FFT news digest Jul 23 2021

The Pegasus problem

The key to understanding this week's blockbuster reporting on Pegasus spyware is that it's not really telling us anything new. Anyone who's attended our awareness training will know that Pegasus has been a recurring feature since we started the company in 2016. We know that Pegasus is widely used. We know that (despite denials from its manufacturer) it has been used to target journalists and activists. We know it is constantly evolving to take advantage of 'zero-day' or unknown vulnerabilities. The real issue is that governments are perfectly aware of Pegasus and its many competitors, but nothing has been done to combat them because governments are their customers - and if they're not, it's only because they've developed similar (or better) tools themselves.

Pegasus is made by the NSO Group. It's based in Israel but a London-based venture capital fund holds a majority stake. It's part of a thriving (and highly profitable) ecosystem bringing together finance, researchers and software developers, which exploits the ongoing failure of leading technology companies to produce safer products. This week, Google's highly-respected Threat Analysis Group tried to explain why attackers are using so many undisclosed (or 'zero-day') vulnerabilities. Google argues a key reason is that products and devices are more secure, so attackers need to chain together more vulnerabilities in order to compromise them. A cryptography professor suggests the real reason is that the technology we use is riddled with bugs and manufacturers spend far too little time and money on fixing them properly.

One item from this week's reporting caught our eye: phones with US and Israeli numbers are off limits to Pegasus. NSO has said this before, but it raises the obvious question, "Why?" The probable explanation lies in the close ties between Washington and Tel Aviv, and the requirement that the Israeli government approves exports of Pegasus. So, one protection against it might be to obtain a US or Israeli phone number, as a former spyware insider explained to Threatpost. Other than that, there are limited protections. Updating devices is important, but not a panacea because of the number of vulnerabilities that no-one knows about and which can be used to replace other issues as they're fixed. And, in any case, writing bug-free software is impossible. What could be done is to make life much more difficult for NSO and its ilk. That requires concerted action from the technology sector and from governments. Alas, we're not holding our breath.

Threats

HiveNightmare: Another security issue courtesy of Microsoft. This one involves Windows files containing sensitive data like passwords (known colloquially as 'hives'). The problem is they're not as secure as they should be. Sophos explains the issue and what to do about it.
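The weakness behind this item is that the on-disk copies of the registry hives holding credential material were readable by ordinary (non-administrator) users. The following read-only check is an added example written for this digest, not code from Sophos or Microsoft; it assumes the standard hive locations under System32\config and flags any hive where BUILTIN\Users has been granted read access, which is the condition that needs fixing.

```powershell
# Added example (not from the digest, Sophos or Microsoft): report whether the
# registry hive files that hold credential material are readable by ordinary users.
# Read-only: it changes nothing. Run from an elevated PowerShell session so the
# security descriptors of the (locked) hive files can be read.

$hives = @(
    "$env:SystemRoot\System32\config\SAM",
    "$env:SystemRoot\System32\config\SECURITY",
    "$env:SystemRoot\System32\config\SYSTEM"
)

foreach ($hive in $hives) {
    if (-not (Test-Path -Path $hive)) {
        Write-Output "${hive}: not present, skipping"
        continue
    }

    $acl = Get-Acl -Path $hive

    # Any Allow rule for BUILTIN\Users that includes ReadData means a standard
    # user account can read the file's contents; on a healthy system only
    # SYSTEM and Administrators should have access to these hives.
    $weak = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }

    if ($weak) {
        Write-Warning "${hive} is readable by BUILTIN\Users - permissions need tightening"
    } else {
        Write-Output "${hive}: OK (no read access for BUILTIN\Users)"
    }
}
```

If the check warns, the remediation is a matter for the vendor guidance the item points to; the script deliberately only reports so it can be run safely on a fleet before any change is made.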

LinkedIn: More reasons to beware the phisherman's friend. Google says Russian government attackers targeted European government officials with LinkedIn messages containing malicious links designed to exploit 'zero-day' vulnerabilities in Windows and iOS. And a current campaign is using Google Forms to evade security controls and try to steal LinkedIn credentials.

USB: Removable storage is risky, as research from Kaspersky illustrates. It says attackers linked to China are responsible for a campaign that spreads by infecting USB sticks.

Macs: Popular malicious software designed to steal information from Windows systems has been modified to target macOS devices. XLoader spreads through booby-trapped email attachments. Once installed it can record screenshots and keystrokes, and steal passwords stored in browsers. Check Point

Zipped: Attackers have taken inspiration from Russian dolls and are evading security controls by hiding malicious software inside nested archives. Cofense

Pirates: Bitdefender details a new campaign designed to exploit anyone searching for illegal copies of popular software. MosaicLoader is delivered through paid ads that will show up at the top of search results.

Browser update: US insurance giant, CNA, has explained that a fake browser update was responsible for a ransomware attack in March. Bleeping Computer

China

Beijing has reacted furiously (and predictably) to coordinated accusations from the US, the UK and its allies that it's responsible for a "pervasive pattern of hacking". Washington, London et al say China was behind a widespread attack on Microsoft Exchange servers which "was highly likely to enable large-scale espionage." In response, the Chinese Foreign Ministry spokesperson described the US as the world's top hacking empire. We're no apologists for China, but the reality is that everyone is hacking everyone else. This is cyber warfare. We can only hope it doesn't turn into cyber war.

Telegram

"How secure is Telegram?" It's a question that frequently comes up in our awareness sessions. Until this week, the answer was, "no-one really knows". But now researchers have discovered several vulnerabilities in the messaging app. The issues range “from technically trivial and easy to exploit to more advanced and of theoretical interest,” according to the analysis. The researchers told Telegram about the issues in April and it says the issues have now been fixed, although it insists none of them were "critical". So, is Telegram safe? Well, it's safer than it was, but we'd still prefer to use Signal when possible.

Facebook

Facebook is fighting back after President Biden accused social media platforms of killing people by supporting the spread of COVID-19 misinformation and anti-vaccination content. In a blog post (entitled "Moving Past the Finger Pointing"), Facebook said, "the fact is that vaccine acceptance among Facebook users in the US has increased". That may be true, but it's also true that vociferous sceptics continue to spray dubious or downright false information around social media. And let's not forget, as a Guardian journalist pointed out, that as recently as 2019 Facebook was actively promoting anti-vaxxer groups to people searching for vaccine information.

Location

A Catholic priest in the US has discovered that "anonymised" location data is not quite as anonymous as he might have wished. Monsignor Jeffrey Burrill resigned as general secretary of the US Conference of Catholic Bishops after a publication told the organisation it had cellphone data showing he was a regular user of the Grindr dating app and frequented gay bars. The Pillar said it obtained the information from a data broker and correlated the details to a unique mobile device used by Burrill. Privacy campaigners have long warned about the risks of 'de-anonymising' marketing data to identify individuals. This is the first known case of it taking place.

In brief

Doomed: Gartner predicts that by 2025 attackers will have worked out how to weaponise the technology that controls vital infrastructure so that it can be used to kill us. Focus on that rather than information theft, it says.

Long memory: You might think factory resetting an Amazon Echo Dot would wipe any data stored on it. Wrong! Despite assurances from Amazon, research from Northeastern University found sensitive information remains on the devices even after a full reset.

Sweat: US academics have come up with a wearable device designed to harvest the sweat in your fingers and use it to charge your electronic devices. The Register

Under 16: China has banned anyone under 16 from appearing in content on live streams and video platforms. The move comes after 'soft' pornographic images of children were found on digital platforms. ZDNet

Algorithmic: UK councils are using privately developed software to "mass profile" benefit claimants, according to pro-privacy group, Big Brother Watch. One woman said she was "stunned" to discover she had been flagged as medium risk for fraud. BBC

Condo collapse: There are few depths cyber scumbags won't plumb, but this one is pretty deep. Criminals are monitoring the news for details of people killed in the Florida building collapse so they can steal their identities. Threatpost

Fake: Counterfeit AirPods could cost Apple up to $3.2 billion this year, according to the US Chamber of Commerce. The figure is extrapolated from the $62.2 million worth of fake AirPods seized in the US this year. 9to5Mac

Freedom phone: A privacy-focussed phone supported by prominent conservatives turns out to be a $119 device "notorious for its poor security". The Daily Dot

Updates

Apple: iOS and iPadOS 14.7 have been released with a raft of critically important security updates. Unfortunately, Apple has confirmed that, if you have an Apple Watch, the new software may stop your iPhone unlocking it. It also appears that the updates don't fix the vulnerabilities being exploited by the latest version of Pegasus spyware. Safari also has a new version, and there are security updates for macOS (all supported versions).

iOS WiFi: Another reason for turning off the Auto-Join WiFi feature. It turns out the problems caused by weird hotspot names can be much more serious than first thought. On the plus side, the issue is difficult to exploit and iOS 14.7 is supposed to fix it.

Windows printing: The nightmare continues. After three attempts to fix the problem with the Windows print spooler*, Microsoft has resorted to telling users to turn it off while it tries (yet again) to fix the issue.
*In case you're wondering, the spooler manages print jobs by storing data and processing them sequentially or by priority.
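For anyone following the advice to turn the spooler off, the snippet below is an added example written for this digest (not Microsoft's own guidance): it stops the Print Spooler service, prevents it from restarting at boot, and records the before and after state so the change can be reverted once a working fix is installed. It assumes an elevated PowerShell 5 or later session on Windows.

```powershell
# Added example (not from the digest or Microsoft): stop and disable the Windows
# Print Spooler service on a machine that does not need to print, and record the
# service state before and after so the change can be undone later.
# Run from an elevated PowerShell session (PowerShell 5+ for the StartType property).

$service = Get-Service -Name Spooler
Write-Output "Before: Status=$($service.Status) StartType=$($service.StartType)"

# Stop the running service (and anything that depends on it).
if ($service.Status -ne 'Stopped') {
    Stop-Service -Name Spooler -Force
}

# Disabled (rather than Manual) so nothing can start it again on demand.
Set-Service -Name Spooler -StartupType Disabled

$service = Get-Service -Name Spooler
Write-Output "After:  Status=$($service.Status) StartType=$($service.StartType)"

# To restore printing once a fix has been installed and tested:
#   Set-Service -Name Spooler -StartupType Automatic
#   Start-Service -Name Spooler
```

Disabling the service is the right choice for servers and desktops that never print; on a print server the mitigation is not an option and patching plus monitoring of the spooler is the only route.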

Printers: Meanwhile, it turns out that hundreds of millions of HP, Xerox and Samsung printers are affected by a whiskery vulnerability dating back to 2005. Fixes have been released - and users are urged to make sure they're installed.

Chrome: Version 92 for Windows, Mac and Linux fixes no less than 35 security issues. The latest update for iOS also adds security features for incognito tabs.

ProtonVPN: Updates for the macOS and iOS apps provide enhanced anti-censorship measures.

Fortinet: Updates for FortiManager and FortiAnalyzer network management solutions to address a serious vulnerability that could be exploited remotely.

Adobe: Security updates for seven products to address 21 vulnerabilities, including 15 with a critical severity rating.

Oracle: July critical patch update includes 342 fixes. More than half of them address vulnerabilities that can be exploited remotely without authentication.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217