FFT news digest Oct 5 2018

Facebook update

Facebook has sought to reassure users affected by the recent data breach that it didn't affect 3rd-party applications. In a statement, Facebook said it had analysed logs for all apps using its Facebook Login platform, and had "so far found no evidence" that it had been exploited by the attackers. The attack exploited a string of vulnerabilities in Facebook's View As feature and affected at least 50 million users. The vulnerabilities stemmed from changes made in July 2017, and it's not yet clear how long it was possible to exploit them. Facebook hasn't specified what period it has analysed, and we remain cautious about reaching any firm conclusions until the investigation is complete. And, in any case, we continue to advise against the use of social logins such as Facebook Login and Google Sign-In. While convenient, they are not as secure as a password manager, which we recommend as the least worst answer to the challenge of using passwords safely.

Lock up your WiFi

NATO countries have mounted a coordinated publicity campaign against what they say are Russia's "reckless and indiscriminate" cyber attacks against the West. The most detailed accusations came during a highly unusual news conference in the Netherlands which provided a blow-by-blow account of an (extraordinarily inept) attempt to attack the global chemical weapons watchdog, the OPCW. Dutch military intelligence said 4 Russian operatives with diplomatic passports were expelled after they were found with equipment they were using to try to steal login details for the OPCW's WiFi network. Australia, Britain, and the US also issued statements accusing Russia of being responsible for a series of attacks around the world. Unsurprisingly, Moscow has rejected the accusations. From a practical perspective, Russia's tactic of targeting the OPCW's WiFi network underlines a potential vulnerability and the need to ensure such networks are properly protected.

Attacking the supply chain

Bloomberg has accused Chinese state-sponsored attackers of being responsible for a cyber-espionage campaign based on compromising the supply chain for computer servers. In its report, Bloomberg says the attack involved one of the world's biggest suppliers of server motherboards (which, in effect, are the brain of a computer). Bloomberg says during tests carried out on behalf of Amazon, a tiny microchip was found on the motherboards which was not part of the original design. "During the ensuing top-secret probe...investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines," Bloomberg reports. Apple, Amazon, and US government contractors are among those said to be affected. The Bloomberg report is based on unnamed government and corporate sources, and it has drawn a series of vehement denials. True or not, compromising the supply chain has been shown to be one of the most effective ways of attacking a target; securing it is fundamental to managing risk.

Bifurcating the Internet

We've grown used to the Internet being a single global entity, but Eric Schmidt (who chairs Google's parent, Alphabet) says it's about to split in two. CNBC says he told a private event in San Francisco on Wednesday that the most likely scenario would be a "bifurcation into a Chinese-led Internet and non-Chinese Internet led by America." Until now, the Internet has resisted any attempt to vary the standards and protocols that underpin it. Indeed it could be argued that it is designed to do exactly that. Mr Schmidt warns that China's technological prowess combined with its geopolitical evolution creates the risk of a regime "with censorship, controls, etc." Google is already developing a not-so-secret search engine which would support the sort of censorship required by Beijing, and which has provoked protests from Google employees. Meanwhile, Sir Tim Berners-Lee, who invented the web, has published details of Solid, an initiative to allow users to regain control of their personal data.

Unlock or pay up

New Zealand has become the first country to introduce a law under which travellers entering the country will be forced to unlock their digital devices, and face a US$3,000 fine if they refuse. The law, which came into effect on October 1, requires a border agent to have "reasonable" suspicion in order to search a device, though it doesn't define what that means. A Customs spokesman told Radio New Zealand that the search would only apply to the phone itself, not to anything stored in the cloud. In the US, there are few protections for travellers arriving at the border. Officials can demand to inspect a device and refusal will result in deportation for anyone who isn't a citizen or green card holder. Such cases are still relatively rare, but the likelihood of being stopped increases substantially for anyone with exotic stamps in their passport. If there's anything on your device that you would prefer a border agent didn't see then you should delete the local copy and keep a backup at home. The Electronic Frontier Foundation has an excellent guide on the issue.

Rerouting routers

A week after we reported on the need to make sure routers are kept up to date, reports have emerged of an attack affecting tens of thousands of devices around the world. Netlab 360 said attackers were trying to seize control of target devices either by guessing the admin password, or by exploiting a vulnerable configuration script. If the attack succeeds, the criminals change the default Domain Name System (DNS) server on the victim's router to one they control. This is an insidious attack, which allows the attackers to display malicious web pages at will. Netlab 360 says 21 router models are affected, and at the moment most of the compromised devices are in Brazil, with smaller numbers in the US, Russia and other Latin American countries. The DNS Changer attack is just one of 4 methods being used and together they affect more than 70 router models. As we've recommended before, do check your router firmware is up to date and ensure you've changed the default administrator password.

In brief

The UK's data protection regulator, the ICO, appears to be stepping up its efforts to ensure organisations processing personal data pay the relevant fee. The ICO has begun formal action against 34 organisations for failing to do so.

A researcher has found a (laborious) way to bypass the iOS lock screen to access contacts and photos. The hack involves Siri (not for the first time) and is a reminder to ensure it's disabled when the device is locked.

Boris Johnson was among Conservative MPs whose personal details, including their phone number, were revealed by a bug in the party's conference app. The issue was spotted by a Guardian journalist.

After years of making us learn incomprehensible alphanumeric combinations, the people who organise WiFi have decided to simplify their naming convention. When the latest specification is introduced next year, it will be known as WiFi 6 (rather than 802.11ax). Current specifications will also be renamed.

After several years of decline, BitTorrent file sharing is on the rise again, according to a report from networking outfit Sandvine. Demand for shows from the likes of Netflix and Amazon is thought to be responsible.

Kim Kardashian, her sister Kourtney, and US actress, Ruby Rose, head the lists of the most dangerous celebrities to search for online, according to McAfee's latest survey. The report, now in its 12th year, examines which celebrity names are linked to malicious websites. 

Updates


Cisco: updates for 36 vulnerabilities, including 2 critical issues affecting Digital Network Architecture (DNA) Center and Webex software.

Adobe: update addresses 85 vulnerabilities in Acrobat and Reader for both Windows and macOS.

Foxit: update for Foxit PDF Reader and Foxit PhantomPDF addresses 116 vulnerabilities.

Telegram: update to address vulnerability in desktop version which can leak both users' private and public IP addresses during voice calls.

Google: Android’s October security update includes fixes and improvements for Pixel devices, including a resolution for fast-charging issues affecting 2016 Pixel and Pixel XL phones.

Mozilla: updates to fix critical vulnerabilities in Firefox 62.0.3 and Firefox ESR 60.2.2.

Zimbra: releases Collaboration version 8.8.10.
