Cisco Routers Hacked for Rootkit Deployment
Threat actors are exploiting CVE-2025-20352, a recent Cisco zero-day, to deploy a rootkit on older networking devices.
The post Cisco Routers Hacked for Rootkit Deployment appeared first on SecurityWeek.
The botnet packs over 50 exploits targeting unpatched routers, DVRs, NVRs, CCTV systems, servers, and other network devices.
The post RondoDox Botnet Takes ‘Exploit Shotgun’ Approach appeared first on SecurityWeek.
Read more of this story at Slashdot.
The Department of Homeland Security estimated over the weekend that it would send home about two-thirds of employees at the Cybersecurity and Infrastructure Security Agency in the event of a government shutdown.
It’s the first time that the second Trump administration has released its contingency plan in response to what would happen if Congress doesn’t keep the government funded after Oct. 1 — something that looks likely at the moment. The furlough of two-thirds of CISA employees is also relatively close to the last time the Biden administration produced shutdown guidance in 2023.
According to the DHS document, 889 of CISA’s 2,540 personnel would keep working through a government funding lapse. That workforce estimate is from May, and could be smaller now. In 2023, DHS anticipated that it would keep 960 of its then-3,117 employees at work.
The Biden administration said that year that it would have had the ability to recall another 790 CISA employees if needed. The latest DHS guidance doesn’t include any information on recallable employees, and CISA didn’t immediately respond to a request for that figure Monday.
Furloughs of cyber personnel could have a whole host of potentially negative consequences, government officials and outside cyber experts have warned. Those consequences could be even worse as the Trump administration slashes the federal workforce, some say.
A temporary reduction could invite more attacks on the federal government; slow down patching, cyber projects and regulations; prompt permanent departures from workers disillusioned about the stability of federal cyber work; hinder cybercrime prosecutions; and freeze cyber vulnerability scans.
The latest CISA furlough estimates are “scary,” one cyber researcher wrote on the social media platform Bluesky. The White House has also instructed agencies to plan for mass firings in the event of a shutdown.
At other agencies, some federal cybersecurity-related personnel are likely to continue working during a federal funding lapse, because the law deems some government functions as “excepted,” such as those focused on missions like national security, law enforcement or protection of property and human safety. For example, at the Health and Human Services Department, the fiscal year 2026 contingency plan states that “HHS estimates that 387 staff (excluding those otherwise authorized by law) will be excepted for the protection of computer data.”
Unlike in past years, agencies are hosting contingency plans on their websites on a case-by-case basis, rather than on the website of the Office of Management and Budget. Some plans that have been published, such as those for the Department of Defense, don’t specify figures for cyber personnel.
Hundreds of thousands of federal workers could be furloughed, in total.
Two major cybersecurity laws, one providing legal protections for cyber threat data sharing and another providing state and local grants, are also set to expire in mere days. A House-passed continuing resolution would’ve temporarily extended them, but the legislation didn’t advance in the Senate.
The post Two-thirds of CISA personnel could be sent home under shutdown appeared first on CyberScoop.
Department of Government Efficiency practices at three federal agencies “violate statutory requirements, creating unprecedented privacy and cybersecurity risks,” according to a report that Senate Homeland Security and Governmental Affairs Committee Democrats published Thursday.
The report — drawn from a mix of media reports, legal filings, whistleblower disclosures to the committee and staff visits to the agencies — concludes that the Elon Musk-created DOGE is “operating outside federal law, with unchecked access to Americans’ personal data.” It focuses on DOGE activity at the General Services Administration (GSA), Office of Personnel Management (OPM) and Social Security Administration (SSA).
One previously unreported whistleblower claim is that at the SSA, a June internal risk assessment found that the chance of a data breach with “catastrophic adverse effect” stood between 35% and 65% after DOGE uploaded a computer database file known as Numident, containing personal sensitive information without additional protections against unauthorized access. The potential implications included “widespread PII [personally identifiable information] disclosure or loss of data” and “catastrophic damage to or loss of agency facilities and infrastructure with fatalities to individuals,” according to the assessment.
