FFT news digest  Aug 3 2018

Why SMS is not 2FA

We are evangelists for the benefits of 2 factor authentication, but a data breach at Reddit has demonstrated why mobile text messages are a lousy way to implement it. The news aggregation and discussion platform said it learned last month that attackers had compromised a few employee accounts and stolen data including source code, messages and an old database backup containing salted, hashed passwords. "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept," Reddit explained. In fact, we might all have hoped that a company with a web presence like Reddit's would have known this already: a code sent by text message can be captured by SIM-swapping, by compromising the mobile carrier or by abusing the SS7 signalling network, so it is the weakest kind of second factor. Along with using a password manager, setting up 2 factor authentication is the simplest way to improve security. Most services offer alternatives to text messages as the way to generate the code that is needed to complete the login process, such as an authenticator app that computes time-based one-time codes on the device itself, or a hardware security key. Where they haven't, we suggest telling them to get their act together, or moving elsewhere.

Pegasus rides again

Amnesty International says Israeli-made surveillance tools have been used to attack it, amid reports of a growing number of similar examples around the world. In a detailed report, the human rights group said a malicious WhatsApp message was sent to one of its employees with a link that appeared to be about a protest at the Saudi embassy in Washington DC. Amnesty said it tracked the link to infrastructure used by the NSO Group. NSO produces a tool called Pegasus which has been widely used to attack activists around the world. Researchers at the University of Toronto's Citizen Lab say they have counted around 175 publicly reported targets of NSO's products, including around 150 in Panama alone. In a statement to Amnesty, NSO said its tools were "intended to be used exclusively for the investigation and prevention of crime and terrorism." That intention seems very far from reality.

Dixons confesses

Dixons Carphone has admitted that its data breach is far more extensive than first announced. Initially, it said 1.2 million records were affected but, in a statement to the London Stock Exchange, it revised that figure to around 10 million. "These records do not contain payment card or bank account details and there is no evidence that any fraud has resulted." The obvious response is that absence of evidence is not evidence of absence, since Dixons is hardly in a position to know how the stolen data is being used. More broadly, the incident emphasises the need to have an accurate inventory of what personal data is held and where, so that if a breach happens it is possible to mount a coherent response rather than dribbling details out over an extended period. On a practical level, if you think you're affected, the UK government has advice here.

German broadcasters attacked

Public service broadcasters in Germany are reported to have been attacked by hackers linked to Russian military intelligence. Der Spiegel reports that ZDF and WDR were attacked in early June but says it's not clear if any data was stolen. A similar campaign is reported to have been launched against Switzerland's Spiez Laboratory, which studies protection against chemical, biological and nuclear weapons. In June, the German government warned against "particularly high-quality" cyber attacks on German media companies and chemical weapons research organisations. It said it believed a "highly savvy and extremely aggressive" group codenamed Sandworm was behind the attacks, which used targeted emails to 'spear-phish' individuals and exploit vulnerabilities in Microsoft products.

Managing privileges

The importance of managing user privileges is underlined by a data breach at British shipping services company, Clarksons. In an update, Clarksons said the breach lasted for five months last year and resulted from unauthorised access to "a single and isolated user account". The information stolen contains a treasure trove of details and, for the company's employees, includes pretty much everything about them, down to their medical records and religious beliefs. It's not clear whether the attackers knew who to target or were simply lucky in finding a single account with access to so much information. Either way, one compromised account should never be able to reach that much data. As in the case of Dixons Carphone, such access should be protected with 2 factor authentication. As importantly, users with elevated privileges should be managed so that they only log in with those rights when absolutely necessary, and use an ordinary account the rest of the time. And that applies to our own private accounts as well.

Microsoft plea

Driven mad by Windows updates? You're not alone, and a veteran Microsoft expert has just written to the company's bosses to tell them to get their act together. In an excoriating letter reposted on Bleeping Computer, Susan Bradley recited a litany of complaints including: unreliability, unwanted features, and failed updates. As she says, "the quality of updates...have placed customers in a quandary: Install updates and face issues with applications, or not install updates and leave machines subject to attack." Microsoft has yet to respond to her complaints, which are based on a comprehensive survey of consultants and consumers. Of course, Microsoft is far from alone in facing questions over the quality of updates, and the issue has become a significant security problem for companies and individuals alike: every update that breaks something makes the next one less likely to be installed promptly.

In brief

Technical support scams are targeting Apple users with emails to try to lure them to fake websites. Ars Technica says the attacks appear linked to a campaign aimed at fooling iPhone users into installing a rogue mobile device management solution.

Google appears determined not to lose access to the Chinese market. Reports say that not only is it planning a censored search engine, but is also developing a news app designed to work within government restrictions.

Researchers say the gestures you use to control your smartphone can "uniquely identify and track users".

And separate research suggests that surveillance cameras will be capable of identifying personality traits. The researchers say it will work by using artificial intelligence to track behaviour such as eye movements.

Kaspersky Lab reports that a campaign targeted more than 400 Russian industrial companies by sending highly personalised emails disguised as procurement and accounting documents.

France is to ban the use of smartphones and tablets in schools. The restrictions will apply to 3-15 year olds from next month.

Updates

Cisco: Multiple security updates. The most important affects Cisco Prime Collaboration Provisioning.

G Suite: will now alert administrators if accounts are being targeted by government-backed attackers. Google has also launched its own two-factor security key, Titan, to compete with market leader Yubico.

Google Maps: location sharing will now send your phone’s battery status so people can see why you're not responding...

Drupal: update for Drupal 8.x to address a vulnerability that could allow a remote attacker to take control of an affected system.

Atlassian: The Register reports that Jira Service Desk users have been advised to change their helpdesk email account passwords after credentials were sent to strangers' servers.

MikroTik: A reminder to ensure enterprise routers are patched after devices in Brazil were found to be subverted for cryptomining.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217