FFT news digest Aug 9 2019

Weaponising the GDPR

A researcher has demonstrated the abject failure of many organisations to verify the identity of someone requesting access to the information held about them. In a presentation at the Black Hat security conference, the Oxford University PhD student explained how he had obtained highly sensitive information about his fiancée (with her permission), including credit card and social security numbers, passwords, and her mother's maiden name. Under the General Data Protection Regulation, EU residents are entitled to be given the data an organisation holds about them. Obviously, this makes it critical to check that the person requesting the data is the person it relates to. In this case, a quarter of organisations simply accepted an email address and phone number as proof of identity. It's a reminder that it's essential to have robust procedures in place for responding to Data Subject Access Requests.

Phone fraud

Employees at US phone giant AT&T took more than $1 million in bribes as part of a scheme to fraudulently unlock mobile phones, according to the Department of Justice. The DOJ said a Pakistani man was arrested and extradited to the US in connection with the charges. In one case, an AT&T employee received $428,500 over the 5-year scheme. In the UK, a BBC investigation last year found O2 and Vodafone employees were bypassing ID checks and handing replacement SIM cards to potential criminals. Fraud linked to mobile phones is an increasingly widespread problem, and it's essential to ensure your cellular account is as well protected as possible. It's also why text-based verification codes are less secure than authenticator apps.

Printer risks

Researchers have found significant vulnerabilities in six commonly used enterprise printers. NCC Group tested models from HP, Ricoh, Xerox, Lexmark, Kyocera and Brother and said that, using basic tools, it found flaws, some of which dated back 30-40 years. Some bugs were uncovered within minutes. The issues could be used in a variety of ways, including launching denial of service attacks and spying on jobs sent to the printer. Updates to address the vulnerabilities have been released or will be soon, so it's essential to make sure devices are up to date. "Because printers have been around for so long, they're not seen as enterprise IoT devices, but they're embedded in corporate networks and therefore pose a significant risk," NCC Group said.

Listening in

In one of the week's less surprising news stories, Microsoft confirmed that contractors are listening to audio from translated Skype calls and commands to its Cortana voice assistant. Microsoft said it obtained "customers' permission before collecting and using their voice data...and put in place several procedures designed to prioritise users' privacy." Microsoft was responding to a story published by Motherboard, which pointed out that the company's privacy policy does not make it clear conversations will be reviewed by humans. Apple, Amazon and Google have all come under scrutiny over their use of voice data, but the reality is that artificial intelligence needs human input to improve. If we use this technology, whatever companies say, it's likely someone, somewhere will be listening in at some point.

Warshipping

A time-honoured way to defeat a target's security is to simply send a malicious device in the mail. This week researchers demonstrated how effective this type of attack can be. IBM's X-Force built a low-cost device that fits in the palm of your hand and is designed to be hidden in one of the countless packages received by corporate mailrooms. Once the device arrives, it can be remotely controlled over a cellular connection and used to run tools to gather information about the target's wireless network. As IBM points out, this type of attack could be particularly effective at times of the year when large numbers of packages are shipped. Their write-up includes excellent basic security practices to reduce the risk of such attacks. As they say, "Treat your packages like you would treat a visitor."

Privacy. What privacy?

More privacy issues for social media companies, as it emerged that Instagram and Twitter may have shared personal data without permission. Instagram removed a marketing company called Hyp3r from its platform after Business Insider revealed that massive amounts of data had been collected in violation of the social network's policies. Hyp3r had been using the information to build up detailed profiles of people's movements and interests. Meanwhile, Twitter said it might have shared information with external companies without first obtaining users' permission. It also used information about users' devices, again without their permission.
