Monday, December 18, 2017

Supply Chain Attacks

With GDPR on the way, it is more important than ever for companies to protect themselves from online attacks via a 3rd party in their supply chain.

What’s The Risk?

Many companies have professional relationships with 3rd parties in their supply chain / value chain that involve granting them access to systems and sensitive data. This, combined with increased levels of sophistication in hacking tools and strategies, plus increased oversight from regulators, and potentially ‘weak link’ companies in terms of cyber-security now make the risk of supply chain attack very real.

Examples

Examples of high-visibility supply chain attacks where a 3rd party was implicated or blamed include the hack back in September of US Credit Rating Company Equifax when 143 million customer details were thought to be have been stolen, including a possible 44 million from UK customers. Equifax was reported to have blamed the breach on a flaw in outside software it was using, and on a malicious download link on its website to another vendor.

Also, the much publicised, so-called ‘Paradise Papers’ leak of 13 million files allegedly giving details of the offshore tax havens and tax avoidance schemes used by the rich and famous, and by governments and corporations was blamed on offshore legal firm Appleby.

Figures

A Ponemon Institute survey has revealed that 56 % of organizations have had a breach that was actually caused by one of their vendors, and although the average number of 3rd parties with access to sensitive information at each organization has increased from 378 to 471, only 35 % of companies have a list of all the third parties they are sharing sensitive information with. Without even knowing and being able to monitor or check on the details of the relationship that an organisation has a data sharing arrangement with, it is obviously a risky situation that could make detection of a breach very difficult.

Now An Eco-System

Rather than being single entities, even small companies / organisations are now digital ecosystems where many things are bought-in or outsourced e.g. hardware, software, and services such as cloud provider services (in place on data centres). This means that there are many more potentially weak links in the value / supply chain of a company that breaches could come from.

GDPR


With GDPR coming in May 2018, for example, liability and responsibility will extend to all organisations that touch the personal data of the subject / subjects. This means that companies / organisations will need to take a close interest in all parts of the data storage and processing chain to ensure compliance all the way along, within the organisation, and in the choosing and management of 3rd party relationships.

Also, there will need to be privacy by design, and the software, systems and processes of companies must be designed around compliance with the principles of data protection. Companies and organisations will need to ensure that 3rd party companies e.g. cloud suppliers, are themselves compliant, and building-in encryption.

Professional Services Companies A Risk


Many professional supply-side services companies have shown themselves to be vulnerable, and are often a way that attackers use to reach their final goal e.g. the Verizon breach caused by Nice Systems (customer service analytics), and the Deloitte hack in September where hackers were able to access emails and confidential plans of some of its blue-chip clients.

What Does This Mean For Your Business?

Many security commentators now believe that a new approach is needed to manage 3rd part risk effectively across a company’s digital ecosystem. This means really understanding where risks lie within that system, tailoring controls according to those risks, and collaborating with 3rd parties to remediate and mitigate those risks.

Companies and organisations need to become good at managing 3rd party risk in order to reduce the likelihood of a breach. This could involve measures such as:
  • Identification of every vendor, and which of them have access to sensitive data.
  • Evaluation of the security and privacy policies of all suppliers.
  • Introducing service level agreements with suppliers that show their commitment to security.
  • Asking vendors to do self-assessments, allow customer visits and audits, or purchase cyber insurance (most likely to work for larger customers).
  • Checking security score ratings for vendors e.g. through BitSight Technologies or SecurityScorecard.
  • Looking at vendors' internal policies and processes.

HP Laptop ‘Keylogger’ Security Risk Discovered

HP is reported to have issued patches for 450+ commercial workstations,
consumer laptops and other HP products after a keylogger was found to have been hidden in a driver.

What Is A Keylogger?

As the name suggests a keylogger / keystroke-logger usually refers to covert spying / monitoring software that tracks every key that you strike on your keyboard. This software is usually employed with malicious intent e.g. to collect account information, credit card numbers, user-names, passwords, and other private data.

Supposed To Be Debugger

In the case of the recent HP keylogger discovery, however, the offending versions of Synaptics touchpad drivers were actually intended to be to be used for debugging and aren’t believed to have been used with any malicious intent. The “debug trace" is actually a legitimate tool used by software companies to trace a problem / bug.

The security threat is, in this case, a potential threat which could be exploited by a hacker, who could potentially track every letter a laptop user typed.

HP has stressed that there has been no recorded access to customer data as a result of the issue.

Discovered

The discovery of the potentially serious threat was made by a computer programmer known as ‘Myng’ back in November, who discovered the issue when trying to control the backlighting of an HP keyboard. The programmer noticed a format string for a keylogger when looking through the keyboard driver. At this point, he contacted HP about his discovery.

Not The First Time

Strangely, this is not the first time such a discovery has been made about drivers installed in HP products. Back in May, a keylogger was discovered in Synaptics subsidiary Conexant's audio drivers, which are installed in HP Laptops.

Fix Issued

HP actually issued a fix for this latest “potential, local loss of confidentiality” issue back on 7th November (updated 12th December).

What Does This Mean For Your Business?

If your business uses HP Commercial Notebooks, Mobile Thin Clients, Mobile Workstations, or if you use an HP Consumer Notebook, the company has provided software updates for Synaptics touchpad drivers listed by model (a long list) on the support section of its website here: https://support.hp.com/us-en/document/c05827409 .

This story illustrates how software development needs to take into account all known potentially malicious angles. It also helps to illustrate how we may all be facing risks from as yet undiscovered bugs and vulnerabilities in commercial software that we are already using.

The importance of keeping up to date with patches and software updates cannot be understated. It is worth remembering that 9 out of 10 businesses are hacked through un-patched vulnerabilities, that hackers can attack nine out of 10 businesses with exploits that are more than three years old, and that 60% of companies experience successful attacks targeting devices for which a patch has actually been available for 10 or more years.

$80m Bitcoin Hack

Slovenian-based bitcoin mining marketplace NiceHash has reported that i
t has become the victim of a highly professional attack with sophisticated social engineering that has resulted in the theft of bitcoin to an estimated value of $80m.

The Hack

The 4,700 bitcoin(s) were reported stolen in a hack of the NiceHash digital currency marketplace’s payment system last week. Users of NiceHash were advised to change online passwords, and operations in the NiceHash marketplace were halted last Wednesday.

NiceHash’s chief executive Marko Kobal is reported to have said that attackers (probably based outside the European Union) accessed the company's systems at 00:18 GMT, and by 03:37 they had begun stealing Bitcoin. The exact nature of the hack, however, has not yet been released.

What Is NiceHash?

NiceHash is a digital currency marketplace with an estimated 750,000 registered users that matches people looking to sell processing time on their computers with users who are willing to pay to use it to mine for new bitcoin.

Bitcoin miners essentially use special software to solve maths problems, and are issued a certain number of bitcoins in exchange. This provides a smart way to issue bitcoins, and creates an incentive for more people to mine.

NiceHash’s social media accounts experienced a rise in the number of posts by bitcoin owners after it became apparent that there were problems with the website.

Reimbursed


It has been reported that NiceHash are working on a solution to reimburse all those affected by the hack.

Not The First Time

There have been dozens of reported attacks on digital currency exchanges over the last 6 years, such as the one that led to the collapse of the world’s largest bitcoin market Mt. Gox back in 2014. It is estimated that the many attacks have resulted in the theft of 980,000+ bitcoins which equates to more than $15 billion value at current exchange rates.

What Does This Mean For Your Business?

A huge surge in the value of bitcoin from $1,000 per bitcoin at the beginning of the year to around $15,000 now, coupled with the accompanying rise in the number of bitcoins contained within digital wallets have attracted the attention of hackers. The criminals have found that they are able to take advantage of exchanges and firms in the young crypto-currency industry sector that may not be secure against sophisticated attacks by criminal groups.

Those individuals and businesses involved in bitcoin speculation, investing and mining should therefore make sure that they get the best possible advice and help, and crypto-currency firms and exchanges need to invest in the most up to date systems and practices to ensure protection for their customers and users.

