FFT news digest Aug 6 2021

Spyware

The fallout from Project Pegasus continues, with official confirmation that the NSO Group's spyware was found on the phones of three journalists in France. There have been repeated reports from researchers detailing attacks in which the spyware has been used against journalists, activists, diplomats and politicians but this is the first time confirmation has come from an official authority. Le Monde ($) says France’s national agency for information systems security (ANSSI) found traces of the spyware on the phone of a senior employee of France's international TV service, France 24, as well as on devices belonging to journalists at investigative website, Mediapart.

Recent attention has focussed on Pegasus but it's far from the only such tool available. As Forbes reported, there are plenty of similar alternatives, and the latest to emerge is called Paragon. Citing industry sources, Forbes says "It claims to give police the power to remotely break into encrypted instant messaging communications, whether that’s WhatsApp, Signal, Facebook Messenger or Gmail." Forbes quotes sources as saying the app is seeking to distinguish itself by providing access only to messaging apps rather than to the phone as a whole.

In a heartfelt essay, the head of Amnesty International's security lab points out that the problem with spyware is not so much the tools themselves, but the flaws in everyday technology that facilitate them. We strongly agree with Claudio Guarnieri's analysis in Motherboard. "Apple, Google, Microsoft and the like need to recognise the critical roles they play in the economics of this market of industrialized insecurity. They need to invest more in shutting down attack vectors, complicate exploit delivery, and detect malicious behavior," he writes. Alas, it's a call that almost certainly will fall on deaf ears.

Threats

Search: Attackers have been impersonating the website of privacy-focussed browser, Brave, in an attempt to install malicious software on victims' devices. To attract traffic to the fake site, they bought Google ads designed to show up in searches about browsers. Meanwhile, criminals behind another campaign have been optimising malicious web pages to rank high in Google searches. It's deeply frustrating, but do take care with search results. Ars Technica

Banking: Researchers are warning of a new kind of malicious software in Android apps downloaded from Google Play that attempts to steal banking login information. ThreatFabric

PayPal: A new phishing scam masquerades as PayPal and uses automated scripts together with live chat to try to compromise devices and bypass secure email gateways. Cofense

Blackmail: Scumbags are back with one of their more unsavoury tricks. It involves trying to blackmail users by claiming their computer has been hacked and 'lewd' material has been uncovered. The scam exploits real, stolen passwords to convince the target the scam is real. Bitdefender

Amazon: Attackers are taking advantage of Amazon's ubiquity to underpin a range of scams, including fake orders, gift card fraud, payment scams and dodgy phone calls. ESET

SharePoint: This one is really sneaky. Microsoft is warning about a campaign that uses spoofed email addresses and SharePoint links to evade security precautions.

Apple scan

Apple's announcement that it will scan iPhones and iPads for child sexual abuse images is the first step on a perilously slippery slope. Trying to eradicate child abuse is unquestionably a moral good, but Apple's decision could turn out to be the thin end of a very large wedge. The Electronic Frontier Foundation said that, despite Apple's lengthy explanation about how it will protect privacy and security, the move still represented a backdoor that would compromise its commitment to end-to-end encryption. And that's assuming the mechanism works as it's supposed to which, given the extensive list of vulnerabilities in Apple products, cannot be guaranteed.

Ransomware

The number of ransomware attacks has almost doubled over the past year, according to Check Point. It says the increase has been driven by the adoption of "triple extortion", in which attackers not only encrypt files, but also steal sensitive information, threaten to publish it and use it to target organisations connected to the victim. Meanwhile, Coveware says the two most common techniques used by attackers involve simple phishing emails and attempts to take advantage of weak passwords to compromise remote desktop protocol (RDP) services. On the plus side, Coveware adds that the size of ransom payments has fallen as governments make ransomware a higher priority.

