FFT news digest Apr 10 2020

Fake news

As social media platforms struggle to deal effectively with a flood of misinformation about Covid-19, almost half of adults in the UK have been exposed to false or misleading information online, according to Ofcom, the country's communications regulator. Ofcom also said 40% of respondents found it difficult to know what was true or false online; among younger people the figure was 52%. Meanwhile, research from Oxford University found that more than half of the coronavirus misinformation debunked by fact checkers remains on Twitter without any warning label. For its part, WhatsApp is restricting how often a message can be forwarded on its platform (a message that has already been forwarded many times can now be sent on to only one chat at a time) in an effort to slow the spread of misinformation. And YouTube has banned videos promoting the ludicrous conspiracy theory linking coronavirus symptoms to 5G cellular networks. Unfortunately, that decision has itself been seized on as evidence of a cover-up.

Cyber crime

The UK and US cybersecurity agencies (the NCSC and CISA) have released a joint advisory about malicious actors exploiting the coronavirus pandemic. They say that while there has been little change in the overall volume of cyber crime, criminals are focused on exploiting concerns about Covid-19 and the changes it has forced on our lives: coronavirus-themed phishing emails, malicious attachments and lookalike domains, plus attacks on the remote-working tools (VPNs and video conferencing) that people now depend on. We believe it's essential to discuss these threats with family, friends and colleagues, and to be especially conscious of the threat to older people, who may be particularly vulnerable to scams. It's also worth talking about the risks of illegal file-sharing. Data gathered by TorrentFreak shows a surge in BitTorrent downloads, which are often used to share pirated copies of movies, TV programmes and software. Such downloads are a well-established malware vector at any time, but with so many people confined to their homes, and many of them using the same machines for work, they represent a clear and present danger to personal and business security.

Tracking

As more questions are asked about how long countries can remain locked down, it's becoming clear that a key element of the "exit strategy" will be smartphone contact-tracing apps. In the UK, an app being developed by the NHS will record users' proximity to other users and notify them automatically if they have been in contact with someone who reports coronavirus symptoms or an infection. But Wired reports that the app will also warn people if they spend too much time outside. In the US, the White House coronavirus task force is reported to be discussing the creation of a national surveillance system to give a near real-time view of where people are seeking treatment and for what. In the UK, the data protection regulator has said such apps are permissible as long as the data is anonymised. Now, researchers led by the Massachusetts Institute of Technology have published a protocol dubbed Private Automatic Contact Tracing (PACT), which uses short-range Bluetooth exchanges of random identifiers so that encounters can be recorded without a central service learning who met whom, or where. Privacy campaigners will be watching to see whether it is incorporated in the solutions that are rolled out.

Zoom

Multiple organisations and governments have banned or restricted the use of Zoom because of security concerns. In Germany, the foreign ministry was reported to have told officials not to use it for confidential meetings because, by its own admission, Zoom had misrepresented its encryption: meetings it marketed as end-to-end encrypted were not. An internal memo cited critical weaknesses and significant problems with security and data protection, although it stopped short of an outright ban because of the disruption that would cause. Zoom is continuing to try to address the concerns. It has removed the meeting ID from the app's title bar (so that it no longer leaks in screenshots), fixed an issue that would have allowed users in the waiting room to listen in on a meeting, and set up a panel to advise it on security. Our view is that, provided simple precautions are taken (set a meeting password, enable the waiting room, lock the meeting once everyone has joined, and never post meeting links publicly), Zoom is suitable for everyday purposes. We would not use it for meetings covering sensitive information, and we can advise on suitable alternatives. For a good overview, we suggest taking a look at the guide published by The Guardian.

