FFT news digest Nov 1 2019

Spyware: the scale of the problem

WhatsApp's decision to launch legal action against a notorious spyware manufacturer masks a much wider problem facing smartphone users. Research from Cisco Talos found 87 vendors selling software designed to spy on unsuspecting users. While WhatsApp's lawsuit against Israel-based NSO Group focusses on high-profile targets, the spyware industry makes sophisticated tools widely available. As Cisco Talos says, "five to 10 years ago, this capability would cost an adversary a significant amount of money. Today, anyone with an internet connection can choose from a range of commercial vendors providing identical capabilities for anywhere from free to $80 per month." WhatsApp worked with Citizen Lab to investigate the NSO attack, and ThreatPost has a lengthy interview with senior researcher John Scott-Railton which provides excellent background detail.

Political adverts

Ethical dilemma of the week: should political advertising be allowed on social media platforms? According to Twitter, the answer is 'no'; it announced a global ban on such advertising, saying "political message reach should be earned, not bought." Facebook took the opposite view, saying not only that it will continue to accept political adverts, but that it won't review them for factual accuracy. According to founder Mark Zuckerberg, "In a democracy, I don't think it's right for private companies to censor politicians or the news." He was speaking as Facebook released its latest financial results (showing substantial increases in users and revenue). Zuckerberg's decision has drawn criticism, even from within Facebook. But the reality is that adverts are part of a much bigger problem. This week, Facebook took down 78 Facebook and Instagram accounts which it said originated in Russia and were designed to spread disinformation in 8 African countries.

Mobile phone tracking

In other tracking news, Spain and Belgium have provided a glimpse into the power of mobile networks and how their technology can be used to track where we are and where we're from. In Belgium, the popular tourist destination Kortrijk is using mobile phone company data to analyse the number of people in the town and where they come from. Belgian broadcaster VRT says city officials plan to compare the data with credit and debit card information to work out how much people are spending. In Spain, the national statistical body is planning to track virtually every mobile phone in the country over a 4-day period this month. To ensure anonymity, the country has been divided into cells with a minimum of 5,000 inhabitants. Location checks will be timed to establish where people live and where they work, with the aim of understanding commuting patterns. It's the first in a series of such studies.

Online anonymity

As Britain prepares for a general election, politicians from both main parties have raised the issue of online anonymity and whether social media users should be required to prove who they are. Shadow Home Secretary Diane Abbott told the BBC, "the huge rise in online abuse...has to do with anonymity online and my view is we should make it harder for people to be anonymous online. They can have an anonymous identity but the website should have their real name and address." Also speaking to the BBC, former deputy Prime Minister David Lidington said, "this is something the big social media companies do need to look at and I question whether it's right for people to make abusive comments without putting their real names to them." There's no doubt about the level of online abuse experienced by politicians (which in the UK has provoked many leading political figures - mostly female - to leave politics). We expect the issue of online anonymity to come under increasing scrutiny, especially in the UK.

Facial recognition

From Australia, whose former Prime Minister said the laws of mathematics didn't apply to it, comes another dingbat idea: use facial recognition to stop under-age people watching online pornography. Pretty much everyone would agree that deeply troubling material is far too easy for young people to see, but finding an effective way to prevent this is fiendishly difficult, and perhaps impossible. The notion of using facial recognition comes from the Australian Department of Home Affairs, which suggested expanding an existing facial recognition database to create an age verification solution. Given the growing number of sextortion scams, making people turn on their cameras when they're watching adult content is unlikely to end well.

SMS insecurity

A group connected to the Chinese government has been targeting telecoms companies with malicious software designed to access text messages. FireEye said the tool (dubbed 'MessageTap') was discovered on the server of an unnamed company and was designed to spy on specific individuals. The group blamed for the attack, known as APT41, has been linked to operations sponsored by the Chinese government, including espionage and fraud. The attack illustrates the inherent insecurity of SMS, whose content is not designed to be encrypted and which is therefore an obvious target for attackers. FireEye warns that we should expect further attacks that focus on the systems of telecom operators, and advises potential targets to avoid SMS and adopt solutions such as Signal that provide end-to-end encryption.

In brief

Sophos warns about a popular new photo app called Gradient which is billed as "the next big thing in the world of mobile photo editing". Gradient has a feature which is supposed to tell you which celebrity you look like (spoiler: Sophos gave it a photo of its office carpet and it matched it to Nelson Mandela). More worrying, the app could end up costing you an awful lot more than you bargained for.

Voicemail-themed phishing emails are being used to target Office 365 users at high-profile companies. McAfee says the emails have fake Microsoft branding and contain an HTML attachment designed to play what sounds like a truncated voicemail.

Apple removed 17 malicious iPhone apps from its App Store. Wandera found the applications (all from the same developer) were clicking links and opening windows in the background.

Domain name registrars, NetworkSolutions.com, Register.com and Web.com are telling customers to reset their passwords following an intrusion in August.

The US Department of the Interior grounded its fleet of more than 800 drones, citing concerns about security risks from their Chinese-manufactured components.
Russian researchers were forced to resort to crowd-funding after the migratory eagles they were studying racked up thousands of dollars in cellphone charges. The scientists failed to plan for the enormous roaming costs of the tracker devices they fitted to the Steppe eagles.

Updates

The majority of breaches this year have been due to a failure to apply security patches, according to research from ServiceNow. The study says patching is delayed an average of 12 days due to data silos and poor organisation. We don't underestimate the challenge of applying updates in an enterprise environment, but neither do we ignore the risks of failing to have a patching policy that is fit for purpose.

Apple: Important security updates for most products, but especially important for macOS Catalina 10.15, Mojave 10.14.6 and High Sierra 10.13.6.

Apple: If you have an old iPhone (4 or 5) or an early iPad with cellular connectivity (mini, 2, 3), then you have until 00:00 GMT on November 3 to update it. If you don't, the only thing they'll be good for is recycling. The issue is caused by a design limitation in the GPS system which iOS devices depend on for time and date settings.

Apple: Lots of coverage this week in British newspapers about iOS13 KILLING batteries (the Daily Mail's caps). As we've reported, there have been plenty of problems with iOS13, but the Daily Mail's report should be taken with a handful of salt (not least because it says the problems extend to iPhone 6 models, which can't even run iOS13). When you upgrade to iOS13, a lot of work takes place in the background, including re-indexing all the data on the device. This is processor-intensive so, if the phone isn't connected to mains power, the battery will drain quickly. That said, there are multiple reports from unhappy users, so we think iOS13 is still not quite ready for prime time - and that includes 13.2, which was released this week and is said to be killing background apps.

Firefox: The latest version of the Firefox browser is intended to help protect the privacy of users. Unfortunately, but not surprisingly, it also breaks many websites. This is a common consequence of using ad blockers and privacy trackers. There is a workaround - and Mozilla says it's working on a fix. We wish them luck in finding one.

Chrome: Urgent update to patch a zero-day vulnerability that is being actively exploited.

MikroTik: Ensure firmware version is 6.45.7, which patches serious security vulnerabilities in earlier versions.

LibreOffice: 6.3.3 update has 83 changes including multiple bug fixes, although the developers advise that LibreOffice 6.3 is still not ready for enterprise deployments.
