FFT news digest Apr 20 2018

Russia accused

Britain and the US accused Russia of carrying out a sustained campaign to take over routers in government and private-sector organisations. In an unusual joint report, they said Russian state-sponsored attackers were conducting "man-in-the-middle attacks to support espionage, extract intellectual property, maintain persistent access to victim networks, and potentially lay a foundation for future offensive operations." Russia has denied the accusations, but such activities are hardly surprising, nor is Moscow likely to be the only government carrying them out. On a practical level, the British government emphasised the importance of taking basic precautions, including keeping devices and software up to date, using strong passwords and making sure important data is backed up.

Telegram ban

Efforts by the Russian government to stop use of the Telegram messaging app have caused widespread disruption to legitimate services using Google and Amazon resources. More than 17 million IP addresses were blocked in an attempt to prevent people from using Virtual Private Networks and proxy servers to circumvent the ban. This follows Telegram's refusal to comply with a court order to provide encryption keys to the service. While legitimate services have been affected, Moscow's efforts appear to have done little to shut down Telegram, which is reported to be operating relatively normally. In fact, some reports say usage of it has actually increased since the ban was introduced. For our part, we continue to recommend Signal as a solution for secure messaging.

GDPR advice

With just over a month until new EU rules on data protection are enforced, organisations face a flood of advice about what they should do. Despite much of what is being published, don't panic! Very few organisations are likely to be 100% compliant with the General Data Protection Regulation. But that's not to say it should be ignored, which could be disastrous. The UK regulator, the ICO, has a range of helpful information and, as it says, it's there to help. If you have policies and procedures to comply with existing legislation in European countries, then you're likely to be well placed for the new rules. But it is vital to understand the changes and to have a plan to comply with them. Initially, that is likely to be what regulators are looking for. And it makes good business sense anyway.

Facebook GDPR

Displaying remarkable (and possibly misplaced) bravado, Facebook has revealed changes in preparation for the GDPR which appear to do the bare minimum to comply with the new rules. A key element of GDPR is the notion of informed consent. Pre-ticked boxes are specifically prohibited. But Facebook's approach to informed consent involves the use of carefully designed mechanisms which make it far harder to opt out of default options than it is simply to accept them. One example is a large blue button to "Accept and Continue" compared to a much less noticeable white button to "Manage Data Setting". We will be watching with interest to see whether this is regarded as compliant. Meanwhile, Facebook has decided to move all non-EU users to its US entity. This avoids being forced to offer them GDPR-style protections but is likely to be highly challenging to manage.

Ts & Cs

A Friday question. How often do you read Terms and Conditions? Do you ever read Terms and Conditions? As Terms of Service; Didn't Read puts it, "I have read and agree to the Terms" is the biggest lie on the web. TOSDR aims to fix this by creating a Wikipedia-style site that does the hard work for us. It works by creating a report card for the services we know and (may) love. It then grades them from A (very good) to E (very bad). It does this by human effort, not automated algorithms, so it is a work in progress and not immune to mistakes. But, like Wikipedia, it is designed to be self-correcting, and the more people who contribute, the better it will be. The site has been around since 2012 but is being relaunched, and we think it's an excellent antidote to TOSDR syndrome.

Social logins

Social logins reduce the number of passwords you need to remember, but new research suggests they can leak information about anyone who uses them. The research says the issue arises because "when a user grants a website access to their social media profile, they are not only trusting that website, but also third parties embedded on that site." Social logins are offered by Google, Facebook and other social media services and they are superficially attractive. However, the system that underpins them has proved insecure in the past and we advise against their use. It is much better to use a password manager such as LastPass or 1Password.

In brief

Police in South Wales used a photo on WhatsApp to extract a fingerprint that led to a conviction on drugs charges. The BBC reported that only a partial print was needed to close the case.

Identity fraud in the UK has reached a record level, according to the National Fraud Database. The report says almost 175,000 cases were recorded in 2017 with the biggest rise in telecoms, online retail and insurance.

Facebook deleted almost 120 discussion groups with more than 300,000 members after investigative journalist Brian Krebs revealed they were being used to facilitate cybercrime.

Trend Micro says its products will analyse writing styles to identify fraudulent emails. It will "blueprint" how a user writes and issue a warning when there is a mismatch.

The Committee to Protect Journalists (CPJ) and Reporters Without Borders (RSF) have called on journalists to report difficulties entering or exiting the US. They say they've documented 19 such cases since 2008.

Updates

Oracle: an impressive 254 security fixes, including 153 for business-critical applications.

Chrome: new version focuses on security-related issues and, by default, blocks videos from playing automatically.

Cisco: urgent update for WebEx Business Suite and WebEx Meetings.

Drupal: versions 8.5.2 and 8.4.7 include a new version of CKEditor (4.9.2) to address a vulnerability in custom builds.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217