FFT news digest Jun 11 2021

Apple news

A big week for Apple, with significant announcements on products and privacy - though we would be delighted if Mr Cook and his pals focused on fixing existing issues before releasing lots of shiny new things.

In terms of products, macOS Big Sur (released last year) is due to give way in the autumn to macOS 12 Monterey. It has some genuine innovations, including the ability to control Mac and iPad devices with a single keyboard and mouse. But not all devices will be compatible - and even those that are may not support all the new features.

A new version of the iPhone and iPad operating system, iOS 15, will be released later this year, probably in September to coincide with the rollout of new iPhone models. New features include 'spatial audio' for FaceTime which is designed to make it sound like "people are in the same room." All good, though it has emerged that not all features will be available straight away.

Privacy was a big theme, with the introduction of a tool to deliver more secure browsing. iCloud Private Relay means that even Apple can't see what a user is doing on the web. Unfortunately, Apple told Reuters that it won't be available in some of the countries where it would be most useful, including China, Belarus, Kazakhstan and Uganda. There are also moves towards replacing passwords. More on that next week.

And one other (less savoury) item of Apple news. The company has confirmed it made a multi-million dollar payment to a college student after repair technicians stole nude photos from her iPhone and uploaded them to Facebook. The story was first reported by The Daily Telegraph ($).

Threats

Targeting TV: At least three local US TV stations were targeted in what appears to be an attack on their parent company. "We are only able to communicate with each other over personal phones and text messages," said an employee of WFTV in Orlando, Florida. NBC News

Phishing: A 47% rise in the number of phishing sites in the first quarter of this year, compared to the same period in 2020. The top five targets: Social Media, Financial, Webmail & Cloud Services, Ecommerce and Telecommunications. PhishLabs

Trojans: Renewed warning about a widespread campaign that uses a variant of one of the oldest 'remote access trojans' to steal usernames, passwords and other sensitive information. Fortinet

HMRC: Fraudsters are seeking to exploit tax credit renewal packs being sent out this week. HMRC says it responded to 1.15 million suspicious contacts reported by the public in the year to the end of April.

Android: A new wave of attacks is targeting Android devices to try to steal personal details by impersonating popular apps such as Kaspersky and VLC. Always double check before installing. Bitdefender

Samsung: Is working on fixes for multiple vulnerabilities affecting its mobile devices that could be used for spying or to take full control of them. Bleeping Computer

Identity

The Colonial Pipeline ransomware attack began with a single stolen password for a virtual private network (VPN) account that was no longer in use. Cybersecurity outfit, Mandiant, told Bloomberg that no evidence had been found of any phishing attacks against the employee whose credentials were used. In evidence to a congressional committee, Mandiant said the password was "relatively complex" but had been used on another website.

There's a lot of nonsense published about passwords. This week, a vast list of 'passwords' appeared on a hacker forum. In reality, as password guru, Troy Hunt, pointed out, the 8.4 billion entries are really just a list of words, rather than stolen passwords - but they can still be used as part of attempts to break into accounts.

Credentials

Once they've acquired someone's credentials, attackers don't hang around. In fact, research suggests they test most of them within 12 hours of stealing them. To explore the issue, Agari planted phoney passwords on the web and made them look like they belonged to real users. Almost all of the subsequent testing carried out by the attackers was manual which is time-consuming, but goes to underline the value of stolen credentials that are proven to be valid. So, as you're probably sick of hearing, don't reuse passwords and do use a password manager. And as we say in our awareness sessions, don't write passwords on post it notes because they'll inevitably end up in a photo, as a US congressman kindly demonstrated last weekend.

Biters bit

Law enforcement has been enjoying a series of successes against international crime organisations, but the latest is truly spectacular. For a mere $180,000, the FBI was able to persuade a shady developer to build a 'backdoor' into what was supposed to be a secure handset - and then market it to criminal gangs. The result was a three-year sting operation that led to the seizure of 32 tons of drugs (including cocaine-filled pineapples), more than $148 million, and a lot more besides. The court documents read like a thriller. It's not entirely clear why the operation was made public now, but multiple successful sting operations must be giving the criminal underworld some restive nights.

Fastly

As you probably saw, many of the world's top websites were briefly unreachable on Wednesday, but this is actually (in part) a good news story. That's because Fastly, the company behind the problem, took just one minute to detect the issue, restored 95% of operations within 49 minutes, and began deploying a permanent fix less than seven hours later. Of course, it would have been better if the issue hadn't occurred at all - and the other positive is that the incident has focussed renewed attention on the role of content distribution networks which are designed to make websites faster, but which also create central points of failure that are completely contrary to the design of the internet.

In brief

Facebook: An app designed to provide a low bandwidth version of the web favours Facebook products, according to university researchers in the US and the Philippines. Meanwhile, the UK and EU have launched co-ordinated investigations into claims that Facebook is exploiting user data to gain an “undue competitive advantage” in its online classifieds business.

Routers: Are your employees' home routers safe? Dark Reading has some suggestions about how to find out.

Health data: The UK government's scheme to share health data from patients in England was put on hold for two months after complaints from doctors and politicians that its introduction was being rushed. The Register

Data transfers: New Standard Contractual Clauses (SCCs) published by the European Commission will replace three old sets. The adoption marks the beginning of an 18-month transition. Bird and Bird explains.

VW subscriptions: All commercial organisations love recurring revenue (hello printer makers). Now Volkswagen is getting in on the act by floating the idea of an hourly charge for access to autonomous driving features. The price: €7 an hour. Die Welt ($) via Ars Technica

Bing search: On the anniversary of 1989 demonstrations in China, Bing failed to find any images of the lone protester defying army tanks in Tiananmen Square. The issue affected users outside China and Microsoft blamed it on human error. Yeah, right, said Human Rights Watch. Motherboard

Drone news: German researchers have developed a drone-mounted technology designed to locate people trapped after earthquakes, building collapse etc. It works by listening for screams and cries for help. Meanwhile, the US military has come up with a defence against drones which involves fouling their rotors. The Register

Smart privacy: Researchers have found a way to use voice-activated smart speakers which avoids them listening to everything that's going on (with embarrassing results). The method listens for ultrasonic sound rather than the lower frequencies associated with the human voice. University of Michigan

Updates

Microsoft: The usual slew of monthly security updates includes fixes for seven previously-unknown vulnerabilities among a total of 50 issues. Five are classified as critical.

Adobe: Updates for multiple products including Acrobat/Reader, Photoshop, Creative Cloud Desktop, Premiere and After Effects.

SAP: 17 'security notes'. Two affecting Source Rules of SAP Commerce and SAP NetWeaver are rated critical 'Hot News'.

Chrome: Google has kept up the pace of addressing issues that are being actively exploited with its sixth such fix of the year. These are so common that it's really worth getting into the habit of relaunching Chrome every few days.

VMware: Attackers are exploiting an issue in vCenter Server that was addressed two weeks ago. Users are being urged to check their systems have been updated.

Cisco: Updates for multiple products, as well as a revamp for Webex as Cisco does battle with Zoom, Teams et al.

Intel: 29 security advisories addressing critical issues in the firmware of the Intel chip BIOS, Bluetooth products, Active Management Technology tools, the NUC mini PC line, and Intel's own security library.
