FFT news digest May 31 2019

United front

A British government proposal to circumvent the end-to-end encryption used by services like WhatsApp has succeeded in uniting technology giants, civil rights organisations and security experts in opposition to it. The proposal was put forward by the UK security agency, GCHQ, in an effort to solve the intractable issue of how to access encrypted messages without breaking the mechanisms that underpin much of modern communication and commerce. GCHQ's idea was to create a 'ghost user' which could be added to a chat or call without the users' knowledge. For that to work, the service would have to add an extra key to the conversation and suppress the notice that normally tells participants a new member or device has joined, and that notice is precisely what end-to-end messengers rely on so users can check who holds the keys. An open letter rejected the idea, saying it would "undermine the authentication process that enables users to verify that they are communicating with the right people, introduce potential unintentional vulnerabilities, and increase risks that communications systems could be abused or misused."

Video games

US House Speaker, Nancy Pelosi, has condemned Facebook for refusing to take down a video of her that had been edited to make her appear drunk or ill, or both. Speaking to San Francisco public radio station, KQED, she accused Facebook of "wittingly" enabling Russia to spread misinformation. The video had been altered to slow down Pelosi's speech and make it sound as if she was slurring her words. While it hasn't deleted the video, Facebook told CNN that it was alerting people that it was false, and had 'downranked' it, saying "it was important for people to make an informed choice." Facebook then went on to say, "our job is to make sure we are getting them accurate information." Meanwhile, Facebook's two most senior executives failed to attend a parliamentary hearing in Canada being held as part of a forum investigating the impact of technology on democracy.

Huawei

The dispute over Chinese technology giant, Huawei, shows no sign of resolution. As French news agency, AFP, published details showing Huawei has received state subsidies and grants totalling hundreds of millions of dollars, the company returned to court in the US to try to overturn legislation stopping federal government agencies from buying its products. US companies have also been banned from selling technology to Huawei. That ban has been put on hold for 90 days but, for Huawei retail customers, it represents the most serious element of the dispute. This is because if it comes into force, it will mean Huawei phones no longer receive Google's Android security updates, and an unpatched phone is a significant security risk. Huawei is working on its own operating system but has admitted to Chinese media that "this is not necessarily a substitute". While Huawei makes excellent phones and we don't regard them as a threat in themselves, the potential lack of updates means they're not a prudent purchase at the moment.

Access all areas

Another week and another crop of security breaches, this time affecting Flipboard; graphic design app, Canva; and US insurance giant, First American. The most serious of these involved First American leaking hundreds of millions of mortgage documents which included bank account numbers, tax records and driving licence images. The issue appears to have been caused by a classic security failure, known as an insecure direct object reference: documents were served from sequentially numbered links with no check that the person requesting a document was entitled to see it, so anyone who knew the address for one document could view others by changing a digit in the link. The incident was reported by Brian Krebs, who said the earliest document dated back to 2003. And this week, details emerged showing that staff at Grindr and Snapchat were given access to sensitive user data. Reuters reports that US officials were so concerned by what had happened at Grindr that they demanded its Chinese owners, who bought the app last year, sell it.
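The failure described above, as an added illustration (constructed by the editor, not code from First American or anyone else named in this digest): an in-memory document store with a handler that trusts the id in the link, beside one that checks ownership server-side. The store, account names and the sample "mortgage file" bodies are invented for the example; the attacker simply walks the id space the way the leak allowed.

```python
"""Insecure direct object reference (IDOR): the failure class behind
document links that can be walked by changing one digit.
Constructed example with an in-memory store; not code from any of the
companies named in the digest."""

import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str      # the account entitled to read this document
    body: str


class DocumentStore:
    """Holds documents keyed by id. Two id schemes are offered so the
    enumeration below can be tried against each."""

    def __init__(self) -> None:
        self._docs: Dict[str, Document] = {}
        self._next_seq = 1000   # sequential ids, like /documents/1000

    def add_sequential(self, owner: str, body: str) -> str:
        doc_id = str(self._next_seq)
        self._next_seq += 1
        self._docs[doc_id] = Document(doc_id, owner, body)
        return doc_id

    def add_random(self, owner: str, body: str) -> str:
        # 256-bit token from the OS CSPRNG: cannot be walked by incrementing
        doc_id = secrets.token_urlsafe(32)
        self._docs[doc_id] = Document(doc_id, owner, body)
        return doc_id

    def get(self, doc_id: str) -> Optional[Document]:
        return self._docs.get(doc_id)


class AccessDenied(Exception):
    pass


def fetch_vulnerable(store: DocumentStore, requester: str, doc_id: str) -> Document:
    """Vulnerable handler: the id in the URL is the only thing checked.
    Whoever can reach the endpoint can read every document."""
    doc = store.get(doc_id)
    if doc is None:
        raise AccessDenied(doc_id)
    return doc


def fetch_hardened(store: DocumentStore, requester: str, doc_id: str) -> Document:
    """Hardened handler: authorisation is decided server-side from the
    requester's identity, never from the URL. 'Not found' and 'not yours'
    give the same answer so the id space cannot be mapped."""
    doc = store.get(doc_id)
    if doc is None or doc.owner != requester:
        raise AccessDenied(doc_id)
    return doc


Fetcher = Callable[[DocumentStore, str, str], Document]


def walk_ids(store: DocumentStore, attacker: str, start: int, count: int,
             fetch: Fetcher) -> List[Document]:
    """What the attacker does: request /documents/<start>, <start+1>, ...
    and keep whatever comes back."""
    found = []
    for n in range(start, start + count):
        try:
            found.append(fetch(store, attacker, str(n)))
        except AccessDenied:
            pass
    return found


def demo() -> dict:
    store = DocumentStore()
    for owner in ("alice", "bob", "carol"):
        store.add_sequential(owner, f"mortgage file for {owner}")
    dave_id = store.add_random("dave", "mortgage file for dave")

    # 'mallory' owns nothing; she just walks the sequential id space.
    leaked = walk_ids(store, "mallory", 1000, 10, fetch_vulnerable)
    blocked = walk_ids(store, "mallory", 1000, 10, fetch_hardened)

    # The legitimate owner is still served by the hardened handler.
    own = fetch_hardened(store, "bob", "1001").owner

    # A random id defeats enumeration, but if the link ever leaks the
    # vulnerable handler still serves it to anyone; only the ownership
    # check stops that.
    random_id_vuln_owner = fetch_vulnerable(store, "mallory", dave_id).owner
    try:
        fetch_hardened(store, "mallory", dave_id)
        random_id_hardened_readable = True
    except AccessDenied:
        random_id_hardened_readable = False

    return {
        "vulnerable_leaked": [d.owner for d in leaked],
        "hardened_leaked": [d.owner for d in blocked],
        "owner_served": own,
        "random_id_vuln_owner": random_id_vuln_owner,
        "random_id_hardened_readable": random_id_hardened_readable,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the last part of demo() is that unguessable ids are a useful second line of defence but not the fix: a link can be forwarded, logged or cached, and only the server-side ownership check prevents the recipient reading it.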

Tracked

It's 3am. Do you know what your iPhone is doing? The Washington Post asked that question and the article answering it revealed the enormous amount of data being sent to third parties. Among the apps monitored by the Post were Microsoft, Nike, Spotify...and the Washington Post. Many apps need to transmit data in order to work (Uber and Lyft are obvious examples), but the Post points out that the nocturnal transmissions it spotted undermine Apple's claim that "What happens on your iPhone stays on your iPhone." We believe there is far too little transparency about this type of data collection, a belief borne out by research that shows most users of online search engines have little idea about the information being gathered about them. ComputerWeekly reports that the study, based on analysis of Ofcom findings, showed 64% of those questioned were unaware a unique identifier was among the details being collected.

Facial recognition

Last week, San Francisco moved to ban the use of facial recognition. This week, it emerged that a school district in New York is about to begin testing a "facial and object recognition system." BuzzFeed News says Lockport City School District is spending $1.4 million on the Canadian-made system called Aegis. A letter to students' parents, obtained by BuzzFeed, describes Aegis as "an early warning system" that will alert staff when it spots a designated individual. As well as being able to recognise people, the software is designed to identify 10 types of firearms. The funding for the test comes from a scheme called the New York Smart Schools Bond which was intended to enable schools to buy the latest computers and smartphones for educational purposes. Lockport City School District obviously had other ideas. According to BuzzFeed it's the first of its kind to test such a system. It's unlikely to be the last.

In brief

Equifax has become the first company to have its credit outlook downgraded because of a data breach. Moody's revised its outlook on the company from stable to negative, saying the 2017 incident would have a lasting effect on the company's security spend and infrastructure costs.

Three alleged tech support fraudsters have been charged in a New York court with stealing at least $1.3 million from elderly victims. The FBI complaint details how the scams work, and shows how frightening and effective they can be, particularly with older computer users.

A new phishing campaign is targeting Office 365 users by claiming there has been an unusual number of file deletions on their accounts. Bleeping Computer reports that clicking on the "View alert details" link takes users to a fake Microsoft account login page.

Attackers based in China have breached more than 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Guardicore Labs said the attack was further evidence that common criminals had ready access to tools which previously had been the preserve of nation state-level hackers. A properly configured firewall that limits which services a server exposes to the Internet will help prevent attacks of this kind; better still is to achieve the UK government-backed Cyber Essentials standard.

Be cautious when using social media to engage with customer support services. The Mirror has details of a UK woman whose bank account was cleared out after her tweet to Virgin was intercepted by criminals.

Microsoft says the latest Windows update could cause WiFi problems for computers with Qualcomm wireless network adapters. It's put a hold on updates for affected devices and advises users to download an updated driver.

Updates

Microsoft: With apologies for harping on about this, please do make sure you've updated your Windows devices to protect against a critical vulnerability in Microsoft's Remote Desktop Protocol (CVE-2019-0708, widely known as BlueKeep). Attackers have been spotted scanning the Internet for vulnerable systems. The issue is so serious that updates were issued even for operating systems that are no longer supported. If you can't patch immediately, don't leave RDP reachable from the Internet, and enable Network Level Authentication, which Microsoft says partially mitigates the flaw by requiring a login before the vulnerable code is reached.

Windows 10: Microsoft is also rolling out a new cumulative update to fix issues with its previous version.

Apple: iOS 12.3.1 fixes issues with voice over LTE calls as well as iMessage filtering and reporting.

Apple: AirPort Base Station Firmware Update 7.9.1 addresses vulnerabilities in AirPort Extreme and AirPort Time Capsule wireless routers which could be exploited to take control of an affected system.

SecureDrop: Version 0.13.0 has a number of bug fixes and removes all remaining support for Ubuntu 14.04.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217