October 2022 Newsletter

Posted By: Mark Friday 11th November 2022 Tags: AI, Artificial Intelligence, cyber attacks, cyber aware, Cyber Safe, Cyber Security, Data Leak, email scam, malware, Newsletter, phishing, ransomware, technology, Typosquatting

---

This month, a Microsoft data leak; a large scale typosquatting malware campaign; DHL tops list of most-spoofed brands; are Millennials & Gen Z not serious enough about workplace cyber-security? Google LaMDA testing lands in the UK, and, the problem with eWaste.

Microsoft Data Leak

Microsoft confirmed, this month, that sensitive customer data was exposed through a misconfigured cloud server. The data leak was discovered by security researchers at threat intelligence firm, SOCRadar. They notified the Redmond behemoth that private information was accessible via unauthenticated access on September 24^th. Microsoft went public with news of the data leak after securing the vulnerable endpoint.

65,000 Entities Exposed by Data Leak

SOCRadar later expanded on its findings to say that data was stored on misconfigured Azure Blob Storage, and that it was able to link the sensitive information to more than 65,000 entities from 111 countries in files dated from 2017 to August 2022. The 2.4 terabytes of data included signed invoices and contracts, contact information, emails, and other personally identifiable information.

Microsoft disputed the numbers in it’s own release, saying.

“Upon being notified of the misconfiguration, the endpoint was quickly secured and is now only accessible with required authentication. Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers.

“We appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue.”

“The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability.

Microsoft Facing Data Leak Criticism

Microsoft have been criticised in a number of quarters over their handling of the data leak. Ars Technica pointed out that the press release called it an ‘issue’ rather than a ‘leak’.

Criticism was also aimed at Microsoft for only sending notifications to affected customers via their ‘Message Center’ messenging system. Not all company administrators have access to this and it’s likely some notifications will be missed.

A concerned customer was also unhappy with the response of the Microsoft 365 Admin telling him they were “unable to provide the specific affected data from this issue”, while there is evidence that the company’s support team told customers it would not notify data regulators because “no other notifications are required under GDPR” besides those sent to impacted customers.

This led a researcher to comment on Twitter that:

“MS being unable (read: refusing) to tell customers what data was taken and apparently not notifying regulators—a legal requirement—has the hallmarks of a major botched response”

He also found that results had been indexed and cached online and so were publicly readable and searchable for months.

Misconfigured servers are one of the most common reasons for a data leak, so, whether your networks are web, hybrid or contained, get LaneSystems to assess your set up. We can assess vulnerabilities, create security processes & controls, and keep your systems patched and correctly configured. Let us keep you secure as your business expands or your requirements change. Contact us today for further information.

---

Typosquatting Campaign Spreads Malware

A large-scale phishing campaign has begun recently involving the relatively old school trick of typosquatting, with the aim of infecting Windows and Android users with malware.

Typosquatting — also known as URL hijacking — involves the setting up of fake websites that use web addresses that are very close to the ones used by legitimate companies, usually involving the changing of one character, adding or removing a character, or swapping characters around. The idea being to catch people who make mistakes when typing the address into their browser – something that’s become more common when typing on a mobile phone.

27 Brands Targeted By Scammers

This current campaign is using more than 200 typosquatting domains, that impersonate 27 brands, and host sites that look like the real ones. The website links are also being posted in scam emails, sms messages, social media posts, forum posts, etc.

Brands being mimicked include apps such as Paypal, SnapChat, TikTok, various cryptocurrencies and crypto trading sites, and software such as Visual Studio and the Tor Browser. Bleeping Computer expands on the details revealed in a Cyble Research & Intelligence Labs report that concentrated more on the Android threat.

While, nowadays, web browsers aim to block and warn about these fake sites, newly created sites may not yet be on their block list. Always be careful to check for typos in the url that you’re entering into the browser before hitting submit. Again, this can be more difficult on mobile devices, where the software may shorten the URL by default or the area is too narrow to read the full url without scrolling, anyway. Don’t rely on the ‘padlock’ to prove authenticity, either. It doesn’t mean a site is legitimate because it shows one.

If you’re looking for a company website, use a search engine. Avoid clicking on any paid for links that appear in the list of search results, as fake sites have been known to infiltrate those listings. And, of course, it’s never a good idea to be clicking links provided in unsolicited emails, text messages, etc.

Be aware of anything that seems unusual.

