Security News

The NSA on Thursday released guidance to help organizations secure their communication systems, specifically Unified Communications and Voice and Video over IP. UC and VVoIP are call-processing systems that are used for communications and collaboration by many enterprises, including government agencies and their contractors. The NSA has warned that if these systems are not properly secured, they are exposed to the same risks as IP systems, including software vulnerabilities and various types of malware.

The National Security Agency has shared mitigations and best practices that systems administrators should follow when securing Unified Communications and Voice and Video over IP call-processing systems. Since these communication systems are tightly integrated with other IT equipment within enterprise networks, they also inadvertently increase the attack surface by introducing new vulnerabilities and the potential for covert access to an organization's communications.

A former government contractor who was given the longest federal prison sentence imposed for leaks to the news media has been released from prison to home confinement, a person familiar with the matter told The Associated Press on Monday. Reality Winner, 29, has been moved to home confinement and remains in the custody of the federal Bureau of Prisons, the person said.

Reality Winner, the former NSA intelligence contractor who leaked evidence of Russian interference in a US Presidential election to the press, has been released from prison. Her attorney Alison Allen announced that Winner, 29, had been let out early on Monday due to "exemplary" behavior while inside.

The U.S. National Security Agency used a partnership with Denmark's foreign and military intelligence service to eavesdrop on top politicians and high-ranking officials in Germany, Sweden, Norway, and France by tapping into Danish underwater internet cables between 2012 and 2014. Details of the covert wiretapping were broken by Copenhagen-based public broadcaster DR over the weekend based on interviews with nine unnamed sources, all of whom are said to have access to classified information held by the Danish Defence Intelligence Service.

From the dates and the title, the George Davida patent application which NSA unsuccessfully tried to block would have been US4202051A, for a key stream generator based on a LFSR combined with a non-linear feedback circuit. "In April 1978 a patent application made by Carl Nicolai for a speech scrambling device was evaluated by the NSA using Inman's new criteria. Once again, there was disagreement between NSA directorates. Neither Research and Engineering nor COMSEC believed that Nicolai's invention should be classified. Howard Rosenblum, DDC, noted that Nicolai employed 'a sophisticated use of well-known, open-source techniques' of spread spectrum technology and that 'so many unclassified spread spectrum systems are already in the public domain that it is too late to try to close the door by imposing secrecy orders based solely on the fact that the system uses spread spectrum techniques.'"

Microsoft has announced plans to ensure data processing of EU cloud services within the borders of the political bloc in a move that expert observers claim reveals problems with the firm's existing setup. In a blog, Brad Smith, Microsoft's president and chief legal officer, said the software and cloud services giant would, by the end of 2022, enable EU customers of Azure, Microsoft 365, and Dynamics 365 to have all their data processed physically within the EU. To my understanding, there would still be direct access to data and keys from the US in this new Microsoft setup.

Technical documentation and proof-of-concept exploit code are available for a high-severity vulnerability in Microsoft Exchange Server that could let remote attackers execute code on unpatched machines. A technical write-up has been available since April 26 from security researcher Nguyen Jang, who previously released a short-lived PoC exploit for ProxyLogon vulnerabilities.

The U.S. National Security Agency last week released a cybersecurity advisory focusing on the security of operational technology systems, particularly in terms of connectivity to IT systems. The advisory shares recommendations for evaluating risks and improving the security of connections between IT systems, which can often serve as an entry point into industrial networks, and OT systems.

According to the U.S. National Security Agency, which issued an alert Thursday, the advanced persistent threat group known as APT29 is conducting "widespread scanning and exploitation against vulnerable systems in an effort to obtain authentication credentials to allow further access." The five bugs under active attack are known, fixed security holes in platforms from Citrix, Fortinet, Pulse Secure, Synacor and VMware that organizations should patch immediately, researchers warned.