FFT news digest November 13 2020

Weaponising the internet

"Don't weaponise the internet," is the plea from the former head of the UK's National Cyber Security Centre, Ciaran Martin. We're inclined to think that ship sailed a while ago and is now well over the horizon, given the number of reports of offensive cyber weapons in operation (the BBC has an excellent round-up). Martin pointed out that the issue matters in multiple ways, not least because countries have shown themselves incapable of keeping control of the weapons they develop. "Cyber weapons are called viruses for a reason," he warned. And, as we said last week, disinformation is itself an insidiously powerful weapon that's undermining conventional social structures. An in-depth analysis of the issues has just been published by Ron Deibert, who leads the University of Toronto's Citizen Lab. As many have pointed out, 'Reset' (subtitled 'Reclaiming the Internet for Civil Society') is a must-read. Deibert has also been giving a series of lectures on CBC Canada. In the latest, he explains why we can't quit social media, even though the apps are "cesspools of hatred, racism, intimidation, and ignorance." On a more positive note, Tim Berners-Lee (the guy who invented the web) has taken a step forward with his solution to enable users to keep control of their data - as opposed to handing the information over to technology giants to make money out of it.

Threats

WhatsApp: Great Twitter thread from Jeremy Vine about his experience of a simple (and common) way to hijack accounts. N.B. the timing of the attack, set to take place when the target is busy. Well worth a read. Twitter

Emails: Attackers are making increasing use of email platforms (like the one used to send this newsletter). SendGrid is a particular target - and as yet it doesn't offer multi-factor authentication. If you're a customer, do make sure your password/passphrase is long, complex and unique. Kaspersky highlights this and other threats in its quarterly report.

HMRC: A sophisticated tax rebate scam is using text messages to target UK residents. Bleeping Computer

Teams: Ransomware operators are using fake ads for Microsoft Teams updates to infect systems. Bleeping Computer

Chocolate: A fake Facebook Group is using the promise of a free hamper of Cadbury chocolate to trick social media users into revealing personal and financial details. Infosecurity Magazine

Zoom: A sneaky attack uses a fake invite to try to steal Microsoft credentials. Most people would be suspicious but, given the number of meeting invites flying around, you can see how it might work. Heimdal

Android: Take care with emails and websites promoting what look like official Android apps. Criminals create fake copies of brands including Google Docs, WhatsApp and Flash in a bid to steal banking details. ZDNet

Minecraft: Fake apps are being used to fool users into taking out $120 per month subscriptions. ZDNet

S3 screwup: And a reminder that not all threats are external. Details of millions of hotel guests were exposed because some Amazon Web Services storage was configured incorrectly. Website Planet

Authentication

As you'll know if you've been on one of our courses, we're evangelical about how useless passwords are and, therefore, why a second factor is essential to authenticate who you are. Of course, it's not just us. The UK National Cyber Security Centre and pretty much every security professional have the same message. Where people differ is in their opinion about using text messages as the mechanism to communicate the second factor. Many people believe that because text messages are inherently insecure, it's a pretty lousy idea to use them for security. Microsoft has a long analysis this week which sets out the issues and should convince anyone that a) multi-factor authentication is essential and b) while text messages might be better than nothing, this weekend would be a good time to start using an authenticator app. Our own guide to passwords and '2FA' is here.

Political parties rapped

The UK data protection regulator has told Britain's political parties to improve the way they handle personal data. The ICO's report highlights the importance of digital advertising in modern political campaigns and it follows an analysis in 2018 that "found a disturbing disregard for voters’ personal privacy." Judging from the new report, not much has improved since then. Among its key findings: "Parties must be very clear with individuals about any unexpected or intrusive uses of personal data, such as combining information about them from several different sources for the purposes of profiling." One example: it says the governing Conservative party has been using personal data to identify an individual's likely country of origin, ethnic origin and religion based on their first and last name.

UK. Japan. Personal data. 

Last month the UK signed a trade deal with Japan amid much fanfare. Now privacy activists are warning that the agreement poses an "existential threat" to data protection rights in the UK. The deal replicates most of the current agreement between the EU and Japan, but adds new elements around sharing data, including a "free flow of data" between the UK and Japan. The Open Rights Group says this would be a radical change because currently UK companies can only transfer personal data when they can guarantee a similar level of protection to that in the UK. The issue could create further obstacles to the 'adequacy decision' which will be needed to allow personal data to be transferred from the EU to the UK once the Brexit transition period ends on December 31.