“DOGE isn’t making government more efficient — it’s putting Americans’ sensitive information in the hands of completely unqualified and untrustworthy individuals,” Michigan Sen. Gary Peters, the top Democrat on the committee, said in a news release. “They are bypassing cybersecurity protections, evading oversight, and putting Americans’ personal data at risk. We cannot allow this shadow operation to continue operating unchecked while millions of people face the threat of identity theft, economic disruption, and permanent harm. The Trump Administration and agency leadership must immediately put a stop to these reckless actions that risk causing unprecedented chaos in Americans’ daily lives.”
The report recommends stripping all DOGE access to sensitive personal information until agencies certify that the initiative is in compliance with federal security and privacy laws such as the Federal Information Security Management Act, and recommends that DOGE employees complete the same kind of cybersecurity training as other federal employees.
It describes the three agencies blocking access to specific offices or otherwise obstructing access. For example, it says that DOGE installed a Starlink network at GSA, but wouldn’t let staff view it. Starlink is the Musk-owned satellite internet service, and the report concludes that Starlink might have allowed DOGE staffers to circumvent agency IT oversight. Data sent over the network “could be an easy target for foreign adversaries,” the report states.
The report also expands upon an alleged attempt at SSA to create a “master database” that would pool data from multiple federal agencies. According to whistleblower disclosures, former SSA DOGE employee John Koval inquired about uploading agency data into a cloud environment to share with the Department of Homeland Security. He was “rebuffed,” the report states, but later worked at DHS and the Justice Department, where SSA data surfaced in some projects, raising further privacy concerns.
It revisits concerns about DOGE staffer Edward “Big Balls” Coristine having access to sensitive agency data despite reports that he had been fired from an internship at a cybersecurity company for leaking company information to a competitor, and arrives at further conclusions about the risk posed by the ability of Coristine and others “to move highly sensitive SSA data into an unmonitored cloud environment.”
“It is highly likely that foreign adversaries, such as Russia, China, and Iran, who regularly attempt cyber attacks on the U.S. government and critical infrastructure, are already aware of this new DOGE cloud environment,” the report states.
Two of the agencies that were the subject of the report took issue with its conclusions.
“OPM takes its responsibility to safeguard federal personnel records seriously,” said a spokeswoman for the office, McLaurine Pinover. “This report recycles unfounded claims about so-called ‘DOGE teams’ that simply have never existed at OPM. Federal employees at OPM conduct their work in line with longstanding law, security, and compliance requirements.
“Instead of rehashing baseless allegations, Senate Democrats should focus their efforts on the real challenges facing the federal workforce,” she continued. “OPM remains committed to transparency, accountability, and delivering for the American people.”
The SSA pointed to Commissioner Frank Bisignano’s letter to Congress responding to questions about Numident security concerns.
“Based on the agency’s thorough review, the Numident data and database — stored in a longstanding secure environment used by SSA — have not been accessed, leaked, hacked, or shared in any unauthorized fashion,” an SSA spokesperson wrote, adding, “The location referred to in the whistleblower allegation is actually a secured server in the agency’s cloud infrastructure which historically has housed this data and is continuously monitored and overseen — SSA’s standard practice.”
The SSA spokesperson emphasized there are no DOGE employees at SSA, only agency employees.
The GSA did not immediately respond to Scoop News Group requests for comment on the Democratic report.
Miranda Nazzaro contributed reporting to this story.
The post Dem report concludes Department of Government Efficiency violates cybersecurity, privacy rules appeared first on CyberScoop.
Cybersecurity researchers believe the attack on Collins Aerospace involved a piece of ransomware known as HardBit.
The post European Airport Cyberattack Linked to Obscure Ransomware, Suspect Arrested appeared first on SecurityWeek.
The software update includes additional file checks and helps users remove the known rootkit deployed in a recent campaign.
The post SonicWall Updates SMA 100 Appliances to Remove Overstep Malware appeared first on SecurityWeek.
Federal agencies are increasingly incorporating artificial intelligence into the cyberdefenses of government networks, and there’s more still to come, acting Federal Chief Information Security Officer Michael Duffy said Thursday.
