FFT news digest May 29 2020

Tracing

Switzerland has become the first country to begin trialling a contact tracing app based on a joint technology solution developed by Google and Apple. Dubbed 'SwissCovid', the app is available for download by thousands of military and medical personnel. Work on the 'Decentralized Privacy-Preserving Proximity Tracing' (DP3T) app started as the coronavirus crisis emerged, the Swiss Federal Institute of Technology in Lausanne told ZDNet. Meanwhile in the UK, as manual contact tracking begins, there's no clarity over the timeline for launching its own tracing app. What is clear is that the government will keep the data it collects for 20 years. As one data protection veteran discovered, the launch of NHS Test and Trace shows every sign of having been done in even more of a rush than would be expected. Among the evidence: a contact email that is no longer active and a failure to complete a mandatory impact assessment. This is hardly going to inspire confidence in a public that already appears to be concerned about security. A survey found 48% of respondents did not trust the UK government to keep their information safe from hackers.

Crime

It's comically simple to set yourself up as a cyber criminal, with an over-supply of stolen credentials leading to plummeting prices for credit card details and simple ransomware kits. The only complexity (apart from hiding who and where you are) involves convincing sellers that you're a genuine criminal. "Trust has become such a critical issue that a search engine has been created to verify sellers on top dark web marketplaces," a report from Trend Micro says. Details of credit cards that fetched $20 in 2015 are now worth as little as $1. But high balance accounts are worth much more, as are genuine passports; their prices begin around $2,500. Ransomware remains a key tool, with simple kits available from $5. Sophisticated tools cost much more; this week, Microsoft warned of a new strain that employs humans rather than automation to do the hard work. PonyFinal has been deployed against high-value targets in an effort to maximise the value of the ransom. Whether simple or complex, the common denominator in almost all successful attacks is a failure to take basic precautions, for example by using (and re-using) weak passwords.

GDPR

This week marked the second birthday of the General Data Protection Regulation, or GDPR. More accurately, it marks the anniversary of the date when enforcement of the regulation began, because organisations were given two years to comply with it. Philippa Donn from our data privacy partner, DPN, is clear that there have been benefits, but much remains to be done: “GDPR is not without its critics. There are concerns regulators lack the teeth and resources to tackle big companies. Here in the UK, the Information Commissioner's Office is hounded for not issuing enough fines. But I believe focusing on fines misses the point; fears of enforcement shouldn’t be what drives your approach to data protection. In our work, we find that organisations which have moved data protection up to the boardroom and are focusing on putting their customers’ privacy first are reaping the benefits. GDPR ushered in more privacy awareness, and people want to engage with those who treat them with respect.”

The weakest link

As anyone who has worked in IT will know, when it comes to breaking (or ignoring) information security rules the worst offenders are often the people at the top of the organisation. This might be ascribed to ignorance or arrogance, depending on how charitable you're feeling, but new research from MobileIron is clear about the risks surrounding senior managers. Its 'Trouble at the Top' study found that 76% of C-level executives in the survey had asked to be exempted from one or more of their organisation's security protocols last year. Other findings: 68% claimed IT security compromised their security, 62% said policies restricted the usability of their devices, and 42% regarded IT security as a low priority. Those figures are despite 84% saying they had been targeted by at least one cyberattack in the past year (over half of them phishing attempts to steal credentials). When we carry out vulnerability assessments, we start at the top. This new survey shows why.

Censored

YouTube has been deleting comments critical of the Chinese Communist Party, in what it says is an error that it has now corrected. The issue was spotted by Twitter users and investigated by The Verge, which found the deletions had been happening for at least six months. The changes affected the Chinese characters for "communist bandit" and "50-cent party", both long-standing phrases used to insult China's ruling party. YouTube told The Verge that it had fixed the issue behind the deletions, but it was still investigating the deeper causes of the "error". YouTube (like its parent company, Google) is currently banned in China, so, as a prominent Twitter user commented, the "error" led YouTube "to censor American comments on American videos hosted in America by an American platform." Google, which owns YouTube, has a complex relationship with China. As The Verge points out, "there have been similar examples of mysterious errors with a pro-CCP bias appearing in Google’s automated systems before."

Social mapping

The power of metadata is vividly illustrated in a new book by one of the journalists who covered the revelations of US whistleblower Edward Snowden. As we explain in our training courses for journalists, the key prize for intelligence agencies is spotting patterns in communications rather than their actual content. In Dark Mirror: Edward Snowden and the American Surveillance State, Barton Gellman recounts how the US National Security Agency developed a tool to exploit metadata to model "the relationships and groups that defined each person’s interaction with the world". That data amounts to the outline of an individual's business and personal life; in Gellman's words, "a live, ever-updating social graph of the US". There are more than passing similarities to the systems created by social media companies that track what we do, where we go and who we communicate with. A brave new world indeed.

In brief

A computer science student has found a security issue in internet-connected doorbell and security cameras, including models from Ring and Nest. The problem means that shared accounts could retain access to the video feed even after it had been revoked. Florida Institute of Technology

EasyJet has begun telling victims of its recent security breach that entire travel itineraries were accessed. A law firm says it has launched a lawsuit against the airline demanding £2,000 compensation for each of the 9 million customers affected. Its proposed fee: £5.4 billion. The Register

The older brother of deceased Colombian drug magnate, Pablo Escobar, has launched a $2.6 billion lawsuit against Apple. Roberto Escobar claims a FaceTime bug was exploited to reveal his home address. The Register

Information of over 26 million LiveJournal users is being shared for free on underground hacker forums. The data is believed to originate from a breach in 2014. It includes email addresses, usernames, profile URLs and plain text passwords. Help Net Security

US immigration authorities have used cellphone surveillance tools at least 466 times between 2017 and 2019, according to documents obtained by the American Civil Liberties Union. The cell site simulators or 'stingrays' led to dozens of arrests and detentions. TechCrunch

There are bugs and then there are BUGS. This one meant that, after some missed approaches, Bombardier's CRJ-200 aircraft would turn right instead of left – and vice versa. The Register

There's no fool like a conspiracy enthusiast, so no surprise that a USB stick is being sold with a promise to protect the user against 5G radio waves. Cost: £339.60. Value: £5 (but only for its 128MB of storage). BBC

Updates

Windows 10: Version 2004 (aka May 2020 Update) has begun rolling out slowly and includes new features and security fixes. Microsoft has warned there are at least 10 potential issues, including problems when connecting to more than one Bluetooth device and difficulties with some video drivers.

macOS: Catalina 10.15.5 addresses 44 security flaws, affecting components including Accounts, AirDrop, Audio, Bluetooth, Calendar, Kernel, USB Audio, and Wi-Fi. Also has a new battery health feature designed to help batteries hold more charge for longer.

iOS: Germany's federal cybersecurity agency has urged users to install the latest security updates released to patch two vulnerabilities in the default email app which it says are being actively exploited. Meanwhile, Apple appears to have resolved an issue in its Family Sharing system that stopped some apps from launching.

Safari: Version 13.1.1 for Mojave and High Sierra, and included in Catalina, addresses a security vulnerability that could allow a malicious application to be launched.

Android: A reminder to install any available Android updates because of a critical security flaw that could be exploited to steal data from almost any app.

Zoom: As you've probably seen, Zoom is requiring users to update to version 5.0 by May 30. Earlier versions won't work after that.

Exim: The US National Security Agency has urged users to make sure they have installed an update released last June. In a highly unusual warning, it says Russian government attackers are exploiting a vulnerability addressed by the update.
