Archive for February 2018

Your Latest IT News Update

A Quarter Of UK Councils Have Been Hacked

A freedom of information request by privacy campaign group Big Brother Watch has revealed the shocking statistic that a quarter of all UK councils have had their IT systems breached in the past five years.

<More>

GDPR Extortion Prediction

A report by Security Company Trend Micro has predicted that, as cyber-criminals are now focusing more on maximising financial return, the introduction of GDPR this year could give them potentially lucrative extortion opportunities.

<More>

Belgium Says No To Facebook Tracking Code

A court in Belgium has told Facebook to stop using tracking code to follow and record internet use by people surfing in Belgium, until it complies with the country’s own privacy laws.

<More>

Postcards To Combat Election Interference

Following disclosures of how Facebook was used by advertisers who may have been seeking to influence the US election result, Facebook has suggested that in future in the US, those backing candidates with advertising campaigns will receive a ‘snail mail’ postcard sent by Facebook with a verification code.

<More>

Facebook In Authentication Spamming Row

Facebook is facing criticism for allegedly using sign-ups to 2 factor authentication as an opportunity to send spam SMS notifications.

<More>

Tech Tip – Windows 10: Near Share

One helpful feature to look out for in the Windows 10 update this Spring will be ‘Near Share’ whereby nearby Windows 10 devices can share files and URLs with you via Bluetooth.

<More>

A Quarter Of Councils Have Been Hacked

A freedom of information request by privacy campaign group Big Brother Watch has revealed the shocking statistic that a quarter of all UK councils have had their IT systems breached in the past five years.

37 Attempted Cyber Attacks Every Minute

The ‘Cyber Attacks In Local Authorities’ report from Big Brother Watch shows that local governments are subject to cyber attack attempts at the staggering rate of 37 per minute!

Thankfully, only a tiny fraction of the attacks launched are successful although this still represents a serious problem. For example, 114 councils experienced at least one incident between 2013 and 2017.

High Stakes

The nature of the work of UK Councils is such that they hold a large amount of up-to-date personal data for people in their areas, so one successful breach can have very serious consequences.

Not Disclosing Breaches

One particularly worrying aspect of council behaviour exposed by the report is that, from the data gathered, few seem to have reported losses and breaches of data, which is something that organisations will be required to do within 72 hours under GDPR when it comes into force in May.

Human Error – Training Needed

As in so many companies and organisations, human error is often a factor in breaches. In 2015, for example, Big Brother Watch has exposed how local authorities committed 4 data breaches a day, all thought to be predominantly caused by human error.

Big Brother Watch has also revealed that that, despite the number and seriousness of the breaches, little action has been taken by UK councils to increase staff awareness and education in matters of cyber security and data protection. For example, it has been disclosed that 75% of local authorities do not provide mandatory training in cyber security awareness for staff, and that16% do not provide any training at all!

What Does This Mean For Your Business?

Some commentators have been quick to point out that bearing in mind how much sensitive data councils hold about citizens, and the incredible amount of attempted cyber attacks against them, they could be making more of an effort and an investment to beef-up security.

Other commentators have noted that cuts to council budgets e.g. with austerity measures may have played their part in limiting cyber security effectiveness in UK councils.

After the shocking findings of the report, Big Brother Watch issued some recommendations to local authorities which could very well apply to other businesses and organisations. These are:

  • Cyber security should be prioritised, and that rather than investing too much in surveillance technologies, more should be invested in cyber security strategies and in the training of staff.
  • Cyber security incidents should be consistently reported, and that a protocol needs to be established so that incidents are reported quickly and to the right authorities e.g. the police, the ICO, and the National Cyber Security Centre.
  • All staff should receive mandatory training in cyber security because Cyber attacks are not only designed to breach computer systems, but also to exploit humans who are often the weakest cyber security link.

GDPR Extortion Prediction

A report by Security Company Trend Micro has predicted that, as cyber-criminals are now focusing more on maximising financial return, the introduction of GDPR this year could give them potentially lucrative extortion opportunities.

How?

