On the 270th day after President Biden's Executive Order (EO) on the Safe, Secure, and Trustworthy Development of Artificial Intelligence (AI), the US Department of Commerce announced the release of new guidance and software to help improve the safety, security, and trustworthiness of AI systems. The department's National Institute of Standards and Technology (NIST) has released three final guidance documents that were first made available for public comment in April, along with a draft guidance document from the US AI Safety Institute to help mitigate risks.

Phishing campaigns involving Microsoft Forms have increased to steal Microsoft 365 login credentials. Threat actors use breached business partners' and vendors' email accounts to send phishing emails. The latest campaigns use emails in the form of fake mail error notifications from Microsoft and bid invitations. This article continues to discuss findings regarding the phishing campaigns leveraging Microsoft Forms to trick targets into sharing their Microsoft 365 login credentials.

Researchers at Salt Labs have discovered and published details of a Cross-Site Scripting (XSS) attack that could affect millions of websites worldwide. It is not a product vulnerability that can be patched centrally, as it is more of an implementation issue between web code and OAuth, a popular app for social logins. This article continues to discuss the vulnerability of millions of websites to an XSS attack due to an OAuth implementation flaw.

Threat actors are abusing a Selenium Grid misconfiguration to deploy a modified XMRig tool for Monero cryptocurrency mining. Selenium Grid is a popular web app testing framework used by developers to automate testing across multiple machines and browsers. Researchers at Wiz discovered that the malicious activity, which they are tracking as "SeleniumGreed," has been running for over a year, exploiting the service's lack of authentication in the default configuration.

According to Binarly, there is a Secure Boot issue affecting hundreds of computer models. The vulnerability, called "PKfail," enables attackers to run malicious code during the device's boot process. It stems from an exposed American Megatrends International (AMI) Platform Key (PK), a Secure Boot private key. The exposed PK was a default key provided by AMI and was not meant for use in production. However, several major computer manufacturers shipped many devices with the untrusted key as they did not change the PK.

Researchers at Monash University give their insights on the rise of dark Large Language Models (LLMs), what we can do to protect ourselves, and the role of government in regards to regulations on Artificial Intelligence (AI). They note that widely available generative AI tools have further complicated cybersecurity, so online security is more important than ever. Dark LLMs are uncensored versions of AI systems such as ChatGPT. Re-engineered for criminal activities, they can be used to improve phishing campaigns, create sophisticated malware, and more.

Washington State University researchers have developed an algorithm that improves upon discovering data anomalies, including in streaming data. Their work contributes to Artificial Intelligence (AI) methods that could be applied in domains where anomalies in large amounts of data need to be found quickly, such as cybersecurity. This article continues to discuss the algorithm developed by Washington State University researchers to better find data anomalies than current anomaly-detection software.

The Association for Computing Machinery's (ACM) global Technology Policy Council (TPC) has released "TechBrief: Data Privacy Protection," which highlights the growing ineffectiveness of controls over information privacy. As data collection, advanced algorithms, and powerful computers have increased, it has become easier to piece together information about individuals' private lives from public information. This article continues to discuss key points from "TechBrief: Data Privacy Protection."

A team of researchers from the University of Luxembourg and the KASTEL Security Research Labs has devised a security protocol that allows court-authorized monitoring of end-to-end encrypted or anonymous communications while also detecting illicit or extensive surveillance. The new security protocol balances legitimate communication interception with privacy protection. This article continues to discuss the new security protocol devised by researchers at the University of Luxembourg and the KASTEL Security Research Labs.

NVIDIA has patched a high-severity flaw impacting its Jetson series computing boards. The exploitation of this vulnerability could enable Denial-of-Service (DoS), code execution, and privilege escalation in Artificial Intelligence (AI)-powered systems. This article continues to discuss the potential exploitation and impact of the flaw in Jetson software used in AI-powered systems, as well as other NVIDIA vulnerabilities that pose risks to networking and data center solutions.