FFT news digest Dec 13 2019

Election

Regardless of political affiliations, the UK election campaign has been an extraordinarily worrying spectacle. Most alarming was the enthusiastic adoption of disinformation tactics by all sides, which made any foreign interference needless. Just to recap, among other things, the Conservative Party put out a misleading video, pretended that one of its Twitter accounts was an independent fact-checking service, and lied about an 'assault' on an adviser that never happened. Labour and the Liberal Democrats enjoyed their share of disinformation as well (the 'slow-media' platform, Tortoise, has an excellent analysis). Our concern is that traditional electoral systems are wholly unsuited to a world in which lies can be spread so quickly, so easily and without penalties. This week, Twitter's founder announced funding to develop an "open and decentralized standard for social media" with the goal of combating online violence, hate and disinformation. His view is things have to change. He's right.

Connected

Undeniably convenient, often useful, and demonstrably dangerous. So should you put a connected camera or microphone in your home? For one Mississippi family, the answer is doubtless 'never again'. According to media reports, parents installed a Ring camera in the bedroom of their three young daughters so they could keep an eye on them via the associated app. Within 4 days of setting it up, they said someone gained access to it, played music to their children, and talked to them. A video shows a man telling a bewildered 8-year-old, "I'm Santa Claus. Don't you want to be my best friend?" The parents admitted they hadn't set up 2-factor authentication for the device, but they're hardly alone in that. So should you buy one of these devices? Of course it's an individual choice, but it's worth knowing that, according to Motherboard, hackers have created dedicated software for breaking into Ring devices. So if you put one in your home, please use a strong password that you use nowhere else, and turn on 2-factor authentication.

The second factor

It's essential to protect online accounts with two-factor authentication, but reports this week underline the risks of using SMS messages as the second factor. Group-IB, a Singapore-based security firm, said it had evidence of several instances in which Telegram chats were accessed illegally on iOS and Android devices. The victims were all customers of various Russian mobile operators and it's believed their Telegram accounts were compromised when attackers obtained the one-time login codes sent to them as SMS messages. The risk of SMS interception has been well documented (SIM swapping, SS7 network attacks and insiders at the mobile operator have all been used) and, although Telegram offers an optional additional password ('Two-Step Verification') when a new device signs in, we believe a second factor generated by an authenticator app or a hardware key is a far more secure solution.

Sheremetyevo WiFi

When travelling, it's better to avoid public WiFi if possible, and one Twitter user just gave an excellent reason to stick to mobile data at Moscow's Sheremetyevo Airport. According to his screenshots, you can either sign up by providing a mobile phone number (as is common) or you can upload a photo of your passport along with a selfie. (Sheremetyevo confirmed to us that this is an option.) In more and more cases you will be asked for personal information in order to access public WiFi; indeed, in Russia the law demands this. Of course, in most cases you'll also be asked for a copy of your passport in order to buy a local SIM card, but we would prefer to conduct that business in person rather than by uploading the document to a captive portal. And in general it's essential to make sure you understand current legislation in the countries you're planning to visit.

Passwords

Passwords are a disastrously poor security solution, but there's some progress in helping people to stop reusing them. The latest version of Chrome (see Updates) will warn you if you log on to a website with a password that has appeared in a data breach. (Previously you had to install an extension to do this.) An increasing number of browsers and websites are linking up with the Pwned Passwords service at haveibeenpwned.com, which checks a password against the same kind of breach corpus without the site ever seeing the password itself. This is good news because the risk of reusing passwords has never been greater. Last week, Microsoft said it had scanned the accounts of its users and found 44 million instances of usernames and passwords that had been stolen and were available for sale. 'Credential stuffing' (where millions of leaked username/password combinations are tried against other sites) is rampant, and it only works because people reuse passwords. As we've said before, while passwords exist, the least worst solution is a password manager (which gives every site its own password) combined with 2-factor authentication. We have a guide here.

GDPR

Unlike its UK counterpart, the German data protection regulator has been active in announcing fines for breaches of the GDPR. In its latest decision, the BfDI said it would impose a €9.55 million penalty on a telecommunications provider for failing to protect customer information. 1&1 Telecom's systems allowed people to phone up and obtain extensive personal information simply by providing a customer's name and date of birth, it said. Interestingly, the BfDI announced the sizeable fine despite praising the company for being "understanding and highly cooperative." Although the fine was at the lower end of what was possible, the BfDI said the penalty reflected the fact that the breach "posed a risk for the entire customer base." The BfDI also said it had fined a small telecommunications company for failing to appoint a Data Protection Officer despite being told repeatedly to do so.

In brief

Beware of Office 365 add-ins, because a malicious one is being used to take over Microsoft accounts, according to PhishLabs. The tactic works by taking advantage of lax controls on these optional apps, which can ask the user to grant them complete access to the account. Because the access is granted through a consent prompt rather than a password, administrators should review which apps users have consented to and restrict who can approve them.

A devious scam delivers a login form that opens locally on the victim's machine, designed to steal credentials for a range of online services. As Bleeping Computer reports, the form is built this way to overcome any reluctance to click a web link: there is no link to inspect, only a file to open.

New Spotify phishing campaign warns users their subscription has been paused because a payment failed. Details from MailGuard.

Most organisations will have lost a laptop, though hopefully most won't be able to match the UK Ministry of Justice which managed to mislay 201 of them in 2018/19. On the plus side, apparently they were all encrypted.

Reminders about the built-in obsolescence of the devices we use. WhatsApp has warned that it will stop supporting older iPhones (4 and earlier) and early Android devices. And Samsung and the BBC have contrived to make iPlayer stop working on a range of TVs sold between 2013-15. 

Updates

Microsoft: Monthly updates fix 36 vulnerabilities, 7 rated critical. Microsoft has also reminded Windows 7 users that the product will no longer be supported after Jan 14 2020 (unless extended support has been purchased).

iOS: iOS 13.3 and iPadOS 13.3 fix numerous bugs including problems with Mail/Gmail, incorrect Mobile Data status and slow wireless charging. Also brings support for hardware security keys.

macOS: Catalina 10.15.2 fixes a range of issues and adds some new features in News, Photos, Music and Mail.

Chrome: Chrome 79 has important security and bug fixes, but also adds a series of security features including a built-in Password Checkup tool which will warn users if they're using a password that has appeared in a data breach. Unfortunately, the latest version is also reported to have compatibility issues with some software which leads it to crash.

SAP: Five new Security Notes and 2 updates to previous ones. Most important is for browser control delivered with SAP Business Client.

Adobe: 25 issues addressed across range of products, including 17 critical issues in Acrobat Reader, Photoshop and Brackets.

Blink: Updates for Amazon's Blink XT2 home security cameras to fix multiple flaws that could let nearby hackers hijack the devices.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217