Weekly podcast: BT phishing, Twitter vulnerability, S8 iris recognition

This week we discuss a phishing attack targeting BT customers, a major vulnerability in Twitter, and a vulnerability in the Samsung Galaxy S8.

Hello and welcome to the IT Governance podcast for Friday, 26 May 2017. I’m Gemma and I’ll be doing this week’s podcast whilst Neil frolics about on holiday. Here are this week’s stories.

In the wake of the WannaCry Ransomware attack earlier this month, BT customers have been receiving phishing emails claiming that BT is updating its systems. The email asks for customers to follow a link and provide log-in details to confirm a security upgrade.

As is frequently the case with phishing emails, the message creates a sense of urgency. It claims that BT has “temporarily limited access to profile features that contain [users’] sensitive data” and that the only way to lift those restrictions is to click on the attached link.

The UK’s national reporting service for fraud and cyber crime, Action Fraud, advises anyone who receives one of these emails to not click on any links. Instead, they should go to BT’s website directly and log in from there.

“We are also aware that companies are sending out legitimate emails of reassurance in connection with the recent cyber attack,” Action Fraud says. It adds that, if you are in doubt, you should “contact [the company] directly on a method other than the email you have received”.

HackerOne, a bug bounty platform, made a ticket public this week that explains how a vulnerability in Twitter would have allowed anyone to publish a tweet, from any account.

The security researcher, who goes by the handle Kedrisch, discovered the vulnerability and reported it to Twitter in February of this year. The issue was quickly fixed a few days later, and a few days after that Kedrisch received a $7,560 bounty for his efforts.

According to Kedrisch’s writeup of the vulnerability, he was able to intercept a request and change two parameters, owner_id and user_id, to tweet as another user.

The vulnerability, at least at first, relied on the attacker uploading a media file into a tweet. According to Kedrisch, just having the image isn’t enough: an attacker also needs the filename associated with the image, a media_key, something that can be difficult to determine.

Kedrisch wrote, “In my explorations I didn’t find 100% way to know this media_key. There were always some restrictions and circumstances which allow to get that media_key.”

By uploading an image file and sharing it with a user – something Twitter Ads allows – Kedrisch realised he could carry out the same attack without that 18-digit code. Instead, he found he could intercept the same POST request that’s sent to Twitter when a user tweets and swap out the Twitter handle.

Twitter marked the vulnerability as high severity according to Kedrisch’s HackerOne report.
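The bug class described above is a server trusting client-supplied identifiers (here owner_id and user_id) to decide who a tweet is posted as, instead of the identity bound to the authenticated session. The following is an added illustration, not code from the podcast, from Twitter or from Kedrisch’s report: a hypothetical “post tweet” handler in its vulnerable form beside a hardened form that derives the author from the session and rejects any mismatching identifier. Session tokens, user ids and request parameters are all constructed for the example.

```python
# Added example, not the page's or Twitter's code. Models the identifier-
# trust bug described in the story: a handler that authenticates the caller
# but then lets a client-supplied owner_id / user_id choose the tweet author.
from dataclasses import dataclass, field
import logging

logging.basicConfig(level=logging.WARNING)

# Constructed session store: session token -> authenticated user id.
SESSIONS = {"tok-alice": 1001, "tok-mallory": 2002}


@dataclass
class Request:
    session_token: str
    params: dict  # form fields as sent by the client (attacker-controlled)


@dataclass
class Timeline:
    tweets: list = field(default_factory=list)  # list of (author_id, text)


def post_tweet_vulnerable(req: Request, timeline: Timeline) -> dict:
    """Vulnerable handler: checks that *a* session exists, then trusts the
    client-supplied user_id to decide whose timeline the tweet lands on."""
    if req.session_token not in SESSIONS:
        return {"status": 401}
    author = int(req.params["user_id"])  # never validated against the session
    timeline.tweets.append((author, req.params["text"]))
    return {"status": 200, "author": author}


def post_tweet_hardened(req: Request, timeline: Timeline) -> dict:
    """Hardened handler: the author is always the session's user. If the
    client also sends owner_id / user_id, they must match or the request is
    refused; a mismatch is logged because it is a strong tampering signal."""
    caller = SESSIONS.get(req.session_token)
    if caller is None:
        return {"status": 401}
    for key in ("owner_id", "user_id"):
        if key in req.params and int(req.params[key]) != caller:
            logging.warning("session user %s sent %s=%s; rejecting",
                            caller, key, req.params[key])
            return {"status": 403, "reason": f"{key} does not match session user"}
    timeline.tweets.append((caller, req.params["text"]))
    return {"status": 200, "author": caller}


def demo():
    """Replays one tampered request (mallory's session, alice's ids) against
    both handlers and returns the two responses plus the resulting timelines."""
    tampered = Request("tok-mallory",
                       {"owner_id": "1001", "user_id": "1001", "text": "constructed"})
    vuln, hard = Timeline(), Timeline()
    return (post_tweet_vulnerable(tampered, vuln),
            post_tweet_hardened(tampered, hard), vuln, hard)


if __name__ == "__main__":
    v, h, vt, ht = demo()
    print("vulnerable:", v, vt.tweets)  # tweet appears under alice (1001)
    print("hardened:  ", h, ht.tweets)  # rejected, timeline unchanged
```

The defensive point is that authorisation must be decided from server-held state (the session) and client-supplied identifiers treated as untrusted input; the 403 branch doubles as a detection point, since a legitimate client never sends another user’s id.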

The Samsung Galaxy S8 has the cool feature of iris recognition software, allowing users to use their eye to unlock their phone. Certainly a handy feature, but how secure is it? Turns out, not very.

The German Chaos Computer Club (CCC) has found a way to trick the S8 into thinking a printed photo of an eye is the real thing – but it’s a bit tricky.

Researchers used the night mode of a digital camera to take a photo of an eye from what was described as a “medium distance” and then printed a life-size infrared image of the eyeball, according to a CCC 22 May blog post.

Researchers then placed a contact lens over the iris of the printed image to simulate the surface curvature of a real eye and then held the image in front of the S8 to unlock it.

Is this something the average user needs to worry about? Probably not. But, if you are highly security conscious or perhaps a spy that’s gone rogue – then maybe opt for the usual digit security code.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s May book of the month is EU General Data Protection Regulation – An Implementation and Compliance Guide, an in-depth guide to the changes your organisation needs to make to comply with the GDPR before its enforcement in just under a year’s time. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.