FFT news digest Feb 28 2020

Mobile insecurity

Mobile devices are a key element of most organisations' working life, but they also represent a growing security risk. Verizon's 2020 Mobile Security Index found that the number of organisations experiencing a security compromise from mobile and internet-connected devices rose by nearly a fifth to 39% in 2019 compared with the previous year. Despite the risks, 43% of those surveyed said they had sacrificed mobile security for speed, convenience and profitability, or because of budget constraints and a lack of expertise. Most of the compromises originated in messaging, social networks, gaming and other apps, with email accounting for only 15% of incidents. The impacts were far from trivial: 59% of organisations experienced downtime and 56% experienced data loss. The use of mobile devices is unavoidable, but effective training and security measures are essential if their risks are to be mitigated.

WiFi vulnerable

At least a billion computers, phones and other devices are vulnerable to a flaw in their WiFi chips which could allow an attacker to eavesdrop on the data flowing through them, according to research by ESET. The vulnerability, dubbed Kr00k, could be exploited to take snapshots of the data, as if a device were on an open, unsecured WiFi network. An attacker would have to be within range of the network to carry out an attack, and ESET says a target might notice their WiFi being disrupted. But this type of attack would lend itself to being used in public locations, such as airports, hotels and coffee shops. Protection involves making sure devices are kept up to date, with patches being applied as soon as they're available. In the meantime, it's worth remembering that it's good practice to use HTTPS and VPNs to ensure as much network traffic as possible is encrypted. The issue affects a wide range of hardware, including iPhones from model 6 onwards, Amazon Kindles and Echos, and Google devices, among others.

Browser privacy

A study into the privacy afforded by web browsers reveals that it's in vanishingly short supply, unless you use a specific solution. Douglas Leith, professor of computer systems at Trinity University, Dublin, examined six of the most popular browsers (Chrome, Firefox, Safari, Brave, Edge, and Yandex). The aim was to work out whether the browsers could track the user's IP address over time, and whether they leaked the browsing history. Brave afforded the most privacy, perhaps not surprising as its key focus is privacy. Safari, Firefox and Chrome were next, with Edge and Yandex sharing the wooden spoon. Brave came top because it uses 'ephemeral' or temporary identifiers which don't persist when the browser is restarted. Browsers are such an integral part of online life that they have access to an astonishing amount of information about us. If you're concerned about the ability of organisations to exploit this, you might want to look at Brave. And definitely restart your browser regularly.

Passwords

IT security experts are well aware of what effective password security involves, but they fail to implement it because it's too difficult or too inconvenient to use. A report from Yubico and the Ponemon Institute describes the well-documented reality that password reuse is rife, especially among IT professionals. “IT professional or not, people do not want to be burdened with security — it has to be usable, simple, and work instantly,” Stina Ehrensvärd, CEO and Co-Founder, Yubico, said. “For years, achieving a balance between high security and ease of use was near impossible, but new authentication technologies are finally bridging the gap. Organizations can do far better than passwords; in fact, users are demanding it.” This week the FBI issued guidance on password best practice. Our own guide is here. Meanwhile, NASA has been working on an authentication solution based on heartbeats (which are unique to each individual). There is no shortage of solutions that use biometric data, most of which turn out to be vulnerable to attack. Perhaps NASA's will be different.

Covid-19

As Covid-19 makes steady progress across the world, governments have been quick to harness the latest technology in the fight against it. Moscow's city government is reported to be using the city's widespread facial recognition system to track individuals subject to quarantine. In one case, surveillance footage showed a woman who had returned from China leaving her apartment and meeting friends outside. The authorities used the footage to track down the taxi driver who had taken her home from the airport. In China, strict controls are being reapplied to the use of VPNs to access the open internet (something it does regularly at key national moments). Equally unsurprisingly, a developer says China has told it to withdraw a popular game from sale. It's called Plague Inc. and is based on the spread of a deadly virus across the world.

Magecart

At least 40 more websites have been attacked by a notorious group behind a campaign to steal financial information as users carry out purchases. Researchers blame Magecart 12 for the campaign, which is designed to harvest card details from e-commerce sites. The affected sites appear to be small to medium-sized organisations of the sort that may not have the resources needed to defend against the attacks. If you operate a website with an e-commerce element, it is essential to assume that you will be attacked at some point. To protect yourself (and your customers), ensure your operating system and content management system are completely up to date. Then use a Content Security Policy to make sure that scripts are only allowed to run from the specific domains you have approved. Applying Subresource Integrity means that each script loaded on the site is checked against a cryptographic hash, so the browser only runs the exact file you approved.

In brief

New guidance from the UK cybersecurity agency, the NCSC, emphasises the importance of offline backups as a protection against the impact of ransomware. The recommendation comes after victims found out too late that their backups were encrypted because they were connected to their networks. NCSC

The European Commission has told its staff to move to the Signal messaging platform in an effort to improve security. It doesn't mean encrypted email will be abandoned, only that Signal will be used for "public instant messaging." Politico

Private WhatsApp groups are not as private as you might think. It turns out Google has been indexing invite links that have been posted publicly on the internet (hardly surprising, as that's how Google works). WhatsApp could prevent them being indexed, and seems to have started doing so, but we suggest admins take care over who can access group invites. Vice

Multi-national sports retailer, Decathlon, has leaked more than 123 million records because of a cloud server that wasn't secured properly. Its annual turnover exceeds €11 billion. Under the GDPR, this may turn out to be an expensive mistake. vpnMentor

Hacking for nefarious purposes is big business, but so is its ethical cousin. Bug bounty platform HackerOne connects companies with researchers who will identify security flaws. Last year, ethical hackers earned a record $40 million. HackerOne

A note of caution about the way the clipboard works on iPhones and iPads. Any app can see what you copy to the clipboard (which, as Apple points out, makes pretty obvious sense). But the feature could be exploited by an unscrupulous or malicious developer to access sensitive information. Mysk

Apple is notoriously protective of its reputation, so perhaps we shouldn't be surprised to learn that it refuses to allow its iPhones to appear in the hands of movie villains. As The Last Jedi director pointed out, this may be something of a spoiler in mysteries since all you need to do is spot the people without an Apple device. Vanity Fair (video)

Updates

Exchange: Attackers have been spotted probing for Exchange servers that remain vulnerable to an issue Microsoft patched earlier in its February updates.

Zyxel: 'Hot fixes' for serious vulnerabilities in network attached storage (NAS) devices and firewalls.

Chrome: Chrome 80 update patches three high-severity vulnerabilities, including one that Google says has been actively exploited.

Cisco: Patches for 11 vulnerabilities in its products, including multiple issues affecting UCS Manager, FXOS, and NX-OS software.

VMware: Updates to address serious vulnerabilities in vRealize Operations for Horizon Adapter.

Edge: Microsoft begins releasing new Chromium-based Edge browser to Windows 10 insiders. If all goes smoothly, general release will follow.
