FFT news digest November 20 2020

Updates

If there's one thing we can all do to improve our security, it's to update the software and hardware we use every day...but we're still not doing it. Year after year, research shows that installations of many of the most popular applications are out-of-date. The latest study from Menlo Security shows 83% of its users have an old version of Google's Chrome browser. This is asking for trouble because, not only are browsers under constant attack, but Chrome has had to release a series of updates to deal with five previously unknown vulnerabilities ('zero-days' in the jargon). Indeed there's another update this week (see below). The number of out-of-date browsers is discouraging because updating is as simple as closing and restarting them. And yet most of us still don't do it. It's true some threats are so sophisticated that there are limited defences against them. But Google et al are absolutely focussed on protecting their browsers because they want us to keep using them. We should all be in the habit of checking they're up-to-date.

Threats

PS5: Sony's new console has landed, creating feverish excitement among gamers...and criminals. Hundreds of suspicious websites are trying to lure people into pre-ordering the PS5 (and the new Xbox as well). Incidentally, if you've ordered a PS5 and it hasn't turned up, leading UK retailer, Game, says it's because its courier company can't cope with the size of the box! Threatpost

HMRC: Last week it was tax rebates. This week, the UK tax authority warns criminals are focussed on exploiting the upcoming January 31 deadline for self-assessment returns. HMRC

Injecting emails: Criminals are offering a kit that allows users to inject malicious emails into an existing thread (making it much more likely that they won't be spotted). Cost of renting the kit for a day: $50. The method depends on stolen or weak passwords. Gemini Advisory

WordPress: Recent weeks have seen 7.5 million attacks against more than 1.5 million WordPress sites in an effort to exploit recent vulnerabilities. Epsilon Framework themes are a particular target. Bleeping Computer

GO SMS Pro: The popular Android messaging app (with over 100 million installs) has an unpatched flaw that exposes media transferred between users, including private voice messages, photos, and videos. Trustwave

Ransomware: 27% of organisations surveyed by Crowdstrike say they paid the ransom demanded by attackers. The average payment was $1.1 million, so it's hardly surprising the number of ransomware incidents keeps on increasing. Of course, paying up doesn't guarantee any information is returned, which makes protection and backups essential.

Artificial intelligence

Criminals are just getting started on a long and dangerous relationship with artificial intelligence, according to a new study by the UN and Europol. 'Malicious Uses and Abuses of Artificial Intelligence' reckons criminals will use AI both as a tool to power attacks (an 'attack vector') and as a target they seek to compromise (an 'attack surface'). While 'deepfakes' are the best-known example of AI as an attack vector, clearly there is every likelihood that AI systems themselves will be targeted. "New screening technology will be needed...to mitigate the risk of disinformation campaigns and extortion, as well as threats that target AI data sets," the report warns. Amongst the (frankly scary) examples of possible criminal uses: convincing social engineering attacks on a huge scale, and fooling image recognition and voice biometrics. O brave new world.

Passwords

It's with a heavy heart that we have to return to the subject of crap passwords. Sorry, but it's that time of year. You probably won't be surprised to learn millions of halfwits apparently continue to believe '123456' will keep them secure. According to NordVPN, the number of people using that combination was 2.54 million and it's been exposed in breaches 23.6 million times. Also popular were '123456789' and (for reasons we're still trying to understand) 'picture1'. Like most bad habits, it's easy to start and hard to stop using poor passwords. Given the upsurge in cyber crime, now would be a great time to check with family and friends that they're being sensible. Our guide to the whole wretched issue is here, but the short version is, use a password manager and 2-factor authentication.

