Security

The Difference Between Backup and Disaster Recovery

Posted on by Andy Miller

We’re all familiar with the value of making a backup of business data, but how does this fit with ‘Disaster Recovery’ and ‘Business Continuity’ strategies?  This article takes a brief look at how these elements fit together to ensure that businesses can survive, function and get back up to speed when disastrous events (external or internal) pose a serious threat.

Reality

Normal life rules apply to the business environment i.e. things can and do go wrong, and backup and disaster recovery are both based upon this understanding.

Business continuity in the event of a ‘disaster’, is about making sure that your essential operations and core business functions can keep running while the repairs can be made that get you back up to speed.

What Could Go Wrong?

There is a potentially huge range of ‘disasters’ that businesses could make plans to be able to overcome, and even though organisations come in different sizes and have different budgets, the risks they face are generally the same.  Typically, the more obvious ‘disaster’ threats the business include:

  • Hardware failures/server failures.
  • Outages and/or file corruption
  • The effects of cyber-attacks.  For example, 53% of senior managers believe that a cyber-attack is the most likely thing to disrupt their business (Sungard AS 2019) and the effects could include damage to / locking out of systems (malware and ransomware), fraud and extortion, data breaches (which could also attract fines under GDPR, damaging publicity and loss of customers).
  • Environmental/natural disasters e.g. fire and flood.
  • Important 3rd supplier failure or the loss of key employees.
  • Failures of part / a component of a network e.g. as highlighted by recent problems with banking and airline industry services.
  • Theft or loss of equipment holding company data.

Backing Up Your Data – Where To Store It

When it comes to backups, security, integrity, cost, scalability, complying with legislation, your own business plans, and ease of daily use are all considerations.  Where / how to store backed-up data is a decision tackled differently by different companies.  In the UK, GDPR (the data protection regulations) should be taken into account in these decisions.  Places to back up data could include:

  • On-site – storing data in the same location e.g. on an external hard drive in the workplace.  Although the data backup is close to hand, this is not a particularly secure solution and in the event of flood/fire/theft disasters, your data would be gone.
  • Off-site – taking the data away on a hard drive or another physical storage medium.  This means it’s less at risk from local issues (e.g. loss, theft, damage) but could mean it takes longer to restore data .
  • Online – backing up your data on hosted servers (in the cloud) and accessing them through an application. This is now becoming the preferred method for most businesses as it is convenient and fast (if you have an Internet connection) and it cuts out many of your on-site potential disaster risks (fire, flood, loss and damage of physical storage media).

Some businesses prefer to use a ‘hybrid’ cloud backup to help address any vulnerabilities that cloud-only or local-only backup solutions have.

There are many dedicated online backup solutions available e.g. IDrive Business, Backblaze Business, Carbonite Safem, or larger solutions for businesses with much bigger data backup requirements.

Backup Decisions

Taking regular, secure backups of your business data is an important part of good practice.  It is also an important element of disaster recovery and the business continuity process.

There are several types of backup that businesses need to make decisions about.  These include whether, if/when and how to make:

  • A full backup – one that covers every folder and file type and typically takes a long time.
  • An incremental backup – the first back up is a full one, followed by simply backing up any changes made to the previous backup.
  • A differential backup – similar to an incremental backup, requires more storage space but has a faster restore time.
  • A mirror backup – an exact copy of your data that has the advantage of removing the obsolete files each time.
  • An Image-based backup – captures images of all data and systems rather than just copying the files.
  • A clone of your hard drive – similar to imaging and creates an exact cloned drive with no compression.

In reality, many businesses make use of many different types of backup solutions at the same time.

Business Continuity, Backup Decisions and Disaster Recovery

Accepting that disasters happen and that you can plan how to maintain business continuity while you deal with them (using a disaster recovery plan) is an important step in safeguarding your business. Maintaining the ability to ensure that core functions and critical systems remain in place in the event of a disaster (business continuity) involves planning, an important part of which is the disaster recovery plan (DRP).  Creating this plan is usually an interdepartmental process, which is often led by information technology.

RTO & RPO – Linking Backups To Your DRP.

There are two metrics you can use to help you to make data backup decisions that relate to your DRP.

The Recovery Time Objective (RTO): the recovery window / how long (time) the business realistically has to recover from a disaster before there are unacceptable consequences.

The Recovery Point Objective (RPO): how far back (the maximum tolerable period of time) your organisation needs to go in recovering data that may have been lost due to a disaster.

