Archive for Internet Security

Microsoft Tests ‘Sandbox’ Safe Browsing Extension For Chrome & Firefox

Microsoft is testing an in-browser ‘sandbox’ security extension for Chrome and Firefox that lets users access untrusted pages, safely.

Windows Defender Application Guard

The new browser extension, Windows Defender Application Guard, is already part of Microsoft’s Edge browser and will be rolled out as part of the next Windows 10 update ‘April 2019’ or 19H1 in the Spring.  It is currently being tested among Windows Insiders and will be available to Windows 10 Pro or Enterprise users when it goes live.

How Do You Use It?

When installed, users see a Windows Defender Application Guard landing page when they open their Chrome or Firefox browser. When the Firefox or Chrome user tries to access an untrusted web page / non-whitelisted URL, the new extension will work by loading a special isolated Edge tab (Windows Defender Application Guard page), not a tab in Firefox or Chrome. The sandbox page can also be initiated by the user at any time by toggling a switch in the menu settings.

Enterprise-Wide

Once the extension has been established by an enterprise network administrator it can be applied on devices across an entire company and configured by network isolation or application.  The enterprise administrator defines which web sites, cloud resources, and internal networks can be trusted, and everything that is not on this list is, therefore, considered untrusted.  In this way, it can isolate enterprise-defined untrusted sites eliminating any risk of opening potentially malicious apps on a work machine and protecting the company while employees browse the Internet.  With Windows Defender Application Guard there is less need to operate a fully-fledged virtual machine.

Why?

The new extension is part of a broader move by Microsoft to provide more convenient and secure features for its Enterprise and Pro users.

Types of Devices

The Windows Defender Application Guard was designed by Microsoft to work on enterprise desktops domain-joined and managed by the organisation, enterprise mobile laptops and BYOD mobile laptops, as well as personal devices that are not domain-joined or managed by an organisation.

What Does This Mean For Your Business?

This new extension of an existing Microsoft Edge security feature to Chrome and Firefox browser users gives enterprise admins greater and wider control to protect the organisation from threats to its network and systems that may be invited by employees who happen to browse untrusted websites. The extension is also a value-adding addition to a growing suite of features that are designed to help keep and attract valued enterprise customers.

DNS infrastructure Under Attack

The Internet Corporation for Assigned Names and Numbers (ICANN) has issued a warning that the DNS infrastructure is facing an “ongoing and significant risk” and has urged domain owners to deploy DNSSEC technology.

ICANN

ICANN is one of the many organisations involved in the decentralised management of the Internet but is specifically responsible for coordinating the top-most level of the DNS in order to ensure that it can operate in a secure and stable way and maintain universal resolvability.

Attacks

According to ICANN’s statement, public reports indicate that the DNS infrastructure is facing “multifaceted attacks utilizing different methodologies”.  Examples of such attacks include replacing the addresses of intended servers with addresses of machines controlled by attackers.  The prevalence of so-called “man in the middle” attacks, where a user is unknowingly re-directed to a potentially malicious site is of particular concern.

Cisco’s Talos Intelligence blog has highlighted how this type of attack has been carried out on a grand scale by some international players.  For example, the blog reports how Lebanon and the United Arab Emirates (UAE) have been targeting .gov domains, as well as a private Lebanese airline company.  The attackers used two fake, malicious websites containing job postings via malicious Microsoft Office documents which had embedded macros. The malware, dubbed “DNSionage” supported HTTP and DNS communication with the attackers.

The Cybersecurity Infrastructure Security Agency in the US has also been forced to order federal agencies to act against DNS tampering.

DNSSEC

One of the main ways that ICANN and Internet companies like Cloudflare and Google are suggesting that DNS-focused attacks can be countered is through the deployment of DNSSEC technology by domain owners.   Domain Name System Security Extensions (DNSSEC) has been described as a suite of Internet Engineering Task Force (IETF) specifications.  DNSSEC was designed to protect Internet resolvers/clients from forged DNS data, and it complements other technologies e.g. Transport Layer Security (usually used in HTTPS) that protect the end user/domain communication.  In essence, it cryptographically signs data to make it much more difficult to forge.

Low Adoption Rate

One of the reasons why DNS-focused attacks are so prevalent may be that the adoption rate of DNSSEC is so low – around 20%.  In fact, according to Cloudflare, only 3% of the Fortune 1,000 are using DNSSEC.

