FFT news digest Sep 21 2018

Defeating Magecart

Yet more websites have fallen victim to the same attack which resulted in the theft of credit card details from British Airways. Online retailer, Newegg, and Philippines media giant, ABS-CBN, are just two of many organisations to have been attacked successfully. Magecart's technique is not sophisticated, but it is demonstrably effective. It relies on inserting malicious JavaScript by compromising a third party or by attacking the target's infrastructure directly. Customers' credit card details are then skimmed and posted to websites controlled by Magecart, circumventing normal controls on such transactions. As UK researcher, Scott Helme, describes, there are relatively simple ways to defeat the Magecart threat. The first is to define a Content Security Policy which, as he explains, allows you to control where resources can be loaded from. The second, Subresource Integrity, ensures the resources being used on a webpage are what they're supposed to be. Anyone running an eCommerce site should read Scott's guide.

£0.5M fine for Equifax

The UK regulator has imposed the maximum possible fine on US credit reference agency, Equifax, for failing to protect personal details of some 15 million UK citizens. The ICO said it had found "multiple failures" which contravened five of the eight principles of the 1998 Data Protection Act, including failure to secure personal data, poor retention practices, and lack of legal basis for international transfers of UK citizens’ data. Equifax will be relieved the incident happened before new EU data protection legislation came into force at the end of May. Under the GDPR, the fine could have been as high as 4% of its annual turnover (equivalent to $134 million/£102 million). Given that the incident stemmed from a failure to address a known vulnerability, the fine would likely have been at the top end of the scale. So far, Equifax has avoided similar penalties in the US, despite losing sensitive information on some 147 million people.

From Pyongyang with LinkedIn

The US Department of Justice's 179-page indictment of a North Korean programmer provides a detailed view of how government-sponsored groups go about attacking their targets. Among the incidents covered in the DoJ document is the 2014 attack on Mammoth Screen which was working on a drama series set in North Korea. Pyongyang was unimpressed, and threatened the production company with "disgrace and self-destruction". It then researched public information about Mammoth staff and bombarded them with bogus LinkedIn connection requests. According to the DoJ indictment, this resulted in Mammoth's systems being breached, although the attack was "detected and subsequently remediated." Fake LinkedIn requests are a perennial favourite among government attackers and we advise extreme caution with such messages (even if you're not making a programme set in North Korea). We advise accepting requests only from people you've met in real life.

Europol: Help!

The European police agency has warned that cyber attacks are becoming more targeted, and says they have reached a level at which national law enforcement agencies can't deal with them alone. In its annual report on cybercrime, Europol calls for, "enhanced cooperation between international law enforcement agencies, private sector companies, academia and other appropriate stakeholders." It says ransomware remains a key threat, but expects to see a growing risk from cryptomining tools which seek to hijack the processing power of a user's device to perform complex calculations. Europol also repeated a warning about the blurring of lines between criminals and state-sponsored attackers and said this was being compounded by the growth of "crime as a service". According to Europol, the most effective defence is education, and it calls on law enforcement to raise awareness of threats and trends.

The spread of Pegasus

Researchers have published evidence showing the extent to which Pegasus spyware is being used around the world. Citizen Lab said it had developed a tool which found traces of the tool in 45 countries, six of which had "a public history of abusing spyware to target civil society." Citizen Lab has a track record of investigating Pegasus, and in 2016 exposed its use against Ahmed Mansoor, a human rights activist in the United Arab Emirates (who is now serving a 10-year jail term for posts on social media). Its latest report is based on scanning the internet for servers associated with the spyware. These were clustered into 36 distinct systems, each apparently run by a separate operator. Pegasus is developed by the Israel-based NSO group and uses undisclosed vulnerabilities in iOS and Android devices to take them over. Infection is achieved by simply clicking on a link. NSO told Citizen Lab the report was inaccurate, and said Pegasus was licensed to government agencies for the purpose of investigating and preventing crime and terror. Pegasus is not a threat to most people, but it should be a concern to activists, NGOs, investigative journalists, and those around them.

Spying on journalists in the US

Documents obtained under a Freedom of Information lawsuit show that the US government can monitor journalists by using a foreign intelligence law that operates outside the usual court system. Two memos from 2015 detail the “procedures for processing Foreign Intelligence Surveillance Act applications targeting known media entities or known members of the media.” The Freedom of the Press Foundation, which brought the lawsuit, said activists had suspected such use of FISA court orders, but believed the government had never publicly acknowledged it. The orders have to be approved by the Attorney General or his deputy, but they are secret and targets are almost never told they exist. While we often warn of the risks of government surveillance from authoritarian regimes, it is important to remember that democratic governments, including the US and the UK, have very far-reaching surveillance powers - as some media organisations have discovered.

In brief

Western Digital's My Cloud storage devices have a vulnerability which could give a remote attacker administrator access. Securify says only a few lines of code are needed to exploit the bug. So far, there's no fix. To make remote access more difficult, make sure you've changed the default admin password on your Internet router, disable Dashboard Cloud access, and turn off any port-forwarding functions.

Hundreds of thousands of security cameras and surveillance devices are believed to be affected by a vulnerability in the software they use. Researchers at Tenable said the issue in Nuuo software would allow attackers to execute code remotely, and view or tamper with recordings.

The UK TV Licensing Agency has admitted that 25,000 people were directed to submit banking details over an insecure connection. It's contacting anyone who might have been affected, but no information is thought to have been stolen. A good reminder to check website configurations.

A new tax refund scam appears to be underway in the UK. As Malwarebytes reports, that HMRC email promising a sizable payment is simply an effort to steal your personal information. If you’re contacted by scammers, inform Action Fraud.

New term, new trick to make essays look longer. Times Newer Roman is a font that takes the traditional font and makes each character 5-10% wider. Smart trick, but it's not going to change the word count...

Updates

Apple: iOS 12 was released this week and early reviews are universally positive. Billed as being designed to make iPhones and iPads work faster, the consensus is that this is what it does - even on older devices. The new version also addresses important security issues and, so far, there have been no reports of the normal issues affecting a major update. We have updated an iPhone 6 and have seen no problems. And performance does seem to have improved, slightly.

Adobe: Updates for Windows and macOS versions of Acrobat and Reader address a total of 7 vulnerabilities, including a critical flaw that can allow arbitrary code execution.

Cisco: Second warning about IOS XE vulnerability that could allow a remote attacker to log into a device. Also updates for Webex network recording player.

Ubuntu: Security updates address multiple critical vulnerabilities.

Zimbra: 8.8.9 “Curie” Patch 5 and Zimbra 8.8.8 “Turing” Patch 10 released.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217