FFT news digest  Jul 6 2018

Passwords - fix or fail

Half the world's business leaders believe their companies will be a victim of a cyber attack, and details of one of the latest incidents illustrate why they're probably right. Gentoo produces a version of the Linux operating system. It lost access to its GitHub account after attackers took it over. Explaining how this happened, Gentoo says poor password discipline and lack of two-factor authentication were responsible. In particular, it appears that an administrator was using a base password with predictable variations. The absence of two-factor authentication meant that once it was deduced, there was nothing to stand in the attacker's way. In the US, this is the lesson being applied by the Democratic National Committee following the disastrous breaches it experienced in 2016. Chief Technology Officer, Raffi Krikorian, told Cyberscoop, "if we can do the simple things right, then it will have a disproportionally (sic) positive effect."

Cellular insecurity

The flaws in 3G security are well known. Now, research has found that 4G and 5G networks are also vulnerable to surveillance and attack. The research shows how to identify people and the websites they visit by 'sniffing' their cellular data. It also demonstrates a way to attack a connection actively and intercept traffic so that it can be redirected to a malicious website. Separate analysis also details vulnerabilities in the protocol that underpins 4G networks. The Diameter protocol was intended to address some of the issues that afflict its 3G predecessor but Positive Technologies says it is also "prone to attacks aiming to cause denial of service, disclose subscriber and operator information, and defraud operators." Complete defence against a determined adversary is challenging but a VPN on your phone makes a successful attack more difficult.

Listening in

A recurring question we're asked is why we see adverts for items we've talked about but never searched for, and the suspicion is that companies are using the phone's microphone to listen to what we say. We've never seen any evidence of this being done -- and analysis of 17,000 Android apps illustrates why it's not necessary. The research at Northwestern University found none of the apps were using the microphone but many were sharing image and video data without the user's knowledge or consent. Separately, Google has been seeking to reassure Gmail users after the Wall Street Journal (paywall) reported how common it is for third-party app developers to be able to read the contents of emails. Both stories underline how important it is to consider what access you grant apps when you install them.

Honey trapps

Israel has accused Palestinian group, Hamas, of using fake dating and World Cup apps to target the Israeli Defence Forces. Reuters quoted Israeli military security officers as saying three Android apps were designed to infect troops’ phones with data-stealing malware and turn on cameras and microphones for live spying. Targets were approached on social media and encouraged to download the apps. That tactic was used successfully last year when soldiers were taken in by messages from attractive young women who persuaded them to download malicious software masquerading as messaging apps. The latest attack was more sophisticated and the Israeli officers said the World Cup app was actually "very good". They declined to explain why they believed Hamas was responsible.

Browsers; the front line

Web browsers are such an integral part of our lives that it's no surprise they're targeted by criminals and data aggregators. One way to exploit them is to find a popular extension and buy the company behind it in order to take advantage of its popularity. Firefox and Chrome have just removed the 'Stylish' extension after an engineer discovered it was sending data to its owners which could track an individual's browsing history. Stylish allowed users to change the appearance of a webpage, was widely used and was bought last year. Meanwhile, if you manage a website, you should be aware that Google is about to enforce its new policy which will result in Chrome users receiving a warning when they visit unencrypted pages. The change is due to be introduced on July 23 when web pages not running HTTPS with a valid TLS certificate will display a "Not Secure" warning in the Chrome address bar.

The long arm of Californian law

Not to be outdone by the EU, California has introduced privacy legislation which will have similarly far-reaching effects. The California Consumer Privacy Act is the first of its kind in the US and will apply to any organisation that collects, processes or shares the personal data of California residents. The law includes several provisions similar to those in the EU's GDPR, including the right to access data held by an organisation and to demand it be deleted. If you've ever been irritated by having to phone up to cancel a subscription, you might be interested to know the law also ensures anyone who took out a subscription online will be able to cancel it online. And it tightens requirements for what companies have to do at the end of a promotional trial. Perhaps the EU would like to take note.

In brief

Sweeping surveillance legislation has come into force in Russia. It means telecom companies must keep customers' texts, calls, and chat logs in full. Anyone with a Russian IP address or who the authorities believe is based in Russia will be included.

There's nothing criminals like better than a popular game and few are more popular at the moment than Fortnite. Chances are those apps and websites offering cheats are simply fronts for malicious software. Educate and avoid!

iPhone user? Siri listening? Watch UK Defence Secretary, Gavin Williamson, being upstaged by his phone in the House of Commons.

Ingenious attack of the week. 'Thermanator' steals passwords by detecting the thermal residue on a keyboard so it can tell which keys have been pressed.

Logging. Do you even know where to start? The UK’s National Cyber Security Centre has advice for what it calls "the foundation on which security monitoring and situational awareness are built."

A Polish charity faces a $2,700 phone bill after someone stole the SIM card from a tracker it had fitted to a stork to plot its migratory route. The bird reached eastern Sudan before the SIM was repurposed. PIN codes are good...

Updates

Android: updates for 11 vulnerabilities, including three rated Critical and eight rated High risk, affecting the framework, media framework, and system.

VMware: Updates for VMware ESXi, Workstation, and Fusion to address possible information leaks and machine crashes.

Symantec: Releases VPNFilter Check which will test routers and Network Attached Storage devices for compromise.

Thunderbird: Addresses 12 security vulnerabilities, including EFAIL encryption issue.

WordPress: 4.9.7 maintenance and security release fixes 17 bugs.
