IEEE Cipher --- Items from security-related news (E191)
Summary:
The unending attack/defense dynamic in cybersecurity may have become
unbalanced in favor of attack by an AI system with unprecedented
hacking skills. When Anthropic's researchers asked Mythos to
scan the source code of various operating systems, it flagged
thousands of places where weaknesses existed. Instead of
releasing the AI model, Anthropic set up a consortium, Glasswing,
to investigate its capabilities.
Weaknesses are not the same as exploitable flaws, and the researchers will need to determine just how much havoc Mythos could cause in practice.
Summary:
The heads of the US Treasury Department and the Federal Reserve warned
bank CEOs about the dangers posed by Anthropic's Mythos AI model. The
goal was to make banks aware of a potential change in the cybersecurity
landscape. With advance warning, banks will be better able to keep
their systems safe.
Summary:
Cloudflare is one of the companies in the Glasswing Consortium.
This account of their experiments with Mythos helps delineate
its capabilities from the general consternation that Anthropic's
announcements created. Mythos seems to be a potent force, and
this statement from their evaluation team explains why. The
group compared Mythos to other AI systems for finding security
problems in code; this is their statement about them:
"Where they fell short was at the point of stitching the pieces
together. A model would identify an interesting bug, write a
thoughtful description of why it mattered, and then stop, leaving the
actual chain unfinished and the question of exploitability open. What
changed with Mythos Preview is that a model can now take those
low-severity bugs (which would traditionally sit invisible in a
backlog) and chain them into a single, more severe exploit."
Summary:
Headhunters in the tech field share in the misery of
struggling workers looking for jobs in the software industry. But
they have noted an uptick in one sector (other than AI) -- "Cybersecurity
job postings in the first quarter were up 11 percent from a year
earlier." As impressive as AI coding seems, humans are still needed
to review security. [Ed. I have seen AI fail badly at basic security
advisements. Transmitting plaintext passwords is perfectly acceptable
if it is part of a library of "secure login methods."]. Further
positivity comes from Lea Kissner, the chief information security
officer at LinkedIn, "The job market for security people is getting
hotter and hotter."
Summary:
In a previous Cipher issue we reported that the
FCC tightened regulations on
home routers, requiring approval for new sales. Shortly
thereafter, the FCC issued a
public notice, stating that many (all?) of Netgear's
routers were determined not to be national security risks and had
"Conditional Approval" until October 2027. There was no mention
of how the determination was made.
Summary:
Several experts in the cybersecurity industry weigh in on Iranian
cyberintrusion tactics against the US and Israel. The techniques
focus on misinformation, especially on Israeli targets, probes
against infrastructure controls, and stealing personal information
from public officials, notably FBI Director Kash Patel. As they
say, "there's no ceasefire in the cybersphere."
Summary:
Headphones that you use with your computer can easily be divulging
personal biometric data to third parties, according to Kirk Nahra, a
partner at WilmerHale. He warns that "any data that's collected by
your headphone app - such as your location, heart rate, movement,
hearing loss, temperature, or neural activity - may be used for
marketing or other purposes." Some headphones collect this data for
health and fitness apps, and it is not protected by HIPAA. He notes
that "the state of privacy laws is generally bad for patients."
Summary:
The days of chalkboard lectures are long gone, and college professors
today deliver lectures through multiple channels, assignments through
websites, and grades through secure interfaces to administrative
portals. For many learning institutions, this fairly smooth interface
between students, professors, and administration was completely broken
when a major learning management system, Canvas, was thoroughly
hacked. Classes were canceled, end-of-term grades were unavailable, and Canvas
faced information ransom demands from invisible cyber criminals in
a group known as ShinyHunters. They were threatening to release
personal data of students and billions of private messages within
the learning institutions.
The Canvas system is a product of Instructure, a company based in Salt Lake City, Utah. Finding itself with no immediate remedy to the cyberattack, the company reached a deal to protect its users. It did not disclose the amount of the suspected payment. Shortly after, Canvas resumed operation.
Summary:
This report shows that AI is being actively used to find and exploit
zero-day vulnerabilities, to orchestrate attacks, and to develop cyberattack
tools. In parallel, hackers get free access to LLMs by using
anonymized accounts and middleware to bypass usage limits and
scrutiny. On top of all this, supply chain attacks on the components
of AI can potentially corrupt the privacy and integrity of AI
interactions.
The analysis is based on information collected by Mandiant, Gemini, and other sources.
Summary:
Google's quantum research group has released a paper giving new
estimates for the quantum resources necessary to solve elliptic curve
discrete logs over a finite field. The resource estimates are crucially
important to determining the risk to today's cryptographic methods
that rely on such curves. Google expects to produce a quantum
computer within some small number of years. The fewer resources
required for breaking elliptic curve cryptography, the nearer we are
to the moment when much of today's cryptography will be vulnerable to
a quantum computation attack.
The Google group chose to disclose the existence of their quantum circuits in an unusual way. They have provided a proof that their circuit has their claimed capabilities, but they have not shown the actual circuit. By using a zero-knowledge proof, they can show that the circuit exists and works as claimed, but the design remains secret.
Their work is highly relevant to the security of Bitcoin and its use of ECDLP-based digital signatures. When and if a quantum computer capable of executing this new circuit comes into being, Bitcoin security would be seriously, even completely, undermined. The authors urge that Post Quantum Cryptography (PQC) methods be implemented with due haste.
Summary:
The GitHub code repository is for open source code, and it is widely
used. The administration of the site requires specialized tools,
and a nefarious hacker group struck a blow to the site's integrity
by secretly adding malware to those tools. GitHub found at least
3,800 compromised repositories of their own code. That meant that
as privileged GitHub personnel used the tools, they may have been corrupting
other parts of the system. The group responsible for the attack,
TeamPCP, has been ripping through code distribution systems in
multiple waves of supply chain attacks. The corrupted code can enable
credential harvesting and other techniques that widen the footprint
of the attackers and give them access credentials that can be sold
and/or exploited.
Summary:
Researchers and investigators got to see the offensive framework that
underlies the TeamPCP supply chain attacks. On May 12, 2026, a GitHub
repository appeared, and it had the complete source code for the
Shai-Hulud tools attributed to TeamPCP. The README file was worded to
imply that the repository had been created by TeamPCP.
The article has an in-depth discussion of the code, and it is interesting reading. One tidbit: there is a predicate named isSystemRussian that causes an exit if true.