Justice Too Slow With Data Requests Says ICO

The UK’s Secretary of State for Justice has been hit with an Enforcement notice by the Information Commissioner’s Office over backlogs and poor handling of requests for personal records made under data protection laws.

Subject Access Requests

In the UK, under the Data Protection Act 1998, anyone can make a request to any organisation (termed the ‘data controllers’) for copies of both paper and computer records and related information that the organisation is holding, using, or sharing about them. This is known as a ‘subject access request’ (SAR), and organisations usually charge a fee for providing the information e.g. up to £10 in normal circumstances. Under the DPA, organisations are required to answer data access requests within 40 days.

The Backlog

The issuing of the Enforcement Notice by the ICO to the UK Ministry of Justice (technically the ‘data controllers’ in this case) on 21st December 2017 relates to the fact that the ICO has received a large number of requests for assessment by people whose subject access requests had not been dealt with quickly enough by the Ministry of Justice.

The Enforcement Notice highlighted the fact that there is a backlog of 919 SARs from individuals, some of which dated back to 2012.

Two Main Problems Highlighted

The two main problems highlighted by the Notice are that the Justice Secretary (data controller) has contravened section 7 of the Data Protection Act for failing to act “without undue delay” and that the “data controller’s internal systems, procedures and policies for dealing with subject access requests made under the DPA were unlikely to achieve compliance with the provisions of the DPA”.

Plan To Clear Backlog

The ICO Enforcement Notice did, however, acknowledge that the Ministry of Justice has given the ICO a recovery plan which shows that it intends to clear the backlog by October 2018, and answer new requests without “undue delay” from January 2018.

According to the update and plan published in the Enforcement Notice, the Ministry of Justice believes that it has 793 requests that are over 40 days old, and that it planned to deal with 14 cases from 2014 by 31 December 2017, 161 cases received from 2015 by 30 April 2018, 357 cases from 2016 by 31 August 2018, and 261 cases from 2017 by 31 October 2018.

What Does This Mean For Your Business?

This is an embarrassment for the Ministry of Justice, and may be an indication of a wider problem faced by many businesses and organisations in the UK that are still not getting to grips with their responsibilities under the current Data Protection Act, let alone getting prepared for the introduction of the UK’s Data Protection Bill, and the EU’s GDPR, which will come into force on 25th May 2018.

Under GDPR, for example, businesses and organisations will have to deal with requests even more quickly, may have to provide additional information, and won’t be able to charge a fee for complying with requests. There will also be the challenges of responding to an individual’s ‘right to be forgotten’, and the prospect of much greater penalties for non-compliance than under the current Data Protection Act.

This story is a reminder that all businesses and organisations should take the opportunity now to ensure that their data practices are in order and likely to be compliant with GDPR, and also to consider that being GDPR compliant could actually provide commercial advantages as this will become a serious factor for consideration in trading relationships and alliances.

Tech Tip – Battery Saver In Windows 10

If you need to squeeze the most out of the battery charge of your laptop or tablet, try the Battery Saver feature in Windows 10.

This feature disables unnecessary background functions such as live tile updates and email and calendar syncing. It can also auto-dim your screen brightness. Here’s how to access it:

  1. Go to the Action Centre
  2. Go to System > Settings > Battery
  3. Select ‘Battery Saver’
  4. Choose to automatically enable Battery saver mode or not.

Beware Android Phone-Melting Malware

A type of crypto-currency mining malware has been found to overload an Android phone with so much constant traffic that its battery physically bulges and bends the phone cover.

Malware Causing Physical Damage

The Android phone-wrecking Trojan malware, dubbed “Loapi”, was discovered by Kaspersky researchers. In tests, after running it for several days mining the Minero crypto-currency, the Android phone used in the test was overloaded with activity (trying to open about 28,000 unique URLs in 24 hours) to the point that the battery and phone cover were badly damaged and distorted by the resulting heat.

The Loapi malware is reported to have been found hiding in applications in the Android mobile operating system.

How It Works

Loapi reportedly works by hijacking a smartphone’s processor and using the computing power to mine crypto-currency.

‘Mining’ refers to the process of completing complex algorithms to get rewards of new crypto-currency units e.g. Bitcoin.

Loapi uses JavaScript code execution hidden in web pages (usually via advertising campaigns) with WAP billing to subscribe the user to various services. This works in conjunction with the SMS module to send the subscription message.

What makes Loapi particularly dangerous is the number of device-attacking techniques present in it, and the modular architecture of this Trojan, which means that more functionality could be added to it at any time.

