Author Archive for Andy Wilkinson – Page 2

Response To Freedom of Information Requests Concerning Brexit Involves ICO

Two government departments and a Kent-based Brexit planning group are reported to have given local councils advice on how to avoid releasing information about no-deal Brexit plans, prompting the UK government and the ICO to intervene.

What Happened?

Kent Online reported that at the end of January, a leaked report showed that local councils were being given advice about how to handle Freedom of Information requests relating to the councils’ work and plans towards a no-deal Brexit, in a way that would not cause public harm.

It has been alleged that the threat of a no-deal Brexit has led to an increase in the number of FOIA requests that councils receive about their plans for it, but that certain government departments and others may have sought to manage the amount of information making its way into the papers by issuing tips on how to keep emergency plans secret.

A blanket approach of this kind would go completely against FOIA laws.

Who?

According to Kent Online, the leaked report came from the Kent Resilience Forum, a group co-ordinating the county’s strategy for dealing with disruption in the event of a no-deal Brexit. Guidance issued by the Department for Exiting the EU (DExEU) was also cited in the report, as was guidance from the Cross-Border Delivery Group.

What Kind of Guidance?

The ‘guidance’ in question, mentioned in the leaked report, is alleged to include:

  • The DExEU suggesting that councils and other organisations should refuse FOIA requests in relation to their emergency planning and, in some circumstances, that they should not confirm whether they hold information.
  • Guidance from the DExEU leading to emergency services and councils being given a ready-made template for FOIA requests on Brexit plans.
  • Local Resilience Forums or individual partner organisations being told to argue that disclosure would not be in the public interest as it “would undermine the effective conduct of public affairs”.
  • Guidance that has led to the government tying ports to non-disclosure agreements, which prevent them from releasing any details about their discussions. Recommendations from the Cross-Border Delivery Group mean that while port authorities can share information with other organisations, these non-disclosure agreements are in effect for general disclosure to the public domain.

ICO Involved

The idea that FOIA requests could be treated in this way has prompted the involvement of the Information Commissioner’s Office. It has been reported that the ICO’s director of FoI, Gill Bull, has written to DExEU, the local government department, and the Kent Resilience Forum to express the ICO’s concern about the guidance.

The Council Says…

Kent Council has said that “We are keen to provide our partners with advice on how they can prepare for a worst-case EU Exit scenario”. The council has also said that it will soon be issuing an updated partner pack without the previous FOIA guidance.

The Government Says…

It has been reported that a government spokesperson has said that the original advice has now been revised, and new, updated guidance has now been issued.

What Does This Mean For Your Business?

Brexit is a complicated and divisive subject, but a Freedom of Information request is an important legal right in the UK that allows for greater transparency in the way that companies and organisations operate, and each FOIA request should be considered individually. It is worrying that advice should be given by government departments and other organisations, supposedly in the public interest, that appears to go against the Freedom of Information Act by suggesting that some kind of blanket response, designed to withhold information, should be applied. Businesses would not be able to behave this way without being held to account in a very damaging way, and it is understandable, therefore, that the ICO has stepped in.

Potential £1 Million Court Bill Over £1 Uber Receipt

A millionaire barrister who raised crowdfunding money to fight ride-sharing company Uber in court over a £1.06 VAT receipt has lost attempts to limit his court costs liability and could face a £1 Million legal bill.

What Happened?

The initial reason given for tax lawyer Jolyon Maugham QC bringing the case against Uber was that he was not given a VAT receipt for £1.06 on his £6.34 taxi journey, which he could have reclaimed from HMRC as a business expense, and that Mr Maugham QC believed Uber was undercharging VAT on its taxi services.

However, as commentators have noted there may be a wider angle to this story as the barrister accepted that the VAT receipt amount that he sought was trivial and that it may be more about establishing whether Uber as a company is subject to VAT.  If Uber is found to be subject to VAT, Mr Maugham QC’s action could trigger a £1bn VAT bill against Uber.

