FFT news digest May 8 2020

Scumwatch

The monthly volume of cyber attacks increased by 33% between January and the end of March 2020, according to research from Mimecast. 100 Days of Coronavirus (Covid-19) warns that criminals are tailoring scams to match the big news stories on a particular day. "Campaigns are exploiting the vulnerability of users working at home, taking advantage of their desire for information about the coronavirus pandemic to entice them to click on unsafe links," the report says. Among this week's scams:
Teams: Fake Microsoft Teams notification emails aim to trick users into sharing their login credentials. Abnormal Security
Webex: Emails warn targets they have to verify their accounts because of SSL cert errors. Abnormal Security
COVID-19: Emails try to persuade users to download and run ISO or IMG file attachments. Microsoft
EE: Senior executives are being targeted with phishing emails purporting to be from telecom giant, EE. Cofense
Cargo arrival: Email with blurred logo tries to trick recipient into downloading malicious JPEG image file. Kaspersky via Coronavirus Phishing

Tracing realities

The UK's insistence on pursuing its own contact tracing solution appears to have run swiftly into reality as a trial began on the Isle of Wight. The Financial Times reports that the government is paying an IT supplier to investigate the creation of an app that would use the solution being developed by Google and Apple; something the UK had rejected. The UK solution has been criticised by privacy activists who say it will create a centralised database and by technologists who point out that it won't actually work. The UK's decision may have been informed by Australia's experience. Australia also developed a standalone app which, as expected, has performed poorly on iPhones because of restrictions on the way Bluetooth works when an app is in the background. Questions have also been raised about whether Bluetooth supports sufficient accuracy in determining location, which is obviously essential to working out when people have come into contact with someone infected with coronavirus.

Cookies, consent and compliance

Updated guidance from the EU makes it crystal clear that websites must not make access to content dependent on visitors agreeing to allow their personal data to be processed. The new guidelines from the European Data Protection Board say ‘consent cookie walls’ fail to meet the requirements that consent must be freely given in order to be valid. "If the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid," the EDPB says. Guidance is also provided on whether scrolling can constitute consent. 'No!' is the resounding answer. “Actions such as scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of a clear and affirmative action,” the board says. Research last year found the majority of websites failing dismally to meet the GDPR's requirements. European regulators are overwhelmed at the moment, but we would advise website owners not to rely on that to protect them from complying with the cookie rules.

Journalism security

Cybersecurity is not a priority for most journalists until something goes wrong, and a new report sets out some of the reasons why. Reluctant managers, constrained resources, and organisational inertia all contribute to a situation in which security is sidelined, according to the Tow Center's report. Above all, journalists either ignore security advice or create their own solutions in order to get a story published. As we have a former journalist on our team who literally used to leave the country to avoid security training, this all rings true. The Tow Center's report has excellent recommendations for beginning to address journalism's security deficiencies. Above all, training and advice have to be relevant to how journalists really work - as opposed to how managers think they work. There is also a growing number of valuable online resources, and this week an online tool was released which provides free travel advice for freelance journalists.

Remote security

Over half of employees working from home during the COVID-19 pandemic watch inappropriate content on the same devices they use for work, according to research from Kaspersky. And nearly a fifth of employees are doing this on devices provided to them by their employer, the research says. As we've warned before, the upsurge in accessing illegal content is being exploited by attackers and is a critical security risk for individuals and organisations alike. This week, Pen Test Partners catalogues the issues created by the people who share our technology at home, and the importance of discussing security with them. More positively, a survey suggests widespread use of multi-factor authentication and virtual private networks. But such measures are of limited use if people reuse and share passwords, as most of us continue to do according to surveys released to mark World Password Day. And another issue to keep in mind: all those social media challenges to name 10 favourite books, albums etc. Attackers love that information, just in case it's been used to create a password or the answer to a memorable question.

Lifting the lid on WeChat

With 1.15 billion users, WeChat is pretty much essential to life in China, and has been expanding internationally. Now, researchers have shown how its overseas communications are used to train Chinese censorship tools. It's common knowledge that accounts registered to Chinese phones are subject to surveillance and censorship, but it hadn't been shown that international accounts were being monitored in the same way. The researchers from the University of Toronto's Citizen Lab carried out a series of experiments showing that politically sensitive content sent exclusively between non-China-registered accounts was identified -- and subsequently censored when transmitted between China-registered accounts. WeChat is far from the only Chinese-owned app making inroads internationally. Concerns have also been raised about the privacy of users of TikTok and Grindr, amongst others. Such concerns also extend to Google, Facebook and other Western brands, but, as Citizen Lab discovered, at least they have data protection offices which will respond to questions.

In brief

"A backdoor with phone functionality," is how a researcher described his Xiaomi smartphone after discovering it was recording much of his behaviour. Xiaomi denied the findings, a position that would be a great deal more credible if there weren't recordings showing what the phones are doing. Forbes

Microsoft is trying to reduce enterprise data theft by changing Office 365's default settings to prevent email forwarding to external recipients. It will start rolling out the feature from October this year. Microsoft

GoDaddy has admitted that 28,000 customers’ hosting accounts were compromised in a security breach. It said it had already notified affected users. Bleeping Computer

If some of your iPhone and iPad apps stopped working on Wednesday then you have Facebook to thank. A serious bug in its app affected Spotify, Tinder, TikTok, Soundcloud, and Pinterest among others. ZDNet

Researchers say they can control the collision avoidance system used to stop planes flying into each other. They said they could control the responses of aircraft to make them climb or descend at precise points. Not worrying at all. Pen Test Partners

A new kind of malware could be used to steal data by subverting power supply units. The method works by turning the supply into what amounts to a loudspeaker capable of transmitting data at very low speeds. Israel Cyber-Security Research Center

A reminder courtesy of PwC about the importance of auditing website domain records. The accountancy/consulting giant was doubtless slightly surprised to find one of its old sub-domains hosting a selection of fruity links to pornographic sites. The Register

In a victory for optimism over reality, Twitter is testing a feature to make things more civilised. “When things get heated, you may say things you don’t mean,” it said. The new prompt, “gives you the option to revise your reply before it’s published.”

Updates

Samsung: Urgent update for all Samsung smartphones sold since 2014. Fixes an issue in the way image files are handled which could allow a device to be attacked without the user doing anything.

Android: Google's monthly set of updates address 39 issues, one of which could allow an attacker to take over a device completely.

Teams: Microsoft is warning against updating the Teams iOS app because of a bug that causes intermittent call drops on the desktop client.

Firefox: Version 76.0 includes multiple security fixes and improvements to the built-in password manager. Firefox is also developing a new service designed to hide email addresses when filling in online forms. Private Relay is in an invitation-only trial at the moment.

Zoom: Free users are getting three recently released security features: password requirement for all meetings; waiting rooms on by default; screen sharing for host only by default.

TP-Link: Firmware updates for NC series cloud cameras which have multiple vulnerabilities, some allowing malicious remote access.

Oracle: Warning that attempts are being made to exploit recently patched vulnerabilities, including critical WebLogic Server flaw.

Windows 10: An update has been released to early adopters which is designed to fix issues that can lead to errors and prevent updates from being correctly installed. A general release should be available as early as next week.

Cisco: Updates to address high-severity flaws affecting its Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.

SAP: Some cloud products do not meet contractual or statutory security standards. Issues affect 9% of customers who are being notified individually.

Citrix: Updates for ShareFile storage zones controllers to address several information disclosure vulnerabilities.

Zimbra: Patch 2 for Zimbra 9.0.0 “Kepler” GA release includes important security fixes.

Tails: Multiple security updates. Users advised to update as soon as possible.
