FFT news digest Apr 3 2020

Every move...

The surveillance genie is well and truly out of the bottle and hard at work as countries try to control the spread of the coronavirus. Singapore, Poland and Kenya have joined South Korea, Taiwan and Israel in deploying solutions that harness location data to enforce social distancing and track the movements of infected people. In the US, health officials are obtaining bulk location data to assess compliance with stay-at-home orders. The UK's data protection regulator has said it's legal to use anonymised mobile phone data, and Sky News reports that the government is preparing to launch a contact-tracing app which will alert people if they come into contact with someone who has tested positive for COVID-19. For an idea of what the data can show, Google is producing reports on how communities are moving (or not moving) around. Activists are divided over the implications of these developments for privacy, and whether the genie will be returned to the bottle once this horror show is over.

Zoom

With extraordinary growth comes extraordinary scrutiny, as video collaboration platform Zoom is discovering. After a torrid week that revealed vulnerabilities, misleading statements and questionable practices, it says it's pausing work on new features and redeploying staff to focus on privacy and security. Zoom apologised for falling short of its own expectations and those of its users, saying the number of daily users had risen from 10 million in December to 200 million in March. Our advice is not to be overly concerned about security issues, providing you take basic precautions. These include: not sharing screenshots showing the meeting ID and usernames (as Boris Johnson did); making sure the app is up to date; avoiding using a personal meeting ID to host public events; selecting "only authenticated users can join"; using "enable waiting room" to screen who's trying to join a meeting; using a strong, unique password; turning on two-factor authentication; and watching out for fake meeting invites.

Scams

An extraordinary range of coronavirus-related scams this week, including:
Wiper: Malicious software targets Windows machines and overwrites the Master Boot Record, which renders the device unusable. SonicWall
Co-worker: Attackers are targeting Office 365 accounts by falsely claiming a colleague has died from COVID-19. PhishLabs
Payment: Emails with subject line "COVID-19 payment" aim to install malicious software designed to harvest banking credentials. FireEye
Fine: In London, fake texts tell people they must pay a £35 fine for breaking lockdown rules. The texts mimic UK government alerts. InfoSecurity
Cough: Scammer threatens to infect target's family with coronavirus unless a payment is made. Bitdefender
Exposed: Email pretends to be from local hospital telling the recipient that they've been exposed to the coronavirus and need to be tested. (Highly unbelievable in the UK). Bleeping Computer

Journalists

Since the start of the year, journalists and media organisations have become preferred vehicles for attacks linked to nation states, according to Google's Threat Analysis Group. "For example, attackers impersonate a journalist to seed false stories with other reporters to spread disinformation. In other cases, attackers will send several benign emails to build a rapport with a journalist or foreign policy expert before sending a malicious attachment in a follow up email," Google said. The attacks consistently target geopolitical rivals, government officials, journalists, dissidents and activists. And Google warns that if an attacker doesn't succeed at first, they will keep on trying different approaches until they do. Anyone with an elevated risk should consider Google's Advanced Protection Programme. Google says it has yet to see a successful phishing attack against anyone who is part of it.

Vicarious liability

In a closely watched case, Britain's Supreme Court has ruled that Morrisons supermarket chain is not liable for the actions of a disgruntled employee who leaked thousands of employees' payroll data. Lower courts had decided that Morrisons was 'vicariously liable' for the leak, even though the rogue employee was found guilty of the breach (and is serving an 8-year jail sentence). The Supreme Court disagreed, saying the employee's actions were so far removed from his normal duties that vicarious liability did not apply. The judgment will be a relief to Morrisons - and to all employers - but it's important to note that it doesn't absolve organisations from responsibility for what their staff do. The ruling made clear that employers must take all reasonable measures to ensure their staff comply with the law in the course of their employment.

Marriott

Marriott International has suffered another data breach, this time resulting in access to the personal information of 5.2 million customers. The data included email addresses, phone numbers, gender, birth dates and linked loyalty programmes, Marriott said. The breach took place between mid-January and the end of February. It comes less than two years after a much more significant security failure affecting some 400 million people. The latest incident appears to have resulted from the unauthorised use of the credentials of two employees at one of Marriott's franchise hotels. Marriott should be commended for its swift disclosure of what happened, but there remain serious questions about how the breach happened, including the extent of access to personal information and why no-one spotted what must have been an unusual amount of activity for the two users' accounts.

In brief

Thousands of Microsoft SQL servers are being compromised every day by attackers who exploit weak credentials. The brute force attacks are used to install remote access tools and cryptomining software. Guardicore
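One way to catch the pattern behind this item on your own servers is to watch the SQL Server error log for bursts of failed logins from a single client, followed by a success. The script below is an added example written for this digest, not code from Guardicore or from the original item; the log lines it parses are constructed samples in the SQL Server ERRORLOG style, and the one-minute window and five-failure threshold are assumed tuning values you would adjust to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG style (not real telemetry).
# Successful logins only appear in the log when login auditing is set to record both.
SAMPLE_LOG = """\
2020-04-03 10:12:33.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-03 10:12:33.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-03 10:12:34.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-03 10:12:35.22 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2020-04-03 10:12:36.08 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2020-04-03 10:12:37.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2020-04-03 10:12:41.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2020-04-03 10:30:05.77 Logon       Login failed for user 'reporting'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]
2020-04-03 10:30:12.10 Logon       Login succeeded for user 'reporting'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.21]
2020-04-03 08:00:01.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2020-04-03 09:00:01.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2020-04-03 11:00:01.00 Logon       Login failed for user 'backup'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Matches the timestamp, outcome, login name and client address of a logon line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*?"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Turn ERRORLOG text into a list of logon events; non-logon lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "outcome": m.group("outcome"),
            "user": m.group("user"),
            "client": m.group("client"),
        })
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Flag clients with >= threshold failed logins inside a sliding window.

    Returns {client: {"peak_failures_in_window", "users_tried", "succeeded_after_burst"}}.
    A success from a client that already produced a burst is the case worth
    paging on: the attacker has likely found a weak password.
    """
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    findings = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        recent = []            # failure timestamps still inside the window
        users = set()
        peak = 0
        succeeded_after = False
        for ev in evs:
            if ev["outcome"] == "failed":
                recent.append(ev["ts"])
                users.add(ev["user"])
                # Drop failures that have aged out of the window.
                while recent and ev["ts"] - recent[0] > window:
                    recent.pop(0)
                peak = max(peak, len(recent))
            elif peak >= threshold:
                succeeded_after = True
        if peak >= threshold:
            findings[client] = {
                "peak_failures_in_window": peak,
                "users_tried": sorted(users),
                "succeeded_after_burst": succeeded_after,
            }
    return findings


if __name__ == "__main__":
    for client, f in detect_brute_force(parse_logon_events(SAMPLE_LOG)).items():
        print(client, f)
```

The slow trickle from 198.51.100.7 (one failure an hour) never fills the window and is not flagged; the single typo from 10.0.0.21 is not flagged either. Only 203.0.113.5, which cycles through 'sa' and 'admin' and then logs in, produces a finding, and its succeeded_after_burst flag is the signal that credentials should be rotated and the host examined for the remote access tools and miners the item describes.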

The Saudi government is reported to have exploited flaws in cellphone protocols as part of a long-running surveillance campaign. The vulnerabilities in "Signalling System 7" are well known but nothing has been done to address them. The Guardian

A flash alert from the FBI warns that booby-trapped USB drives are being sent to businesses in the US. The drives are sometimes accompanied by teddy bears or gift cards. Trustwave

The FBI has failed to follow internal rules when applying to spy on US citizens. A damning report suggests more than 5 years of surveillance activities may lack legitimate grounds. US Dept. of Justice

Lawyers have launched a group action as a result of this year's data breach at Virgin Media. Victims are told they could be entitled to "thousands of pounds" in data breach compensation. The operative word is "could". Virgin Media Group Action

Microsoft 365 is the new name for Office 365. It comes with some new features, and pricing is unchanged for the moment. Microsoft is also planning to launch a consumer version of Teams. TechCrunch

Updates

Windows 10: Urgent update released to fix issue that was causing internet connectivity issues on devices with proxies, including virtual private networks (VPNs).

OpenWRT: Versions 18.06.7 and 19.07.1 (released at the beginning of February) address a critical security issue.

Draytek: Vigor 2960/3900/300B are vulnerable to external attack, and examples have already been seen. Users should upgrade to 1.5.1 firmware or later as soon as possible.

Ubuntu: Updates and mitigations to address an issue revealed at a hacking contest.

AWS: A new security service called Amazon Detective is designed to help customers identify security issues across Amazon Web Services solutions.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217