FFT news digest Jul 12 2019

Bring on the fines

The EU's data protection regulation bared its teeth this week as the UK regulator revealed its intention to impose multi-million pound fines on British Airways and the Marriott hotel group. Both companies say they're "disappointed" and will challenge the decisions. The proposed fines are significant: £183 million for BA and £99 million for Marriott. Both companies cooperated with the Information Commissioner's Office (ICO), which is likely to have reduced the amounts. The ICO hasn't given a detailed explanation for the decisions, but in BA's case it criticised "poor security arrangements" which resulted in the theft of some 500,000 customers' card details. The data was stolen by the Magecart hacking group, which exploited BA's failure to secure the JavaScript used on its payment pages. A relatively simple control called Subresource Integrity (SRI) can stop this class of attack: the page carries a cryptographic hash of each script it expects, and the browser refuses to run a script whose contents don't match. The caveat is that SRI only protects scripts whose hash you have pinned; a script altered on the same server that publishes the page will simply be republished with its new hash, so SRI needs to be paired with monitoring of the scripts themselves. Anyone running an e-commerce site should be aware that Magecart is still highly active. This week RiskIQ reports that the group has been breaching websites by scanning for misconfigured, publicly writable Amazon S3 buckets and inserting skimming code into any JavaScript files it finds there.

Smaller fine. Salutary warning

At the other end of the financial scale, the power of the General Data Protection Regulation (GDPR) was also demonstrated in Romania, where a hotel has been fined for failing to secure a list of guests having breakfast. The Romanian regulator said the hotel at the World Trade Center in Bucharest had allowed the printed list to be photographed and therefore had not implemented "adequate technical and organizational measures to ensure a level of security appropriate to the risk of accidental or unlawful processing." In this case the fine is only €15,000, but it demonstrates that no one should be under any illusion: the power of the GDPR will be exercised even in what appear to be trivial cases. Personal data on paper in public places is an obvious risk which all organisations need to consider and manage.

Gone FinFishing

A powerful spyware product has made a reappearance, according to researchers from Kaspersky. FinSpy (also known as FinFisher) has been spotted in almost 20 countries, most recently in Myanmar. It's sold as a lawful-intercept tool and is theoretically only available to government clients, but it has repeatedly been found deployed against activists and journalists. Citizen Lab has tracked its use by governments around the world. Kaspersky says the mobile implants are "capable of collecting personal information such as contacts, SMS/MMS messages, emails, calendars, GPS location, photos, files in memory, phone call recordings and data from the most popular messengers." The Android implant is designed to exploit known vulnerabilities in unpatched devices to gain root; the iOS version appears to require a device that has already been jailbroken. Documents leaked in 2014 revealed that the going rate for FinSpy at the time was €1.4 million.

Targeting storage devices

The latest targets for ransomware criminals appear to be Network Attached Storage (NAS) devices made by the Taiwanese company QNAP. Security company Anomali says the attackers are focusing on devices used for file storage and backup, which they reach through unsecured, internet-facing ports. Once a device is identified they attempt to brute-force weak credentials to gain access. NAS devices are popular targets because they're frequently exposed to the Internet and updates may not be installed promptly. As Anomali advises, it's essential to keep these devices up to date and to restrict external access (ideally to a VPN rather than port-forwarding the admin interface). Above all, change any default credentials on internet-connected devices and lock out accounts after repeated failed logins. QNAP owners have been filling discussion forums with tales of repeated brute-force attempts against their devices.

Malicious apps

A new strain of malicious software underlines the need to be careful about installing smartphone apps. The malware, discovered by Check Point, targets Android devices and replaces legitimate apps with copies that display fraudulent advertisements. Previously, devices were infected after users downloaded an app from the third-party '9Apps' store. Now, Check Point says the criminals appear to have succeeded in uploading malicious apps to Google's official Play Store, though these have since been removed. According to Check Point, the company behind the malware is based in the Chinese city of Guangzhou and has a legitimate front that helps Chinese developers publish Android apps abroad. Almost all of the apps designed to infect devices are games and screen themes. Such apps are best avoided, but if you do install them, make sure the device has a threat-prevention app installed and that Play Protect is enabled.

Netflix and chill...at work

Need to finish off that Netflix box set? No need to stay up all night. A developer has come up with a way to watch at work while looking like you're on a conference call. Netflix Hangouts is an extension for Chrome that turns the programme stream into one box in a four-way call. The idea is that you watch the programme in the bottom right-hand corner while your three fake colleagues engage each other in meaningful conversation. It sounds like a fast route to a disciplinary conversation, but the people behind it have come up with similar ideas over the years. Among them is a version of the Times New Roman font that takes up 5-10% more space than the original, invaluable when trying to reach the required page count for a writing assignment.

In brief

Scammers are using Microsoft OneNote 'Audio Notes' as the lure in a new phishing campaign. The emails claim to have been scanned by McAfee's antivirus solution, according to Bleeping Computer.

Google has revealed details of an iPhone bug that, once triggered, could only be fixed with a full device wipe. The issue causes an iPhone to crash repeatedly if it receives a specially formatted message (a 'text bomb'). The problem was addressed in iOS 12.3.1, so it's essential to make sure this update is installed.

Beware emails with HTML attachments. Avanan says they're increasingly popular with attackers because the phishing page or redirect is carried inside the attachment itself, so there is no link in the message body for URL-reputation filters to inspect.

Vulnerabilities have been disclosed in the USB receivers used by Logitech wireless devices. The issues affect wireless keyboards and presentation remotes which use Logitech's "Unifying" 2.4 GHz radio technology. The company says it plans to address some though not all of the vulnerabilities.

Apple has disabled its Walkie Talkie Watch app because it could be exploited to eavesdrop on other iPhones. Apple told TechCrunch the app would return once it's fixed.

A renewed DNS hijacking campaign is targeting organisations in Greece, Sudan, Cyprus and the US. Cisco Talos says the attacks are being used sparingly, but they are a reminder to protect the registrar and DNS-provider accounts that control your records with multi-factor authentication, and to consider a registry lock on critical domains.

Updates

Microsoft: Monthly batch of updates addresses 77 vulnerabilities, including two privilege-escalation flaws that are being actively exploited; both give an attacker who already has a foothold elevated rights on the target computer. 15 other vulnerabilities are rated "Critical". Some users have reported problems after installing the update.

Firefox: Updates to address multiple vulnerabilities in Firefox and Firefox ESR which could be used to take control of an affected system. A reminder to restart your browser to ensure updates are installed.

Cisco: Security updates fix 18 vulnerabilities across multiple products, including Unified Communications Manager and Small Business Switches. 10 of the issues are rated "High" impact.

Joomla: Version 3.9.10 fixes a bug introduced in Joomla 3.9.9 which affects the template styles of multilingual sites and results in lost data.

Tails: Version 3.15 addresses security issues in Tor Browser, Thunderbird, Expat, OpenSSL and Vim.

SecureDrop: The latest version includes bug fixes. Users are advised to update the SecureDrop code on their workstations manually because the recent attacks on the GPG keyserver infrastructure can break the usual key-based update check.

Subscribe to receive the digest by email

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217