FFT news digest Mar 22 2019

Facebook passwords

Perhaps the most basic rule for anyone storing other people's passwords is not to do so in plain text; a basic rule but not one followed by Facebook. Following a report from veteran cybersecurity journalist, Brian Krebs, Facebook confirmed that it would notify "hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users" affected by the error. According to Krebs, that's up to 600 million users whose passwords were searchable by more than 20,000 Facebook employees. Facebook says, "there's no evidence to date that anyone internally abused or improperly accessed them." Which of course is not at all the same as saying no-one did so. Obviously, Facebook users should change their passwords and turn on 2-factor authentication (though we recommend an app over giving Facebook your phone number). But more important is to consider whether the social media giant can be trusted with its users' information.

Facebook New Zealand

Facebook says it failed to spot the live videostream from last week's attack in New Zealand because its artificial intelligence didn't have enough training to recognise it. Vice-President of Integrity, Guy Rosen, said in a blog post that there were fewer than 200 views of the video when it was live. The first report came 12 minutes after it ended; not a single one was received while it was streaming. In all, it was viewed more than 4,000 times and, before it was taken down, at least one copy was uploaded to a file-sharing site. There has been intense criticism of Facebook over the way it was exploited by the shooter and suggestions have been made that a time delay could be placed on live streams. Rosen says that would only slow down the process of reporting such videos, but given Facebook's expertise at data aggregation it's obvious the company will have to find a solution to this issue.

Russia phishing

Russian hackers with government links are reported to be targeting European government offices in the run-up to EU elections in May. Security firm, FireEye, says journalists, activists and LGBT rights groups are also being attacked. The main method appears to be to persuade people to open a fake login page with the aim of collecting usernames and passwords. To make their phishing emails more persuasive, the attackers are copying real government websites and registering domain names that are similar to well-known sites. FireEye names the groups as APT28 and Sandworm Team. There is convincing evidence that APT28 was behind the 2016 attack on the Democratic National Committee. Last month, Microsoft said it had spotted APT28 targeting NGOs, think tanks and government-linked organisations in Europe.

Prioritising updates

Microsoft products were the most targeted by cyber attackers last year, according to research from Recorded Future. The study of the top 10 vulnerabilities found that Microsoft accounted for 8 of them but, unsurprisingly, an issue in Adobe Flash was the second most exploited. The research is a good guide to what to prioritise when updating software. No matter how tempting it may be to put off Microsoft's gargantuan updates, the risk of doing so is high. Likewise, web browsers are under constant attack. This week their frailty was on display at a hacking contest in Vancouver, where researchers demonstrated two issues with Safari, one of which allowed them to take over a Mac completely. Restarting browsers regularly means they stay updated...and protected. On a positive note, Adobe is retiring Flash next year, which will remove one regular chore.

Mexican spyware

Further evidence of the use of spyware in Mexico has been published by the University of Toronto's Citizen Lab. Its latest report says Pegasus spyware was used to target the widow of an investigative journalist 11 days after he was shot dead. She is one of 25 people in Mexico, including journalists, editors, human rights activists and the President of the Senate, to have been attacked with the spyware. Pegasus is a particularly powerful tool because a target needs only to open a link in a text message to be infected. Citizen Lab says the use of Pegasus in Mexico "suggests a pattern of official abuse." A UK-based private equity fund, Novalpina Capital, is currently buying a majority shareholding in NSO Group, which produces Pegasus. Novalpina has responded to concerns by saying it is committed to the protection of human rights.

Spearphish 101

Tuesday is apparently the day we're most likely to find targeted phishing emails turning up in our inboxes. A report from Barracuda Networks examines how "spear phishers" try to evade security solutions, and the techniques they use to persuade users to open their emails. Barracuda analysed 360,000 emails over a 3-month period; top of the list was brand impersonation which was used in 83% of attacks (with Microsoft and Apple the companies most often spoofed). Researchers found that 1 in 3 business email compromise attacks were launched from Gmail accounts and, in a reminder not to trust display names in emails, impersonating a colleague was particularly popular. Barracuda is in the business of email security but its report has valid advice on how to stay safe, including securing your email domain and setting up multi-factor authentication.

In brief

Security professionals say freelancers and contractors are most likely to be the cause of security incidents such as fraud and device theft, according to a survey commissioned by security outfit, Endera.

Microsoft is about to begin warning users that support for Windows 7 will end next January. Organisations will be able to pay for support until 2023 but home users are advised to upgrade to Windows 10. Continuing to use unsupported software is an open door for attackers to walk through.

Palo Alto Networks says criminals are targeting enterprise devices such as routers, IP cameras and connected TVs. It warns organisations to audit connected devices, change default passwords and make sure software is up to date.

Managing data inside organisations is a headache, particularly for the media sector. The New York Times has released an open source tool that it developed to help teams collaborate. It's built in Google Docs and it's well worth a look.

Police in South Korea say criminals set up a service for voyeurs which provided live video from small hotels around the country. CNN reports the pinhole cameras were hidden in wall sockets, hairdryer holders and TV boxes.

Phishing emails this week include Netflix, American Express and (with the end of the UK tax year approaching), Her Majesty's Revenue and Customs. There's also a new Sextortion variant which tries to persuade targets they're being investigated by the CIA.

Updates

Ubuntu: Linux kernel security update for users of the Ubuntu 16.04 LTS (Xenial Xerus) operating system series to address several recently discovered vulnerabilities.

Final Cut Pro X: Version 10.4.6 is a bug fix and stability update.

Firefox: New version 66 includes welcome blocking of autoplay videos and protection against adverts which load slowly.

Opera for Android: New version includes built-in Virtual Private Network (VPN) option which protects browsing activity. No news on whether similar functionality is planned for iOS version.

Cisco: 10 updates all rated 'High' for IP Phones, Fabric Switches, and NX-OS Software.

WordPress: Further details on importance of updating to latest version (5.1.1).

Zimbra: Patch 13 released for Zimbra 8.6.0 GA release, and Patch 10 for Zimbra 8.7.11 GA release.

Tails: New release fixes "many" security vulnerabilities and updates component programs. Immediate update is advised.

SecureDrop: 0.12.1 release mainly focused on smoothing upgrade from Ubuntu 14.04 (Trusty) to Ubuntu 16.04 (Xenial). SecureDrop servers must be upgraded manually to Ubuntu 16.04 before April 30.

Drupal: security updates to address a vulnerability in Drupal Core. A remote attacker could exploit this vulnerability to take control of an affected system.
