FFT news digest May 28 2021

Sleep-walking into chaos

Belgium and Japan have emerged as the latest governments to fall victim to online attack, while news has emerged of a further campaign against China's Uighur minority. In Belgium, the Interior Public Service agency said it was investigating an espionage campaign that began as early as April 2019. It said the campaign was connected to attacks on Microsoft Exchange email servers that have been linked to China. And in Japan, NHK reported that data had been stolen from several government agencies after a Fujitsu project management platform was hacked.

Meanwhile, the United Nations is the latest lure to be used and abused in a campaign against the Uighur minority in China's Xinjiang province. Phishing lures come branded with the UN Human Rights Council logo and contain a decoy document relating to discussions of human rights violations. It's the latest element in a relentless offensive which is also believed to have exploited vulnerabilities discovered in hacking competitions. Two UK academics have explored the risks of such contests when they are set up to benefit national, as opposed to international, security.

The extent of the world's dependence on the internet is illustrated by a new report that has tried to estimate the economic damage that would be caused if it were unavailable. The figure produced by Merchant Machine is $2.1 billion per hour, but the raw cost doesn't reflect the impact of wider disruption. Some of this might be offset by the use of private networks, but there are longstanding concerns about the possibility of attacks on the fibre connectivity created by companies like Google and Facebook.

Put all this together and a picture emerges of a world in which critical risks are ignored because there are no easy solutions. Of course, the reality is that, just like the COVID-19 pandemic, ignoring the risks won't stop them becoming reality.

Threats

The number of data breaches and their severity have grown at an absurd rate, with more data stolen in January 2021 than in all of 2017, according to Imperva. Imperva says 826.53 million records were compromised in January. For context, 20.21 billion records were stolen last year. Computer Weekly

ID theft: 90% of those questioned in a survey believed they could become a victim of ID theft or cybercrime at any time. This far outstripped the numbers concerned about falling seriously ill or being robbed. Benenson Strategy Group

Ransomware: An ingenious campaign tries to scare targets into thinking they've been hit by ransomware. In fact, while victims worry about whether to pay up, malicious software steals information in the background. Microsoft

Fake jobs: The FBI is warning about a resurgence in fake job scams. Brian Krebs has details of a long-running and wicked method - and a recent example that ended up fooling more than 100 people.

Royal Mail: A success for UK police who have arrested eight men on charges of involvement in a scam that demanded recipients pay a fee in order to collect a parcel. Alas, the arrests won't stop this type of scam because it's so effective - and profitable. Teiss

Crypto catphish: Scammers are creating fake profiles as part of complex schemes to gain access to their target's cryptocurrency. ExpressVPN

Health: Digital crime with a healthcare theme had an enormous boost from the COVID-19 pandemic, with losses in 2020 increasing by 2,473% over the previous year. Tactics included fake certificates and scam medication. CrowdStrike

Bluetooth: New vulnerabilities have been identified which could allow an attacker to impersonate a legitimate device during pairing. The only solution is to ensure updates are applied promptly and Bluetooth is turned off when not being used. Carnegie Mellon

AnyDesk: Sneaky campaign used fake Google ads in search results to target AnyDesk. Clicking on the ad was the first step in installing a malicious version of the remote desktop software. This is an increasingly common tactic, so caution with search results and ads is important. CrowdStrike

GDPR

Happy third birthday to the General Data Protection Regulation. That's three years since its enforcement began. It's actually five years since it became law (and consultants started scaring everyone in a bid to make some money). When enforcement began, we said that regulators weren't seeking opportunities to fine organisations that breached the rules, and that's proved broadly true. However, the pace of fines has increased, with half of all penalties under the regulation issued last year. The areas causing the most problems are lack of a legal basis for processing personal data, information security failures, insufficient transparency and failure to comply with the rights of 'data subjects'.

Surveillance

In a nuanced judgment, the European Court of Human Rights has ruled that the UK's mass surveillance system broke the law because it lacked sufficient safeguards to protect the data it gathered. However, the court rejected arguments from privacy campaigners that such mass surveillance contravenes the European Convention on Human Rights. And it ruled that information acquired through bulk surveillance may be sent abroad providing it is adequately protected. For a view of how surveillance is working in practice, look no further than Amazon's Ring doorbells. A Ph.D candidate at the University of Pennsylvania told The Guardian that one in every ten US police officers now has access to video from civilian cameras.