What Does This Mean For Your Business?

It is good that ICANN has identified this threat as this will now facilitate greater discussion and action and may motivate more domain owners to look into and adopt DNSSEC, hopefully across all unsecured domain names.  Although full deployment of DNSSEC is not the ultimate answer, it may go a long way towards drastically reducing the current threat.

ICANN has produced a helpful checklist of recommended security precautions that members of the domain name industry e.g. registries, registrars, resellers, and others, can proactively take to protect their systems, their customers’ systems and any that could be reached via DNS.  You can find the checklist here: https://www.icann.org/news/announcement-2019-02-15-en

Crypto-Mining Apps DiscoCrypto-Mining Apps Discovered in Microsoft Storevered in Microsoft Store

Security researchers at Symantec claim to have discovered eight apps in the Microsoft Store which, if downloaded, can use the victim’s computer to mine crypto-currency.

Only There For A Short Time Last Year

The suspect apps are reported to have only been on the Microsoft Store for a short time between April and December 2018, but it is thought that they still managed to achieve significant download numbers, as indicated by nearly 1,900 ratings posted for the apps.

Which Apps?

The suspect apps, in this case, are Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search apps.  These apps have now been removed from the Microsoft Store,

What Is Crypto-currency Mining?

‘Crypto-currency mining’ involves installing ‘mining script’ code such as Coin Hive into multiple web pages without the knowledge of the web page visitor or often the website owner. Multiple computers then join their networks so that the combined computing power can enable mathematical problems to be solved. Whichever scammer is first to solve these problems is then able to claim/generate cash in the form of crypto-currency, hence mining for crypto-currency.

Crypto-currency mining software tends to be written in JavaScript and sends any coins mined by the browser to the owner of the web site. If you visit a website where it is being used (embedded in the web page), you may notice that power consumption and CPU usage on your browser will increase, and your computer will start to lag and become unresponsive. These slowing, lagging symptoms will end when you leave the web page.

Mining For Monero

In the case of the eight suspect apps, they had been loaded with a script that had been designed to mine the ‘Monero’ crypto-currency.  Monero, which was created in April 2014 is a decentralised cryptocurrency that uses an obfuscated public ledger.  This means that anybody can broadcast or send transactions, but no one outside can tell the source.

How?

The secret mining element of the eight suspect apps worked by triggering Google Tag Manager (GTM) in their domain servers as soon as they were downloaded.  The GTM, which was shared across all eight apps, enabled them to fetch a coin-mining JavaScript library, and the mining script was then able to use most of the computer’s CPU cycles to mine Monero.

GTM – Legitimate

GTM is usually a legitimate tool that is designed to enable developers to inject JavaScript dynamically into their applications.  In this case, however, it had been used as a cloak to conceal the malicious purpose of the apps.

Not The First Time

This is not the first time that suspect apps have been discovered lurking in popular, legitimate app stores. Back in January, for example, security researchers discovered 36 fake and malicious apps for Android that can harvest a user’s data and track their location, masquerading as security tools in the trusted Google Play Store. The apps, which had re-assuring names such as Security Defender and Security Keeper, were found to be hiding malware, adware and even tracking software.

Also, back in November 2017, a fake version of WhatsApp, the free, cross-platform instant messaging service for smartphones, was downloaded from the Google Play store by more than one million unsuspecting people before it was discovered to be fake.

What Does This Mean For Your Business?

This is not the first time that apps which perform legitimate functions of the surface and are available from trusted sources such as Microsoft store have been found to have hidden malicious elements, in this case, mining scripts.  The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses, and the increasingly sophisticated activities of crypto-jackers and other cyber-criminals, combined with a global shortage of skilled cyber-security professionals to handle detection and response have left businesses vulnerable to this kind of hidden app-based threat.

Although the obvious advice is to always check what you are downloading and the source of the download, the difference between fake apps and real apps can be subtle, and even Microsoft and Google don’t always seem to be able to detect the hidden aspects of some apps.

The fact that many of us now store most of our personal and business lives on our smartphones makes reports such as these more alarming. It also undermines our confidence in (and causes potentially costly damage to) the brands that are associated with such incidents e.g. the reputation of Microsoft Store.

