Author Archive for Andy Wilkinson

Your Latest IT News Update

Adopt ‘HTTPS’ Or Face Being Penalised by Google

Google has announced that websites without ‘HTTPS’ in front of their domains will be labelled as ‘Not Secure’ in version 48 of Chrome, starting this July.

<More>

UK Government Unveils Online Extremism Blocker

Home Secretary Amber Rudd has unveiled the UK government’s new tool for detecting and blocking online extremist and jihadist content.

<More>

Cryptojacking Discovered On Government Websites

A UK security researcher has discovered that cyber criminals have been using public sector websites, including that of the UK’s Information Commissioner’s Office for cryptojacking.

<More>

X-Day February 15th – Prepare For GDPR

Network services provider EfficientIP has warned businesses that, in reality, February 15th is the last day that organisations can ensure their real-world compliance with GDPR.

<More>

10 Gbps Home Broadband Speed Achieved In Test

Broadband operator Hyperoptic is reported to have achieved home Broadband speeds of up to 10 gigabits per second (Gbps) in a recent test.

<More>

Tech Tip – Windows 10: Keep Unwanted Software Off Computers You Support

If you help support your business and / or home computer, and you want to keep things secure and tidy by stopping other users from downloading unwanted software from sources you don’t trust onto the computer, here’s how…

<More>

Adopt ‘HTTPS’ Or Face Being Penalised by Google

Google has announced that websites without ‘HTTPS’ in front of their domains will be labelled as ‘Not Secure’ in version 48 of Chrome, starting this July.

What Is HTTPS and Why Does It Matter?

HTTPS stands for Hyper Text Transfer Protocol Secure. It is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to, which means that all communications between your browser and the website you visit are encrypted.

In practical and technical terms, having HTTPS in front of your website URL means that:

  • Every unprotected HTTP request could reveal information about the behaviours and identities of your users. With HTTPS, therefore, critical security and data integrity for both your websites and your users’ personal information is provided. For example, no one with access to your router or ISP can get in the middle and intercept information sent to websites, spy on what you’re doing, or inject malware into legitimate pages.
  • Intruders (benign and malignant), now target every unprotected resource between your website and users e.g. images, cookies, scripts, and HTML. HTTPS provides a kind of blanket protection. ‘Intruders’ could include intentionally malicious attackers, as well as legitimate but intrusive companies e.g. ISPs or hotels that inject adverts into pages.
  • HTTPS doesn’t just block misuse of your website, but it is now also a requirement for many cutting-edge features, and is an enabling technology for app-like capabilities such as service workers, or building progressive web apps.
  • Many older APIs are now being updated to require permission to execute e.g. geolocation API. HTTPS is, therefore, a main component to the permission workflows for both new features and updated APIs.

Naming and Shaming

Google’s Chrome Security Product Manager, Emily Schechter, has announced on the Google Blog that, as from July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”. Google has played down this more direct move as being simply another step in a progression that has seen it gradually marking a larger subset of HTTP pages as “not secure” over the last year. Those companies and organisations that have not yet got their secure certificates may, however, be left thinking that this looks more like a naming and shaming.

Google isn’t the only company to adopt this kind of tactic. Mozilla took a similar approach sites using HTTP back in December with Firefox Nightly version 59.

Cost

The cost of secure certificates varies e.g. popular host GoDaddy offers HTTPS for one website for around £44 per year (£55 when you renew it). Google’s blog post avoids discussion of the cost, and focuses more on the benefits, the risks of not getting one, and makes the point that secure certificates are now more affordable than ever.

According to Google’s figures, many sites have already switched to HTTPS, with a reported 68% of Chrome traffic on Android and Windows now protected, 78% of Chrome traffic on Chrome OS and Mac now protected, and 81 of the top 100 sites on the web now using HTTPS by default.

What Does This Mean For Your Business?

