FFT news digest  Aug 31 2018

Post GDPR complaints soar

The Irish data protection regulator is investigating Facebook after it refused to disclose the information it has gathered about an individual's browsing behaviour. The complaint is just one of thousands made since new EU data protection rules began to be enforced in May. A Freedom of Information request by law firm, EMW, reveals the UK regulator received 6,281 complaints in the first 5 weeks of the GDPR regime; that's more than double the number for the same period last year. The Information Commissioner's Office (ICO) hasn't provided details about the complaints but says it expects the number to continue to climb. Meanwhile, if anyone in your family is disappointed with their exam results, the ICO has provided a guide to how to find out more information about what went wrong. Doubtless, exam boards will be delighted.

Privacy unshielded

A deadline is looming for a European Parliament resolution which calls for the suspension of the Privacy Shield agreement on data transfers between the EU and the US. The resolution says the current arrangement doesn't provide the level of protection required under European legislation, and argues there's no effective control over whether certified companies actually comply with its provisions. The issue of data transfers to the US is the subject of several high-profile court cases, including one in Ireland involving Facebook. The radical differences between US and European approaches to personal data make this a problematic area. Some 3,400 organisations are believed to have certified themselves as being compliant with Privacy Shield. If it is no longer available, other solutions will be required, such as EU-approved standard contractual clauses or Binding Corporate Rules (for group companies), or one of the specific derogations under the GDPR which will lift the general prohibition on data transfers.

Jewtropolis defacement

An instance of anti-semitic vandalism underlines the importance of securing your supply chain. The incident involved renaming New York City as "Jewtropolis" and affected the Mapbox platform used by Snapchat and Citibike among others. Mapbox takes some of its data from OpenStreetMap and it's possible this is where the vandalism originally took place. The complex set of connections that go into creating a webpage - or a product - means that any organisation is only as secure as the weakest link in that chain. And any resource that can be edited by its users is a very weak link indeed. 

Hoping for the best

Half of small businesses in the US believe they're not targets for cyber criminals, according to a new survey. Switchfast found that 51% of small business owners were convinced their company was not at risk. The survey also revealed very low usage of multi-factor authentication, and widespread sharing of email passwords. 35% of owners said they didn't know what a "clean desk" policy involved. Information Security and Data Protection are an obvious challenge for smaller organisations which may lack the resources to create dedicated roles. Outsourcing these roles can provide a cost-effective solution which allows small businesses to access the same expertise as multi-nationals.

Targeting social messaging

WhatsApp and Instagram are increasingly being used to attack employees and circumvent controls on email. Research from security company Wandera found a significant rise in the use of social messaging solutions to distribute booby-trapped links. While this type of attack isn't new, the increase makes it essential to ensure users are aware of the risks, especially as malicious messages on smartphones can be particularly effective. Instagram this week announced a series of measures to strengthen security, including support for third-party authenticator apps, which are far more secure than codes sent as text messages.

Iranian operations

A Reuters investigation has found Iranian attempts to influence public opinion around the world are more extensive than previously thought. Reuters says the operation involves a network of anonymous websites and social media accounts in 11 different languages. Facebook, Twitter and Google took down parts of the operation last week, but Reuters' analysis identified other sites which have been used to redistribute content from Iranian state media while obscuring the original source. The growing threat from Iran is illustrated by research from Secureworks which said attackers linked to Iran had targeted universities in 14 countries to try to steal intellectual property.

In brief

The Wall Street Journal says (paywalled) Yahoo and AOL Mail have been analysing the content of their users' emails and selling the results to advertisers. You can opt out by using Ad Interest Manager.

West Ham has demonstrated the risks of email by mistakenly copying a message to all its away season ticket holders.

A critical vulnerability affecting Apache Struts is being exploited. Researchers say it's being used to deploy software designed to mine cryptocurrency.

Air Canada has revealed a data breach involving its mobile application. Passport details belonging to 20,000 customers may have been exposed.

Police in Shanghai are investigating a mass data leak at Chinese hotel group Huazhu. The details of 130 million customers may have been exposed. Huazhu operates more than 3,000 properties in China including the Ibis and Mercure brands.

Updates

Adobe: Security update to address vulnerability in Adobe Creative Cloud Desktop Application which could be used to cause denial-of-service.

Cisco: Security update to address vulnerability in Cisco Data Center Network Manager which could be exploited to obtain access to sensitive information.

Windows 10: 2 weeks after releasing its monthly set of updates, a fresh batch is being issued to address issues caused by the first lot.

macOS: Second supplemental update for 2018 MacBook Pro owners running macOS 10.13.6.

Zimbra: Release of Zimbra 8.8.9 “Curie” Patch 4 and Zimbra “Turing” 8.8.8 Patch 9.
