FFT news digest May 24 2019

NATO talks tough

As voters went to the polls in EU elections, NATO warned cyber attackers they face retaliation in the real world, not just in cyberspace. NATO Secretary General, Jens Stoltenberg, told a conference in London that technologies such as artificial intelligence, machine learning and deep fakes were fundamentally changing the nature of warfare. "We can and we will use the full range of capabilities at our disposal" to respond to attacks in cyberspace, he said. Speaking alongside Mr Stoltenberg, UK Foreign Secretary, Jeremy Hunt, said Britain had shared details of malicious Russian activity with 16 of the 29 NATO members over the past 18 months. Meanwhile, Facebook revealed the staggering scale of fake accounts on its platform, saying it had removed 2.19 billion fake accounts in the first quarter of this year. That compares with 1.2 billion for the last quarter of 2018.

A year of GDPR

Tomorrow marks a year since enforcement began of new EU data protection legislation, the GDPR. The run-up to 25 May 2018 was notable for the number of data protection consultants warning of dire consequences, and enormous fines, for anyone who fell foul of the rules. We took the UK regulator, the ICO, at its word when it said it was "scaremongering" to suggest it would be make early examples by levying huge penalties. A year on, the ICO has yet to impose a fine under the GDPR. That's not to say it won't. Indeed, the beginning of enforcement led to a sharp rise in the number of reported personal data breaches and so we're likely to see the first fines shortly. But fear of fines shouldn't be the key factor for organisations. The essence of the GDPR is privacy by design and by default. Achieving that is an ongoing process that is simply good practice for any organisation.

Going underground

Transport for London (TfL) has announced that from July it will begin tracking all passengers who use WiFi on the Underground network. Unlike many other metro systems, there's no mobile phone coverage on the Tube (though it was scheduled to be introduced this year) so WiFi connectivity has proved popular with passengers. In 2016, a pilot scheme to track users collected more than half a billion pieces of information in just 4 weeks. TfL insists it has put in place mechanisms to ensure data can't be used to identify individuals and says these are more robust than those used for the pilot. From a cybersecurity perspective, the announcement is useful because it underlines how profligate WiFi is with information about our devices. Any WiFi-enabled device is designed to try to connect to a saved network. That means it's constantly broadcasting a signal which includes a unique identifier. And that means the only way to avoid being tracked by WiFi on the Tube is to turn it off - which, when not in use, is a good security measure anywhere.

Keeping it simple

Here's some good news. Simple security measures are really effective at keeping us safe. Research by Google says that two-factor authentication (2FA) is particularly good, even if it's done using a comparatively weak method like text messages. Authenticator apps, such as Google's own solution, are even better, stopping 99% of bulk attacks and 90% of targeted ones. Safest of all are hardware security keys. Google says not a single user of these fell victim to targeted phishing during its investigation. Google's research is valuable because it helps to counteract the sense of defeatism around online security. Just doing the basics really can radically reduce the chances of being attacked successfully. And that's important when, as Google describes, criminal groups charge as little as $750 to target a specific account. A guide to 2FA is here.

Taken hostage

Two weeks after being hit by a ransomware attack, critical systems in the US city of Baltimore remain shut down. Email, payment systems and property transactions have all been paralysed. The city's Mayor has said a full recovery could take months. So far, he has refused to pay a ransom of 13 Bitcoins (about $100,000 at today's values) to unlock the affected systems. It's not clear who is behind the attack, although the software behind the attack was identified as a relatively new form of ransomware dubbed "RobbinHood". Local governments have been an attractive target for attackers, at least in part because of complex systems and constrained budgets. Effective disaster recovery plans have allowed some to emerge relatively unscathed. In 2016, San Francisco's municipal transport system was attacked. It refused to pay a ransom and gave its passengers free travel for two days while it restored its systems from backups.

Mechanical Turk

Artificial Intelligence may be impressive but it still needs a human hand to hold. The New York Times has discovered that around 25% of Google's Duplex calls actually involve a human. When Google launched the service last year, there was a stunned reaction to its ability to use AI to mimic a human voice and make reservations at a restaurant and a hairdresser. In real world tests, the paper found that many calls either began with a human, or involved human intervention at some point. As with many other AI systems, Google said the goal was to improve the automated solution over time and slow reduce the need for human involvement. As a Stanford University academic told the Times, "Machines are very good with detail but terrible at context." In the latest example of this, researchers at Samsung have developed an algorithm that can create fake videos from a single image. Cue video of the Mona Lisa.

In brief

More concerns over official use of facial recognition technology. Georgetown University says New York police are cutting and pasting parts of faces onto suspect images to generate hits (in one case using Woody Harrelson).

Apple is addressing long-standing problems with the keyboards and displays on some its MacBook Pro laptops. The keyboard is being redesigned and problems with the display's backlight will be be fixed free of charge.

Kenya has extended an initiative to collect information about all Kenyans into a single database. Critics have accused the government of preparing to make the data available for sale.

Spotify has told an unspecified number of users that it reset their passwords. TechCrunch reported that it gave no details other than citing “detected suspicious activity.” Spotify doesn't support 2-factor authentication so it's important to use a unique, robust password for it.

Satisfyingly, a forum for trading stolen Instagram and Twitter accounts appears itself to have been hacked. Security journalist, Brian Krebs, reported that the forum had nearly 113,000 users.

Updates

Microsoft: Time to check you've updated your Windows devices to protect against a critical vulnerability in Microsoft's Remote Desktop Protocol. The issue is so serious updates were issued even for operating systems that are no longer supported.

Windows 10: May update released. Alongside it, Microsoft has produced a dashboard to track any issues which have been reported with the latest release.

Firefox: version 67 for Windows, macOS and Linux is designed to improve performance and adds protection against pages that try to exploit auto fill functionality.

Apple: Supplemental security update for 15-inch MacBook Pro laptops.

LibreOffice: 6.2.4 release contains more than 100 bug fixes.

WordPress Live Chat Support: update addresses issue that could allow attackers to inject their own code into websites running the plugin.

Tails: Fixes for security issues, including processor vulnerabilities.

TPLink: Important security update for anyone still using a WR940N router.

Full Frame Technology

What we do 
Who we are 
Need to know
Privacy Notice
Website terms

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217

© Copyright 2021 Full Frame Technology - All Rights Reserved