FFT news digest September 25 2020

App out

After months of delays, the UK government has released a test and trace app for England and Wales - and privacy campaigners are not impressed. The Open Rights Group and Big Brother Watch called on the government to clarify how it will protect data collected via the NHSX app - and what privacy assessments have taken place. They're unlikely to be reassured by the UK Information Commissioner who says she's "pleased the app...is supported by the necessary consideration of people’s data protection rights". She has also praised the Department of Health and Social Care for engaging with the regulator - though that's not quite the same as a formal Data Protection Impact Assessment which is required when "there is processing of sensitive data on a large scale." The app does have useful features - and it's probably more secure than writing down personal information on a piece of paper by the door of a pub. The Next Web has a balanced report.

Threats

Supply chain: Don't ignore your supply chain. That's the warning from former GCHQ director, Robert Hannigan. Small businesses are particularly at risk. ZDNet

Strava: A specific setting needs to be disabled unless you want the app to show your info to nearby users. Andrew Seward

TikTok: Rogue TikTok accounts are promoting scam iOS and Android apps posing as “Shock Roulette” and “Wallpaper”. Designed to earn money from 'adware', the apps have been downloaded more than 2.4 million times. Avast

Android: Another reason to be really careful when installing apps. Researchers have identified malicious software that can steal passwords from 226 Android apps. "Alien" is remarkably powerful and a reminder to be alert to apps that ask for administrator rights or access to the Accessibility service. Threat Fabric

RFQ scam: Attackers tried to scam computer equipment suppliers with a targeted email that impersonated the Commissioner of the Texas Department of State Health Services. It's a common and highly effective tactic. Abnormal Security

Flight Simulator: A malicious app is impersonating Microsoft Flight Simulator 2020. It's distributed via YouTube and hosted on a domain that mimics the game’s name. ESET

Activision: The maker of Call of Duty has denied reports of a data breach, but it's a good reminder to players to make sure they're using a unique password on their accounts. Games makers are a popular target for attackers at the moment. TechRadar

Insiders

A rash of stories underlines the risk to organisations from insiders and contractors. First, the US Department of Justice has indicted six people for allegedly offering more than $100,000 to Amazon insiders in return for securing an "unfair competitive advantage" on Amazon Marketplace. Second, four former eBay employees are scheduled to plead guilty to harassing a couple who had been critical of the platform. An FBI affidavit (courtesy of The Register) contains eye-watering details including a suggestion that "scary masks, live insects, or embarrassing items, such as pornography and strippers, be sent to the Victims (and in some cases to their neighbors in the Victims’ names)". And third, in August, US grocery delivery service, Instacart, disclosed a security incident in which employees of a tech support company accessed "more shopper profiles than was necessary in their roles". Taken together, they're salutary reminders that threats can originate inside organisations as well as outside them.

Data sprawl

Some more issues about remote working to mull over, including unpaid technical support from teenagers and the risk of 'data sprawl'. A US company has calculated that the average teen provides about £4,200 worth of IT-related work for their parents over the course of a year. That includes security work, data entry, and Excel and Word support. Meanwhile, a survey found increasing concern about the extent to which employees have saved their company's data in unprotected devices or sent sensitive information through insecure services. Taking work home is a well-known security issue, as Boeing found out in 2017 when an employee sent his wife a spreadsheet so she could help fix a formatting problem. Unfortunately, it contained sensitive information about 36,000 of his colleagues. 

Iranian skills

A highly advanced Iranian hacking group developed tools designed to steal two-factor authentication codes and break into the Windows version of the Telegram messaging platform. Check Point says the group has been active for at least six years during which it has targeted Iranian minorities and opposition groups. The Windows tools were designed to steal documents (including files shared using the Telegram desktop client), but they also targeted the KeePass password manager. One of the most alarming capabilities was to intercept two-factor authentication codes sent as SMS messages. In particular, it looked for any texts containing "G-" which Google uses for two-factor authentication. The US Cybersecurity agency has details as well as recommendations to mitigate such threats. In addition, we suggest bearing in mind that the desktop versions of messaging platforms like Telegram, WhatsApp and Signal are far less secure than the smartphone versions.

Ransomware

A ransomware gang that promised not to target healthcare facilities has been accused of responsibility for an attack that led to the death of a patient. Prosecutors said the hospital in Duesseldorf was unable to treat a woman who died as she was being transported to another facility with working systems. The attack, which is being linked to a group in Russia, comes as Europol warns ransomware attackers are becoming more aggressive. More positively, the head of the European Cybercrime Centre also emphasised what organisations can do to protect themselves. "The main advice is keep backups of your data and keep them offline. Also it's essential that all the operating systems and anti-virus are properly updated; implement any available patch as soon as possible in order to mitigate any vulnerabilities," he told ZDNet. 

In brief

We've said it before, but it's worth repeating: don't post pictures of your boarding pass on social media. The latest person to find out why is former Australian Prime Minister, Tony Abbott, whose passport details and phone number were obtained by using the reference number on the card. mango.pdf

The Global Cyber Alliance has released an updated version of its Cybersecurity Toolkit for Small Business which offers free tools to help protect against the most common cyber threats. GCA

Want to see what your favourite websites are doing under the hood? Just type an address into Blacklight and it will tell you which trackers it uses, what they do, and who else is getting your data. Recode

As a member of a notorious hacking group was given a 5-year jail sentence, the FBI announced another success in operations against Dark Web criminals. Operation DisrupTor resulted in the seizure of $6.5 million in cash and cryptocurrency, 500 kilogrammes of illegal drugs and 63 guns.

Microsoft is reported to be planning to issue a non-subscription version of Microsoft Office. The news emerged in a blog post outlining a range of future plans and was spotted by Windows Central.

It looks like a pair of typical wireless earbuds. It's actually a device to enable employers to monitor their employees' brainwaves for signs of stress, focus, and attention... Motherboard

Updates

Netlogon: After repeated warnings, a critical vulnerability in Microsoft's authentication protocol is now being actively exploited. If unpatched, the issue could enable an attacker to compromise all Active Directory identity services. Samba and 0patch have also released fixes.

Windows 10: Microsoft's latest update is reported to be causing problems, with some users saying it won't install and Lenovo owners complaining it's crashing their devices. There's a sort of workaround for the former issue, and a fix for the latter.

iOS 14: We frequently criticise Apple, so it's only fair to offer some praise for a relatively smooth roll-out of the latest iPhone operating system. A week after its release, the only significant issues are some problems with widgets and changing default browser and mail apps, for which an update has already been released. If you install it, you should expect heavy battery drain for the first few days after installation.

Apple: Updates for Catalina, Final Cut Pro X, iMovie, Motion, and Compressor, with bug fixes to address issues with the last major update.

Firefox: Firefox 81 includes new features and six security fixes. Mozilla has also released a new version of its Android browser that fixes a bug that could be used to hijack all Firefox for Android browsers on the same WiFi network.

Cisco: Slew of updates for IOS operating system, 29 rated high severity.

Tor: Tor Browser 10.0 has been released to align with the latest Firefox enterprise version.

Tails: Version 4.11 addresses "many security vulnerabilities".

Zimbra: Zimbra 9.0.0 “Kepler” Patch 7 and 8.8.15 “James Prescott Joule” Patch 14.
