FFT news digest August 14 2020

Penetration tested

Weak passwords and poor patching policies make many organisations vulnerable to attack, according to Positive Technologies. Based on penetration tests it has carried out, it found 71% of companies had at least one obvious weakness that could be easily exploited. The report highlights web applications as a particular risk and says these weren't properly secured in 86% of the companies it tested. The research is clear, alarming and has sensible recommendations for improving security. It's particularly important given the move to remote working, which Gartner predicts will continue even when the coronavirus pandemic subsides. That change makes it essential to adopt a 'zero-trust' approach to security, and ensure there is adequate training to reduce the risk of data breaches. This week, a report warned that "organisations' cloud migrations and deployments are racing ahead of their security teams' abilities to defend them."

Twitter lessons

Fake news: Content farms are producing vast quantities of misleading, false, and inflammatory news stories about the COVID-19 pandemic in an attempt to generate ad revenue. Some also try to lure readers into 'subscription traps' which involve free trials followed by ludicrously high monthly fees. RiskIQ

Vaccine: There's been an upsurge in phishing emails using the prospect of a coronavirus vaccine as a lure. Subject lines include 'Urgent Information Letter: Covid-19 New Approved Vaccines' and 'UK coronavirus vaccine effort is progressing'. Check Point

Coke: Emails hold out the unlikely promise of a £1 million raffle prize from Coca-Cola in an attempt to harvest personal information. BitDefender

Celebrity scams: Despite being (frankly) unbelievable, there's been such an upsurge in these scams that the UK government has issued a warning about them. NCSC

Homoglyphs: A new credit card skimming campaign uses lookalike domain names and malicious icon files. Homoglyph attacks use a web address that looks like the real one but actually has a character changed. They can be very hard to spot, particularly on a mobile phone. Password managers can help defeat them. Malwarebytes

Virgin Media: Criminals set up a fake Twitter account to target customers trying to contact technical support. As above, the fake account (@virgneimedia) looks almost like the real one. Virgin Media Community
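The two items above describe the same trick from two angles: a character swapped for a lookalike (homoglyph) and letters transposed in a handle (@virgneimedia). The following is an added example, not code from the digest or from Malwarebytes or Virgin Media, showing how a defender can screen domain labels or social-media handles against a brand allow-list by reducing them to a confusable-folded 'skeleton' and then measuring similarity. The brand list and confusable table are constructed for illustration; Unicode's confusables.txt is far more complete.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed: a few characters that render like the ASCII letter they map to.
CONFUSABLES = {
    "0": "o", "1": "l", "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0455": "s", "\u0456": "i",
    "\u0131": "i", "\u0261": "g", "\u03bf": "o",
}
DIGRAPHS = {"rn": "m", "vv": "w"}  # two letters that read as one at small sizes

BRANDS = ["paypal", "virginmedia", "microsoft"]  # constructed allow-list


def skeleton(label: str) -> str:
    """Collapse visually similar spellings of a label/handle to one canonical form."""
    label = label.lstrip("@").casefold()
    if label.startswith("xn--"):               # IDN label: decode Punycode first
        label = label.encode("ascii").decode("idna")
    s = unicodedata.normalize("NFKC", label)   # fold fullwidth forms, ligatures, etc.
    s = "".join(ch for ch in unicodedata.normalize("NFD", s)
                if not unicodedata.combining(ch))  # drop accents and diacritics
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for pair, single in DIGRAPHS.items():
        s = s.replace(pair, single)
    return s


def classify(label: str, brands=BRANDS, typo_threshold: float = 0.8):
    """Return (verdict, brand): 'exact', 'homoglyph', 'typo', or ('unknown', None)."""
    raw = label.lstrip("@").casefold()
    sk = skeleton(label)
    for brand in brands:
        if raw == brand:
            return "exact", brand
        if sk == skeleton(brand):
            return "homoglyph", brand          # looks identical, spelled differently
    # No visual match: fall back to a similarity ratio to catch transposed/extra letters.
    best = max(brands, key=lambda b: SequenceMatcher(None, sk, skeleton(b)).ratio())
    if SequenceMatcher(None, sk, skeleton(best)).ratio() >= typo_threshold:
        return "typo", best
    return "unknown", None


if __name__ == "__main__":
    for name in ["@virginmedia", "@virgneimedia", "paypa1", "p\u0430ypal", "rnicrosoft"]:
        print(f"{name:16} -> {classify(name)}")
```

Tune the threshold and brand list to your own environment; a stricter threshold reduces false positives on unrelated short names.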

cPanel: A fake security advisory warns users of critical vulnerabilities in their web hosting management panel. Bleeping Computer

Internal: Attackers love getting access to a corporate email account because they can use it to send out more malicious emails. This example masquerades as a notification for a OneDrive for Business file. Abnormal Security

Government/Universities: A widespread campaign is targeting government and university websites to host articles on hacking social network accounts that lead to malware and scams. Bleeping Computer

Phishing Israel

A sophisticated attempt to steal Israeli defence secrets highlights tactics that everyone should be aware of. The attack, apparently carried out by North Korea, began with a LinkedIn message, according to research by ClearSky. "Throughout the campaign, the group succeeded in manipulating targeted employees with a 'dream job' offer," ClearSky said. To do so, a fake LinkedIn profile was created in the name of a real recruitment professional at Boeing. Once contact had been established, the attackers suggested talking via WhatsApp. Some of those who received calls said the person they talked to spoke unaccented English and sounded credible. The aim of the process was to persuade the target to open a booby-trapped PDF file that would enable the attackers to infiltrate their company's network. While sophisticated, the use of LinkedIn as a way to research targets and make contact with them is very common. We advise being careful with unsolicited connection requests and limiting the amount of information strangers can see.

Privacy Shield

The recent decision by Europe's court to strike down the mechanism for personal data transfers to the US has highlighted a fundamental conflict that many people would like to ignore. Among them seem to be officials from the US Department of Commerce and the European Commission who this week announced the start of discussions on an "enhanced framework" to comply with the court's decision. Alas, it's impossible to see how such a framework could be constructed because of the fundamental differences between EU and US laws on personal data rights. Instead, the most likely outcome is a messy compromise that simply ends up back in front of the court. This leaves organisations in a tricky position, because the court's judgement makes them responsible for assessing the adequacy of data protections in the US. Our data protection partner, DPN, has an in-depth article on the whole messy subject.

Facial recognition

In a setback for police use of facial recognition in the UK, the Court of Appeal ruled that use of automated technology by South Wales police was unlawful. The decision followed a challenge by civil rights group, Liberty, and a Cardiff man who had argued that being identified by the Automated Facial Recognition system caused him distress. Liberty called the ruling "ground-breaking" and welcomed the court's rejection of police arguments that facial recognition should be considered equivalent to the use of CCTV. The court was careful to stress that the decision does not outlaw facial recognition, but it did find significant deficiencies in the existing legal framework for deploying the automated technology. For his part, the Video Surveillance Commissioner issued a trenchant call reiterating the need for "a full review of the legislative landscape that governs the use of overt surveillance".

Social media stalking

You might think the class of 2020 have quite enough problems already without recruiters poring over their social media feeds, but that's exactly what many employers are doing. In fact, half of the employers surveyed in a recent report would use personal social media sites to research candidates if they thought it might be useful, and 11.4% said doing this was routine. As the report makes clear, employers need to be very careful about this lest they violate data protection regulations. Meanwhile, those with jobs already might be interested to hear that the UK data protection regulator is investigating Barclays following allegations that managers spied on staff as part of a productivity drive. As reported by City AM, one employee received a "work yoga" assessment informing them they had failed to spend "enough time in the Zone" on the previous day. 

In brief

The shameful chaos surrounding A-level exam results in the UK is likely to result in an upsurge of requests by students to access information about their results. As the UK data regulator says, that's a right under the GDPR. Mishcon de Reya has a detailed analysis. And a leading Data Protection specialist is offering a free webinar for "angry teens".

iOS issue: iPhone, iPod touch, and iPad users are reporting a random error message related to the iTunes Store. If it's happening to you, unfortunately there's nothing you can do about it at the moment. 9to5Mac

A previous version of TikTok's Android app violated Google policies by collecting the unique identification numbers of devices on which it was installed. WSJ ($)

A budget 3D printer is all you need to bypass biometric authentication for a range of fingerprint scanners. It took a researcher 10 attempts to lift a latent fingerprint with a digital camera, import it into a 3D modelling tool and produce a print that worked. Infosecurity

There are more than 3.7 million internet-connected devices that anyone can discover and access remotely. They include cameras, baby monitors, doorbells etc. You can see the offenders on a map and a researcher has advice for users (secure them, or chuck them out). hacked.camera

Want to turn the tables on Facebook? You can use its ad library to find promo codes for online shopping, and dig out lots of other information, including election spending and marketing campaigns. slimeseason33 via Caroline Haskins

Users of the anonymising Tor network should be aware of research that found roughly a quarter of connections were passing through malicious exit points. This is a longstanding security issue, but it hasn't been seen at this scale until now. Nusenu via The Register

Updates

Microsoft: Another bumper pack of security updates (Microsoft has already released more updates this year than it did in the whole of 2019, according to Zero Day Initiative). Of the latest 120, 17 are 'Critical' and two are being actively exploited.

iOS: iOS 13.6.1 and the matching iPadOS release are supplemental updates intended to fix storage and display problems caused by the previous release.

macOS: 10.15.6 also fixes stability problems in the previous release.

iCloud: iCloud for Windows 7.20 is an important update which addresses multiple security issues.

Chrome: Update for Windows, Mac and Linux versions (including Opera and Edge) which addresses a previously unknown vulnerability that could allow an attacker to bypass Content Security Policy rules.

Adobe: Patches for 26 vulnerabilities in Acrobat and Reader, including 11 rated 'critical'. There's also an 'important' update for the Windows version of Lightroom Classic.

Citrix: Users of XenMobile and Endpoint Management are "strongly recommended to update their deployments immediately" because of multiple vulnerabilities.

SAP: The fix for NetWeaver AS Java is actually a fix for last month's update. There are also updates to address less serious issues in a range of other products.

vBulletin: Update for a previously unknown vulnerability which could allow code to be run remotely. The issue is (very) simple to exploit, so this update is essential.
