December 1

News/Trends

• Researchers Disclose Critical RCE Vulnerability Affecting Quarkus Java Framework

• Researchers ‘Accidentally’ Crash KmsdBot Cryptocurrency Mining Botnet Network

• US effectively bans imports of Chinese telecoms products

• DOD Releases Path to Cyber Security Through Zero Trust Architecture

• Zero-Day Flaw Discovered in Quarkus Java Framework

• Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection

• This Malicious App Abused Hacked Devices to Create Fake Accounts on Multiple Platforms

• The 5 Cornerstones for an Effective Cyber Security Awareness Training

• Elon Musk Confirms Twitter 2.0 will Bring End-to-End Encryption to Direct Messages

Law/Policy

• What’s in store for cybersecurity in Congress’s stretch run

• Enhancing Surface Cyber Risk Management Proposed Rule

• Cyberlaw: Where We Are and What’s On the Horizon

• DOD Releases Path to Cyber Security Through Zero Trust Architecture

Technical

• A Privacy-Preserving Outsourced Data Model in Cloud Environment

• Accuracy-Aware Inference Engine for Differentially Private Data Exploration

• AI-based Malware and Ransomware Detection Models

• Security and Privacy-Preservation of IoT Data in Cloud-Fog Computing Environment

Report, blogs, podcasts

• Connect the Dots with Genetic Algorithms on CNAPP

• Smashing Security podcast #300: Interplanetary file systems, iSpoof, and don’t delete Twitter

• ConnectWise Quietly Patches Flaw That Helps Phishers

• Computer Repair Technicians Are Stealing Your Data

• SASE: The Only Way to Improve Network Security Without Added Complexity

• How to build a public profile as a cybersecurity pro

• Smashing Security podcast #299: EV charging risks, FTX, and an ancient apocalypse

• 9 Out of 10 Security Leaders State That Control Failures Are the Primary Reason For Data Breaches

• U.S. Govt. Apps Bundled Russian Code With Ties to Mobile Malware Developer

November 24

News/Trends

• U.S. Authorities Seize Domains Used in ‘Pig butchering’ Cryptocurrency Scams

• Biden Lays Path to Cyber Regulations for Critical Infrastructure

• The LinkedIn-HiQ Labs Case and Data Scraping in the US: Some Takeaways

• Researchers Sound The Alarm On Smart Home Hub Security Vulnerabilities

• More Turbulence Ahead for Twitter as the EU’s Digital Services Act Tests Musk’s Vision

• Hackers Exploiting Abandoned Boa Web Servers to Target Critical Industries

• Researchers Warn of Cyber Criminals Using Go-based Aurora Stealer Malware

• Notorious Emotet Malware Returns With High-Volume Malspam Campaign

• LodaRAT Malware Resurfaces with New Variants Employing Updated Functionalities

Law/Policy

• Pentagon releases zero trust strategy to guide DoD cybersecurity priorities 

• Redefining DOD’s Bring Your Own Device Policy

• New DOJ Regulations Are a Victory for Press Freedom, But More Work Remains

• Policy trends: where are we today on regulation in cyberspace?

Technical

• PointCA: Evaluating the Robustness of 3D Point Cloud Completion Models Against Adversarial Examples

• Backdoor Cleansing with Unlabeled Data

• Intrusion Detection in Internet of Things using Convolutional Neural Networks

• Machine Learning for Encrypted Malicious Traffic Detection

Report, blogs, podcasts

• ‘Patch Lag’ Leaves Millions of Android Devices Vulnerable

• Better Together: Why It’s Time for Ops and Security to Converge 

• Apple’s Device Analytics Can Identify iCloud Users

• Where Are We Heading With Data Privacy Regulations?

