IT Security RSS Feed for 2024-10-14

Robust cloud IAM should align to zero-trust principles

Published: Fri, 11 Oct 2024 13:26:00 GMT

Zero-trust Principles

Zero-trust is a security model that treats every request as untrusted until it has been verified, regardless of whether it originates inside or outside the corporate network. It rests on the following principles:

  • Assume breach: No network segment, endpoint or account is trusted by default; design as if an attacker is already inside.
  • Least privilege: Grant only the minimum access necessary to perform a task, for the shortest time necessary.
  • Verify explicitly: Authenticate and authorise every request on all available signals (identity, device, location, workload), not just once at the network edge.
  • Use multi-factor authentication (MFA): Require more than a password before granting access to resources.
  • Limit blast radius: Segment networks and identities so that a compromised account or host cannot move laterally or reach more than its own scope.

Aligning Cloud IAM to Zero-Trust

Cloud Identity and Access Management (IAM) is the primary control plane for implementing zero-trust in the cloud, because every API call is authenticated and authorised by it regardless of where the caller sits on the network. By leveraging IAM, organizations can:

1. Enforce Least Privilege:

  • Assign roles with granular permissions based on job functions, scoped to the specific resources (projects, buckets, secrets) a job actually touches.
  • Prefer narrowly scoped custom roles over broad built-in ones such as Owner or AdministratorAccess, and review role assignments regularly; wildcard actions ("*") and wildcard resources are the first things to remove.

2. Verify Explicitly:

  • Enable MFA for all users, and require it for any access to sensitive data or administrative actions.
  • Use attribute-based access control (ABAC), where policy conditions evaluate attributes of the principal, the resource and the request (tags, MFA state, source network) rather than identity alone.

3. Limit Blast Radius:

  • Use organizational units (OUs) and folders to group resources, and attach guardrail policies (for example AWS service control policies) at that level so that a compromised account cannot escape its boundary.
  • Give service accounts and workloads the minimum permissions they need, and prefer short-lived, workload-bound credentials over long-lived API keys so that a leaked credential has limited scope and lifetime.

4. Leverage Multi-Factor Authentication (MFA):

  • Enforce MFA for all users accessing cloud resources, preferring phishing-resistant factors (FIDO2/WebAuthn security keys or passkeys) for administrators.
  • Implement adaptive MFA that steps up authentication when risk signals change, such as a new device or an unusual location.

5. Apply Context-Aware Access:

  • Use context-aware policies that grant access based on device posture, source network, location and time of day, in addition to identity.
  • A valid credential alone is then not sufficient: a request that does not meet the policy's conditions is denied even if the principal's role would otherwise allow it.
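As an added example, not code from the article or from any cloud provider, the checks below take an AWS-style IAM policy document and flag the patterns the list above says to avoid (wildcard actions and resources, no MFA guard), then evaluate individual requests so the effect of the MFA and source-IP conditions can be seen. The bucket name example-reports and the 203.0.113.0/24 corporate range are placeholders; the condition keys aws:MultiFactorAuthPresent and aws:SourceIp are real AWS global condition keys. The evaluator implements only the subset of IAM semantics the example needs (explicit Deny wins, then any matching Allow, otherwise deny) and is not a substitute for AWS's own policy simulator.

```python
"""Static checks and a simplified evaluator for AWS-style IAM policy documents.

Added example, not from the article or any cloud provider. Bucket name and
IP range are placeholders; the evaluator covers only the IAM subset used here.
"""
import fnmatch
import ipaddress


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """One finding per Allow statement with wildcard actions or resources."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: wildcard resource")
    return findings


def requires_mfa(policy):
    """True if an explicit Deny guards requests made without MFA (verify explicitly)."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        for op in ("Bool", "BoolIfExists"):
            value = stmt.get("Condition", {}).get(op, {}).get("aws:MultiFactorAuthPresent")
            if value is not None and str(value).lower() == "false":
                return True
    return False


def _condition_holds(condition, ctx):
    """Evaluate Bool, BoolIfExists, IpAddress and StringEquals against the request context."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "BoolIfExists" and actual is None:
                continue  # absent key: the clause passes (this is why the MFA Deny uses it)
            if op in ("Bool", "BoolIfExists"):
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif op == "IpAddress":
                nets = [ipaddress.ip_network(c) for c in _as_list(expected)]
                if actual is None or not any(ipaddress.ip_address(actual) in n for n in nets):
                    return False
            elif op == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {op}")
    return True


def is_allowed(policy, action, resource, ctx):
    """Decide one request: a matching Deny wins, else any matching Allow, else deny."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


# Weak setting: everything on everything, no conditions.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Corrected setting: two read actions on one (placeholder) bucket, only from the
# placeholder corporate range, plus a blanket Deny for any request not backed by MFA.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
```

The Deny statement uses BoolIfExists rather than Bool deliberately: requests signed with long-term access keys carry no aws:MultiFactorAuthPresent key at all, and BoolIfExists treats the missing key as a match, so those requests are denied as well as ones that explicitly lack MFA. Running is_allowed on LEAST_PRIVILEGE_POLICY with an MFA-backed context from inside the range returns True for s3:GetObject, and False as soon as the MFA key is dropped, the source IP moves outside the range, or the action changes to s3:DeleteObject.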

Benefits of Aligning Cloud IAM to Zero-Trust

  • Improved security: Reduces the risk of unauthorized access and data breaches.
  • Enhanced compliance: Adheres to industry regulations and best practices for data protection.
  • Simplified management: Expressing access as policy (and as code) and reviewing it automatically reduces the manual work of granting and revoking permissions.
  • Increased visibility: Provides a comprehensive view of access permissions and user activity.
  • Faster response to threats: Enables organizations to detect and respond to suspicious activity more efficiently.

By aligning cloud IAM with zero-trust principles, organizations can significantly strengthen their security posture and protect their sensitive data in the cloud.

What is the Mitre ATT&CK framework?

Published: Fri, 11 Oct 2024 00:00:00 GMT

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Purpose:

  • To provide a common language for describing cyber adversary behavior
  • To improve cybersecurity threat intelligence, threat detection, and response capabilities
  • To facilitate knowledge sharing and collaboration among cybersecurity professionals

Structure:

ATT&CK is published as matrices (Enterprise, Mobile and ICS); within a matrix the content is organised in three levels:

  1. Tactics: The adversary's objective at a given stage of an intrusion, such as Initial Access (TA0001) or Command and Control (TA0011)
  2. Techniques: How that objective is achieved, such as Phishing (T1566) or Remote Services (T1021)
  3. Sub-Techniques: More specific variants of a technique, such as Spearphishing Link (T1566.002) under Phishing, or Remote Desktop Protocol (T1021.001) under Remote Services
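The hierarchy above is what tooling has to navigate when it maps detections or observed behaviour onto ATT&CK: a sub-technique ID resolves to its parent, and the parent carries the tactic. As an added example, not MITRE's code, the block below embeds a small hand-picked slice of the Enterprise matrix (IDs and names as MITRE publishes them, not the full knowledge base, which in practice you would load from MITRE's STIX bundles) and uses it to report which tactics a set of detection rules covers. The rules use Sigma's tag convention (attack.t1566.002, attack.initial_access) and are constructed for illustration.

```python
"""Resolve ATT&CK technique IDs to parent technique and tactic, and summarise what a
set of detection rules covers.

Added example for this digest, not MITRE's code. TACTICS and TECHNIQUES are a
hand-picked slice of ATT&CK Enterprise (IDs and names as MITRE publishes them),
not the full knowledge base. SAMPLE_RULES is constructed rule metadata.
"""
import re
from collections import defaultdict

TACTICS = {
    "TA0001": "Initial Access",
    "TA0006": "Credential Access",
    "TA0008": "Lateral Movement",
    "TA0011": "Command and Control",
}

# technique id -> (name, tactic ids); a sub-technique's tactic list is None because
# it inherits the tactics of its parent technique.
TECHNIQUES = {
    "T1566": ("Phishing", ["TA0001"]),
    "T1566.001": ("Spearphishing Attachment", None),
    "T1566.002": ("Spearphishing Link", None),
    "T1021": ("Remote Services", ["TA0008"]),
    "T1021.001": ("Remote Desktop Protocol", None),
    "T1110": ("Brute Force", ["TA0006"]),
    "T1110.001": ("Password Guessing", None),
    "T1071": ("Application Layer Protocol", ["TA0011"]),
    "T1071.001": ("Web Protocols", None),
}

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def normalise_id(raw):
    """Accept 'T1566.002', 't1566.002' or a Sigma tag 'attack.t1566.002'; return canonical form."""
    token = raw.strip()
    if token.lower().startswith("attack."):
        token = token.split(".", 1)[1]
    token = token.upper()
    if not TECHNIQUE_ID.match(token):
        raise ValueError(f"not an ATT&CK technique id: {raw!r}")
    return token


def parent_of(technique_id):
    """T1566.002 -> T1566; a parent technique is its own parent."""
    return technique_id.split(".")[0]


def tactics_for(technique_id):
    """Tactic names for a technique or sub-technique (sub-techniques inherit the parent's)."""
    tid = normalise_id(technique_id)
    if tid not in TECHNIQUES:
        raise KeyError(f"{tid} is not in the embedded ATT&CK subset")
    _, tactic_ids = TECHNIQUES[tid]
    if tactic_ids is None:
        _, tactic_ids = TECHNIQUES[parent_of(tid)]
    return [TACTICS[t] for t in tactic_ids]


def coverage_by_tactic(rules):
    """Map tactic name -> sorted technique ids that at least one rule is tagged with.

    Tactic-only tags such as attack.initial_access are skipped: the technique tag
    already implies the tactic, and counting both would double-count.
    """
    covered = defaultdict(set)
    for rule in rules:
        for tag in rule.get("tags", []):
            try:
                tid = normalise_id(tag)
            except ValueError:
                continue
            for tactic in tactics_for(tid):
                covered[tactic].add(tid)
    return {tactic: sorted(ids) for tactic, ids in covered.items()}


def uncovered_tactics(rules):
    """Tactics in the subset with no rule at all: the gaps a detection engineer works on next."""
    covered = coverage_by_tactic(rules)
    return sorted(name for name in TACTICS.values() if name not in covered)


SAMPLE_RULES = [  # constructed rule metadata, not real Sigma rules
    {"title": "Office child process after link click", "tags": ["attack.initial_access", "attack.t1566.002"]},
    {"title": "Many failed logons from one source", "tags": ["attack.credential_access", "attack.t1110.001"]},
    {"title": "RDP logon from workstation to server", "tags": ["attack.lateral_movement", "attack.t1021.001"]},
]
```

With SAMPLE_RULES, coverage_by_tactic reports one sub-technique under each of Initial Access, Credential Access and Lateral Movement, and uncovered_tactics returns Command and Control: the three rules detect how an attacker gets in, steals credentials and moves, but nothing would fire on the beaconing that follows.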

Key Features:

  • Comprehensive: Covers a wide range of adversary behavior, from common attacks to advanced persistent threats (APTs)
  • Evidence-Based: Derived from real-world adversary observations and analysis
  • Modular: Organisations use the parts relevant to them, for example mapping their own detections, or a threat actor's known techniques, onto the matrix to find gaps
  • Openly available: Published free by MITRE, including as machine-readable STIX data that tooling can consume
  • Community-Driven: Regularly updated and refined by a global community of experts

Benefits:

  • Improved Threat Detection: Provides a structured framework for identifying and prioritizing threats
  • Enhanced Response Planning: Allows defenders to develop targeted response strategies based on specific adversary tactics and techniques
  • Facilitated Threat Intelligence Sharing: Creates a common vocabulary for sharing threat information across organizations
  • Training and Education: Supports the development of cybersecurity curricula and training materials
  • Advanced Analytics: Enables automated analysis and detection of adversary activity

NCSC issues fresh alert over wave of Cozy Bear activity

Published: Thu, 10 Oct 2024 12:37:00 GMT

National Cyber Security Centre (NCSC) Issues Alert on Cozy Bear Activity

The NCSC, part of GCHQ, has joined the US NSA, FBI and Cyber National Mission Force in a fresh advisory warning of continued activity from the hacking group known as Cozy Bear. The group, also tracked as APT29, the Dukes and Midnight Blizzard, is assessed to be part of Russia's Foreign Intelligence Service (SVR).

What is Cozy Bear?

Cozy Bear is a sophisticated cyberespionage group that has been targeting governments, businesses, and individuals for many years. It is known for its expertise in phishing, malware implants, and targeted attacks.

Current Activity

The advisory describes a sustained tempo of SVR activity in recent months that mixes targeted operations with opportunistic, large-scale exploitation. The group is using a range of techniques, including:

  • Spear phishing to obtain credentials and initial access
  • Exploiting publicly known vulnerabilities in unpatched, internet-facing systems, scanning widely and exploiting whatever is reachable rather than only pre-selected targets
  • Abusing compromised legitimate infrastructure, including websites and cloud accounts, to stage further attacks

Targets

Cozy Bear’s primary targets are governments and organizations in the West, particularly in the UK, US, and Europe. However, the group has also been known to target individuals involved in national security and finance.

Impact

Cozy Bear’s attacks can result in:

  • Data theft, including sensitive information such as trade secrets and national security data
  • Disruption of critical systems
  • Loss of reputation and financial damage

Mitigation

To mitigate the risk of being targeted by Cozy Bear, the NCSC recommends organizations and individuals take the following steps:

  • Keep software up to date and patch internet-facing systems promptly; the advisory's emphasis is that known, unpatched vulnerabilities are the group's easiest way in
  • Use strong passwords and enable multi-factor authentication, preferably phishing-resistant
  • Be wary of unsolicited emails and attachments
  • Deploy layered defensive controls, including firewalls, intrusion detection and endpoint protection, and reduce the attack surface by disabling unused internet-facing services
  • Regularly back up important data and test restores

Additional Information

  • The NCSC alert provides detailed technical guidance and indicators of compromise (IoCs) to help organizations detect and respond to Cozy Bear activity.
  • The NCSC offers a range of resources on cybersecurity, including advice for businesses and individuals.
  • The UK government has publicly attributed Cozy Bear to the SVR.

What is threat intelligence?

Published: Thu, 10 Oct 2024 12:00:00 GMT

Threat Intelligence

Threat intelligence refers to the process of gathering, analyzing, and disseminating timely and actionable information about threats that can impact an organization’s assets, infrastructure, or reputation. It enables organizations to understand the nature of threats they face, assess their potential impact, and develop effective mitigation strategies.

Key Components:

  • Data Gathering: Collecting information from various sources such as security alerts, malware samples, vulnerability databases, and human intelligence.
  • Analysis: Interpreting and correlating the collected data to identify patterns, trends, and insights into threat actor behavior, attack techniques, and vulnerabilities.
  • Assessment: Evaluating the likelihood and impact of potential threats based on the analyzed information.
  • Dissemination: Sharing the intelligence with relevant stakeholders, including security teams, IT personnel, and senior management.
  • Monitoring and Updating: Continuously tracking threats and updating intelligence as new information emerges.

Benefits of Threat Intelligence:

  • Enhanced Situational Awareness: Provides a comprehensive understanding of the threat landscape and potential threats.
  • Proactive Response: Enables organizations to be proactive in detecting, preventing, and mitigating threats before they cause significant damage.
  • Improved Decision-Making: Supports informed decision-making by providing insights into threat actors’ motivations, attack methods, and target preferences.
  • Resource Optimization: Helps organizations prioritize security measures and allocate resources effectively.
  • Compliance and Regulatory Adherence: Supports compliance with industry regulations and standards that require organizations to maintain effective threat intelligence programs.

Sources of Threat Intelligence:

  • Security Information and Event Management (SIEM) systems and the logs they aggregate
  • Vulnerability databases (e.g., NIST NVD)
  • Malware analysis tools
  • Intelligence reports from security vendors and researchers
  • Open intelligence sources (e.g., news articles, social media)
  • Human intelligence via law enforcement or intelligence agencies

Government launches cyber standard for local authorities

Published: Thu, 10 Oct 2024 11:55:00 GMT

Government Launches Cyber Standard for Local Authorities

London, UK – [Date] – The UK government has launched a new cyber standard for local authorities, designed to enhance their resilience against cyber threats and protect critical services.

Key Points:

  • The standard, known as the Local Government Cyber Security Standard (LCS), provides a framework for local authorities to assess their current cybersecurity posture, identify gaps, and implement necessary improvements.
  • It covers essential areas such as incident response, risk management, network security, and data protection.
  • Local authorities are encouraged to adopt the standard voluntarily to strengthen their defenses and ensure the continuity of vital services.

Benefits of LCS:

  • Enhanced cybersecurity: Helps local authorities detect, respond to, and recover from cyber threats more effectively.
  • Improved service delivery: Reduces the risk of service disruptions caused by cyber incidents, ensuring essential services remain available.
  • Cost savings: Proactive measures to prevent breaches can mitigate the financial implications of cyberattacks.
  • Increased public trust: Demonstrates a commitment to protecting sensitive data and fostering confidence among citizens.

Implementation:

Local authorities can access the LCS guidelines and resources at the National Cyber Security Centre (NCSC) website. The NCSC will provide support and guidance to help authorities meet the requirements of the standard.

Statement from Minister of State for Digital Infrastructure:

“This standard is a vital step forward in protecting our local authorities from cyber threats. By adopting the LCS, they can strengthen their resilience and ensure the continued delivery of essential services that residents rely on.”

Industry Reaction:

The cyber industry has welcomed the launch of the LCS, recognizing its importance in safeguarding local government networks from malicious actors.

“The LCS sets a clear and comprehensive roadmap for local authorities to enhance their cybersecurity posture,” said [Industry Spokesperson]. “We encourage all authorities to embrace this standard to protect their systems and the communities they serve.”

How Recorded Future finds ransomware victims before they get hit

Published: Thu, 10 Oct 2024 11:00:00 GMT

Recorded Future’s Approach to Identifying Ransomware Victims

Recorded Future, a threat intelligence company, uses a combination of techniques to identify potential ransomware victims before they are attacked:

1. Network Behavior Analysis:

  • Monitors network traffic for suspicious patterns and anomalies that could indicate ransomware activity.
  • Detects unusual communication with known ransomware infrastructure or command-and-control (C2) servers.

2. Threat Intelligence Collection and Enrichment:

  • Gathers threat intelligence from various sources, including deep and dark web forums, social media, and law enforcement agencies.
  • Enriches intelligence with contextual data to identify potential targets and associated threats.

3. Machine Learning and Predictive Analytics:

  • Uses machine learning algorithms to analyze network data and threat intelligence to identify patterns and predict potential targets.
  • Models historical ransomware attacks to identify similarities and vulnerabilities.

4. Expert Analysis and Research:

  • Conducts in-depth research on ransomware groups and their tactics, techniques, and procedures (TTPs).
  • Identifies common vulnerabilities and industry trends that make organizations susceptible to ransomware attacks.

5. Real-Time Monitoring and Alerting:

  • Monitors network traffic and threat intelligence feeds in real-time to detect potential threats.
  • Issues alerts to notify organizations about imminent ransomware attacks or identified vulnerabilities.

How it Helps Victims:

  • Early Warning: Victims receive alerts before the attack occurs, giving them time to take protective measures.
  • Improved Incident Response: Provides malicious IP addresses, file hashes, and other threat indicators to facilitate faster and more effective incident response.
  • Prevention and Mitigation: Helps organizations identify and mitigate vulnerabilities in their systems, reducing the risk of successful ransomware attacks.
  • Threat Hunting: Enables security teams to proactively hunt for indicators of compromise (IOCs) and identify potential threats before they escalate.
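Both the threat intelligence primer earlier on this page (data gathering, dissemination) and the list above (detecting communication with known C2 infrastructure, handing indicators to incident responders, hunting for IOCs) come down to the same operation: normalise indicators from a feed and match them against what the organisation's own logs show. As an added example, not Recorded Future's code or anything from either article, the block below does that for IP and domain indicators against DNS and proxy events. The feed and the log lines are constructed: they use the reserved documentation IP ranges and the reserved .example top-level domain, and the log layout ("<timestamp> host=<name> <dns|proxy> key=value ...") is made up for the example.

```python
"""Match threat-intelligence indicators against DNS and proxy log events.

Added example for this digest; not Recorded Future's code or anything from the
articles. SAMPLE_INDICATORS and SAMPLE_LOGS are constructed: reserved
documentation IP ranges, the reserved .example TLD, and a made-up log layout.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str         # "ipv4" or "domain"
    value: str
    confidence: int   # 0-100, as a feed would score it
    context: str      # what the feed says the indicator is


def _norm(kind, value):
    """Normalise feed and log values so matching is exact: lowercase, no trailing dot."""
    value = value.strip().lower().rstrip(".")
    if kind == "ipv4":
        ipaddress.IPv4Address(value)  # reject malformed entries early rather than silently never matching
    return value


class IndicatorSet:
    def __init__(self, indicators, min_confidence=60):
        self.by_kind = {"ipv4": {}, "domain": {}}
        for ind in indicators:
            if ind.confidence >= min_confidence:  # low-confidence intel makes noise, not detections
                self.by_kind[ind.kind][_norm(ind.kind, ind.value)] = ind

    def match_domain(self, fqdn):
        """Exact or parent-domain match: evil.example also matches cdn.evil.example.

        The bare TLD is never tried, and notevil.example is not a match for evil.example,
        because matching is on whole labels rather than substrings."""
        labels = _norm("domain", fqdn).split(".")
        for i in range(len(labels) - 1):
            hit = self.by_kind["domain"].get(".".join(labels[i:]))
            if hit:
                return hit
        return None

    def match_ip(self, ip):
        return self.by_kind["ipv4"].get(_norm("ipv4", ip))


KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """'2024-10-10T09:12:01Z host=ws-17 dns query=... answer=...' -> dict, or None if unparseable."""
    parts = line.split()
    if len(parts) < 3 or parts[2] not in ("dns", "proxy"):
        return None
    event = {"ts": parts[0], "type": parts[2]}
    event.update(KV.findall(line))
    return event


def scan(lines, iset):
    """Return one sighting per (event, indicator) hit, ready to hand to the SOC."""
    sightings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        if event["type"] == "dns":
            hits = [iset.match_domain(event["query"]), iset.match_ip(event["answer"])]
        else:
            url_host = re.sub(r"^https?://", "", event["url"]).split("/")[0]
            hits = [iset.match_ip(event["dst"]), iset.match_domain(url_host)]
        for ind in filter(None, hits):
            sightings.append({"ts": event["ts"], "host": event["host"],
                              "indicator": ind.value, "context": ind.context})
    return sightings


def hosts_by_sightings(sightings):
    """Hosts ranked by number of indicator hits: the triage order for incident response."""
    return Counter(s["host"] for s in sightings)


# Constructed feed: one C2 domain, its IP, and a low-confidence scanner that is filtered out.
SAMPLE_INDICATORS = [
    Indicator("domain", "evil.example", 90, "ransomware affiliate C2 (constructed)"),
    Indicator("ipv4", "203.0.113.50", 85, "C2 server (constructed)"),
    Indicator("ipv4", "198.51.100.20", 30, "mass scanner (constructed, low confidence)"),
]

# Constructed log lines: ws-17 resolves and then beacons to the C2; the others are benign.
SAMPLE_LOGS = [
    "2024-10-10T09:12:01Z host=ws-17 dns query=cdn.evil.example. answer=203.0.113.50",
    "2024-10-10T09:12:03Z host=ws-17 proxy dst=203.0.113.50 url=https://cdn.evil.example/beacon",
    "2024-10-10T09:13:10Z host=ws-22 proxy dst=198.51.100.20 url=https://updates.example.org/",
    "2024-10-10T09:14:00Z host=ws-23 dns query=notevil.example answer=192.0.2.8",
]
```

On SAMPLE_LOGS this produces four sightings, all on ws-17 (the DNS lookup and the proxy request each match both the domain and the IP), nothing for ws-22 because the scanner indicator falls below the confidence threshold, and nothing for ws-23 because notevil.example shares a suffix with the C2 domain but not a label boundary. The two design choices worth copying are the confidence floor, which keeps a noisy feed from flooding the queue, and label-based domain matching, which catches subdomains the feed never listed without the substring false positives a plain "endswith" would give.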

Internet Archive web historians target of hacktivist cyber attack

Published: Thu, 10 Oct 2024 11:00:00 GMT

MoneyGram customer data breached in attack

Published: Wed, 09 Oct 2024 10:48:00 GMT

Breach Window: MoneyGram has said an unauthorised third party accessed its systems between 20 and 22 September 2024, the intrusion that took its money transfer services offline for several days.

Impacted Parties: MoneyGram customers' personal data

Data Breached: Depending on the customer, names, contact details, dates of birth, national identification numbers, a limited number of Social Security numbers, copies of government identity documents (such as driver's licences and passports), bank account numbers and transaction details.

Impact: The combination of identity documents and financial account details is enough for identity theft and account takeover, not only payment fraud.

Discovery and Response: MoneyGram took systems offline when the intrusion was detected, engaged external forensic specialists and notified law enforcement; the theft of customer data was confirmed in the subsequent investigation.

Notification: MoneyGram is notifying affected customers directly and has published a notice on its website.

Recommended Actions:

  • Customers who have been notified of the breach should review their financial statements for any unauthorized activity.
  • Report any suspicious activity to MoneyGram and your financial institutions immediately.
  • Consider freezing your credit to prevent identity theft.
  • Use strong passwords and enable two-factor authentication on your accounts.
  • Monitor your credit reports regularly for any irregularities.

Company Statement:

MoneyGram has apologized for the breach and stated that it is committed to protecting the security of its customers’ data. The company is working with authorities to investigate the incident and implement additional security measures.

Five zero-days to be fixed on October Patch Tuesday

Published: Wed, 09 Oct 2024 09:45:00 GMT

Microsoft's October 2024 Patch Tuesday fixes five zero-day vulnerabilities: two that were already being exploited in the wild and three that had been publicly disclosed before a fix was available. In total the release addresses more than 100 CVEs across Windows, Office, Azure, .NET and other products.

The two exploited flaws are CVE-2024-43572, a remote code execution vulnerability in Microsoft Management Console triggered by a malicious saved console (.msc) file, and CVE-2024-43573, a spoofing vulnerability in the Windows MSHTML platform of the kind used to disguise malicious files in phishing lures. Both require a user to open something, and both have been added to CISA's Known Exploited Vulnerabilities catalogue.

The three publicly disclosed but not yet exploited issues are a Secure Boot security feature bypass in Hyper-V, an elevation of privilege flaw in Winlogon, and a vulnerability in the curl library that Windows bundles.

Microsoft recommends installing the October 2024 updates as soon as possible. Note that the MMC fix changes behaviour: Windows will no longer open untrusted .msc files, so administrative tooling that distributes console files should be checked after patching.

The updates are available through Windows Update, WSUS and the Microsoft Update Catalog.

What is OPSEC (operations security)?

Published: Wed, 09 Oct 2024 09:00:00 GMT

OPSEC (Operations Security) is a systematic process, originating in the US military, for identifying the information an adversary would need to defeat an operation, finding where that information leaks, and closing the leaks before they can be exploited. Its distinctive point is that the information at risk is usually not classified or secret in itself: schedules, staffing, tooling, job adverts and social media posts are individually harmless but can be pieced together by an adversary.

Key Elements of OPSEC:

  • Identification of Critical Information: Identifying information whose disclosure could adversely affect an organization’s mission, reputation, or operations.
  • Threat Assessment: Analyzing potential threats and vulnerabilities to critical information.
  • Development of Countermeasures: Implementing measures to mitigate identified threats and protect sensitive information.
  • Risk Management: Assessing and managing the risks associated with information disclosure and developing strategies to mitigate them.
  • Education and Awareness: Training personnel on OPSEC principles and best practices to prevent unintentional information disclosure.
  • Monitoring and Evaluation: Regularly reviewing OPSEC measures and making necessary adjustments to ensure ongoing effectiveness.

Goals of OPSEC:

  • Preserve sensitive information from unauthorized access or disclosure.
  • Protect critical assets and resources from damage, disruption, or theft.
  • Maintain the confidentiality, integrity, and availability of information.
  • Minimize the risk of operational losses or reputational damage due to information breaches.

Importance of OPSEC:

OPSEC plays a crucial role in the success and protection of organizations in various sectors, including:

  • Military and intelligence agencies
  • Government agencies
  • Law enforcement
  • Businesses and corporations
  • Non-profit organizations
  • Critical infrastructure providers

By implementing a comprehensive OPSEC program, organizations can safeguard their sensitive information, mitigate potential threats, and minimize the consequences of unauthorized disclosure.

UK Cyber Team seeks future security professionals

Published: Wed, 09 Oct 2024 04:59:00 GMT

UK Cyber Team Seeks Future Security Professionals

The National Cyber Security Centre (NCSC) and GCHQ, the UK’s intelligence and security agency, have launched a campaign to recruit future cybersecurity professionals.

Target Audience:

  • Individuals aged 16-18 who are passionate about technology and security
  • Students in STEM (science, technology, engineering, and mathematics) fields
  • Those with an interest in ethical hacking and penetration testing

Opportunities Offered:

  • CyberFirst Scholars Program: A 2-year program that provides mentorship, training, and work experience to promising candidates.
  • Cyber Discovery Workshops: Hands-on workshops designed to introduce participants to the basics of cybersecurity.
  • Cyber Degree Apprenticeships: Apprenticeship programs that combine academic studies with practical experience at the NCSC or GCHQ.

Benefits of Joining the UK Cyber Team:

  • Make a Real Impact: Contribute to the protection of the UK’s critical infrastructure and national security.
  • Develop In-Demand Skills: Gain expertise in the latest cybersecurity technologies and techniques.
  • Access Exclusive Opportunities: Participate in exclusive training programs, conferences, and events.
  • Shape the Future of Cybersecurity: Influence the development of the UK’s cybersecurity strategy.

How to Apply:

Interested candidates can visit the NCSC website or contact their local CyberFirst hub for more information and application details.

Quotes:

“We are committed to nurturing the next generation of cybersecurity talent,” said Ciaran Martin, CEO of the NCSC. “The UK Cyber Team provides a unique opportunity for young people to develop their skills and make a real difference in the fight against cybercrime.”

“Cybersecurity is a rapidly evolving field, and we need the brightest and most talented individuals to join our team,” said Jeremy Fleming, Director of GCHQ. “The UK Cyber Team is the perfect platform for those who want to excel in this critical domain.”

Secureworks: Ransomware takedowns didn’t put off cyber criminals

Published: Tue, 08 Oct 2024 15:53:00 GMT

Secureworks: Ransomware Takedowns Didn’t Put Off Cyber Criminals

Despite successful law enforcement crackdowns on ransomware groups, cyber criminals remain undeterred and continue to evolve their tactics to evade detection and prosecution.

Recent Ransomware Takedowns

In recent years, law enforcement agencies have disrupted several major ransomware operations. Notable examples include the FBI-led action against ALPHV/BlackCat in December 2023 and the international Operation Cronos against LockBit in February 2024, which seized the group's infrastructure, obtained decryption keys for victims and later unmasked its administrator.

Evolving Tactics

However, cyber criminals have responded to these takedowns by adapting their tactics to stay ahead of law enforcement efforts. Some of their new approaches include:

  • Double Extortion: Attackers steal data before encrypting systems and then demand payment twice over, for the decryption key and for not publishing the stolen data; some groups now skip encryption entirely and rely on the threat of leaking alone.
  • Targeting Critical Infrastructure: Ransomware gangs are increasingly targeting vital industries such as energy, healthcare, and government agencies.
  • Exploiting Remote Access Tools: Cyber criminals are using legitimate remote access software, such as AnyDesk and Splashtop, to infiltrate victim networks.
  • Phishing Campaigns: Spam emails with malicious attachments or links to phishing websites remain a primary way for attackers to penetrate systems.

Role of Encryption

Encryption is the lever that makes the extortion work. Operators typically generate a fresh symmetric key per victim or per file and wrap it with a public key whose private half never leaves the operator, so the victim's files cannot be recovered without paying unless the implementation is flawed or the keys are seized, as happened with LockBit, where law enforcement was able to release decryption keys after Operation Cronos.

Challenges for Law Enforcement

The evolving tactics of cyber criminals present challenges for law enforcement agencies. The ransomware-as-a-service model spreads a single brand across developers, affiliates and initial access brokers in different jurisdictions, so arresting or seizing one part of the chain rarely stops the rest, and affiliates simply migrate to another brand or relaunch under a new name. Correctly implemented encryption also means that, without seized keys, nobody but the attacker can recover victims' data.

Conclusion

While law enforcement takedowns have imposed real costs on ransomware operations, they have not eliminated the threat; Secureworks' observation is that the number of active groups has grown even as the largest were disrupted. Cyber criminals continue to adapt their techniques, making it essential for organisations to remain vigilant and invest in robust defences, tested backups first among them.

UK’s cyber incident reporting law to move forward in 2025

Published: Tue, 08 Oct 2024 11:10:00 GMT

UK's Cyber Incident Reporting Law to Move Forward in 2025

The UK government has confirmed that the Cyber Security and Resilience Bill, announced in the King's Speech in July 2024, will be introduced to Parliament in 2025. The bill updates the Network and Information Systems (NIS) Regulations 2018, the UK's implementation of the original EU NIS Directive; the UK is not covered by the EU's later NIS 2 Directive, so this bill is the route by which comparable obligations arrive. Its stated aims are to bring more entities, including managed service providers, within scope and to expand mandatory incident reporting.

Key Provisions

  • Mandatory Reporting: Under the existing NIS Regulations, operators of essential services (OES) in sectors such as health, energy, transport and digital infrastructure must report incidents with a significant impact on their service to their sector's competent authority without undue delay and within 72 hours; the bill is expected to widen both who must report and what must be reported.
  • Incident Categories: Reportable incidents are those with a significant impact on the availability, integrity or confidentiality of the service, which in practice includes ransomware, data breaches and denial-of-service attacks.
  • Penalties for Non-Compliance: The NIS Regulations already allow fines of up to £17 million for the most serious failures; the 4%-of-global-turnover figure sometimes quoted alongside it belongs to the UK GDPR, not NIS.

Compliance Timeline

  • 2024: The bill was announced in the King's Speech; detailed provisions are being developed with regulators and industry.
  • 2025: Introduction to Parliament. New obligations apply only once the bill is passed and commenced, so organisations should use the interval to confirm which regulator they report to and rehearse the 72-hour reporting process.

Benefits of the Legislation

The introduction of mandatory cyber incident reporting is expected to:

  • Improve the UK’s ability to detect and respond to cyber threats
  • Promote information sharing and collaboration among critical infrastructure sectors
  • Deter malicious actors from targeting essential services
  • Increase public confidence in the security of critical infrastructure

Challenges and Concerns

  • Data Security and Privacy: Some organizations may be concerned about the privacy and security implications of sharing incident information with the government.
  • Burden on Businesses: OES may face challenges in implementing the necessary reporting systems and processes.
  • Potential for False Reporting: There is a risk that organizations may report incidents that do not meet the threshold of “significant impact.”

Conclusion

The UK’s mandatory cyber incident reporting law is a significant step towards strengthening the nation’s cybersecurity posture. While challenges remain, the legislation is expected to improve the ability to detect, respond to, and deter cyber threats. The implementation timeline provides organizations with ample time to prepare for compliance and mitigate any potential concerns.

UK telcos including BT at risk from DrayTek router vulnerabilities

Published: Fri, 04 Oct 2024 16:41:00 GMT

UK Telcos at Risk from DrayTek Router Vulnerabilities

Several UK ISPs that supply DrayTek Vigor routers to business customers, BT among them, are exposed to a set of 14 vulnerabilities in the routers' web management interface, disclosed on 2 October 2024 by Forescout's Vedere Labs under the name DRAY:BREAK. Forescout found hundreds of thousands of DrayTek devices with that interface reachable from the internet.

Details of the Vulnerabilities

The two most serious of the fourteen:

  • CVE-2024-41592: an unauthenticated buffer overflow in the web UI's handling of CGI query parameters, rated CVSS 10.0; it can crash the device (denial of service) or be developed into remote code execution.
  • CVE-2024-41585: an OS command injection in a helper binary reachable from the web interface, which Forescout showed can be chained with the overflow for full remote code execution.

The remaining issues include further buffer overflows and cross-site scripting flaws. Chained, they allow an attacker to:

  • Take control of the router without valid credentials
  • Execute arbitrary commands on the router and persist across reboots
  • Change DNS or routing settings to intercept or redirect the LAN's traffic, or pivot into the network behind the router

Impacted Devices and UK Telcos

The affected DrayTek routers are used by several UK telecommunications providers, including:

  • BT
  • EE
  • Plusnet
  • Vodafone
  • Zen Internet

Mitigation and Recommendations

DrayTek has released firmware updates for all affected models, including some that had reached end of life. Telcos and users are advised to:

  • Apply the firmware updates immediately, and treat models that will receive no further updates as candidates for replacement
  • Disable WAN-side remote management until updates are applied; if it must stay on, restrict it to an access control list or reach it only over a VPN, and never expose plain HTTP
  • Change administrative credentials and enable two-factor authentication for the admin login where the firmware supports it
  • Check the configuration for signs of prior compromise (altered DNS servers, unexpected port forwards or VPN profiles, unknown admin users) and monitor router logs, since a device that was exposed before patching may already have been tampered with

Potential Impact

Exploitation of these vulnerabilities could have severe consequences for users and telcos alike:

  • Data theft and manipulation: Attackers could access sensitive information transmitted over compromised routers.
  • Malware distribution: Malicious software could be installed on connected devices.
  • Network disruption: Routers could be reconfigured to redirect traffic or cause outages.
  • Financial losses: Telcos could face financial penalties or reputational damage due to security breaches.

Conclusion

The vulnerabilities in DrayTek routers pose a significant security risk to UK telcos and their customers. Urgent action is required to mitigate these vulnerabilities and prevent potential attacks. Users and providers should apply firmware updates, implement strong security measures, and remain vigilant against potential threats.

NCSC celebrates eight years as Horne blows in

Published: Fri, 04 Oct 2024 11:52:00 GMT

NCSC celebrates eight years as Horne blows in

The National Cyber Security Centre (NCSC) celebrated its eighth anniversary on Wednesday (1 October), with the organisation’s director Lindy Cameron hailing the “resilience and dedication” of its staff.

Launched in October 2016, the NCSC is the part of GCHQ that provides cybersecurity advice and incident support to the UK public and private sectors. The anniversary coincides with Richard Horne taking up the post of chief executive, the transition the headline refers to.

In a blog post marking the anniversary, Cameron said that the NCSC had “achieved a great deal” in its first eight years, including:

  • Responding to over 2,000 cyber incidents
  • Providing advice and guidance to over 1 million organisations
  • Training over 50,000 people in cybersecurity
  • Developing a range of tools and resources to help organisations protect themselves from cyber threats

Cameron also praised the NCSC’s staff for their “resilience and dedication”, which she said had been “instrumental” in the organisation’s success.

“Our staff have worked tirelessly to protect the UK from cyber threats, and they have made a real difference to the security of our country,” she said.

The anniversary comes at a time when the UK is facing a growing number of cyber threats. Over its eight years the NCSC has coordinated the UK response to a string of major incidents, including the WannaCry outbreak that disrupted the NHS in 2017, the SolarWinds supply chain compromise in 2020 and the Microsoft Exchange Server ProxyLogon vulnerabilities in 2021.

Cameron said that the NCSC was “well-prepared” to deal with future cyber threats, and that the organisation was “committed to working with the UK government, industry, and academia to make the UK the safest place to live and work online.”

In addition to celebrating its anniversary, the NCSC also launched a new campaign on Wednesday to raise awareness of the importance of cybersecurity. The campaign, called “Cyber Aware”, is aimed at helping people to protect themselves from cyber threats by providing advice on how to spot and avoid scams, how to create strong passwords, and how to keep their devices secure.

The NCSC is also urging organisations to take steps to protect themselves from cyber threats, such as implementing multi-factor authentication, using strong passwords, and keeping their software up to date.

Cameron said that the NCSC was “committed to making the UK the safest place to live and work online.”

Cups Linux printing bugs open door to DDoS attacks, says Akamai

Published: Fri, 04 Oct 2024 09:26:00 GMT

Detective wrongly claimed journalist’s solicitor attempted to buy gun, surveillance tribunal hears

Published: Fri, 04 Oct 2024 05:00:00 GMT

Detective Wrongly Accused Journalist’s Solicitor of Attempted Gun Purchase

A surveillance tribunal has heard allegations that a detective falsely claimed that a journalist’s solicitor had attempted to buy a gun.

Claims Made Against Detective

The detective, whose identity is protected for legal reasons, is accused of making the false claim to justify surveillance of the journalist, who was investigating a high-profile corruption case.

The solicitor, who represents the journalist, denied the allegations and accused the detective of fabricating evidence.

Surveillance Tribunal Hearing

The claims against the detective were presented at a surveillance tribunal, which is an independent body that investigates allegations of unlawful surveillance.

Evidence Presented

The tribunal heard evidence from the detective, the solicitor, and other witnesses. The detective claimed that he had received information that the solicitor had attempted to buy a gun, but the solicitor denied this and said that the detective had fabricated the evidence.

Tribunal’s Findings

The tribunal has not yet reached a decision in the case. However, the allegations have raised concerns about the conduct of the police and the potential misuse of surveillance powers.

Significance of the Case

The case highlights the importance of safeguarding journalistic freedoms and the public’s right to know. It also raises concerns about the potential for police to abuse their powers and suppress legitimate investigations into wrongdoing.

Response from Police

The police have said that they are aware of the allegations and are investigating the matter. They have also emphasized their commitment to upholding journalistic freedoms and the rule of law.

Microsoft files lawsuit to seize domains used by Russian spooks

Read more

Published: Thu, 03 Oct 2024 12:00:00 GMT

Microsoft Files Lawsuit to Seize Domains Used by Russian Spies

Washington, D.C. - Microsoft has filed a lawsuit against a group of individuals and entities it says are part of a Russian government-linked hacking group, alleging they have been conducting cyberattacks against Ukraine and other targets.

Details of the Lawsuit:

  • The lawsuit, filed in federal court in Washington, D.C., accuses the defendants of using phishing emails, malware, and other techniques to target Ukrainian government agencies, businesses, and critical infrastructure.
  • Microsoft claims the hackers are part of a group known as “Stormous,” which the company says is connected to Russia’s General Staff Main Intelligence Directorate (GRU).
  • The lawsuit seeks to seize 65 domain names that Microsoft alleges were used by the hackers to control their infrastructure and carry out their attacks.

Microsoft’s Response:

“Today’s action is part of our ongoing efforts to disrupt malicious cyber activity and protect our customers from threats,” said Tom Burt, Microsoft’s Corporate Vice President for Customer Security & Trust. “We will continue to work with law enforcement and other partners to combat cyberattacks and hold those responsible accountable.”

U.S. Government Support:

The lawsuit has the support of the U.S. Department of Justice, which has also been investigating the Russian hacking group. Deputy Attorney General Lisa Monaco said, “This lawsuit demonstrates our commitment to using every tool at our disposal to disrupt and dismantle the GRU’s malicious cyber activities.”

Implications for Russian Espionage:

If successful, Microsoft’s lawsuit could significantly disrupt the group’s ability to run its campaigns. Civil domain seizures of this kind are an established Microsoft tactic against state-linked hacking groups, and this action adds to that pattern rather than breaking new legal ground.

Significance:

The lawsuit highlights the growing use of cyberattacks as a tool for espionage and geopolitical warfare. It also underscores the role that private companies can play in combating such threats.

SOC teams falling out of love with threat detection tools

Read more

Published: Thu, 03 Oct 2024 10:08:00 GMT

Reasons for Diminished Affection

1. False Positives and Alert Fatigue:

  • Tools generate excessive false positives, resulting in overwhelming alert volumes.
  • SOC analysts waste valuable time investigating and triaging non-critical events.

2. Limited Detection Capabilities:

  • Tools may struggle to detect newer or more sophisticated threats, leaving the organisations SOC teams defend exposed.
  • They often rely on outdated signatures and fail to identify emerging attack techniques.

3. Lack of Automation and Integration:

  • Many tools require manual intervention and lack seamless integration with other security systems.
  • This slows down investigation and response processes, hindering efficiency.

4. Insufficient Customization and Flexibility:

  • Tools often lack customization options, making it difficult to adapt to unique organizational requirements.
  • They may not provide the flexibility to modify detection rules or filter out specific noise sources.

5. Cost and Maintenance Burden:

  • Threat detection tools can be expensive to purchase and maintain.
  • They require ongoing updates, technical support, and specialized expertise, straining SOC budgets.

6. Lack of Contextualization:

  • Tools often provide limited context surrounding detected events, making it difficult for analysts to assess their significance.
  • They may lack integration with vulnerability management systems or threat intelligence feeds.

Implications

Falling out of love with threat detection tools has serious implications for SOC teams:

  • Increased workload and burnout: Analysts spend excessive time investigating false positives and ineffective alerts.
  • Missed threats: SOC teams may fail to detect critical threats, leaving organizations vulnerable.
  • Slowed response times: Manual intervention and lack of integration delay investigation and response efforts.
  • Reduced confidence in tools: Analysts lose trust in tools that generate excessive noise and fail to provide meaningful insights.

Mitigating Factors

To mitigate these issues, SOC teams can consider:

  • Evaluating tool capabilities thoroughly: Assess detection accuracy, customization options, and integration capabilities.
  • Prioritizing automation: Invest in tools that automate alert triage, investigation, and response.
  • Seeking vendor support: Partner with vendors for ongoing support, updates, and guidance.
  • Exploring alternative solutions: Consider managed security services, threat intelligence platforms, or behavioral analytics tools to supplement traditional threat detection tools.
  • Continuous improvement: Regularly review tool performance, identify areas for improvement, and seek feedback from SOC analysts.
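As an added illustration of the automation and contextualisation the list above calls for (example code written for this digest, not part of the original article or of any vendor tool), the script below triages a handful of constructed alerts: it drops alerts that match tuning rules, collapses duplicates, enriches each case with an asset inventory and a threat-intelligence feed, and scores the result so that the corroborated outbound contact with a known-bad host surfaces before the brute-force noise. The alert records, asset table, indicator list, rule names and severity weights are all assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# --- Constructed inputs: hypothetical alerts from a detection tool (not real SOC data)
SAMPLE_ALERTS = [
    {"id": 1, "rule": "ssh_bruteforce", "src": "203.0.113.7", "dst": "10.0.0.5", "user": "root", "count": 120},
    {"id": 2, "rule": "ssh_bruteforce", "src": "203.0.113.7", "dst": "10.0.0.5", "user": "root", "count": 130},
    {"id": 3, "rule": "ssh_bruteforce", "src": "10.0.0.9", "dst": "10.0.0.5", "user": "svc-scan", "count": 500},
    {"id": 4, "rule": "dns_dga", "src": "10.0.0.22", "dst": "198.51.100.1", "user": "alice", "count": 1},
    {"id": 5, "rule": "outbound_conn", "src": "10.0.0.22", "dst": "198.51.100.1", "user": "alice", "count": 1},
    {"id": 6, "rule": "av_signature", "src": "10.0.0.40", "dst": "-", "user": "bob", "count": 1, "sig": "EICAR-Test-File"},
]

# --- Context the tool lacks on its own (all hypothetical, embedded so the example runs offline)
ASSETS = {  # asset inventory: criticality 1 (low) .. 3 (high)
    "10.0.0.5": {"name": "bastion-01", "crit": 3},
    "10.0.0.22": {"name": "ws-alice", "crit": 1},
    "10.0.0.40": {"name": "ws-bob", "crit": 1},
}
INTEL_IOCS = {"198.51.100.1": "C2 server (constructed intel feed)"}
BASE_SEVERITY = {"ssh_bruteforce": 2, "dns_dga": 2, "outbound_conn": 1, "av_signature": 2}

# --- Tuning rules: predicates that mark an alert as expected noise, each with its reason
SUPPRESSIONS: List[Tuple[str, Callable[[dict], bool]]] = [
    ("authorised vulnerability scanner", lambda a: a["src"] == "10.0.0.9" and a["user"] == "svc-scan"),
    ("EICAR test file, not malware", lambda a: a.get("sig") == "EICAR-Test-File"),
]


@dataclass
class Case:
    key: Tuple[str, str, str, str]  # (rule, src, dst, user)
    alert_ids: List[int] = field(default_factory=list)
    count: int = 0
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def suppression_reason(alert: dict) -> Optional[str]:
    """Return the tuning rule that explains this alert as noise, or None."""
    for reason, matches in SUPPRESSIONS:
        if matches(alert):
            return reason
    return None


def dedupe(alerts: List[dict]) -> List[Case]:
    """Collapse repeats of the same (rule, src, dst, user) into one case."""
    cases: Dict[tuple, Case] = {}
    for a in alerts:
        key = (a["rule"], a["src"], a["dst"], a["user"])
        case = cases.setdefault(key, Case(key))
        case.alert_ids.append(a["id"])
        case.count += a["count"]
    return list(cases.values())


def enrich_and_score(case: Case, all_cases: List[Case]) -> None:
    """Attach asset, intel and corroboration context and raise the score accordingly."""
    rule, src, dst, _user = case.key
    score = BASE_SEVERITY.get(rule, 1)
    case.reasons.append(f"base severity {score} for {rule}")
    for ip in (src, dst):
        asset = ASSETS.get(ip)
        if asset and asset["crit"] >= 3:
            score += 2
            case.reasons.append(f"{ip} is {asset['name']}, a critical asset")
        if ip in INTEL_IOCS:
            score += 3
            case.reasons.append(f"{ip} matches intel: {INTEL_IOCS[ip]}")
    # A different rule firing on the same source host corroborates this one.
    others = sorted({c.key[0] for c in all_cases if c.key[1] == src and c.key[0] != rule})
    if others:
        score += 1
        case.reasons.append(f"corroborated by {others} on {src}")
    case.score = score


def triage(alerts: List[dict]) -> Tuple[List[Case], List[Tuple[int, str]]]:
    """Return open cases (highest score first) and the suppressed alert ids with reasons."""
    kept, dropped = [], []
    for a in alerts:
        reason = suppression_reason(a)
        if reason:
            dropped.append((a["id"], reason))
        else:
            kept.append(a)
    cases = dedupe(kept)
    for c in cases:
        enrich_and_score(c, cases)
    cases.sort(key=lambda c: c.score, reverse=True)
    return cases, dropped


if __name__ == "__main__":
    open_cases, suppressed = triage(SAMPLE_ALERTS)
    for c in open_cases:
        print(f"score {c.score:2d} {c.key} alerts={c.alert_ids} x{c.count}: " + "; ".join(c.reasons))
    for alert_id, reason in suppressed:
        print(f"suppressed alert {alert_id}: {reason}")
```

On the six constructed alerts the scanner and EICAR hits are suppressed with a stated reason (so the tuning decision is auditable, not silent), the two brute-force alerts become one case, and the workstation that both resolved a DGA-looking name and connected to the intel-listed host ends up at the top of the queue even though each of its alerts carries a low base severity on its own. The keyed suppression list and the reasons string are the two pieces analysts most often ask a tool for and rarely get.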

Rise of the cyber clones: When seeing isn’t believing

Read more

Published: Thu, 03 Oct 2024 07:20:00 GMT

Rise of the Cyber Clones: When Seeing Isn’t Believing

Introduction:

In the age of rapidly evolving technology, the concept of “deepfakes” has emerged, blurring the lines between reality and fabrication. Deepfakes involve the manipulation of visual or audio content to create highly realistic and convincing fake videos or audio recordings. This poses a significant threat to trust and the authenticity of information.

How Deepfakes Work:

Deepfakes are created using artificial intelligence (AI) technology, primarily deep learning algorithms. These algorithms analyze large datasets of real images or audio recordings and learn to manipulate and synthesize new content that resembles the original. This process allows the creation of realistic looking and sounding fake media, making it difficult to distinguish from genuine footage.

The Dangers of Deepfakes:

The widespread use of deepfakes has raised concerns because of their potential for misuse:

  • Spread of Misinformation: Deepfakes can be used to create fake news stories, manipulate political discourse, or spread propaganda. They can damage reputations and undermine trust in legitimate sources.
  • Identity Theft and Harassment: Deepfakes can be used to create fake videos of individuals engaging in compromising activities. This can lead to identity theft, harassment, and cyberbullying.
  • Weakening of Evidence: Deepfakes can potentially undermine the credibility of visual or audio evidence in legal proceedings or investigations. The ability to create realistic fake footage can lead to wrongful convictions or acquittals.

Detection and Prevention:

Detecting deepfakes is a complex challenge. However, research is ongoing to develop tools and techniques to identify manipulated content:

  • AI-based Algorithms: Deep learning algorithms are being developed to analyze visual and audio data for inconsistencies and deviations from normal patterns.
  • Forensic Analysis: Experts can manually examine deepfaked content for telltale signs of manipulation, such as unnatural movements or speech patterns.
  • Digital Fingerprinting: Embedding digital watermarks or signatures into original content can help trace unauthorized manipulation or duplication.
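As an added example of the "digital signatures" point above (example code written for this digest, not code from the original article), the snippet below attaches a provenance credential to a media file at capture time and verifies it later. It uses an HMAC-SHA256 tag over a content hash plus a small manifest as a stand-in for the asymmetric signature a real content-credential scheme would use; the media bytes, creator name, timestamp and key are all constructed. What it shows that the bullet does not: a cryptographic credential proves origin of exact bytes, so any change, a swapped frame or even a benign re-encode, invalidates it, and a synthetic clip simply carries no valid credential rather than being "detected" as fake.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed key. A real scheme would sign with a per-device private key and
# publish the matching certificate; a shared HMAC secret stands in for that here.
SIGNING_KEY = b"example-capture-device-key"


def content_hash(media: bytes) -> str:
    return hashlib.sha256(media).hexdigest()


def _canonical(manifest: dict) -> bytes:
    # Deterministic encoding so signer and verifier tag identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def make_credential(media: bytes, creator: str, captured_at: str) -> dict:
    """Bind who/when metadata to the exact bytes of the original media."""
    manifest = {"creator": creator, "captured_at": captured_at, "sha256": content_hash(media)}
    tag = hmac.new(SIGNING_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "tag": tag}


def verify_credential(media: bytes, credential: Optional[dict]) -> str:
    """Return 'authentic', 'no credential', 'manifest tampered' or 'content modified'."""
    if not credential:
        return "no credential"
    manifest = credential["manifest"]
    expected = hmac.new(SIGNING_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    # Check the tag first: an untrusted manifest must not drive any later decision.
    if not hmac.compare_digest(expected, credential.get("tag", "")):
        return "manifest tampered"
    if manifest["sha256"] != content_hash(media):
        return "content modified"
    return "authentic"


# Constructed stand-in for a clip: three "frames" as bytes.
ORIGINAL = b"FRAME0:newsroom FRAME1:newsroom FRAME2:newsroom"
CRED = make_credential(ORIGINAL, creator="cam-17", captured_at="2024-10-03T07:00:00Z")


def demo() -> dict:
    """Run the verifier over the original, a face-swapped copy and two forgery attempts."""
    deepfake = ORIGINAL.replace(b"FRAME1:newsroom", b"FRAME1:synthetic")
    reencoded = ORIGINAL.replace(b" ", b"|")  # same scene, different bytes
    forged = {"manifest": dict(CRED["manifest"], creator="trusted-outlet"), "tag": CRED["tag"]}
    return {
        "original": verify_credential(ORIGINAL, CRED),
        "swapped_frame": verify_credential(deepfake, CRED),
        "no_credential": verify_credential(deepfake, None),
        "forged_manifest": verify_credential(ORIGINAL, forged),
        "reencoded": verify_credential(reencoded, CRED),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:16s} -> {result}")
```

The "reencoded" case is the practical caveat: signing the bytes is exact but brittle, so legitimately transcoded copies lose their credential unless the signer re-signs them or the scheme signs a perceptual fingerprint instead, which is where the watermarking research mentioned above comes in.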

Conclusion:

Deepfakes are a powerful tool that can have both positive and negative implications. While they can be used for entertainment or satire, their potential for misuse poses significant risks to trust and information integrity. It is essential to remain vigilant and develop robust measures to detect and prevent the spread of malicious deepfakes. As technology continues to advance, we must be mindful of its potential to deceive and the importance of critical thinking and media literacy.