FFT news digest Oct 15 2021

Circling the wagons

The US, the EU and 30 countries have agreed to work together to fight ransomware, which they described as "an escalating global security threat with serious economic and security consequences." The statement came at the end of a two-day virtual meeting convened by the Biden administration. It committed the participants to work to improve "network resilience" to mitigate the impact of attacks, and to make it harder to abuse financial mechanisms to launder ransom payments. International cooperation is obviously essential in any substantive fight against ransomware, but Russia and China were among the notable absentees - because they weren't invited. Without their involvement, it's hard to see how any initiative can be effective.

As if to emphasise the point, the head of the UK's National Cyber Security Centre told a conference this week that ransomware "presents the most immediate danger" to the country.
"Cyber criminals based in Russia and neighbouring countries are responsible for most of the devastating ransomware attacks against UK targets," Lindy Cameron told the Cyber 2021 conference in London. She also pointed out that many - if not most - high profile incidents can be prevented by taking basic precautions. It's true that it's hard, if not impossible, to prevent an attack by a determined nation state, but most ransomware gangs exploit fundamental security failings that are relatively simple to fix. We suggest beginning with the UK's basic Cyber Essentials certification.

The basics were also at the heart of a warning from the US government about "ongoing threats" to the country's water and wastewater systems, which it said had been breached multiple times over the last two years in ransomware attacks. A joint advisory says the attacks threaten the ability to provide potable water and process wastewater, and points to a series of incidents including an attempt to poison a water supply in Kansas. The advisory urges facilities to take basic precautions including: not clicking on suspicious links; securing and monitoring Remote Desktop Protocol; updating software; and implementing strong passwords and multi-factor authentication.

Threats

Phishing: October is cybersecurity awareness month (which we try to ignore because we reckon it promotes the idea of thinking about security for a while and then forgetting it for the rest of the year). But the US National Institute of Standards and Technology has some useful reminders about phishing. In short, any one of us can be used as a way into an organisation or as the means of scamming it, so we're all potential targets. A report from Avanan emphasises the point.

Microsoft Defender: A new voice phishing (vishing) scam is using fake Microsoft Defender invoices to try to take control of computers. Armorblox

Brute force: A previously unknown group linked to Iran has been running an extensive password-spraying campaign against enterprise Office 365 implementations. Password spraying involves trying a handful of common passwords against a large number of accounts, rather than many passwords against one account, so each account sees only a failure or two and lockout thresholds are never reached. It's an excellent reason to avoid simple passwords and to stop reusing the same one across accounts. Microsoft
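Because spraying spreads failures thinly across many accounts, per-account lockout counters miss it; the signal is one source failing against many distinct accounts in a short window. The detector below is an added example written for this digest, not code from Microsoft's report. It runs over a few constructed log lines (the timestamps, IP addresses and account names are made up) and separates spraying from classic brute force by counting distinct accounts per source; the thresholds are illustrative assumptions and should be tuned to your own authentication volume.

```python
"""Separate password spraying from brute force in authentication logs.

Spraying: one source, many distinct accounts, one or two failures each.
Brute force: one source, one account, many failures.
Successes from a spraying source are the accounts to investigate first.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real system):
# <ISO-8601 time> <source IP> <account> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2021-10-12T09:00:01Z 203.0.113.7 alice@example.com FAIL
2021-10-12T09:00:03Z 203.0.113.7 bob@example.com FAIL
2021-10-12T09:00:04Z 203.0.113.7 carol@example.com FAIL
2021-10-12T09:00:06Z 203.0.113.7 dave@example.com FAIL
2021-10-12T09:00:07Z 203.0.113.7 erin@example.com FAIL
2021-10-12T09:00:09Z 203.0.113.7 frank@example.com SUCCESS
2021-10-12T09:01:00Z 198.51.100.9 alice@example.com FAIL
2021-10-12T09:01:02Z 198.51.100.9 alice@example.com FAIL
2021-10-12T09:01:04Z 198.51.100.9 alice@example.com FAIL
2021-10-12T09:01:06Z 198.51.100.9 alice@example.com FAIL
2021-10-12T09:01:08Z 198.51.100.9 alice@example.com FAIL
2021-10-12T09:02:00Z 192.0.2.5 grace@example.com FAIL
2021-10-12T09:02:30Z 192.0.2.5 grace@example.com SUCCESS
"""


def parse_log(text):
    """Return a list of (time, source, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, outcome))
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     min_accounts=5, max_per_account=2, min_attempts=5):
    """Label each source as 'password_spray' or 'brute_force' (or nothing).

    Thresholds are illustrative assumptions:
      spray       -> >= min_accounts distinct accounts, <= max_per_account
                     failures each, all inside `window`
      brute_force -> a single account with >= min_attempts failures in `window`
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[3] == "FAIL"]
        successes = sorted({e[2] for e in evs if e[3] == "SUCCESS"})
        # Slide a window starting at each failure and look at what follows it.
        for i, start in enumerate(fails):
            in_win = [e for e in fails[i:] if e[0] - start[0] <= window]
            per_user = Counter(e[2] for e in in_win)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings[src] = {"pattern": "password_spray",
                                 "accounts": sorted(per_user),
                                 "successes": successes}
                break
            if len(per_user) == 1 and sum(per_user.values()) >= min_attempts:
                findings[src] = {"pattern": "brute_force",
                                 "accounts": sorted(per_user),
                                 "successes": successes}
                break
    return findings


if __name__ == "__main__":
    for src, f in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, f["pattern"], "accounts:", len(f["accounts"]), "successes:", f["successes"])
```

Run against the sample, 203.0.113.7 is flagged as spraying with a subsequent success for frank@example.com (the account to check for a weak or reused password), 198.51.100.9 as brute force against alice, and 192.0.2.5 (one typo followed by a login) is left alone. In production the same logic applies to Azure AD sign-in logs or on-premises event 4625 records; the source key would usually be broadened to an ASN or client fingerprint, since sprayers rotate IP addresses.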

Snap ransom: A new group has come up with a novel approach to the ransomware game. It does away with the bother of encrypting files and instead demands money in return for not publishing the information. NCC Group

Dating apps: Users of Tinder, Bumble, Grindr, Facebook Dating and the like lost $1.4 million in cryptocurrency after they were persuaded to install fake trading apps. Apple has yet to explain how the scammers were able to exploit its Developer Enterprise program. Sophos

TikTok: Malwarebytes warns about the growing use of TikTok to scam users by offering what appear to be free games and keys. As usual, the posts look too good to be true and they are.

Lantenna: This week's exotic one. A new way to steal data uses Ethernet cables as a "transmitting antenna." The technique is a particular threat to 'air-gapped' networks that have no connection to the outside world. Ben-Gurion University of the Negev

Fake news

An extraordinary report by Ars Technica reveals the story of the "mastermind behind one of the largest fake news operations in the US" which aimed to sway the 2016 election in Donald Trump's favour. Robert Willis is a long-term hacker with a wide range of skills who was hired by a company to create a secret network of websites and Facebook groups that spread bogus stories, conspiracy theories, and propaganda. The Facebook pages reached some 3 million people per week, and Willis developed a system to release articles at times when they would have the maximum psychological impact. Willis downplays Russia's role in the 2016 election and says the company that hired him was motivated at least in part by money. But despite a wealth of fascinating details, the key element missing from the story is the identity of the people behind the company.

Defeating multi-factor

Multi-factor authentication adds a valuable layer of protection to online accounts, but it's not impermeable and attackers are investing substantial efforts in trying to defeat it. Veteran cybersecurity journalist, Brian Krebs, unpicks a phishing campaign that targeted Coinbase (the world's second largest cryptocurrency exchange). A key element was the acquisition of the authentication code generated by an app on the user's smartphone. In order to harvest the code, the criminals had an operations room in which an alert would sound whenever someone fell for the original phishing email. This would enable them to record the code in real time so that it could be used as part of their complex scam. Longstanding advice not to click on links to do anything important is particularly important here, because that's how the criminals began the process.
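The reason a code harvested "in real time" still works is that an authenticator app's one-time code is derived only from a shared secret and the current 30-second time step (RFC 6238); nothing in it says which site the user thought they were logging into, so a code typed into a phishing page and relayed straight away is accepted by the real service. The script below is an added example written for this digest, not code from Brian Krebs' report or from Coinbase. It implements TOTP, checks itself against the RFC's published test vectors, and then models the relay: the shared secret, capture time and delays are assumptions chosen to make the arithmetic visible.

```python
"""Why a one-time code captured in real time still works.

TOTP (RFC 6238) = HOTP (RFC 4226) with the counter set to the current
30-second time step. A verifier normally accepts a step either side to
tolerate clock drift, so a code relayed within seconds is valid; the same
code a few minutes later is not.
"""
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step
DIGITS = 6
SKEW = 1       # time steps of drift the verifier tolerates on each side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: the counter is the number of whole steps since the epoch."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, unix_time: int,
           step: int = STEP, skew: int = SKEW) -> bool:
    """Accept the code if it matches the current step or one within `skew`."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


# Shared secret from the RFC 6238 reference vectors (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"


def relay_scenario(secret: bytes = SECRET, capture_time: int = 59,
                   relay_delay: int = 3, late_delay: int = 300) -> dict:
    """Model the phishing relay.

    The victim types the code into the fake page at `capture_time`; the
    operator's alert fires and the code is replayed to the real site
    `relay_delay` seconds later. For contrast, the same code is tried again
    after `late_delay` seconds. Times are assumed values for illustration.
    """
    code = totp(secret, capture_time)
    return {
        "code": code,
        "accepted_immediately": verify(secret, code, capture_time + relay_delay),
        "accepted_late": verify(secret, code, capture_time + late_delay),
    }


if __name__ == "__main__":
    print(relay_scenario())
```

The immediate relay is accepted and the stale one rejected, which is exactly why the criminals needed an alert and a human in the loop rather than a batch of harvested codes. The caveat a practitioner will want: shortening the skew or the step does not help much, because the relay takes seconds. What does help is an authenticator that binds the response to the site's origin (a FIDO2/WebAuthn security key or platform passkey), so a code produced on the phishing page is useless on the real one.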

What Android knows

We like Androids, but new research by UK academics has revealed some pretty serious privacy issues in Android smartphones. After studying Samsung, Xiaomi, Huawei and Realme devices, the researchers concluded that, "even when minimally configured and the handset is idle these vendor-customized Android variants transmit substantial amounts of information to the OS developer and also to third parties (Google, Microsoft, LinkedIn, Facebook, etc.) that have pre-installed system apps." Almost all of the data ends up in Google's lap, and there's no way to opt out. In a response to Bleeping Computer, Google said, "this is how modern smartphones work." Indeed.

Google ups the security ante

Credit where it's due. Google invests enormous sums in security both for its own systems and for those of its users (even if it isn't always successful). Its latest initiative involves the creation of a new security programme and a dedicated cybersecurity advisory unit that aims to support organisations with their security strategy and operations. Google says the team’s vision is to “guide customers through the cycle of security transformation”, beginning with transformation roadmaps and implementation, and developing new solutions as they're needed. Of course, this is all very much in Google's interests as it seeks to grow its cloud business, but the range of services they're offering is impressive and well worth looking at if you're a Google enterprise customer. 

In brief

Growth vs security: Many small and medium-sized businesses in the UK would prioritise growth over protecting customer data, according to a survey by Defense.com. It says almost 24% spend nothing on cybersecurity and 25% invest less than $1,300 a year. The research found many believed they're too small to be a target. This is unfortunate given that research keeps on identifying higher risks for this sector as a result of remote working.

Pegasus: The Guardian reports that Pegasus spyware is no longer able to target British mobile phone numbers. The report follows last week's revelation that Dubai's ruler had used Pegasus spyware against his estranged wife and her legal and security team. Of course this doesn't mean it won't be used against contacts of users with British numbers.

UAE: FaceTime calls have started working in the UAE after being blocked since the service launched in 2010. There hasn't been an official announcement and it's not the first time similar services have begun working, only to disappear a few days later. AP

Testing: There are great resources on the web to help identify security issues. One we were told about this week is internet.nl, which will test email, website and connection settings for common failings. It's not foolproof, and results can be cross-checked with Qualys SSL Labs.

iPhone satellite: A new modem in the iPhone 13 will support satellite text messages. Earlier reports of satellite voice calls proved groundless (as expected), but support for communication with Low Earth Orbit satellites will provide a valuable differentiator for Apple. Bloomberg

US internet: Remarkably, almost 1 in 4 households in the US don't have internet access. And reviews.org found 265,000 homes still using dial-up connections.

Flight school: Another insider horror story. This time from a flying school in Florida, where a disgruntled ex-employee allegedly accessed systems and tampered with records so that planes with maintenance issues were cleared to fly. Motherboard

Updates

iOS: Yet another update for the latest version of software that runs iPhones and iPads. iOS 15.0.2 addresses two serious security flaws that were identified by a researcher. He's unhappy because two other issues he found haven't been fixed...and because Apple failed to credit him for the discovery. This is far from the first time Apple hasn't given credit (financial and otherwise) where it's due, and there is a real risk that (even more) issues will be sold on the open market instead of being reported responsibly.

iPhone 12: Another episode in Apple's crap hardware saga, this time affecting the iPhone 12. Apple has confirmed some devices may have a manufacturing defect that means they won't produce any sound when making or receiving calls. Free repairs are being offered, but if for example the screen is cracked, that will have to be fixed and paid for before anything else is done.

Microsoft: The monthly set of updates addresses 81 issues. Four of them are zero-days (ie they were publicly known or exploited before a fix was available) and three are classified as 'critical'.

Windows 11: More issues for Microsoft's latest operating system. Bleeping Computer details 8 issues, including the Start Menu refusing to open and memory management problems. Brother has also confirmed that some of its printers aren't detected when connected via USB.

Zoom: Some Mac users have been reporting that virtual backgrounds won't load with the latest versions (5.8.0 and 5.8.1). Deleting the app and reverting to an earlier version may help.

Adobe: Updates for several products, including Acrobat, Reader and Connect.

SAP: 13 security updates, three rated 'Hot News' which affect Environmental Compliance, NetWeaver AS ABAP and the Chromium browser in Business Client.

WordPress: Version 2.3.17 of the popular Brizy Page Builder plugin addresses vulnerabilities that could be used to take complete control of a website.