• The US Securing Open Source Software Act of 2022 is a step in the right direction

• Breaking the Zeppelin Ransomware Encryption Scheme

• Successful Hack of Time-Triggered Ethernet

• MIT Research Documents Effectiveness of Consensus Cyber Risk Oversight Principles

• The Next Generation of Supply Chain Attacks Is Here to Stay

November 18

News/Trends

• EV charging infrastructure is seriously insecure 

• Zero-Trust Initiatives Stall, as Cyberattack Costs Rocket to $1M per Incident

• Iranian Hackers Compromised a U.S. Federal Agency’s Network Using Log4Shell Exploit

• Researchers Discover Hundreds of Amazon RDS Instances Leaking Users’ Personal Data

• Deep Packet Inspection vs. Metadata Analysis of Network Detection & Response (NDR) Solutions

• Ransomware gangs shift tactics, making crimes harder to track 

• Google to Pay $391 Million Privacy Fine for Secretly Tracking Users’ Location

• Worok Hackers Abuse Dropbox API to Exfiltrate Data via Backdoor Hidden in Images

Law/Policy

• CISA Highlights Space, Bioeconomy as Possible New Critical Infrastructure Sectors 

• Rules for the Road: Data Security and Collection

• House approves key cybersecurity bill as U.S. government’s quantum activity ramps up

• Cybersecurity & you: Five state comprehensive data privacy laws ( and counting)

Technical

• Towards Good Practices in Evaluating Transfer Adversarial Attacks

• Improving Interpretability via Regularization of Neural Activation Sensitivity

• Blockchain Technology to Secure Bluetooth

• Generating Cyber Threat Intelligence to Discover Potential Security Threats Using Classification and Topic Modeling

Report, blogs, podcasts

• Security teams are responding to the ransomware threat, but remain on high alert 

• Researchers Quietly Cracked Zeppelin Ransomware Keys

• Disneyland Malware Team: It’s a Puny World After All

• Many financial institutions say their own IT staffs pose the biggest risk to cloud security 

• S3 Ep109: How one leaked email password could drain your business

• Offboarding processes pose security risks as job turnover increases

• FortiGuard Labs Recaps State of Ransomware Settlements

• Smashing Security podcast #298: Housing market scams, Twitter 2FA, and the fesshole

• Cybersecurity as a Service: What Is It? And Is It Right for Your Business?

November 11

News/Trends

• Researchers Warn of Malicious Packages on PyPI Using Steganography Techniques 

• These Two Google Play Store Apps Spotted Distributing Xenomorph Banking Trojan

• Russian-Canadian National Charged Over Involvement in LockBit Ransomware Attacks

• New York financial officials propose updates to state cyber regulation, with three tiers of covered companies

• New UEFI Firmware Flaws Reported in Several Lenovo Notebook Models

• Several Cyber Attacks Observed Leveraging IPFS Decentralized Network

• Install Latest Windows Update ASAP! Patches Issued for 6 Actively Exploited Zero-Days

• U.S. Attorney Announces Historic $3.36 Billion Cryptocurrency Seizure And Conviction In Connection With Silk Road Dark Web Fraud

• CISA Warns of Critical Vulnerabilities in 3 Industrial Control System Software

Law/Policy

• United States and Spain Announce the Development of a New Capacity Building Tool to Combat Ransomware

• Pentagon to unveil zero-trust cyber strategy 

• National Security Memorandum on Strengthening the Security and Resilience of United States Food and Agriculture

• LinkedIn Scores Partial Win in Long-Running Data Scraping Feud

Technical

• It’s TEEtime: Bringing User Sovereignty to Smartphones

• Warmup and Transfer Knowledge-Based Federated Learning Approach for IoT Continuous Authentication

• Spoofing Attack Detection in the Physical Layer with Commutative Neural Networks

• DatChain — Blockchain implementation in Data transfer for IoT Devices

Report, blogs, podcasts

• Alleged LockBit ransomware operator arrested in Canada

• Cloud computing is booming, but these are the challenges that lie ahead 

• Analyst Note: Venus Ransomware Targets Publicly Exposed Remote Desktop Services

• Using Wi-FI to See through Walls

• Update your Lenovo laptop’s firmware now!

