FFT news digest Jan 17 2020

Fixing the unfixable

There's a horrible familiarity about the threats facing organisations and individuals this year but, as Travelex has amply demonstrated, that doesn't mean enough is being done to combat them. More than two weeks after a ransomware attack, its website remains down (apart from a message of explanation). The attack is believed to have exploited vulnerable Pulse VPN servers, which Travelex was warned about last September. This week, agreement was reached on nearly $3.4 billion to be paid by credit reference agency Equifax following the breach it experienced in 2017. It too ignored a warning about vulnerabilities in its systems. This is clearly not a sustainable situation and The Register website suggests a solution involving a compulsory bug bounty backed up by regulatory force. Vulnerabilities would be communicated to the organisation and regulator at the same time. Whoever found the issue would be paid a reward and the organisation would receive a small fine. Failure to address the issue would result in the vulnerability being published and a much larger fine.

Encryption wars

Let's cut through the nonsense being spouted by US officials who are pressuring Apple to unlock a phone belonging to a suspect in last year's shooting at a Florida naval base. As Forbes has reported, there's little doubt US law enforcement has tools capable of accessing data on even the most recent iPhone models. If those tools don't work, there's nothing Apple can do to help. But that's not the point. The sound and fury being whipped up by Attorney General William Barr and President Trump are part of a concerted effort to force technology companies to provide governments with backdoors into consumer technology. So far, Apple has stood firm, saying it had "provided information including iCloud backups, account information and transactional data for multiple accounts...We have always maintained there is no such thing as a backdoor just for the good guys."

Cookie consent

Most of the UK's top 10,000 websites are tricking users into accepting cookies, despite this being in breach of the EU's General Data Protection Regulation (GDPR), according to an academic study. Researchers from US and European universities found that only 11.8% met the GDPR's minimal requirements. Of the EU websites they examined, 32.5% were using "implied consent", something specifically prohibited by the GDPR. “The results of our empirical survey...illustrates the extent to which illegal practices prevail, with vendors turning a blind eye to - or worse, incentivising - clearly illegal configurations of their systems,” the researchers said. So far there has been little action by regulators to address the issue. “Enforcement in this area is sorely lacking,” the researchers added.

Adtech "out of control"

In another challenge to European regulators, Norway's Consumer Council has accused the online advertising industry of systematically violating the GDPR by sharing personal data and tracking users without their consent. In its report, the Council provides a comprehensive overview of how we are tracked and profiled as we move around the internet and the real world. The report says popular dating apps like Grindr, OKCupid and Tinder are revealing sensitive user information to advertising and marketing companies, and described the industry as being "out of control". "20 months after the GDPR has come into effect, consumers are still pervasively tracked and profiled online and have no way of knowing which entities process their data and how to stop them," the report concludes. For regulators, the Council's findings make for a challenging read. We wait to see whether they do anything about them.

Tell tale

Psychology lies at the heart of attempts by criminals and other malefactors to overcome our natural suspicion. A key tool in their arsenal is a phenomenon discovered in the 1990s dubbed "inattentional blindness." This is best demonstrated by an experiment in which people were asked to watch a video of a basketball being passed around and count the number of passes made by people in white shirts. Halfway through, someone in a gorilla suit wanders into shot. In tests at Harvard University, half the viewers were so fixated on the basketball they completely missed the 'gorilla'. The same process is used on fake websites, according to IronScales. Malicious copies are relatively easy to recognise, but people miss the signs because they're not looking for them. Our view is that life is too short to look for the gorilla and it's better to never click on a link in an email to do something important like change a password. Just type the address into the browser instead.

Conversation hijacking

Criminals are increasingly worming their way into ongoing email conversations in order to steal money or sensitive information. Conversation hijacking involves joining real business email threads by exploiting stolen credentials and pretending to be one of the group. Barracuda Networks says it has seen a sharp rise in the creation of fake domains which are set up to support the tactic. The lookalike domains are used to send emails so compromised users aren't alerted by unexpected sent messages. Defeating the tactic relies on effective awareness training, protecting accounts with multi-factor authentication and monitoring email systems for unusual activity such as logins from unexpected locations or IP addresses.
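As an added illustration of the monitoring side (not code from the digest or from Barracuda), the check below flags sender domains that impersonate a known correspondent through homoglyph swaps, dropped hyphens or a one- or two-character change. The trusted domains, the homoglyph table and the sample message headers are all constructed for the example.

```python
# Added example: flag lookalike sender domains in email header records,
# the kind of check a defender runs when watching for conversation hijacking.
# TRUSTED_DOMAINS and all sample addresses are constructed, not real data.
TRUSTED_DOMAINS = ["example-partner.com", "acme-supplies.co.uk"]

# Character swaps commonly seen in lookalike registrations (constructed table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(domain: str) -> str:
    """Lower-case, drop a leading 'www.', fold homoglyphs and strip hyphens so
    that visually similar domains collapse to the same string."""
    d = domain.lower().strip().removeprefix("www.")
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d.replace("-", "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, iterative row-by-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(sender_domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted' for an exact match, 'lookalike' if the normalized domain
    is within two edits of a trusted one, else 'unknown'. The threshold of 2 is
    a tuning choice; very short domains will need a tighter one."""
    if sender_domain.lower() in trusted:
        return "trusted"
    n = normalize(sender_domain)
    for t in trusted:
        if edit_distance(n, normalize(t)) <= 2:
            return "lookalike"
    return "unknown"

def flag_messages(headers):
    """headers: iterable of (message_id, from_address). Return the ids whose
    sender domain is a lookalike of a trusted correspondent."""
    return [mid for mid, addr in headers
            if classify_sender(addr.rsplit("@", 1)[-1]) == "lookalike"]

if __name__ == "__main__":
    sample = [("m1", "cfo@example-partner.com"),      # genuine correspondent
              ("m2", "cfo@exarnple-partner.com"),     # 'rn' for 'm'
              ("m3", "billing@examplepartner.com"),   # hyphen dropped
              ("m4", "someone@gmail.com")]            # unrelated sender
    print(flag_messages(sample))  # ['m2', 'm3']
```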

In brief

High-risk Google users can now use iPhones to enrol in its Advanced Protection Program, rather than needing a separate hardware key. The program makes it very difficult to attack Google accounts successfully. The announcement coincides with a Google survey that found poor security habits among many high-risk users, particularly journalists. Google

Beware of Google Search results that take you to fake Amazon support sites and tech support sites. Bleeping Computer

A cheap smartphone subsidised by the US federal government turns out to have two pre-installed malicious software programs. They're notorious, Chinese, and can't be deleted. Malwarebytes

Scammers have been targeting people with Google Nest security camera footage as part of a widespread 'sextortion' campaign. Mimecast has already found almost 1,700 examples this year, most in the US. Computer Weekly

Facebook launched a new feature to notify users whenever their account is used to log into a third-party app or website using their Facebook account. Facebook

The UN has been targeted with a specialised phishing attack impersonating Norway's Permanent Mission. Bleeping Computer

Experienced the joy of an online interview using Artificial Intelligence that analyses your facial expressions to decide whether you're the right fit? If not, it won't be long. The secret of success, according to a South Korean careers consultant, is to "smile with your eyes." Reuters

Updates

Microsoft: This is one not to miss... Monthly set of updates includes a fix for a serious issue in Windows 10 and Windows Server 2016/19. The bug was reported by the US National Security Agency and affects the Windows default cryptographic library. In practical terms, it means that an attacker could spoof the digital signature of a specific piece of software and make malicious software look like a genuine program. It could also allow encrypted (HTTPS) web communications to be subverted. The updates address 48 other issues, eight rated "critical".

Windows 7: Last update. It's time to bid farewell to Win7. You can get a free upgrade by downloading a copy of Windows 10 here.

Citrix: Application Delivery Controller (ADC) and Citrix Gateway continue to be vulnerable to attack and the Dutch National Cyber Security Centre has advised organisations to consider turning off servers until a patch is available. Citrix mitigations are not effective on older versions of ADC.

Edge: Microsoft officially released its new Chromium-based Edge browser. Powered by the same engine as Google Chrome, it looks much the same though lacks some of its functionality. Windows and Mac users can download and install it manually; automatic updates will start rolling out for Windows users next week. Enterprise customers won't be updated automatically.

WordPress: Updates for two WordPress plugins (WP Time Capsule and InfiniteWP) which are used on more than 320,000 websites. Vulnerabilities in them could be exploited to gain administrator control. Details from WebARX.

Cisco: Reminder to update Data Center Network Manager for Nexus switches; researcher has published details of three critical issues that could enable authentication to be bypassed.

Oracle: Patches for 334 vulnerabilities (yes 334) across all product families. 43 are rated critical/severe.

SAP: Six bug fixes and one update to an earlier notice. Most important is a vulnerability in the Rest Adaptor of SAP Process Integration.

VMware: Version 11 of VMware Tools fixes an issue that could allow users to escalate their privileges.

Adobe: Updates for Illustrator CC and Experience Manager

Apple: Replacement programme announced for some Smart Battery Cases which fail to charge, charge intermittently, or fail to power their device. Affects XS, XS Max and XR.

Thunderbird: Version 68.4.1 provides an automatic update from Thunderbird version 60 (version 68.4.0 was skipped).

Tails: Version 4.2.2 is an emergency release to fix a critical security vulnerability in Tor Browser.

Zimbra: Patch 6 for the Zimbra 8.8.15 “James Prescott Joule” GA release

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217