FFT news digest Dec 27 2019

Every move we make

We mentioned the New York Times report on location tracking last week. We've now had a chance to read all of it. If you have time, we suggest you do too. The report is based on a file obtained by the paper which contains more than 50 billion location pings from the phones of over 12 million Americans. The information was harvested by one of the dozens of companies that collect location and other details provided by the apps we install on our phones. Using the data, journalists were able to track phones including one that almost certainly belonged to a member of the Secret Service team guarding President Trump. The Times has good advice on some basic steps to reduce the extent to which our movements are tracked, but it admits "real protections will come only if federal laws are passed to limit what companies can do with the data they collect." In the meantime, the paper says, "If you could see the full trove, you might never use your phone the same way again."

ToTok in the dock

The popular messaging app ToTok is in fact spyware built for the United Arab Emirates government, according to an investigation by the New York Times. ToTok is billed as a simple, secure way to communicate in a country that has blocked the Voice over IP calls offered by other messaging services. In reality, "It is used by the government of the UAE to try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones," the Times says. It's an ingenious approach to spying. Why pay for sophisticated spyware tools and undisclosed exploit chains when you can get people to install an app themselves - and grant it access to their microphone, camera, contacts, and call and location history? It's a loud reminder to be very careful about the apps you install - even from official stores - and about the permissions you grant them; the permissions an app has actually been granted, not just the ones it asks for, are what matter. Apple and Google have removed ToTok - but only after more than a million downloads.
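One way to check what an installed Android app can actually reach, as an added example that is not from the digest or from any vendor: parse the "runtime permissions" section of `adb shell dumpsys package <package>` and flag the grants that give an app the kind of access described above (microphone, camera, contacts, call log, location). The dumpsys excerpt, the package name com.example.messenger and the SENSITIVE list are constructed for the example; the section layout matches Android 10-era builds and may differ on other versions.

```python
"""Audit the runtime permissions an Android app has actually been granted.

Added example, not code from the original digest. It reads the
"runtime permissions:" block of `adb shell dumpsys package <package>`
(layout as printed by Android 10-era builds) and reports grants that
give an app microphone, camera, contacts, call-log or location access.
SAMPLE_DUMPSYS below is constructed; com.example.messenger is hypothetical.
"""
import re
import subprocess
from typing import Dict, List

# Runtime (user-granted) permissions that together give the reach described
# in the ToTok story. Constructed list; extend as needed.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while in background",
}

# One line of the "runtime permissions:" section looks like
#   android.permission.CAMERA: granted=true, flags=[ USER_SET ]
_PERM_LINE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_runtime_permissions(dumpsys_text: str) -> Dict[str, bool]:
    """Return {permission: granted} read from the 'runtime permissions:' block.

    The 'requested permissions:' and 'install permissions:' sections are
    deliberately ignored: they show what the app asked for or was given at
    install time, not what the user allowed at runtime.
    """
    grants: Dict[str, bool] = {}
    in_runtime = False
    for line in dumpsys_text.splitlines():
        if line.strip() == "runtime permissions:":
            in_runtime = True
            continue
        if in_runtime:
            m = _PERM_LINE.match(line)
            if not m:
                in_runtime = False  # first non-permission line ends the block
                continue
            grants[m.group(1)] = m.group(2) == "true"
    return grants


def granted_sensitive(grants: Dict[str, bool]) -> List[str]:
    """Human-readable names of sensitive permissions that are granted."""
    return sorted(SENSITIVE[p] for p, ok in grants.items() if ok and p in SENSITIVE)


def audit_device_package(package: str) -> List[str]:
    """Run the audit against a connected device (needs adb on PATH)."""
    out = subprocess.run(
        ["adb", "shell", "dumpsys", "package", package],
        capture_output=True, text=True, check=True,
    ).stdout
    return granted_sensitive(parse_runtime_permissions(out))


# Constructed sample of the relevant dumpsys output for a hypothetical app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.messenger] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.CAMERA
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.READ_CALL_LOG: granted=false, flags=[ USER_SENSITIVE_WHEN_GRANTED|USER_SENSITIVE_WHEN_DENIED]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
"""

if __name__ == "__main__":
    for item in granted_sensitive(parse_runtime_permissions(SAMPLE_DUMPSYS)):
        print("granted:", item)
```

Against the sample this reports camera, contacts, microphone and precise location as granted and correctly leaves out the call log, which was requested but denied. On a real device, call audit_device_package("com.example.messenger") with the package name of the app you want to check; anything it lists that the app has no obvious need for is a permission worth revoking in Settings.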

The splintering internet

Russia says it has carried out successful tests to cut off the country from the worldwide internet. "The exercises showed that, in general, both authorities and telecom operators are ready to effectively respond to emerging risks and threats, to ensure the stable functioning of both the Internet and the unified telecommunication network in the Russian Federation," the Ministry of Communications said. Russia has long been taking steps to exert greater control over what internet users in the country can access. "Sadly, the Russian direction of travel is just another step in the increasing breaking-up of the internet," Professor Alan Woodward, a computer scientist at the University of Surrey, told the BBC. "Increasingly, authoritarian countries which want to control what citizens see are looking at what Iran and China have already done," he added. It's hard to see behind Russia's official statement and understand what has actually been achieved, but its ongoing drive for a "sovereign" internet is clear.

2FA for 2FA

Facebook is finally going to stop using two-factor authentication phone numbers as yet another tool to drive friend suggestions. Facebook told Reuters that the decision was part of a wide-ranging overhaul of its privacy practices. There was widespread criticism when it emerged last year that Facebook was using details provided for increased security to target advertising. That practice was halted in the face of the protests, but it's taken until now to announce that information given for two-factor authentication will now be used for...two-factor authentication. The change starts in Ecuador, Ethiopia, Pakistan, Libya and Cambodia, with the rest of the world following shortly afterwards. But it's important to note that it will apply only to newly-added numbers. If you already provided a number to set up two-factor authentication, you'll have to remove it and add it back if you want to take advantage of the change. Better still, use an authenticator app for your second factor where you can; then there is no phone number for Facebook to repurpose. Less positively, Facebook has removed the option to sign up for its Messenger app without having a Facebook account.

GDPR

The UK data protection regulator, the ICO, has ended the year by imposing its first fine under the General Data Protection Regulation (GDPR). The hapless offender is an online pharmacy which contrived to leave some 500,000 documents in unlocked containers at the back of its premises in London. The number of people affected isn't known, but the documents included names, addresses, birthdates, medical information and prescriptions. Pretty obviously, that constitutes "special category" personal data, and the ICO had originally announced a fine of £400,000 for failing to secure it. The final penalty was £275,000; the reduction reflects the business's financial position, the ICO said. The full penalty notice is a recital of poor data protection practices, including inadequate policies and record-keeping and a "cavalier" attitude to highly sensitive information.

Facial recognition

A US government study has found evidence of inherent racial bias in facial recognition software. The National Institute of Standards and Technology (NIST) concludes that false positives are up to 100 times more likely for Asian and African American faces than for White faces. The highest rates of false positives were found for African American females, which NIST says is "particularly important because the consequences could include false accusations." There has been increasing concern about the spread of facial recognition technology and the extent to which it has proven inaccurate in real world tests. The Electronic Privacy Information Center is one of a number of organizations to have called for a moratorium on further deployment until use of the technology can be reviewed and regulated.

In brief

PR fail of the week from Spotify which sent USB sticks to journalists with a note saying, "Play me." As TechCrunch reports, USB drives are a time-honored way of infecting computers with malicious software. So much so, the US government recently updated its advice about them.

Fraudsters are hoping for a present from PayPal users, who are being bombarded with emails trying to fool them into handing over their account details. The phishing emails are disguised as 'unusual activity alerts,' according to Bleeping Computer. As ever, don't follow links in such messages; log in by typing the address yourself and check for alerts there.

Twitter is restricting animated PNG files after idiots hijacked the Epilepsy Foundation's account to send images designed to trigger seizures in epileptic and photo-sensitive individuals.

The criminal behind a $120 million scam that fooled Facebook and Google has been sentenced to 5 years in jail. We use the case of Evaldas Rimasauskas in our training; it's a great example of how any company can be vulnerable to Business Email Compromise.

If a Ring camera was among your presents this year, please do make sure it's secure: give it a password you use nowhere else and turn on two-factor authentication. Hackers are continuing to publish thousands of login details, apparently in the hope that someone will use them to make mischief.

Updates

Citrix: Advisory details mitigation steps (no patch is yet available) for a vulnerability, CVE-2019-19781, in Citrix Application Delivery Controller (ADC) and Citrix Gateway that could lead to arbitrary code execution.

Twitter: Update for Android app addresses serious security vulnerability that could have allowed an attacker to hijack an account and view private messages.

Avast/AVG: Online security extensions re-admitted to Mozilla's add-ons site after a reduction in the tracking data being sent to Avast/AVG servers.


Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217