FFT news digest May 7 2021

Big tech

A big week for big tech, as Apple does battle with games maker Epic, and Facebook tries to convince iPhone users to continue allowing their behaviour to be tracked.

Epic's lawsuit alleges that Apple's App Store amounts to an illegal monopoly that's like a car dealership trying to impose ongoing commissions for petrol used by a vehicle it has sold. Apple argues the Fortnite maker's suit is "just an attack on Apple's 30% commission that Epic does not want to pay," and that the closed design of the App Store was a security decision. Epic contends Apple simply took a business decision to maximise its profits and lock users into the iPhone ecosystem.

The case, being heard in California, is one of the most important antitrust trials we've yet seen, and it comes as Apple faces growing pressure elsewhere. In Washington, the Justice Department is reported to be examining the App Store rules that require developers to use its payment system. The investigation is said to have begun in 2019 and no decisions have been taken about whether to institute legal action. In Brussels, EU regulators have accused Apple of breaking antitrust laws by abusing its dominant position for the distribution of music streaming apps. NPR and WIRED have good overviews of the cases and the issues.

Meanwhile, Facebook has been trying to persuade users that they should let their behaviour be tracked in order to keep the platform "free of charge." A blog post says Facebook will show an "educational screen" to users, before they're asked whether they want to allow tracking to continue. Facebook has been less keen on the 'education' provided by secure messaging outfit, Signal. Signal says it tried to run advertisements on Facebook and Instagram that revealed the range of information they gather about users, but the ads were blocked. Not so, says Facebook, and you didn't even try to publish the ads. Either way, the 'ads' are worth a look!

Threats

Trends: Attackers are improving their techniques in their relentless hunt for corporate account credentials, according to Kaspersky. Innovative twists on banking scams and COVID-19 lures figure prominently. Mandiant says that, in December, a global campaign used malicious software that had never been seen before.

Website: The US Justice Department has shut down a website masquerading as belonging to a biotech company working on a COVID-19 vaccine. In fact, it was designed for "fraud, phishing attacks, and/or deployment of malware."

Phone numbers: So what if Boris Johnson's phone number has been publicly available for the past 15 years? It's not clear what make of phone he uses (he's been pictured with both an iPhone and a Huawei model), but both have been shown to be vulnerable to attack by calling or messaging the user's number.

Deepfakes: Experts are warning of an imminent rise in the use of 'deep fake' technology by criminals and nation states. This is worrying, although a recent incident that supposedly fooled European politicians appears to have used a lookalike rather than deep fake technology.

Lotto: You're a €2 million winner and all you have to do to collect your prize is fill in a form with your personal details. At least that's what the scammers behind this email would like you to believe. Avanan

Workplace: Fascinating account of a US startup linked to attempts to gather corporate login credentials. Employees have been offered $500 for their usernames and passwords. The aim appears to be to collate payroll and employment history and sell the data to clients. Motherboard

Location

Another of Bellingcat's impressive investigations succeeded in identifying a hotel in an FBI investigation into child abuse from just a couple of photos. A banana leaf, a sun lounger and the design of a litter bin were some of the distinguishing features used by Bellingcat to track down the location of the photos to a hotel in Turkey. It's essential not to underestimate what information can be gleaned from a seemingly innocuous photo. In an extreme example from Japan, a man accused of stalking and sexually assaulting a young pop star reportedly told police he located her through the reflection in her eyes in a picture.

Bloody passwords

Another World Password Day has rolled round, and this time there are signs of growing momentum towards better ways of proving who we are. We wholeheartedly share the view of Forrester Research that "passwords belong in time capsules, not IT ecosystems", but we also recognise there are understandable reasons for the delay in adopting better solutions. Forrester reckons 70% of organisations still rely on a "password-centric" approach to authentication, but that there is "light at the end of this multi-decade tunnel". In particular, biometrics are likely to become more common. HSBC UK says that in the last 12 months its Voice ID verification tool more than halved cases of fraud. And Google says it will soon start to automatically enrol users in enhanced authentication.

