FFT news digest March 19 2021

Cyber conflict

The cyber landscape is echoing to the sounds of sabres being rattled, as President Biden vows that Russia will pay a price for interference in the 2020 US election, and the UK says cyber attacks could be met with nuclear retaliation.

On Tuesday, the US released a declassified intelligence report accusing Russia of carrying out "influence operations" designed to damage Joe Biden's chances of victory. The report also accused Iran of trying to damage the Trump campaign, but it added that neither action compromised the election process. Intriguingly, the report says China didn't interfere in the election, although it is accused of considering whether to try to influence the outcome. Of course, that may be because it was too busy hacking Exchange email servers around the world.

The extent of incidents like these makes the UK's integrated review all the more alarming. In an abrupt departure from previous policy, it edged towards the idea that nuclear weapons could be used to retaliate against cyber attacks. We have long argued that cyber weapons have the potential to be at least as damaging as nuclear missiles but, despite that, there is no international convention to govern their use. The UK's apparent decision to create equivalence between them underlines the need for the international community to address the issue. Or, as the founding head of the UK National Cyber Security Centre tweeted, "I hope we’re not moving towards an era of mushroom cloud computing".

Threats

Malware: Threats developed for macOS saw an 1,100% increase in 2020 compared to 2019, but the total was still less than 1% of new malicious software discovered for Windows in the same period. Atlas VPN

Sex: The pandemic has led to a surge in demand for sex toys, but regular readers won't be surprised to hear that many of them are a security horror. In particular, new types of connectivity open them up to being taken over and abused. ESET

Ransomware: The sums paid by organisations that fall victim to ransomware attacks nearly tripled last year to an average of $312K. The highest attempted demand was $30 million. Palo Alto Networks

Spear-phishing: Techniques are evolving as criminals try to avoid detection. In one example, Proofpoint says an unusual programming language is being used. Lures include tempting subjects, such as payments, meetings, termination, bonuses and complaints.

C-suite: A highly targeted Microsoft Office 365 phishing campaign is taking aim at senior executives, their assistants and financial departments across a wide range of industries. Area 1

Trickbot: US security agencies are warning about a renewed campaign to install sophisticated malicious software on target devices. Email lures purport to contain proof of traffic violations. CISA

Counterfeit: Instagram is being flooded with listings for fake Apple accessories, including chargers, cables, power adaptors and AirPods. It's a serious issue, as a researcher discovered when a fake charger exploded.

Passwords: Another survey suggests most people don't care about their security. According to the findings, three quarters of consumers use the same passwords for everything and 8% never change them!

Crime records

Unsurprisingly, 2020 was a record year for cybercrime, according to the FBI's annual report. Total reported losses were $4.2 billion, up from $3.5 billion the previous year (the actual sums are likely to be much higher). Business email compromise accounted for some 43% of the losses, and the FBI said criminals had developed a new approach which involved using stolen IDs to set up bank accounts to stash their ill-gotten gains. Equally worrying, though predictable, are signs of a growing number of people being attracted to cybercrime. Check Point Research says people are increasingly turning to hidden parts of the web and to hacking forums to offer their services and availability for work of any kind. And CrowdStrike has some arresting graphics (R) illustrating the cybercrime ecosystem

Privacy. What privacy.

A flurry of stories reveals the remarkable extent to which online privacy simply doesn't exist. Changes mandated by Apple have forced app developers to reveal to users what information they collect for personalisation and marketing. After Google belatedly added the required labels to (some) of its iOS apps, privacy-focussed browser, DuckDuckGo, accused it of "spying" on users. If you'd like a sense of what apps are up to, a new study sets out the information in an elegant format. Top of the table is Instagram. It manages to collect 79% of available personal data. And in the US, T-Mobile phone subscribers will soon be automatically enrolled in an advertising programme that is informed by their online activity. 

