FFT news digest Oct 19 2018

Facebook

Multiple stories about Facebook this week, beginning with the good news: the recent data breach affected fewer people than initially thought. The bad news: the stolen data included phone numbers, email addresses, birth dates, searches, and location check-ins (as a New York Times reporter demonstrated). In other words, details that could be invaluable to scammers who are constantly seeking to hijack Facebook accounts for criminal purposes. If you're concerned, there's more information here, including whether you were affected. Meanwhile, there have been some updates to earlier reports about advertising and Facebook's new Portal video device. A forensic dissection of Portal's terms and conditions by Pat Walshe demonstrates that Facebook will be able to use Portal data in exactly the same way as it uses data from Messenger, i.e. to target adverts. It's just that those adverts may not appear on Portal, for the moment. The Recode website is unimpressed.

Anti-social media

New details have emerged about the use of Twitter and Facebook to influence opinion and spread disinformation. Twitter released a vast dataset comprising more than 10 million public, non-deleted tweets, two million images and videos, and thousands of accounts linked to state-backed operations in Russia and Iran. While some of the activities have been reported before, the scale of the data provides insights into the sophistication of the Russian operation. As the Atlantic Council's Digital Forensic Research Lab reports, "The Russian operation aimed at dividing polarized online communities in the U.S., unifying support for Russia’s international interests, and breaking down trust in U.S. institutions." Meanwhile, a New York Times investigation shows how Myanmar's military used a 5-year long campaign on Facebook to target the country's mostly Muslim Rohingya minority. The campaign included the use of fake images, and a false story about the rape of a Buddhist woman by a Muslim man.

Employees; friend or foe

Depending on which report you read, employees are either your greatest security asset, or a moderate to severe security risk. Of course, the two positions aren't mutually exclusive, and a post by Cisco CISO, Steve Martino, makes clear that it's only by having an informed workforce that human error can be reduced. Cisco adopts a three-phased approach, including Training and Education, Accountability, and Advocacy (which aims to make employees "proactive security advocates"). That's exactly our view. We believe that the only way of improving security is to make sure it's part of the everyday conversation. We are wholeheartedly in favour of initiatives like Cybersecurity Awareness Month (which we're in the middle of at the moment). But we believe it's essential to ensure the conversation continues when the month is over, as we argue in a longer post here. The alternative is to go down the less positive path as set out in MediaPRO's third annual State of Privacy and Security Awareness Report. It found that, overall, the situation had deteriorated since last year. Frankly, that's inevitable if the issues are treated as tick-box exercises. 

NCSC warning

A major cybersecurity attack against the UK is a matter of when, not if, according to the National Cyber Security Centre (NCSC). Releasing its second annual report, the NCSC's Chief Executive, Ciaran Martin, said, "I remain in little doubt we will be tested to the full...by a major incident at some point in the years ahead, what we would call a Category 1 attack." The NCSC defines such an attack as one which causes sustained disruption to the UK's essential services or national security, leading to severe economic or social consequences, or to loss of life. The report reveals the scale of existing attacks by saying it has handled 1,167 incidents and has removed 138,398 unique phishing sites since the Centre was created in 2016. Despite being part of the highly secretive GCHQ, the NCSC has gone out of its way to engage with the outside world. It has given briefings and has produced excellent advice on how organisations can improve their security. Indeed, we recommend its guidance as an excellent introduction to the subject.

Printing ink

Do you have an Epson printer? Do third-party ink cartridges work in it? If not, the Electronic Frontier Foundation (EFF) would like to hear about your experience. The EFF has accused Epson of sending deceptive updates to many of its printers in an effort to block the use of any cartridges except its own. After the issue was spotted by a resident in Texas, the EFF complained to the state's Attorney General that Epson was guilty of "misleading, deceptive, or anticompetitive behavior." After a similar controversy in 2016, HP was forced to apologise for deploying security updates that blocked third-party ink products. Unfortunately, given that their entire business model depends on cheap products and expensive consumables, nobody should be surprised at the manufacturers' antics. However, as the EFF has pointed out, the risk of using updates to underpin their business model is that it encourages people not to install them, thus creating a significant security risk.

Biometrics

The march towards ubiquitous use of biometrics continues, with Heathrow airport announcing a plan to implement facial recognition at every point of departing passengers' journeys. A statement from the airport said, “The long-term aim of the technology will be for passengers to be able to walk through the airport without breaking their stride.” Continuing its hyperbolic embrace, it bills the project as the largest such scheme in the world. As it happens, the Heathrow statement coincided with news from the US where the Transportation Security Administration released a roadmap for expanding biometrics technology, with the emphasis on facial recognition. While such technologies may be convenient, privacy advocates have warned they are being introduced with little or no discussion about how they should be controlled.

In brief

A series of security issues means eight models in D-Link's DWR range are highly vulnerable, and most of them won't be fixed. The Polish researcher who found them says D-Link told him that a patch would be issued for 2 models but the others had reached end of life.

The FBI has warned that criminals are targeting HR systems so they can divert salary payments to their own accounts. The method involves stealing work credentials so they can change the destination for direct debits.

A devious campaign to install cryptomining software on Windows computers abuses Adobe's Flash Player. As Palo Alto Networks found, what makes this different is that the process actually installs a real update, as well as the malicious software.

Microsoft says people are getting better at spotting tech scams, but they still generate 11,000 complaints a month. It found people had developed a healthy scepticism about unsolicited contacts from technology companies.

Google has finally admitted it is developing a censored search tool that can be used in China. CEO, Sundar Pichai, told the WIRED 25 Summit that the decision was based on the size and importance of the Chinese market.

Malicious RTF files are being used to infect machines with malicious software designed to steal information. Cisco Talos security researchers say the files are designed to exploit a vulnerability in the Equation Editor component of Office.

The Irish Data regulator is investigating how much data Twitter collects from its URL-shortening service. It comes after a British user made a request under the GDPR for Twitter to disclose any information gathered about him.

Updates

Oracle: October security update patches more than 300 vulnerabilities across product range, including Database, E-Business Suite, and Fusion Middleware packages.

Chrome: Version 70 includes new setting that allows users to control what the browser does when a user logs into a Google account. The change follows accusations of a lack of transparency in how accounts were being synced.

VMware: patch to address critical arbitrary code execution vulnerability in the SVGA virtual graphics card used by Workstation, ESXi and Fusion products.

Cisco: updates to address multiple vulnerabilities in several products; 7 rated high severity.

Drupal: updates for Drupal 7.x and 8.x to fix vulnerabilities that a remote attacker could exploit to take control of an affected system.

Splunk: patches for several vulnerabilities in Enterprise and Light products, including issues rated “high severity.”

Zimbra: releases 8.8.10 “Konrad Zuse” Patch 1 and 8.8.9 “Curie” Patch 6.