Too Smart TV

Is your TV watching you? A Chinese manufacturer has admitted that some of its sets were vacuuming up a range of information about their owners. The issue came to light in a post (picked up by The Register) to an online forum which detailed an app that appeared to scan the local network for the user's IP address as well as nearby WiFi hotspots. This isn't exclusively a Chinese issue. LG, Samsung and Vizio have all been found to gather user information, and in 2019 the FBI warned about the privacy risks of smart TVs and provided recommendations for how to use them safely. Among them, make sure you understand your TV's features and don't rely on default security settings.

Routers

Millions of people in the UK could be at risk from using routers with security flaws, according to research by consumer group Which? A survey asked 6,000 adults what router they used at home. Its less than surprising finding was that many could be using out-of-date devices that are no longer supported. Some models hadn't seen an update since 2016, and many were also afflicted by weak default passwords and network vulnerabilities. Internet Service Providers were unimpressed - although only Virgin Media bothered to reply to Which?'s follow-up questions. Routers really are a serious security risk, and the Which? article is well worth reading.

In brief

Spotify: Musicians and human rights organisations have stepped up a campaign against a patent granted to the music streaming service. Spotify says its technology is designed to improve recommendations by detecting “emotional state, gender, age, or accent”.

Fake reviews: An unsecured database has revealed the identities of more than 200,000 people who appear to have been involved in fake product review scams on Amazon. Safety Detectives

Pirates: Interesting approach to online piracy from social networking platform, Triller. It's trying to scare boxing fans who illegally streamed a bout last month into paying $49.99. Otherwise, it says, it will come after them for $150,000 - and use of a VPN won't protect their identity. We say a good one probably will, though that's not to condone piracy. Reuters

Awareness: People ignore information if they think it's not relevant to them - and that's why so much digital security training doesn't work. The answer is "longitudinal learning" which involves short, digestible chunks of relevant training. HelpNet Security

Tesla: Researchers have demonstrated how to remotely hack a Tesla without any user interaction. They carried out the attack from a drone.

Sub attack: Hackers linked to the Chinese government are being blamed for an attempt to steal information from a company that designs submarines for the Russian navy. As so often, the attack began with an email targeting the CEO. Cybereason

Crossword: The winner of this year's American Crossword Puzzle Tournament was an Artificial Intelligence system. "Dr Fill" was trained over 10 years by exposing it to "mountains" of data, including the entire contents of Wikipedia. Slate

Homecoming queen: The teenager accused, with her mother, of trying to rig a homecoming queen contest by hacking other students' accounts will stand trial as an adult, and faces a sentence of up to 16 years in prison if convicted. CyberScoop

Updates

iOS: This has not been a good year for Apple, with multiple serious (really serious) vulnerabilities in its phone and desktop operating systems. Just a week after the major release of iOS 14.5, an update has appeared and this time it's not just to fix things that haven't been working properly, it's also to address two vulnerabilities that are being actively exploited. These issues matter because there's evidence of how they are used against 'people of interest'. In one example, MIT Technology Review says it has learned from US officials that a campaign to spy on China's Uighur minority was fuelled by an iPhone vulnerability revealed at China's top hacking competition.

macOS: Version 11.3.1 addresses two serious vulnerabilities that are being exploited - and which share a cause with the iOS issues.

Safari: New version of Safari 14.1 for macOS Catalina and macOS Mojave.

Windows 10: Some users have found their hard disks filling up with thousands of files. The latest update fixes the issue caused by Windows Defender.

Pulse: Update addresses serious vulnerabilities in Pulse Connect Secure VPN appliance. It comes two weeks after researchers warned that attackers in China were exploiting the issues.

Dell: So...it transpires that Dell desktops, laptops, and tablets built since 2009 and running Windows have a series of vulnerabilities that can be exploited to secure administrator-level access to the devices. The issues (in the firmware update driver) were found by Sentinel Labs which says hundreds of millions of computers are affected.

Exim: Version 4.94.2 of the widely-used mail transfer agent fixes 21 previously unknown vulnerabilities (some of which can be chained together to run programs remotely on the Exim Server).

Cisco: Updates for multiple vulnerabilities across its product portfolio, including critical flaws in SD-WAN software and the HyperFlex HX data platform.

Android: Updates to address 42 vulnerabilities, including four rated critical.
