
The World Of Ethical Hackers And Bug Bounties

The fact that big tech companies are willing to pay big bucks in ‘bug bounties’ is one of the main reasons why becoming an ethical hacker / ethical security tester is increasingly attractive to many people with a variety of technical skills.

What Is An Ethical Hacker?

An ethical hacker / white hat hacker / ethical security tester is someone who is employed by an organisation and given permission by that organisation to penetrate its computer system, network or computing resource in order to find (and fix) security vulnerabilities before real hackers have the opportunity to use those vulnerabilities as a way in.

Certified

In the US, for example, a person can obtain a Certified Ethical Hacker (CEH) qualification by using the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of a system.  CEH exams test a candidate’s skills in applying techniques and using penetration (‘pen’) testing tools to compromise various simulated systems within a virtual environment.

Who?

Ethical hackers can find work, for example, with organisations that run bug bounty programmes on behalf of companies e.g. HackerOne, Bugcrowd, Synack, or they can choose to work freelance.

What Are Bug Bounties?

Bug bounties are monetary rewards offered to those who have identified errors or vulnerabilities in a computer program or system. Companies like HackerOne, for example, offer guidance as to the amounts to set as bug bounties e.g. anywhere from $150 to $1000 for low severity vulnerabilities, and anywhere from $2000 to $10,000 for critical severity vulnerabilities.

Examples of bug bounties include:

  • The ‘Hack The Pentagon’ three-year initiative run by HackerOne which has so far (since 2016) paid $75,000 to those who have found software vulnerabilities in the Defence Department’s public-facing websites.
  • Google’s ongoing VRP program which offers varying rewards ranging from $100 to $31,337 depending on the type of vulnerabilities found.
  • Facebook’s Whitehat program, running since 2011, and offering a minimum reward of $500 with over $1 million paid out so far. The largest single reward is reported to be $20,000.

Motivation

Money is often not the only motivation for those involved in ethical hacking.  Many are interested in the challenge of solving the problems, getting into the industry, and getting recognition from their peers.

Training

The UK has a tech skills shortage, but some schemes do exist to help the next generation of cyber-security experts gain their knowledge and skills.  One example is the UK’s Cyber Discovery scheme which had more than 25,000 school children take part in its first year.  The scheme turns finding security loopholes into engaging games while getting children familiar with the tools that many cyber-pros use.  Top performers can then attend residential courses to help them hone their skills further.

What Does This Mean For Your Business?

Ethical hackers play an important penetration testing role in ensuring that systems and networks are as secure as possible against the known methods employed by real hackers. It is not uncommon, particularly for large companies that are popular hacking targets, to offer ongoing bug bounty programs as a way to keep testing for vulnerabilities, and the rewards paid to the ethical hackers are well worth it when you consider the damage that is done to companies and their customers when a breach takes place.

Running government programs such as Cyber Discovery could, therefore, be an important way to encourage, spot, and help develop a home-grown army of cyber-security professionals which is a win/win for companies wanting to improve their security, individuals looking for careers in the cyber-security and tech industries, and filling a skills gap in the UK.

Tech Tip – Using Your Windows Clipboard History

You may not have tried it, but if you need to copy a number of items (10 or more) to your Windows clipboard and come back to them later, the clipboard history that is built into Windows 10 allows you to do this quickly and easily.

Here’s how to get the most out of the clipboard:

In the first instance, hit the Windows key + V. This will give you the option to turn clipboard history on.

Once turned on, hit the Windows key + V again. You’ll be shown a list of the items currently on your clipboard e.g. text segments you’ve copied. Click on an item to paste it into your current page.

The icons (top right) also give you the option to delete or pin clipboard items i.e. keep them when you clear your clipboard history or when you restart your PC.

In Settings, you can also choose to turn the feature off or choose to sync your clipboard across your other Windows devices so your desktop and laptop can share a clipboard history.

Serious Security Flaws Discovered In Popular GPS Tracker

Researchers at the UK cyber-security company Fidus Information Security say that they have found security flaws in a popular Chinese-manufactured white-label location tracker that could be serious enough to warrant a recall.

Which Tracker?

The GPS tracker, which is used as a panic alarm for elderly patients, to monitor children and to track vehicles, is white-label manufactured but rebranded and sold by several different companies, reportedly including Pebbell (by HoIP Telecom), OwnFone Footprint and SureSafeGo. The tracker uses a SIM card to connect to the 2G/GPRS network. According to Fidus, at least 10,000 of these trackers are currently in use in the UK.

What’s The Problem?

According to the researchers, simply sending the device a text message with a keyword can trick the tracker into revealing its real-time location. Also, other commands tried by the researchers can allow anyone to call the device and remotely listen in to its in-built microphone without the user knowing, and even remotely stop the signal from the tracker, thereby making the device effectively useless.  On its blog, Fidus lists several other things that its researchers were able to do to the device including change or completely remove all emergency contacts, disable the motion alarm, disable fall detection and remove any device PIN which had been set.

All these scenarios could pose significant risks to the (mainly vulnerable) users of the trackers.

According to Fidus, one of the main reasons why the device has so many security flaws is that neither the manufacturer nor the companies reselling the devices appear to have conducted any security testing or penetration testing of the device.

PIN Problem

The research by Fidus also uncovered the fact that even though the manufacturers built in PIN functionality to help lock the devices down, the PIN is disabled by default and users need to read the manual to find out about it. When enabled, the PIN is required as a prefix for any command to be accepted by the device, except for the REBOOT and RESET functionality. The problem with this is that the RESET functionality is the thing that could really provide a malicious user with the ability to gain remote control of the device. This is because it is the RESET command that wipes all stored contacts and emergency contacts, restores the device to factory defaults and means that a PIN is no longer needed.
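To make that authorisation gap concrete, the following is an added model (not the tracker’s firmware and not Fidus’s code) of a PIN-prefixed SMS command handler: the flawed policy exempts REBOOT and RESET from the PIN check, so an unauthenticated RESET wipes the contacts and the PIN, while the hardened version exempts nothing and restores a per-device factory PIN on RESET. Only REBOOT and RESET come from the report; the other command names, the message format and the sample phone number are assumed placeholders.

```python
"""Model of a PIN-gated SMS command handler for a GPS tracker.

Added illustration, not the tracker's firmware and not Fidus's code. Only
REBOOT and RESET come from the report; the other command names and the
'[<pin>] <COMMAND> [arg]' message format are assumed placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TrackerState:
    pin: Optional[str] = None              # factory default: PIN disabled
    contacts: List[str] = field(default_factory=list)
    fall_detection: bool = True


# Policy as described in the report: only REBOOT and RESET skip the PIN.
FLAWED_EXEMPT = {"REBOOT", "RESET"}
# Hardened policy: once a PIN exists no command bypasses it (an open
# REBOOT is still a denial-of-service lever, so it is not exempt either).
HARDENED_EXEMPT: set = set()


class Tracker:
    def __init__(self, exempt: set, factory_pin: Optional[str],
                 state: TrackerState):
        self.exempt = set(exempt)
        self.factory_pin = factory_pin     # the PIN a RESET restores
        self.state = state
        self.log: List[str] = []           # authorisation decisions, for review

    def handle_sms(self, body: str) -> str:
        """Authorise, then apply, one SMS of the form '[<pin>] <COMMAND> [arg]'."""
        tokens = body.strip().split()
        if not tokens:
            return "ERR EMPTY"
        supplied_pin = None
        if len(tokens) > 1 and tokens[0].isdigit():
            supplied_pin, tokens = tokens[0], tokens[1:]
        cmd, args = tokens[0].upper(), tokens[1:]
        # The gap: a command in the exempt set is applied without any PIN.
        needs_pin = self.state.pin is not None and cmd not in self.exempt
        if needs_pin and supplied_pin != self.state.pin:
            self.log.append(f"REJECT {cmd}")
            return "ERR PIN"
        self.log.append(f"ACCEPT {cmd} pin_supplied={supplied_pin is not None}")
        return self._apply(cmd, args)

    def _apply(self, cmd: str, args: List[str]) -> str:
        s = self.state
        if cmd == "RESET":
            # Factory defaults: contacts wiped, PIN back to its factory value.
            self.state = TrackerState(pin=self.factory_pin)
            return "OK RESET"
        if cmd == "REBOOT":
            return "OK REBOOT"
        if cmd == "DELCONTACTS":
            s.contacts.clear()
            return "OK"
        if cmd == "SETPIN" and args:
            s.pin = args[0]
            return "OK"
        if cmd == "FALLOFF":
            s.fall_detection = False
            return "OK"
        return "ERR UNKNOWN"


def flawed_tracker(user_pin: str, contacts: List[str]) -> Tracker:
    """As shipped: no factory PIN (so RESET clears it) and RESET needs no PIN."""
    return Tracker(FLAWED_EXEMPT, None,
                   TrackerState(pin=user_pin, contacts=list(contacts)))


def hardened_tracker(device_pin: str, contacts: List[str]) -> Tracker:
    """Per-device PIN set at the factory, kept across RESET; nothing exempt."""
    return Tracker(HARDENED_EXEMPT, device_pin,
                   TrackerState(pin=device_pin, contacts=list(contacts)))
```

The `log` list records every accept/reject decision, which is the minimum a device vendor would want to be able to review when assessing whether such commands are reaching deployed units.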

What Does This Mean For Your Business?

What is particularly disturbing about this story is that the tracking devices are used for some of the most vulnerable members of society.  Even though they have been marketed as a way to make a person safer, the cruel irony is that it appears that if they are taken over by a malicious attacker, they could put a person at greater risk.

This story also illustrates the importance of security penetration testing in discovering and plugging security loopholes in devices before making them widely available. This is another example of an IoT/smart device that has security loopholes related to default settings, and with an ever-growing number of IoT devices out there, many of them perhaps not tested as well as they could be, many buyers are unknowingly at risk from hackers.

Tech Tip – Lightbeam Screen-Sharing App

If you’d like an app that enables you to easily share mobile screens with a friend or colleague, for work or leisure, Lightbeam is a new, free, cross-platform app which does just that.

The social screen sharing app also makes it easy to book group itineraries and reservations for trips, and it also works as a video chat service.

The app can be downloaded from Apple’s iTunes and from the Google Play Store.

Surveillance Attack on WhatsApp

It has been reported that it was a surveillance attack on Facebook’s WhatsApp messaging app that caused the company to urge all of its 1.5bn users to update their apps as an extra precaution recently.

What Kind of Attack?

Technical commentators have identified the attack on WhatsApp as a ‘zero-day’ exploit that is used to load spyware onto the victim’s phone.  Once the victim’s WhatsApp has been hijacked and the spyware loaded onto the phone, it can, for example, access encrypted chats, access photos, contacts and other information, as well as being able to eavesdrop on calls, and even turn on the microphone and camera.  It has been reported that the exploit can also alter the call logs and hide the method of infection.

How?

The attack is reported to be able to use WhatsApp’s voice calling function to ring a target’s device. Even if the target doesn’t pick the call up, the surveillance software can be installed, and the call can be wiped from the device’s call log. The exploit works through a buffer overflow weakness in the WhatsApp VoIP stack, which allows other parts of the app’s memory to be overwritten.

It has been reported that the vulnerability is present in the Google Android, Apple iOS, and Microsoft Windows Phone builds of WhatsApp.

Who?

According to reports in the Financial Times, which broke the story of the WhatsApp attack (first discovered earlier this month), Facebook had identified the likely attackers as a private Israeli company, The NSO Group, which is part-owned by the London-based private equity firm Novalpina Capital. According to reports, The NSO Group are known to work with governments to deliver spyware, and one of their main products, Pegasus, can collect intimate data from a targeted device. This can include capturing data through the microphone and camera and also gathering location data.

Denial

The NSO Group have denied responsibility.  NSO has said that their technology is only licensed to authorised government intelligence and law enforcement agencies for the sole purpose of fighting crime and terror, and that NSO wouldn’t or couldn’t use the technology in its own right to target any person or organisation.

Past Problems

WhatsApp has been in the news before for less than positive reasons.  For example, back in November 2017, WhatsApp was used by ‘phishing’ fraudsters to circulate convincing links for supermarket vouchers in order to obtain bank details.

Fix?

As a result of the attack, as well as urging all of its 1.5bn users to update their apps, engineers at Facebook have created a patch for the vulnerability (CVE-2019-3568).

What Does This Mean For Your Business?

Many of us think of WhatsApp as being an encrypted message app, and therefore somehow more secure. This story shows that WhatsApp vulnerabilities are likely to have existed for some time.  Although it is not clear how many users have been affected by this attack, many tech and security commentators think that it may have been a focused attack, perhaps of a select group of people.

It is interesting that we are now hearing about the dangers of many attacks being perhaps linked in some way to states and state-sponsored groups rather than individual actors, and the pressure is now on big tech companies to find ways to guard against these more sophisticated and evolving kinds of attacks and threats, which are potentially on a large scale. It is also interesting how individuals could be targeted by malware loaded in a call that the recipient doesn’t even pick up, and it perhaps opens up the potential for new kinds of industrial espionage and surveillance.

3D AR Shopping Via Google Search

Later this month, Google will be rolling out 3D Augmented Reality (AR) in its search results, a change which could allow retailers to show their products online in a way that enables customers to virtually ‘try’ those products and see them in situ before buying them.

Shown At Phone Launch

Google showed how 3D AR could work in search results to attendees of the launch of its Pixel 3 smartphone at its annual developers’ conference. At the phone launch, Google’s Vice President, Aparna Chennapragada, used a superimposed animation of a shark and a 3D exploration of a pair of New Balance running shoes to illustrate how potential customers could superimpose a 3D AR image of a product on their own chosen backdrop (‘your space’). This would allow customers to see just how a product would look in situ if they were to purchase it.

Brands

Examples of the brands that Google is reported to have been working with in order to develop optimised links to 3D AR versions of their products in Google’s search results include New Balance, Samsung and Volvo.

Other Uses of AR

Google users may already be used to seeing AR in action as part of Google Maps, where users can switch from the map to an AR representation with directional arrows by clicking on the ‘satellite’ link and then by clicking on the route. This feature allows users to follow arrows along a driver’s-eye route, change direction, and zoom in and out.

AR and VR

Back in October 2017, Ordnance Survey introduced AR to its mobile app so that users could point their smartphone at the world around them and see labels about places of interest, along with a reading of how far away they are.

In February this year, breakfast cereal manufacturer Kellogg’s announced that it had been working with third-party VR companies to help it determine the best way to display its new products in stores. The pilot scheme used VR to give test subjects an immersive and 360-degree experience of a simulated store environment in which they were able to ‘virtually’ pick products, place items in shopping trolleys and make purchases.

What Does This Mean For Your Business?

Using AR to show 3D versions of products in the search results will enable companies to get their products instantly in front of consumers in a way that allows them to engage with those products on demand, have a good look around the products, and virtually try them out to see how they could fit in with their lives. This may be particularly important for products linked to self-image and lifestyle perceptions. This could prove to be a valuable sales tool with considerable potential for all manner of products.

Proposed Legislation To Make IoT Devices More Secure

Digital Minister Margot James has proposed the introduction of legislation that could make internet-connected gadgets less vulnerable to attacks by hackers.

What’s The Problem?

Gartner predicts that there will be 14.2 billion ‘smart’, internet-connected devices in use worldwide by the end of 2019.  These devices include connected TVs, smart speakers and home appliances. In business settings, IoT devices can include elevators, doors, or whole heating and fire safety systems in office buildings.

The main security issue with many of these devices is that they have pre-set default passwords that cannot be changed, and once these passwords have been discovered by cybercriminals the IoT devices can be hacked in order to steal personal data, spy on users or remotely take control of devices in order to misuse them.

Also, IoT devices are deployed in many systems that link to and are supplied by major utilities e.g. smart meters in homes. This means that a large-scale attack on these IoT systems could affect the economy.

New Law

The proposed new law to make IoT devices more secure, put forward by Digital Minister Margot James, would do two main things:

  • Force manufacturers to ensure that IoT devices come with unique passwords.
  • Introduce a new labelling system that tells customers how secure an IoT product is.

The idea is that products will have to satisfy certain requirements in order to get a label, such as:

  • Coming with a unique password by default.
  • Stating for how long security updates would be made available for the device.
  • Giving details of a public point of contact to whom cyber-security vulnerabilities may be disclosed.

Not Easy To Make IoT Devices Less Vulnerable

Even though legislation could put pressure on manufacturers to try harder to make IoT devices more secure, technical experts and commentators have pointed out that it is not easy for manufacturers to make internet-enabled/smart (IoT) devices secure because:

Adding security to household internet-enabled ‘commodity’ items costs money. This would have to be passed on to the customer in higher prices, but this would mean that the price would not be competitive. Therefore, it may be that security is being sacrificed to keep costs down – sell now and worry about security later.

Even if there is a security problem in a device, the firmware (the device’s software) is not always easy to update. There are also costs involved in doing so which manufacturers of lower-end devices may not be willing to incur.

With devices which are typically infrequent and long-lasting purchases e.g. white goods, we tend to keep them until they stop working, and we are unlikely to replace them because they have a security vulnerability that is not fully understood. As such these devices are likely to remain available to be used by cybercriminals for a long time.

What Does This Mean For Your Business?

Introducing legislation that only requires manufacturers to make relatively simple changes to make sure that smart devices come with unique passwords and are adequately labelled with safety and contact information sounds as though it shouldn’t be too costly or difficult.  The pressure of having, by law, to display a label that indicates how safe the item is could provide that extra motivation for manufacturers to make the changes and could be very helpful for security-conscious consumers.

The motivation for manufacturers to make the changes to the IoT devices will be even greater when faced with the prospect of retailers eventually being barred from selling products that don’t have a label, as is the plan with this proposed legislation.

The hope from cybersecurity experts and commentators is that the proposal isn’t watered-down before it becomes law.

Tech Tip – Free Online Presentation App ‘Zoho Show’

If you’d like an app that enables you to create, collaborate on, publish and broadcast presentations from any device, quickly and easily, Zoho Show free online presentation software may be for you.

It offers many different themes and has a contextual user-focused interface that guides you through authoring slides, and it has animations and transitions to help set the tone of your presentation for your particular audience.

Zoho Show is available for Apple and Android and is compatible with PowerPoint.  Find more information online here https://www.zoho.com/show/ or download Show from iTunes or the Google Play store.

New AI Feature For Microsoft Word Online To Improve Your Writing

The new ‘Ideas’ feature, an AI-powered editor in the cloud for Microsoft Word, is intended to provide intelligent suggestions to make your writing more concise, readable, and inclusive.

Ideas

The new ‘Ideas’ feature, which is already being used with PowerPoint and Excel, is likely to be a value-adding improvement on traditional grammar and spelling checks because it is designed to help with the reading and writing of (online) Word documents.

The feature, announced at Microsoft 2019 and scheduled for testing in June, will be able to follow along as you write, offer familiar fixes for spelling and grammatical errors, suggest improvements, detect nuances in language and even suggest rewrites for tricky phrases or clunky paragraphs.

The Ideas feature will also be able to help with the reading of Word documents by, for example, providing estimated reading times, extracting key points, and decoding acronyms using data from the Microsoft Graph.

British Company Wins Google Money For AI

It’s not just Microsoft that’s making the news this week for its ongoing pursuit of augmenting its products and services with AI and machine learning.

British fact-checking company Full Fact has just been named among the 20 winners of Google’s AI Impact Challenge. The award will mean that they will receive a share of 19.1 million dollars’ worth of Google investment as well as consultation help and mentoring from Google. The AI Impact Challenge from Google asked organisations to submit ideas on how to use AI to help address societal challenges. For Full Fact, this involved ideas about how to use AI to combat the kind of misinformation that affects millions of people’s health, safety and ability to participate in society, and is considered by many to be a threat to democracy in many countries.

What Does This Mean For Your Business?

The addition of an AI-powered, cloud-based enhancement to Microsoft’s online version of Word is considered to be the next, more intelligent step onwards from enhancements like predictive text.  It also offers Microsoft a way to compete with popular grammar programs such as Grammarly, and it will be interesting to see how such companies respond to Microsoft’s ‘Ideas’ feature.

The ‘Ideas’ feature is likely to be particularly good news for journalists and other writers as it will presumably be able to make the low-level composing work a little easier and may be able to save time and add value to their work.  It may even help Microsoft reach its aim of enabling people to design documents for maximum readability, and in doing so, make the workday more productive for many people.

One area where AI is predicted to offer some real promise in the near future is in the (cloud-based) cyber security market. For example, the Visiongain ‘Artificial Intelligence in Cyber Security Market Report’ for 2019-2029 values the 2019 AI in cyber security market at $4.94bn. Cloud-based cyber security that incorporates AI could prove to be a cost-effective and affordable source of protection for SMEs and large enterprises.

Google Offers Auto-Delete of History After Three Months

Google is joining tech giants Facebook and Microsoft in offering users greater control over the privacy of their data: Google will give its users the option to automatically delete their search and location history after three or eighteen months.

What’s The Problem?

According to Google, feedback has shown that users want simpler ways to manage or delete their data, and web users have become more concerned about their data privacy after several high-profile data breaches, most notably Facebook sharing the profile data of 50 million of its users with the analytics company Cambridge Analytica back in 2014.

The Change

Google already offers tools to help users manually delete all or part of their location history or web and app activity.  The addition of the new tool, which is scheduled to happen “in the coming weeks” will enable users to set up auto-delete settings for their location history, web browsing and app activity.

With the new tool, users will be able to select how long they want their activity data to be saved for – three months or eighteen months – after which time Google says the data will automatically be deleted from the user’s account.

The new automatic deletion will be optional, and the manual deletion tools will remain.

Facebook and Microsoft

At the beginning of May, Microsoft announced several new features intended to improve privacy controls for its Microsoft 365 users, with a view to simplifying its data privacy policies.

Also, Facebook’s Mark Zuckerberg recently announced a privacy-focused road map for the social network.

Google’s Tracking Questioned

Back in 2018, the ‘Deceived By Design’ report by the government-funded Norwegian Consumer Council accused tech giants Microsoft, Facebook and Google of being unethical by leading users into selecting settings that do not benefit their privacy.

In November 2018, Google’s tracking practices for user locations were questioned by a coalition of seven consumer organisations who were reported to have filed complaints with local data protection regulators. Although Google says that tracking is turned off by default and can be paused at any time by users, the complaints focused on research by a coalition member who claimed that people are forced to use the location system.

Furthermore, research by internet privacy company DuckDuckGo in December 2018 led to a claim that even in Incognito mode, users of Google Chrome can still be tracked, and searches are still personalised accordingly.

What Does This Mean For Your Business?

The introduction of GDPR and high-profile data breach and privacy incidents such as the Facebook and Cambridge Analytica scandal have made us all much more aware of (and more protective of) our personal data and how it is collected, stored and used by companies and other organisations. It is no surprise, therefore, that feedback to Google showed a need for greater control and privacy for users, and the announcement of the new (optional) automatic deletion tool also provides a way for Google to get some good data privacy PR at a time when other tech giants like Facebook and Microsoft have also been seen to make data privacy improvements for their users.

Current details about how to manually delete your Google data can be found here: https://support.google.com/websearch/answer/465?co=GENIE.Platform%3DDesktop&hl=en and the ‘My Activity’ centre for your Google account, where you will most likely be able to configure the automatic deletion settings, can be found here: https://myactivity.google.com/.