FFT news digest May 3 2019

Preparing for the worst

Organisations should work on the assumption that it won't be possible to prevent every future attack, so they should ensure they have comprehensive recovery plans. That's the advice of Lewis Woodcock, the head of cybersecurity compliance at Maersk, the global shipping company that suffered devastating damage as a result of the 2017 NotPetya attack. As ZDNet reports, he was speaking at the CyberUK conference, where he also pointed out that Maersk wasn't even the target of the attack, but still suffered 50,000 infected devices across 600 sites in 130 countries. The episode is estimated to have cost the company some $300 million, and it took 10 days to rebuild its IT infrastructure. Woodcock said protection is critical, but it's also essential to have a data recovery plan, which requires a comprehensive understanding of the organisation's key business processes.

Huawei

We're often asked whether we would buy a Huawei device, given the controversy over the Chinese company's involvement in the rollout of 5G cellular networks. On an individual level, an up-to-date Huawei phone is unlikely to be more vulnerable than any other Android device - though we view iPhones as more secure overall because of the closed nature of Apple's ecosystem. On a strategic level, where Huawei products might be used in cellular networks, the answer is that no one knows. There's no evidence that Huawei products have been deliberately compromised to provide access to the Chinese government, but of course that doesn't mean it could not happen in the future. It's worth pointing out that the UK has a research centre dedicated to evaluating Huawei products. Its latest report (from last July) didn't find any backdoors, but was highly critical of "shortcomings" in Huawei's engineering processes. Of course, that hardly makes Huawei unique (see Updates below).

Darned kids

Kids are natural hackers, as a Twitter thread started by security researcher Troy Hunt amply demonstrates. His 9-year-old has a heavily locked down iPhone, but the young hacker quickly worked out that he could use iMessage to circumvent the controls and watch YouTube videos. This prompted a flood of similar examples. These included a Member of the European Parliament who eventually realised his kids were using his election leaflets to get through the facial recognition lock on his laptop. The Twitter thread shows the limitations of Apple's Screen Time app when confronted by ingenious youngsters. But it also includes examples from the pre-smartphone era, when landlines were still a thing. In one case, a phone was locked with a PIN code (to control dial-up internet sessions). The answer: use redial and record the tones with a dictaphone!

World password day

If you have a spare moment, pay a visit to haveibeenpwned and test one of your passwords to see if it's one that's been stolen. If it has, then it means it's available to criminals who can use it to try to break into your online accounts. (By the way, if you put in 123456 you'll see it's appeared in data breaches no less than 23,174,662 times.) We know people are bored with people like us droning on about the need to avoid reusing passwords, to make sure they are long and strong, and so on. But it's a sad and inescapable fact that poor passwords present an open door for criminals. As regular readers will know, we have a longer guide to the issue, which explains why password managers offer the only workable way to stay safe. They may not be perfect, but they're an awful lot better than the alternatives. Of course, the wider question is why we're still using passwords at all, given that it's so obviously a technology that is no longer fit for purpose. The good news is that alternatives already exist. The bad news is that companies are reluctant to implement them because they're worried users won't use them.

Social media phishing

Over the past year, we've seen a sharp rise in the number of Instagram accounts being hijacked by criminals, and new research confirms the trend. A report from Vade Secure found that social media phishing, mainly focussed on Facebook and Instagram, had seen a 74.7% increase compared to the last quarter of 2018. The report highlights the use of a verified Instagram badge to fool recipients into providing their credentials. It can be a tortuous process to regain control of an Instagram account, so it's well worth making sure it is protected with 2-factor authentication. Among other phishers' favourites, Microsoft remains the most targeted set of solutions, with Office 365 being particularly attractive. Phishing attempts involving PayPal also saw a huge 88% increase. As we say in our training courses, always resist the temptation to follow links or click on a friendly blue button to do anything important. The US Better Business Bureau has good advice.

Scaremongering

NordVPN is a leading provider of Virtual Private Network solutions and the UK's Advertising Standards Authority (ASA) has just told it off for making misleading claims about the risks of public WiFi. NordVPN had run a TV ad which showed someone walking through a railway carriage handing out personal details to strangers. Nine people complained that the advert exaggerated the risk and the ASA agreed. We really dislike this type of advertisement because it amounts to scaremongering, and it's an oversimplification into the bargain. It's true that public WiFi can be dangerous and, in general, it's safer to use cellular data. We have a longer article that looks at the history of WiFi and how to stay safe when using it, including why VPNs are part of the equation.

In brief

In its latest manufacturing embarrassment, Apple has recalled UK-style mains adaptors. It says they may break and create a risk of electric shock.

President Putin has signed a bill into law that will enable Russia to cut off its Internet infrastructure from the rest of the world. Tass said the law was designed to confront threats to the stable, safe and integral operation of the Russian Internet.

The UK data protection regulator has launched a consultation process on a code of practice for journalism. "Increasing the public’s trust and confidence in how their data is used is the ICO’s ultimate strategic goal," it says. The Call for Views closes on May 27.

A reminder of the risk of selling old storage drives. Companies regularly buy a selection of used drives to see what they contain. This latest survey found 42% of the used drives bought on eBay contained sensitive data. The UK data protection regulator has guidance.

United, Delta and American Airlines are covering up the cameras embedded in their seat-back entertainment systems. United told Buzzfeed News, "None of these cameras were ever activated and we had no plans to use them in the future."

A really nasty scam reported by the BBC in which a fraudster posed as actor Jason Statham. A woman is said to have lost hundreds of thousands of pounds after being taken in by someone who contacted her online.

Updates

Dell: update for SupportAssist utility after a 17-year-old researcher discovered a vulnerability that could allow systems to be attacked remotely.

Chrome: time to close Chrome and restart it to make sure it takes the latest update for Windows, Mac and Linux.

Google: has added an option to user accounts that will automatically delete location history, browsing and search data after a set time limit.

Cisco: multiple updates including one rated critical for Nexus 9000 Series Fabric Switches.

SecureDrop: version 0.12.2 adds increased hardware support and improved reliability. SecureDrop is also reminding users that servers need to be upgraded to Ubuntu 16.04.

Oracle: urgent update for WebLogic Server installations to address a vulnerability that is being exploited to infect networks with ransomware.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217