FFT news digest Nov 22 2019

Social media politics

The role of social media in the UK general election campaign stole more headlines after the Conservative Party rebranded a campaign Twitter account as "factcheckUK". It did this during the first televised debate between Boris Johnson and Jeremy Corbyn and provoked Twitter to warn it not "to mislead people." Despite this, senior Conservatives rejected accusations that the party had done anything wrong (going as far as to say people outside London didn't care about it). The calculation behind this type of behaviour (already seen in the creation of a fake video at the beginning of the campaign) is that there's no sanction against it. But the tide may be turning. Google announced it's limiting micro-targeting of political ads and will clarify its policies in order to ban fake content. This is in contrast to Facebook's refusal to police political advertising. That position is beginning to look tricky to sustain.

Account hijacking

The experience of Leave.EU chairman, Arron Banks, provides a helpful illustration of the ease with which social media accounts can be hijacked. A Leave.EU spokesman told the Guardian police believed it involved a "simswap", in which an attacker is able to take control of a mobile phone number by convincing the network operator that a replacement SIM is required. Once in control of the number, the attacker will be able to receive verification codes if they're sent as text messages. In Banks' case, it's most likely the attacker obtained enough personal information to carry out the simswap. All that was then required was to click on the "Forgotten Password" link and wait for the code to turn up. This is why sending verification codes by text message is considered far less secure than using an authenticator app. Twitter does support this but it has to be set up on its smartphone app (under Settings & Privacy | Account | Security | Two-factor authentication).

Apple's new approach

It has been a tricky few months for Apple. In September, an exploit broker said it was turning down offers of iOS vulnerabilities because there were so many of them. The revolutionary 'butterfly' keyboard has been dumped. And a catalogue of problems with iOS 13 is still being addressed a month after it was released. Bloomberg now reports that Apple is going to change the way it develops and tests its software in a bid to get a grip on the problems. The new approach will allow testers to turn off features that are unfinished or problematic so that the underlying operating system can be fully tested. This doesn't sound like a very revolutionary idea, and one might have hoped Apple would have learnt lessons from its famously flawed iOS 8 experience. Alas, the new approach is being applied to the next major iOS version, which won't be released until next year.

Disney+

As you may have heard, Disney has entered the streaming market with its Disney+ product. Within hours of the launch, hackers began hijacking some of the more than 10 million accounts that had been opened. Unhappy customers took to Twitter to complain they'd lost access to their shiny new toy. At least some of the attacks are likely to have succeeded because people were re-using passwords, according to security company GroupSense. But it says the issue may have been compounded by flawed procedures at Disney, including a lack of two-factor authentication. Disney+'s forgotten password procedure also reveals whether an email address is linked to an account. That's an approach that enables attackers to create a list of validated email addresses which can then be tested against passwords stolen in previous breaches. The result: thousands of stolen accounts for sale on the Dark Web.
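The forgotten-password weakness described above, as an added example that is not part of the original digest and not Disney's code: a reset handler that reveals whether an address is registered, beside one that answers identically for every address. The user store, addresses and mail queue are constructed for the demonstration.

```python
# Added example: a password-reset endpoint that leaks whether an email
# address is registered, beside a version that answers uniformly.
import secrets

# Constructed user store and mail queue for the demonstration.
REGISTERED = {"alice@example.com", "bob@example.com"}
OUTBOX = []


def reset_leaky(email: str) -> dict:
    """Vulnerable: status and wording differ for known and unknown addresses,
    so the form doubles as an address validator for anyone submitting a list."""
    if email in REGISTERED:
        return {"status": 200, "message": "Reset link sent to your inbox."}
    return {"status": 404, "message": "No account found for that address."}


def reset_uniform(email: str) -> dict:
    """Hardened: the same response for every address. The only difference is
    whether a mail is queued, which the caller cannot observe. Queuing rather
    than sending inline also stops response time from leaking the answer."""
    if email in REGISTERED:
        OUTBOX.append((email, secrets.token_urlsafe(32)))
    return {"status": 200,
            "message": "If an account exists for that address, a reset link has been sent."}


def response_classes(handler, candidates) -> int:
    """Count the distinct responses a handler gives across candidate addresses.
    1 means the endpoint tells a caller nothing about which addresses exist;
    anything higher means it can be used to build a validated address list."""
    return len({(r["status"], r["message"])
                for r in (handler(c) for c in candidates)})


CANDIDATES = ["alice@example.com", "nobody@example.com", "bob@example.com"]

if __name__ == "__main__":
    print("leaky  :", response_classes(reset_leaky, CANDIDATES), "response classes")
    print("uniform:", response_classes(reset_uniform, CANDIDATES), "response classes")
```

Run the same check against your own reset and login forms: any difference in status code, wording or timing between a registered and an unregistered address is an enumeration oracle.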

Ring

Amazon's Ring home security equipment has been condemned by a US Senator for "egregiously lax privacy policies and civil rights protections." Massachusetts Senator Ed Markey has been pursuing Ring for answers to questions about how footage is shared with law enforcement agencies and how the rights of owners are protected. He's not impressed with the answers, accusing Ring of using "targeted language to encourage users to grant the police access to doorbell video footage" and of proactively courting law enforcement partners. "Connected doorbells are well on their way to becoming a mainstay of American households, and the lack of privacy and civil rights protections for innocent residents is nothing short of chilling," Markey said in a statement.

Stalkerware

Security companies and advocacy groups have created a 'Coalition Against Stalkerware' in an effort to combat malicious surveillance software. The tools are installed on phones without the owner's knowledge or consent and enable their location to be tracked, messages read and phone calls monitored. The Electronic Frontier Foundation, which formed the coalition with nine other organisations, says it aims to help victims and establish best practices for ethical software development. "The apps have made it all too easy for domestic abusers and violent ex-partners to intimidate, threaten, and invade safe spaces of their targets, who are at risk of physical abuse," EFF Cybersecurity Director Eva Galperin said.

In brief

The Los Angeles District Attorney has warned travelers against using public charging stations for their devices because of possible security risks. There's a tendency to overstate this threat, but we do try to avoid using these stations (not least because of the risk of theft).

A new email campaign is using subject lines like "Install Latest Microsoft Windows Update now!" and "Critical Microsoft Windows Update!" to try to fool victims. Trustwave says the email is designed to infect devices with ransomware.

Barclays Bank is launching a security solution that scans users' veins to authenticate them. "Vein patterns are extremely difficult to spoof or replicate and the scanned finger must be attached to a living human being to be read," it says (more or less reassuringly).

A new phishing campaign warns that a password is about to expire and will be changed unless the user logs on to confirm otherwise. As Bleeping Computer explains, criminals are increasingly using this type of tactic as we get better at spotting their scams.

Artificial intelligence can analyse heart tests and predict the chances of a person dying within a year, even when they look normal to doctors. But, as New Scientist reports, no-one has been able to work out how it does it.

Amazon is launching a WiFi-enabled "Smart Shelf" that will automatically order supplies when stocks run low. It's intended to simplify things for small businesses, while also appearing to offer a gift to pranksters everywhere.

Updates

Apple: Another week, another update, as Apple tries to fix the mess that is iOS 13 (see above). iOS 13.2.3 addresses issues with Search and Messages. No word yet on whether it deals with the battery problems reported by many users.

Windows 10: Microsoft has published a workaround for users running into problems when trying to install the latest cumulative update (KB4524570) which was released last week.

D-Link: The company has listed more routers that have critical security issues but won't be fixed because they're "end of life". As we've said before, routers aren't for life. Vexing though it may be to replace a device that works perfectly well, once security updates cease it's time to buy a new one.

WhatsApp: Do make sure you're using the latest version of Facebook's messaging app. It fixes a vulnerability in the way the app handles MP4 files.

Google: There are new security options for G Suite customers, including Advanced Protection for enterprise users and access control for apps accessing G Suite data.
