Your Latest IT News Update

Xmas Toys – Security Risks

With Christmas just around the corner, consumer watchdog Which? has asked retailers to stop selling some popular internet-connected toys which have “proven” security issues that could allow attackers to take control of the toy or send messages.

Huddle Leaked Business Documents

A flaw has been discovered in the collaboration tool Huddle that is believed to have left private company documents able to be viewed by unauthorised persons.

Google’s Scary Hack Stats

With more than 15% of Internet users reporting takeovers of their email or social networking accounts, new research by Google and the University of California, Berkeley has shed light on how passwords are stolen and how accounts are hacked.

1 In 4 Law Firms Ready For GDPR

A report by managed services provider CenturyLink EMEA shows that, despite the threat of fines of up to €20m or 4% of annual global turnover for serious data protection failings, only 25% of the more than 150 legal-sector IT decision-makers surveyed said their firms were ready for GDPR.

Bad Broadband? Get Automatic Compensation…

Ofcom has announced that broadband and landline customers will be automatically able to get money back from their providers when things go wrong, without having to make a claim for it.

Tech Tip – Android: Have Two WhatsApp/Facebook/Twitter Accounts On The Same Device

From Android Lollipop onwards you can create separate user accounts, e.g. to keep social and professional use apart, or because others use your device. This lets you manage your different identities / accounts for WhatsApp, Facebook or Twitter on the same device.

Xmas Toys – Security Concerns

With Christmas just around the corner, consumer watchdog Which? has asked retailers to stop selling some popular internet-connected toys which have “proven” security issues that could allow attackers to take control of the toy or send messages.

Toys At Risk

Consumer watchdog Which? has identified toys such as Furby Connect, the i-Que robot, CloudPets and Toy-Fi Teddy as having a security vulnerability: they can be connected to via Bluetooth without any authentication being required.

Children At Risk

The main worry is that children, and the privacy and security of every member of a household, could be put at risk because manufacturers have cut costs, been careless, or rushed their products to market without building in adequate protection against takeover / hacking and reverse engineering, e.g. to conduct surveillance.

Toy Makers Say

In the light of the Which? research, Hasbro, the manufacturer of Furby Connect, has pointed out that attackers would need to do a large amount of reverse engineering of the product, and then create new firmware for it, before they would have any chance of taking control of it.

Vivid Imagination, which makes i-Que, is reported as saying that although it would review Which?’s recommendations, it is not aware of any reports of these products being used in a malicious way.

Old Fears

The idea that a toy could pose a security risk in this way dates back to 1998, when a small robot ‘Furby’ was banned by the US National Security Agency.

Also in the US, back in July this year, the FBI issued an urgent announcement describing the vulnerability of internet-connected toys to such risks and explaining the steps to take to minimise the threat. The main concern appeared to be that young children could tell their toys private information, thinking they are speaking in confidence; that information could then be intercepted via the toy, putting the child and family at risk.

Other Types of ‘Toy’

There was also news this week that Hong Kong-based firm Lovense had to issue a fix to the app in its remote (Bluetooth) controlled sex toy (vibrator) after a Reddit user discovered a lengthy recording on their phone which had been made during the toy’s operation.

This prompted more concerns about where the audio files (recorded via the user’s smartphone microphone) are being stored. The company is reported as saying that the audio files are not transmitted from the device, that the problem was caused by “a minor bug” limited to Android devices, and that no information or data was sent to its servers.

Not The First Time

This is not the first time that concerns have been raised about IoT sex toys. Back in March, customers of start-up firm Standard Innovation, manufacturers of IoT ‘We-Vibe’ products, were left red-faced and angry after the company was judged by a court to have been guilty of covertly gathering data about how (and how often) customers used their Wi-Fi enabled sex toy.

What Does This Mean For Your Business?

These reports have re-ignited old concerns about the challenge of managing the security of the many Internet-connected / smart / IoT devices that we now use in our business and home settings.

Where businesses are concerned, a Vodafone survey back in July 2016 showed that three quarters of businesses saw how they use the Internet of Things (IoT) as a critical factor in their success. Many technology commentators have also noted that the true extent of the risk posed by IoT device vulnerabilities is unknown, because the devices are so widely distributed globally and large organisations have tended not to include them in their risk assessments for devices, code, data and infrastructure.

It has also been noted by many commentators that not only is it difficult for businesses to ascertain whether all their hardware, software and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.

Businesses, therefore, may wish to conduct an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default username and passwords in these devices are changed as soon as possible.

Security experts also suggest that anyone deploying IoT devices in any environment should require the supply chain to provide evidence of adherence to a well-written set of procurement guidelines that relate to some kind of specific and measurable criteria.

Microsoft has also compiled a checklist of IoT security best practice. This highlights the different areas of security that need to be addressed by the organisations involved throughout the lifecycle of an IoT system e.g. manufacturing and integration, software development, deployment, and operations.

Huddle Leaked Business Documents

A flaw has been discovered in the collaboration tool Huddle that is believed to have left private company documents able to be viewed by unauthorised persons.

What is Huddle?

Huddle is a cloud-based, ‘secure’ software system for collaborative work, file sharing and project management. It can be accessed through mobile and desktop apps, and can be integrated with enterprise tools such as Microsoft Office, Google Apps for Work, SharePoint and Salesforce.com.

Used By Government Agencies

What makes this recent discovery more worrying and embarrassing is that Huddle publicly claims that more than 80% of UK central government agencies use the Huddle system, and that it has administrative, technical and physical safeguards, yet a simple login flaw appears to have exposed clients to potentially serious security risks.

What Happened?

The security flaw is reported to have been discovered by a journalist who tried to log in and access a shared diary for their team, but was instead logged in to a KPMG account, and was able to view a directory of private documents and invoices, and an address book.

Huddle also discovered later that an unauthorised person (unknown) had accessed the Huddle of BBC Children’s programme Hetty Feather, but had not opened any of the private documents.

Why?

Huddle’s reported explanation of the problem is that two users who arrived at the login server within 20 milliseconds of each other were both issued the same authorisation code. That duplicate code was then carried through to the security-token process, so whichever user was fastest to exchange the code for a security token was logged in, and was therefore able to see another company’s files.

Rare

A statement from Huddle appeared to play down the seriousness of the discovery by pointing out that the bug had only affected six sessions out of 4.96 million log-ins between March and November.

Now Fixed

Huddle users will be relieved to hear that Huddle has now fixed the bug by making sure that a new authorisation code is generated every time the system is invoked.
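The failure mode described above, and the fix Huddle describes, modelled in Python as an added example (this is not Huddle’s code; the clock-derived code in FlawedAuthServer is an assumption used only to reproduce the symptom of two near-simultaneous requests receiving the same code):

```python
"""Authorisation-code collision and its fix (added example; not Huddle's code).

The article reports that two users who reached the login server within
20 ms of each other were issued the same authorisation code, and that
whichever user exchanged the code for a security token first was logged
in, sometimes into the other user's account. FlawedAuthServer is a
hypothetical model that reproduces that symptom with a clock-derived
code; FixedAuthServer applies the fix the article describes (a fresh
code per request) plus two standard hardening steps: codes come from a
CSPRNG and are single-use.
"""
import hashlib
import secrets
from typing import Dict, Optional

TICK_MS = 20  # assumption: resolution of the clock the flawed generator reads


class FlawedAuthServer:
    """Hypothetical model: the code is a function of the 20 ms clock tick only."""

    def __init__(self) -> None:
        # code -> user; a second arrival in the same tick silently overwrites the first
        self.codes: Dict[str, str] = {}

    def issue_code(self, user: str, now_ms: int) -> str:
        tick = now_ms // TICK_MS
        code = hashlib.sha256(f"tick:{tick}".encode()).hexdigest()[:16]
        self.codes[code] = user
        return code

    def exchange(self, code: str) -> Optional[str]:
        """Redeem a code for a session: returns whichever user the code maps to now."""
        return self.codes.get(code)


class FixedAuthServer:
    """Random, per-request, single-use codes bound to the user who requested them."""

    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}

    def issue_code(self, user: str, now_ms: int = 0) -> str:
        # 256 bits from the OS CSPRNG; arrival time plays no part, so two
        # requests cannot share a code however close together they arrive.
        code = secrets.token_urlsafe(32)
        self.pending[code] = user
        return code

    def exchange(self, code: str) -> Optional[str]:
        # pop() makes the code single-use: a replay (or a guess) gets None
        return self.pending.pop(code, None)


def simulate_race(server) -> dict:
    """Two users from different companies log in 5 ms apart (constructed timings)."""
    code_a = server.issue_code("alice@company-a.test", now_ms=1_000_000)
    code_b = server.issue_code("bob@company-b.test", now_ms=1_000_005)
    return {
        "codes_collide": code_a == code_b,
        "alice_session": server.exchange(code_a),  # Alice redeems her code first
        "bob_session": server.exchange(code_b),
    }


if __name__ == "__main__":
    print("flawed:", simulate_race(FlawedAuthServer()))
    print("fixed: ", simulate_race(FixedAuthServer()))
```

With the flawed server Alice’s code is identical to Bob’s and redeeming it lands her in Bob’s session, which is the symptom the article describes. With the fixed server the two codes differ, each user reaches their own session, and a second exchange of the same code is refused, which closes the door on both collisions and replays.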

What Does This Mean For Your Business?

The important point for businesses to take away from this story is that even trusted, popular, market-leading third-party systems are likely to contain some undiscovered bugs (no system is perfect), although the chances of those bugs being discovered and exploited are very small. It is also a good (and lucky) thing that a responsible person (the journalist) discovered and reported the bug so that it could be fixed.

Critics, however, have highlighted that it is surprising and worrying that a global leader in secure content collaboration, which is supposed to offer a world-class service and publicises how its system is trusted with sensitive government information, could have its system so easily compromised without any hacking or illegal activity being needed.

For the companies whose details have been accessed, it is unlikely to be the rarity of such an event that concerns them, but rather the fact that they trusted a third party with their company security and have suffered a potentially damaging breach as a result. The incident is also likely to damage trust in the Huddle service, raise questions about how rare such an event really is, and tempt some companies to switch suppliers, or perhaps to use the system only for less sensitive projects.

Google’s Scary Hack Stats

With more than 15% of Internet users reporting takeovers of their email or social networking accounts, new research by Google and the University of California, Berkeley has shed light on how passwords are stolen and how accounts are hacked.

Tracking Black Markets

The research, which took place between March 2016 and March 2017 and focused on password-stealing tactics, tracked several black markets trading third-party password breaches, as well as 25,000 blackhat tools used for phishing and keylogging.

This tracking identified a staggering 788,000 credentials stolen via keyloggers, 12 million credentials stolen via phishing, and 3.3 billion credentials exposed by third-party breaches.

Findings

Google’s summary of the research was that enterprising hijackers are constantly searching for, and are able to find, billions of different platforms’ usernames and passwords on black markets. This means that many of us are (unknowingly) at risk of suffering a takeover of our accounts.

For example, the research found that 12% of the exposed records included a Gmail address serving as a username and a password, and, of those passwords, 7% were still valid due to reuse.

Google Accounts – Targeted By Phishing and Keyloggers

The research showed that phishing and keyloggers frequently target Google accounts, and that 12-25% of these attacks yield a valid password. In fact, Google concluded that the three greatest account takeover threats are phishing, followed by keyloggers, and finally third-party breaches.

Password Alone Not Enough

With greater security now being applied to many types of account, e.g. two-factor verification and security questions, the research acknowledged that a password alone is rarely enough to gain access to, for example, a Google account. This explains why attackers now have to try to collect other sensitive data: the research found that 82% of blackhat phishing tools and 74% of keyloggers now attempt to collect a user’s IP address and location, and that 18% of tools collect phone numbers and device makes and models.

What Does This Mean For Your Business?

It is worrying for all businesses that so much information and so many hacking tools are available to criminals on the black market, and that attackers are becoming more sophisticated in their methods.

It is good, however, that Google has made a serious attempt, through this research, to understand the scale, nature and sources of the risks that its customers face. The real value to businesses will come from Google and other companies using the findings to tighten account security, close loopholes, and try to keep one step ahead of cyber-criminals. Google has, for example, stated that it has already applied the insights to its existing protections: Safe Browsing now protects more than 3 billion devices (with alerts about dangerous sites / links), account logins are monitored for suspicious activity with extra verification requested where needed, and activity across Google products is scanned regularly. Google states that this scanning enables it to prevent or undo actions attributed to account takeover, notify the affected user, and help them change their password and re-secure their account.

Google’s 2 key pieces of advice to customers to help prevent account takeover are to:

  1. Visit Google’s ‘Security Checkup’ to make sure you have recovery information associated with your account, like a phone number.
  2. Allow Chrome to automatically generate passwords for accounts and save them via Smart Lock.

1 In 4 Law Firms Ready For GDPR

A report by managed services provider CenturyLink EMEA shows that, despite the threat of fines of up to €20m or 4% of annual global turnover for serious data protection failings, only 25% of the more than 150 legal-sector IT decision-makers surveyed said their firms were ready for GDPR.

Why Not?

If any sector looks likely to be prepared for the introduction of GDPR next year, you could be forgiven for thinking that the legal sector would be at the forefront, given that companies and individuals will be seeking the advice, help and services of law firms with compliance and enforcement matters.

According to the report, however, three quarters of law firms are not ready, and are not achieving higher levels of privacy and data security, because of challenges relating to human error (50%), dedicated cyber attacks such as distributed denial of service (DDoS), ransomware or SQL injection (45%), and lost documentation and devices (36%).

The report shows, for example, that 1 in 5 law firms have experienced an attempted cyber attack in the past month, and less than one-third (31%) of IT directors believe their firm is compliant with cyber-security legislation.

Shadow IT Worries

One other interesting area of confusion for law firms appears to be Shadow IT. This term describes the apps and services that employees bring into company systems without going through the approved channels, and the way employees use them in their own way to solve specific work problems. Many companies see it as a threat to control, security and business strategy, as well as being a strength in some situations.

The CenturyLink EMEA report shows that 11% of law firms have no shadow IT policies at all, and although one-third (33%) of firms don’t officially permit bring your own device (BYOD) or bring your own apps (BYOA), in reality 43% of IT decision-makers at law firms trust their IT teams to “do the right thing” for their business.

Not The First Negative GDPR Report

This is certainly not the first GDPR report with less than positive news. Only last month, a study by DMA group (formerly the Direct Marketing Association) revealed that more than 40% of UK marketers said their business is not ready for changes in the forthcoming General Data Protection Regulation (GDPR). One of the main issues highlighted in that report was confusion over issues of consent in GDPR. Some commentators have said that focusing too much on consent as a basis for data collection could mean that companies miss other options and issues, and end up not being ready and compliant in time.

What Does This Mean For Your Business?

The findings of this report are surprising in some ways, partly because in September last year media reports indicated that the legal profession was already preparing itself for the introduction of GDPR, both in terms of building a market for litigation and of making sure it fully understood the many different aspects of the Regulation and its implications. It appears, however, that legal firms are experiencing the same challenges as companies in other sectors. To some extent, the news that law firms are apparently not up to speed with GDPR is likely to be something of a relief to many businesses.

Law firms also face an added risk to their reputation, e.g. if they are hacked and there is a data breach due to non-compliance. This is why many law firms and other companies are now taking steps towards greater security by moving away from legacy, on-premises IT systems to private or public managed cloud arrangements. Outsourcing IT infrastructure to providers can offer a secure environment to support digital transformation initiatives, and managed services can minimise the risk posed by external attacks and free up internal resources to focus on innovative IT and business initiatives.

With GDPR, one of the key challenges for all companies, in addition to understanding consent issues, is making sure the technology is in place to handle data in a compliant way. Some technology products are now available to help deal effectively with data, and many tech commentators believe that developments in AI and machine learning / deep learning technologies will soon be usable by companies to support GDPR-compliant practices.

At this late stage, legal firms and those in other sectors clearly need to press on quickly and get to grips with GDPR and its implications. Ordinarily, one piece of advice for companies would be to seek professional advice to at least highlight which areas are most legally pressing, but in the light of this report it seems that some law firms may be struggling to see how GDPR applies to themselves, let alone to their customers.

Bad Broadband? Get Automatic Compensation…

Ofcom has announced that broadband and landline customers will be automatically able to get money back from their providers when things go wrong, without having to make a claim for it.

Review Brings ‘Automatic Compensation’ Agreement

After a review of, and intervention in, the broadband market by Ofcom, the providers BT, Sky, TalkTalk, Virgin Media and Zen Internet, which collectively serve around 90% of landline and broadband customers in the UK, have agreed to introduce automatic compensation that reflects the harm consumers suffer when things go wrong. Plusnet and EE have also indicated that they may join the scheme.

£142 Million

Compensation is currently only paid in approximately one in seven cases (15%) where landline or broadband customers have suffered slow repairs, delayed installations or missed engineer appointments. The actual amount of compensation paid in these cases is also widely recognised to be small.

With the new automatic compensation, the amounts paid are predicted to be around nine times higher with customers set to receive an estimated £142 million in payouts.

Entitlement

The new automatic compensation scheme will apply to fixed broadband and landline telephone services. Customers will be able to receive the compensation if:

  • Services have stopped working and are not fully fixed after two full working days. In these cases, customers will be entitled to £8 for each day it is not repaired.
  • An engineer doesn’t turn up for the scheduled appointment, or if the appointment is cancelled with less than 24 hours’ notice. In these cases customers should receive £25 per missed appointment.
  • A provider promises to start a new service on a particular date, but fails to do so. In this case, customers will be able to claim £5 for each day of the delay, including the missed start date.

Not For 15 Months

According to Ofcom, the complexity of launching the first ever automatic compensation scheme for telecoms customers, and the changes to providers’ billing systems, online accounts and call centres that will be required to implement the system will mean that it won’t come into effect for 15 months.

What Does This Mean For Your Business?

Ofcom’s own research shows that nine in ten adults report going online every day, and three-quarters of internet users say it is important to their daily lives. For businesses, a fast and reliable broadband connection is vital to operating and competing effectively in today’s marketplace. Problems with broadband services can be very costly and frustrating, and many businesses feel that they shouldn’t have to fight for compensation on top of the problems caused by poor service, and that current levels of compensation are too low and don’t come close to reflecting the harm caused. Automatic compensation at higher levels is, therefore, good news, although there are still 15 months to wait before the scheme starts.

The new automatic compensation scheme is particularly good news for small businesses because one-third of small and medium-sized enterprises (SMEs) choose residential landline and broadband services, and around half (49%) of SMEs don’t know if they’re entitled to compensation when service falls short (Ofcom figures).

It is also reassuring to know that the main providers are on board with the scheme, and that Ofcom plans to monitor its implementation, review it after one year, and step in if it’s not working well enough for customers.

Tech Tip – Android: Have Two WhatsApp/Facebook/Twitter Accounts On The Same Device

From Android Lollipop onwards you can create separate user accounts, e.g. to keep social and professional use apart, or because others use your device. This lets you manage your different identities / accounts for WhatsApp, Facebook or Twitter on the same device. Here’s how:

  • Set up a new user – go to Settings > Users > Add user.
  • Access the profile from the shortcuts by tapping on the user icon and choosing the profile you prefer.
  • In each of the profiles you will have separate personal files, e.g. photos and accounts of services such as Gmail, WhatsApp, Facebook, or Twitter.

Your Latest IT News Update

Fake WhatsApp – 1 Million Downloads

A fake version of WhatsApp, the free, cross-platform instant messaging service for smartphones, was downloaded from the Google Play store by more than one million unsuspecting people.

Supermarket Voucher Scam Via WhatsApp

WhatsApp is being used by ‘phishing’ fraudsters to circulate convincing links for supermarket vouchers in order to obtain your bank details.

Quarter of UK Workers Deliberately Breach Confidentiality

Research commissioned by data privacy and risk management firm Egress Software Technologies has revealed that a quarter of UK workers have purposefully shared confidential business information outside their organisation.

Art Galleries And Dealers Defrauded Through Email Hack

Art galleries and dealers in the UK have lost hundreds of thousands of pounds after being targeted by email hackers.

Cuts Mean Fewer ATMs But More Cashless Payments

Banking industry group LINK has warned that a plan to cut the fees that fund its cash machines could mean that more ATMs will be axed.

Tech Tip – Clear App Defaults

If a link opens in a certain app rather than in the browser on your Android phone e.g. a link to a Facebook page or a Tweet, you could find yourself waiting around while your phone shuts down Chrome before it loads something else. You can avoid this by:

Supermarket Voucher Scam Via WhatsApp

WhatsApp is being used by ‘phishing’ fraudsters to circulate convincing links for supermarket vouchers in order to obtain your bank details.

How Does The Scam Work?

The WhatsApp messenger app is being used to send messages purporting to be from well-known supermarkets such as Asda, Tesco and Aldi that contain a link to an online survey. The message tempts the receiver into completing the survey with the offer of hundreds of pounds worth of shopping vouchers.

In order to complete the survey, victims must give financial information, and have to send the link to 20 contacts in order to receive the vouchers. This helps to legitimise the scam as the contacts are likely to recognise and trust the sender.

Small Differences In Letters

The bogus supermarket link has been able to fool more than 30 people so far because of a very subtle, difficult-to-spot substitution of certain letters with similar-looking characters. For example, the d in Aldi was swapped for a ḍ (notice the small dot underneath), which is actually a separate Latin character. A đ, known as a ‘crossed D’ (or dyet), has also been used instead of a normal lower-case d in order to fool potential victims.
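A defender-side check for the substitution described above, written as an added example (it is not part of the article and not a tool of any named organisation): it reduces each label of a link’s hostname to the ASCII string a reader would perceive, lists the non-ASCII characters by name, shows the Punycode form that DNS actually resolves, and flags labels that look like a watched brand but are not spelled in plain ASCII. The brand watch-list and the table of look-alikes that Unicode decomposition does not handle (such as đ) are constructed for the example and are not exhaustive.

```python
"""Look-alike character check for links (added example, not part of the article).

The scam described above swapped letters in a brand name for visually similar
Unicode characters such as ḍ (d with dot below) and đ (crossed d). This check
reduces each hostname label to the ASCII string a reader would perceive and
flags labels that resemble a watched brand but are not plain ASCII.
"""
import unicodedata
from urllib.parse import urlparse

WATCHED_BRANDS = {"aldi", "tesco", "asda"}  # constructed watch-list for the example

# Look-alikes that Unicode NFKD decomposition does NOT reduce to a base letter,
# so they need an explicit mapping (constructed, not exhaustive).
EXTRA_CONFUSABLES = {"đ": "d", "ı": "i", "ł": "l", "ø": "o"}


def ascii_skeleton(label: str) -> str:
    """Map a label to what a reader perceives: strip marks, map known look-alikes."""
    out = []
    for ch in label.lower():
        ch = EXTRA_CONFUSABLES.get(ch, ch)
        # NFKD splits ḍ into 'd' + COMBINING DOT BELOW; drop the combining mark
        base = "".join(c for c in unicodedata.normalize("NFKD", ch)
                       if not unicodedata.combining(c))
        out.append(base)
    return "".join(out)


def check_label(label: str) -> dict:
    """Describe one hostname label and say whether it impersonates a watched brand."""
    non_ascii = [ch for ch in label if ord(ch) > 0x7F]
    skeleton = ascii_skeleton(label)
    return {
        "label": label,
        "skeleton": skeleton,
        # the odd characters by code point and Unicode name, for the analyst
        "non_ascii": [f"{ch} U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}"
                      for ch in non_ascii],
        # what DNS resolves: the Punycode (xn--) form of an internationalised label
        "wire_form": label.encode("idna").decode("ascii") if non_ascii else label,
        # looks like a brand we watch, yet is not spelled with plain ASCII letters
        "suspicious": bool(non_ascii) and skeleton in WATCHED_BRANDS,
    }


def check_url(url: str) -> list:
    """Return the check result for every label of the URL's hostname."""
    host = urlparse(url).hostname or ""
    return [check_label(part) for part in host.split(".") if part]


if __name__ == "__main__":
    # constructed sample link in the style of the scam (not a real address)
    for result in check_url("https://www.alḍi.co.uk/survey"):
        print(result)
```

The skeleton is what makes the comparison work: ḍ decomposes to a plain d plus a combining mark, and đ is mapped explicitly, so both variants of the name collapse to the brand string while still being reported as non-ASCII. The wire form is worth showing to users and analysts because a browser may render the look-alike letters while the name that actually resolves begins with xn--.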

Unclear

As yet, it is unclear whether simply clicking on the link does something malicious such as downloading malware, but there have been reports that doing so on social media has caused the message to be shared without the consent of contacts.

Brand Used Twice This Week

This is the second time in a week that the value and trust of the WhatsApp brand has been exploited by fraudsters. Earlier this week there were reports that a fake version of the WhatsApp messaging service for smartphones was distributed to more than one million unsuspecting people after it was put on Google Play store. In that case, the bogus app was used to spread spam adverts.

Bad Timing

The association of the WhatsApp brand with scams is damaging anyway, but the timing is particularly bad with the announcement only last month that WhatsApp is about to launch ‘WhatsApp Business’, with a free version for small businesses, and a paid-for version (a chance for WhatsApp to monetise its services) for enterprises with a global customer base.

WhatsApp has also suffered from bad PR, again by association, after it was announced that WhatsApp had been used by London terror attacker Khalid Masood minutes before he killed and injured multiple people back in March. This, in turn, led to Home Secretary Amber Rudd campaigning to abolish end-to-end encryption in social media platforms and to enable ‘back doors’ to be built into them for use by the authorities.

What Does This Mean For Your Business?

This is another example of how fraudsters are using the powerful combination of the trust placed in brands, very convincing messages, and apparent referrals from friends to commit socially engineered fraud. Cyber-criminals are becoming ever-more sophisticated and devious in their methods, and our use of social media platforms and mobile devices, and the lack of time and attention that we can give to individual messages, are helping criminals to carry out fast and successful scams.

It should be remembered, however, that a social media / messaging platform is simply the medium, and not all messages posted therein can be trusted. As advised by Action Fraud, people should avoid unsolicited links in messages, even if they appear to come from a trusted contact.

Quarter of UK Workers Deliberately Breach Confidentiality

Research commissioned by data privacy and risk management firm Egress Software Technologies has revealed that a quarter of UK workers have purposefully shared confidential business information outside their organisation.

Sharing Confidential Business Information

The findings of the research, carried out by OnePoll on behalf of Egress and involving 2,000 UK workers who regularly use email as part of their jobs, make worrying reading for UK businesses and highlight the common but often overlooked security vulnerabilities of ‘insider threat’ and human error.

The research showed that not only have 24% of workers purposely shared info with other companies, but nearly 50% have received an email by mistake. This has meant that almost half (46%) of respondents in the research admitted to having received a panicked email recall request.

Malicious

In the case of ‘malicious’ insider threat, it is worrying that the research indicates that 24% of workers have purposely shared information with competitors, new or previous employers, and other entities. This amounts to a data breach that is difficult for companies to protect themselves against. Such leaks and breaches can undermine company efforts to comply with data protection laws and protect competitive advantage, and can leave companies open to huge financial risks, loss of customers and damage to their brands.

An example of insider threat that has been in the news (again) recently is the case of the disgruntled former Morrisons employee who stole and leaked the personal details of almost 100,000 staff to national newspapers, and on data-sharing websites. This resulted in a £2 million clean-up bill at the time, and now 5,518 former and current Morrisons employees are suing the company in the High Court.

Accidental

The Egress research appears to show, however, that the more likely risk most companies face is accidental email misuse. The research revealed that the biggest human factor in sending emails in error is ‘rushing’ (68%), while auto-fill technology caused almost half (42%) of respondents to select the wrong recipient from the list.

8% of those workers involved in the research even admitted to alcohol being involved with wrongly sent emails.

Sensitive Attachments

The research showed that almost one in ten (9%) of staff had accidentally leaked sensitive attachments e.g. bank details or customer information, thereby putting customers and their own company at risk.

What Does This Mean For Your Business?

Accidental misuse of email clearly represents a real and prevalent risk to businesses that could leave them open to a variety of potentially serious financial, legal, and market risks. High pressure, busy business environments can make it more difficult for employees to always make the correct checks on emails before they press the send button, but highlighting the issue and reminding people to be extra-careful with email checks can be a good starting point.
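The two accidental failure modes the research reports, a wrong recipient accepted from auto-fill and a sensitive attachment sent by mistake, expressed as pre-send checks a mail client or outbound gateway could run. This is an added example and not part of the Egress research or any vendor’s product; the organisation domain, address book, sample draft and the UK bank-detail patterns are all constructed for the example.

```python
"""Pre-send checks for outbound email (added example; not part of the Egress research).

Flags (1) recipients outside the organisation's domain, (2) external recipients
whose local part closely matches an internal contact, which is the classic
auto-fill mix-up, and (3) attachments containing bank-detail patterns. The
domain, address book, draft and patterns are constructed for the example.
"""
import difflib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INTERNAL_DOMAIN = "example-firm.test"                     # constructed
ADDRESS_BOOK = ["j.smith@example-firm.test",             # constructed internal contacts
                "a.jones@example-firm.test"]

# Constructed UK bank-detail patterns: a sort code (nn-nn-nn) and an 8-digit account number
SENSITIVE_PATTERNS = {
    "sort code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "account number": re.compile(r"\b\d{8}\b"),
}


@dataclass
class Draft:
    recipients: List[str]
    attachments: Dict[str, str] = field(default_factory=dict)  # filename -> text content


def external_recipients(draft: Draft) -> List[str]:
    """Recipients whose domain is not the organisation's own."""
    return [r for r in draft.recipients
            if r.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]


def autofill_near_misses(draft: Draft, cutoff: float = 0.8) -> List[Tuple[str, str]]:
    """External recipients whose local part closely matches an internal contact.

    Same name at another organisation is exactly how auto-fill picks the wrong entry.
    """
    hits = []
    for ext in external_recipients(draft):
        ext_local = ext.split("@")[0].lower()
        for internal in ADDRESS_BOOK:
            int_local = internal.split("@")[0].lower()
            if difflib.SequenceMatcher(None, ext_local, int_local).ratio() >= cutoff:
                hits.append((ext, internal))
    return hits


def sensitive_attachments(draft: Draft) -> Dict[str, List[str]]:
    """Attachments whose content matches a sensitive-data pattern."""
    found = {}
    for name, text in draft.attachments.items():
        kinds = [kind for kind, rx in SENSITIVE_PATTERNS.items() if rx.search(text)]
        if kinds:
            found[name] = kinds
    return found


def pre_send_warnings(draft: Draft) -> List[str]:
    """Human-readable warnings to show the sender before the message leaves."""
    warnings = [f"external recipient: {r}" for r in external_recipients(draft)]
    warnings += [f"possible auto-fill mix-up: {ext} looks like {internal}"
                 for ext, internal in autofill_near_misses(draft)]
    warnings += [f"sensitive content in {name}: {', '.join(kinds)}"
                 for name, kinds in sensitive_attachments(draft).items()]
    # sensitive material addressed outside the organisation deserves a hard stop
    if external_recipients(draft) and sensitive_attachments(draft):
        warnings.append("BLOCK: sensitive attachment addressed outside the organisation")
    return warnings


# Constructed draft: one colleague, one same-named contact at another firm,
# and an attachment that happens to contain bank details.
SAMPLE_DRAFT = Draft(
    recipients=["a.jones@example-firm.test", "j.smith@other-client.test"],
    attachments={
        "bank-details.txt": "Please pay to sort code 12-34-56, account 12345678.",
        "agenda.txt": "Meeting at 10am in room 4.",
    },
)

if __name__ == "__main__":
    for line in pre_send_warnings(SAMPLE_DRAFT):
        print(line)
```

Run on the sample draft, the check reports the external recipient, points out that j.smith at the other firm looks like the internal j.smith, names the attachment containing a sort code and account number, and raises a block because that attachment is addressed outside the organisation. A clean internal draft produces no warnings, which matters in practice: a check that fires on every message is one users learn to click through.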

The research also shines an important light on insider threat. Crowd Research Partners, for example, have found that 74% of organizations are vulnerable to insider threats, and 75% of survey respondents estimated insider threats cost their companies at least $500,000 in 2016.

There are many well-documented (see online) behavioural indicators of insider threat, the most common one being a lack of awareness e.g. employees with savvy IT skills creating workarounds to technology challenges, or employees using personal devices to access work emails.

Companies can help protect themselves by adopting a holistic and layered approach to user behaviour analytics to help spot potential risks. Companies need to pay attention to security infrastructures, and to adopt a comprehensive, risk-based security strategy that includes:

  • Awareness, education and training – compliance with security best practices, employee training and security monitoring.
  • Behaviour monitoring for detecting and mitigating insider threats.
  • Implementing appropriate procedures when employees leave, e.g. denying them further access to IT systems.
  • Information governance to provide the intelligence that drives security policies and controls.
  • User-based analytics to provide detection and predictive measures.
  • Development of an incident response program to consider internal and external breaches.
  • Being clear on legal and regulatory considerations.
  • A cross-organisational effort (people, processes and technology) to gain a detailed understanding of the organization’s assets and security posture.