Aggregator

Civil Society Orgs Concerned Deal Could Tilt Cloud Security Space in Google’s Favor
A coalition of European civil society organizations is urging regulators to launch a detailed antitrust investigation into Google's proposed $32 billion purchase of Wiz. They argue the acquisition would strengthen Google's dominance in cloud security and undermine multi-cloud neutrality.

Also: Why AI Agents Are Colliding, What Good Governance Ought to Look Like
In this week's panel, four ISMG editors discussed real-time vishing attacks that are defeating MFA, the growing problem of AI agents making conflicting decisions inside of enterprises and why the next phase of AI adoption depends on governance, accountability and control.

NASCIO Agenda Focuses on AI Policy, Cyber Investment and Critical Infrastructure
State CIOs have lots on their plates, juggling multiple priorities from AI to cybersecurity. But the state IT programs don't have to go it alone. The National Association of State CIOs' 2026 agenda focuses on federal legislation - and federal funds - that could help state IT programs.

在2024年大选前几周，美国军方黑客进行了一项秘密行动，试图破坏俄罗斯水军向美国选民散布虚假信息的工作。

Session 11A: Blockchain Security 2

Authors, Creators & Presenters: Ye Liu (Singapore Management University), Yue Xue (MetaTrust Labs), Daoyuan Wu (The Hong Kong University of Science and Technology), Yuqiang Sun (Nanyang Technological University), Yi Li (Nanyang Technological University), Miaolei Shi (MetaTrust Labs), Yang Liu (Nanyang Technological University)

PAPER
PropertyGPT: LLM-driven Formal Verification of Smart Contracts through Retrieval-Augmented Property Generation

Formal verification is a technique that can prove the correctness of a system with respect to a certain specification or property. It is especially valuable for security-sensitive smart contracts that manage billions in cryptocurrency assets. Although existing research has developed various static verification tools (or provers) for smart contracts, a key missing component is the automated generation of comprehensive properties, including invariants, pre-/post-conditions, and rules. Hence, industry-leading players like Certora have to rely on their own or crowdsourced experts to manually write properties case by case. With recent advances in large language models (LLMs), this paper explores the potential of leveraging state-of-the-art LLMs, such as GPT-4, to transfer existing human-written properties (e.g., those from Certora auditing reports) and automatically generate customized properties for unknown code. To this end, we embed existing properties into a vector database and retrieve a reference property for LLM-based in-context learning to generate a new property for a given code. While this basic process is relatively straightforward, ensuring that the generated properties are (i) compilable, (ii) appropriate, and (iii) verifiable presents challenges. To address (i), we use the compilation and static analysis feedback as an external oracle to guide LLMs in iteratively revising the generated properties. For (ii), we consider multiple dimensions of similarity to rank the properties and employ a weighted algorithm to identify the top-K properties as the final result. For (iii), we design a dedicated prover to formally verify the correctness of the generated properties. We have implemented these strategies into a novel LLM-based property generation tool called PropertyGPT. Our experiments show that PropertyGPT can generate comprehensive and high-quality properties, achieving an 80% recall compared to the ground truth. It successfully detected 26 CVEs/attack incidents out of 37 tested and also uncovered 12 zero-day vulnerabilities, leading to $8,256 in bug bounty rewards.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – PropertyGPT appeared first on Security Boulevard.

Ankou 一款现代化的模块化指挥控制 (C2) 平台 by ourren

DARPA：AI已成为未来战争关键 — 2026年度预算重点项目分析 by ourren

DARPA 2025年在研项目深度研究报告 by ourren

基于AI Agent的自动化恶意程序分析平台 by ourren

AIxVuln: 一个基于LLM的多Agent全流程漏洞挖掘项目 by ourren

AutoRedTeam-Orchestrator: AI驱动的自动化红队编排框架 by ourren

2025年度全球APT威胁研究报告 by ourren

更多最新文章，请访问SecWiki

E-signatures are now part of your security posture. In 2026, most organizations sign contracts, approvals, onboarding packets, and financial documents electronically. That increases exposure to account takeover, identity theft, document tampering, and audit gaps especially when teams rely on weak methods like a pasted signature image or email-only approval. This guide explains what cybersecurity teams […]

The post Essential E-Signature Solutions for Cybersecurity in 2026 appeared first on Cyber Security News.

