FFT news digest April 16 2021

'Breaches'

"Move along please. Nothing to see here." That sums up the response of Facebook and LinkedIn after it emerged details about more than a billion of their users were available online. The Irish data protection regulator is not convinced and says it believes "one or more provisions of the GDPR and/or the Data Protection Act 2018 may have been, and/or are being, infringed in relation to Facebook Users’ personal data". It has launched an inquiry into how the Facebook data appeared, something the company blamed on a flaw in a tool for synching contacts which allowed details to be harvested en masse. And today, a digital rights group said it would sue Facebook over the incident.

For its part, LinkedIn also denied any data had been stolen, saying the details posted last week included "publicly viewable member profile data that appears to have been scraped from LinkedIn". "This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review," it added. This will doubtless be of enormous comfort to the hundreds of thousands of users who have been receiving a rich assortment of phishing emails and scams. Bitdefender says, although the increase in LinkedIn-themed spam "can’t be directly associated with the leaked information, the overwhelming number of deceptive and fraudulent emails suggests otherwise".

One other item of Facebook news. Last year, Mark Zuckerberg was paid $23.4 million for security at home and when travelling. A financial disclosure statement also revealed that Chief Operating Officer, Sheryl Sandberg, received $7.6 million in security-related payments. Facebook says an "overall security program" has been authorised for the two executives "to address safety concerns due to specific threats to their safety". To be fair to Zuckerberg, he doesn't receive a salary (other than a notional $1 payment) or stock options. But then he does own millions of shares, giving him 57.7% of voting power and complete control of the company.

Threats

COVID-19: Multiple pandemic-related scams continue to do the rounds, including non-existent UN compensation schemes. Encouragingly, KnowBe4's quarterly phishing report suggests users are becoming more adept at spotting such wickedness.

Cracked: Downloading pirated versions of popular software is a swift route to misery, as has been repeatedly demonstrated. Currently, 'cracked' copies of Microsoft Office and Adobe Photoshop are being used to lure users who don't want to stump up for a license. Don't be tempted! Bitdefender

Business forms: Web searches for business forms are being hijacked to show malicious files. If opened, they install malicious software that takes over the device. eSentire

Devious: A phishing campaign tries to steal Microsoft 365 credentials with a sophisticated approach designed to avoid detection. The initial email disguises an HTML file as an Excel spreadsheet and pretends to include details of a price revision. Trustwave

Fake: WhatsApp is being used to distribute fake offers of free Lenovo laptops. Messages are also offering malicious Android apps disguised as TikTok. The campaign is currently focussed on India. Zscaler

ZIP: A new malicious software installer (dubbed 'Saint Bot') is infecting computers with a virus that steals passwords. The attack begins with a phishing email containing a ZIP file ("bitcoin.zip"). Malwarebytes

Census: Fake reminders to complete the UK census are doing the rounds and should be ignored. Meanwhile, the Office for National Statistics has denied it hands over any census data to law enforcement agencies.

Security

The security of Apple's App Store is like “bringing a plastic butter knife to a gunfight”, according to one of the company's senior engineers. The description is included in documents reported by the Financial Times ($) as part of an antitrust case brought by Epic Games which has been trying to avoid the 30% fee Apple levies for products in the app store. Epic argues that Apple seeks to lock in its customers by creating high costs to migrate to other products and the charges are unjustified. For its part, Apple says App Store policies have led to a boom in the software industry and result in greater safety and security for users. The case is due to begin next month.

Russia

There's been a sharp escalation in tension between the US and Russia, with the announcement by Washington of tough new sanctions in response to a wide-ranging cyber attack formally attributed to Moscow. Announcing the actions, President Biden described an "unusual and extraordinary threat...posed by specified harmful foreign activities of the government of the Russian Federation." Shortly before the announcement, the FBI, the National Security Agency and the Cybersecurity and Infrastructure Security Agency issued a joint warning about five vulnerabilities which they said Russia is exploiting. The issues affect Fortinet, Zimbra, Pulse Connect Secure, Citrix and VMware. Given the new sanctions, it's even more important to make sure updates have been applied. Even if you are not a natural target for Moscow's attentions, the same techniques could be used by criminals and other attackers.

FLoC off!

