FFT news digest Feb 7 2020

Ever giving

If you want an incentive to avoid having your personal data stolen, look at the experience of hapless Ashley Madison users. It's five years since details of 32 million Ashley Madison accounts appeared on the Dark Web. Now, Vade Secure has uncovered a highly personalised extortion scam that exploits the stolen data, which included names, passwords, addresses and phone numbers, as well as financial information. The campaign uses an email to threaten targets with publication of their Ashley Madison account unless they pay the blackmailer around $1,000. The email is highly personalised - and includes details of personal messages sent on the dating site (designed to facilitate affairs for people wishing to 'play away'). There's obviously little an individual can do to improve an organisation's security - but we advise extreme caution before signing up to platforms that involve sharing information you'd prefer never saw the light of day. Because, sooner or later, it will.

Impersonation

An Iranian hacking group is behind a phishing campaign in which the attackers pretend to be journalists in order to break into email accounts. Certfa cites the case of an Iranian-born German academic who received an interview request that appeared to come from The Wall Street Journal. The academic was suspicious, not least because he was asked to enter his Google password to see the interview questions. Reuters reports that it saw examples of similar impersonations of two media figures at CNN and Deutsche Welle. This is a variation on the common theme of stealing familiar people's identities to make email attacks look more credible. In this case, Certfa said the attackers used Google Sites to host a page that purportedly contained the interview questions. This, they hoped, would make targets more likely to enter their password.

Top Ten

Keeping applications and systems up to date is essential but hard to do, so it's not surprising that more than half the security vulnerabilities most commonly exploited by attackers are over a year old. Analysis by Recorded Future found that six of the most commonly exploited vulnerabilities last year were repeats from 2018. All of Recorded Future's Top Ten involved either Microsoft products (notably Internet Explorer) or Adobe Flash. Fixes for all of them were available but frequently ignored, often for perfectly understandable reasons (see Updates below). An effective patching policy is essential and we don't underestimate the challenge it represents. But leaving software and hardware unpatched means an attack will succeed...and regulators will be deeply unimpressed if an update was available that could have stopped it.

Councils

Nearly all the UK's councils are exploiting visitors to their websites by selling data about them to private companies, according to research from the privacy-focused browser Brave. The data includes information related to use of their websites for help with benefit claims, disability or alcoholism. Brave found Enfield and Sheffield Councils had the most trackers on their sites, and almost all of them used Google tools which enable people to be tracked as they move around the web. This information is the fuel that drives the behavioural advertising industry and supports the system known as 'real-time bidding.' None of the data-collecting companies recorded in the study had received consent from website visitors to lawfully process data, Brave says. And it accuses the UK Data Protection Regulator of failing to take action, despite having expressed serious concerns about real-time bidding and demanding the industry "adjust their practices."

Public WiFi risks

People like us often drone on about the risks of public WiFi hotspots, particularly those that don't have a password. Now, the Electronic Frontier Foundation has told us not to worry. We respectfully disagree. The EFF's argument is that the widespread adoption of HTTPS means that any data exchanged with HTTPS websites is protected by an impermeable layer of encryption. This is true, but we believe the problem begins with the process of connecting to a public WiFi hotspot. As an attacker, it's trivially easy to set up a hotspot in a busy location like an airport, railway station or coffee shop. Once that's done, there are simple ways to try to harvest people's information. Imagine, for example, asking users to sign in with their Google or Facebook credentials to access the internet. We do agree with the EFF that HTTPS encryption makes websites safer than they were. But we will continue to use mobile data and avoid public WiFi whenever possible.

Cleaning up

Criminal gangs are placing "sleepers" in cleaning companies to help them access IT infrastructure, according to a UK police officer. Computer Business Review said Shelton Newsham told a security event that he was seeing a sharp increase in physical breaches. Criminals are "also using people in painting and decorating firms; anyone with out of hours access to a building is fair game," he said. Newsham also warned that criminals were still using the whiskery old tactic of planting booby-trapped USB sticks in the hope that someone would pick one up and put it in an office machine. As our training stresses, security has to encompass all of an organisation if it's to be effective. That means having 'clear desk' policies, never sticking passwords up on notes and making sure that computers are properly secured. Cyber criminals are assiduous and highly organised. We have to make sure we are too.

In brief

Attackers will exploit any news event, so it's no surprise the Coronavirus outbreak is being used in phishing campaigns. There are several versions. One, supposedly from the World Health Organisation, carries the message: “Click here to download safety measures to prevent the spread of the coronavirus.” Sophos

An ingenious attempt to spread malicious software tries to scare people by warning them that their email address is on a blocklist. The campaign purports to be from Spamhaus, which creates lists of email addresses that have been used to send spam messages. Matthew Mesa

Twitter says it's shut down a "large number of fake accounts" that were being used to match phone numbers to user accounts. The feature was meant to help people match Twitter handles with phone numbers. It turned out it could be abused by submitting millions of numbers to find matches.

It's all too easy to forget to renew security certificates, as Microsoft found out when its Teams app stopped working just as the business day began in the US. Doubtless, they'll now be making sure they have a process to remind them not to forget again.
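A reminder process needs a check behind it. The following is an added example, not code from the digest or from Microsoft: it reads the notAfter date in the certificate dict that Python's ssl module returns and reports how many days remain, so a scheduled job can warn before the certificate lapses. The 30-day threshold and the fetch_peer_cert helper are assumptions.

```python
"""Certificate-expiry check (added example; not from the digest or Microsoft).

Works on the dict returned by ssl.SSLSocket.getpeercert(), whose notAfter
field looks like 'Feb  7 12:00:00 2020 GMT', so a scheduled job can warn
well before a certificate lapses the way the Teams one did.
"""
import socket
import ssl
import time
from typing import Optional

WARN_DAYS = 30  # assumed threshold; set it to your renewal lead time


def days_until_expiry(cert: dict, now_ts: Optional[float] = None) -> float:
    """Days from now_ts (Unix seconds, default: current time) until notAfter.

    Negative means the certificate has already expired.
    """
    expires_ts = ssl.cert_time_to_seconds(cert["notAfter"])  # parsed as UTC
    if now_ts is None:
        now_ts = time.time()
    return (expires_ts - now_ts) / 86400.0


def expiry_status(cert: dict, now_ts: Optional[float] = None,
                  warn_days: int = WARN_DAYS) -> str:
    """Classify as 'expired', 'expiring' (inside the warning window) or 'ok'."""
    remaining = days_until_expiry(cert, now_ts)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "expiring"
    return "ok"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port, validate the chain, and return the leaf cert dict.

    Needs network access; the hostnames you monitor are your own choice.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    for hostname in sys.argv[1:]:  # e.g. python check_cert.py example.com
        peer_cert = fetch_peer_cert(hostname)
        print(f"{hostname}: {expiry_status(peer_cert)} "
              f"({days_until_expiry(peer_cert):.1f} days left)")
```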

Two NGOs have submitted a new legal challenge after MI5 admitted that vast troves of personal data are being held in “ungoverned spaces.” Privacy International and Liberty accuse the UK's domestic intelligence agency of systematically breaking surveillance laws.

Updates

WhatsApp: Not for the first time, flaws have been found in the desktop version of WhatsApp. A researcher discovered it was possible to create a link in a message that would redirect users to a malicious website and then run some JavaScript to execute code. All of this would happen without any visible sign to the user. The current Mac desktop version is 0.4.612 - although there are references flying around to an earlier version. The important thing is to check you've updated; closing and reopening the app should be sufficient.

Windows 10: Microsoft has extended its run of buggy updates with a version released last week that has caused audio problems and broken internet connectivity for some users. One workaround is to uninstall the offending update (Start | Settings | Update & Security | View Update History | Uninstall updates | KB4532695) although unfortunately this doesn't always work. Microsoft's losing streak has prompted one expert to plead with it to get its act together because of the risk that users will put their security at risk by simply ignoring updates. More positively, Microsoft has fixed its Windows 10 search function which was broken for much of the week.

Chrome: Version 80 is now available for all platforms and it brings some big changes. The first is designed to enhance the privacy of users by restricting which 'cookies' can be loaded when a user browses to a webpage. The aim is to make it harder to track users across the web. Google has also changed the way Chrome handles notification pop-ups. Instead of popping up, these will now be hidden behind an icon in the address bar.
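The cookie restriction in Chrome 80 is the SameSite change: a cookie set without a SameSite attribute is now treated as Lax, and a cookie marked SameSite=None is rejected unless it is also Secure. The following is an added example, not Google's code or the digest's, that audits Set-Cookie headers against those rules so a site owner can see which cookies stop working in cross-site contexts; the sample headers are constructed.

```python
"""Chrome 80 SameSite cookie audit (added example; not Google's or the digest's code).

Assumed rules, as Chrome 80 applies them: a cookie with no SameSite attribute
is treated as Lax; SameSite=None is rejected unless the cookie is also Secure.
"""
from typing import Dict, Iterable, Tuple


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie line into (cookie name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:  # skip empty segments left by a trailing semicolon
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def chrome80_cross_site_outcome(header: str) -> str:
    """How Chrome 80 handles the cookie on a cross-site embedded request.

    'rejected' : SameSite=None without Secure; Chrome drops the cookie entirely
    'sent'     : SameSite=None; Secure, the only combination still sent cross-site
    'withheld' : Lax (explicit, defaulted or unrecognised value) or Strict
    """
    _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()  # missing -> Lax by default
    if samesite == "none":
        return "sent" if "secure" in attrs else "rejected"
    return "withheld"


def audit(headers: Iterable[str]) -> Dict[str, str]:
    """Map each cookie name to its outcome so a site owner can spot what breaks."""
    return {parse_set_cookie(h)[0]: chrome80_cross_site_outcome(h) for h in headers}


# Constructed sample headers, as a site might have set them before Chrome 80.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",      # relied on the old default
    "widget=xyz; SameSite=None",               # forgot Secure: now rejected
    "widget2=xyz; SameSite=None; Secure",      # correct for cross-site use
    "csrf=tok; SameSite=Strict; Secure",       # intentionally first-party only
]
```

Running audit(SAMPLE_HEADERS) shows only widget2 still usable cross-site; a cookie that genuinely needs cross-site use has to carry both SameSite=None and Secure.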

Philips Hue: Ensure your Hue Hub has been updated to firmware version 1935144040. This fixes a vulnerability that could allow an attacker to access the host WiFi network.

Cisco: Patches have been released for several remote code-execution and denial-of-service vulnerabilities affecting many of its routers, switches and IP-connected phones.

Android: The February 2020 set of security updates addresses 25 vulnerabilities, including two rated critical.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217