Author Archive for Andy Wilkinson

Your Latest IT News Update

Supply Chain Attacks

With GDPR on the way, it is more important than ever for companies to protect themselves from online attacks via a 3rd party in their supply chain.

HP Laptop ‘Keylogger’ Security Risk Discovered

HP is reported to have issued patches for 450+ commercial workstations, consumer laptops and other HP products after a keylogger was found to have been hidden in a driver.

$80m Bitcoin Hack

Slovenian-based bitcoin mining marketplace NiceHash has reported that it has become the victim of a highly professional attack with sophisticated social engineering that has resulted in the theft of bitcoin to an estimated value of $80m.

Stick and Carrot Measures To Deal With GDPR

A report by Veritas Technologies has said that, since 9 out of 10 companies (91%) lack a strong data management culture, they will be considering a number of ‘carrot and stick’ motivators to bring about the changes needed to implement and comply with GDPR.

Facebook Dopamine-Addictive, Admits Ex-Exec

Former Facebook Vice President Chamath Palihapitiya has made the headlines following apparently negative comments that he made at an event about Facebook’s effects on society.

Tech Tip – Windows 10: Fix Search

If Windows Search can’t find files that you know are there somewhere, then you have the option to rebuild its index. Here’s how:

Supply Chain Attacks

With GDPR on the way, it is more important than ever for companies to protect themselves from online attacks via a 3rd party in their supply chain.

What’s The Risk?

Many companies have professional relationships with 3rd parties in their supply chain / value chain that involve granting them access to systems and sensitive data. Combined with more sophisticated hacking tools and strategies, increased oversight from regulators, and ‘weak link’ companies with poor cyber-security in the chain, this now makes the risk of a supply chain attack very real.

Examples

Examples of high-visibility supply chain attacks where a 3rd party was implicated or blamed include the hack back in September of US credit rating company Equifax, when the details of 143 million customers were thought to have been stolen, including a possible 44 million from UK customers. Equifax was reported to have blamed the breach on a flaw in outside software it was using, and a later incident on a malicious download link on its website that pointed to another vendor.

Also, the much publicised, so-called ‘Paradise Papers’ leak of 13 million files, allegedly giving details of the offshore tax havens and tax avoidance schemes used by the rich and famous, and by governments and corporations, was traced to offshore law firm Appleby.

Figures

A Ponemon Institute survey has revealed that 56% of organisations have had a breach that was actually caused by one of their vendors. Although the average number of 3rd parties with access to sensitive information at each organisation has increased from 378 to 471, only 35% of companies have a list of all the third parties they share sensitive information with. An organisation that does not even know which third parties it has data sharing arrangements with, let alone monitor or check the details of those relationships, is in an obviously risky position, and one in which detecting a breach could be very difficult.

Now An Eco-System

Rather than being single entities, even small companies / organisations are now digital ecosystems where many things are bought-in or outsourced, e.g. hardware, software, and services such as cloud provider services (in place of in-house data centres). This means that there are many more potentially weak links in the value / supply chain of a company from which breaches could come.

GDPR

With GDPR coming in May 2018, liability and responsibility will extend to all organisations that touch the personal data of the data subject(s). This means that companies / organisations will need to take a close interest in all parts of the data storage and processing chain to ensure compliance all the way along: within the organisation, and in the choosing and management of 3rd party relationships.

Also, there will need to be privacy by design: the software, systems and processes of companies must be designed around compliance with the principles of data protection. Companies and organisations will need to ensure that 3rd party companies, e.g. cloud suppliers, are themselves compliant and are building in encryption.

Professional Services Companies A Risk

Many professional supply-side services companies have shown themselves to be vulnerable, and are often the route that attackers use to reach their final goal, e.g. the Verizon breach caused by Nice Systems (a customer service analytics supplier), and the Deloitte hack in September, where hackers were able to access emails and confidential plans of some of its blue-chip clients.

What Does This Mean For Your Business?

Many security commentators now believe that a new approach is needed to manage 3rd party risk effectively across a company’s digital ecosystem. This means really understanding where risks lie within that system, tailoring controls according to those risks, and collaborating with 3rd parties to remediate and mitigate those risks.

Companies and organisations need to become good at managing 3rd party risk in order to reduce the likelihood of a breach. This could involve measures such as:

  • Identification of every vendor, and which of them have access to sensitive data.
  • Evaluation of the security and privacy policies of all suppliers.
  • Introducing service level agreements with suppliers that show their commitment to security.
  • Asking vendors to do self-assessments, allow customer visits and audits, or purchase cyber insurance (most likely to work for larger customers).
  • Checking security score ratings for vendors e.g. through BitSight Technologies or SecurityScorecard.
  • Looking at vendors’ internal policies and processes.

HP Laptop ‘Keylogger’ Security Risk Discovered

HP is reported to have issued patches for 450+ commercial workstations, consumer laptops and other HP products after a keylogger was found to have been hidden in a driver.

What Is A Keylogger?

As the name suggests a keylogger / keystroke-logger usually refers to covert spying / monitoring software that tracks every key that you strike on your keyboard. This software is usually employed with malicious intent e.g. to collect account information, credit card numbers, user-names, passwords, and other private data.

Supposed To Be Debugger

In the case of the recent HP keylogger discovery, however, the offending versions of the Synaptics touchpad drivers were actually intended to be used for debugging, and aren’t believed to have been used with any malicious intent. The “debug trace” is a legitimate tool used by software companies to trace a problem / bug; the mistake was shipping it in the production driver.

The security threat in this case is a potential one: an attacker with local access who enabled the trace could potentially record every letter a laptop user typed.

HP has stressed that there has been no recorded access to customer data as a result of the issue.

Discovered

The discovery of the potentially serious threat was made back in November by a computer programmer known as ‘Myng’, who noticed the issue while trying to control the backlighting of an HP keyboard. Looking through the Synaptics touchpad driver, he noticed a format string for a keylogger, at which point he contacted HP about his discovery.

Not The First Time

Strangely, this is not the first time such a discovery has been made about drivers installed in HP products. Back in May, a keylogger was discovered in the audio drivers of Conexant (now a Synaptics subsidiary), which are installed in HP laptops.

Fix Issued

HP actually issued a fix for this latest “potential, local loss of confidentiality” issue back on 7th November (updated 12th December).

What Does This Mean For Your Business?

If your business uses HP Commercial Notebooks, Mobile Thin Clients or Mobile Workstations, or if you use an HP Consumer Notebook, the company has provided software updates for the Synaptics touchpad drivers, listed by model (a long list), in the support section of its website here: https://support.hp.com/us-en/document/c05827409
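As an added example (not code from HP or Synaptics), the following PowerShell report lists the Synaptics drivers installed on a machine, so that their version and date can be compared with the model-by-model table in HP’s support document. The driver file name SynTP.sys and the “dated before HP’s 7th November 2017 fix” flag are assumptions made here for illustration; HP’s table, not the date, is the authority on which version is patched.

```powershell
# Added example, not HP's or Synaptics' code: inventory Synaptics drivers so their
# version and date can be checked against HP's model-by-model support table.
# Assumptions: the driver binary is SynTP.sys, and the fix date from the article
# (7 November 2017) is used only as a rough "worth checking" flag.

function Get-SynapticsDriverReport {
    [CmdletBinding()]
    param(
        # Date of HP's first fix, taken from the article; a heuristic, not the patch criterion.
        [datetime]$FixDate = [datetime]'2017-11-07'
    )

    # Signed-driver records that Plug and Play knows about, filtered to Synaptics.
    $pnp = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.Manufacturer -like '*Synaptics*' -or $_.DeviceName -like '*Synaptics*' } |
        ForEach-Object {
            [pscustomobject]@{
                DeviceName     = $_.DeviceName
                DriverVersion  = $_.DriverVersion
                DriverDate     = $_.DriverDate
                InfName        = $_.InfName
                # Heuristic only: a driver dated before the fix deserves a look at HP's table.
                CheckAgainstHP = ($null -ne $_.DriverDate) -and ($_.DriverDate -lt $FixDate)
            }
        }

    # The driver binary itself (assumed file name), with file version and signature status.
    $drvPath = Join-Path $env:SystemRoot 'System32\drivers\SynTP.sys'
    $file = $null
    if (Test-Path $drvPath) {
        $item = Get-Item $drvPath
        $file = [pscustomobject]@{
            Path        = $drvPath
            FileVersion = $item.VersionInfo.FileVersion
            LastWrite   = $item.LastWriteTime
            Signature   = (Get-AuthenticodeSignature -FilePath $drvPath).Status
        }
    }

    [pscustomobject]@{ PnPDrivers = @($pnp); DriverFile = $file }
}

$report = Get-SynapticsDriverReport
$report.PnPDrivers | Format-Table -AutoSize
$report.DriverFile | Format-List
```

On a fleet, the same function can be pushed to each laptop with Invoke-Command and the results collected centrally; the CheckAgainstHP column narrows the list of machines whose model needs looking up in HP’s table, and the Signature field catches a driver that has been tampered with or replaced by an unsigned build.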

This story illustrates how software development needs to take into account every potentially malicious angle, including debugging code that was never meant to ship. It also illustrates how we may all be facing risks from as-yet-undiscovered bugs and vulnerabilities in commercial software that we are already using.

The importance of keeping up to date with patches and software updates cannot be overstated. It is worth remembering that 9 out of 10 businesses are hacked through unpatched vulnerabilities, that hackers can attack 9 out of 10 businesses with exploits that are more than three years old, and that 60% of companies experience successful attacks targeting devices for which a patch has been available for 10 or more years.

$80m Bitcoin Hack

Slovenian-based bitcoin mining marketplace NiceHash has reported that it has become the victim of a highly professional attack with sophisticated social engineering that has resulted in the theft of bitcoin to an estimated value of $80m.

The Hack

Some 4,700 bitcoins were reported stolen in a hack of the NiceHash digital currency marketplace’s payment system last week. Users of NiceHash were advised to change their online passwords, and operations in the NiceHash marketplace were halted last Wednesday.

NiceHash’s chief executive Marko Kobal is reported to have said that attackers (probably based outside the European Union) accessed the company’s systems at 00:18 GMT, and by 03:37 they had begun stealing Bitcoin. The exact nature of the hack, however, has not yet been released.

What Is NiceHash?

NiceHash is a digital currency marketplace with an estimated 750,000 registered users that matches people looking to sell processing time on their computers with users who are willing to pay to use it to mine for new bitcoin.

Bitcoin miners essentially use special software to solve computationally hard puzzles (the ‘proof of work’), and are issued a certain number of new bitcoins for each puzzle solved. This provides a way to issue bitcoins at a controlled rate, and creates an incentive for more people to mine.
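To make “solving maths problems” concrete, here is an added toy proof-of-work loop written for this page (it is not NiceHash or Bitcoin code). The miner searches for a nonce whose SHA-256 hash of (header + nonce) begins with a chosen number of zero hex digits; the block header string and the difficulty are constructed sample values. Real Bitcoin hashes an 80-byte binary header twice with SHA-256 and compares against a 256-bit target, but the shape of the work, and the asymmetry between finding and checking, is the same.

```powershell
# Added example, not NiceHash's or Bitcoin's code: a toy proof-of-work search.
# Header and difficulty are constructed sample values for illustration.

function Get-Sha256Hex {
    param([string]$Text, [System.Security.Cryptography.SHA256]$Sha)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    ([System.BitConverter]::ToString($Sha.ComputeHash($bytes))) -replace '-', ''
}

function Find-ProofOfWork {
    param(
        [string]$BlockHeader,               # stand-in for the real 80-byte header
        [int]$LeadingZeroHexDigits = 4,     # each extra digit multiplies expected work by 16
        [int]$MaxAttempts = 5000000
    )
    $target = '0' * $LeadingZeroHexDigits
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        for ($nonce = 0; $nonce -lt $MaxAttempts; $nonce++) {
            $hash = Get-Sha256Hex -Text "$BlockHeader$nonce" -Sha $sha
            if ($hash.StartsWith($target)) {
                return [pscustomobject]@{
                    Nonce    = $nonce
                    Hash     = $hash
                    Attempts = $nonce + 1
                    Seconds  = [math]::Round($sw.Elapsed.TotalSeconds, 2)
                }
            }
        }
        throw "No nonce found within $MaxAttempts attempts"
    } finally {
        $sha.Dispose()
    }
}

# Verification is a single hash, however long the search took: that asymmetry is
# what lets every node check a block cheaply while miners compete to produce one.
function Test-ProofOfWork {
    param([string]$BlockHeader, [long]$Nonce, [int]$LeadingZeroHexDigits = 4)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        (Get-Sha256Hex -Text "$BlockHeader$Nonce" -Sha $sha).StartsWith('0' * $LeadingZeroHexDigits)
    } finally {
        $sha.Dispose()
    }
}

# Constructed sample header; real headers carry the previous block hash, merkle root, time etc.
$header = 'prevhash=constructed;merkle=constructed;time=1512604800;'
$result = Find-ProofOfWork -BlockHeader $header -LeadingZeroHexDigits 4
$result | Format-List
Test-ProofOfWork -BlockHeader $header -Nonce $result.Nonce -LeadingZeroHexDigits 4   # True
```

Raising LeadingZeroHexDigits from 4 to 5 makes the search take roughly sixteen times as many attempts on average, while Test-ProofOfWork still costs one hash. That is the economic point behind a marketplace like NiceHash: the search is expensive enough to be worth renting other people’s processing time for.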

NiceHash’s social media accounts experienced a rise in the number of posts by bitcoin owners after it became apparent that there were problems with the website.

Reimbursed

It has been reported that NiceHash is working on a solution to reimburse all those affected by the hack.

Not The First Time

There have been dozens of reported attacks on digital currency exchanges over the last 6 years, such as the one that led to the collapse of the world’s largest bitcoin market Mt. Gox back in 2014. It is estimated that the many attacks have resulted in the theft of 980,000+ bitcoins which equates to more than $15 billion value at current exchange rates.

What Does This Mean For Your Business?

A huge surge in the value of bitcoin, from around $1,000 per bitcoin at the beginning of the year to around $15,000 now, coupled with the accompanying rise in the number of bitcoins held in digital wallets, has attracted the attention of hackers. The criminals have found that they can take advantage of exchanges and firms in the young crypto-currency sector that may not be secure against sophisticated attacks by criminal groups.

Those individuals and businesses involved in bitcoin speculation, investing and mining should therefore make sure that they get the best possible advice and help, and crypto-currency firms and exchanges need to invest in up-to-date systems and practices to protect their customers and users.

Stick and Carrot Measures To Deal With GDPR

A report by Veritas Technologies has said that, since 9 out of 10 companies (91%) lack a strong data management culture, they will be considering a number of ‘carrot and stick’ motivators to bring about the changes needed to implement and comply with GDPR.

GDPR Next Year

The EU’s General Data Protection Regulation (GDPR) will come into force on 25th May 2018 and is a regulation designed to set the guidelines going forward for the collection and processing of personal identity information by companies and organisations. The regulation has been designed to make companies take the issue of data protection more seriously, to strengthen the rights that EU citizens have over their data, and to ensure that businesses and other organisations are more transparent in how they store data.

The Challenge

The challenge, according to the Veritas report, which took into account the views of 900 decision-makers across 8 countries, is that even though 31% of those surveyed think their enterprise is already GDPR compliant, only 2% of respondents actually appear to be compliant.

Also, 9 out of 10 companies lack the data management culture that could ensure a greater likelihood of quickly and effectively reaching high levels of GDPR compliance.

Motivation

This challenge, coupled with the limited time before GDPR comes into force, is why companies and organisations of all kinds are looking at a variety of carrot and stick methods to drive the cultural and organisational changes needed to get to grips with GDPR going forward.

For example, nearly half of the companies surveyed by Veritas plan to drive the change by adding compliance to employee contracts (47%). Other planned drivers include implementing disciplinary action if the regulation is disobeyed (41%) and educating employees about the benefits of GDPR (40%).

Positive

Despite the obvious penalties and other problems that companies face with non-compliance and data breaches, 95% of decision-makers expected a positive outcome from compliance, and 92% thought they would benefit from having better data hygiene.

This more positive attitude towards the changes that will be necessary for GDPR compliance was also reflected in the views of the 68% of respondents in the Veritas survey who said compliance would give them a better insight into their business, which could help to improve the customer experience, and that compliance would save money.

What Does This Mean For Your Business?

The introduction of GDPR is a little over 5 months away, which is in itself a motivator for many companies and organisations now taking a serious look at exactly how they intend to make the changes they need to be compliant, and / or revisiting the plans they have already made to achieve compliance.

GDPR will have a big impact on the culture of companies and organisations and, based on the results of the Veritas report, more education is needed on the tools, processes and policies to support information governance strategies that are necessary to comply with the GDPR requirements. Data management commentators suggest that companies should adopt an automated, classification-based, policy-driven approach to GDPR so that they can meet the regulatory demands within the short time frame available.

Many companies and organisations are now starting to see the positive outcomes and benefits that GDPR compliance will bring such as increased revenues, resulting from improved customer loyalty, heightened brand reputation, and competitive differentiation in the market. There is also now a realisation that companies will prefer to have business relationships with GDPR compliant companies to help ensure their own compliance.

Facebook Dopamine-Addictive, Admits Ex-Exec

Former Facebook Vice President Chamath Palihapitiya has made the headlines following apparently negative comments that he made at an event about Facebook’s effects on society.

Guilt

While speaking at a Stanford Graduate School of Business event, Mr Palihapitiya surprised many listeners when he reportedly described his feelings of guilt about helping the company attract two billion users, and advised people to take a “hard break” from social media because of the short-term, dopamine-driven feedback loops that it provides.

Like Sean Parker’s Comments

Mr Palihapitiya’s comments appear to echo those of Facebook’s founding president, billionaire Sean Parker, who said at an Axios event in Philadelphia back in November that the social media platform changes our relationship with society and with each other, and who is reported as saying that “God only knows what it’s doing to our children’s brains”.

Mr Parker, who also founded file-sharing site Napster, explained that the objective of Facebook was to consume as much of a person’s time and conscious attention as possible and that the “like” button would give users a kind of “little dopamine hit”, and thereby encourage them to upload more content. Mr Parker is also reported as saying that Facebook “exploited a vulnerability in human psychology” and that “all of our minds can be hijacked.”

Programmed

Mr Palihapitiya is reported to have gone so far as to say that the short-term signals that Facebook gives, e.g. hearts, likes and thumbs-up, give users a kind of false perceived sense of perfection which is short-lived and “brittle”, and that this amounts to a kind of programming.

Global Problem

Mr Palihapitiya also highlighted how 10 million people in the US saw “divisive social and political messages” in Facebook adverts from Russia before and after the US presidential election, and how this had become a global problem that appeared to be fuelled by social media such as Facebook.

What Does This Mean For Your Business?

For businesses trying to sell goods and services to younger age groups, social media and the recommendations that friends make to each other on social media platforms can be important influences in e.g. Omni-channel marketing and sales.

Facebook is also now an important tool for online paid advertising, and it is, therefore, in the interests of many businesses that people don’t take Mr Palihapitiya’s advice about taking a “hard break” from social media.

From a human point of view, and particularly for parents, the comments of Mr Palihapitiya and Mr Parker may appear to be somewhat worrying and shocking.

Tech Tip – Windows 10: Fix Search

If Windows Search can’t find files that you know are there somewhere, then you have the option to rebuild its index. Here’s how:

  1. Click on Start.
  2. Type index.
  3. Click on Indexing Options.
  4. On the Control Panel entry that opens, go to Advanced > Rebuild.
  5. Try searching again, once the index has been recreated.
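For administrators who would rather script the rebuild (for example on several machines, or when the Control Panel dialog is unavailable), the following is an added PowerShell equivalent of the steps above; it is not part of the original tip. It uses the documented behaviour that clearing the SetupCompletedSuccessfully registry value makes the Windows Search service recreate its index on its next start; the path of the index file (Windows.edb) is the default location and is assumed to be unchanged on the machine.

```powershell
# Added example: scripted equivalent of Indexing Options > Advanced > Rebuild.
# Must be run from an elevated PowerShell prompt. Assumes the default index
# location under %ProgramData%; adjust $edb if the index has been relocated.

function Reset-WindowsSearchIndex {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell prompt.'
    }

    $service = 'WSearch'
    $key     = 'HKLM:\SOFTWARE\Microsoft\Windows Search'
    $edb     = Join-Path $env:ProgramData 'Microsoft\Search\Data\Applications\Windows\Windows.edb'

    if ($PSCmdlet.ShouldProcess('Windows Search index', 'Rebuild')) {
        Stop-Service -Name $service -Force

        # Clearing this flag makes the indexer treat its next start as first-run and rebuild.
        Set-ItemProperty -Path $key -Name SetupCompletedSuccessfully -Value 0 -Type DWord

        # The catalogue is recreated from scratch on start; removing the old file
        # frees the disk space immediately instead of waiting for the indexer.
        if (Test-Path $edb) { Remove-Item -Path $edb -Force }

        Start-Service -Name $service
        Get-Service -Name $service | Select-Object Name, Status
    }
}

Reset-WindowsSearchIndex
```

Run it with -WhatIf first to see what it would do. Indexing restarts in the background, so, as with the manual route, wait for the index to be recreated (Indexing Options shows the growing item count) before repeating the search.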

Your Latest IT News Update

Trump’s New FCC Chairman Pushes To End Net Neutrality

After the Net Neutrality regulations from 2015 were partially overturned in May 2017, Donald Trump’s new chair of the Federal Communications Commission (FCC) is pushing to end net neutrality after a final vote this month.

Facebook For Children Launched

Facebook has launched ‘Messenger Kids’. The standalone app on a ring-fenced network is targeted at young people for use on their tablets or smartphones but can be controlled from a parent’s Facebook account.

Amazon Targets Businesses With Voice Activated Digital Assistants

Amazon with its best-selling digital voice assistant now has its sights set on a role for Alexa in the workplace with its plans to launch Alexa for Business.

Police Web & Phone Snooping Powers Curbed

The need to comply with a European Court Ruling has meant that senior UK police officers are to lose the power to self-authorise snooping on personal phone and web browsing records.

Barclays Drops Kaspersky Over Security Fears

Barclays bank has emailed its 290,000 online banking customers to say that it will no longer be offering Kaspersky Russian anti-virus because of information and news stories about possible security risks.

Tech Tip – Get Microsoft Edge on Android

With the Microsoft Edge browser for Android you can Sync passwords, favourites, and exchange data between your PC and Android phone. Here’s how to set it up:

Trump’s New FCC Chairman Pushes To End Net Neutrality

After the Net Neutrality regulations from 2015 were partially overturned in May 2017, Donald Trump’s new chair of the Federal Communications Commission (FCC) is pushing to end net neutrality after a final vote this month.

What Is Net Neutrality?

In short, Net Neutrality means that ISPs (who control the data pipeline) treat everyone’s data (emails, digital audio files, digital video) equally, whether it comes from companies or individuals, and whether or not it is popular streamed TV, e.g. Netflix and Amazon competing with established broadcasters. With Net Neutrality, ISPs don’t get to decide whose data is sent more quickly (e.g. slowing data from private individuals while speeding up data from a business because that business has paid for it), or which sites get blocked or throttled (e.g. the streamed delivery of a TV show from a competitor of the ISP).

The idea of having an Open Internet means that individuals and organisations should be able to easily access and use all of its resources, and to ensure that this can happen, certain principles need to be adhered to e.g. open standards, transparency, no Internet censorship, low barriers to entry, and ‘Net Neutrality’. The idea is that Net Neutrality can help to enhance innovation and trade in a fair way.

What’s Happened?

On 18th May the FCC voted two-to-one in support of a new proposal to repeal the existing Net Neutrality regulations, starting a 90-day period of public comment before a final vote in December. The FCC, led by Ajit Pai, also released a 210-page (pdf) document on 22nd November outlining how greater reliance on business competition and anti-trust laws to regulate what ISPs charge for their services, plus a requirement to provide “transparency” to consumers, could replace the Net Neutrality regulations being overturned.

What’s The Problem?

For many, the push by the FCC to effectively end Net Neutrality has sparked concerns about a market-driven agenda in which smaller or more diverse web services would not be protected from ISPs slowing their traffic or pricing them out of the market, and in which the scales are tipped in favour of big telecoms providers such as AT&T and Verizon rather than other technology companies and social platforms.

Nature of The Markets Has Changed

Some are of the opinion that the move by the FCC is also simply an attempt to loosen restrictions on other types of gatekeepers e.g. cable TV operators and telecoms companies to allow them to compete more fairly with new competitors that were created by changes in the market brought about by Net Neutrality. For example, it was not necessarily foreseen that Facebook would grow bigger than traditional media or that Amazon would move into films, thereby changing the nature of the market and requiring a new kind of regulation.

Fake and Stolen Identities For Comments

One alarming aspect of this latest development is the allegation that, of the record 23 million comments filed with the FCC as part of the public consultation process about repealing the Net Neutrality regulation, many used fake or stolen identities. This has prompted accusations that the comment process is corrupt.

Other Regulations Removed

As well as attempting to remove Net Neutrality regulations, the FCC also appears to be trying to remove regulations around other restrictions on media ownership e.g. reducing / revising the cap on how many homes in the US a single broadcaster can reach, and allowing TV stations to use different frequency channels that count less against this overall cap on broadcasting reach.

What Does This Mean For Your Business?

To allow fair competition and equal opportunities, there must be something that looks like an ‘equal playing field’ in place, and it often takes rules imposed by authorities outside an industry rather than just market forces and industry bodies to make sure that happens.

There is an argument that the evolution of the online data market makes it complicated to regulate, but the removal of Net Neutrality looks likely to be bad news for smaller and more diverse companies and for those outside of the current mainstream media.

There is also a danger here that market-driven and political agendas are being given greater value than the civic service or cultural good that an equal / neutral situation would allow.

Facebook For Children Launched

Facebook has launched ‘Messenger Kids’. The standalone app on a ring-fenced network is targeted at young people for use on their tablets or smartphones but can be controlled from a parent’s Facebook account.

Challenge

The challenge identified by Facebook is that young people are being given access to tablets and smartphones, but their parents are concerned about (and can’t always monitor) how their children are using them and which apps are appropriate. Also, even though Facebook is strictly for those 13 and over, it would not be difficult for younger children to set up and use an account, and it is thought that as many as 20 million under-13-year-olds may currently be using the network.

Next Generation of Facebook Users

Although Facebook’s primary stated motive for the new junior version of its platform is to provide a safer, more age-appropriate version, some tech and business commentators have suggested that it may also be an ideal way for Facebook to recruit its next generation of users, and to capture the attention of 6 to 12-year-olds before Snapchat or a similar social network competitor.

What’s Different About It?

Messenger Kids is different from the main version of Facebook because:

  • It puts parents in control. If two children want to be friends on Messenger Kids, that friendship must first be approved by a parent for each child. Approved adults can also contact their children through the app.
  • It has appropriate, targeted content. There is a library of child-appropriate and specially chosen GIFs, frames, stickers, masks and drawing tools that enable children to decorate content and express their personalities.
  • It is ad-free. Also, targeting ads, e.g. at parents based on what their children are talking about in Messenger Kids, or using what was discussed in Messenger Kids to target adverts at teens once they turn 13 and graduate to a normal Facebook account, will not be possible. In any case, the app doesn’t know exactly how old the children signing up are.
  • It is a simplified, locked-down / ring-fenced version.

Data Sharing Concerns

Some concerns have been raised about privacy, and about what data will be collected on the young users of the accounts. Facebook will collect data such as the child’s name, the content of the messages, and typical usage reports for how the app is being used. It is understood that Facebook will only share that information with third parties whose data protection policies comply with COPPA, the Children’s Online Privacy Protection Act in the US (Messenger Kids is being launched in the US first).

What Does This Mean For Your Business?

From a business perspective, it is understandable that Facebook needs to find a way to bring a new, young generation of users to its platform, to compete with other platforms for the attention of those users, and to do so in a way that has the approval and involvement of parents, particularly if children are going to use social networks anyway. For businesses that want to target children with advertising, Messenger Kids is not going to be a good route for doing so, although it remains to be seen how popular the uptake of Messenger Kids will be. It may also be of some reassurance to current Facebook advertisers with young target audiences that Facebook is seeking to bring new users through the door, and therefore looks like a promising advertising channel to continue with in the future.

For many parents and interest groups dealing with parental concerns, it may still be a worry that with Messenger Kids there are still no totally clear policies about data collection, what happens to the content children post or any plans for the future. Parents may simply and naturally feel as though they don’t trust Facebook (or other social networks) anyway for use by children until the parent feels they’re old enough.

There has also been some concern recently in the media about the results of research showing that children may be seeking too much online peer validation through ‘Likes’ on social media – Likes will be included in Messenger Kids.

For now, it’s a case of wait-and-see, and hope that all the safeguards, testing and targeting provide the safety and positive experiences for users that Facebook intends in a world where cyber-crime levels are high.