Stick and Carrot Measures To Deal With GDPR

A report by Veritas Technologies has said that since 91% of
most companies lack a strong data management culture they will be considering a number of ‘carrot and stick’ motivators to bring about the changes needed to help them to implement and comply with GDPR.

GDPR Next Year

The EU’s General Data Protection Regulation (GDPR) will come into force on 25th May 2018 and is a regulation designed to set the guidelines going forward for the collection and processing of personal identity information by companies and organisations. The regulation has been designed to make companies take the issue of data protection more seriously, to strengthen the rights that EU citizens have over their data, and to ensure that businesses and other organisations are more transparent in how they store data.

The Challenge

The challenge, according to the Veritas report, which took into account the views of 900 decision-makers across 8 countries, is that even though 31% of those surveyed think their enterprise is already GDPR compliant, only 2% of respondents actually appear to be compliant.

Also, 9 out of 10 companies lack the data management culture that could ensure a greater likelihood of quickly and effectively reaching high levels of GDPR compliance.

Motivation

This challenge, coupled with the limited amount of time before GDPR comes into force is the reason why companies and organisations of all kinds are looking at a variety of carrot and stick methods to drive the cultural and organisational changes needed to get to grips with GDPR going forward.

For example, nearly half of the companies surveyed by Veritas plan to drive the change by adding compliance to employee contracts (47%). Other planned drivers include implementing disciplinary action if the regulation is disobeyed (41%) and educating employees about the benefits of GDPR (40%).

Positive

Despite the obvious penalties and other problems that companies face with non-compliance and data breaches, 95% of decision-makers expected a positive outcome from compliance, and 92% thought they would benefit from having better data hygiene.

This more positive attitude towards the changes that will be necessary for GDPR compliance was also reflected in the views of the 68% of respondents in the Veritas survey who said compliance would give them a better insight into their business, which could help to improve the customer experience, and that compliance would save money.

What Does This Mean For Your Business?

The Introduction of GDPR is a little over 5 months away, and this in itself is a motivator for many companies and organisations now taking a serious look at exactly how they intend to make the changes they need to be compliant, and / or to re-visit the plans that they have already made to achieve compliance.

GDPR will have a big impact on the culture of companies and organisations and, based on the results of the Veritas report, more education is needed on the tools, processes and policies to support information governance strategies that are necessary to comply with the GDPR requirements. Data management commentators suggest that companies should adopt an automated, classification-based, policy-driven approach to GDPR so that they can meet the regulatory demands within the short time frame available.

Many companies and organisations are now starting to see the positive outcomes and benefits that GDPR compliance will bring such as increased revenues, resulting from improved customer loyalty, heightened brand reputation, and competitive differentiation in the market. There is also now a realisation that companies will prefer to have business relationships with GDPR compliant companies to help ensure their own compliance.

Facebook Dopamine-Addictive, Admits Ex-Exec

Former Facebook Vice President Chamath Palihapitiya has made the headlines
following apparently negative comments that he made at an event about Facebook’s effects on society.

Guilt

While speaking at a Stanford Graduate School of Business event, Mr Palihapitiya surprised many listeners when he reportedly described his feelings of guilt about helping the company attract two billion users, and advised people take a "hard break" from social media because of it’s the short-term, dopamine-driven feedback loops that it provides.

Like Sean Parker’s Comments

Mr Palihapitiya’s comments appear to echo those of founding president and billionaire Sean Parker, who said at an Axios event in Philadelphia back in November that the social media platform changes our relationship with society, and with each other, and is reported as saying that “God only knows what it’s doing to our children’s brains”.

Mr Parker, who also founded file-sharing site Napster, explained that the objective of Facebook was to consume as much of a person’s time and conscious attention as possible and that the “like” button would give users a kind of “little dopamine hit”, and thereby encourage them to upload more content. Mr Parker is also reported as saying that Facebook “exploited a vulnerability in human psychology" and that “all of our minds can be hijacked.”

Programmed


Mr Palihapitiya is reported as going so far as saying that the short-term signals that Facebook gives e.g. hearts, likes, and thumbs-up help Facebook users to get a kind of false perceived sense of perfection which is short-lived and “brittle” and equates to a kind of programming.

Global Problem

Mr Palihapitiya also highlighted how the 10 million people in the US saw “divisive social and political messages” in Facebook adverts from Russia before and after the US presidential election, and how this had become a global problem that appeared to be fuelled by social media such as Facebook.

What Does This Mean For Your Business?

For businesses trying to sell goods and services to younger age groups, social media and the recommendations that friends make to each other on social media platforms can be important influences in e.g. Omni-channel marketing and sales.

Facebook is also now an important tool for online paid advertising, and it is, therefore, in the interests of many businesses that people don’t take Mr Palihapitiya’s advice about taking a “hard break" from social media.

From a human point of view, and particularly for parents, the comments of Mr Palihapitiya and Mr Parker may appear to be somewhat worrying and shocking.

Monday, December 11, 2017

Trump’s New FCC Chairman Pushes To End Net Neutrality

After the Net Neutrality regulations from 2015 were partially overturned in May 2017, Donald Trump’s new chair of the Federal Communications Commission (FCC) is pushing to end net neutrality after a final vote this month.

What Is Net Neutrality?

In short, Net Neutrality means that ISPs (who control the data pipeline) treat everyone’s data (emails, digital audio files, and digital video) equally, whether it’s from companies or individuals, or whether its popular streamed TV episodes e.g. Netflix and Amazon being able to compete with established broadcasters. With Net Neutrality, ISPs don’t get to decide whose data is sent more quickly e.g. data from private individuals (more slowly), data from a business because it’s been paid for by a business (more quickly), and which sites get blocked or throttled e.g. the streamed delivery of a TV show from a competitor of the ISP.

The idea of having an Open Internet means that individuals and organisations should be able to easily access and use all of its resources, and to ensure that this can happen, certain principles need to be adhered to e.g. open standards, transparency, no Internet censorship, low barriers to entry, and ‘Net Neutrality’. The idea is that Net Neutrality can help to enhance innovation and trade in a fair way.

What’s Happened?

On 18th May the FCC voted two-to-one in support of a new proposal that would repeal the existing Net Neutrality regulations, and start a 90-day period of public comments before a final vote in December. The FCC, led by Ajit Pai also released a 210-page (pdf) document on 22nd November essentially outlining how a greater reliance on business competition and anti-trust laws to regulate ISP charges for their services plus a requirement to provide “transparency” to consumers could work as a replacement for the Net Neutrality regulations that are being overturned.

What’s The Problem?


For many, the push by the FCC to effectively end Net Neutrality has sparked concerns about a market-driven agenda which could mean that smaller or more diverse web services that won’t be protected for ISPs slowing their traffic or pricing them out of the market, and a situation where the scales are tipped in the favour of big telecoms providers such as AT&T and Verizon rather than other technology companies and social platforms.

Nature of The Markets Have Changed

Some are of the opinion that the move by the FCC is also simply an attempt to loosen restrictions on other types of gatekeepers e.g. cable TV operators and telecoms companies to allow them to compete more fairly with new competitors that were created by changes in the market brought about by Net Neutrality. For example, it was not necessarily foreseen that Facebook would grow bigger than traditional media or that Amazon would move into films, thereby changing the nature of the market and requiring a new kind of regulation.

Fake and Stolen Identities For Comments

One alarming aspect of this latest development is the allegation that, of the record number of the 23 million comments filed with the FCC as part of the public consultation process about possibly repealing the Net Neutrality regulation, many used faked or used stolen identities. This has prompted accusations that the comment process is corrupt.

Other Regulations Removed

As well as attempting to remove Net Neutrality regulations, the FCC also appears to be trying to remove regulations around other restrictions on media ownership e.g. reducing / revising the cap on how many homes in the US a single broadcaster can reach, and allowing TV stations to use different frequency channels that count less against this overall cap on broadcasting reach.

What Does This Mean For Your Business?


