FFT news digest December 4 2020

Banijay bitten

Last week, we warned about the ransomware pandemic plaguing organisations around the world. This week brings news of an incident at one of the world's largest producers of TV content. Banijay said the incident affected its Endemol Shine operation, which it bought in July for $2.2 billion. The attack was claimed by the DoppelPaymer gang which published stolen documents (to add insult to injury, these included several about data protection compliance). Banijay told Le Parisien that the attackers only had access to the old IT systems of Endemol Shine rather than to Banijay's own network. The incident once again highlights the critical importance of performing due diligence on the systems and processes of acquired organisations. Ransomware is so commonplace that it's a matter of when, not if, an attack will happen. If processes and backups are not in place - and fully tested - the result will be disastrous, as Manchester United, among others, is demonstrating. In Man Utd's case, hackers are reported to be demanding millions of pounds in return for not publishing confidential information.

Threats

Brexit: As if businesses don't have enough to cope with as 2020 drags to a close, Barclays is warning about a likely flood of Brexit-related scams. It says it's already seen a 20% increase in cyber fraud during the last five months, with small businesses disproportionately affected. Barclays

COVID-19: Depressing but not surprising. Sophisticated phishing attacks are targeting the COVID-19 vaccine supply chain. The research by IBM doesn't identify the attackers but says their approach bears all the hallmarks of a nation state.

Advice: The UK's National Cyber Security Centre has a new campaign aimed at helping shoppers stay safe over the festive period. The advice is basic and, while it's better than doing nothing, we don't agree with some of it. In particular, it suggests reusing some passwords is OK. It's true some accounts are more important than others, but we believe it's far better to use a password manager and unique credentials for every account. Cyber Aware

PayPal: A new scam hijacks the checkout process on compromised online stores by injecting fake - but convincing - PayPal elements into them. It's sophisticated and very persuasive. The FBI has advice on staying safe. Affable Kraut via Bleeping Computer

HMRC: Nasty campaign uses lure of a tax refund to try to persuade targets to hand over personal information. Emma Mitchell

Quickbooks: Fake invoice appears to originate from “quickbooks[@]notification.intuit.com” (though the real sender's domain is “airtelbroadband.in”). Clicking on “Review and Pay” leads to a form designed to steal the user's Quickbooks credentials. Abnormal Security

Auto-forward: Criminals are using auto-forward rules to steal information from target accounts. They set up the rules on web clients which frequently fail to sync with the desktop version and therefore help to conceal what they're up to. ZDNet

Deliveries: Unsurprisingly, there was a huge rise in the number of fake delivery notifications in November. By 'huge', we mean they more than quadrupled. DHL is the most impersonated brand, according to Check Point.

Docs: A cyber-espionage campaign is using a previously undocumented form of malicious software to attack the foreign ministry of an EU country. The tools take advantage of reused passwords and are designed to steal information by uploading it to Dropbox. ESET

iPhone hack

'Extraordinary', 'breathtaking', 'a nightmare'; just some of the terms used to describe a security flaw which could be used to remotely hijack an iPhone without the user doing anything. The vulnerability was uncovered by Google researcher, Ian Beer, who reported it to Apple more than a year ago. It was fixed a couple of months later. Beer has spent the past six months in lockdown writing an in-depth account of the problem he found in the Apple Wireless Direct Link protocol (which powers AirDrop among other features). As he demonstrates, not only could he take over a phone and steal content from it, but the issue could spread from a compromised iPhone to any other iPhones within WiFi range. For users, it's a reminder that it's essential to keep devices up-to-date. For Apple, it's a wake-up call that it simply has to do better. As Beer wrote, "the quality of the AWDL code was at times fairly poor and seemingly untested".

Remote working

Two in every five remote workers in the UK are vulnerable to cyber attacks due to a lack of education and poor security habits, according to a study from Fasthosts. Among other findings: 54% of remote workers don't use a VPN and a quarter let people in their household see confidential data and documents. Worryingly, given the attacks on COVID-19 vaccine manufacturers and distributors, when it comes to letting others use their work devices, employees in the science and pharmaceutical industry are the worst offenders. (And worst for letting people see confidential documents are law enforcement and security workers.) Every week brings more evidence of the concerted attacks targeting remote workers. One company is urging IT leaders to discuss remote working with employees "as part of a grand bargain" to help the entire organisation.