By working out these time periods (particularly RPO), it can help you to decide upon the frequency of backups, which backup methods are most suitable and preferable to you e.g. the need to go back longer periods may favour online backups, and businesses with  large quantities of valuable historic data may struggle with a short RTO (which may require tiered data recovery).

In today’s business environment it is worth bearing in mind that your customers are not likely to be very tolerant of downtime, so recovery windows now need to be as short as possible. Many businesses, therefore, simply opt for a daily backup.

Disaster Recovery Plan

At the heart of your business disaster recovery strategy should be the disaster recovery plan (DRP) which should provide step-by-step workable instructions to ensure a fast recovery.  A DRP should be tested and kept up to date to ensure that it will work in reality in the event of a disaster and typically includes elements like:

  • A plan for roles and communications, detailing employee contact information and who’s responsible for what following the disaster.
  • A plan to safeguard equipment e.g. to keep it off the floor, wrapped in plastic away from flooding.
  • A data continuity system that details what the business needs to run in terms of operations, finances/accounts supplies, and communications.
  • Checking that your data backup regime is working, and that very recent copy is stored in a secure place but would be easily and quickly accessible when needed.
  • An asset inventory, including photos where possible, of the hardware (workstations, printers, phones, servers etc) reference for insurance claims after a major disaster.
  • Keeping (up to date) documentation that lists all vital components of your IT infrastructure, hardware and software, and a sequence of what needs to be done to resume business operations with them.
  • Photos showing that the hardware was in use by employees and that care had been taken to minimise risk e.g. items were off the floor (e.g. to avoid flood damage).
  • A supplier communication and service restoration plan so that you quickly restore services and key supplies after the disaster.
  • Details of a secondary location where your business could operate from if your primary location was too badly damaged in a disaster.
  • Details of the testing, optimisation and automation of your plan to ensure that it could be implemented quickly, as easily as possible, and free from human error.

Putting The Pieces Together

The basic difference between a backup and disaster recovery, therefore, is that a backup is having a copy of your data, and disaster recovery is the whole strategy to recover your business operations and essential IT environment in the event of a serious event e.g. cyber-attack, equipment failure, fire or flood.

Creating a DRP involves completing a risk assessment and business impact analysis in order to identify critical applications and services, and it is from here that your business can then create its own tailored RTOs and RPOs which in turn, will link to your backup strategy and cycles.

Backups are essential files that enable a full restore, and as such are an important element of ongoing good practice and of your DRP, and your backup should relate strongly to the underlying strategy of disaster recovery.

One thing is certain about backup and disaster recovery which is that having no plan for either is means planning to fail.

Hacker’s Website Closed Down In International Operation

Posted on by Andy Miller

A website (and its supporting infrastructure) which sold a variety of hacking tools to other would-be cybercriminals has been closed down after an investigation by agencies from multiple countries including the UK’s National Crime Agency (NCA).

IM-RAT

The main tool that the agencies were particularly interested in eradicating was the Imminent Monitor Remote Access Trojan (IM-RAT) which is a hacking tool, of Australian origin, which has been on sale for 6 years and was available for sale via the Imminent Monitor website.

According to Europol, once installed on a victim’s computer the IM-RAT malware, which could be purchased for as little as $25, allowed cybercriminals to secretly “disable anti-virus and anti-malware software, carry out commands such as recording keystrokes, steal data and passwords and watch the victims via their webcams”.

Big International Operation

The investigation and the operation to shut down the sale of IM-RAT was led by the Australian Federal Police (AFP) and involved judicial and law enforcement agencies in Europe, Colombia and Australia, and was coordinated by Europol and Eurojust.

Coordinated law enforcement activity has now ended the availability of IM-RAT, which was used across 124 countries and sold to more than 14 500 buyers. IM-RAT can no longer be used by those who bought it.

In a week of actions (in November), the international agencies dismantled the infrastructure of IM-RAT, arrested 14 of its most prolific users and seized over 430 devices for forensic analysis.

Back in June, search warrants were executed in Australia and Belgium against the developer and one employee of IM-RAT and most recently, actions to fully shut down the distribution of IM-RAT have also been taken in Australia, Colombia,  Czechia, the Netherlands, Poland, Spain, Sweden and the UK.