More Than Half Raised From The Black Cab Trade

Even though Mr Maugham QC managed to raise £107,650 to bring the case, one of the factors that appears to have influenced Mr Justice Trower’s rejection of Mr Maugham QC’s attempt to shield himself from the £1M legal bill and his attempt to appeal against the rejection is the proportion of money raised from the black cab trade to fight Uber. For example, the judge pointed out that “well in excess of 50%” of the crowdfunding money came from the black cab trade, and this included a donation of £20,000 from just one unidentified black cab source.

Income A Factor

Even though Mr Maugham QC wanted to limit his legal costs liability to £20,000 in the High Court case he brought against Uber, some commentators have noted that Mr Maugham QC’s alleged net annual income of £400,000, and his ownership of two properties may also have been a factor in the judge deciding not to stop Uber from recovering its estimated £1 million legal costs if it wins the main case.

The VAT Argument

This case was originally intended to focus on VAT, and one thing it has done is to shine a light on an argument about whether it is the individual Uber drivers who need to be VAT registered to give a VAT receipt, or whether Uber now has a large VAT liability.

What Does This Mean For Your Business?

The case was originally based on an assertion that Uber may be undercharging VAT on the taxi services it offers, that HMRC may be treating big US multinationals such as Uber with kid gloves, and an allegation that Uber could be thought by some to have a business model designed to minimise its tax liability and the workers’ rights it has to offer its drivers.

According to Jolyon Maugham QC, in his statement via the Good Law Project, the decision to reject his attempt to limit his liability for legal costs could be seen as an example of how corporations can use the threat of costs liability to dodge legal accountability, thereby making it difficult for other individuals or organisations to hold them to account.

Although Mr Maugham QC’s personal income and property assets may have had a bearing on the Judge’s decision not to grant him protection from an estimated £1 million legal bill if Uber wins, the outcome could also send a warning to businesses that taking on a big company/corporation in court could be make or break and could have serious financial implications.

New, Free Windows 10 Microsoft Office App Launched

Microsoft has announced the launch of its new “Office” app for Windows 10. The app, an update to the former My Office app, will come preinstalled on Windows 10 machines and will provide access to an online version of Office for those who don’t have an Office 365 subscription.

Simply “Office”

The new, free app, simply named “Office”, can be used with ‘almost’ any version of Microsoft Office. This means that those who do have a 365 subscription and have Microsoft’s apps installed on their device can open them from the Office app, while those who don’t have a subscription will be automatically directed to the online version. Like Google Drive, this online version features the user’s recent documents on the home screen, in keeping with the idea that users should be able to find what they want quickly. Users can also share files with each other and can find content relevant to them that was created by colleagues within their organisation.

Features

The new app includes helpful features such as tutorials and tricks for Microsoft’s apps and services, and users can see every Office app available to them by clicking on “Explore all your apps”.

Office also allows customisation so that businesses can brand it. Users also have access to third-party apps and Microsoft Search.

When and How?

Microsoft says that the Office app will become available to users on a rolling basis over the next few weeks and that it will be installed automatically as an update to the MyOffice app, which comes pre-installed as part of Windows.

You can search for “Office” in the search bar of the Windows start menu to open the app. The new app can also be downloaded from the Microsoft Store if needed.

Users can sign in to the app with their work, school, or free personal Microsoft Account to get started.

The Office app should work with any Office 365 subscription, Office 2019, Office 2016, and Office Online (the free web-based version of Office).

What Does This Mean For Your Business?

Launching this Office app gives Microsoft a way to publicise, raise awareness of, and get more people using its free online versions of Office.

The app, which also allows Microsoft to compete with its rival Google Drive, should be quite appealing to business users thanks to features such as the ability to customise and brand it, access to third-party apps through Azure Active Directory (AAD) from within the Office app, and the Microsoft Search feature that works across the organisation as well as the user’s own apps and documents.

Having a free Office app that’s available without the need for an Office 365 subscription will also help address the problem of a mistaken assumption from many people that Office simply comes as part of Windows.