Some of the ways that we can try to protect ourselves and our businesses from this kind of threat include checking the publisher of an app, checking which permissions the app requests when you install it, deleting apps from your phone that you no longer use, and contacting your phone’s service provider or visit the High Street store if you think you’ve downloaded a malicious/suspect app.

Also, if you are using an ad blocker on your computer, you can set it to block a specific JavaScript URLs related to crypto-mining, and some popular browsers also have extensions that can help e.g. a browser extension called ‘No Coin’ is available for Chrome, Firefox and Opera (to stop Coin Hive mining code being used through your browser).  Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current crypto-currency mining threats and scams and what to do to prevent them, are just some of the other ways that you can maintain a basic level of protection for your business.

Scooter Hack Threat

An investigation by researchers at Zimperium® found a security flaw in the Xiaomi M365 electric scooter (the same model that is used by ridesharing companies) which could allow hackers to take control of the scooter’s acceleration and braking.

Xiaomi M365

The Xiaomi M365 is a folding, lightweight, stand-on ‘smart’ scooter with an electric motor that retails online for around £300 to £400. It is battery-powered, with a maximum speed of 15 mph, and features a “Smart App” that can track a user’s cycling habits, and riding speed, as well as the battery life, and more.

What Security Flaw?

The security flaw identified by the Zimperium® researchers is that the ‘smart’ scooter has a Bluetooth connection so that users can interact with the scooter’s features e.g. its Anti-Theft System or to update the scooter’s firmware, via an app. Each scooter is protected by a password, but the researchers discovered that the password is only needed for validation and authentication by the app, but commands can still be executed to the actual scooter without the password.

The researchers found that they could use the Bluetooth connection as a way in.  Using this kind of hack, it is estimated that an attacker only needs to be within 100 meters of the scooter to be able to launch a denial-of-service attack via Bluetooth which could enable them to install malicious firmware.  This firmware could be used by the attacker to take control of the scooter’s acceleration and braking capacities. This could mean that the rider could be in danger if an attacker chose to suddenly and remotely cause the scooter to brake or accelerate without warning.  Also, the researchers found that they could use this kind of attack to lock a scooter by using its anti-theft feature without authentication or the user’s consent.

Told The Company

The researchers made a video of their findings as proof, contacted Xiaomi and informed the company about the nature of the security flaw. It has been reported that Xiaomi confirmed that it is a known issue internally, but that no announcement has been made yet about a fix.  The researchers at Zimperium® have stated online that the scooter’s security can’t be fixed by the user and still needs to be updated by Xiaomi or any 3rd parties they work with.

Suggestion From The Researchers

The researchers have suggested that, in the absence of a fix to date, users can stop attackers from connecting to the scooter remotely by using Xiaomi’s app from their mobile before riding and connecting to the scooter.  Once the user’s mobile is connected and kept connected to the scooter an attacker can’t remotely flash malicious firmware or lock the scooter.

What Does This Mean For Your Business?

This is another example of how smart products/IoT products of all kinds can be vulnerable to attack via their Bluetooth or Internet connections, and particularly where there are password issues.  Usually, the risk comes from smart products from the same manufacturer all being given the same default password which the user doesn’t change.  In this case, the password works with the app, but in this case it appears as though the password isn’t being used properly to protect the product itself.

There have been many examples to date of smart products being vulnerable to attack.  For example, back in November 2017, German Telecoms regulator the Federal Network Agency banned the sale of smartwatches to children and asked parents to destroy any that they already have over fears that they could be hacked, and children could be spied-upon.  Also, back in 2016, cyber-criminals were able to take over many thousands of household IoT devices (white goods, CCTV cameras and printers), and use them together as a botnet to launch an online DDoS attack (Mirai) on the DNS service ‘Dyn’ with global consequences i.e. putting Twitter, Spotify, and Reddit temporarily out of action.

Manufacturers of smart products clearly need to take great care in the R&D process to make sure that the online security aspects have been thoroughly examined. Any company deploying IoT devices in any environment should also require the supply chain to provide evidence of adherence to a well-written set of procurement guidelines that relate to specific and measurable criteria.  In the mobile ecosystem and in adjacent industries, for example, the GSMA provides guidelines to help with IoT security.

