Author: Rob Burdett

50 Million Facebook User’s Data With Cambridge Analytica

Posted on by Rob Burdett

Facebook is at the heart of a storm after a whistleblower alleged that the data analytics firm that worked with Donald Trump’s election team and the winning Brexit campaign harvested 50 million Facebook profiles from a data breach.

Why?

London-based data analytics company, Cambridge Analytica, which was once headed by Trump’s key adviser Steve Bannon, has been accused of illegally harvesting 50 million Facebook profiles in early 2014 in order to build a software program that could predict and use personalised political adverts to influence choices at the ballot box in the last U.S. election.

Under Investigation

Cambridge Analytica is already the subject of two inquiries in the UK. The first is by the Electoral Commission which is looking into the company’s possible role in the EU referendum. The second is by the Information Commissioner’s Office which is looking into the company’s possible use of data analytics for political purposes.

Also, the company is the subject of an investigation in the US over possible Trump-Russia collusion.

It has been reported that Elizabeth Denham, the head of Britain’s Information Commission, is seeking a warrant to search the offices of consultancy Cambridge Analytica over the breach.

Facebook Under Scrutiny

Facebook has, of course, faced strong criticism over the breach, one tangible result of which has been nearly $40 billion off its market value as Facebook’s investors have become worried that damage to the reputation of the social media giant’s network will deter users and advertisers.

In a BBC radio report, the ICO’s chief Elizabeth Denhan said that the ICO is looking at whether or not Facebook secured and safeguarded personal information on its platform, and whether Facebook, when they found out about the loss of the data, acted robustly and whether or not people were informed.

Also, the head of Britain’s cross-party Media parliamentary committee is reported to have written to Facebook’s Mark Zuckerberg asking for more information by Monday 26 March, and in Dublin, Ireland’s privacy watchdog (the lead regulator for Facebook in the European Union) has said that it is following up with Facebook to clarify its oversight.

Harvested By Kogan’s App

It has been reported that the data was harvested from Facebook by an app on Facebook’s platform, created by British academic, Aleksandr Kogan, that was downloaded by 270,000 people, providing access to their own and their friends’ personal data too. It has been reported that Kogan says he changed the terms and conditions of his personality-test app on Facebook from academic to commercial part way through the project.

Facebook has said that Kogan violated its policies by passing the data to Cambridge Analytica, and Facebook was told that the data has since been destroyed, and has made its own efforts to obtain proof that it has been destroyed.

Mr Kogan has said on BBC radio that he was advised that the app was entirely legal, and that he thinks he’s being made a scapegoat for Facebook and Cambridge Analytica.

This latest incident sees Facebook back in hot water following on from reports of how its platform was used by outside interests for posts and adverts that were designed to influence the result of the US election. The share price has been impacted significantly this week.

What Does This Mean For Your Business?

There are so many worrying facets to this story, not least that personal data may not have been protected well enough to allow it to be harvested by an app on the platform, and then passed to a third-party that allegedly used it to create a tool to influence elections. Also, it has been several years since the breach happened, and news of the breach has only just been released. Some industry insiders have described the incident as ‘horrifying’, and many may rightfully believe that Facebook has a lot of questions to answer, as does Cambridge Analytica.

Facebook will be painfully aware that if the ICO’s investigations find Facebook to be at fault, the social media giant could be looking at a fine of up to 500,000 pounds ($700,000), and with the introduction of GDPR in May, it could be facing fines of up to 4% of its global turnover.

Also, Facebook is a major advertising platform for businesses, and some marketing commentators have pointed to the fact that scrutiny of Facebook over this latest issue could impact Facebook’s ability to gather and deploy data for ad targeting, which has been vital to ad efficacy and budget growth.

All the recent bad publicity about Facebook has seen the number of daily users in the United States and Canada fall for the first time in its history, dipping in the company’s home market by 700,000 from a quarter earlier to 184 million.

We haven’t heard the half of this story yet, and it remains to be seen what information will be released in the coming days and weeks and as the result of numerous investigations.

Camelot Hack – ‘It Could be You!’

Posted on by Rob Burdett

Lottery operator Camelot has announced that 150 customer accounts have been affected by a hack that took place prior to Friday’s £14-million draw at 8.30pm.