In the UK, it has been reported that the NCA searched properties in Hull, Leeds, London, Manchester, Merseyside, Milton Keynes, Nottingham, Somerset and Surrey in relation to the investigation.

The shutting down of the whole IM-RAT infrastructure, and the detailed analysis of the malware and the website used to sell it mean that IM-RAT can no longer be used.

Tens of Thousands of Victims

With the IM-RAT malware/hacking tool being so widely used, Europol believes that there are probably tens of thousands of victims around the world, and so far, investigators have been able to find evidence of stolen personal details, passwords, private photographs, video footage and data.

IM-RAT

Although IM-RAT allows cybercriminals to secretly take control of a computer, there are some common signs which indicate that a computer may have been infected with IM-RAT.  These signs include an unusually slow internet connection, unknown processes running in a system (which are visible in the Task Manager, Processes tab), files being modified or deleted without your permission, and unknown programs being installed on your device (visible in the Control Panel, Add or Remove Programs).

What Does This Mean For Your Business?

For businesses, this kind of malware caused considerable problems, not least in terms of data protection, disruption, industrial espionage and extortion, and left their devices wide open to hackers. This internationally co-ordinated move by multiple agencies is an important step in the battle against so-called ‘crime as a service’ and bulletproof hosting where organised gangs have sought to profit from crimes that they can carry out from a distance via the Internet.

If you believe that your device may have been infected by IM-RAT, the Europol advice is to disconnect your device from the network in order to prevent any additional malicious activity, install trustworthy security software, and run a scan of your device using security software. When you’re satisfied that you’ve removed the infection, change the passwords for your online accounts and check your banking activity.

Some general steps you can take to guard against falling victim to malware include keeping your anti-virus software and patching up to date, installing a firewall, only using strong passwords (that aren’t shared across different accounts), covering up your webcam when its not in use, regularly backing up your data, and making sure that you don’t open any suspicious-looking emails and attachments even if they do come from people on your contact list.

New Brave Browser: Blocks Ads, Pays Rewards

Posted on by Andy Miller

The new 1.0 browser from Brave removes ads and ad trackers and pays users through a reward system for viewing the ads that Brave presents.

Brave?

Brave is a San Francisco based start-up company, founded in 2015 and led by CEO Brendan Eich, formally of Firefox.

Ad and Tracker-Free

Two of the key advantages of the new Brave browser are that it protects a user’s privacy by removing ad trackers and makes browsing a faster (download time) and less distracting experience by removing adverts.

Displays Its Own Adverts and Pays You For Viewing Them

The big difference about Brave is that it offers its own Brave Rewards system. Users who join the system only see adverts from Brave and are paid 70% of the resulting ad revenue using Brave’s own crypto-token, the Basic Attention Token (BAT).  Brave also sends the revenue you accrue back to the websites you’ve visited.

The advantages of this system should be that it can lure new users to Brave in a crowded browser market with the promise of money and a better browsing experience and improved privacy and that websites can still find a way to support themselves with advertising without having to share the personal data of users with tech companies.  The hope is that, if this browser and model gains user approval on a large-scale it will eventually deter publishers from trying to profile the behaviour of their users via privacy-invading trackers.

Earnings

Users who sign-up to the Brave Rewards system can choose where to direct the BAT they’ve earned e.g. send it certain sites, tip Twitter and Reddit users or choose to convert it into currency (which is unlikely to be a large amount).

Numbers

There are some very well-established players in the Browser market which is currently dominated by Google Chrome which has more than 65% of the market (around 2+ billion installs).

In comparison, Brave says that it is used 8.7 million times each month on Windows, macOS, Android and iOS. The company has, however, reported that the number of users is growing by 10% per month.

What Does This Mean For Your Business?

Privacy is a big concern for all web-users and trying to download web pages that are full of adverts can be a frustrating and a time and power-draining experience. Businesses also need to be able to use the tools available to them to make sure that they can get the maximum ROI from their advertising spend, plus the big tech companies need to be able to offer their business customers an ad system that delivers results, hence the perceived need for trackers and profiling the behaviour of customers.  Web publishers also need to have a viable way to help support their sites and offer content to their users (without a payment gateway) and this has traditionally been through advertising on their pages, much to the frustration of website visitors.  Brave’s browser, therefore, tries to meet the needs of all these groups in one package.  The combination of improved privacy, financial incentives and better browsing experience may prove appealing to users, and publishers may take note of the Brave model and realise that there is another way of supporting their sites. It remains to be seen, however, how much share of the browser market Brave can gain and how well it fares against some powerful and entrenched competitors.