Encryption

Last weekend, an Austrian newspaper said the EU had prepared a resolution to enable governments to access messages protected by end-to-end encryption. As often with such reports, the reality is more complex. In fact, the report is based on a draft resolution by the EU Council of Ministers and is therefore about political direction rather than actual legislation (which is formulated by the European Commission). It's quite true that governments around the world are deeply frustrated by end-to-end encryption and its use by criminals and terrorists, but no-one has found a way to provide official access without undermining cybersecurity and privacy more generally. In other words, a conundrum which no-one has been able to solve.

In brief

Google photos: Google is to end free unlimited storage for photos and videos. Google Photos will introduce a limit of 15GB, although there are some exceptions. The Register

Zoom: The US Federal Trade Commission has settled a case over false claims by Zoom that its video calls were protected by end-to-end encryption. (They are now!) FTC

Slung: Dish Network is discontinuing Slingboxes and will turn off its servers in November 2022 when the devices will cease to function. CNET

MS crook: A former Microsoft software engineer has been given a nine-year prison sentence for stealing more than $10 million from the company. Volodymyr Kvashuk used testing privileges to steal digital gift cards which he then resold. ZDNet

Dorking: i.e. the process of finding information on the internet, as opposed to the town in south-east England. If you haven't come across 'Dorks', this is a great guide to super-powering your searches.

Navigating the future: You've probably come across What3Words (which assigns a three word label to every 3x3 metre square on earth). Mitsubishi has become the first car manufacturer to incorporate the solution in one of its vehicles. The Next Web

Overwatch: San Diego's smart streetlights include cameras and sensors. Privacy activists objected. The mayor ordered them to be turned off. Sorry, came the reply. We can only do that if we turn the streetlights off and plunge the city into darkness. Ars Technica

Free speech: Tripadvisor added a notice to a hotel listing, warning that a harsh review had landed its author in jail after the hotel filed criminal charges against him. New York Times ($)

Updates

If you ever wonder why updates are important, China's top hacking contest provides a vivid demonstration. The third edition of the Tianfu Cup ended this week after a wide selection of the most popular software was successfully attacked. The top team won almost $750,000 and successful exploits were confirmed against iOS 14, Windows 10, Chrome, Safari, Firefox and TP-Link and ASUS routers.

The other major announcement this week was the unveiling of Apple's new Macs and the latest version of macOS, known as Big Sur. These are radical changes, not least because Apple has begun using its own (ARM-based) processors which will offer better performance at the same or lower prices (a promise borne out by early tests). Apple's announcement marks the start of a complex two-year transition which will involve software developers translating apps to run on the new architecture. Meanwhile, macOS 11.0 Big Sur, which began rolling out yesterday, will work on devices dating back to 2013. It's designed to mesh closely with the mobile iOS environment and it does bring significant improvements (detailed by MacRumors among others). Although it's already available, major upgrades like this one are invariably problematic and we'll be waiting a while before making the jump. Those who did try to download the new version yesterday did not have a smooth ride and were forthright in their opinions. Seemingly, they also created a knock-on impact for other Apple users.

Final Cut Pro/Logic Pro: New versions of Apple's video and audio editing apps (10.5 and 10.6). Updates are designed to work with new era Mac devices. MainStage, Compressor, Motion, and Logic Remote also updated.

Microsoft: Monthly set of security updates addresses 112 issues, including a Windows 10 vulnerability that is being actively exploited.

Chrome: Version 86.0.4240.198 addresses two previously unknown 'zero-day' vulnerabilities that have been actively exploited in the wild. (This means there have been five such issues revealed in just three weeks.)

Firefox: Mozilla also released updates to address a critical issue. Latest version is 82.0.3.

Adobe: Updates for Adobe Connect and Adobe Reader Mobile.

SAP: 12 security notes, six rated 'Hot News'.

TP-Link: Update following research that demonstrated how a flash drive could be used to compromise routers with a USB port.

Aruba: A problem with 6300 and 6400 switches could render them useless unless their firmware is updated.
