26 May – 01 June 2025 Our new CVE of the Week is high severity vulnerability, CVE-2025-34027, has been identified and is making waves across the cybersecurity landscape. It affects Versa Concerto, an orchestrator and interface to configure and monitor Versa OS devices in Secure …
19 – 15 May 2025 Multiple high-severity vulnerabilities were responsibly disclosed in VCF by Gustavo Bonito of the NATO Cyber Security Centre. From among these, our #CVEOfTheWeek is CVE-2025-41229. This is a Directory Traversal vulnerability, which might allow a malicious actor with network access to …
It’s not often that a truly critical vulnerability is discovered that reaches the maximum severity rating of 10 on the Common Vulnerability Scoring System. This is one such case.
Microsoft confirmed that this Azure DevOps pipeline token hijacking vulnerability is caused by an issue whereby Visual Studio improperly handles the pipeline job tokens, enabling an attacker to potentially extend their access to a project. According to the company’s official communication:
To exploit this vulnerability, an attacker would first have to have access to the project and swap the short-term token for a long-term one.
To be fair, CVE-2025-29813 is just one of a number of critical vulnerabilities affecting core cloud services that the tech giant has confirmed this week. The good news is that none of them are known to have been exploited in the wild, none have been publicly disclosed, and there’s nothing you can do as a user to protect your environment.
“This vulnerability has already been fully mitigated by Microsoft.” -they say, so there’s no need to worry, we can sleep soundly.
You can find more information and details on the subject at the link below:
https://www.forbes.com/sites/daveywinder/2025/05/11/microsoft-confirms-critical-1010-cloud-security-vulnerability/
White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.
With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.
They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.
05 – 11 May 2025 A critical security vulnerability has been identified in the OpenCTI Platform which is designed to structure, store, organize and visualize technical and non-technical information about cyber threats. This vulnerability, tracked as CVE-2025-24977 is our new CVEofTheWeek with an assigned CVSS …
The Hacker News
A new report reveals that a staggering 89% of generative AI usage within enterprises remains undetected, exposing organisations to severe security risks. This covert AI activity can lead to significant data breaches and compromise system integrity. To combat these hidden dangers, the report urges companies to implement comprehensive AI governance frameworks. These should include enhanced visibility of AI applications, robust monitoring to detect unauthorised activities, and proactive management strategies to secure digital environments effectively, ensuring that enterprises can safeguard against the escalating threat landscape.
Read more
Dark Reading by Nate Nelson
A recent cybersecurity investigation has identified that a Chinese Advanced Persistent Threat (APT) group is exploiting a vulnerability in VPN software to launch sophisticated attacks on operational technology (OT) organizations globally. This exploitation poses severe risks to critical infrastructures such as power plants and water treatment facilities. The report calls for immediate and robust security enhancements in vulnerable systems and emphasizes the necessity for continuous vigilance and updated protocols to defend against these strategically targeted cyber-espionage activities, ensuring the safety and resilience of essential services.
Read more
Tripwire by Graham Cluley
Corporations are increasingly victimized by cybercriminals posing as cybersecurity auditors. These fraudsters gain unauthorized access by exploiting the trust within organizations, leading to significant breaches of sensitive data. This emerging trend underscores the critical importance for companies to rigorously verify the credentials of security professionals and to continuously educate their employees about such deceptive tactics. Enhancing verification processes and employee awareness are essential steps to shield businesses from these sophisticated scams, ensuring the security and integrity of corporate information systems against potential threats.
Read more
The Guardian by Josh Taylor
Apple is reportedly developing new technology that could enable social media platforms to accurately determine if users are under 16. This initiative aims to enhance online safety for minors by enforcing age-appropriate content restrictions and compliance with privacy laws. However, it raises significant privacy concerns about the extent and methods of data collection required for age verification. Advocates for digital privacy are calling for transparency and strict safeguards to ensure that these measures do not infringe on individual privacy rights, emphasizing the need for a balanced approach that protects both safety and privacy.