The point that this report is making is that with the prospect of massive fines under GDPR e.g. fines up to €20 million, or 4% of their global turnover, criminals could extort large sums of money from companies with the threat of a cyber-attack that could lead to data security breach, which could, in turn, lead to a fine under GDPR. It has been suggested that criminals could first determine the penalty under GDPR that could result from an attack, and then demand a ransom of slightly less than that fine.

What’s Happening?

The recent trends in cyber-crime are what have led to this latest chilling prediction. For example, the fact that cyber-criminals appear to be abandoning exploit kits and indiscriminate attacks in favour of more strategic attacks with maximised financial gain is a trend that has become more apparent. This trend coupled with the fact that, although the number of reported breaches in 2017 was lower than in 2016, the amount of data compromised by cyber attacks increased, have led security commentators to believe that criminals will seek to exploit GDPR as a money-making weapon.

Predictions Started Last Year

Predictions that the threat of GDPR fines could be exploited by criminals first surfaced in the media last November when researcher Mikko Hypponen made the point that GDPR fine figures could give cyber-criminals who are using ransomware, or hackers stealing data, a price point to set the ransom at because now they know how much money they should be asking.

Hypponen argued that because the criminals know what data is worth / what covering-up a data breach may be worth to some companies (probably large, well-known ones), these companies may be actually willing to pay anything less than the full amount of the fine to avoid serious damage to their reputation, loss of customers and more.

According to Hypponen, ransoms could, therefore, be set at up to 2% or 3% of the targeted organisation’s global annual turnover. This could equate to millions of dollars in some cases.

Threat Of Reporting Too

As well as the threat of a ransom to avoid a direct, deliberate attack that would result in a fine, security commentators have also suggested that hackers / scammers could steal data with advanced ransomware and then blackmail the victims with the threat of reporting them to the data protection commissioner. This is because ransomware can affect the availability, access, and recovery of personal data.

Other Trends

Other Trends uncovered in the recent Trend Micro Report include:

  • A 32% increase in new ransomware families from 2016 to 2017.
  • A doubling of business email compromise (BEC) attempts between the first and second half of 2017.
    Rapidly rising rates of cryptocurrency mining malware (100,000 detections in October).
  • A 22% increase from 2016 in BEC attempts to trick company employees into approving money transfers to criminal accounts, mostly targeting the chief financial officer (CFO).
  • More attacks on vulnerable internet of things (IoT) devices, with software vulnerabilities also continued to be targeted (1,009 new flaws discovered and disclosed in 2017).

What Does This Mean For Your Business?

As well as being an opportunity to get the (data) house in order and to enhance competitiveness (GDPR compliant companies are more likely to want to deal with other compliant companies), the size of the fines and now the potential activities of extortionists are risks for the coming years for UK businesses. Even though these predictions relate to more daring and sophisticated crimes, companies should still make sure that they are at least covered against more basic attempts e.g. by keeping up to date with software patching, and covering all known vulnerabilities.

Ways that companies could protect themselves against hacking / ransomware threats include only giving users access to what they need and taking away admin privileges, backing up all critical files effectively and securely, and testing those backups to make sure that information can be restored in a usable form. Training of staff e.g. chief financial officers (CFOs) or anyone involved in payment, and establishing a clear process for checking and chain of command could reduce the risk of BEC attempts and socially engineered attacks. Businesses would also be wise to make sure that their Business Continuity and Disaster Recovery Plans are kept up to date in the light of emerging threats.

Belgium Says No To Facebook Tracking Code

A court in Belgium has told Facebook to stop using tracking code to follow and record internet use by people surfing in Belgium, until it complies with the country’s own privacy laws.

What’s The Problem?

According to Belgium’s privacy watchdog, the Belgian Commission for the Protection of Privacy (CPP), Facebook placed tracking code in the form of ‘cookies’ on third-party websites. This would mean that Facebook’s actions did not comply with Belgium’s privacy laws because:

  • It tracked people without consent.
  • It tracked people who were not Facebook users.
  • It (presumably) stored the tracked personal data that it obtained illegally in the first place.

What Now?

If Facebook fails to comply with Belgium’s CPP it could face fines of £221,000 per day.

