The new ‘Site Isolation’ security feature for the Google Chrome browser has been switched on, and could protect users from log-in credentials theft.

Decade-Long History

The newly switched-on feature actually has a decade-long history in the making. It has been reported that Google invested those engineer-years, mostly in the last 6 years, and a lot of money in producing a DiD (defence-in-depth) feature, and what is a now essential defence against a prolific class of attack.

What Does the Google Chrome Site Isolation Do?

It has recently been discovered that all modern chips / processors have security vulnerabilities in them that can contribute to the success of ‘data leakage’ attacks. These vulnerabilities, dubbed Spectre and Meltdown (Meltdown only on Intel chips), can be used by hackers to steal passwords or other confidential data from computers and mobile devices through popular web browsers like Chrome, Internet Explorer, Firefox, and Safari for Macs or iOS.

With Site Isolation enabled, each renderer process contains documents from a maximum of one site which means that all navigations to cross-site documents cause a switch in processes, and all cross-site iframes are put into a different process than their parent frame. This ‘isolation’ of the processes provides effective detection against data leakage attacks like Spectre, which means that the vast majority of Chrome users are now theoretically safer from this one kind of attack. It has also been reported that work is underway to protect against attacks from compromised renderers.

It Does Sap Some Memory

One of the trade-offs that Google has had to make to in order to make this feature effective is greater resource consumption. With Site Isolation on, there is a 10-13% total memory overhead in real workloads due to the larger number of processes. Google is reported to be working on trying to reduce the memory burden.

Even 10-13% is good compared to the 20% memory overhead that was being used when Chrome 63 debuted with Site Isolation.

Not Android Yet – But Soon

Site Isolation is scheduled to be included in Chrome 68 for Android but reports indicate that Google is still working on resource consumption issues before that can be rolled out.

SSL Security Added

Google Chrome has also added security warnings for sites that do not have SSL Certificates, which switch websites from HHTP to HTTPS protocol. The warning alerts users to the fact that any information they enter into the set, such as usernames, passwords or email addresses may not be secure. Furthermore Google is gradually moving to penalise sites in its search engine without HTTPS with lower page rankings.

What Does This Mean For Your Business?

The switching on of this feature is, of course, good news for businesses, as it is an additional, free way to strengthen cyber resilience against a popular kind of attack that could have serious consequences. This is of particular importance when businesses are trying to do everything possible to achieve and maintain compliance with GDPR.

Up until now, all businesses have heard is that all modern processors have security flaws in them, and that software patching is the only real answer. Back in May, another 8 flaws, in addition to Spectre and Meltdown, were discovered in processors, dubbed Spectre Next Generation (Spectre NB). At least the switching-on of this Chrome feature is one tangible step in the journey to patch these vulnerabilities before cyber-criminals manage to exploit them all. Hopefully, more, similar features will be introduced across other browsers in the near future.

Globalnet works with businesses throughout London, Essex, Kent and Herts to ensure their data and networks are secure from all threats. Call us on 0203 005 9650 today to find out how we can provide the right protection for you.

Globalnet aims to be an integral part of your success, providing the best business advice, superior IT support and technology to help you reach your goals. 

The Google Forms Quiz in its free, browser-based educational software Classroom now features a locked mode on Chromebooks which prevents students from cheating during quizzes.

What Is Classroom?

Google Classroom is a free web service (app) for schools, non-profits or indeed anyone with a personal Google Account, that aims to simplify creating, distributing and grading assignments in a paperless way. It is reported to be used by over 30 million students globally.

Used in an actual educational setting, it enables teachers to create classes (set up a class online), distribute assignments, communicate, and stay organised, all in one place. Teachers can invite students and co-teachers, and in the class stream, they can then share information, assignments, announcements, and questions. They can also see who has or hasn’t completed the work, and give direct, real-time feedback and grades.

Classroom works with Google Docs, Calendar, Gmail, Drive, and Forms.

What About Chromebooks?

In the context of this story, Chromebooks are laptops that are sold with the sole purpose of being used in the classroom. They run Google’s Chrome OS and are designed to be used while connected to the Internet, with most applications and documents stored in the cloud. Chromebook are available from a range of PC manufacturers.

Cheating?

