FFT news digest, Dec 2 2022

Password mismanager

One of the leading password manager companies says attackers have accessed "certain elements" of its customers' information. LastPass says it detected unusual activity in a cloud storage service following a breach of its systems in August. It's important to emphasise that this does not mean any customer passwords were revealed, because the way they're stored means LastPass can't access them, even if it wanted to. But it is essential that LastPass users are on their guard for emails that appear to come from the company, because this is an obvious opportunity for any attacker to impersonate it. We also suggest being cautious about using LastPass browser extensions.

LastPass has been reasonably transparent about the incident(s) and it's understandable that they haven't revealed exactly what customer information has been accessed (not least because they may not know yet). Nevertheless, the breach will inevitably cause nervousness among people considering whether to start using a password manager. Password managers are still the best solution for using passwords safely - and they're far more secure than reusing passwords or storing them in a browser. That said, given that LastPass was breached in August and attackers almost always come back for more, it's worrying that LastPass wasn't able to prevent this latest incident.

Threats

USB: A new cyber-espionage group in Southeast Asia is using booby-trapped USB devices to target public and private organisations. Mandiant

Domains: Most major organisations aren't doing enough to protect their domain names from spoofing, fake registrations and other threats. CSC

Fake VPN: Android users in the Middle East and South Asia are being targeted with spyware posing as fake VPN apps. Among its capabilities, it can steal sensitive data including contacts, SMS texts, call logs and device location, and it can record phone calls. It can also actively spy on chat messages.

World Cup: Scammers have come up with multiple ways to harvest personal information and steal money from people trying to buy merchandise or tickets online. Group-IB

TikTok: The promise of nude videos is being used to lure victims into downloading information-stealing malware. The wrinkle this time is a trend known as Invisible Challenge which involves applying a filter to videos so that only a silhouette of the person's body remains. Scammers offer a tool to reveal what was hidden. Checkmarx

Gift cards: Scumbags are playing on people's emotions to try to persuade them to send them gift cards. The criminals break into email accounts and send messages to the owner's contacts claiming they need to send a gift to an unwell friend. Abnormal Security

Phishing: IT and security teams spend one-third of their week handling phishing threats, according to Osterman Research (R). The study also highlights the expanding use of messaging apps and cloud-based file sharing platforms to reach targets.

Spyware

A relatively new exploit broker is offering up to $1.5 million for ways to break into the Signal messaging app, trebling the going rate for such vulnerabilities. The offer comes from a St Petersburg-based company called OpZero. The price is believed to be linked to the widespread use of Signal by the Ukrainian military and government which makes it an irresistible target for Russia. Like any software, Signal has had security vulnerabilities in the past but the relatively small size of the organisation means it's normally very quick at fixing them. Meanwhile, in the first such case of its kind, the maker of Pegasus spyware is facing a lawsuit in the US. It's been brought by a US journalist and colleagues from El Salvador who allege they were targets of the NSO Group’s spyware. Their aim is to persuade a judge that NSO has broken US law. The New Yorker's long-read is worth the effort.

Twitter

The Twitter saga continues, with Elon Musk threatening to go to war with Apple and just as quickly retreating after what he said was a "good conversation" with Apple chief executive Tim Cook (and a tour of "Apple's beautiful HQ"). Childish tirades aside, the key issue to watch is what happens to the content on Twitter. It's clear the platform's moderation capabilities have been eviscerated. Previously banned controversialists have been allowed to return (though Kanye 'Ye' West was promptly banned again after he posted a swastika). The policy on misleading Covid information will no longer be enforced. Advertising revenue is vital, so it will be the tweets that determine whether major companies (like Apple) want to hand over some of their marketing budgets to help Musk service the debt now sitting on Twitter's books.

In brief

Conspiracy: Computer Weekly alleges that the former UK spy boss Richard Dearlove leaked names of MI6 secret agent recruiters in China as part of an aggressive right-wing US campaign against Chinese technology giant Huawei. His emails were hacked and then leaked, probably by Russian intelligence.

Online Safety Bill: We've been watching this bill's halting parliamentary progress because of its potential impact on privacy. Index on Censorship has also been studying it and says the law will outlaw end-to-end encrypted messaging as part of the fight against child abuse and terrorist content.

Geolocation: The FBI's investigation into the violence on Capitol Hill is the biggest in its history and includes 5,723 devices identified by Google as being in or near the area during the riot. Wired examines the use of "geofence warrants."

Meta: Ireland's Data Protection Commission has imposed a €265 million fine on Meta for failing to safeguard the personal data of 533 million Facebook users. That means the Irish regulator has fined Meta almost $1 billion in the past 18 months.

Butterfly keyboards: Owners of MacBook devices with Apple's utterly awful 'butterfly' keyboard will receive compensation of up to $395 after a judge approved Apple's proposed payouts. Alas, the awards apply only in specific US states. 9to5Mac

Laser printers: Epson has announced that it will stop selling and distributing laser printers by 2026 in the name of sustainability. It will focus on inkjet devices instead.

Hacking cars: Researchers say they were able to remotely control Honda, Nissan, Infiniti, and Acura vehicles in the US by exploiting their satellite radio services. All they needed were the cars' VINs (vehicle identification numbers). This week, Honda said hands-free driving would come as standard on all its vehicles by 2026.

Robots: Following a supervisory board vote, police in San Francisco will be allowed to deploy robots that could be used to deal with a terrorist or mass shooter "in extreme circumstances." Their primary purpose will be bomb disposal and "there are no plans to attach firearms," except presumably in extreme circumstances.

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217