FFT news digest Jan 10 2020

Travelexed

A woeful start to the year for foreign exchange firm, Travelex, which has provided a textbook example of cybersecurity failure and communication incompetence. The company's services were taken down on New Year's Eve by a ransomware attack, but this was initially blamed on "planned maintenance." The attackers told the BBC that they had been in Travelex's systems for six months and had stolen 5GB of customer information which would be published unless they're paid $6 million. They appear to have accessed the systems through vulnerable Pulse Secure VPN servers. Cybersecurity company, Bad Packets, says it told Travelex about the issue last September after it spotted mass attempts to identify vulnerable installs. Despite the attackers claiming to have accessed personal data, Travelex doesn't yet appear to have informed regulators, which EU legislation obliges them to do within 72 hours of discovering the breach. This incident will be as painful for Travelex as it continues to be for its customers.

Facebook's deep fake

Facebook has tried to seize the initiative in dealing with disinformation, but its efforts haven't impressed its critics. Acknowledging that there needs to be more transparency in political advertising, Facebook says it will give users more control over the adverts they see - but it will maintain its policy of letting politicians lie. "Ultimately, we don’t think decisions about political ads should be made by private companies, which is why we are arguing for regulation that would apply across the industry," it said. Separately, Facebook says it will introduce controls to limit "deep fakes" and manipulated media on its platforms. But this will apply only to hard-to-spot, sophisticated examples. Parody and satire won't be affected. And, Facebook told Reuters, neither will the notorious video of US House Speaker, Nancy Pelosi, which was edited to make her look incoherent.

Fooled

When it comes to cyber crime, even Nobel laureates can be taken in by social engineering scams. In a now-deleted tweet, New York Times columnist, Paul Krugman, said, "I’m on the phone with my computer security service, and as I understand it someone compromised my IP address and is using it to download child pornography." Later Krugman tweeted, "The Times is now on the case...thinks it may have been a scam" prompting widespread ridicule, particularly from those for whom he is a bete noire. Some of those mocking Krugman might like to keep in mind the ever more sophisticated tools available to the criminals behind such scams. Last year, the CEO of a UK-based company transferred €220,000 to attackers who had used artificial intelligence-based tools to impersonate his German boss. "The victim recognized his boss’s slight German accent and the melody of his voice on the phone," The Wall Street Journal reported.

Insider risk

Cybersecurity threats often originate inside an organisation, as a global internet company has discovered. One of its former IT managers has admitted stealing $6 million by creating a fake business that billed the company for nonexistent services and equipment. Within four months of joining, the executive began sending himself bogus invoices on behalf of a shell company. He was only caught when tax investigators inspected the invoices, some of which were submitted as Word documents. Unfortunately for the manager, the investigators noticed that the metadata in some of the documents identified him as their creator. Among the claims on his LinkedIn profile: "Establish and improve enterprise-level security and security services that achieve 100% defense over 10+ years," which is one way of putting it. No organisation is too big or small to be affected by this type of scam, which can be prevented by effective processes.
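The metadata check that caught the manager can be automated as an accounts-payable control. The following is an added example, not code from the digest or from the company involved: it builds two constructed .docx packages in memory (a .docx is a zip whose docProps/core.xml carries the author fields), reads the dc:creator and cp:lastModifiedBy properties, and flags any supplier invoice whose author matches an employee name. All vendor and employee names are made up for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used in docProps/core.xml of an OOXML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def build_sample_docx(creator, last_modified_by, body_text):
    """Build a minimal, constructed .docx in memory with the given core properties.

    Only the parts needed for the metadata check are written; Word would want
    more, but this is sample input for the example, not a real invoice.
    """
    core_xml = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}">
  <dc:title>Invoice</dc:title>
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>
</cp:coreProperties>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not inspected here
        z.writestr("docProps/core.xml", core_xml)
        z.writestr("word/document.xml", f"<document>{body_text}</document>")
    return buf.getvalue()


def extract_core_properties(docx_bytes):
    """Return the author-related core properties of a .docx as a dict.

    Missing docProps/core.xml (e.g. a stripped or non-OOXML file) yields {}.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for tag, key in (("dc:creator", "creator"), ("cp:lastModifiedBy", "last_modified_by")):
        el = root.find(tag, NS)
        if el is not None and el.text:
            props[key] = el.text.strip()
    return props


def flag_internal_authors(invoices, employee_names):
    """Return (vendor, field, name) for each supplier invoice whose creator or
    last-modifier matches an employee name (case-insensitive)."""
    staff = {n.lower() for n in employee_names}
    hits = []
    for vendor, data in invoices:
        props = extract_core_properties(data)
        for field in ("creator", "last_modified_by"):
            name = props.get(field)
            if name and name.lower() in staff:
                hits.append((vendor, field, name))
    return hits


def sample_invoices():
    # Constructed sample data: two supplier invoices as in-memory .docx packages.
    # "Pat Example" is a made-up employee; "Northwind Billing" a made-up vendor account.
    return [
        ("Acme Consulting Ltd", build_sample_docx("Pat Example", "Pat Example", "Invoice 1001")),
        ("Northwind Supplies", build_sample_docx("Northwind Billing", "Northwind Billing", "Invoice 2002")),
    ]


# Made-up staff list; in practice this would come from the HR directory.
EMPLOYEES = ["Pat Example", "Sam Sample"]

if __name__ == "__main__":
    for vendor, field, name in flag_internal_authors(sample_invoices(), EMPLOYEES):
        print(f"REVIEW: invoice from {vendor!r} has {field} = {name!r} (matches an employee)")
```

The check is cheap and has no false negatives for the case in the story, but an absent match proves nothing: author fields are easy to clear or edit, so it belongs alongside vendor verification and segregation of duties rather than in place of them.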

China NGOs

A cyber-espionage group seemingly linked to the Chinese government is targeting non-governmental organizations (NGOs) in South and East Asia, according to Secureworks. Dubbed 'Bronze President', Secureworks says the group may have been active since at least 2014, using proprietary and publicly available tools to target NGOs as well as political and law enforcement organizations. Researchers say the hackers seek specific file types as well as credentials from network accounts with elevated privileges. Email and social media are also attacked. Secureworks ascribes the operation to China because of the NGOs' work as well as the tools and infrastructure used. While it's almost impossible to defeat a concerted attack by a nation state (or groups connected to one), ensuring basic security measures are in place will make such attacks much more difficult to carry out successfully.

Ring

Home security company, Ring, has admitted firing 4 employees for watching videos from customers' devices without permission. The Amazon-owned company was responding to questions from US Senators following a series of reports of security issues with its products.
As well as sacking the employees, Ring said it had imposed new rules so that only three employees can access stored customer videos. In a letter obtained by Motherboard, Ring said it had implemented "a robust information program" to protect its customers' data. The Senators are unlikely to be satisfied with all of Ring's answers. Asked specifically whether it had implemented a specific international standard on vulnerability disclosure, Ring said only that it had "implemented a wide range of robust Amazon and Ring-specific information security policies and procedures."

In brief

While the threat of all-out war between the US and Iran has receded, researchers believe the risk of cyber attacks by Teheran has not. “Iran has the capability and the tendency to launch destructive attacks,” the director of the Department of Homeland Security’s computer security arm told the New York Times. In Iran, a military commander said Teheran launched a successful cyber attack on US navigation systems to coincide with its missile launches.

If you're still running Windows 7, a reminder that Microsoft will no longer support it from next Tuesday. An extra two years of support is available, for a price.

The UK data protection regulator has imposed the maximum fine of £500,000 on Dixons Carphone for exposing millions of payment card details and personal data. A lack of security contributed to a "careless loss of data," the Information Commissioner's Office said.

US border agencies have moved forward with a plan to collect DNA samples from detained travellers. Civil liberty organisations have criticised the proposals as an "unacceptable and unnecessary privacy intrusion".

Mobile communications app, ToTok, has returned to Google's Play Store after being removed because of security concerns. The New York Times had reported that it could be used for surveillance by the United Arab Emirates, where it was developed. It is still absent from Apple's App Store.

A British man has been jailed for two years for using a widely available tool to hijack the webcams of young women and spy on them. The 27-year old was arrested as part of an international investigation into purchasers of the Imminent Monitor tool.

Another CES tech extravaganza is drawing to a close, with its customary collection of eclectic innovations. Among those related to cybersecurity, a 'whole house' security solution from Avast and a privacy app for Samsung smart TVs.

Updates

Firefox: Version 72.0.1 fixes a vulnerability that's being actively exploited. It's important because it affects the core component in Firefox that handles JavaScript operations.

Citrix: Scans have been spotted as attackers try to find Citrix Application Delivery Controller (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) servers vulnerable to attacks. Citrix has issued advice on how to mitigate the threat but has yet to release a fix.

Android: Patches for 40 vulnerabilities, including a critical flaw in the Media framework.

Cisco: Multiple updates, with advisories for Webex and IOS XE rated High.

Tails: Version 4.2 addresses multiple security issues and improves the automatic upgrade process.

TikTok: New version fixes vulnerabilities that could have leaked personal information. The company says no sensitive data was stolen.

Juniper: Updates to address multiple vulnerabilities in various products which could be exploited to take control of an affected system.