The problem that many teachers have reported experiencing is that in order to answer questions during Classroom quizzes and tests, some students are tempted to use the Internet connection on Chromebooks to look up the answers (also known as cheating).

Cheat-Proof Feature: Locked Mode

The newly added locked mode feature in the Google Forms Quiz prohibits students from surfing the web or opening apps until the answers are submitted. This is the first feature added to the app that’s exclusive to managed Chromebooks, and as such, it has meant that specialised controls have been added to what was basically a standardised system.

Other Features

Other features that have also been added include the ability to organise by topic or unit in the Classwork page, whereas everything was previously just categorised by date. Also, a new People page lets teachers add and remove fellow teachers, students and guardians. The Stream and system settings pages have also received some small improvements.

What Does This Mean For Your Business?

For educators and trainers who use Chromebooks and Classroom, the locked mode gives them greater control, and allows them to get a more accurate view of the level of knowledge of their students. More accurate measurements can help with the better planning and application of teaching resources, and can highlight areas that need improvement.

For Google, with such a popular system that has made inroads into the teaching / training market, it makes sense to keep their customers loyal and happy by introducing value adding improvements that solve long-running problems.

CALL US ON 0203 005 9650 FOR SUPERIOR IT SUPPORT

Globalnet aims to be an integral part of your success, providing the best business advice, superior IT support and technology to help you reach your goals. 

Some industry commentators have suggested that Google’s motives for introducing a blanket ban on cryptocurrency ads may not be all they seem, and could make the company appear unethical.

What Ban?

Back in March, Google followed Facebook’s lead (from January) and imposed a blanket ban on all cryptocurrency adverts on its platforms. The ban, which starts from this month, was announced following reports of scammers using adverts on popular platforms to fraudulently take money from people who believed they could cash in on the massive rise in the value of cryptocurrencies such as Bitcoin.

A popular con has been to use scam ad campaigns to sell units of a cryptocurrency ahead of its launch – known as initial coin offerings (ICO). Research has found that 80 per cent of ICOs have been fraudulent.

Also, the cryptocurrency value bubble led to the rise of ‘crypto-jacking’, where devices are taken over by people trying to mine crypto-currencies e.g. using Android phone-wrecking Trojan malware ‘Loapi’.

Why Unethical?

Online tech commentators have been quick to point out that even though Google has said that it made the move to ban cryptocurrency ads to confront criminality, protect web users, and to regulate what their users are reading, Google is also believed to have an interest in cryptocurrencies itself.

For example, back in May, Google is reported to have approached the founder of the world’s second most popular cryptocurrency, Ethereum, to explore possible market opportunities for the two companies. In fact, some commentators believe that Google may be acting unethically by banning cryptocurrency adverts because it is planning to launch its own cryptocurrency and, therefore, wants to give its own product the best chance in the marketplace.

This idea has been strengthened by the fact that Google continues to show adverts with links to gambling websites and other services which some would describe as unethical. It has been suggested that Google appears willing to ban cryptocurrency adverts, but still allows job postings, and adverts for anti-virus software or charities, all of which can also be known entry points for scammers.

Blockchain Ambitions

Google is also thought to have ambitions to make use of blockchain, which is among other things, the underlying technology behind the bitcoin currency. It is interesting that this interest follows Facebook, which is reported to be setting up a blockchain group that will report directly to the company’s CTO, Mike Schroepfer.

Circumvented

Putting a blanket ban on cryptocurrency adverts does not appear to have been an entirely successful strategy for others i.e. Facebook. For example, some advertisers have been able to circumvent Facebook’s cryptocurrency ad ban by abbreviating words like cryptocurrency to c-currency, and by simply switching the letter ‘o’ in the word bitcoin to a zero.

What Does This Mean For Your Business?

Google is a powerful private company, and with other big players in the market, it is looking to make the most of market opportunities e.g. Facebook, and it is only natural that Google is likely to also want to explore the potential of those opportunities, even if it has made an ethical stand in public about cryptocurrency adverts.