Read more
Dark Reading by Becky Bracken
Recent findings reveal a critical security flaw that allows hackers to compromise car camera systems in just minutes, posing severe privacy and safety risks to vehicle owners. This vulnerability highlights the urgent need for the automotive industry to strengthen cybersecurity measures in vehicle surveillance systems. Manufacturers are called to rapidly enhance security protocols, implement advanced protection technologies, and ensure robust safeguards are in place to prevent unauthorized access. This proactive approach is essential to protect personal data and ensure the safety of drivers and passengers in an increasingly connected world.
Read more
The Register by Connor Jones
Signal CEO Meredith Whittaker has made clear her company has announced plans to withdraw its services from Sweden in response to proposed laws that could compromise encryption standards. The messaging app, known for its staunch privacy policies, stated that the new legislation requiring access to encrypted data would force them to cease operations in the country to protect user privacy. This move highlights the growing tension between tech companies and governments over encryption policies and the balance between security and privacy. Signal’s potential exit from Sweden underscores the significant impact such legislative changes could have on global digital communication and privacy rights.
Read more
BleepingComputer by Bill Toulas
Several popular VSCode extensions, with a combined total of 9 million installs, have been removed from the marketplace due to severe security vulnerabilities. These extensions were found to pose risks that could potentially allow hackers to execute malicious code remotely on a user’s system. This incident highlights significant security concerns within the development tools ecosystem and emphasizes the importance of continuous vigilance in software updates and security auditing. Developers and users are urged to regularly review and update their extensions to safeguard against emerging cybersecurity threats.
Read more
The Register by Jessica Lyons
The scale of info-stealer malware’s impact has been laid bare, affecting millions of victims globally. This type of malware, which stealthily extracts sensitive data from users’ devices, has proven to be almost unstoppable due to its evolving nature and widespread distribution methods. The revelation underscores the persistent threat posed by these malicious programs and highlights the critical need for enhanced cybersecurity measures. Users and organizations are advised to strengthen their defenses by implementing robust security protocols and staying informed about the latest cybersecurity practices to mitigate the risk of data theft.
Read more
CyberScoop by Tim Starks
Karen Evans has been appointed as the Executive Assistant Director for Cybersecurity at CISA, stepping into a pivotal federal role. With her extensive background in cybersecurity and government, Evans is well-prepared to steer national cybersecurity strategies during a time of increasing digital threats. Her leadership is expected to enhance CISA’s capabilities in protecting national infrastructure and improving cyber resilience across various sectors. This appointment underscores the emphasis on bolstering federal cybersecurity efforts to address both current and emerging challenges effectively.
Read more
The Guardian by Dara Kerr
The US national security director has strongly condemned the UK government’s request for Apple to implement a data ‘backdoor’, highlighting major privacy and cybersecurity risks. This demand could jeopardize the security of users worldwide by potentially allowing unauthorized access to sensitive personal and financial information. This critical stance reflects broader global concerns over balancing government surveillance with individual privacy rights. It underscores the urgent need for policies that protect user data while supporting legitimate national security efforts without compromising fundamental privacy principles.
Read more
BleepingComputer by Lawrence Abrams
The Pump.fun X account was recently compromised, sparking concerns over security on social media platforms where financial transactions are promoted. This breach led to the unauthorized promotion of a fraudulent governance token, exploiting platform vulnerabilities and potentially misleading investors. The incident highlights the critical need for robust security protocols and vigilant user education to prevent similar cybersecurity threats. It serves as a stark reminder for investors to rigorously verify the legitimacy of online investment opportunities and underscores the importance of implementing stringent digital safeguards to protect financial interactions on social media.
Read more
The Register by Iain Thomson
Bybit has declared a proactive stance against North Korea’s notorious Lazarus crime-ring following the theft of $1.5 billion from their digital wallet. This bold declaration marks a significant shift in how cryptocurrency exchanges are responding to cyber theft, especially those perpetrated by state-sponsored groups. Bybit’s commitment involves enhancing their security measures and collaborating with global cybersecurity experts to recover the stolen assets and prevent future incidents. This initiative reflects a growing trend among financial platforms to actively combat cyber threats and safeguard investor assets in the increasingly volatile digital currency landscape.