Industry Standard

Facebook is reported to have expressed disappointment at the verdict and has stated that it is simply using the same industry standard cookies and pixels that other EU businesses use to help them grow their business.

Ongoing

This latest case appears to be the latest round in a long-running, ongoing dispute between the social media giant and the CPP. For example, back in November 2015, the CPP won a case against Facebook concerning the tracking of people with a ‘datr cookie’ when they visited pages on the site and clicked on like or share, even if they had never registered for an account, or if they had but weren’t even logged in.

Facebook was able to appeal and win an overturning of the verdict because it was judged that Belgian courts didn’t have international jurisdiction over Facebook Ireland i.e. because the data collected by the cookies was stored on servers in Dublin, the European base of Facebook’s operations.

The CPP then indicated that it would try to appeal against Facebook’s successful appeal through Belgium’s court of cassation, using a Yahoo case as an example. With Yahoo, for example, it was ruled back in 2015 that finding against Yahoo wouldn’t have to mean intervention outside of Belgium, and that, since Yahoo actively participated in the economic life of Belgium by using the domain name .be or displaying ads based on users’ location e.g. in Belgium, it voluntarily submitted itself to Belgian law.

What Does This Mean For Your Business?

This story has commercial, legal and political aspects to it. Cookies can provide useful information and functions for businesses e.g. helping to personalise user browsing experiences, and gathering information about users of the company website – usually with an initial registration of consent by users of a website.

With this Facebook case, as web users, we may feel uneasy that trusted companies may be tracking all-comers without consent. This kind of story reminds us all about the importance of privacy and security, and its worth remembering that cookies sent over the web without encryption i.e. if the website doesn’t have HTTPS in front of the domain, could be a security risk because they are readable by anyone on a network and could sensitive data e.g. credit card details, e-mail address and more. Google, for example, has just announced that from July, Chrome will be labelling websites without HTTPS as ‘Not Secure’ to try and combat this kind of risk.

The legal aspect of this case relates to which country has jurisdiction over the actions of a company whose services are used in that country, but the HQ and the data storage are in another country. This is another long-running legal argument e.g. Apple’s tax breaks in Ireland.

Many see the EU and people like the EU’s commissioner for competition, and measures like greater regulation and taxation as being useful to curb some of the more suspect behaviour of the big US Internet companies in Europe.

The introduction of GDPR should also provide greater protection for EU citizens in terms of online privacy and security. The UK will soon not be an EU member, but will have its own similar Bill added to UK law, but this could produce more legal grey areas.

There is clearly a political dimension to this story too as Belgium seeks to hold a powerful overseas company to account, and it wouldn’t be the first time that an EU country has tried to do this.

Postcards To Combat Election Interference

Following disclosures of how Facebook was used by advertisers who may have been seeking to influence the US election result, Facebook has suggested that in future in the US, those backing candidates with advertising campaigns will receive a ‘snail mail’ postcard sent by Facebook with a verification code.

Ads Mentioning A Candidate

The measure is reported to be only applicable to those who run adverts mentioning a specific candidate, rather than paying to promote a political message e.g. a policy. The verification code sent on the post card can then be used to confirm the advertiser lives in the United States.

Won’t Solve Everything

Facebook’s global director of policy programs, Katie Harbath, has reportedly acknowledged that the postcard idea may not solve all the all problems, but it is the most effective solution that the company could come up with for the time bring to stop similar illegal activity happening on its platform.

How Bad Was It?

Back in November, Facebook released figures ahead of its Senate hearing showing that Russia-based operatives uploaded 80,000 posts to Facebook in the last 2 years. Taking into account posts published between June 2015 and August 2017, it is believed that 29 million Americans saw the posts directly, and that 26 million American users may have seen, and perhaps been influenced by, liked and shared messages and comments that could have originated in Russia.

Also, US Special Counsel Robert Mueller said recently that no fewer than 13 Russians and three Russian companies are believed to have committed criminal offences by using social media to interfere in the US election.

What Does This Mean For Your Business?

