FFT news digest Sep 13 2019

Rethinking security

Recent reports have upended assumptions about the relative security of Android and Apple devices, but there are wider implications in the researchers' findings. Until now, it was believed that zero-day (i.e. previously unknown) vulnerabilities were so expensive that they were almost always used in a highly targeted way. Google's discovery of multiple websites designed to infect visitors' devices means we have to rethink our defences. For vulnerable groups, the key exposure is web browsing. With secure solutions, such as Garrison's, the actual browsing takes place on a completely separate device and only the video and audio are displayed to the user. We believe there will be increasing uptake of these solutions. More broadly, despite Apple's protestations, its iOS devices appear to be far less secure than previously thought. As we reported last week, one broker says there are so many iOS vulnerabilities that they've stopped buying them. Unfortunately, there's little a user can do about this other than taking normal precautions with web links and ensuring devices are kept up to date. See Cellular insecurity below for more on the challenges of mobile phones.

Listening in

More research this week to knock down the widely held belief that Facebook et al. are listening to what we say. Given the sometimes freakishly accurate adverts that target us, the belief is easy to understand but, as Wandera found, it's mistaken. Researchers put identical phones in two rooms. In one, they played the audio of adverts for cat and dog food. The other was silent. Apps for Facebook, Instagram, Chrome, Snapchat, YouTube and Amazon were kept open and were given full permissions. Researchers repeated this for several days and then looked to see whether the phones were targeted with adverts for pet food. They weren't. Previous research has reached the same conclusion. But, as we say in our training courses, that's not surprising. Social media platforms know so much about us (and are so adept at tracking what we do online) that there's simply no need for them to listen to what we say as well.

Business Email Compromise

The good news: 281 people have been arrested for perpetrating BEC schemes designed "to intercept and hijack wire transfers from businesses and individuals." The bad news: the FBI says losses from BEC schemes around the world doubled year-on-year to more than $26 billion. Criminals are using increasingly sophisticated techniques to defraud organisations, with one of the latest incidents making use of "deep fake" audio to try to fool a business. The latest arrests took place in Nigeria, Turkey, Ghana, France, Italy, Japan, Kenya, Malaysia, the US and the UK, underlining the international scope of these operations. It's vital to ensure secure processes are in place to defeat the criminals, because sooner or later your organisation will be attacked.

The human factor

Hacking humans is easier than hacking machines, so it's no surprise that 99% of email attacks rely on victims clicking on links. Research from Proofpoint says, "Cybercriminals are aggressively targeting people because sending fraudulent emails, stealing credentials, and uploading malicious attachments to cloud applications is easier and far more profitable than creating an expensive, time-consuming exploit that has a high probability of failure." The research also found that attackers are copying the routines of organisations to create the best chance of success. Proofpoint says phishing emails are increasingly using cloud storage, DocuSign and other cloud services as lures to steal credentials. And it says education, finance and advertising/marketing organisations are the most at risk.

Cellular insecurity

US officials believe Israel was probably responsible for placing mobile phone surveillance devices near the White House, according to a report by the Politico website. Politico bases its report on testimony from three former senior US officials (who say the Trump administration decided not to do anything about Israel's actions). The surveillance devices, known as Stingrays or IMSI catchers, work by mimicking normal cell towers and fooling mobile phones into connecting to them. Washington DC appears to be riddled with them. Last year, NBC News found 40 possible examples by spending a morning driving around the US capital area. It's a reminder that cellphone technology is fundamentally insecure. It's based on a decades-old protocol, and US lawmakers have demanded answers about why its deficiencies haven't been addressed. They're still waiting for a response. This site has useful tips on ways to make your mobile phone more secure.

Brexit

Developments around Brexit remain fluid, but the UK data protection regulator, the ICO, has published guidance for organisations in the event of a no-deal exit from the EU. Transferring personal data from the UK to an EU entity is largely unaffected, but if an organisation is receiving data from the EU, extra steps will be needed to ensure compliance with EU law. The ICO's advice is to establish standard contractual clauses (SCCs) with the entities in the EU from which information is received. The ICO also urges UK organisations to make sure they're compliant with the EU's data protection legislation, the GDPR. That may be optimistic. Research published this week says 52% of UK businesses are not fully compliant with the regulation. More than a third of GDPR decision-makers said that the majority of compliance activity had taken place in the lead-up to the May 2018 deadline and that since then it had dropped down the priority list, according to the research from Egress.

In brief

Mistakes with emails are a common cause of data breaches, as the UN Children's organisation, UNICEF, has demonstrated. It leaked the personal information of 8,000 users of its online learning portal due to "human error".

Microsoft has rolled out its Automated Incident Response in Office 365 Advanced Threat Protection (ATP) to enterprise customers. The feature is designed to help organisations respond faster to a series of security alerts.

Open source investigators at Bellingcat have again demonstrated the power of readily available information. Using a local media report and Virginia property records they tracked down a former Russian government official reported to have been spying for the US government.

Firefox is rolling out a solution to improve the privacy of web browsing by encrypting the mechanism used to look up web addresses. DNS over HTTPS is designed to prevent third parties, such as network service providers, from easily seeing the websites internet users visit.

Apps designed to track menstrual cycles are sending deeply personal information about women’s health and sexual practices to Facebook, according to research from Privacy International.

A site promises to fix your posture by blurring your screen if you don’t sit correctly. Fix Posture constantly checks your position using your webcam.

Updates

Microsoft: Monthly update addresses 80 issues, including 2 zero-day vulnerabilities. Of the issues classified by Microsoft as critical, four relate to remote code execution vulnerabilities in Windows Remote Desktop.

SAP: 10 security notes, 4 rated as "Hot News" (3 of which are updates for previous notes). Products affected include NetWeaver.

Adobe: Security bulletins for Adobe Application Manager and Adobe Flash Player.

Cisco: Update for high-severity vulnerability in Webex Teams client for Windows that could allow an attacker to execute commands remotely.

Telegram: Fix for privacy bug caused by improperly deleted messages.


Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217