FFT news digest Nov 30 2018

The cost of the cover up

Uber has been fined more than $1 million in total by UK and Dutch regulators over a data breach which the company initially tried to cover up. The UK Information Commissioner's Office said, "the incident was not only a serious failure of data security on Uber's part, but a complete disregard for the customers and drivers whose personal information was stolen." The ICO said the attackers gained access by "credential stuffing": username and password pairs stolen from other sites are tried, in bulk, against a service until some of them work, which is why a password reused across services is only as safe as the weakest of them. Details of the breach emerged a year after it took place, when it also transpired that Uber had paid the attackers $100,000 to delete the data. Meanwhile, new research says nearly half the UK's IT directors would "definitely" be willing to pay a ransom to attackers in order to avoid reporting a data breach and incurring a fine under the new European regulations.
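The digest describes credential stuffing but not what it looks like from the defender's side. The following is an added example, not code from the digest, Uber or the ICO: it scans a constructed authentication log for source addresses that try many distinct account names inside a short window with a low success rate, which is the pattern a replay of leaked credentials leaves behind (a normal user mistyping one password does not trip it). The log format, the thresholds and the sample lines are assumptions chosen for illustration.

```python
"""Credential-stuffing detector over constructed auth-log lines.

Added example (not from the FFT digest or any vendor). Flags a source
address that attempts many distinct usernames with a low success rate
inside a sliding time window. Log format, thresholds and sample lines
are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO time> <src_ip> <user> <result>".
# 203.0.113.9 replays many different accounts and mostly fails (one hit),
# 198.51.100.4 is a single user mistyping a password twice, then succeeding.
SAMPLE_LOG = """\
2018-11-30T09:00:01Z 203.0.113.9 alice FAIL
2018-11-30T09:00:02Z 203.0.113.9 bob FAIL
2018-11-30T09:00:02Z 203.0.113.9 carol FAIL
2018-11-30T09:00:03Z 203.0.113.9 dave OK
2018-11-30T09:00:03Z 203.0.113.9 erin FAIL
2018-11-30T09:00:04Z 203.0.113.9 frank FAIL
2018-11-30T09:00:05Z 203.0.113.9 grace FAIL
2018-11-30T09:00:05Z 203.0.113.9 heidi FAIL
2018-11-30T09:00:06Z 203.0.113.9 ivan FAIL
2018-11-30T09:00:07Z 203.0.113.9 judy FAIL
2018-11-30T09:01:10Z 198.51.100.4 mallory FAIL
2018-11-30T09:01:20Z 198.51.100.4 mallory FAIL
2018-11-30T09:01:30Z 198.51.100.4 mallory OK
2018-11-30T09:20:00Z 203.0.113.9 kate FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=8, max_success_ratio=0.2):
    """Return {src_ip: (distinct_users, successes, attempts)} for every source
    that, within some `window`, tried at least `min_users` distinct accounts
    with a success ratio no higher than `max_success_ratio`.

    The tuple reported is the window with the most distinct accounts seen.
    Thresholds are assumptions; tune them to the service's normal traffic.
    """
    events = defaultdict(list)  # src_ip -> [(timestamp, user, succeeded)]
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until evs[start:end+1] fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best[0]:
                    flagged[ip] = (len(users), successes, len(win))
    return flagged


if __name__ == "__main__":
    for ip, (users, hits, tries) in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {users} accounts, {hits} successes in {tries} attempts")
```

The success-ratio condition matters: a stuffing run is not all failures, it produces a trickle of hits (the `dave OK` line), and those hits are the accounts that need a forced password reset, not just the source that needs blocking. Counting distinct users rather than raw attempts is what separates this from a single user's failed logins.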

Consumer groups vs Google

European consumer groups have filed a privacy complaint against Google, arguing that it uses manipulative tactics to track the location of web users so that it can target them with advertisements. The groups are bringing the complaint under the EU's new data protection regulation, the GDPR, which requires the user's consent (or another lawful basis) for the processing of personal data. In their complaint, the groups argue that Google does not have that consent to track users through "Location History" and "Web & App Activity". Google has rejected the complaint, saying it provides controls and makes clear how its services work and what data they collect. Among the groups making the complaint is Norway's Consumer Council, which earlier this year produced a report detailing how Google and Facebook employ manipulative design tricks to persuade users to accept intrusive settings.

Protecting confidential data

The need to protect confidential information was demonstrated by a bizarre episode involving Facebook, a US businessman and the UK Parliament's Serjeant at Arms. Along with parliamentarians from 8 other countries, the UK has been frustrated by the refusal of Facebook CEO Mark Zuckerberg to appear before a joint committee. So when the committee's chair discovered that the businessman was in London and had access to internal Facebook documents that are part of a prolonged lawsuit, he dispatched the Serjeant at Arms to persuade him to hand them over. According to his lawyers, the businessman panicked and copied the documents from a Dropbox folder synced to his laptop. This may be an extreme example, but it does show that the only reliable way to protect documents is not to carry copies of them, synced or otherwise, especially when travelling.

The risks of the dodgy websites

Details of a massive advertising fraud operation illustrate why dodgy websites are so risky. In a report, Google says that at its peak "3ve" used as many as 1.7 million hijacked devices to generate fake advertising clicks on spoof websites. A key way of compromising devices was through an adult website where advertisements appeared to be for browser and Adobe Flash updates. In fact, when these were clicked, the user was redirected to a webpage which installed the malicious software. The scale of the operation led to the creation of an industry working group which took down the scam and resulted in indictments against 8 individuals. As well as being aware of the risks of the seamier side of the web, it's worth noting that the "3ve" malware would only install on systems without security software: the absence of even basic protection was the signal that a machine was a safe target.

Pegasus in Mexico

Colleagues of a murdered Mexican journalist were targeted with Pegasus spyware in the days following his killing, according to research by the University of Toronto's Citizen Lab. The report says 2 journalists received unusual text messages on their smartphones. The messages contained links which would have compromised the devices if the journalists had clicked them. This is the latest instance Citizen Lab has discovered of Pegasus being used in Mexico. The spyware gives the operator complete control over a device, and its Israel-based developer says it is sold exclusively to governments for law enforcement purposes. Citizen Lab has identified a total of 24 people in Mexico who have been targeted with the spyware, including journalists, editors, activists and politicians. Its research underlines why it's so important to be cautious about clicking on links in text messages, even when the sender appears to be genuine.

Marriott data breach

Marriott International, the world's biggest hotel business, says personal details of up to 500 million guests may have been accessed illegally because of a data breach that began in 2014. Marriott said the incident affected the Starwood guest reservation database, which contained reservation details including names, passport numbers and, in some cases, payment card numbers and expiry dates. It added that the card numbers were encrypted but that it could not rule out that the information needed to decrypt them had also been taken. Marriott said it became aware of the incident in September, and only discovered the extent of the breach on November 19, when it notified law enforcement. Marriott bought the Starwood chain in 2016, and the nature of the breach, which predates the purchase by two years, will clearly call into question what security due diligence was carried out as part of the acquisition. Marriott has created a website about the incident and is contacting anyone who is affected.

In brief

The UK data protection regulator has issued the first fines to organisations which failed to pay the data protection fee. All organisations, companies and sole traders that process personal data must pay an annual fee to the ICO unless they are exempt.

A data recovery company claims to be able to break the passcode on iPhones and recover data from them. DriveSavers says it is "utilizing new proprietary technology" but unsurprisingly doesn't provide any details. The price is reported to be $3,900 per device.

The US Department of Justice has been urged not to give the UK authorities access to data held or processed by US companies. Nine non-governmental organisations said the UK's surveillance regime is not compatible with human rights.

Researchers have warned that an industrial espionage group is using AutoCAD-based malware to target companies in the energy sector. Forcepoint says the campaign involves emails containing malicious AutoCAD files or links to booby-trapped websites. They advise users to review AutoCAD's security recommendations.

A phishing campaign is trying to steal Spotify credentials. AppRiver says emails try to persuade users to click on a link which takes them to a realistic copy of the Spotify website.

Dell.com has reset all customer passwords after a cyber attack. It said it took the action on November 9 but only announced it nearly three weeks later. Dell thinks the attack was unsuccessful, but advises customers against reusing their Dell password anywhere else.

Updates

Microsoft: a new version of Apple's iCloud for Windows, 7.8.1, fixes syncing problems with Windows 10 version 1809. Microsoft advises users to update the iCloud app before trying to install the new version of Windows 10.

Sennheiser: if you have ever used a Sennheiser app with a Windows or macOS device, it is important to read Sennheiser's instructions on what to do, because of a serious security issue.

Cisco: releases a new set of patches for the Webex Meetings desktop app and Webex Productivity Tools after advising that the previous fix was "insufficient".

Zimbra: 8.8.10 "Konrad Zuse" Patch 4 and 8.8.9 "Curie" Patch 8 released.

Samba: security updates to address several vulnerabilities which could be used to take control of an affected system.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217