FFT news digest Jan 31 2020

Avast there

The reality of monetising personal data has been laid bare by antivirus outfit, Avast, which was caught selling the private web browsing activity of its users. Following an investigation by Motherboard and PCMag, Avast said it would shut down the subsidiary that made millions of dollars from the sale of the data. Clients, including Microsoft, Google and Pepsi (among many others), had been told the tracking could record “Every search. Every click. Every buy. On every site.” As Motherboard pointed out, although the data didn't include users' names, it was easy to reveal identities. Avast had more than 435 million users. It now has far fewer. It's a striking illustration of the abiding truth that free services on the internet are anything but free. Meanwhile, the Electronic Frontier Foundation has discovered that Ring's doorbell app is "packed with third-party trackers." The EFF says, "all this takes place without meaningful user notification or consent." 

Hacking a hack

A New York Times reporter was targeted with spyware at a time when Saudi Arabia was attacking Saudi dissidents around the world. Ben Hubbard said he'd received a text message saying, "Ben Hubbard and the story of the Saudi royal family," with a link for a website, arabnews365'dot'com. Rather than following the link, he gave the details to researchers at Citizen Lab who have studied the use of spyware, including the notorious Pegasus tool which is made by the Israeli-based NSO group. "We know for certain that the domain in the text was part of that command and control infrastructure connected to NSO Group,” Citizen Lab said. NSO insists its technology is licensed to law enforcement and intelligence agencies "for the sole purpose of preventing and investigating terror and crime." Research from Citizen Lab, Amnesty International, and others suggests this is not always the case. In 2019, the UN concluded existing legal frameworks are not sufficient to control the use of such technology.

The Bezos affair

Hubbard's experience is not linked to the tale of Jeff Bezos' iPhone, which last week was widely reported to have been hacked by Saudi Arabia. As we said then, there were doubts over exactly what happened and who might have been involved. Saudi Arabia has repeatedly denied claims that the phone was compromised by a video in a WhatsApp message sent to Bezos by the kingdom's de facto ruler, Crown Prince Mohamed bin Salman. Investigators said the video was delivered by an encrypted downloader and, within hours, "a massive and unauthorised exfiltration of data...began." They did not explain why Saudi Arabia would have run the risk of using the Crown Prince's account to attack the phone. But, more importantly, there are other flaws in the investigation as detailed in this blog post by security researcher, Robert Graham. What really happened remains a mystery, but Graham's post underlines the problems with mainstream reporting of cybersecurity stories (which continues to point an untroubled finger of blame at Riyadh).

UNdone

The UN failed to update SharePoint servers, was hacked and then tried to cover up what happened. The attack on the UN's offices in Geneva and Vienna was revealed by The New Humanitarian which obtained a confidential report into the incident. “The attack resulted in a compromise of core infrastructure components,” the UN told the publication. “As the exact nature and scope of the incident could not be determined, [the offices] decided not to publicly disclose the breach." Staff were asked to change their passwords, but were not told of the breach or that some of their personal data might have been compromised. As has been repeatedly demonstrated, data breaches will always become public; trying to cover them up will always fail and is far more damaging than the embarrassment of disclosing them. As is often also true, the cause of this breach was a failure to apply an update for a well-known vulnerability.

Mac malware

The top threat for Mac users is a piece of malicious software that can be defeated by ignoring any pop-up messages urging you to update Adobe Flash. Kaspersky says one in ten of its Mac security solutions has encountered the malware at least once, and it accounts for almost 30% of detections on Macs. Known as 'Shlayer', it's most often installed as a result of visiting dodgy sites in order to stream pirated sports events or download illegal copies of movies and TV series. But links to it also appear on legitimate sites such as YouTube (in video descriptions) and Wikipedia (in references). The malware is designed to generate revenue from fake advertising rather than anything more sinister, but the way it works is potentially dangerous because it monitors and can modify web traffic. Ideally, we advise avoiding Flash altogether but some respected sites do continue to use it. If you need to download or update it, never click on a pop-up to install or update it. Always go to adobe.com directly.

Unliked

Facebook has begun the year by posting record profits and saying its goal for the next decade "isn't to be liked, but to be understood." In a call with analysts to discuss the company's $7.3 billion profit for the final quarter of 2019, Mark Zuckerberg said, "One critique of our approach for much of the last decade was that because we wanted to be liked, we didn't always communicate our views as clearly because we were worried about offending people." Some might say they understand Facebook perfectly well and that's why they don't like it, but given an 8% rise in monthly users (to 2.5 billion) that's unlikely to cause it much concern. Among other initiatives, Facebook is extending the rollout of a tool that lets users view and delete data it collects from third parties in order to target us with adverts. But while Off-Facebook Activity can stop Facebook using web activity to target adverts, it won't stop it receiving the data. Understood?

In brief

The UK's data protection regulator has reminded organisations that the country's departure from the EU won't actually change anything yet. But the ICO adds that "it is not yet known what the data protection landscape will look like at the end of the transition period" on 31 December 2020.

To coincide with the deadline to file UK tax returns, there's an upsurge in scam emails promising refunds. They're littered with stylistic and grammatical mistakes so they're easy to spot.

The number of incidents caused by people inside organisations has tripled since 2016, according to research by the Ponemon Institute. Negligence was the leading factor.

Researchers say they're seeing the emergence of a new social media menace which they're calling Trolling as a Service. The idea behind it is to facilitate coordinated campaigns on Facebook and Twitter. Threatpost

Russia has banned encrypted email service, Protonmail, saying it refused to provide details about accounts allegedly connected to fake bomb threats. Reuters

Tinder is introducing a panic button and harnessing Artificial Intelligence to try to prevent catfishing. Photo verification will be used to check people's identities. The service will initially be available in the US.

Updates

Apple: Important security and usability updates for iPhones and iPads, and for macOS Catalina and High Sierra. Also updates for tvOS.

Cisco: Yet more security updates, this time for Webex, Small Business Switch and IOS XR Software. All rated High.

Magento: Updates for the e-commerce platform include three rated critical.

Zoom: Updates to address an issue that could have allowed attackers to join a meeting by guessing its ID.

Windows 7: Microsoft to provide a fix for a bug in its final security update which replaced desktop wallpapers with black. In the meantime, there's a workaround. We still advise you to upgrade to Windows 10. For free.

OpenSMTPD: Update addresses critical vulnerability that could allow commands to be executed remotely with elevated privileges.