This story does illustrate, however, that ethics play an important part in business, and can play an important role in supporting the value of a brand, particularly in a digital world where inconsistencies can be spotted and widely reported immediately.
When you think about it, Google has a trusted brand and is well placed in the market to perhaps get involved in, or even produce its own cryptocurrency, particularly where there are profits to be made and when cryptocurrencies appear to have an important future beyond the initial bubble of bitcoin-mania. The important thing for Google is that it, along with Facebook, was seen to be doing the right thing when cryptocurrency scam adverts began making the news, and there is still no real, firm proof that Google will commit itself to its own cryptocurrency yet.

It is also not surprising that companies such as Google and Facebook would want to explore the huge potential opportunities that blockchain offers. It is worth remembering that blockchain has shown itself to have many great uses beyond just cryptocurrecies e.g. enabling students to share their qualifications with employers, recording the temperature of sensitive medicines being transported from manufacturer to hospital in hot climates, as a ledger to record data about wine certification, as a ledger for ownership and storage history, as a system for tracking consignments that addresses visibility and efficiency, and for sharing information between energy suppliers to speed the supplier switching process. Dubai has also invested in using blockchain to put all its documents on blockchain’s shared open database system by 2020 in order to help to cut through Middle Eastern bureaucracy, speed up civic transactions and processes, and bring a positive transformation to the whole region.

Both cryptocurrencies and blockchain have a long way to run yet, and Google and Facebook will certainly not be the only web giants exploring their potential.

CALL US ON 0203 005 9650 FOR SUPERIOR IT SUPPORT

Globalnet aims to be an integral part of your success, providing the best business advice, superior IT support and technology to help you reach your goals. 

Following an investigation by campaign group Big Brother Watch, the UK’s Information Commissioner, Elizabeth Denham, has said that the Police could face legal action if concerns over accuracy and privacy with facial recognition systems are not addressed.

Which Facial Recognition Systems?

A freedom of information request sent to every police force in the UK by Big Brother Watch shows that The Metropolitan Police used facial recognition at the Notting Hill carnival in 2016 and 2017, and at a Remembrance Sunday event, and South Wales Police used facial recognition technology between May 2017 and March 2018. Leicestershire Police also tested facial recognition in 2015.

What’s The Problem?

The two main concerns with the system (as identified by Big Brother Watch and the ICO) are that the facial recognition systems are not accurate in identifying the real criminals or suspects, and that the images of innocent people are being stored on ‘watch’ lists for up to a month, and this could potentially lead to false accusations or arrests.

How Do Facial Recognition Systems Work?

Facial recognition software typically works by using a scanned image of a person’s face (from the existing stock of police photos of mug shots from previous arrests), and then uses algorithms to measure ‘landmarks’ on the face e.g. the position of features and the shape of the eyes, nose and cheekbones. This data is used to make a digital template of a person’s face, which is then converted into a unique code.

High-powered cameras are then used to scan crowds. The cameras link to specialist software that can compare the camera image data to data stored in the police database (the digital template) to find a potential ‘match’. Possible matches are then flagged to officers, and these lists of possible matches are stored in the system for up to 30 days.

A real-time automated facial recognition (AFR) system, like the one the police use at events, incorporates facial recognition and ‘slow time’ static face search.

Inaccuracies

The systems used by the police so far have been criticised for simply not being accurate. For example, of the 2,685 “matches” made by the system used by South Wales Police between May 2017 and March 2018, 2,451 were false alarms.

Keeping Photos of Innocent People On Watch Lists

Big Brother Watch has been critical of the police keeping photos of innocent people that have ended up on lists of (false) possible matches, as selected by the software. Big Brother Watch has expressed concern that this could affect an individual’s right to a private life and freedom of expression, and could result in damaging false accusations and / or arrests.
The police have said that they don’t consider the ‘possible’ face selections as false positive matches because additional checks and balances are applied to them to confirm identification following system alerts.

The police have also stated that all alerts against watch lists are deleted after 30 days, and faces in the video stream that do not generate an alert are deleted immediately.

Criticisms

As well as accusations of inaccuracy and possibly infringing the rights of innocent people, the use of facial recognition systems by the police has also attracted criticism for not appearing to have a clear legal basis, oversight or governmental strategy, and for not delivering value for money in terms of the number of arrests made vs the cost of the systems.

What Does This Mean For Your Business?