Part Of Trend For Mining Scams

It is likely, therefore, that Loapi is loaded onto an Android OS when a user visits a website where mining software / mining code is running in the background, without the knowledge of the website owners or visitors.

For the scammer who plants the code, they can use the power of multiple computers / devices to join networks so that the combined computing power will enable them to solve mathematical problems first (before other scammers) and thereby claim / generate cash in the form of crypto-currency.

A report by ad blocking firm AdGuard in October this year showed that the devices of 500 million people may be inadvertently mining crypto-currencies as a result of visiting websites that run mining software in the background.

What Does This Mean For Your Business?

Unfortunately, many cyber criminals are now trying to leverage the processing power of computers, smartphones and other devices to generate revenue from mining crypto-currency. Mining software e.g. Coin Hive, has been found in popular websites, and crypto-currency mining scams are now being extended to target cloud-based computing services with the hope of harnessing huge amounts of computing power and using multiple machines to try and generate more income.

The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses, and this new threat of actually having your phone melted by malware adds another level of risk, including that of fire.

There are some simple measures that your business can take to avoid being exploited as part of this popular scam, although it is unclear how well these will work with the newly discovered Loapi. For example, you can set your ad blocker (if you’re using one) to block one specific JavaScript URL, which could stop the miner from running without stopping you from using any of the websites that you normally visit.

Also, browser extensions are available e.g. the ‘No Coin’ extension for Chrome, Firefox and Opera (to stop Coin Hive mining code being used through your browser).

You can generally steer clear of dodgy Android apps by sticking to Google Play, by avoiding cloned apps from unknown developers within Google Play, by checking app permissions before you install them, by keeping Android apps up to date (and by deleting the ones you don’t use), and by installing an antivirus app.

Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current scams and what to do to prevent them, are just some of the ways that you could maintain a basic level of protection for your business.

Kaspersky Tries To Overturn U.S. Directive

Embattled Moscow-based cyber security firm, Kaspersky Lab, is appealing against the U.S. Government’s ban on its software on the grounds that it is unconstitutional, and that there is no technical evidence.

What Directive?

Back in September, The U.S. Department of Homeland Security (DHS) issued a Directive ordering civilian government agencies to remove Kaspersky software from their networks within 90 days. Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions (anti-virus software).

Concerns Over Many Years

The U.S. Directive (ban) came after concerns about possible Russian state interference in the U.S. elections, but Kaspersky have long been the subject of suspicion and concerns by western governments.

In July this year, for example, security researchers claimed to have found a way to force the anti-virus product to assist snoops in stealing data from segmented networks (not connected to the wider internet).

Back in 2015, it was also reported that the US National Security Agency and GCHQ had sought to carry out reverse engineering of Kaspersky anti-virus as far back as 2008 to discover any vulnerabilities.

Long-running fears about Kaspersky have also been fuelled by leaks from the NSA through Edward Snowden (2013), Hal Martin (2016), and by allegations (printed in the Wall Street Journal) that a Vietnamese NSA contractor was hacked on his home computer by Russian spies via Kaspersky.

Earlier this month Barclays bank in the UK emailed its 290,000 online banking customers to say that it will no longer be offering Kaspersky Russian anti-virus because of information and news stories about possible security risks.

The Appeal

A federal appeal has now been filed by Kaspersky Lab under the Administrative Procedure Act against the U.S. Directive to remove Kaspersky software from civilian government agency networks. According to Kaspersky, the DHS has acted unconstitutionally and has violated Kaspersky Lab’s right to due process by issuing Binding Operational Directive 17-01.

Kaspersky Lab argues that the issuing of the Directive was based on no technical evidence, and the company has repeatedly denied any ties to any government and has said that it would not help a government with cyber espionage.

Damage

Kaspersky Lab has publicly stated that the Directive and the wide-scale media coverage and public / business reaction to it have damaged the company’s position in the market. Sales are reported to be down, Kaspersky has announced the closing of its D.C. headquarters as a direct result of the U.S. government’s public suspicion toward its business, and the company’s founder, Eugene Kaspersky, has said that the company has also suffered damage to its reputation.

Submitting Code

As well as strenuously denying the allegations and launching an appeal, Kaspersky Lab said in October that it would submit the source code of its software and future updates for inspection by independent parties. U.S. officials.

What Does This Mean For Your Business?

For businesses using Kaspersky in the UK, it is worth remembering that although Barclays Bank have stopped using the software, and a U.S. Directive remains in place, no actual evidence of wrongdoing related to espionage / spying, or of the company colluding with the Russian state has been publicly provided.

Businesses will need to take an individual view of any possible risks, taking into account the context of a certain amount of paranoia and the recent focus in the media about Russia following allegations of interference in the US elections.

