FFT news digest Jan 25 2019

GDPR bites

France has fined Google €50 million in the first significant action since enforcement of the General Data Protection Regulation (GDPR) began last May. The French data regulator found that Google had failed to make information transparent to its users, had not provided adequate information to them and lacked valid consent for the way advertisements were personalised. Google is appealing against the fine, saying its consent process "is as transparent and straightforward as possible." The complaint against Google was brought by an NGO which has also filed similar cases against eight international streaming services, including Amazon Prime, Netflix and Spotify. This will be the start of a protracted contest between the European approach to privacy and some of the most profitable enterprises the world has seen.

Struggle for compliance

Eight months after the enforcement of the GDPR began, 41% of organisations say they are not fully compliant with the regulation. But Cisco's Data Privacy Benchmark Study has good news for companies that have invested in data privacy, saying they are realising real business benefits as a result. Cisco is hardly a disinterested party in this, but its survey is based on responses from 3,200 people in 18 countries and it does provide a comprehensive picture of privacy practices around the world. Perhaps not surprisingly, implementing measures for GDPR compliance makes data breaches less likely - and less costly if they do happen. The survey echoes our own views that data protection is not about compliance, but makes good business sense for any organisation. For SMEs, the UK regulator recommends Cyber Essentials, and to support GDPR compliance, we recommend achieving the IASME Gold standard.

Nest missiles

A family in California was thrown into "five minutes of sheer terror" after a hacker took over their Nest security camera and broadcast a fake warning about an imminent ballistic missile attack. The family told the Mercury News that the warning sounded like an emergency broadcast alert which said North Korean missiles were heading for Los Angeles, Chicago and Ohio. For good measure, it added that the US had retaliated and people had three hours to evacuate the affected areas. Eventually, the family realised the source of the warning was their security camera and said Nest told them they were the victim of a data breach. In reality, like many other Nest owners in recent weeks, the camera was probably compromised because the owners reused a password which had been stolen elsewhere and which is among the billions of credentials available for sale. It's a vivid illustration of why password reuse is such a bad idea... and why using a password manager makes sense.

Crime trends

New crime statistics for England and Wales show a sharp rise in social media and email hacking, as attackers focus on social engineering as their weapon of choice. The Crime Survey showed an overall fall in the number of computer misuse offences, which it attributes to a decline in cases involving malicious software (down 45% to 534,000 offences). But it also points out that many incidents are not reported and that, compared to other crimes, cyber attacks are more likely than physical violence, theft and robbery. Last year, the UK police lead for cyber and economic crime described cyber crime as the most significant harm in the UK and said the volume of incidents was putting increasing pressure on constrained police resources.

2FA under attack

Surveillance solutions are so expensive that one government decided to build its own tools rather than pay the price for solutions from the leading exploit brokers. Lamentably poor security meant that researchers from mobile security firm Lookout were able to view communications between the government's intelligence agency and a number of providers of hacking solutions. After a review of bids and tests, the agency decided to create its own tools, saying, "This is the only inexpensive way to get to the iPhone, except for the [Israeli] solution for 7 million and that's only for WhatsApp." Lookout believes the home-grown solutions have been successful and warns that such tools are often commercialised for use against enterprises. Lookout hasn't named the country because it believes the operations it has discovered are still active.

Free VPN warning

We do our best to avoid jargon, and new research suggests we're right to do so because many people have no idea what terms like "phishing" actually mean. Proofpoint's State of the Phish report surveyed 3,000 technology users to gauge their understanding of common cybersecurity jargon and concluded that it's essential to use language that can be readily understood. The report also reminds us not to assume that younger "digital natives" are more secure because they have grown up with digital devices. Indeed, in many cases, they turned out to be less cyber-aware than people over the age of 54. Proofpoint finds yet another rise in phishing attacks (where a user is lured into revealing confidential information). If you want to test your ability to spot fake messages, Google has developed an online quiz which highlights the key things to look out for.

In brief

A clever version of the fake voicemail scam is doing the rounds. This one uses an email attached to an email (as an EML file) to deliver what appears to be a notification of a voicemail. Clicking on the notification takes the user to a fake Microsoft login page in an attempt to steal the user's credentials.

Apple user with a post-2016 MacBook Pro? If your display is misbehaving, you're not alone. Thousands of owners have signed a petition calling on Apple to fix their failing displays.

Following days of intermittent internet blackouts in Zimbabwe, connectivity has been restored through a High Court order. Internet outages are becoming an increasingly common tool for governments during times of heightened tension.

Microsoft's mobile Edge browser has begun warning of fake news sites, with the Daily Mail prominent amongst its victims. The alerts are issued by a tool built into the browser which says the Mail's site "generally fails to maintain basic standards of accuracy and accountability".

Responding to a stream of news stories about data leaks from unsecured storage, the UK's National Cyber Security Centre has advice for users of Amazon Web Services (AWS). The NCSC explains why mistakes happen - and how to avoid them.

Updates

Outdated software is a huge security risk because updates are often designed precisely to address vulnerabilities that could be exploited. Research from Avast suggests more than half of PC applications are out of date, with Adobe Shockwave, VLC Media Player and Skype the most neglected. It is worth checking your software fortnightly to make sure it's up to date - and deleting anything you no longer use.

Apple: updates for iOS and macOS include security fixes, but some users are reporting that the iOS update (12.1.3) is causing connection problems with cellular data. Updates are also available for iCloud for Windows, Safari, watchOS and tvOS.

Cisco: updates for SD-WAN, Webex, Firepower, IoT Field Network Director, Identity Services Engine and Small Business routers, including one rated "Critical".

Adobe: the third security update in as many weeks addresses bugs in Adobe Experience Manager and Adobe Experience Manager Forms.

SecureDrop: version 0.11.1 includes a security fix for a vulnerability in the APT package manager.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217