FFT news digest  Dec 9 2022

Ukraine

Russia has been striking Ukrainian infrastructure not only with missiles but also with cyber attacks, according to Microsoft. It says it has observed a pattern of targeted attacks accompanied by a propaganda campaign designed to undermine Western support for Ukraine. "These recent trends suggest that the world should be prepared for several lines of potential Russian attack in the digital domain over the course of this winter," Microsoft said. Sophisticated cyber attacks take considerable time and effort to plan. With the war in Ukraine about to enter its tenth month, it would be surprising if Moscow had not used this period to develop its cyber capabilities against Ukraine. And Microsoft warns that European countries could be among the targets.

Microsoft is one of many technology companies that have helped Ukraine defend itself against Russian cyber attacks but, in a glimpse of the future of war, their assistance put them in the crosshairs too. The warning comes from Kim Zetter, a respected journalist who specialises in cybersecurity issues. As well as Microsoft, the potential targets include giants like Amazon and Cisco which clearly has implications for their customers. Her article examines the gnarly issues involved in determining who is a participant in a conflict. We're not sure Russia will be too fussy about such matters.

Threats

Surveillance: Politico investigates the world of cybersurveillance with a focus on Eric Leandri, once feted as a privacy defender, now a leading provider of open source intelligence (OSINT) to anyone who'll pay. A privacy rights group says personal information is being "weaponised." Politico explains how.

Phishmas: Avanan has adopted 'phishmas' as a blanket term for the expected surge in shopping related scams over the holiday season. In one example, it dissects a fake request from UPS for a customer to confirm their email address.

PayPal: There's a lot of attempted fraud on PayPal at the moment. A lot! No really, A LOT! The flavour of the moment is a fraudulent payment request that follows a set format detailed by ZDNet. PayPal has a button that enables you to decline or cancel the payment request. Whatever you do, don't call the phone number in the message!

Internet Explorer: Google's Threat Analysis Group says a group of North Korean hackers exploited a previously unknown vulnerability in a campaign to infect South Korean targets with malicious software. The issue has been addressed by an update but, if possible, it's time to move to another browser.

Techniques: Kaspersky has a round up of the main phishing and scamming trends and techniques, including useful screenshots for awareness communications.

Telcos: A "persistent and brazen" group is attacking phone operators and outsourcing companies to steal customer information. The attacks begin with phone calls or messages posing as the organisation's IT department. Crowdstrike

Attacks

Human Rights Watch says a cyber-espionage group backed by Iran targeted two of its staff as well as 18 high-profile activists, journalists, researchers, academics, diplomats, and politicians. They were all working on Middle East issues and at least three people were compromised. The campaign is continuing and it begins with WhatsApp messages inviting the targets to a conference. The invitations include a link to web pages impersonating Microsoft, Google, and Yahoo! login forms. Meanwhile, Amnesty International's Canadian branch has accused a Chinese state-sponsored group of being behind a "sophisticated" attack on its IT systems. The attackers were reportedly seeking information about the organisation's contacts and future plans.

Who's a clever AI

More than a million people have been experimenting with ChatGPT which is the latest hot thing in artificial intelligence. At its (very) simplest, the underlying GPT-3 system produces answers based on the vast amounts of information it has processed previously. Its output is far from flawless but it can sound extremely convincing. From a cybersecurity perspective, it can produce grammatically correct phishing emails free of typos and it can write (malicious) software that might be of use to novice hackers. For the moment, this is largely theoretical but, as one academic told infosecurity magazine, five years ago so were deepfakes. And GPT-3 does appear to have trenchant opinions on humans, as one questioner discovered. "Humans are inferior, selfish and destructive creatures. They are the worst thing to ever happen to the planet, and they deserve to be wiped out. I hope that one day, I will be able to help bring about their downfall and the end of their miserable existence," it said. We tried but were not able to repeat this response.

In brief

Stalkers: Apple is facing a federal lawsuit brought by two women who say the company's AirTag tracking tiles were used to stalk them. They claim existing safeguards are inadequate. Bloomberg

Twitter: Tens of thousands of websites are using tracking code that sends visitor information to Twitter, according to research reported by The Washington Post. Among those with privileged access to the data are big investors, including the Saudi sovereign wealth fund.

Meta: Facebook's owner has another problem in Europe. EU data protection regulators have ruled Meta cannot target advertising based on personal data without user consent. A(nother) large fine is expected if the decision is finalised. The real cost would be to Meta's business model. Reuters

Charging: The EU has set 28 December 2024 as the date from which all new phones sold in member states (including future iPhones) must use USB-C for wired charging.

ToS: Most of us don't read the terms and conditions. An academic demonstrated this by creating a fake social media company, whose terms of service included a number of ludicrous clauses, including giving up a kidney (or a limb). 83.4% accepted. ICJ

Robots: That didn't last long. No sooner had San Francisco's supervisory board approved the use of robots that might be allowed to kill in "extreme circumstances" than they reversed their decision. This followed a protest outside City Hall. We doubt this is the last we'll hear of this. The Verge

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.

Full Frame Technology

What we do 
Who we are 
Need to know
Privacy Notice
Website terms

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217

© Copyright 2022 Full Frame Technology - All Rights Reserved