FFT news digest Jun 14 2019

Hong Kong 

Protesters in Hong Kong have been using the encrypted messaging app, Telegram, to organise their actions, so it's probably not a coincidence that the app has been disrupted this week. Telegram said it had experienced a "powerful DDoS attack" (which involves flooding a target with so many requests that it's overwhelmed). Telegram's founder said the source of the requests was mostly in China. A similar attack was seen 4 years ago when China was cracking down on human rights lawyers. Meanwhile, activists in Hong Kong are reported to have been forced by police to unlock their phones and reveal their Telegram contacts. This has led to calls for a "self-destruct" function that could be used to delete encrypted messaging apps if sensitive information was about to be revealed. Of the commonly used apps, Signal provides the easiest way to delete it - though it does involve opening the Options screen.

Even faker video

Further evidence that we're speeding towards a point where video can't be trusted. Researchers have demonstrated an uncannily convincing tool for literally putting words in people's mouths. The project, entitled "Text-based Editing of Talking-head Video," shows how analysing speech patterns and facial movement allows phrases to be added, changed or deleted. The project also improves on current editing tools used to mask effects like jump cuts. This isn't the first time videos have been altered to make people say something they never said. A famous example from last year put words into the mouth of former President Barack Obama. But the latest research from Stanford and Princeton makes the process much simpler - and it doesn't require an impersonator as the Obama example did. It's possible to see signs the new videos have been altered, but you have to look closely. In tests conducted by the researchers, around 60% of those questioned said the edited video clip looked real.

Terms and conditions

The lamentable quality of privacy policies is revealed by a New York Times investigation which found most of them were too complicated for many people to understand. The vast majority of the policies exceeded the college reading level, according to the report. The Times points a finger at Airbnb for having a "particularly inscrutable" policy, saying it's "full of long, jargon-laden sentences that obscure Airbnb’s data practices and provides cover to use data in expansive ways." Organisations with such an approach need to be careful if they have users in the EU. The General Data Protection Regulation (the GDPR) is clear that privacy information needs to be "concise, transparent, intelligible, and easily accessible". The Times points to the BBC as having an unusually readable policy. Even so, we'd be the first to admit that life is too short to wade through terms and conditions. Terms of Service; Didn't Read provides a partial solution.

Not so bright

Embarrassment among Apple geniuses who spent a fortnight trying to fix a fault with the screen on a MacBook Pro, only to find the brightness had been turned down to zero. To be fair, the MacBook's owner says the issue may be specific to his machine, but it's worth being aware of it in case it happens to you. The problem began when photographer Greg Benz turned on his MacBook but, other than a slight fan noise and the caps lock light, there was no sign of life. After weeks of back and forth with Apple, including two new motherboards and a completely new laptop, he was still experiencing the same problem. Eventually, a 'genius' realised that the machine was actually powered on, and logging onto it 'blindly' brought the controls, including brightness, back to life. The Register estimates the saga cost Apple $10,000.

Trends

An annual study of internet trends highlights the accelerating use of cloud services, while attacks on large-scale data providers are also rising. Mary Meeker's report (the first of which appeared in 1995) is a highly-respected overview, consisting of 333 slides (that she managed to cover in a presentation lasting 30 minutes). It says the number of data centre operators experiencing downtime in the last year rose from 25% to 31% of respondents. And it gives an example of a financial services company which engaged a team to test its information security. The team obtained full administrative control not by using software tools, but through social engineering. The report also warns that the effectiveness of multi-factor authentication is limited by incomplete adoption. Underlining the threat, it also includes figures illustrating the failure to secure sensitive data, with 447 million records exposed last year, more than double the figure for 2017. It's essential that organisations fully embrace 2FA and educate staff about social engineering and securing their social media accounts.

Not so secure

The US Federal Bureau of Investigation has warned about the dangers of apparently secure websites that are anything but. The FBI's public service announcement highlights the downside of a successful campaign to drive uptake of the HTTPS protocol. Underpinning the protocol is a certificate which, if valid, denotes a website is genuine and traffic exchanged with it is encrypted. Unfortunately, such certificates can be obtained for free and criminals have taken advantage of them, so the padlock icon is no guarantee that a website is what it purports to be. The FBI repeats basic rules of the road: don't take for granted that the sender of an email is genuine; don't trust links, check webpage addresses; and don't treat HTTPS as a guarantee of anything. These are perfectly good recommendations, but we would also add, "If in doubt, leave alone," because experience suggests people are too busy to check every email and link that arrives.

In brief

Donald Trump provided the latest example of why important documents shouldn't be brandished in public. Appearing in front of the media outside the White House, he waved around a copy of what he called a "secret" agreement with Mexico. It didn't take long for some of the contents to appear on Twitter.

Microsoft has warned that a venerable method is being used to attack Office users in Europe. Victims only need to open a booby-trapped email for the attack to work. It takes advantage of a vulnerability in an old version of Office Equation Editor that was patched in 2017.

Spain's La Liga has been fined €250,000 for using its official app to try to find bars and restaurants showing football games without a licence. It combined audio and GPS to locate offending locations and says users consented. The Spanish data regulator disagreed.

Kaspersky describes how ingenious fraudsters are exploiting the convenience of Google's services to serve up malicious messages. It's a reminder to be cautious about alerts, even if they appear in an app you trust.

More than 200 social media accounts have been found recycling old news about terrorist attacks in an apparent attempt to influence opinion. Recorded Future said it wasn't clear who was responsible.

Data breaches are the gift that keeps on giving. This week Evite told users personal information had been stolen from an "inactive storage file." It said no data since 2013 was affected.

Updates

VLC: Media Player 3.0.7 has the highest number of security updates in one release of the program (due to an EU bug bounty programme). Despite or because of its widespread use, VLC is one of the least updated applications. This is a good opportunity to check you're up to date.

Microsoft: Monthly 'Patch Tuesday' (or patch deluge) includes fixes for Windows, Windows Server, Edge and Internet Explorer. It also addresses 2 important flaws in Word which could be exploited by a user opening a malicious document.

Adobe: Updates for Adobe ColdFusion, Adobe Flash Player and Adobe Campaign.

Apple: iOS 12.3.2 for iPhone 8 Plus includes bug fixes related to Portrait Mode.

Cisco: Updates include fix for vulnerability in Cisco IOS XE Software that could allow an unauthenticated, remote attack on an affected system.

Zimbra: Zimbra Collaboration 8.8.12 Patch 3 GA Release.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217