FFT news digest Apr 27 2018

GDPR: Get a map

With millions of words written about the EU's new data protection regulation, it can be difficult to extract any actionable intelligence from them. Much has been made of potentially enormous fines and complex requirements around consent. Amid all the noise, we believe it's essential to focus on getting the basics right. Very few (if any) organisations are likely to be completely compliant on May 25, when enforcement of the regulation begins. But of course that does nothing to reduce the importance of preparation. National regulators, including the UK's ICO, have excellent advice on what to prioritise and this is particularly useful for smaller businesses. As the UK Information Commissioner has said, compliance is a journey; and the key is to demonstrate you have a map.

Upping the ante: The value of exploits

$3 million. That's what a startup in Dubai says it's willing to pay anyone who can find a way to hack iPhone and Android devices. In a press release, Crowdfense said it was launching a bounty program worth a total of $10 million "to introduce higher levels of professionalism and trust in this market." Any exploits it acquires will be sold to "a carefully selected group of global institutional Customers." This is the same model used by other companies in this space, notably Zerodium, so it's not obvious why Crowdfense should be any more professional or trustworthy. But its payments are certainly higher; its $3 million reward is twice the size of the maximum Zerodium offers.

Travel advisory: hotel room risks

Researchers have underlined the security risks of hotel rooms by demonstrating that it's possible to create a skeleton key for an electronic lock used in millions of rooms. The F-Secure team said the attack involved using an ordinary electronic key, "even one that’s long expired, discarded, or used to access spaces such as a garage or closet." This vulnerability has been addressed, but we continue to advise travellers not to leave devices unattended unless they can be locked away, not least because it's been demonstrated that it's relatively easy to access a Windows machine even when locked. More positively, researcher Patrick Wardle has developed a tool which monitors when the lid of a Mac device is opened and sends an alert to an iOS app. We still say lock it away...

Nosy Alexa: The perfect spy

Alexa may be convenient, but researchers have demonstrated that it can also be turned into a highly capable surveillance device. Not only did the Checkmarx team find a way to get Alexa to listen to conversations, they also got it to transcribe them. They did this by creating an 'Alexa Skill' (Skills are apps designed to add functionality to Amazon's virtual assistant). Checkmarx says Amazon has now fixed the issue, but it's not the first time security concerns have been raised over such assistants. Last year, a proof of concept showed how ultrasonic commands could be used to issue commands to them. And researchers also demonstrated that some devices were vulnerable to a Bluetooth exploit.

Router ignorance

Most routers in the UK are a significant security risk because their owners don't update them and don't change default credentials. A survey by Broadband Genie found that only 14% of those questioned had updated their router's firmware, and 18% had changed the default administrator password. We believe most router manufacturers adopt a "fire and forget" approach to their products. Communications are inadequate and user interfaces are poor. This creates fertile territory for attackers who can very easily scan for vulnerable devices, take them over and use them for criminal purposes. Router Security has a comprehensive guide on the issue.

Lessons unlearnt

Despite the increasing prevalence and cost of data breaches, research suggests there is a widespread failure to make changes after an incident. CyberArk's report (registration required) found that 46% of security professionals questioned didn't change their security strategy. Just as worryingly, 36% said they stored administrative credentials in Office documents. There was also a sharp rise in the number of users with administrative privileges on their devices. The report underlines the importance of taking care of the basics - particularly when the importance of protecting personal data has never been greater.

In brief

Misconception of the week: private or incognito browsing protects against tracking and malware. University researchers found the misunderstanding was widespread.

Apple MacBook Pro? Swollen battery? Yup, it's a problem and Apple has launched a battery replacement programme for models without a Touch Bar made in the 12 months to October 2017.

If you're in the US and you're in a trusting mood, you can let Amazon stick its packages in the boot of your car. The scheme (launched in 37 cities) follows a similar scheme to allow couriers to unlock your front door.

The number of tech support scams continues to rise, despite cooperation between companies and law enforcement. Microsoft said there was a 24% rise in complaints in 2017.

Trustwave says Western Digital’s My Cloud EX2 storage devices leak files on a local network by default, regardless of what permissions are set. The company recommends turning off DLNA to mitigate the issue.

Updates

Apple: updates to patch security vulnerabilities in Safari, macOS, and iOS.

Microsoft: two Windows updates meant to fix the Spectre v2 vulnerability.

Gmail: major redesign introduces significant security features including two-factor authentication and expiry dates.

Cisco: patches for AnyConnect, Adaptive Security Appliance and Firepower Threat Defense products.

Foxit: Foxit Reader 9.1 and Foxit PhantomPDF 9.1 address potential security and stability issues.

Drupal: patch for a vulnerability in Drupal 7.x and 8.x, rated Highly Critical.

Mikrotik: firmware patches for RouterOS to address a vulnerability being actively exploited.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217