FFT news digest  Nov 18 2022

Twitter

Twitter is one of many social media platforms that allow people to use their login to access other websites. Given the turmoil at Twitter since Elon Musk's arrival, anyone still using this functionality would be well advised to stop. There are longstanding security concerns with the way this solution works, not least that if the 'master' identity is compromised then so is every other site where it has been used to sign in. There are already indications that part of Twitter's two-factor authentication solution has stopped working. That came as Musk announced "micro services bloatware" would be turned off, offices were temporarily closed and hundreds more staff quit.

Musk's latest ultimatum to those he hasn't fired yet was swiftly leaked to the media, but it reminded many of a previous incident at Tesla that highlights a key risk for whistleblowers.
In 2008, Musk was infuriated by leaks at Tesla so he cooked up a cunning plan to identify those responsible. The tactic involved sending a company-wide email (much like his latest missive) but with slight alterations to make each message unique. This is why reproducing the exact copy of a leaked document is so dangerous. Unhappily for Musk, the 2008 plan went awry because he didn't tell his senior executives about it, so one of them forwarded his personalised version to everyone - thus providing a safe copy to leak. The now-defunct Gawker has the details.

One other Twitter-related item. Many people are fleeing to Mastodon, which is both vaguely similar and completely different. There are plenty of useful guides to creating an account (some links are below), but one key piece of advice is to start the process on the website rather than in the app. More broadly, we predict that most people will find Mastodon quite a steep learning curve - though new joiners are broadly positive about it. The Electronic Frontier Foundation has a comprehensive overview, including a focus on security. Other useful guides: Wired, TechCrunch, ZDNet.

Threats

Offboarding: A survey by Teleport found that only 24% of respondents were fully confident that ex-employees no longer had access to company resources.

Images: Malicious software is being hidden in PNG images which are targeting high-profile victims, including government organizations, across the Middle East, Southeast Asia, and South Africa. Avast

Tech support: The FBI is warning about new technical support scams, in which criminals pose as support staff from computer or software companies and try to trick unsuspecting PC users into giving up access to their bank accounts.

Uyghur: Two long-running surveillance campaigns have been using Android spyware to target the Uyghur community inside and outside China. More than 100 apps masqueraded as video players, messengers, religious apps, and even TikTok. Lookout

Reputation: An extortion scam is targeting website owners and administrators worldwide, claiming to have hacked their servers and demanding $2,500 not to leak data. Bleeping Computer

YouTube: A widespread campaign uses tutorials on YouTube to steal information from victims. The tutorials purport to provide guides on downloading pirated software. Cyble

Black Friday: With so-called offers already landing in inboxes, now is the time to be on guard for the scammers who will inevitably try to take advantage of the start of the holiday shopping season. Above all, remember that if a deal sounds too good to be true, it almost certainly is. NCSC

Meddling

US intelligence officials have concluded that the United Arab Emirates engaged in extensive efforts to manipulate the American political system to influence foreign policy. The Washington Post says a classified report details a campaign that spanned multiple US administrations, exploited lax enforcement of disclosure regulations and included hacking computers in the US. The UAE has repeatedly been linked with the use of sophisticated spyware, including Pegasus, which is alleged to have been used against the wife of murdered Washington Post columnist Jamal Khashoggi.

Events...

Ahead of the World Cup, Germany and France have joined Norway in warning about the data privacy risks of Qatari government apps. There have been longstanding concerns about the Ehteraz coronavirus tracking app, though it is now mandatory only for visitors to healthcare facilities. The other app, called Hayya, is mandatory for anyone visiting Qatar between November 1 and December 23. The German data protection commissioner said the data processing of both apps probably goes much further than indicated, and advises the use of a burner phone if the apps are unavoidable. More generally, we suggest considering the same precautions for any event-related apps. Before the COP27 summit in Egypt, some attendees were told not to install the official Android app, which required access to location, photos and emails.

In brief

Meta spies: The Wall Street Journal reports that Facebook's parent has fired or disciplined more than two dozen employees and contractors over the last year for taking over user accounts, in some cases allegedly for bribes.

Sextortion: The FBI says a "high rate" of teenage boys are committing suicide after receiving sextortion threats. In some cases, criminals told families to pay up or the deceased's nude photos would be released. Forbes

Collusion: Apple and Amazon colluded to raise the prices of iPhones and iPads, according to a class action lawsuit filed in Seattle. They're accused of reducing competition by cutting the number of vendors on Amazon's site.

Repair shops: University researchers in Canada have found that electronics repair services lack effective privacy protocols and technicians often access customers' data.

EV charging: As the demise of the internal combustion engine creeps closer, researchers are warning about serious security vulnerabilities in the infrastructure being created to charge electric vehicles. Sandia

Smart home hubs: A basic rule of cybersecurity is that convenience introduces risk. That's particularly true of the hubs that allow users to control smart devices like lightbulbs and cameras. Even if the devices themselves are secure, research shows useful information can be gathered simply by analysing the data traffic between the devices and their hub. University of Georgia

Tuvalu: In the face of rising sea levels, the Pacific island nation says it plans to build a digital version of itself, replicating islands and landmarks and preserving its history and culture. Reuters

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217