Insiders

How confident are you about the information employees are storing at home? The risk has been highlighted by an FBI employee who has been charged with stealing classified documents and keeping them at home over a 13-year period. Kendra Kingley is accused of taking documents that detailed FBI sources and methods, including US government efforts to collect intelligence on terrorist groups. This is hardly the first time US law enforcement has experienced such problems. In 2017, it emerged that a National Security Agency contractor lost information that had been taken home. If it can happen to the FBI and the NSA, it can certainly happen to the rest of us.

(Mis)information

Facebook is taking additional steps to try to limit the spread of misinformation by expanding penalties to include individual accounts. The new system will "reduce the distribution of all posts" from anyone routinely sharing false or misleading posts. Until now, that policy only applied to Pages and Groups. Facebook users will also start to see popups warning about content that includes misinformation. It remains to be seen how effective this will be, and the announcements are part of a concerted effort by Facebook to seize the initiative as regulators consider how to clip its wings. This week, Nick Clegg popped up on CNBC with a 'bipartisan approach to break the deadlock on internet regulation.' 

In brief

NHS: Plans to share data about patients in England with third parties have provoked privacy and security concerns. The data will include sensitive information on mental and sexual health, and criminal records, and will be used for research and planning. FT

Hard Stilton: Another reminder about the risks of photos, this time from a Liverpool drug dealer who was brought to book by a photo of him holding a piece of Stilton. Police said it enabled them to identify his palm and fingerprints. Merseyside Police

Crime app hack: Information from neighbourhood watch app, Citizen, has ended up on the dark web after it was raided by a hacktivist. Details included GPS coordinates of incidents, images and clips of police radio. "Cops are not your friends," the hacktivist said. Motherboard has a powerful account of the risks of such apps.

Do as we say: Many information security leaders have woefully poor cybersecurity practices, according to Constella Intelligence. Failings included accepting friend requests from people they don't recognise, lax WiFi security and using work devices for personal activity. Motherboard

Self-drive: There is renewed scepticism about how soon truly self-driving cars will be available, but autonomous planes look much closer to reality. Merlin Labs has announced a venture that initially involves 55 King Airs. The "drop-in autonomy kit" envisages making it possible for air traffic controllers to 'talk' to the planes. TechCrunch

Smart plugs: Do take care because they're a security menace and can be used to break into devices, or even properties. Issues include weak default passwords and unencrypted communications. A&O IT Group

Ratings: An iPhone app has an ingenious approach to securing positive ratings. It won't let you use it until you've given it a good review! Kosta Eleftheriou

Updates

macOS: Important updates for supported versions of Apple's desktop operating system which address another previously unknown issue that is being actively exploited and could be used to take screenshots and steal data. There are also updates for Safari and Boot Camp. You may also have heard about an unfixable security issue in Apple's new processors. It has a fancy name and its existence is far from ideal, but it's probably not something to be too worked up about at the moment. Sophos has a good explanation.

iOS: Version 14.6 has important security fixes and it also appears to solve several performance issues. As of now, there have been no widespread reports of problems with the new version.

Microsoft 365: Microsoft appears to have resolved problems that caused Outlook and Exchange Online emails to be sent directly to junk folders.

VMware: "Emergency" updates to address multiple vulnerabilities in vCenter Server and Cloud Foundation. Some of these could be exploited to take control of an affected system.

Pulse: Users of Pulse Secure VPN appliances should read Ivanti's security advisory which explains a high severity vulnerability and what to do about it.

Chrome: Yet more security updates for Google's browser. Version 91.0.4472.77 for Windows, Mac, and Linux has 32 security fixes and should be installed as soon as possible. It should also fix problems with the Windows version which caused it to crash.

Google: It's now possible to password protect the page that shows all activity across Google's services. Of course, this only stops someone seeing your activity if they have access to your device. It does nothing to dim Google's all-seeing eye.