Read more
BleepingComputer by Bill Toulas
EncryptHub has been implicated in a major cybersecurity breach that impacted 618 organizations, leading to the deployment of ransomware and info-stealers across multiple sectors. This extensive breach demonstrates the vulnerabilities in digital security frameworks and the sophisticated tactics employed by cybercriminals to exploit them. The incident calls for an urgent reassessment of cybersecurity measures within affected organizations and emphasizes the necessity for continuous enhancement of defense strategies to combat the evolving landscape of cyber threats. It also highlights the importance of proactive threat detection and response protocols to mitigate the impact of such breaches.
Read more
CyberScoop by Tim Starks
As a vital U.S. cybersecurity law approaches expiration, there is a concerted effort among advocates to secure its renewal. This legislation is foundational in fortifying national infrastructure against evolving cyber threats, enhancing public-private partnerships, and ensuring robust cyber defense mechanisms remain effective. The urgency to renew the law reflects concerns about the potential vulnerabilities that could emerge without it, emphasizing the necessity for up-to-date legal frameworks to adapt to rapidly advancing cyber tactics and maintain the United States’ leadership in cybersecurity resilience and innovation.
Read more
BBC by Zoe Kleinman
The head of US intelligence has publicly expressed concern over the UK’s covert request to Apple for a data ‘backdoor,’ which was not disclosed to US officials. This revelation has sparked significant international tension, highlighting the complexities of privacy, security, and transatlantic cooperation. The US intelligence leader emphasized the potential risks to global digital security and the importance of transparency in such requests, which could undermine trust among allies and jeopardize the privacy of countless users. This incident underscores the delicate balance required in government surveillance and the need for clear communication between nations on cybersecurity matters.
Read more
Dark Reading by Agam Shah
Fortanix is addressing the looming threat of quantum computing to cybersecurity with innovative algorithms designed to withstand potential breaches. As quantum technology advances, traditional encryption methods are at risk of becoming obsolete, exposing critical data to new vulnerabilities. Fortanix’s proactive approach involves developing quantum-resistant algorithms that ensure data remains secure against future quantum decryption capabilities. This initiative not only highlights the importance of forward-thinking in cybersecurity but also positions Fortanix as a leader in preparing for the next generation of cyber challenges.
Read more
Popular Information by Judd Legum
A federal court has issued an injunction against DOGE following a report by Popular Information, which highlighted significant regulatory concerns. This legal action reflects growing scrutiny over digital currencies and their compliance with financial regulations. The court’s decision to halt certain activities of DOGE underscores the challenges facing cryptocurrency projects in navigating the complex landscape of financial laws. This development serves as a critical reminder of the importance of regulatory compliance for cryptocurrencies and may set a precedent for how similar cases are handled in the future.
Read more
Dark Reading by Kristina Beek
Artificial intelligence is being exploited by cybercriminals to create highly convincing fake websites that mimic the cryptocurrency analysis tool, DeepSeek. These fraudulent sites are meticulously crafted to dupe cryptocurrency enthusiasts into divulging personal and financial information, resulting in significant financial losses. This trend of AI-facilitated scams highlights a disturbing evolution in cyber fraud, signalling an urgent need for the crypto community to bolster their defences. Enhanced security protocols and heightened user education are essential to counteract the sophisticated tactics employed by these digital swindlers.
Read more
Security Affairs by Pierluigi Paganini
The Lockbit ransomware group has dramatically escalated its cyber threats by publicly targeting Kash Patel, the FBI Director, with a bold threat to leak “classified” information. This audacious move signals a significant evolution in ransomware tactics, shifting from broad-scale data extortion to directly confronting and challenging national security officials. The incident not only exposes the brazen confidence of cybercriminals but also underscores the urgent need for national security entities to enhance their defensive and responsive strategies against such politically charged cyber threats.
