FFT news digest  Jun 22 2018

Learning lessons 

Despite the likelihood of suffering a data breach, most executives don't feel their organisations are very good at learning lessons from past mistakes. A global survey by the Economist Intelligence Unit and Willis Towers Watson found "little consensus among boards and executives on cyber resiliency planning, including the deployment of strategies across the organisation, where to allocate funds, and what areas of the organisation are most at risk." The finding is backed up by a separate survey for IBM. Despite the constant stream of high-profile attacks, 77% of respondents admitted to having no formal cybersecurity incident response plan. Our view is that preparation is an essential part of effective governance. Unfortunately, data breaches will happen; working out how to handle them after the fact is likely to make a bad situation worse.

Dangers at work

Lack of training and more mobile working are creating gaping holes in the cyber defences of US businesses. An Ipsos survey for Shred-it revealed a litany of insecure behaviours; 26% of respondents said they left their computer on and unlocked at the end of the day, and 39% left sensitive documents on their desks overnight. So it's not surprising that 18% of businesses said they had experienced a data breach because an employee lost information or had it stolen. Despite this, only 28% of small businesses planned to provide any training for their staff over the next year. We believe making an organisation more secure rests on ensuring every employee understands why it matters, both at work and at home.

Bad ads

Newly discovered malicious software illustrates why it's essential to be cautious about clicking on advertisements, especially those offering free services. The program was discovered by Bitdefender, which named it Zacinlo. It appears to have been in operation since 2012 but became particularly active last year, when it was bundled with what seemed to be a free VPN solution. Once downloaded, it would pretend to perform as a VPN but in fact would only act as a delivery mechanism for the malicious software. Its main aim is to generate advertising revenue by creating fraudulent clicks, but it's also capable of taking screenshots, which could allow it to steal usernames and passwords. Most victims are in the US, with 90% of them running Windows 10.

Unseen

A venerable tool in the criminal's portfolio is making a comeback, this time to combat Microsoft's natural language processing. The ingenious approach involves using a zero-size font to hide words so that they are invisible to the reader but also to language analysers. These work by scanning the content of emails for signs of impersonation or fraud. Researchers from Avanan found examples of malicious emails which would look normal to a human but appear to be random, unthreatening text to a natural language processor. The result is a way to circumvent Microsoft controls and display a malicious link to the user. The answer is to remember the basics and never click on a link to manage an online account. If you're concerned, go direct to the settings by typing in the address in a new browser window.
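
For mail filtering, the useful check is to compare the text a reader sees with the text a scanner extracts. The following is an added example, not code from Avanan or Microsoft: it splits an HTML body on inline zero font-size styles, and the class name, function name and sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline style that sets the font size to zero: "font-size:0", "0px", "0.0em"...
ZERO_FONT = re.compile(r"font-size\s*:\s*0+(\.0+)?\s*(px|pt|em|rem|%)?\s*(;|!|$)", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta"}  # elements with no end tag

class ZeroFontSplitter(HTMLParser):
    """Separates the text a reader sees from the text a naive scanner extracts."""
    def __init__(self):
        super().__init__()
        self.open_flags = []   # one flag per open element: is its font size zero?
        self.visible, self.raw, self.hidden_runs = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            style = dict(attrs).get("style") or ""
            self.open_flags.append(bool(ZERO_FONT.search(style)))

    def handle_endtag(self, tag):
        if tag not in VOID and self.open_flags:
            self.open_flags.pop()

    def handle_data(self, data):
        self.raw.append(data)
        if any(self.open_flags):   # inside an element styled with zero font size
            self.hidden_runs += 1
        else:
            self.visible.append(data)

def analyse(html):
    parser = ZeroFontSplitter()
    parser.feed(html)
    parser.close()
    return {"visible": "".join(parser.visible),
            "scanned": "".join(parser.raw),
            "zero_font_runs": parser.hidden_runs}

# Constructed sample message body.
SAMPLE = ('<p>Your <span style="font-size:0px">qzx</span>account'
          '<span style="font-size: 0">wvk</span> password '
          '<span style="FONT-SIZE:0pt;">jjr</span>expires today</p>')

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Any message where `zero_font_runs` is above zero deserves a second look, and content analysis should run on `visible` rather than `scanned`.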

Password spraying

Microsoft has released a preview of a new tool designed to help eliminate bad passwords. Azure AD Password Protection will protect Azure AD and Windows Server Active Directory accounts. It will work by blocking the most commonly used passwords, as well as variants of them. This matters because of an increasingly popular way of trying to take advantage of our tendency to use poor passwords. 'Password spraying' involves testing a common password like P@55word123 against every user in an organisation. To succeed, attackers only need one person to be using it. The other failures don't ring any alarm bells because each one looks like an isolated, failed login. By preventing bad passwords being used in the first place, the password spray is guaranteed to fail.
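
Because each failure looks isolated per account, detection has to count across accounts. The following is an added example, not part of Microsoft's tool: it runs a per-account lockout check and a cross-account check over the same constructed log, and the log layout, thresholds and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the "time result user source" layout is an assumption.
LOG = """\
2018-06-22T09:00:05 FAIL alice 203.0.113.7
2018-06-22T09:02:10 FAIL bob 203.0.113.7
2018-06-22T09:03:40 FAIL grace 198.51.100.20
2018-06-22T09:03:55 OK grace 198.51.100.20
2018-06-22T09:04:15 FAIL carol 203.0.113.7
2018-06-22T09:06:20 FAIL dave 203.0.113.7
2018-06-22T09:08:25 FAIL erin 203.0.113.7
2018-06-22T09:10:30 OK frank 203.0.113.7
"""

def parse(log):
    """Turn each log line into (timestamp, result, user, source), oldest first."""
    events = []
    for line in log.strip().splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return sorted(events)

def lockout_alerts(events, limit=5):
    """Per-account view: users with `limit` or more failed logins."""
    fails = defaultdict(int)
    for _, result, user, _ in events:
        fails[user] += result == "FAIL"
    return sorted(u for u, n in fails.items() if n >= limit)

def spray_alerts(events, min_users=5, window=timedelta(minutes=30)):
    """Cross-account view: one source failing against many users in a window."""
    fails, ok, peak = defaultdict(list), defaultdict(set), {}
    for ts, result, user, src in events:
        if result == "OK":
            ok[src].add(user)      # remembered so a flagged source's logins show up
            continue
        seen = fails[src]
        seen.append((ts, user))
        while ts - seen[0][0] > window:   # drop failures older than the window
            seen.pop(0)
        targets = {u for _, u in seen}
        if len(targets) >= min_users:
            peak[src] = max(peak.get(src, 0), len(targets))
    return {s: {"targets": n, "logged_in": sorted(ok[s])} for s, n in peak.items()}

if __name__ == "__main__":
    events = parse(LOG)
    print(lockout_alerts(events), spray_alerts(events))
```

Grouping by source address is an assumption of this sketch; failures spread over many sources need the same distinct-user count taken per time window instead.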

HTTPinSecure

There's been an upsurge in the use of websites with valid security certificates to attack users, particularly Netflix subscribers. This underlines the importance of not assuming that a web address beginning HTTPS is safe. The Internet Storm Centre says the attack involves taking over a poorly secured website and using it to create a site that could be mistaken for a genuine Netflix one. Criminals then apply for a certificate for the Netflix-related name, which makes users more likely to think it's genuine. In general, Netflix is hugely popular among scammers, so caution is advised with any emails which appear to come from it. A highly effective tool is available to help combat certificate fraudsters. Called Certificate Transparency, it monitors certificates as they're issued so website owners can see if someone is impersonating them. Researcher Scott Helme has an excellent guide.

In brief

Multi-factor authentication is one of the most effective ways of increasing security but many people don't use it. New guidance from the UK's National Cyber Security Centre sets out how to implement it.

Cambridge Analytica may have collapsed amid scandal and recriminations but the AP reports that at least 4 of its senior officials have set up a new company which is working on President Trump's 2020 campaign.

Is your home a Fortnite home? If so, be aware that the Android version of the hugely popular game is not yet available. Scammers are taking advantage of this to try to persuade users to download a malicious app that could compromise the device.

The Federal Court of Australia has ordered Apple to pay around US$6.6 million in penalties for misleading customers over their rights. Apple had disabled iPhones and iPads which had been repaired by third parties.

Rubbish photo on Facebook? No worries. Using Artificial Intelligence, researchers have come up with a way to insert eyes if you're snapped mid-blink. They've called it 'eye-in painting.'

Many of us may have been frustrated when the website name we want isn't available. Few of us would react by trying to steal it at gunpoint. Sherman Hopkins Jr did. It didn't go well. He's been sentenced to 20 years in a US federal prison. 

Updates

Cisco: 34 updates, including 24 for Firepower firewalls and Nexus switches. 5 are rated 'critical'.

Axis: new firmware addresses seven security issues across nearly 400 cameras (many used for security surveillance).

G-Suite: Google releases update to give administrators more visibility about devices which are accessing corporate data.

SecureDrop: announces next version 0.8.0 due to be released on June 26.