Backups

How often do you back up your data, and where are the backups stored? For individual Windows and macOS users, backups are relatively simple. For organisations, a properly documented policy is required (the UK's National Cyber Security Centre has published guidance). Failing to back up data is a recipe for disaster, but new research shows that only 41% of organisations carry out backups every day. Acronis also found that only 17% of personal users and 20% of IT professionals follow best practice by keeping copies both on local media and in the cloud. Acronis is hardly a disinterested party, because it makes its money from backup solutions, but its annual survey provides a valuable window on what people and organisations are actually doing. Reliable backups are one of the most effective defences we have, not least against ransomware, and the latest research is a reminder to check our own arrangements: not just that backups are running, but that a copy is kept offline or otherwise out of reach of an attacker, and that a restore has actually been tested.

Lessons learned

One of the most valuable approaches to cybersecurity is to learn lessons from past mistakes, and Google should be applauded for sharing some of its experiences in a new (free) book. 'Building Secure and Reliable Systems' explores Google's application of site reliability engineering (SRE) principles to security, but it also includes a public washing of some of the company's dirty laundry. One tale explores the disastrous cascade of failures that began with a change to the WiFi password on its Bay Area commuter buses. That led to a flood of employees trying to look up the new password at the same time, which promptly caused Google's internal password manager to collapse under the load. It then emerged that nobody knew how to recover it, because the system had never suffered an outage before. In a more recent example, Microsoft has revealed why it took five hours to acknowledge a severe disruption to its Azure service in March. The cause of the disruption? A surge in demand for resources. The reason it took so long to respond? The incident manager was asleep.

In brief

Twitter has chosen this moment to remove a setting that allowed users to restrict the information provided to advertising and analytics partners. The change doesn't apply to the EU (and the UK) because of provisions in the GDPR. Twitter

Don't disable security warnings in Office applications. That's the lesson from a vulnerability discovered in PowerPoint. Exploiting it requires the user to move the mouse pointer over a hyperlink, but it only works if a security warning is dismissed. Threatpost

No matter how tempting, don't tick the box if you're asked whether you want a browser or extension to remember a password. That applies particularly to password manager browser extensions. Researchers have found a vulnerability that could reveal a user's master password if the option to remember it is selected. Elcomsoft

The UK cybersecurity market is estimated to be worth more than £8.3 billion, but a new startup argues many businesses are paying too much. Cynapse says that in some cases organisations could save up to 40% by buying services and products from smaller companies. Cynapse

A reminder to be very cautious about the Android apps you install. 100 million users have been told to delete the SuperVPN app which Google has finally removed from the official Play Store. And don't install apps from other sources. A malicious app masquerading as a cleaner utility turns out to be almost impossible to delete. Forbes Kaspersky

Arse recognition is the latest biometric development to be announced by researchers. It's part of a high-tech toilet designed to monitor the health of users by analysing what they deposit in it. Apparently, everyone's "anal print" is unique. Nature

Updates

Firefox: Version 74.0.1 addresses security vulnerabilities, including two that Mozilla says are being actively exploited in targeted attacks.

iOS: Version 13.4.1 fixes multiple bugs including one that affected FaceTime.

macOS: The 10.15.4 Supplemental Update fixes issues with FaceTime, Office 365, USB-C ports and the new MacBook Air.

Chrome: Version 81 (delayed due to the coronavirus pandemic) fixes multiple security issues and includes support for the Web NFC standard.

Windows 10: Many users are reporting serious issues after installing the KB4541335 cumulative update. For the moment, the only fix is to remove it.

Exchange: More than 350,000 Microsoft Exchange servers remain vulnerable to a remote code execution issue that Microsoft patched in February. Even worse, researchers found 31,000 Exchange 2010 servers that hadn't been updated since 2012. Exchange is almost always exposed to the internet, so if you run it, confirm that the February update is actually installed rather than assuming it was.

Office: Non-security updates deliver crash fixes, as well as performance and stability improvements.

Tails: Version 4.5 has important security fixes as well as support for computers with Secure Boot enabled.

Zimbra: Version 9 delivers improved extensibility with support for Slack, Dropbox and Zoom integration.


Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217