Low Level

The company has described the hack as ‘low level’ and has stressed that no money was stolen, and that the attackers only saw limited information. Camelot attributed the early discovery of the attack to its regular security monitoring which, in this case, detected suspicious activity on a small number of accounts.

Credential-Stuffing

The kind of hack that took place was a method known as ‘credential-stuffing’. This hack uses a list of passwords taken from other websites that have been circulated online e.g. on hacking groups / on the dark web. This method relies on people using the same password for multiple websites.

Suspended Accounts + Change Passwords

Camelot has said that it has directly contacted the customers whose accounts had been affected and all of the affected accounts have now been suspended. The company has also advised all 10.5 million National Lottery players to change the password on their online accounts.

Warned In November 2016

Back in November 2016, Camelot announced that it believed that as many as 26,500 online National Lottery accounts had been hacked using login details that had been stolen from elsewhere (e.g. a list of stolen passwords circulated online). At the time, Camelot said that it believed that suspicious activity appeared to have taken place in fewer than 50 of the hacked accounts.

Camelot re-assured customers by saying that it didn’t hold full debit card or bank account details in the online accounts for National Lottery player, and no money had been taken or deposited.

Criticism

Although, as in the latest hack, Camelot was quick to submit a breach report to The Information Commissioner’s Office, some critics voiced concerns and suspicion that there could have been some kind of deficiency in the system to allow 26,500 correct logins while saying that the details were not taken from Camelot’s servers.

What Does This Mean For Your Business?

If you have an online National Lottery account, change the password as soon as possible.

This story illustrates one of the main dangers of using the same passwords for multiple accounts. If there is a hack and theft of your login details from just one website, you could be in danger of falling victim to cyber-crime as those details are circulateing among other hackers and used for credential-stuffing attacks. The advice is, therefore, to change your passwords regularly and avoid using the same password for multiple accounts.

This story is also a reminder that businesses have a legal responsibility to protect customer data, and this responsibility will be enforced even more rigorously, and with the threat of very large fines for non-compliance with the introduction of GDPR in May this year.

One positive aspect of this story is that Camelot appear to have been proactive in their monitoring of customer account activity, were quick to inform the Information Commissioner’s Office, publicly announced the hack, and gave clear advice to customers (unlike many other companies). This story is also an example of why having a good Disaster Recovery Plan is important.

Huge UK Increase In Demand For AI Professionals

Posted on by Rob Burdett

A study by job website ‘Indeed’ based on job postings on its site since 2015 has found that demand for skills in AI and machine learning has almost tripled in 3 years.

Demand – AI Boom

With the Artificial Intelligence (AI) sector booming in the UK, and with the pace of growth in demand for AI roles here outstripping that in the US, Canada and Australia, AI is providing a shot in the arm to Britain’s jobs market, and Britain is consolidating its reputation as a world tech leader. The ‘Indeed’ figures show that the number of AI roles advertised in the UK is now 1,300 out of every million, but that there are six times more AI roles available in Britain than there are candidates to fill them.

Supply Increasing Too

Just as demand for AI professionals has shown a huge increase, the number of candidates actually looking for jobs in this area has doubled over the same period. One of the key benefits of landing a job in an emerging field is, of course, the salary. According to Indeed’s figures, jobs in AI advertised for an average of £56,385 a year and machine learning roles at £54,617.

Skills Gap & Brexit

Unfortunately, one of the reasons why companies are willing to pay so much is that experts of this kind are hard to find in a labour market where there is a real tech skills gap. Some tech commentators have long been predicting that Brexit is only likely to make matters worse. For example, a 2016 survey by the ‘Hired’ website highlighted skills gap challenges in many areas of IT, possible challenges to attracting high-skilled workers from across the globe because of Brexit, lower average salaries for London tech jobs compared to places like San Francisco and New York, leading to a possible brain drain, and the number of UK students graduating with computer science degrees falling.

A further example of the possible impact of Brexit on AI and robotics in the UK comes from an RSA report from late 2017 which showed that the UK receives up to 80% of its funding for autonomous systems and robotics directly from the EU, and even with the government’s Autumn statement promise of a boost to R&D, it may not be enough to plug the funding hole that Brexit will create.

Funding Needed

Also, some industry experts have recently criticised the UK government for making a strategic error in their perceived lack of funding in AI and robotics.