Despite Patches, Researchers Warn That Intel Chips Are Still Vulnerable

Posted on by Andy Miller

The New York Times has reported that despite Intel issuing patches for security flaws (that were discovered last year) in its processors, security researchers are alleging that the processors still have some serious vulnerabilities.

What Flaws?

In January 2018, it was discovered that nearly all computer processors made in the last 20 years contained two flaws known as ‘Meltdown’ and ‘Spectre’. The 2 flaws could make it easier for something like a malicious program to steal data that is stored in the memory of other running programs.

Meltdown, discovered by researchers from Google’s Project Zero, the Technical University of Graz in Austria and the security firm Cerberus Security in Germany, affects all Intel, ARM, and other processors that use ‘speculative execution’ to improve their performance; i.e. when a computer performs a task that may not be actually needed in order to reduce overall delays for the task (a kind of optimisation).

Meltdown could, for example, leave passwords and personal data vulnerable to attacks, and could be applied to different cloud service providers as well as individual devices. It is believed that Meltdown could affect every processor since 1995, except for Intel Itanium and Intel Atom before 2013.

Spectre, which affects Intel, AMD and ARM (mainly Cortex-A) processors, allows applications to be fooled into leaking confidential information. Spectre affects almost all systems including desktops, laptops, cloud servers, and smartphones.

8 More Flaws Discovered

Then, in May 2018, 8 more security flaws in chips/processors were discovered by several different security teams.  The new ‘family’ of bugs were dubbed Spectre Next Generation (Spectre NB).

September 2018

According to reports by The New York Times, the Dutch researchers (at Vrije Universiteit Amsterdam) also reported a range of security issues about Intel’s processors to the company in September 2018 and provided Intel with a proof-of-concept code to help them to develop fixes

14 Months On – Only Some Fixes

It has been reported that after waiting 8 months to allow Intel enough time to develop fixes (of which only some have issued), and more than a year after providing Intel with a proof-of-concept code, Intel has only just announced the issue of more security updates earlier this week.

More Vulnerabilities

Unfortunately for Intel, just as they announced the issue of new security fixes last week, the researchers notified them of more unfixed flaws, and it has been alleged that Intel asked the researchers to alter the report about the flaws and to effectively stay quiet about them.

MDS

The latest unpatched flaw in Intel processors that the researchers from Amsterdam, Belgium, Germany and Austria have gone public about is a hacking technique, which is a variant of ZombieLoad or RIDL (Rogue In-Flight Data Load). The technique which exploits a flaw in Intel processors is known as microarchitectural data sampling (MDS) and it can enable hackers to carry out several different exploits e.g. running code on the victim’s computer that forces the processor to leak data.

Criticism

The news that there may still be flaws in Intel’s processors after the company appears to have had a long time to fix them has prompted some criticism of Intel online, some of it reported in the New York Times e.g. allegations  that there has been a lack of transparency about the issue from Intel, that the company has tried to downplay the problems, and allegations that Intel may not decide to do much to fix the problem until its reputation is at stake.

What Does This Mean For Your Business?

Bearing in mind that these flaws are likely to exist at the architectural level in the majority of processors, this story is bad news for businesses that have been legitimately trying to make themselves totally compliant with GDPR and as secure as possible from attack.

For the time being, in the short term, and unless processor companies try to completely re-design processors to eliminate the flaws, closing hardware flaws using software patches is the only realistic way to tackle the problem and this can be a big job for manufacturers, software companies, and other organisations that choose to take that step. It is good practice anyway for businesses to install all available patches and make sure that they are receiving updates for all systems, software and devices.

The hope is now that researchers can put enough pressure on processor manufacturers e.g. through bad publicity to make them speed up their efforts to tackle the known security flaws in their products.

Research Says Memes Can Tell Between Humans and Bots

Posted on by Andy Miller

Researchers from the University of Delaware have concluded that when it comes to authentication for logins, Memes may be one of the strongest techniques to distinguish between a human and a bot.

The Bot Challenge

One of the great challenges to websites when it comes to authentication for logins is that software bots can fool relatively simple tests such as ticking a box to say, ‘I’m not a robot’ and CAPTCHA (both words and images). Also, neural networks and machine learning have helped to train bots to behave more like humans.  With more than half of web traffic believed to be made of bots and to stop bots gaining easy access to sensitive data, correct authentication needs to be based upon a system that can effectively tell humans and bots apart.