Clearly, any thought that a secure certificate will only be needed by websites that directly take payments is likely to be wrong. Google is committed to making HTTS the default standard – on its blog it says ‘a secure web is here to stay’. The fear for businesses, in addition to the fear of cyber attacks, is that if you don’t have HTTPS for your business website soon, it could suffer in the search engine rankings, and potential customers could be scared away by visual warnings that the site is somehow, suddenly not secure. For smaller businesses this could be particularly damaging.

If having HTTPS reduces the risk of cyber crime then the benefits of buying a secure certificate will outweigh the cost, but for many smaller businesses, this may feel like they are being forced to pay an extra cost each year, and it may also force cyber criminals to change their tactics e.g. move more into social engineering attacks, and perhaps turn to AI-powered attack methods.

UK Government Unveils Online Extremism Blocker

Home Secretary Amber Rudd has unveiled the UK government’s new tool for detecting and blocking online extremist and jihadist content.

Publicly Funded

The new tool was developed by artificial intelligence company ‘ASI Data Science’ based in London, and was funded using £600,000 of public funds.

Tackling A Growing Problem

The tool was developed to tackle the growing problem extremist / jihadist (e.g. IS) content being posted online, and current moderating techniques simply not being able to keep up with the job of detecting and removing it fast enough. For example, as well as the popular video platforms for posting such content, the Home Office estimates that between July and the end of 2017, extremist material appeared in almost 150 web services that had not been used for this kind of propaganda before.

An ASI Data Science spokesperson is reported as saying that there are currently over 100 different (extremist / IS) videos posted on over 400 different platforms online.

The danger is of course, that the material can contribute to the promotion of extremist causes, the radicalisation of people, the recruitment of new terror group members, and inspiring individuals / groups to commit their own acts of terror. Some of the content can also be very disturbing e.g. if viewed by children online.

How The New Tool Works

The new tool is reported to have an AI element which has enabled it to be ‘trained’ to correctly pick out extremist content. For obvious reasons, the exact workings of the tool are being kept secret, but it is understood that the tool uses an algorithm to detect signals that contribute to a level of probability (low to high) that a video is likely to be terrorist propaganda rather than e.g. a legitimate news video. The tool can be applied at the point of upload on a video platform, thereby stopping the propaganda video from being uploaded in the first place.

This tool is reported to be able to accurately detect 94% of IS video uploads, and that it can typically flag 0.005% of non-IS video uploads. On a site with five million daily uploads, for example, it would flag 250 non-IS videos for review / for a human decision to be taken.

Others Have Tried

Facebook and Google are known to have been trying to develop their own terror material filtering tool, and this UK version is thought to be suitable for use by smaller platforms first.

Home Secretary Says…

Home Secretary Rudd is reported as saying that even though the tool has been developed, the UK government won’t rule out taking legislative action too where necessary, and that an industry-led forum such as The Global Internet Forum to Counter Terrorism, launched last year, will also help to tackle the issue.

What Does This Mean For Your Business?

For businesses using the smaller social media and video platforms, this tool could be a practical solution to current moderation problems. For the UK government, it provides some good publicity, a chance to gain back some ground in the online battle with terror groups such as IS, and a way to be seen to be tackling worries of radicalisation of UK citizens. It also provides a way for the Home Secretary to apply more pressure to the popular social media platforms, some of which the UK government has criticised for not taking enough fast action to detect remove extremist content.

For UK businesses generally, association with and use of advertising platforms that are free of extremist and unsavoury material is obviously better from a brand protection point of view. It is, however, a fact that Facebook and Google are hugely important for business advertising, and that PPC advertising for example, is unlikely to be affected by whether the chosen video / social media platform adopts such a screening-tool in the near future.

Cryptojacking Discovered On Government Websites

A UK security researcher has discovered that cyber criminals have been using public sector websites, including that of the UK’s Information Commissioner’s Office for cryptojacking.

What Is Cryptojacking?

Typically, cryptojacking involves hackers / scammers installing ‘mining script’ code such as Coin Hive, into multiple web pages without the knowledge of the website owners. The compromised website then runs the cryptomining code, which is written in JavaScript, inside the victim’s web browser when they visit the website. The scammer is then able to get multiple computers to join their networks so that the combined computing power will enable them to solve mathematical problems. Whichever scammer is first to solve these problems is then able to claim / generate cash in the form of crypto-currency.

