Monday, January 15, 2018

Is Looking At Screens Causing More Short-Sightedness In Young People?

With increasing levels of short-sightedness among young people, some experts have concluded that a young life spent looking at small screens rather than in the great outdoors could be one explanation.

90% Myopic

Studies in East Asia have shown that a staggering 90% of 18-year-olds, a group that would normally be associated with relatively good eyesight, are suffering from short-sightedness, also known as Myopia.

Also, in Western Europe, studies have shown the proportion of young (mid-20s) adults who are short-sighted rising from 20% to 30% to levels of 40% to 50% today.

Natural Sunlight A Key Preventative Factor

Spending too much time in places / situations where there is a lack of natural daylight / direct sunlight is believed by eye experts to be a contributing factor to the development of conditions such as myopia / short-sightedness. This is one of the reasons why experts are focusing (no pun intended) on children’s use of computers, smartphones or tablet computers, e.g. to study at home, as something that may go some way to explaining the rise in Myopia in young people in recent years.

This has also led some experts to compare the surprisingly high levels of Myopia in East Asian countries with the existence of intensive educational approaches involving technology e.g. very intensive education, spent indoors, out of direct sunlight, studying information close up on computerised devices.

Time Outdoors Is The Key

Research published in 2008 by the Sydney Myopia Study (SMS), a population-based study of school-aged children in Sydney, Australia, showed that time spent outdoors was strongly and inversely related to myopia levels. The Sydney-based research showed that only 3% of Chinese-heritage children living in Sydney (who spent two hours a day outdoors) were short-sighted by the age of six. This compared to nearly 30% of six-year-olds in Singapore, and helped to add fuel to the growing body of research and supporters of the idea that the risk of myopia development can be seriously reduced by simply spending more time outdoors, e.g. spending two hours per day outdoors, perhaps pursuing sport and leisure activities.

Symptoms of Myopia


Some common symptoms of Myopia to look out for in children include needing to sit near the front of the class to read the board, sitting too close to the television, regular rubbing of the eyes, and suffering from headaches or tired eyes.

Other Ways To Help


Experts suggest that other broad ways to help reduce the chances of children developing Myopia include having a healthy diet, particularly one that includes omega-3 essential fatty acids, vitamins A, C and E, and other nutrients which contribute to the good health of the back of the eye. Also, over-the-counter supplements, e.g. those claiming to help brain function and health, are good for the eyes too.

What Does This Mean For Your Business?


For businesses where staff use devices for work for many hours of the day, providing information about the risks of looking too long and too intensely at screens could be helpful, as could arranging for some breaks / activities to be spent outdoors in the natural light e.g. perhaps in a team situation / environment and / or with incentives to improve participation.

As parents will know, once a child / young person is used to using their iPad or tablet, it is likely to be very difficult (and potentially damaging to their current social life) to remove it / ban it / reduce its use. Again, informing them of the dangers on a regular basis is important, and / or encouraging and arranging regular outdoor activities, e.g. sports clubs or family pursuits / outings, may be a good option.

The requirement that young people are proficient at using computerised devices to connect with their peer group and compete effectively with others at school, college, university and work means that the amount of time spent on computerised devices indoors, and consequently the high levels of Myopia development are unlikely to decline soon.

Cloud Companies The Next Big Target For Ransomware

The latest Massachusetts Institute of Technology (MIT) Review has predicted that ransomware targeting cloud services will be one of the biggest cyber-crime threats of this year.

What Is Ransomware?

Ransomware is a form of malware that typically encrypts important files on the victim’s computer. The victim is then given a ransom demand, the payment of which should mean that the encrypted files can be released. In reality, some types of ransomware delete many important files anyway, and paying the ransom does not guarantee that any files will be released.

Huge Data Sources

One of the main reasons why MIT puts ransomware aimed at cloud services in the top 6 cyber threats for 2018 is that attacking a single cloud services company can give criminals access to huge amounts of data being stored and handled for multiple companies and organisations.

The MIT predictions, however, point to smaller, more vulnerable cloud providers who are more likely to pay as being a more likely target than the apparently well-protected larger CSPs such as Google, Amazon, and IBM.

Other Big Threats For 2018

Other MIT predictions for more common cyber-crime in 2018 include the targeting of electrical grids, transportation systems and other types of national critical infrastructure, cyber-physical attacks to cause disruption and extort money, and the targeting of old systems in transport modes (planes, trains and ships).

Also, another prediction for increased activity is the hijacking of more computing to mine crypto-currencies, and the resulting (potentially devastating) collateral damage if computing resources at hospitals, airports and other similar locations are targeted.

Evolution of Crime and Protection

The last 3 years have seen a rapid evolution of the threat of things like ransomware. 2016 was a huge year for ransomware attacks globally. For example, Kaspersky Labs estimated that in the 3rd quarter of 2016 a ransomware infection occurred every 30 seconds. Intel Security also reported that infections rose by more than a quarter in the first 3 months of the year.

The massive WannaCry ransomware attack of spring 2017 infected the computers of an estimated 300,000 victims in 150 countries worldwide, many of them large, well-known businesses and organisations (including 16 health service organisations in the UK), and has been a massive Internet and data security wake-up call.

Last year also saw AI used by both attackers and defenders, and MIT predicts that 2018 will see greater use of machine learning models, neural networks and other AI technologies on a more regular basis by cyber attackers.

What Does This Mean For Your Business?


Cyber attackers are becoming ever more sophisticated in their attack methods, using the latest technologies, multi-layered attacks, and social engineering. Ransomware is a popular tool because it is often relatively cheap to create and use, it can spread easily (like WannaCry), the attackers can remain anonymous, and it yields the main motivation for many attacks - financial gain. It stands to reason that CSPs would make an ideal target because of the huge amount of data from many companies that is stored with them.

For individual UK businesses and other organisations, it’s a case of always being on the lookout for suspicious emails and updates, keeping security software up to date and regularly backing up critical data. With GDPR due to come into force in May, there is an even greater motivation to pay attention to data and Internet security, and staying with old operating systems for as long as possible is both a danger and a false economy.

In order to provide maximum protection against prevalent and varied threats this coming year, businesses should adopt multi-layered security solutions. Businesses should accept that there is a real likelihood that they will be targeted and therefore prepare for this by implementing the most up to date security solutions, virtual patching and education of employees in order to mitigate risks from as many angles ('vectors') as possible.

Having workable and well-communicated Disaster Recovery and Business Continuity Plans in place is now also an important requirement.

Dodgy Apps in Google Play

Security researchers have discovered 36 fake and malicious apps for Android that can harvest your data and track your location, masquerading as security tools in the trusted Google Play Store.

Hidden

The 36 malicious apps were, on the surface, the kind of security apps that are commonly downloaded by (Android) smartphone users to protect their device and data from cyber attacks and hackers. Ironically, the apps, which had re-assuring names such as Security Defender and Security Keeper, and which performed some legitimate tasks on the surface, such as cleaning junk, saving battery, scanning, and CPU cooling, were found to be hiding malware, adware and even tracking software.

Once the apps were launched, researchers discovered that they would not appear on the device launcher's list of applications, and the shortcuts would also not be shown on the user’s phone screen.

The malicious app makers are thought to have known that the "hide" function would not work on some devices (e.g. Google Nexus 6P, LGE LG-H525n and ZTE N958St.) because the hide was designed not to run on them. They may also have done this to avoid attracting the attention of Google Play’s inspection / checking system.

False Notifications, Fake Alerts, and Adverts

The fake apps were even found to have been designed to deliver false, often convincing, but sometimes alarming security notifications, warnings and pop-up windows to the user. For example, users would be shown pop-ups to show them that fake security issues had been resolved. Also, if the user installed another app, then it would be reported as suspicious.

Users of these fake apps could also fall victim to an aggressive barrage of advertisements with each action, because the app may have been designed for display and click fraud.

Asked To Sign - But Collecting Data


In some cases, in an abuse of privacy, the malicious apps were found to ask users to sign and agree to an end-user licence agreement (EULA) relating to the information to be gathered and used by the app. In fact, the hidden aspects of these apps were found to be able to collect large amounts of device and user information, such as Android ID, model and brand of the device, screen size, language, location, and data on the other installed apps e.g. Facebook.

Removed

It has been reported that, since the researchers alerted Google to the presence and nature of the apps in December, they have now been removed from Google Play.

Not The First Time

Unfortunately, this isn’t the first time that fake apps have been found in the Google Play Store. Last November, a fake version of WhatsApp, the free, cross-platform instant messaging service for smartphones, was downloaded from the Google Play store by more than one million unsuspecting people before it was discovered to be fake.

What Does This Mean For Your Business?

What is a little shocking about this story is that Google Play is a trusted source for apps, and it is particularly ironic that in this case users could have downloaded the apps as a security measure to protect them, only to find that they did the opposite.

Although the obvious advice is to always check what you are downloading and the source of the download, the difference between fake apps and real apps can be subtle, and even Google (in this case) didn’t spot the hidden aspects of the apps.
The fact that many of us now store most of our personal lives on our smartphones makes reports such as these all the more alarming. It also undermines our confidence in (and causes potentially costly damage to) the brands that are associated with such incidents e.g. the reputation of Google Play Store.

To minimise the risk of falling victim to damage caused by fake apps, users should check the publisher of an app, check which permissions the app requests when you install it, delete apps from your phone that you no longer use, and contact your phone's service provider or visit the High Street store if you think you’ve downloaded a malicious / suspect app.
It may also be time for Google Play Store to review its systems and procedures for checking the apps that it offers.

'Ripple' Takes Second Place To Bitcoin

As investors look for alternatives to the volatile bitcoin bubble, crypto-currency Ripple has become the second most valuable virtual cash system, followed by ethereum and litecoin.

Bitcoin Bubble Fear Means Ripple Looks Attractive

The media has been full of reports about the steep and rapid rise in the value of bitcoin, the blockchain-powered crypto-currency. With its value rising from £740 per bitcoin at the beginning of 2017 to in excess of £15,000 in December, then falling (with a few bumpy troughs) to £11,000 this week, many investors, spooked by what many see as a bubble, have been looking for alternatives.

It is likely to be no coincidence, therefore, that the value of crypto-currency Ripple has risen as bitcoin’s value fell, taking second place to bitcoin at $2.34 (£1.73) per XRP (the name for a single Ripple unit). Although this doesn’t seem to be a large amount, it is much higher than the $0.0065 (just over half a US cent) each unit was worth a year ago.

The crypto-currency of Ripple is now worth $142bn, second in value to bitcoin at $251.4bn, and ahead of ethereum at $100.6bn and litecoin at $13.2bn.

The Ripple

Unlike bitcoin which operates outside of the reach of the banks, Ripple was set up to help banks speed up and modernise how they pay each other. 100 banks, so far, have signed up to use Ripple’s payments system. These sign-ups include big hitters like Bank of America and UBS, Japan's big credit card companies (for payments and settlement), and some South Korean and Japanese banks (through a pilot project to handle cross-border payments).

Ripple has no real assets or revenue streams to support the rate, and its market value is calculated by multiplying the number of XRP coins in existence by the current dollar exchange rate. Also, Ripple XRP coins, unlike e.g. bitcoin, aren’t ‘mined’ by the members of the network that processes the transactions, but have been pre-mined and are slowly released as the network is used.

It is believed, therefore, that the recent adoption of the currency by these banks and credit card companies, and the search for alternatives to the uncertainty of the bitcoin bubble have been the main drivers of the value of Ripple.

Ethereum and Litecoin

Ethereum, the next highest value crypto-currency after Ripple, has seen an increase in value of 9,240% year over year. Litecoin, meanwhile, has also seen a rapid and steep rise in value of 5,195% year over year (Coinbase figures).
The rise in the value of these crypto-currencies also corresponds with the fall in value of bitcoin.

Crypto-Jacking Warning


With the rise in value and popularity of crypto-currencies, experts have warned that there are likely to be more incidents of ‘crypto-jacking', where people’s devices are taken over by people trying to mine crypto-currencies. Earlier this month, for example, the Android phone-wrecking Trojan malware, dubbed 'Loapi', was discovered by Kaspersky researchers. In tests, after running it for several days mining the Monero crypto-currency, the Android phone used in the test was overloaded with activity (trying to open about 28,000 unique URLs in 24 hours) to the point that the battery and phone cover were badly damaged and distorted by the resulting heat.

What Does This Mean For Your Business?


The rise of crypto-currencies such as bitcoin, to the point where they were finally being taken up by investors, businesses and governments, has been filled with high-profile ups and downs, e.g. a fall in bitcoin's value on the Tokyo-based Mt. Gox exchange following a hack in late 2013. Predictions of the value being a risky bubble, coupled with a hack of the NiceHash digital currency marketplace’s payment system resulting in the theft of bitcoin to an estimated value of $80m, sent the value of bitcoin downwards again in December. As investors look elsewhere for safer alternatives or the next big thing, and as they become more used to the concept of crypto-currencies, Ripple, ethereum and litecoin have benefitted.

Bitcoin has many attractive advantages for businesses such as the speed and ease with which transactions can take place due to the lack of central bank and traditional currency control (Ripple is actually a product of the banks).

Crypto-currencies generally mean easier, faster and more convenient cross-border and global trading, but traditional currencies tend to have the backing of assets or promises of assets of some kind. Crypto-currencies, therefore, tend to be less trusted and more volatile in the markets, and it’s likely there will be many more ups and downs with many different crypto-currencies, although bitcoin has a head start and has weathered storms before. It’s a case of watch this space.

All iPhones, iPads and Macs Affected by 2 Major Bugs

Two major security flaws which are present in nearly all modern processors / microchips mean that most computerised devices are potentially vulnerable to attack, including all iPhones, iPads and Macs.

What Security Flaws?

The 2 hardware bugs / flaws in nearly all computer processors made in the last 20 years are known as ‘Meltdown’ and ‘Spectre’. The 2 flaws could make it easier for something like a malicious program to steal data that is stored in the memory of other running programs.

Meltdown

Meltdown, discovered by researchers from Google's Project Zero, the Technical University of Graz in Austria and the security firm Cyberus Technology in Germany, affects all Intel, ARM, and other processors that use ‘speculative execution’ to improve their performance (most of the modern global market). Speculative execution is when a processor performs work that may turn out not to be needed, in order to reduce overall delays for the task - a kind of optimisation.

Meltdown could, for example, leave passwords and personal data vulnerable to attacks, and could be applied to different cloud service providers as well as individual devices. It is believed that Meltdown could affect every processor since 1995, except for Intel Itanium and Intel Atom before 2013.

Spectre


Spectre, which affects Intel, AMD and ARM (mainly Cortex-A) processors, allows applications to be fooled into leaking confidential information. Spectre affects almost all systems including desktops, laptops, cloud servers, and smartphones.

Apple Systems and Devices Affected


Apple is reported to have said that all Mac systems and iOS devices are affected, although the Apple Watch is not believed to be affected by it.

No Known Exploits Yet


It should be said that researchers have uncovered the existence of the flaws, and while the potential for exploitation is there, there have been no known exploits to date. In the light of the wide publicity that the existence of the flaws has received, this could change.

What’s Being Done?

Intel has announced that it is working with AMD, ARM, other technology companies and some operating system vendors to find a fix. Intel and ARM are also planning to release patches for the flaws in upcoming software updates from them and from operating system makers.

Google has said that the flaw didn’t exist in many of its products, and it has mitigated the issue in those products where it was present. Google has also said that an upcoming browser update (Chrome 64) will offer further protection when it is rolled out on 23 January.

Microsoft has released an emergency patch for all Windows 10 devices, with other updates for other Windows versions scheduled for release within days. Amazon is reported to have said that its whole EC2 fleet is now protected.
Apple has issued a partial fix in macOS 10.13.2 and will continue to fix the issue in 10.13.3.

What Does This Mean For Your Business?


It is highly likely that your devices are affected by the flaws because they are hardware flaws at architectural level, more or less across the board for all devices that use processors. The best advice is to install all available patches without delay and make sure that you are receiving updates for all your systems, software and devices.

Although closing hardware flaws using software patches is a big job for manufacturers and software companies, it is the only quick answer to a large-scale problem that has been around but apparently ‘under the radar’ for a long time.

Regular patching is a good basic security habit to get into anyway. Research from summer 2017 (Fortinet Global Threat Landscape Report) shows that 9 out of 10 impacted businesses are being hacked through unpatched vulnerabilities, that many of these vulnerabilities are 3 or more years old, and that patches are already available for them.
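The advice above is to confirm that the Meltdown and Spectre patches have actually landed on every system, not just that an update was offered. On Linux, kernels from 4.15 onwards (and stable kernels with the fixes backported) report the mitigation state for each flaw in a file under /sys/devices/system/cpu/vulnerabilities. The script below, an added example that is not part of the original article, reads those files and lists anything still reported as "Vulnerable" or not reported at all. The directory is a parameter so the same code can be exercised offline against a constructed sample directory; the status strings in the sample are made up for the demonstration.

```python
"""Added example: read the Linux kernel's own Meltdown/Spectre mitigation status.

Assumption: a Linux host with a kernel that exposes one file per flaw under
/sys/devices/system/cpu/vulnerabilities (4.15 or later, or a stable kernel
with the fixes backported). On other systems the files are simply absent.
"""
import tempfile
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
FLAWS = ("meltdown", "spectre_v1", "spectre_v2")


def mitigation_status(base=SYSFS_DIR):
    """Return {flaw: status text} for each flaw, or None when the file is absent.

    An absent file means the kernel predates the reporting interface, so its
    mitigation state is unknown rather than confirmed.
    """
    base = Path(base)
    report = {}
    for name in FLAWS:
        path = base / name
        report[name] = path.read_text().strip() if path.is_file() else None
    return report


def needs_attention(report):
    """Flaws whose status starts with 'Vulnerable' or is unknown (file missing)."""
    return [name for name, status in report.items()
            if status is None or status.startswith("Vulnerable")]


def write_sample(directory):
    """Constructed sample directory: Meltdown patched (KPTI), Spectre v2 still open.

    The strings mimic the kernel's wording but are made up for this example.
    """
    d = Path(directory)
    (d / "meltdown").write_text("Mitigation: PTI\n")
    (d / "spectre_v1").write_text("Mitigation: __user pointer sanitization\n")
    (d / "spectre_v2").write_text("Vulnerable: Minimal generic ASM retpoline\n")
    return d


if __name__ == "__main__":
    # The demo runs against the constructed sample so it works on any OS;
    # call mitigation_status() with no argument on a real Linux host.
    with tempfile.TemporaryDirectory() as tmp:
        rep = mitigation_status(write_sample(tmp))
        for flaw, status in rep.items():
            print(f"{flaw:10s} {status or 'no sysfs entry (status unknown)'}")
        todo = needs_attention(rep)
        print("needs attention:", ", ".join(todo) if todo else "none")
```

A missing file is deliberately treated as "needs attention" rather than "fine": a kernel too old to report on the flaws is also too old to have the fixes, which is exactly the false-economy case the article warns about.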

Lie Detector App

A UK company has developed a lie-detecting app that could be used in interviews or other situations where high levels of honesty in (initially) completing forms are required.

Video Combined With Analytics

The London based company, called ‘Human’, founded by Yi Xu, a former investment banker and investment news TV presenter, has a team that includes a data scientist, a micro-expression coder and a psychologist. The company has developed a system that uses video from a mobile device (or CCTV camera) combined with analytics software that can examine a person’s face and thereby determine the most likely emotions being felt at that instant.

The company says that it is able to humanise technology to decipher emotion and characteristics and predict human behaviour. The machine learning aspect of the system is also thought to deliver a better and more accurate understanding of a human's feelings, emotions, characteristics and personality, with minimum human bias.

How?

The system is able to use a phone video (for example) to capture 172,000 tiny points of an individual's face, and to use those to read subliminal facial expressions live, and to convert them into a range of deeper emotions and specific characteristic traits in real time.

Why?


The obvious application is a kind of commercial lie-detection system and a way of getting more from a person’s responses than what is actually said or written by them. The idea is that a person’s reactions to various questions could be more useful than their answers, particularly where understanding strengths, weaknesses, and true motivations are concerned. In short, the ‘Human’ system could help companies / organisations with anything from hiring staff to fraud detection to customer satisfaction analysis, and the technology can profile potential customers based on their personality, as analysed by A.I.

According to ‘Human’, an app of this kind could have real-world applications in:
  • Recruiting and employee retention - finding out about a candidate’s personality, screening candidates by emotional intelligence, and increasing diversity with minimum human bias.
  • Financial fraud detection - insurance claims and loan applications fraud based on subliminal behaviour.
  • Customer satisfaction analysis - getting beyond any financial motivation to customer engagement and getting a better understanding of customer experiences.
  • Sales prediction - profiling customer characteristics and behaviour by personality, and predicting purchase behaviour.
  • Security detection - although facial recognition in crowds is already being used, the ‘Human’ system could identify a face in a crowd and detect concerned emotions.
  • Professional sports intelligence - detecting potential players' characteristics and personality and predicting mental and emotional status before games.
  • Dating EQ - quantifying a dating partner's emotional intelligence, and profiling characteristics and personality with empathy level.

Not Just ‘Human’

The 'Human' company is not the only company working on new kinds of combined technologies focused on learning more about people. For example:
  • Utah-based company, Converus, has a product called EyeDetect, which monitors pupil dilation in the human eye to detect truths and lies. The system boasts 86% accuracy - better than a human expert.
  • Researchers at the U.S. National Center for Border Security and Immigration at the University of Arizona and the U.S. Department of Homeland Security are testing Automated Virtual Agent for Truth Assessments in Real-Time (AVATAR) which is a kiosk based system where a virtual agent asks security questions, then alerts human agents when the kiosk detects lying.
  • Back in July 2016, Toronto startup NuraLogix developed their Transdermal Optical Imaging app software which is able to read different blood flow patterns in the face to reveal different human emotions and thereby detect truth or lies.

AI - The Big Difference

The addition of AI into the technology mix is the element that could help these kinds of technologies to rapidly increase in capabilities and in real-world value e.g. lie detection connected to AI smart glasses or to a video-conferencing system, that can enable detection to take place without anyone but the user knowing about it.

Consent Issues

Capturing and using footage is, however, likely to present some potential issues based around consent, e.g. with GDPR, as well as issues about how responsibly and legally such systems could be used and monitored in a commercial setting, not to mention issues around privacy and security (storage of profiling results and data used in the systems).

What Does This Mean For Your Business?


So much of the workings of business and the many relationships with all stakeholders is based around contracts (verbal and written), conversations and behaviour that have to rely upon a large element of trust and judgement, without having access to the full picture of true emotions, motivations, personalities, and likely outcomes. These new technologies, supercharged by AI could add value to many different areas of business that are based around decision-making and screening. The result of being able to use them in an affordable and convenient format e.g. apps and easy-to-operate systems, could deliver new insights that could translate into significant competitive advantages.

iPhone Deliberate Slowdown: Apple Apology

Tech giant Apple has apologised after confirming that long-held customer suspicions that it deliberately slowed down older iPhone models to encourage an upgrade turned out to be true.

What Happened?

Some customers had been sharing their concerns online for some time that their iPhone’s performance had slowed with age but had sped up after a battery replacement. This led to a customer sharing comparative performance tests of different models of the iPhone 6S on Reddit, which appeared to support the customer suspicions.

Technology website Geekbench also shared the results of its own tests of several iPhones running different versions of the iOS operating system, where some showed slower performance than others.

After customers' concerns mounted and received more press, Apple publicly admitted that it had made changes about a year ago in the iOS 10.2.1 software update that are likely to have been responsible for the slowdown that customers may have experienced in the iPhone 6, iPhone 6 Plus, iPhone 6s, iPhone 6s Plus, and iPhone SE.

Motivation Good

Some reports of customer suspicions, comments and speculation had focused on the idea that Apple’s motivation for causing the iPhone slowdown was purely commercial as part of a built-in obsolescence and motivated by profit. Apple, however, has pointed out that its motivations were based on a desire to prolong the life of customer devices by managing their ageing lithium-ion batteries, and to prevent the inconvenience of a sudden and unexpected shutdown.

The Problem With Lithium-Ion Batteries

According to Apple, Lithium-ion batteries need to be managed because they are incapable of supplying peak current demands when in cold conditions, when they have a low battery charge or as they age. The discharging cycle of Lithium-ion batteries (the migration of lithium ions through the material forming the battery) means that they are known to degrade over time.

Regaining Trust


Apple’s admission that it has been slowing down some phones with ageing batteries, and its acknowledgement that customer trust may have been shaken by the episode, have led to Apple announcing 3 measures to address customer concerns and regain trust, which are:
  • A reduction, from December 2017, in the price of out-of-warranty iPhone battery replacements by $50 from $79 to $29 for customers with an iPhone 6 or later whose battery needs to be replaced. N.B. the $29 out-of-warranty battery replacements have been available since 30th December.
  • An iOS software update, in early 2018, to allow customers to see how their iPhone’s battery is affecting performance.
  • A pledge that Apple is working on ways to improve how it manages performance and avoids unexpected shutdowns as batteries age.

Legal Action

The announcement that Apple does slow down older phones has, of course, led to legal action being taken against the company by disgruntled customers. For example, Apple has been hit by a class action lawsuit, led by Stefan Bogdanovich and Dakota Speas, which cites "Breach of implied contract" and "Trespass to chattel" as the two complaints. More lawsuits are expected to follow.

What Does This Mean For Your Business?


The idea that Apple may have chosen to keep quiet about something that could be viewed (without an explanation) as secretly taking away performance that somebody has paid for, and only appearing to explain it when challenged by enough customers and tech commentators is likely to have caused some damage to the brand and to customer loyalty.

Some commentators have suggested that greater transparency and an early explanation of the apparently legitimate reasons (helping to mitigate the problem of the diminishing battery) for Apple’s actions may have been a better approach.

Apple is renowned for being able to engender fan-like behaviour in some customers, and for being able to maintain a good and loyal relationship with its customers. This story illustrates how managing customer relationships in an age where information is shared quickly and widely by customers via the Internet involves making smart decisions about transparency and being seen to be up-front with loyal customers.

Amazon Accused In Birkenstock Misspelling Advert Row

German sandal maker Birkenstock has successfully brought an injunction against Amazon to prevent internet shoppers from being directed to the online marketplace with anything other than the correct spelling of the sandal brand name.

Why?

The reported motivation for the legal move by Birkenstock is to prevent unsuspecting shoppers from buying low-quality counterfeits through Amazon that would erode Birkenstock’s reputation.

The sandal company argued in a district court in Dusseldorf that Amazon booked variations of “Birkenstock” as keywords through Google AdWords, thereby potentially contributing to customers ending up with counterfeit versions of the sandals as a result of typing e.g. “Brikenstock”, “Birkenstok”, “Bierkenstock” or other variations into their Google searches for the product.

Ongoing

This move by Birkenstock appears to be part of an ongoing dispute with Amazon. A year ago, Birkenstock stopped dealing with Amazon in the United States, and has now said that it will end the sale of its products through Amazon in Europe after Amazon “failed to proactively prevent” the sale of counterfeit Birkenstock goods.

Misspelling Adverts Commonplace

One interesting aspect of this case is the fact that if the court’s final ruling (it’s still at a preliminary stage) goes in favour of Birkenstock, this could have implications for all companies using the common practice of targeting PPC adverts at misspellings of brand / product names.

For example, in one widely publicised example from back in April 2013, confectionery brand Snickers based an online advertising campaign around misspellings of its brand name. The company worked with a London agency to build a list of the top 500 search terms, and by using an algorithm was able to generate a list of 25,381 different misspellings. The three-day campaign generated 558,589 ad impressions on those misspellings, and served as an example for what has now become a very widely used PPC tactic.
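The same kind of generator that produced the Snickers misspellings is what a brand owner needs in order to watch for its own name being targeted, which is the substance of Birkenstock’s complaint. The following is an added example, not code from the article or from either campaign it describes (the agency’s actual algorithm is not published): a Python generator of every spelling one edit away from a brand name, plus a filter that picks out which keywords in a constructed report are such misspellings. The brand names and the observed keyword list are sample input constructed here.

```python
"""Single-edit misspelling generator for brand-name monitoring.

Added example, not code from the article or from either campaign it
describes. The four edit operations are the standard distance-1 moves
(delete, transpose, substitute, insert); the brand names and the list
of observed keywords below are constructed sample input.
"""
from __future__ import annotations

import string

ALPHABET = string.ascii_lowercase


def typo_variants(name: str) -> set[str]:
    """Return every distinct string exactly one edit away from `name`.

    Works on the lower-cased name and never returns the correct spelling.
    """
    word = name.lower()
    n = len(word)
    variants: set[str] = set()
    # Deletion: drop one character ("birkenstock" -> "birkenstok").
    for i in range(n):
        variants.add(word[:i] + word[i + 1:])
    # Transposition: swap two neighbours ("birkenstock" -> "brikenstock").
    for i in range(n - 1):
        variants.add(word[:i] + word[i + 1] + word[i] + word[i + 2:])
    # Substitution: replace one character with any other letter.
    for i in range(n):
        for c in ALPHABET:
            if c != word[i]:
                variants.add(word[:i] + c + word[i + 1:])
    # Insertion: add one letter anywhere ("birkenstock" -> "bierkenstock").
    for i in range(n + 1):
        for c in ALPHABET:
            variants.add(word[:i] + c + word[i:])
    variants.discard(word)
    return variants


def flag_misspellings(brand: str, observed_keywords: list[str]) -> set[str]:
    """Return the observed keywords that are one-edit misspellings of `brand`.

    Exact matches are not misspellings and unrelated terms are ignored, so the
    result is what a brand-protection review actually needs to look at.
    """
    variants = typo_variants(brand)
    return {kw.lower() for kw in observed_keywords if kw.lower() in variants}


# Constructed sample of keywords seen in, say, a search-ads report.
OBSERVED = ["Birkenstock", "Brikenstock", "Birkenstok", "Bierkenstock",
            "sandals", "birkenstocks sale", "Snickers"]

if __name__ == "__main__":
    print(len(typo_variants("Birkenstock")), "single-edit variants")
    print(sorted(flag_misspellings("Birkenstock", OBSERVED)))
```

The three misspellings quoted in the Birkenstock case are each a single edit of the correct name (a transposition, a deletion and an insertion respectively), so all three come out of the filter; for longer campaigns the variant set is simply fed to whatever keyword or domain monitoring the brand already runs.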

What Does This Mean For Your Business?

This case raises some interesting issues for online business advertising. Obviously, businesses would like to protect themselves from the actions of counterfeiters and those trying to circumvent trademark law and pass off fake goods as popular brands. In this case, however, some commentators have pointed out that Amazon’s role does not appear to be a parallel form of digital deception, and that the mainstream practice of targeting ads to misspelled search terms can actually help shoppers find what they’re looking for more easily.

Also, some commentators have made the point that counterfeit products sold on Amazon are unlikely to be using misspellings in their online or physical branding, but are more likely to simply be superficially exact copies that are listed as the real thing in Amazon’s network of third-party sellers. If, in this scenario, Amazon used misspellings to advertise Birkenstocks to shoppers, and those shoppers bought counterfeit products as a result, the problem would be more likely to be Amazon’s supply-chain structure than its search tactics.

If the German court’s final ruling goes in favour of Birkenstock, it could have much wider effects for online advertisers, and may not be to the benefit of web users.

Extremism Tax

UK Minister of State for Security, Ben Wallace, has said that Britain may impose new taxes on tech giants like Google and Facebook unless they do more to combat online extremism by taking down any material aimed at radicalizing people or helping them to prepare terror attacks.

Lack Of Co-operation

In an interview with the Sunday Times, Security Secretary Wallace is reported as saying that tech giants appear to have been “less than co-operative”, and are placing too much of the responsibility and cost for tackling extremist material and influence on the UK government (i.e. the taxpayer).

Mr Wallace is reported as saying that although the tech firms appear to be happy to sell people’s data, they seem less happy to give that data to the UK government, thereby forcing it to spend large amounts of money on de-radicalisation programs, surveillance and other counter-terrorism measures.

Tax Threat

Mr Wallace is reported as saying in his interview with the Sunday Times that the government was prepared to look at things like tax as a way of incentivising or compensating the tech giants for their “inaction”.

Vulnerable

Mr Wallace made the point that the UK is “more vulnerable than at any point in the last 100 years.” He highlighted how social media and encrypted messaging services like WhatsApp may be making things easier for attackers, and how taking down online extremist material more quickly than is currently happening could save the millions of pounds that are being spent on de-radicalising people (who have been radicalised) rather than preventing radicalisation in the first place.

Echoes of Amber Rudd

Mr Wallace’s reported comments appear to echo many of those of interior minister Amber Rudd, who, just weeks after the second bridge attack, headed a very public campaign to stop the complete end-to-end encryption model used by some social media platforms, and allow ‘back doors’ to be built in to such systems to allow the government to access them in the name of intercepting communications by extremists / terrorists. Critics have pointed out that building in back doors would make the platforms vulnerable to hackers.

Stereotyping

Mr Wallace’s reported comments also included a description of tech company staff that appeared to stereotype them as people who “sit on beanbags in T-shirts”. He was quick to create a contrast between this more passive perceived public image, and his perceived reality that the tech giants are in fact “ruthless profiteers” who will “sell our details to loans and soft-porn companies”.

What Does This Mean For Your Business?

This appears to be another effort by the government to put pressure on the tech giants through negative publicity, and this time through threats of new taxation, to highlight what the government sees as their responsibility in playing a role in reducing the terror threat from extremists. Businesses and individuals are obviously likely to be unanimous in their wish for increased national security, the reduction of a terror threat, and in closing avenues which lead to radicalisation and recruitment for extremist / terror activities.

There are, however, other influences and points of view at play here, including the powerful commercial interests and profits of the ‘tech giants’, the need to be seen to resist any forms of censorship and outside interference, the need to be seen to protect users’ privacy and trust, diplomatic and trade interests and relationships e.g. with the U.S. where the tech giants are mainly based, personal data and security implications (with stopping end-to-end encryption), and the influence of freedom and rights campaigners.

The comments of Mr Wallace are likely to be followed by many more from the government in the near future as they attempt to exert some influence over many wealthy, overseas-based but very popular tech companies that play such an important part in the daily lives of many UK citizens.

Justice Too Slow With Data Requests Says ICO

The UK’s Secretary of State for Justice has been hit with an Enforcement notice by the Information Commissioner’s Office over backlogs and poor handling of requests for personal records made under data protection laws.

Subject Access Requests

In the UK, under the Data Protection Act 1998, anyone can make a request to any organisation (termed the ‘data controller’) for copies of both paper and computer records and related information that the organisation is holding, using, or sharing about them. This is known as a ‘subject access request’ (SAR), and organisations usually charge a fee for providing the information, e.g. up to £10 in normal circumstances. Under the DPA, organisations are required to answer data access requests within 40 days.

The Backlog

The issuing of the Enforcement Notice by the ICO to the UK Ministry of Justice (technically the ‘data controller’ in this case) on 21st December 2017 relates to the fact that the ICO has received a large number of requests for assessment from people whose subject access requests had not been dealt with quickly enough by the Ministry of Justice.

The Enforcement Notice highlighted the fact that there is a backlog of 919 SARs from individuals, some of which dated back to 2012.

Two Main Problems Highlighted

The two main problems highlighted by the Notice are that the Justice Secretary (data controller) has contravened section 7 of the Data Protection Act by failing to act “without undue delay”, and that the “data controller's internal systems, procedures and policies for dealing with subject access requests made under the DPA were unlikely to achieve compliance with the provisions of the DPA”.

Plan To Clear Backlog

The ICO Enforcement Notice did, however, acknowledge that the Ministry of Justice has given the ICO a recovery plan which shows that it intends to clear the backlog by October 2018, and answer new requests without “undue delay” from January 2018.

According to the update and plan published in the Enforcement Notice, the Ministry of Justice believes that it has 793 requests that are over 40 days old, and that it planned to deal with 14 cases from 2014 by 31 December 2017, 161 cases received from 2015 by 30 April 2018, 357 cases from 2016 by 31 August 2018, and 261 cases from 2017 by 31 October 2018.

What Does This Mean For Your Business?

This is an embarrassment for the Ministry of Justice, and may be an indication of a wider problem faced by many businesses and organisations in the UK that are still not getting to grips with their responsibilities under the current Data Protection Act, let alone getting prepared for the introduction of the UK’s Data Protection Bill and the EU’s GDPR, which will come into force on 25th May 2018.

Under GDPR, for example, businesses and organisations will have to deal with requests even more quickly, may have to provide additional information, and won’t be able to charge a fee for complying with requests. There will also be the challenges of responding to an individual’s ‘right to be forgotten’, and the prospect of much greater penalties for non-compliance than under the current Data Protection Act.

This story is a reminder that all businesses and organisations should take the opportunity now to ensure that their data practices are in order and likely to be compliant with GDPR, and also to consider that being GDPR compliant could actually provide commercial advantages as this will become a serious factor for consideration in trading relationships and alliances.

Tuesday, January 02, 2018

Miscarriage Risk From Wi-Fi And Smartphones

A U.S. study has found a link between high levels of magnetic field (MF) non-ionizing radiation, such as that emitted by mobile phones and Wi-Fi transmitters, and a 2.72x higher risk of miscarriage.

What Is MF Magnetic Field Non-Ionizing Radiation?

Radiofrequency energy is a form of electromagnetic radiation, and this can be categorized as either ionizing (e.g., x-rays, radon, and cosmic rays) or non-ionizing (e.g. radiofrequency and extremely low frequency, or power frequency). The energy of electromagnetic radiation is determined by its frequency. Ionizing radiation is high frequency, and high energy, whereas non-ionizing radiation is low frequency and low energy.

Magnetic Field Non-Ionizing Radiation / MF radiation is widespread, and something that we are all exposed to from traditional sources that generate low frequency MFs / emit radio-frequency MF radiation e.g. power lines, and appliances, and from emerging sources that generate higher frequency MFs e.g. wireless networks, smart meter networks, mobile phone masts, and wireless devices such as smartphones. Even household appliances such as fridges and freezers emit MF radiation.

We are now generally exposed to more MF radiation than ever because we use more MF generating equipment / devices as part of modern life.

The Study Results

The results of the San Francisco-based study involving 913 pregnant women found that those women exposed to high levels of MF non-ionizing radiation had a 2.72x higher risk of miscarriage than those exposed to low MF levels.

The authors of the study say that these findings add to the evidence of at least 7 previous studies that MF non-ionizing radiation could have adverse biological impacts on human health.

The facts that this study showed an almost three-fold increased risk of miscarriage if a pregnant woman was exposed to higher MF levels, that the association was independent of any specific MF exposure sources or locations, and that a 2.5mG threshold level for health effects may have been discovered make the results appear significant, and have got the attention of the media.

Cancer Link Too

Another recent (multi-year) survey by the National Toxicology Program (NTP) found an increased risk of cancer associated with MF non-ionizing radiation exposure. In this case, it found that the cancer risk from MF radiation exposure in experimental animals matched the cancer cell types that had been reported in previous epidemiologic studies in human populations.

The UK National Cancer Institute acknowledges online that exposure to ionizing radiation, such as from x-rays, is known to increase the risk of cancer, but that there is currently no consistent evidence that non-ionizing radiation increases cancer risk.

What Does This Mean For Your Business?

The modern workplace, which could be a company / organisation office, an office at home, or a vehicle, is likely to have MF emitting equipment that is in regular or constant use. Add to this the amount of MF non-ionizing radiation exposure we receive when we go home, use our phones, go into shops and other buildings, or pass near e.g. phone masts, and it is easy to see why any evidence of negative effects on health is causing concern. Since pregnant women appear to be particularly at risk, it may be necessary for companies to at least make sure that any pregnant employees are informed of the existence of those kinds of risks on the premises, and of the potential danger according to prominent studies.

It is important to remember, however, that even though the results of this study are worrying, MF non-ionizing radiation is very difficult to avoid (particularly in built-up areas), that there is no consistent evidence of certain health risks, and that for many studies it is difficult to measure exactly how much MF radiation each individual research subject is exposed to. It is likely, therefore, that the results of this study will point the way for more research in future.

Beware Android Phone-Melting Malware

A type of crypto-currency mining malware has been found to overload an Android phone with so much constant traffic that its battery physically bulges and bends the phone cover.

Malware Causing Physical Damage

The Android phone-wrecking Trojan malware, dubbed “Loapi”, was discovered by Kaspersky researchers. In tests, after running it for several days mining the Monero crypto-currency, the Android phone used in the test was overloaded with activity (trying to open about 28,000 unique URLs in 24 hours) to the point that the battery and phone cover were badly damaged and distorted by the resulting heat.

The Loapi malware is reported to have been found hiding in applications in the Android mobile operating system.

How It Works

Loapi reportedly works by hijacking a smartphone’s processor and using the computing power to mine crypto-currency.
‘Mining’ refers to the process of completing complex algorithms to get rewards of new crypto-currency units e.g. Bitcoin.
Loapi uses JavaScript code execution hidden in web pages (usually via advertising campaigns) together with WAP billing to subscribe the user to various services. This works in conjunction with the SMS module, which sends the subscription message.

What makes Loapi particularly dangerous is the amount of device-attacking techniques present in it, and the modular architecture of this Trojan which means that more functionality could be added to it at any time.

Part Of Trend For Mining Scams

It is likely that Loapi is loaded onto an Android device when a user visits a web page where mining software / mining code is running in the background, without the knowledge of the website owners or visitors.
The scammer who plants the code can use the power of multiple computers / devices joined into a network so that their combined computing power solves the mathematical problems first (before other scammers) and thereby claims / generates cash in the form of crypto-currency.

A report by ad blocking firm AdGuard in October this year showed that the devices of 500 million people may be inadvertently mining crypto-currencies as a result of visiting websites that run mining software in the background.

What Does This Mean For Your Business?

Unfortunately, many cyber criminals are now trying to leverage the processing power of computers, smartphones and other devices to generate revenue from mining crypto-currency. Mining software, e.g. Coin Hive, has been found in popular websites, and crypto-currency mining scams are now being extended to target cloud-based computing services in the hope of harnessing huge amounts of computing power and using multiple machines to try and generate more income.

The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses, and this new threat of actually having your phone melted by malware adds another level of risk, including that of fire.

There are some simple measures that your business can take to avoid being exploited as part of this popular scam, although it is unclear how well these will work with the newly discovered Loapi. For example, you can set your ad blocker (if you’re using one) to block one specific JavaScript URL, which could stop the miner from running without stopping you from using any of the websites that you normally visit.

Also, browser extensions are available e.g. the 'No Coin' extension for Chrome, Firefox and Opera (to stop Coin Hive mining code being used through your browser).
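Blocking a miner by its script URL, as suggested above, depends on recognising the script in the first place, and a site owner who wants to know whether mining code has been planted on their own pages needs the same check. The following is an added example, not code from the article, from Kaspersky or from any blocker extension: a Python scan that can be run over HTML saved from your own sites or captured at a web proxy, listing scripts loaded from known miner hosts and inline scripts that instantiate a miner. The blocklist and the two sample pages are constructed here; coinhive.com is the domain of the Coin Hive service named above and `CoinHive.Anonymous` and `coinhive.min.js` are the names that service published, while `miner.example.net` and the site key are placeholders.

```python
"""Scan HTML for in-browser crypto-mining indicators.

Added example, not the article's or any vendor's code. The blocklist and
the two sample pages are constructed for the example; coinhive.com and the
CoinHive.Anonymous / coinhive.min.js names are the ones the Coin Hive
service itself published, miner.example.net is a placeholder.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose scripts are treated as miners (constructed blocklist).
MINER_HOSTS = {"coinhive.com", "miner.example.net"}

# Inline-script patterns: the Coin Hive constructor plus generic miner vocabulary.
MINER_PATTERNS = [
    re.compile(r"CoinHive\.Anonymous\(", re.I),
    re.compile(r"cryptonight", re.I),
    re.compile(r"\bstratum\+tcp://", re.I),
]


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: list[str] = []
        self.inline: list[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_script = True   # body arrives via handle_data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def _host_is_blocked(src: str) -> bool:
    host = (urlparse(src).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def find_miner_indicators(html: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings: list[str] = []
    for src in parser.srcs:
        if _host_is_blocked(src):
            findings.append(f"external script from known miner host: {src}")
    for body in parser.inline:
        for pat in MINER_PATTERNS:
            if pat.search(body):
                findings.append(f"inline script matches {pat.pattern!r}")
                break   # one finding per inline block is enough
    return findings


# Constructed sample pages: one carrying a miner, one clean.
MINING_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.3});
  miner.start();
</script></head><body>Free movies</body></html>"""

CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>console.log("hello");</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for name, page in (("mining page", MINING_PAGE), ("clean page", CLEAN_PAGE)):
        print(name, "->", find_miner_indicators(page) or "no indicators")
```

Matching on host rather than the full URL is what makes the "block one specific JavaScript URL" advice above robust: the miner library can be renamed, but it still has to be fetched from somewhere and still has to be started from an inline script, and both of those are visible in the page source.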

You can generally steer clear of dodgy Android apps by sticking to Google Play, by avoiding cloned apps from unknown developers within Google Play, by checking app permissions before you install them, by keeping Android apps up to date (and by deleting the ones you don’t use), and by installing an antivirus app.

Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current scams and what to do to prevent them, are just some of the ways that you could maintain a basic level of protection for your business.

Kaspersky Tries To Overturn U.S. Directive

Embattled Moscow-based cyber security firm Kaspersky Lab is appealing against the U.S. Government’s ban on its software on the grounds that it is unconstitutional and that there is no technical evidence for it.

What Directive?

Back in September, The U.S. Department of Homeland Security (DHS) issued a Directive ordering civilian government agencies to remove Kaspersky software from their networks within 90 days. Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions (anti-virus software).

Concerns Over Many Years

The U.S. Directive (ban) came after concerns about possible Russian state interference in the U.S. elections, but Kaspersky has long been the subject of suspicion and concern among Western governments.

In July this year, for example, security researchers claimed to have found a way to force the anti-virus product to assist snoops in stealing data from segmented networks (not connected to the wider internet).

Back in 2015, it was also reported that the US National Security Agency and GCHQ had sought to carry out reverse engineering of Kaspersky anti-virus as far back as 2008 to discover any vulnerabilities.

Long-running fears about Kaspersky have also been fuelled by leaks from the NSA through Edward Snowden (2013) and Hal Martin (2016), and by allegations (printed in the Wall Street Journal) that a Vietnamese NSA contractor was hacked on his home computer by Russian spies via Kaspersky.

Earlier this month Barclays bank in the UK emailed its 290,000 online banking customers to say that it will no longer be offering Kaspersky Russian anti-virus because of information and news stories about possible security risks.

The Appeal

A federal appeal has now been filed by Kaspersky Lab under the Administrative Procedure Act against the U.S. Directive to remove Kaspersky software from civilian government agency networks. According to Kaspersky, the DHS has acted unconstitutionally and has violated Kaspersky Lab’s right to due process by issuing Binding Operational Directive 17-01.

Kaspersky Lab argues that the issuing of the Directive was based on no technical evidence, and the company has repeatedly denied any ties to any government and has said that it would not help a government with cyber espionage.

Damage

Kaspersky Lab has publicly stated that the Directive and the wide-scale media coverage and public / business reaction to it have damaged the company’s position in the market. Sales are reported to be down, Kaspersky has announced the closing of its D.C. headquarters as a direct result of the U.S. government’s public suspicion toward its business, and the company’s founder, Eugene Kaspersky, has said that the company has also suffered damage to its reputation.

Submitting Code

As well as strenuously denying the allegations and launching an appeal, Kaspersky Lab said in October that it would submit the source code of its software and future updates for inspection by independent parties and U.S. officials.

What Does This Mean For Your Business?

For businesses using Kaspersky in the UK, it is worth remembering that although Barclays Bank have stopped using the software, and a U.S. Directive remains in place, no actual evidence of wrongdoing related to espionage / spying, or of the company colluding with the Russian state has been publicly provided.

Businesses will need to take an individual view of any possible risks, taking into account the context of a certain amount of paranoia and the recent focus in the media about Russia following allegations of interference in the US elections.

On a technical and security note, it may not be a good idea anyway to remove Kaspersky anti-virus from a computer without immediately putting a suitable alternative in place. Anti-virus forms an important part of a company / organisation’s basic cyber defences and this, and other software should be kept up to date with patches and updates to enable evolving threats to be combated as part of a wider strategy.

School Heating Hack Risk

Cyber-security company Pen Test Partners has warned that schools with building management systems that are linked to the Internet could face the risk of hackers turning the school heating system off - or worse.

The Problem

The problem is that many electricians and engineers may be lacking in knowledge about cyber security and / or may have linked a school’s HVAC system to Internet controls against the manufacturer’s guidelines. Also, many smart school heating systems may have vulnerabilities in them that hackers may find easy to exploit.

Tested

The researchers at Pen Test Partners tested for potential hacking risks by looking for building management system controllers made by Trend Control Systems via the IoT search tool Shodan. This online tool (see https://www.shodan.io) provides a public API and enables anyone to discover which devices are connected to the Internet, where they are located and who is using them.

In a test, it was revealed that it took less than 10 seconds to find more than 1,000 examples of a 2003 model of a school heating system known to be vulnerable when connected to the Internet. The visibility of a known vulnerable system via a public website is a clear example that the risk of school heating systems being controlled remotely by hackers is real.

Not Just Schools

The same / similar heating systems may also be used in buildings used by retailers, government offices, businesses and even military bases, thereby highlighting a much wider potential risk.

Incentive

Security commentators have pointed out that there would be very little incentive for hackers to access school systems because many hacks are carried out for financial gain.

The risks could, however, increase in future as more devices and systems become part of the IoT.

What Does This Mean For Your Business?

It is possible that some businesses may be in buildings where the heating systems are exposed to a hacking risk. Risks could be reduced if companies used skilled IT workers who are aware of the potential risks and if systems are checked properly after installation.

To make heating systems really secure they should also be configured behind a firewall or virtual private network, and they should have the latest firmware and other security updates.

It is also important to note that some responsibility rests with the manufacturers of heating and other smart building systems to design security features into them because even if a device is not directly connected to the internet, there may be an indirect way to access it.

This story also highlights the wider challenge of tackling security for IoT devices and products. There have been many occasions in recent years when concerns about the security / privacy vulnerabilities in IoT / smart products have been publicly expressed and reported. The truth is that the extent of the current vulnerabilities are unknown because the devices are so widely distributed globally, and many organisations tend not to include them in risk assessments for devices, code, data, and infrastructure. Home / domestic users have no real way of ascertaining the risks that smart / IoT devices pose, probably until it’s too late.

It has also been noted that not only is it difficult for businesses, including manufacturers of smart products, to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.

For businesses, it’s a case of conducting an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default username and passwords in these devices are changed as soon as possible. For home users of smart products (who don’t run checks and audits), it appears that others (as in the case of the German Federal Network Agency) need to step in on their behalf and force the manufacturers to take security risks seriously.
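The measures above (management interfaces reachable only through a firewall or VPN, current firmware, and vendor default credentials changed) are exactly the points an audit of known building controllers should record. The following is an added example, not the researchers’ code or anything from the article: a small Python audit over a constructed inventory of two building controllers and two constructed firewall rulesets, the weak one publishing a controller’s web interface to the whole Internet and the corrected one admitting only the VPN address pool. Device names, addresses, credentials, firmware versions, the minimum firmware baseline and the VPN range are all placeholders.

```python
"""Audit building controllers for Internet exposure, default credentials
and stale firmware.

Added example, not from the article or the researchers it quotes. All
devices, addresses, credentials, firmware versions and the VPN range are
constructed placeholders, not real products or sites.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    address: str              # management interface address
    port: int                 # management service (web UI, protocol gateway, ...)
    username: str
    password: str
    firmware: tuple[int, ...]


@dataclass
class Rule:
    """One permit rule of the perimeter firewall: source CIDR -> dest host:port."""
    source: str
    dest: str
    port: int


# Vendor defaults the audit expects to find no longer in use (constructed list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}
MIN_FIRMWARE = (4, 2, 0)                              # placeholder patched baseline
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")      # placeholder VPN client range

INVENTORY = [
    Device("boiler-controller", "10.0.5.20", 80, "admin", "admin", (3, 9, 1)),
    Device("ahu-controller", "10.0.5.21", 80, "facilities", "Xr7!kq2#Lp", (4, 3, 0)),
]

# 'Before': the boiler controller's web interface is open to any source address.
WEAK_RULES = [
    Rule("0.0.0.0/0", "10.0.5.20", 80),
    Rule("10.200.0.0/16", "10.0.5.21", 80),
]

# Corrected: management is only reachable from the VPN address pool.
HARDENED_RULES = [
    Rule("10.200.0.0/16", "10.0.5.20", 80),
    Rule("10.200.0.0/16", "10.0.5.21", 80),
]


def rule_exposes(rule: Rule, device: Device) -> bool:
    """True if the rule lets sources outside the VPN pool reach the device's port."""
    if rule.dest != device.address or rule.port != device.port:
        return False
    source = ipaddress.ip_network(rule.source)
    # A source range not wholly inside the VPN pool admits outside addresses.
    return not source.subnet_of(VPN_POOL)


def audit(devices: list[Device], rules: list[Rule]) -> dict[str, list[str]]:
    """Return findings per device; an empty list means the device passed."""
    report: dict[str, list[str]] = {}
    for dev in devices:
        findings: list[str] = []
        if any(rule_exposes(r, dev) for r in rules):
            findings.append("management port reachable from outside the VPN")
        if (dev.username, dev.password) in DEFAULT_CREDENTIALS:
            findings.append("vendor default credentials still in use")
        if dev.firmware < MIN_FIRMWARE:
            findings.append("firmware below minimum supported release")
        report[dev.name] = findings
    return report


if __name__ == "__main__":
    for label, rules in (("weak ruleset", WEAK_RULES), ("hardened ruleset", HARDENED_RULES)):
        print(label)
        for name, findings in audit(INVENTORY, rules).items():
            print(f"  {name}: {findings or 'OK'}")
```

Moving to the corrected ruleset clears only the exposure finding; the boiler controller still fails on credentials and firmware, which is the point of recording all three separately rather than treating "behind the firewall" as the whole job.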

No More Chrome Apps From This Year

Google has announced that Chrome apps for Mac and Windows will no longer be available from the Chrome Web Store by early this year and that they will be replaced next year by Progressive Web Apps (PWAs).

Why?

Google has had Chrome-browser supported stand-alone apps on Mac, Windows and Linux since 2013, but back in August 2016 it was announced that Google would be phasing-out these apps because only 1% of users actively used them, and most hosted apps were already implemented as regular web apps e.g. Netflix.

Google therefore wanted to simplify its browser and move developers to more standardized web apps, and planned to phase out standalone Chrome apps over 2 years, starting by limiting newly published apps to users on Chrome OS.

This latest announcement is the beginning of the final phase of that two-year plan.

Why Chrome Apps?

Chrome apps / packaged apps are basically Google’s own web-apps that are able to run offline, in their own window, and integrate with the underlying operating system and hardware.

Google has stated that it originally launched Chrome apps to give users experiences that the web, at the time (2013) couldn’t provide e.g. working offline, sending notifications, and connecting to hardware.

The Replacement - PWAs From APIs

Google’s work to move developers to more standardised apps has led to the introduction of powerful APIs e.g. service worker and web push, to enable the building of Progressive Web Apps that work across multiple browsers. These PWAs (launched earlier this year on Android) are essentially the replacement for Google’s standalone Chrome apps and blur the line between websites and installed software. PWAs will be available on desktops from the middle of 2018. According to Google, the benefits of PWAs are that they offer:
  • Reliability - they load instantly and don’t slow everything down.
  • Speed - they respond quickly to interactions with users, and animations are smooth.
  • Engagement - they offer the user an immersive experience with help from a web app manifest file (allowing users to control how an app appears and how it's launched). A PWA feels like a natural app on a device.
  • Improved Conversions - Google has quoted the example of how AliExpress were able to improve conversions for new users across all browsers by 104% and on iOS by 82%.

What Does This Mean For Your Business?

It appears that the standalone Chrome apps may have been a welcome introduction back in 2013, but are now not being used because they have been replaced by regular web apps anyway. This announcement by Google shouldn’t, therefore, cause any real concern to most businesses.

Anything that can be done to simplify the use of browsers such as Chrome has to be good news.

The benefits of PWAs are also promising for developers and users, and the possibility of increased engagement and conversions are clearly of interest to businesses.

Monday, December 18, 2017

Supply Chain Attacks

With GDPR on the way, it is more important than ever for companies to protect themselves from online attacks via a 3rd party in their supply chain.

What’s The Risk?

Many companies have professional relationships with 3rd parties in their supply chain / value chain that involve granting them access to systems and sensitive data. This, combined with increased levels of sophistication in hacking tools and strategies, plus increased oversight from regulators, and potentially ‘weak link’ companies in terms of cyber-security now make the risk of supply chain attack very real.

Examples

Examples of high-visibility supply chain attacks where a 3rd party was implicated or blamed include the hack back in September of US credit rating company Equifax, when 143 million customer details were thought to have been stolen, including a possible 44 million from UK customers. Equifax was reported to have blamed the breach on a flaw in outside software it was using, and on a malicious download link on its website to another vendor.

Also, the much publicised, so-called ‘Paradise Papers’ leak of 13 million files allegedly giving details of the offshore tax havens and tax avoidance schemes used by the rich and famous, and by governments and corporations was blamed on offshore legal firm Appleby.

Figures

A Ponemon Institute survey has revealed that 56% of organizations have had a breach that was actually caused by one of their vendors, and that although the average number of 3rd parties with access to sensitive information at each organization has increased from 378 to 471, only 35% of companies have a list of all the third parties they are sharing sensitive information with. An organisation that does not even know which third parties it has data-sharing arrangements with cannot monitor or check those relationships, which is obviously a risky situation and could make detection of a breach very difficult.

Now An Eco-System

Rather than being single entities, even small companies / organisations are now digital ecosystems where many things are bought in or outsourced, e.g. hardware, software, and services such as cloud provider services (in place of data centres). This means that there are many more potentially weak links in the value / supply chain of a company that breaches could come from.

GDPR

With GDPR coming in May 2018, for example, liability and responsibility will extend to all organisations that touch the personal data of the subject / subjects. This means that companies / organisations will need to take a close interest in all parts of the data storage and processing chain to ensure compliance all the way along, within the organisation, and in the choosing and management of 3rd party relationships.

Also, there will need to be privacy by design, and the software, systems and processes of companies must be designed around compliance with the principles of data protection. Companies and organisations will need to ensure that 3rd party companies e.g. cloud suppliers, are themselves compliant, and building-in encryption.

Professional Services Companies A Risk

Many professional supply-side services companies have shown themselves to be vulnerable, and are often the route that attackers use to reach their final goal e.g. the Verizon breach caused by Nice Systems (customer service analytics), and the Deloitte hack in September where hackers were able to access emails and confidential plans of some of its blue-chip clients.

What Does This Mean For Your Business?

Many security commentators now believe that a new approach is needed to manage 3rd party risk effectively across a company’s digital ecosystem. This means really understanding where risks lie within that system, tailoring controls according to those risks, and collaborating with 3rd parties to remediate and mitigate those risks.

Companies and organisations need to become good at managing 3rd party risk in order to reduce the likelihood of a breach. This could involve measures such as:
  • Identification of every vendor, and which of them have access to sensitive data.
  • Evaluation of the security and privacy policies of all suppliers.
  • Introducing service level agreements with suppliers that show their commitment to security.
  • Asking vendors to do self-assessments, allow customer visits and audits, or purchase cyber insurance (most likely to work for larger customers).
  • Checking security score ratings for vendors e.g. through BitSight Technologies or SecurityScorecard.
  • Looking at vendors' internal policies and processes.
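The first two measures above (knowing every vendor, and knowing which of them hold sensitive data) are the ones the Ponemon figures say most organisations fail. The following added example (not from the page or any named product) shows one way to make them operational: it reconciles a vendor register against third-party domains observed in egress or single-sign-on logs to find vendors nobody inventoried, then triages the vendors holding sensitive data against the SLA, assessment and rating checks listed above. The register, the observed domains, the 0-100 rating scale and the thresholds are all constructed for illustration.

```python
"""Third-party risk triage over a vendor register (constructed data, added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class Vendor:
    name: str
    domains: Set[str]                 # domains the vendor's service is reached on
    sensitive_data: bool              # does the vendor hold personal / sensitive data?
    sla_has_security_clause: bool     # SLA contains an explicit security commitment
    last_assessment: Optional[date]   # date of last self-assessment or audit, if any
    security_score: Optional[int]     # external rating, assumed 0-100 scale (hypothetical)


# Constructed register: what the organisation *believes* its third parties are.
REGISTER: List[Vendor] = [
    Vendor("CloudHost", {"cloudhost.example"}, True, True, date(2017, 9, 1), 82),
    Vendor("Payroll SaaS", {"payroll.example"}, True, False, date(2016, 6, 15), 55),
    Vendor("Analytics Co", {"analytics.example"}, True, True, None, None),
    Vendor("Stationery Supplier", {"stationery.example"}, False, False, None, None),
]

# Constructed: third-party domains seen in proxy / SSO logs over the last month.
OBSERVED_DOMAINS = [
    "cloudhost.example", "payroll.example", "crm-trial.example", "analytics.example",
]

TODAY = date(2017, 12, 11)  # constructed reference date for assessment age


def find_unlisted_vendors(register: List[Vendor], observed: List[str]) -> List[str]:
    """Domains in use that no register entry claims: a third party that was never
    inventoried, and therefore never evaluated (the '65% have no full list' gap)."""
    known = {d for v in register for d in v.domains}
    return sorted(set(observed) - known)


def triage(register: List[Vendor], today: date,
           max_assessment_age_days: int = 365, min_score: int = 70) -> Dict[str, List[str]]:
    """For each vendor holding sensitive data, list which of the page's checks it
    fails: security SLA, recent assessment, acceptable external rating."""
    findings: Dict[str, List[str]] = {}
    for v in register:
        if not v.sensitive_data:
            continue  # vendors without sensitive data access get lighter treatment
        issues: List[str] = []
        if not v.sla_has_security_clause:
            issues.append("no security commitment in SLA")
        if v.last_assessment is None:
            issues.append("never assessed")
        elif (today - v.last_assessment).days > max_assessment_age_days:
            issues.append("assessment older than %d days" % max_assessment_age_days)
        if v.security_score is None:
            issues.append("no external security rating")
        elif v.security_score < min_score:
            issues.append("security rating %d below %d" % (v.security_score, min_score))
        if issues:
            findings[v.name] = issues
    return findings


if __name__ == "__main__":
    print("Unlisted third parties:", find_unlisted_vendors(REGISTER, OBSERVED_DOMAINS))
    for name, issues in triage(REGISTER, TODAY).items():
        print(name + ":", "; ".join(issues))
```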

HP Laptop ‘Keylogger’ Security Risk Discovered

HP is reported to have issued patches for 450+ commercial workstations, consumer laptops and other HP products after a keylogger was found to have been hidden in a driver.

What Is A Keylogger?

As the name suggests, a keylogger / keystroke-logger usually refers to covert spying / monitoring software that tracks every key that you strike on your keyboard. This software is usually employed with malicious intent e.g. to collect account information, credit card numbers, user-names, passwords, and other private data.

Supposed To Be Debugger

In the case of the recent HP keylogger discovery, however, the offending versions of Synaptics touchpad drivers were actually intended to be used for debugging and aren’t believed to have been used with any malicious intent. The “debug trace” is actually a legitimate tool used by software companies to trace a problem / bug.

The security threat in this case is a potential one: a hacker who was able to exploit the debug trace could track every letter a laptop user typed.

HP has stressed that there has been no recorded access to customer data as a result of the issue.

Discovered

The potentially serious threat was discovered by a computer programmer known as ‘Myng’ back in November, who came across the issue while trying to control the backlighting of an HP keyboard. The programmer noticed a format string for a keylogger when looking through the keyboard driver, and at that point contacted HP about his discovery.

Not The First Time

Strangely, this is not the first time such a discovery has been made about drivers installed in HP products. Back in May, a keylogger was discovered in Synaptics subsidiary Conexant's audio drivers, which are installed in HP Laptops.

Fix Issued

HP actually issued a fix for this latest “potential, local loss of confidentiality” issue back on 7th November (updated 12th December).

What Does This Mean For Your Business?

If your business uses HP Commercial Notebooks, Mobile Thin Clients, Mobile Workstations, or if you use an HP Consumer Notebook, the company has provided software updates for Synaptics touchpad drivers listed by model (a long list) on the support section of its website here: https://support.hp.com/us-en/document/c05827409.

This story illustrates how software development needs to take into account all known potentially malicious angles. It also helps to illustrate how we may all be facing risks from as yet undiscovered bugs and vulnerabilities in commercial software that we are already using.

The importance of keeping up to date with patches and software updates cannot be overstated. It is worth remembering that 9 out of 10 businesses are hacked through un-patched vulnerabilities, that hackers can attack 9 out of 10 businesses with exploits that are more than three years old, and that 60% of companies experience successful attacks targeting devices for which a patch has actually been available for 10 or more years.

$80m Bitcoin Hack

Slovenian-based bitcoin mining marketplace NiceHash has reported that it has become the victim of a highly professional attack with sophisticated social engineering that has resulted in the theft of bitcoin to an estimated value of $80m.

The Hack

The 4,700 bitcoins were reported stolen in a hack of the NiceHash digital currency marketplace’s payment system last week. Users of NiceHash were advised to change online passwords, and operations in the NiceHash marketplace were halted last Wednesday.

NiceHash’s chief executive Marko Kobal is reported to have said that attackers (probably based outside the European Union) accessed the company's systems at 00:18 GMT, and by 03:37 they had begun stealing Bitcoin. The exact nature of the hack, however, has not yet been released.

What Is NiceHash?

NiceHash is a digital currency marketplace with an estimated 750,000 registered users that matches people looking to sell processing time on their computers with users who are willing to pay to use it to mine for new bitcoin.

Bitcoin miners essentially use special software to solve maths problems, and are issued a certain number of bitcoins in exchange. This provides a smart way to issue bitcoins, and creates an incentive for more people to mine.
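The “maths problem” above is a brute-force hash search, and the processing time NiceHash brokers is exactly that search capacity. The added example below (written for this page, not Bitcoin’s or NiceHash’s own code) shows the mechanism with a simplified block header and a difficulty expressed as leading zero bits; real Bitcoin uses a full 80-byte header and a 256-bit target, but the search and the verification work the same way.

```python
"""Toy proof-of-work: what a miner computes, and why verifying is cheap while
finding a solution is not. Added example with a simplified header format."""
import hashlib


def block_hash(header: bytes, nonce: int) -> bytes:
    # Bitcoin hashes the header with double SHA-256; the nonce is the field a
    # miner varies between attempts (4-byte little-endian, as in Bitcoin).
    data = header + nonce.to_bytes(4, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    # A solution is a hash numerically below the target, i.e. one that starts
    # with at least `difficulty_bits` zero bits. Each extra bit halves the odds.
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Search nonces until one hashes below the target.
    Returns (nonce, attempts) or (None, attempts) if max_nonce is exhausted.
    There is no shortcut: expected attempts are about 2**difficulty_bits."""
    attempts = 0
    for nonce in range(max_nonce):
        attempts += 1
        if meets_target(block_hash(header, nonce), difficulty_bits):
            return nonce, attempts
    return None, attempts


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    # Anyone can check a claimed solution with a single hash computation.
    return meets_target(block_hash(header, nonce), difficulty_bits)


# Constructed stand-in for a block header (previous hash, merkle root, etc.).
SAMPLE_HEADER = b"prev:0000abcd|merkle:feedbeef|time:1512950280"

if __name__ == "__main__":
    for bits in (8, 12, 16):
        nonce, attempts = mine(SAMPLE_HEADER, bits)
        print("difficulty %2d bits: nonce=%d after %d attempts, valid=%s"
              % (bits, nonce, attempts, verify(SAMPLE_HEADER, nonce, bits)))
```

Running it shows attempt counts growing roughly sixteen-fold for every four bits of difficulty, which is the work that mining marketplaces sell by the hash-per-second.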

NiceHash’s social media accounts experienced a rise in the number of posts by bitcoin owners after it became apparent that there were problems with the website.

Reimbursed

It has been reported that NiceHash are working on a solution to reimburse all those affected by the hack.

Not The First Time

There have been dozens of reported attacks on digital currency exchanges over the last 6 years, such as the one that led to the collapse of the world’s largest bitcoin market Mt. Gox back in 2014. It is estimated that the many attacks have resulted in the theft of 980,000+ bitcoins which equates to more than $15 billion value at current exchange rates.

What Does This Mean For Your Business?

A huge surge in the value of bitcoin from $1,000 per bitcoin at the beginning of the year to around $15,000 now, coupled with the accompanying rise in the number of bitcoins contained within digital wallets, has attracted the attention of hackers. The criminals have found that they are able to take advantage of exchanges and firms in the young crypto-currency industry sector that may not be secure against sophisticated attacks by criminal groups.

Those individuals and businesses involved in bitcoin speculation, investing and mining should therefore make sure that they get the best possible advice and help, and crypto-currency firms and exchanges need to invest in the most up to date systems and practices to ensure protection for their customers and users.

Stick and Carrot Measures To Deal With GDPR

A report by Veritas Technologies has said that since 91% of companies lack a strong data management culture, they will be considering a number of ‘carrot and stick’ motivators to bring about the changes needed to help them to implement and comply with GDPR.

GDPR Next Year

The EU’s General Data Protection Regulation (GDPR) will come into force on 25th May 2018 and is a regulation designed to set the guidelines going forward for the collection and processing of personal identity information by companies and organisations. The regulation has been designed to make companies take the issue of data protection more seriously, to strengthen the rights that EU citizens have over their data, and to ensure that businesses and other organisations are more transparent in how they store data.

The Challenge

The challenge, according to the Veritas report, which took into account the views of 900 decision-makers across 8 countries, is that even though 31% of those surveyed think their enterprise is already GDPR compliant, only 2% of respondents actually appear to be compliant.

Also, 9 out of 10 companies lack the data management culture that could ensure a greater likelihood of quickly and effectively reaching high levels of GDPR compliance.

Motivation

This challenge, coupled with the limited amount of time before GDPR comes into force is the reason why companies and organisations of all kinds are looking at a variety of carrot and stick methods to drive the cultural and organisational changes needed to get to grips with GDPR going forward.

For example, nearly half of the companies surveyed by Veritas plan to drive the change by adding compliance to employee contracts (47%). Other planned drivers include implementing disciplinary action if the regulation is disobeyed (41%) and educating employees about the benefits of GDPR (40%).

Positive

Despite the obvious penalties and other problems that companies face with non-compliance and data breaches, 95% of decision-makers expected a positive outcome from compliance, and 92% thought they would benefit from having better data hygiene.

This more positive attitude towards the changes that will be necessary for GDPR compliance was also reflected in the views of the 68% of respondents in the Veritas survey who said compliance would give them a better insight into their business, which could help to improve the customer experience, and that compliance would save money.

What Does This Mean For Your Business?

The introduction of GDPR is a little over 5 months away, and this in itself is a motivator for many companies and organisations now taking a serious look at exactly how they intend to make the changes they need to be compliant, and / or to re-visit the plans that they have already made to achieve compliance.

GDPR will have a big impact on the culture of companies and organisations and, based on the results of the Veritas report, more education is needed on the tools, processes and policies to support information governance strategies that are necessary to comply with the GDPR requirements. Data management commentators suggest that companies should adopt an automated, classification-based, policy-driven approach to GDPR so that they can meet the regulatory demands within the short time frame available.

Many companies and organisations are now starting to see the positive outcomes and benefits that GDPR compliance will bring such as increased revenues, resulting from improved customer loyalty, heightened brand reputation, and competitive differentiation in the market. There is also now a realisation that companies will prefer to have business relationships with GDPR compliant companies to help ensure their own compliance.

Facebook Dopamine-Addictive, Admits Ex-Exec

Former Facebook Vice President Chamath Palihapitiya has made the headlines following apparently negative comments that he made at an event about Facebook’s effects on society.

Guilt

While speaking at a Stanford Graduate School of Business event, Mr Palihapitiya surprised many listeners when he reportedly described his feelings of guilt about helping the company attract two billion users, and advised people to take a “hard break” from social media because of the short-term, dopamine-driven feedback loops that it provides.

Like Sean Parker’s Comments

Mr Palihapitiya’s comments appear to echo those of founding president and billionaire Sean Parker, who said at an Axios event in Philadelphia back in November that the social media platform changes our relationship with society, and with each other, and is reported as saying that “God only knows what it’s doing to our children’s brains”.

Mr Parker, who also founded file-sharing site Napster, explained that the objective of Facebook was to consume as much of a person’s time and conscious attention as possible and that the “like” button would give users a kind of “little dopamine hit”, and thereby encourage them to upload more content. Mr Parker is also reported as saying that Facebook “exploited a vulnerability in human psychology” and that “all of our minds can be hijacked.”

Programmed

Mr Palihapitiya is reported as going so far as saying that the short-term signals that Facebook gives e.g. hearts, likes, and thumbs-up help Facebook users to get a kind of false perceived sense of perfection which is short-lived and “brittle” and equates to a kind of programming.

Global Problem

Mr Palihapitiya also highlighted how 10 million people in the US saw “divisive social and political messages” in Facebook adverts from Russia before and after the US presidential election, and how this had become a global problem that appeared to be fuelled by social media such as Facebook.

What Does This Mean For Your Business?

For businesses trying to sell goods and services to younger age groups, social media and the recommendations that friends make to each other on social media platforms can be important influences in e.g. Omni-channel marketing and sales.

Facebook is also now an important tool for online paid advertising, and it is, therefore, in the interests of many businesses that people don’t take Mr Palihapitiya’s advice about taking a “hard break” from social media.

From a human point of view, and particularly for parents, the comments of Mr Palihapitiya and Mr Parker may appear to be somewhat worrying and shocking.

Monday, December 11, 2017

Trump’s New FCC Chairman Pushes To End Net Neutrality

After the Net Neutrality regulations from 2015 were partially overturned in May 2017, Donald Trump’s new chair of the Federal Communications Commission (FCC) is pushing to end net neutrality after a final vote this month.

What Is Net Neutrality?

In short, Net Neutrality means that ISPs (who control the data pipeline) treat everyone’s data (emails, digital audio files, and digital video) equally, whether it’s from companies or individuals, or whether it’s popular streamed TV episodes e.g. Netflix and Amazon being able to compete with established broadcasters. With Net Neutrality, ISPs don’t get to decide whose data is sent more quickly e.g. data from private individuals (more slowly), data from a business because it’s been paid for by a business (more quickly), or which sites get blocked or throttled e.g. the streamed delivery of a TV show from a competitor of the ISP.

The idea of having an Open Internet means that individuals and organisations should be able to easily access and use all of its resources, and to ensure that this can happen, certain principles need to be adhered to e.g. open standards, transparency, no Internet censorship, low barriers to entry, and ‘Net Neutrality’. The idea is that Net Neutrality can help to enhance innovation and trade in a fair way.

What’s Happened?

On 18th May the FCC voted two-to-one in support of a new proposal that would repeal the existing Net Neutrality regulations, and start a 90-day period of public comments before a final vote in December. The FCC, led by Ajit Pai, also released a 210-page (pdf) document on 22nd November essentially outlining how a greater reliance on business competition and anti-trust laws to regulate ISP charges for their services, plus a requirement to provide “transparency” to consumers, could work as a replacement for the Net Neutrality regulations that are being overturned.

What’s The Problem?

For many, the push by the FCC to effectively end Net Neutrality has sparked concerns about a market-driven agenda which could mean that smaller or more diverse web services won’t be protected from ISPs slowing their traffic or pricing them out of the market, and a situation where the scales are tipped in the favour of big telecoms providers such as AT&T and Verizon rather than other technology companies and social platforms.

Nature Of The Markets Has Changed

Some are of the opinion that the move by the FCC is also simply an attempt to loosen restrictions on other types of gatekeepers e.g. cable TV operators and telecoms companies to allow them to compete more fairly with new competitors that were created by changes in the market brought about by Net Neutrality. For example, it was not necessarily foreseen that Facebook would grow bigger than traditional media or that Amazon would move into films, thereby changing the nature of the market and requiring a new kind of regulation.

Fake and Stolen Identities For Comments

One alarming aspect of this latest development is the allegation that, of the record number of 23 million comments filed with the FCC as part of the public consultation process about possibly repealing the Net Neutrality regulation, many used fake or stolen identities. This has prompted accusations that the comment process is corrupt.

Other Regulations Removed

As well as attempting to remove Net Neutrality regulations, the FCC also appears to be trying to remove regulations around other restrictions on media ownership e.g. reducing / revising the cap on how many homes in the US a single broadcaster can reach, and allowing TV stations to use different frequency channels that count less against this overall cap on broadcasting reach.

What Does This Mean For Your Business?

To allow fair competition and equal opportunities, there must be something that looks like an ‘equal playing field’ in place, and it often takes rules imposed by authorities outside an industry rather than just market forces and industry bodies to make sure that happens.

There is an argument that the evolution of the online data market makes it complicated to regulate, but the removal of Net Neutrality looks likely to be bad news for smaller and more diverse companies and for those outside of the current mainstream media.

There is also a danger here that market-driven and political agendas are being given greater value than the civic service or cultural good that an equal / neutral situation would allow.

Facebook For Children Launched

Facebook has launched ‘Messenger Kids’. The standalone app on a ring-fenced network is targeted at young people for use on their tablets or smartphones but can be controlled from a parent’s Facebook account.

Challenge

The challenge identified by Facebook is that young people are being given access to tablets and smartphones, but their parents are concerned about (and can’t always monitor) how their children are using them and which apps are appropriate. Also, even though Facebook is strictly for those 13 and over, it would not be difficult for younger children to set up and use an account, and it is thought that as many as 20 million under-13-year-olds may currently be using the network.

Next Generation of Facebook Users

Although Facebook’s primary stated motive for the new junior version of its platform is to provide a safer, more age-appropriate version, some tech and business commentators have suggested that it may also be an ideal way for Facebook to recruit its next generation of users, and to capture the attention of 6 to 12-year-olds before Snapchat or a similar social network competitor.

What’s Different About It?

Messenger Kids is different from the main version of Facebook because:
  • It puts parents in control. If two children want to be friends on Messenger Kids, that friendship must first be approved by a parent for each child. Approved adults can also contact their children through the app.
  • It has appropriate, targeted content. There is a library of child-appropriate and specially chosen GIFs, frames, stickers, masks and drawing tools that enable children to decorate content and express their personalities.
  • It is ad-free. Also, targeting ads e.g. to parents based on what their children are talking about in Messenger Kids, or using what was discussed in Messenger Kids to target adverts at teens as they graduate at the age of 13 to a normal Facebook account, will not be possible. The app doesn't know exactly how old the children signing up are anyway.
  • It is a simplified, locked-down / ring-fenced version.

Data Sharing Concerns

Some concerns have been raised about privacy, and what data will be collected about the young users of the accounts. Facebook will collect data such as the child's name, the content of the messages, and typical usage reports for how the app is being used. It is understood that Facebook will only share that information with third parties who have data protection policies that comply with COPPA, the Children's Online Privacy Protection Act in the US (Messenger Kids is being launched in the US first).

What Does This Mean For Your Business?

From a business perspective, it is understandable that Facebook needs to find a way to bring a new, young generation of users to its platform, to find a way to compete with other platforms for the attention of other users, and to do so in a way that has the approval and involvement of parents, particularly if children are going to use social networks anyway. For businesses that want to target children with advertising, Messenger Kids is not going to be a good route for doing so, although it remains to be seen how popular the uptake of Messenger Kids will be. It may also be of some reassurance to current Facebook advertisers with young target audiences that Facebook is seeking to bring new targets through the door, and therefore looks like a promising advertising channel to continue with in the future.

For many parents and interest groups dealing with parental concerns, it may still be a worry that with Messenger Kids there are still no totally clear policies about data collection, what happens to the content children post or any plans for the future. Parents may simply and naturally feel as though they don’t trust Facebook (or other social networks) anyway for use by children until the parent feels they’re old enough.

There has also been some concern recently in the media about the results of research showing that children may be seeking too much online peer validation through ‘Likes’ on social media - Likes will be included in Messenger Kids.

For now, it’s a case of wait-and-see, and hope that all the safeguards, testing and targeting provide the safety and positive experiences for users that Facebook intends in a world where cyber-crime levels are high.