FFT news digest June 12 2020

Hackers for hire

A vast hacking operation targeted thousands of email accounts belonging to journalists, advocacy groups, government officials, and financial institutions, according to new research. Citizen Lab and NortonLifeLock collaborated on the investigation which identified an Indian-based company as the culprit. “This is one of the largest spy-for-hire operations ever exposed. Cyber mercenary services are widely used. Our investigation found that no sector is immune," Citizen Lab told Reuters. The attacks varied in quality (possibly according to the price paid) and made use of shortened web addresses to trick targets into entering their credentials on fake login pages. Other messages imitated colleagues and relatives. As well as financial services companies, Citizen Lab discovered a large cluster of targeted individuals and organisations engaged in environmental issues in the US. The investigation provides excellent insights into the tactics used by hackers for hire. More details are to be released in coming weeks and we'll cover them as they appear.

Tracking

Unsurprisingly, more than a month after a trial began on the Isle of Wight, there's still no sign of the UK's contact tracing app being rolled out more widely. “The app is progressing and we will launch it when the time is right. I am not going to put a date on it,” Health Secretary, Matt Hancock said on Wednesday. A revised pilot version is expected to be released next week, the Financial Times reports. Elsewhere in the world, Singapore is due to roll out a wearable tracking device later this month after it ran into technical issues with its own contact tracing app. Singapore has been at pains to allay privacy concerns, saying the wearable device will have no connectivity and data will only be extracted when it's handed to officials. The scheme will be voluntary, though Singapore has not ruled out making it compulsory. In South Korea, "high-risk" locations will be required to install bar code readers which will scan people's phones as they go in. Fitness centres, clubs, and karaoke bars will be subject to the requirement, the Korea Centers for Disease Prevention and Control (KCDC) said.

Scumwatch

Difficulties with developing real contact tracing apps haven't stopped scammers from releasing a raft of fake versions. At least a dozen bogus apps have been deployed globally in a bid "to install malware" on devices and "steal banking credentials and personal data," Anomali said. Other scams this week:
Small Business Grants Fund: Microsoft Office 365 accounts are targeted with emails designed to look like legitimate relief payment messages from the UK government. Abnormal Security
Self-employed Income Support Scheme: Text message informs targets that they're eligible for a tax refund and redirects them to a bogus website. Griffin Law
Voicemail: Fake notifications attempt to steal login credentials. Ironscales
Mobile phishing: Increased by 37% in Q1 2020 compared to the previous quarter. Much of the rise is blamed on criminals targeting remote workers. Lookout
Banking apps: FBI warns criminals are taking advantage of a surge in the use of mobile apps, as customers stay away from physical banks. Do take care when installing apps. IC3

Email

Email was never designed to be secure - which is why we're forced to jump through so many hoops to add security to it - so it's hardly surprising many organisations don't bother or don't get it right. That's unfortunate because email continues to be the most popular method of attacking us, according to a new report from Mimecast. Among the findings: 58% saw phishing attacks increase last year, and 60% of respondents' organisations were hit by an attack that spread from a single employee. One solution is technical, and a group of industry experts has called for further steps to be taken to “authenticate and secure sending domains and email addresses by deploying email authentication at scale." The other part of the solution is training, but as Unilever's Chief Information Security Officer told Bank Info Security, it's essential this is tailored to specific groups; one size really doesn't fit all.

What's your PIN?

New research suggests that despite smartphones being a portal into our lives, we're pretty dreadful at securing them. Among the findings in This PIN Can Be Easily Guessed is the depressing conclusion that there's little security benefit in using PIN codes with six digits rather than four. The explanation for this counterintuitive finding apparently lies in our tendency to use more easily guessed combinations when required to come up with a longer passcode. (Or, as in some cases we've seen, magically turn four into six by adding 00.) The researchers also dismissed the value of the current lists of passcodes that are banned because they're too easy to guess. "Security gains are only observed when the blacklists are much larger, which in turn comes at the cost of increased user frustration," the paper says. To state the obvious, we're quite exercised about smartphone security. Do take a moment to consider using a phrase rather than six digits. Opening your device might take a little longer, but it's a little pain for a big security gain.

