FFT news digest April 2 2021

Ubiquiti

A whistleblower has accused networking equipment manufacturer Ubiquiti of covering up the severity of a data breach that could allow customers' devices to be accessed without authorisation. The report by KrebsOnSecurity follows Ubiquiti's announcement in January that "certain" of its IT systems had been breached and that it couldn't rule out the possibility that customer information had been accessed. In fact, the breach was far more serious than the notice suggested and resulted in "full read/write access to Ubiquiti databases at Amazon Web Services (AWS)," the whistleblower wrote to the European Data Protection Supervisor. "Legal silenced and overruled efforts to decisively protect customers."

Ubiquiti has responded to Krebs' report with a statement that raises more questions than it answers (and has been roundly mocked by customers). While insisting nothing has changed since its original notification, Ubiquiti says there's no evidence that "customer information was accessed, or even targeted in the breach". To say that misses the point would be an understatement. The whistleblower's claim is that source code and IT credentials were stolen, and that this is the key risk to customers: with those, an attacker doesn't need to touch customer records to reach customer devices. Ubiquiti doesn't deny the theft and simply says an extortion attempt was unsuccessful. This is an object lesson in how a lack of transparency can damage a brand permanently (and its share price, temporarily).

So what actually happened? According to the whistleblower, the attacker(s) obtained credentials that had been stored in the password manager of a Ubiquiti IT employee. Those credentials provided complete access to all of Ubiquiti's AWS accounts, including application logs, databases, user credentials, and the secrets needed to forge authentication tokens. It's not clear how the password manager was compromised, but it's a vivid reminder that a password vault concentrates risk: it needs every protection available, including strong multi-factor authentication on the vault itself, and the secrets it held must be treated as compromised and rotated if it is ever breached. There's a lot more to emerge about this story and we'll update as we learn more.

Threats

COVID-19: Impersonation and disinformation are two of the key threats to have emerged as attackers seek to take advantage of the pandemic. Trend Micro has a round-up of the tactics and how to combat them.

Calls: New campaign uses call centres to try to fool victims into installing malicious software. An email prompts the recipient to call a phone number to cancel a (non-existent) upcoming subscription. The call centre directs the victim to a website where they can download a cancellation form, but which actually installs the malware. Bleeping Computer

Gamed: A surprisingly large number of gamers try to cheat their way through popular titles. One of the biggest games makers says attackers are targeting people trying to cheat Call of Duty: Warzone. Activision

Home video: Chinese hackers are stealing videos from tens of thousands of private security cameras and are selling clips as "home video packages." They're also offering "set meal" packages that offer real-time viewing. Henan TV via South China Morning Post

Concerts: As promoters put together plans for concerts later in the year, UK police are warning buyers to take care when buying tickets online. Police received 216 reports of ticket fraud in February alone.

Bypassed: Spam filters are good, but they're not impregnable. Armorblox has details of a Facebook phishing campaign that slipped past them with a link to a credible-looking but fake login page. As always, don't follow links in emails to do important things like changing passwords or confirming login details; go to the site directly instead.

North Korea

Cyber crime is believed to be a major foreign exchange earner for Pyongyang, and one of its latest exploits involved setting up a fake security company in order to target security researchers. The fake entity, SecuriElite, claimed to be based in Turkey and offered penetration testing and software security assessments, according to Google's Threat Analysis Group. The setup included social media profiles and a branded website, and built on a campaign Google revealed in January. North Korea's approach typifies the increasing sophistication of state-sponsored groups. It makes it essential to be careful about accepting LinkedIn requests and browsing unfamiliar websites, regardless of how credible they look.

Analysed

You might have chosen not to send analytics data from your smartphone to Apple and Google, but they're being transmitted anyway, according to a report from Trinity College Dublin. "The phone IMEI, hardware serial number, SIM serial number and IMSI, phone number, etc. are shared with Apple and Google. Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this," the report found. Of the two, it says Android collects more data - although Google disputes the report's methodology and told The Register that the research merely describes the normal operation of modern smartphones. Apple has yet to comment. 

