FFT news digest Sep 24 2021

Facebook

Facebook has had some bad weeks, but the past one definitely counts among the worst. In a furious tweet, Senator Richard Blumenthal announced an investigation, saying "Facebook has been blatantly deceptive & misled Congress about the heinously destructive impact of its platforms on teens. I expect Facebook & Instagram to appear before my Subcommittee next week—it’s time for them to come clean about what they’re doing to our kids."

The Senate investigation follows a series of reports in The Wall Street Journal that were based on leaked Facebook documents. The paper concludes ($), "Facebook Inc. knows, in acute detail, that its platforms are riddled with flaws that cause harm, often in ways only the company fully understands. Time and again, the documents show, Facebook’s researchers have identified the platform’s ill effects. Time and again, despite congressional hearings, its own pledges and numerous media exposés, the company didn’t fix them."

Facebook's reaction to the stories has not helped its cause. PR head (and former UK Deputy Prime Minister) Nick Clegg blogged, "At the heart of this series is an allegation that is just plain false: that Facebook conducts research and then systematically and willfully ignores it if the findings are inconvenient for the company." It has also emerged that last month Mark Zuckerberg approved an experiment to rebalance the coverage by using the Facebook News Feed to show people positive stories about the social network. The development was revealed by The New York Times, which said several executives were shocked by the decision.

Threats

Finance: Banks have improved fraud detection systems, so criminals have stepped up their use of fake websites and emails to trick consumers into authorising payments to them. UK Finance says fraud has reached a level that's a national security threat.

LinkedIn: Hackers are using shortened web addresses (URLs) to hide phishing links. LinkedIn doesn't appear able or inclined to control the problem, so it's up to us to look out for them. Avanan

Romance: You might not fall for a romance scam, but plenty of people do and, in the US, they've already lost $133 million this year. FBI

Travel: Since January, there has been a four-fold increase in the number of travel-related phishing web addresses as criminals try to exploit the relaxing of restrictions. Unit 42

Unattended: It's good practice not to leave your phone unattended - if possible. Security firm, ZecOps, illustrates why, saying it spotted an attack this week that targets the most basic code on an iPhone.

Remote control: Be suspicious if you see a webpage telling you a "Security Certificate is out of date." The page comes with a friendly blue button encouraging the user to update. Clicking on it installs remote control software. Malwarebytes

Exchange: Multiple attackers, including a ransomware gang, are exploiting vulnerabilities in Microsoft email servers. The issues were addressed in March but many systems haven't been updated. Kevin Beaumont has advice.

Ransomware

More warnings about ransomware, with US security agencies issuing an alert about Conti, a variant that has already been used in more than 400 attacks on US and international organisations. Three federal agencies urged administrators to review their IT infrastructure and take immediate precautions. Basic mitigations include "requiring multi-factor authentication, implementing network segmentation, and keeping operating systems and software up to date." Conti is a 'Ransomware-as-a-Service' operation believed to be controlled by a Russia-based cybercrime group. Attackers can rent the toolkit, which typically enables them to steal files, encrypt servers and workstations, and demand a ransom payment.

French ministers hacked

Traces of Pegasus spyware were found on the phones of five French cabinet ministers, according to analysis by France's security agencies reported by the Mediapart news site. The ministers’ phone numbers were among more than 50,000 on a list that formed the basis of a media investigation into potential misuse of the spyware. Pegasus is manufactured by an Israeli-based company which insists it only sells the software to governments for use in fighting crime and terrorism. There is widespread scepticism about its claims, and researchers at the University of Toronto have demonstrated numerous instances in which Pegasus has been used against journalists and government opponents in multiple countries.

Chinese phones

Lithuania has told owners of Huawei and Xiaomi smartphones to throw them away after government research identified built-in censorship capabilities. The National Cyber Security Centre said popular Xiaomi models could detect and censor terms such as "Free Tibet", "Long live Taiwan independence" and "democracy movement". The feature is turned off for the EU region, but could be activated at any time. The report said the phone was sending encrypted phone usage data to a server in Singapore. A security flaw was also found in Huawei's P40 5G phone, but none was found in the OnePlus 8T model.

