It has been revealed that US authorities found out about the Spectre and Meltdown chip flaws from media reports rather than being informed directly by US computer chip manufacturer Intel.

What Chip Flaws?

Back in January, researchers from Google’s Project Zero, the Technical University of Graz in Austria and the security firm Cerberus Security in Germany, discovered that two major security flaws are present in nearly all modern processors / microchips. The hardware flaws were dubbed ‘Spectre’ and ‘Meltdown’.

Meltdown affects all Intel, ARM and most other processors on the modern market. It is believed that Meltdown could affect every processor since 1995, except for Intel Itanium and Intel Atom before 2013. The flaw could, for example, leave passwords and personal data vulnerable to attacks.

Found Out Via The Media

In this latest revelation, news has emerged that Intel didn’t inform US cyber-security officials about the flaw in its processors until after the news had been leaked to the media.

Google’s parent company Alphabet has said it informed Intel, AMD and ARM about the chip flaws in June 2017, and the three semiconductor / chip manufacturers were given 90 days to fix the flaws before disclosing the discovery of the flaws and the fix to the public. According to Alphabet, and in keeping with ‘standard practice’, it had left it up to the companies to decide whether they should inform government officials about the security flaws.

Extended

In response, Intel gives a slightly different version of events. According to Intel, Google Project Zero had chosen to extend the 90-day timeframe to 9 January 2018, and Intel had agreed to keep the information confidential until that date.

No Exploits Anyway

Even though there is general agreement that the security flaws are now present in nearly all modern devices, including all iPhones, iPads and Macs, Intel has been quick to stress that there have been no known exploits to date.

What Does This Mean For Your Business?

It is worrying that ‘standard practice’ in the industry is to be allowed to keep quiet about a security problem for 3 months from government cyber-security officials, and from the public. It is also worrying that it took journalists to uncover the problem, particularly when you consider the sheer scale of the flaws i.e. that they’re present in almost all modern processors.

There have been far too many stories of large, well-known companies choosing to keep quiet as long as possible about cyber / data security risks or breaches, and these episodes all serve to undermine confidence that companies will act responsibly themselves, without the threat of new regulations and huge fines (such as those that GDPR will bring).

The best advice to businesses is now to install all available patches for the flaws without delay, and to make sure that you are receiving updates for all your systems, software and devices.

Regular patching is a good basic security habit to get into anyway. Research from summer 2017 (Fortinet Global Threat Landscape Report) shows that 9 out of 10 impacted businesses are being hacked through un-patched vulnerabilities, and that many of these vulnerabilities are 3 or more years old, and there are already patches available for them.

Technology and employment commentators are predicting that with the already high demand for skilled and talented Data Protection Officers (DPOs), the introduction of GDPR may see businesses having to compete to recruit the right one.

What’s A Data Protection Officer?

A DPO’s role is essentially that of looking after any legal and ethical issues related to handling customer data. They are required to have specialist knowledge in matters relating to data and information privacy and security.

What Is Demand For DPOs Like Now?

According to figures from the Indeed job search site, DPO job listings posted in the UK have increased by no less than 700% over the past 18 months. That’s the equivalent of an increase from 12.7 listings per 1 million in April 2016 to 102.7 listings per 1 million in December.

Triggered An Increase In Training

The huge increase in the demand for DPOs has led to a corresponding increase in the demand for GDPR training, as individuals spot a potentially lucrative career, and companies seek to bring their in-house DPOs up to speed.

Some GDPR training providers have reported selling out of courses for the next six months as demand for GDPR-Ready training programs for DPOs have increased by as much as one-third.

Even Bigger Demand With Introduction of GDPR

The International Association of Privacy Professionals (IAPP) estimates that, with the introduction of GDPR in May this year, 28,000 DPOs will be needed in Europe and U.S. and perhaps as many as 75,000 around the globe.

Why?

GDPR requires that companies must have a DPO to help with tasks such as data audits for compliance with privacy laws, training employees on data privacy, and to be the main point of contact in the company for European regulators.

With its 99 articles, under the guidance of 6 privacy principles, General Data Protection Regulation (GDPR) is long, and complicated, and it needs as well as requires someone within the business to understand it, and how it should be practically applied. Failure to comply with GDPR, and data breaches resulting from non-compliance can bring large fines and other potentially disastrous consequences for businesses and organisations e.g. loss of customers, and damage to brand and reputation.

Legal and business commentators are also predicting that companies may only want to deal with suppliers who are GDPR compliant in order to maximise their own compliance and avoid the penalties.

What Does This Mean For Your Business?

