Author Archive for Andy Wilkinson

Your Latest IT News Update

Fake Finger Fools Fool Proof Phone

A Reddit user claims to have used a 3D printer to clone a fingerprint and then used the fake to beat the in-display fingerprint reader on a Samsung Galaxy S10.


AI Used To Tackle Money Laundering

Banks and financial institutions are experimenting with AI technology to tackle the multi-trillion-pound problem of money laundering, thereby hitting the traditional funding sources of major criminal gangs.


Windows 10 Breaks Traditional PC Hardware and OS Upgrade Links

With figures (Gartner) showing Windows 10 predicted to represent 75% of the professional PC market by 2021, continued PC sales and improved Windows 10 back-end management, Windows 10 is making once time- and resource-consuming Windows OS and hardware upgrade projects a thing of the past, and is breaking the link between the two.


New UK ‘Duty of Care’ Rules To Apply To Social Media Companies

The new ‘Online Harms’ whitepaper marks a world first as the UK government plans to introduce regulation to hold social media and other tech companies to account for the nature of the content they display, backed by the policing power of an independent regulator and the threat of fines or a ban.


School Enlists Chinese Help To Upgrade To Enhanced Wi-Fi

The Lytchett Minster School in Dorset recently made the news among IT commentators after demonstrating how it could overcome the connectivity challenges of its rural location, cut costs and increase efficiency by upgrading its on-site network with Chinese company TP-Link’s enhanced Wi-Fi.


Tech Tip – Free Graphic Design App For Android

Design social media posts, ads, presentations, cards, flyers and more with ‘Desygner’, a free, popular graphic design app for phone or tablet:


Fake Finger Fools Fool Proof Phone

A Reddit user claims to have used a 3D printer to clone a fingerprint and then used the fake to beat the in-display fingerprint reader on a Samsung Galaxy S10.

Fingerprint Scanner

The Galaxy S10 and S10+ have an ultrasonic fingerprint scanner embedded in the screen. It uses sound waves to build a 3D map of the owner’s fingerprint, and the owner then unlocks the phone by placing that finger on the sensor area at the bottom centre of the display.

Made Fake Finger

The Reddit user known only as ‘darkshark9’ claimed in a proof-of-concept uploaded to Imgur that they had been able to unlock their own Galaxy S10 phone using a fake finger that had been made using a photograph (taken using the Galaxy S10’s camera) of their own fingerprint on a wine glass.  The mystery ‘darkshark9’ claimed that they had used Adobe Photoshop and Autodesk 3ds Max to work on the photograph and had then used an AnyCubic Photon LCD resin 3D home printer (costing less than £400) to make a physical replica of the fingerprint.

It has been reported that it took ‘darkshark9’ less than 15 minutes to make the fake fingerprint that opened the phone.

Fingerprint Fear

This means that a person with the same equipment who could photograph a fingerprint left on an object such as a glass or phone at close range, or with a higher-quality DSLR camera from perhaps across the room, could potentially break into anyone’s biometrically protected phone quickly and steal personal data, access apps and so on.

What Does This Mean For Your Business?

Many security experts agree that using biometric security as a primary unlock method is less secure than a password or PIN, although it offers convenience and is liked by many users.  In the case of the Galaxy S10, although it was supposedly fooled with the fake finger model, its fingerprint scanner uses ultrasonic sound waves to map the user’s fingerprint in the first place which is more secure than the optical sensors used by some other phones that can be fooled by a paper printout of a fingerprint.

Having a fingerprint scanner / sensor on the phone is better than having nothing at all, as is the case with many people who leave their phones unlocked all the time rather than having to type in a PIN or password.

This is not the first time that phone biometric security measures have been defeated.  For example, it is also claimed that the S10’s facial recognition (because it uses cameras rather than infrared sensors) can be fooled by another phone playing a video of the S10 owner’s face.

Also, in a Twitter thread, Manchun Wong claimed that she was able to fool her brother’s S10 facial recognition scanner using her own face, presumably because of the similarity of family and sibling resemblance. This is reminiscent of a case back in 2017 when BBC ‘Click’ reporter Dan Simmons reported that he had been able to fool HSBC’s biometric voice recognition system by passing his brother’s voice off as his own.

Biometric security on phones clearly has some way to go before the effectiveness lives up to the promise, and for the time being, although less convenient, password and PIN may be safer as the primary unlock method.

AI Used To Tackle Money Laundering

Banks and financial institutions are experimenting with AI technology to tackle the multi-trillion-pound problem of money laundering, thereby hitting the traditional funding sources of major criminal gangs.

Money Laundering

Money laundering is the process of concealing the origins of illegally obtained money by passing it through legitimate business or a sequence of banking transfers.

According to figures from the UN’s Office on Drugs and Crime, money laundering accounts for up to 5% of global GDP – the equivalent of £1.5 trillion per year.  In the UK, National Crime Agency figures show that financial crime suspicious activity reports increased by 10% in 2018.

Also, in the UK for example, Companies House and estate agents (setting up new companies and investing in property) have been criticised by the government’s Treasury Committee as being key ways in which money laundering can take place in the UK.

UK law (since 2017) requires businesses and sole traders that operate as “high-value dealers”, i.e. that accept or make cash payments of €10,000 or more (or the equivalent in any currency) in exchange for goods, to register with HMRC.

Money Laundering In The News

Some recent high-profile cases of alleged money laundering involving banks include:

  • Swiss bank UBS being fined a staggering £3.2 billion for helping wealthy clients based in France to hide money from tax and launder the proceeds (the bank has lodged an appeal).
  • In September 2018, Dutch bank ING Groep NV being fined €775 million after failing to spot that criminals had been laundering money through its accounts.
  • In December 2018, 10 former employees of the local branch of Danske Bank in Estonia being arrested as part of an international investigation into (alleged) money laundering.

How AI Can Help

AI is being tested in the fight against money laundering because it can process vast amounts of data (the records of millions of bank transactions) quickly and accurately, which makes it good at learning what normal activity looks like and flagging deviations from it.  It can therefore pick out patterns consistent with money laundering, and it improves as it sees more data.  Specific targets include smurfing (breaking one large transaction into many smaller ones to stay under reporting thresholds), accounts opened remotely by bots rather than people, and suspicious behaviour by corrupt insiders, known to be a key element in many successful laundering operations.
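As an added illustration of the smurfing pattern described above (not code from any bank or AML vendor, and a fixed rule rather than a learned model), the following Python flags accounts that make several cash deposits under a reporting threshold which together exceed it within a short period. The threshold, the seven-day window, the minimum deposit count and the sample ledger are all constructed for the example.

```python
"""Rule-based detection of 'smurfing' (structuring): several cash deposits
each kept under a reporting threshold that together exceed it within a short
period. Added illustration of the pattern in the text; not code from any bank
or AML vendor, and a fixed rule rather than a learned model. The threshold,
window and the sample ledger below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000            # assumed reporting threshold (same figure as the HMRC rule above)
WINDOW = timedelta(days=7)    # assumed look-back period
MIN_DEPOSITS = 3              # how many sub-threshold deposits before we call it structuring

# Constructed ledger: (timestamp, account, amount, type)
SAMPLE_LEDGER = [
    ("2019-04-01 09:10", "ACC-1", 9_500, "cash_deposit"),
    ("2019-04-01 15:40", "ACC-1", 9_800, "cash_deposit"),
    ("2019-04-03 11:05", "ACC-1", 9_900, "cash_deposit"),
    ("2019-04-04 10:00", "ACC-1", 9_700, "cash_deposit"),
    ("2019-04-01 10:00", "ACC-2", 12_000, "cash_deposit"),  # one large deposit: reportable, not structuring
    ("2019-04-02 10:00", "ACC-3", 2_000, "cash_deposit"),
    ("2019-04-20 10:00", "ACC-3", 3_000, "cash_deposit"),   # small, and outside the window
    ("2019-04-02 12:00", "ACC-4", 9_000, "cash_deposit"),
    ("2019-04-02 12:30", "ACC-4", 9_000, "card_payment"),   # not cash, ignored
]


def _parse(rows):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), acct, amt, kind)
            for ts, acct, amt, kind in rows]


def find_reportable(rows, threshold=THRESHOLD):
    """Single cash deposits at or above the threshold: the case the rules catch directly."""
    return [(acct, amt) for _, acct, amt, kind in _parse(rows)
            if kind == "cash_deposit" and amt >= threshold]


def find_structuring(rows, threshold=THRESHOLD, window=WINDOW, min_deposits=MIN_DEPOSITS):
    """Accounts whose sub-threshold cash deposits, within any `window`, number at
    least `min_deposits` and sum to the threshold or more. Returns
    {account: {"count", "total", "first", "last"}} for the first window that trips."""
    deposits = defaultdict(list)
    for ts, acct, amt, kind in _parse(rows):
        if kind == "cash_deposit" and amt < threshold:
            deposits[acct].append((ts, amt))
    alerts = {}
    for acct, items in deposits.items():
        items.sort()
        start = 0
        for end, (ts_end, _) in enumerate(items):
            # slide the left edge so the window never spans more than `window`
            while ts_end - items[start][0] > window:
                start += 1
            chunk = items[start:end + 1]
            total = sum(a for _, a in chunk)
            if len(chunk) >= min_deposits and total >= threshold:
                alerts[acct] = {"count": len(chunk), "total": total,
                                "first": chunk[0][0], "last": ts_end}
                break   # the first alert per account is enough to open a case
    return alerts


if __name__ == "__main__":
    for acct, amt in find_reportable(SAMPLE_LEDGER):
        print(f"{acct}: single cash deposit of {amt} at/above threshold")
    for acct, a in find_structuring(SAMPLE_LEDGER).items():
        print(f"{acct}: {a['count']} deposits totalling {a['total']} "
              f"between {a['first']} and {a['last']}")
```

Run as a script it reports ACC-2 for a single reportable deposit and ACC-1 for three sub-threshold deposits totalling 29,200 inside the window; ACC-3 and ACC-4 are left alone. A learned model would tune the window and count per customer segment instead of hard-coding them, which is the part of the text the rule cannot show.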

What Does This Mean For Your Business?

Money laundering is often what allows organised criminal gangs to keep financing many other kinds of serious crime that damage society and the economy. It is therefore good news for businesses (particularly in the financial and property sectors) that an accurate and reliable technology-based early-detection system, working independently of human influence and error, is being set to work on an old problem using the latest means.

Critics have said, however, that even though AI may be excellent at spotting unusual transaction patterns it will only be as effective as the data it is fed, and banks, financial institutions, governments and law enforcement agencies, therefore, need to share more information to get the best results from AI tools.

Some have also been sceptical of how effective an ‘off-the-shelf’ AI-based money laundering detection tool (of which there are several on the market) could be.

Windows 10 Breaks Traditional PC Hardware and OS Upgrade Links

With figures (Gartner) showing Windows 10 predicted to represent 75% of the professional PC market by 2021, continued PC sales and improved Windows 10 back-end management, Windows 10 is making the historically time- and resource-consuming Windows OS and hardware upgrade projects a thing of the past, and is breaking the link between the two.

Mobile PCs A Popular Business Choice For Content Creation

Even though the global PC market as a whole is in decline (traditional PCs are forecast to fall 3% in 2019 to 189 million units) and smartphones are now users’ primary mobile devices, mobile PCs look set to remain popular business purchases because they are needed for content creation.

Since most of those laptops run Windows 10, this is a key reason why Windows 10 has such a large share of the professional PC market.

The SaaS-style model, with automatic feature upgrades twice a year, is therefore the step that makes dedicated OS-upgrade teams in businesses a thing of the past.

Left Behind and At Risk

The growth, popularity, and general effectiveness of Windows 10, coupled with the ending of support for older versions, mean that businesses still running older platforms (e.g. Windows 7) and thinking of putting off the upgrade to Windows 10 until 2020 look likely to be left behind in IT effectiveness terms, and at risk in security terms (support for Windows 7 is scheduled to end in January 2020).

Businesses are also realising that:

  • They can’t skip a version i.e. waiting and skipping to Windows 11 is not an option – migration to Windows 10 may as well happen sooner rather than later.
  • Windows 10 is a modern operating system that allows organisations to run cloud applications and provide security much more effectively.
  • Microsoft has aligned upgrades of its cloud productivity suite, Office 365, to Windows 10, so not switching to Windows 10 could mean a competitive disadvantage.
  • Windows 10 enables businesses to automatically receive new, potentially value-adding features every six months.

Changing The Nature of Upgrades

With most businesses using Windows 10 and receiving updates automatically (monthly quality updates and six-monthly feature updates), and more enterprise applications consumed as software as a service (SaaS), hardware upgrades are in future more likely to be driven by wear and tear than by the release of a new Microsoft PC operating system.  This is why Windows 10 has effectively broken the link between PC hardware and Windows operating system upgrades.

What Does This Mean For Your Business?

Figures show that laptop PCs with Windows 10 loaded on them are (and will continue to be for the near future) an important tool for many businesses, and that the automatic bi-annual upgrade and SaaS model of Windows 10 has disconnected the traditional link between PC hardware and Windows operating system upgrades.  The migration to Windows 10 can also not only free up resources once needed just to ensure OS upgrades, but can also improve security, competitiveness and operational effectiveness. 

Windows 10’s successes and the weaknesses and threats of holding out until 2020 before upgrading are presenting strong arguments for businesses to take the plunge sooner and move to Windows 10.

New UK ‘Duty of Care’ Rules To Apply To Social Media Companies

The new ‘Online Harms’ whitepaper marks a world first as the UK government plans to introduce regulation to hold social media and other tech companies to account for the nature of the content they display, backed by the policing power of an independent regulator and the threat of fines or a ban.

Duty of Care

The proposed new legal framework from the Department for Digital, Culture, Media and Sport (DCMS) and the Home Office aims to give social media and tech companies a duty of care to protect users from threats, harm, and other damaging content relating to cyberbullying, terrorism, disinformation, child sexual exploitation and encouragement of behaviours that could be damaging.

The need for such regulation has been recognised for some time and was brought into sharper focus recently by the death in the UK of 14-year-old Molly Russell, who was reported to have viewed online material on depression and suicide, and in March this year, the live streaming on one of Facebook’s platforms of the mass shooting at a mosque in New Zealand which led Australia to suggest fines for social media and web-hosting companies and imprisonment of executives if violent content is not removed.

The Proposed Measures

The proposed measures by the UK government in its white paper include:

  • Imposing a new statutory “duty of care” that will hold companies accountable for the safety of their users, as well as a commitment to tackle the harm caused by their services.
  • Tougher requirements on tech companies to stop the dissemination of child abuse and terrorist content online.
  • The appointment of an independent regulator with the power to force social media platforms and tech companies to publish transparency reports on the amount of harmful content on their platforms and what they are doing to address the issue.
  • Forcing companies to respond to users’ complaints, and act quickly to address them.
  • The introduction of codes of practice by the regulator which will include requirements to minimise the spread of misleading and harmful disinformation using dedicated fact checkers (at election time).
  • The introduction of a “safety by design” framework that could help companies to incorporate the necessary online safety features in their new apps and platforms at the development stage.

GDPR-Style Fines (Or A Ban)

Culture, Media and Sport Secretary Jeremy Wright has said that tech companies that don’t do everything reasonably practicable to stop harmful content on their platforms could face fines comparable with those imposed for serious GDPR breaches e.g. 4% of a company’s turnover.

It has also been suggested that under the new rules to be policed by an independent regulator, bosses could be held personally accountable for not stopping harmful content on their platforms. It has also been suggested that in the most serious cases, companies could be banned from operating in Britain if they do not do everything reasonably practical to stop harmful content being spread via their platforms.

Balance

Although there is a general recognition that regulation to protect, particularly young people, from harmful/damaging content is a good thing, a proportionate and predictable balance needs to be struck between protecting society and supporting innovation and free speech.

Facebook is reported to have said that it is looking forward to working with the government to ensure new regulations were effective and have a standard approach across platforms.

Criticism

The government’s proposals will now have a 12-week consultation, but the main criticism to date has been that parts of the government’s approach in the proposals are too vague and that regulations alone can’t solve all the problems.

What Does This Mean For Your Business?

Clearly, the UK government believes that self-regulation among social media and tech companies does not work.  The tech industry has generally given a positive response to the government’s proposals and to an approach that is risk-based and proportionate rather than one size fits all.  The hope is that the vaguer elements of the proposals can be clarified and improved over the next 3 months of consultation. 

To ensure the maximum protection for UK citizens, any regulations should be complemented by ongoing education for children, young people and adults to make sure that they have the skills and awareness to navigate the digital world safely and securely.

School Enlists Chinese Help To Upgrade To Enhanced Wi-Fi

The Lytchett Minster School in Dorset recently made the news among IT commentators after demonstrating how it could overcome the connectivity challenges of its rural location, cut costs and increase efficiency by upgrading its on-site network with Chinese company TP-Link’s enhanced Wi-Fi.

Challenges

As recently featured by Computer Weekly, the school had to contend with a rural campus and the resulting poor connectivity, a grade II listed 18th-century manor house next door, and a rudimentary set of ageing home-user access points (APs) mounted in corridors, which forced users to disconnect and reconnect as they roamed.  The old wireless network was not voucher-based and was insecure, because a single pre-shared key could be compromised, so staff had to reset each AP’s password individually rather than manage access centrally through a RADIUS (remote authentication dial-in user service) server, and users had to keep reconnecting each of their devices to the network.

As is the case with so many schools, Lytchett Minster School had to make its limited budget go as far as possible in the upgrade.  This meant the need to minimise price per AP and annual licensing fees while getting the best value, efficient and effective wireless infrastructure solution.

Requirements

It was decided that the most important requirements on the school’s list were power over Ethernet (PoE), RADIUS authentication, centralised management, provision of multiple service set identifiers (SSIDs) and voucher authentication.

TP-Link Chosen

The school chose Chinese company TP-Link to upgrade their on-site network based on features offered, value for money, and the fact that TP-Link builds its hardware itself instead of outsourcing and, therefore, doesn’t charge licensing fees.

Founded in 1996 by two brothers and based in Shenzhen, China, TP-Link is a manufacturer of computer networking products and is now the world’s number 1 provider of consumer Wi-Fi networking devices, shipping products to over 170 countries. 

Change

Changing to the upgraded Wi-Fi meant that the APs could be moved from corridors into classrooms for better performance and coverage. The new network also meant that users could be issued with vouchers and placed, via access control lists, on a subnet whose access was restricted according to their core user group; a separate public-access SSID could be offered out of hours to users of the school’s sports facilities; larger numbers of staff iPads and phones could be used for teaching; and special provision could be made for the BYOD policy for sixth-form students.

The new system also enabled easier, centralised management of the network with data from each AP being displayed to the IT department on large screens, with no more need to perform network reboots (as these can happen automatically at 6 am every day to avoid disrupting lessons), and the ability to carry out all key tasks from a central interface.
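The security difference between the old and new networks is the move from one shared key to per-user RADIUS authentication with per-group network placement. The two hostapd.conf fragments below are added here to show that change in concrete form; they are not the school’s or TP-Link’s configuration (the school used a TP-Link controller, not hostapd), and the SSIDs, addresses and secrets are placeholders.

```ini
# Two hostapd.conf fragments (separate files, one per SSID), added as an
# illustration of the change described above. Not the school's or TP-Link's
# configuration; names, addresses and secrets are placeholders.

# --- Before: one pre-shared key shared by every user and every AP.
# Anyone who learns the key can join, and changing it means touching every
# AP and every client device by hand.
interface=wlan0
ssid=School-Old
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=ChangeMePlease123

# --- After: WPA2-Enterprise. Each user authenticates to the RADIUS server
# with their own credentials; the RADIUS reply (Tunnel-Type=VLAN,
# Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-Id=<vlan id>) places
# them on their group's VLAN, where the router's ACLs decide what that
# subnet can reach. Disabling one account revokes one person without
# touching the APs or anyone else's device.
interface=wlan0
ssid=School-Staff
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-EAP
wpa_pairwise=CCMP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=placeholder-radius-secret
dynamic_vlan=1
vlan_file=/etc/hostapd/hostapd.vlan
```

The voucher-based guest SSID the article mentions would be a third profile, typically open or PSK with a captive portal, isolated on its own VLAN so that sports-centre visitors never share a subnet with staff devices.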

What Does This Mean For Your Business?

This story is an example of how the potential of an organisation (a school in this case) was limited by poor Wi-Fi provision, partly due to its rural location and old, inadequate hardware. The school showed that today, it is possible for a school based in Dorset to choose a Chinese tech firm as a partner to deliver a business-class wireless network solution that meets all operational requirements within budget, and without the extra cost of ongoing licence fees. An enhanced Wi-Fi system of this kind also offers the convenience, transparency and ease of centralised control.

Tech Tip – Free Graphic Design App For Android

Design social media posts, ads, presentations, cards, flyers and more with ‘Desygner’, a free, popular graphic design app for phone or tablet.  The app has an intuitive interface and thousands of templates to choose from. Although the basic offering is free, you can switch up to a £5.99 monthly subscription if you plan to use the app regularly.

To install the app, look for ‘Desygner’ in Google Play.

Your IT News Update

HTTPS Security Vulnerabilities Found

Research teams at Ca’ Foscari University of Venice and TU Wien in Austria have discovered security vulnerabilities in the TLS browser encryption defence system of 5.5% of the 10,000 HTTPS sites which could leave website visitors vulnerable to attack.


Experts Recommend Security Update For Magento E-commerce Sites

Security experts are warning companies with a Magento e-commerce site to make sure that it has the latest security patch and updates in order to avoid the risk of card skimming attacks.


Is Huawei Really Dragging Its Feet Over Security?

After espionage chiefs from the ‘Five Eyes’ agreed last July that they would try to contain the global growth of Chinese telecom Huawei (over fears that it was spying for China), a new report from the Huawei Cybersecurity Evaluation Centre (HCSEC) says that the company is still not fixing previously identified security problems.


Facebook Rolls Out ‘Why Am I Seeing This Post?’ Tool

In an attempt to be more transparent and give more control to its users, Facebook is about to roll-out a new “Why am I seeing this post?” tool, which will give users insights into their newsfeed algorithm.


Automatic Compensation For Broadband Problems Begins

Next week will see the introduction of automatic compensation, without having to ask, for customers of BT, Sky, TalkTalk, Virgin Media and Zen Internet who experience delayed repairs, installations or missed engineer appointments.


Tech Tip – Integrated Audio Recording and Note-Taking App

The ‘Noted’ app is a fully-integrated audio recording and note-taking app that can help you to keep track of meetings, interviews, lectures and more.  The app records audio, while also allowing you to type out notes which have rich text and image support.


HTTPS Security Vulnerabilities Found

Research teams at Ca’ Foscari University of Venice and TU Wien in Austria have discovered security vulnerabilities in the TLS browser encryption defence system of 5.5% of the 10,000 HTTPS sites which could leave website visitors vulnerable to attack.

What Is TLS?

Transport Layer Security (TLS), the successor to the now-deprecated SSL protocol, is the encryption protocol used in HTTPS to protect data between your browser and the web servers it communicates with. The visual sign in a browser that such a secure connection is in place is the (green) padlock symbol.

HTTPS should secure communication over the Web by providing a cryptographic protection layer that protects the confidentiality and integrity of communication and enables client/server authentication.

The Research

The recent research, carried out on top-ranking HTTPS sites (as ranked by Amazon’s Alexa analytics company), uncovered a number of potentially exploitable TLS vulnerabilities on 5,574 hosts, which could be broadly grouped into three risk categories:

  1. 4,818 were found to be vulnerable to ‘man-in-the-middle’ attack (MITM). As the name suggests, this kind of attack involves a third party being able to intercept and tamper with communications – in this case between the web server and the user’s browser.
  2. 733 were found to be vulnerable to full decryption, meaning an attacker could decrypt all the traffic to or from them.
  3. 912 were found to be vulnerable to partial decryption.

Further findings included:

  • 898 websites classed as fully compromisable, including e-commerce sites, e-banking services and other major websites.
  • 10% of login forms having confidentiality issues.
  • 412 websites possibly subject to cookie theft and exposing to session hijacking, with 543 websites subject to cookie integrity attacks.

Green Padlock Still Showing

The vulnerabilities identified by the researchers were present even though the green padlock symbol was still showing in the browser.  The browser’s TLS layer does not detect these weaknesses, so nothing warns the user, and the sites remain unfixed.

The Causes

The vulnerabilities are attributed to a combination of flaws in how each site’s TLS configuration has been implemented and a failure to patch known bugs.  Many of the issues do not lie on the main site at all but on external or related-domain hosts: third-party resources the page loads, or subdomains that share cookies with it, so a weak host elsewhere undermines a well-configured one.
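The cookie-theft and cookie-integrity findings above come from exactly this related-domain effect. The Python below is an added, simplified model of browser cookie scoping (not code from the paper; host names and cookie values are constructed) that shows two of the mechanisms: a cookie set without the Secure flag is also sent over plain HTTP, where a network attacker can read it, and a sibling subdomain can set a Domain= cookie that the browser sends to the secure host alongside the real session cookie. It also shows how the __Host- prefix, which browsers enforce (Secure, no Domain attribute, Path=/), defeats the second.

```python
"""Simplified model of how a browser scopes cookies, showing two weaknesses
the research attributes to related-domain hosts: (1) a cookie set without the
Secure flag is also sent over plain HTTP, where a network attacker can read
it; (2) a sibling subdomain can set a Domain= cookie that the browser then
sends to the secure host alongside the real session cookie (cookie
shadowing). Browsers enforce the __Host- prefix (Secure, no Domain attribute,
Path=/), which defeats the second. Added illustration, not code from the
paper; host names and cookie values are constructed."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # host-only cookie: the exact host; domain cookie: e.g. "example.com"
    host_only: bool
    secure: bool
    path: str = "/"


def set_cookie(jar, response_host, header):
    """Store a Set-Cookie header received from response_host, applying the
    RFC 6265 domain-match rule and the __Secure- / __Host- prefix rules.
    Returns True if the browser would accept the cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    domain = attrs.get("domain", "").lstrip(".").lower()
    secure = "secure" in attrs
    path = attrs.get("path") or "/"
    if domain:
        # a host may only set cookies for itself or for a parent domain it belongs to
        if not (response_host == domain or response_host.endswith("." + domain)):
            return False
        host_only = False
    else:
        domain, host_only = response_host, True
    if name.startswith("__Secure-") and not secure:
        return False
    if name.startswith("__Host-") and not (secure and host_only and path == "/"):
        return False
    # same (name, domain, path) replaces the stored cookie; otherwise both coexist
    jar[:] = [c for c in jar if (c.name, c.domain, c.path) != (name, domain, path)]
    jar.append(Cookie(name, value, domain, host_only, secure, path))
    return True


def cookies_for(jar, scheme, host):
    """The cookies a browser would attach to a request for scheme://host/."""
    sent = []
    for c in jar:
        if c.host_only:
            domain_ok = host == c.domain
        else:
            domain_ok = host == c.domain or host.endswith("." + c.domain)
        if domain_ok and (scheme == "https" or not c.secure):
            sent.append(c)
    return sent


def cookie_header(jar, scheme, host):
    """Cookie request header: longer paths first, otherwise creation order."""
    ordered = sorted(cookies_for(jar, scheme, host), key=lambda c: -len(c.path))
    return "; ".join(f"{c.name}={c.value}" for c in ordered)


if __name__ == "__main__":
    jar = []
    set_cookie(jar, "secure.example.com", "session=good; Secure; HttpOnly")
    set_cookie(jar, "secure.example.com", "prefs=blue")               # no Secure flag
    set_cookie(jar, "blog.example.com", "session=evil; Domain=example.com")
    print("https://secure ->", cookie_header(jar, "https", "secure.example.com"))
    print("http://secure  ->", cookie_header(jar, "http", "secure.example.com"))
    set_cookie(jar, "secure.example.com", "__Host-session=good; Secure; Path=/")
    print("blog can shadow __Host-?",
          set_cookie(jar, "blog.example.com", "__Host-session=evil; Domain=example.com; Secure"))
```

Run as a script, the HTTPS request to secure.example.com carries both `session=good` and `session=evil`, so a server that takes the first matching cookie may accept the attacker’s; the plain-HTTP request carries `prefs=blue` and the attacker’s session but withholds the Secure one. Real browsers additionally refuse to let an insecure origin overwrite an existing Secure cookie of the same name, which narrows the shadowing case but does not remove it; the `__Host-` prefix does.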

What Does This Mean For Your Business?

For many businesses, buying an HTTPS certificate for their website was a trusted way to help ensure security, particularly after the introduction of GDPR.  This research, however, shows that even this system has holes in it, and it is particularly worrying for businesses (and for web users generally) that, for example, 898 HTTPS websites were found to be fully compromisable.

The researchers have demonstrated how a relatively limited number of exploitable HTTPS vulnerabilities can be amplified by the complexity of the web ecosystem, and how the security of many so-called secure websites with encrypted connections can be severely harmed by cryptographic weaknesses, many of which are due to external or related-domain hosts.

This story also highlights the importance of keeping up to date with software patches and fixes.

Experts Recommend Security Update For Magento E-commerce Sites

Security experts are warning companies with a Magento e-commerce site to make sure that it has the latest security patch and updates in order to avoid the risk of card skimming attacks.

Magento

Magento, originally developed by Varien Inc (now owned by Adobe) is a leading open-source, enterprise-class e-commerce platform written in PHP.

Security concerns about unpatched Magento stores have been raised before, e.g. in 2015 and 2016 over susceptibility to cross-site scripting, and in 2017 over Magento CE stores being susceptible to remote code execution, which is used among other things to plant card-skimming code, and potentially to database and server takeover.

Latest Vulnerability

The SQL injection vulnerability in pre-2.3.1 Magento code can be exploited without authenticating to the site, so an attacker needs no account or privileges to, for example, mount a card-skimming attack, and because no login is required the attacks can be automated at scale.

For example, security expert Marc-Alexandre Montpas, a researcher at security firm Sucuri, has warned that this vulnerability is potentially so dangerous because of the number of active installs, the ease of exploitation, and the effects of a successful attack.

This kind of (SQL) injection vulnerability could even enable attackers to steal an entire database and take control of the website and web server.
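To make the mechanism concrete, the following is an added illustration in Python with sqlite3 (not Magento’s PHP code, and not the specific flaw the advisory patches): a public product-listing filter that splices a request parameter into its SQL text, beside the parameterised version. The schema, rows and the admin password hash are constructed for the example.

```python
"""An unauthenticated SQL injection of the general kind the advisory
describes, as an added illustration in Python/sqlite3 rather than Magento's
PHP: a product-listing filter that splices a request parameter into the SQL
text, beside the parameterised version. Schema, rows and the admin hash are
constructed for the example."""
import sqlite3

# Request parameter an attacker sends instead of a number. No login is
# needed: the filter sits on a public catalogue page, so this can be automated.
PAYLOAD = "0 UNION SELECT username, password_hash FROM admin_user"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product(id INTEGER PRIMARY KEY, sku TEXT, price REAL, visible INTEGER);
        CREATE TABLE admin_user(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO product VALUES (1, 'SKU-1', 9.99, 1), (2, 'SKU-2', 19.99, 1), (3, 'SKU-HIDDEN', 0.0, 0);
        INSERT INTO admin_user VALUES (1, 'admin', '$2y$10$constructed-hash-value');
    """)
    return conn


def products_vulnerable(conn, price_from):
    """BAD: the request parameter becomes part of the SQL statement."""
    sql = f"SELECT sku, price FROM product WHERE visible = 1 AND price >= {price_from}"
    return conn.execute(sql).fetchall()


def products_safe(conn, price_from):
    """GOOD: validate the type, then pass the value as a bound parameter so the
    database engine never interprets it as SQL."""
    price = float(price_from)   # raises ValueError on anything that is not a number
    return conn.execute(
        "SELECT sku, price FROM product WHERE visible = 1 AND price >= ?", (price,)
    ).fetchall()


def leaks_admin_credentials(rows):
    """True if a result set contains a row from admin_user instead of a product."""
    return any(sku == "admin" for sku, _ in rows)


if __name__ == "__main__":
    db = make_db()
    print("normal request :", products_vulnerable(db, "10"))
    print("injected       :", products_vulnerable(db, PAYLOAD))
    try:
        products_safe(db, PAYLOAD)
    except ValueError as e:
        print("safe version rejects payload:", e)
```

The vulnerable query returns the admin username and password hash inside what looks like a product list; the same UNION technique walks the rest of the database table by table, which is what “steal an entire database” means in practice. The fix is the bound parameter, not input filtering; the type check simply rejects garbage earlier.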

Which Sites Are At Risk?

According to (Adobe) Magento’s own advisory notice, this vulnerability affects sites using the open source or commercial version of the software, and the affected versions are 2.1 prior to 2.1.17, 2.2 prior to 2.2.8, and 2.3 prior to 2.3.1.

It is still unknown exactly how many of Magento’s 300,000 customer sites are at risk from this vulnerability.

Fix

Magento has already released a new security update / patch fixing multiple types of vulnerabilities including Cross-Site Request Forgery, Cross-Site Scripting, SQL Injection, and Remote Code Execution.

What Does This Mean For Your Business?

This story illustrates how important it is to make sure that all software should be kept up to date with the latest patches and fixes, particularly for example, a company e-commerce website where hackers could gain access to customer payment and other private data.

If you have a Magento e-commerce website the advice is to install patch PRODSECBUG-2198. Also, to protect against this vulnerability and others, customers should upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. Magento recommends that customers install the patches as soon as possible.

Magento says that Cloud customers can upgrade ECE-Tools to version 2002.0.17 to have the core application vulnerability patched automatically and that, even though it has blocked the known ways of exploiting the vulnerability, it strongly recommends customers either upgrade ECE-Tools or apply the patch through m2-hotfixes.

The full official advisory from Magento can be found here: https://magento.com/security/patches/magento-2.3.1-2.2.8-and-2.1.17-security-update