FFT news digest June 19 2020

Security failure

Cyber weapons have the potential to be at least as devastating as nuclear arms, but the US intelligence community is accused of "failing to adopt even the most basic cybersecurity technologies". In a letter to the US Director of National Intelligence, Senator Ron Wyden said the ongoing failures include a lack of multi-factor authentication to protect domain names and poor email security. Senator Wyden also released redacted findings from the investigation into the loss of 180GB of hacking tools and documents which ended up being published by WikiLeaks. Among the lamentable security failures behind that breach was the password that was supposed to secure the device on which the tools were stored. It was 123ABCdef. "Most of our sensitive cyber-weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely," the CIA report says. It's worth a read as a guide to 'what not to do'.

Scumwatch

The evolution of scams related to COVID-19 is becoming complicated, with the overall number apparently falling while attempts to steal credentials are on the rise in the UK, Brazil and India. Microsoft says COVID-19 themed malware peaked in March and is slowly dying out. But Google points to an ongoing risk from attackers masquerading as government institutions (and in some cases as Google). Other scams this week:
Premier League: UK National Cyber Security Centre warns of attempts to take advantage of return of live football. NCSC
Android copies: Example of Play Store app that steals name and logo from genuine iOS app (in this case, Luma Fusion). Mark Blank-Settle
Robocalls: US survey shows 23% of respondents experienced an increase in calls since start of COVID-19 pandemic. Provision Living
Flash: New Mac malware is disguised as a Flash Player installer and spreads via Google search results. Intego
Fake breaches: Criminals try to extort money by pretending to have hacked a website and threatening to publish its data. Sophos

Tracing U-turn

It's taken six weeks, but the UK government finally bowed to the inevitable and gave up on its quixotic efforts to develop a centralised coronavirus tracking app. As predicted by anyone with a passing understanding of the way iPhones work, it proved impossible to circumvent fundamental controls built into the iOS operating system. Germany, Italy and Denmark had already given up on similar projects and adopted an approach developed jointly by Google and Apple. The UK now says it will do the same, while blaming Apple for refusing to undermine fundamental technical and privacy protections. It now hopes to launch an app in the autumn, though it's unclear what exactly its capabilities will be. As the UK made its announcement, Germany said its contact tracing app had been downloaded by 6.5 million people in the first 24 hours of availability. It's almost two months since it made the decision to give up on its centralised approach. The contact tracing app situation in the UK has attracted widespread criticism, including from Wikipedia founder, Jimmy Wales, who described it as "the height of incompetence on so many levels."

Disinfo

Russian operators conducted a six-year disinformation campaign that used fake accounts and forged documents to sow discord between Western countries, according to new research. The campaign stands out for its use of forged documents, says a 120-page dossier compiled by social media analysis firm Graphika. There were nine key themes, including: Ukraine as a failed state; the US and NATO as aggressive and interfering; Europe as weak and divided; and critics of the Russian government as morally corrupt, alcoholic, or otherwise mentally unstable. Graphika, which dubbed the operation Secondary Infektion, says it was notable for its robust security in contrast to other Russian disinformation campaigns. The huge scale of disinformation as a weapon was underlined this week by Twitter's announcement that it had taken down 32,242 accounts which it attributed to China, Russia and Turkey.

Routers

The ongoing security risk from home routers is highlighted by newly revealed issues with Netgear and D-Link devices. Researchers say 79 Netgear models dating back to 2007 are vulnerable to a remote attack that could bypass their authentication process. Netgear promises a fix is imminent. Meanwhile, D-Link has issued an update to address three of six vulnerabilities in its DIR-865L wireless router. This was a top-of-the-range device when it was released in 2012, but is now 'end-of-life'. This is an ongoing problem for consumer technology, where the focus is on low cost rather than high security. “While modern software development processes have vastly improved the quality of commercial software as compared to 10-15 years ago, consumer network devices have largely been left behind,” the researcher behind the Netgear work said. Unfortunately, routers' life expectancy is limited. Even if they're working well, once updates cease, the only option is to replace them.

Caught out

Online shopping, social media and choice of username enabled the FBI to identify a woman accused of setting fire to police vehicles in Philadelphia during a recent protest. TV news helicopters had captured footage of a masked woman with a peace sign tattoo setting a police SUV ablaze. The FBI said it identified the woman by following a trail that began with shots by amateur photographers on Instagram, continued to an Etsy shop that sold the distinctive t-shirt she was wearing, and ended at her doorstep via her LinkedIn page and profile on a fashion website. Lore Elisabeth Blumenthal, who is 33, faces a minimum 7-year jail sentence if convicted. "The technological capabilities of modern law enforcement far outstrip the privacy protections afforded under the law. And many people lack a general awareness of just how much the communications and information they post online is private or not," a lawyer for Blumenthal told The Philadelphia Inquirer.

In brief

The way mobile phone numbers are reused is a significant security risk for WhatsApp, as a Motherboard journalist discovered. After buying a pay-as-you-go SIM, he started receiving hundreds of messages intended for the person who had used the number previously. Another reason to set a PIN for the app. Motherboard

A major outage of T-Mobile's US network led to widespread alarm that it was the victim of a cyber attack. The truth was more prosaic: configuration cock-ups as a result of the mega merger with Sprint. Motherboard

A desperately sad story from the US where a university student killed himself after misunderstanding the balance on his share trading account. The app appeared to show he had a negative balance of $730,165. In fact, this was only temporary. Forbes

Russia has lifted its ban on messaging app, Telegram, after spending two years trying and failing to enforce it. The communications regulator said Telegram had agreed to cooperate in combating terrorism and extremism on the platform. Reuters

The latest cellular communications standards are vulnerable to attack, according to new research. The issues affect the GPRS Tunneling Protocol and could be exploited to attack 4G and 5G users. Positive Technologies

If someone really wants your information, they'll probably get it. Researchers have devised a way to turn a lightbulb into a listening device. It works by monitoring changes in air pressure on the surface of the bulb. Lamphone

Another dating app security disgrace. Hundreds of thousands of sensitive profiles, including images of "a graphic, sexual nature," were stored online with no security. Among the services affected: Herpes Dating and Gay Daddy Bear... vpnMentor

Online pornography is ubiquitous, but it's also a security risk and a lousy way for young people to learn about sex. We encourage families to discuss those risks, and New Zealand has produced a series of videos that might help start the conversation. One includes a couple of porn stars turning up on a family's doorstep... Keep It Real Online

And not really cybersecurity, but our ex-TV MD insisted...kudos to the US weatherman who turned his lawn into a green screen... CNN

Updates

Adobe: More security updates from Adobe, and they're important. After Effects, Illustrator, Premiere Pro, Premiere Rush, and Audition are affected.

Windows 10: Fix for printing problems caused by last week's update.

Zoom: In an abrupt U-turn, end-to-end encryption will be available to users of the free version, but only if they hand over a verified phone number.

Chrome: Version 83.0.4103.106 for Windows, Mac, and Linux includes 4 important security fixes.

VLC: Media Player 3.0.11 for Windows, Mac, and Linux includes a fix for a vulnerability that could allow attackers to remotely execute commands or crash VLC on a vulnerable device.

Cisco: Updates to address two high-severity issues in the Webex Meetings Desktop App for Windows and macOS.

Twitter: Pilot supports voice tweets up to 140 seconds long. The feature is limited to a small number of iOS users, but will roll out more widely in the coming weeks. Perhaps it's just us, but this sounds like it opens several cans of worms.

Drupal: Updates for several vulnerabilities, including one that could allow an attacker to execute arbitrary code.

SecureDrop: Version 1.4.0 includes several security enhancements.