For those who are already, or are currently training to be DPOs, the immediate future looks bright in terms of their choice of employment, the massive (and growing) demand for their services, and the bargaining power that this may give them with employers e.g. for their salary.

For businesses that are already trying to get to grips with the complications and costs of complying with GDPR, and who already know that they will need somebody in the DPO’s role, they may not have anticipated the extra complication of having to compete with other businesses to get one. With the demand for good DPOs looking like continuing to out-strip supply, the situation may arise where some businesses attempt to poach DPOs from others.

With X-day already past, and the introduction of GDPR just 3 months away, the clock is now ticking loudly for businesses that may not yet have given any serious thought to the role of DPO, or where to get GDPR training.

Google’s latest Transparency Report reveals that of the 2.4 million requests made since 2014 to remove certain URLs from its search results, Google has only complied with less than half.

Removal Requests

The removal requests relate to a ruling by the European Union’s Court of Justice in May 2014 which said that Google and other search engines can be held responsible for personal data that appears in its search engine results pages – they are considered to be ‘Data Controllers’. Google and other search engines can, therefore, be asked to remove links to some web pages that are published by third parties, and any EU citizen can ask Google to remove information about them from their search results.

Doesn’t Have To Comply

The problem with the ruling for individuals who want their data removed is that Google doesn’t actually have to comply with the request, and can refuse to take links down if can demonstrate that there is a public interest in the information remaining in the search results. Google can also re-instate links that it has already taken down in a previous request if it can show that it has grounds to do so.

One example highlighted in Google’s Transparency Report concerns the UK man who managed to get Google to delist 239 (of 300) URLs that linked him to a fraud conviction where he was later found to be innocent. Following a 2nd request by the same man to remove pages relating to a benefits case linked to him, Google refused this request AND re-instated the previously de-listed URLs because it said that he provided forged documents with his 2nd request.

Two Main Reasons

The statistics appear to indicate that the two most likely reasons why Google would be asked to consider de-listing URLs are when they relate to personal information being shown in social media and directory services, and when aspects of a requester’s legal history from news outlets and government websites are shown in the search engine results.

What If Google Refuses Your Request?

Examples of why Google may refuse to take URLs down include when they give business information that might be useful for potential customers, or if the content about a violent crime could be of interest to the general public.

If Google refuses your request to take down certain URLs, you can then still take your complaint to the national data watchdog. This, of course, takes time.

Less Than Half Of Requests

The Transparency Report shows that, since May 2014, Google has not delisted 56.7% of URLs, and in the UK, 60.2% of requests to remove certain URLs were not complied with by Google.

What Does This Mean For Your Business?

This story appears to show that despite an EU ruling, Google is still really in charge of making the decision about whether your personal details appear in its search engine results, based on its own research rather than your reasons in your request. For businesses wanting to hide certain information from public view, this is clearly an obstacle. Many businesses and individuals may have arguably suffered a much longer lasting punishment for any wrongs or from any bad publicity simply because they now operate in the age of the Internet, where things take a long time to be forgotten.

It will be interesting to see what difference GDPR makes to this situation because with GDPR, any EU citizen has the ‘right to be forgotten’ (all data held about them is to be removed), and GDPR can be enforced with the help of substantial fines for companies failing to comply with requests from individuals.

Google has long appeared to take the position that it sees some requests to remove certain URLs from its search engine results as a kind of censorship, and it remains to be seen just how much influence individuals will be able to exert over the big internet companies in the coming years.

A court in Belgium has told Facebook to stop using tracking code to follow and record internet use by people surfing in Belgium, until it complies with the country’s own privacy laws.

What’s The Problem?

According to Belgium’s privacy watchdog, the Belgian Commission for the Protection of Privacy (CPP), Facebook placed tracking code in the form of ‘cookies’ on third-party websites. This would mean that Facebook’s actions did not comply with Belgium’s privacy laws because:

• It tracked people without consent.
• It tracked people who were not Facebook users.
• It (presumably) stored the tracked personal data that it obtained illegally in the first place.

What Now?

If Facebook fails to comply with Belgium’s CPP it could face fines of £221,000 per day.

Industry Standard

Facebook is reported to have expressed disappointment at the verdict and has stated that it is simply using the same industry standard cookies and pixels that other EU businesses use to help them grow their business.

Ongoing

This latest case appears to be the latest round in a long-running, ongoing dispute between the social media giant and the CPP. For example, back in November 2015, the CPP won a case against Facebook concerning the tracking of people with a ‘datr cookie’ when they visited pages on the site and clicked on like or share, even if they had never registered for an account, or if they had but weren’t even logged in.

