UK PSTI? You’ll need a Vulnerability Disclosure Program! 
Pen Test Partners | Penetration Testing & Cyber Security
by Ken Munro
2w ago
If you are distributing or selling smart devices into the UK market, your products will need to be compliant with the UK Product Security and Telecommunications Act. One of the three mandatory areas is that you have a vulnerability disclosure program (VDP). In the supporting materials for the Act, the description is as follows:
Information on how to report security issues
The manufacturer must provide information on how to report to them security issues about their product. The manufacturer must also provide information on the timescales within which an acknowledgment of the recei…
Impacts on ICS from the updated Cyber Assessment Framework (CAF)
by Martin Slack
1M ago
NCSC has released an update of the Cyber Assessment Framework (CAF). The CAF represents where the rubber hits the road for the UK’s NIS regulations.
TL;DR
The NCSC CAF has been updated to version 3.2. There has been a material change to three aspects of the CAF. The changes are broadly sensible and will improve the cyber security of companies covered by NIS. They may create challenges in some areas, such as with legacy technologies, and make it harder for some companies to achieve the required standard.
What is the CAF?
The CAF defines cyber security objectives and principles that companies …
Pipedream ICS malware toolkit is a nightmare
by Luke Davis
1M ago
TL;DR
Malware toolkit specifically designed for attacking ICS
Modular and framework based
Main features are enumeration, Modbus comms, and HTTP interactions
Operational Technology (OT) network breaches are often due to connected Windows devices
Off-network compromise assessments give a strategic view of OT and IT security postures
Pipedream, tooling created by the CHERNOVITE hacking group, has sparked serious concern in the cybersecurity world. It has the ability to target industrial control systems (ICS) without relying on conventional attack methods, such as …
Vulnerabilities that (mostly) aren’t: LUCKY13
by David Lodge
1M ago
TL;DR
LUCKY13 is more an attack than a vulnerability
LUCKY13 was patched over a decade ago … so it’s really unlikely that your server is vulnerable now
It’s an implementation issue
Disabling CBC ciphers is still a good idea … but not because of susceptibility to LUCKY13
There is no material risk in this issue
Accurate remote detection is rarely possible
Introduction
It’s been a while since I wrote a “Vulnerabilities that (mostly) aren’t” post, but a recent discussion in our pen testing teams brought about a change in how we’re reporting LUCKY13 (and potentially other TLS vulnerabilities), l…
Bypassing MFA on Microsoft Azure Entra ID
by Jack Barradell-Johns
1M ago
TL;DR
Even though MFA is effective, it is one security control amongst many
Even if MFA is in use, check its configuration
Consider unexpected patterns of use, such as people logging in from Linux or macOS
Make sure you log and can react to out-of-band behaviour
Introduction
On a recent Red Team engagement we got Domain Admin privileges on the on-premises Active Directory (AD) network. But we had not yet gained access to their cloud estate, which was hosted in Azure. Our level of access to on-prem AD gave us access to a large number of resources, many containing sensitive data. But it did no…
Navigating the perilous waters of conference invitations
by Jo Dalton
3M ago
TL;DR
Being asked to speak at events is great … except when it looks like a scam or a phishing attempt
This is a walkthrough of my experience
If you think it’s a scam, it probably is
It’s a typical Sunday evening, and as I’m gearing up for the week ahead an interesting email lands in my inbox. The message? An invitation to speak at a prestigious event in Spain on a subject I hold dear, with the added bonus of covered expenses. Colour me thrilled. Spain, here I come! “Your insights and experiences would greatly enrich our conference agenda and contribute to the learning and engagement of ou…
Living off the land with native SSH and split tunnelling
by Joe Blogs
3M ago
TL;DR
Attackers can use the Microsoft native SSH client to forward out internal network traffic
Windows native SSH is common
The attack only needs minimal set-up and commands
Quicker and more cost effective for an attacker than using C2 infrastructure
Reduces likelihood of Blue team detection
Introduction
Lately I was involved in an assumed compromise project where stealth and simplicity were required, reducing the opportunity to use a sophisticated C2 infrastructure. We did note that the built-in Windows SSH client could make this simpler for us. A simple SSH split tunnelling attack is not a ne…
Advice for manufacturers on the coming PSTI regulation
by Jo Dalton
4M ago
TL;DR
PSTI: The UK Product Security and Telecommunications Infrastructure (Product Security) Act Regulations effective from 29 April 2024
Assess how, where, why, and when you may be affected
Review supply chain and in-house teams for compliance readiness
Specific obligations for manufacturers, importers, and distributors
Use the PSTI Act and its regulations as your compliance blueprint
Implement robust due diligence in system acquisitions
Prepare for potential cybersecurity incidents with rigorous testing and validation
Don’t overlook the importance of comprehensive training
Regulatory evol…
Cyber security for Credit Unions 101
by Mike Leonard
4M ago
American consumers have two clear yet vastly differing choices when it comes to banking. Many opt for a large-sized national or regional bank. Folks select this option for a variety of reasons, typically due to the vast services and ease of use these powerhouses provide. Roughly 60% of Americans count themselves as customers of these large-scale institutions. Others choose to conduct their banking business differently – and more locally – via credit unions. According to the NCUA (National Credit Union Administration), there are over 4,500 credit unions with over 136 million members nationally…
QR Phishing. Fact or Fiction?
by Tony Gee
4M ago
October 2023’s Cyber Security Awareness Month led to a flurry of blog posts about a new attack called Quishing (QR Code phishing) and how new AI powered email gateways can potentially block these attacks.
What’s the attack?
To understand the attack you need to understand the challenge that the attacker faces. Currently, most initial access attempts are carried out with social engineering, commonly phishing. Why is that? Well, it looks like people have finally got good at patching. According to the 2022 Verizon data breach incident report, only 5% of data breaches investigated by them…