Some UK hospitals appear to be publicly documenting their own Cybersecurity weaknesses. The Guy's and St Thomas' NHS Foundation Trust meeting notes from 20th December 2023 state: "There was discussion about how the Trust routinely monitors and manages cyber security arrangements where the Trust had interfaces with third parties, for example the Pathology Business Unit (PBU)". https://www.guysandstthomas.nhs.uk/media/13533/Board%2Bof%2BDirectors%2Bmeeting%2Bpapers%2B-%2BWednesday%2B31%2BJanuary%2B2024

Meeting notes from 28th February 2024 also note that "Cyber security remained a high risk, and the Trust had not met the standards for the NHS data security protection toolkit self-assessment in recent years." https://www.guysandstthomas.nhs.uk/media/13680/Board%2Bof%2BDirectors%2Bmeeting%2Bpapers%2B-%2BWednesday%2B24%2BApril%2B2024

On 3rd June the hospital declared a critical incident when Synnovis (their pathology services provider) was the victim of a ransomware attack. I can't help but wonder if they essentially painted a big target on themselves here.

These meeting notes also refer to other ongoing cybersecurity activities and known areas of risk. It would be trivial to automatically scrape and analyse all of these meeting notes and then use that data to focus future attacks on other NHS trusts. Accountability and transparency are good things, but publicly documenting security risks before they have been addressed is never a good idea. #ransomware #nhs

Apple integrate an LLM into everything and the response is "that looks cool" but when Microsoft announced Recall the world went into meltdown. This isn't entirely surprising, Apple genuinely seem to be trying to address the privacy aspects of LLMs while Microsoft's recent security and privacy track record is... shall we just say... less than perfect.

Perception does matter. If Microsoft's past mistakes mean it is now harder for them to roll out innovative new features then they could be in real trouble.

The latest Zyxel NAS vulnerabilities paint a clear picture of a complete product security failure. Zyxel advise installing the patches for "optimal protection". I disagree, applying these patches is a waste of time.

The only way to achieve "optimal protection" is by disconnecting these devices from the network, I think it is highly disingenuous of Zyxel to suggest any other course of action. https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-nas-products-06-04-2024

another week, another critical ivanfortitrix vuln. I realize ripping out appliances and software is no small task, but at what point does the cost of total time spent patching and maintaining these surpass any value they add?

Cyber Safety Review Board (March 2024): "Microsoft leadership should consider directing internal Microsoft teams to deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made"

Microsoft (May 2024): "We have completely reimagined the entirety of the PC – from silicon to the operating system, the application layer to the cloud – with AI at the center, marking the most significant change to the Windows platform in decades."

That seems to be going about as well as expected.

A brief look at the risk of exposing Microsoft’s Remote Desktop (RDP) directly to the Internet. TL;DR: Don't do it. https://www.secmatics.com/blog/peering-down-the-rdp-rabbit-hole #rdp #remotedesktop #cybersecurity

Some thoughts on the MITRE breach: https://www.secmatics.com/news/vpns-considered-dangerous #cybersecurity #infosec #incident #databreach

Oooo, a webinar invite: "Automate financial reporting with generative AI". Why yes, that sounds like a perfectly sensible thing to do. I mean, what could possibly go wrong? 😱

A look at the real implications of the XZ backdoor. https://www.secmatics.com/blog/dear-open-source-can-we-ever-trust-you-again

#xzbackdoor #cybersecurity #opensource

The Cyber Safety Review Board's report on the Summer 2023 Microsoft Exchange Online intrusion:

"However, by the conclusion of this review, Microsoft was still unable to demonstrate to the Board that it knew how Storm-0558 had obtained the 2016 MSA key." https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf

This not surprising. As I noted last year:

"One of the main design goals of a secure key management system is to ensure that you have full traceability of the keys and know exactly what hardware and software components could have accessed them. Without such a system it is next to impossible to retrace all of the direct and indirect touch points at which a key could potentially have been compromised" https://www.secmatics.com/blog/losing-the-keys-to-the-kingdom

#microsoft #cybersecurity

A lot of people seem to be worried about the use of AI in cyberattacks.

Meanwhile, state-sponsored cyber groups are busy attacking critical US infrastructure by connecting to Internet-visible PLCs with password of "1111".

Don't worry about AI. Worry about this instead. https://www.epa.gov/system/files/documents/2024-03/epa-apnsa-letter-to-governors_03182024.pdf

Want to know what your organisation is exposing to the Internet? https://www.secmatics.com/services/surface-scan

The France Travail breach impacted 0.5% of the world's population.

Is it time to put more focus on designing secure multilayered systems?

Or is that still too expensive?

Security gets exponentially harder as complexity increases. Security also gets exponentially harder as attacker sophistication increases.

With a sufficiently complex system and a sufficiently sophisticated attacker, there is a point at which it becomes impossible to mount an effective defense.

I suspect that point is exactly where Microsoft are right now.

https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/

#cybersecurity #microsoft

This was true 50 years ago, and it is still true today:

"The panel cannot overemphasize its belief that 'patching' of known faults in the design or implementation of existing systems without any better technical foundation than is presently available, is futile for achieving multilevel security."

COMPUTER SECURITY TECHNOLOGY PLANNING STUDY.
James P. Anderson, October 1972.
https://seclab.cs.ucdavis.edu/projects/history/papers/ande72.pdf

"By cross referencing the indicators of compromise against the exploit timestamp and the NetScaler version being used, we were able to recreate a precise granular timeline of the global attack, here is how it unfolded..."

https://www.secmatics.com/blog/netscaler-cve-2023-3519-exploit-campaign-analysis

#ransomware #netscaler #breach #infosec

My coworker this morning "I'm going to start calling them (redacted 3rd party company) scan testers, because all they do is run burp scans and call it a pentest."

scantester is now in my mind as the corporate version of a script kiddie.

Today's Security Offender: Nachonacho.com

I don't think this requires any additional words.

Is our framework centric approach to security making life easy for the attackers?

Putting the focus back on threat driven security might be the only way to stop the ransomware epidemic.

https://www.secmatics.com/blog/threat-driven-security

#infosec #cybersecurity

I had a look at how #FIDO and #WebAuthn mitigate #phishing attacks.

Link to the blog is below. Yep, that's right, click on the link to learn about phishing.​ 🤔​

https://www.secmatics.com/blog/phishing-with-fido

I have two important pieces of advice for anybody using Micro Focus Visual COBOL:

1. Apply patches for CVE-2023-4501
2. STOP USING COBOL. It's time to move on.

https://nvd.nist.gov/vuln/detail/CVE-2023-4501