FFT news digest  Dec 16 2022

Spyware

A spyware scandal in Greece has culminated in legislation that bans the sale of surveillance tools to private individuals and reforms regulations governing official wiretaps. The vote (by 156-142) followed a parliamentary debate during which opposition politicians accused the government of trying to cover up illegal surveillance of ministers, journalists and senior administration officials. The government has denied the claims, although the head of Greek intelligence reportedly told a parliamentary committee that his agency had indeed spied on a journalist. Human Rights Watch says the legislation "lacks effective privacy and human rights safeguards" and will make the situation worse.

Much of the mainstream media's reporting on cybersecurity issues is problematic (which is a polite way of saying it's frequently bollocks). The latest example comes courtesy of The New York Times which somehow contrived to convert a longstanding set of telecommunications protocols into a surveillance tool created by the makers of Pegasus spyware. Given that the protocols, known as Signalling System 7, are infamous for their lack of security, it's hard to understand how neither the journalists nor their editors appeared to have heard of them. The mistake was belatedly corrected but we'd suggest the (extremely) long-read doesn't really say anything new and that the better story is the ongoing failure to address the flaws in Signalling System 7 (which Oregon Senator, Ron Wyden, has tirelessly highlighted).

Threats

Facebook: Attackers are using Facebook posts to trick users into revealing their account credentials and personal information. The phishing emails tell the recipient that one of their posts is in breach of copyright and warn that their account will be deleted if they don't respond. Bleeping Computer

Images: A campaign is using SVG image files to smuggle malicious code onto target devices. It's essential to have effective defences on end user devices and ensure people understand the risks of opening attachments. Talos

Pay: Avanan says there's been a rise in "Direct Deposit" scams in which fraudsters try to persuade payroll managers to change the account into which a salary is paid.

Utilities: A campaign is using text messages to target US consumers with fake money saving offers. cybernews

Breaches: Research from Thales suggests a third of all internet users have had their information lost or stolen in data breaches. Bizarrely, 82% of those questioned said they continued to trust online digital service providers to safeguard their personal data to some degree. We've long said this situation is out of control and in practice it means passwords should never be reused.

Iran: A state-sponsored group has expanded its operations to target US politicians, critical infrastructure, travel agencies and medical researchers. Previously, it had focused on academics, journalists and human rights workers. Proofpoint

Stalkerware: TechCrunch reports on an obscure phone monitoring app that has been used to steal data from tens of thousands of iPhones and Android devices without their owners' knowledge. Worse, the Xnspy app is riddled with security vulnerabilities.

Airgap: Israeli researchers are adept at coming up with exotic surveillance methods. The latest involves detecting the radiation emitted by a power supply at a distance of around 2 meters. University of the Negev

Exploiting Meta

Facebook owner Meta has published eye-catching reports illustrating the extraordinary extent to which its platforms are exploited to influence and attack targets of interest. It says it has identified "covert influence" operations in "over 100 different countries, from Afghanistan to Zimbabwe" with the US, UK and Ukraine the most frequent targets. In a separate report, Meta says the "global surveillance-for-hire industry" is growing and indiscriminately targeting journalists, activists, litigants and political opposition "to collect intelligence, manipulate and compromise their devices and accounts across the internet." In particular, Meta warns about the use of 'deepfake' photos created by artificial intelligence to make profiles appear more authentic.

Twitter

The evolving nature of Twitter became a little clearer this week, with Elon Musk suspending journalists and using the platform to try to identify an alleged stalker. Possibly most concerning was a thread in which he accused a "crazy stalker" of blocking a car with his child in it. He posted video of an unknown man and asked his 121 million followers to help identify him. Given the volatile nature of many of his followers, to characterise his tweets as reckless would be an understatement. They're also against Twitter's rules but then this week also saw the dismantlement of the company's Trust and Safety Council which was formed in 2016 to examine issues including hate speech and child exploitation on the platform. Earlier, Musk had banned an account which posted automated updates about his personal jet (using public data and available on Facebook) and then suspended journalists who tweeted about the decision.

In brief

Waze: The team behind the popular navigation app has been merged with Google Maps. Google says the apps will remain separate. Hmm. WSJ

Uber: Another data breach at Uber after one of its suppliers was hacked. An attacker leaked employee email addresses, corporate reports, and IT asset information stolen from Teqtivity, which provides asset management and tracking services for Uber. Bleeping Computer

Instagram: A welcome new tool is designed to help victims of hacking regain control of their accounts. Anyone who's had to do this will know "difficult" doesn't come close to describing how tortuous the process has been up to now.

Manipulated: NiemanLab says journalists keep on being manipulated by internet culture. As an example, it cites a campaign to smear TikTok that was orchestrated by Facebook and received widespread media coverage.

Terrorist scan: Facebook owner Meta has released an open-source tool that can scan for terrorist content. This week it also emerged that it has closed its Connectivity division which once proposed launching drones to provide internet connectivity in remote areas.

SIM surveillance: Privacy activists have called on a leading Kenyan mobile phone operator to delete data gathered in an "illegal" registration process. Safaricom demanded customers hand over personal information, including biometric data, in order to continue using the service. Access Now

iPhone theft: We've reported before that many stolen iPhones end up in Shenzhen; the Find My tracking functionality even makes it possible to identify the building. A Mastodon user has a detailed report on what happened after his phone was stolen in London - and tips to protect yourself.

Presents: Possibly our favourite tweet of the week; "I just overheard a woman say she uses her boyfriend's laptop to Google Christmas presents she wants so that he gets targeted ads."

This is a condensed version of the email our clients receive. You can subscribe to receive the full digest.
