InfoSec News 13APR2026

General

Two supply chain attacks in March infected open source tools with malware and used this access to steal secrets from tens of thousands of organizations, if not more. We won't know the full blast radius for months.
...
According to security experts, the incidents demonstrate the future of supply-chain attacks.
...
If there's a silver lining to be had, it's that both incidents "created a whole bunch of awareness of this problem that everybody's dealing with right now with compromised packages," Carmakal said. "And it reintroduces the conversation of SBOMs - software bill-of-materials."
...
There will always be a window between whenever code is poisoned and the time it's detected in a supply-chain attack. That window presents an opportunity for organizations to avoid downloading malware onto their systems and machines, he added.
"If you create a rule in your development environments where you don't download any versions newer than 24 hours, you would have skipped these," Read said. "It's easy to say, hard to enforce consistently, especially with Jim from accounting spinning up Claude and now everybody's a developer."
Still, enforcing some type of short delay, coupled with SBOMs, knowing what software runs on which machines, and where secrets live, can help organizations better "respond and prioritize efficiently," he added.
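The "nothing newer than 24 hours" rule above is easy to state in a meeting and easy to forget in a CI pipeline, so here is what enforcing it looks like in code. This is an added example, not code from the article or from the people quoted in it. It assumes registry metadata shaped like the `time` object in an npm package document (version string to ISO-8601 publish timestamp); the package history, the fixed "now" and the lockfile pin below are all constructed for the example. It does two things a practitioner wants from such a gate: it resolves to the newest version that has been public long enough (refusing outright, rather than falling back, when nothing qualifies), and it audits versions that were already pinned, flagging any pin with an unknown publish time as a violation rather than letting it through.

```python
"""Release-age gate: refuse package versions published less than N hours ago.

Added example, not code from the article or from the speakers quoted above.
It assumes registry metadata shaped like the `time` object in an npm
package document (version -> ISO-8601 publish timestamp); the sample
metadata and lockfile pins below are constructed for the example.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Keys npm puts in `time` that are not versions.
_NON_VERSION_KEYS = {"created", "modified", "unpublished"}


def _parse_release(version: str) -> Optional[tuple[int, ...]]:
    """Turn '1.4.2' into (1, 4, 2). Returns None for prereleases/builds
    such as '2.0.0-rc.1', which an install policy would not auto-select."""
    if "-" in version or "+" in version:
        return None
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        return None


def _published_at(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp; npm emits a trailing 'Z' for UTC."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def version_age(times: dict[str, str], version: str, now: datetime) -> Optional[timedelta]:
    """Age of `version` at `now`, or None if the registry has no timestamp
    for it (unknown age, which callers should fail closed on)."""
    stamp = times.get(version)
    if stamp is None:
        return None
    return now - _published_at(stamp)


def select_version(times: dict[str, str], min_age: timedelta, now: datetime) -> Optional[str]:
    """Newest plain release that has been public for at least `min_age`.

    Returns None when nothing qualifies; the caller should fail the
    install rather than silently fall back to a too-new version."""
    best: Optional[tuple[tuple[int, ...], str]] = None
    for version, stamp in times.items():
        if version in _NON_VERSION_KEYS:
            continue
        parsed = _parse_release(version)
        if parsed is None:
            continue
        if now - _published_at(stamp) < min_age:
            continue  # still inside the poison-to-detection window: skip
        if best is None or parsed > best[0]:
            best = (parsed, version)
    return best[1] if best else None


def audit_pins(pins: dict[str, str], registry: dict[str, dict[str, str]],
               min_age: timedelta, now: datetime) -> dict[str, tuple[str, Optional[timedelta]]]:
    """Check already-pinned versions (e.g. from a lockfile) against the policy.

    Returns {package: (version, age)} for every pin younger than `min_age`
    or with no publish timestamp at all (age None)."""
    violations: dict[str, tuple[str, Optional[timedelta]]] = {}
    for name, version in pins.items():
        age = version_age(registry.get(name, {}), version, now)
        if age is None or age < min_age:
            violations[name] = (version, age)
    return violations


# Constructed sample data: a fixed "now" and one package's publish history.
NOW = datetime(2026, 3, 20, 12, 0, tzinfo=timezone.utc)
MIN_AGE = timedelta(hours=24)
SAMPLE_TIMES = {
    "created": "2021-01-05T10:00:00.000Z",
    "modified": "2026-03-20T09:15:00.000Z",
    "1.4.2": "2025-11-03T08:00:00.000Z",       # months old: eligible
    "2.0.0-rc.1": "2026-02-01T00:00:00.000Z",  # prerelease: never auto-selected
    "1.5.0": "2026-03-19T20:00:00.000Z",       # 16h old: too new
    "1.5.1": "2026-03-20T09:15:00.000Z",       # 2h45m old: too new
}
SAMPLE_REGISTRY = {"example-pkg": SAMPLE_TIMES}
SAMPLE_PINS = {"example-pkg": "1.5.1"}  # the lockfile already pinned the newest

if __name__ == "__main__":
    print("install would pick:", select_version(SAMPLE_TIMES, MIN_AGE, NOW))
    print("lockfile violations:", audit_pins(SAMPLE_PINS, SAMPLE_REGISTRY, MIN_AGE, NOW))
```

Against the constructed history the resolver skips both day-old releases and lands on 1.4.2, while the audit reports the lockfile's 1.5.1 pin as 2h45m old. Several package managers now carry this policy natively (pnpm's `minimumReleaseAge` setting, uv's `exclude-newer`), which is the easier way to get the "enforce consistently" part; the logic above is what those settings do under the hood, and the audit half is what you still need for lockfiles that were generated before the policy existed.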
The U.K. government on Friday announced it has formally submitted a proposed change to a crime bill that would allow tech executives who fail to remove nonconsensual intimate images published on their platforms to be imprisoned.
The U.K. communications regulator, Ofcom, has said it will be cracking down on the spread of the images in the aftermath of the Grok scandal, which led to millions of “nudified” images of women and children being circulated worldwide.
...
“Tech execs could be held personally liable if platforms fail to comply with Ofcom’s enforcement decisions to remove people’s intimate images that have been shared without consent,” according to a government press release.
“This would mean senior execs who commit the offense without a reasonable excuse could be liable to imprisonment or a fine, or both.”
Senate Judiciary Committee chair Chuck Grassley (R-IA) has launched a congressional inquiry into eight tech giants for allegedly neglecting to supply adequate information to a cyber tipline aimed at detecting the exchange of child sexual abuse materials (CSAM) on their platforms.
Grassley said his inquiry follows reports from the National Center for Missing and Exploited Children (NCMEC) that allege the tech giants are deficient in their reporting of CSAM and data related to generative AI generally.
Meta, Amazon AI Services, TikTok, Snapchat, Discord, X.AI, Grindr and Roblox submitted more than 17 million reports of suspected online child exploitation in 2025, Grassley said in a press release, but allegedly failed to provide NCMEC with important location data and other information on users and suspects.
In 2025, NCMEC received 1.5 million CyberTipline reports that had a nexus to generative AI and child sexual exploitation.

Getting Techy

  • There's a near-constant back and forth as to when (or even whether) a quantum computer will break meaningful cryptography. Now two cryptographers have set up a $5000 bet.
For the past ten years, the US National Institute of Standards and Technology (NIST) has been pushing for the development of Post-Quantum Cryptography (PQC), based on the belief that some day, quantum computers will be capable of decrypting data encrypted with legacy algorithms.
There's some skepticism about that. Last year, Peter Gutmann, a professor of computer science at the University of Auckland, New Zealand, dismissed PQC in an interview with The Register. He noted that quantum computers have yet to factor the number 35 (6 bits) due to their inability to correct errors, while the elliptic curve private keys in common use (P-256, Curve25519) are 256 bits long, so quantum computers still have a long way to go. Factoring and the elliptic-curve discrete logarithm are different problems, though Shor's algorithm attacks both; the comparison is about the scale of error-corrected computation required, not a like-for-like benchmark.
...
The bet is for $5,000. Valsorda will pay if a shared secret from ML-KEM-768 – a recently approved quantum-resistant algorithm – is recovered from a public key and ciphertext, either from a classical or quantum attack. And Green is on the hook to pay if a shared secret from X25519 – a widely used elliptic curve algorithm – is recovered from a pair of public points on the curve, whether through classical or quantum means.
In theory, X25519 should be easier for a cryptographically relevant quantum computer (CRQC) to defeat than ML-KEM-768, which is designed to resist quantum cryptanalysis. So Green is essentially betting that advances in classical cryptanalysis will reveal weaknesses in the Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) before a quantum computer capable of breaking X25519 exists.

Geo-Politics

  • [FR] It's finally the year of Linux on the (French Government) desktop.
France is trying to move on from Microsoft Windows. The country said it plans to move some of its government computers currently running Windows to the open source operating system Linux to further reduce its reliance on U.S. technology.
...
France’s decision to ditch Windows comes months after the government announced it would stop using Microsoft Teams for video conferencing in favor of French-made Visio, a tool based on the open source end-to-end encrypted video meeting tool Jitsi.
Almost 800 Hungarian government email addresses and associated passwords are circulating online, revealing basic vulnerabilities in the security protocols of ministries involved in classified and sensitive work.
A Bellingcat analysis of breach data shows that 12 out of the government’s 13 ministries have been affected, which in some cases have exposed the confidential information of military personnel and civil servants posted abroad.
...
Some government workers used easy-to-guess passwords such as variations of the word “Password” or the number sequence “1234567”. One employee whose credentials were exposed in the 2012 LinkedIn hack used the password “linkedinlinkedin”. Another, in the defence ministry, used their surname. One leaked password from an employee in the foreign affairs ministry was “embassy13hungary”.
...
One senior official in the prison service used the password “adolf”. After it appeared in breach databases the password was changed twice – first to a five-digit number and then to what appeared to be the name for a pet dog. The passwords were subsequently breached again.

Privacy

  • Paywalled article from 404 Media; however, the key detail is in the preamble. The mitigation is a Signal setting:
    Settings -> Notifications -> Notification Content, disable Content!
The FBI was able to forensically extract copies of incoming Signal messages from a defendant’s iPhone, even after the app was deleted, because copies of the content were saved in the device’s push notification database, multiple people present for FBI testimony in a recent trial told 404 Media. The case involved a group of people setting off fireworks and vandalizing property at the ICE Prairieland Detention Facility in Alvarado, Texas in July, and one shooting a police officer in the neck.
The news shows how forensic extraction—when someone has physical access to a device and is able to run specialized software on it—can yield sensitive data derived from secure messaging apps in unexpected places. Signal already has a setting that blocks message content from displaying in push notifications; the case highlights why such a feature might be important for some users to turn on.
When Microsoft redesigned Recall with VBS enclaves, AES-256-GCM encryption, Windows Hello authentication, and a Protected Process Light host, the message was clear: the data is locked in a vault.
The vault is solid. The delivery truck is not.
AIXHost.exe, the process that renders the Recall timeline, has no PPL, no AppContainer, no code integrity enforcement. Any process running as the logged-in user can inject code into it and call the same COM APIs the legitimate UI uses. Once the user authenticates with Windows Hello, decrypted screenshots, OCR text, and metadata flow through AIXHost.exe as live COM objects. TotalRecall Reloaded sits inside that process and extracts everything.
No admin required. Standard user. No kernel exploit. No crypto bypass. Just COM calls.

Subscribe to Deuxieme RE Banque News

Sign up now to get access to the library of members-only issues.
Jamie Larson
Subscribe