FFT news digest Oct 8 2021

Facebook

There's been wall-to-wall coverage of Facebook's latest travails, so we'll try to avoid rehashing what you already know. Obviously, the key question that emerges from the leaks, systems failure and congressional hearing is what to do about Facebook. For its part, the social media giant says increased regulation is the answer. If you agree, then you've stepped into Facebook's trap. Most companies would prefer there to be as little regulation as possible, but if regulation is introduced, then it's far less of a problem for a company the size of Facebook than it would be for smaller competitors. And of course, regulation is infinitely preferable to being broken up into constituent parts.

For many users of Facebook's platforms, Monday's protracted outage was an irritation - and for some businesses a hit to their revenues - but for parts of the world the impact was immense. In Brazil and Mexico, up to 98% of social media users are estimated to have Facebook accounts. And in India WhatsApp is used by over 459 million people. In some developing countries, Facebook's limited Free Basics service is the web. The extent to which that's true is illustrated in the Democratic Republic of Congo, where the Ministry of Communication reacted to the outage by taking to Twitter to assure the country that it hadn't cut off the internet. "We should not let one company run this much of the world," Motherboard argues.

So what's the answer? One possibility is offered by the BBC's R&D department, which has been working with Nottingham University and Sir Tim Berners-Lee on a solution that is designed to give individuals control over their own data. The idea is that the data is stored on a device owned and controlled by the individual. According to Berners-Lee (who created the World Wide Web), "reconfiguring the web so that its users own and manage their data can turn the world 'the right way round'." The project is based on three principles: legibility, agency and negotiation. Legibility means we must be able to see our data and understand what is done with the information. Agency means we control where it's stored and what's done with it. And negotiation is about ensuring the owner derives value from it. The Register has an explainer.

Threats

Google: 14,000 users were warned they had been targeted by a phishing campaign connected to the Russian government. Google says it blocked the messages and reminded users that it offers an Advanced Protection Program to anyone concerned they may be at high risk. One word of warning: don't click on buttons or links you're sent to do anything important, like securing your account. Google has also announced a new initiative to help protect high-risk users.

No time to download: Big movies are a gift to criminals and attackers - and few come bigger than the Bond franchise. Malicious files masquerading as copies of 'No Time To Die' have already been spotted. Obviously, piracy is morally wrong, but it's also security suicide. TechRadar (R)

Britney: iCloud is convenient, but if you can gain access to it, it makes a perfect surveillance tool. The New York Times says it's one of the ways Britney Spears' father surveilled her during his conservatorship. It's essential to protect iCloud to the maximum extent possible.

Bootkits: Security researchers have spotted a rise in the number of malicious tools that target UEFI, the software that enables a computer's firmware to work with the operating system installed on it. In the past, physical access has often been required to install the so-called 'bootkit', but phishing emails with booby-trapped files are also used. The Record

Android: Yet another form of malicious software is targeting Android devices. 'TangleBot' is spread by text messages containing a link. If clicked, powerful spyware is installed on the affected device. ZDNet

Togo: A threat group known for working in south-east Asia has been detected in Africa for the first time, according to Amnesty International. It says attackers targeted a Togolese activist with WhatsApp messages and emails in an effort to trick him into installing the Android spyware.

Suppliers: Federal prosecutors in Virginia are charging four individuals for a wide-ranging scheme to defraud businesses, first by accessing their email or networks and then by impersonating trusted third-party vendors in order to collect on unpaid bills. A cast-iron verification process is essential to defeat these attacks. SC Media

Ransomware

The Biden administration is seeking to mobilise international support for efforts to fight cybercrime, with a particular focus on ransomware. It says it will bring together 30 nations this month, including NATO allies and G7 partners to accelerate "cooperation in combatting cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically." Progress is urgently needed. Despite some arrests, ransomware gangs continue to plague organisations. And now one group has threatened to release a victim's data if news of negotiations is allowed to emerge, while another says it will auction off stolen data if it doesn't get paid.

China

The extent and capability of Chinese cyber espionage groups are revealed by new research from BlackBerry. It found that one group was linked to multiple disparate operations that used COVID-themed phishing lures to target victims in India. The sophistication of China's cyber warriors is also demonstrated by new details in how it controls internet access through its 'Great Firewall'. Researchers at the University of Maryland found a previously-hidden layer in the system that enables the government to intercept internet traffic, identify content, and block connections to websites and servers deemed unacceptable. Meanwhile, further cases have been identified in which LinkedIn is blocking the profiles of US journalists in China to comply with Chinese regulations.

