FFT news digest Jul 19 2019

Facebook

US Senators have demanded an explanation for an "egregiously inadequate" $5 billion fine against Facebook which actually led to a rise in its share price. Facebook had forecast the penalty earlier in the year when it announced first quarter earnings of nearly $15 billion. (Last year, it made profits of $22 billion.) The US Federal Trade Commission (FTC), which approved the fine, also secured agreement from Facebook for wider oversight of how it handles personal data. The FTC's investigation came after the Observer revealed that Facebook had allowed Cambridge Analytica to harvest information and exploit it without the permission of users. This meant Facebook broke a 2011 settlement with the FTC which followed accusations that it had misled users over how it handled their data. Many observers agree that true accountability will only come with personal responsibility, but that idea was reportedly too contentious for the FTC's taste.

Fake apps

More fake Android apps have been spotted, with malicious versions of Telegram and Deep Nude downloaded tens of thousands of times. The unofficial Telegram app (snappily named MobonoGram 2019) used real code from the messaging solution, but added some secret sauce of its own designed to promote malicious websites. As so often with such apps, it promised to add features to the original app as a way of enticing users to download it. In the case of Deep Nude, criminals have been taking advantage of its developers' decision to withdraw it from circulation. The app, which uses artificial intelligence to process photographs and create naked versions of clothed women, attracted a wave of criticism but criminals are betting some users would still like to get hold of it. Anyone who does download it might deserve the malicious, information-stealing software that comes with it. We recommend only downloading apps from trusted sources - and, even then, checking what they do first.

FaceApp

Sound and fury surrounded image-manipulation app, FaceApp, after an incorrect report said its Russian developers were harvesting users' photos and storing them on servers in Russia. In fact, the app uploads only the photo that a user wants to manipulate, does that in Google or Amazon's cloud services and deletes it shortly afterwards. FaceApp is great fun - and it's no surprise its ageing filter is so popular - but it's worth reading its terms and conditions before jumping on the bandwagon. Like pretty much every app involving photos, using FaceApp involves giving its developers very broad rights to do what they want with your content. Given that few of us can be bothered to wade through pages of legalese, Terms of Service Didn't Read provides an invaluable service to highlight issues with common apps and websites.

Email fail

Let's be honest, you can't stop phishing attacks, but you can make it much harder for criminals to use your domain in their campaigns. The best starting place is DMARC, which stands for Domain-based Message Authentication, Reporting and Conformance. But a report from 250ok has found that nearly 80% of organisations haven't implemented DMARC. That figure rises to 91.4% among non-profit organisations. Anyone who has adopted DMARC will know that it results in a deluge of daily reports from email providers and companies, but Microsoft is not among them. It stopped generating these reports in 2017, provoking criticism this week from the UK's National Cyber Security Centre which accused it of undermining email security. Microsoft told Computer Weekly it was looking at restarting the reports. The scale of crime driven by email is immense. This week, the US Treasury's Financial Crimes Enforcement Network calculated criminals are earning at least $300 million a month from email scams targeting businesses.
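As an added illustration of the two DMARC pieces the paragraph mentions (the published policy and the daily aggregate reports), the Python below checks a DMARC TXT record for a monitor-only policy and summarises a constructed aggregate report by source IP. This is example code written for this digest, not from 250ok, the NCSC or any mail provider; the records, domain and report are all made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed DMARC TXT records for _dmarc.example.com (illustrative, not real DNS data).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com"

def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    return dict(part.strip().split("=", 1) for part in txt.split(";") if part.strip())

def policy_gaps(txt):
    """Return human-readable weaknesses in a DMARC record (p=none and missing rua)."""
    tags = parse_dmarc_record(txt)
    gaps = []
    if tags.get("p", "none") == "none":
        gaps.append("p=none: receivers only monitor, spoofed mail is still delivered")
    if "rua" not in tags:
        gaps.append("no rua: you will receive no aggregate reports")
    return gaps

# Constructed aggregate (rua) report, cut down to the elements used below.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

def summarise_report(xml_text):
    """Count messages per source IP that passed or failed DMARC alignment."""
    root = ET.fromstring(xml_text)
    passed, failed = Counter(), Counter()
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        n = int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        aligned = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        (passed if aligned else failed)[ip] += n
    return {"policy": root.findtext("policy_published/p"),
            "passed": dict(passed), "failed": dict(failed)}

if __name__ == "__main__":
    print(policy_gaps(WEAK_RECORD), policy_gaps(STRICT_RECORD))
    print(summarise_report(SAMPLE_REPORT))
```

Sources that only ever appear under "failed" are the ones a move from p=none to p=quarantine or p=reject would start blocking, which is why reviewing the reports before tightening the policy matters.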

Slack reset

Collaboration platform, Slack, is resetting the passwords of thousands of users after new information emerged about a security breach that happened more than four years ago. Slack said it took the decision after discovering a collection of credentials that apparently came from the March 2015 breach. Anyone who has created their account (or changed their password) since then isn't affected. As Slack says, as well as using a secure password, you should turn on two-factor authentication which makes it much harder (though not impossible) to hijack your account. Slack's announcement came as a survey revealed that 72% of people still recycle passwords (millennials are the worst offenders). Security.org's report also found that 63% of respondents admitted using the same password for entertainment and business or banking sites. As regular readers will know, we believe that for most people the least worst approach to passwords is a Password Manager. We have a guide here.

Microsoft alerts

Microsoft may have paused its DMARC reporting, but it does have a highly active mechanism for alerting users if they're the target of a nation-state hacking group. Over the past year, Microsoft said it had notified nearly 10,000 users that they had been targeted or compromised in such attacks. The vast majority of these were enterprise users, with only 16% of attacks focussed on personal email accounts. Most attacks originated in just three countries: Iran, North Korea and Russia. Microsoft said it had uncovered "attacks specifically targeting organizations that are fundamental to democracy," including non-governmental organisations and think-tanks. "The world's democracies remain under attack," it said. Microsoft's AccountGuard solution is designed to help these organisations stay safe. It's now available in 26 countries.

In brief

Welcome news from Google which has removed multiple Android apps from the Play Store. The move came after security company, Avast, found that the main purpose of the apps was to support stalking.

A reminder to turn off Bluetooth when you're not using it. Researchers say vulnerabilities mean it could be possible to track Windows 10, iOS and macOS devices that incorporate it.

Finnish security firm, F-Secure, has developed a portal to make it easier to see what information technology companies have gathered about us. Meanwhile, Facebook has launched a tool in the UK to combat scam advertisements.

Following reports of widespread attacks targeting Domain Name System records, the National Cyber Security Centre (NCSC) has published advice to help defend against this type of threat.

Users of porn websites have a misguided notion of privacy, according to academic research. The authors analysed an (extraordinary) 22,484 porn sites and found 93% of them leaked information. A reminder that incognito mode only hides activity on your browsers, not anywhere else.

Blurring lines between science fiction and fact with Elon Musk. This week, he announced that the final goal of his brain/machine interface programme ('Neuralink') is to allow humans to “achieve a symbiosis with artificial intelligence.” It remains to be seen how realistic this actually is.

The potential vulnerabilities in internet-connected devices mean security researchers will never get bored. This week, Pen Test Partners managed to find a way to set fire to a house by hacking a smart hair straightener.

Updates

Iomega: Emergency firmware patch for Iomega network-attached storage devices after researchers found files on them could be accessed over the internet through an insecure software interface.

Microsoft: Update for Windows Defender Application Control to fix issue that could allow security feature to be bypassed.

Cisco: Updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

Oracle: 319 security fixes across multiple product families.

Drupal: Emergency update released to address "critical" vulnerability. The new version is 8.7.5.

Zimbra: Zimbra 8.8.12 “Isaac Newton” Patch 4 and 8.7.11 Patch 13 fix a number of bugs, most related to image handling.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217