Huawei/Juniper

As the UK ponders its Huawei conundrum, it's worth recalling previous security issues discovered with devices not made in China. This week, members of the US House and Senate asked Juniper Networks to explain how an apparent backdoor had ended up in its firewall products. In an open letter, they pointed out that Juniper promised an investigation after the issue emerged in 2015, but four years later nothing has been published. Analysis of the backdoor suggested it could be used to decipher encrypted data exchanged between Juniper-manufactured equipment. "The American people - and the companies and US government agencies that trusted Juniper's products with their sensitive data - still have no information about why Juniper quietly added an NSA-designed, likely-backdoored encryption algorithm, or how, years later, the keys to that probable backdoor were changed by an unknown entity, likely to the detriment of US national security," the letter says.

In brief

Privacy-centric browser, Brave, has apologised after being caught autocompleting web addresses to versions that earned it money. Brave said it made a mistake. Researchers beg to differ. Alternatives worth looking at include DuckDuckGo and Epic. Decrypt

Major US internet provider, Cox, is slowing connection speeds in entire neighbourhoods to stop what it regards as "excessive usage" by some users. It's also telling users that the cost of an unlimited data plan will soon go up. To $175 a month. Ars Technica

Microsoft's decision to dispense with human journalists has not been going well. First, the artificial intelligence replacement confused different mixed-race members of Little Mix (in a story about racism). The Guardian covered the story which the AI promptly picked up and regurgitated, before humans intervened to remove it. The Guardian

PegLeg is a wireless router and hard drive designed to be implanted in your leg. About the size of a packet of chewing gum, it's not connected to the internet, but instead enables a closed network to be set up to exchange files or stream content. “The internet is easy to shut down, easy to surveil, and easy to manipulate because of its centralized infrastructure,” a bio-hacker said. With our device, "it becomes free again." Wired

Lenovo and Microsoft say there are a number of problems caused by the Windows 10 May 2020 Update. Trackpad, display and function keys are among the affected features. Lenovo

Some iPhone models are displaying a green tint when they're unlocked. iPhone 11, 11 Pro and 11 Pro Max models are worst affected. Apple has yet to comment. MacRumors

One of the problems with technology is that technologists aren't very good at planning for the future (viz. Y2K, email security, etc.). Now, there's another problem on the horizon. Security certificates are essential for internet-connected devices. Unfortunately, they're expiring, and many of those devices are so out of date that the new certificates won't work on them. More proof that smart devices are not quite as smart as they're made out to be. Scott Helme

Bot or not? Online app challenges you to guess whether you're talking to a human or a bot. We thought it was easy. Others are not so sure. (If you try it out, don't enter any personal info!) Forbes

Updates

Microsoft: A record-breaking set of security updates, with fixes for 129 vulnerabilities, 11 rated 'Critical'. Talos has details of two issues in Excel that were addressed this week.

Teams: New version now supports custom backgrounds (to match Zoom's capabilities).

Adobe: Updates for Windows, macOS, Linux, and ChromeOS versions of Flash Player. Also for Experience Manager and Framemaker.

SAP: 17 security notes, including fixes for Apache Tomcat, SAP Commerce, SAP SuccessFactors and NetWeaver.

VMware: Update for VMware Horizon Client for Windows.

QNAP: ZDNet reports ongoing ransomware campaign against Network Attached Storage devices. Attackers use exploits to target vulnerabilities in old unpatched QNAP devices, and brute-force attacks to guess weak and common admin passwords.

Firefox: Reminder to ensure browser is up to date, as Talos publishes details of serious vulnerability addressed last week.

WordPress: WordPress 5.4.2 addresses multiple issues that could be exploited to take control of an affected website.
