FFT news digest Feb 21 2020

A costly email

One email and an apparent failure to check was all it took for the government of Puerto Rico to lose more than $2.6 million. AP quotes the island's Industrial Development Company as saying the money was transferred after receiving an email advising a bank account had been changed. This type of fraud (known as Business Email Compromise) is a huge business which the FBI says resulted in $3.5 billion of losses last year. If your organisation hasn't experienced this type of attack yet, it's just a matter of time before it does. It's essential to have a clear policy that governs payment requests and any changes involving financial information. This should require confirmation that the request is genuine - and that involves using a trusted communications channel that means you're sure you're talking to the right person.

The Brexit effect

As the EU and the UK trade colourful slides about their future relationship, Google has confirmed it will move its British users' accounts from EU to US jurisdiction. The decision, originally reported by Reuters, will radically reduce the protections available to users, and will make their data more accessible to British law enforcement agencies. In a statement, Google said "the protections of the UK GDPR will still apply." The UK GDPR is actually the Data Protection Act 2018 which implemented the EU regulation in British law and which isn't expected to change during this year's transition period. But the future is less clear. Despite the UK having been a leading force in formulating the GDPR, the UK data protection regulator's current advice is to wait and watch in case the issue is caught up in the rest of the negotiations between the EU and the UK about their future relationship. If you're interested in the GDPR, an invaluable digest has been launched that tracks decisions from regulators as they're announced.

Honeypot

The lure of the honeypot is reliably irresistible, at least among members of the Israeli Defence Force. Three years after a similar attack, the IDF said some of its members were taken in by one of the oldest tricks in the book. It said members of the Hamas Palestinian group set up social media accounts and pretended to be teenage girls. If soldiers engaged in conversation, they would be promised more photos as long as they installed a chat app. Once on their phone, the app would appear to crash and delete its icon while actually continuing to run in the background and stealing data from the device. The IDF says the attack was foiled before any information could be stolen. The Hamas tactics are typical of this sort of campaign - and they are often very effective. Setting up a fake social media account is trivially easy so the well-worn advice to be careful with friend requests still holds true. Even if you're not in the military.

Twitter spies

Imagine if you could get your hands on the confidential information that a social media company has. Saudi Arabia allegedly did and, according to US court documents, decided to access it by bribing a couple of Twitter employees. A detailed report by Buzzfeed says Saudi Arabia was not alone. It quotes an unnamed source as saying, "US, UK, and Israeli security agencies pressed employees of Twitter’s media team for private information." This is why we don't advise trusting social media companies with confidential information. Given their huge size, it's practically impossible to be certain that no-one is accessing information without permission. And it's why we recommend Signal over WhatsApp for secure messaging. WhatsApp - and its Facebook parent - may not be able to read the content of your messages, but it does know everything else about your communications. And that is almost as valuable as the content itself.

Hunting hacks

A revealing article by the Financial Times' head of cybersecurity illustrates the scale of the threat journalists face from government surveillance. Writing in the Columbia Journalism Review, Ahana Datta describes how a group of reporters had been working on an investigation into spying on journalists and human rights activists in an unnamed Middle Eastern nation. The five reporters said they had all received mysterious WhatsApp calls from unrecognised numbers. "Afterward, their phone battery had drained quickly. And they were sometimes unable to end other calls, because the screen seemed to freeze." There followed months of "relentless and sophisticated attacks," Datta says. And it's not just government actions; "Private companies...seem to be catching up." Datta gives the example of someone caught pointing a laser microphone at the newspaper's editorial floor from the other side of the River Thames. As an overview of surveillance threats, the article is well worth a read.

Stalkerware

One in ten Americans say they have used an app to monitor an ex or current partner's text messages, phone calls, emails, photos and social media activity, according to a survey by NortonLifeLock. Nearly the same number admitted to having created a fake profile to check up on people on social media. Stalkerware is a growing problem and last year a group was formed to try to combat it. The Coalition Against Stalkerware warns that there are hundreds of easily available apps that “intentionally or unintentionally facilitate intimate partner surveillance, harassment, abuse, stalking, or violence.” The solutions have multiplied in recent years, reducing their cost and increasing their functionality. The University of Toronto's Citizen Lab has a detailed report on the subject. It makes for sobering reading.

In brief

Do take care with the extensions/plugins you add to your browser. Google has just removed more than 500 from the Chrome Web Store after they were found to be filching data. For a detailed look at how these shady extensions work, Robert Heaton has a post on a YouTube 'helper'. Google has also banned nearly 600 Android apps from its Play Store for "disruptive advertising."

A new email scam seeks to extort money from website owners by threatening to have them banned from Google's AdSense platform by flooding them with suspicious traffic. KrebsOnSecurity

An extraordinary rise in the number of phishing links on WhatsApp. The last quarter of 2019 saw an increase of 13,467% over the previous 3 months. We have been warned. Vade Secure

Apple will enforce a limit on the validity of new HTTPS certificates from September. Its Safari browser will reject any that expire more than 13 months from the date they were created. DigiCert

Carnegie Mellon researchers have created an app to tell you what Internet of Things devices are around you - and what they're up to. "People need to be informed about what data is collected about them and they need to be given some choices over these processes," Professor Norman Sadeh said. Carnegie Mellon

Lenovo and Dell laptops are among devices affected by security risks caused by unsigned firmware. The vulnerability is difficult to exploit, but nothing has been done to address it, even though it has been known about for at least 5 years. Eclypsium

The Coronavirus epidemic continues to be exploited by criminals. The World Health Organisation has warned that "Criminals are disguising themselves as WHO to steal money or sensitive information." WHO

Owners of Microsoft Surface Laptop 3 devices say screens are cracking with no apparent cause. Microsoft says it's investigating. Bleeping Computer

Personal details of more than 10.6 million MGM Resorts guests have been posted for sale on a hacking forum. Information includes full names, home addresses, phone numbers, emails and dates of birth. ZDNet

Researchers used a piece of masking tape to make Tesla cars accelerate by 50mph. All they had to do was stick the tape on a speed limit sign which made the car's autonomous driving system think it read 85mph, not 35mph. McAfee

Updates

Windows 10: Lots of unhappy Windows 10 users after problems caused by a security update (KB4524244) and Adobe Creative Cloud. The security update has been withdrawn and Adobe users are advised to turn the tool off.

Firefox: Version 73.0.1 fixes crash problems on Windows and Linux.

SonicWall: Reminder to check security updates for Secure Mobile Access and Secure Remote Access after a researcher found serious vulnerabilities.

Ring: Mandatory 2-factor authentication is being introduced for account logins. Its competitor, Google's Nest, did likewise last week.

Cisco: Fixes for 17 vulnerabilities. 1 critical (Smart Software Manager), 6 high-risk.

Adobe: Security updates for After Effects and Media Encoder.

SecureDrop: Version 1.2.1 released.
