Tag Archive for: plug

Using real-time data platforms to plug cybersecurity skills gap


How can we use real-time data platforms to improve the cybersecurity skills gap crisis in government and the public sector?

There is a crisis in cybersecurity skills, and the public sector, including government agencies, will be feeling the cumulative impact this year.

A report by Ipsos for the Department for Digital, Culture, Media and Sport last May found that many UK businesses needed more staff with the technical, incident response, and governance skills needed to manage their cyber security. Given that the government has responsibility for securing all our critical national infrastructure and attempts to attract quality cybersecurity talent into the public sector in recent years have not reduced the skills gap, action needs to be taken now to withstand the growing threat landscape.

How common are security breaches in government?

Headlines relating to government security breaches seem to litter the media frequently. In November 2022, the FT reported that the data protection regulator reprimanded the Department for Education for giving improper access to identifying information on up to 28 million children; April 2022 saw 170 email addresses of customers inadvertently copied into an email by the UK Home Office’s visa service and the previous December the Cabinet Office was fined £500,000 by the Information Commissioners Office after the postal addresses of the 2020 New Year honours recipients leaked online.

The hand of malicious insiders seems to have been at work in at least two of these incidents, which reflects the dangers that lurk internally for many government departments. It’s why having strong internal security measures in place is so important and why the visibility of suspicious activity in real-time, or as it is occurring, is essential. If government security teams can create intelligent cyber threat metrics, capture and identify active cyber threats, and minimise false positives, they are better positioned to thwart attacks.

More data can translate into more threat insights

The proliferation of data is at the heart of both the problem and the solution when it comes to cybersecurity. With more real-time data at their disposal, the better-informed…

Source…

UIDAI Seeking 20 Ethical Hackers to Protect Its Data, Plug Security Bugs. Read Details


New Delhi: Amid increasing cyber attacks against key infrastructure and government websites in India, the Unique Identification Authority of India (UIDAI) has quietly announced a “bug bounty programme” to hire 20 ethical hackers to protect its website and resources from nation-state bad actors. The recently-issued circular said that the programme will be limited to 20 registered candidates. “The UIDAI reserves the right to evaluate and select top 20 suitable candidates for participation in the programme,” the authority said in its circular.Also Read – Meta Likely to Invest $3 Million in Indian Startup ‘Better Opinions’: Report

It added that the candidate should be listed in the top 100 of the bug bounty leaders board such as HackerOne, or Bugcrowd. The candidate may also be listed in the bounty programmes “conducted by reputable companies such as Microsoft, Google, Facebook, Apple etc. or the candidate should be active in the bug bounty community/programmes and should have submitted valid bugs or received bounty in the last one year”. Also Read – What Are The Top Brands For Hackers to Steal People’s Data Via Phishing?

The bug bounty programme of the UIDAI comes at a time when earlier reports claimed that Chinese state-sponsored hackers allegedly infiltrated and stole data from it. The authority allayed the fears, saying, the leaking of Aadhaar numbers will not pose any hacking threat to bank accounts. Also Read – Aadhaar FaceRD App Launched By UIDAI | Here’s How You Can Confirm Your Identity With Face Authentication

‘Like just by knowing your ATM card number….’

“Just as by merely knowing your ATM card number, no one can withdraw money from the ATM machine; by knowing your Aadhaar number alone, no one can hack into your bank account and withdraw money,” the UIDAI said while posting some myth busters related to Aadhaar on its website. “Rest assured, there has not been a single case of financial loss due to Aadhaar. Aadhaar number alone cannot be used for banking or any other service,” it added.

Independent committee to assess candidates

The UIDAI said an independent committee will be formulated to assess and verify the candidates’…

Source…

Google Chrome Browser Needs A Second Update In As Many Weeks To Plug Nine Security Exploits


The Indian Computer Emergency Response Team (CERT-In) has issued a fresh advisory urging users of Google Chrome to update the web browser on their laptops or desktops immediately. This is the second update in as many weeks to plug nine security exploits.

CERT-In — the cybersecurity watchdog under the information technology ministry — warned that those using Google Chrome versions older than 103.0.5060.53 stand the risk of having their systems targeted by a remote attacker, who could “execute arbitrary code, disclose sensitive information and bypass security restriction on the targeted system”.

In other words, hackers can make use of any of the nine vulnerabilities, which CERT-IN rated “high” on the severity scale, to run programs without the user’s knowledge, gain access to and leak security information, and potentially even take over the device by bypassing the security authentication system.

These vulnerabilities were caused by improper execution of codes on the system level, CERT-In said. CERT-In has asked users to immediately update to version 103.0.5060.53, which Google rolled out two days ago.

Also Read:

How to update Google Chrome

1. Open Google Chrome on your computer

2. At the top right, click the “More” menu, represented as three vertical dots.

3. Next, click on “Settings”, then select “About Chrome”

4. This will show your browser’s current version and automatically install the latest version.

5. Once the update is installed, a button named “Relaunch” will appear in the menu. Click on it.

6. Chrome will shut down and relaunch, completing the update process.

Not just security, there are new features, too

Google rolled out the latest update two days ago to the Windows, macOS, and Linux platforms. In the official release notes, Google said the latest version has several bug fixes and improvements.

The update also has features like faster page load times, local font support for web applications, and using Machine Learning to block unwanted notification prompts and detect malicious websites, among others.

Google has also rolled out the beta of the next version of Google Chrome, which brings in a privacy sandbox that replaces third-party web cookies, and full-screen multi-window…

Source…

Razer to fix Windows installer that grants admin powers if you plug in a mouse • The Register


In brief Razer is working on an updated installer after it was discovered you can gain admin privileges on Windows by plugging in one of the gaming gear maker’s mice or keyboards.

In fact, inserting any USB device that declares itself a Razer mouse or keyboard will lead to an exploitable situation.

As documented late last week by a Twitter user called j0nh4t, if you plug into a Windows 10 or 11 machine a device identified as a Razer mouse or keyboard, Microsoft’s OS will automatically download and run Razer’s installer for the manufacturer’s Synapse software, which can be used to configure the peripheral.

During the installation process, which runs at the System level, you can spawn a Powershell terminal from an Explorer window that runs with these high-level privileges. Thus, you can gain local admin access on a machine, if you can login in somehow and plug in a gadget – useful for penetration testing, at least. It is also possible to tell the installer to use a user-controlled folder to store an executable that is run on every boot, which can be hijacked by a rogue user.

The bug finder said they had no luck in getting Razer’s attention when trying to report these flaws, and after they put a zero-day exploit for the Powershell hole on Twitter, the manufacturer got in touch and offered a vulnerability bounty. A new version of the installer to address these problems is being prepared for release, we’re told. We wonder how many Windows installers have these same weaknesses.

A spokesperson for Razer told us today: “We were made aware of a situation in which our software, in a very specific use case, provides a user with broader access to their machine during the installation process.

“We have investigated the issue, are currently making changes to the installation application to limit this use case, and will release an updated…

Source…