To allow fair competition and equal opportunities, there must be something that looks like an ‘equal playing field’ in place, and it often takes rules imposed by authorities outside an industry rather than just market forces and industry bodies to make sure that happens.

There is an argument that the evolution of the online data market makes it complicated to regulate, but the removal of Net Neutrality looks likely to be bad news for smaller and more diverse companies and for those outside of the current mainstream media.

There is also a danger here that market-driven and political agendas are being given greater value than the civic service or cultural good that an equal / neutral situation would allow.

Facebook For Children Launched

Facebook has launched ‘Messenger Kids’. The standalone app on a ring-fenced network is targeted at young people for use on their tablets or smartphones but can be controlled from a parent’s Facebook account.

Challenge

The challenge identified by Facebook is that young people are being given access to tablets and smartphones, but their parents are concerned about (and can’t always monitor) how their children are using them and which apps are appropriate. Also, even though Facebook is strictly for those 13 and over, it would not be difficult for younger children to set up and use an account, and it is thought that as many 20 million under-13-year-olds may currently be using the network.

Next Generation of Facebook Users

Although Facebook’s primary stated motive for the new junior version of its platform is to provide a safer, more age-appropriate version, some tech and business commentators have suggested that it may also be an ideal way for Facebook to recruit its next generation of users, and to capture the attention of 6 to 12-year-olds before Snapchat or a similar social network competitor.

What’s Different About It?

Messenger Kids is different from the main version of Facebook because:
  • It puts parents in control. If two children want to be friends on Messenger Kids, that friendship must first be approved by a parent for each child. Approved adults can also contact their children through the app.
  • It has appropriate, targeted content. There is a library of child-appropriate and specially chosen GIFs, frames, stickers, masks and drawing tools that enable children to decorate content and express their personalities.
  • It is ad-free. Also, targeting ads e.g. to parents based on what their children are talking about in Messenger Kids, or using what was discussed in Messenger Kids to target adverts at teens as they graduate into over the age of 13 to a normal Facebook account will not be possible. The app doesn't know exactly how old the children signing up are anyway.
  • It is a simplified, locked-down / ring-fenced version.

Data Sharing Concerns

Some concerns have been raised about privacy, and what data will be collected about the young users of the accounts. Facebook will collect data such as the child's name, the content of the messages, and typical usage reports for how the app is being used. It is understood that Facebook will only share that information with third parties who have data protection policies that comply with Coppa, the Children's Online Privacy Protection Act in the US (Messenger Kids is being launched in the US first).

What Does This Mean For Your Business?


From a business perspective, it is understandable that Facebook needs to find a way to bring a new, young generation of users to its platform, to find a way to compete with other platforms for the attention of other users, and to do so in a way that has the approval and involvement of parents, particularly if children are going to use social networks anyway. For businesses that want to target children with advertising, Messenger is not going to be a good route for doing so, although it remains to be seen how popular the uptake of Messenger Kids will be. It may also be of some reassurance to current Facebook advertisers with young target audiences that Facebook is seeking to bring new targets through the door, and therefore looks like a promising advertising channel to continue with in the future.

For many parents and interest groups dealing with parental concerns, it may still be a worry that with Messenger Kids there are still no totally clear policies about data collection, what happens to the content children post or any plans for the future. Parents may simply and naturally feel as though they don’t trust Facebook (or other social networks) anyway for use by children until the parent feels they’re old enough.

There has also been some concern recently in the media about the results of research showing that children may be seeking too much online peer validation through ‘Likes’ on social media - Likes will be included in Messenger Kids.

For now, it’s a case of wait-and-see, and hope that all the safeguards, testing and targeting provide the safety and positive experiences for users that Facebook intends in a world where cyber-crime levels are high.

Amazon Targets Businesses With Voice Activated Digital Assistants

Amazon with its best-selling digital voice assistant now has its sights
set on a role for Alexa in the workplace with its plans to launch Alexa for Business.

Amazon Dominant

Amazon’s Echo dominates the voice-assistant market with a more than 70% share. 11 million Alexa devices have already been sold and last Christmas, Alexa-enabled devices emerged as the top-selling product across all categories on Amazon.com. Amazon Echo’s AI powered home voice-activated digital assistant looks set to be a popular present again this year.

Awareness and use of voice-controlled speakers is soaring, and in the US for example, an estimated 35.6 million people used one at least once a month in 2017, a 128.9% increase on the previous year (eMarketer).

Natural Progression - Into The Workplace

It is no surprise, therefore, that Amazon would want to move its digital assistant smart speaker into the workplace. With this in mind, Amazon has announced plans to release an enterprise-focused version called Alexa for Business.

Doing What?

For many home-based / small businesses, having an Amazon Echo around as part of the day’s organising / calendar scheduling and basic entertainment and information functions is becoming an increasingly common thing.

Tech commentators have noted that voice-activated digital assistants such as Amazon Echo are suited to workplace roles and specific tasks such as facilitating and activating conference calls, booking meeting rooms, reporting IT issues, providing directions around a building, answering questions about the business or even ordering new office supplies.

It is anticipated that the new Alexa for Business could be used by employees on their own personal devices to make calls, manage calendars, run to-do lists, set reminders, and to locate information stored in third-party corporate applications e.g. Salesforce, Concur or Splunk, and Microsoft Exchange. Business users could also pair their private accounts with their organisation’s Alexa for Business account.

Security and Privacy Fears

One of the potential challenges to introducing digital assistants to the workplace is the widely publicised security and privacy fears. Security commentators have pointed to the fact that Amazon Echos are always listening, and while they don’t ordinarily collect information until activated with the "Alexa" wake word, it can happen by accident, and Amazon stores recordings to make its cloud-based AI service more ‘intelligent’. This also represents a security threat.

Also, back in August for example, UK security expert Mark Barnes made the news by saying that anyone could install malware on an Amazon Echo, along with his proof-of-concept code that would silently stream audio from the device to a remote server. This would enable a criminal to listen-in on private conversations and private / personal information that could be used to e.g. steal money, steal business secrets, or burgle premises. This kind of vulnerability could also lead to the disclosure of personal details of customers or employees which could jeopardise data security compliance, and expose a company to the risk of fines or blackmail.

What Does This Mean For Your Business?


Voice activated, AI-based digital assistants appear to be very well suited to many organisational and instant information-dispensing tasks that could make them very useful in the modern workplace to help boost employee productivity, improve efficiency, and to perform some very specialised tasks. It was almost an inevitability that the next step for them would be the workplace, and Amazon’s dominance in the market also made it inevitable that it would want to be first in with a business-focused offering.

Amazon and other voice-activated digital assistant companies (Microsoft, Google and Apple) will, however, need to convince businesses that the devices are secure and that they don’t represent the same IoT security threat that they’ve been reading and hearing about.

Police Web & Phone Snooping Powers Curbed

The need to comply with a European Court Ruling has meant that senior UK police officers are to lose the power to self-authorise snooping on personal phone and web browsing records.

What Ruling?

This latest development is the upholding of a ruling (after an appeal) that was sent to the European Court of Justice (ECJ) in 2016. The original ruling dates back to 2015 and relates to a case brought by Labour Party deputy Tom Watson (and Brexit Secretary David Davies, who later dropped out). The original case challenged the legality of core parts of the Data Retention and Investigatory Powers Act (DRIPA), which was a predecessor to the Investigatory Powers Act (also known as the ‘Snooper’s Charter)’.

In upholding the original ruling which went in favour of Tom Watson, the ECJ has said that the general and indiscriminate retention of data cannot be considered justified within a democratic society, and that a mass harvesting of data can only be lawful if it's underpinned by stringent safeguards or independent oversight, and can only be accepted as part of investigations into ‘serious’ crime and terrorism.

What Does This Actually Mean?


In short, the upholding of the original verdict means that The Investigatory Powers Act will need to be changed to align it with the ECJ ruling.

Every year, there are 250,000 requests from police agencies and investigating public bodies to access personal communications data. Under current rules, senior authority figures such as police superintendents, inspectors, or similarly high ranking officials in the Department of Work and Pensions and Revenue and Customs can self-authorise data these harvesting requests.

