FFT news digest Jul 26 2019

Facebook

A $5 billion fine for Facebook has been met with widespread criticism, but it's unlikely to be the end of the story. The penalty, imposed by the US Federal Trade Commission (FTC), is the largest of its type and came with a fierce rebuke for Facebook's practice of "deceiving" its users about how their information would be exploited. Facebook will also have to submit to significant federal oversight of its activities. But the FTC's two Democratic members voted against the decision, saying the fine should have been higher and remedies much tougher. Critics say nothing will change in Facebook's fundamental business model which, as a former CIA officer and Facebook employee told WIRED, has resulted in the social media giant "knowing you better than the CIA does". Meanwhile, the US Department of Justice has begun investigating whether companies like Facebook, Google, Amazon and Apple have stifled competition. Facebook may have escaped lightly, but government regulators are just getting started.

Swatting journalists

A database is being used to target more than 30 journalists from major publications, according to leading cybersecurity journalist, Brian Krebs. The database lists personal details and is maintained by a far-right group that encourages supporters to harass people whose views it disagrees with. The 'Doxbin' site includes names, addresses, Social Security numbers and other sensitive information on more than 400 people including federal judges and senior executives. At least two journalists on the list have been "swatted", a practice in which police are tricked into sending an armed SWAT team to a victim's address. Krebs, who is on the list and has himself been swatted, says in some cases the information includes details on the target's family and friends. There's been a rise in direct action against journalists (and others), and it's essential to make sure social media accounts do not provide a source of information to potential attackers.

Lateral phishing

What do criminals do with an email account once they get access to it? Increasingly, they simply use it to send out more phishing emails. Research from Barracuda Networks says one in seven organisations has experienced "lateral phishing", which takes advantage of the implicit trust that comes with a known email address. This approach is not new. We've seen incidents in which access to a single corporate address has resulted in widespread security breaches, but Barracuda warns the practice is on the rise. It recommends three defensive measures: effective security awareness training, advanced automated detection techniques, and strong 2-factor authentication using an app or a hardware token. Phishing campaigns are simple and cheap. It's vital to protect against them.

Citrix: why passwords matter

Technology giant, Citrix, has confirmed that weak passwords were responsible for a major security breach this year. Citrix says criminals stole 6TB of its data after a successful 'password-spraying' attack. Password-spraying involves using a small number of common passwords (such as password123) against a large number of accounts until a working combination is found. The technique is designed to avoid being locked out of an account because of too many failed login attempts. The best defence against such attacks is to ensure passwords are strong and never shared, and to implement multi-factor authentication. Research last year from the UK's National Cyber Security Centre found 75% of participants in its survey could be vulnerable to password-spraying attacks. It urged organisations to regularly audit user passwords against lists of common passwords.
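The signature of password-spraying described above (few attempts per account, many accounts from one source, each account kept below the lockout threshold) is something a defender can look for in authentication logs. The following is an added example, not code from the digest or from Citrix or the NCSC; the log format, the field names and the thresholds (10-minute window, at least 5 accounts, at most 2 failures per account) are assumptions, and the log lines are constructed for the demonstration.

```python
"""Added example: flag password-spraying patterns in failed-login records.

Spraying tries a few passwords against many accounts, so each account sees
only one or two failures (below any lockout threshold) while one source
address touches many distinct accounts in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format "ts src_ip user result" is assumed.
SAMPLE_LOG = """\
2019-07-26T09:00:01 203.0.113.7 alice FAIL
2019-07-26T09:00:02 203.0.113.7 bob FAIL
2019-07-26T09:00:03 203.0.113.7 carol FAIL
2019-07-26T09:00:04 203.0.113.7 dave FAIL
2019-07-26T09:00:05 203.0.113.7 erin FAIL
2019-07-26T09:00:06 203.0.113.7 frank FAIL
2019-07-26T09:00:07 203.0.113.7 grace SUCCESS
2019-07-26T09:05:00 198.51.100.9 alice FAIL
2019-07-26T09:05:30 198.51.100.9 alice FAIL
2019-07-26T09:06:00 198.51.100.9 alice SUCCESS
"""


def parse_log(text):
    """Parse the assumed 'ts src_ip user result' format into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=2):
    """Return {src_ip: sorted accounts} for each source that failed against at
    least `min_accounts` distinct accounts inside `window` while never exceeding
    `max_per_account` failures on any one of them (the below-lockout signature).
    A user hammering a single account (classic brute force) is not flagged here."""
    fails = defaultdict(list)  # src_ip -> [(ts, user), ...]
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))

    flagged = {}
    for src, items in fails.items():
        items.sort()
        best = None
        start = 0
        # Sliding window over this source's failures, ordered by time.
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in items[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account
                    and (best is None or len(per_user) > len(best))):
                best = sorted(per_user)
        if best is not None:
            flagged[src] = best
    return flagged


def compromised_after_spray(events, flagged):
    """Accounts that logged in successfully from a flagged source: the 'working
    combination' the spray was looking for, so treat them as compromised."""
    return sorted({user for _, src, user, result in events
                   if result == "SUCCESS" and src in flagged})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    hits = detect_spray(ev)
    print("spray sources:", hits)
    print("accounts to reset:", compromised_after_spray(ev, hits))
```

The second source in the sample (two failures then a success on a single account) is left alone: that is an ordinary mistyped password, and treating it as a spray would drown the alert in noise. Thresholds should sit below whatever lockout policy is in force, since the attacker is tuning to stay under exactly that number.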

Deanonymisation

So here's a problem. Researchers have shown that 'anonymised' data are anything but. The scientists (from Imperial College London and Université Catholique de Louvain) have devised a computer algorithm that can identify 99.98% of Americans from almost any available data set with as few as 15 attributes, such as gender, ZIP code or marital status. Given that anonymisation is fundamental to the way data sets are used in the modern world, the research presents a challenge. The researchers have published their algorithm in an effort to highlight the issue and the need to use more effective methods to avoid 're-identification'. Lead researcher, Yves-Alexandre de Montjoye, told New Scientist, "It’s time to recognise that the tools are not working, and move on to a different range of techniques that will allow us to find a balance between using the data and preserving people’s privacy."
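The effect the researchers describe rests on a simple fact: once enough attributes are combined, most records in a table share their combination with nobody else. The following is an added example, not the researchers' published algorithm and not code from the digest; it counts uniqueness directly on a small constructed table (the attribute names and values are made up for the demonstration) and reports the k of k-anonymity, which is the check a data owner would run before calling a release "anonymised".

```python
"""Added example: measure how re-identifiable a de-identified table is.

For a chosen set of quasi-identifier columns, a record is re-identifiable
when no other record shares its combination of values. The fraction of
such records is the 'uniqueness' the re-identification result is about;
the smallest group size is the k of k-anonymity.
"""
from collections import Counter

# Constructed sample: no names, only attributes of the kind named in the text.
RECORDS = [
    {"gender": "F", "zip": "10001", "marital": "single",  "birth_year": 1985},
    {"gender": "F", "zip": "10001", "marital": "single",  "birth_year": 1990},
    {"gender": "M", "zip": "10001", "marital": "married", "birth_year": 1985},
    {"gender": "M", "zip": "10002", "marital": "married", "birth_year": 1985},
    {"gender": "F", "zip": "10002", "marital": "married", "birth_year": 1978},
    {"gender": "M", "zip": "10002", "marital": "single",  "birth_year": 1990},
    {"gender": "F", "zip": "10002", "marital": "married", "birth_year": 1978},
    {"gender": "M", "zip": "10001", "marital": "married", "birth_year": 1985},
]


def _key(record, attrs):
    return tuple(record[a] for a in attrs)


def group_sizes(records, attrs):
    """Number of records sharing each combination of the given attributes."""
    return Counter(_key(r, attrs) for r in records)


def uniqueness(records, attrs):
    """Fraction of records whose attribute combination occurs exactly once."""
    sizes = group_sizes(records, attrs)
    unique = sum(1 for r in records if sizes[_key(r, attrs)] == 1)
    return unique / len(records)


def k_anonymity(records, attrs):
    """Smallest group size: the table is k-anonymous for this k and no larger."""
    return min(group_sizes(records, attrs).values())


def uniqueness_curve(records, attrs):
    """Uniqueness as attributes are added one at a time, in the given order.
    This is the 'more attributes, more unique records' effect."""
    return [(attrs[:n], uniqueness(records, attrs[:n]))
            for n in range(1, len(attrs) + 1)]


def generalise_year(records, bucket):
    """Coarsen birth_year into `bucket`-year bands, a simple generalisation
    that enlarges groups; re-check uniqueness afterwards rather than assume."""
    return [dict(r, birth_year=(r["birth_year"] // bucket) * bucket)
            for r in records]


if __name__ == "__main__":
    attrs = ["gender", "zip", "marital", "birth_year"]
    for used, frac in uniqueness_curve(RECORDS, attrs):
        print(f"{len(used)} attribute(s): {frac:.0%} of records unique")
    print("k-anonymity with all four:", k_anonymity(RECORDS, attrs))
    coarse = generalise_year(RECORDS, bucket=20)
    print("after 20-year bands:", f"{uniqueness(coarse, attrs):.0%} unique")
```

On the sample table nobody is unique on gender alone or on gender plus ZIP, a quarter of records are unique once marital status is added, and half are unique with all four attributes, so the release is only 1-anonymous. Coarsening the birth year into 20-year bands halves the uniqueness but does not remove it, which is the point the researchers make: dropping names is not the same as anonymising.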

Crime trends

Cyber crime is becoming increasingly ingenious and mobile devices are a particular target, according to research looking at trends for the first six months of this year. Check Point says attacks on smartphones have increased by 50% compared to last year, with criminals looking to steal credentials, install surveillance software and earn money from fake advertising. Email scams are as popular as ever, but phishing tactics have evolved to bypass security solutions and evade detection. Check Point warns that there has also been a rise in software supply chain attacks in which attackers install malicious code into legitimate software by modifying and infecting one of the building blocks the software relies upon. As Check Point says, "this type of attack vector is more than just a dangerous technique; it strikes at the basic trust on which supplier-customer relations are based."

In brief

Visitor books have been removed from some of Ireland's leading heritage sites because of concerns about data privacy. The Irish data protection regulator (and many commentators) said the decision was unnecessary and disproportionate.

Criminals are targeting Office 365 administrators with fake alerts saying their licences have expired. The aim is to steal administrator credentials because of the capabilities that come with them.

A security alert about VLC Media Player turned out to be unfounded, but only after news of it had spread across social media. VLC's developer said the "security issue" had been fixed more than a year ago. (But VLC is one of the least-updated programmes, so it's worth checking that yours is up to date.)

Browser extensions are undeniably useful but their access to critical functionality means they can also be used to steal information. Ars Technica explains the discovery by a security researcher of how risky this can be.

Instagram knows where you've been and now a new app means you can track the people you follow - and they can track you. Who's In Town reveals an extraordinary amount of detail. Its developer says the idea is to alert people to the information they're sharing.

Credit reference giant, Equifax, has escaped with penalties totalling less than $700 million for a massive and entirely avoidable data breach. To put the fine in context, the CEO at the time lost his job but walked away with an estimated $90 million.

Updates

Apple: A slew of updates for Apple's range of products, including a fix for its Walkie-Talkie app which was temporarily withdrawn after the discovery of an eavesdropping vulnerability. Among the updates is one for older iOS devices - as far back as the iPhone 4s and the first-generation iPad mini - to fix an issue that stops them using GPS. Note that some users have reported problems after installing the 2019-004 security update for High Sierra and Sierra.

Synology: Network Attached Storage (NAS) devices have been hit by ransomware attacks which have exploited weak passwords. Users are urged to apply password strength rules to all accounts, create a new account in the administrator group and disable the system default "admin" account, and enable Auto Block in Control Panel to block IP addresses with too many failed login attempts.

Zimbra: release of Zimbra Collaboration 8.8.15 (aka "James Prescott Joule"). End of general support for 8.8.12 - 9/30/2019, 8.7.11 - 10/09/2019.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217