Infosec In Brief DNS vulnerabilities are being addressed 84 percent faster in the UK public sector thanks to an automated vulnerability scanning system established as part of a program kicked off early last year.
The Department for Science, Innovation and Technology (DSIT) last week said its Vulnerability Monitoring System (VMS), introduced as part of the Blueprint for Modern Digital Government delivered in January 2025, has cut the average time to identify and remediate DNS vulnerabilities on public sector sites from 50 days to just eight.
According to the Department, VMS uses a combination of commercial and proprietary scanning tools to detect vulnerabilities and DNS misconfigurations that attackers could exploit. The automated system continuously scans some 6,000 websites run by UK public sector agencies, DSIT said, and is configured to check for around 1,000 different vulnerabilities.
Along with its DNS vulnerability improvements, VMS has also reduced the median time to fix other issues from 53 days to 32 days, cut the backlog of critical open domain-related vulnerabilities by 75 percent, and resolved around 400 confirmed vulnerabilities a month since its inception.
"The vulnerability monitoring service has transformed how quickly we can spot and fix weaknesses before they're exploited so we can protect against that," Minister for Digital Government Ian Murray said of the new system.
Murray also announced a new career pipeline designed to encourage security professionals to seek jobs at DSIT and the UK's National Cyber Security Centre, in order to "protect the services that matter most to people's lives."
"Cyber-attacks aren't abstract threats – they delay NHS appointments, disrupt essential services, and put people's most sensitive data at risk," the minister added. "When public services struggle it's families, patients and frontline workers that feel it."
When Mozilla delivered Firefox 148 last week, it came with a new feature you may not have noticed: cross-site scripting (XSS) protections courtesy of a new API.
The Sanitizer API included in the latest release of Mozilla's browser lets a page insert untrusted HTML with its ability to do harm stripped out, leaving nothing but inert, plain old web content in its wake. Developers adopt it by replacing innerHTML assignments with the new setHTML() method, which sanitizes its input by default, and existing code can be migrated the same way.
The API addresses only document object model (DOM) based XSS and cannot prevent reflected or stored XSS attacks. Mozilla told us that's because DOM XSS attacks are client-side, and the other two types of XSS attacks are server-side. The Sanitizer API can't be adapted to solve those vulnerabilities, we're told.
Firefox is the first browser to ship with the Sanitizer API.
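As an added illustration (not code from the article or from Mozilla), here is the migration the Sanitizer API asks for, in JavaScript: the classic DOM-XSS sink next to its setHTML() replacement. The untrusted string is constructed for the example, and `renderUnsafe`, `renderSafe` and `hasSanitizerApi` are hypothetical helper names. Because Firefox is for now the only browser shipping setHTML(), the safe version feature-detects the method and falls back to textContent rather than innerHTML, so a browser without the API degrades to inert text instead of to the vulnerable sink.

```javascript
// Added example, not from the article or Mozilla. Constructed untrusted input
// standing in for markup an attacker controls via a client-side source such as
// location.hash: a harmless tag, an event-handler attribute, and a script block.
const UNTRUSTED = '<b>hi</b><img src=x onerror="alert(1)"><script>alert(2)</script>';

// Vulnerable pattern (DOM XSS): attacker-controlled markup goes straight into a
// parsing sink, so the onerror handler fires when the image fails to load.
function renderUnsafe(el, html) {
  el.innerHTML = html;
}

// Hardened pattern: Element.setHTML() parses the string and applies the browser's
// built-in safe-by-default sanitizer, dropping script-executing elements and
// event-handler attributes before anything reaches the live DOM. (Its sibling
// setHTMLUnsafe() skips sanitizing and is the wrong method for untrusted input.)
// Where setHTML() is absent, render the value as plain text, never via innerHTML.
// Returns which sink was used so callers (and tests) can see the path taken.
function renderSafe(el, html) {
  if (typeof el.setHTML === 'function') {
    el.setHTML(html);          // sanitized by default
    return 'setHTML';
  }
  el.textContent = html;       // inert fallback: markup shown, not parsed
  return 'textContent';
}

// Feature detection against a window-like global (hypothetical helper): true only
// when Element.prototype.setHTML exists, i.e. the Sanitizer API is available.
function hasSanitizerApi(globalObj) {
  const E = globalObj && globalObj.Element;
  return !!(E && E.prototype && typeof E.prototype.setHTML === 'function');
}

// Page usage: runs only in a browser, where `document` and `location` exist.
// Assumes an element with id="out" in the page.
if (typeof document !== 'undefined') {
  const out = document.getElementById('out');
  renderSafe(out, decodeURIComponent(location.hash.slice(1)));
}
```

The point of the fallback branch is the caveat L11 implies: a feature-detect that silently falls back to innerHTML on browsers without setHTML() would reintroduce the very sink the API removes, so the degraded path must be a non-parsing one.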
The US Federal Trade Commission said last week that it won't pursue enforcement action under the Children's Online Privacy Protection Act (COPPA) for website operators snapping up minors' PII for age verification purposes, provided they handle it properly.
The FTC said that it has recently heard a number of concerns that the rise of age verification software directly conflicts with the statutory requirements of COPPA, namely not to collect the data of persons under 13 without explicit permission from their parents.
COPPA, enacted in 1998, simply hasn't kept pace with the reality of our modern digital age, and the FTC believes age verification tech ought to be an exception under the rule.
"Our statement incentivizes operators to use these innovative tools, empowering parents to protect their children online," FTC consumer protection bureau chief Christopher Mufarrige said.
Of course, site operators must still notify parents why data is being collected, not disclose it or retain it for "longer than necessary," and protect the data.
Embattled CISA acting director Madhu Gottumukkala has been removed from his post and reassigned to serve as director of strategic implementation at the Department of Homeland Security, though not because he famously uploaded sensitive documents to ChatGPT in violation of department policy or anything, CISA tells us.
"Gottumukkala has done a remarkable job in a thankless task of helping reform CISA back to its core statutory mission," a senior DHS official told The Register. "He tackled the woke, weaponized, and bloated bureaucracy that existed at CISA, wrangling contracts to save American taxpayer dollars."
The agency, which has experienced rapid change under the Trump administration, will now be led by Nick Andersen, the agency's former executive assistant director for cybersecurity. Even he won't be hanging around, however, as he's just the acting director as well. Former CISA director nominee Sean Plankey has been renominated to head the agency.
UK communications regulator Ofcom has fined a pornography website operator £1.35 million ($1.8m) for failing to enact age checks required under the Online Safety Act, and enforcement director George Lusty isn't happy.
"We've been clear that adult sites must deploy robust age checks to protect children in the UK from seeing porn," Lusty stated. "Those that fail to do this – or ignore legally binding requests from us – should expect to face fines."
In this case, a UK outfit called 8579 LLC that operates several sites ran afoul of the rules. According to Ofcom, the outfit's websites not only didn't implement age checks, but the company also ignored information requests when asked to respond to complaints about the matter.
In addition to the £1.35m fine, 8579 was also charged £50,000 for ignoring the information requests. It will also be charged £1,000 a day until age checks are put in place, and £250 a day for up to 60 days until the company responds to the information requests, which remain open. ®
Source: The Register