FFT news digest February 19 2021

Crime

Let's be honest, no-one really knows how much money is lost as a result of cyber crime - but there's no question it's an enormous sum. One estimate from Atlas VPN, which includes the cost of security measures, puts the figure at over $1 trillion. That's equivalent to around 1% of global GDP. Ransomware is a leading threat, affecting 75% of organisations that responded to a survey by Proofpoint. In its 2021 Global Risks Report, the World Economic Forum ranks cybercrime alongside climate change as the biggest threat facing society over the next decade.

Broken

Given the sheer scale of cybercrime, it's not surprising that 2020 saw a record number of reported security vulnerabilities. An analysis by Redscan found 18,103 issues were reported last year - over half classified as high or critical in severity. "Security professionals should be concerned about the fact that more than two-thirds of vulnerabilities recorded in 2020 require no user interaction of any kind to exploit," Redscan warned.

Cash and kisses

Alongside ransomware, criminals love romance scams and business email compromise.
Losses from romance fraud in 2020 are estimated at a record $304 million in the US and £68 million in the UK. Romance scams involve fooling people by gaining their trust and, as Action Fraud warns, they can be remarkably persuasive. Trust is also the focus of business email compromise, which often employs messages that appear to come from a manager, colleague or a trusted business contact. It accounted for $1.77 billion of losses in 2019, according to the FBI.

Threats

Remote Desktop: Those who have been around the computing scene for a while will know remote access is nothing new - and, from a security perspective, that's part of the problem. Attacks on Remote Desktop Protocol (RDP) clients rose by 768% last year, according to ESET, and it's one of the main vectors for ransomware infections.

Credentials: Here's an illustration of how fundamentally broken online security is. A database has been posted on a cybercrime forum. It pulls together stolen usernames and passwords (aka a COMB - or 'compilation of many breaches'). It has 3.27 billion unique entries. The cost of access: $2. That's why reusing passwords is such a horrible risk. Threatpost
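The defensive counterpart to a compilation like COMB is checking whether a password already appears in a breach corpus, ideally without ever sending the password anywhere. The following is an added example, not code from the newsletter or any of the services it mentions. It implements the k-anonymity range-query pattern (the client sends only the first five hex characters of the SHA-1 hash, the server returns every suffix sharing that prefix, and the match is made locally); the "server" and its corpus of leaked plaintexts are constructed in-process for the demo.

```python
"""Added example (not from the newsletter): check a password against a breach
corpus using a k-anonymity range query, so the full hash and the password
never leave the client. The corpus below is constructed for the demo."""
import hashlib
from collections import defaultdict

# Constructed breach corpus. In a real deployment the server side holds a
# large index of leaked password hashes keyed by their 5-character prefix;
# these plaintexts exist only so the demo can build such an index.
_LEAKED_PLAINTEXTS = ["123456", "password", "Password1", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the hash the range API uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Index hash suffixes by their 5-character prefix (server-side view)."""
    index = defaultdict(list)
    for pw in plaintexts:
        digest = sha1_hex(pw)
        index[digest[:5]].append(digest[5:])
    return index


BREACH_INDEX = build_range_index(_LEAKED_PLAINTEXTS)


def range_query(prefix: str):
    """Server side: return only the suffixes that share this 5-char prefix.

    The server learns a 20-bit prefix and nothing else, which is why the
    client can afford to ask even for passwords it is about to accept."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return list(BREACH_INDEX.get(prefix.upper(), []))


def is_breached(password: str) -> bool:
    """Client side: hash locally, query by prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix)


def signup_password_ok(password: str, min_length: int = 12) -> bool:
    """Example policy for a registration form: reject short or leaked passwords."""
    return len(password) >= min_length and not is_breached(password)


if __name__ == "__main__":
    for candidate in ["Password1", "correct-horse-battery-staple-2021"]:
        print(f"{candidate!r}: breached={is_breached(candidate)} "
              f"accepted={signup_password_ok(candidate)}")
```

The point of the prefix split is that a compromised or curious server cannot recover the password from the query: with 5 hex characters, hundreds of real hashes share each prefix, so the request identifies nothing. Rejecting known-leaked passwords at signup and at password change is the practical mitigation for the reuse problem the item describes.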

Bonus: A new campaign tries to dupe enterprise users with a variety of lures, including fake customer complaint reports, fake billing statements and a non-existent bonus. Fortinet

Fedex: Fake delivery notification arrives by text message. Clicking on the embedded link opens a site asking the user to download an application which is actually malicious software. incibe

LinkedIn: A “LinkedIn Private Shared Document” is used to try to fool targets into entering their credentials on a fake LinkedIn login page. For the record, there's no such thing as a LinkedIn Private Shared Document. JB Bowers

Masslogger: Sophisticated campaign seeks to install software that records keystrokes and can steal credentials from infected systems. So far, main targets are in southern and eastern Europe. Cisco Talos

Selfie security: Password reset questions (mother's maiden name etc.) are a menace, as a case in the US illustrates. A student accessed other students' accounts and stole nude photos. A key method was to reset victims' passwords by guessing the answers to reset questions. The prosecution documents also describe his other methods. The Register

WatchDog: Most online systems are under attack from networks of compromised computers (or 'botnets') designed to use their processing power to mine crypto-currency. Latest example is WatchDog which exploits unpatched applications, including Drupal, SQL Server and Oracle WebLogic. Unit 42

Spy pixels

The use of invisible tracking in emails is now endemic, according to analysis by a messaging service carried out at the request of the BBC. 'Spy pixels' let organisations see whether their emails have been opened by the recipient. Like pretty much every newsletter, we use this technology - but, unlike others, we only look at the number of times the email is opened, rather than spy on the type of device you're using or your physical location, which the technology can also reveal. And (much to the confusion of the people operating our newsletter platform), we don't alter the embedded links so that we can see whether you have clicked on them. That's partly because we're not trying to monetise what you do, but mainly because altering the links involves turning them into gobbledygook which obfuscates where they lead. And that's something we advise people not to do (as do many security websites which fail to follow their own advice).
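Both techniques the paragraph describes (the open-tracking pixel and the rewritten click-tracking link) are visible in the HTML of the message if you know what to look for. The scanner below is an added example, not code from the newsletter or its mailing platform: it walks an HTML email with the standard-library parser, flags images that are 1x1 or hidden and loaded from a remote host, and flags links whose real destination is buried in a query parameter or whose visible URL text points at a different host from the actual href. The sample email and the hostnames in it are constructed for the demo.

```python
"""Added example (not from the newsletter): flag 'spy pixel' images and
rewritten (click-tracking) links in an HTML email body. Standard library
only; the sample message below is constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: a normal logo image, a plain link, a link routed via a
# click tracker that carries the real destination in a query parameter, and
# a hidden 1x1 image with a per-recipient token.
SAMPLE_EMAIL = """
<html><body>
<p>Hello reader, here is this week's digest.</p>
<img src="https://cdn.example.org/logo.png" width="200" height="60" alt="logo">
<a href="https://example.org/article">Read the article</a>
<a href="https://track.example.net/click?u=abc123&url=https%3A%2F%2Fexample.org%2Fother">
  https://example.org/other</a>
<img src="https://track.example.net/open?rid=7f3a9c" width="1" height="1"
     style="display:none">
</body></html>
"""


class EmailTrackingScanner(HTMLParser):
    """Collects suspected open-tracking pixels and rewritten links."""

    def __init__(self):
        super().__init__()
        self.pixels = []        # img src values that look like spy pixels
        self.links = []         # href values that look like tracking redirects
        self._open_href = None  # href of the <a> currently being read
        self._text = []         # visible text inside that <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and self._looks_like_pixel(a):
            self.pixels.append(a.get("src", ""))
        elif tag == "a" and "href" in a:
            self._open_href = a["href"]
            self._text = []

    def handle_data(self, data):
        if self._open_href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open_href is not None:
            shown = "".join(self._text).strip()
            if self._looks_rewritten(self._open_href, shown):
                self.links.append(self._open_href)
            self._open_href = None

    @staticmethod
    def _looks_like_pixel(a):
        def dim(value):
            try:
                return int(str(value).rstrip("px"))
            except ValueError:
                return None  # missing or non-numeric dimension
        tiny = dim(a.get("width")) in (0, 1) or dim(a.get("height")) in (0, 1)
        hidden = "display:none" in (a.get("style") or "").replace(" ", "")
        remote = urlparse(a.get("src", "")).scheme in ("http", "https")
        # A remote image the reader cannot see exists only to fire a request.
        return remote and (tiny or hidden)

    @staticmethod
    def _looks_rewritten(href, shown):
        target = urlparse(href)
        # Case 1: the real destination travels inside a query parameter.
        for values in parse_qs(target.query).values():
            if any(urlparse(v).scheme in ("http", "https") for v in values):
                return True
        # Case 2: the visible text is a URL, but the href goes somewhere else.
        if shown.startswith(("http://", "https://")):
            return urlparse(shown).netloc != target.netloc
        return False


def scan_email(html: str) -> dict:
    """Return the suspected pixels and rewritten links found in the HTML."""
    scanner = EmailTrackingScanner()
    scanner.feed(html)
    scanner.close()
    return {"pixels": scanner.pixels, "rewritten_links": scanner.links}


if __name__ == "__main__":
    for kind, urls in scan_email(SAMPLE_EMAIL).items():
        print(f"{kind}: {len(urls)}")
        for url in urls:
            print("   ", url)
```

The link check is the more useful half for the "don't click on gobbledygook" advice: a mail client or gateway that applies it can show the decoded destination before the user follows the redirect. The pixel check is deliberately loose (any invisible remote image), because the tracking token can live in the path rather than the query string; blocking remote images by default is the simpler mitigation for recipients.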

Facebook

Much like the hapless skater in Amsterdam, Facebook appears to be living dangerously at the moment. In Australia, its ban on news content affected government agencies and non-profit organisations (and a bookshop) before the social media giant figured out this wasn't a great look. Facebook is protesting about a proposed media law under which digital platforms would have to pay for news content on their sites. It's a complex issue, with many commentators criticising the Australian approach as an attack on the open internet because it implies taxes on links to content. The alternative view, which we tend to share, is that technology giants like Facebook have enjoyed a Wild West-style evolution with little regulation or constraint. Australia's proposed law may be a flawed response to that, but Facebook's reaction has demonstrated precisely why action is needed. By contrast, Google has reached a deal with Rupert Murdoch's News Corp to pay an undisclosed amount for long-term access to its content which, from the digital platforms' perspective, is probably a smarter approach.

Operating systems

Chrome has overtaken macOS to become the world's second-most popular operating system, according to figures from IDC reported by GeekWire. This may not reflect a move away from Macs, but rather a decline in Windows, particularly at the budget end of the market. Meanwhile, not altogether surprisingly, research has identified malicious software designed to target Apple's latest MacBooks and Mac Minis. Two distinct strains have been adapted for Apple's new ARM-based M1 processors, as Wired reports.

MacBooks

We don't underestimate the challenge of installing multiple updates, but latest figures suggest a terrifying number of organisations are failing to take current threats seriously. RiskRecon found over 1,200 examples where no action had been taken following the massive SolarWinds security breach. That's despite blanket coverage, repeated warnings about the sophistication of the hackers and constant pleas from SolarWinds to install security updates.

In brief

SHAREit: Android app with more than one billion downloads has vulnerabilities that could be exploited to run malicious code. Three months after being reported, they have yet to be fixed. Trend Micro

GDPR: The European Commission is reported to be preparing a draft ruling granting "adequacy" status to the UK in respect of transfers of personal data from the EEA to the UK. The much-anticipated decision will simplify processes for UK organisations, but unfortunately it's unlikely to be the end of the story. Financial Times ($)

Ring: The Electronic Frontier Foundation says Los Angeles police used footage from Amazon's Ring cameras to investigate last year's Black Lives Matter protests against police violence.

Nurserycam: A surveillance device targeted at nursery schools was so poorly designed that anyone who downloaded its mobile app could access its video feeds. The manufacturer, Footfallcam Ltd., has said it will fix the issue, but not before initially threatening to report the researcher who discovered the issue to the police. The Register

TikTok: The European Consumer Organisation has accused TikTok of breaching users’ rights “on a massive scale”. It cited multiple issues, with particular emphasis on the terms of service.

Bloomberg: Regular readers might remember a 2018 report about tiny spy chips in Supermicro servers. The story was greeted with widespread scepticism. Now Bloomberg is back with a follow-up suggesting things were worse than originally reported. The truth - and hard evidence - remain elusive.

Hooky: This kid will go far. Twitter thread explains how an eight-year-old, fed up with homeschooling, managed to baffle her parents and teachers by repeatedly disabling her Zoom account. Her method? Just enter the wrong password 20 times.

Zen: Zen Internet told a customer it could do nothing about the dreadful service he was experiencing and he should complain to his MP. The Register got involved and Zen agreed to escalate the issue to Openreach's Directors Services Office which is the highest escalation point for issues that providers can't fix. Given the lamentable state of many of the UK's streetside cabinets on which internet connectivity depends, this story may be worth remembering. (And an email to the CEO never hurts.)

Updates

macOS: Big Sur 11.2.1 fixes an issue affecting systems with limited storage. The update means the OS won't install if there's insufficient space available. You might have thought Apple would have included this from the start. The update also addresses a battery charging issue.

Apple Watch: Latest Apple products to qualify for a free repair are the Apple Watch Series 5 and SE. It's designed to fix a problem which leaves the devices stuck in Power Reserve mode.

Windows 10: Microsoft is force installing a Windows 10 update that removes the embedded 32-bit version of Adobe Flash Player from the operating system. Which is a good thing - but it will only work for installations that were carried out by Windows.

Telegram: Latest macOS version fixes an issue which meant self-destructing audio and video files were not being deleted as expected. It's worth bearing in mind that desktop versions of secure messaging platforms are inherently less secure than the mobile apps.

LastPass: Prize for most unwanted update of the week goes to password manager LastPass. New limitations on its free service will mean users can use it either on a desktop computer or a mobile device, but not both, thereby destroying its basic usability. ghacks explains how to migrate to Bitwarden, which is a respected (free) alternative.

Cisco: Security updates to address a vulnerability in AnyConnect Secure Mobility Client which could be exploited to take control of an affected system.

QNAP: Update to fix a remote code execution (RCE) vulnerability in an application used by many of its Network-Attached Storage (NAS) devices.