Text messages

The ludicrous insecurity of cellular messaging is underlined by a Motherboard investigation which found it cost just $16 to intercept a reporter's incoming text messages. That's slightly concerning, given that those messages are frequently used for authentication - particularly by financial institutions. The method didn't involve shady employees selling information (though that is another risk). In this case, it exploited what is said to be an entire business sector that enables anyone to intercept messages without any sign of anything untoward happening. The frailty of cellular security has been well-documented, but nothing substantive has been done to address the problem. Whenever possible, do use an alternative authentication method.

Breaking bad

Two cases in the US. Two moms arrested on charges of using digital fakery to help their daughters. In Florida, an assistant principal and her daughter face multiple charges after hundreds of fraudulent votes were allegedly cast in the race to be the school's homecoming queen. 117 votes originated from the same IP address within a short time period and multiple students said the daughter had described what her mother had done. In Pennsylvania, a mother is accused of using deep fakes to try to get her daughter's rivals kicked off a cheerleading team. She is also alleged to have used fake phone numbers to send text messages, some of which urged the recipients to kill themselves. 

In brief

Jail time: Graham Ivan Clark is 18. He'll spend the next three years in jail as part of a plea deal for his part in last year's high-profile Twitter hack. Still outstanding are the cases of two alleged accomplices, aged 19 and 22. This is not a victimless crime, as a man who lost £407K discovered.

Dark Patterns: These are the subtle methods (e.g. friendly blue buttons) used to make us do what web and app designers want us to do. California has just banned them in the context of opting out of having personal information sold. California AG

Apple compatibility: A new website will tell you whether an app has been updated to work natively on new MacBooks that use Apple's own processors. isapplesiliconready.com

Grindr: An intriguing response to a proposed €10 million data protection fine; Grindr is not concerned with its users' sexual orientation. This may come as news to its users.

Sexual consent: A police commissioner in Australia has suggested using smartphone apps to record consent to sexual activity. The capability could be standalone or built into dating apps, Michael Fuller said. 'You're missing the point', was a widespread response. The Register

Face verification: A bank in Singapore is piloting the use of face verification at ATMs, beginning with balance inquiries. ZDNet

Online escaper: Fed up with back-to-back online meetings? Of course you are. Zoom Escaper's solution allows you to sabotage your own meeting by selecting from a range of sounds including construction, wind, babies and (peculiarly) urination. Zoom Escaper

Nonfungible: In a logical progression, a toilet paper manufacturer has begun selling nonfungible token designs. Proceeds go to charity. Anyone seriously interested in NFTs would do well to read this technical analysis of what's going on under the hood. In short - it's not good.

Updates

Microsoft: The fallout from the vulnerabilities in Exchange servers continues with more than 7,200 exploitation attempts on March 15 according to Check Point Research. Microsoft has released an Exchange On-premises Mitigation Tool to help smaller businesses protect themselves.

Microsoft: Emergency updates released to fix printing issue that causes some Windows 10 machines to crash. Unfortunately, there are already reports that they don't fix the problem.

Office: Microsoft has also addressed an issue causing memory/disk space errors when opening some files with Office apps.

DuckDuckGo: Users should ensure they're using the latest version of the privacy-focussed browser extension. Earlier versions have a serious security vulnerability.

Audacity: Version 3.0.0 released for Mac, Linux and Windows. It's a major change, with a different structure for saving projects designed to ensure all data is kept in one place. Oh - and there's the small matter of fixing 160 security issues...

Chrome: Another update to address a serious, previously unknown vulnerability. Separately, Chrome for Windows will now support real-time captions.

Cisco: Updates to address vulnerabilities in RV132W ADSL2+ Wireless-N VPN Routers and RV134W VDSL2 Wireless-AC VPN Routers.

WordPress: Vulnerabilities in Elementor and WP Super Cache plugins could be exploited to run arbitrary code and take over a website.

WhatsApp: Now requires iOS 10 or later, which means it will no longer work on the iPhone 4S.
