FFT news digest May 15 2020

Scumwatch

The number of coronavirus-related cyber attacks continues to rise, with one survey reporting a 30% increase in the past two weeks. Check Point says most attacks start with phishing emails which impersonate the UN, the World Health Organisation, Zoom, Microsoft or Google to trick users into clicking on links or opening infected documents. Criminals have been busily registering domain names that look like real ones and would pass a cursory inspection. But other time-honoured scams are continuing as well. A webstore offering hard-to-find gadgets at suspiciously low prices topped Google's search results for days despite customer complaints that it was a scam. And the BBC also has the story of a couple who lost their £4,200 savings when criminals faked emails from their solicitors. "It had the logo, a breakdown of costs, what they were for and dates, so there was nothing to trigger any red flags. We eventually realised the only difference was a hyphen rather than a full stop in one part of the email address," they said. The lesson for anyone paying money on the strength of an email is to confirm the account details by phone, on a number you already hold rather than one printed in the email.
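
The solicitor scam above turned on a single punctuation character in the sender's domain. As an added illustration (our own code, not anything from the BBC story or from the vendors mentioned here), this Python snippet checks a sender address against an allow-list of trusted domains and flags close lookalikes: domains that differ only in punctuation or digit-for-letter substitutions, a trusted name used as the prefix of a longer domain, or a name within a couple of edits of a trusted one. The trusted domains and the sample addresses are constructed for the example.

```python
"""Flag sender domains that resemble, but do not match, a trusted allow-list."""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed allow-list of trusted sender domains for this example.
TRUSTED_DOMAINS = {"conveyancing.example-law.co.uk", "who.int", "microsoft.com"}

# Digit-for-letter substitutions commonly used in lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison form: lower-case, fold digit homoglyphs,
    treat 'rn' as 'm', and drop dots and hyphens, so that 'a-b.example' and
    'a.b.example' compare equal."""
    folded = domain.lower().translate(_HOMOGLYPHS).replace("rn", "m")
    return folded.replace(".", "").replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the domain of 'Jane <jane@example.com>' or 'jane@example.com'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    if "@" not in addr:
        raise ValueError(f"no @ in address: {address!r}")
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


@dataclass
class Verdict:
    domain: str
    status: str               # "trusted", "lookalike" or "unknown"
    resembles: Optional[str]  # the trusted domain matched or imitated, if any


def assess_sender(address: str, trusted: Iterable[str] = TRUSTED_DOMAINS,
                  max_distance: int = 2) -> Verdict:
    domain = sender_domain(address)
    trusted = sorted(t.lower() for t in trusted)
    # Exact match, or a genuine subdomain of a trusted domain.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return Verdict(domain, "trusted", t)
    sk = skeleton(domain)
    for t in trusted:
        if (domain.startswith(t + ".")        # trusted name as a prefix: microsoft.com.evil.example
                or skeleton(t) == sk          # differs only in punctuation or homoglyphs
                or edit_distance(domain, t) <= max_distance):
            return Verdict(domain, "lookalike", t)
    return Verdict(domain, "unknown", None)


if __name__ == "__main__":
    for addr in ("Jane <jane@conveyancing.example-law.co.uk>",
                 "jane@conveyancing-example-law.co.uk",   # hyphen where the real domain has a dot
                 "x@rnicrosoft.com", "x@microsoft.com.evil.example",
                 "x@totally-unrelated.org"):
        print(assess_sender(addr))
```

The edit-distance threshold is the knob to tune: with short trusted names such as who.int, a distance of 2 will also catch unrelated but legitimate domains, so treat a "lookalike" verdict as a prompt for a warning banner or manual review rather than an automatic block. The check complements, and does not replace, SPF/DKIM/DMARC verification of the sender.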

Tracing lessons

As the UK continues to ponder whether to pursue a new approach to tracing coronavirus infections, experience from Iceland underlines that an app is of limited use on its own. 38% of Icelanders downloaded the country's tracing app, but, despite early deployment and widespread use, its impact has been small compared to manual efforts. “I wouldn’t say useless, but it’s the integration of the two that gives you results," said the police inspector overseeing contact tracing. In the UK, the government is continuing to pilot its app on the Isle of Wight while simultaneously exploring whether to adopt a completely different model. Trust in the government's approach wasn't improved when sensitive documents outlining future plans for the app were found on Google Drive without any password protection. Meanwhile, the EU has rejected the idea of making contact tracing apps mandatory for travel. And in California, a team at Stanford is studying whether fitness trackers can be used to predict the onset of diseases such as COVID-19.

Apple

The iPhone was once the gold standard for security in consumer devices. Now an exploit broker says it is being offered so many iOS exploits that, for the next two to three months, it will stop buying several categories of them (local privilege escalation, Safari remote code execution and sandbox escapes). Zerodium makes its money by paying researchers enormous sums for 'exploit chains' which link together vulnerabilities to compromise a device, ideally without the user doing anything. (By enormous sums, we mean up to $2 million.) It then sells those exploits on to customers which incorporate them in their own tools. Until last year, Zerodium paid far more for iOS exploits than for Android ones, but in September its founder warned it would start turning down offers of iOS exploits, saying Apple had "absolutely destroyed iOS security". Its founder has now stepped up his invective, saying iOS security is "f**ked". This will ring bells with anyone who has suffered from Apple's recent track record in releasing software that doesn't work. iPhones are still a pretty secure option for most consumers, but a glut of exploits on the market does mean it's essential to install iOS updates promptly.

Remote working

Reports of the death of the office may be greatly exaggerated, but some of the changes provoked by the coronavirus pandemic are very likely to stick. This week Twitter told its 4,900 employees that anyone who wanted to work from home (and could do their job from there) would be able to do so "forever". Deciding when to re-open offices would be up to Twitter; whether to return to them would be the employee's decision, it said. In fact, even before the pandemic we had seen a steady increase in remote working, especially in the media sector. But, according to Kaspersky, 73% of employees working from home haven't received any cybersecurity guidance or training designed to keep them safe. Combine that with a survey that found 17.4% of global respondents had shared their work device password with a spouse or child and you have a recipe for disaster. There are plenty of free and cut-price resources to help improve security, and some excellent advice from the Canadian federal government: "You are not 'working from home', you are 'at your home, during a crisis, trying to work'," it said.

Disinformation

More than a quarter of the most-viewed YouTube videos about the coronavirus contained misleading information, according to a study by Canadian researchers. Those videos attracted more than 62 million views worldwide, while content from reputable sources remains under-represented in the current pandemic, the study says. It warns that "misinformation about COVID-19 is reaching more individuals than in past public health crises, as YouTube continues to grow as a source of health information," and it calls on public health agencies to make better use of YouTube to deliver quality content and minimise the spread of misinformation. Meanwhile, Twitter announced that it would add labels and warnings to some tweets containing misleading or disputed information. The new labels will link to more information in cases where the risk of harm from a tweet is not severe enough for it to be removed, but people could still be confused or misled.

California

Remember the introduction of the GDPR? Two years on, California is about to begin enforcing its own legislation designed to protect personal data. Enforcement of the California Consumer Privacy Act (CCPA) starts on July 1. It applies to for-profit companies anywhere in the world which collect the personal information of California residents and which meet any of the following criteria:
Buys, receives, sells or shares the personal information of at least 50,000 California residents, households or devices
Has annual gross revenue of over $25,000,000
Derives more than 50% of annual revenue from selling the personal information of California residents
The CCPA's definition of personal information is broader than the GDPR's, but, like the GDPR, it contains more than a little ambiguity in some of its provisions. One thing that is clear is the level of fines. They're set at up to $2,500 per violation where the violation is unintentional (and up to $7,500 where it is intentional), so an unintentional violation involving 10 California residents could cost $25,000.

In brief

Stuck at home and tempted to torrent? You're not alone. New data shows that BitTorrent traffic in Europe, the Middle East and Africa was higher than Netflix's. The full report has plenty of insights into what the world is doing online. Spoiler: the big winner is YouTube. Sandvine

Scary flaw, but don't be too worried. Researchers discovered that the Thunderbolt interface could be exploited to take control of a computer, even if it's locked or asleep. The attack needs physical access: the attacker has to open the case and reprogram the Thunderbolt controller's firmware, which the researchers say takes about five minutes with a screwdriver and some portable hardware. It's a reminder to avoid leaving devices unattended; machines that support Kernel DMA Protection (most shipped since 2019) are protected against most of the Thunderspy attacks. Thunderspy

Some very unhappy owners of Xiaomi Mi 9 phones bought from Vodafone in the UK: an update rendered them lifeless. A fix is on its way, but the episode adds weight to the argument that it's better to buy phones direct from the manufacturer rather than carrier-customised models. Vodafone

Slack is to begin stripping metadata from photos uploaded to the platform. Admission: we had assumed that, as with other online platforms, this was already being done. Photo metadata (EXIF and its relatives) can include GPS coordinates, timestamps and camera serial numbers, so it matters. TechCrunch
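
To show what "stripping metadata" involves, here is an added example of our own (not Slack's implementation) that uses only the Python standard library. It walks a JPEG's marker segments, drops the Exif and XMP APP1 segments, the Photoshop/IPTC APP13 segment, any other APPn segment and COM comments, keeps the JFIF APP0, ICC profile and Adobe APP14 segments that a decoder needs to render the image correctly, and passes the entropy-coded scan data through untouched. The sample file is a constructed byte string with the real JPEG segment layout but placeholder payloads; it is not a decodable photo.

```python
"""Strip metadata segments from a JPEG while leaving the image data untouched."""
from typing import Iterator, List, Optional, Tuple

SOI, SOS, EOI = 0xD8, 0xDA, 0xD9
APP0, APP1, APP2, APP13, COM = 0xE0, 0xE1, 0xE2, 0xED, 0xFE
# Markers that carry no length field: TEM and the restart markers RST0-RST7.
STANDALONE = {0x01} | set(range(0xD0, 0xD8))


def iter_segments(data: bytes) -> Iterator[Tuple[Optional[int], bytes]]:
    """Yield (marker, raw_bytes) for each header segment through SOS. The last
    item is (None, tail): the entropy-coded scan plus EOI, passed through as-is."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, data[:2]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes may precede a marker
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield marker, bytes((0xFF, marker))
            continue
        if marker == EOI:
            yield EOI, b"\xff\xd9"
            return
        length = int.from_bytes(data[pos:pos + 2], "big")  # includes the two length bytes
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, bytes((0xFF, marker)) + data[pos:pos + length]
        pos += length
        if marker == SOS:
            yield None, data[pos:]
            return
    raise ValueError("unexpected end of data")


def is_metadata(marker: int, segment: bytes) -> bool:
    """True for segments that carry metadata rather than decoding information.
    APP0 (JFIF), ICC profiles (APP2) and Adobe's APP14 affect how the image is
    decoded or displayed, so they are kept; Exif/XMP (APP1), Photoshop/IPTC
    (APP13), any other APPn and COM are dropped."""
    if marker == COM:
        return True
    if APP1 <= marker <= 0xEF:
        payload = segment[4:]
        if payload.startswith(b"ICC_PROFILE\0") or payload.startswith(b"Adobe"):
            return False
        return True
    return False


def strip_metadata(data: bytes) -> bytes:
    out = bytearray()
    for marker, raw in iter_segments(data):
        if marker is not None and is_metadata(marker, raw):
            continue
        out += raw
    return bytes(out)


def segment_markers(data: bytes) -> List[int]:
    """Marker codes of the header segments, for inspection."""
    return [m for m, _ in iter_segments(data) if m is not None]


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes((0xFF, marker)) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed, minimal JPEG-shaped bytes: real segment layout, placeholder payloads.
SAMPLE_JPEG = b"".join([
    b"\xff\xd8",
    _segment(APP0, b"JFIF\0\x01\x01\0\0\x01\0\x01\0\0"),
    _segment(APP1, b"Exif\0\0MM\0*\0\0\0\x08" + b"<constructed GPS IFD bytes>"),
    _segment(APP1, b"http://ns.adobe.com/xap/1.0/\0<x:xmpmeta>constructed</x:xmpmeta>"),
    _segment(APP2, b"ICC_PROFILE\0\x01\x01" + bytes(16)),
    _segment(APP13, b"Photoshop 3.0\0" + b"8BIM constructed IPTC caption"),
    _segment(COM, b"Taken at home, 51.5N 0.1W"),
    _segment(0xDB, b"\0" + bytes(64)),                  # DQT
    _segment(0xC0, b"\x08\0\x08\0\x08\x01\x01\x11\0"),  # SOF0
    _segment(0xC4, b"\0" + bytes(16)),                  # DHT
    _segment(SOS, b"\x01\x01\0\0\x3f\0"),
    b"\x12\x34\xff\x00\x56\xff\xd0\x78",  # scan data with a stuffed 0xFF00 and an RST0 marker
    b"\xff\xd9",
])

if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE_JPEG)
    print([hex(m) for m in segment_markers(SAMPLE_JPEG)])
    print([hex(m) for m in segment_markers(cleaned)])
```

Two caveats a practitioner would add. This handles JPEG only; PNG carries its metadata in tEXt/iTXt/eXIf chunks and HEIC in ISO-BMFF boxes, each needing its own walker. And the safest course for a hosting platform is usually to re-encode the image entirely rather than to filter segments, because re-encoding also discards anything hiding in unexpected places, at the cost of a lossy recompression.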

Microsoft says it will provide a free fix for spontaneous cracks in Surface Laptop 3 displays. It blames the issue on the possible presence of a "foreign particle" in the manufacturing process. Bleeping Computer

Magecart continues to be a serious threat to poorly-secured websites. A researcher found 1,236 domains that had been infected with the payment card skimmer. Akamai has advice on protection. Max Kersten
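
Magecart skimmers arrive as script a site never meant to serve: a third-party src, an inline obfuscated blob, or a tampered first-party file. As an added example (our own, not the advice in the Akamai or Max Kersten pieces), this stdlib-only Python audit parses a checkout page's HTML and reports external scripts served from hosts outside an allow-list, external scripts without a Subresource Integrity attribute, data: or javascript: script URIs, and inline scripts that use the obfuscation primitives skimmer loaders lean on. The host allow-list, the page markup, the hostnames and the integrity value are all constructed for the example.

```python
"""Audit the <script> elements of a page for signs of injected third-party code."""
from html.parser import HTMLParser
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allow-list: hosts permitted to serve script to this shop.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}

# Primitives first-party checkout code rarely needs inline but obfuscated
# skimmer loaders use routinely.
SUSPICIOUS_TOKENS = ("eval(", "atob(", "fromCharCode", "unescape(", "document.write(")


def script_host(src: str) -> Optional[str]:
    """Host of an absolute or protocol-relative script URL; None for a relative
    (same-origin) path."""
    src = src.strip()
    if src.startswith("//"):
        src = "https:" + src
    if "://" not in src:
        return None
    return (urlsplit(src).hostname or "").lower()


class ScriptAuditor(HTMLParser):
    def __init__(self, allowed_hosts: Iterable[str]):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings: List[Tuple[str, str]] = []
        self._inline: Optional[List[str]] = None  # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            self._inline = []  # inline script: collect its body until </script>
            return
        if src.strip().lower().startswith(("data:", "javascript:")):
            self.findings.append(("script_uri", src[:40]))
            return
        host = script_host(src)
        if host is None:
            return  # same-origin path; needs a file-hash baseline, not a host check
        if host not in self.allowed_hosts:
            self.findings.append(("untrusted_host", src))
        if not a.get("integrity"):
            self.findings.append(("missing_sri", src))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            hits = [t for t in SUSPICIOUS_TOKENS if t in body]
            if hits:
                self.findings.append(("inline_suspicious", ",".join(hits)))
            self._inline = None


def audit_html(html: str, allowed_hosts: Iterable[str] = ALLOWED_SCRIPT_HOSTS) -> List[Tuple[str, str]]:
    parser = ScriptAuditor(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed checkout page: reserved .example hostnames, placeholder integrity
# value, and an inline loader whose base64 decodes to console.log(1).
SAMPLE_CHECKOUT_HTML = """<!doctype html><html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/vendor/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.example/vendor/analytics.js"></script>
<script src="//stats-collector.example.net/s.js" async></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>eval(atob("Y29uc29sZS5sb2coMSk="));</script>
</head><body><form id="payment"></form></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_CHECKOUT_HTML):
        print(f"{kind:18} {detail}")
```

Run against a live checkout page fetched on a schedule, a new finding is a reasonable alert. Two limits: SRI only works where the third party publishes fixed, versioned files (a CSP script-src allow-list is the complement for hosts that change their scripts), and a skimmer appended to a first-party file is invisible to this check unless you also compare the site's own scripts against a known-good hash baseline.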

A bad week for the law firm Grubman Shire Meiselas & Sacks, which counts Robert De Niro, Madonna, Elton John and U2 among its star clients. Hackers claim to have nicked 756GB of data, including contracts and personal details. Music Business Worldwide

Updates

Microsoft: Monthly set of updates (the third largest in the company's history) addresses 111 vulnerabilities across 12 products. 16 are rated critical. None are known to be under active exploitation.

Email: Microsoft is rolling out an Office 365 feature designed to reduce the impact of 'Reply All' storms (i.e. when an organisation falls into the vicious circle of people replying to everyone on a large distribution list). Initially it only kicks in for very large threads (10 reply-alls to more than 5,000 recipients within an hour), so it will only be relevant to big organisations. Microsoft is also fixing a search problem in Outlook.

Adobe: Security updates for Acrobat, Reader, and DNG Software Development Kit. 16 of 36 issues rated critical.

SAP: 18 security notes, 6 rated 'Hot News'

vBulletin: Fix for security issue in vBulletin 5.6.1. Users also urged to update if using a version of vBulletin 5 Connect prior to 5.5.6.

WordPress: Page Builder by SiteOrigin versions 2.10.15 and below have a vulnerability that could allow full site takeover; admins should upgrade to version 2.10.16. Users of Site Kit by Google should also ensure they have applied the latest patch.

SecureDrop: Version 1.3.0 contains range of bug fixes and security enhancements.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217