Archive for May 2019

Your Latest IT News Update

Trust Challenge For Online Sharing Services

The Global Trust Survey from service provider Jumio has revealed that a quarter of adults feel unsafe using online sharing services.

What Are Online Sharing Services?

The term “online sharing services” refers to companies like Uber and Airbnb, where multiple users can use technology to book and consume a shared offering (car and room sharing), and where those offering the service can increase the utilisation of an asset – both parties get value from the exchange. The so-called “sharing economy” also includes services such as crowdfunding, personal services, and video and audio streaming.

The Sharing Economy

The sharing economy is expected to grow to a massive $335 billion by 2020. For example, in just 11 years, Airbnb has grown from nothing to becoming a $30bn firm listing more than six million rooms, flats and houses in more than 81,000 cities across the globe. Figures show that, on average, two million people use an Airbnb property each night.

Trust Challenge Revealed

Jumio’s Global Trust Survey showed that even though online sharing services are growing, and have been with us for some time now, in the 30 days prior to the survey taking place, over 80% of UK adults said that they hadn’t used an online sharing service, and 25% of UK adults said that they felt “somewhat unsafe” or “not at all safe” when using online sharing services.

A key element in making shared services successful is trust, and recent global research from PwC confirmed this: 89% of consumers agreed that the sharing economy marketplace is based on trust between providers and users.

Identity Verification Vital

One area uncovered by the Global Trust and Safety Survey which appears to be a challenge for shared services is proving and verifying identity.  For example, the survey found that 60% of users believe it is either ‘somewhat important’ or ‘very important’ for new users to undergo an identity check to prove that they are who they claim to be.

This is the reason why companies such as Lyft are rolling out continuous background checks and enhanced identity verification, and why Uber is updating its app to give an alert to riders to check the license plate, make, and model of the vehicle, and to confirm the name and picture of the driver.

What Does This Mean For Your Business?

Trust is something that takes a long time for a business to build, and it is a vital element in the success of shared services such as those where considerable risk (financial and, critically, personal risk) is involved. Trust is also something that can be very easily lost, sometimes in an instant or through one high profile incident involving that service e.g. the recent murder in the US of a student by a man posing as an Uber driver.

The results of the Global Trust Survey help to remind businesses that offer shared services that consumers need and want a layer of safety to help them feel comfortable in trying and using those services.  Companies can, therefore, help create an ecosystem of trust through the process of identity verification.

Low Launch Share Price For Uber

Uber made its trading debut at the New York Stock Exchange (NYSE) last week, but the opening share price was much lower than had been expected at only $45 per share.

$45 Per Share

Ride-hailing (and now scooter and bike hire) company Uber had raised $28.5 billion as a private company from 166 different backers and was last valued at a still very impressive $75 billion. Even though banks and analysts had hinted at a projected figure of $120 billion that Uber looked set to raise in its public share offering, the actual figure turned out to be considerably less – a final valuation of $82.4 billion, selling 180 million shares at $45/share.

Nevertheless, this figure still marks Uber, the dominant player in the market for on-demand transportation, as one of the most valuable tech firms.

Vast

Uber is reported as having 93 million active platform consumers (that’s up from 70 million only a year ago), making 17 million trips per day across 700 cities on six continents.

Co-Founder Not On The Balcony at Stock Exchange

At the event, where the NYSE bell was rung while key members of Uber stood on the balcony, the co-founder of Uber did not join the public display (although he did attend the event).  Travis Kalanick had to step down from Uber (even though the billionaire still sits on the board with an 8.6% stake) over controversies about business practices.  This followed a four-month investigation, with 20 sackings, culminating in Kalanick stepping down.

Competitors

Even though Uber is the dominant company in its field it is now not without competitors.  For example, Lyft, Gett, Heetch, MyTaxi, and Bolt are all now gaining in popularity.  In fact, the biggest competitor Lyft, which has a similar business model to Uber, is currently trading at $55 which is below its debut of $78.29 on March 29.

Woes

Even though the event at NYSE was supposed to be a triumphant and positive one, some of Uber’s high-profile woes surfaced outside in the form of protests about the alleged treatment of drivers and the impact on cities by Uber. In recent times, Uber has been the subject of driver protests, lawsuits, questions about business practices, and the need to pay attention to regulatory pressures.

What Does This Mean For Your Business?

Uber’s rise to this moment appears to have been meteoric and huge, although investment commentators have noted that going on the pure metric of profit and loss, Uber has been posting losses e.g. a loss of some $1 billion in the last quarter on revenues of $3 billion-$3.1 billion.  Uber has faced a lot of controversies, and now has some strong competition, and all of these factors have perhaps been reflected in the lower than expected value per share.

Some market analysts are still concerned about how Uber can turn things around and how patient investors are likely to be, although leadership under the current CEO, Dara Khosrowshahi, looks promising.

Serious Security Flaws Discovered In Popular GPS Tracker

Researchers at UK cyber-security company, Fidus Information Security, say that they have found security flaws in a popular Chinese-manufactured white-label location tracker that could be serious enough to warrant a recall.

Which Tracker?

The GPS tracker, which is used as a panic alarm for elderly patients, to monitor children, and to track vehicles, is a white-label product that is rebranded and sold by several different companies, which reportedly include Pebbell (by HoIP Telecom), OwnFone Footprint and SureSafeGo. The tracker uses a SIM card to connect to the 2G/GPRS network.  According to Fidus, at least 10,000 of these trackers are currently used in the UK.

What’s The Problem?

According to the researchers, simply sending the device a text message with a keyword can trick the tracker into revealing its real-time location. Also, other commands tried by the researchers can allow anyone to call the device and remotely listen in to its in-built microphone without the user knowing, and even remotely stop the signal from the tracker, thereby making the device effectively useless.  On its blog, Fidus lists several other things that its researchers were able to do to the device including change or completely remove all emergency contacts, disable the motion alarm, disable fall detection and remove any device PIN which had been set.

All these scenarios could pose significant risks to the (mainly vulnerable) users of the trackers.

According to Fidus, one of the main reasons why the device has so many security flaws is that neither the manufacturers nor the companies reselling the devices appear to have conducted any security testing or penetration testing of the device.

PIN Problem

The research by Fidus also uncovered that, although the manufacturers built in PIN functionality to help lock the devices down, the PIN is disabled by default and users need to read the manual to find out about it. When enabled, the PIN is required as a prefix for any command to be accepted by the device, except for the REBOOT and RESET functions.  The problem with this is that the RESET functionality is the thing that really could provide any malicious user with the ability to gain remote control of the device.  This is because it is the RESET command that wipes all stored contacts and emergency contacts, restores the device to factory defaults and means that a PIN is no longer needed.
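
The PIN gate described above can be modelled in a few lines to show why exempting RESET defeats the lock, and what an audit of the gate looks like. This is an added example, not code from Fidus or the manufacturer: the "<pin>,<command>" message syntax, the LOC command and the sample PIN and contact are constructed for illustration; only REBOOT and RESET are named in the research.

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import List, Optional

# REBOOT and RESET come from the article; LOC is a hypothetical stand-in
# for any command that is supposed to be protected by the PIN.
COMMANDS = ("LOC", "REBOOT", "RESET")


@dataclass
class Tracker:
    exempt: frozenset                  # commands accepted without the PIN
    pin: Optional[str] = None          # disabled by default, as reported
    contacts: List[str] = field(default_factory=list)

    def handle_sms(self, text: str) -> bool:
        """Apply the PIN gate; return True if the command was accepted."""
        supplied, _, cmd = text.rpartition(",")   # constructed "<pin>,<command>" syntax
        cmd = cmd.strip().upper()
        if cmd not in COMMANDS:
            return False
        pin_ok = self.pin is None or compare_digest(
            supplied.strip().encode(), self.pin.encode())
        if not (pin_ok or cmd in self.exempt):
            return False
        if cmd == "RESET":             # factory defaults: contacts and PIN are wiped
            self.contacts.clear()
            self.pin = None
        return True


def audit(exempt) -> dict:
    """Report what a PIN-locked device exposes to a sender who has no PIN."""
    exempt = frozenset(exempt)
    accepted = []
    for cmd in COMMANDS:               # fresh locked device for each probe
        if Tracker(exempt=exempt, pin="4821").handle_sms(cmd):
            accepted.append(cmd)
    # Then follow one device through an unauthenticated RESET.
    device = Tracker(exempt=exempt, pin="4821", contacts=["+440000000000"])
    device.handle_sms("RESET")
    return {
        "accepted_without_pin": accepted,
        "pin_still_set": device.pin is not None,
        "contacts_kept": bool(device.contacts),
        "protected_cmd_open_after_reset": device.handle_sms("LOC"),
    }


# Gate as described in the article: REBOOT and RESET skip the PIN check.
AS_REPORTED = audit({"REBOOT", "RESET"})
# Hardened gate: no remote command is exempt. Recovery from a forgotten PIN
# would then need a local action on the device (an assumption of this model).
HARDENED = audit(set())

if __name__ == "__main__":
    print("as reported:", AS_REPORTED)
    print("hardened:   ", HARDENED)
```

The audit makes the design rule concrete: any command that can clear the credential must itself sit behind the credential, otherwise every other protected command is only one message away from being open.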

What Does This Mean For Your Business?

What is particularly disturbing about this story is that the tracking devices are used for some of the most vulnerable members of society.  Even though they have been marketed as a way to make a person safer, the cruel irony is that it appears that if they are taken over by a malicious attacker, they could put a person at greater risk.

This story also illustrates the importance of security penetration testing in discovering and plugging security loopholes in devices before making them widely available.  This is another example of an IoT/smart device that has security loopholes related to default settings, and with an ever-growing number of IoT devices out there, many of them perhaps not tested as well as they could be, many buyers are unknowingly at risk from hackers.

Old Routers Are Targets For Hackers

Internet security experts are warning that old routers are targets for cyber-criminals who find them an easy hacking option.

How Big Is The Threat?

Trend Micro has reported that back in 2016 there were five families of threats for routers, but this grew to 35 families of threats in 2018. Research by the American Consumer Institute in 2018 revealed that 83 per cent of home and office routers have vulnerabilities that could be exploited by attackers.  These include the more popular brands such as Linksys, NETGEAR and D-Link.

Why Are Old Routers Vulnerable?

Older routers are open to attacks that are designed to exploit simple vulnerabilities for several reasons including:

  • Routers are often forgotten about since their initial setup and consequently, 60 per cent of users have never updated their router’s firmware.
  • Routers are essentially small microcomputers.  This means that anything that can infect those can also infect routers.
  • Many home users leave the default passwords for the Wi-Fi network, the admin account associated with it, and the router.
  • Even when vulnerabilities are exposed, it can take ISPs months to be able to update the firmware for their customers’ routers.
  • Today’s routers are designed to be easy and fast to work straight out of the box, and the setup doesn’t force customers to set their own passwords – security is sacrificed for convenience.
  • There are online databases where cyber-criminals can instantly access a list of known vulnerabilities by entering the name of a router manufacturer. This means that many cyber-criminals know or can easily find out what the specific holes are in legacy firmware.

What If Your Router Is Compromised?

One big problem is that users have little real knowledge about their routers and pay little attention to them apart from when their connection goes down.  It is often the case, therefore, that users do not know that their router has been compromised, as there are no clear outward signals.

Hacking a router is commonly used to carry out other criminal and malicious activity such as Distributed Denial of Service attacks (DDoS) as part of a botnet, credential stuffing, mining bitcoin and accessing other IoT devices that link to that router.

Examples

Examples of high-profile router-based attacks include:

  • The Mirai attack that used unsecured routers to spread the Mirai malware that turned networked devices into remotely controlled “bots” that could be used as part of a botnet in large-scale network attacks.
  • The VPNFilter malware (thought to have been sponsored by the Russian state and carried out by the Fancy Bear hacking group) that infected an estimated half a million routers worldwide.
  • The exploit in Brazil that spread across D-Link routers, affecting 100,000 devices, and was aimed at customers of Banco do Brasil.

Also, back in 2017, Virgin Media advised its 800,000 customers to change their passwords to reduce the risk of hacking after finding that many customers were still using risky default network and router passwords.

Concerns were also expressed by some security commentators about TalkTalk’s Super Router regarding the WPS feature in the router always being switched on, even if the WPS pairing button was not used, thereby meaning that attackers within range could have potentially hacked into the router and stolen the router’s Wi-Fi password.

What Does This Mean For Your Business?

If you have an old router with old firmware, you could have a weak link in your cyber-security.  If that old router links to IoT devices, these could also be at risk because of the router.

Manufacturers could help reduce the risk to business and home router users by taking steps such as disabling the internet until a user goes through a set up on the device which could include changing the password to a unique one.

Also, vendors and ISPs could help by having an active upgrade policy for out of date, vulnerable firmware, and by making sure that patches and upgrades are sent out quickly.

ISPs could do more to educate and to provide guidance on firmware updates e.g. with email bulletins.  Some tech commentators have also suggested using a tiered system where advanced users who want more control of their set-up can have the option, but everyone else gets updates rolled out automatically.

Could Biometric Regulations Be On The Way Soon?

A written parliamentary question from MP Luciana Berger about the possibility of bringing forward legislation to regulate the use of facial recognition technology has led the Home Office to hint that the legislation (and more) may be on the way soon.

Questions and Answers

The question by the MP about bringing forward ‘biometrics legislation’ related to how facial recognition was being used for immigration purposes at airports. Last month, MP David Davis also asked about possible safeguards to protect the security and privacy of citizens’ data that is held as part of the Home Office’s biometrics programme.

Caroline Nokes has said on behalf of the Home Office, in response to these and other questions about biometrics, that options to simplify and extend governance and oversight of biometrics across the Home Office sector are being looked at, including where law enforcement, border and immigration control use of biometrics is concerned.  Caroline Nokes is also reported to have said that other measures would also be looked at with a view to improving the governance and use of biometrics in advance of “possible legislation”.

Controversial

There have been several controversial incidents where the Police have used/held trials of facial recognition at events and in public places, for example:

In February this year a deliberately overt trial of live facial recognition technology by the Metropolitan Police in the centre of Romford led to an incident whereby a man who was observed pulling his jumper over part of his face and putting his head down while walking past the police cameras ended up being fined after being challenged by police.  The 8-hour trial only resulted in three arrests as a direct result of facial recognition technology.

In December 2018, ICO head Elizabeth Denham was reported to have launched a formal investigation into how police forces use facial recognition technology after high failure rates, misidentifications and worries about legality, bias, and privacy.

A trial of facial recognition at the Champions League final at the Millennium Stadium in Cardiff back in 2017 only yielded one arrest, and this was the arrest of a local man for something unconnected to the Champions League. This prompted criticism that the trial was a waste of money.

Biometrics – Approved By The FIDO Alliance

One area where biometrics has got the seal of approval from the FIDO Alliance is its use in facial recognition and fingerprint scanning as part of the login for millions of Windows 10 devices from next month. The FIDO Alliance is an open industry association whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords.

In a recent interview with CNBC, Microsoft’s Corporate Vice President and Chief Information Officer, Bret Arsenault, signalled the corporation’s move away from passwords on their own as a means of authentication towards biometrics and a “passwordless future”.  Windows Hello (the Windows 10 authenticator) has been built to align with FIDO2 standards so it works with Microsoft cloud services, and this has led to the FIDO Alliance now granting Microsoft official certification for Windows Hello from the forthcoming May 2019 upgrade.

What Does This Mean For Your Business?

Taking images of our faces as part of a facial recognition system used by the government may seem like an efficient means of identification and verification e.g. for immigration purposes, but our facial images constitute personal data.  For this reason, we should be concerned about how and where they are gathered (with or without our knowledge) and how they are stored, as well as how and why they are used.  There are security and privacy matters to consider, and it may well make sense to put regulations and perhaps legislation in place now in order to provide some protection for citizens and to ensure that biometrics are used responsibly by all, including the state, and that privacy and security are given proper consideration.

It should be remembered that some of the police facial recognition tests have led to mistaken identity, and this is a reminder that the technology is still in its early stages, and this may provide another reason for regulations and legislation now.

Tech Tip – Lightbeam Screen-Sharing App

If you’d like an app that enables you to easily share mobile screens with a friend or colleague, for work or leisure, Lightbeam is a new, free, cross-platform app which does just that.

The social screen sharing app also makes it easy to book group itineraries and reservations for trips, and it also works as a video chat service.

To download the app, find it on Apple’s iTunes or on the Google Play Store.

Your Latest IT News Update

Proposed Legislation To Make IoT Devices More Secure

Digital Minister Margot James has proposed the introduction of legislation that could make internet-connected gadgets less vulnerable to attacks by hackers.

G7 Cyber Attack Simulation To Test Financial Sector

The G7 nations will be holding a simulated cyber-attack this month to test the possible effects of a serious malware infection on the financial sector.

Data Breach Report A Sharp Reminder of GDPR

The findings of Verizon’s 2019 Data Breach Investigations Report have reminded companies that let customer information go astray that they could be facing big fines, and damaging publicity.

Tech Tip – Free Online Presentation App ‘Zoho Show’

If you’d like an app that enables you to create and collaborate, publish and broadcast presentations from any device, quickly and easily, Zoho Show free online presentation software may be for you.

Surveillance Attack on WhatsApp

It has been reported that it was a surveillance attack on Facebook’s WhatsApp messaging app that caused the company to urge all of its 1.5bn users to update their apps as an extra precaution recently.

What Kind of Attack?

Technical commentators have identified the attack on WhatsApp as a ‘zero-day’ exploit that is used to load spyware onto the victim’s phone.  Once the victim’s WhatsApp has been hijacked and the spyware loaded onto the phone, it can, for example, access encrypted chats, access photos, contacts and other information, as well as being able to eavesdrop on calls, and even turn on the microphone and camera.  It has been reported that the exploit can also alter the call logs and hide the method of infection.

How?

The attack is reported to be able to use WhatsApp’s voice calling function to ring a target’s device. Even if the target person doesn’t pick the call up, the surveillance software can be installed, and the call can be wiped from the device’s call log.  The exploit works by using a buffer overflow weakness in the WhatsApp VOIP stack, which enables other parts of the app’s memory to be overwritten.

It has been reported that the vulnerability is present in the Google Android, Apple iOS, and Microsoft Windows Phone builds of WhatsApp.

Who?

According to reports in the Financial Times which broke the story of the WhatsApp attack (which was first discovered earlier this month), Facebook had identified the likely attackers as a private Israeli company, The NSO Group, that is part-owned by the London-based private equity firm Novalpina Capital.  According to reports, The NSO Group are known to work with governments to deliver spyware, and one of their main products called Pegasus can collect intimate data from a targeted device.  This can include capturing data through the microphone and camera and also gathering location data.

Denial

The NSO Group have denied responsibility.  NSO has said that their technology is only licensed to authorised government intelligence and law enforcement agencies for the sole purpose of fighting crime and terror, and that NSO wouldn’t or couldn’t use the technology in its own right to target any person or organisation.

Past Problems

WhatsApp has been in the news before for less than positive reasons.  For example, back in November 2017, WhatsApp was used by ‘phishing’ fraudsters to circulate convincing links for supermarket vouchers in order to obtain bank details.

Fix?

As a result of the attack, as well as urging all of its 1.5bn users to update their apps, engineers at Facebook have created a patch for the vulnerability (CVE-2019-3568).

What Does This Mean For Your Business?

Many of us think of WhatsApp as being an encrypted message app, and therefore somehow more secure. This story shows that WhatsApp vulnerabilities are likely to have existed for some time.  Although it is not clear how many users have been affected by this attack, many tech and security commentators think that it may have been a focused attack, perhaps of a select group of people.

It is interesting that we are now hearing about the dangers of many attacks being perhaps linked in some way to states and state-sponsored groups rather than individual actors, and the pressure is now on big tech companies to be able to find ways to guard against these more sophisticated and evolving kinds of attacks and threats that are potentially on a large scale.  It is also interesting how individuals could be targeted by malware loaded in a call that the recipient doesn’t even pick up, and it perhaps opens up the potential for new kinds of industrial espionage and surveillance.

3D AR Shopping Via Google Search

Later this month, Google will be rolling out 3D Augmented Reality (AR) in its search results, a change which could allow retailers to show their products online in a way that enables customers to virtually ‘try’ those products and see them in situ before buying them.

Shown At Phone Launch

Google showed how 3D AR could work in search results to attendees of the launch of its Pixel 3 smartphone at its annual developer’s conference. At the phone launch, Google’s Vice President, Aparna Chennapragada, used a superimposed animation of a shark and a 3D exploration of a pair of New Balance running shoes to illustrate how potential customers could superimpose a 3D AR image of a product on their own chosen backdrop (‘you space’).  This would allow customers to see just how a product would look in situ if they were to purchase it.

Brands

Examples of the brands that Google is reported to have been working with in order to develop optimised links to 3D AR versions of their products in Google’s search results include New Balance, Samsung and Volvo.

Other Uses of AR

Google users may already be used to seeing AR in action as part of Google Maps, where users can switch from map to an AR representation with directional arrows by clicking on the ‘satellite’ link and then by clicking on the route. This feature allows users to follow arrows along a drivers-eye route, change direction, and zoom in and out.

AR and VR

Back in October 2017, Ordnance Survey introduced AR to its mobile app so that users could point their smartphone at the world around them and see labels about places of interest and get a reading of how far away they are.

In February this year, breakfast cereal manufacturer Kellogg’s announced that it had been working with third-party VR companies to help it determine the best way to display its new products in stores. The pilot scheme used VR to give test subjects an immersive and 360-degree experience of a simulated store environment in which they were able to ‘virtually’ pick products, place items in shopping trolleys and make purchases.

What Does This Mean For Your Business?

Using AR to show 3D AR versions of products in the search results will enable companies to get their product instantly in front of consumers in a way that allows them to engage with those products on-demand, have a good look around the products, and virtually try them out and see how they could fit in with their lives.  This may be particularly important for products linked to self-image and lifestyle perceptions.  This could prove to be a valuable sales tool with considerable potential for all manner of products.