As buyers of smart products, making sure that we change default passwords, and making sure that we stay up to date with any patches and fixes for smart products can be ways to reduce some of the risks.   Businesses may also want to conduct an audit and risk assessment for known IoT devices that are used in the business.

Potential Jail For Clicking on Terror Links

The new UK Counter-Terrorism and Border Security Act 2019 means that you could face up to 15 years in jail if you visit web pages where you can obtain information that’s deemed to be useful to ‘committing or preparing an act of terrorism’.

Really?

The government states that the Act is needed to “make provision in relation to terrorism; to make provision enabling persons at ports and borders to be questioned for national security and other related purposes; and for connected purposes”.

As shown online in at legislation.gov.uk, Chaper1, Section 3 of the Act, which relates to the amended Section 58 of the Terrorism Act 2000 (collection of information) for example, states that unless you’re carrying out work as a journalist, or for academic research, if a person “views, or otherwise accesses, by means of the internet a document or record containing information of that kind” i.e. (new subsection) information of a kind likely to be useful to a person committing or preparing an act of terrorism, you can be punished under the new Act.

Longer Sentences

The new Act increases the sentences from The Terrorism Act 2000, so that a sentence of 15 years is now possible in some circumstances.

The Most Terror Deaths in Europe in 2017

A Europol Report showed that the UK suffered more deaths as a result of terror attacks than any other country in Europe in 2017.  The bill which has now become the new law was first introduced on 6th June 2018 after calls to for urgent action to deal with terrorism, following three terrorist attacks on the UK within 3 months back in 2017.

Online Problem

One of the key areas that it is hoped the law will help to tackle is how the internet and particularly social media can be used to recruit, radicalise and raise money.

Criticism

The new Act, which received royal assent on 12th February, has been criticised by some as being inflexible, based too much upon ‘thought crime’, and being likely to affect more of those at the receiving end of information rather than those producing and distributing it.  The new law has also been criticised for infringing upon the privacy and freedom of individuals to freely browse the internet in private without fear of criminal repercussion, as long as that browsing doesn’t contribute to the dissemination of materials that incite violent or intolerant behaviour.

The new Act has been further criticised by MPs for breaching human rights and has been criticised by legal experts such as Max Hill QC, the Independent Reviewer of Terrorism Legislation, who is reported as saying that the new law may be likely to catch far too many people, and that a 15-year prison is “difficult to countenance when nothing is to be done with the material, it is not passed to a third party, and it is not being collected for a terrorist purpose.”

What Does This Mean For Your Business?

We may assume that most people will be unlikely to willingly view the kind of material that could result in a prison sentence, and many in the UK are likely to welcome a law that provides greater protection against those who plan and commit terror attacks or who are seeking to use online means to recruit, radicalise and raise money.  The worry is that such a law should not be so stringent and inflexible as to punish those who are not viewing or collecting material for terrorist purposes, and there are clearly many prominent commentators who believe that this law may do this.

Businesses, organisations and venues of all kinds are often caught up in (or are the focus of) terror attacks and/or must ensure that they invest in security and other measures to make sure that their customers, staff and other stakeholders are protected.  A safer environment for all in the UK is, of course, welcome, but many would argue that this should not be at the expense of the levels of freedom and privacy that we currently enjoy.

Russia Plans Disconnect From Rest of World Internet For Cyber-Defence Test

Russia has set itself a deadline of 1st April to test “unplugging” the entire country from the global Internet for reasons relating to defence and control.

Giant Intranet Dubbed “Runet”

The impending test of a complete ‘pulling up of the drawbridge’ from the rest of the world is being planned in order to ensure compliance with a new (draft) law in Russia called the Digital Economy National Program.  This will require Russia’s ISPs to show that they can operate in the event of any foreign powers acting to isolate the country online with a “targeted large-scale external influence” i.e. a cyber-attack.

The plan, which is being overseen by Natalya Kasperskaya, co-founder of Kaspersky the antivirus company and former wife of CEO Eugene, will mean that Russia can unplug from the wider Internet, and create its own internal ‘Intranet’ (the ‘Runet’) where data can still pass between Russian citizens and organisations from inside the nation rather than being routed internationally.

