FFT news digest Sep 27 2019

Tibet

More evidence this week of the use of sophisticated exploits to target an entire community. The campaign was uncovered by Citizen Lab, which says it's "the first documented case of one-click mobile exploits used to target Tibetan groups, and reflects an escalation in the sophistication of digital espionage threats targeting the community." The campaign involved attackers adopting a number of fake identities including NGO workers and journalists. They targeted senior members of Tibetan groups with individually tailored WhatsApp text exchanges containing links designed to exploit web browser vulnerabilities and install spyware on iOS and Android devices. Despite their sophistication, the attacks don't appear to have had much success because the targets' devices were up to date. The campaign is similar to the recent targeting of China's Uighur community. Both campaigns underline the importance of updating devices (and using antivirus solutions with Android), but also the need to continually assess one's current level of risk.

Securing the supply chain

Two cases this week demonstrate the importance of securing the supply chain. AFP reports that aerospace and military manufacturer, Airbus, has experienced four major attacks as suppliers were targeted in a search for technical secrets. Airbus' position as a leading supplier of civilian and military solutions makes it an obvious target for attack. Among the companies identified by AFP are engine maker, Rolls-Royce, and three French firms. In the other case, a major data breach at Indonesian airline, Lion Air, is reported to have been the result of the actions of two former employees at one of its suppliers. Lion Air's Malaysia subsidiary said the employees accessed and stole the data at an e-commerce company's Indian office. The breach affected up to 35 million people, whose names, birthdays, addresses and other information were stolen. The complexity of modern supply chains makes securing them a testing proposition, but it's an essential component in keeping any organisation safe. The UK has shared its approach to the issue in an effort to help other organisations.

Focussing on the individual

Organisations are spending more money on security initiatives, but careless users continue to be the biggest security threat, according to the latest edition of an annual security report. KnowBe4's Security Threat and Trends Report is based on a survey of 600 organisations worldwide and it found that 86% of them had proactively increased security initiatives over the last year. But 76% said users were still regularly clicking on malicious links. Nearly every organisation said email phishing scams designed to steal user credentials were the biggest security risk. The survey also found a growing sense of fear among respondents; nearly half said they worried their organisation might fall victim to a targeted attack. That's up from 35% in 2014. KnowBe4 provides security awareness training (as do we) and its report has no shortage of examples to illustrate why training is essential. But it also makes clear that training can only be one part of an effective approach to cybersecurity.

The GDPR challenge

It's hardly news that many (if not most) organisations have struggled to comply with the provisions of the EU's data protection regulation, the GDPR, which was launched last year. But research from consultancy firm, Capgemini, throws some light on the reasons why compliance is so challenging. A report based on interviews with more than 1,000 organisations found that a key cause was simply over-confidence. Three-quarters of those questioned had been confident in their ability to comply, but more than a year after enforcement of the GDPR began only 28% believed they were fully compliant. Among the other reasons, legacy systems loom large, and many respondents said the GDPR's requirements were too complex and the cost of complying with them was prohibitive. Frankly, we would be surprised if 28% of organisations are fully compliant. Compliance is an ongoing journey, not a destination. One key to compliance is not to assume you have arrived.

Cloudflare VPN

You may have seen news that internet-infrastructure giant, Cloudflare, has launched a Virtual Private Network (VPN) service for mobile devices. This is actually a re-launch to try to fix a number of issues with the service when it was first released in April. The VPN, called Warp, is designed to provide a simple mechanism to increase security on mobile devices. Unlike most mainstream VPNs, it doesn't allow you to select the region through which you connect (which can avoid geographic restrictions on media content). Its key feature is simply to encrypt any traffic flowing between a device and the internet, something which is essential when using open WiFi hotspots. The basic service is free. An upgraded version (called Warp+) offers additional speed and security and, according to Cloudflare, will cost the same as a Big Mac! That's £3.99 in the UK and $4.99 in the US. For the technically-minded, Cloudflare's blog post is an interesting insight into the challenge of securing mobile connectivity.

Right to be forgotten 

The EU's highest court has ruled that Google does not have to apply the right to be forgotten outside Europe. The case stems from a dispute between Google and the French data protection regulator. It had demanded Google remove search results containing damaging or false information about a person regardless of where the search was carried out. Google argued that the ruling could enable authoritarian governments outside Europe to cover up human rights abuses. Google's case was supported by an eclectic collection of organisations including Microsoft, the Wikimedia Foundation, and the UK freedom of expression group Article 19. Law firm, Mishcon de Reya, said the ruling raised questions about what would happen in the UK in the event of a no-deal Brexit. “Will UK search engine domains retain links to information removed from EU search engine domains?” its data protection adviser asked.

In brief

There's a warning about criminals exploiting the Google Alerts service to try to direct users to malicious websites. Bleeping Computer says attackers create spam pages with popular keywords so that they appear in Google's search index.

The endless succession of data leaks from cloud storage solutions is due to organisations having poor visibility into how they are configured and little ability to audit and manage them, according to research from McAfee.

A reminder to check there's nothing on used hard disks if they're being sold. The University of Hertfordshire examined a sample of 200 used drives and found 59 percent of them contained data from their previous owners. UK government advice on secure deletion is here.

Instagram users are being targeted by a campaign trying to steal their credentials by scaring them with fake copyright infringement alerts.

The elderly are at a heightened risk from online scams and a case in the US illustrates the scale of the problem. Two people are alleged to have stolen $10 million by telling people their devices were infected with malicious software and would need an expensive and completely pointless fix.

Updates

Apple: As expected, a new update of iOS has been released to fix the problems with last week's version. Among the issues addressed by 13.1 are faulty icons, problems with Mail and with signing in to apps and general instability. We're not convinced there won't also be problems with this version (which ordinarily would have been released at the end of September) but we advise not to delay too long before taking the update because of the security fixes in it. One issue that has already been discovered affects third-party keyboards and could allow manufacturers to collect keystroke data without the user's knowledge. Apple says this will be addressed in a future release. Meanwhile, Apple has released iOS 12.4.2 for older devices that can't run 13.1.

Chrome: Serious issues affecting the latest version of Google's web browser. Google has admitted that it contained a bug that damages the file system on macOS machines with System Integrity Protection (SIP) disabled. Meanwhile, Microsoft has warned that it “severely degrades” Microsoft cloud services. A fix is not due until October 22.

vBulletin: Patch released for widely-used forum software to fix a previously unknown (zero-day) issue. The issue is already being exploited so it's essential to update immediately.

Microsoft: Emergency security update for Internet Explorer to address a critical flaw in the browser that's already being exploited.

Forcepoint: Update for Forcepoint VPN Client for Windows to address vulnerability that can be exploited to escalate privileges.

VMware: Updates for ESXi, vCenter Server, Workstation, Fusion, VMRC and Horizon Client products to fix a range of serious issues.

Adobe: Update fixes three vulnerabilities in ColdFusion web application platform.

Cisco: Another set of updates for IOS and IOS XE network operating systems, and a fix for an issue that could give guest users root access to the 800 and 1000 series of Industrial Integrated Services Routers.