There have been calls for the setting up of systematic programmes to mobilise the brain power of AI and robotics communities around the most important challenges of government.

What Does This Mean For Your Business?

If your business needs an AI or robotics professional, you may have a challenge on your hands. A home-grown skills gap means that you may need to attract talent from overseas, one aspect of which is being able to pay a considerable salary that is competitive with that offered in other countries. Getting an overseas professional to come to the UK, however, may be problematic because of the insecurities that Brexit is presenting to migrant workers.

Ideas to plug the UK’s skills gap in many tech areas include the offering of digital apprenticeships e.g. by Microsoft, but AI is a very specialised area, and much more investment and specialist education and training may need to be made available in the UK in a short time to enable UK industries to make the most of the UK’s AI boom.

First Direct Customers Can Pay By Siri

Posted on by Rob Burdett

First Direct customers can now make voice-activated payments to existing payees or mobile contacts via the Siri tool on their Apple iPhones, without logging into online banking or using their password.

Following Barclays

First Direct’s move to voice-activated payments follows the move by Barclays last August to allow its customers (with an Apple device with iOS 10 software or above, with fingerprint technology) to make payments using Apple’s voice-activated assistant, Siri.

Dutch Pioneers

Dutch banking group ING Netherlands are widely credited as being the pioneers of this kind of system when, back in 2014, they launched a voice-navigated banking app with a view to enabling biometric voice recognition as a replacement for PINs in the future.

Interface Between The Customer and Paym

In the case of First Direct, the Siri digital assistant acts as an interface between the customer and the Paym mobile payment system.

Paym is the service, launched by the Payments Council, that allows users to send and receive payments directly to a current account using only the mobile number of the account holder.

How Does It Work?

With the First Direct system, users simply tell Siri what amount they would like to pay, and the name of the person that they would like to pay using First Direct. The system then asks for verification using the fingerprint scanner or face ID tool on the payer’s mobile device. It has been reported that the money is then transferred instantly, and First Direct customers can make transfers of up to £350 daily using the new system.

What Will You Need?

Clearly, to use the system you will need to be registered for digital banking with First Direct. You will then need to activate Paym in the First Direct app, and make sure that you are using an iPhone that is capable of fingerprint or facial recognition so that your payments can be verified without a password.

What Does This Mean For Your Business?

For businesses, saving time and getting cash quickly into the business are important, and the First Direct system looks as though it is capable of helping both these things to happen. It also offers your business, suppliers, and other stakeholders a convenient way of paying while on the move.

Also, the biometric aspect (fingerprint or facial recognition) is believed to provide greater security than passwords.

Voice-activated assistants have proven popular with users, and it makes sense that they could be linked up with other technologies and systems to deliver greater value, convenience, and time savings. It is likely that other banks will now follow suit, and voice-activated assistants will be linked-up to a whole range of other services in the near future to benefit the business and the customer.

Fighting Exploitation Via Blockchain and Coke

Posted on by Rob Burdett

Coca-Cola, the US State Department, and 2 other companies are working on a project to used blockchain to fight forced labour worldwide.

What Is Blockchain?

Blockchain is an incorruptible peer-to-peer network (a kind of ledger) that allows multiple parties to transfer value in a secure and transparent way. Blockchain’s Co-Founder Nic Carey describes Blockchain as being like “a big spreadsheet in the cloud that anyone can use, but no one can erase or modify”.

Forced-Labour

The International Labour Organisation estimates that there are nearly 25 million people working in forced-labour conditions worldwide, and 47% of them in the Asia-Pacific region.

The kind of work where there is known to be forced-labour varies, but many are engaged in work that contributes to products for food and beverage e.g. forced-labour in countries where sugarcane is produced.

A KnowTheChain (KTC), a partnership founded by U.S.-based Humanity United, showed that most food and beverage companies could be doing more solve the problem.

Coca-Cola Committed

As part of a new partnership, Coca-Cola has now committed to conduct 28 country-level studies on child labour, forced-labour, and land rights for its sugar supply chains by 2020.

Blockchain

Blockchain’s validation and digital notary capabilities are being used in the new project to create a secure registry for workers and their contracts. The project, involving Trust Accelerator (BTA), a non-profit organization, the US State Department, Coca-Cola, and U.S.-based Humanity United, will use blockchain to create a validated chain of evidence that will encourage compliance with labour contracts.

