FFT news digest Apr 17 2020

Tracking

Amid the relentless rise in the number of COVID-19 deaths and ongoing social distancing measures, a lively debate is taking place about privacy and contact tracing apps. Google and Apple have joined forces to work on a system that will track the spread of coronavirus while also preserving user privacy. The solution will harness Bluetooth technology to identify anyone who has been in close contact with a person confirmed to be infected with the coronavirus. But other significant questions remain to be answered. Aside from privacy implications, perhaps the most important is how many people will actually use such a solution. Experts advising the NHS told the BBC that a contact-tracing app could help stop the pandemic, but only if 80% of current smartphone owners use it. A similar solution in Singapore has been installed by only about one person in six. And a senior director at Singapore's Government Technology Agency warned that "automated contact tracing is not a coronavirus panacea".

Scamwatch

Google says it blocked 18 million coronavirus-related malware and phishing emails every day last week, as attackers continue to exploit the COVID-19 crisis. Those statistics reflect a sharp rise in targeted phishing attacks. Security outfit Barracuda says these take all forms, including impersonation, business email compromise, and even blackmail. It's vital that everyone is on their guard, particularly for attacks arriving via social media and collaboration tools. Coronavirus Phishing Scams is gathering examples and posting new ones every day. Among this week's scams:
Flight refund: A fake refund form is distributed by email. Targets are asked to enter their names and credit card details.
Masks: Email promises availability of protective masks. In reality, it's designed to steal the victim's credentials.
White House: Fake White House email announces extension of quarantine measures to August and tries to persuade recipient to open malicious link.

Remote

The upsurge in remote working is illustrated by one calculation that puts usage of Microsoft Teams and Google Meet at nearly 500 billion minutes every day. But compared to corporate networks, security company BitSight says home networks are 3.5 times more likely to be infected by malicious software. Among the problems identified by BitSight are exposed control interfaces for internet modems, routers, cameras, storage and other connected devices. For attackers, this is fertile ground -- and they are busily tilling it. Small and medium-sized organisations are particularly at risk because they are less likely to have the time or resources to protect themselves...as our next article illustrates.

More remote

Despite the rise in remote working, only 40% of small businesses have implemented a cybersecurity policy, and that drops to 25% for companies with fewer than 20 workers. Research by the Cyber Readiness Institute found half the businesses surveyed were concerned that remote working would lead to more cyberattacks. But nearly 40% of them felt economic uncertainty would prevent them from making necessary cybersecurity investments. Now more than ever it's critically important to make sure there is clear guidance for people working at home. There is no shortage of free resources (our own guide is here), so cost should not be a barrier. The key is to ensure that everyone understands the importance of basic security precautions. That's true at any time. But the sheer number of attempted hacks makes it particularly important at the moment.

Single point of failure

This week's episode of "This is how we screwed up, so you don't have to..." comes courtesy of Cloudflare. With its habitual (and admirable) honesty, it revealed that a major outage this week was caused by a technician who unplugged a patch panel providing all external connectivity to other Cloudflare data centers. As you might expect, given Cloudflare's central role in global connectivity, its architecture was designed to avoid this. Unfortunately, as it admitted, "While the external connectivity used diverse providers and led to diverse data centers, we had all the connections going through only one patch panel, creating a single physical point of failure." Once the cables were unplugged, "valuable time" was lost identifying which ones needed to be reconnected. Single points of failure and poor documentation are common causes of disasters. Cloudflare's experience is a reminder to check how our own systems are designed.

Zoom

As pressures on it increase, Zoom is revamping its bug bounty program, which rewards researchers who uncover vulnerabilities in its video platform. The announcement came after reports emerged of two previously unknown issues being offered for sale at prices of up to $500,000. Zoom has seen the number of users rise from 10 million in December to 200 million today, but increased scrutiny has revealed serious security deficiencies in the app's code, user data management, encryption scheme, and the location of some of its servers. The company is making considerable efforts to address these concerns, and is being pretty transparent about what it's doing. We continue to believe it's suitable for everyday, non-sensitive conversations, but it's essential to ensure it's kept up to date. There is also some evidence that it's safer to join Zoom meetings in your web browser than to download the web client. Whatever you do, it's vital to use strong, unique passwords, not least because 500,000 Zoom credentials have turned up for sale on the Dark Web.

In brief

The UK data protection regulator, the ICO, has updated its guidance on how it will work during the coronavirus pandemic. In "exceptional times", it says it will adopt a flexible approach that reflects the difficulty organisations may have in meeting normal deadlines and requirements. ICO FAQ

Beware of 'fleeceware'. These are apps that require payment information in return for a free trial. Unless the subscription is cancelled (even if the app is deleted), charges amounting to hundreds of dollars are processed. Sophos

Currency exchange service Travelex paid $2.3 million to hackers who encrypted its files and held them to ransom. While one can sympathise with Travelex, paying the ransom will only incentivise similar attacks. WSJ ($)

Russian hackers were behind an attack on San Francisco international airport. Researchers say key airport websites were compromised in an attempt to steal the Windows logon credentials of airport employees. ESET

A vulnerability in TikTok could be exploited to show users fake videos. Researchers said the issue is caused by an insecure method of downloading media content. Mysk

Apple launched a (comparatively) low-cost iPhone this week, but at the same time it also released some eye-wateringly expensive wheels for its Mac Pro workstation. Cost of the new iPhone SE: £419. Cost of the wheels: £584. Apple

Updates

Microsoft: Monthly update addresses 113 vulnerabilities, including 15 rated 'critical'. Three patches are for 'zero-day vulnerabilities'; two of these affect the Adobe Font Manager and are being actively exploited.

Windows Defender: Another update snafu which this time broke Microsoft's antivirus solution. The culprit appears to be an update for Security Intelligence which was pushed automatically yesterday. An update to fix the update is expected shortly.

Windows: Microsoft is postponing the scheduled end of support and servicing dates for a range of products including Windows 10 1709 and Windows Server 1809.

VMware: Fix for critical issue involving a poorly implemented access control, which could allow a malicious actor to bypass authentication mechanisms.

Oracle: Extraordinary number of updates, even by Oracle's high standards. April release contains 397 security patches for more than 100 products. 66 of the issues are rated 'critical'.

Adobe: Updates to address five vulnerabilities in ColdFusion, After Effects and Digital Editions.

Cisco: Fixes for issues affecting a variety of Cisco IP phones and Cisco UCS Director and Cisco UCS Director Express for Big Data.

Intel: Updates for Data Migration Software Advisory, PROSet/Wireless WiFi Software Advisory, Driver and Support Assistant Advisory, Modular Server Compute Module Advisory, Binary Configuration Tool for Windows Advisory, NUC Firmware Advisory.

SAP: 23 Security Notes include five for Hot News vulnerabilities. Most important affects SAP Commerce and could be exploited remotely without requiring authentication.