Read more
The Register by Jessica Lyons
A startling revelation indicates that Chinese cyber espionage efforts have targeted the email communications of Republican figures, as detailed in a recent publication. This exposure not only highlights the deep reach of state-sponsored cyber operations but also raises significant concerns about the security of political communications in the U.S. The situation calls for an urgent reassessment of cybersecurity measures within political entities to safeguard sensitive communications from foreign interference, emphasising the need for robust, updated defence mechanisms in the ever-evolving landscape of global cyber warfare.
Read more
The Register by Jessica Lyons
Chinese cyber operators are now targeting medical imaging applications to hijack patients’ computers. This sophisticated attack not only compromises sensitive patient data but also exposes the vulnerability of healthcare systems to cyber espionage. By masquerading as legitimate medical software, Silver Fox disrupts healthcare operations and accesses confidential health records, highlighting a critical need for strengthened cybersecurity measures in medical institutions. This incident urges healthcare providers to enhance their digital defenses and implement more rigorous security protocols to protect patient information from such malicious intrusions.
Read more
Cybersecurity Dive by Rob Wright
The recent discovery of attackers exploiting critical vulnerabilities in Cisco products marks a significant escalation in the Salt Typhoon campaign. This sophisticated cyber operation targets essential network infrastructure, highlighting glaring security gaps that could jeopardise entire networks. The attacks not only exploit these vulnerabilities to gain unauthorised access but also pose severe risks to data integrity and operational continuity for businesses globally. This situation underscores the urgent necessity for organizations to swiftly apply security patches and adopt comprehensive cybersecurity strategies to mitigate potential damages from such pervasive and aggressive cyber threats.
Read more
CyberScoop by Matt Bracken
The recent endorsement by a DHS deputy secretary nominee of the decision to purge the Cyber Review Board has sparked significant discussion within the cybersecurity community. This controversial stance suggests a shift towards streamlining cybersecurity governance, which some argue might sacrifice thorough oversight for efficiency. Advocates for the purge believe it will lead to more direct and agile responses to cyber threats, while critics warn that it could undermine comprehensive policy-making and weaken the nation’s cyber defences. This development calls for a balanced approach that ensures robust security without stifling innovation.
Read more
The Hacker News by Ravie Lakshmanan
The malware LightSpy has notably expanded its capabilities, now boasting over 100 commands that enable it to exert unprecedented control over infected devices across multiple platforms including Windows, macOS, Linux, and mobile. This enhancement significantly increases the threat level posed by LightSpy, allowing cybercriminals to execute a wider range of malicious activities, from data theft to surveillance. The evolution of LightSpy illustrates the growing sophistication of malware tools and underscores the urgent need for cross-platform security solutions to protect against versatile and adaptive cyber threats.
Read more
Cybersecurity Dive by David Jones
Palo Alto Networks has issued a critical warning about active exploitation attempts targeting a file read flaw in their firewall products. This vulnerability, if exploited, allows attackers to access sensitive data, potentially leading to further network compromises. The alert underscores the importance of immediate patching and heightened vigilance among network administrators to prevent unauthorised access. This incident serves as a stark reminder of the continuous threats facing network security infrastructure and the need for ongoing proactive measures to defend against sophisticated cyber attacks.
Read more
ISMG Data Breach Today by Akshaya Asokan
Apple’s recent deactivation of iCloud’s end-to-end encryption, prompted by UK government demands, has been sharply criticised as “digitally illiterate” by Signal’s Meredith Whittaker. This decision is feared to undermine global cybersecurity, potentially affecting anyone globally who communicates with UK users. Experts warn that the UK could now effectively set a “security cap” for users worldwide, compromising digital security unknowingly. In reaction, cybersecurity expert Josh Moore has started a Change.org petition to uphold digital rights, which could lead to parliamentary debate if it reaches significant support levels.
