FFT news digest Apr 5 2019

Facepalm

There's been a less than effusive welcome for Mark Zuckerberg's call for governments and regulators to play a more active role in policing the Internet. The Electronic Frontier Foundation said his call for a "standardized approach" to "harmful content" would inevitably run into problems with trying to define such content. It added that Zuckerberg "does not speak for the Internet" and, if governments and regulators want to explore new rules for it, he is the last person to ask for advice. Zuckerberg's Washington Post article came shortly before Australia approved a social media law which will penalise online platforms that fail to take down violent material. The law, which lacks precision in many areas, provides for jail terms of up to 3 years for anyone working for a company that fails to remove material "expeditiously".

Scraping contacts

Another week and another dent in Facebook's battered reputation, as it emerged that it has been exploiting the sign-up process for some users to import their contacts. The saga began when a security consultant found Facebook asking new users to hand over their email passwords in order to confirm their contact information. After widespread condemnation of a "horrible" security practice, Facebook said it would stop doing it. But not before the Electronic Frontier Foundation was able to analyse what was happening. Its conclusion: "Before users had the chance to consent to any kind of data collection, Facebook was scraping their email accounts for all of their social connections." Meanwhile, Upguard found details of at least 540 million Facebook accounts were exposed on the Internet because third-party apps had failed to secure them. Most of the data was being used by a Spanish-language app called Cultura Colectiva. Another smaller collection contained Facebook passwords. It's another reminder not to reuse passwords - or Facebook's single sign-on service.

Cyber questions

A UK government survey shows a growing awareness of the importance of cyber security among British organisations, but the report raises as many questions as it answers. The Cyber Security Breaches Survey 2019 combined a telephone survey and face-to-face interviews, and found more than three-quarters of organisations regarded cyber security as a high priority. But it also revealed key shortcomings, including a failure to regard suppliers as a potential source of risk; only 18% of businesses required their suppliers to adhere to any cyber security standards. Security incident management processes were equally rare, while under 60% of businesses had sought external information or guidance on cyber security. 

Cyber espionage

Strange tales from the frontlines of cyber espionage, with Saudi Arabia accused of hacking the phone of Amazon's CEO, and a Chinese woman caught with a dodgy USB stick at President Trump's Florida resort. Saudi Arabia told CNN that it rejected allegations it had gained access to Jeff Bezos' phone and to private information on it. The claims, made by the Amazon chief's security consultant, asserted that the hacking was part of a Saudi surveillance campaign which ultimately led to the killing of the journalist Jamal Khashoggi (who worked for the Washington Post, which Bezos owns). Separately, a 23-year-old Chinese woman was arrested after bluffing her way into the Mar-a-Lago resort during a visit by President Trump. She was carrying four cellphones, as well as a USB drive infected with malicious software.

Media targets

Reuters says a BBC talk show host and the chairman of Al Jazeera were among prominent media figures in the Arab world who were spied on as part of a secret intelligence program mounted by the United Arab Emirates. The claim comes in a report that follows up Reuters' investigation into the work of a group of American hackers who once worked for US intelligence agencies. Reuters said it had seen documents showing that the operation targeted the iPhones of at least 10 journalists and media executives. The aim was apparently to find material that could show the Qatari royal family had influenced the coverage of Al Jazeera and other media outlets. The operation is reported to have taken place in 2017 during a period of extreme tension between the UAE, its allies, and Qatar, which they accused of sowing unrest in the Middle East.

Social media policies

The case of an Australian government employee sacked because of her tweets has highlighted the importance of ensuring social media policies are clear and don't restrict freedom of speech. Michaela Banerji worked for the Department of Immigration and Border Protection and, in anonymous tweets, criticised the government, its immigration policy, and her supervisor. After her dismissal, her claim for workers' compensation was rejected and she appealed, arguing an implied freedom of political communication had been abused. The case is now before Australia's High Court and, as UK law firm Pinsent Masons points out, whatever the outcome, it's a reminder to organisations to ensure they have a specific social media policy rather than trying to include complex issues in a general policy on use of IT.

In brief

Predictably, the end of the UK tax year has sent fraudsters into overdrive with reports of a torrent of tax-related phishing emails and malicious software. Other popular phishing subjects this week include fake confirmation emails from Amazon. Remember - if in doubt, ignore!

Sextortion emails continue to flood inboxes and the latest variant includes password-protected PDF files in an attempt to make them more credible. Trustwave says the emails, which claim to be from the CIA, direct targets to a service which provides access to files in return for a payment in Bitcoins.

D-Link and other popular routers are being targeted in a 'DNS Changer' attack. Bad Packets says the aim is to redirect traffic by altering the DNS settings in the victim's router. The best defence is to check regularly that your router's firmware is up to date.

Chinese smartphone manufacturer Xiaomi makes keenly-priced Android smartphones. According to Check Point, the phones also come with a pre-installed security app that could allow an attacker to take over the phone. Xiaomi has released an update to fix the issue.

The UK is a procurement fraud “capital” with 31% of businesses subjected to contract bid rigging and 43% to duplicate invoices. Analytics business, SAS, says the UK lags behind other countries in detection and losses are significantly higher than elsewhere.

Updates

Apache: Update for HTTP Server to address a potentially serious elevation of privilege vulnerability.

Cisco: Updates for Hyperflex software (rated 'High') and for long-standing issues with RV320/RV325 small business routers.

Zimbra: Zimbra Collaboration 8.8.12 (aka “Isaac Newton”) includes support for folder sharing and integration with storage solutions that are compatible with Amazon S3.

Skype: Android Police reports that Microsoft is working on an update to address an issue with its Android app which means calls are answered automatically even when the auto-answer feature is turned off.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217