FFT news digest April 30 2021

Apple

A big week for user privacy as Apple rolled out a major update to its iPhone and iPad operating system. App Tracking Transparency is intended to prevent user activity being tracked across multiple apps, unless the user explicitly agrees to opt in. The tracking relies on a technique called ID for Advertisers (IDFA), which is vital to gathering data about users and targeting adverts at them. Apple has produced a white paper that sets out just how extensive that information is.

A minor issue is that the feature doesn't appear to be working terribly well at the moment (see Updates below), but Apple's direction of travel is clear. It has stated explicitly that it's time for users to regain some measure of control over their personal data. Advertisers are furious, with Facebook leading a chorus of complaints that the change will damage revenues. The New York Times has a juicy account ($) of how Apple CEO, Tim Cook, and Facebook boss, Mark Zuckerberg, "became foes" over the issue.

Facebook has said it expects Apple's move to have an impact on its second quarter earnings (which were an eye-watering $26.17 billion in the first quarter of 2021). An internal Facebook memo obtained by Business Insider warns advertisers that the results of their campaigns will fluctuate, with audiences shrinking as Apple devices are updated and users opt out of tracking. Apple faces its own challenges. German advertisers have accused ($) it of antitrust abuse, saying the changes will damage the advertising market. And today the EU issued a preliminary conclusion accusing Apple of anti-competitive behaviour by favouring Apple Music over its rivals.

Threats

Social engineering: Attackers are adept at exploiting our habits - and most incidents begin by hacking humans rather than technology. CSO rounds up the most popular techniques, including QR codes (more on that below), browser notifications (block them), collaboration scams (be sceptical), supply chain impersonation (verify, trust, repeat), deep fakes (increasingly common), text fraud (don't click a link to do something important), and lookalike domains (use a password manager).

Location: Do be cautious about which apps you allow to access your location. The risks of location tracking are illustrated by the Wall Street Journal which reports ($) that US military movements in Syria were revealed by location info available for purchase from smartphone apps.

Soccer: Almost all websites offering illegal streams of football matches contain some form of malicious content. We have been warned. Webroot via TechRadar. Torrent Freak explores the malicious content on offer.

Vaccines: Unsurprising news of the week. There's an epidemic of vaccination scams across the world. Anything asking for personal information should be treated with extreme caution. ExpressVPN

Deliveries: Germany and the UK have warned about a spike in malicious SMS messages targeting Android users. The messages contain links to fake delivery company websites. The Record

Hermes: There's also a scam specifically targeting Hermes in an ingenious, multi-stage campaign. WMC Global

Oscars: Tempted to download an Oscar winner? Cyber criminals hope so because multiple scams are underway using links to Oscar-nominated movies as a lure. Threatpost

Ransomware

We're living in what "could be seen as a golden age" for cyber criminals, according to UK law firm, Mishcon de Reya. Several variations on the ransomware theme have emerged, with a key one being threats to leak information, rather than simply lock access to it. But, as Mishcon de Reya points out, the glory days of cyber crime may be numbered. Governments are beginning to coordinate their fight against the criminals and the so-called Ransomware Task Force has published a framework to combat the plague. It has 48 recommendations under 4 headings: deterring attacks, disrupting the ransomware business model, preparing defences and responding effectively.

Spyware

A group of human rights organisations have called on Israel-based NSO Group to meet its commitment to improve transparency about sales of its spyware. The organisations include the Citizen Lab, a research group based at the University of Toronto which has tracked how governments use NSO's Pegasus spyware. In December, the group revealed how Pegasus had been used to hack 36 personal phones belonging to Al Jazeera journalists. Following the report, NSO said it would carry out an investigation "if warranted", but there is considerable scepticism about whether such an investigation would be "genuine, transparent, and thorough". NSO is currently reported to be considering an Initial Public Offering that would value the company at up to $2 billion.  

QR codes

Where there's convenience, there's usually risk and QR codes are no exception. Those handy square barcodes have been popping up all over the place, not least in connection with COVID-tracking apps. QR codes are often associated with entering information, which makes them an ideal way to manipulate us into providing personal details. Would-be criminals can rent or buy phishing kits that are designed to use QR codes and mimic trusted brands and organisations. This isn't a theoretical threat. On Wednesday, police in Australia arrested a man who is alleged to have stuck his own QR codes on official COVID-19 check-in notices.

