Archive for April 2019

Your Latest IT News Update

123456 Still A Popular Password

A study by the UK’s National Cyber Security Centre (NCSC) into breached passwords has revealed that 123456 featured 23 million times, making it the most widely-used password on breached accounts.

Top Five Easy-To-Guess Passwords

The study, which analysed public databases of breached accounts to discover which words, phrases and strings were most popularly used, also found that the second-most popular string was 123456789, and that the words “qwerty” and “password”, and the string 1111111 all featured in the top five most popular breached passwords.

Names & Football Teams

The study revealed that people routinely use Christian names and the names of their favourite football teams as passwords, thereby making them relatively easy to crack.  For example, the most popular breached-password names were Ashley, Michael, Daniel, Jessica and Charlie. The most popular football team passwords noted by the study were ‘Liverpool are champions’, followed by Chelsea.

Not Confident

The NCSC study also found that 42% of those surveyed expected to lose money to online fraud, and that only 15% said that they were confident that they knew enough to be able to protect themselves online.

Big Risk – Password Sharing

The study also found that fewer than half of those surveyed used a separate, strong password for their main email account.  The risk of using the same password for multiple accounts and platforms is that if one of those accounts is compromised, cyber-criminals will sell your login details on and/or use ‘credential stuffing’ tools to try stolen passwords on multiple websites.

Stolen credentials are also routinely used in phishing attacks e.g. to send malicious emails to a victim’s list of contacts, and in targeted digital identity attacks, where the breached credentials are used to steal a victim’s entire digital identity, steal their money, or even to compromise their social media network data.

Passwords on Hacking Forums

As revealed back in January by security researcher Troy Hunt of the ‘Have I Been Pwned’ service, 772,904,991 unique email addresses, and 21,222,975 unique passwords are already being shared on hacking forums as part of a collection of credentials stolen from multiple sites, dubbed Collection #1.

This highlights the importance of not sharing passwords between websites, and of changing passwords regularly.

What Does This Mean For Your Business?

This story highlights the importance of always using strong passwords that you change on a regular basis. Also, it highlights the importance of not using the same usernames and passwords on multiple websites as this can provide an easy route to your data for criminals using credential stuffing.

Managing multiple passwords in a way that is secure, effective, and doesn’t have to rely on memory is difficult, particularly for businesses where there are multiple sites to manage. One easy-to-use tool that can help is a password manager. Typically, these can be installed as browser plug-ins that are used to handle password capture and replay, and when logging into a secure site, they offer to save your credentials. On returning to that site, they can automatically fill in those credentials. Password managers can also generate new passwords when you need them and automatically paste them into the right places, as well as being able to sync your passwords across all your devices. Examples of popular password managers include Dashlane, LastPass, Sticky Password, and Password Boss, and those which are password vaults in other programs and CRMs include Zoho Vault and Keeper Password Manager & Digital Vault.

The new version of the Chrome browser (69) also has an improved password manager, which could help those who still appear to rely upon using very weak passwords e.g. 123456, password, 12345678 and qwerty.  The Chrome 69 password manager suggests passwords incorporating at least one lowercase character, one uppercase character and at least one number, and where websites require symbols in passwords it can add these. Users can also manually edit the Chrome-generated password, and when Google is generating the password, every time users click away from its suggestion, a new one is created. Chrome 69 can store the password on a laptop or phone so that users don’t have to write it down or try and remember it (if they are using the same device).

If you’re worried that people in your business may currently be using passwords that have already been stolen, you can find a list of stolen passwords (from Troy Hunt of ‘Have I Been Pwned’) here: https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/ and Mr Hunt provides some answers to popular questions about the stolen passwords in the ‘FAQs’ section of his blog post here: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/.

No Windows 10 Updates For PCs With USB Devices or SD Cards Attached

Microsoft has announced that if your PC has a USB device or SD card attached it will not be possible to upgrade the computer to the Windows 10 May 2019 Update because of an “Inappropriate drive reassignment” issue.

