FFT news digest Oct 18 2019

Ransomware; fear and reality

A constant theme of security reports this year has been the threat from ransomware, and this week two major companies became its latest victims. In France, media company Groupe M6 lost access to its phone lines and email servers while, in the US, Pitney Bowes said it was hit by a "malware attack that encrypted information on some systems and disrupted customer access to services." Meanwhile, research from Datto says ransomware remains the most common cyber threat to small and medium-sized businesses. Protection against ransomware depends on taking common-sense measures including training staff and making sure security patches are installed. Above all, it's essential to have a system that ensures backups are made and copies are maintained off-site, and that tests are carried out to ensure those backups can be used.

The price of stolen data

So much of our information has been stolen that it's not actually worth very much. A survey by Flashpoint of the latest prices found that a basic set of data sells for just $4-$10. Known as "fullz", these include a victim’s name, Social Security number, date of birth, and account numbers and are designed to provide the building blocks for fraud. The price rises sharply if the data includes more specific financial information. The crown jewels for criminals are genuine passports which sell for as much as $5,000. A UK driving licence on the other hand is worth as little as $3. "Since 2017, there have been modest price bumps for some long-standing offerings related to fraud and cyberattacks. But these shifts are minuscule compared to the dramatic innovation happening in the cybercrime ecosystem—specifically with respect to targeted ransomware and SIM swapping," Flashpoint said.

Tracking 

Streaming devices are tracking our viewing habits, and consumers don't like it, according to research published this week. Researchers from Princeton and the University of Chicago examined streaming devices from Roku and Amazon and, not surprisingly, found that tracking was prevalent on both platforms. Among the information transmitted by the devices were device IDs, MAC addresses, Wi-Fi network details and, in some cases, the email address used to create an account. The researchers said there's little that can be done to combat the tracking and called on the platforms to introduce better privacy protections. Meanwhile, a survey by ESET found that a third of respondents were concerned about unauthorised access of their home networks by connected home devices.

Samsung snafu

Well, this is embarrassing. Samsung says it's investigating how a screen protector is able to defeat its "revolutionary new biometric authentication." The issue was discovered by a 34-year-old mother from West Yorkshire who bought a £2.70 screen protector for her new Galaxy S10. After registering her right thumb print, she found she could unlock the phone with her left thumb and then discovered anyone's fingerprint would do the same thing. The story was reported by The Sun which was told by Samsung that it recommended the use of Samsung-authorised accessories. Later, Samsung admitted a software patch would be issued to address the problem. This is the latest in a long list of embarrassing failures for biometric authentication. While undoubtedly convenient, there are few implementations of the technology which have proved secure.

Brexit data flows

The roller-coaster ride that is British politics makes it difficult to provide a worthwhile assessment of the "great new" Brexit deal announced by Boris Johnson. But it is worth noting that the issue of data protection is front and centre in the draft text, with a section stating, "In view of the importance of data flows and exchanges across the future relationship, the Parties are committed to ensuring a high level of personal data protection to facilitate such flows between them." The text sets a target of the end of 2020 to create the framework to ensure data can continue to flow. In the meantime, international data transfers from the EU to the UK can continue provided, of course, the deal is approved by the UK parliament. That vote is due on Saturday and approval is far from guaranteed.

Spyware in Morocco

Pegasus spyware was used to target two leading Moroccan human rights activists, according to Amnesty International. As is normal with Pegasus, the activists received SMS messages with links to malicious websites. Amnesty said one of the activists experienced instances where his phone browser redirected him to malicious websites. "These targeted digital attacks...are symptomatic of a larger pattern of reprisals against Human Rights Defenders and dissident voices being carried out by Moroccan authorities," Amnesty added. Researchers at Privacy International found that one of the malicious text messages pretended to be from TrueCaller, an app designed to reveal the identity of a caller and which has been shown to carry its own security risks. NSO, which makes Pegasus, told Amnesty that it would investigate the allegations.

In brief

Yahoo is removing most of the functionality from its Groups service, with all previously posted content due to be deleted on December 14. It says existing data can be downloaded via the site's privacy tab.

A vivid warning about the risk of photos after a Japanese entertainer was attacked outside her home by a stalker. Asia One reports that he had tracked her down by zooming in on a high resolution photo of her eye which showed the reflection of a bus stop outside her home.

Sextortion scams show no sign of tailing off, with a new campaign reported to be targeting 27 million people. The emails, which threaten to release embarrassing footage unless a ransom is paid, are made more credible by including leaked passwords.

An invaluable tool from Google, which says its new voice recorder app can transcribe recordings in real time even when not connected to the internet. Similar solutions exist already, but Google's is unusual in that the transcription takes place on the phone itself.

Generally speaking, jailbreaking an iPhone is not a good idea because it involves subverting its built-in security. Now criminals are targeting would-be 'jailbreakers' with a fake website that pretends to provide a 'how to' guide but which actually installs a malicious profile on the device.

Few tears for the demise of a misconceived age verification scheme designed to stop young Brits watching pornography. The UK government said its aims would be achieved by "wider proposals". Everyone else said the scheme would never have worked.

Drivers using cellphones in Australia could soon be caught with the help of artificial intelligence. High resolution photos will be analysed by an algorithm which will work out whether a driver is touching a mobile phone, tablet or other device. It can also tell if someone is eating...

Updates

Apple: After widespread complaints about installation issues with Catalina, a supplemental macOS update aims to stop machines hanging during the upgrade process.

Apple: Yes, another iOS update (13.1.3) which is supposed to address issues in the Mail app, Bluetooth, battery management, call alerts, and Game Centre. There are apparently no security fixes in this release. Early feedback suggests the update hasn't fixed the problems with call alerts and battery management.

Amazon: Echo 1st generation and Kindle 8th generation devices have a WiFi vulnerability that could be exploited over a WPA2-protected network. A patch was issued earlier this year, but owners are advised to check their devices have the latest firmware version.

Chrome: Update for Chrome 77 to fix eight security vulnerabilities. Closing and restarting the browser ensures the update is installed.

HP: Update for (preinstalled) Touchpoint Analytics to address an issue that could allow an attacker to take over vulnerable systems.

Adobe: Multiple updates, most for Acrobat and Reader. Serious issues also addressed in Adobe Experience Manager, some of which could result in login requirements being circumvented.

WordPress: 5.2.4 patches six vulnerabilities, including cross-site scripting, unauthorized access, server-side request forgery, and cache poisoning issues.

Cisco: Patches for critical and high-severity vulnerabilities in Aironet access point devices.

Oracle: Critical Patch Update includes 219 new security fixes across various product families with Fusion Middleware seeing the most patches.