Memes Could Be The Answer

According to the University of Delaware researchers, the dynamic nature of memes and the fact that bots don’t get cultural references and online humour, and that humans are familiar with and can understand memes with a greater depth than bots could mean that memes could be the answer to the ‘bot or human’ authentication challenge.

Memes are activities, concepts, catchphrases, or pieces of media, often humorous and/or mimicking, and commonly in the form of an image, gif or video that have cultural meaning and tend to be shared widely on social media platforms.

How Could Memes Work For Authentication?

According to the researchers, after the correct username and password have been verified on login to a website, a meme could be displayed with a question about the meme that relates to something that bots wouldn’t be able to spot.  For example, this question could relate to the facial expression of the person in the meme or to the action taking place in the meme (bots wouldn’t be able to accurately tell what the facial expression is or what it means in relation to that meme). Several possible answers relating to that meme could be given and clicking on the right option will mean that a person is granted entry to the website.

The fact that there is a vast number of memes available online means that the meme and its answer options used for one authentication process can then be deleted from the database to ensure that no answers are stored and learned by bots.

What Does This Mean For Your Business?

With more than half of web traffic being made up of bots, and with bots being able to fool many existing systems and with the data security, privacy and fraud risks that bots pose, businesses need to know that their websites have an effective system that can accurately distinguish between humans and bots at the login stage, but not make the process of authentication too complicated or lengthy for registered users.

The cultural references, humour, and subtleties in memes could, therefore, make them an effective way to make that distinction, and could keep businesses ahead of the game until AI/machine learning in bots necessitates another change.

Office 365 Voicemail Phishing Scam Warning

Posted on by Andy Miller

Security company McAfee has reported observing a phishing scam which uses a fake voicemail message to lure victims into entering their Office 365 email credentials into a phishing page.

How The Attack Works

According to McAfee’s blog, the first step in the phishing scam is the victim being sent an email informing them that they have missed a phone call.  The email includes a request to login to their account to access their voicemail.

The email message actually contains an HTML attachment which, when loaded, re-directs the victim to a phishing website. Although there are slightly different versions of the attachment, the most recent examples are reported to contain an audio recording which is designed to make the victim believe they are listening to the beginning of a legitimate voicemail.

Once re-directed to the bogus Microsoft account login page, the victim will see that their email address has already been loaded in the login field, thereby helping to create the illusion that this is their real Microsoft login page.

If the victim enters their password, the deception continues as they are shown a page saying that their login has been successful, and they are being re-directed to the home page.

Three Different Phishing Kits

Cybercriminals frequently buy-in phishing kits to launch their attacks. These are collections of software tools, created by professional phishers, that can be purchased and downloaded as a set. These phishing kits make it much easier for those with limited technical and coding skills or phishing experience to launch a phishing attack.

McAfee reports that as many as three different phishing kits are being used to make the fake websites involved in this scam. These are:

  1. Voicemail Scmpage 2019 – being sold on an ICQ channel, and used to harvest your email, password, IP Address and location details.
  2. Office 365 Information Hollar – similar to Voicemail Scmpage 2019 and used to harvest the same data.
  3. A third unnamed kit, which McAfee says is the most prevalent malicious page they have observed in the tracking of this particular campaign.  McAfee says that this kit appears to use code from 2017 malicious kit that was used to target Adobe users.

File Names For The Attachments

To help you spot this phishing attack McAfee has listed list the file names for attachments in the phishing email as being:

  • 10-August-2019.wav.html [Format: DD-Month-YYYY.wav.html]
  • 14-August-2019.html [Format: DD-Month-YYYY.html]
  • Voice-17-July2019wav.htm [Format: Voice- DD-MonthYYYYwav.htm]
  • Audio_Telephone_Message15-August-2019.wav.html [Format: Audio_Telephone_MessageDD-Month-YYYY.wav.html]

What Does This Mean For Your Business?

Reports indicate that this phishing attack has proved quite successful up until now, partly because the pages and steps appear authentic (and load the users email address as real login page does), and it uses social engineering and urgency (with audio) in a way that may prompt may people to suspend their critical faculty long enough complete the few short actions that it takes to give their details away.

