News

Tech Tip – Split

If you’d like to be even more productive and be able to multi-task while using your iPhone or iPad, the ‘Split’ web browser app allows you to run two browser tabs side by side.

The app works in portrait and landscape, and each of the two panes has its own back button and bookmark option. Either pane can be opened in full-screen mode, and a single tap returns you to the split view.

The Split app is free from Apple’s App Store, and similar split browser apps are also available for Android.

Your Password Can Be Guessed By An App Listening To Your Keystrokes

Researchers from Southern Methodist University’s (SMU) Darwin Deason Institute for Cyber-security have found that the sound waves produced when typing on a computer keyboard can be picked up by a nearby smartphone, and that a skilled attacker could work out which keys were struck.

Why?

The research was carried out to test whether the ‘always-on’ sensors in devices such as smartphones could be used to eavesdrop on people using laptops in public places such as coffee shops and libraries (if the phones were on the same table as the laptop), and whether what was being typed could be recovered from the acoustic signals alone.

Where?

The experiment took place in a simulated noisy conference room at SMU, where the researchers arranged for several people to talk to each other while taking notes on a laptop. As many as eight mobile phones were placed on the same table as the laptops, anywhere from three inches to several feet away. The participants were not given scripts for what to say, could type in shorthand or full sentences, and could either correct typing errors or leave them.

What Happened?

Eric C. Larson, one of the two lead authors and an assistant professor in SMU Lyle School’s Department of Computer Science, reported that the researchers were able to recover what people were typing with 41 per cent word accuracy, and that this figure could probably be raised if the researchers could also work out which ten words a typist was most likely to use.

Sensors In Smart Phones

The researchers highlighted that smartphones carry several sensors used for orientation; some require the user’s permission before an app can read them, but others are always on. It was these always-on sensors that the researchers targeted, developing a specialised app that processes their output and predicts which key a typist pressed.

What Does This Mean For Your Business?

Most of us may be aware of the dangers of using public Wi-Fi and how to take precautions such as using a VPN.  It is much less well-known, however, that smartphones have sensors that are always on and could potentially be used (with a special app) to eavesdrop.

Mobile device manufacturers may want to take note of this research and how their products may need to be modified to prevent this kind of hack.

Also, laptop users may wish to consider a password manager that auto-fills passwords rather than typing them and potentially giving them away.

Over A Million Fingerprints Exposed In Data Breach

It has been reported that more than one million fingerprint records have been exposed online by biometric security firm Suprema, which appears to have left an installation of its Biostar 2 product accessible on an open network.

Suprema and Biostar 2

Suprema is a South Korea-based biometric technology company and is one of the world’s top 50 security manufacturers.  Suprema offers products including biometric access control systems, time and attendance solutions, fingerprint live scanners, mobile authentication solutions and embedded fingerprint modules.

Biostar 2 is a web-based, open, integrated security platform for access control and time and attendance that lets customers manage user permissions, integrate with third-party security apps and record activity logs. It is used by many thousands of companies and organisations worldwide, including the UK’s Metropolitan Police, as a tool to control access to parts of secure facilities, and it uses fingerprint scanning and recognition as part of that access control.

What Happened?

Researchers working with cyber-security firm VPNMentor have reported that they were able to access Biostar 2 data from 5 August until it was made private again on 13 August (VPNMentor contacted Suprema about the problem on 7 August). It is not clear how long before 5 August the data had been exposed. The exposure is believed to have been caused by the Biostar 2 system being reachable on an open network without authentication.

In addition to more than one million fingerprint records being exposed, the VPNMentor researchers also claim to have found photographs of people, facial recognition data, names, addresses, unencrypted usernames and passwords, employment history details, mobile device and OS information, and even records of when employees had accessed secure areas.

VPNMentor claims that its team was able to access over 27.8 million records, a total of 23 gigabytes of data.

Affected

VPNMentor claims that many businesses worldwide were affected.  In the UK, for example, VPNMentor claims that Associated Polymer Resources (a plastics recycling company), Tile Mountain (a home decor and DIY supplier), and Medical supply store Farla Medical were among those affected.

It has been reported that the UK’s data protection watchdog, the Information Commissioner’s Office (ICO) has said that it was aware of reports about Biostar 2 and would be making enquiries.

What Does This Mean For Your Business?

For companies and organisations using Biostar 2, this is very worrying and is a reminder of how data breaches can occur through third-party routes.

In this case, fingerprint records were exposed, and the particular worry with biometric data is that, unlike a password, a fingerprint cannot be changed once it has been stolen. The large amount of other personal employee data taken could not only affect individual businesses but could also mean that employees and clients are targeted for fraud and other crimes, e.g. phishing campaigns and even blackmail and extortion.

The breach might have been avoided had Suprema protected its servers properly, stored fingerprint data in a form that cannot be reversed into a usable fingerprint rather than the raw data, applied proper access rules on its databases, and not left a system that required no authentication reachable from the internet.  Companies still using Biostar 2 that have concerns may wish to contact Suprema for assurances about security.
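The unencrypted usernames and passwords in the exposed records are the part of this story with a simple fix. The Python below is an added example, not Suprema’s or Biostar 2’s code, and assumes a plain dictionary as the credential store: it contrasts keeping a password as typed with keeping only a per-user salt and a slow, salted PBKDF2 digest, so that a copy of the store hands an attacker nothing directly usable. Fingerprints are a harder problem, since a biometric template has to support fuzzy matching and cannot be protected with a plain hash like this.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # PBKDF2 work factor; tune so one derivation takes roughly 100 ms on the server


def store_plaintext(store: dict, username: str, password: str) -> None:
    """The pattern the exposed records reportedly followed: whoever reads the store reads the passwords."""
    store[username] = {"password": password}


def store_hashed(store: dict, username: str, password: str) -> None:
    """Keep only a random per-user salt and a PBKDF2-HMAC-SHA256 digest; the password itself is discarded."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    store[username] = {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_hashed(store: dict, username: str, password: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    rec = store.get(username)
    if rec is None:
        # Do the same amount of work for an unknown user so response time does not reveal valid usernames.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\0" * 16, ITERATIONS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(rec["salt"]), rec["iterations"])
    return hmac.compare_digest(digest.hex(), rec["hash"])


def recoverable_passwords(store: dict) -> dict:
    """What a copy of the store hands an attacker directly: every password kept in the clear."""
    return {user: rec["password"] for user, rec in store.items() if "password" in rec}


if __name__ == "__main__":
    plain, hashed = {}, {}
    store_plaintext(plain, "alice", "Summer2019!")     # constructed sample credential
    store_hashed(hashed, "alice", "Summer2019!")
    print("leaked from plaintext store:", recoverable_passwords(plain))
    print("leaked from hashed store:   ", recoverable_passwords(hashed))
    print("login with right password:  ", verify_hashed(hashed, "alice", "Summer2019!"))
    print("login with wrong password:  ", verify_hashed(hashed, "alice", "summer2019!"))
```

Because each user gets a fresh salt, two users with the same password end up with different digests, so a leaked table cannot be attacked with one precomputed lookup for everyone at once.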

Facial Recognition at King’s Cross Prompts ICO Investigation

The UK’s data protection watchdog, the Information Commissioner’s Office (ICO), has said that it will investigate the use of facial recognition cameras at King’s Cross by property development company Argent.

What Happened?

Following reports in the Financial Times, the ICO says it is launching an investigation into the use of live facial recognition in the King’s Cross area of central London.  It appears that the property developer, Argent, had been using the technology for an as-yet-undisclosed period and with an as-yet-undisclosed number of cameras. In a statement reported by the Financial Times, Argent said it had been using the system to “ensure public safety” and that facial recognition is one of several methods the company employs to that end.

ICO

The ICO has said that, as part of its enquiry, as well as requiring detailed information from the organisations involved (Argent in this case) about how the technology is used, it will also inspect the system and its operation on site to assess whether it complies with data protection law.

The data protection watchdog has made it clear in a statement on its website that organisations wanting to use facial recognition technology must comply with the law and must do so in a fair, transparent and accountable way. The ICO will also require those companies to document how and why they believe their use of the technology is legal, proportionate and justified.

Privacy

The main concern for the ICO and for privacy groups such as Big Brother Watch is that people’s faces are being scanned to identify them as they lawfully go about their daily lives, without their knowledge or understanding. This could be considered a threat to their privacy.  Also, with GDPR in force, it is worth remembering that a person’s face, when filmed (e.g. on CCTV), forms part of their personal data, so the handling, sharing and security of that footage also become a data protection issue.

Private Companies

An important concern for the ICO in this case is that a private company is using facial recognition, because use of the technology by private companies is difficult to monitor and control.

Problems With Police Use

Following criticism of police use of facial recognition technology in terms of privacy, accuracy, bias and management of the image database, the House of Commons Science and Technology Committee has recently called for a temporary halt to the use of such systems.  This follows an announcement in December 2018 by the Information Commissioner, Elizabeth Denham, that a formal investigation was being launched into how police forces use facial recognition technology (FRT) after high failure rates, misidentifications and concerns about legality, bias and privacy.

What Does This Mean For Your Business?

The use of facial recognition technology is being investigated by the ICO, and a parliamentary committee has even called for a halt to its use over several concerns. The fact that a private company (Argent) was found, in this case, to be using the technology has therefore caused even more concern and has highlighted the possible need for more regulation and control in this area.

Companies and organisations that want to use facial recognition technology should, therefore, take note that the ICO will require them to document how and why they believe their use of the technology is legal, proportionate and justified, and make sure that they comply with the law in a fair, transparent and accountable way.

Robot Tuck Shops About To Hit U.S. College Campuses

San Francisco-based start-up, Starship Technologies, has announced that it will be putting food delivery robots that respond to phone app orders on 100 U.S. university campuses in the next 24 months.

The Bots

It has been reported that 25 to 50 of the (23 kg, battery-powered, six-wheeled) Starship bots will be let loose on each campus, roaming seven days a week from 8 am to 2 am. The self-driving bots travel at 4 mph and use 10 cameras, radar, ultrasound sensors, GPS, computer vision and neural networks to interpret their surroundings and navigate safely within a 4 km radius.

The bot’s cargo bay is mechanically locked during the journey and can only be opened by the customer with their smartphone app. The location of each robot is tracked, so that the customer knows the exact location of their order and receives a notification when it arrives.

Food

The college campus robots will be delivering breakfast, snacks, and a variety of other food to students on campus.  Also, the app can take orders from local restaurants which the Starship bots will deliver to students on the campus for $1.99 per shipment, with Starship getting paid by the restaurant for making each delivery.

Benefits

The obvious benefits of the food delivery robots are that they can work whatever hours they are required all year round with no pay, no holiday and no need for breaks. Also, the Starship bots have an advantage over other local delivery services because the bots are small, manoeuvrable, know their way around the expansive campuses (thanks to pre-loaded, 3D maps), there are several bots working on one site, and they won’t need to be subject to any authorisation checks for being there.

Bigger Goals

Starship has bigger plans for the bots and is reported to have the goal of getting the bots onto college campuses across the US serving 1 million students.

Starship has also started a package delivery service in neighbourhoods and parts deliveries on business and industrial campuses using the bots.

What Does This Mean For Your Business?

Amazon has been making the news over the past couple of years with its delivery drones and ‘Scout’ delivery robots, and the well-funded start-up Starship ($40 million in new funding) has shown how it has been able to move quickly into a niche and join the growing delivery robot/drone industry.  For the robot and drone operating companies (Amazon, UPS, Google, Starship) these bots offer a way to reduce costs, avoid road congestion problems, avoid labour problems, and potentially deliver 24 hours a day all year round.  Users of bot and drone services can expect convenience, greater control over orders, and the novelty and fun of the delivery experience.

The benefits of drones and robots, however, may come at the expense of jobs, more of which are being taken away by the advance of technology-fuelled automation across many industries.

Apple Launches ‘Apple Card’

Apple has launched its ‘Apple Card’ in the US in partnership with Goldman Sachs and with processing by Mastercard.

Card

The Apple Card can now be applied for by customers in the US through the Wallet app on iPhone (iPhone 6 and later).  The physical laser-etched card, which is made of titanium and has a typically clean Apple design, has no card number, CVV security code, expiration date or signature on it.  Although you can pay with the physical card, the real Apple Card product lives in the Wallet app on the customer’s iPhone and works through Apple Pay. Apple says that the card can be used to make purchases in stores, in apps and on websites.

Advantages

Apple says that the Apple Card is built on simplicity, transparency and privacy and that it completely rethinks everything about the credit card. The main advantages of the Apple Card are:

  • There are no fees.
  • It gives instant cashback on purchases.  When you buy something with the Apple Card, you receive a percentage of the purchase back as Daily Cash every day; there is no limit to how much you can receive, and the cash goes straight onto the Apple Card, where it can be used just like cash. Apple says that customers get 2 per cent Daily Cash every time they use Apple Card with Apple Pay, and 3 per cent Daily Cash on all purchases made directly with Apple, including at Apple Stores, apple.com, the App Store, the iTunes Store and Apple services.
  • It is secure.  There are no numbers on the card itself, and using Apple Card through the iPhone means it is covered by the usual Apple Pay security features, e.g. Face ID, Touch ID and unique transaction codes.
  • It offers much greater privacy.  Apple says that it doesn’t store the details of where you shop, what you bought, or how much you paid, and Goldman Sachs will not sell or share your spending data with any third party. Mastercard simply processes payments between parties on the global network.
  • The Apple Card shows you how to pay less interest.  For example, the Apple Card shows you a range of payment options and calculates the interest cost of different payment amounts in real time.
  • The card can help you make more informed purchase choices.  For example, everything you buy is given a category (food, entertainment, shopping), and a colour-coded chart displays how much you’ve spent in each category.

Small Print Warning

This may all sound wonderful, but some commentators have warned that when you sign up for the Apple Card you sign up to the standard agreement offered by Goldman Sachs.  Within this agreement is an arbitration clause that essentially means you waive the right to bring claims, participate in a class action, or have a dispute heard by a court at trial for anything related to the agreement.

It is, however, possible to opt out of the Goldman Sachs arbitration clause within 90 days of opening the account by contacting the company via Messages, by calling a toll-free number, or by writing to a Philadelphia P.O. Box (Apple Card gives full instructions).

What Does This Mean For Your Business?

For other banks and credit card companies that are still using traditional cards, this may represent a threat, as Apple, a trusted and globally known brand, is offering something that appears to be more convenient and more secure and that has obvious instant cashback perks.

For Apple, this venture is a way to offer value, generate even deeper loyalty and become more embedded in the lives of its customers. This creates another important competitive advantage for the tech giant and allows it to gain a deeper understanding of its customers and their habits (even though it says it won’t share any information about those habits).

This also represents an opportunity for Apple to diversify at a time when its iPhone sales have been a bit flat and move towards the provision of services as well as hardware.

Tech Tip – Gallery Go

If you’ve been looking for a good gallery app for Android, Google has created an offline and compact, lite version of Google Photos that is uncluttered and easy to use.

The Gallery Go app works offline, so it doesn’t sync to a Google account (as Google Photos does); it has just two tabs at the bottom, for pictures and folders, useful search tabs at the top, and a very user-friendly layout.

Gallery Go makes it easy to copy and move photos between folders, lets you create new folders, and supports SD cards.  The app also organises automatically: each night, Gallery Go groups your photos by People, Selfies, Nature, Animals, Documents, Videos and Movies.

Gallery Go is available from the Google Play Store.

Is Your Website Sending Scammers’ Emails?

Research by Kaspersky has discovered that cyber-criminals are now hijacking and using the confirmation emails from registration, subscription and feedback forms of legitimate company websites to distribute phishing links and spam content.

How?

Kaspersky has reported that scammers are exploiting the fact that many websites require users to register their details in order to receive content.  Some cyber-criminals are now using stolen email addresses to register victims via the contact forms of legitimate websites, putting their own content into the form fields so that it is sent to the victim inside the legitimate website’s confirmation email.

For example, according to Kaspersky, a cyber-criminal uses the victim’s e-mail address as the registration address and then enters their own advertising message in the name field, e.g. “we sell discount electrical goods. Go to http://discountelectricalgoods.uk.” This means that the victim receives a confirmation message that opens with “Hello, we sell discount electrical goods. Go to http://discountelectricalgoods.uk Please confirm your registration request”.

Where a website asks the user to confirm their email address, cyber-criminals can also exploit this step of the process, ensuring that the victim receives an email containing a malicious link.

Advantages

The main advantage to cyber-criminals of using messages sent in response to the forms of legitimate websites is that the messages pass through anti-spam filters and carry the status of official messages from a reputable company, making them more likely to be noticed, opened and acted on.  The technical headers of the messages are genuine, and the amount of actual spam content they carry (which is what the filters react to) is relatively small. The spam score that filters assign to a message depends on a variety of factors, but the overall authenticity of these messages lets them beat the filters, giving cyber-criminals a more credible-looking and effective way to reach their victims.

What Does This Mean For Your Business?

Most businesses and organisations are likely to have a variety of forms on their website which could mean that they are open to having their reputation damaged if cyber-criminals are able to target the forms as a way to initiate attacks or send spam.

Kaspersky’s advice is that companies and organisations should therefore test their own forms to see whether they can be abused in this way.  For example, register on your own form with a personal e-mail address, entering a message such as “I am selling electrical equipment” in the name field together with a website address and a phone number, and then check what arrives in your inbox; this will show whether any verification mechanism exists for that type of input.  If the message you receive begins “Hello, I am selling electrical equipment”, contact whoever maintains your website and ask them to add simple input checks that return an error when a user tries to register under a name containing invalid characters or invalid parts. Kaspersky also suggests that companies and organisations consider having their websites audited for vulnerabilities.
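Kaspersky’s suggested check, turned into code. The Python below is an added example, not Kaspersky’s code and not any real site’s form handler, and it assumes a hypothetical policy on name length and word count. It shows a validator for the name field, the naive confirmation template that makes the scam work, and a hardened template that refuses to send when the name fails validation and keeps the user-supplied value out of the opening line.

```python
import re

# Detection patterns constructed for this example (not taken from Kaspersky's report).
# A person's name should never contain an e-mail address, a URL or bare domain, or a phone number.
EMAIL_RE = re.compile(r"[^\s@]+@[^\s@]+\.[a-z]{2,}", re.I)
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b[a-z0-9-]{2,}(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{6,}\d")
# Letters only, in words joined by a space, apostrophe, hyphen or dot ("Mary-Jane O'Brien", "J. Smith").
NAME_RE = re.compile(r"^[^\W\d_]+(?:[ '.\-]{1,2}[^\W\d_]+)*\.?$")
MAX_NAME_LEN = 80     # hypothetical policy limits chosen for this example
MAX_NAME_WORDS = 4


def validate_name(name: str):
    """Return (True, "ok") for a plausible name, or (False, reason) explaining the rejection."""
    name = name.strip()
    if not name:
        return False, "empty"
    if len(name) > MAX_NAME_LEN:
        return False, "too long"
    if EMAIL_RE.search(name):
        return False, "contains an e-mail address"
    if URL_RE.search(name):
        return False, "contains a URL or domain"
    if PHONE_RE.search(name):
        return False, "contains a phone number"
    if not NAME_RE.match(name):
        return False, "contains invalid characters"
    if len(name.split()) > MAX_NAME_WORDS:
        return False, "too many words for a name"
    return True, "ok"


def build_confirmation_naive(name: str, confirm_link: str) -> str:
    """The pattern the scam relies on: whatever was typed into the name field opens the e-mail."""
    return f"Hello, {name} Please confirm your registration request: {confirm_link}"


def build_confirmation_hardened(name: str, confirm_link: str) -> str:
    """Refuse to send at all if the name fails validation, and keep the user-supplied value away
    from the opening line so the message never reads as if the company wrote it."""
    ok, reason = validate_name(name)
    if not ok:
        raise ValueError(f"registration rejected: name field {reason}")
    return ("Hello,\n\nPlease confirm your registration request by following this link:\n"
            f"{confirm_link}\n\nRegistered name: {name.strip()}\n")


if __name__ == "__main__":
    # Constructed inputs: a real name and the advertising text from the report above.
    scam = "we sell discount electrical goods. Go to http://discountelectricalgoods.uk"
    link = "https://example.com/confirm?token=abc123"   # hypothetical confirmation link
    for candidate in ("Alice Smith", scam, "Call +44 20 7946 0958", "I am selling electrical equipment"):
        print(f"{candidate!r:75} -> {validate_name(candidate)}")
    print(build_confirmation_naive(scam, link))
    print(build_confirmation_hardened("Alice Smith", link))
```

Character checks alone cannot tell a short sentence from a name, which is why the word-count limit is only a heuristic and why the hardened template also moves the name out of the greeting: the e-mail should never read as though the company wrote the text a stranger typed into the form.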

$1 Million Bounty For Finding iPhone Security Flaws

Apple Inc recently announced at the annual Black Hat security conference in Las Vegas that it is offering security researchers rewards of up to $1 million if they can find security flaws in its iPhones.

Change

This move marks a change in Apple’s bug bounty programme.  Previously, for example, the highest sum offered by Apple was $200,000, and the bounties had only been offered to selected researchers.

The hope appears to be that widening the pool of researchers and offering a much bigger reward could maximise security for Apple mobile devices and protect them from the risk of governments breaking into them.

State-Sponsored Threats

In recent times, state-sponsored interference in the affairs of other countries has become more commonplace with dissidents, journalists and human rights advocates being targeted, and some private companies such as Israel’s NSO Group are even reported to have been selling hacking capabilities to governments. These kinds of threats are thought to be part of the motivation for Apple’s shift in its bug bounty position.

Big Prizes

The $1 million prize appears likely to only apply to remote access to the iPhone kernel without any action from the phone’s user, although it has been reported that government contractors and brokers have paid as much as $2 million for hacking techniques that can obtain information from devices.

Apple is also reported to be making things easier for researchers by offering a modified phone with some security measures disabled.

Updates

If flaws are found in Apple mobile devices by researchers, the plan appears to be that Apple will patch the holes using software updates.

Bug Bounties Not New

Many technology companies offer monetary rewards, together with permission, to researchers and ethical (white hat) hackers to test their computer systems, networks or computing resources in order to find (and fix) security vulnerabilities before criminal hackers have the opportunity to use them as a way in.  Companies like HackerOne also offer guidance on the amounts to set as bug bounties, e.g. anywhere from $150 to $1,000 for low-severity vulnerabilities and from $2,000 to $10,000 for critical-severity vulnerabilities.

Examples of bug bounty schemes run by big tech companies include Google’s ongoing VRP (Vulnerability Reward Program), which offers rewards ranging from $100 to $31,337, and Facebook’s white hat program (running since 2011), which offers a minimum reward of $500 and has paid out over $1 million so far.

What Does This Mean For Your Business?

With the growing number of security threats, greater reliance on mobile devices and more remote working via mobile devices, mobile security is a very important issue for businesses. A tech company such as Apple offering bigger bug bounties to a wider pool of security researchers could be well worth it when you consider the damage done to companies and to the reputation of their products and services when a breach or a hack takes place, particularly if it involves a vulnerability common to all models of a certain device.

Apple has made the news more than once in recent times due to faults and flaws in its products, e.g. after a bug in the group-calling feature of FaceTime was found to allow a caller to eavesdrop on the recipient before the call was answered, and when it had to offer repairs or replacements for touch-screen problems on the iPhone X and for data loss and storage drive failures in 13-inch MacBook Pro computers. Apple also made the news in May this year after it had to recall two different types of plug adapter because of a possible risk of electric shock.

This bug bounty announcement by Apple, therefore, is a proactive way that it can make some positive headlines and may help the company to stay ahead of the evolving risks in the mobile market, particularly at a time when the US President has focused on possible security flaws in the hardware of Apple’s big Chinese rival Huawei.

If the bug bounties lead to better security for Apple products, this can only be good news for businesses.

Using GDPR To Get Partner’s Personal Data

A University of Oxford researcher, James Pavur, has explained how (with the consent of his partner) he was able to exploit rights granted under GDPR to obtain a large amount of his partner’s personal data from a variety of companies.

Right of Access

Mr Pavur reported sending out 75 Right of Access Requests / Subject Access Requests (SARs) to obtain the first pieces of information from companies, such as his partner’s full name, some email addresses and phone numbers. He used a fake email address to make the SARs.

SAR

A Subject Access Request (SAR), which is a legal right for everyone in the UK, is where an individual asks a company or organisation, verbally or in writing, to confirm whether it is processing their personal data and, if so, to provide a copy of that data (e.g. a paper copy or a spreadsheet).  With a SAR, individuals have the legal right to know the specific purpose of any processing of their data, what type of data is being processed, who the recipients of that data are, how long it is stored, how it was obtained from them in the first place, and how the processed and stored data is being safeguarded. Under GDPR, individuals can make a SAR for free, although companies and organisations can charge a “reasonable fee” if a request is unfounded or excessive in scope, or where additional copies of data are requested beyond the original request.

Another 75 Requests

Mr Pavur reported that he was able to use the information he received back from the first 75 requests to send out another 75 requests.  From the second batch, he was able to obtain a large amount of personal data about his partner, including her social security number, date of birth, mother’s maiden name, previous home addresses, travel and hotel logs, her high school grades, passwords, partial credit card numbers, and some details about her online dating.

The Results

In fact, Mr Pavur reported that, of the targeted firms that responded (72%), 24% accepted a (false) email address and a phone number as proof of identity and revealed his partner’s personal details on that basis.  One company even revealed the results of a historic criminal background check.

Who?

According to Mr Pavur, the prevailing pattern was that large (technology) companies responded well to the requests, small companies ignored them, and mid-sized companies showed a lack of knowledge about how to handle and verify them.

What Does This Mean For Your Business?

The ICO notes on its website that GDPR does not specify how a valid request must be made: an individual can make a SAR verbally or in writing, to any part of your organisation (including via social media), and it does not have to be addressed to a specific person or contact point.  Nor does the request have to include the phrase ‘subject access request’ or cite Article 15 of GDPR, but it must be clear that the individual is asking for their own personal data.  This means that, although there may sometimes be confusion about whether a request has actually been made, companies should at least ensure they have identity verification and checking procedures in place before sending personal data to anyone. In this experiment, the researcher was able to obtain a large amount of personal and sensitive data about his (very understanding) partner using nothing more than a fake email address.

Businesses may benefit from identifying which members of staff regularly interact with individuals and giving those staff specific training to help them recognise requests.

Also, the ICO points out that it is good practice to have a policy for recording details of the requests a business receives, particularly those made by telephone or in person, so that the business can check with the requester that the request has been understood.  Businesses should also keep a log of verbal requests.
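The verification step is easiest to get right if it never relies on contact details supplied in the request itself. The Python below is an added example, not code from Mr Pavur’s research or from the ICO, and it assumes a hypothetical customer table and a simulated mail outbox (both constructed here). It logs every request whatever channel it arrived through, sends a one-time code to the e-mail address already on file rather than to the address in the request, limits the number of guesses, and releases data only for a verified request. A requester using a fake address, as in the experiment above, never receives the code and so never gets the data.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed customer records for this example (hypothetical data).
CUSTOMERS = {
    "C-1001": {"name": "Jane Doe", "email": "jane.doe@example.com",
               "data": {"address": "1 Example Street", "dob": "1990-01-01"}},
}
# Simulated mail outbox: destination address -> list of messages "sent" to it.
OUTBOX: dict = {}
MAX_ATTEMPTS = 3


@dataclass
class AccessRequest:
    request_id: str
    channel: str                  # how it arrived: email, phone, social media, post
    claimed_name: str
    contact_email: str            # supplied by the requester; recorded, never trusted
    received_at: str
    customer_id: Optional[str] = None
    challenge: Optional[str] = None
    attempts: int = 0
    verified: bool = False
    log: list = field(default_factory=list)


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def receive_request(channel: str, claimed_name: str, contact_email: str) -> AccessRequest:
    """Log every request on arrival and match it to a customer by the claimed name only."""
    req = AccessRequest(secrets.token_hex(4), channel, claimed_name, contact_email, _now())
    req.log.append((req.received_at, f"received via {channel} from {contact_email}"))
    matches = [cid for cid, c in CUSTOMERS.items() if c["name"].casefold() == claimed_name.casefold()]
    if len(matches) == 1:
        req.customer_id = matches[0]
        req.log.append((_now(), f"matched customer {matches[0]}"))
    else:
        req.log.append((_now(), f"no unique match ({len(matches)} candidates)"))
    return req


def issue_challenge(req: AccessRequest) -> Optional[str]:
    """Send a one-time code to the address of record, not to the address in the request.
    Returns the destination used, or None if there is nobody on file to challenge."""
    if req.customer_id is None:
        return None
    req.challenge = f"{secrets.randbelow(10**6):06d}"
    req.attempts = 0
    destination = CUSTOMERS[req.customer_id]["email"]
    OUTBOX.setdefault(destination, []).append(f"Your verification code is {req.challenge}")
    req.log.append((_now(), f"challenge sent to address of record ({destination})"))
    return destination


def complete_challenge(req: AccessRequest, code: str) -> bool:
    """Constant-time comparison with a small attempt limit, so a six-digit code cannot be brute-forced."""
    if req.challenge is None or req.attempts >= MAX_ATTEMPTS:
        req.log.append((_now(), "challenge refused (none issued or attempts exhausted)"))
        return False
    req.attempts += 1
    if secrets.compare_digest(code, req.challenge):
        req.verified = True
        req.challenge = None
        req.log.append((_now(), "identity verified"))
        return True
    req.log.append((_now(), f"wrong code (attempt {req.attempts}/{MAX_ATTEMPTS})"))
    return False


def release_data(req: AccessRequest) -> dict:
    """The only path that returns personal data, and it requires a verified request."""
    if not req.verified or req.customer_id is None:
        req.log.append((_now(), "release refused: identity not verified"))
        raise PermissionError("identity not verified")
    req.log.append((_now(), f"data released to {CUSTOMERS[req.customer_id]['email']}"))
    return dict(CUSTOMERS[req.customer_id]["data"])


if __name__ == "__main__":
    # A requester who knows the name but controls only a fake address, as in the experiment above.
    req = receive_request("email", "Jane Doe", "attacker@example.net")
    print("code sent to:", issue_challenge(req))
    print("fake address received:", OUTBOX.get("attacker@example.net", []))
    print("guess accepted:", complete_challenge(req, "000000"))
    for when, entry in req.log:
        print(when, entry)
```

The log kept on each request is what the ICO’s advice on recording requests asks for: it shows which channel the request arrived by, what was matched, where the code went and why any release was refused, without ever storing the code itself after it has been used.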