FFT news digest May 22 2020

Tracing

If smartphones can be used to track people for marketing purposes (and to identify illegal streaming), it should be perfectly possible to harness their power to help stop the spread of the coronavirus. But in practical terms, that path has been beset with difficulties. This week in the UK, the National Cyber Security Centre admitted there were several weaknesses in its contact-tracing app, and the government began downplaying its importance. Meanwhile, Apple and Google released their contact-tracing solution (the one the UK government isn't using...yet). It's important to note this is not an app, but a means to exploit the capabilities of smartphones while protecting user privacy. 22 countries have requested access to the technology but, just as with the wider struggle against COVID-19, most governments have so far failed miserably to display the level of cooperation and collaboration that common sense tells us will be required to control the pandemic.

Scumwatch

Increasingly effective templates are being used to exploit the coronavirus pandemic, according to research by Proofpoint. It says it has seen a surge in fake websites related to COVID-19, including ones impersonating the World Health Organisation, the Centers for Disease Control and various governments. While they may not be exact copies, they are highly credible and will certainly fool some people. Among other scams this week:
Office 365: Sophisticated attack uses a malicious SharePoint link to trick users into granting permissions to a rogue application. Cofense
LogMeIn: Fake emails alert the recipient to an urgent update. The link leads to a convincing-looking phishing page. Abnormal Security
NetSupport Manager: "Massive campaign" uses malicious Excel attachments to install the remote administration tool. Microsoft
Alexa/Echo: Fake Amazon-branded websites and apps targeted new owners and tried to sell them useless protection plans. One of the companies involved, Robojap, has been up to similar tricks with Google.
CAPTCHA: Sophisticated attack uses a CAPTCHA challenge for added credibility. Armorblox

easyJet

We're still waiting for easyJet to provide more details about the data breach that affected some nine million customers, but there are worrying questions about what happened, and when. The airline appears to have become aware of the attack in January. It wasn't until April that it began telling some customers that their credit card details had been stolen. And it only revealed the data breach this week in a statement that leaves most of the key questions unanswered. The airline blames the attack on a "highly sophisticated source" and says it immediately "engaged leading forensic experts" to investigate the attack. Does that mean the experts have been beavering away since January? Why should we believe a highly sophisticated source was responsible, rather than Ron in Accounts clicking on a dodgy link? And why did the stolen credit card data include the CVV number on the back of the card? We have enormous sympathy for anyone who has experienced a data breach, but when one happens, it's crucial to be as transparent as possible, as early as possible. Because the truth will out.

Surveillance

While people worry about the privacy of coronavirus tracking solutions, researchers at Bellingcat have demonstrated that something as mundane as an app for beer fans can be a threat to national security. Untappd has more than 8 million users, most from Europe and North America, who record what and where they drink. Bellingcat found it trivially easy to use the information to track military personnel, including a US drone pilot and the domestic and overseas bases he had visited. It then cross-referenced the information and identified home addresses, family, friends and colleagues. The Register tried out Bellingcat's techniques and quickly identified someone who had recorded details of pints taken "close to GCHQ Cheltenham; the Atomic Weapons Establishment base at Aldermaston; an Army base at South Cerney in Gloucestershire; and his regular pub crawls around his hometown." Similar issues have been highlighted elsewhere, notably the Strava fitness app. As Bellingcat has repeatedly shown, open source intelligence is enormously powerful, but it's important to make sure it can't be used against you...or national security.

Remote working

As another bunch of companies tell employees they can continue working from home if they want to, we've been looking for more free resources to help ease the change to remote working. TechCrunch has a long interview (£) with GitLab's "Head of Remote" about the culture of a company in which all 1,200-plus employees in 65 countries work remotely. Of course, this makes sense for GitLab since its key product is a collaboration tool that aims to help people work together more effectively. GitLab's entire staff handbook is online and open to anyone who wants to learn about its culture. There's also a downloadable e-book offering a comprehensive guide to remote working. It includes tips on getting used to working remotely (#5 "Relax!"), and advises managers to consider having "an always-on video conference room per team, where team members can linger, or come and go as they please". GitLab has also revealed the results of an internal security exercise to see if staff would fall for a targeted phishing email: 20% of participants entered their credentials on a fake gitlab.com login page. Only 12% reported the phishing attempt.

Cock-ups and cash

Money and mistakes are the driving force behind most security breaches, according to Verizon's latest Data Breach Investigations Report. The DBIR, now in its 13th year, is one of the most comprehensive overviews of what's really happening in information security. The headlines:
Espionage may get the headlines, but 86% of breaches were financially motivated.
Credential theft (of all kinds) and errors caused at least 67% of breaches.
Ransomware is commonplace and growing.
Breaches linked to internal errors more than doubled (but Verizon reckons that's mainly down to improved reporting requirements).
The good news is that security tools are getting better at blocking common malware.
And, despite well-publicised failures, most organisations are pretty good at applying updates. Verizon warns the real risk comes from poor asset management which can lead to forgotten and neglected devices connected to the internet.

In brief

Another reminder about the risk from people who are about to leave an organisation. Research suggests they're involved in 60% of insider cybersecurity incidents and data leaks. This can start anywhere from two months to two days before their departure date. Securonix

Security firm ADT has apologised after one of its technicians remotely accessed hundreds of customers' CCTV cameras to spy on people in their own homes. In one case, a teenage girl and her mother were spied on at least 73 times. The Register

Expect fewer humans to answer your support calls in the future. The COVID-19 pandemic is accelerating the uptake of call handling solutions powered by artificial intelligence. MIT Technology Review

The Ukrainian Security Service says it has arrested a prolific hacker accused of selling billions of stolen credentials. SBU

Working from home definitely increases the chances that a computing device will have an unplanned encounter with some liquid. This needn't spell disaster. ZDNet has advice about what to do.

A family dispute in Holland culminated in a court ruling that by posting pictures of her grandchildren on social media, their grandmother unlawfully processed their personal data. The case has echoes of a key ruling in 2003 that the creation of a personal web site was not a personal activity that exempted the owner from data protection rules. GDPRHub

Updates

Chrome: Version 83 is a major update to Google's browser that includes a slew of security and privacy changes. "Enhanced Safe Browsing" will perform real-time checks of URLs for known threats. A new section called "You and Google" allows users to specify what data is shared with Google. A redesigned interface makes it easier to control which cookies you allow. Some of the changes will be activated in the coming weeks.

Apple: As well as support for tracking/tracing, iOS 13.5 also changes the way Face ID works for users wearing a mask (it will go straight to the passcode screen). Meanwhile, a company says it's about to release a tool that will allow every iPhone model to be jailbroken (i.e. to remove the built-in security restrictions).

Adobe: Important updates for Creative Cloud apps. Also an emergency update for its Animator product to address a serious vulnerability.

Signal: Secure messaging app quickly addressed an issue that could have compromised user locations. It's also introducing a new feature which ultimately will reduce the need for phone numbers. Initially, 'Signal PINs' will allow data to be migrated to new devices.

Cisco: Critical update for Unified CCX call center solution. A vulnerability in the remote management interface could allow a remote attacker without credentials to install malware on the device.

Drupal: Update for Drupal 7 to address an 'Open Redirect' vulnerability, which could be used to trick a user into clicking on a specially crafted link that would redirect them to a malicious web address.
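The Drupal item describes the classic open redirect: a "return to" parameter that the application forwards the browser to without checking where it points. As an added illustration (not Drupal's code and not taken from the advisory), here is a redirect-target validator in Python that accepts only site-relative paths or absolute URLs to an allowlisted host, and falls back to the site root for anything else. The allowlist, the fallback and the sample destinations are constructed for this example; it also covers the protocol-relative, userinfo and backslash variants that a naive prefix check misses.

```python
from urllib.parse import urlsplit

# Hosts this application is allowed to redirect to (constructed for this example).
ALLOWED_HOSTS = {"example.com", "www.example.com"}
SAFE_FALLBACK = "/"


def safe_redirect_target(destination: str,
                         allowed_hosts=ALLOWED_HOSTS,
                         fallback: str = SAFE_FALLBACK) -> str:
    """Return `destination` if it is safe to redirect to, otherwise `fallback`.

    Accepted:
      - site-relative paths such as "/account/settings"
      - absolute http(s) URLs whose hostname is in `allowed_hosts`
    Rejected (fallback returned):
      - protocol-relative "//evil.example/..." (browser resolves to another host)
      - absolute URLs to hosts not in the allowlist, including
        "https://example.com@evil.example/" (the part before "@" is userinfo)
      - non-http(s) schemes such as javascript: or data:
      - backslashes, which some browsers treat as "/" and so as a host separator
      - raw control characters or whitespace, a sign of tampering
    """
    if not destination:
        return fallback
    dest = destination.strip()

    # Control characters or embedded whitespace never belong in a redirect target.
    if any(ord(c) < 0x20 or c.isspace() for c in dest):
        return fallback

    # Normalise backslashes to forward slashes so "/\evil.example" is parsed
    # the way a lenient browser would parse it ("//evil.example").
    dest = dest.replace("\\", "/")

    parts = urlsplit(dest)

    if parts.scheme:
        # Absolute URL: only http(s) to an allowlisted host is acceptable.
        if parts.scheme.lower() not in ("http", "https"):
            return fallback
        if parts.hostname is None or parts.hostname.lower() not in allowed_hosts:
            return fallback
        return dest

    # No scheme: must be a site-relative path, not protocol-relative.
    if parts.netloc or dest.startswith("//"):
        return fallback
    if not dest.startswith("/"):
        return fallback
    return dest


if __name__ == "__main__":
    # Constructed sample destinations a "?destination=" parameter might carry.
    samples = [
        "/account/settings",
        "https://example.com/orders",
        "//evil.example/phish",
        "https://example.com@evil.example/",
        "javascript:alert(1)",
        "/\\evil.example",
    ]
    for s in samples:
        print(f"{s!r:40} -> {safe_redirect_target(s)!r}")
```

Call `safe_redirect_target()` on the user-supplied value immediately before issuing the redirect, never on a value stored earlier, and prefer to log the rejected input: a burst of fallbacks with foreign hostnames is a cheap detection signal for a phishing campaign aimed at your login page.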

MAGMI: FBI warns older version of e-commerce solution is being actively exploited. MAGMI 0.7.23 fixes the issue, but users are urged to update to version 2.x because security updates for earlier versions will end on 30 Jun 2020.

Nitro PDF: Users should check they are running the latest version. Attackers are actively exploiting vulnerabilities that were fixed on May 8.

Windows DNS: Microsoft advises users of Windows DNS servers to enable 'Response Rate Limit' to prevent attackers exploiting a serious vulnerability. The researchers who identified the issues have further details and updates from other manufacturers.

QNAP: Users of QNAP Photo Station should check they installed updates issued in November 2019. The vulnerabilities that were fixed could be exploited to attack QNAP network-attached storage (NAS) devices remotely. 
