FFT news digest Apr 26 2019

Googled

US legislators have called on Google to reveal details of its internal database that records users’ geo-location details. The House Energy and Commerce Committee wants to know exactly what information has been collected, and who has had access to it. The demand follows a New York Times report that US law enforcement agencies had been regularly accessing location details for hundreds of thousands of users at a time. Among its other findings, the report showed that Google has been tracking the location of every Android device for more than 10 years. The Location History feature is turned off by default but is activated if location-tracking is enabled in the apps which use it. Companies have a voracious appetite for knowing where we are and what we're doing. Now Google may have to tell us who else has had access to that information.

Unhealthy collaboration

Many security failures stem not from malicious activity but from employees simply trying to work smarter by using collaboration tools to share sensitive information. The scale of this is revealed by a survey showing that a third of those questioned admitted sending customer information and sensitive company data over such platforms. Almost all of them were confident the tools were secure (even when they weren't), and nearly a quarter admitted they weren't aware of their organisation's security policies. Collaboration tools can be immensely useful, but it's essential they are secured effectively, and that anyone using them understands how to do so safely.

The spoils of cyber crime

As we reported last week, cyber crime is rampant and the FBI's latest figures show just how profitable it is. In its annual report, the FBI's Internet Crime Complaint Center (IC3) said it received on average more than 900 complaints a day, resulting in losses of some $2.7 billion. Business Email Compromise alone accounted for almost half of that. Meanwhile, in the UK, the specialist insurer Hiscox says its latest survey shows the number of organisations which reported a cyber attack rose from 40% to 55% this year (in Belgium, the figure was 71%). Despite this, Hiscox found that almost three quarters of organisations were ranked as "novices" in terms of cyber readiness. Hiscox said a lot of businesses "incorrectly felt that they weren't at risk" and added that small firms were being increasingly targeted.

Challenges for Facebook

Regulators and courts are beginning to circle Facebook, in what looks like the beginning of the end for its Wild West days. Announcing its first quarter earnings for this year, Mark Zuckerberg reiterated Facebook's commitment to a "privacy-focused vision for the future of social networking." That's a statement with a heavy dose of irony given that, in the same announcement, the company revealed it was setting aside $3 billion for a fine from the US Federal Trade Commission (FTC) over its "user data practices". This did little to perturb the markets, which saw Facebook shares rise 7% on a 26% increase in annual sales (to $15.1 billion). But they may be missing the point. There's evidence that the tide of public opinion has turned against Facebook and fundamental elements of its business model. Regulators in the UK, Ireland, Canada and Germany have all announced investigations. It's also worth recalling that the imminent FTC fine results from Facebook's failure to honour a 2011 agreement to improve its privacy practices. The FTC is reported to be mulling over a new, tougher approach.

Weaponising vulnerabilities

Software programmers keep on making mistakes, and attackers are getting better at taking advantage of them. The security outfit RiskSense has been analysing Adobe's products for 20 years and says 2018 had the largest number of "weaponised vulnerabilities" it had ever seen (a 139% increase over the previous year). The most abused product is the Acrobat Reader family, which contained no fewer than 1,338 vulnerabilities. The problem for administrators and users is that in many cases attackers are exploiting vulnerabilities before anyone knows they exist. RiskSense underlines the importance of more effective disclosure processes to minimise the opportunity for attackers to make mischief.

Joining forces

The UK's cyber intelligence agency, GCHQ, has promised to work more closely with the technology industry to lessen the burden on individual users. GCHQ Director Jeremy Fleming was speaking after the release of the UK Cyber Security Survey, which revealed the parlous state of awareness among British computer users. Among its findings: only 15% of more than 2,500 people questioned said they knew "a great deal about how to protect themselves from harmful activity." The survey was carried out for the National Cyber Security Centre (NCSC), which is the public-facing part of GCHQ. The NCSC also released a separate analysis illustrating yet again how often people use insecure passwords such as 123456. The NCSC urges people to start using a password manager and never to use easy-to-guess words or phrases. The NCSC has also designed a free toolkit for small businesses aimed at testing their security capabilities and resilience to attack.

In brief

A judge in the US has ruled that police can force a user's fingers into a smartphone to unlock it. The warrant, reported by The Register, also makes clear that a user cannot be made to give up a passcode.

Amnesty International says its Hong Kong office has been the target of a prolonged cyber attack with links to the Chinese government. Amnesty said the attack came to light only when it migrated its systems to a more secure environment.

The French government launched a secure messaging app designed to replace WhatsApp and Telegram, only to find it had already been hacked. Despite being designed to only allow accounts with government email addresses, a researcher discovered it was trivially simple to bypass the authentication requirement.

Apple is to prioritise keyboard repairs following years of complaints from users. Mac Rumors obtained a memo suggesting Apple Stores would be equipped to carry out 'next-day' repairs.

Nearly 300,000 Danish passports were issued with incorrect information about the holders' fingerprints. Local media said the passports got their left and right hands mixed up...

Updates

Chrome: Google's new browser version for Windows, Mac, Linux, Android and iOS includes security updates and a number of new features, including improved private browsing. The browser should update automatically if you close it and reopen it.

Microsoft: is proposing to stop forcing users to change their passwords regularly, saying "periodic password expiration is an ancient and obsolete mitigation of very low value." In other words, not only does it not increase security, it may actually undermine it by encouraging the use of simple passwords with a number at the end.

Apple: has fixed a Terms and Conditions bug in its app store which sent iOS users into an infinite loop when trying to install a new app or update an existing one. The fix is in Apple's infrastructure, so you shouldn't need to do anything.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217