Moving Router Points Inside Russia

A move of this scale involves attempting to move the country’s key router points inside Russia. This means that ISPs will have to show that they can direct all Internet traffic entering and leaving Russia through state-controlled routing points, whereby traffic can be filtered so that, if required, traffic destined for outside Russia is discarded, and attempts to launch cyber-attacks on Russia can be more easily detected and thwarted.

Own Version of DNS

Other measures needed to give Russia the ability to completely unplug include building its own version of the net’s DNS address system. This is currently overseen by 12 organisations outside Russia, but copies of the net’s core address book now exist inside Russia.

Why?

Russia has been implicated in many different international incidents that could provoke cyber-attack reprisals and misinformation interference. For example, the alleged interference in US presidential election campaign and UK referendum, and the Novichok attack in Salisbury.  There has also been deterioration of the relationship between the US and Russia, and widespread criticism of Russia in the western media.

Censorship and Control?

Even though the word from Russia is that the ability to ‘unplug’ is for defence from external aggression, many commentators see it as a move to be able to exert more state control in a way that is perhaps similar that seen in China with its extensive firewall.

In Russia, control of social media could, for example, thwart attempts from the people to organise mass protests against Putin, such as those seen in 2011-13.

Also, the ability to control what people can see and say online can mean that websites that promote anti-state views and information can be blacklisted. It has been reported that there is already an extensive blacklist of banned websites and that Russia now requires popular bloggers to register with the state.  There have also been reports of Russians facing fines and jail for social media posts that have been judged to have ridiculed the Kremlin or Orthodox Church.

What Does This Mean For Your Business?

Business and trade tend to benefit from open channels of communication, and when states move to shut down communication channels in this way, it prevents the promotion and advertising of products, creates costs and bureaucracy, and damages the prospects and competitiveness of those organisations exporting to and from Russia. This kind of communications shutdown may be useful for the purposes of the state, but it can only really be harmful for international trade, and for those businesses within Russia itself looking to sell overseas.

Anything that portrays the image of a controlling and/or inward-looking state can also damage industries such as tourism and can make companies in those states appear to be risky to deal with.

Naming and Shaming of Companies With Poor Cyber Security

A report from the Cyber Security Research Group and the Policy Institute at King’s College London, has suggested that the government could help combat high cyber-crime levels by naming (and shaming) companies with poor cyber-security.

Who?

The Cyber Security Research Group at King’s College London brings together experts with backgrounds in international relations, security studies, strategic studies, intelligence, public policy, informatics and computer science in order to promote better research into cyber-security.  The other research partner in this case, the Policy Institute at King’s College London is an independent research institute focusing on using evidence and expertise to tackle societal challenges.

Cyber-crime Levels

The report highlights the fact that government’s 2018 data breach survey showed that 4 in 10 businesses experienced a cyber-security breach or attack in 2017-18 should be grounds to enable the public to see what steps are being taken by companies (or not) to keep users safe online and to protect their data.

Championing The ACD Programme

The report also champions the government’s Active Cyber Defence (ACD) programme, which was by developed the National Cyber Security Centre (NCSC) for the public sector, as something that could bring benefits if rolled-out to the private sector too, and/or if at least the tools and techniques of ACD could be extended beyond the public sector.

The report points to the relative success that ACD has had in bringing about a fall in scam emails from fake government addresses, and in shutting down thousands of “phishing” sites that pose as government agencies in order to steal users’ personal information.  Symantec figures, for example, show that phishing rates have increased across most industries and organisation sizes, and in this latest report, Tim Stevens, convenor of the Cyber Security Research Group at King’s College London notes that, according to his research findings, ACD could be rolled out beyond the public sector legally, cheaply and efficiently, with few obstacles, and could help to tackle phishing. The report, therefore, urges non-public sector organisations to engage more actively with the NCSC in order to deploy ACD as a tool to better tackle cyber-crime in the UK.

According to the National Cyber Security Centre (part of GCHQ), the ACD defence programme can be used to tackle cyber attacks in a relatively automated and scalable way. Last February, when the results of the NCSC’s Active Cyber Defence programme figures were published, they showed that UK share of visible global phishing attacks dropped from 5.3% (June 2016) to 3.1% (Nov 2017), and that 121,479 phishing sites hosted in the UK had been removed, and 18,067 sites worldwide that were spoofing UK government sites had been removed as a result of the ACD programme.

What Does This Mean For Your Business?

