Archive for December 2017

Your Latest IT News Update

Miscarriage Risks From Wi-Fi And Smartphones

A U.S. study has found a link between high levels of magnetic field (MF) non-ionizing radiation, such as that emitted by mobile phones and Wi-Fi transmitters, and a 2.72x higher risk of miscarriage.


Beware Android Phone-Melting Malware

A type of crypto-currency mining malware has been found to overload an Android phone with so much constant traffic that its battery physically bulges and bends the phone cover.


Kaspersky Tries To Overturn U.S. Directive

Embattled Moscow-based cyber security firm, Kaspersky Lab, is appealing against the U.S. Government’s ban on its software on the grounds that it is unconstitutional, and that there is no technical evidence.


School Heating Hack Risk

Cyber-security company Pen Test Partners has warned that schools with building management systems that are linked to the Internet could face the risk of hackers turning the school heating system off – or worse.


No More Chrome Apps From Next Year

Google has announced that Chrome apps for Mac and Windows will no longer be available from the Chrome Web Store by early next year and that they will be replaced next year by Progressive Web Apps (PWA).


Tech Tip – Storage Sense

If you want to make sure that you don’t start running out of space on your device, Windows 10 includes the Storage sense tool to monitor and free up space on your device automatically.


Miscarriage Risk From Wi-Fi And Smartphones

A U.S. study has found a link between high levels of magnetic field (MF) non-ionizing radiation, such as that emitted by mobile phones and Wi-Fi transmitters, and a 2.72x higher risk of miscarriage.

What Is MF Magnetic Field Non-Ionizing Radiation?

Radiofrequency energy is a form of electromagnetic radiation, and this can be categorized as either ionizing (e.g., x-rays, radon, and cosmic rays) or non-ionizing (e.g. radiofrequency and extremely low frequency, or power frequency). The energy of electromagnetic radiation is determined by its frequency. Ionizing radiation is high frequency, and high energy, whereas non-ionizing radiation is low frequency and low energy.

Magnetic Field Non-Ionizing Radiation / MF radiation is widespread, and something that we are all exposed to from traditional sources that generate low frequency MFs / emit radio-frequency MF radiation e.g. power lines, and appliances, and from emerging sources that generate higher frequency MFs e.g. wireless networks, smart meter networks, mobile phone masts, and wireless devices such as smartphones. Even household appliances such as fridges and freezers emit MF radiation.

We are now generally exposed to more MF radiation than ever because we use more MF generating equipment / devices as part of modern life.

The Study Results

The results of the San Francisco-based study involving 913 pregnant women found that those women exposed to high levels of MF non-ionizing radiation had a 2.72x higher risk of miscarriage than those exposed to low MF levels.

The authors of the study say that these findings add to the evidence of at least 7 previous studies that MF non-ionizing radiation could have adverse biological impacts on human health.

The facts that this study showed an almost three-fold increased risk of miscarriage if a pregnant woman was exposed to higher MF levels, that the association was independent of any specific MF exposure sources or locations, and that a 2.5mG threshold level for health effects may have been discovered make the results appear significant, and have got the attention of the media.

Cancer Link Too

Another recent (multi-year) survey by the National Toxicology Program (NTP) found an increased risk of cancer associated with MF non-ionizing radiation exposure. In this case, it found that the cancer risk from MF radiation exposure in experimental animals matched the cancer cell types that had been reported in previous epidemiologic studies in human populations.

The UK National Cancer Institute acknowledges online that exposure to ionizing radiation, such as from x-rays, is known to increase the risk of cancer, but that there is currently no consistent evidence that non-ionizing radiation increases cancer risk.

What Does This Mean For Your Business?

The modern workplace, which could be a company / organisation office, an office at home, or a vehicle, is likely to have MF emitting equipment that is in regular or constant use. Add to this the amount of MF non-ionizing radiation exposure we receive when we go home, use our phones, go into shops and other buildings, or pass near e.g. phone masts, and it is easy to see why any evidence of negative effects on health is causing concern. Since pregnant women appear to be particularly at risk, it may be necessary for companies to at least make sure that any pregnant employees are informed of the existence of those kinds of risks on the premises, and of the potential danger according to prominent studies.

It is important to remember, however, that even though the results of this study are worrying, MF non-ionizing radiation is very difficult to avoid (particularly in built-up areas), that there is no consistent evidence of certain health risks, and that for many studies it is difficult to measure exactly how much MF radiation each individual research subject is exposed to. It is likely, therefore, that the results of this study will point the way for more research in future.

Beware Android Phone-Melting Malware

A type of crypto-currency mining malware has been found to overload an Android phone with so much constant traffic that its battery physically bulges and bends the phone cover.

Malware Causing Physical Damage

The Android phone-wrecking Trojan malware, dubbed “Loapi”, was discovered by Kaspersky researchers. In tests, after running it for several days mining the Monero crypto-currency, the Android phone used in the test was overloaded with activity (trying to open about 28,000 unique URLs in 24 hours) to the point that the battery and phone cover were badly damaged and distorted by the resulting heat.

The Loapi malware is reported to have been found hiding in applications in the Android mobile operating system.

How It Works

Loapi reportedly works by hijacking a smartphone’s processor and using the computing power to mine crypto-currency.

‘Mining’ refers to the process of completing complex algorithms to get rewards of new crypto-currency units e.g. Bitcoin.

Loapi uses JavaScript code execution hidden in web pages (usually via advertising campaigns) with WAP billing to subscribe the user to various services. This works in conjunction with the SMS module to send the subscription message.

What makes Loapi particularly dangerous is the number of device-attacking techniques present in it, and the modular architecture of this Trojan, which means that more functionality could be added to it at any time.

Part Of Trend For Mining Scams

It is likely, therefore, that Loapi is loaded onto an Android OS when a user visits a website where mining software / mining code is running in the background, without the knowledge of the website owners or visitors.

For the scammer who plants the code, they can use the power of multiple computers / devices to join networks so that the combined computing power will enable them to solve mathematical problems first (before other scammers) and thereby claim / generate cash in the form of crypto-currency.

A report by ad blocking firm AdGuard in October this year showed that the devices of 500 million people may be inadvertently mining crypto-currencies as a result of visiting websites that run mining software in the background.

What Does This Mean For Your Business?

Unfortunately, many cyber criminals are now trying to leverage the processing power of computers, smartphones and other devices to generate revenue from mining crypto-currency. Mining software e.g. Coin Hive, has been found in popular websites, and crypto-currency mining scams are now being extended to target cloud-based computing services in the hope of harnessing huge amounts of computing power and using multiple machines to try and generate more income.

The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses, and this new threat of actually having your phone melted by malware adds another level of risk, including that of fire.

There are some simple measures that your business can take to avoid being exploited as part of this popular scam, although it is unclear how well these will work with the newly discovered Loapi. For example, you can set your ad blocker (if you’re using one) to block one specific JavaScript URL, which could stop the miner from running without stopping you from using any of the websites that you normally visit.

Also, browser extensions are available e.g. the ‘No Coin’ extension for Chrome, Firefox and Opera (to stop Coin Hive mining code being used through your browser).
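One way a site owner could check their own pages for the Coin Hive script mentioned above, and produce the matching ad-blocker rule; this is an added example, not code from the original article. The blocklist entry (coinhive.com), the CoinHive.Anonymous / CoinHive.User marker names and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: illustrative blocklist. coinhive.com hosted the Coin Hive miner
# named in the article; a real deployment would load a maintained list.
MINER_HOSTS = {"coinhive.com"}
# Assumption: constructor names of the Coin Hive JavaScript library, used to
# spot a miner that is started from inline code.
INLINE_MARKERS = ("CoinHive.Anonymous", "CoinHive.User")


def is_blocked(host):
    """True if host is a blocklisted domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def host_of(url):
    """Hostname of a script URL, or None for relative or malformed URLs."""
    try:
        # urlparse also handles protocol-relative URLs (//host/path).
        return urlparse(url.strip()).hostname
    except ValueError:
        return None


class ScriptAudit(HTMLParser):
    """Collects <script> tags that load or start a known miner."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._inline = None  # text chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            if is_blocked(host_of(src)):
                self.findings.append(("external", src))
        else:
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            code = "".join(self._inline)
            self.findings.extend(
                ("inline", m) for m in INLINE_MARKERS if m in code)
            self._inline = None


def audit_html(html):
    """Return (kind, detail) findings for one HTML document."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


def adblock_rules():
    """Adblock-style filter lines that block every blocklisted host."""
    return ["||%s^" % h for h in sorted(MINER_HOSTS)]


# Constructed sample page: one benign local script, one miner include, one
# benign host whose path merely contains the miner's name, one inline start,
# and body text that mentions the API without running it.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="//coinhive.com/lib/coinhive.min.js"></script>
<script src="https://static.example.com/vendor/coinhive.com/app.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();</script>
</head><body><p>CoinHive.Anonymous mentioned in text only</p></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_PAGE):
        print(kind, detail)
    print("\n".join(adblock_rules()))
```

Host matching misses a miner that has been renamed or is served through the site's own domain, so a clean result is one signal to read alongside CPU-usage monitoring.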

You can generally steer clear of dodgy Android apps by sticking to Google Play, by avoiding cloned apps from unknown developers within Google Play, by checking app permissions before you install them, by keeping Android apps up to date (and by deleting the ones you don’t use), and by installing an antivirus app.

Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current scams and what to do to prevent them, are just some of the ways that you could maintain a basic level of protection for your business.

Kaspersky Tries To Overturn U.S. Directive

Embattled Moscow-based cyber security firm, Kaspersky Lab, is appealing against the U.S. Government’s ban on its software on the grounds that it is unconstitutional, and that there is no technical evidence.

What Directive?

Back in September, The U.S. Department of Homeland Security (DHS) issued a Directive ordering civilian government agencies to remove Kaspersky software from their networks within 90 days. Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions (anti-virus software).

Concerns Over Many Years

The U.S. Directive (ban) came after concerns about possible Russian state interference in the U.S. elections, but Kaspersky have long been the subject of suspicion and concerns by western governments.

In July this year, for example, security researchers claimed to have found a way to force the anti-virus product to assist snoops in stealing data from segmented networks (not connected to the wider internet).

Back in 2015, it was also reported that the US National Security Agency and GCHQ had sought to carry out reverse engineering of Kaspersky anti-virus as far back as 2008 to discover any vulnerabilities.

Long-running fears about Kaspersky have also been fuelled by leaks from the NSA through Edward Snowden (2013), Hal Martin (2016), and by allegations (printed in the Wall Street Journal) that a Vietnamese NSA contractor was hacked on his home computer by Russian spies via Kaspersky.

Earlier this month Barclays bank in the UK emailed its 290,000 online banking customers to say that it will no longer be offering Kaspersky Russian anti-virus because of information and news stories about possible security risks.

The Appeal

A federal appeal has now been filed by Kaspersky Lab under the Administrative Procedure Act against the U.S. Directive to remove Kaspersky software from civilian government agency networks. According to Kaspersky, the DHS has acted unconstitutionally and has violated Kaspersky Lab’s right to due process by issuing Binding Operational Directive 17-01.

Kaspersky Lab argues that the issuing of the Directive was based on no technical evidence, and the company has repeatedly denied any ties to any government and has said that it would not help a government with cyber espionage.

Damage

Kaspersky Lab has publicly stated that the Directive and the wide-scale media coverage and public / business reaction to it have damaged the company’s position in the market. Sales are reported to be down, Kaspersky has announced the closing of its D.C. headquarters as a direct result of the U.S. government’s public suspicion toward its business, and the company’s founder, Eugene Kaspersky, has said that the company has also suffered damage to its reputation.

Submitting Code

As well as strenuously denying the allegations and launching an appeal, Kaspersky Lab said in October that it would submit the source code of its software and future updates for inspection by independent parties. U.S. officials.

What Does This Mean For Your Business?

For businesses using Kaspersky in the UK, it is worth remembering that although Barclays Bank have stopped using the software, and a U.S. Directive remains in place, no actual evidence of wrongdoing related to espionage / spying, or of the company colluding with the Russian state has been publicly provided.

Businesses will need to take an individual view of any possible risks, taking into account the context of a certain amount of paranoia and the recent focus in the media about Russia following allegations of interference in the US elections.

On a technical and security note, it may not be a good idea anyway to remove Kaspersky anti-virus from a computer without immediately putting a suitable alternative in place. Anti-virus forms an important part of a company / organisation’s basic cyber defences and this, and other software should be kept up to date with patches and updates to enable evolving threats to be combated as part of a wider strategy.

No More Chrome Apps From Next Year

Google has announced that Chrome apps for Mac and Windows will no longer be available from the Chrome Web Store by early next year and that they will be replaced next year by Progressive Web Apps (PWA).

Why?

Google has had Chrome-browser supported stand-alone apps on Mac, Windows and Linux since 2013, but back in August 2016 it was announced that Google would be phasing-out these apps because only 1% of users actively used them, and most hosted apps were already implemented as regular web apps e.g. Netflix.

Google, therefore, wanted to simplify its browser and move developers to more standardized web apps, and, therefore, planned to phase out standalone Chrome apps over 2 years, starting with the limiting of newly published apps to users on Chrome OS.

This latest announcement is the beginning of the final phase of that two-year plan.

Why Chrome Apps?

Chrome apps / packaged apps are basically Google’s own web-apps that are able to run offline, in their own window, and integrate with the underlying operating system and hardware.

Google has stated that it originally launched Chrome apps to give users experiences that the web, at the time (2013) couldn’t provide e.g. working offline, sending notifications, and connecting to hardware.

The Replacement – PWAs From APIs

Google’s work to move developers to more standardised apps has led to the introduction of powerful APIs e.g. service worker and web push, to enable the building of Progressive Web Apps that work across multiple browsers. These PWAs (launched earlier this year on Android) are essentially the replacement for Google’s standalone Chrome apps and blur the line between websites and installed software. PWAs will be available on desktops from the middle of 2018. According to Google, the benefits of PWAs are that they offer:

  • Reliability – they load instantly and don’t slow everything down.
  • Speed – they respond quickly to interactions with users, and animations are smooth.
  • Engagement – They offer the user an immersive experience with help from a web app manifest file (allowing users to control how an app appears and how it’s launched). A PWA feels like a natural app on a device.
  • Improved Conversions – Google has quoted the example of how AliExpress were able to improve conversions for new users across all browsers by 104% and on iOS by 82%.

What Does This Mean For Your Business?

It appears that the standalone Chrome apps may have been a welcome introduction back in 2013, but are now not being used because they have been replaced by regular web apps anyway. This announcement by Google shouldn’t, therefore, cause any real concern to most businesses.

Anything that can be done to simplify the use of browsers such as Chrome has to be good news.

The benefits of PWAs are also promising for developers and users, and the possibility of increased engagement and conversions are clearly of interest to businesses.

School Heating Hack Risk

Cyber-security company Pen Test Partners has warned that schools with building management systems that are linked to the Internet could face the risk of hackers turning the school heating system off – or worse.

The Problem

The problem is that many electricians and engineers may be lacking in knowledge about cyber security and / or may have linked a school’s HVAC system to Internet controls against the manufacturer’s guidelines. Also, many smart school heating systems may have vulnerabilities in them that hackers may find easy to exploit.

Tested

The researchers at Pen Test Partners tested for potential hacking risks by looking for building management system controllers made by Trend Control Systems via IoT search tool Shodan. This online tool (see https://www.shodan.io) provides a public API and enables anyone to discover which devices are connected to the Internet, where they are located and who is using them.

In a test, it was revealed that it took less than 10 seconds to find more than 1,000 examples of a 2003 model of a school heating system known to be vulnerable when connected to the Internet. The visibility of a known vulnerable system via a public website is a clear example that the risk of school heating systems being controlled remotely by hackers is real.

Not Just Schools

The same / similar heating systems may also be used in buildings used by retailers, government offices, businesses and even military bases, thereby highlighting a much wider potential risk.

Incentive

Security commentators have pointed out that there would be very little incentive for hackers to access school systems because many hacks are carried out for financial gain.

The risks could, however, increase in future as more devices and systems become part of the IoT.

What Does This Mean For Your Business?

It is possible that some businesses may be in buildings where the heating systems are exposed to a hacking risk. Risks could be reduced if companies used skilled IT workers who are aware of the potential risks and if systems are checked properly after installation.

To make heating systems really secure they should also be configured behind a firewall or virtual private network, and they should have the latest firmware and other security updates.

It is also important to note that some responsibility rests with the manufacturers of heating and other smart building systems to design security features into them because even if a device is not directly connected to the internet, there may be an indirect way to access it.

This story also highlights the wider challenge of tackling security for IoT devices and products. There have been many occasions in recent years when concerns about the security / privacy vulnerabilities in IoT / smart products have been publicly expressed and reported. The truth is that the extent of the current vulnerabilities is unknown because the devices are so widely distributed globally, and many organisations tend not to include them in risk assessments for devices, code, data, and infrastructure. Home / domestic users have no real way of ascertaining the risks that smart / IoT devices pose, probably until it’s too late.

It has also been noted that not only is it difficult for businesses, including manufacturers of smart products, to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.

For businesses, it’s a case of conducting an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default usernames and passwords in these devices are changed as soon as possible. For home users of smart products (who don’t run checks and audits), it appears that others (as in the case of the German Federal Network Agency) need to step in on their behalf and force the manufacturers to take security risks seriously.

Tech Tip – Storage Sense

If you want to make sure that you don’t start running out of space on your device, Windows 10 includes the Storage sense tool to monitor and free up space on your device automatically.

Storage Sense can empty the recycle bin every 30 days, and automatically clean up any temporary files on your drives. Here’s how to activate it:

  • Open ‘Settings’.
  • Click on ‘System’.
  • Click on ‘Storage’.
  • Turn on the Storage sense toggle switch.

Your Latest IT News Update

Supply Chain Attacks

With GDPR on the way, it is more important than ever for companies to protect themselves from online attacks via a 3rd party in their supply chain.


HP Laptop ‘Keylogger’ Security Risk Discovered

HP is reported to have issued patches for 450+ commercial workstations, consumer laptops and other HP products after a keylogger was found to have been hidden in a driver.


$80m Bitcoin Hack

Slovenian-based bitcoin mining marketplace NiceHash has reported that it has become the victim of a highly professional attack with sophisticated social engineering that has resulted in the theft of bitcoin to an estimated value of $80m.


Stick and Carrot Measures To Deal With GDPR

A report by Veritas Technologies has said that since 91% of most companies lack a strong data management culture they will be considering a number of ‘carrot and stick’ motivators to bring about the changes needed to help them to implement and comply with GDPR.


Facebook Dopamine-Addictive, Admits Ex-Exec

Former Facebook Vice President Chamath Palihapitiya has made the headlines following apparently negative comments that he made at an event about Facebook’s effects on society.


Tech Tip – Windows 10: Fix Search

If Windows Search can’t find files that you know are there somewhere, then you have the option to rebuild its index. Here’s how:


Supply Chain Attacks

With GDPR on the way, it is more important than ever for companies to protect themselves from online attacks via a 3rd party in their supply chain.

What’s The Risk?

Many companies have professional relationships with 3rd parties in their supply chain / value chain that involve granting them access to systems and sensitive data. This, combined with increased levels of sophistication in hacking tools and strategies, plus increased oversight from regulators, and potentially ‘weak link’ companies in terms of cyber-security now make the risk of supply chain attack very real.

Examples

Examples of high-visibility supply chain attacks where a 3rd party was implicated or blamed include the hack back in September of US Credit Rating Company Equifax when 143 million customer details were thought to have been stolen, including a possible 44 million from UK customers. Equifax was reported to have blamed the breach on a flaw in outside software it was using, and on a malicious download link on its website to another vendor.

Also, the much publicised, so-called ‘Paradise Papers’ leak of 13 million files allegedly giving details of the offshore tax havens and tax avoidance schemes used by the rich and famous, and by governments and corporations was blamed on offshore legal firm Appleby.

Figures

A Ponemon Institute survey has revealed that 56% of organizations have had a breach that was actually caused by one of their vendors, and although the average number of 3rd parties with access to sensitive information at each organization has increased from 378 to 471, only 35% of companies have a list of all the third parties they are sharing sensitive information with. An organisation that does not know which parties it has data sharing arrangements with, and cannot monitor or check the details of those relationships, is obviously in a risky situation that could make detection of a breach very difficult.

Now An Eco-System

Rather than being single entities, even small companies / organisations are now digital ecosystems where many things are bought-in or outsourced e.g. hardware, software, and services such as cloud provider services (in place on data centres). This means that there are many more potentially weak links in the value / supply chain of a company that breaches could come from.

GDPR

With GDPR coming in May 2018, for example, liability and responsibility will extend to all organisations that touch the personal data of the subject / subjects. This means that companies / organisations will need to take a close interest in all parts of the data storage and processing chain to ensure compliance all the way along, within the organisation, and in the choosing and management of 3rd party relationships.

Also, there will need to be privacy by design, and the software, systems and processes of companies must be designed around compliance with the principles of data protection. Companies and organisations will need to ensure that 3rd party companies e.g. cloud suppliers, are themselves compliant, and building-in encryption.

Professional Services Companies A Risk

Many professional supply-side services companies have shown themselves to be vulnerable, and are often a way that attackers use to reach their final goal e.g. the Verizon breach caused by Nice Systems (customer service analytics), and the Deloitte hack in September where hackers were able to access emails and confidential plans of some of its blue-chip clients.

What Does This Mean For Your Business?

Many security commentators now believe that a new approach is needed to manage 3rd party risk effectively across a company’s digital ecosystem. This means really understanding where risks lie within that system, tailoring controls according to those risks, and collaborating with 3rd parties to remediate and mitigate those risks.

Companies and organisations need to become good at managing 3rd party risk in order to reduce the likelihood of a breach. This could involve measures such as:

  • Identification of every vendor, and which of them have access to sensitive data.
  • Evaluation of the security and privacy policies of all suppliers.
  • Introducing service level agreements with suppliers that show their commitment to security.
  • Asking vendors to do self-assessments, allow customer visits and audits, or purchase cyber insurance (most likely to work for larger customers).
  • Checking security score ratings for vendors e.g. through BitSight Technologies or SecurityScorecard.
  • Looking at vendors’ internal policies and processes.

HP Laptop ‘Keylogger’ Security Risk Discovered

HP is reported to have issued patches for 450+ commercial workstations, consumer laptops and other HP products after a keylogger was found to have been hidden in a driver.

What Is A Keylogger?

As the name suggests a keylogger / keystroke-logger usually refers to covert spying / monitoring software that tracks every key that you strike on your keyboard. This software is usually employed with malicious intent e.g. to collect account information, credit card numbers, user-names, passwords, and other private data.

Supposed To Be Debugger

In the case of the recent HP keylogger discovery, however, the offending versions of Synaptics touchpad drivers were actually intended to be used for debugging and aren’t believed to have been used with any malicious intent. The “debug trace” is actually a legitimate tool used by software companies to trace a problem / bug.

The security threat is, in this case, a potential threat which could be exploited by a hacker, who could potentially track every letter a laptop user typed.

HP has stressed that there has been no recorded access to customer data as a result of the issue.

Discovered

The discovery of the potentially serious threat was made by a computer programmer known as ‘Myng’ back in November, who discovered the issue when trying to control the backlighting of an HP keyboard. The programmer noticed a format string for a keylogger when looking through the keyboard driver. At this point, he contacted HP about his discovery.

Not The First Time

Strangely, this is not the first time such a discovery has been made about drivers installed in HP products. Back in May, a keylogger was discovered in Synaptics subsidiary Conexant’s audio drivers, which are installed in HP Laptops.

Fix Issued

HP actually issued a fix for this latest “potential, local loss of confidentiality” issue back on 7th November (updated 12th December).

What Does This Mean For Your Business?

If your business uses HP Commercial Notebooks, Mobile Thin Clients, Mobile Workstations, or if you use an HP Consumer Notebook, the company has provided software updates for Synaptics touchpad drivers listed by model (a long list) on the support section of its website here: https://support.hp.com/us-en/document/c05827409 .

This story illustrates how software development needs to take into account all known potentially malicious angles. It also helps to illustrate how we may all be facing risks from as yet undiscovered bugs and vulnerabilities in commercial software that we are already using.

The importance of keeping up to date with patches and software updates cannot be overstated. It is worth remembering that 9 out of 10 businesses are hacked through un-patched vulnerabilities, that hackers can attack nine out of 10 businesses with exploits that are more than three years old, and that 60% of companies experience successful attacks targeting devices for which a patch has actually been available for 10 or more years.