  • ✇Security Boulevard
  • Unauthorized Users Reportedly Gain Access to Anthropic’s Mythos AI Model Jeffrey Burt
    A group of unauthorized users reportedly has gained access to Anthropic’s controversial Claude Mythos Preview AI frontier model despite the AI vendor’s efforts to keep it out of public hands by limiting the organizations that can use it. Bloomberg reported that the unnamed group had tried multiple ways to gain access to the AI model. The post Unauthorized Users Reportedly Gain Access to Anthropic’s Mythos AI Model appeared first on Security Boulevard.
     
  • ✇Security Boulevard
  • NIST, Overrun by Massive Numbers of Submitted CVEs, Limits Analysis Work Jeffrey Burt

NIST, Overrun by Massive Numbers of Submitted CVEs, Limits Analysis Work

April 17, 2026, 14:59

NIST said it is overwhelmed by the surge in the number of CVE submissions in recent years, so it is paring back the analysis work it does on the dangerous security flaws. Security experts say the number of new vulnerabilities detected will only grow during the AI era and that the private sector will need to pick up the slack left by NIST's decision.

The post NIST, Overrun by Massive Numbers of Submitted CVEs, Limits Analysis Work appeared first on Security Boulevard.

  • ✇Firewall Daily – The Cyber Express
  • Two U.S. Nationals Sentenced in $5M North Korea IT Worker Scheme Samiksha Jain

Two U.S. Nationals Sentenced in $5M North Korea IT Worker Scheme

A major North Korea IT worker scheme has led to the sentencing of two U.S. nationals who helped facilitate fraudulent remote employment operations that generated millions of dollars for the Democratic People’s Republic of Korea (DPRK), according to the U.S. Department of Justice. The case highlights how foreign actors exploited remote work systems, stolen identities, and U.S.-based infrastructure to infiltrate companies and access sensitive data.

Sentencing in North Korea IT Worker Scheme

Kejia Wang, 42, and Zhenxing Wang, 39, were sentenced for their roles in supporting the North Korea IT worker scheme, which placed overseas operatives into jobs at more than 100 U.S. companies. Kejia Wang received a sentence of 108 months in prison, while Zhenxing Wang was sentenced to 92 months. Both had pleaded guilty to multiple charges, including conspiracy to commit wire fraud and money laundering. The court also ordered three years of supervised release and financial penalties, including forfeiture of $600,000. Officials confirmed that the scheme generated more than $5 million in revenue for the DPRK, with at least $400,000 already recovered by authorities.

How the Laptop Farm Scheme Worked

At the center of the North Korea IT worker scheme were so-called “laptop farms” operated by the defendants in the United States. These setups were designed to make it appear that remote IT workers were physically located in the U.S. Using stolen identities of more than 80 Americans, the group secured remote IT roles across multiple organizations, including several Fortune 500 companies. The defendants and their associates hosted company-issued laptops at U.S. locations, enabling overseas workers to access them remotely. To facilitate this, they used hardware tools such as keyboard-video-mouse switches, allowing remote control of the devices from abroad. This setup helped bypass location checks and security controls commonly used by employers.

Use of Shell Companies and Financial Networks

The defendants also created shell companies, including Hopana Tech LLC and Independent Lab LLC, to support the North Korea IT worker scheme. These entities had no real operations but were used to present the overseas workers as legitimate U.S.-based employees. Payments from victim companies were routed through financial accounts linked to these shell companies. Authorities said millions of dollars were funneled through these accounts, with a significant portion transferred to overseas co-conspirators. In return, the facilitators in the U.S. received nearly $700,000 for their involvement.

Access to Sensitive Data and Security Risks

The North Korea IT worker scheme raised serious concerns about data security and national security. Investigators found that some of the fraudulently hired workers gained access to sensitive corporate information, including source code and restricted technical data. In one instance, an overseas co-conspirator accessed data controlled under International Traffic in Arms Regulations from a U.S.-based defense contractor. The data included sensitive information related to advanced technologies. Officials warned that such access could expose critical systems and intellectual property to foreign adversaries.

Ongoing Investigation and Wanted Suspects

Authorities continue to investigate the broader North Korea IT worker scheme, with several individuals still at large. The Federal Bureau of Investigation has identified multiple suspects believed to be involved in the operation. The U.S. Department of State has announced a reward of up to $5 million for information that helps disrupt financial networks supporting such activities. Law enforcement agencies have already taken action to dismantle parts of the operation. This includes the seizure of web domains and financial accounts linked to the scheme, along with the recovery of more than 70 laptops and remote access devices during coordinated searches. The North Korea IT worker scheme is part of a broader effort by DPRK-linked actors to generate revenue through cyber-enabled operations. Authorities say these schemes often rely on stolen identities, fake online profiles, and third-party facilitators to gain access to company systems. Public advisories from U.S. agencies have previously warned that such workers can earn significant sums, sometimes up to $300,000 annually, contributing to large-scale funding operations tied to North Korea’s strategic programs.
  • ✇Firewall Daily – The Cyber Express
  • FBI Warns of Data Security Risks in Foreign-Developed Mobile Apps Samiksha Jain

