FFT news digest Feb 1 2019

Spy games

If you're going to mount an operation against a group of leading cybersecurity researchers, you might think it would be done with care. Not so in the case of some hapless operatives who targeted members of the Toronto-based Citizen Lab. As the AP reports, men pretending to be "socially conscious investors" lured researchers to meetings where they sought details of their work and personal lives. In one meeting in a restaurant, an operative recorded the conversation with a camera (poorly) hidden in a pen, not realising his target was recording him. When the operative was confronted by AP reporters, he fled, only to have to return when he realised he hadn't paid the bill. It's not known who was behind the operation, though the New York Times identified that operative as a retired Israeli security official. Citizen Lab has played a leading role in revealing the extent of state-backed hacking activities, and the operation against it is the latest in a series of similar actions against critics of governments and corporations.

UAE laid bare

Activists, journalists and diplomats were among the targets of a group of former US government hackers working for the United Arab Emirates. A Reuters investigation details how the team used sophisticated spying tools, including one (called Karma) which gave them access to the iPhones of their targets. According to the former operatives, Karma exploited vulnerabilities in Apple's iMessage service: all that was needed to compromise an iPhone was to send it a specially constructed message, with no interaction from the user required. It is likely Apple has since patched the vulnerabilities Karma exploited but, as we've reported previously, companies (including one based in the UAE) are willing to pay up to $3 million for similar, undisclosed issues. And, as our next story demonstrates, this week Apple has provided a vivid example of its security frailties.

FaceTime out

Apple is facing investigations and legal action after being forced to withdraw its Group FaceTime service because of an embarrassing security failure. The issue in iOS 12.1 meant that a caller could hear audio (and in some cases see video) from the recipient's device before the FaceTime call had been answered. A Houston lawyer is suing Apple for damages, saying someone was able to eavesdrop while he was taking sworn testimony from a client, and state and federal officials are calling for action. The issue was discovered by a 14-year-old boy whose mother reported it to Apple but says she was ignored. This is not the first time Apple has been slow to respond to reports of security issues in its products. In 2017, a flaw in its desktop and laptop operating system went unaddressed for two weeks despite being discussed in Apple's own developer forums.

Pants down

Facebook and Google were caught abusing Apple's enterprise developer programme to distribute apps designed to gather data from their users. As punishment, Apple briefly revoked the certificates used to sign the companies' internal iPhone apps. The decision is reported to have caused chaos at Facebook, where employees were unable to use apps to access internal information, use company transport, or communicate with each other. As TechCrunch revealed, the Facebook and Google data-gathering apps were designed to provide much deeper information about users' behaviour than would be available otherwise. In Facebook's case, the programme targeted people aged 13 to 35, who were offered up to $20 a month in return for their data. Facebook said it secured the permission of users who installed the monitoring app, but the BBC demonstrated that the process was rudimentary (to put it mildly). Its reporter was able to sign up as a 14-year-old boy, with two children.

SMS vulnerabilities

A UK bank is reported to have fallen victim to well-known security vulnerabilities in SS7, the signalling protocol cellular networks use to route text messages and calls. Motherboard said Metro Bank had confirmed that a small number of its customers had been affected by this type of fraud, though they hadn't been left out of pocket. The UK's National Cyber Security Centre told Motherboard that it was "aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication (2FA)." Criminals regularly offer backdoor access to the SS7 network, with prices as low as a few thousand dollars; with that access, the one-time codes a bank sends by SMS can be redirected to the attacker's handset. We believe SMS is a lousy solution for 2FA, but it is better than nothing. Better still would be to move to an authenticator app or a hardware token, neither of which sends the code over the phone network at all, and the sooner all financial institutions do this the safer everyone will be.

Password fail

Do you share passwords at work? If you do, you're in the majority, because research suggests that's what 69% of people do. A survey by the Ponemon Institute also found that 51% of respondents reused an average of five passwords across their personal and work accounts. The challenge of changing user behaviour is underlined by the fact that more than half of those replying to the survey said they had experienced a phishing attack, but 57% of those said it hadn't changed how they managed their passwords. The report was commissioned by Yubico, which provides hardware security tokens, and the survey involved IT professionals rather than ordinary users. Many of those professionals would probably say they have no choice but to share passwords in order to do their jobs, though that doesn't make it good practice, nor does it excuse the habit of reusing them.

In brief

Be careful how you dispose of a smart light bulb! Researchers took one model apart and found it stored unencrypted copies of WiFi passwords, as well as other sensitive information.

Facebook's annus horribilis has done nothing to dent its financial performance. After 12 months of damaging revelations, it published figures for the last quarter of 2018 showing a record profit of $6.88 billion (compared to $4.27 billion for the previous year).

EU countries have received 95,180 complaints and notification of 41,502 data breaches since enforcement of new data protection rules began last May. The European Commission also said five EU countries had still to adapt their national legislation to incorporate the GDPR.

Bloomberg reports on the profits being made by apps that monitor women's menstrual cycles. More than 100 million women use the apps, which aim to monetise the extremely sensitive data they gather.

Microsoft Exchange 2013 (and later versions) is vulnerable to an attack that can allow any user with a mailbox to become a domain administrator. The issue was discovered by a Fox-IT researcher, whose write-up explains how to mitigate it.

A fake Google update underlines the importance of having an antivirus program and keeping it up to date. Minerva describes how the attack hijacked the genuine updater to hide in plain sight.

Microsoft 365 experienced more problems this week, with users reporting that they could not open links in emails. Microsoft said the problem was caused by its Safe Links infrastructure. There has been a series of problems with Microsoft 365, including authentication issues that prevented connections.

Updates

Firefox: Version 65 includes improved tracking protection. The automatic Windows update has been withdrawn temporarily after users reported problems caused by a conflict with some antivirus programs.

Chrome: Version 72 contains 58 security fixes, as well as changes to Settings and the way search functionality works.

Tails: New version of security-focussed operating system addresses security issues and also provides better support for USB drives.

Ubuntu: Key update addressing a number of security issues in Ubuntu 18.04 LTS.

Google+: Google says the consumer version of its failed social network will close on April 2. All content will be deleted, so anything of value should be downloaded before then. The enterprise version lives on, for the moment.

Microsoft Compliance: Microsoft has begun rolling out its new security and compliance services. These aim to provide administrators with an overview of all Office 365 services so they can monitor regulatory and security compliance.

Windows: Users have reported a series of problems with Windows Update. Many of these were caused by issues in the last major version released last October (which Microsoft has been trying to fix). Now there are reports that Windows Update is failing altogether, with an error message saying it cannot connect to the update service. If you run into this, some users have found that rebooting their router solves the problem.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217