FFT news digest, May 11 2018

Fleeing the GDPR

The EU's new General Data Protection Regulation does not become enforceable for another two weeks, but several companies have already said they're shutting up shop in Europe because of it. Arguably, this is persuasive evidence that the GDPR is working exactly as intended. Among those closing their doors to European users is Unroll.me, a controversial app which offers email management features in return for access to your inbox. It then analyses your emails and sells anything with commercial value (which is how Uber came to gather data on users of its competitor, Lyft). In a section of its website that has mysteriously disappeared but is still cached, Unroll.me suggests the legislation is so complex that it needs more time to prepare for it. This would carry more weight if there hadn't been a two-year grace period for everyone to get ready.

And who does it apply to anyway...

Among the many confusions about the GDPR, one of the most common is who it applies to. Talks and articles routinely refer to "EU citizens" and, in some cases, suggest the legislation has force wherever they happen to be in the world. This is misleading. As with much of the GDPR, the key is to look at the fundamental principles. First, it protects "data subjects", defined as identified or identifiable natural persons. Citizenship is immaterial; for an organisation outside the EU, what matters is whether the individual is in the EU when their data is processed (and whether that processing relates to offering them goods or services or monitoring their behaviour). Second, the GDPR applies whenever data is processed in the context of an EU establishment of the controller or processor, regardless of where the individual it refers to happens to be. This is why some companies have moved non-EU international accounts out of European offices. The GDPR is complex but its underlying principles are clear; it's frustrating that so many misconceptions continue to linger.

Portable storage

With admirable clarity, IBM is reported to have announced a complete ban on USB sticks, SD cards and other portable storage devices. According to The Register, IBM's Global Chief Information Security Officer said, "the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices must be minimised." Staff are being encouraged to use cloud collaboration tools instead. In principle, this is an excellent idea. Portable storage is a horrible security risk, both as a route for malware to get in and for data to get out. In practice, USB sticks are frequently required to configure devices or diagnose problems with them, and it's not clear whether IBM intends the ban to apply in these situations as well. Blanket bans seldom achieve the desired effect because they are either ignored or eventually watered down; a ban needs a documented exception process, and technical enforcement, if it is to mean anything.

Crime pays

Internet-related crime in the US resulted in reported losses of $1.4 billion in 2017, according to new data from the FBI's Internet Crime Complaint Center (IC3). The report is based on more than 300,000 complaints and found that the top three types of crime were non-delivery or non-payment of goods and services, personal data breaches, and phishing messages which tried to steal usernames and passwords. The biggest losses resulted from Business Email Compromise, where criminals seek to persuade an organisation to transfer money to an account they control. These scams are remarkably effective, and fraudsters will use information from publicly available sources, including social media, to lend credibility to their communications. It's essential to have robust measures in place to protect against this sort of crime, not least an out-of-band check (a phone call to a known number) before any change of payment details is acted on. According to the FBI, Business Email Compromise alone resulted in $676 million of losses in 2017.

Equifax 

Equifax is the data breach that can't stop giving. In a letter to the US Securities and Exchange Commission, the credit reference agency admitted that, as well as birthdates, social security numbers and payment card information, the details of 38,000 US driver's licences and 3,200 passports were also stolen. Equifax says the data was lost because of a failure to communicate internally that vulnerable web server software needed to be updated. In testimony to a Congressional committee, the outgoing Chief Executive blamed the failure on a single person. According to Sonatype, which tracks software downloads, more than 10,000 companies, including many high-profile ones, have downloaded vulnerable versions of the Apache Struts web framework since the breach; the lesson is that a single unpatched dependency is enough, and that an organisation needs to know which versions it is actually running.

Nation states

Separate reports have pointed to the extent of cyber attacks linked to China and Russia. The Associated Press says death threats sent to the wives of US military personnel originated from a Russian group, rather than from the group known as the CyberCaliphate as originally believed. The group, known as Fancy Bear or APT28, is also believed to have been behind an attack on TV5Monde which took the station off air for almost a day. Meanwhile, researchers published evidence suggesting Chinese state intelligence is responsible for a long-running campaign targeting software and gaming companies around the world. The researchers said the initial attacks were designed to pave the way for attempts to compromise higher-value targets, for example by abusing the code-signing certificates and software distribution channels of the companies compromised first.

In brief

The Mac client for the secure messaging app Signal may retain messages even when they're set to self-destruct. According to security researcher Alec Muffett, the issue is caused by the way macOS notifications are handled: the message text shown in a notification persists after the message itself has been deleted.

Another way to interfere with messaging apps has emerged, and this time WhatsApp is affected. The 'text bomb' is a message containing hidden characters which cause the app to freeze when it tries to render them. Rebooting the device fixes the problem.

If you have a MacBook Pro manufactured since 2014 and the keyboard doesn't work, you're not alone. AppleInsider has found that failure rates are increasing. A petition has been launched demanding that Apple recall all the affected models.

Apple has admitted that the microphones on iPhone 7 and 7 Plus models may fail once iOS 11.3 is installed. 9to5Mac says free repairs may be available for out of warranty devices.

Weekly reminder to check the basics, brought to you courtesy of UK cellular operator EE. A researcher discovered EE had forgotten to change the default username and password to storage containing most of the code the company depends on.

Updates

Microsoft: May update addresses more than 60 vulnerabilities, including a critical issue affecting all supported versions of Windows.

Adobe: updates for Flash Player, Creative Cloud and Connect products.

Sierra Wireless: updates for critical vulnerabilities in AirLink wireless gateways.

7-Zip: version 18.05 fixes a security vulnerability.

Tails: version 3.7 fixes a critical issue in the bundled Firefox-based Tor Browser.

Mozilla: Firefox 60 is the first desktop browser to ship the Web Authentication (WebAuthn) API. Sites that support it can let Firefox users log in with a hardware security key (such as a YubiKey) instead of, or as well as, a password; one key can serve many sites, since the credential each site receives is bound to that site alone.
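As an added illustration of what the WebAuthn API involves (example code written for this digest, not Mozilla's or any vendor's), the block below shows the two halves a site has to get right: the options it hands to navigator.credentials.create() in the browser, and the checks it must perform on the clientDataJSON the authenticator signs over before it trusts the result. Relying-party name, origin and the sample client data are constructed for illustration; a real deployment would also verify the attestation or assertion signature, which is out of scope here.

```javascript
// Added example: WebAuthn registration as seen by the relying party (site).
// Browser side: build options for navigator.credentials.create().
// Server side: check type, challenge and origin in the returned clientDataJSON.
// All names, origins and sample data below are assumptions for illustration.

// base64url <-> bytes (WebAuthn encodes the challenge in clientDataJSON as base64url)
function base64urlToBytes(b64url) {
  const b64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(b64 + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}
function bytesToBase64url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Browser side: the object passed to navigator.credentials.create().
// challengeBytes must come from the server, fresh and random per ceremony,
// and the server must remember it (tied to the session) for the check below.
function buildCreationOptions({ rpId, rpName, userId, userName, challengeBytes }) {
  return {
    publicKey: {
      rp: { id: rpId, name: rpName },
      user: { id: userId, name: userName, displayName: userName },
      challenge: challengeBytes,
      pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // -7 = ES256 (COSE algorithm id)
      timeout: 60000,
      attestation: 'none',
      authenticatorSelection: { userVerification: 'preferred' },
    },
  };
}

// Server side: verify the clientDataJSON (base64url) returned with the credential.
// expected = { type: 'webauthn.create' | 'webauthn.get', challenge: <base64url>, origin: <string> }
// A credential whose client data fails any of these checks must be rejected:
// a wrong origin means a phishing page initiated the ceremony, a wrong
// challenge means replay or a mismatched session.
function verifyClientData(clientDataJSONb64url, expected) {
  let clientData;
  try {
    clientData = JSON.parse(new TextDecoder().decode(base64urlToBytes(clientDataJSONb64url)));
  } catch (e) {
    return { ok: false, reason: 'clientDataJSON is not valid JSON' };
  }
  if (clientData.type !== expected.type) {
    return { ok: false, reason: `unexpected type ${clientData.type}` };
  }
  if (clientData.challenge !== expected.challenge) {
    return { ok: false, reason: 'challenge mismatch (replay or wrong session)' };
  }
  if (clientData.origin !== expected.origin) {
    return { ok: false, reason: `origin ${clientData.origin} is not this site` };
  }
  return { ok: true, reason: '' };
}

// Constructed sample data standing in for what a browser would return.
function makeSampleClientData(origin, challenge, type) {
  const json = JSON.stringify({ type, challenge, origin });
  return bytesToBase64url(new TextEncoder().encode(json));
}
const SAMPLE_CHALLENGE = bytesToBase64url(new TextEncoder().encode('constructed-challenge-0001'));
const SAMPLE_ORIGIN = 'https://example.test'; // assumed relying-party origin
const SAMPLE_OK = makeSampleClientData(SAMPLE_ORIGIN, SAMPLE_CHALLENGE, 'webauthn.create');
const SAMPLE_PHISHED = makeSampleClientData('https://examp1e.test', SAMPLE_CHALLENGE, 'webauthn.create');

// Stand-alone run: the genuine response passes, the look-alike origin does not.
const expected = { type: 'webauthn.create', challenge: SAMPLE_CHALLENGE, origin: SAMPLE_ORIGIN };
console.log('genuine :', verifyClientData(SAMPLE_OK, expected));
console.log('phished :', verifyClientData(SAMPLE_PHISHED, expected));
```

The origin check is what makes a hardware key phishing-resistant: the browser, not the page, writes the origin into clientDataJSON, so a look-alike domain cannot produce a response the real site will accept.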

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217