FFT news digest Aug 26 2022

Twitter

The Twitter whistleblower's revelations have reinforced our view that technology companies can't be trusted to keep bad people out of their organisations. Among Peter 'Mudge' Zatko's allegations is a claim that Twitter gave in to demands from India to hire a government agent who would have had access to sensitive user data. (Earlier this month, a US court convicted a former Twitter manager on charges of spying for Saudi Arabia.) But that's not all. As this thread details, Zatko also says Twitter allowed China to use specific features that could be exploited to identify people inside the country who were breaking the law by accessing the service.

Zatko's deposition runs to 84 pages, so to save you the trouble of reading it, here are some key points:
• Too many staff have unfettered access to sensitive security and privacy controls.
• Almost half of Twitter's servers lack basic security features.
• Twitter doesn't have the resources to determine the true number of fake accounts on its platform.
• The company has lied about protecting users' personal information.
• Technical limitations mean that Twitter fails to honour requests from users to delete their personal data.

Twitter has responded to the allegations by dismissing Zatko as a disgruntled employee who was fired for "ineffective leadership and poor performance."
This would be more credible if Zatko wasn't a leading light in the cybersecurity world who's worked for Google and the US government. As one leading journalist put it, "there’s probably no security exec with more ethics, more credibility." The truth will be investigated by the US Senate Judiciary Committee which has announced an inquiry. 

Threats

Deepfakes: Scammers used a deepfake video of a cryptocurrency executive to steal money from start-ups. The fake was created from TV appearances. If in doubt about whether someone's real, just ask them to turn sideways to the camera.

Travel: Attackers are exploiting the transport disruption currently affecting many countries. Proofpoint reports on a campaign directed at Latin America, Western Europe and North America.

Smartphones: Counterfeit versions of budget Android devices come with malicious software designed to target WhatsApp. Dr.Web

Fake PayPal: A reminder about a sophisticated scam that exploits PayPal's invoicing feature. The fake invoices slide through email filters, they look real, and PayPal still hasn't done anything about them. Kevin Beaumont

Endpoint security: In a Twitter poll, 49% of respondents described endpoint management in their organisations as non-existent. Such polls are hardly scientific but this one's findings bear out what we frequently see.

Microsoft: Criminals are exploiting dormant Microsoft accounts by guessing their passwords and then setting up multi-factor authentication on them. As Mandiant reports, it's essential that verification features are enabled (and that directories are checked for unused accounts).
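The Mandiant item above boils down to two routine checks: find enabled accounts nobody has signed into for a long time, and look for MFA methods that were registered on an account straight after a long gap in sign-ins (the pattern left behind when an attacker guesses a dormant account's password and enrols their own authenticator). The script below is an added example, not code from the digest or from Mandiant; the directory export format, the constructed sample rows and the 90-day dormancy threshold are all assumptions.

```python
"""Flag dormant accounts and MFA enrolments that follow a long sign-in gap.

Added example (not from the digest or Mandiant). The export format is an
assumption: one row per account with a user name, an enabled flag, a list of
successful sign-in dates and the date an MFA method was registered, if any.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

DORMANT_DAYS = 90  # assumed threshold; tune to your own tenant's sign-in patterns


@dataclass
class Account:
    user: str
    enabled: bool
    sign_ins: List[date]            # successful sign-ins, sorted ascending
    mfa_registered: Optional[date]  # date an MFA method was registered, if any


def parse_export(rows):
    """Turn raw export rows (assumed format, ISO dates) into Account objects."""
    accounts = []
    for row in rows:
        sign_ins = sorted(date.fromisoformat(d) for d in row["sign_ins"])
        mfa = date.fromisoformat(row["mfa_registered"]) if row["mfa_registered"] else None
        accounts.append(Account(row["user"], row["enabled"], sign_ins, mfa))
    return accounts


def find_dormant(accounts, today, dormant_days=DORMANT_DAYS):
    """Enabled accounts with no sign-in in the last `dormant_days` (or ever).

    Disabled accounts are skipped: they are already out of the attacker's reach.
    """
    cutoff = today - timedelta(days=dormant_days)
    return sorted(
        a.user for a in accounts
        if a.enabled and (not a.sign_ins or a.sign_ins[-1] < cutoff)
    )


def find_suspicious_mfa(accounts, dormant_days=DORMANT_DAYS):
    """Accounts whose MFA was registered after a long silence.

    A sign-in on the registration day itself may be the intruder's own, so the
    gap is measured from the last sign-in strictly before that day. No earlier
    sign-in at all is treated as suspicious too. A legitimate user returning
    from long leave will also land here, so this is a review queue, not a verdict.
    """
    flagged = []
    for a in accounts:
        if a.mfa_registered is None:
            continue
        earlier = [d for d in a.sign_ins if d < a.mfa_registered]
        if not earlier or (a.mfa_registered - earlier[-1]).days > dormant_days:
            flagged.append(a.user)
    return sorted(flagged)


# Constructed sample export (not real data) as of 26 Aug 2022.
SAMPLE_ROWS = [
    {"user": "alice", "enabled": True, "sign_ins": ["2022-08-01", "2022-08-20"], "mfa_registered": "2022-08-20"},
    {"user": "bob", "enabled": True, "sign_ins": ["2022-01-10", "2022-08-22"], "mfa_registered": "2022-08-22"},
    {"user": "carol", "enabled": True, "sign_ins": [], "mfa_registered": None},
    {"user": "dave", "enabled": True, "sign_ins": ["2022-03-01"], "mfa_registered": None},
    {"user": "erin", "enabled": False, "sign_ins": ["2021-11-05"], "mfa_registered": None},
    {"user": "frank", "enabled": True, "sign_ins": [], "mfa_registered": "2022-08-23"},
]
SAMPLE_TODAY = date(2022, 8, 26)


def run_checks(rows=SAMPLE_ROWS, today=SAMPLE_TODAY):
    """Run both checks over an export and return them as a dict of user lists."""
    accounts = parse_export(rows)
    return {
        "dormant": find_dormant(accounts, today),
        "suspicious_mfa": find_suspicious_mfa(accounts),
    }


if __name__ == "__main__":
    for check, users in run_checks().items():
        print(f"{check}: {', '.join(users) or '(none)'}")
```

In the constructed sample, bob's MFA was enrolled 224 days after his previous sign-in and frank's was enrolled on an account that had never signed in, so both land in the review queue; alice, who enrolled 19 days after a normal sign-in, does not. Running the same two functions over a real export is the "check directories for unused accounts" step the item recommends.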

Pirates: Zscaler has uncovered several campaigns designed to distribute malicious copies of popular applications. The criminals use search engine optimisation to ensure their wicked wares appear high in the results of Google searches for software like Adobe Acrobat.

Spyware

A challenging week for the NSO Group; its CEO stepped down, it dismissed 100 employees, and a UK court ruled a dissident could sue the Saudi government for using NSO spyware to hack his phone. In an internal statement reported by The Guardian, NSO said it would streamline its operations to focus on NATO customers. That might be tricky as it's currently on a US sanctions list and its main aim at the moment appears to be to find a buyer for the company as a whole. Meanwhile, the UK court decided that the Saudi dissident had provided enough evidence to conclude on the balance of probabilities that Saudi Arabia was responsible for installing Pegasus spyware on his phone. A Saudi appeal against the decision is expected.

Scanning

Another wrinkle in the complex debate over privacy and child pornography. A father in San Francisco took photos of his toddler's genitals because he was concerned about an infection. He shared them with his doctor (who prescribed antibiotics that cleared up the problem). But his phone was set to sync his photos with his Google cloud account. Two days later Google told him his account had been disabled, leaving him without access to many of the services and much of the information he depended on. This was only the start of a Kafkaesque process that involved a police investigation (which eventually concluded he'd done nothing wrong). The EFF calls the case "a warning of potentially many more such mistakes to come."

In brief

Media risks: The nature of the media industry makes it an ideal target for attackers, and a new report has found the number of companies susceptible to compromise is double the figure for all sectors. BlueVoyant surveyed 485 vendors and concluded that compromises and cybersecurity issues impact all segments of the value chain.

LastPass: The password management company has confirmed attackers have stolen some of its source code and proprietary technical information. It says "it has seen no evidence" that user passwords were affected. Its disclosure is less than forthcoming and it's not the first such incident. Nonetheless we continue to recommend password managers and protecting them with multi-factor authentication. Bleeping Computer

Ukraine: From Defcon comes the best overview we've seen of the part cyber has played in the war in Ukraine. The main takeaway: it's a fundamental part of both sides' tactics and more widespread than many reports have suggested. Kenneth Geers

Whitewash: A US startup uses AI to erase accents so that call-centre workers and the like can sound "whiter." The company raised $32 million from investors in June. SFGATE

AirTags: An AirTag in a suitcase led to the arrest of an airport worker who had stolen thousands of dollars' worth of checked luggage. 9to5Mac

Messaging: Both Signal and WhatsApp include settings that make it hard for someone to hijack an account. Signal calls it Registration Lock. WhatsApp's equivalent is Two-Step Verification. Security journalist, Joseph Cox, explains why he's turned the feature on.

Google: A Dutch engineer has built a tool that provides an audible view of the data Google gathers. The noise starts the moment the first character of a web address is entered.

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217