FFT news digest Nov 8 2019

Fake news

So even before the UK's general election campaign had officially begun, the Conservative Party managed to publish a video showing something that never happened. The clip, posted on the Conservatives' social media channels, showed the Shadow Brexit Secretary, Keir Starmer, failing to answer a question in a TV interview. In reality, he had given a full answer but, far from apologising for the deceit, the Conservatives said the video was obviously "humorous" and promptly put out a new version which was also false. The incident underlines social media's threat to the foundations of the electoral process. Viral clips (whether real or fake) are a key way of delivering messages to groups which no longer watch TV news or read newspapers. This one was viewed more than a million times after a BBC journalist highlighted it, and there's no effective sanction to prevent political parties continuing to saunter down this perilous path (which Facebook has made clear it won't block).

Insider threat

It's an unfortunate truth that one of the biggest threats to organisations comes from the people working for them. Twitter and the security firm Trend Micro provided some pretty extraordinary examples this week. In Twitter's case, two former employees were accused of spying for the Saudi royal family. The US Justice Department said they had colluded with a third person to mine Twitter's internal systems for personal information about known Saudi critics and thousands of other Twitter users. And Trend Micro revealed that a rogue employee had sold personal details belonging to about 120,000 of its customers. The information was copied from an internal database and sold to a criminal who used the data in tech support scams. The theft only came to light when customers began reporting suspicious calls from people claiming to be Trend Micro support staff.

Ransomware

Spain's oldest and largest radio broadcaster has been hit by a ransomware attack which took local transmissions off air and left staff unable to access its network computers. "We are in hysteria mode," a technician at Cadena SER told ABC newspaper. SER said it was maintaining a national broadcast with the help of autonomous teams. It was one of a number of Spanish organisations to be attacked at the same time, with criminals reported to be demanding a €750,000 ransom. Separately, Japanese media conglomerate, Nikkei, revealed it had lost some 29 million dollars in a Business Email Compromise (BEC) scam. It said an employee of its US subsidiary transferred the funds as a result of fraudulent instructions from criminals posing as a Nikkei executive. BEC is a multi-billion dollar business and it's essential to have effective processes in place to check any requests for funds transfers.

Phishing

Phishing attacks are at their highest level for three years, according to the Anti-Phishing Working Group (APWG). Its latest report says the total number of phishing sites detected in July through September 2019 was 266,387, up 46% from the previous quarter and almost double the figure for the last quarter of 2018. Among the latest lures doing the rounds is one tempting employees with the prospect of a pay rise. Cofense says the attackers impersonated the target's human resources department and asked them to open a spreadsheet alluringly entitled "salary-increase-sheet-November-2019.xls". Another claims to be from the UK Ministry of Justice and targets insurance companies and retailers with an email purporting to contain information about a "subpoena". Unfortunately for the attackers, subpoena is a US term that hasn't been used in the UK for more than 20 years.

Future threats

If you think cybersecurity is challenging now, get ready for a roller coaster ride in the next decade. Among the risks we should prepare for are weaponised cyber drones, attacks on satellite infrastructure and connected cars, and attempts to disrupt the Tokyo Olympics, according to Booz Allen Hamilton. Its 2020 Cyber Threat Trends Outlook highlights 9 emerging threats which it says organisations should be aware of. In particular, it warns that drones are likely to be used as the initial mechanism to infect networks (Swiss company Oneconsult has already demonstrated how a drone can be used to hack a smart TV). Booz Allen's report has suggestions to mitigate the threats it documents. The good news: they mostly come down to focussing on the basics.

Blinded

Given the frailties of technology, always-on microphones present obvious security issues. Now researchers have demonstrated how smart assistants can be hijacked by lasers. The method exploits the design of the device's microphones and works from as far as 110 metres away. "By modulating an electrical signal in the intensity of a light beam, attackers can trick microphones into producing electrical signals as if they are receiving genuine audio," the researchers said. They added that the method works on various devices and voice assistants, including Apple's Siri, Facebook Portal and Google Assistant. They also described how a stealthy attack could use invisible lasers and instruct the targeted devices to mute the speaker so there would be no audible confirmation of a command being executed.

In brief

Airbnb says it will verify every listing and introduce a "guest guarantee" if rentals don't match their description. The pledge comes a week after a Vice journalist revealed a sophisticated and wide-ranging scam targeting Airbnb users.

Firefox users are being targeted with a tech support scam that causes the browser to lock up. The malicious website tries to scare users by saying they are running pirated software. Mozilla says it's working on a fix.

Anyone who's been unlucky enough to have their Instagram account hijacked will know how painful it is to regain control of it. So painful, according to Motherboard, that hackers have spotted a market opportunity and are charging thousands of dollars to help them.

A network of popular "camgirl" websites failed to secure a database, exposing the details of millions of sex workers and website users. TechCrunch says researchers discovered the database was left without a password for weeks.

In what looks suspiciously like a publicity stunt, James Dean is to star in a movie more than 60 years after his death. The Hollywood Reporter says a production company obtained the rights to Dean's image from his family and will use CGI technology to recreate his body.

Updates

Apple: iOS 13.2.2 is intended to fix a memory management issue that prevented devices multitasking properly. In practice, that meant apps would reload more frequently than usual causing you to lose what you were doing if you switched between them.

Microsoft: Warning to ensure updates have been applied to the Remote Desktop Protocol (RDP) service because of a vulnerability affecting Windows 7, Windows Server 2008 R2 and Windows Server 2008. The issue (dubbed 'BlueKeep') is being actively exploited.

Microsoft: Office 365 ProPlus is to get a new feature called Application Guard that will allow users to open attachments in a virtualized container. The feature is similar to one already in use with the Edge browser and is designed to protect Windows from malicious macros and exploits.

Amazon: Automatic update for Ring Video Doorbell Pro, after Bitdefender discovered a vulnerability that could be used to reveal the owner's WiFi credentials.

Cisco: Updates to fix multiple vulnerabilities across products including Small Business Routers, TelePresence Collaboration Endpoint, RoomOS, and Web Security Appliance.
