News

Microsoft’s Move Away From Passwords Towards Biometrics

In a recent interview with CNBC, Microsoft’s Corporate Vice President and Chief Information Officer Bret Arsenault signalled the corporation’s move away from passwords as the sole means of authentication, towards biometrics and a “passwordless future”.

Passwords – Not Enough On Their Own

Many of us are now used to two-factor authentication, e.g. receiving a code via text message or using an app such as Google Authenticator, as a more secure way of using passwords.  Mr Arsenault also notes that attack methods such as “password spraying”, where attackers try a handful of the most commonly used passwords against a large number of accounts at once (staying below each account’s lockout threshold), are still effective and highlight the weakness of relying on passwords alone.  He highlights how damaging this can be for businesses: an attacker who obtains one employee’s password and identity can use it to gain access to a whole network. This is one of the reasons why many businesses, including Microsoft, are moving away from the whole idea of passwords.
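As an added illustration (not Microsoft’s code and not from the interview), the following Python sketch shows what password spraying looks like in an authentication log and how to tell it apart from ordinary brute force: the spraying signature is many distinct target accounts with only one or two failures each, which keeps every account under its lockout threshold and is why per-account lockout alone does not catch it. The log format, the thresholds and the sample lines are assumptions constructed for this example.

```python
"""Detect password spraying in authentication logs.

Added example for this article, not Microsoft's code. The log format is an
assumption: one line per login attempt, "<ISO timestamp> <src_ip> <user> <result>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.5 tries one common password against many accounts
# (a spray, with one hit); 10.0.0.9 hammers a single account (brute force, which
# per-account lockout already handles); 10.0.0.7 is a normal user who mistyped once.
SAMPLE_LOG = """\
2019-05-01T09:00:01Z 10.0.0.5 alice FAIL
2019-05-01T09:00:02Z 10.0.0.5 bob FAIL
2019-05-01T09:00:03Z 10.0.0.5 carol FAIL
2019-05-01T09:00:04Z 10.0.0.5 dave FAIL
2019-05-01T09:00:05Z 10.0.0.5 erin FAIL
2019-05-01T09:00:06Z 10.0.0.5 frank SUCCESS
2019-05-01T09:00:10Z 10.0.0.9 alice FAIL
2019-05-01T09:00:11Z 10.0.0.9 alice FAIL
2019-05-01T09:00:12Z 10.0.0.9 alice FAIL
2019-05-01T09:00:13Z 10.0.0.9 alice FAIL
2019-05-01T09:00:14Z 10.0.0.9 alice FAIL
2019-05-01T09:00:15Z 10.0.0.9 alice FAIL
2019-05-01T09:05:00Z 10.0.0.7 grace FAIL
2019-05-01T09:05:07Z 10.0.0.7 grace SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_spraying(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {src_ip: sorted list of targeted users} for every source that fails
    against at least `min_users` distinct accounts inside `window`, with no more
    than `max_per_user` failures per account. The low per-account count is the
    spraying signature; a source with many failures on one account is brute force."""
    fails = defaultdict(list)  # src_ip -> [(timestamp, user)]
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()
        # Slide a time window over this source's failures, starting at each one.
        for i, (start, _) in enumerate(attempts):
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = sorted(per_user)
                break
    return flagged


def successes_after_spray(events, flagged):
    """Accounts a flagged source then logged into successfully: the spray's hits,
    which are the accounts to reset and investigate first."""
    return sorted({user for _, ip, user, r in events if ip in flagged and r == "SUCCESS"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = detect_spraying(evts)
    print("spraying sources:", hits)
    print("compromised accounts:", successes_after_spray(evts, hits))
```

In production the same logic runs over Azure AD sign-in logs or Windows event 4625 records; the thresholds above are deliberately low so the constructed sample triggers them, and real deployments would tune the window and counts to the tenant’s normal failure rate.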

Setting Example – Biometrics

Microsoft is one of the most-attacked companies in the world, and this, combined with reports of billions of breached passwords in circulation worldwide, has driven the company to move beyond passwords.

For example, 90% of Microsoft’s 135,000-strong workforce can now log into the company’s corporate network without a password, using biometrics such as facial recognition and fingerprint scanning through Windows Hello (built into Windows 10) or the Microsoft Authenticator app.

Also Uses Federated Cybersecurity

In addition to rejecting passwords for biometrics, Microsoft also uses a federated cybersecurity model.  This means that each Microsoft product has its own head of cybersecurity and that ethical hackers are actively encouraged to attack the company’s networks and products to test for flaws.

Scrapping Password Expiration Policies

Microsoft has announced that it is dropping the password expiration policy from its Windows 10 security baseline, arguing that forced periodic expiration is an out-of-date form of protection (it tends to push users towards predictable, incremental variations of the same password).  Once the Windows 10 May 2019 Update has been rolled out, users will no longer be forced by default to change their passwords every few months; Microsoft’s position is that a password should be changed when there is evidence it has been compromised.

Other Tech Companies Moving Away From Passwords

Other tech companies known to be moving away from passwords towards biometrics and other methods include Google, which has been testing USB security keys that plug into customers’ computers and provide a second factor of authentication, and Cisco, which acquired two-factor authentication start-up Duo in 2018.

What Does This Mean For Your Business?

As Microsoft points out, multi-factor authentication is more secure than relying on just a password for authentication, as password spraying and credential stuffing are widely in use and are still yielding good results for hackers.  As a recent National Cyber Security Centre (NCSC) survey has shown, many people still rely upon weak passwords, with ‘123456’ featuring 23 million times, making it the most widely-used password on breached accounts. There is a strong argument, therefore, for many businesses to look, as Microsoft is looking, towards more secure biometric methods of authentication, and towards a “passwordless future”.

Biometrics make life considerably harder for cybercriminals, but they have not proven to be foolproof.  For example, a Reddit user recently claimed to have used a 3D printer to clone a fingerprint and then used that fake fingerprint to beat the in-display fingerprint reader on a Samsung Galaxy S10. There was also the report of a Twitter user who claimed to have fooled the Nokia 9 PureView’s fingerprint scanner with somebody else’s finger, and then with just a packet of chewing gum, and the incident back in May 2017 in which a BBC reporter said that he had been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.  A sensible design point, therefore, is that the biometric should only ever unlock a credential held on the user’s own device (which is how Windows Hello works), rather than being sent across a network where it could be intercepted and replayed.

There is no doubt that the move away from passwords to biometrics is now underway, but we are still in the relatively early stages.

First Organ Delivery By Drone

A human kidney for transplant has been delivered by drone to a Medical Centre in Baltimore in the first flight of its kind.

Cutting Edge Technology

The drone transportation of the living organ over a one-mile journey used cutting-edge technology in the form of an AI-powered drone that had been specifically designed to maintain and monitor the organ during the journey.  As well as having a specially designed compartment to keep the organ in the right condition for transplant, the drone had onboard communications and safety systems to enable a safe flight over densely-populated/urban areas, and a parachute recovery system in case the drone failed.

Collaboration

The drone’s creation was the product of a collaboration between the aviation and engineering experts at the University of Maryland (UMD), transplant specialists and researchers at the University of Maryland School of Medicine (UMSOM), and others at the Living Legacy Foundation of Maryland.  Joseph Scalea, assistant professor of surgery at University of Maryland School of Medicine (UMSOM) who was one of the surgeons who carried out the transplant has also acknowledged the collaborative efforts of the surgeons, engineers, the Federal Aviation Administration (FAA), the organ procurement specialists, the drone pilots, nurses at the hospital, and the patient.

Solves Problems

The ability to deliver transplant organs by drone addresses problems, caused primarily by traffic, that were identified by the United Network for Organ Sharing, which reported that in 2018 there were nearly 114,000 people on waiting lists, with 1.5% of organs not making it to their destination and nearly 4% being delayed by two hours or more.

Medical Sample Delivery Too

There has also been a recent report in North Carolina of a hospital, in partnership with UPS, using a drone delivery program to speed up the delivery of critical medical samples across a hospital campus, thereby cutting 41 minutes off the usual on-foot journey.

Potential

The fact that the organ drone flight and the transplant operation were safe and successful has led to the recognition of the potential of this method e.g. unmanned transportation of organs over greater distances, minimising the need for multiple pilots and flight time and addressing safety issues.

What Does This Mean For Your Business?

This world-first in organ transportation is an important first step in what could be (if proven to be safe and reliable over multiple flights) an important new technological improvement to the provision of life-saving medicine.

Business owners may also be thinking that if this can be done successfully with something as important and delicate as a human organ for transplant, this system could potentially be scaled up and used to ensure the fast, safe delivery of other items. Amazon, for example, has been testing delivery drones for parcels since 2013 with a view to making its ‘Prime Air’ service a regular reality in the future.

As shown by UPS’s involvement with medical sample delivery, other major delivery companies are also investing in drones and their potential to combat the challenges posed by traffic congestion and labour-intensive and time-consuming on-foot journeys.

Also, the US Federal Aviation Administration has just authorised Alphabet’s (Google’s) Wing Aviation to start delivering goods via drones later this year.  This is the first time that the FAA has granted an “air-carrier” the certification for drone delivery of items such as food, medicine, and other small consumer products.

Drone transportation is clearly moving forward and starting to prove that it offers great potential in many different sectors in the not-too-distant future.

Tech Tip – The JigSpace App

If you’d like to have the ability to instantly see a step-by-step interactive 3D breakdown of a complex idea, product, or phenomenon, so that you can understand exactly how it works, and be able to explain it (e.g. for a work or education project) then the JigSpace app could be for you.

The JigSpace app for iPhone and iPad is a platform to explore and share interactive, 3D ‘knowledge for anything’. When you ask, “How does that work?” the answer is right in front of you in … interactive 3D. The basic JigSpace app is available for free from Apple iTunes.

Tech Tip – Spark E-Mail App

If you’re looking for a well-organised email app for iPhone, iPad, Mac and Android with a clever interface, flexible customisation options, and tools for discussing and collaborating on emails with your team ‘Spark’ may be the app for you.

The Spark email app offers a very tidy email inbox that puts the most important emails first and saves the junk, newsletters, and less important tasks for later.

The app also features a good email search engine, offers the scheduling and snoozing of emails, smart notifications, integrations with other services, and a host of other features.

To find out more visit the Spark website https://sparkmailapp.com/ , or go to iTunes or Google’s Play Store.

Apple’s Adapter Recall Over Shock Risk

Tech giant Apple has recalled two different types of plug adapter because of a possible risk of electric shock.

Which Adapters?

The affected plugs are the two-prong AC wall plug adapter that shipped with Macs and some iOS devices from 2003 to 2015, and the three-prong plug shipped between 2003 and 2010 and included with Apple’s World Travel Adapter Kit.  Apple USB power adapters are not affected.

The two-prong AC wall plug adapter recall concerns those shipped from 2003 to 2015 with Macs and certain iOS devices, or included in the Apple World Travel Adapter Kit, and made for use in Continental Europe, Australia, New Zealand, Korea, Argentina and Brazil.

Apple’s website says that its three-prong AC wall plug adapters were designed primarily for use in the United Kingdom, Singapore, and Hong Kong, and that the affected plugs are white, with no letters on the inside slot, whereas the newer versions are white with grey on the inside, and with a dimple on the side to make them easier to unplug.

How Can You Tell?

If you’re not sure whether your adapter is one of those affected by the electric shock risk, Apple has provided pictures to help you. Pictures of the two prong adapter can be found here https://www.apple.com/support/ac-wallplug-adapter/ and pictures of the three prong adapter can be found here https://www.apple.com/support/three-prong-ac-wall-plug-adapter/.

What Risk?

Apple says that the two prong Apple AC wall plug adapters in question may break and create a risk of electrical shock if touched.

In the case of the three-prong AC wall plug adapters in question, Apple says that they may break and create a risk of electrical shock if exposed metal parts are touched.

What Next?

If you have one of the affected adapters, Apple is offering an exchange program so you can get a safe replacement adapter from an authorized Apple service provider, or from an Apple retail store (by making an appointment), or by contacting Apple support online.  You will need to know your current adapter’s serial number and Apple provides information about this on the same page where the pictures of the adapter are shown (see the links above in this article).

What Does This Mean For Your Business?

For Apple, publicly explaining the danger, issuing a recall and offering customers an exchange makes the best of a bad situation and sends a good PR message to customers.  It is a little alarming, though, that adapters that have been in use for so long (and there are likely to be a great many of them, given the seven-year shipping period for the three-prong and the twelve-year period for the two-prong) could have been dangerous for so many customers in all that time.

For customers who have one of the affected adapters, it may be a surprise and a little worrying that there is an electric shock risk, but it’s reassuring that Apple is offering a replacement.

It’s not the first time that Apple has had to offer customers help with its products. Back in June 2018, following a couple of years of complaints from customers (and a petition), Apple decided to offer free repairs or replacements for the butterfly keyboard on its MacBook and MacBook Pro laptops, covering a list of nine eligible models.

Plans To Remove .org Domain Price Cap Prompts Complaints

Many charities and other non-profit organisations that use .org, .biz or .info domains have complained that proposals to lift the price cap on those domains could lead to the price rocketing.

What Price Cap?

The price cap on .org domains was originally put in place by the US Department of Justice at a time when only a few top-level domains were available and offered a level of price protection to the mainly non-profit groups and organisations that used those domains.

The Internet Corporation for Assigned Names and Numbers (Icann) oversees the web’s domain name system and is the organisation that has made the proposal to lift the price cap after having discussions with the Public Interest Registry, a Pennsylvania non-profit corporation, and  Registry Operator for the .org top-level domain (TLD).

Consultation

Icann launched a consultation “Proposed Renewal of .org Registry Agreement” on a forum on its website throughout March in order to obtain community input and to encourage debate among those involved with domains.  The consultation ended on the  29th April, and the resulting report is due on the 30th May.

Many Complaints

Many organisations and interested parties have complained about the proposed .org renewal agreement.  For example, registrar Namecheap has said that the move would put prices up, and that with switching domains being hard, organisations will be left little option but to pay the higher prices.

It appears that most holders of .org domains, companies selling domain names, ISPs and net marketing firms have objected to the proposal.

Critics of Icann’s proposal to remove the price cap have said that Icann appears to be doing so for administrative convenience rather than for the public interest.

Icann

Icann has justified the proposal to drop the price cap by saying that when the cap was introduced there were only a few top-level options available for organisations wanting to register a domain name, whereas there are now around 1,200 different options. This could mean, therefore, that price protection for a few choice domains may no longer be necessary.

Icann has also pointed out that even if there are price increases, domain registrants will be given a minimum six-month notice of any price increase, and that they can effectively protect themselves against price increases by renewing their registrations for as many as 10 years prior to the change taking effect.

Another Way?

One other possible option that has been raised online is a reported suggestion from Icann’s Non-Commercial Stakeholders Group that the price cap should remain, but with the permitted annual increase set at a reasonable level above the current limit of 10% per year.

What Does This Mean For Your Business?

The thought of increased costs and domain price instability for non-profit organisations that need to spend their money on their causes is proving very unpopular.  Also, for organisations (particularly larger ones) that have already established an online presence on a .org (or .biz or .info) domain, switching to another type of domain is likely to be difficult and costly in many ways.  If the proposal goes ahead, many are likely to feel forced into a position where they have no option but to accept the new, higher prices in order to keep their .org.

As Icann has pointed out, however, there would be some consolation with organisations being able to renew their registrations for as many as 10 years prior to the change taking effect.

The report from the consultation is due on the 30th May, so it’s a case of waiting until beyond that date to get a clearer indication of what Icann will do.

Slack Builds Email Bridge

Chat App and collaborative working tool Slack appears to have given up the fight to eliminate email by allowing the introduction of new tools that enable Slack collaboration features inside Gmail and Outlook, thereby building a more inclusive ‘email bridge’.

What Is Slack?

Slack, launched ‘way back’ in 2013, is a cloud-based set of proprietary team collaboration tools and services. It provides mobile apps for iOS, Android, Windows Phone, and is available for the Apple Watch, enabling users to send direct messages, see mentions, and send replies.

Slack teams enable users (communities, groups, or teams) to join through a URL or invitation sent by a team admin or owner. It was intended as an organisational communication tool, but it has gradually been morphing into a community platform i.e. it is a business technology that has crossed-over into personal use.

Email Bridge

After having a five-year battle against email, Slack is building an “email bridge” into its platform that will allow those who only have email to communicate with Slack users.

Aim

The change is aimed at bringing on board those members of an organisation who have been signed up to Slack but are not willing to switch entirely from email. Having accepted that not everyone wants to give up email altogether, Slack has concluded that something needs to be built into the app so that companies can draw on the strengths of all their workers, and so that team members separated by the Slack-versus-email divide can still be connected to the important conversations within Slack. It also means that companies can make the transition in working practices at their own pace, migrating entirely to Slack or not at all.

How?

The change supports Slack’s current Outlook and Gmail functionality, which enables users to forward emails into a channel where members can view and discuss the content and plan responses from inside Slack. It also allows anything set within the Outlook or Gmail Calendar to be automatically synced to Slack.

The new changes will allow team members who have email but have not committed to Slack to receive an email notification when they’re mentioned by their username in channels or are sent a direct message.

What Does This Mean For Your Business?

Slack appears to have listened to users who wanted a way to stay connected with colleagues who only use email (or who are still waiting to receive their Slack credentials), and the email bridge is likely to meet with their approval in this respect.  For Slack, it also presents an opportunity to ease those who are more resistant to change into eventually making the move.

This change is one of several announced by Slack, such as the ‘Actions’ feature last year, and the two new toolkits (announced in February this year) that will allow non-coders to build apps within Slack.

Slack knows that there are open source and other alternatives in the market, and the addition of more features and more alliances will help Slack to provide more valuable tools to users, thereby helping it to gain and retain loyalty and compete in a rapidly evolving market.

‘ManyChat’ Raises $18 million Funding For Facebook Messenger Bot

California-based startup ‘ManyChat’ has raised $18 million Series A funding for its Facebook Messenger marketing bot.

ManyChat

ManyChat Inc. is now the leading messenger marketing product, reportedly powering over 100,000 bots on Facebook Messenger.

ManyChat lets you use a visual drag-and-drop interface to create a free Facebook Messenger bot for marketing, sales and support.  The bot is essentially a Facebook Page that sends out messages and responds to users automatically.

The ManyChat bot allows you to welcome new users, send them content, schedule posts, set up keyword auto-responses (text, pictures, menus), automatically broadcast your RSS feed and more.

The bot, which is a blend of automation and personal outreach also incorporates Live Chat that notifies you when a conversation is needed with a subscriber.

Facebook Messenger

ManyChat says it has focused on Facebook Messenger because it is the #1 app in the US and Canada with over 1 billion active users, and it is the most engaging channel with average 80% open rates and 4 to 10 times higher CTRs compared to email.

The Funding

The $18 million funding for ManyChat was led by Bessemer Venture Partners, with participation from Flint Capital, and means that Bessemer’s Ethan Kurzweil will be joining the board of directors, and Bessemer’s Alex Ferrara becomes a board observer.

1+ Million Accounts Created

ManyChat reports that more than 1 million accounts have been created on the platform already by customers in many different industry sectors.  The platform has also reported that these 1+ million customers have managed to enlist 350 million Messenger subscribers and that there are now a staggering 7 billion messages sent on the platform each month.

What Does This Mean For Your Business?

Bots provide a way for businesses to reduce costs, make better use of resources and communicate with customers and enquirers 24/7.

As ManyChat points out, it’s becoming increasingly difficult for businesses to effectively reach their audience because people open less email and social media is ‘noisy’ to the point where messages become lost in the crowd.  A key advantage of ManyChat, therefore, is that it uses Facebook Messenger as a private channel of communication with each user, it’s instant and interactive, no message is ever lost, and Messenger has huge user numbers. Other advantages that businesses will appreciate is that it’s free and easy to set up the bot (no coding skills are required), and it offers the best of both worlds of automated communications, and the option to jump in with Live Chat when it is needed.

This kind of bot could enable businesses and organisations to make their marketing more effective while maximising efficiency.

ManyChat is also good news for Facebook which owns Messenger as it appears to be boosting user numbers by finding an improved, business-focused use for the app.

For ManyChat, its Facebook Messenger bot appears to be only the beginning (hence the funding), with investors looking at platforms like Instagram, WhatsApp, RCS, and more to further expand bot marketing services in the future.

Chrome For Android ‘Fake Address’ Phishing Risk Discovered

Developer James Fisher has reported that, with a few small changes, a web page viewed in Chrome for Android can display a fake URL bar and ‘jail’ the user inside a fake browser, leaving them vulnerable to being duped into entering details on a malicious page they believe to be genuine.

Fake URL Display

Mr Fisher explains on his website about the possible new phishing method here: https://jameshfisher.com/2019/04/27/the-inception-bar-a-new-phishing-method/ .

According to Mr Fisher, if you visit the page at the URL above in Chrome for Android and scroll down a little, the page presents itself as hsbc.com.  This is possible because, thanks to the few small changes he has made to the page, it is able to ‘jail’ the user in a ‘fake’ browser. His website includes a video showing how scrolling leads to the fake URL being displayed.

How?

Mr Fisher explains that the trick relies on Chrome for mobile hiding its real URL bar once the user scrolls down.  If a user arrives at a page they believe to be trustworthy and scrolls so that the real bar disappears, the page can switch them into a fake browser: it inserts, at the top of its own content, a screenshot of Chrome’s URL bar as it would appear on another site (hsbc.com in his demonstration), or it could detect which browser is in use and forge a matching ‘inception bar’ for that browser.  Either way, the user is shown the URL of a page they are not actually on.

Also, as part of trapping the user in a “scroll jail”, Mr Fisher includes a very tall padding element above the content, so that if the user tries to scroll back up to reveal the real URL bar they are simply scrolled back to the start of the content, which looks like a page refresh.  In the wrong hands, this whole process could dupe a user and trap them on a malicious page.

Phishing Risk

The obvious risk is that this could be used as a phishing method i.e. directing users to a fake page to enable sensitive data to be stolen or to direct users to a page loaded with malware.

What Does This Mean For Your Business?

At least now that the potential security risk has been discovered, explained and demonstrated, Google has the opportunity to close this loophole, thereby reducing the risk to users of Chrome for mobile. Although (at the time of writing) there is no fix as yet from Google, Mr Fisher has suggested that one fix could be for Chrome to retain a small amount of screen space above what he describes as the “line of death” (the boundary below which everything on screen is drawn by the web page), rather than giving up all of the screen to the page. That space could then be used to signal that ‘the URL bar is currently collapsed’.  In the meantime, one practical defence is worth noting: a password manager autofills credentials only on a site’s genuine origin, so a page that merely looks like hsbc.com will not be filled in, whatever its fake bar says, and an unexpected demand for manual entry is itself a warning sign.

Back in December, research by Internet Privacy Company DuckDuckGo was reported to have produced evidence that could show that even in Incognito mode, users of Google Chrome could still be tracked, and searches were still personalised accordingly. Also, in February this year, there were more PR woes for Google when the discovery of a microphone in Google’s Nest Guard product that was not listed in tech spec, but which was put down to an erroneous omission by Google, caused a backlash that escalated to the US Congress.

123456 Still A Popular Password

A study by the UK’s National Cyber Security Centre (NCSC) into breached passwords has revealed that 123456 featured 23 million times, making it the most widely-used password on breached accounts.

Top Five Easy-To-Guess Passwords

The study, which analysed public databases of breached accounts to discover which words, phrases and strings were most popularly used, also found that the second-most popular string was 123456789, and that the words “qwerty” and “password”, and the string 1111111 all featured in the top five most popular breached passwords.

Names & Football Teams

The study revealed that people routinely use first names and the names of their favourite football teams as passwords, making them relatively easy to guess.  The most common names found among breached passwords were Ashley, Michael, Daniel, Jessica and Charlie, and the most common football team was Liverpool, followed by Chelsea.

Not Confident

The NCSC study also found that 42% of those surveyed expected to lose money to online fraud, and that only 15% said that they were confident that they knew enough to be able to protect themselves online.

Big Risk – Password Reuse

The study also found that fewer than half of those surveyed used a separate, strong password for their main email account.  The risk of using the same password for multiple accounts and platforms is that if any one of those accounts is compromised, cyber-criminals will sell your login details on and/or use ‘credential stuffing’ tools to try the stolen username and password combinations, automatically and at scale, on many other websites.

Stolen credentials are also routinely used in phishing attacks e.g. to send malicious emails to a victim’s list of contacts, and in targeted digital identity attacks, where the breached credentials are used to steal a victim’s entire digital identity, steal their money, or even to compromise their social media network data.

Passwords on Hacking Forums

As revealed back in January by security researcher Troy Hunt of the ‘Have I Been Pwned’ service, 772,904,991 unique email addresses and 21,222,975 unique passwords were being shared on hacking forums as part of a collection of credentials stolen from multiple sites, dubbed Collection #1.

This highlights the importance of not reusing passwords between websites, and of changing any password promptly once there is reason to believe it has been exposed (Collection #1 being exactly such a reason).

What Does This Mean For Your Business?

This story highlights the importance of always using strong, unique passwords, and of changing them whenever there is evidence they have been exposed (rather than on a fixed schedule, which, as the Microsoft story above notes, is increasingly seen as counter-productive). Also, it highlights the danger of using the same username and password on multiple websites, as this provides an easy route to your data for criminals using credential stuffing.

Managing multiple passwords in a way that is secure, effective, and doesn’t rely on memory is difficult, particularly for businesses where there are many sites to manage. One easy-to-use tool that can help is a password manager.  Typically, these are installed as browser plug-ins that handle password capture and replay: when you log into a secure site they offer to save your credentials, and on returning to that site they fill those credentials in automatically (and only on the genuine site, which also helps against look-alike phishing pages). Password managers can also generate new, random passwords when you need them and paste them into the right places, as well as syncing your passwords across all your devices. Examples of popular password managers include Dashlane, LastPass, Sticky Password, and Password Boss; password vaults built into other programs and CRMs include Zoho Vault and Keeper Password Manager & Digital Vault.

Chrome’s built-in password manager (improved in version 69) could also help those who still rely on very weak passwords such as 123456, password, 12345678 and qwerty.  It suggests passwords containing at least one lowercase character, one uppercase character and at least one number, and where a website requires symbols it can add those too. Users can edit the suggested password, and each time they click away from a suggestion a new one is generated. Chrome stores the generated password so that users don’t have to write it down or remember it, and when they are signed in it is synced to their other devices.

If you’re worried that people in your business may currently be using passwords that have already been stolen, Mr Hunt makes the full list of breached passwords available for download, including as NTLM hashes that can be compared directly against the password hashes in an Active Directory domain, here:  https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/  and he answers popular questions about the stolen passwords in the ‘FAQs’ section of his blog post here: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/.
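The check that Mr Hunt’s Pwned Passwords service makes possible, as an added Python example that is not Troy Hunt’s code: the password is hashed with SHA-1, only the first five hex characters of that hash are sent to the service’s range endpoint, and the list of hash suffixes with breach counts that comes back is matched locally, so the password itself never leaves your network. The NTLM list linked above is used the same way against hashes extracted from Active Directory. The endpoint URL in the comments is the service’s real one, but the range response below is a constructed stand-in with illustrative counts so that the code runs offline.

```python
"""Offline demonstration of a k-anonymity Pwned Passwords check.

Added example for this article, not code from Have I Been Pwned. The live service
is queried with GET https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>
and answers with lines of "<remaining 35 hex chars>:<breach count>". The ranges
below are a constructed stand-in with illustrative counts.
"""
import hashlib


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, which is how Pwned Passwords keys its data."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix sent to the service, suffix kept locally for matching)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Map each 35-character hash suffix in a range response to its breach count."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":")
        counts[suffix.upper()] = int(count)
    return counts


def _range_line(password: str, count: int) -> str:
    """Build one response line for a known password (used only to construct the stand-in)."""
    return sha1_hex(password)[5:] + ":" + str(count)


# Constructed stand-in for the service, keyed by 5-character prefix. The counts are
# illustrative, not the service's real figures; the all-"A"/"B" suffixes are filler
# standing in for the hundreds of unrelated suffixes a real range contains.
CONSTRUCTED_RANGES = {
    sha1_hex("123456")[:5]: "\n".join([_range_line("123456", 23_000_000), "A" * 35 + ":3"]),
    sha1_hex("password")[:5]: "\n".join(["B" * 35 + ":1", _range_line("password", 3_600_000)]),
}


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP request. The live equivalent would be
    urllib.request.urlopen("https://api.pwnedpasswords.com/range/" + prefix).read().decode()."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 if never seen).
    Only the 5-character prefix is handed to `fetch`; the suffix match happens here."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def audit(passwords, fetch=fetch_range) -> dict:
    """Return only the passwords that have been seen in breaches, with their counts."""
    hits = {}
    for pw in passwords:
        n = breach_count(pw, fetch)
        if n:
            hits[pw] = n
    return hits


if __name__ == "__main__":
    for pw, n in audit(["123456", "correct horse battery staple", "password"]).items():
        print(f"{pw!r}: seen {n:,} times; reject or force a reset")
```

Swapping `fetch_range` for a real HTTP call is the only change needed to run this against the live service, and because the service is keyed on the prefix alone, whoever operates it learns nothing about which password was checked beyond the roughly one-in-a-million bucket it falls into.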