FFT news digest Feb 15 2019

Breached

This week brought more news of stolen credentials for sale, as figures showed that 2018 was the second-most active year for data breaches on record. The Register reported that around 617 million online account details are being offered for sale on the dark web for less than $20,000. The data comes from 16 websites, including MyFitnessPal, CoffeeMeetsBagel and MyHeritage. Passwords are included in the data and, although many would have to be decrypted, criminals are likely to cross-reference the details with information from other breaches in the hope that people will have reused a password across multiple accounts. According to Risk Based Security, more than 6,500 data breaches were reported in 2018 with some 5 billion sensitive records exposed (nearly 3 billion fewer than in 2017). More important than the total numbers (which in any case may be incomplete) is the breadth of information lost, which makes it essential to assume our details have been stolen, or soon will be.

One strike

Under a new UK law a single online view of terrorist material will be an offence punishable by up to 15 years in prison. The Counter-Terrorism and Border Security Bill was granted Royal Assent on Tuesday, updating a previous Act and giving law enforcement new powers to tackle terrorism. The government said the bill "ensures sentencing for certain terrorism offenses can properly reflect the severity of the crimes, as well as preventing re-offending and disrupting terrorist activity more rapidly." An earlier amendment would have required three views of such material to signify intent, but it was omitted from the final version. There is a "reasonable excuse defence" for academics and journalists conducting legitimate research, but human rights groups have criticised the provisions for being both too far-reaching and too vague in their definitions.

Due care and attention

A media group in Scotland is suing a former employee who sent almost £200,000 to an online fraudster after being taken in by a scam. A court in Edinburgh was told that the fraudster had pretended to be the group's Managing Director and emailed Patricia Reilly asking her to send a series of payments to an unknown company. The BBC quotes lawyers for Mrs Reilly, who has since been sacked, as saying she had not received any training in how to spot online fraud. The company's case is that Mrs Reilly's actions were "careless and in breach of the duties - including the duty to exercise reasonable care in the course of the performance of her duties as an employee which she owed to her employer." Bankers refunded the firm £85,268.28 and it is suing its former employee for the remainder. This type of scam, known as CEO fraud, is enormously popular with criminals and it's essential to have robust procedures to prevent it.

Email destruction

The need for effective backup policies has been illustrated by an 18-year-old email service which has seen its infrastructure destroyed by an unidentified attacker. VFEmail posted a message on its website saying the attacker had "destroyed all data in the US, both primary and backup systems." It is unclear why no offline backup was maintained by the service, which billed itself as "Making email safe for the masses". It's equally mysterious how an intruder could have acquired the credentials necessary to carry out such extraordinary actions. Although an attack of this sort is unusual, VFEmail had experienced disruptive incidents in the past which should have prompted it to adopt stringent security measures and a robust disaster recovery plan. There are still unanswered questions about what exactly happened to VFEmail (especially as its website shows a network diagram which includes an offsite backup).

Cyber sovereignty

Further steps have been taken in Russia and China towards exerting sovereignty over their cyberspace. In Russia, the State Duma is considering a plan to isolate the country from the global Internet in a move that would support more effective censorship. The bill, which has passed the first of three readings, requires Russian Internet Service Providers to ensure isolation is possible in case of foreign aggression. Meanwhile, analysis of China's Cybersecurity Law has found that new provisions significantly expand the government's powers. According to the analysis by Recorded Future, these include "the authority to remotely conduct penetration testing on almost any business operating in China and copy any information related to user data or security measures found during the inspection." The provisions are very extensive; they could cover networked devices outside China and an organisation only needs 5 Internet-connected devices to fall within its scope.

Smart devices

Google and Amazon are reported to be asking makers of smart-home devices to provide a continuous stream of customer information. "In other words", Bloomberg says, "after you connect a light fixture to Alexa, Amazon wants to know every time the light is turned on or off, regardless of whether you asked Alexa to toggle the switch. Televisions must report the channel they’re set to. Smart locks must keep the company apprised whether or not the front door bolt is engaged." The companies say the information is needed to enable faster responses to voice commands and Amazon said it doesn't use the information for advertising or sell it to anyone else. But, according to Bloomberg, guidelines published by Amazon and Google don’t appear to set limits on what the companies can do with this information. 

In brief

Some users are reporting problems with Apple's latest iOS update. Issues include longstanding WiFi and cellular data problems. We've also heard reports of some apps misbehaving. Despite the issues, the update is an important one because of the security flaws it addresses.

The terms and conditions of 500 popular US websites, including Google and Facebook, are enforced despite 99% of them far exceeding the reading level of most American adults. A paper expressed puzzlement that "While consumers are legally expected or presumed to read their contracts, businesses are not required to write readable ones." A crowdsourced website tries to address the problem with a traffic light system.

Ingenious attackers have found a way to bypass Apple's macOS security by using an application that normally only runs on Windows computers. Trend Micro reports that the file masquerades as an installer for a popular firewall program and is found lurking on a dodgy torrent site.

An electric scooter popular with dockless, ride-sharing services can be made to accelerate or brake while it's being ridden. Zimperium says the issue is caused by a Bluetooth flaw and it has a video to demonstrate its impact.

Want to see Artificial Intelligence in action? This person does not exist is a website that creates worryingly realistic photos of people who were never born. It's the work of Nvidia and the results are extraordinary.

Updates

Microsoft: 77 updates and three advisories include fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Windows, Office/Office Services/Web Apps, Azure, Team Foundation Services, and the .NET Framework.

Adobe: monthly update includes fixes for Flash Player, Creative Cloud Desktop Application, and ColdFusion.

SAP: 13 Security Notes, including two rated 'Hot News' and four rated High Priority.

Cisco: Update to address vulnerability in the management web interface of Cisco Network Assurance Engine (NAE).

Ubuntu: Update to address security vulnerability that can be exploited to gain root access to a device.

Tails: emergency release to fix a critical security vulnerability in Firefox.

WordPress: Users of the Simple Social Buttons plugin should apply an update to address a flaw that could allow a site to be taken over.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217