FFT news digest  Jul 13 2018

Social costs

The UK's Information Commissioner says trust in democracy is being undermined by the use of data analytics. As well as announcing a decision to fine Facebook £500,000 for failing to protect its users' personal information, the ICO said it would take action against a website offering advice to pregnant women and new mothers. Emma's Diary is accused of illegally sharing more than a million people's personal information with the Labour Party during the 2017 UK general election campaign. The fine levied on Facebook is the maximum allowed under legislation which has been superseded by the EU General Data Protection Regulation. Fines under those rules would have been far larger but, as the Information Commissioner has pointed out, the real cost is the reputational damage suffered by organisations that fail to protect personal data. Facebook's conduct continues to raise questions, and the attention of US lawmakers has now turned to Apple and Google.

Sextortion and stuffing

Sorry if you're sick of advice about passwords, but two stories this week underline the problems of reusing them. In one, an ingenious twist on a venerable scam involves making a victim believe their computer has been hacked and the camera used to record them 'actively engaged' in watching adult content. To make the scam more credible, the victim receives an email that begins with one of their genuine passwords (obtained in one of the all too regular breaches of personal data). The email threatens to send compromising video to all the victim's contacts unless they pay up. The second involves a process called "credential stuffing." This takes usernames and passwords from a breach and systematically tries them out on a variety of services to find one where they work. Password security guru Troy Hunt says he's seen a rapid rise in this type of attack, which can be difficult for services to combat without frustrating their users. One answer is for individuals to use a password manager and two-factor authentication. This is a crucial area and we have a new post on the issue here.
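For service operators, the distinguishing feature of credential stuffing is its shape in the authentication log: one source tries many different usernames, each only once or twice, and most attempts fail because leaked passwords are usually stale. The example below is added here to illustrate that detection logic and is not code from the digest or from any product it mentions. The log format and the sample lines are constructed for the demonstration; the thresholds are assumptions to be tuned per service.

```python
"""Heuristic detection of credential stuffing in authentication logs.

Added example with a hypothetical log format: "<timestamp> <ip> <username> <OK|FAIL>".
The sample lines are constructed, not taken from any real system.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")

# Constructed sample: one source spraying leaked credentials across many accounts,
# one legitimate user mistyping their own password, and one single-account brute force.
SAMPLE_LOG = """\
2018-07-12T10:00:01 203.0.113.7 alice FAIL
2018-07-12T10:00:02 203.0.113.7 bob FAIL
2018-07-12T10:00:02 203.0.113.7 carol OK
2018-07-12T10:00:03 203.0.113.7 dave FAIL
2018-07-12T10:00:04 203.0.113.7 erin FAIL
2018-07-12T10:00:05 203.0.113.7 frank FAIL
2018-07-12T10:05:00 198.51.100.4 alice FAIL
2018-07-12T10:05:07 198.51.100.4 alice FAIL
2018-07-12T10:05:15 198.51.100.4 alice OK
2018-07-12T10:09:00 192.0.2.9 bob FAIL
2018-07-12T10:09:01 192.0.2.9 bob FAIL
2018-07-12T10:09:02 192.0.2.9 bob FAIL
2018-07-12T10:09:03 192.0.2.9 bob FAIL
2018-07-12T10:09:04 192.0.2.9 bob FAIL
2018-07-12T10:09:05 192.0.2.9 bob FAIL
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_source(events):
    """Per source IP: attempt count, distinct usernames tried, failures, accounts that logged in."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(), "failures": 0, "succeeded": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["succeeded"].add(e["user"])
    return stats


def detect_credential_stuffing(events, min_distinct_users=5, min_fail_ratio=0.6):
    """Flag sources that tried many distinct usernames with a high failure ratio.

    A single-account brute force (many attempts, one username) and a user
    fumbling their own password (few attempts, one username) are deliberately
    NOT flagged. Accounts that logged in successfully from a flagged source are
    listed so they can be forced through a password reset or step-up authentication.
    Thresholds are assumptions; tune them to the service's normal traffic.
    """
    findings = []
    for ip, s in summarize_by_source(events).items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            findings.append({
                "source": ip,
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "succeeded": sorted(s["succeeded"]),
            })
    return sorted(findings, key=lambda f: f["distinct_users"], reverse=True)


if __name__ == "__main__":
    for finding in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(finding)
```

Keying on distinct usernames per source rather than on raw attempt counts is what keeps this from punishing ordinary users; the trade-off Troy Hunt describes still applies, because many legitimate users can share one NAT address, so the sensible response to a finding is step-up authentication or a forced reset for the accounts that succeeded, not a blanket block on the source.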

Defaulted

The risk of default passwords has been vividly illustrated by the theft of restricted documents from a US Air Force captain's computer. Recorded Future found the documents being offered for sale on a Dark Web marketplace. They included maintenance manuals for the Reaper drone aircraft. Advanced hacking skills were not required. Stealing the documents involved using the Shodan search tool to find Netgear routers with a specific vulnerability which was disclosed over a year ago. Any affected router still using the default administrator password could be compromised to access devices and files on the local network. In the case of the unlucky Air Force captain, it's unlikely the router was on a military network which suggests the documents may have been on a home computer. Among them was a certificate showing the victim had successfully completed an online "Cyber Awareness Challenge". Clearly this training was not very effective. A quick look at the content shows why.

Second-hand blues

Almost two-thirds of second-hand memory cards contain personal information about their previous owner. Researchers from the University of Hertfordshire used freely-available software to examine 100 cards bought on eBay, at auctions and from second-hand shops. Amongst the data they found were intimate photos, copies of passports, contact lists, resumes and other personal documents. The report was commissioned by advisory site Comparitech. As it points out, "often the problem is not that people don't wipe their SD cards; it's that they don't do it properly. Simply deleting a file from a device only removes the reference that points to where a computer could find that file in the card memory. It doesn't actually delete the ones and zeros that make up the file."

Fitness leaks

Fitness apps can be dangerous to your health - especially if you're using them in military bases or sensitive locations. Analysis by Bellingcat and Dutch journalism platform De Correspondent found the Polar Flow social platform is revealing the homes and lives of people exercising in intelligence bases, airfields, nuclear weapons storage sites and embassies. This comes only months after the Strava fitness app was discovered to be doing much the same thing. Bellingcat says the risk from Polar Flow is higher because it "publicizes more data per user in a more accessible way." The platform combines all a user's sessions on a single map and these include heart rates, routes, dates, time, duration, and pace. Bellingcat says even if people don't connect the app to Facebook, they often use their full names and a photo.

Security challenged

Organisations are continuing to leave their systems open to attack despite the rising cost of data breaches. Positive Technologies says penetration tests over the second half of 2017 found breaking in to be lamentably easy. Among the issues uncovered, patches hadn't been applied to vulnerable systems, access points were unsecured and more than a quarter of employees clicked on links in phishing emails. Meanwhile, IBM and the Ponemon Institute report that the average cost of a data breach has risen by 6.4 percent to $3.86 million. BAE's consultancy arm has called for a new collaborative approach to tackle cybercrime and says it's time to "stop giving cyber security the silent treatment." BAE has launched a manifesto for what it calls 'The Intelligence Network' which aims to support "a move from passive, isolated cyber defence to institutionalised, active collaboration and learning that spans organisations, industries and countries."

In brief

The Ticketmaster breach appears to have been part of a much broader campaign to steal credit card information. RiskIQ says more than 800 e-commerce sites may have been affected.

Social network, Timehop, says attackers have accessed a range of personal information including email addresses, birthdates and phone numbers. It appears the attack lasted months without detection.

Panda Security has detailed a vulnerability affecting Microsoft's Cortana virtual assistant. The issue involves voice commands which work even when a Windows 10 device is locked.

Uganda has warned against the use of VPNs as it defends a new law that imposes a daily tax for anyone using social media services.

Apple's latest iOS update includes a feature aimed at preventing unauthorised access to iPhones but it can be defeated by a cheap accessory.

Two former investment bankers have been found guilty of hacking news agencies to access press releases before their publication and make money from the information.

Updates

Apple: A slew of updates including iTunes 12.8 for Windows, iCloud for Windows 7.6, Safari 11.1.2, macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan, watchOS 4.3.2, tvOS 11.4.1, iOS 11.4.1.

Microsoft: Monthly updates address more than 50 vulnerabilities, most affecting Edge and Internet Explorer browsers.

Adobe: Patches for 105 vulnerabilities in Acrobat and Reader, two in Flash Player, three in Experience Manager, and three in Connect.

Cisco: Multiple updates, six rated 'High', for Firepower firewalls, Nexus and MDS network switches and StarOS router firmware.

Zimbra: 8.8.9 upgrades collaboration tools.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217