FFT news digest Jun 7 2019

Privacy wars

Apple has taken further steps towards putting user privacy at the centre of its brand. At its annual developer conference, a slew of announcements included a solution that will allow customers to sign up for apps while protecting their personal data. Sign In with Apple is similar to login tools offered by Google and Facebook but, unlike them, it will allow a user to hide their email address by using one from Apple as a relay. It will come with automatic 2-factor authentication and is designed to work in any browser, not just on Apple devices. And Apple will require developers to incorporate the tool and give it prominence over rivals. In general, we don't like solutions that use existing accounts to sign up for other services because of the proven risk if the underlying credentials are compromised. Sign In with Apple has received a cautious welcome and we'll watch how it develops with interest. Meanwhile, Facebook has argued that it couldn't have violated users' rights to privacy because the platform is "the opposite of private".

YouTube

YouTube is taking another stab at preventing hate-speech by banning more videos, including those promoting Nazi ideology. The new policy will ban “videos alleging that a group is superior in order to justify discrimination, segregation or exclusion,” YouTube said. The change is likely to affect many white supremacists whose videos have remained available despite existing restrictions. YouTube (which is owned by Google) said its policy also sought to reduce the spread of "borderline content and harmful misinformation such as videos promoting a phony miracle cure for a serious illness or claiming the Earth is flat." The challenge of doing so was underlined this week by YouTube's refusal to ban a user who has made repeated homophobic attacks on a journalist. And the New York Times reported on the pitfalls of automated recommendations by showing how it has created "a catalog of videos that experts say sexualizes children."

Social media

What do you share on social media? Moves by the US and Russia provide good reasons to think twice before posting - or even joining. In the US, it emerged that most visa applicants will have to disclose details of a wide range of social media accounts (amusingly including MySpace). The change will affect hundreds of thousands of applications, and it's not clear how officials will be able to use the information without the visa process grinding to a halt. Meanwhile, in Russia, the government has added Tinder to a list of companies required to hand over user data and private communications to law enforcement and intelligence agencies. Tinder said it had not handed over anyone's personal information yet, but refusing a request is likely to lead to it being banned in Russia. Closer to home, these stories are a reminder to recruiters that examining applicants' social media feeds is fraught with risk, even though research (and experience) suggests the practice is commonplace.

TrueCaller

Privacy International has a salutary reminder that anonymity is a rare commodity. It describes how an app you may never have heard of can betray your identity. The app in question is called TrueCaller and it's particularly popular in India and sub-Saharan Africa. The idea of TrueCaller is to allow users to identify the numbers calling them. To enable this, every time a user makes or receives a call, the app offers the option of tagging the number so it can be entered in the TrueCaller database. Privacy International gives the example of a journalist on assignment using a pay-as-you-go phone whose identity is revealed because one of her contacts adds her name and details to TrueCaller. It also points out that the app doesn't provide any alert when a number and details are added. Two lessons from this: we should assume information about us will end up online, and it's worth using open source intelligence tools to see what information is already available. You are likely to be surprised by what's out there.

Patchy

New research demonstrates the challenge faced by companies in installing updates - and the risk of failing to do so. The study from Tripwire found that 27% of IT professionals in Europe said their organisation had experienced a data breach because of an unpatched vulnerability. Part of the problem is that many organisations don't even know what needs to be patched. This week a highly critical report into a breach at Cathay Pacific identified an unpatched vulnerability as part of a generalised failure in governance. These risks are underlined by the current concern over the vulnerability in Microsoft's Remote Desktop Protocol known as BlueKeep. Unusually, the US National Security Agency weighed in on the subject with an advisory urging users to update vulnerable systems. For its part, Microsoft has warned the issue "could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017." Anyone in doubt about the risk should take a look at a proof of concept video showing how to attack an unpatched Windows Server.

Cybercrime

About half of all property crime now takes place online, and the official response to it is lacklustre. That's the conclusion of an academic study that takes a systematic look at the world of cybercrime and how it has evolved since the report was first published in 2012. Despite recent successes in taking down marketplaces on the Dark Web, cyber criminals are acting largely with impunity because, the study says, they think correctly that they won't get caught. The authors say the authorities are particularly bad at prosecuting criminals who operate infrastructure that other wrongdoers exploit. The paper points out that statistics show crime hasn't been falling over the past decade, merely moving online, and it calls for more to be spent on catching and punishing the perpetrators of cyber crime. "We will not get a real handle on cybercrime until we put an end to impunity", it concludes.

In brief

More phishing attacks targeting Outlook and Office 365. As Bleeping Computer reports, one involves a fake list of undelivered messages which is designed to trick you into giving up your credentials for the Outlook webmail service. Another pretends to be from the "Office 365 Team" warning you that your account will be cancelled unless you reply immediately.

Federal police in Australia have carried out 3 raids against the news media in response to reports based on leaked documents. The raids prompted a New York Times analysis to describe Australia as the "world's most secretive democracy".

A patent application by Amazon suggests it has been figuring out how to make Alexa more intelligent. As The Register reports, the application discusses processing more of what it hears, as well as using video to enhance its ability to identify who is speaking.

A US Senator has highlighted the issue of VPNs and the need to make sure that you trust your provider. Ron Wyden confirmed there's nothing to ensure federal employees use trusted solutions. That's a problem because a VPN operator can see a lot of what its users are doing. We advise against using free VPNs and have a guide to the subject. Just let us know if you'd like a copy.

Cybersecurity firm Sophos has ordered a halt to all sales of software and hardware to Huawei and its affiliates. An email seen by Computer Business Review said the move follows the US decision to impose restrictions on Huawei.

Microsoft is reported to have removed access to a database of some 10 million faces which has been used to train facial recognition systems around the world. The Financial Times said people in the database had not been asked for permission to use their faces.

Updates

Firefox: New version provides enhanced protection from tracking tools, and also adds a desktop version of Mozilla's password manager.

Chrome: New version for Android generates strong and unique passwords with its built-in password manager.

Android: Google has released the Android Security Patch for June 2019 for all supported Pixel devices, as well as devices from other manufacturers, addressing 22 security vulnerabilities and fixing various issues.

Tor: Tor Browser 8.5.1 released for Windows, Linux, Mac and Android.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217