Facebook was able to appeal and win an overturning of the verdict because it was judged that Belgian courts didn’t have international jurisdiction over Facebook Ireland i.e. because the data collected by the cookies was stored on servers in Dublin, the European base of Facebook’s operations.

The CPP then indicated that it would try to appeal against Facebook’s successful appeal through Belgium’s court of cassation, using a Yahoo case as an example. With Yahoo, for example, it was ruled back in 2015 that finding against Yahoo wouldn’t have to mean intervention outside of Belgium, and that, since Yahoo actively participated in the economic life of Belgium by using the domain name .be or displaying ads based on users’ location e.g. in Belgium, it voluntarily submitted itself to Belgian law.

What Does This Mean For Your Business?

This story has commercial, legal and political aspects to it. Cookies can provide useful information and functions for businesses e.g. helping to personalise user browsing experiences, and gathering information about users of the company website – usually with an initial registration of consent by users of a website.

With this Facebook case, as web users, we may feel uneasy that trusted companies may be tracking all-comers without consent. This kind of story reminds us all about the importance of privacy and security, and its worth remembering that cookies sent over the web without encryption i.e. if the website doesn’t have HTTPS in front of the domain, could be a security risk because they are readable by anyone on a network and could sensitive data e.g. credit card details, e-mail address and more. Google, for example, has just announced that from July, Chrome will be labelling websites without HTTPS as ‘Not Secure’ to try and combat this kind of risk.

The legal aspect of this case relates to which country has jurisdiction over the actions of a company whose services are used in that country, but the HQ and the data storage are in another country. This is another long-running legal argument e.g. Apple’s tax breaks in Ireland.

Many see the EU and people like the EU’s commissioner for competition, and measures like greater regulation and taxation as being useful to curb some of the more suspect behaviour of the big US Internet companies in Europe.

The introduction of GDPR should also provide greater protection for EU citizens in terms of online privacy and security. The UK will soon not be an EU member, but will have its own similar Bill added to UK law, but this could produce more legal grey areas.

There is clearly a political dimension to this story too as Belgium seeks to hold a powerful overseas company to account, and it wouldn’t be the first time that an EU country has tried to do this.

Following disclosures of how Facebook was used by advertisers who may have been seeking to influence the US election result, Facebook has suggested that in future in the US, those backing candidates with advertising campaigns will receive a ‘snail mail’ postcard sent by Facebook with a verification code.

Ads Mentioning A Candidate

The measure is reported to be only applicable to those who run adverts mentioning a specific candidate, rather than paying to promote a political message e.g. a policy. The verification code sent on the post card can then be used to confirm the advertiser lives in the United States.

Won’t Solve Everything

Facebook’s global director of policy programs, Katie Harbath, has reportedly acknowledged that the postcard idea may not solve all the all problems, but it is the most effective solution that the company could come up with for the time bring to stop similar illegal activity happening on its platform.

How Bad Was It?

Back in November, Facebook released figures ahead of its Senate hearing showing that Russia-based operatives uploaded 80,000 posts to Facebook in the last 2 years. Taking into account posts published between June 2015 and August 2017, it is believed that 29 million Americans saw the posts directly, and that 26 million American users may have seen, and perhaps been influenced by, liked and shared messages and comments that could have originated in Russia.

Also, US Special Counsel Robert Mueller said recently that no fewer than 13 Russians and three Russian companies are believed to have committed criminal offences by using social media to interfere in the US election.

What Does This Mean For Your Business?

It does seem a little ironic that one of the world’s most famous Internet companies must resort to ‘snail mail’ to solve a major problem, but as the company says, it seems like the only effective option for now. It would also be easy to see how this overt, but fairly limited option could be gotten around by e.g. determined state sponsored players.

The bigger picture of the whole election result influence story (i.e. which party / candidate wins) is that it has a big effect on the business environment as well as on society. It is not a surprise that one country could seek to influence events in another, but it is a surprise to some people that tech companies and social media companies are still able to offer such a powerful voice and a channel to all.

The challenge that tech companies such as Facebook and Google (with YouTube) face is that they need to protect the idea that they reject censorship and interference from governments, while still being seen to be acting responsibly and proactively, while also protecting their brands and monetising elements of their business at the same time.

The election revelations have just served to add fuel to the arguments of governments and politicians, both in the US and the UK, that they don’t have more of an influence over social media and tech companies e.g. with the end-to-end encryption debate in the UK, and that they often only come up against lawyers for these companies rather being able to be seen to be publicly grilling the owners of these tech giants themselves.

Facebook is facing criticism for allegedly using sign-ups to 2 factor authentication as an opportunity to send spam SMS notifications.

What 2FA?