If, for example, a website is able to get one million visitors a month, and if the Coin Hive Web Miner for Monero (XMR) is used, it could generate an income of £88 in the Monero crypto-currency.

Modified BrowseAloud Plugin

In this latest discovery by security researcher Scott Helme, criminals were found to be using a modified version of the BrowseAloud plugin to enable crypotojacking through government websites. The BrowseAloud plugin is normally used to make websites more accessible to visually impaired people, but in this case, attackers were found to have planted malicious code to the JavaScript file to use the browser CPU in an attempt to illegally generate cryptocurrency.

It is thought that criminals targeted this plugin because public sector websites need to comply with legal obligations to make their information accessible to people with disabilities.

Which Government Websites?

A recent investigation has discovered that around 5,000 websites are being targeted using this kind of cryptojacking. The government websites affected include the websites of the UK’s Information Commissioner’s Office (ICO), NHS websites, the General Medical Council website, some UK local council websites, the Student Loans Company site, some Australian government department websites, and the even the US Courts website.

What Does This Mean For Your Business?

Many businesses and organisations simply aren’t able to see and take account of all of the ways they can be attacked externally. Also, it’s not always easy to understand what belongs to your organisation, how it is connected to the rest of your asset inventory, and what potential vulnerabilities are exposed to compromise.

The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses. There are, however, some simple measures that your business can take to avoid being exploited as part of this kind of scam.
If, for example, you are using an ad blocker on your computer, you can set it to block one specific JavaScript URL which is https://coinhive.com/lib/miner.min.js. This will stop the miner from running without stopping you from using any of the websites that you normally visit.

Also, a dedicated browser extension called ‘No Coin’ is available for Chrome, Firefox and Opera. This will stop the Coin Hive mining code being used through your browser. This extension comes with a white-list and an option to pause the extension should you wish to do so.

Coin Hive’s developers have also said that they would like people to report any malicious use of Coin Hive to them.
Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current scams and what to do to prevent them, are just some of the ways that you could maintain a basic level of protection for your business.

Digital threat management software is also an option that can help companies to continuously discover an inventory of their externally facing digital assets, and to manage the risks across the entire attack surface.

X-Day February 15th – Prepare For GDPR

Network services provider EfficientIP has warned businesses that, in reality, February 15th is the last day that organisations can ensure their real-world compliance with GDPR.

I Thought May 25th Was The Deadline?

May 25th is the actual date that companies and organisations need to ensure that they are compliant with GDPR. However, the point that EfficientIP made in an announcement last week is that, realistically, it actually takes 99 days to detect a data breach. This gives hackers time to ‘exfiltrate’ data, or remove it without detection. Taking this into account, February 15th is exactly 100 days before May 25th 2018, and could, therefore, be regarded as the last day organisations can ensure real-world compliance with GDPR.

Dubbed ‘X-Day’

With this point in mind, some Cyber Security experts have started referring to February 15th as “X-Day” because it is the last day companies can prevent data exfiltration attacks without potential prosecution by regulators.

What Is Data Exfiltration?

Data exfiltration is the unauthorized copying, transfer or retrieval of data from a computer or server. In other words, hackers can use the DNS protocol to very quickly transfer large amounts of personal and sensitive data from your company systems e.g. customer data such as credit card numbers, or company information such as financial records.

EfficientIP have pointed out that most of the companies breached after February 15th 2018 will only discover the attack after GDPR is in force, and will, therefore, (legally) only have 72 hours to publicly disclose the breach.

How Common is Exfiltration?

EfficientIP’s own research shows that as much as 24% of companies have suffered data exfiltration in the past year.

Positive View

Although the EfficientIP is a warning, and companies already know that failing to comply with GDPR will bring large fines, and data breaches can cause irreparable damage to a company and its reputation, there are some very positive reasons for preparing now for GDPR. For example, a recent Veritas survey showed 95% of decision-makers expect a positive outcome from GDPR compliance, and 92% think they would benefit from having better data hygiene.

