FFT news digest Oct 4 2019

Cybersecurity month

October is cybersecurity month, so expect lots of reminders about not reusing passwords and so on. While a focus on cybersecurity is welcome, we're pretty dubious about the value of such campaigns. We reckon one of the most effective ways to make organisations and individuals more secure is to make cybersecurity a topic of everyday conversation, and one of the aims of this digest is to provide nuggets that are useful but also interesting. To put the threat of cyber-attacks in context, the World Economic Forum published a report this week showing that executives in North America and Europe regard them as the biggest threat to doing business. The report points out that "as economies and societies continue to digitize, cyber-attacks are both more lucrative for attackers and more dangerous for victims." All the more reason to talk about cybersecurity all the time, not just in October.

WhatsApp warning

Another vulnerability has been found in WhatsApp, this time in the Android app, and users should make sure they are running the latest version. A researcher discovered that an attacker could access user content by using a specially-designed GIF image to exploit a vulnerability in the way WhatsApp interacts with Android. An attack would involve using any messaging solution to send the malicious GIF to a target device. The exploit is triggered when the user opens the WhatsApp picture gallery. WhatsApp told The Next Web that there was "no reason to believe this affected any users." This is the latest in a series of issues affecting WhatsApp which exploit the complex interaction between the app and the operating system. While this may not be relevant for the majority of users, anyone with a heightened level of risk should be aware that WhatsApp is a particular target for hackers. No messaging solution should be considered completely secure, but our preference is to use Signal.

Breaking PDF encryption

German researchers have found a way to extract data from encrypted PDF files, sometimes without user interaction. 'PDFex' was tested successfully against 27 desktop and web PDF viewers, including Adobe Acrobat, Foxit Reader, and Chrome and Firefox's built-in PDF viewers. In their paper, they demonstrate how the vulnerabilities can be exploited to forge documents or read confidential content. To be successful the attackers would need access to the files, either by intercepting network traffic or physically getting hold of a device. As the academics point out, encryption is intended for precisely these situations. They say the issues lie in the PDF standard's support for encryption and the way it allows a mix of plaintext and encrypted content. They've called for changes to make it more secure.

Stalkerware

There's been a sharp rise in the use of commercial surveillance spyware, otherwise known as 'stalkerware'. Kaspersky says from January to August 2019 it recorded more than half a million instances where stalkerware was present, or someone tried to install it. That's a 373% increase over the same period last year. Russia accounted for more than a quarter of the cases, with 7.1% in the US. In Europe, Germany, Italy and the UK hold the top three places. As Kaspersky explains, consumer surveillance programs are often used for spying on colleagues, family members or partners, and are in great demand. They can cost as little as $7 a month and, once installed, stay hidden while sending back information about the device including location, browser history, text messages, and social media chats. Installation requires physical access which is a good reason not to let an unlocked device out of your sight.

Privacy in court

There were two significant rulings this week with positive implications for online privacy. The Court of Justice of the European Union decided that pre-checked consent boxes are not legally valid as grounds for installing cookies on a user's device. It also ruled that the information a "service provider must give to a user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies." Many organisations are now checking whether their approach to cookies complies with the decision. And the Court of Appeal in London has opened the way to a class action lawsuit against Google for allegedly tracking the personal data of some 4 million iPhone users. The case claims Google circumvented privacy settings to collect data from the Safari browser on users' browsing history, as well as details relating to their ethnicity, health, sexuality, political views and finances.

Disinformation as a Service

The scale of disinformation campaigns is revealed by two separate reports this week. Oxford University researchers found a sharp rise in the number of countries showing evidence of social media manipulation campaigns, up from 28 in 2017 to 70 this year. "In 26 countries, computational propaganda is being used as a tool of information control in three distinct ways: to suppress fundamental human rights, discredit political opponents, and drown out dissenting opinions," their report says. Meanwhile, Recorded Future says corporate disinformation campaigns are readily available on underground criminal forums. To gather evidence, it created a fictitious company and paid for false narratives to be spread across the web. Recorded Future says the campaigns are highly customisable, with prices ranging from several hundred to hundreds of thousands of dollars.

In brief

So it turns out that 8 generations of iOS devices (from the 4s to X) can be jailbroken thanks to a permanent issue that can't be fixed. Exploiting it requires physical access to the device and for most people it won't matter. For those at higher risk, it makes it even more important to keep the device where you can see it.

Microsoft is extending support for Windows 7 to organisations not using Windows 7 Pro and Enterprise in volume licensing. The Extended Security Update (ESU) licences will be sold on a per-device basis from 1 December 2019. For the remainder, Windows 7 support ends on January 14 2020.

Criminals are taking advantage of the collapse of Thomas Cook to try to scam customers and ex-employees. Since the company ceased trading on September 23, Skurio says it saw the creation of 53 new website domains with names relating to Thomas Cook in just seven days.

Cisco has warned Webex users about an issue that can allow anyone to join a meeting and listen in on what should be a private conversation. The vulnerability involves guessing the session identifier (difficult but not impossible). Cisco says the fix is to protect the session with a password.

Criminals are using fake browser updates to infect devices with malicious software designed to steal banking information and install ransomware. FireEye says it responded to multiple incidents this year. Remember: browsers update themselves, so to apply an update, just close and reopen the browser rather than clicking a pop-up.

No matter how hard Google tries, it doesn't seem able to squash the recurring problem of malicious apps in the Play Store. An ESET researcher found 172 harmful apps last month with more than 335 million installs between them. Do be careful with Android apps. Only install ones you're going to use, and we suggest avoiding unnecessary ones that change the wallpaper or control the torch. And delete any that you don't use any more.

More details have emerged about a data breach reported last month by Zynga (of Words With Friends fame). The original announcement gave no details beyond saying some login details might have been accessed. Now, a well-known hacker has told The Hacker News he gained access to 218 million user records.

Updates

Apple: Even by Apple's standards, three updates in a week is unusual, but shortly after releasing iOS 13.1.1, along came 13.1.12 which is designed to fix a number of issues, including problems with the torch and camera. There's also a new version of watchOS.

Microsoft: October 2019 updates for Office 2016, and Outlook 2013 and 2010. These include a new feature in Outlook that will block a number of file types in an effort to cut down on email-borne attacks.

Google: Password Checkup will scan a user's passwords to see if they've appeared in any data breaches. This is the same functionality offered by password managers like 1Password but Google intends to bake it into its Chrome browser to make it easier to use. And to draw us further into its warm embrace.

Google Maps: Google is rolling out Incognito mode for its Maps product, saying it's been one of the company's "most popular privacy controls". Just to avoid any misunderstanding, Incognito mode means that while it's turned on, your device won't record what you've been doing. What it won't do is hide your activity from anyone else like advertisers, network operators and Internet Service Providers.

vBulletin: If you're using vBulletin's forum management solution, then please make sure you've installed the patch for a vulnerability that is being actively exploited. Cybersecurity outfit Comodo didn't, and lost the personal data of 245,000 people.

Zimbra: three new patches: Zimbra 8.8.15 “James Prescott Joule” Patch 2, Zimbra 8.8.12 “Isaac Newton” Patch 6, Zimbra 8.7.11 Patch 14.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217