Tracking

A tricky couple of weeks for Apple and Google, as their approach to the privacy of users attracted criticism, questions and complaints. First came a case in California in which Google is being sued for unexplained data transfers to its servers from Android phones. The plaintiffs say Google is stealing their cellular data allowances (to the alleged tune of 260MB a month) in order to support its advertising business. Google has yet to comment. In Europe, privacy activists filed complaints against Apple for its IDFA tracking mechanism. 'Identifier for Advertisers' "allows Apple and all apps on the phone to track a user and combine information about online and mobile behaviour," privacy group, noyb, says. The group has complained to data regulators in Germany and Spain that Apple carries out the tracking without the user's permission, as required by law. Finally, questions were raised over Apple's practice of checking the validity of apps when they're opened on macOS devices. Apple explained this was designed to protect against malicious apps, rather than a bid to extract more information about its customers.

Data privacy stuff

The UK data protection regulator, the ICO, has issued two statements, intended to provide clarification on transferring personal data outside the EU and on how to respond to subject access requests. The 'guidance' on data transfers doesn't amount to much more than saying the ICO is reviewing EU recommendations, while repeating earlier advice that organisations "should take stock of the international transfers they make, and update their practices as guidance and advice become available." There's more detail on handling subject access requests, including a mechanism giving data controllers more time to deal with complex requests. It also sets out circumstances in which a SAR can be rejected because it's "manifestly unfounded or excessive" and defines a basis for charging a "reasonable fee" when a request is "manifestly excessive."

In brief

Video: How sick are you of Zoom, Teams, Blue Jeans et al? For an antidote, spend a couple of minutes with this take from The Register which suggests, "Videoconferencing must die. It must die today."

Debt collection: It's emerged that debt collectors in the US will be able to pursue people through their social media accounts under new rules announced last month. The Register

Health: Have you ever googled your symptoms when you've been feeling under the weather? If you have, you'll know 'Googlecare' is not a route to peace of mind. StuffThatWorks is designed to provide crowd-sourced, quality-controlled health information about chronic conditions. ZDNet

Parler: You might have heard of the new social network, preferred by pro-Trumpers. Turns out its founders are the owners of defunct data trawler, Cambridge Analytica.

Auto email: OthersideAI converts a summary into "a full, well-written email" in the user's unique voice. Investors have just given it $2.6 million of initial funding. TechCrunch

Till ransom: South American retail giant, Cencosud, was hit by ransomware. To add insult to injury, attackers used the company's tills to print out their demands. Bleeping Computer

Vacuum: University of Maryland researchers have managed to turn a robotic vacuum cleaner into a listening device. They collected information from its navigation system and succeeded in converting it to speech and audio from TV programmes. Techxplore

Updates

Big Sur: A significant number of MacBook owners say their devices have been left unusable after they installed macOS 11 on them. The affected machines are 2013 and 2014 MacBook Pro models. At the risk of repeating ourselves, it's really worth waiting before going down the Big Sur path. Apple has just released a beta version 11.3 to developers.

Zoom: New features are designed to deal with idiots who get their kicks by 'bombing' meetings. Under Security, hosts now have an option to pause a meeting and remove a disruptive participant. There's also a facility to report idiots to Zoom. Zoom has a feature which scans the web for publicly-shared meeting links and alerts the account owner if any are found. Obviously, posting meeting details and/or passcodes publicly is not a good idea.

Firefox: Firefox 83 includes a new feature called 'HTTPS-Only Mode'. It's designed to secure browsing sessions by rewriting addresses so that they use the HTTPS version instead of the (insecure) HTTP one.

Chrome: Version 87 of Google's browser includes security fixes and continues the policy of removing support for file transfers using the FTP protocol.

Kerberos: Following last week's monthly set of updates, Microsoft is investigating an issue causing Kerberos authentication problems in enterprise domain controllers. There's no fix yet.

Tails: Version 4.13 addresses a series of security issues, as well as updating multiple apps including the Tor browser and Thunderbird email client.

Cisco: Updates for multiple products. The most serious vulnerability affects Webex and could allow unauthorised access to meetings.

Drupal: Update for the content management system to address a vulnerability that could allow commands to be executed remotely.
