FFT news digest December 11 2020

FireEye

Among the unpalatable realities of cybersecurity is the fact that no organisation is safe, as leading industry player, FireEye, has just demonstrated. FireEye says hackers with "world-class capabilities" stole tools developed to test its clients' defences (though it's likely those may not have been the actual or only target). FireEye has now released hundreds of countermeasures designed to protect against its techniques (which it says don't include any previously unseen 'zero-day' exploits). FireEye is a huge business (worth some $3.5 billion) which has investigated major security incidents (e.g. Sony) and whose clients include some of the world's biggest firms. There's widespread speculation that Russia was behind the breach, but details have yet to be confirmed. It's important to emphasise that while this incident may have been sophisticated, many are not. This week, Norway blamed Russia for an attack on its parliament which it said involved trying multiple usernames and passwords until a working combination was found, otherwise known as 'brute force'.

Threats

Twice bitten: As we've mentioned before, cyber criminals are much like any other crook. In particular, if an attack worked once, they're very likely to come back for more. CrowdStrike puts the probability at 68%.

COVID-19: A Russian group has returned with another attack using COVID-19 as phishing lures. They contain decoy Microsoft Office documents with macros as well as executable file attachments. Intezer

Skimmer: You have to admire the ingenuity of cyber criminals. Their latest technique hides a new type of malicious software inside the images used for social media sharing buttons. Unfortunately, there's not much users can do to protect themselves; that's up to the website operator. Sansec

Sex toys: Sales of internet-connected sex toys (aka 'teledildonics') have soared during the pandemic. ESET warns users to be careful because the data they generate is so sensitive; in particular they suggest avoiding real names when registering the devices and their apps.

Partner: A technique favoured by attackers is to compromise someone we trust and use their account to fool us into handing over our credentials. That's the approach used in a campaign that purports to provide a link to an encrypted message. Abnormal Security

Microsoft 365: The popularity of Microsoft's office suite makes it an irresistible target. A targeted campaign is impersonating the official Microsoft.com domain name and urges users to click a link where they can review "quarantined messages". Ironscales

The $1 trillion heist

The breathtaking scale of cybercrime is revealed by a report that says it cost the world economy more than $1 trillion in 2019 - roughly equivalent to 1% of global GDP. McAfee says a shift from targeting individual systems to entire organisations is behind a 50% increase compared to 2018. The real cost of cybercrime can only be an estimate because much is neither reported nor recorded, but McAfee's survey of 1,500 companies does demonstrate the lasting impact of security breaches, which goes far beyond the initial damage to systems. Despite this, most of the organisations in the survey said they had "no plans to reduce the effect of incidents". And even where there were such plans, senior leadership teams usually had no involvement in creating them. As FireEye's experience demonstrates, no organisation is immune from attack. Planning for the worst isn't pessimism, it's reality.

Overwatch

Every week brings new evidence of the scale of surveillance and the availability of tools to support it...and we believe it's essential to keep abreast of what's happening because of the impact on all our lives. This week, there were more details on the use of spyware in Mexico, which has become notorious as an importer of surveillance tools. The Guardian claims officials have colluded with criminal groups to help them obtain sophisticated spyware to hack smartphones. An international reporting initiative quoted a source as saying, "It's a free-for-all. The police who have the technology would just sell it to the cartels." Meanwhile, the Washington Post says the Chinese technology giant, Huawei, has tested facial recognition software designed to alert officials when it identifies members of the oppressed Uighur community. And, closer to home, Norwegian broadcaster, NRK, shows how we are constantly tracked by the apps on our phones.

Quantum keys

Quantum computing is weird - and its eventual effects on society could be even weirder. Last year, Google said it had achieved "quantum supremacy", defined as performing a single calculation that no conventional computer could carry out in a reasonable timeframe. Now, China says it's done the same. In an article in Science, researchers explain how they used particles of light sent through an optical circuit to perform a calculation in 200 seconds. That's compared to the estimated 2.5 billion years required by a 'classical' computer. An explanation of quantum computing is well outside the remit of this newsletter (though Wired has a great explanation), but the implications for medicine, communications and finance are extraordinary. Unfortunately, so is the impact on current encryption mechanisms. These depend on mathematical problems that conventional computers can't solve, but which will present no such difficulties for quantum computers. As the UK National Cyber Security Centre says, "A quantum computer will allow the attacker to read information that has been encrypted in the past, and forge information in the future."

