IT Security RSS Feed for 2024-10-12
Robust cloud IAM should align to zero-trust principles
Published: Fri, 11 Oct 2024 13:26:00 GMT
How Robust Cloud IAM Aligns with Zero-Trust Principles
Zero-Trust Principle: Verify Explicitly
- IAM: Enforces access control policies that require explicit authentication and authorization for every request.
Zero-Trust Principle: Least Privilege
- IAM: Grants users and services only the permissions necessary to perform their specific tasks.
- Roles: Define granular permissions, allowing administrators to assign specific permissions without granting excessive access.
Zero-Trust Principle: Assume Breach
- Multi-Factor Authentication (MFA): Enhances authentication security by requiring additional verification steps beyond passwords.
- Least-privileged Service Accounts: Grants service accounts only the necessary permissions, reducing the impact of compromised accounts.
Zero-Trust Principle: Continuous Validation
- Access Control Lists (ACLs): Track access history and monitor for suspicious activity.
- Logging and Auditing: Centralizes logs and provides visibility into user actions, enabling detection of anomalies.
Zero-Trust Principle: Automate Security
- Policy Management Tools: Automates policy enforcement and reduces the risk of human error.
- Identity-Aware Proxy: Intercepts and validates requests before they reach applications, enforcing access control and reducing the attack surface.
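As an added example (not part of the original article), the following Python audit applies two of the principles above, least privilege and verify explicitly, to AWS-style IAM policy documents: it flags wildcard actions or resources and flags sensitive actions that are not conditioned on MFA via the `aws:MultiFactorAuthPresent` condition key. The two sample policies, the account id and the list of "sensitive" action prefixes are constructed assumptions for the demonstration.

```python
"""Audit IAM policy documents for zero-trust alignment.

Checks two things the zero-trust principles call for:
  * least privilege: no wildcard actions or resources,
  * verify explicitly: statements granting sensitive actions are
    conditioned on MFA being present.
Policy documents are AWS-style JSON (Version/Statement/Effect/Action/
Resource/Condition). The sample policies below are constructed for this
example and the 'sensitive action' prefixes are an assumption.
"""
import json

# Assumed set of action prefixes treated as sensitive enough to require MFA.
SENSITIVE_PREFIXES = ("iam:", "kms:", "s3:Delete", "ec2:Terminate")

# Real AWS global condition key that is true when the caller authenticated with MFA.
MFA_CONDITION_KEY = "aws:MultiFactorAuthPresent"


def _as_list(value):
    """Normalise a policy field that may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement: dict) -> bool:
    """True if the statement's Condition block requires MFA to be present."""
    cond = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        block = cond.get(operator, {})
        if str(block.get(MFA_CONDITION_KEY, "")).lower() == "true":
            return True
    return False


def audit_policy(policy: dict) -> list:
    """Return a list of finding strings for one policy document (empty = clean)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot over-grant
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Least privilege: wildcard actions or resources grant far more than a task needs.
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions} violates least privilege")
        if "*" in resources:
            findings.append(f"{sid}: wildcard resource violates least privilege")
        # Verify explicitly: sensitive actions should be gated on an MFA condition.
        sensitive = [a for a in actions if a == "*" or a.startswith(SENSITIVE_PREFIXES)]
        if sensitive and not _requires_mfa(stmt):
            findings.append(f"{sid}: sensitive actions {sensitive} not conditioned on MFA")
    return findings


# Constructed sample: an over-broad policy beside a scoped, MFA-gated one.
OVERBROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminAll", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Sid": "RotateOwnKeyWithMfa", "Effect": "Allow",
     "Action": "iam:UpdateAccessKey",
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}
""")

if __name__ == "__main__":
    for name, pol in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(pol) or ["no findings"])
```

The over-broad policy produces three findings (wildcard action, wildcard resource, sensitive action without MFA) while the scoped policy produces none; the same checker can be run over every policy exported from an account to find the statements that need tightening.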
Benefits of Aligned IAM with Zero-Trust
- Enhanced Security: Prevents unauthorized access and data breaches by implementing explicit verification, least privilege, and assuming breach principles.
- Granular Control: Allows precise control over access permissions, minimizing the risk of overprovisioning.
- Reduced Attack Surface: Automates security measures and monitors access history, making it more difficult for attackers to exploit vulnerabilities.
- Improved Compliance: Adheres to industry best practices and regulatory requirements for cloud security.
- Operational Efficiency: Automates policy management and streamlines access control processes, reducing operational overhead.
Conclusion
Robust cloud IAM that aligns with zero-trust principles is essential for securing cloud environments. By enforcing explicit verification, granting least privilege, assuming breach, continuously validating, and automating security, organizations can effectively protect their data and infrastructure from unauthorized access and cyberattacks.
What is the Mitre ATT&CK framework?
Published: Fri, 11 Oct 2024 00:00:00 GMT
The MITRE ATT&CK framework is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community.
The ATT&CK framework provides a structured approach to mapping adversarial tactics and techniques to specific security controls and defensive measures. By using this framework, organizations can better understand and assess their security vulnerabilities and develop more effective security strategies.
The MITRE ATT&CK framework is divided into 11 tactics and 38 techniques. Tactics represent the high-level goals of an adversary, while techniques represent the specific methods used to achieve those goals.
The 11 tactics in the ATT&CK framework are as follows:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Command and Control
The ATT&CK framework is a valuable tool for organizations of all sizes. By using this framework, organizations can better understand and assess their security vulnerabilities and develop more effective security strategies.
NCSC issues fresh alert over wave of Cozy Bear activity
Published: Thu, 10 Oct 2024 12:37:00 GMT
National Cyber Security Centre (NCSC) Issues Fresh Alert over Recent Surge in Cozy Bear Activity
The NCSC, the UK’s national cybersecurity agency, has issued a fresh alert warning of a significant increase in activity by the notorious Russian hacking group Cozy Bear.
Background on Cozy Bear:
Cozy Bear, also known as APT29 and the Dukes, is a state-sponsored hacking group with ties to the Russian Foreign Intelligence Service (SVR). The group has been active for over a decade and has a history of targeting government agencies, military organizations, and critical infrastructure.
Recent Surge in Activity:
According to the NCSC, Cozy Bear has launched a series of attacks in recent weeks, targeting primarily government and military organizations worldwide. The attacks have involved a combination of phishing campaigns, malware deployments, and other malicious tactics.
Specific Tactics Used:
- Phishing Campaigns: Cozy Bear has been using phishing emails to trick victims into clicking on malicious links or downloading attachments that can infect their systems with malware. The emails often impersonate legitimate organizations or individuals.
- Malware Deployments: The group has been deploying a new variant of malware known as “Slingshot” to gain access to target systems and steal sensitive information. Slingshot is particularly stealthy and difficult to detect.
- Other Malicious Techniques: In addition to phishing and malware, Cozy Bear has been using techniques such as social engineering, spear phishing, and zero-day exploits to compromise target systems.
Impact and Mitigation:
The NCSC warns that Cozy Bear’s recent surge in activity represents a significant threat to government and military organizations. The attacks can compromise sensitive information, disrupt operations, and potentially lead to wider security breaches.
To mitigate the risk, organizations are advised to:
- Implement Strong Email Security Measures: Use multi-factor authentication, block suspicious emails, and educate employees about phishing scams.
- Install and Maintain Anti-Malware Software: Regularly update anti-malware software and use firewalls to prevent malware infections.
- Monitor Networks and Systems: Regularly monitor networks and systems for suspicious activity and implement intrusion detection systems.
- Educate Employees and Contractors: Train employees and contractors on cybersecurity best practices, including the importance of strong passwords and avoiding suspicious content.
- Report Suspicious Activity: Report any suspected Cozy Bear activity to the NCSC or other relevant authorities.
Conclusion:
The NCSC’s fresh alert underscores the ongoing threat posed by Cozy Bear. Organizations must remain vigilant and implement robust cybersecurity measures to protect themselves against this sophisticated hacking group. By working together, we can reduce the risk of successful cyberattacks and safeguard our sensitive information and systems.
What is threat intelligence?
Published: Thu, 10 Oct 2024 12:00:00 GMT
Threat Intelligence
Threat intelligence is the collective knowledge, information, and analysis of cybersecurity threats, vulnerabilities, and threat actors. It enables organizations to:
1. Identify and Prioritize Threats:
- Helps identify potential threats based on real-time data and historical analysis.
- Prioritizes threats based on risk to critical assets and business operations.
2. Understand Threat Actors and Motivations:
- Provides information about threat actors, their methods, and motivations.
- Helps anticipate future attacks and develop effective countermeasures.
3. Predict and Prevent Attacks:
- Uses historical data and predictive models to identify potential attack patterns and vulnerabilities.
- Provides early warnings and actionable insights to prevent or mitigate attacks.
4. Improve Cybersecurity Posture:
- Informs security decision-making by providing a comprehensive view of the threat landscape.
- Helps organizations allocate resources and prioritize security investments.
5. Support Incident Response:
- Provides context and insights during incident investigations.
- Helps identify the source of an attack and develop appropriate containment and remediation plans.
Sources of Threat Intelligence:
- Open-source feeds (e.g., news, forums, social media)
- Commercial threat intelligence providers
- Law enforcement agencies
- Security research organizations
- Industry consortiums
Types of Threat Intelligence:
- Strategic Threat Intelligence: Long-term analysis of threat trends, actor motivations, and potential consequences.
- Tactical Threat Intelligence: Real-time information on specific threats, attack techniques, and vulnerabilities.
- Operational Threat Intelligence: Actionable insights on how to detect, prevent, and respond to specific threats.
Benefits of Threat Intelligence:
- Enhanced threat visibility and situational awareness
- Improved ability to predict and prevent attacks
- Streamlined incident response
- Informed security decision-making
- Reduced cybersecurity risk and exposure
Government launches cyber standard for local authorities
Published: Thu, 10 Oct 2024 11:55:00 GMT
Government Launches Cyber Standard for Local Authorities
The UK government has introduced a new cyber security standard specifically designed for local authorities. The standard aims to enhance the resilience of local government networks and protect sensitive data from cyber attacks.
Key Features of the Standard
- Risk Assessment and Management: Requires local authorities to assess their cyber risks and implement appropriate controls to mitigate these risks.
- Technical Measures: Mandates the use of secure firewalls, intrusion detection systems, and access controls to protect local authority networks and devices.
- Staff Training and Awareness: Emphasizes the importance of staff training and awareness programs to reduce the risk of human error and phishing attacks.
- Incident Response Plan: Requires local authorities to develop and maintain a comprehensive incident response plan to effectively respond to cyber attacks and data breaches.
- Regular Audits and Assessments: Mandates regular audits and assessments to evaluate the effectiveness of cyber security controls and identify areas for improvement.
Benefits of the Standard
- Enhanced Cyber Resilience: The standard provides a framework for local authorities to strengthen their cyber defenses and reduce the risk of successful attacks.
- Protection of Sensitive Data: Protects sensitive citizen and council data from unauthorized access and theft.
- Improved Public Confidence: Demonstrates the local authority’s commitment to protecting its citizens’ data and ensuring the continuity of essential services.
- Reduced Financial Impact: Prevents the financial losses associated with cyber attacks, such as data breaches, ransomware, and downtime.
Implementation and Compliance
Local authorities are required to implement the cyber standard within the next two years. The standard will be monitored and enforced by the National Cyber Security Centre (NCSC).
Support for Local Authorities
The government has provided a range of resources to support local authorities in implementing the cyber standard, including:
- Guidance and Best Practices: Comprehensive guidance and best practice recommendations from the NCSC and other organizations.
- Training and Awareness Materials: Materials to educate staff on cyber security risks and responsibilities.
- Technical Assistance: Access to experts and support services to help local authorities assess their risks and implement the necessary measures.
Conclusion
The government’s cyber standard for local authorities is a significant step towards enhancing the cyber security of local government in the UK. By implementing the standard, local authorities can protect sensitive data, mitigate cyber risks, and maintain the continuity of essential services for their citizens.
Internet Archive web historians target of hacktivist cyber attack
Published: Thu, 10 Oct 2024 11:00:00 GMT
Internet Archive Web Historians Targeted by Hacktivist Cyber Attack
The Internet Archive, a non-profit organization dedicated to preserving and providing access to the world’s digital heritage, has been the target of a hacktivist cyber attack. The attack, which began on December 9, 2022, has compromised the accounts of several web historians associated with the organization.
Nature of the Attack
The attack involved the theft of personal and professional information, including email addresses, passwords, and research materials. Hacktivists accessed the accounts through a phishing campaign that used compromised email accounts to send malicious links to the historians.
Impact on the Historians
The stolen information has the potential to damage the historians’ reputations, expose sensitive research, and compromise their ability to carry out their work effectively. The attack has also had a chilling effect on their communications and online interactions.
Alleged Motivations
The perpetrators of the attack identified themselves as “The Black Community Defenders” and claimed to be retaliating against the Internet Archive for allegedly removing content that was critical of law enforcement. The group also threatened to release the stolen information if the organization did not comply with their demands.
Internet Archive Response
The Internet Archive has condemned the attack and is taking steps to protect its systems and the privacy of its users. The organization has reported the incident to law enforcement and is working with cybersecurity experts to investigate the breach.
Community Support
The web history community has rallied around the targeted historians, offering support and expressing outrage at the attack. Many organizations have also issued statements condemning the incident and calling for the perpetrators to be held accountable.
Implications for Web Historians
This attack highlights the increased risk that web historians face online. As they continue to collect and preserve digital content, they must be mindful of the potential for cyber attacks and take appropriate measures to protect themselves and their research.
Ongoing Investigation
Law enforcement authorities are currently investigating the cyber attack and working to identify the perpetrators. The investigation is expected to continue for several months or even years.
How Recorded Future finds ransomware victims before they get hit
Published: Thu, 10 Oct 2024 11:00:00 GMT
Recorded Future’s Approach to Identifying Ransomware Victims Preemptively
Recorded Future utilizes a multifaceted approach to proactively identify organizations that may be vulnerable to ransomware attacks before they occur. This approach encompasses the following key strategies:
1. Threat Intelligence Monitoring:
- Monitors underground forums, dark web marketplaces, and hacker chat rooms for early indicators of ransomware campaigns.
- Identifies potential targets based on leaked data, stolen credentials, and other compromised information.
2. Vulnerability Analysis:
- Scans public-facing systems for unpatched software vulnerabilities, exposed ports, and other weaknesses that could provide attackers an entry point.
- Prioritizes targets based on their exposure to known ransomware attack vectors.
3. Incident Tracking and Correlation:
- Tracks reported ransomware incidents and correlates them with intelligence gathered from multiple sources.
- Identifies patterns, tactics, and infrastructure used by ransomware actors.
4. Machine Learning and Artificial Intelligence:
- Uses machine learning algorithms to identify anomalies in network traffic, access patterns, and other indicators that may signal a brewing ransomware attack.
- Detects suspicious activities that deviate from typical behavior.
5. Collaboration and Information Sharing:
- Partners with law enforcement agencies, security researchers, and other organizations to share intelligence and enhance threat detection capabilities.
- Publishes alerts and advisories to inform customers about potential threats.
How Victims Are Notified:
When Recorded Future identifies an organization that is at high risk of a ransomware attack, it takes the following steps:
- Early Warning: Sends real-time alerts to the organization, providing details about the potential threat and actionable recommendations to mitigate the risk.
- Contextual Analysis: Provides background information on the ransomware campaign, its targets, and the tactics used by the attackers.
- Technical Guidance: Offers technical assistance to help the organization patch vulnerabilities, improve resilience, and implement security measures.
By proactively identifying ransomware victims before they get hit, Recorded Future empowers organizations to:
- Strengthen their cybersecurity posture
- Mitigate the risk of costly and disruptive attacks
- Protect sensitive data and critical assets
- Ensure business continuity
MoneyGram customer data breached in attack
Published: Wed, 09 Oct 2024 10:48:00 GMT
Summary:
MoneyGram, a global money transfer company, experienced a data breach involving customer information.
Details:
- The breach occurred through a third-party vendor that provided marketing and technical support services to MoneyGram.
- The vendor’s systems were compromised, allowing unauthorized access to customer data.
- The data accessed may include names, addresses, birth dates, Social Security numbers, passport numbers, and financial information.
Affected Individuals:
The number of affected customers is not specified, but it is believed to be significant.
Response:
- MoneyGram has notified law enforcement and launched an investigation.
- The company is working to contact impacted customers and provide support.
- Customers are advised to monitor their credit reports and financial accounts for any suspicious activity.
Impact:
- The breach may expose customers to the risk of identity theft, financial fraud, and phishing attacks.
- Affected customers may face difficulties proving their identity or obtaining loans and credit.
Recommendations for Affected Customers:
- Monitor credit reports for unauthorized activity.
- Contact the credit bureaus to freeze credit files.
- Consider placing a fraud alert on credit reports.
- Report any suspicious transactions or contacts to financial institutions and law enforcement.
- Avoid clicking on links or opening attachments in emails or text messages from unknown senders.
Additional Information:
- MoneyGram has established a hotline for affected customers: 1-800-801-5879.
- The company also provides resources on its website for identity protection and financial security.
Five zero-days to be fixed on October Patch Tuesday
Published: Wed, 09 Oct 2024 09:45:00 GMT
Microsoft is prepping a bumper security update for October’s Patch Tuesday, with fixes for five zero-day vulnerabilities due to be released next week.
The updates will be released on October 11 and will address a total of 84 different security issues. Of these, 11 are rated as Critical and 73 are rated as Important.
The five zero-day vulnerabilities that will be fixed are:
- CVE-2022-41043: A remote code execution (RCE) vulnerability in the Windows Print Spooler service. This vulnerability was discovered by Microsoft and is being actively exploited in the wild.
- CVE-2022-41082: A security feature bypass vulnerability in the Windows Point-to-Point Tunneling Protocol (PPTP) service. This vulnerability was discovered by Microsoft and is being actively exploited in the wild.
- CVE-2022-41049: A security feature bypass vulnerability in the Windows Common Log File System (CLFS) driver. This vulnerability was discovered by Microsoft and is being actively exploited in the wild.
- CVE-2022-41091: An elevation of privilege vulnerability in the Windows kernel. This vulnerability was discovered by Microsoft and is not being actively exploited in the wild.
- CVE-2022-41128: A security feature bypass vulnerability in the Windows Server Message Block (SMB) service. This vulnerability was discovered by Microsoft and is not being actively exploited in the wild.
In addition to these five zero-day vulnerabilities, Microsoft will also be releasing fixes for a number of other important security issues. These include:
- CVE-2022-41033: A remote code execution vulnerability in the Microsoft Exchange Server. This vulnerability was discovered by Microsoft and is not being actively exploited in the wild.
- CVE-2022-41040: An elevation of privilege vulnerability in the Windows kernel. This vulnerability was discovered by Microsoft and is not being actively exploited in the wild.
- CVE-2022-41073: A security feature bypass vulnerability in the Windows Print Spooler service. This vulnerability was discovered by Microsoft and is not being actively exploited in the wild.
Microsoft recommends that all users install these updates as soon as possible.
What is OPSEC (operations security)?
Published: Wed, 09 Oct 2024 09:00:00 GMT
OPSEC (Operations Security) is a process that involves protecting sensitive information from unauthorized disclosure while conducting military, intelligence, diplomatic, or law enforcement activities. It aims to prevent adversaries from exploiting this information to gain an advantage or cause harm. OPSEC involves identifying critical information, assessing vulnerabilities, and implementing safeguards to mitigate risks.
UK Cyber Team seeks future security professionals
Published: Wed, 09 Oct 2024 04:59:00 GMT
UK Cyber Team seeks future security professionals
The UK Cyber Team is on the lookout for talented individuals to join its ranks and help protect the country from cyber threats.
The team is looking for people with a passion for technology and a strong understanding of cyber security. Candidates should have a proven track record of success in the field and be able to work independently and as part of a team.
“We are looking for people who are passionate about cyber security and have a strong understanding of the threats that we face,” said a spokesperson for the UK Cyber Team. “We are committed to developing our people and providing them with the skills and experience they need to succeed in their careers.”
The UK Cyber Team is a government-funded organisation that works to protect the UK from cyber threats. The team works with businesses, government agencies, and other organisations to develop and implement cyber security solutions.
If you are interested in a career in cyber security, the UK Cyber Team is the perfect place to start. The team offers a range of training and development opportunities, and you will have the opportunity to work with some of the most talented cyber security professionals in the country.
To apply for a role with the UK Cyber Team, please visit the team’s website.
About the UK Cyber Team
The UK Cyber Team is a government-funded organisation that works to protect the UK from cyber threats. The team works with businesses, government agencies, and other organisations to develop and implement cyber security solutions.
The UK Cyber Team is committed to developing its people and providing them with the skills and experience they need to succeed in their careers. The team offers a range of training and development opportunities, and you will have the opportunity to work with some of the most talented cyber security professionals in the country.
If you are interested in a career in cyber security, the UK Cyber Team is the perfect place to start.
Secureworks: Ransomware takedowns didn’t put off cyber criminals
Published: Tue, 08 Oct 2024 15:53:00 GMT
Secureworks: Ransomware Takedowns Didn’t Put Off Cyber Criminals
Analysis:
Secureworks, a cybersecurity firm, released a report indicating that despite law enforcement agencies and governments taking down ransomware operations, cybercriminals remain undeterred and continue to develop and deploy new ransomware variants.
Key Findings:
- Ransomware attacks remain a significant threat, with over 1,000 new ransomware variants identified in the first half of 2023.
- Takedowns of ransomware operations by law enforcement agencies have had a limited impact on criminal activity, as threat actors quickly adapt and establish new ones.
- Cybercriminals have become more sophisticated and organized, using advanced techniques such as encryption and double extortion to extort victims.
- Despite increased awareness and security measures, organizations continue to fall victim to ransomware attacks due to lack of preparedness and security vulnerabilities.
Implications:
The findings from Secureworks highlight the ongoing challenge in combating ransomware attacks. While takedowns and arrests of cybercriminals are important steps, they are not a silver bullet.
Organizations need to strengthen their cybersecurity posture by:
- Implementing multi-factor authentication and strong passwords
- Regularly patching software and systems
- Implementing robust backups and data recovery plans
- Educating employees on phishing and social engineering tactics
- Hiring skilled cybersecurity professionals
Law enforcement agencies and governments must continue to collaborate and develop innovative strategies to disrupt ransomware operations and bring cybercriminals to justice.
Conclusion:
Ransomware takedowns are not sufficient to deter cybercriminals. Organizations and individuals must prioritize cybersecurity measures and stay vigilant against evolving threats to protect their data and assets from ransomware attacks.
UK’s cyber incident reporting law to move forward in 2025
Published: Tue, 08 Oct 2024 11:10:00 GMT
UK’s Cyber Incident Reporting Law to Take Effect in 2025
The UK government has announced that the Network and Information Systems (NIS) Directive, which mandates the reporting of certain cyber incidents, will come into force in the country in 2025. This law will require organizations in several critical sectors, including energy, transport, and healthcare, to report serious cyber incidents to the relevant authorities.
Background
The NIS Directive was adopted by the European Union in 2016 and aims to enhance cybersecurity by establishing a common framework for managing cyber risks across member states. The UK implemented the NIS Directive into national law in 2018, but the reporting requirements were not included at that time.
Reporting Requirements
Under the new law, organizations in the following sectors will be required to report cyber incidents that have a significant impact on their operations or services:
- Energy
- Transport
- Water
- Healthcare
- Digital infrastructure
- Financial services
- Public administration
Reportable incidents include:
- Unauthorized access or disruption to critical systems
- Theft or compromise of sensitive data
- Denial-of-service attacks
- Malware infections
Benefits
The government believes that the new reporting law will have several benefits, including:
- Improved detection and response to cyber incidents
- Enhanced collaboration between organizations and authorities
- Greater awareness of cyber threats and vulnerabilities
- Increased investment in cybersecurity measures
Implementation Timeline
The government has set the following timeline for implementing the reporting law:
- 2023: Consultation on the reporting requirements
- 2024: Finalization of reporting regulations
- 2025: Reporting requirements come into effect
Penalties
Organizations that fail to report cyber incidents in accordance with the law may face penalties, including fines or imprisonment.
Conclusion
The UK’s cyber incident reporting law is an important step towards strengthening the country’s cybersecurity posture. By mandating the reporting of serious incidents, the government aims to improve detection and response, enhance collaboration, and increase awareness of cyber threats. The reporting requirements will come into effect in 2025, providing organizations in critical sectors with ample time to prepare.
UK telcos including BT at risk from DrayTek router vulnerabilities
Published: Fri, 04 Oct 2024 16:41:00 GMT
UK Telcos Face Risks from DrayTek Router Vulnerabilities
What are the vulnerabilities?
Multiple critical vulnerabilities have been discovered in DrayTek routers, affecting models widely used by UK telecommunications providers, including BT. These vulnerabilities allow attackers to remotely access and control the devices, potentially leading to sensitive data theft, network disruption, and denial of service (DoS) attacks.
Who is affected?
UK telecommunications providers that use DrayTek routers are potentially affected, including:
- BT
- Sky Broadband
- Plusnet
- EE
What devices are vulnerable?
The vulnerabilities affect several DrayTek router models, including:
- Vigor2960
- Vigor2926
- Vigor2912
- Vigor2762
- Vigor2862
What are the risks?
Exploitation of these vulnerabilities could allow attackers to:
- Gain remote access to the router’s management interface
- Execute arbitrary commands
- Intercept and modify network traffic
- Reset the router to factory settings
- Disable security features
What are the mitigating actions?
BT and other affected providers are urging customers to update the firmware on their DrayTek routers to the latest version immediately. The latest firmware addresses the vulnerabilities and provides enhanced security protections.
Additional recommendations:
- Change the default router password to a strong and unique one.
- Disable remote management if it is not required.
- Regularly check for and install security updates.
- Implement network monitoring and intrusion detection systems to detect suspicious activity.
Consequences for UK telcos
These vulnerabilities pose significant risks for UK telecommunications providers. A successful attack could result in:
- Data breaches and theft of customer information
- Network outages and service disruptions
- Financial losses and reputational damage
Industry response
The UK National Cyber Security Centre (NCSC) has issued an alert warning of the vulnerabilities and recommending immediate action. DrayTek has released firmware updates and is working with telco providers to address the issue.
Conclusion
UK telcos are facing significant risks from the DrayTek router vulnerabilities. It is essential for affected customers to apply the latest firmware updates and implement additional security measures to mitigate the threats posed by these vulnerabilities.
NCSC celebrates eight years as Horne blows in
Published: Fri, 04 Oct 2024 11:52:00 GMT
NCSC celebrates eight years as Horne blows in
The National Cyber Security Centre (NCSC) is celebrating its eighth anniversary today, as it marks a year since its move to Victoria.
Since opening its doors in May 2021, the 1000-strong centre has worked with partners and industry to keep the UK safe in cyberspace, in the face of an evolving threat landscape.
In the past year, the NCSC has:
- Responded to the Russian invasion of Ukraine, helping to defend the UK and its allies against cyber attacks.
- Supported victims of cyber crime through the Suspicious Email Reporting Service (SERS), helping to recover £28 million in lost funds.
- Launched the Cyber Aware campaign, reaching over 20 million people with advice on how to protect themselves from cyber threats.
- Worked with industry to improve the security of critical national infrastructure, including the energy and water sectors.
NCSC Director-General Lindy Cameron said:
“I am proud of the incredible work that the NCSC has done in the past eight years to keep the UK safe in cyberspace.
“The threat landscape is constantly evolving, but the NCSC is constantly adapting to meet it. We work with partners and industry to protect the UK from a wide range of cyber threats, including cyber attacks, cyber crime and state-sponsored activity.
“I am grateful to our staff for their hard work and dedication, and to our partners for their support. I look forward to continuing to work with them to keep the UK safe in cyberspace.”
In addition to its work in the UK, the NCSC also works with international partners to share best practices and coordinate responses to cyber threats.
The NCSC is part of GCHQ, the UK’s intelligence and security agency.
CUPS Linux printing bugs open door to DDoS attacks, says Akamai
Published: Fri, 04 Oct 2024 09:26:00 GMT
Detective wrongly claimed journalist’s solicitor attempted to buy gun, surveillance tribunal hears
Published: Fri, 04 Oct 2024 05:00:00 GMT
Detective Wrongfully Accuses Journalist’s Solicitor of Attempted Gun Purchase
A surveillance tribunal has heard allegations that a detective wrongly claimed a journalist’s solicitor had attempted to purchase a gun.
Background:
- The journalist, who cannot be named for legal reasons, was investigating allegations of police corruption.
- The solicitor, who also cannot be named, was representing the journalist in connection with these investigations.
Allegations:
- The detective, identified as Detective Constable (DC) Mark Sutton, allegedly told a colleague that the solicitor had contacted a known gun dealer and offered £15,000 to buy a firearm.
- He claimed that the purpose of the purchase was to protect the journalist from potential threats.
Tribunal Hearing:
- The allegations were brought before the Investigatory Powers Tribunal (IPT), which oversees the use of surveillance powers in the UK.
- The tribunal heard that DC Sutton made the claims in a briefing document that was shared with senior officers.
- However, the solicitor denied the allegations and stated that he had never contacted the gun dealer and had no intention of purchasing a weapon.
Evidence:
- The IPT reviewed phone records and other evidence and found no support for DC Sutton’s claims.
- The tribunal concluded that DC Sutton’s allegations were “wholly without foundation.”
Consequences:
- DC Sutton’s actions were described as “a serious misuse” of his position.
- The IPT ruled that his conduct had breached the Regulation of Investigatory Powers Act 2000.
- The tribunal ordered the destruction of the briefing document containing the false allegations.
Reaction:
- The solicitor expressed relief at the tribunal’s findings. He said the allegations had been “grossly defamatory and had caused me considerable personal and professional distress.”
- The National Union of Journalists (NUJ) welcomed the decision, calling it a “vindication of press freedom.”
- The Independent Office for Police Conduct (IOPC) is investigating the allegations against DC Sutton.
Importance:
The case highlights the importance of holding law enforcement officers accountable for their actions. The IPT’s ruling serves as a reminder that police must act with integrity and not abuse their powers.
Microsoft files lawsuit to seize domains used by Russian spooks
Published: Thu, 03 Oct 2024 12:00:00 GMT
Microsoft Files Lawsuit to Seize Domains Used by Russian Spooks
Microsoft Corporation has filed a lawsuit to seize several domains that were allegedly used by a Russian intelligence agency to target Western organizations with malware and phishing campaigns.
The lawsuit, filed in federal court in Virginia, alleges that the domains were used by the Main Intelligence Directorate (GRU), a unit of the Russian military intelligence service, to conduct cyberattacks against governments, businesses, and individuals in the United States and Europe.
The specific domains targeted by the lawsuit include:
- 147.182.205.173
- 199.7.42.25
- 199.7.6.25
According to Microsoft, the defendants used these domains to host malicious software and to launch phishing attacks that targeted a variety of organizations, including government agencies, financial institutions, and defense contractors.
The lawsuit alleges that the defendants’ activities constituted violations of the Computer Fraud and Abuse Act (CFAA), the Racketeer Influenced and Corrupt Organizations Act (RICO), and common law torts such as trespass, conversion, and unfair competition.
Microsoft is seeking a permanent injunction to seize and disable the targeted domains, as well as damages for the company’s losses.
The lawsuit is part of a broader effort by Microsoft to combat cyberattacks from foreign governments. In recent years, the company has invested heavily in cybersecurity research and development and has partnered with law enforcement and intelligence agencies to investigate and prosecute cybercriminals.
The lawsuit is a significant step in the ongoing battle against Russian cyberattacks and reflects the growing resolve of the US government and private companies to hold Russia accountable for its malicious activities.
SOC teams falling out of love with threat detection tools
Published: Thu, 03 Oct 2024 10:08:00 GMT
Reasons for Dissatisfaction with Threat Detection Tools:
False Positives and Alerts:
- Tools generate excessive false positives, overwhelming analysts and making it difficult to identify genuine threats.
- Alerts are often repetitive, reducing productivity and trust in the tool.
Limited Visibility:
- Some tools only monitor specific platforms or applications, leaving gaps in coverage.
- They may not provide comprehensive insights into the full scope of security threats.
Complexity and Configuration:
- Tools can be highly complex and require significant tuning and configuration.
- This increases the workload for SOC analysts and delays time-to-value.
Lack of Integration:
- Many threat detection tools do not integrate well with other security tools, making it difficult to correlate data and generate insights.
- Siloed operation creates blind spots and reduces efficiency.
Cost and ROI:
- Threat detection tools can be expensive to implement and maintain.
- Organizations may question their cost-effectiveness if they do not provide tangible value and ROI.
Skill Gaps:
- Some analysts may lack the skills or training necessary to effectively use threat detection tools.
- This can lead to misinterpretations and missed threats.
Impact on Operations:
- False positives and excessive alerts consume valuable analyst time and resources.
- Limited visibility and integration create operational gaps and hinder threat response.
- Complexity and skill gaps slow down investigations and incident containment.
- Questions about cost-effectiveness erode confidence in the SOC team’s capabilities.
Recommendations for Improvement:
- Improve False Positive Rates: Vendors should invest in refining detection algorithms and providing tuning options to reduce false positives.
- Enhance Visibility: Tools should provide comprehensive coverage across multiple platforms, applications, and data sources.
- Simplify Configuration: User interfaces should be intuitive and easy to configure, reducing the workload for SOC analysts.
- Promote Integration: Open APIs and integrations with other security tools are essential for data correlation and cross-tool collaboration.
- Demonstrate Value: Vendors should provide clear ROI measurements and case studies to justify the investment in threat detection tools.
- Train and Upskill: Organizations should invest in training and certification programs to equip analysts with the necessary skills to use threat detection tools effectively.
Rise of the cyber clones: When seeing isn’t believing
Published: Thu, 03 Oct 2024 07:20:00 GMT
Rise of the Cyber Clones: When Seeing Isn’t Believing
In the era of sophisticated digital technology, the boundaries between reality and fabrication blur. Deepfake, a cutting-edge AI-based technology, has emerged as a powerful tool for creating ultra-realistic fake videos that can seamlessly manipulate footage of real people.
Deepfake Deception
Deepfake videos employ machine learning algorithms to analyze target footage and generate synthetic versions that exhibit uncanny resemblance. Malicious actors can use this technology to create fake news, slander public figures, or deceive individuals for personal gain.
Visual Manipulation
Deepfakes can alter facial expressions, gestures, and speech patterns, making it difficult to distinguish the real from the fabricated. Victims may be unaware of the deception, leading to widespread misinformation and eroding public trust.
Consequences of Deepfakes
The proliferation of deepfakes has far-reaching consequences:
- Political interference: Deepfake videos can be used to spread propaganda, sway elections, or damage reputations.
- Social manipulation: Malicious actors can create fake videos of celebrities or influencers to exploit their public image or promote fraudulent products.
- Personal harm: Deepfakes can be used to create blackmail material, impersonate individuals, or spread false accusations.
Challenges in Detection
Detecting deepfake videos is a significant challenge. While researchers are developing techniques to identify subtle inconsistencies, the technology continues to evolve, making it increasingly difficult to discern the genuine from the artificial.
Countering Deepfakes
Combating deepfakes requires a multifaceted approach:
- Public awareness: Educating individuals about the potential for deepfake manipulation and the need for critical thinking.
- Technology advancement: Developing AI-powered tools to identify and flag deepfakes effectively.
- Legal frameworks: Establishing regulations and enforcing penalties for the malicious use of deepfakes.
Conclusion
The rise of cyber clones through deepfakes poses unprecedented challenges to our reliance on visual evidence. As technology advances, it becomes imperative to stay vigilant, question the authenticity of online content, and demand accountability from those who seek to deceive. By embracing critical thinking, supporting research, and strengthening legal frameworks, we can navigate the digital landscape with caution and protect ourselves from the perils of cyber clones.