Archive for December 2018

Your Latest IT News Update

Concerns Over Huawei and ZTE Equipment and Software

A statement from the Czech National Cyber and Information Security Agency (NCISA) has warned network operators that using software or hardware made by Chinese telecom equipment suppliers Huawei and ZTE could represent a security threat.

Why?

Huawei, which is the world’s biggest producer of telecoms equipment, is based in China, and according to the NCISA, private companies residing in China are required by law to cooperate with intelligence services.  This could mean that the products and services of those companies could, in theory, become part of the Chinese state security systems e.g. Huawei and ZTE could be used for spying on behalf of China.

Global Suspicion & Action

According to the Wall Street Journal, espionage chiefs from Australia, Canada, New Zealand, the U.K. and the U.S. (the so-called ‘Five-Eyes’), agreed at a meeting in July this year to try to contain the global growth of Chinese telecom Huawei because of the threat that it could be spying for China.

The US, Australia and New Zealand have barred Huawei Technologies Ltd. as a supplier for fifth-generation networks, and Japan also looks set to ban government purchases of equipment from Huawei and ZTE.

The U.S. government is also reported to have been putting pressure on Deutsche Telekom, the majority owner of T-Mobile US, to stop using Huawei equipment, although the head of Germany’s Federal Office for Information Security (BSI) Arne Schoenbohm is reported to have told German news outlet Der Spiegel that proof is required to substantiate the accusations.

Detained

Meng Wanzhou, the chief financial officer of Huawei, was recently detained in Vancouver at the request of U.S. authorities for violating US sanctions on Iran. The arrest of Meng Wanzhou happened on the same night that President Trump was dining with Chinese President Xi Jinping during the G20 summit in Argentina.  China’s state-run media, and some other commentators have suggested that Meng’s detention appears to be politically or economically motivated.

Response

The response by a Huawei spokesperson to the NCISA warning has been to deny any suggestion that a national security threat is posed by Huawei to the Czech Republic, and to call for NCISA to provide proof of its claims.

What Does This Mean For Your Business?

If the ‘Five-Eyes’ are to be believed, Huawei’s products and network software could have backdoors built-in to them which could, in theory, allow covert surveillance or control, or destruction of phone networks (which are accessible via the internet).  The fear is that those acting for the Chinese state could gain access to the data stored / routed through Huawei devices, telecoms equipment and software, and could even, perhaps, monitor the conversations on mobile phones.

There does, however, appear to be a lack of clear proof for the allegations, and bearing in mind that Huawei is the world’s biggest producer of telecoms equipment, and that its products are popular (this year it overtook Apple in terms of the number of handsets it was shipping worldwide) and that UK stores are still stocking and selling its handsets, the warnings of various governments look unlikely to be heeded for now.  It is worth noting that BT uses Huawei systems as part of its network, but is now removing Huawei systems from the core of the mobile network EE, which it purchased in 2016.

The advice as part of the recent Czech warning is that system administrators in critical information infrastructure should take ‘adequate measures’ against the threat.  This advice appears a little vague, and until conclusive proof can be produced, many people and businesses will feel that they can decide for themselves what, if any, action to take.

London Police Facial Recognition Trial

It has been reported that the police are conducting a trial of a facial recognition system in Soho, Piccadilly Circus and Leicester Square over two days in the run-up to Christmas in a bid to identify people among the Christmas shoppers who are wanted by the police or the courts.

Overt

Far from being used secretly, the Metropolitan Police are reported to be publicly announcing the use of the system using knee-height signs on pavements leading up to the surveillance areas, along with A4 posters on lamp posts and leaflets handed-out to members of the public by uniformed officers.

The actual surveillance using the facial recognition link-up to the police database of wanted offenders is reported to have been carried out (on Monday and Tuesday) by a green van with cameras mounted on the top. It has also been reported that for this London trial of facial recognition, the Metropolitan Police will have been studying the crowds for 8 hours per day over the two-day period, and have been specifically using a target list of 1,600 wanted people in the hope that crime and violence can be more effectively tackled.

Criticism

Criticism from privacy and freedom campaigners such as Big Brother Watch and Liberty has focused on mixed messages from police about how those who turn away from the van because they don’t want to be scanned will be treated.  For example, it has been claimed that some officers have said that this will be treated as a trigger for suspicion, whereas a Metropolitan Police press release has stated that those who decline to be scanned (as is their right) during the deployment will not be viewed as suspicious by police officers.

