FFT news digest Sep 17 2021

Rotten

We've been producing this newsletter for 5 years and over that time we've seen a steady deterioration in the security (and reliability) of Apple products. This week saw Apple release security updates to address an exploit developed by the Israel-based spyware manufacturer, NSO Group. The issue was discovered by researchers at Citizen Lab who established that it took advantage of a flaw in Apple's module for drawing 2D graphics. It was exploited by creating weaponised PDF files and was used to attack activists in Bahrain and Saudi Arabia.

Citizen Lab revealed the issue a day before Apple's glitzy 'California Streaming' event (in which it announced new iPhones and iPads and emphasised its aggressive streaming strategy). The timing underlines the fundamental problem with much of the technology we use: in their drive to increase revenues, companies are focussed on developing new products rather than fixing the existing ones. And, since there appears to be no penalty (financial or otherwise) for pursuing such a strategy, it's hardly surprising they continue to do so.

Security vulnerabilities help to power (in the UN's words) an "unprecedented level of surveillance across the globe by state and private actors."
"The targeting of human rights defenders, journalists and politicians is just another example of how tools allegedly meant to address security risks can end up being weaponised against people with dissenting opinions," the UN High Commissioner for Human Rights, Michele Bachelet, said. "Until compliance with human rights standards can be guaranteed, governments should implement a moratorium on the sale and transfer of surveillance technology," she added. We're not holding our breath.

Court documents unsealed this week provide further insight into the reality of the surveillance business. They allege that a US company sold an exploit to the UAE government which subsequently used it to attack a number of targets, including some in the US. Among the defendants is a technologist now employed by a popular VPN provider as its chief information officer. ExpressVPN told Motherboard they knew about his previous activities when they hired him.

Threats

Most common: The most prevalent malicious software in August was an information stealer called Formbook. It can harvest credentials, take screenshots and log keystrokes (among many other things) and was distributed via COVID-19 themed campaigns and phishing emails. Check Point

Brute force: There was a 671% rise in the number of brute force and account takeover attempts in the third quarter of this year. It's ridiculously easy to launch such attacks, so it's critically important to practice "safe passwords". Abnormal Security

Hobby hackers: vpnMentor provided details of two (apparently successful) campaigns in France and Israel which masqueraded as UPS and Crédit Agricole bank. The conclusion: the attacks were the work of inexperienced hackers who simply rented the phishing tools.

Mikrotik: A 2018 compromise of Mikrotik routers is still being exploited by attackers. Mikrotik told BleepingComputer what users should do: "Unfortunately, closing the vulnerability does not immediately protect these routers. If somebody got your password in 2018, just an upgrade will not help. You must also change the password, re-check your firewall does not allow remote access to unknown parties, and look for scripts that you did not create."

Relative: North Korean attackers are using compromised social media accounts to launch spear phishing (i.e. targeted) attacks on the victim's acquaintances. Daily NK

Self-sabotage: A failure to get the basics right is often responsible for security incidents - and that's borne out by research from IBM. It says two-thirds of cloud attacks could be stopped by simply checking configurations.

Polite: Brits are too bloody polite, according to UK Finance, and that's partly why impersonation scams are so successful. It says the number of such cases more than doubled in the first half of 2021 and it has launched a campaign that urges the UK to toughen up and tell scammers to bog off!

Facebook

The Wall Street Journal has acquired what it calls "the biggest trove of documents ever leaked from Facebook" and the contents make for uncomfortable reading. Among the findings which (unfortunately) are behind a paywall:

- Bosses ignored internal warnings that changes to its algorithm were making the platform "an angrier place".
- Millions of celebrities, politicians and other high-profile users were exempted from Facebook's standards of behaviour.
- Facebook is well aware that Instagram is toxic for teenage girls, but has done nothing about it.

And separately, The New York Times reported that Facebook provided partial information to researchers investigating misinformation on the site. Facebook said a "technical error" was responsible.