Passports

Amid scepticism about the viability of COVID-19 'passports', the airline industry is moving forward with an app to be released next month. IATA says the Travel Pass app will enable travellers to store verified test results and vaccination certificates on their phones. Initially, it will be available for iPhones, with work underway on an Android version. Virgin Atlantic is planning to pilot the pass on its London/Barbados route. New York state already has its own version, designed to speed the reopening of business and entertainment venues. Despite opposition, the momentum for these apps looks unstoppable. 

Lessons

A year since the UK's first lockdown began, we've looked back at our coverage to see what we've learnt. The key lesson is security awareness (and we're not saying that just because training is core to our business). We've seen enormous variations in how organisations are supporting their remote workers, with some doing an excellent job and others behaving as if nothing much has changed. Working from home introduces a range of risks, including unauthorised access to sensitive information and a golden opportunity for attackers to target employees. Communication and awareness are crucial. So is locking laptops when they're not in use, something amply illustrated by a manager of the US Strategic Command's Twitter account when his "very young child" posted an unintelligible tweet by playing with the unattended keyboard.

In brief

Australia: Channel 9 and the Federal Parliament experienced severe disruption to their IT systems over the weekend. The motives are unclear and it's too early for attribution, but the incidents underline the importance of backup plans. The only way Channel 9 was able to stay on air was via a Melbourne facility that hadn't been fully automated. ABC

Marketing: It's probably not surprising that tactics used by fraudsters are now being used by 'legitimate' companies. In this case, a US pension fund impersonates a competitor to try to attract new business. Avanan

Knowingly defective: A federal judge in the US has ruled that Apple knew the displays on some of its MacBooks were faulty, but it went ahead and sold them anyway. The ruling is in response to a class action lawsuit. 9to5Mac

Russia compulsion: Last month it emerged that Apple agreed to comply with a new Russian law requiring device makers to install specific apps as part of the initial setup. The legislation is now in force and during setup users are taken to a special app store - though it appears they can simply exit the process. For the moment.

Warfare: The US army is to be equipped with augmented reality headsets as part of a $21.88 billion deal with Microsoft. It aims to deliver "enhanced situational awareness, enabling information sharing and decision-making in a variety of scenarios," Microsoft said.

iPhones: iOS 14.5 will try to fix battery drain and reduced performance issues that have affected some iPhone 11 devices. The upcoming version (expected some time this month) has a feature designed to "recalibrate" batteries. Apple

Late: The Dutch Data Protection Authority has fined Booking.com €475,000 for reporting a security incident 22 days late, in contravention of GDPR rules requiring breaches to be reported to the regulator within 72 hours of the organisation becoming aware of them. The Record

Periscope down: The Twitter-owned live video app shut down yesterday after six years during which it helped popularise streaming. 

Updates

Apple: iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3 are emergency updates to address a serious vulnerability that is already being exploited.

Microsoft: An optional update (KB5000842) for Windows 10 version 2004 and Windows 10 20H2 is designed to address issues including dark screens and other monitor glitches, as well as system crashes associated with OneDrive.

Outlook: Microsoft also fixed an Outlook issue that blocked users from forwarding or replying to emails containing embedded hyperlinks that pointed to long web addresses. Bleeping Computer

VMware: Updates address a high-severity vulnerability in vRealize Operations that could allow an attacker to steal administrative credentials from a vulnerable server.

Google: Chrome 89.0.4389.114 for Windows, Mac and Linux includes eight security fixes.

Citrix: Security updates address vulnerabilities in Citrix Hypervisor (formerly XenServer) that could be exploited to cause disruption.

Zimbra: 9.0.0 “Kepler” Patch 13 and 8.8.15 “James Prescott Joule” Patch 20 include important security fixes.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217