FFT news digest January 29 2021

Privacy

Yesterday was Data Privacy Day, which Apple marked by publishing an excellent summary setting out just how little online privacy we actually have. "A Day in the Life of Your Data" explains how third-party companies can track user data across websites and apps. On average, it says, mobile apps include six 'trackers' designed for the "sole purpose of collecting and tracing people and their personal information". The document also details features Apple will roll out in the next major version of its mobile operating systems. App Tracking Transparency will require developers to request permission from users to track them. Google and Facebook are furious about the change; the latter complained this week about Apple's "dominant platform position," and is reported to be preparing an antitrust lawsuit. Which is an intriguing line of attack from a company like Facebook.

"Social catastrophe": We have mixed feelings about Apple, whose recent security performance has been lamentable and which definitely has questions to answer about how it operates its own iOS ecosystem. But an address by Tim Cook to the Computers, Privacy, and Data Protection Conference yesterday brilliantly sums up the problematic relationship we currently have with on-line communication. "At a moment of rampant disinformation and conspiracy theories juiced by algorithms, we can no longer turn a blind eye to a theory of technology that says all engagement is good engagement -- the longer the better -- and all with the goal of collecting as much data as possible," he said. "It is long past time to stop pretending that this approach doesn't come with a cost -- of polarisation, of lost trust and, yes, of violence. A social dilemma cannot be allowed to become a social catastrophe." The presentation is well worth a watch.

Capitol Hill: A lively discussion is taking place about the use of artificial intelligence and cellphone data to identify rioters who took part in the rampage on Capitol Hill. Big Think explores the issues and what they augur for individual privacy.

Cleaning up: We hope we're realistic about most people's reluctance to spend time fiddling around with privacy and security settings, but perhaps Data Privacy Day is a reminder that there are things we can do to protect our personal data. Checking social media apps, deleting unused ones, adopting a password manager and turning on two-factor authentication where available are all relatively simple actions that can have a disproportionate benefit on privacy and security. If in doubt about where to start, take a look at our guides.

Threats

COVID-19: Computing dissects (R) a phishing campaign that takes advantage of the high-speed vaccine rollout in the UK. Don't underestimate how effective these emails can be. The writer explains how close he came to falling for the scam. Bleeping Computer details a persuasive variant. The NHS has a webpage setting out how it will contact people and emphasises it will never ask for personal information (which obviously it already has).

Clever: Criminals are smart. RiskIQ explains how a simple kit allows scammers to change logos and text on a phishing page in real time. Such attacks are hard to spot. Never fill in forms on pages that you haven't requested directly from the website.

Refunds: A scam in the US impersonates the Federal Trade Commission and promises compensation from a fake “personal data protection fund” to people who have had personal details exposed online. FTC

Pirates: Downloading illegal copies of software is inviting trouble. Proofpoint has details of websites advertising pirated software which are being used to deliver a new version of malicious software designed to steal banking credentials.

Office 365: Fake password expiry alerts are being used to target senior executives. Trend Micro

LinkedIn: Another week, another LinkedIn phish. This one impersonates a policy change notification to try to steal sensitive personal information. Abnormal Security

WhatsApp: Android users are being targeted with WhatsApp messages that urge them to “Download This application and Win Mobile Phone”. ESET

Ghosts: How effective are your procedures for deleting accounts when users leave an organisation? Sophos examines a real-world example of what can go wrong if such accounts are allowed to live on.

Clones: Criminals are impersonating genuine companies to attack UK investors looking for ways to recover financially from the effects of the pandemic. These scams are estimated to have already caused losses of some £78 million last year. National Crime Agency

Internet health

The internet is suffering from chronic health problems, according to the Mozilla Foundation's Internet Health Report 2020. It says racial bias, misinformation, and anti-worker policies are creating an increasingly fragmented online world. It accuses technology companies of contributing to the spread of misinformation and says "pandemic-born practices will have consequences for internet health beyond the current crisis". In a challenging year, the internet "helped us and harmed us like never before".