Tech Tip – How To Disable Ad Tracking In Windows 10

Although many websites say they rely upon ad-revenue to provide free content, and some ads can be relevant, as web users we may still feel uneasy about allowing our online behaviour to become tracked, and too many ‘interest-based’ targeted adverts can be annoying and disruptive.  There is an easy way in Windows 10 to disable advertising ID/‘interest based’ adverts.  Here’s how:

– In Windows search (bottom left), type ‘Privacy’ and Go to ‘Privacy Settings’.

– In the ‘General’ section on the right-hand side of the window, turn off the first option relating to your advertising ID.

– For a higher level of ad blocking, go to the Microsoft Privacy Ad Settings page and disable interest-based ads on the browser, Windows and Microsoft account level. This should prevent your online behaviour from being tracked by marketers but will still enable you to see some generic adverts.

Your Latest IT News Update

  • New York’s Governor Orders Investigation Into Facebook Over App Concerns
  • Discovery of Microphone in Google’s Nest Guard Prompts Backlash
  • DNS Infrastructure Under Attack
  • Form-Jacking Attacks Hit High Profile Companies
  • Targets Of A Rise In Extortion Scams
  • Tech Tip – How To Put YouTube Videos on Automatic Repeat: if you’d like to put a YouTube video on repeat play, e.g. to watch or show a work/instructional video, or to listen to your favourite music on a loop while working on your laptop, there are two easy ways to do it.

New York’s Governor Orders Investigation Into Facebook Over App Concerns

The Governor of New York, Andrew Cuomo, has ordered an investigation into reports that Facebook Inc may be using apps on users’ smartphones to collect personal information about them.

Alerted By Wall Street Journal

The Wall Street Journal prompted the Governor to order New York’s Department of State and Department of Financial Services (DFS) to investigate Facebook when the paper reported that Facebook may have more access than it should to data from certain apps, sometimes even when a person isn’t signed in to Facebook.

Health Data

It has been reported that the kind of data that some apps allegedly share with Facebook includes health-related information such as weight, blood pressure and ovulation status.

The alleged sharing of this kind of sensitive and personal data, whether or not a person is logged in to Facebook, prompted Governor Cuomo to call the practice an “outrageous abuse of privacy.”

Defence

Facebook’s defence against these allegations, which appears to have prompted a short-lived but noticeable fall in Facebook’s share value, was to point out that WSJ’s report focused on how other apps use people’s data to create ads.

Facebook added that it requires other app developers to be clear with their users about the information they are sharing with Facebook and that it prohibits app developers from sending sensitive data to Facebook.

The social media giant also stressed that it tries to detect and remove any data that should not be shared with it.

Lawsuits Pending

This appears to be just one of several legal fronts where Facebook will need to defend itself.  For example, Facebook is still facing a U.S. Federal Trade Commission investigation into the alleged inappropriate sharing of information belonging to 87 million Facebook users with now-defunct political consulting firm Cambridge Analytica.

Apple Also Accused By Governor Over FaceTime Bug

New York’s Governor Cuomo and New York Attorney General Letitia James have also announced an investigation into Apple Inc’s alleged failure to warn customers about a bug in its FaceTime app that could inadvertently allow eavesdropping, as iPhone users were able to listen to the conversations of others who had not yet accepted a video call.

DFS Involvement

The Department of Financial Services (DFS), one of the two agencies ordered to investigate this latest Facebook app-sharing matter, has only recently begun to get more involved in digital matters, particularly by producing the country’s first cybersecurity rules governing state-regulated financial institutions such as banks, insurers and credit monitors.

Some commentators have expressed concern, however, about the DFS saying last month that life insurers could use social media posts in underwriting their policies, on the condition that they did not discriminate based on race, colour, national origin, sexual orientation or other protected classes.

What Does This Mean For Your Business?

You could be forgiven for thinking that after the scandal over Facebook’s unauthorised sharing of the personal details of 87 million users with Cambridge Analytica, Facebook might have learned its lesson about the sharing of personal data and tried harder to uncover and plug any loopholes that could allow this to happen. The tech giant still has several lawsuits and regulatory inquiries over privacy issues pending, and this latest revelation about the sharing of very personal health information certainly won’t help its cause. Clearly, as the involvement of the DFS shows, there needs to be more oversight of (and investigation into) apps that share their data with Facebook, and possibly more legislation and regulation of the smart app / smart tech ecosystem.

