FFT news digest Oct 11 2019

A failure to react

A key part of producing this digest involves reading thousands of articles and tweets about cybersecurity every week, so we're confident in saying there is a seemingly unstoppable rise in cyber-related crime. Unfortunately, this rise isn't matched by an increase in people's awareness of online risks. This week, Europol’s 6th annual Internet Organised Crime Threat Assessment (IOCTA) warned that "cybercrime is maturing and becoming bolder" with ransomware remaining the top threat. Europol says combatting this trend can only be done holistically, "by combining prevention and awareness, and increasing cyber education and resilience." This will be an uphill struggle given various reports published this week which paint a depressing picture of cybersecurity ignorance and carelessness. According to them, most Americans don't recognise basic security concepts; most IT departments are failing to take basic security precautions; and internal user mistakes are responsible for 80% of security incidents. Something really does have to change. 

Nation states

Iran and Egypt have provided useful insights into how nation states spy on people and organisations they don't like. The Wall Street Journal reported (£) that the Egyptian authorities are combining cyber attacks with random searches of phones and laptops on the street. Check Point researchers found evidence that Egypt has also been using specially-developed Android apps to target journalists, politicians, activists and lawyers. The apps appeared in the official Play Store and promised useful functionality such as enhanced email security, but in fact their real purpose was to compromise the user's data. Meanwhile, Microsoft accused Iran of trying to hack the email accounts of hundreds of US politicians, government officials and journalists. While the techniques were simple, Microsoft warned the attackers used "a significant amount of personal information both to identify the accounts belonging to their intended targets and in a few cases to attempt attacks." Our routine advice is worth repeating: take care with apps, only download those you really need and only from the official Play Store. And see Securing Authentication below!

VPN warning

The US and UK have urged organisations using Virtual Private Networks (VPNs) from Fortinet, Palo Alto and Pulse Secure to make sure they are up to date. The UK's National Cyber Security Agency (NCSC) said it was investigating attempts to exploit known vulnerabilities to target both UK and international organisations. It also warned users of these VPNs to check for signs that they might have been compromised. Affected sectors include government, military, academic, business and healthcare. The issues would allow attackers to gather credentials to connect to the VPN with the power to make significant changes to it. The US National Security Agency says "multiple nation state actors" are carrying out the attacks. The agencies have useful information and advice on how to mitigate the threat and harden the products.

Securing authentication

Like a scratched record, you can catch us pretty much every day urging people to use multi-factor authentication (MFA) wherever possible. While not a magic bullet, MFA does make it significantly more difficult to steal login credentials. This week, Microsoft said attacks capable of defeating MFA are so rare that it doesn't even have figures for such incidents. But ingenious methods do exist so anyone facing an elevated level of risk should take appropriate precautions, including the use of a hardware key. The least secure method of MFA is to receive a text message with a one-time passcode (this is because it's relatively easy to subvert). But it's still better than nothing, which is why Twitter should be hanging its head in shame for using security phone numbers to target their owners with advertisements. Twitter apologised and said it happened "inadvertently".

Magecart

There is an epidemic of card-skimming affecting thousands of websites, according to researchers from RiskIQ. In a paper, they say the technique known as Magecart has infected more than 18,000 hosts, and in many cases the owners aren't aware they have been compromised. Magecart works by injecting malicious JavaScript into the payment process, which allows criminals to steal the data entered in online forms. The technique has been used against British Airways and Ticketmaster, but these are only the tip of an enormous iceberg. This week, it transpired that criminals managed to compromise the infrastructure of Volusion, a provider of cloud-hosted online stores, and steal customers' payment card details. Modern websites are enormously complex and inevitably involve running third-party code. It's essential to verify this code using solutions such as Content Security Policy (CSP) and Subresource Integrity (SRI).
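As an added illustration of the SRI half of that advice (our own example, not taken from any of the reports above), the Python sketch below audits a page's third-party script tags: it flags any without an `integrity` attribute and reports when the code currently being served no longer matches the pinned hash. The host names, page markup and script bodies are constructed sample data, and the `fetched` dictionary stands in for scripts retrieved separately.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Return the SRI integrity string (alg-base64digest) for a script body."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def audit(page_html: str, own_host: str, fetched: dict) -> dict:
    """Classify each third-party script as 'ok', 'missing-sri' or 'mismatch'.
    `fetched` maps script URL -> bytes currently served (assumed input)."""
    collector = ScriptCollector()
    collector.feed(page_html)
    findings = {}
    for src, integrity in collector.scripts:
        if urlparse(src).hostname in (None, own_host):
            continue  # first-party script, not covered by this check
        if not integrity:
            findings[src] = "missing-sri"
            continue
        # Simplification: browsers use the strongest algorithm listed;
        # here any listed hash that matches is accepted.
        ok = any(sri_value(fetched[src], h.split("-", 1)[0]) == h
                 for h in integrity.split())
        findings[src] = "ok" if ok else "mismatch"
    return findings

# Constructed sample data: a pinned library and a tampered copy of it.
GOOD_JS = b"function pay(form){ return submit(form); }"
TAMPERED_JS = GOOD_JS + b";/* injected code would sit here */"
PAGE = f'''<html><body>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js" integrity="{sri_value(GOOD_JS)}" crossorigin="anonymous"></script>
<script src="https://widgets.example/chat.js"></script>
</body></html>'''
```

A "mismatch" result is what a browser enforcing SRI would refuse to run; a "missing-sri" result is a script the browser will run whatever it contains, which is where a CSP that restricts script sources still limits exposure.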

A router is not forever

Routers are the Cinderellas of the tech world, left in a corner to gather dust until they go wrong. This is a problem on many levels. First, we don't update the software that they depend on. Second, too often we don't change the administrator password (which can often be found with a simple web search). And third, they don't make enough money for manufacturers to provide ongoing support for them. But routers are fundamental to our internet connectivity and so attackers are constantly looking for ways to compromise them. Fortigate has found a fundamental flaw in a range of D-Link devices (DIR-655, DIR-866L, DIR-652, and DHP-1565 models). D-Link was informed and responded that the routers were no longer supported so the issue would not be addressed. One of the models dates back to 2009, but at least one is still on sale. The moral is to check what support is available before choosing a model. If you own a device for which updates are no longer available, the only safe option is to buy a new one.

In brief

Encrypted messaging app, Signal, has fixed a serious bug that could have turned an Android device into a listening device. The issue, found by Google's Project Zero, was similar to one that affected Apple's FaceTime app. WhatsApp has also addressed an issue that meant it could be compromised by a malicious GIF.

Relatively sophisticated phishing emails have been targeting Amazon Web Services (AWS) users - including us! The messages either pretend to be from AWS Support or warn that the account has been suspended. They're convincing. Bleeping Computer has more details.

The UK's Cyber Essentials scheme is being changed, with a single accreditation body replacing the 5 current ones. The change will take effect on 31 March 2020 in what is described as a bid to make it simpler.

Multiple security vulnerabilities have been found in Cobham's EXPLORER 710 BGAN satellite terminal. Researchers at Carnegie Mellon University say the issues could allow attackers to execute commands remotely.

California has outlawed deepfake videos in connection with politics and pornography. Meanwhile, a study has found the vast majority of deepfakes are pornographic in nature, and they exclusively target women.

Protect your laptop. A supplier working with New Zealand's Commerce Commission didn't and when the device was taken in a burglary, years of confidential data was stolen with it. The provider is no longer a supplier.

Instagram is rolling out a new security feature to make it easier to spot phishing attempts. “Emails from Instagram” allows you to check all legitimate emails sent by Instagram over the last 14 days.

A serious vulnerability in Drupal was patched last year but is still being used to attack high-profile websites. Akamai says the content management system is being exploited through malicious .GIF files.

Updates

Apple: Not surprisingly, the major macOS update ('Catalina') has been causing frustration for many users. Many have found the update stalls on the "Setting up your Mac..." screen. The solution appears to be to wait 30 minutes and, if nothing is happening, to turn the machine off and on again. Adobe users may find older software versions don't work. That's because Catalina only supports 64-bit apps and so the only option is to update the older versions. (This will usually involve replacing a perfectly good application that has already been paid for with one that has an annual subscription.) Users of some older Macs will find they can't upgrade to Catalina anyway because it requires a specific graphics processor. You can check your device compatibility here. Catalina marks some major design changes in macOS which not everyone is enthusiastic about. Do note though that it also includes some important security updates.

Final Cut Pro: Apple's latest FCP X update is designed to take advantage of the 'Metal' graphics capability and speed up processor-intensive tasks.

Android: Important updates which address 26 vulnerabilities, including one rated 'Critical' which could allow a device to be taken over remotely. Samsung has also released updates for specific issues with its devices.

Microsoft: Monthly update addresses 59 issues in Windows, Edge, Office, and Azure. Enterprise and education users should note this month marks the last set of security updates for Windows 10 version 1703 (the Creators Update).

Internet Explorer: New patches released following problems with previous ones. There have been reports of problems with the new set as well.

Opera: Opera 64 includes a new feature to block trackers and speed up browsing.

VeraCrypt: version 1.24 includes several important security enhancements.
VeraCrypt does not support automatic updating so the latest client version needs to be downloaded and installed manually.

SAP: seven new security notes, with two rated Hot News (Critical).
