FFT news digest Sep 3 2021

Digital

This has been a pretty awful week for the image of electronic identity solutions. The most serious issue is in Afghanistan where government databases are linked to biometric profiles that could be used to identify millions of people. One researcher told MIT Technology Review that as well as standard personal details, one military database contains information not only about recruits, but also about their extended families. And, bizarrely, a police ID application form appears to ask recruits to specify their favourite fruit and vegetable.

In the UK, some 700,000 'vaccine passports' have been affected by mistakes, according to The Daily Telegraph (£). Freedom of Information requests revealed 677,731 incidents in which NHS COVID vaccine records had to be corrected. And 122,939 records were deleted because of mistakes. In one case, an IT director from London ended up resorting to having a third vaccination because details of his first jab were missing and no-one would fix the error.

And a detailed review of Iceland's introduction of electronic drivers' licences explains how trivially easy it is to make a replica of the e-licence. Teenagers appear to have gleefully embraced the vulnerability to use fake licences to get into bars and nightclubs in Reykjavik. More than a year after the digital licences were introduced, the government is now planning to release scanners that will be able to detect fakes. As Syndis concludes in its analysis, "security should never be an afterthought."

Threats

Vishing: Attackers are making increasing use of call centres to scam targets. In the latest variant, Kaspersky says criminals are sending emails with details of a fake purchase - usually something expensive - in a bid to persuade the target to call a phone number and hand over their financial details.

Sextortion: There's also been a sharp increase in use of this nasty tactic which involves threatening to leak sexual imagery unless the target pays up. The FBI says such scams cost Americans $8 million in the first seven months of the year.

Credibility: Phishing emails used to be easy to spot because they were so poorly written. Criminals have figured that out, so they're reported to be recruiting native English speakers in a bid to make their lures more credible.

Bluetooth: Bluetooth has a number of well-documented vulnerabilities. Now, researchers have found another set of issues - and they can't be fixed. As always, try to remember to turn off Bluetooth unless you're using it.

Bandwidth: The latest criminal scam involves selling some of a victim's internet bandwidth. 'Proxyware' is a legitimate tool, but Cisco Talos warns it's beginning to see "serious abuse" of the solution.

Messaging: Cofense has details of how criminals exploited Verizon's multimedia messaging service (known as Vzwpix). The service allows users to send texts as email to recipients. Many cellular operators offer similar services.

Redirect: Microsoft is warning about a widespread campaign that exploits the way web addresses work. The problem is that the address you click on isn't necessarily where you end up (lots of newsletters do this to track clicks). Password managers can help to mitigate the threat.
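To make the "address you click isn't where you end up" point concrete, here is a small Python check added to this digest as an illustration; it is not code from Microsoft's advisory or from the newsletter. It looks for redirect-style query parameters that carry an absolute URL and reports when the host a user would actually land on differs from the host shown in the link. The parameter names and the sample links are assumptions constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Query-parameter names commonly used to carry a "go here next" address.
# Constructed list for this example; real tracking links use many others.
REDIRECT_PARAMS = ("url", "redirect", "redir", "next", "target", "dest", "goto", "u", "link")


def final_destination(url: str) -> str:
    """Return the host a link really sends the user to.

    If a redirect-style query parameter holds an absolute URL (or a
    protocol-relative //host/... form), that URL's host is returned;
    otherwise the link's own host is returned. ``hostname`` is used
    rather than ``netloc`` so that a user@host trick does not hide the
    real host behind a trusted-looking name.
    """
    outer = urlparse(url)
    params = parse_qs(outer.query)  # parse_qs percent-decodes the values
    for name in REDIRECT_PARAMS:
        for value in params.get(name, []):
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname:
                return inner.hostname
            if value.startswith("//"):  # scheme-relative redirect
                return urlparse("http:" + value).hostname or ""
    return outer.hostname or ""


def flag_link(url: str) -> dict:
    """Compare the displayed host with the real destination."""
    displayed = urlparse(url).hostname or ""
    actual = final_destination(url)
    return {
        "displayed_host": displayed,
        "actual_host": actual,
        "mismatch": displayed != actual,
    }


if __name__ == "__main__":
    # Constructed sample links (not real campaign URLs).
    samples = [
        "https://mail.example.com/l?url=https%3A%2F%2Fevil.example%2Flogin",
        "https://shop.example/products?id=42",
        "https://news.example/click?next=/account",
        "https://news.example/go?u=//phish.example/x",
    ]
    for link in samples:
        print(flag_link(link))
```

A mail gateway or browser extension would apply the same comparison before a click is allowed through; the mismatch flag is what a password manager implicitly relies on when it refuses to autofill on a domain it has no entry for.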

Denial of Service

Web infrastructure giant Cloudflare says it stopped a Distributed Denial of Service attack that involved 17.2 million requests per second. It's by far the largest such attack it has seen. DDoS attacks are designed to overwhelm a target's systems so they become unavailable - and their aim is usually to extort money. Cloudflare says the attack was directed at a financial industry customer and it was three times bigger than the previous largest incident. Despite its size, there is agreement that no organisation is too small to be targeted. It's vital to make sure counter-measures are in place. The Cloud Security Alliance has advice.

Credentials

Here's a powerful reminder to be extremely careful about installing browser extensions and helpers. Israeli researcher Noah Rotem told Calcalist that he found an unsecured database containing hundreds of millions of credentials for a range of online services belonging to users from around the world. The owners of the database were criminals who stole the information by luring victims into installing what they thought were genuine browser extensions or video call apps. The database also contained 'session cookies' which are created when the 'Remember Me' box on a login page is ticked. That's another thing we advise against doing.

T-Mobile

A 21-year-old American living in Turkey says he was behind the breach of T-Mobile's US operation which resulted in the theft of more than 54 million people's personal details. John Binns told The Wall Street Journal ($) that T-Mobile's security was "awful" and he secured access through an unsecured router that he was able to identify with a simple, publicly available tool. Despite his youth, Binns has one hell of a backstory, involving claims of blackmail, torture and surveillance. T-Mobile's own history is one of repeated failures to protect its customers' personal information. So far, it's said little about the latest breach other than to apologise to its users.

Multi-factor

Protecting important resources with single-factor authentication is such a bad idea that the US Cybersecurity and Infrastructure Security Agency has added it to its (very) short list of "bad practices". CISA says its warning applies to all organisations, though it's particularly concerned about critical infrastructure. A 2019 study published by Google found that using multi-factor authentication (i.e. a password plus a code or hardware token) blocked almost all automated attacks and two-thirds of targeted ones. To put single-factor authentication in context, the only other two items currently on CISA's list are using known/fixed/default credentials and continuing to use software or hardware after support for it ends.

In brief

Segregation: Excellent write-up from Pen Test Partners that underlines how important it is to triple-check firewall rules and guest WiFi settings. In short, an erroneous firewall rule meant that a consultant was able to take control of a building's lift. From the street outside.

Misinformed: Just a week ago the boss of Reddit said COVID-19 misinformation wasn't a serious problem on the site. Now, it's just announced a ban on r/NoNewNormal which it says has been responsible for a vast amount of misinformation. Vice has a detailed look at the issue.

Immoderate: Fresh from enacting ingenious legislation that effectively bans abortion, Texas has moved closer to adopting a law that will prevent social media platforms from moderating political content. The Verge

Australia: New legislation will allow police to take over social media accounts as part of investigations. The Australian Information Commissioner warned that the bill could damage the privacy of large numbers of people, including those not suspected of involvement in criminal activity. ExpressVPN

Insiders: Around 50% of organisations are poorly-positioned to prevent 'insider attacks', where employees either steal data or facilitate an attack on their employer. And 15% of organisations questioned in the survey by DTEX and the Ponemon Institute said no-one had ultimate responsibility for controlling workforce risks.

Satphone: Widespread reports this week suggested Apple's new iPhone 13 would work as a sat phone. We have experience with satellite technology and we're confident these reports are way off the mark. Some messaging capability might be possible, but that's as far as its satellite capability will go for the moment.

Video off: Turning off the camera during conference calls reduces fatigue, according to researchers. Not everyone agrees, as this Twitter thread demonstrates.

Updates

iPhone 12: Apple has announced a program to address sound problems affecting some iPhone 12 and 12 Pro models. The issue affects the receiver module and means the device doesn't produce any sound!

Parallels: Parallels Desktop 16 for Mac and all older versions are affected by a serious vulnerability. Parallels has released details of a workaround that most users will hate. Better to update to Parallels 17, which isn't affected. Threatpost

Chrome: Version 93 of Google's browser includes 27 fixes for security issues, several of which are rated as 'high' severity.

Brave: A new version of the privacy-focussed browser will reduce the number of websites it breaks (because of the elements in them that it blocks). If you haven't tried Brave, we suggest you give it a go - once version 1.30 is released.

Zimbra: 9.0.0 “Kepler” Patch 18 and 8.8.15 “James Prescott Joule” Patch 25 include upgrades - and Zimbra's blog also has an important security recommendation.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217