There are ways to stop Facebook from sharing your data with other apps via your phone settings and by disabling Facebook’s data sharing platform.  You can find instructions here: https://www.techbout.com/stop-facebook-from-sharing-your-personal-data-with-other-apps-37307/

Discovery of Microphone in Google’s Nest Guard Prompts Backlash

The discovery of a microphone in Google’s Nest Guard product that was not listed in its technical specification has been put down to an erroneous omission by Google, but it has also caused a backlash that escalated to the US Congress.

What Happened?

One of Google’s products is Nest Secure, a home security system that operates using a phone app, an alarm, a keypad and motion sensor unit with Google Assistant built in (the Nest Guard, which is the main hub), Nest Detect sensors for doors and windows, and a tag which the homeowner taps on the main hub when they enter the house to disarm the system. Earlier this month, the addition of Google’s digital assistant to the product led to the surprise discovery that the main hub unit had always had a microphone installed in it, even though the microphone was not mentioned in the technical specifications for the product.

The discovery of what appeared to be a “secret” microphone has, therefore, prompted anger and discussion among privacy and security advocates and commentators, concern from consumers, bad publicity for Google, and calls for action by a Senator, a Congressman, and many others.

Google Says…

Google’s response to the discovery was simply to apologise for what was an “error” and oversight on its part for not listing the microphone in the tech spec for the system, and to stress that the microphone was not intended to be ‘secret’ and had not been used until the addition of the Google Assistant.

It has also been reported that Google has said that one of the reasons for the microphone’s inclusion had originally been to allow future functionality, for example, to detect breaking glass in the home.

Criticism

Google has faced anger and criticism from many different angles over the discovery of the microphone including:

  • Maryland Congressman John Delaney calling for privacy legislation to now be applied to a broad range of tech products.  Mr Delaney also proposed that electronic tech products should have labelling on them like that on food products, so consumers can be quickly and easily alerted to any privacy and security implications.
  • Virginia Senator Mark Warner, chairman of the Senate Intelligence Committee, calling for hearings with federal agencies and the U.S. Congress about the digital economy, and the smart home ecosystem.
  • The Electronic Privacy Information Center (EPIC) calling on the Federal Trade Commission (FTC) to require, via an enforcement action, that Google divest itself of its Nest hardware products and disgorge any data that it may wrongfully have obtained from Nest customers.

What Does This Mean For Your Business?

Smart electronic products and devices are now in homes and businesses everywhere, but consumers and business owners should have the right to be clearly informed about the security and privacy implications of those products so that they can make an informed choice about whether to buy and operate them.

As some commentators have noted, the arguments that it’s easier to ask for forgiveness than seek permission or that ‘it’s in the fine print’, shouldn’t be acceptable privacy policies from tech companies.  The idea of food packaging-style labelling on smart tech products to help inform about security and privacy implications may not be a bad one, and if the tech industry can’t regulate itself on this matter then more legislation to protect consumers and businesses seems likely.

This is a damaging story in terms of trust and reputation for Google, particularly in the US where the story has been given greater prominence and may cause consumers to think twice about the kinds of smart products that they let into their homes and businesses.

DNS infrastructure Under Attack

The Internet Corporation for Assigned Names and Numbers (ICANN) has issued a warning that the DNS infrastructure is facing an “ongoing and significant risk” and has urged domain owners to deploy DNSSEC technology.

ICANN

ICANN is one of the many organisations involved in the decentralised management of the Internet but is specifically responsible for coordinating the top-most level of the DNS in order to ensure that it can operate in a secure and stable way and maintain universal resolvability.

Attacks

According to ICANN’s statement, public reports indicate that the DNS infrastructure is facing “multifaceted attacks utilizing different methodologies”. Examples of such attacks include replacing the addresses of intended servers with the addresses of machines controlled by attackers. The prevalence of so-called “man in the middle” attacks, where a user is unknowingly redirected to a potentially malicious site, is of particular concern.

