IEEE Cipher --- Items from security-related news (E185)
Summary:
There are reports of communication devices found on equipment from
China, like power inverters and batteries, that were not disclosed
to the US purchaser. The US government has declined to comment on
the reports, and the Chinese government has defended its achievements
in producing infrastructure equipment. There has been no information
about the purpose of the communication devices, but US security experts
warn that the devices might enable remote operation or disabling of
the equipment.
The possibility of Trojan Horse devices in critical infrastructure equipment has long been a worry of the US government. "In February, two U.S. Senators introduced the Decoupling from Foreign Adversarial Battery Dependence Act, banning the Department of Homeland Security from purchasing batteries from some Chinese entities, starting October 2027, due to national security concerns."
There is no way to determine if the placement of the unexplained communication devices was a deliberate act of Chinese operatives or a mix-up in shipment by the manufacturer. Perhaps the exact circumstances are less important than the fact that keeping a nation secure requires constant attention to cyber detail.
Summary:
Of the many thousands of hardware and software vulnerabilities
discovered each year, only a handful will be exploited. If
we could prioritize protecting ourselves from those, it would
save time and money. This paper proposes a method for identifying
the vulnerabilities most likely to be exploited, but the authors
note that the method requires close collaboration with industry.
The paper discusses how the existing Exploit Prediction Scoring System can be statistically augmented with Known Exploited Vulnerability lists to produce Likely Exploited Vulnerabilities lists that can have increased accuracy compared to the current state of the art.
Summary:
According to the DOJ, the LummaC2 software has been used to exfiltrate
personal information from victims "in order to facilitate a host of
crimes". In partnership with Microsoft, DOJ disrupted the software
usage and control system by taking down two Internet domains. When hackers
tried to get around that by opening three new domains, the DOJ
immediately seized those. Microsoft was said to be instigating
civil action to take down another 2300 affiliated domains.
Summary:
"After a joint investigation with allies including the US, Germany and
France, the UK's National Cyber Security Centre (NCSC) said a Russian
military unit had been targeting both public and private organisations
since 2022." The Russians appeared to have accessed many surveillance
cameras used by these organizations in and near Ukraine. The cameras
presumably gave the Russians information about aid shipments and their
distribution. John Hultquist, chief analyst at Google Threat
Intelligence Group, said that anyone moving goods into Ukraine should
assume that they had been targeted by Russian intelligence groups.
Summary:
Authorities in the US, Germany, the UK, France, South Korea, Austria,
the Netherlands, Brazil, Switzerland, and Spain arrested people
accused of being part of a dark web marketplace that dealt in
illegal drugs, guns and knives, and counterfeit products. Europol
provided the intelligence that led to the arrests and contraband
seizures.
Summary:
After purchasing a pre-owned Volkswagen in 2024, cybersecurity
researcher Vishal Bhaskar was frustrated in trying to connect
the vehicle to the My Volkswagen app on his phone. So, he did
some network snooping and some Python scripting to get access to
his car's internal data. He was very surprised to find that
the previous owner's personal data, including home address and
driving license information, were clearly available, along with
information that might allow the vehicle to be operated remotely.
He reported this to VW last November, and this month they
told him that all vulnerabilities had been patched.
Summary:
Ten years ago the EPA accused VW of introducing software into their
diesel-engine vehicles that allowed them to pass emissions tests
even though in normal driving the vehicles exceeded the statutory
limits. Two managers in the US received prison sentences; now
four German managers for VW have also been sentenced to prison for
their part in the fraud.