Weekly Threat Report - 31st August 2018
Report's are drawn from recent open source reporting, see the latest report here:
Facebook removes VPN app due to privacy concerns
Following discussions with Apple, Facebook’s Onavo Mobile VPN app has been withdrawn from the iOS app store, with reports alleging this is due to possible policy violations on personal data collection.
According to marketing information, the app promised to "keep you and your data safe when you browse and share information on the web." However, allegations have suggested that Facebook may be using the app to identify how users were using other third-party applications, even if the user believed the app was private.
The VPN app, which has been downloaded more than 33 million times, has not been removed from Google’s Android store. iOS users who are already using the app can continue to use it but will not receive any further updates. This follows on from Facebook’s March 2018 data breach revelation, when it was reported that 50 million Facebook profiles were harvested by Cambridge Analytica over a number of years and may have been illegally acquired and used.
The NCSC’s Cloud Security Principle 1: Data in transit protection advises that data transiting networks should be adequately protected against tampering and eavesdropping.
The Get Safe Online website also provides further advice on protecting your Facebook footprint.
Guidance for Data Breaches
More high profile data breaches have come to light recently, affecting the UK’s Superdrug high street store and mobile phone provider T-Mobile.
In a statement to customers, Superdrug explained how, on the 20th August 2018, they received a ransom demand believed to be from cyber criminals, claiming they had obtained customer information. Superdrug stated that they could not find any evidence of a data breach but now believe that the cyber criminals accessed their customer accounts using credentials from other websites. Superdrug believed that customer dates of birth, phone numbers and loyalty scheme details were accessed and advised customers to reset their passwords.
T-Mobile (US) also released a statement explaining how, on 20th August 2018, their cyber security team discovered and isolated an unauthorised access incident. During this incident, customer information such as names, billing addresses, post codes, phone numbers, email addresses, account numbers and type were accessed. There is no indication that any UK based customers were impacted.
The NCSC has provided guidance for both victims of data breaches and for businesses storing and holding personal customer information.
Variant of the Mirai botnet returns
In 2016, a Mirai botnet DDoS attack crippled the French telecoms provider OVH. Internet access was slowed or prevented for parts of the USA when a service provider, Dyn came under attack. One attack maxed out at 620Gbps, one of the largest the internet has ever witnessed. Mirai worked by enslaving IoT devices.
Now, the source code of a thought to be abandoned variant of the Mirai botnet has been compiled using an open source tool, Aboriginal Linux, which generates binaries for a considerable number of platforms. This allows it to infect multiple Linux devices, including Android and Debian, which the original Mirai was unable to infect. Infections have been steadily increasing since June, partly due to the lack of patching for IoT devices.
IoT devices are often unpatched, leaving them vulnerable to infection. Furthermore, resetting the device may clear the malware, but the device will still be liable to infection. As the number of IoT devices continues to grow and security patches are not released, the problem of enslaved devices is likely to get worse and this could result in further large DDoS attacks, limiting services to users.
It is important to keep both software and hardware up to date as well as using hardware for which the manufacturer will continue to release patches to minimise vulnerabilities.
Report on the security of UK Telecommunications by the Parliamentary Office of Science & Technology
The Parliamentary Office of Science & Technology (POST) have released a paper on the Security of UK Telecommunications which covers both the physical and cyber threats facing telecommunications networks.
The paper expands on POST’s May 2017 paper Cyber Security of UK Infrastructure which identifies the cyber attack threats on critical national infrastructure. The NCSC, along with many other agencies, organisations, individuals and academic institutions have worked with POST on these papers.