“We’re at an exciting time in the federal government to see that we’re not only putting AI in production, but we’re finding ways to accelerate emerging technology across the government, across all missions and all angles,” Duffy said at FedTalks, produced by Scoop News Group. In his “role overseeing federal cybersecurity policy,” he said, he is “able to see these at the ground level, as agencies bring excitement and enthusiasm and hope for what they can optimize through artificial intelligence.”
Cyber attackers are moving faster than ever, and on a much larger scale than before, he said. They’re also using technology in new ways. But it’s not all “doom and gloom” when it comes to the cybersecurity of federal networks, especially because of feds’ move toward AI, Duffy said.
“I’m pleased to say that the advancements that we’ve made over the past decade in the federal government have brought us to this point: Agencies are poised now, postured, positioned, to take advantage of new capabilities, bring them into federal agencies and make them work for the mission,” he said.
The next decade is important, and needs a “clear vision” of the available technologies and the threat landscape, “and how AI-interconnected digital ecosystems will both strengthen and strain that defensive posture,” Duffy said.
The focus now is on protecting sensitive information and making sure the government has efficient and secure interactions with the general public, he said. That includes “leveraging AI to identify vulnerabilities at scale,” Duffy said.
He said that will require the government to update a key document on federal information security, the Office of Management and Budget Circular A-130. A Biden administration executive order from January ordered an update within three years, and a June Trump executive order retained that requirement, albeit with fewer specifications about what the update would entail.
But Duffy noted the document had not been updated since the onset of large-scale AI adoption; its last update was in 2016.
In coordination with the federal chief information officer, Duffy said his office was undertaking a review of AI to measure its strengths and limitations. That includes several steps, among them evaluating the best methods of swiftly adopting AI but with safeguards for proper use.
“We’ll assess the existing cyber defense capabilities within agencies and explore cyber-centric AI use cases,” he also said.
“We’re working with CISOs to rationalize their cybersecurity tool stack to ensure individual agencies are well-postured for the evolving threat environment, while identifying opportunities to eliminate redundant and ineffective systems and capabilities to leverage enterprise-wide capabilities and programs — shared services to gain efficiencies and scale, successful AI pilots occurring within agencies,” he said.
And “we’re working with agencies to increase operational resilience as well, and our collective capacity to respond to AI incidents,” Duffy said.
The post Agencies increasingly dive into AI for cyber defense, acting federal CISO says appeared first on CyberScoop.
The startup provides an authentication stack that secures both incoming authentication and outgoing agent actions.
The post Scalekit Raises $5.5 Million to Secure AI Agent Authentication appeared first on SecurityWeek.
Microsoft’s Digital Crimes Unit coordinated the seizure of 338 domains used by RaccoonO365, a financially motivated threat group that developed and sold phishing kits that have been used to steal more than 5,000 Microsoft credentials since July 2024, the company said Tuesday.
The threat group, which Microsoft tracks as Storm-2246, enabled cybercriminals to steal credentials from organizations spanning 94 countries, making it the “fastest-growing tool used by cybercriminals to steal Microsoft 365 usernames and passwords,” Steven Masada, assistant general counsel at Microsoft’s DCU, said in a blog post.
RaccoonO365 services were used indiscriminately to target more than 2,300 U.S. organizations in a tax-themed phishing campaign earlier this year. Its kits, which use Microsoft branding for fraudulent emails, attachments and websites, have also been used against at least 20 U.S. health care organizations, according to Microsoft.
“The rapid development, marketing, and accessibility of services like RaccoonO365 indicate that we are entering a troubling new phase of cybercrime where scams and threats are likely to multiply exponentially,” Masada said.
Microsoft, acting on a court order granted by the U.S. District Court for the Southern District of New York, worked with Cloudflare to seize and take down RaccoonO365’s infrastructure. The company also worked with Chainalysis to trace the threat group’s cryptocurrency transactions, allowing it to attribute malicious online activity to real identities.
Microsoft accuses Joshua Ogundipe of Nigeria of running the criminal enterprise, which sold phishing kits to a community base of more than 850 members on Telegram. Ogundipe and his associates have received at least $100,000 in cryptocurrency payments, reflecting an estimate of up to 200 subscriptions.
