FFT news digest Oct 25 2019

Basics

Britain's National Cyber Security Centre (NCSC) has appealed to individuals and organisations to focus on basic issues so that experts can concentrate on more sophisticated threats. Introducing the NCSC's third annual report, its CEO, Ciaran Martin, said, "attackers are still doing the same things over and over again, and too often, they’re getting through. All of us can use sensible, practical measures, such as better passwords, two-factor authentication and backups, and more organisations can scan for vulnerabilities and fix them, and have strategies to counter phishing attacks." As an example of the sort of idiocy that causes data breaches, it was claimed in court papers that Equifax (which lost details of more than 147 million people) was guilty of multiple security lapses, including using admin as both username and password for some of its systems.

InAction Fraud

Setting yourself up as a cyber criminal is worryingly simple, and new figures support the idea that the system for fighting online crime in the UK is fundamentally broken. UK residents who believe they are victims of online crime are encouraged to contact the Action Fraud helpline. In August, an undercover investigation by The Times found call handlers had been trained to mislead callers into thinking their "cases would be investigated when most are never looked at again". Now, official figures suggest only 2% of such cases are being referred to the police. The Crime Survey for England and Wales also estimates there has been a fall in the number of computer misuse incidents in the year to June. It would be nice to think this is true. Experience suggests otherwise.

Prison break

A final item on corporate incompetence. US Senator Ron Wyden has proposed a new bill which for the first time raises the prospect of jail sentences for executives who violate user privacy policies. “Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences,” Wyden said. “A slap on the wrist won't do the job...so under my bill he’d face jail time for lying to the government.” Under the bill, the Federal Trade Commission (FTC) would create a national "Do Not Track" system that lets consumers stop companies from tracking them on the web, selling or sharing their data, or targeting advertisements based on their personal information. The lack of personal consequences for executives whose businesses have been breached is a key contributor to the continuing number of incidents. But it's questionable whether Wyden's proposals will draw sufficient support to become law.

Smart speakers

It's trivially easy to turn Google Home and Amazon Alexa smart speakers into listening devices, according to Security Research Labs (SRLabs). The method takes advantage of the mechanisms that let third-party developers extend the speakers' capabilities (called 'Actions' on Home and 'Skills' on Alexa). The researchers found it was possible for an Action or Skill to play an error message saying it wasn't available in a particular country while in fact it continued to run, keeping the microphone open and eavesdropping on its owner. They also discovered that this eavesdropping window could be extended by inserting long pauses into the speaker's output, so the device appeared to have gone quiet. Both vendors were notified and have said they are reviewing how such extensions are vetted. We have deep reservations about the security risks of smart speakers. It turns out that's a feeling shared by the head of Google hardware, Rick Osterloh, who told the BBC that homeowners should let visitors know if they have smart speakers. That, he said, is what he does.
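The two symptoms described above, an "unavailable" message that nevertheless leaves the session open and a response padded with silence, are things a skill reviewer can check for mechanically. The following is an added example written for this digest, not SRLabs' code or either vendor's review tooling. It audits responses in the Alexa skill response format (an `outputSpeech` block, an optional `reprompt`, and a `shouldEndSession` flag) and treats an absent `shouldEndSession` as ending the session; the unavailability phrases, the five-second silence threshold and the two sample responses are constructed for the example, and the suspicious sample chains SSML `<break>` tags simply to stretch the pause.

```python
import json
import re
from html import unescape

# Heuristic phrases an "error / not available" message typically carries (constructed).
UNAVAILABLE_PATTERNS = [
    r"not available in your (country|region)",
    r"isn't available",
    r"is not available",
    r"(an )?error (has )?occurred",
]
MAX_SILENCE_SECONDS = 5.0  # threshold chosen for this example, not a platform limit

# Matches <break time="10s"/> and <break time="500ms"/> in SSML.
BREAK_RE = re.compile(r'<break\s+time="(\d+(?:\.\d+)?)(ms|s)"\s*/>', re.I)
TAG_RE = re.compile(r"<[^>]+>")


def silence_seconds(ssml):
    """Sum the explicit pauses declared with <break time=.../> in an SSML string."""
    total = 0.0
    for value, unit in BREAK_RE.findall(ssml):
        total += float(value) / (1000.0 if unit.lower() == "ms" else 1.0)
    return total


def spoken_text(output_speech):
    """Return the words the device would actually say, with SSML markup stripped."""
    if output_speech.get("type") == "SSML":
        return unescape(TAG_RE.sub(" ", output_speech.get("ssml", ""))).strip()
    return output_speech.get("text", "")


def total_silence(resp):
    """Explicit silence across the main speech and the reprompt, in seconds."""
    total = 0.0
    reprompt = resp.get("reprompt") or {}
    for block in (resp.get("outputSpeech"), reprompt.get("outputSpeech")):
        if block and block.get("type") == "SSML":
            total += silence_seconds(block.get("ssml", ""))
    return total


def audit_response(response_json):
    """Return a list of findings for one skill response (empty list means nothing flagged)."""
    doc = json.loads(response_json) if isinstance(response_json, str) else response_json
    resp = doc.get("response", {})
    text = spoken_text(resp.get("outputSpeech", {}))
    # Assumption for this example: a missing shouldEndSession is treated as ending the session.
    ends_session = resp.get("shouldEndSession", True)
    findings = []

    claims_unavailable = any(re.search(p, text, re.I) for p in UNAVAILABLE_PATTERNS)
    if claims_unavailable and not ends_session:
        findings.append(
            "claims the skill is unavailable but keeps the session open "
            "(shouldEndSession=false), so the microphone stays live"
        )

    silence = total_silence(resp)
    if silence > MAX_SILENCE_SECONDS:
        findings.append(
            f"{silence:.0f}s of explicit silence in speech/reprompt exceeds "
            f"{MAX_SILENCE_SECONDS:.0f}s threshold"
        )
    return findings


# Constructed sample responses (not captured from any real skill).
BENIGN = {
    "version": "1.0",
    "response": {
        "outputSpeech": {"type": "PlainText",
                         "text": "Sorry, this skill is not available in your country."},
        "shouldEndSession": True,
    },
}

SUSPICIOUS = {
    "version": "1.0",
    "response": {
        "outputSpeech": {
            "type": "SSML",
            "ssml": "<speak>Sorry, this skill is not available in your country."
                    "<break time=\"10s\"/><break time=\"10s\"/><break time=\"10s\"/></speak>",
        },
        "reprompt": {"outputSpeech": {"type": "SSML",
                                      "ssml": "<speak><break time=\"10s\"/></speak>"}},
        "shouldEndSession": False,
    },
}

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, audit_response(sample) or ["no findings"])
```

The check is deliberately narrow: it only looks at what the response declares, so a skill that reaches silence some other way will not trip the second rule, and a genuine "not available" message that simply forgets to end the session will trip the first. Both are exactly the cases a human reviewer should then look at.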

Most effective phish

The most effective phishing lures are those which make users feel they've already been hacked. Security outfit KnowBe4 sent thousands of simulated phishing emails with varied subject lines to see which were the most opened. Top of the list was an urgent message to check a password immediately. Social media was also a tempting lure, with LinkedIn messages proving the most alluring. Mind you, also in its top ten most clicked subject lines was "New food trucks coming to [Company Name]!" Also this week, a reminder that phishy messages can arrive by text or social media. As Sophos reports, messages claiming to come from your mobile phone provider are highly likely to sneak through your defences. The iron rule is never to follow a link to do anything important, such as confirming your credentials. If you're concerned, type the provider's address into a new browser tab yourself.

Creeping and peeking

Let's be honest. Who hasn't glanced at someone else's screen or a document sitting on a printer? According to HP, the answer is not many of us. Its report, snappily entitled "Creepers and Peekers", found 73% of respondents in the US would look at their co-workers' computer or phone screens if they had the chance. And not only would 75% of them examine a document left on a printer, but 44% of them would take a picture or make a copy of it. This is a theme that we cover in our training courses, because being aware of these issues is essential to effective security. It's simply human nature to "shoulder-surf" or listen in on a conversation in a public place. As the NCSC advises, simple measures such as a privacy screen for your laptop display can defeat the creepers and peekers.

In brief

The potential vulnerability of commercial VPNs was exposed after several providers admitted their systems had been breached. NordVPN and TorGuard blamed a third-party data centre and insisted their systems were safe.

“Gilmore Girls” star Alexis Bledel is the most dangerous celebrity to search for online, according to McAfee. She's followed by James Corden and Sophie Turner. McAfee has been compiling this list for 13 years, based on the celebrity searches most likely to expose users to malicious content.

UK charities are underestimating the risks of fraud, according to the Charity Commission. It found they often failed to recognise how vulnerable they are and were not putting basic checks and balances in place.

A tale of tech support woe, as reported by the BBC. It began with an online ad for a 12-year protection plan for £556. Several months after signing up, the victim was told his computer had been hacked. On his computer, he could see a video of someone buying guns and ammunition. He was told the only answer was to pay £4,000 for "advanced security". He did.

Latest news from the frontline of biometric authentication. Google's Pixel 4 phone will ship with a face unlock feature that works even when the owner's eyes are closed, so pointing it at a sleeping owner's face unlocks it. Last week, Samsung admitted that the "revolutionary new biometric authentication" on its Galaxy S10 (an ultrasonic in-display fingerprint sensor) could be defeated by a £2.70 screen protector; a patch has been released.

Competing for security horror of the week: the UK hospital which somehow managed to turn a personal voicemail into the message on its answering service, and the Japanese hotel chain whose in-room robots could be turned into video surveillance devices.

Updates

Apple: new macOS Catalina Supplemental Update aimed at fixing a number of issues, including one affecting systems with low disk space. Meanwhile, there are reports from some users that upgrading to Catalina has caused serious problems, to the extent that their machines are unusable. If you are upgrading, do make sure you back up your device first.

Firefox / Chrome: New browser versions from Mozilla and Google place greater emphasis on security and privacy. Firefox 70 includes social tracking protection and Chrome 78 has a feature called Password Leak Detection.

SecureDrop: Version 1.1.0 supports using Tails 4.0 (see below) on all workstations.

Tails: Tails 4.0 is a major release of the secure operating system, now based on Debian 10. It brings new versions of most software and a warning that no further security updates will be released for the 3.x series.

Zimbra: Zimbra 8.8.15 “James Prescott Joule” Patch 3 release. Includes fixes for multiple modules.


Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217