FFT news digest Oct 29 2021

Meta problem

Facebook has a big problem heading down the line. Not the lawsuit that has been laid at Mark Zuckerberg's door. Not the failure of its platforms to attract teenagers. Not even its role in polarising Western society and spreading false information which, despite its denials, internal leaks suggest it knows has been happening. The real challenge is its role in the developing world, where in some countries its Free Basics service is the web. The issue is that it is simply not equipped to control what is posted on its platforms in many of those territories. Reuters reports that Facebook employees have warned for years that it has been "failing to police abusive content in countries where such speech was likely to cause the most harm." Internal company documents demonstrate a failure to recruit enough workers with the language skills and knowledge of local events needed to identify objectionable posts.

It's hard to see how changing the company's name to Meta is going to help address that.
Indeed, the thrust of the announcement (as so often with the technology industry) wasn't focussed on fixing what's broken, but on the next big thing. "I know that some people will say that this isn't a time to focus on the future, but...we live for what we're building, and while we make mistakes, we keep learning and building and moving forward," Zuckerberg said. What he's proposing to build is an artificial environment dubbed the metaverse - and some frankly odd concept videos showed elements of what this might comprise, including sending a holographic image of yourself to a concert, sitting around virtual meeting tables with colleagues or playing immersive games with friends. We were struck by Motherboard's take, "[Zuckerberg] is pitching products that don't exist for a reality that does not exist in a desperate attempt to change the narrative as it exists in reality, where we all actually live."

Threats

QR codes: Scammers are emailing unsolicited QR codes to try to steal Microsoft users' passwords. The codes offer access to a voicemail. Abnormal

Subscription fraud: Another campaign leveraging Android apps has been uncovered. This one signs victims up to eye-wateringly expensive premium SMS services. Avast

Fake jobs: The US Secret Service warns of a “marked increase” in fake job ads that are designed to steal personal data. Nextgov

Frankenstein: The doctor would be proud of this phishing kit, which Microsoft says is built from bits of code copied from the work of other hackers. 'TodayZoo' is sending emails with links to a fake Microsoft 365 login page.

Squirrelwaffle: Stupid name for dangerous malicious software that masquerades as DocuSign emails. It's designed to install tools to enable ransomware attacks. Cisco Talos

Hacked

Pegasus spyware was used repeatedly to hack The New York Times' Beirut bureau chief, according to Citizen Lab. When the infections took place, Ben Hubbard was reporting on Saudi Arabia and writing a book about the country's de facto ruler, Mohammed bin Salman, Citizen Lab said. Two years before these infections, Hubbard had complained to the NSO Group, which makes Pegasus, about an attempt to compromise his phone. NSO has denied the accusations, although Citizen Lab is confident that Pegasus was responsible. Hubbard is taking no chances. "I reboot my phone often, which can kick out (but not keep off) some spy programs. And, when possible, I resort to one of the few non-hackable options we still have: I leave my phone behind and meet people face to face," he wrote.

WiFi risks

What do you call your WiFi network - and what's your password? In Israel, it's common for people to use their cellphone number as their WiFi password. That gave a researcher in Tel Aviv the idea of finding out how many WiFi networks were vulnerable to attack. The somewhat worrying answer was 70% of the 5,000 networks he sampled. Without delving into the technical detail, the lessons from Ido Hoorvitch's experiment are: use WPA3 security - it's not perfect but it's a lot better than its predecessors; use a complex, long passphrase which isn't a dictionary word and a number; change any default passwords; and keep your WiFi router up to date.

Ransomware

The latest evolution in the ransomware world involves offering to sell access to the networks of victims which refuse to pay up, according to veteran cybersecurity reporter, Brian Krebs. The Conti ransomware group operates an affiliate program which allows its technology to be used by third parties in return for a share of any ransom. The apparent change in its business plan comes after a group of countries led by the US forced the REvil ransomware group offline. This didn't go down well with Conti, which denounced the move as “unilateral, extraterritorial, and bandit-mugging behavior of the United States in world affairs.” You couldn't make it up.

Internet Service Providers

The US Federal Trade Commission says the country's main ISPs routinely collect vast amounts of user information, and some sell it despite promising they won't. "They allow [the information] to be used, transferred, and monetized by others and hide disclosures about such practices in fine print of their privacy policies,” the FTC said. It also found that many ISPs purported to offer consumers choices, but that these were often illusory. And the FTC highlights the range of information available to ISPs which it says is wider-ranging than what's typically collected by the major technology platforms.

In brief

Tracked: Huq is a data broker that gathers detailed location information from apps installed on people’s phones. It turns out that it has been receiving GPS coordinates even if people had explicitly opted-out of such collection. Motherboard

Bluetooth: It's good practice to disable Bluetooth when it's not being used, but researchers say that doesn't mean it has been turned off completely. The finding is part of research into how Bluetooth can be used to track users.

Spying: BP hired former MI6 agents to spy on a peaceful climate activist, according to an investigation by The Times and Open Democracy. Among the information gathered was a CCTV image from a London railway station.

Russia: Filtering technology now covers 100% of mobile internet traffic and 73% of broadband traffic, according to The New York Times. It says "deep packet inspection" is being used to gain more leverage over Western internet companies.

Protocol: The encrypted email provider has welcomed a legal ruling in Switzerland that exempts it from the data retention rules imposed on telco providers.

COVID-19: The private key used to sign EU Digital Covid certificates is reported to have been stolen and is appearing on messaging apps and online forums. The key is said to have been used to generate forged certificates, with names including Adolf Hitler, Mickey Mouse, and Sponge Bob. Bleeping Computer

Vexed fridge: The owner of a smart fridge says it emailed him to tell him off for opening the door too many times. But it did congratulate him on his water consumption.

Updates

iOS: More updates for iPhones and iPads. 14.8.1 is important because it addresses security issues. 15.1 also fixes security vulnerabilities but also includes several new features and fixes some irritating bugs.

Monterey: Apple's brand new macOS was released this week. In this case, 'brand-new' translates into a relatively minor update to the previous version, Big Sur. Ars Technica has a comprehensive review, including which machines are compatible.

Catalina: Security update addresses issue that is being actively exploited.

Chrome: Version 95.0.4638.69 for Windows, Mac, and Linux addresses two previously unknown vulnerabilities that attackers have actively exploited.

Adobe: Just a fortnight after its last set of security updates, 92 new ones have emerged. Affected products include Adobe's most popular apps.

Defender: Microsoft's enterprise version of Defender antivirus now includes live response capabilities for macOS and Linux.

Cisco: Updates to address multiple vulnerabilities affecting Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC) software.

BQE Web Suite: A serious security issue has been addressed, but others are reported to remain. Huntress

JavaScript: The very widely-used UAParser.js library was infected with malicious code that installed a password stealer and cryptocurrency miner. Patched versions are 0.7.30, 0.8.1, 1.0.1.
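
The version check implied by the UAParser.js item above, as an added example that is not part of the digest or the library's own code: it walks a parsed package-lock.json and compares every installed copy, including ones nested under other packages, with the patched release the digest lists for its release line. The npm package name `ua-parser-js` and the sample lockfile (with the hypothetical packages `some-ui-kit` and `legacy-lib`) are assumptions.

```javascript
// Added example. Patched versions are the ones listed in the digest item above.
const PATCHED = ["0.7.30", "0.8.1", "1.0.1"];
const PACKAGE = "ua-parser-js"; // assumption: npm name of UAParser.js

const parse = (v) => v.split(".").map((n) => parseInt(n, 10));
const line = (v) => parse(v).slice(0, 2).join("."); // release line, e.g. "0.7"

// Compare a version with the patched release of its own major.minor line.
// "below-patched" means older than the listed fix, not proof of infection.
function classify(version) {
  const fix = PATCHED.find((p) => line(p) === line(version));
  if (!fix) return "no-patched-release-listed";
  return parse(version)[2] >= parse(fix)[2] ? "patched" : "below-patched";
}

// Collect every copy of the package from a parsed package-lock.json.
// Uses the flat "packages" map (lockfile v2/v3) when present, otherwise
// recurses through the nested "dependencies" tree (lockfile v1).
function findInstalls(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PACKAGE)) hits.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === PACKAGE) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

function audit(lock) {
  return findInstalls(lock).map((h) => ({ ...h, status: classify(h.version) }));
}

// Constructed sample lockfile: one direct copy and two transitive copies.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/ua-parser-js": { version: "0.7.30" },
    "node_modules/some-ui-kit/node_modules/ua-parser-js": { version: "1.0.0" },
    "node_modules/legacy-lib/node_modules/ua-parser-js": { version: "0.8.0" },
  },
};

console.log(audit(SAMPLE_LOCK));
```

Transitive copies matter here because a widely used library is usually pulled in by other packages rather than installed directly, so checking only the top-level `package.json` would miss them.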
