Author: Paul

Alan Turing To Feature on £50 Note

Alan Turing, head of the Enigma code-breaking team at Bletchley Park in World War 2, mathematician and father of computer science, who was driven to suicide by the treatment he received over his sexuality, is finally being honoured by having his image featured on the new £50 note.

Chosen By Committee

The UK Bank of England’s Banknote Character Advisory Committee advises the Governor on the characters that appear on new banknotes. In December, members of the committee were given summary biographies of 989 dead scientists, put forward by more than 225,000 members of the public, from which one would need to be chosen to feature on the new polymer £50 note when it enters circulation at the end of 2021.  The committee chose Alan Turing.

Mathematician & Scientist

Alan Turing (1912 – 1954), born in West London and educated in Frant, East Sussex and Sherborne, Dorset, displayed a natural ability for maths and science.  He is reported to have been able to solve complex and advanced maths problems in 1927 (aged 15) without having studied even elementary calculus, and in 1928 (aged 16) he was able to deduce Einstein’s questioning of Newton’s laws of motion from a text in which this was never made explicit.

Father of Computer Science

After studying at King’s College Cambridge, in 1936 Turing published his paper “On Computable Numbers, with an Application to the Entscheidungsproblem”, in which Turing proved that his “universal computing machine” could perform any mathematical computation that could be represented as an algorithm. This, plus the work he developed at Bletchley Park, is why Turing is widely thought of as the father of modern computer science.

WW2 Bletchley Hero

Alan Turing is perhaps best known for heading the codebreaking operation during WW2 at top-secret Bletchley Park, where it is estimated that the incredible breaking of U-boat Enigma codes may have shortened the war in Europe by as many as two to four years, and potentially saved millions of lives.  Part of this work involved designing and building the electromechanical machine called the bombe, which could break Enigma more effectively than the Polish bomba kryptologiczna (from which it got its name).

Conviction, Chemical Castration and Suicide

In 1952, Turing was prosecuted and convicted of “gross indecency” over his relationship with another man. In order to avoid a prison sentence, Turing chose to be chemically castrated through injections of synthetic oestrogen.

Alan Turing committed suicide with cyanide poisoning two years later, aged only 41.

Apology and Pardon

In 2013, Alan Turing was given a posthumous apology and royal pardon for his conviction for gross indecency.

What Does This Mean For Your Business?

Alan Turing’s incredible mind, aptitude for maths and science, and his work in cracking the Enigma code at Bletchley Park resulted in millions of lives being saved through the shortening of the war in Europe, and in the rapid evolution of computer science that has fed directly into the digital world and workplace that we know today. Despite his being a national hero, the way Turing was treated is widely regarded as shameful, and the posthumous pardon and apology, along with being honoured on a banknote, have been ways in which the UK has been able, in some small but public ways, to right some of the wrongs of the past, honour a truly great scientist, and contribute to a greater understanding and acceptance of sexual differences.

Scientists Discover How To Store Data On Matter Smaller Than DNA

Scientists from Brown University are reported to have discovered how to store data on metabolic molecules, which are pieces of matter that are even smaller than DNA.

Storage In Artificial Metabolomes  

The results of the recent research announced on the Brown University website and published in the PLOS ONE journal describe how researchers have discovered a way to store/encode and retrieve kilobyte-scale image files from artificial metabolomes which are arrays of liquid mixtures containing sugars, amino acids and other types of small molecules.  Some of these small molecules are smaller and have greater information density than DNA.

According to the researchers, although DNA is best for encoding larger datasets, the small molecule metabolite data method has low latency so that data sets can be written and read quickly.  The small molecule method is, however, still slower than traditional computers.

DNA Storage Research Not New

Research into storing data in DNA is not new.  For example, back in 2013 scientists in Cambridge spelt out a collection of Shakespeare’s 154 sonnets in DNA.

Also, last September UK scientists developed a technique to enable them to store computer files on DNA.  Scientists from the European Bioinformatics Institute developed a method whereby digital data, which is made up of ones and zeros, is changed into their own letter code of Cs, Gs, and Ts.

This converted code was sent to a US laboratory, which turned the letter code into physical DNA so that it could act like an incredibly small hard drive. The laboratory used DNA synthesis machines to transform the code into physical material in a similar way to how an inkjet printer lays down ink on paper. The physical result was a tiny piece of dust with the vital digital data stored inside. An estimated 215 petabytes (215 million gigabytes) of data could be stored in a single gram of DNA.
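As an added illustration of the kind of binary-to-nucleotide letter code described above (example code written for this article, not the European Bioinformatics Institute’s own scheme), the block below encodes bytes into a DNA-style sequence and decodes it back. It assumes a simplified scheme: each byte becomes six base-3 digits (trits), and each trit selects one of the three nucleotides that differ from the previous one, so the same letter never appears twice in a row, since long runs of one letter are hard to synthesise and read back accurately. The fixed six-trit width and the starting letter are choices made for this example.

```python
"""Added example (not from the original article): a toy binary-to-DNA
letter code that avoids repeated nucleotides, with a matching decoder.
The fixed-width six-trit-per-byte layout is an assumption of this example."""

NUCLEOTIDES = "ACGT"
TRITS_PER_BYTE = 6  # 3**6 = 729 >= 256, so six trits hold any byte value


def byte_to_trits(value: int) -> list:
    """Big-endian base-3 digits of a single byte, fixed width."""
    if not 0 <= value <= 255:
        raise ValueError("byte value out of range")
    trits = []
    for _ in range(TRITS_PER_BYTE):
        trits.append(value % 3)
        value //= 3
    return trits[::-1]


def trits_to_byte(trits: list) -> int:
    value = 0
    for t in trits:
        value = value * 3 + t
    return value


def encode(data: bytes, start: str = "A") -> str:
    """Map bytes to nucleotides; each trit picks one of the three letters
    that differ from the previously emitted letter (no homopolymer runs)."""
    prev = start
    out = []
    for b in data:
        for t in byte_to_trits(b):
            choices = [n for n in NUCLEOTIDES if n != prev]  # always 3 options
            nuc = choices[t]
            out.append(nuc)
            prev = nuc
    return "".join(out)


def decode(sequence: str, start: str = "A") -> bytes:
    """Invert encode(): recover each trit from the position of the letter
    among the three letters that differ from its predecessor."""
    prev = start
    trits = []
    for nuc in sequence:
        choices = [n for n in NUCLEOTIDES if n != prev]
        if nuc not in choices:
            raise ValueError("invalid or repeated nucleotide at position %d" % len(trits))
        trits.append(choices.index(nuc))
        prev = nuc
    if len(trits) % TRITS_PER_BYTE:
        raise ValueError("sequence length is not a whole number of bytes")
    return bytes(
        trits_to_byte(trits[i:i + TRITS_PER_BYTE])
        for i in range(0, len(trits), TRITS_PER_BYTE)
    )


def has_homopolymer(sequence: str) -> bool:
    """True if any nucleotide is immediately followed by the same nucleotide."""
    return any(a == b for a, b in zip(sequence, sequence[1:]))


if __name__ == "__main__":
    # Constructed sample payload for a quick round trip.
    message = b"Shall I compare thee to a summer's day?"
    dna = encode(message)
    print(dna)
    assert decode(dna) == message
    print("homopolymer present:", has_homopolymer(dna))
```

Because every byte costs six letters, the code is not as dense as a scheme that packs the whole file into one long base-3 number, but the fixed width keeps the example easy to follow and makes a corrupted sequence easy to spot during decoding.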

Why?

The reasons for developing ways to store data in DNA and even smaller molecules are that we are generating vast quantities of data with no practical and cost-effective way to store it for the future.  For example, it is estimated that there are now 3 zettabytes (3000 billion bytes) of digital data, with more being generated all the time. Storage media such as hard disks are expensive and require a constant supply of expensive electricity, and even the best ‘no-power’ archiving materials e.g. magnetic tape degrade within a decade.

The advantages of DNA and smaller molecules for storage are that:

  • Sensitive data stored in DNA and other small molecules won’t be vulnerable to hacking.
  • Data stored in this way could survive in harsher climates and environments where traditional hardware can’t.
  • DNA provides a highly effective, ultra-compact space-saving solution, that doesn’t require large amounts of costly electricity.
  • DNA can keep for hundreds of thousands of years if kept in a cool, dry place. Data stored in DNA won’t degrade over time, and it can be decoded relatively easily.
  • DNA won’t become obsolete, and unlike other high-density approaches, new technologies can write and read large amounts of DNA in one go.

What Does This Mean For Your Business?

The incredible science involved in this could give businesses a way to store and back up vast amounts of data in a very convenient and secure way (safe from hackers) with dramatically reduced space, equipment, and electricity costs, and with the assurance that the data could be stored, without decay, for many thousands of years.  Some tech commentators have estimated that commercial DNA storage devices may be on shelves in the next few years.

You could be forgiven for thinking, however, that DNA storage of data sounds (and probably will be) expensive, and it may be the case that most businesses will be sticking to cloud storage for quite some time yet.

Security Flaw Discovered In NHS Anaesthetic Machines

Cybersecurity firm CyberMDX has reported the discovery of a security flaw in some Internet-connected GE Healthcare anaesthetic machines which could leave them vulnerable to hacks.

Security Flaw

The security flaw has been described as the exposure of the configuration of certain terminal server implementations that extend GE Healthcare anaesthesia device serial ports to TCP/IP networks. This could potentially mean that when the devices are connected to the Internet, they could be remotely targeted by hackers who could modify the parameters of the anaesthesia devices. According to CyberMDX, this could mean that hackers could silence device alarms and even adjust anaesthetic dosages or switch anaesthetic agents.

Johnson & Johnson

The threat discovered in GE Healthcare anaesthetic devices may not sound too unlikely when you consider that back in October a security vulnerability was discovered in one of Johnson & Johnson’s insulin pumps (the Animas OneTouch Ping insulin pump) that a hacker could exploit to overdose diabetic patients with insulin.  Even though the company described the risk as “extremely low”, it still led them to take the precaution of sending letters outlining the problem to 114,000 people, doctors and patients, who used the device in the US and Canada.

Affected Machines

The affected GE Healthcare anaesthetic machines are reported to include Aestiva and Aespire versions 7100 and 7900.  It has been reported that some are used in NHS hospitals.

Suggestions

Some of the suggestions offered by GE in response to reports of the possible vulnerability (which may not be exclusive to just GE machines) are for hospitals/users to use secure terminal servers with strong encryption, and to use a VPN and other features to protect against hacks.

Also, GE suggests that organisations should use industry best practices and secure deployment measures e.g. network segmentation, VLANs and device isolation.

What Does This Mean For Your Business?

Where any device has an Internet connection e.g. IoT devices, there is now a risk of a possible attack, but the fact that these are medical machines which could lead to serious human consequences if remote hackers were able to tamper with them makes this story all the more alarming.

If, as GE and the US Department of Homeland Security have pointed out, all equipment is correctly isolated wherever possible, unnecessary accounts, protocols and services are disabled, and best practice is followed, the risk should be very low indeed.

This story does, however, highlight how all businesses and organisations should take the security of smart/IoT devices seriously, particularly where there could be a clear human risk.

Microsoft Criticised By UK’s Cyber Security Agency Over Dmarc

The UK’s National Cyber Security Centre (NCSC) has complained that it has been unable to compile meaningful statistics and draw meaningful conclusions about email security in its latest report because Microsoft stopped sending Dmarc reports two years ago.

What Is Dmarc?

Domain-based message authentication, reporting and conformance (Dmarc) is a protocol, developed by the Trusted Domain Project, to help provide greater assurance about the identity of the sender of a message. It builds upon the email authentication technologies SPF and DKIM developed over a decade ago, and on the work on a collaborative system pioneered by PayPal, Yahoo! Mail and later Gmail.

Dmarc allows email and service providers to share information about the validity of emails they send to each other, including giving instructions to mailbox providers about what to do if a domain’s emails aren’t protected and verified by SPF and/or DKIM, e.g. moving a message directly to a spam folder or rejecting it outright. Information about messages that have passed or failed Dmarc evaluation is then fed back to a Dmarc reporting address nominated by the domain owner, thereby providing intelligence to the sender about messages being sent from their domain and enabling them to identify email systems being used by spammers.

Dmarc works on inbound email authentication by helping email receivers to determine whether a message “aligns” with what the receiver knows about the sender. If it does not, Dmarc includes guidance on how to handle the “non-aligned” messages, e.g. phishing and other fraudulent emails.
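To make the alignment and policy steps described above concrete, here is an added Python example (written for this article, not code from the NCSC or any Dmarc implementation) that parses a published Dmarc TXT record and decides what a receiver should do with a message. The DNS records, domain names and reporting addresses are constructed sample values; the organisational-domain lookup is simplified to the last two labels (a real receiver consults the Public Suffix List), and the RFC 7489 fallback to the organisational domain’s record for subdomains is left out.

```python
"""Added example (not part of the original article): minimal Dmarc record
parsing and identifier-alignment evaluation. All DNS data below is constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample TXT records, keyed as they would be published at
# _dmarc.<domain>. These are not real records for these domains.
SAMPLE_DNS: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com; adkim=s; aspf=r",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:reports@example.org",
}


@dataclass
class DmarcPolicy:
    policy: str                 # none | quarantine | reject
    adkim: str                  # DKIM alignment: r (relaxed) | s (strict)
    aspf: str                   # SPF alignment:  r (relaxed) | s (strict)
    rua: List[str] = field(default_factory=list)  # aggregate report addresses


def parse_dmarc(record: str) -> DmarcPolicy:
    """Split a 'tag=value; tag=value' record into a policy object."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return DmarcPolicy(
        policy=tags["p"].lower(),
        adkim=tags.get("adkim", "r").lower(),
        aspf=tags.get("aspf", "r").lower(),
        rua=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    )


def organisational_domain(domain: str) -> str:
    """Simplified: keep the last two labels. Real receivers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Does the domain that passed SPF/DKIM align with the visible From: domain?"""
    if not auth_domain:
        return False  # that mechanism did not pass at all
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organisational_domain(from_domain) == organisational_domain(auth_domain)


def evaluate(from_domain: str,
             spf_pass_domain: Optional[str],
             dkim_pass_domain: Optional[str],
             dns: Dict[str, str] = SAMPLE_DNS) -> str:
    """Return 'pass', 'no-policy', or the sender's requested action for a failure."""
    record = dns.get("_dmarc." + from_domain.lower())
    if record is None:
        return "no-policy"  # no Dmarc record published: nothing to enforce
    policy = parse_dmarc(record)
    passed = (aligned(from_domain, spf_pass_domain, policy.aspf)
              or aligned(from_domain, dkim_pass_domain, policy.adkim))
    return "pass" if passed else policy.policy


if __name__ == "__main__":
    # SPF passed for a subdomain; relaxed SPF alignment accepts it.
    print(evaluate("example.com", "mail.example.com", None))        # pass
    # Only DKIM passed, for a subdomain, but adkim=s demands an exact match.
    print(evaluate("example.com", None, "mail.example.com"))        # reject
    # Monitoring-only domain: failures are reported, not blocked.
    print(evaluate("example.org", None, None))                      # none
```

The second call is the case the article’s “non-aligned” wording refers to: both mechanisms are checked independently, and the strict or relaxed tag on each decides whether a subdomain counts as the same sender. A domain on p=none still gets aggregate reports at its rua addresses, which is exactly the feedback the NCSC’s Mail Check service depends on.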

Why Were Microsoft’s Dmarc Reports So Important?

Microsoft’s email platforms form one of the biggest receivers of email, and data from Microsoft about the number of emails failing Dmarc gives a good indication of the number of suspicious emails being sent.  The lack of this data in the NCSC’s Mail Check service means that the NCSC’s ability to monitor and report on email security driven by Dmarc adoption has been hampered. This blind spot could have a knock-on negative impact on email security for everyone.

Public Sector Uptake – Good News

The NCSC’s latest report contains good news, however, about a significant uplift in the public sector adoption of email security protocols.  For example, public sector domains using Dmarc more than tripled from December 2017 to December 2018 to 1,369, and the number of domains with a Dmarc “quarantine” or “reject” policy (to prevent suspicious emails being delivered to inboxes) also tripled.

What Does This Mean For Your Business?

Having a collaborative intelligence sharing and effective protocol and process such as Dmarc that is being widely adopted by many organisations has significantly improved email security.  This is particularly valuable at a time when businesses face significant risks from malicious emails e.g. phishing and malware, and email is so often the way that hackers can gain access to business networks.

Sharing intelligence about the level and nature of email security threats and how they are changing over time e.g. in the trusted NCSC report, is an important tool to help businesses and security professionals understand more about how they tackle security threats going forward.  It is, therefore, disappointing that one of the world’s biggest receivers of email, which itself benefits from Dmarc, is not providing reports which could be of benefit to all businesses and organisations.

Facebook Launches Martin Lewis Anti-Scam Service

Facebook has launched a new anti-scam service using the £3m that it agreed to donate to the development of the programme in return for TV consumer money champion Martin Lewis dropping his legal action over scam ads.

What Legal Action?

Back in September 2018, MoneySavingExpert’s (MSE) founder Martin Lewis (OBE) took Facebook to the UK High Court to sue the tech giant for defamation over a series of fake adverts bearing his name.  Many of the approximately 1000 fake ads bearing Mr Lewis’ name that appeared on the Facebook social media platform over the space of a year could, and in some cases did, direct consumers to scammer sites containing false information, which Mr Lewis argued may have caused serious damage to his reputation and caused some people to lose money.

In January 2019, Mr Lewis came to an agreement with Facebook whereby he would drop his lawsuit if Facebook donated £3 million to Citizens Advice to create a new UK Scams Action project (launched in May 2019) and if Facebook agreed to launch a UK-focused scam ad reporting tool supported by a dedicated complaints-handling team.

How The New Anti-Scam Service Works

Facebook users in the UK will be able to access the service by clicking on the three dots (top right) of any advert to see ‘more options’ and “report ad”.  The list of reasons for reporting the ad now includes a “misleading or scam ad” option.

Also, the Citizens Advice charity has set up a phone line to help give advice to victims of online and offline scams.  The “Scams Action Service” advisers can be called on 0300 330 3003 Monday to Friday, and the advisers also offer help via live online chat.  In serious cases, face-to-face consultations can also be offered.

What To Do

If you’ve been scammed, the Citizens Advice charity recommends that you tell your bank immediately, reset your passwords, make sure that your anti-virus software has been updated, report the incident to Action Fraud, and contact the new Citizens Advice Scams Action service: https://www.citizensadvice.org.uk/scamsaction/

What Does This Mean For Your Business?

It is a shame that it has taken the threat of a lawsuit over damaging scam ads spread through its own platform to galvanise Facebook into putting some of its profits into setting up a service that can tackle the huge and growing problem of online fraud.  Facebook and other ad platforms may also need to take more proactive steps with their advertising systems to make it more difficult for scammers to set up adverts in the first place.

Having a Scams Action service now in place using a trusted UK charity will also mean that awareness can be raised, and information given about known scams, and victims will have a place to go where they get clear advice and help.

Tech Tip – Citymapper

If you’re out and about on business in a city at home or abroad, the Citymapper app provides trip planning, real-time information about departures, offline maps, alerts about delays and disruptions, and much more.

The app covers many cities around the world, including the European cities of London, Manchester, Birmingham, Paris, Lyon, Berlin, Cologne, Düsseldorf, and Hamburg.

To find the app go to the Google Play Store.

£183 Million Fine (Biggest Ever) For BA Data Breach

The Information Commissioner’s Office (ICO) has imposed a £183 million fine on British Airways, the biggest fine to date under GDPR, for a data breach where the personal details of 500,000 customers were accessed by hackers.

The Breach

The breach, which involved criminals using what is known as a ‘supply chain hack’, took place between 21st August and 5th September 2018.  The attackers were able to insert a digital skimming file, made up of only 22 lines of JavaScript code, into the online payment forms of BA’s website and app. The malicious page in the app (identified by a RiskIQ researcher) was built using the same components as the real website, thereby giving a very close match to the design and functionality of the real thing. The skimming file meant that payment details entered into the malicious page by customers were intercepted live by the hackers, who are believed to have been part of the Magecart group. Encryption was ineffective because the details were stolen in the customer’s browser, before they reached company servers.

The fact that CVV codes, which companies are not meant to store, were taken in the attack was a strong indicator of a live-skimming ‘supply chain’ attack.

Magecart is also believed to have used a similar digital skimmer hidden in a third-party element (chatbot) of the payment process to hack the Ticketmaster websites where 40,000 UK users were affected.

500,000 Affected In BA Breach

A staggering 500,000 personal and customer payment details were stolen in the BA Breach including names, email addresses, and credit card details including card numbers, expiry dates and the three-digit CVV codes.

Why Such A Big Fine?

The record-breaking £183 million fine was imposed because, under the General Data Protection Regulation (GDPR), a company can be fined a percentage of its worldwide turnover, up to a maximum of 4%. In the case of BA, the £183 million equates to 1.5% of its worldwide turnover in 2017.

The largest fine previous to this was imposed prior to GDPR under the old Data Protection Act where Facebook was fined £500,000 for its role in the sharing of customer data with Cambridge Analytica.

What Does This Mean For Your Business?

This enormous fine is a reminder of the powers granted to the ICO under GDPR and of just how seriously matters of data protection are now viewed, particularly where large companies which should have the protective measures in place are concerned. Even though BA has expressed surprise at the size of the fine it is worth remembering that 500,000 customer details were stolen including credit card numbers by what was actually a well-targeted and tailored but relatively simple method of attack.  This exposed vulnerabilities in the payment systems of a big company that should really have been picked up earlier.  

Despite the fine being £183 million at 1.5% of BA’s worldwide turnover, it could have been worse since the maximum fine is 4% of turnover. The fine for BA should send a powerful message to other corporations that they need to make the data protection of their customers a top priority.

1000+ Android Apps Harvest Our Data Without Our Permission

Researchers from the International Computer Science Institute have reported that up to 1,325 Android apps are gathering data from devices after people have denied them permission, and Google claims that it will address the problem with the introduction of the new Android “Q” Operating System.

Apps Finding Way Around Privacy Restrictions

According to the ICSI researchers, who presented their findings last month at the Federal Trade Commission’s PrivacyCon, 1000+ apps are finding their way around privacy restrictions and are able to gather geolocation data, phone identifiers, and other data from users who may be thinking that they have successfully denied apps access to such data.

For example, in the study of 88,000+ apps from the Google Play store, the researchers were able to identify 1,325 apps that violate permissions on Android by using workarounds hidden in their code that can enable personal data to be taken from multiple sources including Wi-Fi connections and metadata stored in photos.

Which Apps?

The researchers highlighted apps such as the Shutterfly photo-editing app, which gathers GPS coordinates from photos and sends the data to its own servers even after users have declined to give permission to access location data. Baidu’s Hong Kong Disneyland park app and Samsung’s Health and Browser apps were found (like 13 other apps) to be able to piggyback off other apps that had been granted permission in order to obtain data like phone identifiers and IMEI numbers.

Android Q Could Help

It is thought that the introduction of the latest (17th) version of Android’s operating system, Android Q, released as a beta on March 13th and due for wider release later this year, may be able to address many of these privacy concerns thanks to more stringent security features.  For example, users will be able to definitively choose and control when apps have permission to see their location, i.e. never, only when the app is in use and running, or all the time, including in the background. With Android Q, background apps won’t be able to jump into the foreground, and there will also be new permissions relating to the accessing of photos, video, and audio files from the background.

What Does This Mean For Your Business?

With mobile and app use being a normal part of everyday life, and with most people unable and unlikely to spend the time checking permissions and T&Cs on everything, we have to take on trust that when we deny it permissions, an app will abide by our decisions.  It may be a surprise, therefore, at a time when GDPR is in force and data privacy and security is a topic that many users think about and actively try to protect that so many apps are able to find workarounds that enable them to keep gathering data about us. It appears that it may be much more difficult to stay private online than many of us believe.

It is good news, therefore, that Android Q may provide a way to offer us greater protection and provide more of a challenge to companies and organisations that want access to our data e.g. to help target us with advertising, even though app developers may argue that they are simply using the gathered data to help enhance and personalise our experiences of their apps (to keep us using them).  App developers are in a highly competitive and crowded market and although gathering and using customer data to make their apps more indispensable may seem legitimate, most of us value our online privacy, would object to having our data permissions effectively ignored, and may feel frustrated that we still have so few tools and cues to help us effectively control our privacy.

Googlemail’s Tracking of Your Purchase History

CNBC research has highlighted how Googlemail creates a (difficult to delete) page of your purchase history by tracking your purchase receipt emails, and perhaps details stored in locations other than the inbox.

Not Obvious

Back in May, CNBC researchers highlighted how your Googlemail account creates a page of your purchases, which it was believed was created by tracking the purchase receipts that arrive in the email inbox.  According to Google, the feature is included as a way of organising things “to help you get things done”.  In Google’s account help section, Google states that “Your Google Account includes purchases and reservations made using Search, Maps, and the Assistant, as well as your order confirmations from Gmail”.

In the announcements of the results of CNBC’s research back in May, it was noted that this “private destination” purchases page wasn’t mentioned on the Data & Personalization page in a Google Account and as such, it may have been inconvenient for users to have to search for it.  It was also noted by researchers at the time that the only way to ensure that purchase data was deleted from the page was to go to the time and trouble of finding the digital receipt in the Gmail account and deleting it.

Hard To Delete

In the latest CNBC research findings, it has been claimed that, even though researcher Todd Haselton deleted each single purchase email from his Gmail inbox in order to clear the purchases page, on returning three weeks later, he found that all of his purchases (over years) were again listed on the purchases page.  This has led to the assumed conclusion that the listing of our purchases may also be stored in another location other than the inbox.

How To Delete From Your Purchases Page

In Google’s help section here https://support.google.com/accounts/answer/7673989 and in the subsection ‘delete your purchases and reservations’, Google provides instructions on how to delete them i.e. sign in to your Google account, go to the Purchases page (for which a link is provided),  view your purchase details and select ‘Remove Purchase’, and follow the on-screen deletion instructions.

Privacy?

Some commentators have expressed the view that automatically collecting and storing online and offline purchase details in this way may appear to be at odds with Google’s public position of being focused on privacy.

This is certainly not the first time that Google has faced criticism over privacy matters.  For example, Google recently faced criticism over its reCaptcha V3 bot-detecting login system apparently requiring a Google cookie to be installed in a user’s browser, which could potentially put the privacy of the user’s browsing history at risk.   Other examples of Google making the news over privacy concerns include a microphone being discovered in Google’s Nest Guard product that was not listed in the tech spec (which was put down to an erroneous omission by Google), and, in December last year, research by Internet privacy company DuckDuckGo reporting evidence that could show that even in Incognito mode, users of Google Chrome can still be tracked, and searches are still personalised accordingly.

Chrome Browser Alternatives

If you’re concerned about having aspects of your online behaviour tracked by Google’s Chrome browser, Wired recently compiled a list of anti-tracking web browsers which you may like to try.  These include the new privacy-enhanced browser Brave; Ghostery, which is available as a standalone browser on mobile; Tor, which provides layers of encryption and routing through various locations to protect your identity; DuckDuckGo for mobile devices; and Firefox Focus.

What Does This Mean For Your Business?

Google’s Chrome may be the most popular browser, but there may be many features about it that users are not aware of and may be a little surprised about, the purchases page being one of them.  It’s a shame that users seem to have to actively seek out elements such as the purchases page and how to delete things from it, rather than these being made more obvious and easily accessible within a Google account.  Even though Google has said that only the user can see it and that the details on the purchases page aren’t used for targeted advertising, it may still be of concern to many that data about their purchases over years is being collected and stored, and that it may not be a simple task to delete it.  It is not surprising, therefore, that some users may be turning to privacy-enhanced browser alternatives as they feel less sure that tech giants such as Google are demonstrating a real commitment to the kinds of privacy matters that are important to users.

Ad-Free Firefox Browser Service For $4.99 Per Month

Mozilla looks likely to be entering the premium browsing market later this year by offering a subscription-based (advert-free) browsing experience of selected journalism websites and other value-adding features via a special version of Firefox.

What’s The Problem?

Many news content websites rely on the revenue from adverts, but this can make for a distracting and annoying experience (adverts, pop-ups and auto-play videos) if you’re trying to browse the content on these websites.  This means that many people choose to use ad blockers, but these deprive the news websites of the ad revenue that enables them to produce free, quality content.

Google’s Idea

Google, for example, has entered the premium browsing market, but in a way that some commentators believe could alienate free Chrome users and non-Enterprise-level paying users. This is because Google has chosen to eliminate ad blockers in Chrome unless users upgrade to G Suite premium services.

Mozilla’s Firefox – Partnering With Publishers

Mozilla’s premium solution, however, is to include more value-adding features for a premium browsing subscription rather than simply taking away a browser feature (ad blocker) and to find a way for online content publishers to still make their money.  With the Firefox premium browsing deal, Mozilla is reported to have partnered with leading publishers so that Firefox’s premium service subscribers can access the content on key journalism websites, without being bothered by adverts, but with payments being made directly to the sites they read out of the revenue raised from subscriptions – a win/win.

The ad-free browsing deal will be available for desktop and mobile browsers, and it has been reported that a single monthly fee looks likely to cover ad-free browsing on all of a subscriber’s devices.  One value-adding feature for subscribers reported to be built in to the premium browsing experience is a reading sync system (already available on Pocket) that will enable Firefox users to pick up articles where they left off, even on other devices.

Other Features

It has also been reported that the Premium Firefox service could include bundled extra features (many of which are available as free add-ons now) such as audio versions of articles, a content discovery app and recommended reading selections.

What Does This Mean For Your Business?

For so-called ‘power users’ who like/need to access journalistic content from popular platforms in a fast, convenient way, across multiple devices, this premium service bundle may be a small price to pay and may prove popular. Google’s Chrome may be the market leader, but Mozilla may gain some ground here with a more inclusive and less alienating offering to all users.

Content providing websites may also find this to be quite an appealing service because it removes the need for the dreaded ad blockers and enables them to still make the necessary money to keep providing the content.