Apps

New, Free Windows 10 Microsoft Office App Launched

Microsoft has announced the launch of its new “Office” app for Windows 10. The app, which is an update to the former My Office app, will come preinstalled on Windows 10 machines and will provide access to an online version of Office for those who don’t have a subscription for Office 365.

Simply “Office”

The new, free app, simply named “Office”, can be used with ‘almost’ any version of Microsoft Office. This means that those who do have a 365 subscription and have Microsoft’s apps installed on their device can open Office from the Office app, and those who don’t have a subscription will be automatically directed to the online version. Like Google Drive, this online version features the user’s recent documents on the home screen, which is in keeping with the idea that users should be able to find what they want quickly. Users can also share files with each other and can find content relevant to them but created by colleagues within their organisation.

Features

The new app includes helpful features such as tutorials and tricks for Microsoft’s apps and services, and users can see every Office app available to them by clicking on “Explore all your apps”.

Office also allows customisation so that businesses can brand it. Users also have access to third-party apps and Microsoft Search.

When and How?

Microsoft says that the Office app will become available to users on a rolling basis over the next few weeks and that it will be installed automatically as an update to the My Office app, which comes pre-installed as part of Windows.

You can search for “Office” in the search bar of the Windows start menu to open the app. The new app can also be downloaded from the Microsoft Store if needed.

Users can sign in to the app with their work, school, or free personal Microsoft Account to get started.

The Office app should work with any Office 365 subscription, Office 2019, Office 2016, and Office Online (the free web-based version of Office).

What Does This Mean For Your Business?

Launching this Office app is a way for Microsoft to publicise, raise awareness of, and get more people using its free online versions of Office.

The app, which also allows Microsoft to compete with its rival Google Drive, should be quite appealing to business users thanks to features such as the ability to customise and brand it, the fact that it allows access to third-party apps using AAD through the Office app, and the Microsoft Search feature that works across the organisation in addition to the user’s own apps and documents.

Having a free Office app that’s available without the need for an Office 365 subscription will also help address the mistaken assumption, held by many people, that Office simply comes as part of Windows.

New York’s Governor Orders Investigation Into Facebook Over App Concerns

The Governor of New York, Andrew Cuomo, has ordered an investigation into reports that Facebook Inc may be using apps on users’ smartphones to collect personal information about them.

Alerted By Wall Street Journal

The Wall Street Journal prompted the Governor to order New York’s Department of State and Department of Financial Services (DFS) to investigate Facebook when the paper reported that Facebook may have more access than it should to data from certain apps, sometimes even when a person isn’t signed in to Facebook.

Health Data

It has been reported that the kind of data that some apps allegedly share with Facebook includes health-related information such as weight, blood pressure and ovulation status.

The alleged sharing of this kind of sensitive and personal data, whether or not a person is logged in to Facebook, prompted Governor Cuomo to call such practice an “outrageous abuse of privacy.”

Defence

Facebook’s defence against these allegations, which appears to have prompted a short-lived but noticeable fall in Facebook’s share value, was to point out that WSJ’s report focused on how other apps use people’s data to create ads.

Facebook added that it requires other app developers to be clear with their users about the information they are sharing with Facebook and that it prohibits app developers from sending sensitive data to Facebook.

The social media giant also stressed that it tries to detect and remove any data that should not be shared with it.

Lawsuits Pending

This appears to be just one of several legal fronts where Facebook will need to defend itself.  For example, Facebook is still facing a U.S. Federal Trade Commission investigation into the alleged inappropriate sharing of information belonging to 87 million Facebook users with now-defunct political consulting firm Cambridge Analytica.

Apple Also Accused By Governor Over FaceTime Bug

New York’s Governor Cuomo and New York Attorney General Letitia James have also announced an investigation into Apple Inc’s alleged failure to warn customers about a bug in its FaceTime app that could inadvertently allow eavesdropping, as iPhone users were able to listen to conversations of others who had not yet accepted a video call.

DFS Involvement

The Department of Financial Services (DFS), which is one of the two agencies that have been ordered to investigate this latest Facebook app sharing matter, has only recently begun to get more involved in digital matters, particularly by producing the country’s first cybersecurity rules governing state-regulated financial institutions such as banks, insurers and credit monitors.

Some commentators have expressed concern, however, about the DFS saying last month that DFS life insurers could use social media posts in underwriting their policies, on the condition that they did not discriminate based on race, colour, national origin, sexual orientation or other protected classes.

What Does This Mean For Your Business?

You could be forgiven for thinking that, after the scandal over Facebook’s unauthorised sharing of the personal details of 87 million users with Cambridge Analytica, Facebook may have learned its lesson about the sharing of personal data and may have tried harder to uncover and plug any loopholes that could allow this to happen. The tech giant still has several lawsuits and regulatory inquiries over privacy issues pending, and this latest revelation about the sharing of very personal health information certainly won’t help its cause. Clearly, as the involvement of the DFS shows, there needs to be more oversight of (and investigation into) apps that share their data with Facebook, and possibly the need for more legislation and regulation of the smart app / smart tech ecosystem.

There are ways to stop Facebook from sharing your data with other apps via your phone settings and by disabling Facebook’s data sharing platform.  You can find instructions here: https://www.techbout.com/stop-facebook-from-sharing-your-personal-data-with-other-apps-37307/

Crypto-Mining Apps Discovered in Microsoft Store

Security researchers at Symantec claim to have discovered eight apps in the Microsoft Store which, if downloaded, can use the victim’s computer to mine crypto-currency.

Only There For A Short Time Last Year

The suspect apps are reported to have only been on the Microsoft Store for a short time between April and December 2018, but it is thought that they still managed to achieve significant download numbers, as indicated by nearly 1,900 ratings posted for the apps.

Which Apps?

The suspect apps, in this case, are Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search apps. These apps have now been removed from the Microsoft Store.

What Is Crypto-currency Mining?

‘Crypto-currency mining’ involves installing ‘mining script’ code such as Coin Hive into multiple web pages without the knowledge of the web page visitor or often the website owner. Multiple computers then join their networks so that the combined computing power can enable mathematical problems to be solved. Whichever scammer is first to solve these problems is then able to claim/generate cash in the form of crypto-currency, hence mining for crypto-currency.

Crypto-currency mining software tends to be written in JavaScript and sends any coins mined by the browser to the owner of the web site. If you visit a website where it is being used (embedded in the web page), you may notice that power consumption and CPU usage on your browser will increase, and your computer will start to lag and become unresponsive. These slowing, lagging symptoms will end when you leave the web page.

Mining For Monero

In the case of the eight suspect apps, they had been loaded with a script that had been designed to mine the ‘Monero’ crypto-currency. Monero, which was created in April 2014, is a decentralised cryptocurrency that uses an obfuscated public ledger. This means that anybody can broadcast or send transactions, but no one outside can tell the source.

How?

The secret mining element of the eight suspect apps worked by triggering Google Tag Manager (GTM) in their domain servers as soon as they were downloaded.  The GTM, which was shared across all eight apps, enabled them to fetch a coin-mining JavaScript library, and the mining script was then able to use most of the computer’s CPU cycles to mine Monero.

GTM – Legitimate

GTM is usually a legitimate tool that is designed to enable developers to inject JavaScript dynamically into their applications.  In this case, however, it had been used as a cloak to conceal the malicious purpose of the apps.

Not The First Time

This is not the first time that suspect apps have been discovered lurking in popular, legitimate app stores. Back in January, for example, security researchers discovered 36 fake and malicious apps for Android that can harvest a user’s data and track their location, masquerading as security tools in the trusted Google Play Store. The apps, which had reassuring names such as Security Defender and Security Keeper, were found to be hiding malware, adware and even tracking software.

Also, back in November 2017, a fake version of WhatsApp, the free, cross-platform instant messaging service for smartphones, was downloaded from the Google Play store by more than one million unsuspecting people before it was discovered to be fake.

What Does This Mean For Your Business?

This is not the first time that apps which perform legitimate functions on the surface and are available from trusted sources such as the Microsoft Store have been found to have hidden malicious elements, in this case, mining scripts. The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses, and the increasingly sophisticated activities of crypto-jackers and other cyber-criminals, combined with a global shortage of skilled cyber-security professionals to handle detection and response, have left businesses vulnerable to this kind of hidden app-based threat.

Although the obvious advice is to always check what you are downloading and the source of the download, the difference between fake apps and real apps can be subtle, and even Microsoft and Google don’t always seem to be able to detect the hidden aspects of some apps.

The fact that many of us now store most of our personal and business lives on our smartphones makes reports such as these more alarming. It also undermines our confidence in (and causes potentially costly damage to) the brands that are associated with such incidents e.g. the reputation of Microsoft Store.

Some of the ways that we can try to protect ourselves and our businesses from this kind of threat include checking the publisher of an app, checking which permissions the app requests when you install it, deleting apps from your phone that you no longer use, and contacting your phone’s service provider or visiting the High Street store if you think you’ve downloaded a malicious/suspect app.

Also, if you are using an ad blocker on your computer, you can set it to block specific JavaScript URLs related to crypto-mining, and some popular browsers also have extensions that can help e.g. a browser extension called ‘No Coin’ is available for Chrome, Firefox and Opera (to stop Coin Hive mining code being used through your browser). Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current crypto-currency mining threats and scams and what to do to prevent them, are just some of the other ways that you can maintain a basic level of protection for your business.

Scooter Hack Threat

An investigation by researchers at Zimperium® found a security flaw in the Xiaomi M365 electric scooter (the same model that is used by ridesharing companies) which could allow hackers to take control of the scooter’s acceleration and braking.

Xiaomi M365

The Xiaomi M365 is a folding, lightweight, stand-on ‘smart’ scooter with an electric motor that retails online for around £300 to £400. It is battery-powered, with a maximum speed of 15 mph, and features a “Smart App” that can track a user’s cycling habits, and riding speed, as well as the battery life, and more.

What Security Flaw?

The security flaw identified by the Zimperium® researchers concerns the ‘smart’ scooter’s Bluetooth connection, which lets users interact with the scooter’s features (e.g. its Anti-Theft System, or updating the scooter’s firmware) via an app. Each scooter is protected by a password, but the researchers discovered that the password is only used for validation and authentication by the app; commands can still be executed on the actual scooter without the password.

The researchers found that they could use the Bluetooth connection as a way in.  Using this kind of hack, it is estimated that an attacker only needs to be within 100 meters of the scooter to be able to launch a denial-of-service attack via Bluetooth which could enable them to install malicious firmware.  This firmware could be used by the attacker to take control of the scooter’s acceleration and braking capacities. This could mean that the rider could be in danger if an attacker chose to suddenly and remotely cause the scooter to brake or accelerate without warning.  Also, the researchers found that they could use this kind of attack to lock a scooter by using its anti-theft feature without authentication or the user’s consent.
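To make the design flaw described above concrete, here is an added example (not code from Zimperium, Xiaomi or the original article) contrasting a device that leaves the password check to the app with one that enforces it itself. The command names and the challenge-response scheme are assumptions chosen for illustration, not the scooter's real protocol.

```python
"""Toy model of device-side command authorisation (constructed example)."""
import hashlib
import hmac
import secrets

PRIVILEGED = {"lock", "unlock", "flash_firmware"}  # hypothetical command names


def derive_key(password: str, salt: bytes) -> bytes:
    # The device stores a derived key, never the raw password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AppCheckedScooter:
    """Pattern from the report: only the app checks the password, so the
    device executes whatever any connected peer sends."""

    def __init__(self):
        self.locked = False

    def handle(self, command: str) -> str:
        if command in ("lock", "unlock"):
            self.locked = command == "lock"
        return "ok"


class DeviceCheckedScooter:
    """Hardened pattern: the device itself demands proof of the password
    (challenge-response) before accepting a privileged command."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self._key = derive_key(password, self.salt)
        self._nonce = None
        self._authenticated = False
        self.locked = False

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # fresh per attempt, defeats replay
        self._authenticated = False
        return self._nonce

    def respond(self, proof: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # a challenge can be answered only once
        self._authenticated = hmac.compare_digest(expected, proof)
        return self._authenticated

    def handle(self, command: str) -> str:
        if command in PRIVILEGED and not self._authenticated:
            return "denied"
        if command in ("lock", "unlock"):
            self.locked = command == "lock"
        return "ok"


def app_proof(password: str, salt: bytes, nonce: bytes) -> bytes:
    """What a legitimate app computes from the password the user typed."""
    return hmac.new(derive_key(password, salt), nonce, hashlib.sha256).digest()
```

In a real product the authenticated session would also need to be bound to an encrypted link, so that later commands cannot be injected by another peer after the handshake.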

Told The Company

The researchers made a video of their findings as proof, contacted Xiaomi and informed the company about the nature of the security flaw. It has been reported that Xiaomi confirmed that it is a known issue internally, but that no announcement has been made yet about a fix.  The researchers at Zimperium® have stated online that the scooter’s security can’t be fixed by the user and still needs to be updated by Xiaomi or any 3rd parties they work with.

Suggestion From The Researchers

The researchers have suggested that, in the absence of a fix to date, users can stop attackers from connecting to the scooter remotely by using Xiaomi’s app from their mobile before riding and connecting to the scooter.  Once the user’s mobile is connected and kept connected to the scooter an attacker can’t remotely flash malicious firmware or lock the scooter.

What Does This Mean For Your Business?

This is another example of how smart products/IoT products of all kinds can be vulnerable to attack via their Bluetooth or Internet connections, and particularly where there are password issues. Usually, the risk comes from smart products from the same manufacturer all being given the same default password which the user doesn’t change. In this case, the password works with the app, but it appears as though the password isn’t being used properly to protect the product itself.

There have been many examples to date of smart products being vulnerable to attack. For example, back in November 2017, German Telecoms regulator the Federal Network Agency banned the sale of smartwatches to children and asked parents to destroy any that they already have over fears that they could be hacked, and children could be spied upon. Also, back in 2016, cyber-criminals were able to take over many thousands of household IoT devices (white goods, CCTV cameras and printers), and use them together as a botnet to launch an online DDoS attack (Mirai) on the DNS service ‘Dyn’ with global consequences i.e. putting Twitter, Spotify, and Reddit temporarily out of action.

Manufacturers of smart products clearly need to take great care in the R&D process to make sure that the online security aspects have been thoroughly examined. Any company deploying IoT devices in any environment should also require the supply chain to provide evidence of adherence to a well-written set of procurement guidelines that relate to specific and measurable criteria.  In the mobile ecosystem and in adjacent industries, for example, the GSMA provides guidelines to help with IoT security.

As buyers of smart products, making sure that we change default passwords, and making sure that we stay up to date with any patches and fixes for smart products can be ways to reduce some of the risks.   Businesses may also want to conduct an audit and risk assessment for known IoT devices that are used in the business.

Tech Tip – Encrypting Documents Stored on Google Drive

If you use Google Drive to store files in the cloud but are worried that Google doesn’t provide a true password protection feature, you may want to encrypt your files before uploading them. Here’s how:

If you have Microsoft Office on your PC, it has a built-in encryption feature.

– Go to: File > Protect Document > Encrypt with Password.

– Upload the file to Google Docs.

– Google can’t read the file, but it can be downloaded and opened on any PC with Microsoft Office Installed (using the password).

If you don’t have Microsoft Office, you could use Boxcryptor. This is free for syncing one cloud storage service between two PCs.

– Install Boxcryptor (see boxcryptor.com).

– Enable Google Drive in Boxcryptor’s settings.

– Access Boxcryptor from Windows Explorer’s sidebar.

– Go to: Boxcryptor > Encrypt option, and watch the checkbox turn green.

The encrypted files will then be placed in Google Drive, but won’t be accessible unless you have Boxcryptor installed and are logged in.

If you’re looking for a solution that’s free and can be used with any cloud storage service and any device, you may want to try Veracrypt (for Windows, macOS, and Linux).  It creates an encrypted container where you can store files you want and put them anywhere for safe keeping.

– Install Veracrypt (see veracrypt.fr).

– Create a new encrypted file container within your Google Drive folder.

– Reach that file from Veracrypt’s main window (it will show as if it were an external hard drive).

– Drag your sensitive files there and unmount the volume.

You will need Veracrypt installed on any PC to access the documents inside that container.

Tech Tip – Link your Android Phone To Your Windows PC or Laptop

If you’ve ever emailed yourself a photo or screenshot to get it from your phone to your computer, or uploaded photos to e.g. Google Photos or Dropbox and then downloaded them onto your PC, you may want to try Microsoft’s ‘Your Phone’ app. With the app, you can link and sync your Android phone to your Windows PC or laptop and simply drag and drop photos or screenshots, plus you can receive and send text messages from your phone on your computer. Here’s how to set it up:

This works for PCs or laptops running Windows 10 April 2018 Update (Version 1803) or later, and Android phones running Android 7.0 Nougat or later.  Both devices should be connected to the same Wi-Fi network.

On your PC or laptop, type “Your Phone” in the search bar, scroll to launch Microsoft Store, find the “Your Phone” app.

Download and install the Your Phone app for Windows 10 from Microsoft e.g. here: https://www.microsoft.com/en-gb/p/your-phone/9nmpj99vjbwv?activetab=pivot%3Aoverviewtab

Next, install the counterpart on your Android phone. For example, when you launch the app on your PC, type your number in to receive the app install link via text on your phone. Alternatively, you could visit the Google Play Store, type “Your Phone Companion” into the search bar and then install the app on your Android phone.

The two apps should sync, and once you’ve answered and granted the permissions questions on your phone, you should see your phone appear in the Windows “Your Phone” app on your computer.

Click to access recent photos or messages + see the Settings page.