FFT news digest Aug 24 2018

Google pursued over tracking

Google's hasty clarification about how it tracks users has failed to put a lid on the story. A lawsuit filed in California accuses Google of making a false representation by saying "the activation of certain settings will prevent the tracking of users’ geolocations." Following an Associated Press report last week, Google changed the way it described Location History to make clear that turning it off does not affect other services (which faithfully continue to report where we are). The Electronic Privacy Information Center has claimed Google’s practices violate a 2011 settlement with the Federal Trade Commission governing what it does with the information it gathers about its users. Meanwhile, a study into Google's Android operating system has revealed what's going on under the hood. It found 46% of all communications on Android devices are with advertising services, such as Google Analytics, DoubleClick, AdWords, and AdSense. More evidence that on the web, free really doesn't mean free.

Protecting democracy

Technology companies have published details that reveal the scale of attempts by Russia and Iran to influence public opinion, with particular focus on the US and the UK. Microsoft said it shut down 6 domains owned by a group linked to Moscow. It said they had been used to try to steal usernames and passwords in a campaign linked to the US mid-term elections. Facebook removed more than 650 pages and groups which it had identified as misleading and which it said were controlled by Russia and Iran. Twitter also banned 284 accounts "for engaging in coordinated manipulation." Facebook and Twitter said the operations were not focussed specifically on November's US elections, but aimed to have a wider influence on public opinion. Google has also detailed extensive state-sponsored activity ascribed to Iran.

Superdrug 

UK retailer Superdrug has told online customers to change their passwords after what it says was an attempt by criminals to extort money from it. Superdrug said a ransom had been demanded after criminals showed it a number of accounts which they said they had stolen. But the company insisted that there was no sign its systems had been breached and the credentials had probably been stolen from other websites. This approach is becoming an increasingly popular way of monetising the vast amount of user information that is available. In a variation on the theme, Motherboard reports that criminals have managed to extort half a million dollars by persuading users they had been secretly filmed watching pornography. Credibility was added by including a stolen password in the ransom demands.

Spyfone spills data

A spyware company has exposed the data of thousands of customers by failing to secure an Amazon cloud storage solution. Motherboard reports that the issue was discovered by a researcher who found Spyfone's storage wasn't even protected with a password. The exposed data includes photos, text messages, audio recordings, contacts and location information. Spyfone is one of a number of companies selling surveillance software that enables customers to monitor any device on which the solution is installed. Motherboard was able to verify the leak by creating an account, installing the spyware, and taking a photo. Within hours, the researcher sent one of the photos back. Amazon has provided simple mechanisms to try to stop this sort of mistake. Given the sensitivity of Spyfone's data, it's extraordinary it was so poorly protected.

When a hack is not an attack

Red faces at the Democratic National Committee following its admission that a (very) widely-reported cyber attack was a false alarm. On Tuesday, the DNC contacted the FBI after spotting a fake login page for its voter registration tool. The DNC's Chief Security Officer, Bob Lord, followed this up by telling CNN, "We need the (Trump) administration to take more aggressive steps to protect our voting systems. It is their responsibility to protect our democracy from these types of attacks." The only problem is that far from being malicious, the fake login page was part of a simulated phishing attack designed to improve security...but which the DNC's head office knew nothing about. The incident does show the DNC is taking security seriously and, doubtless, lessons about governance will have been learnt because false alarms can be damaging in themselves.

Facebook app pulled

Facebook is reported to have removed a security app from Apple's App Store because it violates rules on data collection. The Wall Street Journal says the decision was taken after "cordial" discussions between the two companies. The Onavo Protect app claims to block malicious sites, warn about phishing scams, and secure web traffic. It does this by routing everything through Facebook servers, which also provides the social network with invaluable data about how the device is being used. Facebook says the terms and conditions for the app make it clear to users that their activity is being tracked. This is true, providing you look hard enough. Meanwhile, over in Google's Play Store, Onavo Protect is still available for Android devices. That free lunch thing again...

In brief

Encrypted messaging solution, Wickr, is introducing a service designed to allow its users to circumvent censorship. The roll-out follows decisions by Amazon and Google to prevent a practice known as "domain-fronting" which hides the destination of web traffic.

Microsoft says a minimum of Sierra 10.12 will be required to access the new version of Office 365/Office 2019 for Mac which is due to be released next month.

An issue in Ghostscript could allow attackers to take control of vulnerable systems, and currently there's no fix for the problem. Ghostscript is widely used to interpret Adobe PostScript and PDF page description languages. Affected companies include Red Hat, Ubuntu, Artifex Software and ImageMagick.

Despite the constant reports of cyber attacks, there has been a steady decline in related prosecutions in the UK. The Times reports that 47 cases were brought last year under the 1990 Computer Misuse Act. That's down from 61 in 2015.

Trades Unions in England and Wales have called for the creation of a legal right to be consulted about surveillance in the workplace. 

Updates

Adobe: updates for the Windows and macOS versions of Photoshop CC to address two critical remote code execution vulnerabilities.

Apache: Updates to address critical security vulnerability affecting all versions of Apache Struts 2. Issue is expected to be exploited imminently. Users of Struts 2.3 advised to upgrade to 2.3.35; users of Struts 2.5 to 2.5.17.

Skype: Microsoft says its end-to-end encrypted Private Conversations feature is now available across all platforms. But although the content of calls is hidden, Microsoft still has access to information about them such as who talked to whom and when. The feature uses the open Whisper protocol, developed by the people behind the Signal messaging app. We continue to recommend this as the best option for simple, secure communication.

Zimbra: Zimbra 8.8.9 “Curie” Patch 3, Zimbra Collaboration 8.7.11 Patch 6 and Zimbra Collaboration 8.6.0 Patch 11 released.

Gmail: Support for 'Confidential mode' extended to mobile devices.

Airmail: update to address a vulnerability that allows third parties to access email databases and messages.
