FFT news digest August 7 2020

Zoomed

You might have thought that by now Zoom users would have learned security settings are there for a reason. Clearly not in the case of the judge in charge of the hearing for the teenager alleged to have masterminded Twitter's recent security breach. Like many others, when we saw the hearing was being streamed over Zoom and anyone could take part we thought it wouldn't take long for it to be 'bombed'. Sure enough, it was less than a minute before interruptions began - and not much longer before someone started streaming some highly explicit pornography. Zoom does provide ways to stop this sort of nonsense. Key controls include not sharing meeting IDs unless they're password-protected, limiting screen sharing, using the waiting room to screen participants, and locking the meeting to prevent unauthorised people joining once it's underway.

Twitter lessons

On the subject of Twitter, this week delivered some fascinating details about the teenagers allegedly behind last month's security failure. Their story makes for a great illustration of how thin the dividing line is between so-called "script kiddies" and large-scale crime. The New York Times tracks ($) the troubled history of the 17-year-old from Florida who prosecutors say masterminded the attack. He started to play Minecraft when he was ten, but by 15 he had joined an online hackers’ forum and a year later he was believed to be involved in the theft of $856,000 of cryptocurrency, though no charges were brought. As the Times says, the case raises "questions about how someone so young could penetrate the defenses of what was supposedly one of Silicon Valley’s most sophisticated technology companies." Our view is that the story simply demonstrates that any chink in an organisation's defences will be exploited...and those responsible may not even be old enough to vote.

Threats

Teams: Despite a previous fix, researchers warn Teams' update function can still be exploited to install malicious software. Trustwave has several recommendations for administrators.

macOS: New research shows how a series of issues can be exploited to attack Mac users through a malicious Microsoft Office file. The mechanism exploits macros, an issue that has long affected Windows users. The vulnerability was fixed in macOS 10.15.3. Patrick Wardle

WebRTC: Web Real-Time Communication is a fundamental building block of online video and audio, but it's also a risk. Researcher Chris Vickery warns that it can be exploited and therefore "any device with a microphone and a modern web browser should be considered a potential live audio broadcast stream". Short of disabling it, there is little ordinary users can do other than be aware of the risk.

Windows 7: The FBI has warned companies about the risk of continuing to use Windows 7, which reached its official end-of-life earlier in the year. ZDNet

TikTok: Android users in India are being targeted by a malicious app disguised as TikTok Pro. Once installed, the app texts all contacts on the device with a link to the malicious app. Moneycontrol

Council Tax: Fake but credible email promises a £385.50 Council Tax reduction in a bid to thieve credit card details. KnowBe4

Extensions: More than 80 million Chrome users have installed one of 295 malicious Chrome extensions that hijack Google and Bing search results to insert ads. They include fake ad blockers, weather forecast widgets and screenshot capture utilities. AdGuard 

Sizing the threat

“Cybercriminals are developing and boosting their attacks at an alarming pace, exploiting the fear and uncertainty caused by the unstable social and economic situation created by COVID-19,” according to a warning from INTERPOL. Its report says attackers are seeking to exploit the rise in remote working "to steal data, generate profits and cause disruption". The most common attacks are phishing scams which aim to steal financial and other information, but INTERPOL also warns of booby-trapped USB devices which are being sent through the post. It also says a further increase in cybercrime is highly likely in the near future with more advanced and sophisticated modi operandi being developed. Organisations should be on their guard for a surge in Business Email Compromise schemes driven by "the economic downturn and shift in the business landscape".

US/China

The US has launched a new "Clean Network" initiative targeting Chinese technology, which seems guaranteed to further increase tension between the two countries. The announcement builds on steps announced in April which focussed on 5G. Now, new provisions will prevent Chinese phone manufacturers pre-installing US apps and remove "untrusted" Chinese apps from US stores. The initiative will also target cloud services from companies such as Alibaba, Baidu, and Tencent, and will aim to protect submarine communications infrastructure. The US announcement follows President Trump's executive order banning TikTok in the US (unless it's bought by a US company and the US Treasury receives a kickback). Secretary of State Mike Pompeo says apps like TikTok and WeChat pose "significant threats to the personal data of American citizens". As many have been quick to point out, it's been amply demonstrated that the same could be said of Facebook and its cavalier approach to personal information.

Amazon life stories

While the Trump administration does its best to work up a lather over China, spare a moment to consider the information many of us volunteer to share online. Wired has a salutary reminder of the "window into our soul" created by the reviews left on Amazon, TripAdvisor and the like. The most extreme illustration is Amazon, simply because of the range of things it sells. “Well my teenage son hasn't knocked his GF up yet, so they must be OK,” wrote one reviewer from Essex after she purchased a 40 pack of Durex Surprise Me Variety Condoms. As Wired explains, "her Amazon profile also includes similarly tongue-in-cheek reviews for an egg timer (“got this to see if the hubby could last longer in bed”), stool softener capsules (“with all my botty problems this has been a game changer”) and various, sincere reviews for creams and lotions to help with hair thinning caused by taking cancer medication." Obviously, such information can be enormously helpful to attackers. It's really worth discussing what's appropriate to share online.

In brief

Advice from the US National Security Agency on how to limit the location data created by smartphones and other devices. Among the recommendations: audit app permissions and use a VPN. As we explain in our training courses, protecting location data completely is challenging.

Despite the well-documented risks of using private email for official business, politicians seem to be unable to give up the habit. Latest example is former UK Trade Minister, Liam Fox, whose account appears to have been compromised by Russian attackers. Reuters

Some suggestions from two security experts who ended up with criminal records after a penetration test went pear-shaped. Pin down the scope and record every discussion. Just in case... The Register

Problems for Japanese technology giant Canon. Its cloud storage service has lost files and it's reported to have been hit by ransomware. Bleeping Computer

A warning about the prevalence of quiz scams that impersonate legitimate brands and offer a fake prize in exchange for answering simple questions and handing over personal information. Akamai says the data gathered is relatively harmless but can be used in targeted attacks.

A tool designed to confuse facial recognition systems has been downloaded more than 50,000 times since being released in July. Fawkes alters photos by changing pixels. A version for non-techies is promised soon. New York Times ($)

Updates

Twitter: Android users should make sure they update to the latest version because of a serious security vulnerability that could allow unauthorised access to private information, including direct messages.

Windows 10: Optional update for version 2004 addresses several issues, including driver problems and Excel functionality.

Cisco: Another rash of security updates for multiple products including routers, switches and AnyConnect VPN for Windows.

Linux: Fixes for the 'BootHole' vulnerability have been causing problems, but users are still advised to take the update because of the risk the issue will be exploited.

Android: August security updates include fix for issue that could allow software code to be run remotely. Actual release date depends on manufacturers/network operators.

Google: Long-awaited AirDrop-like sharing solution released for Android/Chrome devices. Nearby Share is available initially for Pixel and Samsung phones.

LastPass: New security dashboard and dark web monitoring available for paying customers. Will provide alerts if passwords compromised in data breaches.

TeamViewer: Users advised to ensure they are running version 15.8.3 because of vulnerability affecting earlier releases.

LibreOffice: Version 7.0 is a major update which offers better compatibility with Microsoft Office file formats.
