Cyber Lessons from the British Library

The British Library has published its lessons learned from the devastating cyber attack that struck in October 2023.

In an eighteen-page report which shows an impressive commitment to transparency, but makes for painful reading, the organisation details how it was compromised by the Rhysida ransomware group during a traumatic timeline of events. In a subsequent press release, the Library also states it hopes other institutions will learn from its findings in the wake of a ‘deeply damaging criminal attack.’

Unfortunately, the report makes clear that in response to tighter security standards, the organisation ceased to be Cyber Essentials Plus certified in 2022, pending replacement of some older systems. In section six, sixteen ‘lessons learned’ form the basis of its future plans and guidance to other organisations:

  • Enhance network monitoring capabilities
  • Retain on-call external security expertise
  • Fully implement multi-factor authentication: Multi-factor authentication needs to be in place on all internet-facing endpoints, regardless of any technical difficulties in doing so.
  • Enhance intrusion response processes
  • Implement network segmentation
  • Practice comprehensive business continuity plans
  • Maintain a holistic overview of cyber-risk
  • Manage systems lifecycles to eliminate legacy technology
  • Prioritise remediation of issues arising from legacy technology
  • Prioritise recovery alongside security
  • Cyber-risk awareness and expertise at senior level
  • Regularly train all staff in evolving risks
  • Proactively manage staff and user wellbeing
  • Review acceptable personal use of IT
  • Collaborate with sector peers
  • Implement Government standards, review and audit policies and processes regularly

The exact origin of the hack – which took Library systems offline for months – is unconfirmed, in part because of the scale of the destruction. However, the Library’s independent security investigators believe the initial breach was a spear-phishing, brute-force or other credential compromise, which gave the attackers a remote session on a terminal server that had not yet been brought under Multi-Factor Authentication.

From there, around 600GB of data (roughly half a million documents) was exfiltrated, with the attackers searching for files whose names suggested sensitive content, such as ‘passport’ and ‘confidential’. Backup copies of twenty-two databases were also taken and removed from the network. Ransomware was then deployed, and the encrypted data used for attempted extortion.

At several points Rhysida are believed to have covered their tracks – deleting log files and destroying servers to hinder a swift recovery. In a classic ‘double extortion’, the group also put employee and customer data up for auction on the dark web in November, with a starting price of 20 BTC (then approximately £600,000). The British Library insists that, in line with National Cyber Security Centre guidance, no attempt was made to communicate with the attackers and no ransom was paid.

The Rhysida ransomware group is also reported to have carried out, or has claimed responsibility for, attacks in Chile, Portugal, Kuwait and the United States in the latter half of 2023. Cyber security professionals believe the attackers are Russian-speaking, although evidence is limited.

Lengthy and costly, the cleanup effort has clearly been difficult. The report details that the Library convened Gold and Silver level crisis-management committees, with both private sector and UK state cyber security assistance – although senior staff at the BL were at one point forced to communicate via an emergency WhatsApp call in the absence of official systems. The Library’s main catalogue, containing more than 36 million records, only returned online in ‘read-only’ form in January, and the report states ‘Many staff have been unable to perform significant parts of their roles’ for more than three months.

The Financial Times have speculated that the recovery costs may eventually total over £7m, which would represent around 40% of the institution’s known financial reserves, although the Library’s Chief Executive, Sir Roly Keating, told the BBC it was too early to calculate the true value.


For cyber security expertise and assistance, please contact our team today.


2023 Cyber Breaches Survey

The 2023 Cyber Breaches Survey has been released, highlighting key findings about the state of the UK’s cyber health.

This year’s study found that cyber security breaches and attacks remain a common threat, with 32% of businesses and 24% of charities recalling any breaches or attacks within the last 12 months – but with cyber security taking a back seat in the minds of many, falling behind economic issues like inflation.

In more positive news, a majority of businesses and charities have a broad range of measures in place, with the most common being endpoint security software (75%), cloud backups (70%), restricted admin rights (67%) and network firewalls (66%).

However, general cyber hygiene may actually be getting worse. The report also highlights that routine defences against relatively unsophisticated threats need more attention than advanced hacking, with smaller businesses in particular losing ground in some very fundamental areas, including:

  • Use of password policies (79% in 2021 vs. 70% in 2023)
  • Use of network firewalls (78% in 2021 vs. 66% in 2023)
  • Restricting admin rights (75% in 2021 vs. 67% in 2023)
  • Security updates within 14 days (43% in 2021 vs. 31% in 2023)

Only three-in-ten businesses have undertaken any kind of cyber security risk assessment – again with low scores among smaller firms, and driven in most cases by either changes at board level or the demands of customers – which corresponds to an increase in businesses reporting that they check their own suppliers.

“Taken together, these findings highlight an increasing cyber hygiene challenge among small to medium enterprises (SMEs) in the post-pandemic era.”

Fewer than four-in-ten businesses have cyber security insurance, just 21% have an incident response plan, and only 14% of businesses are even aware of the NCSC’s important Cyber Essentials Scheme. A mere 9% successfully adhere to ISO 27001 standards.

In particular, the survey highlighted the food and hospitality sectors, entertainment and the construction sectors for reporting low take-up of cyber security measures. The UK’s largest businesses generally report higher scores across all areas, with the exception of patch management (44%) and restricting access to organisation-owned devices (31%).

Among the 11% of businesses that have suffered cyber crime in the last 12 months, the annual (mean) cost of an incident is now estimated to be approximately £15,300 per victim.



End of an Era for Windows Server 2012

Windows Server 2012 and Server 2012 R2 reach end of life (EOL) on 10th October 2023, after which the operating system receives no further security updates.

This leaves organisations using Server 2012 with several options:

– Re-license and migrate to a newer operating system if hardware supports it.
– Migrate those server workloads into a cloud platform like Microsoft Azure.
– Replace those server workloads with web-based applications.
– Purchase new server hardware with a supported operating system.
– Purchase specialist Extended Security Updates (ESUs) until 2026.

Which option to choose depends on where a business is in its hardware replacement lifecycle, its budget and its changing workplace requirements. For some, a move to a newer version of Windows Server (2016, 2019 or 2022) is still possible, but this isn’t the only option. Don’t forget to check out Lineal’s handy flow chart on what to do when faced with the choice of replacing a server.

How and when to replace servers is a complex question, and businesses increasingly have far more cloud-based and software-as-a-service (SaaS) choices available than a decade ago. Bundled services like Microsoft 365 have increasingly replaced the on-premises Exchange server, the file server and more for many small organisations – making the heavy capital investment in a server impractical. In the face of rising hardware and energy costs, running an onsite server also looks increasingly expensive.

In some ways the end of Server 2012 represents the end of an era – in 2012, server sales were just beginning to recover from the financial crash. A decade on, both PC and small volume server sales look bumpy, while the largest server manufacturers appear to be focusing ever more sales attention on the data centre market – where there is growing appetite for enterprise hardware driven partly by the hosting and increasing consumption of those same cloud services.

For many small businesses in particular, a Server 2012 box may have turned out to be the last on-premises server they would ever purchase.



FBI Warn Against Public Charging

The FBI has cautioned smartphone users to avoid public USB ports because of the risk of malware delivered through public charging stations. The FBI’s Denver field office, in a Twitter post reported by CNBC, stated that public charging stations in hotels, airports and shopping centres are all susceptible to opportunistic malware attacks.

According to the FBI, malicious individuals have discovered that public USB ports can be adapted to “inject malware and monitoring software onto devices.” As a result, users should bring their own charger and USB cord while in public and use an electrical outlet for charging instead of a public USB port if possible.

Using a public USB port to transfer malware to a device such as a computer, tablet or smartphone can allow attackers to obtain sensitive data on the device, such as usernames and passwords, hijack email accounts, steal funds from online accounts, and more.

While iPhones and iPads have a USB security feature that disables data transfer over the Lightning port once the device has been locked for more than an hour, this feature does not prevent malware installation while the device is unlocked and in use on a public port.

To safeguard against this method of attack, the recommended solution is to bring your own USB cable and charger when charging in public spaces. The FBI has issued a comparable warning on its website, cautioning individuals against using free charging stations, using public Wi-Fi for sensitive transactions, opening suspicious documents, using the same password for all accounts, and clicking unsolicited links in text messages and emails.



Dangerous New Outlook Exploit Triggers Automatically

Microsoft have acknowledged a critical new zero-day vulnerability in Outlook that does not require the user to interact with an email at all in order to be triggered.

Reported to Microsoft by the Ukrainian Computer Emergency Response Team (CERT-UA) and scored 9.8/10 for severity in NIST’s National Vulnerability Database, the vulnerability is believed to have already been used by a “Russia-based threat actor” in attacks against European targets across the government, transport, energy and military sectors.

The vulnerability (CVE-2023-23397) abuses the way Outlook follows a path embedded in an email to retrieve a remote file, even before the message is opened or shown in the preview pane. A remote attacker’s server can demand authentication via the legacy NTLM protocol, and Outlook automatically answers with the user’s NTLM credential hash. NTLM has been superseded by Kerberos since Windows 2000, but remains supported in current versions of Windows.

This is dangerous because, with the hash and the corresponding email address, an attacker can relay it to another service or attempt to crack it offline – effectively completing a credential theft without any action by the end user. Many users also use their email account as a single sign-on for other applications, putting numerous other services at risk.

CVE-2023-23397 is not yet fully documented, but Microsoft describe the trigger as follows: the vulnerability occurs “when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat-actor controlled server. No interaction is required.” Once the connection is made, the attacker’s server sends an NTLM (New Technology LAN Manager) negotiation message and Outlook responds with the user’s authentication, which the attacker can relay – none of which requires the user to even view the email itself.

The exploit affects only the Microsoft Windows version of the Outlook Desktop client. Outlook for Mac, the Outlook Web & Mobile Apps (as well as Outlook.com) are not affected – since these do not support NTLM authentication. Estimates vary but Outlook is said to be used by over 400 million users worldwide, in its various forms.

System administrators are advised to urgently patch with the latest Outlook updates from Microsoft within 24 hours.

Where this is not possible, Microsoft advise adding users to the Protected Users security group (which blocks NTLM authentication for them), or blocking outbound TCP 445/SMB at the network firewall and in VPN settings, cutting off NTLM authentication traffic at the perimeter of your network. In both cases, Microsoft warn this may stop other services working correctly.



Home PC Hack Topples LastPass

LastPass have confirmed that a hack on a staff member’s home PC led to a massive cyber security breach at the company.

The second stage of the attack used data stolen in LastPass’s August breach, cross-referenced with other stolen information, to target one of the company’s DevOps engineers – installing a keylogger on the engineer’s home PC, which resulted in the loss of yet more data.

LastPass confirmed the attacker was able to capture the engineer’s master password, gaining access to corporate vault resources and shared folders. These contained encrypted notes and the decryption keys needed to access LastPass production backups held in Amazon Web Services (AWS), so cloud-based storage and critical database backups were also compromised.

Since the August 2022 breach, in which LastPass source code was stolen, the company has admitted the breach also saw the theft of account usernames, hashed passwords and some Multi-Factor Authentication (MFA) settings belonging to end users.

Unfortunately LastPass also acknowledged that the saved URL for each vault entry was stored unencrypted, giving an attacker an obvious clue to the purpose of each set of credentials.

The breach highlights the way remote working culture has introduced significant new digital risks – such as the danger of home users accessing work data, resources and applications on devices that sit ‘outside’ of company cyber security protections.

LastPass is believed to be used by over 85,000 businesses and 30 million end users.



Your Official Briefing

We recently attended a special event about the danger of Russian cyber aggression against the UK: here’s the latest guidance from the UK National Cyber Security Centre.


Be prepared for changes to Russian strategy

A feared ‘firestorm’ of wholesale attacks on the digital infrastructure of the UK and Ukraine’s other Western allies hasn’t arrived, but the NCSC warns that Russia remains extremely unpredictable.

Intelligence agencies are now concerned Russia may launch new cyber attacks on the West this year, partly to compensate for Russian failures in the ground war.

Rates of cyber attacks on UK organisations remain ‘steady’, with some very serious incidents reported – and the NCSC has emphasised before how Russian cyber attacks on satellite networks and banking systems in Ukraine have spilled over into multiple countries.

We do know that behind the scenes a number of UK organisations have been carefully briefed to prepare for Russian cyber attacks over the past year – and a ‘handful’ of cyber incidents each year are serious enough to require COBRA meetings.


Yes, REALLY unpredictable

Russian strategic aims are often inconsistent. Boldness and risk-taking are known to be favoured in Russian high command – which itself encourages reckless cyber operations, experimental techniques and surprise attacks – but also cut corners and operational errors.

Much like the Russian ground offensive, many of the most aggressive Russian cyber attacks – such as the widespread use of destructive Wiper malware – appear to have been ‘front-loaded’ during March/April, preparing for a quick victory which did not materialise even as Ukrainian systems have been hardened.

Far less technical attacks also appear to have crept into the mix – alongside a curious quality gap in the actual work of Russian operatives, as if threat actors are being supplemented by other personnel. Recent incidents have highlighted the names of known Russian intelligence officers visible within the code of malware, and fascinating research by Mandiant even suggests attempts by the GRU to recruit assistance from amateur hacktivist volunteers via covert pro-Russian Telegram channels.

However, the NCSC emphasises that ineptitude or failure is no barrier to further attacks by Russia – the individuals behind the attacks are shameless, and cyber attacks remain a convenient way to highlight weaknesses in other countries’ policy makers.

Essentially ‘nothing is off-limits’ – an approach exacerbated by internal competition between Russian service branches, with the FSB, SVR, GRU and others often seeking to outdo each other.


Who is a target in the UK?

Past experience suggests Russian cyber operations often include a key psychological element – following infamous KGB tradition.

As a result, the Russian military likes to target ‘pressure points’ in particular: critical infrastructure, the energy sector, transport, media organisations, senior politicians and especially companies with visible public-facing operations – anything that might generate panic among the public, suggest democratic policy makers are weak, undermine the West’s resolve to support Ukraine, or provoke a widespread feeling of vulnerability.

Ukraine provides some clues as to Russian strategy, but the NCSC emphasises that espionage operations often involve gaining access for no immediate purpose – obtaining privileged administrator access to systems, for example, simply as a contingency for the future.


Organisations that plan ahead suffer less pain

Official advice is clear: organisations that prepare even the most basic disaster-contingency plans recover more quickly and suffer much less financial pain in the event of a cyber attack.

Even very simple crisis management steps like agreeing ‘who is in charge’ in advance, confirming ‘where are the backups’, and keeping printed copies of essential preparations for an emergency, all help radically minimise the damage, disruption and time to recovery.

However, this too comes with an NCSC warning: five years of IT improvement won’t be squeezed into your crisis remediation – better to have a roadmap for improving your cybersecurity as part of your existing business plans.


EDR is a Must

Forensic engines included in modern Endpoint Detection & Response (EDR) software help provide rapid information about the scale of hacks during incident response – this provides essential time for first responders to mitigate further threats, limit damage, and give the NCSC information about the threat to others.

The NCSC argues that British resilience will rely not just on small organisations across the country remaining vigilant, but gathering a wider pool of information on the centre’s behalf – the grassroots feeds into the ‘bigger picture’ of national security, and defending the UK is a team effort.

Services like the Signpost Cyber Incident Service now allow smaller organisations to report cyber attacks centrally.


Ransomware is THE threat.

NCSC guidance, from the organisation’s CEO down, remains the same:

“Even with a war raging in Ukraine, the biggest global cyber threat we still face is ransomware” – Lindy Cameron, NCSC CEO, June 2022.


Useful Links:

  • NCSC Early Warning System – Early Warning helps organisations investigate cyber attacks on their network by notifying them of malicious activity detected in information feeds
  • NCSC Exercise in a Box – A free online tool which helps organisations find out how resilient they are to cyber attacks and practise their response in a safe environment.
  • Incident Management – NCSC guidance on creating your own cyber incident response plan
  • The UK National Cyber Strategy – setting out the five key pillars of the UK’s cyber planning.



2023: New Rules for Cyber Essentials

Each year GCHQ’s National Cyber Security Centre issues stricter rules for businesses and organisations looking to secure UK Cyber Essentials (CE) and Cyber Essentials Plus (CE+) certification.

Continuing themes from last year, there are now tighter rules on account access, thin clients, device firmware, remote desktops, antivirus/EDR solutions and more. Despite the success of the Cyber Essentials scheme, the past year has seen some notable cyber attacks on British organisations, and renewed calls for cyber security vigilance.

We’ve compiled a summary to help organisations prepare for what revisions are coming down the line in April.


Multi-Factor or Else.

Even sooner than many expected, Cyber Essentials will now require not only administrators but all end-user accounts to have Multi-Factor Authentication enabled, across all platforms. Previously exemptions were granted for services without this option; now that gap closes.

Instead, where a service doesn’t support MFA, this will now be declared a non-conformity, bringing digital services fully into line with the rules enforced on UK online banking, and even applying to school children – right down to reception age.

That’s likely to pose a challenge for companies (and particularly schools) using any software or web services which don’t yet offer MFA – so many organisations may need to look at augmenting their IT setups with 3rd-party MFA solutions like Cisco Duo.


Don’t forget the Firmware!

Software version controls now extend to hardware device firmware – with the definition clarified to specify “firewall and router firmware” in particular, which was always essential given the perimeter role of these devices. In a rare step back, firmware on servers, PCs and other devices has been removed from scope.


Device Clarifications

The NCSC has admitted third-party devices have been a point of confusion, and has published a revised table clarifying which devices are within the scope of Cyber Essentials. The changes apply only to devices which are not domain-joined, or which, when unlocked, have limited access to data (smartphones, handheld scanners etc.). If a vendor does not allow configuration to meet CE standards, the applicant may use the vendor defaults without incurring a non-conformity.

Given that the definition partly rests on who owns the device in question, we predict more changes in future years.

CE device rules for 2023


Not Just Any Anti-Malware

Antivirus solutions no longer need to be ‘signature-based’ – since the best EDR solutions don’t rely on signature-based detection anyway. CE+ audits will include extra tests to verify that anti-malware software is effective (beyond simple EICAR tests), and application allow-listing is being encouraged.


Scoring Changes

Minor and major non-conformities have been merged into a single Non-Conformity mark. Any applicant receiving three non-conformities will fail outright. Corrective actions must now be completed within two days, although some exceptions are available for larger organisations.

However, unsupported operating systems attract an unfortunate immediate triple-word score: the presence of any unsupported operating system within scope is an automatic fail.
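The check below is an added example, not part of the NCSC scheme, this page or any vendor tooling; it serves both the Windows Server 2012 end-of-life section above and this automatic-fail rule. It applies the rule to an inventory of in-scope machines. The 10 October 2023 date for Server 2012/2012 R2 and the availability of paid Extended Security Updates until 2026 come from this page; the other end-of-support dates, the ESU end date and the inventory rows are assumptions to be checked against the vendor’s lifecycle pages. Treating an ESU-covered machine as acceptable is also an assumption about how an assessor would view it.

```python
"""Flag in-scope machines whose operating system is out of support.

Added example (not the NCSC's scheme tooling or this page's own): under the
2023 rules any unsupported OS in scope is an automatic Cyber Essentials fail,
and Windows Server 2012 and 2012 R2 left support on 10 October 2023, with
paid Extended Security Updates available until 2026 (both per this page).
The other end-of-support dates, the ESU end date and the inventory rows are
assumptions to be checked against the vendor's lifecycle pages.
"""
from datetime import date

END_OF_SUPPORT = {
    "Windows Server 2012": date(2023, 10, 10),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2016": date(2027, 1, 12),   # assumed
    "Windows Server 2019": date(2029, 1, 9),    # assumed
    "Windows Server 2022": date(2031, 10, 14),  # assumed
}
# ESU only counts for machines that actually hold an ESU licence.
ESU_END = {
    "Windows Server 2012": date(2026, 10, 13),     # assumed
    "Windows Server 2012 R2": date(2026, 10, 13),  # assumed
}


def support_status(os_name: str, as_of: date, has_esu: bool = False) -> str:
    """'supported', 'esu' (covered only by paid ESU), 'unsupported' or 'unknown'."""
    end = END_OF_SUPPORT.get(os_name)
    if end is None:
        return "unknown"
    if as_of <= end:
        return "supported"
    if has_esu and as_of <= ESU_END.get(os_name, end):
        return "esu"
    return "unsupported"


def ce_os_audit(inventory, as_of: date) -> dict:
    """Apply the automatic-fail rule to in-scope devices.

    inventory rows: (hostname, os_name, in_scope, has_esu). Devices with an OS
    the table does not know are listed for manual review rather than passed;
    an ESU-covered machine is treated as acceptable (assumption).
    """
    failing, review = [], []
    for host, os_name, in_scope, has_esu in inventory:
        if not in_scope:
            continue
        status = support_status(os_name, as_of, has_esu)
        if status == "unsupported":
            failing.append(host)
        elif status == "unknown":
            review.append(host)
    return {"result": "FAIL" if failing else "PASS",
            "unsupported": failing, "needs_review": review}


# Constructed inventory: (hostname, os, in CE scope, holds ESU licence)
SAMPLE_INVENTORY = [
    ("DC01", "Windows Server 2022", True, False),
    ("FS01", "Windows Server 2012 R2", True, False),
    ("APP02", "Windows Server 2012 R2", True, True),
    ("LAB-OLD", "Windows Server 2012", False, False),  # segregated, out of scope
    ("NAS01", "Proprietary NAS OS 4.1", True, False),
]

if __name__ == "__main__":
    print(ce_os_audit(SAMPLE_INVENTORY, date(2024, 1, 15)))
```

The out-of-scope row shows the other way to pass: a legacy machine moved behind a segregated network boundary is no longer counted, which is what the report above describes the British Library as having been unable to do in time.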



Police swoop on ‘DDoS-for-Hire’ Operations

UK and Dutch police have helped lead an international operation with Europol to take down one of the world’s biggest DDoS-for-hire services, webstresser.org.

The UK’s National Crime Agency and their Dutch Police counterparts announced the success of ‘Operation Power Off’ – which saw the seizure of infrastructure believed to be linked with criminal activity based in the UK, Netherlands and Germany, and the arrest of individuals as far afield as the UK, Spain, Canada, Croatia, Italy, Australia and Hong Kong by at least a dozen different law enforcement agencies.

On the other side of the Atlantic, the Department of Justice announced an additional six arrests by the FBI, with a further 48 domains seized as part of a criminal investigation into DDoS-for-hire operations.


According to Europol, Webstresser is estimated to have let over 136,000 customers launch more than four million Distributed Denial of Service (DDoS) attacks on targets for as little as £11, overwhelming websites and online services with traffic and knocking them offline. Although DDoS for hire services often pose as genuine ‘stress-test’ tools, users with very little technical knowledge were able to order attacks on unrelated targets – choosing between ‘Bronze’ ‘Silver’ and ‘Platinum’ packages.

The service was thought to be responsible for cyber attacks on at least seven major UK banks in November 2021, as well as numerous other businesses and government departments around the world. The BBC reports UK police have raided an address in Bradford, in connection with last year’s attacks on UK banks in particular.

Jaap van Oss, the Dutch Chair of the Joint Cybercrime Action Taskforce (J-CAT), praised the joint cooperation by law enforcement agencies to finally take Webstresser offline.


Urgent Apple Security Updates

Apple has released two urgent security warnings for iOS, iPadOS and macOS in response to two new zero-day vulnerabilities.

The company believes both weaknesses – one in WebKit, the engine which underpins Safari and many other apps, and one in the device kernel – are being actively exploited.

The WebKit flaw means a vulnerable device that processes “maliciously crafted web content” could be made to run attacker-supplied code, while the kernel flaw allows an application to “execute arbitrary code with kernel privileges” – essentially full access to the device.

Affected Software Versions Include:

  • iOS prior to 15.6.1
  • iPadOS prior to 15.6.1
  • macOS Monterey 12 Prior to 12.5.1

Users are advised to check their OS version and update immediately. To do this, please navigate to:

  • On iPhone or iPad: Settings > General > Software Update
  • On Mac: Apple Menu > System Preferences > Software Update



Macro Misadventure Minimised

Microsoft have altered how macros activate in Microsoft Office files, in an effort to improve users’ cyber security.

Macros, which allow office files to run sequences of commands, can be used to automate simple tasks – but also maliciously by hackers as a mechanism of attack.

Macro-based attacks have been around since the late 1990s, but remain surprisingly effective. Users are commonly asked to open an unexpected email attachment and authorise the macro to see its mystery contents, allowing the macro to introduce malware onto the system. In effect, users authorise the attack themselves.

Instead of the old yellow ‘Security Warning’ bar with an instant ‘Enable Content’ button that users previously saw in Microsoft Office applications, files will now prompt with a red ‘Learn More’ button, and users will have to read guidance on using macros securely before they are able to enable the content.
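Microsoft’s prompt only helps once the file is in front of the user. As an added example (not Microsoft’s macro-blocking logic and not code from this page), the scanner below inspects an attachment’s bytes to tell whether it carries a VBA project at all, so a mail gateway or upload handler can quarantine it earlier. It recognises the two container formats: a modern OOXML file is a ZIP containing a `vbaProject.bin` part and a content-type declaration for it, while a legacy binary `.doc`/`.xls` is an OLE2 compound file. The sample documents are built in memory and are not real Office files, and the gateway policy at the end is an assumption.

```python
"""Spot macro-bearing Office files from their bytes, before a user opens them.

Added example; this is not Microsoft's own macro-blocking logic. An OOXML
document (.docm/.xlsm/.pptm) is a ZIP whose VBA project is a part named
vbaProject.bin and whose [Content_Types].xml declares it; a legacy binary
document (.doc/.xls) is an OLE2 compound file starting with the signature
D0 CF 11 E0 A1 B1 1A E1, with the macros held in a VBA storage. The sample
files are constructed in memory; the gateway decision rule is an assumption.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam",
                    ".pptm", ".potm", ".ppam", ".doc", ".xls", ".ppt"}


def scan_office_bytes(data: bytes) -> dict:
    """Return container type, whether macros were found (None if not an Office file) and evidence."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                content_types = (zf.read("[Content_Types].xml")
                                 if "[Content_Types].xml" in names else b"")
        except zipfile.BadZipFile:
            return {"container": "other", "has_macros": None, "evidence": ["corrupt zip"]}
        evidence = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if b"macroEnabled" in content_types or b"vnd.ms-office.vbaProject" in content_types:
            evidence.append("[Content_Types].xml declares a VBA part")
        return {"container": "ooxml", "has_macros": bool(evidence), "evidence": evidence}
    if data.startswith(OLE2_MAGIC):
        # Directory entry names are stored UTF-16LE; the _VBA_PROJECT stream
        # exists only when a VBA project is present. A byte search is a cheap
        # first pass; a full check would walk the compound-file directory.
        marker = "_VBA_PROJECT".encode("utf-16-le")
        found = marker in data
        return {"container": "ole2", "has_macros": found,
                "evidence": ["_VBA_PROJECT stream name present"] if found else []}
    return {"container": "other", "has_macros": None, "evidence": []}


def gateway_decision(filename: str, data: bytes) -> str:
    """Assumed gateway policy: deliver macro-free files, quarantine macro files,
    and block macro content hiding behind a non-macro extension (.docx etc.)."""
    result = scan_office_bytes(data)
    if not result["has_macros"]:
        return "deliver"
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in MACRO_EXTENSIONS:
        return "quarantine: macro-enabled document"
    return "block: macros inside a non-macro extension"


def build_sample_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ct = b'<Types><Default Extension="xml" ContentType="application/xml"/>'
        if with_macros:
            ct += (b'<Override PartName="/word/vbaProject.bin" '
                   b'ContentType="application/vnd.ms-office.vbaProject"/>')
        zf.writestr("[Content_Types].xml", ct + b"</Types>")
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)
    return buf.getvalue()


def build_sample_ole2(with_macros: bool) -> bytes:
    """Constructed stand-in for a legacy .doc: header signature plus padding."""
    body = OLE2_MAGIC + b"\x00" * 504
    if with_macros:
        body += "_VBA_PROJECT".encode("utf-16-le")
    return body


if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_sample_ooxml(True)),
                       ("invoice.docm", build_sample_ooxml(True)),
                       ("report.docx", build_sample_ooxml(False)),
                       ("old.doc", build_sample_ole2(True))]:
        print(name, scan_office_bytes(blob), gateway_decision(name, blob))
```

The extension check matters because Office decides whether a file may run macros from its declared format, so a `.docx` that nonetheless contains a VBA part is either a broken file or an attempt to slip past a filter that only looks at extensions.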

macro warning

This small move – which was originally rolled out, rolled back, and then rolled out again – has been part of a slow clampdown on macros that has lasted more than two decades. Over the years macro functionality has steadily had more restrictions applied – in 2003 IT admins could require macros to have a trusted certificate (more like software applications) and as of 2013, could block macros by default.

But Microsoft hopes this simple firebreak will nudge us to think twice, and stop potentially millions of people from endangering themselves and their technology with a click.

Human nature continues to catch out many users curious about mystery documents – particularly since only a small fraction of Microsoft Office users are even aware of Microsoft 365’s powerful automation features.



A Policy Change: Admin Rights


This year we’ve made a number of policy changes to how Lineal protects your technology, data and users – part of a programme of adjustments designed to help our clients keep their organisations secure.

One of these is a change to how we manage security permissions. In future, we’ll be stricter about how and when we allow administrator (‘admin’) privileges to be used.


What does this mean?

Put simply, we expect no end-user to use an administrator account for their routine work.

Where a user needs administration privileges as part of their official role, we expect a separate admin account to be created for this function, with some extra protections put in place.

All admin accounts should be named to indicate the owner, assigned to only one individual, authorised by management, and protected by Multi-Factor Authentication, where available.
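As an added example (not Lineal’s own tooling, and not code from this page), the audit below checks a directory export against the rules just stated: a separate admin account rather than the daily one, a name that identifies the owner, one named owner per account, MFA enrolled, and no use of admin accounts for routine work, which shows up as interactive logons on end-user workstations. The export, the `adm-` naming convention and the `WS-` workstation hostname prefix are constructed assumptions.

```python
"""Audit privileged accounts against the admin-account rules stated above.

Added example, not Lineal's own tooling: it checks a directory export for
the points in the policy (a separate admin account rather than the daily one,
named so the owner is identifiable, one owner per account, MFA enrolled) and
for admin accounts being used for routine work, which shows up as interactive
logons on end-user workstations. The export, the adm- naming convention and
the WS- workstation prefix are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
ADMIN_PREFIX = "adm-"        # assumed convention: adm-<owner's standard username>
WORKSTATION_PREFIX = "WS-"   # assumed hostname convention for end-user PCs


@dataclass
class Account:
    sam: str                       # logon name
    owner: Optional[str]           # single named person; None = shared/unknown
    groups: set
    mfa_enrolled: bool
    interactive_logon_hosts: set   # hosts where this account has logged on interactively


def is_privileged(acct: Account) -> bool:
    return bool(acct.groups & PRIVILEGED_GROUPS)


def audit_accounts(accounts):
    """Return (account, finding) pairs for every privileged account that breaks the policy."""
    findings = []
    for a in accounts:
        if not is_privileged(a):
            continue
        if not a.sam.startswith(ADMIN_PREFIX):
            findings.append((a.sam, "privileged account is not a separate adm- account"))
        elif a.owner and a.sam != ADMIN_PREFIX + a.owner:
            findings.append((a.sam, "account name does not identify its owner"))
        if a.owner is None:
            findings.append((a.sam, "no single named owner (shared or unattributed)"))
        if not a.mfa_enrolled:
            findings.append((a.sam, "no MFA enrolled"))
        workstations = sorted(h for h in a.interactive_logon_hosts
                              if h.startswith(WORKSTATION_PREFIX))
        if workstations:
            findings.append((a.sam, "interactive logon on end-user workstation(s): "
                             + ", ".join(workstations)))
    return findings


# Constructed directory export.
SAMPLE_ACCOUNTS = [
    Account("jsmith", "jsmith", {"Domain Users"}, True, {"WS-JSMITH"}),
    Account("adm-jsmith", "jsmith", {"Domain Users", "Domain Admins"}, True, {"DC01", "MGMT01"}),
    Account("pbrown", "pbrown", {"Domain Users", "Domain Admins"}, False, {"WS-PBROWN", "FS01"}),
    Account("helpdesk", None, {"Domain Users", "Administrators"}, True, {"WS-RECEPTION"}),
    Account("adm-svc1", "kdoe", {"Domain Admins"}, True, {"DC01"}),
]

if __name__ == "__main__":
    for sam, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{sam}: {finding}")
```

Only `adm-jsmith` passes cleanly: `pbrown` uses a daily account with domain admin rights on their own workstation, `helpdesk` is a shared administrator account, and `adm-svc1` is attributed to a person but not named for them.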


Why are Lineal taking this step?

Admin accounts carry enhanced powers – often to install applications, access raw data or bypass safeguards – each of which represents a more significant cyber security threat where an admin account is misused or compromised.

In the event of a cyber security breach, it’s not uncommon for attackers to leverage admin accounts to attack other systems or users laterally, using heightened account privileges.

Reducing the number of administrator accounts, their use, and the risk of an account breach, all help to maintain strong cyber security within your organisation.

We’re also acting in line with the current requirements of the UK NCSC’s Cyber Essentials Scheme, as well as ISO 27001, CIS benchmarks and NIST 800-60.


Does my organisation need to budget for this?

No – this change will be a guiding principle for the assignment of existing/new admin privileges.


My organisation is subject to a compliance standard / framework, what do I do?

If you’re already subject to any specific controls over the distribution of administrator privileges, please contact us to discuss further, and we’ll do our best to explain how these changes support or enhance your existing controls.


What if I don’t want to do this, because of _________?

Where a client still allows a user to have local or domain administrative rights for standard duties, we’ll now require you to declare this to us in writing – as part of a disclaimer accepting liability for any adverse consequences of this decision.

We’ll also make clear that any remedial works required by us following an incident caused by this decision will be chargeable.


Who can I speak to about this?

Please contact our IT Support Teams via our Client Portal, via [email protected] or, 01271 375999, and one of our team will be happy to assist.


Apple Announces ‘Lockdown Mode’

Apple have unveiled a special ‘Lockdown Mode’ for individuals likely to face extremely targeted threats to their cybersecurity.

Lockdown Mode will be added to iOS 16, iPadOS 16 and macOS Ventura, and is designed for the small number of users who are likely to be targets of high-end surveillance spyware and need the digital attack ‘surface’ of their device drastically reduced.

The new functionality is partly a response to the work of organisations like NSO Group, who have faced repeated accusations that their counter-terrorism surveillance software has also been used by governments and various state-sponsored actors around the world to illegally target journalists, activists and other political opponents.

The new tool represents an extreme device-hardening posture, and imposes very strict controls – including:

* Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.

* Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.

* Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.

* Wired connections with a computer or accessory are blocked when iPhone is locked.

* Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on.

Apple is keen to point out that “while the vast majority of users will never be the victims of highly targeted cyberattacks”, Lockdown Mode will become an option for those who may be, and reasserts Apple’s credentials in the high-end ‘secure-phone’ market previously dominated by BlackBerry and other niche hardware players.

The tech giant will also offer up to $2m to anybody able to demonstrate a vulnerability in Lockdown Mode under its bug bounty programme – the largest such reward available in the industry.


Emerging Threats

Just occasionally cybercriminals discover a new technique for tricking users or gaining access to something they shouldn’t have.

Hacks and scams go in and out of fashion like much else – depending on their effectiveness and, particularly, awareness among the wider public.

It’s helpful to keep one step ahead, so here’s our pick of some newer emerging threats to watch out for:

 

MFA Fatigue

The introduction of multi-factor ‘prompt’ notifications on Android and iOS is meant to make life easier. Instead of typing in a six-digit code sent by text or generated by an authentication app, the user simply taps ‘Yes, this is me’ (or similar) when prompted on their authorising device.

But a hacker who obtains the user’s password can then spam them with such notifications until the user either accepts one by mistake, or accepts deliberately to make the prompts go away.

[Image: 2FA prompt]

This trick can get the hacker past otherwise bulletproof MFA on an account simply by pestering the targeted user – and users are often spammed in the early hours, when they’re likely to approve the login attempt without thinking, believing it to be a technical fault. By the time they’re asleep again, the hacker has remotely accessed their account.
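The pattern described above is easy to spot after the fact if sign-in logs are actually reviewed: a run of denied or ignored push prompts for one user inside a few minutes, often out of hours, sometimes followed by an approval. The following is an added example written for this article – it is not Lineal’s code and does not use any vendor’s real log schema. The log lines, user names and IP addresses are constructed for illustration.

```python
"""MFA-fatigue detection over push-prompt logs.

Added example for this article; it is not Lineal's code and does not use any
vendor's real log schema. Each SAMPLE_LOG line is constructed: timestamp,
user, push result ('denied' = user tapped No, 'timeout' = ignored,
'approved'), and source IP.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user result ip")

# Constructed sample records: a 02:00 burst against alice, normal use by bob.
SAMPLE_LOG = """\
2024-03-04T02:11:05Z alice@example.invalid denied 198.51.100.7
2024-03-04T02:11:40Z alice@example.invalid timeout 198.51.100.7
2024-03-04T02:12:02Z alice@example.invalid denied 198.51.100.7
2024-03-04T02:12:31Z alice@example.invalid timeout 198.51.100.7
2024-03-04T02:13:10Z alice@example.invalid denied 198.51.100.7
2024-03-04T02:13:55Z alice@example.invalid approved 198.51.100.7
2024-03-04T09:00:12Z bob@example.invalid approved 203.0.113.20
2024-03-04T09:30:44Z bob@example.invalid denied 203.0.113.20
"""


def parse_log(text):
    """Turn the constructed log text into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return events


def find_mfa_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag users who received `threshold` or more unapproved push prompts inside `window`.

    Returns one alert per user: how many prompts were denied or ignored, whether an
    approval followed inside the same window (the attack succeeded), when the
    burst started, whether that was out of hours, and the source IPs involved.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            if first.result == "approved":
                continue
            in_window = [e for e in evs[i:] if e.ts - first.ts <= window]
            unapproved = [e for e in in_window if e.result != "approved"]
            if len(unapproved) >= threshold:
                alerts.append({
                    "user": user,
                    "unapproved_prompts": len(unapproved),
                    "approved_after": any(e.result == "approved" for e in in_window),
                    "started": first.ts,
                    "out_of_hours": first.ts.hour < 7 or first.ts.hour >= 20,
                    "source_ips": sorted({e.ip for e in in_window}),
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

An alert with `approved_after` set is the one to act on first: the password is already known to the attacker and the session they obtained should be revoked, not just the password reset. Number-matching prompts (where the user has to type a code shown on the login screen) remove the ‘tap Yes by accident’ failure mode entirely.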

 

30 Pieces of Silver

One of the most interesting revelations from the recent arrest of members of the Lapsus$ ransomware group was the wider publicity given to their public-facing Telegram channel.

Among the techniques used by the prolific hacking group were appeals to recruit disaffected employees of notable companies.

[Image: Lapsus$ insider recruitment post]

This presents an interesting strategic question: how do you defend against a disgruntled member of your team being bribed to hand over vulnerabilities, credentials or privileged access that would otherwise remain guarded? Attackers who begin inside a network’s usual defences have an extra capability for ‘lateral’ attacks, using each system or login captured to slowly compromise more of the organisation.

An ‘Insider’ attack is perhaps a corporation’s worst nightmare – with even a single VPN or admin password able to cause severe damage.

 

Dodgy App Permissions

A massive ecosystem of additional connected apps is available for Microsoft 365 – although many require additional permissions (such as access to emails, calendars, contacts and more), which are approved through an authorisation standard called OAuth.

[Image: OAuth app permissions prompt]

Unfortunately this is open to abuse, particularly in ultra-targeted spear phishing of upper-level management and those with privileged accounts. First step: get the user to visit a URL that requests permission for an innocent-sounding app to connect to Microsoft 365. Second step: when the user ‘Accepts’ the app’s access conditions, they grant it access to much of their Microsoft 365 account – access that works remotely, without being re-authorised by MFA or any of the usual protections, often in perpetuity.

In some cases the permission windows for the suspicious app are specially modified so that cancelling is circular, or the app is given immediate permission to email other users the same app authorisation to spread the hack further.
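Because the grant survives password resets and MFA, the place to look is the list of consents already given in the tenant. The following is an added example for this article, not Lineal’s code and not a Microsoft API: it scores a constructed export of consent events by the permissions granted and by who approved them. The scope names are real Microsoft Graph permission names; the app names, client ids and user addresses are placeholders.

```python
"""Triage of OAuth consent grants for Microsoft 365 apps.

Added example for this article; not Lineal's code and not a Microsoft API.
SAMPLE_CONSENTS is a constructed export of consent events (app display name,
client id, whether the publisher is verified, who consented, and the granted
scopes). The scope names are real Microsoft Graph permission names; the app
names and client ids are placeholders.
"""

# Permissions whose grant to a third-party app deserves a second look.
RISKY_SCOPES = {
    "Mail.Read": "read the user's mail",
    "Mail.ReadWrite": "read and modify the user's mail",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "change mailbox rules and forwarding",
    "Contacts.Read": "read contacts (a ready-made target list for further lures)",
    "Files.ReadWrite.All": "read and modify all files the user can reach",
    "offline_access": "refresh tokens: access persists without a fresh login or MFA",
}

SAMPLE_CONSENTS = [
    {"app": "Expenses Helper", "client_id": "00000000-0000-0000-0000-000000000001",
     "publisher_verified": False, "consent_type": "user", "by": "cfo@example.invalid",
     "scopes": "openid profile Mail.Read Mail.Send Contacts.Read offline_access"},
    {"app": "Corporate Intranet", "client_id": "00000000-0000-0000-0000-000000000002",
     "publisher_verified": True, "consent_type": "admin", "by": "adm-it@example.invalid",
     "scopes": "openid profile User.Read"},
    {"app": "Calendar Sync", "client_id": "00000000-0000-0000-0000-000000000003",
     "publisher_verified": True, "consent_type": "user", "by": "bob@example.invalid",
     "scopes": "Calendars.Read offline_access"},
]


def assess_consent(record):
    """Score one consent grant: higher means more worth reviewing or revoking."""
    scopes = record["scopes"].split()
    risky = [s for s in scopes if s in RISKY_SCOPES]
    reasons = [f"{s}: {RISKY_SCOPES[s]}" for s in risky]
    score = len(risky)
    # Persistent mailbox access is the classic outcome of consent phishing.
    if "offline_access" in risky and any(s.startswith("Mail") for s in risky):
        score += 2
        reasons.append("persistent mailbox access without re-authentication")
    # A user (not an admin) approving an unverified publisher is the phishing pattern.
    if record["consent_type"] == "user" and not record["publisher_verified"]:
        score += 2
        reasons.append(f"user consent ({record['by']}) to an unverified publisher")
    return {"app": record["app"], "client_id": record["client_id"],
            "score": score, "reasons": reasons}


def triage(records, min_score=3):
    """Return the grants at or above min_score, most serious first."""
    findings = [assess_consent(r) for r in records]
    return sorted((f for f in findings if f["score"] >= min_score), key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in triage(SAMPLE_CONSENTS):
        print(finding["app"], finding["score"], *finding["reasons"], sep="\n  ")
```

The longer-term fix is not to rely on a review script at all: restrict which apps ordinary users may consent to, route everything else through an admin-consent workflow, and revoke any existing grant that the review turns up.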

 

QR Codes

We’ve written before about the problem with QR codes – and many of the ways they’re potentially open to abuse.

In a mobile-first world, QR codes in public places can all too easily be tampered with to make users pay at the wrong website, share malicious links on social media, or even dial premium-rate numbers. Although Google Lens and similar apps will preview a link before the user opens it, the underlying flaw is how easy it is to mimic the style and placement of official, legitimate QR codes without the end user realising a swap has taken place.

The central problem is user awareness – would you click on a blind link in an email? No, exactly.

 

For cybersecurity expertise and support, please contact our team today.


Introducing Device Management

If your staff’s company-issued devices are now everywhere, how can you keep track – and what are the benefits?

Device Management technology has really come into its own in the last few years, particularly as companies have embraced hybrid working during Covid. 

Maintaining a large digital estate of company devices far beyond the reach of your travel distance or office network sounds like a logistical headache – but it simply requires a shift in approach. Here’s why your organisation should consider rolling out device management:

 

The Basics

First and foremost, device management means protecting access to data and your hardware investment.

Tracking a device’s specifications and physical location remotely has long been a cornerstone of device management – but modern hardware-loss protections go a step further by adding the ability for IT admins to remotely lock or even wipe a device in the event of a suspected theft. The best solutions can also look out for suspicious warning signs, such as a mobile device being jailbroken – and conditionally deny access to company apps or data.

In 2022 that safeguarding can apply across desktop, mobile and tablet devices – right across Windows, Mac, iOS, Android and ChromeOS. Now that staff work anywhere from their homes to airports, that lockdown ability is a powerful tool.

Stress-Free Maintenance

With modern device management it’s easier for your IT administrators to manage devices, apps and the updates that apply to them.

In the old days (well, the early 2000s), remote administration meant a device had to be domain controlled, connected via VPN or similar, or within physical travelling distance of the technician.

No longer. Modern device management means device profiles, Windows updates, access to company-approved apps, patches, firewall rules and more can all be created and pushed out centrally ‘over the air’. Even hardware settings on company devices can be managed remotely, potentially saving thousands of IT support hours.

 

The ‘Out-of-the-Box’ Experience

Don’t forget the users! Device Management isn’t just to make life easier for the IT admins, but also helps make sure the end-user gets a great experience.

With remote device onboarding, the preparation of new or re-issued devices can be done in advance, giving the user a complete profile of settings and apps right ‘out of the box’. That flexibility allows organisations to enrol staff who never visit a central hub to collect the device, supporting distributed organisations with personnel (potentially) all over the world.

If your MDM solution also supports single sign-on, that sign-in can be the user’s passport to the full ecosystem of company apps and IT resources, right from day one.

 

For IT support and systems expertise, please contact our team today.


Apple, Google and Microsoft Agree Passwordless Future

Three major tech providers have agreed to introduce support for passkey-based login, in line with recommendations of the FIDO Alliance.

Passkeys have been proposed as one of the possible futures for the death of passwords, and would be freshly generated with each biometric login to a registered device to help prevent password-theft.

In future Google Chrome, Microsoft Edge and Apple’s Safari will all facilitate passwordless login as an option – and major tech providers will offer passkey login for important online services including Active Directory and Azure.

Microsoft estimate that around 330,000 people have removed their password from their Microsoft Account in the last six months – with most using Microsoft Authenticator as a kind of passkey instead.

‘Hackers don’t break in, they log in’ is an often repeated mantra among cybersecurity professionals – reflecting the fact that most online accounts are breached via a normal login attempt, but with stolen credentials.

The FIDO Alliance is the online movement to replace password authentication entirely with single-use passkeys – although the organisation admits there are barriers to entry, including the cost to organisations of developing their own versions of the technology, an unfamiliar user experience, and a reluctance to ‘go first’.

It is hoped that with major tech providers building passkey support into their browsers, many more developers will be able to adopt the new standard to help keep users secure.

 

For Cybersecurity expertise and support, please contact our team today.


Five Free Cybersecurity Gems

A good cybersecurity strategy includes layers of defensive counter-measures, designed to mitigate a wide range of threats at different levels of your organisation.

However, there are lots of ways you can bolster your cybersecurity a little more, even on a budget of (basically) zero – here’s our pick of the best:

 

2FA / MFA Directory

We’ve written before about the colossal effectiveness of turning on multi-factor authentication for all your online logins – in particular the way it helps prevent an outside attacker accessing your technology remotely with stolen credentials.

Although compulsory for online banking in the UK, this feature is often available for free elsewhere online as well – and you should take full advantage.

This useful website is an index of websites and online services that already offer 2FA on your account(s), which methods are available, and where to find them.

 

Customised Login Pages

By default, your login window for many public cloud services is identical to everyone else’s – for example, by default Microsoft 365 companies see a picture of Rio de Janeiro each time they sign in. However, many people don’t realise this image can be customised, making the sign-in experience unique to your company.

This feature is often free – but has one really important cybersecurity benefit: it helps your users realise when they might have been redirected to a phishing website. Fake login pages attempting to steal their credentials will often use the default background image to be recognisable to more people, rather than your custom one. When one of your staff clicks the wrong link, the wrong background might just help alert them before they hand over their credentials to a cybercriminal.

 

‘Spot the Phish’ Quiz

Let’s be honest, many online cybersecurity training tools are a bit rubbish – but this little gem of an online game from email security provider Barracuda uses five real examples of scam emails (A & B) to quiz your staff, and educate them on the warning signs.

User training helps build a resilience to cybersecurity threats that isn’t available via technology – protection for the ‘human layer’ of the organisation that needs to be vigilant, no matter which technology they’re using. Challenge your team today!

 

Has your Email been Pwned?

This delightfully terrifying website allows you to search those massive cybersecurity breaches you read about in the news for your own email address – informing you whether your information was involved, and where.

If you find an old email address has been listed in a known data breach, it’s best to update your password, turn on two-factor authentication, and make sure you haven’t used that password anywhere else online – because it’s entirely possible that your credentials are already circulating as part of large stolen data dumps on the dark web.

 

Build a Cyber Action Plan

The UK National Cyber Security Centre (part of GCHQ) offers a free ‘Cyber Action Plan’ tool to sole traders and smaller businesses, which takes you through a short questionnaire about your business to help you build a starter list of recommendations to consider.

This is a similar exercise to that undertaken by professional managed cybersecurity providers – but on a smaller scale – well worth a look!

 

For cybersecurity expertise and support, please contact our team today.


Lineal Cybersecurity Briefing to UK Exporters

Members of Lineal’s cybersecurity team recently ran a special training event for over a hundred UK exporters, as part of the Department for International Trade’s ‘Export Academy’ initiative.

The UK Export Academy was formed to give UK companies vital know-how as they develop international trade opportunities, and to help them avoid common pitfalls.

Attendees were given a wide-ranging crash course on common threats, including a run-down of various vectors of cyber attack typical to companies trading internationally, and techniques to mitigate dangers.

Topics included best practice for password management & identity protection, email safety, device health, network safeguards and much much more.

We’ll be part of other UK Export Academy events in the near future – you can find more information about the academy here.

Learn more about Lineal Cybersecurity expertise here.


New Security Features in Windows 11

Microsoft have announced a raft of new security features for Windows 11 – aimed squarely at the new trend of hybrid working.

With millions of users working remotely post-Covid, the enhancements largely focus on hardware security and identity protection, as end-user devices access ever more cloud-resources from a broader range of working environments.

 

Microsoft Pluton

‘Microsoft Pluton’ is the name of a new security processor integrated into CPUs on devices shipping with the new operating system – an App Control feature designed to prevent untrusted apps from running, block the theft of user credentials, and counter dangers from outdated drivers.

As we’ve noted before, Pluton (like Windows 11 itself) also relies upon Trusted Platform Module (TPM) technology to fire up a PC securely – but some TPM chips remain vulnerable to encryption keys being intercepted between components. Pluton devices are expected to close off that weakness, preventing this kind of hardware attack.

 

Smart App Control

As many predicted, Application Management begins taking centre-stage in 2022, as bigger organisations seek to prevent users introducing rogue software into their IT infrastructure (or worse, introducing it back into the company network themselves.)

Smart App Control blocks unsigned or suspicious apps at the OS level, and will receive updates daily.

However, it’s worth noting this core feature only applies to newly shipped devices – so even those who adopted Windows 11 early would have to complete a full operating system reinstall to ensure Smart App Control is live.

 

Microsoft Defender SmartScreen

SmartScreen helps protect identity by alerting the user if they’ve begun interacting with a known malicious application, fake or hacked website – with the added advantage that the safeguard is pre-installed for all users.

Microsoft are keen to demonstrate SmartScreen’s record of success elsewhere – blocking nearly 26 billion brute force attacks on Microsoft Azure Active Directory, and nearly 36 billion phishing emails that were intercepted by Microsoft 365, last year alone.

 

Credential Guard

Another ‘by default’ upgrade – Credential Guard isolates really important system secrets in a way designed to stop ‘pass the hash’ style attacks, where a hacker is able to use the encrypted version of a password to gain entry. Microsoft claim it can even prevent malicious applications that have somehow obtained admin-user privileges on the device from accessing those secrets.

 

You can discover the full list of the security enhancements coming to Windows 11 here.


NCSC releases 2022 Cyber Security Breaches Survey

The National Cyber Security Centre (NCSC) has released its annual ‘Cyber Security Breaches Survey’.

The survey is used to inform government policy on digital security, educate British businesses, and ensure UK cyber space remains safe.

Data collected from over 2,400 businesses and 850 charities produced some startling statistics concerning the ever-looming threat of cyber-attacks infiltrating UK businesses’ digital footprint.

The report discovered that 39% of UK businesses detected an incoming cyber-attack during 2021. Phishing attacks made up a fifth of all threats identified – the most frequent type of malicious attack.

Organisations also revealed that ransomware was being recognised as a serious digital threat with 56% of businesses stating they have installed or will be introducing a company policy to not pay ransoms to cyber criminals.

Whilst 58% of small and medium businesses disclosed outsourcing their IT support, only 23% of surveyed businesses had a cybersecurity incident management strategy in place more advanced than basic endpoint antivirus.

NCSC promote a blend of regular cyber security learning and training processes within your business to better inform the deployment of traditional cybersecurity software measures across all the organisation’s IT systems.

This multi-layered approach aims to counteract the report’s discovery that a lack of cyber technical expertise amongst UK businesses is to blame for threats going undetected.

Similarly, a company-wide policy of digital hygiene erodes the false assumption that managed cybersecurity strategies are a cost to the business rather than a strategic, protective investment.

31% of businesses admitted being attacked at least once a week, showing that any weak link in an organisation’s cyber defence can have grievous financial implications.

To mitigate this, we recommend organisations follow the NCSC’s guidance and adopt Cyber Essentials and Cyber Essentials +. The scheme requires businesses to meet or exceed an assured set of security requirements each year to protect against common forms of online crime, technology dangers and digital threats.

It is estimated that a Cyber Essentials certification can reduce your organisation’s risk of a cyberattack by 98.5% – contact Lineal to assist with your organisation’s application and to help you meet the requirements for a successful certification or re-certification today.


Hermetic Wiper Malware Hits Ukraine

Endpoint security specialist SentinelOne have isolated and demonstrated an installed instance of HermeticWiper malware currently destroying PCs across Ukraine.

First spotted on February 23rd, the 114KB ‘Hermetic Wiper’ malware gets its name from ‘Hermetic Digital Ltd’ – a (likely fictitious) Cypriot company allegedly named on its digital certificate. The malware appears to have been circulated among a number of Ukrainian organisations, and abuses a partition management driver to begin corrupting a device’s physical drives.

Watch below as SentinelOne test-detonate an instance of Hermetic Wiper, first on an undefended PC, then with powerful endpoint protections in place:

Video Credit: SentinelOne.

Once activated, the malware initiates a device shutdown, making the system irretrievable and booting only as far as Windows’ ‘Your PC/Device needs to be repaired’ screen.

The timing and nature of the attack (crippling PCs in the short term, until they can be replaced) suggests an effort that has been coordinated with Russian military operations.

 

For cybersecurity advice and expertise, please contact Lineal today.


The Problem with QR Codes

QR codes have become an easy way for companies to promote themselves – now that everyone carries a barcode scanner in their pocket (their smartphone) why not take advantage of this to better connect with customers?

Well… because it can also be a cybersecurity nightmare.

Cryptocurrency platform Coinbase recently made headlines by using their Super Bowl half-time advert to advertise themselves with a bouncing QR code that users could scan live from their sofas. As many pointed out, this is literally the equivalent of clicking a blind link in an email from an unknown sender – with users unlikely to have checked where the link will take them, or what information they’re handing over when they get there.

Worse still, even if a company’s own QR codes are harmless, it’s very easy to generate imitations online that are not – leveraging a larger company’s advertising as a way to scam users.

QR codes can all too easily be planted by third-parties as a way of tricking the unsuspecting – in particular, you need to be wary of the following scams:

 

Parking Meters
– A fake parking meter QR code, stuck on as a label, acts in a similar fashion to phishing emails and the card-skimming devices cybercriminals have famously attached to ATMs to steal card details. By redirecting the user to a fake payment portal to pay for their parking, this catches those who might otherwise be in a rush. See also: fake parking penalty tickets.

 

[Image: QR code phone call]

SMS/Phone Codes
– QR codes are generally scanned from smartphones with calling and SMS abilities, so a code can prompt the user to call or text a number. Handy for business, certainly, but risky if the user doesn’t realise they’re calling or texting a premium-rate number.

 

[Image: QR code tweet]

Social Media Share
– Scan here to automatically tweet a link from @Lineal! Unfortunately that link is easily manipulated, potentially making the person scanning it part of further phishing attempts on their own Twitter followers.

 

Connecting to Wi-Fi
– In public spaces, many businesses prompt users to join their free Wi-Fi via QR code. Clever and convenient, but obviously easy to use as a mechanism for a man-in-the-middle attack: a fake Wi-Fi network is simply a trap set for the unsuspecting user who’s just trying to access their email in a coffee shop, airport or hotel.

 

Guidance:

Think before you click – does the QR code match the rest of their branding? Where does the link preview point to? Is there anybody/anywhere you can double-check?

Use a Password Manager – although you might not spot a fake website URL, a password manager that normally autofills only a password on specific sites will recognise the fake immediately.

Since a mobile device is unlikely to sit behind a firewall that will detect threats as you browse the web, companies issuing work mobiles and tablets also need to extend endpoint security software to those devices – the same way you would a work laptop used on the move.

Most importantly, users need to be regularly educated in recognising phishing scams through organised training – to build personal resilience that extends to whatever device they happen to be using.
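Every QR scam described above, here and in the ‘Emerging Threats’ piece, comes down to the text the code decodes to: a web link, a `tel:` or `sms:` number, a Wi-Fi join string or a social-media share intent. The ‘think before you click’ advice can be turned into a checklist that a scanner app or a security team could apply to that decoded text. The following is an added example written for this article, not Lineal’s code: it works on the decoded payload string (it does not read images), takes the advertiser’s genuine domain(s) as `expected_domains`, and every sample payload and domain is constructed for illustration. The shortener hostnames are real services, listed only as examples of links that hide their destination.

```python
"""Triage of the text decoded from a QR code, before anyone acts on it.

Added example for this article (not Lineal's code). It takes the decoded
payload string that a scanner app shows as a preview; it does not decode
images. expected_domains is the advertiser's real domain(s). Every sample
payload and domain below is constructed for illustration; the shortener
hostnames are real services listed only as examples.
"""
import re
from urllib.parse import parse_qs, urlsplit

SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}
RANK = {"low": 0, "medium": 1, "high": 2}


def _worse(a, b):
    return a if RANK[a] >= RANK[b] else b


def _host_matches(host, expected):
    return any(host == d or host.endswith("." + d) for d in expected)


def triage_url(url, expected_domains):
    """Check a web link: HTTPS, no shortener, no embedded credentials, right domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    risk, notes = "low", []
    if parts.scheme != "https":
        risk, notes = "medium", ["not HTTPS"]
    if parts.username or parts.password:
        risk, notes = "high", notes + ["credentials embedded in the URL"]
    if host in SHORTENERS:
        risk, notes = "high", notes + ["link shortener hides the real destination"]
    elif not _host_matches(host, expected_domains):
        imitates = any(d.split(".")[0] in host for d in expected_domains)
        risk = "high"
        notes.append("domain does not belong to the advertiser"
                     + (" but imitates its name" if imitates else ""))
    return risk, notes


def classify_uk_number(number):
    """Premium-rate (09, 118) and personal (070) UK prefixes; short codes are unknown cost."""
    n = number
    if n.startswith("+44"):
        n = "0" + n[3:]
    elif n.startswith("0044"):
        n = "0" + n[4:]
    if n.startswith(("09", "118")):
        return "high", "UK premium-rate number"
    if n.startswith("070"):
        return "medium", "UK personal number, typically charged at a high rate"
    if n.isdigit() and len(n) <= 6:
        return "medium", "SMS short code; the charge cannot be judged from the number alone"
    return "low", "no premium-rate prefix recognised"


def _parse_wifi(payload):
    """Parse 'WIFI:T:WPA;S:ssid;P:password;;' into a dict (escaping ignored for brevity)."""
    fields = {}
    for item in payload[len("WIFI:"):].split(";"):
        if ":" in item:
            key, value = item.split(":", 1)
            fields[key.upper()] = value
    return fields


def triage_qr(payload, expected_domains):
    """Classify a decoded QR payload and rate the risk of acting on it."""
    p = payload.strip()
    low = p.lower()
    if low.startswith(("http://", "https://")):
        parts = urlsplit(p)
        host = (parts.hostname or "").lower()
        if host in ("twitter.com", "x.com") and parts.path.startswith("/intent/"):
            # A share intent posts from the scanner's own account; triage the link it carries.
            query = parse_qs(parts.query)
            text = " ".join(query.get("url", []) + query.get("text", []))
            risk, notes = "medium", ["posts to social media from your own account"]
            match = re.search(r"https?://\S+", text)
            if match:
                r, n = triage_url(match.group(0), expected_domains)
                risk, notes = _worse(risk, r), notes + ["embedded link: " + x for x in n]
            return {"kind": "social share", "risk": risk, "notes": notes}
        risk, notes = triage_url(p, expected_domains)
        return {"kind": "url", "risk": risk, "notes": notes}
    if low.startswith(("tel:", "sms:", "smsto:")):
        rest = p.split(":", 1)[1]
        number = re.sub(r"[^\d+]", "", re.split(r"[:?]", rest, maxsplit=1)[0])
        risk, note = classify_uk_number(number)
        return {"kind": "phone/sms", "risk": risk, "notes": [note]}
    if low.startswith("wifi:"):
        fields = _parse_wifi(p)
        open_net = fields.get("T", "nopass").lower() in ("nopass", "")
        ssid = fields.get("S", "?")
        return {"kind": "wifi", "risk": "high" if open_net else "medium",
                "notes": [("open" if open_net else fields["T"])
                          + f" network '{ssid}': nothing proves who operates it"]}
    return {"kind": "unknown", "risk": "medium",
            "notes": ["unrecognised payload type; do not act on it blindly"]}
```

The domain check is the part that matters most: a code that reads `https://brand-parking.example/pay` looks right to a user in a hurry, but it is not the advertiser’s domain, and a password manager that only autofills on the genuine site would stay silent on it for exactly the same reason.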

 

For Cybersecurity expertise and support, contact Lineal today.


2022: New Rules for Cyber Essentials

This year GCHQ’s National Cyber Security Centre have introduced stricter new rules for businesses and organisations hoping to achieve UK Cyber Essentials (CE) and Cyber Essentials Plus (CE+) Certification.

In addition to promoting the scheme’s key priorities, the new terms for successful assessment are widely believed to be partially a response to recent events – including more widespread remote and home-working via cloud-based web services during Covid-19, and a series of devastating ransomware attacks that disrupted major infrastructure in the US.

Need a taster of what’s to come? Here are our key take-aways:

 

Cloud Services under the spotlight

In previous years organisations could exclude many cloud-based platforms from the scope of their assessment – but with the wholesale move to the cloud only accelerating under working from home, and web-services containing ever more data, cloud-based systems such as Microsoft 365 and Google Workspace move squarely into the frame.

 

Multiplying multi-factor

Most critically this year, two-factor authentication will become compulsory for all administrator accounts registered to cloud-based services – as the NCSC tries to stop hackers obtaining credentials and then remote accessing their way to cyber-devastation. Expect user accounts to follow in 2023 – an exemption may be granted under certain circumstances, but it’s clear the days of the old ‘password-only’ login are numbered.

2022 also places new restrictions on passwords: organisations are encouraged to use password managers enforcing random passwords of 8 characters or more, or a 12-character pattern, at a minimum. Mobile devices and similar should have a minimum 6-digit PIN or biometric security – with a recommended lock-out after ten failed password attempts.

 

Sub-networks under scrutiny

Sub-networks may now only be excluded if they have no connection to the main network, or no internet access – meaning many organisations will now have to detail their satellite and subordinate operations more fully.

Patching discipline is said to be the most common reason for failing a Cyber Essentials assessment – the 14-day patch window remains, but automatic updates should now be enabled where available. Thin-client devices are to be included from next year, and unsupported software should be air-gapped on sub-networks that don’t have internet access.

 

A question of hats

All super-users are now meant to have distinct user and administrator accounts, with stronger security on the latter. This distinction extends to cloud-services, meaning administrators will have to swap between their day-to-day functions completed on user accounts, and their admin roles where they have elevated privileges.

In the wake of the Colonial Pipeline ransomware attack and others, it’s clear rules for admin accounts will only become more stringent.
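The separate-accounts rule above, and the reasoning in our own ‘Why are Lineal taking this step?’ FAQ on admin accounts, both come down to questions that can be asked of a directory export: which accounts hold admin roles, are any of them the same mailbox-enabled accounts people use all day, and do all of them have MFA? The following is an added example written for this article, not Lineal’s code and not a Microsoft export format. The account list is constructed; the `adm-` prefix is an assumed naming convention for dedicated admin accounts, and the role names are real Microsoft 365 directory roles used as sample values.

```python
"""Review a directory export for admin-account hygiene.

Added example for this article; not Lineal's code and not a Microsoft export
format. ACCOUNTS is a constructed list. The 'adm-' prefix is an assumed
naming convention for dedicated admin accounts; role names are real Microsoft
365 directory roles used as sample values.
"""
from collections import Counter

ADMIN_PREFIX = "adm-"  # assumption: dedicated admin accounts are named adm-<person>

ACCOUNTS = [
    {"upn": "alice@example.invalid", "roles": ["Global Administrator"], "mailbox": True, "mfa": True},
    {"upn": "bob@example.invalid", "roles": [], "mailbox": True, "mfa": True},
    {"upn": "adm-bob@example.invalid", "roles": ["Exchange Administrator"], "mailbox": False, "mfa": True},
    {"upn": "carol@example.invalid", "roles": ["User Administrator"], "mailbox": True, "mfa": False},
    {"upn": "dave@example.invalid", "roles": [], "mailbox": True, "mfa": True},
    {"upn": "adm-dave@example.invalid", "roles": ["Global Administrator"], "mailbox": False, "mfa": False},
]


def review_accounts(accounts):
    """Return (upn, problem) pairs for every account holding an admin role."""
    findings = []
    for acct in accounts:
        if not acct["roles"]:
            continue  # standard user: nothing to check here
        # A dedicated admin account follows the naming convention and has no mailbox
        # to read email or browse from; anything else is a 'two hats on one head' account.
        dedicated = acct["upn"].startswith(ADMIN_PREFIX) and not acct["mailbox"]
        if not dedicated:
            findings.append((acct["upn"],
                             "admin role held on a day-to-day account; move it to a dedicated admin account"))
        if not acct["mfa"]:
            findings.append((acct["upn"], "admin role without MFA"))
    return findings


def role_counts(accounts):
    """How many accounts hold each admin role: the number to keep as small as possible."""
    return Counter(role for acct in accounts for role in acct["roles"])


def people_without_separate_admin(accounts):
    """People whose day-to-day account holds roles but who have no adm- account at all."""
    upns = {a["upn"] for a in accounts}
    return sorted(a["upn"] for a in accounts
                  if a["roles"] and not a["upn"].startswith(ADMIN_PREFIX)
                  and ADMIN_PREFIX + a["upn"] not in upns)


if __name__ == "__main__":
    for upn, problem in review_accounts(ACCOUNTS):
        print(f"{upn}: {problem}")
    print(dict(role_counts(ACCOUNTS)))
    print("need a separate admin account:", people_without_separate_admin(ACCOUNTS))
```

Run regularly, the two lists are the evidence an assessor asks for: every role-holding account is either a dedicated admin account with MFA, or it is on the findings list with a reason.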

 

Greater auditing

Cyber Essentials Plus Certification will increasingly require more in-depth auditing by independent inspectors – including sending malicious test-emails, validating software versions, testing file access, and confirmation of the all-important admin/MFA rules described above.

 

Lineal are a Cyber Essentials Plus certified organisation, and can help your team achieve certification. Contact our team today.


Announcing: SentinelOne

For 2022 we’re announcing a series of changes to the way Lineal helps keep your IT safe and secure – including some new technologies that will allow us to better care for our customers’ cybersecurity.

One of these is the introduction of SentinelOne as an alternative to traditional antivirus options. We’ve formed this partnership to offer a more extensive set of tools to customers, and further modernise the way we keep your staff, systems and data safe.

You can learn more about SentinelOne, and why we’ve taken this step, below:

 

What is SentinelOne?

SentinelOne is next-generation Endpoint Detection & Response (EDR) software that we’ll be recommending in future to protect PCs, Macs and more from cybersecurity threats, in place of more traditional antivirus options.

 

Why are Lineal making this change?

We’re responding to changing times – in recent years we’ve seen the threats to small businesses shift away from general malware towards more dangerous ransomware that encrypts data and seeks to extort payment from victims.

 

Why have you re-focused on Ransomware?

The scale of the threat. While malware might endanger data, hit device performance or introduce other serious technical problems, ransomware can be totally devastating – bringing even major industries to a standstill.

The UK National Cyber Security Centre recently argued that “Ransomware represents the key cybersecurity threat facing Britain…” – following a series of high-profile and crushing ransomware breaches in the US, across industry, and against the NHS.

For a small business, a ransomware infection is potentially terminal, and as the methods used by cybercriminals change, our recommended cybersecurity precautions need to adjust to reflect this.

 

What’s wrong with traditional antivirus?

While traditional antivirus software is a good defence, it typically works by comparing files against a regularly updated list of known threats. This technique has its limits – particularly when it comes to never-before-seen ‘zero-day’ threats.

With the spread of ‘ransomware kits’ on the dark web, it’s becoming easier and easier for cybercriminals to introduce brand new variants and strains, on an hourly basis. This necessitates a different kind of counter-measure: intelligent EDR software that understands how a threat to an endpoint ‘acts’ and can remediate more effectively.

 

 

OK, but why SentinelOne rather than [Product X]?

In addition to performing exceptionally well in independent testing, we’ve been impressed with SentinelOne’s cloud-based management and ‘Storyline’ investigation tools, and their Ransomware Warranty pledge of $1,000 per computer (up to $1m) for each machine with valid protection.

Even more impressively, the Singularity engine utilises some highly advanced fingerprinting technology to support cutting-edge rollback abilities – a powerful aid to incident response.

The company consistently ranks as a Leader in Gartner analysis, is the only vendor on record to achieve a 100% score in MITRE Engenuity testing, and won both Gartner’s 2021 ‘Customer Choice’ highest-ranked product and CRN’s 2021 Product of the Year award for endpoint security.

 

What does this all mean for me?

In future cybersecurity discussions, one of the Lineal team may speak with you about EDR, and may quote SentinelOne as an alternative option to renewing your existing antivirus.

If you would like to discuss this with us, please contact [email protected] or simply speak to one of our team.

 

PC & Mac? And Servers too?

Yes!

 

Will I still be able to purchase other Antivirus products via Lineal?

Yes!


Log4j Exploit Sets Internet Ablaze

A massive cybersecurity vulnerability discovered in an Apache logging tool has caused chaos across the internet, as organisations rush to patch millions of web-based services around the world.

The Log4j weakness exploits a bug in Apache’s open-source Log4j v.2 logging Java library, allowing an outside user to insert their own code that Log4j will interpret as ‘real’ instructions, to devastating effect.

Log4j is highly common across huge numbers of web-based services, servers with web based front-ends, and countless devices that support some kind of web-based maintenance – such as routers, network switches and many more.

A horrifying compilation of screenshots gathered on GitHub shows how (at time of writing) hackers can already exploit the bug everywhere from the search fields of LinkedIn, Amazon and Baidu, to the login pages of Apple and Cloudflare, across Webex meetings and even the chat boxes of online games such as Minecraft.

In each case, hackers can use the vulnerability to make the affected device either forward confidential information to another URL or retrieve a payload from another website. According to reports by Ars Technica, the trick has already been used in the wild, with researchers seeing new botnets, crypto-mining malware and more being installed by hackers.

CVE-2021-44228 is graded ‘Critical’ by Apache, and SysAdmins are advised to patch services urgently.


An Important Change: MFA

Lineal’s IT Support Teams are rolling out an important security change to the way we secure your Microsoft 365 accounts – enabling Multi-Factor Authentication (MFA) for all users.

We’re taking this step in response to a marked increase in account-theft attempts that we’ve seen in recent months; where previously MFA was an optional extra for added security, we’re now strongly recommending this be enabled across the board.

We feel this is an appropriate measure – in addition to having become a standard security measure across many web-based services in recent years, the advantages of MFA are increasingly recognised as vastly outweighing the downsides.

Who is affected by this change?

Every person with a Microsoft 365, Exchange Online or Azure user account licensed with Lineal.

What are the advantages?

An extra ‘factor’ at login drastically improves the security of your user account – making it difficult for any attacker who manages to obtain your username and password to log into Microsoft 365 using your identity.

If your credentials are stolen from another website, or tricked out of you via a phishing email, they are no longer enough for a hacker to access your account from another location. Multi-factor authentication is estimated to stop over 99% of this kind of automated (harvested credential-stuffing) attack.

Why are Lineal enforcing this?

We’ve encountered a noticeable increase in account-takeover attempts in recent months, with individuals’ work emails then being used for the onward spread of supply-chain attacks and phishing emails to others.

Multi-factor authentication is already standard practice across online-banking in the UK, and we believe it should be standardised for all identity-based online services.

How does it work?

In addition to your username and password, each user registers a third factor – typically either a mobile phone number (for SMS), smartphone authenticator app, USB security key or password manager – any of which generates a temporary code for login. This extra ‘factor’ verifies your identity – making it hard for a third party to log into your accounts, since they won’t have access to the temporary passcode.

There’s a short video introduction to MFA here, and you can learn more via our Client Portal guide here.

Which MFA method should I be using?

By preference, we recommend free authenticator-app based MFA via Microsoft Authenticator, Google Authenticator or similar apps for iOS/Android. These are generally considered a more secure method than single-use SMS (text-message) codes, which have their weaknesses, with Microsoft and others announcing that this method will be phased out.

However, even SMS-based MFA will be more secure than a standalone password, so we’ll still implement this where necessary.

 

Does my organisation need to budget for this?

No – although paid options are available if you need your MFA backed by Conditional Access or other security settings.

What’s the timetable for this change?

We’re aiming to have this change fully deployed by 2022.

What do I need to do?

Nothing for now – a member of your Lineal IT Support team will be in touch to discuss implementing the change.

What if I experience issues getting started with MFA?

Please contact our IT Support Teams via [email protected], 01271375999 or via our Client Portal, and one of our team will be happy to assist.


REvil Ransomware Gang Arrested

Law enforcement agencies have announced the arrest of seven individuals linked to REvil ransomware which caused a series of high profile ransomware incidents earlier this year.

Europol and the US Department of Justice recently announced the success of ‘Operation GoldDust’ which included a joint-effort from 17 countries – with arrests spanning Romania, Poland, South Korea and Kuwait.

The group are accused of 7,000 individual ransomware attacks, and of links to the attacks which breached organisations using Kaseya remote-management software back in July – a supply chain attack described by security specialists SentinelOne as a ‘well orchestrated’ and ‘mass-scale’ ransomware campaign.

REvil was also used in the devastating attack on the Colonial Pipeline which caused fuel shortages across the US East Coast, and at the world’s largest meat supplier JBS Foods earlier in 2021. Authorities are believed to have recovered around $6.1m in ransom payments so far.

Europol thanked all the countries involved, together with Eurojust and Interpol, for a concerted effort, and also praised the contribution of a number of private cybersecurity firms who assisted Operation GoldDust with technical support.

A previous investigation by Romanian police suggested the REvil group were an offshoot of those responsible for GandCrab ransomware released in 2018, and resulted in the release of three universal decryption tools by UK and US authorities which are believed to have prevented a further €60m of ransom payments from being extorted.

After originally claiming to be disbanding in September, it was revealed REvil’s infrastructure was itself hacked by a joint team from the FBI, US Cyber Command and the Secret Service – and forced offline. Key members of the group’s leadership, believed to be Russian, were thought to be on the run.

The issue of Russian reluctance to tackle cyber-crime syndicates also spilled over into warnings of US retaliation during in-person talks between US President Joe Biden and Russian President Vladimir Putin in June.


Lineal’s Lewis Graduates Degree Apprenticeship

Lineal’s Lewis Marrow has graduated from the University of Plymouth to become North Devon’s first cybersecurity ‘Degree Apprentice’.

Starting at Lineal in 2017 to pursue an apprenticeship in cybersecurity via PETROC, Lewis’s skills have gone from strength-to-strength to see him achieve a 2:1 BSc (Hons) from the University of Plymouth (Digital Technology Solutions: Cyber Security Analyst.)

‘Degree’ or ‘Higher’ Apprenticeships are an advanced category of apprenticeship organised by the National Apprenticeship Service that combine undergraduate-level academic work with specialist training in the workplace.

Apprentices are expected to ‘earn-and-learn’ in tandem, gaining both knowledge and industry skills that are greatly-valued by employers. Many, like Lewis, are quickly snapped up by their business sponsors full-time once their apprenticeship is completed.

Lewis said: “A Degree Apprenticeship has been a fantastic experience allowing me to gain the knowledge and training I require to become an IT professional, the team at Lineal have been very supportive along the journey and I would recommend to anyone.”

While working at Lineal, Lewis won a Petroc Outstanding Achievement Award, has appeared in a Department for Culture, Media and Sport ‘Real Ideas’ film project promoting STEM education in schools, and his cybersecurity work has improved the resilience of numerous organisations – including helping Lineal itself achieve Cyber Essentials Plus Certification.

Lewis also recently completed the Great North Run in a blisteringly quick time of just under 1 hour and 27 minutes!

Congratulations Lewis!


Lineal awarded Cyber Essentials Plus Certificate

Lineal are proud to announce that we have officially achieved Cyber Essentials Plus certification.

Our operations passed a number of rigorous vulnerability tests of our cyber security with flying colours. Cyber Essentials Plus is the advanced level of certification offered by the government-accredited Cyber Essentials scheme, supported by the UK National Cyber Security Centre – a public-facing arm of GCHQ.

The external audit of a sample of our systems saw a 100% pass rate across all PCs and devices – thanks to the hard work of our in-house Cybersecurity team who worked tirelessly to ensure our success.

Attainment of CE Plus certification showcases our dedication to protect and respond to the needs of our customers. This allows us to not only have peace of mind about the high standard of Lineal’s cyber protection, but also presents opportunities for us to more effectively assist your business in achieving the Cyber Essentials certificate.

Hackers’ methods have evolved in recent years, leading to a huge rise in phishing and malware attacks, with over 86% of businesses experiencing some form of cyber attack since 2017. The need for comprehensive cyber security standards within your organisation has never been greater.

Suitable for businesses of all sizes and sectors, Cyber Essentials certification helps to demonstrate that your organisation takes cybersecurity and its clients’ data protection seriously – ensuring trust from your customers.

Contact us today to assist with your organisation’s application and ongoing compliance. You can refocus on your core business, safe in the knowledge experienced technicians will be able to help you meet the requirements for successful certification or re-certification.


Lineal Takes On Capture the Flag SysAdmin Challenge

An intrepid group of Lineal IT engineers are each competing in a capture the flag (CTF) event designed to sharpen the skills of Systems Administrators.

Points are awarded by completing a number of investigative technical challenges across Hyper-V, Microsoft Azure and 365 – capturing a ‘flag’, or important string of text, which credits the player’s score.

Designed to test System Administration and IT engineering skills, one thousand contestants are taking part in the ongoing July event, organised by CyberDrain, and supported by judges from Managed IT Service Provider association CyberGeek.

There are forty flag-capture challenges being attempted by (overwhelmingly) IT engineers around the world – spanning server and client, Azure, Linux and Microsoft 365 management.

Challenges must be completed independently, and the scoreboard is updated as individuals compete for first place. Contestants are encouraged to tackle more difficult challenges to win prizes, and find creative alternative solutions to capturing flags – although hacking is strictly prohibited!

The capture the flag competition is sponsored by a number of leading IT, communications and cybersecurity providers, including Microsoft, Datto and Huntress.

Good luck to all those taking part!

For IT Support and technical expertise – please contact us today.


The Haunting of ‘PrintNightmare’ – Windows patches released

Microsoft have delivered emergency out-of-band patches for the ‘PrintNightmare’ zero-day Print Spooler vulnerability, with more on the horizon.

The bug, CVE-2021-34527, exists in all versions of Windows: a remote code execution vulnerability in which the Windows Print Spooler service improperly performs privileged file operations.

This vulnerability means that a cyber attacker could run arbitrary code – installing programs; viewing, changing or deleting data; and even going so far as to create new accounts with full user rights on the system, for exploitative purposes.

A cautionary Microsoft statement released outlined the situation with “the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as ‘PrintNightmare’, documented in CVE-2021-34527.”

Patches released are available for Windows Server 2019, Windows Server 2012 R2, Windows Server 2008, Windows 8.1, Windows RT 8.1, a variety of supported versions of Windows 10 and the no longer supported Windows 7.

However, Microsoft announced that security updates are not currently available for Windows 10 version 1607, Windows Server 2012 or Windows Server 2016, and urges prompt installation of its patches, when made available in due course, to deter any attacks via the domain controller. Microsoft also offer workarounds to those unable to download the July patches, including stopping the Print Spooler service and disabling inbound remote printing through Group Policy.

The proof of concept (PoC) was accidentally released by Chinese technology group Sangfor on GitHub, but was cloned and cached before the researchers realised their mistake and took down the PoC. The group were under the impression that the exploit had already been patched as part of Microsoft’s CVE-2021-1675 patch – a patch that Microsoft confirmed addressed a distinct attack vector and vulnerability associated with RpcAddPrinterEx.

The situation is continually updating and the latest news on Windows patch releases can be found here.


Kaseya Clients Struck by Ransomware

More than a thousand organisations using Kaseya Remote Monitoring and Management (RMM) software are estimated to have been hit by ransomware over the weekend.

The supply chain attack, which was described as “colossal and devastating” by security research company Huntress, is believed to have been carried out by the same Russia-linked ‘REvil’ ransomware gang strongly-suspected of the recent ransomware attack on meat-packing corporation JBS.

Miami-based Kaseya’s ‘VSA’ product – which is used by Managed Service Providers to provide remote IT services to the systems of organisations worldwide, including endpoint and patch management – is believed to have been breached with an update that rolled-out ransomware to many of Kaseya’s own customers.

REvil themselves claim the total number of encrypted user endpoints around the world may be as high as one million, and have demanded an unprecedented ransom of $70m in Bitcoin (around £51m at current price.)

On Friday, Kaseya advised all customers to immediately shut down any on-premises Kaseya VSA servers, to prevent hackers shutting off administrative access for future fixes – and ignore any communication from hacking groups while an FBI investigation was ongoing. 

Access to Kaseya’s cloud-based SaaS services were initially shut down as a precaution, but has since been restored, and an endpoint detection tool has been published online here.

It is now believed that the exploit for Kaseya VSA had recently been highlighted by the Dutch Institute for Vulnerability Disclosure, but patches to rectify the problem had not yet been issued. In the 48 hours following the breach, more than 2,000 VSA servers were taken offline – suggesting that many organisations did heed warnings issued by the US Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC) and others – although Swedish supermarkets, New Zealand schools and many others have had systems brought down by encrypted data.

Kaseya is publishing regular updates to its advisory page, here.

For Cybersecurity expertise and support, please contact our team today.


Updated: Phishing Email Examples

It’s 2021 but somehow the phishing email scams just keep coming.

You could almost miss the days when ‘Bill Gates’ would get in touch by email to offer you a shipment of diamonds. Modern email scams are much more sophisticated, the designs more convincing, and the payloads more dangerous – than ever.

Our advice remains the same:

  • Be wary of any unsolicited email or unknown contact.
  • Always look to see if an email is being sent from the correct domain.
  • Don’t open any unexpected or mystery attachment, or click links to unrecognised destinations.
  • If unsure, verify information with someone by asking via a communication method other than email (eg: by looking up a phone number separately from the email, and calling direct.)
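The second piece of advice, checking that an email really comes from the expected domain, is the one most easily automated. The following is an added Python example, not code from the original post, that pulls the real sender address out of the From header and flags untrusted domains, one-character lookalikes, display names that show a different address, and a Reply-To pointing elsewhere; the trusted domains and sample headers are constructed for it.

```python
import re
from email import message_from_string

# Constructed for this example: the domains your organisation expects mail from.
TRUSTED_DOMAINS = {"example.com", "sharepoint.example"}

# Constructed sample headers (not real messages from the original post).
SAMPLE_MESSAGES = {
    "genuine": "From: File Share <no-reply@sharepoint.example>\r\n"
               "Subject: Alice shared a document\r\n\r\n(body)",
    "lookalike": "From: File Share <no-reply@sharep0int.example>\r\n"
                 "Subject: Alice shared a document\r\n\r\n(body)",
    "display_name": "From: alice@example.com <alice.smith@webmail.example>\r\n"
                    "Subject: Invoice attached\r\n\r\n(body)",
    "reply_to": "From: Accounts <accounts@example.com>\r\n"
                "Reply-To: accounts@mail-example.example\r\n"
                "Subject: Updated bank details\r\n\r\n(body)",
}

ADDRESS_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_mailbox(header_value: str):
    """Return (display_name, address) from a From or Reply-To header value.
    Mail clients show the display name prominently; the address inside
    <...> is what actually matters."""
    value = header_value.strip()
    angle = re.search(r"<([^>]*)>", value)
    if angle:
        return value[:angle.start()].strip().strip('"'), angle.group(1).strip().lower()
    return "", value.lower()


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalike domains."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1,
                               previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def check_sender(raw_message: str):
    """Return a list of findings for one raw message (empty means nothing
    suspicious was seen in the sender headers)."""
    msg = message_from_string(raw_message)
    name, address = split_mailbox(msg.get("From", ""))
    domain = domain_of(address)
    findings = []
    if domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {domain} is not on the trusted list")
        for trusted in sorted(TRUSTED_DOMAINS):
            if 0 < levenshtein(domain, trusted) <= 2:
                findings.append(f"{domain} is a lookalike of {trusted}")
    shown = ADDRESS_IN_TEXT.search(name)
    if shown and domain_of(shown.group(0)) != domain:
        findings.append(f"display name shows {shown.group(0)} but mail came from {domain}")
    _, reply_to = split_mailbox(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        findings.append(f"replies would go to {domain_of(reply_to)}, not {domain}")
    return findings


if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, check_sender(raw) or ["ok"])
```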

Here’s our pick for some of the sneakiest our team have seen ‘in the wild’:

The Dodgy File Share (Deluxe Edition)

As useful to cybercriminals as a crowbar is to a burglar, these have been in use ever since file sharing and collaboration apps took over the world – this one appeared even more persuasive for its nearly spot-on branding imitating a Microsoft 365 file share link.

But the Deluxe edition takes this scam to a whole new level – with just one mistaken click giving cybercriminals automated access to the account, which is then even used to reply affirmatively to emails from colleagues asking whether the share is genuine. Nasty.

(Image: fake file-share email)

The TV License

TV licensing is something many people buy once a year, often never receiving physical proof, and don’t think about much – making this a clever way to steal card details without arousing too much suspicion.

These often go the extra mile – making up fake customer numbers and renewal dates – to seem real, which can also identify the email as a scam if cross-referenced in your own records.

The Pandemic Phish

Cybercriminals don’t let little things like ethics get in the way of a good scam – with widespread public fear, and the NHS Covid vaccine roll-out in full swing, everything is an opportunity to hack accounts, steal information, or extort money.

Please be aware the real NHS will contact you via a combination of text message and/or post, and certainly won’t threaten you with the loss of your vaccine appointment if you don’t click a suspicious link.

(Image: fake NHS email)

Divine Intervention

OK, perhaps not a threat to everyone – but it’s easy to imagine this inheritance scam prompting a click from someone more spiritually-minded. Technology aside, a compelling story is sometimes the most persuasive scam of all.

(Image: fake inheritance email)

For Cybersecurity expertise and support, please contact our team today.


FragAttacks: how they can devastate your WiFi devices

A new set of fragmentation vulnerabilities has been discovered which has the capacity to affect all Wi-Fi enabled devices dating back to 1997.

There are 12 separate vulnerabilities, discovered by New York University Abu Dhabi researcher Mathy Vanhoef and named FragAttacks (fragmentation and aggregation attacks). They have dangerous data-exfiltration potential: gathering information about the owner of a Wi-Fi enabled device and exporting it to an attacker within range, or running malicious code to compromise the device – bypassing WEP and WPA security protocols.

Vanhoef announced that more than 75 tested Wi-Fi devices are affected by at least one of the FragAttacks vulnerabilities, but a majority of the devices are impacted by multiple CVEs. These tested devices included Huawei, Google, Samsung and Apple for mobile devices; computers from Dell, Apple and MSI; Xiaomi and Canon IoT devices; Asus, Linksys and D-Link routers; and Aruba, Lancom and Cisco access points.

Furthermore, the identified CVEs allowed devices to erroneously reassemble fragments encrypted under different keys, to process fragmented frames as full frames, and to fail to clear fragments from memory when (re)connecting to a network. These vulnerabilities are named ‘FragAttacks’ because the issues lie in how the Wi-Fi network fragments and reorders data for easier transmission before reassembly at the receiving endpoint device.

Despite the existence of these unearthed vulnerabilities, the Wi-Fi Alliance released a statement saying that “There is no evidence of these vulnerabilities being used against WiFi users maliciously”, and suggests users protect themselves by downloading “routine device updates that enable the detection of suspect transmissions or improve adherence to security implementations”.

The video below demonstrates how the 12 discovered vulnerabilities can be used as a stepping stone to launch advanced malware attacks:


Security updates released for Adobe Reader zero-day vulnerability to arbitrary code execution

Adobe is warning customers of a critical zero-day bug, actively exploited in the wild, affecting its Adobe Acrobat PDF reader software.

The bug, tracked as CVE-2021-28550, affects eight versions of Adobe software (full list below) and is one of a set of vulnerabilities whose impacts include arbitrary code execution, memory leaks and exposure of private information.

Ten critical and four important vulnerabilities were addressed in Adobe Reader and Acrobat, in addition to five critical flaws in Adobe Illustrator, in Tuesday’s security patch release. Specific technical details of the bug were not made available to Adobe software users until after the 43 fixes had been released, which meant that until users installed them manually, the zero-day bug allowed hackers to execute virtually any command on targeted systems.

Users can install the new security fixes by going to Help > Check for Updates in Acrobat and Reader, or by downloading them from the Adobe Download Centre. Enabling automatic updates removes the need to install security updates manually, allowing Adobe products to update as soon as patch releases are detected.

List of affected Adobe software versions:

  • Acrobat DC, 2021.001.20150 and earlier versions – Windows
  • Acrobat Reader DC, 2021.001.20150 and earlier versions – Windows
  • Acrobat DC, 2021.001.20149 and earlier versions – macOS
  • Acrobat Reader DC, 2021.001.20149 and earlier versions – macOS
  • Acrobat 2020, 2020.001.30020 and earlier versions – Windows & macOS
  • Acrobat Reader 2020, 2020.001.30020 and earlier versions – Windows & macOS
  • Acrobat 2017, 2017.011.30194 and earlier versions – Windows & macOS
  • Acrobat Reader 2017, 2017.011.30194 and earlier versions – Windows & macOS


7.5 Million at risk from out-of-date ISP routers

Consumer watchdog Which? has investigated 13 legacy router models supplied by leading UK internet service providers (ISPs) including EE, Sky, TalkTalk, Virgin Media and Vodafone – and its report found that around 7.5 million internet users are at risk from out-of-date hardware.

Out of the 13 router models investigated, 9 presented pressing security flaws that are unlikely to be in compliance with upcoming UK government legislation around tackling the security of connected devices.

The new legislation is in response to government figures showing that 49% of UK residents have purchased at least one smart device since the start of the COVID-19 pandemic. Given this hugely increased national exposure to potential cyber-attacks, the proposed legislation will ban easy-to-guess default passwords across all such devices, and enforce policies making it easier to report software bugs that hackers could exploit on legacy or modern hardware.

Kate Bevan, Which?’s Computing Editor, commented that “proposed new government laws to tackle devices with poor security can’t come soon enough – and must be backed by strong enforcement.” Which? are simultaneously pushing for increased transparency from ISPs about how customers automatically or manually update their routers and how they should actively upgrade existing customers who are identified as being in the ‘at risk’ category.

Of those 7.5 million affected, 6 million users currently possess ISP hardware that has not been updated since 2018 and a few instances even as far back as 2016 – meaning that these vulnerable devices have not received security updates for defence against the latest threats posed by cybercrime.

Which? identified a cluster of three main problems with ISP legacy hardware: weak default passwords that could allow cybercriminals unlimited access to a router from anywhere, a lack of firmware updates, and a local network vulnerability in the EE Brightbox 2 giving potential hackers full control of the router to install malware or spyware.

In response, Virgin Media have openly rejected Which?’s report conclusions; saying that 9 out of 10 customers are using their latest router models and are benefiting from regular router security updates. This sentiment was mirrored by BT Group (owners of EE), TalkTalk and Vodafone who announced that the HHG2500 device included in the Which? report has not been supplied since August 2019.

Devices with weak default passwords: TalkTalk HG635, TalkTalk HG523a, TalkTalk HG533, Virgin Media Super Hub 2, Vodafone HHG2500, Sky SR101 and Sky SR102.

Routers affected by lack of updates: Virgin Media Super Hub, Virgin Media Super Hub 2, Sky SR101, Sky SR102, TalkTalk HG523a, TalkTalk HG533 and TalkTalk HG635.

Routers that passed the Which? security tests: BT Home Hub 3B, BT Home Hub 4A, BT Home Hub 5B and Plusnet Hub Zero 2704N.


macOS Gatekeeper Vulnerability Discovered

Apple has released important security updates in macOS 11.3, in response to a serious Gatekeeper vulnerability discovered by security researcher Cedric Owens.

The weakness, found in Apple’s ‘Gatekeeper’ tool which normally blocks unrecognised apps from being installed by default, allows a dangerous file to be rigged so as to not trigger the operating system’s inbuilt safeguards.

Writing in a Medium Post entitled ‘Gatekeeper Bypass: 2021 Edition’, Owens demonstrates a terrifying method by which an attacker can ‘very easily craft a macOS payload that is not checked by Gatekeeper.’

Once launched, no warning prompts prevent the user from installing just about any dangerous application, which can also communicate with external servers without even triggering App Transport Security (ATS).

The simplicity of the hack, which leverages the fact that scripts placed in an app bundle’s Contents/MacOS/ directory are not checked, has been described by Objective-See as ‘massively bad’ and ‘a doozy’ of a blog post.

Gatekeeper itself was originally introduced in 2012 as part of an effort to stop the spread of malware in Mac OS X ‘Lion’ v10.7.5, and was followed by enforced application notarisation in 2020 under macOS 10.15 ‘Catalina’, as Apple required software developers to have apps officially cleared for authorised use.

In response to the discovery, Apple have released the macOS Big Sur 11.3 update with ‘improved state management’ that prevents the ‘bypass’ of Gatekeeper checks, and are urging macOS users to install the upgrade.

For Cybersecurity expertise and support, please contact our team today.


NHS COVID-19 update blocked for breaching privacy rules

The NHS COVID-19 app, run by the Department for Health and Social Care (DHSC), has had its latest update blocked due to a breach in the privacy terms outlined by Apple and Google.

The NHS COVID-19 app, available on Apple and Android devices, was to include a new feature allowing users (upon a positive COVID test result) to upload a list of all the locations and establishments they had visited, based on the venue QR codes scanned with their phone.

The Exposure Notification System built into the app would then alert other users who had entered the same venue to monitor their symptoms or get tested immediately. This update relies on location tracking – a type of tracking heavily reliant on Bluetooth monitoring of surrounding devices with the app installed – which is prohibited under the Apple and Google privacy agreements.

This is the latest in a calamitous string of COVID app mishaps by the UK Government who had only recently scrapped plans for their own rival system to the Apple and Android contact tracing system.

Total development of the UK-based rival tracking app cost £12 million over a three-month period, but it was eventually rejected due to battery-life issues and privacy concerns over Bluetooth’s potentially invasive interaction with, and data collection from, other apps installed on the device such as Facebook and Twitter. As a consequence, the Apple and Google system was adopted, even with the concerns over restrictions on location data.

As the UK returns to a quasi-normal state with Phase 2 of lockdown-lifting measures being rolled out today, this news comes as a blow for the Department of Health, who have released a statement reassuring the public that the update blockage does not affect the overall functionality of the NHS COVID-19 app and that there are “discussions ongoing with our partners to provide beneficial updates to the app which protect the public”.

Instead of the updated version, the previous form of the app will still be obtainable in both the Google Play and iOS App Stores.


Facebook & LinkedIn breaches hit 500 million users

Facebook and LinkedIn have both suffered massive data breaches, exposing the details of more than 533 million and 500 million user accounts respectively, it has been revealed.

Extensive leaked data from Facebook was reportedly found online by security researcher Alon Gal – including the personal information of 11 million UK users such as phone numbers, locations, birth dates and many email addresses.

It’s believed that the ‘hack’ may relate to a bug in Facebook’s friend-adding ‘Contact Importer’ tool which was fixed in September 2019. Previous breaches in 2017 fell before the introduction of GDPR, which Facebook argues absolved it of responsibility to notify users.

Questions still hover over the LinkedIn breach in particular, with the company claiming much of their data appears to have been aggregated from other sources, or (like Facebook) were perhaps not technically ‘hacked’ at all – but scraped in bulk from publicly visible parts of the popular professional website.

The huge cache of LinkedIn data was thought to be on sale, after security researchers found a 2 million user ‘sample’ advertised online.

A Facebook spokesperson told Reuters the social media platform will not inform users if their accounts were part of the breach, and LinkedIn are yet to issue a statement on this point – although given that LinkedIn has around 740 million accounts in total, a clear majority of its users are likely affected.

Users of both platforms can check if their email addresses (and now phone numbers) were likely breached via either platform over at: https://haveibeenpwned.com/ – and are advised to update passwords as a precaution.

For IT Support and cybersecurity expertise, please contact our team today.


32,000 Microsoft Exchange servers still at risk from Hafnium cyber breaches

Microsoft has announced that up to 92% of all stand-alone Exchange servers have been patched, following a mass data breach by the Chinese state-sponsored Hafnium group.

A mass attack exploiting four zero-day vulnerabilities in Exchange servers was identified in early March. According to Microsoft VP Tom Burt, some 400,000 on-premises Exchange servers were at risk, belonging to government and corporate data centres including defence contractors, schools and other entities globally.

Consequently, the ProxyLogon security fixes released on 2nd March have reduced this number significantly, with 92% of Exchange servers now protected by the new patches. Nevertheless, Microsoft states that around 32,000 servers remained unpatched and vulnerable to Hafnium activity, including theft of confidential data together with installation of ransomware and ‘corrupted web shells’, such as China Chopper, allowing unrestricted external access to the unpatched Exchange servers.

These security fixes are in conjunction with Microsoft’s Exchange on-premises mitigation tool (EOMT) which installs defender scripts and dependency downloads whilst automatically running the Safety Scanner; troubleshooting any identified problems on the Exchange servers.

However, the patches do not protect servers that have already been compromised from further exploitation; Microsoft has therefore advised organisations’ administrators to scan their stand-alone networks for malicious software and scripts that may already have been installed, in addition to the scans run by EOMT.

The attacks have raised questions over the security maintenance of in-house email servers, and add weight to the growing adoption of cloud-based email.


Urgent Patches issued for Microsoft Exchange Server

Microsoft have urged the system admins of on-premise Exchange email servers to update urgently in response to new breaches by state-sponsored hackers.

The Chinese group, known as ‘HAFNIUM’, are believed to have exploited previously undiscovered zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016 and 2019 via compromised US-based servers. Microsoft Exchange Online or related services (such as Microsoft 365) are not affected.

All four vulnerabilities were announced on Wednesday by the Microsoft Security Response Centre (MSRC) and graded ‘Critical’ – requiring urgent patching.

CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 together create a ‘perfect storm’: the attacker makes an untrusted connection to the targeted Exchange Server on port 443, authenticates as though they were an authorised user, and adds a web shell that grants a backdoor for future access.

HAFNIUM has previously been accused of industrial espionage and attempts to breach the technology of important private, public and national security organisations, including defence contractors.

As of 4th March, the Department of Homeland Security has also issued an emergency directive to all US federal agencies to urgently patch any on-premises Exchange servers by midday on 5th March.

 

For Cybersecurity advice and expertise, please contact our team today.


Cyber Aware Launch new Action Plan tool for Small Businesses

The UK National Cyber Security Centre have launched a new online Cyber Aware ‘Cyber Security Self-Assessment Tool’ to help small businesses.

Free to use, and aimed at organisations with fewer than ten staff, the short online questionnaire generates a handy to-do list of actionable cybersecurity recommendations and points to check, with guidance for each – depending on the answers submitted.

The questions branch depending on the circumstances of each small business, but cover topics including backups, passwords, technology lifecycle management and more. Small business owners are also directed to useful plain-English resources to address each point highlighted.

Cyber Aware is a campaign launched by the UK National Cyber Security Centre (the public-facing arm of GCHQ) designed to provide simple guidance for individuals and small businesses to use technology more safely.

You can learn more about Cyber Aware, the NCSC, and get your own Action Plan here.

 

For IT Support and cybersecurity expertise: please contact our team today.


Microsoft cautions against SMS 2FA

Microsoft have announced they will direct users away from SMS 2FA (‘text-based’ two-factor authentication) for security reasons.

Instead, the company will promote multi-factor authentication methods they consider to be more secure – including biometrics and secure authentication apps such as Microsoft Authenticator – for logging into Microsoft services such as Microsoft 365 and Azure.

SMS-based two-factor authentication, where the user typically receives a passcode text message to their smartphone that acts as a secondary confirmation of who they are, has been a staple of online banking and many other secure online services needing two-factor authentication (2FA) for over a decade.

However, many now believe that even SMS messages can be intercepted, and would rather sign users up to authenticator apps or issue security keys that generate one-time passcodes on the device itself.

Official Microsoft statistics state that users who enable Multi-Factor Authentication (MFA) on their accounts to verify identity block 99.9% of all automated account breaches. Those using SMS-based two-factor authentication should not stop doing so (despite the flaws of SMS, any 2FA is better than none), but should consider swapping to other methods.

We’ve talked before about the often-predicted ‘death of passwords’ – and possible scenarios for their phasing out – but in recent years a number of big tech firms, including Apple, Google and Microsoft, have all outlined long-term plans to replace passwords with biometric or other forms of login.

However, this change to Microsoft’s advice will push MFA specifically towards biometric, authenticator-app or security-key based methods, rather than relying on mobile networks to deliver one-time passcodes.

 

For cybersecurity expertise and support, please contact our IT team today.


Lineal Becomes Keeper Partner

Lineal Software Solutions has become a managed service provider for Keeper Password Management.

We tested a number of different Password Management providers, including 1Password and LastPass, but were particularly impressed with Keeper.

Password management is increasingly recognised as a key pillar of cybersecurity: the UK National Cyber Security Centre admits it is ‘virtually impossible’ for users to use unique passwords for all their accounts without software assistance.

Password managers help users remember all their passwords – but can be a much more powerful tool for dramatically limiting the damage in the event of a single account being compromised.

Criminals increasingly use credential-stuffing attacks where automated tools use previously-breached account details to gain access to the user’s other accounts.

A good password manager ensures you can use a strong, randomly generated and distinct password across each of your accounts to prevent any single breach putting other data at risk.

Keeper can also notify users when breached passwords are identified online, integrate with single sign-on tools such as Active Directory, and enforce multi-factor authentication – all important considerations for organisations needing to maintain cybersecurity standards across large teams.

For added convenience, Keeper is available via the web, Windows/MacOS desktop clients, browser extension and Android/iOS mobile app.

 

For Cybersecurity advice and expertise, please contact our team today.

 


Windows XP Source Code Leaks Online

The original source code to Microsoft Windows XP and Windows Server 2003 has leaked online – nearly two decades after their original release.

Official support for Windows XP ended back in 2014, and the final security patch was a one-off release in 2017 released in response to the WannaCry ransomware attack that temporarily crippled large parts of the NHS.

Among the interesting things we learned was that Microsoft originally included a hidden theme that made Windows XP look like Apple’s rival macOS operating system, and that the 4chan poster who released the dump had either added or helped spread anti-vax and population control conspiracy-theory material about Microsoft founder Bill Gates.

According to NetMarketShare, Windows XP still accounts for at least 1% of all PCs that generate web traffic worldwide (around 25 million PCs), although in practice this may include many air-gapped factory PCs and similar.

The 43GB data dump has been available to Government agencies and similar for a while, although it’s unusual that the public at large have the opportunity to discover zero-day exploits for an entire operating system. Microsoft urges users not to still be using XP: the outdated platform is insecure even for the oldest legacy services.

 

For IT expertise and guidance, contact our IT team today.


DNS Vulnerability: Your IT Team to the Rescue

July 14th: as Microsoft flag a ‘Critical’ severity-10 vulnerability in Domain Name System (DNS) servers worldwide, Lineal engineers rush to patch the infrastructure of dozens of organisations overnight.

The Microsoft Security Response Center recently released details of CVE-2020-135, a ‘Critical Remote Code Execution’ weakness deemed ‘wormable’ (potentially spreading between devices automatically) affecting all Windows Server versions.

A grade of 10.0 is the highest possible severity level that can be assigned under the Common Vulnerability Scoring System (CVSS). For comparison, the WannaCry attack, which temporarily crippled the NHS in 2017, had a CVSS rating of 8.5.

Lineal staff use remote monitoring software to administer large numbers of client servers and devices, monitor hardware health and deploy patches more rapidly – and were quickly on the case overnight to patch the vulnerability as a special emergency.


Within 8 hours we’d patched a large number of DNS servers – applying both an initial fix and further scheduled updates.

DNS is a naming technology which translates the names of computers, servers and other networked devices into the IP addresses used to connect to them on private and public IT networks.


For this reason, DNS servers often have massive reach, and must be carefully protected to mitigate the risk of compromising an organisation’s technology on a huge scale – even across the globe.

Israeli IT security firm Check Point Software Technologies, who discovered the 17-year-old hidden bug and reported it to Microsoft, argue ‘this is not just another vulnerability’ and that it risks handing an attacker ‘complete control of your IT’ if IT admins fail to address the issue urgently.

 

For IT expertise and support, please contact our team today.


New macOS ransomware warning

Cybersecurity experts are warning against a prevalent new strain of macOS ransomware for Apple devices dubbed ‘EvilQuest’ – packaged alongside pirated versions of popular apps.

Like most ransomware, EvilQuest encrypts all the Apple user’s files and demands a $50 ransom for decryption within 72 hours.

While many Mac users believe malware for Apple devices does not exist – this is simply untrue. The newest strain comes after similar infections spreading between Mac users in recent years, including KeRanger and Patcher.

EvilQuest is also a more sophisticated effort than most attempts by cybercriminals: the app is correctly code-signed, with a very convincing installer, and even disables the Mac versions of common antivirus software such as Norton, Kaspersky, Avast, McAfee and BullGuard.

The trojanised software known to deliver EvilQuest to unsuspecting victims consists of torrented versions of popular Apple macOS apps, including Little Snitch, Ableton Live and Mixed In Key 8 – a popular DJ application.

Among the important steps Mac users should take to reduce the risk of macOS ransomware are:

  • Keep a regular, organised regime of backups, offline and air-gapped from the device itself.
  • Only download Apps from reputable sources.
  • Consider whether utilities like Malwarebytes and RansomWhere are needed as extra precautions.

 

For IT Support and cybersecurity expertise, please contact our team today.


Dropbox Trial New Password Manager

Cloud storage giant Dropbox is beta-testing a new password manager app – ‘Dropbox Passwords’ – by invitation only.

Password managers allow the user to generate and store encrypted, complex passwords for many user accounts inside a single piece of locked software and autofill them into websites and applications – making it easier to use diverse, complex passwords across all of your IT.

Password managers are a measure increasingly recommended by respected cybersecurity authorities – including the UK National Cyber Security Centre. Options like 1Password, LastPass and others are already well established, although Dropbox is likely to have significant reach to business customers considering using a password manager for the first time.


Unlike bigger rivals such as Microsoft’s Office 365 and Google’s G-suite, Dropbox do not offer workplace document editing apps – leading the company to explore new avenues for branching out beyond file-sharing and cloud-storage.

These plans have included Dropbox Paper (a collaboration and project management tool), integrations to other growing challenger-platforms such as Slack and Zoom, and now password management.

The rise of password managers has prompted some to speculate that the age of passwords (or at least memorised key-string passwords) may be over – either replaced by biometrics or generated, encrypted, held and recalled by software.

Principally a cloud-storage company that helped establish file-sharing in the minds of those who had never used it before, only time will tell if Dropbox can establish a broader brand for securing a cloud-first IT business world.

Dropbox Passwords can be found by invitation only here: https://play.google.com/store/apps/details?id=com.dropbox.passwords_android

 

For cloud-software and cybersecurity expertise, please contact Lineal today.


Securing the NHS C19 Contact Tracing App

The combined NHS Digital Taskforce, NHSX, recently beta tested the new UK Covid-19 contact tracing app on the Isle of Wight, and have released code to the cyber security community to review.

The app logs interactions with other Bluetooth-enabled smartphones each day, and allows the NHS to notify users who have been in contact with self-reporting Covid-19 cases that they should re-enter isolation as a precaution.

A recent blog post by the UK National Cyber Security Centre identified a number of areas for improvement, with the contact tracing app itself expected to be officially released in June 2020.

 

The Pairing Problem

NHS servers ping the app every 8 seconds to confirm active connections, and the app itself records received signal strength indicators (RSSI) via Bluetooth to gauge whether users have been in contact with each other. Users then upload their records if they experience symptoms.

Any attacker with access to this upload traffic (which does not include the user ID, but is unencrypted) could begin comparing submissions by start/end times and signal strength readings, and would theoretically be able to pair these users together.

This problem of uniquely identifiable pairs potentially compromises the identity of the individuals using the app, as well as their location history relative to each other.

The NCSC have confirmed that in the release version, even ‘anonymised’ RSSI data will itself be encrypted, to stop any third-parties attempting to ‘re-identify’ either or both of the users.

 

Intercepting the Public Key

In beta testing, the Authority’s Public Key was not transferred to the user’s phone via TLS encryption (like a secured web-page) raising the possibility that although the app could be downloaded successfully, this important piece of information used for submitting data could be compromised.

This would be akin to a kind of ‘man-in-the-middle’ attack, where a user’s encrypted uploads could be sabotaged or withheld (even if not decrypted) during transmission back to NHS systems.

Security researchers have suggested that since this key is not secret, it should be wrapped into the installation of the app itself.

The NCSC have since confirmed that intermediate certificate pinning has been used to reduce the risk of this happening, and that this limitation will be fixed once the Isle of Wight trial ends.
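An added example (not the NHSX app’s code or the NCSC’s) of the two mitigations this section describes: a copy of the Authority’s key shipped inside the app, and a pin check that rejects a fetched key or certificate whose SPKI hash is not in a pin set compiled in at build time. The byte strings are constructed stand-ins for DER-encoded public keys, not real key material, and the `upload_key` fallback is an assumed design.

```python
import base64
import hashlib
from typing import List, Optional

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. A real app
# would embed the Authority's actual key bytes at build time.
BUNDLED_AUTHORITY_KEY = b"constructed-authority-public-key-v1"
BACKUP_AUTHORITY_KEY = b"constructed-authority-public-key-v2"   # pre-planned rotation


def spki_pin(der_bytes: bytes) -> str:
    """Pin format used by HTTP Public Key Pinning: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(der_bytes).digest()).decode("ascii")


# Pins computed at build time and shipped inside the app package. Keeping a
# backup pin lets the Authority rotate keys without breaking old installs.
PIN_SET = frozenset({spki_pin(BUNDLED_AUTHORITY_KEY), spki_pin(BACKUP_AUTHORITY_KEY)})


def accept_fetched_key(der_bytes: bytes, pin_set=PIN_SET) -> bool:
    """Trust a key received over the network only if its pin is one we shipped."""
    return spki_pin(der_bytes) in pin_set


def chain_is_pinned(chain: List[bytes], pin_set=PIN_SET) -> bool:
    """Intermediate pinning: the server's chain must contain at least one pinned
    key (leaf, intermediate or root), so a substituted chain is rejected."""
    return any(spki_pin(cert) in pin_set for cert in chain)


def upload_key(fetched: Optional[bytes], pin_set=PIN_SET) -> bytes:
    """Key the app should encrypt submissions with (assumed design): the fetched
    key if it passes the pin check, otherwise the bundled copy, never whatever
    happened to arrive on the wire."""
    if fetched is not None and accept_fetched_key(fetched, pin_set):
        return fetched
    return BUNDLED_AUTHORITY_KEY
```

Because the check is a hash of the public key rather than of the certificate, the Authority can renew a certificate (new expiry, same key pair) without shipping a new pin set; only a change of key pair needs the backup pin to be promoted.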

 

Bluetooth Broadcast Values

The app operates via broadcast values which change every 24 hours to prevent a device being tracked over Bluetooth for longer periods of time. This is significantly longer than the industry standard of 15 minutes.

However, more controversially, a predictable ‘KeepAlive’ counter is used to connect old and new broadcast values, raising the potential for an attacker to re-identify the user beyond the 24-hour limit.

The NCSC defends the longer-term tracing as necessary to establish social interactions more accurately, but has resolved to randomise the counter to stop broadcast values being easily matched or the user re-identified indefinitely.
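The linkability problem described here, as an added simulation that is not the app’s code or the NCSC’s analysis: each device rotates its broadcast value daily, and every advert carries a keep-alive counter. `linkable_rotations` is the privacy check a designer could run over a captured advert log before shipping: it counts how many old/new value pairs a passive listener could join purely because the counter continues across the rotation. The 24-hour rotation and 8-second cadence come from the post; simultaneous midnight rotation, 64-bit values and a 32-bit counter are assumptions.

```python
import random
from dataclasses import dataclass
from typing import List

ROTATION_SECONDS = 24 * 60 * 60   # broadcast value changes every 24 hours (per the post)
ADVERT_INTERVAL = 8               # keep-alive cadence in seconds (per the post)
COUNTER_MOD = 2 ** 32             # assumed counter width


@dataclass(frozen=True)
class Advert:
    t: int                 # seconds since the listener started recording
    broadcast_value: str   # rotating pseudonym
    keepalive: int         # counter carried alongside the value


def device_adverts(rng: random.Random, days: int, randomise_counter: bool) -> List[Advert]:
    """Adverts one device emits over `days` rotations.

    randomise_counter=False models the beta design: the counter keeps incrementing
    straight across a rotation. True models the fix: a fresh random counter start
    on every rotation, so nothing carries over from the old value to the new one.
    """
    out = []
    counter = rng.randrange(COUNTER_MOD)
    for day in range(days):
        value = f"{rng.getrandbits(64):016x}"
        if randomise_counter:
            counter = rng.randrange(COUNTER_MOD)
        for t in range(day * ROTATION_SECONDS, (day + 1) * ROTATION_SECONDS, ADVERT_INTERVAL):
            out.append(Advert(t, value, counter))
            counter = (counter + 1) % COUNTER_MOD
    return out


def linkable_rotations(adverts: List[Advert]) -> int:
    """Count (old value, new value) pairs a passive listener could join because the
    new value's first counter continues exactly from the old value's last counter."""
    first, last = {}, {}
    for a in adverts:
        v = a.broadcast_value
        if v not in first or a.t < first[v].t:
            first[v] = a
        if v not in last or a.t > last[v].t:
            last[v] = a
    links = 0
    for new_value, start in first.items():
        for old_value, end in last.items():
            if old_value == new_value or start.t <= end.t:
                continue                      # not an old-then-new pair
            if start.keepalive == (end.keepalive + 1) % COUNTER_MOD:
                links += 1
    return links


def audit(devices: int, days: int, randomise_counter: bool, seed: int = 1) -> int:
    """The listener's view: every device's adverts interleaved in time order.
    Returns the number of rotations that can be linked across the 24-hour boundary."""
    rng = random.Random(seed)
    log = []
    for _ in range(devices):
        log.extend(device_adverts(rng, days, randomise_counter))
    log.sort(key=lambda a: a.t)
    return linkable_rotations(log)
```

With the beta design every device yields one linkable pair per rotation boundary, so a 24-hour rotation buys no unlinkability at all; with a randomised counter the count drops to zero, which is the property the daily rotation was meant to provide.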

 

Whistleblowing

Under beta testing, the app’s original policy documentation contained the line: “You may not publicly disclose any details of the vulnerability [that you’re reporting] without consent from NHSX.”

This would have run counter to the NCSC’s own vulnerability disclosure policy, which suggests that members of the technology community should be encouraged to highlight system weaknesses (particularly during public consultation beta-tests) for correction.

This line is to be removed from the public release version.

 

For cybersecurity support & IT expertise, please contact our team today.


easyJet Hit by Cyber Attack

Popular short-haul airline easyJet has been hit by a cyber attack, affecting around nine million customers.

In a statement, easyJet says that a “highly sophisticated cyber-attack” discovered in January 2020 compromised email addresses and travel details of roughly nine million travellers. For 2,208 customers, credit card information was also accessed.

No further detail has yet been publicised as to the nature of the breach, although the company stated that it had “closed off unauthorised access”.

The bad news comes at a difficult time for airlines, as air-travel has declined dramatically in the wake of Covid-19 restrictions. When faced with a similar situation in 2018, British Airways received a large financial penalty of £183m from the Information Commissioner’s Office.

The airline is contacting all affected customers, warning them to be extra vigilant towards ‘unsolicited communications’ due to the heightened risk of phishing attempts from criminals masquerading as easyJet who may have gained access to customers’ personal details.

Under new GDPR guidelines introduced in 2019, it is mandatory that breached organisations report to the UK Information Commissioner’s Office (ICO), who are currently investigating.

 

For cybersecurity and IT Support expertise, please contact Lineal today.


NCSC Whitelist & Blacklist Terms Replaced

The UK National Cyber Security Centre (NCSC) are officially removing the technical terms ‘Whitelist’ and ‘Blacklist’ from their organisation in an effort to be more inclusive.

The terms ‘Whitelist’ and ‘Blacklist’, which refer to lists of permitted and not-permitted things in the cybersecurity world, will be replaced with the more literal and accurate ‘Allow List’ and ‘Deny List’.

Prolific spam email domains for example are often ‘Blacklisted’ by system administrators – a negative association the NCSC feels should not, even inadvertently, imply a connection to skin colour.

The organisation, a more public extension of GCHQ, acknowledged in a statement on their website that whilst “…it’s not the biggest issue in the world…”, the organisation is acting positively in response to requests from the public, is making an effort to be more inclusive, and that using such terms might otherwise have impaired the recruitment of valued “future colleagues.”

‘Blacklisting’ also has an unfortunate connotation with an illegal practice of barring whistle-blowing employees and trade union members from working across certain sectors, which has a history within the construction industry among others.

Google Chrome, Microsoft Edge and others have made similar terminology decisions – deciding that pejorative references to colour should not be used in cybersecurity terminology.

 

For IT Support and cybersecurity expertise, please contact Lineal today.


Number of Covid-19 Scams Explodes

The volume of Covid-19 scams and phishing emails has increased dramatically in recent weeks according to cybersecurity authorities.

Email security software and cybersecurity provider Barracuda Networks has reported a 667% increase in phishing emails throughout the pandemic.

Common scams include pretending to represent Government, law enforcement or medical authorities to obtain information or financial payment, blackmailing users with threat of infection, donation requests for fake organisations, and malware distribution – including one new ransomware even dubbed ‘Coronavirus.’

[Graph: growth in Covid-19 email scams, via Barracuda]

In a joint statement published in April, the UK National Cyber Security Centre and US CISA (Dept. of Homeland Security) note the sudden rise in Covid-19 scams, and even highlight instances of SMS text-message phishing attempts mimicking UK Government text alerts.

In the example cited, a fake compensation payment is offered to entice the user to hand over details via an imitation UK Government website.


There has also been a growth in online hackers and trolls targeting Zoom and other video conferencing platforms. Users unfamiliar with this kind of software in particular may prove an easy target for cyber criminals.

Phishing scams are part of a larger trend of online Covid-19 themed fraud. In March, the NCSC removed around 500 fake online shops claiming to sell virus-related items over the internet.

Google currently estimate that Gmail filtering is blocking over 100 million phishing emails each day, and that almost 20% of online email scams now refer to Coronavirus (around 18 million) – likely to be the largest phishing ‘theme’ in history.

 

For cybersecurity expertise and assistance, please contact Lineal today.


Uh Oh, Time to Patch Firefox Again

Mozilla have released an urgent patch to version 74.0 of Firefox, notifying browser users around the world that it’s time to patch Firefox again.

The timing of the new patch, which also affects the ‘Extended Support Release’ (version 68.6) suggests that the latest update fixes a vulnerability which (at worst) may have been live in the browser since July 2019.

Mozilla’s official announcement from 3rd April categorises the impact as ‘Critical’, and states that ‘we are aware of targeted attacks in the wild abusing this flaw’.

The precise details of the security flaw have not yet been published, although we know the issue is a ‘use-after-free’ bug, in which the browser hands previously occupied memory back to the system but later code still references it – with online cybersecurity blogs speculating that whatever next occupies the relinquished memory may gain some level of access to the browser.

Community-led Mozilla, whose popular Firefox browser is still the world’s second-most popular desktop browser, suffered other critical security flaws as recently as January – when the US Department of Homeland Security took the unusual step of instructing users to urgently update their browsers following the discovery of a vulnerability which granted potential access to the operating system.

Not that Mozilla are unique in such issues: Google also faced embarrassment in recent months after rolling out an experimental change to Chrome which left millions of users unable to load new tabs.

Patch your browser regularly: Firefox users can update to version 74.0.1 via:

  • To upgrade on PC, open Firefox and click ‘About’ and select ‘Restart and Update Firefox.’
  • To upgrade on Mac, open Firefox and click ‘Options’, ‘Firefox Updates or Options’, ‘Advanced’, ‘Update to update Firefox.’

How secure is your password?

One of the biggest reasons for security breaches is weak passwords. People often choose passwords that are too short. Regardless of how tedious it seems, make it a point to update your passwords regularly, and use upper and lower case letters along with symbols and numbers.

The key measurement of password security is entropy. In computer science terms, this is a measure of how unpredictable a password is – in effect, how many guesses an attacker would need to make to work it out. As a rule, longer passwords drawn from a wider range of characters have more entropy and are harder to crack. In the table below you can see how shorter or simpler passwords are quicker to crack.

[Table: password strength by length and character set]

What should a password look like

Strong, secure passwords have a lot in common: they are usually long, unique and random, and involve a mixture of lowercase and uppercase letters as well as special characters and numbers. Trying to create passwords that have all of these qualities can sometimes be challenging.

Most insecure passwords are the result of human behaviour. People do a lot of very predictable things and in general find it difficult to be random, especially when they are actively trying to be – for instance putting special characters only at the beginning or end rather than mixing them into the middle, or using common phrases and keyboard patterns. So that we can remember them, we often use memorable pieces of information, but we should always, where possible, avoid clues and references to our personal lives.
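An added example, not from the post, that makes the entropy figures concrete for this section and for the earlier credential-stuffing discussion in the Keeper post: it infers the character pool a password draws on, converts length and pool size into bits of entropy, estimates brute-force time at an assumed guessing rate, flags the ‘symbols only at the ends’ habit described above, and generates a random password of the kind a password manager would produce. The guessing rate is a constructed figure, and the entropy value is an upper bound that assumes every character is truly random, which is exactly what human-chosen passwords fail to be.

```python
import math
import secrets
import string

# Character pools a password may draw from. The pool is inferred from the
# characters actually present, which is also how a brute-force attacker sizes the search.
POOLS = {
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "digits": string.digits,            # 10
    "symbols": string.punctuation,      # 32
}
FULL_ALPHABET = "".join(POOLS.values())  # 94 characters


def pool_size(password: str) -> int:
    """Size of the smallest union of pools that contains every character of the password."""
    return sum(len(p) for p in POOLS.values() if any(c in p for c in password))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy: length * log2(pool size), every position assumed uniformly random."""
    size = pool_size(password)
    return len(password) * math.log2(size) if size else 0.0


def crack_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Expected time to find the password by exhausting half the key space.
    1e10 guesses/s is a constructed figure for an offline attack on a fast hash."""
    return (2 ** entropy_bits(password)) / 2 / guesses_per_second


def symbols_only_at_ends(password: str) -> bool:
    """Flag the predictable habit of using digits/symbols only as a prefix or suffix
    around an all-letter core. The entropy formula above is blind to this; rule-based
    guessing is not, so such passwords are far weaker than their bit count suggests."""
    core = password.strip(string.digits + string.punctuation)
    return core != password and core.isalpha()


def generate_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """What a password manager does: independent CSPRNG draws over the full pool,
    so the entropy estimate is actually achieved rather than merely assumed."""
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Running `crack_seconds` on a generated 16-character password gives a figure in the billions of years at the assumed rate; the same arithmetic for an eight-letter lowercase word gives seconds, which is the point the table above makes.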

Where can I go for advice

There are many articles online to help assist with what a strong password looks like.  At a recent event Lineal ran with the South West Police Regional Cyber Crime Unit, which focused on cyber security, password strength was highlighted as a high risk for many businesses and individuals.

To find out more, or if you require any help with ways to help protect your business, please contact the IT support team at Lineal.


Lineal Hosts SW Police Cybersecurity Workshop

Local businesses recently gathered at Barnstaple Library for a special cybersecurity workshop organised by the South West Police Regional Cyber Crime Unit and Lineal Software Solutions Ltd.

Thirty participants from firms across the South West took part in a series of Lego-based group exercises highlighting key concepts in cybersecurity, as they sought to protect a fictional utilities company from attack by common real-world cyber crime.

The winning team defended their company by spending their budget on the correct countermeasures at each stage of the exercise, and strategically limiting the damage from any breaches in security.

The South West Regional Organised Crime Unit (SW ROCU) is one of nine regional units across England and Wales that delivers specialist capabilities to target and disrupt serious and organised crime. Designed to raise awareness of coordinated digital threats, the cybersecurity workshop session is part of a new educational initiative being run by the Police right across the region.

Group exercises were followed by a short Q&A including advice for businesses on related topics including network best-practice, password policy, physical security, and the Government’s new Cyber Essentials certification.

Lineal’s Head of Technical Services, Matt Norris, explained: “We were delighted to be able to organise the Cyber Crime Unit to run this very special workshop for local companies: we see cyber attacks becoming ever more sophisticated, and the SWRCCU takes a really positive and constructive approach to educating business owners about how to protect their organisations and employees.”

“Many businesses struggle to grapple with cybersecurity, but help and expertise is accessible.”

 

You can learn more about the South West Police Regional Cyber Crime Unit and its educational work across the South West online here.

For IT support and cybersecurity expertise, please contact Lineal today.