FFT news digest Aug 2 2019

Capital One

Another calamitous security failure, this time at US finance giant, Capital One, which failed to secure the personal details of 106 million of its customers and applicants. An IT worker has been charged with the theft, though the arrest hardly required an in-depth investigation since the stolen data was posted on a GitHub account belonging to the accused. The information was taken from Capital One's storage in Amazon's AWS cloud and, as Brian Krebs reports, Capital One may not have been the only major company affected, since the attack appears to have taken advantage of a known weakness described as far back as 2015. The charge sheet says the Tor network was used to reach Amazon's servers, something that should have rung loud alarm bells: an anonymity network is not where a bank's own systems normally call home from. Unlike many other companies, Capital One reacted relatively quickly to the breach, though it hasn't explained why 14-year-old credit card applications were still being retained and so were among the stolen data.
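
The "loud alarm bells" point above is, in practice, a detection problem: every AWS API call is recorded in CloudTrail with a sourceIPAddress, and that field can be checked against the Tor project's published list of exit nodes. The script below is an added example written for this digest, not code from Capital One, Amazon or the charge sheet. It assumes CloudTrail-style JSON records reduced to the fields the check needs; the exit-node list, the account ID 123456789012, the role names and the IP addresses are all constructed for the demonstration (the real exit list is roughly a thousand entries and changes hourly, so it should be refreshed on a schedule rather than baked in).

```python
"""Flag AWS API calls made from Tor exit nodes.

Added example, not code from the FFT digest or from any company it mentions.
It takes CloudTrail-style records (only the fields the check needs are kept)
and a Tor exit-node list, and reports every call whose source address is on
the list, grouped by the principal that made it. Both the exit-node list and
the events below are constructed for this demonstration.
"""
import ipaddress
from collections import defaultdict

# Constructed stand-in for a Tor exit list (one IP or CIDR per line, '#' comments).
# The real list is about a thousand entries and changes hourly: refresh it on a
# schedule rather than hard-coding it in the detector.
CONSTRUCTED_TOR_EXITS = """
# exit nodes (constructed, documentation ranges only)
198.51.100.7
198.51.100.23
203.0.113.0/28
"""

# Constructed CloudTrail-style events. Account ID and role names are invented.
ROLE_WEB = "arn:aws:sts::123456789012:assumed-role/web-role/i-0aaa"
ROLE_BATCH = "arn:aws:sts::123456789012:assumed-role/batch-role/i-0bbb"
CONSTRUCTED_EVENTS = [
    {"eventTime": "2019-03-22T10:15:02Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_WEB}},
    {"eventTime": "2019-03-22T10:15:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_WEB}},
    {"eventTime": "2019-03-22T10:16:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.4.15",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_BATCH}},
    # Calls made by an AWS service on the account's behalf carry a DNS name,
    # not an IP, in sourceIPAddress; the check must not choke on them.
    {"eventTime": "2019-03-22T10:17:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AWSService"}},
]


def parse_exit_list(text):
    """Turn an exit-node list into ip_network objects (single IPs become /32s)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_tor_exit(source, exits):
    """True if source is an IP address contained in any listed exit network."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False  # service principals and malformed fields are not Tor
    return any(ip in net for net in exits)


def flag_tor_access(events, exits):
    """Return the events whose source address is a Tor exit, in log order."""
    return [ev for ev in events if is_tor_exit(ev.get("sourceIPAddress", ""), exits)]


def principals_seen_from_tor(events, exits):
    """Map each principal ARN (or identity type) to the API calls it made via Tor.

    A role that normally acts only from inside the VPC appearing here is the
    strongest signal: credentials meant for a server are being used elsewhere.
    """
    by_principal = defaultdict(list)
    for ev in flag_tor_access(events, exits):
        ident = ev.get("userIdentity", {})
        who = ident.get("arn", ident.get("type", "unknown"))
        service = ev["eventSource"].split(".")[0]
        by_principal[who].append(f"{service}:{ev['eventName']}")
    return dict(by_principal)


if __name__ == "__main__":
    exits = parse_exit_list(CONSTRUCTED_TOR_EXITS)
    for who, calls in principals_seen_from_tor(CONSTRUCTED_EVENTS, exits).items():
        print(f"ALERT {who} made {len(calls)} call(s) from Tor: {', '.join(calls)}")
```

Run against the constructed events, the script reports the web role making two calls from exit-node addresses and stays silent on the internal batch role and on the service-initiated call. Matching on the principal rather than on individual events is deliberate: a single Tor hit from a human user with a VPN habit is noise, while an EC2 instance role turning up on Tor at all is worth waking someone for.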

Profitable sextortion

The extraordinary scale of 'sextortion' emails is revealed by security company, Symantec. In the first 5 months of this year, it says it blocked nearly 289 million emails designed to extort cash from victims. In many cases, the email contains a genuine password stolen in a previous data breach. That's used to lend credibility to the rest of the email, which claims the recipient's webcam has been hacked and used to record "intimate" activity. The price for keeping the footage secret: a few hundred dollars. Symantec says there was a spike in such emails around Valentine's Day. The threat is of course nonsense (the password came from an old breach, not from the recipient's machine), but the scam is estimated to be earning more than $1.2 million a year. Meanwhile, anti-phishing firm, KnowBe4, has warned about the risk of emails with 'LinkedIn' in the subject line. It says more than half of all social media-related phishing emails imitated LinkedIn messages.

Facebook Like 

Does your website use Facebook's 'Like' button? If it does, then you should read this week's judgement from the EU's top court. According to the European Court of Justice, you are a joint controller "in respect of the collection and transmission to Facebook of the personal data of visitors to its website." This means websites should seek the consent of EU users before their personal data is transferred to Facebook. That may not be as straightforward as simply changing a privacy notice because, at the moment, the transfer takes place automatically as soon as the page loads, whether or not the visitor ever clicks the button. The case originated in Germany, where the main technology industry association complained about "the enormous responsibility" being placed on thousands of website operators, from "small travel blog to online megastore". The judgement also raises questions about similar social plugins used by Twitter and LinkedIn, as well as tracking technologies such as Facebook Pixel.

Telegram flaw fixed

Instant messaging solution, Telegram, has released a fix after more than 1,000 accounts were hacked, including those of the Brazilian President and government ministers. The hack exploited a weakness in the process for adding a Telegram account to a new device. That process could send a one-time passcode via a voice call. Repeated failures to answer the call would result in it being diverted to the user's cellular voicemail account. The attacker would then try to access the voicemail using the carrier's default PIN which (as the number of successful attacks demonstrated) is often left unchanged. Telegram told ZDNet that it was now "only possible to request a code via call if your account is protected with two-step verification." We are firm believers in the value of two-factor authentication but, wherever possible, avoid solutions that deliver codes by phone call or text message: they are only as strong as the phone network and the voicemail box behind them, and are inherently less secure than an authenticator app or hardware token.

The mobile threat (again)

The security of mobile devices isn't sufficient to combat the threat against them, according to research from Crowdstrike. It says nation states and criminal organisations are targeting mobile devices because of the wealth of information they contain. This is just the latest such warning about the risks of smartphones and, particularly, of malicious apps which users continue to willingly install. This week, ESET researchers reported on a new family of ransomware designed for Android devices. Links to the malware were posted in online forums (mostly with pornographic references). Once installed, it sends text messages to all the user's contacts. This is the second week running we've covered this issue, but it would be hard to overstate the risk of installing unnecessary apps, particularly on Android devices. Only install apps from the official Play Store and, even then, be sceptical, research the program before downloading it and question what permissions it requests.

When to pen test

Penetration tests are undeniably useful, but analysis released this week supports our view that they're not necessarily the best place to start when securing an organisation. Penetration testers, Lares, looked at more than 50 assignments carried out this year and found (registration required) the top problems were: weak passwords, poor controls on file system permissions and a failure to install the patches that address the WannaCry/EternalBlue vulnerabilities. As Lares says, "Every single vulnerability described... can be avoided or eliminated through better cybersecurity hygiene practices." Indeed, the only relatively complex common issue involves the Windows Management Instrumentation (WMI) system; securing that depends on controlling who is allowed to connect to it remotely. Address these basics and look at the UK's official Cyber Essentials scheme. Then let the pen testers loose.

In brief

Out-of-date links on leading websites are being sold to digital fraudsters who use them to game the online advertising market. Buzzfeed says the New York Times, the BBC and the Guardian are among the sites that have been targeted.

Take care with QR codes. Dutch police are warning about an ingenious scam in which criminals offer a victim cash to scan a code to pay for parking. As Malwarebytes reports, the ruse is designed to steal user credentials.

Most of us fail to take adequate precautions when using WiFi hotspots, according to a survey commissioned by security firm, Bullguard. Don't make it easy for criminals; either use a Virtual Private Network (VPN) or stick to mobile data.

Apple is suspending its quality control programme which involved people listening to a sample of Siri responses. The decision follows a Guardian report that the programme had some unexpected results.

Researchers have demonstrated how to hack surveillance cameras so their output is replaced with fake footage. Forescout found 4.6 million vulnerable devices and urges users not to accept the default settings on internet-connected devices.

The Committee to Protect Journalists has updated its excellent Digital Safety Kit. It has useful advice not just for journalists, but for any technology user.

Police in Moscow are reported to have been ordered to remove any photographs showing their faces from social media sites. Baza says (in Russian) that the order follows threats against families of police.

Updates

Apple: A reminder about the importance of the latest update for iOS (12.4). This week, Google researchers revealed the update fixed 5 "interactionless" security issues in iMessage that could be exploited to run unauthorised code. At most, a user would need to open a specially-crafted message for the exploit to work; no further interaction was required. Exploit brokers would have been willing to pay up to $3 million for each of these issues. Details of a sixth issue have not been revealed because Apple's update doesn't provide a complete fix.

Apple: Supplemental update for macOS to address issue which meant some Macs failed to wake up after going into sleep mode.

G Suite: Google is extending its Advanced Protection Program to business customers. The initiative provides enhanced protection for users at high risk of attack by enforcing the use of hardware two-factor authentication keys. Google also announced new features in its G Suite security and alert centre which will provide alerts about any "anomalous activity".

Chrome: Restart Chrome to make sure the latest version is being used. Chrome 76 blocks Adobe Flash by default, blocks websites from detecting when Incognito mode is active, and fixes 43 security issues (5 rated High).

LibreOffice: Latest version is reported to be vulnerable to an issue which allows macros to be run silently when a document is opened. The issue was discovered in a feature called LibreLogo which users are advised to disable.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217