
In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption

Cybersecurity news that you may have missed this week: AI regulation, layoffs, US aerospace malware attacks, and post-quantum encryption.

SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under the radar.

We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless crucial for a comprehensive understanding of the cybersecurity landscape.

Each week, we will curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.

By bringing these stories to your attention, we empower you to stay informed, enhance your security posture, and make well-informed decisions to protect your organization.

Here are this week’s stories:

AI regulation still a long way off

The EU was thought to be close to AI regulation, but progress on the AI Act has stumbled. Blame is being laid on the EPP party for apparently wishing to change the rules. The problem appears to be the detail involved in remote biometric identification. Meanwhile, in the US, MeriTalk reports that “Congress appears to be just lining up at the starting gate with its own efforts to explore possible regulation of the technology.” One obvious complication is whether GPT-speak should be protected under the First Amendment.

CSC’s recommendations on securing US critical infrastructure

In a new report, the Cyberspace Solarium Commission (CSC) deems the system currently used to designate critical sectors as inadequate. CSC evaluates the state of the public-private sector relationship, underlines flaws in policy implementation, and provides recommendations on how to change it to improve national security.

Dragos and SentinelOne announce layoffs

Industrial cybersecurity firm Dragos is laying off 50 employees, or roughly 9% of its workforce, after missing its Q1 targets. Impacted individuals have been offered severance packages and other benefits. 

SentinelOne shares took a nosedive recently after the company announced poor financial results and layoffs that impacted 100 employees, representing 5% of its workforce.

Radiflow and Network Perception update OT security platforms

OT security firms Radiflow and Network Perception have announced significant product updates. Radiflow has updated its CIARA platform to version 4.0, which introduces a benchmark tool and delivers actionable insights for managing risks in large multi-site industrial facilities. Network Perception has launched version 4.2 of its NP-View OT network security solution, which should make OT network path analysis and reporting faster and more comprehensive.

OWASP Top 10 for Large Language Model applications

OWASP has published a Top 10 list of security risks associated with large language model (LLM) applications. Vulnerabilities include prompt injections, data leakage, inadequate sandboxing, and unauthorized code execution.

Tor getting DoS mitigation feature

The Tor Project is working on a denial-of-service (DoS) mitigation feature in which clients will be asked to ‘solve’ a puzzle and prove they have the solution. Highly adaptable, the puzzle challenge would prioritize requests and be turned off entirely when the service is not overloaded.

RenderDoc vulnerabilities leading to EoP, RCE

Qualys has shared technical details on three vulnerabilities in the RenderDoc graphics debugger. Tracked as CVE-2023-33865, CVE-2023-33864 and CVE-2023-33863, the flaws could lead to escalation of privilege (EoP) and remote code execution (RCE). The first of the bugs is “an intellectually stimulating challenge to exploit”, Qualys says.

Microsoft guide for finding vulnerabilities with Yara 

Microsoft has published a guide on how Yara can be used to create rules for finding different types of software vulnerabilities. Examples include deserialization vulnerabilities that can lead to arbitrary code execution, command injection vulnerabilities, and loose regular expressions that can be bypassed and could lead to SSRF.

Chinese Communist Party tracked protesters via ByteDance (TikTok) data 

A former executive at ByteDance, the Chinese company that owns TikTok, said in a legal filing that some members of the ruling Communist Party used data held by the company to identify and locate protesters in Hong Kong.

US aerospace industry targeted with new PowerDrop malware

Adlumin has identified suspected nation-state attacks using the PowerDrop PowerShell script against the US aerospace industry. A remote access trojan (RAT) built on PowerShell and Windows Management Instrumentation (WMI), it allows attackers to execute commands remotely on the victims’ networks.

QuSecure’s drive for post-quantum encryption 

The US Army has given QuSecure a Small Business Innovation Research (SBIR) Phase II contract for post-quantum encryption. It allots up to $2 million to address use in tactical edge and tactical IoT devices that can be used for battle-ready deployment. It follows an SBIR III grant from the US Air Force in autumn. QuSecure offers a quantum-secure channel with built-in crypto agility.

SDK for quantum software

Australian firm Quantum Brilliance has announced the full release of its Qristal SDK. Quantum Brilliance develops miniaturized, room-temperature and portable quantum computing products. Use-cases include classical-quantum hybrid applications in data centers, massively parallel clusters for computational chemistry and embedded accelerators for edge computing applications such as robotics, autonomous vehicles, and satellites. But quantum computers require new software – hence the SDK.

Kevin Townsend and Ionut Arghire contributed to this article

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
