pro and Samsung's Galaxy S24 outperformed Apple's iPhone 16 Pro and other Android-based devices, including the OnePlus 12, Xiaomi 14, and Honor Magic 6 Pro. Anti-phishing protection proved to be a weak spot across all devices, as none successfully intercepted all phishing texts, calls and emails.  

Simulated spam calls revealed that all Android devices from Google, Xiaomi, OnePlus, Honor, and Samsung successfully flagged suspected spam calls before users answered, while the iPhone 16 Pro lacked similar voice call protection. 

None of the tested devices fully No device flagged simulated phishing emails from Gmail as phishing, only identifying them as spam when sent from Google's SMTP. 

Despite gaps in detecting phishing texts and emails, devices with Google Safe Browsing protections successfully blocked the link from opening, displaying a warning screen and requiring user confirmation to proceed. Performance across browsers varied significantly: Samsung Internet effectively blocked most links, including advanced custom URLs, while Xiaomi Mii and OnePlus Internet browsers failed to warn users about known malicious links, underscoring inconsistencies in Android device's security.

"The lack of security protection, particularly against the growing threat of phishing attacks, is eroding consumer trust," said Omdia Senior Analyst, Aaron West. "When consumers were asked if their trust following a security issue increased (due to how well the issue was handled) or decreased, 73% reported they had reduced trust in the smartphone brand and operating system developer."  

"Despite the latest protections in place by some manufacturers, it is difficult to protect 100% against phishing attempts, highlighting the severity of the issue and potential impact to consumers. That said, smartphone manufacturers can (demonstrated by the more advanced phishing protection capabilities available) and should have a better baseline of phishing protection – such as voice call protection, and all Android devices making use of Google's Safe Browsing protections," said Hollie Hennessy, Principal Analyst, Omdia. "This needs to be paired with awareness activity from manufacturers and the wider industry to help consumers be vigilant and prepared".

ABOUT OMDIA

Omdia, part of Informa TechTarget, Inc. (Nasdaq: TTGT), is a technology research and advisory group. Our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.

Omdia Finds Phishing Attacks Top Smartphone Security Concern for Consumers

While employees want to take advantage of the increased efficiency of GenAI and LLMs, CISOs and IT teams must be diligent and stay on top of the most up-to-date security regulations.

Anuj Jaiswal, Chief Product Officer, Fortanix

January 23, 2025

3 Min Read

Source: LuckyStep48 via Alamy Stock Vector

COMMENTARY

The rapid rise of artificial intelligence (AI) has cast a long shadow, but its immense promise comes with a significant risk: shadow AI.

Shadow AI refers to the use of AI technologies, including AI models and generative AI (GenAI) tools outside of a company's IT-sanctioned governance. As more people use tools like ChatGPT to increase their efficiency at work, many organizations are banning publicly available GenAI for internal use. Among the organizations looking to prevent unnecessary security risks are those in the financial services and healthcare sectors, as well as technology companies like Apple, Amazon, and Samsung.

Unfortunately, enforcing such a policy is an uphill battle. According to a recent report, non-corporate accounts make up 74% of ChatGPT use and 74% of Gemini and Bard use at work. Employees can easily skirt corporate policies to continue their AI use for work, potentially opening up security risks.

The greatest among these is the lack of protection for sensitive data. As of March 2024, 27.4% of data inputted into AI tools would be considered sensitive, an increase from 10.7% at the same time last year. Protecting this information once it is put into a GenAI tool is virtually impossible.

The uncontrolled risk of shadow AI usage reveals the need for stringent privacy and security practices when employees use AI.

It all boils down to data. Data is the fuel of AI, but it is also the most valuable asset to organizations. Stolen, leaked, or corrupted data causes real, tangible harm to a business — regulatory fines from leaking personally identifiable information (PII), costs associated with leaked proprietary information like source code, and an increase in severe security breaches like hacks and malware.

To mitigate risk, organizations must secure their data while it's at rest, in transit, and in use. The counter to risky shadow AI use is having fine control over the information employees feed into large language models (LLMs).

**How Can CISOs Secure GenAI and Company Data?**

Securing sensitive company data is a challenging balancing act for chief information security officers (CISOs) as they weigh the desire for their organizations to take advantage of the perceived value of GenAI while also protecting the sole asset that makes these benefits possible — their data.

So, the question becomes: How do you do this? How do you get the balance right? How do you extract positive business outcomes while protecting the enterprise's most valuable asset?

At a high level, CISOs should look at protecting data through its entire life cycle. This includes:

*   Protecting the data before it is even ingested into the GenAI model
    

*   Ensuring that the data output is completely secured, as this new data will drive the business outcomes and create true value
    

If the data life cycle isn't secure, this becomes a business-critical exposure.

More specifically, a multifaceted approach is necessary to protect sensitive data from being leaked, and though it starts with limiting shadow AI as much as possible, it is just as important to preserve data security and privacy with some basic best practices:

*   Encryption: Data encryption across its life cycle is vital, but it's equally important to manage and store encryption keys securely and separately from the data itself.
    
*   Obfuscation: Use data tokenization to anonymize any sensitive or PII data that could be fed to an LLM. This prevents data that enters the AI pipeline from being corrupted or leaked.
    
*   Access: Apply granular, role-based access controls to data so that only authorized users can see and use the data in plain text.
    
*   Governance: Commit to ethical business practices, embed data privacy across all operations, and remain current on data privacy regulations.
    

As is often the case with most tech advancements, GenAI's ease and convenience come with some fallbacks. While employees want to take advantage of the increased efficiency of GenAI and LLMs for work, CISOs and IT teams must be diligent and stay on top of the most up-to-date security regulations to prevent sensitive data from entering the AI system. Along with making sure workers know the importance of data protection, it is key to mitigate potential risks by taking all measures to encrypt and secure data from the start.

**About the Author**

Chief Product Officer, Fortanix

Anuj Jaiswal is chief product officer at Fortanixa. He is seasoned product and engineering leader with an impressive track record spanning more than 20 years. Anuj previously served as vice president of engineering at Embrace.io and was a pivotal figure at Arkin, a company that caught the attention of VMware and was subsequently acquired in 2016. During his time at Arkin, Anuj played a critical role in the acquisition process, showcasing his strategic vision and technical insight. Before Arkin, Anuj worked as a senior leader at FrontRange Solutions (acquired by Ivanti) and DBO2 (acquired by Predictive Solutions).

Anuj's domain knowledge is extensive, covering crucial areas such as cloud security, network security, cybersecurity, data security and application performance monitoring (APM) for both cloud and mobile applications. His approach to product management — vision, strategy, customer-centric, roadmapping, partnerships, and UX — has consistently resulted in products that drive revenue and growth for organizations while meeting customer needs. Anuj holds a master's degree in computer applications and a bachelor's degree in business administration.

Tag

#samsung