FFT news digest Jun 24 2022

Surveillance

A rash of stories this week underlining the extent of surveillance and the way it's supported by commonly used tools.

China
For a glimpse into a dystopian future that's already arrived, take a look at The New York Times' investigation into surveillance in China. The Times analysed more than 100,000 government bidding documents and found that "China's ambition to collect digital and biological data from its citizens is more expansive and invasive than previously known." Among the takeaways: Chinese police analyse human behaviour to ensure facial recognition cameras capture as much activity as possible; phone trackers link people's digital lives to their physical movements; and DNA, iris scan samples and voice prints are being collected indiscriminately from people with no connection to crime.

Strava
Another illustration of the risks of the Strava fitness app. Back in 2018, the locations of secret military bases were exposed when members of the military failed to turn off the app while exercising. Now it's emerged that Strava has been used to track the movements of Israeli defence personnel. The issue was discovered by the investigative group FakeReporter, which explains how fake running "segments" were placed inside known military bases. They were then used to track individuals exercising on the bases. In one example, a user running on a top-secret base thought to have links to the Israeli nuclear programme could be tracked across other military bases and to a foreign country.

Phones
The largest European telephone companies are testing a new mechanism for marketing their customer data. Der Spiegel reports that Vodafone and Deutsche Telekom are trialling the system which involves assigning users a fixed ID based on data including their mobile phone number. Until now, cellphone providers have forwarded most customer data without intervention. The new solution would be invaluable to advertisers, particularly those affected by Apple's moves to limit tracking.

Threats

Text messages: There's been a sharp rise in the number of phishing messages sent by text ('smishing'). Truecaller found that on average people were receiving nearly 20 spam texts every month. And MIT Technology Review explains the tactics scammers use to try to engage us in conversations. Spoiler: ignore friendly messages from people you don't recognise!

Voicemail: A widespread campaign is using fake voicemail notifications to try to steal Microsoft Office 365 and Outlook credentials. Currently, it's mainly targeting US organisations. A giveaway is that the phishing process requires victims to enter their username and password when they're already logged in. Zscaler

PDF: A reminder about the risks of PDF files. As HP Wolf Security explains, innocuous-looking documents can contain a series of tricks that help them evade detection. Another reason Adobe's behaviour (see below) is so irresponsible.

LinkedIn: The FBI is warning about the risks of the 'phisherman's friend,' saying investment fraudsters have been using it to lure users into cryptocurrency scams. LinkedIn admits it removed 32 million fake accounts last year. CNBC

Russia: Microsoft says state-backed Russian hackers have engaged in “strategic espionage” against governments, think tanks, businesses and aid groups in 42 countries supporting Kyiv. Non-governmental organisations were a particular target.

Passwords: Most of the top English-language websites are failing to follow best practices in their password policies. Only 15 out of the 120 in the study blocked weak passwords, and more than half of them, including Amazon, allowed things like "123456" to be used. Freedom To Tinker

Data Protection

Much of the coverage of the UK government's plans for data protection reforms has focused on abolishing cookie pop-ups. That rather misses the point. The privacy campaign organisation Open Rights Group accused the government of "trying to strip ... protections UK GDPR affords." As our data protection partner, DPN, points out, a key concern is how the proposed changes would affect the adequacy rules that allow the free flow of personal data from the European Economic Area to the UK. This is likely to demonstrate (again) that "seizing the benefits of Brexit" is very much easier said than done.

Spyware

Spyware manufacturer the NSO Group told European parliamentarians that at least five EU countries have used its software, and that it terminated a contract with another member state which abused its tools. Appearing before a European Parliament committee which is investigating the use of spyware, NSO insisted it had robust compliance procedures. Its claims were somewhat undermined by the presence of a number of MEPs who almost certainly have been targeted with NSO's flagship Pegasus product. Meanwhile, it's reported that US defence giant L3Harris has been talking to NSO about buying its surveillance technology.

In brief

Prices: There's so much stolen and forged data available for sale on the dark web that prices have plummeted. The cost of a high-quality forged Maltese passport (a highly sought-after nationality) almost halved in the latest period analysed by Privacy Affairs.

TikTok: Leaked audio from internal meetings shows that US user data has been repeatedly accessed from China despite repeated promises that such information is stored in the US to ensure it's protected. A BuzzFeed report provides detailed reasons why there are concerns about the company and who can view the personal data it holds.

Passwords: Almost all organisations are maintaining or increasing the amount of money they spend on password management solutions. The figures are encouraging (even if they come from a password manager company). Bitwarden

Backups: 99% of surveyed IT decision makers say they have backup solutions in place, but 26% admitted they couldn't restore all their data when they tried to use them. Apricorn

Adobe: It's emerged that Adobe has been deliberately preventing some security solutions from scanning PDF files because of possible compatibility issues. Adobe says it's addressing the issue. Minerva

Banned: India effectively banned 35 WhatsApp groups because of reports they had spread "misinformation" about a controversial military recruitment scheme. Reclaim The Net

Jacuzzi: A security vulnerability in Jacuzzi's internet-connected hot tubs exposed personal details about their owners. “Compared to a lot of other things I have done, this was easy,” the researcher who discovered the issue told Motherboard.

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217