Under the new ruling, harvesting of data requests will only be permitted in cases that potentially carry prison sentences of six months or more, and communication requests will only be authorised by a newly created Office for Communications Data Authorisation which will be overseen by the investigatory powers commissioner Lord Justice Fulford.

The change in the law will also mean that agencies won’t be able to collect data for things like collection of taxes or public health reports.

Although senior police will no longer be able to self-authorise access to our phone and web browsing records, the new rules won’t apply UK's spy agencies e.g. GCHQ, MI6 or MI5 retaining or acquiring data, because the UK government says that national security is outside the scope of EU law.

Criticism


Criticisms of the government’s response to the ECJ’s ruling include:
  • The definition of ‘serious crime’ is too broad and vague, appears to be window dressing, and fails to provide a robust system of independent oversight.
  • Government proposals may not be enough to comply with European law.
The government has launched a 7-week public consultation to collect feedback about its proposals.

What Does This Mean For Your Business?

This is a time of flux and change where the UK is breaking away from the EU but is still affected by EU data laws, and is having to take account of EU laws and Regulations in its own Investigatory Powers Act (2016), with GDPR, and with trying to make the UK’s own law, the Data Protection Bill (DPB) is in line with GDPR.

Where the Investigatory Power Act is concerned, it is has been in force in the UK for a year and legal challenges (mainly on our behalf), and raising awareness of what the law entails and gathering large support to oppose certain elements are some of the only routes we have to seek changes to it.

National security is, of course, important, but so is privacy in a world where surveillance in all aspects of life is increasing. Some would say that if we’re doing nothing wrong we have nothing to fear, whereas others would say that this attitude simply makes it easy for hard-won freedoms and rights to be lost.

For businesses, security and privacy are vitally important issues where data protection is concerned going forward, and much of the focus in the news has been on how customer and employee data can be protected in a GDPR-compliant way going forward. For many businesses this is a more pressing issue than changes to the Investigatory Powers Act, although this story is a reminder that big brother is still watching, hopefully on our behalf to protect us and our businesses rather than to snoop unnecessarily.

Barclays Drops Kaspersky Over Security Fears

Barclays bank has emailed its 290,000 online banking customers to say that it will no longer be offering Kaspersky Russian anti-virus because of information and news stories about possible security risks.

Long-Running

Rumours and concerns about Kaspersky’s possible links with the Russian state are not confined to Barclays. Moscow-based software maker Kaspersky Lab, the largest Russian software agency operating in the UK, had its security products banned from U.S. government networks earlier this year and, back in July, security researchers claimed to have found a way to force the anti-virus product to assist snoops in stealing data from segmented networks (not connected to the wider internet).

Back in 2015, it was also reported that the US National Security Agency and GCHQ had sought to carry out reverse engineering of Kaspersky anti-virus as far back as 2008 to discover any vulnerabilities. Long-running fears about Kaspersky have also been fuelled by leaks from the NSA through Edward Snowdon (2013), Hal Martin (2016), and by allegations
(printed in the Wall Street Journal) that a Vietnamese NSA contractor was hacked on his home computer by Russian spies via Kaspersky.

Announcement

The move by Barclays follows a warning in a letter by Director of the UK National Cyber Security Centre (NCSC), Ciaran Martin, to Whitehall chiefs that Russian software should be avoided in systems containing information concerning national security. Mr. Martin expressed fears about Russia itself as a cyber threat actor, and how Russian security software such as Kaspersky could be exploited by the Kremlin.

Free Trial

The Barclays customers who received the emails informing them of the bank’s decision to drop the software had downloaded Kaspersky over the past decade as part of a 12-month free trial offered by the bank on its website. The fear is that at least some of the customers who downloaded the software are / were likely to be / have been individuals employed by the UK government and, therefore, may have been targeted by Russian spies (if the allegations about Kaspersky are to be believed). Barclays customers are able to end the Kaspersky subscription after their free trial.

Evidence?

Actual publicised evidence of any state-sponsored wrong-doing by Kaspersky, or involvement with Russian intelligence agencies appears to be in very short supply. Some commentators have also pointed out that it may even have been the case that private company Kaspersky Lab’s product was compromised at some point without its knowledge or consent.
Kaspersky has denied any inappropriate ties to any government, and has put warnings about its products in the west down to the company being caught in the middle of a geopolitical fight, and has expressed disappointment about the recent decision by Barclays.

What Does This Mean For Your Business?

Warnings by the UK National Cyber Security Centre (NCSC) clearly need to be taken most seriously by those with links to government departments, but it is also important to factor in the context of a certain amount of paranoia and the recent focus in the media about Russia following allegations of interference in the US elections.

In the case of Barclays, it has been stressed by officials that they are not saying that members of the public or companies should stop using Kaspersky products, which are used by about 400 million people globally. It would also not be a good idea to remove Kaspersky anti-virus from a computer without immediately putting a suitable alternative in place. Anti-virus still forms an important part of a company / organisation’s basic cyber defences and this, and other software should be kept up to date with patches and updates to enable evolving threats to be combated as part of a wider strategy.

Monday, December 04, 2017

Serious Bug In Apple Mac OS Discovered

Apple is reported to be urgently working on a software update after Turkish developer Lemi Ergin publicly reported a simple but serious bug in its Mac Operating System.

MacOS High Sierra Affected

The bug was discovered in the most recent version of MacOS High Sierra. It has been reported that, by entering the username "root", and leaving the password field blank, and hitting the enter key several times, a user is granted unrestricted access to powerful administrator rights on the computer.

Troubleshooting Feature / Serious Threat

Even though Ergin is credited with finding the bug (and has faced criticism for going public about it), it is reported to have actually been mentioned on an Apple support forum more than two weeks ago as a possible useful feature for troubleshooting rather than as a serious security threat.

What Can Be Done?


If a person were to access a computer using the flaw they could potentially read and change the files of other users on the same computer, or as superuser they could delete crucial files or install malware.

Can’t (Typically) Be Done Remotely

The fact that the enter key has to be hit several times means that a person would really need physical access to the computer in order to exploit the bug. If, however, a person has been granted remote access to the computer e.g. for tech support, the bug could technically be exploited that way.

Insider Threat?


A malicious attack or breach from within a company by a person with physical access to computers is a real possibility for businesses and organisations. For example, where ‘malicious’ insider threats are concerned, research (Egress) shows that that 24% of workers have purposely shared information with competitors or new and previous employers and other entities. Insider leaks, breaches, and other threats can undermine company efforts to comply with data protection laws and protect competitive advantage, and can leave companies open to huge financial risks, loss of customers, and damage to their brands.

Criticism

Other security experts / commentators have been quick to criticise Mr Ergin for apparently not following the responsible disclosure guidelines typically observed by security professionals i.e. notifying Apple of the flaw first, thus giving them a reasonable amount of time to fix it before going public.

Patch On The Way

It has been reported that Apple is working on a software update / fix for the bug, and in the meantime, Apple has offered users a temporary workaround.

What Does This Mean For Your Business?


If your business has Apple Macs with MacOS High Sierra, and if you are too worried to wait for the patch, the workaround allows the Root user to set a password. Instructions for the workaround can be found on the Apple support site here: https://support.apple.com/en-us/HT204012 .

Only last month Apple released a supplemental update for MacOS High Sierra which incorporated various bug fixes for Macs.

This story illustrates how new software / operating systems are often released with bugs in them, many of which are usually discovered by security researchers, but it is worrying that users have been left vulnerable in this case to fairly serious threats by what is a simple (some would say embarrassing) fault.

Bitcoin Value Tops $10,000

The crypto-currency Bitcoin has now reached a record high of $10,000 (£7,462)
after only trading at $1,000 at the start of the year, with some experts saying it’s got further to climb.

What Is Bitcoin?


