FFT news digest July 24 2020

Privileged access

Last week's devastating breach of Twitter's security raises serious questions about its approach to managing privileged access to internal systems and information. Twitter says its investigations show "attackers targeted certain Twitter employees through a social engineering scheme". But detailed reporting suggests there has been long-term targeting of Twitter workers (some involving threats of violence), and a number of the attacks resulted in their co-operation. Respected reporter Brian Krebs explains how one hacker boasted of "a direct connection to one or more people working at Twitter." Reuters reports that, as of earlier this year, more than 1,000 Twitter employees and contractors had access that could change user account settings and give control to others. There appear to have been no effective controls on what they could do with this access. Twitter has now revealed that the attackers were able to download detailed information for up to eight of the 130 hijacked accounts, and direct (i.e. private) messages for up to 36 of them.

Scumwatch

Cloud: Ingenious campaign reflects the current trend for attackers to use public cloud services to make it harder to detect what they're up to. This one uses Google Drive to host a malicious PDF document that looks like a gateway to content on SharePoint. The aim is to steal Microsoft 365 credentials. Check Point
Chrome: Messages warn the target to upgrade to the latest version of Google Chrome (or Internet Explorer). The link leads to a malicious website. Proofpoint
Microsoft 365: Attackers use a fake internal email that pretends to carry a security alert. Abnormal Security
Microsoft renewal: Fake messages advise recipients that their Microsoft Office subscription is due for renewal. Abnormal Security
Unsecured databases: Dozens of unsecured databases have fallen victim to an attack that destroys data without explanation. Bleeping Computer
Amazon Prime: Renewed campaign uses automated phone calls to claim the target has opened an Amazon Prime account. The "cancellation" process connects to a live operator who tries to gain access to the target's computer. CTSI

UK EU data

Last week's decision by Europe's top court to strike down the mechanism underpinning transatlantic data transfers also has implications for a post-Brexit UK. Key to the ruling by the Court of Justice of the European Union was a finding that US surveillance laws mean individual privacy rights can't be guaranteed. The challenge for the UK is that its own surveillance regime has been widely criticised and is likely to come under similar scrutiny. But the court's decision also highlights the scale of the challenge facing Britain outside the EU. While it hopes for an "adequacy decision" that will allow unrestricted data flows from the EU, any similar arrangement with the US would make such a deal highly unlikely. And the court has made clear that other mechanisms such as Standard Contractual Clauses and Binding Corporate Rules will have to be reviewed on a case-by-case basis. As with everything else to do with Brexit, UK organisations can look forward to more complexity and higher costs.

Iranian cyber snafu

Iranian cyber spies were caught with their collective pants down when IBM researchers found a cache of data, including training videos showing attacks being carried out in real time. IBM X-Force found the material because the hacking group (known as ITG18) had simply failed to secure it. As a result, the attackers can be seen meticulously validating stolen credentials for websites, no matter how unimportant they might seem (e.g. pizza delivery, baby products, video games). The videos also demonstrate how to export data from compromised accounts. Encouragingly, the videos underline the value of multifactor authentication (MFA): "if the operator successfully authenticated against a site that was set up with MFA they ... moved on to another set of credentials without gaining access," IBM said. The findings also reinforce the importance of security basics: don't reuse passwords, limit third-party access to email accounts, and protect all information, no matter how trivial it might seem.

Human error

Organisations should take a more "human approach" if they want to prevent errors becoming serious security incidents, according to a report from Tessian. Distraction, stress and fatigue all contribute to making bad cybersecurity decisions. Attackers know this and exploit it ruthlessly: "Businesses need to educate employees on how hackers might take advantage of their stress and explain the scams people could be susceptible to," the report says. Tessian (an email security vendor) advises organisations to understand individual behaviour and "tailor training and policies to make safe cybersecurity practices truly resonate." Our own approach to cybersecurity training is based on telling stories - and this newsletter is designed to provide items that (hopefully) are interesting in themselves so that cybersecurity remains a live topic, long after training is over.

Surveillance a l'Americaine

While the US shouts about the risks of Chinese technology companies, media reports have revealed the extent of US federal access to online databases. One example, detailed by Forbes, shows how the FBI is using information from Sabre, the world's largest clearing house for travel data. "Stretching back to at least the 2001 September 11 terror attacks, the government has, on numerous occasions, secretly asked the company to actively spy on suspects' movements, in both major and minor criminal cases," Forbes says. The beauty of Sabre from the FBI's perspective is its access to multiple airlines and other travel operators, which avoids the need to deal with multiple organisations. Meanwhile, TechCrunch reports how US Customs and Border Protection can track vehicles across the US, not by using warrants but by buying access to commercial licence plate reader databases.

In brief

At least seven universities as well as a number of NGOs have lost data as a result of an attack on a service provider. Blackbaud was the victim of a successful ransomware attack in May; its account of the incident raises more questions than it answers, but it underlines the critical importance of supplier security. BBC

A ransomware attack is also believed to be responsible for lengthy disruption at Garmin which left fitness devices and apps disconnected for nearly a day (at the time of writing). Garmin has so far said almost nothing about what happened. ZDNet

A reminder about the risks of free services, in this case VPNs. A data breach revealed that a number of services had been recording information despite promises that they didn't log any details of their users. vpnMentor

A strong password for your WiFi network is a good thing. Tapping it into a phone is a pain. TNW has details of how to turn the password into a QR code. Safely!

Apple was the only corporate giant to foresee the COVID-19 pandemic risk and insure itself effectively against it. "COVID-19 wasn't a black swan; any infectious disease expert could have told you a pandemic was inevitable." Forrester

The perils of internet-connected devices have been amply demonstrated by Samsung, whose older Blu-ray/DVD players suddenly stopped working. Samsung has told their owners that the only solution is to return them for repair. The Register offers an insight into how Samsung's logging policy caused the issue.

More than half of humanity now uses social media; that's 3.96 billion people. And the number of people actively using Facebook every month stands at 2.6 billion. Datareportal

Updates

Outlook: Email client is crashing and deleting emails for some Microsoft 365 users. There's no fix yet, other than rolling back to an earlier version.

SharePoint: Reminder to ensure last week's update is applied. Details of how to exploit a critical vulnerability have been released.

Adobe: Emergency updates released for Bridge, Photoshop, Prelude and Reader Mobile.

PDF: Check your PDF viewer is up to date because fixes have been rolled out for 15 of the biggest desktop applications. Researchers found they were vulnerable to an attack that could modify the content of digitally-signed documents.

Citrix: Security updates address a vulnerability in the Workspace app for Windows. A remote attacker could exploit this vulnerability to take control of an affected system if Windows Server Message Block (SMB) is enabled.

Asus: Multiple vulnerabilities in RT-AC1900P router. Updates to address the issues are available.

G Suite: 11 new security features, including more control over who can join meetings, and enhanced protection against phishing in Chat.

F5: Thousands of BIG-IP devices remain vulnerable two weeks after the fix for a critical vulnerability was issued (and despite multiple official warnings about the risk).

Thunderbird: Minor update for latest version (78). Care is advised with this update because of incompatibilities with earlier versions.