Circles

Among the courses we do are sessions for journalists being deployed to hostile environments. A key element of them is the insecurity of cellular networks - and new research underlines just how unsafe they are. Citizen Lab sets out evidence suggesting governments around the world bought technology to intercept communications and track phones beyond their borders. The research says the tool is the work of a company called Circles, which is connected to the NSO Group (makers of Pegasus spyware). Circles' tool exploits well-known weaknesses in the protocol used by legacy cellular networks to route calls and messages. These issues have been known about for decades and, as we say on our courses, it's crazy that nothing has been done to fix them. That, of course, is exactly how governments like it.

Workplace surveillance

It didn't take Microsoft long to figure out that its Productivity Score tool was not a great look - even if it wasn't intended to be a "full-fledged workplace surveillance tool," as some critics claimed. Following a torrent of criticism, Microsoft said Productivity Score would no longer produce data about individuals and instead would summarise information for the entire organisation. "We've heard the feedback," a 'Corporate Vice President' wrote. Our view is that this sort of surveillance will become commonplace in the not so distant future, particularly if the move to remote working becomes permanent. Don't believe us? Have a look at Crossover's 'WorkSmart Productivity Tool': "This unique and innovative tool works by logging the hours you work...it will use keyboard activity, application usage, screenshots, and webcam photos to generate a timecard every 10 minutes".

In brief

Data protection: French retail giant, Carrefour, faces a €3.05 million fine for multiple violations of the GDPR, including keeping records too long and failing to provide accurate, simple information about data protection. The French regulator's announcement is a good checklist for what not to do. CNIL

Data Protection 2: The Spanish regulator was also active, with a tangled tale of Instagram, WhatsApp, Tinder...and stolen photos. Someone copied the photos from Instagram and Facebook and used them to create a profile on Tinder. The result: a €1,200 fine. AEPD

Exposed: Another week, another example of stunning incompetence; this time from a US company paid to manage electronic health and patient records. The problem: it stored the records online, in plain text, without a password. TechCrunch

Apple fine: If you've had cause to test Apple's claims that iPhones are 'water-resistant', you'll know this is a feature with room for improvement. Now, the Italian competition authority says it intends to fine Apple €10 million for "misleading" and "aggressive" commercial practices related to its claims. Reuters

BEC: Business Email Compromise cost organisations $26 billion between 2016 and 2019. The BBC explains how it works, and interviews one Nigerian scammer who talks about his business...and his victims. "I wanted to be like Mark Zuckerberg," he says. BBC

Telepathic: The US army is spending $6.25 million on research into whether brain signals could be analysed and decoded to create a silent way for military personnel to communicate. Really! C4ISRnet

Facial recognition: The limitations of facial recognition are well documented and now the file has grown a bit bigger. Emails show that a solution used by a New York school frequently misidentifies Black people, and identifies broom handles as guns. Motherboard

Updates

Oracle: The critical vulnerability in WebLogic that was patched in October is being actively exploited. Update now!

iCloud for Windows: Updates to address vulnerabilities that could allow an attacker to take control of an affected system.

DocuShare: Security updates for DocuShare 6.6.1, 7.0, and 7.5 to address a vulnerability that could allow an unauthenticated attacker to obtain sensitive information.

iPhones: Good news and bad news for iPhone owners. Among the features in iOS 14.2 is support for HD (1080p) FaceTime calls on iPhone 8 and later devices. Less welcome are persistent reports from iPhone 12 owners of poor battery performance and dropped cellular connections.

Windows 10: New cumulative update for Windows 10 20H2 fixes an issue that created problems with some types of upgrades. Bleeping Computer

Thunderbird: Version 78.5.1 is a bug fix and security release which addresses serious vulnerabilities.

Google Authenticator: There are plenty of apps that generate the codes used for two-factor authentication and Google's is the elder statesman of the group. It's fallen out of favour in recent years, not least because of a painful process when changing phones. An update fixes that for iOS users, and adds support for Dark Mode.