It does seem a little ironic that one of the world’s most famous Internet companies must resort to ‘snail mail’ to solve a major problem, but as the company says, it seems like the only effective option for now. It would also be easy to see how this overt, but fairly limited option could be gotten around by e.g. determined state sponsored players.

The bigger picture of the whole election result influence story (i.e. which party / candidate wins) is that it has a big effect on the business environment as well as on society. It is not a surprise that one country could seek to influence events in another, but it is a surprise to some people that tech companies and social media companies are still able to offer such a powerful voice and a channel to all.

The challenge that tech companies such as Facebook and Google (with YouTube) face is that they need to protect the idea that they reject censorship and interference from governments, while still being seen to be acting responsibly and proactively, while also protecting their brands and monetising elements of their business at the same time.

The election revelations have just served to add fuel to the arguments of governments and politicians, both in the US and the UK, that they don’t have more of an influence over social media and tech companies e.g. with the end-to-end encryption debate in the UK, and that they often only come up against lawyers for these companies rather being able to be seen to be publicly grilling the owners of these tech giants themselves.

Facebook In Authentication Spamming Row

Facebook is facing criticism for allegedly using sign-ups to 2 factor authentication as an opportunity to send spam SMS notifications.

What 2FA?

Facebook has been allowing users to sign up for SMS-based two-factor authentication to mitigate the risk of phishing attempts and to help protect people from having their accounts compromised.

Spam Too

Unfortunately, in addition to receiving the authentication texts / security tokens that they expected, some sign-ups have also reported receiving what are essentially extra spam texts from Facebook with links to other things happening on the social network.

To make matters even worse, any replies to the spam texts e.g. requests to stop the texts, were reported to have been posted onto the user’s Facebook profile page.

Facebook Sorry

After complaints were received, Facebook released a statement saying that it was sorry for any inconvenience caused, and that it was not their intention to send non-security-related SMS notifications to the phone numbers that customers had submitted as part of the two-factor authentication service.

With regards to posting customer replies to the spam texts on their own Facebook profiles, Facebook explained that this was a throwback to a time before the ubiquity of smartphones when Facebook supported posting to profiles via text message. Facebook admitted, however, that this feature is now less useful, and that it would soon be deprecated..

Bad Publicity In Europe

This incident comes on top of plenty of recent bad publicity in Europe for Facebook. Firstly, after a dispute dating back to 2015 where Facebook fell foul of Verbraucherzentrale Bundesverband (vzbv), or Federation of German Consumer Organisations, a German court has just ruled that Facebook didn’t do enough to alert people to the pre-ticked privacy settings on its mobile app. It also found that eight clauses in Facebook’s terms of service were invalid, including terms that allow Facebook to transmit data to the US and use personal data for commercial purposes.

In a separate long-running spat, this time in Belgium, Facebook lost in a court case with Belgium’s privacy watchdog, the Belgian commission for the protection of privacy (CPP), where it was ruled that Facebook failed to comply with Belgian privacy laws. This time, it was found that Facebook had been using cookies to track people who may or may not have been Facebook users without their consent, and then stored the tracked personal data that it obtained illegally in the first place.

What Does This Mean For Your Business?

As well as highlighting how it appears that the behaviour of some big US Internet companies in Europe are being closely monitored (and needs to be), it highlights how data privacy laws and courts differ in different countries.

This story also brings into focus the importance of the imminent introduction of GDPR in May this year, which should go some way to making data privacy and security laws more uniform and consistent across the EU region. Even though the UK won’t be in the EU soon, GDPR will apply initially, and then the Data Protection Bill (DPB) will replace the Data Protection Act 1998, and will essentially transfer the EU’s GDPR into UK law for the future.

On the subject of GDPR, businesses should be reminded that we have now passed what is known as ‘X-Day’ (100 days from GDPR’s introduction), and that businesses and organisations need to quickly adopt an automated, classification-based, policy-driven approach so that they can meet the regulatory demands within the short time frame available.

In relation to the Facebook case of ‘accidental’ spam after sign-ups for the SMS-based two-factor authentication service, this behaviour would contravene GDPR because, under GDPR, the users would have only given consent for the 2FA service, and not for anything else. GDPR may, therefore, make companies think very seriously about what SMS and email messages they send to user groups based on their initial consent. The whole area of consent and GDPR is something that will need more discussion and clarification to help businesses understand the new boundaries for their online marketing.