It is worrying that there are clearly substantial inaccuracies in facial recognition systems, and that the images of innocent people could be sitting on police watch lists for some time, and could potentially result in wrongful arrests. The argument that ‘if you’ve done nothing wrong, you have nothing to fear’ simply doesn’t stand up if police are being given cold, hard computer information to say that a person is a suspect and should be questioned / arrested, no matter what the circumstances. That argument is also an abdication from a shared responsibility, which could lead to the green light being given to the erosion of rights without questions being asked. As people in many other countries would testify, rights relating to freedom and privacy should be valued, and when these rights are gone, it’s very difficult to get them back again.

The storing of facial images on computer systems is also a matter for security, particularly since they are regarded as ‘personal data’ under the new GDPR which comes into force this month.

There is, of course, an upside to the police being able to use these systems if it leads to the faster arrest of genuine criminals, and makes the country safer for all.

Despite the findings of a study from YouGov / GMX (August 2016) that showed that UK people still have a number of trust concerns about the use of biometrics for security, biometrics represents a good opportunity for businesses to stay one step ahead of cyber-criminals. Biometric authentication / verification systems are thought to be far more secure than password-based systems, which is the reason why banks and credit companies are now using them.

Facial recognition systems have value-adding, real-life business applications too. For example, last year, a ride-hailing service called Careem (similar to Uber but operating in more than fifty cities in the Middle East and North Africa) announced that it was adding facial recognition software to its driver app to help with customer safety.

Globalnet IT Innovations offer a range of managed IT services and on-demand IT services. Call us on 0203 005 9650 to speak to one of our IT consultants and discover how we can help you reach your business goals.

A German newspaper has released details of a security vulnerability, discovered by researchers at Munster University of Applied Sciences, in PGP (Pretty Good Privacy) data encryption.

What Is PGP?

PGP (Pretty Good Privacy) is an encryption program that is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and disk partitions, and to increase the security of e-mail communications. As well as being used to encrypt and decrypt email, PGP is also used to sign messages so that the receiver can verify both the identity of the sender and the integrity of the content. PGP works using a private key that is kept secret, and a public key that the sender and receiver share.

The technology is also known by the name of GPG (Gnu Privacy Guard or GnuPG), and is a compatible GPL-licensed alternative.

What’s The Flaw?

The flaw, which was first thought by some security experts to affected the core protocol of PGP (which would make all uses of the encryption method, including file encryption, vulnerable), is now believed to be related to any email programs that don’t check for decryption errors properly before following links in emails that include HTML code i.e. email programs that have been designed without appropriate safeguards.

‘Efail’ Attacks

The flaw leaves this system of encryption open to what have been called ‘efail’ attacks. This involves attackers trying to gain access to encrypted emails (for example by eavesdropping on network traffic), and compromising email accounts, email servers, backup systems or client computers. The idea is to reveal the plaintext of encrypted emails (in the OpenPGP and S/MIME standards).

This type of attack can be carried out by direct exfiltration, where vulnerabilities in Apple Mail, iOS Mail and Mozilla Thunderbird can be abused to directly exfiltrate the plaintext of encrypted emails, or by a CBC/CFB gadget. This is where vulnerabilities in the specification of OpenPGP and S/MIME are abused to exfiltrate the plaintext.

What Could Happen?

The main fear appears to be that the vulnerabilities could be used to decrypt stored, encrypted emails that have been sent in the past (if an attacker can gain access). It is thought that the vulnerabilities could also create a channel for sneaking personal data or commercial data and business secrets off devices as well as for decrypting messages.

What Does This Mean For Your Business?

It is frustrating for businesses to learn that the email programs they may be using, and a method of encryption, supposed to make things more secure, could actually be providin a route for criminals to steal data and secrets.

The advice from those familiar with the details of the flaw is that users of PGP email can disable HTML in their mail programs, thereby keeping them safe from attacks based on this particular vulnerability. Also, users can choose to decrypt emails with PGP decryption tools that are separate from email programs.

More detailed information and advice concerning the flaw can be found here: https://efail.de/#i-have

Globalnet IT Innovations offer a range of managed IT services and on-demand IT services, including secure Outlook 365 email. Call us on 0203 005 9650 to speak to one of our IT consultants and discover how we can help you reach your business goals.