---

DHL Is Most Spoofed Brand

Researchers at Check Point have released a report highlighting the brands most commonly imitated by cyber criminals in their attempts to scam victims during Q3 of 2022.

Global shipping and logistics player, DHL, was the most imitated company this quarter, accounting for 22% of all phishing attacks and other cyber scams. They took over from LinkedIn, who headed the list in Q1 and Q2 but now fell to third, at 11%, with Microsoft sitting between them, on 16%.

Top Ten Most Spoofed Brands in Q3 2022

1. DHL (22% of all phishing attacks globally)
2. Microsoft (16%)
3. LinkedIn (11%)
4. Google (6%)
5. Netflix (5%)
6. WeTransfer (5%)
7. Walmart (5%)
8. Whatsapp (4%)
9. HSBC (4%)
10. Instagram (3%)

Common DHL Phishing Scam

DHL recently warned about a major global scam and phishing attack back in June, and so the jump is probably related to this campaign.

Phishing is a common method of attack in cyber crime, as criminals attempt to steal personal details and payment information. Shipping services, such as DHL, are a regular mark for phishing campaigns – usually involving messages related to lost, delayed or undeliverable packages. Said message always ends with a clickable link to follow to sort everything out. These links will always direct you to fake websites, with scam forms to submit your personal and payment details, or else attempt to inject malware onto your devices.

Phishing attacks are relatively inexpensive to set up and can often yield a high return, as people are more likely to click links that appear to come from trusted brands.

Use caution if you receive emails, texts, etc, that appear to come from these companies. Assume all to be fake until you can verify through a trusted source. Don’t click on any links provided, or download any attachments, and be especially dismissive of any message that asks for personal details and credit card information.

---

Are Millennials And Gen Z A Cyber Security Threat?

A survey carried out by Ernst & Young Consulting claims that when it comes to cyber security, Millennial and Gen Z employees take it less seriously for work devices than they do for personal devices.

The survey findings include:

1. Roughly half of Gen Z (48%) and about one-third of millennial employees (39%) admit to taking cybersecurity protection on their personal devices more seriously than on their work devices, potentially putting companies at risk.
2. They’re more likely to disregard mandatory IT updates for as long as possible compared with their Gen X and baby boomer counterparts (58% for Gen Z; 42% for millennials vs. 31% for Gen X; 15% for baby boomers).
3. They’re more likely to use the same password for a professional account and for a personal account (30% for Gen Z; 31% for millennials vs. 22% for Gen. X; 18% for baby boomers).
4. They’re more likely to accept web browser cookies on their work-issued devices all the time or often (48% for Gen Z; 43% for millennials vs. 31% for Gen X; 18% for baby boomers).

Tapan Shah, EY Americas Consulting Cybersecurity Leader, said:

“This research should be a wake-up call for security leaders, CEOs and boards because the vast majority of cyber incidents trace back to a single individual.

“There is an immediate need for organizations to restructure their security strategy with human behavior at the core. Human risk must be at the top of the security agenda, with a focus on understanding employee behaviors and then building proactive cybersecurity systems and a culture that educates, engages and rewards everyone in the enterprise.”

There may be an apathy toward technology stemming from an over familiarity with it.

Are Gen X and Baby Boomers Safer?

However, there’s no real definition of the parameters used to define each ‘generation’ in the survey. And, there’s also the fact that the Gen X and baby boomer figures for these questions also equate to millions of workers with alarmingly poor adherence to security protocol.

To take cyber security seriously, all business needs to treat every person as a potential weak link. Companies should be pushing role-relevant training, understand human behaviour to identify when risks are greater, and have an open, no-fear, culture that allows people to speak up if identifying a potential security breach, rather than worrying about blame.

Shah said:

“Companies are investing to embed cybersecurity in every business unit as they digitally transform, but software, controls, processes and protocols are only part of the equation for minimizing cyber risk”

“Increasing enterprise-wide security also requires a holistic focus on the human, engaging every employee and embedding safety checks and protocols that make the risks tangible in their professional and personal lives.”

LaneSystems takes cyber security seriously. We can help your company be recognised for following good security practices. If you’re a business based in the North East of England contact us for further help.

---

Google LaMDA Lands In The UK

October saw Google launch a UK version of its AI powered Language Model for Dialogue Applications (LaMDA) app. LaMDA allows users to interact with an artificial intelligence system and lands in the UK after an August release in the USA saw thousands of people each day, sign up to take part.

