FFT news digest Nov 4 2022

Twitter

What exactly Elon Musk will do with Twitter remains to be seen, but his first week as sole proprietor has highlighted some important security issues. Key among them is his reported plan to start charging for verification (aka the blue tick). As one former soap actor explained (on Twitter, naturally), "Years ago, before verified accounts were a thing, back when I was on Eastenders, I was contacted multiple times by parents of children who had been “conversing” with me online. 11-15 year old children that had been talking with a fake me." Of course, it's not clear how the new verification scheme will work but the issue of impersonating well-known personalities is one of many intractable problems Musk now owns. After all, verification was introduced in 2009 after a user sued Twitter saying he was being impersonated on the site.

Among those in the dark about Musk's plans are his staff. A week after his arrival, they were still waiting for an official communication from him. Instead, an email signed 'Twitter' told them they would learn by 0900 Pacific Time today whether they still have a job. Those staying will receive an email to their corporate account. For those being fired, it will land in their personal inbox. It is clear the cuts will be swingeing. The detrimental impact on the company's already questionable security is obvious. Meanwhile, a class action lawsuit has already been filed. It accuses the company, i.e. E.Musk esq., of failing to follow US employment law.

Musk is desperate to cut costs and drive up revenues to help service the $13.2 billion debt now sitting on his company's balance sheet. Reuters quotes sources as saying he is demanding annual savings of $1 billion in infrastructure spending. Among the ideas is a reduction in the extra server capacity that enables Twitter to handle high traffic. "Musk is willing to introduce...risk," a source said. According to The Washington Post, plans are afoot to launch a paid-video feature, which could be used to monetise adult content. The second-largest investor in Twitter is Saudi Arabia's sovereign wealth fund. After initially opposing the deal, the Kingdom Holding Company now says it will hold onto shares valued at $1.89 billion. The fund is sure to be thrilled with the plans to make money out of adult videos.

Threats

Supply chain: The importance of supplier security is illustrated by a media company that provides video content and advertising to major US news outlets. Attackers compromised its infrastructure and exploited it to deploy malicious software via the websites of hundreds of newspapers. Bleeping Computer

VPN: A booby-trapped VPN app is being used to target Android users with spyware known as SandStrike. The victims are Farsi-speaking practitioners of the Baháʼí Faith, a religion developed in Iran and parts of the Middle East. Kaspersky

Twitter: Scammers have seized on Elon Musk's efforts to raise cash. They're sending amateurish emails warning about the loss of the 'blue tick' and trying to persuade users to hand over their Twitter credentials. TechCrunch

USB: Over the past 30 days nearly 1,000 organisations have been hit by malicious software that's being distributed on USB sticks. Microsoft says it's part of a complex ecosystem. We say don't trust USB sticks.

Fakes: The operators of a remote access tool are using fake versions of software such as SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro. Targets are mostly in Ukraine and in some English-speaking countries including the UK. Blackberry

WiFi: Researchers have shown that it's possible to exploit Wi-Fi networks to see through walls. Using a drone and $20 of hardware, they were able to fly near a building and locate all Wi-Fi-enabled devices inside it within seconds. University of Waterloo

Prices: The average cost of illicit access to a corporate network was $2,800 in the third quarter of this year. KELA found details of 576 corporate networks being offered for sale.

Wiper: A new, destructive tool designed to erase data is being distributed through pirated software and adware bundles, and the people behind it are trying to frame well-known security researchers by claiming they're responsible. Bleeping Computer

The view from the NCSC

If the airline industry managed risk and vulnerability the way it's done in cyber security, there would be planes literally falling out of the sky. That's the view of the outgoing technical director of the UK's National Cyber Security Centre. In a valedictory blog, he laments a general failure to learn from past events (aka cock-ups) while admitting that fixing fundamental problems is difficult and expensive. One concrete step forward is a new approach to enable all of us to better understand risk. The blog is long but it's a while since we've read anything quite as wise about cybersecurity and its challenges.

Truss up

The Daily Mail's scoop about Liz Truss's personal phone being hacked hasn't been independently confirmed. But neither has it been denied. Unfortunately, we know from our own sources that security people despair of UK politicians and their lax attitude to keeping official secrets secret (cf Suella Braverman/Gmail). Personal devices and unofficial messaging apps like WhatsApp are used as a matter of course. It's a gaping hole through which Russia, China and pretty much every other country are only too happy to wander. But the takeaway for the rest of us is that our own organisations face exactly the same risk. Surveys consistently show that employees will use tools that work rather than the ones they're told to use. The jargon term is 'Shadow-IT' and it's definitely being used in your organisation!

In brief

Hate: An excellent (and horrifying) thread tracks the online posts of the man who threw improvised petrol bombs at a UK immigration centre.

Qatar: Visitors to the World Cup won't need to install an invasive Covid monitoring app after all. The government now says the Ehteraz app will only be needed for visits to hospitals and healthcare facilities. Concerns had been raised about the permissions required by the app, which give it far-reaching control over any device on which it's installed.

Switzerland: Meanwhile, an investigation by Swiss TV/Radio reveals the spy operation in the run-up to Qatar being awarded the World Cup hosting rights.

Geolocation: Bellingcat has a revealing walk-through of how it used a seemingly innocuous group photo to identify the team that programmes Moscow's cruise missiles. Take care what you share!

Security controls: The US Cybersecurity and Infrastructure Security Agency has produced an invaluable reference guide that breaks down the cost, impact, and complexity of implementing different security controls.

AirTags: It looks like an airline has now banned Apple's tracking tags. Air New Zealand said they couldn't be turned off, so they couldn't be included in checked baggage. The decision appears to have little practical impact. Stuff

TikTok: An updated privacy policy makes clear to European users that their data can be accessed by employees outside the continent, including in China. The Guardian

LinkedIn: You might regard the networking platform as vaguely ridiculous. Justin Welsh probably wouldn't agree. He claims to be earning $2 million a year by telling people how to get the most out of the site. Motherboard

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217