FFT news digest March 5 2021

Online insecurity

Social media platform, Gab, became a refuge for right-wingers when Twitter banned Donald Trump and many of his supporters, so it's not altogether surprising that it has suffered a vast security breach. Distributed Denial of Secrets said it obtained 70GB of passwords, user profiles and some 40 million posts. It is making the data available on request (because of its sensitivity). Providing an object lesson in how not to react to such incidents, Gab's CEO took to Twitter where he blamed the breach on "mentally ill tranny demon hackers".

It's simply common sense to work on the basis that, sooner or later, anything stored online is liable to emerge into the open, something worth keeping in mind if you're thinking about joining hot, new(ish) social media app, Clubhouse. Of course, to join in you have to have an invite from an existing member. And, as Inc. explains, that member has to have your phone number and has to give Clubhouse access to their iPhone contacts. If that makes you uncomfortable, then also bear in mind that, while emphasising conversations are 'ephemeral', Clubhouse can also record what you say (as can its users). It can also track you across the web, and its back-end infrastructure is provided by a China-based company.

Latest victims of internet insecurity are the criminals themselves, with at least four cybercrime forums compromised this year. Intelligence outfit, Intel 471, says it doesn't know who is responsible, "but due to their public nature, we think it is unlikely that this is a law enforcement operation".

In an ideal world, we would separate our work and personal lives by, for example, having two phones and two computers. We are realistic enough to appreciate this is impractical for many people - and not just because of the expense. But we do think it is important to try to avoid mixing the two worlds as much as possible. At its simplest, that means not using work email for personal business - and ensuring no dodgy browsing takes place on work devices. And, yes, that includes pirate streams of Premier League games.

Threats

Email remains the key threat to most organisations and individuals, according to a report from Trend Micro. The security outfit says it blocked 16.7 million "high-risk email threats" that evaded webmail providers' own filters. Another report, from Egress, found that 83% of organisations had experienced email data breaches in the last 12 months.

Business Email Compromise: Scammers are using new tactics to try to increase the size of payouts. Agari says (R) they have started employing fake 'capital call' notices that try to persuade victims they need to fulfil an investment commitment. Average target amount: US$809,000. Insurance giant, Aon, has 7 steps to help defeat the attackers.

AOL: Anyone still using AOL (often older people) should beware a new campaign trying to steal their credentials by telling them their account is about to be closed. Bleeping Computer

Deactivate: A similar scam warns targets that their inbox will be deactivated unless they confirm their credentials. KnowBe4

macOS: The mysterious 'Silver Sparrow' malicious software appears to be linked to fraud rather than nation state espionage. ESET

COVID-19: Criminals are stepping up attempts to profit from the roll-out of vaccinations. The EU fraud agency has warned about organised crime groups offering to sell vaccines to member states, and individuals around the world continue to be bombarded with fake emails offering inoculations.

On display: A reminder to take care about what's in shot during your back-to-back video calls (as Matt Hancock demonstrated). Naked Security

Catphishing: As more and more people turn to online dating, 'catphishing' is on the rise. Panda Security advises on protection against fraudsters and the highly credible fake identities they create. 

Zero Trust

In the olden days, security focussed on the perimeter and assumed everything inside the organisation was secure. Zero Trust turns that idea on its head and assumes nothing is safe, so every access request must be authenticated and authorised before it's granted. A "never trust, always verify" approach creates more opportunities to detect attacks before they result in serious damage. The US National Security Agency has released a guide, which recognises that creating a mature Zero Trust environment is a challenging undertaking. Microsoft has useful resources, including a tool to assess an organisation's readiness for Zero Trust. 

Blame the intern

You might remember the SolarWinds security calamity that resulted in more than a hundred US government agencies being compromised. So how did it happen? Well, it was all the intern's fault, of course. SolarWinds told a congressional hearing that an intern set an important password to "solarwinds123" and then posted it online. Recognising that blaming the intern was probably not the best look, SolarWinds' PR agency later claimed the password was for a third-party application - though that hardly explains why an intern was setting important passwords, choosing such a pitifully bad one and posting it online.

Conflicted

A bunch of reports this week reveal a conflicted cybersecurity community, which is confident about the ability of remote employees to mitigate risks while simultaneously expressing concern that remote work is increasing the likelihood of a breach. To muddy the waters further, IDG Research found that 78% of IT security leaders lack confidence in their organisations' ability to withstand attacks. Of course, all these positions can be true. The key to maximising security is to focus on the basics, above all on helping employees stay as safe as possible.

Passwordless

So, back to the ghastly business of passwords - prompted in part by an eye-catching Swedish ad campaign highlighting the worm in the bud of so many people's online security. In an ideal world, we would abolish passwords altogether and Microsoft has been a leader in pushing this process forward. It says some 200 million people have already migrated to 'passwordless logins' and that's now becoming a standard feature of Azure Active Directory. Microsoft is also launching a 'Temporary Access Pass' to enable users to enrol in new services without needing a password.

In brief

macOS: There are signs that Apple might be preparing to withdraw a translation tool that enables software written for old Macs to run on new ones. Language buried in the next macOS version (Big Sur 11.3) suggests Rosetta 2 might not be available in some regions. Its withdrawal would cause enormous problems for many users. MacRumors

iPhone bang: An Australian man is suing Apple after an incident in which he claims an iPhone X exploded in his pocket. 9to5Mac

Malaysia Airlines: Says its frequent flier programme suffered a "data security incident" spanning no less than nine years. It blamed a "third-party IT service provider". So that's OK. ZDNet

Saudi suit: Reporters without Borders (RSF) has filed a criminal complaint in Germany accusing Saudi Crown Prince Mohammed Bin Salman and other high-ranking Saudi officials of crimes against humanity. The complaint focusses on the cases of 35 journalists. RSF

5G: US cellular giant, Verizon, advised users to turn off 5G to preserve battery life (in a tweet that mysteriously disappeared shortly after being posted). Ars Technica

Mind-reading: Think what you're typing during a video call is private? Think again. Researchers have figured out how to learn what we're typing from the way we move our shoulders. Zoom on the Keystrokes

Transcription: New Microsoft ‘Group Transcribe’ iPhone app offers free real-time transcription. Microsoft says the app also supports translation.

Vehicles: The future is electric, but with cars increasingly becoming computers with wheels, the road ahead is looking bumpy. Hundreds of Volvo XC40 electric SUVs are stuck at various US ports awaiting crucial software updates. And a Formula E driver ended up in hospital after his car's fail-safe braking system failed.

Updates

Exchange: Multiple groups are trying to exploit critical vulnerabilities in on-premises Exchange servers. The issue prompted the US Cybersecurity and Infrastructure Security Agency to release an emergency directive urging organisations to install updates immediately.

Chrome: Version 89.0.4389.72 addresses a serious security issue. Close and re-open to ensure it's installed.

Linux: An update aims to overcome a memory consumption problem which has baffled the developers. Last month, the Mint team said it would begin forcing the installation of some updates.

Google Workspace: Major update includes new functionality to support remote collaboration. Google has denied claims that Workspace contains multiple data-protection risks.

Teams: New features for Teams will enable enhanced security and wider channel-sharing - and also allow presenters to channel their inner news anchor.

Google iOS: Updates resume after a delay linked to Apple's privacy changes. Engadget

Android: Updates to address 37 vulnerabilities, including a critical flaw in the System component.
