FFT news digest Jun 28 2019

Worms in the buds

At least 10 global telecommunications providers have been infiltrated by hackers in an operation that has remained hidden since at least 2012. Security firm, Cybereason, says the attackers used tools and techniques associated with Chinese groups. The aim of the operation was to gather information about a small number of high-value targets such as diplomats, activists and politicians. The attackers could not read the content of phone calls and messages, but they did have access to Call Data Records (CDRs) and other personal data. As Cybereason explains, CDRs provide hugely important information including the source, destination and duration of calls, device details and location. This means the attackers could understand who was talking to whom, where they travelled, and what devices they used. China hasn't responded to the report, although it's previously denied accusations of cyber espionage. It's worth noting that this sort of operation is far from exclusive to one country.

Progress stalled

UK organisations regard cyber attacks as a key issue but research suggests they're failing to make progress in improving their security. NTT Security's 2019 Risk:Value report says "many businesses are paralysed in their efforts to address cyber risk and are falling behind cyber criminals." Among the contributory factors, the report says, "critical data is still not being fully secured in many organizations. Companies lack effective cybersecurity policies and incident response plans, and in many firms, these are not being communicated or tested effectively." The report also warns that insurance is not a "panacea" because insurers look for signs of a robust cybersecurity strategy when reviewing claims. The research also includes a worrying statistic about the EU's General Data Protection Regulation or GDPR. Only 30% of the global companies surveyed believed the GDPR applied to them, even though it actually applies to any organisation doing business with individuals in the EU, or which processes their personal data, regardless of where the organisation is based.

US travel 

Last week, we warned about the threats to travellers and the need to take precautions to protect information. This week, there's a cautionary tale for travellers to the US. Rolling Stone Contributing Editor, Seth Harp, has the story of his experience at the hands of US Customs and Border Protection (CBP) when he returned from a reporting trip to Mexico. Selected for secondary screening, Harp was questioned about the story he was working on, and after he was told he wouldn't be allowed to enter the US unless he complied, had his computer and phone ransacked. This type of interrogation only happens to a small fraction of the millions of passengers who arrive in the US every year, but the number is reported to have quadrupled since 2015. And your chances of being affected by it are obviously much higher if you have exotic stamps in your passport. Despite what Harp was told, US citizens and Green Card holders can't be prevented from entering the country if they refuse access to their electronic devices. But foreigners can be, so we advise you to prepare accordingly.

Digital shakedown

Ransomware criminals have been enjoying a run of success recently, earning hundreds of thousands of dollars by targeting small municipalities in the US. Lake City in Florida became the second city in two weeks to pay a six-figure sum to regain access to its systems. The mayor of Lake City said there was no choice but to hand over $460,000 to the attackers. A week earlier another Florida town had paid $600,000. In both cases, it's reported that the hackers gained control after employees clicked on links in emails. The FBI advises against paying such ransoms, not least because it's possible the criminals won't hand back control anyway. But research company Forrester says it may make sense to pay the criminals in some circumstances. Forrester's logic is inarguable, but we believe the recent spike in ransomware attacks makes it essential to ensure there are backups and they're effective. As a Lake City official told($) the Wall Street Journal, “I thought we had a backup, but obviously we didn’t have a good enough backup for this kind of attack.”

Battle of the fakes

The award for repulsive app of the week (or year) goes to 'DeepNude' which had the idea of algorithmically undressing photos of clothed women. As Motherboard reported, the idea of the software was to take a photo and replace the clothes with breasts and a vagina. We have not tested the app, but Motherboard says, when given a well-lit, high resolution image of a woman in a bikini, the results are "passably realistic". DeepNude has been widely condemned and its creator has now taken it offline, but it's just the latest example of the rapid evolution of tools to create fake content using real people. Not surprising then that researchers in the US have developed a tool to determine whether a video has been faked. In a paper, they warn that "deep fakes pose a significant threat to our democracy." Their tool differs from existing techniques by analysing an entire video, rather than examining it frame by frame. It looks for inconsistencies in face and head movements, and it uses far fewer resources, meaning, hopefully, that fake videos are identified before they can spread.

What are you worth?

A bipartisan proposal in the US Senate would require Facebook, Google, Amazon and other major platforms to reveal the value of their users' data. Democrat Senator Mark Warner and Republican Josh Hawley told Axios that consumers should be more informed "about the real value of what they give up in the form of...location data, relationship status, data about the apps we use, our age, gender and lifestyle." The proposed legislation would apply to companies with more than 100 million monthly active users, and would require them to disclose the types of data collected and provide an assessment of the value of that data every 90 days. A report from ProPrivacy examined the range of information gathered by dating apps such as Match.com and Tinder and found many users didn't realise who owned these platforms or how their data would be exploited. In an open letter, it called on the owner of the apps to be more transparent about its business model.

In brief

An urgent reminder to make sure your browser, add-ons and operating system are up to date. Onlinevideoconverter is one of several sites compromised by criminals to install ransomware and other malicious software. Only Windows machines are affected.

WeTransfer says a security incident resulted in files being shared with the wrong people. The issue was caused by a hacker adding recipients to service emails and around 232,000 people were affected, the file-sharing service said.

Step away from those macros. Microsoft is warning that attackers are returning to a favoured trick to compromise systems. Korean users have been targeted with malicious Excel files.

Time to check your internet-connected device because a hacker claiming to be a 14-year-old has been causing havoc by exploiting default passwords. The attack effectively destroys vulnerable devices and can be stopped by making sure you have changed the default password.

Clear signs that online platforms are seeking to differentiate themselves through an emphasis on security. Both Microsoft and Google have announced changes to add additional security measures to protect users.

The Metropolitan Police has been given two months to clear a backlog of Subject Access Requests. The UK data protection regulator, the ICO, said the Met had more than 1,100 open requests, with nearly 680 over three months old.

A hapless criminal has been jailed for 18 months after being caught because he dropped a USB stick as he threw a petrol bomb at a bank in Belgium. The culprit, who had a grudge against the bank, turned out to be a hacker with a long list of cyber crimes.

Updates

VLC: Update to address critical vulnerability that could allow an attacker to target a vulnerable device with a specially-crafted avi or mkv file.

Apple: Refresh for Apple's iWork productivity apps; Pages, Numbers and Keynote for Mac and iOS.

Microsoft: New cumulative update for Windows 10 version 1809 that fixes an issue that prevents Windows from connecting to Storage Area Network (SAN) devices.

Cisco: Critical update for vulnerabilities in web-based management interface of Cisco Data Center Network Manager (DCNM) that could allow an unauthenticated, remote attacker to upload arbitrary files on an affected device.

Chrome: OS 75 update includes new mitigations for Microarchitectural Data Sampling (MDS) speculative execution vulnerabilities disclosed in May.

Magento: Critical updates to address a total of 130 vulnerabilities in Magento Commerce and Magento Open Source versions 2.3.2, 2.2.9, or 2.1.18. 