68% of respondents in the Veritas survey also said that getting GDPR compliant would give them a better insight into their business, which could help to improve the customer experience, and that compliance could actually save the company money.

Getting Motivated

It’s all very well issuing worrying warnings, but companies not yet compliant need to find effective ways to drive the cultural and organisational changes needed to get to grips with GDPR going forward. These motivators, also highlighted in a recent Veritas survey, could include adding compliance to employee contracts (47%), implementing disciplinary action if the regulation is disobeyed (41%), and educating employees about the benefits of GDPR (40%).

What Does This Mean For Your Business?

GDPR is just around the corner and this ‘X-Day’ warning is an indicator that realistically, GDPR compliance shouldn’t be put off any longer.

Data management commentators suggest that companies should adopt an automated, classification-based, policy-driven approach to GDPR so that they can meet the regulatory demands within the short time frame available.

Businesses have now heard all the warnings, and many companies and organisations are now starting come around to the idea of focusing on the positive outcomes and benefits that GDPR compliance will bring such as increased revenues, resulting from improved customer loyalty, heightened brand reputation, and competitive differentiation in the market.

There is also now growing realisation that companies will prefer to have business relationships with GDPR compliant companies to help ensure their own compliance. This means that GDPR compliance will be become a basic necessity to enable companies to compete in a normal way in today’s business environment.

10 Gbps Home Broadband Speed Achieved In Test

Broadband operator Hyperoptic is reported to have achieved home Broadband speeds of up to 10 gigabits per second (Gbps) in a recent test.

Hyperoptic?

‘Hyperoptic’ is the company name in this case, but the term hyperoptic generally refers to the kinds of super speeds that can be achieved with full fibre / fibre-to-the-building / fibre-to-the-home / ‘fibre-to-the-premises’ infrastructure and packages.

A First

The result of the test, which was carried out in a home in the former Olympic village in east London (presumably because it is fully fibre linked), is thought to be the first time that such speeds have been brought to a UK home using an existing ISP network rather than a dedicated line.

How Fast Is That?

Quoted broadband speed figures are often not what they seem, but speeds of up 10 gigabits per second would mean that:

  • A standard HD movie file (5GB) could be downloaded in 4 seconds, compared with 6 minutes 40 seconds on a 100Mbps connection.
  • A 25GB Xbox game could be downloaded in 20 seconds, compared with more than 33 minutes on a 100Mbps connection.
  • The latest full 4K ultra high definition movie (75 GB) could be downloaded in just 1 minute, compared to 1 hour 40 minutes on a 100Mbps connection.

Why Do We Need Hyper Speeds?

Spending more time on more powerful gadgets / mobile devices, the growth of the subscription economy for services, the continued growth of online shopping, the growth of the cloud, the popularity of gaming, video and social media programs, the popularity of TV / Film and other media streaming services, the demand to download bigger and better quality files, and the frustration of buffering and slow connections over many years have all stimulated UK demand for better and faster connections. Also, more businesses are looking to future-proof their networks, and they feel that much faster connections are needed for effective global business competitiveness.

As things stand, a recent survey by cable.co.uk found that the UK ranks only 31st in the world for average broadband speeds, with an average broadband speed of just 16.51Mbps.

Trials of Full Broadband In 6 UK Regions

Back in September, the UK government announced that six regions of the UK would be hosting trials of full fibre broadband for businesses, schools and hospitals as part of a £200m scheme by the Department for Digital, Culture, Media & Sport (DCMS).

According to the DCMS, £10 million of the total £200 million budget will be spent on trials for full fibre broadband in Aberdeen and Aberdeenshire, West Sussex, Coventry and Warwickshire, Bristol and Bath & North East Somerset, West Yorkshire and Greater Manchester.

Commitment From Big Providers

The big UK broadband providers are making more of a commitment to the kind of full-fibre connections that could bring much faster speeds. For example, BT has promised to bring full-fibre connections to 3 million premises by 2020, 700,000 of which will be in rural areas. Also, TalkTalk has announced a big investment in infrastructure which will bring full-fibre technology to 3 million homes and businesses.

