FFT news digest May 10 2019

Verizon report

There's a flood of cybersecurity reports every week, but one of the most respected is Verizon's Data Breach Investigations Report (DBIR) which has just been published. The DBIR pulls together information from more than 70 sources and one of its key findings is something we emphasise in our training; we should all treat our mobile devices with care! "Research points to users being significantly more susceptible to social attacks they receive on mobile devices," the report says. Among the other key findings, 43% of breaches involved small businesses, email is used to deliver 94% of malicious software, and 34% of breaches involved people inside an affected organisation (though this last figure is notoriously difficult to calculate). The report also illustrates why it's really important to protect C-level executives, and why 2-factor authentication and training are essential. Verizon's report is well-written, accessible and (relatively) concise. It's well worth a read or, if you're short of time, there's always the executive summary.

Euro election meddling

As Facebook attempts to prevent meddling in this month's EU elections, research underlines the scale of the challenge it faces. SafeGuard Cyber examined social media posts for 5 months up to March 2019 to try to identify malicious activity aimed at shaping public perception in EU member states. Its report focuses on the first 10 days of March, when it found that Russia continued to use misinformation "to exploit and exacerbate developing social fissures and contentious issues." It also shows that rather than creating new material, Russia's current approach is to amplify existing content, particularly to sow division, revise history and undermine verified facts. The job of stopping this falls to some 40 employees at Facebook's Dublin HQ. It's modelled on the "war-room" set up for last year's US elections, and Facebook has been showing it off to the media to highlight its efforts. The problem is the scale of the challenge. The EU has 24 official languages and 28 member states (including the UK). Facebook says its fact-checking programme currently covers content in 16 languages.

HMRC misbehaving

The UK tax office (HMRC) is to delete some 5 million voice recordings that it used to create biometric IDs without receiving explicit consent to do so. The decision follows a ruling by the Information Commissioner's Office (ICO) in response to a complaint by Big Brother Watch. As Big Brother Watch pointed out, HMRC gathered recordings of callers to some of its helplines without providing a choice in the matter. The ICO agreed this was a "significant" breach of the EU's General Data Protection Regulation, and warned organisations to be "transparent and fair". "Innovative services," it said, "must not be at the expense of people's fundamental right to privacy." HMRC will keep 1.5 million recordings made since October, when it introduced changes to make the system compliant. Under Data Protection legislation, UK taxpayers can ask HMRC to disclose whether it holds a voice recording of them.

What they know about us...

The UK data regulator, the ICO, has launched a campaign to help us understand how organisations are using our data to target us online. The snappily-named "Be Data Aware" campaign does contain useful information, including about how "micro-targeting" works. But there are other resources that provide a much more vivid illustration of how our data is being exploited. Whotargets.me provides fascinating insights into how voters are targeted with tailored messages (or propaganda). And this week, online security platform vpnMentor released an interactive tool that takes the pain out of reading privacy policies by doing it for us. Who's Watching You reveals the extent of the data that is gathered. Unsurprisingly, Facebook and Instagram appear to track as much as possible, including battery level, nearby WiFi and phone masts. For a deeper dive into the world of surveillance, media start-up Tortoise has a long read on the subject.

War and cyber war

The online and the real world collided on Sunday when Israeli jets destroyed a building in the Gaza Strip apparently housing Hamas' "CyberHQ". In a tweet, the Israeli Defence Forces said the airstrike followed a thwarted Hamas cyber offensive. Commentators have described the airstrike as setting a precedent by using lethal force in response to a cyber attack. That may be overstating the case, since it's hardly the first time non-frontline combatants have been targeted. But three years after NATO declared "cyber" to be an official battleground in modern warfare, it does illustrate a clear direction of travel. The power and risks of cyber warfare were illustrated this week by research suggesting that China acquired US hacking tools and added them to its own arsenal. According to Symantec, rather than stealing the tools, it managed to seize them during an attack by the US on its computers.

Amazon fraud

Amazon has revealed it suffered an extensive fraud which allowed criminals to withdraw funds from merchant accounts last year. Amazon's admission came in a UK legal filing first reported by Bloomberg. The criminals managed to break into around 100 seller accounts and funnelled cash from loans or sales into their own bank accounts. Amazon said the fraud lasted six months but hasn't revealed how much money was stolen. It did say that it believed the accounts were most likely compromised by users being fooled into giving up their passwords. Amazon offers 2-step verification and we highly recommend you turn it on. Ideally, use an authenticator app rather than SMS-based codes. This isn't a magic bullet, but it makes it an awful lot harder to break into your account.

In brief

We don't dislike Android devices, but the number of pre-installed apps on them is a concern, and it's one echoed by researchers in the US and Spain. They say these apps represent a bigger threat to security and privacy than most users understand. We recommend deleting any apps you don't use.

A credit card hacking campaign is affecting more than 100 e-commerce websites. Qihoo 360 says the attacks are ongoing. We say websites involving payments should use Content Security Policy and Subresource Integrity.

Security researcher Graham Cluley warns of an attempt to phish his Amazon Web Services (AWS) credentials. The email asked for confirmation of the domain record for a website. This is a common phishing lure but, as Cluley says, it's rarer to see AWS being impersonated.

Russian hackers have developed a highly stealthy way to attack Microsoft Exchange mail servers. ESET said the 'backdoor' gives attackers full control over the server. More details and what to do here.

An Airbnb "superhost" has been arrested after a guest found a camera hidden inside an internet router in the apartment's bedroom. The South China Morning Post says the incident happened in eastern China and the "superhost" had been filming his guests for 2 months.

Updates

Cisco: Series of updates to fix 'critical' vulnerabilities in Elastic Services Controller and Nexus 9000 software-defined networking (SDN) software.

WordPress: 5.2 release implements digital signing of update packages (a major step forward for WordPress security).

Sierra Wireless: Critical flaws in its 5G gateway allow code to be executed remotely (remote code execution and command injection).

Drupal: Updates to address medium-level vulnerabilities.

Tails: Emergency release to fix a critical security vulnerability in Tor Browser.

Zimbra: 8.8.12 “Isaac Newton” Patch 2 and 8.8.11 “Homi Bhabha” Patch 5 released.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217