On a technical and security note, it may not be a good idea anyway to remove Kaspersky anti-virus from a computer without immediately putting a suitable alternative in place. Anti-virus forms an important part of a company / organisation’s basic cyber defences and this, and other software should be kept up to date with patches and updates to enable evolving threats to be combated as part of a wider strategy.

No More Chrome Apps From Next Year

Google has announced that Chrome apps for Mac and Windows will no longer be available from the Chrome Web Store by early next year and that they will be replaced next year by Progressive Web Apps (PWA).

Why?

Google has had Chrome-browser supported stand-alone apps on Mac, Windows and Linux since 2013, but back in August 2016 it was announced that Google would be phasing-out these apps because only 1% of users actively used them, and most hosted apps were already implemented as regular web apps e.g. Netflix.

Google, therefore, wanted to simplify its browser and move developers to more standardized web apps, and, therefore, planned to phase out standalone Chrome apps over 2 years, starting with the limiting of newly published apps to users on Chrome OS.

This latest announcement is the beginning of the final phase of that two-year plan.

Why Chrome Apps?

Chrome apps / packaged apps are basically Google’s own web-apps that are able to run offline, in their own window, and integrate with the underlying operating system and hardware.

Google has stated that it originally launched Chrome apps to give users experiences that the web, at the time (2013) couldn’t provide e.g. working offline, sending notifications, and connecting to hardware.

The Replacement – PWAs From APIs

Google’s work to move developers to more standardised apps has led to the introduction of powerful APIs e.g. service worker and web push, to enable the building of Progressive Web Apps that work across multiple browsers. These PWAs (launched earlier this year on Android) are essentially the replacement for Google’s standalone Chrome apps and blur the line between websites and installed software. PWAs will be available on desktops from the middle of 2018. According to Google, the benefits of PWAs are that they offer:

  • Reliability – they load instantly and don’t slow everything down.
  • Speed – they respond quickly to interactions with users, and animations are smooth.
  • Engagement – They offer the user an immersive experience with help from a web app manifest file (allowing users to control how an app appears and how it’s launched). A PWA feels like a natural app on a device.
  • Improved Conversions – Google has quoted the example of how AliExpress were able to improve conversions for new users across all browsers by 104% and on iOS by 82%.

What Does This Mean For Your Business?

It appears that the standalone Chrome apps may have been a welcome introduction back in 2013, but are now not being used because they have been replaced by regular web apps anyway. This announcement by Google shouldn’t, therefore, cause any real concern to most businesses.

Anything that can be done to simplify the use of browsers such as Chrome has to be good news.

The benefits of PWAs are also promising for developers and users, and the possibility of increased engagement and conversions are clearly of interest to businesses.

School Heating Hack Risk

Cyber-security company, Pen Test Partners, have warned that schools with building management systems that are linked to the Internet could face the risk of hackers turning the school heating system off – or worse.

The Problem

The problem is that many electricians and engineers may be lacking in knowledge about cyber security and / or may have linked a school’s HVAC system to Internet controls against the manufacturer’s guidelines. Also, many smart school heating systems may have vulnerabilities in them that hackers may find easy to exploit.

Tested

The researchers at Pen Test Partners tested for potential hacking risks by looking for building management system controllers made by Trend Control Systems via IoT search tool Shodan. This online tool (see https://www.shodan.io) provides a public API and enables anyone to discover which devices are connected to the Internet, where they are located and who is using them.

In a test, it was revealed that it took less than 10 seconds to find more than 1,000 examples of a 2003 model of a school heating system known to be vulnerable when connected to the Internet. The visibility of a known vulnerable system via a public website is a clear example that the risk of school heating systems being controlled remotely by hackers is real.

Not Just Schools

The same / similar heating systems may also be used in buildings used by retailers, government offices, businesses and even military bases, thereby highlighting a much wider potential risk.

Incentive

Security commentators have pointed out that there would be very little incentive for hackers to access school systems because many hacks are carried out for financial gain.

The risks could, however, increase in future as more devices and systems become part of the IoT.

What Does This Mean For Your Business?

It is possible that some businesses may be in buildings where the heating systems are exposed to a hacking risk. Risks could be reduced if companies used skilled IT workers who are aware of the potential risks and if systems are checked properly after installation.

To make heating systems really secure they should also be configured behind a firewall or virtual private network, and they should have the latest firmware and other security updates.

It is also important to note that some responsibility rests with the manufacturers of heating and other smart building systems to design security features into them because even if a device is not directly connected to the internet, there may be an indirect way to access it.