Big tech

One of our predictions for 2020 was a growing focus on holding 'big tech' companies to account for their business practices. In October, the US Justice Department took action against Google, saying it had used its market position to undermine its rivals. Now, Facebook faces lawsuits that theoretically could force it to sell WhatsApp and Instagram. The US Federal Trade Commission, and all but four US states, accused the social media behemoth of using a "buy or bury" strategy to stifle competition. Facebook called the lawsuits "revisionist history", despite previous remarks by its founder, Mark Zuckerberg, that "it is better to buy than compete." Also this week, France's data protection regulator announced fines of €100 million and €35 million against Google and Amazon for tracking users without their consent.

In brief

Smart devices: Researchers estimate that millions of consumer and industrial-grade devices are affected by security flaws. They include pretty much any internet-connected device you can think of. The FBI has issued an advisory with recommended mitigations. Forescout

China apps: The Great Firewall strikes again. This time, Tripadvisor (and 104 other apps) have disappeared from Apple's App Store. China said it was part of a "clean-up" of the internet. CNN

Phishing: A simulation exercise revealed that roughly 70% of public sector workers were prone to entering their passwords after clicking on a malicious email. IT World Canada

Penetration test: 'Pen tests' can be useful, but are frequently poorly specified and mistimed. Security guru, Scott Helme, shares his company's experience - and the results. Invaluable reading if you're considering testing your organisation's cyber defences.

Webex: For all those fed up with endless video calls, Cisco has a solution. It's hardly ground-breaking, but "Quick Sync" meetings will end automatically when they reach their scheduled end. Cisco

Progress: Do you ever feel your computer is just a bit slow? Some depressing research shows you're not wrong. The lag from key press to display has grown progressively longer as devices have evolved. Dan Luu

Copped: A police officer in Guernsey was dismissed after using his position to identify women motorists through their car number plates. A court rejected his explanation that he was looking for models for "fitness cartoon drawings". Guernsey Press

Updates

Microsoft: Monthly set of updates addresses 58 security vulnerabilities, nine rated 'critical'. Those affect Exchange, Sharepoint, Windows 10 and Server 2016. There are also issues affecting Office. And if you use the Edge browser, do make sure it's up to date because there have been several patches issued over the past 2 weeks.

Kerberos: In other Microsoft news, there are security updates to address an issue allowing an attacker to bypass a Kerberos security feature. Multiple Windows Server versions are affected.

Teams: A worrying issue was fixed in October and it underlines the importance of ensuring updates are applied. This one exploited issues in Teams which affected multiple platforms and needed no interaction from the user to work.

VMware: Attackers sponsored by Russia are exploiting a vulnerability in VMware Access and VMware Identity Manager products, according to the FBI. There's a patch, and it's essential that it has been applied.

QNAP: Security updates to address vulnerabilities that could enable attackers to take control of unpatched network attached storage devices.

Adobe: Updates for Prelude, Experience Manager, Lightroom, Acrobat and Reader.

D-Link: Vulnerability in routers with VPN passthrough functionality allows attackers to take full control of the device. Models affected are DSR-150, DSR-250/N, DSR-500, and DSR-1000AC running firmware version 3.17 or earlier.

SAP: 11 advisories, including one "Hot News" item affecting NetWeaver AS JAVA.

Apache: Update for Apache Struts versions 2.0.0 to 2.5.25 to fix an issue that could be exploited to take control of an affected system.

Magento: Attackers are taking advantage of Magento 2.2 which has now been unsupported for a year. Sansec has a detailed analysis.

Flash: And Adobe has issued the final update for its venerable Flash Player, together with a date for its final retirement; it's January 12, 2021.