Bitcoin is a digital web-based currency that operates without the need for central banks and uses highly secure encryption (a crypto-currency) to regulate the currency units and to verify transfers of funds. Bitcoin, which was first produced in 2009, uses the ‘Blockchain’ technology. Blockchain is an open and programmable technology that can be used to record transactions for virtually anything of value that can be converted to code and is often referred to as a kind of ‘incorruptible ledger’.

There are approximately 15 million Bitcoins in existence with a value that is estimated to have surpassed $167bn. In order to receive a Bitcoin, a user must have a Bitcoin address i.e. a 'purse' (of which there is no central register).

Surge In Value

Bitcoin may have experienced a surge in value over this year as a whole but the rise has been by no means smooth. The crypto-currency first managed to reach a value of $1,000 in late 2013, and after a volatile general rise found itself valued at $1,000 again at the beginning of this year.
  • The surge in the last part of this year has been attributed to many to factors such as:An announcement this month that CME Group, a US-based derivatives marketplace operator, plans to launch a Bitcoin futures product in the very near future.
  • The suspension of the Segwit2x project. The project aimed to create the SegWit2x Blockchain (the underlying code of Bitcoin), and a new currency referred to as B2X. The idea was to alter the underlying code to enable more transactions, but in practice software bugs and a lack of popularity that risked splitting the community has meant that SegWit2x has been shelved for now.
  • A growing awareness of Bitcoin and its benefits, and of the general rise in its value over time boosting confidence in the crypto-currency and its value.

Bumps In The Road

Bitcoin has experienced many high profile bumps in the road on its rise in value. These include a decision by China to stop exchanges from trading in the crypto-currency earlier this year.

Crypto-Currencies Generally More Popular

The success of Bitcoin has helped to boost the popularity of virtual currencies generally. One example is Ethereum which was worth $10 at the beginning of the year and is now worth $480.

Crime Link

Bitcoin is often the currency that ransomware scammers request their victims to pay with because of the anonymity that it offers. Some currency commentators have even suggested that the recent surge in the value of Bitcoin is partly because European banks may be buying Bitcoin to pay off ransomware as a short-term way to deal with cyber-security.

What Does This Mean For Your Business?


The rise of crypto-currencies, such as Bitcoin, to the point where it was finally being taken up by investors, businesses and governments, has been filled with high profile ups and downs e.g. a fall in its value on the Tokyo-based Mt. Gox exchange following a hack in late 2013.

Despite its problems and bad press, in recent years, Bitcoin has shown a general decrease in volatility. 2017 has also actually seen a lot of optimism for the crypto-currency, which reached a point back in January where its worth was around the same value as that of a FTSE 100 company.

Bitcoin has many attractive advantages for businesses such as the speed and ease with which transactions can take place due to the lack of central bank and traditional currency control. Using Bitcoin also means that cross-border and global trading, and on the back of this latest milestone reached, it looks likely that the rise of Bitcoin is not over yet.

GDPR Could Increase Hackers Ransoms

A researcher has suggested that the GDPR fine structure could lead to
cyber-criminals being given price points to set their ransoms at because now they know how much money they should be asking.

GDPR

The EU’s General Data Protection Regulation (GDPR) comes into force 25th May 2017. As part of the enforcement mechanism, a fine structure has been published to encourage compliance with the Regulation. The fine structure for GDPR is actually tiered depending upon the scope of the violation, but it has been published and widely publicised that lesser violations will attract fines of 2% of global turnover, and more serious violations will attract fines of up to €20 million, or 4% of their global turnover (whichever is greater).

Price Point Provided

Researcher Mikko Hypponen has made the point, therefore, that these figures could give cyber-criminals who are using ransomware, or hackers stealing data, a price point to set the ransom at because now they know how much money they should be asking.

Hypponen argues that because the criminals know what data is worth / what covering-up a data breach may be worth to some companies (probably large, well-known ones), these companies may be actually willing to pay anything less than the full amount of the fine to avoid serious damage to their reputation, loss of customers and more.

According to Hypponen, ransoms could, therefore, be set at up to 2% or 3% of the targeted organisation’s global annual turnover. This could equate to millions of dollars in some cases.

Not So Far-Fetched

Taking one recent incident as an example, Hypponen’s predictions may not appear too far-fetched. HBO network was hacked and the hackers are reported to have demanded $5.5m for the release of the stolen data. Even though this sounds like a very large sum, it is still less than 2% or 3% of the company’s 2014 annual revenue.

It is certainly possible that some companies would pay a ransom to keep a breach quiet as Uber were recently reported to have paid hackers $100,000 to delete the data from a hack that took place 2 years ago, and to keep quiet about it.

Hypponen has, therefore predicted that, after the introduction of GDPR on May 25th 2018, companies (particularly large turnover ones) will be targeted by hackers for personal information, and will be given ransom demands that are close to GDPR fine levels.

Taking Advantage of GDPR

Another prediction of how cyber-criminals may use GDPR to their advantage is by hackers / scammers stealing data with advanced ransomware and then blackmailing the victims with the threat of reporting them to the data protection commissioner. This is because ransomware can affect the availability, access, and recovery of personal data. These things, as well as passing personal data to hackers via the ransomware are technically serious breaches of GDPR by the victim company.

Ransomware


As well as hackers stealing data directly, ransomware is fast becoming the most popular way for cyber-criminals to make money, and is likely to be a greater threat after GDPR. The fact that it is automated and doesn’t require any special user rights to operate it makes it a popular choice, and an ideal way for criminals to sell data to the highest bidder (which is often the victim company).

Bitcoin Store

There are even reports that large companies / corporations and banks have been buying up stores of Bitcoin as a short-term way to deal with data breach / ransom-based cyber attacks.

What Does This Mean For Your Business?

Where GDPR is concerned (especially with the pressure of the approaching deadline) many companies are seeing it as an opportunity to address possible data security / privacy loopholes that could leave them at the mercy of cyber attackers anyway, and to expand their ability to manage the use of data.

GDPR could even be viewed as a way of developing a global standard for data protection, which could be an opportunity for businesses to offer products and services worldwide that comply with this standard.

Quite apart from GDPR, businesses and organisations of all kinds should be trying to continuously improve their cyber resilience anyway.

Ways that companies could protect themselves against hacking / ransomware threats include only giving users access to what they need and taking away admin privileges, backing up all critical files effectively and securely, and testing those backups to make sure that information can be restored in a usable form.

One way in which companies could test their response to a live ransomware Trojan in their network is to plant dummy files in the network that should never be touched by legitimate users and act as alarms.

Companies and organisations should also make sure that they have workable Business Continuity and Disaster Recovery Plans in place, and to be aware that paying hackers does not guarantee the return of stolen data, and could increase reputational damage if the public see this as a way of trying to hide a breach.

Government Could Use Blockchain To Verify Your Identity

A report by the educational charity and think tank ‘Reform’ has suggested
that Blockchain technology could be used by the UK government as a more effective, efficient, and modern way to provide verification of the identities of citizens.

What Is Blockchain?

Blockchain is an incorruptible peer-to-peer network (a kind of ledger) that allows multiple parties to transfer value in a secure and transparent way. Blockchain’s Co-Founder Nic Carey describes

Blockchain as being like “a big spreadsheet in the cloud that anyone can use, but no one can erase or modify”.
Blockchain technology operates using the IBM cloud and is powered by Hyperledger Fabric 1.0 of Linux Foundation. The developers of the Blockchain system say that the trust between participants is not necessary because trust is embedded in the system itself, and that access to all relevant information is available to participants.
Blockchain is the same technology behind the crypto-currency Bitcoin, and it is now being applied to multiple industries and sectors.

What’s The Issue?


The underlying issue for the government is that there are people living and working in the UK without a legal identity, thus making it difficult to monitor births, deaths, work, taxation and migration.

Also, there are many different government departments which hold different and even contradictory versions of a person’s identity to a user-stored identity.

There is also the issue that individuals don’t currently have access to their public service identity and, therefore, lack control of it, and can’t authorise who can see it.

It is thought that among other benefits, a Blockchain-based system could shift more control from the government to the user.