Concern has also been expressed by Big Brother Watch that, although the police may believe that the deployment of the system is overt and well publicised, the already prevalent signs and advertisements in the busy central London areas where it is being deployed could mean that people may not notice, thereby allowing the police to blur the line between overt and covert policing.  It has also been pointed-out by privacy groups that the deployment involves an unmarked van and plainclothes officers, which are normally associated with covert activity.

Doesn’t Work?

Big Brother Watch and Liberty are currently taking legal action against the use of live facial recognition in South Wales (the site of previous trials) and London, and ICO head Elizabeth Denham is reported to have launched a formal investigation into how police forces use facial recognition technology (FRT) after high failure rates, misidentifications and worries about legality, bias, and privacy.

Serious questions have been raised about how effective current facial recognition systems are.  For example, research by the University of Cardiff, which examined the use of the technology across a number of sporting and entertainment events in Cardiff for over a year, including the UEFA Champions League Final and the Autumn Rugby Internationals, found that for 68% of submissions made by police officers in the Identify mode, the image had too low a quality for the system to work. Also, the research found that the locate mode of the FRT system couldn’t correctly identify a person of interest 76% of the time.

Google Not Convinced

Even Google (Cloud) has announced recently that it won’t be selling general-purpose AI-driven facial recognition technology until it is sure that any concerns over data protection and privacy have been addressed in law, and that the software is accurate.

Fooled With A Printed 3D Head!

The vulnerability of facial recognition software to errors and inaccuracy has been further exposed by a journalist, Thomas Brewster, from Forbes, who claimed that he was able to fool the facial recognition on four Android phones by using a model 3D head with his own face printed on it!

What Does This Mean For Your Business?

For the retail businesses in the physical area of the trial, anything that may deter criminal activities like theft and violence and may also catch known criminals is likely to be a good thing.

Most businesses and members of the public would probably agree that CCTV systems have a real value in helping to deter criminal activity, locating and catching perpetrators, and providing evidence for arrests and trials.  There are, however, several concerns, particularly among freedom and privacy groups, about just how facial recognition systems are being and will be used as part of policing e.g. overt or covert, issues of consent, possible wrongful arrest due to system inaccuracies, and the widening of the scope of its purpose from the police’s stated aims.  Issues of trust where our personal data is concerned are still a problem, as are worries about a ‘big brother’ situation for many people, although the police, in this case, have been clear that it is just a limited trial that has been conducted as overtly as possible with the support of posters and literature to make sure the public is informed.

Warnings of Printer Chip-Frying

Swedish YouTube vlogger, PewDiePie, is reported to have inspired some of his 77 million followers to hack 50,000 printers to promote his YouTube channel, and to draw attention to vulnerabilities in their printer firmware that could even be exploited by hackers to ‘fry’ a printer chip.

Messages Sent Through Printers

The vlogger, PewDiePie, primarily wanted to make a point that popular printer firmware has vulnerabilities in it that could leave people open to hacks that could disable and even permanently damage their printer. Also, there is the risk that a printer hack could enable attackers to see and alter potentially sensitive information as it’s printed out.

Thankfully for printer owners, the chosen method of raising awareness by some followers of PewDiePie was to send messages through their printers.  The messages, in this case, asked people to subscribe to PewDiePie’s YouTube channel and asked them to unsubscribe from a rival channel called T-Series.

Could ‘Fry’ The Printer Chip

According to PewDiePie, one of the most alarming risks that people could face thanks to vulnerabilities in the printer firmware is hackers forcing a stream of data to be continuously written by the printer’s chips. Since the chips only have a limited lifespan of ‘writes’, keeping them on such a continuous loop for long enough could overload and ‘fry’ the printer chip, thereby stopping the printer from working altogether.  This would most likely require the victim to purchase a new printer.

Unsubstantiated

Although it has been claimed that followers of PewDiePie have caused 100,000 machines to print out the message, this figure has not been verified, and currently, there is only anecdotal evidence in the form of some Twitter posts from alleged victims in the UK, US, South America, Spain and Australia.  There have, thankfully, been no reports of any printer chips being fried as yet.

