Sophia Antipolis, 24 February 2023

In the light of ten years from the NFV introductory whitepaper, is the new whitepaper the ETSI ISG NFV Network Operator Council (NOC), an advisory group of ISG NFV, launched this week, 10 years after the introductory whitepaper. 

Read More...

Sophia Antipolis, 14 March 2023

To celebrate the 10th anniversary of ETSI NFV, ETSI organized a conference on the “Evolution of NFV towards the next decade” on 6 and 7 March at its facilities. The face-to-face event provided a unique opportunity for the NFV community to reflect on their achievements in the past 10 years and on the way forward. Carriers, vendors, SDOs representatives, and stakeholders from the whole ecosystem came together to debate on challenges and opportunities. They also addressed how to increase the cooperation between various SDOs and the open-source communities to enhance interoperability and to smooth the deployment of cloudified network telecom functions.

Read More...

Sophia Antipolis, 31 March 2023

ETSI is pleased to unveil its 2023 ETSI Fellows who were announced at the 81th ETSI General Assembly on 29 March. The award ceremony took place in the Fernand Leger museum, in Biot, near ETSI facilities in the South of France where art, science and technology mixed beautifully. Scott Cadzow, Hans Johansson and Robert Sarfati were unanimously nominated as ETSI Fellows for their outstanding personal contributions to the organization by the Award committee, composed of the GA Chair and Vice-Chairs, the Board Chair and the ETSI Director-General.

Read More...

Sophia Antipolis, 14 April 2023

Today we expect to be able to communicate anywhere, with everyone, at anytime, on every device and at the same time use various services that will help us save time in our daily life.

Read More...

Sophia Antipolis, 18 April 2023

ETSI’s annual flagship event returns in 2023. This new edition of the ETSI IoT Conference - IoT Technologies for Green and Digital Transformation - will take place on 4-5-6 July 2023 in ETSI premises, Sophia Antipolis, France.

Read More...

Sophia Antipolis, 22 June 2023

On 21 June, a panel debate on ‘30 years of Standards for the Single Market: what way ahead?’ brought together the key stakeholders of the European standardization system. Reflecting on the role of standards in the first 30 years of the Single Market, panelists also discussed challenges ahead in the current geopolitical context.

Read More...

Sophia Antipolis, 24 July 2023

The European Telecommunications Standards Institute (ETSI) and The Critical Communications Association (TCCA) are the proud authorities and custodians of the ETSI TETRA (Terrestrial Trunked Radio) technology standard, one of the world’s most secure and reliable radio communications standards.

Read More...

Sophia Antipolis, 18 April 2024

ETSI is pleased to unveil its 2024 ETSI Fellows who were announced at the 83rd ETSI General Assembly on 16 April 2024.
The Award Committee, composed of the GA Chair and Vice-Chairs, the Board Chair and the ETSI Director-General, unanimously named Dr. Howard Benn, Mr. Philippe Magneron, Dr. Matthias Schneider, Mrs. Isabelle Valet Harper and Mr. Dirk Weiler, as ETSI Fellows 2024 for their outstanding personal contributions to the organization.

Read More...

Sophia Antipolis, 24 May 2024

Speakers at the 10th ETSI/IQC Quantum Safe Cryptography Conference have called on organizations to prepare their cybersecurity infrastructures to address the challenges of a post-quantum world.

Organized by ETSI and the Institute for Quantum Computing, this year’s conference was hosted from 14-16 May by the Centre for Quantum Technologies (CQT), National University of Singapore (NUS), in partnership with the Infocomm Media Development Authority (IMDA) and the Cyber Security Agency (CSA) of Singapore. The event attracted an impressive 235 onsite delegates from 27 countries, reflecting fast-growing interest worldwide in the critical importance of quantum-safe cryptography in today’s cybersecurity strategies.

Read More...

Sophia Antipolis, 29 July 2024

We are thrilled to announce our latest official release of OpenSlice, proudly brought to you by ETSI Software Development Group OpenSlice (SDG OSL). This marks our first release under the ETSI umbrella, reflecting our commitment to excellence and innovation in the field of open-source Operations Support System (OSS) solutions.