US tech company The Bitfury Group, will build the blockchain platform, while Emercoin will provide blockchain services.

Blockchain Used To Reduce Child Labour Too

Earlier this month it was reported that blockchain is also being used in a pilot project between car-maker BMW and start-up Circulor with a view to eliminating battery minerals produced using child labour. In that project, blockchain is being used to help provide a way to prove that artisanal miners are not using child labour in their cobalt mining activities. Bags of cobalt are given a digital tag which can be entered into blockchain using a mobile phone. The details of the digital tag can then be entered by each link in the chain of buyers, thereby providing a clear, verifiable trail, all the way from miner to smelter.

What Does This Mean For Your Business?

The new project involving Coca-Cola is another example of how blockchain is being used to ethically add value, genuinely reduce suffering and exploitation, and shows how this new technology can deliver social impact. One of the strengths central to blockchain is that it offers an incorruptible and transparent system that can provide a much greater, and more reliable level of proof that something has happened in the correct way in a value chain. Many different types of businesses can use blockchain to categorically prove a certain source and route for e.g. delivery, raw materials or production. This is proving to be particularly valuable to businesses where provenance is necessary to add to the monetary, ethical or other value of a product, service, and brand.

Tech Tip(s) – Browser Security

Posted on by Rob Burdett

Your Internet browser is one of your most-used applications, so it makes sense that you should make yours as secure as possible. Here are a few tips to help you do just that :

  • Use browsers that have built-in protection features such as Chrome, Firefox, Apple and Safari.
  • Utilise the security settings on your browser. Look under advanced settings, and select Privacy and Security e.g. restrict your device from visiting dangerous sites.
  • Use private / incognito browsing to avoid tracking.
  • Consider deactivating ‘ActiveX’. This add-on acts as a middleman between your PC and Java/Flash-based interactions in certain sites, thereby potentially creating security problems by giving malicious websites a window into your PC.
  • Consider disabling ‘JavaScript’. As well as making browsing quicker and simpler, this can stop cyber criminals from using JavaScript in malicious ways in order to infect your device.
  • Delete Cookies. Although they can be helpful for remembering accounts and passwords, they can also be targeted by cyber criminals because of the information they contain.
  • Beware of some browser extensions and add-ons. Even though they can add extra functionality, they can also pose a security risk as they can be exploited to inject malware.

As always (e.g. with cookie or javascript usage), it’s a case of weighing up benefits of functionality against potential risks and exploits. The more ‘stuff’ you have open/running … the more that can (potentially) go wrong.

Voice Recognition ‘Sexist’

Posted on by Rob Burdett

Delip Rao, CEO and co-founder of start-up R7 Speech Sciences has brought the issue back into the spotlight that voice recognition systems struggle more with female voices.

Not New

The issue has been known about for some time and has been brought into sharper focus with the popularity of voice-activated digital assistants like Apple’s Siri, or Amazon’s Alexa, or Google Home.

Why?

According to Linguistics experts, the key problem is that females have higher pitched voices than males, and they tend to be quieter and sound more “breathy” when they talk.

With speech for example, Mean Fundamental Frequency (Mean FO) can be expressed as a number around which vocal tones are spread. The FO for men is around 120Hz, but for women it is much higher at 200Hz.

MFCCs

Also, another problem for voice recognition systems comes when they try to process words and sounds into MFCCs (Mel-frequency cepstral coefficients). The voices of women are known to give a less robust acoustic signal, and this signal can be easily masked by noise. These two challenges also make things more difficult for speech recognition systems.

Lack of Diverse Training

Since speech recognition systems also rely on an AI element, they require training to become more used to recognising certain vocal characteristics. Linguistics experts, therefore, also believe that a lack of diverse training examples of the speech of women may also be a contributing factor to the problems encountered by current voice recognition systems.

Gender Biases As A Result

Some commentators are, therefore, predicting possible worsening gender biases problems with voice recognition systems if these issues are not tackled.

Experts have pointed out the importance of training systems using equal proportions of men and women to avoid the problem of them being very good at recognising male data and very bad at recognizing female data.

