FFT news digest  Jun 29 2018

Social media manipulation

Facebook and Google are circumventing the notion of giving consumers control of their personal data, according to a report by the Norwegian Consumer Council. After analysing their privacy pop-ups, the Council said the companies steer people into sharing data through cunning design choices, confusing layouts and an illusion of choice. As the report points out, this conflicts with the intention of the new data protection legislation which became enforceable a month ago. Meanwhile, a security researcher has described how the information of more than 120 million Facebook users was exposed publicly through use of a popular quiz app. Nametests.com allows users to discover the answers to burning questions such as, "Which Disney princess are you?" It turns out it also allowed any website subsequently visited to view a range of personal information about the user.

We can see you

Browser fingerprinting enables a website to identify a user through the unique combination of features that a browser and device display. This creates a persistent way of tracking users that is hard to defeat. The Electronic Frontier Foundation has long voiced concerns over this type of tracking and has a tool to demonstrate how it works. The EFF believes browser fingerprinting is on a collision course with the EU's new privacy regulations and it calls on companies to be upfront about what they're doing. Separately, a group of researchers has demonstrated how our digital footprint can be used to predict how likely we are to default on a loan. The researchers say their tool equals or exceeds the performance of credit bureau scores.

Defeating the dots

Many printers add hidden dots to documents so that their source can be identified. Many people have been caught out by this, including former National Security Agency contractor Reality Winner, who this week pleaded guilty to leaking a classified report about Russian interference in the 2016 US presidential election. She now faces up to 63 months in jail. In Germany, a team from the Technical University of Dresden believe they have found a way to ensure documents can't be traced to their source. In a paper, the team describe how they tested multiple documents to identify the patterns being used. They then show how adding extra dots in the right place renders the patterns useless. If that's too much trouble, then you could use a Brother, Samsung or Tektronix printer, which the team says didn't print tracking patterns.

Wi-Fi security

A new standard for securing wireless networks has been launched which aims to simplify configuration and strengthen security. WPA3 is the successor to the current standard, known as WPA2, which has been in use for more than 10 years. The Wi-Fi Alliance says the existing standard will continue to be supported as the transition takes place. Existing devices are unlikely to be upgradeable to WPA3 so that transition could be a lengthy process. Among the new features is better protection against 'brute force' attacks where a dictionary of potential passwords is used to break into a network. This month the Wi-Fi Alliance also launched improved protection for users on open Wi-Fi networks.

Making email safer

The Electronic Frontier Foundation is launching a campaign to improve the security of email. STARTTLS Everywhere is aimed at ensuring servers are configured correctly because, according to the EFF, most of them aren't. STARTTLS creates an encrypted communication channel between two mail servers which means emails can't be read in transit. The EFF's concern is that while STARTTLS may be active on most servers, they're not set up to check whether the underlying certificate is valid. The EFF says this means an attacker could "get between two servers and impersonate one or both, allowing that attacker to read and even modify emails sent through your supposedly 'secure' connection." STARTTLS Everywhere overcomes this by providing a tool to automatically obtain a valid certificate.
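The weak configuration the EFF describes is a server that upgrades to TLS but never validates the peer's certificate. The following added example (written for this digest, not the EFF's STARTTLS Everywhere tooling) shows the defender's check in Python's standard smtplib: it reads the EHLO reply for a STARTTLS offer and then upgrades with a context that rejects untrusted or mismatched certificates. The host name and the sample EHLO reply are constructed assumptions.

```python
import smtplib
import ssl

# Constructed sample EHLO reply, in the form smtplib.SMTP.ehlo() returns it
# (status code stripped, one capability per line, first line is the greeting).
SAMPLE_EHLO = b"mx.example.test Hello\nSIZE 35882577\nSTARTTLS\n8BITMIME"


def strict_tls_context():
    """TLS context that rejects untrusted, expired or mismatched certificates.

    create_default_context() loads the system CA store and sets
    verify_mode=CERT_REQUIRED and check_hostname=True; the weak setup the
    EFF describes behaves like verify_mode=CERT_NONE.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_ehlo(ehlo_reply):
    """Return the capability keywords (upper-cased) a server advertised."""
    lines = ehlo_reply.decode("ascii", "replace").split("\n")[1:]  # drop greeting
    return {line.split()[0].upper() for line in lines if line.strip()}


def check_starttls(host, port=25, timeout=10.0):
    """Connect to a mail server and report whether STARTTLS with a valid
    certificate succeeds. Needs network access; host and port are assumed."""
    result = {"host": host, "starttls_offered": False, "cert_valid": False, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            _code, reply = smtp.ehlo()
            if "STARTTLS" not in parse_ehlo(reply):
                result["error"] = "server did not advertise STARTTLS"
                return result
            result["starttls_offered"] = True
            # Without a verifying context this upgrade accepts any certificate;
            # the strict context makes an invalid or mismatched one fail here.
            smtp.starttls(context=strict_tls_context())
            result["cert_valid"] = True
    except ssl.SSLCertVerificationError as exc:
        result["error"] = "certificate rejected: %s" % exc.reason
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    print(check_starttls(sys.argv[1] if len(sys.argv) > 1 else "mx.example.test"))
```

Run against a real MX host, a "certificate rejected" result is exactly the gap the EFF is talking about: the channel is encrypted, but nothing proves who is on the other end.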

Ticketmaster

The data breach suffered by Ticketmaster appears to be worse than originally reported, and the company was warned about fraudulent activity in April. London-based online bank Monzo says it spotted signs of the breach after customers reported fraudulent transactions on their accounts. It turned out that most of the victims had used their cards with Ticketmaster. After investigating, Ticketmaster said it had found no evidence of a breach. This week, two months later, it admitted that malicious software had been found on a customer support product, and warned UK customers who purchased or tried to purchase tickets between February and June 23 that their information might have been stolen. The National Cyber Security Centre has guidance for anyone concerned.

In brief

A Reuters investigation found that US Immigration and Customs Enforcement modified a risk-assessment tool used to decide whether immigrants should be detained or released. The modification meant the tool automatically recommended "Detain."

SEC Consult says flaws in the Fredi Wi-Fi baby monitor could allow an attacker to remotely connect to the device and use its built in camera without authentication.

Lousy advice of the week from the head of Israel's National Cyber Directorate, who joked that passwords should be like underpants: changed often and never shared. Keeping them secret is good; changing them needlessly is not, and actually decreases security.

Visa says a "rare defect" in a switch in its primary UK datacentre was responsible for this month's failure of its processing systems.

Secure email solution ProtonMail has been the target of sustained Distributed Denial of Service attacks.

Updates

Sophos: security updates for SafeGuard Enterprise, SafeGuard Easy and SafeGuard LAN Crypt Windows clients.

Oracle: Updates Oracle Linux and Oracle VM to address processor vulnerabilities CVE-2018-3640 (“Spectre v3a”) and CVE-2018-3639 (“Spectre v4”).

Joomla: 3.8.10 released to address issue affecting the autoloader for Windows platforms.

SecureDrop: 0.8.0 includes kernel update, removal of two-factor authentication for console logins, and smaller user interface changes and bugfixes.

Tails: Upgrades Enigmail from 1.9.9 to 2.0.7 which addresses some of the vulnerabilities in OpenPGP.

Zimbra: Patch 6 for 8.8.8 GA release. Includes fix for Outlook Calendar reminders which refuse to go away.

Apple: SwiftNIO 1.8.0 available for macOS Sierra 10.12 and later, Ubuntu 14.04 and later.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217