FBI Warns of Data Security Risks in Foreign-Developed Mobile Apps

The data security risks of foreign-developed mobile apps are coming under sharper scrutiny, as the Federal Bureau of Investigation (FBI) issues a fresh warning on how widely used applications could expose sensitive user data. In a new public service announcement, the agency highlights that many of the most popular mobile apps used in the United States—especially those developed by companies based in China—may pose significant privacy and security concerns. At the core of the warning is a simple issue: users often do not fully understand how much data these apps can access—and where that data ultimately ends up.

Data Security Risks of Foreign-Developed Mobile Apps 

The data security risks of foreign-developed mobile apps are not limited to what users see on the surface. According to the FBI, once permissions are granted, apps can continuously collect data from across a device—not just while actively in use. This includes access to contacts, messages, location data, and even system-level information. In many cases, users unknowingly allow apps to collect information not only about themselves but also about people in their contact lists. Apps that offer features like inviting friends can access and store contact details such as names, phone numbers, email addresses, and physical addresses. This expands the risk beyond individual users, pulling non-users into the data collection ecosystem. The concern is not just the volume of data—but the persistence of access.

Where the Data Goes Raises Bigger Concerns

A key issue highlighted in the FBI’s advisory is data storage and jurisdiction. Many apps clearly state in their privacy policies that user data may be stored on servers located in China. This is where the data security risks of foreign-developed mobile apps become more complex. Companies operating in China are subject to national security laws that can require them to provide data access to government authorities when requested. For users, this creates a gap between consent and control. Even if data collection is disclosed, there is limited visibility into how that data may be accessed or used beyond the app itself. Some platforms offer local versions that allow users to run the app without relying on cloud-based systems, potentially reducing data transfer risks. However, not all apps provide this option. In some cases, users must agree to data sharing as a condition of using the service.

Malware Risks Add Another Layer of Threat

The data security risks of foreign-developed mobile apps are not limited to data collection practices. The FBI also warns that some apps may contain hidden malware. This can include malicious code designed to exploit vulnerabilities in mobile operating systems, install backdoors, and enable unauthorized access to sensitive data. In more advanced cases, such malware can download additional malicious packages without the user’s knowledge. The risk increases significantly when apps are downloaded from unofficial sources. Third-party app stores and unknown websites are more likely to host compromised applications, while official app stores typically conduct security checks to reduce such threats. Still, the presence of malware—even in seemingly legitimate apps—remains a concern.

FBI Urges Stronger Cyber Hygiene

While the spotlight is on foreign-developed apps, the FBI makes it clear that these data security risks of foreign-developed mobile apps are part of a broader digital security challenge. The agency emphasizes the importance of basic cyber hygiene. Users are advised to:
  • Disable unnecessary data sharing permissions
  • Download apps only from official app stores
  • Regularly update passwords
  • Keep device software up to date
  • Review terms of service before installing apps
These steps may seem routine, but they are often overlooked—creating easy entry points for data exposure.

A Growing Concern Beyond the U.S.

Although the advisory focuses on users in the United States, the data security risks of foreign-developed mobile apps are not limited by geography. The same apps are used globally, often with similar permissions and data handling practices. This makes the issue less about nationality and more about transparency and control. Users are increasingly dependent on mobile apps, but visibility into how their data is collected, stored, and shared remains limited. The FBI also encourages users to report any suspicious activity linked to mobile apps, including unusual data usage, unauthorized access, or signs of malware. Incidents can be reported to the Internet Crime Complaint Center (IC3), along with details such as the app name, permissions granted, and type of data potentially compromised.

Exposed Ollama Servers: Security Risks of Publicly Accessible LLM Infrastructure

March 18, 2026, 04:00

Learn how exposed Ollama servers can allow unauthorized model access, prompt abuse, and GPU resource consumption when LLM inference APIs are publicly accessible.

The post Exposed Ollama Servers: Security Risks of Publicly Accessible LLM Infrastructure appeared first on Indusface.

The post Exposed Ollama Servers: Security Risks of Publicly Accessible LLM Infrastructure appeared first on Security Boulevard.

  • ✇Security Boulevard
  • The Attack Chain Your AI System is Already Missing Mayank Kumar
    As AI adoption accelerates, organizations must evolve their security strategies from prompt filtering to comprehensive behavioral monitoring. This shift is critical to safeguarding against adaptive threats and ensuring safe AI deployment in production environments. The post The Attack Chain Your AI System is Already Missing appeared first on Security Boulevard.
     