Ethnic Mix

The same experts have also highlighted potential biases based on ethnicity if voice recognition systems aren’t trained using a wide ethnic as well as gender mix.

What Does This Mean For Your Businesses?

With digital assistants now in the workplace in computer systems (e.g. Alexa for Business),and with AI bots being used e.g. to handle customer service systems (with a voice element), it’s important that women and / or certain ethnic groups are not at a disadvantage when using the systems.

The problem is known about now, and companies should, therefore, be taking action to make sure that voice recognition systems work well for all demographics, and deliver equality as part of their value.

Accountants To Use AI For The ‘Boring’ Stuff

Posted on by Rob Burdett

A study by Sage that identified how 83% of clients would like their accountants to extend their services has seen 50% of accountants looking to solutions like AI to allow them to free up the necessary time to do so.

Off-Load Repetitive Tasks To AI

With accountancy clients looking for consultancy and advice (42%) as well as traditional services, half of the 3,000 accountants involved in the Sage study appear to be happy to consider AI and automation technology solutions to handle the workload of repetitive tasks such as number crunching, data entry and diary management.

Likely To Invest

The president of AI at Sage, Kriti Sharma, has been reported as having recognised that although AI is currently viewed as an automation tool by accountants, more are likely to invest in AI in the coming years as an important, lower cost way to scale their operations.

For example, AI could be used to review millions of transactions and spot anomalies, and even make recommendations. This would normally be something that would be done manually. AI could, therefore, significantly decrease costs and make accountants more time-rich, thereby enabling them to develop and sell new services.

Many Industries Adopting AI

Accountancy is certainly not the only industry beginning to realise and unlock the potential of AI. For example:

  • Some legal firms are already using AI to assemble, process and read certain types of documents.
  • AI ‘cognitive technology’ is being used to answer customer questions for customers in many areas of services.
  • In banking e.g. Nat West, AI software is being used to offer consumers an investment advice service. Also, for Royal Bank of Scotland (RBS) automated financial advice services have allowed the bank to reduce face-to-face adviser jobs by 220. As far back as 2016, RBS and NatWest introduced their virtual customer service technology in the form of the ‘Luvo’ chatbot from IBM Watson.
  • The AI The chatbot, called ‘DoNotPay’ (originally launched in March 2016 by British student, Joshua Browder), made famous for providing legal advice that led to a reported 375,000 claims against parking tickets, was then modified so that it could automatically sue Equifax for $15,000 per claim in the wake of a hack and data breach.

What Does This Mean For Your Business?

The adaptability and capacity of AI to learn and tackle even complicated tasks (in April last year an AI program beat the world’s leading poker players in a 5-day competition), means that it has huge business potential. Deploying AI e.g. to tackle repetitive tasks and free-up time in accountancy is just another example of how this technology can be used to add value, save costs, help meet changing customer needs, allow the cost-effective scaling of businesses, and improve competitiveness.

Even though AI appears to be advancing at a fast rate, we really haven’t seen anything yet as regards its true potential.

Eight New Cyber Threats Every Second

Posted on by Rob Burdett

The latest McAfee Labs threat report shows that in the last quarter of 2017, organisations faced 8 new cyber threats a second as there was an 18% increase in the number of reported security incidents across Europe.

478 New Cyber Threats Every Minute

The report makes worrying reading as businesses and organisations try to secure their online and data security systems in preparation for the introduction of GDPR.

The McAfee Labs report shows an 18% increase in the number of reported security incidents across Europe with a specific focus the on adoption of newer tools and schemes, such as fileless malware, cryptocurrency mining and steganography.

Cytptocurrency Mining

The rocketing value of the cryptocurrency Bitcoin led to a big increase in cryptocurrency mining / cryptojacking in the last quarter of 2017. For example, cryptojacking involves installing ‘mining script’ code such as Coin Hive into multiple web pages without the knowledge of the website owners. The scammer then gets multiple computers to join their networks so that the combined computing power will enable them to solve mathematical problems. Whichever scammer is first to solve these problems is then able to claim / generate cash in the form of crypto-currency.

Also, at the end of 2017, ransomware operators were found to be hijacking Bitcoin and Monero wallets using Android apps developed exclusively for the purpose of cryptocurrency mining. Many criminals appear to have favoured Litecoin over Bitcoin because there was a lesser chance of exposure.