Criticism

Despite this recent announcement by Hyperoptic, there are many valid criticisms about any big plans for boosting broadband speeds with the widespread use of fibre-optic cables in the UK including:

  1. Even if you have a fibre-optic cable to your home / business premises, there will still be shared traffic points in the network which will slow down your broadband at certain times.
  2. Full fibre-optic, ultra-fast broadband is not likely to be a reality in the UK anytime soon. At the current rate, BT Openreach has stated that only two million premises will have access to ‘full fibre’ by the end of 2020.

What Does This Mean For Your Business?

The test by Hyperoptic is really just a tantalizing view of what could be possible if we all had full-fibre broadband up to our premises, and a fabulous UK fibre infrastructure. Obviously, that could bring considerable value-adding, cost-saving, competitiveness-boosting benefits to UK businesses.

Sadly, the current reality is that businesses don’t have (and look unlikely to have any time soon) access to kind of speeds that overseas companies (e.g. competitors) enjoy, and certainly don’t have access to the speeds that the Hyperoptic test was demonstrating.

Whilst it is good that funding and momentum for the task of delivering faster (fibre or fibre/G.fast) broadband for UK businesses looks to be increasing, the UK has a long way to go, and the reality is that we may only actually have 7% full fibre coverage by 2020.

In terms of what it actually means for a business to be physically connected to a fibre broadband infrastructure, technical commentators say it will be a case of simply having a small box installed on the premises. In terms of costs, it seems likely that faster full-fibre packages will be an opportunity for ISPs to charge more.

Tech Tip – Windows 10: Keep Unwanted Software Off Computers You Support

If you help support your business and / or home computer, and you want to keep things secure and tidy by stopping other users from downloading unwanted software from sources you don’t trust onto the computer, here’s how…

To lock down Windows 10 so users can’t install new software unless it comes from a trusted source:

  • Go to Settings > Apps > Apps & Features.

Look for the Installing Apps setting at the top of the page. There should be three choices:

  1. Allow apps from anywhere (the default).
  2. Warn me before installing apps from outside the Windows Store. Selecting this option will mean that any standard user accounts will need your permission to continue.
  3. Allow apps from the Store only. Select this option if you don’t want users to be able to install apps from anywhere except the trusted Windows Store.

Desktop programs that you’ve already installed before enabling this restriction will continue to run.

Using these restrictions, you can set up a PC with a selection of trusted apps and then lock it down so nothing changes without your permission.

Your Latest IT News Update

Technostress

The results of a survey by Microsoft indicate that constant contact with technology such as emails, messages and notifications in the workplace can reduce productivity, make workers less productive, and increase stress levels.

<More>

Firefox Users Advised To Update

Cisco’s security team has advised Firefox users to install Mozilla’s latest update for its web browser after a potentially serious security vulnerability was discovered.

<More>

Bitcoin Battered

Cryptocurrency Bitcoin’s value has now dropped to $6,000, a fall of $13,000 since November 2017.

<More>

Virgin Credit Cards: No To Crypto

Shortly after Lloyds Bank announced that it would be banning customers from buying crypto-currencies such as Bitcoin using their credit cards, Virgin Money is now adopting the same policy.

<More>

Facial Recognition Arrest Claims Via Twitter

South Wales Police have taken to social media to announce news of the latest arrests made using Automated Facial Recognition (AFR) technology.

<More>

Tech Tip – Timeline For Windows 10

Currently being tested and likely to come out soon in an update is a browser history for your Windows desktop known as ‘Timeline’. This feature will allow you to search through files, apps and sites you’ve previously had open, and jump back and pick up what you were doing.

<More>

Technostress

The results of a survey by Microsoft indicate that constant contact with technology such as emails, messages and notifications in the workplace can reduce productivity, make workers less productive, and increase stress levels.