“During the investigation, the DCU engaged directly with the threat actor without disclosing our identity to acquire the phishing kits,” Maurice Mason, principal cybercrime investigator at Microsoft’s DCU, said in a Q&A with Chainalysis.
In a separate purchase, the alleged cybercriminal inadvertently shared a cryptocurrency wallet address for payment that allowed investigators to trace the funds to a wallet hosted on a Nigeria-based cryptocurrency exchange previously linked to Ogundipe, Mason added.
Microsoft said Ogundipe has a background in computer programming and accused him of writing the majority of the code for the subscription-based phishing service, which allows cybercriminals to send up to 9,000 phishing emails per day. Investigators said RaccoonO365 may have facilitated the transmission of hundreds of millions of malicious emails.
Microsoft, which sent a criminal referral for Ogundipe to international law enforcement, also addressed continued discontent with persisting legal challenges.
“Today’s patchwork of international laws remains a major obstacle and cybercriminals exploit these gaps,” Masada said. “Governments must work together to align their cybercrime laws, speed up cross-border prosecutions and close the loopholes that let criminals operate with impunity.”
RaccoonO365’s kits sent emails to victims with malicious attachments, links or QR codes that redirected users to a fake Microsoft O365 login page to harvest credentials, Cloudflare researchers said in a blog post. When victims entered credentials, the kit allowed attackers to capture the password and resulting session cookie, bypassing multifactor authentication.
The codebase included functions for anti-analysis and evasion, user-agent filtering, security vendor evasion, network-level blocking and dynamic traffic routing, according to Cloudflare.
The phishing emails were often a precursor to malware and ransomware, yet not every stolen credential led to compromised networks or fraud, according to Microsoft. The company said it always expects cybercriminals to try to rebuild operations after a takedown and pledged to take additional steps to dismantle any new or reemerging infrastructure.
The post Microsoft seizes hundreds of phishing sites tied to massive credential theft operation appeared first on CyberScoop.
A top official at the Cybersecurity and Infrastructure Security Agency on Thursday rejected concerns that personnel and program cuts at CISA have hindered its work.
Nick Andersen, who just began serving as executive assistant director of cybersecurity at CISA this month, said he’s seen the agency function at a high level from both the outside and inside.
“There’s been an awful lot of reporting recently about CISA and the potential for degraded operational capabilities, and I’m telling you, nothing can be further from the truth,” he said at the Billington Cybersecurity Summit. “It is just a fantastic opportunity to see the high-level output and throughput that this team has.
“There is not a single instance where I can think of that somebody reaches out — whether it’s in our remit or not, we are connecting them with the right level of resources, and we are helping them to make themselves right, whether it’s incidents that we see affecting a state/local partner, small- or medium-sized businesses or the largest critical infrastructure owner/operators,” he continued.
The Trump administration has cut or plans to cut more than 1,000 personnel at the agency, a third of its total full-time employees, and has sought nearly half a billion dollars in funding reductions.
CISA’s shuttering of an array of programs has drawn widespread criticism from many in industry as well as from state and local governments who have partnered with the agency, not to mention concerns from Capitol Hill.
But Andersen said CISA has full support from President Donald Trump, who clashed with agency leadership in his first term, and Department of Homeland Security Secretary Kristi Noem.
“We have exceedingly strong relationships with” other government agencies and the private sector, Andersen touted. “The level of commitment within this team is second to none, and we’re just going to continue to hone and focus [on] that operational mission of what CISA should be delivering on. We’re going to continue to sort of separate out the fluff, but we are going to take every single dollar, every single resource, every single manpower hour to deliver an even sharper focus on those core capabilities in keeping with what President Trump identified as our administration priorities.”
Those priorities, Andersen said, include fortifying federal networks. “Raising the collective bar across the dot gov is a big one,” he said.
It also includes strengthening relationships with critical infrastructure owners and operators. “We want to be able to work very closely with our critical infrastructure partners on focused resilience efforts, be able to raise the bar in a sprint between now and 2027 as we prepare for the potential of China making good on its promise … to take Taiwan,” he said, so that “our critical infrastructure is not going to be held hostage.”