We want to keep the community’s interest on par with our highest passion and expectation to revolutionize the way Network as a Service (NaaS) is delivered, and our latest release is a testament to our dedication! With this new release, we introduce significant changes aimed at enhancing user engagement and addressing the contemporary needs of both research and industry sectors on the matter.

"The latest OpenSlice 2024Q2 version is a manifest to our commitment to pave the way for modern telco-cloud requirements, seamless integration and reference implementations for 6G" - Christos Tranoris, Senior Research at UPATRAS and Chair of ETSI SDG OSL.

Read More...

Sophia Antipolis, 8 October 2024

ETSI announces the completion of its Release 3 specifications on Fifth Generation Advanced Fixed Network (F5G-A). Building on the achievements of the Release 1 and Release 2, the ETSI ISG F5G has specified a series of new features and capabilities, further elevating fixed fiber networks to a new level:

• Specification of F5G Advanced
  ETSI ISG F5G unveiled the "F5G Advanced Generation Definition", which not only further enhances existing three foundational features of F5G-Enhanced Fixed Broadband (eFBB), Full Fiber Connectivity (FFC), and Guaranteed Reliable Experience (GRE), but also introduces three new key features: Real-time Resilient Link (RRL), Optical Sensing and Visualization (OSV), and Green Agile Optical network (GAO).

Read More...

Sophia Antipolis, 18 October 2024

One of the event highlights of the year - the ETSI Security Conference – has closed its doors at the end of expert discussions on a range of cybersecurity standardization topics.

195 onsite attendees enjoyed presentations across multiple sessions, over three and a half days, as well as networking opportunities at the breaks - extending into the evening - during the ETSI hosted social events.

Read More...

New essay by Glenda Gilmore just added to Freedom's Story: Teaching African American Literature and History, TeacherServe from the National Humanities Center.

New essay by Nancy MacLean, "The Civil Rights Movement: 1968-2008," added to Freedom's Story: Teaching African American Literature and History, TeacherServe from the National Humanities Center.

This document is only available in PDF format.

National Instrument 93-101 Derivatives: Business Conduct (the Rule) will come into force on September 28, 2024 (the Effective Date), pursuant to section 143.4 of the Securities Act (Ontario).

This document is only available as a PDF.

This document is only available as a PDF.

The Minister of Finance has approved amendments to Ontario Securities Commission (OSC) Rule 91-507 Trade Repositories and Derivatives Data Reporting and consequential amendments to OSC Rule 13-502 Fees (collectively, the Amendments) pursuant to

1. Ontario Securities Commission Rule 91-507 Trade Repositories and Derivatives Data Reporting is amended by this Instrument.

This document is only available in PDF format.

This document is only available in PDF format.

Here is a Storify round up of the SpotOn London session: Enhanced eBooks & BookApps: The

Jenny Evans has created a Storify summary of her SpotOn London session: Collaborating and building your online

Here is a Storify summary of the SpotOn London session: BrainSpace, a global interest graph for

This year, Digital Science are sponsoring the Tools track and we’re grateful to them for

Julia Schölermann is the organiser for this year’s SpotOn London session on, What should the scientific

The place we’re in as a society is a crowded field of scattered tools and

Frequently asked questions about a zero-day vulnerability in Fortinet’s FortiManager that has reportedly been exploited in the wild.

Background

The Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding a zero-day vulnerability in Fortinet’s FortiManager.

FAQ

What is FortiJump?

FortiJump is a name given to a zero-day vulnerability in the FortiGate-FortiManager (FGFM) protocol in Fortinet’s FortiManager and FortiManager Cloud. It was named by security researcher Kevin Beaumont in a blog post on October 22. Beaumont also created a logo for FortiJump.

What are the vulnerabilities associated with FortiJump?

On October 23, Fortinet published an advisory (FG-IR-24-423) for FortiJump, assigning a CVE identifier for the flaw.

What is CVE-2024-47575?