Example

One example of how printers can be compromised dates from early 2017 when a hacker named Stackoverflowin was able to take control of more than 150,000 printers manufactured by HP, Brother, Epson, Canon, Lexmark and Minolta, and ordered them to print out a message.

What Does This Mean For Your Business?

This may be a publicity stunt by a YouTube vlogger that is likely to expand the number of his followers, but it appears to have had a serious point about a security vulnerability that could affect your business or home printer. Back in August, for example, it was discovered that hundreds of HP inkjet printer models were in desperate need of firmware patches, and this latest stunt may help to prompt enough questions from printer owners to motivate printer manufacturers to take another look at their firmware, and for printer owners to seek out patches that may already be in existence.

Smart Botnet Detection Needed

For businesses to maintain an effective cyber defence, the ability to prevent, detect and stop smart botnets in real-time is now an important consideration.

What Is A Botnet?

A botnet is a term for multiple malicious mini-programs working together to take over large numbers of computers and digital devices for different purposes e.g. stealing data and / or launching attacks, or in the case of DDoS attacks, shutting down servers (and the websites on them) by bombarding them with requests (a flood).  Botnets also sap electricity and computing power as they work.

How Big Is The Problem?

According to DDoS protection provider Link11, DDoS attacks (launched using botnets) on e-commerce providers showed an increase of more than 70% on Black Friday compared with other days in November this year, and Cyber Monday attacks showed a massive increase of 109% compared with the November average. Botnets have also shown a move towards the Internet of Things (IoT).

Last year saw a huge growth in the use of botnets.  For example, Spamhaus figures showed that the number of command and control (C&C) servers used for managing IoT botnets more than doubled, going from 393 in 2016 to 943 in 2017.

The increase in the use of botnets has been driven by factors such as the availability to cyber criminals of very cheap and easy-to-operate rent-a-botnet services (booter or stresser botnet services), and the proliferation of IoT devices with sub-standard security that can be used in attacks. Cyber criminals also use various amplification techniques to increase the impact of their attacks.

Characteristics Of Botnets

The characteristics of botnets and how they are made can provide the key to detecting them and preventing them. For example:

  • Some have a long ‘dwell time’ (the time the malicious program sits on a device before it’s activated), and they need to communicate to work. Communication often involves the use of command and control servers. Disconnecting communications between bots and their botnet command and control servers has, therefore, been a way of stopping them.  New smart bots, which create peer-to-peer networks, can be more difficult to stop.
  • Botnets use processing power.  If suspicious processes that take up a lot of memory are spotted, and / or if devices appear to slow down, this can be an indicator that the device has been compromised and a botnet is awake and active.

Turned To Crypto-Mining

A recent security bulletin from Kaspersky Labs states that botnets are now increasingly being used to distribute illicit crypto-mining software, and that the number of unique users attacked by crypto-miners grew significantly in the first three months of 2018. The malware used for mining is designed to secretly reallocate an infected machine’s processing power to mine cryptocurrencies, with all the proceeds going to the attacker.

What Does This Mean For Your Business?

With cyber-crime, prevention is better than cure, and being able to detect signs of attacks early is vitally important. Security commentators suggest a focus on security measures that prevent initial infection and lock-down unnecessary trust permissions. Businesses may also benefit from using security technologies that can detect, alert or block botnet activity in real-time, and by continually analysing network traffic and local system logs.

Inspecting devices and checking for any suspicious processes that appear to be taking up a lot of memory may also be a way to detect botnets that have already slipped through the net and are active.

Rumours That ‘Microsoft 365’ Package Is On The Way

There have been rumours among some IT commentators that Microsoft may soon be offering a single subscription-based, Windows 10-style service named ‘Microsoft 365’ that offers home ‘power users’ a combo of its popular software including the operating system, MS Office, Skype, and even OneDrive.

Office 365

Currently, home Microsoft users can sign-up to Office 365 that includes everything except Windows 10.  The ‘Microsoft 365’ service would, therefore, offer them a kind of mini enterprise version of Microsoft products for a single payment.

Why?

It is thought that this kind of service could put Microsoft 365 on a par with other big-brand subscription services such as Office 365, Skype, Cortana, Bing, Surface and Microsoft Education.  It is also likely that Microsoft 365 would be a more powerful and attractive replacement for Office 365.  It could also simply bring more people deeper into the Microsoft fold which could, in turn, help feed its other apps and platforms such as Android (which has replaced the Windows Mobile OS).

