FFT news digest Sep 13 2019

Overturning security assumptions

Assumptions about smartphone security have been upended after an exploit broker announced it would pay more for Android vulnerabilities than for iOS ones. Zerodium said it was offering up to $2.5 million for ways to compromise an Android device without any user interaction. A year ago the figure was $200,000. The equivalent price for iOS devices is $2 million. Zerodium told ZDNet that "the zero-day market is so flooded by iOS exploits that we've recently started refusing some of them." Zerodium makes its money from buying vulnerabilities that can be used to attack devices and then selling them on to governments and law enforcement agencies. Its price list is a useful gauge of where those agencies are focussing their efforts. Zerodium has also increased the price offered for ways to attack instant messaging clients, including WhatsApp and iMessage. These are now worth $1.5 million.

Android threat

Coinciding with the news that Android devices are in the crosshairs comes a warning about a specific weakness that could be used to take over crucial phone functions. Check Point said the issue involves tricking users into accepting new phone settings that route all their internet traffic through a proxy controlled by the attacker. The method centres on over-the-air (OTA) provisioning, the OMA Client Provisioning (OMA CP) messages that mobile network operators use to push network settings (internet APN, MMS server, proxy, browser homepage) to a handset. The problem is that authentication of these messages is weak or non-existent: some handsets accept unauthenticated provisioning messages outright, and on others the only check is a PIN that an attacker can supply in an earlier text or derive from the subscriber's IMSI. This means that a fake SMS message is all that's needed to deploy the attack; no exploit is involved, only a convincing-looking settings prompt. Check Point says the attack works against phones from a number of Android manufacturers, including Samsung, Huawei, LG and Sony. Caution is advised before accepting unsolicited provisioning messages, however official they appear; a genuine operator will rarely need to push settings to a phone that already works. Organisations can protect their data by using a mobile device management (MDM) solution to push network settings centrally and restrict what users can accept.
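To make concrete what a pushed provisioning message can change, here is an added example (not code from Check Point, Google or any handset vendor) that inspects a decoded OMA CP document and reports the proxy it would install. It assumes the message has already been decoded from WBXML into the XML form defined in the OMA Provisioning Content specification (wap-provisioningdoc, characteristic and parm elements); the sample document, the proxy name and the 10.66.66.1 address are constructed for the example and are not an observed payload. The trusted-proxy allow-list stands in for what an operator or MDM administrator would know about their real network.

```python
"""Inspect a decoded OMA Client Provisioning (OMA CP) document and report
which network proxy it would configure.

Added example for this digest; not code from Check Point or any vendor.
Assumes the WBXML payload has already been decoded to the XML form from the
OMA Provisioning Content specification.  The sample document below is
constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a logical proxy whose physical address points at an
# attacker-controlled host.  Names and addresses are placeholders.
SAMPLE_CP = """<?xml version="1.0"?>
<wap-provisioningdoc version="1.1">
  <characteristic type="PXLOGICAL">
    <parm name="PROXY-ID" value="example-proxy"/>
    <parm name="NAME" value="Carrier Settings"/>
    <characteristic type="PXPHYSICAL">
      <parm name="PHYSICAL-PROXY-ID" value="px-1"/>
      <parm name="PXADDR" value="10.66.66.1"/>
      <parm name="PXADDRTYPE" value="IPV4"/>
      <parm name="TO-NAPID" value="nap-1"/>
      <characteristic type="PORT">
        <parm name="PORTNBR" value="8080"/>
      </characteristic>
    </characteristic>
  </characteristic>
  <characteristic type="NAPDEF">
    <parm name="NAPID" value="nap-1"/>
    <parm name="NAME" value="Carrier Internet"/>
    <parm name="BEARER" value="GSM-GPRS"/>
    <parm name="NAP-ADDRESS" value="internet"/>
    <parm name="NAP-ADDRTYPE" value="APN"/>
  </characteristic>
</wap-provisioningdoc>
"""


def _parms(characteristic):
    """Map name -> value for the direct <parm> children of a characteristic."""
    return {p.get("name"): p.get("value") for p in characteristic.findall("parm")}


def extract_proxies(doc_xml):
    """Return every proxy the document would configure.

    Each entry is a dict with proxy_id, addr, addr_type and port.  A PXLOGICAL
    characteristic names the proxy; each nested PXPHYSICAL gives an address and
    an optional PORT characteristic.
    """
    root = ET.fromstring(doc_xml)
    proxies = []
    for logical in root.iter("characteristic"):
        if logical.get("type") != "PXLOGICAL":
            continue
        lparms = _parms(logical)
        for physical in logical.findall("characteristic"):
            if physical.get("type") != "PXPHYSICAL":
                continue
            pparms = _parms(physical)
            ports = [
                _parms(port).get("PORTNBR")
                for port in physical.findall("characteristic")
                if port.get("type") == "PORT"
            ]
            proxies.append({
                "proxy_id": lparms.get("PROXY-ID"),
                "addr": pparms.get("PXADDR"),
                "addr_type": pparms.get("PXADDRTYPE"),
                "port": ports[0] if ports else None,
            })
    return proxies


def assess(doc_xml, trusted_proxies=frozenset()):
    """Flag proxies that are not on the defender's allow-list.

    trusted_proxies holds "addr:port" strings for the operator's genuine
    proxies; any other endpoint would divert the handset's traffic.
    """
    findings = []
    for px in extract_proxies(doc_xml):
        endpoint = f"{px['addr']}:{px['port']}"
        if endpoint not in trusted_proxies:
            findings.append(
                f"untrusted proxy {endpoint} (PROXY-ID={px['proxy_id']})"
            )
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_CP, trusted_proxies={"10.1.1.1:8080"}):
        print(finding)
```

Note that the body carries no proof of who sent it: the authentication Check Point found wanting lives in the push headers (the SEC and MAC parameters of the WSP content type), not in the provisioning document itself, so a checker like this can tell you what a message would change but not whether it came from your operator.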

SIM risks

There's renewed focus on the long-standing problem of SIM card fraud after Twitter's CEO, Jack Dorsey, had his account hijacked. Dorsey was among a number of well-known figures to have their accounts taken over by hackers who then posted offensive messages from them. SIM swapping involves convincing a phone operator to assign a victim's number to a new SIM card controlled by the hackers. Once that's happened, the stolen phone number receives the victim's verification text messages, which can be used to reset passwords and take over online accounts, like the Twitter CEO's. Despite this issue being known about for years, nothing substantive has been done to address it and mobile phone operators continue to be taken in by the fraud. Until the situation improves, you should make sure that your phone account is as secure as possible. Do make sure you have a strong PIN or password protecting both the account and your voicemail and, if you are required to set security questions and answers, don't use information (such as date of birth) which can be easily discovered. Where a service offers it, prefer an authenticator app or hardware key to SMS codes. Twitter says it has temporarily switched off the ability to post tweets via SMS while it addresses the issue.

Facebook phone numbers

In a vivid illustration of the failure of social media companies to protect personal data, hundreds of millions of phone numbers linked to Facebook accounts have been found online. The information was discovered on a server exposed to the internet and wasn't protected with a password, according to TechCrunch. The database contained more than 419 million records, including 133 million for US-based users and 18 million for the UK. Facebook told TechCrunch that the data was "old and appears to have information obtained before we made changes last year to remove people's ability to find others using their phone numbers." In reality, most users don't change their phone number unless they have to, which means the type of information revealed in this database is enormously valuable to criminals: a name tied to a number is exactly what is needed to attempt the SIM swapping and account takeovers described above. It's good practice to check what you're sharing on social media and make sure it doesn't include places and dates of birth or telephone numbers.

Google fine

Google is to pay $170 million to settle charges that it collected and shared data about children illegally. The US Federal Trade Commission and the New York Attorney General said Google's YouTube subsidiary violated a law requiring websites aimed at children to obtain parental consent before collecting personal information from children under the age of 13. The fine is a record under the US 1998 Children's Online Privacy Protection Act (COPPA), but privacy campaigners have criticised it as far too small to be of significance to Google, which is forecast to earn some $161 billion this year. Meanwhile, the maker of a privacy-focussed browser has accused Google of flouting EU data protection laws by leaking users' browsing activity to advertisers. Brave said that, despite assurances to the contrary, Google's advertising systems allowed companies to link individual browsing activity to persistent online identifiers.

Faking social media

China isn't alone in using fake social media accounts to pursue persons of interest, according to a privacy impact assessment published by the US Department of Homeland Security. Under the updated policy, US Citizenship and Immigration Services (USCIS) can create "fictitious accounts or identities" to access the social media accounts of people applying for green cards, citizenship, work visas and other immigration benefits. It also allows officers to collect information on anyone associated with the applicant as long as it's "reasonably relevant" to the investigation. Social media companies have pledged to remove fake accounts when they identify them, but recent data from LinkedIn illustrates the scale of the problem. It said it had blocked 21.6 million fake accounts in the first half of this year.

In brief

The risks of face-swapping apps have been highlighted by a Chinese app that has racked up millions of downloads. A researcher discovered that not only was Zao insecure, but it also failed to delete users' uploaded material as promised.

SharePoint is being used to defeat email scanning tools, according to research by Cofense: the phishing link points at a legitimate SharePoint page, which the scanners trust, and only from there leads to the credential-harvesting site. The campaign, which has targeted financial companies in the UK, begins with an email sent from a compromised account belonging to Independent Legal Assessors, a legitimate firm based in London.

Business Email Compromise (BEC) has overtaken ransomware and data breaches in cyber-insurance claims, according to AIG. It blamed the rise on poor security measures including insecure passwords, and lack of multi-factor authentication and training.

Underlining the sophistication of BEC fraudsters, deep-fake audio was used to imitate a CEO and steal €220,000 from a UK-based energy firm, according to the Wall Street Journal.

A reminder for WordPress users to make sure plugins are kept up-to-date. Wordfence says attackers have been exploiting vulnerable plugins to redirect website visitors to malicious or fraudulent pages.

Protestors in Hong Kong appear to be deserting consumer messaging platforms in favour of peer-to-peer mesh networking apps, which relay messages over Bluetooth between nearby phones rather than through the mobile network. Forbes said downloads of one such app, Bridgefy, have risen by 4,000 percent over the past 60 days.

Updates

Apple: screen replacement program launched for aluminium models of Apple Watch Series 2 and Series 3 after it emerged that some of these displays can crack.

Firefox: Version 69 for Windows, Mac, and Linux includes enhanced tracking protection (which is enabled by default). It also disables Flash by default and can block autoplay videos that don't have audio.

Android: a new set of security patches address nearly 50 vulnerabilities, including two critical flaws in the Media framework.

Microsoft: says some Windows 10, version 1809 users have begun receiving notifications to install version 1903. It says these notifications can be dismissed and the update can be installed later.

WordPress: version 5.2.3 includes 29 fixes and enhancements, as well as several security patches.

Tails: 3.16 fixes a number of security issues and users are advised to update as soon as possible.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217