FFT news digest, Aug 10 2018

The threat landscape

An overview of key cyber threats has warned of a growing threat from Iran, and says extended supply chains are being increasingly exploited to attack targets. In its Cyber Threatscape Report 2018, Accenture says the Iranian government and groups linked to it "pose a disruptive or destructive cyber threat against the United States, Europe, and the Middle East." Accenture also says organisations must think about their entire supply chain when considering their security. "Cyber adversaries have slowly shifted their attack patterns to exploiting third- and fourth-party supply chain partner environments to gain entry to target systems, even in verticals with mature cybersecurity standards, frameworks, and regulations," it adds. While this may be an increasing trend, there's a storied history of using suppliers to attack targets and an organisation's security is only as good as that of its supply chain.

WiFi risks

There were more problems with WiFi security this week as news emerged of issues with WPA2 encryption and with a configuration tool used on a number of operating systems including Linux and Android. Researchers discovered the WPA2 issue by accident when they were examining a new protocol that is intended to replace it. Under certain conditions, it can allow the Pre-Shared Key password to be decrypted. The good news is that the attack won't work if a password is long and strong, and it doesn't affect WPA Enterprise implementations. Likewise, researchers say the vulnerability in the "wpa_supplicant" tool is only present if a protocol known as TKIP is being used (which in most cases it probably isn't, given that it's been known to be insecure for at least 10 years). Nonetheless, the issues are a good reminder to check WiFi configurations and make sure they're as secure as possible.

Taking stock of GDPR

Consumers in the UK and Ireland appear to have embraced the EU's new data protection regulation. A survey by SAS found that 56% of consumers who took part had already exercised their rights under the GDPR or planned to do so within the next year. Their responses may have been influenced by the torrent of emails they endured as companies prepared for enforcement of the regulation at the end of May. The Facebook/Cambridge Analytica story may also have played a part in people's apparent determination to exert more control over their personal data. The survey found 68% of respondents planned to activate rights to retract data permissions, stop sharing as much personal data or at least review how companies use their data. As the report says, customers view the handling of personal information as an issue of trust and they have a low tolerance for data misuse and inaccurate profiling.

Copyright check

Do you know where all the photos on your website come from? A ruling by the European Court of Justice makes that information essential. In the decision, the ECJ stated what might have seemed common sense, saying "any use of a work by a third party without...prior consent must be regarded as infringing the copyright of that work." The case was initiated after a photographer found a photo he had taken being used as part of a school project that had been published on the web. The school argued there was no intention of making a profit and the photo was available elsewhere on the web. The court said this made no difference once the project appeared on the web. Doubtless, there will be a spike in traffic to the reverse image search engine TinEye, which trawls the web to find where images are being used.

Phishing: old idea, new method

A new phishing approach appears to be using malicious file transfer sites to attack small and medium-sized businesses. Trustwave says the phishing emails masquerade as invoices from MYOB, a mobile cash flow application. A "View Invoice" button downloads a compressed ZIP archive. If the user double-clicks to open it, a JavaScript downloader will run a command which downloads a malicious program that can perform a variety of functions. The technique is particularly dangerous because although the zipped archive has an unusual name, that's what a user might expect. Up-to-date email scanners and anti-virus tools could help to prevent a successful attack. Users should also be educated about the risks of following links, even if they're contained in an email that comes from a known contact.

Good advice from Vegas

This week sees the year's biggest gathering of hackers and security professionals, who come together in Las Vegas to discuss hot topics, do some serious partying...and mock anyone who's careless about their personal cybersecurity. The head of security for the hacker-fest DEF CON has useful advice for how to stay safe in a "technically hostile environment". This includes leaving normal devices at home, avoiding plugging anything into your device...or your device into anything, leaving attachments unopened, and using cellular data rather than wireless networks. It's good advice and worth keeping in mind for any hostile environment. More generally, Google's Director of Engineering told the Black Hat conference that collaboration and long-term planning must replace a haphazard "Whack-a-Mole" approach to cybersecurity.

In brief

Israeli security company Check Point said it found security vulnerabilities in WhatsApp. WhatsApp promptly rejected the claim. The issue does not mean end-to-end encryption is broken but might allow messages to be manipulated in some circumstances.

The EU is to look again at finding a way to make smartphone manufacturers adopt a common charger for their devices. A 2009 estimate by the EU Commission said incompatible chargers resulted in 51,000 tons of electronic waste in Europe every year.

Following a data breach affecting 1.5 million people, Singapore is analysing whether to use virtual web browsers in its healthcare system. These solutions mean any browsing is isolated from a user's device.

Microsoft has changed its mind about killing off Skype Classic. The decision comes after an outcry from users which included an online petition.

The UK data regulator has fined Emma’s Diary £140,000 for selling personal information to political campaign groups.

Even many technically aware users aren't using two-factor authentication, according to an Indiana University study. Many appear to think a strong password is sufficient on its own. Trust us. It's not. The UK's NCSC has published new guidance.

Updates

HP: Patch released for 225 models of inkjet printers across the PageWide, DesignJet, OfficeJet, DeskJet, and HP Envy product lines. Addresses an issue that could allow code to be remotely executed on unpatched devices.

VMware: Security updates for Horizon 6, 7, and Horizon Client for Windows. An attacker could exploit this vulnerability to obtain sensitive information.

Thunderbird: Update to address vulnerabilities that could allow a remote attacker to take control of an affected system.

Linux: Patches for Linux kernel versions 4.9+ and supported versions of FreeBSD which are vulnerable to denial of service conditions.