Read more
Dark Reading by Maxime Lamothe-Brassard
Relying solely on traditional cybersecurity methods increasingly exposes businesses to significant vulnerabilities as cyber threats evolve. These outdated defences often fall short, leaving organisations at risk from more sophisticated cyber attacks. The pressing need for a more adaptive and proactive cybersecurity approach is evident, emphasising the integration of innovative technologies and strategies. This shift is crucial for organizations aiming to protect their digital assets effectively in a landscape where cyber risks are constantly changing, urging companies to overhaul their cybersecurity frameworks to stay ahead of threats.
Read more
Forbes by Chris Dimitriadis
The cybersecurity jobs market is tightening, reflecting a growing mismatch between the supply of qualified professionals and the escalating demand for cybersecurity expertise. Organisations are now facing significant challenges in recruiting and retaining skilled personnel amid rising cyber threats. This shift necessitates not only reevaluating compensation packages but also enhancing training and development programs to attract and cultivate talent. Emphasising career development and job satisfaction could be crucial for companies aiming to secure their digital environments in this competitive landscape.
Read more
PrivID (Substack)
The disappearance of $1.4 billion in cryptocurrency has created a perfect storm in the financial technology sector, exposing significant vulnerabilities within crypto exchanges and digital wallets. This incident highlights the intricate challenges of ensuring security in the largely unregulated and highly technical field of cryptocurrency. It underscores the urgent need for enhanced regulatory frameworks and advanced security measures to prevent similar incidents. As the industry grapples with these issues, stakeholders are called to prioritize transparency and strengthen cybersecurity practices to restore and maintain trust among investors.
Read more
IT Security Guru by Kirsten Doyle
MFA fatigue is becoming a tool for cybercriminals who exploit human tendencies to bypass authentication. This involves tricking users into security lapses by exploiting their response to frequent prompts, leading to complacency. The issue underscores the need for organizations to intensify user education and enhance security protocols. By adapting to the evolving tactics of cybercriminals who leverage such human vulnerabilities, companies can better protect sensitive information. Strengthening defenses against these subtle attacks is critical in maintaining robust digital security.
Read more
Security Magazine by Tim Eades
As organizations navigate through increasingly complex digital landscapes, identifying and addressing specific cybersecurity risks has never been more critical. This year, the focus shifts towards combating emerging threats that capitalise on new technologies and the expanded digital footprint of remote work. Proactive measures, including advanced threat detection systems and enhanced security protocols, are vital. Additionally, training employees to recognise phishing attempts and securing end-point devices are essential steps to mitigate risks. Organizations must stay agile, continuously updating their cybersecurity strategies to protect against the ever-evolving cyber threats.
Read more
By Saba Bagheri
Reflecting on this year’s Safer Internet Day, CyAN APAC Director Saba Bagheri delves into the evolving landscape of cyber-attacks in our increasingly digital world. Saba analyses how organized cybercrime groups have sophisticatedly adapted, utilising advanced technologies to exploit cybersecurity vulnerabilities effectively. She emphasises the urgent need for robust defensive strategies, advocating for relentless innovation in cybersecurity measures and a significant increase in user awareness. Her comprehensive insights stress the importance of a proactive approach in protecting digital infrastructures and personal data. By highlighting these ongoing challenges and solutions, Saba Bagheri calls for a united effort to shape a safer internet, ensuring it remains a secure environment for future generations.
Read more
Cyber Daily by David Hollingworth
As part of the Safer Internet Day 2025 campaign, this article underscores the pivotal role of employees in organisational cybersecurity. It discusses the significance of regular cybersecurity training, emphasising how informed employees can act as the first line of defence against phishing, malware, and social engineering attacks. Practical measures, such as interactive training sessions and robust access controls, are presented as key strategies to create a safer internet for all. The piece ties the Safer Internet Day theme to the importance of fostering cyber awareness at every level of an organisation. By equipping employees with the knowledge and tools to navigate online risks, businesses contribute to a global culture of responsibility and safety.
