FFT news digest Feb 8 2019

Worms in the fruit

Difficult questions for Apple as news emerges of yet more security failures, among them one affecting the macOS keychain. A video released by a German researcher demonstrates how the issue can be exploited to harvest sensitive information, including the passwords the keychain stores. The issue has been independently verified, but the researcher has refused to provide any details to Apple because it doesn't offer bug bounty payments for issues discovered in the Mac operating system. Until the vulnerability is patched, users are advised to give the login keychain its own password, separate from the account password, so that it is no longer unlocked automatically at login (Apple's guide is here; expect to be prompted for it more often) - though we continue to recommend using a standalone password manager. Meanwhile, Apple has released a fix for the issue affecting Group FaceTime which allowed a caller to listen to or watch a recipient who had not yet answered the call. Apple's updates also address two other iOS vulnerabilities that were spotted by Google, which says they have been actively exploited. We have more details here.

GDPR awareness

Precise figures are hard to come by, but it is clear that there has been increased awareness of data protection issues since the GDPR became enforceable in May 2018. This week, research by law firm DLA Piper estimated that more than 59,000 personal data breaches had been notified to regulators up to January 28. The data covers a range of incidents, from major breaches to misaddressed emails or the loss of a USB stick. DLA Piper has pointed out that its figures are partly extrapolated because statistics weren't available from some EU countries. Much of the initial noise around the GDPR has died down, but we expect it to resume as regulators pass judgement on the initial set of cases presented to them. Meanwhile, the UK regulator, the ICO, has provided a reminder that organisations shouldn't ignore Subject Access Requests: a housing developer has been fined for repeatedly failing to hand over personal information.

Key threats

Global consultancy Booz Allen says organisations should expect increasing use of information warfare tactics against them. The warning comes in its 2019 Cyber Threat Outlook report, which identifies eight areas to prioritise. It expects the methods used in attacks on countries, including disinformation and targeted breaches, to migrate to the economic sphere, and advises organisations to implement a threat intelligence programme to provide advance warning of events that could lead to cyber attacks. Among other key areas, the report warns of the risks posed by wireless networks and Internet of Things (IoT) devices. On a practical level, our view is that organisations should begin by focussing on the basics and, in the UK, achieving the government-backed Cyber Essentials standard.

Facebook under pressure

Decisions in the US and Europe illustrate the increasing challenges confronting Facebook's business model. In Germany, the competition regulator has ordered Facebook to stop combining user data from different sources without voluntary consent. The order applies not only to Facebook's own platforms like WhatsApp and Instagram, but also to other data sources such as information about non-users. And in California, a federal judge rejected Facebook’s argument that it cannot be sued for letting third parties, such as Cambridge Analytica, access users’ private data because no “real world” harm resulted from its actions. Courthouse News said the judge also rejected Facebook's assertion that users had agreed to third-party use of their data, saying the wording was vague.

Size matters

More details have emerged about the vast collections of credentials that are being offered for sale to criminals. Recorded Future estimates that the set of databases contains 3.5 billion user records, in combinations such as email address/password, username/password and mobile phone number/password. It's important to emphasise that most, if not all, of the credentials are not new but come from previous data breaches. What is new is their aggregation in such enormous numbers, which makes credential stuffing (trying leaked username/password pairs against other sites) cheap and easy. This makes it essential to avoid reusing passwords. The best solution is a password manager, but Google has also introduced an extension for its Chrome browser which will warn you when you sign in with a username and password that appear in a known breach.

Surveillance powers

Civil liberties groups have won the right to challenge the UK's extensive bulk surveillance powers in Europe's highest human rights court, although it could be years before the case is heard. In September, a lower chamber of the court ruled that while aspects of the UK's surveillance practices violated human rights law, bulk data collection in itself did not breach the European Convention on Human Rights. The legal challenge stems from the 2013 disclosures of government surveillance programmes by Edward Snowden. Meanwhile, a long-delayed report from the UK's Investigatory Powers Commissioner shows a 23% rise in the number of bulk interception warrants in 2017 compared with the previous year.

In brief

There are isolated reports from some Adobe Premiere CC users that the app has damaged the speakers in their MacBook Pros. The issue appears to date from last November and occurs when using audio enhancement tools.

There's been a surge in Business Email Compromise (BEC) attacks. Proofpoint says they grew by 476% between Q4 2017 and Q4 2018.

Canada’s biggest cryptocurrency exchange has said it cannot pay US$190 million in customer deposits because its founder died suddenly and didn’t tell anyone his password.

It's obvious that companies have access to data gathered through our use of their apps, but it's less obvious that some are recording the screen to track what we're doing. TechCrunch says Air Canada and Hollister are among companies doing this, seemingly without telling their users. Apple has told them to cease and desist.

Users of British Airways' website say they've been able to access other people's bookings when using a shared computer, even after the other user has logged out. It's a reminder to use incognito/private mode, and to close the browser window when you are done, when accessing any website holding personal information on a shared device.
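The digest does not say what went wrong at BA, but the symptom it describes (a logged-out session still usable by the next person at the machine) is what a tester looks for when checking whether logout revokes the session on the server or only clears the browser's cookie. The following is an added illustration, not code from the digest or from BA: a constructed in-memory session store standing in for a web application, with the weak logout beside the hardened one, and the replay check a tester would run against both.

```python
import secrets


class SessionStore:
    """Minimal stand-in for a web app's server-side session table (constructed for this example)."""

    def __init__(self):
        self._sessions = {}  # session id (the cookie value) -> user

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # opaque, unguessable session id
        self._sessions[sid] = user
        return sid

    def whoami(self, sid):
        """What a 'my bookings' page would render for this cookie, or None if not logged in."""
        return self._sessions.get(sid)

    def logout_client_only(self, sid):
        # Vulnerable pattern: the response tells the browser to drop the cookie
        # but the server keeps the record, so anyone who still holds the id
        # (cached page, history, a shared browser profile) stays logged in until
        # the record expires on its own.
        return {"Set-Cookie": "session=; Max-Age=0"}

    def logout(self, sid):
        # Hardened: revoke the record server-side as well. The old id now maps
        # to nobody, whoever presents it.
        self._sessions.pop(sid, None)
        return {"Set-Cookie": "session=; Max-Age=0"}


def session_survives_logout(store, logout_fn):
    """Tester's check: log in, keep a copy of the cookie, log out, then replay the copy."""
    sid = store.login("alice@example.com")  # constructed user
    stolen_copy = sid  # what the next user of the shared machine might still have
    logout_fn(sid)
    return store.whoami(stolen_copy) is not None


if __name__ == "__main__":
    weak, strong = SessionStore(), SessionStore()
    print("client-only logout leaves session usable:",
          session_survives_logout(weak, weak.logout_client_only))
    print("server-side logout leaves session usable:",
          session_survives_logout(strong, strong.logout))
```

Against a real site the same check is done with its actual cookie: capture the session cookie after logging in, log out through the site, then request an account page again with the old cookie; a successful response containing account data means the session was not revoked. Pages that show personal data should also be served with `Cache-Control: no-store`, so that the Back button or history on a shared machine does not reproduce them from cache.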

A widespread phishing campaign is targeting executives with messages asking to reschedule a board meeting in a bid to steal logins and passwords. GreatHorn says the messages appear to come from the company's CEO and include a link to a Doodle poll.
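The pattern GreatHorn describes (a message that appears to come from the CEO, carrying a link) is usually executive display-name impersonation: the visible name matches a real executive while the actual sender address does not. Below is an added example of a simple triage rule for that pattern; it is not code from the digest or from GreatHorn. It assumes a constructed organisation domain (`example.com`), a constructed executive directory, and messages supplied as raw RFC 822 text; the sample messages are constructed too. The lure keywords are tuned to the board-meeting theme in the report.

```python
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                  # assumption: the defended organisation's domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}   # assumption: constructed directory
LURE_WORDS = ("reschedule", "board meeting", "availability")  # matches the campaign described


def _name_key(name):
    """Compare names as a set of lower-case tokens so 'Doe, Jane' and 'jane doe' match."""
    return frozenset(re.findall(r"[a-z]+", name.lower()))


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


EXEC_BY_NAME = {_name_key(n): a.lower() for n, a in EXECUTIVES.items()}


def flag_message(raw):
    """Return a list of reasons the message looks like executive impersonation (empty = clean)."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    reasons = []

    # 1. Display name is an executive's, but the address is not that executive's.
    expected = EXEC_BY_NAME.get(_name_key(from_name))
    if expected and from_addr != expected:
        reasons.append(f"display name impersonates {expected} but sender is {from_addr or '<none>'}")

    # 2. Replies are diverted to a different domain than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from sender domain {_domain(from_addr)}")

    # 3. Meeting-reschedule lure plus a link that leaves the organisation.
    subject = msg.get("Subject", "").lower()
    lure = any(w in subject for w in LURE_WORDS)
    body = msg.get_payload() if not msg.is_multipart() else ""
    hosts = {h.lower() for h in re.findall(r"https?://([^/\s>\"']+)", body)}
    external = sorted(h for h in hosts if h != ORG_DOMAIN and not h.endswith("." + ORG_DOMAIN))
    if external and (lure or reasons):
        kind = "meeting-lure" if lure else "suspicious"
        reasons.append(f"external link(s) in a {kind} message: {', '.join(external)}")
    return reasons


# Constructed sample messages (not real traffic); .invalid is a reserved TLD.
PHISH = """From: Jane Doe <jane.doe@examp1e-mail.invalid>
Reply-To: Jane Doe <ceo.office@freemail.invalid>
To: cfo@example.com
Subject: Board meeting rescheduled - please confirm availability

Please pick a slot that works for you: https://poll.attacker.invalid/vote/8f2c
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Q1 planning notes

Notes from this morning are at https://intranet.example.com/notes/q1
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, flag_message(sample) or ["clean"])
```

The rule is a triage signal, not a block: a genuine executive who sends a real scheduling link from an external service will also hit the third check, which is why the first two (name/address mismatch and reply diversion) carry the weight. In a mail gateway the same logic would run on the header fields it already exposes rather than on raw text.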

Updates

Windows 10: Microsoft has fixed issues that prevented Windows Update working for some users.

Exchange: Security advisory addresses a vulnerability in Exchange Server that could enable an attacker to impersonate any other user.

WhatsApp: the iOS app can now be protected using the device's biometric security. This acts as a second step, protecting the app even when the phone itself is unlocked.

Zimbra: Three updates - Zimbra 8.8.11 “Homi Bhabha” Patch 2, Zimbra 8.8.10 “Konrad Zuse” Patch 6, Zimbra 8.7.11 Patch 8.

Android: the monthly update includes a fix for an issue which could allow a maliciously crafted PNG image to execute code embedded in the file.

Ubuntu: New release to fix problems caused by last week's 18.04 security update.

LibreOffice/OpenOffice: Update for LibreOffice addresses issue that could allow a remote attacker to execute code on a targeted device. No update available for OpenOffice, but researcher who found the issue has suggested a mitigation.

Ubiquiti: advice to mitigate vulnerability affecting airOS devices.

Windows 7: Details have emerged about the cost of support for Windows 7 when the free support period ends on January 14, 2020. According to ZDNet, Enterprise prices will be $25 per device in year 1, doubling in each subsequent year.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217