April 2024 – Newsletter Update Part 2

We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.

Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites.

We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website. We’ve linked to that page on our website at the end of this email.

Due to the volume of information to share relating to the recent quarter, we are splitting this issue of our newsletter into two parts:

  • Part 1 – Legislative changes covering Information Security, Environment, Health & Safety and Quality

  • Part 2 – Security threat and vulnerability intelligence, support for awareness raising and other information security news

Information Security

Security threat and vulnerability intelligence

This update covers the period from 1st January to 31st March 2024, but we have included any relevant information for the period to 26th April 2024.

If you are an IT professional, these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.

Microsoft

SANS Internet Storm Centre published the following summaries of Q1’s Patch Tuesday releases:-

Apple

Details of key Apple updates and security fixes can be found on Apple’s security updates page.

Linux, Android, Google

  • Linux xz-utils backdoor – A malicious backdoor was found in the data compression library xz (versions 5.6.0 and 5.6.1). It arose from a supply-chain attack years in the making. Luckily it was found by chance very soon after release and before it made its way into most distros, but it may have found its way into some Fedora Linux 40 and Fedora Rawhide developer distributions. It was given the highest (10/10) CVSS severity score. Users should check which version of xz they have installed and take appropriate steps to move to an unaffected version.

  • AWS Fixes Service Takeover Vulnerability
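
The xz item above tells users to check which version they have. The following is an added example (not from the newsletter or the xz project) of a small POSIX shell check that parses the first line of `xz --version` and flags the two releases the advisory names; the sample output it is tested against is constructed.

```shell
#!/bin/sh
# Added example: flag the backdoored xz releases (5.6.0 and 5.6.1) named in
# the advisory above. Assumes `xz --version` prints "xz (XZ Utils) X.Y.Z" on
# its first line, which is the format the xz command-line tool uses.

# Return 0 (true) if the given version string is one of the affected releases.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from `xz --version` output read on stdin,
# e.g. "xz (XZ Utils) 5.6.1" -> "5.6.1". Prints nothing if the line does
# not match, so callers can treat an empty result as "unknown".
xz_parse_version() {
    sed -n '1s/.*[Xx][Zz] Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Check the xz binary on this host. Prints a verdict and returns 0 if an
# affected release is installed, 1 if not, 2 if xz is absent or unparseable.
# Note: the backdoor lived in the liblzma library; on most systems the
# library and the xz binary ship in the same package at the same version,
# but confirming the liblzma package version with your package manager is
# the safer check.
xz_check_installed() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 2
    fi
    ver=$(xz --version 2>/dev/null | xz_parse_version)
    if [ -z "$ver" ]; then
        echo "could not determine xz version"
        return 2
    fi
    if xz_version_affected "$ver"; then
        echo "xz $ver is an affected release: update to an unaffected version"
        return 0
    fi
    echo "xz $ver is not one of the affected releases"
    return 1
}

# Run the host check when executed directly.
xz_check_installed
```

Constructed `xz --version` output can be piped into `xz_parse_version` to test the parser without touching the installed binary.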

Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies

We missed a number of posts from Q4 2023, so this update summarises the NCSC’s blog posts from the last six months that may be of use or interest. We have attempted to categorise them by topic.

Categories and posts (click to view)

AI
  • Revolutionising identity services using AI
  • AI and cyber security: what you need to know
  • The near-term impact of AI on the cyber threat
  • Introducing the guidelines for secure AI

Awareness Raising
  • NCSC’s cyber security training for staff now available

Cyber Essentials
  • Pathways: exploring a new way to achieve Cyber Essentials certification
  • Cyber Essentials: are there any alternative standards?

Governance/Guidance/General Information
  • Cyber security governance: the role of the board
  • NCSC for Startups: Playing cyber criminals at their own game
  • New guidance to help small organisations use online services more securely
  • What is an antivirus product? Do I need one?
  • The logic behind three random words
  • Penetration testing
  • Migrating to post-quantum cryptography
  • AIT fraud: what you need to know
  • Business communications – SMS and telephone best practice
  • Logging Made Easy with CISA
  • NCSC to retire Logging Made Easy
  • Our new principles to help make cloud backups more resilient
  • Principles for ransomware-resistant cloud backups
  • Mapping your supply chain
  • Ransomware and the cyber crime ecosystem
  • Cyber Assessment Framework 3.2
  • ‘NCSC Cyber Series’ podcast now available on Spotify
  • QR Codes – what’s the real risk?
  • Scam ‘missed parcel’ SMS messages: advice on avoiding malware

Incident Management
  • Responding to a cyber incident – a guide for CEOs
  • Getting started with cyber incident management

Supply Chain Management
  • New cyber security training packages launched to manage supply chain risk
  • Mastering your supply chain

Technical/Configuration Advice
  • Interactive administration in the cloud: managing the risks
  • Check your email security, and protect your customers
  • New ‘Connected Places’ infographic published
  • Products on your perimeter considered harmful (until proven otherwise)
  • Protecting PBX from cyber attacks
  • Private Branch Exchange (PBX) best practice
  • Unleashing the power of cloud with containerisation
  • Phishing attacks: defending your organisation
  • Reducing data exfiltration by malicious insiders
  • Setting up 2-Step Verification (2SV)
  • Secure sanitisation of storage media
  • New cloud guidance: how to ‘lift and shift’ successfully
  • Macro Security for Microsoft Office
  • Securing Office 365 with better configuration
  • Securing your devices

Information from the Information Commissioner’s Office and partner agencies

Noteworthy cyber incident and breach news in the quarter

This information is provided to raise awareness of the causes of incidents and breaches, so that preventative action can be taken against similar breaches in your organisation. It may also help to keep your awareness-raising materials up to date and to build business cases for information security investment.

Highlights of new and emerging malware, techniques and other vulnerabilities in the quarter

This is not intended to be a comprehensive summary. Readers are strongly recommended to sign up for some of the more regular vulnerability news feeds available from SANS and other providers, to stay abreast of emerging vulnerabilities in general and particularly those that may affect the systems they use.

Other infosec news

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch.

Here are some more helpful links which may be of use.

April 2024 – Newsletter Update Part 1

This update includes Information Security, Environment, Health & Safety and Quality – click to jump to the relevant section.

Information Security

Legislative changes

Published legislation

The following security-related legislation came into effect during the quarter.

Name: Various commencements to the Online Safety Act 2023
Potentially affected Management Systems: Security
Anticipated impact on Infosec subscribers: Low
High level summary: Regulatory and enforcement commencement act. The Online Safety Act 2023 is already recorded on the Infosec Legislation portfolio.

Other published

The UK and US Governments have signed a memorandum of understanding to develop tests for advanced AI.

Consultations etc.

  • The UK Artificial Intelligence (Regulation) Bill passed its second reading in March

  • The Information Commissioner’s Office (ICO) is also consulting on generative AI with respect to data protection – see the ICO update info below

  • Consultation on the Cyber Governance Code of Practice closed in March. It sets out the critical governance areas directors need to tackle in order to protect their organisations. The Code is designed to be simple to use, with the relevant information all in one place. It is for organisations of all sizes.

Environment

Legislative changes

No new principal legislation and no other relevant legislation was identified in this quarter.

Health & Safety

Legislative changes

Name: The Merchant Shipping (Special Measures to Enhance Maritime Safety) Regulations 2024
Potentially affected Management Systems: Health and Safety
Anticipated impact on Infosec subscribers: Specialist
High level summary: Implements provisions of Chapter XI-1 (special measures to enhance maritime safety) in the Annex to the International Convention on the Safety of Life at Sea, 1974 (“the Convention”) which are not already implemented in other United Kingdom legislation.
Reflected on Infosec? No. Infosec Legislation customers – please inform us if you feel this is relevant to your organisation and require it adding to your legislation portfolio.

Name: The Higher-Risk Buildings (Keeping and Provision of Information etc.) (England) Regulations 2024
Potentially affected Management Systems: Health and Safety
Anticipated impact on Infosec subscribers: Specialist
High level summary: Supports elements of the Building Safety Act.
Reflected on Infosec? No. Infosec Legislation customers – the Building Safety Act 2022, which this legislation supports, has been added to the Infosec portal and this legislation has been referenced from it. Please inform us if you feel that legislation is relevant to your organisation and require it adding to your legislation portfolio.

Name: Various commencements to the Building Safety Act 2022
Potentially affected Management Systems: Health and Safety
Anticipated impact on Infosec subscribers: Specialist
High level summary: Regulatory and enforcement commencement act.
Reflected on Infosec? No. Infosec Legislation customers – the Building Safety Act 2022, which this legislation supports, has been added to the Infosec portal and this legislation has been referenced from it. Please inform us if you feel that legislation is relevant to your organisation and require it adding to your legislation portfolio.

Consultations etc.

  • Consultation on The Terrorism (Protection of Premises) Bill (aka Martyn’s Law) closed in March. This legislation aims to improve public safety at events following the Manchester Arena Bombing in 2017. We reported on this in the Q3 2023 update

Round up of posts and announcements by the Health and Safety Executive (HSE) released in the quarter

  • April is stress awareness month

  • Updated guidance on RIDDOR reporting published. The HSE stressed that the legal requirements have not changed. This guidance is to help users understand the circumstances under which they should submit reports under RIDDOR

  • Guidance on protecting workers from violence and aggression at work including lone workers and advice for workers

  • Guidance on controlling legionella bacteria in evaporative cooling systems updated. More info about legionella and Legionnaires’ disease here and here

  • Updates on first aid at work guidance – on regulations and on selecting first aid training providers

  • ‘Asbestos – your duty’ campaign. Updated guidance on duty to manage asbestos published and refreshed asbestos guidance

  • New posters to help workers, building owners, landlords, employers or persons responsible for building maintenance on where asbestos is most frequently found in buildings. Industrial and residential

Quality

No new principal legislation was identified in this quarter. The only relevant legislative changes were minor amendments to the Russia Sanctions Regulations, which are already summarised on the InfoSec portal.

Name: Various minor amendments to The Russia (Sanctions) (EU Exit) Act
Potentially affected Management Systems: Quality
Anticipated impact on Infosec subscribers: Low
High level summary: Further ongoing amendments to the scope of goods and services covered under the Russia Sanctions Act

February 2024 – Newsletter Update

This update includes Information Security, Environment, Health & Safety and Quality – click to jump to the relevant section.

Information Security

Legislative changes

The following security-related legislation came into effect during the quarter. We mentioned the Online Safety Act 2023 as a breaking news story in the last update. After reviewing it, we have published a summary on InfoSec. Organisations may wish to revisit their acceptable use policies in light of that new legislation.

Name: Online Safety Act 2023
Potentially affected Management Systems: Security
Anticipated impact on Infosec subscribers: Low
High level summary: Legislation intended to make the internet safer, particularly for children, by reducing illegal and harmful content and harassment. It is aimed primarily at service providers, but some requirements have been controversial, particularly those which aimed to make messaging providers scan users’ messages for illegal material, which would require them to bypass encryption. The Online Safety Act has been added to Infosec for subscribers.

Name: Various commencement regulations for Online Safety Act 2023
Potentially affected Management Systems: Security
Anticipated impact on Infosec subscribers: Low
High level summary: Regulatory and enforcement commencement acts

Other updates

Microsoft

Patch Tuesday roundups

  • October – Included fixes for more than 100 issues, including three actively exploited zero-days and a patch for the rapid reset attack mentioned under Android & Google below. More details here

  • November – Addressed 64 flaws, including three which were known to be actively exploited. More details here

  • December – 35 patches were released in December, four of which were critical and none known to be actively exploited. More details here

Other

Apple

Key Apple updates and security fixes

  • October – 11 updates were released including five for iOS and iPadOS and three for macOS (Monterey, Ventura and Sonoma)

  • November – Eight updates released including two for iOS and iPadOS, and three for macOS (two for Ventura and one for Sonoma).

  • December – 12 updates including four for iOS and/or iPadOS and four for macOS (Monterey, Ventura and two for Sonoma)

  • More information can be found on Apple’s security updates page

Linux, Android, Google

  • In October, Amazon, Cloudflare and Google released advisories on addressing a rapid reset DDoS attack that affected their various cloud environments. Google provided an overview of the attack. Microsoft included a patch for this in their October Patch Tuesday release.

  • Updates were released in October for a number of Linux distros including Debian and Ubuntu, to address a buffer overflow vulnerability. More here

  • Google, Amazon and WhatsApp all announced support for passkeys, or made them the default login setting for users, in further moves away from passwords. Users are now able to use biometrics to log in to supported accounts. More here and here

  • Google’s Chrome browser now automatically upgrades all HTTP requests to HTTPS

  • A vulnerability in Android was announced where the restricted settings feature could be used to install malware on devices and obtain access to accessibility services. More here

  • In late November, a number of Google Drive users reported loss of several months’ worth of data.

Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies

  • With draft standards for Post Quantum Cryptography (PQC), the NCSC published guidance on implementing PQC and managing its risks here

  • Adding to its body of work around AI, new guidelines for Developers were published here

Noteworthy cyber incident and breach news in the quarter

  • Probably the largest breach in the quarter affected the 23andMe genetic testing company, with the theft of genetic and ancestry data. It was estimated that nearly 7 million users were affected. 23andMe later appeared to blame the users’ poor password hygiene. Hackers initially breached 14,000 accounts and were then able to scrape the data of 6.9 million users who had opted to share data with people to whom they had genetic links.

  • A Spanish aerospace company suffered an attack via LinkedIn messages from a fake recruiter purporting to be from Meta, which contained malicious code in the form of coding quizzes and challenges. More info here

  • Boeing was hit by a LockBit ransomware incident in November. More here

  • Okta confirmed a breach in its support case management system in October. They later informed more than 5,000 current and former employees that their data had been breached, and said the breach affected all Customer Support users. Okta said the breach likely arose when an employee signed in to their personal Google account on a company device. More here, here and here

  • The Irish Police confirmed that more than 500,000 records relating to seized vehicles, including personal data, were found online in an unprotected database

  • The British Library suffered a major outage in October

  • OpenAI confirmed that ChatGPT outages in early November were due to DDoS attacks.

  • CTS, a managed services provider, confirmed a cyber breach affecting a number of UK law firms in late November. The outage interrupted property transactions.

New and emerging malware and techniques in the quarter

  • The FBI published a Private Industry Notification (PIN) warning of new ransomware attack trends, where organisations are hit by two ransomware variants in quick succession, and of new data destruction techniques. The PIN includes recommendations for preparing for and protecting against incidents.

    • On a related note, the No More Ransom initiative from Europol provides guidance and decryption tools for cracked ransomware strains here

  • Microsoft’s Digital Defense Report claimed that 80-90% of successful ransomware compromises originated through unmanaged devices, including users’ personal devices (BYOD), and that human-operated ransomware attacks, mostly affecting organisations with fewer than 500 users, had increased by 200%. More here and here

Other infosec news

Environment

Legislative changes

No new principal legislation was identified in this quarter. The only relevant legislative changes were one amendment and one commencement order for aspects of acts already summarised on the InfoSec portal, and an extension to The Value Added Tax (Installation of Energy-Saving Materials) Order 2024 relating to Scotland.

Name: The Value Added Tax (Installation of Energy-Saving Materials) Order 2024
Potentially affected Management Systems: Environment
Anticipated impact on Infosec subscribers: Low
High level summary: Widens the scope of the temporary zero-rate of VAT on supply and installation of energy-saving materials in Scotland.

Name: The Fluorinated Greenhouse Gases (Amendment) Regulations 2023
Potentially affected Management Systems: Environment
Anticipated impact on Infosec subscribers: Low
High level summary: Corrects an error in Article 16 of the F-gas regulation, which provides for the allocation of quotas for placing hydrofluorocarbons (HFCs) on the market.

Name: Various commencement regulations for Environment Act 2021
Potentially affected Management Systems: Environment
Anticipated impact on Infosec subscribers: Low
High level summary: Amendments relating to biodiversity gain

Health & Safety

Legislative changes

No new principal legislation was identified in this quarter. The only relevant legislative changes were one amendment and one commencement order for aspects of acts already summarised on the InfoSec portal.

Name: Various commencement regulations for Building Safety Act 2023 & High Risk Buildings Act
Potentially affected Management Systems: Health and Safety
Anticipated impact on Infosec subscribers: Specialist
High level summary: Regulatory and enforcement commencement acts

Name: Minor amendments to the Working Time and Flexible Working regulations
Potentially affected Management Systems: Health and Safety
Anticipated impact on Infosec subscribers: Low
High level summary: Amends some aspects of eligibility

Round up of posts and announcements by the Health and Safety Executive (HSE) released in the quarter

  • Annual Health and Safety Statistics for 2023 published – summary here

    • Key facts include 1.8 million workers suffering from work-related ill health in 2022/23, with almost half (875,000) relating to stress, depression or anxiety and 27% (473,000) relating to musculoskeletal disorders

    • 2,268 mesothelioma deaths due to past exposure were recorded

    • 135 workers were killed and 561,000 injured in work-related accidents or at work

    • 60,645 RIDDOR-reported injuries

    • 2 million working days lost due to work-related illness and workplace injury, at a cost of approximately £20.7 billion

    • Both the total number of workers suffering from work-related ill health and the number relating to stress spiked during the Coronavirus pandemic (covered in the 2021/22 statistics), and have not returned to pre-pandemic levels

    • Musculoskeletal disorders have declined slightly, but remain fairly constant

  • Stress at work – A new free online learning tool for employers was released in November. More here and stress guidance here

  • Refreshed asbestos guidance published here

Quality / Other

Legislative changes

No new principal legislation was identified in this quarter. The only relevant legislative changes were two amendments to the Russia Sanctions Regulations, which are already summarised on the InfoSec portal.

Name: The Russia (Sanctions) (EU Exit) (Amendment) (No. 4) Regulations 2023
Potentially affected Management Systems: Quality
Anticipated impact on Infosec subscribers: Low
High level summary: Further amendments to the scope of goods and services covered under The Russia (Sanctions) (EU Exit) Regulations 2023

Name: The Russia (Sanctions) (EU Exit) (Amendment) (No. 5) Regulations 2023
Potentially affected Management Systems: Quality
Anticipated impact on Infosec subscribers: Low
High level summary: Further amendments to the scope of goods and services covered under The Russia (Sanctions) (EU Exit) Regulations 2023

November 2023 – Newsletter Update

This update includes Information Security, Environment, Health & Safety and Quality topics.

Information Security

Legislative Changes

The following security-related legislation came into effect during Q2 2023. Of these, The Data Protection (Adequacy) (United States of America) Regulations 2023 is likely to have the most relevance to Infosec legislation customers. It should help simplify data sharing with entities in the US.

Infosec clients – please let us know if you require any of these to be added to your legislation portfolios:-

Name: The Data Protection (Adequacy) (United States of America) Regulations 2023
Potentially affected Management Systems: Security
Anticipated impact on Infosec subscribers: Significant
High level summary: This is the latest personal Data Protection equivalency agreement, recognising the United States of America as a country which provides an adequate level of protection of personal data for certain transfers for the purposes of Part 2 of the Data Protection Act 2018 and the UK GDPR. This means that personal data which will be in the scope of the EU-US Data Privacy Framework Principles can be transferred to persons in the United States of America who participate in the UK Extension to the EU-US Data Privacy Framework without the need for any specific authorisation. This will be cross-referenced from GDPR and the Data Protection Act 2018 on Infosec.

Name: The Product Security and Telecommunications Infrastructure Act 2022 (Commencement No. 3) Regulations 2023
Potentially affected Management Systems: Security
Anticipated impact on Infosec subscribers: Low
High level summary: Enacts provisions in the Product Security and Telecommunications Infrastructure Act 2022 relating to communications providers who are part of the electronic communications code.

****Breaking News****

During preparation of this newsletter, the UK Government finally released its much-publicised Online Safety Act 2023. This has been a long time coming, having started life in 2019 as a white paper on ‘online harms’. Its path to law has been controversial, not least because it has become a hot topic for privacy campaigners following its expansion to include requirements for ‘user-to-user’ and internet search service providers to be able to comply with requests from OFCOM to identify potential communications relating to terrorism. This is not currently achievable with end-to-end encryption of messages.

We are currently reviewing the act to determine its applicability to Infosec customers and will make necessary amendments. The full act is available on www.legislation.gov.uk

Other Updates

Microsoft

Patch Tuesday roundups

  • September – Included fixes for 59 issues, including two actively exploited zero-days. Five issues were rated as ‘critical’.

  • August – Addressed 87 flaws, of which 23 were remote code execution vulnerabilities. Two flaws were known to be actively exploited.

  • July – Addressed 132 flaws, including six which were known to be actively exploited. Nine ‘critical’ remote code execution vulnerabilities were fixed.

Other

  • Windows 11 support for passkeys – the latest release of Windows 11 includes support for passkeys as its next step toward eliminating passwords entirely, with secure login to websites via Windows Hello using face, fingerprint or PIN.

  • New faster, lighter Teams app – The new version of MS Teams was made generally available for Windows and Mac on 5th October. Microsoft claim that it’s twice as fast and uses half as much memory.

  • Reminder issued that TLS 1.0 and 1.1 are to be disabled in future versions of Windows.

  • Stolen key – Following initial disclosure that a stolen cryptographic key was used to access Exchange Online and Outlook email at US Government agencies and other organisations, it was determined that the key may have been used to access other MS cloud applications including SharePoint, Teams and OneDrive. The key was revoked, and Microsoft published key indicators of compromise, as well as agreeing to make cloud security logs available to all users for free from September (the latter was previously a premium option).

Apple

Key Apple updates and security fixes

  • September – Apple had a busy September with 20 updates and releases in the month, including new operating systems across most devices – macOS Sonoma 14 (released 26th), iOS 17, iPadOS 17, tvOS 17 and watchOS 10 (all released on 18th). Major app updates included Xcode 15 (released on 18th) and Safari 17 (released on 26th).

    A fix for an actively exploited zero-day flaw that could allow installation of spyware was released in iOS 16.6.1 and iPadOS 16.6.1 on 7th September

  • August – Was a very quiet month with only two updates released – macOS Ventura 13.5.1 was released on 15th August and watchOS 9.6.1 on 15th

  • July – Eight updates were issued, including a Rapid Security Response for macOS Ventura, iOS and iPadOS that was pulled and reissued due to reports of the first release causing browser crashes.

More information can be found on Apple’s security updates page

Android & Google

  • Weekly Chrome updates – Google announced in early August that security updates to Chrome will be published weekly to the stable channel to reduce the patch gap

  • A heap buffer overflow bug in Chrome was reportedly fixed in a security fix released on 11th September.

  • Google search indexed Bard conversations – In late September it was reported that, where users chose to ‘share’ a Bard conversation with friends etc. by creating a sharing link, the search engine was indexing those links and making them available to a wider audience in search results. Google said it was working on a fix.

 Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies

  •  New principles for making cloud backups more resilient against ransomware
  • Supply chain security resources – including guidance and e-learning modules

  • AI – ‘prompt injection’ attacks and data manipulation – Explores two specific vulnerabilities in Large Language Model (LLM)-type AIs like GhatGPT and Google Bard. Prompt Injection involves users creating a specific input/request designed to make the model behave in an unintended way e.g., to expose confidential information.  Data manipulation or ‘data poisoning’  could allow attackers to bias LLMs or compromise security.

  • Spotlight on Shadow IT – new guidance to help organisations manage rogue devices and services

  • Updated advice for organisations considering a Security Operations Centre (SOC)

  • Top tips for staff e-learning course – the course covers phishing, password security, device security and reporting incidents. The guidance is generic and could conflict with organisational rules, so organisations should take steps to ensure their staff understand the organisation’s own rules, but this training can be a useful ‘baseline’ for staff

Roundup of recent blog posts by the Information Commissioner’s Office (ICO)

  • Simple data protection tips – the ICO has released new video guides in their e-learning suite

  • Data Protection Officer Community Forum launched – The forum is intended to offer space to network, explore topics in detail and share experience. This would appear to be a helpful way for DPOs of organisations holding ISO 27001 certification to demonstrate ‘contact with special interest groups’. DPOs can register for the forum

  • Guidance on lawful monitoring in the workplace – Guidance to stay on the right side of the law

Recent noteworthy cyber incidents

  • UK Police Services – It hasn’t been a good period for UK police services…

    • Police Service of Northern Ireland – A man was arrested and bailed following a Freedom of Information (FoI) request that resulted in the PSNI posting a spreadsheet online identifying 10,000 serving officers.

    • Metropolitan Police – London’s Met Police suffered a breach via a supplier’s IT system. Data relating to all 47,000 employees was reportedly exposed.

    • Norfolk & Suffolk Police – reported a ‘technical issue’ that led to raw data relating to crime reports being included in FoI reports.

    • Cumbria Constabulary – announced that the names and salaries of all its officers and staff had been uploaded to its website in March.

    • In September, Greater Manchester Police revealed that names and pictures of its officers had been accessed in a ransomware attack on a third-party supplier of its ID badges.

  • Okta – on 19th October, Okta, a provider of MFA and SSO tools, informed some users of a breach affecting recent support cases, where files uploaded by some customers were exfiltrated from Okta’s systems. BeyondTrust claim that they identified and escalated the issue to Okta on 2nd October after identifying an apparently successful attack on an Okta administrator account.

    • 1Password – the password manager provider has reported that it was affected by the above Okta breach. It claims no user data has been breached.

    • MGM Resorts and Caesar’s Entertainment both suffered significant ransomware attacks in September, again linked to the Okta breach. Caesar’s reportedly paid a $15M ransom.

  • Microsoft – AI researchers working for Microsoft failed to secure 37TB of passwords, private keys and internal Teams messages, via an unsecured Azure/GitHub environment.

  • It was reported in September that Kettering-based KNP Logistics Group in the UK had entered administration as a direct result of a ransomware attack in June. Around 730 employees were made redundant. If you’re struggling to get management buy-in for information security.

  • A ransomware attack on Danish hosting firms CloudNordic and AzeroCloud resulted in the loss of the majority of their customers’ data, highlighting the need to ensure that you have good backups of information held in cloud storage.

  • Airbus suffered a data breach via a customer. Malware in an unauthorised version of Microsoft’s .NET framework resulted in the cybercriminal gaining access via a Turkish Airlines computer which was able to connect to Airbus’s web portal. Information relating to the airline was then downloaded from Airbus’s systems.

And the list goes on:- Save the Children, UK Electoral Commission, a number of UK ambulance trusts, Barts Hospital, Dublin Airport, NATO, Tesla and Tempur to name a few, all suffered or reported significant direct or supply-chain-led breaches or attacks in the quarter.

New and emerging malware and phishing techniques

  • New spin on ZeroFont phishing – a trick first documented back in 2018 has a new spin in 2023. The trick involves using zero-point (zero-sized) fonts in formatted emails to make malicious emails appear as if they have been scanned and passed by Outlook security. The new spin works on message previews viewed in the preview pane in Outlook and other mail apps. A fake scan message is embedded in the email. The zero-sized font means the text is not visible in the full message, but Outlook displays it in the preview pane, giving the reader false assurance that the email has been scanned.

  • Permanent Zoom links – system settings may allow unauthorised persons to initiate Zoom conference meetings as valid employees. The company-specific Zoom links include embedded ID and passcode information that work indefinitely, potentially opening employees or customers to phishing or social-engineering attacks.

  • Cisco routers backdoored – by Chinese state actors, according to US and Japanese agencies

  • Thumb drives – what’s old is new again – Mandiant notes the use of thumb drives as a malware vector is on the rise. You have blocked them, haven’t you?

  • Malware loaders responsible for 80% of attacks in 2023

  • Another BlackCat ransomware variant
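The ZeroFont item above describes text that is invisible in the rendered message but still shown in a preview pane. As an added example (not from the newsletter or from any mail vendor), the following scanner walks the HTML part of an e-mail and separates text inside zero-sized elements from the visible text, flagging hidden banners that claim the message has already been scanned. The sample messages, the class and function names, and the lure phrases are constructed for illustration.

```python
# Added example (not from the newsletter or any named vendor): a scanner that
# finds text hidden with a zero-point font in an HTML e-mail, the trick the
# ZeroFont item above describes. A mail gateway or triage script could run
# this over the HTML part of a message and flag hidden "scanned / safe" lures.
from html.parser import HTMLParser
import re

# font-size:0 with an optional unit, e.g. "0", "0px", "0.0pt", "0 !important"
ZERO_SIZE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!important|$)", re.I
)
# Elements with no closing tag; they must not be tracked on the element stack
VOID_TAGS = {"br", "hr", "img", "meta", "link", "input", "area", "base", "col", "wbr"}
# Phrases a fake "already scanned" banner typically contains (assumed wording)
LURE_PHRASES = ("scanned", "no threat", "safe", "secure", "verified")


class ZeroFontScanner(HTMLParser):
    """Collects visible text and text inside zero-sized elements separately."""

    def __init__(self):
        super().__init__()
        self._stack = []          # (tag, is_zero_sized) for each open element
        self._hidden_depth = 0    # > 0 while inside any zero-sized element
        self.hidden_text = []
        self.visible_text = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        size = (attrs.get("size") or "").strip()
        is_zero = bool(ZERO_SIZE.search(style)) or (tag == "font" and size == "0")
        self._stack.append((tag, is_zero))
        if is_zero:
            self._hidden_depth += 1

    def handle_startendtag(self, tag, attrs):
        if tag not in VOID_TAGS:   # e.g. <span/>: open and immediately close
            self.handle_starttag(tag, attrs)
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        # Pop back to the matching open tag, tolerating sloppy HTML
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                for _, was_zero in self._stack[i:]:
                    if was_zero:
                        self._hidden_depth -= 1
                del self._stack[i:]
                return

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.hidden_text if self._hidden_depth else self.visible_text).append(text)


def scan_email_html(html):
    """Return a verdict dict for one HTML e-mail body."""
    parser = ZeroFontScanner()
    parser.feed(html)
    parser.close()
    hidden = " ".join(parser.hidden_text)
    lure = any(p in hidden.lower() for p in LURE_PHRASES)
    return {
        "zero_font_text_present": bool(hidden),
        "fake_scan_lure": lure,
        "hidden_text": hidden,
        "visible_text": " ".join(parser.visible_text),
    }


# Constructed sample message: the hidden banner is what a preview pane shows
SAMPLE_PHISH = """<html><body>
<span style="font-size:0px">Scanned by Outlook security - no threats found</span>
<p>Your invoice is attached. <a href="https://example.invalid/pay">Pay now</a></p>
</body></html>"""

SAMPLE_CLEAN = "<html><body><p>Agenda for Monday attached.</p></body></html>"

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, scan_email_html(body))
```

Any zero-sized text at all is unusual in legitimate mail, so `zero_font_text_present` alone is a reasonable quarantine or review trigger; the `fake_scan_lure` flag narrows it to the specific preview-pane trick described above.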

Other infosec news

  • Evidence is emerging that some LastPass vaults were breached following the breach disclosed in November 2022. Researchers have speculated that a number of high-value cryptocurrency thefts indicate that the owners’ LastPass vaults were cracked to access their cryptocurrency wallets.

  • GitHub has made passkeys generally available – All users must enable 2FA on GitHub by the end of 2023. To facilitate this GitHub released passkeys to all users in September.

  • OpenAI investigated by FTC – The US Federal Trade Commission opened an investigation to determine how it handles, uses and secures information including personal information

  • WinRAR Zero day vulnerability – allows installation of ransomware

  • Ubuntu privilege escalation flaws – up to 40% of Ubuntu users may be vulnerable.

  • MikroTik router privilege escalation vulnerability – may affect up to 900,000 routers. Users are urged to upgrade.

  • Your colleague’s loud typing could be more than just annoying – researchers claim to have translated the sound of keystrokes into what was being typed with up to 95% accuracy when recorded on an iPhone, and 93% when recorded over Zoom.

Environment

Legislative changes

We are aware of five legislative changes since the last newsletter that may be relevant to some or all our clients. The first two below have the potential to be significant for organisations carrying out packaging work in England and Northern Ireland respectively. The remaining three are likely to be low or minor and relate to new or modified penalties for environmental breaches.

Infosec clients: please let us know if you require any of these to be added to your legislation portfolios:-

Name | Potentially affected Management Systems | Anticipated impact on Infosec subscribers | High level summary

The Packaging Waste (Data Reporting) (England) (Amendment) Regulations 2023 | Environment | Potentially significant | Corrects errors in The Packaging Waste (Data Reporting) (England) Regulations 2023 (S.I. 2023/219), clarifying when a brand owner is a producer under the act, to assign responsibility to packer/fillers and importers rather than brand owners. Some organisations in England who previously disregarded this act as not relating to them may find this clarification brings obligations on them.

The Packaging Waste (Data Reporting) (No. 2) (Amendment) Regulations (Northern Ireland) 2023 | Environment | Potentially significant | Corrects errors in The Packaging Waste (Data Reporting) (No.2) Regulations (Northern Ireland) 2023 (S.R. 2023 No. 25), clarifying when a brand owner is a producer under the act, to assign responsibility to packer/fillers and importers rather than brand owners. Some organisations in Northern Ireland who previously disregarded this act as not relating to them may find this clarification brings obligations on them.

The Environmental Civil Sanctions (England) (Amendment) Order 2023 | Environment | Low | Amends the Environmental Civil Sanctions (England) Order 2010 (S.I. 2010/1157) to allow the EA and Natural England to employ a range of sanctions in dealing with environmental offences

The Environmental Permitting (England and Wales) (Amendment) (England) (No. 2) Regulations 2023 | Environment | Low | Amends The Environmental Permitting (England and Wales) Regulations 2016 to allow the EA to employ a range of civil sanctions including monetary penalties

The Environmental Offences (Fixed Penalties) (Amendment) (England) Regulations 2023 | Environment | Minor | Modifies the penalties that may be levied for breaches of aspects of the Environmental Offences (Fixed Penalties) (England) Regulations 2017 and the Environmental Protection Act 1990 relating to graffiti, litter, fly posting and waste disposal.

Biodiversity net gain rule implementation delayed

The UK Government has delayed the implementation of new rules required under the Environment Act 2021. The rules require developers to deliver at least 10% biodiversity gain as a condition for granting planning permission. The requirement was originally scheduled to come into effect in November 2023. It will now come into effect in January 2024 for large developments and April 2024 for smaller sites, with guidance published by the end of November 2023.

Health & Safety

Legislative changes

We are aware of five legislative changes since the last newsletter. These are likely to be relevant to organisations with obligations around domestic property management, specifically where those properties are defined as ‘high risk’ as described in the Building Safety Act 2022.

Infosec clients: please let us know if you require any of these to be added to your legislation portfolios:-

Name | Potentially affected Management Systems | Anticipated impact on Infosec subscribers | High level summary

The Building (Approved Inspectors etc. and Review of Decisions) (England) Regulations 2023 | Health and Safety | Specialist | Commencement of elements of the Building Safety Act 2022, which was brought in following the Grenfell fire disaster. These regulations are part of a number of regulations that implement Part 3 of the Building Safety Act in England.

The Building (Higher-Risk Buildings Procedures) (England) Regulations 2023 | Health and Safety | Specialist | Commencement of elements of the Building Safety Act 2022, which was brought in following the Grenfell fire disaster. These regulations are part of a number of regulations that implement Part 3 of the Building Safety Act in England.

The Building Regulations etc. (Amendment) (England) Regulations 2023 | Health and Safety | Specialist | Commencement of elements of the Building Safety Act 2022, which was brought in following the Grenfell fire disaster. These regulations are part of a number of regulations that implement Part 3 of the Building Safety Act 2022. Specifically, these regulations amend the Building Regulations 2010 in England to reflect requirements of the Building Safety Act 2022

The Building Safety (Leaseholder Protections etc.) (England) (Amendment) Regulations 2023 | Health and Safety | Specialist | Amends the Building Safety (Leaseholder Protections) (Information etc.) (England) Regulations 2022 (S.I. 2022/859) and the Building Safety (Leaseholder Protections) (England) Regulations 2022 (S.I. 2022/711), to implement leaseholder protection provisions in the Building Safety Act 2022

The Higher-Risk Buildings (Management of Safety Risks etc) (England) Regulations 2023 | Health and Safety | Specialist | Commencement of elements of the Building Safety Act 2022, which was brought in following the Grenfell fire disaster. These regulations are part of a number of regulations that implement Part 3 of the Building Safety Act 2022 in England and a number of elements of Part 2 of that act.

Round up of recent posts and announcements by the Health and Safety Executive (HSE)

Asbestos – The HSE is seeking feedback from organisations who have commissioned asbestos surveys and/or asbestos analysts from appropriate contractors.

Workplace facilities – guidance on welfare requirements for staff including those with disabilities and specifically about toilet and washing facility requirements

World Mental Health Day was on 10th October and National Inclusion Week was in the week commencing 25th September – The HSE issued a reminder about the UK Government’s ‘Working Minds’ mental health campaign

Guidance on supporting staff with disabilities or long term health conditions

The deadline for registration of high-rise residential buildings was 1st October 2023. Principal accountable persons (the organisation that owns or is accountable for the building’s safety) must register relevant buildings with the Building Safety Regulator.

Safety Climate Tool – assess the attitudes of your staff with a simple online questionnaire – info and links to training courses

2022-23 Fatal injury at work statistics published

Covid-19 – Health & Safety Executive has all the latest Covid information and advice here

Quality

Legislative changes

We are aware of five legislative changes since the last newsletter that may be relevant to some or all our clients.

  • The first three are likely to be relevant and significant to organisations.

  • The first two below relate to changes to some workers’ rights.

  • The third below may not seem to be immediately relevant to organisations, but breaches of the Protection from Sex-Based Harassment in Public Act by workers while on company business, and/or where those workers can be associated with the organisation via uniforms etc., could lead to reputational damage.

Many organisations already have ‘codes of conduct’ for workers that would forbid such behaviour, but if yours does not, it would be advisable to consider one to ensure that workers understand how their actions may reflect on the organisation and to set out your expectations on them.

While the Retained EU Law (Revocation and Reform) Act 2023 is unlikely to be directly relevant to organisations, EU laws that are revoked under it may be.

A further amendment to the Russia Sanctions Act was published in the period.

Infosec clients: please let us know if you require any of these to be added to your legislation portfolios:-

Name | Potentially affected Management Systems | Anticipated impact on Infosec subscribers | High level summary

Employment Relations (Flexible Working) Act 2023 | All | Potentially significant | Modifies the Employment Rights Act 1996 with respect to flexible working, including when it may be requested and when requests may be refused

Workers (Predictable Terms and Conditions) Act 2023 | All | Potentially significant | Amends the Employment Rights Act to give employed and agency workers the right to request a predictable work pattern. This has the potential to affect organisations in England, Wales or Scotland that have variable working patterns and demands, and/or who rely on temporary or agency workers.

Protection from Sex-based Harassment in Public Act 2023 | All | Potentially significant | Amends the Public Order Act 1986 to bring legal protections against intentional harassment, alarm or distress in relation to a person’s sex or presumed sex. While the offence applies to the individual carrying out the harassment or causing alarm or distress, employers may need to consider the potential impacts on the organisation of an employee being charged with an offence under this act while working for the organisation.

Retained EU Law (Revocation and Reform) Act 2023 | All | Low | An enabling act to further implement changes to UK law brought about by Brexit. It revokes a number of EU legislative instruments, all directly effective EU law, the modified principle of supremacy of EU law and the general principles of EU law. It also allows lower courts to depart from the body of EU case law when making decisions. In practice, this act is unlikely to directly affect most UK organisations; however, changes to and revocation of some EU law has affected UK organisations and will continue to do so as further changes are made.

The Russia (Sanctions) (EU Exit) (Amendment) (No. 3) Regulations 2023 | Quality | Low | Extends the scope of the restrictions of the sanctions to cover additional products and services and introduces exceptions relating to emergencies

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch.

July 2023 – Newsletter Update

We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.

Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites. We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website.

This update includes Information Security, Environment, Health & Safety and Quality/General Business.

Information Security
If you are an IT professional; these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.

Legislative changes
We are not aware of any material changes to legislation relevant to information security since our last newsletter. However, two amendments that are likely to be inconsequential to clients were made:

  • An amendment was made to the Data Protection Act 2018 to give an exception for legacy automated processing systems used by law enforcement and the intelligence services

  • A correction was made to one schedule of the Communications Act 2003 to correct a minor typo describing other relevant legislation

Other updates
Microsoft
Patch Tuesday roundups – June – Included a fix for a critical bug in MS SharePoint Server that could be exploited by an unauthenticated attacker on the same network, and a remote code execution vulnerability; May – Included fixes for three zero-day vulnerabilities, including two that have been actively exploited (Win32k Elevation of Privilege Vulnerability, Win32k Elevation of Privilege Vulnerability and Windows OLE Remote Code Execution Vulnerability); April – Included a fix for one actively exploited zero-day vulnerability (Windows Common Log File System Driver Elevation of Privilege Vulnerability) in a release addressing 97 flaws.

MS Authenticator enforcing number matching step – MS Authenticator users should by now have noticed that the app includes a mandatory number-matching step as part of login authentication. The step has been introduced to try to prevent users falling victim to ‘MFA fatigue’, where attackers use stolen credentials to try to sign into a protected account quickly and repeatedly, overwhelming potential victims with push notifications asking for login approval. Attackers hope that, by spamming the victim with requests, eventually they will just accept the login request in an attempt to stop the bombardment, and the attacker then gains access to the account. The number-matching step requires that the user not only approve the request but also enter the correct number. The victim will not have sight of the number because they are not legitimately trying to log in, so it is unlikely that they will enter the correct one and so they cannot authorise the illegitimate login.
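To make the mechanism concrete, here is an added example (not Microsoft’s code, and not from the newsletter) that models the server side of a push-based second factor with and without number matching. It shows that a bare ‘Approve’ tap is enough for a prompt the user never initiated, whereas number matching binds the approval to a value shown only on the screen where the login started. The class and function names (PushMfaServer, start_login, approve, legitimate_login, fatigue_scenario) are assumed for illustration.

```python
# Added example, not Microsoft's code: an in-memory model of the server side
# of a push-based second factor, showing why a bare "Approve" prompt falls to
# MFA fatigue and how number matching closes that gap. Names (PushMfaServer,
# start_login, approve) are assumed for illustration.
import secrets
import time


class PushMfaServer:
    """Tracks pending login attempts and decides whether an approval counts."""

    def __init__(self, require_number_match, ttl_seconds=60):
        self.require_number_match = require_number_match
        self.ttl = ttl_seconds
        self._attempts = {}   # attempt_id -> state of one push prompt

    def start_login(self, username, now=None):
        """Called after the password check succeeds.

        Sends a push prompt (modelled by the returned attempt_id) and returns
        the two-digit number that is displayed only on the screen where the
        login was started. Whoever did not start the login never sees it.
        """
        attempt_id = secrets.token_hex(8)
        number = secrets.randbelow(100)
        self._attempts[attempt_id] = {
            "user": username,
            "number": number,
            "created": time.time() if now is None else now,
            "decided": False,
        }
        return attempt_id, number

    def approve(self, attempt_id, entered_number=None, now=None):
        """Called when the user taps Approve in the authenticator app.

        Returns True only for a fresh, unexpired prompt and, when number
        matching is on, only if the typed number equals the displayed one.
        """
        attempt = self._attempts.get(attempt_id)
        if attempt is None or attempt["decided"]:
            return False                       # unknown or already used
        current = time.time() if now is None else now
        if current - attempt["created"] > self.ttl:
            return False                       # stale prompt
        attempt["decided"] = True              # one decision per prompt
        if self.require_number_match and entered_number != attempt["number"]:
            return False                       # wrong or missing number
        return True


def legitimate_login(server, username="alice"):
    """The real user starts the login, sees the number and types it in."""
    attempt_id, number_on_screen = server.start_login(username)
    return server.approve(attempt_id, number_on_screen)


def fatigue_scenario(server, prompts=5, username="alice"):
    """Model the MFA-fatigue situation from the text: someone holding the
    password triggers repeated prompts and the user, worn down, taps Approve
    on one without having started a login. The user has no number to type
    (modelled as None), so the approval only counts when matching is off."""
    for _ in range(prompts):
        attempt_id, _number_user_never_saw = server.start_login(username)
        if server.approve(attempt_id, None):
            return True                        # account access granted
    return False                               # every approval rejected


if __name__ == "__main__":
    print("legitimate login:", legitimate_login(PushMfaServer(True)))
    print("fatigue, plain push:", fatigue_scenario(PushMfaServer(False)))
    print("fatigue, number match:", fatigue_scenario(PushMfaServer(True)))
```

Two details matter beyond the number itself: each prompt is decided exactly once, so a rejected approval cannot be retried against the same prompt, and prompts expire, so a stale approval does not count later. A real deployment would also rate-limit repeated prompts for one account and alert on bursts of denials, which is the detection side of the same problem.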

Teams vulnerability allows external attackers to bypass phishing safeguards – Any user with a Microsoft account can reach out to an external tenancy and send messages that could allow attackers to put a malicious URL into the recipient’s inbox as a file rather than a link. Thereafter the attacker could use social engineering tactics to convince the recipient to click on the malicious file.

June outages due to DDoS attacks – Microsoft has attributed outages affecting 365 in early June to DDoS attacks.

Windows 11 Win32 app isolation feature in preview – Developers will be able to update Win32 apps to isolate them using AppContainers, reducing the potential for compromised apps to access key Windows APIs. 

Apple
Key Apple updates – June – Fixed zero-days used to deploy spyware via iMessage; May – Apple released its first Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1, however some users reported difficulties installing them. More from Apple on its RSRs here. It also issued fixes for three zero-days actively exploited on iPhones and Macs, and fixed a bug in macOS that allowed bypassing of System Integrity Protection (SIP) root restrictions; April – Apple released fixes for two exploited zero-day vulnerabilities affecting iPhones, Macs and iPads, and a fix for a WebKit zero-day (first fixed in March) affecting older iPhones and iPads – More information can be found on Apple’s security updates page

New privacy and security features released – iOS 17 brings features to automatically remove tracking parameters from URLs, protecting internet users against unwanted third party trackers such as marketing trackers. 

Android & Google
Gmail spoofing vulnerability – Google fixed a flaw allowing scammers to impersonate the UPS delivery service with Gmail flagging the email as authentic.

Chrome to retire the padlock icon – it’s served its purpose – From Version 117, Chrome will no longer use the padlock icon to indicate websites secured via HTTPS as it now considers this should be the default. Chromium recognises that the lock icon could also lead to a false sense of security as nearly all phishing sites use HTTPS now, as well as legitimate ones. Instead, a version of their ‘tune’ settings icon will appear. Websites still using HTTP will continue to be flagged as ‘Not Secure’.

Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies

Cyber Risk Management – Refreshed guidance for cyber risk management – including an eight-step risk management framework to understand what ‘good’ looks like, introduction of the concept of a risk management ‘toolbox’ covering key techniques and methods and introduction of a basic risk assessment and management method for those new to the concepts. 

Cloud Service Security – New advice for users of cloud services on implementing high-risk and ‘break-glass’ accesses in cloud services

Early Warning Active Cyber Defence service – The NCSC’s Early Warning Active Cyber Defence (ACD) service is moving to the MyNCSC platform. Early Warning is a free service designed to inform organisations of potential cyber-attacks on their networks. Any UK organisation holding a static IP address or domain name can sign up.

NCSC offers a number of ACD services including Mail Check, Web Check, an ‘exercise in a box’ solution to help organisations prepare for cyber incidents and the Suspicious Email Reporting Service (SERS)

Training – Supply Chain Risk – The NCSC has published free e-learning tools to help organisations manage the cyber security risks across their supply chains.

Training – General Infosec Training NCSC offers a range of e-learning tools including those aimed at staff in general. These courses are helpful for smaller organisations with distributed workforces, but we’ve seen some of the content at PCML and it is a little generic. We feel that organisations should still consider creating tailored training courses for their own users that explain the organisation’s security dos and don’ts. If you’d like advice and support in building your own training course content, we’d be happy to help.

Accessibility
In this blog post, NCSC discuss the need to ensure that security is accessible to all employees, taking into account specific physical and mental issues that some staff may have, as well as the working environments and systems used by employees in general. It identifies cases ranging from accessibility of training and awareness-raising materials through to usability of interfaces.

Roundup of recent blog posts by the Information Commissioner’s Office (ICO)
Risks of business use of generative AI – The ICO called on businesses to address the privacy risks of using generative AI before rushing to adopt the technology. It reminded organisations to spend time at the initial stages to understand how AI uses personal information and ensure risks are mitigated. Some of the risks of using AI in business were highlighted in the last PCML newsletter.

Guidance for developers and users of AI – The ICO has also published guidance for use of generative AI in the form of eight questions that developers and users need to ask, with specific emphasis on ensuring compliance with privacy obligations.

Guidance on Privacy Enhancing Techniques (PETs) – PETs can help organisations share personal information safely, securely, and anonymously. The ICO has issued guidance for data protection officers and others who are using large personal data sets in finance, healthcare, research, and central and local government. 

Guidance on Subject Access Requests (SARs) – SARs give individuals the right to request a copy of their personal information from organisations. This includes where they got their information from, what they’re using it for and who they are sharing it with. Organisations must respond to a SAR within one month of receipt of the request. However, this can be extended by up to two months if the SAR is complex. The ICO has issued guidance on responding to SARs 

Recent noteworthy cyber incidents
Capita – Suffered two breaches, one in March and a second in May. The March incident was attributed to a cyber-attack. Embarrassingly, the May issue appears to have been due to a failure to appropriately secure an Amazon S3 (Simple Storage Service) bucket, apparently leaving data relating to hundreds of thousands of individuals exposed

MOVEit – An actively exploited zero-day vulnerability was discovered in the MOVEit Transfer secure file transfer application in late May. Ransomware gangs including CL0P successfully exploited the vulnerability and the number of organisations confirming they were affected continues to grow with employee and other data being exposed. Further vulnerabilities in MOVEit have been discovered since the original issue was discovered in May

Zellis – Payroll provider Zellis were a victim of the MOVEit breach. Employee details relating to a number of high-profile UK companies including the BBC, Boots and British Airways are believed to have been breached. CL0P have apparently denied that they were responsible in this case however, raising the possibility that other hacking groups have exploited the MOVEit vulnerability as well

Toyota – disclosed a data leak where a misconfigured cloud environment exposed vehicle location data. The issue has been around for almost a decade 

New and emerging malware and techniques
Barracuda Networks has taken the unusual step of recommending to its customers that they immediately remove and replace its Email Security Gateway (ESG) devices following the discovery of malware that the company can no longer contain via updates. 

Other infosec news
Guide to protect against BlackLotus bootkit malware – The US NSA published a guide to help organizations detect and prevent infections of BlackLotus UEFI bootkit malware.

KeePass password manager updated to fix password-leak – The vulnerability could allow attackers to extract the master password. 

JP Morgan fined $4m for failing to retain information – The fine highlights the need for organisations to understand all their legal and regulatory obligations around retention and destruction of information and to put effective controls in place to secure evidence needed for investigations. 

Gigabyte PC Motherboard vulnerability – Motherboards shipped with its update utility are at risk of infection. Users are advised to turn off App Centre’s download-and-install feature 

Environment
Legislative changes
We are aware of four legislative changes since the last newsletter that may be relevant to some or all our clients. The first three are minor but could apply to multiple clients; the fourth is specific to clients in the Merchant Shipping industry. InfoSec clients: please let us know if you require any of these to be added to your legislation portfolios:-

  • The Restriction of the Use of Certain Hazardous Substances in Electrical and Electronic Equipment (Amendment) Regulations 2023 – Amends the list of hazardous substances whose use in electrical and electronic equipment is prohibited or restricted through The Restriction of the Use of Certain Hazardous Substances in Electrical and Electronic Equipment Regulations 2012. This mostly supports the bans on sales of various fluorescent and compact fluorescent lamps that are being staggered through 2023. Some clients may find they have to replace lighting fittings because replacement lamps will no longer be available.

  • The Plastic Packaging Tax (General) (Amendment) Regulations 2023 – Amends the method of claiming tax credits in respect of the plastic packaging tax

  • The Value Added Tax (Installation of Energy-Saving Materials) Order 2023 – Amends the Value Added Tax Act 1994 to allow full or partial VAT relief on installation of energy-saving materials in Northern Ireland and extends some existing reliefs for energy-saving materials

  • The Merchant Shipping (Prevention of Air Pollution from Ships) (Amendment) Regulations 2023 – Replaces EU regulations with British law to implement aspects of the International Convention for Prevention of Pollution from Ships (MARPOL).

Health & Safety
Legislative changes
We are aware of two legislative changes since the last newsletter. The first may be relevant to clients in the Merchant Shipping industry. The second may be relevant to InfoSec clients in the domestic property sales, lettings or management industries. InfoSec clients: please let us know if you require any of these to be added to your legislation portfolios:-

  • The Merchant Shipping (Fire Protection) Regulations 2023 – Replaces EU regulations with British law to implement aspects of International Convention for the Safety of Life at Sea, 1974 (SOLAS)

  • The Higher-Risk Buildings (Key Building Information etc.) (England) Regulations 2023 – Supports elements of the Building Safety Act 2022, which was brought in following the Grenfell fire disaster. These regulations specify the types of buildings defined as ‘Higher-Risk Buildings’ and the requirements for provision of information about those buildings to relevant authorities. They define the parties who may be Accountable Persons and Principal Accountable Persons with responsibilities for providing that information.

Other updates
Roundup of recent posts and announcements by the Health and Safety Executive (HSE)

Asbestos – The HSE is seeking feedback on communications about asbestos safety. Survey here. It has also released two new free resources for workers to test and enhance their knowledge about asbestos and asbestos risk.

Musculoskeletal Disorders ebulletin

LPG forklift truck fire risk safety notice – Warning and advice issued after a number of fires on LPG-powered forklifts during start-up

New online guide – introduction to managing health and safety – HSE has developed a new step-by-step online guide to help you quickly find and understand what your business must do to comply with health and safety law

Quality/General Business
Legislative changes
We are aware of seven legislative changes since the last newsletter that may be relevant to some or all of our clients. The first six appear to be low impact and are modifications to, or commencement of, existing legislation. The seventh appears to be a minor change relevant only to companies importing goods directly or indirectly from Developing Countries.
**InfoSec clients; please let us know if you require any of these to be added to your legislation portfolios:-

  • The Export Control (Amendment) Regulations 2023 – Extends existing legislation that controls the export of ‘dual-use’ items (items that could be used for civilian or military purposes) to some specific regimes.

  • The Russia (Sanctions) (EU Exit) (Amendment) Regulations 2023 – Extends the existing sanctions to cover additional products including specific goods, ‘revenue generating goods’ and activities and makes remedial amendments to existing restrictions on oil and oil products, gold, coal and coal products.

  • The Russia (Sanctions) (EU Exit) (Amendment) (No. 2) Regulations 2023 – Amends the geographic coverage of the existing sanctions within Ukraine and allows for sanctions to be used to compensate Ukraine for Russian aggression.

  • The Nationality and Borders Act 2022 (Commencement No. 6) Regulations 2023 – Enacted aspects of the Nationality and Borders Act 2022 including rights to deprive persons of citizenship and judicial oversight

  • Public Order Act 2023 – Brings additional disruptive activities under the umbrella of public order offences. Some parts of the act have yet to come into force. The offences relate to activities that are used as forms of protest. The act will also extend the powers of stop and search.

  • The Public Order Act 2023 (Commencement No. 1) Regulations 2023 – Commencement of the first parts of the above Public Order Act 2023

  • The Customs (Origin of Chargeable Goods: Developing Countries Trading Scheme) Regulations 2023 – Replaces EU regulations with British law. May be relevant to organisations importing goods from Developing Countries directly or via specified countries. In some cases, this includes where those goods are incorporated into other manufactured goods abroad, which are then imported.

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch

March 2023 – Newsletter Update

We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.

Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites. We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website.

This update includes Information Security, Environment, Health & Safety and Other – Russia Sanctions.

Information Security
If you are an IT professional; these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.

Legislative changes
The Investigatory Powers (Communications Data) (Relevant Public Authorities and Designated Senior Officers) Regulations 2022 amend the Investigatory Powers Act 2016. They change the powers of the relevant public authorities to acquire communications data, limiting their authority to internally authorise acquisition of communications data for serious crime purposes to the urgent situations defined in the Act.

The Computer Misuse Act 1990 is under review. You just have time to have your say – Review of the Computer Misuse Act 1990 – GOV.UK (www.gov.uk)

The Data Protection and Digital Information (No. 2) Bill is currently at the second reading stage in Parliament – Data Protection and Digital Information (No. 2) Bill – Parliamentary Bills – UK Parliament. Key points include:

  • A list of activities that would be considered ‘legitimate interest’

  • Records of processing would only be required for organisations carrying out processing activities likely to result in high risk to rights and freedoms of data subjects

  • Increase in fines for nuisance calls and texts to 4% of global turnover or £17.5 million, whichever is higher (bringing PECR penalties in line with UK GDPR penalties)

  • Framework for use of digital verification services

Other updates
Microsoft
Highlights of the last quarter’s Microsoft Patch Tuesdays:

  • March – fixed 74 security flaws, two of which were being actively exploited, including a severe weakness in Outlook that can be exploited without any user interaction

  • February – fixed three actively exploited zero-day vulnerabilities

  • January – fixed almost 100 security flaws, including a zero-day vulnerability in Windows, printer flaws and a SharePoint Server issue

The ‘Acropalypse’ bug affects Windows devices too. It is confirmed to affect the Windows 11 Snipping Tool and the Windows 10 Snip & Sketch tool. It was already known to affect Google’s Markup screenshot editor on Pixel phones. The flaw allows partial recovery of cropped or redacted images, including screenshots, because the edited image was written over the original file without truncating it, leaving the tail of the original image on disk after the new file’s end marker. Microsoft has released an update to fix the issue.

Microsoft fixes Acropalypse privacy bug in Windows 11 Snipping Tool (bleepingcomputer.com)
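The mechanism behind the bug, as an added example (this is not code from the linked article or from Microsoft): a PNG ends with an IEND chunk, and a correctly saved file has nothing after it. When the editor opened the original file for writing without truncating it and wrote a smaller cropped image over the top, the old image’s remaining bytes stayed in place past the new IEND. The script below builds a constructed sample image, reproduces that save pattern, and reports how many bytes follow IEND, which is the check to run over a batch of screenshots before publishing them.

```python
"""Detect the Acropalypse symptom: data left behind after a PNG's IEND chunk.

Added example. The PNG writer here is a minimal one for constructed sample
data; `overwrite_without_truncate` simulates the buggy save operation.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png(width: int, height: int, pixel: bytes) -> bytes:
    """Build a minimal valid 8-bit RGB PNG filled with one colour (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    raw = b"".join(b"\x00" + pixel * width for _ in range(height))  # filter byte 0 per row
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def overwrite_without_truncate(old: bytes, new: bytes) -> bytes:
    """Simulate the buggy save: `new` is written over `old` in place, so any bytes of
    `old` beyond len(new) survive. A correct save truncates and yields just `new`."""
    return new + old[len(new):] if len(old) > len(new) else new


def iend_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length  # length + type + data + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return end
        pos = end
    raise ValueError("no IEND chunk")


def trailing_bytes_after_iend(data: bytes) -> int:
    """0 for a clean file; anything else means leftover data that may be recoverable."""
    return len(data) - iend_end_offset(data)


def trailing_data(data: bytes) -> bytes:
    """The leftover bytes themselves (the tail of the previous image, in the bug case)."""
    return data[iend_end_offset(data):]


if __name__ == "__main__":
    original = make_png(128, 128, b"\xff\x00\x00")  # the full "screenshot"
    cropped = make_png(8, 8, b"\xff\x00\x00")        # the much smaller crop of it
    on_disk = overwrite_without_truncate(original, cropped)
    print("clean save :", trailing_bytes_after_iend(cropped), "trailing bytes")
    print("buggy save :", trailing_bytes_after_iend(on_disk), "trailing bytes")
```

The leftover is the tail of the original’s compressed IDAT stream without its beginning, so reconstructing viewable pixels from it takes more work than this check does; the check only tells you whether a file carries the leak, which is what you need to decide whether a published screenshot must be re-saved and replaced.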

The public preview of Microsoft 365 Defender’s automated attack disruption capabilities has been expanded to include business email compromise (BEC) – Microsoft expands attack disruption to BEC, ransomware • The Register. Separately, the Microsoft Defender app for individuals is now being force-installed when users install or update Microsoft 365 apps – Microsoft Defender app now force-installed for Microsoft 365 users (bleepingcomputer.com)

Bye-bye Windows 8.1. Support for the venerable operating system ended on 10th January 2023… Windows 8.1 support ended on January 10, 2023 – Microsoft Support. Organisations still using systems running 8.1, e.g. where legacy software won’t run on later operating systems, should take appropriate action to secure those systems. **Remember – Organisations holding Cyber Essentials are required to either remove unsupported software from in-scope devices, or de-scope devices running that software into a defined subset that prevents traffic to and from the internet**.

A network configuration issue in January caused an outage affecting multiple M365 services. Microsoft said the issues were resolved after they rolled back a network change – Microsoft says services have recovered after major outage that affected Teams and Outlook users | ZDNET

Apple
New class of privilege escalation bug was found in iOS and macOS – A New Kind of Bug Spells Trouble for iOS and macOS Security | WIRED

Update for actively-exploited iOS zero-day vulnerability released – Apple fixes new WebKit zero-day exploited to hack iPhones, Macs (bleepingcomputer.com)

Roundup of recent posts by the National Cyber Security Centre (NCSC) and partner agencies
‘AI’ chat risks – This blog post discusses the risks around use of ChatGPT and other Large Language Models (LLMs) including those hosted on-prem. Issues can include…

  • serving up incorrect answers

  • bias and gullibility

  • potential for manipulation by users to produce toxic content

  • regurgitation of information shared with them to other users

  • potential for malicious actors to use them to craft more convincing phishing emails across multiple languages (i.e. fewer easy-to-spot grammatical and spelling errors)

The NCSC recommends not to include sensitive information in queries to public LLMs and not to submit queries to public LLMs that might cause issues were they made public (similar precautions that you might take when using internet search engines). Link – ChatGPT and LLMs: what’s the risk – NCSC.GOV.UK

See also under noteworthy breaches below.

Supply chain mapping – Guidance for organisations to help with assessing risks associated with their supply chain. How to assess and gain confidence in your supply chain… – NCSC.GOV.UK outlines five practical stages and Mapping your supply chain – NCSC.GOV.UK is aimed at larger organisations to help map their supply chain dependencies, so that risks in the supply chain can be better understood and managed

MSP Cloud security – Guidance on using Managed Service Providers (MSPs) to administer your cloud services… Using MSPs to administer your cloud services – NCSC.GOV.UK

Supplier personnel management – Updated guidance for organisations to assess a supplier’s approach to managing the security of its personnel who might be in a position to access your organisation’s information, such as support personnel. Updates are linked from this blog post Personnel security in the cloud – NCSC.GOV.UK

Phishing – Don’t just tell your staff not to click ‘bad links’- implement modern technical controls… Telling users to ‘avoid clicking bad links’ still isn’t… – NCSC.GOV.UK

Vulnerability disclosure toolkit – The NCSC’s Vulnerability Disclosure Toolkit – NCSC.GOV.UK for organisations to securely receive information about, and address, vulnerabilities discovered in their systems

Cyber Essentials 2023 – The 2023 changes to Cyber Essentials come into force for organisations seeking certification or recertification from 24th April 2023. The revised technical guidance is here… Cyber Essentials Requirements for IT Infrastructure v3.1 April 2023 (published January 2023) (ncsc.gov.uk). The key changes from the last version can be found on the IASME blog page here… What are the changes to Cyber Essentials this year? – IASME

ESXiArgs ransomware recovery kit – CISA released a recovery script for organisations affected by ESXiArgs ransomware… CISA Releases ESXiArgs Ransomware Recovery Script | CISA. By way of reminder, NCSC have a page on understanding and dealing with ransomware here A guide to ransomware – NCSC.GOV.UK

Decider tool – CISA and partners including MITRE have released a free tool (Decider) to help map threat actor behaviour to the MITRE ATT&CK framework GitHub – cisagov/decider: A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviours to the MITRE ATT&CK® framework.

Untitled Goose Tool (<<<I did not make this up, apparently it’s a reference to the ‘Untitled Goose Game’) – CISA have released this open source tool to help network managers to understand their Azure, Azure AD and M365 environments. It can help detect malicious activity and misconfiguration in those environments. New CISA tool detects hacking activity in Microsoft cloud services (bleepingcomputer.com)

Noteworthy cyber incidents
This is just a flavour of some recent cyber incidents that stood out as attacks on ‘big name’ organisations, or where there were very significant impacts since our last update. More detailed reports of incidents and emerging vulnerabilities can be obtained from the information sources at the end of this newsletter.

LastPass – LastPass admitted in August 2022 that they had been the victim of a cyber attack. At the time they claimed that only proprietary technical information had been compromised and that the breach had been contained. It took until December 2022 before they revealed the full extent of the hack. Sensitive customer data had been accessed, along with backups of customer vaults containing both encrypted and unencrypted data. While the breach doesn’t appear to have exposed the passwords stored in vaults or customers’ master passwords, the data could give malicious actors the ability to spear-phish users and trick them into revealing those passwords. More concerning is that long-standing customers’ vaults may be vulnerable to offline cracking: the number of PBKDF2 iterations recommended for deriving the vault key from the master password has increased significantly since the service was introduced, but older accounts were not automatically upgraded to the current setting, so their vault keys are much cheaper to brute-force.

Earlier this month, LastPass issued technical guidance to users on how to upgrade their account settings to reduce the likelihood of malicious actors successfully cracking their vaults. LastPass users have also been emailed and presented with multiple pop-ups at login pointing them to the guidance. The latest blog post from LastPass, including recommended actions for customers and business administrators, is published here… Security Incident March 2023 Update & Actions – LastPass

Royal Mail – In January 2023, Royal Mail was hit by a cyber attack carried out by the LockBit ransomware group, who demanded a £65 million ransom payment that Royal Mail refused to pay. Disruption caused by the attack and recovery from it forced Royal Mail to suspend international parcel and letter deliveries through Post Office branches for almost six weeks. A breach of employee data has also been reported. LockBit ransomware – what you need to know | Tripwire

Dropbox – Suffered a successful phishing attack that allowed malicious actors to access and steal 130 of its GitHub code repositories. The code and data around it included personal information of staff, customers, vendors and sales leads. The phishing emails impersonated CircleCI. The same attack was used successfully against a number of other GitHub users last autumn and highlighted concerns around supply chain attacks, particularly on software and SaaS providers. Dropbox discloses breach after hacker stole 130 GitHub repositories (bleepingcomputer.com). Note – GitHub has started rolling out mandatory MFA for developers GitHub makes 2FA mandatory next week for active developers (bleepingcomputer.com)

Ferrari – Got one? Criminals may have your personal data then… Ferrari in a spin as crims steal customer data • The Register

GoDaddy discloses multi-year breach – Malicious actors were able to redirect visitors to GoDaddy’s customers’ sites to malicious sites. GoDaddy: Hackers stole source code, installed malware in multi-year breach (bleepingcomputer.com)

T-Mobile suffered a significant breach in the US – T-Mobile announces another data breach, impacting 37 million accounts – The Verge

OpenAI took ChatGPT offline on Monday 20th March. When it returned, the chat history function had been turned off. Some users had reported that they could see the titles of other users’ conversations with the AI. A subsequent announcement indicated that some users’ payment information may also have been exposed during the incident. The company says the payment information leak may have affected around 1.2 percent of ChatGPT Plus subscribers who used the service between 4AM and 1PM US Eastern Time (8am to 5pm GMT) on March 20th. ChatGPT’s history bug may have also exposed payment info, says OpenAI – The Verge

This blog post highlights the best and worst practices to help you with your incident responses – Best and worst data breach responses highlight the do’s and don’ts of IR | CSO Online

New and emerging malware and techniques
Malicious OneNote file attachments – There has been an increase in the use of Microsoft OneNote file attachments to spread malware on Windows. This appears to be a reaction to Microsoft blocking macros by default in Office documents downloaded from the internet in 2022. The malicious actors have switched to OneNote documents with embedded scripts or executables that the user is tricked into double-clicking. This article recommends blocking OneNote attachments (.one files) at the mail gateway… How to prevent Microsoft OneNote files from infecting Windows with malware (bleepingcomputer.com)
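An added example (not code from the linked article) of the attachment check a mail gateway or triage script would apply. It blocks by extension, then by the file’s signature so that a .one file renamed to .pdf is still caught, and it carves out any files embedded in the section, which is where the script or executable in these campaigns sits. The three GUID constants are the .one section file header and the FileDataStoreObject header/footer as published in Microsoft’s MS-ONESTORE specification; the sample blob is constructed for the demonstration and is not a complete OneNote file.

```python
"""Gateway-style check for OneNote (.one) attachments, including renamed ones,
plus a carver for the files embedded inside a section. Added example.
"""
import struct
import uuid
from dataclasses import dataclass, field

# GUIDs from Microsoft's MS-ONESTORE specification; on disk they are little-endian.
ONE_FILE_HEADER = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le  # FileDataStoreObject start
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le  # FileDataStoreObject end
FDSO_HEADER_SIZE = 36  # 16 guid + 8 cbLength + 4 unused + 8 reserved, then cbLength bytes of data

# Extensions rejected outright, as the article recommends.
BLOCKED_EXTENSIONS = {".one", ".onepkg", ".onetoc2"}


@dataclass
class Verdict:
    allowed: bool
    reason: str
    embedded: list = field(default_factory=list)  # payload bytes of each embedded file


def is_onenote(data: bytes) -> bool:
    """Signature check: a .one section file starts with the header GUID."""
    return data[:16] == ONE_FILE_HEADER


def embedded_files(data: bytes) -> list:
    """Carve every FileDataStoreObject payload out of a section file."""
    found, pos = [], 0
    while True:
        pos = data.find(FDSO_HEADER, pos)
        if pos < 0 or pos + FDSO_HEADER_SIZE > len(data):
            return found  # no more objects, or a truncated header we cannot trust
        (length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FDSO_HEADER_SIZE
        found.append(data[start:start + length])
        pos = start + length


def check_attachment(filename: str, data: bytes) -> Verdict:
    """Decide whether an attachment may pass, trusting the bytes over the file name."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(False, f"blocked extension {ext}", embedded_files(data))
    if is_onenote(data):
        return Verdict(False, f"OneNote signature behind extension {ext or '(none)'}",
                       embedded_files(data))
    return Verdict(True, "ok")


def build_sample_section(payload: bytes) -> bytes:
    """Constructed test data: section header, padding and one embedded file object.
    Enough structure for the carver above; not a complete OneNote file."""
    obj = (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
           + payload + FDSO_FOOTER)
    return ONE_FILE_HEADER + b"\x00" * 48 + obj


if __name__ == "__main__":
    # Constructed stand-in for the script such campaigns embed and ask the user to "open".
    dropper = b'<script>new ActiveXObject("WScript.Shell").Run("cmd /c calc.exe")</script>'
    blob = build_sample_section(dropper)
    for name in ("invoice.one", "invoice.pdf"):  # second is the same bytes renamed
        v = check_attachment(name, blob)
        print(f"{name}: allowed={v.allowed} ({v.reason}); {len(v.embedded)} embedded file(s)")
    print("report.pdf:", check_attachment("report.pdf", b"%PDF-1.7\n").allowed)
```

The carved payloads are what to feed to your sandbox or hash against threat intelligence; the extension block on its own is the control the article recommends, and the signature check is there because attackers rename attachments to dodge exactly that kind of list.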

Some of the newer strains of Malware identified in the last six months included:-

  • LockFile: A ransomware strain that exploits vulnerabilities in Microsoft Exchange servers.

  • HiveRAT: A remote access Trojan (RAT) that can be used for espionage and data theft.

  • Dtrack: A remote access Trojan (RAT) that has been used in cyber espionage campaigns against Indian financial institutions.

  • Teabot: A banking Trojan that targets Android devices and can steal banking credentials and other sensitive data.

  • HelloKitty: A ransomware strain that has been used in several recent attacks against hospitals and healthcare organizations.

  • Zeppelin: A ransomware strain that uses advanced encryption techniques to make file recovery difficult.

  • Jupyter: A backdoor Trojan that can steal data, install additional malware, and carry out other malicious activities.

  • Cobalt Strike: A commercial adversary-simulation tool, cracked copies of which are widely used by threat actors to run advanced persistent threat (APT) style intrusions.

  • Prometheus: A malware strain that can bypass antivirus software and other security measures.

  • Xanthe: A banking Trojan that targets Android devices and can steal banking credentials and other sensitive data.

Other information security news
GitHub have made ‘secret scanning’ available on all public repositories, to allow users to scan for sensitive data inadvertently added to their repositories including authentication tokens, API keys and passwords – GitHub’s secret scanning alerts now available for all public repos (bleepingcomputer.com)
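An added example (not GitHub’s own pattern set, which covers many more providers) of what secret scanning does: a small pre-commit style scanner run over constructed sample files. The pattern names, the allowlist and the sample contents are my own; the token formats are the published ones for GitHub classic personal access tokens, AWS access key IDs, Slack tokens and PEM private keys.

```python
"""Pre-commit style secret scanner over text files. Added example; the pattern
set is illustrative, not the one GitHub uses.
"""
import re
import sys
from collections import namedtuple

Finding = namedtuple("Finding", "path line kind match")

PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic rule: a password-like key assigned a quoted value of 8+ characters.
    "generic_password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"\s]{8,})['\"]"),
}

# Known documentation placeholders that would otherwise be false positives.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}


def redact(secret: str) -> str:
    """Keep enough of the match to locate it without echoing the whole secret."""
    return secret if len(secret) <= 8 else secret[:4] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> list:
    """Return one Finding per pattern match per line, skipping allowlisted values."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                if secret in ALLOWLIST:
                    continue
                findings.append(Finding(path, lineno, kind, redact(secret)))
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> contents; returns all findings across them."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample repository contents (not real credentials).
SAMPLE_FILES = {
    "config.py": (
        "DB_PASSWORD = 'hunter2'\n"                       # under 8 chars: not flagged
        "API_PASSWORD = 'S3cr3t-Pa55w0rd!'\n"             # flagged by the generic rule
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"     # AWS docs placeholder: allowlisted
    ),
    "deploy.sh": (
        "export GITHUB_TOKEN=ghp_" + "A" * 36 + "\n"
        "curl -H 'Authorization: Bearer xoxb-1234567890-abcdefghij' https://slack.com/api/auth.test\n"
    ),
    "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n",
}


if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line}: {f.kind}: {f.match}")
    sys.exit(1 if found else 0)  # non-zero blocks the commit when used as a hook
```

Run it as a pre-commit hook and the commit fails before a token reaches a public repository, which is the point GitHub’s alerts arrive too late to make; the allowlist matters because documentation placeholders and test fixtures will otherwise train developers to ignore the hook.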

Who’s going to ban TikTok next? This report explains some of the concerns – TikTok “a loaded gun” says NSA (malwarebytes.com)

Twitter has restricted SMS-based two-factor authentication to its paying (Twitter Blue) subscribers. Authenticator apps and hardware security keys remain available to all users, and are the stronger options anyway, but users who relied on SMS codes and do nothing will be left with password-only protection – Why is Twitter turning millions of accounts into defenceless targets? | ZDNET

Atlassian warned of critical flaw in Jira Service Management Server and Data Centre – Atlassian’s Jira Service Management Found Vulnerable to Critical Vulnerability (thehackernews.com)

Environment
Legislative changes

The Finance Act 2023 – Changes include introduction of Vehicle Excise Duty (VED – the duty that is commonly referred to as ‘road tax’) on many Zero Emission Vehicles and Alternative Fuelled Vehicles from 1st April 2025. Zero Emission Vehicles are currently exempt from VED. The changes bring the relevant vehicles into line with traditional internal combustion engine (ICE) vehicles.
Zero Emission Cars that were first registered after 1st April 2017 will be charged the lowest rate of VED (Band B); Zero Emission Vans will move to the standard annual light goods vehicle rate; Zero Emission motorcycles and tricycles will move to the annual rate for the smallest engine size; Other AFVs and hybrids will lose their £10 annual discount.

At the same time, the Expensive Car Supplement exemption for Zero Emissions cars will end. The act also included the annual adjustments to taxable benefits for cars with a CO2 emissions figure, which incentivises the use of ‘greener’ vehicles for business.

The Merchant Shipping (Control of Harmful Anti-Fouling Systems on Ships) Order 2022 gave effect to the International Convention on the Control of Harmful Anti-Fouling Systems on Ships, 2001 (“the Convention”).

Further provisions of the Environment Act 2021 came into effect. Introduction of this legislation has been previously discussed here. Introduction of its provisions has been staggered.

Health & Safety
Legislative changes

Three new regulations have come into effect that support aspects of the Building Safety Act 2022, which we have previously reported here. They are: –

  • The Building Safety (Registration of Higher-Risk Buildings and Review of Decisions) (England) Regulations 2023 – enacts some of the requirements regarding the register of higher-risk buildings, held by the building safety regulator

  • The Higher-Risk Buildings (Descriptions and Supplementary Provisions) Regulations 2023 – gives clarification as to what types of buildings are classified as Higher Risk Buildings

  • The Building Safety (Leaseholder Protections) (England) (Amendment) Regulations 2023 – clarifies definitions of relevant landlords and persons associated with them

The Merchant Shipping (High Speed Craft) Regulations 2022 and The Merchant Shipping (Additional Safety Measures for Bulk Carriers) Regulations 2022 brought elements of the International Convention for the Safety of Life at Sea, 1974 into UK law

The Welsh government are consulting on changes to require installation of Carbon Monoxide (CO) alarms in all residential buildings in Wales –

Other
Roundup of recent posts by the Health and Safety Executive (HSE)

2022 H&S Statistics
Summary:

  • 1.8 million working people suffering from a work-related illness, of which

    • 914,000 workers suffering work-related stress, depression or anxiety

    • 477,000 workers suffering from a work-related musculoskeletal disorder

    • 123,000 workers suffering from COVID-19 which they believe may have been from exposure to coronavirus at work

  • 2,544 mesothelioma deaths due to past asbestos exposures (2020)

  • 123 workers killed in work-related accidents

  • 565,000 working people sustained an injury at work according to the Labour Force Survey

  • 61,713 injuries to employees reported under RIDDOR

  • 36.8 million working days lost due to work-related illness and workplace injury

  • £18.8 billion estimated cost of injuries and ill health from current working conditions (2019/20)

Full Report – Health and safety statistics (hse.gov.uk)
Other:

  • Guidance on violence at work has been refreshed – Violence and aggression at work – HSE

  • Musculoskeletal disorders (MSDs) ebulletin – Musculoskeletal disorders in the workplace – HSE and Expanded homeworking guidance – Managing home workers’ health and safety – Overview – HSE

  • Managing stress at work ebulletin – Stress at work – HSE

  • Refreshed workplace temperature guidance – Temperature (hse.gov.uk)

  • New principles and guidance for workers with long-term health conditions, and disabled workers – Overview – Principles to support disabled workers and workers with long-term health conditions – HSE

  • Campaign to raise awareness among younger construction workers of the risk of asbestos in buildings. Asbestos & You – Work Right to keep Britain safe Many will have joined the industry since it was outlawed, but it is still present in many buildings built or refurbished prior to the year 2000

  • ‘Be Ready’ campaign launched to make relevant people and organisations aware of the changes introduced in the Building Safety Act 2022 following the Grenfell disaster, that affect Higher-Risk buildings, including registration of residential or part-residential buildings taller than 18m or at least seven storeys … New regulator takes major step forward in ‘landmark moment for building safety’ | HSE Media Centre

  • Report on the consultation for a Building Inspector Competence Framework has been published. BICoF consultation report HSE This supports the work around Higher-Risk buildings mentioned above

Other – Russia Sanctions
Legislative changes

Multiple further amendments have been made to The Russia (Sanctions) (EU Exit) Regulations 2019. The Regulations are summarised on the PCML InfoSec Legislation site for subscribers; however, sanctions continue to change as the Ukraine conflict continues. Most recently, the Regulations have been amended to extend the requirement to apply sanctions to British Overseas Territories, except Bermuda and Gibraltar, which have already implemented their own sanctions.

Similar amendments were also made to The Republic of Belarus (Sanctions) (Overseas Territories) Order 2020 via The Republic of Belarus (Sanctions) (Overseas Territories) (Amendment) Order 2022. Organisations trading with people or entities directly or indirectly associated with Russia and its allies, including Belarus, should take appropriate steps to ensure that the business conducted with those people or entities, and any payments made to or received from them, do not contravene the sanctions legislation.

Key business sectors affected by the act include, but are not limited to:- financial services, mining and minerals, oil and gas, precious metals, IT services, IT hardware, software, aircraft, shipping, military goods and dual-use goods (which are basically any civilian items that could also be used for military or military support purposes or incorporated in to military systems).

A linked list of changes can be found at this UK Government page… UK sanctions relating to Russia – GOV.UK (www.gov.uk)

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch

October 2022 – Newsletter Update

We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.

Please note that we’ve included links below to external websites. PCML consultants are not responsible for the content of any external websites.  We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website.

This update includes Information Security, Environment and Health & Safety.
Information Security
If you are an IT professional; these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.

Legislative changes
We are not aware of any recent legislative changes that directly affect Information Security that have been published since the last update.

Other updates
Microsoft
Autopatch is live – After its announcement in April, Autopatch functionality went live shortly after our last update. The functionality allows administrators to automate roll out of patches across their estate in a series of ‘rings’. A small set of devices will get the patches first before Autopatch moves on to gradually larger sets, gated by checks to ensure that nothing breaks. It requires some initial configuration, but greatly simplifies the controlled roll out of patches to endpoints.

Passwordless authentication is in public preview – Microsoft, Apple and Google have all committed to working to improve sign-on security, recognising the inherent weaknesses in the traditional password method. In late September, Microsoft announced that Azure Virtual Desktop support for passwordless authentication had entered public preview. The functionality is currently available on Windows 10, Windows 11 and Windows Server 2022 session hosts.

Tamper protection for Defender for Endpoint
Tamper protection has been a default setting for new users of Defender for Endpoint since 2019. Microsoft has announced that it will force-enable it for all other users who haven’t yet enabled it. Anti-tamper blocks changes to key security features and prevents disabling of antimalware or deletion of security updates.

Enhanced phishing protection for Windows 11
Microsoft have included a feature in the latest version of Windows 11 (22H2) that checks when users enter their Windows password into an app or website. If the site is untrustworthy, it warns the user to change their password and alerts system administrators through Defender for Endpoint.

Microsoft 365 patches for Windows 7 to end in 2023

Apple
Updates to address exploited vulnerabilities – Apple released updates to address exploited vulnerabilities in Safari, macOS, iOS, iPadOS, tvOS, and watchOS on 12th September. 

Other information security news
LastPass got hacked and revealed the cause – Hackers gained access to the password vault provider’s developer environment by compromising a developer’s endpoint device and had access to the environment for four days before they were discovered. An investigation revealed that source code had been stolen, but confirmed no malicious code had been injected and the product was unaffected. Customer data was unaffected as it is held in encrypted containers accessible only by the customers.

Developers are increasingly the targets of phishing
GitHub and CircleCI were targeted in September in the latest in a trend targeting developers. Hackers are attempting to steal credentials as a way to breach the software development supply chain.
***As a reminder, PCML Consultants can offer tailored phishing simulation tests to check your team’s ability to correctly identify and deal with phishing attacks. Contact us to find out more***

Ransomware down, malware up globally, but not in Europe, and the relief may be short lived – SonicWall’s latest threat report indicated a global decline in ransomware but an increase in malware attacks in the first half of 2022. Worldwide, ransomware declined by 23%, but was up by 63% in Europe. Their prediction for the next 12 months suggests that ransomware will be back with a vengeance though.

NCSC guidance on selecting better authentication models
Passwords are weak. The NCSC has published some guidance on better alternatives. 

Log4j – it hasn’t gone away – The US Department of Homeland security reckons the risks associated with Log4j vulnerabilities could persist “for a decade or longer”.

Atlassian fixed their hard-coded Confluence password flaw, but the password has been publicly disclosed, so unpatched instances remain exposed, and it warned users of a number of other vulnerabilities too.

LinkedIn fakery
Krebs on Security reports that a recent proliferation of phony executive profiles on LinkedIn is raising concerns. A huge number of fake profiles are being created for senior roles, including CISO roles. It seems unclear what the motive is at this time and they don’t seem to be doing very much, but it’s causing confusion.

EU proposing Cyber Resilience Act for network-connected devices – The proposal would require manufacturers to deal with security vulnerabilities affecting their devices for five years, and to report actively exploited vulnerabilities to Europe’s cybersecurity agency ENISA within 24 hours of becoming aware of the exploit.

Environment
Legislative changes
We are not aware of any recent relevant legislative changes.

Health & Safety
Legislative changes
The Regulatory Reform (Fire Safety) Order 2005 has been updated to reflect amendments imposed through the Building Safety Act 2022, reflecting lessons learned from the Grenfell Tower disaster. The Order previously only applied to certain non-residential buildings. The amendments bring some additional buildings that are, or which include residential dwellings under the act. They modify some of the pre-existing requirements under The Order and add further requirements with specific relevance to buildings that are defined as ‘Higher-Risk’ buildings. The changes have been incorporated into an update to The Order on the PCML InfoSec Legislation portal

Updates and information from the Health and Safety Executive
The HSE has published its 2021-22 workplace death statistics. In the period from April 2021 to March 2022, 123 workers and 80 members of the public were killed at work. The most common causes of workplace deaths were falls from height, being struck by moving vehicles or objects, coming into contact with moving machinery, and being trapped by something collapsing or overturning. Despite the apparently high number, death rates per 100,000 workers have remained fairly constant. A summary of the report and the full report are available on the HSE website.

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environment, H&S and Business Continuity objectives, then please don’t hesitate to get in touch

July 2022 – Newsletter Update

We recognise that staying on top of changes to legislation and advice can be difficult. Here are some articles and alerts we’ve seen lately that we think you should be aware of, or might be interested in.

Please note that we’ve included links below to external websites. PCML Consultants are not responsible for the content of any external websites.

We’ve collated the below from alerts and bulletins that we receive from UK Government agencies and others. You can find links to those sources and others on our website. 

This update includes General Compliance, Information Security & Business Continuity, Environment and Health & Safety

General Compliance
New tool for checking ISO certificates
The UK’s National Accreditation Body – the UK Accreditation Service (UKAS) – has launched a centralised ISO management system certificate search facility, ‘CertCheck’. Previously, individual certification bodies provided their own search facilities that only listed certificates they had issued, which made validating suppliers’ claims to hold ISO management system certifications quite onerous. The new UKAS facility brings all certificates issued by all UKAS-accredited certification bodies together in one search facility, which will greatly simplify the certificate-validation task. It can be searched by company or by certificate number.

UKAS Cert Check https://www.ukas.com/resources/latest-news/ukas-launches-certcheck/

Information Security & Business Continuity
If you are an IT professional; these articles may be directly of use to you. If you are a manager with responsibility for information security and an in-house or outsourced IT function, you may wish to check that they are aware of this advice.

Legislative changes
We are not aware of any recent legislative changes that directly affect Information Security. However, on 23rd June the UK government published its response to consultation on its proposals to reform UK data protection laws, ‘Data: a new direction – government response to consultation’.

Through its proposed new ‘Data Reform Bill’, the government intends to amend the Data Protection Act 2018 (DPA), the Privacy and Electronic Communications Regulations (PECR) and the roles and structure of the Information Commissioner’s Office (ICO). It has stated that the aim of these amendments is to strengthen UK data protection standards while reducing the burden on businesses, and to modernise the ICO. The published response to consultation describes amendments to legislation that the government intends to bring forward, as well as some proposed changes that will not be subject to legislation, such as codes of practice. We will publish a summary of those proposals shortly.

Other Updates
Microsoft
A few significant vulnerabilities have emerged since the last newsletter; however, patches have been released for all of them. They serve as further reminders to ensure that you have effective and timely vulnerability and patch management strategies in place:-

Microsoft alerted users that the ‘Patch Tuesday’ update released on 10th May was causing Windows authentication failures on domain controllers. On 19th June it announced that a fix for the faulty patch had been released and the issue resolved. 

A strain of malware was identified that maintains a persistent presence on compromised Windows systems by creating hidden tasks via Windows Task Scheduler.
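A check an administrator can run for this kind of persistence, added here as an example rather than anything from the newsletter or from Microsoft: it lists every task registered in the Task Scheduler’s registry cache and flags entries that either lack a Security Descriptor (SD) value or do not appear in the output of Get-ScheduledTask. Removing the SD value is one publicly documented way to hide a task from schtasks and the Task Scheduler console; that mechanism is our assumption, since the newsletter does not say how the tasks are hidden.

```powershell
# Added example (not from the newsletter or from Microsoft). Run in an elevated
# PowerShell session on the host being examined.
#
# ASSUMPTION: a task whose registry entry under TaskCache\Tree has no "SD"
# (security descriptor) value is invisible to schtasks.exe and the Task
# Scheduler console, so comparing the registry with Get-ScheduledTask output
# surfaces tasks hidden that way.

$treeKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Schedule\TaskCache\Tree'
$treeName = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Schedule\TaskCache\Tree'

function Get-RegistryTaskEntry {
    # Every key under Tree that carries an "Id" value is a registered task;
    # keys without one are just folders in the task tree.
    Get-ChildItem -Path $treeKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.Id) {
            [PSCustomObject]@{
                FullName = $_.Name.Substring($treeName.Length)   # e.g. \Microsoft\Windows\Foo\Bar
                TaskId   = $props.Id
                HasSD    = ($null -ne $props.SD)
            }
        }
    }
}

function Find-HiddenScheduledTask {
    # Task names the Task Scheduler API itself will admit to.
    $visible = @{}
    foreach ($t in Get-ScheduledTask) {
        $visible[$t.TaskPath + $t.TaskName] = $true
    }

    foreach ($entry in Get-RegistryTaskEntry) {
        $reasons = @()
        if (-not $entry.HasSD) { $reasons += 'no SD value in registry' }
        if (-not $visible.ContainsKey($entry.FullName)) { $reasons += 'absent from Get-ScheduledTask' }
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Task   = $entry.FullName
                TaskId = $entry.TaskId
                Why    = ($reasons -join '; ')
            }
        }
    }
}

$suspects = Find-HiddenScheduledTask
if ($suspects) {
    Write-Warning 'Scheduled tasks that are hidden or inconsistent with the registry:'
    $suspects | Format-Table -AutoSize
} else {
    Write-Output 'No hidden scheduled tasks found.'
}
```

Treat a hit as a lead rather than a verdict: look at the matching key under TaskCache\Tasks\{TaskId} to see what the task actually runs, and export the registry keys before removing anything so that the evidence survives the clean-up.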

A zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT) was confirmed as being actively exploited. Nicknamed ‘Follina’ by the researcher who identified it, the vulnerability had been known about for some time but was not seen to be exploited until May, when it was found in malicious Word documents spread through phishing emails. Microsoft published workaround guidance on 30th May and a fix was included in June’s ‘Patch Tuesday’ roll-up. 

Microsoft has been criticised for the time taken to fix some critical flaws in Azure, some of which persisted for months before Microsoft issued fixes. 

On the positive side:
Microsoft has started to roll out Azure Active Directory security defaults to all customers who have not already enabled them. Security defaults were first released in 2019 as a basic set of identity security mechanisms that today include Multi-Factor Authentication (MFA). Eligible users will be prompted to enable the security defaults, but they will be automatically enforced after 14 days if the users do not enable them manually. Microsoft claims this will help secure an additional 60 million users’ accounts.

It is also introducing further security improvements for customers with Windows 10/11 Enterprise E3 or higher through its ‘Windows Autopatch’ service, which is currently in public preview and is being rolled out through July. The service will automatically keep Windows and Microsoft Office software up to date on enrolled endpoint devices. To minimise the risk of faulty patches causing disruption, roll-outs will be staggered, with 1% of endpoints (the ‘test ring’) receiving the updates first. If no issues are detected, the update will roll out to a ‘fast ring’ comprising 9% of endpoints and finally to the ‘broad ring’ comprising the remaining 90%. Rings are managed automatically to take into account devices that are enrolled and unenrolled. 

It is also rolling out the first of three Security as a Service (SECaaS) managed services that it plans to release in 2022. ‘Security Experts’ is effectively an outsourced service that analyses Microsoft Defender data for signs of online attacks and reports back to the customer with suggestions for remediation. A further service, ‘Microsoft Defender Experts for Extended Detection and Response (XDR)’, will provide specific consultations, e.g. to help resolve incidents. The final service, ‘Microsoft Security Services for Enterprise’, offers to take on both of those workloads and combines threat hunting with extended detection and response. And GitHub (owned by Microsoft) has announced that it will require all developers and other contributors to enable two-factor authentication (2FA) by the end of 2023. 

RIP Internet Explorer. After more than 25 years, Microsoft finally retired Internet Explorer on 15th June. And in April, Microsoft announced that it plans to enhance IE’s replacement, Edge, with a feature it has called ‘Microsoft Edge Secure Network’, a VPN-style service with a free monthly data allowance.

National Cyber Security Centre (NCSC)
The NCSC published updated guidance on enterprise device security in May. The guidance is aimed at manufacturers, but the changes are relevant to any user. They include moving away from traditional network security perimeters, within which some devices may be trusted, to a ‘zero trust’ approach for all devices, and using device health information as an indicator to help identify when devices may have been compromised.

It also relaunched its cloud security guidance collection in the same month. This includes guidance on selecting cloud providers and evaluating different cloud service models.

In June it published advice and recommendations for reducing data exfiltration by malicious insiders, including a simple flowchart to help visualise the decisions on where and when to apply technical controls.

Google
Google announced that it will expand its policy of allowing people to request removal of certain sensitive personally identifiable information (PII) from search results to cover requests to remove other, less sensitive PII, such as address information that might enable identity theft or other fraud. And it has taken steps to improve confidence in open source software dependencies by announcing a new service called ‘Assured Open Source Software’ that will go live later in the year. It will contain open source packages that Google will regularly vet and test for vulnerabilities. It will initially focus on Java and Python packages that Google itself uses, but will expand over time in response to customer demand.

It is also part of a consortium including Microsoft and Apple that is working toward a ‘passwordless future’ where simply unlocking your phone will unlock your online account, simplifying sign on across devices, websites and applications.

Atlassian
In early June, Atlassian advised that it had discovered a remote-code-execution flaw in its Confluence collaboration tool that was already being actively exploited. Until a fix was available it advised users to restrict or disable internet access to Confluence. The vulnerability affected multiple versions and a patch was released within days. Users should confirm that the patch has been applied and, because the flaw was exploited before the fix existed, check any internet-facing Confluence instances for signs of compromise rather than assuming that patching alone has closed the matter. 

Lenovo
Researchers identified vulnerabilities in UEFI firmware drivers on certain Lenovo laptops. Lenovo has published a list of affected devices and instructed users to update their system firmware. 

And in other news…
Phishing is up 29% and it’s getting easier for criminals to deploy. Researchers from Zscaler claim that worldwide phishing attacks increased by 29% in 2021. Cybercriminals are adapting their approaches in response to general improvements in information security, including wider use of multi-factor authentication. They are offering phishing kits as part of ‘Phishing as a Service’ (PhaaS) that enable skilled and unskilled attackers alike to craft convincing and effective phishing pages with little effort. This is a timely reminder to ensure that your employees know what to look out for. 

Black Basta – the new kid on the ransomware block?
Another ransomware group surfaced in April and is already thought to have exfiltrated and encrypted the data of around 50 organisations across the US, UK, India, Canada, Australia, New Zealand and the UAE. Variants of Black Basta have been discovered that target Windows systems and virtual machines on Linux servers, and it has been seen to spread laterally across organisations. It creates a group policy object on domain controllers that disables Windows Defender and anti-virus solutions. Advice on protecting against this new threat is the same as that issued for all ransomware and includes secure offsite backups, ensuring systems are updated and patched in a timely manner, good password hygiene, encrypting sensitive data, disabling unnecessary functionality on systems, and educating and informing staff about the risks and the methods through which cybercriminals launch attacks and steal data. 
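The group policy trick described above is something you can audit for centrally. The following script is an added example, not part of the newsletter or of any vendor guidance: it pulls an XML report for every GPO in the domain and flags any whose settings match patterns associated with switching Defender off, along with any GPO modified recently. The list of patterns is our assumption, since the newsletter does not say which settings the ransomware’s policy object changes, and it should be extended to cover whichever third-party anti-virus product the organisation uses.

```powershell
# Added example (not from the newsletter). Requires the GroupPolicy module
# (part of RSAT) and a domain account that can read GPOs.
Import-Module GroupPolicy

# Patterns that indicate Defender is being switched off through policy.
# ASSUMPTION: the newsletter does not list the settings the ransomware's GPO
# sets. These are registry value names under
# HKLM\SOFTWARE\Policies\Microsoft\Windows Defender and the Administrative
# Template display names that turn Defender off. Add your own AV vendor's names.
$defenderOffPatterns = @(
    'DisableAntiSpyware',
    'DisableRealtimeMonitoring',
    'DisableBehaviorMonitoring',
    'DisableIOAVProtection',
    'DisableOnAccessProtection',
    'Turn off Microsoft Defender Antivirus',
    'Turn off Windows Defender',
    'Turn off real-time protection'
)

function Find-DefenderDisablingGpo {
    param(
        [string[]]$Patterns = $defenderOffPatterns,
        [int]$RecentDays = 30   # also surface anything changed recently, whatever it contains
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($gpo in Get-GPO -All) {
        # The XML report contains every setting the GPO applies, for both the
        # Computer and User configuration halves.
        $xmlText = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $hits    = @($Patterns | Where-Object { $xmlText -match [regex]::Escape($_) })
        $recent  = $gpo.ModificationTime -gt $cutoff
        if ($hits.Count -gt 0 -or $recent) {
            [PSCustomObject]@{
                GpoName         = $gpo.DisplayName
                GpoId           = $gpo.Id
                Created         = $gpo.CreationTime
                Modified        = $gpo.ModificationTime
                DefenderOff     = ($hits -join ', ')
                RecentlyChanged = $recent
            }
        }
    }
}

Find-DefenderDisablingGpo |
    Sort-Object Modified -Descending |
    Format-Table GpoName, Modified, RecentlyChanged, DefenderOff -AutoSize
```

A GPO that appears here with a recent creation time and a name nobody recognises is the one to look at first: check where it is linked, who created it, and whether Defender on the machines in scope is actually off (Get-MpComputerStatus on an affected host). Unlinking the policy does not re-enable Defender on machines that have already applied it, so those need remediating individually.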

Environment
Legislative changes
We are not aware of any recent relevant legislative changes.

Health & Safety
Legislative changes
We are reviewing a number of recent legislative changes and will provide updates in the next newsletter.

Other Updates
Updates and information from the Health and Safety Executive
Safety notice regarding tight fitting RPE and ear-loop type face masks – The HSE has published a safety notice to clarify that respirators and masks that rely on ear-loops do not provide adequate protection when used as tight fitting respiratory protective equipment (RPE). Where individuals are required to wear tight fitting RPE, the RPE should be fit tested by a competent assessor to ensure that it provides an appropriate seal on the individual’s face. 

Change to risk assessment requirements for pregnant workers and new mothers in the workplace – The HSE has also changed its guidance with respect to protecting pregnant workers and new mothers in the workplace. It now requires that individual risk assessments must be carried out for a worker when they inform you that they are pregnant, or have given birth in the last six months, or are breastfeeding.

Heatwave guidance
As temperatures rise, the HSE has sent out a reminder about the guidance on its website on working in the heat.

If you would like to discuss any of the topics covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environmental, H&S and Business Continuity objectives, then please don’t hesitate to get in touch. 

July 2022 – Special Edition

In this special edition newsletter, sent in addition to our normal monthly update, we are covering the recent proposed changes to the Data Protection Act 2018 (DPA).

On 23rd June 2022, the government published its response to consultation on its proposals to reform UK data protection laws, ‘Data: a new direction – government response to consultation’.

The government intends to amend the Data Protection Act 2018 (DPA), the Privacy and Electronic Communications Regulations (PECR) and the roles and structure of the Information Commissioner’s Office through a ‘Data Reform Bill’. It has stated that the aim of these amendments is to strengthen UK data protection standards while reducing the burden on businesses, and to modernise the ICO. The published response to consultation describes amendments to legislation that the government intends to bring forward, but also describes some proposed changes that will not be subject to legislation, such as codes of practice.

The proposed amendments come with some risks, however, and some proposals are a little vague. While some will welcome some of the changes, it remains to be seen whether the EU and others will consider that they continue to give adequate protection to their citizens. An EU decision to reverse the data adequacy decision put in place post-Brexit following adoption of ‘UK GDPR’ would be disruptive to businesses that transfer personal data to or from the EU, or that process data of citizens of EU member states.

A summary of the proposals follows below:-
The consultation was broken down into five chapters. Key proposals arising from that consultation are listed below by chapter.

Chapter 1 – Reducing barriers to responsible innovation

Scientific Research
Under current regulations, data subjects are required to give their consent for use of their data separately for individual studies. The Bill proposes allowing researchers to obtain consent under broader definitions, e.g. consent could be sought for general research into the prevention and cure of types of disease, rather than for a specific disease.

Legitimate interests
The Bill proposes to alter the process through which organisations can rely on legitimate interests as a lawful basis for data processing. This change will initially be limited to a few clearly defined processing activities, including prevention of crime and other public interest purposes.

AI and Machine learning
The Bill proposes altering the current restrictions on automated decision making to allow greater use of AI-powered decision making. The need for ‘fairness’ and mitigation of bias in that decision making is stressed. The challenges of determining what is ‘fair’ and of mitigating bias are recognised, however. In the latter case, enabling the processing of sensitive information for the purpose of ‘monitoring and correcting bias in AI systems’ is proposed as a new condition under the Bill.

Anonymisation of data
The Bill proposes clarification of what data can be considered anonymous and therefore not subject to data protection regulations. It proposes a relative test, taking into account the means and technology available to a data controller or processor at the time of processing, and technological developments through which they might be able to determine the identity of an individual from the data.

Innovative data sharing solutions
The Bill proposes roles for ‘data intermediaries’ to facilitate sharing of personal information. In one scenario, this might allow intermediaries to facilitate Subject Access Requests through Smart Data Schemes. In another scenario, it appears to suggest that intermediaries could be ‘gatekeepers’ managing access to personal data by multiple organisations.

Chapter 2: Reducing burdens on businesses and delivering better outcomes for people

Reform of the accountability framework
The Bill proposes reducing the burden on organisations of demonstrating compliance with data protection legislation.

Proposals include:-

  • introducing a flexible accountability framework, underpinned by ‘privacy management programmes’ that would reflect the level of processing activities and the volume and sensitivity of data handled by the organisation. The proposal suggests elements of the framework that are similar to the clauses of the various ISO management system standards. Privacy management programmes will be required to .

  • replacing the requirement for organisations to appoint data protection officers with a requirement to appoint a suitable senior individual. The proposal isn’t explicit as to whether every organisation would need to appoint a senior individual. Under the current UK GDPR, organisations only require a Data Protection Officer in certain circumstances.

  • replacing the requirement for Data Protection Impact Assessments (DPIAs) with a requirement to implement risk management tools that. The proposal suggests that compliance risk assessments already conducted by organisations may achieve the same outcomes as DPIAs and that those risk assessments are more tailored to the organisation’s processing activities, so removing the requirement for DPIAs would avoid duplication.

  • replacing the requirement to maintain records of processing activities with a flexible record-keeping requirement. Organisations will still need to keep personal data inventories as part of their privacy management programme, but in a less prescriptive way.

  • replacing the current requirement to consult the ICO where an organisation identifies a data processing activity that poses a high risk which cannot be mitigated. The Bill proposes that consulting the ICO would become voluntary.

Subject access requests
The Bill proposes reducing the burden of Subject Access Requests by allowing organisations to refuse, or levy a fee for, requests that are ‘vexatious or excessive’. While this is just a change of wording from the current ‘manifestly unfounded or excessive’ test, it will allow organisations to refuse more requests than they can at present.

Website cookies and similar technologies
The Bill proposes amending the requirements for obtaining ‘user consent’ for cookies to reduce the number of pop-up consent boxes on websites. Users will still be able to decline cookies, but the proposal suggests this could be achieved through the user configuring global settings in their internet browser rather than site by site. This will require some technical development, and the Bill proposes allowing certain ‘non-intrusive’ cookies to be placed on a device without the user’s consent in the meantime.

Direct marketing
Current direct marketing rules permit a ‘soft opt-in’, allowing some marketing by businesses to previous customers unless they have specifically opted out of such communications. The Bill proposes extending the soft opt-in to non-commercial organisations.

Nuisance callers
The Bill proposes giving the ICO greater powers to address nuisance calls generated by rogue direct-marketing firms. It proposes increasing fines for nuisance calls, texts and other serious breaches prosecuted under the Privacy and Electronic Communications Regulations (PECR). Fines would be aligned with current UK GDPR penalties (up to four per cent of global turnover or £17.5 million, whichever is greater) and would take into account the volume of calls generated, rather than the current measure of calls connected. It also proposes introducing a ‘duty to report’ on communications providers to inform the ICO of suspicious levels of traffic on their networks.

Chapter 3: Boosting trade and reducing barriers to data flows
The proposal states that the government wants to remove barriers to cross-border data flows and pursue a number of adequacy assessments to permit transfers to and from a number of geographical areas. Future adequacy tests would follow a framework based on risk assessment. Tests would retain broad requirements to protect individuals’ data, but the proposal would also permit the Secretary of State for Digital, Culture, Media and Sport to consider UK government strategy in adequacy decision-making. The proposal would remove the current requirement to review adequacy decisions every four years in favour of ongoing monitoring.

Chapter 4: Delivering better public services
The proposal includes propositions to address interoperability issues, legal and cultural barriers, inconsistent capabilities and financial issues that it feels restrict collaboration between the public and private sectors.

The proposal would introduce legislation to clarify lawful grounds for private organisations processing data for public bodies.

The government would push forward an ‘Algorithmic Transparency Standard’ to give more information about algorithms that are used for public sector decision-making. Recognising the concerns around police processing of biometric data, the government will work with policing authorities to promote best practice including codes of conduct.

Chapter 5: Reform of the Information Commissioner’s Office
The Bill proposes changing the governance structure of the ICO from its current ‘corporation sole’ model to a governance model with a chair, chief executive and board. The Chair would be appointed in the manner in which the Information Commissioner is currently appointed, but the CEO would be appointed by the board.

The ICO would be set objectives and given duties rather than specific tasks. Objectives would define priorities for the ICO’s activities. An overarching objective to uphold data rights and encourage trustworthy and responsible use of personal data would be set.

The government is considering rolling the roles currently carried out by the Surveillance Camera Commissioner and the Biometrics Commissioner into the ICO.

The ICO would be required to cooperate and consult with other regulators with regard to competition, innovation, and economic growth.

The ICO would be required to set up a panel of experts in relevant fields when developing statutory guidance and would need to carry out impact assessments before publishing guidance.

The Secretary of State would be required to approve Codes of Practice and statutory guidance produced by the ICO before they are presented to Parliament.

The ICO would be allowed to use its discretion to decide when and how to investigate complaints and would be required not to investigate certain types of complaints including vexatious complaints and complaints where the complainant has not first attempted to resolve the issue with the relevant data controller. Data controllers would be required to consider and respond to data protection complaints lodged with them.

To allow more effective investigation, the ICO would be given power to compel witnesses to attend and answer questions at interview as part of its investigations. Investigations will need to be more transparent.

If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environmental, H&S and Business Continuity objectives, then please don’t hesitate to get in touch.