FFT news digest Mar 1 2019

Facebook

As Facebook makes further attempts to repair its reputation, New York state is investigating reports that several apps are sending it sensitive data without the consent of users. The Wall Street Journal reported (paywalled) that 11 apps were sharing health and financial data, apparently in violation of Facebook’s own policies. New York’s Governor, Andrew Cuomo, called Facebook’s reported actions an “outrageous abuse of privacy”. Facebook announced it would be rolling out a “Clear History” feature later this year, but that’s unlikely to change attitudes in the UK, where a survey of 2,000 people found that 73% of them believed it was damaging people’s mental health. And another report estimated that cyber crimes enabled by social media are generating at least $3.25bn a year in global revenue.

Cyberwar

Examples from this week underline the central role cyber warfare plays in relations between nation states. The Washington Post reported that the US military blocked a Russian entity from accessing the Internet. It quoted unnamed officials as saying it “was part of the first offensive cyber-campaign against Russia designed to thwart attempts to interfere with a US election.” The target of the attack was said to be the Internet Research Agency, which federal prosecutors have said is financed by an ally of Russian President Vladimir Putin. Meanwhile, attackers linked to North Korea are reported to have been at work in the run-up to the abortive Trump-Kim summit in Vietnam. South Korean researchers said highly targeted emails were sent to unnamed individuals. North Korea has a history of targeting analysts who follow Korean affairs.

Plugin threat

Devices with Thunderbolt ports are vulnerable to attack via malicious peripherals such as chargers and docking stations, according to research from the University of Cambridge and Rice University. The report found that it was possible to take complete control of devices running Windows, macOS and Linux. Researchers warned that the peripherals could carry out an attack while appearing to work normally. The vulnerabilities were first found in 2016 and the researchers have been working with companies including Apple, Microsoft and Intel to address the issues. Security updates have been issued and users are urged to make sure that they are installed when they’re released. However, the researchers warn that the increasing use of multi-purpose ports has increased the risk from malicious devices. To mitigate this, we advise you to use your own cables and ensure you purchase them from reputable sources.

4G/5G

The vulnerability of cellular networks is well known, and now research has found that the 4G and 5G standards are equally frail. The issues discovered by researchers at Purdue University and the University of Iowa enable attackers to track a user’s location and intercept phone calls. They say the flaws can be exploited with equipment costing as little as $200 and they affect networks around the world. This does not mean that ordinary users will be impacted, but anyone concerned about their security should be aware of these vulnerabilities and take advice to remain safe. Meanwhile, Forbes has discovered that a favoured tool for breaking into smartphones can be bought on eBay for $100. The Cellebrite UFED is used by law enforcement agencies around the world, some of whom seem to have decided to earn some spare cash by selling them rather than decommissioning them securely.

Labour lock down

The risks of sharing personal data without permission have been illustrated by a civil servant in the UK who has been prosecuted for emailing details of rival job applicants to his partner. According to the Information Commissioner's Office, the local government official accessed a recruitment system after his partner applied for a job with the council he worked for. When the data breach was discovered, the official resigned and his partner also lost the job which she had succeeded in securing. Instances of informal data sharing are common and in many cases may be entirely innocent. In one case, a Boeing employee asked for help with an Excel spreadsheet only to discover later that it contained personal details of all Boeing’s employees. Training can help, but the real way to help prevent such incidents is to ensure cybersecurity is a live topic in every organisation - and family.

Elegant phishing

Cybercrime is big business and organisations are reported to be willing to pay up to $1 million to experts ready to put their skills to evil ends. Digital Shadows found posts on Dark Web forums offering salaries as high as $90,000 a month, with groups looking for assistance in targeting business executives, doctors and lawyers. Many crime groups are run exactly like a normal business with an executive board covering commercial and marketing functions. Digital Shadows said: “Extortion is in part being fuelled by the amount of ready-made material available on criminal forums. These are lowering the barriers to entry for wannabe criminals with sensitive corporate documents, intellectual property, and extortion manuals being sold on by more experienced criminals to service aspiring extortionists.” More positively, an Argentinian teenager has earned more than $1 million in rewards from technology companies for the vulnerabilities he has identified.

In brief

If you've received a sextortion email, you're not alone. Barracuda says they now account for one in 10 spear-phishing emails, have become increasingly sophisticated and can bypass spam filters.

Terms of Service are long and seldom read, but it's worth taking a look when they change. That's the case with Snapchat because it's a chance to check what it can do with its users' posts. The answer? Everything. Terms of Service; Didn't Read provides a simple guide to common apps.

Scammers have been using fake reCAPTCHAs to make their scams more believable. Sucuri said emails appeared to be a request from a bank to confirm a recent transaction. Clicking on the link would present a page that appeared to contain Google’s authentication mechanism.

The Russian government has adopted legislation to tighten controls on satellite communications. RBC reports that all satellite traffic in Russia will be required to pass through ground stations in the country.

The Democratic National Committee has released updated security guidance in a bid to prevent a repeat of the disastrous breach it experienced during the 2016 Presidential election. The checklist is a basic set of precautions that will make anyone safer.

Security firm EdgeSpot has warned of a vulnerability in the Chrome browser which is being exploited by malicious PDF documents. It says Google won’t release a fix until April and in the meantime advises users to avoid opening PDF files in Chrome.

Updates

Cisco: Further updates to address vulnerabilities in Routers Management Interface (rated 'critical') and Webex solutions (rated 'high').

Drupal: The issue we reported last week is being actively exploited and users are advised to check their installation is up to date.

Ubuntu: Canonical has released the Ubuntu 16.04.6 update to the long-term supported Ubuntu 16.04 LTS (Xenial Xerus) to address a recently discovered vulnerability.

SecureDrop: Latest release is the first to support Ubuntu 16.04 (Xenial). All existing SecureDrop installations need to be manually upgraded from Ubuntu 14.04 (Trusty) to Ubuntu 16.04 before April 30.

Nvidia: Updates to address eight high severity issues in its Windows and Linux graphics display drivers. Users are advised to patch as soon as possible.

SHAREit: Update fixes two flaws that could allow files to be stolen from a device.