CVE-2024-47575 is a missing authentication vulnerability in the FortiGate to FortiManager (FGFM) daemon (fgfmsd) in FortiManager and FortiManager Cloud.

How severe is CVE-2024-47575?

Exploitation of FortiJump could allow an unauthenticated, remote attacker using a valid FortiGate certificate to register unauthorized devices in FortiManager. Successful exploitation would grant the attacker the ability to view and modify files, such as configuration files, to obtain sensitive information, as well as the ability to manage other devices.

Obtaining a certificate from a FortiGate device is relatively easy:

Comment
by from discussion
infortinet

According to results from Shodan, there are nearly 60,000 FortiManager devices that are internet-facing, including over 13,000 in the United States, over 5,800 in China, nearly 3,000 in Brazil and 2,300 in India:

When was FortiJump first disclosed?

There were reports on Reddit that Fortinet proactively notified customers using FortiManager about the flaw ahead of the release of patches, though some customers say they never received any notifications. Beaumont posted a warning to Mastodon on October 13:

Post by @GossiTheDog@cyberplace.social

View on Mastodon

Was this exploited as a zero-day?

Yes, according to both Beaumont and Fortinet, FortiJump has been exploited in the wild as a zero-day. Additionally, Google Mandiant published a blog post on October 23 highlighting its collaborative investigation with Fortinet into the “mass exploitation” of this zero-day vulnerability. According to Google Mandiant, they’ve discovered over 50 plus “potentially compromised FortiManager devices in various industries.”

Which threat actors are exploiting FortiJump?

Google Mandiant attributed exploitation activity to a new threat cluster called UNC5820, adding that the cluster has been observed exploiting the flaw since “as early as June 27, 2024.”

Is there a proof-of-concept (PoC) available for this vulnerability/these vulnerabilities?

As of October 23, there are no public proof-of-concept exploits available for FortiJump.

Are patches or mitigations available for FortiJump?

The following table contains a list of affected products, versions and fixed versions.

Fortinet’s advisory provides workarounds for specific impacted versions if patching is not feasible. These include blocking unknown devices from attempting to register to FortiManager, creating IP allow lists of approved FortiGate devices that can connect to FortiManager and the creation of custom certificates. Generally speaking, it is advised to ensure FGFM is not internet-facing.

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-47575 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

• Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs
• FortiGuard Labs PSIRT FG-IR-24-423 Advisory

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.

Last month, the Department of Homeland Security announced the availability of $279.9 million in grant funding for the Fiscal Year (FY) 2024 State and Local Cybersecurity Grant Program (SLCGP). Now in its third year, the four-year, $1 billion program provides funding for State, Local and Territorial (SLT) governments to implement cybersecurity solutions that address the growing threats and risks to their information systems. Applications must be submitted by December 3, 2024.

While there are no significant modifications to the program for FY 2024, the Federal Emergency Management Agency (FEMA), which administers SLCGP in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), identified key changes, some of which we highlight below:

The FY 2024 NOFO adds CISA’s KEV catalog as a new performance measure and recommended resource

The FY 2024 notice of funding opportunity (NOFO) adds the CISA Known Exploited Vulnerabilities (KEV) catalog as a recommended resource to encourage governments to regularly view information related to cybersecurity vulnerabilities confirmed by CISA, prioritizing those exploited in the wild. In addition, CISA has added “Addressing CISA-identified cybersecurity vulnerabilities” to the list of performance measures it will collect through the duration of the program.

Tenable offers fastest, broadest coverage of CISA’s KEV catalog

At Tenable, our goal is to help organizations identify their cyber exposure gaps as accurately and quickly as possible. To achieve this goal, we have research teams around the globe working to provide precise and prompt coverage for new threats as they are discovered. Tenable monitors and tracks additions to the CISA KEV catalog on a daily basis and prioritizes developing new detections where they do not already exist.

Tenable updates the KEV coverage of its vulnerability management products — Tenable Nessus, Tenable Security Center and Tenable Vulnerability Management — allowing organizations to use KEV catalog data as an additional prioritization metric when figuring out what to fix first. The ready availability of this data in Tenable products can help agencies meet the SLCGP performance measures. This blog offers additional information on Tenable’s coverage of CISA’s KEV catalog.