Проект GnuPG выпустил обновление 2.5.17 для устранения критической уязвимости

Mandiant says a wave of recent ShinyHunters SaaS data-theft attacks is being fueled by targeted voice phishing (vishing) attacks and company-branded phishing sites that steal single sign-on (SSO) credentials and multi-factor authentication (MFA) codes. [...]

A vulnerability classified as problematic has been found in ays-pro Popup Box Plugin up to 6.1.1 on WordPress. Affected by this vulnerability is the function publish_unpublish_popupbox. Performing a manipulation results in cross-site request forgery. This vulnerability is cataloged as CVE-2026-1165. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability described as critical has been identified in Linux Kernel up to 6.6.121/6.12.66/6.18.6/6.19-rc5. Affected is the function es58x_alloc_rx_urbs of the component can. Such manipulation leads to allocation of resources. This vulnerability is listed as CVE-2026-23037. The attack must be carried out from within the local network. There is no available exploit. Upgrading the affected component is recommended.

A vulnerability marked as critical has been reported in Linux Kernel up to 6.19-rc4. This impacts the function vortex_probe1. This manipulation causes null pointer dereference. This vulnerability is tracked as CVE-2026-23020. The attack is only possible within the local network. No exploit exists. It is suggested to upgrade the affected component.

A vulnerability labeled as problematic has been found in hayyatapps Sell BTC Plugin up to 1.5 on WordPress. This affects the function orderform_data of the component Orders Page. The manipulation results in cross site scripting. This vulnerability is identified as CVE-2025-14554. The attack can be executed remotely. There is not any exploit available. The affected component should be upgraded.

A vulnerability identified as critical has been detected in Linux Kernel up to 6.18.5/6.19-rc4. The impacted element is the function flow_steer_list_lock. The manipulation leads to memory leak. This vulnerability is referenced as CVE-2026-23024. The attack needs to be initiated within the local network. No exploit is available. You should upgrade the affected component.

A vulnerability categorized as critical has been discovered in Linux Kernel up to 6.18.5/6.19-rc4. The affected element is the function idpf_vc_core_deinit of the component idpf. Executing a manipulation can lead to memory leak. The identification of this vulnerability is CVE-2026-23022. The attack needs to be done within the local network. There is no exploit available. It is advisable to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.12.65/6.18.5/6.19-rc4. It has been rated as critical. Impacted is the function idpf_vport_rel of the component idpf. Performing a manipulation results in memory leak. This vulnerability was named CVE-2026-23023. The attack needs to be approached within the local network. There is no available exploit. Upgrading the affected component is advised.

A vulnerability was found in Linux Kernel up to 6.6.121/6.12.66/6.18.6/6.19-rc5. It has been declared as critical. This issue affects the function null_blk. Such manipulation leads to memory leak. This vulnerability is uniquely identified as CVE-2026-23032. The attack can only be initiated within the local network. No exploit exists. It is recommended to upgrade the affected component.

A researcher has released detailed evidence showing some Instagram private accounts exposed photo links to unauthenticated visitors. The issue was later fixed, but Meta closed the report as not applicable and did not respond to multiple requests for comment. [...]

CERN 获得 10 亿美元私人捐赠用于建造未来环形对撞机（Future Circular Collider，FCC），这是该机构 72 年历史上首次有私人和慈善基金支持其大型项目。FCC 有望成为大强子对撞机（LHC）的继任者。FCC 设计建造一条长约 90.7 公里的巨型隧道——其长度三倍于 LHC——平均深度约为地下 200 米。FCC 方案是 CERN 下一代对撞机的首选方案，将于 2026 年 5 月递交给 CERN 理事会，如果理事会在 2028 年批准该方案，那么 FCC 电子正电子对撞机（FCC-ee）的建造将于 2030 年启动，2047 年投入运行。

A vulnerability was found in Linux Kernel up to 6.18.6/6.19-rc5. It has been classified as critical. This vulnerability affects the function kvm_eiointc_destroy of the component LoongArch. This manipulation causes memory leak. This vulnerability is handled as CVE-2026-23029. The attack can only be done within the local network. There is not any exploit available. Upgrading the affected component is recommended.