FFT news digest Jun 15 2018

Dixons Carphone 

Dixons Carphone has become the first company to announce a major data breach since EU countries began enforcing new data protection rules. Dixons Carphone said the breach happened last year and involved 5.9 million payment cards and the details of 1.2 million customers. All but about 105,000 cards have chip and PIN protection and Dixons Carphone added that it had "no evidence to date of any fraudulent use of the data."
The problem for the company is that the breach follows a similar incident in 2015. That incident, which resulted from an out-of-date WordPress installation, led to a £400,000 fine and condemnation from the UK data protection regulator. It's not clear why it took so long for Dixons Carphone to announce the breach, and the key question is whether the inevitable fine will be calculated according to the new GDPR rules. The National Cyber Security Centre has advice for customers here.

Keeping employees safe

New reports underline the importance of focusing on basic security measures, in particular email protocols and password hygiene. Analysis by Red Sift found that 74% of exhibitors at last week's Infosecurity Europe event were not implementing Domain-based Message Authentication, Reporting and Conformance (DMARC). This is one of several measures which can be taken to stop a domain being subverted to send fake emails. DMARC and similar protocols can be tricky to implement correctly, but they are an essential defence against malicious emails and we recommend you ensure your IT service provider is following the NCSC's guidance. Meanwhile, OpenVPN surveyed 500 employees in the US and found that 25% of them use the same password for every account. As we emphasise in our training and security reviews, the key to reducing risk is to create a solid foundation. Email and passwords are fundamental building blocks.
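One practical way to check whether a domain has a DMARC policy that actually does something is to fetch the `_dmarc.<domain>` TXT record and look at its `p=` and `pct=` tags. The script below is an added example written for this digest, not code from Red Sift, the NCSC or any of the products mentioned; the domain names and records in SAMPLE_DNS are constructed test data, and the resolver is a dictionary lookup so the example runs offline (swap in a real DNS query to check live domains).

```python
"""Classify DMARC policies from _dmarc TXT records (added example, constructed data)."""
from typing import Callable, Dict, List, Optional

# Constructed sample records, keyed by the _dmarc.<domain> name a DNS resolver would return.
# These are not real domains; .test is reserved for exactly this purpose.
SAMPLE_DNS: Dict[str, Optional[str]] = {
    "_dmarc.example-strict.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-strict.test; pct=100",
    "_dmarc.example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "_dmarc.example-partial.test": "v=DMARC1; p=quarantine; pct=10",
    "_dmarc.example-missing.test": None,                                  # no TXT record published
    "_dmarc.example-broken.test": "v=DMARC1; rua=mailto:x@example-broken.test",  # no p= tag
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record into a dict. Tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: Optional[str]) -> Dict[str, object]:
    """Return a verdict ('missing', 'invalid', 'monitor-only', 'partial' or 'enforced') with findings.

    'enforced' means receivers are told to quarantine or reject all mail that fails
    DMARC alignment; anything weaker leaves the domain usable for convincing fakes.
    """
    findings: List[str] = []
    if record is None:
        return {"verdict": "missing",
                "findings": ["no _dmarc TXT record: receivers have no policy to apply to spoofed mail"]}

    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return {"verdict": "invalid", "findings": ["record does not start with v=DMARC1"]}

    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return {"verdict": "invalid", "findings": ["p= tag missing or unrecognised; receivers ignore the record"]}

    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return {"verdict": "invalid", "findings": ["pct= tag is not a number"]}

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will never reach you, so failures go unseen")

    if policy == "none":
        verdict = "monitor-only"
        findings.append("p=none: spoofed mail is still delivered; move to quarantine/reject once reports are clean")
    elif pct < 100:
        verdict = "partial"
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    else:
        verdict = "enforced"

    return {"verdict": verdict, "policy": policy, "pct": pct, "findings": findings}


def check_domain(domain: str,
                 resolve: Callable[[str], Optional[str]] = SAMPLE_DNS.get) -> Dict[str, object]:
    """Look up _dmarc.<domain> through `resolve` and classify the result."""
    return evaluate_dmarc(resolve(f"_dmarc.{domain}"))


if __name__ == "__main__":
    for name in ("example-strict", "example-monitor", "example-partial", "example-missing", "example-broken"):
        result = check_domain(f"{name}.test")
        print(f"{name + '.test':24} {result['verdict']:13} {'; '.join(result['findings'])}")
```

Only the `enforced` verdict means a receiving mail server is instructed to quarantine or reject a forged message from that domain; `p=none` is a useful first step for collecting reports but offers no protection on its own, which is why the exhibitor statistic above matters.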

Kaspersky under fire

The European Parliament has approved a resolution that could result in a ban on products from embattled security company, Kaspersky Lab. The resolution calls on the EU to perform a comprehensive security review to "exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab." The non-binding motion is the latest move against Kaspersky which the US has accused of collaborating with Russian intelligence agencies. Kaspersky has denied the accusations and put in place measures to reassure customers. There has been no proof of collusion between Kaspersky and the Russian government but given the availability of less controversial solutions, users may prefer an alternative anti-virus program.

USB fans

Much twittering about a USB fan distributed to journalists covering the US/North Korea summit in Singapore. Needless to say, USB devices (even USB charging stations) are a risk. Even if they're provided out of the kindness of the Singapore government's heart. If you travel and need to recharge your devices using a USB connector, we advise that your device only ever be recharged with trusted power adapters and cables. USB 'condoms' prevent accidental or malicious data exchange when your device is plugged in to charge. These devices achieve this by disconnecting the data pins in the USB cable and allowing only the power pins to connect. If you do need to power up on the go, connectors like this will reduce the risk of data loss.

Deeper fakes

Last year researchers demonstrated how to modify video to make someone say something they never said. Now a new video-manipulation solution takes this one step further. Deep Video Portraits describes how to reproduce the head movements, facial expression and speech of one person using the head and shoulders of someone else. In itself, this isn't new. Similar technologies are commonplace in feature films. What's different is the dramatic reduction in the cost and complexity of achieving the effect. As the researchers behind Deep Video Portraits explain, there are many potential positive uses of their technology, including dubbing films and TV programmes. However, they also recognise that the approach could be misused to create fake video that is hard or impossible to spot. 

Football surveillance

Spain's premier football league has admitted using its Android app to access the device's microphone and location. La Liga said it used the information to identify venues which might be showing matches illegally as part of its "responsibility to protect clubs and their fans from fraud." In its statement, La Liga defended its decision and said it asked users for the appropriate consent when they installed or updated the app. It also sought to reassure users that it only accessed the microphone during matches and any audio was converted to binary code. Despite La Liga's statement, Spain's data protection regulator is investigating and users are unimpressed. It's an excellent illustration of the need to take care over what access we grant the apps we install.

In brief

Tens of thousands of Android devices are at risk because they are being shipped with their debug port open to remote connections.

iPhone and iPad users are complaining that the iOS 11.4 update is reducing battery life.

The UK National Cyber Security Centre has published advice on key issues with a comprehensive guide to Software as a Service security (SaaS). The guidance includes fundamental principles and assessments of solutions including Confluence, G Suite, Office 365, Slack and Trello.

Danger. Men at work. The Spamhaus Project has a list of "The World's Most Abused TLDs". It says these include .gq, .men and .work. So consider yourself warned if you see a web address ending in one of those.

Uber is reported to be developing technology that can work out how drunk a passenger is. According to CNN, it would work by analysing how the Uber app is being used.

Updates

Microsoft: monthly update includes 50 fixes, including one for an issue that caused systems to start up with a black screen. 11 vulnerabilities are rated critical; three could allow code to be executed remotely.

SAP: June update has 14 patches, 2 rated critical.

Apple: update to address vulnerabilities in Xcode which could be exploited to take control of an affected system.

F-Secure: fixes severe vulnerability in home and enterprise antivirus products caused by a flaw in the 7-Zip file archiving software.

Privacy Badger: New version of Electronic Frontier Foundation's popular anti-tracking browser add-on.

Tails: Upgrades Tor Browser to 7.5.5 to fix critical Firefox issue and Thunderbird to 52.8.0 which partly mitigates encryption vulnerability.

Airwatch: update to address critical remote code execution vulnerability in AirWatch Agent applications for Android and Windows Mobile.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217