The Scenario

On its support site, Microsoft has announced that an attempt to upgrade a computer with the Windows 10 May 2019 Update will result in an error message being displayed if the following three factors are in place:

  1. You’re running a Windows 10-based computer that has either the April 2018 Update (Windows 10, version 1803) or the October 2018 Update (Windows 10, version 1809) installed.
  2. An external USB device or SD memory card is attached to the computer.
  3. You try to upgrade the computer to the May 2019 Update, or you have automatic updates turned on in the Windows Update settings.

Inappropriate Drive Reassignment

Microsoft says that the upgrade will not be able to occur in these situations because of the risk of inappropriate drive reassignment.  For example, a user may have booted Windows from external storage and may have left an external storage device (USB device or SD memory card) attached during the installation of the May 2019 upgrade.  Prior to the upgrade, the external device would have been mounted in the system as drive G based on the existing drive configuration, but after the upgrade, the device is reassigned a different drive letter e.g. H.  This is a situation that Microsoft is trying to avoid – hence the error message and the blocking of computers with external devices attached from receiving the upgrade.

The Workaround

According to Microsoft, the simple workaround is to remove the external media and restart the May 2019 Update installation.

Microsoft also says that the issue will be resolved in a future servicing update for Windows 10, and for Windows Insiders, the issue is resolved in build 18877 and later builds.

What Does This Mean For Your Business?

There is more than just a small element of Microsoft being cautious in issuing this error message and putting out information about the nature of the issue and workaround, after the many problems and bugs that led to Build 1809 having to be withdrawn after a few weeks before a re-issue. This time, Microsoft wants good publicity and good customer experience for its ongoing WaaS strategy.

If you’re planning to upgrade Windows 10 with the May 2019 Update and you want things to go smoothly, the advice is to make sure that you don’t have external storage devices connected to the computer at the same time.

Microsoft 365 Business Subscription Customers Get Shared Computer Activation (SCA)

SMEs that need multiple users to connect to and use the same remote computer, but only have a (less-expensive) Microsoft 365 Business subscription, have been given a boost by Microsoft in the form of expanded rights with the imminent roll-out of SCA for Microsoft 365 Business.

What Is SCA?

Shared Computer Activation (SCA) is a service that allows a business to deploy Office 365 on a computer that is accessed by multiple users.

SCA That Doesn’t Count Against The Device Limit

The latest announcement from Microsoft means that Microsoft 365 Business subscribers (who would normally only be able to install and activate the Office 365 Business Client on a limited number of devices such as 5 PCs) will, with the roll-out from 30th April, be able to benefit from being able to use the Office 365 Business Client with shared computer activation enabled in a way that doesn’t count against that device limit.

Where It’s Useful

Situations where this can add value and be useful to SMEs include:

  • Multiple workers on different shifts at the same premises needing to use a shared computer with each worker using Excel on that computer during their shift to track orders & shipments.
  • Multiple workers use Word on shared computers at a work station throughout the day to create reports from a template.
  • Business owners and accounts staff can connect remotely to a Windows 2016 Server running Remote Desktop Services (RDS) to use Excel and the company’s accounting software.
  • Field service employees use Office on a computer that’s located in a conference room to update/write reports.
  • Remote workers connect from home to Windows Virtual Desktops (WVD) in Azure with Office installed to work on specific accounts/records.

Limitations

It is important to note that M365 Business does not include Office 365 Pro Plus, just the activation rights in the existing business client that comes in M365B.  The new SCA rights in M365 Business will, therefore, still require that each user be licensed, because companies can’t legally share Office on a single PC among, e.g. 5 users, where only three are covered by M365 Business licenses.

Also, users can only share the Windows version, not a Mac version, of Office on an SCA-covered machine.

What Does This Mean For Your Business?

Although Microsoft is not giving anything away as such with the SCA rights in M365 Business, it is, however, introducing something that takes account of how some industries need to work with software in real life i.e. computers often need to be shared by multiple users with different user profiles, and multiple users in some businesses need to connect to the same remote computer at the same time. In this respect, it may add a great deal of value for many businesses, and in doing so, may help gain and retain customers, and lead to new opportunities for Microsoft.

SMEs are likely to welcome this added-value service from Microsoft as they may have been stuck between having to choose E3 (without SCA), saving costs, and trying to implement time-consuming workarounds to get more out of what they had.