The advice to businesses is, therefore, to be vigilant and to not open emails from unfamiliar sources or with unfamiliar attachments.  You may also want to use Two-Factor Authentication (2FA) where possible, and enterprise users may wish to block .html and .htm attachments at the email gateway level so that they don’t reach members of staff, some of whom may not be up to speed with their Internet security knowledge.

There is also a strong argument for not using the same password for multiple platforms and websites (password sharing).  This is because credentials stolen in one breach are likely to be tried on many other websites by other cybercriminals (credential stuffing) who have purchased/acquired them e.g. on the dark web.

Keeping anti-virus and software patches up to date and making sure that staff receive training and education about cybersecurity risks and what procedures should be followed if suspicious emails or other messages are spotted can also help companies to maintain good levels of cybersecurity.

ICO Warns Police on Facial Recognition

Posted on by Andy Miller

In a recent blog post, Elizabeth Denham, the UK’s Information Commissioner, has said that the police need to slow down and justify their use of live facial recognition technology (LFR) in order to maintain the right balance in reducing our privacy in order to keep us safe.

Serious Concerns Raised

The ICO cited how the results of an investigation into trials of live facial recognition (LFR) by the Metropolitan Police Service (MPS) and South Wales Police (SWP) led to the raising of serious concerns about the use of a technology that relies on a large amount of sensitive personal information.

Examples

In December last year, Elizabeth Denham launched the formal investigation into how police forces used FRT after high failure rates, misidentifications and worries about legality, bias, and privacy.  For example, the trial of ‘real-time’ facial recognition technology on Champions League final day June 2017 in Cardiff, by South Wales and Gwent Police forces was criticised for costing £177,000 and yet only resulting in one arrest of a local man whose arrest was unconnected.

Also, after trials of FRT at the 2016 and 2017 Notting Hill Carnivals, the Police faced criticism that FRT was ineffective, racially discriminatory, and confused men with women.

MPs Also Called To Stop Police Facial Recognition

Back in July this year, following criticism of the Police usage of facial recognition technology in terms of privacy, accuracy, bias, and management of the image database, the House of Commons Science and Technology Committee called for a temporary halt in the use of the facial recognition system.

Stop and Take a Breath

In her blog post, Elizabeth Denham urged police not to move too quickly with FRT but to work within the model of policing by consent. She makes the point that “technology moves quickly” and that “it is right that our police forces should explore how new techniques can help keep us safe. But from a regulator’s perspective, I must ensure that everyone working in this developing area stops to take a breath and works to satisfy the full rigour of UK data protection law.”

Commissioners Opinion Document Published

The ICO’s investigations have now led her to produce and publish an Opinion document on the subject, as is allowed by The Data Protection Act 2018 (DPA 2018), s116 (2) in conjunction with Schedule 13 (2)(d).  The opinion document has been prepared primarily for police forces or other law enforcement agencies that are using live facial recognition technology (LFR) in public spaces and offers guidance on how to comply with the provisions of the DPA 2018.

The key conclusions of the Opinion Document (which you can find here: https://ico.org.uk/media/about-the-ico/documents/2616184/live-frt-law-enforcement-opinion-20191031.pdf) are that the police need to recognise the strict necessity threshold for LFR use, there needs to be more learning within the policing sector about the technology, public debate about LFR needs to be encouraged, and that a statutory binding code of practice needs to be introduced by government at the earliest possibility.

What Does This Mean For Your Business?

Businesses, individuals and the government are all aware of the positive contribution that camera-based monitoring technologies and equipment can make in terms of deterring criminal activity, locating and catching perpetrators (in what should be a faster and more cost-effective way with live FRT), and in providing evidence for arrests and trials.  The UK’s Home Office has also noted that there is general public support for live FRT in order to (for example) identify potential terrorists and people wanted for serious violent crimes.  However, the ICO’s apparently reasonable point is that moving too quickly in using FRT without enough knowledge or a Code of Practice and not respecting the fact that there should be a strict necessity threshold for the use of FRT could reduce public trust in the police and in FRT technology.  Greater public debate about the subject, which the ICO seeks to encourage, could also help in raising awareness about FRT, how a balanced approach to its use can be achieved and could help clarify matters relating to the extent to which FRT could impact upon our privacy and data protection rights.

“Stalkerware” Partner-Spying Software Use Rises By 35% In One Year

Posted on by Andy Miller

Kaspersky researchers have reported a 35 per cent rise in the number of people who have encountered the use of so-called ‘stalkerware’ or ‘spouseware’ software in the first 8 months of this year.