This story also highlights the wider challenge of tackling security for IoT devices and products. There have been many occasions in recent years when concerns about the security / privacy vulnerabilities in IoT / smart products have been publicly expressed and reported. The truth is that the extent of the current vulnerabilities is unknown because the devices are so widely distributed globally, and many organisations tend not to include them in risk assessments for devices, code, data, and infrastructure. Home / domestic users have no real way of ascertaining the risks that smart / IoT devices pose, probably until it’s too late.

It has also been noted that not only is it difficult for businesses, including manufacturers of smart products, to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.

For businesses, it’s a case of conducting an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default usernames and passwords in these devices are changed as soon as possible. For home users of smart products (who don’t run checks and audits), it appears that others (as in the case of the German Federal Network Agency) need to step in on their behalf and force the manufacturers to take security risks seriously.

Tech Tip – Storage Sense

If you want to make sure that you don’t start running out of space on your device, Windows 10 includes the Storage sense tool to monitor and free up space on your device automatically.

Storage Sense can empty the recycle bin every 30 days, and automatically clean up any temporary files on your drives. Here’s how to activate it:

  • Open ‘Settings’.
  • Click on ‘System’.
  • Click on ‘Storage’.
  • Turn on the Storage sense toggle switch.

Southend … The ‘Smart City’

Southend-on-Sea Borough Council is reported to have signed an agreement with tech company Cisco to deploy its ‘Kinetic for Cities’ platform in order to share the benefits of new digital technologies with its businesses and citizens, thereby making it a ‘Smart City’.

What Is ‘Kinetic For Cities’?

According to the Cisco blog, the Cisco Kinetic for Cities platform is a unified IoT platform strategy and a cloud-based platform that helps customers extract, compute and move data from connected things to IoT applications to deliver better outcomes and services. In essence, using sensors, digital management platforms, and analytics programs for all aspects of a city (including solutions for lighting, parking, crowd, environment and others), businesses and citizens can benefit from the effects of urban innovation, sector-specific solutions, and city engagement that the technology provides.

Technology Hub

Through the use of the new platform, it is hoped that Southend can become a technology hub, and this can help it to grow and evolve, in line with the rest of the UK and with competition globally. It is also hoped that use of the digital platform could bring smarter, connected experiences for people who live in, work in, or visit the town.

Already Working In Other Cities

Cisco’s Kinetic for Cities platform is already being deployed in other cities such as Manchester (UK), where it is being used in a project to explore smart transport and CO2 emissions, and in Jaipur (India), where it is helping to improve public safety.

How Will It Be Used In Southend?

At the current time, Southend Council looks likely to use the Kinetic for Cities platform for initiatives such as pilots relating to community safety e.g. building an intelligence hub with IP-based public safety systems for use with CCTV and advanced video analytics.

Also, there are plans to use the platform to help with traffic and parking management, easing of congestion, using the IoT to help monitor and improve air quality, and to help manage energy better and bring down consumption, thereby reducing costs and helping the environment.

What Does This Mean For Your Business?

It has taken a long time for many of the potential benefits of the IoT to be realised, or for the IoT to be deployed in a more meaningful and beneficial way than in smart household gadgets. Using technology for the benefit of a whole town / city in this way represents a new kind of rapid regeneration which has the potential to benefit many more citizens and businesses than individual physical projects. Improving a whole town, and how efficiently it functions and how effectively it serves those who work and visit it in terms of experiences and opportunities can only be of benefit to locally based businesses, and can create an environment where businesses are better equipped to compete nationally and globally.

Unlimited Streaming Deals Contributing To Piracy?

As Three becomes the first network provider in the UK to launch a tariff that lets its customers use unlimited streaming services without it affecting their monthly data allowance, some media commentators are concerned that more streaming services of this kind could lead to more piracy.

Streaming & Stream Ripping

Streaming is the real-time transmission of data (e.g. audio and video) over the internet to computers and mobile devices. Stream ripping is the process of using software to turn that streamed data (music and video) into files so that they can be watched / listened to offline on computers and phones. Stream ripping is possible because music and video streaming services have URLs, and there are now many freely available programs to download that can stream-rip content.

What’s The Problem?

The problem is that films, video and recorded music are covered by copyright and intellectual property laws. Although many people are happy to pay to use legal streaming services in the form they are delivered such as Netflix and Spotify, stream ripping and the storage and distribution of the ripped files infringes those laws and is technically piracy.

According to research by the Intellectual Property Office (IPO) and PRS for Music, usage of stream-ripping sites increased by 141.3% between 2014 and 2016, thereby making them more popular than all other illegal music services. The same research showed that in September 2016, these sites were used 498,681 times to pirate music in the UK.

