FFT news digest May 1 2020

Tracing risks

Academics in the UK have warned the NHS's planned contact tracing app risks creating a centralised store of sensitive data about its users. In an open letter, the 173 experts called for a public commitment "that there will not be a database or databases, regardless of what controls are put in place, that would allow de-anonymization of users of its system." The UK has promised that data privacy will be at the heart of its app, but so far no details have been published. Quite apart from privacy issues, there are questions about whether contact tracing apps will actually work. There are at least 30 separate initiatives underway to develop solutions, with scant evidence of cooperation between them. Apps will need to be downloaded by a significant majority of citizens to be effective. Huge numbers of contact tracers will be needed to support the technology. And doubts have been raised about the accuracy of the Bluetooth technology on which the apps will depend.

Scumwatch

The first quarter of the year is normally a quieter period for online fraud, as attackers take a break to spend the ill-gotten fruits of their holiday season labours. Needless to say, this year is different. Arkose Labs says there was a 20% jump in attempted fraud and abuse, in what it describes as "the highest attack rate ever seen." This is unfortunate, as research by IBM found a "lack of skepticism, and willingness of consumers and small-business owners to engage with emails." Among this week's examples:
Deliveries: Fake FedEx and UPS delivery emails, usually with a call to action, e.g. updating shipping/delivery details. BleepingComputer
Dating: US universities targeted by email attack using adult dating as a lure. Proofpoint
Porn: Fake FBI warning targets Android users, encrypts files and demands payment to unlock them. Check Point
Morrisons: Fake voucher promises £50 off shopping in return for filling in personal details and sharing a link with friends. MetaCompliance
NHS: Copy of NHS website lures visitors into downloading malicious software which harvests credentials and financial information. Kaspersky

Risky

The COVID-19 pandemic has placed obvious strains on organisations, and there are signs that speed has been prioritised at the expense of security. Research by ISC(2) found 47% of respondents had been taken off some or all of their typical security duties to assist with other IT-related tasks, such as supporting mobile working. And 23% said their organisation had experienced more cybersecurity incidents since the move to remote work, with some reporting the number doubling. One respondent commented, “Security at this point is a best effort scenario. Speed has become the primary decision-making factor. This has led to more than a few conversations about how doing it insecurely will result in a worse situation than not doing it at all.” One area under sustained attack is Microsoft's remote desktop protocol (RDP). Kaspersky says attackers are systematically trying common or weak username and password combinations or random characters, until they find one that works. We understand completely the pressures created by the global pandemic, but we would urge organisations to keep security in mind. The alternative really is to risk making things worse.
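As an added illustration of the defender's side of the RDP password-guessing described above (this is not code from the digest or from Kaspersky), a Python check that counts failed RDP logons per source address inside a short window, run over constructed, simplified Windows Security event 4625 lines; the line format, the five-failures-in-five-minutes threshold and the sample addresses are assumptions.

```python
"""Flag sources hammering RDP with failed logons (password-guessing pattern).

Added example: works on a constructed, simplified text rendering of Windows
Security event 4625 (logon failure). LogonType 10 is RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real telemetry. Format assumed for this example:
# "<ISO time> 4625 LogonType=<n> User=<name> Src=<ip>"
SAMPLE_LOG = """\
2020-04-28T09:00:01 4625 LogonType=10 User=administrator Src=203.0.113.7
2020-04-28T09:00:03 4625 LogonType=10 User=admin Src=203.0.113.7
2020-04-28T09:00:04 4625 LogonType=10 User=Administrator Src=203.0.113.7
2020-04-28T09:00:06 4625 LogonType=10 User=test Src=203.0.113.7
2020-04-28T09:00:09 4625 LogonType=10 User=user Src=203.0.113.7
2020-04-28T09:00:40 4625 LogonType=10 User=jsmith Src=198.51.100.2
2020-04-28T09:20:12 4625 LogonType=10 User=jsmith Src=198.51.100.2
2020-04-28T09:01:00 4625 LogonType=2 User=svc_backup Src=-
"""

def parse(line):
    """Split one constructed log line into (timestamp, event id, fields)."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), int(event), kv

def rdp_bruteforce_sources(log, threshold=5, window=timedelta(minutes=5)):
    """Return {src: {...}} for sources with >= threshold failed RDP logons
    inside any `window`; distinct usernames tried is reported as a second signal."""
    events = defaultdict(list)
    for line in log.splitlines():
        ts, event, kv = parse(line)
        if event != 4625 or kv.get("LogonType") != "10":
            continue                      # keep only RDP (RemoteInteractive) failures
        events[kv["Src"]].append((ts, kv["User"].lower()))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:   # slide window start forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {"failures": end - start + 1,
                                "distinct_users": len({u for _, u in hits[start:end + 1]})}
                break
    return flagged

if __name__ == "__main__":
    print(rdp_bruteforce_sources(SAMPLE_LOG))
```

The legitimate user who mistypes a password twice twenty minutes apart is not flagged; the source cycling through common account names in seconds is.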

Biometrics and data privacy

The Dutch data protection regulator has announced its highest fine of €725,000 against a company that used its employees' fingerprints to monitor their attendance and timekeeping. "This category of personal data has additional legal protection. If these data get into the wrong hands, it could potentially lead to irreparable damage. Such as blackmail or identity fraud. A fingerprint cannot be replaced, as a password can. If things go wrong, the impact can be huge and have a lifelong negative effect on someone," the regulator said. Dutch law does allow the use of biometric data, but the requirements are hard to satisfy and the regulator said in this case they had not been met. This is far from the first fine to be announced for using biometric data improperly, and it underlines the need to be extremely careful when considering such solutions. Meanwhile, the maker of privacy-focussed browser, Brave, has accused 27 EU member states of failing to resource their regulators properly. "The GDPR is now in danger of failing," it said.

Piracy risks

Who's doing what on your network? The chances are that in most households someone is downloading pirated content, and that's increasingly risky at the moment. In the month to March 20, there was a 31% rise in visits to pirated movie websites by users in the US and UK, according to data provided to Motherboard. In the US alone, there were 137 million page views to more than 19,000 websites offering streaming and BitTorrent access to pirated films, and more than 601 million page views of sites offering access to pirated TV content. Unsurprisingly, Microsoft says attackers are paying attention to this increase and trying to exploit it to infect systems with malicious software. In one example, a Visual Basic script was inserted into ZIP files pretending to be popular Hollywood movies including John Wick: Chapter 3 and Contagion. This type of attack isn't new, but it does appear to be on the increase -- so it's really worth discussing the risk of illegal downloads with the people who share your network.

No trousers

A cautionary tale from the Financial Times, which has suspended a journalist, Di Stefano, who is accused of eavesdropping on other newspapers' Zoom meetings. Such tactics may be illegal (though not unusual), but Di Stefano's approach appears to have been far from subtle. Some journalists said his name appeared briefly during the meeting before disappearing. Minutes later an anonymous account joined and stayed until the end. Di Stefano then published details of cuts that were being discussed on the call. Our advice remains that Zoom is reasonably safe providing basic precautions are taken, but it isn't suitable for sensitive discussions. Meanwhile, WhatsApp and Google have upped their video game. WhatsApp now supports video calls for up to 8 people. And Google is making its video meeting solution available for free to everyone. Whatever you use, it's worth watching the ABC morning show reporter who went on air from home without bothering to put on his trousers...and without realising his bottom half was in shot. "Hilariously mortifying," he said.

In brief

Le Figaro joins the list of organisations to have spilled user data by failing to secure an online database. In this case, the data amounted to 7.4 billion records including passwords in plain text. Security Detectives

Apple is updating its iPhone software to make it easier to skip FaceID authentication for users who are wearing a mask. The beta version allows a passcode to be entered instead. Users have asked Apple to bring back fingerprint recognition for all models. CNBC

Hungary's competition regulator has fined Booking.com £6.1 million for unfair business practices. Booking.com denied using misleading advertisements and exerting psychological pressure on consumers. Reuters

Serious security flaws have been demonstrated in 28 well-known antivirus programs, including Microsoft Defender, McAfee Endpoint Security and Malwarebytes. Most have been updated to fix the issues. Rack911

The US Cybersecurity and Infrastructure Security Agency has published advice for organisations that have deployed Office 365 to support remote working. "Hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy," it warned. CISA

The interweb never forgets, as the new spokesman for the US Department of Health and Human Services has demonstrated. He deleted a series of racist tweets only to have them promptly resurrected by CNN. CNN

Updates

Sophos: Emergency update for XG enterprise firewall product because of vulnerability that was being actively exploited.

Teams: Latest version fixes an issue that meant an account could be taken over remotely by use of a malicious GIF (image) file.

Cisco: Fix for high-severity vulnerability in IOS XE software, which is used in software-defined wide area network (SD-WAN) routers.

Ubuntu: New LTS (Long Term Support) version 20.04 with security and privacy updates.

Adobe: Updates for Illustrator and Bridge to resolve "critical vulnerabilities that could lead to arbitrary code execution".

Magento: Adobe also released urgent updates for Magento Commerce and Open Source editions to address multiple vulnerabilities rated 'critical'.

Juniper: Update for Junos OS versions 20.1 and earlier which have a vulnerability in the HTTP/HTTPS service they use.

WordPress: Updates for WordPress 5.4 and prior versions which are affected by multiple vulnerabilities that could be exploited to take control of an affected website.

SaltStack: Update to address two critical issues in Salt configuration tool which could be exploited to gain complete control over an installation. 

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217