Welcome to the weekly highlights and analysis of the blueteamsec subreddit (and my wider reading). Not everything makes it in, but the best bits do.
Operationally this week, just to note there was another stack-based overflow being exploited in a network product in 2025. Again, time to highlight the Guidance on digital forensics and protective monitoring specifications for producers of network devices and appliances.
In the high-level this week:
How do we incentivise secure by design technology? - UK NCSC publishes our research problem book chapter
CHERI technology for cyber security - Department for Science Innovation and Technology publish - a policy paper - “the Department for Science, Innovation and Technology (DSIT) announced new work to drive the adoption of CHERI.”
Investigating the experiences of providing cyber security support to small- and medium-sized enterprises - University of Nottingham, Queen Mary University of London and University of Kent publish - “Whilst efforts are being made at a national level to increase SMEs’ cyber security and subsequent resilience, findings have highlighted additional opportunities for improvements. These include connecting providers and SMEs (especially those that are at high risk of becoming a victim), fostering collaboration and promoting peer-to-peer learnings.”
Handbook for Cyber Stress Tests - ENISA publishes - “In this handbook, we define a cyber stress test as ‘a targeted assessment of the resilience of individual organisations and their ability to withstand and recover from significant cybersecurity incidents, ensuring the provision of critical services, in different risk scenarios.’ Stress tests focus on resilience, use resilience metrics and can be used to test both preparedness measures and responsive recovery measures.”
The myth of the genius hacker - The Financial Times deconstructs - “The names handed out to cyber criminal gangs don’t just describe their behaviour, they can also shape it. These linguistic choices can inflate a group’s symbolic capital, granting legitimacy to its members, who are often adolescents or young adults seeking peer recognition and prestige.” - although geniuses do exist also..
Interpreting India’s Cyber Statecraft - Carnegie Endowment for International Peace publishes - “Given the strength of its digital economy and innovation, and its potential for further growth in connectivity, digital inclusion, and workforce development, India has considerable latent cyber power.”
Introducing a new framework to analyze ICT activities - UNIDIR publishes - “While it is impossible to provide an exact figure, efforts to assess daily activity in the ICT environment estimate that around 600 million cyberattacks occur each day. For each offensive activity spotted, there is a corresponding defensive response triggered by its very detection.”
A look back at ANSSI's participation in the 2025 edition of Locked Shields - ANSSI publishes - “After two weeks of training, the Franco-Polish team, including French cyberfighters from COMCYBER (Ministry of the Armed Forces) and ANSSI personnel, reached second place on the podium.”
Inactivation of Army’s only active-duty information operations command - US Army announces - “The rise of MDO demands the Army integrate the capabilities that are executed in domains other than air, land, and sea are in incorporated in the scheme of maneuver and the overall operations process. The need for IO is not going away with the command; rather, the Army is forcing it to be integrated throughout the service and its forces. Overall, it’s a step toward where we’ve always wanted/needed to go.”
Reporting on/from China
US warns against using Huawei chips ‘anywhere in the world’ - Financial Times reports - “The commerce department issued guidance to clarify that Huawei’s Ascend processors were subject to export controls because they almost certainly contained, or were made with, US technology.”
How to build a modern industrial system (Policy Q&A: Developing new quality productivity) - People’s daily reports - "We will implement in-depth actions to promote high-quality development of key industrial chains in the manufacturing industry, enhance the industry's scientific and technological innovation capabilities, cultivate and expand new quality productivity, and accelerate the construction of a modern industrial system with advanced manufacturing as the backbone."
Huawei unveils a HarmonyOS laptop, its first Windows-free computer - South China Morning Post reports - “HarmonyOS on PCs includes a wide range of software catering to both work and entertainment needs, such as WPS, China’s alternative to Microsoft Office, and Alibaba Group Holding’s enterprise collaboration platform, DingTalk, according to Chinese tech news outlet ITHome.”
China’s Unitree fixes flaw that gives hackers remote control of robots - South China Morning Post reports - “The start-up downplayed the impact of the vulnerability, noting that the Go1, released in 2021, had been discontinued for about two years. It also said that subsequent models adopted a more secure, upgraded solution.”
US House approves restrictions on partnerships between US and Chinese universities - South China Morning Post reports - “A Republican bill that could severely restrict partnerships between American and Chinese universities passed the full US House of Representatives with bipartisan support on Wednesday, while policymakers also signalled interest in limits on other possible Chinese threats to US national security.”
Nvidia modifies H20 chip for China to overcome US export controls, sources say - Reuters reports - “These specifications will result in significant downgrades from the original H20, including substantially reduced memory capacity, one of the sources said. Another of the sources said downstream customers could potentially modify the module configuration to adjust the chip's performance levels.”
US Treasury examining Benchmark Capital’s ties to Chinese startup Manus AI - Semafor reports - “Yet Benchmark was advised by multiple US law firms that the investment was not covered by the outbound investment restrictions, because Manus was not developing its own AI models. Instead, it was deemed a “wrapper,” the term for a company that builds products that utilize existing AI models.”
AI
DeepSeek founder Liang Wenfeng ‘takes no short cuts’, Li Auto CEO says - South China Morning Post idealises - “Anytime we want to go about changing and improving capabilities, the first step must be to do research,” Li said. “The second step is development. The third is to articulate the capability, while the fourth is to turn that capability into business value.”
Artificial intelligence empowers the construction of a community with a shared future in cyberspace - China Social Sciences Network asserts - “Relying on the autonomous learning ability, real-time analysis ability, prediction ability, and collaborative work ability built by artificial intelligence, a safe communication environment can be provided for cyberspace. First, artificial intelligence can extract risk features from network data, automatically optimize defense strategies through algorithms, quickly identify potential threats in cyberspace, improve the defense index of cyberspace, and ensure that it is in an accurate and stable state.”
Policy Implications of DeepSeek AI’s Talent Base - Stanford publish - “Nearly all of DeepSeek’s researchers were educated or trained in China, and more than half never left China for schooling or work. Of the quarter or so that did gain some experience in the United States, most returned to China to work on AI development there.”
Guidelines for the Responsible Use of Artificial Intelligence in the Public Service - Department of Public Expenditure, NDP Delivery and Reform, Ireland publishes - “The Guidelines are designed to actively empower Public Servants to use AI in the delivery of improved services. By firmly placing the human in the process, they aim to enhance public trust in how Government uses AI. The Guidelines are informed by the Seven Principles for Responsible AI”
Cyber proliferation
John Scott-Railton Testifies Before EU Parliament's LIBE Committee - The Citizen Lab publishes
Spyware victims not allowed to testify at MEP event - EU Observer observes
Bounty Hunting
Alabama Man Sentenced to 14 Months in Connection with Securities and Exchange Commission X Hack that Spiked Bitcoin Prices - US Department of Justice announces - “The conspirators gained control of the SEC’s X account through an unauthorized Subscriber Identity Module (SIM) swap carried out by Council. A SIM swap is a form of sophisticated fraud where a criminal actor fraudulently induces a cellular phone carrier to reassign a cellular phone number from a victim’s SIM card to a SIM card controlled by the criminal actor, in order to access a victim’s social media or virtual currency accounts. As part of the scheme, Council used an identification card printer to create a fraudulent identification card with a victim’s personally identifiable information obtained from co-conspirators. Council used the identification card to impersonate the victim and gain access to the victim’s phone number for the purpose of accessing the SEC’s X account.”
M&S cyber insurance payout to be worth up to £100mn - Financial Times reports - “Allianz is the first insurer on the hook for M&S’s losses, the people added, and is expected to pay at least the initial £10mn. Cyber specialist Beazley is also among the insurers exposed to losses at the FTSE 100 retailer, according to the people familiar with the situation.”
No reflections this week other than everyone should check out the NCSC problem book chapter on How do we incentivise secure by design technology?
All attribution is by others and not the UK Government unless specifically stated as such, please see the legal text at the end.
Have a lovely Saturday..
Ollie
Cyber threat intelligence
Who is doing what to whom and how allegedly.
Reporting on Russia
Operation RoundPress
Matthieu Faou details an alleged Russian operation which is noteworthy for several reasons. One is that a relatively simple web application vulnerability class was used to dramatic effect/impact. Secondly, it is clearly a pattern of activity against this class of product.
In Operation RoundPress, the compromise vector is a spearphishing email leveraging an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page.
In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra.
For MDaemon, Sednit used a zero-day XSS vulnerability. We reported the vulnerability to the developers on November 1st, 2024 and it was patched in version 24.5.1.
Most victims are governmental entities and defense companies in Eastern Europe, although we have observed governments in Africa, Europe, and South America being targeted as well.
We provide an analysis of the JavaScript payloads SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA.
These payloads are able to steal webmail credentials, and exfiltrate contacts and email messages from the victim’s mailbox.
Additionally, SpyPress.MDAEMON is able to set up a bypass for two-factor authentication.
https://www.welivesecurity.com/en/eset-research/operation-roundpress/
Reporting on China
Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan
Pierre Lee, Vickie Su and Philip Chen detail an alleged Chinese campaign which is notable for a range of reasons including technical capability and victimology / target set.
Earth Ammit, a threat actor linked to Chinese-speaking APT groups, launched two waves of campaigns from 2023 to 2024. The first wave, VENOM, mainly targeted software service providers, and the second wave, TIDRONE mainly targeted the military industry. In its VENOM campaign, Earth Ammit's approach involved penetrating the upstream segment of the drone supply chain.
In the VENOM campaign, the threat actors primarily relied on open-source tools due to low cost and difficult tracking. They shifted to custom-built tools like CXCLNT and CLNTEND in the TIDRONE campaign for cyberespionage purposes.
Victims of the TIDRONE and VENOM campaigns primarily originated from Taiwan and South Korea, affecting a range of industries including military, satellite, heavy industry, media, technology, software services, and healthcare sectors. Earth Ammit’s long-term goal is to compromise trusted networks via supply chain attacks, allowing them to target high-value entities downstream and amplify their reach. Organizations that fall prey to these attacks are also at risk of data theft, including exfiltration of credentials and screenshots.
Organizations can mitigate supply chain and fiber-based attacks by managing third-party risks, enforcing code signing, monitoring software behavior and fiber-related API usage, applying patches, segmenting vendor systems, adopting Zero Trust Architecture, and strengthening EDR and behavioral monitoring.
https://www.trendmicro.com/en_us/research/25/e/earth-ammit.html
From the World of “Hacker X Files” to the Whitewashed Business Sphere
Natto Team doing what they do best here discussing the evolution of part of the Chinese system..
nattothoughts.substack.com/p/stories-of-a-chinese-hacker-from
Unveiling Swan Vector APT Targeting Taiwan and Japan with varied DLL Implants
Subhajeet Singha details an alleged Chinese campaign which is overly noteworthy technically but victimology will be of interest.
The ZIP contains a malicious LNK file named, 詳細記載提領延遲問題及相關交易紀錄.pdf.lnk. which translates to, “Shortcut to PDF: Detailed Documentation of Withdrawal Delay Issues and Related Transaction Records.pdf.lnk”, which is responsible for running the DLL payload masqueraded as a PNG file known as Chen_YiChun.png. This DLL is then executed via a very well-known LOLBin that is RunDLL32.exe which further downloads other set of implants and a PDF file, which is a decoy.
https://www.seqrite.com/blog/swan-vector-apt-targeting-taiwan-japan-dll-implants/
Reporting on North Korea
Exposing DPRK's Cyber Syndicate and Hidden IT Workforce
Michael “Barni” Barnhart provides a detailed report on this alleged North Korean threat which has had much written on it.
The DPRK cyber threat is no longer just a matter of espionage—it is a multi-layered, state-aligned criminal enterprise that blurs the lines between cybercrime, geopolitical strategy, and economic warfare. What we’re facing is not a collection of isolated threats, but a coordinated ecosystem: elite operatives from sanctioned universities, IT workers embedded inside global companies, and facilitators laundering funds and providing identities. This ecosystem is designed to exploit trust, technology, and complacency.
https://reports.dtexsystems.com/DTEX-Exposing+DPRK+Cyber+Syndicate+and+Hidden+IT+Workforce.pdf
Reporting on Iran
Nothing overly of note this week..
Reporting on Other Actors
AUTHENTIC ANTICS: Highly targeted credential and OAuth 2.0 token stealing malware targeting Outlook
NCSC UK releases an analysis of an implant which is noteworthy for how it acquires session tokens.
Authentic Antics runs within the Outlook process, displaying malicious login prompts to steal credentials and OAuth 2.0 tokens which can be used to later access victim email accounts.
Extensive defence evasion techniques are employed by AUTHENTIC ANTICS such as environmental keying and removing suspected hooks from within ntdll.dll.
One of the malware stages masquerades as the Microsoft Authentication Library (MSAL) for .NET – available on GitHub – and includes the codebase for it, with classes added to implement malicious functionality. The included MSAL code is not used.
Network communications made by the malware are exclusively with legitimate services.
Victim data is exfiltrated by sending emails from the victim’s account to an actor-controlled email address. The emails will not show in the victim’s sent folder.
Marbled Dust leverages zero-day in Output Messenger for regional espionage
MSTIC detail that Türkiye allegedly runs on to pitch with the exploitation of this zero-day. If true, Türkiye as a regional player will be one to watch..
Microsoft security researchers identified the zero-day vulnerability exploited by Marbled Dust. This directory traversal vulnerability (CVE-2025-27920) in the Output Messenger Server Manager application could allow an authenticated user to upload malicious files into the server’s startup directory. Marbled Dust exploited this vulnerability to save the malicious file OMServerService.vbs to the startup folder.
KeePass trojanised in advanced malware campaign
Tim West & Mohammad Kazem Hassan Nejad detail a campaign which used malvertising again..
this campaign, KeePass’s actual source code was altered, allowing attackers to steal user credentials and deploy Cobalt Strike beacons for deeper network access. This marks growing sophistication in attacker tradecraft —blending watering-hole style attacks with credential theft and post-exploitation tools.
The operation is linked to a prolific Initial Access Broker, likely historically connected to (now seemingly defunct) BlackBasta ransomware, and highlights the growing sophistication of “as-a-service” cybercrime models.
This case underscores the risks of trusted software being hijacked and weaponised. It calls for stronger software integrity checks, better ad platform oversight, and enhanced detection of stealthy loaders.
https://labs.withsecure.com/publications/keepass-trojanised-in-advanced-malware-campaign
Tales from the cloud trenches: The Attacker doth persist too much, methinks
Martin McCloskey details some interesting persistence techniques which are in use in the cloud. One for incident response and detection teams to key off of.
As a result of a recent threat hunt, we observed attacker activity originating from a leaked long-term AWS access key (AKIA*). Within a 150-minute period, we detected five distinct IP addresses attempting to leverage this access key to perform malicious techniques, tactics, and procedures (TTPs).
We observed the attacker enumerating the SSO instance to look at SSO configurations, users, groups, and applications. Afterward, they created a group called secure and a user called Secret, which the attacker added to their group, and assigned a new permission set to that group.
Following this, the attacker updated two configuration options within the SSO instance. First, they modified the MFA configuration of the SSO instance to allow themselves to sign in without MFA. They then extended the session duration for Amazon Q Developer to 90 days, indicating a likely intent to leverage this service in the future.
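The pattern in the quoted hunt (one long-term AKIA key used from five IP addresses inside 150 minutes) translates directly into a CloudTrail check. This is an added example, not code from the original post; the records, key IDs and IP addresses are constructed, and the default thresholds simply mirror the numbers quoted above.

```javascript
// Build a minimal CloudTrail-style record using the standard field names
// (eventTime, eventSource, eventName, sourceIPAddress, userIdentity.accessKeyId).
function ev(eventTime, accessKeyId, sourceIPAddress, eventSource, eventName) {
  return { eventTime, eventSource, eventName, sourceIPAddress, userIdentity: { accessKeyId } };
}

// Constructed sample data. Key IDs are documentation-style placeholders and
// the IP addresses come from the RFC 5737 documentation ranges.
const SAMPLE_EVENTS = [
  // Key A: five source IPs within 140 minutes, touching Identity Center.
  ev('2025-05-10T09:00:00Z', 'AKIAIOSFODNN7EXAMPLE', '203.0.113.10', 'sso.amazonaws.com', 'ListInstances'),
  ev('2025-05-10T09:20:00Z', 'AKIAIOSFODNN7EXAMPLE', '203.0.113.11', 'identitystore.amazonaws.com', 'ListUsers'),
  ev('2025-05-10T09:55:00Z', 'AKIAIOSFODNN7EXAMPLE', '198.51.100.7', 'identitystore.amazonaws.com', 'CreateGroup'),
  ev('2025-05-10T10:30:00Z', 'AKIAIOSFODNN7EXAMPLE', '198.51.100.8', 'identitystore.amazonaws.com', 'CreateUser'),
  ev('2025-05-10T11:20:00Z', 'AKIAIOSFODNN7EXAMPLE', '192.0.2.44', 'sso.amazonaws.com', 'CreatePermissionSet'),
  // Key B: also five IPs, but one per hour, so never five inside one window.
  ev('2025-05-10T09:00:00Z', 'AKIAI44QH8DHBEXAMPLE', '203.0.113.50', 'sts.amazonaws.com', 'GetCallerIdentity'),
  ev('2025-05-10T10:00:00Z', 'AKIAI44QH8DHBEXAMPLE', '203.0.113.51', 's3.amazonaws.com', 'ListBuckets'),
  ev('2025-05-10T11:00:00Z', 'AKIAI44QH8DHBEXAMPLE', '203.0.113.52', 's3.amazonaws.com', 'ListBuckets'),
  ev('2025-05-10T12:00:00Z', 'AKIAI44QH8DHBEXAMPLE', '203.0.113.53', 's3.amazonaws.com', 'ListBuckets'),
  ev('2025-05-10T13:00:00Z', 'AKIAI44QH8DHBEXAMPLE', '203.0.113.54', 's3.amazonaws.com', 'ListBuckets'),
  // Temporary (ASIA) credentials are out of scope for this check.
  ev('2025-05-10T09:05:00Z', 'ASIAEXAMPLEEXAMPLE00', '198.51.100.99', 's3.amazonaws.com', 'ListBuckets'),
];

// Flag long-term access keys seen from >= minDistinctIps addresses inside a
// sliding window of windowMinutes. Returns at most one finding per key.
function findSharedLongTermKeys(events, { windowMinutes = 150, minDistinctIps = 5 } = {}) {
  const windowMs = windowMinutes * 60 * 1000;
  const byKey = new Map();
  for (const e of events) {
    const keyId = e.userIdentity && e.userIdentity.accessKeyId;
    if (!keyId || !keyId.startsWith('AKIA')) continue; // long-term IAM user keys only
    const t = Date.parse(e.eventTime);
    if (Number.isNaN(t)) continue; // skip records with an unparseable timestamp
    if (!byKey.has(keyId)) byKey.set(keyId, []);
    byKey.get(keyId).push({ t, ip: e.sourceIPAddress, action: `${e.eventSource}:${e.eventName}` });
  }

  const findings = [];
  for (const [accessKeyId, rows] of byKey) {
    rows.sort((a, b) => a.t - b.t);
    const ipCounts = new Map(); // ip -> number of events currently in the window
    let start = 0;
    for (let end = 0; end < rows.length; end++) {
      ipCounts.set(rows[end].ip, (ipCounts.get(rows[end].ip) || 0) + 1);
      // Shrink the window from the left until it spans at most windowMs.
      while (rows[end].t - rows[start].t > windowMs) {
        const left = ipCounts.get(rows[start].ip) - 1;
        if (left === 0) ipCounts.delete(rows[start].ip);
        else ipCounts.set(rows[start].ip, left);
        start++;
      }
      if (ipCounts.size >= minDistinctIps) {
        findings.push({
          accessKeyId,
          windowStart: new Date(rows[start].t).toISOString(),
          windowEnd: new Date(rows[end].t).toISOString(),
          sourceIps: [...ipCounts.keys()].sort(),
          actions: [...new Set(rows.slice(start, end + 1).map((r) => r.action))],
        });
        break;
      }
    }
  }
  return findings;
}

for (const f of findSharedLongTermKeys(SAMPLE_EVENTS)) {
  console.log(`${f.accessKeyId}: ${f.sourceIps.length} IPs between ${f.windowStart} and ${f.windowEnd}`);
  console.log(`  actions: ${f.actions.join(', ')}`);
}
```

The actions list in each finding is what a responder would review next for the Identity Center changes described in the quote (new group, new user, new permission set).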
Open-source toolset of an Ivanti CSA attacker
Maxence Fossat walks through the latter stages of the intrusion and the tooling used. Noteworthy due to the relative noise and thus detection opportunities.
In some compromise scenarios, even though the initial access stemmed from the exploitation of zero-day vulnerabilities, later stages were short of such proficient attacker tradecraft. Threat actors were seen using known malicious tools and noisy payloads for lateral movement, persistence and credential dumping.
https://www.synacktiv.com/en/publications/open-source-toolset-of-an-ivanti-csa-attacker
Discovery
How we find and understand the latent compromises within our environments.
AzureADGraphActivityLogs: a new undocumented diagnostic setting that fills a visibility gap
Rad Kawar provides a tip which will be useful to detection teams.
Most security teams already enable "MicrosoftGraphActivityLogs" to monitor Microsoft Graph (graph.microsoft.com). But until recently, the legacy Azure AD Graph API (graph.windows.net) was a blind spot.
Finally, the new AADGraphActivityLogs category captures details of these legacy API requests made to Azure AD Graph endpoint - giving your team visibility into enumeration attempts you've been missing. While undocumented, you can query the log schema at https://api.loganalytics.io/v1/metadata (search for "AADGraphActivityLogs").
Defence
How we proactively defend our environments.
Defending Against UNC3944: Cybercrime Hardening Guidance from the Frontlines
Mandiant outline their recommended defensive approaches against this criminal actor..
The following provides prioritized recommendations to protect against tactics utilized by UNC3944, organized within the pillars of:
Identity
Endpoints
Applications and Resources
Network Infrastructure
Monitoring / Detections
https://cloud.google.com/blog/topics/threat-intelligence/unc3944-proactive-hardening-recommendations
Chrome App-Bound Encryption (ABE) - Technical Deep Dive
Alexander 'xaitax' Hagenah provides a technical breakdown of the feature which one might suggest is better than the vendor's given the qualitative assessment.
App-Bound Encryption marks a commendable and significant enhancement in securing locally stored Chrome data on the Windows platform. By fundamentally tying decryption capabilities to a path-validated COM service, Google has effectively "moved the goalposts" for attackers, compelling them to resort to either privilege escalation or code injection into Chrome itself - both of which are generally "noisier" and more readily detectable actions than straightforward, unprivileged DPAPI calls.
https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption/blob/main/RESEARCH.md
IntuneRBAC
Ugur Koc releases an updated version which will help surface vulnerability..
A comprehensive PowerShell-based tool for managing and auditing Role-Based Access Control (RBAC) in Microsoft Intune. This tool provides detailed insights into your Intune RBAC configuration, including role assignments, scope tags, and permissions.
https://github.com/ugurkocde/IntuneRBAC
ADeleginator
Spencer Alessi provides a tool for those running a legacy environment which includes on-premises Active Directory.
A companion tool that uses ADeleg to find insecure trustee and resource delegations in Active Directory
https://github.com/techspence/ADeleginator
Android Advanced Protection
Il-Sung Lee details their version of lockdown mode. Noteworthy as enabling it turns on a CPU-level feature, in the guise of the Memory Tagging Extension, in an attempt to detect memory corruption.
https://security.googleblog.com/2025/05/advanced-protection-mobile-devices.html
Incident Writeups & Disclosures
How they got in and what they did.
Coinbase breach, customer records taken
The consideration is the point of note here.
the Company has preliminarily estimated expenses to be within the range of approximately $180 million to $400 million relating to remediation costs and voluntary customer reimbursements relating to this Incident, prior to further review of potential losses, indemnification claims, and potential recoveries, which could meaningfully increase or decrease this estimate. The Company plans to aggressively pursue all remedies. As the Company’s investigation is ongoing, the full impact of these events are not yet known.
Vulnerability
Our attack surface.
One-Click RCE in ASUS’s Preinstalled Driver Software
Paul details a vulnerability which implies ASUS doesn’t do security reviews.
However I wasn’t done yet, presumably the program checks if the origin is driverhub.asus.hub and if so it’d accept RPC request. What I did next was see if the program did a direct comparison like origin == driverhub.asus.hub or if it was a wildcard match such as origin.includes("driverhub.asus.com").
When I switched the origin to driverhub.asus.com.mrbruh.com, it allowed my request.
It was obvious now there was a serious threat. The next step was to determine how much damage was possible.
https://mrbruh.com/asusdriverhub/
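The substring check described in the quote, next to an exact-match origin check, as an added example that is not code from the write-up or from ASUS. The function names and the allowlist are assumptions; the two host names are the ones quoted above and the remaining sample origins are constructed.

```javascript
// Assumption: the single origin a local helper service should trust.
const ALLOWED_ORIGINS = new Set(['https://driverhub.asus.com']);

// Weak pattern from the write-up: substring match on the Origin header.
// Any host name that merely contains the trusted name passes.
function looseOriginAllowed(origin) {
  return typeof origin === 'string' && origin.includes('driverhub.asus.com');
}

// Hardened form: parse the header, then compare the normalised
// scheme + host + port tuple against an exact allowlist.
function strictOriginAllowed(origin) {
  // Missing header, or the literal "null" origin sent by sandboxed and file contexts.
  if (typeof origin !== 'string' || origin === 'null') return false;
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // not a parseable URL at all
  }
  // A real Origin header is scheme://host[:port] only; anything more is malformed.
  if (url.username || url.password || url.pathname !== '/' || url.search || url.hash) {
    return false;
  }
  // url.origin lower-cases the host and drops a default port before comparison.
  return ALLOWED_ORIGINS.has(url.origin);
}

// Run both checks over a list of origins and keep the ones where the
// substring check says "allow" but the exact check says "deny".
function disagreements(origins) {
  return origins.filter((o) => looseOriginAllowed(o) && !strictOriginAllowed(o));
}

// Sample Origin header values: the first two are from the quoted post,
// the rest are constructed edge cases.
const SAMPLE_ORIGINS = [
  'https://driverhub.asus.com',            // the intended caller
  'https://driverhub.asus.com.mrbruh.com', // lookalike host from the write-up
  'http://driverhub.asus.com',             // right host, wrong scheme
  'https://driverhub.asus.com:8443',       // right host, unexpected port
  'https://DRIVERHUB.ASUS.COM',            // case differs, same origin
  'null',
];

for (const o of SAMPLE_ORIGINS) {
  console.log(`${o.padEnd(40)} loose=${looseOriginAllowed(o)} strict=${strictOriginAllowed(o)}`);
}
```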
Stack-based buffer overflow vulnerability in API
Exploited in the wild too..
A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder and FortiCamera may allow a remote unauthenticated attacker to execute arbitrary code or commands via crafted HTTP requests.
Fortinet has observed this to be exploited in the wild on FortiVoice.
The operations performed by the Threat Actor in the case we observed were part or all of the below:
Scan the device network
Erase system crashlogs
Enable fcgi debugging to log credentials from the system or SSH login attempts
https://fortiguard.fortinet.com/psirt/FG-IR-25-254
Offense
Attack capability, techniques and trade-craft.
New Process Injection Class: The CONTEXT-Only Attack Surface
Yehuda Smirnov, Hoshea Yarden, Hai Vaknin and Noam Pomerantz detail a technique which should still be easy enough to spot due to the CreateRemoteThread call. The
Most process injection techniques follow a familiar pattern: allocate → write → execute.
In this research, we ask: what if we skip allocation and writing entirely?
By focusing on execution-only primitives, we found distinct approaches to inject code without allocating / writing memory:
Inject a DLL using only CreateRemoteThread.
Call arbitrary WinAPI functions with parameters using SetThreadContext.
Utilize NtCreateThread to remotely allocate, write and execute shellcode.
Expand the technique to APC functions such as QueueUserAPC.
https://blog.fndsec.net/2025/05/16/the-context-only-attack-surface/
PowerDodder
Itay Migdal releases a tool which will be interesting to see how quickly it gets exploited.
PowerDodder is a post-exploitation persistence utility designed to stealthily embed execution commands into existing script files on the host. By leveraging files that are frequently accessed but rarely modified, it targets high-likelihood execution vectors with minimal detection risk.
https://github.com/itaymigdal/PowerDodder
Bypassing BitLocker Encryption: Bitpixie PoC and WinPE Edition
Marc Tanner details a threat scenario and capability some will want to consider.
Even compared to other software attacks such as the “push button decrypt”, the exploitation of the abused bitpixie vulnerability is non-invasive, does not require any permanent device modifications and no complete disk image, thereby allowing a fast (~5 minutes) compromise and more flexible integration in certain social engineering scenarios.
Exploitation
What is being exploited..
Exposed Automated Tank Gauge Systems
Dutch Institute for Vulnerability Disclosure claims attackers are actively changing information in such systems.
We’ve observed real-world incidents of attackers changing tank information, performing reconnaissance, and even launching DoS attacks against these systems. Previous security research has shown that manipulation of these systems could potentially lead to serious safety incidents, as demonstrated by a 2009 explosion in Puerto Rico that was linked to a malfunctioning computerized monitoring system.
https://csirt.divd.nl/cases/DIVD-2025-00005/
Tooling and Techniques
Low level tooling and techniques for attack and defence researchers…
Improving AFD Socket Visibility for Windows Forensics & Troubleshooting
Denis Nagayuk & Francisco Dominguez shine light in some dark corners of Windows with this release.
Windows supports various means of collecting information about networking activity and connections on the system. However, what we demonstrated in this blog post provides a fresh perspective on the subject, as it allows detailed introspection of the state on a per-socket basis. What once was a collection of identical-looking \Device\Afd handles now brings valuable insight into the activity of a process. Ancillary Function Driver's API is lightweight yet powerful, and now its definitions reside in PHNT and power the corresponding features in the Canary builds of System Informer.
https://www.huntandhackett.com/blog/improving_afd_socket_visibility
Official Parity Release of Volatility 3
The Volatility Foundation release..
Volatility 3 has reached feature parity; Volatility 2 is now deprecated.
Volatility 3 supports the latest versions of Microsoft Windows and Linux.
Volatility 3 has many brand new plugins and features never available in Volatility 2.
Volatility 3 will be actively supported for many years.
The Memory Analysis | Malware and Memory Forensics Training course has been completely updated to focus on Volatility 3.
https://volatilityfoundation.org/announcing-the-official-parity-release-of-volatility-3/
Footnotes
Some other small (and not so small) bits and bobs which might be of interest.
Annual report
Secure Domain Name System (DNS) Deployment Guide - NIST SP 800-81 Rev. 3 (Initial Public Draft)
The DCR Delusion: Measuring the Privacy Risk of Synthetic Data
Acting Responsibly in Cyberspace: Lessons from the Defence Industry - “Finally, the use of enforcement mechanisms marks a lesson for cyber that is embedded in compliance within the defence industry. The use of penalties – including fines, sanctions and consent agreements – has increased commercial understanding of irresponsibility and the risks associated while providing a deterrent effect.”
Artificial intelligence
Combining Supervised and Reinforcement Learning to Build a Generic Defensive Cyber Agent
Open Challenges in Multi-Agent Security: Towards Secure Systems of Interacting AI Agents
ZeroSearch: Incentivize the Search Capability of LLMs without Searching
Out of the Loop Again: How Dangerous is Weaponizing Automated Nuclear Systems? - I’ve seen the movie - want to play a game?
Books
Events
Nothing overly of note this week
Unless stated otherwise, linked or referenced content does not necessarily represent the views of the NCSC and reference to third parties or content on their websites should not be taken as endorsement of any kind by the NCSC. The NCSC has no control over the content of third party websites and consequently accepts no responsibility for your use of them.
This newsletter is subject to the NCSC website terms and conditions which can be found at https://www.ncsc.gov.uk/section/about-this-website/terms-and-conditions and you can find out more about how we will treat your personal information in our privacy notice at https://www.ncsc.gov.uk/section/about-this-website/privacy-statement.