FFT news digest Apr 12 2019

Porn crime

The risks of dodgy websites were well-illustrated this week by the case of Zain Qaiser, the 24-year-old Londoner jailed for 6 years on charges including blackmail, fraud, money-laundering and computer misuse. Qaiser placed adverts on pornography websites which, if clicked, locked the victim's browser and displayed a message that tried to scare the person into paying a "fine" of $300-$1,000. The court heard that the scheme netted Qaiser at least £700,000, much of which hasn't been recovered. Reporting of the case has talked about his computer skills but, in reality, he linked up with Russian criminals and used their kit rather than developing anything himself. The real lesson from the case is that it is trivially easy to become a cyber criminal, and that means adult websites and pirated media content constitute a clear and present danger to be avoided at all costs.

iPhone spyware

In general, the iPhone ecosystem is pretty secure - which is why companies like Zerodium are willing to pay millions of dollars for ways to break it. But even so, users do need to take care over the apps they install, as security firm Lookout revealed this week. Its research discovered a piece of spyware originally designed for Android devices which has been adapted for use against iPhones. The app pretends to provide support for cellphone customers but in reality it accesses contacts, audio recordings, photos and videos. To avoid Apple's app store controls, the spyware abused Apple's enterprise certificate system, which is designed to enable organisations to distribute apps internally. It's a reminder to only download iOS apps from the official store or when their provenance is certain (although that's useful advice generally).

Facebook

One of the easier predictions to make at the start of the year was that social media companies, and Facebook in particular, would come under increasing scrutiny. This week, the UK kicked off a process aimed at creating a regulatory framework that would hold social platforms accountable for the spread of "online harms". “The era of self-regulation for online companies is over,” said Jeremy Wright, Secretary of State for Digital, Culture, Media and Sport. In Brussels, an EU committee approved a proposal that would set tight deadlines for platforms to delete 'terrorist content' and levy enormous fines if they fail to comply. And in New Zealand the Privacy Commissioner described Facebook as "morally bankrupt pathological liars" in tweets that he has now deleted.

Credential stuffing

Attempts to exploit stolen email addresses and passwords are taking place on a gigantic scale, according to a report from internet infrastructure company Akamai. It documented nearly 30 billion instances in 2018, with an average of 115 million attempts per day. It says media organisations, gaming companies and the entertainment industry are among the biggest targets of credential stuffing attacks. This is where criminals take email addresses and passwords and try out combinations until they find one that gives them access to an online account. It's why reusing passwords is so dangerous - and why two-factor authentication is essential. The growth of such attacks is underpinned by simple tools that allow criminals to test the validity of stolen credentials and automate their use.
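The pattern the paragraph describes, one stolen credential pair tried per account across many accounts from one source, is what a defender can look for in authentication logs. The example below is added here and is not from Akamai's report or the digest; it runs over constructed log lines, flags source IPs whose attempts within a sliding window spread across many distinct accounts, and lists accounts that saw a successful login from a flagged source (candidates for a forced reset and two-factor enrolment). The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system):
# timestamp, source IP, username, outcome
SAMPLE_LOG = """\
2019-04-10T10:00:01 203.0.113.7 alice@example.com FAIL
2019-04-10T10:00:02 203.0.113.7 bob@example.com FAIL
2019-04-10T10:00:02 203.0.113.7 carol@example.com FAIL
2019-04-10T10:00:03 203.0.113.7 dave@example.com SUCCESS
2019-04-10T10:00:04 203.0.113.7 erin@example.com FAIL
2019-04-10T10:00:05 203.0.113.7 frank@example.com FAIL
2019-04-10T10:05:00 198.51.100.20 alice@example.com FAIL
2019-04-10T10:05:30 198.51.100.20 alice@example.com FAIL
2019-04-10T10:06:00 198.51.100.20 alice@example.com SUCCESS
"""

def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_attempts=5, min_distinct_users=4):
    """Return {ip: set(usernames)} for sources whose attempts in any window
    reach min_attempts spread over at least min_distinct_users accounts.
    Repeated guesses against a single account (198.51.100.20 above) do not
    match: stuffing is one pair per account, many accounts per source."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            by_ip[line.split()[1]].append(parse_line(line))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1          # slide the window forward
            span = events[start:end + 1]
            users = {e[2] for e in span}
            if len(span) >= min_attempts and len(users) >= min_distinct_users:
                flagged[ip] = users
                break
    return flagged

def compromised_accounts(log_text, **kwargs):
    """Accounts with a SUCCESS from a flagged source: the reused passwords the
    digest warns about, so reset them and require a second factor."""
    flagged = find_stuffing_sources(log_text, **kwargs)
    return {user for line in log_text.splitlines() if line.strip()
            for (_, ip, user, outcome) in [parse_line(line)]
            if ip in flagged and outcome == "SUCCESS"}
```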

Listening to Alexa

Amazon employs thousands of people around the world who listen to recordings from its Echo speakers in order to improve the performance of the Alexa digital assistant. A report by Bloomberg says the contractors and employees are based in the US, Costa Rica, India and Romania. They work 9-hour shifts and process up to 1,000 clips a day which Amazon said was "an extremely small sample of Alexa voice recordings." The BBC reports that Apple and Google have similar procedures to improve their digital assistants. None of this should be surprising because human intervention is essential to develop and refine the capabilities of artificial intelligence. In January, the Intercept reported that Amazon gave engineers almost complete access to video footage from its Ring security cameras. 

Production company fined

The UK data protection regulator has fined a production company £120,000 for unfairly and unlawfully filming patients at a maternity clinic. True Visions Productions' fixed rig documentary followed expectant mothers at Addenbrooke's Hospital in Cambridge for a Channel 4 commission about stillbirths. The Information Commissioner's Office found that although the company had permission from the hospital, it "did not provide patients with adequate information about the filming...or get adequate permission from those affected by the filming in advance." The ICO said limited notices had been placed near to the cameras and letters had been left on waiting room tables, but described the explanations as inadequate, "with one notice incorrectly stating that mums and visitors would not be filmed without permission."

In brief

Two-thirds of hotel websites are leaking guest booking details to advertising, search and analytics companies. Symantec says the information includes names, addresses, phone numbers and financial data.

A coordinated attack on websites powered by WordPress took advantage of a vulnerability in a common plugin. The issue in Yuzo Related Posts allowed attackers to inject malicious code into vulnerable sites.

Half the OECD's member states that held national elections in 2018 were targeted by cyber attackers. The Canadian Security Establishment said cyber threat activity had tripled since 2015. The OECD groups 36 of the world's richest nations.

That Chinese woman who was arrested at President Trump's "winter White House" in Florida. Turns out as well as multiple phones and a malware-laden USB, she had 5 SIM cards, 9 USB sticks and a signal scanner to detect hidden cameras. And a Secret Service agent did exactly what he shouldn't have done and put the dodgy USB stick in his laptop.

Combine an old iPad and a three-year-old intent on getting into it. The result: a device locked for 48 years after the toddler kept on entering the wrong passcode. Fortunately, there is a workaround.

Updates

Microsoft: A troublesome 'Patch Tuesday' as some older systems froze or failed to start after this month's update was installed. The affected systems were running Windows 7, 8.1, Server 2008 R2 or Server 2012 and had products from Avast and Sophos installed. Microsoft has pulled the offending updates. For others, the updates address 74 security issues, 33 of which could allow a device to be attacked remotely.

WinRAR: If you use this archiving utility, it's vital to check you're running the latest version which fixes a serious security issue. Microsoft has a detailed report on how the vulnerability was exploited in a sophisticated campaign in March.

Adobe: April update addresses vulnerabilities in Acrobat and Reader, Flash Player, Shockwave Player, Dreamweaver, XD, InDesign, Experience Manager Forms, and Bridge CC.

SAP: 9 Security Notes, including one rated 'Hot News' affecting Google Chromium delivered with SAP Business Client.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217