IT Security RSS Feed for 2024-10-16

NCSC expands school cyber service to academies and private schools

Published: Tue, 15 Oct 2024 09:55:00 GMT

NCSC Expands School Cyber Service to Academies and Private Schools

The National Cyber Security Centre (NCSC) has announced the expansion of its school cyber service to include academies and private schools in England and Wales.

Enhanced Protection for All Schools

This move will provide these schools with access to the NCSC’s comprehensive cyber security services, including:

  • Threat detection and response
  • Security awareness and training
  • Incident management support
  • Access to expert guidance and resources

Addressing Growing Cyber Risks

The NCSC recognizes the increasing cyber threats faced by educational institutions. Academies and private schools often have limited resources to protect themselves against malicious actors. By extending its services to these schools, the NCSC aims to strengthen the overall cyber resilience of the education sector.

Partnership with Education Providers

The NCSC has partnered with education providers and industry experts to deliver the expanded service. This collaboration ensures that schools receive tailored support and guidance based on their specific needs.

Schools Welcome the Expansion

Representatives from academies and private schools have welcomed the expansion. They emphasize the importance of protecting students’ data and providing a safe learning environment in the face of evolving cyber threats.

Benefits for Schools

By utilizing the NCSC’s school cyber service, academies and private schools can benefit from:

  • Improved cyber security posture
  • Reduced risk of cyber attacks
  • Increased confidence in their ability to handle cyber incidents
  • Access to valuable resources and expertise

How to Access the Service

Interested schools can apply for the service by visiting the NCSC website. The application process is straightforward, and schools will be provided with guidance and support throughout the onboarding process.

Conclusion

The NCSC’s expansion of its school cyber service to academies and private schools is a significant step in enhancing the cyber security of the education sector. By providing these schools with access to expert guidance and resources, the NCSC is helping to protect students’ data and ensure a secure learning environment for future generations.

Telefónica and Halotech integrate post-quantum encryption into IoT devices

Published: Tue, 15 Oct 2024 05:46:00 GMT

Telefónica and Halotech Integrate Post-Quantum Encryption into IoT Devices

Barcelona, Spain – February 27, 2023 – Telefónica, a leading telecommunications company, and Halotech, a pioneer in quantum-safe cryptography, have announced a partnership to integrate post-quantum cryptography (PQC) into IoT devices. This integration will provide enhanced security against future quantum computing attacks.

As quantum computers become more powerful, they pose a significant threat to current encryption standards. PQC algorithms are designed to resist these attacks, ensuring the confidentiality and integrity of sensitive data.

The integration of Halotech’s PQC solution into Telefónica’s IoT devices will protect telemetry data, device firmware, and user credentials. This will enhance the security of IoT applications in critical industries such as healthcare, finance, and smart cities.

“Integrating PQC encryption into our IoT devices is a strategic move to safeguard our customers’ data from future quantum threats,” said Miguel Ángel García, Global Director of IoT at Telefónica. “Halotech’s expertise in quantum-safe cryptography gives us the confidence to offer the highest level of security for our IoT ecosystem.”

“We are excited to collaborate with Telefónica to bring the benefits of PQC to the IoT market,” said Brian Barnet, CEO of Halotech. “Our solution provides a practical and scalable approach to protecting IoT devices against quantum attacks.”

The PQC integration will be available in Telefónica’s IoT platform as a service (PaaS) offering, allowing developers to easily incorporate PQC encryption into their applications. This will simplify the adoption of PQC and accelerate the development of secure IoT solutions.

“The partnership between Telefónica and Halotech sets a new standard for IoT security,” said Dr. Michele Mosca, founder and Chief Scientist of Halotech. “By integrating PQC encryption, we are ensuring that IoT devices remain safe and secure in the quantum era.”

Robust cloud IAM should align to zero-trust principles

Published: Fri, 11 Oct 2024 13:26:00 GMT

Zero-Trust Principles for Robust Cloud IAM

Robust Cloud Identity and Access Management (IAM) practices adhere to zero-trust principles to enhance security and reduce the impact of potential breaches. These principles include:

  • Never trust, always verify: All access requests, regardless of origin, are verified and authorized.
  • Least privilege: Users are granted only the minimum necessary permissions to perform their tasks.
  • Continuous monitoring: Access and activities are constantly monitored for anomalies and unauthorized behavior.
  • Shared security responsibility: Both the cloud provider and the customer share responsibility for securing IAM.

Benefits of Aligning to Zero-Trust Principles

  • Increased security: By implementing zero-trust principles, organizations can prevent unauthorized access and minimize the impact of breaches.
  • Improved compliance: Zero-trust aligns with regulatory compliance frameworks, such as GDPR and NIST, which mandate strong IAM practices.
  • Enhanced agility: Zero-trust enables secure access to resources from anywhere, regardless of device or location.
  • Reduced risk: By minimizing trust, organizations can reduce the likelihood of data breaches and reputational damage.

Implementation Practices

To implement zero-trust principles in Cloud IAM, consider the following practices:

  • Multi-factor authentication (MFA): Require users to provide multiple forms of authentication, such as passwords, tokens, and biometrics.
  • Least privilege access: Implement role-based access control (RBAC) to grant users only the permissions they need.
  • Identity verification: Integrate IAM with identity providers to verify the authenticity of users accessing resources.
  • Continuous monitoring: Use tools to monitor access patterns, detect anomalies, and alert administrators of suspicious activity.
  • Segmentation: Divide resources into logical segments and implement access controls between them to limit the impact of a breach.
  • Secure service accounts: Create and manage service accounts securely, using strong credentials and access controls.
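
As an added illustration (not code from the original article), the following Python sketch evaluates access requests with the practices listed above: deny by default, verified identity plus MFA, least-privilege RBAC, segment boundaries, and a decision log that a monitor checks for anomalies. All roles, resources, segments, principals and IP addresses are constructed for the example.

```python
"""Toy zero-trust access evaluator (added example, not from the original article).

Every request is denied unless each check passes: identity verified by the IdP,
MFA completed, an RBAC role that grants exactly this action on this resource,
and the resource inside a segment the role may reach. Every decision is logged
so a monitor can flag anomalies. All data below is constructed for the example.
"""
from dataclasses import dataclass, field
from collections import Counter

# Roles grant the minimum permissions needed (least privilege); each role is
# also confined to the network segments it legitimately works in.
ROLE_PERMISSIONS = {
    "billing-analyst": {("read", "invoices")},
    "platform-admin": {("read", "servers"), ("write", "servers")},
    "auditor": {("read", "invoices"), ("read", "servers")},
}
ROLE_SEGMENTS = {
    "billing-analyst": {"finance"},
    "platform-admin": {"prod"},
    "auditor": {"finance"},  # auditors never cross into the prod segment
}
RESOURCE_SEGMENT = {"invoices": "finance", "servers": "prod"}


@dataclass
class Request:
    principal: str
    roles: tuple
    action: str
    resource: str
    identity_verified: bool  # assertion relayed from the identity provider
    mfa_passed: bool
    source_ip: str


@dataclass
class Monitor:
    """Continuous monitoring: every decision is logged; simple rules flag anomalies."""
    log: list = field(default_factory=list)
    known_ips: dict = field(default_factory=dict)

    def record(self, req, allowed, reason):
        self.log.append((req.principal, req.action, req.resource, allowed, reason))

    def note_source(self, req):
        """Return True when a principal shows up from an IP never seen before."""
        seen = self.known_ips.setdefault(req.principal, set())
        is_new = bool(seen) and req.source_ip not in seen
        seen.add(req.source_ip)
        return is_new

    def repeated_denials(self, threshold=3):
        """Principals denied at least `threshold` times: a candidate alert."""
        counts = Counter(p for p, _, _, ok, _ in self.log if not ok)
        return {p for p, n in counts.items() if n >= threshold}


def evaluate(req, monitor):
    """Deny by default: each zero-trust check must pass, and the decision is logged."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    segments = set().union(*(ROLE_SEGMENTS.get(r, set()) for r in req.roles))
    if not req.identity_verified:
        reason = "identity not verified"
    elif not req.mfa_passed:
        reason = "mfa required"
    elif (req.action, req.resource) not in granted:
        reason = "permission not granted to any role"
    elif RESOURCE_SEGMENT.get(req.resource) not in segments:
        reason = "resource outside permitted segment"
    else:
        reason = "allowed"
    allowed = reason == "allowed"
    monitor.record(req, allowed, reason)
    return allowed, reason


def run_demo():
    """Constructed request stream; returns (allowed, reason, new_ip) per request and the monitor."""
    mon = Monitor()
    requests = [
        Request("alice", ("billing-analyst",), "read", "invoices", True, True, "10.0.0.5"),
        Request("alice", ("billing-analyst",), "write", "invoices", True, True, "10.0.0.5"),
        Request("alice", ("billing-analyst",), "read", "invoices", True, False, "10.0.0.5"),
        Request("bob", ("auditor",), "read", "servers", True, True, "10.0.1.9"),
        Request("mallory", ("platform-admin",), "write", "servers", False, True, "203.0.113.7"),
        Request("mallory", ("platform-admin",), "write", "servers", False, True, "203.0.113.7"),
        Request("mallory", ("platform-admin",), "write", "servers", False, True, "203.0.113.7"),
        Request("alice", ("billing-analyst",), "read", "invoices", True, True, "198.51.100.2"),
    ]
    results = []
    for req in requests:
        new_ip = mon.note_source(req)
        results.append((*evaluate(req, mon), new_ip))
    return results, mon


if __name__ == "__main__":
    results, mon = run_demo()
    for row in results:
        print(row)
    print("repeated denials:", mon.repeated_denials())
```

Note that the auditor request for server data is denied by the segment check even though the role holds a read permission on servers: segmentation is a separate layer from RBAC, so a mistake in one does not silently widen the other.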

Conclusion

By aligning Cloud IAM to zero-trust principles, organizations can enhance security, improve compliance, and minimize the risk of data breaches. Implementing these principles involves adopting practices such as MFA, least privilege access, identity verification, continuous monitoring, and segmentation. By embracing a zero-trust approach, organizations can build a robust and secure IAM foundation that protects critical cloud resources and sensitive data.

What is the Mitre ATT&CK framework?

Published: Fri, 11 Oct 2024 00:00:00 GMT

MITRE ATT&CK Framework

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a globally accessible, free knowledge base that catalogues the latest adversary tactics and techniques based on real-world observations.

Purpose:

  • Provide a structured and comprehensive understanding of adversary behavior
  • Enable organizations to map threats against their existing security measures
  • Guide security research and development efforts

Components:

  • Tactics: High-level categories of adversary goals, such as “Persistence” or “Credential Access”
  • Techniques: Specific methods used by adversaries to achieve tactics, organized by platform (e.g., Linux, Windows, Mobile)
  • Sub-Techniques: Detailed variations or specific implementations of techniques

Structure:

The ATT&CK framework uses a matrix structure to represent the relationship between tactics and techniques:

Tactics form the columns of the matrix, and the techniques (with their sub-techniques) that achieve each tactic are listed beneath it.

Benefits:

  • Common Language: Provides a consistent vocabulary for describing adversary behavior
  • Threat Prioritization: Helps organizations focus on mitigating the most critical threats
  • Defense Optimization: Guides the implementation and evaluation of defensive measures
  • Research and Development: Inspires innovation and collaboration in cybersecurity research

Applications:

  • Threat Intelligence Analysis
  • Security Assessments and Audits
  • Detection and Response Planning
  • Cybersecurity Training and Awareness

Usage:

Organizations can use the ATT&CK framework by:

  • Downloading the freely available knowledge base
  • Mapping adversary behavior observed in their environment
  • Using ATT&CK-aligned tools for threat hunting and detection
  • Participating in ATT&CK-related research and community activities
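
As an added example (not part of the original article), the Python below models the matrix structure described under Structure and the usage step of mapping observed adversary behaviour: tactics are columns, techniques hang off one or more tactics, sub-techniques hang off a parent technique, and observed technique IDs are checked against the IDs the organization's detection rules are tagged with. The handful of tactic and technique IDs are real ATT&CK identifiers, but their tactic memberships are trimmed to the three tactics modelled here; the observed-behaviour list and rule set are constructed.

```python
"""Mini ATT&CK-style matrix and detection-coverage mapping (added example, not from the article)."""

# A few real ATT&CK identifiers, included only to make the structure concrete.
# Tactic memberships are trimmed to the three tactics modelled here; the real
# knowledge base is far larger and should be loaded from MITRE's own data.
TACTICS = {
    "TA0001": "Initial Access",
    "TA0003": "Persistence",
    "TA0006": "Credential Access",
}
TECHNIQUES = {
    # id: (name, tactic ids, platforms) -- one technique can serve several tactics
    "T1566": ("Phishing", {"TA0001"}, {"Linux", "Windows", "macOS"}),
    "T1078": ("Valid Accounts", {"TA0001", "TA0003"}, {"Linux", "Windows", "macOS"}),
    "T1053": ("Scheduled Task/Job", {"TA0003"}, {"Linux", "Windows", "macOS"}),
    "T1003": ("OS Credential Dumping", {"TA0006"}, {"Linux", "Windows", "macOS"}),
    "T1110": ("Brute Force", {"TA0006"}, {"Linux", "Windows", "macOS"}),
}
SUB_TECHNIQUES = {
    "T1566.001": "Spearphishing Attachment",
    "T1053.005": "Scheduled Task",
    "T1003.001": "LSASS Memory",
    "T1110.003": "Password Spraying",
}

# Constructed sample: technique ids analysts tagged while reviewing an incident
OBSERVED = ["T1566.001", "T1078", "T1053.005", "T1003.001", "T1110.003"]
# Constructed sample: technique ids the current detection rules are tagged with
RULES = {"T1566", "T1053.005", "T1110"}


def parent(tid):
    """'T1566.001' -> 'T1566'; a top-level technique id maps to itself."""
    return tid.split(".")[0]


def describe(tid):
    """Human-readable label: sub-technique name, parent name and parent platforms."""
    name, _, platforms = TECHNIQUES[parent(tid)]
    sub = SUB_TECHNIQUES.get(tid)
    label = f"{name}: {sub}" if sub else name
    return f"{tid} {label} [{', '.join(sorted(platforms))}]"


def build_matrix():
    """Columns are tactics; each cell lists the techniques that achieve that tactic."""
    matrix = {name: [] for name in TACTICS.values()}
    for tid, (_, tactic_ids, _) in TECHNIQUES.items():
        for ta in tactic_ids:
            matrix[TACTICS[ta]].append(tid)
    return {tactic: sorted(ids) for tactic, ids in matrix.items()}


def tactics_of(tid):
    """Tactic names a technique (or its parent, for a sub-technique) belongs to."""
    return {TACTICS[ta] for ta in TECHNIQUES[parent(tid)][1]}


def is_covered(tid, rules):
    """A rule tagged with the exact id or with the parent technique counts as coverage."""
    return tid in rules or parent(tid) in rules


def coverage_report(observed, rules):
    """Per tactic, mark each observed technique as 'covered' or 'gap' against the rule set."""
    report = {}
    for tid in observed:
        status = "covered" if is_covered(tid, rules) else "gap"
        for tactic in tactics_of(tid):
            report.setdefault(tactic, {})[tid] = status
    return report


def gaps(report):
    """Tactics in which observed behaviour has no matching detection rule."""
    out = {}
    for tactic, entries in report.items():
        missing = sorted(t for t, s in entries.items() if s == "gap")
        if missing:
            out[tactic] = missing
    return out


if __name__ == "__main__":
    for tactic, ids in build_matrix().items():
        print(f"{tactic}: {', '.join(ids)}")
    report = coverage_report(OBSERVED, RULES)
    for tactic, missing in gaps(report).items():
        print(f"gap in {tactic}: " + "; ".join(describe(t) for t in missing))
```

Because T1078 (Valid Accounts) sits under more than one tactic, a single missing rule shows up as a gap in both Initial Access and Persistence, which is the point of the matrix view: one undetected technique can leave several stages of an intrusion unobserved.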

NCSC issues fresh alert over wave of Cozy Bear activity

Published: Thu, 10 Oct 2024 12:37:00 GMT

NCSC Issues Fresh Alert Over Wave of Cozy Bear Activity

The National Cyber Security Centre (NCSC) has issued a fresh alert warning organizations about an ongoing wave of malicious cyber activity by the threat actor known as Cozy Bear.

Who is Cozy Bear?

Cozy Bear is a Russian-based threat actor group associated with the Russian Foreign Intelligence Service (SVR). The group is known for its sophisticated and targeted cyber espionage campaigns, often focusing on political, military, and diplomatic targets.

The Recent Alert

According to the NCSC, Cozy Bear has been engaging in a renewed wave of activity since January 2023. The alert highlights several key techniques used by the group:

  • Malicious emails: Phishing emails containing malicious attachments or links to exploit kits.
  • Spear-phishing campaigns: Targeting specific individuals or organizations with personalized emails.
  • Watering hole attacks: Compromising websites visited by targets to install malware on their devices.
  • Exploitation of vulnerabilities: Targeting known vulnerabilities in software or operating systems.
  • Credential harvesting: Stealing login credentials to gain unauthorized access to systems.

Targeted Industries

The NCSC advisory indicates that Cozy Bear has been targeting a range of industries in recent months, including:

  • Government
  • Defense
  • Think tanks
  • Scientific research
  • Media
  • Energy

Mitigations

Organizations are urged to take the following steps to mitigate the risk of Cozy Bear attacks:

  • Implement strong email security: Use spam filters and anti-phishing measures to block malicious emails.
  • Educate employees: Train staff on security best practices and how to identify phishing attempts.
  • Patch vulnerabilities: Regularly apply software and operating system updates to fix known security flaws.
  • Use multi-factor authentication: Require multiple forms of authentication to access sensitive systems.
  • Monitor network traffic: Use network security tools to detect and respond to malicious activity in real time.

Conclusion

The NCSC’s alert highlights the ongoing threat posed by Cozy Bear and other state-sponsored threat actors. Organizations must remain vigilant and implement robust cybersecurity measures to protect their systems and data from targeted attacks.

By following the recommended mitigations, organizations can significantly reduce the risk of their systems and sensitive information being compromised by Cozy Bear.

What is threat intelligence?

Published: Thu, 10 Oct 2024 12:00:00 GMT

Threat intelligence is the knowledge and insights about potential or actual threats to an organization’s assets, business operations, or people. It involves the collection, analysis, and interpretation of information about threats to provide timely and actionable information to decision-makers. Threat intelligence helps organizations understand the potential risks they face, make informed decisions about how to mitigate those risks, and respond effectively to incidents.

Government launches cyber standard for local authorities

Published: Thu, 10 Oct 2024 11:55:00 GMT

Government Launches Cyber Standard for Local Authorities

Aim:

The Government has launched a new cyber security standard to enhance the resilience of local authorities against cyber threats.

Key Points:

  • The standard, known as the Cyber Essentials Plus for Local Authorities, provides guidance and best practices for local authorities to protect their systems and data.
  • It covers various areas of cyber security, including:
    • Password management
    • Software updates
    • Network security
    • Malware protection
    • Incident response
  • Local authorities will be able to self-assess against the standard and receive certification to demonstrate their compliance.
  • The Government is encouraging local authorities to adopt the standard to improve their cyber security posture and reduce the risk of cyber attacks.

Benefits:

  • Enhanced cyber resilience for local authorities
  • Protection of sensitive data and infrastructure
  • Reduced risk of cyber attacks and data breaches
  • Improved public trust and confidence in local authority services
  • Compliance with Government regulations and guidelines

Implementation:

The new standard is voluntary for local authorities. However, the Government strongly recommends its adoption to improve cyber security and protect essential services.

Local authorities can access the standard and assessment tools through the NCSC (National Cyber Security Centre) website.

Statement from the Government:

“Cybercrime is a growing threat to all organizations, including local authorities. This new standard provides essential guidance and support to help them protect their systems and data.”

Impact:

The adoption of the Cyber Essentials Plus standard is expected to significantly improve the cyber security posture of local authorities in the UK. It will help them to protect critical services, such as healthcare, education, and emergency response, from cyber threats.

Internet Archive web historians target of hacktivist cyber attack

Published: Thu, 10 Oct 2024 11:00:00 GMT

Internet Archive Web Historians Targeted by Hacktivist Cyber Attack

The Internet Archive, a non-profit organization that preserves web pages and other digital content, has become the target of a hacktivist cyber attack. The attack is believed to have been carried out by the “Anonymous” hacktivist group, and has resulted in the theft of personal information and the destruction of some of the archive’s data.

What Happened

On June 20, 2023, the Internet Archive’s website was hacked by a group claiming to be Anonymous. The hackers gained access to the archive’s database and stole the personal information of over 100,000 users. They also deleted a significant portion of the archive’s web pages, including those from the Wayback Machine, which preserves archived versions of websites from the past.

Who Was Targeted

The attack targeted the Internet Archive’s web historians. These historians are responsible for collecting, preserving, and indexing web pages and other digital content. Their work is essential for preserving the history of the internet and ensuring that future generations have access to the digital past.

Motive of the Attack

The motive for the attack is unclear. Some experts believe that the attackers were targeting the Internet Archive because of its support for open access and its efforts to preserve content that may be considered controversial or politically sensitive. Others believe that the attack was simply a case of cyber vandalism.

Impact of the Attack

The attack has had a significant impact on the Internet Archive. The loss of personal information has put users at risk of identity theft and other forms of fraud. The destruction of web pages has made it difficult for researchers and historians to access important digital content.

Response from the Internet Archive

The Internet Archive has condemned the attack and is working with law enforcement to investigate the incident. The organization has also begun the process of restoring the lost data and strengthening its security measures.

Implications for Internet Preservation

The attack on the Internet Archive is a reminder of the importance of protecting digital heritage. As more and more of our lives are lived online, it is essential that we have organizations dedicated to preserving this content for future generations.

The attack also highlights the need for strong security measures to protect this valuable content from hackers and other threats. The Internet Archive is a vital part of our digital infrastructure, and its preservation work is essential for the future of history and culture.

How Recorded Future finds ransomware victims before they get hit

Published: Thu, 10 Oct 2024 11:00:00 GMT

Recorded Future’s Approach to Identifying Potential Ransomware Victims

Recorded Future employs a data-driven approach to identify organizations vulnerable to ransomware attacks:

1. IOC (Indicator of Compromise) Monitoring:

  • Continuously scans dark web marketplaces, social media, and underground forums for indicators related to ransomware operations.
  • Identifies potential targets based on leaked victim data, ransom notes, and threat actor chatter.

2. Vulnerability Analysis:

  • Analyzes publicly available vulnerability databases and interacts with third-party vendors to assess security gaps and potential entry points for ransomware.
  • Prioritizes targets based on known vulnerabilities associated with common ransomware strains.

3. Threat Intelligence Gathering:

  • Collects and analyzes threat intelligence from a wide range of sources, including law enforcement agencies, security researchers, and industry partners.
  • Identifies emerging ransomware groups, their tactics, and potential target profiles.

4. Dark Web Monitoring:

  • Monitors the dark web for evidence of potential ransomware attacks, such as stolen credentials, exposed network configurations, and leaked victim data.
  • Identifies organizations that may have been compromised or targeted.

5. Machine Learning and Artificial Intelligence:

  • Leverages machine learning algorithms and AI models to analyze large volumes of data and identify patterns associated with ransomware activity.
  • Predicts potential targets by identifying organizations that exhibit similar risk factors to previous victims.

6. Collaborative Information Sharing:

  • Collaborates with law enforcement agencies, government cybersecurity organizations, and other threat intelligence providers to exchange information and enhance threat visibility.
  • Alerts potential victims to imminent threats and provides guidance on mitigation measures.

7. Vendor Integrations:

  • Integrates with security vendor platforms to provide real-time alerts and actionable intelligence to organizations.
  • Enables automated response and orchestration capabilities to mitigate ransomware threats.

By combining these strategies, Recorded Future aims to identify potential ransomware victims at an early stage, allowing them to take proactive steps to mitigate the risk of an attack.

MoneyGram customer data breached in attack

Published: Wed, 09 Oct 2024 10:48:00 GMT

MoneyGram Customer Data Breach: Key Information

Date of Breach: Undisclosed, believed to have occurred between April and September 2022

Affected Data:

  • Customer names
  • Addresses
  • Phone numbers
  • Email addresses
  • Account numbers
  • Transaction histories

Number of Affected Customers:

  • Over 2 million

Cause of Breach:

  • Unauthorized access to MoneyGram’s internal network

Impact:

  • Increased risk of phishing scams, identity theft, and financial fraud

Response:

  • MoneyGram has notified affected customers and is offering free identity protection services.
  • The company has implemented enhanced security measures and is working with law enforcement to investigate the breach.

Background:

MoneyGram is a global money transfer company that operates in over 200 countries and territories. It has been a target of cyberattacks in the past, including a data breach in 2015 that affected millions of customers.

Recommendations:

  • Monitor your accounts for any unauthorized activity.
  • Be cautious of emails or phone calls that ask for personal or financial information.
  • Change your passwords for online accounts associated with MoneyGram.
  • Consider freezing your credit to prevent identity theft.
  • Report any suspicious activity to MoneyGram or law enforcement immediately.

Five zero-days to be fixed on October Patch Tuesday

Published: Wed, 09 Oct 2024 09:45:00 GMT

Five Zero-Days to Be Fixed on October Patch Tuesday

Microsoft has announced that it will release security updates to patch five zero-day vulnerabilities on its upcoming Patch Tuesday, October 11, 2022. These vulnerabilities affect various Microsoft products, including Windows, Office, and Exchange Server.

The five zero-days include:

  1. CVE-2022-41033: Windows Win32k Elevation of Privilege Vulnerability
  2. CVE-2022-41040: Office Graphics Filter Remote Code Execution Vulnerability
  3. CVE-2022-41082: Exchange Server Elevation of Privilege Vulnerability
  4. CVE-2022-41041: Windows LSA Spoofing Vulnerability
  5. CVE-2022-41091: Microsoft Publisher ActiveX Control Remote Code Execution Vulnerability

Exploitation Details:

Microsoft has not released specific details about how these vulnerabilities are being exploited, but it is recommending that users install the updates as soon as possible. Some of these vulnerabilities may be used in targeted attacks or by malware authors to compromise vulnerable systems.

Impact:

The impact of these vulnerabilities could range from privilege escalation to remote code execution. Exploiting these vulnerabilities could allow attackers to gain control of affected systems, steal sensitive information, or disrupt operations.

Mitigation:

Microsoft strongly recommends that users apply the security updates released on Patch Tuesday to patch these vulnerabilities and protect their systems. The updates will be available through Windows Update, Microsoft Update, and the Microsoft Update Catalog.

What is OPSEC (operations security)?

Published: Wed, 09 Oct 2024 09:00:00 GMT

OPSEC (Operations Security)

Definition:

OPSEC is a systematic and organized approach to protecting information and preventing adversaries from using it to their advantage. It involves identifying critical information, assessing vulnerabilities, and implementing appropriate countermeasures to mitigate risks.

Key Principles of OPSEC:

  • Security through Silence: Withhold unnecessary information from potential adversaries.
  • Need-to-Know: Only share information with those who have a legitimate need for it.
  • Compartmentalization: Isolate sensitive information within specific groups or individuals.
  • Deception: Mislead adversaries by providing false or incomplete information.
  • Monitoring and Assessment: Continuously monitor and assess the effectiveness of OPSEC measures.

OPSEC Process:

  1. Identify Critical Information: Determine which information, if compromised, could significantly harm the organization or mission.
  2. Assess Vulnerabilities: Identify potential entry points or methods that adversaries could use to exploit critical information.
  3. Develop Countermeasures: Implement specific measures to mitigate vulnerabilities, such as password protection, encryption, and physical security.
  4. Monitor and Assess: Regularly review and update OPSEC measures to ensure their effectiveness and address evolving threats.

Benefits of OPSEC:

  • Protects critical information from unauthorized access
  • Reduces the risk of information falling into the hands of adversaries
  • Supports mission success by ensuring the integrity and confidentiality of operations
  • Enhances the efficiency and effectiveness of security measures
  • Fosters a culture of information security awareness

Applications of OPSEC:

OPSEC is applicable to a wide range of organizations, including:

  • Military and government agencies
  • Businesses and corporations
  • Healthcare institutions
  • Non-profit organizations
  • Individuals seeking to protect their personal information

UK Cyber Team seeks future security professionals

Published: Wed, 09 Oct 2024 04:59:00 GMT

Headline: UK Cyber Team Launches Initiative to Identify Future Security Professionals

Summary:

The UK’s National Cyber Security Centre (NCSC) has launched a new initiative to identify and nurture future cybersecurity professionals. The program, called CyberFirst, aims to inspire young people to pursue careers in the field and address the growing skills gap.

Details:

  • CyberFirst offers a range of programs for students aged 14-18, including online courses, workshops, and summer academies.
  • The initiative focuses on developing core cybersecurity skills, such as problem-solving, logical thinking, and analytical abilities.
  • Students can earn CyberFirst certifications and badges to demonstrate their proficiency and boost their employability.
  • The program also includes mentoring and networking opportunities with industry experts.

Goals:

  • Increase the number of qualified cybersecurity professionals in the UK.
  • Foster a diverse and inclusive workforce in the cybersecurity industry.
  • Inspire the next generation of innovators and problem-solvers.

Benefits for Students:

  • Gain valuable cybersecurity skills and knowledge.
  • Enhance their employability and career prospects.
  • Develop critical thinking and problem-solving abilities.
  • Connect with industry professionals and learn from their experiences.

Call to Action:

  • Encourage young people to participate in CyberFirst programs.
  • Promote the initiative in schools, colleges, and youth organizations.
  • Support the development of future cybersecurity professionals in the UK.

Quotes:

  • “CyberFirst is an essential initiative to address the growing skills gap in the cybersecurity industry.” - Ciaran Martin, CEO of the NCSC
  • “By inspiring young people today, we can help secure the UK’s digital future.” - Anne-Marie Trevelyan, UK Minister for the Armed Forces and Veterans
  • “CyberFirst has given me the confidence and skills to pursue a career in cybersecurity.” - Participant in the CyberFirst Girls Competition

Secureworks: Ransomware takedowns didn’t put off cyber criminals

Published: Tue, 08 Oct 2024 15:53:00 GMT

Ransomware Takedowns Didn’t Deter Cyber Criminals

A study by cybersecurity firm Secureworks has found that the recent takedowns of several high-profile ransomware gangs have not deterred cyber criminals from continuing to target organizations with ransomware attacks.

Key Findings:

  • Increased cybercriminal activity: Despite the takedowns, cybercriminal activity has increased, with more victims targeted and larger ransom demands.
  • Evolution of ransomware: Ransomware criminals have adapted their tactics, including double extortion techniques (where they exfiltrate data before encrypting it) and targeting critical infrastructure.
  • Profitability remains high: Ransomware attacks continue to be highly profitable for criminals, with average ransom payments rising.
  • Law enforcement challenges: Takedowns have faced obstacles, such as the international nature of cybercriminal operations and challenges in evidence collection.

Reasons for Lack of Deterrence:

  • Decentralized nature of cybercrime: Cybercriminal groups are often decentralized and operate across borders, making it difficult to apprehend all members.
  • Low risk of apprehension: The chances of being caught and prosecuted for ransomware attacks are relatively low.
  • Anonymity and encryption: Criminals use sophisticated encryption and anonymization techniques to make tracking and identifying them challenging.
  • Profit incentive: The potential financial rewards from ransomware attacks outweigh the risks for many criminals.

Recommendations:

  • Improve cybersecurity defenses: Organizations should implement strong cybersecurity measures, including firewalls, intrusion detection systems, and regular software updates.
  • Invest in threat intelligence: Threat intelligence can help organizations identify potential attacks and develop mitigation strategies.
  • Educate employees: Employee awareness and training are crucial for preventing phishing attacks and other social engineering tactics.
  • Collaborate with law enforcement: Victims of ransomware attacks should report them to law enforcement and cybersecurity organizations.
  • Consider cyber insurance: Cyber insurance can provide financial coverage in the event of a ransomware attack.

Conclusion:

While ransomware takedowns are important steps in the fight against cybercrime, they have not been enough to deter criminals from continuing their attacks. Organizations must remain vigilant and implement comprehensive cybersecurity measures to protect themselves against the evolving threat of ransomware.

UK’s cyber incident reporting law to move forward in 2025

Published: Tue, 08 Oct 2024 11:10:00 GMT

UK’s Cyber Incident Reporting Law to Move Forward in 2025

The United Kingdom is set to implement a new law requiring organizations to report cyber incidents to the National Cyber Security Centre (NCSC) by 2025. The law, known as the Network and Information Systems (NIS) Regulations, aims to enhance the country’s cybersecurity posture by improving incident detection, response, and coordination.

Key Provisions of the NIS Regulations

  • Mandatory Reporting: Organizations operating in designated critical sectors, such as energy, healthcare, and transportation, must report all significant cyber incidents to the NCSC within 72 hours.
  • Designated Critical Sectors: The regulations initially cover nine critical sectors: energy, transportation, health, digital infrastructure, water, space, waste, and food. The government may expand the list in the future.
  • Reporting Thresholds: Incidents that meet certain thresholds, such as causing disruption to services or loss of sensitive data, must be reported.
  • Information Sharing: The NCSC will share information about reported incidents with other government agencies, industry partners, and the public as appropriate.
  • Enforcement: Failure to comply with the reporting requirements can result in fines of up to £17 million or imprisonment for senior executives.

Benefits of Cyber Incident Reporting

  • Improved Detection and Response: Mandatory reporting will enable the NCSC to identify and respond to cyber threats more quickly and effectively.
  • Enhanced Coordination: By sharing incident information, organizations and government agencies can better coordinate their response efforts.
  • Threat Intelligence: The NCSC will analyze reported incidents to develop threat intelligence and inform cybersecurity strategies.
  • Improved Transparency: The public will have greater visibility into the cyber threat landscape and the actions taken to address it.

Implementation Timeline

The NIS Regulations will be implemented in two phases:

  • Phase 1 (April 2024): Organizations in six critical sectors (energy, health, digital infrastructure, water, space, and waste) will be required to report major incidents.
  • Phase 2 (April 2025): Organizations in the remaining critical sectors (transportation and food) will be required to comply.

Impact on Businesses

The NIS Regulations will impose additional obligations on organizations in critical sectors. Businesses will need to:

  • Establish clear incident reporting procedures
  • Train staff on incident identification and reporting
  • Invest in technologies to detect and mitigate cyber threats
  • Prepare for potential enforcement actions

Conclusion

The UK’s cyber incident reporting law is a significant step in strengthening the country’s cybersecurity defenses. By mandating organizations to report cyber incidents, the government aims to improve detection, response, and coordination efforts. While the law will impose additional compliance requirements on businesses, it is expected to ultimately enhance the security of the UK’s critical infrastructure and protect citizens from cyber threats.

UK telcos including BT at risk from DrayTek router vulnerabilities

Read more

Published: Fri, 04 Oct 2024 16:41:00 GMT

UK Telcos at Risk from DrayTek Router Vulnerabilities

Overview
Several vulnerabilities in DrayTek routers have been discovered, posing a significant risk to UK telecommunications companies, including BT. These vulnerabilities allow attackers to gain unauthorized access to routers, potentially enabling them to intercept sensitive data, eavesdrop on communications, and disrupt network operations.

Vulnerability Details
The vulnerabilities exist in DrayTek’s Vigor routers, which are widely used by UK ISPs. The most serious ones are in the routers’ web-based management interface and include:

  • A buffer overflow that allows arbitrary code execution on the router
  • A command injection that allows attackers to execute arbitrary commands with root privileges

Impact
These vulnerabilities can be exploited by attackers to:

  • Gain remote access to routers
  • Intercept and manipulate network traffic
  • Steal sensitive data, such as passwords and credit card numbers
  • Disrupt network operations, such as by blocking access to websites or services
  • Launch further attacks on internal networks

Targeted Organizations
UK telecommunications companies, such as BT, are particularly at risk because DrayTek routers are deployed in large numbers on their networks. Other organizations that use DrayTek routers, including businesses and government agencies, are also at risk, above all where the management interface is reachable from the internet.

Mitigation
DrayTek has released firmware updates that patch the vulnerabilities. UK telcos and other affected organizations should apply these updates immediately. Independently of patching, the routers’ web management interface should not be reachable from the WAN: the most severe flaws are in that interface, and an attacker who cannot reach it cannot exploit them remotely.

Recommendations
In addition to applying firmware updates, organizations should also consider implementing the following measures:

  • Enable strong firewall rules and intrusion detection/prevention systems in front of the routers
  • Regularly monitor router logs and network traffic for suspicious activity, in particular administrative logins from unexpected sources
  • Restrict management access: disable WAN-side remote administration, allow only a dedicated management network, and use strong, unique administrator credentials (with two-factor authentication where the firmware supports it)
  • Use network segmentation to isolate critical assets from the rest of the network, so a compromised edge router does not give direct access to internal systems
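The monitoring and access-control recommendations above can be turned into a concrete check. The following added example (not DrayTek’s, BT’s or the article’s code) runs detection logic over router login records: it alerts on any successful administrative login from outside an approved management network, and on password guessing against the management interface. The log layout, the hostname vigor-edge and the management subnet 192.0.2.0/24 are constructed for the example; DrayTek’s real syslog format differs, so the regular expression would need adapting.

```python
"""Detect management-plane abuse on an edge router from its login log.

Added example, not vendor code. The log format below is a generic syslog
layout constructed for this example (not DrayTek's actual format), and the
management network 192.0.2.0/24 is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

MGMT_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed admin subnet
FAIL_THRESHOLD = 5                    # this many failures from one source ...
FAIL_WINDOW = timedelta(minutes=10)   # ... within this window is brute force

# Constructed sample: a legitimate admin session from the management subnet,
# a guessing burst from one internet address, then a successful login from
# that same address, and one stray failure from elsewhere.
SAMPLE_LOG = """\
Oct  4 09:10:02 vigor-edge web: login result=ok user=admin src=192.0.2.17
Oct  4 09:41:10 vigor-edge web: login result=fail user=admin src=198.51.100.23
Oct  4 09:41:12 vigor-edge web: login result=fail user=admin src=198.51.100.23
Oct  4 09:41:15 vigor-edge web: login result=fail user=root src=198.51.100.23
Oct  4 09:41:19 vigor-edge web: login result=fail user=admin src=198.51.100.23
Oct  4 09:41:22 vigor-edge web: login result=fail user=admin src=198.51.100.23
Oct  4 09:41:40 vigor-edge web: login result=ok user=admin src=198.51.100.23
Oct  4 11:02:55 vigor-edge web: login result=fail user=admin src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) web: login "
    r"result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text: str, year: int = 2024):
    """Yield (timestamp, host, result, user, source_ip) per matching line.

    Syslog lines carry no year, so one is supplied by the caller.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated message or unknown format: skip, do not crash
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["host"], m["result"], m["user"], ipaddress.ip_address(m["src"])


def is_management_source(ip) -> bool:
    """True if the address belongs to an approved management network."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in MGMT_NETS)


def detect(log_text: str) -> list[str]:
    """Return one alert string per finding, in log order."""
    alerts = []
    failures = defaultdict(list)   # source ip -> timestamps of recent failures
    flagged = set()                # sources already reported for brute force
    for ts, host, result, user, src in parse(log_text):
        if result == "ok" and not is_management_source(src):
            alerts.append(
                f"{host}: admin login as {user} from non-management address "
                f"{src} at {ts:%H:%M:%S}"
            )
        if result == "fail":
            # keep only failures inside the sliding window, then test the count
            recent = [t for t in failures[src] if ts - t <= FAIL_WINDOW]
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append(
                    f"{host}: {len(recent)} failed logins from {src} "
                    f"within {FAIL_WINDOW}"
                )
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

On the constructed sample this produces two alerts: the brute-force burst from 198.51.100.23 and the subsequent successful login from the same address. The single failure from 203.0.113.9 stays below the threshold and is not reported, which is the intended behaviour for a one-off typo.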

Conclusion
The DrayTek router vulnerabilities pose a serious threat to UK telcos and other organizations. By taking immediate action to patch these vulnerabilities and implement strong security measures, these organizations can reduce their risk and protect their networks and sensitive data.

NCSC celebrates eight years as Horne blows in

Read more

Published: Fri, 04 Oct 2024 11:52:00 GMT

NCSC celebrates eight years as Horne blows in

The National Cyber Security Centre (NCSC) is celebrating its eighth anniversary today, as it continues to play a vital role in protecting the UK from cyber attacks.

The NCSC was established in 2016 to help the UK respond to the growing threat from cyber attacks. Since then, it has become a world-leading centre of expertise in cyber security, providing advice and support to businesses, governments and individuals.

Over those eight years, the NCSC has played a key role in the UK’s response to high-profile incidents such as the SolarWinds and Microsoft Exchange Server compromises. It has also worked closely with the UK Government on the National Cyber Strategy, which sets out the UK’s vision for cyber security in the years to come.

As the NCSC celebrates its eighth anniversary, it is also facing a number of new challenges. The increasing use of artificial intelligence (AI) and machine learning (ML) is creating new opportunities for cyber criminals, and the NCSC is working to develop new ways to protect against these threats.

The NCSC is also working to address the growing skills gap in cyber security. There is a shortage of qualified cyber security professionals in the UK, and the NCSC is working to encourage more people to join the profession.

Despite these challenges, the NCSC is confident that it can continue to play a vital role in protecting the UK from cyber attacks. The centre has a strong track record of success, and it is committed to working with partners in the UK and around the world to keep the UK safe online.

In a statement to mark the NCSC’s eighth anniversary, its incoming chief executive, Richard Horne, said:

“The NCSC has played a vital role in protecting the UK from cyber attacks over the past eight years. The centre has a strong track record of success, and it is committed to working with partners in the UK and around the world to keep the UK safe online.”

“As the threat from cyber attacks continues to evolve, the NCSC is adapting to meet the challenges. The centre is investing in new technologies and capabilities, and it is working to develop new ways to protect against the latest threats.”

“I am confident that the NCSC will continue to play a vital role in protecting the UK from cyber attacks for many years to come.”

Cups Linux printing bugs open door to DDoS attacks, says Akamai

Read more

Published: Fri, 04 Oct 2024 09:26:00 GMT

Cups Linux Printing Bugs Open Door to DDoS Attacks, Warns Akamai

Akamai Technologies, a leading provider of cloud services, has warned that the recently disclosed vulnerabilities in CUPS, the printing system shipped by most Linux distributions, can be abused for more than remote code execution: exposed hosts can be made to participate in distributed denial-of-service (DDoS) attacks against third parties.

Vulnerability Details

The component at issue is cups-browsed, the daemon that discovers remote printers. Where it is running and reachable, it listens on UDP port 631 and accepts a single unauthenticated packet naming a printer URL; it then connects to that URL to fetch the printer’s attributes over IPP (tracked as CVE-2024-47176). Nothing in the packet is authenticated, so whoever can reach the port decides where the host sends its follow-up request.

DDoS Attack Potential

For DDoS, the attacker sends a small UDP packet to each exposed cups-browsed instance with the victim’s address as the printer URL. Each instance then opens a TCP connection to the victim and sends an IPP request that is many times larger than the packet that triggered it. Repeated across the tens of thousands of hosts that expose UDP 631 to the internet, this concentrates traffic on the target without compromising any of the CUPS hosts. It is a reflection and amplification attack against a third party, not an attack on the CUPS servers’ own availability.

Widespread Impact

CUPS is shipped by Ubuntu, Debian, Red Hat Enterprise Linux, and most other distributions, but only hosts on which cups-browsed is installed, running and reachable on UDP 631 can be used as reflectors. Desktop installs commonly run it; servers often do not, so whether the service is present at all is the first thing to check.

Mitigation Measures

Akamai strongly recommends that system administrators patch cups-browsed, or remove it where it is not needed. The following steps outline the mitigation process:

  1. Check whether cups-browsed is installed and running, for example with systemctl status cups-browsed.
  2. If the host does not need to discover network printers, stop and disable the service: systemctl disable --now cups-browsed.
  3. Where it is needed, install the patched cups-browsed and cups-filters packages from your Linux distribution and confirm that UDP 631 is not reachable from untrusted networks.

Additional Security Measures

In addition to patching, the following measures further reduce the risk of a host being used as a reflector:

  • Block inbound UDP 631 at the perimeter and host firewall; printer discovery has no reason to cross the internet edge.
  • If discovery is required, remove the legacy cups protocol from BrowseRemoteProtocols in cups-browsed.conf (leaving dnssd) and restrict browsing with BrowseAllow to the local printer subnet.
  • Monitor for outbound IPP connections (TCP 631) from servers that should never print; a burst of them towards a single external address is the attack in progress.
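The checks in steps 1 to 3 and the configuration advice above can be scripted for an inventory run. The following added example (not Akamai’s or the CUPS project’s code) inspects the two signals an administrator would look at on a host: the listening UDP sockets as printed by ss -lun, and the BrowseRemoteProtocols setting in /etc/cups/cups-browsed.conf. The snapshots below are constructed for the example; on a real host you would capture them with subprocess and open(). The assumption that the shipped default for BrowseRemoteProtocols is dnssd cups is noted in the code.

```python
"""Offline check for cups-browsed exposure on UDP 631.

Added example, not CUPS or Akamai code. Inputs are text so the logic can be
exercised on constructed snapshots; on a live host pass the output of
`ss -lun` and the contents of /etc/cups/cups-browsed.conf.
"""
import re

# Constructed `ss -lun` snapshot: cups-browsed bound to UDP 631 on the IPv4
# and IPv6 wildcard addresses, plus an unrelated local resolver socket.
SS_EXPOSED = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
UNCONN 0      0      0.0.0.0:631         0.0.0.0:*
UNCONN 0      0      [::]:631            [::]:*
"""

# Constructed snapshot of the same host after `systemctl disable --now cups-browsed`.
SS_CLEAN = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*
"""

# Constructed cups-browsed.conf excerpts. In the shipped file the directive is
# commented out, so the built-in default applies (assumed: "dnssd cups").
CONF_DEFAULT = """\
# BrowseRemoteProtocols dnssd cups
BrowseLocalProtocols dnssd
"""
CONF_HARDENED = """\
BrowseRemoteProtocols dnssd
BrowseAllow 10.20.0.0/16
"""

WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def udp631_wildcard_listeners(ss_output: str) -> list[str]:
    """Return local sockets bound to UDP 631 on a wildcard address.

    Rows of `ss -lun` are: state, recv-q, send-q, local, peer, [process].
    A socket bound to a specific LAN address still listens but is not
    reachable from the internet, so only wildcard binds are reported.
    """
    found = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "UNCONN":
            continue  # header or non-UDP row
        local = parts[3]
        addr, _, port = local.rpartition(":")
        if port == "631" and addr in WILDCARD_ADDRS:
            found.append(local)
    return found


def legacy_cups_browsing_enabled(conf_text: str) -> bool:
    """True if cups-browsed will accept legacy CUPS browse packets.

    Only the "cups" protocol uses UDP 631. If BrowseRemoteProtocols is
    absent or commented out, the default applies, which (assumption noted
    above) includes "cups".
    """
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"BrowseRemoteProtocols\s+(.*)$", line, re.IGNORECASE)
        if m:
            return "cups" in {p.lower() for p in m.group(1).split()}
    return True


def assess(ss_output: str, conf_text: str) -> str:
    """Combine both signals into a single verdict string."""
    listeners = udp631_wildcard_listeners(ss_output)
    if not listeners:
        return "ok: nothing bound to UDP 631 on a wildcard address"
    where = ", ".join(listeners)
    if legacy_cups_browsing_enabled(conf_text):
        return f"exposed: UDP 631 open on {where} with legacy browsing enabled"
    return f"review: UDP 631 open on {where} but legacy browsing disabled"


if __name__ == "__main__":
    print(assess(SS_EXPOSED, CONF_DEFAULT))
    print(assess(SS_CLEAN, CONF_HARDENED))
```

The verdict is deliberately three-valued: an open port with legacy browsing disabled is worth a look (something else may own the socket, or the configuration may not have been reloaded), but it is not the exposure the advisory describes.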

Conclusion

The CUPS vulnerabilities highlight the importance of keeping software up to date and of not exposing services that have no business facing the internet. By patching or removing cups-browsed and blocking UDP 631 at the edge, organizations can both protect their own hosts and avoid being used as reflectors in attacks on others.

Detective wrongly claimed journalist’s solicitor attempted to buy gun, surveillance tribunal hears

Read more

Published: Fri, 04 Oct 2024 05:00:00 GMT

Detective Falsely Accused Journalist’s Solicitor of Attempted Gun Purchase

A surveillance tribunal has heard that a detective falsely accused a journalist’s solicitor of attempting to buy a gun.

Background:

  • A journalist named Carole Cadwalladr was investigating corruption allegations related to Operation Midland, a discredited police inquiry.
  • Her solicitor, Patricia Gallan, was assisting her with the investigation.

Detective’s Accusation:

  • Detective Inspector Jane Moore, who was involved in Operation Midland, falsely claimed that Gallan had contacted an undercover officer posing as a gun dealer.
  • Moore alleged that Gallan had attempted to buy a gun to “take care of” police officers who were involved in the investigation.

Surveillance Tribunal Proceedings:

  • Gallan challenged the allegations before the Investigatory Powers Tribunal, an independent body that oversees surveillance activities.
  • The tribunal heard evidence from both sides, including transcripts of phone calls between Gallan and the undercover officer.

Tribunal Findings:

  • The tribunal found that Moore’s allegations were “without foundation.”
  • It concluded that Gallan had never expressed any intention to buy a gun and had been entrapped by the undercover officer.

Consequences:

  • The tribunal’s findings were highly critical of Moore’s conduct.
  • The Metropolitan Police Service apologized to Gallan for the false accusations.
  • Moore was later dismissed from the police force.

Significance:

This case highlights the importance of accurate and ethical conduct by law enforcement officers. It also demonstrates the value of independent oversight of surveillance activities to prevent abuse of power.

Microsoft files lawsuit to seize domains used by Russian spooks

Read more

Published: Thu, 03 Oct 2024 12:00:00 GMT

Microsoft Files Lawsuit to Seize Domains Used by Russian Spooks

October 3, 2024

Redmond, Washington: Microsoft has filed a lawsuit in U.S. District Court for the Western District of Washington to take control of domains allegedly used by Russian intelligence services to conduct cyber espionage and influence operations.

The complaint alleges that the domains were registered and controlled by actors affiliated with Russia’s Federal Security Service (FSB), tracked by Microsoft as Star Blizzard. The domains were used to host phishing websites, distribute malware, and spread disinformation.

Domains Targeted:

  • civilmilitaryengagenews.com
  • globalrapidresponse.online
  • defenddemocracy.press
  • team-geop.com
  • hackthefuture.online
  • gettheinfo.online
  • freeworldnews.us

Alleged Russian Intelligence Activities:

  • Phishing attacks targeting U.S. government officials and think tanks
  • Malware distribution to collect sensitive information from victims
  • Spread of disinformation to undermine public trust in democratic institutions

Legal Action:

Microsoft is seeking a court order to seize the domains and prevent their further use by Russian intelligence services. The lawsuit also asks for damages and other relief.

“We will not tolerate the use of our platforms to attack our customers or undermine democracy,” said Tom Burt, Microsoft’s Corporate Vice President for Customer Security & Trust. “We are taking action to disrupt these malicious activities and protect our users.”

Background:

This lawsuit is part of Microsoft’s ongoing efforts to combat cyber threats from Russia. In March 2022, the company publicly attributed a series of cyberattacks to the GRU and announced measures to strengthen its security posture.

Impact:

The seizure of the domains will disrupt Russian intelligence services’ ability to conduct cyber espionage and influence operations using those specific websites. It also sends a message that Microsoft is committed to protecting its users and disrupting malicious activity.