FFT news digest October 31 2020

Spy business

More evidence this week about the reality of cyber espionage, with separate reports on the tapping of a key communications cable (by the US) and efforts to persuade technology companies to build backdoors into their products (by the US). A leading Danish newspaper details a long-running programme to monitor a cable running underneath Copenhagen which carries emails and text messages from and to countries such as China and Russia. Based on the account of a whistleblower, the paper says the programme was authorised only after a personal appeal from then President Clinton to the Danish Prime Minister. (Yes – it’s been going on that long.) Meanwhile, Reuters reports on the unintended consequences of providing the US National Security Agency with a secret, backdoor way to access equipment from Juniper Networks. According to a statement seen by Reuters, Juniper told members of Congress that the mechanism had been hijacked… by an unnamed foreign government. As we said last week, there's an arms race in cyberspace and there's far too little awareness of the possible consequences.

Threats

Scams up: More figures underlining the extraordinary rise in scams, this time showing a 519% year-on-year increase in such incidents. Top threats: 'money flipping', which promises an unbelievable return on a small deposit (up 609%); and retail scams, often using social media to offer well-known brands at unlikely prices (up 1579%). ZeroFOX

Travel: As countries began loosening travel restrictions, criminals spied another pandemic-related opportunity. Do take care with unsolicited travel offers and information. cyberscoop

Nando's: In a reminder that every account should be protected, numerous Nando's customers say their usernames and passwords were stolen and the accounts used to place high-volume orders. Threatpost

Hovering: Phishing depends on spoofs and a crucial element involves fake web addresses. In the past, we were told to 'hover' over links (indeed some training continues to advise this). We think life is too short for hovering and, in any case, it's largely pointless, as KnowBe4 explains. Bottom line: if in doubt, don't click.

Trump website: Criminals or comedians briefly took over Donald Trump's campaign website. It's not clear how, but fingers are pointing at a failure to update the underlying content management system and/or a lack of multi-factor authentication. Meanwhile, the Wisconsin Republican Party lost $2.3 million as a result of criminals altering vendor invoices. ComputerWeekly Politico

Vish: Voice phishing is becoming increasingly common and one method used by criminals is to 'spoof' the genuine phone numbers of financial institutions, so that when we receive a fake call, the number looks real. Malwarebytes

Among Us: If you're not familiar with 'Among Us', it's probably because you don't have a young person in your house (or you're not young yourself). The extraordinarily popular game involves identifying an impostor before s/he manages to sabotage a spacecraft. Alas, impostors have been using the game to spam players with unwanted adverts. Reddit

Adware: No matter how hard Google tries, it can't keep malicious apps out of the Play Store. The latest example involves 21 apps that mimicked popular games but actually contained malicious software designed to flood the user's device with adverts. Avast

Conferences

A warning for anyone taking part in big international conferences: there's nothing criminals and spies love more than such gatherings (apart, of course, from a global pandemic). In the latest example, Microsoft reports on targeted efforts to harvest login credentials from more than 100 "high-profile individuals" in the run-up to the Munich Security Conference and the Think 20 Summit in Saudi Arabia. Microsoft blames the attacks on Iran and says they involved highly believable but fake invitations. Clicking on a link in the invitation would bring up a fake login page. Microsoft says several victims were compromised, "including former ambassadors and other senior policy experts." If you attend such meetings, don't be in any doubt: sooner or later, you will be attacked. Microsoft emphasises the importance of multi-factor authentication. In general, we should all be using this, but it's important to note that it's not guaranteed to stop a government-backed attack. The most important rule is never to enter sensitive information (such as login credentials) on a webpage unless you type in the address yourself.

