FFT news digest  Jun 8 2018

Router troubles 

An attack targeting home and small office routers is believed to be more serious than originally thought. Cisco Talos has published an updated list of affected devices which includes Asus, D-Link, Huawei, Linksys, MikroTik, Netgear, QNAP, TP-Link, Ubiquiti, Upvel, and ZTE. In other words, the most common routers in use. Cisco had already found that the malicious software had infected more than 500,000 routers in over 50 countries. Now it says the malware could bypass the encryption that secures webpages and steal sensitive information, including passwords. The chances of your router being affected are small but it's still worth checking whether there's a firmware update available. We also suggest checking that Remote Management is disabled and that the default administration password has been changed.

WhatsApp banned

Global auto-parts giant, Continental, has banned WhatsApp and Snapchat on corporate devices. In a statement, Continental said, "these services have deficiencies when it comes to data protection, as they access a user's personal and potentially confidential data such as contacts." WhatsApp's Terms of Service are clear that a user agrees "to provide the phone numbers of WhatsApp users and your other contacts in your mobile address book on a regular basis, including for both the users of our Services and your other contacts." Given that these other contacts have no choice about their information being uploaded to WhatsApp, it's easy to see why Continental might be concerned. In its words, "The risks this poses in terms of data protection are not ones the company is willing to take."

Securing Google Groups

Google has warned G Suite users to check their settings after finding sensitive information being exposed by thousands of organisations. The issue is caused by a setting in Sharing Options. The choice is 'Private', which means access is restricted to users within a specific domain, or 'Public on the Internet', which does what it says. Kenna Security surveyed some 2.5 million domains and found nearly 10,000 organisations with groups configured to allow public access. They included Fortune 500 businesses, media organisations and US government agencies. Kenna points out that the issue is similar to an endemic failure to secure Amazon's S3 storage buckets but adds that it's much easier to find public Google Groups.

World Cup warning

Warnings have been issued to anyone travelling to Russia for the World Cup. To some extent, all major international events present opportunities for cyber criminals to attack visitors so it's important not to exaggerate the threat in Russia. However, security company Kaspersky analysed 32,000 public WiFi hotspots around the country and found that one in five had no protection at all. Our view is that basic precautions should be used with public WiFi wherever it is. These include using a VPN and avoiding WiFi for any financial transactions. Strictly speaking, Russia has banned VPNs except for those granted an official licence. In practice, many still work. Journalists and others who might attract the attention of the authorities may need to adopt more sophisticated measures. The Committee to Protect Journalists has a guide on the issue, as does the UK's National Cyber Security Centre. And leading security company, 1stOption (who we work with), has an excellent country overview.

Key questions. Key answers.

Former TalkTalk CEO, Dido Harding, has some advice for business leaders who want to reduce the risk of data breaches: communicate, ask questions, and don't make assumptions. Baroness Harding should know what she's talking about because, according to her, it was a failure to ask the right questions that led to the TalkTalk breach (one of the most serious the UK has seen). Speaking at Infosecurity Europe, she said, "We thought we took cyber-security seriously. But we were a fast growing company, acquiring others, and were hit by a simple SQL vulnerability in a legacy website that no one noticed." She says boards should ask, "What are the risks, what are we 'happy' with, or able to live with, and what do we need to mitigate?" She also recommends shorter lines of communication and a 45-minute session on cybersecurity at every board meeting. This echoes our approach which aims to build cybersecurity into the fabric of the organisation instead of keeping it in a box and letting it out when there's a problem.

Apple polishes privacy

Apple has announced a series of features designed to protect its customers' privacy and differentiate it from social media platforms. Speaking at its annual developers' conference, software chief, Craig Federighi, said the measures would stop users being tracked and would also guard against unauthorised access to the camera, microphone, Safari data and message history. He said one of Apple's goals is to make one device look like any other so that companies can't identify a user by how their machine is configured. The new protections will be included in iOS 12 and the next macOS version (to be called Mojave). They're expected to be released in September or October.

In brief

Google is changing its sign-in screen so it may look different from next week. Bleeping Computer has details.

Facebook admitted it mistakenly changed settings to suggest status updates should be publicly available. If you're one of the 14 million affected, Facebook will be in touch.

More evidence of just how insecure cellphones are. US officials confirmed a fake cellphone tower may have been used near the White House.

Australian company, PageUp, which is a leading provider of Human Resources services, has warned clients that data may have been compromised.

DNA and genealogy company, MyHeritage, says credentials of more than 92 million users have been stolen.

Thousands of projects may be affected by a serious vulnerability affecting Zip files. Security company, Snyk, has a list of who's affected.

Updates

Adobe: Urgent update for Flash Player to address a zero-day vulnerability that is being actively exploited in targeted attacks against Windows users. These use email to distribute Office documents with embedded malicious Flash Player content.

Apple: updates for a wide range of products including macOS, Safari, tvOS, watchOS, and iTunes and iCloud applications for Windows.

Google: update to address 57 vulnerabilities affecting the Android operating system.

Cisco: Multiple updates for vulnerabilities including two rated 'Critical'.

Mozilla: update to address security vulnerabilities in Firefox 60.0.2.
