FFT news digest Sep 10 2021

Pegasus

If you'd asked us to name the countries least likely to use Pegasus spyware, Germany would have been near the top of the list. But, extraordinarily, it turns out the German Federal Criminal Police Office bought the spyware in 2019. Not only that, but the version had some features disabled to avoid breaking German privacy laws. Deutsche Welle says the government has been asked specifically about use of NSO spyware three times in recent years and has largely refused to provide answers. The German Journalists’ Association is now asking “whether journalists were spied on without their knowledge, whether their sources are still safe.” The German government has yet to comment.

Counter-terrorism tools and tactics are being routinely used to combat routine street crime in New York, according to The New York Times. "Police officials say they are obligated to use every tool at their disposal to fight crime. But critics say the expansive surveillance dragnet is ensnaring everyday New Yorkers," the paper reports. The tools were introduced following the September 11 terrorist attacks and include surveillance drones, and mobile X-ray vans that can see through car doors. In one example, the paper describes the experience of an activist accused of using a loudhailer next to a police officer at a protest. He was identified using facial recognition tools that were applied to his Instagram profile, and surveilled using drones.

Some better news on the spyware front, with the US Federal Trade Commission announcing a ban on both SpyFone and its CEO. The FTC branded SpyFone as "brazen" and said it had secretly harvested and shared data on "people’s physical movements, phone use, and online activities through a hidden device hack." The FTC also accused SpyFone of a "lack of basic security that exposed device owners to hackers, identity thieves and other cyber threats." SpyFone costs as little as $199.95 for a 12-month licence. It's only one of many such 'stalkerware' solutions that are widely available and frequently sold as a means to keep tabs on children.

Threats

Remote: Employees working at home are significantly more vulnerable to phishing attacks compared to those working in offices. Unit 42 found the percentage of traffic coming from phishing pages was over 2.4 times greater for remote workers.

Email lookalikes: The internet wasn't designed to cope with non-Latin alphabets and that has allowed attackers to use similar-looking characters to create fake web addresses. Now, the same technique has been used in emails and, worryingly, a researcher has shown that a fake address can reveal someone's real identity. Ars Technica

Credentials: Attackers are increasingly using stolen credentials rather than malware to access organisations’ infrastructure, according to Crowdstrike. It says it’s essential to protect accounts with multi-factor authentication, to exploit threat intelligence, to create policies and guidance that reflect remote working, and to develop user awareness programmes.

Bluetooth: A Norwegian student has found that several popular models of wireless headphones allow their owners to be tracked. The problem (discovered by riding around Oslo on a bike) is caused by a failure to randomise the devices' unique IDs. The Register

Phone scams: Americans are estimated to have lost $29.8 billion last year from phone scams. Help Net Security suggests three key protections: educate, use analytics to spot unusual behaviour, and harness technology to authenticate callers.

Fortinet: A criminal has released almost 500,000 Fortinet VPN login names and passwords. Many of them are claimed to still be valid despite having been stolen months ago. Bleeping Computer

Protonmail

A reminder not to assume anything is secret on the internet, even if someone suggests it is. This comes courtesy of privacy-focussed email provider, Protonmail, which admitted it gave the Swiss authorities a French climate activist's IP address and identifying details about his browser. That was despite a policy that most users would have taken to mean that the company couldn't provide any such details because it didn't record them. In fact, its policy said it didn't record details "by default". In this case, a Swiss court ordered Protonmail to begin logging and, as a Swiss company, it said it had no choice but to comply. It advises anyone who is concerned to access its service through the Tor network. Our advice to anyone concerned about privacy is to avoid email altogether.

WhatsApp

US investigative website, ProPublica, is highly respected so when it said there were issues with WhatsApp's end-to-end encryption, people took notice. The only problem was the story was misleading, if not downright wrong. After torrents of criticism, ProPublica published a 'clarification' explaining that it meant to say user privacy was being undermined because moderators examine abusive messages that are forwarded to the company for analysis. "There are a lot of problems at WhatsApp, but 'the existence of abuse reporting undermines the promise of end-to-end encryption' is an impressively bad take," the Electronic Frontier Foundation's director of cybersecurity said.

Targeted

Multiple stories this week reveal some of the tactics used by governments to target opponents and critics. A pro-Chinese government online influence operation is targeting Americans to try to exploit divisions over the COVID-19 pandemic and "physically mobilise protestors in the US in response," according to research by Mandiant. Also in the US, the FBI has accused China of using in-person and digital techniques to intimidate, silence and harass members of the Uighur Muslim community living in the country. ESET reports on pro-Kurd Facebook profiles that link to Android apps which purport to provide relevant news but in fact contain spyware. And Wired describes a growing industry in Kenya in which social media influencers are paid to smear journalists and activists.

Apple reverse

After a deluge of criticism, Apple has delayed a plan to scan users' images for child sexual abuse material (CSAM). “Based on feedback...we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features,” Apple said. The scanning would apply to photos marked for upload to Apple's iCloud service and would take place on the user's device. Despite the laudable aim to protect children, the initiative has been a public relations disaster for Apple, with opponents recalling its 2019 advertising slogan: "What happens on your iPhone, stays on your iPhone." Meanwhile, The Washington Post reports that security researchers are fed up with Apple's bug bounty programme which they say is marred by lack of communication, confusion about payments and long delays.

In brief

Brazil: President Bolsonaro of Brazil has banned social media companies from removing content that violates their rules. This includes his claims that he'll only lose next year’s elections if the vote is rigged. New York Times

Afghan: Google temporarily locked some email accounts belonging to members of the overthrown government amid fears the Taliban is seeking information from them. Reuters

AI: One of the world's most powerful AI systems was asked a series of questions about the COVID-19 pandemic. Many of the answers were remarkably accurate. The system's response to 'When will the pandemic end?': 2023. OneZero

Computer! Enhance photo!: Google's latest artificial intelligence systems have been trained to turn a blocky, pixellated photo into a sharp, clear image. They can also create a high-resolution, large-scale image from a much smaller original. Google's paper has examples. They're impressive.

Stop talking: Details have emerged about a US Navy weapon that's designed to stop someone talking. It works by recording the target's words and replaying them twice, once instantly and again with a short delay. That's supposed to confuse the target into silence. New Scientist via Interesting Engineering

Poop avoidance: As no-one at Full Frame owns a robotic vacuum cleaner, we were happily unaware of the gruesome consequences that result from an encounter with pet poo. Roomba says it has used built-in machine vision and AI to identify and avoid poop of all descriptions. The Verge

Updates

Windows: Microsoft is warning users that a vulnerability is being exploited to create malicious Office documents that allow code to be executed remotely. There's no fix yet, but anti-virus programs should pick up the issue. It's also a reminder not to ignore Protected View warnings.

Netgear: Firmware updates to address high-severity vulnerabilities affecting 20 of its smart switches used on corporate networks.

Atlassian: Attackers are exploiting a serious vulnerability in Confluence. An update to address the issue was released last week and users are urged to ensure it has been applied.

Firefox: Updates to address vulnerabilities in Firefox, Firefox ESR, and Thunderbird. Some of the issues could be used to take control of an affected system.

Citrix: Security updates to address vulnerabilities in Hypervisor.

Cisco: Security updates to address vulnerabilities in multiple IOS XR products.

Zoho: Urgent updates for ManageEngine ADSelfService Plus to fix vulnerabilities that are being actively exploited. Users are also advised to ensure ADSelfService Plus is not directly accessible from the internet.

Tails: Version 4.22 updates the Tor Connection assistant as well as key apps.
