FFT news digest June 5 2020

Cutting corners

Cybersecurity folk were quick to point out the risks of remote working (and earn some money in the process), but a rash of surveys suggests the warnings had little effect. Some caution is required, coming as they do from vendors who still have products to sell, but they do underline the less than optimal behaviour of people working from home. According to OneLogin(R), 62% of employees have had one of their online accounts compromised. That's hardly surprising when you look at some of the report's other findings: 33% have downloaded a personal application without approval; 36% access work applications from personal devices; 45% have shared their work device with their spouse, partner, or children; and 17% have visited adult sites on their work device. That's hard to beat as a list of what not to do. A couple of other warnings: there's been a 37% increase in mobile phishing attacks since the end of last year, and 23% of users surveyed by Capterra always use the same password for personal and work accounts. It's really important to talk about these risks with staff. The UK's NCSC has guidance here.

Scumwatch

While the UK's contact tracing app remains firmly stuck on the Isle of Wight, there are renewed warnings about security risks around the government's manual processes. Official guidance says a single phone number will be used, and text messages will be sent from 'NHS', but it's dismally easy to spoof a phone number so that a call or a message appears to be genuine. The NHS website does have some useful guidance about what contact tracers will and won't ask. It really is essential to take care during this period, because contact tracing is a potential gold mine for scumbags. Other scams this week:
Banks: Idiots in Australia have been depositing small amounts into victims' accounts and using the description to harass people. The Register
Tax: Emails pretend to be from UK tax office offering COVID-19 grants. Forcepoint
CVs: Malicious files masquerading as curriculum vitae are being sent to organisations in a bid to install malware that can capture passwords and other sensitive information. Check Point
VPN: Fake VPN updates are targeting remote workers to try to steal their Office 365 credentials. Abnormal Security
FBI: Campaign in the US tries to frighten victims by telling them the FBI is investigating them for crimes which can be dealt with by paying a $500 fine (and thus handing over credit card details). Panda

Zoom

"The most impressive financial results we’ve ever seen in software," one analyst gushed as Zoom released figures for the first quarter of 2020. In pandemic-propelled performance, revenue grew 169% year-over-year and customer numbers surged by 354%. "Use cases have grown rapidly as people integrated Zoom into their work, learning, and personal lives," Zoom said. A report (R) underlines just how deep that personal integration is; 33% of those surveyed said they had been using a corporate Zoom account for online socialising with family and friends. Meanwhile, Zoom's CEO, Eric Yuan, told analysts that only paid users will benefit from end-to-end encryption because "we want to work together with the FBI, with local law enforcement in case some people use Zoom for a bad purpose." Presumably, that assumes bad people won't stump up $14.99 a month to secure their wickedness, but then Yuan was responding to a suggestion that end-to-end encryption might be an upselling opportunity. So, in the end, perhaps it's more about money than cooperation with law enforcement.

Buckets

We're firm believers in the advantages of running applications and storing data in the cloud, but it's essential to have effective processes to make sure they're secure. If you're storing information without any password protection, sooner or later it will be found by one of the researchers who spend their time looking for it. This week's culprits: the open source content management system Joomla, and a German advertising app, TVSmiles. Joomla said an unsecured backup of a site containing details of 2,700 Joomla experts had been stored in a third-party company's Amazon storage. The breach also highlighted issues over management of access rights. TVSmiles was found to be storing a 306GB database with "unencrypted personally identifiable information matched to individual users, profiling insights about users’ interests based on quiz responses, associations to smart devices, and accounts and login details for TVSmiles’ business relationships." Even if you're not storing entire databases, a key risk to avoid is the use of unsecured links to share files.
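The Joomla and TVSmiles incidents both come down to storage that anyone on the internet could read. One process that catches this before a researcher does is a routine check of each bucket's policy and ACL for grants to anonymous or "any AWS account" principals. The script below is an added illustration, not Joomla's, TVSmiles' or Amazon's own tooling; it works on a constructed sample policy and ACL grants embedded inline (the bucket name, account id and Sids are made up), in the same JSON shapes that the S3 API returns, so it runs offline and could be pointed at real `get_bucket_policy` / `get_bucket_acl` output.

```python
"""Flag public-access grants in an S3-style bucket policy and ACL.

Added example: audits the two places a bucket can be opened to the world,
the bucket policy (Principal "*") and the ACL (AllUsers / AuthenticatedUsers
groups). Sample inputs below are constructed for this example.
"""
import json

# Constructed bucket policy: the second statement grants anonymous read and list.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},  # made-up account
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-site-backups/*"},
        {"Sid": "PublicRead", "Effect": "Allow",
         "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-site-backups/*",
                      "arn:aws:s3:::example-site-backups"]},
        {"Sid": "DenyOutsideVpc", "Effect": "Deny",
         "Principal": "*",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-site-backups/*",
         "Condition": {"StringNotEquals": {"aws:SourceVpc": "vpc-0example"}}},
    ],
})

# Constructed ACL grants, in the shape of get_bucket_acl()["Grants"].
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# ACL group URIs that mean "the whole internet" or "anyone with any AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_json):
    """Return Allow statements whose principal is everyone.

    Each finding records the Sid, the actions granted and whether a Condition
    block narrows the grant; a conditional "*" may be intentional but still
    deserves a human look, so it is reported rather than silently dropped.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot open the bucket up
        if not _principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "conditional": bool(stmt.get("Condition")),
        })
    return findings


def public_acl_grants(grants):
    """Return the permissions granted to AllUsers / AuthenticatedUsers."""
    return [g["Permission"] for g in grants
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]


def audit_bucket(policy_json, grants):
    """Combine both checks into a list of human-readable findings."""
    report = []
    for f in public_policy_statements(policy_json):
        scope = "conditional" if f["conditional"] else "unconditional"
        report.append(f"policy statement {f['sid']}: {scope} public grant of "
                      f"{', '.join(f['actions'])}")
    for perm in public_acl_grants(grants):
        report.append(f"ACL: {perm} granted to a public group")
    return report


if __name__ == "__main__":
    for line in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL_GRANTS):
        print(line)
```

In practice this runs against every bucket in every account on a schedule, and a non-empty report is a ticket, not a log line. It does not cover the third way data leaks from a bucket that the paragraph mentions, sharing pre-signed or otherwise unsecured links to individual objects; those need an expiry policy and review of how links are generated rather than an ACL check.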

Data retention

A new toolkit from our partner, Data Protection Network, aims to demystify one of the trickiest areas of the General Data Protection Regulation. Data Retention Guidance provides a clear step-by-step framework and has templates for different categories of data, including employee, marketing, and insurance records. The principle behind data retention requires that “personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.” As with much of the GDPR, the tricky business of defining what this actually means in the real world is left up to organisations to work out for themselves. DPN's guidance is designed to provide a practical approach, with case studies from organisations in the travel, charity and construction sectors.

Google sued

A proposed multi-billion dollar lawsuit against Google is a reminder not to assume anything is private online. Filed in Northern California, the complaint claims that even when private browser mode is used, Google identifies IP addresses, and tracks "what the user is viewing, what the user last viewed, and details about the user's hardware." It says that this happens despite assurances that consumers "are in control of what information [they] share with Google." The proposed suit seeks a minimum of $5 billion in damages (based on $5,000 per user). Google told Reuters it would defend itself vigorously against the claims, saying "As we clearly state each time you open a new incognito tab, websites might be able to collect information about your browsing activity." Similar claims are the subject of legal action in the UK which Google tried and failed to block.

In brief

Privacy-focussed messaging app, Signal, has announced a new tool that can be used to blur faces, though it won't necessarily hide identities completely. Taking a picture in Signal and selecting the blur option will automatically detect any faces and obscure them. All this happens on the phone. Signal

Apple has awarded a researcher $100,000 for identifying a security flaw in its 'Sign in with Apple' process. "Your Email ID is all I need to takeover your account on your favorite website or an app," the researcher wrote. (Apple has fixed the issue). Bhavuk Jain

Android phones can be crashed by using an apparently innocuous image as wallpaper. The issue is caused by the way colours are handled. Despite warnings not to experiment, many Twitter users complained they had 'bricked' their phones after trying it out. Iceuniverse

A large scale attack against WordPress websites tried to exploit old vulnerabilities in unpatched plugins. Its aim was to download configuration files and extract database credentials, which could then be used to take them over. Wordfence

In Apple's world, eight years is a lifetime so its mid-2012 15-inch MacBook Pros are about to become officially obsolete. That means they will no longer be eligible for repairs, with "no exceptions". MacRumors

A new Facebook feature will help users to delete posts in bulk. It's slightly convoluted and requires searches and filters to identify what to delete. 9to5Mac

Facebook and Instagram spent nearly three months blocking the #sikh hashtag. They have now fixed the issue, saying it was the result of an inaccurate review. Engadget

Updates

Apple: Update for all operating systems and devices to fix an issue that enabled Apple's built-in security to be circumvented.

Zoom: Another reason to check Zoom is up to date. Cisco Talos discovered a vulnerability that could be exploited by sending a specially-crafted ZIP file to a target.

Office: June non-security update includes fixes for intermittent crashes in Outlook 2016, Excel 2016 and PowerPoint 2016.

Google security: Apple devices running iOS 13.3 and above will be able to use Google’s Titan Security Keys to secure work and personal Google Accounts. This means signing in should simply require the key to touch the back of a device.

Exchange: Almost four months after Microsoft patched a serious vulnerability in Exchange servers, Rapid7 reports that more than 350,000 Internet-connected servers remain open to attack.

Firefox: Firefox 77 and Tor Browser 9.5 include patches for a range of vulnerabilities, including several rated 'high severity'. Tor browser also makes it easier to open '.onion' versions of web sites.

Android: June security patches address a total of 43 vulnerabilities, several rated critical.

Tails: Version 4.7 fixes "many security vulnerabilities" and users are advised to update immediately.

Zimbra: Versions 9.0.0 “Kepler” Patch 3 and 8.8.15 “James Prescott Joule” Patch 10 include important security fixes.

Cisco: Nexus switches running NX-OS software should be updated because of a serious flaw that could be exploited to bypass network access controls.

Cisco: Major update for IOS and IOS XE addresses 25 vulnerabilities, three rated 'Critical'.


Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217