Our data. Their profit... and loss

The UK data regulator has told Experian to change how it uses personal information after finding the credit reference agency was exploiting millions of people's data for marketing purposes. The Information Commissioner's Office said Experian was "trading, enriching and enhancing people’s personal data without their knowledge". Two other agencies, Equifax and TransUnion, were found to be doing the same thing, but agreed to change their behaviour. By contrast, Experian has refused, complaining it has done nothing wrong and arguing that much of the data had been bought by public bodies to "support the most vulnerable" during the pandemic. Meanwhile, the ICO has fined Marriott £18.4 million for the loss of 339 million people's personal information. That's £81 million less than the fine originally proposed by the ICO; a reduction due to a number of mitigating factors and the financial impact of the COVID-19 pandemic. The report is another case study in what not to do.

Wilful ignorance

As a company we're quite passionate about improving information security, so it's a bit of a downer to read a new survey suggesting many people don't pay a blind bit of notice to training. A (slightly) more positive way to view Mimecast's report is that it illustrates why 'one-size-fits-all' online training just doesn't work. After interviewing more than 1,000 people around the world, Mimecast found nearly all of them were aware of the possible repercussions of clicking on malicious phishing links, but 45% said they opened suspicious emails anyway. It's only human nature to assume "it won't happen to me"; effective security awareness is based on using stories to explain why that assumption is so mistaken.

Healthcare

Up to now, attacks on the healthcare sector have sought to extort money from providers. Now, criminals have turned their attention to patients. In a long-running security breach at a Finnish psychotherapy clinic, tens of thousands of records were stolen and the attackers initially demanded a €450,000 ransom. They then turned their attention to the patients, who received emails telling them to pay €200 within 24 hours or face an increased demand for €500. Otherwise, the email said their records, including customer details and notes from therapy sessions, would be published online. The clinic has sacked its director, which is likely to provide scant consolation to as many as 40,000 patients affected by the breach. Meanwhile, the FBI has warned of increased ransomware activity targeting the healthcare sector. Its advice has useful information for all of us.

In brief

Insider risk: Amazon is reported to have fired multiple employees for leaking customer email addresses. It's the second such incident in less than a year and it underlines our view that big tech companies can't guarantee the security of customers' information. Motherboard

Peeping Tom: A British man is trying to avoid extradition to the US on charges of using malicious software to access hundreds of webcams so he could watch women undressing and having sex. He's alleged to have tricked users into installing malicious camera management software. The Register

Sad, but True: Social networking app True says it will "protect your privacy." Alas, it inadvertently left one of its servers unsecured and connected to the internet, guaranteeing a complete lack of privacy. TechCrunch

Surveillance: Verkada is a surveillance startup which uses its own cameras in its Silicon Valley offices. The technology includes facial recognition and it was abused to photograph women and make sexually explicit jokes about them. Motherboard IPVM

WhatsApp/iPhone 12: A reminder that WhatsApp's end-to-end encryption doesn't apply to backups or desktop apps. Panda Security

Intelligent fabric: Microsoft has developed a way of recognising objects when they're placed on an interactive fabric. The examples are less than scintillating, but it's a distinct glimpse of our connected future. Microsoft

Kids: Many eyebrows flew up on reading a tweet from Surrey police who urged parents to seek advice if their children had a strong interest in coding. If so, "they may be involved in cybercrime," police warned... before issuing a grovelling apology. Spy Blog

Updates

Firefox: Mozilla has slowed down the rollout of Firefox 82 because of crashes and problems with printing.

Windows 10: Microsoft has released a Windows update that removes Adobe's Flash Player before it reaches end of support on December 31. Farewell to the "smallpox of cybersecurity", as one tweet put it.

Apple: So what's going on with the latest operating system for Macs? Apple had said macOS Big Sur (version 11) would roll out in the autumn but there's no sign of it. The most likely explanation is a delay so that its release coincides with new MacBooks, which are likely to appear this month.

Zoom: A security upgrade brings end-to-end encryption, but it won't be turned on by default and using it means giving up several other features.

Tinder: Video chat (aka Face to Face) is rolling out globally. What could possibly go wrong?

Oracle: Following last month's gargantuan set of updates, there are warnings that attackers are identifying vulnerable WebLogic installations.

Zimbra: 9.0.0 “Kepler” Patch 8 and 8.8.15 “James Prescott Joule” Patch 15.