Problems With The Current System

The Reform report argues that the current identity assurance platform, Gov.uk Verify, is not working as well as it could because of low uptake and departments such as HM Revenue & Customs (HMRC using their own service - Government Gateway).

It has been reported that with Verify, departments often have to request and check additional data because Verify doesn’t always provide enough information, and the new system also struggles to match information with legacy systems.

First Suggested Last Year


The idea of using Blockchain to help with identity verification was first publicly voiced by the government last August in relation to passports. The fact that nearly 20,000 British passports were either lost or stolen in 2016, and the resulting identity theft, coupled with the delays caused by inefficient passport checks led the government to think about the advantages of Blockchain.

With Blockchain passports, for example, personal information could be encrypted and stored digitally on a smartphone accessible via fingerprint scanning. This could allow fast access through the border if verified alongside biometric information. A Blockhain passport of this kind could also reduce the risk of identity fraud and the information being lost or stolen.

What Does This Mean For Your Business?

From the government’s point of view, a Blockchain app built across government departments, and acting as a layer on top of current databases, could be a more effective, efficient and secure way to verify the identities of citizens, make sure all databases have the same information and are automatically updated, and give us more control over who can see our identity details and in what form.

For governments, businesses, and organisations around the world, Blockchain is providing many exciting new opportunities. Dubai, for example, has committed to putting all of its documents on Blockchain in the next few years and has founded a public-private initiative called the Global Blockchain Council to foster the development and use of Blockchain technology in and between local government teams, local businesses and international start-ups.

As well as finding uses in the financial, legal and public sectors, recent real-world examples of how Blockchain is being used include:
  • Using the data on a Blockchain ledger to record the temperature of sensitive medicines being transported from manufacturer to hospital in hot climates. The ‘incorruptible’ aspect of the Blockchain data gives a clear record of care and responsibility along the whole supply chain.
  • Using an IBM-based Blockchain ledger to record data about wine certification, ownership and storage history. This has helped to combat fraud in the industry and has provided provenance and re-assurance to buyers.
  • Shipping Company Maersk using a Blockchain-based system for tracking consignments that addresses visibility and efficiency i.e. digitising a formerly paper-based process that involved multiple interactions.
  • Start-up company ‘Electron’ building a Blockchain-based system for sharing information between those involved in supplying energy which could speed up and simplify the supplier switching process. It may also be used for smart grid processes, such as local load-balancing of supply and demand.
  • Australian start-up Zimrii developing a Blockchain-based service that allows independent musicians to sell downloads to fans, distribute the proceeds between collaborators, and allow interaction with managers.
Blockchain clearly has huge untapped potential for all kinds of businesses and could represent a major opportunity to improve services, and effectively tackle visibility, transparency and efficiency issues.

Small Businesses Get New OS MasterMap® Data

The government has announced that its new £40m Geospatial Commission
will start its strategy of releasing more of the location data held by public bodies to help businesses and boost economic growth, by giving small businesses free access to OS MasterMap® data.

The Commission

It has been announced that the new £40m Geospatial Commission, sitting under the authority of the Cabinet Office, will release Ordnance Survey location data first to help boost business for small companies.

What Is Geospatial Data?

Geospacial data in the context of this article refers to augmenting a geographic map with other data specific to points on that map, thereby enabling the added value of observations, analysis, and planning. It was first used in 1854 by John Snow, who plotted each cholera death in London’s Soho on a map, and from the mapped points was able to isolate a specific water pump as the source of the disease, and thereby prove his theory that cholera came from contact with sewage-contaminated water rather than being airborne.

Budget

The announcement was made in Chancellor of the Exchequer, Philip Hammond’s latest budget.

The wider intention is that Geospatial Commission will draw on public and private sector expertise to develop a strategy for releasing more of the location data that is currently held by HM Land Registry, the Ordnance Survey, the British Geological Survey, the Valuation Office Agency, the UK Hydrographic Office and the Coal Authority.

The Commission will attempt to improve the links between and quality of the data held by the agencies and bring together and make it available to the public and private sector. The Commission will also aim to make more geospatial data available for free (without restriction), set regulations and policy for public geospatial data, hold the individual bodies to account for delivery against the geospatial strategy, and provide strategic leadership.

The first stage of the 2 year strategy is to find a way to give small businesses free access to OS MasterMap® data.

What Is OS MasterMap®?

The OS MasterMap® is the database that records every fixed feature of Great Britain larger than a few metres in one continuous digital map. The map has different layers e.g. the Greenspace Layer (showing accessible and non-accessible green-spaces in urban areas - used to improve health and environment initiatives), and the Topography layer (to help with decisions about assets, services, environmental risks, customers and operations).

How Will This Help?

Giving open access to OS MasterMap® (for small businesses first) will remove the legal barriers that currently limit the availability of other data e.g. foreign ownership of land, locations of parking spaces, house prices or business addresses. This will then give businesses access to the kind of data that is essential to understanding and tackling housing and transport challenges. More data about an area can make it easier to find land for house-building, and enable the development of services that improve vital infrastructure, and can help businesses to make better, more informed decisions about projects.

Opening up access to government-held geospatial data could, therefore, stimulate innovation in the wider economy, boost jobs and make savings, as well as transforming information delivery and citizen engagement.

Example From Housing

The UK is in the midst of a housing crisis, particularly in social housing. Decades of failure to build enough new homes means that the UK is struggling to accommodate its growing population. The relatively small number of homes that are being built are generally not suitable for first time or low-income buyers, or the rental market.

It is thought that geospatial data could be used to accurately, and remotely survey sites with information instantly available to virtually design houses bespoke to customer needs e.g. using prefabricated housing factories across the UK. The geospatial data could help quality factory built houses to be delivered right-first-time, on time and to budget.

What Does This Mean For Your Business?

Opening up the many layers of government data and linking it to highly detailed digital maps can give businesses, particularly those involved with housing and infrastructure, the knowledge and tools to innovate, save money, and find new business opportunities.

A boost for the housing market is good news for the economy, and if (as the government suggests) that the wider economy will get a boost from the work of and the investment in the new Geospatial Commission, then this is good news for all businesses.

Since small businesses account for 99.3% of all private sector businesses, and SMEs account for 60% of all private sector employment in the UK (FSB), opening up the OS MasterMap® to small businesses seems a sensible first move in the Commission’s strategy.

Monday, November 27, 2017

Smartwatches - Spying on Kids

German Telecoms regulator the Federal Network Agency has banned the sale of smartwatches to children and asked parents to destroy any that they already have.

Danger To Children - Spying and Tracking


The reason why the regulator has taken the step is over concerns that children wearing the watches could be, in theory, spied upon and tracked. These risks have been identified because the watches are internet-connected and are thought to be poorly secured e.g. no encryption of any transmitted data. This could mean that they could be hacked and taken over, and also the GPS tracking in the watches could be used by unauthorised persons to track the child.

Demographic

Smartwatches like the ones that have been banned in Germany are generally aimed at children aged between five and twelve, and this could be considered to be a demographic that is particularly vulnerable if data from the watches fell into the wrong hands.

App

Smartwatches have a Sim card, limited telephony function, and are linked to an app.
Parents can use the app to access their child’s smartwatch, and thereby listen to what is happening in the child’s environment, and it has been reported that the German Federal Network Agency has evidence that parents have used this feature to listen to teachers in the classroom. This ‘unauthorised transmitting’ and the surrounding privacy concerns have led to schools being warned to be on the lookout for the watches.

Similar Case In Norway

This is not the first time that concerns have been raised about the security and privacy aspects of smartwatches. Back in October, the Norwegian Consumer Council (NCC) reported that some children's watches had flaws such as transmitting and storing data without encryption. Among the dangers identified were concerns that watches could have been hacked using basic techniques and the (child) wearer could have been tracked, or made to appear to be in a different location.

Internet-Connected Gifts / Toys Fear


Only last week there were news reports that Consumer watchdog Which? identified toys such as Connect, the i-Que robot, Cloudpets and Toy-fi Teddy as having a security vulnerability because no authentication is required, and they could be linked with via Bluetooth.