Cisco’s Talos Intelligence blog has highlighted how this type of attack has been carried out on a grand scale by some international players. For example, the blog reports how Lebanon and the United Arab Emirates (UAE) have been targeting .gov domains, as well as a private Lebanese airline company. The attackers used two fake, malicious websites containing job postings, delivered via malicious Microsoft Office documents with embedded macros. The malware, dubbed “DNSpionage”, supported HTTP and DNS communication with the attackers.

The Cybersecurity and Infrastructure Security Agency (CISA) in the US has also been forced to order federal agencies to act against DNS tampering.

DNSSEC

One of the main ways that ICANN and Internet companies like Cloudflare and Google suggest DNS-focused attacks can be countered is through the deployment of DNSSEC technology by domain owners. Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications. DNSSEC was designed to protect Internet resolvers/clients from forged DNS data, and it complements other technologies, e.g. Transport Layer Security (usually used in HTTPS), that protect the communication between the end user and the domain. In essence, it cryptographically signs DNS data so that forged answers fail validation.

Low Adoption Rate

One of the reasons why DNS-focused attacks are so prevalent may be that the adoption rate of DNSSEC is so low – around 20%.  In fact, according to Cloudflare, only 3% of the Fortune 1,000 are using DNSSEC.

What Does This Mean For Your Business?

It is good that ICANN has identified this threat as this will now facilitate greater discussion and action and may motivate more domain owners to look into and adopt DNSSEC, hopefully across all unsecured domain names.  Although full deployment of DNSSEC is not the ultimate answer, it may go a long way towards drastically reducing the current threat.

ICANN has produced a helpful checklist of recommended security precautions that members of the domain name industry e.g. registries, registrars, resellers, and others, can proactively take to protect their systems, their customers’ systems and any that could be reached via DNS.  You can find the checklist here: https://www.icann.org/news/announcement-2019-02-15-en

Form-Jacking Attacks Hit High Profile Companies

Research by Security Company Symantec has revealed that high profile companies such as BA and Ticketmaster are among the many thousands of businesses whose websites are being targeted with “form-jacking” attacks every month.

What Is Form-Jacking?

Form-jacking involves inserting a small amount of malicious JavaScript code into the checkout web pages of e-commerce sites, thereby allowing attackers to monitor payment card information being entered and to then syphon that information off.

When a user hits the submit button on a checkout page that contains the malicious code, the user’s payment and personal details are sent to an attacker’s servers where the attacker can use this information to perform payment card fraud or sell these details on to other criminals on the dark web.

Pages that have been compromised in this way aren’t easy to spot, and to the naked eye the checkout process looks normal.

How Big Is The Problem?

Symantec claims to have stopped more than 3.7 million form-jacking attacks in 2017, and between August and September 2018, the company says that it blocked 248,000 attempts at form-jacking.  The fact that 36% of these blocks took place from September 13th to September 20th was an indicator that form-jacking attempts were escalating towards the end of last year.

Symantec reports that 4,800 websites are being hit by form-jacking attacks every month.

Examples

High profile examples of victims of form-jacking given by Symantec include British Airways and Ticketmaster who were both targeted by the ‘Magecart’ hacking group.

The attack on British Airways saw the Magecart attackers set up a spoof web domain designed to look like that of the legitimate company, and even purchase paid SSL certificates from Comodo to make it look more legitimate. Magecart was present on British Airways’ website from August 21 to September 5, and the 22 lines of digital skimming JavaScript code it took to operate the form-jacking attack affected 380,000 transactions. In the BA attack, the vital customer data was skimmed and stolen in a fraction of a second, between the time the customer put the mouse over the submit button and the moment the data reached BA’s servers as the customer clicked.

