Apple’s new Memory Integrity Enforcement system deals a huge blow to spyware developers
Article Link: https://cyberscoop.com/apple-memory-integrity-enforcement-iphone-ios-anti-spyware/
- Apple has announced new security protections with the launch of the iPhone 17 and iPhone Air, both equipped with the A19 and A19 Pro chips. The key feature, Memory Integrity Enforcement (MIE), is designed to provide always-on defenses against spyware that exploits memory vulnerabilities.
- A key part of the new system is the Enhanced Memory Tagging Extension (EMTE). This works by giving each piece of memory a secret tag and checking it every time the memory is used. If the tag does not match, the program is stopped and the incident is recorded.
- Patrick Wardle, co-founder and CEO of DoubleYou, speaks to the advantage Apple has over other vendors in developing such an effective solution, as the company controls both the Apple Silicon hardware and the iOS software. The article does, however, mention similar systems implemented by Microsoft in Windows 11 and Google in its Pixel devices.
- While it does not completely eliminate the ability for spyware to run on a device, Apple believes it will make attacks much more difficult to develop and maintain. It also disrupts many effective exploitation techniques that rely on narrow timing windows.
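A software model of the tag check described above, added here as an illustration and not Apple's or the article's code: every 16-byte granule of a toy heap carries a 4-bit tag, each allocation gets a fresh tag in the top byte of its pointer, and every load or store compares the two, so a linear overflow into a neighbouring allocation or a use-after-free is caught and logged. The granule size, tag width and bump allocator are constructed assumptions; the model also shows the known caveat that an overflow staying inside the allocation's own padded granule goes undetected.

```c
#include <stdint.h>
#include <stdio.h>

#define GRANULE 16            /* bytes per tagged granule (assumed) */
#define HEAP_GRANULES 64      /* toy heap: 1 KiB */
#define TAG_FREE 0            /* tag given to freed memory; never used for live allocations */

static uint8_t heap[HEAP_GRANULES * GRANULE];
static uint8_t granule_tag[HEAP_GRANULES]; /* "tag memory": one 4-bit tag per granule */
static size_t next_free_granule;           /* bump allocator; no reuse in this model */
static uint8_t next_tag = 1;               /* live tags cycle through 1..15 */

typedef uint64_t tptr; /* tagged pointer: heap offset in the low bits, tag in the top byte */
static tptr    tp_make(size_t off, uint8_t tag) { return ((uint64_t)tag << 56) | off; }
static uint8_t tp_tag(tptr p)                   { return (uint8_t)(p >> 56); }
static size_t  tp_off(tptr p)                   { return (size_t)(p & 0x00FFFFFFFFFFFFFFULL); }

/* Allocate n bytes rounded up to whole granules; every granule gets the same fresh tag. */
tptr mie_alloc(size_t n) {
    size_t g = (n + GRANULE - 1) / GRANULE;
    if (g == 0 || next_free_granule + g > HEAP_GRANULES) return 0; /* 0 is never a live pointer */
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);
    for (size_t i = 0; i < g; i++) granule_tag[next_free_granule + i] = tag;
    tptr p = tp_make(next_free_granule * GRANULE, tag);
    next_free_granule += g;
    return p;
}

/* Free: retag the granules so any dangling copy of the old pointer no longer matches. */
void mie_free(tptr p, size_t n) {
    size_t first = tp_off(p) / GRANULE, g = (n + GRANULE - 1) / GRANULE;
    for (size_t i = 0; i < g && first + i < HEAP_GRANULES; i++) granule_tag[first + i] = TAG_FREE;
}

/* Every access compares the pointer tag with the granule tag; a mismatch is a fault (-1) and is logged. */
static int tag_check(tptr p, size_t idx) {
    size_t off = tp_off(p) + idx;
    if (off >= sizeof heap) return -1;
    if (granule_tag[off / GRANULE] != tp_tag(p)) {
        fprintf(stderr, "tag fault: pointer tag %u, memory tag %u at offset %zu\n",
                (unsigned)tp_tag(p), (unsigned)granule_tag[off / GRANULE], off);
        return -1;
    }
    return 0;
}
int mie_store(tptr p, size_t idx, uint8_t v)    { if (tag_check(p, idx)) return -1; heap[tp_off(p) + idx] = v; return 0; }
int mie_load(tptr p, size_t idx, uint8_t *out)  { if (tag_check(p, idx)) return -1; *out = heap[tp_off(p) + idx]; return 0; }
```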
New cybersecurity rules land for Defense Department contractors
Article Link: https://www.theregister.com/2025/09/09/new_cybersecurity_compliance_rules_dod/
- The Pentagon finalized its Cybersecurity Maturity Model Certification (CMMC) rule, requiring contractors to meet new security standards beginning November 9, 2025. Vendors must comply with one of three CMMC levels, depending on the sensitivity of data handled, to qualify for defense contracts.
- Requirements include access controls, multifactor authentication, software patching, incident reporting, and facility security. Level 1 requires self-assessments, while Level 2 generally mandates third-party audits, and Level 3 requires government-led assessments.
- Acting DoD CIO Katherine Arrington said compliance proves vendors are prioritizing national security. However, the rule follows numerous vendor objections to CMMC requirements and a subsequent revision to the program.
- Contracting officers must now ensure solicitations specify the required CMMC levels and verify vendor certification. The shift places new accountability on both contractors and procurement officials and is intended to significantly strengthen supply chain security enforcement.
Employees keep feeding AI tools secrets they can’t take back
Article Link: https://www.helpnetsecurity.com/2025/09/09/employees-ai-tools-sensitive-data/
- A Kiteworks report reveals employees are frequently leaking sensitive data into public AI tools, with only 17% of companies using automated controls to block such leaks, while the other 83% rely on warnings, training, company guidelines, or no oversight at all.
- Executives often overestimate visibility, with one-third believing their company tracks all AI usage, while only 9% have effective governance. This blind spot of overconfidence leaves firms unable to assess how much data they expose or where it resides once entered into AI models.
- AI oversight is increasing quickly, with 59 new U.S. AI regulations issued in 2024, more than double 2023. Compliance remains an issue, however; GDPR, HIPAA, and SOX requirements cannot be met if companies cannot track or delete data employees feed into AI systems.
- For CISOs, priorities include implementing blocking and scanning controls for AI uploads and preparing to prove compliance under tightening regulations. Training remains useful, but technical visibility and enforcement are essential to reducing AI-related data exposure risks.
Why Cyber Education Must Begin in Kindergarten
Article Link: https://www.aol.com/lifestyle/why-cyber-education-must-begin-165600690.html
- The authors argue that cybersecurity education should start in kindergarten, not at workplace onboarding. They state that the “secure by design” concept of integrating security from the beginning of software development can also apply to people, by teaching cyber-secure habits from an early age.
- Human Risk Management programs focus on adult behaviors and remain largely reactive. Early cyber education instead emphasizes cyber resilience (identifying risks calmly and adapting to evolving threats) and wellness (promoting safe, ethical, and mentally healthy online practices).
- The case for early training is reinforced by soaring cybercrime costs, projected at $10.5 trillion annually by 2025 and $23 trillion by 2027. Teaching cyber hygiene, safety, and wellness early could reduce attacks, lower security costs, and prepare digitally resilient future workforces.
- Programs like Hackersjack and Belmont University’s initiatives show early momentum, while experts urge parents, businesses, policymakers, and professionals to advocate and contribute. Making cybersecurity part of everyday education could strengthen communities and national security alike.
Ransomware Payments Plummet in Education Amid Enhanced Resiliency
Article Link: https://infosecurity-magazine.com/news/ransomware-payments-plummet/
- A new Sophos study reveals ransomware demands and payments in the education sector have dropped over the past year, with demands on lower education providers falling 74% to $1.02 million, while higher education saw an 80% drop to $697,000. This compares to a cross-sector average decline of 34%.
- Researchers attribute the fall to fewer high-value demands, with lower education seeing an 86% drop in demands of $5 million or more. Ransom payments mirrored this trend, with lower education median payments plunging 88% to $800,000 and higher education dropping to $463,000. Education moved from one of the highest-paying sectors in 2024 to among the lowest in 2025.
- Faster recovery also played a major role. Recovery costs for higher education fell 77% to $900,000, and 59% of institutions fully recovered within a week, compared to just 30% the year before. Data recovery improved as well, with 97% of institutions regaining access to encrypted data.
- Attackers are being stopped earlier in the kill chain, especially in lower education where only 29% of attacks led to encryption, a four-year low. Phishing was the top initial vector for lower education, while higher education was more likely hit by exploited vulnerabilities. The report illustrates a positive shift in resilience and preparedness across the sector.
Study reveals widespread silent keystroke interception
Article Link: https://www.helpnetsecurity.com/2025/09/11/website-keystroke-tracking-privacy/
- A joint academic study has revealed that many websites capture keystrokes as users type, even if a form is never submitted. Researchers tested 15,000 websites and found that 38.5% used third-party scripts capable of intercepting keystrokes, with 3.18% transmitting them to remote servers.
- The data collected often included email addresses, phone numbers, and free-text entries, creating risks of tracking and profiling. Researchers highlighted email addresses as particularly sensitive identifiers, easily linked across websites by advertisers or data brokers.
- The study mapped these practices to the California Invasion of Privacy Act (CIPA), which requires all parties to consent to interception. The researchers urged regulators to clarify third-party status for analytics and ad vendors and called for federal updates to align with California’s stricter consent rules.
- For users, the findings show how little control they have once data leaves their browser, even if never submitted. Organizations face reputational and compliance risks if customers discover their information is silently logged. The researchers recommend that companies reassess their use of third-party scripts and adopt transparent disclosures to maintain trust and align with privacy protections.
- Study: https://arxiv.org/pdf/2508.19825
AI Darwin Awards to celebrate spectacularly bad deployments
Article Link: https://theregister.com/2025/09/09/ai_darwin_awards/
- A new parody award program, the AI Darwin Awards, has launched to spotlight catastrophic AI missteps in real-world deployments. The awards build on the traditional Darwin Awards but instead highlight companies and developers whose overzealous use of AI has ended in disaster.
- Early nominees include Taco Bell’s drive-thru system that repeatedly bungled customer orders, Replit’s coding mishap that wiped out a production database, and McDonald’s AI chatbot with security so weak that the password “123456” exposed data on 64 million job applicants.
- Organizers stress the awards aren’t mocking AI itself, but the reckless ways it can be applied. AI, they argue, is a neutral tool that can cause massive damage when used without appropriate safeguards.
- By documenting these cautionary tales, the awards aim to remind organizations that enthusiasm must be balanced with responsibility. As organizers put it, “Why stop at individual acts of spectacular stupidity when you can scale them to global proportions with machine learning?”
Huntress’s ‘hilarious’ attacker surveillance splits infosec community
Article Link: https://www.theregister.com/2025/09/12/huntress_attacker_surveillance/
- Huntress published research describing how an attacker accidentally installed its endpoint detection and response (EDR) tool, allowing the company to monitor the adversary’s activity for three months. Researchers observed the attacker experimenting with phishing kits, exploit tools, and automation while even installing a Malwarebytes browser extension for personal protection. The case offered defenders rare, detailed insight into attacker tradecraft.
- Huntress’s logs showed the attacker searched for “Bitdefender” and downloaded the EDR trial via a sponsored Google ad. The logs captured their behavior, including heavy reliance on Google Translate to craft phishing content in English from Thai, Spanish, and Portuguese.
- However, the humorous framing of the research raised ethical concerns. Industry leaders questioned whether Huntress crossed a line by effectively monitoring an adversary’s system without involving law enforcement. Some called it a “complete invasion of privacy,” while others raised concerns about how much data EDR platforms can access.
- Huntress defended its actions, stating that its methodology matched industry norms and that the case was discovered during legitimate malware investigation. The company emphasized its duty to both research threats and educate the community, arguing that sharing the attacker’s tactics helps defenders. The controversy reflects a broader debate over the boundary between incident response, intelligence gathering, and potential “hack back” activity.