Big business/Organised crime

Police in Europe have arrested 106 people with connections to Italian Mafia organisations that have been employing hackers as part of their cyber crime ventures. Europol said "the suspects defrauded hundreds of victims through phishing attacks and other types of online fraud such as SIM swapping and business email compromise." Some reports have characterised this as a new development, but much online crime is highly organised, and it would be extraordinary if the Mafia had failed to get involved in such a profitable type of crime. This week, Microsoft uncovered a massive operation providing phishing kits, email templates, hosting and other tools to cybercrime gangs. 

In brief

Autodiscover: There's a nasty flaw in Microsoft's email configuration tool, according to Guardicore. The details are complicated, but it means that credentials could be leaked when it's used. There's no fix and mitigation is complex. Ars Technica has a good write-up.

Credit scores: Preliminary research from the International Monetary Fund says credit checks are likely to be expanded to include applicants' digital footprint, such as browsing history and online shopping behaviour.

Stalkerware: Real-time screenshots of phones are being leaked online because of a security failure at stalkerware company, pcTattleTale. Its product is marketed as a way to monitor partners without their consent. Motherboard

Passwords: Latest crap password news: more than 1 in 3 people have tried to guess someone else's password, and 73% of them succeeded. Beyond Identity

Pirates: Some Virgin Media subscribers in the UK are being told to pay “thousands of pounds” to settle accusations that they illegally downloaded the movie 'Ava'. As TorrentFreak explains, many of them may be immune from being sued.

Autism: Apple is reported to be researching ways to use iPhone camera data to detect childhood autism and mental illness. The Wall Street Journal says ($) facial expressions and typing metrics are among the data to be studied.

Messaging apps: Mozilla's privacy research project has criticised three of the most popular video calling apps. 'Privacy Not Included' says Facebook Messenger, WeChat and Houseparty "collect significant amounts of personal information and data, share it with "shady data brokers" and use poor encryption, among a host of other issues."

Support: There are some great resources on the web. Among them is the Global Cyber Alliance's small business toolkit. (Disclosure: we're on one of their advisory panels.)

Facial: New research suggests some simple make-up may be able to defeat facial recognition systems. Apparently, the secret is 'contouring' - though the technique was only tested against the ArcFace system. 

Updates

Apple: iOS 15 and iPadOS 15 are the latest major updates for iPhones and iPads, and users have already uncovered problems with them. Twitter has been filled with complaints that devices are reporting "iPhone Storage Almost Full" after installing the new version. There's no need to take the update at the moment because Apple has said it will keep issuing security updates for iOS 14. Apple has also released security updates for older versions of iOS and macOS. These are important because they address a previously unknown ('zero-day') vulnerability.

iMovie: Apple has updated iMovie and Clips with support for ProRes videos, ProRAW images, Cinematic Mode, and more.

Outlook: If you're having problems adding a Gmail account to Outlook, you're not alone. The issue seems to be related to the use of security keys as a second authentication factor.

Netgear: Update for a range of small office and domestic routers that have a high-severity vulnerability in their Circle parental control service.

VMware: An update addresses a serious vulnerability in VMware vCenter servers. Attackers are already scanning for internet-connected devices that haven't been updated.

Chrome: Another week, another update for Google's browser. Version 94.0.4606.54 for Windows, Mac, and Linux addresses vulnerabilities that an attacker could exploit to take control of an affected system. It also includes a controversial capability that detects when a user isn't doing anything with their device. This has been criticised because of potential privacy issues. It's turned on by default, but you can turn it off by going to chrome://settings/content/idleDetection

Cisco: Updates to address a series of critical vulnerabilities in IOS XE software that could be exploited to execute arbitrary code remotely, cause denial of service, or manipulate device configuration.

SonicWall: Update for a critical security issue affecting several Secure Mobile Access (SMA) 100 series products. The vulnerability could be used by unauthenticated attackers to gain remote administrator access.

Hikvision: Updates address a glaring security vulnerability in most of its recent camera products, which means they can be accessed remotely without the need for credentials.
