FFT news digest Dec 14 2018

Location, location, location

A New York Times investigation has revealed the extent to which apps are monitoring our movements so that the resulting location data can be sold as part of a market estimated to be worth $21 billion in the US alone. The Times reviewed a database of more than a million phones in the New York area and, while the records were anonymous, the newspaper found it was trivial to work out who someone was. As we've written before, location data is immensely valuable to a range of companies, including advertisers, retailers and researchers. Those companies say they are interested in patterns rather than individuals - but a patent application by Facebook shows that it wants not only to track people, but also predict where they will go in order to better target them with adverts. For a sense of the scale of location tracking, the Times report is well worth a read.

In case of a no-deal Brexit

There are few certainties in the maelstrom that is British politics, but time is running out to avoid a no-deal exit from the EU, and the UK data protection regulator has provided guidance in case that happens. The Information Commissioner's Office (ICO) points out that the key issue is the transfer of personal data from European Economic Area countries to the UK. The UK will seek an 'adequacy' decision from the EU that recognises the UK's data protection regime as equivalent to the EU's and would allow data flows from the EEA, but that could be a lengthy process. The ICO has a guide setting out the key issues to consider in order to be prepared for a no-deal scenario. These include considering whether you will need to appoint a representative based in the EEA. A word of warning. The ICO's guidance is helpful, but it does underline the complexity involved in a no-deal exit and it's worth reading in detail and taking professional advice. Above all, its message is to plan now rather than wait to see what happens.

China accused

As emails flutter into the inboxes of the 500 million people affected by the Marriott data breach, reports have pinned the blame on China and the FBI has described Beijing as "the most severe counterintelligence threat" facing the US. Unnamed officials quoted by the New York Times said the Marriott breach was part of an extensive Chinese operation that also targeted health insurers and government workers. Speaking to a Senate Judiciary Committee, US security officials said China was "proposing itself as an alternative model for the world," and they accused it of adopting a simple playbook: "rob, replicate, and replace." While it is extremely difficult to be certain about responsibility for cyber attacks, the US is reported to be about to blame China publicly for a pattern of illegal behaviour. For its part, China has vehemently denied the accusations.

Learning from Equifax

A US congressional report has blamed the Equifax data breach on lack of accountability and the complexity of its IT systems. The damning report lists a catalogue of errors which resulted in the loss of personal data belonging to more than half of the US population (and to 15.2 million UK records as well). Describing the incident as "entirely preventable", the report says Equifax allowed 300 security certificates to expire, including 79 for monitoring business critical domains. It rejects Equifax's assertion that a single individual was responsible for the incident, instead saying there were no clear lines of authority in its IT management structure. The report makes a number of recommendations including replacing legacy systems with modern security solutions. "Private sector companies, especially those holding sensitive consumer data like Equifax, must prioritize investment in modernized tools and technologies," it concludes.

Australian rules

The Australian parliament has approved a bill that aims to address "the challenges posed by ubiquitous encryption". The snappily entitled Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 provides a framework for "voluntary and mandatory industry assistance to law enforcement and intelligence agencies" to enable them to access the content of encrypted communications. Industry experts have warned about the risk of undermining encryption and reducing overall security and privacy. The Australian government has tried to address these concerns by including a provision that prohibits the introduction of a "systemic weakness...into a form of electronic protection." However, the cases where such limitations apply appear to be limited and it's not clear what this safeguard will mean in practice. Apple, Google and Microsoft have called the law "deeply flawed", saying it will undermine security and human rights.

Insecure messaging

Researchers have warned of further security issues surrounding the use of the desktop versions of secure messaging applications such as Signal and WhatsApp. The Talos investigation says, "secure instant messaging applications have a solid track record of protecting the information while in transit," but adds that, "they fall short when it comes to protecting application state and user information." In practice, this means that an attacker could use malicious software already running on the computer to hijack a session from a desktop version and access data without the user knowing, or before they realised what had happened. The Talos report comes two months after a researcher discovered security issues with the upgrade process for Signal Desktop. The key lesson from these reports is that end-to-end encryption may protect the content of messages while they're in transit, but once they are on a computer, they are only as secure as the device itself. The UK's National Cyber Security Centre (NCSC) has advice on protecting your computing devices.

In brief

It would be fair to say that Google+ has not been a success, and now its closure date has been brought forward after the company admitted a data breach affecting 52.5 million users.

A British headteacher has been prosecuted for taking personal data from two schools he had worked at previously. The case underlines the importance of ensuring employees don't take data with them when they leave an organisation.

Facebook employees are using burner phones "to talk shit about the company," according to Buzzfeed News. Burner phones are extremely difficult to use effectively, so Facebookers would be wise to take advice if they want to stay anonymous.

Five years ago, the Syrian Electronic Army caused havoc for major media organisations by hacking their social media accounts, often more than once. Lookout reports that they haven't gone away, but have turned their focus to targets closer to home, which they are attacking with fake app updates.

Microsoft has again called on governments around the world to develop laws to regulate facial-recognition technology. Its President, Brad Smith, warns about the risk of bias, reduced privacy and damage to democratic freedoms.

Credit reference agency Experian has been spotted using real customer data in its training manuals. Needless to say, this is not a good idea, and it underlines the importance of sanitising internal documents if they're distributed externally.

Updates

Google: New version for Windows, Mac, Linux, Android addresses vulnerability that an attacker could exploit to take control of an affected system.

Microsoft: Multiple security updates across the range of Microsoft products, including Windows 10 and Office. The NCSC has guidance on securing the use of Office 365.

Adobe: 87 fixes for vulnerabilities in Reader and Acrobat.

Firefox: Firefox 64 includes features such as recommending extensions based on browsing behaviour. It also includes a new Task Manager.

WordPress: Users warn of stability issues with the 5.0 upgrade, which marks a radical change to the platform. A security patch has already been issued for it.

SecureDrop: Version 0.11.0 includes security updates and user interface improvements.

Tails: Version 3.11 addresses 18 security issues.

SAP: December updates include two rated 'Hot News', which are regarded as critical risks.