Fileless Malware Attacks

Another trend uncovered by the McAfee Labs threat report was the adoption of fileless malware and abusing Microsoft PowerShell, which showed a 432% surge over the course of 2017.

Fileless malware involves hijacking tools that are already built-in to Windows rather than installing software on a victim’s computer. It is designed to work in-memory (in the computer’s RAM) and is, therefore, very resistant to existing anti-computer forensic strategies, and is difficult to detect.

The MacAfee report showed a huge 267% growth in the use of the new PowerShell malware. Powershell is a legitimate tool (scripting language) that is built-in to Windows, and provides access to a machine’s inner core, including Windows APIs. This is why it has become a favoured route for fileless malware attacks.

Increase In Attacks On Healthcare

One other disappointing trend uncovered in the McAfee Labs threat report is the dramatic 210% overall increase in incidents against healthcare organisations in 2017. It is believed that these attacks were facilitated by organisational failures to comply with security best practices, or to address many known vulnerabilities in medical software.

What Does This Mean For Your Business?

The report highlights how businesses now face risks on an unprecedented scale, and how, particularly with GDPR on the way, businesses need to prioritise cyber and data security. A collaborative and liberalised information-sharing approach should be taken to improve attack defences and combat escalating asymmetrical cyber warfare.

Cyber-criminals always try to combine the highest returns in the shortest time with the least risk. This is why tactics like cryptojacking, stealthy fileless PowerShell attacks, and attacks on soft targets such as hospitals have become so popular over the last year.

New threats for this year, such as cyber-criminals developing botnets exploiting the Internet of Things (IoT) will pose more challenges to businesses and the security industry.

New Threat From Fileless Powershell Exploits

Posted on by Rob Burdett

Businesses now face the growing threat of fileless hacking and fileless malware attacks facilitated by the PowerShell scripting language that is already built-in to Windows.

Surge Reported

The latest McAfee Labs threat report shows what an emerging and dangerous threat the exploiting of the PowerShell scripting language has become. Taking the last quarter of 2017, the adoption of fileless malware via Microsoft PowerShell showed a 432% surge.

How Does It Work?

Microsoft PowerShell is a scripting language that’s built-in to the Windows OS. Its main legitimate uses include running background commands, checking services installed on the system, terminating processes, and the managing configurations of systems and servers.

The Microsoft PowerShell scripting language provides access to your computer’s inner core, including unrestricted access to Windows APIs. Also, because it is a legitimate part of your computer’s Operating System, any commands it executes are usually ignored by security software, and it provides no signature for antivirus software to detect. Another crucial aspect of Powershell is that it can run remotely through WinRM. For these reasons, it has become an ideal route for cyber-criminals.

Controlling Computers Using Powershell

A hack via Powershell involves attackers getting to PowerShell remotely through WinRM, enabling them to get through Windows Firewall, run more PowerShell scripts complete with admin control. Even if WinRM is turned off, it can be turned on remotely through WMI using a single line of code.

Also, through Powershell, once an attacker obtains a username and password for one computer, the path to complete compromise of the whole enterprise system is laid open.

Recent Fileless Malware Attacks

It has been reported that PowerShell malware arrives via spam email, and it is the embedded code in the email that contains the PowerShell commands. This code usually contains instructions to download another payload to carry out the primary malicious activity.

The McAfee Threat report shows how recent attacks have used Powershell to download malware of the Bartallex (.bat and .vbs files) and Dridex families onto the systems of victims in what are now popularly known as fileless malware attacks.

What Does This Mean For Your Business?

The combination of PowerShell providing legitimate access to computer’s and its subsequent ability to be ignored by security software, as well as the ability to run it remotely through WinRM make it a low risk, low cost and potentially and potentially high return tactic for cyber-criminals. This means that fileless hacks and fileless malware attacks are now a serious and present risk to businesses and organisations of all kinds.

The stealth factor, plus the fact that it goes under the radar of normal antivirus software makes detection very difficult. The one clear chance to stop it appears to be not opening the malicious email that contains the code that begins the attack. Companies and organisations need to make sure that all staff are trained to recognise and resist social engineering tactics, and to be made aware of the risk of downloading and installing applications that they do not understand or trust.