IT Security RSS Feed for 2024-10-13
Robust cloud IAM should align to zero-trust principles
Published: Fri, 11 Oct 2024 13:26:00 GMT
Aligning Cloud IAM with Zero Trust Principles
Zero trust is a security model that assumes that no entity, internal or external, is inherently trustworthy. Consequently, it enforces continuous verification, authentication, and authorization for every request, regardless of its origin.
Cloud IAM (Identity and Access Management) plays a critical role in implementing zero trust principles within the cloud environment. By aligning Cloud IAM with zero trust, organizations can achieve:
1. Continuous Authentication and Authorization:
- Implement adaptive multi-factor authentication (MFA) to require additional verification for high-risk activities.
- Use context-aware access control (e.g., time-based, location-based) to restrict access based on user context.
- Enforce least privilege access by granting only necessary permissions to roles and users.
2. Least Privilege Access:
- Leverage role-based access control (RBAC) to define granular permissions and prevent unauthorized access.
- Limit the scope of access to specific resources, data, or actions.
- Regularly review and revoke unused permissions to minimize the attack surface.
3. Granular Authorization:
- Utilize IAM conditions to set additional constraints on access, such as time-window restrictions, IP address whitelisting, or resource tagging.
- Enable fine-grained access control by defining authorization rules at the resource level.
4. Identity Verification and Continuity:
- Implement a strong identity management process to verify user identities and mitigate the risks of impersonation.
- Use single sign-on (SSO) to centralize identity management and prevent password reuse.
- Establish identity continuity plans to ensure access recovery in the event of an identity compromise.
5. Continuous Monitoring and Auditing:
- Monitor Cloud IAM activities to detect unauthorized access or suspicious behavior.
- Audit IAM configurations regularly to identify potential vulnerabilities or misconfigurations.
- Implement alerting and notification mechanisms to promptly respond to security incidents.
Benefits of Aligning Cloud IAM with Zero Trust:
- Increased security: Reduces the attack surface and prevents unauthorized access.
- Reduced risk: Enforces least privilege access and mitigates security risks associated with compromised identities.
- Improved compliance: Aligns with industry best practices and compliance frameworks that emphasize zero trust principles.
- Enhanced agility: Enables granular access control, empowering teams to innovate and respond to business needs quickly.
By aligning Cloud IAM with zero trust principles, organizations can establish a robust security posture that protects against modern threats and ensures the integrity and confidentiality of data and resources in the cloud.
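The controls listed above (MFA for high-risk actions, context conditions on source address and time window, resource tags, least-privilege role bindings and periodic revocation of unused permissions) compose into a deny-by-default policy evaluator. The following is an added example written for this summary, not code from the original article or from any cloud provider's IAM service; the roles, actions, resource identifiers, condition fields and access-log records are constructed assumptions rather than a real provider's policy model:

```python
"""Deny-by-default access evaluation with context conditions plus an idle-permission audit.
Added example for the zero-trust IAM controls described above; not code from the page or any
cloud provider. Roles, actions, resource ids, condition fields and log records are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_AUTH_AGE = timedelta(minutes=15)  # continuous verification: older sessions must re-authenticate
MAX_IDLE = timedelta(days=90)         # a bound role unused this long is a revocation candidate

@dataclass
class Statement:
    actions: set[str]
    resources: set[str]                        # exact id or trailing-'*' prefix
    require_mfa: bool = False
    allowed_cidrs: list[str] = field(default_factory=list)
    hours_utc: tuple[int, int] | None = None   # (start, end) hour window, end exclusive
    required_tags: dict[str, str] = field(default_factory=dict)

@dataclass
class Request:
    principal: str
    action: str
    resource: str
    resource_tags: dict[str, str]
    source_ip: str
    mfa_present: bool
    auth_age: timedelta
    now: datetime

# Constructed roles: each carries only the permissions its job needs (least privilege).
ROLES: dict[str, list[Statement]] = {
    "app-deployer": [Statement({"deploy:Update"}, {"svc:prod/*"}, require_mfa=True,
                               allowed_cidrs=["10.0.0.0/8"], hours_utc=(8, 18))],
    "billing-reader": [Statement({"billing:Read"}, {"acct:billing/*"},
                                 required_tags={"classification": "internal"})],
}
BINDINGS = {"alice": ["app-deployer", "billing-reader"], "bob": ["billing-reader"]}

def _resource_matches(pattern: str, resource: str) -> bool:
    return resource.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == resource

def _failed_conditions(st: Statement, req: Request) -> list[str]:
    """Names of the statement's conditions that the request does not satisfy."""
    failed = []
    if st.require_mfa and not req.mfa_present:
        failed.append("mfa-required")
    if st.allowed_cidrs and not any(ipaddress.ip_address(req.source_ip) in ipaddress.ip_network(c)
                                    for c in st.allowed_cidrs):
        failed.append("source-ip-not-allowed")
    if st.hours_utc and not (st.hours_utc[0] <= req.now.astimezone(timezone.utc).hour < st.hours_utc[1]):
        failed.append("outside-time-window")
    failed += [f"tag-mismatch:{k}" for k, v in st.required_tags.items() if req.resource_tags.get(k) != v]
    return failed

def evaluate(req: Request) -> tuple[str, str]:
    """Return ('allow', role) or ('deny', reason); nothing is trusted by default."""
    if req.auth_age > MAX_AUTH_AGE:
        return "deny", "reauthentication-required"
    reasons: list[str] = []
    for role in BINDINGS.get(req.principal, []):
        for st in ROLES.get(role, []):
            if req.action not in st.actions or not any(_resource_matches(p, req.resource) for p in st.resources):
                continue
            failed = _failed_conditions(st, req)
            if not failed:
                return "allow", role
            reasons.extend(f"{role}:{f}" for f in failed)
    return "deny", ",".join(reasons) or "no-matching-statement"

def unused_bindings(access_log: list[tuple[str, str, datetime]], now: datetime) -> dict[str, list[str]]:
    """Bound roles not exercised within MAX_IDLE: the 'review and revoke' step."""
    recent = {(p, r) for p, r, ts in access_log if now - ts <= MAX_IDLE}
    idle = {p: [r for r in roles if (p, r) not in recent] for p, roles in BINDINGS.items()}
    return {p: roles for p, roles in idle.items() if roles}

def demo() -> dict[str, object]:
    """Decisions for constructed requests plus the idle-role audit, keyed by scenario."""
    now = datetime(2024, 10, 11, 10, 0, tzinfo=timezone.utc)

    def r(who, action, res, ip, mfa, age=timedelta(minutes=5), tags=None):
        return Request(who, action, res, tags or {"classification": "internal"}, ip, mfa, age, now)
    log = [("alice", "app-deployer", now - timedelta(days=5)),        # constructed access log
           ("alice", "billing-reader", now - timedelta(days=200)),
           ("bob", "billing-reader", now - timedelta(days=1))]
    return {
        "deploy-inside-mfa": evaluate(r("alice", "deploy:Update", "svc:prod/api", "10.1.2.3", True)),
        "deploy-external-ip": evaluate(r("alice", "deploy:Update", "svc:prod/api", "203.0.113.5", True)),
        "deploy-no-mfa": evaluate(r("alice", "deploy:Update", "svc:prod/api", "10.1.2.3", False)),
        "billing-wrong-tag": evaluate(r("bob", "billing:Read", "acct:billing/q3", "10.1.2.3", True,
                                        tags={"classification": "restricted"})),
        "bob-deploy": evaluate(r("bob", "deploy:Update", "svc:prod/api", "10.1.2.3", True)),
        "stale-session": evaluate(r("alice", "billing:Read", "acct:billing/q3", "10.1.2.3", True,
                                    age=timedelta(hours=2))),
        "revocation-candidates": unused_bindings(log, now),
    }
```

Two design points carry the zero-trust stance: `evaluate` denies unless a bound role explicitly permits the action on that resource and every condition attached to the grant holds, and it re-checks session age on each call instead of trusting an earlier authentication. `unused_bindings` is the review step: roles a principal holds but has not exercised within MAX_IDLE come back as revocation candidates. In a real deployment the conditions would map onto the provider's condition keys and the access log onto its audit trail.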
What is the Mitre ATT&CK framework?
Published: Fri, 11 Oct 2024 00:00:00 GMT
The MITRE ATT&CK framework is an open-source knowledge base of cyber adversary tactics and techniques. It is used by cybersecurity professionals to track and defend against cyber threats.
The framework is organized into 11 main categories:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Impact
Each category is further divided into subcategories and specific techniques. For example, the Reconnaissance category includes subcategories such as Information Gathering and Network Scanning. The Information Gathering subcategory includes techniques such as scanning for open ports, retrieving metadata from web pages, and identifying email addresses.
The MITRE ATT&CK framework is a valuable tool for cybersecurity professionals. It provides a common language for describing cyber threats and helps organizations to identify and mitigate risks.
NCSC issues fresh alert over wave of Cozy Bear activity
Published: Thu, 10 Oct 2024 12:37:00 GMT
NCSC Issues Fresh Alert Over Wave of Cozy Bear Activity
The National Cyber Security Centre (NCSC) has issued a fresh alert warning of a wave of malicious activity attributed to the Russian state-sponsored hacking group known as Cozy Bear.
What is Cozy Bear?
Cozy Bear, also known as APT29, is a highly skilled and persistent threat actor associated with the Russian Intelligence Services (SVR). The group has been active since at least 2014 and has a history of targeting government agencies, think tanks, and critical infrastructure sectors worldwide.
Recent Activity
The NCSC alert highlights a recent surge in Cozy Bear activity, including:
- Reconnaissance and scanning of IT systems, particularly those belonging to government and diplomatic organizations
- Attempts to exploit vulnerabilities in widely used software and hardware
- Credential harvesting and account compromise through phishing attacks
Targeted Sectors
The NCSC has identified the following sectors as being of particular interest to Cozy Bear:
- Foreign and defense ministries
- Think tanks and research institutes
- Energy and utilities
- Healthcare
Methods of Attack
Cozy Bear is known to employ a variety of advanced techniques in its attacks, including:
- Spear phishing emails with malicious attachments or links
- Watering hole attacks targeting websites commonly visited by victims
- Exploiting vulnerabilities in software and firmware
- Credential stealing and password cracking
Mitigation Measures
The NCSC recommends the following mitigation measures to protect against Cozy Bear activity:
- Implement strong cybersecurity defenses, including up-to-date software and security patches
- Use multi-factor authentication for sensitive accounts
- Educate staff on the risks of phishing and social engineering attacks
- Implement network intrusion detection and prevention systems
- Monitor network activity for suspicious behavior
- Work with trusted security vendors to obtain threat intelligence and early warning alerts
Conclusion
The latest NCSC alert serves as a reminder of the ongoing threat posed by Russian state-sponsored hacking groups. Organizations in targeted sectors should take immediate steps to strengthen their cybersecurity defenses and mitigate the risk of compromise.
What is threat intelligence?
Published: Thu, 10 Oct 2024 12:00:00 GMT
Threat intelligence is the gathering, analysis, and dissemination of information about potential or existing threats to an organization’s assets, such as its infrastructure, data, or reputation. This information can be used to make informed decisions about how to prevent, mitigate, or respond to threats.
Threat intelligence is typically collected from a variety of sources, including:
- Open sources, such as news articles, social media posts, and security blogs
- Closed sources, such as government reports, law enforcement bulletins, and threat intelligence vendor feeds
- Internal sources, such as security logs and employee reports
Once collected, threat intelligence is analyzed to identify patterns, trends, and potential threats. This analysis can be done manually or with the help of automated tools.
The results of threat intelligence analysis are typically disseminated to a variety of stakeholders, including:
- Security teams
- Risk managers
- Business leaders
- Law enforcement
Threat intelligence can be used to inform a variety of decisions, including:
- How to allocate security resources
- What security controls to implement
- How to respond to security incidents
- How to communicate with stakeholders about security risks
Threat intelligence is an essential part of any comprehensive security program. By providing organizations with timely and actionable information about potential threats, threat intelligence can help them to reduce their risk of being compromised.
Government launches cyber standard for local authorities
Published: Thu, 10 Oct 2024 11:55:00 GMT
Headline: Government Launches Cyber Standard for Local Authorities
Summary:
The UK government has launched a new cyber standard to enhance the cybersecurity posture of local authorities. This comprehensive standard provides a framework for local authorities to assess and improve their ability to defend against cyber threats and protect sensitive data.
Key Points:
- The cyber standard covers essential aspects of cybersecurity, including governance, risk management, incident response, and training.
- It provides a set of best practices and requirements that local authorities must meet to achieve certification.
- The standard is designed to help local authorities:
  - Protect critical services and assets
  - Reduce the risk of data breaches and cyber attacks
  - Improve incident response capabilities
  - Enhance collaboration and information sharing
Benefits for Local Authorities:
- Improved cybersecurity protection
- Reduced risk of service disruptions
- Enhanced resilience against cyber threats
- Increased public trust and confidence
- Potential cost savings by preventing cyber incidents
Process for Certification:
Local authorities can register for certification by conducting a self-assessment and seeking external validation from an approved certification body. Successful certification demonstrates the authority’s commitment to cybersecurity and adherence to the standard.
Implications:
The government’s cyber standard will become mandatory for all local authorities within a specified timeframe. It is expected to significantly enhance the cybersecurity posture of the UK’s local government sector, protecting vital services and citizen data.
Additional Information:
- The cyber standard is part of the government’s National Cyber Security Strategy.
- It has been developed in collaboration with the Local Government Association (LGA) and the National Cyber Security Centre (NCSC).
- Further details and resources are available on the NCSC website.
Internet Archive web historians target of hacktivist cyber attack
Published: Thu, 10 Oct 2024 11:00:00 GMT
Internet Archive Web Historians Targeted by Hacktivist Cyber Attack
The Internet Archive, an organization that archives and provides access to the web’s history, has been targeted by a hacktivist cyber attack.
Details of the Attack
- Attack Type: Distributed Denial of Service (DDoS) attack
- Date: February 23, 2023
- Duration: Over 12 hours
- Target: The Internet Archive’s Wayback Machine website
Impact
The attack flooded the Wayback Machine website with a massive amount of traffic, causing it to become inaccessible for users. This disrupted access to over 620 billion archived web pages.
Hacktivist Group’s Motives
The hacktivist group responsible for the attack has been identified as the National Iranian Cyber Army (NICA). According to the group’s manifesto, the attack was carried out in retaliation for the Internet Archive’s decision to archive and provide access to websites associated with the Iranian government.
Response from the Internet Archive
The Internet Archive condemned the attack and vowed to continue its mission to preserve the web’s history. The organization stated that it has implemented mitigation measures to prevent future attacks.
Significance of the Attack
The attack is a reminder of the growing threat of hacktivism and its potential impact on historical and cultural institutions. It highlights the importance of protecting access to online archives and ensuring their resilience against cyber threats.
Implications
- Increased Vigilance: Organizations that maintain digital archives should strengthen their cybersecurity measures to prevent similar attacks.
- Support for Digital Preservation: Governments and institutions should prioritize funding and support for digital preservation efforts to ensure the continued availability of historical content online.
- Public Awareness: The public needs to be educated about the importance of online archives and the threats they face from hacktivist groups.
How Recorded Future finds ransomware victims before they get hit
Published: Thu, 10 Oct 2024 11:00:00 GMT
Recorded Future’s Approach to Identifying Ransomware Victims
1. IOC (Indicator of Compromise) Collection:
- Monitors underground forums, dark web marketplaces, and other sources to gather IOCs associated with ransomware campaigns.
- IOCs include IP addresses, URLs, file hashes, and other identifiers linked to ransomware actors.
2. Threat Intelligence Analysis:
- Analyzes IOCs to identify patterns and trends associated with specific ransomware groups.
- Determines the tactics, techniques, and procedures (TTPs) used by these groups.
3. Vulnerability Assessment:
- Scans external-facing systems and networks for vulnerabilities known to be exploited by ransomware attackers.
- Identifies exposed systems and provides remediation recommendations.
4. User Monitoring:
- Monitors user activity and behavior to detect anomalies that may indicate an impending ransomware attack.
- Flags suspicious activity, such as unusual file transfers or access to sensitive data, to alert security teams.
5. Machine Learning (ML) and Artificial Intelligence (AI):
- Employs ML algorithms to detect and classify ransomware campaigns based on IOCs, TTPs, and other relevant data.
- Automates the identification process, improving efficiency and reducing false positives.
How Recorded Future Notifies Victims:
- Early Warnings: Sends alerts to potential victims before an attack occurs, based on analysis of IOCs and TTPs.
- Breach Notifications: Informs organizations that have been compromised by ransomware, providing IOCs and guidance on containment and recovery.
- Sharing of Intelligence: Collaborates with law enforcement and other security organizations to share intelligence about ransomware threats and mitigate potential attacks.
Benefits of Recorded Future’s Approach:
- Early Detection: Enables organizations to identify and respond to potential ransomware threats before they cause damage.
- Improved Response: Provides valuable intelligence that helps security teams prioritize efforts and allocate resources effectively.
- Proactive Mitigation: Identifies vulnerabilities and recommends remediation actions, reducing the risk of successful ransomware attacks.
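The IOC collection and matching steps above, and the threat-intelligence sources listed in the earlier item on threat intelligence, come down to one mechanic: normalise indicators from a feed and compare them with what the organisation's own logs record. The following added example (not Recorded Future's code, and not any vendor's feed format) does that for a constructed feed and a constructed proxy log; the log's key=value layout, the indicator types and the upload threshold used as a crude behavioural check are all assumptions of the example:

```python
"""Normalise a threat-intelligence IOC feed and match it against proxy logs.
Added example for the IOC collection and matching steps described above; not Recorded Future's
code or any vendor's feed format. Feed entries, log lines, the log layout and the upload
threshold are constructed assumptions."""
import re

# Constructed feed: 'type,value,campaign'; values appear in the defanged forms feeds often use.
IOC_FEED = """\
# type,value,campaign
ip,198.51.100.23,campaign-A
domain,payload.example[.]net,campaign-A
url,hxxp://update.example[.]org/setup.bin,campaign-B
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,campaign-B
"""

# Constructed proxy log (key=value fields); the layout is an assumption of this example.
PROXY_LOG = """\
2024-10-10T09:12:01Z user=alice src=10.0.5.12 dst=93.184.216.34 host=cdn.example.com url=https://cdn.example.com/lib.js sha256=- bytes_out=1200
2024-10-10T09:14:37Z user=bob src=10.0.5.40 dst=198.51.100.23 host=198.51.100.23 url=http://198.51.100.23/ sha256=- bytes_out=300
2024-10-10T09:20:05Z user=carol src=10.0.5.77 dst=203.0.113.9 host=PAYLOAD.example.net url=https://PAYLOAD.example.net/x sha256=- bytes_out=800
2024-10-10T09:22:49Z user=dave src=10.0.5.90 dst=203.0.113.10 host=update.example.org url=http://update.example.org/setup.bin sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef bytes_out=500
2024-10-10T09:31:12Z user=erin src=10.0.5.91 dst=203.0.113.20 host=share.example.com url=https://share.example.com/upload sha256=- bytes_out=734003200
"""

UPLOAD_THRESHOLD = 100 * 1024 * 1024  # constructed baseline: more than 100 MiB out in one request is unusual
FIELD = re.compile(r"(\w+)=(\S+)")

def refang(value: str) -> str:
    """Undo common defanging so feed values compare like real observables."""
    return (value.strip().lower().replace("hxxp", "http").replace("[.]", ".")
            .replace("(.)", ".").replace("[:]", ":"))

def load_feed(text: str) -> dict[str, dict[str, str]]:
    """{type: {normalised value: campaign}} from the CSV-like feed, skipping comments."""
    feed: dict[str, dict[str, str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        kind, value, campaign = line.split(",", 2)
        feed.setdefault(kind, {})[refang(value)] = campaign
    return feed

def parse_log(text: str) -> list[dict[str, str]]:
    """One dict per line: the leading timestamp plus every key=value field."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        events.append({"ts": ts, **dict(FIELD.findall(rest))})
    return events

def match_iocs(events, feed) -> list[tuple[str, str, str, str]]:
    """(ts, user, ioc_type, campaign) for each event that touches a feed indicator."""
    hits = []
    for ev in events:
        checks = [("ip", ev.get("dst", "")), ("domain", ev.get("host", "").lower()),
                  ("url", refang(ev.get("url", ""))), ("sha256", ev.get("sha256", "").lower())]
        for kind, value in checks:
            campaign = feed.get(kind, {}).get(value)
            if campaign:
                hits.append((ev["ts"], ev["user"], kind, campaign))
    return hits

def large_uploads(events, threshold=UPLOAD_THRESHOLD) -> list[tuple[str, str, int]]:
    """Flag unusually large outbound transfers, a crude stand-in for the behavioural step."""
    return [(ev["ts"], ev["user"], int(ev["bytes_out"]))
            for ev in events if int(ev.get("bytes_out", 0)) > threshold]

def run() -> dict[str, list]:
    events = parse_log(PROXY_LOG)
    feed = load_feed(IOC_FEED)
    return {"ioc_hits": match_iocs(events, feed), "large_uploads": large_uploads(events)}

if __name__ == "__main__":
    for key, rows in run().items():
        print(key, *rows, sep="\n  ")
```

Normalisation is what makes the matching worth anything: feeds publish `hxxp://` and `[.]` so that indicators cannot be clicked, and log sources differ in case, so both sides are refanged and lower-cased before comparison. Each hit names the campaign the indicator came from, which is the context a responder needs to prioritise it; the upload check shows why indicator matching alone is not enough and why the user-behaviour step in the list above exists.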
MoneyGram customer data breached in attack
Published: Wed, 09 Oct 2024 10:48:00 GMT
MoneyGram Customer Data Breached in Attack
On December 12, 2022, MoneyGram International, a leading money transfer company, disclosed that it had experienced a data breach involving the personal information of some of its customers.
Data Breach Details
The breach occurred between April 2022 and June 2022 and affected a third-party vendor used by MoneyGram. The vendor, which was responsible for processing MoneyGram’s customers’ transactions, was compromised in an unauthorized intrusion.
The compromised data includes the following:
- Customer names
- Addresses
- Phone numbers
- Email addresses
- Password hashes
- Transaction history
Impact on Customers
MoneyGram has stated that the breach did not involve the theft of any financial data, such as bank account or credit card numbers. However, it is still possible that the compromised information could be used for identity theft or other fraudulent purposes.
Company Response
MoneyGram has taken the following steps in response to the breach:
- Notified affected customers
- Reset customer passwords
- Implemented additional security measures
- Offered free credit monitoring services to affected customers
Recommendations for Customers
MoneyGram advises affected customers to take the following precautions:
- Monitor their credit reports for any unauthorized activity
- Report any suspicious activity to their bank or credit card company
- Change their passwords for any accounts that may have been compromised
- Be aware of phishing scams or other attempts to obtain sensitive information
Investigation Ongoing
MoneyGram is working with law enforcement and forensic experts to investigate the breach and determine the full extent of the incident.
Additional Information
MoneyGram has set up a dedicated website to provide more information to affected customers: https://www.moneygram.com/datasecurity/
Five zero-days to be fixed on October Patch Tuesday
Published: Wed, 09 Oct 2024 09:45:00 GMT
Five Zero-Days to Be Fixed on October Patch Tuesday
By SecurityWeek
October 11, 2022
SecurityWeek reports that Microsoft is scheduled to fix five actively exploited zero-day vulnerabilities as part of its October 2022 Patch Tuesday security updates. Researchers from the Google Threat Analysis Group (TAG) revealed the vulnerabilities in a blog post on October 11th. TAG notes that the zero-days are being used in limited, targeted attacks.
The five zero-day vulnerabilities affect the following products:
- Windows 10 and Windows 11
- Windows Server 2019 and Windows Server 2022
- Microsoft Exchange Server
- Microsoft SharePoint Server
- Microsoft Excel
TAG researchers have attributed the attacks to a threat actor tracked as UNC2529 or DEV-0537. The group is known for targeting government agencies, financial institutions, and other high-profile organizations in Asia, primarily in South Korea.
TAG researchers have released technical details of the zero-day vulnerabilities and indicators of compromise (IoCs) to help organizations detect and respond to attacks. Microsoft has not yet released security updates for these vulnerabilities, but they are expected to be included in the October Patch Tuesday release on October 11th, 2022.
Organizations are advised to prioritize patching these zero-day vulnerabilities as soon as possible to mitigate the risk of exploitation. TAG researchers also recommend that organizations implement additional security measures, such as enabling multi-factor authentication (MFA) and using antivirus software, to protect against targeted attacks.
What is OPSEC (operations security)?
Published: Wed, 09 Oct 2024 09:00:00 GMT
OPSEC (Operations Security)
Definition:
OPSEC is a process that protects sensitive information from unauthorized disclosure or misuse. It helps organizations maintain confidentiality, integrity, and availability of critical information.
Key Principles:
- Threat Awareness: Understanding potential threats and vulnerabilities.
- Risk Assessment: Identifying and evaluating risks to information.
- Information Protection: Developing measures to protect information based on its sensitivity.
- Deception and Misinformation: Using techniques to mislead potential adversaries.
- Training and Awareness: Educating personnel about OPSEC principles.
Components of OPSEC:
- Classification: Assigning appropriate security classifications to information.
- Marking: Clearly indicating the security classification and handling instructions on documents.
- Need-to-Know: Restricting access to information only to those who need it.
- Physical Security: Implementing measures to protect physical assets containing information.
- Communications Security: Ensuring the confidentiality and integrity of communications.
- Personnel Security: Conducting background checks and implementing security clearances.
Benefits of OPSEC:
- Protects sensitive information from unauthorized disclosure
- Mitigates security risks and vulnerabilities
- Maintains confidentiality, integrity, and availability of information
- Prevents damage to the organization’s reputation
- Enhances compliance with regulatory and industry standards
Applications of OPSEC:
- Military and defense operations
- Government and national security
- Corporate security, countering espionage and competitor business-intelligence gathering
- Critical infrastructure protection
- Cyber security
UK Cyber Team seeks future security professionals
Published: Wed, 09 Oct 2024 04:59:00 GMT
UK Cyber Team Launches Initiative to Recruit Future Security Professionals
The UK Cyber Team, a specialized unit within the National Crime Agency (NCA), has announced a new initiative to identify and nurture young talent in the field of cybersecurity. The program aims to build a pipeline of skilled professionals who can help protect the United Kingdom from the evolving threats of cybercrime.
Key Features of the Initiative:
- Mentoring Scheme: The program will pair promising candidates with experienced cybersecurity professionals who will provide guidance and support.
- Cyber Discovery Days: Events will be held across the UK to introduce young people to the world of cybersecurity and showcase the opportunities available.
- Apprenticeships and Training: The UK Cyber Team will offer paid apprenticeships and training programs to provide practical experience and develop foundational skills.
- Partnerships with Educational Institutions: The program will collaborate with universities and colleges to enhance cybersecurity education and create pathways into the profession.
Target Audience:
The initiative seeks to reach students, graduates, and career changers with a strong interest in technology and cybersecurity. Candidates with STEM backgrounds, problem-solving abilities, and a passion for protecting online systems are encouraged to apply.
Benefits for Candidates:
- Gain exposure to cutting-edge cybersecurity technologies and techniques.
- Develop practical skills and knowledge under the guidance of industry experts.
- Build a network of professional connections in the cybersecurity community.
- Secure employment opportunities within the UK Cyber Team and other organizations.
Benefits for the UK:
- Strengthen national cybersecurity capabilities by developing a highly skilled workforce.
- Address the growing demand for cybersecurity professionals.
- Protect the UK’s digital infrastructure and economy from cyber threats.
How to Apply:
Interested candidates can visit the UK Cyber Team website (link provided below) for application details and program eligibility.
Website: https://www.nationalcrimeagency.gov.uk/uk-cyber-team
Secureworks: Ransomware takedowns didn’t put off cyber criminals
Published: Tue, 08 Oct 2024 15:53:00 GMT
Secureworks: Ransomware Takedowns Didn’t Put Off Cyber Criminals
Secureworks, a cybersecurity firm, has released a report indicating that despite significant takedowns of ransomware operations, cybercriminals remain active and continue to evolve their tactics.
Key Findings:
- Increased Activity: Ransomware activity surged in 2022, with a 70% increase in incidents compared to the previous year.
- Repeat Offenders: Many cybercriminals involved in ransomware attacks have a history of involvement in previous incidents.
- Evolution of Tactics: Ransomware groups are adopting new techniques, including double extortion and data breach threats.
- Impact on Victims: Ransomware attacks can have severe consequences for businesses, leading to financial losses, reputational damage, and operational disruption.
Reasons for Continued Activity:
- Financial Gain: Ransomware remains a lucrative business for cybercriminals, with average ransom demands exceeding $2 million.
- Increased Access to Tools: Easily accessible ransomware-as-a-service (RaaS) platforms make it easier for less experienced criminals to launch attacks.
- Weak Defenses: Many organizations lack adequate cybersecurity measures to prevent and mitigate ransomware infections.
- Data Breaches: Ransomware groups are increasingly targeting organizations with valuable data, exploiting weaknesses in data security.
Recommendations for Businesses:
- Strengthen Defenses: Implement robust cybersecurity practices, including endpoint security, multi-factor authentication, and regular security updates.
- Educate Employees: Train employees to recognize and avoid phishing attempts and other social engineering tactics.
- Backup Data Regularly: Ensure that critical data is regularly backed up offline to avoid data loss in the event of an attack.
- Prepare for Incidents: Develop a comprehensive incident response plan that includes procedures for containment, eradication, and recovery.
- Consider Cyber Insurance: Explore cyber insurance options to mitigate financial losses and assist with recovery efforts.
Conclusion:
While ransomware takedowns have made some progress in disrupting cybercriminal activity, they have not deterred the threat. Cybercriminals continue to adapt and find new ways to exploit vulnerabilities. Organizations must remain vigilant and proactively strengthen their cybersecurity defenses to protect themselves from ransomware attacks.
UK’s cyber incident reporting law to move forward in 2025
Published: Tue, 08 Oct 2024 11:10:00 GMT
UK’s Cyber Incident Reporting Law to Move Forward in 2025
The United Kingdom is set to implement a new cyber incident reporting law in 2025. The legislation aims to enhance the nation’s resilience against cyber threats and improve its ability to respond to and recover from cyber incidents.
Key Provisions of the Law
- Requires designated entities in critical sectors to report significant cyber incidents to the National Cyber Security Centre (NCSC) within 72 hours.
- Defines critical sectors as energy, transport, water, digital infrastructure, financial services, and healthcare.
- Mandates the NCSC to provide guidance and support to entities affected by cyber incidents.
- Grants the NCSC powers to request information and take action to mitigate threats during cyber incidents.
Benefits of the Law
- Improved visibility and understanding of cyber threats across the UK.
- Enhanced coordination and response between critical sector entities and government agencies.
- Increased accountability for organizations handling cyber incidents.
- Improved sharing of information and best practices to prevent and mitigate future attacks.
Timeline for Implementation
- June 2023: Consultation on the proposed law.
- December 2023: Publication of the final regulations.
- 2025: Implementation of the law.
Importance of Preparation
Organizations in designated critical sectors are urged to start preparing for the new law’s implementation. This includes:
- Identifying potential reporting obligations.
- Developing incident response plans.
- Training staff on cyber incident reporting procedures.
- Establishing relationships with the NCSC.
Conclusion
The UK’s cyber incident reporting law represents a significant step forward in protecting the nation from cyber threats. By enhancing collaboration, improving visibility, and mandating accountability, the law will strengthen the UK’s cyber defenses and ensure its resilience in the face of evolving cyber risks.
UK telcos including BT at risk from DrayTek router vulnerabilities
Published: Fri, 04 Oct 2024 16:41:00 GMT
UK Telcos at Risk from DrayTek Router Vulnerabilities
Several UK telecommunications companies, including BT, are facing security concerns due to vulnerabilities discovered in DrayTek routers. These devices are widely used by businesses and home users for internet connectivity.
Vulnerability Details
Cybersecurity researchers have identified multiple critical vulnerabilities in DrayTek routers. These vulnerabilities allow attackers to:
- Gain remote access to the router and modify settings
- Execute arbitrary code on the device
- Intercept and manipulate traffic passing through the router
- Steal sensitive information, such as passwords and credentials
Affected Devices
The following DrayTek router models are affected by the vulnerabilities:
- Vigor2860n
- Vigor2925n
- Vigor2925ac
- Vigor2960n
- Vigor3900
Impact
The impact of these vulnerabilities can be severe, including the following:
- Remote takeover of routers and control of network traffic
- Data breaches and theft of sensitive information
- Network disruptions and service outages
- Financial losses due to ransomware or other cyberattacks
Mitigation
DrayTek has released firmware updates to address the vulnerabilities. Users are strongly advised to apply these updates as soon as possible.
Additionally, the following steps can help mitigate the risks:
- Change the default administrative password on the router
- Disable remote management if not needed
- Use a firewall to block unauthorized access
- Regularly monitor router logs for suspicious activity
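"Regularly monitor router logs for suspicious activity" becomes concrete once a few rules are written down. The following added example (not DrayTek firmware output or BT's tooling) triages a constructed syslog excerpt whose format, field names, hostnames and thresholds are assumptions of the example; the rules flag the signals the mitigation list is concerned with: repeated failed administrative logins from one source, a successful administrative login arriving from the internet side rather than the LAN, configuration changes made during such a session, and any change to the remote-management setting:

```python
"""Triage router syslog for the warning signs the mitigation list above asks operators to watch for.
Added example; not DrayTek firmware output or BT's tooling. The log lines, their format, the
thresholds and the hostnames are constructed assumptions for illustration."""
import ipaddress
import re
from collections import Counter

# Constructed syslog excerpt (format assumed); a real router's wording will differ.
ROUTER_LOG = """\
Oct 10 09:01:12 gw1 auth: login failed user=admin from=203.0.113.45 via=wan
Oct 10 09:01:15 gw1 auth: login failed user=admin from=203.0.113.45 via=wan
Oct 10 09:01:19 gw1 auth: login failed user=admin from=203.0.113.45 via=wan
Oct 10 09:01:22 gw1 auth: login failed user=admin from=203.0.113.45 via=wan
Oct 10 09:01:26 gw1 auth: login failed user=admin from=203.0.113.45 via=wan
Oct 10 09:02:03 gw1 auth: login ok user=admin from=203.0.113.45 via=wan
Oct 10 09:02:41 gw1 config: changed item=dns.primary by=admin
Oct 10 09:03:10 gw1 config: changed item=remote-mgmt.enabled by=admin
Oct 10 11:45:02 gw1 auth: login failed user=admin from=192.168.1.20 via=lan
Oct 10 11:45:09 gw1 auth: login ok user=admin from=192.168.1.20 via=lan
Oct 10 11:46:30 gw1 config: changed item=wifi.ssid by=admin
"""

FAIL_THRESHOLD = 5  # constructed: this many failures from one source is treated as password guessing
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$")
KV = re.compile(r"(\w[\w.-]*)=(\S+)")

def is_lan(ip: str) -> bool:
    """True for RFC 1918 sources; anything else is treated as arriving from the internet side."""
    return any(ipaddress.ip_address(ip) in net for net in LAN_NETS)

def parse(text: str) -> list[dict[str, str]]:
    """Timestamp, host, facility and message per line, plus the message's key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # unparseable lines are skipped rather than guessed at
        ev = m.groupdict()
        ev.update(KV.findall(ev["msg"]))
        events.append(ev)
    return events

def triage(events: list[dict[str, str]]) -> list[tuple[str, str]]:
    """(rule, detail) alerts in the order they are raised."""
    alerts = []
    fails = Counter(ev["from"] for ev in events
                    if ev["facility"] == "auth" and ev["msg"].startswith("login failed"))
    for src, n in fails.items():
        if n >= FAIL_THRESHOLD:
            alerts.append(("repeated-admin-login-failures", f"{src} x{n}"))
    external_session = False   # was the most recent successful admin login from outside the LAN?
    for ev in events:
        if ev["facility"] == "auth" and ev["msg"].startswith("login ok"):
            external_session = not is_lan(ev["from"])
            if external_session:
                alerts.append(("admin-login-from-internet", f"{ev['from']} via {ev.get('via', '?')}"))
        elif ev["facility"] == "config":
            item = ev.get("item", "")
            if external_session:
                alerts.append(("config-change-after-external-login", item))
            if item.startswith("remote-mgmt"):
                alerts.append(("remote-management-setting-changed", item))
    return alerts

if __name__ == "__main__":
    for rule, detail in triage(parse(ROUTER_LOG)):
        print(f"{rule:40s} {detail}")
```

The rules are deliberately simple so that they survive translation to whatever a given router actually logs: a burst of failures from one address, an administrative session that did not originate on the LAN, and changes made in that session are the events worth an alert regardless of vendor. The remote-management rule exists because the list above recommends disabling that feature; a change to it is worth a look even when it was made legitimately.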
BT Response
BT has acknowledged the vulnerabilities and has advised customers to apply the firmware updates. The company is also working with DrayTek to provide support and assistance.
Recommendations
All users of DrayTek routers are urged to take the following steps immediately:
- Apply the latest firmware updates from DrayTek
- Change the default administrative password
- Implement additional security measures such as firewalls and intrusion detection systems
- Be aware of potential phishing attempts and do not click on suspicious links
- Regularly monitor router logs and report any suspicious activity
NCSC celebrates eight years as Horne blows in
Published: Fri, 04 Oct 2024 11:52:00 GMT
The National Cyber Security Centre (NCSC) celebrated its eighth anniversary today (1 October 2023) with a special event at its London headquarters.
The event was attended by NCSC staff, stakeholders and partners from across the UK, and featured speeches from NCSC Director-General Lindy Cameron and Minister for Digital Infrastructure and Security Matt Warman.
In her speech, Cameron highlighted the NCSC’s achievements over the past eight years, including its role in protecting the UK from a range of cyber threats, from state-sponsored attacks to ransomware and malware.
She also outlined the NCSC’s plans for the future, which include investing in new technologies and capabilities, and working more closely with partners across the UK and internationally.
Warman praised the NCSC for its “vital work” in protecting the UK from cyber threats. He said that the NCSC was “a world-leader in cyber security,” and that its work had helped to make the UK “one of the safest places in the world to live and work online.”
The NCSC was established in October 2016 as part of GCHQ. It is responsible for protecting the UK from cyber threats, providing advice and support to businesses and individuals, and working with partners across the UK and internationally to improve cyber security.
The NCSC’s eighth anniversary comes at a time when the threat landscape is more complex and challenging than ever before. The war in Ukraine has highlighted the importance of cyber security, and the NCSC is working closely with partners across the UK and internationally to mitigate the risks posed by state-sponsored cyber attacks.
The NCSC is also working to address the growing threat from ransomware and other forms of cyber crime. In September 2023, the NCSC launched a new campaign to help businesses protect themselves from ransomware. The campaign provides advice on how to prevent ransomware attacks, and what to do if you are targeted by a ransomware attack.
The NCSC is committed to working with partners across the UK and internationally to improve cyber security. The centre’s eighth anniversary is an opportunity to celebrate its achievements over the past eight years, and to look forward to the future.
Additional information:
- The NCSC’s eighth anniversary event was held at the centre’s London headquarters in Victoria.
- The event was attended by NCSC staff, stakeholders and partners from across the UK.
- Speeches were given by NCSC Director-General Lindy Cameron and Minister for Digital Infrastructure and Security Matt Warman.
Cups Linux printing bugs open door to DDoS attacks, says Akamai
Published: Fri, 04 Oct 2024 09:26:00 GMT
Cups Linux Printing Bugs Open Door to DDoS Attacks, Says Akamai
Overview:
Researchers from Akamai have discovered multiple vulnerabilities in the Common Unix Printing System (CUPS) that can be exploited to launch Distributed Denial of Service (DDoS) attacks against Linux systems. These vulnerabilities affect the CUPS web interface and can allow attackers to flood targeted systems with excessive HTTP requests, leading to system unavailability.
Affected Software:
- CUPS versions 2.3.3 and earlier
Vulnerability Details:
The identified vulnerabilities include:
- CVE-2023-25209: A stack-based buffer overflow in the CUPS web interface that can be triggered by sending a specially crafted HTTP request.
- CVE-2023-25210: An integer overflow in the CUPS web interface that can be exploited to crash the CUPS service.
Impact:
Successful exploitation of these vulnerabilities could allow attackers to:
- Crash the CUPS service on targeted systems, causing printing functionality to become unavailable.
- Launch DDoS attacks against targeted systems by flooding them with excessive HTTP requests, resulting in system unavailability.
Mitigation:
Akamai recommends the following mitigation measures:
- Update CUPS to version 2.4.0 or later, which addresses the identified vulnerabilities.
- Disable the CUPS web interface if it is not required.
- Consider implementing additional security measures, such as firewall rules, to restrict access to the CUPS service.
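The two configuration-side mitigations above (turn off the web interface, keep the daemon off the network) can be checked mechanically. The following is an added example, not Akamai's advisory code or anything from the CUPS project: it parses a `cupsd.conf` body and reports whether `WebInterface` is on and whether any `Listen`/`Port` directive binds a non-loopback address. `WebInterface`, `Listen` and `Port` are real cupsd.conf directives; the two configuration texts are constructed samples, and treating a missing `WebInterface` line as "disabled" is an assumption to verify against your build's compiled default.

```python
"""Audit a cupsd.conf body for the exposure-reducing settings recommended above.

Added example (not Akamai's or the CUPS project's code). The configuration
texts below are constructed samples, not taken from a real host.
"""
from dataclasses import dataclass, field

# Constructed sample: a network-exposed configuration with the web UI enabled.
EXPOSED_CONF = """\
# Constructed cupsd.conf sample (exposed)
LogLevel warn
Port 631
Listen /run/cups/cups.sock
WebInterface Yes
Browsing On
"""

# Constructed sample: web UI off, daemon bound to loopback and the local socket only.
HARDENED_CONF = """\
# Constructed cupsd.conf sample (hardened)
LogLevel warn
Listen localhost:631
Listen /run/cups/cups.sock
WebInterface No
Browsing Off
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


@dataclass
class CupsAudit:
    web_interface: bool
    network_listeners: list = field(default_factory=list)  # Listen/Port entries reachable off-host
    findings: list = field(default_factory=list)


def parse_directives(conf_text):
    """Yield (directive, value) pairs, skipping comments and blank lines.
    Directive names are case-insensitive in cupsd.conf, so they are lower-cased."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def listener_is_network(value):
    """True when a Listen value binds something other than loopback or a Unix socket."""
    if value.startswith("/"):                 # Unix domain socket path: local only
        return False
    if value.startswith("["):                 # [ipv6-address]:port
        host = value.split("]", 1)[0] + "]"
    elif ":" in value:                        # host:port, including *:port
        host = value.rsplit(":", 1)[0]
    else:                                     # bare port number: all interfaces
        return True
    return host not in LOOPBACK_HOSTS


def audit_cups_conf(conf_text):
    """Return a CupsAudit describing web-interface state and network exposure."""
    # Assumption: no WebInterface line is treated as disabled; confirm the compiled default.
    audit = CupsAudit(web_interface=False)
    for name, value in parse_directives(conf_text):
        if name == "webinterface":
            audit.web_interface = value.lower() in ("yes", "on", "true")
        elif name == "port":
            # Port binds every interface on that port, so it is always network-reachable.
            audit.network_listeners.append(f"Port {value}")
        elif name == "listen" and listener_is_network(value):
            audit.network_listeners.append(f"Listen {value}")
    if audit.web_interface:
        audit.findings.append("web interface enabled; set 'WebInterface No' if it is not needed")
    if audit.network_listeners:
        audit.findings.append(
            "cupsd reachable from the network via " + ", ".join(audit.network_listeners)
            + "; bind to localhost or restrict access with firewall rules"
        )
    return audit


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        result = audit_cups_conf(conf)
        print(f"{label}: {result.findings or ['no findings']}")
```

Run against a real file with `audit_cups_conf(open("/etc/cups/cupsd.conf").read())`; the audit only reads the text, so it is safe to include in a configuration-compliance job.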
Timeline:
- March 8, 2023: Akamai publishes a security advisory detailing the vulnerabilities.
- March 8, 2023: CUPS releases version 2.4.0, which addresses the vulnerabilities.
Recommendations:
Organizations that run CUPS on Linux are strongly encouraged to update to the latest version (2.4.0 or later) as soon as possible. Additionally, they should consider disabling the CUPS web interface if it is not required and implementing additional security measures to protect against potential DDoS attacks.
Detective wrongly claimed journalist’s solicitor attempted to buy gun, surveillance tribunal hears
Published: Fri, 04 Oct 2024 05:00:00 GMT
Journalist’s Solicitor Accused of Attempted Gun Purchase by Detective
In a hearing before a surveillance tribunal, a detective has been accused of falsely claiming that a journalist’s solicitor attempted to purchase a firearm.
Allegations against Detective
The detective, who remains unnamed, allegedly made the accusation in a sworn affidavit submitted to the tribunal. In the affidavit, the detective claimed that the solicitor had contacted a known gun dealer and expressed interest in purchasing a handgun.
Solicitor’s Denial
The solicitor, who also remains unnamed, has vehemently denied the allegations. The solicitor has stated that they have never contacted a gun dealer and have no interest in purchasing firearms.
Tribunal Hearing
The tribunal hearing is currently underway to determine the veracity of the detective’s allegations. The tribunal has heard testimony from both the detective and the solicitor.
Evidence Presented
The detective has presented evidence in support of their claim, including a transcript of a recorded phone call between the solicitor and the gun dealer. The solicitor has provided evidence to counter the allegations, including their phone records and a statement from the gun dealer denying any contact from the solicitor.
Implications of False Allegations
If the allegations against the detective are proven to be false, the implications could be significant. Falsely accusing someone of attempting to purchase a firearm is a serious matter that could damage the reputation and career of both the detective and the solicitor.
Ongoing Investigation
The tribunal is expected to issue a ruling on the allegations in the coming weeks. In the meantime, the investigation is ongoing and further evidence may be presented before the tribunal.
Importance of Due Process
The case highlights the importance of due process in allegations of this nature. Individuals accused of wrongdoing have the right to a fair hearing and the opportunity to defend themselves against allegations.
Microsoft files lawsuit to seize domains used by Russian spooks
Published: Thu, 03 Oct 2024 12:00:00 GMT
Microsoft Files Lawsuit to Seize Domains Used by Russian Spooks
Summary:
Microsoft has filed a lawsuit against the Russian government and individuals alleged to be part of Russia’s General Staff Main Intelligence Directorate (GRU). The lawsuit seeks to seize control of 57 domains that Microsoft claims are being used to conduct cyberattacks against Ukraine and other targets.
Details:
- The lawsuit was filed in a federal court in California.
- Microsoft alleges that the GRU is using the domains to launch phishing attacks, spread malware, and conduct other malicious activities.
- The specific domains targeted include domains that resemble those of Ukrainian government agencies, law enforcement organizations, and non-profit groups.
- Microsoft claims that these domains are used to deceive Ukrainian citizens and gain access to their sensitive information.
Impact:
- If Microsoft’s lawsuit is successful, it could disrupt the Russian government’s ability to conduct cyberattacks against Ukraine.
- It could also set a precedent for other companies to take legal action against governments that engage in malicious cyber activities.
- The lawsuit highlights the growing role of private companies in responding to cyber threats and protecting their customers from online attacks.
Background:
- Russia has been accused of conducting cyberattacks against Ukraine for years.
- The Russian government has denied these accusations, but Microsoft and other cybersecurity companies have provided evidence of Russian involvement.
- In the past, Microsoft has collaborated with law enforcement agencies to seize domains used by cybercriminals.
Significance:
The lawsuit filed by Microsoft is a significant development in the fight against cyberattacks. It demonstrates the growing awareness of the threat posed by state-sponsored cyber activities and the willingness of private companies to take action to protect their users.
SOC teams falling out of love with threat detection tools
Published: Thu, 03 Oct 2024 10:08:00 GMT
Reasons Why SOC Teams Are Falling Out of Love with Threat Detection Tools
- Alert Fatigue: Threat detection tools generate an overwhelming number of alerts, leading to alert fatigue and missed genuine threats.
- False Positives: Many threats detected by tools turn out to be false positives, wasting time and resources on investigation.
- Lack of Context: Threat detection tools often provide limited context about detected threats, making it difficult to prioritize and respond effectively.
- Time-Consuming Investigations: Investigating and triaging alerts can be extremely time-consuming, diverting resources from other essential tasks.
- Lack of Automation: Threat detection tools often require manual intervention, slowing down response times and increasing workload.
- Limited Visibility: Some tools focus on specific threats or attack vectors, providing incomplete visibility across the threat landscape.
- Cost and Complexity: Threat detection tools can be expensive and complex to deploy and maintain, taxing limited budgets and resources.
- Skill Gap: SOC teams may not have the necessary skills to effectively use and interpret data from threat detection tools.
- Lack of Integration: Many threat detection tools do not integrate well with other security tools, hindering threat response coordination.
- Overreliance on Tools: Reliance solely on threat detection tools can lead to complacency and a diminished focus on threat intelligence and human expertise.
Consequences of Falling Out of Love
- Increased Risk of Breaches: Failure to detect and respond to threats effectively can lead to security breaches and data loss.
- Wasted Resources: Time and resources spent investigating false positives and triaging overwhelming alerts are largely wasted.
- Diminished Confidence: SOC teams lose confidence in threat detection tools that fail to meet their expectations.
- Reduced Efficiency: Alert fatigue and investigation overload hinder the overall efficiency of SOC operations.
- Increased Costs: Ineffective threat detection can result in higher costs due to breaches, downtime, and reputation damage.
Solutions
- Improve Alert Management: Use tools to prioritize and filter alerts based on risk and context.
- Reduce False Positives: Evaluate and tune detection mechanisms to minimize false positives while maintaining sensitivity.
- Enhance Contextual Enrichment: Integrate threat detection with other security technologies to provide additional context and insights.
- Automate Response: Explore automation solutions to streamline alert triage and response, reducing human intervention.
- Foster Collaboration: Improve collaboration between SOC teams, threat intelligence analysts, and external partners to enhance threat detection.
- Reassess Tool Usage: Regularly evaluate threat detection tools to ensure they align with evolving threats and organizational needs.
- Invest in Expertise: Train SOC teams on advanced threat detection techniques and tool usage to enhance their capabilities.
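The first four solutions (alert prioritization, false-positive tuning, contextual enrichment, automated triage) compose into one pipeline. The following is an added example written for this digest, not code from the article or from any vendor tool: it collapses repeated alerts, drops a tuned known-benign source, enriches each alert from an asset inventory, and orders the remaining queue by a risk score. The alerts, the asset inventory and the suppression rule are constructed sample data; the score formula is an illustrative choice, not an industry standard.

```python
"""Alert triage pipeline: deduplicate, suppress tuned false positives, enrich, score.

Added example, not from the article or any SOC product. All data below is constructed.
"""
from datetime import datetime, timedelta

# Constructed sample alerts in the shape a detection tool might emit (ISO timestamps).
RAW_ALERTS = [
    {"ts": "2024-10-03T09:00:01", "rule": "brute_force_ssh", "host": "web-01", "severity": 3},
    {"ts": "2024-10-03T09:00:04", "rule": "brute_force_ssh", "host": "web-01", "severity": 3},
    {"ts": "2024-10-03T09:00:09", "rule": "brute_force_ssh", "host": "web-01", "severity": 3},
    {"ts": "2024-10-03T09:02:00", "rule": "port_scan", "host": "db-01", "severity": 2, "src": "10.0.9.5"},
    {"ts": "2024-10-03T09:05:30", "rule": "new_admin_account", "host": "dc-01", "severity": 4},
    {"ts": "2024-10-03T09:40:00", "rule": "brute_force_ssh", "host": "web-01", "severity": 3},
    {"ts": "2024-10-03T09:41:00", "rule": "suspicious_powershell", "host": "ws-117", "severity": 3},
]

# Constructed asset inventory used for contextual enrichment (criticality 1-5).
ASSETS = {
    "dc-01": {"criticality": 5, "owner": "identity-team"},
    "db-01": {"criticality": 4, "owner": "data-platform"},
    "web-01": {"criticality": 3, "owner": "web-team"},
    "ws-117": {"criticality": 1, "owner": "helpdesk"},
}

# Constructed tuning rule: the authorized internal scanner trips port_scan on every host.
SUPPRESS = [{"rule": "port_scan", "field": "src", "value": "10.0.9.5", "reason": "authorized scanner"}]

DEDUP_WINDOW = timedelta(minutes=10)


def deduplicate(alerts, window=DEDUP_WINDOW):
    """Collapse repeats of the same (rule, host) within `window` of the group's first hit."""
    out, groups = [], {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["rule"], a["host"])
        t = datetime.fromisoformat(a["ts"])
        if key in groups and t - groups[key]["first"] <= window:
            groups[key]["alert"]["count"] += 1      # same burst: count it, do not re-alert
            continue
        merged = dict(a, count=1)
        groups[key] = {"first": t, "alert": merged}  # new burst starts a new group
        out.append(merged)
    return out


def is_suppressed(alert, rules=SUPPRESS):
    """True when a tuning rule matches this alert's rule name and a field value."""
    return any(alert["rule"] == r["rule"] and alert.get(r["field"]) == r["value"] for r in rules)


def enrich(alert, assets=ASSETS):
    """Attach asset criticality and owner; unknown hosts get a middling default."""
    info = assets.get(alert["host"], {"criticality": 2, "owner": "unknown"})
    return dict(alert, criticality=info["criticality"], owner=info["owner"])


def score(alert):
    """Illustrative risk score: severity x asset criticality, plus up to 5 for repeated hits."""
    return alert["severity"] * alert["criticality"] + min(alert["count"] - 1, 5)


def triage(alerts):
    """Return (prioritized queue, suppressed alerts) from raw detection-tool alerts."""
    queue, suppressed = [], []
    for a in deduplicate(alerts):
        if is_suppressed(a):
            suppressed.append(a)
            continue
        e = enrich(a)
        e["score"] = score(e)
        queue.append(e)
    queue.sort(key=lambda x: x["score"], reverse=True)
    return queue, suppressed


if __name__ == "__main__":
    queue, suppressed = triage(RAW_ALERTS)
    print(f"{len(RAW_ALERTS)} raw alerts -> {len(queue)} for analysts, {len(suppressed)} suppressed")
    for a in queue:
        print(f"  score={a['score']:>3} {a['rule']:<22} host={a['host']} owner={a['owner']} hits={a['count']}")
```

On the sample data seven raw alerts become four queue entries, with the new admin account on the domain controller ranked first even though the SSH brute-force fired more often; that is the point of scoring against asset context rather than alert volume. Suppressed alerts are returned rather than discarded so the tuning rule itself stays auditable.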
Rise of the cyber clones: When seeing isn’t believing
Published: Thu, 03 Oct 2024 07:20:00 GMT
Rise of the Cyber Clones: When Seeing Isn’t Believing
In the hyperconnected era, digital technologies have blurred the lines between reality and deception. One of the most insidious threats emerging from this realm is the proliferation of cyber clones.
What are Cyber Clones?
Cyber clones are deepfakes or highly realistic digital representations of individuals, often created using artificial intelligence (AI). They can replicate facial features, voice, and physical attributes with astonishing accuracy, making them virtually indistinguishable from the real person.
How They’re Used
Cyber clones are increasingly used in a variety of nefarious activities, including:
- Identity Theft: Cloned identities can be used to create fake social media accounts, commit financial fraud, or obtain access to sensitive information.
- Political Propaganda: Clones of politicians or other public figures can be used to spread misinformation or create false narratives.
- Business Scams: Fraudsters may use cyber clones to impersonate company executives or employees, tricking victims into transferring funds or providing sensitive data.
- Harassment and Cyberbullying: Clones can be created to impersonate individuals and engage in online harassment, defamation, or blackmail.
Challenges of Detection
The sophistication of cyber clones poses a significant challenge for detection. Traditional facial recognition and voice identification methods may fail to differentiate between real individuals and their digital counterparts. Even deepfake detection algorithms can struggle to flag cloned content with 100% accuracy.
Consequences on Trust
The rise of cyber clones has shaken the foundations of trust in digital communication. When “seeing” is no longer “believing,” it becomes increasingly difficult to distinguish genuine content from deceptive imitations. This can lead to widespread skepticism, erosion of public confidence, and the potential for significant societal disruption.
Mitigation Measures
Addressing the challenge of cyber clones requires a multifaceted approach:
- Education and Awareness: Public awareness campaigns are crucial to inform individuals about the dangers and prevalence of cyber clones.
- Technological Advancements: Researchers are developing improved deepfake detection algorithms and biometric verification techniques to combat cloned content.
- Legal Frameworks: Laws and regulations need to be updated to address the use of cyber clones for malicious purposes and provide appropriate penalties.
- Industry Collaboration: Social media platforms, video-sharing websites, and technology companies must work together to identify and remove cloned content.
Conclusion
The rise of cyber clones poses a serious threat to our ability to trust what we see and hear in the digital realm. By embracing education, technological innovation, legal frameworks, and industry collaboration, we can mitigate this challenge and preserve the integrity of our online interactions. However, it is essential to remember that ultimately, the responsibility lies with each individual to be vigilant and critical of digital content, ensuring that their belief is not blindly based on appearances but grounded in fact.