FFT news digest Apr 13 2018

Facebook tracking

Facebook enables your web browsing to be tracked even if you're not signed in or signed up to the service. It does this by use of its invisible Pixel solution as well as through a variety of other mechanisms, including the Like button. We're only mentioning this because, in his testimony on Capitol Hill, Mark Zuckerberg seemed pretty hazy on the details. And that's despite February's ruling by a Belgian court that ordered Facebook to stop tracking people on third-party sites and delete any data it had gathered. His performance on the issue reflected the general tenor of his testimony: in case of controversy, avoid saying anything substantive. It was a strategy that clearly worked for investors. By the end of 2 days of saying very little, the value of his personal Facebook shares had risen by nearly $4 billion.

Mobile risks

Given the ubiquity of mobile devices, it's hardly news that they have become a prime target for attackers, but the scale of the increase might be a surprise. According to research by mobile security firm Lookout, the rate at which people are falling for such attacks has risen by an average of 85% every year since 2011. That's particularly worrying because we tend to read so much of our email on our smartphones. And, of course, email is not the only way to attack us; SMS, WhatsApp and Facebook Messenger are increasingly popular. Lookout points to research by IBM that suggests we're three times more likely to fall for scams on mobile devices. Lookout is not a disinterested party, but its report does bear out our own experience and contains some useful information.

Cyber war

The UK is to hold the country's first nationwide cyber-response exercise in response to what the government says is a rising number of attempted attacks. Home Secretary Amber Rudd said that in the past six months "there had been 49 incidents associated with Russian cybergroups...Russian actors have systematically targeted the UK amongst others, expanding the number of sectors targeted in addition to the energy, telecoms and media sectors." Meanwhile, in the US, the nominee to lead the country's cyber command has said "the current level and tempo of cyber attacks is not tolerable." In written testimony to the Senate, General Paul Nakasone said US adversaries believed there would likely be "minimal consequences" to their actions.

Chinese travel

The Dutch Foreign Ministry is reported to have warned business travellers to take only "empty" phones and laptops to China. The Volkskrant newspaper said the advice was issued to 165 organisations accompanying the Prime Minister on a visit to China this week. The warning said equipment could be "drained" remotely or taken over. "The Chinese government will want to know everything about you and your company or organization. You can therefore assume that all computers and telephones entering China are continuously monitored to obtain this information," the advice added. The Volkskrant quoted sources as saying the warning also applied to Russia, Iran and possibly Turkey.

Passwords

Another step has been taken along the winding road towards a time when passwords won't be required as an authentication solution. Two standards bodies said a new specification, catchily dubbed WebAuthn (short for Web Authentication), had reached the penultimate stage before final approval. It's important because, once approved, it will allow hardware devices to take the place of usernames and passwords for logging into websites. Google, Mozilla and Microsoft have all committed to supporting the new standard. It doesn't mean passwords will disappear quite yet, but it's significant progress towards a real alternative.

Insider threat

Most data breaches are the result of malicious attacks, but almost one in five are the result of simple errors, according to Verizon's annual Data Breach Investigations Report. Mistakes included failing to dispose of confidential information securely, sending emails to the wrong person, and misconfiguring web servers. Together with malicious acts, the report says insiders accounted for 28% of attacks. And it adds that most breaches aren't the result of sophisticated criminals but are opportunistic acts targeting the unprepared. That's another way of saying that doing the simple things can have a disproportionate effect on your security. And training your insiders is a great place to start.

In brief

D-Link, Belkin and ZyXel are among manufacturers whose routers are being exploited by criminals. Akamai says they are abusing the Universal Plug and Play (UPnP) protocol.

A Russian court has banned the Telegram messaging app after it refused to hand over its encryption keys to the authorities.

Apple's latest update for iPhones appears to be killing some displays previously repaired by third parties. Motherboard reports that the issue affects iPhone 8 devices which take the iOS 11.3 update.

Meanwhile Wired reports that some Android manufacturers are lying to users about which updates have been downloaded to their devices. The "Patch Gap" could leave users vulnerable to known exploits.

Reuters reports that Singapore is to trial a facial recognition system with cameras mounted on street lights.

Updates

Microsoft: monthly update includes important patch for Outlook among 63 vulnerabilities.

Signal: Ensure the current iOS app version is 2.23.2. Earlier versions are affected by a bug that allows access to the app while the phone is locked.

Adobe: Updates for Flash Player, ColdFusion, Experience Manager, InDesign, and PhoneGap plugin.

SAP: Multiple updates; most important affecting SAP Business Client 6.5 PL5.

Zimbra: 8.8.8 "Turing" Patch 1 and Zimbra 8.7.11 Patch 2 include a fix for a vulnerability in the login form.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217