Author: Andy Miller

New Australian Law Gets The Thumbs-Down From Tech Firms

In Australia, a new draft bill proposing ways for tech firms, software developers and others to assist security agencies and police has been given the thumbs-down by a major industry group over its ambiguity, and the potential security risks it could create.

What Bill?

The new “Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018” is a Bill for an Act to amend the law relating to telecommunications, computer access warrants and search warrants, and for ‘other purposes’.

The bill proposes that a ‘technical assistance request’ may be given to a tech company, e.g. a social media or chat app provider, asking it to offer ‘voluntary’ help in the form of ‘technical assistance’ to the Australian Secret Intelligence Service or an ‘interception agency’, with a view to enforcing (or helping to enforce) the criminal law, protecting the public revenue, and/or acting in the interests of Australia’s national security, foreign relations or economic well-being.

What Kind of Technical Assistance?

In essence, those who have interpreted and reacted publicly to the contents of the bill have taken it to mean that, as part of the Australian government’s fight against the criminal use of end-to-end encrypted communications, tech firms will be asked to build weaknesses (‘back doors’) into their products and services that would enable government monitoring.

For example, the UK government (under then Home Secretary Amber Rudd) was seeking ‘back door’ access to encrypted apps such as Facebook’s WhatsApp on the grounds that terror suspects were known to have used it for communication prior to the Westminster attack. At the time, WhatsApp refused to co-operate on the grounds that end-to-end encryption prevented even its own technicians from reading people’s messages.

WhatsApp has also been blocked three times in Brazil for failing to hand over information relating to criminal investigations.

Worked In Germany

Presumably, and ideally, the new bill would be used in Australia in the way that has been reported from Germany, where law enforcement agencies were reportedly able to access messages on the encrypted messaging app ‘Telegram’ via a back door, enabling them to foil a planned suicide attack on a Christmas market in 2016. Telegram is not a German app, and the account of how that access was obtained has not been confirmed by the company, so it should be treated with some caution.

Digi Objects

The loudest critic of the new Bill in Australia has been the Digital Industry Group (known as ‘Digi’), whose members include Facebook, Google and Twitter. Their main arguments against the bill are that it is ambiguous and lacks judicial oversight, and that building any back door for government agencies into an encrypted service also creates access that criminals can exploit. The big social media tech firms say, for example, that building such potential vulnerabilities into their services could not only leave the majority of their customers vulnerable to attack for the sake of catching a minority, but could also undermine the essential trust in their services.

What Does This Mean For Your Business?

Privacy, security, and freedom from unnecessary surveillance are valued by individuals and businesses, but national security is also an issue, and one that affects the wider economy. The bill from the Australian government is the latest in a long line of similar requests that the big tech companies are facing from governments around the world, and the conundrum is the same each time. Tech companies are private businesses whose services allow users to share personal data, and they need the trust of their users that privacy and security will be preserved; yet governments would like access to those private conversations, hopefully just for national security purposes. Once a back door is built into an end-to-end encrypted service, that service is no longer really secure, and all users could potentially be at risk, since the same access path is available to anyone who discovers or steals it. Bills suggesting that help by tech firms would be ‘voluntary’ are also likely to mean that failure to comply voluntarily would have negative consequences for tech firms (e.g. fines).

As freedom and privacy groups would point out, there is also some mistrust over government motives for accessing more of our private conversations and details, and in the wake of the Facebook / Cambridge Analytica scandal for example, there are questions about just who else our details and private conversations and opinions could be shared with and how that could be used. It is also a fact that governments tend not to like communications tools and currencies (e.g. Bitcoin) that they can’t access, control, or regulate.

The ‘big brother’ element to bills like these worries citizens in all countries, and some tech companies, which are certainly not blameless (e.g. on user tracking and data sharing activities) are likely to try and hold out as long as possible from publicly being seen to be co-operating with any wide-scale government surveillance.

Facebook Uses Scoring System To Manage Misinformation

It has been reported that Facebook allocates a trustworthiness score to some members to help it manage misinformation issues such as some members continually flagging / reporting stories as fake if they don’t agree with the content.

Score?

It is not publicly known exactly how the score is arrived at, but it has been reported recently in the Washington Post that Facebook’s ‘Misinformation Team’ will be making use of the metric, a system that has taken a year to develop.

Why?

It is understood that the system, which Facebook denies amounts to a reputation score, is part of an initiative announced 2 years ago to find a way to deal with issues around fake news and fighting misinformation.

These include both making news with dubious / fake content appear lower in users’ news feeds, and stopping people from indiscriminately flagging news as fake in order to control and influence news and opinions.

Repeat Flaggers In The Spotlight

The scoring system will have a focus on stopping some Facebook members from simply flagging / reporting stories they don’t agree with.

Some commentators have speculated that this part of the scoring system works by correlating any false news reports with the decisions of independent fact-checkers, and by giving higher scores (and presumably higher news feed positions) to a user who makes a single complaint that is substantiated, than to a user who makes lots of complaints, only some of which are substantiated.

Not The First Time

Facebook is not the first or only platform to use such scoring systems for members. For example, Uber gives riders a rating based on the scores drivers have given them, Twitter has been reported as having used a reputation score to help recommend which members to follow, and a pilot scheme in China is allocating a social credit score to citizens based on their online behaviour.

Criticism

The Facebook scoring system has been criticised by some people who say that Facebook’s own trustworthiness is unregulated, that the scoring system is automated and not transparent, and that it could amount to another way of Facebook using people’s data in a way they may not expect or want (bearing in mind the Facebook / Cambridge Analytica scandal).

What Does This Mean For Your Business?

We are used to the idea that decisions that affect businesses are made using algorithms and automatic scoring systems, e.g. search engine rankings. If the new Facebook scoring system works as it should and for the purpose that Facebook has stated, then it may contribute to better management of misinformation, which can only benefit the economy and businesses.

Unfortunately, how Facebook can be trusted to use our data behind the scenes is a sore subject at the moment, and it could be said that mistrust of Facebook and its motives with this move is expected and healthy. Since the Cambridge Analytica revelations, and findings that Facebook was used to distribute dubious, politically influential posts of Russian origin in the run-up to the US election, Facebook has to at least be seen / reported to be doing more to manage misinformation on its platform.

Unfortunately for Facebook, the scoring system is unlikely to appeal to President Trump, who has warned that it is dangerous for tech / social media companies such as Facebook to regulate themselves. Some commentators have suggested that this concern is partly based on a fear that conservative voices may be silenced by such measures.

Superdrug Customers Informed of Hack

Superdrug is reported to have advised online customers to change their passwords after it was targeted by hackers who claim to have stolen the details of approximately 20,000 Superdrug customers.

Hundreds Compromised – Could Be More

To date, Superdrug has confirmed that 386 customer accounts are known to have been compromised, but that it is still working to try to establish the exact number. It is possible, therefore, that the number could be many more.

Contacted By Hackers

Superdrug is reported to have been contacted by a person representing a hacking group and claiming to have hacked its systems, and this person provided stolen customer information as proof. Superdrug was able to confirm the authenticity of the information against its own records of customer email and log-in details. The hacker is reported to have claimed that the details belonging to 20,000 customers were stolen, and has asked Superdrug for a ransom.

May Have Got From Elsewhere

Even though the assumption is that the mystery hackers got into Superdrug’s systems to get the customer data, Superdrug is claiming this is not the case and that the hackers obtained the customer login details from breaches of other websites and then used those credentials to access accounts on the Superdrug website. This technique, known as credential stuffing, relies on people reusing the same email address and password across sites: the attacker replays large lists of leaked username/password pairs against a login form and keeps whichever ones work. From the site operator’s side it typically shows up as a burst of login attempts spread across many different accounts from a small number of sources, most of which fail.
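As an added example (not Superdrug’s code, and the log lines are constructed for the illustration), the following Python shows the kind of detection logic a site operator can run over web login logs to spot the credential-stuffing pattern described above: a source that tries many distinct accounts with a high failure rate. The log format (timestamp, source IP, username, outcome) and the thresholds are assumptions; accounts that were successfully logged into from a flagged source are the ones that need a forced password reset.

```python
"""Credential-stuffing detector over login logs (constructed sample data)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <source ip> <username> <OK|FAIL>".
# 203.0.113.7 replays leaked credentials against eight different accounts,
# 198.51.100.2 is an ordinary user who mistyped once, 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2018-08-20T10:00:01Z 203.0.113.7 u1@example.com FAIL
2018-08-20T10:00:02Z 203.0.113.7 u2@example.com FAIL
2018-08-20T10:00:02Z 203.0.113.7 u3@example.com FAIL
2018-08-20T10:00:03Z 203.0.113.7 u4@example.com FAIL
2018-08-20T10:00:03Z 203.0.113.7 dave@example.com OK
2018-08-20T10:00:04Z 203.0.113.7 u6@example.com FAIL
2018-08-20T10:00:04Z 203.0.113.7 u7@example.com FAIL
2018-08-20T10:00:05Z 203.0.113.7 u8@example.com FAIL
2018-08-20T10:05:00Z 198.51.100.2 alice@example.com FAIL
2018-08-20T10:05:09Z 198.51.100.2 alice@example.com OK
2018-08-20T10:07:00Z 192.0.2.9 carol@example.com OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<user>\S+) (?P<outcome>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters used for the stuffing heuristic."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successful_users: set = field(default_factory=set)


def parse(lines):
    """Yield parsed records; malformed lines are skipped rather than crashing the job."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def aggregate(records):
    """Group attempts by source IP."""
    stats = defaultdict(SourceStats)
    for r in records:
        s = stats[r["ip"]]
        s.attempts += 1
        s.users.add(r["user"])
        if r["outcome"] == "FAIL":
            s.failures += 1
        else:
            s.successful_users.add(r["user"])
    return stats


def flag_stuffing(stats, min_users=5, min_failure_rate=0.7):
    """A source trying many distinct accounts and mostly failing is treated as stuffing.
    Thresholds are assumptions for the demo; tune them to your own traffic."""
    return {
        ip: s
        for ip, s in stats.items()
        if len(s.users) >= min_users and s.failures / s.attempts >= min_failure_rate
    }


def accounts_to_reset(flagged):
    """Accounts that a flagged source logged into successfully: the credentials worked,
    so those users reused a leaked password and need a forced reset."""
    hit = set()
    for s in flagged.values():
        hit |= s.successful_users
    return sorted(hit)


def run_demo(log_text=SAMPLE_LOG):
    stats = aggregate(parse(log_text.splitlines()))
    flagged = flag_stuffing(stats)
    return flagged, accounts_to_reset(flagged)


if __name__ == "__main__":
    flagged, resets = run_demo()
    for ip, s in flagged.items():
        print(f"{ip}: {len(s.users)} accounts, {s.failures}/{s.attempts} failed")
    print("force reset:", resets)
```

Grouping by source IP is the simplest signal and is what the constructed sample exercises; real stuffing campaigns are usually spread across proxy networks, so in practice the same counters are also kept per ASN, per user-agent and globally (a site-wide jump in failed logins against distinct accounts), and successful logins from flagged sources are checked against lists of known-breached credentials before deciding which users to notify.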

What Kind of Details?

Superdrug has said that, of the compromised accounts that it knows about, names, addresses, some dates of birth, and some telephone numbers may have been stolen, but that no customer payment card details have been accessed.

Actions

Superdrug has said that it has contacted the Police and Action Fraud (the UK’s national reporting centre for fraud and cyber crime) and is offering them all the information they need for an investigation.

Informed Customers

Those customers whose accounts had been compromised were sent an email by Superdrug explaining the situation, asking them to change their passwords, and advising them to change them regularly in future.

Anger Over Tweet

A tweet sent by Superdrug to confirm that the emails received by affected customers were genuine provoked anger, mostly because it failed to include an apology.

What Does This Mean For Your Business?

Although exact numbers of those affected and exact details of how customer data was obtained and accounts accessed have not yet been confirmed, the fact is that at least several hundred customers of a trusted high street brand have ended up being victims of crime, and Superdrug has (at the very least) a PR battle on its hands.

Sadly, Superdrug is one of many well-known companies with data breaches that have made the headlines, affected many customers, and damaged their own company reputations. For example, a Dixons Carphone breach from last year saw the theft of 10 million customer records.

Not just because of possible fines under GDPR, businesses and organisations should be putting customer data protection very high on their list of priorities. Strong data security policies, procedures, practices and defences protect the customer, the company and its reputation, and the vital bond of trust between merchant and customer, and they send a message that customer security concerns are taken seriously. If Superdrug’s account of the attack is right, the practical lessons are also worth noting: credential stuffing only works where passwords are reused, so the advice to customers that matters most is to use a unique password for each site (ideally via a password manager), while the merchant-side defences are rate limiting and monitoring of login attempts, screening new and existing passwords against known-breached credential lists, and offering two-factor authentication.

Apple iPad Battery Gas Leak – Shop Evacuated

The leaking of vapours from a damaged iPad battery led to an Amsterdam shop being evacuated and 3 staff being treated for breathing problems caused by the released gas.

Fire Brigade Called

Although the fire brigade was called and attended, there were no reports of any actual flames / fire coming from the affected iPad. Staff had, however, initially reacted to the smoking iPad by putting it in a sand-filled fire bucket.

Incidents of Similar Faults

Reports online indicate that similar faults have occurred elsewhere since Apple started its iPhone battery replacement programme, e.g. as reported on the Apple news site 9to5mac. Some reports indicate that Apple stores in Switzerland, Spain and Hong Kong have been evacuated, and medical incidents reported, this year due to iPhone batteries combusting or giving off fumes.

While details are patchy, the insinuation by some commentators has been that the incidents involved the batteries of phones that had been brought into the shop as part of the battery replacement programme.

There have, for example, been reports from 3 years ago of old batteries giving off smoke if pierced during replacement, although it is not clear if this was the cause of the latest incident.

What Battery Replacement Programme?

Back in 2017, Apple apologised for intentionally slowing down older iPhones (iPhone 6, iPhone 6s, iPhone SE and iPhone 7 models), perhaps with a view to encouraging upgrades. Once Apple’s actions were discovered, owners of older models complained of facing huge costs to upgrade, and Apple highlighted how older batteries lose capacity over time. This led to Apple introducing a battery replacement programme under which anyone with an iPhone 6 or later can get a new battery for just £25, a £54 saving on the previous price.

What Does This Mean For Your Business?

Apple phones are widely used and valued by business people and home users alike. The revelation of Apple deliberately slowing down phones to speed up the act of customers replacing their devices with the latest (and some would say expensive) versions, blotted what had been a relatively clean copy-book. The battery replacement programme appeared to be a practical way to perhaps gain customer trust back, say sorry, and legitimately solve some battery problems.

As with many phone makers, however, the at times unpredictable and potentially dangerous behaviour of some lithium-ion batteries can cause very unwelcome incidents and publicity, e.g. the Samsung Galaxy Note 7. These incidents illustrate how important it is that every part of the value chain in the creation and branding of premium products is right.

There may be real hope for phone manufacturers, however, since Norwegian scientists at IFE claim to have discovered a new wonder-material, ‘SiliconX’, for phone batteries that can stabilise silicon anodes for Li-ion batteries and offer five times the charge capacity.

Google Location Tracking, Even When Switched Off?

An Associated Press report has accused Google of recording the locations of its users via their mobile devices, even when they have requested not to be tracked by turning their “Location History” off.

Discovered

The apparent tracking without permission was discovered as part of research, when a Princeton privacy researcher noticed in his account that Google had tracked his many different locations along a route after he had been travelling for several days, despite his Location History being turned off.

Also, research has revealed that, even when Location History is paused / switched off, some Google apps store time-stamped location data without specifically asking your permission. For example, Google stores data about where you are when you simply open the Maps app, automatic daily weather updates on Android can discover roughly where you are, and some searches apparently unrelated to your location can also pinpoint your exact latitude and longitude, and save it to your Google account.

Could Affect Billions

It is thought that this could affect around two billion Android and Apple devices which use Google for maps or search.

What Is “Location History” and Why Have It Anyway?

According to Google, Location History is one of several ways to improve the experience of users, and works for features such as Google Maps e.g. if you agree to let Google Maps record your location over time, it will display that history for you in a “timeline” that maps out your daily movements.

Google says that Location History helps you to find the places you’ve been and the routes you’ve travelled. Google states that, when you choose to enable Location History, it records your location data and places in your Google Account, even when you’re not using Google Maps.

What’s The Problem?

The problem is that Google also states that “You can turn off Location History at any time. With Location History off, the places you go are no longer stored.”

Also, researchers have discovered that two settings (rather than one) need to be opted out of in order to prevent tracking. Users need to disable both “Location History” and “Web & App Activity” in order to opt out, because location data is recorded through more than one product and each consults a different setting. Some commentators feel that this has not been made clear by Google.
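The engineering point behind the two-settings problem is where the consent check lives. As an added illustration in Python (not Google’s code; the setting names follow the article, the class and method names are assumptions), the first store checks a different toggle at each collection point, so a user who turns off only “Location History” is still recorded by the search path; the second routes every collection point through one policy decision, so location is stored only when every setting that governs it allows it.

```python
"""Consent enforcement: scattered per-product checks vs a single policy decision point."""
from dataclasses import dataclass, field


@dataclass
class Settings:
    """The two user-facing toggles named in the report."""
    location_history: bool = True
    web_app_activity: bool = True


class FragmentedStore:
    """Pattern the report describes (constructed illustration): each product consults
    only its own toggle, so turning one off does not stop the others recording."""

    def __init__(self, settings: Settings):
        self.settings = settings
        self.records = []

    def maps_open(self, lat, lon):
        if self.settings.location_history:       # Maps checks Location History only
            self.records.append(("maps", lat, lon))

    def search(self, query, lat, lon):
        if self.settings.web_app_activity:       # Search checks a different toggle
            self.records.append(("search", lat, lon))


class GatedStore:
    """Hardened form: one policy function, consulted by every collection point."""

    def __init__(self, settings: Settings):
        self.settings = settings
        self.records = []

    def location_allowed(self) -> bool:
        # Location is a single purpose; it is permitted only if *every* toggle that
        # governs it is on. Adding a new product that stores location means calling
        # record(), not inventing a new check.
        return self.settings.location_history and self.settings.web_app_activity

    def record(self, source, lat, lon) -> bool:
        if not self.location_allowed():
            return False                          # denied: nothing is written
        self.records.append((source, lat, lon))
        return True


def demo(settings: Settings):
    """Run the same user actions through both stores and return what each kept."""
    frag = FragmentedStore(settings)
    frag.maps_open(51.5074, -0.1278)             # constructed coordinates
    frag.search("weather", 51.5074, -0.1278)
    gated = GatedStore(settings)
    for source in ("maps", "search"):
        gated.record(source, 51.5074, -0.1278)
    return frag.records, gated.records


if __name__ == "__main__":
    # User turned off Location History but left Web & App Activity on.
    print(demo(Settings(location_history=False, web_app_activity=True)))
```

The same idea applies to any consent-gated data flow under GDPR: the decision should be taken in one place that every writer calls, so that what the privacy page tells users ("with Location History off, the places you go are no longer stored") is mechanically true rather than true for one product and false for another.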

The Issues

The issues with this are that:

– In the UK, for example, this may constitute a lack of transparency, openness and fairness under GDPR about what users are being told is happening to their data and what is actually happening.

– Users appear to have chosen to opt-out of something / not give their consent to something that relates to their privacy and the security of their personal data, and yet have not been opted-out completely by the company (possible issues of GDPR compliance).

– Some commentators have described it as ‘sneaky’ and it could certainly be an issue that affects the trust of users.

– Location data of this kind has been used by police (in the US) to track suspects, and could also potentially be used by other players e.g. cyber criminals if they had access to the user’s account. This could put users at risk.

– Location data can also be used to target people with location-based advertising. This may be something that users would like to avoid.

What Can You Do To Avoid Being Tracked In This Way?

The Associated Press has produced a guide which details what actions you can take to avoid being tracked by Google, even if your Location History on your mobile device is paused / turned off: The guide can be found here: https://www.apnews.com/b031ee35d4534f548e43b7575f4ab494/How-to-find-and-delete-where-Google-knows-you’ve-been

What Does This Mean For Your Business?

This story should be a reminder, particularly since the introduction of GDPR, that people value their privacy and security, and that businesses now have a strong legal responsibility to take this seriously. Transparency, fairness and openness are vital when telling your customers what you are doing, or plan to do, with their data. The issue of consent, i.e. your customers choosing to withdraw consent and your business complying fully with those requests, should now be treated very seriously, and there must be consistency between what your company says it is going to do and what actually happens.

Sadly, it appears that all too often, large organisations / companies don’t appear to be handling our data in a way that we would like or have requested. For example, Facebook’s sharing of the personal data of 87 million users with Cambridge Analytica caused widespread outrage, and recently the ‘Deceived By Design’ report by the Norwegian government-funded Consumer Council has accused tech giants Microsoft, Facebook and Google of being unethical by leading users into selecting settings that do not benefit their privacy.

It may be that we have to wait a little longer and see a few more big tech companies being properly held to account before things start to really change for the better for users.

Social Mapper Can Trace Your Face

Trustwave’s SpiderLabs has created a new penetration testing tool that uses facial recognition to trace your face through all your social media profiles, link your name to it, and identify which organisation you work for.

Why?

According to its creators, Trustwave’s SpiderLabs, Social Mapper has been designed to help penetration testers (those tasked with conducting simulated attacks on computer systems to aid security) and red teamers (ethical hackers) save time and expand target lists in the intelligence-gathering phase of creating the social media phishing scenarios that are ultimately used to test an organisation’s cyber defences.

What Does It Do?

Social Mapper is an open source intelligence tool that employs facial recognition to correlate social media profiles across a number of different sites on a large scale. The software automates the process of searching the most popular social media sites for names and pictures of individuals in order to accurately detect and group a person’s presence. The results are then compiled in a report that can be quickly viewed and understood by a human operator.

How Does It Work?

Social Mapper works in 3 phases. Firstly, it is provided with names and pictures of people. e.g. via links in a csv file, images in a folder or via people registered to a company on LinkedIn.

Secondly, in a time-consuming phase, it uses a Firefox browser to log in to social media sites and search for its targets by name. When it finds the top results, it downloads profile pictures and uses facial recognition checks to try and find a match. The social media sites it searches are LinkedIn, Facebook, Twitter, Google+, Instagram, VKontakte, Weibo, and Douban.

Finally, it generates a report of the results.

What’s The Report Used For?

The report is designed to give the user a starting point to target individuals on social media for phishing, link-sharing, and password-snooping attacks.

For example, a user can create fake social media profiles to ‘friend’ targets and send them links to credential capturing landing pages or downloadable malware, trick users into disclosing their emails and phone numbers e.g. using vouchers and offers to tempt them into phishing traps, create custom phishing campaigns for each social media site, or even to physically look at photos of employees to find access card badges or to study aspects of building interiors.

What Does This Mean For Your Business?

In the right hands, Social Mapper sounds as though it could ultimately help businesses to improve their online security, because it helps to create much better quality and more realistic testing scenarios on a larger scale that could uncover loopholes and shortcomings that current testing may not be able to find.

The worry, however, is that in the wrong hands it could be used by cyber-criminals to quickly gather information about a target business and its employees, thereby enabling potentially very effective phishing and password-snooping campaigns to be created. This detailed information could also be shared among and sold to other criminals which could mean that individuals could be subjected to a number of attacks over time through multiple channels.

The obvious hope is, therefore, that enough checks and security measures will be put in place by its creators so that the software does not fall into the wrong hands and get used by criminals against the businesses and organisations it was designed to help. That hope is limited, however: Social Mapper was released by SpiderLabs as open-source software, so anyone can run it, and the realistic defence is to reduce what it can find in the first place. Practical steps are to limit the public photos and employer details staff attach to social media profiles, to keep access badges and building interiors out of published photos, and to include social media contact in phishing-awareness training so that an unexpected ‘friend’ request bearing a link or a voucher is treated with the same suspicion as an unexpected email.

Microsoft To Launch App-Testing Sandbox ‘InPrivate Desktop’ Feature

It has been reported that Microsoft is to launch InPrivate Desktop for a future version of Windows 10, a kind of throwaway sandbox that gives Admins a secure way to operate one-time tests of any untrusted apps / software.

Like A Virtual Machine

Although the new feature is still a bit hush-hush, and has actually been removed from the Windows 10 Insider programme, it is believed to act like a kind of in-box, speedy VM (virtual machine) that is then refreshed to use again after it has been used on a particular App.

Why?

The reason for the new feature, in the broader sense, is that it fits with moves announced by Microsoft in June 2017 to introduce next-generation security features to Windows 10.

ATP & WDAG

Back in June 2017, Microsoft specifically mentioned the integration of Windows Defender Advanced Threat Protection (ATP) as one of the next-generation security measures. ATP, for example, was designed to isolate and contain the threat if a user on a corporate network accidentally downloaded malicious software via their browser.

A security feature that some commentators have likened InPrivate Desktop to, that was also specifically mentioned last June, was Windows Defender Application Guard (WDAG). Interestingly, WDAG isolates potential malware and exploits downloaded via a users’ browser and contains the threat using virtualisation-based security.

Spec Needed For InPrivate Desktop

Although the exact details of InPrivate Desktop are sketchy, we know that it is likely to be aimed at enterprises rather than individual users and that, as such, it is likely to need a reasonable spec to operate. It has been reported that in order to run the new feature / app at least 4GB of RAM, at least 5GB of free disk space, and two CPU cores will be needed.

When?

There is also still some speculation as to exactly when the InPrivate Desktop feature will make it to Windows 10. Some commentators have noted that it may not make it into Windows 10 ‘Redstone 5’, and looks likely to be rolled-out in a subsequent Windows 10 update which has been codenamed 19H1.

What Does This Mean For Your Business?

With support stopping for previous versions of Windows, and with all of us being moved onto Windows 10’s ‘Windows as a service’ model, it makes sense that Microsoft adds more features to protect users, particularly businesses.

Adding malicious code to apps has been a method increasingly used by cyber-criminals to sneak under the radar, and having a secure space to test and isolate dubious / suspect apps will give Admins an extra tool to protect their organisation from evolving cyber-threats. It is extra-convenient that the testing feature / app sandbox will already be built-in to Windows 10.

IBM Makes Test Version of New Stealth AI Malware ‘DeepLocker’

IBM has announced that it has created its own stealth, ultra-evasive AI malware called ‘DeepLocker’ that can evade all traditional cyber-security protection, hide in normal applications, and only strike when it is sure it has reached its intended target.

Why?

Cyber-criminals are becoming ever-more sophisticated in their methods, and the resources available to them have increased e.g. as hackers have also worked in state-sponsored activities. Also, the world of Artificial Intelligence (AI) has come along leaps and bounds in recent years, and the fear is that cyber criminals could soon be deploying their own AI-powered malware. IBM has, therefore decided to create its own version in order to see how it works and behaves, and thereby gain valuable information which could help it to reduce risks, and find ways counter such attacks.

DeepLocker

One of the things that makes DeepLocker so different to other malware that tends to take a scattergun approach to infection is that it can hide itself and its intent until it reaches a specific target.

This is down to DeepLocker using a deep neural network (DNN) AI model, a type of machine-learning system loosely modelled on the brain. The DNN provides a kind of ‘black box’ that conceals the “trigger conditions”, making the attack very hard to decipher and reverse engineer. DeepLocker’s AI can, therefore, convert its own concealed trigger condition (which has been transformed into a deep convolutional network) into a “password” or “key” that unlocks its attack payload only when it identifies its victim; the payload sits in the binary encrypted, and the key is never stored, since it only exists when the network is shown the intended target. In this sense, it contains three layers of attack concealment: the target class, the specific target instance, and the trigger and payload themselves.
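As an added illustration of the “trigger condition becomes the key” idea (not IBM’s code; IBM has not published DeepLocker), the Python below encrypts a harmless demo payload under a key derived from the attributes of an intended target, and shows that presenting any other target yields no key and therefore no payload. The deep neural network is replaced by a plain SHA-256 hash of the recognised attributes, and the target attributes themselves are constructed; both are assumptions made so the example runs offline. The cipher is a hash-based keystream with an HMAC tag, chosen because the Python standard library has no AES.

```python
"""Target-keyed payload: the key is derived from the trigger, never stored."""
import hashlib
import hmac
import os

# Constructed target attributes. In DeepLocker these would be the DNN's view of the
# victim (face, location, software); here they are plain strings for the demo.
TARGET = {"face_id": "emp-0042", "wifi_ssid": "CorpNet"}
OTHER = {"face_id": "emp-0099", "wifi_ssid": "CorpNet"}
PAYLOAD = b"benign demo payload: show a message box"   # harmless stand-in


def derive_key(features: dict) -> bytes:
    """Stand-in for the DNN output (assumption): a deterministic hash over a
    canonical serialisation of the recognised attributes. The key exists only
    while the right attributes are in front of the program."""
    canon = "|".join(f"{k}={features[k]}" for k in sorted(features))
    return hashlib.sha256(canon.encode()).digest()


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream built from SHA-256 (demo cipher, not for production)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def lock(payload: bytes, key: bytes, nonce: bytes = None):
    """Encrypt and authenticate the payload under the target-derived key."""
    nonce = os.urandom(16) if nonce is None else nonce
    ct = bytes(a ^ b for a, b in zip(payload, keystream(key, nonce, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unlock(nonce: bytes, ct: bytes, tag: bytes, key: bytes):
    """Return the payload only if the key (i.e. the trigger) is right; otherwise None.
    The tag check means a wrong target gives a clean failure, not garbage."""
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def demo():
    """What ships in the binary is (nonce, ct, tag) plus the recogniser; the key is not."""
    key = derive_key(TARGET)
    nonce, ct, tag = lock(PAYLOAD, key)
    wrong = unlock(nonce, ct, tag, derive_key(OTHER))   # None: wrong target
    right = unlock(nonce, ct, tag, key)                 # the payload
    return wrong, right


if __name__ == "__main__":
    print(demo())
```

The point for defenders is what an analyst holding the binary can recover: the ciphertext, the tag and the recogniser, but not the key. With a hash in place of the DNN, as here, the key can be recovered by brute-forcing a small attribute space, which is why the real design uses a network whose mapping from input to key is fuzzy and hard to invert. Detection therefore has to lean on the carrier and the behaviour around it (an application that embeds an unexplained model and a decryption routine, and that reads camera, location or network identity it has no business reading) rather than on the payload’s signature.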

Hides & Identifies

According to IBM, DeepLocker can hide itself completely in normal ‘carrier’ applications such as video conference software. This enables it to fly completely under the radar and avoid detection by most antivirus and malware scanners. It also allows it to be spread widely and without providing any clues that there is a threat.

What Does This Mean For Your Business?

Malware attacks have cost businesses, organisations and whole economies vast amounts of money and untold disruption in recent times. Evasive malware has been evolving for many years as cyber-criminals try to find their way around better security measures and more sophisticated sandboxes. AI attacks using ultra-evasive, stealthy methods of the kind DeepLocker demonstrates represent the next wave of attack that organisations and businesses will have to face. It is a good thing, therefore, that IBM has tried to take the initiative and gain a march on the cyber-criminals who will undoubtedly seek to weaponise AI, by building its own version in order to learn lessons in advance that could provide at least some level of protection and recommendations for counter-measures.

Online “Pay-To-Watch” Now In Lead

The latest Office for National Statistics’ annual Internet Access and Use report has revealed that there has been a big rise in the number of people using commercial video streaming services.

Video Streaming Popular

The report shows a big jump from 29% of those watching online video-on-demand from commercial services in 2016 to 46% in 2018. The figures for 2018 refer to data collected in the January, February and April 2018 modules of the Opinions and Lifestyle Survey (OPN) conducted by the ONS.

The popular video-on-demand services referred to in the report include Netflix, Now TV, and Amazon Prime.

More Subscriptions To Online Video Streaming Than ‘Traditional’ TV

This supports Ofcom’s recent Media Nations report, which has replaced the PSB Annual Report and Digital Radio Report (and is based on BARB Establishment Survey data), and which shows that more people now subscribe to Netflix, Amazon and NOW TV than to ‘traditional’ pay-TV services, e.g. Sky, BT and Virgin.

The report showed that pay-TV subscriptions in the UK totalled 15.1 million, while the leading three on-demand video services totalled 15.4 million.

The Ofcom data showed that 39% of UK households (11.1m) have at least one on-demand streaming service subscription, and although Amazon Prime Video has a slightly larger year-on-year growth rate than Netflix, Netflix is the most popular subscription video-on-demand service, with subscriptions nearly doubling that of its closest rival – 9.1 million UK households Q1 2018.

Why?

The huge growth of popular video-on-demand services is the result of a number of factors, including the fact that more than 80% of UK homes have a fixed broadband connection (90% of UK homes have some kind of internet access), that 58% of those connections are considered superfast (30Mbit/s or higher download speeds), and that there has been a big rise in the number of people owning / using smart TVs and streaming dongles / boxes.

YouTube Popular Too

Google’s video social network platform YouTube has also seen a big rise in the number of people using the service – 62% in 2018, up from 47%.

Older People Using The Services

It appears that another reason for the rise in popularity of on-demand video-streaming services is that older people are now signing up. This is reflected, for example, in the fact that services such as Netflix are commissioning original shows pitched at more mature audiences.

What Does This Mean For Your Business?

Products / services that can be distributed via the Internet e.g. films and TV shows have almost inevitably increased in popularity at a time when most households have a broadband connection and when most people have a smartphone.

As consumers who are used to more choice and the ability to access more personalised offerings and experiences from businesses in a growing subscription economy, and who may have become used to ‘traditional’ pay-TV services, it is just a short jump to the greater choice and convenience of on-demand video services such as Netflix and Amazon. Just as more older people are populating social media platforms such as Facebook, older audiences are also now more used to technology and are finding it easier and beneficial to switch to video-on-demand from commercial services.

This increase in the popularity of such services means that the market for them is set to become more crowded (which is often good news for the consumer) as other players try to take advantage of consumer viewing trends. For example, Sky is reported to be about to make all its content available online, Apple is expected to launch a TV subscription service soon, and Disney may also soon be expanding the content available via its DisneyLife app.