FFT news digest October 23 2020

The world at war

The EU's cybersecurity agency, ENISA, has warned of the growing risk of an "uncontrolled cyber arms race" amid what it says are efforts to turn the public internet into a "war domain". Its annual report lists a series of rising trends, all pointing to an ever-increasing probability of a hot war in cyberspace. Underlining the findings, this week the US indicted six Russians on charges of carrying out some of the world's most destructive cyber attacks. And research from Accenture says state-sponsored hackers are laying siege to email services such as Exchange and Outlook Web Access. A new HBO documentary, The Perfect Weapon, provides a sober but alarming overview of how cyber warfare is developing. Of course, there's an often blurred line between war and crime. ENISA says criminal trends include more "personalised" attacks that exploit stolen credentials, phishing and "advanced social engineering".

Threats

Loyalty cards: Attackers are breaking into online loyalty card accounts by using stolen credentials or personal details that are easily obtained. Akamai says one of the problems is that many consumers don't regard the accounts as high-risk.

Teams: A fake automated message from Microsoft Teams is used to try to steal the recipient’s login credentials. It advises, ‘There’s new activity in Teams’ and urges the recipient to click on ‘Reply in Teams’ which lands on a phishing page. Abnormal Security

Gift voucher: Criminals are impersonating the boss of Marks & Spencer to fool victims into handing over their bank account details. The fraudsters have used social media to send fraudulent adverts promising the chance to win a gift voucher as part of a fictitious prize draw. Security Magazine

Passwords: Data from a security company shows just how bad many of us are at choosing passwords - and how our choice is driven by what's around us. Spoiler: in far too many cases, it's a variation on 'password'. Pen Test Partners

OSINT: There are many free tools for carrying out open source intelligence investigations, but a researcher has warned about the risks of using unvetted software. In one case, the tool turned out to have direct links to one of Russia's largest surveillance businesses. MwOsint

Fake URLs: Seven mobile browsers are vulnerable to attacks that display a fake URL in the address bar. Impacted apps include Safari, Opera Touch, and Opera Mini. Rapid7

Ignorance: Worrying statistics suggest many employees consider IT security to be a low priority and 43% of them wouldn't recognise a mobile phishing attack. mobileiron

Spyware: New versions of the GravityRAT spyware are targeting Android and macOS devices. The campaign is mainly confined to India. Kaspersky

See you in court 

Google is being sued by the US Department of Justice in what could be a landmark case - but you wouldn't know it from its share price. The DoJ filed its case on Tuesday. At the end of the week, the value of shares in parent company Alphabet was up nearly 10%, putting its market capitalisation at $1.1 trillion. The DoJ alleges that the company owes much of its success to an anticompetitive strategy that cripples the competitive process, reduces consumer choice, and stifles innovation. “The end result is that no one can feasibly challenge Google’s dominance in search and search advertising,” the US Attorney General said. Google promptly wheeled out a statement calling the lawsuit "flawed" and saying, "People use Google because they choose to, not because they're forced to, or because they can't find alternatives". The case is likely to last years.

Twitter case

Twitter's disastrous security failure was caused initially by a clever but common scam involving a series of phone calls and a fake VPN login page. A report from the New York Department of Financial Services says hackers posed as members of Twitter's IT department and phoned a number of employees. They "claimed they were responding to a reported problem the employee was having" and "tried to direct the employee to a phishing website that looked identical to the legitimate Twitter VPN website,” the report says. "As the employee entered their credentials into the phishing website, the Hackers would simultaneously enter the information into the real Twitter website. This false log-in generated an MFA notification requesting that the employees authenticate themselves, which some of the employees did." The hackers then used their access to roam around Twitter's network, uncovering more information. It's a classic form of attack - and one we should all learn from.

Deep nudes

Photos of more than 680,000 women have been used to create fake nude images, according to a "visual threat intelligence" company. Sensity said the pictures were taken from social media sources, uploaded to a private Telegram messaging channel and "stripped" by an Artificial Intelligence-powered tool. According to the BBC, the results are laughably bad, but the story does highlight the ongoing problem of "deepfake" content. Visual effects that once were possible only in sophisticated post-production houses are now widely available, and have been frequently used to generate fake pornographic videos of celebrities. 

Cellular insecurity

There is more evidence of the risks of using cellular text messages for two-factor authentication. A report by the Israeli Haaretz newspaper says hackers attacked high-profile cryptocurrency executives and were apparently able to access their accounts on the Telegram messaging platform. A known flaw in the technology underpinning cellular networks can be exploited to intercept text messages. While text-based authentication is better than nothing, there is general agreement that an app-based solution is far more secure.

In brief

A Dutch researcher says he accessed Donald Trump's Twitter account by guessing the password was "maga2020". Victor Gevers says the account was not protected by two-factor authentication. Not true, said the White House. No evidence, said Twitter. RTL News

The UK data protection regulator has issued guidance on dealing with subject access requests (SARs). Key issues are delays for clarification, excessive requests, and what can be included when charging a fee. ICO

The Covid Symptom Study app has apologised after users received advertisements promoting face masks from Samantha Cameron's fashion label. Huffington Post

Google has removed two extensions from the Chrome Web Store after they were caught siphoning off user data. Nano Adblocker and Nano Defender had been sold earlier this month. Firefox versions aren't affected. ZDNet

Microsoft says the forced installation of web apps was caused by a fault in its Edge browser. It says it's addressing the problem, which only affected preview versions of Windows 10. TechRadar

Researchers in Israel say they can eavesdrop remotely on conversations by analysing minute vibrations on the surface of a lightbulb. Wired

Moscow has allocated some $2 million for a new tracking system that will capture unique identifiers from mobile devices in the city. Kommersant

Updates

Microsoft: Two emergency updates for Visual Studio and Windows 10

Apple: Another iOS version (14.1) is rolling out in an effort to fix the many bugs that some unlucky users have been experiencing (including one that prevented zeroes being displayed in Calculator). Unfortunately, the new version reintroduces a problem with changing default apps. There don't appear to be any security fixes in the latest release or if there are, Apple's not saying what they are.

Chrome: An important update fixes a previously unknown vulnerability that is being actively exploited. The current version is 86.0.4240.111.

Cisco: Updates for 17 high-severity issues in Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC)

Adobe: Another slew of updates, this time for Illustrator, Dreamweaver, Marketo, Animate, After Effects, Photoshop, Premiere Pro, Media Encoder, InDesign and Creative Cloud Desktop.

QNAP: Some versions of QTS (the operating system for its network-attached storage devices) are affected by the Zerologon vulnerability. The issues are fixed in the latest version.

VMware: Fixes for six issues affecting ESXi, Workstation, Fusion, Cloud Foundation, and NSX-T products.

Oracle: Another gigantic set of updates (402 of them), including fixes for vulnerabilities that could be exploited remotely without authentication.

WordPress: A forced security update was used to fix a vulnerability in the widely used Loginizer plugin.

Tails: Version 4.12 addresses several security issues and also updates the Tor browser.