What is Stalkerware?

Stalkerware (or ‘spouseware’) is surveillance software that can be purchased online and loaded onto a person’s mobile device. From there, the software can record all of a person’s activity on that device, thereby allowing another person to read their messages, see screen activity, track the person through GPS location, access their social media, and even spy on the mobile user through the cameras on their device.

Covert, Without Knowledge or Consent

The difference between parental control apps and stalkerware is that stalkerware programs are promoted as software for spying on partners and they run covertly in the background without a person’s knowledge or consent.

Unlike legitimate parental control apps, such programs run hidden in the background, without a victim’s knowledge or consent. They are often promoted as software for spying on people’s partners.

Most Stalkerware needs to be installed manually on a victim’s phone which means that the person who intends to carry out the surveillance e.g. a partner, needs physical access to the mobile device.

Figures from Kaspersky show that there are now 380 variants of stalkerware ‘in the wild’ this year, which is 31% more than last year.

Most In Russia

Kaspersky’s figures show that this kind of surveillance software is most popular in Russia, with the UK in eighth place in Kaspersky’s study.

What Does This Mean For Your Business?

Unlike parental control apps which serve a practical purpose to help parents to protect their children from the many risks associated with Internet and mobile phone use, stalkerware appears to be more linked to abuse because of how it has been added to a device without a user’s consent to covertly and completely invade their privacy.  This kind of software could also be used for industrial espionage by a determined person who has access to a colleague’s mobile phone.

If you’d like to avoid being tracked by stalkerware or similar software, Kaspersky advises that you block the installation of programs from unknown sources in your smartphone’s settings, never disclose the passwords/passcode for your mobile device, and never store unfamiliar files or apps on your device.  Also, those leaving a relationship may wish to change the security settings on their mobile device.

Kaspersky also suggests that you should check the list of applications on your device to find out if suspicious programs have been installed without your consent.

If, for example, you find out that someone e.g. a partner/ex-partner has installed surveillance software on your devices, and/or does appear to be stalking you, the advice is, of course, to contact the police and any other relevant organisation.

Google Leadership Accused Of Developing Internal Surveillance Tool

Posted on by Andy Miller

Some Google employees have accused the company’s leadership of developing a browser-based file extension for all of Google’s in-house computers that could flag-up signs of workers trying to organise meetings and protests.

Google Employees

The story came to light in a memo written by a Google employee that is reported to have been seen and verified by 3 other anonymous Google employees and Bloomberg News.  In the memo it was alleged that a team within the company had developed a surveillance tool, disguised as a calendar, that could be added to the custom Chrome browser used on Google’s computers.

How?

The employee’s memo alleged that the browser extension would be able to report any staff who booked a calendar event which involved the need for more than 10 rooms, or scheduled an event with more than 100 people, and the alleged reason for flagging up these details was to warn the company’s leadership about any attempt to organise workers for the purposes of industrial action e.g. meetings and protests related to labour rights.

Reviewed

Reported employee memos have suggested that work on the tool started in September and that Google’s privacy team approved the tool’s release but also expressed some concerns about the culture at Google.

According to Google, however, the tool was developed over several months and was subject to Google’s standard privacy, security and legal reviews.

Rollout In October

According to reports of a memo posted on an internal staff message board, the surveillance tool is due to be rolled out this month (October), and there is a report of two Google workers in California saying that the tool has already been added to their browsers.

‘Trouble at Mill’

There has been speculation by some commentators that the tool may have been developed in response to recent outbreaks of organised activity by workers concerned about the company’s attitude to their rights, the ethics of some of the company’s projects, and how Google may have handled some complaints.  For example, some workers in the company’s Zurich office held an event about workers’ rights and unionisation, and some Google employees have protested about products such as the ‘Project Dragonfly’ search engine that could allow Google to re-enter the Chinese market by censoring certain terms.  Human rights groups had also been vocal in criticising this idea saying that it appeared to support state censorship.

What Does This Mean For Your Business?

For Google employees, many of whom are used to working in an environment of relative freedom where creativity and collaboration are encouraged, an apparent cultural shift (if indeed that is what is happening) towards a more authoritarian and less trusting approach where ethics could come lower down the list of priorities in the search for profits would be likely to be a shock, and could possibly damage the relationship and the trust between management and workers.  It is unlikely that workers anywhere would respond positively to being subjected to a kind of covert surveillance and internal censorship, particularly if they believed that it was being carried out to curtail certain aspects of their labour rights.  The resulting bad publicity could also damage a company’s brand and therefore, the company’s competitiveness and customer perceptions of the company.

