FFT news digest Dec 17 2021

Mother of all dumpster fires

"The vulnerability is one of the most serious that I've seen in my entire career, if not the most serious," according to the director of US cybersecurity and infrastructure agency, CISA. Jen Easterly (a 20-year cybersecurity veteran) was describing a truly horrible problem with log4j, a ubiquitous utility for logging error messages in applications. "We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage," she said in a call with US critical infrastructure owners and operators.

Security folk have been trying to find analogies to convey the severity of the problem.
We liked this one: "Imagine there is a specific kind of bolt used in most of the cars and car parts in the world and they just said that bolt needs to be replaced." And, as a wit added, "Also if someone were to whisper a couple specific words at the car, it unlocks the car and lets them drive away. And if the criminal is smart enough, the car gives them directions to your house and can steal all your belongings." Given just how widely log4j is used, you might be mildly surprised to learn it's an open source module, maintained by a few unfunded volunteers but used pretty much everywhere.

What makes the issue so serious is that it's childishly simple to exploit, but fiendishly difficult to fix. Indeed, using the car analogy, the bolt may be embedded so deeply that manufacturers may have no idea they've used it. Criminals and nation states are already reported to be exploiting the problem, with efforts focussed on the US and the UK. Malwarebytes has a guide for small businesses that explains how best they can protect themselves. The Dutch National Cyber Security Center has an exhaustive list of software that is (or not) affected by the vulnerability. The extent of log4j's use might be best illustrated by the fact that it's even reached Mars, where it's part of the software running the 'Ingenuity' helicopter.
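Finding every embedded copy is the hard part of the fix: a vulnerable library can sit inside a jar inside a war that a vendor shipped years ago. As an added example (not from this digest or from the log4j project), this Python scanner opens a Java archive, descends into any archives nested inside it, and reports each bundled log4j-core with the version Maven recorded in its pom.properties; the nested sample archive it builds is constructed for the demonstration.

```python
import io
import zipfile

# Maven records the artifact's version at this path inside a log4j-core jar
# (standard layout for Maven-built jars; this is a real path, not constructed).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def find_log4j_core(data: bytes, label: str = "<archive>"):
    """Yield (location, version) for every log4j-core copy in an archive,
    descending into archives nested inside archives (jar in jar in war)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip archive (or corrupt): nothing to inspect
    with zf:
        names = zf.namelist()
        if POM_PROPS in names:
            version = "unknown"
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
            yield label, version
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                # Nested archive: recurse, extending the "!"-separated location path
                yield from find_log4j_core(zf.read(name), f"{label}!{name}")


def build_nested_sample() -> bytes:
    """Constructed sample: a log4j-core jar buried in a vendor jar inside a war.
    The version string 2.14.1 is sample data, not taken from any real artifact."""
    def zip_bytes(entries: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()
    core = zip_bytes({POM_PROPS: "artifactId=log4j-core\nversion=2.14.1\n"})
    vendor = zip_bytes({"lib/log4j-core-2.14.1.jar": core, "Foo.class": b""})
    return zip_bytes({"WEB-INF/lib/vendor-lib.jar": vendor})


if __name__ == "__main__":
    # On a real host you would feed the bytes of each .jar/.war/.ear under
    # the application directory to find_log4j_core() instead of the sample.
    for location, version in find_log4j_core(build_nested_sample(), "app.war"):
        print(f"{location}: log4j-core {version}")
```

A hit on any version still has to be checked against the vendor's advisory; the scanner only answers the inventory question of where the library is hiding.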

Threats

QR codes: As we've all become more accustomed to using QR codes, it's not surprising that criminals are making use of them in phishing attacks. The latest targets banking users in Germany with a QR code that leads to a fake copy of their bank's login screen. Cofense

Season's warning: Do be on your guard over the holiday season. The pandemic means more online spending which is a monumental gift to fraudsters. The UK National Cyber Security Centre (NCSC) has a particular warning for anyone making a last-ditch bid to complete their gift list...

Voicemail: A savvy campaign seeks to exploit Microsoft Office 365’s voicemail functionality. An email appears to contain a voicemail attachment, but if opened it displays a fake Microsoft login page. WMC Global

PowerPoint: Don't enable that macro! Korean users are being targeted with emails containing "order details". They contain a booby-trapped PowerPoint file that will install malicious software...but only if its macro is enabled. Fortinet

Exchange: Attackers are installing a malicious module named 'Owowa' on Microsoft Exchange Outlook Web Access servers to steal credentials and execute commands on the server remotely. Kaspersky has advice.

Pegasus

In the face of sanctions and a torrent of unwelcome publicity, the maker of Pegasus spyware is reported to be considering shutting that unit or selling the entire company. Bloomberg says NSO Group has discussed closing Pegasus and using the technology behind it for "strictly defensive" purposes. The sophistication of that technology is underlined by research from Google analysing one of the ways Pegasus takes over iPhones without the user doing anything. It described it as "one of the most technically sophisticated exploits" they had ever seen, rivalling "those previously thought to be accessible to only a handful of nation states." The method is too complex to explain here, but it is darned clever. The latest victim of Pegasus appears to be the Hungarian President and his bodyguards. But NSO Group is just one company. Citizen Lab reports on a little known competitor, whose Predator product was used to attack two Egyptians.

Groping in the metaverse

As 'MetaFace' opened access to its virtual-reality social media platform, Horizon Worlds, it emerged that one of its beta testers had been groped inside it. “Not only was I groped last night, but there were other people there who supported this behavior which made me feel isolated,” she wrote on the official Horizon Facebook group. The person in charge of Horizon told The Verge that the beta tester hadn't used the safety features built into the platform, including the ability to block interactions. As MIT Technology Review says, the woman isn't the first to be virtually harassed and she won't be the last, but the question is whose responsibility it is to ensure users are unmolested. Meta's answer is to say it had given users the tools to keep themselves safe. So, just like Facebook really. And that's turned out just fine...

Lazy

More than a quarter of people working for small businesses admit they're more relaxed about security since they started working from home, according to Avast's Mobile Workforce Report 2021. The survey of workers in the US and UK also found that a third of employees working remotely are connecting to business networks with personal devices which have no security controls. 36% said they had received no guidelines about how to work remotely, and 24% who had received guidance said they'd bypassed it to get their work done. In practice, that means sending sensitive data through unauthorised channels, taking business calls with non-employees in the room, leaving sensitive business documents in the open, and using their home network for work even if they knew it was compromised.

Protecting children

You may remember the controversy around Apple's planned safety features which it said were designed to detect child sexual abuse material (otherwise known as CSAM). The controversy clearly had an impact because Apple has removed all references to the feature from its webpage on child safety. A spokesperson told The Verge that Apple had "decided to take additional time over the coming months to collect input and make improvements before releasing...the features." Critics of the CSAM detection scheme had signed an open letter warning, "once this capability is built into Apple products, the company and its competitors will face enormous pressure – and potentially legal requirements – from governments around the world to scan photos not just for CSAM, but also for other images a government finds objectionable."

In brief

Huawei: More than 100 marketing presentations seen by The Washington Post show how the Chinese technology giant has positioned its products as surveillance solutions.

Pornographie: The French regulator has given five pornography websites 15 days to implement concrete measures to prevent minors from accessing their content. CSA

The way you walk: Real-world tests have shown that gait authentication could be a viable means of protecting smartphones and other mobile devices. Tech Xplore

Up a Gumtree: Poor web design meant that users of the UK second-hand marketplace had their home addresses exposed. Pen Test Partners

Tracking: A new solution designed to stop web browsing being tracked is being integrated into the privacy-focussed Brave browser. It works by replacing tracking scripts with harmless substitutes. Tech Xplore

Remote control: Toyota is about to start charging drivers $96 a year for the ability to start their vehicles remotely. The Drive

Stalkers: With AirTags being used to steal high-value cars, Apple has released an Android app to help anyone without an iPhone find out whether someone is stalking them...or their vehicle. Tracker Detect

Updates

Apple: A range of updates includes fixes designed to address vulnerabilities that earned researchers more than $600,000 in a Chinese hacking contest earlier this year. The updates include iOS/iPadOS 15.2 and macOS Monterey 12.1.

Microsoft: Monthly set of updates includes 67 security fixes, including seven critical issues and a previously unknown ('zero-day') flaw being actively exploited.

Chrome: Yet another emergency update for Google's web browser to address yet another previously unknown vulnerability - the sixteenth this year. The latest version is 96.0.4664.110. Just shut your browser down and restart it.

Firefox: Version 95.0.1 is a minor update to address several issues, including an issue preventing connection to several Microsoft domains.

Adobe: Security updates to address more than 60 security issues in a range of products.

WhatsApp: A new privacy measure hides your “last seen” status from people you don’t know or haven’t chatted with in the app. WABetaInfo