Messaging

The world of secure messaging is in turmoil following an exodus of users from WhatsApp after a bungled rollout of changes to its privacy policy. Signal has been inundated with new users and has fallen over repeatedly as a result. The millions of new sign-ups have also raised questions over how its security features might be abused. Meanwhile, WhatsApp is introducing a requirement for biometric authentication if users want to access an account through its desktop app or via the web. 

Cyber Essentials

If there's a common theme in most security incidents, it's a failure to implement basic measures. The UK government's Cyber Essentials scheme is intended to address that problem. We are a big supporter of Cyber Essentials, which provides a common security standard and, for smaller organisations, includes cybersecurity insurance as part of the certification. Respected security company Pen Test Partners has a concise overview of the scheme and the recent changes to it.

Takedown

More good news in the fight against online crime, with a multinational police operation disrupting "one of the most significant botnets of the past decade". Botnets are networks of compromised computing devices that are used to launch attacks. Europol says the global operation gained control of the criminals' infrastructure, "took it down from inside" and redirected infected machines. As part of the investigation, a database containing e-mail addresses, usernames and passwords was discovered and you can check if your e-mail address has been compromised. Police are distributing a module to infected machines which will uninstall the malicious software.

In brief

Insurance: The Association of British Insurers has rejected accusations that it is "funding" organised crime by including ransomware blackmail payments in cyber insurance policies.

Grindr: The Norwegian Data Protection Authority has announced its intention to fine the dating app €10 million for illegally sharing user data with advertisers for marketing purposes.

Breach guidance: The National Cyber Security Centre has published guidance for individuals and organisations on how to protect against the impact of data breaches.

Magunsafe: Apple has warned that the iPhone 12 MagSafe connector could interfere with pacemakers and cardiac defibrillators. It recommends at least a six inch/15 centimetre separation (though confusingly it adds that iPhone 12 models are "not expected to pose a greater risk of magnetic interference to medical devices than prior iPhone models").

Robocop: The Electronic Frontier Foundation has condemned the increasing use of security robots, calling them a "privacy disaster waiting to happen".

Collapse: CollapseOS is an operating system designed to run on devices created from scavenged parts. Why 'Collapse'? Because it's designed to be used once civilisation collapses.

Updates

iOS: Updates for iOS, iPadOS, and tvOS with fixes for three security vulnerabilities that may have been actively exploited.

Apple News: Some users have experienced ludicrously large downloads due to an apparent bug in Apple News and macOS Big Sur. 9to5Mac explains how to fix.

Conexant: Microsoft has a workaround for an issue affecting Windows 10 devices with Conexant ISST audio drivers which has been causing update problems.

SonicWall: An urgent alert that customers should take action to prevent attacks on devices impacted by previously unknown vulnerabilities. The company says its internal systems were recently breached by unidentified attackers.

SAP: Researchers have warned that there is a publicly available exploit for a vulnerability in SAP Solution Manager (SolMan) version 7.2 which was addressed in March 2020.

TikTok: An update addresses a security vulnerability which could have allowed attackers to steal users' private information.

Thunderbird: Version 78.7.0 fixes security issues and bugs, and improves the extensions system.

ProtonVPN: Windows clients are causing some devices to crash. Proton says it's working on a fix and meanwhile it advises users to revert to the previous version.

Tails: Version 4.15.1 is an emergency release that fixes a security issue in sudo. It came only a day after a scheduled release intended to address other security vulnerabilities and fix bugs.

SecureDrop: Version 1.7.1 fixes problems for some users that were caused by v1.7.0.

Zimbra: Versions 9.0.0 “Kepler” Patch 11 and 8.8.15 “James Prescott Joule” Patch 18 released.

Address

152-160 City Road
London, EC1V 2NX

Contacts
Email: info@fullframetech.com
Phone: +44 (0) 20 3290 2205
Support: +44 (0) 20 3290 2207

Company registration no. 10243217