In the case of the Ticketmaster attack, which took place in June, attackers first compromised a chatbot from tech firm Inbenta that was used for customer support on Ticketmaster websites. This chatbot then provided the way in for the Magecart attackers, enabling them to alter the JavaScript code on Ticketmaster’s websites so that payment card data from customers could be captured and sent to their servers. It is thought that the form-jacking code remained undetected on Ticketmaster’s website from September 2017 to June 2018.

What Does This Mean For Your Business?

Cybercriminals have found that better back-up practices by businesses and home users have made attacks like ransomware less likely to pay, so may have moved into form-jacking. The fact that it only requires the insertion of a relatively small amount of JavaScript and that it can be very difficult to detect make it an attractive new way to get paid for many criminals.

Companies can use network-based and file-based protection against form-jacking, and ways to stop attackers getting in to inject the code include using firewalls to block all incoming connections from the internet to services that should not be publicly available, enforcing a (complex) password policy, turning off file sharing if not needed, turning off and removing unnecessary services, keeping patching up to date, and configuring email servers to block or remove emails that contain file attachments commonly used to spread threats, e.g. .vbs, .bat, .exe, .pif and .scr files.

Also, companies should guard against software supply chain attacks by testing new updates, even seemingly legitimate ones, in small test/sandbox environments, and by monitoring the behaviour of all activity on a system to help identify any unwanted patterns.

Targets Of A Rise In Extortion Scams

A report by cyber-crime researchers is warning professional people and those in higher level management positions that extortion scams are on the rise with higher earners as the obvious targets.

Report

The report, from researchers at risk protection firm Digital Shadows, tracked so-called ‘sextortion’ campaigns from July 2018 to February 2019, during which time they discovered that more than 89,000 unique recipients were the targets of 792,000 extortion attempts!

Why?

Extortion scams aimed at higher earners have become popular because:

– These scams are cheap and easy to operate. For example, aspiring extortionists can purchase sensitive corporate documents and extortion manuals online from other criminals for less than £10.

– The rewards are high.  Professionals, business owners and high net worth individuals who hold positions of power within companies have the ability and often the motivation to pay.  For example, as part of the research, analysis of bitcoin wallets associated with extortion scams showed that “sextortionists” are making an average of £414 per victim.

Sextortion

As the name suggests, sextortion involves blackmail and bribery through coercion based upon the criminal threatening to release images and/or other information about their victim.

This type of crime is now one of the main methods of extortion. Individuals who are thought likely to be vulnerable to this type of crime are often targeted with manufactured attacks.  For example, one type of attack which features in extortion guides is carried out when a criminal begins an online relationship with a married person and then threatens to reveal details of the affair to their partner unless a ransom is paid. Less sophisticated ‘sextortion’ attacks involve using a password to ‘prove’ to the victim that they have been compromised, claiming to have video footage of the victim watching adult content online, and then telling the victim to pay a ransom to a specified bitcoin address.

What Does This Mean For Your Business?

Most businesses will continue to face some of the more common threats such as phishing attempts, malware, social engineering, hacking, credential compromise and DDoS attacks. Cybercriminals are, however, becoming even more daring, and the amount of resources available to them on criminal forums now makes extortion-style attacks more likely. For example, a massive leak of 2.6 billion rows of data from 12,000 files, dubbed Collection #1, onto hacking forums was revealed in a blog post in January by security researcher Troy Hunt, who is best known for running the ‘Have I Been Pwned’ service. Mr Hunt said that the leaked personal data is a set of email addresses and passwords totalling 2,692,818,238 rows and is made up of many different data breaches from thousands of different sources.

Some ways that businesses may be able to protect themselves from extortion attacks include:

  • Checking the HaveIBeenPwned website to find out if your accounts have been previously breached.
  • Regularly backing up data and storing sensitive files in detached storage away from your main network, and making disaster recovery plans, business continuity plans, and periodically testing your backup and recovery processes.
  • Not answering extortion emails.
  • Making sure that your email system is secure and applying best practices for user permissions.
  • Educating / training staff on how to deal with extortion emails.
  • Where possible, minimising your personal and professional online exposure.
  • Keeping software patches up to date.
  • Making your remote workers use a (good, paid-for) VPN.