FFT news digest July 17 2020

Twittered

The most devastating security breach in Twitter's history appears to have been achieved using the company's own administration tools. Twitter said the rash of high profile account takeovers was the result of "a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools." Speaking to Motherboard, a source who claimed to have taken over accounts said, "We used a rep that literally done all the work for us." A second source added the Twitter insider had been paid. The method of hijacking the accounts is still unconfirmed, but it appears the attackers were able to use Twitter's tools to change the email address associated with accounts, disable multi-factor authentication and force a password change. In this case, the attackers' immediate objective was a bitcoin scam (which netted them over $100,000), but their access to the accounts of some of the world's most famous people means they may have made off with much more valuable information. More worryingly, imagine what a nation state attacker could accomplish with this sort of breach...say, in the run-up to an election.

A hot mess

A hugely significant ruling by Europe's top court has upended the structure governing EU-US data transfers, and highlighted fundamental legislative differences that will be challenging to reconcile. The Court of Justice of the European Union struck down the so-called Privacy Shield, saying "the requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country." But the ruling doesn't stop at the Privacy Shield. Many organisations have relied on Standard Contractual Clauses and Binding Corporate Rules to govern data transfers outside the European Economic Area. Those mechanisms remain valid, but only if organisations assess that the destination country protects personal data adequately. The Court of Justice doesn't believe this to be true of the US, and national regulators must intervene to stop transfers that don't have sufficient protection. Little light has been shed by the UK's regulator. Its only response so far has been to say it's "considering" the judgement.

Media under fire

Almost a fifth of the 'credential stuffing' attacks seen in 2019 targeted media companies and content delivery services, according to research from Akamai. Its report, which was delayed by the COVID-19 pandemic, highlights an extraordinary rise in attacks, with broadcast TV companies facing a 630% year-on-year increase in 2019. Akamai says it observed 88 billion attacks during the year in which stolen usernames and passwords were used to try to break into accounts (the technique known as 'credential stuffing'). Video was not the only target. Amid a 7,000% increase in attempts to steal published content, newspapers, books and magazines were all affected. Intriguingly, Akamai says criminals appeared to be combining media accounts with stolen rewards points from local restaurants and selling them as 'date night' packages. The delay to the report allowed Akamai to include 2020 data which showed a sharp spike in malicious login attempts against European broadcasters. In one 24-hour period, there were nearly 350 million attempts against a single organisation. 
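The defining signature of credential stuffing is many different usernames tried from one source in a short period, most of them failing, with the occasional success marking an account that needs an immediate reset. Password guessing against a single account looks different and calls for a different response. The following is an added example, not code from Akamai or from this digest, that flags that pattern over a handful of constructed authentication log lines; the log format, IP addresses and usernames are all made up for the illustration, and the thresholds are assumptions to be tuned per service.

```python
"""Flag credential-stuffing sources in authentication logs.

Added illustration; the log format and every record below are constructed
for this example and do not come from any vendor report or product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <src_ip> <username> <result>"
# 203.0.113.7 sprays seven different usernames in four seconds (stuffing).
# 198.51.100.2 retries one username three times (password guessing).
# 192.0.2.9 is an ordinary successful login.
SAMPLE_LOG = """\
2020-07-15T10:00:01Z 203.0.113.7 alice FAIL
2020-07-15T10:00:02Z 203.0.113.7 bob FAIL
2020-07-15T10:00:02Z 203.0.113.7 carol FAIL
2020-07-15T10:00:03Z 203.0.113.7 dave FAIL
2020-07-15T10:00:03Z 203.0.113.7 erin FAIL
2020-07-15T10:00:04Z 203.0.113.7 frank OK
2020-07-15T10:00:04Z 203.0.113.7 grace FAIL
2020-07-15T10:00:10Z 198.51.100.2 alice FAIL
2020-07-15T10:00:20Z 198.51.100.2 alice FAIL
2020-07-15T10:00:30Z 198.51.100.2 alice OK
2020-07-15T10:05:00Z 192.0.2.9 henry OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for sources whose traffic looks like stuffing.

    Signal used (assumed thresholds): within `window`, one source IP tries
    at least `min_users` DISTINCT usernames and most attempts fail. A single
    username hammered repeatedly is password guessing, not stuffing, and is
    deliberately not flagged here. Any username that succeeded inside a
    flagged window is reported as likely compromised.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological order for the sliding window
        for start in range(len(events)):
            t0 = events[start][0]
            users, successes, attempts = set(), set(), 0
            for ts, user, result in events[start:]:
                if ts - t0 > window:
                    break
                attempts += 1
                users.add(user)
                if result == "OK":
                    successes.add(user)
            if (len(users) >= min_users
                    and len(successes) / attempts <= max_success_ratio):
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": attempts,
                    "compromised": sorted(successes),
                }
                break  # one hit per source is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

On the sample above only 203.0.113.7 is flagged, with `frank` listed as the account to reset; the repeated attempts against `alice` from 198.51.100.2 are left for a separate brute-force rule. In production the same logic belongs on the edge (rate limiting per source and per username), and the flagged usernames should feed a forced credential reset plus a check against known breach corpora.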

Bring your own

This week saw a series of reports that set out the scale of conflict taking place in cyberspace. If that expands into overt war, we won't be able to say we didn't know what was going on. The headlines were dominated by accusations that Russian state-sponsored hackers have been targeting UK, US and Canadian efforts to develop a coronavirus vaccine. But that was far from the only allegation being made. Yahoo! News reported on "a series of covert cyber operations" conducted by the CIA and designed to create disruption rather than gathering intelligence. The report says the CIA's actions follow a 2018 presidential order that removed controls and oversight over such operations. In Europe, strong evidence emerged to suggest that Spain has been using the notorious Pegasus spyware against breakaway Catalan politicians. An anonymous employee quoted by Motherboard said the spyware had been unlocked for use in a number of countries including France, Malta and Mexico. And the Committee to Protect Journalists has details of training and equipment provided to Ghana by the US and UK governments. The CPJ says the tools included Israeli technology designed to hack cellphones. 

Securing remote workers

A new toolkit aims to help small and medium-sized organisations keep themselves and their remote workers safe. The National Cyber Security Centre added a Home and Remote Working module to its Exercise in a Box which "helps organisations find out how resilient they are to cyber attacks and practise their response in a safe environment". We "would urge business leaders to treat Exercise in a Box in the same way they do their regular fire drills – doing so will help reduce the chances of falling victim to future cyber attacks," the NCSC said. The module focuses on three key areas: safe access to networks, secure employee collaboration, and what processes are in place to manage a cyber incident remotely. It includes scenarios based on ransomware attacks, losing devices and a cyber attack simulator which safely imitates a threat actor targeting operations to test an organisation’s cyber resilience. We understand the intense pressure on organisations at the moment, but given how long we're going to be working remotely, it is worth trying to carve out a little time to look at the NCSC's latest module.

Huawei

The Chinese technology company is at the centre of an intense superpower struggle, but what does it mean for users of Huawei's laptops, smartphones and other consumer devices? The UK's National Cyber Security Centre says Downing Street's decision to ban (and remove) Huawei equipment from UK telecommunications networks doesn't directly impact the technology used by individuals. "Existing Huawei devices shouldn’t be affected – all your apps should continue to work, and your phone/laptop/tablet should keep getting security updates for its normal lifetime." But the NCSC warns that, from now on, new devices won't be able to use Google applications and services, and US sanctions mean that Huawei will have limited or no access to a range of technologies. Until now, we've assessed the general risk of using a Huawei device as extremely low, but the US restrictions change that calculation and make it impossible to recommend buying a new Huawei product for the foreseeable future.

In brief

A warning from Apple not to close the lid of modern MacBooks with anything covering the camera. This follows multiple reports of broken displays because of the way the device is designed. Incidentally, Apple says it's not possible for the camera to function without the green light coming on. Apple

Legal vultures are circling LinkedIn after it emerged that its iOS app was accessing the contents of the clipboard. As we reported when news of this emerged, LinkedIn is not alone. This week the BBC released a new version of its News app that "contains a fix to a third party library which was causing the app to read from the clipboard on launch." The Register

When the FBI arrested Ghislaine Maxwell they found a cellphone wrapped in tinfoil in "a seemingly misguided attempt effort to evade detection."
Motherboard did a (not very scientific) experiment to test the effect of tinfoil and found it does block signals (though if you think you need to evade detection, you probably need some expert advice). Motherboard

Counterfeit products are a serious problem, but fake IT devices are a particular menace because of the impact they can have on an organisation's security.
F-Secure has details of the experience of one client, and what you can do to avoid being scammed. F-Secure

Revealing research from Mozilla which shows how YouTube's recommendation algorithm can create "thought bubbles" that serve only to confirm what someone already thinks. The experiment used 6 personas to see what content was served up to them and how this could confirm individual biases. Mozilla

China's Hong Kong legislation has led to two major VPN providers shutting up shop in the city.
Private Internet Access and TunnelBear said they were concerned that local authorities could use the law to confiscate their local servers. Private Internet Access TunnelBear

Updates

Microsoft: Monthly set of (123) updates includes one that broke Outlook for many users. Microsoft says a fix has been rolled out. SharePoint also appears to have been affected in some regions. The July update is supposed to have fixed three significant issues that have been plaguing users (affecting OneDrive, printing, and causing forced reboots).

Windows DNS Server: Update to address fundamental vulnerability which could enable a remote attacker to take over a machine. The issue was identified by Check Point, which says it appears to be around 20 years old. DNS (Domain Name System) is the mechanism that translates domain names that we understand into strings of numbers that make sense to machines.

macOS: Catalina 10.15.6 fixes a USB mouse/trackpad issue. This is a lightweight update, as Apple works on the successor to Catalina which is due to be released in the last quarter of this year.

iOS: Version 13.6 brings a number of security fixes, as well as more control over updates. 13.6 is a major update, although (like macOS) it looks like most of Apple's efforts are being focused on iOS 14 (also due for release later in the year). iOS 12.4.8 has been released for older devices unable to run iOS 13.

Zoom: Update released to address security issue affecting Windows 7 users.

Adobe: Updates for multiple vulnerabilities in Creative Cloud, Media Encoder, Genuine Service, ColdFusion and Download Manager.

Oracle: Quarterly Critical Patch Update has a remarkable 443 security fixes. More than half of the issues can be exploited remotely without any authentication.

SAP: Update to address critical vulnerability in NetWeaver Application Server Configuration Wizard. The issue could be exploited to take control of trusted SAP applications.

Cisco: 33 security fixes, five rated critical.

Juniper: Multiple updates across product line.

Amazon: Echo Buds owners are being asked to update software to address a "potential safety risk" (aka stop them overheating).

Subscribe to receive the digest by email

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217