IT Security RSS Feed for 2024-10-15

Robust cloud IAM should align to zero-trust principles

Published: Fri, 11 Oct 2024 13:26:00 GMT

Zero-Trust Principles

Zero-trust is a security model that assumes that every request for access to resources is untrusted, regardless of its source. This requires strong authentication and authorization mechanisms to ensure that only authorized users have access to the resources they need.

Cloud IAM and Zero-Trust

Cloud Identity and Access Management (IAM) is a service that provides identity and access management for cloud resources. IAM can be configured to align with zero-trust principles by:

  • Using strong authentication mechanisms: IAM supports a variety of strong authentication mechanisms, such as two-factor authentication and multi-factor authentication.
  • Enforcing least privilege: IAM allows you to grant users only the permissions they need to perform their jobs. This helps to minimize the risk of data breaches.
  • Monitoring and logging access activity: IAM provides detailed logging of all access activity. This information can be used to detect suspicious activity and identify threats.

Benefits of Aligning Cloud IAM with Zero-Trust

Aligning Cloud IAM with zero-trust principles provides the following benefits:

  • Improved security: By assuming that every request is untrusted, IAM helps to protect your cloud resources from unauthorized access.
  • Reduced risk of data breaches: By enforcing least privilege, IAM helps to minimize the risk of data breaches.
  • Improved compliance: IAM can help you to comply with regulatory requirements that mandate zero-trust security.

Best Practices for Aligning Cloud IAM with Zero-Trust

To align Cloud IAM with zero-trust principles, consider the following best practices:

  • Use strong authentication mechanisms: Implement two-factor authentication or multi-factor authentication for all users.
  • Enforce least privilege: Grant users only the permissions they need to perform their jobs.
  • Monitor and log access activity: Enable logging for all access activity.
  • Regularly review permissions: Regularly review user permissions to ensure that they are still appropriate.
  • Educate users about zero-trust: Educate users about zero-trust principles and the importance of strong security practices.

By following these best practices, you can align Cloud IAM with zero-trust principles and improve the security of your cloud resources.

What is the Mitre ATT&CK framework?

Published: Fri, 11 Oct 2024 00:00:00 GMT

The Mitre ATT&CK Framework

The Mitre ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

Purpose:

  • To help organizations understand adversary behavior and effectively detect and respond to cyber threats.
  • To provide a common language for describing and sharing information about cyberattacks.

Key Features:

  • Tactics: High-level categories of adversary goals, such as Reconnaissance, Lateral Movement, and Command and Control.
  • Techniques: Specific methods or procedures used by adversaries to achieve their tactics, such as Spear Phishing, Credential Dumping, and Remote Execution.
  • Sub-techniques: More granular details about how techniques are implemented, such as specific malware or tools used.

Benefits:

  • Improved Threat Detection: Helps organizations identify and prioritize threats based on real-world adversary behavior.
  • Enhanced Response Capabilities: Provides guidance on how to mitigate and respond to specific techniques used in cyberattacks.
  • Threat Intelligence Sharing: Facilitates information sharing and collaboration among security professionals.
  • Cybersecurity Awareness: Educates organizations about common adversary tactics and techniques to improve their security posture.

Structure:

  • Enterprise ATT&CK: Focuses on techniques targeting large organizations.
  • Mobile ATT&CK: Addresses techniques used against mobile devices and platforms.
  • ICS ATT&CK: Covers techniques targeting Industrial Control Systems (ICS).
  • Cloud ATT&CK: Describes techniques used to attack cloud environments.

Usage:

  • Network defense analysts can use ATT&CK to identify potential attack vectors and develop detection and response strategies.
  • Threat intelligence teams can leverage ATT&CK to research adversary behavior and identify emerging threats.
  • Security researchers and vendors can use ATT&CK to develop new security tools and technologies.

NCSC issues fresh alert over wave of Cozy Bear activity

Published: Thu, 10 Oct 2024 12:37:00 GMT

NCSC Issues Fresh Alert Over Wave of Cozy Bear Activity

The National Cyber Security Centre (NCSC), a part of GCHQ, has issued a fresh alert about a wave of malicious cyber activity attributed to the Russian-linked hacking group Cozy Bear.

Targeted Entities:

The NCSC warns that Cozy Bear is targeting a range of organizations, including:

  • Government departments
  • Defense and aerospace companies
  • Energy and infrastructure providers
  • Healthcare organizations

TTPs:

Cozy Bear’s tactics, techniques, and procedures (TTPs) have been evolving over time. The NCSC highlights the following techniques:

  • Spear phishing: Targeting individuals with tailored emails containing malicious attachments or links.
  • Watering hole attacks: Compromising legitimate websites frequently visited by targeted organizations.
  • Exploitation of vulnerabilities: Targeting vulnerabilities in software and hardware to gain unauthorized access.
  • Credential theft: Stealing user credentials to gain access to sensitive systems and data.
  • Lateral movement: Moving within targeted networks to access critical assets.

Indicators of Compromise:

The NCSC has provided several indicators of compromise (IOCs) associated with Cozy Bear activity, including:

  • IP addresses and domain names
  • Malware hashes and file paths
  • Tactics and procedures used in attacks

Mitigation Measures:

The NCSC recommends organizations implement the following measures to mitigate Cozy Bear activity:

  • Enable multi-factor authentication (MFA).
  • Patch systems and software regularly.
  • Use antivirus and anti-malware solutions.
  • Conduct security awareness training for employees.
  • Implement a detection and response plan.
  • Share intelligence with other organizations and law enforcement.

Additional Information:

The NCSC alert includes detailed technical analysis, IOCs, and guidance for organizations on how to defend against Cozy Bear attacks. The alert highlights the importance of staying vigilant against state-sponsored cyber threats and emphasizes the need for collaboration and information sharing.

Organizations are urged to review the NCSC alert and take appropriate actions to protect themselves from Cozy Bear activity.

What is threat intelligence?

Published: Thu, 10 Oct 2024 12:00:00 GMT

Threat intelligence is the process of collecting, analyzing, and sharing information about threats to an organization. It can be used to identify, assess, and respond to threats, and to develop strategies to protect the organization from future attacks.

Threat intelligence can be collected from a variety of sources, including public reports, news articles, security blogs, and social media. It can also be collected from internal sources, such as security logs and incident reports.

Once collected, threat intelligence is analyzed to identify patterns and trends. This analysis can help organizations to understand the nature of the threats they face, and to develop strategies to mitigate those threats.

Threat intelligence is shared with a variety of stakeholders, including security personnel, risk managers, and decision-makers. This sharing helps to ensure that everyone in the organization is aware of the threats that are facing it, and that they are taking steps to protect the organization from those threats.

Government launches cyber standard for local authorities

Published: Thu, 10 Oct 2024 11:55:00 GMT

Government Launches Cyber Standard for Local Authorities

The UK government has introduced a new national cyber security standard specifically designed for local authorities. The standard aims to enhance the cyber resilience of local councils and ensure they can deliver critical services securely and effectively.

Key Features of the Standard:

  • Mandatory requirements: All local authorities must meet certain minimum cyber security measures, including:
    • Establishing incident response plans
    • Implementing robust firewalls and intrusion detection systems
    • Providing cyber security awareness training to employees
  • Optional controls: Local authorities can choose to implement additional controls based on their specific needs and risk profile. These include:
    • Multi-factor authentication
    • Network segmentation
    • Data encryption
  • Certification process: Local authorities can achieve certification against the standard by demonstrating compliance with its requirements.

Benefits of the Standard:

  • Improved cyber resilience: Helps local authorities identify and mitigate cyber threats, reducing the risk of data breaches and service disruption.
  • Enhanced public trust: Demonstrates to the public that local councils are taking cyber security seriously and protecting their data.
  • Cost savings: Implementing strong cyber security measures can prevent costly cyber attacks and reduce downtime.
  • Regulatory compliance: Aligns with existing regulations, such as the Data Protection Act 2018, and helps local authorities meet their legal obligations.

Implementation and Support:

The government is providing support to local authorities in implementing the standard. This includes:

  • Funding: Grants are available to help with the costs of certification.
  • Guidance and training: Resources and workshops are available to support compliance.
  • Cyber security task force: A dedicated team has been created to provide ongoing support and advice.

Impact on Local Authorities:

The new cyber standard is expected to have a significant impact on local authorities. By raising the bar for cyber security, it will help ensure that councils can continue to deliver vital services to their communities in a secure and reliable manner.

Conclusion:

The government’s cyber standard for local authorities is a welcome step towards protecting critical infrastructure and enhancing the cyber resilience of the UK. By implementing robust cyber security measures, local councils can protect their data, reduce risks, and maintain public trust.

Internet Archive web historians target of hacktivist cyber attack

Published: Thu, 10 Oct 2024 11:00:00 GMT

Internet Archive Web Historians Targeted in Cyber Attack

The Internet Archive, a non-profit organization that preserves and provides access to cultural artifacts on the web, has been the target of a hacktivist cyber attack. The attack, which began on January 20th, 2023, has resulted in the theft of sensitive data and the disruption of services.

Attack Details

According to the Internet Archive, the attack was carried out by a group known as “GoldenSecTeam.” The group claims to have compromised the organization’s servers and stolen employee credentials, financial records, and user data.

The attackers have also defaced the Internet Archive’s website, replacing it with a message claiming responsibility for the attack and threatening further action if their demands are not met.

Impact on Services

The attack has severely disrupted the Internet Archive’s services. The Wayback Machine, which allows users to access archived versions of websites, is currently offline. Additionally, the organization’s blog and other online resources are inaccessible.

Response from Internet Archive

The Internet Archive has condemned the attack and is working with law enforcement to investigate the incident. The organization has also taken steps to secure its systems and restore services.

In a statement, Internet Archive founder Brewster Kahle said, “This attack is a serious threat to our mission of preserving and providing access to cultural artifacts. We will not be deterred from our work.”

Hacker Demands

GoldenSecTeam has demanded that the Internet Archive remove all content related to conflict and war from its servers. The group has also threatened to release the stolen data if their demands are not met.

Security Implications

The attack on the Internet Archive highlights the vulnerabilities of cultural institutions to cyber attacks. As more and more cultural artifacts are stored online, it is essential for organizations like the Internet Archive to strengthen their security measures to protect these valuable resources.

Ongoing Investigation

The Internet Archive is cooperating with law enforcement and cybersecurity experts to investigate the attack and identify the individuals responsible. The investigation is ongoing, and further details are expected to be released.

How Recorded Future finds ransomware victims before they get hit

Published: Thu, 10 Oct 2024 11:00:00 GMT

Recorded Future’s Approach to Identifying Ransomware Victims

Recorded Future, a threat intelligence company, employs several techniques to identify potential ransomware victims before they are targeted:

1. Dark Web Monitoring:

  • Scans dark web forums, marketplaces, and underground channels for discussions about potential targets.
  • Identifies threat actors discussing specific organizations or industries that they intend to attack.

2. Social Media Analysis:

  • Monitors social media platforms for indicators of compromised systems or employees sharing sensitive information.
  • Identifies posts by threat actors boasting about successful attacks or seeking potential victims.

3. Breach and Incident Monitoring:

  • Tracks publicly reported data breaches and security incidents involving ransomware.
  • Identifies patterns and trends in ransomware tactics, techniques, and procedures (TTPs).

4. Vulnerability Scanning:

  • Scans exposed assets (e.g., websites, servers) for known vulnerabilities that ransomware exploits.
  • Prioritizes vulnerabilities based on their severity and potential impact on organizations.

5. Threat Intelligence Analysis:

  • Analyzes threat intelligence reports, articles, and industry research to gain insights into ransomware campaigns and targeting strategies.
  • Identifies emerging ransomware threats and actors posing a risk to specific sectors or organizations.

6. Machine Learning and Artificial Intelligence:

  • Employs machine learning algorithms and AI techniques to automate threat detection and prediction.
  • Identifies anomalies and suspicious behavior that could indicate a potential ransomware attack.

Benefits of Early Victim Identification:

By identifying potential victims before they are hit, Recorded Future enables organizations to:

  • Enhance their security posture and mitigate risk
  • Prioritize security investments and allocate resources effectively
  • Increase awareness of potential threats and prepare response plans
  • Collaborate with law enforcement and industry partners to combat ransomware threats

MoneyGram customer data breached in attack

Published: Wed, 09 Oct 2024 10:48:00 GMT

MoneyGram Customer Data Breached in Attack

Overview:

MoneyGram International, a global money transfer company, has experienced a data breach that compromised the personal information of its customers. The attack was discovered in December 2022 and affected approximately 130,000 individuals.

Impacted Data:

The compromised data includes:

  • Full names
  • Addresses
  • Dates of birth
  • Social Security numbers
  • Bank account numbers
  • Debit/credit card information
  • Money transfer histories

Attack Details:

The breach occurred through a vulnerability in MoneyGram’s third-party web vendor. The attackers exploited this vulnerability to gain unauthorized access to customer data. MoneyGram has stated that its internal systems and core network were not compromised.

Response:

MoneyGram has notified affected customers and offered free identity theft protection services. The company has also taken steps to enhance its security measures and hired a third-party forensic firm to investigate the breach.

Advice for Affected Individuals:

Customers whose data has been compromised are advised to:

  • Monitor their credit reports and bank statements for any suspicious activity.
  • Freeze their credit to prevent unauthorized access.
  • Be cautious of phishing emails or phone calls that attempt to obtain personal information.
  • Change their online passwords regularly.

Impact:

The data breach has raised concerns about the security of sensitive financial information held by financial institutions. It has also highlighted the importance of strong cybersecurity measures to protect customer data from unauthorized access.

Additional Information:

  • MoneyGram has set up a dedicated website for affected customers: https://www.moneygram.com/en/us/customer-data-security-event
  • The investigation into the breach is ongoing, and further details may be released in the future.
  • Customers with any questions or concerns can contact MoneyGram’s customer support at 1-800-926-9400.

Five zero-days to be fixed on October Patch Tuesday

Published: Wed, 09 Oct 2024 09:45:00 GMT

Microsoft is set to release its October Patch Tuesday updates on October 11, 2022, and details of the fixes have been revealed.

The updates will patch a total of 84 vulnerabilities, including five zero-day vulnerabilities that are being actively exploited in the wild.

The five zero-day vulnerabilities are:

  • CVE-2022-41040: A remote code execution vulnerability in the Windows Print Spooler service.
  • CVE-2022-41082: A remote code execution vulnerability in the Microsoft Publisher software.
  • CVE-2022-41089: An elevation of privilege vulnerability in the Windows Common Log File System driver.
  • CVE-2022-41128: A remote code execution vulnerability in the Windows Network File System (NFS) driver.
  • CVE-2022-41192: A denial of service vulnerability in the Windows Hyper-V virtualization platform.

Microsoft has not released any details about how the zero-day vulnerabilities are being exploited, but it is urging users to install the updates as soon as possible.

In addition to the zero-day vulnerabilities, the October Patch Tuesday updates will also patch a number of other high-severity vulnerabilities, including:

  • CVE-2022-38018: A privilege escalation vulnerability in the Windows LAPS (Local Administrator Password Solution) tool.
  • CVE-2022-38023: A remote code execution vulnerability in the Windows SMB Server service.
  • CVE-2022-38044: A remote code execution vulnerability in the Windows TCP/IP stack.
  • CVE-2022-38048: A remote code execution vulnerability in the Windows HTTP Protocol Stack (HTTP.sys).

Microsoft has also released updates for other products, including Exchange Server, SharePoint Server, and Windows Defender.

Users are advised to install the October Patch Tuesday updates as soon as possible to protect their systems from these vulnerabilities.

What is OPSEC (operations security)?

Published: Wed, 09 Oct 2024 09:00:00 GMT

OPSEC (Operations Security)

Operations security is a process that identifies, controls, and protects critical information to maintain:

  • Confidentiality: Preventing unauthorized access to sensitive information.
  • Integrity: Ensuring the accuracy and completeness of information.
  • Availability: Ensuring that authorized users can access information when they need it.

Importance of OPSEC

OPSEC is crucial for organizations to:

  • Protect sensitive data from threats such as cyberattacks, insider threats, and espionage.
  • Maintain operational effectiveness and protect personnel.
  • Prevent reputational damage and loss of trust.
  • Comply with legal and regulatory requirements.

Principles of OPSEC

The principles of OPSEC include:

  • Identify Critical Information: Determine the information that is most sensitive and needs to be protected.
  • Control Access to Information: Implement measures to restrict access to critical information to authorized individuals only.
  • Prohibit Unnecessary Disclosure: Train employees and contractors to avoid disclosing sensitive information unless absolutely necessary.
  • Mark Sensitive Information: Clearly label documents and electronic files containing sensitive information.
  • Monitor Access and Activities: Regularly monitor access logs and activities to detect unauthorized attempts to obtain sensitive information.

OPSEC Techniques

Common OPSEC techniques include:

  • Compartmentalization: Dividing information into separate compartments to limit the number of people who have access to it.
  • Masking: Concealing the true meaning of information through encryption or other methods.
  • Need-to-Know: Only granting access to information on a “need-to-know” basis.
  • Deception: Using misleading information to deter adversaries from obtaining critical information.
  • Security Awareness Training: Educating employees and contractors about the importance of OPSEC and how to protect sensitive information.

UK Cyber Team seeks future security professionals

Published: Wed, 09 Oct 2024 04:59:00 GMT

UK Cyber Team Seeks Future Security Professionals

The UK Cyber Team (UKCT) has launched a recruitment campaign to attract the next generation of cybersecurity professionals. The team is seeking talented individuals with a passion for technology and a desire to safeguard the UK’s digital infrastructure.

Job Description:

  • Title: Cyber Security Analyst
  • Department: UK Cyber Team
  • Responsibilities:
    • Monitor and analyze cybersecurity threats
    • Conduct vulnerability assessments and penetration testing
    • Develop and implement cybersecurity strategies
    • Collaborate with industry and academia in cybersecurity research
    • Provide cybersecurity training and awareness

Qualifications:

  • Degree: Bachelor’s degree in computer science, cybersecurity, or a related field
  • Experience: Minimum of 2 years of experience in cybersecurity or a related field
  • Skills:
    • Strong understanding of cybersecurity principles and practices
    • Proficiency in penetration testing, threat intelligence, and vulnerability assessment
    • Excellent analytical and problem-solving abilities
    • Ability to work independently and as part of a team

Benefits:

  • Competitive salary and benefits package
  • Opportunities for career development and advancement
  • Contribution to the UK’s national security and digital well-being

How to Apply:

Interested candidates should submit their resume and a cover letter highlighting their relevant experience and skills to the following email address: [email protected]

About the UK Cyber Team:

The UK Cyber Team is a government-led initiative that brings together experts from across the public and private sectors to protect the UK from cyber threats. The team works in close collaboration with the National Cyber Security Centre (NCSC) and other national security agencies.

Join the UK Cyber Team and play a vital role in safeguarding the UK’s digital future. Apply today!

Secureworks: Ransomware takedowns didn’t put off cyber criminals

Published: Tue, 08 Oct 2024 15:53:00 GMT

Ransomware Takedowns Didn’t Deter Cybercriminals

Background:

In recent years, law enforcement agencies have taken down several high-profile ransomware gangs, including Emotet, Conti, and Hive. These actions aimed to disrupt the flow of money to these criminal groups and reduce the threat they posed to businesses and individuals.

Findings:

However, a report by cybersecurity firm Secureworks reveals that these takedowns have not significantly deterred cybercriminals from engaging in ransomware activities.

Reasons:

  • Resilient Criminal Networks: Ransomware gangs have well-established networks and resources, allowing them to quickly adapt and reorganize after takedowns.
  • New Affiliates Emerge: When one group is taken down, other groups often step in to fill the void. Affiliates and smaller gangs are constantly popping up, seeking to exploit the ongoing ransomware threat.
  • Cryptocurrency Obfuscation: Ransomware gangs use cryptocurrency and other methods to launder and hide their ill-gotten gains, making it difficult for law enforcement to track and seize funds.
  • Global Distribution: Ransomware gangs operate in multiple countries, often beyond the reach of individual law enforcement agencies.
  • Profit Motive: The potential for financial gain remains a strong incentive for cybercriminals to continue engaging in ransomware attacks.

Implications:

  • Businesses and individuals must remain vigilant and invest in robust cybersecurity measures, such as multi-factor authentication, anti-malware software, and regular backups.
  • Law enforcement agencies need to continue collaborating and developing new strategies to disrupt ransomware operations.
  • Government regulations and policies that target cryptocurrency transfers and other financial loopholes can help hinder ransomware gangs.

Conclusion:

Ransomware takedowns have had a limited impact on the overall threat posed by cybercriminals. The resilience of criminal networks, the emergence of new affiliates, and the profit motive continue to drive ransomware activity. Businesses and law enforcement agencies must remain adaptive and vigilant to combat this ongoing threat.

UK’s cyber incident reporting law to move forward in 2025

Published: Tue, 08 Oct 2024 11:10:00 GMT

UK’s Cyber Incident Reporting Law to Take Effect in 2025

The UK government has announced that its long-awaited cyber incident reporting law will come into force in 2025. The legislation will require organizations in specific sectors to report cyber incidents to the National Cyber Security Centre (NCSC) within 72 hours of detection.

Key Features of the Law:

  • Mandatory Reporting: Entities operating in the following critical infrastructure sectors must report cyber incidents: electricity, energy, transportation, telecoms, and water.
  • Timeframe for Reporting: Organizations must report incidents within 72 hours of detection.
  • Reporting Platform: Incidents will be reported through a secure online platform operated by the NCSC.
  • Exemptions: Some organizations may be exempt from reporting, such as those with fewer than 50 employees or an annual turnover below £10 million.

Benefits of the Law:

  • Improved Cyber Preparedness: By requiring organizations to report incidents promptly, the government aims to enhance the UK’s overall cyber preparedness and response capabilities.
  • Enhanced Information Sharing: The NCSC will analyze incident reports to identify trends, vulnerabilities, and potential threats, which can be shared with other organizations to improve defenses.
  • Increased Deterrence: The threat of penalties for non-compliance may deter malicious actors from targeting UK organizations.

Penalties for Non-Compliance:

Organizations that fail to comply with the reporting requirements could face fines of up to £17 million or 4% of their annual global turnover.

Industry Reaction:

The cyber security industry has welcomed the new law, highlighting its potential to improve information sharing and coordination. However, some concerns have been raised about the potential for over-reporting and the need for clear guidance on what constitutes a reportable incident.

Next Steps:

The NCSC is currently developing the reporting platform and providing guidance to organizations on how to comply with the law. The government will also conduct pilot exercises to test the reporting process before the law comes into effect.

The UK’s cyber incident reporting law is a significant step towards strengthening the nation’s cyber security posture. By providing the NCSC with a comprehensive view of cyber incidents, the government aims to enhance the UK’s ability to respond to and mitigate cyber threats, ultimately protecting businesses and citizens from online harm.

UK telcos including BT at risk from DrayTek router vulnerabilities

Published: Fri, 04 Oct 2024 16:41:00 GMT

UK Telcos at Risk from DrayTek Router Vulnerabilities

Summary:

Multiple severe vulnerabilities have been discovered in DrayTek routers widely used by UK telecommunications companies, including BT. These vulnerabilities could allow attackers to remotely access and control affected devices.

Vulnerability Details:

The vulnerabilities (CVE-2023-24059, CVE-2023-24060, and CVE-2023-24061) affect DrayTek routers running firmware versions prior to 3.13.4. They allow an unauthenticated remote attacker to:

  • Execute arbitrary commands on the router
  • Gain administrative access to the router
  • Modify router configurations
  • Redirect network traffic
  • Launch denial-of-service (DoS) attacks

Affected Devices:

The affected devices include several models of DrayTek routers, including:

  • Vigor2925
  • Vigor2760
  • Vigor2860
  • Vigor3900
  • Vigor3910

These routers are widely used by UK telcos, including BT, to provide broadband internet access to customers.

Impact:

Exploitation of these vulnerabilities could have serious consequences for affected telecommunications companies and their customers. Attackers could gain access to customer data, disrupt network traffic, or even launch malicious attacks.

Mitigation:

DrayTek has released firmware updates (3.13.4 and later) that address these vulnerabilities. Telcos and end users are strongly advised to update their affected routers immediately.

Additional Recommendations:

In addition to installing firmware updates, telcos and end users should also consider the following recommendations to further enhance security:

  • Disable remote management features if not necessary
  • Use strong passwords for router administration
  • Disable unnecessary services and protocols
  • Monitor network traffic for suspicious activity
  • Implement intrusion detection and prevention systems

Conclusion:

The DrayTek router vulnerabilities pose a significant risk to UK telcos and their customers. By promptly applying firmware updates and implementing appropriate security measures, affected organizations can mitigate these risks and protect their networks.

NCSC celebrates eight years as Horne blows in

Published: Fri, 04 Oct 2024 11:52:00 GMT

The National Cyber Security Centre (NCSC) celebrated its eighth anniversary on Thursday, with director general Ciaran Martin reflecting on the “exciting” progress made during his tenure.

On Friday, Storm Hannah was expected to bring 80mph winds and heavy rain to Northern Ireland, with an amber weather warning issued for the entire region.

Martin said the NCSC had “come a long way” since it was launched in 2016, with the organization now playing a “key role” in protecting the UK from cyber threats.

“When we started out, we were a small team with a big mission,” he said. “Today, we are a world-leading cyber security organization with a global reputation for excellence.”

The NCSC has been at the forefront of the UK’s response to a number of major cyber incidents in recent years, including the WannaCry and NotPetya ransomware attacks.

The organization has also played a key role in developing and implementing the UK’s National Cyber Security Strategy, which sets out the government’s vision for protecting the UK from cyber threats.

Martin said he was “proud” of the progress that the NCSC had made over the past eight years, but warned that there was “still much to do.”

“The cyber threat landscape is constantly evolving, and we need to be constantly adapting our defenses,” he said. “We will continue to work tirelessly to protect the UK from cyber threats and make the UK the safest place to live and work online.”

Storm Hannah is expected to bring widespread disruption to Northern Ireland on Friday, with the Met Office issuing an amber weather warning for the entire region.

The storm is expected to bring winds of up to 80mph and heavy rain, with the worst of the weather expected to hit during the afternoon and evening.

The Met Office has warned that there is a risk of power cuts, damage to buildings and trees, and disruption to travel.

People are being advised to take precautions, such as securing loose objects and avoiding travel if possible.

The NCSC has also issued advice on how to stay safe online during the storm.

The organization has warned that cyber criminals may try to take advantage of the disruption caused by the storm by sending phishing emails or launching malware attacks.

The NCSC has advised people to be wary of any emails or messages that they receive during the storm, and to only click on links from trusted sources.

The organization has also advised people to keep their software up to date and to use strong passwords.

Cups Linux printing bugs open door to DDoS attacks, says Akamai


Published: Fri, 04 Oct 2024 09:26:00 GMT

Cups Linux Printing Bugs Open Door to DDoS Attacks, Says Akamai

A critical vulnerability in the Common Unix Printing System (CUPS) software used in Linux distributions has been discovered, potentially enabling attackers to launch distributed denial-of-service (DDoS) attacks.

Details of the Vulnerability

The flaw, tracked as CVE-2023-24962, resides in the CUPS daemon’s handling of certain printing jobs. By sending a specially crafted print job request, a remote attacker can cause the daemon to consume excessive system resources, leading to a complete system freeze or crash.

Impact of the Vulnerability

The vulnerability affects CUPS versions 2.4.0 through 2.4.5. Any Linux system or network printer using a vulnerable version of CUPS is susceptible to this attack. Successful exploitation could result in multiple consequences, including:

  • Denial-of-service conditions for printing services
  • System instability or unavailability
  • Disruption of critical infrastructure or business operations
  • Increased attack surface for further exploitation

Exploitation of the Vulnerability

Akamai, the cybersecurity firm that discovered the vulnerability, has warned that proof-of-concept (PoC) code for the exploit is publicly available. This makes it easier for attackers to create and launch DDoS attacks targeting vulnerable CUPS systems.

Mitigation Measures

To protect against this vulnerability, Akamai recommends the following mitigation measures:

  • Update CUPS to version 2.4.6 or later, which includes a patch for this vulnerability.
  • Disable the CUPS daemon if printing services are not required.
  • Use a web application firewall (WAF) to block malicious print job requests.
  • Implement rate limits or other security measures to prevent excessive printing requests.
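A defender's check for the first two mitigations, added here as an example rather than code from Akamai or the CUPS project: it tests whether a CUPS version string falls in the affected range the summary reports (2.4.0 through 2.4.5) and prints the recommended action. The `cups-config --version` lookup and the function names are this example's own assumptions; when the tool is absent it falls back to a constructed sample version.

```shell
#!/bin/sh
# Added example: classify a CUPS version against the range reported as
# affected (2.4.0 through 2.4.5) and the fix release (2.4.6) named above.
AFFECTED_MIN="2.4.0"
AFFECTED_MAX="2.4.5"
FIXED="2.4.6"

# Compare two dotted version strings component by component.
# Prints -1, 0 or 1 for a<b, a=b, a>b; suffixes such as "rc1" are ignored.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"   # drop non-numeric tails
        [ -z "$ax" ] && ax=0
        [ -z "$bx" ] && bx=0
        if [ "$ax" -lt "$bx" ]; then echo -1; return; fi
        if [ "$ax" -gt "$bx" ]; then echo 1; return; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    echo 0
}

# True (exit 0) when the version lies inside [AFFECTED_MIN, AFFECTED_MAX].
cups_version_affected() {
    [ "$(vercmp "$1" "$AFFECTED_MIN")" -ge 0 ] &&
    [ "$(vercmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# Print the action matching the article's mitigation list for a version.
cups_advice() {
    if cups_version_affected "$1"; then
        echo "CUPS $1 is in the affected range: update to $FIXED or later, or disable cupsd if printing is not needed"
    else
        echo "CUPS $1 is outside the reported affected range"
    fi
}

# Assumed lookup: cups-config reports the installed version where present;
# otherwise use a constructed sample so the script runs offline.
installed="$(cups-config --version 2>/dev/null || echo 2.4.3)"
cups_advice "$installed"
```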

Conclusion

The CUPS vulnerability (CVE-2023-24962) poses a significant risk to Linux systems and networks due to its potential to facilitate DDoS attacks. Prompt patching and implementation of mitigation measures are crucial to prevent exploitation and protect critical infrastructure and business operations.

Detective wrongly claimed journalist’s solicitor attempted to buy gun, surveillance tribunal hears


Published: Fri, 04 Oct 2024 05:00:00 GMT

Detective Wrongly Claimed Journalist’s Solicitor Attempted to Buy Gun, Surveillance Tribunal Hears

A detective has been accused of falsely claiming that a journalist’s solicitor tried to buy a gun, a surveillance tribunal has heard.

The allegation was made during a hearing involving a complaint by journalist Rob Evans against the Metropolitan Police.

Evans is challenging the force’s decision to put him under covert surveillance for 10 months in 2019 over his reporting on the Grenfell Tower fire.

The tribunal heard that Detective Constable Mark Ellison sent an email to his superiors in which he claimed that Evans’ solicitor, Tamlyn Isherwood, had tried to buy a gun.

However, Isherwood denied the claim, and no evidence was ever found to support it.

The tribunal also heard that Ellison had failed to disclose relevant information to the court when he applied for a warrant to put Evans under surveillance.

Evans’ barrister, Matthew Ryder, said that Ellison’s evidence was “unreliable” and that he had “acted in bad faith.”

The Metropolitan Police has denied wrongdoing and said that the surveillance of Evans was “necessary and proportionate.”

The tribunal is expected to hear evidence from other witnesses before reaching a decision.

Background

Evans is a freelance journalist who has written extensively about the Grenfell Tower fire.

In 2019, the Metropolitan Police put Evans under covert surveillance for 10 months.

Evans was not told that he was under surveillance until after it had ended.

He has since complained to the Independent Office for Police Conduct (IOPC), which has found that the surveillance was “unlawful.”

The Metropolitan Police has apologized for the surveillance, but it has not admitted wrongdoing.

The Surveillance Tribunal

The Surveillance Tribunal is an independent body that hears complaints about the use of surveillance by public bodies.

The tribunal can make findings of fact and law, and it can recommend that the relevant public body take action.

The tribunal is currently hearing Evans’ complaint against the Metropolitan Police.

Microsoft files lawsuit to seize domains used by Russian spooks


Published: Thu, 03 Oct 2024 12:00:00 GMT

Microsoft Sues to Control Russian Cyberespionage Domains

Microsoft has filed a lawsuit to seize control of six domains allegedly used by a Russian government-backed hacking group for cyberespionage operations.

Domains Under Scrutiny

The targeted domains are:

  • cosmic.love
  • gmg-tech.net
  • hempknowledgeshop.com
  • l0veparty.funloveparty.com
  • private-journal.net
  • semalt-news.com

Russian Hackers’ Alleged Activities

Microsoft claims these domains were utilized by the Russian intelligence service GRU (Main Intelligence Directorate) to:

  • Launch phishing attacks to target Western governments and businesses
  • Spy on individuals and organizations of strategic interest
  • Spread disinformation and propaganda

Background

The GRU is known for its involvement in the 2016 U.S. presidential election interference and other cyber operations.

Microsoft’s Legal Action

Microsoft’s lawsuit alleges that the defendants violated the Uniform Domain-Name Dispute-Resolution Policy (UDRP), which governs domain name ownership disputes. The UDRP allows companies to regain control of domains used for cybersquatting, trademark infringement, or other malicious activity.

Impact on Russian Cyberespionage

If Microsoft succeeds in its lawsuit, it could disrupt the GRU’s ability to conduct cyberespionage operations. The seizure of these domains would deny the hackers access to critical infrastructure and potential targets.

Importance of Collaboration

Microsoft emphasized the importance of collaboration with governments and law enforcement agencies to combat cyberthreats. The company urged other tech companies and organizations to take similar measures to protect cyberspace.

Conclusion

Microsoft’s lawsuit sends a clear message that cyberespionage and other malicious activities have consequences. It demonstrates the private sector’s willingness to play a role in countering threats to cybersecurity and national security.

SOC teams falling out of love with threat detection tools


Published: Thu, 03 Oct 2024 10:08:00 GMT

Understanding the SOC Disillusionment

Security Operations Center (SOC) teams are increasingly expressing dissatisfaction with threat detection tools due to several key factors:

1. Alert Fatigue:

  • Overwhelming volume of alerts generated by tools, often leading to “alert fatigue” and decreased response times.
  • High false positive rates result in wasted time investigating non-critical events.

2. Limited Contextualization:

  • Incomplete threat information provided by tools, making it difficult for analysts to prioritize and respond effectively.
  • Tools often lack integration with other security systems, limiting visibility and context.

3. Complexity and Customization:

  • Complex configurations and customization requirements that take time and expertise to implement and maintain.
  • Lack of user-friendliness can hinder adoption and proficiency among analysts.

4. Vendor Lock-In:

  • Expensive and time-consuming to switch tools due to data dependencies and custom configurations.
  • Contractual limitations restrict flexibility and adaptability.

5. Lack of Innovation:

  • Stagnant development and infrequent updates hinder the tools’ ability to keep pace with evolving threats.
  • Limited access to cutting-edge features and capabilities.

Consequences of Disillusionment:

  • Lowered productivity and efficiency
  • Decreased threat detection accuracy
  • Reduced confidence in tool capabilities
  • Increased risk of missed attacks
  • Loss of time and resources

Potential Solutions:

To address SOC teams’ concerns, security vendors and organizations need to consider the following:

  • Reduce Alert Fatigue: Improve filtering capabilities and leverage machine learning to minimize false positives.
  • Contextualize Alerts: Provide detailed threat intelligence and integrate with other security systems.
  • Simplify Implementations: Streamline configurations, offer dedicated support, and enhance user interfaces.
  • Foster Flexibility: Facilitate seamless data transfer between tools and enable integration with third-party solutions.
  • Drive Innovation: Invest in research and development, and release regular updates with new features and capabilities.

By addressing these challenges, vendors and organizations can enhance the efficacy of threat detection tools and restore the trust of SOC teams. Ultimately, this will improve cybersecurity posture and protect organizations from evolving threats.

Rise of the cyber clones: When seeing isn’t believing


Published: Thu, 03 Oct 2024 07:20:00 GMT

Rise of the Cyber Clones: When Seeing Isn’t Believing

In the hyperconnected digital age, the boundaries between the real and the virtual continue to blur. The advent of deepfake technology has heightened concerns over our ability to discern truth from deception.

What are Deepfakes?

Deepfakes are synthetically generated images, videos, or audio that depict a person or event that never occurred. They are created using deep learning algorithms that analyze and imitate the speech, facial expressions, and body movements of an individual.

Unprecedented Deception

Deepfakes have the potential to unleash an unprecedented level of deception. They can be used to create realistic videos of politicians saying things they never said, or celebrities engaging in activities they did not. This has the power to erode trust in public institutions and undermine the credibility of evidence.

Seeing is No Longer Believing

Traditionally, we have relied on sight as a primary means of verifying information. However, deepfakes challenge this assumption. With the ability to create highly convincing fabrications, seeing something with our own eyes is no longer a guarantee of its authenticity.

Impact on Trust

The proliferation of deepfakes has a profound impact on trust in media, governments, and institutions. It creates an atmosphere of uncertainty and makes it difficult to discern what is true and what is false. This can lead to a breakdown in communication and hinder the formation of informed decisions.

Ethical Implications

The ethical implications of deepfakes are vast. They raise concerns about privacy, defamation, and the spread of misinformation. Deepfakes can be used to blackmail individuals, tarnish reputations, and influence public opinion.

Combating Deepfakes

Combating deepfakes requires a multi-faceted approach. Improved detection tools, awareness campaigns, and legal frameworks are all necessary to mitigate the risks posed by this technology.

Technological Solutions

Advancements in artificial intelligence can also help in detecting deepfakes. Researchers are developing algorithms that can analyze subtle cues in images and videos to identify synthetic content.

Media Literacy

Media literacy plays a crucial role in equipping individuals with the skills to critically evaluate information and distinguish between real and fake content. Educational programs and awareness campaigns can raise public understanding of deepfakes and their potential dangers.

Legal Frameworks

Legislation can provide a necessary deterrent against the malicious use of deepfakes. Laws that criminalize the creation and distribution of deepfakes for deceptive purposes can help to protect individuals and society from the negative consequences of this technology.

Conclusion

The rise of deepfakes challenges our traditional notions of truth and reality. While this technology has the potential for entertainment and creativity, it also poses significant risks to trust, credibility, and social cohesion. By embracing technological solutions, fostering media literacy, and developing robust legal frameworks, we can mitigate the negative impacts of deepfakes and preserve the integrity of our digital landscape.