UK Tribunal Opens "Bare Details" of Apple E2EE Backdoor Order; Update Apache Parquet to Fix CVSS 10.0 RCE; UMD Medical Center Sued Over Employee's Keylogging

While the UK is seeking to keep their security concerns confidential, the TCN requesting an encryption back door, and Apple's subsequent appeal are anything but. The IPT report cites a plethora of published information regarding the TCN and appeal. The best path forward is an open and honest debate about the problem the UK (and others) wish to solve and how that contrasts with the overall benefit provided by E2EE, not just from Apple but from other service providers as well, which really needs to become SOP for protecting data in transit in a world of continuous connectivity across networks of varied security.

Lee Neely

While some 'bare' details will be made publicly available, in the long run the Government will succeed in requiring AAPL to install the backdoor. It is a UK law after all. The 'ProtectEU' internal security strategy also advocates for a law enforcement backdoor via its technology roadmap on encryption.

Curtis Dukes

CVE-2025-30065, deserialization of untrusted data flaw, has a CVSS score of 10.0. Take steps to rapidly upgrade to Parquet 1.15.1. There is no current evidence of a POC or exploitation, but with the press this is getting, expect that to change quickly. Next review the OWASP's deserialization cheat sheet to see if you can implement any added controls around deserialization.

Lee Neely

Definitely not a success story for the integration of physical security with computer/information security. Both disciplines have to be well run because weak plus weak usually equals worse, not better, and the skill sets and processes are really very different. It sounds like both areas had serious deficiencies that were never detected - the processes used for periodic auditing need to be overhauled along with the security practices.

John Pescatore

This case says something about the state of cybersecurity on the UMMC network. First, the ability to install unauthorized software on the network. Second, accessing protected server rooms. These actions would have been flagged if proper security controls were implemented and managed. It will be difficult for the University to argue they maintained a standard of reasonableness in protecting employee and patient privacy.

Curtis Dukes

The keylogging software was installed on shared computers and used to capture not only UMMC credentials but also to activate and record cameras, disabling the camera light, as well as capture personal credentials. UMMC has replaced all affected computers and installed keylogger detectors. One of the lessons is to be cautious with a shared computer accessing sensitive information such as online banking. In a word: don't; you're not truly sure what is private and what is not.

Lee Neely

This sounds like a reasonable choice. But I think in the long term, NIST needs to find outside help. Makers of vulnerable software have an interest in seeing accurate information provided to NIST, and they should be enlisted to help. As a first step, NIST should suggest software vendors publish their vulnerability information in a standardized format to make it easier to automatically include the provided information. This would also help others collect vulnerability data. I still feel that academia is an underused resource in providing enrichment for vulnerabilities, or at least reviewing enrichments.

Johannes Ullrich

NIST is facing layoffs of 500 probationary employees and making a move to adjust the workload accordingly. Enrichment of current CVEs should be prioritized over older ones, though CVEs prior to 2018 represent about 34% of the total number of CVEs. While the enrichment efforts continue, reduced scope or otherwise, you need to continue your patching discipline, applying OS, browser, and layered product updates expeditiously, and incorporating appropriate scanning/monitoring to identify shortfalls and risks, leverage NIST's KEV, and reserve deep analysis for the exception, not every CVE.

Lee Neely

NIST is essentially punting on a third of existing CVEÕs. While the reason for their decision is understandable, it does put part of the vulnerability/patch/configuration management ecosystem at risk. Bottom line: every organization should already have a process in place to immediately patch/configure as software updates are released.

Curtis Dukes

Applying the MotW to compound file formats like compressed files and disk images will continue to be challenging, in particular, as different operating systems implement this feature differently. It may also not be supported by all file systems.

Johannes Ullrich

Verify your WinRAR and 7-Zip installations have been updated to at least 7.11 and 24.09 respectively. As this is a manual update, you may want to package the new version and push the update centrally for an expeditious resolution.

Lee Neely

This is a timely reminder that you need to ensure you are aware of all software packages that are installed on your estate and that your vulnerability management and patch management programs take all those packages into account. In particular, those packages that do not update automatically and require a manual update.

Brian Honan

I suspect this issue affects the non-US market more than the US market, specifically in the enterprise. I'm not sure how many US enterprises are using WinRAR more than, say, 7zip.

Moses Frost

This sounds like a well thought out solution to this old problem. There is some value in coloring visited links differently, but the privacy implications are hard to ignore and Chrome's solution seems to strike a good balance.

Johannes Ullrich

The CSS pseudo-class :visited allows sites to capture browsing habits for advertisers, cross-site tracking, phishing and social engineering as well as enhanced fingerprinting of users based on behavior. The partitioning in Chrome 136, will only allow the detection of visited sites which have been clicked on from the site you're on.

Lee Neely

There was a story a few months ago about a group that created polymorphic browser extensions that leveraged a feature that allowed you to fingerprint what extensions you had based on certain features like this. This enables more than just advertisers to figure out what you have and potentially what you are looking for. It's great that we see this protection in the base product.

Moses Frost

Maybe it is just the old cynic in me, but anytime I read phrases like "to detect or 'sniff' a user's browsing habits," it is not criminals exploiting the technology that jumps to mind but online advertising companies. When our privacy is being threatened by criminals and legitimate businesses you know that "privacy by design" and "privacy by default" are not the principles most of our technology is build on.

Brian Honan

The Rhysida ransomware gang is taking credit for this attack and the Port refused to pay any ransom demand. Data exfiltrated included names, DOB, SSNs, driverÕs license and other government ID numbers, as well as medical information, which was initially put up for auction by the gang, later some was released for free. The data doesn't appear to have any payment or traveler related information. The Port is providing affected individuals with one year of free credit monitoring/ID theft services. Time to verify your monitoring services have current information, credit is locked, and notifications are properly configured/working.

Lee Neely

Nearly nine months later the investigation concludes, and we formally learn what was lost in the ransomware attack. The good news is that the victims will get one year of credit monitoring and identity protection services. Hopefully in the intervening nine months the Port of Seattle has implemented the recommendations found in the 'Blueprint for Ransomware Defense' guide.

Curtis Dukes

Passwords continue to be the weak link in the chain. We need to help users change compromised passwords and use MFA, preferably not SMS or email based 2FA. Help users by both providing strong MFA and enabling notifications of password compromise. I've run across a mindset that a weak password coupled with a second factor is ok; correcting that mindset may be a hard sell, and needs to be incorporated in your UAT program.

Lee Neely

Reminder for the rest of us: Strong authentication is both essential and efficient.

William Hugh Murray

Cleo is a file transfer utility that was targeted by the Clop ransomware gang at the end of 2024 and WK Kellogg is the latest identified victim of this attack. If you're using file transfer utilities, take a lead from WK Kellogg and have an in depth conversation about their security and mitigations. Make sure that you've implemented all the best practices, to include making sure that your solution is appropriate with today's targeting of file transfer services to capture sensitive data or disrupt operations.

Lee Neely