FFT news digest Dec 7 2018

Opening Facebook's kimono

Facebook is deeply unhappy that a British parliamentary committee has published a trove of internal documents - and the contents explain why. The internal emails and memos reveal the company's single-minded focus on maximising profits from the information gathered through its platforms. They show Facebook's ruthless use of data to favour some partners and undermine others, and they suggest a cavalier attitude towards user privacy. Facebook has complained that the documents tell only one side of the story and omit important context. Coverage of the affair has called the documents "devastating" and suggests they demonstrate why Facebook has never deserved to be trusted. Whether selective or not, they provide an unsavoury glimpse into how Facebook has grown into the huge business it is today. But we find it hard to believe that anyone who has watched Facebook's growth will be surprised by them.

Lessons from Marriott

It's an unfortunate fact that sooner or later, whether as an organisation or an individual, we are going to suffer a data breach. Marriott seems to have planned as if it never would. It's important to remember that last week's announcement affecting 500 million guests related to the Starwood hotel group. Marriott bought Starwood in 2016, but the breach dates back to 2014 and was evidently missed during the purchase process. Hotels are a key target for attackers because of the range of data they gather, and hold, about their guests. That means the possibility of an existing compromise has to be a priority to investigate in any acquisition, on the assumption that at least one skeleton is lurking in a cupboard. Another lesson from the Marriott breach is to treat emails about it with suspicion: fraudsters are already exploiting the news by urging people to visit webpages designed to steal their personal information. And, of course, if you're a Starwood customer, make sure you're not using that password anywhere else.

Hacking printers

After 50,000 printers were hacked to produce an advert for a YouTube channel, a service has emerged offering to do the same thing for anyone willing to stump up some cash. Spotted by security company GreyNoise, the service calls itself "Printer Advertising" and claims to be able to reach "every single printer in the world." The claim is patently false, but it is a reminder that any printer reachable from the internet should be regarded as a security risk. It's essential to make sure that printers are running the latest firmware, that any default passwords have been changed, and that remote management is disabled unless it is genuinely needed; the printing ports themselves (TCP 9100 for raw printing, 631 for IPP and 515 for LPD) should not be reachable from outside the network. (While you're checking, it's also worth making sure your home router is up to date, isn't using a default admin password and has its firewall enabled.) Home and small office devices are particularly exposed, and care should be taken before they are connected to a corporate network. Even a printer's fax capability has been shown to be an attack surface.
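The quickest way to find out whether one of your own printers is reachable in the way described above is to try the raw-printing port yourself. The script below is an added example, not code from the digest or from GreyNoise: it tests whether the usual printing ports answer and, if TCP/9100 does, asks the device to identify itself with a harmless PJL INFO ID query (PJL over port 9100 is an assumption here; the text does not name the protocol). The "fake printer" at the bottom is constructed so the example runs offline against localhost; point the functions at a real device's address to use them for a check.

```python
"""Check for exposed printing ports and identify a raw-print (TCP/9100) device.

PJL INFO ID is a read-only query that most JetDirect-compatible printers answer
with their model string. The fake printer below is a constructed stand-in so the
example runs offline; it is not a real device or any service named in the digest.
"""
import socket
import threading

UEL = b"\x1b%-12345X"                     # PJL Universal Exit Language sequence
PJL_INFO_ID = UEL + b"@PJL INFO ID\r\n" + UEL
FORM_FEED = b"\x0c"                       # terminates a PJL response
DEFAULT_PRINT_PORTS = (515, 631, 9100)    # LPD, IPP, raw/JetDirect


def open_printer_ports(host, ports=DEFAULT_PRINT_PORTS, timeout=2.0):
    """Return the subset of PORTS on HOST that accept a TCP connection."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:
            pass                          # refused, filtered or timed out
    return sorted(found)


def parse_pjl_info_id(reply):
    """Extract the model string from a PJL INFO ID reply, or None if not PJL."""
    body = reply.split(FORM_FEED, 1)[0].decode("ascii", "replace")
    lines = body.splitlines()
    if not lines or not lines[0].startswith("@PJL INFO ID"):
        return None
    for line in lines[1:]:
        line = line.strip()
        if line:
            return line.strip('"')
    return None


def query_printer_id(host, port=9100, timeout=3.0):
    """Send PJL INFO ID to HOST:PORT and return the reported model, or None
    when the port is closed, the device stays silent, or the reply is not PJL."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(PJL_INFO_ID)
            reply = b""
            while FORM_FEED not in reply:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                reply += chunk
    except OSError:
        return None
    return parse_pjl_info_id(reply)


# --- constructed fake printer so the example can run without hardware --------
def start_fake_printer(model="HP LaserJet 4250"):
    """Listen on an ephemeral localhost port and answer PJL INFO ID with MODEL.
    Returns the port number; the server runs in a daemon thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(4096)
                if b"@PJL INFO ID" in data:
                    conn.sendall(b'@PJL INFO ID\r\n"' + model.encode() + b'"\r\n' + FORM_FEED)

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_fake_printer()
    print("open printing ports:", open_printer_ports("127.0.0.1", ports=(port,)))
    print("device identifies as:", query_printer_id("127.0.0.1", port))
```

Run it against a printer's address from outside your network (or from a guest Wi-Fi segment) rather than from the LAN: an answer to the raw-print query from outside is exactly the exposure the "Printer Advertising" service relies on. A reply from inside the LAN is normal; the fix in that case is a firewall rule at the edge, not a change on the printer.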

Police under the cosh

Cyber crime is now the most significant source of harm in the UK, and the volume of incidents is putting increasing pressure on constrained police resources. The UK police lead for cyber and economic crime, Peter O'Doherty, told a conference that one of the key challenges was that cyber crime frequently crosses national boundaries, according to Computer Weekly. His comments came as research from Parliament Street showed that individuals are increasingly turning to their local police to investigate cyber crimes; in many cases the research found police were being asked to deal with the hijacking of social media accounts. Police have urged organisations and individuals to report cyber crimes but, given the pressure on UK forces, it's hard to see what they will be able to do about most of them. Prevention is a far better option: multi-factor authentication and a password manager go a long way towards preventing exactly the kind of account hijacking that is being reported.

WhatsApp and Khashoggi

NSO Group, which makes the Pegasus spyware, has rejected accusations that its technology played a role in the circumstances that led to the killing of Saudi journalist Jamal Khashoggi. A lawsuit filed in Israel, where NSO Group is based, alleges that the company's products were used to monitor a critic of the Saudi government who was in contact with Khashoggi. According to research by the University of Toronto's Citizen Lab, the critic's smartphone was infected with Pegasus after he clicked on a link in a text message masquerading as package tracking information. CNN reports that the phone contained WhatsApp messages between the critic and Khashoggi which discussed launching an anti-state campaign. NSO Group told The Times of Israel that the lawsuit was "completely unfounded."

Negligent users

New research paints a painful picture of enterprise vulnerability to cyber attacks. Dark Reading's annual Strategic Security Survey says (registration required) that enterprises are spending more on cybersecurity than ever before but, despite this, more of them believe their organisations are vulnerable to data breaches. The survey of 300 IT and security managers identified end users as a key risk: 61% of respondents predict that users who are negligent or break policy will cause a major data breach in the next 12 months. The survey also points to the increased sophistication of threats as the leading reason for the rising sense of vulnerability, and wider use of mobile devices is also regarded as a significant risk. It may be impossible to eliminate these risks, but effective training and mobile device management provide relatively simple ways of mitigating them.

In brief

Affected by the O2 outage? Cellular equipment firm Ericsson says the cause was an expired software certificate.

More than 8,000 data breaches have been reported in the UK since enforcement of the General Data Protection Regulation (GDPR) began in May. Information Commissioner Elizabeth Denham also said the number of complaints from the public had doubled.

Sneaky iOS fitness apps have been fooling users into handing over up to US$119. "Fitness Balance" and "Calories Tracker" ask users for their fingerprint to access data but, once the user has authenticated, use that approval to charge a saved credit card or other payment source.

Further evidence of the risk posed by browser extensions: Netscout reports that a nation-state-backed hacking group has used a Google Chrome extension to steal passwords and cookies from victims' browsers.

Another nail in the coffin of text-based CAPTCHA tests that are used to make sure we're human. University researchers have found a way to defeat them automatically. So expect to see more images of traffic lights and pedestrian crossings. (FYI CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart.")

Question-and-answer platform Quora says it's investigating a data breach which may have affected approximately 100 million users. The data include names, email addresses and hashed (i.e. not plaintext) passwords. Hashing slows an attacker down but does not make passwords unrecoverable, so the usual advice applies: change the Quora password, and anywhere else it was reused.

The US Federal Trade Commission says people over the age of 70 are being duped by fraudsters pretending to be their grandchildren. The scams result in losses of thousands of dollars. As the FTC advises, "Don't act right away, no matter how dramatic the story is."

Updates

Google: The December Android Security Bulletin addresses 53 unique issues, dominated by remote code execution (RCE) vulnerabilities.

Adobe: Emergency update for an Adobe Flash zero-day vulnerability that is being actively exploited to hijack devices. The exploit arrives via Office documents attached to emails.

Apple: Updates for iCloud for Windows, Safari, iTunes, macOS Mojave, tvOS and iOS.

Chrome: The latest version of Google's browser steps up efforts to block abusive websites by blocking ads that try to trick users with fake warnings.

Citrix: has asked users of its ShareFile service to reset their passwords, saying it is part of a new policy that will require regular password resets. This is despite general agreement (reflected in current NIST and NCSC password guidance) that forcing frequent password changes simply leads to people choosing poor ones.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217