FFT news digest Mar 20 2020

Exploiting a pandemic

Depressingly, it appears that just as the coronavirus pandemic is unprecedented in modern times, so is the extent to which it is being exploited by criminals. "The cumulative volume of coronavirus-related email lures now represents the greatest collection of attack types united by a single theme that our team has seen in years, if not ever," Proofpoint said. Every conceivable type of attack has been seen, including phishing for credentials, malicious attachments, malicious links, business email compromise, fake landing pages, downloaders, spam, and malicious software. Scammers have even phoned people up to try to convince them to pay to reserve a COVID-19 vaccine. It's crucial to discuss this crimewave with the people in your home and organisation. Older people are likely to be particularly vulnerable as, understandably, they are concerned about the impact of the coronavirus on them.

Remote working

It's not clear why it's taken so long, but the UK's public-facing cybersecurity agency has gotten round to publishing some advice to secure remote working. The NCSC's guidance is a good summary of best practice for working from home and is well worth reading (as is our own guide). And a US agency has good tips to secure remote meetings. There is a wealth of useful information available (which few people will have time to read) but one resource worth highlighting is material made available by the SANS Institute. This has tips for individuals and for administrators. One thing worth keeping in mind is that the infrastructure and solutions required for remote working are beginning to creak. Collaboration apps like Zoom, Teams and Slack have all had problems. And, following a call from the EU, Netflix and YouTube are reducing the quality of their streams to help protect the internet infrastructure. People have also been advised (where possible) to use fixed lines to make phone calls because of ongoing cellular congestion.

Breach disclosure

As Virgin Media discovered, data breaches are unavoidable, but organisations seem unable to grasp this fact. Have I Been Pwned is an invaluable resource that gathers together the results of data breaches so that we can see whether our details have been included in them (the total number of 'pwned' accounts currently stands at 9.54 billion). The person behind it, Troy Hunt, has a well-defined process for contacting organisations about data breaches. Unfortunately, his emails are frequently ignored, despite their aim being to give the organisation an opportunity to reply. This just makes a bad situation worse, so our strong advice is that every organisation should have a plan to respond to a data breach, and this should be based on full, frank and early disclosure.

Surveillance

Among the changes the coronavirus is provoking is a more intrusive approach to the data about us that technology makes available. In countries like China, Israel and Iran this involves the overt use of tracking technology to identify anyone who might be carrying the virus. In the US, The Washington Post reported that the government was in active talks with Facebook, Google and a range of other companies about how to use location data from phones. "In recent interviews, Facebook executives said the U.S. government is particularly interested in understanding patterns of people’s movements," the paper added. In Moscow, police used street surveillance cameras to identify more than 200 people who defied quarantine orders. Meanwhile, a company in Texas says it's launching "artificially intelligent thermal cameras" that it claims will be able to detect anyone with high temperatures.

Data protection

The UK data protection regulator has sought to reassure organisations that it will adopt a flexible approach during the coronavirus pandemic. The ICO said it would not penalise organisations that cannot process requests for data or information in a timely manner. “We can’t extend statutory timescales, but we will tell people through our own communications channels that they may experience understandable delays when making information rights requests during the pandemic.” The regulator also made clear that organisations can inform staff if a colleague is suspected of contracting COVID-19, although it adds that it may not be necessary to name the individual. The ICO also advises that organisations can share employees' health information with official bodies for public health purposes.

Brexit

The UK has published its position on post-Brexit data protection as it seeks to secure an adequacy decision from the EU to maintain the free flow of personal data. The 17 documents set out the UK's legal framework for the protection of personal data, describing it as "world-class". "Imports and exports of both goods and services heavily depend on the free flow of personal data between the UK and the EU," the government said. It put the total value of "EU personal data-enabled" trade at roughly £127 billion in 2018. Adequacy decisions are a legal mechanism to facilitate personal data transfers from the EU to third countries. The UK argues that it played a leading role in the development of the General Data Protection Regulation, which is enshrined in the Data Protection Act 2018. A potential obstacle may be the UK's surveillance legislation; European courts have ruled repeatedly that these laws breach privacy rights.

In brief

Facebook is putting a 'coronavirus information centre' at the top of everyone's news feed. Mark Zuckerberg said the aim was to make sure authoritative information was in front of everyone using Facebook services. Facebook is also re-assessing its content moderation process after admitting a bug had led to legitimate websites being blocked. Facebook

Someone bought a used German army laptop for €90 and found it contained a top secret manual on how to defeat an anti-aircraft missile system. Der Spiegel

Magecart credit card skimmers spent weeks lurking on Nutribullet's website, stealing financial details from customers. Magecart is used as a blanket term for a technique in which attackers insert malicious code into the e-commerce payment process. RiskIQ

A town clerk in the UK earned the dubious privilege of being the first person to be found guilty of breaking the Freedom of Information Act by deleting the recording of a council meeting. ICO

Privacy-focussed browser, Brave, has complained to data protection regulators that Google is not transparent about the purposes for which it collects data. Google said the claims didn't "stand up to serious scrutiny". The Register

Google announced a pause to new Chrome and Chrome OS releases, citing "adjusted work schedules". Emphasis will be on security issues, rather than new features. Google

Updates

Adobe: Security updates for Acrobat and Reader. Four are rated 'Important'; the rest are 'Critical' because they could be used to create malicious PDF files.

Cisco: Updates to address five vulnerabilities in SD-WAN solution, three rated 'high severity'.

VMware: Security update for a 'Critical' vulnerability in Workstation Pro that could allow attackers to perform a denial-of-service attack or execute commands on the Windows host.

Trend Micro: Updates to address serious vulnerabilities in Worry-Free Business Security, Apex One and OfficeScan products.

Drupal: Security updates for Drupal 8.7.x and 8.8.x to fix issues that could be exploited to take control of an affected system.

SecureDrop: Version 1.2.2 fixes problems with installation and updates of previous release. SecureDrop has also released guidance for organisations who need to access their Secure Viewing Station remotely.

Teams: Microsoft added new features, including background noise suppression, and a ‘raise hand’ button to ask questions. This is assuming the product is actually working.
