FFT news digest February 18 2022

Unauthenticated

Last year saw the largest number of vulnerabilities in IT software and systems on record, according to Risk Based Security. This has created an unworkable situation in which "there are too many vulnerabilities for organisations to remediate...and they are being disclosed too quickly for organisations and security teams to keep up," its report says. Vulnerabilities are defined as weaknesses in information systems, procedures, controls or implementation that could be exploited. There were 28,695 of them last year but, more tellingly, Risk Based Security says there were 287 in a single day.

Some of these issues are identified by researchers who report them to the manufacturer so they can be addressed, but many are bought and sold on the grey market. After all, the prospect of earning millions of dollars is awfully tempting when responsible disclosure will earn less than $200,000. Just for context, Washington DC-based Zerodium says it will pay up to $2.5 million for a chain of vulnerabilities that can be used to break into an Android device without the user doing anything. Last year, the maximum reward paid by Google for an Android vulnerability was $157,000. Clearly, this is an equation that is unlikely to have a happy outcome.

Industry experts drone on about the need for organisations to patch their systems quickly, to make sure their staff don't do stupid things, to adopt multi-factor authentication. We don't disagree, but we would respectfully point out that when 287 vulnerabilities are announced in a single day, there may be a fundamental issue to address. Some of the reasons for vulnerabilities are clear, not least that most software is built on decades of previous work. But there's also a constant drive to add yet more features before fixing existing problems. There's no easy answer, but the current situation creates an unacceptable and insuperable level of risk for organisations and individuals.

Threats

LinkedIn: The number of emails impersonating LinkedIn has increased by 232% since the start of the month, according to Egress. The aim is to lure victims to fake websites and persuade them to enter their login credentials.

Teams: Scumbags are planting booby-trapped documents in chat threads. Not surprising, given that the number of daily active users on Teams shot up from 145 million to 250 million last year. Avanan

NFT: Criminals are exploiting the interest in non-fungible tokens to trick people into downloading malicious software that can hijack their PCs, and steal usernames and passwords. Fortinet

QR: Those square barcodes can be dangerous - but some security people had a bad case of the vapours when one was used in a Super Bowl commercial. We would definitely advise against scanning a random QR code on a lamppost. One that appears in an advert that cost millions of dollars, not so much.

Track & Trace: Cornwall residents are being warned about fake alerts telling them they've been in close contact with someone who has tested positive for COVID-19.

Framed: Attackers "aligned with the Indian state" have been compromising the devices of civil rights activists and planting "incriminating evidence" on them. Unfortunately, this tactic is neither new nor uncommon. SentinelLabs

Virtual meetings: An FBI alert warns that criminals are exploiting online meetings to persuade employees to transfer funds to them. There are three scenarios: pretending to be a senior executive by using a still photo in a meeting; accessing a meeting to learn about how the business works; and pretending an executive can't transfer funds because they're in a meeting!

Transcription

You take all reasonable precautions to protect a source, including using an end-to-end encrypted messaging app. You use Otter.ai to transcribe the resulting interview. The next day an email arrives from Otter asking you to explain "the purpose of this particular recording." That's what happened to a Politico journalist who was talking to a Uighur activist living in the US. Not surprisingly, he was alarmed and tried to find out what was going on. The result is a long article and no smoking gun - but it does underline the importance of considering every link in the security chain surrounding sensitive work.

ICRC hack

The International Committee of the Red Cross says an unpatched vulnerability in an authentication platform was exploited to access its network and steal the details of more than half a million "vulnerable" people. The issue was in Zoho's ManageEngine ADSelfService Plus, a password management and single sign-on (SSO) solution. The ICRC said the attackers (thought to be linked to Iran) were able to bypass authentication, compromise its servers, move across its network and compromise administrator credentials. Meanwhile, Sophos has a useful report on how an earlier attack against a Microsoft Exchange email server continued to be exploited long after the vulnerability responsible for it was fixed.

