FFT news digest Jun 17 2022

Passwords

With apologies for returning to a timeworn subject, new research underlines why it's not a good idea to let web browsers store your passwords. Quite apart from the fact that browsers are one of the applications most commonly targeted by attackers, CyberArk found that they may store sensitive data (including usernames, passwords and session cookies) in clear text in a way that allows it to be retrieved.

Separate analysis by Digital Shadows says there's been a 65% increase in usernames and passwords sold, traded or dumped in cyber-criminal forums and underground marketplaces. It reckons there are more than 24 billion usernames and passwords available for sale; 6.7 billion of them unique. That's an increase of 30% compared to a previous analysis in 2020. The paper says the most commonly leaked password it found was '123456.' It appeared over 30 million times and accounted for 0.46% of all unique passwords, or nearly one in 20 of the total.

Passwords are (gradually) on their way out but, until something more functional replaces them, the only effective way to use them is to adopt a password manager. It's probably the single best way to improve your online security. We have a guide to the whole sorry business here.


Threats

Instagram: If a friend set up a 'saucy' account and used it to follow you, would you check it out? Malwarebytes explains how attackers stole someone's photos and used them to create an account designed to steal Instagram credentials.

PayPal: Email campaign leverages PayPal by sending a confirmation message for a non-existent order. The only way to 'cancel' it is to call a support number and engage with a scumbag who will try to steal banking information. Avanan

Travel: Criminals are working on scams to exploit the surge in tourism. Intel 471

Proposal: A fake business proposal contains a booby-trapped Excel spreadsheet. Opening the document isn't a problem. Enabling the macros it contains is. Avanan

Monkeypox: Scumbags are taking advantage of the current news about monkeypox to trick people into clicking on malicious links. Pickr

Crypto: Fake wallet apps are being used to target cryptocurrency users. They're identical to the real ones except that they contain a backdoor designed to steal security phrases. Confiant

MacOS: Researchers have found a fundamental security issue in Apple's M1 processors. It sounds alarming but would have to be combined with other vulnerabilities to be exploited. MIT

Heineken: The Danish brewer has warned about an ongoing scam involving WhatsApp messages about a Father's Day contest with free beer as a prize.

Prime Day: Amazon says its annual sales fest will be on July 12-13. Stand by for floods of fake emails trying to take advantage of it.

Ukraine

Russia has warned the US and its allies that continued cyber attacks on its infrastructure risk a direct military clash. Reuters quotes a Foreign Ministry statement as accusing Washington of "deliberately lowering the threshold for the combat use" of IT. "The militarization of the information space by the West, and attempts to turn it into an arena of interstate confrontation, have greatly increased the threat of a direct military clash with unpredictable consequences," it said.

Data

The Ukrainian government is moving citizens’ sensitive personal data to storage in Poland, with similar back-up schemes planned for other western countries. The move is designed to protect against Russian cyber and physical assault. “To be on the safe side, we want to have our backups abroad,” Ukraine’s deputy minister of digital transformation told The Wall Street Journal ($).

Weakest link

We dislike the idea of viewing humans as the weakest link in the security chain, but a data breach at a US healthcare giant does underline why safety is everyone's responsibility. Kaiser Permanente said at least 69,000 people were impacted when someone gained access to a single employee's email account. The breach included sensitive information including names, medical record numbers and the results of medical tests. Kaiser Permanente says it "terminated the unauthorized access within hours." What's not clear is why so much sensitive information was stored in emails in the first place.

In brief

Ring: A US senator says Amazon Ring's audio surveillance capabilities are threatening the public's expectation of privacy. Senator Ed Markey is a long-standing critic of Amazon's Ring products. His letter follows a study by US watchdog, Consumer Reports, which found that after a device's motion sensor is triggered, it can record conversations from up to 8 metres away. 

Stolen: People often ask what happens to stolen phones and laptops. This Twitter thread will give you a good idea of (exactly) where many end up; since you ask, Seg Electronics Market, Shenzhen (Floors 1-3) where they're cannibalised and sold for parts.

Artificial reality: A popular real-time voice changer is beginning to use artificial intelligence to make you sound like Morgan Freeman or a bunch of other characters. It's a Windows Beta offering for the moment. It's scarily real and reinforces the concerns we reported last week. Voicemod AI

Harm: Facebook and Instagram owner, Meta, faces eight lawsuits in the US accusing it of harming children and teenagers by increasing the risk of eating disorders, suicide, depression, and sleep disorders.

Identity theft: Alarming Washington Post article explains how children's identities are being stolen, often by their parents or close relatives.

Insults: In an effort to combat "cyberbullying," Japan has approved a law criminalising "online insults." The penalty is a fine of up to 300,00 Yen ($2,850) or a year in prison. Japan Times

Beaver alert: A single beaver is believed to have caused mass internet and cellular service outages in north-western Canada. The animal gnawed its way through a tree which brought down utility poles carrying power and fibre optic lines. CTV

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.
