FFT news digest February 5 2021

Privacy

The US National Security Agency has 100 people working on cyber offence for every analyst focussed on cyber defence, according to a new book by the New York Times' security correspondent. In This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, Nicole Perlroth seeks to convey the scale of a threat the world and its governments appear intent on ignoring. The result, in her book, is the collapse of society under the weight of cyber attacks and disinformation. The book is published later this month. In the meantime, The New Yorker has a review.

If all that sounds hyperbolic, more details continue to emerge about the so-called 'SolarWinds' campaign, which resulted in the compromise of most US government agencies. Microsoft has described the campaign as "the new normal", but according to the US Cybersecurity and Infrastructure Security Agency the reality is that 30% of victims didn't actually use SolarWinds products. SolarWinds is now reported ($) to be investigating the possibility that flaws in Microsoft products were behind the access to its infrastructure - and the same issues may have been responsible for many of the other intrusions. The attackers are believed to have gained an initial foothold by trying out multiple passwords until they found one that worked. 'Password spraying' is common and it's essential to defend against it.

Meanwhile, a(nother) frightening glimpse of the future emerges from western China, as described by investigative site, The Intercept. It obtained a huge database used by the Chinese government to help surveil the Uighur community. The database resulted from a reporting tool developed by Landasoft, a private defence company. According to The Intercept, it includes police reports confirming "many elements of the persecution and large-scale internment of Muslims in the area". It also suggests that the “Physicals for All” biometric collection program, officially described as solely a health initiative, is intended as part of the policing system.

Threats

A record number of scams was recorded in the UK last year, with a sharp rise in the second half of 2020, according to Barclays. The highest value incidents involved investment and impersonation fraud.

Fake WhatsApp: Hackers created a fake version of WhatsApp to try to gather information about targeted users. The approach involved tricking people into installing a malicious profile on their iPhones. If you ever see a request to install a profile, check before proceeding. Motherboard

Texts: Advice from IBM about the threat from malicious text messages. They might be simple, but they can be very effective. Particularly if they use a delivery notification as a lure.

HMRC: Text messages are popular as a way to deliver tax refund scams. Lisa Forte has an excellent example which managed to fool someone.

DHL: And speaking of deliveries, FireEye details a sophisticated scam exploiting DHL and purported delays.

Out of office: Ingenious scam targets victims by exploiting their own Microsoft 365 Out of Office replies and read receipts which are redirected to other users in the same organisation. Abnormal Security

Gaming: Attackers compromised the update mechanism of NoxPlayer, a free Android emulator for PCs and Macs. ESET

Evolution: Malicious software designed to give attackers remote access to devices is using new techniques to try to disable Microsoft antivirus protection. Agent Tesla is reported to account for 20% of malicious email attachments. Sophos

Printworks

Working from home creates undeniable security risks and this week brings a warning about printing sensitive information. 20% of those interviewed for a survey by Go Shred said they had printed information including payroll and medical information. The worst offenders come from the charity and voluntary sector, with legal professionals not far behind. Many said they didn't know how to dispose of documents securely, while 41% were aware of data protection rules about printing confidential data at home, but said they had no alternative.

Charity

Charities and non-profits are a popular target for cyber criminals, with reports of several recent attacks. Following a breach, two directors of the British branch of Mensa resigned, accusing the society for people with high IQs of sub-standard security practices. The Financial Times reports ($) a specific charge that passwords were stored as plain text. That was denied by Mensa, but one member said the organisation had mailed his password to him in plain text in the last 12 months. Meanwhile, The Woodland Trust has disclosed a breach that appears to have taken place last December. The incident forced it to halt work and disconnect its IT systems.

Oversharing

Most people think they're proactive in protecting their privacy online, but research suggests 93% of workers create significant security risks by oversharing online. The finding comes from separate studies that show how criminals exploit readily available information to launch their attacks. A survey by Entrust found 83% of interviewees felt they were proactive in maintaining their data privacy...but they didn't take basic precautions to do so. And in How to Hack a Human, Tessian explains how our online posts help hackers to craft "more believable and more effective social engineering attacks against people and businesses." Pause before posting...

Meeting

What secrets are you sharing in your online meetings? Your personal taste in books probably doesn't matter too much (unless they reveal very specific interests), but diplomas, certificates, bills and such like do. In our training for media organisations, we stress that if a password is stuck on a wall or a monitor then sooner or later it will turn up on air (whereupon it will be gleefully shared on social media). Meanwhile, research on how people behave online brings the alarming news that 6% of the 3,000 people surveyed said they had witnessed calls featuring completely naked people. 

In brief

Privatised surveillance: More than 2,000 police and fire departments in the US have partnered with Amazon’s Ring camera system, which allows them to request footage from the devices to help investigations. Amazon

Vietnam: Detailed analysis of a nation state surveillance operation targeting journalists abroad which used targeted emails to try to compromise them. CPJ

Redactions: Another example of the risk of redactions, this time as a result of a cock-up by the EU. When it published a disputed vaccine supply contract, it blanked out much of the text but failed to fix the Bookmarks view. As a result, the whole document was visible. The Register

Cloud checklist: Cloud solutions have huge advantages in terms of efficiency and security - but they also present significant challenges. The Cloud Security Alliance has developed an invaluable checklist. TechTarget

Domain renewal: A reminder courtesy of Cisco about the importance of keeping on top of domain names and when they expire. It failed to renew the details for its anti-spam service, SpamCop, resulting in millions of emails being rejected as...spam. The Register

Intelligent Spinach: A fascinating story about spinach being engineered with nanotechnology so that it can detect explosives where it's planted. We thought this looked familiar. On checking, it turns out the original paper was published in 2016. Nature Materials

Escorts: A hacker managed to download the database from an online community focussed on female escorts. A nervous weekend ahead for many of the 470,000. Bleeping Computer

Updates

Bad patches: We've long complained about the quality of software updates because when they cause problems, they lead to an ongoing reluctance to install fixes when they're released. Now, Google has warned that partial patches are contributing to the impact of zero-day (i.e. previously unknown) vulnerabilities.

macOS: Security updates to address multiple vulnerabilities in macOS and Safari, including a flaw that can be exploited by luring targets to a booby-trapped website.

iPhone 12: Some users continue to report display problems, with pixels failing to behave as intended. Some have had devices replaced, others have been told there's a software fix. The discussion on Apple's support forum is 83 pages long and growing.

iCloud for Windows: Apple released a new version which supported a passwords extension for Chrome. Then it withdrew it after users reported problems. It's now back. We still prefer a standalone password manager.

Chrome: Update to fix a high-severity vulnerability that is being actively exploited.

Defender for Endpoint: Microsoft's vulnerability assessment solution now encompasses macOS devices.

Windows 10: KB459829 update aims to fix annoyances, including difficulties opening documents.

Office: February non-security updates include a fix for PowerPoint crashing when opening files containing diagrams.

SonicWall: An urgent update has been released for Secure Mobile Access (SMA) 100 series appliances. "All SMA 100 series users must apply this patch IMMEDIATELY to avoid potential exploitation," SonicWall warns.

Cisco: Critical updates for multiple vulnerabilities affecting several small business VPN routers. Multiple fixes for other products.

Android: Google's February updates address multiple security issues. Available for Pixel owners this month. For everyone else, when partners get round to releasing them.
