Davey Winder’s Security Spotlight – part 5

Another round of security stories from our award-winning cybersecurity writer Davey Winder.

Davey Winder, cybersecurity writer

So far, September has been pretty negative in terms of security news. By which I mean there have been few positive stories that have caught my attention, but lots of facepalm moments instead. Sure, there was the odd smile as I reported on 120 MPH flying racing cars that are to get anti-collision virtual force fields protected by Acronis. But, overall, it’s been quite doomy and gloomy out there in cybersecurity-ville.

What if I were to tell you that Microsoft left a known, exploited-in-the-wild Windows 10 vulnerability unfixed for two years? The vulnerability in question is called Glueball, or CVE-2020-1464 to be more formal, and was first reported back in August 2018. It's a Windows spoofing vulnerability, one that let attackers bypass code-signing checks: append a malicious Java archive (JAR) to a legitimately signed MSI installer and Windows would still report the Authenticode signature as valid, while the Java runtime, which reads a JAR from the end of the file, would happily run the appended payload. VirusTotal manager Bernardo Quintero says he reported it to Microsoft and the attack vector was verified by the company, which decided "it will not be fixing this issue in the current versions of Windows." It didn't actually fix it until the August 11, 2020 Patch Tuesday roll-out. That's a pretty poor security response, if you ask me, and one would like to think Microsoft can and will do better moving on.
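As an added illustration, not from the column and not a reproduction of the Windows bug itself, the Python below models the file-format property Glueball relied on: ZIP readers, the Java JAR loader included, find an archive by its end-of-central-directory record at the tail of the file, so any bytes sitting in front of a JAR are ignored. The "signed installer" here is a constructed stand-in whose digest covers only the declared container, a stand-in for a structure-aware signature such as Authenticode on an MSI; the host bytes, the JAR contents and the `flag_polyglot` triage rule are all assumptions of the example.

```python
import hashlib
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # ZIP End Of Central Directory record signature


def make_host(body: bytes) -> bytes:
    """Constructed stand-in for a signed installer: a 4-byte declared
    length followed by that many bytes of container data. Real MSI files
    are CFB documents with the Authenticode signature embedded inside; this
    toy only models the fact that the signature covers the container's
    structure rather than every byte of the file on disk."""
    return struct.pack("<I", len(body)) + body


def container_digest(blob: bytes) -> str:
    """Digest over the declared container only, which is what a
    structure-aware signature hashes. Trailing bytes are not covered."""
    (declared,) = struct.unpack_from("<I", blob, 0)
    return hashlib.sha256(blob[: 4 + declared]).hexdigest()


def build_jar(entries: dict) -> bytes:
    """Build an in-memory JAR (a ZIP archive with a manifest).
    STORED rather than DEFLATED so the constructed bytes stay predictable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\nMain-Class: Payload\n")
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def jar_entries(blob: bytes) -> list:
    """What a JAR/ZIP reader sees. It locates the archive from the end of
    the file, so the installer bytes prepended to it are simply skipped."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        return sorted(z.namelist())


def embedded_zip_offset(blob: bytes):
    """Return the offset at which a trailing ZIP archive starts, or None.

    Layout of the EOCD record: signature(4) disk(2) cd_disk(2)
    entries_this_disk(2) entries_total(2) cd_size(4) cd_offset(4)
    comment_len(2). cd_offset is relative to the archive start, so
    start = eocd_position - cd_size - cd_offset (no ZIP64 handling here)."""
    idx = blob.rfind(EOCD_SIG)
    if idx < 0:
        return None
    cd_size, cd_offset = struct.unpack_from("<II", blob, idx + 12)
    start = idx - cd_size - cd_offset
    return start if start >= 0 else None


def flag_polyglot(blob: bytes) -> bool:
    """Triage rule (assumption of this example): a file that parses as a ZIP
    archive starting somewhere after byte 0 carries a hidden trailer."""
    off = embedded_zip_offset(blob)
    return off is not None and off > 0


# Constructed inputs: a fake installer, a fake JAR, and the glued-together file.
HOST = make_host(b"\x00" * 64 + b"constructed installer payload")
JAR = build_jar({"Payload.class": b"\xca\xfe\xba\xbe constructed bytecode"})
POLYGLOT = HOST + JAR

if __name__ == "__main__":
    # The digest a container-structure signature would cover is unchanged...
    print("digest unchanged:", container_digest(POLYGLOT) == container_digest(HOST))
    # ...yet a JAR reader happily lists the appended payload.
    print("JAR entries seen:", jar_entries(POLYGLOT))
    print("archive starts at:", embedded_zip_offset(POLYGLOT), "of", len(POLYGLOT))
    print("flagged:", flag_polyglot(POLYGLOT))
```

Two caveats for anyone turning `flag_polyglot` into a detection: plenty of legitimate self-extracting installers deliberately carry an appended archive, so treat a hit as a triage signal rather than a verdict, and the real fix for Glueball was Microsoft tightening the signature verification in Windows, not a trailer check bolted on by defenders.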

Continuing the negativity, at the very end of August my Sunday morning mailbox was full of very worried folk asking if the internet had been taken down by a massive cyber-attack. I can understand why they were thinking that, what with many of the world's largest internet services being unavailable or heavily disrupted. That Cloudflare was amongst them only helped fuel the 'DDoS on a scale not seen before' rumours. When Amazon, eBay, Hulu, PlayStation Network, Reddit, Starbucks, Steam, Xbox Live and others are impacted, something serious is indeed going on; serious enough for a 3.5% drop in global internet traffic to be reported. This was no cyber-attack though, as Cloudflare engineers were quick to establish. Instead it was a Border Gateway Protocol (BGP) configuration error at a rather large third-party transit provider, which is all it takes for a single network's bad routing announcements to ripple across the rest of the internet.

As the U.S. presidential elections draw ever nearer, cybercriminals are keen to exploit the emotional investments of American voters wherever they may be. So, it came as no surprise to learn that phishing scams involving a time-critical, limited supply of supposedly free Trump 2020 yard flags and Keep America Great hats have been spotted in the wild. In the case of the hats it's thankfully a real old-fashioned phishing email, complete with spelling mistakes and document template errors, so it shouldn't be too hard to spot. The yard flags one is more believable, unfortunately, and mentions that the item is free with just postage to be paid for. This suggests that, as well as personal information, the scammers are after credit card payments and data too. Just as there has been an upswing in COVID-19 related phishing threats, evolving to keep pace with the pandemic headlines, so the race for president will doubtless spawn more campaigns as the TV debates take centre stage. Although these are not of the highly-targeted spear phishing variety, I'd be willing to bet they will come soon enough and carry a business edge that's believable enough to fool many an executive in a rush.

Less believable, but apparently true according to reports, is the password that Donald Trump was allegedly using for his Twitter account in the run-up to the 2016 elections: yourefired. Yep, that guessable, that weak, that bad. It gets worse, as the hackers who uncovered this back then were working from credentials leaked in a LinkedIn breach some four years previously, so the password had been reused across services as well as being weak. Don't be like Donald: don't use weak passwords, don't reuse them across services, and do change them immediately following any breach.
