Archive for Data Security

Cybercriminals Hijacking Netflix and Other Streaming Accounts

It has been reported that the surge in the use of streaming music and video services has been accompanied by a surge in the number of user accounts being taken over by cybercriminals.

Entertainment During Isolation

Self-isolation and the instruction to stay at home during the next few weeks in the COVID-19 crisis has meant that many people have turned to streaming services like Amazon Prime Video, Netflix, Spotify and Apple Music. In fact, the demand has been so high that many streaming and social media platforms have reduced the bit rate of videos in order to make sure that services can still be delivered without taking up too much bandwidth.

Stealing and Selling Your Credentials

Security company Proofpoint has now warned that cybercriminals are taking advantage of this increase in demand for streaming services by stealing the valid credentials of users and selling them online.  This means that someone else may be piggybacking off a user’s streaming account without them even knowing it.  When the account credentials are sold online (for a much lower price than normal accounts), the seller gives instructions to the buyer not to try and change the login details of the account.

How?

For cybercriminals to hijack streaming accounts, they first need to steal the legitimate credentials of existing users. Proofpoint has reported that this is achieved by using methods such as:

Keyloggers and information stealers – software that has been unwittingly downloaded, that is able to record keystrokes to discover logins and other valuable personal data.

– Phishing attacks – convincing emails from bogus sources that persuade users to click on a link, which redirects them to a fake login page where credentials and financial information are stolen, and/or loads malicious software onto their computer/device.

– Credential stuffing – where logins stolen in cyber-attacks on other sites/platforms (and sold on to other cybercriminals) are tried automatically against other websites in the hope that the user has reused the same password across multiple services.

How Do You Know?

The ways to tell whether your streaming account is being piggybacked include checking the settings to view which devices are connected to the account, checking previous activity on the account and activating the options that notify you each time a new device connects to your account.

Protection

Since hijacking a streaming account relies on stealing login details, following basic data security hygiene can dramatically reduce the risk to users. For example: using strong and unique passwords, never reusing a password across different websites/platforms, using a good password manager, keeping anti-virus software, systems and browsers patched and up to date, and not clicking on links or attachments in unexpected emails all help protect against this and similar crimes.
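Credential stuffing (above) only works when a password has already leaked somewhere else, so the practical check behind the advice to use unique passwords is to test a new password against a corpus of breached ones before accepting it. The following is an added example, not code from Proofpoint or the original article, of the k-anonymity scheme used by the Have I Been Pwned "Pwned Passwords" range API: only the first five hex characters of the password's SHA-1 hash leave the machine, and the remainder is compared locally. The canned range responses, the counts and the hypothetical policy function are constructed for the example so that it runs offline; `fetch_range_live` shows the real request shape but is not called.

```python
"""Breached-password check using the Pwned Passwords k-anonymity range API.

Added example; the canned responses below are constructed so the code runs offline.
"""
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest: 5 + 35 chars."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus; 0 if never seen.

    fetch_range(prefix) must return the response text for that 5-character
    prefix: one "SUFFIX:COUNT" pair per line. The full hash is never sent.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Query the real API (network required; not used by the offline demo)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-reuse-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API. The suffix for "password" is the
# real SHA-1 remainder (5BAA6 + 1E4C9B93F3F0682250B6CF8331B7EE68FD8); the
# counts and the other suffixes are made up for the example.
_CANNED = {
    "5BAA6": "0A3F5F2A7C1B9E0D4A6B8C0E2F4A6B8C0E2:12\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "9FFE6D1A3B5C7D9E1F3A5B7C9D1E3F5A7B9:1\n",
}


def fetch_range_canned(prefix: str) -> str:
    # Unknown prefixes get a response with no matching suffix, like a clean password.
    return _CANNED.get(prefix, "0" * 35 + ":7\n")


def password_policy_ok(password: str, fetch_range=fetch_range_canned, min_len: int = 12) -> bool:
    """Hypothetical sign-up policy: reject short passwords and any password already breached."""
    return len(password) >= min_len and breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, fetch_range_canned), "breaches; accepted:", password_policy_ok(pw))
```

To use it for real, pass `fetch_range_live` instead of the canned function; the `Add-Padding` header makes the API pad every response so that response size does not reveal which prefix was queried.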

What Does This Mean For Your Business?

Cybercriminals are quick to take advantage of a crisis or a trend and are always keen to find easy, low-risk ways to get money and personal details.  In this case, adhering to relatively basic security best practice can prevent you from falling victim to this and many other cyber-crimes.

Sadly, this is not a new situation.  For example, a CordCutting.com report from last year suggested that around 20 per cent of people who watch a paid-for video streaming service are using someone else’s account.

Now that streaming services are experiencing a surge in users and are very much in the spotlight, it may be a good time for those services to tackle some of the long-running security concerns and to reassure users that they are taking some responsibility for making it much more difficult for others to piggyback accounts.

Featured Article – Maintaining Security During The COVID-19 Health Crisis

The current global health crisis may bring many different IT security challenges to businesses and organisations and this article highlights some of the ways that you can prepare to keep IT security covered as best you can at this difficult time.

Larger and Smaller Businesses – Some Different Challenges

Larger organisations may be at an advantage as they may already have policies, procedures, equipment and security arrangements in place for remote working, although they may find themselves more stretched as many more staff work from home than usual.

Smaller businesses and organisations, however, may be less well used to and equipped for suddenly having to send staff home to work. This means that they may have a lot more work to do now in order to prepare, and their IT personnel will find themselves needing to prioritise and be prepared to provide more on-demand support over the coming weeks.

Guide

Even though larger and smaller companies may face different challenges on a different scale, here is a brief guide with a list of suggestions that could help many businesses and organisations stay secure while employees, contractors and other stakeholders are working remotely:

– Alert all staff to the possibility of email-borne threats and other social engineering attacks.  For example, over the last few weeks, cybercriminals have been sending COVID-19 related phishing emails e.g. bogus workplace policy emails, emails purporting to be from a doctor offering details of a vaccine/cure, emails with a promise of a tax refund and more.  The message to employees should be to not open unfamiliar emails and certainly don’t click on any attachments or links to external pages from any suspect emails.

– Make sure that any software and software-based protection used by employees working from home is secure and up to date.  For example, check that their devices have up-to-date operating systems and browsers, that firewall and anti-virus software is installed and up to date, and that employees install new updates as soon as possible.

– Ensure that any devices used by employees are managed, run only trusted security software, have appropriate protection (e.g. data loss prevention, updated anti-malware) and can be centrally monitored where possible. Ensure that all devices, including employee mobiles (which can carry confidential information), are protected by a password or PIN and encrypt their storage, so that a lost or stolen device does not expose the data on it.

– Monitor supply chain arrangements where possible.  If a supplier is geographically remote, for example, or if the Covid-19 crisis has left a supplier short of qualified IT and/or security staff, or if contract, cover or otherwise unfamiliar staff have been brought in to replace staff members (particularly in accounts), this could present a security risk.  Taking the time to conduct at least basic checks on who you are dealing with could prevent social engineering, phishing and other security threats, and exercising caution and offering your own known secure channels where suppliers are short of IT security staff could help to maintain your company’s security posture.

– Although employees are likely to stay at home in the current situation, you will still need to make sure that they are made aware of your policy about accessing information on public or unsecured networks e.g. using a VPN on mobile devices to encrypt data.

– Make sure you have a 24-hour reporting procedure for any stolen or lost equipment/devices.

– Pay attention to user identity management. For example, have a user account for each employee, and give appropriate access to each employee.  This should help to prevent unauthorised access by other persons.  Also, control which programs and data each employee has access to, and which level of user rights they have on certain platforms.

– Make employees aware that they must use only strong, unique passwords to sign in to your network, and that a password must be changed promptly if there is any suspicion it has been compromised.  (Current NCSC and NIST guidance no longer recommends forcing routine changes such as every 3 months, which tends to produce weaker, predictable passwords.)  Also, make sure that multi-factor authentication is used by employees.

– Stay on top of managing the workforce and general daily operations.  For example, make sure that key IT staff are available at all times, communication channels and procedures are clear and functioning, handover procedures are covered, any sickness (which looks likely) can have cover planned, and that productivity targets can be met despite remote working.

– Remind employees that they still need to comply with GDPR while working remotely and ensure that help and advice are available for this where needed.

– Use this experience to keep the company’s disaster recovery and business continuity plans up to date.

– Schedule regular, virtual/online meetings with staff and ensure that all employees have the contact details of other relevant employees.

– If you’re not already using a collaborative working platform e.g. Teams or Slack, consider the possibility of introducing this kind of working to help deal with future, similar threats.

Looking Forward

At this point, the country, businesses, and many individuals are thinking more about survival strategies, but taking time to ensure that IT security is maintained is important in making companies less vulnerable at a time when operations don’t follow normal patterns and when many cybercriminals are looking to capitalise on any weaknesses caused by the COVID-19 health emergency.

Cybercriminals Take Advantage of Covid-19 Outbreak With Phishing Emails

Some cybercriminals have already taken advantage of the fear surrounding the Covid-19 outbreak by sending out phishing emails that promise cures, seek donations, or heighten panic in order to extract personal data and money.

Phishing For Fear

Cybercriminals rely on exploiting human error that is often driven by emotional responses.  The coronavirus outbreak has therefore provided scammers with a near-perfect opportunity to exploit the heightened level of fear and to offer things that will take that fear and panic away as a motivation for a person to click on a link.  Clicking on a link in a phishing email can lead to malicious software being loaded onto your device that allows cybercriminals to take control of your computer, log keystrokes, or gain access to your personal information and financial data (for theft and identity theft), or it can simply direct you to a fake login or payment page.

Examples

Examples of the kinds of corona-virus related phishing emails which have been spotted over the last couple of weeks, and could be coming to an inbox near you, include:

– As reported by Proofpoint, an email purporting to be from a doctor offering details of a vaccine cure that’s been kept secret by the Chinese and UK governments.  Clicking on the link promises access to the vaccine cure details.

– Workplace policy emails that target employees in a specific company/organisation and encourage them to click on a link that will take them to their company’s Disease Management Policy.  Clicking on the link will, in fact, download malicious software that can provide a way into the company network.

– As reported by Mimecast, using the promise of a tax refund for coronavirus, directing the target to click on a link to input all their financial and tax information and with the lure of gaining access to (bogus) funds.

– Asking for donations for a fake campaign to fund the fast development of a Covid-19 vaccine.  In this scam, the victim is directed to a bitcoin payment page.

– As reported by Proofpoint, an email purporting to be from the World Health Organization (WHO) that offers a fake document with information about preventing the spread of coronavirus, where clicking on the link actually leads to the downloading of keylogging software (criminals can track your keystrokes to uncover passwords).

– Emails that exploit feelings of panic, such as an email that claims that Covid-19 has become airborne and asks the target to click on a link to a fake Microsoft login page.

Spotting Phishing Emails

Many phishing emails have giveaways that you can spot if you know what you’re looking for.  Examples of ways in which you can identify a phishing email include:

– Online requests for personal and financial information e.g. from government agencies are very unlikely to be sent by email from legitimate sources.

– Beware of generic greetings. Scammers are less likely to use your name to personalise the email greeting and title.

– Mistakes in spelling and grammar can be signs of scam emails.

– Check where a link really leads by hovering your mouse over it (without clicking!); the destination that appears will often be a site unrelated to the organisation the email claims to come from.  Likewise, check the sender’s actual email address rather than just the display name.

– Beware of heavy emotional appeals that urge you to act immediately.  These are signs of scam emails that hope to bypass your reasoning and tap into an emotional response.
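Two of the tells above (a link whose visible text names one site while its real destination is another, and a reply address that does not belong to the claimed sender) can be checked mechanically. The following is an added example, not code from Proofpoint, Mimecast or the original article: a standard-library-only checker that parses a raw email, collects every link in the HTML body and reports those mismatches. The two messages at the bottom are constructed for the example, modelled on the bogus WHO email described above, and the "last two labels" rule for deciding which domain owns a host is a simplification (a real deployment would use the Public Suffix List).

```python
"""Simple phishing tells applied to a raw email message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# A host name written into the visible text of a link, with or without a scheme.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host: str) -> str:
    # Assumption: the last two labels identify the owning domain (no public-suffix list).
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _addr_domain(header_value) -> str:
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_message(raw: str) -> list:
    """Return human-readable findings; an empty list means none of the tells fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = _addr_domain(msg.get("From"))
    reply_dom = _addr_domain(msg.get("Reply-To"))
    if reply_dom and _registrable(reply_dom) != _registrable(from_dom):
        findings.append(f"Reply-To goes to {reply_dom}, not the From domain {from_dom}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = _LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        target = (urlparse(href).hostname or "").lower()
        shown = _DOMAIN_IN_TEXT.search(text)
        # The "hover over the link" check: displayed site differs from real destination.
        if shown and _registrable(shown.group(1)) != _registrable(target):
            findings.append(f"link text shows {shown.group(1)} but points at {target}")
        if target and _registrable(target) != _registrable(from_dom):
            findings.append(f"link to {target} is outside the sender's domain {from_dom}")
    return findings


# Constructed sample messages (the .example domain is reserved and not real).
PHISH = """\
From: World Health Organization <noreply@who.int>
Reply-To: covid-alerts@who-int-updates.example
Subject: Coronavirus: safety measures
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Read the attached guidance immediately.</p>
<a href="http://who-int-updates.example/safety-measures.doc.exe">https://www.who.int/coronavirus</a>
</body></html>
"""

GENUINE = """\
From: World Health Organization <noreply@who.int>
Subject: Coronavirus: safety measures
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Our guidance is published at
<a href="https://www.who.int/health-topics/coronavirus">our coronavirus page</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("GENUINE", GENUINE)):
        print(name, analyse_message(raw) or "no findings")
```

Run on the constructed phishing message it reports three findings (the foreign Reply-To, the displayed/real link mismatch and the off-domain link); on the genuine one it reports none. It is a triage aid, not a verdict: a legitimate newsletter sent through a third-party mailing service will trip the off-domain link check, so findings should feed a human decision or a scoring rule rather than block outright.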

What Does This Mean For Your Business?

Scammers often use phishing emails when there is/has been a recent crisis, when there’s been fraud/cybercrime that’s affected lots of people, or on other such events to take advantage of those who are looking for help and answers.  Scammers know that where emotions are strong and where they can tap into that by offering relief from negative feelings and by saying what people want to hear, they are more likely to achieve their aims.

In the case of coronavirus, although companies and organisations are issuing statements related to it, the best advice is to simply check the information that is given out through trusted, official sites such as the NHS https://www.nhs.uk/conditions/coronavirus-covid-19/, the World Health Organisation https://www.who.int/health-topics/coronavirus, and via trusted TV and radio stations.

Crisis or not, always exercise caution when you receive emails from unknown or unusual sources and remember that government agencies and financial institutions don’t send out emails asking for personal and financial information.

Companies also need to alert employees, many of whom may soon be working from home and may have a reduced ability to quickly ask the boss or manager about certain emails, to the threat of phishing emails with a Covid-19 theme and to the threat of social engineering attacks that could take advantage of a physically divided and reduced workforce.

Featured Article – Google: What Do they Know About You?

To have access to Google’s many features and services, as with other platforms, we need to give some personal information and then sign-in, but have you ever wondered just how much information Google keeps about you and your activities?

Google

This article looks at some of the many different types of personal information that Google stores, how you can manage the situation, and how you can reduce any risks you may perceive as coming from your personal data being stored by Google.

Your Personal Data

Many of us accept that certain personal information needs to be stored privately with Google, but you may wish to know which information Google categorises as ‘public’.  To check this, login to your Google account, go to ‘Manage Your Google Account’, click on ‘Personal Info’, scroll down to ‘Choose What Others See’ and click on ‘Go to About me’.  Here you’ll be able to see which information is ‘hidden’ e.g. with a padlock icon, or ‘visible’ with an earth icon.  From here you can also click on ‘Privacy Check-up’ link so that you can manage other aspects of what information is stored about you and your Google-based activities.

‘Data and Personalisation’ Section

When you log into your Google account, go to your account page and click on the ‘Data and Personalisation’ link.  Here you will be able to see whether ‘Web & App Activity’, ‘Location History’ and ‘YouTube History’ are switched on or off.  If a control is in the ‘On’ position, you can assume that Google is tracking and storing plenty of your data relating to that activity.

Web & App Activity

As the name suggests, this relates to your activity on Google sites and apps, and this also includes your location. The stated reason for collecting this information (with your consent, via the toggle control) is to give you “personalised experiences”.  Within the ‘Activity Controls’ section here you should also be able to see tick-box controls for the tracking and storing of your Chrome history and activity from sites, apps and devices that use Google services, and for including any voice and audio recordings.

You can stop Google from tracking this further by turning off the blue toggle switch in the ‘Activity Controls’ section relating to your Web & App Activity which then gives you the option to ‘pause’ this type of tracking.

If you’d like Google to automatically delete this data either every 3 or every 18 months, select the gear icon, choose the ‘Automatically delete’ option and then choose the timeframe. Once this has been done, Google will immediately delete current data older than the timeframe you specified.  You can also choose to delete activity by last hour, last day, all time or a custom range.

Location History

By allowing Google to track your location history, Google can record and display information about where you’ve been with your devices, even if you haven’t been using a specific Google service at the time.

The positive aspects of Google storing this information are that you can get personalised maps and recommendations from Google based on places you’ve visited, and if you click on the ‘Manage Activity’ link in your location history section it can be interesting to see where you’ve been on holiday and checked in with your location.  Google lists all of what it calls the ‘confirmed’ places you’ve visited (which Google gives you the option to confirm yourself) and the so-called ‘unconfirmed’ places.

The disadvantage of Google storing (and of you reviewing) this kind of information is that if it fell into the hands of criminals, or of people you would specifically not want to know where you are, the data could be used to cause harm, e.g. showing a burglar that you’re away from home on holiday.  You may also feel that the information stored about your habits is a little too much like ‘big brother’ or borders on an infringement of your privacy.

You can stop Google from tracking this further by turning off the blue toggle switch in the ‘Activity Controls’ section relating to your Location History which then gives you the option to ‘pause’ this type of tracking.

If you’d prefer Google to automatically delete this data either every 3 or every 18 months, select the gear icon, choose ‘Automatically delete Location History’, then choose the timeframe. Once this has been done, Google will immediately delete current data older than the timeframe you specified. You can go back over these steps and check that the visual location timeline is empty if you really want to be sure that Google has complied with your request.

Your YouTube History

Google tracks your YouTube search and watch history i.e. what videos you’ve searched for, watched and when, and this is used by Google to show videos at the top of the page when you next visit YouTube that you may be interested in based on your History.  There could, however, be several downsides to this e.g. on a shared computer, not wanting others to see which videos you have been watching, or the suggestions may not be things you are actually interested in at that point in time.

As with the other aspects of what Google stores and tracks, it’s a case of following the arrow next to ‘YouTube History’ link in your ‘Data & personalisation’ section of Google and setting your preferences from there.

Your Purchase History

CNBC research in May 2019 highlighted how Googlemail creates a (difficult to delete) page of your purchase history which it was believed was created by tracking your purchase receipt emails, and perhaps details stored in locations other than the inbox.

Google states in its accounts help section that “Your Google Account includes purchases and reservations made using Search, Maps, and your Assistant” (note that there’s now no mention of Googlemail) and according to Google, the feature is included as a way of organising things “to help you get things done”.  Getting things done, for example, means asking your Google Assistant about the shipping status of a purchase, or asking your Google Assistant to show you your flight reservations, or using Google’s search to ask questions like, “Is my flight on time?”

Deleting From Your Purchases Page

In Google’s help section here https://support.google.com/accounts/answer/7673989 and in the subsection ‘delete your purchases and reservations’, Google provides instructions on how to delete them i.e. sign in to your Google account, go to the Purchases page (for which a link is provided),  view your purchase details and select ‘Remove Purchase’, and follow the on-screen deletion instructions.

Downloading Your Data

If you’d like to download the data from the Google ‘products’ you’ve used, Google lets you do this here: https://support.google.com/accounts/answer/3024190?hl=en&ref_topic=7188671

Beware

Even though Google does appear to allow you to manage most aspects of what data is collected about you and your activities when signed in, there have been suggestions, reports and stories published online indicating that you could still be tracked by Google when signed out.  For example, back in August 2018, an Associated Press report accused Google of recording the locations of its users via their mobile devices even when they had asked not to be tracked by turning their “Location History” off. Also, some have suggested that cookies have been used to help track YouTube activity when you’re signed out, that Google can use information from Wi-Fi and other wireless signals near your phone to keep tracking you, and that there appear to be some contradictions between Google’s statements on certain privacy issues.

Looking Forward

For many of us, we’d like to have control of our personal data (if we had the time to check it all) and are pleased that there are now laws (e.g. GDPR) to help us to do this, but we’re also aware of the value of personal data to legitimate businesses e.g. for personalisation of services, and in marketing communications which have always been valuable in gaining, retaining, and maximising the value of customers.

Clearly, data security and privacy laws perform an important role of protection, and technology giants, as well as other companies and organisations, need to continue abiding by these laws and it is helpful to allow customers easy access to see and to personally manage what information is held about them both privately and publicly.

Facebook Sued Down-Under For £266bn Over Cambridge Analytica Data Sharing Scandal

Six years after the personal data of 87 million users was harvested and later shared without user consent with Cambridge Analytica, Australia’s privacy watchdog is suing Facebook for an incredible £266bn over the harvested data of its citizens.

What Happened?

From March 2014 to 2015 the ‘This Is Your Digital Life’ app, created by British academic, Aleksander Kogan and downloaded by 270,000 people which then provided access to their own and their friends’ personal data too, was able to harvest data from Facebook.

The harvested data was then shared with (sold to) data analytics company Cambridge Analytica, in order to build a software program that could predict and use personalised political adverts (political profiling) to influence choices at the ballot box in the last U.S. election, and for the Leave campaign in the UK Brexit referendum.

Australia

The lawsuit, brought by the Australian Information Commissioner against Facebook Inc alleges that, through the app, the personal and sensitive information of 311,127 Australian Facebook Users (Affected Australian Individuals) was disclosed and their privacy was interfered with.  Also, the lawsuit alleges that Facebook did not adequately inform those Australians of the manner in which their personal information would be disclosed, or that it could be disclosed to an app installed by a friend, but not installed by that individual.  Furthermore, the lawsuit alleges that Facebook failed to take reasonable steps to protect those individuals’ personal information from unauthorised disclosure.

In the lawsuit, the Australian Information Commissioner, therefore, alleges that the Australian Privacy Principle (APP) 6 has been breached (disclosing personal information for a purpose other than that for which it was collected), as has APP 11 (failing to take reasonable steps to protect the personal information from unauthorised disclosure).  Also, the Australian Information Commissioner alleges that these breaches are in contravention of section 13G of the Privacy Act 1988.

£266 Billion!

The massive potential fine of £266 billion has been arrived at by multiplying the maximum of $1,700,000 (£870,000) for each contravention of the Privacy Act by the 311,127 Australian Facebook Users (Affected Australian Individuals).

What Does This Mean For Your Business?

Back in July 2018, 16 months after the UK Information Commissioner’s Office (ICO) began its investigation into Facebook’s sharing of users’ personal details with political consulting firm Cambridge Analytica, the ICO announced that Facebook would be fined £500,000 for data breaches.  This Australian lawsuit, should it not go Facebook’s way, represents another in a series of such actions over the same scandal, but the £266 billion figure would be a massive hit and would, for example, totally dwarf the biggest settlement to date against Facebook, the $5 billion paid to the US Federal Trade Commission over privacy matters.  To put it in even greater perspective, an eye-watering potential fine of £266 billion would make the biggest GDPR fine to date, the £183 million proposed against British Airways, look insignificant.

Clearly, this is another very serious case for Facebook to focus its attention on, but the whole matter highlights just how seriously data security and privacy are now taken and how they have been written into different national laws with very serious penalties for non-compliance. Facebook has tried hard since the scandal to introduce and publicise many new features and aspects of its service that could help to regain the trust of users, both in its platform’s safeguarding of their details and in stopping fake news from being distributed via its platform.  This announcement by the Australian Information Commissioner is therefore likely to be an extremely painful reminder of a regrettable period in the tech giant’s history, not to mention a potential financial threat to Facebook.

For those whose data may have been disclosed, shared and used in a way that contravened Australia’s laws, they may be pleased that their country is taking such a strong stance in protecting their interests and this may send a very powerful message to other companies that store and manage the data of Australian citizens.

Billions Of Devices At Risk Due To Wi-Fi Chip Vulnerability

A security threat to devices, Wi-Fi access points (APs), and routers that comes from the Kr00k Wi-Fi chip vulnerability could affect billions according to security researchers.

Kr00k

The existence of Kr00k, also known by the catchy name of CVE-2019-15126 was made public at the recent RSA Conference in San Francisco and its discovery was attributed to ESET security researchers Miloš Cermák, Robert Lipovský and Štefan Svorencík.

Broadcom and Cypress Chips

According to the researchers, the Kr00k vulnerability is present in Wi-Fi chips manufactured by Broadcom and Cypress.  These chips are present in billions of devices. Before patches were developed and released (which many major manufacturers have now done), the kinds of devices at risk included home smart speakers (Amazon Echo), Kindles, smartphones (Apple iPhone and Samsung Galaxy), the Raspberry Pi 3 and many Wi-Fi routers and access points that use Broadcom chips.

What Could Happen?

The Kr00k vulnerability could allow attackers to decrypt some Wi-Fi traffic and so gain access to data. It is triggered by a disassociation, the temporary disconnection that occurs when a device moves between access points or when the signal is weak. On an affected chip, disassociation clears the session encryption key (the WPA2 temporal key) to an all-zero value, but any data frames still waiting in the chip’s transmit buffer are then sent encrypted with that all-zero key. Because disassociation frames are not authenticated on most WPA2 networks (only networks using Protected Management Frames reject forged ones), an attacker within range can forge them to trigger the flaw repeatedly, capture the leaked frames and decrypt them with the known zero key.

This kind of attack, however, may not be as easy as it sounds: attackers need to be within radio range of the target network, and each disassociation only leaks the few kilobytes of data that happened to be buffered at the time.
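To make the mechanism concrete, here is an added example (not ESET’s code or any vendor’s) showing why an all-zero temporal key is fatal for WPA2-CCMP. A CCMP data frame is AES-CCM encrypted under the 128-bit session key, and the nonce and additional authenticated data are built entirely from fields that travel in the clear in the 802.11 header, so anyone who knows the key can verify the MIC and decrypt. The code encrypts one frame under a normal key and one under the zero key, the way a Kr00k-affected chip flushes its buffer after disassociation, then runs the zero-key check a capture tool would run over every frame. It uses the `cryptography` package (`pip install cryptography`); the addresses, the session key and the payloads are constructed for the example, and the header handling covers a basic non-QoS three-address data frame only (real payloads also start with an LLC/SNAP header, omitted here).

```python
"""Kr00k-style zero-key decryption check against constructed WPA2-CCMP frames (added example)."""
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

ZERO_TK = bytes(16)   # the key an affected chip falls back to after disassociation
MIC_LEN = 8           # CCMP MIC length
HDR_LEN = 24          # basic three-address 802.11 data header
CCMP_HDR_LEN = 8      # PN0, PN1, reserved, KeyID|ExtIV, PN2, PN3, PN4, PN5


def _nonce(a2: bytes, pn: bytes, priority: int = 0) -> bytes:
    # CCMP nonce = priority octet || transmitter address (A2) || 48-bit PN, big-endian
    return bytes([priority]) + a2 + pn


def _aad(hdr: bytes) -> bytes:
    # AAD = masked Frame Control || A1 || A2 || A3 || masked Sequence Control.
    # Subtype, Retry, Power Mgmt and More Data bits are zeroed, Protected is set,
    # and only the fragment number of Sequence Control is kept (IEEE 802.11 CCMP).
    fc = bytes([hdr[0] & 0x8F, (hdr[1] & 0xC7) | 0x40])
    sc = bytes([hdr[22] & 0x0F, 0x00])
    return fc + hdr[4:22] + sc


def build_frame(tk: bytes, a1: bytes, a2: bytes, a3: bytes, seq_num: int, pn: bytes, plaintext: bytes) -> bytes:
    """Encrypt plaintext as a protected data frame (FC = data, ToDS, Protected) under key tk."""
    hdr = bytes([0x08, 0x41]) + bytes(2) + a1 + a2 + a3 + (seq_num << 4).to_bytes(2, "little")
    ccmp_hdr = bytes([pn[5], pn[4], 0x00, 0x20, pn[3], pn[2], pn[1], pn[0]])
    body = AESCCM(tk, tag_length=MIC_LEN).encrypt(_nonce(a2, pn), plaintext, _aad(hdr))
    return hdr + ccmp_hdr + body


def decrypt_frame(frame: bytes, tk: bytes):
    """Return the plaintext if the frame's MIC verifies under tk, else None."""
    hdr = frame[:HDR_LEN]
    c = frame[HDR_LEN:HDR_LEN + CCMP_HDR_LEN]
    pn = bytes([c[7], c[6], c[5], c[4], c[1], c[0]])   # reassemble PN5..PN0
    a2 = hdr[10:16]
    try:
        return AESCCM(tk, tag_length=MIC_LEN).decrypt(
            _nonce(a2, pn), frame[HDR_LEN + CCMP_HDR_LEN:], _aad(hdr))
    except InvalidTag:
        return None


def kr00k_scan(frames):
    """Plaintext of every frame that decrypts under the all-zero key, i.e. every Kr00k leak."""
    leaked = []
    for frame in frames:
        plaintext = decrypt_frame(frame, ZERO_TK)
        if plaintext is not None:
            leaked.append(plaintext)
    return leaked


# Constructed addresses, session key and payloads (not from any real capture).
AP = bytes.fromhex("0c8ddb0a1b2c")
STA = bytes.fromhex("3c2eff112233")
REAL_TK = bytes.fromhex("00112233445566778899aabbccddeeff")

NORMAL = build_frame(REAL_TK, AP, STA, AP, 17, (0x1234).to_bytes(6, "big"), b"GET /balance HTTP/1.1\r\n")
# After a forced disassociation the chip has zeroed its key but still flushes this buffered frame:
LEAKED = build_frame(ZERO_TK, AP, STA, AP, 18, (0x1235).to_bytes(6, "big"), b"POST /login user=alice&pw=hunter2")

if __name__ == "__main__":
    print("leaked frames:", kr00k_scan([NORMAL, LEAKED]))
```

The same `kr00k_scan` logic, fed with frames from a monitor-mode capture, is how you would confirm whether a given chip is still affected after patching: if anything decrypts under the all-zero key, the firmware is not fixed.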

Related to Krack

Some security commentators have noted that Kr00k is related to Krack (discovered in 2017), a vulnerability that was also a threat to devices connected over Wi-Fi and also required attackers to be in close proximity to the network.  There is an important difference, though: Krack was a flaw in the Wi-Fi Protected Access 2 (WPA2) protocol itself (it abused the four-way handshake to reinstall an already-used key), so it affected every correct implementation, whereas Kr00k is an implementation bug in particular Broadcom and Cypress chips, which is why a firmware or driver update fixes it.

What Does This Mean For Your Business?

The security researchers who discovered Kr00k shared their findings with the relevant manufacturers early-on which meant that the major manufacturers were able to quickly develop and release patches, thereby significantly reducing the scale of the threat posed by Kr00k.  Also, the need for attackers to be in close proximity to a Wi-Fi network to exploit the vulnerability is unlikely to be particularly attractive to many cybercriminals who prefer methods that allow maximum financial gain with minimum effort and that position them a long distance from their targets in a way that cannot be traced back to them.

Additionally, in this case, even though it is technically possible for attackers to use the disassociation period to decrypt Wi-Fi traffic, much of the data they would want is additionally encrypted at the application layer, for example by TLS for HTTPS traffic, so what is exposed is limited to traffic sent in the clear (such as plain HTTP, DNS queries or unencrypted internal services) plus the metadata of who is talking to whom.

Tech Tip – Ransomware Protection in Windows 10

Ransomware is still a common threat to businesses, but you may not know that Windows 10 already has a ransomware protection feature built into Windows Defender, which is usually disabled by default.  Here’s how to enable it:

N.B. If you already have third-party antivirus software installed and Windows Defender’s real-time protection is disabled, the Ransomware Protection features screen and Controlled Folder Access feature won’t be accessible to you. You’ll find this out when you follow these instructions:

– Click on the Start menu.

– Type Windows Security and select the search result, or go to the Settings app, then to Update & Security > Windows Security.

– Open Windows Security and click on the Virus & Threat Protection option

– Scroll down to Ransomware Protection and click on the Manage ransomware protection option.

– On the next page you will see a description of Controlled folder access; switch the toggle on to enable it.

– Controlled folder access is what provides the protection: it blocks untrusted programs from changing files in protected folders (Documents, Pictures and so on by default).  The OneDrive sign-in shown under ‘Ransomware data recovery’ is optional and only gives you a way to restore files if an attack does get through.

– Once enabled, use ‘Protected folders’ to add any other folders you want monitored, and ‘Allow an app through Controlled folder access’ to whitelist legitimate programs that are blocked from writing to them.  Expect a few such blocks in the first days, so test with your line-of-business applications before rolling it out widely.

Dentist’s Legal Challenges To Anonymity of Negative Google Reviewer

ABC News in Australia has reported how a Melbourne dentist has convinced a Federal Court Judge to order tech giant Google to produce identifying information about a person who posted a damaging negative review about the dentist on Google’s platform.

What Happened?

The dentist, Dr Matthew Kabbabe, alleges that a reviewer’s comment posted on Google approximately three months ago advised others to “stay away” from his practice and that it damaged his teeth-whitening business and had a knock-on negative impact on his life.

Google provides the review platform to benefit businesses (if the reviews are good), to encourage and guide businesses to give good service, and to help Google users decide whether to use a service; in this case the comment was the only bad one on a page of five-star reviews. In addition to the possibly defamatory nature of the comment, Dr Kabbabe objected to the anonymity that Google offers posters, since an anonymous review could be posted by a competitor or a disgruntled ex-employee to damage his (or any other) business.  This drove him to take the matter to the Federal Court after, it has been reported, his requests to Google to take the comment down were unsuccessful.

Landmark Ruling

Not only did Federal Court Judge Justice Bernard Murphy order Google to divulge identifying information about the comment poster, listed only as “CBsm 23” (name, phone number, IP addresses and location metadata), but Google has also been ordered to provide the names and email addresses of any other Google accounts used from the same IP address during the period in question.

Can Reply

Reviews posted on Google can be replied to by businesses as long as the replies comply with Google’s guidelines.

Dealing with apparently unfair customer comments online is becoming more common for many businesses. For example, hotels and restaurants have long struggled with how to respond to potentially damaging criticism left by customers on TripAdvisor. Recently, the owner of the Oriel Daniel Tearoom in Llangefni, Anglesey made the news by answering negative comments with brutal responses and threats of lifetime bans.

What Does This Mean For Your Business?

For the most part, potential customers are likely to take a balanced view of the comments they read when finding out more about a business. However, the fact that a Federal judge has ruled that those who post potentially damaging comments cannot hide behind online anonymity means there may well be an argument for platforms to amend their rules to redress the balance more in favour of businesses. It does seem unfair that, as in the dentist’s case, where the overwhelming majority of comments have been good, an individual who may be a competitor or someone with an axe to grind can anonymously and publicly publish damaging comments, justified or not, for a global audience, with no need to prove their allegations, something that would be subject to legal scrutiny in the offline world. It will be interesting to see Google’s response to this ground-breaking ruling.

Google Indexing Makes WhatsApp Group Links Visible

A journalist has reported on Twitter that WhatsApp groups may not be as private as users think: the invite URLs generated by the “Invite to Group via Link” feature can be indexed by Google, making the groups discoverable across the Internet.

Links Visible

WhatsApp chats are end-to-end encrypted, and a group can be joined by anyone who has been given its invite URL. Until now it had not been widely appreciated that invite links could be indexed by Google (and other search engines) and found with simple searches. However, it appears that group links which had been shared outside the private messaging app could be found (and the groups joined).

Exposed

The consequence of these 45,000+ invite links being found in searches is that anyone can join the groups and access details such as the names and phone numbers of the participants. Targeted searches can surface links to groups based around a number of sensitive subjects.

Links

WhatsApp group admins can reset an invite link, which invalidates the old URL, but WhatsApp immediately generates a replacement link, so the group remains joinable by anyone who obtains the new one. Resetting only helps if the new link is then kept private.

Only Share Links With Trusted Contacts

WhatsApp warns users to share invite links only with trusted contacts. The links that appeared in Google searches did so because the URLs had been publicly posted, i.e. shared outside the app on pages that search engines crawl.

Changed

Google already offers tools (such as robots.txt rules and noindex directives) that let site owners keep content out of search results, and since the discovery (and subsequent publicity) of the WhatsApp invite links being indexed, some commentators have reported that Google no longer lists them. It has also been reported, however, that publicly posted WhatsApp invite links can still be found using other popular search engines.

Recent Security Incident

One other high-profile incident reported recently, which may cause some users to question the level of security of WhatsApp, was the story about Amazon CEO Jeff Bezos’s phone allegedly being hacked by unknown parties thought to be acting for Saudi Arabia after a mysterious video was sent to Mr Bezos’s phone over WhatsApp.

Also, last May there were reports of an attack on WhatsApp using what was thought to be a ‘zero-day’ exploit to load spyware onto the victim’s phone. Once the spyware was on the device, it could have had access to decrypted chats, photos, contacts and other information. That kind of attack may also have allowed eavesdropping on calls and turning on the microphone and camera, as well as enabling attackers to alter the call logs to hide the method of infection. At the time, it was reported that the attack may have originated from a private Israeli company, the NSO Group.

What Does This Mean For Your Business?

In this case, although it is alarming that the details of many group members may have been exposed, it is likely to be because links for those groups were posted publicly rather than shared privately with trusted members as the app recommends. That said, it is of little comfort to those who believed that their WhatsApp group membership and personal details are always totally private. It is good news, therefore, that Google appears to have taken action to stop this happening in future. Hopefully, other search engines will now do the same.

WhatsApp’s end-to-end encryption protects message content in transit, so that even WhatsApp cannot read it, but it does nothing for an invite link that has been posted on the open web, and it cannot protect a phone that has already been compromised by spyware, as the two incidents above show. Considering that the app has at least 1.5 billion users worldwide, surprisingly few stories have emerged that have brought its general security into question.

Worries About Huawei Persist

Security fears about Huawei products being used in the new 5G networks are still being expressed by the Trump administration, while Google has clarified its position on the matter.

What’s So Bad About Huawei?

Back in July 2018, espionage chiefs from Australia, Canada, New Zealand, the U.K. and the U.S. (the so-called ‘Five Eyes’) agreed at a meeting to try to contain the global growth of Chinese telecoms company Huawei (the world’s biggest producer of telecoms equipment) because of the threat that it could be using its phone network equipment to spy for China. This led to the US, Australia and New Zealand barring Huawei Technologies Ltd. (with Japan more or less joining the ban) as a supplier for fifth-generation networks.

The Trump administration drew further attention to the matter in December 2018, when Meng Wanzhou, the chief financial officer of Huawei, was detained in Vancouver at the request of U.S. authorities over alleged violations of US sanctions on Iran.

Since then, other countries have joined the ban and other allegations have been made against Huawei e.g. the US Department of Justice (DOJ) charged Huawei with bank fraud and stealing trade secrets back in January 2019.

What About The UK?

As for the UK government, it will allow Huawei equipment to be used in the country’s 5G network, but not in core network functions or critical national infrastructure, and not at nuclear and military sites. This led to White House chief of staff Mick Mulvaney visiting just last week to try to dissuade the UK from using Huawei’s products in phone networks.

Latest Warning From the US

The latest warning about Huawei products from the US has been voiced by Robert Strayer, who is the US deputy assistant secretary for cyber and communications. Mr Strayer, who is on a tour of Europe this week, warned that allowing Huawei to provide key aspects of the 5G network infrastructure could allow China to undermine it and to have access to “sensitive data”.  Mr Strayer piled on the pressure by warning that if the UK adopts Huawei as a 5G technology vendor it could threaten aspects of intelligence sharing between the US and UK.

Google Clarifies

As a US company, Google has been barred by the Trump administration since May 2019 from working with Huawei, which last year led to Google confirming (via a blog post) that it would not be working with Huawei on new device models or providing any Google apps (Gmail, Maps, YouTube, Play Store) for preload or download on Huawei devices.

In the light of more recent allegations and warnings about Huawei, Google has chosen to clarify its position in an article on its support pages (find it here https://support.google.com/android/thread/29434011?hl=en).  The article states that “To protect user data privacy, security, and safeguard the overall experience, the Google Play Store, Google Play Protect, and Google’s core apps (including Gmail, YouTube, Maps, and others) are only available on Play Protect certified devices”.

Google says in the article that sideloaded Google apps will not work reliably on Huawei devices. Sideloaded apps are those installed from outside the Play Store, so they have not been through the Play Protect certification process that checks a device and its apps before they are allowed to run Google’s services. The fear is that a sideloaded app could appear genuine and normal but have been altered or tampered with in ways that compromise user security.

What Does This Mean For Your Business?

The Trump administration is keeping up the pressure on countries with which it has security and defence connections, and over which it has leverage as an ally or friend, to avoid installing Huawei products in their networks, particularly in critical parts. Clearly, a Republican administration (and in this case an apparently inward-looking one championing US companies) in a country which has traditionally seen communist China as a threat is likely to be at least suspicious of Huawei products. It is, of course, unknown exactly what evidence exists to support the idea, and it should also be remembered that it is not long since President Trump launched a trade war with China, and that he may be additionally conscious of spying by foreign powers after the allegations of Russian influence on his own election as president.

For US, European and other trusted network equipment vendors, less business for Huawei could mean more for them. The bad publicity also appears to have hurt Huawei’s sales of phone handsets, which has meant that US, Japanese and other phone suppliers have picked up more phone business.

In the run-up to the next US presidential election, and with the UK looking for trade deals outside the EU, it is likely that the US will continue to try to bring the UK and other countries round to its way of thinking about Huawei.