Facebook has been allowing users to sign up for SMS-based two-factor authentication to mitigate the risk of phishing attempts and to help protect people from having their accounts compromised.

Spam Too

Unfortunately, in addition to receiving the authentication texts / security tokens that they expected, some sign-ups have also reported receiving what are essentially extra spam texts from Facebook with links to other things happening on the social network.

To make matters even worse, any replies to the spam texts e.g. requests to stop the texts, were reported to have been posted onto the user’s Facebook profile page.

Facebook Sorry

After complaints were received, Facebook released a statement saying that it was sorry for any inconvenience caused, and that it was not their intention to send non-security-related SMS notifications to the phone numbers that customers had submitted as part of the two-factor authentication service.

With regards to posting customer replies to the spam texts on their own Facebook profiles, Facebook explained that this was a throwback to a time before the ubiquity of smartphones when Facebook supported posting to profiles via text message. Facebook admitted, however, that this feature is now less useful, and that it would soon be deprecated..

Bad Publicity In Europe

This incident comes on top of plenty of recent bad publicity in Europe for Facebook. Firstly, after a dispute dating back to 2015 where Facebook fell foul of Verbraucherzentrale Bundesverband (vzbv), or Federation of German Consumer Organisations, a German court has just ruled that Facebook didn’t do enough to alert people to the pre-ticked privacy settings on its mobile app. It also found that eight clauses in Facebook’s terms of service were invalid, including terms that allow Facebook to transmit data to the US and use personal data for commercial purposes.

In a separate long-running spat, this time in Belgium, Facebook lost in a court case with Belgium’s privacy watchdog, the Belgian commission for the protection of privacy (CPP), where it was ruled that Facebook failed to comply with Belgian privacy laws. This time, it was found that Facebook had been using cookies to track people who may or may not have been Facebook users without their consent, and then stored the tracked personal data that it obtained illegally in the first place.

What Does This Mean For Your Business?

As well as highlighting how it appears that the behaviour of some big US Internet companies in Europe are being closely monitored (and needs to be), it highlights how data privacy laws and courts differ in different countries.

This story also brings into focus the importance of the imminent introduction of GDPR in May this year, which should go some way to making data privacy and security laws more uniform and consistent across the EU region. Even though the UK won’t be in the EU soon, GDPR will apply initially, and then the Data Protection Bill (DPB) will replace the Data Protection Act 1998, and will essentially transfer the EU’s GDPR into UK law for the future.

On the subject of GDPR, businesses should be reminded that we have now passed what is known as ‘X-Day’ (100 days from GDPR’s introduction), and that businesses and organisations need to quickly adopt an automated, classification-based, policy-driven approach so that they can meet the regulatory demands within the short time frame available.

In relation to the Facebook case of ‘accidental’ spam after sign-ups for the SMS-based two-factor authentication service, this behaviour would contravene GDPR because, under GDPR, the users would have only given consent for the 2FA service, and not for anything else. GDPR may, therefore, make companies think very seriously about what SMS and email messages they send to user groups based on their initial consent. The whole area of consent and GDPR is something that will need more discussion and clarification to help businesses understand the new boundaries for their online marketing.

Google has announced that websites without ‘HTTPS’ in front of their domains will be labelled as ‘Not Secure’ in version 48 of Chrome, starting this July.

What Is HTTPS and Why Does It Matter?

HTTPS stands for Hyper Text Transfer Protocol Secure. It is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to, which means that all communications between your browser and the website you visit are encrypted.

In practical and technical terms, having HTTPS in front of your website URL means that:

• Every unprotected HTTP request could reveal information about the behaviours and identities of your users. With HTTPS, therefore, critical security and data integrity for both your websites and your users’ personal information is provided. For example, no one with access to your router or ISP can get in the middle and intercept information sent to websites, spy on what you’re doing, or inject malware into legitimate pages.
• Intruders (benign and malignant), now target every unprotected resource between your website and users e.g. images, cookies, scripts, and HTML. HTTPS provides a kind of blanket protection. ‘Intruders’ could include intentionally malicious attackers, as well as legitimate but intrusive companies e.g. ISPs or hotels that inject adverts into pages.
• HTTPS doesn’t just block misuse of your website, but it is now also a requirement for many cutting-edge features, and is an enabling technology for app-like capabilities such as service workers, or building progressive web apps.
• Many older APIs are now being updated to require permission to execute e.g. geolocation API. HTTPS is, therefore, a main component to the permission workflows for both new features and updated APIs.

