FFT news digest Nov 9 2018

Password alert

Do you use the same password for different accounts? If you do, several stories this week demonstrate why now really is the time to stop. First, the banking group HSBC announced that sensitive information about some of its US customers was hacked in October. Second comes an outbreak of Twitter and Instagram hijacking, where criminals seize control of accounts to earn advertising revenue. In both cases, the most likely cause is a practice known as 'credential stuffing', where usernames and passwords stolen in previous data breaches are tested against other services until a working combination is found. The success of this method depends on people's obdurate refusal to stop reusing passwords. A new survey of US consumers found 49% of them believed their security habits made them vulnerable to information fraud or identity theft; a correct belief, given that 51% said they reused passwords and PINs across multiple accounts. Now is the time to get a password manager; we have more details here.
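As an added example (not part of the original digest), the credential-stuffing pattern described above is easy to spot on the service side: one source trying many different usernames in a short window, with the odd success among the failures being the "working combination". The log format and sample lines below are constructed for illustration.

```python
"""Detect credential stuffing in login audit lines (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (hypothetical) audit-line format: "<ISO timestamp> ip=<addr> user=<name> result=ok|fail"
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed sample: one source sprays six usernames in a few seconds and hits one;
# another source is a single user who mistypes their own password twice.
SAMPLE_LOG = """\
2018-11-07T10:00:01Z ip=198.51.100.7 user=alice result=fail
2018-11-07T10:00:02Z ip=198.51.100.7 user=bob result=fail
2018-11-07T10:00:02Z ip=198.51.100.7 user=carol result=fail
2018-11-07T10:00:03Z ip=198.51.100.7 user=dave result=ok
2018-11-07T10:00:04Z ip=198.51.100.7 user=erin result=fail
2018-11-07T10:00:05Z ip=198.51.100.7 user=frank result=fail
2018-11-07T10:00:09Z ip=203.0.113.5 user=alice result=fail
2018-11-07T10:00:20Z ip=203.0.113.5 user=alice result=fail
2018-11-07T10:00:31Z ip=203.0.113.5 user=alice result=ok
"""

def parse(line):
    """Return (timestamp, ip, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["ip"], m["user"], m["result"])

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag sources that try at least `min_users` distinct usernames within `window`.

    Returns {ip: {"tried": [...], "succeeded": [...]}}. Accounts in "succeeded" logged
    in from a stuffing source and should be treated as probably compromised. A single
    user failing repeatedly (one username) is not flagged, so ordinary typos pass.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            by_ip[rec[1]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):          # sliding time window over this source's attempts
            while recs[end][0] - recs[start][0] > window:
                start += 1
            if len({r[2] for r in recs[start:end + 1]}) >= min_users:
                flagged[ip] = {"tried": sorted({r[2] for r in recs}),
                               "succeeded": sorted({r[2] for r in recs if r[3] == "ok"})}
                break
    return flagged
```

Real campaigns often spread attempts across many addresses to stay under a per-source threshold, so the same check is usually also run per user account (many distinct sources per username) and fed by a breached-password blocklist.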

Secrecy. What secrecy?

Dutch police have built something of a reputation for chasing and catching cybercriminals, and messing with their heads in the process. In their latest coup, they said they had succeeded in reading more than a quarter of a million messages that criminals believed were protected by impregnable encryption. According to the police, the suspects had been using Blackbox Ironphones (which cost "thousands of Euros") with an app that implemented end-to-end encryption. Unknown to the criminals, it appears that the Dutch police managed to seize the server being used to route the messages and overcome the encryption. It's not clear how the police were able to do this (not surprisingly, they don't want to say), but anyone hoping to communicate securely should be wary of expensive devices claiming to be impregnable. For most people, Signal offers an acceptable level of security. For people facing specific threats, there are alternatives that avoid a central server and can offer a higher level of security.

Facebook under pressure

The UK data protection regulator says Facebook has shown a "disturbing level of disrespect" for the personal information of voters and has called for new rules to govern political campaigns. Elizabeth Denham told a parliamentary committee, "the time for self-regulation is over", saying legal systems had failed to keep up with the development of the internet. She added that Facebook should "significantly change its business practices" because of a "fundamental tension between its business model and the protection of the privacy of users' data." The UK regulator has referred Facebook to its Irish counterpart, which will investigate how it targets and monitors its users. This investigation will be closely watched because it will examine some of the key elements that drive Facebook's revenues. Facebook's CEO, Mark Zuckerberg, has refused to attend a joint Canadian and British parliamentary committee to answer their questions. Australia, Argentina and Ireland have now joined the committee and renewed the invitation.

Surveillance warning

As Japan expands the use of facial recognition and China implements a tool to recognise people from how they walk, Microsoft's President has repeated a call for regulation so that "2024 doesn't end up looking like '1984'". Brad Smith told a conference in Lisbon that facial recognition could completely change our expectation of privacy and how we live. His comments echo a blog post from earlier in the year in which he warned that facial recognition is far from perfect and currently exhibits inherent biases against non-white people. The pace of adoption was illustrated by an announcement that travellers arriving at Narita airport will soon be able to use their face to prove who they are. And AP reports that China, which leads the world in the use of surveillance technologies, has begun deploying "gait recognition" software that identifies people from how they walk and their body shape. It's designed to work even when faces are hidden from cameras.

Securing your router

WiFi routers are a tempting target for criminals who know that they are often poorly secured and have firmware that is years out of date. This week, researchers said attackers had compromised at least 100,000 routers in what appears to be a campaign designed to send spam email. The criminals exploited a long-standing vulnerability in an implementation of Universal Plug and Play (UPnP), which is designed to make it easier to connect devices together. What's so dangerous about this vulnerability is that the issue lies in a chipset produced by Broadcom which is used by a wide range of manufacturers, including D-Link, Linksys, TP-Link, ZTE and Zyxel. The story is a reminder for domestic users to take a few minutes to check their router. Make sure the firmware is up to date and the default administrator password has been changed. And, even though UPnP is convenient, we suggest you turn it off if your device is one of those affected.

Russia messaging controls

In another step to tighten control over communications, the Russian government has decreed that users of messaging apps will have to have their identity verified. TASS news agency said the rules would come into force in six months' time and would involve a messaging platform working with mobile phone operators to verify a user's identity. Operators will have to record the apps used by their subscribers, and inform a messaging service when a subscriber contract is terminated. It's not yet clear how the law will affect visitors and foreign SIM cards. Russian mobile phone operators already have to verify customer identities as part of rules which came into force in June. The Russian authorities have taken a series of measures to impose stricter controls on communications, including restrictions on tools used for anonymous web browsing. We advise travellers to Russia to seek up-to-date advice on how to communicate safely... and legally.

In brief

It's not just retailers who look forward to Black Friday. Cybercriminals also regard it as a golden opportunity to try to fool us into opening malicious emails. This is a time of year to be particularly cautious of geeks bearing gifts.

Microsoft has published guidance after researchers discovered flaws in the way several types of Solid State Drives (SSDs) are encrypted. The researchers found that bugs in self-encrypting Samsung and Crucial SSDs rendered full disk encryption useless.

The UK data protection regulator has released advice for organisations on how to implement authentication solutions for online services. The regulator suggests considering whether there's an alternative to using a traditional password system, but warns the overriding concern should be security.

Chinese drone maker DJI exposed customer data as well as logs, photos and videos created during flights, according to Check Point Research. The issue affected DJI's website and has since been fixed.

A Russian researcher has released details of a previously unknown vulnerability in Oracle's VirtualBox. The researcher appears to have been irritated by the slow process of engaging with Oracle, which so far has not provided a patch for the issue.

Updates

Apache: Advisory released for users of Apache Struts versions 2.3.36 and earlier. A remote attacker could exploit this vulnerability to take control of an affected system. Struts versions from 2.5.12 are not affected.

Cisco: Multiple updates, including 5 rated "critical" which could allow an attacker to take control of an affected system.

Android: Monthly update includes patches for a wide range of security issues. The most serious could enable a device to be attacked remotely.

Apple: New watchOS 5.1.1 update, which fixes problems with the previous version that rendered devices unusable.

Nginx: Updates for open source web server software address several denial-of-service (DoS) vulnerabilities.

Evernote: Patch for flaw in Windows version which could enable stored cross-site scripting (XSS) attacks.

Zimbra: Releases Zimbra 8.8.10 "Konrad Zuse" Patch 3 and 8.8.9 "Curie" Patch 7, which include a fix for a "major" security issue.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217