Robin’s Newsletter #89

1 March 2020. Volume 3, Issue 9
Security awareness without fear; Android malware stealing 2FA codes; click here to sue everybody.
Join hundreds of subscribers who get this first, every Sunday. Subscribe

This week

Do you know someone who’d like $959 worth of cyber security books?

I’m paying it forward by gifting five copies of the latest Cybersecurity Humble Book Bundle to students or those looking to retrain for a career in cyber security. Please forward this email on to anyone you know who’d be interested, and share my tweet, and LinkedIn post to help spread the world. Thanks!

Dr Jessica Barker’s Guide to Security Awareness Without Fear

This week was the RSA Conference in San Francisco. It’s one of the primary information security conferences and, amongst the vendor halls lined with dubious machine learning and blockchain products, there are always some great talks. Dr Barker always comes up with great advice, delivered compellingly. Infosecurity Magazine has a rundown of her keynote on security awareness without fear.

“We talk in a technical language which is unfamiliar to most,” Barker said, “and this makes people feel more out of control, and thus fearful. That’s why in cybersecurity people have a disproportionate level of fear.”

I’ve discussed before (vol. 2, iss. 10) the importance of language in infosec. It can lead to miscommunication, knee-jerk reactions, or just completely turn people off.

The article is well worth a read, especially if you’re planning a security awareness programme. The main points are:

  • Scary messages need strong efficacy
  • Reduce noise so people can engage with the signal
  • Build engagement with optimistic messages and social proof
  • Provide the tools so people can change their behaviours – check what you are asking of people is realistic
  • Harness a positive cybersecurity culture

The human aspects - making it simple for people to engage - and giving them the tools to make last change themselves ring especially true for me. They’re some of the founding principles of my company, Cydea :-)

Interesting stats

22% of respondents ‘unwilling’ to give a company their personal information following a data breach, and 2/3 people trust a company less following a data breach, according to a survey of 961 people by

40% increase in ‘stalkerware’ infections during 2019, according to Kaspersky

Other newsy bits

Android malware can steal Google Authenticator 2FA codes

Dutch company ThreatFabric say they’ve spotted a new capability in a strain of Android malware that allows it to steal two-factor authentication codes. The Cerberus malware uses accessibility privileges to steal the OTP codes from Google’s Authenticator app and allow the authors to pass the multi-factor checks when pretending to log in as the user.

“Click here to sue everybody” can class-action litigation secure IoT?

An interesting take in a paper by Dallin Robison in the Richmond Journal of Law & Technology. If manufacturers or Internet of Things (IoT) devices do not suffer the consequences of poor security practices and therefore will not independently choose to improve the cyber security of their products. In the absence of widely adopted standards and regulation, they propose pro-active lawsuits “before inventive cybercriminals exploit the IoT’s glaring defects at the expense of human lives.” (PDF), H/T

Authorised push payment fraud on the rise

A case in Manchester, UK is a reminder that solicitors and professional services firms involved in the sale of property are a favourite of fraudsters (vol. 1, iss. 2) because they handle large payments in a relatively unsophisticated way (often via email.) After gaining access to the firm’s email - perhaps via credential stuffing from previous data breaches - they wait to intercept and send emails with fraudulent accounts details to unsuspecting buyers. It’s always worth confirming payment details for large transfers via a second, separate channel.

First lasers, now ULTRASONIC WAVES

Research dubbed Light Commands back in November showed how voice assistants like Siri, OK Google and Alexa could be triggered by shining a laser on the microphone of the device (vol. 2, iss. 45.) Now new research from universities in the USA and China has shown that voice assistants can also be triggered by ultrasonic waves. The frequencies are outside of what is audible to the human ear but are picked up by the microphone of your smartphone. Some training is needed for assistants where they have learned their user’s voice. It could be used to read out messages, control smart home devices, or connected car apps.

In brief

Attacks, incidents & breaches

  • Controversial company, Clearview AI, which contracts with law enforcement after reportedly scraping 3 billion images from the web, now says someone got “unauthorized access” to its list of customers
  • Samsung cops to data leak after unsolicited ‘1/1’ Find my Mobile push notification
  • A Freedom of Information Act request published on the FCA website revealed more than it should

Threat intel

  • It’s 2020 and pre-auth, superuser command injection is still a thing: Zyxel storage, firewall, VPN, security boxes have a give-anyone-on-the-internet-root hole: Patch right now
  • Kr00k Bug in Broadcom, Cypress WiFi Chips Leaks Sensitive Info
  • North Korea Is Recycling Mac Malware
  • Ghostcat bug impacts all Apache Tomcat versions released in the last 13 years

Security engineering

  • Updating our malware & ransomware guidance
  • Open Cybersecurity Alliance launches first open source messaging framework, OpenDXL Ontology, for security tools

Internet of Things

  • Southern Water not such a phisherman’s phriend, hauls itself offline to tackle email lure


  • How schools are using kids’ phones to track and surveil them
  • FCC Proposes to Fine Wireless Carriers $200M for Selling Customer Location Data

Law enforcement

  • Proof that an indictment doesn’t need to result in conviction to get results: Accused Chinese hackers abandon techniques after U.S. indictments
  • UK to launch specialist cyber force able to target terror groups

And finally

Mum’s make great social engineers: tales of breaking in to prison and the warden’s computer

Another gem from RSA Conference this week: Rita Strand tells of how she broke into a prison as part of an engagement for her son’s penetration testing company. A fun read. And remember, if you’re thinking of retraining, drop me a line for those security books!


  Robin's Newsletter - Volume 3

  Security Awareness Security Education RSA Conference Multi-factor Authentication IoT Authorised Push Payment Air Gap Clearview AI Schools & Education