It’s a limited initial trial, with the BBC reporting that there are only three scenarios to choose from – Imagination, To-do list, and Dogs. And, while it won’t allow users to teach it anything, Google is looking for feedback on the app’s behaviour.

To gain access you need a Google account so that you can download and register the AI test kitchen app on either Android or Apple devices, then, you’ll be placed on a waiting list.

Sensient AI Claims

Earlier in the year, the app gained mild notoriety when a former Google employee claimed that the LaMDA AI system was sensient. While Google touted it as a breakthrough technology that can engage in free-flowing conversations, the now ex-engineer believed that behind Lamda’s impressive verbal skills might also lie a sentient mind. Many other computer scientists familiar with the technology were quick to dispel the notion and put his claims down to his anthropomorphism of the generated content.

LaMDA test scenarios

The three scenarios are:

Imagination: ask it to imagine it’s somewhere and to play along

To-do list: Break down the requirements of a task

Dogs: it explores various sccenarios involving dogs

The BBC journalist said:

[…]when the call came, it was laden with caveats:

• I wasn’t allowed to record anything or quote anybody
• I had 30 minutes
• I could not have the app on my own phone ahead of the launch
• My demo was in the hands of a member of staff

Users are asked to rate each answer as nice, offensive, off topic or untrue.

After describing some of the outcomes of his interaction, the journalist summed things up as:

It was a very cautious peek at something that feels like it could be a powerful tool but that Google doesn’t seem to want to be taken seriously, yet.

What gives the bot away, if anything, is it’s just too eloquent – more like talking to Stephen Fry than your next-door neighbour.

While it’s in its infancy, ethicists warn that if Humans can be fooled into believing they’re talking to other Humans, then companies will need to explicitly tell users when they are conversing with a machine.

---

The E-Waste Problem

The international Waste Electrical and Electronic Equipment (WEEE) forum says that there are approximately 16 billion mobile phones currently in use, worldwide, and that approximately 5.3 billion of those phones will be thrown away this year.

In a report to highlight the increasing problem of e-waste, it is claimed that many people keep old phones, or simply toss them into the bins for landfill, rather than recycling them. This means the potential of recycling and reusing precious minerals that go into the production of these devices is being lost. For example, copper used in the wiring or cobalt found in rechargeable batteries, gold, silver, palladium, etc, has to be mined.

And it’s not just phones, which are said to be only the 4^th most hoarded electronic item in households. Tablets, laptops, electric toothbrushes, cameras, hair dryers, toasters, washing machines, and other appliances are also held on to. In surveys of 8,775 European households across Portugal, Netherlands, Italy, Romania Slovenia, and the UK, an average household contains 74 e-products – with 13 being hoarded (9 of them unused but working, 4 broken).

5 most hoarded small EEE products in Europe

1. Small consumer electronics and accessories (e.g. headphones, remote controls)
2. Small household equipment (e.g. clocks, irons,)
3. Small information technology equipment (e.g. external hard drives, routers, keyboards, mice)
4. Mobile and smart-phones
5. Small equipment for food preparation (e.g. toasters, food processing, grills)

Recycle Your E-Waste

In a BBC article on the problem, it says:

In the UK, more than 20 million unused but working electrical items, worth as much as possibly £5.63bn, are currently hoarded in UK homes, surveys by the organisation Material Focus suggest.

It also calculated that the average UK household could sell unwanted tech and raise about £200.

Magdalena Charytanowicz of the WEEE Forum said:

“These devices offer many important resources that can be used in the production of new electronic devices or other equipment, such as wind turbines, electric car batteries or solar panels – all crucial for the green, digital transition to low-carbon societies.”

While Virginijus Sinkevicius, European Commissioner for the Environment, Oceans and Fisheries, commented:

“The continuing growth in the production, consumption and disposal of electronic devices have huge environmental and climate impacts. The European Commission is addressing those with proposals and measures throughout the whole product life-cycle, starting from design until collection and proper treatment when electronics become waste.”

“Moreover, preventing waste and recovering important raw materials from e-waste is crucial to avoid putting more strain on the world’s resources. Only by establishing a circular economy for electronics, the EU will continue to lead in the efforts to urgently address the fast-growing problem of e-waste.”

Check your cupboards, drawers, garage and shed. Use the Recycle Your Materials website to find out where your old items can be locally recycled.

---