Facial recognition

Despite the US tax service deciding against using facial recognition, it's being adopted assiduously elsewhere. Amongst this week's news, New York City's mayor said use of facial recognition would be expanded to "identify problems, follow up on leads, and collect evidence." Meanwhile, one of the leading facial recognition companies, Clearview.ai, told Motherboard that companies like Airbnb, Lyft, and Uber had all "expressed interest" in using its technology for identity verification. The companies promptly denied they'd ever considered such a thing. Clearview extracts faceprints from pictures posted online and these are widely used by police in the US to identify suspects.

Surveillance

And in other surveillance news...two US senators wrote to the Director of National Intelligence to ask about a secret database containing information about US citizens. The programme, known as Deep Dive II, has been “secretly conducted” and is done "outside the statutory framework that Congress and the public believe govern this collection, and without...judicial, congressional, or even executive branch oversight," they said. The CIA replied with a deadpan statement that neither denied nor confirmed anything, “CIA is committed to transparency consistent with our obligation to protect intelligence sources and methods.” Meanwhile, in San Francisco, the district attorney has accused police of checking the stored DNA of sexual assault victims to see whether they have committed a crime.

In brief

Depixelated: We've written before (twice) about the risks of pixelating text and images because researchers have demonstrated how to reverse it. Now, one of them has produced an open-source tool that streamlines the process.

Spyware broker: A court in San Diego has provided some interesting details about how the spyware industry really works. A 48-year-old businessman pleaded guilty to an 8-year career selling a range of tools to government, corporate and private customers. ZDNet TechCrunch

Cheats: Remote ('proctored') testing is getting sneaky. One US service, Honorlock, is using fake answer sites to catch students who try to cheat, even if they access it with a separate device (which can be identified by analysing IP addresses). The Verge

Old laptops: It's long been possible to breathe new life into old hardware by installing a lightweight operating system. Google's solution for this is called CloudReady. It's now released a new version called Chrome OS Flex which is only available as a development version, but which looks promising.

Metamates: Widespread ridicule greeted new corporate values for the behemoth previously known as Facebook. "Meta, Metamates, Me" is apparently a reference to a naval expression (Ship, Shipmates, Self) which is used by Instagram and, frankly, sounds better. Meanwhile, Cory Doctorow looks back at MySpace and finds parallels between its dying days and the current state of Meta.

Okta: The Chief Marketing Officer has left the identity management company, the latest in a wave of senior departures. Okta says it's evolving and new leaders have been brought in "to carry forward its vision." Bloomberg

Dymo: You make desktop label printers which use heat not ink, so how do you increase your profits? You add digital rights management to the labels, of course. They cost up to $15 a roll, compared to less than $5 for non-branded alternatives. EFF

Oops: A father in France decided to stop his kids going online at night. Unfortunately, to do so, he used a signal jammer which took a nearby town offline as well. He now faces a sizeable fine and a possible jail sentence. The ANFR's lengthy report has interesting details on signal jamming.

Updates

macOS: Important updates for Big Sur and Catalina following last week's Monterey release.

Chrome: Another week, another urgent security fix for Google's browser. Google hasn't provided much information about what it addresses, but it does say it's already being exploited.

Adobe: Emergency update for Adobe Commerce and Magento Open Source to address issues that are rated 'critical'.

Zoom: New version of Mac app fixes an issue which led to users' microphones being left on even when Zoom wasn't in use.

QNAP: Kudos to QNAP for extending support for some of its products which officially are end of life. Less positively, it advises that affected products should not be connected to the internet.

VMware: Updates to address multiple vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Cloud Foundation. The issues were discovered by researchers taking part in China's Tianfu Cup hacking competition.

SecureDrop: Version 2.2.0 improves security. It's also the last release series to support Mac Minis and Intel 5th generation NUC (Next Unit of Computing) hardware.