Reputations are valuable and vitally important to businesses, as should be cyber-security defences, and making sure that strong data protection measures are in place is critical. With this in mind, the idea that there could be a public naming and shaming of companies with poor cyber-security could be one way to incentivise action to be taken to bring about improvements and contribute to the tackling of cyber-crime across the private as well as the public sector.

The NCSC, for example, has been working with companies for some time anyway with the ACD programme to help them protect their customers.  For example, the NCSC launched a collaborative online platform where BT has been able to share its threat intelligence data with other UK ISPs, and the NCSC has offered support to BT to help strengthen its security and block malicious malware infections.

As acknowledged, however, in the Cyber Security Research Group and the Policy Institute at King’s College London report, ACD is not a finished product but a work in progress, and it is not a single entity, amenable to simple, one-off deployment. Also, a government programme that is extended to the private sector could face suspicion as being perhaps a way of the government scanning and collecting data about private organisations.  For this reason, the CSRG and King’s College London Report recommends perhaps putting a buffer between the government’s intelligence community and third parties in the form of regulatory authorities in each sector e.g. the Charity Commission in the third sector.

In reality, effective cyber-security comes from a large number of factors working together, including education and training as well as deploying relevant technologies, but the figures from the success of the ACD programme so far, show that it, or tools based upon it, could have real value as part of number of measures that could help reduce cyber-crime for private as well as public sector organisations.

Biggest Personal Data Breach Puts Password Effectiveness In The Spotlight

Password-based authentication has long been known to be less secure than other methods such as multi-step verification or biometrics, but a massive leak of a staggering 87GB of 772.9 million emails, 21.2 million passwords and 1.1 billion email address and password combinations recently shared on hacking forums has brought the inherent weaknesses of password authentication into sharp focus.

What Leak?

The massive leak of 2.6 billion rows of data from 12,000 files dubbed Collection #1 onto hacking forums was revealed in a blog post by security researcher Troy Hunt, who is most well-known for managing the ‘Have I Been Pwned’ service.

In his post, Mr Hunt said that the leaked personal data is a set of email addresses and passwords totalling 2,692,818,238 rows and is made up of many different data breaches from thousands of different sources. The data contains 772,904,991 unique email addresses, and 21,222,975 unique passwords, all of which can be put into 1,160,253,228 unique combinations.

Risks

Clearly, Mr Hunt has an interest in publicising the existence of Collection #1 and the fact that it has been incorporated into his service to help publicise the ‘Have I Been Pwned’ service, but as Mr Hunt points out, if your password/email combinations are part of the collection and have not been changed since, you could face some serious risks.  For example:

  • Credential stuffing attacks. In this case, 2.7 billion of the username and password combinations could be put into a list and used for credential stuffing.  This is where cyber-criminals rely on the fact that people may use the same username and password combinations for multiple websites, and therefore, the criminals use software to automate the process of trying the breached username/password pairs on many other websites to see if they can gain access.
  • Phishing attacks.  The stolen credentials can be used to automatically send malicious emails to a victim’s list of contacts.
  • Targeted digital identity attacks. The breached credentials can be used in targeted attacks designed to steal a victim’s entire digital identity or steal their money or even to compromise their social media network data.

What Does This Mean For Your Business?

This story highlights the importance of always using strong passwords that you change on a regular basis. Also, it highlights the importance of not using the same usernames and passwords on multiple websites as this can provide an easy route to your data for criminals using credential stuffing.

Managing multiple passwords in a way that is secure, effective, and doesn’t have to rely on memory is difficult, particularly for businesses where there are multiple sites to manage. One tool that can help is a password manager.  Typically, these can be installed as browser plug-ins that are used to handle password capture and replay, and when logging into a secure site, they offer to save your credentials. On returning to that site, they can automatically fill in those credentials. Password managers can also generate new passwords when you need them and automatically paste them into the right places, as well as being able to sync your passwords across all your devices. Examples of popular password managers include Dashline, LastPass, Sticky Password, and Password Boss, and those which are password vaults in other programs and CRMs include Zoho Vault and Keeper Password Manager & Digital Vault.