Also, if people commit to signing-up to one bundle of products / services with one company such as Microsoft, they may be less inclined to switch easily or to be attracted by rival services e.g. by Google or Apple, that do the same thing anyway.

Rumours?

The rumours that Microsoft 365 could become a reality appear to have been fuelled by job listings being posted referring to a Microsoft 365 Consumer Subscription product manager and Microsoft 365 Consumer Subscription senior product manager with roles that relate to developing a customer-focused subscription globally for Microsoft’s consumer services.

What Does This Mean For Your Business?

For Microsoft, this type of service could help it to bring users closer to the brand and encourage them to use its other apps and services, while gaining an advantage over big competitors such as Google. For home users, many of whom are actually small businesses or those who work on the business from home, this kind of single subscription bundle of useful and familiar services could represent real value and convenience.

Tech Tip – Find Out When You’re Visiting A Site That’s Been Hacked

If you use Google Chrome and you’d like to make sure that you know when you’re visiting a site that’s been hacked, and you’d like to set up a watch list for sites that you regularly visit, or those that store personal data, here’s a handy browser extension that could help.

The HackNotice extension for Google Chrome could help you to add another layer of security to your browsing.  To use it:

In Chrome, Google ‘hacknotice extension’.

Click on the link.

Click on the ‘Add to Chrome’ button (top right).

Follow the instructions.

Your Latest IT News Update

O2 Outage – What Happened

Last week’s major O2 4G mobile network outage, which left millions of customers with no network data access, has been blamed on an expired software certificate that 3rd party supplier Ericsson had installed for some customers at a business-critical part of the network.

5G Explained

Whereas most carriers use low-band spectrum or LTE, which offers great coverage area and penetration, it is getting very crowded, and peak data speeds only top out at around 100Mbps.

Automatic Broadband Compensation Is Nigh

After Ofcom announced back in November 2017 that broadband and landline customers will automatically be able to get compensation from their providers when things go wrong without the need for a claim, it appears that an £8-per-day deal agreement has finally been reached between Openreach and five of the UK’s internet service providers.

Tech Tip – Create A Travel Itinerary in Bing

If you’re planning a trip to an exciting destination you can now create your own travel itinerary in the Bing search engine. Here’s how:

Google Chrome’s ‘Incognito’ Mode Not So Incognito

Research by Internet Privacy Company DuckDuckGo is reported to have produced evidence that could show that even in Incognito mode, users of Google Chrome can still be tracked, and searches are still personalised accordingly.

Incognito Mode

Going incognito (private browsing mode) in Google Chrome means launching a separate ‘Incognito’ browser window by going to top right (the 3 stacked vertical dots icon) > New Incognito Window.  According to Google, by using this browser window Chrome won’t save your browsing history, cookies and site data, or information entered in forms.  Any files you download and bookmarks you create will be kept, however, and your activity isn’t hidden from websites you visit, your employer or school, or your internet service provider.

The DuckDuckGo Research

In the DuckDuckGo research, several volunteers were given controversial topics, such as gun control, vaccinations and immigration to search for using an Incognito browser window in Google Chrome. The searches were made both logged in to their Google accounts with Incognito Mode activated and logged out.

The Assumption

The assumption that many users may have is that being logged out of Google and using Incognito mode will keep searches totally private.

The Results

The reported results essentially showed that each person got different results.  This could indicate that Google is still able to personalise searches in Incognito mode, which could mean that Google still has some access to searches which the user may believe are private.

The results may be seen to support the fact that even when signed out, and using Incognito / private browsing mode, websites can use IP addresses and browser fingerprinting to identify people.

Vanderbilt University Research In August

This latest DuckDuckGo research appears to support the findings of previous research from August by Vanderbilt University in Nashville (organised by Digital Content Next). This research found that if users sign into a website while using a private browsing window, the details of that login are still sent to Google, and Google could retroactively identify it from the username and other account data used during the session.  Also, the results of this research suggested that adverts served up by Google’s advertising can be linked to the cookies created both in and out of Incognito mode.

It must be said that Google reportedly described the findings of the Digital Content Next / Vanderbilt University research as misleading.