It’s All Down To The Company’s ‘Digital Culture’

The survey, which involved the opinions of 20,000 workers from 21 European nations, found that how technology is viewed and deployed in the workplace can make a big difference in worker productivity and well-being. Microsoft’s findings therefore, indicated that a company’s chosen “digital culture” can improve workers’ productivity and help them feel more involved in the business.

Too Much

It will come as no surprise to many people reading this that too much exposure to and emphasis on technology (e.g. large amounts of updates and notifications arriving via social media during the day) makes people less productive and more distracted.

The Microsoft report makes the point that one of the reasons why only 11.4% of European workers said they felt highly productive at work may be that even though there is an abundance of technology around, that doesn’t necessarily translate into impact.

Productivity comes from creative interchange rather than people simply working on computers, and Management Scientists now believe that technologies can overload people and make them less productive by making them focus too much on trying to deal with the technology itself, rather than working at using the technology to improve the delivery of a product or service.

‘Technostress”

Management Science experts now recognise the existence of ‘technostress’, which can occur when workers have to deal with the adverse consequences of adopting novel computer systems or software.

What Does This Mean For Your Business?

The main message for businesses is that simply introducing lots of interruptive and / or novel technology to the working environment can actually cause stress and make workers less productive. Businesses need to pay attention to building the right kind of digital culture. For example, organisations first need to know what they want to do with the software and systems they have adopted, and give staff the correct training and other help to use it.

A planned and managed digital culture with supporting conditions, such as appropriate email response times and measuring whether people are happy with the tech they use to do their day-to-day jobs, can help workers to get the most out of technology. This can lead to higher productivity, fewer staff feeling disengaged, and can ultimately benefit the aims and objectives of the business.

Firefox Users Advised To Update

Cisco’s security team has advised Firefox users to install Mozilla’s latest update for its web browser after a potentially serious security vulnerability was discovered.

Malicious Code Danger

According to Cisco’s researchers (and confirmed by Mozilla), the vulnerability has been caused by “insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software”.

This means that unless Firefox users install the latest security patch update, they run the risk of remote hackers exploiting the vulnerability by persuading them to access a link or file that submits malicious code to the affected browser software.

Take Control Of The System

This kind of exploit could then enable an attacker to execute arbitrary code with the privileges of the user. If a user has elevated privileges, for example, this could even mean that the attacker could compromise the entire system. Once an entire system has been taken over, the attacker is then free to install programmes, create new accounts with full user rights, and to view, change or delete data.

Which Firefox Versions Are Affected?

The vulnerability is reported to affect Firefox web browser versions 56 (.0, .0.1, .0.2), 57 (.0, .0.1, .0.2, .0.3, .0.4), and 58 (.0). The Android Firefox browser app and Firefox 52 ESR are not affected.

How Can You Protect Your Systems?

The advice appears to be that Firefox users should download the browser update patch as soon as possible. The advisory information can be found here https://www.mozilla.org/en-US/security/advisories/mfsa2018-05/ and the patch can be found on the Mozilla website here: https://www.mozilla.org/en-US/firefox/new/?scene=2 .

Administrators can also help to safeguard systems by using an unprivileged account when browsing the Internet, and by monitoring critical systems.

What Does This Mean For Your Business?

The recent Malwarebytes annual State of Malware report showed that the UK is now the most targeted region in the world for cyber threats, so it is important for businesses to take action to patch any known vulnerabilities as soon a possible.

Since an exploit via Firefox of this kind would first require malicious software to be downloaded, users should remember, businesses should instruct all staff members not to open any email messages from suspicious or unrecognised sources. If users cannot verify that links or attachments included in email messages are safe, they should also be advised not to open them. Businesses should make it a matter of email policy and good practice that users should first verify if any unsolicited links are safe to follow.

Staying up to date with patching known vulnerabilities is an important part of the basic cyber security of business systems. For example, back in August 2017, the Fortinet Global Threat Landscape Report found that not only are 9 out of 10 businesses being hacked through un-patched vulnerabilities, but that many of these vulnerabilities are 3 or more years old, and already have patches available for them. In the case of Firefox, therefore, the patch should be downloaded immediately.