FFT news digest Jan 11 2019

Upping the ante

If you can find a way to break into an iPhone remotely, an exploit broker has increased the amount it will pay to $2 million. Zerodium has also doubled to $1 million the amount it is offering for ways to defeat secure messaging solutions like WhatsApp. (Intriguingly, the equivalent price for the most respected messaging tool, Signal, remains at $500,000.) Zerodium makes its money by buying and selling vulnerabilities. Its announcement reflects a vibrant market in 'zero-day vulnerabilities', which by their nature are unknown to the vendor until they are actually used or disclosed. The price rises are likely to reflect the demand for such exploits, rather than a shortage of them. Zerodium is just one of several similar companies offering enormous sums for previously undisclosed vulnerabilities. Dubai-based Crowdfense launched last year with a maximum payout of $3 million.

Under the microscope

The owner of the Weather Channel app is being sued for giving its users' precise location data to advertisers, despite telling them it was needed only for local weather forecasts. A lawsuit brought by the city of Los Angeles (published by the New York Times) says the app, "tracked users' detailed geolocation data for years, analyzing and/or transferring that data to third parties for a variety of commercial and advertising purposes, including for targeted advertisements...and for hedge funds interested in analyzing consumer behavior." Advertisers, businesses and financial institutions have shown an insatiable appetite for location data, as they seek to understand consumer habits and target them with advertising. This week, Motherboard reported that US telcos including AT&T, T-Mobile and Sprint were continuing to sell location data about their US-based customers with little or no oversight about what is done with it. Following the report, AT&T and T-Mobile said they would stop the practice.

Young man, big hack

A 20-year-old German man says he acted alone in publishing personal details of hundreds of politicians and celebrities. Police said the unnamed man, who is reported to be a student living with his parents, "stated that he acted out of annoyance over public statements made by the politicians, journalists and public figures concerned". The data included names, home addresses, phone numbers, email addresses, photo IDs, and personal chat histories. Some of the leaked data could have been taken from publicly available sources, but much was sensitive and police have yet to provide any details about how the information was obtained. Germany's Federal Office for Information Security had apparently known about the leak since early December, but had not told the police.

Facebook app

Facebook has kicked off 2019 by explaining that, despite appearances, it has not reached a deal with various smartphone makers to install its app in a way that means it cannot be deleted. Responding to a Bloomberg report saying Samsung users had complained they could only disable the pre-installed app, Facebook said that disabling it meant it behaved as if it had been deleted. In fact, like many other pre-installed apps, the Facebook app is only an icon until it has been downloaded and installed, but you can see why users might be confused. Meanwhile, Gizmodo has been trawling through Facebook's patent applications to see how it comes up with friend suggestions. Among them is an ingenious way to use camera metadata, including dust on the lens, to predict whether people know each other. Facebook said it had filed plenty of patents but that didn't mean it would use them. That may be so, but it does provide a reminder about the power of metadata.

Cyber insurance

It has emerged that Mondelez, the US food company behind Oreo and Cadbury, is suing its insurance company for refusing to pay a $100 million claim related to the NotPetya cyber attack. The lawsuit, which was filed in Illinois in October 2018, was first reported by a Florida lawyer and picked up this week by the Financial Times. Mondelez's policy from Zurich provided coverage for "physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction." However, Zurich rejected the claim on the basis that the NotPetya attack was a "hostile or warlike action" by a "government or sovereign power." The UK's National Cyber Security Centre assessed the Russian military as being almost certainly responsible for the 'NotPetya' cyber-attack of June 2017, but Moscow has denied the allegation and Zurich will now have to prove it. The case is being closely watched because of its implications for how organisations insure themselves against cyber attacks.

Identity Fraud

A reminder to be careful when providing documents to prove your identity. A Twitter thread tells the unhappy tale of a German apartment hunter who found he hadn't received his salary. When he checked with his HR department, it turned out someone had managed to change the bank details his company was using. Previously, he had uploaded his ID and payslips as part of the process to apply for an apartment. It appears that information was acquired by a criminal who used it to send new payment instructions to his employer. The estate agent involved has denied sharing any information and has published advice on how to protect sensitive data. Diverting salary payments is a profitable activity and we would encourage employers to verify any change to an employee's bank account, through a channel other than the one the request arrived on, before actioning it. We also suggest redacting as much sensitive information as possible from documents that are being sent to third parties.

In brief

Good news from Marriott: only 383 million records were stolen in the breach it announced last month. Less good news: 5.25 million passport numbers were among the stolen information.

Anyone in the UK with a .eu domain name has been warned that they may lose the right to use it in the event of a no-deal Brexit. Under European law, users of the .eu top level domain need to be established in the EU.

Reddit locked a large number of accounts because of concerns they were vulnerable to "credential stuffing", where usernames and passwords stolen in breaches of other sites are tested against online services in bulk. Reddit urged users to choose strong, unique passwords and to turn on two-factor authentication.

A UK court has fined Cambridge Analytica's parent company, SCL Elections, £15,000 after it failed to comply with a Subject Access Request. The UK Information Commissioner said the case showed that, "Wherever you live in the world, if your data is being processed by a UK company, UK data protection laws apply."

A survey has emphasised the importance of reaching small manufacturers in securing the supply chain. The survey found key concerns related to Internet-connected devices, employee error, and security training.

When an offer looks too good to be true, there's almost certainly something nasty lurking behind it. Brian Krebs reports on an ingenious way to steal data from people lured into buying (ridiculously) cheap software. Hint: it's usually a bad idea to upload all your data to someone else's account!

Updates

Microsoft: Monthly updates for Windows, Internet Explorer and Edge, Office, Sharepoint, .NET Framework.

Exchange: update to address memory corruption vulnerability that could be triggered by email.

Adobe: update for Adobe Connect web conferencing software and Digital Editions ebook reader.

Cisco: update for AsyncOS which could crash if it attempts to process a specially crafted encrypted email.

SAP: 11 security advisories, including multiple vulnerabilities in Cloud Connector and Landscape Management - both 'Hot News'.

Android: January update addresses more than 20 vulnerabilities, 1 marked Critical.

G Suite: security-related updates include functionality to warn administrators when data export operations are initiated.

Juniper: 19 advisories addressing critical vulnerabilities in a range of products.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217