FY 2024 NOFO adds “Adopting Enhanced Logging” as a new performance measure

The FY 2024 NOFO also adds “Adopting Enhanced Logging” to the list of performance measures CISA will collect throughout the program duration.

How Tenable’s library of compliance audits can help with Enhanced Logging

Tenable's library of Compliance Audits, including Center for Internet Security (CIS) and Defense Information Systems Agency (DISA), allows organizations to assess systems for compliance, including ensuring Enhanced Logging is enabled. Tenable's vulnerability management tools enable customers to easily schedule compliance scans. Users can choose from a continuously updated library of built-in audits or upload custom audits. By conducting these scans regularly, organizations can ensure their systems are secure and maintain compliance with required frameworks.

FY 2024 NOFO continues to require applicants to address program objectives in their applications

As with previous years, the FY 2024 NOFO sets four program objectives. Applicants must address at least one of the following in their applications:

• Objective 1: Develop and establish appropriate governance structures, including by developing, implementing, or revising Cybersecurity Plans, to improve capabilities to respond to cybersecurity incidents, and ensure operations.
• Objective 2: Understand their current cybersecurity posture and areas for improvement based on continuous testing, evaluation, and structured assessments.
• Objective 3: Implement security protections commensurate with risk.
• Objective 4: Ensure organization personnel are appropriately trained in cybersecurity, commensurate with responsibility.

How Tenable can help agencies meet Objective 2 of the program

Tenable is uniquely positioned to help SLTs meet Objective 2 through the Tenable One Exposure Management Platform. In addition to analyzing traditional IT environments, Tenable One analyzes cloud instances, web applications, critical infrastructure environments, identity access and privilege solutions such as Active Directory and more — including highly dynamic assets like mobile devices, virtual machines and containers. Once the complete attack surface is understood, the Tenable One platform applies a proactive risk-based approach to managing exposure, allowing SLT agencies to successfully meet each of the sub-objectives outlined in Objective 2 (see table below).

Source: Tenable, October 2024

Tenable One deployment options offer flexibility for SLT agencies

Tenable offers SLT agencies flexibility in their implementation models to help them best meet the requirements and objectives outlined as part of the SLCGP. Deployment models include:

• Centralized risk-based vulnerability program managed by a state Department of Information Technology (DoIT)
• Multi-entity projects
• Decentralized deployments of Tenable One managed by individual municipalities,
• Managed Security Service Provider (MSSP) models that allow agencies to rapidly adopt solutions by utilizing Tenable’s Technology Partner network.

Whole-of-state approach enables state-wide collaboration and cooperation

A “whole-of-state” approach — which enables state-wide collaboration to improve the cybersecurity posture of all stakeholders — allows state governments to share resources to support cybersecurity programs for local government entities, educational institutions and other organizations. Shared resources increase the level of defense for SLTs both individually and as a community and reduce duplication of work and effort. States get real-time visibility into all threats and deploy a standard strategy and toolset to improve cyber hygiene, accelerate incident response and reduce statewide risk. For more information, read Protecting Local Government Agencies with a Whole-of-State Cybersecurity Approach.

FY 2024 NOFO advises SLT agencies to adopt key cybersecurity best practices

As in previous years, the FY 2024 NOFO again recommends SLT agencies adopt key cybersecurity best practices. To do this, they are required to consult the CISA Cross-Sector Cybersecurity Performance Goals (CPGs) throughout their development of plans and projects within the program. This is also a statutory requirement for receiving grant funding.

How Tenable One can help agencies meet the CISA CPGs

The CISA CPGs are a prioritized subset of cybersecurity practices aimed at meaningfully reducing risk to critical infrastructure operations and the American people. They provide a common set of IT and operational technology (OT) fundamental cybersecurity best practices to help SLT agencies address some of the most common and impactful cyber risks. Learn more about how Tenable One can help agencies meet the CISA CPGs here.