Regular readers will be aware of the extent to which our online activities are tracked with microscopic precision as companies seek to perfect their understanding of who we are and what we might buy. Until now, much of that tracking has been achieved by cookies (i.e. small text files placed on our computing devices). But Google has a cunning plan called FLoC, which stands for Federated Learning of Cohorts. It's part of Google's 'Privacy Sandbox' initiative which aims to support targeted adverts without tracking individuals. It does this by placing browsers in a "cohort" together with other browsers with a similar history. Privacy activists are unimpressed. The Electronic Frontier Foundation has declared it a terrible idea. Browser developer, Vivaldi, had a simpler response; "FLoC off!" And, for the moment, Google isn't trialling the technology in the EU because of data protection regulations. Meanwhile, in Australia, the Federal Court has ruled that Google "partially" misled users over how it collects and uses location data. 

Biometrics

Payments will increasingly be authenticated by facial recognition over the next few years, according to Juniper Research. Together with fingerprint, iris and voice recognition, biometrics are predicted to secure more than $3 trillion of mobile payments by 2025 (up from $404 billion in 2020). The lead analyst behind the research admitted there could be a bumpy road ahead. "Fraudsters are always trying to evolve their tactics and develop new methods of fooling whatever security measures are in place," Nick Maynard told ZDNet. "They experiment with photos, 3D-printed masks – you name it, it's been tried. It's essentially an arms race between fraudsters and security providers." What he didn't say is that the experiments are often successful in overcoming security measures.

In brief

Home tours: As if selling property wasn't stressful enough, a new wrinkle has been added by the introduction of virtual 3D tours. A Devon estate agent has apologised after it was found that financial information could be seen by zooming into the high resolution photos that comprised the tour. BBC

Insiders: Employees are more likely to leak data since the start of the pandemic, according to research from Code42. A webcast with the Stanford Advanced Cybersecurity Program has advice on how to stay protected. Infosecurity

WordPress: Zerodium is an exploit broker, which means it buys and sells ways to take advantage of vulnerabilities in software and hardware. We keep an eye on the rewards it offers because they're a good guide to what nation states are currently targeting. Latest change is a temporary $300,000 bounty for ways to break into WordPress (up from the normal $100,000).

Ad blockers: We recommend the use of ad blockers, but we also recognise that they can cause problems with some websites. It seems Google Docs is among them, as TNW explains. A solution for problem websites is to use a browser without any extensions.

Boomers: Over-55-year-olds are the fastest-growing market for games, with a 32% increase in the last three years. 24% of grandparents and parents described playing games together as family time. GamesIndustry.biz

Frank: A new social media network promises unrestricted free speech, as long as it doesn't include “The N-word, the C-word, the F-word or God’s name in vain.” “Frank Speech” is backed by Mike Lindell, the CEO of My Pillow and a fervent Trump supporter. The Register

Updates

Microsoft: Monthly set of updates address a total of 114 issues in multiple products, including Windows, Edge, Azure, Office, SharePoint Server and Exchange Server. Exchange is affected by four previously-undisclosed vulnerabilities and users are urged to apply the patches for these urgently.

Windows 10: Support for three older versions is about to expire. The November 2019, April 2018 and October 2018 versions are all affected. Your system will nag you to update and it's important to agree because of the lack of ongoing security patches.

Adobe: Security updates to address critical vulnerabilities in Adobe Bridge, as well as serious issues in Digital Editions, Photoshop and RoboHelp.

Chrome: We're sceptical about the ability of browser developers to keep up with people trying to find vulnerabilities in their products. Google released two updates this week, while admitting that previously-undisclosed (zero-day) issues were being actively exploited. Latest version is 90 which includes multiple security updates. Engadget also spotted a new feature; pressing / acts as a shortcut to return the cursor to the search box.

QNAP: Network-attached storage (NAS) devices running the Surveillance Station video management system are vulnerable to a publicly-available exploit. The issue was addressed in an update in February and it's essential to ensure this has been applied.

Multiple: Apps including Telegram, Nextcloud, VLC, LibreOffice, OpenOffice, and Wireshark are affected by multiple vulnerabilities. Updates are being rolled out and it's essential to apply these as soon as they are available. Positive Security
