FFT news digest Jun 21 2019

Basics

Making sure basic controls are in place is fundamental to keeping organisations and individuals safe, but the evidence is that this still isn't happening. Among this week's examples is one courtesy of the UK's parliamentary digital service which left a server exposed to the Internet. We know this because, as The Register reports, it was sufficiently exposed that Google indexed its Windows operating system. And a study of 83 million internet-connected devices (such as routers, TVs etc.) revealed how poorly secured they are. In just one example, researchers found 30% of TP-Link's routers could be accessed over the Internet and used the default username/password combination (admin/admin). Much of the reporting around cybersecurity focusses on "zero-day vulnerabilities" which have never been seen before. It would be better to devote more time to the fundamentals because if they're not right, nothing else will be.

Regulator heal yourself

Data protection by design and by default is at the heart of the EU's regulatory framework, but the UK regulator, the ICO, has admitted it's not at the heart of its website. After years of complaints and questions, it told a Twitter user (who happens to be a data protection lawyer) that "its cookies policy...doesn't meet the required standard." It added that it's in the process of addressing the issue and updating its guidance. The key issue is that a website can't rely on "implied consent" for the use of cookies, which is exactly what the ICO's website says it does. If you use cookies on your website, you do need to consider what they're doing because, if they process personal data, the fundamental principles of data protection legislation require that data to be adequate, relevant and not excessive. We'll report back on the ICO's new guidance...and whether it is following it.

Caveat viator

Threats to information security are not all high-tech; one of the most serious issues is someone looking over your shoulder or listening to what you're saying. This is an issue we highlight in our training, not least because we witness so much sensitive information being exposed in public places. Research has shown that there is wide awareness of the problem, but most of us ignore it - as anyone who has sat in an airport lounge will know. As we say in our training courses, it's important to be aware of your surroundings when dealing with valuable or sensitive information. We also suggest investing in a privacy screen, which prevents anyone reading what's on your screen unless they're directly behind you. 3M has gathered research detailing the scale of the problem. That's hardly altruistic since 3M is a leading manufacturer of privacy screens, but it does underline why a little care can radically improve security.

Privacy

Apple CEO, Tim Cook, has used a commencement address at Stanford University to condemn the technology industry as a "chaos industry" which has failed to take responsibility for the chaos it has created. He warned graduating students that accepting as normal the aggregation and sale of everything personal meant losing "freedom to be human". Cook also cautioned that a world without privacy would lead inevitably to self-censorship. That warning was echoed at a parliamentary committee hearing in London as part of an inquiry into the Right to Privacy and the Digital Revolution. Evidence submitted to the committee was not encouraging. It describes a society that doesn't understand how personal data is used and therefore cannot give meaningful consent to its exploitation. The UK data protection regulator, the ICO, emphasised the risk of discrimination resulting from automated decision-making, saying "there is growing evidence that inherent biases are built into algorithms." 

Fake domains

There's been an upsurge in the use of fake websites by criminals taking advantage of the availability of new top level domains. Security firm Proofpoint says more than three-quarters of organisations had found fake copies of their brand. And 96% of them reported finding exact matches for their domain name but with a different domain extension, for example ".net" instead of ".com". Originally there were just 7 top level domains (TLDs). There are now about 1,500, making it impractical for organisations to control how their brand is being used. Proofpoint says, "More than 85% of top retail brands found domains selling knockoff versions of their products... the average retail brand had more than 200 such detections." These fake domains are used in emails to lure unwary visitors to fake websites, or to try to steal credentials. And unfortunately, as the FBI warned this week, looking out for HTTPS in a web address is no guarantee the site is what it says it is. One way to protect yourself is to avoid following links, especially to do anything important. Another is to use a password manager which will recognise when a site name isn't what's expected.
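The look-alike patterns described above (the same name with a different extension, the brand name embedded in a longer label, or the brand name used as a subdomain of an unrelated site) can be checked mechanically, and a password manager's refusal to fill credentials on a host that doesn't match the saved site rests on the same comparison. The following is an added example, not code from the digest or from Proofpoint; the brand domains, the observed hostnames and the tiny public-suffix table are constructed for illustration, and a real tool would use the full Public Suffix List rather than the two-entry table here.

```python
"""Brand look-alike classifier and strict site-match check (added example)."""

# Constructed sample: the domains the brand actually owns (assumption for the example).
LEGIT_DOMAINS = {"examplebrand.com", "examplebrand.co.uk"}

# Tiny stand-in for the Public Suffix List: suffixes that take two labels.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_parts(host: str) -> tuple[str, str]:
    """Split a hostname into (registrable label, public suffix).

    'login.examplebrand.co.uk' -> ('examplebrand', 'co.uk')
    'examplebrand.net'         -> ('examplebrand', 'net')
    """
    labels = host.lower().strip().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def classify(host: str, legit: set[str] = LEGIT_DOMAINS) -> str:
    """Classify an observed hostname relative to the brand's legitimate domains."""
    label, suffix = registrable_parts(host)
    registrable = f"{label}.{suffix}"
    brand_labels = {registrable_parts(d)[0] for d in legit}

    if registrable in legit:
        return "legitimate"           # real site or one of its subdomains
    if label in brand_labels:
        return "tld-swap"             # same name, different extension (.net for .com)
    if any(b in label for b in brand_labels):
        return "brand-embedded"       # e.g. examplebrand-outlet.shop
    if any(b in part for b in brand_labels for part in host.lower().split(".")):
        return "brand-in-subdomain"   # e.g. www.examplebrand.com.<other-site>
    return "unrelated"


def scan(observed: list[str], legit: set[str] = LEGIT_DOMAINS) -> dict[str, list[str]]:
    """Group a feed of observed hostnames by category for a brand-monitoring report."""
    report: dict[str, list[str]] = {}
    for host in observed:
        report.setdefault(classify(host, legit), []).append(host)
    return report


def should_autofill(saved_for: str, current_host: str) -> bool:
    """Password-manager style match: credentials saved for a site are offered only
    on the same registrable domain, so a look-alike with a swapped TLD gets nothing.
    Note that HTTPS on the current site plays no part in this decision."""
    return registrable_parts(saved_for) == registrable_parts(current_host)


# Constructed sample feed of hostnames seen in email links and new registrations.
OBSERVED = [
    "login.examplebrand.com",
    "examplebrand.co.uk",
    "examplebrand.net",
    "examplebrand.uk",
    "examplebrand-outlet.shop",
    "www.examplebrand.com.evil.example",
    "unrelatedshop.com",
]

if __name__ == "__main__":
    for category, hosts in scan(OBSERVED).items():
        print(f"{category:19} {', '.join(hosts)}")
    print("autofill on examplebrand.net:", should_autofill("examplebrand.com", "examplebrand.net"))
```

The match in `should_autofill` is deliberately exact on the registrable domain: `login.examplebrand.com` is accepted, `examplebrand.net` is not, which is why a password manager that stays silent on a page is itself a useful warning sign.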

Libra

Facebook is launching a currency. Should we care? The short answer is 'yes' because this is not just another Bitcoin, it's more like a US dollar for the digital age. Facebook says its aim is to empower the 1.7 billion adults in the world who remain outside the financial system, "even though 1 billion have a mobile phone and nearly half a billion have internet access." Facebook also says information generated by it "will not be used to improve ad targeting on the Facebook family of products." Facebook has amassed some high-profile partners (some of whom reportedly had to pay a joining fee of $10 million). But regulators are already studying the details of the project and the French Finance Minister said "it is out of the question that it becomes a sovereign currency." It's also worth pointing out that several very successful mechanisms already exist for people without bank accounts (for example M-Pesa in Kenya, which has transformed lives by allowing anyone with a mobile phone to send and receive money).

In brief

A new and widespread phishing campaign uses a fake alert from your email server that an encrypted message is waiting for you. It prompts you to login to a malicious OneDrive site to read the message.

Microsoft says a bug in the latest cumulative update for Windows 10 October 2018 Update (version 1809) may cause some devices to get stuck on a black screen. Restarting the machine should fix the problem.

Some Firefox users have had problems with passwords after installing version 67.0.2. The issue turns out to be caused by AVG and it doesn't mean any passwords have been lost.

Instagram is testing new ways for users to recover hacked accounts. Anyone unfortunate enough to have experienced this will know the existing approach was so long-winded that many users simply gave up and created a new account.

The UK government has delayed a widely-derided age-verification system for users of adult websites. The idea, which will be trivially easy to circumvent, fell victim to a failure to inform EU regulators about it.

A Pakistani regional government minister had some extra cat added to a press conference. CNN reports that a volunteer accidentally left on Facebook's cat filter. Let's hope this catches on.

Updates

Oracle: emergency update to address a vulnerability in the WebLogic Server component of Fusion Middleware. The issue could allow code to be executed remotely and is being actively exploited.

Cisco: updates for critical and high-severity vulnerabilities affecting SD-WAN, DNA Center, TelePresence, StarOS, RV router, Prime Service Catalog, and Meeting Server products.

Dell: Update for SupportAssist to address a vulnerability in the PC Doctor component.

Firefox: Emergency updates to address a zero-day vulnerability that is being actively exploited. Users simply need to restart the browser to make sure the update is installed. The issue means the Tor browser and Tails need to be updated as well (see below).

Tor browser: version 8.5.2 addresses the vulnerability in Firefox.

Tails: 3.14.1 is an emergency release to fix vulnerabilities, including the critical issue affecting Tor Browser.

TP-Link: Update for RE series Wi-Fi extenders, which are affected by a critical security issue that could allow them to be attacked remotely.

Apple: Not so much an update as a recall. Some 15-inch MacBook Pro machines have a battery that may overheat. You can check whether yours is affected on Apple's support page.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217