FFT news digest Dec 6 2019

Social media politics

One week, multiple pointers to the growing pervasiveness of facial recognition. Chinese technology companies are shaping new facial recognition and surveillance standards at the UN, according to leaked documents obtained by the Financial Times. The paper says the standards cover facial recognition, video monitoring, city and vehicle surveillance. In China itself, as part of Beijing's security crackdown in Xinjiang, the New York Times says scientists are trying to find a way to use a DNA sample to create an image of a person’s face (something also happening in the US). Amazon is looking at using facial recognition software and its Ring smart home security devices to create an artificial-intelligence enabled “neighborhood watch list,” according to internal documents seen by The Intercept. What does this have to do with cybersecurity? We view it as another example of technology being introduced without any effective discussion about its impact on society and personal freedom.

Data protection racket

The UK data protection watchdog, the ICO, says it will contact every registered business in the country "reminding them of their legal responsibility to pay a data protection fee.” As law firm Mishcon de Reya has pointed out, this is a “remarkable” move, not least because it implies every company has to pay the fee, something the Data Protection Regulations 2018 make clear is not the case. Among the exemptions are the processing of personal data solely for the purposes of keeping accounts, or records of purchases, sales or other transactions, and where the processing isn’t automated. But the ICO’s own self-assessment checker will lead most companies to conclude they have to pay the fee. And many will simply stump up the relatively small sum of £40-£60 because it’s easier than taking the trouble to look more closely. It just so happens that the data protection fee is the ICO's main source of funding. We'll report any clarification the ICO provides.

Laser phishing

Highly targeted malicious emails are so effective - and dangerous - that Microsoft has begun referring to them internally as "laser phishing". It says "because these attacks are so focused, even tech-savvy executives and senior managers have been duped into handing over money and sensitive files." In what is more commonly known as "spear phishing", criminals craft emails using information gleaned from social media platforms (particularly LinkedIn). The number of phishing emails has doubled in the 12 months since September 2018, according to Microsoft. Combating them requires a combination of training, technology and processes. Microsoft gives the example of a busy recruiter who is taken in by an email with an attached, booby-trapped resume. That attack would be defeated by, for example, only accepting plain-text emails. Microsoft's advice - based on analysing 470 billion emails a month - is here.

Smart TV warning

We’ve written before about smart TVs and the ease with which they can be compromised. Now the FBI has warned that they can be used as a "gateway for hackers to come into your home”. In fact, the most likely scenario is that a compromised TV is added to a network (or “botnet”) of such devices, which is then used for a range of malicious activities. But it’s true that a smart TV could be exploited to access a home or corporate network, or to act as a surveillance device. We would advise particular care with any devices that are in sensitive locations such as a meeting room. Among the precautions to consider are turning off or disabling any cameras and microphones. Also check whether the manufacturer provides updates for its products. But do be aware that groups of researchers openly post their successes in compromising models, often within days of their launch. Ideally, as the FBI advises separately, smart TVs and other IoT devices should be on a network of their own.

Battle lines

The EU has confirmed that it has begun a new investigation into Google’s collection of data, despite the massive fines imposed on the web giant in recent years. Reuters said a document it had seen suggested the focus is on local search services, online advertising, online ad targeting services, login services, web browsers and others. The news came as the EU said it would re-launch a bid to create tighter regulation of internet phone and message services such as WhatsApp, Skype and Facebook Messenger. And the Electronic Frontier Foundation chose Cyber Monday to publish an extensive study into the hidden techniques and methods used to collect and track our personal information and activities. “Behind the One-Way Mirror” provides an excellent insight into how companies know so much about us - and why Facebook doesn't need to listen to what we're saying!

Crime pays

Criminals are enjoying a bumper year, with losses from cryptocurrency-related crime reaching $4.4 billion in the first 9 months of this year, according to security company CipherTrace. Most of the losses were due to two enormous frauds, including an alleged ‘Ponzi’ scheme in South Korea, in which early investors were paid from the deposits of later victims. These figures are just one illustration of the gigantic scale of cyber crime. This week, Europol announced that a worldwide operation had succeeded in taking down a Remote Access Trojan known as Imminent Monitor. The tool was designed to allow users to take complete control of target computers. Europol said it was used in 124 countries and had more than 14,500 paid-up users. And Kaspersky warned of a new type of ransomware which is designed to attack back-up data by targeting network attached storage.

In brief

Match Group (owner of most major online dating services) screens for sexual predators on Match, but not on Tinder, OkCupid, or Plenty of Fish. “There are definitely registered sex offenders on our free products,” a spokesman said in response to a Buzzfeed, Columbia Journalism and ProPublica investigation.

Avast Online Security and Avast-owned AVG Online Security extensions for Firefox have been withdrawn after they were found to be tracking users' web browsing. The Chrome versions are still working, but may not be for long.

Not only do MacBook Pro laptops have a keyboard so useless that Apple has been forced to withdraw it, some 13-inch models have started shutting down at random. Apple has provided a 'fix' (which basically involves leaving the MacBook to charge for at least 8 hours so that its internal sensors sort themselves out).

Another fine reason not to leave valuable electronics in a vehicle, even if they’re hidden. Wired reports on a wave of thefts believed to involve the use of Bluetooth scanners to choose which cars to target.

Sophos warns of yet another scam aimed at Netflix subscribers. This one isn’t sophisticated, but it’s a good reminder not to click on links to do anything important like change your password or confirm your credit card details. If you want to do that, type in the web address manually.

Transport for London is forcing Oyster users to reset their passwords after some 1,200 passengers had their accounts accessed maliciously in August. The breach is believed to have been caused by people reusing passwords.

Microsoft is retiring its invoicing app in Office 365 next February. If you’ve been using it, now is the time to download your data.

Updates

AWS: Amazon Web Services has announced new tools to help users avoid making their S3 storage visible when it shouldn’t be.

MS Office: Security updates fix issues and add stability and performance improvements to Windows Installer (MSI) editions of Office 2016.

Firefox: Version 71 includes additional tools aimed at enhancing online privacy, including showing how many trackers it is blocking.

Android: The latest version addresses a range of vulnerabilities, including one in the Framework component that could enable a remote attacker using a specially crafted message to cause a permanent denial of service.

Microsoft: Remote Desktop Client for iOS 10.1 released after previous version withdrawn due to bugs.

SecureDrop: The new version allows administrators to disable document uploads and restrict installations to text-only exchanges between journalists and sources.

Tails: Version 4.1 fixes “many security vulnerabilities”.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217