juraj somorovsky (@jurajsomorovsky) 's Twitter Profile

Professor at Paderborn University / co-founder of @hackmanit. Used to break XML, now playing with TLS and crypto. Co-author of DROWN, EFAIL, and TLS-Attacker.

ID: 197931263

https://cs.uni-paderborn.de/en/syssec/ | 02-10-2010 21:36:17

2,2K Tweet

2,2K Followers

319 Following

Maddie Stone (@maddiestone)

North Korean actors 🇰🇵 are targeting security researchers again including use of at least one 0-day. IOCs in the blog ⬇️ If you've been in contact, please reach out blog.google/threat-analysi…

Martin R. Albrecht (@martinralbrecht)

I'm looking for a postdoc to work with us on lattice-based cryptography See martinralbrecht.wordpress.com/2023/10/12/pos… and kcl.ac.uk/jobs/076525-re… Closing date: 31 January, 2 year contract in London, salary £42k to £60k. Please help me reach potential candidates.

Fabian Bäumer (@trueskrillor)

[1/7] We found a flaw in the SSH specification which allows a MitM attacker to drop certain messages from the secured connection. If you are using SSH, check this out: terrapin-attack.com 🐢

Hackmanit (@hackmanit)

We conducted a penetration test of the #IdP of WAYF (run by @deic1). Their #IdP acts as an intermediary in the federation ecosystem supporting both #SAML and #OIDC. Find the summary of the weaknesses and the full public penetration test report here: hackmanit.de/en/blog-en/179…

Fredrik Dahlgren (@fegge)

This is a good explainer why you shouldn’t buy a new quantum key-distribution system for Christmas next year. Or ever. bsi.bund.de/SharedDocs/Dow…

Moritz Schloegel (@m_u00d8)

Fuzzing is hard, evaluating fuzzing is harder 🔥 For our new IEEE S&P paper, we studied 150 fuzzing evals and found issues such as lackluster documentation, bad experiment setups, or questionable CVEs 📄 Paper mschloegel.me/paper/schloege… 🔧 Help us fix this github.com/fuzz-evaluator…

Hackmanit (@hackmanit)

Template engines are very popular in web applications. A severe threat posing a risk for the application, its data, and its users: Template Injection Vulnerabilities Detect them – manually and automatically: Blog 🌐hackmanit.de/en/blog-en/178… Tool 🛠️ hackmanit.de/en/penetration…

Andreas Zeller (@andreaszeller)

As a PC member, did you ever get a mail from an author pointing you to their “interesting” submission so you can bid on it and review it? At ICSE, such behavior will now result in the paper being rejected without review: icse2025.hotcrp.com

Duncan Campbell (@duncan_2qq)

Ross Anderson Professor Ross Anderson, FRS, FREng Dear friend and treasured long term campaigner for privacy and security, Professor of Security Engineering at Cambridge University and Edinburgh University, Lovelace Medal winner, has died suddenly at home in Cambridge.

Marcus Brinkmann (@lambdafu)

We found a critical vulnerability in #PuTTY SSH client with NIST P-521 keys, that allows private key recovery from only 60 signatures, CVE-2024-31497! If you use #Putty or #Filezilla with ECDSA P-521, upgrade now and generate a new key! Joint work with Fabian Bäumer, details ⬇️

Hackmanit (@hackmanit)

In May 2024, the Federal Office for Information Security (BSI) hosted the 20th German IT Security Congress. Our colleague Conrad Schmidt and Marcel Maehren (RUB) held a talk on "Combinatorial testing of TLS libraries". ➡️ KoTeBi Talk (German) youtu.be/4lOpB-49VRY?si…

Martin Dunsche (@mdunsche)

[1/4] If you've ever tried finding timing side channels by actually measuring, you probably know that this can be incredibly frustrating. But it does not have to! While major side-channels are easy to detect, more subtle ones, especially when the measurements are noisy, are not!

Fabian Bäumer (@trueskrillor)

Little bit flattened rn... Our Terrapin attack paper just got awarded distinguished paper and distinguished artifact awards at USENIX Security. If you are attending, make sure to join for our talk on Friday afternoon, 4:45 pm, in Salon IJK 🐢 #usesec24

RuhrSec // 20. - 21. FEBRUARY 2025 (@ruhrsec)

The call for presentations of #RuhrSec 2025 is now open! ✅ Bring your expertise to the stage—submit your proposal today! 🎯 👉 ruhrsec.de/2025/cfp.html #cfp #conference #ITSecurityConference #NRW #Bochum #itsecurity #itsicherheit #cybersicherheit