• Smashing Security podcast #297: Mastodon 101, and the Hushpuppi saga

• Defeating Phishing-Resistant Multifactor Authentication

• Geopolitics plays major role in cyberattacks, says EU cybersecurity agency

• Crime in the metaverse – police face new challenges in a virtual world

November 4

News/Trends

• Why Identity & Access Management Governance is a Core Part of Your SaaS Security

• New Malware in Google Play Store Leads to Phishing Sites 

• Android Apps With a Million Downloads Led Users to Phishing Sites

• OpenSSL Releases Patch for 2 New High-Severity Vulnerabilities

• Chinese Hackers Using New Stealthy Infection Chain to Deploy LODEINFO Malware

• Kids today are ‘overly confident’ about their skills online—losing $101.4 million to hackers last year 

• Samsung Galaxy Store Bug Could’ve Let Hackers Secretly Install Apps on Targeted Devices

• CISA releases cybersecurity performance goals to reduce risk and impact of adversarial threats

• Apple Only Commits to Patching Latest OS Version

Law/Policy

• Warner Releases Policy Options Paper Addressing Cybersecurity in the Health Care Sector

• The Biden Administration’s SIGINT Executive Order, Part I: New Rules Leave Door Open to Bulk Surveillance

• Cybercriminals Responsible For Computer Intrusions Nationwide Indicted For RICO Conspiracy That Netted Millions

• Children’s Online Privacy Protection Rule (“COPPA”)

Technical

• On the Interaction Between Differential Privacy and Gradient Compression in Deep Learning

• The Impostor Among US(B): Off-Path Injection Attacks on USB Communications

• Secure Web-Based Student Information Management System

• How (Not) to Defend Against Property Inference Attacks

Report, blogs, podcasts

• Espionage campaign loads VPN spyware on Android devices via social media

• Episode 245: How AI is remaking knowledge-based authentication

• New SOC Performance Report: Security Analysts Are Overworked and Under Resourced

• Algorithm-Substitution Attacks on Cryptographic Puzzles

• Smashing Security podcast #296: Twitter turmoil, AI animal chatters, and metaverse at work

• GAO report: government departments need dedicated leaders to oversee privacy goals

• Engineering workstation attacks on industrial control systems double

• Child Identity Fraud: The Perils of Too Many Screens and Social Media

• Data capture by border agencies can and will happen – are your on-the-road employees prepared?

October 29

News/Trends

• Researchers Uncover Stealthy Techniques Used by Cranefly Espionage Hackers

• Google Issues Urgent Chrome Update to Patch Actively Exploited Zero-Day Vulnerability

• Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints

• U.S. Charges Ukrainian Hacker Over Role in Raccoon Stealer Malware Service

• Google Chrome Pays $57K (and Counting) in Bug Bounties for Latest Update

• Stress Is Driving Cybersecurity Professionals to Rethink Roles

• Cybersecurity Executives Say These are the Most Pressing Challenges They Face

• Apple Releases Patch for New Actively Exploited iOS and iPadOS Zero-Day Vulnerability

• Why Ransomware in Education on the Rise and What That Means for 2023

Law/Policy

• California Appellate Court In Ruling of First Impression Affirms Denial of Class Certification in Data Breach Involving Confidential Medical Information

• U.S. AI, IoT, CAV, and Privacy Legislative Update – Third Quarter 2022

• Will new CISA guidelines move the needle on cyber defense?

• In a nutshell: data protection, privacy and cybersecurity in USA

Technical

• Rethinking the Reverse-engineering of Trojan Triggers

• Uncloneable Cryptography

• A critical review of cyber-physical security for building automation systems

• Uncovering Fingerprinting Networks. An Analysis of In-Browser Tracking using a Behavior-based Approach

Report, blogs, podcasts

• Cryptographic Protection of Random Access Memory

• S3 Ep106: Facial recognition without consent – should it be banned?