Spyware

The NSO Group says it ended its contract with the UAE, after its Pegasus spyware was revealed to be part of a surveillance operation conducted on behalf of Dubai's ruler against his ex-wife. England's High Court ruled that Sheikh Mohammed bin Rashid al-Maktoum ordered the software to be used against six phones belonging to Princess Haya bint al-Hussein, her lawyers and security team. The software was part of an extensive operation which provides a case study in the tactics used in such situations. This week, the NSO Group said it supported international regulation of the spyware industry. In reality, it will be practically impossible to regulate such tools - and the governments who use them - until long after the fact.

Insider risk

A disgruntled IT technician erased data on the systems of a UK secondary school and changed passwords at an IT company in retaliation for being dismissed. It's a good reminder of the importance of having a robust process for ensuring systems access is revoked when an employee leaves, even if they do so on good terms. Dark Reading has examples of the impact insiders can have - and it points out that such incidents cost large organisations an average of $17.92 million per year. Revenge is often the main motive, but there have also been many cases in which employees have been recruited to spy on behalf of competitors and nation states.

In brief

Reverse warrants: The US government is secretly ordering Google to provide data on anyone typing in certain search terms. The tactic was revealed by a court document that was accidentally unsealed, as Forbes reports. In effect, such "keyword warrants" amount to a vast fishing expedition and are similar to "geofence warrants" that demand information on anyone within a specific geographical area.

YouTube rippers: The Recording Industry Association of America (RIAA) has won a significant victory against websites that convert YouTube videos to sound files. A federal court in Virginia ruled in favour of several major music companies which argue such websites are the most significant piracy threat on the internet. TorrentFreak

Breaches: A rash of data breaches this week, involving Amazon's Twitch video streaming platform, The Daily Telegraph, a company that routes text messages, and Apache Airflow. In all cases, misconfigurations are said to be responsible.

France ban: France has banned government ministries from using Microsoft 365, saying the cloud platform is not consistent with privacy requirements because data is transferred to systems in the US. BOB FM

Amazon fridge: Amazon is reported to be developing a smart fridge that "is designed to track your inventory and purchase habits, predict what you want, and have it delivered." Insider

Covidbot fail: Singapore has turned off an automated solution to provide advice about COVID-19 after some of its suggestions turned out to be unfortunate. Among them, a parent asked what to do about her son's positive COVID test. Practice safe sex and wear a condom, came the prompt response. The Register

Updates

Windows 11: Microsoft has begun rolling out the latest version of Windows - but only to devices with compatible hardware, in particular fundamental security mechanisms. The new version has not had a rapturous welcome. Critics have claimed the hardware requirements are designed to push people to upgrade their devices, and Windows 11 is missing some popular features of its predecessor. Predictably, the initial release also has a number of 'issues' and we would advise against rushing to install it. Ars Technica has a comprehensive review.

iOS: Apple has released an update for the highly problematic iOS 15, but it doesn't appear to have solved all the issues. There have been mixed reviews for version 15.0.1, with some reports suggesting ongoing problems with storage capacity reporting and Apple Watch unlocking. There's no need to install iOS 15 and we aren't touching it for the moment. If you have already installed it, then the new version is important because there's at least one security fix.

App store: A welcome return for the "Report a Problem" option in the App Store which Apple removed several years ago. The move is part of an effort to highlight issues and counter scams.

Google authentication: To mark Cybersecurity Awareness Month, Google says it will enable two-step verification by default for 150 million more accounts by the end of the year.

Yubico: The most secure second factor for authentication is a hardware key, and Yubico has just released a version with support for fingerprint recognition.

Firefox: Security updates to address vulnerabilities that could be exploited to take control of an affected system.

Apache: A series of updates for HTTP Server to address two vulnerabilities, one of which is being actively exploited.

Android: New version addresses more than 50 vulnerabilities, some of them severe.

Axis: Security updates to address security vulnerabilities in Axis' video recording device software.

Tails: Version 4.23 updates Tor Browser to 10.5.8.
