FFT news digest Sep 16 2022

Twitter

Twitter "don't know what data they have, where it lives, or where it came from and so, unsurprisingly, they can't protect it." That was just one of the claims made by the company's former security lead, Peiter "Mudge" Zatko in testimony to the US Senate's Judiciary Committee. Zatko alleged Twitter had made false statements about its security, defrauded investors and had been either negligent or complicit in the face of foreign influence operations. He added that, a week before he was fired, the FBI had told him there was at least one Chinese intelligence agent on Twitter's payroll.

Zatko's testimony would be comic if it weren't so serious. As he explains, he joined the company to lead its security operations after an infamous hack in which "a group of teenagers launched what at the time was the largest hack of a social media platform in history." When he arrived he found "10 years of overdue critical security issues" with no meaningful progress in addressing them. "This was a ticking bomb of security vulnerabilities," he added. He said he repeatedly disclosed his concerns, which went "unheeded." When he told an executive that there was a foreign spy inside the organisation, he said he was told, "Well, since we already have one, what does it matter if we have more? Let's keep growing the office."

Not all social media platforms are like Twitter but we continue to be deeply concerned about entrusting them with sensitive information. Last week, two senior Facebook engineers admitted that they didn't know where all the data about a user is stored and thought there was no single person who would know. Their admission came during a court hearing as part of a lawsuit over the mishandling of private user information during the Cambridge Analytica affair. Facebook's parent company argues that it continues to make significant investments to meet its privacy commitments. We don't doubt that's true but it's not the same as ensuring privacy is protected.

Threats

North Korea: Attackers are using fake Amazon job assessments as part of a campaign targeting media companies. It begins with an email containing a lucrative job offer at Amazon and suggests the conversation continues on WhatsApp where a booby-trapped file is shared. Mandiant

Interactive: Attackers are increasingly turning to targeted "hands-on" methods to compromise organisations. "The ongoing surge in ransomware-as-a-service and affiliate networks along with increasing prevalence of access broker activity all adds up to one thing: a lower barrier to entry for criminally motivated adversaries," CrowdStrike says.

App Store: Fake (and almost real-looking) copies of Apple's App Store are being used to scam victims. Criminals pay to make sure the lures appear high in search engine results. Be cautious about installing anything from outside official app stores. Intego

WeTransfer: A new campaign uses WeTransfer to try to install malicious software on victims' devices. The lure is a notification from an unknown person, apparently sharing a “Proof of Payment” document. Cofense

Keylogger: An ingenious campaign is targeting Greeks with phishing sites that mimic the country's official tax refund platform and steal credentials as they are typed. Cyble via Bleeping Computer

Queen: The UK's National Cyber Security Centre has warned about scammers exploiting the royal death. We haven't seen any examples but we'd be surprised if there haven't been any.

WordPress: Researchers are urging users to remove a popular plugin until a fix is released for a previously undisclosed (zero-day) vulnerability. WPGateway is a premium plugin used to manage other plugins and themes. WordFence

Iran

Iran has been using new approaches to social engineering in its attacks against individuals specialising in Middle Eastern affairs. The technique, which Proofpoint calls "multi-persona impersonation," involves using several fake identities to make a phishing email look genuine. It builds on a longstanding Iranian technique designed to create a relationship with targets over an extended period of time. In one example, hackers impersonated a researcher at a legitimate think tank and referenced another researcher (at the Pew Research Center) who was copied on the email. The report came as the US announced criminal charges, further sanctions and a $10 million bounty in retaliation for Iranian cyber attacks. And days after Albania cut diplomatic ties with Iran because of a cyber attack, it reported another incident which it blamed on Teheran.

China

Strategic competition between the United States and China is the defining feature of world politics today and China could emerge the victor, according to an influential think tank run by the former head of Google. The Special Competitive Studies Project says three technologies, microelectronics, AI, and 5G, will determine national power. They all matter but microelectronics - and specifically computer processors - are crucial because the US is dependent on them and most are currently manufactured in East Asia. The report says the US and its allies are "coming perilously and unwittingly close to ceding the strategic technology landscape and along with it the capacity to shape the future."

In brief

Uber: Says it’s investigating a “cybersecurity incident” amid reports that the company’s internal systems have been breached. The alleged hacker claims to be 18 years old. The incident appears to be serious.

Bad habits: A survey by 1Password sets out a litany of security failings to do with...passwords and authentication. That's hardly surprising - especially coming from a company that sells a password manager - but its report does highlight some useful issues, including an almost total misunderstanding among survey respondents as to what Single Sign On is. (Spoiler: 50% of people thought it made them more vulnerable to hacking.)

Healthcare: Ransomware attacks in the US are delaying medical procedures and tests, resulting in poor patient outcomes and increased complications. Proofpoint found that 89% of healthcare organizations surveyed had experienced an average of 43 attacks in the past 12 months.

Journalist: The Committee to Protect Journalists has called on the Dutch intelligence services to investigate the decades-long surveillance of an investigative reporter.

Jamming GPS: Devices to jam GPS signals cost as little as $50 and they're being used to hijack road transport and drones. ZDNet examines the problem and how to mitigate the risk.

Open source: Although open source software remains widely used, a survey suggests there is increasing concern about security. In a survey of IT professionals by Anaconda, 40% of respondents said they were scaling back use of open-source software, most of them following the Log4j vulnerability.

Prison phisher: Dutch authorities say a prisoner was caught running a phishing operation from his jail cell. He used four mobile phones to target more than 1,000 people in just a few months last year. And yes, the reason he was in prison was his involvement in "large-scale" cybercrime.

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.
