FFT news digest February 12 2021

Water

Most security failures provide an excellent what-not-to-do guide, even if the issues are usually depressingly basic. Such is the case with the Florida water treatment plant whose systems someone accessed remotely in an attempt to contaminate the water supply. The intruder accessed a computer at the plant which was running TeamViewer (an app commonly used for remote access and support). The problem in this case was that all the facility's computers shared the same password for remote access and they were all connected directly to the internet without a firewall. They were also running Windows 7, which Microsoft no longer supports. The attack failed because an employee noticed his cursor moving when he wasn't doing anything.

Checklist
The FBI has issued advice about how to prevent such incidents. It's basic...but so was the way the attacker accessed the facility's systems.
- Use multi-factor authentication
- Use strong passwords to protect Remote Desktop Protocol (RDP) credentials
- Ensure anti-virus, spam filters, and firewalls are up to date, properly configured and secure
- Audit network configurations and isolate computer systems that cannot be updated
- Audit your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts
- Audit logs for all remote connection protocols
- Train users to identify and report attempts at social engineering
- Identify and suspend access of users exhibiting unusual activity
- Keep software updated
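Two of the checklist items, logging RDP login attempts and auditing remote-connection logs, are only useful if someone actually looks at the logs. The script below is an added example, not from the digest or the FBI advisory, of the minimum triage a small site could run over exported Windows Security events: it flags successful RDP logons (event 4624 with logon type 10) from outside an assumed allow-list of management networks, and sources with a burst of failed logons (event 4625) that looks like password guessing. The event IDs and logon types are real Windows values; the tab-separated record layout, the allowed networks and the sample log lines are constructed for the example.

```python
"""Triage exported Windows RDP logon events (added example, not the digest's code).

Assumed record layout (one event per line, tab-separated):
  TimeCreated  EventID  LogonType  IpAddress  TargetUserName
Event 4624 = successful logon, 4625 = failed logon; logon type 10 =
RemoteInteractive (RDP). Failed RDP attempts behind NLA usually land as
logon type 3, so failures are counted regardless of type.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: remote access is only expected from the VPN pool and the management LAN.
ALLOWED_SOURCES = [ip_network("10.8.0.0/24"), ip_network("192.168.50.0/24")]
FAILURE_THRESHOLD = 5            # this many failures from one source ...
WINDOW = timedelta(minutes=10)   # ... inside this window => guessing candidate

# Constructed sample export: one legitimate session, a short brute-force run from
# an internet address that ends in a successful logon, a local typo, and a
# non-RDP network logon that must not be reported as RDP.
SAMPLE_LOG = """\
2021-02-05T09:00:01\t4624\t10\t10.8.0.15\toperator
2021-02-05T09:12:10\t4625\t3\t203.0.113.44\tadministrator
2021-02-05T09:12:12\t4625\t3\t203.0.113.44\tadministrator
2021-02-05T09:12:15\t4625\t3\t203.0.113.44\tadmin
2021-02-05T09:12:17\t4625\t3\t203.0.113.44\tscada
2021-02-05T09:12:20\t4625\t3\t203.0.113.44\toperator
2021-02-05T09:12:25\t4624\t10\t203.0.113.44\toperator
2021-02-05T13:40:00\t4625\t3\t192.168.50.7\toperator
2021-02-05T13:40:30\t4624\t10\t192.168.50.7\toperator
2021-02-05T14:00:00\t4624\t3\t198.51.100.9\toperator
"""


def parse_events(text):
    """Turn the tab-separated export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, ip, user = line.split("\t")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "ip": ip,
            "user": user,
        })
    return events


def is_allowed(ip):
    """True if the source address falls inside one of the expected networks."""
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def external_rdp_logons(events):
    """Successful RDP sessions (4624, type 10) from outside the allow-list."""
    return [
        (e["time"].isoformat(), e["ip"], e["user"])
        for e in events
        if e["event_id"] == 4624 and e["logon_type"] == 10 and not is_allowed(e["ip"])
    ]


def brute_force_sources(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Sources whose failed logons exceed `threshold` inside any sliding `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["ip"]].append(e["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def triage(text):
    """Run both checks over an export and return the findings."""
    events = parse_events(text)
    return {
        "external_rdp_logons": external_rdp_logons(events),
        "brute_force": brute_force_sources(events),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for when, ip, user in report["external_rdp_logons"]:
        print(f"RDP logon from outside allowed networks: {when} {ip} as {user}")
    for ip, count in report["brute_force"].items():
        print(f"Possible password guessing: {count} failures from {ip} within {WINDOW}")
```

On the sample data the script reports the 203.0.113.44 session both ways: five failed logons in ten seconds followed by a successful interactive logon from an internet address, which is exactly the pattern a shared, guessable remote-access password produces. The 198.51.100.9 event is a network logon rather than an RDP session and is deliberately not reported, so a real deployment should add its own check for type 3 logons from unexpected sources.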

Going cheap
Less than $2,000 will buy you administrator access to the network of a medium-sized company with a few hundred employees, according to research by threat intelligence firm Kela.
The price to breach larger organisations is much higher but, despite that, the average cost is less than $7,000. Nearly half of the access methods relate to remote desktop, VPNs, remote code execution and Citrix products. Buyers most commonly use the access to attack their targets with ransomware.

Threats

Targets: Not altogether surprisingly, having details leaked in a data breach makes someone 5 times more likely to be targeted in phishing attacks. Google and Stanford University analysed more than a billion malicious emails and also found that location (top targets: US, UK) and age (55-64 year olds most targeted) were key factors.

Vaccines: More fake vaccine advisories are flooding into inboxes. Most common is an email with the subject line 'Booking for vaccination no. 36775' which tells the user to click on links to accept or decline the invitation. Akamai

Valentines: Romance scams have been an ongoing theme of the pandemic; an estimated £68 million was lost in 2020. Valentine's Day is fuelling the fire. Action Fraud

Facebook: Almost 500,000 Facebook users have been tricked by the resurgence of a long-running scam that begins with a message asking "Is that you?" The message appears to come from a friend who claims to have found a video or image featuring the targeted user. cybernews

Remote: With multiple reports suggesting remote working is here to stay, attackers are continuing to target home workers. ESET says there was a 768% rise in the number of attacks focussed on remote access, mostly with the aim of installing ransomware.

OAuth: Warning about new attacks trying to trick targets into allowing malicious apps to access their Office 365 accounts. Rather than stealing a password, the method takes advantage of the access tokens underpinning the OAuth standard: once the user grants consent, the attacker's app holds a token that works regardless of password changes or MFA. Bottom line: be very cautious about apps displaying a "Permissions Requested" popup. Bleeping Computer

IoT: Millions of Internet of Things devices are vulnerable to attacks because of a decades-old security vulnerability. If you have an IoT device, do make sure any security updates have been applied. ZDNet

US privacy

Think anonymity and privacy are possible with a smartphone? Think again. A New York Times report shows ($) how the data from mobile phone apps can be used to track people. And the paper proves it by identifying more than 2,000 people who were on Capitol Hill when it was stormed on January 6. The Times was given data which showed a "God-view" of the events. That view came from some 100,000 pings from thousands of smartphones. There were no names or phone numbers in the data but, by connecting different databases, it was easy to link "anonymous" locations to names, addresses, social networks and phone numbers.

Euro privacy

After a long wait, the EU has begun to move forward with plans to update regulations on electronic communications. The EU's lead data protection supervisor issued an opinion recommending a ban on targeted advertising that exploits internet users' digital activity. Separately, after four years of trying, member states agreed a negotiating mandate on a new ePrivacy draft. Observers are less than overwhelmed. AccessNow said, "States poked so many holes into the proposal that it now looks like French Gruyère". (French Gruyère has lots of holes and Switzerland's doesn't, in case you were wondering.) Final agreement is still some way off and technology companies strongly oppose the proposals.

Bug bounties

If you can find a previously-unknown way to break into an Android device without the user doing anything, an exploit broker will pay you up to $2.5 million. By contrast, Google paid bug bounty hunters a total of $6.7 million in 2020. That was shared between 662 researchers and was only $200,000 more than the previous year. The difference is obvious - and it's by no means confined to Google. The exploit broker referenced above claims the latest version of Apple iOS has more 'zero-day' vulnerabilities than iOS 12. As it says, "more features, more zero-days, more tears".

MacBooks

At Full Frame we mostly use MacBooks, but that doesn't mean we're fans. Unreliable keyboards, multiple adaptors and unpredictable changes have contributed to a toxic relationship which we'd be happy to end. The latest issue affecting 2016 and 2017 MacBook Pro users is a battery that won't charge past 1%. Apple has now launched a free replacement programme to address the problem - though it says only a small number of machines are affected. Even if your battery does charge, it might be worth clicking the battery icon to check whether it says 'Service Recommended'. If it does, make sure you install the latest macOS update before trying to get the battery replaced. (If you're thinking about a new MacBook, the expert view is to wait for new models expected later this year.)

In brief

Zoom: You've probably seen the hapless lawyer with his cat filter. That setting is buried under Settings | Background & Filters | Video Filters, so his plea of ignorance doesn't ring entirely true (unless he'd done something to piss off an assistant). ZDNet has some good advice about avoiding his fate.

Signal: Reports that police can access Signal messages, despite its end-to-end encryption, are slightly misleading. No-one, least of all Signal, has ever suggested that messages can be secured against someone who has accessed the device on which they're stored. Forbes Pwn All The Things

More arrests: New arrests underline the progress of law enforcement agencies in pursuing cyber criminals. The latest success involves 10 people in the UK, Belgium and Malta who allegedly hijacked the mobile phones of US celebrities and managed to steal over $100 million in cryptocurrencies. Europol

.eu domains: British owners of suspended .eu domain names have been given an additional three months to register an EU address before the suspension becomes permanent. EURid

Chrome: Google has withdrawn 'Great Suspender', a malicious extension for its web browser with more than two million users. In common with many other incidents, the issues began when the original developer sold the extension. Bleeping Computer

Deep fakes: As more financial institutions start using video-based identity verification, there's increasing discussion on dark web forums about defeating it with deep fakes. Gemini Advisory

Chip shortage: Both Nissan and Honda have warned investors that shortages of semiconductors are likely to hit sales this year. The shortage has been caused at least in part by demands for products to support home working. The Register

Chastity: That company with the penis chastity lock. The one that was hacked (and, in one notable case, whose product had to be removed with bolt cutters that left the user bleeding). It's back...with an assurance that the lock is now totally safe. Totally. Motherboard

Updates

Microsoft: Monthly set of updates includes a fix for a Windows 10 issue that could crash a device if a user opened a folder containing malicious files. (That's opening the folder, not the files themselves.) There are 55 other fixes, with 11 rated 'Critical'. Shortly after releasing the updates, Microsoft issued a fix for a WiFi issue that was crashing devices.

Impersonation: Defender for Office 365 will help to identify users and domains targeted in impersonation-based phishing attacks (where attackers try to persuade people an email is from a genuine contact or organisation).

Spelling: Microsoft says its new spell check is "the most comprehensive spelling correction system ever made in terms of language coverage and accuracy". Let time be the judge of that.

Fortinet: Updates to address multiple vulnerabilities across a range of products. Alarmingly, some issues were first revealed up to two years ago.

macOS: Important updates for Big Sur 11.2, Catalina 10.15.7, Mojave 10.14.6 include fixes for serious security vulnerabilities and a bug in Big Sur affecting systems which are low on storage.

iOS Google: It's so long since Google updated its iOS apps that some started displaying warnings they were out of date. Google says it was a bug that has now been squashed. The delayed updates are believed to be linked to Apple's upcoming privacy changes.

VMware: New security guidance for vSphere users, including strong recommendation to use only servers that run Trusted Platform Module (TPM).

Adobe: Updates to address critical vulnerabilities in products including Magento, Acrobat, Reader, and Photoshop.

SAP: Seven new security notes, including a 'Hot News' note for a critical flaw in SAP Commerce. There are also updates for six previously released notes.

WordPress: Security update for NextGen Gallery which is used to create image galleries and has more than 800,000 active users.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217