FFT news digest Mar 8 2019

Facebook's "privacy" pivot

With rich, though possibly unintended, irony, Facebook CEO Mark Zuckerberg says the company will reinvent itself with privacy at its heart. In a blog post that expanded on themes discussed in an investor call, Mr Zuckerberg said, “a privacy-focused communications platform will become even more important than today’s open platforms.” You might think this would mean Facebook will stop tracking (almost) everything we do online. Not surprisingly, you'd be wrong. In Facebook's world, "privacy" means encrypted messages you can delete - and most likely intertwined platforms that can be used to process payments. This might mean the content of the messages can't be read, but it doesn't mean what we do will be private. And if there were any doubts about that, further issues have been found with Facebook's use of phone numbers for 2-factor authentication. Last year, it emerged that it was exploiting these numbers to target advertising. Now, a researcher has found that these phone numbers are searchable - and it's not possible to opt out completely.

The consequences of GDPR

New European data protection regulations have led to cybersecurity improvements among the UK’s biggest companies, but most board members lack a “comprehensive understanding” of the impact a cyber incident can have. The UK Government’s Cyber Governance Health Check found that 77% of businesses reported increased focus at board level - and improved measures as a result. But the resources required to deal with an incident continue to be underestimated and there is a “significant gap” in recognising supply chain risks. Meanwhile, law firm Osborne Clarke has a comprehensive appraisal of what Europe’s data protection regulators are working on, and what enforcement actions we are likely to see in the coming months. In particular, it warns that audits and dawn raids are key ways to assess whether an organisation has controls that are fit for purpose. As we have said previously, this is the keystone for any organisation's cybersecurity framework.

China vs USA

China remains the biggest cybersecurity threat to the United States, according to FBI Director, Christopher Wray. He told the RSA Conference in San Francisco that his agency is "investigating espionage and criminal investigations in nearly all 56 FBI field offices, almost all of which lead back to China." He added that the scale of the Chinese counterintelligence threat was the thing that had most surprised him since taking up his role. Mr Wray joined other agency officials at the conference in warning about the long-term damage of Chinese efforts to steal trade secrets and intellectual property. In particular, they urged organisations to make sure they get the basics right and avoid leaving doors open for attackers to walk through. More specifically, this means ensuring online storage is properly secured and administrator accounts are protected.

Egypt accused

Amnesty International has accused the Egyptian authorities of carrying out multiple attacks against human rights activists, the media and civil rights organisations. Amnesty said the campaign appeared to be aimed at accessing email accounts by using a sophisticated form of phishing that exploits a legitimate feature designed to support 3rd party applications. As Amnesty explains, the feature, known as OAuth, could be used by an external calendar application to access an email account to add events or flight reservations. It’s a devious approach with a high chance of success. We advise taking great care whenever an application asks for access to any of your accounts - and this applies to the permissions requested by smartphone apps or browser extensions. For anyone at particular risk, Google offers an Advanced Protection Programme that would defeat most such attacks.

Killing passwords

We hate passwords so we’re delighted to report that a crucial standard has been approved which brings us slightly closer to the day when they won’t be needed for internet services. The Web Authentication specification (or WebAuthn) allows users to authenticate themselves and access an online account by using hardware-based credentials and an accompanying form of authentication. In practice, this means that rather than typing a password, a user will be prompted to authenticate by unlocking a linked smartphone (you can try it out here). The technology is already supported by a range of browsers and operating systems. The question is how quickly it will be adopted by services. And if the example of Dropbox is followed, we won’t be able to dance on the password’s grave just yet. It implemented the approach last year but retained passwords as well, saying it was too early to get rid of them completely.

Hacking humans

The number of phishing attempts more than doubled in the first quarter of this year, with one in every 61 emails found to contain a malicious link. Mimecast (which makes email security solutions) said the rise compared to the previous quarter was driven by the effectiveness of malicious links, especially if they appear to come from a colleague or friend. Links in emails are dangerous, especially if they're obfuscated to support tracking. That's why we insist on providing transparent links for the stories we reference in this newsletter. According to the latest report from the Anti-Phishing Working Group, there was an overall decline in the number of phishing websites - but attackers are becoming more sophisticated. It says Software as a Service solutions and webmail platforms are increasingly being targeted. Our standing advice is never to click if in doubt about a link, and never click on a link to do anything important like resetting a password. Just type the address into the bar.
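What "obfuscated" means in practice is that the address a reader sees is not the address the link goes to. The script below is an added illustration, not something from the newsletter or from Mimecast or the APWG: it scans an HTML email body and flags anchors whose visible text is a URL on a different host from the href, and anchors whose href carries another absolute URL in its query string (the usual shape of a tracking or redirect wrapper). The sample message and the heuristics are constructed for the example.

```python
"""Flag links in an HTML email whose destination differs from what the reader sees.

Heuristics (assumptions made for this example, not rules from any vendor):
  * the visible anchor text looks like a URL but names a different host than the href
  * the href hides another absolute URL inside its query string (a redirect/tracking wrapper)
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Anchor text that reads as a bare URL: optional scheme, dotted host, optional path.
_URL_TEXT = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lowercased hostname of url; bare 'www.example.com/x' text gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _wrapped_target(href):
    """Return an absolute URL carried in href's query string, or None."""
    for values in parse_qs(urlparse(href).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def find_suspicious_links(html):
    """Return [(href, reason), ...] for anchors that hide their real destination."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if _URL_TEXT.match(text) and _host(text) != _host(href):
            findings.append((href, f"text shows {_host(text)} but link goes to {_host(href)}"))
        wrapped = _wrapped_target(href)
        if wrapped:
            findings.append((href, f"redirect wrapper hides {_host(wrapped)}"))
    return findings


# Constructed sample email body (not a real message). The .example/.test domains are placeholders.
SAMPLE_EMAIL = """
<p>Hi, the report is at <a href="https://tracker.example/c?u=https://intranet.example/report&amp;id=42">
https://intranet.example/report</a>.</p>
<p>Reset here: <a href="https://login-example.test/reset">https://login.example.com/reset</a></p>
<p>Agenda: <a href="https://calendar.example.com/event/9">team meeting</a></p>
"""

if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

Run on the sample, the first anchor is reported twice (host mismatch and a hidden redirect target), the second once (a look-alike host), and the third not at all, because plain descriptive text like "team meeting" makes no claim about where the link goes. The last case is exactly why the standing advice above is to type the address yourself rather than trust what a link displays.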

In brief

Wordpress accounted for 90% of all hacked Content Management Systems last year. Sucuri blamed most of the incidents on vulnerabilities in plugins and themes, poor configuration, and lack of knowledge on the part of administrators. And 56% of affected systems weren't up to date. We have been warned.

Two of the most popular car alarm systems have fixed security vulnerabilities after researchers used them to remotely track, hijack and take control of vehicles with the alarms installed.

The massive data breach experienced by Marriott as a result of its Starwood purchase has cost $28 million, but it says all but $3 million has been covered by insurance. No details on what effect this will have on its premiums.

IBM researchers have found vulnerabilities in the automated visitor management systems that are quickly replacing receptionists. Again, poor configuration and a failure to apply updates were common problems.

Two pieces of consumer-friendly news from Apple this week. In a significant policy change, Apple Stores are reported to be willing to repair iPhones with 3rd-party batteries. And a longstanding problem with some laptop displays appears to have been fixed (by using a longer cable) though Apple won't admit the issue exists.

Updates

Cisco: Another round of security updates (one rated Critical) for various products, most focussed on Nexus switches.

Adobe: Urgent update to address a critical flaw in the ColdFusion web development platform that is being actively exploited.

Chrome: Google urges users to update their browser "right this minute" because of a critical issue which it believes is being exploited. Doing so is easy. Just close Chrome and reopen it. Then check that the 3 dots in the top right-hand corner are grey. Google says Windows 7 users are particularly vulnerable because of an issue which Microsoft is trying to fix.

Microsoft: March 1 update for Windows 10 version 1809 has been causing severe performance issues with popular games, including Destiny 2. Microsoft is working on a fix and in the meantime has told users to uninstall the update.

Android: March update addresses a range of issues. The most severe is a critical security vulnerability in the Media framework that could be exploited remotely.

Zimbra: Three security updates: Zimbra 8.8.11 “Homi Bhabha” Patch 3, Zimbra 8.8.10 “Konrad Zuse” Patch 7, Zimbra 8.7.11 Patch 9.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217