Vol. 3 Iss. 5 02/02/2020, last updated 06/04/2020 Robin Oldham ~6 Minutes
I send out a weekly information security newsletter of cyber/infosec security and privacy articles, events or topics that have caught my eye, some interesting stats, plus a summary of other news.
Subscribers get it direct to their inbox, every Sunday, at 7:00pm.
Avast shutters Jumpshot division following report highlighting sale of web browsing data
Joseph Cox at Vice Motherboard and Michael Kan at PC Mag broke the news that Avast was collecting and selling browsing habits from over 100 million devices. Users who had installed AVG, Avast’s freemium anti-virus software, were prompted to opt in to data collection as part of the functionality that scanned websites they visited for malware.
Unbeknownst to them, this also gave the company authority to ship that to their Jumpshot division, who packaged it all up into a series of ‘click feed’ products and sold their browsing habits to companies like Tripadvisor, Pepsi, and management consultants McKinsey.
It’s a reminder that security does not equal privacy, and of how opaque many privacy policies and practices are. (Try delving into the ‘manage cookies’ option on a popular website, rather than just ‘accepting all’.)
Avast’s response, lurching from one extreme to another, unsettled investors: first the company trotted out privacy-is-important lines from last year (when Mozilla blocked their Firefox extension for privacy violations). Then, a day later, they announced the shuttering of the Jumpshot business entirely.
Writing in the FT, Bryce Elder called Avast’s ‘rotten week’ a ‘lesson in crisis management.’ Having floated in May 2018, before this news broke, the share price was knocking on the door of the FTSE100 - with a market capitalisation of £5.1 billion - more than Centrica (British Gas). By the end, its market cap had plummeted over £1 billion from last week’s high.
Privacy may be growing in importance to consumers but investors still value the revenues generated by behavioural data. Those consumers would be wise to heed the if-you’re-not-paying-for-it-you’re-the-product adage, too.
150,000 computers infected with REvil ransomware, by 148 different ‘strains’ of the malware (generally unique per case), and $260,000 average ransom demand. Half of attacks infected more than one computer; in those cases the average ransom demand jumped to $470,000. All according to Dutch telco KPN, using data from the last five months. zdnet.com
$550M value of settlement in class-action where Facebook used facial recognition to recommend which people to tag in photos cyberscoop.com
Other newsy bits
Keep calm and carry on: Brexit advice for DPOs
This week the UK left the European Union and entered a transition phase. During that period, EU GDPR, and the obligations it places on Data Protection Officers, continue to apply. The Information Commissioner’s Office has updated their FAQ, and has a range of materials to support the potential different outcomes from future negotiations with the world’s largest trading bloc. ico.org.uk
Vulnerability in Microsoft Azure
Calm down, Forbes. A ‘perfect 10.0’ vulnerability in Microsoft’s Azure infrastructure was found, disclosed and patched last year. It would have allowed an attacker to break out of the isolation that keeps different cloud users of the shared infrastructure separate. In that regard, it is important but is also far from the ‘cloud security nightmare’ peddled by the story’s headline. forbes.com
SIM swappers phishing creds from telco employees
Lots of two-factor authentication solutions use SMS to protect users’ accounts. If cyber-criminals can change the SIM card associated with a phone number, they can then use data from breaches to log in, and the one-time code gets sent to them, allowing them to take over an account (typically high-profile social media). An investigation by Joseph Cox at Motherboard shows they are actively targeting employees of mobile operators with phishing campaigns, as well as sales partners who may have access to management portals. The partner angle is interesting and has parallels in, for example, the insurance sector, where many hundreds of independent brokers may have access to similar customer management systems. vice.com
Secure your video conferencing
A couple of bugs in WebEx and Zoom this week. Conferencing and collaboration tools are adding new functionality and allowing participants to join via more methods (telephone, web, app, etc). It’s a good idea to review what precautions you can take to prevent unwanted guests from joining your meetings. In Zoom’s case, you just needed to guess the meeting ID, something Check Point think they could get right about 4% of the time. theregister.co.uk (Webex), theregister.co.uk (Zoom)
Attacks, incidents & breaches
- UN didn’t patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it theregister.co.uk
- Don’t capture, then store, user account information in plaintext: Social media boosting service exposed thousands of Instagram passwords techcrunch.com
- LabCorp security lapse exposed thousands of medical documents techcrunch.com
- Japanese company NEC confirms 2016 security breach zdnet.com
- Breach at Indian airline SpiceJet affects 1.2 million passengers techcrunch.com
- Hackers infiltrated [marketing giant LiveRamp to abuse privilege as] Facebook data partner to launch scams cnet.com
- More data-leaking design blunders discovered [in Intel processors], patches due soon theregister.co.uk
- Iranian hackers target US government workers in new campaign zdnet.com
- Coronavirus Phishing Attacks Are Actively Targeting the US bleepingcomputer.com
- Apple wants to standardize the format of SMS OTPs (one-time passcodes [used in 2FA]) zdnet.com
- New (free) web service [‘I Got Phished’] can notify companies when their employees get phished zdnet.com
Internet of Things
- Some eminently sensible steps being taken by UK gov here: devices should ship with unique passwords, and customers must be notified how long the devices will be supported for theregister.co.uk
- Facebook’s new privacy tool lets you manage how you’re tracked across the web cnet.com
- 28th January was Data Protection Day 2020 ico.org.uk
- FCC says phone company broke laws around location sharing cnet.com
- Russian Cybercrime Boss Burkov Pleads Guilty krebsonsecurity.com
- Three suspects arrested in Maltese bank cyber-heist zdnet.com
- AlphaBay Dark Web Market Mod Faces 20 Years After Pleading Guilty bleepingcomputer.com
- First MageCart Hackers Caught, Infected Hundreds of Web Stores bleepingcomputer.com
- UK will allow Huawei to supply 5G — with ‘tight restrictions’ techcrunch.com
- Summary of NCSC’s security analysis for the UK telecoms sector ncsc.gov.uk
Aviva apologises to Michaels
I love a good integrity example, and this week a ‘temporary technical error’ from Aviva delivers. The insurance company emailed thousands of customers, calling each of them Michael. The rest of the content was correct (so no misdirected or leaked data). Time will tell if this has a meaningful impact on Aviva’s financial performance; however, it did give the Beeb a chance to bust out the official name stats. Michael ranked 72nd in 2018. Thank you, Aviva and Office of National Statistics! bbc.co.uk