It should be said, however, that the reports of the development of the browser tool in Google rest upon the alleged details of memos, and it is unclear to date how accurate the reports are.

Amazon Echo and Google Home ‘Smart Spies’

Posted on by Andy Miller

Berlin-based Security Research Labs (SRL) discovered possible hacking flaws in Amazon Echo (Alexa) and Google Home speakers and installed their own voice applications to demonstrate hacks on both device platforms that turned the assistants into ‘Smart Spies’.

What Happened?

Research by SRL led to the discovery of two possible hacking scenarios that apply to both Amazon Alexa and Google Home which can enable a hacker to phish for sensitive information in voice content (vishing) and eavesdrop on users.

Knowing that some of the apps offered for use with Amazon Echo and Google Home devices are made by third parties with the intention of extending the capability of the speakers, SRL was then able to create its voice apps designed to demonstrate both hacks on both device platforms. Once approved by both device platforms, the apps were shown to successfully compromise the data privacy of users by using certain ‘Skills and actions’ to both request and collect personal data including user passwords by eavesdropping on users after they believed the smart speaker has stopped listening.

Amazon and Google Told

SRL’s results and the details of the vulnerabilities were then shared with Amazon and Google through a responsible disclosure process. Google has since announced that it has removed SRL’s actions and is putting in place mechanisms to stop something similar happening in future.  Amazon has also said that it has blocked the Skill inserted by SRL and has also put in preventative mechanisms of the future.

What Did SRL’s Apps Do?

The apps that enabled the ‘Smart Spy’ hacks took advantage of the “fallback intent”, in a voice app (the bit that says I’m sorry, I did not understand that. Can you please repeat it?”), the built-in stop intent which reacts to the user saying “stop” (by changing the functionality of that command after the apps were accepted), and leveraged a quirk in  Alexa’s and Google’s Text-to-Speech engine that allows inserting long pauses in the speech output.

Examples of how this was put to work included:

  • Requesting the user’s password through a simple back-end change by creating a password phishing Skill/Action. For example, a seemingly innocent application was created such as a horoscope.  When the user asked for it, they were given a false error message e.g. “it’s not available in your country”.  This triggered a minute’s silence which led to the user being told “An important security update is available for your device. Please say start update followed by your password.” Anything the user said after “start” was sent to the hacker, in this case, thankfully, SRL.
  • Faking the Stop Intent to allow eavesdropping on users. For example, when a user gave a ‘stop’ command and heard the ‘Goodbye’ message, the app was able to continue to secretly run and to pick up on certain trigger words like “I” or words indicating that personal information was about to follow, i.e. “email”, “password” or “address”. The subsequent recording was then transcribed and sent back to SRL.

Not The First Time

This is not the first time that concerns have been raised about the spying potential of home smart speakers.  For example, back in May 2018, A US woman reported that a private home conversation had been recorded by her Amazon’s voice assistant, and then sent it to a random phone contact who happened to be her husband’s employee. Also, as far back as 2016, US researchers found that they could hide commands in white noise played over loudspeakers and through YouTube videos in order to get smart devices to turn on flight mode or open a website. The researchers also found that they could embed commands directly into recordings of music or spoken text.

Manual Review Opt-Out

After the controversy over the manual, human reviewing of recordings and transcripts taken via the voice assistants of Google, Apple and Amazon, Google and Apple had to stop the practice and Amazon has now added an opt-out option for manual review of voice recordings and their associated transcripts taken through Alexa.

What Does This Mean For Your Business?

Digital Voice Assistants have become a popular feature in many home and home-business settings because they provide many value-adding functions in personal organisation, as an information point and for entertainment and leisure.  It is good news that SRL has discovered these possible hacking flaws before real hackers did (earning SRL some good PR in the process), but it also highlights a real risk to privacy and security that could be posed by these devices by determined hackers using relatively basic programming skills.

Users need to be aware of the listening potential of these devices, and of the possibility of malicious apps being operated through them.  Amazon and Google may also need to pay more attention to the reviewing of third party apps and of the Skills and Actions made available in their voice app stores in order to prevent this kind of thing from happening and to close all loopholes as soon as they are discovered.