FFT news digest September 11 2020

Transatlantic data woes

The impact of a decision by Europe's top court continues to reverberate, with Ireland's data protection commissioner issuing a preliminary order forbidding Facebook from transferring data about EU users to the US. The order focuses attention on the validity of 'standard contractual clauses' which thousands of European organisations use to underpin transatlantic data transfers. The ruling by the European Court of Justice had already invalidated the 'Privacy Shield' mechanism for transfers on the basis that European standards of privacy could not be guaranteed in the US. European regulators have now created a task force to deal with the fallout from the court's decision -- and a flood of complaints about European companies' use of Facebook's and Google's analytics tools. As our data protection partner, DPN, explains, this is a messy business with no simple solution.

Threats

Track and Trace: "Hi there. I'm calling from NHS Track and Trace. You've been in contact with someone who tested positive for COVID-19. I just need details of a payment card to cover the cost of sending you a test kit." If you haven't had a call like that, you probably will. Most people will ignore such scams, but some, especially the elderly, may be taken in. The tell is the request for payment: the genuine service is free and never asks for card or bank details. Daily Record

Fake alerts: Mobile devices are being targeted with fake alerts that promote fraudulent VPN apps and a variety of other scams. Sophos has a great guide to a growing problem.

Clever: A phishing campaign uses an organisation's own home page to trick employees into handing over their login credentials. It's particularly sneaky because it loads the genuine page and layers a fake login box on top of it, so the background looks exactly as staff expect it to. Bleeping Computer
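If a kit like this embeds the real home page in an iframe (the article says only that the page is "loaded", so the framing is an assumption), the defence is on the organisation's side: anti-framing response headers stop a third-party origin from displaying the page at all. The check below is an added example written for this digest, not code from the Bleeping Computer article or from the phishing kit; the hostnames and headers are constructed.

```python
"""Audit response headers for whether an arbitrary third-party origin can frame a page.

Added example for the overlay phishing item above; it is not code from the
Bleeping Computer article or from the phishing kit it describes. It assumes the
kit embeds the genuine home page in an <iframe>; if the kit uses a screenshot
instead, no header helps and user awareness is the only defence.
"""

# Constructed sample responses (hostname -> headers), not captured from real sites.
SAMPLE_RESPONSES = {
    "www.example.com": {},  # no anti-framing headers at all
    "intranet.example.com": {"X-Frame-Options": "DENY"},
    "portal.example.com": {"x-frame-options": "sameorigin"},
    "legacy.example.com": {"X-Frame-Options": "ALLOW-FROM https://partner.example.net"},
    "shop.example.com": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "widgets.example.com": {"Content-Security-Policy": "frame-ancestors *"},
    "api.example.com": {"Content-Security-Policy": "frame-ancestors https:"},
    "mixed.example.com": {
        # frame-ancestors is present, so browsers ignore X-Frame-Options here.
        "Content-Security-Policy": "frame-ancestors 'self' https://intranet.example.com",
        "X-Frame-Options": "ALLOW-FROM https://anyone.example.org",
    },
}


def _frame_ancestors(csp: str):
    """Return the source list of a frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def frameable_by_attacker(headers: dict) -> bool:
    """True if a page with these headers can be framed from an attacker-chosen origin.

    Rules applied:
    - CSP frame-ancestors, when present, overrides X-Frame-Options (CSP3).
      Only a wildcard or a bare scheme source such as "https:" lets an
      arbitrary origin frame the page; 'none', 'self' or a fixed origin list
      does not.
    - X-Frame-Options DENY or SAMEORIGIN blocks framing; ALLOW-FROM is
      ignored by current browsers, so it is treated as no protection.
    - No header at all means anyone can frame the page.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    sources = _frame_ancestors(lower.get("content-security-policy", ""))
    if sources is not None:
        return any(s == "*" or (s.endswith(":") and "/" not in s) for s in sources)

    xfo = lower.get("x-frame-options", "").strip().upper()
    return xfo not in ("DENY", "SAMEORIGIN")


def exposed_hosts(responses: dict) -> list:
    """Return the sorted hostnames whose pages a phishing kit could embed."""
    return sorted(host for host, hdrs in responses.items() if frameable_by_attacker(hdrs))


if __name__ == "__main__":
    for host in exposed_hosts(SAMPLE_RESPONSES):
        print(f"{host}: can be framed from any origin")
```

Run it against the headers of your own public pages (the point is the headers, not the HTML). Note what the header does not do: the fake login box itself is served from the phishing domain, so staff still need to check the address bar, and phishing-resistant MFA limits the damage when someone does type a password in.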

Contact forms: Criminals are using contact forms to send malicious emails designed to target customer support staff. The aim is to circumvent email filters. Cisco Talos

Lloyds: Lloyds Bank customers are the target of a sophisticated campaign that uses SMS messages and email to deliver a fake warning that the victim's account has been compromised. Griffin Law

Games: Hackers are breaking into accounts for Call of Duty: Warzone, and demanding a ransom to release them. Victims say the game's publisher is slow or unresponsive to requests for help. Motherboard

Remote fail

You're probably bored witless by constant warnings about the risks of remote working, but the experience of a US charity shows that the threat is very real. The Jewish Federation of Greater Washington lost $7.5 million after an attacker compromised the personal computer of an employee who was working remotely. The intrusion was only discovered when a security contractor noticed unusual activity in an employee's email account. As is often the case, the attacker appeared to have had access to the charity's systems for several months. The charity has now banned the use of personal computers for work, but the practice remains widespread. Attacks can't be eliminated, but user education is an essential way to reduce the risk, and so is keeping work on managed devices that the organisation can patch and monitor.

Breach response

Sooner or later every organisation will face a data breach of some sort, but it's the response that determines how severe the impact is. There's a rich selection of examples demonstrating what not to do, ranging from threats of legal action to obfuscation and outright lies. TechCrunch has a useful account ($) of how a small US cellular network reacted to a security failure that exposed personal information including driving licences, passports and social security numbers. (The data was exposed because of a misconfigured plugin and was found with a Google search). Assist Wireless's response was quick and transparent, the issue was fixed, there was a specific point of contact for security issues, and it had a vulnerability disclosure policy in place. As TechCrunch says, plenty of companies say they take security seriously. Assist Wireless demonstrated that it does.

And incident response

Cybersecurity agencies in the US, the UK, Australia, Canada and New Zealand have published a joint advisory on detecting malicious activity and incident response. The 'Five Eyes' best-practice approach starts with collecting artefacts, logs and data and preserving them away from the affected systems for analysis. Mitigation should then follow without tipping off the attackers that they have been detected, since a premature response can prompt them to change tactics or destroy evidence. The agencies advise organisations to work with external security providers for technical support and to make sure the attacker has actually been removed from the network. The advisory also offers recommendations on preventing attacks and stresses the importance of multi-layered defences, while emphasising that no single technique, product or set of defensive measures can prevent every intrusion.

Physician heal yourself

Embarrassing but true: 97% of the leading cybersecurity companies have had data exposed on the dark web this year, according to research from Immuniweb. Its report found that 29% of the stolen passwords were weak, and that employees from 161 of 398 companies had reused passwords. In many cases the weak passwords included 'password' and '123456'. Even worse, despite the magisterial warnings from cybersecurity people (like us), 5,121 of the stolen records, all tied to work email addresses, came from pornography or adult dating websites. We shouldn't be surprised at the enduring ability of people to shoot themselves in the foot, but it's pretty extraordinary that people whose businesses depend on security should be quite so cavalier. And it's probably a good indication of what's going on in every organisation.

In brief

The Daily Mail asked a security company to try to hack three of its journalists; it went surprisingly badly from the hackers' perspective. Thanks to a combination of bad luck and journalistic smarts, the attackers didn't get very far. Their account of how they were serially stymied includes good insights into the tactics hackers use, and what you can do to defeat them. CyberNews

It's worth paying attention to the warnings issued by security folk. There has been no shortage of alerts that universities are under attack, following a ransomware attack on a widely-used software supplier. Clearly, Newcastle University didn't get the memo: its systems were hit by an attack that is expected to take weeks to recover from. Newcastle University

If you set up a Twitter account using an email address from a domain that has since expired, the account is simple to take over: register the domain, set up a mailbox at the old address and request a password reset. A researcher has details on how to find vulnerable accounts, so it's worth checking what email address you used... Zain Amro

As in many other countries, when mass protests took place in Belarus the authorities promptly shut off the internet. Disappointingly for dictators everywhere, the evidence suggests that such shutdowns are largely ineffective at closing down protests. Ranking Digital Rights

While England is still trialling its app, Scotland has released a COVID-19 track and trace app based on the exposure notification framework developed jointly by Apple and Google. Within hours it had been downloaded over 250,000 times. Protect Scotland

Updates

Microsoft: This month's security updates include a fix for a serious vulnerability in Exchange Server. By serious, we mean an attacker could take over the server by sending a specially crafted email, so patch it promptly.

Zoom: Has launched two-factor authentication (2FA) for all accounts. It uses the time-based one-time password (TOTP) standard, so it works with any authenticator app, such as Google Authenticator or Authy. Codes by text message or phone call are also supported, but they are the weaker option: an attacker who takes over your phone number can receive them, so use an app where you can.
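The reason any authenticator app works with any TOTP service is that both sides run the same small calculation over a shared secret and the current 30-second time step. The code below is an added example written for this digest, not Zoom's implementation; the shared secret is the RFC 6238 test secret, and the acceptance window of one step either side is an assumption made to tolerate a little clock skew.

```python
"""RFC 6238 TOTP generation and verification.

Added example for the Zoom 2FA item above; it is not Zoom's implementation.
It shows why any authenticator app works with any TOTP-capable service: both
sides derive the code from the same shared secret and the current 30-second
time step. The shared secret below is the RFC 6238 test secret
("12345678901234567890") and the +/-1 step acceptance window is an assumption,
chosen to tolerate a little clock skew.
"""
import base64
import hmac
import struct
import time
from hashlib import sha1

# RFC 6238 test secret, as the raw bytes and as the base32 string an otpauth:// URI
# would carry to the authenticator app (constructed from the RFC, not from Zoom).
SECRET = b"12345678901234567890"
SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(text: str) -> bytes:
    """Decode the base32 secret shown in a QR code; apps accept it unpadded and spaced."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or any step within +/-window.

    The window absorbs clock skew between phone and server; widening it keeps
    codes valid for longer, so keep it small. Comparison is constant-time.
    """
    current = at // step
    return any(
        hmac.compare_digest(hotp(secret, current + delta, digits), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print("code:", code, "verifies:", verify_totp(SECRET, code, now))
```

The practical consequence: the secret is the whole factor. Anyone who gets the QR code or the base32 string can mint valid codes forever, so treat enrolment screenshots like passwords, and remember that a text-message fallback bypasses all of this for an attacker who controls the phone number.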

macOS: Supplemental update for macOS 10.15.6 which aims to fix WiFi and iCloud issues.

Adobe: Update to address issues in Adobe Experience Manager, Framemaker and InDesign.

Chrome: New feature being rolled out this month will target adverts that use a disproportionate amount of system resources.

SAP: 10 new Security Notes and updates for 6 previous ones. Two new issues are rated 'Hot News' and affect Mobile Channel Servlet and Netweaver. Two updates are also serious; they relate to Solution Manager and Business Client.

WordPress: Attackers are actively exploiting the security issue in the popular File Manager plugin (which we mentioned last week). Keeping plugins and themes updated is one of the biggest challenges with WordPress; last month's 5.5 release added an opt-in auto-update feature for plugins and themes to address the problem, so it's worth switching it on for anything you don't patch by hand.


Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217