Cybersecurity Without Insanity in 3 articles, 2 numbers and 1 thought.
This week: Microsoft and Proofpoint remind us of the value of some simple security measures. The problem with Android security patches. And why the theft of millions of phone numbers from WhatsApp may get our attention, but our local laptop repair shop may be a more immediate concern.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
THREE ARTICLES
1. Microsoft research on cyber attacks
As mentioned recently by the NCSC, Microsoft has released its Digital Defence Report for 2022. It’s a meaty document and I will come back to it in the weeks ahead. But for now, here are three key takeaways:
1 – Cybercrime continues to rise as many of the most experienced crime gangs are now selling their specific skills as a service, enabling a larger number of lower-skilled criminals to gain access to their more sophisticated tools and infrastructure.
2 – Attacks that “indiscriminately target all [email] inboxes are on the rise and business email compromise, including invoice fraud, poses a significant cybercrime risk”.
3 – “The vast majority of successful cyberattacks could be prevented by using basic security hygiene”, including “multi-factor authentication [and] frequent security [patching]”.
Key takeaway: Basic security measures – Staff awareness training, the use of multi-factor authentication, and installing security updates – significantly reduce the risks.
2. Proofpoint research on ransomware
Also mentioned recently by the NCSC, Proofpoint has released an analysis of the attack techniques used by Emotet, one of the most active malware gangs. If you want to see what cybersecurity research looks like, the article is worth a read. But for everyone else, here are three key takeaways to reinforce the value of some basic security measures:
1 – The gang sends a phishing email that tries to fool you into opening an Excel file attachment – Staff awareness training should increase people’s wariness of opening files attached to suspicious emails.
2 – The Excel file runs a macro to download the malware, so the staff member will usually be asked by Excel to ‘Enable Content’ or ‘Enable Macros’ before that macro is able to run – Staff awareness training should increase people’s wariness of enabling macros.
3 – To try to circumvent this macro warning, the Excel file also instructs the user to copy it to a specific folder within c:\program files\microsoft office, as Excel may trust macros in the file if it is stored there – The user’s account would need to have administrator privileges to copy a file into this location, and your basic security defences should ensure most users do not have such administrator rights on their Windows device.
Key takeaway: Basic security measures – Staff awareness training and restricting who has administrator rights – significantly reduce the risks.
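For whoever administers the Windows devices, the defence in point 3 can be checked directly. The PowerShell below is an added example, not taken from the Proofpoint article or this newsletter: it lists the Excel Trusted Locations registered for the signed-in user and reports whether that user can write to each one. It assumes Office 2016 or later (registry version key 16.0), and the function names are illustrative.

```powershell
# Added example: audit Excel Trusted Locations for the signed-in user.
# Assumption: Office 2016 or later, which uses the 16.0 registry version key.
$roots = @(
    'HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Trusted Locations',
    'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security\Trusted Locations'
)

function Test-IsElevated {
    # True only when this session holds an active Administrators token.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-CanWrite {
    param([string]$Folder)
    # Effective-access probe: create an empty, uniquely named file, then delete it.
    $probe = Join-Path $Folder ("tl-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        $true
    } catch {
        $false
    }
}

$report = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($key in Get-ChildItem $root) {
        $path = $key.GetValue('Path')      # expands %APPDATA% and similar
        if (-not $path) { continue }
        $exists = Test-Path -LiteralPath $path
        [pscustomobject]@{
            Location     = $key.PSChildName
            Path         = $path
            Exists       = $exists
            UserCanWrite = $exists -and (Test-CanWrite $path)
        }
    }
}

"Session elevated: $(Test-IsElevated)"
$report | Format-Table -AutoSize
# Review any row with UserCanWrite = True when the session is not elevated:
# a standard user can place a file there and Excel may trust its macros.
```

Run it as the ordinary user account rather than from an elevated prompt, since the result that matters is what a standard user can write to.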
3. Dark Reading research on Android device security
As mentioned recently by Secure The Village, Dark Reading has reported on one of the main problems with Android devices: an issue called ‘patch gap’. This is “the time it takes a fix for a known vulnerability to trickle down from software vendor [in the case of Android, it is likely to be Google] to individual device manufacturers [for Android, this would include phone manufacturers like Samsung]”. In the example cited in the article, a fix for a security issue was released in August but is not yet available to users of many Android phones over three months later, leaving them exposed to the underlying security vulnerability. I will try to avoid a discussion about the benefits of Apple iOS devices vs Android devices, as this would be an ecumenical matter. However, given Apple’s tight control of its iOS operating system and its ability to quickly release security fixes for these devices, you know where I would sit in this debate.
Key takeaway: Android device manufacturers need to get faster at providing security updates to their users.
TWO NUMBERS
487 million
Cybernews reports that “Someone is allegedly selling [..] a 2022 database of 487 million WhatsApp user mobile numbers. [..] The dataset allegedly contains WhatsApp user data from 84 countries.” The 11.5 million UK mobile numbers in the database are for sale by the cyber criminal for USD $2,500. As Cybernews states, “such information is mostly used by attackers for smishing and vishing attacks, so we recommend users to remain wary of any calls from unknown numbers, unsolicited calls and messages.”
Key takeaway: Watch out for unsolicited calls, SMS text messages, or WhatsApp messages.
50%
In a sample of 12 laptop repair shops, employees from 6 accessed personal data that was stored on a laptop which had been handed in for a basic repair. 2 of these 6 also copied data from the laptop onto their own personal device. This is according to research by a Canadian University team, and reported in ArsTechnica and Secure The Village.
Key takeaway: Be careful when you give your device to someone else. Further advice is provided below.
ONE THING TO THINK ABOUT
Don’t just focus on online threats. Think about real world threats.
This research on the risks that arise when we hand over our personal laptops and phones to others is a good reminder that the things we worry about may not be the things that hurt us.
Of course we should be concerned about ransomware and phishing emails. And now that 487m WhatsApp numbers have been stolen, we have an ever-increasing need to worry about cyber attackers calling us or messaging us (or the more vulnerable people in our lives).
But we should also be concerned about the risks that arise when we lose our devices or hand them over to someone else.
As the ArsTechnica article shows:
- “Data is vulnerable to snooping or copying any time [you] surrender [your] device to an untrusted or unknown individual, particularly when the individual has [your] login password.”
- “Devices belonging to females are more likely to be snooped on, and that snooping tends to seek more sensitive data, including both sexually revealing and non-sexual pictures, documents, and financial information.”
So what should you do when giving your device to someone else?
- If possible, remove any sensitive data from your device before you hand it over. If that’s not possible, put the content into a password-protected zip file or move it to a location that is more difficult for someone else to get to.
- Do not provide the login password if the repair does not require it – e.g. a battery replacement.
- Tell them that your brother / sister / husband / wife / son / daughter / good friend Sam is a cybersecurity advisor, so there’s monitoring software on the device which will tell them what they did with the device while it was in their possession. You know you are lying. They may assume you are lying. But they may not take a chance!