FFT news digest  May 25 2018

Enforcing GDPR

With the GDPR now enforceable, the most immediate impact may come from EU residents asking organisations for details of their personal data. Under the new rules, 'data subjects' are no longer required to pay for these requests (unless they become excessive), and several groups have indicated they plan to test the new legislation as soon as possible. The GDPR gives an organisation one month to respond to a 'data subject access request'. It may be possible to extend this but, ultimately, regulators will expect the information to be provided in a simple format, and some form of sanction can be expected in the event of failure. Very few organisations are likely to be completely compliant with the GDPR straight away, but it is essential to know what personal data you hold and where it is, and to have a written policy in place so you have a clear process (and templates) for dealing with such requests. Without this, compliance is impossible.

Insider risk

New research suggests there is widespread ignorance among employees about what they should be doing to protect personal data. Egress Software Technologies surveyed 1,000 UK employees and found 20% said they used personal apps or web services to share company documents. Egress CEO, Tony Pepper, said, “Most of the time, employees aren't trying to put their company at risk. They are just trying to get their job done, and often turn to personal apps and devices simply because they find them more convenient. However, this creates massive risk of non-compliance with GDPR, with organisations unable to track where data is stored and who is accessing it." Use of unapproved solutions is an endemic problem in every sector but Egress found marketing departments were the worst offenders.

Russian router attack

The FBI says it has shut down a domain linked to a network of 500,000 routers infected with malicious software. According to an affidavit obtained by the Daily Beast, the ‘botnet’ is controlled by a Russian group known as Sofacy (also dubbed APT28 or ‘Fancy Bear’). Cisco’s Talos Lab says a tool it has called VPNFilter targets router brands such as Linksys, MikroTik, NETGEAR and TP-Link, and appears to be aimed primarily at devices in Ukraine. The Russian group is widely believed to be responsible for previous attacks against Ukraine as well as involvement in the operation against the Democratic National Committee during the 2016 US presidential election campaign. Cisco says the exact infection method isn’t clear but advises users to ensure default credentials are changed and firmware is kept up to date. Russia has denied suggestions it was planning an attack to coincide with Saturday's Champions League final in Kiev.

FBI exaggeration

Amid a continuing campaign to access encrypted communications, the FBI has admitted exaggerating the scale of the problem. The agency had claimed it couldn’t access nearly 7,800 devices connected to crimes last year when the correct number was much smaller, probably between 1,000 and 2,000. In a statement to the Washington Post, the FBI said, “programming errors resulted in significant over-counting of mobile devices”. Governments around the world have complained about the problem of “Going Dark” and have demanded some form of access to the contents of encrypted communications. Their case is hardly helped by failing to get their facts right.

Facebook's shadow problem

Mark Zuckerberg turned up in Brussels to answer questions from the European Parliament but failed to shed any light on the issue of tracking non-users. As UK MEP Syed Kamall put it, “Facebook has admitted creating ‘shadow profiles’ of people who surf the web but don’t have a Facebook account. Is avoiding the internet entirely the only way to prevent Facebook from collecting my data?” This is a key question for Facebook, particularly in the context of the GDPR. Britain’s data protection regulator, the ICO, has already suggested it would visit Facebook's Dublin offices if it became concerned about its approach to processing data. Such an examination would likely be a good deal more searching than the EU session, whose format largely allowed the Facebook CEO to provide scripted answers.

Tinder loves location

Tinder is launching an experimental location-based feature that filters potential matches to people who hang out in the same places. The feature will be tested in Australia and Chile before the company decides whether to roll it out elsewhere. It says the feature will require users to opt in and will avoid recording personal locations such as work, home or medical practices. It also says associations with a particular place expire after 28 days (which is not the same as saying Tinder will delete the data completely). Location-based information is a goldmine for social media companies, and while Tinder may not rely on it to target adverts at its users, it isn't difficult to imagine how it might use the data to enhance its service. As with all such features, we advise caution in their use.

In brief

Amazon has confirmed that an Echo device sent private audio to a user's contact without permission. An Oregon TV station quoted Amazon as saying, "it was an extremely rare occurrence".

Researchers have demonstrated vulnerabilities in a wireless protocol used by more than 100 million devices such as smart locks.

The extent of fake cell towers in Washington DC has been demonstrated by NBC's local affiliate. A team found more than 40 such devices, many in sensitive locations as well as residential areas.

New ways of attacking WordPress sites involve installing malicious plugins. Wordfence says the method is highly complex but is being successfully used.

Attackers trying to hijack routers have extended their campaign to include iOS devices. Kaspersky says the malicious software aims to steal users' credentials by redirecting them to fake sites.

Apple says it will refund $50 to iPhone 6 or later users who paid for an out of warranty battery replacement in 2017.
Meanwhile, increasing numbers of iPhone X users are complaining of cracked camera lenses.

Updates

Facebook: adds support for authentication apps to replace SMS as its two-factor authentication solution.

Dell: update for SupportAssist which addresses a vulnerability in the tool pre-installed on most new Dell Windows devices.

Thunderbird: Update for critical vulnerability.

Zimbra: issues patch 4 for 8.8.8 GA release.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217