• New York Post was hacked from the inside, employee fired after offensive articles posted online

• Zero-Day Hoarding Aids Advanced Spyware, PEGA Committee Told 

• Ransomware activity persists, but lags 2021 highs 

• The long-term psychological effects of ransomware attacks 

• Cybersecurity event cancelled after scammers disrupt LinkedIn live chat

• Smashing Security podcast #295: Slushygate, sextortion, and nano-targeting

• On the Randomness of Automatic Card Shufflers

October 21

News/Trends

• Hackers Started Exploiting Critical “Text4Shell” Apache Commons Text Vulnerability

• Cybersecurity Workforce Gap Grows by 26% in 2022 

• BrandPost: DDoS Threat Intelligence Report Reveals Troubling Attacker Behavior

• Google Launches GUAC Open Source Project to Secure Software Supply Chain

• Scammers Targeting Those Seeking Student Loan Forgiveness

• New York Department of Financial Services settles charges against EyeMed with a $4.5 million penalty and remedial cybersecurity plan

• These 16 Clicker Malware Infected Android Apps Were Downloaded Over 20 Million Times

• EY Report Says Digital Natives Are Undermining Corporate Security 

• Researchers Say Microsoft Office 365 Uses Broken Email Encryption to Secure Messages

Law/Policy

• Biden Administration Issues New Cybersecurity Requirements for Rail Operators 

• 4 Critical Infrastructure Sectors to Get New Cyber Rules, Per White House Official

• Some Key Takeaways from The Updated CPRA Rules

• Dawning Digital Data Access via New EU Law

Technical

• Prove You Owned Me: One Step beyond RFID Tag/Mutual Authentication

• Probabilistic Categorical Adversarial Attack & Adversarial Training

• Control, Confidentiality, and the Right to be Forgotten

• Gradient Obfuscation Gives a False Sense of Security in Federated Learning

Report, blogs, podcasts

• S3 Ep105: WONTFIX! The MS Office cryptofail that “isn’t a security flaw”

• Adversarial ML Attack that Secretly Gives a Language Model a Point of View

• Battle with Bots Prompts Mass Purge of Amazon, Apple Employee Accounts on LinkedIn

• Smashing Security podcast #294: The Virgin trains swindler, cyber clowns, and AirTag election debacle

• Cyber Talent Still in High Demand 

• Episode 244: ZuoRAT brings APT Tactics to Home Networks

• Election security, misinformation threats loom large ahead of the US midterms

• How Card Skimming Disproportionally Affects Those Most In Need

• Regulating DAOs

October 14

News/Trends 

• Researchers Warn of New Phishing-as-a-Service Being Used by Cyber Criminals

• Endor Labs offers dependency management platform for open source software

• LockBit Affiliates Compromise Microsoft Exchange Servers to Deploy Ransomware 

• Biden signs order to implement E.U.-U.S. data privacy framework 

• Sequoia Project takes ‘critical step’ in march toward secure data exchange for healthcare

• Researchers Disclose Decade-Long Espionage Attacks by Earth Aughisky 

• Budworm Hackers Resurface with New Espionage Attacks Aimed at U.S. Organization

• New Chinese Malware Attack Framework Targets Windows, macOS, and Linux Systems

• What the Uber verdict means to CISOs

Law/Policy 

• US Privacy Changes Put EU Data Flow Pact On Strong Footing

• White House to unveil ambitious cybersecurity labeling effort modeled after Energy Star 

• U.S. to issue new cybersecurity requirements for critical aviation systems 

• Colorado Attorney General Releases Draft CPA Rules

Technical 

• Biometric Template Protection for Neural-Network-based Face Recognition Systems

• Content-Adaptive Pixel Discretization to Improve Model Robustness

• Secret-Key Agreement Using Physical Identifiers for Degraded and Less Noisy Authentication Channels

• Efficient Adversarial Training without Attacking: Worst-Case-Aware Robust Reinforcement Learning

Report, blogs, podcasts 

• Recovering Passwords by Measuring Residual Heat

• Big U.S. Banks Are Stiffing Account Takeover Victims

• New Report Uncovers Emotet’s Delivery and Evasion Techniques Used in Recent Attacks

• Fortinet Warns of Active Exploitation of Newly Discovered Critical Auth Bypass Bug

• Microsoft Patch Tuesday Fixes New Windows Zero-Day; No Patch for Exchange Server Bugs

• Information overload, burnout, talent retention impacting SOC performance

• Smashing Security podcast #293: Massive crypto bungle, and the slave scammers

• Should hospital ransomware attackers be locked up for life?