Public networks

WiFi is ubiquitous, convenient...and really dangerous. Indeed the US National Security Agency says it's best to avoid using it when possible. It also warns about the risks of Bluetooth and Near Field Communications (NFC) and urges us to disable all three types of connectivity when not in use. The NSA advice is hardly new, but its security bulletin does provide a handy guide to making connectivity in public a little safer. The problem is that the advice is often ignored, even by security professionals. We would like technology manufacturers to make it much easier to disable capabilities that make us vulnerable. The problem is that they don't want to because those capabilities generate data points that are hugely valuable to them.

Leaky images

Most people know that digital photos contain lots of useful metadata such as location and time, but the image itself can be used to reveal a worrying amount of dangerous information about an organisation. Pen Test Partners explains how a seemingly innocuous marketing image can be used to identify the types of technology in use, as well as ID cards and office layouts. And, as their blog points out, it's not just images. We should also keep in mind all the other videos that organisations produce. That 'Day in the Life' video might be great promotional material, but is it also a goldmine for a potential attacker?

Insiders...again

News to reinforce last week's warning about the risk from insiders. A ransomware gang is seeking to recruit employees to help them breach and encrypt devices, according to Bleeping Computer. Attackers often buy access details from third parties. Now, they're trying to cut out the middleman by sending the insider a "virus" that just needs to be run on a computer connected to the target organisation's network. Meanwhile, Motherboard reports that "Google fired dozens of employees between 2018 and 2020 for abusing their access to the company's tools or data." As Motherboard says, this is just the latest in a series of such incidents at the technology giants.

Facebook

An update to Facebook's mobile app makes some significant changes to the settings page. Facebook says these will make it easier to control privacy settings. Along with many others, we couldn't agree less. Meanwhile, in an interesting interpretation of transparency, Facebook has disabled the accounts of researchers who analyse advertising on the platform. Facebook claimed they had used "unauthorised means" to analyse political ads. And one final bit of Facebook news. It's researching ways to analyse encrypted data, such as WhatsApp messages, for advertising purposes, according to The Information.

In brief

Supply chain: It's often much easier to attack a target's suppliers rather than the target itself, and the EU cybersecurity agency warns the number of such attacks is likely to quadruple this year compared to 2020. Its report has excellent advice on mitigating the threat.

Surveillance: The US authorities have been using banned Chinese surveillance technology to track suspected criminals in real time, according to The New York Times. And in the UK, i-news says police are experimenting with the use of facial recognition technology to investigate cases retrospectively.

MacBook screen: Multiple owners of the latest MacBook Pro say the device's screen has cracked for no apparent reason. Apple has yet to comment but, given its lamentable quality control record, we can't say the reports surprise us. 9to5Mac

Zoom: Has agreed to pay $85 million to settle claims that it lied about offering end-to-end encryption and gave user data to Facebook and Google without user consent.

Drunk: Every car manufactured in the US after 2027 will have a mandatory system to monitor and prevent drunk driving if a bipartisan infrastructure bill is approved. Motherboard

Palmprint: $10. That's what Amazon will pay you in return for enrolling your biometric data in the company’s palm print recognition system, Amazon One. TechCrunch

Old: Employees are wasting hours every week because of outdated technology, according to a study by Intel. By no stretch of the imagination could Intel be called a disinterested party, but the finding from a poll of UK decision makers does fit with our own experience.

Soap: Dear lord. Does the world really need a 'smart' soap dispenser? Amazon thinks so, and believes we'll pay $55 for it.

Updates

Chrome: Google has released another update for its web browser. Version 92.0.4515.131 for Windows, Mac, and Linux addresses vulnerabilities that an attacker could exploit to take control of an affected system.

PrintNightmare: Do make sure you've taken the latest updates that address a dangerous vulnerability in the way Microsoft manages printing. A researcher has found yet another way to exploit it.

WordPress: Update for the WordPress Download Manager plugin to fix an issue that could be used to attack some systems.

Cisco: Fixes for vulnerabilities in Small Business VPN routers which could allow attackers to trigger a denial of service condition or execute commands and arbitrary code on vulnerable devices. Also, updates for six other issues affecting a range of products.

VMware: Security updates to address a critical vulnerability in multiple products including Workspace One Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, and vRealize Suite Lifecycle Manager.
