FFT news digest May 17 2019

That WhatsApp hack

The WhatsApp hack shouldn't really come as a surprise, and it won't to anyone who's been on our training courses. As we explain on them, there's a thriving industry in finding ways to compromise smartphones without any user interaction. That shouldn't worry most people because this type of vulnerability is too valuable for large-scale use. And although WhatsApp uses the same encryption protocol as the Signal messaging app, the latest vulnerability was in its voice component which isn't shared with Signal. There's been some horribly loose reporting about this story, with Bloomberg for one tweeting that the "hack shows end-to-end encryption is largely pointless." Bloomberg's article makes clear that end-to-end encryption isn't a magic bullet; clearly, if someone has access to your smartphone they can see everything on it, including your messages. But that doesn't mean the protection it provides is pointless. In general, we believe Signal is a better option than WhatsApp, but if you are a high-risk target then you should seek specialist advice because off-the-shelf solutions can only ever offer limited security.

Intel chip shock

Another set of fundamental and worrying vulnerabilities has been found in Intel microprocessors, affecting almost every chip it has made since 2011. Like the previous issues, dubbed Spectre and Meltdown, the latest bugs exploit weaknesses in the fundamental design of Intel processors, which speed up calculations by predicting what they will need to do next. The latest issue has been given the name ZombieLoad and could allow sensitive information to be extracted directly from the processor. In practical terms, among other things, that means it could be used to steal passwords or access tokens to break into online accounts. The vulnerability isn't trivial to exploit and so far no-one has spotted any examples of it being used. So should we be worried? For most people, patches are being released (Apple, Google and Microsoft have advisories) which will provide adequate mitigation. The real concern is for high-value targets, against whom the effort of an attack would be worth investing. These may need more fundamental protection. In the case of MacBooks, Apple says this will mean a performance hit of up to 40%.

Facial recognition

As San Francisco moved to ban the use of facial recognition by law enforcement, the BBC highlighted the case of a man in London who was arrested after covering his face to avoid being filmed by police. In San Francisco, the supervisor who promoted the ban said there was "a fundamental duty to safeguard the public from potential abuses." The ordinance is largely symbolic, since the technology isn't currently being used in areas over which San Francisco has jurisdiction, but it does illustrate growing concern in the US over the speed with which facial recognition is being adopted. In the UK, police have conducted several experiments using the technology, which critics have called an "Orwellian surveillance tool". The results have not been impressive. Freedom of Information requests revealed a worryingly large number of false matches and a corresponding lack of arrests. In one case, a man who covered his face as he walked by cameras was stopped by officers, forced to submit to being photographed, and then arrested on a charge of public disorder after complaining loudly.

Surveillance ruling

Privacy campaigners have won a victory in the UK Supreme Court which has ruled that government security decisions can be open to challenge in ordinary courts. The ruling - by a majority of 4 to 3 - overturned earlier decisions by the High Court and Court of Appeal which had supported the government's assertion that the Investigatory Powers Tribunal should be exempt from legal action. The Tribunal, which conducts much of its business behind closed doors, examines complaints about the way in which law enforcement and intelligence agencies exercise their powers. The case heard by the Supreme Court focussed on a ruling by the Tribunal that the government's use of generalised warrants to access computing devices did not breach human rights. Privacy International called the decision "a historic victory for the rule of law" and said it paved the way for its challenge to the use of bulk computer hacking warrants.

Cyber Essentials

The UK government sponsors an excellent cybersecurity scheme called Cyber Essentials, but should it be mandatory? A UK IT provider has started a petition calling for exactly that. Evaris Solutions says it should be a legal requirement for organisations with up to 250 employees to meet the criteria for Cyber Essentials, and for those employing more than that to comply with the more demanding Cyber Essentials Plus. It's true that many organisations lack even basic cybersecurity controls, but we're deeply sceptical about the value of a "one size fits all" mandatory scheme (although it would doubtless benefit cybersecurity providers). An interesting approach has been taking place in Scotland, where the government has been offering grants to non-profit organisations in an effort to improve their cybersecurity. Evaris' petition has had limited success - its target was 100 signatures and so far it's attracted 48 - but one benefit might be to promote more discussion of Cyber Essentials and the excellent resources the National Cyber Security Centre offers.

The borrowers

So that old Adobe software you thought you were entitled to use? Not so, according to a message Adobe has been sending to users of older versions of its Creative Cloud applications. Unsurprisingly, the reaction has been unenthusiastic, with a flood of furious tweets expressing what users really think about Adobe. As Adobe customers will be aware, the company 'pivoted' in 2013 and adopted a subscription model. This resulted in a substantial increase in costs for users and revenue for Adobe. (It also led to resource-hungry utilities monitoring users' devices). According to AppleInsider, Adobe's warning stems from "ongoing litigation" with another company, believed to be Dolby. The apps affected include older versions of Photoshop, Premiere Pro and Lightroom Classic. Why would users prefer to stick with an older version? Not least because of the extraordinary number of bugs Adobe spends its time trying to fix (see below).

In brief

Google is recalling its Titan security keys after learning that their Bluetooth connections are open to attack. The keys are intended to increase the security of 2-factor authentication.

Businesses continue to be hit by card skimming attacks. Wired was among the latest victims, saying about 1,100 subscription transactions in April were affected. In an email, it said the stolen data may have included names, addresses, card numbers, security codes, and expiration dates.

A printing snafu claims another trophy with Chubb Insurance managing to (mis)use double-sided printing to send customers not only their details but other people's as well. The UK data regulator told The Register it would investigate.

Owners of some 13" MacBook Pros may be eligible for a replacement SSD module. The replacement program applies to non-Touchbar machines sold in 2017 and 2018.

Employees understand the risks of USB drives, but many are simply ignoring them. A survey found the majority of employees used the devices without permission and nearly half had lost one but didn't report it.

Zara Larsson is a 21-year-old singer and songwriter from Sweden. She's a fan of Game of Thrones but couldn't see the latest episode because her VPN didn't work. The solution: ask her 1.41 million Twitter followers for their HBO credentials. "Hey, no problem!" appears to have been a common response.

Updates

There have been several high-profile issues this week which underline the importance of updates. We advise making sure that smartphones are configured to do this automatically. Devices should be shut down and restarted regularly - and particular attention should be paid to doing this with browsers.

WhatsApp: Patched versions are: iOS v2.19.51, Android v2.19.134, Business for Android v2.19.44, Windows Phone v2.18.348, Tizen v2.18.15. Don't expect to see any details of the security issue that these updates address. The iOS app says only that the update means "You can now see stickers in full size..."

Microsoft: A very serious vulnerability in Remote Desktop Services (aka Terminal Services) has led Microsoft to issue an update for older versions of Windows, including 2003 and XP, that are no longer supported. Other affected products are Windows 7, Windows Server 2008 R2, and Windows Server 2008. The vulnerability means an attacker could connect remotely to an affected device, of which there are millions.

Microsoft: This week also saw the release of monthly updates which address 79 vulnerabilities, 22 rated "critical". The UK National Cyber Security Centre has warned of a specific risk to SharePoint. There are also two critical advisories for Microsoft Live accounts and Adobe Flash Player.

Apple: Updates for watchOS, macOS Sierra, High Sierra, Mojave, Apple TV Software, iOS.

Cisco: Update to address a serious vulnerability in the web interface of Cisco IOS XE Software, as well as multiple vulnerabilities in other products.

Adobe: Updates to address a critical vulnerability in Flash Player and more than 80 flaws in other products.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217