FFT news digest Dec 21 2018

Facebook

By any measure, this has been a horrible year for Facebook, and that's reflected in its share price which has fallen 35% since the end of July. The latest broadside came in a detailed New York Times report which revealed how Facebook shared its users' intimate information with a range of other companies without explicitly asking their permission. “Facebook allowed Microsoft’s Bing search engine to see the names of virtually all Facebook users’ friends without consent...and gave Netflix and Spotify the ability to read Facebook users’ private messages,” the paper reported. We don't believe anyone should be surprised by this. Facebook founder, Mark Zuckerberg, has never made a secret of his ambition for the social platform to personalise everyone's experience on the web. In a blog post, Facebook has sought to provide reassurance about what it did and why it did it. But its ambitions now look woefully out of step with the questions being asked about what using Facebook actually entails.

China accused. Again.

The US and UK governments have accused China of being responsible for an aggressive campaign to steal trade secrets and access sensitive official information. The US Justice Department said China's Ministry of State Security was behind attacks on dozens of technology companies and government departments. It said the campaign was conducted by the APT10 hacking group and involved targeted emails using malicious Word documents to attack companies across a wide range of sectors including space and satellite, aviation, communications and maritime. In the UK, Foreign Secretary, Jeremy Hunt, accused China of being behind "one of the most significant and widespread cyber intrusions against the UK and allies uncovered to date." Meanwhile, a security company discovered a hoard of diplomatic cables which it said China had stolen from the European Union. The company said the attackers accessed the material through a phishing campaign against diplomats in Cyprus.

Rubbish passwords

This year's list of rubbish passwords underlines the need for concerted action to address the ongoing use of "123456" and "password" to secure online accounts. Just like last year (and the year before), they top SplashData's list of lousy passwords drawn from 5 million that have been stolen over the past 12 months. SplashData makes a password manager so it's hardly a disinterested party, but (as we explain in a longer article) some form of tool is essential to avoid reusing passwords. The other part of the equation is for companies to alert users when they try to use a compromised password. The website Haveibeenpwned lets you check if your details have been stolen and it has joined up with 1Password and Firefox to provide exactly this functionality. Given that many users have well over 100 accounts that should each have a unique, hard-to-guess password, we believe it's up to websites to offer some help - and encouragement - to stop "123456" and "password" topping next year's list. Until they do, we have guidance on how to keep yourself safer.

Subverting the second factor

We are wholehearted supporters of two-factor authentication, but we are always careful to emphasise that it's not foolproof, and reports published this week explain why. Amnesty International identified several campaigns that targeted individuals across the Middle East and North Africa with the aim of stealing their credentials. It shows how fake web pages were used to harvest not only usernames and passwords, but also the second-factor code, whether sent as a text message or generated by an authenticator app. This is achieved by automating the phishing process so that the second factor is captured and exploited without any human intervention. This does not mean that two-factor authentication shouldn't be used, but like most things to do with cybersecurity it is important to understand how it can be circumvented. The most secure form of two-factor authentication is a hardware key, as used by Google's Advanced Protection solution.
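An added illustration of the point above (not part of the original digest, and not Amnesty's or Google's code): a relayed TOTP code verifies on the real site because the code carries no information about where it was typed, while an origin-bound assertion of the kind a FIDO hardware key produces fails when the browser on a look-alike page reports the wrong origin. The origins, TOTP seed and device key are constructed, and an HMAC stands in for the key's public-key signature.

```python
"""Constructed illustration: a relayed TOTP code is accepted, a relayed
origin-bound (FIDO-style) assertion is not. Origins and keys are hypothetical."""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://accounts.example.com"          # hypothetical relying party
PHISH_ORIGIN = "https://accounts.example-login.net"   # hypothetical look-alike page
SHARED_SECRET = b"12345678901234567890"   # constructed TOTP seed (RFC 6238 test value)
DEVICE_KEY = b"constructed-per-credential-key"  # stands in for the key's private key

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def relay_totp(unix_time: int) -> bool:
    """The victim types the code into the look-alike page; a relay forwards it
    unchanged within the time window. Nothing in the code names the site."""
    code_typed_on_phish = totp(SHARED_SECRET, unix_time)
    forwarded = code_typed_on_phish
    return hmac.compare_digest(forwarded, totp(SHARED_SECRET, unix_time))  # accepted

def sign_assertion(challenge: bytes, browser_origin: str) -> bytes:
    """Authenticator signs the challenge together with the origin the browser
    reports (as WebAuthn's clientDataJSON does). HMAC stands in for the signature;
    real FIDO additionally scopes the credential to the relying party's ID."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": browser_origin},
                             sort_keys=True)
    return hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).digest()

def verify_assertion(challenge: bytes, signature: bytes) -> bool:
    """Relying party recomputes over its own origin; any other origin fails."""
    return hmac.compare_digest(signature, sign_assertion(challenge, REAL_ORIGIN))

def relay_hardware_key(challenge: bytes) -> bool:
    """Same relay, but the browser on the look-alike page hands PHISH_ORIGIN to
    the key, so the forwarded assertion is bound to the wrong origin."""
    forwarded = sign_assertion(challenge, PHISH_ORIGIN)
    return verify_assertion(challenge, forwarded)  # rejected

if __name__ == "__main__":
    print("relayed TOTP accepted:", relay_totp(59))
    print("relayed hardware-key assertion accepted:", relay_hardware_key(b"\x01" * 32))
```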

Attacking non-profits

The US branch of Save the Children (SCF) fell victim to a $1 million email fraud last year. The Boston Globe reports that an attacker managed to access an employee's email account and use it to send fake invoices that appeared to relate to a health centre in Pakistan. SCF says insurance covered all but $112,000 of the loss and it has tightened its security. Meanwhile, the Wellcome Trust says it has taken a number of measures after the email accounts of four staff members were compromised. These include providing awareness and education for all employees and carrying out a gap analysis of current security measures and capabilities. Business Email Compromise is a significant threat to all organisations, but experience suggests that the diverse and dispersed nature of the non-profit sector puts it at particular risk.

Security at the top

Most organisations would probably say they take security seriously, but apparently not seriously enough to include any security executives in the top leadership team they present to the outside world. Journalist, Brian Krebs, reviewed the websites of the world's top 100 companies (by market value) and found only 5 listed a Chief Information Security Officer (CISO) or Chief Security Officer (CSO) among their top executives. As Krebs sets out, this matters because it's essential for the people in charge of security to be seen as having equal value to the parts of the organisation that generate revenue. As the ghastly security breach at Equifax demonstrates, it is far better to ensure lines of communication are clear before something goes wrong - rather than fixing it afterwards.

In brief

Tighter rules on electronic marketing have come into force in the UK with an amendment to the PECR (Privacy and Electronic Communications Regulations). The maximum penalty for violations is now £500,000. The UK data protection regulator has advice here.

The US has launched a Cyber Readiness Program which aims to provide practical help to small and medium-sized businesses. Like similar advice from the UK's National Cyber Security Centre (NCSC), the program is a great place to begin getting to grips with cybersecurity.

Last week Australia adopted legislation designed to allow government agencies to access messages secured with end-to-end encryption. This week, leading messaging provider, Signal, explained politely that it couldn't comply even if it wanted to.

A detailed report from Deloitte explains why cyber crime is so profitable and the cost of entry is so low. Among its findings: a cyber attack can be launched for as little as $34 a month.

The latest development in the weird world of extortion emails: the hitman scam. The message tells the recipient to pay $4,000 or experience an "instant and pain-free" execution.

Two other scams doing the rounds. One pretends to be a purchase confirmation from the Apple App Store. The other masquerades as a non-delivery notification from Office 365. Beware of these sorts of links. If in doubt, type in the relevant address yourself or phone your financial institution using the number on your bank card. UK ActionFraud has more advice here.

Updates

Internet Explorer: emergency security patch to address a vulnerability that is being actively exploited. Simply visiting a malicious website could infect a device.

Apple: releases 2 iOS updates in the same week, without explaining why. The first version of iOS 12.1.2 included bug fixes and sought to deal with patent infringement issues. It's not clear why the second version was issued.

Zimbra: releases Zimbra Collaboration 8.8.11.

WhatsApp: makes group calls easier, though they're still limited to 4 participants. Feature available for iOS. Android devices to follow.

macOS/iOS: UK NCSC publishes guidance on securing latest version of Apple's operating systems.

SecureDrop: guidance issued to address failure to update automatically (instances known to be impacted were set up before SecureDrop version 0.4, released July 25, 2017).

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217