Read more
News Tech by Alex Cooney
This article emphasises the crucial role parents play in safeguarding their children’s online experiences, especially as legislation to hold tech companies accountable is still pending. A report from CyberSafeKids reveals that 82% of children aged 8-12 have unsupervised access to smart devices in their bedrooms, underscoring the need for increased parental engagement. The piece offers practical recommendations, such as initiating regular conversations about online activities, monitoring device usage, and establishing clear digital rules.
Read more
Microsoft Post by Courtney Gregoire
In light of Safer Internet Day 2025, Microsoft addresses the rising concerns over AI-generated content misuse. Their research indicates a global increase in AI usage, with 51% of individuals having used AI tools, up from 39% in 2023. However, 88% express concerns about generative AI. To combat potential abuses, Microsoft has partnered with Childnet to develop educational materials aimed at preventing the misuse of AI, including the creation of deepfakes. These resources are designed to equip schools and families with the knowledge to protect children from online risks associated with AI.
Read more
European Union News
Celebrated on February 11, 2025, the 22nd edition of Safer Internet Day saw worldwide participation under the theme “Together for a Better Internet.” The event introduced “Ally,” a new mascot symbolising a tech-savvy companion for young digital users. Additionally, the AdWiseOnline campaign, “Play Smart, Spend Wisely – Mind the Hidden Costs,” was launched to educate young gamers about their rights and the recognition of manipulative in-game marketing tactics. The campaign reached over 250,000 parents and educators, emphasising the collective effort required to create a safer digital environment.
Read more
Google for Education by Jennifer Holland
In observance of Safer Internet Day 2025, Google for Education highlights its dedication to fostering safe and enriching learning environments amidst the rise of AI technologies. The initiative focuses on collaborating with educators, families, and students to navigate the challenges posed by generative AI. Emphasis is placed on media literacy, responsible AI usage, and overall well-being in both school and home settings, ensuring that students are equipped with the necessary tools and knowledge to thrive safely in the digital age.
Read more
57Network by Shahirah Abdul Aziz
Small and medium-sized enterprises (SMEs) are increasingly targeted by cybercriminals due to perceived vulnerabilities. This article emphasises the need for SMEs to prioritise cybersecurity. It highlights practical steps like educating employees on safe online practices, implementing access controls, and creating incident response plans to ensure a safer internet for businesses and their customers. The article draws attention to the global message of Safer Internet Day, calling for collective action in fostering a secure online environment.
Read more
By Fel Gayanilo
CyAN General Secretary Fel Gayanilo discusses the evolution of identity and access management (IAM) in small to medium-sized businesses (SMBs) beyond traditional Active Directory frameworks. In his analysis, Fel highlights the emerging technologies and strategies that enhance IAM security, addressing the unique challenges faced by SMBs. Fel advocates for adaptive security measures that integrate advanced authentication mechanisms and user behaviour analytics to protect against increasingly sophisticated cyber threats. His insights emphasise the importance of evolving SMB security practices to safeguard sensitive data in a dynamic digital landscape.
Read more
CyAN Board Member and a highly accomplished leader in cybersecurity, fraud management, and risk governance, Bharat Raigangar has been selected as an esteemed juror for the 2025 SCCS & TPRM Europe Awards. These prestigious awards honour the leaders, teams, and solutions driving meaningful change in cyber resilience, risk management, and compliance. Winners will be celebrated at an exclusive networking dinner on April 10, 2025, in Lisbon.
Great news from our community! FIDES Rating, our AI-based SaaS solution for regulatory compliance, is shortlisted for the RegTech Insight Awards Europe 2025 under Best AI Solution for Regulatory Compliance. This nomination celebrates our commitment to transforming compliance with AI, enhancing efficiency and insights across regulations like DORA, NIS2, GDPR, and the AI Act. Vote for Innovation! Support FIDES in category #37 to help advance AI-driven compliance. Your vote matters!
We at CyAN are ALWAYS overjoyed to celebrate our members’ successes and their contributions to the cybersecurity community!
