Archive for Internet Security

Facebook Bans Deepfake Videos

In a recent blog post, ahead of the forthcoming US election, Monika Bickert, Vice President of Facebook’s Global Policy Management, has announced that the social media giant is banning deepfakes and “all types of manipulated media”.

Not Like Last Time

With the 59th US presidential election scheduled for Tuesday, November 3, 2020, Facebook appears to be taking no chances after the trust-damaging revelations around unauthorised data sharing with Cambridge Analytica, and the use of the platform by foreign powers such as Russia in an attempt to influence the outcome of the 2016 election of Donald Trump.

The fallout of the news that 50 million Facebook profiles were harvested as early as 2014 in order to build a software program that could predict and use personalised political adverts to influence choices at the ballot box in the last U.S. election includes damaged trust in Facebook, a substantial fine, plus a fall in the number of daily users in the United States and Canada for the first time in its history.

Deepfakes

One of the key concerns to Facebook this time around appears to be so-called ‘deepfake’ videos.  These use deep learning technology and manipulated images of target individuals (found online), often celebrities, politicians, and other well-known people, to create very convincing videos of the subjects saying and doing whatever the video-maker wants them to. These videos could obviously be used to influence public thinking about political candidates and, beyond any influence on election results, it would be very damaging for Facebook, which has been very public about trying to rid itself of ‘fake news’, to be seen as a platform for the easy distribution of deepfake videos.  No doubt Facebook’s CEO Mark Zuckerberg would like to avoid having to appear before Congress again to answer questions about his company’s handling of personal data, as he had to back in April 2018.

The New Statement From Facebook

This latest blog post statement from Facebook says that as a matter of policy, it will now remove any misleading media from its platform if the media meets two criteria, which are:

  • If it has been synthesised, i.e. edited beyond mere adjustments for clarity or quality, to the point where the ‘average person’ could be misled into thinking the subject of the media/video is saying words that they did not actually say, and…
  • If the media is the product of artificial intelligence or machine learning that has merged, replaced or superimposed content onto a video, in order to make it appear to be authentic.

Not Satire

Facebook has been careful to point out that this policy change will not affect content that is clearly intended to be parody or satire, or videos that have been edited just to omit or change the order of the words featured in them.

Existing Policies

Any media posted to Facebook is subject to the social media giant’s existing comply-or-be-removed ‘Community Standards’ policies which cover, among other things, voter suppression and hate speech.

What Will Happen?

Facebook says that any videos that don’t meet its standards for removal are still eligible for review by one of its independent third-party fact-checkers (which include 50+ partners worldwide) and that any photos or videos rated as false or partly false (by a fact-checker) will have their distribution “significantly” reduced in News Feed and will be rejected if they are being run as an ad. Also, those who see such content and try to share it, or have already shared it, will be shown warnings alerting them that it’s false.

Measures

Facebook has taken many measures to ensure that it is not seen as a platform that can’t be trusted with user data or as a distributor of fake news.  For example:

– In January 2019 Facebook announced (in the UK) that it was working with London-based, registered charity ‘Full Fact’ to review stories, images and videos, in an attempt to tackle misinformation that could “damage people’s health or safety or undermine democratic processes”.

– In September 2019, Facebook launched its Deepfake Detection Challenge, with $10 million in grants and with a cross-sector coalition of organisations, in order to encourage the production of tools to detect deepfakes.

– In October 2019, Facebook launched the ‘News’ tab on its mobile app to direct users to unbiased, curated articles from credible sources in a bid to publicly combat fake news and help restore trust in its own brand.

– Facebook has partnered with Reuters to produce a free online training course to help newsrooms worldwide to identify deepfakes and manipulated media.

Criticism

Despite this recent announcement of a policy change to help eradicate deepfakes from its platform, Facebook has been criticised by some commentators for appearing to allow some videos which could be described as misinformation in certain situations (apparently of its choosing).  For example, Facebook has said that content that violates its policies could be allowed if it is deemed newsworthy, e.g. presumably, the obviously doctored videos of Labour’s Keir Starmer and US House Speaker Nancy Pelosi.

What Does This Mean For Your Business?

Clearly, any country would like to guard against outside influence in its democratic processes and the deliberate spread of misinformation, and bearing in mind the position of influence that Facebook has, it is good for everyone that it is taking responsibility and trying to block obvious attempts to spread misinformation by altering its policies and working with other organisations. Businesses that use Facebook as an advertising platform also need to know that Facebook users have trust in (and will continue to use) that platform (and see their adverts), so it’s important to businesses that Facebook is vigilant and takes action where it can.  Also, by helping to protect the democratic processes of the countries it operates in, particularly in the US at the time of an election (and bearing in mind what happened last time), it is in Facebook’s own interest to protect its brand against any accusations of allowing political influence through a variety of media on its platform, and against any further loss of trust by its public. This change of policy also shows that Facebook wants to be seen as ready to deal with the most up-to-date threat of deepfakes (even though they are relatively rare).

That said, Google and Twitter (with its new restrictions on micro-targeting for example), have both been very public about trying to stop all lies in political advertising on their platforms, but Facebook has just been criticised by the IPA over its decision not to ban political ads that are using micro-targeting and spurious claims to sway the opinions of voters.

Email Security (Part 1)

In this week’s featured article, which is the first of two parts on what is a huge subject for businesses to tackle, we take a look at some of the important issues of email security and how businesses can try to strengthen this crucial area of their cyber-defences.

Most Breaches Involve Email

Over 90 per cent of breaches now involve email, and Proofpoint’s Annual Human Factor Report figures, for example, show that social engineering is strongly favoured as a way in by cybercriminals. 99 per cent of these email attacks rely on victims clicking links.

Statistics like these reveal some of the key challenges that businesses and organisations face on a daily basis, such as how to defend effectively against the whole range of email attacks, how to spot and eliminate threats as they arrive, and how to ensure that staff are aware of email threats and know what to do when faced with suspicious emails and links.

Types of Email-Based Attacks

There is a vast array of attacks launched through email systems (often relying on social engineering) including targeted phishing schemes, business email compromises, and ransomware attacks.

– Ransomware is still a popular attack and extortion method, and Trend Micro reported a 77 per cent surge in malware attacks during the first half of 2019.

– Phishing is a cheap, easy and highly effective method for criminals to gain access to company systems, steal important data and money, and create a cornerstone of all kinds of other hacking campaigns. Just some of the high profile examples from the news this year include fake voicemail messages being used to lure victims into entering their Office 365 email credentials into a phishing page, Thomas Cook customers being targeted by phishing attacks in the wake of the travel company going into receivership, and news of Lancaster University being hit by a large, sophisticated phishing attack aimed at grabbing the details of new student applicants.

Verizon’s 2019 Data Breach Investigations Report showed that 32 per cent of data breaches involve phishing. Phishing threats to businesses are also evolving and becoming more sophisticated all the time. For example, PhishLabs recently discovered a tactic whereby attackers used a malicious Microsoft Office 365 app to gain access to a victim’s account without the need for the account holder to give up their credentials to the attackers – worrying!

The National Cyber Security Centre offers advice on how to protect your business/organisation from phishing attacks here: https://www.ncsc.gov.uk/guidance/phishing.

There are also a number of phishing test sites available online so that you (or staff members) can see if you’re able to spot a phishing email.

– Malware attachments to emails. There is now a staggering number of malware types that businesses and organisations have to protect themselves against. For example, over 800 million different types were encountered in 2018, and some commentators are predicting that variants will reach over 1 billion by 2020!

A Number of Sources

Email-based attacks don’t simply target your own email system directly; they may also come from sources such as supplier email systems that have been compromised, or they may use details stolen in breaches elsewhere as part of the campaign.

Protecting Your Business Against Email Threats

There are many ways that you can try to protect your email system from email attacks and try to minimise the risk of human error that is so important in social engineering attacks. These include:

Help From the Big Tech Companies:

Microsoft

Microsoft offers a number of ways that businesses and organisations can help keep their email secure, such as:

– Outlook’s Junk Email Filter, and the Report Message add-in for Outlook.

– Office 365’s Advanced Threat Protection (ATP) plans which offer a variety of leading-edge tools to investigate, understand, simulate, and prevent threats.

– Secure Score for Office 365 – a way to measure and get suggestions about how to protect your business from threats, all through a centralised dashboard.

– The “campaign views” tool in Office 365, which is designed to offer greater protection from phishing attacks by enabling businesses to spot the pattern of a phishing campaign across individual messages.

More information: The Microsoft blog here gives 6 email security best practices to protect against phishing attacks and business email compromise: https://www.microsoft.com/security/blog/2019/10/16/top-6-email-security-best-practices-to-protect-against-phishing-attacks-and-business-email-compromise/

Google

Google also offers a number of tools and suggestions, including:

– Advanced security settings for G Suite administrators to protect against phishing and malware (find out more here: https://support.google.com/a/answer/9157861?hl=en).

– Offering steps to identify compromised accounts (see https://support.google.com/a/answer/2984349?hl=en&ref_topic=2683865).

– Advice on Firewall settings.

You may, of course, already be using another email protection system.

Other Advice

Advice on how to protect your company from email-based attacks such as phishing and malware is widely available, and in addition to the measures already covered (e.g. using Microsoft security tools), some basic measures that companies take include:

– Always keeping anti-virus and patching up to date.

– Staff education and training, e.g. how to spot suspicious emails and what to do and what not to do, such as not clicking on links from unknown sources.

– Disabling HTML emails if possible (text-only emails can’t launch malware directly).

– Encrypting sensitive data and communications as an added layer of protection.

– Getting into the routine of checking your bank account’s activity for suspicious charges.

– Making sure important and sensitive company data is backed up and including business email compromise (BEC) in business continuity planning and disaster recovery planning.

– Preventing email archives from being publicly exposed e.g. by making sure that archive storage drives are configured correctly.

– Monitoring for any exposed credentials (particularly those of finance department emails).

– Using Two-Factor Authentication (2FA) where possible. Enterprise users may also wish to block .html and .htm attachments at the email gateway level so that they don’t reach members of staff, some of whom may not be up to speed with their Internet security knowledge.

– Not using the same password for multiple platforms and websites (password reuse). This is because credentials stolen in one breach are likely to be tried on many other websites by other cybercriminals (credential stuffing) who have purchased/acquired them, e.g. on the dark web.
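Two of the measures above (disabling HTML email where possible, and blocking .html/.htm attachments at the gateway) can be expressed as a MIME-level check. The following is an added example written for this article, not code from any vendor or product; it uses only the Python standard library, and the three sample messages are constructed here to cover each outcome.

```python
import email
import email.policy
from dataclasses import dataclass, field
from email.message import EmailMessage

# File extensions the gateway refuses to pass on to staff (from the list above).
BLOCKED_SUFFIXES = (".html", ".htm")


@dataclass
class Verdict:
    action: str                                  # "deliver", "flag" or "quarantine"
    reasons: list = field(default_factory=list)


def inspect_message(raw: bytes) -> Verdict:
    """Walk every MIME part of a raw message and apply two rules:
    1. an attached .html/.htm file (by filename or declared type) -> quarantine;
    2. an HTML body with no text/plain alternative -> flag for review."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    reasons = []
    has_plain = has_html = False
    for part in msg.walk():
        if part.is_multipart():          # containers carry no content themselves
            continue
        ctype = part.get_content_type()
        filename = (part.get_filename() or "").lower()
        attached = part.get_content_disposition() == "attachment"
        if attached and (filename.endswith(BLOCKED_SUFFIXES) or ctype == "text/html"):
            reasons.append(f"blocked attachment: {filename or ctype}")
            continue
        if ctype == "text/plain":
            has_plain = True
        elif ctype == "text/html":
            has_html = True
    if reasons:
        return Verdict("quarantine", reasons)
    if has_html and not has_plain:
        return Verdict("flag", ["html-only body: no text/plain alternative"])
    return Verdict("deliver")


def build_samples() -> dict:
    """Three constructed test messages (not real mail) covering each outcome."""
    plain = EmailMessage()
    plain["From"] = "alice@example.test"
    plain["To"] = "bob@example.test"
    plain["Subject"] = "Quarterly figures"
    plain.set_content("The figures are in the shared drive, folder Q3.")

    html_only = EmailMessage()
    html_only["From"] = "it-desk@example.test"
    html_only["To"] = "bob@example.test"
    html_only["Subject"] = "Password expiry"
    html_only.set_content(
        "<html><body><a href='http://portal.example.test/'>Renew now</a></body></html>",
        subtype="html")

    with_attachment = EmailMessage()
    with_attachment["From"] = "billing@example.test"
    with_attachment["To"] = "bob@example.test"
    with_attachment["Subject"] = "Invoice attached"
    with_attachment.set_content("Please open the attached invoice.")
    # A text/html attachment (e.g. a stand-alone form); the gateway must stop it
    # regardless of the case of the extension.
    with_attachment.add_attachment(
        "<html><form action='http://portal.example.test/'></form></html>",
        subtype="html", filename="invoice.HTML")
    return {"plain": plain.as_bytes(), "html_only": html_only.as_bytes(),
            "attachment": with_attachment.as_bytes()}


if __name__ == "__main__":
    for name, raw in build_samples().items():
        verdict = inspect_message(raw)
        print(f"{name:>10}: {verdict.action} {verdict.reasons}")
```

The filename rule catches attachments whose declared Content-Type lies (e.g. application/octet-stream with an .htm name), and the type rule catches HTML attachments with no name at all.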

Looking Forward and Getting Prepared

In today’s environment, attackers can adapt their campaigns and methods so quickly, and use methods that evade the more common protection solutions (‘polymorphic’ attacks), that businesses and organisations find themselves in a position where known signature and reputation-based checks aren’t enough. They need to be able to get a fuller picture and find solutions that can focus effectively on zero-day and targeted attacks in addition to known vectors. Looking forward, there is also the future threat of AI machine-learning software possibly being able to generate phishing URLs that can beat popular security tools, and of the threats posed (further in the future) by the possible use of quantum computers in cyberattacks; these are subjects that we will look at briefly in part 2 of our look at email security. For now, stay safe.

New Phishing Tracker For Office 365

Microsoft is launching a new “campaign views” tool in Office 365 that is designed to offer greater protection from phishing attacks by enabling businesses to spot the pattern of a phishing campaign across individual messages.

Context and Visibility

Microsoft is in a good position to leverage the large amount of anti-phishing, anti-spam, and anti-malware data and experience that it has across the entire Office 365 service world-wide to identify campaigns. It is this information that feeds into the campaign views tool.

The idea is that the extra context and visibility that campaign views provides gives the full story of how an organisation has been targeted. This additional dimension of defence means that an organisation and its users can see if/how defences have held up against popular attacks, and adjust its own defences accordingly, based on these insights.

What It Shows

The kind of information that the ‘campaign views’ tool can reveal to security teams includes:

  • A summary of a phishing campaign, i.e. when it started, its pattern and timeline, the size and spread of the campaign, and how many known victims there have been (including whether users have clicked on the phishing link).
  • A list of IP addresses and senders associated with the attack, plus a list of all the URLs that were used in the attack.
  • A look at which messages were blocked, delivered to junk or quarantine, or allowed to get through to the inbox.

Today’s Attacks ‘Morph’ To Get Around Defences

Today’s email attacks are often the sophisticated output of factory-like cybercrime operations where new templates and variances can be rapidly created, generated, and scaled-up in a way that is designed to offer the best chance of maximising financial gain while evading detection and capture.

For example, in a single campaign, the attackers can make multiple changes and variants (morphs), e.g. changes in the sending infrastructure, the sending IPs and sending domains, sender names and addresses, URLs, and the hosting infrastructure for their attack sites. These morphs can, therefore, enable attackers to get around popular defence tactics such as blocking known bad URLs, sending IP addresses, or sending domains.
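To make concrete how a campaign view can tie morphing messages together (the list under “What It Shows” and the morphs described just above), here is an added illustration written for this article; it is not Microsoft’s code and the clustering rule is an assumption of the example. The gateway records are constructed using documentation IP ranges and reserved .example names, not real indicators.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlsplit

# Constructed gateway records: one voicemail lure sent through four morphs
# (different IPs, sender domains and URL hosts) plus one unrelated internal mail.
RECORDS = [
    {"ts": "2019-12-02T08:01:00", "ip": "203.0.113.10", "sender": "alerts@vm-notice1.example",
     "subject": "Voicemail 4417 received", "url": "http://vm-portal1.example/listen/4417",
     "disp": "blocked", "clicked": False},
    {"ts": "2019-12-02T08:14:00", "ip": "203.0.113.77", "sender": "alerts@vm-notice2.example",
     "subject": "Voicemail 9021 received", "url": "http://vm-portal2.example/listen/9021",
     "disp": "junk", "clicked": False},
    {"ts": "2019-12-02T09:30:00", "ip": "198.51.100.5", "sender": "noreply@pbx-alerts.example",
     "subject": "Voicemail 77 received", "url": "http://pbx-alerts.example/listen/77",
     "disp": "inbox", "clicked": True},
    {"ts": "2019-12-02T10:02:00", "ip": "198.51.100.9", "sender": "noreply@pbx-alert3.example",
     "subject": "Voicemail 120 received", "url": "http://pbx-alert3.example/listen/120",
     "disp": "inbox", "clicked": False},
    {"ts": "2019-12-02T11:45:00", "ip": "203.0.113.200", "sender": "hr@example.test",
     "subject": "Holiday rota 2020", "url": "http://intranet.example.test/rota/2020",
     "disp": "inbox", "clicked": False},
]


def fingerprint(subject: str, url: str) -> str:
    """Assumed clustering rule: keep what the phishing kit leaves fixed (subject
    wording, URL path shape) and drop what morphs (numbers, hosts, senders)."""
    subj = re.sub(r"\d+", "#", subject.lower()).strip()
    path = re.sub(r"\d+", "#", urlsplit(url).path.lower())
    return f"{subj}|{path}"


@dataclass
class Campaign:
    key: str
    first_seen: datetime
    last_seen: datetime
    messages: int = 0
    ips: set = field(default_factory=set)
    sender_domains: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    dispositions: Counter = field(default_factory=Counter)  # blocked/junk/inbox
    clicks: int = 0                       # known victims: users who followed the link


def build_campaigns(records) -> list:
    """Group records by fingerprint and roll up the fields a campaign view shows."""
    by_key = {}
    for r in records:
        key = fingerprint(r["subject"], r["url"])
        ts = datetime.fromisoformat(r["ts"])
        c = by_key.setdefault(key, Campaign(key, ts, ts))
        c.first_seen = min(c.first_seen, ts)
        c.last_seen = max(c.last_seen, ts)
        c.messages += 1
        c.ips.add(r["ip"])
        c.sender_domains.add(r["sender"].split("@", 1)[1])
        c.urls.add(r["url"])
        c.dispositions[r["disp"]] += 1
        c.clicks += int(r["clicked"])
    return sorted(by_key.values(), key=lambda c: c.messages, reverse=True)


def describe(c: Campaign) -> str:
    """One-line summary: when it started, size, spread, what got through, victims."""
    return (f"{c.key}: {c.messages} msgs {c.first_seen:%H:%M}-{c.last_seen:%H:%M}, "
            f"{len(c.ips)} IPs, {len(c.sender_domains)} sender domains, "
            f"{len(c.urls)} URLs, dispositions={dict(c.dispositions)}, clicked={c.clicks}")


if __name__ == "__main__":
    for campaign in build_campaigns(RECORDS):
        print(describe(campaign))
```

Blocking any one IP, domain or URL from the first record would have stopped only that morph; the fingerprint groups all four, and the roll-up shows that two copies reached the inbox and one user clicked.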

Value

Microsoft says that the extra context and visibility that ‘campaign views’ gives security teams means that they can be more effective and efficient. For example, once armed with the information that ‘campaign views’ provides, security teams can be better at remediating compromised/vulnerable users, improving the general security posture (by removing configuration flaws), investigating related/similar campaigns, and hunting and tracking any threats that have the same indicators of compromise.

What Does This Mean For Your Business?

Email is one of the main ways that cybercriminals can gain access to company systems and phishing campaigns are an all-too-common way to dupe businesses into clicking on links in often convincing-looking pages, thereby releasing the malware that causes so much damage, or imparting password and financial information. ‘Campaign views’ appears to be another potentially valuable tool in the cyber defences of businesses with its main strong point being that it gives a much fuller picture of real-world attacks. This additional context and data can help businesses to become much better prepared and more proactive in finding and closing the door on rapidly evolving email security threats.

Featured Article – How Does Encryption Work?

Encryption comes from the age-old science of cryptography.  In the digital world of today, encryption refers to using algorithms, run on electronic devices, to scramble messages and data so that they are unintelligible to anyone who tries to intercept them; it also provides an effective way to lock our electronic devices.

Using Encryption

Encryption can be used for most things that have an internet connection, such as messaging apps, personal banking apps, websites, online payment methods, files and more.

Why?

Cybercriminals seek our personal data (especially financial details), which they can find in our files, on our personal devices, and on websites/platforms and places online where we have submitted that data, e.g. for registration/login, payment, or in the form of emails and other messages. Our personal data may also be stored in many different places (servers and databases) across the Internet and the digital world.

Verizon figures show that nearly one-third of all data breaches in 2018 involved phishing and that phishing was present in 78% of cyber-espionage incidents and the installation and use of backdoors.  Also, IT Governance figures, for example, show that 421,103,896 data records were confirmed to have been breached in October this year (still only 50% of the monthly average!) in 111 incidents (including the compromising of sensitive and financial information).

A recent nCipher survey showed that the main driver for encryption is the protection of sensitive information and that organisations use encryption to protect intellectual property and the personal information of their customers.

Symmetric and Asymmetric Encryption

There are two main encryption methods, symmetric and asymmetric. Both rely on encryption algorithms, and the use of prime numbers forms a fundamental part of popular encryption methods.

Note: You will often hear the term ‘keys’ used as part of the explanation of encryption.  A key in this sense is a random (but unique) string of bits, generated by an algorithm, that is used to scramble and unscramble data.  Generally, the longer the key, the harder it is to break the encryption.

Symmetric encryption uses the same (identical) key for encrypting and decrypting data. With symmetric encryption, two or more parties have access to the same key. This means that although it is still secure, anyone who holds the key can decrypt the data as well as encrypt it.  Symmetric key encryption is generally used for encrypting large amounts of data efficiently, e.g. 256-bit AES keys are symmetric keys.

Asymmetric encryption, on the other hand, uses a pair of keys, one for encrypting the data and the other for decrypting it. For the first key (used to encrypt data), ‘public key’ cryptography uses an algorithm to generate very complex keys, which is why asymmetric encryption is considered to be more secure than symmetric encryption (the public key cannot be used to run the encryption backwards).  With asymmetric encryption, the public key is shared with the servers to enable the message to be sent, but the private key (held by the owner of the key pair) is kept secret. The message can only be decrypted, therefore, by a person with the private key that matches the public one. Different public-key systems can use different algorithms.
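The following is an added educational example (not from the article’s sources) that makes the key-pair description and the role of prime numbers concrete using textbook RSA: two primes produce a public key that anyone may use to encrypt and a private key that alone decrypts. The primes here are small, constructed values chosen so the arithmetic is visible; real deployments use primes of hundreds of digits plus padding such as OAEP, and this toy must not be used to protect anything.

```python
from math import gcd


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) from two distinct primes p and q.

    n = p*q is published; recovering d from (n, e) requires factoring n,
    which is what makes the private key private when p and q are large."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)           # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("public exponent e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)               # modular inverse: e*d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can do this: c = m^e mod n."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the holder of d can reverse it: m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def encrypt_bytes(public_key, data: bytes) -> int:
    """Encode a short byte string as one integer block and encrypt it."""
    return encrypt(public_key, int.from_bytes(data, "big"))


def decrypt_bytes(private_key, c: int, length: int) -> bytes:
    return decrypt(private_key, c).to_bytes(length, "big")


if __name__ == "__main__":
    # Constructed primes (around one million); far too small for real use.
    public, private = generate_keypair(1000003, 1000033)
    print("public key  (n, e):", public)    # shared with everyone
    print("private key (n, d):", private)   # never leaves the owner
    ciphertext = encrypt_bytes(public, b"hi")
    print("ciphertext:", ciphertext)
    print("decrypted :", decrypt_bytes(private, ciphertext, 2))
```

Python’s built-in modular exponentiation is the whole algorithm; the security rests entirely on the size of the primes, which is why the article’s note that longer keys are harder to break applies directly here.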

Public Key Encryption – HTTPS

Public key encryption is widely used and is useful for establishing secure communications over the Internet, e.g. for TLS/SSL, which enables HTTPS.  For example, a website’s SSL/TLS certificate is shared publicly and contains the public key, but the private key is on the origin server, i.e. it is “owned” by the website.

Different Methods of Encryption

There are numerous common encryption algorithms and methods.  These include:

  • RSA – Unveiled by three mathematicians back in 1977, RSA is a public-key encryption algorithm and a common standard for encrypting data sent over the internet.
  • Triple DES – designed to replace the original Data Encryption Standard (DES) algorithm and uses three individual keys with 56 bits each.  Triple DES is being used less frequently now but is still used in financial services and other industries.
  • Blowfish – also designed to replace the original Data Encryption Standard (DES).  This is a flexible and strong standard that is found in many different software categories e.g. e-commerce platforms (to protect passwords).
  • Twofish – One of the fastest, can be used in hardware and software environments, and (like Blowfish) is freely available and often bundled in encryption programs.
  • AES – Advanced Encryption Standard (AES) is an incredibly strong encryption algorithm used by the U.S. Government, and likely to become the private sector standard in future.

Free Encryption

In addition to Blowfish and Twofish, other free encryption tools include LastPass (a popular password manager), VeraCrypt (available for Windows, OS X and Linux OS), and FileVault2 (good for encrypting data on macOS devices and Mac hardware).

Windows 10 includes its own encryption tool ‘BitLocker’ which enables you to use encryption on your PC’s hard drive and on removable drives.

End-to-End Encryption

End-to-end encryption is used to encode and scramble information so only the sender and receiver can see it. For example, WhatsApp uses end-to-end encryption and although the messages go through a server, none of those messages can be read by anyone other than the sender and receiver.

WhatsApp and its end-to-end encryption were criticised by Amber Rudd in 2017 (who was Home Secretary at the time) when it was revealed that the first London Bridge terror attackers used WhatsApp to plan the attack and to communicate.  This led to government calls for ‘back doors’ to be built into WhatsApp and other end-to-end encrypted communications tools to allow government monitoring.  These calls were resisted on the grounds that building back doors means that security is compromised, and cybercriminals could also exploit these back doors.

Fails

Although encryption provides effective security and privacy it is not always infallible. For example:

  • Back in May 2018, a German newspaper released details of a security vulnerability, discovered by researchers at Munster University of Applied Sciences, in PGP (Pretty Good Privacy) data encryption. PGP is an encryption program that is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and disk partitions, and to increase the security of e-mail communications.
  • Also, in October this year a report by a former Google employee on the ‘Freedom of the Press Foundation’ website warned organisations that any data stored on Google’s G Suite is not encrypted, can be accessed by administrators and can be shared with law enforcement on request.

Quantum Threat

One of the threats to existing encryption that many tech commentators fear in the near future comes from quantum computers.  Quantum computers can perform certain calculations much faster than classical computers, and this could enable them to defeat the encryption that currently protects our data, e.g. our online banking records and other personal documents on hard drives.  Once people have access to (commercial) quantum computers, this could become a real threat; access to quantum systems is already being offered via the cloud.

As well as the quantum threat, there is also some concern among tech and security commentators about the encryption and anonymisation technology that is being used to hide criminal activity, e.g. on the dark web.

The Future

In the immediate future, therefore, some companies are seeking to address the threat of quantum computers cracking existing encryption algorithms. Estimates of when there will be commercially available quantum computers powerful enough to do so range between 10 and 20 years, although state-sponsored use of quantum computers for wrongdoing could conceivably happen sooner.

The National Institute of Standards and Technology (NIST) is already running a public competition to standardise “post-quantum” algorithms and pushing researchers to look ahead to this era.

Recently, IBM researchers, working with academic partners, developed two quantum-resistant lattice-based algorithms, Kyber (key encapsulation) and Dilithium (digital signatures), which make up the “Cryptographic Suite for Algebraic Lattices” (CRYSTALS) and are candidates in the NIST process.  These have enabled IBM to create what it describes as the world’s first quantum computing-safe tape drive.

In the meantime, however, with cyber threats evolving at a fast pace, companies and organisations that don’t use encryption as one of their security tools are effectively making things too easy for cybercriminals to access their data, with potentially devastating consequences.

Despite Patches, Researchers Warn That Intel Chips Are Still Vulnerable

The New York Times has reported that despite Intel issuing patches for security flaws (that were discovered last year) in its processors, security researchers are alleging that the processors still have some serious vulnerabilities.

What Flaws?

In January 2018, it was revealed that nearly all computer processors made in the last 20 years contained two classes of flaw, known as ‘Meltdown’ and ‘Spectre’. Both could allow a malicious program to read data held in the memory of other running programs, data that the processor’s own protection mechanisms should have kept out of reach.

Meltdown, discovered independently by researchers from Google’s Project Zero, Graz University of Technology in Austria and the security firm Cyberus Technology in Germany, mainly affects Intel processors (and a small number of ARM cores). It abuses ‘speculative execution’, the performance optimisation whereby a processor works ahead on instructions that may turn out not to be needed, together with the fact that the results of that work leave traces in the cache even when the memory access should have been blocked.

Meltdown could, for example, leave passwords and personal data vulnerable to attack, and applies to cloud service providers (where one tenant’s code could read memory belonging to the host or to other tenants) as well as to individual devices. It is believed that Meltdown affects every Intel processor since 1995, except Intel Itanium and Intel Atom before 2013.

Spectre, which affects Intel, AMD and ARM (mainly Cortex-A) processors, tricks other applications into speculatively executing code that leaks their confidential information through side channels such as cache timing. Spectre affects almost all systems including desktops, laptops, cloud servers and smartphones.

8 More Flaws Discovered

Then, in May 2018, 8 more security flaws in chips/processors were discovered by several different security teams.  The new ‘family’ of bugs was dubbed Spectre Next Generation (Spectre-NG).

September 2018

According to reports by The New York Times, the Dutch researchers (at Vrije Universiteit Amsterdam) also reported a range of security issues in Intel’s processors to the company in September 2018 and provided Intel with proof-of-concept code to help it develop fixes.

14 Months On – Only Some Fixes

It has been reported that after waiting 8 months to allow Intel enough time to develop fixes (only some of which have been issued), and more than a year after providing Intel with the proof-of-concept code, the researchers saw Intel announce further security updates only earlier this week.

More Vulnerabilities

Unfortunately for Intel, just as it announced the new security fixes last week, the researchers notified it of more unfixed flaws, and it has been alleged that Intel asked the researchers to alter their report about the flaws and to effectively stay quiet about them.

MDS

The latest unpatched flaw in Intel processors that the researchers from Amsterdam, Belgium, Germany and Austria have gone public about is a new variant of the microarchitectural data sampling (MDS) family, of which the RIDL (Rogue In-Flight Data Load) and ZombieLoad attacks disclosed in May 2019 are the best-known members. MDS exploits the fact that data passing through the processor’s internal buffers (‘in flight’) can be sampled by unprivileged code running on the same core, so an attacker who can run code on the victim’s machine, including in a browser or in a neighbouring virtual machine, can force the processor to leak data belonging to other processes, the operating system kernel or other cloud tenants.

Criticism

The news that there may still be flaws in Intel’s processors after the company appears to have had a long time to fix them has prompted some criticism of Intel online, some of it reported in the New York Times e.g. allegations  that there has been a lack of transparency about the issue from Intel, that the company has tried to downplay the problems, and allegations that Intel may not decide to do much to fix the problem until its reputation is at stake.

What Does This Mean For Your Business?

Bearing in mind that these flaws exist at the microarchitectural level, in the silicon of the majority of processors in use, and cannot simply be uninstalled, this story is bad news for businesses that have been legitimately trying to make themselves fully compliant with GDPR and as secure as possible from attack.

For the time being, and unless processor companies completely redesign their processors to eliminate the flaws, closing hardware flaws with software is the only realistic way to tackle the problem: operating-system patches, CPU microcode updates delivered through firmware or the OS, and in some cases disabling hyper-threading (SMT), at a cost in performance. This can be a big job for manufacturers, software companies and the organisations that apply the fixes. It is good practice anyway for businesses to install all available patches, make sure that they are receiving updates for all systems, software and devices, and check that the mitigations are actually active rather than assume that a patch run has taken care of it.
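
On Linux that last check does not have to be guesswork: the kernel publishes the status of each of these issues, including MDS, in one file per flaw under /sys/devices/system/cpu/vulnerabilities. The Go program below is an added example (not code from the researchers, Intel or The New York Times) that reads that directory and lists the entries still needing attention. What counts as ‘needs action’ here (reported vulnerable, status unknown, or mitigated but with SMT still flagged) is an assumption of this example, and the sample data in the accompanying test is constructed, modelled on the strings the kernel prints.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// vulnDir is where the Linux kernel publishes one file per
// speculative-execution issue (the mds entry appeared in 5.1 and stable backports).
const vulnDir = "/sys/devices/system/cpu/vulnerabilities"

type Status string

const (
	NotAffected Status = "not affected"
	Mitigated   Status = "mitigated"
	Vulnerable  Status = "vulnerable"
	Unknown     Status = "unknown"
)

// Classify maps the text of one sysfs file to a status. The kernel writes
// "Not affected", "Mitigation: ...", "Vulnerable", "Vulnerable: ..." or,
// for some entries under a hypervisor, "Unknown: ...".
func Classify(text string) Status {
	s := strings.TrimSpace(text)
	switch {
	case s == "Not affected":
		return NotAffected
	case strings.HasPrefix(s, "Mitigation:"):
		return Mitigated
	case strings.HasPrefix(s, "Vulnerable"):
		return Vulnerable
	default:
		return Unknown
	}
}

// NeedsAction is true when the host still has work to do: the issue is
// vulnerable or unknown, or the mitigation note says SMT (hyper-threading)
// is still exposed, which the mds entry reports when SMT is left enabled.
func NeedsAction(text string) bool {
	st := Classify(text)
	return st == Vulnerable || st == Unknown || strings.Contains(text, "SMT vulnerable")
}

// Findings returns, sorted, the names of the entries that still need action.
func Findings(entries map[string]string) []string {
	var out []string
	for name, text := range entries {
		if NeedsAction(text) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// ReadSysfs loads every file in dir into a name -> content map.
func ReadSysfs(dir string) (map[string]string, error) {
	items, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	entries := make(map[string]string, len(items))
	for _, it := range items {
		b, err := os.ReadFile(filepath.Join(dir, it.Name()))
		if err != nil {
			return nil, err
		}
		entries[it.Name()] = string(b)
	}
	return entries, nil
}

func main() {
	entries, err := ReadSysfs(vulnDir)
	if err != nil {
		fmt.Println("cannot read", vulnDir+":", err, "(not Linux, or a kernel too old to report)")
		return
	}
	for _, name := range Findings(entries) {
		fmt.Printf("%-18s %s\n", name, strings.TrimSpace(entries[name]))
	}
}
```

Run it on a fleet after a patch cycle and the interesting output is not the machines that print nothing but the ones where mds still says “no microcode” (the firmware update never arrived) or “SMT vulnerable” (the OS patch is in but hyper-threading is still sharing the core with untrusted code).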

The hope is now that researchers can put enough pressure on processor manufacturers e.g. through bad publicity to make them speed up their efforts to tackle the known security flaws in their products.

Research Says Memes Can Tell Between Humans and Bots

Researchers from the University of Delaware have concluded that when it comes to authentication for logins, memes may be one of the strongest techniques for distinguishing between a human and a bot.

The Bot Challenge

One of the great challenges to websites when it comes to authentication for logins is that software bots can fool relatively simple tests such as ticking a box to say ‘I’m not a robot’ and CAPTCHAs (both word- and image-based). Also, neural networks and machine learning have been used to train bots to behave more like humans.  With more than half of web traffic believed to be made up of bots, stopping bots from gaining easy access to sensitive data requires an authentication system that can reliably tell humans and bots apart.

Memes Could Be The Answer

According to the University of Delaware researchers, memes change constantly, bots do not get cultural references and online humour, and humans understand memes at a depth that bots cannot, so memes could be the answer to the ‘bot or human’ authentication challenge.

Memes are activities, concepts, catchphrases, or pieces of media, often humorous and/or mimicking, and commonly in the form of an image, gif or video that have cultural meaning and tend to be shared widely on social media platforms.

How Could Memes Work For Authentication?

According to the researchers, after the correct username and password have been verified on login to a website, a meme could be displayed along with a question about it that a bot would struggle to answer.  For example, the question could concern the facial expression of the person in the meme or the action taking place in it (a bot cannot reliably tell what the expression is or what it means in the context of that meme). Several possible answers would be offered, and clicking the right one grants the person entry to the website.

The vast number of memes available online means that once a meme and its answer options have been used for one authentication, they can be deleted from the database, so that no answer is kept long enough to be learned by bots.
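
To make that one-use property concrete, here is an added Go example (not the University of Delaware researchers’ code) of the server side: a challenge store that takes a meme out of the pool the moment it is shown, accepts exactly one answer per challenge ID within a deadline, and never sends the answer index to the client. The three memes and their questions are constructed sample data; the image paths and the two-minute deadline are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// Challenge is one meme plus a question about it. Image is the path the
// front end would render; the answer index never leaves the server.
type Challenge struct {
	ID      string
	Image   string
	Prompt  string
	Options []string
	answer  int
}

// Store holds memes not yet shown (pool) and memes shown to a user and
// awaiting exactly one answer (issued).
type Store struct {
	mu     sync.Mutex
	pool   []Challenge
	issued map[string]Challenge
	expiry map[string]time.Time
	ttl    time.Duration
}

func NewStore(pool []Challenge, ttl time.Duration) *Store {
	return &Store{pool: pool, issued: map[string]Challenge{}, expiry: map[string]time.Time{}, ttl: ttl}
}

// SamplePool is constructed data standing in for a real meme database.
// The questions are about expression and action, as the researchers suggest.
func SamplePool() []Challenge {
	return []Challenge{
		{Image: "memes/distracted.jpg", Prompt: "How does the woman on the right feel?",
			Options: []string{"amused", "bored", "annoyed", "asleep"}, answer: 2},
		{Image: "memes/this-is-fine.jpg", Prompt: "What is the dog doing?",
			Options: []string{"drinking coffee while the room burns", "running away", "calling for help", "sleeping"}, answer: 0},
		{Image: "memes/success-kid.jpg", Prompt: "What does the toddler's clenched fist express?",
			Options: []string{"fear", "triumph", "hunger", "confusion"}, answer: 1},
	}
}

func randomID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// Issue takes a random meme out of the pool, so it is served at most once,
// records when the answer is due, and returns a copy safe to send to the client.
func (s *Store) Issue(now time.Time) (Challenge, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if len(s.pool) == 0 {
		return Challenge{}, errors.New("challenge pool exhausted; replenish from the meme feed")
	}
	n, err := rand.Int(rand.Reader, big.NewInt(int64(len(s.pool))))
	if err != nil {
		return Challenge{}, err
	}
	i := int(n.Int64())
	c := s.pool[i]
	s.pool = append(s.pool[:i], s.pool[i+1:]...)
	if c.ID, err = randomID(); err != nil {
		return Challenge{}, err
	}
	s.issued[c.ID] = c // server-side copy keeps the answer
	s.expiry[c.ID] = now.Add(s.ttl)
	c.answer = -1 // the client copy carries no answer
	return c, nil
}

// Verify consumes the challenge whatever the outcome: a second guess against
// the same ID, or an answer arriving after the deadline, is rejected, so a bot
// cannot enumerate the options or replay an answer it learned elsewhere.
func (s *Store) Verify(id string, choice int, now time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.issued[id]
	if !ok {
		return false
	}
	deadline := s.expiry[id]
	delete(s.issued, id)
	delete(s.expiry, id)
	return !now.After(deadline) && choice == c.answer
}

func main() {
	store := NewStore(SamplePool(), 2*time.Minute)
	c, err := store.Issue(time.Now())
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("show %s: %q options %v\n", c.Image, c.Prompt, c.Options)
	fmt.Println("first option accepted:", store.Verify(c.ID, 0, time.Now()))
	fmt.Println("retry accepted:", store.Verify(c.ID, 0, time.Now()))
}
```

Because Verify deletes the entry before it looks at the answer, a wrong guess costs the bot the whole challenge rather than one of four options, and a stale challenge ID that the bot captured from an earlier session is simply unknown to the store.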

What Does This Mean For Your Business?

With more than half of web traffic made up of bots, with bots able to fool many existing systems, and with the data security, privacy and fraud risks that bots pose, businesses need to know that their websites have an effective system that can accurately distinguish between humans and bots at the login stage, without making authentication too complicated or lengthy for registered users.

The cultural references, humour, and subtleties in memes could, therefore, make them an effective way to make that distinction, and could keep businesses ahead of the game until AI/machine learning in bots necessitates another change.

Office 365 Voicemail Phishing Scam Warning

Security company McAfee has reported observing a phishing scam which uses a fake voicemail message to lure victims into entering their Office 365 email credentials into a phishing page.

How The Attack Works

According to McAfee’s blog, the first step in the phishing scam is the victim being sent an email informing them that they have missed a phone call.  The email includes a request to log in to their account to access their voicemail.

The email message actually contains an HTML attachment which, when opened, redirects the victim to a phishing website. Although there are slightly different versions of the attachment, the most recent examples are reported to contain an audio recording designed to make the victim believe they are listening to the beginning of a legitimate voicemail.

Once redirected to the bogus Microsoft account login page, the victim will see that their email address has already been pre-filled in the login field, helping to create the illusion that this is their real Microsoft login page.

If the victim enters their password, the deception continues as they are shown a page saying that their login has been successful, and they are being re-directed to the home page.

Three Different Phishing Kits

Cybercriminals frequently buy-in phishing kits to launch their attacks. These are collections of software tools, created by professional phishers, that can be purchased and downloaded as a set. These phishing kits make it much easier for those with limited technical and coding skills or phishing experience to launch a phishing attack.

McAfee reports that as many as three different phishing kits are being used to make the fake websites involved in this scam. These are:

  1. Voicemail Scmpage 2019 – being sold on an ICQ channel, and used to harvest your email, password, IP Address and location details.
  2. Office 365 Information Hollar – similar to Voicemail Scmpage 2019 and used to harvest the same data.
  3. A third unnamed kit, which McAfee says is the most prevalent malicious page it has observed while tracking this particular campaign.  McAfee says that this kit appears to reuse code from a 2017 malicious kit that was used to target Adobe users.

File Names For The Attachments

To help you spot this phishing attack, McAfee has listed the file names of the attachments in the phishing email as being:

  • 10-August-2019.wav.html [Format: DD-Month-YYYY.wav.html]
  • 14-August-2019.html [Format: DD-Month-YYYY.html]
  • Voice-17-July2019wav.htm [Format: Voice- DD-MonthYYYYwav.htm]
  • Audio_Telephone_Message15-August-2019.wav.html [Format: Audio_Telephone_MessageDD-Month-YYYY.wav.html]

What Does This Mean For Your Business?

Reports indicate that this phishing attack has proved quite successful up until now, partly because the pages and steps appear authentic (the fake page pre-fills the user’s email address, just as the real login page does), and partly because it uses social engineering and urgency (with audio) in a way that may prompt many people to suspend their critical faculties for long enough to complete the few short actions it takes to give their details away.

The advice to businesses is, therefore, to be vigilant and not to open emails or attachments from unfamiliar sources.  You may also want to use two-factor authentication (2FA) where possible, bearing in mind that a phishing page of this kind can be extended to relay a one-time code in real time, so 2FA reduces rather than removes the risk.  Enterprise users may wish to block .html and .htm attachments at the email gateway so that they never reach members of staff, some of whom may not be up to speed with their Internet security knowledge.

There is also a strong argument for not using the same password for multiple platforms and websites (password reuse).  This is because credentials stolen in one breach are likely to be tried on many other websites (credential stuffing) by other cybercriminals who have purchased or otherwise acquired them, e.g. on the dark web.

Keeping anti-virus and software patches up to date and making sure that staff receive training and education about cybersecurity risks and what procedures should be followed if suspicious emails or other messages are spotted can also help companies to maintain good levels of cybersecurity.

Tough Questions About Libra Cryptocurrency

Facebook’s CEO, Mark Zuckerberg faced a grilling from the US Congress last week over his company’s ‘Libra’ cryptocurrency plans.

Libra

‘Libra’ is Facebook’s new cryptocurrency and global payment system that’s due to be launched in 2020.  Unlike other cryptocurrencies, Libra is backed by a reserve of cash and other liquid assets.  The idea of Libra is that spending the new currency could be as easy and fast as texting as payments can be made by a special phone app and by messaging services such as WhatsApp.  Also, Libra is intended to be of particular value to the one billion+ people around the world (including 14 million in the US) with no access to a bank account, but who could use a mobile phone-based payment system.

Management of the currency, units of which can be purchased via Libra’s platforms and stored in a digital wallet called “Calibra”, will be the responsibility of an independent group of 21 companies and non-profit organisations called the Libra Association, of which Facebook’s subsidiary ‘Calibra’ is a member.

Problems and Criticism

Facebook has, however, found itself coming in for some tough criticism over its involvement with Libra. This includes:

  • Worries about whether Facebook can be trusted with peoples’ financial details in the light of its part in the personal data-sharing scandal with Cambridge Analytica.
  • Concerns from ‘Group of Seven’ (G7) finance chiefs about whether Libra could address “serious regulatory and systemic concerns”.
  • President Trump tweeting that he’s not a fan of Libra, and central bank chiefs such as Mark Carney also expressing concerns about Libra.
  • Worries that Libra could be used as a means to bypass rules relating to money laundering and tax evasion (which is believed to have led to PayPal leaving the Libra Association recently).
  • Warnings that Libra could be blocked in Europe (especially in France) unless concerns over risks to consumers and to the monetary systems of countries can be addressed.

Congress Grilling

The grilling of Mark Zuckerberg at the US Congress last week, at the House Financial Services Committee’s hearing, focused on many of the key concerns.  For example:

  • Democrat Nydia Velázquez asked Mark Zuckerberg why Facebook should be trusted after the recent privacy scandals and data breaches/data sharing relating to the Cambridge Analytica affair.
  • Democrat Joyce Beatty criticised Mark Zuckerberg over an apparent lack of knowledge of diversity and housing advertisement issues and alleged that Zuckerberg hadn’t read her reports.
  • Republican Patrick McHenry criticised the technology industry and highlighted the current anger towards it.

Prepared Statement Covered Many Concerns

Mark Zuckerberg’s prepared statement for the hearing appears to have anticipated and answered the main concerns.  For example, as well as stressing that Facebook is committed to strong consumer protections for the financial information it receives, Mark Zuckerberg addressed three main concerns, saying that:

  1. Where people are concerned that Facebook is moving too fast on the Libra project, Facebook is committed to taking the time to get this right.
  2. Where it has been suggested that Facebook could circumvent regulators and regulations with Libra, Facebook won’t actually be a part of launching the Libra payments system anywhere in the world unless all US regulators approve it.
  3. Libra is not an attempt to create a sovereign currency but, like existing online payment systems, it’s simply intended to be a way for people to transfer money.

So What?

Despite the grilling, many commentators have pointed out that the House Financial Service Committee and Congress don’t actually have the power to do much about the introduction of Libra.  Some commentators have also suggested that the hearing was as much about political grandstanding as it was about Libra and that politicians are finding it hard to stay up to speed with information about cryptocurrencies.

No Regulatory Approval = Facebook Leaves the Association

Mr Zuckerberg stressed just how much he intends to play by the rules with Libra by saying that if the Libra Association moved forward without regulatory approval, Facebook “would be forced to leave the Association.”

What Does This Mean For Your Business?

Banks and governments are unlikely to adopt a favourable attitude to a new type of currency that could potentially unbalance monetary systems, could potentially get around regulations, scrutiny and control, and could even be used for money laundering and tax evasion. That said, because Libra is backed by a reserve of real assets, it is unlikely to suffer many of the huge price swings and problems that other cryptocurrencies like bitcoin have.  However, several of the big financial players that were founding members of the Libra Association, e.g. Mastercard, Visa, PayPal, Stripe and eBay, withdrew in the weeks before the hearing, so it’s clear that Facebook needs to make sure that Libra can meet all regulatory requirements and is squeaky clean if the Association wants to keep its remaining members and win back those it has lost.

If, as Mr Zuckerberg says, Libra is simply and innocently another way of paying for things that could lead to a more inclusive society e.g. by helping those without bank accounts, this could benefit not just society but whole economies too.  It looks as though Facebook still has some way to go, however, to convince governments, finance chiefs and other critics that it is the right company to be trusted with a new currency and the financial data of those who use it.

Amazon Echo and Google Home ‘Smart Spies’

Berlin-based Security Research Labs (SRL) discovered possible hacking flaws in Amazon Echo (Alexa) and Google Home speakers and installed their own voice applications to demonstrate hacks on both device platforms that turned the assistants into ‘Smart Spies’.

What Happened?

Research by SRL led to the discovery of two possible hacking scenarios that apply to both Amazon Alexa and Google Home which can enable a hacker to phish for sensitive information in voice content (vishing) and eavesdrop on users.

Knowing that some of the apps offered for use with Amazon Echo and Google Home devices are made by third parties to extend the speakers’ capabilities, SRL created its own voice apps (a Skill for Alexa and an Action for Google Home) to demonstrate both hacks on both platforms. Once the apps had passed each platform’s review, SRL changed their behaviour on its own back-end server, which the platforms do not re-review, and showed that they could request and collect personal data, including user passwords, and eavesdrop on users after they believed the smart speaker had stopped listening.

Amazon and Google Told

SRL’s results and the details of the vulnerabilities were then shared with Amazon and Google through a responsible disclosure process. Google has since announced that it has removed SRL’s Actions and is putting in place mechanisms to stop something similar happening in future.  Amazon has also said that it has blocked the Skill submitted by SRL and has put preventative mechanisms in place for the future.

What Did SRL’s Apps Do?

The apps that enabled the ‘Smart Spy’ hacks took advantage of three things: the “fallback intent” in a voice app (the handler that says “I’m sorry, I did not understand that. Can you please repeat it?”), the built-in stop intent that reacts to the user saying “stop” (whose behaviour was changed after the apps had been accepted), and a quirk in Alexa’s and Google’s text-to-speech engines that allows long pauses to be inserted in the speech output, so the device appears to have gone quiet while the app is still running.

Examples of how this was put to work included:

  • Requesting the user’s password through a simple back-end change, turning an approved Skill/Action into a password phishing page. For example, a seemingly innocent application such as a horoscope was created.  When the user asked for it, they were given a false error message, e.g. “it’s not available in your country”, followed by a minute’s silence, after which the user was told “An important security update is available for your device. Please say start update followed by your password.” Anything the user said after “start” was sent to the attacker, in this case, thankfully, SRL.
  • Faking the stop intent to allow eavesdropping on users. For example, when a user gave a ‘stop’ command and heard the ‘Goodbye’ message, the app continued to run silently and listened for trigger words such as “I”, or words indicating that personal information was about to follow, such as “email”, “password” or “address”. The subsequent recording was then transcribed and sent back to SRL.
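
Both tricks leave traces in the JSON a voice app returns, which is what a review pipeline can check. The Go program below is an added example (not SRL’s proof-of-concept and not Amazon’s or Google’s review tooling) that lints an Alexa-style response: it flags a Stop intent reply that does not end the session, adds up explicit SSML <break> pauses as a stand-in for the text-to-speech pause quirk (whose exact form is not given above), and flags speech that asks for a password or announces a ‘security update’. The response field names follow the Alexa response format; the five-second limit, the trigger phrases and the sample response in main are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// skillResponse holds the parts of an Alexa skill response the checks look at.
type skillResponse struct {
	Response struct {
		OutputSpeech struct {
			Type string `json:"type"`
			SSML string `json:"ssml"`
			Text string `json:"text"`
		} `json:"outputSpeech"`
		ShouldEndSession *bool `json:"shouldEndSession"`
	} `json:"response"`
}

var breakTag = regexp.MustCompile(`(?i)<break\s+time="(\d+(?:\.\d+)?)(ms|s)"`)

// SilenceSeconds adds up the explicit <break time="..."/> pauses in SSML.
func SilenceSeconds(ssml string) float64 {
	total := 0.0
	for _, m := range breakTag.FindAllStringSubmatch(ssml, -1) {
		v, _ := strconv.ParseFloat(m[1], 64) // the regexp guarantees a number
		if strings.EqualFold(m[2], "ms") {
			v /= 1000
		}
		total += v
	}
	return total
}

// MaxSilence is an assumed review threshold: long scripted silence is how
// the phishing Skill made the user think it had finished talking.
const MaxSilence = 5.0

// Lint checks one intent/response pair and returns the findings a
// certification reviewer (or a skill's own CI) would want raised.
func Lint(intent string, raw []byte) ([]string, error) {
	var r skillResponse
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, err
	}
	var findings []string
	end := r.Response.ShouldEndSession
	if intent == "AMAZON.StopIntent" && (end == nil || !*end) {
		// Conservative: a Stop reply must say explicitly that the session ends.
		findings = append(findings, "Stop intent does not end the session: the microphone stays open after 'Goodbye'")
	}
	speech := r.Response.OutputSpeech.SSML + " " + r.Response.OutputSpeech.Text
	if s := SilenceSeconds(speech); s > MaxSilence {
		findings = append(findings, fmt.Sprintf("%.1fs of scripted silence exceeds the %.0fs limit", s, MaxSilence))
	}
	lower := strings.ToLower(speech)
	if strings.Contains(lower, "password") || strings.Contains(lower, "security update") {
		findings = append(findings, "speech asks for a credential or announces a device update, which no Skill is entitled to do")
	}
	return findings, nil
}

func main() {
	// Constructed sample modelled on the eavesdropping flow described above.
	stop := []byte(`{"version":"1.0","response":{"outputSpeech":{"type":"SSML",
		"ssml":"<speak>Goodbye.<break time=\"10s\"/><break time=\"10s\"/></speak>"},"shouldEndSession":false}}`)
	findings, err := Lint("AMAZON.StopIntent", stop)
	fmt.Println(findings, err)
}
```

A check like this only helps if it runs against what the Skill actually returns in production, not against what it returned at certification time: the whole point of SRL’s demonstration was that the back end changed after the review had passed, so the lint belongs in ongoing monitoring of live responses, not just the one-off submission check.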

Not The First Time

This is not the first time that concerns have been raised about the spying potential of home smart speakers.  For example, back in May 2018, a US woman reported that a private home conversation had been recorded by her Amazon Echo and then sent to a random phone contact, who happened to be her husband’s employee. Also, as far back as 2016, US researchers found that they could hide commands in white noise played over loudspeakers and through YouTube videos in order to get smart devices to turn on flight mode or open a website. The researchers also found that they could embed commands directly into recordings of music or spoken text.

Manual Review Opt-Out

After the controversy over the manual, human review of recordings and transcripts taken via the voice assistants of Google, Apple and Amazon, Google and Apple paused the practice, and Amazon has now added an opt-out option for manual review of voice recordings and their associated transcripts taken through Alexa.

What Does This Mean For Your Business?

Digital Voice Assistants have become a popular feature in many home and home-business settings because they provide many value-adding functions in personal organisation, as an information point and for entertainment and leisure.  It is good news that SRL has discovered these possible hacking flaws before real hackers did (earning SRL some good PR in the process), but it also highlights a real risk to privacy and security that could be posed by these devices by determined hackers using relatively basic programming skills.

Users need to be aware of the listening potential of these devices, and of the possibility of malicious apps being operated through them.  Amazon and Google may also need to pay more attention to the reviewing of third party apps and of the Skills and Actions made available in their voice app stores in order to prevent this kind of thing from happening and to close all loopholes as soon as they are discovered.

Why You May Be Cautious About Installing The Latest Windows 10 Update

Some of Microsoft’s enterprise customers may be feeling cautious about installing the latest Windows 10 update because Microsoft warns that it could stop the Microsoft Defender Advanced Threat Protection (ATP) service from running.

The Update and Warning

The update in question is the October 15, 2019 KB4520062 (OS Build 17763.832).  The update contains a long list of improvements and fixes (see here for full details: https://support.microsoft.com/en-us/help/4520062/windows-10-update-kb4520062), but also three known issues, one of which concerns the Microsoft Defender Advanced Threat Protection (ATP) service.

What Is The ATP?

Microsoft Defender ATP is a paid-for service for Microsoft Enterprise customers (not Home or Pro customers) designed to help enterprise networks prevent, detect, investigate and respond to advanced threats. It offers endpoint behavioural sensors built into Windows 10, cloud security analytics, and access to threat intelligence generated by Microsoft’s hunters and security teams, augmented by threat intelligence provided by Microsoft’s partners.

What’s The Issue With the Update?

In the update’s release notes Microsoft says, “We suggest that devices in an affected environment do not install this optional non-security update”.

The reason given for the warning is that installing the update could cause the ATP service to stop running and fail to send reporting data.  In practice that means affected endpoints stop reporting to the security team, leaving the organisation blind to threats on those machines until a solution has been found.

Microsoft also warns that an error (0xc0000409) may be received in MsSense.exe.

Not Fixed Until November

Microsoft says that although it’s working on a resolution it estimates that it won’t have a solution to the problem until November.

One of Several Update Problems Recently

This is one of several updates from Microsoft recently that have come with problems.  For example, an update on the 16th of September was reported to have caused issues with Windows Defender.  Later in September, Microsoft had to issue two emergency Windows updates to protect against some serious vulnerabilities relating to Internet Explorer and Windows Defender (anti-virus software).

Also, the October 3 update is reported to have adversely affected the Start Menu and print spooler, and the Start Menu issues were reported to be still present following the 8 October update.

What Does This Mean For Your Business?

Although Home and Pro customers need not worry about this particular issue, Microsoft’s valued Enterprise customers, who have paid for the ATP service to help stay ahead of the game in security may be a little worried and frustrated at having to either wait until November to enjoy the improvements of the new (optional) update in safety, or install it now and risk the loss of their ATP service and face the associated potential security risks.

Microsoft customers seem to have suffered several problems related to updates in recent months, and Enterprise customers are likely to be those that Microsoft particularly does not want to upset.  It is likely, therefore, that Microsoft will be focusing on getting an appropriate solution to the new update issues out before November if possible.