FFT news digest Mar 15 2019

Public cloud links

If you use a cloud service to share data, now would be a good time to check what information is visible and who can see it. The risks of sharing publicly viewable links are illustrated by the security business Adversis, which found more than 90 companies inadvertently exposing vast quantities of information, some of it extremely sensitive. Among the companies were Apple, the TV network Discovery and the flight reservation system Amadeus. Although the issue was found with the Box cloud service, any solution that creates publicly viewable links is potentially affected. It's essential that users understand the risks of such links and that administrators regularly audit what data is being publicly shared. Box has detailed advice on the measures that can be taken.

Marriott and due diligence

Don't underestimate the importance of due diligence. That's one of the main messages from Marriott International following the breach of Starwood's reservation database. Marriott bought Starwood in 2016, and CEO Arne Sorenson told a US Senate subcommittee that the IT team's engagement had been "quite brief". Investigations into the breach revealed that attackers had access to Starwood's systems for more than 2 years. As a result, 383 million guest records were exposed, including 5.25 million unencrypted passport numbers (although duplicate entries mean the actual number of people affected may be lower). Marriott puts the cost of the breach at $28 million, but all but $3 million has been covered by insurance.

Password spraying

The FBI says international criminals exploited weak passwords to attack the technology giant Citrix and steal company information. Citrix said it was investigating what information had been stolen, but there was no indication that the security of its products or services had been compromised. As with most such attacks, it's not clear who was responsible, although the security firm Resecurity pinned the blame on an Iranian-linked group. More important is the method used by the attackers. According to the FBI, this probably involved a technique called "password spraying", which involves trying a small number of common passwords against many accounts until a working combination is found. The best defence against such attacks is to ensure passwords are strong and never shared, and to implement multi-factor authentication. The UK's NCSC published advice last year.
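The pattern that distinguishes spraying from a conventional brute-force attempt is one source failing against many different accounts rather than many failures against one account. The following detection sketch, added here as an example and not taken from the digest, the FBI or the NCSC, runs that check over a constructed set of authentication events; the log format and the window and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data): timestamp, result, user, source IP.
# 203.0.113.7 fails once each against five accounts, then logs in as erin: spraying behaviour.
# 198.51.100.4 fails twice against alice and then succeeds: an ordinary mistyped password.
SAMPLE_LOG = """\
2019-03-12T09:00:01 FAIL alice 203.0.113.7
2019-03-12T09:00:03 FAIL bob 203.0.113.7
2019-03-12T09:00:05 FAIL carol 203.0.113.7
2019-03-12T09:00:08 FAIL dave 203.0.113.7
2019-03-12T09:00:10 FAIL erin 203.0.113.7
2019-03-12T09:00:12 SUCCESS erin 203.0.113.7
2019-03-12T09:05:00 FAIL alice 198.51.100.4
2019-03-12T09:05:30 FAIL alice 198.51.100.4
2019-03-12T09:06:00 SUCCESS alice 198.51.100.4
"""

def parse(log):
    """Turn the assumed 'timestamp result user ip' lines into tuples."""
    events = []
    for line in log.splitlines():
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: (distinct accounts failed, accounts that also succeeded)} for every
    source that failed against at least min_users distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in sorted(events):
        by_ip[ip].append((ts, result, user))
    alerts = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):  # slide the window over this source's events
            failed, succeeded = set(), set()
            for ts, result, user in evs[i:]:
                if ts - start > window:
                    break
                (failed if result == "FAIL" else succeeded).add(user)
            if len(failed) >= min_users:
                # Accounts that failed and later succeeded are the ones to force a reset on.
                alerts[ip] = (len(failed), sorted(failed & succeeded))
                break
    return alerts
```

A single-account brute force (many failures, one user) never reaches the distinct-account threshold, so it should be caught by a separate rule rather than by loosening this one.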

Cybercrime at scale

Cybercrime is a vast business, and it's getting bigger and more expensive for organisations to deal with the consequences. The Ninth Annual Cost of Cybercrime Study from Accenture and the Ponemon Institute says the average cost of an incident rose to $13 million, but it warns that theft isn't always the motive. It identifies a new type of attack which aims to breed distrust by destroying or altering an organisation's data. And it says that attackers continue to target users as the weakest link in the security chain. The report makes 3 key recommendations to organisations: protect against people-based attacks, invest in tools to limit information loss and disruption, and exploit new technologies to control the costs of uncovering attacks.

Email invalidation

A marketing technology company has managed to expose almost a billion records because it failed to protect an online database. According to the researcher who found it, the data included email addresses, phone numbers, business leads and personal details. A large number of the records have not been seen in previous data breaches. The database belonged to an Estonian company, Verifications.io. Its ineptitude is particularly ironic given that the database was intended to enable marketing companies to check the validity of their mailing lists. You can use the Have I Been Pwned website to check whether your email address is included. While there, it's also worth using the Passwords section to check how secure your passwords are. If your passwords have appeared in a data breach, they're not secure. Check out our guide on what to do.

USB stuck

A survey found more than two-thirds of second-hand USB sticks bought in the US and UK had data on them, some of it worryingly sensitive. Amongst the information found in the study by the University of Hertfordshire were legal documents, payslips...and, um, photos of a nude middle-aged man together with his contact details. In many cases, the sellers had tried to delete the contents but without success. It's a reminder that deleting data in such a way that it can't be recovered is a time-consuming and convoluted process. Indeed, the US National Institute of Standards and Technology has 56 pages of advice on the subject. Even taking a large hammer to the device isn't guaranteed to do the job. Given the value of second-hand USB sticks, we'd be inclined not to bother trying to sell them.

In brief

Remarkably, Facebook, Apple and Google were all hit by extensive outages this week. Facebook said the cause was a "server configuration change." No word yet on what happened to Google Drive, Gmail and multiple Apple services.

Google Docs is a brilliant collaboration tool. Now teens have apparently co-opted it as their preferred way to chat to each other when they don't want adults seeing what they're up to. And, according to The Atlantic, they're up to exactly what you might imagine!

Major TV companies have joined forces to create a standard that will support targeted advertising on smart TVs. AdWeek says a prototype of the "addressable" standard should be ready shortly and should be able to exploit marketing data from any source.

Attackers have been targeting WordPress websites running an old version of an e-commerce plugin. The vulnerability in Abandoned Cart Lite For WooCommerce was addressed in an update in February.

Yet another "sextortion" campaign, this one with the subject "This is my final warning." Bleeping Computer has details. There seems to be no end to this scam which tries to persuade the recipient they have been recorded while visiting an adult website.

On a related subject, just when you thought the Internet of Things couldn't get any weirder, a "collective of social entrepreneurs" launches a camera designed to be worn...on the male member. Their tagline: "Explore and enjoy, 'Be the Director'." They appear to be serious.

Updates

Microsoft: Monthly update for more than 60 vulnerabilities, including two Windows issues that have been exploited in targeted attacks.

Google: March update addresses 45 issues, 11 rated critical.

Adobe: Updates for critical vulnerabilities in Photoshop CC and Digital Editions.

Cisco: Updates address a critical vulnerability in Cisco Common Services Platform Collector (CSPC) software. Cisco also warned of an issue with its Small Business SPA514G IP Phones for which a fix is not yet available.

WordPress: Update to fix vulnerability in versions 5.1 and earlier that could be exploited to take control of an affected website.

Firefox: A new service allows you to share files via a link and set limits on how long or how often they can be downloaded.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217