With that in mind, please join us in congratulating our valued member Fatema Fardan on her new role as a Part-time Lecturer at the Bahrain Institute of Banking and Finance (BIBF)!
Starting her career in Bahrain’s banking sector as a student in their management associates program, she now returns with an impressive 16 years of experience in cybersecurity and finance. She is eager to inspire future leaders and contribute to the development of the next wave of talent in Bahrain’s financial sector.
Read more
We’re thrilled to share that CyAN member Tulin Sevgin is starting a new chapter as a Non-Executive Board Member at Working Spirit, a charity that connects Australian military veterans with corporate career opportunities. Tulin’s extensive experience and dynamic enthusiasm have enriched our CyAN board, and we’re excited for her to bring these qualities to an organisation that plays a crucial role in supporting veterans. We are confident that Tulin will greatly contribute to Working Spirit’s growth and continued success in making a meaningful impact.
Read more
03-10 March 2025 Palo Alto PAN-OS authentication bypass exploited in the wild: CVE-2025-0108 This week’s #CVEofTheWeek is about an actively exploited critical Authentication Bypass vulnerability in Palo Alto PAN-OS. PAN-OS is the software that runs all Palo Alto Networks Next-Generation Firewalls (NGFW). The high-level properties …
Join our motivated more-or-less informed amateurs Hugo Tarrida and John Salomon for the latest in our State of (Cyber)War series, part of CyAN’s Secure in Mind video and podcast network. This is part one of a two-part series; part II discusses military crypto applications and techniques throughout the Cold War until the present day.
As always, we haven’t read all of these in their entirety, and the Wikipedia links are provided as-is, and only meant as a starting point for someone interested in more than just casual information.
06:09 https://en.wikipedia.org/wiki/Caesar_cipher
07:13 Vigenère cipher – https://en.wikipedia.org/wiki/Vigen%C3%A8re_cipher
07:31 The Code Book – https://en.wikipedia.org/wiki/The_Code_Book
07:50 Applied Cryptography – https://www.schneier.com/books/applied-cryptography/
08:30 Painting: Urgent for Capetown, by Stuart Brown – https://skipperpress.com/portfolio/gallery-prints/urgent-for-capetown/
08:35 Heliographs are neat-o: https://en.wikipedia.org/wiki/Heliograph
09:20 For some information about the kerfuffle around how this was planned: https://en.wikipedia.org/wiki/England_expects_that_every_man_will_do_his_duty
09:45 Cryptanalysis of Spanish Civil War Ciphers – https://informatik.rub.de/wp-content/uploads/2021/11/BA-Thesis_Jose-Luis-Benitez-Moreno.pdf
10:41 Look up Oskar Hutier, if you’re interested in that sort of thing
11:42 The cryptanalyst in question was Thomas Phillips/Phelippes, who served under Sir Francis Walsingham – arguably one of the first to hold the office of ‘M’, if you’re into historical espionage documentaries. https://en.wikipedia.org/wiki/Thomas_Phelippes – to read more on the plot to kill Elizabeth I whose uncovering led to the execution of Mary Queen of Scots: https://en.wikipedia.org/wiki/Babington_Plot
11:52 Giovanni Soro. John’s notes suck. https://www.atlasobscura.com/articles/cryptography-renaissance-venice
12:45 And beyond. CSS Virginia (US Confederate ironclad) supposedly had a turning radius of 1.6km and took approximately 45 minutes to complete a 180 degree turn. Zippy boi.
13:54 Abū Yūsuf Yaʻqūb ibn ʼIsḥāq aṣ-Ṣabbāḥ al-Kind (“al-Kindi”) – https://en.wikipedia.org/wiki/Al-Kindi. See also Ibn Adlan – https://en.wikipedia.org/wiki/Ibn_Adlan. Check out Contribution of Muslims and European in the Evolution of
Cryptology: A case Study – https://powertechjournal.com/index.php/journal/article/download/456/340/862 (PDF)
14:50 We are totally leaving out a whole bunch of stuff, on the way to WWI, e.g. Charles Babbage and others’ work on breaking the Vigenère cipher using machines, because it didn’t really have that much impact on military communications cryptanalisis. That is left as an exercise for the reader.
