FFT news digest Aug 30 2019

Hacking iPhones

iPhones are considered the most secure consumer smartphone available, so there's widespread concern about research showing malicious websites have been hacking them for years. Google's Project Zero team says "simply visiting the hacked site was enough for the exploit server to attack your device and, if it was successful, install a monitoring implant." Such attacks are usually highly targeted, but this one appears to have been largely indiscriminate. Google hasn't released any details about the websites involved, so there are many questions we can't answer at the moment. From what we do know, two critical lessons emerge: rebooting a device wiped the implant, so it's good practice to get into the habit of manually restarting your iPhone; and Apple released a fix for the issue within days of being told, so it's essential to keep your device up to date. Worryingly, as Google says, the websites it found are unlikely to be the only ones. We will monitor this closely.

Current scams

A rich variety of scams this week including phishing with CVs, spamming with calendar invites, how romance fraud works and the ludicrous scale of fake login attempts. CV (or resume) scams are common but Cofense says this one is sophisticated and uses several advanced tactics to disguise itself. We advise either accepting resumes only as plaintext files or through an online portal. The calendar spam affects Google Calendar. You can stop it by turning off the setting that automatically adds invitations to your calendar. In Los Angeles, prosecutors unsealed a 145-page indictment charging 80 defendants (mostly Nigerians) with online fraud. In one case, a Japanese woman who thought she was corresponding with a US Army officer lost $200,000. And underlining the importance of using unique passwords, researchers say more than half of social media login attempts are fake. We recommend a password manager as the least worst solution.

Telegram warning

The protests in Hong Kong have highlighted the limitations of messaging security and a specific risk with the Telegram app. Software engineers in Hong Kong warned protesters against using the app to coordinate protests because it might allow the authorities to identify them. Although Telegram allows users to register an account with only their phone number and then hide that information, it appears that it's possible for an attacker to add thousands of sequential numbers as contacts and then join a Telegram channel being used to organise protests. When the contacts are synced with the Telegram app, it will reveal which numbers are active in the channel. Law enforcement could then demand the details of the person the number belongs to. While other more secure messaging solutions exist, none offer the ability of Telegram to create very large public groups.

US social media

Recent cases of travellers being refused entry to the US highlight the need to review your social media contacts and what information your electronic devices contain. To highlight the issue, a lawyer tweeted a picture of the removal form for one of his clients who was refused entry because of an image he received in a WhatsApp group. The lawyer said that subsequently border officials and the FBI visited the deported student's friends and classmates. The number of secondary inspections is still relatively small compared to the hundreds of millions of passengers who travel to the US. But the chances of being pulled aside increase dramatically if you have interesting stamps in your passport, and the number of electronic device searches is reported to have quadrupled since 2015. Planning ahead is vital because, although you can refuse to give border officials access to your devices, unless you're a US citizen or a Green Card holder the result will be immediate deportation.

Lessons from Capital One

More details - and some lessons - have emerged from the attack on the US bank Capital One, which resulted in the theft of personal information belonging to more than 100 million customers. According to court documents, a former employee of Amazon Web Services created a software programme to scan for web application firewalls that had been configured insecurely to accept remote commands. This access was then used to mine cryptocurrency and steal data from 30 companies, including a non-US telecom conglomerate and a public research university. The incident underlines the critical importance of continually reviewing cloud environments and auditing active credentials. Prosecutors say a combination of the TOR network and a VPN was used to carry out the attack. Allowing only specific connection types would have prevented the attack from working.

Ransomware

New samples of ransomware more than doubled in the first quarter of 2019, according to McAfee's latest Threats Report. This follows a decrease in the incidence of ransomware at the end of last year, and McAfee says it has seen a number of innovations, including in the mechanisms used to manage the campaigns. As McAfee points out, “Paying ransoms supports cybercriminal businesses and perpetuates attacks. There are other options available to victims of ransomware. Decryption tools and campaign information are available through tools such as the No More Ransom project.” McAfee also warns about the increasing use of 'spear-phishing', saying it was used in 68% of highly targeted attacks. And to round off a thoroughly depressing report, it says more than 2.2 billion stolen account credentials were made available on the cybercriminal underground over the course of the quarter.

In brief

Microsoft has acknowledged a bug in Windows 10 Cumulative Update KB4505903 which breaks Bluetooth speakers. It has detailed a workaround involving the System File Checker.

Qantas has banned passengers from using 15-inch MacBook Pros while on board its aircraft. The announcement follows a recall of 2015 versions of the device because of a risk that the battery could overheat. Other airlines have imposed restrictions on that device but haven't extended them to all versions of the machine.

A New York Times report reinforces our warning about LinkedIn connection requests, calling the platform a "prime hunting ground" for Chinese spies. Last week, LinkedIn said it had blocked or removed 21.6 million fake accounts in the first six months of 2019.

Apple is trying to maintain its 'privacy premium' by bringing the review of Siri audio clips in-house and apologising for not "living up to its high ideals." Audio review will now be an opt-in process.

Attackers are trying to steal credentials and other sensitive information from two widely used VPNs. Patches for the Fortigate and Pulse Secure devices have been released, but internet scans have shown that more than 14,000 Pulse Secure VPN endpoints haven't been updated and are still vulnerable.

A popular Android PDF maker turns out to have been installing malicious software along with the app. CamScanner – Phone PDF has been downloaded more than 100 million times.

Updates

iOS: update released to address a potentially serious security flaw that was re-introduced in the previous version of iOS. 12.4.1 is available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation. This fixes the issue that we warned about previously.

Lenovo: researchers have found vulnerabilities in Lenovo Solution Center. If you're still using it, you're advised to migrate to Lenovo Vantage or Lenovo Diagnostics.

Chrome: new version 76.0.3809.132 for Windows, Mac, and Linux addresses several security issues, including one that could be exploited simply by visiting a malicious webpage.

Cisco: users are urged to update devices running IOS XE because of a bug that is rated 'Critical' and could allow anyone on the internet to bypass the login process.

Check Point: update for Endpoint Security Initial Client software for Windows.

Thunderbird: Mozilla has released a major update for its email client. Version 68.0 is intended to eventually replace the current branch (60.x) and needs to be manually installed. Mozilla warns existing add-ons may not work with the new version. It plans to release an automatic update at a later stage.

Confluence: Atlassian has told users to update Confluence installations following the discovery of a critical vulnerability that could allow an attacker to gain access and steal data.

Zimbra: 8.8.15 Patch 1 and 8.8.12 Patch 5 provide security fixes and additional functionality.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217