Notices by Ravi Nayyar (ravirockks@infosec.exchange), page 4

Folks, this guidance on countering Salt Typhoon/Friends is not rocket science to implement if you have budget and a Board which cares about the core business.

Question is: do you have those two things?
https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/enhanced-visibility-and-hardening-guidance-communications-infrastructure

UK PRA proposing major incident reporting obligations + amendments to reporting requirements re third party arrangements.

Consultation page: https://www.bankofengland.co.uk/prudential-regulation/publication/2024/december/operational-incident-and-outsourcing-and-third-party-reporting-consultation-paper

@GossiTheDog Putting our cyber colleagues aside, why aren’t the cyber journos at specialist/mainstream outlets covering Handala?

‘… requiring accounts to enable two-factor authentication if they have direct access to the codebases that power plugins and themes’.

AT LAST.
https://cyberscoop.com/wordpress-two-factor-authentication-supply-chain/

'Incognito, a darknet drug marketplace, purchased the news site Darknetlive in November 2022. They have since used it to suppress criticism and steer public perception in their favor. This shift in ownership is chilling Tor journalism, ensuring that an invaluable publication will one day be seized and censored by government: DeepDotWeb’s history repeating'.

Bit to unpack there.
https://darkdot.com/articles/darknetlive-sold/

Fundamental points by Prof Ciaran Martin about the British Library incident and its aftermath.

= Why resilience matters.

https://ciaranmartin.substack.com/p/on-the-matter-of-the-british-library

@patrickcmiller I hope whomever came up with the headline got a tank full of ice cream.

'One highlight of the platform is the HuggingFace API ability with their Python library, which allows developers and organizations to integrate models, read, create, modify, and delete repositories or files within them.

'In this groundbreaking research, our team has unearthed a staggering number of 1681 valid tokens laid bare through HuggingFace and GitHub, ushering us into unprecedented discoveries.

'This massive effort enabled us to gain access to 723 organizations' accounts, with some of the most high-valued organizations, including giants like Meta, HuggingFace, Microsoft, Google, VMware, and more. Intriguingly, among these accounts, 655 users’ tokens were found to have write permissions, 77 of them to various organizations, granting us full control over the repositories of several prominent companies. Notably, some of the organizations with such extensive access included EleutherAI(Pythia), and BigScience Workshop(Bloom), highlighting the extent of our research's impact and its potential implications in the realm of supply chain attacks and organizational data integrity.

'The gravity of the situation cannot be overstated. With control over an organization boasting millions of downloads, we now possess the capability to manipulate existing models, potentially turning them into malicious entities. This implies a dire threat, as the injection of corrupted models could affect millions of users who rely on these foundational models for their applications'.
https://www.lasso.security/blog/1500-huggingface-api-tokens-were-exposed-leaving-millions-of-meta-llama-bloom-and-pythia-users-for-supply-chain-attacks

@patrickcmiller What's an 'opposition government'?

🫡