FFT news digest Aug 23 2019

Facebook

There's been a lukewarm reaction to Facebook's new privacy tools, which it launched this week. The tools are supposed to let web users control the data that Facebook accumulates from their browsing activity. 'Off-Facebook Activity' provides a summary of the apps and websites that send information, and it can 'clear' the history of that activity. In reality, clearing the history doesn't delete it; it just delinks it from your profile (and how effective even that is remains questionable). Facebook has come under increasing pressure about the scale of its data-gathering, and in February Germany prohibited it from combining user data from different sources without explicit permission. The aggregation of data is central to Facebook's business model, so it's retaining that capability while theoretically creating the ability to separate it from an individual profile. So far, the tool is only available in Ireland, Spain and South Korea. We predict this is far from the end of the story.

LinkedIn

LinkedIn is an invaluable resource for employers, recruiters and job seekers, but it's also a vital tool for spies and criminals. This week, LinkedIn revealed it had blocked or removed 21.6 million fake accounts in the first six months of this year. 95% of those were stopped at the registration stage - but 2 million were only removed after they went live and 67,000 after members reported them. We advise taking extreme care about accepting connection requests and making sure you lock down the amount of information people can see. For example, telling everyone the name of the school at which you're a parent governor is providing an attacker with vital intelligence about how to target you, a family member or a connection. LinkedIn does provide reasonably effective tools to make your account more secure. Go to the Settings & Privacy tab (under your photo) and begin by checking your public profile. This determines what details can be seen and by whom. LinkedIn frequently changes the way these settings work, so these checks are worth repeating every few months.

China's social media story

China has provided a case study in how social media platforms are used in government disinformation campaigns. As Forbes reported, Twitter allowed Chinese state media to place promoted tweets that attacked protesters in Hong Kong. Within 24 hours both Twitter and Facebook had suspended hundreds of accounts, which Twitter described as being part of a "significant state-backed information operation...deliberately and specifically attempting to sow political discord in Hong Kong." For its part, Facebook removed accounts, pages and groups and said the individuals behind them had engaged in "deceptive tactics". Google also closed 210 YouTube channels, although it stopped short of explicitly blaming China for them. Ironically, Facebook and Twitter are banned in China but they earn substantial revenue from advertising placed by Chinese companies. The South China Morning Post says their swift action against Chinese disinformation may put that revenue at risk.

Facial recognition

The uncontrolled use of facial recognition technology may be coming to an end, according to the Financial Times. The paper says (£) the European Commission is working on legislation that would give EU citizens explicit rights over the use of their facial recognition data. It says the move is part of a more general plan to overhaul the way Europe regulates artificial intelligence. Last week, the UK data protection regulator said it would investigate the use of facial recognition technology in a development near London's King's Cross. "Scanning people's faces as they lawfully go about their daily lives, in order to identify them, is a potential threat to privacy that should concern us all," the Information Commissioner said. On Wednesday, Sweden's data protection authority fined a school for breaching students' privacy rights by using facial recognition to monitor their attendance.

Watch out for blank emails

Business Email Compromise (BEC) is a multi-billion-dollar scam that every organisation is likely to experience eventually. This week, researchers described how criminals carry out reconnaissance against potential targets. Agari said blank, unsolicited emails are sent to validate lists of contacts that have been built up by 'lead generators': a message that isn't bounced confirms the address is live. As Agari explains, the criminals behind BEC are highly organised and operate along the same lines as commercial businesses. Agari says that in one case blank reconnaissance emails were sent to more than 7,800 email addresses at over 3,200 companies in at least 12 countries. In one of the latest examples of BEC, criminals stole more than US$1 million from the Canadian city of Saskatoon by impersonating a construction company that had been contracted to repair a bridge.
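One way a defender can hunt for the blank reconnaissance emails Agari describes, as an added example that is not from the digest or from Agari: it parses a constructed, hypothetical mail-gateway log format and flags external senders whose empty messages reached several distinct internal mailboxes in a short space of time.

```python
import re
from collections import defaultdict

# Constructed sample of a hypothetical mail-gateway log (one message per line); not real traffic.
SAMPLE_LOG = """\
2019-08-20T09:01:12Z from=ann.lee@leadgen-example.test to=ceo@corp.example subject="" body_bytes=0
2019-08-20T09:01:15Z from=ann.lee@leadgen-example.test to=cfo@corp.example subject="" body_bytes=0
2019-08-20T09:01:19Z from=ann.lee@leadgen-example.test to=ap@corp.example subject="" body_bytes=0
2019-08-20T09:02:40Z from=bob@supplier.example to=ap@corp.example subject="Invoice 4471" body_bytes=2310
2019-08-20T09:05:01Z from=carl@corp.example to=ceo@corp.example subject="" body_bytes=0
2019-08-21T11:15:33Z from=x9@freemail.example to=hr@corp.example subject="" body_bytes=0
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'subject="(?P<subject>[^"]*)" body_bytes=(?P<size>\d+)$'
)

def parse_log(text):
    """Parse the hypothetical log format above into a list of dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["size"] = int(ev["size"])
            events.append(ev)
    return events

def is_blank_probe(ev, internal_domain):
    """A blank probe: empty subject and body, sent from outside to an internal mailbox."""
    sender_dom = ev["sender"].rpartition("@")[2].lower()
    rcpt_dom = ev["rcpt"].rpartition("@")[2].lower()
    return (ev["size"] == 0 and ev["subject"].strip() == ""
            and sender_dom != internal_domain and rcpt_dom == internal_domain)

def blank_probe_senders(events, internal_domain, min_recipients=2):
    """External senders whose blank mails reached >= min_recipients distinct internal mailboxes.

    Returns {sender: sorted probed recipients}. A single stray blank message is
    ignored by default; lower min_recipients to surface those too."""
    hits = defaultdict(set)
    for ev in events:
        if is_blank_probe(ev, internal_domain):
            hits[ev["sender"]].add(ev["rcpt"])
    return {s: sorted(r) for s, r in hits.items() if len(r) >= min_recipients}

if __name__ == "__main__":
    for sender, rcpts in blank_probe_senders(parse_log(SAMPLE_LOG), "corp.example").items():
        print(f"blank-probe sender {sender} validated {len(rcpts)} mailboxes: {', '.join(rcpts)}")
```

The mailboxes listed for a flagged sender are the ones now confirmed live to the attacker, so they are the users to warn about follow-up impersonation attempts.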

Voice assistants

Predictably, criminals have figured out that voice assistants like Alexa are an enormous help in persuading people to call fake customer support numbers. These scams rely on fraudsters creating fake phone numbers and then finding ways to ensure they appear at or near the top of search results. Obviously, if you ask a voice assistant to search for a customer support number it may pick one that's fraudulent. The US Better Business Bureau has several examples in which users have lost money and it has advice on how to avoid joining them. As we say in our training courses, criminals know that we tend to take the easiest course of action - or at least the one that's quickest. That's why we say it's essential to be on your guard when doing anything involving sensitive information or financial matters.

In brief

iPhone users are advised to be careful about which apps they download after news that Apple's latest iOS update contains a fundamental flaw. A researcher found that the 12.4 update undid a previous fix, meaning a device's basic security protections could be defeated. If you're not already on 12.4, we recommend staying on 12.3 until Apple sorts itself out.

Many common router brands lack adequate security in the way their guest networks are configured, according to researchers at Ben-Gurion University. "All of the routers we surveyed regardless of brand or price point were vulnerable to at least some cross-network communication," they said.

A phishing campaign is using fake DocuSign emails to target specific individuals at a variety of organisations, according to Proofpoint. The emails lead to login pages designed to steal credentials for online services. Unusually, the fake pages are hosted on AWS enterprise storage.

Old hoaxes don't die, they just wait for celebrities to retweet them. The latest example is the "All your Instagram data will be published" meme, which went viral thanks to Usher, Julianne Moore, Julia Roberts and Rob Lowe among others. Needless to say, it wasn't true when it first appeared in 2012 and it's not true now.

There are an estimated 40 million old computing devices in the UK, and the Royal Society of Chemistry has urged their owners to recycle them. If you do sell or recycle an old device, follow this advice to make sure there's no sensitive data left on it.

Updates

Windows 10: Microsoft has confirmed reports of problems with the latest (version 1903) update. The most common error codes are 0x80073701, 0x800f0982, 0x800f081f, 0x800f0845, and 0x8024200D. Microsoft says it's working on a fix but hasn't given an estimated time of arrival for it. We recommend you review Microsoft's guidance which details the issues and offers advice.

Microsoft: Microsoft has begun releasing fixes for Visual Basic and VBScript issues introduced in recent Windows updates.

Microsoft Android: Microsoft has advised users to update the Microsoft Remote Desktop for Android app because of a previously-undisclosed vulnerability.

VLC: The 3.08 update addresses 13 security vulnerabilities which could be exploited by opening a malicious WMV, MP4, AVI, or OGG file. VLC is one of the programs users most often leave unpatched, and the habit of opening pirated videos in it makes this a significant risk.

Cisco: New updates address 33 security alerts, including 6 rated 'critical' in Small Business 220 Series switches and UCS Director software.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217