Archive for the ‘Security’ Category

Adopt ‘HTTPS’ Or Face Being Penalised by Google

Posted on: February 16th, 2018 by Mike Knight No Comments

Google has announced that websites without ‘HTTPS’ in front of their domains will be labelled as ‘Not Secure’ in version 68 of Chrome, starting this July.

What Is HTTPS and Why Does It Matter?

HTTPS stands for Hyper Text Transfer Protocol Secure. It is the secure version of HTTP, the protocol over which data is sent between your browser and the website you are connected to. With HTTPS, all communications between your browser and the website you visit are encrypted.

In practical and technical terms, having HTTPS in front of your website URL means that:

  • Every unprotected HTTP request could reveal information about the behaviours and identities of your users. HTTPS therefore provides critical security and data integrity for both your websites and your users’ personal information. For example, no one with access to your router or ISP can get in the middle and intercept information sent to websites, spy on what you’re doing, or inject malware into legitimate pages.
  • Intruders (benign and malignant) now target every unprotected resource between your website and its users, e.g. images, cookies, scripts, and HTML. HTTPS provides a kind of blanket protection. ‘Intruders’ could include intentionally malicious attackers, as well as legitimate but intrusive companies, e.g. ISPs or hotels that inject adverts into pages.
  • HTTPS doesn’t just block misuse of your website; it is now also a requirement for many cutting-edge features, and is an enabling technology for app-like capabilities such as service workers, or building progressive web apps.
  • Many older APIs are now being updated to require permission to execute, e.g. the geolocation API. HTTPS is, therefore, a key component of the permission workflows for both new features and updated APIs.

Naming and Shaming

Google’s Chrome Security Product Manager, Emily Schechter, has announced on the Google Blog that, as from July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”. Google has played down this more direct move as being simply another step in a progression that has seen it gradually marking a larger subset of HTTP pages as “not secure” over the last year. Those companies and organisations that have not yet got their secure certificates may, however, be left thinking that this looks more like a naming and shaming.

Google isn’t the only company to adopt this kind of tactic. Mozilla took a similar approach to sites using HTTP back in December with Firefox Nightly version 59.

Cost

The cost of secure certificates varies e.g. popular host GoDaddy offers HTTPS for one website for around £44 per year (£55 when you renew it). Google’s blog post avoids discussion of the cost, and focuses more on the benefits, the risks of not getting one, and makes the point that secure certificates are now more affordable than ever.

According to Google’s figures, many sites have already switched to HTTPS, with a reported 68% of Chrome traffic on Android and Windows now protected, 78% of Chrome traffic on Chrome OS and Mac now protected, and 81 of the top 100 sites on the web now using HTTPS by default.

What Does This Mean For Your Business?

Clearly, any thought that a secure certificate will only be needed by websites that directly take payments is likely to be wrong. Google is committed to making HTTPS the default standard – on its blog it says ‘a secure web is here to stay’. The fear for businesses, in addition to the fear of cyber attacks, is that if you don’t have HTTPS for your business website soon, it could suffer in the search engine rankings, and potential customers could be scared away by visual warnings that the site is somehow, suddenly not secure. For smaller businesses this could be particularly damaging.

If having HTTPS reduces the risk of cyber crime then the benefits of buying a secure certificate will outweigh the cost, but for many smaller businesses, this may feel like they are being forced to pay an extra cost each year, and it may also force cyber criminals to change their tactics e.g. move more into social engineering attacks, and perhaps turn to AI-powered attack methods.

UK Government Unveils Online Extremism Blocker

Posted on: February 16th, 2018 by Mike Knight No Comments

Home Secretary Amber Rudd has unveiled the UK government’s new tool for detecting and blocking online extremist and jihadist content.

Publicly Funded

The new tool was developed by artificial intelligence company ‘ASI Data Science’ based in London, and was funded using £600,000 of public funds.

Tackling A Growing Problem

The tool was developed to tackle the growing problem of extremist / jihadist (e.g. IS) content being posted online, and of current moderating techniques simply not being able to keep up with the job of detecting and removing it fast enough. For example, as well as the popular video platforms for posting such content, the Home Office estimates that between July and the end of 2017, extremist material appeared in almost 150 web services that had not been used for this kind of propaganda before.

An ASI Data Science spokesperson is reported as saying that there are currently over 100 different (extremist / IS) videos posted on over 400 different platforms online.

The danger is of course, that the material can contribute to the promotion of extremist causes, the radicalisation of people, the recruitment of new terror group members, and inspiring individuals / groups to commit their own acts of terror. Some of the content can also be very disturbing e.g. if viewed by children online.

How The New Tool Works

The new tool is reported to have an AI element which has enabled it to be ‘trained’ to correctly pick out extremist content. For obvious reasons, the exact workings of the tool are being kept secret, but it is understood that the tool uses an algorithm to detect signals that contribute to a level of probability (low to high) that a video is likely to be terrorist propaganda rather than e.g. a legitimate news video. The tool can be applied at the point of upload on a video platform, thereby stopping the propaganda video from being uploaded in the first place.

This tool is reported to be able to accurately detect 94% of IS video uploads, while typically flagging only 0.005% of non-IS video uploads. On a site with five million daily uploads, for example, it would flag 250 non-IS videos for review / for a human decision to be taken.

Others Have Tried

Facebook and Google are known to have been trying to develop their own terror material filtering tool, and this UK version is thought to be suitable for use by smaller platforms first.

Home Secretary Says…

Home Secretary Rudd is reported as saying that even though the tool has been developed, the UK government won’t rule out taking legislative action too where necessary, and that an industry-led forum such as The Global Internet Forum to Counter Terrorism, launched last year, will also help to tackle the issue.

What Does This Mean For Your Business?

For businesses using the smaller social media and video platforms, this tool could be a practical solution to current moderation problems. For the UK government, it provides some good publicity, a chance to gain back some ground in the online battle with terror groups such as IS, and a way to be seen to be tackling worries about the radicalisation of UK citizens. It also provides a way for the Home Secretary to apply more pressure to the popular social media platforms, some of which the UK government has criticised for not acting quickly enough to detect and remove extremist content.

For UK businesses generally, association with and use of advertising platforms that are free of extremist and unsavoury material is obviously better from a brand protection point of view. It is, however, a fact that Facebook and Google are hugely important for business advertising, and that PPC advertising for example, is unlikely to be affected by whether the chosen video / social media platform adopts such a screening-tool in the near future.

Cryptojacking Discovered On Government Websites

Posted on: February 16th, 2018 by Mike Knight No Comments

A UK security researcher has discovered that cyber criminals have been using public sector websites, including that of the UK’s Information Commissioner’s Office for cryptojacking.

What Is Cryptojacking?

Typically, cryptojacking involves hackers / scammers installing ‘mining script’ code, such as Coin Hive, into multiple web pages without the knowledge of the website owners. The compromised website then runs the cryptomining code, which is written in JavaScript, inside the victim’s web browser when they visit the website. The scammer is then able to get multiple computers to join their network so that the combined computing power will enable them to solve mathematical problems. Whichever scammer is first to solve these problems is then able to claim / generate cash in the form of crypto-currency.

If, for example, a website is able to get one million visitors a month, and if the Coin Hive Web Miner for Monero (XMR) is used, it could generate an income of £88 in the Monero crypto-currency.

Modified BrowseAloud Plugin

In this latest discovery by security researcher Scott Helme, criminals were found to be using a modified version of the BrowseAloud plugin to enable cryptojacking through government websites. The BrowseAloud plugin is normally used to make websites more accessible to visually impaired people, but in this case, attackers were found to have planted malicious code in the JavaScript file to use the browser CPU in an attempt to illegally generate cryptocurrency.

It is thought that criminals targeted this plugin because public sector websites need to comply with legal obligations to make their information accessible to people with disabilities.

Which Government Websites?

A recent investigation has discovered that around 5,000 websites are being targeted using this kind of cryptojacking. The government websites affected include the websites of the UK’s Information Commissioner’s Office (ICO), NHS websites, the General Medical Council website, some UK local council websites, the Student Loans Company site, some Australian government department websites, and even the US Courts website.

What Does This Mean For Your Business?

Many businesses and organisations simply aren’t able to see and take account of all of the ways they can be attacked externally. Also, it’s not always easy to understand what belongs to your organisation, how it is connected to the rest of your asset inventory, and what potential vulnerabilities are exposed to compromise.

The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses. There are, however, some simple measures that your business can take to avoid being exploited as part of this kind of scam.

If, for example, you are using an ad blocker on your computer, you can set it to block one specific JavaScript URL which is https://coinhive.com/lib/miner.min.js. This will stop the miner from running without stopping you from using any of the websites that you normally visit.

Also, a dedicated browser extension called ‘No Coin’ is available for Chrome, Firefox and Opera. This will stop the Coin Hive mining code being used through your browser. This extension comes with a white-list and an option to pause the extension should you wish to do so.
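The blocking advice above protects the visitor; a site owner can run the complementary check against their own page source. The following is an added example, not code from the original post or from any of the parties named in it: it lists every third-party script host a page loads and flags any reference to the Coin Hive miner URL quoted above. The sample page, the `accessibility.example.net` plugin host and the `www.example.gov.uk` site host are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# The one URL the post says to block; its host is our only blocklist entry.
MINER_URL = "https://coinhive.com/lib/miner.min.js"
KNOWN_MINER_HOSTS = {urlparse(MINER_URL).hostname}


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []    # values of <script src="...">
        self.inline = []      # text of <script>...</script> blocks without src
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True

    def handle_data(self, data):
        if self._in_inline:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline = False


def _is_miner_host(host):
    return any(host == m or host.endswith("." + m) for m in KNOWN_MINER_HOSTS)


def audit_scripts(html, own_host):
    """Return the third-party script hosts a page loads and any findings
    that reference a known miner host, externally or inside inline code."""
    parser = ScriptCollector()
    parser.feed(html)
    third_party, findings = set(), []
    for src in parser.external:
        # urlparse handles absolute and protocol-relative (//host/...) URLs;
        # a relative path has no host and is treated as first-party.
        host = urlparse(src).hostname
        if host is None or host == own_host:
            continue
        third_party.add(host)
        if _is_miner_host(host):
            findings.append(("external", src))
    for body in parser.inline:
        # Injected loaders often create the <script> element at runtime, so
        # the miner host may appear only as a string inside inline code.
        if any(m in body for m in KNOWN_MINER_HOSTS):
            findings.append(("inline", body.strip()))
    return {"third_party": sorted(third_party), "findings": findings}


# Constructed sample page: one first-party script, an accessibility plugin on
# a hypothetical host, a direct miner reference, and an inline runtime loader.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://accessibility.example.net/plugin.js"></script>
<script src="//coinhive.com/lib/miner.min.js"></script>
<script>var s=document.createElement('script');
s.src='https://coinhive.com/lib/miner.min.js';document.head.appendChild(s);</script>
</head><body></body></html>"""

if __name__ == "__main__":
    report = audit_scripts(SAMPLE_PAGE, own_host="www.example.gov.uk")
    print("third-party script hosts:", report["third_party"])
    for kind, detail in report["findings"]:
        print(f"MINER REFERENCE ({kind}): {detail}")
```

Every host in the third-party list is code the site owner does not control and would have to re-check after a plugin update; the blocklist here holds only the host named in the post, so extend it from a maintained list in practice.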

Coin Hive’s developers have also said that they would like people to report any malicious use of Coin Hive to them.

Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current scams and what to do to prevent them, are just some of the ways that you could maintain a basic level of protection for your business.

Digital threat management software is also an option that can help companies to continuously discover an inventory of their externally facing digital assets, and to manage the risks across the entire attack surface.

X-Day Was February 15th – Prepare For GDPR

Posted on: February 16th, 2018 by Mike Knight No Comments

Network services provider EfficientIP has warned businesses that, in reality, February 15th was the last day that organisations can ensure their real-world compliance with GDPR.

I Thought May 25th Was The Deadline?

May 25th is the actual date that companies and organisations need to ensure that they are compliant with GDPR. However, the point that EfficientIP made in an announcement last week is that, realistically, it actually takes 99 days to detect a data breach. This gives hackers time to ‘exfiltrate’ data, or remove it without detection. Taking this into account, February 15th is exactly 100 days before May 25th 2018, and could, therefore, be regarded as the last day organisations can ensure real-world compliance with GDPR.

Dubbed ‘X-Day’

With this point in mind, some Cyber Security experts have started referring to February 15th as “X-Day” because it is the last day companies can prevent data exfiltration attacks without potential prosecution by regulators.

What Is Data Exfiltration?

Data exfiltration is the unauthorized copying, transfer or retrieval of data from a computer or server. Hackers can, for example, use the DNS protocol to very quickly transfer large amounts of personal and sensitive data out of your company systems, e.g. customer data such as credit card numbers, or company information such as financial records.
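DNS carries data out by packing it into query names, so the defender’s signal is in the names themselves. The following is an added example, not from the original post or from EfficientIP: it scans DNS query log lines for three indicators of exfiltration (an unusually long label, a high-entropy label, and many distinct names under one zone from one client). The log format, the client addresses, the `example.*` domains and the thresholds are all constructed assumptions, and the registered domain is taken naively as the last two labels rather than via a public suffix list.

```python
import math
import re
from collections import defaultdict

# Illustrative thresholds, not tuned values; adjust to your own baseline.
MAX_LABEL_LEN = 40           # host labels are normally short; encoded chunks are long
MIN_LABEL_FOR_ENTROPY = 16   # only score labels long enough to be meaningful
MIN_ENTROPY = 3.5            # bits/char; hex or base32 chunks sit around 4
MIN_UNIQUE_SUBDOMAINS = 20   # many never-repeated names under one zone

# Constructed log format: "<time> <client> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or uniform)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain labels, registered domain); naive last-two-label rule."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def analyse(lines):
    """Return a list of alerts, one per suspicious query plus one per
    (client, domain) pair that queried too many distinct subdomains."""
    alerts = []
    seen = defaultdict(set)   # (client, domain) -> distinct subdomain strings
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip lines that are not queries
        _ts, client, qname, _qtype = m.groups()
        sub_labels, domain = split_name(qname)
        if sub_labels:
            seen[(client, domain)].add(".".join(sub_labels))
        longest = max(sub_labels, key=len, default="")
        reasons = []
        if len(longest) > MAX_LABEL_LEN:
            reasons.append(f"label_len={len(longest)}")
        if len(longest) >= MIN_LABEL_FOR_ENTROPY:
            ent = shannon_entropy(longest)
            if ent > MIN_ENTROPY:
                reasons.append(f"entropy={ent:.2f}")
        if reasons:
            alerts.append({"client": client, "qname": qname, "reasons": reasons})
    for (client, domain), subs in seen.items():
        if len(subs) >= MIN_UNIQUE_SUBDOMAINS:
            alerts.append({"client": client, "qname": domain,
                           "reasons": [f"unique_subdomains={len(subs)}"]})
    return alerts


# Constructed sample: three ordinary lookups, two queries carrying an encoded
# chunk in the leftmost label, and one client cycling through 20 names.
SAMPLE_LOG = [
    "12:00:01 10.0.0.7 www.example.com A",
    "12:00:02 10.0.0.7 cdn.assets.example.net A",
    "12:00:03 10.0.0.7 mail.example.com MX",
    "12:00:04 10.0.0.5 0123456789abcdef0123456789abcdef0123456789abcdef.data.example.org TXT",
    "12:00:05 10.0.0.5 0123456789abcdef0123456789abcdef.data.example.org TXT",
] + [f"12:01:{i:02d} 10.0.0.9 chunk{i:02d}.tunnel.example.org A" for i in range(20)]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert["client"], alert["qname"], ", ".join(alert["reasons"]))
```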

EfficientIP have pointed out that most of the companies breached after February 15th 2018 will only discover the attack after GDPR is in force, and will, therefore, (legally) only have 72 hours to publicly disclose the breach.

How Common is Exfiltration?

EfficientIP’s own research shows that as many as 24% of companies have suffered data exfiltration in the past year.

Positive View

Although the EfficientIP announcement is a warning, and companies already know that failing to comply with GDPR will bring large fines and that data breaches can cause irreparable damage to a company and its reputation, there are some very positive reasons for preparing now for GDPR. For example, a recent Veritas survey showed 95% of decision-makers expect a positive outcome from GDPR compliance, and 92% think they would benefit from having better data hygiene.

68% of respondents in the Veritas survey also said that getting GDPR compliant would give them a better insight into their business, which could help to improve the customer experience, and that compliance could actually save the company money.

Getting Motivated

It’s all very well issuing worrying warnings, but companies not yet compliant need to find effective ways to drive the cultural and organisational changes needed to get to grips with GDPR going forward. These motivators, also highlighted in a recent Veritas survey, could include adding compliance to employee contracts (47%), implementing disciplinary action if the regulation is disobeyed (41%), and educating employees about the benefits of GDPR (40%).

What Does This Mean For Your Business?

GDPR is just around the corner and this ‘X-Day’ warning is an indicator that realistically, GDPR compliance shouldn’t be put off any longer.

Data management commentators suggest that companies should adopt an automated, classification-based, policy-driven approach to GDPR so that they can meet the regulatory demands within the short time frame available.

Businesses have now heard all the warnings, and many companies and organisations are now starting to come around to the idea of focusing on the positive outcomes and benefits that GDPR compliance will bring, such as increased revenues resulting from improved customer loyalty, heightened brand reputation, and competitive differentiation in the market.

There is also now a growing realisation that companies will prefer to have business relationships with GDPR compliant companies to help ensure their own compliance. This means that GDPR compliance will become a basic necessity to enable companies to compete in a normal way in today’s business environment.

Firefox Users Advised To Update

Posted on: February 13th, 2018 by Mike Knight No Comments

Cisco’s security team has advised Firefox users to install Mozilla’s latest update for its web browser after a potentially serious security vulnerability was discovered.

Malicious Code Danger

According to Cisco’s researchers (and confirmed by Mozilla), the vulnerability has been caused by “insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software”.

This means that unless Firefox users install the latest security patch update, they run the risk of remote hackers exploiting the vulnerability by persuading them to access a link or file that submits malicious code to the affected browser software.

Take Control Of The System

This kind of exploit could then enable an attacker to execute arbitrary code with the privileges of the user. If a user has elevated privileges, for example, this could even mean that the attacker could compromise the entire system. Once an entire system has been taken over, the attacker is then free to install programmes, create new accounts with full user rights, and to view, change or delete data.

Which Firefox Versions Are Affected?

The vulnerability is reported to affect Firefox web browser versions 56 (.0, .0.1, .0.2), 57 (.0, .0.1, .0.2, .0.3, .0.4), and 58 (.0). The Android Firefox browser app and Firefox 52 ESR are not affected.

How Can You Protect Your Systems?

The advice appears to be that Firefox users should download the browser update patch as soon as possible. The advisory information can be found here https://www.mozilla.org/en-US/security/advisories/mfsa2018-05/ and the patch can be found on the Mozilla website here: https://www.mozilla.org/en-US/firefox/new/?scene=2 .

Administrators can also help to safeguard systems by using an unprivileged account when browsing the Internet, and by monitoring critical systems.

What Does This Mean For Your Business?

The recent Malwarebytes annual State of Malware report showed that the UK is now the most targeted region in the world for cyber threats, so it is important for businesses to take action to patch any known vulnerabilities as soon as possible.

Since an exploit of this kind via Firefox would first require the user to open a malicious link or file, businesses should instruct all staff members not to open any email messages from suspicious or unrecognised sources. If users cannot verify that links or attachments included in email messages are safe, they should also be advised not to open them. Businesses should make it a matter of email policy and good practice that users first verify whether any unsolicited links are safe to follow.

Staying up to date with patching known vulnerabilities is an important part of the basic cyber security of business systems. For example, back in August 2017, the Fortinet Global Threat Landscape Report found that not only are 9 out of 10 businesses being hacked through un-patched vulnerabilities, but that many of these vulnerabilities are 3 or more years old, and already have patches available for them. In the case of Firefox, therefore, the patch should be downloaded immediately.

Bitcoin Battered

Posted on: February 13th, 2018 by Mike Knight No Comments

Cryptocurrency Bitcoin’s value has now dropped to $6,000, a fall of $13,000 since November 2017.

What Is Bitcoin?

Bitcoin is a digital web-based currency that operates without the need for central banks and uses highly secure encryption to regulate the currency units and to verify transfers of funds. Bitcoin, which was first produced in 2009, uses the ‘Blockchain’, an open and programmable technology that can be used to record transactions for virtually anything of value that can be converted to code and is often referred to as a kind of ‘incorruptible ledger’.

In order to receive a Bitcoin, a user must have a Bitcoin address i.e. a ‘purse’ (of which there is no central register).

Bubble

Warnings of a Bitcoin ‘bubble’ were being delivered last year after its value rocketed from $1,000 to $19,000 in the space of less than a year.

Why The Fall In Value?

Several factors have led to the rapid fall in value since November last year. These include:

  • Tightening legislation and government opposition. Back in September, for example, China ordered exchanges to cease trading in the cryptocurrency as a way to gain control of the cryptocurrency through forced licensing. Also, China and South Korea have now banned initial coin offerings, Japan and Australia have taken steps to tighten Bitcoin regulations, and US restrictions look set to follow.
  • Negative predictions by currency experts. These include the news reports of the Bitcoin ‘bubble’, plus financial regulators in the UK and France warning investors that they could lose their money if they buy digital currencies issued by companies, known as “initial coin offerings”.
  • Banks and credit card companies banning cryptocurrency purchases using credit cards. With fewer people able to buy cryptocurrencies, this has had the most recent downward effect on the value of Bitcoin.
  • Cyber criminals cashing in. Crime is toxic to reputations, and Bitcoin has been increasingly targeted by criminals. For example, Slovenian-based Bitcoin mining marketplace NiceHash reported the theft of Bitcoin to an estimated value of $80m back in December, alongside an escalation of ‘crypto-jacking’. This happens where people’s devices are taken over by criminals trying to mine crypto-currencies, such as via the Android phone-wrecking Trojan malware dubbed ‘Loapi’. Bitcoin has been widely publicised as having links with crime, e.g. to evade traditional money laundering checks and other regulations. Bitcoin is often named as the currency that ransomware scammers request their victims to pay with because of the anonymity that it offers. Some currency commentators have even suggested that the recent surge in the value of Bitcoin towards the end of last year was partly caused by European banks buying Bitcoin to pay off ransomware as a short-term way to deal with cyber-security.
  • Investors purchasing alternatives. As investors look for alternatives to the volatile Bitcoin bubble, this has had a negative effect on the value of Bitcoin, and a brief positive effect on the value of other cryptocurrencies.

What Does This Mean For Your Business?

From an investment point of view, Bitcoin is clearly risky. There are other cryptocurrency alternatives e.g. Ripple, Ethereum, Litecoin, but they all appear to have been tarred with the same brush as Bitcoin, particularly with the announcement that credit cards can’t be used to buy them.

Many of the possible advantages of cryptocurrencies to businesses e.g. to use for fast global trading and investing outside of bank controls, delays and red tape, are currently being overshadowed by the actions of banks and governments.

Cryptocurrencies may be currently in a dip, but the importance of other new technologies to businesses such as AI and driverless vehicles is finally being reflected in the value of the shares of companies who are leading the charge in those technologies, which are likely to provide many global business opportunities going forward.

Virgin Credit Cards: No To Crypto

Posted on: February 13th, 2018 by Mike Knight No Comments

Shortly after Lloyds Bank announced that it would be banning customers from buying crypto-currencies such as Bitcoin using their credit cards, Virgin Money is now adopting the same policy.

Why?

The volatility of cryptocurrencies such as Bitcoin has led Lloyds, and now Virgin Money, to try to protect their customers from running up large debts following a sharp fall in the value of a digital currency they’ve bought. Several of the biggest issuers of credit cards in the US, including Bank of America, Citigroup, JP Morgan, Capital One and Discover, have also banned customers from using their cards to buy digital currency.

Bitcoin is a perfect example of how volatile a digital currency can be. For example, at the start of 2017, one Bitcoin was worth $1,000, reached highs of around $19,000 at the end of last year, and has since plummeted to $8,291.87, its worst performance since April 2013.

The rapid rise in the value of Bitcoin last year, was also accompanied by consumers being targeted by adverts and information which acted as a temptation and incentive to invest with the promise of big returns, with many investors being inexperienced in currency investments, and unaware of the potential risks. Facebook, for example, has recently announced that it will now block any advertising that promotes crypto-currency products and services.

Bank Could Lose

Some money commentators have made the point that although the move by Lloyds and now Virgin Money could offer some protection for customers, the banks are also helping themselves because if a person buys anything on credit, such as large amounts of cryptocurrencies, it’s the bank that stands to lose if the person can’t repay the debt.

Bitcoin, for example, also operates outside of the control of banks, which may be another reason why banks may not like it.

Used By Criminals?

The police and the UK government have also taken the opportunity presented by the announcements of Lloyds and Virgin Money to make the point that digital currencies are also popular among criminals because they can use them to evade traditional money laundering checks and other regulations.

Prime Minister Theresa May, for example, has stated that action against digital currencies may be needed because of their connection to criminal activity. At the risk of sounding cynical, some money commentators have pointed out that governments tend not to like some cryptocurrencies because they are beyond their control, and they can’t (yet) make revenue from them. For example, the Chinese government has long battled with the challenges posed by Bitcoin.

What Does This Mean For Your Business?

This move by two banks, with more likely to follow, sets a new precedent. Banks don’t like unsecured risks being taken with their money, and buying cryptocurrencies on credit appears to represent a far greater risk to them than traditional gambling which you can still use a credit card for (although it will be treated as a high interest cash loan).

It’s also worth remembering that banks and governments are likely to be less happy about things that they can’t control, regulate, and raise revenue from.

Even though criminals are known to use cryptocurrencies such as Bitcoin for just these reasons (and the anonymity), it is also worth pointing out that Bitcoin actually has many attractive advantages for businesses such as the speed and ease with which transactions can take place, which is actually due to the lack of central bank and traditional currency control. Using Bitcoin also means that cross-border and global trading is made much easier and faster.

Also, even though Bitcoin looks too volatile for many to invest in at the moment, the cryptocurrency has lasted through many ups and downs (hacks and government opposition), it is still popular, and its widening popularity and potential uses for its underlying technology ‘Blockchain’ mean that Bitcoin still has a future.

From a consumer / potential individual investor’s perspective, the move by Lloyds, Virgin, and the big US credit card companies does, however, look likely to provide some responsible and sensible protection for the time-being.

Facial Recognition Arrest Claims Via Twitter

Posted on: February 13th, 2018 by Mike Knight No Comments

South Wales Police have taken to social media to announce news of the latest arrests made using Automated Facial Recognition (AFR) technology.

First Used At Champions League Finals Week

The AFR system was first used by South Wales Police last June at the Champions League final at the Millennium Stadium in Cardiff. AFR incorporates facial recognition, uses slow time static face search, and links to specialist software that can compare a camera image of a face to 500,000 custody images from the Police Record Management system in order to find a match.

Ironically, the first arrest made in Cardiff at the time using AFR was actually a local man whose arrest was unconnected to the Champions League, and who was identified by a van-mounted camera days after the match.

Police Tweets

The latest announcements of AFR-related arrests have made the news because they relate to the use of AFR at the recent Six Nations rugby tournament, because they were delivered via Twitter, and because some media commentators have seen them as boastful in style.

For example, project leader Scott Lloyd took to Twitter to publicise the first identification and arrest made “within an hour”, and the drugs arrest of another man on a warrant using AFR in Cardiff City Centre a short time later. Mr Lloyd also announced another “UK policing first” with the arrest of a third person, identified from night club CCTV a month earlier.

Controversy

The increased use of AFR at events has, however, been criticised by groups such as Big Brother Watch for infringing people’s rights, having no clear basis for its use, and for edging the UK closer to a ‘surveillance state’.

There have also been reports of a possible 35 false matches and one wrongful arrest after the London Metropolitan Police used AFR at the last Notting Hill Carnival.

What Does This Mean For Your Business?

So far, AFR has proven to be a relatively expensive system for the number of arrests it has delivered (£177,000 for its use in Cardiff for 1 arrest), and it has generated a lot of negative publicity and suspicion. It is little wonder, therefore, that a police spokesperson has been only too happy to take to an immediate way (Twitter) of announcing every arrest as it happens in an attempt to boost public confidence in the system, and to demonstrate some value for money.

With the introduction of GDPR this year, however, questions will no doubt be asked about the security and privacy of the images captured by the AFR system, as personal images do fall under the category of personal data.

Despite the findings of a study from YouGov / GMX of August 2016 that showed that UK people still have a number of trust concerns about the use of biometrics for security, biometrics actually represents a good opportunity for businesses to stay one step ahead of cyber criminals. This is because biometric authentication / verification systems are thought to be far more secure than password-based systems, which is the reason why banks and credit companies have already started using them.

All this said, facial recognition systems are widely believed to have value-adding, real-life business applications. For example, last May, a ride-hailing service called Careem (similar to Uber but operating in more than fifty cities in the Middle East and North Africa) announced that it was adding facial recognition software to its driver app to help with customer safety.