Even though the roll-out date starts on April 30th, it may take a couple of months before the full roll-out is completed.

UK Government Services Information Accessible Via Voice-Activated Smart Speakers

After a six-month trial by the Government Digital Service (GDS) with a view to future-proofing the delivery of online services for citizens, 12,000 items of government information can now be accessed via voice-activated smart speakers and virtual assistants, such as Amazon Alexa and Google Home.

Wider Plan

The GDS trial that has made the information available via voice-activated smart speakers is part of a wider plan to employ third-party (voice) apps, machine learning, and other new technologies in order to simplify interactions between citizens and services going forward. The millions of smart speakers now in use in UK homes mean that voice-activated technology has provided an important first step for the government’s plans.

What Kind of Information?

Examples of the kind of government services information that’s now available via Alexa and Google Home include the dates of UK bank holidays, the minimum wage level, information about how to apply for a passport or pension, as well as the answers to childcare and tax-related questions.

Started A Year Ago

The plans to future-proof government services in this way were first made public a year ago when Neil Williams, head of Gov.uk at the time, said that around 400 services had already been identified as potential use cases for voice technology.

Machine Learning Added To Gov.uk website

The idea of integrating machine learning with the Gov.uk website is reported to have led to the creation of an algorithm that helps to tag all the content and develop a taxonomy, thereby making it much easier for users of the website to quickly access relevant information.

The Gov.uk website, which came online back in 2012, is reported to have resulted in huge efficiency savings, as well as making it much easier for citizens to access government content.

Innovation Strategy

In a recent blog post, the Minister for Implementation, Oliver Dowden, highlighted the importance of the GovTech Catalyst initiative in matching innovative private sector solutions with public sector challenges. Mr Dowden also announced the publication of an Innovation Strategy later this year that will share the government’s vision of how GDS and the wider Cabinet Office will lay the foundations for the government to use emerging technologies.

What Does This Mean For Your Business?

There are many services that businesses need to access information about and having the information available quickly via smart speakers and virtual assistants could save time and money and help businesses to comply with government rules and regulations.  It could also help businesses to discover opportunities and help that may be available via government services for both the business itself and employees and other stakeholders.

The Gov.uk website has also been a money-saving tool for the government, and making more information available via smart speakers and apps, while improving the website and its operation using machine learning, could provide greater savings in the future, while demonstrating how the government is making efforts to embrace and utilise the strengths of new technologies, and simplify access to information for citizens.

Samsung’s Folding Phone Faults Delay Release Date

The release date of Samsung’s new dual-screen Galaxy Fold mobile handset has been delayed after reviewers reported having removed the top layer of the display causing damage to the screen, problems with hinge areas, and debris getting trapped under the screen.

The Galaxy Fold

Announced as the Galaxy X last summer, the Galaxy Fold handset has two inside panels and one outside panel with the two inside panels folding out to form the 7.3-inch OLED screen, thereby giving the user a much larger screen area.  The fact that the flexible screen folds in on itself when closed also adds protection for the touchscreen when the phone is not in use.

Reviewers

A number of reviewers, including many journalists, were given Galaxy Fold handsets for trial use. It appears that faults were discovered and were perhaps even caused by many of the reviewers who peeled off what they believed was just a protective layer (despite being warned against doing so in the handset’s documentation) that was, apparently, an important part of the screen display’s protection.

Several Faults

Several faults were identified by reviewers and confirmed in a statement from Samsung, including:

  • Issues on the display associated with impact on the top and bottom exposed areas of the hinge.
  • Substances being found inside the device affecting the display performance.

It has also been reported that some reviewers saw creases on the fold and other display glitches which the folding robot really should have found.

Production Problems – Is The Technology Ready Yet?

Part of the delay in the production of a commercial version of Galaxy’s folding phone from the first sighting of its prototype 7 years ago is thought to be down to production problems in the complexity of developing durable but flexible plastic screens.

Also, the fact that competitors LG and Sony have many patents on foldable mobile displays but have not produced a foldable phone yet has led some commentators to suggest that the technology may simply not be fully ready for use in the current generation of phone handsets.

In Samsung’s own statement about the reported faults the company said that “how the device needs further improvements”.

