Archive for January 2019

Your Latest IT News Update

Apple’s Video-Calling ‘Eavesdropping’ Bug

Apple Inc has found itself at the centre of a security alert after a bug in Group FaceTime, the group-calling mode of its FaceTime video-calling feature, was found to let a caller eavesdrop on the recipient of a call before the recipient had answered it.

Research Reveals Top-Selling Car Keyless Theft Risk

Research by consumer group Which? has revealed that hundreds of popular models of car are vulnerable to “keyless theft”.

Register Now Or Lose EU Research Grants Post-Brexit

The UK government is urging organisations that benefit from European Union (EU) research funding to sign up to a UK-led replacement scheme now in order to guarantee that their Horizon 2020 project funding can continue after Brexit.

Millions of Taxpayers’ Voiceprints Added to Controversial HMRC Biometric Database

The fact that the voiceprints of more than 2 million people have been added to HMRC’s Voice ID scheme since June 2018, to add to the 5 million plus other voiceprints already collected, has led to complaints and challenges to the lawfulness of the system by privacy campaigners.

Too Much Time In Front of a Screen Adversely Affects Child Development Says Study

Psychologists from the University of Calgary have published a study in the journal JAMA Pediatrics which found that 2- to 5-year-olds who had more screen time scored worse in developmental screening tests.

Tech Tip – Drag & Drop Tasks To Your Calendar

In Windows 10, the Tasks experience in Outlook.com (powered by ‘To-Do’) means that when looking at your inbox, you can save time and create tasks by dragging and dropping an email to your task list. You can also easily schedule items by dragging a task to your calendar. Your tasks then travel with you on the To-Do app.

Apple’s Video-Calling ‘Eavesdropping’ Bug

Apple Inc has found itself at the centre of a security alert after a bug in Group FaceTime, the group-calling mode of its FaceTime video-calling feature, was found to let a caller eavesdrop on the recipient of a call before the recipient had answered it.

Sound, Video & Broadcasting

As well as letting the caller hear audio from the recipient’s phone before the recipient had answered, the bug could also expose video. If the recipient pressed the power button on the side of the iPhone, e.g. to silence or ignore the incoming call, the caller could see video of the person they were calling before that person had picked up. This was because pressing the power button effectively started a broadcast from the recipient’s phone to the caller’s phone.

Data Privacy Day

Unfortunately for Apple, insult was added to injury as news of the bug was announced on Data Privacy Day, a global event that was introduced by the Council of Europe in 2007 in order to raise awareness about the importance of protecting privacy. Shortly before news of the Apple group FaceTime bug was made public, Apple’s Chief Executive, Tim Cook, had taken to Twitter to highlight the importance of privacy protection.

It Never Rains…But It Pours

To make things even worse, news of the bug was made public on the day before Apple was due to announce its reduced revenue forecast figures as part of its quarterly financial results. Apple has publicly reduced its expected revenue forecast by £3.8bn.  Apple’s chief executive put the blame for the revised lower revenue mainly on the unforeseen “magnitude of the economic deceleration, particularly in Greater China”.  He also blamed several other factors such as a battery replacement programme, problems with foreign exchange fluctuations, and the end of carrier subsidies for new phones.

Feature Disabled

In order to close the security and privacy hole that the bug created, Apple announced online that it had disabled the Group FaceTime feature at 3:16 AM on Tuesday.

Fix On The Way

Apple has announced that a fix for the bug will be available later this week as part of Apple’s iOS 12.2 update.

What Does This Mean For Your Business?

Apple has disabled the Group FaceTime feature with the promise of a fix within days, which should provide protection from any new attempts to exploit the bug. Those users who are especially concerned can also decide to disable FaceTime in the iPhone altogether via the phone’s settings.

Even though the feature has been disabled, allowing eavesdropping on private conversations and the broadcasting of video from a call recipient’s phone was a serious threat to the privacy and security of Apple phone users for as long as it was exploitable. This has led some tech commentators to express surprise that a bug like this could be found in the trusted, trillion-dollar company’s products, and concern that users who, for whatever reason, do not update their phones to the latest operating system may be left unprotected by the fix.

Research Reveals Top-Selling Car Keyless Theft Risk

Research by consumer group Which? has revealed that hundreds of popular models of car are vulnerable to “keyless theft”.

Keyless Car Theft

Keyless car entry systems enable owners to unlock the doors of their car with the brush of a hand if the key fob is nearby. If the car has keyless start-stop, once inside the car, the keyless system allows the user to simply press a button to start and stop the engine.

These systems work by using an identity chip in the fob that constantly listens for radio signals broadcast by the car and replies when it hears one. These radio signals can only travel short distances, usually less than five metres, and the car treats a valid reply as proof that the fob is within that range. It is this proximity assumption, rather than the cryptography in the fob, that keyless (relay) theft exploits.
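The proximity assumption described above is exactly what a relay attack exploits, including the 2011 Zurich research mentioned further down this page: the car checks that a correct reply came back, not how far away it came from. The simulation below is an added example and is not code from Which?, ADAC or any car manufacturer. The HMAC-based challenge/response, the Fob, Car and Channel names and the microsecond timings are all constructed assumptions chosen to make the point visible. A relay that forwards the car’s challenge to a distant fob and the fob’s reply back passes the cryptographic check every time; a verifier that also bounds the round-trip time (a simple form of distance bounding) rejects the relayed reply, because the forwarding delay is far larger than genuine radio propagation over a few metres.

```python
"""Simulation of a passive keyless entry handshake and a relay attack.

Constructed example: the challenge/response below is a generic HMAC design,
not any manufacturer's real protocol, and the timings are made-up numbers.
"""
import hashlib
import hmac
import os
from typing import Optional


class Fob:
    """Key fob: answers any challenge it hears with an HMAC over that challenge."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Channel:
    """Radio link with a simulated clock.

    one_way_delay_us models propagation on a genuine short-range link;
    relay_delay_us is the extra per-hop delay a thief's relay equipment adds
    (0 means no relay). The clock is simulated so the result is deterministic.
    """

    def __init__(self, fob: Fob, one_way_delay_us: int = 5, relay_delay_us: int = 0) -> None:
        self.fob = fob
        self.hop_us = one_way_delay_us + relay_delay_us
        self.clock_us = 0

    def now(self) -> int:
        return self.clock_us

    def exchange(self, challenge: bytes) -> bytes:
        self.clock_us += self.hop_us          # car -> (relay) -> fob
        response = self.fob.respond(challenge)
        self.clock_us += self.hop_us          # fob -> (relay) -> car
        return response


class Car:
    """Car-side verifier.

    max_rtt_us=None reproduces the weak design: only the MAC is checked, so the
    car has no idea how far away the fob really is. A bound on the round-trip
    time (crude distance bounding) rejects replies that arrived too late to have
    come from a fob within a few metres.
    """

    def __init__(self, key: bytes, max_rtt_us: Optional[int] = None) -> None:
        self.key = key
        self.max_rtt_us = max_rtt_us

    def try_unlock(self, channel: Channel) -> bool:
        challenge = os.urandom(16)            # fresh nonce defeats simple replay
        sent_at = channel.now()
        response = channel.exchange(challenge)
        rtt_us = channel.now() - sent_at
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return False                      # wrong fob: MAC check fails
        return self.max_rtt_us is None or rtt_us <= self.max_rtt_us


def attempt(car: Car, fob: Fob, relay_delay_us: int = 0) -> bool:
    """One unlock attempt over a direct (relay_delay_us=0) or relayed link."""
    return car.try_unlock(Channel(fob, relay_delay_us=relay_delay_us))


if __name__ == "__main__":
    key = os.urandom(32)
    owner_fob = Fob(key)
    RELAY_US = 2_000                          # made-up forwarding latency of a relay kit

    weak_car = Car(key)                       # MAC only, as in the vulnerable cars
    print("weak car, fob nearby:    ", attempt(weak_car, owner_fob))
    print("weak car, relayed fob:   ", attempt(weak_car, owner_fob, RELAY_US))

    bounded_car = Car(key, max_rtt_us=100)    # MAC plus round-trip bound
    print("bounded car, fob nearby: ", attempt(bounded_car, owner_fob))
    print("bounded car, relayed fob:", attempt(bounded_car, owner_fob, RELAY_US))
    print("bounded car, wrong key:  ", attempt(bounded_car, Fob(os.urandom(32))))
```

Real distance bounding has to time the exchange to within nanoseconds (radio travels about 30 cm per nanosecond), which needs dedicated hardware and is why it is not a firmware-only fix for cars already on the road; the simulated clock here is coarse only to keep the comparison readable.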

The Which? Research

The Which? research involved analysing data from keyless/relay-attack tests carried out by the General German Automobile Club (ADAC), a motoring and roadside recovery organisation.

Top-Selling Cars At Risk

The ADAC test highlighted by Which? showed that, of the 237 keyless cars tested, all but three were susceptible to keyless theft.

The cars found to be vulnerable to this type of attack included many of the UK’s top-selling models, such as the Ford Fiesta, Volkswagen Golf, Nissan Qashqai and Ford Focus. Of the UK’s top-selling cars, only the Vauxhall Corsa was found to be safe, and only because it isn’t available with keyless entry and ignition.

Jaguar Land Rover’s latest models of the Discovery, Range Rover, and 2018 Jaguar i-Pace, were all found to be secure.

Car Theft Figures – Rising

England and Wales police figures show that the highest number of offences of theft of (or unauthorised taking of) a motor vehicle since 1990 were reported in the year to March 2018 (106,000).  This worrying rise in the level of car theft comes despite improvements in vehicle security aided by the use of new technology.

Less Than 0.3% Stolen

Mike Hawes, head of the Society of Motor Manufacturers & Traders (SMMT), is reported as saying that, aided by technology, new cars are more secure than ever with, on average, less than 0.3% of the cars on the roads stolen.

Not The First Time Concerns Raised

This is certainly not the first time that concerns have been raised about keyless security in cars. For example, as far back as 2011, Zurich-based researchers showed that the short-range radio signals emitted by a car could be picked up next to the vehicle and relayed (effectively boosted) to a fob some distance away, tricking the system into thinking the fob was nearby.

Also, in 2014, many Range Rover thefts led to police advising owners to fit a steering wheel lock as a second line of defence, after keyless security had been breached by thieves.

There have also been reports of police investigating cases of criminals blocking the signals from keyless devices so that car doors never lock, and of thieves using such blockers in service station car parks in order to steal items from cars.

What Does This Mean For Your Business?

For car manufacturers, there is likely to be an ongoing battle with thieves, and a need for continuous investment to ensure that car entry and ignition systems are as secure as possible. This may eventually even require a move to biometrics.

The SMMT has also been calling for action to stop the open sale of equipment that serves no legitimate purpose but helps criminals steal cars, e.g. signal grabbers and jammers, which can be bought online for as little as £40.

The advice from security experts to owners of cars with keyless systems is to keep the fob away from doors and windows and in a signal-blocking (Faraday) pouch or case. This is because thieves are known to be able to pick up and relay the fob’s signal from outside the house, making the car think the owner’s key is nearby. A pouch only helps if the fob is actually inside it, so it is worth checking that the car really does stay locked when the pouched fob is held right next to it.

Register Now Or Lose EU Research Grants Post-Brexit

The UK government is urging organisations that benefit from European Union (EU) research funding to sign up to a UK-led replacement scheme now in order to guarantee that their Horizon 2020 project funding can continue after Brexit.

What Is Horizon 2020?

Horizon 2020, which started in 2014, is the EU’s largest ever funding programme for research and innovation, with a budget of around 79 billion euros, and runs until 2020. It is aimed at improving Europe’s global competitiveness in research and innovation. Applications for the funding are open to registered businesses, charities, partnerships or research organisations with legal standing in the EU; higher education institutions, public bodies and charities, for example, make up many of the applicants.

What’s The Problem?

The concern, highlighted by the Department for Business, Energy and Industrial Strategy (BEIS), is that when the UK leaves the EU (possibly without a deal), organisations currently receiving funding from the EU’s Horizon 2020 programme will need to have signed up to a UK-led replacement programme that guarantees continuity in a no-deal scenario if they are to avoid any disruption in the receipt of that funding. According to BEIS figures, the 2,700 public and private sector organisations that receive Horizon 2020 funding but have not yet signed up to the replacement programme could therefore face disruption in funding and delays to future grants if they don’t sign up as soon as possible.

Guaranteed

Although the Science and Innovation Minister, Chris Skidmore, has guaranteed that UK organisations and businesses that already receive EU science and research funding will continue to do so, even if there is a no-deal Brexit at the end of March, he is urging them to register their details for Horizon 2020 grants on a simple online portal.

Online Portal – Doesn’t Take Long

BEIS is, therefore, encouraging the remaining 2,700 organisations to join the 5,500 that have registered to date by signing up on the online portal. Reports suggest that it takes only around ten minutes per grant to input the data. The portal can be found here: https://www.ukri.org/funding/how-to-apply/

What Does This Mean For Your Business?

If you are a business or an organisation that receives Horizon 2020 funding and you haven’t already done so, the advice is to sign up to the UK-led replacement programme via the government’s online portal (run by UKRI) in order to avoid disruption to funding. BEIS has said, for example, that an organisation that leaves it until 5th March, ahead of a possible no-deal Brexit on 29 March 2019, could be risking delays to future Horizon 2020 funding.

Millions of Taxpayers’ Voiceprints Added to Controversial HMRC Biometric Database

The fact that the voiceprints of more than 2 million people have been added to HMRC’s Voice ID scheme since June 2018, to add to the 5 million plus other voiceprints already collected, has led to complaints and challenges to the lawfulness of the system by privacy campaigners.

What HMRC Biometric Database System?

Back in January 2017, HMRC introduced a system whereby customers calling the tax credits and Self-Assessment helpline could enrol for voice identification (Voice ID) as a means of speeding up the security steps. The system uses 100 different characteristics to recognise the voice of an individual and can create a voiceprint that is unique to that individual.

When customers call HMRC for the first time, they are asked to repeat a vocal passphrase up to five times before speaking to a human adviser.  The recorded passphrase is stored in an HMRC database and can be used as a means of verification/authentication in future calls.

Got Voices By The Back Door Said Big Brother Watch

It has been reported that in the 18 months following the introduction of the system, HMRC acquired 5.1 million people’s voiceprints this way.

Back in June 2018, privacy campaigning group ‘Big Brother Watch’ reported that its own investigation had revealed that HMRC had (allegedly) taken 5.1 million taxpayers’ biometric voiceprints without their consent.

Big Brother Watch alleged that the automated system offered callers no real choice but to do as instructed and create a biometric Voice ID for a government database. The only way to avoid creating a Voice ID, as identified by Big Brother Watch, was to say “no” three times to the automated prompts, and even then the system said it would offer Voice ID again on the next call.

Big Brother Watch’s concern was that GDPR treats biometric data processed in order to uniquely identify a person as special category data: Article 9 prohibits such processing unless one of its specific exceptions applies, on top of the lawful basis that Article 6 requires for any processing of personal data. Because a voiceprint is sensitive data that is not strictly necessary for dealing with tax matters, the applicable exception would be the explicit consent of each taxpayer (Article 9(2)(a)), which Big Brother Watch argued HMRC should have requested before enrolling anyone in the scheme.

This led to Big Brother Watch registering a formal complaint with the ICO, the result of which is still to be announced.

Changes

Big Brother Watch’s complaint may have prompted changes to the Voice ID system. In September 2018, HMRC permanent secretary John Thompson said that HMRC believed it had been acting lawfully by relying on the implied consent of users. Mr Thompson acknowledged, however, that the original messages played to callers had not explicitly told them that they could opt out of Voice ID, or how, and that in light of this the message had been updated (in July 2018) to make this clear.

Mass Deletions?

On the question of whether HMRC would consider deleting the 6 million voiceprint profiles of people who were enrolled before the wording was changed to include the opt-out option, Mr Thompson said that HMRC will wait for the completion of the ICO’s investigation.

Backlash

Big Brother Watch has highlighted a backlash against the Voice ID system as indicated by the 162,185 people who have called HMRC to have their Voice IDs deleted.

What Does This Mean For Your Business?

Even though many businesses and organisations are switching, or planning to switch, to biometric identification/verification systems in place of less secure password-based systems, it is important to remember that these are subject to GDPR. Biometric data used to identify someone, such as a voiceprint or a facial template derived from an image, is special category personal data under Article 9, for which explicit consent is normally the basis that has to be relied on, and people have the right to opt out as well as to opt in, which in practice means a non-biometric alternative must remain available.

It remains to be seen whether the outcome of the ICO investigation will require mass deletions of Voice ID profiles.  Big Brother Watch states on its website that if people are not happy about the HMRC system they can complain to the HMRC directly (via the government website) or file a complaint about the HMRC system to the ICO via the ICO website (the ICO is already investigating HMRC about the matter).  HMRC has said that all the voice data is stored securely and that customers can now opt out of Voice ID or delete their records any time they want.

Too Much Time In Front of a Screen Adversely Affects Child Development Says Study

Psychologists from the University of Calgary have published a study in the journal JAMA Pediatrics which found that 2- to 5-year-olds who had more screen time scored worse in developmental screening tests.

The Study

The toddlers in the study were from 2,500 Alberta homes between 2011 and 2016.  Their families or caregivers were asked to report on how much time the toddlers spent in front of screens. The toddlers were reported to be averaging 2-3 hours per day screen time, and their families/caregivers filled out standard questionnaires about the basic motor and communication skills of the toddlers.  Results were reported for the children at 24, 36 and 60 months old.

Correlation Found

The study revealed a perhaps unsurprising correlation between more screen time and lower results.  For example, greater screen time at 24 months was found to be associated with poorer performance on developmental screening tests at 36 months, and greater screen time at 36 months was found to be associated with lower scores on developmental screening tests at 60 months.

In short, the study found that those toddlers who had excessive screen time were failing to meet developmental milestones in language and communication, problem-solving, and fine and gross motor skills.

Missing Important Interactions

Lead author of the report of the study, Sheri Madigan, commented on the University of Calgary website that if children are consumed with screen time, they aren’t getting enough physical activity, and that this means they aren’t developing the motor skills they need to run, ride a bike, or throw a ball. Madigan said that positive stimulation that aids physical and cognitive development comes from interactions with caregivers and that when children are “in front of their screens, these important parent-child interactions aren’t happening, and this can delay or derail children’s development.”

What Use Are The Results?

The authors of the report, Madigan and Dr Suzanne Tough, have suggested that the findings from this study could, for example, be of use to health-care professionals who are seeking to guide parents on the appropriate screen time limits for their children.

What Does This Mean For Your Business?

As any parent of young children will know, and indeed as the authors of the report have acknowledged, technology is deeply entrenched in modern-day life, and spending time in front of a screen is something that children do today as part of learning, playing and interacting with their peers. The point here is that too much screen time for very young children (2 to 5) can set their development back in many important areas.

The authors of the report have said that parents needn’t become too concerned, because children’s brains develop over the course of childhood and beyond, so there is time to make changes. The authors also suggest that one way parents can minimise the effect of too much screen time on their children’s development is by creating and implementing a family media plan. This can involve controlling the number of hours spent in front of screens, establishing device-free zones, e.g. at the dinner table, and introducing baskets where everybody puts their devices at certain times of the day, in order to make time for the family to connect and interact.

Tech Tip – Drag & Drop Tasks To Your Calendar

In Windows 10, the Tasks experience in Outlook.com (powered by ‘To-Do’) means that when looking at your inbox, you can save time and create tasks by dragging and dropping an email to your task list. You can also easily schedule items by dragging a task to your calendar. Your tasks then travel with you on the To-Do app.

You can see how it’s done on the Windows Blog here:

https://blogs.windows.com/windowsexperience/2018/12/16/windows-10-tip-schedule-items-by-dragging-a-task-to-your-calendar/#WX3WrBWATdGxSk48.97

Your Latest IT News Update

Naming and Shaming of Companies With Poor Cyber Security

A report from the Cyber Security Research Group and the Policy Institute at King’s College London, has suggested that the government could help combat high cyber-crime levels by naming (and shaming) companies with poor cyber-security.

Google’s £44 Million GDPR Fine

Google has been fined a massive 50 million euros (£44m) for a breach of GDPR dating back to May 2018, relating to how well people were informed about how Google collected data to personalise advertising, and to the matter of consent.

Biggest Personal Data Breach Puts Password Effectiveness In The Spotlight

Password-based authentication has long been known to be less secure than other methods such as multi-step verification or biometrics, but a massive leak of a staggering 87GB of data, containing 772.9 million unique email addresses, 21.2 million unique passwords and 1.1 billion email address and password combinations, recently shared on hacking forums, has brought the inherent weaknesses of password authentication into sharp focus.

ICO Urges Businesses To Prepare For No-Deal Brexit

In a Westminster eForum event on GDPR practice in London, the director of strategic policy at the Information Commissioner’s Office, Jonathan Bamford, is reported to have urged businesses to prepare for a no-deal Brexit in terms of planning to stop interruption in data flows from Europe.

No More Windows 10 Mobile Support – Microsoft Suggests Switching

Microsoft has formally announced on its support pages that, as of December 10th 2019, Windows 10 Mobile users will no longer receive security updates or support, and it recommends that customers move to a supported Android or iOS device.

Tech Tip – Phishing Quiz

Identifying a phishing attempt may be harder than you think and being able to spot one is an important part of maintaining your cybersecurity defences in the modern business environment.  Here’s a little phishing quiz from Google that can help you to spot the signs that can enable you to tell a real email from a phishing email.

Naming and Shaming of Companies With Poor Cyber Security

A report from the Cyber Security Research Group and the Policy Institute at King’s College London, has suggested that the government could help combat high cyber-crime levels by naming (and shaming) companies with poor cyber-security.

Who?

The Cyber Security Research Group at King’s College London brings together experts with backgrounds in international relations, security studies, strategic studies, intelligence, public policy, informatics and computer science in order to promote better research into cyber-security.  The other research partner in this case, the Policy Institute at King’s College London is an independent research institute focusing on using evidence and expertise to tackle societal challenges.

Cyber-crime Levels

The report points out that the government’s Cyber Security Breaches Survey 2018 found that 4 in 10 businesses experienced a cyber-security breach or attack in 2017-18, and argues that this is grounds for letting the public see what steps companies are (or are not) taking to keep users safe online and to protect their data.

Championing The ACD Programme

The report also champions the government’s Active Cyber Defence (ACD) programme, which was developed by the National Cyber Security Centre (NCSC) for the public sector, as something that could bring benefits if rolled out to the private sector too, or at least if the tools and techniques of ACD could be extended beyond the public sector.

The report points to the relative success that ACD has had in bringing about a fall in scam emails from fake government addresses, and in shutting down thousands of phishing sites that pose as government agencies in order to steal users’ personal information. Symantec figures, for example, show that phishing rates have increased across most industries and organisation sizes. In this latest report, Tim Stevens, convenor of the Cyber Security Research Group at King’s College London, notes that, according to his research findings, ACD could be rolled out beyond the public sector legally, cheaply and efficiently, with few obstacles, and could help to tackle phishing. The report therefore urges non-public sector organisations to engage more actively with the NCSC in order to deploy ACD as a tool to better tackle cyber-crime in the UK.

According to the National Cyber Security Centre (part of GCHQ), the ACD programme can be used to tackle cyber attacks in a relatively automated and scalable way. Last February, when the NCSC published its Active Cyber Defence results, they showed that the UK’s share of visible global phishing attacks had dropped from 5.3% (June 2016) to 3.1% (November 2017), that 121,479 phishing sites hosted in the UK had been removed, and that 18,067 sites worldwide that were spoofing UK government sites had been removed as a result of the programme.

What Does This Mean For Your Business?

Reputations are valuable and vitally important to businesses, as should be cyber-security defences, and making sure that strong data protection measures are in place is critical. With this in mind, the idea that there could be a public naming and shaming of companies with poor cyber-security could be one way to incentivise action to be taken to bring about improvements and contribute to the tackling of cyber-crime across the private as well as the public sector.

The NCSC has, for example, already been working with companies through the ACD programme to help them protect their customers. It launched a collaborative online platform on which BT has been able to share its threat intelligence data with other UK ISPs, and it has offered support to BT to help strengthen its security and block malware infections.

As acknowledged, however, in the Cyber Security Research Group and the Policy Institute at King’s College London report, ACD is not a finished product but a work in progress, and it is not a single entity, amenable to simple, one-off deployment. Also, a government programme that is extended to the private sector could face suspicion as being perhaps a way of the government scanning and collecting data about private organisations.  For this reason, the CSRG and King’s College London Report recommends perhaps putting a buffer between the government’s intelligence community and third parties in the form of regulatory authorities in each sector e.g. the Charity Commission in the third sector.

In reality, effective cyber-security comes from a large number of factors working together, including education and training as well as deploying relevant technologies, but the results of the ACD programme so far show that it, or tools based upon it, could have real value as one of a number of measures that could help reduce cyber-crime for private as well as public sector organisations.

Google’s £44 Million GDPR Fine

Google has been fined a massive 50 million euros (£44m) for breach of GDPR dating back to May 2018 and relating to how well people were informed about how Google collected data to personalise advertising, and the matter of consent.

Who?

Google (Alphabet Inc) has been fined £44 million by the French data regulator CNIL.  The two complaints that brought about the investigation and the fine were filed in 2018 by privacy rights groups noyb and La Quadrature du Net (LQDN).

Even though the fine is eye-wateringly large, the maximum fine under GDPR for a breach of this kind is 4% of worldwide annual turnover (or €20m, whichever is higher), which in Google’s case could equate to around €4bn.

Ad Personalisation & Google

Google personalises the adverts that are displayed when a person is signed in to their Google account based on ad-personalisation settings. When a person is signed out of their Google account, they are still subject to ad-personalisation across the Web on Google’s partner websites and apps based on their browsing history, and on Google Search based on their previous activity such as previous searches.

What & Why?

The two privacy groups complained that Google didn’t have a valid legal basis to process user data for ad-personalisation because of issues relating to transparency and consent.

The reasons for Google receiving the fine were that:

  1. Google failed to provide its users with transparent and understandable information on its data use policies. The “essential information” that users would have needed in order to understand how Google collected data to personalise advertising, and the extent of that collection, was too hard to find because it was spread across several documents and was only fully accessible after several steps, e.g. up to five or six actions. Ultimately, this meant that users could not properly exercise their right to opt out of data processing for ad personalisation.
  2. It was also found that the option to personalise ads was pre-ticked when an account was created, so that users were effectively giving consent in full to all of the processing purposes for which Google relies on that consent. Under GDPR, however, consent is only ‘specific’ if it is given distinctly for each purpose, and a pre-ticked box does not amount to the unambiguous, affirmative action that valid consent requires.

Other Complaints

Privacy group noyb has also filed more formal complaints against Amazon, Apple, Google, Netflix, Spotify, and other entertainment streaming services. The reason, according to noyb, is that when people request a copy of the personal data that these companies hold on them, some of it may not be supplied in a format that can be easily understood.  GDPR requires companies to supply users with a copy of their data that is both machine-readable and can be easily understood.

What Does This Mean For Your Business?

Even before GDPR was introduced, many technology and security commentators predicted that the big names e.g. Google and Facebook would be the first to be targeted by privacy campaigners, and that appears to be what is happening here. In this case however, the fact that the complaints have created a record-breaking fine shows that there was genuine concern about a lack of compliance with GDPR from a company that many would have expected to be on top of the legislation and setting an example. It is likely that Google will need to make some significant modifications to some aspects of its services now, and that this may prompt other large tech companies to do the same in order to avoid similar fines and bad publicity.

This case is a reminder to businesses, particularly larger ones, that although GDPR appears to have been buried by concerns about Brexit, staying compliant with GDPR is an ongoing process and should still be high on the business agenda.