FFT news digest Aug 16 2019

The challenges of anonymity

Four men have been sentenced to long jail terms in the US after being found guilty of running a hidden network dedicated to the sexual abuse of children. The US Justice Department said 'The Giftbox Exchange' had been a "haven for sophisticated predators" who had relied on the anonymising Tor network to hide their activities. In order to avoid tipping off other criminals, the FBI hasn't revealed how it managed to pierce Tor's anonymity but law enforcement agencies have had increasing success in taking down criminal operations using the 'dark web'. While this is of course a good thing, non-criminal Tor users should take note that the network is no guarantee of anonymity. Indeed it is relatively easy to identify Tor traffic and, as Edward Snowden revealed, a raft of tools have been developed to unmask Tor users. The lesson is that if you need to communicate anonymously, you would be well-advised to seek specialist advice and even then exercise extreme caution.

Hacking cameras

Researchers have demonstrated how to attack a DSLR camera remotely and encrypt any data on it. By exploiting the Picture Transfer Protocol, the team from Check Point were able to use WiFi to take control of a Canon 80D camera, although they point out that the complexity of the protocol means other manufacturers could also be vulnerable. Canon has published an advisory telling users to install the latest firmware, but also warning against connecting to unsecured WiFi networks and suggesting the camera's network functions should be disabled when not in use. Potential vulnerabilities in digital cameras have been demonstrated previously, but the latest research provides a vivid illustration of the need for owners to be careful about how they use their cameras' network connectivity. As always, we advise against using WiFi hotspots that don't have a password because they are far too easy for attackers to exploit.

Cable risks

In our training courses we warn about the risks of free gifts. Now it seems we need to add malicious iPhone cables to the list. As Motherboard reports, a researcher has built a weaponised cable that "looks like an Apple lightning cable. It works like an Apple lightning cable. But it will give an attacker a way to remotely tap into your computer". Motherboard's journalist said he plugged the cable into an iPod and connected the device to a MacBook. Everything looked normal, but the hacker who made the cable was able to open a remote terminal window on the MacBook and run commands as he saw fit. The hacker is hoping to commercialise his idea. "Apple cables are simply the most difficult to do this to, so if I can successfully implant one of these, then I can usually do it to other cables," he said. 

GDPR timeframes

The UK data protection regulator, the ICO, has quietly announced a change to the timeframes for responding to Subject Access Requests. The time limit for a response remains a calendar month, but where previously the clock started counting from the day after receiving the request, the ICO says it now starts on the day the request is received. The change arises from a court case that has nothing at all to do with data protection, but illustrates the need to keep across the latest GDPR news. In this case, the ICO's only announcement on the issue appears to have been via Twitter. Meanwhile, the Greek regulator has fined consultancy giant PwC €150,000 for unlawfully processing the personal data of its employees. The regulator said PwC had relied on consent as the basis for processing and said, in this case, that choice was inappropriate because it had failed to be transparent over its approach. The ICO has clear advice on consent here.

Eavesdropping

Facebook may not be listening to everything we say, but it's admitted that it's been paying external contractors to transcribe clips of audio conversations using Facebook Messenger. Facebook made the admission to Bloomberg which had talked to contractors who'd been carrying out the work. It said the affected users had chosen the option offered by Messenger to have their voice chats transcribed and it insisted the process was designed to perform quality control on Facebook's artificial intelligence. The company said it had now paused the practice. Facebook joins Apple, Amazon, Google and Microsoft in having been forced to admit what it was doing. The fact that humans have been involved isn't surprising, but the lack of transparency is unimpressive. This week, Microsoft belatedly updated its privacy policy to state explicitly that humans may listen to recordings captured by the company's Cortana and Skype Translator products. 

Mobile hotspots

We are advocates for the use of mobile hotspots (or MiFi routers) but a report underlines that it's essential to keep them up to date. Pen Test Partners found weaknesses in the security of devices from several vendors who it said had been generally poor in responding to what the research discovered. In one case, "ZTE tried to tell us that the product was end of life, so wouldn’t be fixed… yet they were still selling it from their own online store!" This is a frequent problem with low-cost consumer devices and it means it's vital to make sure you change any default passwords and watch out for reports of security issues in places like this!

In brief

The US Federal Aviation Authority has banned passengers from taking on board older 15" MacBook Pros with potentially defective batteries. European regulators have also warned against using the laptops on board aircraft. Apple recalled the affected devices in June. You can check if yours is affected here.

A highly customised phishing campaign has been using Google Drive to evade email security filters. Cofense says the technique is effective because of the difficulty in blocking a legitimate business service.

A new vulnerability has been found in Bluetooth which could allow traffic to be intercepted. As well as making sure your devices are up to date, it is important to turn off Bluetooth when it's not in use.

A renewed warning about weaknesses in the links sent by airlines to manage bookings. This time, Wandera focussed on British Airways, saying that the links can be easily intercepted because they're unencrypted. The lack of security around airline record locators is well-documented and it's important to protect them (and not to post pictures of boarding passes online).

85% of enterprises allow users to access corporate data from their personal devices, but many lack effective security controls, according to Bitglass. Its report said only 30% of firms were confident of properly defending against malware on personal and mobile devices.

The teenager who tweeted from her fridge after her phone was confiscated now has nearly 36,000 followers on Twitter...

Updates

Microsoft: Monthly update includes a fix for a serious vulnerability in a Windows module that dates back to Windows XP. The issue was discovered by Google's Project Zero team and details about it have now been published, so it's essential to install the update as soon as possible. NB Some users have reported problems with the Windows 10 update (KB4512508) but Microsoft has yet to comment. There are also fixes for Azure DevOps Server, Internet Explorer, Microsoft Office, Microsoft Windows and Visual Studio, among others.

Adobe: Updates for 118 vulnerabilities across products including After Effects, Character Animator, Premiere Pro, Prelude, Creative Cloud, Acrobat and Reader, Experience Manager, and Photoshop products.

Firefox: Update addresses a vulnerability that can be exploited to bypass the master password of the built-in password manager and obtain stored passwords.

SAP: 12 Security Notes addressing vulnerabilities in NetWeaver, Business Client, Commerce Cloud, HANA, ABAP, BusinessObjects, Enable Now, and Gateway products.

Apache: 24 security advisories for the Apache Struts open source development framework have been updated after researchers found they contained incorrect information about which versions were affected.
