Hard stare not working? Give them the finger.

 In ITC's Threat of the Week

Now you could easily think that we are talking about giving someone the bird, as beautifully portrayed in the first film in ‘The Top Gun Franchise’, (anyone else dislike the ‘franchise’ thing? How does it compare for you with calling Members of Parliament ‘Lawmakers’?).

You might even think we were talking about the neural network A.I. powered robotic hand which has been trained to solve a Rubik’s cube one handed. Cool as these things may be (especially to the geekier of our parish), you would be wrong.

We are talking about a major-domo issue with the new Ultrasonic Fingerprint recognition system in Samsung’s Galaxy S10 and Note10 which, as discovered by some readers of The Sun (nothing wrong with reading it, writing it, that is a different matter), can be bypassed totally by using a third-party screen protector. This is really true. Many corporations are now turning off this method of access.

Pending a patch, Samsung recommend only using Samsung approved protectors. They really have said that. That’s about as cheeky as hosting a meeting of World leaders at your own Golf Resort thinking that nobody will see through the financial implications.

The Android world is already getting to grips with the fact that Google’s Pixel phones can be unlocked using facial recognition when you have your eyes shut, for instance if you are having a nice afternoon nap or possibly preparing to go swimming with the fishes.

Clearly a lack of testing and the increasing pressure to bring products to market are at least contributory factors in these issues. Makes you pine for RIM, doesn’t it?

Securing your enterprise mobile devices is going to get increasingly difficult, especially against a backdrop of these sorts of substantial whoopsies. It may be time to refocus on your device management: Microsoft are coming on leaps and bounds and look set to become the de facto standard in this space (surprise), and JAMF are streets ahead in the Apple space. The time for complacency is well and truly over.

We are well aware that some of our readers are religiously observant. We operate a broad church here and respect the right of anybody to worship as they see fit, even the pastafarians (Boil It and They Will Come), so we were delighted that (about time, not that they have had much else to sort out), The Holy Catholic Church (of which some of us are upstanding members) has released an eRosary bracelet. Activated by making a sign of the cross or presumably genuflecting, the device assists with prayer, piety, at least in V0.1. As with all of these devices, it is essential to calibrate the device appropriately with the correct wrist. The instructions apparently come on a tablet.

Yes, we have checked that the month is not April and yes, we have ordered one. A cousin of one of us is a former nun, so we are well connected, soon to be better connected. A full review will follow.

Onwards and upwards to, in our opinion, the most serious, dark and messed up threats this week.

This week saw the announcement of a major bug in Linux distributions’ ‘sudo’ command. The command, which requires privileged admin account details to operate, has an inbuilt (‘not a coding error’) backdoor which can enable any user to gain maximum privileges.

Obviously this has significant implications for anyone running Linux servers with user access to a shell, for instance loads of containerised environments. How long this has been lurking and how it got there remains to be seen. If you think you may be in this particular version of the Titanic, contact your Linux support provider and make a plan.

Regular, long in the tooth readers might remember that we covered the ‘Sextortion’ business at some length back in July last year. This is the thing where you receive an email with a password that you have used in the past in plaintext, claiming that your machine has been hacked and you have been recorded doing something unspeakable, like eating broccoli or sneaking a whole bag of Haribo, or worse.

The scam uses passwords harvested and sold on zee dark webs (mwahahahaha). It is a numbers game and is very successful at raising funds for the bad guys.

It is also rearing its ugly head once more. The most efficient researchers from Check Point have discovered a hitherto unknown botnet called Phorpiex sending out millions of these emails. These can be very damaging, not to mention expensive and totally unnecessary. We recommend you refer to our previous advice and alert your colleagues, friends and families. These emails come from the hacked machine’s mail forwarder so are hard to block. You have been warned.

If you would like to help secure your Linux environments, do something sensible with your mobiles or have a good laugh about the sexploitation game, we are all ears. Please contact us on: [email protected] or call 020 7517 3900.

Author: Kevin Whelan