What Does This Mean For Your Business?

For Google, as a business that wants to sell and maximise revenue from targeted advertising, which is something that could be significantly improved with refined data and targeting technology, it is conceivable that it would want to collect detailed information from many sources, perhaps including that from Incognito searches.  The results of the DuckDuckGo research and previous research could be interpreted as showing that this is happening, and that Incognito mode may not be as secret as many users had imagined.  For advertisers using Google’s services, it is obviously in their interest that Google can offer highly targeted advertising services, but it is up to advertisers to decide whether they think Incognito mode search data should be a legitimate source of targeting data.

It is also worth noting that, in this case, DuckDuckGo is an Internet privacy company that has its own search engine to promote, which it describes as “the search engine that doesn’t track you”.  See https://duckduckgo.com/.

Does Your Business Take Cash?

Cashless businesses that only take contactless card payments, such as cafes and bars, may be growing in number in major cities but, despite their apparent convenience for their target market, they are also attracting accusations that they are discriminatory.

Cashless Bar

The BBC, for example, recently featured a story about the Crown and Anchor pub in South London which, in October, switched to fully cashless with customers only able to use debit cards, credit cards and contactless payments including Android Pay and Apple Pay.

In the case of the Crown and Anchor pub, it was reported that the decision by the parent company, London Village Inns, to make the switch to cashless was motivated by too many break-ins where the burglars were looking for cash. A positive reaction, and other cost and time-saving benefits to the change from not having to deal with (and transport) cash have meant that four of the firm’s pubs are now cashless with two more set to follow in the New Year.

Just Being Realistic?

Is it just a case of being realistic and acknowledging that we now live in a digital age where cash use is naturally in decline?

Other businesses in the UK and other countries seem to think so.  Back in September, The Boot pub in Freston near Ipswich, Suffolk switched to only accepting card or phone payments, and many bars and cafes in UK cities such as Manchester are reported to be cashless.

Travel in other countries such as Sweden and Australia can also be near cashless experiences as contactless and phone payments take over. Also, many of the ‘trendy’ New York eateries have switched to cashless, and no longer have cash registers.

Research & Stats

Research by Ikea, for example, showed that in its stores in Sweden, only 1.2 in every 1,000 people insisted on paying in cash, thereby leading to the decision that it was financially justifiable to offer them free food in the shop cafeteria instead.

The broader statistics certainly show a decline in the use of cash.  For example, UK Finance projects that in Britain cash will be used in just one fifth of all sales by 2026, and Paymentsense has reported the removal of 4,735 cash machines in the last year.

Criticism

Although there are clearly benefits for some businesses going cashless e.g. saved time, cost and hassle in dealing with cash (no cash registers and bank trips), less temptation for thieves (and resulting damage to premises), more counter space (no tills), faster transactions and turnover, plus credit card companies getting a commission for handling the payments, there are some critical voices.

What if the card payment systems suffered an outage, and / or technical problems prevented payments from being taken?  Particularly in cities, this could cause considerable chaos.

Also, in New York, cashless businesses may soon face a ban with the introduction of legislation designed to protect the poor and prevent a “gentrification of the marketplace”.  It appears that cashless businesses in New York could prove to be discriminatory and exclusionary for the impoverished, homeless, under-banked, undocumented, in a city where studies have shown that nearly 12% of citizens don’t have bank accounts.

What Does This Mean For Your Business?

There’s no doubt that cashless and particularly contactless can be very convenient, fast, and beneficial for customers, business, and bank alike, when it comes to purchases of £30 and under and hence it can favour supermarkets, shops, bars and other retail and convenience outlets.

There is also a clear decline in cash itself (and ATM numbers), and an increase in the amount of debit card and contactless payments, and the use of smartphones for payments in developed economies.  We are still, however, at a point where there remains quite a lot of cash in use, and where poorer and more disadvantaged and challenged members of society, of which there are many, need to use cash and may simply not have a bank account and a card with contactless / cashless payments enabled, and therefore, may find themselves being discriminated against. Some businesses and events that deal in cash may also find it challenging and costly to convert to a cashless situation.

Cashless transactions look likely to increase in the UK, and many retail businesses may soon find themselves seriously considering whether a switch to cashless could be workable and beneficial.