"Verizon Insider Data Breach Hits Over 63,000 Employees"

Verizon Communications has recently warned that an insider data breach impacts almost half its workforce, exposing sensitive employee information. A data breach notification shared with the Office of the Maine Attorney General reveals that a Verizon employee gained unauthorized access to a file containing sensitive employee information on September 21, 2023. Verizon says it discovered the breach on December 12, 2023, nearly three months later, and determined that the file contained sensitive information of 63,206 employees.

Submitted by Adam Ekwall on

"AWS, Cisco, Google, NVIDIA and IBM Join With Linux Foundation in Post-Quantum Cryptography Initiative"

The Linux Foundation has announced the launch of the Post-Quantum Cryptography Alliance (PQCA). This effort brings chip makers, cloud providers, researchers, and developers together to address the cryptographic security challenges raised by quantum computing. The PQCA's founding members include Amazon Web Services (AWS), Cisco, Google, IBM, NVIDIA, QuSecure, the University of Waterloo, and more. The PQCA will participate in different technical projects that support its objectives, including developing software for evaluating, prototyping, and implementing new post-quantum algorithms.

Submitted by Gregory Rigby on

"ResumeLooters Target Job Search Sites in Extensive Data Heist"

Group-IB researchers have discovered a malicious campaign aimed primarily at job search and retail websites of companies in the Asia-Pacific region. Between November and December 2023, the group called ResumeLooters successfully infected at least 65 websites using SQL injection and XSS attacks. Most victims were in India, Taiwan, Thailand, Vietnam, China, and Australia. The group has stolen several databases containing over 2 million different emails and other sensitive records. ResumeLooters then offered the stolen data for sale on Telegram channels.

Submitted by Gregory Rigby on

"Google Contributes $1 Million to Rust, Says It Prevented Hundreds of Android Vulnerabilities"

Google recently announced a grant of $1 million to the Rust Foundation, meant to help improve the interoperability between Rust and C++ code.  Google joined the Rust Foundation in 2021 for the same reason and has adopted the memory-safe programming language across Android and other Google products due to its benefits for addressing memory safety vulnerabilities.  Based on historical vulnerability density statistics, Google noted that Rust has proactively prevented hundreds of vulnerabilities from impacting the Android ecosystem.

Submitted by Adam Ekwall on

"Iran-Linked Hackers Claim Attack on Albania's Institute of Statistics"

Homeland Justice, an Iran-linked hacking group that has previously targeted Albanian state agencies and businesses, has claimed responsibility for an attack on the country's Institute of Statistics (INSTAT). This institute is responsible for census data and other official statistics. The cyber incident affected INSTAT's official website and email service, forcing the agency to delay official statistics. INSTAT announced that the hackers did not access recent census data because it is stored in other systems dedicated to this purpose.

Submitted by Gregory Rigby on

"Canon Patches 7 Critical Vulnerabilities in Small Office Printers"

Japanese electronics maker Canon recently announced software updates that patch seven critical-severity vulnerabilities impacting several small office printer models.  The issues, described as buffer overflow bugs, can be exploited over the network for remote code execution (RCE) or to cause the vulnerable product to become unresponsive.  The flaws are tracked as CVE-2023-6229 through CVE-2023-6234 and CVE-2024-0244.  According to Japan’s vulnerability information portal JVN, they have a CVSS score of 9.8.

Submitted by Adam Ekwall on

"Critical Remote Code Execution Vulnerability Patched in Android"

Google recently announced patches for 46 vulnerabilities in Android, including a critical-severity bug leading to remote code execution. The flaw, tracked as CVE-2024-0031 and impacting Android Open Source Project (AOSP) versions 11, 12, 12L, 13, and 14, was identified in the platform’s System component. Google noted that the most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed.

Submitted by Adam Ekwall on

"Security in the Cyber City - Methods of Anomaly Detection for the Prevention and Detection of Cyberattacks"

Researchers at the Thanthai Periyar Government Arts and Science College have proposed using system behavioral modeling as well as unattended or semi-supervised Machine Learning (ML) to help solve the cybersecurity problem in smart cities. According to the team, by training ML models on relevant datasets, security systems can better identify and mitigate cyber threats. An ongoing challenge is ensuring the reliability and completeness of those datasets so that anomalies can be detected confidently.

Submitted by Gregory Rigby on

"Audio-Jacking: Using Generative AI to Distort Live Audio Transactions"

The emergence of generative Artificial Intelligence (AI), such as text-to-image, text-to-speech, and Large Language Models (LLMs), has created new security challenges and risks. Threat actors are increasingly attempting to exploit LLMs to compose phishing emails and use generative AI, including fake voices, to scam victims. IBM researchers have presented a successful attempt to intercept and hijack a live conversation. They used LLMs to understand the conversation in order to manipulate the audio output. This attack would allow the adversary to manipulate an audio call's outcomes silently.

Submitted by Gregory Rigby on

"MIT Student Claims to Hack Apple Vision Pro on Launch Day"

Joseph Ravichandran, a Ph.D. student at the Massachusetts Institute of Technology (MIT) and an Apple Vision Pro user, says they have discovered vulnerabilities in the popular Augmented Reality (AR) headset. Ravichandran posted an image on X, formerly Twitter, showing what appears to be a kernel exploit for Vision Pro. A kernel exploit targets an operating system's core component that manages system resources and provides critical services to other system parts and user applications.

Submitted by Gregory Rigby on