Deep Dig Weekly / #02

Hey there! 👋

Welcome to my weekly cybersecurity newsletter. Each week, I share practical insights on emerging threats, education, privacy, and technology.


Major U.S. Security Overhaul: Cybersecurity Board Terminated Amid Hacking Probe

The U.S. Department of Homeland Security has terminated several advisory committees, including the Cyber Safety Review Board (CSRB), a group of cybersecurity experts. The decision comes amid the CSRB's investigation into Chinese cyberattacks on U.S. telecommunications infrastructure (Salt Typhoon) and its review of breaches in U.S. government email systems. Critics call the move shortsighted given ongoing threats to critical infrastructure. Separately, a major U.S. executive order on AI safety and oversight has been revoked, removing both the requirement that companies share AI safety test results with the government and NIST's role in addressing model flaws.

Trump administration fires members of cybersecurity review board in ‘horribly shortsighted’ decision | TechCrunch
The Department of Homeland security told members of the Cyber Safety Review Board that their membership was terminated.

CISA Takes Novel Approach: Highlights Bad Security Practices

CISA has released an unconventional security guide that focuses on identifying bad practices rather than making traditional best-practice recommendations. The guidance targets software manufacturers, detailing dangerous practices to avoid when developing products for critical infrastructure. These include the use of outdated cryptography, hardcoded credentials, and insufficient product support periods. The framework covers three areas: product properties, security features, and organizational processes. Key updates address memory safety, SQL and command injection prevention, KEV patching timelines, and requirements for phishing-resistant MFA, particularly in operational technology systems.

Product Security Bad Practices | CISA
This voluntary guidance provides an overview of product security bad practices that are deemed exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs).

ParrotOS Partners with Caido

Security company Caido, based in Montreal, has partnered with Parrot to integrate their web security auditing toolkit into Parrot Security OS. The toolkit features automated workflows, project organization tools, and a modern Rust/Vue architecture. This collaboration strengthens the toolset available to cybersecurity professionals and penetration testers on the OS.

Parrot + Caido
Parrot Security website

Google Launches Parfait for Private AI Development

Google Research has announced Parfait, a new GitHub organization focused on private AI technologies. It aims to protect user data and privacy while enabling AI advancement through its key pillars: transparency in data usage, data minimization via federated learning and secure aggregation, data anonymization using differential privacy, and external verifiability through trusted execution environments. Parfait's technology has been implemented in Google products like Gboard, Android's Private Compute Core, and Google Maps. The organization is now open-source to help advance private AI development across machine learning and analytics applications.

Google Research also created this online comic to explain how Federated Learning works.

Parfait: Enabling private AI with research tools

Behind the Binary: A Cybersecurity Podcast That Explores Malware Experts' Stories

Josh Stroschein, Reverse Engineer at FLARE (Google/Mandiant) and creator of The Cyber Yeti YouTube channel, hosts "Behind the Binary," a podcast exploring tech professionals' journeys. The series features notable guests including Nick Harbour discussing malware analysis and the Flare-On contest, Victor Manuel Alvarez sharing YARA's development story, Ryan Chapman detailing his path from hacking to cyber defence, and Stephen Eckels revealing insights on the SolarWinds Sunburst backdoor discovery.

Behind the Binary by Google Cloud Security
Welcome to Behind the Binary, the podcast that introduces you to the fascinating people, technology, and tools driving the world of reverse engineering. Join your host, Josh Stroschein, a reverse engineer with the FLARE team at Google, and someone…

Lunatask: Privacy-First Productivity Suite with End-to-End Encryption

Lunatask is a comprehensive productivity app that prioritizes security and privacy through end-to-end encryption. The app combines task management, habit tracking, and note-taking while maintaining strict privacy standards: no data selling, minimal data collection (email only), and no analytics tracking. Security features include industry-standard encryption algorithms, PIN-protected notebooks, and secure synchronization across devices. The app integrates with popular platforms through Zapier, email, and a public API while maintaining its security-first approach.

Encrypted to-do list, life-tracking, journaling and notes app | Lunatask
Encrypted to-do list, habit tracker, journaling, life-tracking and notes app

Until next week for more insights! 📮