FFT news digest September 18 2020

The abject state of security

It's hardly news that cyber attacks have escalated since the onset of the COVID-19 pandemic, but the details of what's been happening are unsettling. Statistics gathered by ZDNet indicate the scale of the problem. Among the findings: the number of unsecured remote desktop machines rose by more than 40% compared to pre-pandemic levels; email scams related to COVID-19 increased by 667% in March compared to February; users are highly likely to be fooled by pandemic-related phishing lures; and 90% of newly created coronavirus-related domains are scams. Basic security measures are key, particularly making sure people are aware of what's going on. Given the extent of the threat, it's particularly important to consider how remote workers are accessing business data. A report from Trend Micro sets out the challenge, in particular the use of unmanaged personal devices.

Threats

Sophisticated: There's been a sharp rise in manual cyber attacks, with more such incidents reported in the first six months of 2020 than in the whole of 2019. "Hands-on" campaigns are particularly hard to spot because they can resemble normal activity. CrowdStrike (R)

QR codes: Those square 'barcodes' are increasingly common, and there are growing concerns that criminals will exploit them. A new survey shows most of us wouldn't be able to spot a malicious example. We suggest protecting yourself with a secure scanner, such as the (free) ones from Sophos.

Impersonation: UK financial institutions say they've recorded around 15,000 incidents in which scammers demand payment by pretending to be from banks, police and government agencies. £58 million has been stolen as a result. UK Finance

Phish aware: You can't help but admire their chutzpah. A new campaign is once again exploiting a reminder from a well-known security company to complete cybersecurity awareness training. KnowBe4

Magento: A surge in online retailers being hacked with Magecart credit card skimmers is being blamed on unsupported versions of Adobe Magento. Sansec

Email: Errors with outbound email are a common cause of data breaches, but a new report illustrates how common. 93% of IT leaders surveyed said they experienced a breach in the past year due to such mistakes. Egress (R)

Naked

A huge database compiled by a Chinese company provides insights into the vast amounts of personal data available to anyone who wants to put the information together. An academic at Fulbright University in Vietnam says he was given details of the "Overseas Key Information Database" (OKIDB), which contains details about 2.4 million influential people and institutions. Chris Balding says the database "compiles information on everyone from key public individuals to low level individuals in an institution to better monitor and understand how to exert influence when needed". The information appears to be drawn from resources such as Factiva, Lexis-Nexis and LinkedIn. As we explain in our training courses, an extraordinary amount of information about us is readily available. The Chinese database provides an insight into how it can be aggregated and exploited.

Nation state. Private gain.

If you have the skills to be a nation-state hacker, then you might as well use them for personal gain as well as geopolitical advantage. That appears to be what has been going on in cases involving Chinese and Iranian nationals, according to the US Justice Department. The five Chinese citizens allegedly attacked more than 100 organisations in the US and abroad, including NGOs, human rights organisations, video game companies and social media platforms. As well as stealing information, they're also accused of ransomware and cryptojacking attacks. The two Iranians are alleged to have stolen hundreds of terabytes of data from victims, including information about national security, foreign policy, intelligence, nuclear information, and the aerospace sector. The Justice Department said they also ran operations for their private enrichment.

Old phone numbers

Most of us try to keep our mobile phone numbers, but some are recycled and, if they are, they can be a serious security risk. This is an issue that has been known about for at least 20 years, but nothing substantive has been done to address it. SC Magazine has the story of someone trying to set up an Airbnb account with a new number. After completing the registration process, the new user was sent a verification code which he entered, whereupon he was promptly presented with someone else's account (complete with valid credit card details). It's an issue that is particularly relevant to messenger services like WhatsApp. The obvious lesson is to delete or change phone numbers for any account that uses them before you give up the number.

The world as seen by Facebook

Facebook has a vision, and it involves wearing glasses that superimpose a digital information layer on the real world. In Facebook-speak: "we are building Augmented Reality (AR) glasses that will enhance your surroundings with a 3D layer of useful, meaningful and contextually-relevant information". Project Aria is purely for research at the moment, i.e. you can't buy the glasses. Initially, there will be 100 pairs which will be worn by Facebook employees who will boldly go into the streets of San Francisco, wearing "distinctive clothing" and a lanyard with a badge "directing anyone who is interested to a website with more information". Given Facebook's lack of popularity in the Bay Area, this could be an interesting experience for the 100 brave souls involved.

In brief

92% of the top 100 UK charities are failing to comply fully with EU data protection regulations, according to a digital privacy campaign group. In many cases, opt-out forms didn't change anything and there was no opportunity for users to give or refuse consent to be tracked. ProPrivacy

Google has banned stalkerware apps that are used to track the movements of the device on which they're installed and spy on what the user is doing. That's good. Less good is that the ban exempts apps if they say they're designed to track children. Google

Another warning to academic institutions that they're being actively targeted by attackers, as several universities have already discovered. They're urged to ensure systems are kept up-to-date, multi-factor authentication is used, and staff and students are educated about the threats. NCSC

Apple has updated its AppleCare+ policies to cover two incidents of accidental damage every 12 months, instead of two incidents every 24 months. The new policy covers iPhones, iPads, displays, Macs and Apple Watches. MacRumors

A Spanish family has had an unwelcome introduction to the perils of different date formats after being mistakenly accused of uploading child sex abuse material to Facebook. The issue arose because investigators identified an IP address, but misunderstood the date the family had used it because it was in US format. El Pais

US Customs officials excitedly announced the seizure of $400,000 worth of fake Apple AirPods. The only problem: they turned out to be a shipment of genuine OnePlus Buds (as the packaging clearly stated). Rather than admitting the error, US Customs is insisting the seized goods infringe Apple's patents. Wired

Singapore has provided another glimpse of how life might look in the future. It's offering to pay users who buy an Apple Watch and install a health tracking app on it. LumiHealth will deliver “weekly activity goals, wellness challenges and nudges that cover nutrition, sleep, mental wellbeing, and more, tailored to your health goals and Apple Watch activity.” The Register

Updates

Apple: iOS 14 has been released amid a chorus of complaints from developers that they weren't given enough time to test it. We always advise waiting before installing a major new iOS version - and that's particularly true in this case - but it's also important to be aware that the new release does address important security vulnerabilities. A further update is highly likely in the near future because the latest version is supposed to allow users to change the default web browser and email client, but after a reboot they default back to Safari and Mail. There are also updates for Safari, Xcode and watchOS.

Windows: Two mandatory Windows 10 updates will force the installation of Microsoft's Edge browser. Microsoft says the browser now forms an integral part of the operating system (although you can remove it manually if you really want to).

Google: Improved protections against malicious software for users enrolled in the Advanced Protection Program.

Firefox: Mozilla has shut down its Firefox Send service, which provided a simple way to share files safely. The reason: scumbags had abused it to launch a range of attacks.

Netlogon: Last month, Microsoft issued an update for the Netlogon protocol, which is a key element in authenticating users. This month, US officials warned administrators to make sure the update had been applied because a way to exploit the flaw is publicly available.

Adobe: Update for Media Encoder 14.4 which is designed to address security flaws "that could lead to information disclosure in the context of the current user."

NitroPDF: The latest version addresses a series of security issues discovered by Cisco Talos.

Drupal: Updates for several vulnerabilities, one rated 'critical'.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217