Data Security

Browser Support For Early Versions of TLS To End

The makers of all popular browsers – IE, Edge, Safari, Firefox, and Chrome included – have announced plans to disable Transport Layer Security (TLS) protocol versions 1.0 and 1.1 by default.

TLS

Transport Layer Security (TLS) 1.0 and 1.1 are the early versions of encryption used to secure connections to HTTPS websites. Their job is to provide confidentiality and integrity of data in transit between clients and servers.

This week, and not unexpectedly, all the big browser manufacturers released co-ordinated announcements that TLS 1.0, which will be 20 years old next January, and TLS 1.1 will no longer be supported by their browsers. Newer, updated versions of the security protocol will be favoured instead.

Why?

The reasons given for dropping these versions of the protocol are that:

  • They are now rarely used. For example, Microsoft announced that fewer than “one per cent of daily connections in Microsoft Edge are using TLS 1.0 or 1.1”. Apple, more accurately, puts the figure at less than 0.36% of all connections.
  • 20 years is a long time for a security technology to stand unmodified, and newer successor versions of TLS are more advanced, provide better performance and are more secure, e.g. TLS 1.3.
  • The finalization of TLS 1.3 by the Internet Engineering Task Force (IETF) in August 2018 means that the proportion of legacy TLS connections will drop even further, and TLS 1.2 is also required for HTTP/2, which should bring performance improvements for the web. Also, vulnerabilities in 1.0 and 1.1 versions will no longer be addressed by the IETF.
  • Old versions of TLS rely on MD5 and SHA-1, both now broken, and are thought to contain other flaws.

When?

Each browser has given slightly different dates for its formal dropping of TLS 1.0 and 1.1. For Microsoft browsers, it will be later this year. For Apple, support for TLS 1.0 and 1.1 will end in March 2020. For Mozilla, March 2020 will also be the removal date, and for Google browser users on early release channels, the date will be January 2020.

What Does This Mean For Your Business?

It is understandable that, with these versions being very old and unmodified, and not used by many connections, and with newer, more secure and better performance versions available, now is a good time to end default support for TLS 1.0 and 1.1. We are told that the newer successor versions offer greater security and performance and less vulnerability to certain types of attack e.g. BEAST, LogJam and FREAK (Factoring RSA Export Keys). These benefits are, of course, likely to be attractive to most businesses.

News of the co-ordinated killing-off of these 2 versions of the protocol may not be such great news, of course, to those who have websites that are still only using TLS 1.0 or 1.1, because browsers will soon flag up those websites as insecure or state that they are unable to connect.
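For site operators, the useful check before switching TLS 1.0 and 1.1 off on the server is how many of their own visitors still negotiate them. The following is an added example, not part of the original article: it tallies negotiated protocol versions from web server logs. It assumes an nginx `log_format` of `'$remote_addr [$time_local] "$request" $status $ssl_protocol "$http_user_agent"'`; the sample lines, the function names and the 1% threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log (documentation IP ranges, invented user agents).
SAMPLE_LOG = """\
203.0.113.10 [10/Oct/2018:09:01:12 +0000] "GET / HTTP/1.1" 200 TLSv1.2 "Mozilla/5.0 Chrome/69.0"
203.0.113.11 [10/Oct/2018:09:01:15 +0000] "GET /login HTTP/1.1" 200 TLSv1.3 "Mozilla/5.0 Firefox/62.0"
198.51.100.7 [10/Oct/2018:09:02:01 +0000] "POST /api/till HTTP/1.1" 200 TLSv1 "LegacyPOS/2.1"
203.0.113.12 [10/Oct/2018:09:02:30 +0000] "GET /pricing HTTP/1.1" 200 TLSv1.2 "Mozilla/5.0 Safari/12.0"
198.51.100.7 [10/Oct/2018:09:03:01 +0000] "POST /api/till HTTP/1.1" 200 TLSv1 "LegacyPOS/2.1"
192.0.2.44 [10/Oct/2018:09:03:40 +0000] "GET /feed.xml HTTP/1.1" 200 TLSv1.1 "Java/1.6.0_45"
-- log rotated --
203.0.113.13 [10/Oct/2018:09:04:02 +0000] "GET / HTTP/1.1" 200 TLSv1.2 "Mozilla/5.0 Edge/17.0"
203.0.113.14 [10/Oct/2018:09:04:09 +0000] "GET /about HTTP/1.1" 304 TLSv1.3 "Mozilla/5.0 Chrome/70.0"
"""

# Matches the assumed log_format described in the lead-in.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<proto>\S+) "(?P<agent>[^"]*)"$'
)

# Values nginx writes to $ssl_protocol for the versions being retired.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def summarise(log_text):
    """Count negotiated TLS versions and list the clients still on legacy ones."""
    by_protocol = Counter()
    legacy_clients = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            unparsed += 1  # keep a count so bad lines are noticed, not silently dropped
            continue
        proto = match.group("proto")
        by_protocol[proto] += 1
        if proto in LEGACY_PROTOCOLS:
            legacy_clients[match.group("agent")] += 1
    total = sum(by_protocol.values())
    legacy = sum(legacy_clients.values())
    return {
        "total": total,
        "legacy": legacy,
        "legacy_share": legacy / total if total else 0.0,
        "by_protocol": by_protocol,
        "legacy_clients": legacy_clients,
        "unparsed": unparsed,
    }


def safe_to_disable(summary, threshold=0.01):
    """True when the legacy share is at or below the chosen threshold (assumed 1%)."""
    return summary["total"] > 0 and summary["legacy_share"] <= threshold


if __name__ == "__main__":
    report = summarise(SAMPLE_LOG)
    print("connections parsed:", report["total"], "unparsed lines:", report["unparsed"])
    print("legacy share: {:.1%}".format(report["legacy_share"]))
    for agent, count in report["legacy_clients"].most_common():
        print("  still on TLS 1.0/1.1:", agent, count)
    print("safe to disable:", safe_to_disable(report))
```

The per-client breakdown matters more than the overall percentage: a handful of automated clients, such as the point-of-sale and old Java agents in the constructed sample, are what usually break when the old versions are turned off.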

Businesses Turning To Zero-Trust Security Model

As a widening attack surface and evolving threats mean that organisations continue to be breached despite a large security spend, many businesses are now turning to the ‘zero-trust’ security model.

What Is The Zero-Trust Security Model?

The Zero Trust security model, introduced by analyst firm Forrester Research, is an alternative architecture for IT security that doesn’t work on the traditional assumption that the perimeter is the main focus and that the inside of an organization’s network can be trusted. Zero-trust assumes that untrusted actors exist both inside and outside a company network, and that every user access request has to be authorised, using the principle of “never trust, always verify”. In this way, Zero-trust can address lateral threat movement within the network i.e. stopping insider and other threats from spreading once inside.

Breaches

Almost 70% of organisations are getting breached an average of five times a year, with 81% of breaches being simply linked to weak, default or stolen passwords. Once inside networks, attackers can camouflage their attack behind a legitimate identity like a database administrator, can go on to access and decrypt encrypted information, and be harder to spot and stop because of their apparent legitimacy.

According to some security commentators, this shows that identity, and identity-centric security measures are areas that organisations need to focus on, and this is where architecture such as zero-trust can help.

10 Cyber-Attacks Per Week

More businesses are recognising the need for a better approach to all-round security, particularly in an environment where hacking’s on the up. For example, the UK’s National Cyber Security Centre has just announced that it has stopped 1,600 attacks over the past two years, many by hostile nation states, and that there are now 10 such attacks per week. Also, the NCSC’s Active Cyber Defence (ACD) initiative reports removing 138,398 phishing sites hosted in the UK between September 2017 and August 2018.

Four Pillars of Zero-Trust Security

The zero-trust security model is, therefore, believed to be another step forward in the battle against cyber-criminals. The success of the zero-trust security model is based upon four key ‘pillars’, which are:

  1. Verifying users. This involves identity consolidation which can tackle weak / shared password issues (using single sign-on and one-time passwords), de-facto authentication everywhere, and monitoring user behaviour e.g. time and location factors.
  2. Validating devices.
  3. Limiting access of privileged users where possible.
  4. Applying machine learning to all these factors, and using this to step up the authentication processes wherever necessary. Machine learning also removes the need for manual intervention.

Benefits

Those who have implemented zero-trust security have reported many benefits. These include cost savings due to gains in incident response efficiencies and technology consolidation, and greater confidence in supporting users on mobile devices and rolling out new partner and customer experiences.

Challenge

One main challenge to the growth of the adoption of zero-trust security measures is the mistaken belief that it has to be time-consuming and takes a lot of effort to implement. Security commentators are keen to point out that, in reality, implementing a zero-trust security model is a step-by-step process.

What Does This Mean For Your Business?

It seems that the benefits of the zero-trust model are now becoming widely known by UK businesses and organisations. For example, an IDG study revealed that 71% of security-focused IT decision makers are actively pursuing a zero-trust security model, 10% are currently doing pilots, and around 8% have implemented it fully.

It’s important to realise that the implementation needn’t be a huge hassle and expense and can be tackled step-by-step, using commercial off-the-shelf technology. This approach to security offers businesses the chance to customise their security for their specific data and assets, and strengthen their infrastructure from the ground up by enabling the identification of vulnerabilities and gaps in their current security models at the root level.

This approach can bring some much-needed benefits, not least of which is a greater feeling of trust and a confidence boost. In terms of more measurable benefits to businesses, a Forrester and Centrify study, for example, has shown that by applying best practices of zero-trust principles, organisations recorded 50% fewer breaches within just two months. These kinds of figures are making this approach to security very attractive to many businesses, particularly those who have fallen victim to costly cyber attacks.

New Tech Laws For AI Bots & Better Passwords

It may be no surprise to hear that California, home of Silicon Valley, has become the first state to pass laws to make AI bots ‘introduce themselves’ (i.e. identify themselves as bots), and to ban weak default passwords. Other states and countries (including the UK) may follow.

Bot Law

With more organisations turning to bots to help them create scalable, 24-hour customer services, together with the interests of transparency at a time when AI is moving forward at a frightening pace, California has just passed a law to make bots identify themselves as such on first contact. Also, in the light of the recent US election interferences, and taking account of the fact that AI bots can be made to do whatever they are instructed to do, it is thought that the law has also been passed to prevent bots from being able to influence election votes or to incentivise sales.

Duplex

The ability of Google’s Duplex technology to make the Google Assistant AI bot sound like a human and potentially fool those it communicates with is believed to have been one of the drivers for the new law being passed. Google Duplex is an automated system that can make phone calls on your behalf and has a natural-sounding human voice instead of a robotic one. Duplex can understand complex sentences, fast speech and long remarks, and is so authentic that Google has already said that, in the interests of transparency, it will build-in the requirement to inform those receiving a call that it is from Google Assistant / Google Duplex.

Amazon, IBM, Microsoft and Cisco are also all thought to be in the market to get highly convincing and effective automated agents.

Only Bad Bots

The new bot law, which won’t officially take effect until July 2019, is only designed to outlaw bots that are made and deployed with the intent to mislead the other person about their artificial identity for the purpose of knowingly deceiving.

Get Rid of Default Passwords

The other recent tech law passed in California and making the news is a law banning easy to crack but surprisingly popular default passwords, such as ‘admin’, ‘123456’ and ‘password’ in all new consumer electronics from 2020. In 2017, for example, the most commonly used passwords were reported to be 123456, password, 12345678 and qwerty (Splashdata). ‘Admin’ also made number 11 on the top 25 most popular password lists, and it is estimated that 10% of people have used at least one of the 25 worst passwords on the list, with nearly 3% of people having used the worst password, 123456.

The fear is, of course, that weak passwords are a security risk anyway, and leaving easy default passwords in consumer electronics products and routers from service providers has been a way to give hackers easier access to the IoT. Devices that have been taken over because of poor passwords can be used to conduct cyber attacks e.g. as part of a botnet in a DDoS attack, without a user’s knowledge.

Password Law

The new law requires each device to come with a pre-programmed password that is unique to each device, and mandates any new device to contain a security feature that asks the user to generate a new means of authentication before access is granted to the device for the first time. This means that users will be forced to change the unique password to something new as soon as the device is switched on for the first time.
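The two requirements described above (a factory password unique to each device, and no access until the user sets a new credential) can be sketched as follows. This is an added example, not taken from the law or from any vendor's firmware; the `Device` class, the minimum length and the deny-list contents are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Weak defaults named in the article; a real deny-list would be far longer.
WEAK_PASSWORDS = {"admin", "123456", "password", "12345678", "qwerty"}
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 10  # assumed policy value, not specified by the law


def _derive(password, salt):
    """Store only a slow salted hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Device:
    """Hypothetical credential store for one consumer device."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._hash = None
        self._factory_hash = None
        self.must_change = True

    def provision(self):
        """Factory step: generate a random password unique to this unit."""
        factory_password = "".join(secrets.choice(ALPHABET) for _ in range(16))
        self._hash = self._factory_hash = _derive(factory_password, self._salt)
        self.must_change = True
        return factory_password  # printed on the unit's label, not shared across units

    def _matches(self, password, expected):
        if expected is None:
            return False
        return hmac.compare_digest(_derive(password, self._salt), expected)

    def login(self, password):
        """Return 'denied', 'change_required' or 'granted'."""
        if not self._matches(password, self._hash):
            return "denied"
        # The factory password proves possession of the device but opens nothing
        # except the change-password step.
        return "change_required" if self.must_change else "granted"

    def change_password(self, current, new):
        """Return (ok, reason); only a successful change unlocks the device."""
        if not self._matches(current, self._hash):
            return False, "current password incorrect"
        if new.lower() in WEAK_PASSWORDS or len(new) < MIN_LENGTH:
            return False, "new password too weak"
        if self._matches(new, self._factory_hash):
            return False, "new password must differ from factory password"
        self._hash = _derive(new, self._salt)
        self.must_change = False
        return True, "ok"


if __name__ == "__main__":
    unit = Device()
    label = unit.provision()
    print(unit.login(label))                      # change_required
    print(unit.change_password(label, "123456"))  # rejected as too weak
    print(unit.change_password(label, "correct-horse-42"))
    print(unit.login("correct-horse-42"))         # granted
```

Because every unit ships with a different random password, a credential recovered from one device is useless against the rest of the product line.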

What Does This Mean For Your Business?

For businesses using bots to engage with customers, if the organisation has good intentions, there should not be a problem with making sure that the bot informs people that it is a bot and not a human. As AI bots become more complex and convincing, this law may become more valuable. Some critics, however, see the passing of this law as another of the many reactions and messages being sent about interference by foreign powers e.g. Russia, in US or UK affairs.

Stopping the use of default passwords in electrical devices and forcing users to change the password on first use of the item sounds like a very useful and practical law that could go some way to preventing some hackers from gaining easy access to and taking over IoT devices e.g. for use as part of a botnet in bigger attacks. It has long been known that having the same default password in IoT devices and some popular routers has been a vulnerability that, unknown to the buyers of those devices, has given cyber-criminals the upper hand. A law of this kind, therefore, must at least go some way in protecting consumers and the companies making smart electrical devices.

Windows 10 October Rollout Suspended Due To File Deleting Fault

The October rollout of the update to Windows 10 as part of the SaaS model has been suspended due to reports that some customers have experienced mass file deletions.

Eating Files

It has been reported that the rollout of version 1809 October 2018 update for Windows 10 has been temporarily halted after users reported that files had been deleted and over-written.

The update rollout (which is due to be happening in waves over the course of this month) was stopped after users took to Microsoft’s support site and social media to complain, express their anger, and warn other users of what appears to be quite a serious fault.

For example, one user warned others that if documents are saved in the user directory, i.e. users/John, and not on OneDrive, the update deletes everything in that location. Similarly, another user reported that the whole of their “My Documents” folder was deleted by the update, including all of their personal documents (Word docs, spreadsheets, etc). Other issues such as incorrect CPU usage in Task Manager and broken audio drivers have also been reported.

What’s Causing It?

Some tech commentators are blaming the fault on OneDrive, Microsoft’s online file hosting and synchronization service, and a bug in its user profile settings. Engadget, for example, has said that the bug may have slipped through early testing despite reports of the issue appearing on Microsoft’s Feedback Hub some months ago.

The official word is that the exact cause is, as yet, unknown and that users who have already downloaded the update or are enrolled in programs like Windows Insider shouldn’t proceed with version 1809 until Microsoft has released a fix. For the rest of us, it’s a case of making sure that we haven’t downloaded the broken version yet, backing up files now as a precaution, and waiting for the automatic update as normal (which should contain the fix).

On The Upside – More Android Compatibility

Even though the technical fault in the update has dominated the news, with the fix in place, there are some positive aspects and improvements in the update, most notably in Android compatibility. For example, the update allows a better connection between your phone and your Windows desktop by enabling photo syncing and a direct interface to send and receive text messages via your device.

Other Good Points

Also, the latest update will bring a cloud clipboard (across devices), allowing you to copy more than one thing at a time. This will be included as part of Windows Timeline. There will also be new extensions for both Chrome and Firefox to give them the same functionality as Edge.

What Does This Mean For Your Business?

Many tech commentators had predicted that it was likely that there would be some kind of problem with the latest update, but this file-deleting bug is probably much worse than they were expecting and could be devastating, disruptive and costly to businesses that have installed the update but haven’t recently backed-up their files. It is worth, therefore, taking the official advice of backing up files now as a precaution and if you’re part of the Windows Insider programme, not proceeding with version 1809 until the fix has been released.

The Android OS has the biggest worldwide market share, just ahead of Symbian, thanks to its extensive app availability, easy interface, functionality and affordability. With more of us spending more time away from the desktop in the working day, it is helpful, therefore, that the latest Windows 10 update will help sync our Android phones with our desktops.

Since many people don’t use Edge as their main browser, it’s also good news that the latest Windows update (extensions) will bring greater functionality to Firefox and Chrome.

How Business Emails Are Vulnerable

Research by digital risk management and threat intelligence firm Digital Shadows has revealed that company credentials and emails that can be easily accessed on the web are making it easier for cyber-criminals to target businesses with attacks.

What Are The Problems?

According to the research, businesses may be suffering targeted attacks because of several key problems that are caused by the results of previous hacks and breaches, and by current poor security practices. These problems are that:

  • Around 12.5 million company email archive files are publicly accessible due to misconfigured archive storage drives e.g. FTP and Amazon S3 buckets. Business emails contain sensitive personal and financial information e.g. the research uncovered 27,000 invoices, 7,000 purchase orders and 21,000 payment records. These things are valuable to cyber-criminals as they help them to target attack methods such as phishing.
  • Improper backing-up of email archives has contributed to their exposure online.
  • Criminal forums e.g. on the dark web, now contain some 33,568 finance department email addresses that have been exposed in third-party breaches, 27,992 of which have passwords associated with them. These forums also contain large numbers of business email access credentials, some of which are reported by the research to be worth $5,000 for a single username and password pair to cyber-criminals.
  • Email hacking services can be purchased for as little as $150, with results available in a week or less. The researchers were even offered a 20% share of the proceeds that could be harvested from exploiting email vulnerabilities.

What Does This Mean For Your Business?

Business email credentials have a high potential return on investment to cyber-criminals, and therefore have a high value, which is why many cyber-criminals feel that it is worth looking for them and paying substantial amounts for them on criminal forums. The high value may mean that criminals may even collaborate to target larger organisations. Hacks and breaches over time, together with the subsequent buying and selling of the stolen email credentials may mean that many businesses are exposed to multiple types of email attack such as phishing, and man-in-the-middle attacks without even knowing it.

One thing the research does show is that by tightening up email security practices, businesses could reduce the risks that they face. Measures that companies could take to help reduce such risks include:

  • Including business email compromise (BEC) in business continuity planning and disaster recovery planning.
  • Strengthening wire transfer / BACs controls by e.g. building-in manual controls as well as multiple-person authorisations to approve significant amounts.
  • Improving staff training to enable them to follow practices that minimise company email and other security risks.
  • Continuously monitoring for any exposed credentials (particularly those of finance department emails), and conducting assessments of executives’ digital footprints e.g. using Google Alerts to track new web content related to them.
  • Preventing email archives from being publicly exposed e.g. by making sure that archive storage drives are configured correctly.
  • Being very careful where contractors back-up emails on network-attached storage (NAS) devices is concerned. Making users have passwords, disabling guest / anonymous access, and insisting on NAS devices that are secured by default could help.

Facebook Hack Keeps Getting Worse

As if the recent Facebook hack of 50 million user accounts that was discovered on 25th September wasn’t bad enough, it became apparent that it could also affect the “Facebook Login” service, which allows other apps to use people’s Facebook accounts to log in.

What Happened?

On Tuesday 25 September, Facebook engineers discovered that hackers had used a vulnerability in Facebook’s “View As” feature (which lets people see how their profiles appear to others) to steal digital keys known as “access tokens” from any accounts of people whose profiles were searched for using the “View As” feature. This meant that hackers were able to move from one Facebook friend to another, taking control of all those accounts along the way. It is estimated that the staggering number of 50 million user accounts were compromised in this way.

It has been reported that Facebook had noted a spike in the number of people using the “View As” feature in relation to Facebook’s video uploading feature for posting “happy birthday” messages (a known, year-old vulnerability), but didn’t put two and two together at that point. Even though the hack was reported to have been discovered by Facebook on Thursday 25th September, it is now thought that the hack actually took place on 16th September.

Reporting Problems

Even though less than 10% of the 50 million Facebook accounts affected by the security breach were in the European Union, this is still a significant number, and required a report within 72 hours of discovery of the breach to comply with GDPR. It has been reported, however, that Ireland’s Data Protection Commission (DPC) has said that Facebook’s initial notification to the regulator about the breach (on Thursday) didn’t have enough detail, and this could lead to an official investigation and possibly some (substantial) fines. Facebook’s discovery of the breach on the Tuesday, and notification to Ireland DPC on the Thursday meant that, at least it kept within the 72-hour disclosure deadline required under GDPR.

Worse – Other Services Using Login By Facebook Could Be Affected

One of the things that has made the breach even worse than was previously thought is that, if you use Facebook to log into other services, such as Instagram (owned by Facebook), Tinder, Spotify and even Airbnb, the attackers could also use the stolen access tokens to gain the same level of access to any of these, and may have been able to steal all of your profile info, photos, private messages and more. The fact that the hackers have stolen tokens means that they don’t need to enter a username and password to access a site because the token is a signal that they’re already logged in.

Fixed, Says Facebook

Facebook has reported that it has now fixed the flaw by logging everyone out of their accounts and suspending the “view as” feature.

What Does This Mean For Your Business?

This hack was on a massive scale, and was the biggest in Facebook’s history, coming not long after the revelations about Facebook’s sharing of its customer data with Cambridge Analytica for political purposes. This has undoubtedly dealt another blow to Facebook’s reputation but more importantly, it could lead to further problems for Facebook’s users. The fact that the hackers were able to steal tokens, thereby rendering strong passwords and multi-factor authentication useless (which is frightening in itself), means that the attackers could use any personal data and information that they may have harvested from Facebook and other Facebook login sites to target users in future cyber attacks. The information taken could, for example, be used in phishing attacks, fraud, and even blackmail. The information used for blackmail (photos, private messages, etc) could even cause damage to personal and work relationships.

Once again, it seems, we can’t trust a major tech company to adequately protect our personal data and information, even after it has gone to the trouble, over the last few months, of spending large amounts on advertising campaigns to tell us how much it can be trusted. Even though the initial crime appears to be a large-scale hack, the fact is that users could find themselves being the victim of cyber attacks in future because of the information that has been stolen.

Apple Making One-Quarter Of Its Revenue From Deal With Ad Giant Google

Figures from Goldman Sachs appear to show that, even though Apple may publicly take the moral high ground and criticise digital advertising businesses, it may actually be making $9 billion this year, one-quarter of its estimated total revenue, from a deal with digital advertising giant Google.

Opposition and Irony

Apple has been famously vocal about its high regard for user privacy and its opposition to the idea of harvesting user data to feed online advertising. For example, in a TV interview in April (Recode’s “Revolution” TV special with MSNBC) Apple’s CEO, Tim Cook said that Apple had elected not to “make a ton of money” from customers by not monetizing them, and that “we’re not going to traffic in your personal life”. Also, Apple investors and financial commentators have witnessed what they saw as a transformation of the business that they may have believed was based purely on the products.

It is ironic, therefore, that something that Apple appears to be opposed to is quietly responsible for a large chunk of the company’s growth.

Services Segment

It is true to say that iPhone sales are still the biggest contributor to Apple’s growth, but something called the ‘Services Segment’ is the second biggest contributor to Apple’s revenue growth. This segment includes ‘licensing’ as a sales growth driver, which actually refers to Apple’s collecting of money from its search contract with Alphabet Inc.’s Google, as well as other sources.

The Google deal means that Google pays Apple $9 billion this year (and an estimated $12 billion next year) to remain the default search engine in iOS devices such as iPhone and iPad. Goldman has been reported as saying that it is likely that this revenue is charged based on the number of searches that users on Apple’s platform originate from Siri or within the Safari browser.

Criticism

The figures from Goldman have attracted some criticism online from investment and tech commentators who have pointed out that, even though Apple appears to be publicly opposed to systems that harvest personal information for advertising purposes, the deal with Google means that it actually makes one-quarter of its services revenue from enabling such a system by Google, while not having to be accountable for the negative aspects of it.

What Does This Mean For Your Business?

Advertising is a necessary part of marketing for many businesses, and tech giants such as Google and Facebook offer advertising services to businesses. In our lives as consumers, however, we have become increasingly worried about our privacy and how our personal data is being used and sometimes shared, and there is no doubt that data harvesting is used to target advertising. The fact that Apple appeared to be publicly against the idea of harvesting of data for advertising, and yet makes billions per year by enabling Google to do just that while being able to distance itself from any flak about it (until now), is likely to be another blemish on the reputation of the trillion dollar company.

Some investors and investment commentators may also find themselves believing a little less in the idea of Apple’s transformation and success being purely down to its products and may be surprised that such a large chunk of Apple’s revenue simply comes from a browser deal with Google.

Chrome Extensions Get Security, Privacy and Performance Boost

Following the introduction last month of Google Chrome 69’s better password protection, Google has announced that Chrome 70 will bring trustworthy extensions by default.

What Are Extensions?

The Chrome extension system, introduced to the browser nearly a decade ago, has enabled the introduction of 180,000 different extensions which are small, bolt-on software programs that allow Google Chrome users to customize their browsing experience through functionality and behaviour that suits their individual needs or preferences.

Extensions are typically built using HTML, JavaScript, and CSS and are available in the Chrome Web Store. Google says that the dual mission of its extension team is to “help users tailor Chrome’s functionality to their individual needs and interests, and to empower developers to build rich and useful extensions”.

What’s Been The Problem?

One of the main problems with Chrome extensions has been that remotely hosted code in some extensions can be changed, used to manipulate websites, and used for criminal purposes. For example, Chrome extensions have increasingly been used to hide malware, even when they’ve been downloaded from the official Chrome store, and Google has reported a 70% increase in malicious extension installs over the last two and a half years.

For Google, this has created a lack of trust among users, has led to worries about transparency and the scope of their extensions’ capabilities and data access, has generated bad publicity, and has made Google’s own extension review process more complex, costly, and time-consuming.

Improvements

Google says that it has already addressed some of the security, privacy and performance concerns through the launch of out-of-process iframes, the removal of inline installation, and advancements in the detection and blocking of malicious extensions using machine learning.

New code reliability requirements also mean that Chrome Web Store will no longer allow extensions with obfuscated code. This is essentially code that’s difficult to understand and can be used to hide malicious code, and its complexity makes Google’s review process more difficult.

Google has also announced that further improvements will be made to Chrome extensions in Chrome 70 that should go even further in addressing these issues. For example, improvements will include:

  • Better controls for host permissions. This means giving users the choice to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page.
  • Required 2-step verification (in 2019) for Chrome Web Store developer accounts, in order to improve security.
  • The introduction of Manifest v3 to make the writing of a secure and performant extension much easier.

What Does This Mean For Your Business?

Google Chrome is the most widely used browser, favoured by 60% of browser users. Bearing in mind the 70% increase in malicious extension installs over the last two and a half years, some would say that these mainly security-based improvements to extensions are certainly necessary, and are long overdue. Bad extensions have proven to be the weak link in a strong browser and have provided a loophole that has been exploited by cyber-criminals enabling them to link computers to botnets, steal personal details, and enable crypto-currency mining on a large scale.

Businesses using Google Chrome should now get some reassurance that Google is plugging the security holes that some extensions have created, which should mean one less thing to worry about for the time-being in the ongoing battle with evolving and potentially costly cyber threats.

New Chrome 69 Creates Better Passwords, Among Other Features

Chrome 69, the latest version of the Google browser which is now 10 years old, has a number of value-adding new features, including the ability to automatically generate strong passwords.

Improved Password Manager

This latest version of Chrome has an improved password manager that is perhaps more fitting of the browser that is favoured by 60% of browser users, many of whom still rely upon using very weak passwords. For example, the most commonly used passwords in 2017 were reported to be 123456, password, 12345678 and qwerty.

The updated password manager in Chrome 69 hopes to make serious inroads into this most simple of human errors by recommending strong passwords when users sign up for websites or update settings. The Chrome 69 password manager will suggest passwords incorporating at least one lowercase character, one uppercase character and at least one number, and where websites require symbols in passwords it will be able to add these. Users will be able to manually edit the Chrome-generated password, and when Google is generating the password, every time users click away from its suggestion, a new one is created. Chrome 69 will then store the password on a laptop or phone so that users don’t have to write it down or try and remember it (as long as they are using the same device).

Other Features

Other new and improved features of Chrome 69 include:

Faster and more accurate form-filling: Google says that because information such as passwords, addresses and credit card numbers is saved in a user’s Google account and can be accessed directly from the Chrome toolbar, Chrome can make it much easier and faster to fill out online checkout forms.

Combined search and address bar (improvements): In Chrome 69, users will have a combined search and address bar (the Omnibox), which shows the answers directly in the address bar without users having to open a new tab, thereby making it more convenient. Also, if there are several tabs open across three browser windows, for example, a search in the Omnibox will tell users if that website’s already open and will allow navigation straight to it with “Switch to tab”. Google says that users will soon also be able to search files from their Google Drive directly in the Omnibox.

CSS Snap: This feature allows developers to create smoother browsing experiences. It does this by telling the browser where to stop after each scrolling operation, and is particularly useful for displaying carousels and paginated sections to guide users to the next slide or section.

Put The www. Back!

There was some controversy, and protests from some Chrome users, over the fact that version 69 of Chrome no longer shows the www. part of a URL (and the m. on mobiles) in the address bar. The change was made to take account of the limited space on mobile screens, and for greater security (to stop confusion with phishing URLs). It is worth mentioning at this point that Apple’s Safari also hides URL characters. Some critics of Google’s move to this system have said that it could confuse users into thinking that they’re at the wrong website.

Other Criticism

Some more cynical / informed commentators have suggested that the change in URL display is actually more to do with the AMP system and AMP cache, which benefit the advertising side of Google’s business.

What Does This Mean For Your Business?

The changes in Chrome 69 that encourage and facilitate the use of much stronger passwords may be a little overdue, but it has to be good news for the security of all Chrome users. The speedier form-filling will also be a time-saver in an age where many people now carry out many of their daily transactions online and on mobile devices.

Even though stronger passwords are a good thing, security has now moved on again from those, because they have been found to be less secure than biometrics and other access methods.

The new Chrome 69 has been released, but so has the beta version of Chrome 70, and it remains to be seen how security is upgraded yet again in subsequent versions as cyber-crime threats become more wide-ranging and sophisticated.

UK Government Guilty of Mass Surveillance Human Rights Breach

The European Court of Human Rights in Strasbourg has found the UK government guilty of violating the right to privacy of citizens under the European convention because the safeguards within the government’s system for bulk interception of communications were not strong enough to provide guarantees against abuse.

The Case

The case which led to the verdict was brought against the UK government by 14 human rights groups, journalism organisations, and privacy organisations such as Amnesty International, Big Brother Watch and Liberty in the wake of the 2013 revelations by Edward Snowden, specifically that GCHQ was secretly intercepting communications traffic via fibre-optic undersea cables.

In essence, although the court, which voted by a majority of five to two votes against the UK government, accepted that police and intelligence agencies need covert surveillance powers to tackle threats, those threats do not justify spying on every citizen without adequate protections.

Three Main Points

The ruling against the UK government in this case centred on three points: firstly, the regime for bulk interception of communications (under section 8(4) of RIPA); secondly, the system for collecting communications data (under Chapter II of RIPA); and finally, the intelligence sharing programme.

The UK government was found to breach the convention on the first 2 points, but the ECHR didn’t find a legal problem with GCHQ’s regime for sharing sensitive digital intelligence with foreign governments. Also, the court decided that bulk interception with tighter safeguards was permissible.

Key Points

Some of the key points highlighted by the rulings against the UK government, in this case, are that:

  • Bulk interception is not unlawful in itself, but the oversight of that apparatus was not up to scratch in this case.
  • The system governing the bulk interception of communications is not capable of keeping interference to what is strictly necessary for a democratic society.
  • There was concern that the government could examine the who, when and where of a communication, apparently without restriction i.e. problems with safeguards around ‘related data’. The worry is that related communications data is capable of painting an intimate picture of a person e.g. through mapping social networks, location tracking and insights into who they interacted with.
  • There had been a violation of Article 10 relating to the right to freedom of expression for two of the parties (journalists), because of the lack of sufficient safeguards in respect of confidential journalist material.

Privacy Groups Triumphant

Privacy groups were clearly very pleased with the outcome. For example, the Director of Big Brother Watch is reported as saying that the judgement was a step towards protecting millions of law-abiding citizens from unjustified intrusion.

What Does This Mean For Your Business?

Like the courts, we are all aware that we face threats of terrorism, online sexual abuse and other crimes, and that advancements in technology have made it easier for terrorists and criminals to evade detection, and that surveillance is likely to be a useful technique to help protect us all, our families and our businesses.

However, we should have a right to privacy, particularly if we feel strongly that there is no reason for the government to be collecting and sharing information about us that, with the addition of related data, could identify us not just to the government but to any other parties who come into contact with that data.

The reality of 2018 is that we now live in a country where in addition to CCTV surveillance, we have the right to surveillance set in law. The UK ‘Snooper’s Charter’ / Investigatory Powers Act became law in November 2016 and was designed to extend the reach of state surveillance in Britain. The Charter requires web and phone companies (by law) to store everyone’s web browsing histories for 12 months, and also to give the police, security services and official agencies unprecedented access to that data. The Charter also means that security services and police can hack into computers and phones and collect communications data in bulk, and that judges can sign off police requests to view journalists’ call and web records.

Although businesses and many citizens prefer to operate in a safe and predictable environment, and trust governments to operate surveillance just for this purpose and with the right safeguards in place, many are not prepared to blindly accept the situation. Many people and businesses (communications companies, social media, and web companies) are uneasy with the extent of the legislation and what it forces companies to do, how necessary it is, and what effect it will have on businesses publicly known to be snooping on their customers on behalf of the state.

This latest ruling against the government won’t stop bulk surveillance or the sharing of data with intelligence partners, but many see it as a blow against a law that makes them uneasy in a time when GDPR is supposed to have given us power over what happens to our data.