Author: Andy Miller

Serious Windows 7 Bug Reported

Google has warned those who are still using Windows 7 that they are at risk of hackers being able to take over their computer by exploiting the combination of a flaw in the Windows 7 OS and a flaw in Google’s Chrome browser.

Google Alert

The threat to Windows 7 comes from the combination of a flaw in the OS itself and a flaw in Google Chrome.  It was Google that announced the discovery of the zero-day vulnerability CVE-2019-5786 in Chrome.

A zero-day vulnerability is one that is already being exploited before the vendor (Google, in this case) has had any time to prepare a fix, i.e. zero days’ notice.  Here, Clement Lecigne, a security researcher at Google, discovered the vulnerability, which resides in the Chrome web browsing software and could affect all major operating systems, not just Windows 7.  Windows 7 is particularly exposed, being a 10-year-old OS in its final year of official support from Microsoft.

Details of the exact nature of the flaw in Google’s Chrome are not abundantly clear at this point, but it has been described as a use-after-free vulnerability in the FileReader component of the Chrome browser.  FileReader is a standard web API that enables web applications to asynchronously read the contents of files stored on a computer.  In practice, this means that the flaw in Google’s Chrome provides a way in for hackers, who can use it to transfer attack code from Chrome into other applications to help them compromise a machine.

The Windows 7 Side

The flaw in Windows 7 is reported to be in the very core components of the OS that are supposed to stop the data in one program from interacting with anything outside that application.

Combined

The combination of these two flaws means that hackers could use Google’s Chrome Browser to take over a computer running Windows 7.

What Can You Do?

The advice from security commentators is (unsurprisingly) to upgrade to Windows 10.  The advice from Google is to make sure that Google Chrome is up to date. You can do this by clicking on the three stacked dots (top right) in Chrome, selecting ‘Help’ and ‘About Google Chrome’, which takes you to the settings page chrome://settings/help.  If it says that you’re running Version 72.0.3626.121 (Official Build) you have the updated version.  If not, you need to update Chrome to the latest version.
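For administrators who want to verify this across several machines rather than clicking through on each one, the following is an added example (not from the original article): a Python script that parses a Chrome version string and compares it numerically with the 72.0.3626.121 build named above. On Windows it reads the version Chrome records in the per-user registry (assumption: the HKCU\Software\Google\Chrome\BLBeacon key, which Chrome writes on install and update); on any other system, or if that key is missing, you pass the version shown on chrome://settings/help as a command-line argument.

```python
"""Check whether a Chrome build is at or past the fixed version named in the article."""
import re
import sys

# The build the article names as the updated one.
FIXED_VERSION = "72.0.3626.121"


def parse_version(text):
    """Turn '72.0.3626.121' into the tuple (72, 0, 3626, 121).

    Comparing tuples of integers avoids the classic string-comparison bug
    where '9.0.0.0' would sort after '72.0.3626.121'.
    """
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    if not match:
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed build is the fixed version or anything newer."""
    return parse_version(installed) >= parse_version(fixed)


def installed_chrome_version_windows():
    """Read the version Chrome records in the per-user registry on Windows.

    Assumption: the key HKCU\\Software\\Google\\Chrome\\BLBeacon holds a
    'version' string. Returns None on other platforms or when the key is absent.
    """
    try:
        import winreg
    except ImportError:  # not running on Windows
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Google\Chrome\BLBeacon") as key:
            value, _ = winreg.QueryValueEx(key, "version")
            return value
    except OSError:  # key or value missing
        return None


if __name__ == "__main__":
    # Usage: python chrome_check.py [version]; without an argument, try the registry.
    version = sys.argv[1] if len(sys.argv) > 1 else installed_chrome_version_windows()
    if version is None:
        sys.exit("Could not determine the Chrome version; pass it as an argument.")
    status = "up to date" if is_patched(version) else "NEEDS UPDATE"
    print(f"Chrome {version}: {status} (fixed in {FIXED_VERSION})")
```

Comparing tuples of integers rather than the raw strings matters: as strings, “9.0.0.0” sorts after “72.0.3626.121”, and a check written that way would report a badly outdated browser as patched.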

What Does This Mean For Your Business?

According to Mr Lecigne, the Google security researcher, there is only evidence of active exploitation against Windows 7 32-bit systems, but it is alarming that a security flaw exists in the core elements of the OS. Since the real risk comes from the combination of the Chrome flaw and the Windows 7 flaw, updating Chrome, which only takes a matter of minutes, should provide protection (for the time being) from this risk, although it’s not possible to know what other zero-day bugs are waiting to be discovered.

This story shows the importance of keeping software up to date and patched, and is likely to put more pressure on those businesses still using Windows 7 to make the switch to Windows 10.  The fact is, though, that Windows 7 is still a popular operating system with 37% market share, and switching to Windows 10 has cost and time implications in terms of identifying any issues in individual environments and project planning.  The 14th Jan 2020 end of official support date for Windows 7, together with the public discovery of this kind of OS flaw, may now mean that businesses that have been holding out simply feel that it’s time to bite the bullet and start the shift to Windows 10.

Chatbot Supports Students

Lancaster University has announced that it has launched a chatbot “companion” for students which allows them to ask almost any question about their university experience, from student life, and welfare, to academic studies and more.

Ask L.U.

The chatbot service, called ‘Ask L.U.’, was built on Amazon Web Services’ voice technology and delivers a voice interface that interacts with users.

The chatbot companion was designed and built by Lancaster University’s Information Systems Services (ISS) and enhances the existing iLancaster mobile app with a range of student-focused voice services.

The chatbot project also includes special facilities for disabled students, developed in conjunction with the University’s Disability Service.

Asked Students

In order to make the chatbot as relevant as possible to students, the University’s developers surveyed Lancaster University students to gauge which questions they were most likely to ask. From this information, they were able to compile a list of more than 300 queries that could be divided into categories such as learning & teaching and campus activities & social.  All of these could then be put to Ask L.U.

Access

The chatbot can be accessed via the iLancaster App on mobile phones and tablets, or by asking “Alexa, Ask L.U.” on any Amazon Echo device.  Amazon Cognito is used to authenticate the user via the Echo, providing a completely personalised experience.

Whole Suite of AWS Used

The chatbot project uses the whole suite of AWS services, including AWS CloudWatch, AWS Virtual Private Cloud and AWS Elasticsearch.  The natural speech is provided by Amazon Lex and Amazon Alexa.

Fast and Convenient

The chatbot companion is intended to enable students to get information in a fast, easy and convenient way, and delivering information via voice activation fits in well with the packed academic and social lives of students.

Chatbots

Chatbots are now used by many organisations, in conjunction with AI, to help deal with common enquiries, to save costs and resources, to free-up time for human staff to work on other aspects of the business, and to enable businesses to offer 24-hour customer service.

There has been criticism of bots where transparency is lacking and where they may possibly lead users to believe that they are talking to a human.  This is why the state of California passed laws to make AI bots ‘introduce themselves’ (i.e. identify themselves as bots).

What Does This Mean For Your Business?

Many of us are now used to encountering chatbots on websites and voice-activated digital assistants, and this innovative new chatbot from Lancaster University shows how these new technologies can be put together in a value-adding, easy-to-access way that is compatible with its target market.  It may also enable the university to save time and money, free up valuable resources, and offer 24/7 help to student users.

Bearing in mind that it has been made at a University, it is also a good way of showcasing the technology skills of the university, and the voice activation aspect means that it has been built with an eye on the future.

This kind of chatbot could also have applications in many other businesses, organisations, venues, events, and experiences, and could help improve and support services where there are large numbers of users whose experiences could be enhanced by being able to get on-the-spot spoken answers to popular questions.

Tech Tip – Save Your Passwords Securely on Mobile Devices

If you’d like to be able to save all your login credentials in a secure and safe manner on your mobile device, an app like the ‘LastPass’ password manager may prove very helpful.  It’s one of many such apps, but it’s been rated highly.

LastPass is a ‘freemium’ model password manager that stores encrypted passwords online.

– Download the LastPass Mobile App from Google Play or Apple’s App Store.

– Follow the app instructions.

– Log in with the same LastPass account on each device to sync data between them; you can also unlock the LastPass app with your fingerprint for extra security.

There is a built-in random password generator so all your passwords can be different.

Your passwords can be stored and viewed in a secure vault, and the app offers autofill, secure sharing of passwords, password auditing, and the ability to keep digital notes alongside the passwords for, e.g., memberships, prescriptions, etc.

See https://www.lastpass.com for details.

New 1TeraByte (Yes, TeraByte) MicroSD Cards Launched

Both Micron and Western Digital’s SanDisk brand have announced at the Mobile World Congress that they are launching the first 1TB microSD cards.

A First

Up until now, companies haven’t been able to produce anything above 128GB, so the jump to a 1TB capacity card is a big one that could mean less reliance on the cloud for storage, and better performance from smartphones and other devices.

Micron

Micron Technology, Inc., the US global corporation based in Idaho, has announced the launch of the c200 1TB microSDXC UHS-I card, an innovative removable microSD card that boasts a terabyte of A2 grade storage with V30 certification.  This should mean that although it can seriously ramp up the performance of a smartphone, it could be suitable for any number of devices and gadgets.  The new card supports an (up to) 100MB/s read-write rate, which means that it can store up to 40 hours of 4K HDR video, thousands of 40MP+ photos, and mobile.

Micron reports that the new card leverages 96-layer 3D quad-level cell (QLC) NAND technology, thereby providing cost-effective storage for consumer electronic devices.

The Micron website says that the new c200 1TB microSD card “gives consumers the freedom to capture, share, store and enjoy more content while supporting their mobile-centric lifestyles.”

When For Micron?

Micron can only say that the new microSD card should be broadly available sometime in Q2 2019.

SanDisk

Western Digital’s SanDisk Extreme “microSDXC™ UHS-I” microSD card is available in both 512GB and 1TB capacities, and can reach speeds of up to 160MB/s with A2/V30 ratings.  It can be used in Android™ smartphones, action cameras and drones, and supports 4K UHD video recording, full HD video and high-resolution photos.

Also A2 rated, the card reads at up to a reported 160MB/s and writes at up to 90MB/s, thereby providing fast app performance on smartphones.  Its fast read speeds should mean that users can save a lot of time, e.g. when transferring high-resolution photos and video.

When For Sandisk?

Reports indicate that it will not be available until April, and as a guide, expect a price tag of $449.99 for the 1TB version, and $199.99 for the 512GB version.

What Does This Mean For Your Business?

The huge storage capacity and the speed of these new cards is, of course, good news in terms of versatility and flexibility, saving time, and requiring less reliance on moving and storing everything in the cloud. A card like this is, however, likely to set you back around £375 but you may decide that this is a price worth paying for the extra capacity, speed and convenience.

Although these two new cards are A2 standard, and so are suitable for running applications, most microSD cards are slower in practice than stated in the tech spec, and most devices don’t try to run applications from SD cards.  Also, being removable cards, they can still be lost or stolen, and could therefore be a data security risk depending on what you have stored on them, not to mention the expense of having to buy another one. You may decide that a fast, standard microSD card is still good enough, and that you’re prepared to keep relying upon secure cloud storage for most things.

It is also worth remembering that a new, super-fast SD Express standard, part of the wider SD 7.1 strategy, could soon be introduced, and could deliver read speeds of up to 985MB/s (if there were products that lived up to the standard).

Nest Locking Customers Out Over Suspected Security Breach

Nest Labs, the US manufacturer of smart home products, is reported to have been locking some customers out of their accounts over possible password breaches.

Nest

Nest Labs (founded by iPod inventor Tony Fadell and purchased by Google back in 2014) is a manufacturer of smart home gadgets, including thermostats, cameras, a video doorbell, a smoke and CO2 alarm, and the Nest Aware system where customers can monitor all activity at their home via an app.

What’s Happened?

Nest has recently been the subject of several hacks, e.g. there have been reports of Nest cameras being hacked, such as the family in Northern California who reported their camera giving a message (from hackers) warning them of a fictional North Korean missile attack.  Also, more recently in the US, on Super Bowl Sunday, a mother reported an unknown male hacker talking to her 5-year-old son through the Nest security camera in his bedroom.

Advice From Google

In the light of the increase in hacks, in the early part of February, Google emailed a warning to owners, urging them to secure their login credentials with measures such as two-factor authentication and stronger passwords. In the email, Google said that there hadn’t been a breach, but that it was simply reminding users that breaches are possible and that there are measures they can take to help protect themselves and get the most out of Nest products.

Google says that the recent reports of hacks are based on customers continuing to use compromised passwords i.e. passwords that have been exposed through breaches on other websites, and probably shared and sold-on among the hacking fraternity.

Locked Out

The account lock-outs that some customers are now experiencing appear to be strong reminders, from what is essentially a security service, to those who are known to be still using compromised passwords and who haven’t yet set up two-factor authentication, that now is the time to address these issues.
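The kind of check that sits behind a lock-out like this, as an added example that is not Nest’s or Google’s code: the password is hashed locally with SHA-1, only the first five hex characters of the hash are sent to the breach-corpus service, and the client compares the returned suffixes itself, so the service never learns the password or even its full hash (this mirrors the k-anonymity range-query scheme of the Pwned Passwords service, modelled locally here so the example runs offline). The breach corpus and its “seen” counts are constructed for the example, and the policy in account_action is an assumed one, not Nest’s.

```python
"""Check a password against a breach corpus without sending the password anywhere,
then apply an account policy like the lock-outs described above."""
import hashlib
import secrets

# Constructed sample breach corpus (not real breach data): password -> times seen.
# A real deployment would use a full breach data set served by hash prefix.
_SAMPLE_BREACHED = {"password": 3730471, "123456": 23597311,
                    "qwerty": 3912816, "letmein": 246129}


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the digest breach corpora are keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached):
    """Server side: group 35-character hash suffixes under their 5-character prefix."""
    index = {}
    for password, count in breached.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


INDEX = build_range_index(_SAMPLE_BREACHED)


def range_query(index, prefix):
    """Server side: return 'SUFFIX:COUNT' lines for every hash sharing the prefix.

    The server only ever learns five hex characters of the hash, so it cannot
    tell which of the (typically hundreds of) returned hashes the client cares about.
    """
    return [f"{suffix}:{count}" for suffix, count in sorted(index.get(prefix, {}).items())]


def breach_count(password, index=INDEX):
    """Client side: query by prefix, compare the remaining 35 characters locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(index, prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def account_action(password, has_2fa, index=INDEX):
    """Assumed policy (not Nest's): a known-breached password is tolerated only
    briefly when 2FA is present; without 2FA the account is locked until the
    password is changed and 2FA is enabled."""
    if breach_count(password, index) == 0:
        return "ok"
    return "warn_and_require_reset" if has_2fa else "lock_until_reset_and_2fa"


if __name__ == "__main__":
    fresh = secrets.token_urlsafe(16)  # a random password that will not be in the corpus
    for pw, twofa in (("password", False), ("password", True), (fresh, False)):
        print(f"{pw!r:>28} 2FA={twofa!s:<5} seen={breach_count(pw):>9} -> {account_action(pw, twofa)}")
```

SHA-1 is fine here because the hash is only a lookup key into a public corpus, not a stored credential; the protection comes from the prefix-only query, not from the hash’s strength.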

One added bit of motivation to do so could be the relatively high monthly fees for Nest products and services that customers will be paying for nothing if they don’t act now.

Other Troubles

Nest has also found itself in hot water recently after it was discovered that a “secret” microphone is incorporated in Google’s Nest Guard product that had not been listed in the product’s tech spec.  This has led to a serious backlash, and calls from a Senator for action to be taken to help protect users from the privacy and security threat that some smart products can pose.

What Does This Mean For Your Business?

Even though these are security related products, their basic protection has been through the use of passwords.  Due to the number of hacks of other sites, and the fact that people often use the same password for multiple sites, and due to the bizarre and terrifying nature of some of the hacks of Nest speakers, it is not a surprise that the company is taking strong action to try and force users to set up a secure, new password, and the extra security layer of 2FA.

This story is a reminder that it is not a good idea to use the same passwords on multiple websites, as hackers now have software to enable them to quickly try the same password details in multiple websites (credential stuffing).
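Credential stuffing leaves a recognisable trace in authentication logs: one source address trying many different usernames in a short time, usually each only once, rather than one username tried repeatedly. The following added example (not part of the original article) runs that detection over a small constructed log and then lists the accounts that were successfully logged into from a flagged address, which are the ones whose reused passwords need resetting; the log format and the thresholds are assumptions made for the example.

```python
"""Flag source IPs that try many different usernames in a short window: the
signature of credential stuffing, as distinct from one user mistyping a password."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system); the line
# format is an assumption made for this example.
SAMPLE_LOG = """\
2019-03-08T10:00:01Z ip=203.0.113.10 user=alice result=FAIL
2019-03-08T10:00:02Z ip=203.0.113.10 user=bob result=FAIL
2019-03-08T10:00:02Z ip=203.0.113.10 user=carol result=FAIL
2019-03-08T10:00:03Z ip=203.0.113.10 user=dave result=SUCCESS
2019-03-08T10:00:03Z ip=203.0.113.10 user=erin result=FAIL
2019-03-08T10:00:04Z ip=203.0.113.10 user=frank result=FAIL
2019-03-08T10:00:09Z ip=198.51.100.7 user=alice result=FAIL
2019-03-08T10:00:15Z ip=198.51.100.7 user=alice result=FAIL
2019-03-08T10:00:20Z ip=198.51.100.7 user=alice result=SUCCESS
2019-03-08T10:30:00Z ip=192.0.2.44 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_log(text):
    """Return (timestamp, ip, user, success) tuples, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, match["ip"], match["user"], match["result"] == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Map each suspicious IP to the sorted distinct usernames it tried.

    An IP is suspicious when it attempts at least `min_users` different accounts
    inside any `window`-long period. A single account retried many times is a
    brute force or a forgetful user, not stuffing, and is deliberately not flagged.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, _ in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until the span fits within `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {user for _, user in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted({user for _, user in attempts})
                break
    return flagged


def likely_compromised(events, flagged):
    """Accounts that logged in successfully from a flagged IP: these credentials
    were almost certainly reused from another site's breach and need a reset."""
    hits = defaultdict(set)
    for _, ip, user, success in events:
        if success and ip in flagged:
            hits[ip].add(user)
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    flagged = detect_stuffing(events)
    for ip, users in flagged.items():
        print(f"{ip}: {len(users)} distinct accounts tried: {', '.join(users)}")
    for ip, users in likely_compromised(events, flagged).items():
        print(f"{ip}: successful logins for {', '.join(users)} -> force password reset")
```

The per-IP window is deliberately simple. Stuffing tools that spread attempts across many source addresses, or slow them down, will stay under a threshold like this one, so in practice the signal is combined with others, such as a site-wide rise in failed logins or a successful login from an address and device an account has never used before.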

Although 2FA does add another relatively solid layer of security to online accounts, Google (Nest) has said that it is also considering new security measures to prevent this kind of hacking from happening with Nest’s products again.

Response To Freedom of Information Requests Concerning Brexit Involves ICO

Two government departments and a Kent-based Brexit planning group are reported to have given local councils advice on how to avoid releasing information about no-deal Brexit plans, prompting the UK Government and the ICO to intervene.

What Happened?

Kent Online reported that at the end of January, a leaked report showed that local councils were being given advice about how to handle Freedom of Information requests relating to the councils’ work and plans towards a no-deal Brexit, in a way that would not cause public harm.

It has been alleged that the threat of a no-deal Brexit situation has led to an increase in the number of FOIA requests that councils receive about their plans for it, but that certain government departments and others may have sought to manage the amount of information making its way into the papers by issuing tips on how to keep emergency plans secret.

A blanket approach of this kind would go completely against FOIA laws.

Who?

According to Kent Online, the leaked report came from the Kent Resilience Forum, which is a group co-ordinating the strategy in the county for how it would deal with disruption in the event of a no-deal Brexit. Guidance issued by the Department for Exiting the EU (DExEU) was also cited in the report, as was guidance by the Cross-Border Delivery Group.

What Kind of Guidance?

The ‘guidance’ in question, mentioned in the leaked report, is alleged to include:

  • The DExEU suggesting that councils and other organisations should refuse FOIA requests in relation to their emergency planning and, in some circumstances, that they should not confirm whether they hold information.
  • Guidance from the DExEU leading to emergency services and councils being given a ready-made template for FOIA requests on Brexit plans.
  • Local Resilience Forums or individual partner organisations being told to argue that disclosure would not be in the public interest as it “would undermine the effective conduct of public affairs”.
  • Guidance that has led to the government tying ports to non-disclosure agreements, which prevent them from releasing any details about their discussions. Recommendations from the Cross-Border Delivery Group mean that while port authorities can share information with other organisations, these non-disclosure agreements are in effect for general disclosure to the public domain.

ICO Involved

The idea that FOIA requests could be treated in this way has prompted the involvement of the Information Commissioner’s Office. It has been reported that the ICO’s director of FoI, Gill Bull, has written to DExEU, the local government department, and the Kent Resilience Forum to express the ICO’s concern about the guidance.

The Council Says…

Kent Council has said that “We are keen to provide our partners with advice on how they can prepare for a worst-case EU Exit scenario”. The council has also said that it will soon be issuing an updated partner pack without the previous FOIA guidance.

The Government Says…

It has been reported that a government spokesperson has said that the original advice has now been revised, and new, updated guidance has now been issued.

What Does This Mean For Your Business?

Brexit is a complicated and divisive subject, but a Freedom of Information request is an important legal right in the UK that allows for greater transparency in the way that companies and organisations operate, and each FOIA request should be considered individually.  It is worrying that advice should be given by government departments and other organisations, supposedly in the public interest, that appears to go against the Freedom of Information Act by suggesting that some kind of blanket response designed to withhold information should be applied. Businesses would not be able to behave this way without being held to account in a very damaging way, and it is understandable, therefore, that the ICO has stepped in.

Potential £1 Million Court Bill Over £1 Uber Receipt

A millionaire barrister who raised crowdfunding money to fight ride-sharing company Uber in court over a £1.06 VAT receipt has lost attempts to limit his court costs liability and could face a £1 Million legal bill.

What Happened?

The initial reason given for tax lawyer Jolyon Maugham QC bringing the case against Uber was that he was not given a VAT receipt for £1.06 for his £6.34 taxi journey, which he could have reclaimed from HMRC as a business expense, and that Mr Maugham QC believed that Uber was undercharging VAT on its taxi services.

However, as commentators have noted, there may be a wider angle to this story, as the barrister accepted that the VAT receipt amount he sought was trivial and that the case may be more about establishing whether Uber as a company is subject to VAT.  If Uber is found to be subject to VAT, Mr Maugham QC’s action could trigger a £1bn VAT bill against Uber.

More Than Half Raised From The Black Cab Trade

Even though Mr Maugham QC managed to raise £107,650 to bring the case, one of the factors that appears to have influenced Mr Justice Trower’s rejection of Mr Maugham QC’s attempt to shield himself from the £1M legal bill and his attempt to appeal against the rejection is the proportion of money raised from the black cab trade to fight Uber. For example, the judge pointed out that “well in excess of 50%” of the crowdfunding money came from the black cab trade, and this included a donation of £20,000 from just one unidentified black cab source.

Income A Factor

Even though Mr Maugham QC wanted to limit his legal costs liability to £20,000 in the High Court case he brought against Uber, some commentators have noted that Mr Maugham QC’s alleged net annual income of £400,000, and his ownership of two properties may also have been a factor in the judge deciding not to stop Uber from recovering its estimated £1 million legal costs if it wins the main case.

The VAT Argument

This case was originally intended to focus on VAT, and one thing it has done is to shine a light on an argument about whether it is the individual Uber drivers who need to be VAT registered to give a VAT receipt, or whether Uber now has a large VAT liability.

What Does This Mean For Your Business?

The case was originally based on an assertion that Uber may be undercharging VAT on the taxi services it offers, that HMRC may be treating big US multinationals such as Uber with kid gloves, and an allegation that Uber could be thought by some to have a business model that’s designed to minimise its tax liability and to minimise the workers’ rights that it has to offer to its drivers.

According to Jolyon Maugham QC, in his statement via the Good Law Project, the decision to reject his attempt to limit his liability for legal costs could be seen as an example of how corporations can use the threat of costs liability to dodge legal accountability, thereby making it difficult for other individuals or organisations to hold them to account.

Although Mr Maugham QC’s personal income and property assets may have had a bearing on the Judge’s decision not to grant him protection from an estimated £1 million legal bill if Uber wins, the outcome could also send a warning to businesses that taking on a big company/corporation in court could be make or break and could have serious financial implications.

New, Free Windows 10 Microsoft Office App Launched

Microsoft has announced the launch of its new “Office” app for Windows 10 which is an update to the former My Office app, will come preinstalled on Windows 10 machines and will provide access to an online version of Office for those who don’t have a subscription for Office 365.

Simply “Office”

The new, free app, simply named “Office”, can be used with ‘almost’ any version of Microsoft Office.  This means that those who do have a 365 subscription and have Microsoft’s apps installed on their device can open Office from the Office app, and those who don’t have a subscription will be automatically directed to the online version.  Like Google Drive, this online version features the user’s recent documents on the home screen, which is in keeping with the idea that users should be able to find what they want quickly. Users can also share files with each other and can find content relevant to them but created by colleagues within their organisation.

Features

The new app includes helpful features such as tutorials and tricks for Microsoft’s apps and services, and users can see every Office app available to them by clicking on “Explore all your apps”.

Office also allows customisation so that businesses can brand it. Users also have access to third-party apps and Microsoft Search.

When and How?

Microsoft says that the Office app will become available to users on a rolling basis over the next few weeks and that it will be installed automatically as an update to the MyOffice app, which comes pre-installed as part of Windows.

You can search for “Office” in the search bar of the Windows start menu to open the app. The new app can also be downloaded from the Microsoft Store if needed.

Users can sign in to the app with their work, school, or free personal Microsoft Account to get started.

The Office app should work with any Office 365 subscription, Office 2019, Office 2016, and Office Online (the free web-based version of Office).

What Does This Mean For Your Business?

Launching this Office app is a way of Microsoft being able to publicise, raise awareness about, and get more people using its free online versions of Office.

The app, which also allows Microsoft to compete with its rival Google Drive, should be quite appealing to business users thanks to features such as the ability to customise and brand it, the fact that it allows access to third-party apps using AAD (Azure Active Directory) through the Office app, and the Microsoft Search feature that works across the organisation in addition to the user’s own apps and documents.

Having a free Office app that’s available without the need for an Office 365 subscription will also help address the problem of a mistaken assumption from many people that Office simply comes as part of Windows.

Tech Tip – How To Disable Ad Tracking In Windows 10

Although many websites say they rely upon ad-revenue to provide free content, and some ads can be relevant, as web users we may still feel uneasy about allowing our online behaviour to become tracked, and too many ‘interest-based’ targeted adverts can be annoying and disruptive.  There is an easy way in Windows 10 to disable advertising ID/‘interest based’ adverts.  Here’s how:

– In Windows search (bottom left), type ‘Privacy’ and go to ‘Privacy Settings’.

– In the ‘General’ section on the right-hand side of the window, turn off the first option relating to your advertising ID.

– For a higher level of ad blocking, go to the Microsoft Privacy Ad Settings page and disable interest-based ads on the browser, Windows and Microsoft account level. This should prevent your online behaviour from being tracked by marketers but will still enable you to see some generic adverts.

New York’s Governor Orders Investigation Into Facebook Over App Concerns

The Governor of New York, Andrew Cuomo, has ordered an investigation into reports that Facebook Inc may be using apps on users’ smartphones to collect personal information about them.

Alerted By Wall Street Journal

The Wall Street Journal prompted the Governor to order New York’s Department of State and Department of Financial Services (DFS) to investigate Facebook when the paper reported that Facebook may have more access than it should to data from certain apps, sometimes even when a person isn’t even signed in to Facebook.

Health Data

It has been reported that the kind of data that some apps allegedly share with Facebook includes health-related information such as weight, blood pressure and ovulation status.

The alleged sharing of this kind of sensitive and personal data, whether or not a person is logged in to Facebook, prompted Governor Cuomo to call such practice an “outrageous abuse of privacy.”

Defence

Facebook’s defence against these allegations, which appears to have prompted a short-lived but noticeable fall in Facebook’s share value, was to point out that WSJ’s report focused on how other apps use people’s data to create ads.

Facebook added that it requires other app developers to be clear with their users about the information they are sharing with Facebook and that it prohibits app developers from sending sensitive data to Facebook.

The social media giant also stressed that it tries to detect and remove any data that should not be shared with it.

Lawsuits Pending

This appears to be just one of several legal fronts where Facebook will need to defend itself.  For example, Facebook is still facing a U.S. Federal Trade Commission investigation into the alleged inappropriate sharing of information belonging to 87 million Facebook users with now-defunct political consulting firm Cambridge Analytica.

Apple Also Accused By Governor Over FaceTime Bug

New York’s Governor Cuomo and New York Attorney General Letitia James have also announced an investigation into Apple Inc’s alleged failure to warn customers about a bug in its FaceTime app that could inadvertently allow eavesdropping, as iPhone users were able to listen to the conversations of others who had not yet accepted a video call.

DFS Involvement

The Department of Financial Services (DFS), which is one of the two agencies that have been ordered to investigate this latest Facebook app sharing matter has only recently begun to get more involved in digital matters, particularly by producing the country’s first cybersecurity rules governing state-regulated financial institutions such as banks, insurers and credit monitors.

Some commentators have expressed concern, however, about the DFS saying last month that DFS-regulated life insurers could use social media posts in underwriting their policies, on the condition that they did not discriminate based on race, colour, national origin, sexual orientation or other protected classes.

What Does This Mean For Your Business?

You could be forgiven for thinking that after the scandal over Facebook’s unauthorised sharing of the personal details of 87 million users with Cambridge Analytica, Facebook may have learned its lesson about the sharing of personal data and may have tried harder to uncover and plug any loopholes that could allow this to happen. The tech giant still has several lawsuits and regulatory inquiries over privacy issues pending, and this latest revelation about the sharing of very personal health information certainly won’t help its cause. Clearly, as the involvement of the DFS shows, there needs to be more oversight of (and investigation into) apps that share their data with Facebook, and possibly more legislation and regulation of the smart app / smart tech ecosystem.

There are ways to stop Facebook from sharing your data with other apps via your phone settings and by disabling Facebook’s data sharing platform.  You can find instructions here: https://www.techbout.com/stop-facebook-from-sharing-your-personal-data-with-other-apps-37307/