Author: Andy Miller

Lancaster University Hit By “Sophisticated and Malicious Phishing Attack”

Lancaster University, which offers a GCHQ-accredited cyber-security course and has its own Cyber Security Research Centre, has been hit by what it has described as a “sophisticated and malicious phishing attack”, resulting in the leak of the personal data of new university applicants.

12,000+ Affected?

The University’s website states that only “a very small number of students” actually had their records and ID documents accessed as a result of the attack. However, other estimates published by IT news commentators online, based on statistics compiled by UCAS, suggest that possibly over 12,000 people may have been affected.

Who?

The attack appears to have been focused on the new student applicant data records for 2019 and 2020.

What?

According to the university, the new applicant information which may have been accessed includes names, addresses, telephone numbers, and email addresses.

There have also been reports that, following the attack, fraudulent invoices have been sent to some undergraduate applicants.

Why?

Although very little information has been divulged about the exact nature of the attack, universities are known to be particularly attractive targets for phishing emails i.e. emails designed to trick the recipient into clicking on malicious links or transferring funds.  This is because educational institutions tend to have large numbers of users spread across many different departments, different facilities and faculties, and data is moved between these, thereby making admin and IT security very complicated.  Also, universities have a lot of valuable intellectual property as well as student and staff personal data within their systems which are tempting targets for hackers.

When?

Lancaster University says that it became aware of the breach on Friday 19th July, whereupon it established an incident team to handle the situation and immediately reported the incident to the Information Commissioner’s Office (ICO).

A criminal investigation led by the National Crime Agency’s (NCA) National Cyber Crime Unit (NCU) is now believed to be under way, and the university has been focusing efforts on safeguarding its IT systems and identifying and advising any students and applicants who have been affected.

US Universities & Colleges Hit Days Before

Just days before the attack on Lancaster University came to light, the U.S. Department of Education reported that a vulnerability in the Ellucian Banner System authentication software had led to 62 colleges or universities being affected.

What Does This Mean For Your Business?

For reasons already mentioned (see the ‘Why?’ section), schools, colleges and universities are prime targets for hackers, and this is why many IT and security commentators think that the higher education sector should be looking to take cyber-security risks very seriously, and make sure that training and software are put in place to enable a more proactive approach to attack prevention. Users, both students and staff, need to be educated about threats, how to spot suspicious communications by email or social media, and what to do with them. Students, for example, need to be aware that during the summer months, when they are more stressed and awaiting news of applications, they may be more vulnerable to phishing attacks, and that they should only contact universities through a trusted, previously tried method, and not rely upon the contact information and links given in emails.

For Lancaster University, which has its own Cyber Security Research Centre and offers a GCHQ-approved cybersecurity course, this attack, which has generated some bad publicity and may adversely affect some victims, is likely to be very embarrassing and may even deter some future applicants.

Lancaster University has advised applicants, students and staff to make contact (via email or phone) if they receive any suspicious communications.

£80,000 Fine For London Estate Agency Highlights Importance of Due Diligence in Data Protection

The issuing of an £80,000 fine by the Information Commissioner’s Office (ICO) to London-based estate agency Parliament View Ltd (LPVL) highlights the importance of due diligence when keeping customer data safe.

What Happened?

Prior to the introduction of GDPR, between March 2015 and February 2017, LPVL left their customer data exposed online after transferring the data via FTP from its server to a partner organisation which also offered a property letting transaction service. LPVL was using Microsoft’s Internet Information Services (IIS) but didn’t switch off an Anonymous Authentication Function, thereby giving anyone access to the server and the data without prompting them for a username or password.
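The misconfiguration described above is easy to check for mechanically. The following is an added example (not LPVL’s configuration and not a Microsoft tool) that parses two constructed IIS web.config-style fragments and flags any site where anonymous authentication is still switched on. It uses IIS’s `system.webServer/security/authentication/anonymousAuthentication` element and `<location path="...">` scoping; the site name `PartnerShare` is invented. The page says the exposure was over FTP, whose settings live in a separate `system.ftpServer` section with the same element name, so the same walk applies there by changing the section being inspected (an assumption about that section is not exercised here).

```python
"""Audit IIS-style XML configuration for anonymous authentication left enabled.
Added example, not LPVL's configuration or Microsoft's tooling.
The two fragments below are constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed: the weak setting, anonymous access with nothing else enabled,
# scoped to an invented site called PartnerShare.
EXPOSED_CONFIG = """<configuration>
  <location path="PartnerShare">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="true" />
          <basicAuthentication enabled="false" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""

# Constructed: the corrected setting, anonymous access off and an
# authenticated scheme on, so every request is challenged for credentials.
HARDENED_CONFIG = """<configuration>
  <location path="PartnerShare">
    <system.webServer>
      <security>
        <authentication>
          <anonymousAuthentication enabled="false" />
          <windowsAuthentication enabled="true" />
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>"""


def audit_anonymous_auth(config_xml: str) -> list:
    """Return one finding per <anonymousAuthentication enabled="true">,
    naming the <location> it applies to and which other schemes are on."""
    root = ET.fromstring(config_xml)
    # ElementTree has no parent pointers; build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for anon in root.iter("anonymousAuthentication"):
        if anon.get("enabled", "false").lower() != "true":
            continue
        # Walk up to the enclosing <location> to name the affected site/path.
        node, scope = anon, "(server-wide)"
        while node in parent:
            node = parent[node]
            if node.tag == "location":
                scope = node.get("path", "(root)")
                break
        # Siblings under <authentication> that are also enabled.
        auth = parent[anon]
        others = [c.tag for c in auth
                  if c is not anon and c.get("enabled", "").lower() == "true"]
        findings.append({"scope": scope, "other_auth_enabled": others})
    return findings


if __name__ == "__main__":
    print("exposed :", audit_anonymous_auth(EXPOSED_CONFIG))
    print("hardened:", audit_anonymous_auth(HARDENED_CONFIG))
```

Run against the exposed fragment the audit reports `PartnerShare` with no other scheme enabled, which is exactly the “no username or password prompt” condition the ICO described; the hardened fragment produces no findings.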

The data that was publicly exposed included some very sensitive things which could be of value to hackers and other criminals including addresses of both tenants and landlords, bank statements and salary details, utility bills, dates of birth, driving licences (of tenants and landlords) and even copies of passports.  The ICO reported that the data of 18,610 individual users had been put at risk.

Hacker’s Ransom Request

The ICO’s tough penalty took into account the fact that not only was LPVL judged to have not taken the appropriate technical and organisational measures to prevent unlawful processing of the personal data, but that the estate agency only alerted the ICO to the breach after it had been contacted in October by a hacker who claimed to possess personal data held by LPVL and who had requested a ransom.

The ICO judged that LPVL’s contraventions of the Data Protection Act were wide-ranging and likely to cause substantial damage and substantial distress to those whose personal data was taken, hence the huge fine.

Marriott International Also Fined

The Marriott International hotel chain has also just been issued with a massive £99.2m fine by the ICO for infringements of GDPR, also related to matters of due diligence. Marriott International’s fine related to an incident that affected Starwood hotels (which Marriott was buying) from 2014 to 2018. In this case, the ICO found that the hotel chain didn’t do enough to secure its systems and undertake due diligence when it bought Starwood. The ICO found that the systems of the Starwood hotels group were compromised in 2014, but the exposure of customer information was not discovered until 2018, by which time data contained in approximately 339 million guest records globally had been exposed (7 million related to UK residents).

What Does This Mean For Your Business?

We’re now seeing the culmination of ICO investigations into incidents involving some large organisations, and the issuing of some large fines by the ICO, e.g. to British Airways and Marriott International, as well as to some lesser-known, smaller organisations such as LPVL. These serve to remind all businesses of their responsibilities under GDPR.

Personal data is an asset that has real value, and therefore, organisations have a clear legal duty to ensure its security.  Part of ensuring this is carrying out proper due diligence when e.g. making corporate acquisitions (as with Marriott), when transferring data to partners (as with LPVL), and in all other situations.  Systems should be monitored to ensure that they haven’t been compromised and that adequate security is maintained.  Staff dealing with data should also be adequately trained to ensure that they act lawfully and make good decisions in data matters.

MPs Call To Stop Police Facial Recognition

Following criticism of the Police use of facial recognition technology in terms of privacy, accuracy, bias, and management of the image database, the House of Commons Science and Technology Committee has called for a temporary halt in the use of the facial recognition system.

Database Concerns

Some of the key concerns of the committee were that the Police database of custody images is not being correctly edited to remove pictures of unconvicted individuals and that innocent people’s pictures may be illegally included in facial recognition “watch lists” that are used by police to stop and even arrest suspects.

While the committee accepts that this may be partly due to a lack of resources to manually edit the database, the MPs’ committee has also expressed concern that the images of unconvicted individuals are not being removed after six years, as is required by law.

Figures indicate that, as of February last year, there were 12.5 million images available to facial recognition searches.

Accuracy

Accuracy of facial recognition has long been a concern. For example, in December last year, ICO head Elizabeth Denham launched a formal investigation into how police forces use facial recognition technology (FRT) after high failure rates, misidentifications and worries about legality, bias, and privacy. For example, the trial of ‘real-time’ facial recognition technology on Champions League final day in June 2017 in Cardiff, by the South Wales and Gwent Police forces, was criticised for costing £177,000 and yet resulting in only one arrest, of a local man, which was unconnected to the event.

Also, after trials of FRT at the 2016 and 2017 Notting Hill Carnivals, the Police faced criticism that FRT was ineffective, racially discriminatory, and confused men with women.

Bias

In addition to gender bias issues, the committee also expressed concern about how a government advisory group had warned (in February) that facial recognition systems could produce inaccurate results if they had not been trained on a diverse enough range of data, such as faces from different ethnic groups, e.g. Black, Asian, and other ethnic minorities. The concern was that if faces from different ethnic groups are under-represented in live facial recognition training datasets, this could lead to errors. A further concern was that human operators/police officers, who are supposed to double-check any matches made by the system by other means before acting, could defer to the algorithm’s decision without doing so.

Privacy

Privacy groups such as Liberty (which is awaiting a ruling on its challenge of South Wales Police’s use of the technology) and Big Brother Watch have been vocal and active in highlighting the possible threats posed to privacy by the police use of facial recognition technology. Also, even Tony Porter, the Surveillance Camera Commissioner, has criticised trials by London’s Metropolitan Police over privacy and freedom issues.

Moratorium

The committee of MPs has therefore called for the government to temporarily halt the use of facial recognition technology by police pending the introduction of a proper legal framework, guidance on trial protocols and the establishment of an oversight and evaluation system.

What Does This Mean For Your Business?

Businesses use CCTV for monitoring and security purposes, and most businesses are aware of the privacy and legal compliance aspects (GDPR) of using such a system and of how and where the images are managed and stored.

As a society, we are also used to being under surveillance by CCTV systems, which can have real value in helping to deter criminal activity, locate and catch perpetrators, and provide evidence for arrests and trials. The Home Office has noted that there is general public support for live facial recognition in order to (for example) identify potential terrorists and people wanted for serious violent crimes. These, however, are not the reasons why the MPs’ committee has expressed its concerns, or why ICO head Elizabeth Denham has launched a formal investigation into how police forces use FRT.

It is likely that while businesses would support the crime and terror-busting and crime prevention aspects of FRT used by the police, they would also need to feel assured that the correct legal framework and evaluation system are in place to protect the rights of all and to ensure that the system is accurate and cost-effective.

Tech Tip – The F-Secure Data Discovery Portal

The free online Data Discovery Portal from F-Secure shows you what personal information you have given to tech-giant free services Facebook, Google, Amazon, Snapchat, Twitter and Apple over the years.

If you visit https://data-discovery-portal.f-secure.com/en/ and click on the logo of each of those companies you will be taken straight to the page where you can download a copy of the information that they have collected about you (Apple requires a login).  With Amazon, for example, you can even discover the way to review, listen to, and delete any voice recordings associated with your account.

The F-Secure Data Discovery Portal is, therefore, one easy way in which you can take steps to protect your identity and guard your personal data going forward.

Alan Turing To Feature on £50 Note

Alan Turing, head of the Enigma code-breaking team at Bletchley Park in World War 2, mathematician and father of computer science, who was driven to suicide over the treatment of his sexuality, is finally being honoured by featuring his image on the new £50 note.

Chosen By Committee

The UK Bank of England’s Banknote Character Advisory Committee advises the Governor on the characters that appear on new banknotes. In December, members of the committee were given summary biographies of 989 dead scientists, put forward by more than 225,000 members of the public, from which one would need to be chosen to feature on the new polymer £50 note when it enters circulation at the end of 2021.  The committee chose Alan Turing.

Mathematician & Scientist

Alan Turing (1912 – 1954), born in West London and educated in Frant, East Sussex and Sherborne, Dorset, displayed a natural ability for maths and science. He is reported to have been able to solve complex and advanced maths problems in 1927 (aged 15) without having studied even elementary calculus, and in 1928 (aged 16) he was able to deduce Einstein’s questioning of Newton’s laws of motion from a text in which this was never made explicit.

Father of Computer Science

After studying at King’s College Cambridge, in 1936 Turing published his paper “On Computable Numbers, with an Application to the Entscheidungsproblem”, in which Turing proved that his “universal computing machine” could perform any mathematical computation if it were representable as an algorithm. This, together with his work at Bletchley Park, is why Turing is widely thought of as the father of modern computer science.

WW2 Bletchley Hero

Alan Turing is perhaps best known for heading the codebreaking operation during WW2 at top-secret Bletchley Park, where it is estimated that the incredible breaking of U-boat Enigma codes may have shortened the war in Europe by as many as two to four years, and potentially saved millions of lives. Part of this work involved creating and building the electromechanical machine called the bombe, which could break Enigma more effectively than the Polish bomba kryptologiczna (from which it got its name).

Conviction, Chemical Castration and Suicide

In 1952, Turing was prosecuted and convicted of “gross indecency” over his relationship with another man. In order to avoid a prison sentence, Turing chose to be chemically castrated through injections of synthetic oestrogen.

Alan Turing committed suicide with cyanide poisoning two years later, aged only 41.

Apology and Pardon

In 2013, Alan Turing was given a posthumous apology and royal pardon for his conviction for gross indecency.

What Does This Mean For Your Business?

Alan Turing’s incredible mind, aptitude for maths and science, and his work in cracking the Enigma code at Bletchley Park have resulted in millions of lives being saved through the shortening of the war in Europe, and in the rapid evolution of computer science that has fed directly into the digital world and workplace that we know today. Despite being a national hero, how Turing was treated was widely regarded as shameful, and the posthumous pardon and apology, along with being honoured on a banknote, have been ways in which the UK has been able, in some small but public ways, to right some of the wrongs of the past, honour a truly great scientist, and contribute to a greater understanding and acceptance of sexual differences.

Scientists Discover How To Store Data On Matter Smaller Than DNA

Scientists from Brown University are reported to have discovered how to store data on metabolic molecules, which are pieces of matter that are even smaller than DNA.

Storage In Artificial Metabolomes

The results of the recent research announced on the Brown University website and published in the PLOS ONE journal describe how researchers have discovered a way to store/encode and retrieve kilobyte-scale image files from artificial metabolomes which are arrays of liquid mixtures containing sugars, amino acids and other types of small molecules.  Some of these small molecules are smaller and have greater information density than DNA.

According to the researchers, although DNA is best for encoding larger datasets, the small molecule metabolite data method has low latency so that data sets can be written and read quickly.  The small molecule method is, however, still slower than traditional computers.

DNA Storage Research Not New

Research into storing data in DNA is not new.  For example, back in 2013 scientists in Cambridge spelt out a collection of Shakespeare’s 154 sonnets in DNA.

Also, last September UK scientists developed a technique to enable them to store computer files on DNA.  Scientists from the European Bioinformatics Institute developed a method whereby the basis of digital data, which is made up of ones and zeros, is changed into their own code as Cs, Gs, and Ts.

This converted code was sent to a US laboratory, which turned the letter code into physical DNA so that it could act like an incredibly small hard drive. The laboratory used DNA synthesis machines to transform the code into physical material in a similar way to how an inkjet printer lays down ink on paper. The physical result was a tiny piece of dust with the vital digital data stored inside. An estimated 215 petabytes (215 million gigabytes) of data could be stored in a single gram of DNA.

Why?

The reasons for developing ways to store data in DNA and even smaller molecules are that we are generating vast quantities of data with no practical and cost-effective way to store it for the future.  For example, it is estimated that there are now 3 zettabytes (3000 billion bytes) of digital data, with more being generated all the time. Storage media such as hard disks are expensive and require a constant supply of expensive electricity, and even the best ‘no-power’ archiving materials e.g. magnetic tape degrade within a decade.

The advantages of DNA and smaller molecules for storage are that:

  • Sensitive data stored in DNA and other small molecules won’t be vulnerable to hacking.
  • Data stored in this way could survive in harsher climates and environments where traditional hardware can’t.
  • DNA provides a highly effective, ultra-compact space-saving solution, that doesn’t require large amounts of costly electricity.
  • DNA can keep for hundreds of thousands of years if kept in a cool, dry place. Data stored in DNA won’t degrade over time, and it can be decoded relatively easily.
  • DNA won’t become obsolete, and unlike other high-density approaches, new technologies can write and read large amounts of DNA in one go.

What Does This Mean For Your Business?

The incredible science involved in this could give businesses a way to store and back up vast amounts of data in a very convenient and secure way (safe from hackers) with dramatically reduced space, equipment, and electricity costs, and with the assurance that the data could be stored, without decay, for many thousands of years.  Some tech commentators have estimated that commercial DNA storage devices may be on shelves in the next few years.

You could be forgiven for thinking, however, that DNA storage of data sounds (and probably will be) expensive, and it may be the case that most businesses will be sticking to cloud storage for quite some time yet.

Security Flaw Discovered In NHS Anaesthetic Machines

Cybersecurity firm CyberMDX has reported the discovery of a security flaw in some Internet-connected GE Healthcare anaesthetic machines which could leave them vulnerable to hacks.

Security Flaw

The security flaw has been described as the exposure of the configuration of certain terminal server implementations that extend GE Healthcare anaesthesia device serial ports to TCP/IP networks. This could potentially mean that when the devices are connected to the Internet, they could be remotely targeted by hackers who could modify the parameters of the anaesthesia devices. According to CyberMDX, this could mean that hackers could silence device alarms and even adjust anaesthetic dosages or switch anaesthetic agents.

Johnson & Johnson

The threat discovered in GE Healthcare anaesthetic devices may not sound too unlikely when you consider that back in October a security vulnerability was discovered in one of Johnson & Johnson’s insulin pumps (the Animas OneTouch Ping insulin pump) that a hacker could exploit to overdose diabetic patients with insulin.  Even though the company described the risk as “extremely low”, it still led them to take the precaution of sending letters outlining the problem to 114,000 people, doctors and patients, who used the device in the US and Canada.

Affected Machines

The affected GE Healthcare anaesthetic machines are reported to include Aestiva and Aespire versions 7100 and 7900.  It has been reported that some are used in NHS hospitals.

Suggestions

Some of the suggestions offered by GE in response to reports of the possible vulnerability (which may not be exclusive to just GE machines) are for hospitals/users to use secure terminal servers with strong encryption, and to use a VPN and other features to protect against hacks.

Also, GE suggests that organisations should use industry best practices and secure deployment measures e.g. network segmentation, VLANs and device isolation.

What Does This Mean For Your Business?

Where any device has an Internet connection e.g. IoT devices, there is now a risk of a possible attack, but the fact that these are medical machines which could lead to serious human consequences if remote hackers were able to tamper with them makes this story all the more alarming.

If, as GE and the US Department of Homeland Security have pointed out, all equipment is correctly isolated wherever possible, unnecessary accounts, protocols and services are disabled, and best practice is followed, the risk should be very low indeed.

This story does, however, highlight how all businesses and organisations should take the security of smart/IoT devices seriously, particularly where there could be a clear human risk.

Microsoft Criticised By UK’s Cyber Security Agency Over Dmarc

The UK’s National Cyber Security Centre (NCSC) has complained that it has been unable to compile meaningful statistics and draw meaningful conclusions about email security in its latest report because Microsoft stopped sending Dmarc reports two years ago.

What Is Dmarc?

Domain-based message authentication, reporting and conformance (Dmarc) is a protocol, developed by the Trusted Domain Project, to help provide greater assurance on the identity of the sender of a message. It builds upon the email authentication technologies SPF and DKIM developed over a decade ago and on the work on a collaborative system pioneered by PayPal, Yahoo! Mail and later Gmail.

Dmarc allows email and service providers to share information about the validity of emails they send to each other, including giving instructions to mailbox providers about what to do if a domain’s emails aren’t protected and verified by SPF and/or DKIM, e.g. moving a message directly to a spam folder or rejecting it outright. Information about messages that have passed or failed Dmarc evaluation is then fed back to a Dmarc register, thereby providing intelligence to the sender about messages being sent from their domain and enabling them to identify email systems being used by spammers.

Dmarc works on inbound email authentication by helping email receivers to determine if a message “aligns” with what the receiver knows about the sender and if not, Dmarc includes guidance on how to handle the “non-aligned” messages e.g. phishing and other fraudulent emails.
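To make the “alignment” and policy logic concrete, the following is an added example (not the NCSC’s, Microsoft’s or any mail library’s code) of a minimal Dmarc evaluator: it parses a domain’s Dmarc TXT record, checks whether the SPF-authenticated domain and/or the DKIM signing domain align with the visible From: domain in relaxed or strict mode, and returns the disposition a receiver would apply. The `example.org` record and the `AuthResults` inputs are constructed; the organisational-domain rule (last two labels) is a deliberate simplification, since real receivers use the Public Suffix List.

```python
"""Minimal Dmarc evaluator: parse a policy record, check SPF/DKIM alignment
against the From: domain, and return the receiver's disposition.
Added example; record and inputs below are constructed."""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tag -> value,
    filling in the defaults Dmarc specifies for missing tags."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a Dmarc record")
    tags.setdefault("adkim", "r")      # DKIM alignment: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")       # SPF alignment: r or s
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    return tags


def org_domain(domain: str) -> str:
    # Assumption for this example: organisational domain = last two labels.
    # Real receivers derive it from the Public Suffix List.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    """What the receiver already established before Dmarc runs (constructed)."""
    from_domain: str          # domain in the RFC5322 From: header
    spf_domain: str = ""      # MAIL FROM domain that passed SPF, "" if none
    dkim_domain: str = ""     # d= of a DKIM signature that verified, "" if none


def evaluate(record: str, r: AuthResults) -> dict:
    """Dmarc passes if at least one authenticated identifier aligns."""
    p = parse_dmarc_record(record)
    spf_ok = aligned(r.from_domain, r.spf_domain, p["aspf"])
    dkim_ok = aligned(r.from_domain, r.dkim_domain, p["adkim"])
    passed = spf_ok or dkim_ok
    # The sp= policy applies when From: is a subdomain of the org domain.
    is_sub = org_domain(r.from_domain) != r.from_domain.lower()
    policy = p["sp"] if is_sub else p["p"]
    return {"dmarc": "pass" if passed else "fail",
            "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok,
            "disposition": "none" if passed else policy}


# Constructed record for example.org: reject at the apex, quarantine on
# subdomains, strict DKIM alignment, relaxed SPF alignment.
RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
          "rua=mailto:dmarc-reports@example.org")

if __name__ == "__main__":
    # Legitimate bulk mailer: SPF passed for a subdomain, relaxed SPF aligns.
    print(evaluate(RECORD, AuthResults("example.org", spf_domain="bounce.example.org")))
    # Spoofed From: with SPF passing only for the attacker's own domain.
    print(evaluate(RECORD, AuthResults("example.org", spf_domain="attacker.example")))
```

The second call is the phishing case the text describes: SPF genuinely passes, but for a domain that does not align with the From: header, so the message fails Dmarc and the domain owner’s `p=reject` instruction applies. The aggregate reports sent to the `rua=` address are the data stream the NCSC says Microsoft stopped supplying.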

Why Were Microsoft’s Dmarc Reports So Important?

Microsoft’s email platforms form one of the biggest receivers of email, and data from Microsoft about the number of emails failing Dmarc gives a good indication of the number of suspicious emails being sent.  The lack of this data in the NCSC’s Mail Check service means that the NCSC’s ability to monitor and report on email security driven by Dmarc adoption has been hampered. This blind spot could have a knock-on negative impact on email security for everyone.

Public Sector Uptake – Good News

The NCSC’s latest report contains good news, however, about a significant uplift in the public sector adoption of email security protocols.  For example, public sector domains using Dmarc more than tripled from December 2017 to December 2018 to 1,369, and the number of domains with a Dmarc “quarantine” or “reject” policy (to prevent suspicious emails being delivered to inboxes) also tripled.

What Does This Mean For Your Business?

Having a collaborative intelligence sharing and effective protocol and process such as Dmarc that is being widely adopted by many organisations has significantly improved email security.  This is particularly valuable at a time when businesses face significant risks from malicious emails e.g. phishing and malware, and email is so often the way that hackers can gain access to business networks.

Sharing intelligence about the level and nature of email security threats and how they are changing over time e.g. in the trusted NCSC report, is an important tool to help businesses and security professionals understand more about how they tackle security threats going forward.  It is, therefore, disappointing that one of the world’s biggest receivers of email, which itself benefits from Dmarc, is not providing reports which could be of benefit to all businesses and organisations.

Facebook Launches Martin Lewis Anti-Scam Service

Facebook has launched a new anti-scam service using the £3m that it agreed to donate to the development of the programme in return for TV consumer money champion Martin Lewis dropping his legal action over scam ads.

What Legal Action?

Back in September 2018, MoneySavingExpert’s (MSE) founder Martin Lewis (OBE) took Facebook to the UK High Court to sue the tech giant for defamation over a series of fake adverts bearing his name. Many of the approximately 1,000 fake ads bearing Mr Lewis’ name that appeared on the Facebook social media platform over the space of a year could, and in some cases did, direct consumers to scammer sites containing false information, which Mr Lewis argued may have caused serious damage to his reputation and caused some people to lose money.

In January 2019, Mr Lewis came to an agreement with Facebook whereby he would drop his lawsuit if Facebook donated £3 million to Citizens Advice to create a new UK Scams Action project (launched in May 2019) and if Facebook agreed to launch a UK-focused scam ad reporting tool supported by a dedicated complaints-handling team.

How The New Anti-Scam Service Works

Facebook users in the UK will be able to access the service by clicking on the three dots (top right) of any advert to see ‘more options’ and “report ad”.  The list of reasons for reporting the ad now includes a “misleading or scam ad” option.

Also, the Citizens Advice charity has set up a phone line to help give advice to victims of online and offline scams.  The “Scams Action Service” advisers can be called on 0300 330 3003 Monday to Friday, and the advisers also offer help via live online chat.  In serious cases, face-to-face consultations can also be offered.

What To Do

If you’ve been scammed, the Citizens Advice charity recommends that you tell your bank immediately, reset your passwords, make sure that your anti-virus software has been updated, report the incident to Action Fraud, and contact the new Citizens Advice Scams Action service: https://www.citizensadvice.org.uk/scamsaction/

What Does This Mean For Your Business?

It is a shame that it has taken the threat of a lawsuit over damaging scam ads spread through its own platform to galvanise Facebook into putting some of its profits into setting up a service that can tackle the huge and growing problem of online fraud. Facebook and other ad platforms may also need to take more proactive steps with their advertising systems to make it more difficult for scammers to set up adverts in the first place.

Having a Scams Action service now in place using a trusted UK charity will also mean that awareness can be raised, and information given about known scams, and victims will have a place to go where they get clear advice and help.

Tech Tip – Citymapper

If you’re out and about on business in a city at home or abroad, the Citymapper app provides trip planning, real-time information about departures, offline maps, alerts about delays and disruptions, and much more.

The app covers many cities around the world, including the European cities of London, Manchester, Birmingham, Paris, Lyon, Berlin, Cologne, Düsseldorf, and Hamburg.

To find the app go to the Google Play Store.