Naming and Shaming

Google’s Chrome Security Product Manager, Emily Schechter, has announced on the Google Blog that, as from July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”. Google has played down this more direct move as being simply another step in a progression that has seen it gradually marking a larger subset of HTTP pages as “not secure” over the last year. Those companies and organisations that have not yet got their secure certificates may, however, be left thinking that this looks more like a naming and shaming.

Google isn’t the only company to adopt this kind of tactic. Mozilla took a similar approach sites using HTTP back in December with Firefox Nightly version 59.

Cost

The cost of secure certificates varies e.g. popular host GoDaddy offers HTTPS for one website for around £44 per year (£55 when you renew it). Google’s blog post avoids discussion of the cost, and focuses more on the benefits, the risks of not getting one, and makes the point that secure certificates are now more affordable than ever.

According to Google’s figures, many sites have already switched to HTTPS, with a reported 68% of Chrome traffic on Android and Windows now protected, 78% of Chrome traffic on Chrome OS and Mac now protected, and 81 of the top 100 sites on the web now using HTTPS by default.

What Does This Mean For Your Business?

Clearly, any thought that a secure certificate will only be needed by websites that directly take payments is likely to be wrong. Google is committed to making HTTS the default standard – on its blog it says ‘a secure web is here to stay’. The fear for businesses, in addition to the fear of cyber attacks, is that if you don’t have HTTPS for your business website soon, it could suffer in the search engine rankings, and potential customers could be scared away by visual warnings that the site is somehow, suddenly not secure. For smaller businesses this could be particularly damaging.

If having HTTPS reduces the risk of cyber crime then the benefits of buying a secure certificate will outweigh the cost, but for many smaller businesses, this may feel like they are being forced to pay an extra cost each year, and it may also force cyber criminals to change their tactics e.g. move more into social engineering attacks, and perhaps turn to AI-powered attack methods.

A UK security researcher has discovered that cyber criminals have been using public sector websites, including that of the UK’s Information Commissioner’s Office for cryptojacking.

What Is Cryptojacking?

Typically, cryptojacking involves hackers / scammers installing ‘mining script’ code such as Coin Hive, into multiple web pages without the knowledge of the website owners. The compromised website then runs the cryptomining code, which is written in JavaScript, inside the victim’s web browser when they visit the website. The scammer is then able to get multiple computers to join their networks so that the combined computing power will enable them to solve mathematical problems. Whichever scammer is first to solve these problems is then able to claim / generate cash in the form of crypto-currency.

If, for example, a website is able to get one million visitors a month, and if the Coin Hive Web Miner for Monero (XMR) is used, it could generate an income of £88 in the Monero crypto-currency.

Modified BrowseAloud Plugin

In this latest discovery by security researcher Scott Helme, criminals were found to be using a modified version of the BrowseAloud plugin to enable crypotojacking through government websites. The BrowseAloud plugin is normally used to make websites more accessible to visually impaired people, but in this case, attackers were found to have planted malicious code to the JavaScript file to use the browser CPU in an attempt to illegally generate cryptocurrency.

It is thought that criminals targeted this plugin because public sector websites need to comply with legal obligations to make their information accessible to people with disabilities.

Which Government Websites?

A recent investigation has discovered that around 5,000 websites are being targeted using this kind of cryptojacking. The government websites affected include the websites of the UK’s Information Commissioner’s Office (ICO), NHS websites, the General Medical Council website, some UK local council websites, the Student Loans Company site, some Australian government department websites, and the even the US Courts website.

What Does This Mean For Your Business?

Many businesses and organisations simply aren’t able to see and take account of all of the ways they can be attacked externally. Also, it’s not always easy to understand what belongs to your organisation, how it is connected to the rest of your asset inventory, and what potential vulnerabilities are exposed to compromise.

The increased CPU usage and slowing down of computers caused by mining scripts waste time and money for businesses. There are, however, some simple measures that your business can take to avoid being exploited as part of this kind of scam.
If, for example, you are using an ad blocker on your computer, you can set it to block one specific JavaScript URL which is https://coinhive.com/lib/miner.min.js. This will stop the miner from running without stopping you from using any of the websites that you normally visit.

Also, a dedicated browser extension called ‘No Coin’ is available for Chrome, Firefox and Opera. This will stop the Coin Hive mining code being used through your browser. This extension comes with a white-list and an option to pause the extension should you wish to do so.

Coin Hive’s developers have also said that they would like people to report any malicious use of Coin Hive to them.
Maintaining vigilance for unusual computer symptoms, keeping security patches updated, and raising awareness within your company of current scams and what to do to prevent them, are just some of the ways that you could maintain a basic level of protection for your business.

Digital threat management software is also an option that can help companies to continuously discover an inventory of their externally facing digital assets, and to manage the risks across the entire attack surface.