Who?

According to the IPO and PRS research, 15% of UK adults are now using these illegal services, with 33% of them being in the 16-24 age bracket.

Why?

According to the research, the most popular reasons given for using stream-ripping include a belief that music was already owned by users in another format (31%), simply wanting to listen to music offline (26%) and on the move (25%), not being able to afford to buy the tracks legally (21%), and believing that music is overpriced (20%).

The Three Deal

There is no suggestion that the new Three ‘Go Binge’ service is causing or contributing to piracy. The fact is, however, that it is an unlimited streaming deal for data-heavy users averaging 6GB a month. It is conceivable that without Three imposing their own security measures, Go Binge could be used for stream ripping.

What Does This Mean For Your Business?

This story illustrates how difficult it can be in an online world to prevent publicly available content being shared for free, and how creative industries continue to suffer from not being able to find effective ways to get monetary rewards for recorded output or to make consumers comply with the law. In a share-everything-online world where users are used to content being free, copyright and intellectual property laws are often either not widely known about or are ignored and circumvented in a kind of mass diffusion of responsibility due to the large numbers of people who are doing it without penalties.

The increased take-up of legal streaming services in recent years is, however, more promising but it is clear that more measures need to be taken, perhaps by companies offering streaming deals, to make sure that stream ripping is not taking place.

News Bots to Flood UK with 30,000 Articles a Month

Google has awarded €706,000 ($800,000) to the UK’s Press Association (PA) so they can develop robot reporters or news-bots that can generate 30,000 articles a month.

Digital News Initiative

The funding is part of Google’s €150m Digital News Initiative, a three-year program in support of European journalism using technology. The initiative is in its third and final year, and is looking to provide funding for 7 projects in 27 countries.

Codenamed RADAR, or Reporters and Data and Robots, the Press Association project is a joint effort with Urbs Media, a UK startup specialising in automated data journalism.

Why?

On the one hand, this is an effective and less labour-intensive way to satisfy the demand for more news. Some sceptics, however, have noted that the initiative could be a handy way for tech and advertising giant Google to help websites to get more readers and thereby gain more advertising business and revenue for itself.

On its website, the PA has issued a statement about RADAR’s role in meeting the growing demand “for consistent, fact-based insights into local communities, for the benefit of established regional media outlets, as well as the growing sector of independent publishers, hyperlocal outlets and bloggers.”

Natural Language Processing Software

For the news bots to generate information and stories, natural language processing software will be used on a grand scale. The PA and Urbs Media will reportedly select a team of five journalists to identify, template, and edit data-driven stories. These journalists will apply the code to publicly available government databases to churn out stories.

Hope For The Local Press

This comes at a most opportune time where Britain’s hard-pressed and diminishing local press need to meet the demands for more and more page views, as well as filling spaces in print. PA Editor-in-Chief Pete Clifton has reportedly acknowledged the usefulness of RADAR in terms of cost-effectiveness in providing incisive local stories, and the fact that, although skilled human journalists are still vital in the process, local media would find it very difficult to produce articles in the numbers necessary with the limited number of journalists that they have.

Not Just The Press Association

Although the PA received the largest grant of UK recipients, Google also gave funding to other organisations as part of the initiative. These include Wikipedia (€385,000), City University (known for its popular journalism school) (€335,113), fact-checking body ‘Full Fact’ (€300,000), owner of various computing titles ‘Dennis Publishing’ (€160,000), and Al Jazeera (€50,000).

News Bots Already Used In Some Countries

News bots are already being used by some media companies. In China, for example, Xiaomingbot generated hundreds of stories for last year’s Rio Olympics, and The Los Angeles Times’ own news bot, Quakebot, recently made headlines when it generated news of an earthquake off the coast of Santa Barbara, California.

What Does This Mean For Your Business?

This kind of initiative is another example of how many businesses are finding ways to promote and harness the power of technologies such as AI to help meet demand, particularly where services e.g. customer service, are concerned, in a cost effective, value adding way. It is also an example of how automation is beginning to be used to replace human jobs.

Research firm Gartner, for example, estimates that up to 85% of customer service centres will become virtual by 2020 e.g. by using more bots, and Facebook announced at F8 last April that anyone can now make their own bot using Facebook’s application programming interface (API) known as ‘Messenger Platform’.

Also, in March this year, a report by PwC claimed that over 30% of UK jobs could be lost to automation by the year 2030. How much automation and what kind of automation individual businesses adopt will, of course, depend upon a cost / benefit analysis compared to human workers, and whether automation is appropriate and is acceptable to their customers.