FFT news digest Mar 6 2020

Home working

The upsurge in home-working caused by the coronavirus is a gift for attackers - and for technology suppliers seeking to attract new users with the offer of free trials. Microsoft, Google, LogMeIn, and Cisco are all providing free licenses (for differing periods) for their meeting, collaboration, and remote working tools. Obviously, it's essential to check the authenticity of any offer you're sent. And do make sure that anyone unfamiliar with the tools understands how to use them. It's also a good opportunity for everyone to make sure that home routers are up to date and are not using the default administrator password. With the likelihood that sensitive work is going to be done more often outside the office, it's also important to keep in mind the need to protect the data, especially if it contains personal information. For an attacker, this is too good an opportunity to miss.

Securing the home

The UK's National Cyber Security Centre has issued new guidance for owners of internet-connected devices, in an effort to improve the lamentable state of security afflicting them. The NCSC has three pieces of advice: change the default password (and use a secure one), make sure the devices are updated as soon as any new software is released, and turn off the ability to view the output of cameras remotely unless you really need it. It's simple to identify insecure devices, as one US family discovered last year when a hacker started talking to their young daughter through the smart camera in her bedroom.

Authentication

Microsoft provided some alarming insights into the extent of Office 365 account breaches - and why multi-factor authentication should be a non-negotiable item in the security toolbox. Microsoft's Director of Identity Security told a conference that "about a half of a percent of the enterprise accounts on our system will be compromised every month." That equates to around 1.2 million Azure Active Directory accounts being compromised every month. Attackers exploit poor passwords or password reuse, and they use good old-fashioned phishing. What is depressing, as Microsoft points out, is that if an account is compromised, "there's a 99.9 percent chance that it did not have MFA [Multi Factor Authentication]".

Clearview

A facial recognition startup known for 'scraping' billions of photos from social media sites lost control of its client list and revealed the extent to which facial recognition is being used in commerce, education and law enforcement. A review of the list by BuzzFeed News found it included schools, colleges and universities as well as major companies like Walmart and sporting organisations such as the NBA. In many cases, companies and organisations had signed up for free trials, which Clearview has used as a key marketing tool. In the UK, it was revealed the Metropolitan Police had used the system 170 times, despite stating in a Freedom of Information request that it was not a user of Clearview's services. An NGO, Big Brother Watch, said, “The photos we’ve shared on social media platforms are being subverted into giant law enforcement and immigration databases... The situation in the UK is wildly out of control.”

The risks of public WiFi

The risks of public WiFi hotspots can be overstated, but we don't trust them, and an incident in the UK has provided another reason to avoid them. A researcher discovered that the free WiFi service at a number of railway stations had exposed personal information of some 10,000 people, including email addresses, birth dates and travel information. As is so often the case, the data was on Amazon Web Services cloud storage and hadn't been protected with a password. The company that provided the WiFi, C3UK, told the BBC that it had chosen not to inform the data protection regulator because the data had not been stolen or accessed by anyone other than the researcher. Network Rail says it has "strongly suggested" the company consider reporting the incident. That would be our advice too.

Killing email spoofing

More evidence that DMARC (Domain-based Message Authentication, Reporting and Conformance) is really worth implementing. A survey by security outfit Valimail found that attempts to spoof an email domain drop to nearly zero "within a few months after that domain moves to DMARC enforcement." Valimail says 933,000 domains around the world now have DMARC records, but only 13% of them are configured with enforcement policies. The policies are what tell mail receivers to reject or quarantine emails that fail authentication. DMARC is one element in an effective email security framework. Given the extent of phishing, which IBM covers in a report this week, the relatively small amount of work required to set up that framework is well worth it.
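As an added illustration (not the digest's or Valimail's own code), a small Python checker that parses published DMARC records and sorts them into the monitoring-only versus enforcement split the survey describes. The sample records are constructed; the domain names are placeholders.

```python
"""Classify DMARC TXT records by enforcement strength (added example, not Valimail tooling)."""
import re

# Constructed sample records, as they would be published at _dmarc.<domain>
SAMPLE_RECORDS = {
    "monitor-only.example":  "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "half-enforced.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@half-enforced.example",
    "enforced.example":      "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "broken.example":        "v=spf1 include:_spf.example -all",   # an SPF record, not DMARC
}

# tag=value pairs separated by semicolons
TAG_RE = re.compile(r"\s*([a-z]+)\s*=\s*([^;]*?)\s*(?:;|$)")

def parse_dmarc(txt):
    """Return the tag=value pairs of a DMARC record, or None if it is not a valid one."""
    tags = dict(TAG_RE.findall(txt))
    # RFC 7489: the record must begin with v=DMARC1 and carry a p= tag
    if not txt.lstrip().startswith("v=") or tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def enforcement_level(txt):
    """'invalid', 'none', 'partial' or 'enforced' for a published record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "none"          # reports only; receivers are told to deliver failing mail
    if policy not in ("quarantine", "reject"):
        return "invalid"
    # pct below 100 applies the policy to only a sample of failing mail, and an explicit
    # sp=none leaves subdomains open even when the organisational domain rejects
    pct_tag = tags.get("pct", "100")
    pct = int(pct_tag) if pct_tag.isdigit() else 100
    subdomain_policy = tags.get("sp", policy).lower()
    if pct < 100 or subdomain_policy == "none":
        return "partial"
    return "enforced"

def audit(records):
    """Map each domain to its enforcement level, mirroring the survey's enforcement split."""
    return {domain: enforcement_level(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, level in audit(SAMPLE_RECORDS).items():
        print(f"{domain:24} {level}")
```

In practice the record text comes from a TXT lookup of `_dmarc.<domain>`; only the "enforced" class actually instructs receivers to reject or quarantine spoofed mail.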

In brief

Some great journalism from the BBC revealed the industrial scale of tech support scams (and resulted in the arrest of a call centre owner). Using video obtained from the operation's own surveillance cameras, the programme showed the way in which the vulnerable are targeted. BBC

Wildly unwelcome news from Apple which has changed its App Store guidelines to allow advertisements to be pushed to devices. You are allowed to opt out. We suggest a close reading of the terms and conditions for any app you install. 9to5Mac

Apple has agreed to pay up to $500 million to settle one of the US lawsuits that resulted from its decision to deliberately slow down older iPhones to stop them shutting down. Reuters

Web domain names weren't designed to work with languages other than English, and that created an opportunity for criminals who spoof well-known domains by replacing English letters with foreign ones. Research has shed new light on the problem - and the need to be wary of following links (though this one has been checked!) Soluble
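Added example (not from the digest or from Soluble's research): a Python heuristic that decodes the punycode form of a domain and flags labels that mix Latin letters with another script, which is the lookalike pattern described above. The sample domains are constructed, and the script detection is a rough approximation based on Unicode character names.

```python
"""Flag domains whose labels mix scripts (homograph lookalikes). Added example, not Soluble's tooling."""
import unicodedata

def script_of(ch):
    """Rough script from the Unicode name: 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"

def to_unicode(domain):
    """Decode xn-- (punycode) labels so the glyphs a user would actually see can be inspected."""
    if not domain.isascii():
        return domain
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # malformed punycode: judge the ASCII form as-is

def classify_label(label):
    """'ascii', 'single-script' (e.g. an all-Cyrillic name) or 'mixed-script' (the spoofing pattern)."""
    if label.isascii():
        return "ascii"
    scripts = {script_of(c) for c in label if c.isalpha()}
    return "mixed-script" if len(scripts) > 1 else "single-script"

RANK = {"ascii": 0, "single-script": 1, "mixed-script": 2}

def classify_domain(domain):
    """Worst classification over all labels of the decoded domain."""
    labels = to_unicode(domain.lower()).split(".")
    return max((classify_label(label) for label in labels), key=RANK.__getitem__)

def resolvable_form(domain):
    """The ASCII (punycode) name DNS actually sees; useful for comparing against allow-lists or logs."""
    return to_unicode(domain).encode("idna").decode("ascii")

# Constructed samples: a plain name, a reserved example domain with a Cyrillic 'а' swapped in,
# and an all-Cyrillic name (single script, so legitimate-looking rather than a lookalike)
SAMPLES = ["example.com", "ex\u0430mple.com", "пример.рф"]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d:20} {classify_domain(d):14} {resolvable_form(d)}")
```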

The UK Data Protection Regulator, the ICO, has fined Cathay Pacific £500,000 for failing to protect its customers' personal details. A "catalogue of errors" included back-up files without password protection, out-of-date internet-facing servers, operating systems no longer supported by the developer and inadequate anti-virus protection. The issues predated the GDPR and so Cathay escaped with a relatively low fine. ICO

Updates

Apache: A reminder to ensure Apache Tomcat servers have been updated to address a serious issue which could allow attackers to take them over. Mass scanning for vulnerable devices is known to be underway.

Cisco: Updates to address multiple vulnerabilities across various products, including two issues in Webex Player that could be exploited remotely.

WordPress: Updates for multiple plugins, including Flexible Checkout Fields For WooCommerce, 10Web Map Builder for Google Maps, Modern Events Calendar Lite. These are among plugins that have already been attacked successfully.

Android: Google issued an update to fix a vulnerability in many mid-range Android devices (running on MediaTek chips). The XDA-Developers forum has details of affected devices. Meanwhile, a report from Which? warns of the risk of using older Android devices that no longer receive security updates.

Office: Microsoft has released March 2020 non-security Microsoft Office updates for the Windows Installer (MSI) editions of Office 2013 and Office 2016.

NVidia: Updates to address multiple denial-of-service vulnerabilities in GPU display drivers and Virtual GPU Manager software.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217