FFT news digest Nov 29 2019

Social media politics

The web is at a tipping point and its inventor has launched a plan to save the world from a "digital dystopia." Sir Tim Berners-Lee said, "if we don’t act now...to prevent the web being misused by those who want to exploit, divide and undermine, we are at risk of squandering [its] potential." The Contract for the Web has the backing of more than 150 organisations and countries, including Google, Facebook, France and Germany. They've signed up to 9 central principles to protect the web, and if they can't show they're implementing them they could be removed from the list of endorsers. But there's no sanction beyond that and it's hard to see some of the principles taking hold in practice. In theory, governments and companies should respect and protect people's online privacy, and individuals should respect civil discourse and human dignity. Measured against those ideals, one might argue that a digital dystopia is already here.

Account hijacking

A typical day in social media land. Twitter said it would delete inactive accounts, users erupted in protest, Twitter said it would have a rethink. Twitter has been bothered for a while by the number of accounts that are dormant but still tying up valuable handles (usernames). So it decided that it would delete any account that had been inactive for the past six months. What it failed to consider were the accounts of dead users, and the impact on their families and friends. In the face of a torrent of complaints, Twitter swiftly reversed itself and said it wouldn't remove anything until it had created a way to memorialise accounts (something Facebook already offers). The episode is an excellent reminder that social media is something to include in one's (hopefully) 'long-term' plans. The BBC has a guide here.

Apple's new approach

Another week, another vast collection of data discovered on an unsecured server. This time involving information about 1.2 billion people. What's interesting about this incident is the reaction to it, and what it tells us about our own personal information. The database (a mere 4 terabytes in size) was found by a researcher trawling for unsecured servers. This one contained names, email addresses, phone numbers and profile information from Facebook and LinkedIn. The information appears to originate from two companies that provide data enrichment solutions. These involve taking a name or email address and adding hundreds of additional pieces of information, including income, political preferences etc. The results are extraordinarily detailed. Some security professionals reacted to the latest discovery by saying, "so someone discovered what we used to call...a phone book." The details in the latest leak represent quite an evolution for the phone book, and they demonstrate the extent to which we have lost control of the information about us.

Disney+

A German real estate company faces a €14.5 million fine for allegedly retaining tenant data without justification. The Berlin Data Protection regulator issued notice of the fine after finding Deutsche Wohnen had breached its obligation to keep personal data for "no longer than is necessary for the purposes for which the personal data are processed." The issue first came to light in 2017 and, although the company had taken some measures to address the problems, a follow-up audit determined these weren't sufficient. Deutsche Wohnen has a right to appeal, but the case underlines how important it is to review what personal data is stored and ensure it is not retained longer than necessary. It also illustrates the need to act on the findings of data protection authorities. Ignoring them is likely to be expensive.

Ring

Google sent more than 12,000 warnings about state-sponsored phishing attempts from July to September. Its Threat Analysis Group (TAG) said over 90% of the attacks tried to persuade users to disclose their account credentials, including two-factor authentication codes. The most common method was a simple phishing email using a "security alert lure suggesting the user secure their account." The user clicks the link, and enters their password and authentication code (if they have one) on a fake Google login page. It's a highly effective technique but, as Google explains, high-risk users can protect themselves with an Advanced Protection Programme. This uses hardware security keys and makes it much harder for such attacks to succeed.

Stalkerware

In news about fakes, more evidence that we can't trust our eyes or ears. We've already seen a "face-generator" that uses Artificial Intelligence to create realistic-looking portraits for use in stock images. Now we have Rosebud AI, which does the same thing but allows the face to be stuck onto any body in its collection. Its tagline: "These people aren't real". Of course, this allows adverts to use a model precisely targeted to appeal to a specific individual. So the next time you see an ad, pause and wonder why you're seeing that particular model. Meanwhile, not to be outdone, advances in technology have made 'voice fraud' a popular choice for criminals. Security firm Pindrop estimates there are 90 such attacks in the US every minute. Combating them at a corporate level requires effective processes and sophisticated authentication methods. For individuals, it's vital not to trust unsolicited calls or emails that appear to contain voice messages.

In brief

Warning, courtesy of the NYPD: be careful who attaches what to your network! The New York Post says a contractor connected a digital display at the police academy, only to find the PC driving it was infected with a virus which promptly infected 23 machines. Those turned out to be linked to the NYPD fingerprint system. No shortage of lessons here, including how important it is to ensure networks are segregated.

Google has followed Apple's example and sharply increased the rewards it will pay for vulnerabilities in its Pixel phones. The $1.5 million bounty is seven times the previous figure but is still dwarfed by the $2.5 million offered by exploit brokers like Zerodium.

All-company group emails are a wicked thing, as a newscaster in the US discovered. Nick Vasos was feeling off-colour so he emailed his boss to ask for a day off. Only he didn't. He emailed all 200 TV stations in the Nexstar Media Group...and promptly began trending on Twitter.

If you've used the popular e-commerce platform Magento Marketplace, then change your password and make sure you're not using the old one anywhere else. Adobe (which owns Magento) says the site was breached last week.

Smartphones, computers, and even smart TVs sold in Russia must include pre-loaded apps. Devices that fail to comply will be banned, according to the BBC.

A couple in Seattle says a man hacked into their baby monitor and told their 3-year-old 'I love you' while they were downstairs. The couple said the Taococo FREDI monitor was a gift. It's not the first time this range has been hacked.

Updates

Windows 10: Microsoft is blocking users of some AVG and Avast antivirus solutions from upgrading to the latest version of Windows 10 due to a compatibility issue. Avast and AVG have details. It has removed a similar block on machines with older Qualcomm drivers.

WhatsApp: iOS version 2.19.120 brings new features, including a call waiting option and enhanced group privacy settings.

Truecaller: Update addresses security flaw which exposed user data as well as system and location information by placing a malicious link in place of a profile picture.

Bose: QuietComfort 35 headphones remain hampered by a firmware update that removed noise-cancelling functions. Users are unimpressed. Bose has asked if it can visit some of them at home.

HPE: Hewlett Packard Enterprise has warned that some Solid State Drives will fail after 32,768 hours of operation unless a firmware patch is applied.

Splunk: Users are advised to install an update to address an issue caused by how data is time-stamped.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217