Maritime Cyber Digest

Here at PGI we like to help you to keep your business safe, by signposting you to news and advice from our cyber security experts.

As a loyal contact, we would love for you to attend one of our free upcoming training events in Bristol or Bedfordshire.

We will be teaching delegates how to manage their IT security in-house, mitigate risks and build a people strategy to ensure the threat doesn’t come from within.

Click here for Bedfordshire Registration 08/11/2017

Click here for Bristol Registration 23/11/2017

Think Twice Before Posting or Binning Your Boarding Pass

In late 2015, an article was published on the potential dangers of throwing away old boarding passes or posting images of them online. A recent security conference demonstration has provided a timely reminder of the personal data that can be contained on your ticket.

The example used an Instagram post of a British Airways boarding pass and showed how an attacker could log in to the airline’s passenger reservations page using the six-digit booking code and the last name of the passenger (both of which are displayed on the front of the BA boarding pass). Once inside the account, they could cancel future flights and edit passenger details.

The same danger applies to the posting of boarding pass barcodes or QR codes online as they usually contain all of the data shown on the front of a boarding pass. In some cases, boarding pass barcodes can actually conceal even more personal information than what’s printed on the boarding pass.

Notwithstanding the details that can be gained from boarding cards, burglars are also known to use social media to plan robberies based on people’s posts, so we encourage people to avoid the temptation of posting holiday plans on social media. Please also don’t post pictures of your boarding pass online or anything else with a barcode on it (there are 50,000+ search results on Instagram for “boarding pass”). Finally, avoid leaving your boarding pass in the seat pocket when leaving the aircraft and, as is good practice when disposing of receipts, we suggest shredding the ticket.


Patches Win Matches

The past few weeks have seen the release of a raft of important security updates from various companies including Apple (new OS versions for phones, iPads, and Macs), Microsoft (important Windows 10 updates) and Google (Chrome and Android improvements). Whilst the majority of these updates are designed to enhance user experience with improved features, they also include important security fixes to protect you against the latest security threats. Whilst installing updates can be time-consuming, we encourage you to update your systems at your earliest convenience.

Bluetooth Vulnerability Exposes Billions of Devices

It was widely reported last month that billions of devices that use Bluetooth may be exposed to a new remote attack, even without any user interaction and pairing. The technique, dubbed ‘BlueBorne’, was reported by researchers at Armis Labs who discovered eight vulnerabilities.

BlueBorne attacks work by imitating a Bluetooth device and exploiting weaknesses in the protocol to deploy malicious code. As Bluetooth devices have high privileges in most operating systems, the attack can be performed without any input from the victim.

Whilst these flaws potentially put billions of devices at risk, BlueBorne’s effectiveness is limited by Bluetooth’s short range: it can only target devices that are within range of the attackers. Bluetooth also needs to be switched on. Furthermore, the attacker would need to determine which operating system the target device is running in order to use the correct exploit.

One solution to protect users against BlueBorne attacks is to turn off Bluetooth completely, but this isn’t necessarily useful for people who regularly use the feature. Security patches for Windows, iOS, Android, Linux and Google are now available and we encourage all users of Bluetooth-capable devices to install these latest security updates at their earliest opportunity.

RoughTed Malvertising Stays Top of Malware Charts 

Check Point’s Global Threat Index has revealed that banking trojans were extensively used by cyber-criminals during August, with three main variants appearing in the Top 10. The banking trojans, namely Zeus, Ramnit and Trickbot, work by identifying when a victim is visiting a banking website, then utilise keylogging or web-injects to gather basic login credentials or more sensitive information such as PINs. They are sometimes also designed to redirect victims to fake banking websites which mimic legitimate ones and steal credentials.

The RoughTed malvertising campaign remained top in August, although its global impact decreased from 18% to under 12% of organisations worldwide. Global Imposter ransomware moved up to second place with a global impact of 6%, and Hacker Defender dropped to third.

In mobile malware, the top three threats were once again all targeting Android. Triada was the most common form, closely followed by Hiddad and Gooligan. These results illustrate how dynamic the mobile threat landscape is as Hummingbad did not make the August top ten, having dominated the charts for most of the summer.

Top 5 ‘Most Wanted’ Malware: 

*arrows relate to the change in rank compared to July

PINs Take a Swipe at Security

If you have ever wondered whether phone unlock swipe patterns are more secure than PIN numbers, then a recent study has shown that the answer is no (at least when it comes to unsophisticated proximity attacks).

A US study has found that a ‘lurker’ observing someone unlocking their Android phone using a swipe pattern was able to capture the pattern 64% of the time. If they observed the swipe pattern twice, the same person could repeat the pattern with 80% accuracy. By contrast, a lurker trying to spot a six-digit PIN was only 11% successful after one viewing, and 27% after two.

This research demonstrates that patterns are easier for people to remember than six-digit numbers, which is why pattern unlocks remain popular. Anyone using PIN locks should ensure that their number sequences are complex or random enough that lurkers cannot easily replicate them later. As for any phone users who are still attached to using pattern unlock, the study did highlight that when the “feedback” lines (lines that trace your finger’s path) were turned off, it was incrementally harder for attackers to remember the trace pattern.