J-school security curriculum: new resource pack!

Hi there!

It’s Evan, senior digital security trainer at Freedom of the Press Foundation (FPF), with our regular update on the U.S. Journalism School Digital Security Curriculum.

J-school security curriculum update

• We’ve added a new resource pack to the “Digital security 101 — Crossing the U.S.-Mexico border” module. This pack provides a summary of tips related to risk assessment, device security, chat safety, and how to interact with Customs and Border Protection alongside links to resources focused on border crossing in general.

Highlights from digital security in the news

• Microsoft recently released a report highlighting a slew of financially motivated “payroll pirate” attacks targeting U.S. universities. The attacks, which occurred over the first half of 2025, used sophisticated phishing techniques to hijack university employee email accounts and gain access to connected HR and payroll systems. The phishing messages convinced targets to open Google Docs links that redirected them to malicious sign-in pages used by the attackers to collect passwords and two-factor authentication codes. Once inside the accounts, the attackers created hidden inbox rules to delete payroll alerts so they could fly under the radar while changing direct deposit details to send paychecks to bank accounts that they controlled. In some cases, compromised university accounts were also used to send thousands of additional phishing emails across other institutions. Read more. Suggested modules: Social engineering, Authentication Part 1 and Part 2
• Earlier this month, about 70,000 Discord users had their government ID photos, selfies, and personal data exposed. There have been conflicting reports about whether the data breach resulted from a hack of a third-party company that handles Discord’s age verification processes or human error. Regardless of the cause, the exposed material includes identifying details like names, emails, and IP addresses of tens of thousands of users who submitted documentation to appeal age-related bans. The breach has drawn renewed attention to how online platforms store and manage sensitive data required for age verification processes. Cybersecurity experts have long warned that such age verification systems — given the significant volume of sensitive data required to operationalize them — pose a significant risk to user privacy. Read more. Suggested module: Internet and telecommunications security
• The European Union cancelled a scheduled vote on the problematic Child Sexual Abuse Regulation this month after German officials reiterated their opposition to the measure. Frequently referred to as “Chat ControI,” this regulation would mandate that messaging app providers operating in Europe scan all user content for child sexual abuse material. In effect, such a regulation would require providers to create a backdoor into their systems that would effectively break end-to-end encryption in order to remain available in the EU. Traditionally, a strong opponent of “Chat Control,” German officials in recent weeks faced public backlash after news reports that they might be considering a reversal in their position. This backlash included a letter from Signal’s president, Meredith Whittaker, threatening to remove Signal from the EU should “Chat Control” pass. Read More. Suggested module: Chat Safety

What we’re reading:

• We’ve been reading about some exciting technical enhancements from Apple and Signal lately. Apple shared a blog announcing a new security standard for upcoming iPhone 17 and iPhone Air devices called Memory Integrity Enforcement, while Signal announced it was rolling out an enhancement called the Sparse Post Quantum Ratchet. The goal behind Apple’s Memory Integrity Enforcement is to further strengthen iPhones’ defenses against powerful targeted spyware attacks. Signal’s SPQR is designed to strengthen the app’s resilience against future quantum computing threats. While the types of attacks mitigated by these new features are currently incredibly rare (in the case of targeted spyware) or still theoretical in nature (in the case of post-quantum encryption), it’s always encouraging to see proactive investments in the security of the devices and tools that many of us rely on.

As always, let our team know how you’re using the curriculum, what’s useful, and how it can be improved! Feel free to respond to this email or [email protected].

Thanks so much,
Evan

--

Evan Summers

Senior Digital Security Trainer

Freedom of the Press Foundation