Archive for February 2016

Your Latest IT Newsletter


Unlimited Lifetime Glass Coin Time Capsule To Preserve Human History

Scientists from the University of Southampton’s Optoelectronics Research Centre (ORC) have developed a glass disc just smaller than a £2 coin that is capable of holding 360TB of data and has thermal stability up to 1,000°C. These features are thought to make the prototype disc, known as the 5D, an ideal medium for storing large quantities of important human data and information as a kind of time capsule.

The strength and resilience of the nanostructured glass which makes up the disc is believed to make the disc something that could survive with its stored information intact for billions of years. It’s certainly a long way from burying a box of artefacts under the floor of a new shopping centre, and commentators have said that it is more akin to the memory crystal idea featured in the Superman films.

Kills 2 Birds With One Stone

This breakthrough invention in robust miniature storage media kills 2 birds with one stone: it cracks the problem of finding something that can securely store large amounts of information over very long periods of time, and it can record a very large amount of information onto a practical storage medium that is very small. It is hoped, for example, that when the disc is produced at a standard size of 12cm it will be able to store over 7,000 times the amount of data that can be stored on a 50GB double-layer Blu-ray disc.

Test Storage

The researchers have tested the storage potential of the new disc so far by writing a number of lengthy cultural and historic works to 5D, including the Universal Declaration of Human Rights (UDHR), Newton’s Opticks, the Magna Carta, and the King James Bible.

What Does It Mean For Your Business?

Secure storage and backup of digital data are major concerns for business, and developments in this area are always welcomed. It is still early days for the development team who have created the disc, and as it stands the commercial possibilities are not yet fully known. The development team have however publicly expressed their goal to make this into a mass market technology, which could provide business opportunities for selling the discs. The team are also reported to be looking for industry partners to develop and commercialise the technology, and this could provide another opportunity for businesses to benefit from and play a part in the development and commercialisation of what could be a revolutionary new storage medium with a virtually unlimited lifetime. For now though it’s more a case of looking for markets for the product.

HSBC Customers To Use Voice or Fingerprint Recognition

HSBC is another in a succession of banks and financial organisations that are favouring biometrics over passwords as a way to improve security for their customers, and to reduce the costs to those organisations of attacks. In what is thought to be the largest planned rollout of voice biometric technology, HSBC is introducing a system that will allow its 15 million+ customers to use their voice or their fingerprint for authentication purposes rather than just passwords.

The first of HSBC’s customers to use the system will be those in its First Direct internet and phone banking division in March/April, with the rollout for other customers planned for this summer.

How Will It Work?

As with other fingerprint recognition systems like Mastercard’s, HSBC’s will require customers to use their smartphone and an app. For HSBC this will involve the fingerprint reader built into Apple’s iPhone used in combination with the HSBC mobile banking app.

The ‘Nuance Communications’ voice recognition technology (the same as that used by Barclays in its call centres) uses over 100 unique identifiers such as speed, cadence, pronunciation and the detectable effects of physical features to identify a customer.

Better Than Passwords

As well as possibly increasing the speed of authentication / verification compared to verbal security checks and passwords, biometric systems like these are thought to be a big improvement on the password system because:

  1. Biometric measures are more secure. More than one third of UK consumers for example use the same password for multiple purposes thus dramatically increasing their risk if their password is discovered by cyber criminals. The most common password is 123456, and passwords like this would be quite easy for cyber criminals to discover. A YouGov poll commissioned by HSBC has also shown that over 50% of UK consumers rarely update passwords thus making things easier again for the determined cyber criminal.
  2. Customers appear to like, trust and prefer biometrics. A 2015 Visa Europe survey for example showed that the new generation of banking customers would be happier with biometric authentication methods. The survey showed that 75% of 16 to 24 year olds would have no problem using biometric security, and 69% expect it to be faster and easier than a password or a PIN. The same survey found that 78% of the 2,000+ adult respondents were confident that their body is unique enough to be used as an identifier, and 74% of the respondents felt this would be the default password in future.
  3. Banks can reduce the cost of covering fraud. At the moment banks and credit card companies have to build extra costs into the prices for transactions to cover fraud.

What Will It Mean For Your Business?

The hope is of course that this is one extra layer of security for all HSBC customers, both business and domestic, and it could therefore reduce our risks of becoming victims of fraud. As well as the potential time saved when conducting bank transactions, and the convenience of being able to do so on the move (using your mobile device), if it is very successful at cutting crime it could mean that the banks’ transaction costs are lowered. If the banks then choose to pass these savings on to customers, this could be another advantage for your business. For now though it is a case of wait and see.

Cyber Attacks Utilise the Pingback Function in 26,000 WordPress Websites

There have been reports this week from researchers at Sucuri of a number of cyber crime incidents that have used a huge network of 26,000 WordPress websites to launch multiple Layer 7 (also known as flood) Denial of Service (DoS) attacks.

A Denial of Service (DoS) attack is one where the perpetrator uses multiple compromised systems, often infected with a Trojan virus, to launch a single attack on one system. A Layer 7 attack, or flood, is one where the server being attacked is disrupted because its resources and memory are overloaded.

WordPress Most Attacked CMS

The significance of this attack is that WordPress websites appear to have a vulnerability in them that allows them to be used by cyber criminals to attack other websites. According to Imperva’s 2015 annual Web Application Attack Report (WAAR), WordPress is now thought to be the most attacked CMS, with around 3.5 times more attacks than non-CMS applications. Only last year, for example, thousands of WordPress sites were attacked or hijacked using malicious ‘Neutrino Exploit Kit’ code. The apparent vulnerability of WordPress to attack is a particularly worrying situation when you consider that WordPress now makes up 25% of all websites.

Popular Attack Against WordPress

The most recent DoS attack is the most popular kind used against WordPress, and is estimated to make up around 13% of all the attacks involving the system. In this most recent example the perpetrators used a series of IP addresses (in the 185.130.5.0/24 range) to control the botnet of WordPress sites. The 26,000 WordPress websites were then used by the attacker to generate 10,000 to 11,000 HTTPS requests per second against one website. When subjected to a flood of requests of this kind, servers are unable to handle the load, a large amount of memory is consumed, and the operation of the server is therefore seriously disrupted.

Some Protection Was In Place

The frequency of this kind of attack against WordPress has meant that an IP logging feature was added to the system in version 3.9 to record the IP address from which ‘pingback’ requests originated. This should mean that the attacker’s IP shows up in the user agent field of the target’s log. In this most recent case however the perpetrators were able to carry out an attack despite the logging feature being in place.
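The logging feature works because, since version 3.9, a WordPress site that is asked to verify a pingback fetches the target page with a user agent of the form `WordPress/<version>; <site url>; verifying pingback from <ip>` (the string built in wp-includes/class-wp-xmlrpc-server.php). The script below is an added example, not code from the newsletter or from the Sucuri researchers: it scans access-log lines for that user agent and tallies the originating addresses, which is how the owner of a flooded site would recover the controlling IPs. The log lines are constructed for the example, and the 185.130.5.x addresses are stand-ins for the range the article names.

```php
<?php
// Added example (not from the newsletter): find pingback verification requests
// in a combined-format access log and count them by the IP named in the user agent.

// Constructed sample log lines (Apache/Nginx combined format).
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [12/Feb/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Feb/2016:10:00:02 +0000] "GET /?p=1 HTTP/1.1" 200 9000 "-" "WordPress/4.4.2; http://blog-one.example; verifying pingback from 185.130.5.201"
198.51.100.8 - - [12/Feb/2016:10:00:02 +0000] "GET /?p=2 HTTP/1.1" 200 9000 "-" "WordPress/4.3; http://blog-two.example; verifying pingback from 185.130.5.201"
198.51.100.9 - - [12/Feb/2016:10:00:03 +0000] "GET /?p=3 HTTP/1.1" 200 9000 "-" "WordPress/4.4; http://blog-three.example; verifying pingback from 185.130.5.202"
LOG;

/**
 * Count pingback verification requests per originating IP, i.e. the address
 * that asked each reflecting WordPress site to fetch our pages.
 * Returns [ip => count], largest count first.
 */
function pingback_origins(string $log): array
{
    $counts = [];
    foreach (explode("\n", $log) as $line) {
        // Match only the WordPress verification user agent and capture the IP
        // (IPv4 or IPv6) that follows "verifying pingback from".
        if (preg_match('/"WordPress\/[^"]*; verifying pingback from ([0-9A-Fa-f:.]+)"/', $line, $m)) {
            $counts[$m[1]] = ($counts[$m[1]] ?? 0) + 1;
        }
    }
    arsort($counts);
    return $counts;
}

/**
 * Count how many distinct reflecting sites (the middle field of the user agent)
 * took part, which gives a feel for the size of the abused network.
 */
function reflector_count(string $log): int
{
    $sites = [];
    foreach (explode("\n", $log) as $line) {
        if (preg_match('/"WordPress\/[^;]*; ([^;]+); verifying pingback from /', $line, $m)) {
            $sites[$m[1]] = true;
        }
    }
    return count($sites);
}

foreach (pingback_origins(SAMPLE_LOG) as $ip => $n) {
    printf("%-20s %d pingback verification request(s)\n", $ip, $n);
}
printf("%d distinct reflecting WordPress sites seen\n", reflector_count(SAMPLE_LOG));
```

Run it with `php` from the command line (PHP 7 or later for the `??` operator and scalar type hints). On a real log, replace `SAMPLE_LOG` with `file_get_contents()` of the access log; the IPs it reports are the ones to block or report, while the reflecting sites themselves are victims rather than attackers.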

What Can You Do To Protect Your Website?

If you have a WordPress website for your business, one step that you can take to prevent it being used as part of a larger attack against other sites is to disable pingbacks. It is the pingback element of WordPress that has repeatedly been responsible for so many of these attacks.
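One way to disable pingbacks without editing WordPress core or installing a third-party plugin is a small “must-use” plugin. The file below is an added example, not code from the newsletter or from WordPress itself; it uses the standard WordPress hooks `xmlrpc_methods`, `wp_headers`, `pre_option_default_pingback_flag` and `xmlrpc_enabled`, and assumes it is saved under wp-content/mu-plugins/ (the directory WordPress loads automatically; create it if it does not exist).

```php
<?php
/*
 * Plugin Name: Disable Pingbacks (added example, not part of WordPress)
 * Description: Removes the pingback feature so this site cannot be used as a
 *              reflector in a pingback-based denial of service attack.
 * Install:     save as wp-content/mu-plugins/disable-pingbacks.php
 */

// Refuse to be loaded outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Drop the XML-RPC pingback methods. Without 'pingback.ping' a remote site
//    can no longer ask this site to "verify" a pingback by fetching a URL of
//    the remote site's choosing, which is the behaviour that gets abused.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop advertising the XML-RPC endpoint via the X-Pingback response header,
//    which is how other sites discover that pingbacks are accepted here.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Turn off the outbound side as well: new posts will not attempt to notify
//    linked sites (the "default_pingback_flag" option under Settings > Discussion).
//    Returning 0 from the pre_option filter short-circuits the option lookup.
add_filter( 'pre_option_default_pingback_flag', '__return_zero' );

// 4. Optional, commented out: if nothing on the site needs XML-RPC at all
//    (no Jetpack, no mobile publishing app), the whole endpoint can be disabled.
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

To check that the change took effect, load any page on the site and confirm that the response no longer carries an `X-Pingback` header; a request to xmlrpc.php for `system.listMethods` should likewise no longer list `pingback.ping`. Keep step 4 commented out unless you have confirmed that no plugin or client on the site depends on XML-RPC.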

Mobile Network Three’s Plans to Use Network-Based Ad Blocker Worries Digital Content Providers

One of the reasons why we are able to access so much high value content for free is likely to be that many content providers are able to use online advertising for their funding. This is why a recent announcement by the Mobile Network Three that it is to introduce ad-blockers for consumers on its UK and Italian networks has not gone down well with webmasters and digital publishers.

The ad blocker, to be introduced in partnership with Shine, is believed to be able to block 95% of banner and pop-up ads. This, combined with the fact that Three has 8.8 million customers who could choose to use the ad blocker, has caused a wave of reaction from those whose revenues look likely to be adversely affected by the move.

Protecting Consumers

Three’s stated reason for planning to introduce the network level ad-blocking software is to give customers greater control, choice and transparency over what they receive, and to help them avoid paying the extra data charges incurred by downloading adverts that they didn’t want to see anyway. Estimates of the share of a mobile user’s data consumption used up by adverts range from anywhere between 20% and 50%.

It is also hoped that the opt-in ad-blocker could help protect Three’s customers from possible phishing attacks launched via online adverts.

Although the ad blocking software could reduce data charges for the customers who use it, they may have to pay to use the ad blocker (Three had not yet decided whether customers will pay to use it).

Why Network Level?

The decision to use a network-based ad blocker rather than an app is because the network level ad blocker is likely to be more effective, and because ad blocking apps are banned from some app stores.

Not All Adverts Will Be Blocked

Three has made it clear however that not all adverts will be blocked by the service, which is due to be introduced at some point in 2016 on an as yet unspecified date. Relevant and targeted advertising that minimises data use and waste should not be affected, and pre-roll video ads, sponsored articles, and in-feed promotions (e.g. within Twitter and Facebook) will not be blocked.

Reaction

The reaction from organisations such as the Internet Advertising Bureau (IAB) has been to point out the potential for the ad blocker to undermine the current arrangement that benefits consumers whereby they can receive content free because publishers fund much of it through online advertising.

Selfies or Fingerprints Via App To Be Accepted By Mastercard

Mastercard announced at the Mobile World Congress tech show in Barcelona this week that from this summer it will be accepting selfies or fingerprints as an alternative to passwords to verify IDs for online payments.

The software that will enable this to happen is a downloadable biometrics app for PC, tablet or smartphone that uses the camera (for a selfie) or a fingerprint sensor for recognition.

Cutting Fraud Compared to Passwords

As well as the notion that biometric security measures are likely to be more effective at cutting fraud, the system has been developed because consumers are known to dislike having to use passwords. The most common password, for example, is 123456, which is likely to be relatively easy for determined fraudsters to obtain. There is the added risk with passwords that, in order to aid human memory and recall, many people tend to use the same password in multiple places. This means that if hackers can obtain your password in one place it can leave you open to multiple fraud risks.

Early research by Mastercard has shown that not only is the system likely to provide good levels of security, but it is preferred to passwords by 92% of subjects who have been involved in Mastercard’s tests of the system.

Summer Rollout in the UK

The rollout for the system is reported to be taking place in the UK this summer as well as in the US and Canada, and across Belgium, France, Spain, Italy, Switzerland, Germany, Norway, Sweden, Finland and Denmark.

Not A Replacement For Normal Security Measures Yet

The new selfie / fingerprint verification system will not however be replacing the normal Mastercard verification system just yet. Mastercard customers will still need to provide their credit card details in the normal way as the primary means. On occasions where further authentication is required the current method is to ask for selected characters from the password, and it is at this point where the selfie or fingerprint will be requested. Customers using the selfie method will be asked to blink while looking into their camera so that the system can recognise them as a real person rather than just a photo of a face.

Reducing the Cost of Online Payments

It is hoped that the greater security provided by this kind of biometric mechanism can bring savings for merchants and consumers, as credit card companies may no longer need to build as many extra costs into the prices for transactions to cover fraud.

Biometric Systems Getting More Popular

The popular use of biometric systems is now on the increase. Examples include Microsoft’s Windows 10 and Google’s Android operating systems allowing users to unlock devices by looking at their cameras, and the smart wallet systems Apple Pay, Samsung Pay and Android Pay, which allow customers to use their fingerprints to authorise payments.

Your IT Newsletter


Start-Up Ideas Bring Technology To The Legal Profession

When you think of professions that utilize cutting edge technology, it may be fair to say that the legal profession is likely to be quite a long way down the list. The BBC recently highlighted how some smart start-ups have spotted exciting digital opportunities in this ancient profession that is about as far from paperless as you can get – allegedly. Here are some examples of technology start-up ideas that are threatening to drag the legal profession into this century and beyond.

Priori Legal

This is a New York based online marketplace that gives businesses a way to select legal services based on some very important factors that would not normally be easy to access. As well as being able to meet lawyers face-to-face or via Skype, business users of Priori Legal can be assured that the lawyers listed on the website are vetted by the company, and have to have 5 years of relevant practice experience and good references. Business customers can also make informed choices based on information like how often a lawyer has won, how that compares to the national average, and whether a particular judge may be biased in one direction. As well as providing a means to help businesses make better decisions about legal matters, it also provides a unique way to build a strategy for a case.

TrademarkNow, LegalSifter, and ContractSifter

These companies have developed tools and algorithms to help companies find their way safely through the minefield of trademark law, and the quicksand of contracts and terms. Finland’s TrademarkNow offers an AI tool for searching and managing trademarks, and Pittsburgh’s ContractSifter has built upon its experiences with the ‘LegalSifter’ algorithmic tool. ContractSifter helps companies to make sense of large volumes of contracts and terms, while avoiding offering advice.

Docket Alarm

This provides start-ups wanting to expand globally with a way to easily access data about the different legal systems of different countries. This could save companies the costs of having to pay fees to access the information. It is also often the case that companies are denied this kind of access, so Docket Alarm could be a source of competitive advantage.

Online Courts?

One technological idea that has caused the UK Law Society some serious concern is the proposal by the Judiciary of England and Wales to introduce ‘online courts’ to handle minor civil cases of up to £25,000. While the intent to use technology to automate part of the justice process and free up the physical courts may sound reasonable, the Law Society has pointed out that it could lead to discrimination based on factors such as access to IT facilities, IT literacy, and learning or language impairments. The Law Society also says that creating a two-tier system of this kind could mean that those who can’t afford professional advice will be at an unfair disadvantage because they are forced to represent themselves.

Even though there is currently regulatory uncertainty about legal tech companies, it seems that there are already some areas where technology can be used in a value adding and beneficial way in the legal profession. In reality, though progress may be slow, this looks like a trend that can only continue as no profession can remain exempt from technology.

Adobe’s Creative Cloud ‘Deletions’ Bring a Storm of Anger

The dark clouds of customer anger descended upon Adobe last week as a problem with its Creative Cloud apps software meant that some Mac users’ files were deleted without warning.

The issue that caused the deletions occurred, due to a bug in the software, when customers installed Adobe’s Creative Cloud version 3.5.0.206 app on their Mac or signed in to the cloud service.

Discovered by Backblaze

The nature of the problem was discovered by Backblaze who make data backup software that is used on Macs, after they started to receive a large number of customer support requests based around the same issue.

What Happened?

The Backblaze software that is utilized by Mac users to back up their files creates a folder called .bzvol in the top level of every drive it backs up (in the Mac’s system root directory). This folder contains the information from the drives that have been backed up. Unfortunately for the Mac users, the fault in the Creative Cloud version 3.5.0.206 app meant that it was deleting the contents of the first hidden folder at the root of the drive in alphabetical order, and this folder happened to be the .bzvol folder. The removal of the contents of the folder then prompted an error message from the Backblaze back-up software telling the Mac user that “your drive is no longer backed up”. This in turn led those who had received the error message to contact Backblaze’s customer support. After investigating the issue, Backblaze were able to alert Adobe to the nature of the problem.

The Response

Backblaze is reported to have made 2 videos demonstrating the flaw to help explain the nature of the problem. After being made aware of the issue, Adobe published a blog post acknowledging that “the updater may incorrectly remove some files from the system root directory with user writeable permissions”. This was followed two days later by the release of a fix for the issue and instructions for anyone who had experienced problems with the Creative Cloud update to contact Adobe Customer Service. New versions of the app were then made available online for Mac and Windows with the fix in place.

The response from many of the Mac users who had been on the receiving end of the Creative Cloud bug was to take to social media to vent their anger with Adobe over the incident, and over the nature of Adobe’s response to it, which some perceived as not apologetic or transparent enough.

How Hackers Can Take Control of Your Business VoIP Phone

If you are one of the many companies who use voice-over-internet-protocol (VoIP) phones, then you may find the results of a recent security researchers’ hacking experiment worrying.

Researchers Per Thorsheim, Scott Helme, and information consultant Paul Moore set up and published online the results of an experiment designed to demonstrate how VoIP phones have serious security vulnerabilities.

The fault occurs when VoIP phones are set up and left with default settings and the default password, where the phone does not require a unique set of credentials and does not force you to set a password when setting the phone up. This is sadly an all-too-common occurrence, and one that means that no authentication is therefore required. This, combined with the fact that VoIP phones and desktop computers are connected to the same network in many businesses, means that hackers are given a clear route in to the phone. Hackers can therefore take control of a VoIP phone in these circumstances by embedding and running a small amount of JavaScript exploit code in a web page that the VoIP phone user visits.

What Can The Hackers Do?

The researchers in this case proved that hackers using this method can use your phone to dial a premium-rate number, and at the same time disable the speaker so that you are unaware that it is happening. In fact this kind of hack can allow a VoIP phone hacker to do almost anything they like with your phone, including:

  • Make, receive and transfer calls (even before it rings)
  • Play recordings
  • Upload new firmware
  • Use your phone for covert surveillance i.e. eavesdropping
  • Other kinds of social threats, interception and modification and service abuse.

Very Common Hack

Nettitude research from 2015 helped to highlight how common this type of hack has become. A large number of VoIP attacks were recorded worldwide, but in the UK the problem was (and very likely still is) very bad, with attacks against VoIP services making up 67% of all attacks recorded against UK based servers.

What Can Be Done?

One important measure that phone vendors could take to minimise the risk of these attacks would be to supply devices with “default” credentials, and to make sure that all other functionality in the phone is disabled until a suitably secure password is set to replace them. For businesses it is important to check that the right password protection has been put in place during the set-up of the VoIP phone(s), and to be aware of the risks that VoIP phones can pose, despite their cost advantages.