Also in the US, back in July this year, the FBI issued an urgent announcement describing the vulnerability of internet-connected toys to such risks, explaining steps to take to minimise the threat. The main concern appeared to be that young children could tell their toys private information, thinking they’re speaking in confidence. This information could be intercepted via the toy, thereby putting the child and family at risk.

What Does This Mean For Your Business?

Many tech and security commentators agree that a lot more care needs to be taken by manufacturers of Internet-connected / smart toys, gifts, and other home and business products to make sure that they are secure when they are sold, and that any information they do transmit is encrypted.

It is very worrying that, children particularly, may be at risk now due to vulnerabilities in smart toys. There have been many occasions in recent years when concerns about the security / privacy vulnerabilities in IoT / smart products have been publicly expressed and reported. The truth is that the extent of the current vulnerabilities are unknown because the devices are so widely distributed globally, and many organisations tend not to include them in risk assessments for devices, code, data, and infrastructure. Home / domestic users have no real way of ascertaining the risks that smart / IoT devices pose, probably until it’s too late.

It has also been noted by many commentators that not only is it difficult for businesses, including manufacturers of smart products, to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.

For businesses, it’s a case of conducting an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default username and passwords in these devices are changed as soon as possible. For home users of smart products, who don’t run checks and audits, it appears that others (as in the case of the German Federal Network Agency) need to step in on their behalf and force the manufacturers to take security risks seriously.

Your Keystrokes Being Tracked

A new study from Princeton University has suggested that your keystrokes,
mouse movements, scrolling behaviour, and the entire contents of the pages you visit may be tracked and recorded by hundreds of companies.

What??


The study revealed that no fewer than 480 websites of the world's top 50,000 sites are known to have used a technique known as ‘session replay’, which, although designed to allow companies to gain an understanding of how customers use websites, also records an alarming amount of potentially dangerous information.

The researchers found that companies are now tracking users individually, sometimes by name.

The Software

The session replay software offered by seven firms, and detected in the study was FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar and Yandex.

The research showed that companies using the software (on 492 sites) were sharing information about individuals with one or more of the seven replay companies, and that the percentage of sites giving information to the software companies was likely higher, because the software companies only track just a sample and not the total of visits to a website.

Companies Using The Software


As indicated in the research, some companies believed to be using session replay software include the Telegraph website, Samsung, Reuters, Home Depot (US retailer) and CBS News.

What’s The Risk?

As pointed out by the researchers, this kind of software is like someone looking over your shoulder, and that the extent of the data collected may far exceed user expectations, without any visual indication to the website visitor that such monitoring is taking place.

Security commentators have noted that among the general browsing data collected by these third-party replay scripts, they are also capable of collecting some very sensitive and personal information e.g. medical conditions and credit card details. Depending on how this data is transmitted and stored (where and how securely?) this could expose people to risks such as identity theft and online scams.

The research also raised the question of whether state-sponsored surveillance is being carried out with session replay software, when it was noted that Yandex (one of the session replay software companies) is also Russia’s largest search engine.

What Does This Mean For Your Business?


Creeping surveillance and monitoring for multiple purposes is now part of our daily lives and includes e.g. CCTV, monitoring / surveillance of behaviour and Internet use at work, tracking via our mobile phones, EPOS / supermarket recording of our purchases, storage of our browsing history as part of the Investigatory Powers Bill / ‘Snooper’s Charter’, social media monitoring, and government attempts to gain back-doors into and stop end-to-end-encryption of popular platforms like WhatsApp.

Keystroke monitoring in itself is nothing new, but the difference now is that cyber-crime is at a high, data protection has become a more public issue with data breach reports in new regulations on the way in (GDPR), and the fact that the latest session replay software is capable of recording so much detail including our most sensitive data and interests.
For businesses, session replay software could be an asset in understanding more about customers and making marketing more effective and efficient. As consumers, we could be forgiven for having cause for concern, and with things like ad-blockers only capable of filtering out only some replay scripts, we remain somewhat vulnerable to the risks that they may pose.

57 Million Data Breach Concealed By Uber - Hackers Paid

It has been reported that Uber concealed a massive data breach from a
hack involving the data of 57 million customers and drivers, and then paid the hackers $100,000 to delete the data and to keep quiet about it.

More Than Two Years Ago?

Reportedly, the hacking of ride-hailing service Uber’s stored data took place more than two years ago. Instead of reporting the breach to regulators and going public with the news, Uber are now accused of concealing the breach.

What Actually Happened?


Reports indicate that back in 2016, two hackers were able to access a private GitHub coding site that was being used by Uber software engineers. Using the login details obtained via the GitHub, the attackers were able to go to the Amazon Web Services account that handled the company’s computing tasks and access an archive of rider and driver information. This information is believed to have been stolen by the hackers, and the hackers are then reported to have emailed Uber asking for money.

Hackers Paid

Almost as shocking as Uber keeping quiet about the breach for 2 years or more is their reported decision to pay the hackers $100,000 to delete their copy of the data, and to keep quiet about the breach. At the time of the hack, in November 2016, Uber was negotiating with U.S. regulators (Federal Trade Commission) who were investigating separate claims of privacy violations by the company and Uber had just settled a lawsuit with the New York attorney general over data security disclosures.

Kalanick and Sullivan

Uber’s former CEO, Travis Kalanick, who was ousted from the role earlier this year (but remained on the board), is reported to have known about the breach a month after it took place.

Joe Sullivan, outgoing security chief, also appears to be somewhat in the frame over how the hack was handled, as it was only when Uber’s board commissioned an investigation into the activities of Sullivan’s security team (by an outside law firm) that the hack and the failure to disclose it was discovered.

What Kind of Data Was Stolen?

Reports indicate that within the 57 million names, email addresses and mobile phone numbers stolen, 600,000 drivers had their names and licence details / drivers licence numbers exposed. This has led to drivers now being offered free credit monitoring protection.

History

Unfortunately, this is not the first time that poor practice has been uncovered in how Uber deals with data. For example, the U.S. has opened at least five criminal probes into the company’s activities around data, which is in addition to the multiple civil lawsuits that the company faces. The UK government has also looked at banning the service on the grounds of alleged reckless behaviour (thus losing its London licence in September).

What Does This Mean For Your Business?


How companies store and handle data is, in today’s society, important to consumers, and to governments. The introduction of GDPR next year and the potentially severe penalties for businesses / organisations that don’t comply is evidence of how Europe and the UK are determined to force businesses / organisations to be more responsible, transparent, and follow practices that will ensure greater security. If companies really want to destroy their reputation and brand and risk being closed down, there are few better ways than [a] having a significant data breach (or being a repeat offender), and [b] failing to disclose that breach until being forced to do so.

Uber joins a line of well-known businesses that have made the news for all the wrong reasons where data handling is concerned e.g. Yahoo’s data breach of 500 million users' accounts in 2014 followed by the discovery that it was the subject of the biggest data breach in history back in 2013. Similar to the Uber episode is the Equifax hack where 143 million customer details were stolen (44 million possibly from UK customers), while the company waited 40 days before informing the public and three senior executives sold their shares worth almost £1.4m before the breach was publicly announced.

This story should help to remind businesses how important it is to invest in keeping security systems up to date and to maintain cyber resilience on all levels. This could involve keeping up to date with patching (9 out of 10 hacked businesses were compromised via un-patched vulnerabilities), and should extend to training employees in cyber-security practices, and adopting multi-layered defences that go beyond the traditional anti-virus and firewall perimeter.

Companies need to conduct security audits to make sure that no old, isolated data is stored on any old systems or platforms, and no GitHub-style routes are offering cyber-criminals easy access. Companies may now need to use tools that allow security devices to collect and share data and co-ordinate a unified response across the entire distributed network.
The reported behaviour of Uber is clearly poor and likely to inflict even more damage on the reputation and brand of the company. The hack is also a reminder to businesses to maintain updated and workable Business Continuity and Disaster Recovery Plans.

