Author: Andy Miller

Proposed Legislation To Make IoT Devices More Secure

Digital Minister Margot James has proposed the introduction of legislation that could make internet-connected gadgets less vulnerable to attacks by hackers.

What’s The Problem?

Gartner predicts that there will be 14.2 billion ‘smart’, internet-connected devices in use worldwide by the end of 2019.  These devices include connected TVs, smart speakers and home appliances. In business settings, IoT devices can include elevators, doors, or whole heating and fire safety systems in office buildings.

The main security issue of many of these devices is that they have pre-set, default unchangeable passwords, and once these passwords have been discovered by cybercriminals the IoT devices can be hacked in order to steal personal data, spy on users or remotely take control of devices in order to misuse them.

Also, IoT devices are deployed in many systems that link to and are supplied by major utilities e.g. smart meters in homes. This means that a large-scale attack on these IoT systems could affect the economy.

New Law

The proposed new law to make IoT devices more secure, put forward by Digital Minister Margot James, would do two main things:

  • Force manufacturers to ensure that IoT devices come with unique passwords.
  • Introduce a new labelling system that tells customers how secure an IoT product is.

The idea is that products will have to satisfy certain requirements in order to get a label, such as:

  • Coming with a unique password by default.
  • Stating for how long security updates would be made available for the device.
  • Giving details of a public point of contact to whom cyber-security vulnerabilities may be disclosed.

Not Easy To Make IoT Devices Less Vulnerable

Even though legislation could put pressure on manufacturers to try harder to make IoT devices more secure, technical experts and commentators have pointed out that it is not easy for manufacturers to make internet-enabled/smart IoT devices secure because:

Adding security to household internet-enabled ‘commodity’ items costs money. This would have to be passed on to the customer in higher prices, but this would mean that the price would not be competitive. Therefore, it may be that security is being sacrificed to keep costs down – sell now and worry about security later.

Even if there is a security problem in a device, the firmware (the device’s software) is not always easy to update. There are also costs involved in doing so which manufacturers of lower-end devices may not be willing to incur.

With devices which are typically infrequent and long-lasting purchases e.g. white goods, we tend to keep them until they stop working, and we are unlikely to replace them because they have a security vulnerability that is not fully understood. As such these devices are likely to remain available to be used by cybercriminals for a long time.

What Does This Mean For Your Business?

Introducing legislation that only requires manufacturers to make relatively simple changes to make sure that smart devices come with unique passwords and are adequately labelled with safety and contact information sounds as though it shouldn’t be too costly or difficult.  The pressure of having, by law, to display a label that indicates how safe the item is could provide that extra motivation for manufacturers to make the changes and could be very helpful for security-conscious consumers.

The motivation for manufacturers to make the changes to the IoT devices will be even greater when faced with the prospect of retailers eventually being barred from selling products that don’t have a label, as is the plan with this proposed legislation.

The hope from cybersecurity experts and commentators is that the proposal isn’t watered-down before it becomes law.

G7 Cyber Attack Simulation To Test Financial Sector

The G7 nations will be holding a simulated cyber-attack this month to test the possible effects of a serious malware infection on the financial sector.

France

The attack simulation was organised by the French central bank under France’s presidency of the Group of Seven nations (G7). The three-day exercise will be aimed at demonstrating the cross-border effects of such an attack and will involve 24 financial authorities from the seven countries, comprising central banks, market authorities and finance ministries. It has been reported that representatives of the private sector in France, Italy, Germany and Japan will also participate in the simulation.

Why?

As reported in March in a report by the Carnegie Endowment for International Peace (co-developed with British defence company BAE Systems), state-sponsored cyber attacks on financial institutions are becoming more frequent, resulting in destructive and disruptive damages rather than just theft.

The report highlighted how, of the 94 cases of cyber attacks reported as financial crimes since 2007, the attackers behind 23 of them were believed to be state-sponsored.  Most of these state-sponsored attacks are reported to have come from countries such as Iran, Russia, China and North Korea.

The report pointed out that the number of cyber attacks linked to nations jumped to six in 2018 from two in 2017 and two in 2016.

State-sponsored attacks can take the form of direct nation-state activity and/or proxy activity carried out by criminals and “hacktivists”.

State-Sponsored Attacks – Examples

An example of the kind of state-sponsored hacking that has led to the need for simulations is the attack by North Korean hackers on the Bank of Chile’s ATM network in January, the result of which was a theft of £7.5 million.

Also, in 2018 it was alleged that North Korean hackers accessed the systems of India’s Cosmos Bank and took nearly $13.5 million in simultaneous withdrawals across 28 countries.

As far back as 2016, North Korean hackers took $81 million after breaching Bangladesh Bank’s systems and using the SWIFT network (Society for Worldwide Interbank Financial Telecommunication). The perpetrators sent fraudulent money transfer orders to the New York branch of the U.S. central bank where the Dhaka bank has an account.

What Does This Mean For Your Business?

An escalation in state-sponsored attacks on bank systems in recent years is the real reason why, in addition to fending off cybercriminals from multiple individual sources, banks have noted an evolution of the threat which has forced them to focus on sector and system-wide risks.

As customers of banks, businesses are likely to be pleased that banks, which traditionally have older systems, are making a real effort to ensure that they are protected from cyber-attacks, particularly the more sophisticated and dangerous state-sponsored cyber-attacks.

Data Breach Report A Sharp Reminder of GDPR

The findings of Verizon’s 2019 Data Breach Investigations Report have reminded companies that let customer information go astray that they could be facing big fines, and damaging publicity.

The Report

The annual Verizon Data Breach Investigations Report (DBIR) draws upon information gained from more than 2,000 confirmed breaches that hit organisations worldwide, and information about more than 40,000 incidents such as spam and malware campaigns and web attacks.

Big Fines

The report reminds companies that although personal data can be stolen in seconds, the effects can be serious and can last for a long time. In addition to the problems experienced by those whose data has been stolen (who may then be targeted by other cybercriminals as the data is shared or sold), the company responsible for the breach can, under GDPR, face fines amounting to 4 percent of their global revenues if it has been judged to have not done enough to protect personal data or clean up after a breach.

Senior Staff Hit Because of Access Rights

It appears that senior staff are a favourite target of cybercriminals at the current time.  This is likely to be because of the high-level access that can be exploited if criminals are able to steal the credentials of executives. Also, once stolen, a senior executive’s account could be used to e.g. request and authorise payments to criminal accounts. The report also highlights the fact that senior executives are particularly vulnerable to attack when on their mobile devices.

Booby Trap Emails Less Successful

The report also states how sending booby-trapped emails (emails with malicious links) is proving to be less successful for cybercriminals now with only 3 per cent of those targeted falling victim, and a click rate of only 12 per cent.

What Does This Mean For Your Business?

The report is a reminder that paying attention to GDPR compliance should still be a very serious issue that’s given priority and backing from the top within companies, as one data breach could have very serious consequences for the entire company.

Senior executives need to ensure that there is a clear verification and authorisation/checking procedure in place that all accounts/finance department staff are aware of when it comes to asking for substantial payments to be sent, even if the request appears to come from the senior executives themselves via their personal email. Obtaining the credentials of senior executives can also mean that cybercriminals can operate man-in-the-middle attacks.

Executives and staff need to be aware that if a high-level email address has been compromised, the first thing they may know about it is when funds are taken, so cybersecurity training, awareness and policies need to be communicated to and carried out with all staff, right up to the top level.

The low level of booby trap emails being successfully deployed could be a sign that businesses are getting the message about email-based threats, or it could be that criminals are focusing their attention elsewhere.

Tech Tip – Free Online Presentation App ‘Zoho Show’

If you’d like an app that enables you to create and collaborate, publish and broadcast presentations from any device, quickly and easily, Zoho Show free online presentation software may be for you.

It offers many different themes and has a contextual user-focused interface that guides you through authoring slides, and it has animations and transitions to help set the tone of your presentation for your particular audience.

Zoho Show is available for Apple and Android and is compatible with PowerPoint.  Find more information online here https://www.zoho.com/show/ or download Show from iTunes or the Google Play store.

New AI Feature For Microsoft Word Online To Improve Your Writing

The new ‘Ideas’ feature, an AI-powered editor in the cloud for Microsoft Word is intended to provide intelligent suggestions to make your writing more concise, readable, and inclusive.

Ideas

The new ‘Ideas’ feature, which is already being used with PowerPoint and Excel, is likely to be a value-adding improvement on traditional grammar and spelling checks because it is designed to help with the reading and writing of (online) Word documents.

The feature, announced at Microsoft Build 2019 and scheduled for testing in June, will be able to follow along as you write, offer familiar fixes for spelling and grammatical errors, suggest improvements, detect nuances in language and even suggest rewrites for tricky phrases or clunky paragraphs.

The Ideas feature will also be able to help with the reading of Word documents by, for example, providing estimated reading times, extracting key points, and decoding acronyms using data from the Microsoft Graph.

British Company Wins Google Money For AI

It’s not just Microsoft that’s making the news this week for its ongoing pursuit of augmenting its products and services with AI and machine learning.

British fact checking company Full Fact has just been named among the 20 winners of Google’s AI Impact Challenge.  The award will mean that they will receive a share of 19.1 million dollars worth of Google investment as well as consultation help and mentoring from Google.  The AI Impact Challenge from Google asked for organisations to submit ideas on how to use AI to help address societal challenges.  For Full Fact, this involved ideas about how to use AI to combat the kind of misinformation that affects millions of people’s health, safety and ability to participate in society, and is considered by many to be a threat to democracy in many countries.

What Does This Mean For Your Business?

The addition of an AI-powered, cloud-based enhancement to Microsoft’s online version of Word is considered to be the next, more intelligent step onwards from enhancements like predictive text.  It also offers Microsoft a way to compete with popular grammar programs such as Grammarly, and it will be interesting to see how such companies respond to Microsoft’s ‘Ideas’ feature.

The ‘Ideas’ feature is likely to be particularly good news for journalists and other writers as it will presumably be able to make the low-level composing work a little easier and may be able to save time and add value to their work.  It may even help Microsoft reach its aim of enabling people to design documents for maximum readability, and in doing so, make the workday more productive for many people.

One area where AI is predicted to offer some real promise in the near future is in the (cloud-based) cyber security market. For example, the Visiongain ‘Artificial Intelligence in Cyber Security Market Report’ for 2019-2029 values the 2019 AI in cyber security market at $4.94bn. Cloud-based cyber security that incorporates AI could prove to be a cost-effective and affordable source of protection for SMEs and large enterprises.

Google Offers Auto-Delete of History After Three Months

Google is joining tech giants Facebook and Microsoft in offering users greater privacy over their data; for Google, this means giving its users the option to automatically delete their search and location history after three or eighteen months.

What’s The Problem?

According to Google, feedback has shown that users want simpler ways to manage or delete their data, and web users have become more concerned about their data privacy after several high-profile data breaches, most notably Facebook sharing 50 million of its users’ profiles with analytics company Cambridge Analytica back in 2014.

The Change

Google already offers tools to help users manually delete all or part of their location history or web and app activity.  The addition of the new tool, which is scheduled to happen “in the coming weeks” will enable users to set up auto-delete settings for their location history, web browsing and app activity.

With the new tool, users will be able to select how long they want their activity data to be saved for – three months or eighteen months – after which time Google says the data will automatically be deleted from the user’s account.

The new automatic deletion will be optional, and the manual deletion tools will remain.

Facebook and Microsoft

At the beginning of May, Microsoft announced several new features intended to improve privacy controls for its Microsoft 365 users, with a view to simplifying its data privacy policies.

Also, Facebook’s Mark Zuckerberg recently announced a privacy-focused road map for the social network.

Google’s Tracking Questioned

Back in 2018, the ‘Deceived By Design’ report by the government-funded Norwegian Consumer Council accused tech giants Microsoft, Facebook and Google of being unethical by leading users into selecting settings that do not benefit their privacy.

In November 2018, Google’s tracking practices for user locations were questioned by a coalition of seven consumer organisations who were reported to have filed complaints with local data protection regulators. Although Google says that tracking is turned off by default and can be paused at any time by users, the complaints focused on research by a coalition member who claimed that people are forced to use the location system.

Furthermore, research by internet privacy company DuckDuckGo in December 2018 led to a claim that even in Incognito mode, users of Google Chrome can still be tracked, and searches are still personalised accordingly.

What Does This Mean For Your Business?

The introduction of GDPR and high-profile data breach and privacy incidents such as the Facebook and Cambridge Analytica scandal have made us all much more aware about (and more protective of) our personal data and how it is collected, stored and used by companies and other organisations. It is no surprise, therefore, that feedback to Google showed a need for greater control and privacy by users, and the announcement of the new (optional) automatic deletion tool also provides a way for Google to get some good data privacy PR at a time when other tech giants like Facebook and Microsoft have also been seen to make data privacy improvements for their users.

Current details about how to manually delete your Google data can be found here https://support.google.com/websearch/answer/465?co=GENIE.Platform%3DDesktop&hl=en and the ‘My Activity’ centre for your Google account, where you will most likely be able to configure your automatic deletion settings, can be found here: https://myactivity.google.com/.

GDPR Says HMRC Must Delete Five Million Voice Records

The Information Commissioner’s Office (ICO) has concluded that HMRC has breached GDPR in the way that it collected the biometric voice records of users and now must delete five million biometric voice files.

What Voice Files?

Back in January 2017, HMRC introduced a system whereby customers calling the tax credits and Self-Assessment helpline could enrol for voice identification (Voice ID) as a means of speeding up the security steps. The system uses 100 different characteristics to recognise the voice of an individual and can create a voiceprint that is unique to that individual.

When customers call HMRC for the first time, they are asked to repeat the vocal passphrase “my voice is my password” up to five times to register before speaking to a human adviser. The recorded passphrase is stored in an HMRC database and can be used as a means of verification/authentication in future calls.

It was reported that in the 18 months following the introduction of the system, HMRC acquired 5 million people’s voiceprints this way.

What’s The Problem?

Privacy campaigners questioned the lawfulness of the system and in June 2018, privacy campaigning group ‘Big Brother Watch’ reported that its own investigation had revealed that HMRC had (allegedly) taken the five million taxpayers’ biometric voiceprints without their consent.

Big Brother Watch alleged that the automated system offered callers no choice but to do as instructed and create a biometric voice ID for a Government database.  The only way to avoid creating the voice ID on calling, as identified by Big Brother Watch, was to say “no” three times to the automated questions, whereupon the system still resolved to offer a voice ID next time.

Big Brother Watch highlighted the fact that GDPR prohibits the processing of biometric data for the purpose of uniquely identifying a person, unless there is a lawful basis under Article 6, and that because voiceprints are sensitive data but are not strictly necessary for dealing with tax issues, HMRC should request the explicit consent of each taxpayer to enrol them in the scheme (Article 9 of GDPR).

This led to Big Brother Watch registering a formal complaint with the ICO.

Decision

The ICO has now concluded that HMRC’s voice system was not adhering to the data protection rules and effectively pushed people into the system without explicit consent.

The decision from the ICO is that HMRC now must delete the five million records taken prior to October 2018, the date when the system was changed to make it compliant with GDPR.  HMRC has until 5th June to delete the five million voice records, which the state’s tax authority says it is confident it can do long before that deadline.

What Does This Mean For Your Business?

Big Brother Watch believes this to be the biggest ever deletion of biometric IDs from a state database, and privacy campaigners have hailed the ICO’s decision as setting an important precedent that restores data rights for millions of ordinary people.

Many businesses and organisations are now switching, or planning to switch, to biometric identification/verification systems instead of password-based systems, and this story is an important reminder that these are subject to GDPR. For example, images and unique voiceprint IDs are personal data that require explicit consent to be given, and people should have the right to opt out as well as to opt in.

Microsoft’s Move Away From Passwords Towards Biometrics

In a recent interview with CNBC, Microsoft’s Corporate Vice President and Chief Information Officer Bret Arsenault signalled the corporation’s move away from passwords on their own as a means of authentication towards biometrics and a “passwordless future”.

Passwords – Not Enough On Their Own

Many of us are now used to two-factor authentication, e.g. receiving a code via text or using apps such as Google Authenticator, as a more secure way of using passwords. Mr Arsenault also notes that hacking methods such as “password spraying”, where attackers attempt to access large numbers of accounts at once using some of the most commonly used passwords, are still effective and highlight the weakness of relying on passwords on their own. Mr Arsenault highlights how damaging this can be for businesses, where a hacker who obtains an employee’s password/identity can use it to gain access to a whole network. This is one of the reasons why many businesses, including Microsoft, are moving away from the whole idea of passwords.
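Password spraying, as described above, has a recognisable shape in authentication logs: one source fails against many distinct accounts while each account sees only a few failures, whereas single-account brute force is the reverse. The following detector is an added example written for this article, not Microsoft’s or anyone else’s tooling; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Tell password spraying apart from single-account brute force in auth logs.

Added example for this article (not from the original). Spraying = one source,
few failures per account, many distinct accounts. Brute force = one source,
many failures against one account. The line format below is constructed:
    <ISO timestamp> <OK|FAIL> user=<name> src=<ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 sprays six accounts then gets one hit,
# 198.51.100.9 hammers a single account, 192.0.2.44 is a normal user typo.
SAMPLE_LOG = """\
2019-05-10T09:00:01 FAIL user=alice src=203.0.113.7
2019-05-10T09:00:03 FAIL user=bob src=203.0.113.7
2019-05-10T09:00:05 FAIL user=carol src=203.0.113.7
2019-05-10T09:00:07 FAIL user=dave src=203.0.113.7
2019-05-10T09:00:09 FAIL user=erin src=203.0.113.7
2019-05-10T09:00:11 FAIL user=frank src=203.0.113.7
2019-05-10T09:00:13 OK user=grace src=203.0.113.7
2019-05-10T09:01:00 FAIL user=alice src=198.51.100.9
2019-05-10T09:01:02 FAIL user=alice src=198.51.100.9
2019-05-10T09:01:04 FAIL user=alice src=198.51.100.9
2019-05-10T09:01:06 FAIL user=alice src=198.51.100.9
2019-05-10T09:01:08 FAIL user=alice src=198.51.100.9
2019-05-10T09:01:10 FAIL user=alice src=198.51.100.9
2019-05-10T09:30:00 FAIL user=bob src=192.0.2.44
2019-05-10T09:30:05 OK user=bob src=192.0.2.44
"""


def parse_line(line):
    """Parse one constructed-format log line into a dict."""
    ts, result, user_field, src_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ok": result == "OK",
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def detect_spraying(log_text, window=timedelta(minutes=10), min_users=5):
    """Return (spray, brute).

    spray: {src_ip: set of usernames} for sources whose failures inside any
           `window`-long period touched at least `min_users` distinct accounts.
    brute: {src_ip: username} for sources with at least `min_users` failures
           against a single account inside the window.
    Thresholds are assumptions for this example; tune them to your own volume.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    failures_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures_by_src[e["src"]].append(e)
    spray, brute = {}, {}
    for src, fails in failures_by_src.items():
        start = 0  # sliding window over this source's time-ordered failures
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users:
                spray[src] = users
            elif len(users) == 1 and (end - start + 1) >= min_users:
                brute[src] = next(iter(users))
    return spray, brute


def successes_after_spray(log_text, spray):
    """Successful logins from a spraying source: the payoff of the attack,
    and the accounts a defender should treat as compromised until checked."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["ok"] and e["src"] in spray:
            hits.append((e["src"], e["user"]))
    return hits


if __name__ == "__main__":
    spray, brute = detect_spraying(SAMPLE_LOG)
    print("spraying sources:", {s: sorted(u) for s, u in spray.items()})
    print("brute-force sources:", brute)
    print("accounts to check:", successes_after_spray(SAMPLE_LOG, spray))
```

On the sample, the detector flags 203.0.113.7 as spraying six accounts and then succeeding on grace, and 198.51.100.9 as brute-forcing alice, while the ordinary failed-then-succeeded login from 192.0.2.44 raises nothing.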

Setting Example – Biometrics

Microsoft is one of the most-attacked companies in the world, and this, combined with reports of billions of password hack incidents worldwide, has driven the company to move beyond passwords.

For example, 90% of Microsoft’s 135,000 workforce can now log into the company’s corporate network without passwords using biometric technology such as facial recognition and fingerprint scanning via apps such as ‘Windows Hello’ and the ‘Authenticator’ app.

Also Uses Federated Cybersecurity

In addition to rejecting passwords for biometrics, Microsoft also uses a federated cybersecurity model.  This means that each Microsoft product has its own head of cybersecurity and that ethical hackers are actively encouraged to attack the company’s networks and products to test for flaws.

Scrapping Password Expiration Policies

Microsoft has announced that it is scrapping its password expiration policies in Windows 10, arguing that password expiration is an out-of-date method of data protection. Users will effectively no longer be forced to update their passwords every few months once the Windows 10 May 2019 Update has been rolled out.

Other Tech Companies Moving Away From Passwords

Other tech companies that are known to be moving away from passwords towards biometrics and other methods include Google, which has been testing USB key fobs that plug into customers’ computers and provide a second factor of authentication, and Cisco, which acquired dual-factor authentication start-up Duo in 2018.

What Does This Mean For Your Business?

As Microsoft points out, multi-factor authentication is more secure than relying on just a password for authentication, as password spraying and credential stuffing are widely in use and are still yielding good results for hackers.  As a recent National Cyber Security Centre (NCSC) survey has shown, many people still rely upon weak passwords, with ‘123456’ featuring 23 million times, making it the most widely-used password on breached accounts. There is a strong argument, therefore, for many businesses to look, as Microsoft is looking, towards more secure biometric methods of authentication, and towards a “passwordless future”.

Even though biometrics have been shown to make things incredibly difficult for cybercriminals, they have not proven to be 100% successful to date. For example, a Reddit user recently claimed to have used a 3D printer to clone a fingerprint and then used that fake fingerprint to beat the in-display fingerprint reader on a Samsung Galaxy S10. Also, there was the report of the Twitter user who claimed to have fooled the Nokia 9 PureView’s fingerprint scanner by using somebody else’s finger, and then just a packet of chewing gum, and of the incident back in May 2017 where a BBC reporter said that he’d been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.

There is no doubt that the move away from passwords to biometrics is now underway, but we are still in the relatively early stages.

First Organ Delivery By Drone

A human kidney for transplant has been delivered by drone to a Medical Centre in Baltimore in the first flight of its kind.

Cutting Edge Technology

The drone transportation of the living organ over a one-mile journey used cutting-edge technology in the form of an AI-powered drone that had been specifically designed to maintain and monitor the organ during the journey.  As well as having a specially designed compartment to keep the organ in the right condition for transplant, the drone had onboard communications and safety systems to enable a safe flight over densely-populated/urban areas, and a parachute recovery system in case the drone failed.

Collaboration

The drone’s creation was the product of a collaboration between the aviation and engineering experts at the University of Maryland (UMD), transplant specialists and researchers at the University of Maryland School of Medicine (UMSOM), and others at the Living Legacy Foundation of Maryland.  Joseph Scalea, assistant professor of surgery at University of Maryland School of Medicine (UMSOM) who was one of the surgeons who carried out the transplant has also acknowledged the collaborative efforts of the surgeons, engineers, the Federal Aviation Administration (FAA), the organ procurement specialists, the drone pilots, nurses at the hospital, and the patient.

Solves Problems

The ability to deliver transplant organs by drone addresses problems caused primarily by traffic, as identified by the United Network for Organ Sharing, which reported that in 2018 there were nearly 114,000 people on waiting lists, with 1.5% of organs not making it to their destination and nearly 4% being delayed by two hours or more.

Medical Sample Delivery Too

There has also been a recent report in North Carolina of a hospital, in partnership with UPS, using a drone delivery program to speed up the delivery of critical medical samples across a hospital campus, thereby cutting 41 minutes off the usual on-foot journey.

Potential

The fact that the organ drone flight and the transplant operation were safe and successful has led to the recognition of the potential of this method e.g. unmanned transportation of organs over greater distances, minimising the need for multiple pilots and flight time and addressing safety issues.

What Does This Mean For Your Business?

This world-first in organ transportation is an important first step in what could be (if proven to be safe and reliable over multiple flights) an important new technological improvement to the provision of life-saving medicine.

Business owners may also be thinking that if this can be done successfully with something as important and delicate as a human organ for transplant, this system could potentially be scaled up and used to ensure the fast, safe delivery of other items. Amazon, for example, has been testing delivery drones for parcels since 2013 with a view to making its ‘Prime Air’ service a regular reality in the future.

As shown by UPS’s involvement with medical sample delivery, other major delivery companies are also investing in drones and their potential to combat the challenges posed by traffic congestion and labour-intensive and time-consuming on-foot journeys.

Also, the US Federal Aviation Administration has just authorised Alphabet’s (Google’s) Wing Aviation to start delivering goods via drones later this year.  This is the first time that the FAA has granted an “air-carrier” the certification for drone delivery of items such as food, medicine, and other small consumer products.

Drone transportation is clearly moving forward and starting to prove that it offers great potential in many different sectors in the not-too-distant future.

Tech Tip – The JigSpace App

If you’d like to have the ability to instantly see a step-by-step interactive 3D breakdown of a complex idea, product, or phenomenon, so that you can understand exactly how it works, and be able to explain it (e.g. for a work or education project) then the JigSpace app could be for you.

The JigSpace app for iPhone and iPad is a platform to explore and share interactive, 3D ‘knowledge for anything’. When you ask, “How does that work?” the answer is right in front of you in … interactive 3D. The basic JigSpace app is available for free from Apple iTunes.