And it includes strengthening partnerships with other federal agencies as well as state and local governments, Andersen said.
The post CISA work not ‘degraded’ by Trump administration cuts, top agency official says appeared first on CyberScoop.
Meta is being sued by a former security manager, who claims the company ignored repeated warnings that its messaging platform WhatsApp was riddled with security vulnerabilities and privacy violations, and retaliated against him for raising these concerns, ultimately firing him.
Attaullah Baig worked at Meta and WhatsApp from 2021 until this past April. Baig, who has held cybersecurity positions at PayPal, Capital One and Whole Foods Market, claims that he was issued a verbal warning Nov. 22, 2024, and was fired by Meta on April 11, 2025, with the company citing poor performance as the reason.
But in the lawsuit, he alleges the real reason he was fired was that soon after joining Meta in September 2021, he “discovered systemic cybersecurity failures that posed serious risks to user data and violated Meta’s legal obligations” to the federal government under a 2020 Federal Trade Commission privacy order and federal securities laws.
“Through a ‘Red Team Exercise’ conducted with Meta’s Central Security team, Mr. Baig discovered that approximately 1,500 WhatsApp engineers had unrestricted access to user data, including sensitive personal information covered by the FTC Privacy Order, and could move or steal such data without detection or audit trail,” the complaint stated.
The lawsuit was filed Monday in the U.S. District Court for the Northern District of California and names Meta, CEO Mark Zuckerberg and four other company executives as defendants.
According to Baig, he attempted to notify Meta executives on five separate occasions over the next year, raising concerns with his supervisors and highlighting information gaps — like what user data the company was collecting, where and how it was stored, and who had access — that made it impossible to comply with the consent order and federal privacy regulations.
He also created a “comprehensive product requirements document” for Meta’s privacy team that would have included a data classification and handling system to better comply with the 2020 order.
Instead, he claimed his supervisor “consistently ignored these concerns and directed Mr. Baig to focus on less critical application security tasks.”
“Mr. Baig understood that Meta’s culture is like that of a cult where one cannot question any of the past work especially when it was approved by someone at a higher level than the individual who is raising the concern,” the complaint alleged.
In August and September 2022, Baig again convened a group of Meta and WhatsApp executives to lay out his concerns, including the lack of security resources and the potential for Meta and WhatsApp to face legal consequences. He noted that WhatsApp had just 10 engineers focused on security, while comparably sized companies usually had teams approaching or exceeding 200 people.
He also outlined — at his supervisor’s request — a number of core digital vulnerabilities the company was facing.
Among the allegations: WhatsApp did not have an inventory of what user data it collected, potentially violating California state law, the European Union’s General Data Protection Regulation (GDPR) and the 2020 privacy order with the federal government. The company could not conclusively determine where it was storing user data and gave thousands of Meta engineers “unfettered access” without any business justifications.
The company also had no security operations center and apparently didn’t have any method of logging or tracking when those engineers sought to access user data, the lawsuit alleged.
Baig also claimed that approximately 100,000 WhatsApp users were suffering account takeovers daily, and the company had no process to prevent or deter such compromises.
During this period, Baig claims he was subject to “ongoing retaliation” from his supervisors for blowing the whistle.
Three days after initially disclosing his concerns, Baig’s direct supervisor told him he was “not performing well” and his work had quality issues. It was the first time he had received negative feedback; that same supervisor had, just three months earlier, praised Baig for his “extreme focus and clarity on project scope, timeline, etc.” In September 2022, the supervisor changed Baig’s employment performance rating to “Needs Support.” Subsequent performance ratings specifically cited Baig’s cybersecurity complaints as a basis for downgrading his score.
Additionally, after reviewing the security report that was explicitly requested of him by executives, his supervisor Suren Verma allegedly told him on a video call that the report was “the worst doc I have seen in my life” and issued a warning that Meta executives “would fire him for writing a document like this.” Verma also reportedly threatened to withhold Baig’s executive compensation package and discretionary equity.
