FFT news digest, Jul 27 2018

BA meets GDPR

When you check in online for a British Airways flight, it might surprise you to know that your travel details are sent to a number of third parties including LinkedIn, Twitter and Google. A security researcher discovered what was going on after he was forced to disable an ad blocker in order to check in on the BA website. Mustafa Al-Bassam has accused BA of violating the EU's General Data Protection Regulation because he didn't consent to his information being used in this way. BA also seems to have come up with a highly original interpretation of data protection rules by telling customers to post personal information on Twitter and saying this is required to comply with the GDPR. BA later clarified that it intended details to be sent by Direct Message, but that's unlikely to stop it having to answer some pointed questions from the UK's Information Commissioner. And it certainly raises the question of what training its staff have received.

Enterprise targets

The US Department of Homeland Security has warned of an increased threat to enterprise resource planning (ERP) systems. ERP solutions, like those provided by SAP and Oracle, run business-critical processes and store sensitive corporate information, which can be used for espionage, sabotage, and fraud. The alert from the US Computer Emergency Readiness Team follows a report by security firms Digital Shadows and Onapsis which found the number of public exploits for SAP and Oracle ERP applications had doubled over the last three years. Reducing the threat depends on looking for uninstalled patches and users who have more privileges than they need. The report also suggests disabling any interfaces that aren't in use and minimising logins that can be reached from the Internet.

Key to success

Google appears to have provided a clear example of how to defeat phishing emails. Security journalist Brian Krebs says Google told him that none of its employees have been attacked successfully since it began requiring them to use physical security keys instead of passwords and one-time passcodes. Given that Google has more than 85,000 employees, that's quite an achievement. Security keys are USB devices which allow users to complete the login process on supported services by inserting the key in their computer and pressing a button on it. The underlying standard (known as U2F) is relatively new and the list of sites using it is relatively short, though it does include Dropbox, Facebook, GitHub and most leading password managers. Where it's not available, we highly recommend setting up another form of two-factor authentication. Twofactorauth.org has a list of what works where.
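Why a security key stops a phishing page where a one-time passcode does not comes down to one property of U2F: the browser signs the site's challenge together with the origin the user is actually on, so a look-alike site cannot obtain a signature that the real site will accept. The following toy model is an added illustration, not code from the digest, from Google or from the FIDO project. It stands in for the real protocol: the per-site ECDSA key pair is replaced by an HMAC-derived secret so it runs with the standard library alone, and the origins bank.example and bank-login.example are constructed for the demo.

```python
"""Toy model of U2F origin binding versus a relayable one-time passcode.

Added illustration only: a real authenticator generates a key pair per relying
party and signs with ECDSA; here an HMAC keyed per origin plays that role.
"""
import hashlib
import hmac
import secrets


class SecurityKey:
    """Simulated authenticator with one master secret and a per-origin key."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def _site_key(self, origin: str) -> bytes:
        # Stand-in for the per-relying-party key pair (assumption of this model).
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        """Return the credential the site stores for later verification."""
        return self._site_key(origin)

    def sign(self, origin: str, challenge: bytes) -> bytes:
        """Sign the challenge bound to the origin the *browser* reports.

        The user only presses the button; they never choose the origin, which
        is what defeats a phishing page on a different domain.
        """
        client_data = hashlib.sha256(origin.encode() + b"|" + challenge).digest()
        return hmac.new(self._site_key(origin), client_data, hashlib.sha256).digest()


class RelyingParty:
    """The genuine site: issues challenges and verifies responses."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.credentials: dict[str, bytes] = {}
        self.pending_otps: dict[str, str] = {}

    def register(self, user: str, key: SecurityKey) -> None:
        self.credentials[user] = key.register(self.origin)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, user: str, challenge: bytes, signature: bytes) -> bool:
        expected_data = hashlib.sha256(self.origin.encode() + b"|" + challenge).digest()
        expected = hmac.new(self.credentials[user], expected_data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

    # A classic SMS/app one-time code, for contrast: nothing ties it to an origin.
    def issue_otp(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[user] = code
        return code

    def verify_otp(self, user: str, code: str) -> bool:
        return hmac.compare_digest(self.pending_otps.pop(user, ""), code)


def legitimate_login(rp: RelyingParty, key: SecurityKey, user: str) -> bool:
    """User is on the real site; the browser supplies the genuine origin."""
    challenge = rp.new_challenge()
    signature = key.sign(rp.origin, challenge)
    return rp.verify(user, challenge, signature)


def phished_key_login(rp: RelyingParty, key: SecurityKey, user: str, fake_origin: str) -> bool:
    """A look-alike page relays the real challenge, but the browser binds the
    response to the origin the user is really on, so the real site rejects it."""
    challenge = rp.new_challenge()
    signature = key.sign(fake_origin, challenge)
    return rp.verify(user, challenge, signature)


def phished_otp_login(rp: RelyingParty, user: str) -> bool:
    """The same relay against a one-time code: the code the user types into the
    look-alike page is forwarded unchanged and the real site accepts it."""
    code_sent_to_user = rp.issue_otp(user)
    code_typed_on_fake_page = code_sent_to_user
    return rp.verify_otp(user, code_typed_on_fake_page)


if __name__ == "__main__":
    key, site = SecurityKey(), RelyingParty("https://bank.example")
    site.register("alice", key)
    print("genuine login:", legitimate_login(site, key, "alice"))
    print("phished key  :", phished_key_login(site, key, "alice", "https://bank-login.example"))
    print("phished OTP  :", phished_otp_login(site, "alice"))
```

The contrast is the whole point of Google's policy: the relayed passcode is accepted because nothing in it says where the user typed it, while the security key response fails at the real site because the origin it was signed for is wrong and the user never had a chance to override that.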

Operational insecurity

A security company has accused journalists covering the meeting between Presidents Trump and Putin of being "entirely too complacent about their cyber security." F-Secure, which is based in Helsinki (where the meeting took place), said journalists "seemed like sitting ducks." Among the rules it said were broken: laptops left open and unlocked so they wouldn't go to sleep, and Bluetooth connectivity left active. F-Secure also noticed that many computers and phones identified their user by name, providing information that could be used to target an individual or a news outlet. And many of the booths and cubicles at the summit were unsecured. Anyone who has covered major planned events will know security is often the last thing on the minds of journalists who are working around the clock under extreme pressure. The view of an outsider like F-Secure is a useful reminder that security shouldn't be ignored.

Attacking the supply chain

Compromising the software supply chain is a well-known way of attacking companies, and many companies are not prepared to deal with the threat. A report for security company CrowdStrike found that two thirds of companies surveyed had suffered such an attack in the previous 12 months at an average cost of $1.1 million. Despite this, only a quarter said they felt fully prepared to defend against the threat. The report found under a third of the companies had vetted all their suppliers in the previous year. The same proportion identified the issue as the top concern for their company. Among supply chain attacks, last year's NotPetya incident stands out for the damage it caused, described by the White House as "the most destructive and costly cyber-attack in history." Russia denied accusations that it was responsible for the incident, which initially targeted a Ukrainian accountancy product.

Setting a bad example

A report has revealed atrocious security habits among business leaders, and illustrates how hard it is to persuade people to behave sensibly. Among Code42's findings: 72% of CEOs admitted stealing data from their former companies and 59% said they had downloaded software without knowing whether it had been approved by their company. To underline the scale of the problem, 93% of CEOs said they keep copies of work on personal devices, yet 78% believe intellectual property is a business's most precious asset. This disconnect is unlikely to come as a surprise to anyone who has had the pleasure of helping senior executives with their technology issues. But it supports our view that it's essential to translate these issues so that their importance can be understood.

Ts & Cs

The UK's Investigatory Powers Tribunal has again ruled that bulk surveillance by spy agencies was unlawful because there was insufficient oversight of it. But the Tribunal said the activities did not contravene the European Convention on Human Rights.

A flaw has been found in some Bluetooth implementations which could allow data to be intercepted.
The issue has been addressed in the latest updates for macOS, Android, iOS and for LG and Huawei devices.

There's been an upsurge in reports of data breaches to the UK regulator since the GDPR began to be enforced in May.
The ICO says it received 1,750 breach reports in June; that's up from 400 in April.

Phishing works, as a US bank found out to its cost.
Brian Krebs reports that the National Bank of Blacksburg fell victim twice and lost $2.4 million as a result.

Updates

Chrome: version 68.0.3440.75 for Windows, Mac, and Linux addresses vulnerabilities that an attacker could exploit to take control of an affected system. It's also the first version that marks HTTP sites as "Not Secure."

Apple: macOS High Sierra 10.13.6 Supplemental Update aims to overcome performance issues with MacBook Pro with Touch Bar (2018) machines.

Apache: security updates to address vulnerabilities in Apache Tomcat versions 9.0.0.M9 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.

Sony: Update to address multiple vulnerabilities in Sony IPELA E Series Camera.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217