FFT news digest Oct 12 2018

Personal data out of control

The extraordinary scale of data breaches was demonstrated by a sales intelligence firm which has revealed a leak in the vast reservoir of data it holds. Apollo, which says it has more than 200 million contact records, emailed clients to tell them it had lost 125 million of them. This data was gathered from public sources on the web, including Twitter and LinkedIn. According to TechCrunch, the details include names, email addresses and employer details. Apollo makes its money from selling this information to marketers who use it to improve the targeting of advertisements. Meanwhile, this week Google announced it would close its Google+ service because so few people were using it. But more importantly, it also admitted that a previously undisclosed bug could have exposed information about 500,000 users. Google had known about this since March, but didn't tell anyone because there's "no evidence" it was exploited. That's prompted 3 US Senators to ask for an explanation.

Hacking US weapons

A comprehensive audit of the US military has revealed a remarkable lack of security in its weapons systems. In one case, the General Audit Office found that it took 9 seconds to discover the administrator password for a system. The report includes a response from the Department of Defence which says, "the time it took to break a password or access a system is not a useful metric for measuring cybersecurity." This might be true in some situations, but the GAO found there was a generalised failure to address vulnerabilities that left the weapons systems open to attack. “Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications,” the report says.

On display

There is obviously no shortage of weirdness on the web, but one of the more extraordinary sights is the number of webcams that remain unsecured and visible to anyone who can be bothered to look for them. Now, SEC Consult says it has found a series of vulnerabilities in webcams manufactured by the Chinese company Xiongmai. The first issue is that Xiongmai's cameras use a unique ID, as you might expect. The problem is that it's easy to predict what they are, so researchers went looking for them and found 9 million of them around the world. But once you've found them, what could you do with them? Well, they use a default password that's unlikely to be changed because there's nothing to explain why it's a security risk. So that means anyone can take a look at the camera's output if they feel like it, and they could also install their own version of the software that runs the device. There are many lessons from this, but the most important is to change the default password on any device you own.

Heathrow USB horror

The UK data regulator, the ICO, has fined Heathrow Airport Limited £120,000 for losing a USB stick containing personal data and highly sensitive security information. A member of the public found the device under a pile of leaves in West London and passed it to the Sunday Mirror newspaper. The paper reported that among the data were details of the Queen's routes into and out of Heathrow. The fine itself was imposed because of the loss of personal data and what the ICO called "a catalogue of shortcomings in corporate standards, training and vision." It added that "Data protection is a boardroom issue and it is imperative that businesses have the policies, procedures and training in place to minimise any vulnerabilities of the personal information that has been entrusted to them." In Heathrow's case, it found that only 2% of employees had been trained in data protection, and there was widespread use of removable media despite this being against Heathrow's policies.

The insider threat

A landmark data protection case is due to be heard by the UK's Court of Appeal next week. The case involves a claim for compensation by employees of the Morrisons supermarket group, whose personal details were posted online by a disgruntled employee. Last year, the High Court ruled that the supermarket was liable for the release of the information, and therefore its employees were entitled to compensation. It's the first class action in the UK involving a leak of personal data, and is being closely watched for any precedent it could create. In general, the threat from employees (whether disgruntled or otherwise) is a significant issue for organisations. In one of the latest surveys, 53% of organisations said there had been "insider attacks" against their organisation in the previous 12 months.

When to take updates

Microsoft's latest monthly update didn't begin well when Windows 10 users started reporting missing files after they'd installed it. It highlights the question of when non-corporate users should take updates - and reinforces our view that it's almost always better to wait a few days to see whether there are any problems. In this case, Microsoft put the updates on pause while it worked out what had gone wrong. It now appears to have fixed the issue and the updates are again available (see below). As well as waiting before installing patches, it's also highly advisable to make a manual backup of your data rather than relying on System Restore; this week rolling back to a restore point didn't bring back the missing files. Anyone affected by this should contact Microsoft, which says it has a way of finding the missing information.

In brief

Are you a Relevant Digital Service Provider? If you're a small organisation, you're not. But if you are, there's an important deadline coming up and we have a report that explains everything you need to know.

A study has found that 259 people around the world have died as a result of accidents related to taking selfies. The study in the Journal of Family Medicine and Primary Care says the most common cause was drowning. It's calling the deaths "selficides".

Kanye West is the latest celebrity to provide everyone with an example of how to be cybersecure. During an appearance at the White House, he repeatedly unlocked his iPhone and revealed his passcode to be... 000000.

Another reminder for users of Mikrotik routers that it's essential to ensure the devices are patched. According to Tenable, two thirds of users aren't, leaving them vulnerable to attack.

A loud and public battle continues to be fought over Bloomberg's report alleging that servers used by Amazon, Apple and others were compromised by Chinese agents. Bloomberg stands by its story, and published another claiming a US telecommunications company had found a similar issue. Everyone else vehemently denies it. Whatever the truth, the controversy provides welcome focus on the issue of supply chains.

Updates

WhatsApp: new version fixes bug in Android and iOS versions that could allow an attacker to take over the application when users answered an incoming video call.

Apple: first update for iOS 12 fixes some minor bugs, including problems with Wi-Fi connectivity and charging new iPhones.

Microsoft: latest Patch Tuesday updates include fix for Windows vulnerability which is reported to have been used to target organisations in the Middle East.

Adobe: latest updates address 11 vulnerabilities, four rated critical. Unusually, none apply to Flash Player.

DLink: patches for remote code execution and cross-site scripting vulnerabilities in Central WiFiManager Software Controller.

SAP: October patches include first Hot News security note for SAP BusinessObjects in more than five years.

Instagram: has enhanced security by adding app-based two-factor authentication in addition to SMS messages. Any form of second factor is good, but a third-party authenticator app is best.

Ubuntu: Update addresses issues in Tomcat and WebKitGTK+.

Juniper: Fixes for more than 30 vulnerabilities affecting routing, switching and security products running Junos OS.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217