Meta and WhatsApp have denied Baig’s allegations that he was fired for bringing up security and privacy deficiencies.
“Sadly this is a familiar playbook in which a former employee is dismissed for poor performance and then goes public with distorted claims that misrepresent the ongoing hard work of our team,” said Carl Woog, vice president of policy at WhatsApp. “Security is an adversarial space and we pride ourselves in building on our strong record of protecting people’s privacy.”
Zade Alsawah, a policy communications manager at WhatsApp, told CyberScoop that Baig was never “head of security” at WhatsApp, and that his formal title was software engineering manager.
“I know he’s been calling himself and framing himself as head of security, but there were seasoned security professionals layered ahead of him,” Alsawah said. “I think he’s been creating himself as this central figure when there are multiple engineers structured ahead of him.”
Further, he said that a Department of Labor and OSHA investigation ultimately cleared WhatsApp of any wrongdoing in Baig’s firing. The company shared copies of two letters from the agencies. One dated April 14, 2025, had the subject line “RE: Meta et al/Baig – notification of dismissal with appeal rights” and stated that Baig’s complaint had been dismissed.
A second letter from OSHA, dated Feb. 13, 2025, provides further reasoning for the dismissal.
“As a result of the investigation, the burden of establishing that Complainant was retaliated against in violation of [federal law] cannot be sustained,” the letter states. “Complainant’s allegations did not make a prima facie showing. Complainant’s asserted protected activity likely does not qualify as objectively reasonable under” federal law.
Even if the activity was reasonable, the agency said, “there is no reasonable expectation of a nexus between the asserted protected activity and the adverse actions. This is largely due to intervening events related to Respondent raising repeated concerns about Complainant’s performance and/or behavior, according to documents provided by Complainant.”
Baig’s allegations closely mirror those of another security whistleblower at a major social media company. Around the same time that Baig was at Meta, the top security executive at Twitter — now X — was documenting similar problems.
Peiter Zatko, a legendary hacker turned cybersecurity specialist brought in to improve Twitter’s security, quickly determined that the company’s data infrastructure was so decentralized that executives could not reliably answer questions about the data they collected or where it was stored.
“First, they don’t know what data they have, where it lives, or where it came from and so unsurprisingly, they can’t protect it,” Zatko told the Senate Judiciary Committee in 2022. “That leads to the second problem: employees need to have too much access to too much data on too many systems.”
Echoing the allegations against WhatsApp, Zatko told Congress that when he first arrived at Twitter in 2020 he quickly realized the company was “more than a decade behind industry security standard.”
According to Baig’s lawsuit, in one meeting WhatsApp’s global head of public policy, Jonathan Lee, remarked that the vulnerabilities highlighted by Baig were serious enough that it might lead to WhatsApp facing similar consequences as “Mudge to Twitter” — referring to Zatko.
Baig continued his warnings through March 2023, telling executive leadership that he believed the company’s lackluster efforts around cybersecurity directly violated the 2020 FTC consent order.
After dealing with what he called “escalating retaliation” from his supervisors, Baig wrote to Zuckerberg and Meta general counsel Jennifer Newstead on Jan. 2, 2024, warning that the company’s central security team had falsified security reports to “cover up” their lack of security. Later that month, Baig told his supervisor he was documenting Meta’s “false commitment” to complying with Ireland’s data protection laws, citing specific examples where user data was readily accessible to tens of thousands of employees.
Such warnings continued throughout 2024, with Baig reiterating past concerns and bringing up new ones about the company’s compliance with privacy laws.
In November 2024, Baig filed a TCR (Tip, Complaint or Referral) form with the Securities and Exchange Commission outlining his concerns and lack of remediation by Meta, and filed a complaint with the Occupational Safety and Health Administration for “systematic retaliation” by the company.
Baig was told by Meta in February 2025 that he would be included in upcoming performance-based layoffs, with the company citing “poor performance” and inability to collaborate as the primary reasons.
Update, Sept. 9, 2025: This story was updated with Meta/WhatsApp’s response.
The post Former WhatsApp security manager sues company for privacy violations, professional retaliation appeared first on CyberScoop.