Notes for podcast recording.
podcast - #セキュリティのアレ - A laid-back security podcast.
Incidents and accidents
In the UK, the Online Safety Act makes age verification mandatory on platforms
(7/24) Online Safety Act - GOV.UK
As of 25 July 2025, platforms have a legal duty to protect children online. Platforms are now required to use highly effective age assurance to prevent children from accessing pornography, or content which encourages self-harm, suicide or eating disorder content.
(7/24) Online age checks now in force - Ofcom
(7/25) UK to see 6,000 porn sites verifying user age, Ofcom says
(7/25) The Age-Checked Internet Has Arrived | WIRED
(8/1) No, the UK’s Online Safety Act Doesn’t Make Children Safer Online | Electronic Frontier Foundation
Just a few minutes after the Online Safety Act went into effect last night, Proton VPN signups originating in the UK surged by more than 1,400%.
— Proton VPN (@ProtonVPN) July 25, 2025
Unlike previous surges, this one is sustained, and is significantly higher than when France lost access to adult content. pic.twitter.com/W9R5FQBWKa
Attacks and threats
IBM publishes "Cost of a Data Breach Report 2025"
Microsoft reports on attack activity by the Russian threat actor group Secret Blizzard
(7/31) Frozen in transit: Secret Blizzard’s AiTM campaign against diplomats | Microsoft Security Blog
Microsoft Threat Intelligence has uncovered a cyberespionage campaign by the Russian state actor we track as Secret Blizzard that has been targeting embassies located in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection. This campaign, which has been ongoing since at least 2024, poses a high risk to foreign embassies, diplomatic entities, and other sensitive organizations operating in Moscow, particularly to those entities who rely on local internet providers.
Vulnerabilities
CISA adds 3 vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog
(7/28) CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA
- CVE-2025-20281 Cisco Identity Services Engine Injection Vulnerability
- CVE-2025-20337 Cisco Identity Services Engine Injection Vulnerability
- CVE-2023-2533 PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability
Apple releases macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7, iOS 18.6 / iPadOS 18.6, iPadOS 17.7.9, tvOS 18.6, watchOS 11.6, visionOS 2.6
(7/29) Apple security releases - Apple Support
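Other
The National Police Agency publishes the Reiwa 7 edition of the Police White Paper
(7/29) Reiwa 7 Edition Police White Paper
IPA publishes the "Guide to In-House Vulnerability Assessment"
(7/31) Guide to In-House Vulnerability Assessment | Digital Human Resource Development | IPA Information-technology Promotion Agency, Japan
NIST publishes SP 800-63-4 Digital Identity Guidelines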
NIST が SP 800-63-4 Digital Identity Guidelines を公開
(7/31) SP 800-63-4, Digital Identity Guidelines | CSRC
(8/1) Let’s get Digital! Updated Digital Identity Guidelines are Here! | NIST