FFT news digest Mar 13 2020

Virgin Media

Data breaches are a fact of online life (though many shouldn't be), so organisations are judged as much on how they handle the incident as they are on the breach itself. That's why it's worth looking at Virgin Media's response to news that it failed to protect the personal information of 900,000 of its customers. Initially, it said the data included only "limited contact information" and "technical and product information." The reality, as disclosed by the researchers who discovered the unsecured database, is that for at least some customers, "technical and product information" included requests to unblock pornographic websites along with other highly personal details. Virgin Media said only a tiny percentage of people were affected. We say that full, frank and early disclosure is the only way to respond to data breaches because it's an iron rule that the truth will out.

Coronavirus

As the coronavirus spreads, so do online scams trying to take advantage of it. These have become so numerous that the US Secret Service published a warning against them. "The Coronavirus is a prime opportunity for enterprising criminals because it plays on one of the basic human conditions…fear. Fear can cause normally scrupulous individuals to let their guard down and fall victim to social engineering scams, phishing scams, non-delivery scams, and auction fraud scams," the warning says. Among the latest examples are fake maps and dashboards which pretend to track how the virus is spreading, and emails trying to persuade people to donate money to help communities affected by the virus. And groups linked to Russia, China and North Korea are reported to have used coronavirus lures in phishing attacks. The most egregious scam is probably fake emails from the World Health Organisation specifically targeting Italian users.

Tracking

The reality of online data collection is illustrated by a case in Florida, in which location information from a biking app was used to place its (innocent) user at the scene of a burglary. NBC reports that there has been a significant rise in the number of "geofence warrants" which are used to find suspects in the absence of other leads. In the Florida case, the first the suspect knew was when he received a letter from Google saying police had demanded access to information related to his Google account. It turned out that data from his fitness app had been shared with Google. Eventually, the suspect persuaded police he wasn't involved, but the case demonstrates the extent to which our movements are shared with technology giants like Google and Facebook. Location information is hugely valuable because it enables our online and physical movements to be linked...and monetised. This is why we believe it's essential to understand the terms and conditions for any app that we install.

Online is online

Whisper is a free app designed to support secrecy that allows users to share photos and video messages anonymously. Unfortunately, the company behind it left an unsecured database online with up to 900 million records in it. The security failure exposed years of intimate confessions and meant they could be linked to the age, location and other details of the people who shared them. In one example quoted by the Washington Post, a mother wrote, “My son was conceived at a time when I cheated on his father … I just hope he will never find out.” Whisper said much of the data was intended to be accessible to users of the app, but admitted that the unsecured database was not designed to be queried directly. There continues to be an illusion that information can be shared securely and anonymously online. Whisper is just the latest illustration of why that's an illusion.

Hacking the cloud

The FBI has warned about the extent of efforts to compromise Microsoft's Office 365 and Google's G-Suite as criminals seek to defraud organisations. "The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds," the FBI said in a Private Industry Notification reported by Bleeping Computer. More than $2.1 billion dollars were lost in such scams over a 5-year period, the FBI added. Its notification has excellent advice on how organisations can strengthen their defences. This includes configuring security features such as SPF, DMARC and DKIM, and prohibiting legacy email protocols.
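The FBI's advice above boils down to publishing the right DNS records and making sure they are actually enforcing. As an added example (not code from the digest or from the FBI notification it cites), the script below grades a domain's SPF, DKIM and DMARC TXT records the way a defender reviewing mail-authentication posture would: it flags a softfail `~all`, an empty DKIM key, a monitor-only `p=none` policy and a missing reporting address. It does no DNS lookups; the domain names and record values are constructed samples embedded inline so it runs offline.

```python
"""
Added example, not code from the digest or from the FBI notification it cites.
A small offline checker that grades a domain's SPF, DKIM and DMARC TXT records
the way a defender reviewing mail-authentication posture would. DNS lookups are
left out on purpose; the records below are constructed samples for illustration.
"""
import re

# Constructed sample records (hypothetical domains, not real published policies).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dkim": "v=DKIM1; k=rsa; p=",            # empty p= means the key was revoked
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEYDATA",  # constructed key value
        "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
    },
    "missing.example": {"spf": None, "dkim": None, "dmarc": None},
}


def parse_spf(record):
    """Return the SPF mechanisms and the qualifier on 'all', or None if not SPF."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"   # bare 'all' is an implicit '+all'
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_tags(record, version):
    """Parse a 'k=v; k=v' record (DKIM or DMARC); None unless v= matches version."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == version else None


def assess(spf_record, dkim_record, dmarc_record):
    """Return a list of findings; an empty list means the posture looks sound."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no valid record published")
    elif spf["all"] in (None, "+"):
        findings.append("SPF: missing or '+all' catch-all lets any host send as the domain")
    elif spf["all"] == "~":
        findings.append("SPF: '~all' softfail is rarely enforced by receivers; prefer '-all'")
    elif spf["all"] == "?":
        findings.append("SPF: '?all' neutral result gives no protection")

    dkim = parse_tags(dkim_record, "DKIM1")
    if dkim is None:
        findings.append("DKIM: no valid selector record published")
    elif not dkim.get("p"):
        findings.append("DKIM: empty p= tag, key is revoked so signatures will not verify")

    dmarc = parse_tags(dmarc_record, "DMARC1")
    if dmarc is None:
        findings.append("DMARC: no valid record published")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so aggregate reports are never received")
    return findings


def grade(domain, records=SAMPLE_RECORDS):
    """Grade one domain from the sample table: ('PASS', []) or ('REVIEW', findings)."""
    r = records[domain]
    findings = assess(r["spf"], r["dkim"], r["dmarc"])
    return ("PASS" if not findings else "REVIEW", findings)


if __name__ == "__main__":
    for domain in SAMPLE_RECORDS:
        verdict, findings = grade(domain)
        print(f"{domain}: {verdict}")
        for f in findings:
            print("  -", f)
```

Run it as-is to see the three sample domains graded; to check a real domain, feed the TXT values returned for the apex, the DKIM selector (`selector._domainkey.domain`) and `_dmarc.domain` into `assess()`. The point the FBI notice makes is the one the checker encodes: a record that exists but says `~all` or `p=none` gives receivers no reason to reject a spoofed message.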

Scraping

An artificial intelligence company, Banjo, created a range of Android and iPhone apps that looked innocuous but were designed to harvest social media data about their users, according to Motherboard. The report, quoting former employees, says the apps were designed to take advantage of the social media login feature used by Google and Facebook. Banjo's concept is to combine feeds from cameras with a range of other data such as satellites and social media posts to create a system to provide police with real-time alerts about crimes. We think it's an excellent example of the need to be careful about the apps we install, and the permissions we give them.

In brief

A new phishing campaign is sending out emails with fake HIV test results. The aim is to persuade recipients to open a malicious Excel file and enable macros, an offer that should always be refused for unsolicited files. Proofpoint

Attackers are using emails which promise to give access to nude pictures of a friend's girlfriend. The scam mimics a DocuSign document and claims the pictures had been obtained as part of a 'sextortion' scam. The link is designed to infect devices with malicious software that steals a wide range of information. IBM X-Force

Vanity award scams are on the rise. These are particularly popular in the US and involve trying to persuade the target that they've won an award. Attackers will mine social media, particularly LinkedIn, for information to make the lure more credible. ZDNet

LinkedIn isn't known as the 'phisherman's friend' for nothing. A new campaign is using fake profiles in an effort to harvest Microsoft logon credentials. As always with social media, caution is the key when receiving connection/friend requests. Heimdal

Facebook and Twitter have taken down dozens of fake accounts and pages, as Russian efforts to interfere in the US presidential election appear to be getting more sophisticated. Twitter said fake accounts tried to sow discord by emphasizing social issues such as race and civil rights without favoring any particular candidate. AP

Windows 10 users have been reporting numerous problems after installing the KB4535996 cumulative update. Microsoft says it's aware of the issues and is promising a new update shortly. Microsoft

Updates

Microsoft: The monthly set of updates includes 26 rated 'critical'. One vulnerability being fixed affects Word and, unusually, the exploit only requires a user to view a file in Outlook's Preview Pane. Microsoft also issued an emergency update for Server Message Block 3.1.1 (SMBv3).

Exchange: The US National Security Agency has warned about risks to Microsoft Exchange Server because of an issue that was addressed last month. Researchers have found that state-backed attackers are already exploiting the flaw.

Netgear: Updates for Nighthawk X4S Smart Wi-Fi Router (R7800) family to address a critical issue that could be exploited remotely.

Firefox: Version 74 includes new features, including an option (called Facebook Container) which isolates any Facebook sessions so that browsing activity can't be tracked between different sites. It will also stop malicious programs adding unwanted extensions without the user's knowledge.

Avast: Users of AntiTrack should make sure they are running the latest version which fixes an issue that could allow HTTPS traffic to be compromised.

Tails: Version 4.4 fixes several security vulnerabilities and users are advised to upgrade as soon as possible.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217