FFT news digest, May 4 2018

Password insecurity

Passwords are a disastrously poor security mechanism, not least because people continue to reuse them despite being aware of the risks. Research by the password manager LastPass found that 91% of those surveyed understood the risk, but 59% still used the same password for all their accounts. When asked why, most people said they were worried about not being able to remember multiple different passwords made up of random characters. But it's essential to resist the temptation to give up. If proof were needed, look no further than the case of the cyber criminal Grant West. He has admitted to stealing personal data from different sources so that he could sell complete sets of customer details (known as "fullz"). A victim who reused a password would have handed him access to everything. The best defence is to use a password manager and turn on multi-factor authentication wherever possible.

Facebook goes dating

You’ve just had a major privacy scandal. You’ve been (lightly) grilled by Congress. So if you're Facebook, what do you do? You announce a dating app of course. Speaking at Facebook's annual developer conference, Mark Zuckerberg said he wanted to "move forward" from its failure to protect users' personal data. A new tool called "Clear History" will delete information about visits to non-Facebook sites. And Facebook will start monitoring domain names for suspicious variants. But, amid the discussion about privacy and security, a series of innovations was announced which will extract even more data about users. As well as a dating app, there will be augmented reality tools, including facial recognition and location tracking features. Facebook shares have now recovered around half the value lost in the wake of the privacy revelations.

EU's blunt warning

The EU's data protection supervisor has warned social media companies to change their "manipulative approaches". In a bluntly worded blog post, Giovanni Buttarelli said there was a risk companies were talking a good game "while continuing with the same old harmful habits." He warned of the need to be vigilant about attempts to game the system, which he described as a sweatshop from which you can never clock out. The message underlines the importance of "privacy by design", which is one of the key principles of the EU's new data protection regulation. Regulators will be looking for evidence that companies are taking this principle seriously. Paying lip service to the legislation will not be sufficient.

Amazon blocks Signal

Authoritarian regimes will be sending thanks to Amazon for introducing changes which will make it easier to block services like the secure messaging app Signal. A week after a similar move by Google, Amazon said it would ban a practice known as "domain fronting", which allows apps to circumvent restrictions by disguising their traffic as someone else's. Amazon cited security as the main reason for the ban, although there's no suggestion that Signal's use of the technique has been responsible for causing such issues. The governments of Egypt, Oman, Qatar and the UAE have blocked Signal for the past 18 months. They will doubtless be grateful to Amazon for its help in making their ban work in the way they intended.

Spilling the company beans

The risks of cloud-based collaboration solutions have been underlined by research showing a remarkable number of passwords being shared online without any security precautions. Security journalist Brian Krebs found numerous instances of sensitive internal information being posted on open Trello boards. Among the companies affected were an insurance firm, a state government agency and the ride-hailing service Uber. Meanwhile, a survey by Clearswift suggests 45% of employees have accidentally sent emails containing bank details, personal information, confidential text or an attachment to unintended recipients. Technology can help manage these risks, but we believe it's also essential to raise awareness among users and build security into the way everyone works.

Facial recognition

More evidence that facial recognition is leaving the laboratory and becoming commonplace. The Washington Post reported that the biggest seller of police body cameras in the US is considering adding facial recognition technology to its devices. Axon's Chief Executive, Rick Smith, said "it would be both naive and counterproductive to say law enforcement shouldn't have these new technologies." Facial recognition is already widely used in China, and Reuters reported that Singapore's Changi airport is planning to introduce it to track passengers who are late for their flight. Civil rights groups have warned of the risks of the technology and the lack of consultation about its introduction.

In brief

Twitter has told its 330 million users to change their passwords after finding they were stored internally as plain text.

There's been a surge in the use of fake Facebook Messenger messages to spread malicious software. Trend Micro said the malware tries to persuade users to download a malicious Chrome extension.

Criminals are exploiting the imminent introduction of new data protection rules to trick users into handing over personal information.

There has been a sharp rise in malicious cryptomining software this year, according to research by the security company Malwarebytes.

The High Court has ruled that Part 4 of the Investigatory Powers Act is incompatible with EU law. The government was given 6 months to fix it.

The BBC reports that Apple is using a non-existent clause in its terms and conditions to refuse battery replacements.

Updates

Cisco: updates for multiple vulnerabilities including critical issues with Webex and Secure Access Control System.

Oracle: new vulnerability found in Access Management solution. Ensure latest update applied.

Microsoft: update for the Windows Host Compute Service Shim library to patch a critical remote code execution vulnerability.

Apple FCP X: version 10.4.2 addresses issues with multiple clip selection and XML import/export.

Zimbra: Patch 2 issued for 8.8.8 GA release.

SecureDrop: pre-release announcement for 0.7.0.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217