Tech Tip – Windows 10: Near Share

One helpful feature to look out for in the Windows 10 update this Spring will be ‘Near Share’ whereby nearby Windows 10 devices can share files and URLs with you via Bluetooth.

This feature is similar to Apple’s AirDrop, and it works in the following way:

  1. Apps e.g. Photos, Microsoft Edge and File Explorer display a Share icon.
  2. Click on the icon to see and chose local devices to share with by Bluetooth.
  3. The recipient gets a notification via the Action Centre.
  4. Acceptance of the notification by the recipient allows the transfer to take place.

Your Latest IT News Update

Adopt ‘HTTPS’ Or Face Being Penalised by Google

Google has announced that websites without ‘HTTPS’ in front of their domains will be labelled as ‘Not Secure’ in version 48 of Chrome, starting this July.

<More>

UK Government Unveils Online Extremism Blocker

Home Secretary Amber Rudd has unveiled the UK government’s new tool for detecting and blocking online extremist and jihadist content.

<More>

Cryptojacking Discovered On Government Websites

A UK security researcher has discovered that cyber criminals have been using public sector websites, including that of the UK’s Information Commissioner’s Office for cryptojacking.

<More>

X-Day February 15th – Prepare For GDPR

Network services provider EfficientIP has warned businesses that, in reality, February 15th is the last day that organisations can ensure their real-world compliance with GDPR.

<More>

10 Gbps Home Broadband Speed Achieved In Test

Broadband operator Hyperoptic is reported to have achieved home Broadband speeds of up to 10 gigabits per second (Gbps) in a recent test.

<More>

Tech Tip – Windows 10: Keep Unwanted Software Off Computers You Support

If you help support your business and / or home computer, and you want to keep things secure and tidy by stopping other users from downloading unwanted software from sources you don’t trust onto the computer, here’s how…

<More>

Adopt ‘HTTPS’ Or Face Being Penalised by Google

Google has announced that websites without ‘HTTPS’ in front of their domains will be labelled as ‘Not Secure’ in version 48 of Chrome, starting this July.

What Is HTTPS and Why Does It Matter?

HTTPS stands for Hyper Text Transfer Protocol Secure. It is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to, which means that all communications between your browser and the website you visit are encrypted.

In practical and technical terms, having HTTPS in front of your website URL means that:

  • Every unprotected HTTP request could reveal information about the behaviours and identities of your users. With HTTPS, therefore, critical security and data integrity for both your websites and your users’ personal information is provided. For example, no one with access to your router or ISP can get in the middle and intercept information sent to websites, spy on what you’re doing, or inject malware into legitimate pages.
  • Intruders (benign and malignant), now target every unprotected resource between your website and users e.g. images, cookies, scripts, and HTML. HTTPS provides a kind of blanket protection. ‘Intruders’ could include intentionally malicious attackers, as well as legitimate but intrusive companies e.g. ISPs or hotels that inject adverts into pages.
  • HTTPS doesn’t just block misuse of your website, but it is now also a requirement for many cutting-edge features, and is an enabling technology for app-like capabilities such as service workers, or building progressive web apps.
  • Many older APIs are now being updated to require permission to execute e.g. geolocation API. HTTPS is, therefore, a main component to the permission workflows for both new features and updated APIs.

Naming and Shaming

Google’s Chrome Security Product Manager, Emily Schechter, has announced on the Google Blog that, as from July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”. Google has played down this more direct move as being simply another step in a progression that has seen it gradually marking a larger subset of HTTP pages as “not secure” over the last year. Those companies and organisations that have not yet got their secure certificates may, however, be left thinking that this looks more like a naming and shaming.

Google isn’t the only company to adopt this kind of tactic. Mozilla took a similar approach sites using HTTP back in December with Firefox Nightly version 59.

Cost

The cost of secure certificates varies e.g. popular host GoDaddy offers HTTPS for one website for around £44 per year (£55 when you renew it). Google’s blog post avoids discussion of the cost, and focuses more on the benefits, the risks of not getting one, and makes the point that secure certificates are now more affordable than ever.

