FFT news digest Jul 1 2022

Privacy

The US Supreme Court's decision to overturn the Roe vs Wade abortion protections has shone a spotlight on the information gathered by technology companies and the risks it represents. In seven states (so far), people seeking abortions risk investigation and prosecution, and privacy activists warn that their search history and similar data could be used against them. The Electronic Frontier Foundation has a guide to staying safe online including reviewing privacy settings and location services, and adopting encrypted messaging services. This is perfectly good advice, but we'd add that it's essential to assume nothing online is completely secure.

In one example, journalists from Motherboard were able to buy a week’s worth of data about visitors to hundreds of Planned Parenthood locations in the US. It cost them just $160. The data had been gathered by a company called SafeGraph which obtains the location data from the apps installed on people's phones. It even makes educated guesses about where the owner of a phone lives by analysing where it's usually located overnight. “It's bonkers dangerous to...let someone buy the census tracks where people are coming from to visit [an] abortion clinic,” a cybersecurity researcher told Motherboard.

Following the Supreme Court's decision, a period tracking app called Stardust leapt to the top of the US Apple App Store. Just one problem: TechCrunch discovered that the app was sharing users' phone numbers with an external analytics company. The popularity of Stardust is partly explained by its statement that it would implement end-to-end encryption so it would “not be able to hand over any of your period tracking data” to the government. After TechCrunch questioned those claims, Stardust promptly changed its privacy policy to delete the claim. Unhappily, even with the best intentions, remaining truly anonymous and secure online is an impossible task for most people.

Threats

Most clicked: The most effective phishing emails imitate corporate messages and delivery notifications, according to Kaspersky. In tests, 18.5% of people clicked the link in an email with the subject line, "Failed delivery attempt". Kaspersky via ITPro

Toll fraud: Microsoft explains how fraudsters manipulate Android devices to subscribe to premium services. Their methods are impressively sneaky and underline why it's so important to be careful about what apps you download, where they come from and what permissions you give them.

Romance: A vile scam is promising romantic connections and relationships with women affected by the war in Ukraine. Bitdefender

Quickbooks: Be cautious about invoices and payment requests that appear to come from Quickbooks. Attackers are signing up for free accounts and sending messages that look like invoices from Norton and Office365. Always make sure processes are in place to stop this type of scam. Avanan

Vendor impersonation: Business Email Compromise increasingly impersonates third-party vendors and suppliers rather than executives inside the organisation. Abnormal Security

Deepfake recruitment: The FBI says it has received increasing numbers of complaints relating to the use of deepfake videos during interviews for remote work positions. Many of the jobs involve information technology and access to sensitive systems and information.

Copyright: A fake warning about alleged copyright infringement includes a zip file that purports to provide details of the offending content. Of course, in fact, it contains a booby-trapped PDF file. AhnLab via Bleeping Computer

Credential stuffing: The Information Commissioner's Office has advice on protecting against what it calls a "growing cyber threat". Top of the list is multi-factor protection.

Nuclear threat: Malwarebytes says a longstanding Russian threat group is behind a phishing campaign designed to steal credentials from commonly-used web browsers. The lure is what appears to be an Atlantic Council article entitled, “Will Putin use nuclear weapons in Ukraine? Our experts answer three burning questions”.

Predictions

By 2025, 60% of organisations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements, according to technology analysts, Gartner. In its latest cybersecurity predictions, Gartner points out that attacks related to third parties are increasing, but only 23% of security and risk leaders monitor the cybersecurity exposure of their vendors and suppliers in real time. Gartner also reckons that, by 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts.

Ransomware

Interesting developments among ransomware groups which appear to be experimenting with new business models, possibly because their original approach to extortion has become less effective. It's well known that attackers now threaten to sell information rather than simply deny access to it. But they've also started trying out new tactics including 'Dutch auctions' in which the price decreases until the victim pays up (presumably in an attempt to extract any money at all). One group is also offering rewards to anyone who can identify defects in its program. Meanwhile, US police seized $28 million when they arrested a man involved in hacking hospitals during the COVID-19 pandemic.

In brief

MacBook: When it comes to Apple products, the reality frequently fails to live up to the hype. Take the new 13-inch MacBook Pro which was announced at Apple's huge developer conference last month. iFixit has taken it apart to find that it's basically the same as the previous model except for an updated processor. 

Scalpers: Clever scumbags in Israel have come up with an automated way of grabbing appointments for government passport services. As in the UK, there's currently a backlog in applications. Once grabbed, the appointments are sold for more than $100. Akamai

Chinese exports: The Electronic Privacy Information Centre explains how China's giant technology companies are exporting surveillance products designed for the domestic market to the rest of the world, particularly to Africa.

Chinese disinformation: China has been caught using disinformation and influence campaigns to undermine efforts to diversify supply chains of rare earth minerals. The aim is to maintain China's dominance of the market. Mandiant 

macOS security: The US National Institute of Standards and Technology (NIST) has published its guidance on securing macOS endpoints and assessing their security.

Locking iPhones: A cautionary tale courtesy of Donald Trump's election attorney whose phone was seized last week by the FBI. They ordered him to unlock it using Face ID. Under US law, he couldn't refuse - but he could have if it had been locked with a passcode. CNN

Russia facial recognition: Reclaim The Net reports on Russia's use of facial recognition technology to track journalists (in Moscow and other major cities) and arrest them.

You couldn't make it up: The Apple executive responsible for preventing insider trading has pleaded guilty to six counts of...insider trading. DoJ

Meddling kids: Avast has discovered an online community of children set up to build, exchange and distribute malicious software, including ransomware, infostealers and cryptominers. The kids are aged between 11 and 18.

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.