Huawei

Another major phone market player (Huawei) also has a foldable phone in the development pipeline.  Huawei’s ‘Mate X’ version folds outwards, which some have speculated may leave the most vulnerable part of the device exposed all the time. The fact that Huawei has not yet gone to market with its foldable offering may also be a sign that it too is wrestling with similar screen problems i.e. screen creasing.

What Does This Mean For Your Business?

In the phone market, there has been a degree of stagnation as customers delay upgrades while waiting for more innovative models and new features. A folding phone offers value in terms of its versatility as a kind of “2-in-1” tablet and phone, as well as the novelty value and kudos of having a device with the very latest folding screen. As expected, however, the Samsung Folding (when it is eventually launched), and competitor folding phone models will have a premium price tag (thought to be around £1,500), and although this would decrease as volumes increase, many businesses may decide to wait a bit longer before they buy one.

The fact that Samsung has called off the launch and not given a future launch date for the Samsung Folding may indeed indicate that the technology is not quite ready, and that simply introducing a model with design faults just to be first to get a folding phone out there is not something they’re prepared to risk.

Tech Tip – Free, Online AI Business School

If you’d like to get an understanding of what AI is and its implications for business strategy, corporate culture and business ethics, Microsoft, in partnership with global business school INSEAD, has established a free, online business school.

The AI course offers a series of 10-minute lecture videos as well as academic lectures, case studies, executive perspective videos and technology talks, which combined provide a grounding in AI and its possible applications in your business.

The online school doesn’t require registration, and the course material can be accessed on demand via mobile devices or the desktop.

Access Microsoft’s AI Business School resources here: https://www.microsoft.com/en-us/ai/business

Your Latest IT News Update

Windows 10 Breaks Traditional PC Hardware and OS Upgrade Links

With figures (Gartner) showing Windows 10 predicted to represent 75% of the professional PC market by 2021, continued PC sales and improved Windows 10 back-end management, Windows 10 is making once time- and resource-consuming Windows OS and hardware upgrade projects a thing of the past, and is breaking the link between the two.

New UK ‘Duty of Care’ Rules To Apply To Social Media Companies

The new ‘Online Harms’ whitepaper marks a world first as the UK government plans to introduce regulation to hold social media and other tech companies to account for the nature of the content they display, backed by the policing power of an independent regulator and the threat of fines or a ban.

School Enlists Chinese Help To Upgrade To Enhanced Wi-Fi

The Lytchett Minster School in Dorset recently made the news among IT commentators after demonstrating how it could overcome the connectivity challenges of its rural location, cut costs and increase efficiency by upgrading its on-site network with Chinese company TP-Link’s enhanced Wi-Fi.

Tech Tip – Free Graphic Design App For Android

Design social media posts, ads, presentations, cards, flyers and more with ‘Desygner’, a free, popular graphic design app for phone or tablet.

Fake Finger Fools Fool Proof Phone

A Reddit user claims to have used a 3D printer to clone a fingerprint and then use the fake fingerprint to beat the in-display fingerprint reader on a Samsung Galaxy S10.

Fingerprint Scanner

The Galaxy S10 and S10+ phone models have an Ultrasonic Fingerprint Scanner embedded into the screen that uses soundwaves to create a 3D map of the owner’s fingerprint, and the recognition sensor at the bottom centre of the screen can then be used by the owner to gain entry to the phone by placing their fingerprint on it.

Made Fake Finger

The Reddit user known only as ‘darkshark9’ claimed in a proof-of-concept uploaded to Imgur that they had been able to unlock their own Galaxy S10 phone using a fake finger that had been made using a photograph (taken using the Galaxy S10’s camera) of their own fingerprint on a wine glass.  The mystery ‘darkshark9’ claimed that they had used Adobe Photoshop and Autodesk 3ds Max to work on the photograph and had then used an AnyCubic Photon LCD resin 3D home printer (costing less than £400) to make a physical replica of the fingerprint.

It has been reported that it took ‘darkshark9’ less than 15 minutes to make the fake fingerprint that opened the phone.

Fingerprint Fear

This means that a person with the same equipment who could obtain a photo of a fingerprint from an object such as a glass or phone at close distance, or using a higher-quality DSLR camera (from perhaps even across the room), could have the potential to quickly break into anyone’s biometric security protected phone and steal personal data, access apps etc.

