FFT news digest Feb 22 2019

Digital gangsters

After repeated efforts to persuade Facebook chief Mark Zuckerberg to appear before a UK parliamentary committee, Culture Secretary Jeremy Wright gave up and went to California instead. The meeting comes after a parliamentary report this week described Facebook and its management as "digital gangsters" and accused Mr Zuckerberg of "showing contempt" for parliament. The encounter itself was due to last barely 30 minutes, and it's one of a series to be held with other social media companies in the Bay Area. Their significance should not be underestimated. A clear view is emerging from the UK government that the era of self-regulation for technology companies is over - though quite what form regulation will take is another matter.

Supply chain attacks

Symantec's annual threat report has found a sharp rise in the number of supply chain attacks in 2018, with smaller organisations increasingly being targeted. The Internet Security Threat Report says the number of such attacks rose by 78% and included hijacking software updates and compromising third-party services used by online retailers. A particularly popular approach is called "formjacking", where malicious code is injected into a website to steal customers' credit card details. Both British Airways and Ticketmaster fell victim to this type of attack, which can be defeated by ensuring the authenticity of all the elements that comprise a webpage. Symantec also found that smaller organisations were being targeted with malicious software and that ransomware had moved its focus from consumers to enterprises. The enduring message from this and other reports is to get the basics right. A good starting point is a scheme like the UK's Cyber Essentials certification.

Spyware

Spyware is big business and the founders of one of the biggest players in the sector have bought their company back for a cool $1 billion. The purchase of NSO Group was supported by a European private equity firm and is the latest illustration of how much the market is worth. Like many similar companies, NSO Group was founded in Israel and develops hacking tools designed to break into smartphones and defeat WiFi security. Security researchers and human rights groups have accused the company of allowing its technology to be "used in violation of international human rights norms". There are multiple instances of journalists and activists being targeted with such tools and every indication is that the number of such cases is on the rise. Despite this, governments have shown no inclination to regulate the industry - but that's hardly surprising given that they are its biggest customers.

Lessons from Venezuela

Security researchers have accused the Venezuelan government of using an ill-disguised phishing campaign against its opponents. In one case, Kaspersky Lab found that volunteer aid workers were redirected to a fake website in an effort to identify them and steal their social media credentials. Crowdstrike told the Motherboard website this was clearly the work of the Venezuelan government. The campaign appears to have worked by manipulating the Domain Name System (DNS) servers used inside Venezuela, so that even if users typed the address of the authentic website they were redirected to the fake one. This is a useful reminder that manipulation of this kind can be avoided by using public DNS servers such as those operated by Google or CloudFlare. Both companies have guidance on how to do this.

Labour lock down

Amid the chaos of British politics, accusations are being traded over access to confidential data by one of the MPs who has broken away from the Labour party. The Guardian quoted a spokesman as saying, “We have become aware of attempts to access personal data held on the party’s systems by individuals who are not authorised to do so. Personal data the party holds about individuals is protected by law, under the GDPR and Data Protection Act 2018.” For its part, the group of independent MPs has accused the Labour party of "throwing mud". We're in no position to make any sort of judgement on the matter, but it's a fact that departing staff frequently download data and take it with them. New data protection regulations make it essential to control this, so if a former MP were to have accessed Labour party data it would be unlawful, but the Labour party would also have to explain how it had been allowed to happen.

Elegant phishing

We like to think we're reasonably good at spotting phishing attempts, but we have to admit to being impressed with an example that was found this week. The campaign aims to take advantage of Facebook's Social Login solution, which allows people to use their Facebook credentials to access other sites. It's undeniably convenient, but we have longstanding concerns about the vulnerability of such solutions. This concern was supported by security company Myki, which found a site that looked almost identical to the real Social Login service but which was designed to steal the user's credentials. On the surface, it's extremely convincing. We recommend using a Password Manager and Two-Factor Authentication, which would defeat such attacks without having to inspect the webpage to ensure it's genuine. Because life really is too short. If you'd like to test your phishing awareness, Google has produced a useful tool that's well worth a look.

In brief

We're advocates of Password Managers (as above) but we don't pretend they're perfect - they're just better than any other solution to the problem of passwords. This week a researcher created a lot of noise after finding that passwords could be extracted from memory on Windows machines in certain circumstances (like when the machine is already compromised). We don't see the research as changing the importance of getting a Password Manager and using it.

That Apple FaceTime bug. Turns out that the fix involved crippling some of its Group features. Apple told a user on Twitter that a FaceTime call has to have at least 3 people on it before you can add anyone else.

A point-of-sale (POS) provider in the US has disclosed a data breach. Malicious software was installed on some clients of North Country Business Products and stole credit card details from customers.

A quarter of Chief Information Security Officers in the UK and the US are experiencing health issues because of stress, according to a study. The majority said they didn't have enough resources to defend their organisation.

Anything China can do, Russia can copy. RBC reports that Moscow’s municipal Department of Information Technology is testing augmented reality glasses with embedded facial recognition capabilities.

Updates

Cisco: 17 security advisories, 6 rated 'High', affecting products including Hyperflex and Webex.

Drupal: Update issued to address a "Highly Critical" issue which could allow an attacker to take over a website.

Adobe: Security updates for Adobe Acrobat and Reader for Windows and macOS.

Facebook: New controls to give users more control over how Facebook tracks locations.

TweetDeck: New version for Mac promises to end the saga of frequent programme collapse.

WinRAR: Update released to fix a long-standing bug which could be abused to run malicious software. (When we say long-standing, this has been around for at least 19 years!)

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217