Learn more

• $1 Billion State and Local Cybersecurity Grant Program Now Open for Applicants
• Protecting Local Government Agencies with a Whole-of-State Cybersecurity Approach
• How to Meet FY 2023 U.S. State and Local Cybersecurity Grant Program Objectives
• New U.S. SLCGP Cybersecurity Plan Requirement: Adopt Cybersecurity Best Practices Using CISA's CPGs
• Study: Tenable Offers Fastest, Broadest Coverage of CISA's KEV Catalog

1. 4Critical
2. 82Important
3. 1Moderate
4. 0Low

Microsoft addresses 87 CVEs and one advisory (ADV240001) in its November 2024 Patch Tuesday release, with four critical vulnerabilities and four zero-day vulnerabilities, including two that were exploited in the wild.

Microsoft patched 87 CVEs in its November 2024 Patch Tuesday release, with four rated critical, 82 rated important and one rated moderate.

This month’s update includes patches for:

• .NET and Visual Studio
• Airlift.microsoft.com
• Azure CycleCloud
• Azure Database for PostgreSQL
• LightGBM
• Microsoft Exchange Server
• Microsoft Graphics Component
• Microsoft Office Excel
• Microsoft Office Word
• Microsoft PC Manager
• Microsoft Virtual Hard Drive
• Microsoft Windows DNS
• Role: Windows Hyper-V
• SQL Server
• TorchGeo
• Visual Studio
• Visual Studio Code
• Windows Active Directory Certificate Services
• Windows CSC Service
• Windows DWM Core Library
• Windows Defender Application Control (WDAC)
• Windows Kerberos
• Windows Kernel
• Windows NT OS Kernel
• Windows NTLM
• Windows Package Library Manager
• Windows Registry
• Windows SMB
• Windows SMBv3 Client/Server
• Windows Secure Kernel Mode
• Windows Task Scheduler
• Windows Telephony Service
• Windows USB Video Driver
• Windows Update Stack
• Windows VMSwitch
• Windows Win32 Kernel Subsystem

Remote code execution (RCE) vulnerabilities accounted for 58.6% of the vulnerabilities patched this month, followed by elevation of privilege (EoP) vulnerabilities at 29.9%.

Tenable Solutions

A list of all the plugins released for Microsoft’s November 2024 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

Get more information

• Microsoft's November 2024 Security Updates
• Tenable plugins for Microsoft November 2024 Patch Tuesday Security Updates

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

TORONTO - The Ontario Securities Commission (OSC) is pleased to announce the release of the 2024 Investment Fund Survey (IFS) data dashboard.

TORONTO – The Ontario Securities Commission (OSC) has issued an award of nearly $150,000 to an international whistleblower who provided information about significant issues at an early-stage firm.

TORONTO – Participating Canadian securities regulators today published the results of their 10th consecutive annual review of disclosures relating to women on boards and in executive officer positions, as well as the underlying data that was used to prepare the report.

#solo12fraud

Finding sources for funding research can be a demanding task, and one that's not always successful. A new trend that's emerging out of the necessity to fund projects that have no traditional means of support is "crowdfunding." A panel at SpotOnLondon weighs the resulting apprehensions and benefits.

Dr Anne Osterrieder is a Research and Science Communication Fellow in Plant Cell Biology at the Department of

Here is a Storify round up of the SpotOn London session: Incentivising Open Access and Open

Here is a Storify round up of the SpotOn London session: ORCID – why do we

Here is a Storify round up of the SpotOn London session: What do you need to

Here is a Storify round up of the SpotOn London session: Tackling the terabyte: how should

As we’re getting ready to make tickets available for this year’s SpotOn London conference, we’re

Marie Boran is a PhD candidate at the INSIGHT Centre for Data Analytics, the National

In preparation for this year’s SpotOn London 2013 workshop, Interdisciplinary research: what can scientists, humanists

As we’re getting ready to make tickets available for this year’s SpotOn London conference, we’re

Damian Pattinson (@damianpattinson) is a co-organiser of the session on Public Health Links, Lost in Translation at

Here is a Storify collating the online conversation around the Open, Portable, Decoupled – How should