• Glut of Fake LinkedIn Profiles Pits HR Against the Bots

October 7

News/Trends

• Warren’s Report Says Zelle Scam Victims Left ‘High And Dry’ 

• Hundreds of Microsoft SQL Servers Backdoored with New Maggie Malware 

• Zinc APT Targets Victims Across Critical Sectors 

• Researchers Report Supply Chain Vulnerability in Packagist PHP Repository 

• Never-Before-Seen Backdoors Spotted on VMware ESXi Servers 

• Russian Hackers Knock US State Government Websites Offline 

• BlackCat Ransomware Gang Claims to Hack US Defense Contractor NJVC 

• New Report Shows Significant Improvement in Consumer Cyber Hygiene 

• 8 strange ways employees can (accidently) expose data 

Law/Policy 

• Calif.’s Novel Privacy Moves May Dim Federal Law’s Chances 

• Telecom Group Urges Tougher Anti-Robocall Measures 

• US, UK Deal To Speed Police Access To User Data Goes Live 

• Landmark Ill. Privacy Law Faces First Jury Test 

• Supreme Court To Review Broad Immunity For Big Tech 

Technical 

• Certified Data Removal in Sum-Product Networks.

•  From Threat Reports to Continuous Threat Intelligence: A Comparison of Attack Technique Extraction Methods from Textual Artifacts.

• NeuDep: Neural Binary Memory Dependence Analysis

• Model-Driven Engineering for Formal Verification and Security Testing of Authentication Protocols

• On the Robustness of Deep Clustering Models: Adversarial Attacks and Defenses

Report, blogs, podcasts 

• Detecting Deepfake Audio by Modeling the Human Acoustic Tract

• Differences in App Security/Privacy Based on Country

• Detecting Deepfake Audio by Modeling the Human Acoustic Tract

• Smashing Security podcast #292: Trussterflucks and eBay stalking

• GAO: Communication Breakdowns Hurt Otherwise Positive View of Federal Ransomware Support 

• Zero Trust Architecture Adoption Rises Across Industries 

• The Top 5 Cloud Vulnerabilities You Should Know Of 

• Chinese hacking group targeting US agencies and companies has surged its activity, analysis finds 

• Office exploits continue to spread more than any other category of malware 

• EU’s cybersecurity agency chief warns to keep guard up 

September 23

News/Trends

• Details of Over 300,000 Russian Reservists Leaked, Anonymous Claims

• NSA Reveals “Hackers’ Playbook” for OT Attacks

• Europol “Hackathon” Identifies Scores of Human Trafficking Victims

• LastPass source code breach – incident response report released

• What Are Privacy-Enhancing Technologies (PETs)? A Comprehensive Guide

• Banks face a WhatsApp reckoning as regulators clamp down on messaging apps

• Microsoft bolsters threat intelligence security portfolio with two new products

• Held to Ransom: How Cyberattacks Can Become a Legal and Regulatory Odyssey for a Private Investment Fund

Law/Policy

• Industry Objections Spur Changes to Cybersecurity Provisions in Defense Bill

• New SEC Cybersecurity Rules Could Affect Private Companies Too 

• Understanding the Biden Administration’s Technology Policy Platform

• DATA PRIVACY: EVOLVING UPDATES TO THE GLOBAL LANDSCAPE

Technical

• Talking Trojan: Analyzing an Industry-Wide Disclosure

• You Can’t Hide Behind Your Headset: User Profiling in Augmented and Virtual Reality

• Improving Utility for Privacy-Preserving Analysis of Correlated Columns using Pufferfish Privacy

• Zero Trust Federation: Sharing Context under User Control toward Zero Trust in Identity Federation

Report, Blogs, Podcasts

• Leaking Screen Information on Zoom Calls through Reflections in Eyeglasses

• Prompt Injection/Extraction Attacks against AI Systems

• Automatic Cheating Detection in Human Racing

• Credit Card Fraud That Bypasses 2FA

• Smashing Security podcast #290: Uber, Rockstar, and crystal balls

• How to have fun negotiating with a ransomware gang

• Energy bill rebate scams spread via SMS and email

• SIM Swapper Abducted, Beaten, Held for $200k Ransom

• Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers