Tootfinder

Prophet Security, which develops fully autonomous AI agents for cybersecurity defense, raised a $30M Series A led by Accel (Michael Nuñez/VentureBeat)
https://venturebeat.com/ai/ai-vs-ai-prophet-security-raises-30m-to-repla…

AI vs. AI: Prophet Security raises $30M to replace human analysts with autonomous defenders
Prophet Security raises $30 million to launch a fully autonomous AI cybersecurity platform that investigates and responds to threats without human intervention, promising 10x faster response times and 96% fewer false positives.

Top Ukrainian Security Service official suspected of corruption: https://benborges.xyz/2025/09/02/top-ukrainian-security-service-official.html

‘Luxury prison’: #Epstein accomplice Maxwell quietly moved to low-security camp
https://www.smh.com.au/world/north-america

Microsofts große Sicherheitsversprechen? Jürgen Schmidt, Leiter von heise Security, hält sie für leere Worte! 🚨
Zum Kommentar: https://heise.de/-10505985?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=…

ProVeg: A Plant-Rich Diet Plays a Crucial Role on the Path to Greater Food Security https://vegconomist.com/society/proveg-plant-rich-diet-crucial-role-greater-food-security/

ProVeg: A Plant-Rich Diet Plays a Crucial Role on the Path to Greater Food Security - vegconomist - the vegan business magazine
The Food and Agriculture Organization of the United Nations (FAO) today released its annual report, outlining global progress towards eliminating hunger and

EU Protective Security Advisors
#EUPSA
https://home-affairs.ec.europa.eu/policies/int…

International Criminal Court hit with cyber security attack
https://apnews.com/article/international-court-cyberattack-hague-netherlands-50ac8b2f53928fc1f05163c67b09c4bf

International Criminal Court hit with cyber security attack
The International Criminal Court says it has been hit by a “sophisticated” cyberattack. The court said Monday the incident, which happened last week, has been contained, but it has not disclosed the impact or motive. A court-wide analysis is underway, and measures are being taken to limit damage. The attack coincided with a NATO summit in The Hague, raising security concerns. The ICC, which handles high-profile war crimes cases, has faced espionage attempts in the past. It remains unclear i…

Innovative Earth observation with “DIEGOSat” supporting climate protection, agriculture and security: #satellite system. More in https://wirtschaft.nrw/mit-hightech-gegen-duerre-braende-und-ernteausfaelle-land-unterstuetzt-innovatives and https://news.rub.de/wissenschaft/2025-07-31-geografie-diegosat-fuer-klimaschutz-landwirtschaft-und-sicherheit

Department of Homeland Security Memo (New Republic)
https://newrepublic.com/article/198689/department-homeland-security-memo
http://www.memeorandum.com/250802/p20#a250802p20

Western nations making progress on post-ceasefire security for Ukraine - Finnish President - Euromaidan Press
https://euromaidanpress.com/2025/09/02/western-nations-making-progress-on-post-ceasefire-security-for-ukraine-finnish-president/

A hacking collective calling itself "Scattered LapSus Hunters," has threatened to leak Google databases unless the company sacks two senior employees. Whilst the group has yet to provide any evidence that it holds Google data, Google has recently disclosed a third-party security breach involving Salesforce.

Hackers threaten Google with data leak unless company fires two threat intelligence employees
A hacking collective calling itself "Scattered LapSus Hunters," has threatened to leak Google databases unless the company sacks two senior employees. Whilst the group has ...

Risks and Compliance with the EU's Core Cyber Security Legislation
Jukka Ruohonen, Jesper L{\o}ffler Nielsen, Jakub Sk\'orczynski
https://arxiv.org/abs/2508.21386 https:…

Risks and Compliance with the EU's Core Cyber Security Legislation
The European Union (EU) has long favored a risk-based approach to regulation. Such an approach is also used in recent cyber security legislation enacted in the EU. Risks are also inherently related to compliance with the new legislation. Objective: The paper investigates how risks are framed in the EU's five core cyber security legislative acts, whether the framings indicate convergence or divergence between the acts and their risk concepts, and what qualifying words and terms are used when des…

GOP tax bill includes a $6,000 ‘senior deduction.’ Here’s who qualifies.
Under current law, most taxpayers claim the standard deduction of $15,000 (or $30,000 for couples)
to reduce their tax liability,
though the GOP tax bill would increase those amounts slightly.
Additionally, seniors already qualify for an additional deduction of $2,000 (or $3,600 for couples).

The Senate bill would create a third category that gives seniors an additional $6,000 (or $12,000) off…

GOP tax bill includes a $6,000 ‘senior deduction.’ Here’s who qualifies.
The provision emerged from President Donald Trump’s campaign pledge to end taxes on Social Security. But experts say many are excluded.

A Survey on Autonomy-Induced Security Risks in Large Model-Based Agents
Hang Su, Jun Luo, Chang Liu, Xiao Yang, Yichi Zhang, Yinpeng Dong, Jun Zhu
https://arxiv.org/abs/2506.23844

A Survey on Autonomy-Induced Security Risks in Large Model-Based Agents
Recent advances in large language models (LLMs) have catalyzed the rise of autonomous AI agents capable of perceiving, reasoning, and acting in dynamic, open-ended environments. These large-model agents mark a paradigm shift from static inference systems to interactive, memory-augmented entities. While these capabilities significantly expand the functional scope of AI, they also introduce qualitatively novel security risks - such as memory poisoning, tool misuse, reward hacking, and emergent mi…

Hierarchical Adversarially-Resilient Multi-Agent Reinforcement Learning for Cyber-Physical Systems Security
Saad Alqithami
https://arxiv.org/abs/2506.22445

Hierarchical Adversarially-Resilient Multi-Agent Reinforcement Learning for Cyber-Physical Systems Security
Cyber-Physical Systems play a critical role in the infrastructure of various sectors, including manufacturing, energy distribution, and autonomous transportation systems. However, their increasing connectivity renders them highly vulnerable to sophisticated cyber threats, such as adaptive and zero-day attacks, against which traditional security methods like rule-based intrusion detection and single-agent reinforcement learning prove insufficient. To overcome these challenges, this paper introdu…

Kommt noch jemand von Euch morgen in die #CyBARsecurity nach Bochum?
Würde mich freuen, mal ein paar aus der #Security Bubble im Fediverse persönlich kennen zu lernen.
PS: ich produziere übrigens seit einigen Jahren den WeTalkSecurity - ESET Podcast. Hört den jemand von Euch?

WeTalkSecurity - der ESET Podcast
WeTalkSecurity ist der deutschsprachige ESET Security Podcast zu den Bereichen Digitalisierung und IT-Sicherheit. Unsere Themen reichen vom Online-Shopping, Cyber-Spionage bis zur Absicherung des Unternehmensnetzwerks. Jeden Monat sprechen wir mit interessanten Gästen über aktuelle Themen aus der IT-Security. Über ESET ESET ist ein europäisches Unternehmen mit Hauptsitz in Bratislava (Slowakei). Seit 1987 entwickelt ESET preisgekrönte Sicherheits-Software, die bereits über 110 Million…

> "Secret Blizzard hackers are also taking advantage of Russia's domestic interception systems, including the System for Operative Investigative Activities (SORM), to carry out their large-scale AiTM campaigns."
https://www.bleepin…

Microsoft: Russian hackers use ISP access to hack embassies in AiTM attacks
Microsoft warns that a cyber-espionage group linked to Russia's Federal Security Service (FSB) is targeting diplomatic missions in Moscow using local internet service providers.

Certifying semi-device-independent security via wave-particle duality experiments
Chithra Raj, Tushita Prasad, Anubhav Chaturvedi, Lucas Pollyceno, Daniel Spegel-Lexne, Santiago G\'omez, Joakim Argillander, Alvaro Alarc\'on, Guilherme B. Xavier, Marcin Paw{\l}owski, Pedro R. Dieguez
https://arxiv.org/abs/2507.00679

Certifying semi-device-independent security via wave-particle duality experiments
Wave-particle duality is known to be equivalent to an entropic uncertainty relation based on the min- and max-entropies, which have a clear operational meaning in quantum cryptography. Here, we derive a connection between wave-particle relations and the semi-device-independent (SDI) security framework. In particular, we express an SDI witness entirely in terms of two complementary interferometric quantities: visibility and input distinguishability. Applying a symmetry condition to the interfero…

Hm?... Vamos fazer drones com os ucranianos? Não devia ser notícia cš, isso?
https://mastodon.online/@SocraticEthics/115130648160130676

Concrete Security Bounds for Simulation-Based Proofs of Multi-Party Computation Protocols
Kristina Sojakova, Mihai Codescu, Joshua Gancher
https://arxiv.org/abs/2507.22705 https…

Concrete Security Bounds for Simulation-Based Proofs of Multi-Party Computation Protocols
The concrete security paradigm aims to give precise bounds on the probability that an adversary can subvert a cryptographic mechanism. This is in contrast to asymptotic security, where the probability of subversion may be eventually small, but large enough in practice to be insecure. Fully satisfactory concrete security bounds for Multi-Party Computation (MPC) protocols are difficult to attain, as they require reasoning about the running time of cryptographic adversaries and reductions. In this…

N.B.: I don’t know whether Wendy can play poker, but the one thing I KNOW about poker is that you NEVER play against someone who insists that they’re lousy. https://infosec.exchange/@wendynather/114955733770668316

Safe Security, formerly Lucideus, which quantifies cyber risk using ML, raised a $70M Series C led by Avataar Ventures, bringing its total funding to $170M (Shashank Pathak/Entrackr)
https://entrackr.com/news/safe-security-raises-70-mn-in-ser…

Safe Security raises $70 Mn in Series C led by Avataar Ventures
Cybersecurity startup Safe Security, previously known as Lucideus, has secured $70 million in a Series C round, led bybAvataar Ventures.

Assessing security and privacy
I sometimes get asked how I think about and evaluate the security and privacy of Internet services and applications. For me, a number of factors come into focus when assessing the privacy of an application or service. Some of the factors are technological and some of them are human, social and organizational. Additionally, some of the factors are critical to ensure privacy and some are important but less critical.
 
I think we need a new model …

Freitag: Sammelklage wegen E-Autoschlüssel, Apple und Amazon mit Gewinnzuwachs
Autohersteller vor Gericht iPhone-Umsätze höher Amazon wächst wieder Zweifel an ARM-Plänen Kommentar zu Microsoft-Security Verbraucherschutz-Podcast

Social Security Backs Off Listing Living Migrants as Dead (New York Times)
https://www.nytimes.com/2025/07/01/us/politics/social-security-immigrants-dead.html?unlocked_article_code=1.TU8.IM62.3OjkBYPHfZ_0&smid=nytcore-ios-share&referringSource=articleShare
http://www.memeorandum.com/250701/p161#a250701p161

It sounds like that Tea app vulnerability (not the one where they had data just open to the world on Firebase, but a second problem) is what I describe in the first paragraph of this post.
You *can’t* rely on user-controlled devices to safely hold credentials that work for more than that one user—especially if the credentials live outside of something like a hardware security module, which they almost certainly do if your app is storing them.

Vendor Security
A few weeks ago I had to have a conversation with a vendor about credentials. Despite some push back from our side, they insisted that their Bearer Token style authentication key for HTTP requests was

Canada suspends Hikvision operations over national security concerns https://therecord.media/canada-suspends-hikvision-operations-national-security

@… I was having issues accessing social.linux.pizza. After racking my brain for a while as to what could have happened, I remembered the old adage "It's always DNS" and indeed it was so.
More specifically, one of the blocklists that Quad9 DNS (which is what I normally use) uses has classified the site as "Botnet" -

Securing the Sky: Integrated Satellite-UAV Physical Layer Security for Low-Altitude Wireless Networks
Jiahui Li, Geng Sun, Xiaoyu Sun, Fang Mei, Jingjing Wang, Xiangwang Hou, Daxin Tian, Victor C. M. Leung
https://arxiv.org/abs/2506.23493

Securing the Sky: Integrated Satellite-UAV Physical Layer Security for Low-Altitude Wireless Networks
Low-altitude wireless networks (LAWNs) have garnered significant attention in the forthcoming 6G networks. In LAWNs, satellites with wide coverage and unmanned aerial vehicles (UAVs) with flexible mobility can complement each other to form integrated satellite-UAV networks, providing ubiquitous and high-speed connectivity for low-altitude operations. However, the higher line-of-sight probability in low-altitude airspace increases transmission security concerns. In this work, we present a collab…

student_cooperation: Student cooperation (2012)
Network of cooperation among students in the "Computer and Network Security" course at Ben-Gurion University, in 2012. Nodes are students, and edges denote cooperation between students while doing their homework. The graph contains three types of links: Time, Computer, Partners.
This network has 185 nodes and 360 edges.
Tags: Social, Offline, Multigraph, Unweighted

The Secrets Must Not Flow: Scaling Security Verification to Large Codebases (extended version)
Linard Arquint, Samarth Kishor, Jason R. Koenig, Joey Dodds, Daniel Kroening, Peter M\"uller
https://arxiv.org/abs/2507.00595

The Secrets Must Not Flow: Scaling Security Verification to Large Codebases (extended version)
Existing program verifiers can prove advanced properties about security protocol implementations, but are difficult to scale to large codebases because of the manual effort required. We develop a novel methodology called *Diodon* that addresses this challenge by splitting the codebase into the protocol implementation (the *Core*) and the remainder (the *Application*). This split allows us to apply powerful semi-automated verification techniques to the security-critical Core, while fully-automat…

He’s probably (he’s on the list) doing it out of (he’s on every page of the list) a strategic need (and there are photos) and sound military and national security (and there is footage) concerns. There’s no way he’d do this as a distraction (this way, this is the way he does it as a distraction), that would be reckless, irresponsible and dangerous (which he very much is).

Trump orders US nuclear subs repositioned over statements from ex-Russian leader
President Donald Trump has ordered the repositioning of two U.S. nuclear submarines. Friday's decision comes after what he calls "highly provocative statements" by former Russian President Dmitry Medvedev. Medvedev and Trump has fueded online in recent days. The impact on U.S. nuclear subs — which normally and routinely patrol global hotspots — remains unclear. But the move potentially escalates tensions between Washington and Moscow at a delicate time, as Trump threatens new sanctions in a…

Accuracy and Security-Guaranteed Participant Selection and Beamforming Design for RIS-Assisted Federated Learning
Mengru Wu, Yu Gao, Weidang Lu, Huimei Han, Lei Sun, Wanli Ni
https://arxiv.org/abs/2507.00388

Accuracy and Security-Guaranteed Participant Selection and Beamforming Design for RIS-Assisted Federated Learning
Federated learning (FL) has emerged as an effective approach for training neural network models without requiring the sharing of participants' raw data, thereby addressing data privacy concerns. In this paper, we propose a reconfigurable intelligent surface (RIS)-assisted FL framework in the presence of eavesdropping, where partial edge devices are selected to participate in the FL training process. In contrast, the remaining devices serve as cooperative jammers by transmitting jamming signals …

😆
Microsofts Secure Future Initiative: "Bullshit!"
https://www.heise.de/en/opinion/Microsofts-Secure-Future-Initiative-Bullshit-10506153.html

Microsofts Secure Future Initiative: "Bullshit!"
With the Secure Future Initiative, Microsoft's bosses promised to make security a top priority. "It's all just security theater," says Jürgen Schmidt.

»Managed-Detection and Response – meist mehr Schein als Sein«
Die Firmen auf die darauf setzen sind (selten) dies Schuldigen aber fallen ungeprüft leichtgläubig in MDR-Services, das sich als "IT-Security" verkaufen, herein – aber ja wem sage ich das? Nein simpel ist dies je nach Umfang sicherlich nicht.
🫥

Managed-Detection and Response – meist mehr Schein als Sein
Ein Blick hinter die Fassade vieler MDR-Services. Managed-Detection and Response (MDR) ist der neue Hype der IT-Sicherheitsbranche. Kaum ein Systemhaus,

Human-Written vs. AI-Generated Code: A Large-Scale Study of Defects, Vulnerabilities, and Complexity
Domenico Cotroneo, Cristina Improta, Pietro Liguori
https://arxiv.org/abs/2508.21634

Human-Written vs. AI-Generated Code: A Large-Scale Study of Defects, Vulnerabilities, and Complexity
As AI code assistants become increasingly integrated into software development workflows, understanding how their code compares to human-written programs is critical for ensuring reliability, maintainability, and security. In this paper, we present a large-scale comparison of code authored by human developers and three state-of-the-art LLMs, i.e., ChatGPT, DeepSeek-Coder, and Qwen-Coder, on multiple dimensions of software quality: code defects, security vulnerabilities, and structural complexit…

This is of course very bad, but I also found it funny. AI evangelists are suddenly privacy-aware and repeating this as a security risk. And it is. But the idea that using ChatGPT itself hasn’t always been a security risk is ridiculous to me.

TLDR: If you’ve ever used the share function on a ChatGPT chat, that full chat can be found via Google, viewable for anyone in the world.

https:…

New Features We Find Exciting in the #Kubernetes 1.34 Release
https://metalbear.co/blog/kubernetes-1-34/

Trump's Homeland Security Council Sets Its Sights on Zohran Mamdani (Jose Pagliery/NOTUS)
https://www.notus.org/trump-white-house/zohran-mamdani-homeland-security-trump
http://www.memeorandum.com/250702/p99#a250702p99

Varonis Systems agrees to acquire email security company SlashNext for up to $150M, including retention awards, after buying database company Cyral for ~$25M (Emily Forgash/Bloomberg)
https://www.bloomberg.com/news/articles/2025…

German security services launch campaign to warn about Russian recruitment of 'disposable agents': https://benborges.xyz/2025/08/30/german-security-services-launch-campaign.html

Metacurity is back after our hiatus, and we're shaking things up. Check out today's issue for a special report and a recap of the top infosec developments of the past two weeks, including
--More on DOGE and that insecure database at SSA…,
--UK's age ID law pushes users to non-compliant sites,
--Noem fires FEMA workers for failing basic security protocols,
--UNC6395 stole mass of authentication tokens from Salesloft,
--A hacker used Anthropic's Cl…

More on DOGE and that insecure database at SSA…
UK's age ID law pushes users to non-compliant sites, Noem fires FEMA workers for failing basic security protocols, UNC6395 stole a mass of authentication tokens from Salesloft, A hacker used Anthropic's Claude in crime spree, Salt Typhoon struck at least 200 organizations and 80 countries, more

Hundreds of Brother printer models have an unpatchable security flaw | The Verge
https://www.theverge.com/news/694877/brother-printers-security-flaw-password-vulnerability

Ukraine Pursues a Weapons Buildup More Potent Than Any Security Guarantee (Constant Méheut/New York Times)
https://www.nytimes.com/2025/09/02/world/europe/ukraine-weapons-security.html
http://www.memeorandum.com/250902/p23#a250902p23

Security: CERT@VDE wird erste deutsche Schaltzentrale für Sicherheitslücken
Das IT-Security-Zentrum des VDE ist zur zentralen Anlaufstelle im globalen CVE-Programm aufgestiegen. Es soll helfen, Sicherheitslücken zügiger zu schließen.

On the Implementation Security of Twin-Field Quantum Key Distribution using Optical Injection Locking
Sergio Ju\'arez, Alessandro Marcomini, Mikhail Petrov, Robert I. Woodward, Toby J. Dowling, R. Mark Stevenson, Marcos Curty, Davide Rusca
https://arxiv.org/abs/2508.21763

On the Implementation Security of Twin-Field Quantum Key Distribution using Optical Injection Locking
Twin-Field Quantum Key Distribution (TF-QKD) has emerged as a leading quantum communication protocol, enabling secure key distribution over unprecedented distances by utilising coherent interference of quantum states. Optical Injection Locking (OIL) architectures have been used to simplify the precise phase and frequency stabilisation required by TF-QKD. In this work, we systematically analyse potential side-channels in OIL-based TF-QKD that can be introduced through the various optical degrees…

Rapid7 finds eight vulnerabilities, including one remotely-exploitable flaw that cannot be fixed via firmware patch, affecting 689 models of Brother printers (Jess Weatherbed/The Verge)
https://www.theverge.com/news/694877/brother-printer…

Hundreds of Brother printer models have an unpatchable security flaw
Serious security flaws have been found in hundreds of Brother printer models that could allow attackers to remotely access the device.

Querying Attack-Fault-Defense Trees: Property Specification in Smart Grid and Aerospace Case Studies
Reza Soltani, Stefano M. Nicoletti, Milan Lopuha\"a-Zwakenberg, Mari\"elle Stoelinga
https://arxiv.org/abs/2506.23789

Querying Attack-Fault-Defense Trees: Property Specification in Smart Grid and Aerospace Case Studies
This paper introduces AFDL, a logic-based framework for reasoning about safety, security, and defense interactions in Attack-Fault-Defense Trees, which is a model that captures all safety, security, and defense domains in a single framework. We showcase both AFDL and propose a structured domain specific query language, LangAFDL, which enables domain experts to express complex analysis goals through intuitive templates. LangAFDL supports both Boolean and quantified queries as well as minimal cut…

A top Social Security Administration official turned whistleblower
says members of the Trump administration’s Department of Government Efficiency (DOGE)
uploaded hundreds of millions of Social Security records to a vulnerable cloud server,
putting the personal information of most Americans at risk of compromise.
Charles Borges, the Social Security Administration’s chief data officer,
said in a newly released whistleblower complaint published Tuesday
that o…

DOGE uploaded live copy of Social Security database to 'vulnerable' cloud server, says whistleblower | TechCrunch
The Social Security Administration's chief data officer has publicly blown the whistle, alleging DOGE put hundreds of millions of Social Security records at risk of compromise.

Exploring Privacy and Security as Drivers for Environmental Sustainability in Cloud-Based Office Solutions
Jason Kayembe, Iness Ben Guirat, Jan Tobias M\"uhlberg
https://arxiv.org/abs/2506.23866

Exploring Privacy and Security as Drivers for Environmental Sustainability in Cloud-Based Office Solutions
In this paper, we explore the intersection of privacy, security, and environmental sustainability in cloud-based office solutions, focusing on quantifying user- and network-side energy use and associated carbon emissions. We hypothesise that privacy-focused services are typically more energy-efficient than those funded through data collection and advertising. To evaluate this, we propose a framework that systematically measures environmental costs based on energy usage and network data traffic …

When the International Criminal Court gets hacked in June 2025, it's not clear who you might expect the culprits to be.
https://www.icc-cpi.int/news/icc-detects-and-contains-new-sophisticated-cyber-security-incident

So if the U.S. Capitol Police had beefed up a protective detail on Murkowski and Murkowski’s family, to protect them from maga violence and give the Senator the sense of security to vote as they themselves now seem to think they should have, would things be different?
We may never know.
#USpol

Trump Exaggerates His Agenda Bill's Impact on Social Security Taxes (Karoun Demirjian/New York Times)
https://www.nytimes.com/2025/07/01/us/politics/trump-bill-social-security-taxes.html
http://www.memeorandum.com/250701/p95#a250701p95

A Trio of US Treasury Hacks Exposes a Pattern Making Banks Nervous
https://www.bloomberg.com/news/features/2025-06-30/us-treasury-hacks-exposes-pattern-of-federal-security-missteps-report-finds

Not quite a piece of CHERI-cake: Are new digital security by design architectures usable?
Maysara Alhindi, Joseph Hallett
https://arxiv.org/abs/2506.23682 …

Not quite a piece of CHERI-cake: Are new digital security by design architectures usable?
A digital security-by-design computer architecture, like CHERI, lets you program without fear of buffer overflows or other memory safety errors, but CHERI also rewrites some of the assumptions about how C works and how fundamental types (such as pointers) are implemented in hardware. We conducted a usability study to examine how developers react to the changes required by CHERI when porting software to run on it. We find that developers struggle with CHERI's display of warnings and errors and a…

Quantum Leap in Finance: Economic Advantages, Security, and Post-Quantum Readiness
Gerhard Hellstern, Esra Yeniaras
https://arxiv.org/abs/2508.21548 https://

Quantum Leap in Finance: Economic Advantages, Security, and Post-Quantum Readiness
This paper provides an in-depth review of the evolving role of quantum computing in the financial sector, emphasizing both its computational potential and cybersecurity implications. Distinguishing itself from existing surveys, this work integrates classical quantum computing applications - such as portfolio optimization, risk analysis, derivative pricing, and Monte Carlo simulations with a thorough examination of blockchain technologies and post-quantum cryptography (PQC), which are crucial fo…

Before you head out for the weekend, and ahead of the big cyber news week ahead, check out today's Metacurity for the most crucial infosec developments you should know, including
--Russian group Turla impersonated Kaspersky to spy on embassies,
--China accuses US of exploiting Exchange flaw to steal data and launch attacks,
--China grills Nvidia on AI chip security risks,
--Google was indexing ChatGPT conversations,
--UK age verification law is blocking non-p…

Russian group Turla impersonated Kaspersky to spy on embassies
China accuses US of exploiting Exchange flaw to steal data and launch attacks, China grills Nvidia on AI chip security risks, Google was indexing ChatGPT conversations, UK age verification law is blocking non-porn content, Illumina to pay $9.8m to resolve US cybersecurity complaint, much more

Why Ukraine security guarantees are dead in the water: https://benborges.xyz/2025/08/29/why-ukraine-security-guarantees-are.html

Hundreds of protesters greeted Trump and the homeland security secretary, Kristi Noem, as they arrived at the hastily assembled concentration camp in the Florida Everglades .
The space was previously a largely disused airstrip surrounded by swampland abundant in alligators and Burmese pythons.
“You’ll have a lot of people that will deport on their own because they don’t want to end up in an Alligator Alcatraz, or some of these other places,” Governor Ron DeSantis said.
“Th…

An interview with CrowdStrike CEO George Kurtz on the company's M&A strategy as it acquires Madrid-based data observability startup Onum for about $290M (Allie Garfinkle/Fortune)
https://fortune.com/2025/08/27/crowdstrike-ceo-g…

Exclusive: Crowdstrike CEO George Kurtz on $290 million acquisition of startup Onum and security in the AI age
The cybersecurity company, which went public in 2019, is a longtime acquirer, and has acquired data observability startup Onum for about $290 million.

Stealtooth: Breaking Bluetooth Security Abusing Silent Automatic Pairing
Keiichiro Kimura, Hiroki Kuzuno, Yoshiaki Shiraishi, Masakatu Morii
https://arxiv.org/abs/2507.00847

Stealtooth: Breaking Bluetooth Security Abusing Silent Automatic Pairing
Bluetooth is a pervasive wireless communication technology used by billions of devices for short-range connectivity. The security of Bluetooth relies on the pairing process, where devices establish shared long-term keys for secure communications. However, many commercial Bluetooth devices implement automatic pairing functions to improve user convenience, creating a previously unexplored attack surface. We present Stealtooth, a novel attack that abuses unknown vulnerabilities in the automatic …

Trump Turns to Small Group of Advisers, Shrinks National Security Council (Wall Street Journal)
https://www.wsj.com/politics/national-security/trump-turns-to-small-group-of-advisers-shrinks-national-security-council-65b12aa5
http://www.memeorandum.com/250831/p47#a250831p47

zkLoRA: Fine-Tuning Large Language Models with Verifiable Security via Zero-Knowledge Proofs
Guofu Liao, Taotao Wang, Shengli Zhang, Jiqun Zhang, Shi Long, Dacheng Tao
https://arxiv.org/abs/2508.21393 …

zkLoRA: Fine-Tuning Large Language Models with Verifiable Security via Zero-Knowledge Proofs
Fine-tuning large language models (LLMs) is crucial for adapting them to specific tasks, yet it remains computationally demanding and raises concerns about correctness and privacy, particularly in untrusted environments. Although parameter-efficient methods like Low-Rank Adaptation (LoRA) significantly reduce resource requirements, ensuring the security and verifiability of fine-tuning under zero-knowledge constraints remains an unresolved challenge. To address this, we introduce zkLoRA, the fi…

Zelensky discusses security guarantees with Erdogan, says they'll be 'set out on paper next week': https://benborges.xyz/2025/08/28/zelensky-discusses-security-guarantees-with.html

https://www.irishtimes.com/media/2025/07/28/rte-investigating-potential-cyber-security-incident/
RTÉ investigating potential cyber security incident

RTÉ investigating potential cyber security incident
National Cyber Security Centre made contact with broadcaster in recent days

Sources: the US intelligence community persuaded the DOJ that allowing the HPE-Juniper merger was essential to US national security and competing with Huawei (Mike Allen/Axios)
https://www.axios.com/2025/07/30/merger-hpe-juniper-networks-national-security

U.S. intelligence intervened with DOJ to push HPE-Juniper merger
An official tells Axios that blocking the deal would have "hindered American companies and empowered" Chinese competitors.

The Trump administration is drawing up plans to rebrand the Department of Defense as the Department of War,
according to a White House official,
following up on the president’s push to revive a name last used in 1947.
https://www.wsj.com/politi…

Trump administration targets CNN coverage of migration app (Reuters)
https://www.reuters.com/business/media-telecom/homeland-security-secretary-noem-says-cnn-may-be-prosecuted-over-report-2025-07-01/
http://www.memeorandum.com/250702/p6#a250702p6

An ontological lens on attack trees: Toward adequacy and interoperability
\'Italo Oliveira, Stefano M. Nicoletti, Gal Engelberg, Mattia Fumagalli, Dan Klein, Giancarlo Guizzardi
https://arxiv.org/abs/2506.23841

An ontological lens on attack trees: Toward adequacy and interoperability
Attack Trees (AT) are a popular formalism for security analysis. They are meant to display an attacker's goal decomposed into attack steps needed to achieve it and compute certain security metrics (e.g., attack cost, probability, and damage). ATs offer three important services: (a) conceptual modeling capabilities for representing security risk management scenarios, (b) a qualitative assessment to find root causes and minimal conditions of successful attacks, and (c) quantitative analyses via s…

Ukraine calls emergency UN Security Council meeting over Russian strike on Kyiv: https://benborges.xyz/2025/08/29/ukraine-calls-emergency-un-security.html

Tea, which claims to make dating safer for women, is the #2 app in the US App Store, despite multiple security flaws exposing private chats, photo IDs, and more (Ben Lovejoy/9to5Mac)
https://9to5mac.com/2025/07/29/tea-app-secur…

Tea app security breaches reveal private chats and photo ID
Two major security vulnerabilities in the Tea app – which claims to make dating safer for women – have exposed...

CISA to release telecom security report as its director nominee nears confirmation
https://www.nextgov.com/cybersecurity/2025/07/cisa-release-telecom-security-report-its-director-nominee-…

CISA to release telecom security report as its director nominee nears confirmation
The 2022 report, which has not been made publicly available, has been used as leverage by Senator Ron Wyden to hold Sean Plankey from being confirmed as director of CISA.

Columbia’s new policies intended to stop and punish any on-campus criticism of the Gaza genocide
by characterizing it as “antisemitism”
have made it impossible for Rashid Khalidi to teach his planned fall course.
See his explanation here, which ends with:
Columbia’s capitulation has turned a university that was once a site of free inquiry and learning
into a shadow of its former self,
an-anti university, a gated security zone with electronic entry controls,…

Crisis Response Networks: Wartime Civic Engagement in Ukraine’s Local Governments: https://benborges.xyz/2025/07/01/crisis-response-networks-wartime-civic.html

Wallarm, which builds a platform for API and AI security, raised a $55M Series C led by Toba Capital after an $8M Series A in 2018, taking total raised to ~$66M (Michael Novinson/BankInfoSecurity.com)
https://www.bankinfosecurity.com/wallarm-s

Trump's newborn savings accounts a 'back door for privatizing Social Security,' Bessent says (Jacob Bogage/Washington Post)
https://www.washingtonpost.com/business/2025/07/30/trump-accounts-social-security-bessent/
http://www.memeorandum.com/250731/p74#a250731p74

Replaced article(s) found for cs.CR. https://arxiv.org/list/cs.CR/new
[1/1]:
- How Resilient is QUIC to Security and Privacy Attacks?
Jayasree Sengupta, Debasmita Dey, Simone Ferlin-Reiter, Nirnay Ghosh, Vaibhav Bajpai

The government in Switzerland is informing that sensitive information from various federal offices has been impacted by a ransomware attack at the third-party organization Radix.
https://www.bleepingcomputer.com/news/security/switze…

Switzerland says government data stolen in ransomware attack
The government in Switzerland is informing that sensitive information from various federal offices has been impacted by a ransomware attack at the third-party organization Radix.

Israel-based Noma Security, whose platform secures enterprise data and AI models against AI agents, raised a $100M Series B, bringing its total funding to $132M (Steven Scheer/Reuters)
https://www.reuters.com/world/middle-east/

Threadbox: Sandboxing for Modular Security
Maysara Alhindi, Joseph Hallett
https://arxiv.org/abs/2506.23683 https://arxiv.org/pdf/250…

Threadbox: Sandboxing for Modular Security
There are many sandboxing mechanisms provided by operating systems to limit what resources applications can access, however, sometimes the use of these mechanisms requires developers to refactor their code to fit the sandboxing model. In this work, we investigate what makes existing sandboxing mechanisms challenging to apply to certain types of applications, and propose Threadbox, a sandboxing mechanism that enables having modular and independent sandboxes, and can be applied to threads and san…

Researchers confirmed that 29 devices from Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs, and Teufel are affected.
Bluetooth flaws could let hackers spy through your microphone
https://www.bleepingcomputer.com/news/secu

Bluetooth flaws could let hackers spy through your microphone
Vulnerabilities affecting a Bluetooth chipset present in more than two dozen audio devices from ten vendors can be exploited for eavesdropping or stealing sensitive information.

Internal emails and audits warn the Schengen Information System II, the system used by EU border forces, is rife with software and security vulnerabilities (Bloomberg)
https://www.bloomberg.com/news/articles/2025-…

A Large-Scale Evolvable Dataset for Model Context Protocol Ecosystem and Security Analysis
Zhiwei Lin, Bonan Ruan, Jiahao Liu, Weibo Zhao
https://arxiv.org/abs/2506.23474

A Large-Scale Evolvable Dataset for Model Context Protocol Ecosystem and Security Analysis
The Model Context Protocol (MCP) has recently emerged as a standardized interface for connecting language models with external tools and data. As the ecosystem rapidly expands, the lack of a structured, comprehensive view of existing MCP artifacts presents challenges for research. To bridge this gap, we introduce MCPCorpus, a large-scale dataset containing around 14K MCP servers and 300 MCP clients. Each artifact is annotated with 20+ normalized attributes capturing its identity, interface conf…

Fable, a startup offering AI-generated security training for employees, comes out of stealth having raised $31M, a source says at a $120M valuation (Thomas Brewster/Forbes)
https://www.forbes.com/sites/thomasbrewste

This $120 Million Startup’s AI Will Teach You How To Suck Less At Security
With a $31 million raise, Fable is aiming to take on multi-billion companies with its AI-generated security training targeted at employees who need it.

https://cyberscoop.com/att-wireless-account-lock-sim-swapping-protection/
AT&T deploys new account lock feature to counter SIM swapping

House Homeland Security Democrats allude to internment camps as they slam 'Alligator Alcatraz' facility (Gregory Svirnovskiy/Politico)
https://www.politico.com/live-updates/2025/07/01/congress/democrats-slam-alligator-alcatraz-00436039
http://www.memeorandum.com/250701/p139#a250701p139

Safe Low Bandwidth SPV: A Formal Treatment of Simplified Payment Verification Protocols and Security Bounds
Craig S Wright
https://arxiv.org/abs/2507.00740

Safe Low Bandwidth SPV: A Formal Treatment of Simplified Payment Verification Protocols and Security Bounds
This paper presents a complete formal specification, protocol description, and mathematical proof structure for Simplified Payment Verification (SPV) as originally defined in the Bitcoin whitepaper \cite{nakamoto2008}. In stark contrast to the misrepresentations proliferated by popular implementations, we show that SPV is not only secure under bounded adversarial assumptions but strictly optimal for digital cash systems requiring scalable and verifiable transaction inclusion. We reconstruct the…

Investigation: three US Treasury hacks in the past five years were due to a failure to deploy basic security measures, as DOGE cuts further weaken the agency (Bloomberg)
https://www.bloomberg.com/news/features/20

Ghislaine Maxwell Moved to Minimum-Security Women's Prison in Texas (Alan Feuer/New York Times)
https://www.nytimes.com/2025/08/01/us/politics/ghislaine-maxwell-prison-texas.html
http://www.memeorandum.com/250801/p68#a250801p68

Lock Prediction for Zero-Downtime Database Encryption
Mohamed Sami Rakha, Adam Sorrenti, Greg Stager, Walid Rjaibi, Andriy Miranskyy
https://arxiv.org/abs/2506.23985

Lock Prediction for Zero-Downtime Database Encryption
Modern enterprise database systems face significant challenges in balancing data security and performance. Ensuring robust encryption for sensitive information is critical for systems' compliance with security standards. Although holistic database encryption provides strong protection, existing database systems often require a complete backup and restore cycle, resulting in prolonged downtime and increased storage usage. This makes it difficult to implement online encryption techniques in high-…

Cloudflare says attackers gained access to a Salesforce instance it uses for internal customer case management, as part of the Salesloft Drift breach (Sergiu Gatlan/BleepingComputer)
https://www.bleepingcomputer.com/news/secu

Whoa, a positive development on the federal government funding front, where it's needed, perhaps, most - state and local grants.
DHS Launches Over $100 Million in Funding to Strengthen Communities’ Cyber Defenses

EXCLUSIVE: Someone Waived Ghislaine Maxwell's Sex Offender Status to Move Her to a Minimum Security Camp in Texas (Allison Gill/The Breakdown)
https://www.muellershewrote.com/p/exclusive-someone-waived-ghislaine
http://www.memeorandum.com/250801/p79#a250801p79

Towards a Decentralized IoT Onboarding for Smart Homes Using Consortium Blockchain
Narges Dadkhah, Khan Reaz, Gerhard Wunder
https://arxiv.org/abs/2508.21480 https://

Towards a Decentralized IoT Onboarding for Smart Homes Using Consortium Blockchain
The increasing adoption of smart home devices and IoT-based security systems presents significant opportunities to enhance convenience, safety, and risk management for homeowners and service providers. However, secure onboarding-provisioning credentials and establishing trust with cloud platforms-remains a considerable challenge. Traditional onboarding methods often rely on centralized Public Key Infrastructure (PKI) models and manufacturer-controlled keys, which introduce security risks and li…

Qantas discloses a data breach after hackers gained access to a third-party platform with personal data of 6M customers, but says no financial info was exposed (Lawrence Abrams/BleepingComputer)
https://www.bleepingcomputer.com/news/secu

Poisoning Attacks to Local Differential Privacy for Ranking Estimation
Pei Zhan (School of Cyber Science and Technology, Shandong University, State Key Laboratory of Cryptography and Digital Economy Security, Shandong University, Qingdao, China), Peng Tang (School of Cyber Science and Technology, Shandong University, State Key Laboratory of Cryptography and Digital Economy Security, Shandong University, Qingdao, China), Yangzhuo Li (School of Cyber Science and Technology, Shandong Univ…

Poisoning Attacks to Local Differential Privacy for Ranking Estimation
Local differential privacy (LDP) involves users perturbing their inputs to provide plausible deniability of their data. However, this also makes LDP vulnerable to poisoning attacks. In this paper, we first introduce novel poisoning attacks for ranking estimation. These attacks are intricate, as fake attackers do not merely adjust the frequency of target items. Instead, they leverage a limited number of fake users to precisely modify frequencies, effectively altering item rankings to maximize ga…

Securing AI Systems: A Guide to Known Attacks and Impacts
Naoto Kiribuchi, Kengo Zenitani, Takayuki Semitsu
https://arxiv.org/abs/2506.23296 https://

Securing AI Systems: A Guide to Known Attacks and Impacts
Embedded into information systems, artificial intelligence (AI) faces security threats that exploit AI-specific vulnerabilities. This paper provides an accessible overview of adversarial attacks unique to predictive and generative AI systems. We identify eleven major attack types and explicitly link attack techniques to their impacts -- including information leakage, system compromise, and resource exhaustion -- mapped to the confidentiality, integrity, and availability (CIA) security triad. We…

19-year-old Edward Coristine, a DOGE staffer known as "Big Balls" online, has joined the Social Security Administration days after resigning from the GSA (Wired)
https://www.wired.com/story/big-balls-social-security-administration/

‘Big Balls’ Is Now at the Social Security Administration
Edward “Big Balls” Coristine’s placement at the SSA comes after a White House official told WIRED on Tuesday that the 19-year-old had resigned from his position in government.

Agentic Discovery and Validation of Android App Vulnerabilities
Ziyue Wang, Liyi Zhou
https://arxiv.org/abs/2508.21579 https://arxiv.org/pdf/2508.21579

Agentic Discovery and Validation of Android App Vulnerabilities
Existing Android vulnerability detection tools overwhelm teams with thousands of low-signal warnings yet uncover few true positives. Analysts spend days triaging these results, creating a bottleneck in the security pipeline. Meanwhile, genuinely exploitable vulnerabilities often slip through, leaving opportunities open to malicious counterparts. We introduce A2, a system that mirrors how security experts analyze and validate Android vulnerabilities through two complementary phases: (i) Agenti…

An Empirical Study of Vulnerable Package Dependencies in LLM Repositories
Shuhan Liu, Xing Hu, Xin Xia, David Lo, Xiaohu Yang
https://arxiv.org/abs/2508.21417 https://

An Empirical Study of Vulnerable Package Dependencies in LLM Repositories
Large language models (LLMs) have developed rapidly in recent years, revolutionizing various fields. Despite their widespread success, LLMs heavily rely on external code dependencies from package management systems, creating a complex and interconnected LLM dependency supply chain. Vulnerabilities in dependencies can expose LLMs to security risks. While existing research predominantly focuses on model-level security threats, vulnerabilities within the LLM dependency supply chain have been overl…