What Does This Mean For Your Business?

Many security experts agree that using biometric security as a primary unlock method is less secure than a password or PIN, although it offers convenience and is liked by many users.  In the case of the Galaxy S10, although it was supposedly fooled with the fake finger model, its fingerprint scanner uses ultrasonic sound waves to map the user’s fingerprint in the first place which is more secure than the optical sensors used by some other phones that can be fooled by a paper printout of a fingerprint.

Having a fingerprint scanner / sensor on the phone is better than having nothing at all, as is the case with many people who leave their phones unlocked all the time rather than having to type in a PIN or password.

This is not the first time that phone biometric security measures have been defeated. For example, it is also claimed that the S10’s facial recognition (because it uses cameras rather than infrared sensors) can be fooled by another phone playing a video of the S10 owner’s face.

Also, in a Twitter thread, Manchun Wong claimed that she was able to fool her brother’s S10 facial recognition scanner using her own face, presumably because of the similarity of family and sibling resemblance. This is reminiscent of a case back in 2017 when BBC ‘Click’ reporter Dan Simmons reported that he had been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.

Biometric security on phones clearly has some way to go before the effectiveness lives up to the promise, and for the time being, although less convenient, password and PIN may be safer as the primary unlock method.

AI Used To Tackle Money Laundering

Banks and financial institutions are experimenting with AI technology to tackle the multi-trillion-pound problem of money laundering, thereby hitting the traditional funding sources of major criminal gangs.

Money Laundering

Money laundering is the process of concealing the origins of illegally obtained money by passing it through legitimate business or a sequence of banking transfers.

According to figures from the UN’s Office on Drugs and Crime, money laundering accounts for up to 5% of global GDP – the equivalent of £1.5 trillion per year.  In the UK, National Crime Agency figures show that financial crime suspicious activity reports increased by 10% in 2018.

Also, in the UK for example, Companies House and estate agents (setting up new companies and investing in property) have been criticised by the government’s Treasury Committee as being key ways in which money laundering can take place in the UK.

UK law (from 2017) aimed at tackling money laundering requires businesses or sole traders that operate as “high-value dealers”, i.e. that accept or make high-value cash payments of €10,000 or more (or equivalent in any currency) in exchange for goods, to register with HMRC.

Money Laundering In The News

Some recent high-profile cases of alleged money laundering involving banks include:

  • Swiss bank UBS being fined a staggering £3.2 billion for helping wealthy clients based in France to hide money from tax and launder the proceeds (the bank has lodged an appeal).
  • In September 2018, Dutch bank ING Groep NV being fined €775 million after failing to spot that criminals had been money laundering through its accounts.
  • In December 2018, 10 former employees of the local branch of Danske Bank in Estonia being arrested as part of an international investigation into (alleged) money laundering.

How AI Can Help

AI technology is being tested in the fight against money laundering because AI can crunch vast amounts of data (i.e. the data from millions of bank transactions) very quickly and accurately, thereby making it very good at detecting patterns and deviations from patterns.  AI can, therefore, quickly detect patterns of unusual activity e.g. behaviour consistent with money laundering (AI also learns with experience), as well as being able to spot smurfing attempts (breaking down a transaction into smaller transactions to avoid being spotted), accounts that are set up remotely by bots rather than humans, and suspicious behaviour by corrupt insiders (known to be an important element in many successful money laundering operations).

What Does This Mean For Your Business?

Money laundering is often used to help organised criminals / criminal gangs continue to finance many kinds of other serious crimes which have a negative impact on society and the economy. It is, therefore, good news for businesses (particularly in the financial and property sectors) that an accurate and reliable technology-based early detection system that works independently from human influence and error is being set to work to crack an old problem using the very latest means.

Critics have said, however, that even though AI may be excellent at spotting unusual transaction patterns it will only be as effective as the data it is fed, and banks, financial institutions, governments and law enforcement agencies, therefore, need to share more information to get the best results from AI tools.

Some have also been sceptical of how effective an ‘off-the-shelf’ AI-based money laundering detection tool (of which there are several on the market) could be.