FFT news digest Sep 28 2018

Stuffing your credentials

There's been a sharp rise in attempts by criminals to use stolen credentials to break into accounts, usually financial ones. The technique, known as credential stuffing, is fuelled by the chronic failure of organisations to protect the information they hold about us. In its State of the Internet report, Akamai says it recorded 30 billion malicious login attempts in the 8 months from November 2017. The approach involves systematically trying stolen credentials in the hope that a user will have used the same password for multiple sites. Once they find a successful combination, criminals can assume an identity, gather information, or steal money and goods. This is why reusing passwords is so dangerous, and why we recommend Password Managers as the best way to stay safe.
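Credential stuffing leaves a recognisable trace in authentication logs: a burst of failed logins against many different usernames from one source, unlike a legitimate user who fails repeatedly against one account. The following is an added example, not part of the FFT digest or Akamai's report; it runs a simple detector over constructed, synthetic log lines (format, IP addresses and usernames are all invented for illustration).

```python
"""Added example (not from the digest): flag credential-stuffing bursts in
constructed auth logs. The signal is many failures across many DISTINCT
usernames from one IP inside a short window; a success after such a
spray is the high-priority hit, since that account probably reused a
password already leaked elsewhere."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client IP, username, outcome.
SAMPLE_LOG = """\
2018-09-27T10:00:01Z 203.0.113.5 alice FAIL
2018-09-27T10:00:02Z 203.0.113.5 bob FAIL
2018-09-27T10:00:02Z 203.0.113.5 carol FAIL
2018-09-27T10:00:03Z 203.0.113.5 dave FAIL
2018-09-27T10:00:04Z 203.0.113.5 erin FAIL
2018-09-27T10:00:05Z 203.0.113.5 frank OK
2018-09-27T10:00:10Z 198.51.100.7 grace FAIL
2018-09-27T10:00:20Z 198.51.100.7 grace FAIL
2018-09-27T10:00:30Z 198.51.100.7 grace FAIL
2018-09-27T10:00:40Z 198.51.100.7 grace OK
"""

def parse(log_text):
    """Yield (timestamp, ip, user, outcome) tuples from the constructed format."""
    for line in log_text.splitlines():
        ts, ip, user, outcome = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_failures=5, min_distinct_users=4):
    """Return {ip: (failure_count, distinct_users, users_logged_in_after)}
    for every IP whose failures within `window` span enough distinct
    usernames to look like a stuffing run. A single user retyping their own
    password (one username, a few failures) is deliberately not flagged."""
    events = defaultdict(list)
    for ts, ip, user, outcome in parse(log_text):
        events[ip].append((ts, user, outcome))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):          # sliding window
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            fails = [e for e in in_win if e[2] == "FAIL"]
            users = {e[1] for e in fails}
            if len(fails) >= min_failures and len(users) >= min_distinct_users:
                hits = sorted({e[1] for e in in_win if e[2] == "OK"})
                alerts[ip] = (len(fails), len(users), hits)
                break
    return alerts
```

Accounts listed in the third field of an alert are the ones to force a password reset on, because the success came from a source that had just sprayed credentials against other users.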

Open source intelligence

Two stories this week illustrate the power of open source intelligence, and the scale of information that is publicly available through the internet. The investigative reporting outfit Bellingcat published the identity of a senior military intelligence officer who it said was behind the Salisbury nerve agent poisoning. Russia has dismissed the report as "groundless", but the evidence speaks for itself. Bellingcat began the investigation with just two photographs, and drew on Russian military records, yearbook photos and leaked databases to reach its conclusion. Meanwhile, BBC News Africa published a Twitter thread identifying the Cameroonian soldiers responsible for the barbaric killing this July of 2 women and 2 children. Using some of the techniques perfected by Bellingcat, the BBC was able to refute the Cameroonian government's claims that the killings were "fake news".

Canadian firm faces GDPR fine

A Canadian data analytics company is the first organisation to receive a violation notice under the EU's new data protection regulation. The notice was issued in July by the UK regulator, the ICO, amid investigations into Facebook's approach to personal data. Bizarrely, there was no announcement, and it was only spotted by a data protection expert who told British law firm, Mishcon de Reya, about it. The company involved, AggregateIQ, has denied any wrongdoing, and is appealing against the decision. It's accused of processing personal data without a lawful basis (notably for political advertising connected to the British referendum on membership of the EU). It's the first time the UK regulator has attempted to take enforcement action outside the country, and Mishcon de Reya's view is that the terms of the notice are "wide, and arguably imprecise". This may be so, but the success of AggregateIQ's appeal is likely to depend on being able to demonstrate a lawful basis for what it did with the data. The case is being closely watched to see whether it can do that.

Supply chain security

A new survey suggests a third of UK businesses would end contracts with suppliers which failed to pay sufficient attention to cybersecurity. The research for the Information Service Provider Beaming found a quarter of those questioned wouldn't work with a supplier that didn't have a documented cybersecurity policy in place. A similar number said they would avoid a company if it had been associated with a major cybersecurity breach. The research suggests small businesses are most at risk from failing to pay sufficient attention to the issue. It found that among companies employing between 10 and 49 people, only 51% had a documented cybersecurity policy. The research also suggests a widespread lack of technical measures to prevent and detect malicious activity. We recommend a staged approach to cybersecurity. An excellent starting point is the free advice provided by the UK's National Cyber Security Centre.

UNdone

While delegates to the UN General Assembly in New York were laughing at Donald Trump (or with him, if you believe his version of events), the UN itself was found to be exposing some of its sensitive bits on the internet. First, a researcher discovered that a set of projects on Trello, Jira, and Google Docs hadn't been secured properly. Among the exposed information were account credentials, and internal documents used by the UN for project planning. No sooner was that revealed than Seekurity found it was able to read thousands of CVs submitted by job applicants. Seekurity said the issue appeared to be caused by poor configuration and a failure to patch vulnerabilities in a WordPress platform used to handle employment applications. Time and again, we see data leaked because of a failure to secure applications like Trello and WordPress. It's essential to check their configurations, and to ensure updates are applied as soon as they are released.

What's in your router?

Let's be honest! When did you last check whether the firmware on your router is up to date? If you're like 83% of Americans, the answer is "never!" and the result is that you're vulnerable to attack, according to a study by the nonprofit American Consumer Institute: Center for Citizen Research. The study does add that it's not your fault, because it says many manufacturers do far too little to support their customers, and so it's no surprise routers are ignored once they've been set up. Updates do matter because routers are a tempting target for attackers, as the FBI demonstrated in May when it warned of Russian hackers compromising hundreds of thousands of home and office routers around the world. Details published this week suggest the software behind those attacks (known as VPNFilter) is being actively developed and unpatched devices remain at risk. Now would be an excellent time to check your router...

In brief

That number you gave to Facebook for added security...it turns out it's being used for targeted advertising. Research from Northeastern and Princeton Universities also revealed that it's exploiting people's contact details if it's been uploaded by any of their friends. We look forward to Facebook explaining how this is compliant with European data protection regulation. Gizmodo has a detailed report.

Use of vulnerable open source software components has doubled over the past year, according to new research from Sonatype. It describes "armies of developers, consuming extraordinary amounts of open source components", and warns of new methods being used by criminals to infiltrate supply chains.

To add insult to low pay, criminals are using freelance job sites like fiverr and Freelance to distribute malicious software disguised as offers of work. As MalwareHunterTeam says, take care with files from random people, make sure you have antivirus, and don't enable macros.

Duo Security has warned of potential risks in the way Apple's Device Enrollment Program (DEP) works. Duo advises anyone using DEP to require user authentication before enrolling a device in a Mobile Device Management solution.

With Game of Thrones set to be back on screens next April, anyone tempted to download an illicit episode might be interested to know it's the most popular show for distributing malicious software. Kaspersky found more than 30,000 infected files which led to 170,000 infection attempts.

Uber has agreed to pay $148 million to settle the 2016 data breach in which data on 57 million people was stolen. That's the breach that Uber spent $100,000 trying to hide by bribing the hackers. So that worked well then.

Updates

Cisco: Updates to address 13 high-severity flaws affecting IOS and IOS XE networking software. The issues could enable elevated privileges or be used for denial-of-service attacks. Also patches for Webex Meetings Client for Windows, and 80 other products.

Microsoft: has re-issued updates for Windows 10 because it says it left something out.

Apple: has released the latest macOS version, 10.14 (which it's calling Mojave). It contains significant security fixes and enhancements. Unhappily, a researcher has already shown how a malicious application could obtain data that it shouldn't have access to.

Tails: has warned about an installation/workstation update failure on Tails 3.9. 

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217