FFT news digest Nov 15 2019

Record

With over a month still to go, 2019 is already on course to break the record for the most data breaches and exposed account details in a single year. Risk Based Security says there were 5,183 data breaches and 7.9 billion records exposed in the first 9 months of the year. That's an increase of 33.3% over the same period last year. While 'malicious actors' continue to be a key problem, the company says over 6 billion records were exposed because they weren't secured properly (or at all). "What stands out is that we are often our own worst enemy. Whether it’s a phishing campaign that ultimately provides malicious actors with a toehold into systems or misconfigured databases and services that leave millions of sensitive records freely available on the internet, it seems to be human nature coupled with weak controls that contributed heavily to the number and severity of breaches we’ve seen this year," Risk Based Security says. 

Watching

Facebook has updated its iPhone app after users noticed it was turning on the camera without telling them. The company's Vice President of Integrity (yes, really) took to Twitter to apologise and explain the bug had been introduced "inadvertently" as part of a fix for another issue. He added that nothing was uploaded to Facebook because the camera was in preview mode. The timing was unfortunate, coming as Facebook launched its new Facebook Pay service which it says aims to “provide people with a convenient, secure and consistent payment experience across Facebook, Messenger, Instagram and WhatsApp,” and of course provide the company with even more information about its users. Meanwhile, Facebook says it has taken down some 5.4 billion fake accounts this year, but it estimates around 5% of its monthly active users are still fake.

Secret consumer score

Little-known businesses are accumulating vast amounts of detail about how we use websites like Airbnb and selling the data to third parties. The New York Times reports that the information is used to create "secret scores" that determine how long we have to wait on the line when we call a business, whether we can return items to a store, and even the quality of service we receive. A New York Times reporter requested the data held about her by one company. That turned out to be a 400-page file containing, among other things, all the messages she had ever sent to Airbnb hosts. It even showed she had ordered an Indian takeaway three years earlier. The Times article has details about how to find out what information is held about you.

UK election

The UK election campaign continues to provide rich pickings for people like us, and demonstrates how little many media commentators know about cybersecurity. On Tuesday, many media outlets picked up a report from the Labour Party saying it had been hit by a "sophisticated and large-scale cyberattack". Despite its sophistication and scale, "no data was compromised", which isn't surprising because the attack was a routine 'denial of service': flooding a website with traffic to knock it offline, not breaking into it. Such attacks can be bought for as little as £15 an hour, and further similar attacks on the Labour and Conservative Parties quickly followed. The UK National Cyber Security Centre has guidance on how to respond to such attacks. Meanwhile, Channel 4 News is running a strand examining how social media is being used to target voters. #TargetVoter does an excellent job of explaining the insidious power of political advertising on social media platforms.

Sextortion

Most people know the best thing to do with a "sextortion" email is to ignore it. Even if it quotes a password you once used (typically lifted from an old breach dump), it used to be virtually guaranteed that the criminal behind the email did not have any video of the victim watching online pornography. The criminals seem to have realised they needed to up their game and, according to Proofpoint, that's what they've done. It says it has seen early evidence of malicious software designed to spot browser windows whose titles match a dictionary of pornography-related keywords. When it finds one, it activates the microphone and camera on the infected machine and records the audio and video from them. The impact of this type of crime shouldn't be underestimated. Several suicides have resulted from it. Needless to say, adult websites are a significant security risk in their own right. This latest development provides another excellent reason to steer clear of them.

US border ruling

In a significant victory for privacy advocates, a district court judge in the US has ruled that seizing and searching phones and laptops at the US border is unconstitutional. "Current policies for ‘basic’ and ‘advanced’ searches...violate the Fourth Amendment to the extent that the policies do not require reasonable suspicion that the devices contain contraband," the judge said. The plaintiffs in the case were all US citizens or permanent residents, so it's not clear whether the ruling will apply to foreign visitors. In previous incidents, immigration officers are reported to have searched electronic devices and used what they found to deny entry. Our advice to travellers is to assume electronic devices will be subject to search and to ensure there is nothing on them that could arouse suspicion.

In brief

BT is the latest organisation to fall victim to the curse of the forgotten Bcc. As several aggrieved recipients told The Register, BT Security used Cc instead of Bcc to email around 150 information security professionals who had attended a jobs fair, revealing every recipient's address to all the others.

The UK National Cyber Security Centre has published detailed advice for organisations using SMS messages in critical business processes. As well as providing guidance, the document also explains the many ways in which cellular networks are far from secure.

A US IT provider is being sued after it allowed its systems to be breached over a 22-month period and only discovered what was going on when the hacker used up all its storage. The Federal Trade Commission said personal details of some 1 million consumers were stolen as a result.

A new app is promising to help with the fiendishly difficult task of determining whether an iPhone has been compromised. As Motherboard reports, iVerify is now in the app store. We'll report back on whether it can overcome the challenges of poking around in the iPhone's innards.

An ingenious spam campaign uses a fake WebEx meeting invite to infect Windows machines with a Remote Access Trojan. The emails are particularly dangerous because they abuse an 'open redirect': a page on a legitimate website that forwards visitors to whatever address is supplied in the link's parameters. The link in the email therefore points at a genuine-looking domain, but the browser ends up on the attacker's download site. Bleeping Computer has details.
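To make the mechanism concrete, here is an added example (it is not code from the digest, from Bleeping Computer, or from the campaign itself). The `example.com` and `evil.test` hosts and the `url` parameter name are constructed placeholders. It shows a redirect handler that trusts its parameter blindly next to a hardened version that only follows allow-listed hosts, and a mail-filter check that flags links whose query string carries an absolute URL on a different host.

```python
from urllib.parse import urlparse, parse_qs, urljoin

# Constructed placeholder for the legitimate site hosting the redirect page.
TRUSTED_HOST = "example.com"


def vulnerable_redirect_target(request_url):
    """'Before': return whatever the ?url= parameter says.

    A link such as https://example.com/redirect?url=https://evil.test/invite
    displays a genuine example.com domain in the email, yet sends the browser
    to evil.test. This is the open-redirect flaw the digest describes.
    """
    params = parse_qs(urlparse(request_url).query)
    return params.get("url", [None])[0]


def safe_redirect_target(request_url, allowed_hosts=(TRUSTED_HOST,)):
    """'After': only follow relative paths or absolute URLs on allow-listed hosts.

    urljoin resolves relative targets against the trusted origin, so tricks
    like '//evil.test/x' (protocol-relative) or 'https://example.com@evil.test/'
    (userinfo spoofing) resolve to a hostname we can compare exactly.
    """
    target = vulnerable_redirect_target(request_url)
    if not target:
        return "/"
    resolved = urljoin(f"https://{TRUSTED_HOST}/", target)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):   # blocks javascript:, data:, ...
        return "/"
    if parsed.hostname not in allowed_hosts:      # blocks any off-site host
        return "/"
    return resolved


def redirect_destination(link):
    """Mail-filter side: return the foreign host a link would redirect to, or None.

    Flags any query parameter whose value is an absolute http(s) URL on a host
    other than the one shown in the link. Legitimate meeting links normally
    carry opaque IDs, not full URLs, so this is a cheap triage signal.
    """
    outer = urlparse(link)
    for values in parse_qs(outer.query).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname \
                    and inner.hostname != outer.hostname:
                return inner.hostname
    return None


# Constructed sample links, as they might appear in a meeting invite email.
SAMPLE_LINKS = [
    "https://example.com/meet/j.php?MTID=m1a2b3c4d",               # benign
    "https://example.com/redirect?url=https://evil.test/invite",  # open redirect
    "https://example.com/redirect?url=//evil.test/invite",        # protocol-relative
]


def flag_suspicious_links(links):
    """Return the subset of links whose redirect target leaves the shown host."""
    return [link for link in links if redirect_destination(link) is not None]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", redirect_destination(link) or "ok")
```

The protocol-relative form in the third sample shows the limits of the mail-side heuristic: `redirect_destination` does not resolve it, which is why the fix belongs on the redirect page itself, where `safe_redirect_target` does resolve it and rejects it.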

A less than fond farewell to Apple's 'butterfly' keyboard which for interacting with a laptop is about as much use as a real butterfly. Announcing its new 16" MacBook, Apple said the new keyboard would feature a "redesigned scissor mechanism".

Think you can sing like Freddie Mercury? An app designed by Google will use machine learning to give you an answer. The score is a percentage. We'll refrain from revealing what ours was. 

Updates

Apple: iOS 13.2.2 was intended to fix multitasking issues but some users have complained that it's had a disastrous impact on battery life. Apple hasn't commented yet.

Adobe: Security updates for Animate, Illustrator, Media Encoder and Bridge.

Microsoft: Monthly updates address 74 security vulnerabilities, several considered to be critical risks.

Windows 10: Devices running Windows 10 1803 (Home and Pro) will be updated automatically after support for the version ended this week.

Magento: The ecommerce platform is urging users to ensure they have applied the security update released in October. It says many installations remain vulnerable.

Brave: new version of privacy-focussed browser which claims 8 million monthly users. It comes with a highly effective ad blocker (although you may find it's so effective that some websites don't work).

Subscribe to receive the digest by email

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217