FFT news digest Nov 2 2018

Lessons from Chinese spies

The extent of Chinese cyber espionage is revealed by two stories this week. An indictment released by the US Department of Justice accused Chinese intelligence officers of conducting a long-term, sophisticated operation to steal information from aerospace and technology companies. The indictment underlines the importance of ensuring the security of every organisation in the supply chain. Separately, researchers from the US Naval War College and Tel Aviv University published a report accusing a state-owned telecommunications company in China of "hijacking the vital internet backbone of western countries." The report suggests that China Telecom has used its points of presence in western democracies' telecommunications systems to selectively redirect internet traffic through China. It's a handy reminder that the Internet was not designed to be secure, which means security has to be added - particularly where sensitive data is concerned.

The world according to Apple

Apart from the extraordinary cost of its devices, the other key message from Apple's launch event this week was its vision of the tablet as the future of computing. Half of the event was focused on the new iPad Pro which, as CEO Tim Cook put it, "changes the way we think about computers." First reviews of the new device do suggest it redefines what a tablet can do. But in a nod to market reality and customer demand, Apple also unveiled updated MacBooks (and a new Mac Mini). The new laptop models include a security enhancement which physically disconnects their built-in microphone when the lid is closed. The solution uses Apple's T2 Security Chip and, according to Apple, "prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed."

Surveilled students

Would-be students who apply to the Student Loans Company should expect their social media activity to be vetted as part of the approval process. That was the message from the company's chair, Christian Brodie, in evidence to a parliamentary committee. Mr Brodie stuck to his position despite hostile questioning, which included accusations from one MP that the approach amounted to "sinister, KGB knock on the door" tactics. “If people have public sources of information about themselves then they must expect that will be looked at,” Mr Brodie told the select committee. The hearing followed criticism of the company for using social media to determine whether students were estranged from their families. (In one case, interaction on Facebook was used to prove a student was not - and therefore not entitled to a maintenance grant.) The crystal clear message from the hearing is that students - and everyone else - should dial up their social media privacy settings as far as they will go.

Border AI

The EU is planning to test the use of Artificial Intelligence to spot visitors who tell lies as part of the application process. The EU says the "digital border guard" will be trialled for six months at four border crossings in Hungary, Latvia and Greece. Snappily titled IBORDERCTRL, the pilot will involve travellers using an online portal to upload pictures of their passport, visa and proof of funds. They'll then answer questions from a computer-animated border guard and their "micro-expressions" will be analysed to see if they're lying. (According to New Scientist (paywall), those questions will include, "What’s in your suitcase? If you open the suitcase and show me what is inside, will it confirm that your answers were true?") The results of the analysis will be used to determine how the traveller is handled when they arrive at the border. The cost of the pilot is €4.5M.

Facebook for sale

Russian hackers are selling private conversations from at least 81,000 Facebook accounts for 10 cents per account, according to the BBC. The BBC Russian Service found the messages being advertised for sale on an English-language Internet forum. Cybersecurity company, Digital Shadows, examined the claim on behalf of the BBC and confirmed that private messages were among the contents of the profiles posted online. The BBC contacted five Russian users whose data had been uploaded and they confirmed the posts were genuine. Facebook told the BBC that its security had not been compromised and that the data had probably been obtained through malicious browser extensions. This is a reminder to be extremely careful about installing extensions or plugins. While they can be useful, they are a recurring cause of data theft - so much so that Google has tightened up its policy on how extensions can be installed.

Signal privacy

Secure messaging app, Signal, is testing a new solution to minimise the amount of metadata that its servers can access. This matters because while the content of messages is encrypted end to end, details about the message (including the sender, recipient and when a message was sent) are unprotected. Signal's solution is designed to hide the identity of who sent the message, much as an envelope doesn't need the sender's address to reach its destination (unless you're in the US). Doing this is challenging because Signal has to stop spoof messages and normally this is done by using the sender's address. The answer involves a complex chain of certificates and tokens, but the upshot is a significant increase in security. The importance of metadata was demonstrated by prosecutors in the US who used it to build a case against a Treasury official for communicating with a reporter.

In brief

China appears to be having one of its periodic clampdowns on Virtual Private Networks (VPNs). ExpressVPN warned users that its services were being disrupted, although it says the situation is beginning to improve.

One in five Americans would dump a business if it suffered a major data breach, according to new research. PCI Pal's State of Security report found that security influences where consumers take their business, and how much they spend.

Cisco has warned of a vulnerability in its Adaptive Security Appliance which enables denial of service attacks against it. There's no fix for the issue yet, but Cisco has published suggested mitigations.

The US government has published advice on what to do with old electronic devices. As it points out, old devices frequently turn up with sensitive data on them - and deleting files is not as simple as it might seem.

What can you fit in a tweet? How about the complete works of Shakespeare? As Motherboard reports, a researcher embedded the whole lot in a single image to demonstrate that pictures aren't always what they seem.

Updates

Enterprise WiFi: Aruba, Cisco/Meraki release fixes for issue affecting Bluetooth Low Energy in their enterprise Wi-Fi access points.

Thunderbird: Security update to address vulnerabilities in Thunderbird ESR which could be exploited to take control of an affected system.

Zimbra: Updates for Zimbra 8.8.10 “Konrad Zuse” Patch 2, 8.7.11 Patch 7, and 8.6.0 Patch 12.

Google: new security features include protection from malicious Android apps, clearer notification about what information is being shared with apps, and a new reCAPTCHA solution that is supposed to put an end to clicking on infuriating images to prove we're human.

Apache: update to address vulnerability affecting Apache Tomcat JK Connectors 1.2.0 to 1.2.44. Issue could be exploited to access sensitive information.
