FFT news digest October 16 2020

BA data breach fine

The UK data protection regulator has fined British Airways £20 million for a series of security failures that led to the theft of more than 400,000 customers' personal details. The Information Commissioner's penalty notice provides a case study in how to ensure the success of a cyber attack, and also in outlandish excuses, such as the claim that payment card breaches are "entirely commonplace" and an "unavoidable fact of life." Much (possibly too much) of the ICO's notice is redacted, but what remains makes it clear that BA broke basic information security rules, including storing the login credentials for a domain administrator account in plaintext and failing to review software code effectively. The ICO lists a number of basic measures that would have prevented the attack, including limiting access to applications, rigorous cybersecurity testing, and protecting accounts with multi-factor authentication. This is the second and by far the biggest fine levied by the ICO under the GDPR, but it's far lower than the £183.39 million originally proposed. The ICO ascribes the reduction to BA's "representations" and "the economic impact of COVID-19". The notice runs to 114 pages and it's well worth a detailed read.

Threats

Apple paid a group of researchers more than $288,500 for identifying no fewer than 55 vulnerabilities across its systems and products. One of the researchers said the issues found during the three-month project included "a variety of vulnerabilities in core portions of their infrastructure that would've allowed an attacker to fully compromise both customer and employee applications, launch a worm capable of automatically taking over a victim's iCloud account, retrieve source code for internal Apple projects, fully compromise an industrial control warehouse software used by Apple, and take over the sessions of Apple employees with the capability of accessing management tools and sensitive resources." To give Apple its due, it appears to have been highly responsive to the five researchers' findings, with some issues being fixed within hours. But others are still being worked on, and this week another worrying vulnerability was disclosed in Apple's T2 security chip.

Threat roundup

Microsoft 365: Earlier this year, Microsoft rebranded some of its Office 365 subscription plans in a move designed to make everything simpler - but which managed to achieve precisely the opposite. Whatever it's called, Microsoft's suite of products is the number one target for attackers. A new report examines how legitimate Office 365 services are used to bypass security and launch attacks. Vectra (R)

Email attachments: Bleeping Computer has a good roundup of the most common malicious email attachments that Windows users should be aware of. And a reminder not to 'Enable Editing' or 'Enable Content' unless you'd like to experience the delights of malicious software.
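The 'Enable Content' bar appears because the document carries a macro part that Office will not run until the user clicks. As an added example (not code from the digest or from Bleeping Computer), the triage routine below flags the attachment types that roundup warns about: OOXML files that contain a VBA project or Excel 4.0 macro sheets, legacy OLE2 documents that may embed VBA, macro parts hiding inside a supposedly macro-free extension such as .docx, and executables disguised with a double extension. Every sample file is constructed in memory; none is real malware.

```python
import io
import zipfile

# Added example: attachment triage logic, not code from the digest or from
# Bleeping Computer. Samples below are constructed in memory.

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.xlsm/...) is a zip
MACRO_PARTS = ("vbaproject.bin", "xl/macrosheets/")  # VBA project / Excel 4.0 macro sheets
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".hta",
                   ".lnk", ".iso", ".img", ".bat", ".cmd", ".ps1"}
MACRO_FREE_EXTS = {".docx", ".xlsx", ".pptx"}    # Office refuses macros in these
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg"}  # common decoy in name.pdf.exe


def ooxml_macro_parts(data: bytes) -> list:
    """Return the zip entries inside an OOXML document that carry macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return []
    return [n for n in names if any(p in n.lower() for p in MACRO_PARTS)]


def classify_attachment(name: str, data: bytes) -> dict:
    """Flag attachments that would need 'Enable Content' or run code directly."""
    reasons = []
    parts = name.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable or script type {ext}")
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
        reasons.append("double extension disguises the real type")
    if data.startswith(OLE_MAGIC):
        # Legacy .doc/.xls can embed VBA; parsing the OLE streams is out of
        # scope here, so treat the container itself as needing detonation.
        reasons.append("legacy OLE2 container (may embed VBA macros)")
    elif data.startswith(ZIP_MAGIC):
        macros = ooxml_macro_parts(data)
        if macros:
            reasons.append("OOXML macro parts: " + ", ".join(macros))
            if ext in MACRO_FREE_EXTS:
                reasons.append("macro parts inside a macro-free extension (renamed file)")
    return {"name": name, "suspicious": bool(reasons), "reasons": reasons}


def build_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal Word OOXML zip in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # This part is what makes Word show the 'Enable Content' bar.
            z.writestr("word/vbaProject.bin", b"\x00" * 32)
    return buf.getvalue()


# Constructed samples: names and contents are invented for the demonstration.
SAMPLES = {
    "policy_update.docm": build_ooxml(True),
    "minutes.docx": build_ooxml(False),
    "renamed.docx": build_ooxml(True),          # .docm renamed to .docx
    "invoice.doc": OLE_MAGIC + b"\x00" * 24,
    "invoice.pdf.exe": b"MZ" + b"\x00" * 30,
}


def triage_all(samples=SAMPLES) -> dict:
    """Classify every sample and return the verdicts keyed by file name."""
    return {n: classify_attachment(n, d) for n, d in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {name}: {'; '.join(verdict['reasons']) or 'no indicators'}")
```

The check keys on structure (magic bytes and zip entries) rather than on the file name alone, because the name is the one thing an attacker controls completely. A file that a mail gateway sees as renamed.docx but which contains word/vbaProject.bin is a stronger signal than any extension list.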

COVID-19: 50% of phishing emails have pandemic-related subject lines, e.g. 'HR: Pandemic Policy Update' and 'COVID-19 Remote Work Policy Update'. KnowBe4's analysis also says LinkedIn accounts for almost half of all social media lures.

Vaccine tracker: In another pandemic scam, attackers impersonate the US Department of Health and Human Services to try to install malware on employees' devices. Abnormal Security

FIN11: A criminal gang is using malicious emails with lures such as remittance documents and invoice information as part of a widespread ransomware campaign. Mandiant

Deadly: The US has revealed the seven vulnerabilities most often being used in attempts to break into government systems. The affected products are: Citrix NetScaler, MobileIron, Pulse Secure, Palo Alto Networks, F5 BIG-IP, Fortinet FortiOS SSL VPN and Windows Netlogon. CISA

Phishing kits

You might have thought that phishing kits would be hard to come by and would require poking around in shady corners of the Dark Web. Not a bit of it. As a researcher at the SANS Internet Storm Center explains, all you have to do is head over to Google and search for "scam page" along with the name of the site you want to spoof. By doing this, he found 104 kits, each presented with a YouTube video explaining its capabilities. Some offered "email templates, access to complex phishing platforms" and tutorials. 18 of the 104 kits were offered free of charge (though using one would be asking for trouble). The research says there appears to have been a significant rise in the number of phishing kits being published on the normal web, in what looks like another side-effect of the coronavirus pandemic. It's too easy for people to set themselves up as cyber criminals - and nothing seems likely to change that.

The multi-billion dollar scam

One of the most lucrative forms of cybercrime is Business Email Compromise which the FBI says earned criminals more than $26 billion between 2016 and 2019. A report from Agari demonstrates the global reach of BEC attacks, with the average loss rising from $54,000 to $80,183 in the second quarter of this year. The scams involve impersonating a company executive or employee and persuading someone to transfer money to a bogus account. The fraud's historical roots are in Nigeria, but more aggressive law enforcement there has led to a rapid spread to 50 countries around the world. The report also examines the importance of "money mules" in BEC fraud. Agari details how unwitting victims are recruited through romance and work-from-home scams (which have become even more popular during the pandemic) and are used to launder the proceeds of the frauds. 

Singapore cameras

In yet another warning of the risks of internet-connected devices, videos stolen from more than 50,000 home security cameras in Singapore have been uploaded to pornographic websites. Local news reports say the clips, lasting from less than a minute to more than 20 minutes, feature couples, breastfeeding mothers, and teenagers and children – with many captured in “various states of undress or compromising positions.” A Discord group with almost 1,000 members claims to have shared over 3TB of clips, with more than 70 people prepared to pay for unrestricted access. Using Shodan, it is childishly simple to find cameras that haven't been secured effectively, by using a weak or duplicate password (or not changing the device's default one), or by failing to apply firmware updates (when/if they're available). 

In brief

Biometric authentication is great...until your details are stolen. The South China Morning Post reports that's exactly what's happening in China, where facial recognition is commonplace and database security isn't.

It frequently feels as if Facebook is listening to our conversations, and this is a question that comes up in most of our training courses. We're confident the social media giant isn't eavesdropping, but only because it has access to so much information it doesn't need to. A Twitter thread explores the issues in detail.

On a similar subject, a new tool predicts your personality by analysing your Reddit history. It's designed to produce a Myers Briggs personality type. The Next Web

Microsoft has been forcibly installing Office web apps in Windows 10 without asking the user's permission. It appears to be part of a test, though Microsoft has yet to provide an explanation. Windows Latest

A Crown Prosecution Service lawyer is accused of abusing his access to computer systems in order to stalk his wife's lover (who is a judge). A good reminder never to underestimate people's readiness to abuse their position when sufficiently motivated. The Register

Recorded Future has released a free browser extension designed to overlay security intelligence on any webpage. It's designed to allow users to "identify, prioritize, and action threats" in real time. Recorded Future

Limited tests show that a new algorithm from Microsoft is more accurate than humans at captioning images. Designed to support the visually impaired, it will initially create the alternative description for images. Microsoft

So, farewell Yahoo Groups. Verizon says it will close on December 15, almost 20 years after the site launched.

And finally, an overzealous profanity filter prevented delegates to an online conference from using the word 'bone'. Unfortunate, as the subject of the conference was paleontology. Motherboard

Updates

Microsoft: The monthly set of updates addresses 88 vulnerabilities, including 11 rated critical, and one given a severity score of 9.8 out of 10. That one affects Windows Server and Windows 10, can be exploited remotely and is relatively simple to exploit. Also worth noting, Office 2010 and Office 2016 for Mac have been officially discontinued and won't receive further updates.

Adobe: Flash is on its last legs but, before it shuffles off, Adobe has released a fix for an issue which, if exploited, "could lead to an exploitable crash, potentially resulting in arbitrary code execution in the context of the current user.”

Magento: Emergency updates for Magento Commerce and Magento Open Source, versions 2.3.5-p1, 2.4.0, and earlier.

Firefox: Version 81.0.2 fixes an issue that stops Twitter's website from loading.

Acronis: Fixes for True Image, Cyber Backup, and Cyber Protect products to address vulnerabilities that could lead to elevation of privileges.

Foxit: Updates for Windows and Mac versions of PhantomPDF reader which are affected by several high-severity vulnerabilities.

Cisco: Updates to address three high-severity flaws and eleven medium-severity vulnerabilities in Webex video conferencing system, Video Surveillance 8000 Series IP Cameras and Identity Services Engine.

Signal: Big changes to enhance the privacy-focussed platform's group messaging capabilities.

SonicWall: Critical security issue in SonicWall VPN portal could be used to crash the device and allow code to be executed remotely.


Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217