FFT news digest Sep 30 2022

Lessons from breaches

Details have been emerging about what went wrong at American Airlines, Fast Company and Australian telco giant, Optus, following serious data breaches.

American Airlines
A simple phishing campaign gave attackers access to a "limited number of team member mailboxes," the airline said. It hasn't explained why it took two months to convey what happened to those affected by the breach. The airline found out about the incident from phishing emails that were being sent from one of its compromised email accounts.

Fast Company
The business publication shut down its website after it was hacked and attackers exploited the access to send "obscene and racist" notifications via Apple News.
Bleeping Computer quotes the hackers as saying they were able to identify a poorly-secured WordPress instance.

Optus
Some 38% of the Australian population had personal information stolen in the attack on the telco. A person claiming to be the hacker first demanded a ransom and then, hours later, said the stolen data would not be sold - but not before some of the information had already been copied. The cause appears to have been an application programming interface (API) that was left open to the public. APIs enable disparate systems to communicate and exchange data.

Lessons
As always, failing to fix the basics will result in disaster. In the case of Optus, the company tried to argue that "it couldn't have prevented" the incident, only to be contradicted by Australia's cybersecurity minister, who was asked in a TV interview, "You certainly don't seem to be buying the line from Optus that this was a sophisticated attack?" "Well, it wasn't. So no," the minister replied. More specifically, here are some lessons:

- Password security. It's crucial to ensure that there is an effective password policy and that it is rigorously enforced.
- Default or common passwords (e.g. Fast Company) make a breach a certainty.
- Test incident response plans. Having a plan is useless unless it's regularly stress tested.
- Audit what data is held. Review what information is stored, what is personal data, where it's saved, how long it's retained, who can access it and how it's secured.
- Understand external access. What applications and systems are exposed to the internet?
- Review your risks. What are your risks? Can they be mitigated? If not, the residual risk must be registered and accepted.
- Make security everyone's business. We loathe the notion that "users are the weakest link." Effective awareness campaigns can make users a key element in protecting an organisation.

Threats

App stores: Research underlines that it's essential to be cautious about what apps we install, even if they're in Apple and Google's official stores. Researchers found 75 fraudulent apps in Google Play and 10 in the App Store. Most were games and they've been installed some 13 million times. Bleeping Computer

North Korea: The attackers who breached Sony Pictures in 2014 are back with a new campaign that involves "weaponising" popular open source software applications. The attack begins with connection requests on LinkedIn and moves to WhatsApp, where targets are instructed to install the malicious apps. Microsoft

Adult: A vast network of fake adult websites has been identified. They work by tricking users into subscribing and then charging huge recurring fees to their cards. ReasonLabs believes the scammers are based in Russia and have earned tens of millions of dollars from thousands of victims.

Gaming: Password stealing software is being distributed as fake 'cracks' and cheats for popular video games. Cyfirma

Fake CISOs: Someone has been creating fake LinkedIn profiles claiming to be Chief Information Security Officers at some of the world's biggest companies. Brian Krebs

PowerPoint: A Russian state-sponsored threat actor has been using PowerPoint files to target defence and government users in Europe. The technique "is designed to be triggered when the user starts the presentation mode and moves the mouse," Cluster25 said.

Cost of living: A UK bank is warning that fraudsters are taking advantage of the cost-of-living crisis by impersonating family members and tricking relatives into sending them money to help pay bills. Computer Weekly

Shadow IT: Using unapproved software can damage your corporate wallet, as 11 of the world's biggest financial companies have discovered. They're facing $1.8 billion in penalties for failing to prevent use of unauthorised messaging apps.

Deepfakes: In the near future, we won’t be sure whether the person we’re speaking to on a video call is real or an impostor, according to Microsoft. As The Register reports, there is already a surfeit of tools being adopted by criminals and other scumbags.

Disinformation

Disinformation should be regulated in the same way as guns, bombs, and nuclear weapons, the New Zealand Prime Minister told the UN General Assembly. A rash of stories this week underpins her view. Last weekend, erroneous reports about a coup in China dominated Twitter and were covered on one of India's most-watched news channels. Meta says it took down a massive Russian propaganda network spoofing Western news sites. The Pentagon has ordered a review of US information warfare operations being conducted via social media platforms. And Gizmodo has a simply brilliant account of how easy it is to run an 'information operation,' in this case to fool millions into thinking eating chocolate helps weight loss. Alas, one key is to "exploit journalists' incredible laziness."

Throwaway spies

A faulty CIA covert communications system was just one of multiple failures that endangered Iranians spying for the US, according to a Reuters investigation. The now-defunct covert online communication system – located by Reuters in an internet archive – may have exposed at least 20 Iranian spies and potentially hundreds of other informants elsewhere. Reuters' report builds on previous work by Yahoo News and The New York Times. Far from being a customised, high-end tool, the CIA's messaging system was hopelessly insecure and woefully unsuited to its task of covert communication, independent researchers said.

In brief

Attacks: Cyberattacks are now so common that the majority of businesses responding to a new survey said they were their top concern and they regarded them as inevitable. Travelers

Arrest: A 17-year-old boy appeared in court in London and denied using his phone to steal information from two companies to hold them to ransom. The companies weren't named but reports have suggested links to recent high-profile attacks on Uber and Rockstar Games among others.

Meta: A group of users is suing Facebook's parent company for bypassing Apple's anti-tracking privacy protections on iOS devices. Meta denies the charges. The Register

Taiwan: A $20 million cyber defence course is being launched to train Taiwanese citizens in preparation for any future Chinese hostilities. Axios

LinkedIn: It has emerged that LinkedIn ran experiments on more than 20 million users to test whether more job opportunities resulted from connections with known acquaintances or complete strangers. LinkedIn says no-one was disadvantaged as a result. Not everyone agrees. NYT

Translation: OpenAI released an open source multi-lingual speech recognition tool called Whisper. It enables "robust" transcription in multiple languages, as well as translation from those languages into English.

Jamf: The mobile device manager is buying ZecOps which is probably the leading smartphone security tool. ZecOps is good but very expensive (we know because we use it for some of our clients) so it will be interesting to see how the pricing works when it's rolled into Jamf's offerings.

Shameware: An extraordinary story in Wired explains how churches in the US are using invasive phone-monitoring technology to discourage “sinful” behavior. Some software is seeing more than congregants realize.

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217