Ransomware

The South African justice department is working to restore its operations after a ransomware attack encrypted its systems, making electronic services unavailable both internally and to the public. It's just the latest attack of its kind - and a survey by Dell suggests organisations are woefully unprepared to combat or recover from them. Two-thirds of respondents said they lacked confidence that they would be able to recover business critical data in the event of an attack or system failure. Barracuda has a helpful 2-page checklist which sets out some basic precautions.

Passwords

Microsoft has taken a major step towards abolishing the curse of the password with an announcement that most of its services will no longer require one. Instead, users will be able to log in using Microsoft's Authenticator app, a security key, Windows Hello, or (not recommended) with a code sent as a text message or email. The risks of passwords were amply demonstrated by an incident at the UN in which attackers broke into IT systems and stole data by using login credentials stolen from an employee. It's believed the credentials were bought from a website on the dark web. The UN says nothing of value was stolen, which is hard to believe given that the attackers had access to the systems for four months.

Out of the blue

Among its monthly security updates, Microsoft has addressed four critical vulnerabilities. That's hardly news. What's different is that the issues affect software that users won't know about because it's installed silently and is completely undocumented. The problem affects users of Microsoft's cloud 'Azure' services who are running Linux virtual machines. It was discovered by Wiz.io which said, "One of the biggest challenges in preventing [attacks] is that our digital supply chain is not transparent. If you don’t know what’s hidden in the services and products you use every day, how can you manage the risk?"

In brief

Focus: Most useful tweet of the week comes from the director of cybersecurity at the US National Security Agency. "Attackers put in the time to know the network and the devices better than the defenders. That’s how they win."

Surveillance: Chinese police are using a new anti-fraud app installed on more than 200m mobile phones to identify and question people who have viewed overseas financial news sites. FT ($)

Remote: One of the most comprehensive studies into remote working found it has damaged communication and collaboration and has threatened productivity and innovation. The research is based on more than 61,000 Microsoft employees.

Laser: A single burst of laser light shone into a room can reveal everything inside it. The keyhole imaging technique requires only a hole large enough for a laser beam, creating a single dot of light on a wall inside. Stanford University via Gizmodo

Robots: Singapore is testing autonomous robots that are designed to move among crowds to detect behaviours regarded as undesirable by the authorities. Smoking, illegal hawking, improper bicycle parking, are all on the list.

Smartphones ≠ battery life: Batteries are a huge challenge for smartphone makers and it doesn't look like they're winning. After a year of use, only 23% of iPhone owners say their phone still lasts a full day. The figure for Androids is 30%. CIRP via 9to5Mac

iPhone ≠ bike: Apple has warned iPhone owners that their devices could be damaged if they fix them to motorbikes. Bikers agree, but say the damage is worse than Apple describes. The Register

Updates

Apple: We usually wait a short while before installing updates for iPhones and MacBooks. We didn't delay with the latest versions (for the reasons above) - and, so far, haven't found any problems.

Microsoft: September's monthly release includes fixes for no fewer than 86 issues, 26 of them related to the Edge browser. Two were previously unknown ("zero-days") and one of those is being widely exploited. The updates include a fix for the longstanding PrintNightmare problem. Unfortunately, administrators are reporting that it breaks network printing.

Chrome: Yet more high-severity issues are addressed in Google's latest update for its browser. Definitely install this update. Now! Chrome has 2.65 billion users. Of course, attackers are focussing on it.

Adobe: Security updates for 59 issues affecting its core products, including Acrobat Reader, XMP Toolkit SDK and Photoshop.

WordPress: Version 5.8.1 is a security and maintenance release that fixes 60 bugs and several vulnerabilities.

SAP: September patch day includes 17 new and two updated security notes, seven of which address critical vulnerabilities.

Drupal: Updates for Drupal 8.9, 9.1 and 9.2 address five vulnerabilities that can be exploited for cross-site request forgery (CSRF) and access bypass.


Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217