FFT news digest Dec 28 2018

Nosy Alexa

So Alexa, what have you been up to? It turns out that Amazon's personal assistant may be recording a lot more than its users realise. Alexa's voracious appetite was revealed by the German magazine Heise, which reported that Amazon sent some 1,700 recordings from Alexa-connected devices to a German user who had asked the company to give him all data related to him. The user was surprised, not only because the recordings included some taken in the shower but mainly because they belonged to a complete stranger. Indeed, the original requester didn't even own any devices connected to Alexa. As the article says, "the data revealed a lot about the victims [and] it was fairly easy to identify the person involved and his female companion." Voice assistants are undeniably convenient but it's worth keeping in mind the terms and conditions that govern their use. As Amazon makes clear, the voice recordings it makes are stored indefinitely.

The wonders of IoT

On the subject of Internet-connected devices, a flurry of stories demonstrates why being able to control a gadget remotely may not necessarily be a good thing. At the creepy end of the scale, the owner of a Nest security camera was taken aback when a stranger started talking to him through it to warn him it wasn't secure. The hacker broke into the camera with one of the user's passwords that had been reused across multiple sites and stolen from one of them. This week, the BBC revealed that a brand of hot tub could be hacked because of poor security. And researchers discovered that users of a popular home security system could view each other's videos because a vital password was so poorly protected. Both Amazon's Alexa and Philips Hue lightbulbs crashed over the holiday period, apparently because so many people had received them as gifts and tried to activate them at the same time. There are efforts to make manufacturers take security and reliability seriously. This week demonstrates yet again why they need to.

GDPR grows up

If 2018 was the year GDPR entered the public consciousness, 2019 is when the EU's data protection regulation is likely to show its teeth. So far, 3 fines have been announced (in Austria, Germany and Portugal) with a Portuguese hospital incurring the highest penalty of €400,000. The lessons from these cases are not new: notify early, co-operate fully and, above all, focus on the basics. The size of the fine in Portugal was driven by a failure to adopt adequate security measures, even though the hospital blamed the country's Health Ministry, which supplied its IT system. Regulators have made clear they are not seeking to make an example of offenders, but large fines are very likely to follow a failure to take basic security measures. And it's essential to stay up to date with guidance as it emerges from the European Data Protection Board (EDPB). In a recent example, the UK regulator issued new advice on Data Privacy Assessments in response to recommendations issued by the EDPB.

Lawful hacking

The American Civil Liberties Union and Privacy International are suing US federal agencies to reveal details of "lawful hacking." The lawsuit argues that "Law enforcement use of hacking presents a unique threat to individual privacy." The organisations want the agencies to disclose their hacking tools and methods, as well as the legal basis for employing them. Accusing the government of "troubling behaviour", they say the government commandeered an internet hosting service to set up an attack that could have spread malicious software to innocent people. They also say that, as part of an investigation into fake bomb threats, an FBI agent impersonated a journalist in order to compromise a suspect's computer. The agencies named in the lawsuit, which include the FBI and the Drug Enforcement Agency, have yet to respond.

Holiday season scams

US regulators have echoed a British warning about an ongoing scam which targets Netflix users. The Federal Trade Commission (FTC) used the example to highlight a campaign which tries to lure users into entering credentials and financial information on fake web pages. The quality of the lures varies. The example chosen by the FTC begins with a deeply unconvincing "Hi Dear", but the availability of ready-made kits means some emails can be highly realistic. And the fake sites can be configured to display the real homepage once your information has been stolen so that you don't realise what's happened. Obviously, Netflix is far from the only business affected by this type of campaign. Our advice is never to click on a helpful button or follow a link you're given to do anything that involves your personal information.

In brief

To cap 2018, Facebook has topped a poll which sought to identify the least trusted companies in the tech sector. As Recode reports, 40% of respondents doubted its ability to keep information safe. Twitter came next at...8%.

A vulnerability in Orange's LiveBox ADSL modems could allow an attacker to obtain their WiFi credentials by simply sending a request over the internet. Researchers say users should make sure the device firmware is up to date.

A new tech support scam creates a loop in Chrome browsers designed to crash the computer. If you need to restart your device, the key is not to restore closed webpages. Bleeping Computer has details.

Looking to dispose of some of your old phones and computers? Make sure you delete any data before you sell it, give it away or have it recycled. Microsoft, Apple and Google have advice.
