FFT news digest  Aug 17 2018

Google's dark patterns

Google has clarified its policy on location data after the Associated Press highlighted how it tracks us even when we think we've told it not to. As the AP explained, Google used to say, "With Location History off, the places you go are no longer stored." It now says, "This setting does not affect other location services on your device." This reflects the fact that some Google apps automatically store location data (with a time-stamp) even if Location History is turned off. Knowing where we are supports highly-targeted advertising - and allows companies to analyse whether it results in visits to bricks and mortar stores. In itself, this may not matter, but it illustrates how difficult it is to keep control of our personal information. To prevent tracking, you have to use a setting called Web and App Activity (under Personal info & privacy | GO TO MY ACTIVITY). In June, Norwegian researchers showed how "Facebook and Google steer us into sharing vast amounts of information about ourselves, through cunning design, privacy invasive defaults, and “take it or leave it”-choices."

Instagrammed

A concerted campaign to hijack Instagram accounts is continuing, with many users locked out and complaints that nothing is being done to help them. As Mashable first reported, typically users notice they have been logged out of their accounts. When they try to log back in, an error message says the username doesn't exist. In many cases, users say this has happened even when 2 Factor Authentication is turned on. So far, Instagram has provided only basic advice while saying it is investigating the issue. The motive for the attacks is unclear and, although many of the affected accounts were reset to link to Russian email addresses, this is no guarantee that's where the attackers are from. Frustratingly, we can't offer any solution to the difficulties people are having in recovering access to their accounts. In some cases, users have set up duplicate accounts after failing to make any progress.

Faxed up

There are still more than 46 million fax machines in use around the world, and researchers have discovered that they're vulnerable to attack by a booby-trapped image. Israeli security company Check Point says the issue is caused by vulnerabilities in the fax protocol. This means that an attacker only needs access to the fax number to exploit the issue. Where the fax machine is part of a multi-function printer, the attacker can gain complete control of the device and possibly the network to which it's connected. The research was carried out on an HP machine (a patch is available here), but Check Point says the exploit is likely to affect other brands because the issue is in the fax protocol itself. Networked printers are a well-known security issue; Check Point's research shows how important it is to ensure that any devices with fax capabilities are properly segregated and firmware is kept up to date.

NSA and VPNs

As far back as 2006, the US National Security Agency broke into a number of Virtual Private Networks, including those of Al Jazeera and of several airline reservation systems. As The Intercept reports, this capability raises broader questions about the security of such networks, which play an essential role in securing corporate and personal communications. News of the NSA's success was contained in a memo that was leaked by Edward Snowden but had not been published until now. Unsurprisingly, it doesn't provide any details about the attacks, but independent research has suggested that many Virtual Private Networks (VPNs) could be vulnerable to attack. It is true that VPNs are not created equal, and the protocols underpinning them can be configured in many different ways. The NSA memo underlines the importance of not taking security for granted.

Privilege management

Managing remote system administration is essential to effective security, according to the UK National Cyber Security Centre. In a blog post, the NCSC describes this as a "common area of high risk" and says it sees it "again and again". The NCSC says the solution is Privileged Access Management (PAM) which issues the access needed to carry out a specific task. The access is valid for a limited time and for a specific 'high trust' device which has a low risk of being compromised. As the NCSC says, "Remote management interfaces and the devices used to perform these functions are extremely valuable to attackers because they grant exactly the type of access they're looking for. So you need to protect them carefully."

Fortnite

With at least 125 million people playing the hit game Fortnite, it's hardly surprising it has become as popular with criminals as it is with gamers. There have been numerous examples of malicious software disguised as cheats, hacks or utilities, but the problem has been exacerbated by the game's imminent release on the Android platform. The problem is caused by the publisher's decision to offer the game on its website instead of through the official Google Play Store. While this means the publisher will avoid paying Google 30% of revenues, it also runs completely counter to the widely accepted advice to download apps only from the Play Store because of the (qualified) protection it provides. If you, or anyone you know, wants Fortnite on Android, do take great care that the app you're downloading is what you think it is.

In brief


Windows user? Make sure Cortana is disabled on the lock screen. Researchers have demonstrated that otherwise it can be used to compromise the device.

Hotel safes are not safe because many have their default administrator code unchanged. LockPickingLawyer shows why it's worth asking the hotel whether the safe in your room is actually worth using.

Body-worn cameras are now commonplace among police forces but a researcher has demonstrated that the footage from them can be easily manipulated.

A sophisticated scam has earned millions of dollars from fake academic journals and conferences. German broadcaster, ARD, shows how researchers from leading universities were fooled.

Beware links in SharePoint files. A campaign targeting Office 365 users is using a malicious link that steals credentials. Security company, Avanan, says 10% of its customers using Office 365 have been affected.

Juniper Research says inadequate investment in cybersecurity by small businesses will contribute to a steep rise in data breaches. It predicts the annual number of records stolen will triple to over 33 billion by 2023.

Malicious mobile apps are the current weapon of choice for attackers. In its Q2 2018 fraud report, RSA says they account for 28% of all fraud attacks. Another reason to be careful about what you download and where you download it from.

Updates

Intel: Numerous manufacturers have released updates to address a new vulnerability in Intel processors which could allow the theft of sensitive information. Patches for the issue, named Foreshadow, should be installed as soon as possible.

Microsoft: updates for at least 60 vulnerabilities, including two being exploited actively.

Oracle: urgent update for Database Server to address vulnerability in Java VM.

Firefox: version 61.0.2 for Windows, Android, iOS, and Linux to resolve crash issues and to fix bugs.

Cisco: multiple updates, including 3 rated 'high' impact.

Adobe: updates for Flash Player (multimedia player), Experience Manager, Acrobat and Reader, and Creative Cloud Desktop.

SAP: 14 advisories for vulnerabilities, 4 rated 'High' priority.
