Software

Your Password Can Be Guessed By An App Listening To Your Keystrokes

Researchers from SMU’s (Southern Methodist University) Darwin Deason Institute for Cyber-security have found that the sound waves produced when we type on a computer keyboard can be picked up by a smartphone and a skilled hacker could decipher which keys were struck.

Why?

The research was carried out to test whether the ‘always-on’ sensors in devices such as smartphones could be used to eavesdrop on people who use laptops in public places such as coffee shops and libraries (if the phones were on the same table as the laptop), and whether there was a way to successfully decipher what was being typed from just the acoustic signals.

Where?

The experiment took place in a simulated noisy Conference Room at SMU where the researchers arranged several people, talking to each other and taking notes on a laptop. As many as eight mobile phones were placed on the same table as the laptops or computers, anywhere from three inches to several feet away. The study participants were not given scripts of what to say when talking, could use shorthand or full sentences when typing and could either correct typewritten errors or leave them.

What Happened?

Eric C. Larson, one of the two lead authors and an assistant professor in SMU Lyle School’s Department of Computer Science, reported that the researchers were able to pick up what people were typing at an amazing 41 per cent word accuracy rate, and that this could probably be extended above 41 per cent if the researchers figured out what the top 10 words might be.

Sensors In Smart Phones

The researchers highlighted the fact that there are several sensors in smartphones that are used for orientation and, although some require permission to be switched on, some are always on. It was for these always-on sensors that the researchers were able to develop a specialised app which could process the sensor output and, therefore, predict the key that was pressed by a typist.

What Does This Mean For Your Business?

Most of us may be aware of the dangers of using public Wi-Fi and how to take precautions such as using a VPN.  It is much less well-known, however, that smartphones have sensors that are always on and could potentially be used (with a special app) to eavesdrop.

Mobile device manufacturers may want to take note of this research and how their products may need to be modified to prevent this kind of hack.

Also, users of laptops may wish to consider the benefits of using a password manager for auto-filling instead of typing in passwords and potentially giving those passwords away.

Over A Million Fingerprints Exposed In Data Breach

It has been reported that more than one million fingerprints have been exposed online by biometric security firm Suprema which appears to have installed its standard Biostar 2 product on an open network.

Suprema and Biostar 2

Suprema is a South Korea-based biometric technology company and is one of the world’s top 50 security manufacturers.  Suprema offers products including biometric access control systems, time and attendance solutions, fingerprint live scanners, mobile authentication solutions and embedded fingerprint modules.

Biostar 2 is a web-based, open and integrated security platform that provides access control and time and attendance, manages user permissions, integrates with 3rd party security apps, and records activity logs. Biostar 2 is used by many thousands of companies and organisations worldwide, including the UK’s Metropolitan Police as a tool to control access to parts of secure facilities. Biostar 2 uses fingerprint scanning and recognition as part of this access control system.

What Happened?

Researchers working with cyber-security firm VPNMentor have reported that they were able to access data from Biostar 2 from 5 August until it was made private again on 13 August (Suprema were contacted by VPNMentor about the problem on 7 August). It is not clear how long before 5 August the data had been exposed online. The exposure of personal data to public access is believed to have been caused by the Biostar 2 product being placed on an open network.

In addition to more than one million fingerprint records being exposed, the VPNMentor researchers also claim to have found photographs of people, facial recognition data, names, addresses, unencrypted usernames and passwords, employment history details, mobile device and OS information, and even records of when employees had accessed secure areas.

VPNMentor claims that its team was able to access over 27.8 million records, a total of 23 gigabytes of data,

Affected

VPNMentor claims that many businesses worldwide were affected. In the UK, for example, VPNMentor claims that Associated Polymer Resources (a plastics recycling company), Tile Mountain (a home decor and DIY supplier), and medical supply store Farla Medical were among those affected.

It has been reported that the UK’s data protection watchdog, the Information Commissioner’s Office (ICO) has said that it was aware of reports about Biostar 2 and would be making enquiries.

What Does This Mean For Your Business?

For companies and organisations using Biostar 2, this is very worrying and is a reminder of how data breaches can occur through third-party routes.

In this case, fingerprint records were exposed, and the worry is that this kind of data can never be secured again once it has been stolen. Also, the large amount of other personal employee data that was taken could not only affect individual businesses but could also mean that employees and clients could be targeted for fraud and other crimes e.g. phishing campaigns and even blackmail and extortion.

The breach may have been avoided had Suprema secured its servers with better protection measures, stored not the actual fingerprints but a version that couldn’t be reverse engineered, implemented better rules on its databases, and not left a system that didn’t require authentication open to the internet. Those companies that are still using Biostar 2 and have concerns about it may now wish to contact Suprema for assurances about security.

Facial Recognition at King’s Cross Prompts ICO Investigation

The UK’s data protection watchdog (the Information Commissioner’s Office, i.e. the ICO) has said that it will be investigating the use of facial recognition cameras at King’s Cross by the property development company Argent.

What Happened?

Following reports in the Financial Times newspaper, the ICO says that it is launching an investigation into the use of live facial recognition in the King’s Cross area of central London. It appears that the property development company Argent had been using the technology for an as-yet-undisclosed period, and with an as-yet-undisclosed number of cameras. A reported statement by Argent (in the Financial Times) says that Argent had been using the system to “ensure public safety”, and that facial recognition is one of several methods that the company employs to this aim.

ICO

The ICO has said that, as part of its enquiry, as well as requiring detailed information from the relevant organisations (Argent in this case) about how the technology is used, it will also inspect the system and its operation on-site to assess whether or not it complies with data protection law.

The data protection watchdog has made it clear in a statement on its website that if organisations want to use facial recognition technology they must comply with the law and do so in a fair, transparent and accountable way. The ICO will also require those companies to document how and why they believe their use of the technology is legal, proportionate and justified.

Privacy

The main concern for the ICO and for privacy groups such as Big Brother Watch is that people’s faces are being scanned to identify them as they lawfully go about their daily lives, and all without their knowledge or understanding. This could be considered a threat to their privacy. Also, with GDPR in force, it is important to remember that a person’s face (if filmed, e.g. with CCTV) is part of their personal data, so the handling, sharing, and security of that data also become an issue.

Private Companies

An important area of concern to the ICO, in this case, is the fact that a private company is using facial recognition, because the use of this technology by private companies is difficult to monitor and control.

Problems With Police Use

Following criticism of police use of facial recognition technology in terms of privacy, accuracy, bias, and management of the image database, the House of Commons Science and Technology Committee has recently called for a temporary halt in the use of facial recognition systems. This follows an announcement in December 2018 by the ICO’s head, Elizabeth Denham, that a formal investigation was being launched into how police forces use facial recognition technology (FRT) after high failure rates, misidentifications and worries about legality, bias, and privacy.

What Does This Mean For Your Business?

The use of facial recognition technology is being investigated by the ICO and a government committee has even called for a halt in its use over several concerns. The fact that a private company (Argent) was found, in this case, to be using the technology has therefore caused even more concern and has highlighted the possible need for more regulation and control in this area.

Companies and organisations that want to use facial recognition technology should, therefore, take note that the ICO will require them to document how and why they believe their use of the technology is legal, proportionate and justified, and make sure that they comply with the law in a fair, transparent and accountable way.

Apple Launches ‘Apple Card’

Apple has launched its ‘Apple Card’ in the US in partnership with Goldman Sachs and with processing by Mastercard.

Card

The Apple Card can now be applied for by customers in the US through the Wallet app on iPhone (iPhone 6 and later). The physical laser-etched card, which is made of titanium and has a typically clean Apple design, has no card number, no CVV security code, and no expiration date or signature on it. Although you can buy using the card, the real Apple Card product is incorporated in the Wallet on the customer’s iPhone and works through Apple Pay. Apple says that the card can be used to make purchases in stores, in apps and on websites.

Advantages

Apple says that the Apple Card is built on simplicity, transparency and privacy and that it completely rethinks everything about the credit card. The main advantages of the Apple Card are:

  • There are no fees.
  • It gives instant cashback on purchases.  When you buy something on the Apple Card, you receive a percentage of your purchase back in Daily Cash every day, there’s no limit to how much you can get, and that cash goes right onto the Apple Card and can be used just like cash. Apple says that customers will get 2 per cent Daily Cash every time they use Apple Card with Apple Pay, and 3 per cent Daily Cash on all purchases made directly with Apple, including at Apple Stores, apple.com, the App Store, the iTunes Store and for Apple services.
  • It is secure.  There are no numbers on the card itself and using Apple Card through the iPhone means that it is covered by all the usual Apple Pay security features e.g. Face ID, Touch ID, unique transaction codes.
  • It offers much greater privacy.  Apple says that it doesn’t store the details of where you shop, what you bought, or how much you paid, and Goldman Sachs will not sell or share your spending data with any third party. Also, Mastercard simply processes payments between parties on the global network.
  • The Apple Card shows you how to pay less interest.  For example, the Apple Card shows you a range of payment options and calculates the interest cost on different payment amounts in real-time.
  • The card can help you make more informed purchase choices.  For example, everything you buy gets a category (food, entertainment, shopping) and a colour-coded chart displays how much you’ve spent on each category.

Small Print Warning

This may all sound wonderful but some commentators have warned that when you sign up for the Apple Card you sign up to the standard agreement offered by Goldman Sachs.  Within this agreement is an arbitration clause that essentially means that you waive the right to make any claims, participate in a class action, or be heard in a court at trial for anything related to the agreement.

It is, however, possible to opt-out of the Goldman Sachs arbitration clause within 90 days after opening the account by contacting the company using messages, calling a toll-free number, or writing to a Philadelphia P.O. Box (Apple Card gives full instructions).

What Does This Mean For Your Business?

For other banks and credit companies that are still using traditional cards, this may represent a threat, as Apple, a trusted and globally known brand, is offering something that appears to be more convenient, more secure, and has obvious instant cashback perks.

For Apple, this venture is a way that it can offer value, generate even deeper loyalty among its customers and become more attached to their lives. This creates another important competitive advantage for the tech giant and allows it to gain a deeper understanding of its customers and their habits (even though it says it won’t share any information about those habits).

This also represents an opportunity for Apple to diversify at a time when its iPhone sales have been a bit flat and move towards the provision of services as well as hardware.

Tech Tip – Gallery Go

If you’ve been looking for a good gallery app for Android, Google has created an offline and compact, lite version of Google Photos that is uncluttered and easy to use.

The Gallery Go app works offline, so it doesn’t sync to a Google account (unlike Google Photos). It has only two tabs at the bottom, for pictures and folders, useful search tabs at the top, and a very user-friendly layout.

Gallery Go makes it easy to copy and move photos between folders, you can create new folders, and it supports SD cards. The app also has automatic organisation so that each night, Gallery Go will automatically organise your photos into groups: People, Selfies, Nature, Animals, Documents, Videos and Movies.

Gallery Go is available from the Google Play Store.

Is Your Website Sending Scammers’ Emails?

Research by Kaspersky has discovered that cyber-criminals are now hijacking and using the confirmation emails from registration, subscription and feedback forms of legitimate company websites to distribute phishing links and spam content.

How?

Kaspersky has reported that scammers are exploiting the fact that many websites require users to register their details in order to receive content. Some cyber-criminals are now using stolen email addresses to register victims via the contact forms of legitimate websites.  This allows the cyber-criminals to add their own content to the form that will then be sent to the victim in the confirmation email from the legitimate website.

For example, according to Kaspersky, a cyber-criminal uses the victim’s e-mail address as the registration address, and then enters their own advertising message in the name field e.g. “we sell discount electrical goods. Go to http://discountelectricalgoods.uk.” This means that the victim receives a confirmation message that opens with “Hello, we sell discount electrical goods. Go to http:// discountelectricalgoods.uk Please confirm your registration request”.

Where a victim is asked by a website form to confirm their email address, cyber-criminals are also able to exploit this part of the process by ensuring that victims receive an email with a malicious link.

Advantages

The main advantages to cyber-criminals of using messages sent as a response to forms from legitimate websites are that the messages can pass through anti-spam filters and have the status of official messages from a reputable company, thereby making them more likely to be noticed, opened, and responded to.  Also, as well as the technical headers in the messages being legitimate, the amount of actual spam content carried in the message (which is what the filters react to) is relatively small. The spam rating assigned to messages by anti-spam filters is based on a variety of factors, but these kinds of messages command a prevailing overall authenticity which allows them to beat filters, thereby giving cyber-criminals a more credible-looking and effective way to reach their victims.

What Does This Mean For Your Business?

Most businesses and organisations are likely to have a variety of forms on their website which could mean that they are open to having their reputation damaged if cyber-criminals are able to target the forms as a way to initiate attacks or send spam.

The advice of Kaspersky is that companies and organisations should, therefore, consider testing their own forms to see if they could be compromised.  For example, registering on your own company form with your own personal e-mail address and entering a message in the name field such as “I am selling electrical equipment” as well as including a website address and a phone number, and then checking what appears in your e-mail inbox will show if there are any verification mechanisms for that type of information.  If the message you receive begins “Hello, I am selling electrical equipment”, you should contact the people who maintain your website and ask them to create simple input checks that will generate an error if a user tries to register under a name with invalid characters or invalid parts. Kaspersky also suggests that companies and organisations could consider having their websites audited for vulnerabilities.
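An added example (not Kaspersky’s code or the article’s) of the kind of server-side name-field check described above, written for a Node.js backend; the function and field names are assumed, and the sample submissions are constructed to mirror the article’s self-test:

```javascript
// Added example, not code from Kaspersky or the original article: a
// server-side check for a registration form's "name" field, so that the
// confirmation email built from that field cannot carry an injected advert,
// link or phone number. Assumes a Node.js backend; names are hypothetical.

const NAME_MAX_LENGTH = 64;

// Patterns a real name never needs but injected spam relies on.
const URL_PATTERN = /(https?:\/\/|www\.|[a-z0-9-]+\.(com|net|org|uk|co|io|ru|info)\b)/i;
const PHONE_PATTERN = /\+?\d[\d\s().-]{6,}\d/;
// Letters (any script), combining marks, spaces, apostrophes, hyphens, dots.
const ALLOWED_NAME = /^[\p{L}\p{M}][\p{L}\p{M} .'\-]*$/u;

// Returns { ok: true, name } or { ok: false, reason }.
function validateName(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  const name = raw.trim().replace(/\s+/g, ' ');
  if (name.length === 0) return { ok: false, reason: 'empty' };
  // Look for injected content before the length check so the reason is informative.
  if (URL_PATTERN.test(name)) return { ok: false, reason: 'contains a web address' };
  if (PHONE_PATTERN.test(name)) return { ok: false, reason: 'contains a phone number' };
  if (name.length > NAME_MAX_LENGTH) return { ok: false, reason: 'too long' };
  if (!ALLOWED_NAME.test(name)) return { ok: false, reason: 'invalid characters' };
  if (name.split(' ').length > 5) return { ok: false, reason: 'too many words' };
  return { ok: true, name };
}

// The template owns the opening words; the submitted name is only inserted
// after it passes validation, so a spam message can never become the greeting.
function buildConfirmationEmail(rawName) {
  const result = validateName(rawName);
  if (!result.ok) {
    throw new Error(`registration rejected: name field ${result.reason}`);
  }
  return `Hello ${result.name},\n\nPlease confirm your registration request.`;
}

// Constructed sample submissions, mirroring the article's self-test.
const SAMPLES = [
  "Jane O'Connor",
  'we sell discount electrical goods. Go to http://discountelectricalgoods.uk',
  'I am selling electrical equipment, call 0800 123 4567',
  'Cheap goods at discountelectricalgoods.uk',
  '<script>alert(1)</script>',
];

// Runs every sample through the check and reports the outcome for each.
function checkSamples() {
  return SAMPLES.map((s) => ({ input: s, ...validateName(s) }));
}

for (const r of checkSamples()) {
  console.log(r.ok ? `accepted: ${r.name}` : `rejected (${r.reason}): ${r.input}`);
}
```

The same check belongs on every free-text field that is echoed back in an automated email, not just the name.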

$1 Million Bounty For Finding iPhone Security Flaws

Apple Inc recently announced at the annual Black Hat security conference in Las Vegas that it is offering security researchers rewards of up to $1 million if they can detect security flaws in its iPhones.

Change

This move marks a change in Apple’s bug bounty programme.  Previously, for example, the highest sum offered by Apple was $200,000, and the bounties had only been offered to selected researchers.

The hope appears to be that widening the pool of researchers and offering a much bigger reward could maximise security for Apple mobile devices and protect them from the risk of governments breaking into them.

State-Sponsored Threats

In recent times, state-sponsored interference in the affairs of other countries has become more commonplace with dissidents, journalists and human rights advocates being targeted, and some private companies such as Israel’s NSO Group are even reported to have been selling hacking capabilities to governments. These kinds of threats are thought to be part of the motivation for Apple’s shift in its bug bounty position.

Big Prizes

The $1 million prize appears likely to only apply to remote access to the iPhone kernel without any action from the phone’s user, although it has been reported that government contractors and brokers have paid as much as $2 million for hacking techniques that can obtain information from devices.

Apple is also reported to be making things easier for researchers by offering a modified phone with some security measures disabled.

Updates

If flaws are found in Apple mobile devices by researchers, the plan appears to be that Apple will patch the holes using software updates.

Bug Bounties Not New

Many technology companies offer monetary rewards and permission to researchers and ethical (white hat) hackers / ethical security testers to penetrate their computer systems, networks or computing resources in order to find (and fix) security vulnerabilities before real hackers have the opportunity to use those vulnerabilities as a way in. Also, companies like HackerOne offer guidance as to the amounts to set as bug bounties e.g. anywhere from $150 to $1000 for low severity vulnerabilities, and anywhere from $2000 to $10,000 for critical severity vulnerabilities.

Examples of bug bounty schemes run by big tech companies include Google’s ongoing VRP programme which offers varying rewards ranging from $100 to $31,337 and Facebook’s white hat programme (running since 2011) offering a minimum reward of $500 with over $1 million paid out so far.

What Does This Mean For Your Business?

With the growing number of security threats, a greater reliance on mobile devices and more remote working via mobile devices, mobile security is a very important issue for businesses. A tech company such as Apple offering bigger bug bounties to a wider pool of security researchers could be well worth it when you consider the damage that is done to companies and the reputation of their products and services when a breach or a hack takes place, particularly if it involves a vulnerability that may be common to all models of a certain device.

Apple has made the news more than once in recent times due to faults and flaws in its products e.g. after a bug in group-calling of its FaceTime video-calling feature was found to allow eavesdropping of a call’s recipient to take place prior to the call being taken, and when it had to offer repairs/replacements for problems relating to screen touch issues on the iPhone X and data loss and storage drive failures in 13-inch MacBook Pro computers. Apple also made the news in May this year after it had to recall two different types of plug adapter because of a possible risk of electric shock.

This bug bounty announcement by Apple, therefore, is a proactive way that it can make some positive headlines and may help the company to stay ahead of the evolving risks in the mobile market, particularly at a time when the US President has focused on possible security flaws in the hardware of Apple’s big Chinese rival Huawei.

If the bug bounties lead to better security for Apple products, this can only be good news for businesses.

Fingerprints Replacing Passwords for Some Google Services

Google has announced that users can verify their identity by using their fingerprint or screen lock instead of a password when visiting certain Google services, starting with Pixel devices and coming to all Android 7+ devices in the next few days.

How?

Google says that years of collaboration between itself and many other organizations in the FIDO Alliance and the W3C have led to the development of the FIDO2 standards, W3C WebAuthn and FIDO CTAP that allow fingerprint verification.

The key game-changer in how these new technologies can help users is that, unlike the native fingerprint APIs on Android, FIDO2 biometric capabilities are available on the Web, which means that the same credentials can be used by both native apps and web services. The result is that users only need to register their fingerprint with a service once and the fingerprint will then work for both the native application and the web service.

Fingerprint Not Sent To Google’s Servers

Google is keen to point out that the FIDO2 design is extra-secure because it means that a user’s fingerprint is never sent to Google’s servers but is securely stored on the user’s device.  Only a cryptographic proof that a user’s finger was scanned is actually sent to Google’s servers.

Try It Out

In order to try the new fingerprint system out, you will need a phone running Android 7.0 (Nougat) or later, and you should make sure that your personal Google Account is added to your Android device and that a valid screen lock is set up on it.

Next, open the Chrome app on your Android device, go to https://passwords.google.com, choose a site to view or manage a saved password, and follow the instructions to confirm that it’s you trying to sign in.

Google has provided more detailed instructions here: https://support.google.com/accounts/answer/9395014?p=screenlock-verif-blog&visit_id=637012128270413921-962899874&rd=1

More Places

Google says that this is just the start of the embracing of the FIDO2 standard and that more places will soon be able to accept local alternatives to passwords as an authentication mechanism for Google and Google Cloud services.

What Does This Mean For Your Business?

Not having to use a password but to be able to rely upon fingerprint (biometric) verification (or screen lock) instead should mean greater convenience and security for users of Google’s services, and should also reduce the risk to Google of having to face the results of breaches.

The development and wider use of the FIDO2 standard is, therefore, good news for businesses and consumers alike, particularly considering that Google (at 8% share) is one of the top 10 vendors that account for 70% of the world’s cloud infrastructure services market.

Back in May, Microsoft’s Corporate Vice President and Chief Information Officer Bret Arsenault signalled (in a CNBC interview) that Microsoft was also looking to move away from passwords on their own as a means of authentication, towards biometrics and a “passwordless future”. For example, 90% of Microsoft’s 135,000 workforce can now log into the company’s corporate network without using passwords but instead using biometric technology such as facial recognition and fingerprint scanning via apps such as ‘Windows Hello’ and the ‘Authenticator’ app.

Goodbye Skype for Business, Hello Teams

Microsoft has announced that Skype for Business Online will be giving way to ‘Teams’, with support for Skype for Business ending on 31 July 2021, and all new Microsoft 365 customers due to get Microsoft Teams by default from 1 September 2019.

What Is Teams?

Introduced back in November 2016, ‘Teams’ is a platform designed to help collaborative working and combines features such as workplace chat, meetings, notes, and attachments. Described by Microsoft as a “complete chat and online meetings solution”, it normally integrates with the company’s Office 365 subscription office productivity suite, and Teams is widely considered to be Microsoft’s answer to ‘Slack’.

Slack is a popular, multi-channel collaborative working hub that offers chat channels with companies and businesses you regularly work with, direct voice or video calls and screen-sharing, integrated drag-and-drop file sharing, and an App Directory with over 1,500 apps that can be integrated into Slack.

Back in July 2018, Microsoft introduced a free, basic features version of Teams which did not require an Office 365 account, in order to increase user numbers and tempt users away from Slack.

According to Microsoft figures announced in July, Teams now has 13 million users, which is more than Slack’s 10 million users. Microsoft is keen to promote Teams as a new communications tool rather than just an upgrade to Skype for Business.

End of Skype For Business

Microsoft originally announced at the end of 2017 that Teams was set to replace Skype for Business as Microsoft’s primary client for intelligent communications in Office 365.

With this in mind, Microsoft ended support for Skype for Business at the end of July, will be giving all new 365 customers Teams by default from 1 September and has said that current Skype for Business Online customers won’t notice any change in service in the meantime.

Migration and Interoperability

Microsoft has announced investment and interoperability measures that will ensure a painless migration to Teams for Skype for Business Online customers. For example, from the first quarter of 2020 customers on both platforms will be able to communicate via calls and text chats, DynamicE911 will work in Teams, and Teams also includes contact centre integration and compliance recording solutions.

What Does This Mean For Your Business?

Microsoft is succeeding in challenging and overtaking its competitor Slack in the business collaborative working communications tools market.  Brand reach and power coupled with a free version, and now compulsory migration for existing and default for new users has seen Teams reach the point where, as planned by Microsoft more than two years ago, it can ably replace Skype for Business.

It appears that Microsoft is making efforts and investing to ensure that the migration is as smooth for (and attractive to) existing Skype business customers as possible and that the voice and video capabilities, cognitive and data services and insights that Teams offers should add value that could translate into advantages and extra efficiencies for users.

A.I. Powered Bar-staff. Who’s Next?

In what’s been called the world’s first ‘A.I. Bar’ (developed by British data science product company DataSparQ) ordering a drink at a busy bar has been made easier, faster and fairer by using facial recognition technology to place customers in an “intelligently virtual” queue.

Solving Old Problems

Information and statistics from DataSparQ show that pub-goers in Britain spend more than two months over a lifetime queuing for drinks and that people pushing in at bar queues is the biggest gripe. Who to serve next as efficiently as possible without causing an argument, and how to spot underage customers at busy times, are challenges faced by many bar workers. Also, solo drinkers and women can find busy bars intimidating and frustrating.

The new DataSparQ ‘A.I. Bar’ Software-as-a-Service product, which costs landlords from just £199 a month and uses a standard webcam, display screen and Internet connection to link up to A.I. facial recognition technology, appears to be able to address all of these challenges.

How It Works

The A.I. Bar, which has been tested in London, uses a camera linked to the machine learning technology to spot those persons arriving at the bar.  The system displays a live video of everyone queuing on a screen above the bar and a number, which appears above each customer’s head, representing their place in the queue. The system also protects customer privacy by deleting the data (pictures of faces) within 24 hours.

For bar staff, the ordered numbering of customers, and the fact that customers are clearly aware of their number in the queue, reduces the chance of arguments. The system shows bar staff, on an iPad, exactly who to serve next, thereby helping bars and pubs to maximise their ordering efficiency. The system also tells bar staff who they should ask for I.D. to verify their age, thus helping the pub/bar to stay on the right side of the law.

More Pints Served

In tests of the system, the before and after data revealed an overall reduction in serving times, with the equivalent of more than 1,600 extra pints poured over a year compared to the average UK pub. This could equate to a potential 78 million additional pints poured a year if the UK’s 48 thousand pubs adopted the A.I. Bar technology.

What Does This Mean For Your Business?

For UK pubs and any business which has to deal with busy bars (hotels, clubs, live music venues and festivals), this system is an example of how the latest technology can be used in a practical setting to solve a number of age-old problems that have troubled drinkers, owners and staff alike. If this system were widely adopted, the efficiencies created, the extra beer sales, and the reduction of potentially intimidating situations in pubs could benefit the wider pub and drinks trades, and could go some way to helping at a time when so many pubs are being forced to close.