FFT news digest October 9 2020

Europol

"The COVID-19 crisis [has] illustrated how criminals actively take advantage of society at its most vulnerable. Criminals tweaked existing forms of cybercrime to fit the pandemic narrative, abused the uncertainty of the situation and the public’s need for reliable information." That's Europol's take in its latest Internet Organised Crime Threat Assessment. Despite multiple successes in closing down dark web marketplaces, they remain a "growing threat," the report says. It also points to an increase in 'SIM swapping' and warns of the potentially devastating consequences for victims. Rather than new threats, Europol says the past year has seen existing methods being refined. Criminals, it adds, remain successful because of "inadequate cyber hygiene" and a lack of knowledge and awareness among victims.

Threats

Sophisticated: News of two exotic but worrying issues in the most fundamental components of computing devices. First, Kaspersky says it identified a 'UEFI rootkit' used by Chinese-speaking hackers for data theft and espionage. Second, researchers found a way to compromise Apple's T2 security chip which is supposed to protect Touch ID and encrypted storage. The chances of these issues being used against you are small, and they require physical access to a computer (which is another reason not to leave devices unattended).

Amazon Prime Day: It's that time of year when Amazon tries to pull in even more customers, and criminals try to take advantage of it. More than ever, if an offer looks too good to be true then it is. Bolster Research

Trump: A rash of phishing emails seeks to leverage interest in the health of the US president. Bleeping Computer

Students: The UK tax authority has written to universities urging them to warn students about a new wave of tax scams. HMRC

HTML: A warning to watch out for malicious websites that are delivered in an attachment to emails. Sophos explains.

Cyber mercenaries

New research sheds light on the growth of 'hackers-for-hire' and the "true reach and sophistication of one group". Blackberry's report links the 'BAHAMUT' group to "a staggering number of ongoing attacks" against targets including government officials, industry leaders, activists and journalists. The report highlights the targeting of mobile devices and the use of malicious apps which have been successfully placed in both Apple and Google stores. The group is also unusual in the lengths it has been willing to go to in creating bespoke websites and personas. This has included taking over an information security website that it used to push out content designed "to distort the reader's perception of reality". As Blackberry says, "Operational security will become increasingly important as more and more intelligence functions are outsourced by governments, corporations, and private individuals to groups like BAHAMUT". 

Remote advice

The UK National Cyber Security Centre has issued new advice aimed at small and medium-sized businesses wrestling with the challenges of ensuring the security of people working at home. The five steps include backing up data, avoiding malicious software, and device and password security. It's a useful resource for organisations that lack a dedicated security team. Meanwhile, the FBI has warned about the risks of hotel WiFi networks. Its alert is aimed mainly at people using hotel rooms as offices - but it also applies to any public WiFi network. “Hotel networks are often built favoring guest convenience over robust security practices,” the FBI says. “Smaller hotels will often post placards at the service desk stating the password for WiFi access, and change this password very infrequently.” The FBI suggests using mobile data wherever possible and, if WiFi is unavoidable, always to protect the connection with a VPN.

Chastity forever

The CellMate chastity cage is designed to lock up a user's genitals, with the idea that control of the device is handed to someone else. The only problem is that it turned out to be so insecure that it could be locked remotely and permanently...by anyone. Pen Test Partners have made something of a speciality in demonstrating the lamentable security afflicting many internet-connected products, but their latest research hits a new high. The Chinese manufacturer responded to the findings by apologising for the security flaw, fixing some of the issues and saying that, in extremis, the device could actually be opened with a screwdriver. A poorly designed chastity belt may be only a minority interest, but the security issues it highlights are widespread and increasingly being targeted by attackers. Our view is that the number of internet-connected devices should be kept to a minimum. When they're really essential, then be sure they're as secure as possible.

Data Protection

The European Union's top court has ruled that member states can't use their own legislation to carry out indiscriminate surveillance of phone and internet data. The decision is the result of four cases in France, Belgium and Britain. As well as limiting the powers of intelligence agencies in EU member states, it also creates further complexities for the transfer of personal data from the EU to the UK when the Brexit transition period expires at the end of the year. In its ruling, the Court of Justice of the European Union established that the bulk collection and retention of citizens' data from internet and phone operators was contrary to the EU's charter of fundamental rights. This will not be a simple tangle to unpick.

In brief

Our training includes warnings about the risks of porn websites, and new research underlines why. Analysis of 22,484 websites indicated ($) that 93% of them leak data about visitors to a third party.

If you want an illustration of how messed up social media is, look no further than the abysmal security around many dating apps. Latest to join the hall of infamy is Grindr. A researcher details how an account can be taken over in a few simplistic steps. You have to read it to believe it. Troy Hunt

Also hard to believe is the calamitous failure to process UK coronavirus testing data. It's bad enough that Excel is still an integral part of the test and trace programme (seven months into the pandemic), but to use a woefully out of date version is extraordinary. It's a horrible reminder to use the right tool for the job. The Register

Facebook has got itself well and truly worked up over Netflix's The Social Dilemma (which we highly recommend watching if you haven't already). It issued an exhaustive statement complaining about distortion and lack of nuance, and complained it had been made a scapegoat for "difficult and complex societal problems". Forbes

Secure destruction of data and devices is essential, so it's worrying that Apple is suing a company for allegedly trying to sell more than 100,000 iPhones, iPads and Apple Watches that it was supposed to have destroyed. What is your supplier up to? The Logic

Privacy activists have warned of what they see as signs that the EU is moving towards undermining end-to-end encryption. There are several far-reaching implications, including the bizarre notion that the EU would declare which communication solutions are lawful. Politico

Updates

Zerologon: There have been repeated warnings about the extent to which this issue is being exploited, but many devices remain vulnerable. If successful, an attack can result in administrator access to Active Directory domain controllers. In its latest advice, Microsoft warns that fake software updates are being used by attackers.

Google: Security (and cosmetic) enhancements across several Google products. To make security alerts more visible, they will begin popping up in the app being used rather than being sent by email. The latest version of Chrome (86) includes protection against insecure downloads and form submissions, and increased password protection. (We continue to recommend a standalone password manager.) On the cosmetic front, Google has rebranded its office apps as Google Workspace and made changes to their well-known icons, in a move that has not met with universal approval.

AWS: Amazon has also upped security provisions around its S3 Simple Storage Service.

Firefox: Support document advises what to do if you're one of many for whom Twitter won't load in Firefox. Type about:serviceworkers in the address bar. Find Twitter in the resulting list and click Unregister.

Cisco: Security updates for high-severity issues affecting Webex Teams for Windows, Identity Services Engine, and 8000 Series IP cameras.

Microsoft 365: From November 10, Office apps will stop being supported on macOS 10.13 High Sierra. That means they won't get security updates. That means it's time to upgrade.

SecureDrop: Version 1.6.0 includes bug fixes and usability improvements.