Russian tactics

Russian "cyber actors" are continuing to target government networks, think tanks, policy analysts and IT companies in a bid to gather intelligence information, according to the US government. A Joint Cybersecurity Advisory describes Moscow's operations as a "longstanding threat" to the US. It sets out how Russia's focus has shifted from individual networks to cloud resources, above all email. Meanwhile, FireEye has updated a report on the use of disinformation by groups with interests that align with those of Moscow. Several recent cases appear to have been aimed at creating unrest in Poland by using hijacked social media accounts to publish inflammatory material.

In brief

COVID apps: When the pandemic began, we thought tracking apps would be a key element in the fight to control COVID-19. We were wrong. In fact, use of them has been far less widespread than we expected. And this week, AppCensus identified a security flaw in the Android version of the framework developed jointly by Apple and Google. Following that news, Holland temporarily disabled its coronavirus warning app.

SMEs: Small and medium-sized organisations are a key target for attackers, not least because they often lack the resources to defend themselves. The Global Cyber Alliance has launched a toolkit designed to help.

GDPR: Talks between the US and the EU are intensifying as negotiators try to find a new legal framework for data transfers between the two. This is tricky, messy and (bizarrely) could affect transfers of personal data to Ireland, on the grounds that it is allegedly failing to properly enforce the General Data Protection Regulation. The Irish Times

Leaked: A vast dump of data has aggregated 3.28 billion passwords linked to 2.18 billion unique email addresses. Almost half the passwords are associated with government email addresses. Syhunt

US travel: Civil rights groups in the US are petitioning the Supreme Court to review a case that would outlaw warrantless searches of international travellers' phones and laptops. EFF ACLU

Personal affairs: Unsurprisingly, the pandemic means many people are using their own devices to work from home. Research from Gartner suggests many now regard themselves as tech experts and have set up their own applications and web services to aid productivity. Mixing work and personal technology is not a good idea, but obviously we understand why it's so common. ZDNet explores the issues.

Girls: Depressingly, research suggests 11-13 year old girls are the group most likely to be targeted by online predators. The Internet Watch Foundation also found a significant increase in the amount of explicit content created by the victims themselves.

Fonts: So farewell Calibri. After 14 years, Microsoft is about to dispatch you to the typeface graveyard where you can talk about happier times with Times New Roman (who you displaced as Microsoft's default font). There are 5 new (original) designs which all look pretty similar to our untrained eye. They're ready to download and use, so you can make up your own mind! Microsoft

Updates

iOS: The release of iOS 14.5 for iPhones and iPads has not been smooth, with reports that the tracking transparency feature isn't working for many users. This is despite a longer than normal testing period. Apple has explained why the feature is greyed out in specific cases. iOS 14.5 brings major changes and new features, including making it easier to unlock a phone with FaceID when wearing a mask. One kid is already reported to have taken advantage of that feature to unlock her dad's iPhone.

macOS: Important security update for Mojave, Catalina and Big Sur versions of Apple's desktop and laptop operating system. It fixes a number of vulnerabilities, including a very serious one which could allow malicious files to bypass pretty much all Apple's security defences. A word of warning: the Big Sur update (11.3) may stop some VPN and antivirus products from working. We have seen this impact F5, Sophos Home and ExpressVPN products.

Chrome: Yet another critical update for Google's web browser, this time to address a vulnerability in its JavaScript engine. Do get into the habit of closing and restarting your browser every couple of days, which will apply any updates automatically.

Windows 10: Emergency update to fix gaming issues introduced by the Windows 10 2004 and Windows 10 20H2 KB5001330 update.

Trend Micro: Has urged users of Apex One and OfficeScan to ensure they are up to date. Vulnerabilities were addressed in updates last year, but many installations remain vulnerable and are being actively attacked.

F5: Update for Big-IP Application Delivery Services appliance to address a vulnerability that could be used to bypass security measures designed to protect sensitive workloads.

Zimbra: 9.0.0 “Kepler” Patch 14 and 8.8.15 “James Prescott Joule” Patch 21 address multiple issues.
