Archive for News and Events

Your Latest IT News Update

Thomas Cook Customers and Employees Targeted By Phishing Attacks

Security researchers at Skurio Ltd have warned employees and customers of Thomas Cook to be vigilant after it detected the registration of 53 Thomas Cook-related domains in the week after the travel operator went into receivership.

Phishing Risk

The risk is that cyber-criminals may be seeking to exploit a search for information from customers and staff affected by the company’s collapse to launch phishing attacks.  For example, Thomas Cook-related domains that have been registered but don’t have a holding page or landing-page on them could be used to create a legitimate-looking email address as part of phishing attempts.

German Site

One of the Skurio analysts, John Evans, reported finding a .de Thomas Cook-related domain that hosted a page that pretended to be a legitimate business, but was using the Thomas Cook likeness to make money from customer refund claims.

25% Just Piggybacking

The Skurio researchers found that 25% of the domains registered appeared to be simply piggybacking off the collapse of Thomas Cook, and were using their domains to redirect to other websites.

Holding Pages + Advert Clicks

The researchers discovered that 50% of the recently registered domains had holding pages for websites on platforms like Wix or WordPress (awaiting a full live site).  Some other domains were discovered to be used for ad clicks and ad revenue e.g. with adverts for booking a new holiday or finding jobs for Thomas Cook employees.

Thomas Cook Contracted Skurio

Skurio were monitoring the Thomas Cook-related domain situation because (as reported by Skurio) Thomas Cook had contracted Skurio, long before its collapse, to monitor surface, deep and Dark Web sources in order to provide early data breach detection services.  It was as part of this service that Skurio was scanning for new domain registrations relating to Thomas Cook services.   According to Skurio, this scanning involved looking for domains set up with subtle spelling errors or additional terms that a customer may expect to see, in order to send phishing emails, create fake social media accounts or capture customer details online.
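A sketch of how a brand owner could triage a feed of newly registered domains for the two patterns described above (subtle spelling errors and additional terms). This is an added example, not Skurio's tooling; the `.example` domains are constructed samples, and the edit-distance threshold of 2 and the function names are assumptions.

```python
BRAND = "thomascook"   # brand label from the article
MAX_TYPO_DISTANCE = 2  # assumed threshold; tune against false positives


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute,
    and swap of two adjacent characters each cost 1."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # adjacent transposition, e.g. "sa" typed for "as"
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(domain: str, brand: str = BRAND):
    """Return why a domain resembles the brand, or None if it does not.
    Every label except the last (the TLD) is inspected."""
    labels = domain.lower().rstrip(".").split(".")[:-1]
    for label in labels:
        compact = label.replace("-", "")
        if compact == brand:
            return "brand-label"        # the brand itself, possibly hyphenated
        if brand in compact:
            return "added-term"         # brand plus words a customer may expect
        if edit_distance(compact, brand) <= MAX_TYPO_DISTANCE:
            return "typo"               # subtle spelling error
        tokens = label.split("-")
        if len(tokens) > 1 and any(
            edit_distance(t, brand) <= MAX_TYPO_DISTANCE for t in tokens
        ):
            return "typo+term"          # misspelt brand plus an extra term
    return None


def triage(domains, brand: str = BRAND):
    """Map each suspicious domain to the reason it was flagged."""
    flagged = {}
    for d in domains:
        reason = classify(d, brand)
        if reason:
            flagged[d] = reason
    return flagged


# Constructed sample feed of new registrations (not real observations).
SAMPLE = [
    "thomascook-refunds.example",
    "thomascok.example",
    "thomsacook.example",
    "mythomascookjobs.example",
    "thomascokk-claims.example",
    "cookbook.example",
    "thomson-holidays.example",
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE).items():
        print(f"{reason:12} {name}")
```

Flagged names are candidates for review only; the article notes that many such registrations turn out to be holding pages, redirects or advert pages rather than phishing sites.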

What Does This Mean For Your Business?

It is not uncommon for cyber-criminals to launch campaigns to take advantage of a popular information search by customers after events such as a high-profile security breach or company collapse.  This is because people may let their guard down and may simply not suspect such an underhand tactic, which is the kind of human error based on emotion that cyber-criminals are counting on.

Phishing attacks are all too common, and a recent APWG report showed that phishing attacks continued to rise in the summer of 2019, with cyber-criminals focusing on branded webmail and SaaS providers.

Companies can help guard against phishing attacks by educating and training all staff to be able to spot possible fraudulent tactics, and by encouraging and empowering them to question and refer any suspicious activity that could help to protect the business. Having clear systems for staff to follow, including carefully verifying any new payment requests before authorising them, and continuously promoting online vigilance can be well worth the effort in the fight against phishing, and the generally increasing number of social engineering attacks that companies are facing.

PayPal Drops Out of Facebook’s Libra Cryptocurrency

PayPal has announced that it is not going to be a part of the Switzerland-based Libra Association that is overseeing the introduction of Facebook’s Libra cryptocurrency.

What Is Libra?

Libra is a cryptocurrency, designed and coded by Facebook, that will enable payments to be made by a special phone app and by messaging services such as WhatsApp so that spending the new currency could be as easy and fast as texting.  Libra was announced as being targeted at the 1.7 billion adults worldwide who do not have a bank account (unbanked).

Unlike other cryptocurrencies such as Bitcoin, Libra will offer the security from massive value fluctuation by being asset-backed and pegged to other currencies and it will not have a traditional bank ‘middleman’, therefore enabling fast and frictionless transactions.

Units of Libra can be purchased via Libra’s platforms and stored in a digital wallet called “Calibra”.

Libra Association

The Libra Association, which PayPal has just left, is a 28-member (now 27) association of multinational companies and non-profits, hoping to grow to 100 or more members.  The Libra Association, based in Switzerland, will be responsible for the management of Libra, and members of the Association include Mastercard, eBay, Spotify, Uber, Vodafone, and a variety of charities such as Women’s World Banking.

Why Has PayPal Left?

PayPal has not given a clear reason why it has left the Libra Association, but there is speculation among some commentators that it may be due to PayPal wanting to distance its brand from the fact that regulators, particularly in Washington and Brussels, appear to be concerned that the Libra project could be seen as a means to bypass rules relating to money laundering and tax evasion.  There is also speculation that PayPal may have been concerned that Facebook executives haven’t paid attention to PR that could counter much of the initial criticism of Libra.

PayPal has said, however, that “We remain supportive of Libra’s aspirations and look forward to continued dialogue on ways to work together in the future”.

Others?

There are also press reports that other Association members such as Mastercard, Visa, and digital payment platform and processor Stripe may be considering leaving the Libra Association due to concerns about the suggestions that Libra could potentially be used for money laundering and tax evasion.

France Says No

In September, France’s finance minister, Bruno Le Maire, said that the development of Facebook’s Libra cryptocurrency will be blocked in Europe unless concerns over risks to consumers and to the monetary systems of countries can be addressed.

Warnings and Concerns

Back in July, finance chiefs from the Group of Seven democracies warned that cryptocurrencies like Libra would have to address “serious regulatory and systemic concerns” before they would be allowed.  Also, President Trump has said in a Tweet that he isn’t a fan of Libra, and central bank chiefs, including Mark Carney, have also expressed concerns about Libra.

Some sceptical commentators have also noted that Libra may be less about money and blockchain anyway but more about gathering more information about the identity of clients.

What Does This Mean For Your Business?

Libra is now coming under increased scrutiny, and the mention of phrases like ‘money laundering’ or ‘tax evasion’ appears to be enough to scare some of the big financial brands away from the Libra project, at least until regulators’ questions have been answered and the heat has died down.  The fact that a big name like PayPal has pulled out, with other big names such as Mastercard and Visa looking likely to follow, is undoubtedly going to be a big blow to the image and credibility of Libra, although the Libra Association still has 25+ other members and is hoping to grow this to include 100 or so other big names.

Countries and banks are clearly worried by the possible shift in control to big business that Libra could bring, and this shift in control could have a number of effects on the business environment and the economies of countries if Libra proves to be popular.

Even though Libra users are not intended to be businesses, if Libra does help the ‘unbanked’ this could have a knock-on effect in helping that segment of society to buy more goods and services, thereby helping businesses and the economy.

AI and the Fake News War

In a “post-truth” era, AI is one of the many protective tools and weapons involved in the battles that make up the current, ongoing “fake news” war.

Fake News

Fake news has become widespread in recent years, most prominently with the UK Brexit referendum, the 2017 UK general election, and the U.S. presidential election, all of which suffered interference in the form of so-called ‘fake news’ / misinformation spread via Facebook which appears to have affected the outcomes by influencing voters. The Cambridge Analytica scandal, where over 50 million Facebook profiles were illegally shared and harvested to build a software program to generate personalised political adverts led to Facebook’s Mark Zuckerberg appearing before the U.S. Congress to discuss how Facebook is tackling false reports. A video that was shared via Facebook, for example (which had 4 million views before being taken down), falsely suggested that smart meters emit radiation levels that are harmful to health. The information in the video was believed by many even though it was false.

Government Efforts

The Digital, Culture, Media and Sport Committee has published a report (in February) on Disinformation and ‘fake news’ highlighting how “Democracy is at risk from the malicious and relentless targeting of citizens with disinformation and personalised ‘dark adverts’ from unidentifiable sources, delivered through the major social media platforms”.  The UK government has, therefore, been calling for a shift in the balance of power between “platforms and people” and for tech companies to adhere to a code of conduct written into law by Parliament and overseen by an independent regulator.

Fact-Checking

One way that social media companies have sought to tackle the concerns of governments and users is to buy-in fact-checking services to weed out fake news from their platforms.  For example, back in January London-based, registered charity ‘Full Fact’ announced that it would be working for Facebook, reviewing stories, images and videos to tackle misinformation that could “damage people’s health or safety or undermine democratic processes”.

Moderation

A moderator-led response to fake news is one option, but its reliance upon humans means that this approach has faced criticism over its vulnerability to personal biases and perspectives.

Automation and AI

Many now consider automation and AI to be an approach and a technology that are ‘intelligent’, fast, and scalable enough to start to tackle the vast amount of fake news that is being produced and circulated.  For example, Google and Microsoft have been using AI to automatically assess the truth of articles.  Also, initiatives like the Fake News Challenge (http://www.fakenewschallenge.org/) seek to explore how AI technologies, particularly machine learning and natural language processing, can be leveraged to combat fake news, and support the idea that AI technologies hold promise for significantly automating parts of the procedure human fact-checkers use to determine if a story is real or a hoax.

However, the human-written rules underpinning AI, and how AI is ‘trained’ can also lead to bias.

Deepfake Videos

Deepfake videos are an example of how AI can be used to create fake news in the first place.  Deepfake videos use deep learning technology and manipulated images of target individuals (found online), often celebrities, politicians, and other well-known people to create an embarrassing or scandalous video. Deepfake audio can also be manipulated in a similar way.  Deepfake videos aren’t just used to create fake news sources, but they can also be used by cyber-criminals for extortion.

AI Voice

There has also been a case in March this year, where a group of hackers were able to use AI software to mimic an energy company CEO’s voice in order to steal £201,000.

What Does This Mean For Your Business?

Fake news is a real and growing threat, as has been demonstrated in the use of Facebook to disseminate fake news during the UK referendum, the 2017 UK general election, and the U.S. presidential election. State-sponsored politically targeted campaigns can have a massive influence on an entire economy, whereas other fake news campaigns can affect public attitudes to ideas and people and can lead to many other complex problems.

Moderation and automated AI may both suffer from bias, but at least they are both ways in which fake news can be tackled, to an extent.  Through adding fact-checking services, other monitoring, and software-based approaches e.g. through browsers, social media and other tech companies can take responsibility for weeding out and guarding against fake news.

Governments can also help in the fight by putting pressure on social media companies and by collaborating with them to keep the momentum going and to help develop and monitor ways to keep tackling fake news.

That said, it’s still a big problem, no solution is infallible, and all of us as individuals would do well to remember that, especially today, you really can’t believe everything you read and an eye to source and bias of news coupled with a degree of scepticism can often be healthy.

Local Authorities Facing 800 Cyber Attacks Per Hour

Figures gathered by insurance broker Gallagher – through the Freedom of Information (FoI) Act – have shown that UK local authorities were hit by an average of 800 cyber-attacks every hour in the first six months of this year.

Problem Could Be Bigger Than Figures Show

The figures, which were based upon the 203 (out of 408) local authorities that responded, showed that there were more than 263 million incidents in the first six months of 2019.  Although 76 local authorities reported a cyber-attack between January and June 2019, the fact that only half of UK local authorities responded to the FoI request could mean that the problem is proportionately much worse than even these figures show.

What Kind of Attacks?

Gallagher’s collected information shows that since the beginning of 2017, 17 of the attacks reported by respondents related to loss of data or money, with an average cost to the victim of around £430,000.  Gallagher’s figures also show that only 13% of councils have a standalone cyber insurance policy, meaning that most councils are risking potentially heavy fines under GDPR for any breaches.

Why A Target?

Local authorities and other public sector organisations are attractive targets to cyber-criminals because they hold large quantities of personal data and, perhaps due to a lack of funding and/or not getting the most out of IT spending, they may be running older, less secure systems.  Also, they have a large number of employees who may lack education about and training in data and cyber-security.

Education A Target

Universities, colleges and schools are also targets for cyber-criminals because they tend to have large numbers of users spread across many different departments, different facilities and faculties, and data is moved between these, thereby making admin and IT security very complicated.  Also, universities have a lot of valuable intellectual property as well as student and staff personal data within their systems which are tempting targets for hackers.

Back in July, for example, Lancaster University, which offers a GCHQ accredited cyber-security course and has its own Cyber Security Research Centre was hit by a phishing attack, resulting in the leak of the personal data of new university applicants.  Also, in 2018, The Information Commissioner (ICO) fined the University of Greenwich £120,000 for a data breach that left the personal details of thousands of students exposed online.

A National Cyber Security Centre report recently revealed that the UK’s universities lost almost £150m from cyber-attacks in the first six months of 2018 alone.

Lost Mobile Devices

Lost mobile devices, many of which may provide access to cloud-based data, are also known to be a problem for government bodies.  For example, an FoI request in July by MobileIron found that government staff had lost 508 mobile and laptop devices between January and April 2019.

What Does This Mean For Your Business?

These figures make worrying reading, especially at a time when council budgets are very limited.  Local authorities are already facing serious decisions about what to prioritise in terms of investment, but GDPR and a duty to protect the privacy and security of local authority customers and staff should mean that data security is kept high up the agenda. Part of maximising the value of investments in data security for local authorities should include ensuring that training and software are put in place to enable a more proactive approach to attack prevention and that staff are educated about threats, and how to spot (and what to do with) suspicious communications by email, social media or other means.

Gallagher’s figures may also serve as a reminder to local authorities that it may be a good idea to make sure, in the light of the sheer number of threats (only one of which needs to get through), that they have a good cyber insurance policy in place.

Google’s Chrome To Block Mixed Content Pages Without HTTPS

Google has announced that in a series of steps starting in Chrome 79, all mixed content will gradually be blocked by default.

What Is Mixed Content?

Mixed content refers to the insecure http:// sub-resources that load into https:// pages, thereby creating a possible way in for attackers to compromise what appears to be a secure web page.  For example, this could be any audio, video, and images that are loaded insecurely from HTTP but appear as part of an HTTPS page when it loads.  Many browsers are already able to block other types of mixed content by default such as scripts and iframes.

Why Worry?

Mixed content from a non-secure source poses privacy and security risks and could provide a way for attackers to spread misinformation.  For example, an attacker could alter a chart to mislead viewers or could hide a tracking cookie in a mixed resource load.  Also, the mix of secure and insecure content in a page could confuse browser security UX.  Google’s own research shows that mobile devices account for the majority of unencrypted end-user traffic.

What Does HTTPS Do?

HTTPS provides a secure, encrypted channel for web connections that can protect users against issues such as eavesdroppers, man-in-the-middle attacks and hijackers spoofing a trusted website. The kind of encryption offered by HTTPS stops interception of your information and ensures the integrity of the information that you send and receive.

Older hardware and software can pose a privacy and security risk because it often doesn’t support modern encryption technologies.

Progress

Progress has been made to make web browsing more secure with the move towards the full introduction of HTTPS, and Google is keen to point out that Chrome users now spend over 90% of their browsing time on HTTPS on all major platforms.

Google now sees its next task as ensuring that HTTPS configurations across the web are secure and up to date.

Roll-Out In Steps

Google says that the roll-out of its blocking of mixed content will happen in a series of steps starting with the release of Chrome 79 (in December 2019) with its new setting to unblock mixed content on specific sites.  Next, Chrome 80 (due for release in January 2020) will auto-upgrade mixed audio and video resources to https://.  Chrome 80 will display a “Not Secure” chip in the Omnibox for mixed images.
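For site owners who want to find affected pages before the roll-out, the following added example (not Google's code) scans the HTML of an https:// page for http:// sub-resources and labels each with the treatment this article describes. The sample markup and example.com URLs are constructed, the treatment labels are shorthand for the article's wording, and only the resource types the article names are covered.

```python
from html.parser import HTMLParser

# Treatment of each mixed sub-resource type as described in the article.
TREATMENT = {
    "script": "blocked",            # already blocked by default in many browsers
    "iframe": "blocked",
    "audio": "auto-upgraded",       # Chrome 80 rewrites the load to https://
    "video": "auto-upgraded",
    "img": "not-secure-chip",       # Chrome 80 shows "Not Secure" in the Omnibox
}
MEDIA = ("audio", "video")


class MixedContentAudit(HTMLParser):
    """Collects (type, url, treatment) for every http:// sub-resource."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._media = []  # stack of currently open <audio>/<video> elements

    def handle_starttag(self, tag, attrs):
        if tag in MEDIA:
            self._media.append(tag)
        kind = tag
        # <source> inside <audio>/<video> is a load of the parent's type
        if tag == "source" and self._media:
            kind = self._media[-1]
        src = dict(attrs).get("src") or ""
        if kind in TREATMENT and src.lower().startswith("http://"):
            self.findings.append((kind, src, TREATMENT[kind]))

    def handle_endtag(self, tag):
        if self._media and tag == self._media[-1]:
            self._media.pop()


def audit(html: str):
    """Return the mixed-content findings for the markup of an https:// page."""
    parser = MixedContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, assumed to be served over https://.
SAMPLE = """
<html><body>
<script src="http://cdn.example.com/app.js"></script>
<img src="http://img.example.com/chart.png">
<img src="https://img.example.com/logo.png">
<video controls><source src="http://media.example.com/tour.mp4"></video>
<audio src="HTTP://media.example.com/jingle.mp3"></audio>
<iframe src="//widgets.example.com/map"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, url, treatment in audit(SAMPLE):
        print(f"{kind:7} {treatment:16} {url}")
```

Protocol-relative (`//host/...`) and https:// URLs are not reported because they load securely on an https:// page; the fix for each finding is to serve the resource over HTTPS and update the URL.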

What Does This Mean For Your Business?

The introduction of measures to display warnings about and to block mixed content will put pressure on some businesses to clean up their web pages and make it more difficult for cyber-criminals to find a way through browser security.  This is good news for businesses and web users alike.

It should be remembered, however, that secure websites with encrypted connections can still be harmed by certain cryptographic weaknesses e.g. due to external or related-domain hosts, so it’s important for businesses and individuals to keep up to date with software patches and fixes.

Tech Tip – Twobird

New email client app ‘Twobird’ allows you to put all your emails in one place and create notes and reminders on the fly (and attaches the notes on emails).

Twobird has been billed as “a new kind of email app” that offers email at the speed of live chat.  It includes all your everyday tools – write emails, create notes, set reminders and assign to-dos – all in your inbox. If, for example, you’ve scheduled an appointment it will alert you at just the right time.

Features include:

– Remind: allowing you to schedule an email or note to appear in your inbox later.

– Low Priority: so you can set aside automated messages so you don’t get distracted.

– Pinned and Recent: this lets you keep important notes and conversations easily accessible.

– Tidy Up: archives any inactive conversations so your inbox stays fresh.

Twobird is available in the Google Play store.

Your Latest IT News Update

Windows Virtual Desktop Generally Available Now

Microsoft has announced that its Windows Virtual Desktop is now generally available worldwide on Azure and will include Windows 7 free Extended Security Updates for up to three years.

Worldwide Rollout of ‘Personal Vault’ OneDrive Security Features

Microsoft has announced that the ‘Personal Vault’ security features for its OneDrive storage service are now available worldwide on all OneDrive consumer accounts.

Police Auction Hacker’s £240,000 of Cryptocurrency

The £240,000 of cryptocurrency confiscated from a teenager who was jailed for hacking ISP TalkTalk has been auctioned by police with the proceeds going towards fighting crime.

Tech Tip – How To Sign a PDF Without Printing It

If you need to sign PDFs and return them (e.g. as part of your sales or buying processes) there is a way to do it without having to go to the time and trouble of printing out the PDFs, signing them, scanning them, and then emailing the scans back.

AI and Facial Analysis Job Interviews

Reports of the first job interviews conducted in the UK using Artificial Intelligence and facial analysis technology have been met with mixed reactions.

The Software

The AI and facial analysis technology used for the interviews comes from US firm HireVue. The main products available from HireVue for interviewing are Pre-Employment Assessments and Video Interviewing.

For the Pre-Employment Assessments, the software uses AI, video game technology, and game-based and coding challenges to collect candidate insights related to work style, how the candidate works with people, and general cognitive ability. The Assessments are customisable to specific hiring objectives or ready to deploy based on pre-validated models. The data points are analysed by HireVue’s proprietary machine learning algorithms, and the insights gained are intended to enable businesses to save time and use recruitment resources more effectively by enabling businesses to quickly prioritise which candidates to shortlist for interviews.

The Video Interviewing product uses real-time evaluation tools and can assess around 25,000 data points in one interview.  During interviews, candidates are asked to answer pre-scripted questions with HireVue Live offering a real-time collaborative video interview that can involve a whole recruitment team. The benefits of on-demand video-based assessments, which can be conducted in less than 30 minutes, are that recruiters and managers don’t have to synchronize candidates and calendars, and can evaluate more candidates, thereby being able to spend their time deciding between the best candidates.

Who Is Using The Software?

According to HireVue, 700+ companies use the software (not all in the UK) including Vodafone, Urban Outfitters, Intel, Ikea, Hilton, Unilever, Singapore Airlines, JP Morgan and Goldman Sachs. It has been reported, however, that the technology has already been used for 100,000 interviews in the UK.

Concerns

Even though there are obvious on-demand expertise, time and cost savings for companies, and HireVue displays case studies from satisfied customers on its website, AI and facial analysis technology use in interviews has been met with criticism by privacy and rights groups.

For example, it has been reported that Big Brother Watch representatives have voiced concerns about the ethics of using this method, possible bias and discrimination (if the AI hasn’t been trained on a diverse-enough range of people), and that unconventional but still good potential candidates could fall foul of algorithms that can’t take account of the complexities of human speech, body language and expression.

Robot Interviewer

Back in March, it was reported that TNG and Furhat Robotics in Sweden have developed a social, unbiased recruitment robot called “Tengai” that can be used to conduct job interviews with human candidates. The basic robot was developed several years ago and looks like an internally projected human face on a white head sitting on top of a speaker (with camera and microphone built-in).  The robot is made with pre-built expressions and gestures as part of a pre-loaded OS which can be further customised to fit any character, and the HR-tech application software that Tengai uses means that it can conduct situation and skill-based interviews in a way that is as close as possible to a human interviewer. This includes using “hum”, nodding its head, and asking follow-up questions.

What Does This Mean For Your Business?

Like the Swedish Tengai robot interviews, the HireVue Pre-Employment Assessment (and possibly the video) appears to have been designed to be used in the early part of the recruitment process as a way of enabling big companies to quickly create a shortlist of candidates to focus on. As businesses become used to, and realise the value of, outsourcing as a way of making better use of resources and buying in scalable and on-demand skills and resources, it appears that bigger companies are also willing to trust new technology to the point where they outsource expertise and human judgement in exchange for the promise of better, and more cost-effective, recruitment management.

AI, facial recognition, and other related new technologies and algorithms are being trusted and adopted more by big businesses, which also need to remember, for the benefit of themselves, their customers and job candidates, that they need to make sure that bias is minimised, and that technology is unlikely to be able to pick up on every (potentially important) nuance of human behaviour and speech.  It should never be forgotten that we each have the most powerful, amazing and perceptive ‘computer’ available in the form of our own brain, and for the vast number of medium and small businesses that probably can’t afford or don’t want to use AI to choose recruits, experienced human interviewers can also make good recruitment decisions.

That said, as technology progresses, AI-based recruitment systems are likely to improve by gaining their own experience, and be augmented, and become more widely available and affordable to the point that they become a standard first challenge for job applicants in many situations.

Email Signature Legally Binding For Lawyer

A recent ruling by the High Court that an email containing an automated signature is legally binding proved costly to the lawyer who sent such an email on behalf of his client that included the wrong price for a land sale.

£25,000 Below

For the unfortunate lawyer, Daniel Tear, who sent an email to another lawyer setting out the terms for an owner’s land/property sale (but with the sale price listed as £25,000 lower than the asking price), the ruling about his email signature at the County Court in Manchester proved to be very costly.

In the case, which related to a dispute over the sale of land near Lake Windermere listed as a “jetty/boat landing plot/mooring”, it has been reported that the land should have been offered for sale at the asking price of £200,000 but (according to published court documents) Mr Tear’s email to the lawyer of those wishing to purchase the land specified a price of “£175,000 (one hundred and seventy-five thousand pounds”.

The lawyer acting for the buyer accepted the deal, and despite Mr Tear later emailing all the parties to say the deal had not been finalised by email, the court ruling went against him and his client.

Why?

According to the published court documents, which refer to matters related to certain sections of the Law of Property Act of 1989, Mr Tear’s auto-signature (using Microsoft Outlook), which appeared at the bottom of his email accompanied by the words “Many Thanks” (which link the email’s contents to the signature), was enough to make the contents of the email’s agreement binding.

In a hearing which considered the many difficulties around an email footer possibly being treated as a sufficient act of signing the judge stated that he was “satisfied that Mr Tear signed the relevant email on behalf of the Defendant” and that “the Claimants are entitled to the order for specific performance that is sought”.

Mr Tear’s argument that the case fell under Section 2 (1) of the Law of Property Act of 1989 i.e. “The document incorporating the terms or, where contracts are exchanged, one of the documents incorporating them (but not necessarily the same one) must be signed by or on behalf of each party to the contract” was, therefore, not accepted by the court.

What Does This Mean For Your Business?

As with most legal matters, if you read the court documents (here: https://www.bailii.org/ew/cases/EWHC/Ch/2019/2462.html) there were many different considerations based around the case. One thing that businesses can take away from this case, however, is that if you create and add an email signature section to the footer of your Outlook emails, even though it is automatically added to each of your emails, it may still prove to be enough to legally bind you to the contents of the email, even though you may have made a mistake. It goes without saying, therefore, that businesses need to be very careful to check that prices and quotes emailed to clients (where an email signature is included) are correct and that any terms are clearly stated.  This ruling could now and in future have implications for many businesses in disputes relating to the contents of business emails.