According to Google’s figures, many sites have already switched to HTTPS, with a reported 68% of Chrome traffic on Android and Windows now protected, 78% of Chrome traffic on Chrome OS and Mac now protected, and 81 of the top 100 sites on the web now using HTTPS by default.

What Does This Mean For Your Business?

Clearly, any thought that a secure certificate will only be needed by websites that directly take payments is likely to be wrong. Google is committed to making HTTS the default standard – on its blog it says ‘a secure web is here to stay’. The fear for businesses, in addition to the fear of cyber attacks, is that if you don’t have HTTPS for your business website soon, it could suffer in the search engine rankings, and potential customers could be scared away by visual warnings that the site is somehow, suddenly not secure. For smaller businesses this could be particularly damaging.

If having HTTPS reduces the risk of cyber crime then the benefits of buying a secure certificate will outweigh the cost, but for many smaller businesses, this may feel like they are being forced to pay an extra cost each year, and it may also force cyber criminals to change their tactics e.g. move more into social engineering attacks, and perhaps turn to AI-powered attack methods.

UK Government Unveils Online Extremism Blocker

Home Secretary Amber Rudd has unveiled the UK government’s new tool for detecting and blocking online extremist and jihadist content.

Publicly Funded

The new tool was developed by artificial intelligence company ‘ASI Data Science’ based in London, and was funded using £600,000 of public funds.

Tackling A Growing Problem

The tool was developed to tackle the growing problem extremist / jihadist (e.g. IS) content being posted online, and current moderating techniques simply not being able to keep up with the job of detecting and removing it fast enough. For example, as well as the popular video platforms for posting such content, the Home Office estimates that between July and the end of 2017, extremist material appeared in almost 150 web services that had not been used for this kind of propaganda before.

An ASI Data Science spokesperson is reported as saying that there are currently over 100 different (extremist / IS) videos posted on over 400 different platforms online.

The danger is of course, that the material can contribute to the promotion of extremist causes, the radicalisation of people, the recruitment of new terror group members, and inspiring individuals / groups to commit their own acts of terror. Some of the content can also be very disturbing e.g. if viewed by children online.

How The New Tool Works

The new tool is reported to have an AI element which has enabled it to be ‘trained’ to correctly pick out extremist content. For obvious reasons, the exact workings of the tool are being kept secret, but it is understood that the tool uses an algorithm to detect signals that contribute to a level of probability (low to high) that a video is likely to be terrorist propaganda rather than e.g. a legitimate news video. The tool can be applied at the point of upload on a video platform, thereby stopping the propaganda video from being uploaded in the first place.

This tool is reported to be able to accurately detect 94% of IS video uploads, and that it can typically flag 0.005% of non-IS video uploads. On a site with five million daily uploads, for example, it would flag 250 non-IS videos for review / for a human decision to be taken.

Others Have Tried

Facebook and Google are known to have been trying to develop their own terror material filtering tool, and this UK version is thought to be suitable for use by smaller platforms first.

Home Secretary Says…

Home Secretary Rudd is reported as saying that even though the tool has been developed, the UK government won’t rule out taking legislative action too where necessary, and that an industry-led forum such as The Global Internet Forum to Counter Terrorism, launched last year, will also help to tackle the issue.

What Does This Mean For Your Business?

For businesses using the smaller social media and video platforms, this tool could be a practical solution to current moderation problems. For the UK government, it provides some good publicity, a chance to gain back some ground in the online battle with terror groups such as IS, and a way to be seen to be tackling worries of radicalisation of UK citizens. It also provides a way for the Home Secretary to apply more pressure to the popular social media platforms, some of which the UK government has criticised for not taking enough fast action to detect remove extremist content.

For UK businesses generally, association with and use of advertising platforms that are free of extremist and unsavoury material is obviously better from a brand protection point of view. It is, however, a fact that Facebook and Google are hugely important for business advertising, and that PPC advertising for example, is unlikely to be affected by whether the chosen video / social media platform adopts such a screening-tool in the near future.