Infosec In Brief The UK’s National Cyber Security Centre (NCSC) has found that cyber-deception tactics such as honeypots and decoy accounts designed to fool attackers can be useful if implemented very carefully.
The NCSC tested cyber deception technology with several volunteer companies, because those that wander into the carefully laid traps leave behind clues that can turn into threat intelligence, at least according to vendors of such tools.
The NCSC found that there’s truth to those claims during the run of its Active Cyber Defense 2.0 program, according to a blog post last week.
"We found that cyber deception can be used for visibility in many systems, including legacy or niche systems," the NCSC said. Great news, but there’s a caveat: "Without a clear strategy organizations risk deploying tools that generate noise rather than insight.”
In other words, you need a proper plan to make these tools work.
"If cyber deception tools aren’t properly configured, they may fail to detect threats or lead to a false sense of security, or worse, create openings for attackers," the NCSC warned. "Keeping cyber deception tools aligned requires ongoing effort."
The NCSC also found that, while most companies using deception tools prefer to keep that fact quiet, the data suggests the opposite ought to be the case.
"When attackers believe cyber deception is in use they are less confident in their attacks," the org said. "This can impose a cost on attackers by disrupting their methods and wasting their time, to the benefit of the defenders."
The NCSC sees cyber deception tools as an essential part of a modern defense strategy, said it wants to start helping organizations invest in them properly, and is developing a service to that end.
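The NCSC's two findings above, that a decoy yields insight only when something is watching it and that an unplanned deployment produces noise, come down to the alerting logic. The following is an added example, not NCSC or vendor code: it flags any authentication attempt against a set of hypothetical decoy accounts in constructed sshd-style log lines, and it allowlists a hypothetical monitoring host so the job that checks the decoys still exist does not trip the trap itself.

```python
"""Alert on any use of decoy (honeytoken) accounts in constructed auth log lines.

Added example, not NCSC code. The decoy account names, the log format, the
sample lines and the allowlisted health-check source are all hypothetical.
"""
import re
from collections import Counter

# Hypothetical decoy accounts: nothing legitimate ever logs in as these,
# so any touch is a high-fidelity signal.
DECOY_ACCOUNTS = {"svc_backup_legacy", "admin_old", "oracle_dba"}

# A monitoring job that periodically verifies the decoys still exist would
# otherwise trip the trap itself and bury real hits in noise; allowlist it.
ALLOWLISTED_SOURCES = {"10.0.0.5"}

# sshd-style line format, constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return the fields of one auth event, or None for lines we do not understand."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_decoy_use(lines):
    """Return one alert per event that touches a decoy account from a non-allowlisted source.

    A failed attempt means someone is enumerating or guessing our decoys; an
    accepted login means the decoy credential itself has leaked, which is worse.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] not in DECOY_ACCOUNTS:
            continue
        if ev["src"] in ALLOWLISTED_SOURCES:
            continue  # the decoy health check, not an intruder
        alerts.append({
            "time": ev["ts"],
            "account": ev["user"],
            "source": ev["src"],
            "outcome": ev["result"].lower(),
            "severity": "critical" if ev["result"] == "Accepted" else "high",
        })
    return alerts


def summarize(alerts):
    """Count alerts per source address: one host probing several decoys is strong signal."""
    return Counter(a["source"] for a in alerts)


# Constructed sample log: one external host probes three decoys, the
# allowlisted monitor checks one decoy, and a real user logs in normally.
SAMPLE_LOG = [
    "2025-11-10T02:14:03Z sshd[4121]: Failed password for invalid user svc_backup_legacy from 203.0.113.45 port 51234 ssh2",
    "2025-11-10T02:14:09Z sshd[4121]: Failed password for invalid user admin_old from 203.0.113.45 port 51240 ssh2",
    "2025-11-10T02:15:30Z sshd[4130]: Accepted password for oracle_dba from 203.0.113.45 port 51302 ssh2",
    "2025-11-10T03:00:00Z sshd[4200]: Failed password for svc_backup_legacy from 10.0.0.5 port 40001 ssh2",
    "2025-11-10T03:02:11Z sshd[4205]: Accepted password for alice from 192.168.1.20 port 40111 ssh2",
    "2025-11-10T03:05:00Z kernel: unrelated line",
]

if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_LOG)
    for a in found:
        print(f"[{a['severity']}] {a['time']} {a['outcome']} login as decoy "
              f"{a['account']} from {a['source']}")
    print("hits per source:", dict(summarize(found)))
```

The allowlist is where the "strategy" lives: every source that is allowed to touch a decoy is a place where an attacker can hide, so keep it to the single monitoring host and alert on anything else, including failed attempts.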
How to instantly drain an AI development budget
A malicious actor or an untrained developer can change spending limits in the AI IDE Cursor or in AWS Bedrock, potentially running up millions in charges in a matter of hours.
A vendor called Ox Security learned this the hard way after a new developer on its team “accidentally spent our monthly Cursor budget in hours, then discovered he could change team spending limits to over $1M without admin approval or notification."
Ox Security last week admitted to the incident and reported that Cursor and Bedrock both lack default controls that prevent unprivileged users from modifying budget controls, and both leak API tokens that can provide unlimited access.
Both platforms include features that can prevent such accidents, and can also block the malicious version in which an attacker gains access through a malicious link or a leaked API token, as Ox demonstrated in its proof-of-concept attacks, but neither enables those features by default.
"This wasn’t just a configuration oversight," Ox said. "It exposed a systemic problem: AI platforms prioritize speed and access over protection, creating an environment where a single leaked token or malicious link can trigger unbounded usage."
In its post about its own mess, Ox has detailed procedures to prevent the kind of incident it endured.
Spanish police arrest suspected perp behind theft of 64 million personal records
A 19-year-old is behind bars in Spain after police allegedly connected him to the theft of 64 million people’s personal records from nine different companies.
The unnamed suspect is thought to have stolen national ID numbers, addresses, telephone numbers and international bank account numbers, Spanish police reported last week. The suspect reportedly sold the data online for an unspecified quantity of cryptocurrency, following his breaches of the nine firms he targeted. Spanish police said they’ve frozen the cryptocurrency wallet where the suspect stashed his ill-gotten gains.
Law enforcement officials said they had been investigating the breaches since last June, which led them to the city of Igualada, near Barcelona, and the suspect whom they subsequently apprehended for the crime.
Polish police arrest trio of suspected traveling hackers
Police in Warsaw apprehended three Ukrainian citizens last week on suspicion that they are a traveling band of threat actors.
Officers stopped the three for a traffic violation and found them "visibly nervous," Polish police said in a report. The trio said they were traveling around Europe, had only recently arrived in Poland, and planned to depart for Lithuania shortly.
On searching the vehicle, police found a collection of suspicious items, including a Flipper penetration testing device, antennae, laptops, "a large number of SIM cards," routers, portable hard drives, and cameras. All of the storage media was encrypted, police said.
The situation smelled fishy enough that police apprehended the trio, who claimed to be IT specialists.
"When asked more specific questions, they forgot their English and pretended not to understand what was being said," Polish police said.
The equipment seized from the trio could be used to interfere with national strategic IT systems or break into telecom networks, Polish police said, so they’re being detained while law enforcement tries to get to the bottom of this rather unusual situation.
XSS tops CISA’s top vulns of 2025 list
CISA has published the 2025 edition of the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses.
The ranking is not a raw count of CVEs assigned during the year: each weakness is scored by how often it appears in CVE records, weighted by the severity of those vulnerabilities, so the list reflects which flaws have the potential to do the most damage.
Topping the list this year is improper neutralization of input during web page generation, better known as cross-site scripting (CWE-79), the second year in a row it has taken the number one spot. SQL injection (CWE-89) came in second, rising from third place the year before, followed by cross-site request forgery (CWE-352), missing authorization (CWE-862), and out-of-bounds write (CWE-787).
Classic buffer overflow (CWE-120), stack-based buffer overflow (CWE-121), heap-based buffer overflow (CWE-122), and improper access control (CWE-284) are all new entries on the list, suggesting the risk they pose has increased.
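To make the top two entries concrete, here is an added example (not code from CISA, MITRE or the CWE project) showing the vulnerable and hardened form of each: CWE-79, where untrusted input is spliced into HTML, and CWE-89, where it is spliced into a SQL statement. The user table, its rows and the attacker payloads are constructed for the demonstration, and the database is an in-memory SQLite instance so it runs offline.

```python
"""Vulnerable and hardened forms of the two top-ranked weaknesses on the 2025 CWE Top 25.

Added example, not from CISA or MITRE. The table, its rows and the
attacker-controlled inputs are constructed for this demonstration.
"""
import html
import sqlite3


# --- CWE-79: improper neutralization of input during web page generation (XSS) ---

def render_greeting_vulnerable(name):
    """Untrusted input is dropped straight into the HTML text context."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_hardened(name):
    """Escape for the HTML text context before interpolating.

    quote=True also escapes quotes, so the same helper is safe inside a
    double-quoted attribute value; URL and JavaScript contexts need their own
    encoders and are not covered by html.escape.
    """
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# --- CWE-89: SQL injection ---

def setup_db():
    """Create a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """String formatting makes the attacker's input part of the SQL grammar."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn, username):
    """Bind the value as a parameter; the driver never lets it become SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def run_demo():
    """Run one classic payload against both forms of each function and report what happened."""
    xss_payload = "<script>alert(document.cookie)</script>"
    sqli_payload = "' OR '1'='1"   # tautology: WHERE username = '' OR '1'='1'
    conn = setup_db()
    return {
        "xss_vulnerable_executes": "<script>" in render_greeting_vulnerable(xss_payload),
        "xss_hardened_executes": "<script>" in render_greeting_hardened(xss_payload),
        "sqli_vulnerable_rows": len(find_user_vulnerable(conn, sqli_payload)),
        "sqli_hardened_rows": len(find_user_hardened(conn, sqli_payload)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The tautology payload returns every row from the vulnerable query and nothing from the parameterized one, because the bound value `' OR '1'='1` is compared literally against the username column. The same shape of fix applies to the other injection entries on the list: keep data and code in separate channels rather than trying to filter the data.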
CISA is urging security professionals to prioritize detection and remediation of the weaknesses outlined in the list. ®