15:04 Episode 1 – https://cybersecurityadvisors.network/2024/09/10/subsea-cables-a-crunchy-target/
Episode 2 – https://cybersecurityadvisors.network/2024/09/24/subsea-cables-part-ii-mind-the-sharks/
15:12 https://en.wikipedia.org/wiki/Room_40
15:21 https://en.wikipedia.org/wiki/Zimmermann_telegram – one of the all time dumbest moves in a long history of dumb moves.
15:45 Oh look, we went and mentioned him after all – https://en.wikipedia.org/wiki/Charles_Babbage
15:47 Also, an ok-ish book by Neal Stephenson. If you want to go down a rabbit hole, several people have actually built working models based on Babbage’s designs.
16:30 https://en.wikipedia.org/wiki/Niedermayer%E2%80%93Hentig_Expedition
16:45 https://en.wikipedia.org/wiki/Abhorchdienst
17:07 Or, if you believe Hollywood, because Matthew McConaughey singlehandedly captured U-571 and its codebook.
17:39 https://en.wikipedia.org/wiki/MI8
17:50 From Secretary of State Henry Stimson. Allegedly.
18:18 https://en.wikipedia.org/wiki/Hebern_rotor_machine
18:27 Byuro Szifrow – https://en.wikipedia.org/wiki/Cipher_Bureau_(Poland)
18:31 https://en.wikipedia.org/wiki/Marian_Rejewski
18:45 https://en.wikipedia.org/wiki/Rotor_machine – the Hebern machine was one of these.
18:50 Obligatory – https://en.wikipedia.org/wiki/Enigma_machine
19:54 Lorenz cipher – similar, but with some differences, e.g. https://thehistorypress.co.uk/article/how-lorenz-was-different-from-enigma/
20:47 Open to visitors! https://bletchleypark.org.uk/
21:05 https://en.wikipedia.org/wiki/Colossus_computer
24:00 See also: the Double-Cross System
24:19 https://en.wikipedia.org/wiki/Juan_Pujol_Garc%C3%ADa
25:45 https://www.smithsonianmag.com/arts-culture/a-wwii-propaganda-campaign-popularized-the-myth-that-carrots-help-you-see-in-the-dark-28812484/ – carrots are good for your eyes, though. Eat your vegetables.
27:42 https://en.wikipedia.org/wiki/Pearl_Harbor_advance-knowledge_conspiracy_theory
28:15 Purple code, aka the Type B cipher machine – https://en.wikipedia.org/wiki/Type_B_Cipher_Machine
28:20 Wikipedia has a big list of Japanese naval codes here – https://en.wikipedia.org/wiki/Japanese_naval_codes
28:28 https://en.wikipedia.org/wiki/Magic_(cryptography)
28:36 https://en.wikipedia.org/wiki/Joseph_Rochefort
29:56 https://www.intelligence.gov/people/barrier-breakers-in-history/453-navajo-code-talkers
30:44 Italian-only, we’re afraid – https://it.wikipedia.org/wiki/Servizio_informazioni_militare
31:04 Richard Sorge – https://en.wikipedia.org/wiki/Richard_Sorge
31:05 Apparently there is some discussion about whether the “Red Orchestra” (German name Rotes Orchester) was a single organization controlled by the USSR or rather several loose groups of anti-Nazi Germans acting independently. Draw your own confusions.
32:45 For example https://www.101computing.net/enigma-machine-emulator/
You can find CyAN’s Secure-in-Mind YouTube channel at https://youtube.com/@cybersecadvisors – and of course, our videos about cyber conflict on the State of (Cyber)War playlist here. All of our episodes are also available in audio format on Apple iTunes, Amazon Audible, Podcast Republic, Spotify, and Libsyn – links on our Media page.
