FFT news digest Sep 20 2019

Unsafe home

Many popular small office and home office devices are vulnerable to remote attacks, according to research from Independent Security Evaluators. The routers and network attached storage devices include solutions aimed at the general public as well as more sophisticated enterprise-grade units. 13 devices were evaluated and all of them were found to have at least one vulnerability that could be used to establish remote access. Six of the devices could be exploited remotely without authentication. The researchers reported their findings to the appropriate manufacturers. Some responded promptly. They're still waiting to hear from others. We believe these types of vulnerabilities are some of the most worrying for any organisation (or home) and manufacturers must improve their systems. In the meantime, if updates are available it's essential to install them and if your router has a default password, make sure you change it to something secure.

Privacy. What privacy? 

The devices we let into our homes are spying on us to a remarkable extent, according to research published this week. The researchers from Northeastern University and Imperial College London analysed 81 devices in the UK and the US and found 71 of them were sending information to a destination other than the manufacturer. Among the worst offenders were smart TVs which were found to be transmitting sensitive, private user information to companies including Google, Facebook, and Netflix, potentially without the knowledge or consent of users. The companies involved included Samsung, Apple, and LG, as well as streaming devices such as Amazon's FireTV and Roku. Meanwhile, a security engineer has uncovered the extraordinary appetite for data of HP printers. Robert Heaton found the printer he was setting up for his in-laws came with a privacy policy that made clear it was gathering "metadata about your devices, as well as information about all the documents that you print, including timestamps, number of pages, and the application doing the printing."  

Attacking SecureDrop

SecureDrop provides a way for whistleblowers to communicate safely with media organisations so it's probably not surprising that someone tried to attack The Guardian's implementation of it. A researcher discovered a phishing page that was designed to collect the unique "codenames" for sources who submitted information using the service. The page also promoted an Android app that enabled attackers to take control of many of the device's essential functions. The app purported to hide the user's location but in fact it would allow an attacker to capture voice calls, read contacts, read, write, and send SMS texts and access a user's location. Solutions like SecureDrop are an obvious target for attackers and it's vital to create procedures to identify fake sites and warn potential users to check the site they are using.

Amazon

Amazon's annual revenues ($72.4 billion) would make it the 69th largest economy in the world (by GDP) but a report in the Wall Street Journal suggests it would like a higher position. According to insiders, last year Amazon altered its search algorithm to give more prominence to listings that earned it more money. Amazon has always insisted that the only criteria driving search results are relevance, price and popularity. Initially, Amazon didn't deny the report. Eventually, it took to Twitter to say, "We have not changed the criteria we use to rank search results to include profitability. We feature products customers want, regardless of whether they are our own brands or products offered by our selling partners." We suspect this will not be the last we hear of this.

Credential stuffing

We often cite credential stuffing as an example of why it's dangerous to re-use passwords. Now a report from Akamai illustrates the scale of the problem. Over an 18 month period, it says it saw 61 billion credential stuffing attempts. Credential stuffing involves automatically trying out combinations of stolen usernames and passwords until a working pair is found. Sophisticated automation simplifies the process and leads to the enormous figures produced by Akamai. Its report says the media, technology and entertainment sector is a key target, accounting for 35% of attacks. "Our analysis indicates these three verticals are a stable and consistent attack source for two reasons: personal and corporate data. The targeted brands are household names, and criminals are looking to capitalize on that familiarity," the report says. Our advice remains to take the least worst option and use a password manager and 2-factor authentication.
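The attack pattern described above (many stolen username/password pairs tried automatically, almost all failing) is also what makes it detectable on the defender's side. The following is an added example, not part of the digest or Akamai's report; it assumes a constructed login-log format of "timestamp source_ip username result" and flags sources that try many distinct usernames with a very low success rate, reporting the accounts that did log in so their re-used passwords can be reset.

```python
"""Credential-stuffing detection over web login logs (added example).

Assumed log format (constructed, not from any real product):
    <timestamp> <src_ip> <username> SUCCESS|FAIL
A legitimate user who forgets a password retries ONE username a few
times; a stuffing run cycles through MANY usernames with mostly failures.
"""
from collections import defaultdict

# Constructed sample: one stuffing source (198.51.100.7, an RFC 5737
# documentation address) and one genuine user mistyping a password.
SAMPLE_LOG = """\
2019-09-20T10:00:01Z 198.51.100.7 alice FAIL
2019-09-20T10:00:01Z 198.51.100.7 bob FAIL
2019-09-20T10:00:02Z 198.51.100.7 carol FAIL
2019-09-20T10:00:02Z 198.51.100.7 dave FAIL
2019-09-20T10:00:03Z 198.51.100.7 erin SUCCESS
2019-09-20T10:00:03Z 198.51.100.7 frank FAIL
2019-09-20T10:00:10Z 203.0.113.9 grace FAIL
2019-09-20T10:00:15Z 203.0.113.9 grace FAIL
2019-09-20T10:00:22Z 203.0.113.9 grace SUCCESS
"""


def summarise(log_text):
    """Per source IP: total attempts, distinct usernames tried, successes,
    and the set of usernames that actually logged in."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0,
                                 "users": set(), "hits": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "SUCCESS":
            s["successes"] += 1
            s["hits"].add(user)
    return stats


def flag_stuffing(log_text, min_users=5, max_success_rate=0.2):
    """Return {source_ip: [compromised usernames]} for sources whose
    behaviour matches credential stuffing. Thresholds are assumptions
    to tune per site. Flagged hits are accounts whose re-used password
    worked and should get a forced reset plus 2-factor authentication."""
    flagged = {}
    for ip, s in summarise(log_text).items():
        rate = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = sorted(s["hits"])
    return flagged
```

Here the stuffing source is flagged with "erin" as the compromised account, while the genuine user retrying one username is left alone.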

Facial recognition

A cross-party group of MPs in the UK has called for an immediate stop to live facial recognition surveillance by police and a halt to its use in public places. The joint statement was signed by 14 MPs and supported by 25 rights and technology groups including Big Brother Watch, Amnesty International and the Ada Lovelace Institute. So far, experiments with facial recognition have been underwhelming. In several cases, not only did the technology not result in any arrests, it also proved adept at producing false matches. In the US, a different sort of recognition system (for vehicle number plates) has provided a vivid illustration of how this type of technology can be used. Vice News says the number plate database is built up from images gathered by companies and individuals, and is used by insurance companies and debt collectors. It's reported to have 9 billion scans in it.

In brief

WhatsApp's handy ‘Delete for Everyone’ feature may not actually delete everything. A researcher found that, even after deleting messages, media files sent to iPhone users in group chats (with ‘Save to Camera Roll’ enabled) would remain on the device.

Ecuador has a population of roughly 16.6 million. Researchers found a database online and unsecured. It contained 20.8 million personal records, almost all of them related to Ecuadoreans. The executive of a data analytics firm has been arrested.

Medical images and health data about millions of people are being stored on the web without any protection. ProPublica reports that the records include X-rays, MRIs and CT scans mostly belonging to US patients.

The UK Conservative Party has demonstrated that Facebook still allows advertisers to alter the headlines of news stories on pages which include paid adverts. As CBC reports, a BBC online report had its headline changed to contradict what the article actually said.

Penetration Testing is a rich source of horror stories because of the less than professional standards exhibited by some of its practitioners. 'Pen Testing' is supposed to test an organisation's security, often by employing methods that would be illegal if they weren't authorised. Clearly something went wrong in Iowa, where a couple of pen testers ended up in jail. If you're planning a pen test, this story is worth reading.

Police are planning a campaign to warn parents to look out for signs that their children are being targeted by gangs to help launder money from crime. The Times (£) reports that children as young as eight are handing control of their bank accounts to gangs.

Updates

Apple: the latest major release of Apple's operating system for iPhones and iPads has landed. iOS13 brings a host of new features but it also has at least one significant issue (that could allow someone to bypass the lockscreen and view contacts). Apple says an update (13.1) will be released on Sept 24 so, although keeping devices and software up-to-date is critically important, we'll be waiting until then to make the jump. Also, as you may have seen already, the update will only work with iPhone models from the 6S onwards.

Microsoft: has been having a torrid time with Windows updates:

- It's released an update for Windows 10 1903 to fix a bug that could cause USB Audio 2.0 microphones to stop working.
- It's admitted that Windows 10 1903 could cause some network adapters to stop working (the workaround is to enable the device every time you reboot the computer).
- And it's working on a fix for a problem with Windows Defender which means the antivirus program gives up after scanning a few files.

LastPass: New version addresses bug that could be used to steal credentials of the last website logged into with LastPass's Chrome and Opera extensions.

SecureDrop: Version 1.0.0 released. Includes significant updates to web-based Source Interface and Journalist/Admin Interface. Also resolves longstanding (and aggravating) issues with deletion of encrypted submissions. 

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217