Prison Sentences Demanded For Unauthorised Data Usage

The Information Commissioner’s Office (ICO) has said that it backs the idea
that anyone accessing personal data without a valid reason or without their employer’s knowledge is guilty of a criminal offence, should be prosecuted, and prison sentences should be an option.

Recent Case

A recent case involving a nursing auxiliary at Newport’s Royal Gwent Hospital has re-ignited the ICO’s calls to get tough on personal data snoops. In the case of 61-year-old Marian Waddell of Newport, she was found to have accessed the records of a patient who was known to her, on six different occasions between July 2015 and February 2016, without having a valid business reason to do so and without the knowledge of the data controller (at the Aneurin Bevan University Health Board). The data controller is the person who (alone or jointly or in common with other persons) who determines the purposes for which and the manner in which any personal data is to be processed.

In this case, Nursing auxiliary Waddell was found guilty of a section 55 offence (of the 1988 Data Protection Act) and was fined £232, ordered to pay £150 costs, and was ordered to pay a £30 victim surcharge.

Fines ... For Now

Section 55 offences of this kind are currently only punishable by fines, and such fines and costs have totalled £8,000 this year for nine convictions.

Section 55 of the Data Protection Act 1998 refers to the unlawful obtaining etc. of personal data, and it states that “a person must not knowingly or recklessly, without the consent of the data controller - obtain or disclose personal data or the information contained in personal data, or - procure the disclosure to another person of the information contained in personal data.”

The ICO, however, would like to see tougher penalties for data snooping. For example, a blog post by ICO enforcement group manager and head of the ICO’s criminal investigations team, Mike Shaw, highlighted the fact that offenders not only face fines, payment of prosecution costs, but could also face media (Internet) coverage of their offences, and damaged future job prospects. Mr. Shaw also stated that the ICO would like to see custodial sentences introduced as a sentencing option for the courts in the most serious cases.

Not Just An NHS Problem

The ICO have been quick to point out that data snooping and convictions for doing so are not confined to the NHS. Prosecution cases this year have also been brought against employees in local government, charities and the private sector.

Motives for data snooping vary, from sheer nosiness to seeking financial gain.

What Does This Mean For Your Business?

With GDPR soon to be introduced and with the ICO now pushing for possible prison sentences for certain data offences, businesses now need to (if they haven’t done so already) make data protection and compliance with data protection law a priority. This story is should remind anyone in any business or organisation that, if you have access to personal data, that data is actually out of bounds to you unless you have a valid and legal reason for looking at it.

Businesses can help to make all staff aware of the rules and regulations for handling and processing data through staff training and education.

New, Free Secret Browsing and Cyber Security Service



Quad9 is a new, free service that will allow users to keep their
Internet browsing habits secret and their data safe from malicious websites, botnets, phishing attacks, and marketers.

What’s The Problem?

When you browse the Internet, your Domain Name System (DNS) is likely set to whatever your ISP would like it to be (unless you have changed it). DNS services monitor your traffic data, and this information is often resold to online marketers and data brokers. We all face the security threat of unknowingly visiting domains that are associated with things like botnets, phishing attacks, and other malicious internet hosts. Many businesses also have to go to the trouble of running their own DNS blacklisting and whitelisting services.

Quad9

The new Quad9 free public Domain Name Service (DNS) system addresses all of these threats. The service promises not to collect, store, or sell any information about your browsing habits, thereby freeing the user from receiving even more unwanted attention from marketers in the future.

Also, a large part of the value of the service is that it will block domains associated with botnets, phishing attacks, and other malicious internet hosts, and relieve businesses of the need to maintain their own blacklisting and whitelisting services.

How Does It Work?

The Quad9 system, so-named because of its 9.9.9.9 Internet Protocol address, draws upon IBM X-Force's threat intelligence database which is made up of 40 billion+ analysed web pages and images. The Quad9 service also draws upon 18 other threat intelligence feeds including Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ, and ThreatSTOP.

Quad9 uses its intelligence feeds and database to keep an updated whitelist of domains never to block, using a list of the top one million requested domains. It also keeps a "gold list" of safe providers e.g. Microsoft's Azure cloud, Google, and the like.

Amazon Web Services

All of this means that, when a Quad9 user browses the Internet and visits a website, types a URL into a browser, or follows a link, Quad9 checks the site against its databases and feeds to make sure its safe. If it isn’t safe, access to it will be blocked, thus protecting the users from possible security threats.

Not For Profit

The Quad9 service is the result of a non-profit alliance between IBM Security, Packet Clearing House (PCH), and The Global Cyber Alliance, an organisation founded by law enforcement and research firms.

What Does This Mean For Your Business?


This service offers businesses another useful and free tool in the fight to maintain cyber security and resilience in an environment where threats seem to be around every corner. This service has some credible contributors with serious critical mass, and has a presence in over 70 locations across 40 countries, with plans to double its global presence over the next 18 months. This means that Quad9 could add real value to business efforts to deter threats that can come from anywhere in the world. It could also save businesses the time and trouble, and extra risk of having to compile their own (often inadequate) blacklisting and whitelisting services, and can help businesses to defend themselves from evolving threats. This kind of service also helps protect against all-too-common human error by blocking threats automatically.

Businesses hoping to use the service simply need to change the DNS settings in their device or router to point to 9.9.9.9. Installation videos and guides are also available online.

Monday, November 20, 2017

Ofcom has announced that broadband and landline customers will
be automatically able to get money back from their providers when things go wrong, without having to make a claim for it.

Review Brings ‘Automatic Compensation’ Agreement

After a review and intervention in the broadband market by Ofcom, BT, Sky, TalkTalk, Virgin Media and Zen Internet, who collectively serve around 90% of landline and broadband customers in the UK, have agreed to introduce automatic compensation, which should reflect the harm consumers suffer when things go wrong. Plusnet and EE have also indicated that they may also join the scheme.

£142 Million

Compensation is currently only paid in approximately one in seven cases (15%) where landline or broadband customers have suffered slow repairs, delayed installations or missed engineer appointments. The actual amount of compensation paid in these cases is also widely recognised to be small.

With the new automatic compensation, the amounts paid are predicted to be around nine times higher with customers set to receive an estimated £142 million in payouts.

Entitlement


The new automatic compensation scheme will apply to fixed broadband and landline telephone services. Customers will be able to receive the compensation if:
  • Services have stopped working and are not fully fixed after two full working days. In these cases, customers will be entitled to £8 for each day it is not repaired.
  • An engineer doesn’t turn up for the scheduled appointment, or if the appointment is cancelled with less than 24 hours' notice. In these cases customers should receive £25 per missed appointment.
  • A provider promises to start a new service on a particular date, but fails to do so. In this case, customers will be able to claim £5 for each day of the delay, including the missed start date.

Not For 15 Months

According to Ofcom, the complexity of launching the first ever automatic compensation scheme for telecoms customers, and the changes to providers’ billing systems, online accounts and call centres that will be required to implement the system will mean that it won’t come into effect for 15 months.

What Does This Mean For Your Business?

Ofcom’s own research shows that nine in ten adults report going online every day and three-quarters of internet users say it is important to their daily lives. For businesses, a fast and reliable broadband connection is vital to operate and compete effectively in today’s marketplace. Problems with broadband services can be very costly and frustrating for businesses, and many businesses feel that they shouldn’t have to fight for compensation on top of the problems caused by poor broadband services, and that current levels of compensation are too low, and don’t come close to reflecting the harm caused. Automatic compensation at higher levels is, therefore, good news, although there are still 15 months to wait before the scheme starts.

The new automatic compensation scheme is particularly good news for small businesses because one-third of small and medium-sized enterprises (SMEs) choose residential landline and broadband services, and around half (49%) of SMEs don’t know if they’re entitled to compensation when service falls short (Ofcom figures).

It is also reassuring to know that the main providers are on board with the scheme, and that Ofcom plans to monitor its implementation, review it after one year, and step in if it's not working well enough for customers.