If you’re worried that people in your organisation may be using passwords that have been stolen, Troy Hunt has provided a list of them here:  https://www.troyhunt.com/pwned-passwords-now-as-ntlm-hashes/  and provides some answers to popular questions about the stolen passwords in the ‘FAQs’ section of his blog post here: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/

Tech Tip – Phishing Quiz

Identifying a phishing attempt may be harder than you think and being able to spot one is an important part of maintaining your cybersecurity defences in the modern business environment.  Here’s a little phishing quiz from Google that can help you to spot the signs that can enable you to tell a real email from a phishing email.

Go to https://phishingquiz.withgoogle.com/

Click on ‘Take The Quiz’.

Fake News Fact Checkers Working With Facebook

London-based, registered charity ‘Full Fact’ will now be working for Facebook, reviewing stories, images and videos, in an attempt to tackle misinformation that could “damage people’s health or safety or undermine democratic processes”.

Why?

The UK Brexit referendum, the 2017 UK general election, and the U.S. presidential election were both found to have suffered interference in the form of so-called ‘fake news’ / misinformation spread via Facebook which appears to have affected the outcomes by influencing voters.

For example, back in 2018, it was revealed that London-based data analytics company, Cambridge Analytica, which was once headed by Trump’s key adviser Steve Bannon, had illegally harvested 50 million Facebook profiles in early 2014 in order to build a software program that was used to predict and generate personalised political adverts to influence choices at the ballot box in the last U.S. election. Russia was also implicated in trying to influence voters via Facebook.

Chief executive of Facebook, Mark Zuckerberg, was made to appear before the U.S. Congress in April to talk about how Facebook is tackling false reports, and even recently a video that was shared via Facebook (which had 4 million views before being taken down) falsely suggested that smart meters emit radiation levels that are harmful to health. The information in the video was believed by many even though it was false.

Scoring System

Back in August 2018, it was revealed that for 2 years Facebook had been trying to manage some misinformation issues by using a system (operated by its own ‘misinformation team’) that allocated a trustworthiness score to some members.  Facebook is reported to be already working with fact-checkers in more than 20 countries. Facebook is also reported to have had a working relationship with Full Fact since 2016.

Full Fact’s System

This new system from third-party Full Fact will now focus on Facebook in the UK.  When users flag up to Facebook what they suspect may be false content, the Full Fact team will identify and review public pictures, videos or stories and use a rating system that will categorise them as true, false or a mixture of accurate and inaccurate content.  Users will then be told if the story they’ve shared, or are about to share, has been checked by Full Fact, and they’ll be given the option to read more about the claim’s source, but will not be stopped from sharing anything.

Also, the false rating system should mean that false content will appear lower in news feeds, so it reaches fewer people. Satire from a page or domain that is a known satire publication will not be penalised.

Like other Facebook third-party fact-checkers, Full Fact will be able to act against pages and domains that repeatedly share false-rated content e.g. by reducing by their distribution and by reducing their ability to monetise and advertise.  Also, Full Fact should be able to stop repeat offenders from registering as a news page on Facebook.

Assurances

Full Fact has published assurances that among other things, they won’t be given access to Facebook users’ private data for any reason, Facebook will have no control over what they choose to check, and they will operate in a way that is independent, impartial and open.

Political Ad Transparency – New Rules

In October last year, Facebook also announced that a new rule for the UK now means that anyone who wishes a place an advert relating to a live political issue or promoting a UK political candidate, referencing political figures, political parties, elections, legislation before Parliament and past referenda that are the subject of national debate, will need to prove their identity, and prove that they are based in the UK. The adverts they post will also have to carry a “Paid for by” disclaimer to enable Facebook users to see who they are engaging with when viewing the ad.

What Does This Mean For Your Business?

As users of social networks, we don’t want to see false news, and false news that influences the outcome of important issues (e.g. elections and referendums) have a knock-on effect to the economic and trade environment which, in turn, affects businesses.

Facebook appears to have lost a lot of trust over the Cambridge Analytica (SCL Elections) scandal, findings that Facebook was used to distribute posts of Russian origin to influence opinion in the U.S. election, and that the platform was also used by parties wishing to influence the outcome of the UK Referendum. Facebook, therefore, must show that it is taking the kind of action that doesn’t stifle free speech but does go some way to tackling the spread of misinformation via its platform.

There remains, however, some criticism in this case that Facebook may still be acting too slowly and not decisively enough, given the speed by which some false content can amass millions of views.