SEARCH CLINIC

Search engine online marketers

Archive for the ‘data security’

Dell faces fresh security questions as new issue found

April 25, 2016 By: Dr Search Principal Consultant at the Search Clinic Category: Browser, Computers, Customer Service, Cyber Security, data security, internet, Personal Security, Search Clinic, Uncategorized

Dell is facing further questions after admitting to a second security issue with its computers this week.

The new problem – similar to the first – could leave users’ personal information vulnerable, researchers backed by the US government said.

Dell said it had again released a fix, after doing the same for the first problem earlier this week.

The repeated issues raised concerns about the company’s attitude towards security, one expert told the BBC.

In a statement, Dell said that the second problem affected users who downloaded its Dell System Detect product. It said the second issue was not pre-installed on computers – as the first was.

It said the product was removed from its site once the issue was spotted and a replacement application was made available.

Earlier this week, Dell said it had inadvertently opened up a security hole in its computers when it pre-installed software on them. A self-signed root certificate authority (CA), which is used to identify trustworthy websites, was “implemented as part of a support tool and intended to make it faster and easier for our customers to service their system”, Dell said.

But the CA it installed, called “eDellRoot”, allowed hackers to intercept a Dell user’s internet traffic, while the private key that came installed with it could be used to trick the computer into thinking that unsafe websites were safe, security researchers pointed out.

The second vulnerability, another CA called “DSDTestProvider”, worked in much the same way, according to the Germany-based journalist who reported it to US Department of Homeland Security-backed researchers at Carnegie Mellon University: Hanno Böck.

In their subsequent report, the researchers wrote: “An attacker can generate certificates signed by the DSDTestProvider CA. Systems that trust the DSDTestProvider CA will trust any certificate issued by the CA.

“An attacker can impersonate web sites and other services, sign software and email messages, and decrypt network traffic and other data.

“Common attack scenarios include impersonating a web site, performing a [man-in-the-middle] attack to decrypt HTTPS traffic, and installing malicious software.” Such an attack involves the hacker intercepting internet traffic between the user’s browser and the site they are accessing.

A Dell spokesman said: “When we became aware of eDellRoot earlier this week, we immediately dug into all our applications that get loaded on Dell PCs. We can confirm we have found no other root certificates on the factory-installed PC image.

“What we did find was that the Dell System Detect application and its DSDTestProvider root certificate had similar characteristics to eDellRoot. The application was removed from the Dell support site immediately and a replacement application without the certificate is now available.”
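
An added example, not part of the original article and not Dell's own tooling: a PowerShell audit that looks through the Windows certificate stores for certificates named eDellRoot or DSDTestProvider, or issued by them, and reports whether each one sits in a trusted root store and has a private key attached. The function name Find-NamedCertificate is hypothetical, and searching every store under LocalMachine and CurrentUser is an assumption, since the article does not say which store holds the certificates.

```powershell
# Added example: audit Windows certificate stores for the two CA names in the article.
# Only the names eDellRoot and DSDTestProvider come from the page; everything else
# (function name, choice of stores to search) is an assumption made for illustration.
function Find-NamedCertificate {
    param(
        [string[]]$CommonName = @('eDellRoot', 'DSDTestProvider'),
        [string[]]$StoreRoot  = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )

    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName

    foreach ($root in $StoreRoot) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            ForEach-Object {
                $cert     = $_
                $subject  = $cert.GetNameInfo($nameType, $false)   # subject simple name (CN)
                $issuer   = $cert.GetNameInfo($nameType, $true)    # issuer simple name (CN)

                # Flag the CA certificate itself and anything it has issued.
                if (($CommonName -contains $subject) -or ($CommonName -contains $issuer)) {
                    [pscustomobject]@{
                        Store         = ($cert.PSParentPath -replace '^.*::', '')
                        Subject       = $subject
                        Issuer        = $issuer
                        Thumbprint    = $cert.Thumbprint
                        NotAfter      = $cert.NotAfter
                        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                        # A private key stored next to a trusted root means anyone who can
                        # read it can sign certificates this machine will accept.
                        HasPrivateKey = $cert.HasPrivateKey
                        InTrustedRoot = ($cert.PSParentPath -like '*\Root')
                    }
                }
            }
    }
}

$hits = @(Find-NamedCertificate)
if ($hits.Count -eq 0) {
    'No eDellRoot or DSDTestProvider certificates found.'
} else {
    $hits | Sort-Object Store | Format-Table -AutoSize
}
```

A row with InTrustedRoot set to True is the condition the researchers describe: the machine will trust any certificate issued by that CA.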

How data is shining a light on global property markets

April 14, 2016 By: Dr Search Principal Consultant at the Search Clinic Category: Broadband, Browser, Computers, Customer Service, Cyber Security, data security, Dr Search, internet, Personal Security, Search Clinic, search engines, Uncategorized

The property market, like that of gold and oil, is a rather murky world.

The prices you’ll see on most websites are asking prices. The value of a done deal – the real price – can take land registries weeks to process, by which time a fast-paced market will have moved on.

So those on the inside doing the deals, such as estate agents and developers, have a distinct advantage.

Could technology help blast open this closed market?

Teun van den Dries, chief executive of Dutch software company GeoPhy, believes his data analytics software program could do just that, starting with commercial property, a global market worth about €22.5tn (£15.7tn), according to the European Public Real Estate Association.

His program crunches lots of different data sets – public transport, roads, congestion, location, demographics, local economy, building quality and so on – to calculate an estimated value for a property.

And he has data for 41 countries, from Singapore to Spain, Brazil to Belgium.

“If you look at the current property market, almost all transactions are handled by estate agents that will describe property as being well situated, with great accessibility and beautiful views,” he says. “And that could all be true, but it doesn’t mean anything and it doesn’t allow you to compare.”

Location accounts for 70%-75% of the weighting in the algorithm – a mathematical set of rules – and his pricing is accurate within about 5%, he says.

Estate agents are known for their creative euphemisms when it comes to property descriptions, but data could help cut through the sales speak to arrive at a more realistic assessment, he believes.

But, he notes, “a valuation is never right until someone pays. So, it’s the same price point a surveyor will put their signature on.”

The only difference is that it’s derived from data and a set of comparable rules, he says.

However, there are some valuations it can’t help us to understand – parts of London, such as St James’s Park or Mayfair, home of the £90m mansion, simply defy data analysis.

At present, his customers are pension funds and other large institutions that own property portfolios. They want quick access to property valuations, as well as other data, such as the energy efficiency of their buildings.

But he hopes this type of analysis could also help make the residential property and rentals markets more transparent, too.

So when your landlord says prices are rising in your area and hikes up your rent, you’ll be able to see if that’s really the case, says Mr van den Dries.

But not everyone is so sure about the benefits of data analytics in the commercial property market.

For example, a seller may offload a building to make a loss to offset against tax and as such will sell at a lower “rational” price, he says.

And shifts in economies thousands of miles away – China or in the Middle East, perhaps – could suddenly empty money out of a given market, without the data giving any warning.

While many large publicly owned property owners have talked about using data, many “just don’t really know where to start and are only at the start of the journey,” he says. “Commercial property is the last imperfect market.”

“Homes may be better, as they are more homogenous and could be more comparable,” he adds.

Mr van den Dries admits that there is some resistance to this new data-driven approach – a number of property owners have expressed displeasure at having their buildings benchmarked, he says.

But he, and others, remain convinced that better analysis of more data is key to a more efficient – and less mysterious – property market.

Tablets ‘eroding’ children’s digital skills

April 09, 2016 By: Dr Search Principal Consultant at the Search Clinic Category: Computers, Customer Service, data security, Dr Search, Email, internet, Personal Security, Search Clinic, smart phones, Tablets, Uncategorized

Children are learning very different skills via tablets and smartphones, suggests a report.

Children’s growing use of mobile devices may hamper their learning of key technology skills, says a report.

An Australian educational body noted a “significant decline” in IT literacy among some students since 2011.

Its report said children learned very different skills on tablets and smartphones to the basic technology skills required for the workplace.

Changes to the way that ICT was being taught in Australian schools could explain some of the decline, it said.

The report added that significant alterations in the types of devices people use could also be behind some of the changes.

Poor performance

The report by Australia’s National Assessment Programme looked at technology literacy among two groups of children – one just leaving primary school and another in its fourth year of secondary school. More than 10,500 students took part.

It compared digital literacy scores from 2011 with those from a survey carried out in late 2014.

“This report shows a significant decline in their ICT literacy performance when compared to previous cycles,” it said.

Both age groups saw a decline in IT proficiencies, it added. Statistics revealed that the average performance of 16-year-olds in the 2014 group was lower than the average in any other year.

In addition it found that the number of children meeting basic ICT literacy standards in these age groups had dropped.

Pupils now made “increased” and “extensive” use of mobile technology and it was possible that this meant they were “practising fewer of the skills that have been associated with ICT literacy,” it said.

Tablets and smartphones were making children competent at using many forms of online communication, it said, at the expense of those other skills emphasised by the curriculum.

It warned against assuming that children who use tablets and other portable devices were more widely competent with technology.

“We cannot expect students to become proficient on important employability and life skills, just by using computing devices for games and social interaction,” it said. “They also need to be taught the relevant knowledge, understanding and skills.”

Eben Upton, who came up with the idea for the bare-bones Raspberry Pi computer, said the Australian research presented some “interesting” conclusions.

“It’s always been my belief that ‘appliance-like’ hardware platforms don’t encourage real computer literacy because there are missing rungs on the ladder between being a consumer and being a producer,” he told the BBC.

“There’s a place for tablets in education, but we need to get away from the idea that knowing how to pinch-zoom makes your toddler the next Bill Gates,” he said.

Paris attacks: Silicon Valley in crosshairs over encryption

February 18, 2016 By: Dr Search Principal Consultant at the Search Clinic Category: Apps, Computers, Customer Service, data security, Email, Hackers, internet, Personal Security, Search Clinic, Uncategorized

Grief over the Paris attacks will soon give way to demands for action.

As well as increased military activity, and the controversial suggestions to close the door on refugees, the next battle in the “surely something can be done” arena will be aimed squarely, and angrily, at Silicon Valley.

Tech companies were already under pressure to make it easier for governments to access “private” communication apps and services. Those calls have intensified greatly since the attacks in Paris.

The “problem” is to do with encryption.

Without encryption, all of the things we do online would be insecure, be it emailing, or shopping, or banking. They all rely on the principle that if you encrypt data using complex mathematics it is nigh-on impossible to crack.

If you’re using communication apps such as WhatsApp, Apple’s iMessage, WeChat and so on, your messages are encrypted by default.

It means that even if those companies wanted to hand over your messages to law enforcement, they couldn’t.

“There are a lot of technological capabilities that are available right now that make it exceptionally difficult, both technically as well as legally, for intelligence and security services to have the insight they need to uncover it,” said CIA director John Brennan at a security forum on Monday.

“And I do think this is a time for particularly Europe, as well as here in the United States, for us to take a look and see whether or not there have been some inadvertent or intentional gaps that have been created in the ability of intelligence and security services to protect the people that they are asked to serve.”

An opinion column in the New York Times, authored by Manhattan’s district attorney, and the City of London Police commissioner, said “encryption blocks justice”.

In the piece, published back in August, they wrote about a murder near Chicago in which a father of six had been shot. At the scene, officers found two mobile phones. But they were passcode locked. Neither Google nor Apple (the phones ran their software) could unlock the phones, and therefore the data was inaccessible.

“On behalf of crime victims the world over,” the opinion piece read, “we are asking whether this encryption is truly worth the cost.”

It’s an argument that can be made with more vigour than ever after the Paris attacks.

With access to communications, the anti-encryption advocates say, we could perhaps stop these tragic events from occurring. That’s a claim worth scrutinising.

It’s early days in the investigation, and no evidence has yet been offered to show that encrypted communications were used to organise the atrocity.

But the technology industry is, on the whole, against the suggestion that law enforcement should have “backdoors” into popular services – the term given to a hidden way of circumventing the app’s security.

A backdoor, in the infosec world, is the term given to a method in which a supposedly secure system can be accessed. It could be a quirk in some code, or a vulnerability in how a system communicates. Whatever the weakness, typically, once backdoors are made public, they are fixed.

Hackers make serious money by discovering backdoors and selling them on – often to government security services.

Many in law enforcement and government feel there should be a backdoor made just for those in authority to investigate and stop criminals and terrorists.

But some of tech’s most influential figures say that the notion of a secure, secret backdoor is dangerously misguided.

If any backdoor exists, hackers will find it eventually. It would mean data security for all of us, not just criminals, would evaporate.

Cost concerns over web spying proposals

February 13, 2016 By: Dr Search Principal Consultant at the Search Clinic Category: Browser, Computers, Customer Service, data security, Dr Search, Google, internet, Personal Security, Search Clinic, Uncategorized

Disentangling data can be difficult and costly, say net experts.

UK MPs are investigating what it will cost ISPs to meet government proposals to log where Britons go online.

The House of Commons Science and Technology committee is looking at whether gathering data on net-using citizens is even feasible. It also wants to look into the potential impact that logging browsing will have on how people use the web.

The consultation comes as questions mount over the money the government will set aside to support monitoring.

The draft Investigatory Powers Bill (IP Bill) was unveiled last week and it attempts to update the way the state, police and spies gather data to fight crime, terrorism and other threats.

One of the most contentious aspects of the IP Bill obliges ISPs to record information about the services, websites and data every UK citizen uses. These “Internet

The Science and Technology committee has said it wants to look more deeply into this and its potential cost.

In a notice announcing the inquiry, the Committee said it wanted to find out if it was possible for ISPs to meet the IP Bill’s requirements. The text of the Bill asks ISPs to log where people go but not what they do when on a site or using a service.

MPs also want to find out how easy it is for ISPs to separate data about a visit to a site from what happens once people log in, because more stringent rules govern who can discover what people do on a site as opposed to the sites they use.

The Committee will also look at how much it might cost the providers to do this.

The government has said it will provide £175m to ISPs over 10 years to pay for data to be gathered and stored.

ISPs watch the flows of data across their networks to help manage traffic, he said, but they typically only sample these streams because they deal with such massive quantities of information every day.

Android’s biggest update ever to fix security flaws

August 24, 2015 By: Dr Search Principal Consultant at the Search Clinic Category: Android, Cyber Security, data security, Google, Hackers, mobile phones, Samsung, Uncategorized

Last month a major bug was discovered in the Android software that could let hijackers access data on up to a billion phones.

Samsung, LG and Google have pledged to provide monthly security updates for smartphones running the Android operating system.
Manufacturers have been slow to roll out a fix because many variations of Android are widely used.

One Android expert said it was “about time” phone makers issued security fixes more quickly as Android is the most widely-used mobile operating system.

Android has been working to patch a vulnerability, known as Stagefright, which could let hackers access a phone’s data simply by sending somebody a video message.

“My guess is that this is the single largest software update the world has ever seen,” said Adrian Ludwig, Android’s lead engineer for security, at hacking conference Black Hat.

LG, Samsung and Google have all said a number of their handsets will get the fix, with further updates every month.

Android is an open source operating system, with the software freely available for phone manufacturers to modify and use on their handsets.

The Google-led project does provide security fixes for the software, but phone manufacturers are responsible for sending the updates to their devices.

Some phones running old versions of Android are no longer updated by the manufacturer. Many companies also deploy customised versions of Android which take time to rebuild with the security changes.

Apple and BlackBerry can patch security problems more quickly because they develop both the software and the hardware for their devices.

BlackBerry’s software is reviewed by mobile networks before being sent to handsets, while Apple can push updates to its phones whenever it wants.

“The very nature of Android is that manufacturers add their own software on top, so there have been delays in software roll-outs,” said Jack Parsons, editor of Android Magazine.

“In the US it’s even worse because mobile carriers often add their own software too, adding another layer of bureaucracy holding up security fixes.”

FBI warns on airline hacking threat

May 23, 2015 By: Dr Search Principal Consultant at the Search Clinic Category: Computers, Cyber Security, data security, Hackers, Search Clinic, Technology Companies

The USA’s Federal Bureau of Investigation (FBI) has issued a formal alert warning airlines to be on the lookout for hackers.

It follows an onboard tweet from security expert Chris Roberts, who joked about being able to hack into a United Airlines plane’s wi-fi network.

A terrorist could theoretically take over systems that fly a plane by compromising equipment at their seat as an increasing number of airlines are offering onboard wi-fi to customers.

The FBI and the US Transportation Security Administration (TSA) said they had no information to support claims a plane’s navigation system could be interfered with via its onboard wi-fi kit, but added that they were evaluating the evidence.

In a private industry notification posted on its website and reported by Wired magazine, the FBI advised airlines to:

  • report any suspicious activity involving travellers connecting unknown cables or wires to the in-flight entertainment (IFE) system
  • report any evidence of suspicious behaviour following a flight, such as IFE systems that show evidence of tampering or the forced removal of covers to network connection ports
  • report any evidence of suspicious behaviour concerning aviation wireless signals, including social media messages with threatening references to onboard network systems, automatic dependent surveillance systems (ADS-B), aircraft communications addressing and reporting systems (ACARS) and air traffic control networks
  • review network logs from aircraft to ensure any suspicious activity, such as network scanning or intrusion attempts, would be captured for further analysis

In his tweet, Mr Roberts suggested that he might be able to deploy the oxygen masks on the flight.

On arrival at Syracuse airport, Mr Roberts – who is co-founder of security company One World Labs – was taken in for questioning by the FBI, and his laptop and other devices were seized.

A few days later, he was prevented from boarding a flight to California.

He had previously given a number of interviews, explaining the possible weak points in airline systems, telling CNN that he could connect to a computer under his seat to view data from the aircraft’s engines, fuel and flight-management systems.

Security experts have warned for some years that airlines are a possible target for hackers.

Planes including the Boeing 787 Dreamliner and the Airbus 350 and A380 have a single network that is used both by pilots to fly the plane and by passengers for their wi-fi connections.

Although there were currently no publicly known vulnerabilities that a hacker could exploit, such an attack remained “theoretically possible” because all networks were inherently insecure.

Wi-fi is now common on many airlines, and most have relaxed the rules surrounding the use of gadgets during flights.

Computer communication encryptions are a problem for police

March 30, 2015 By: Dr Search Principal Consultant at the Search Clinic Category: Computers, Cyber Security, data security, Social Media, Social Networking, Technology Companies, Telecommunications Companies, Uncategorized

Encrypted communications are the biggest problem for police, says Europol’s police chief.

The European police chief says that sophisticated online communications are the biggest problem for security agencies tackling terrorism.

Hidden areas of the internet and encrypted communications make it harder to monitor terror suspects, warns Europol’s Rob Wainwright.

Tech firms should consider the impact sophisticated encryption software has on law enforcement, he said.

Mr Wainwright said that in most current investigations the use of encrypted communications was found to be central to the way terrorists operated.

“It’s become perhaps the biggest problem for the police and the security service authorities in dealing with the threats from terrorism,” he explained.

“It’s changed the very nature of counter terrorist work from one that has been traditionally reliant on having good monitoring capability of communications to one that essentially doesn’t provide that anymore.”

Mr Wainwright, whose organisation supports police forces in Europe, said terrorists were exploiting the “dark net”, where users can go online anonymously, away from the gaze of police and security services.

But he is also concerned at moves by companies such as Apple to allow customers to encrypt data on their smartphones.

And the development of heavily encrypted instant messaging apps is another cause for concern, he said. This meant people could send text and voice messages which police found very difficult or impossible to access, he said.

“We are disappointed by the position taken by these tech firms and it only adds to our problems in getting to the communications of the most dangerous people that are abusing the internet.

“Tech firms are doing it, I suppose, because of a commercial imperative driven by what they perceive to be consumer demand for greater privacy of their communications.”

Mr Wainwright acknowledged this was a result of the revelations by former National Security Agency contractor Edward Snowden, who exposed how security services were conducting widespread surveillance of emails and messages.

He said security agencies now had to work to rebuild trust between technology firms and the authorities.

The extent of the challenge faced by security services is shown in the scale of social media use by IS.

The programme also found evidence that supporters of ISIS are using encrypted sites to radicalise or groom new recruits.

Mr Wainwright revealed that ISIS is believed to have up to 50,000 different Twitter accounts tweeting up to 100,000 messages a day.

Europol is now setting up a European Internet Referral Unit to identify and remove sites being used by terrorist organisations.

Mr Wainwright also says current laws are “deficient” and should be reviewed to ensure security agencies are able to monitor all areas of the online world.

“There is a significant capability gap that has to change if we’re serious about ensuring the internet isn’t abused and effectively enhancing the terrorist threat.

“We have to make sure we reach the right balance by ensuring the fundamental principles of privacy are upheld so there’s a lot of work for legislators and tech firms to do.”

Cyber criminals raided by police

March 06, 2015 By: Dr Search Principal Consultant at the Search Clinic Category: Computers, Cyber Security, data security, Dr Search, Hackers, internet, Personal Security, Search Clinic, Technology Companies, Uncategorized

The UK’s National Crime Agency has arrested 56 suspected hackers as part of a “strike week” against cybercrime.

In total, 25 separate operations were carried out this week across England, Scotland and Wales. Those arrested are suspected of being involved in a wide variety of cybercrimes including data theft, fraud and virus writing.

The week-long series of operations was co-ordinated by the NCA’s National Cyber Crime Unit (NCCU) as well as specialist officers from regional organised crime squads and the Metropolitan Police.

West Midlands police arrested a 23-year-old man in Sutton Coldfield who is believed to have been involved in breaking into the network of the US defence department in June 2014.

The biggest operation saw the arrest of 25 people in London and Essex suspected of using the net to steal money, launder cash and carry out other frauds.

The hackers behind that attack stole contact information for about 800 people and data on the network’s internal architecture was also pilfered.

The action also resulted in the arrest of people thought to be part of some well-known hacking groups.

In Leeds, a suspected member of the Lizard Squad group was arrested, and in London a 21-year-old man was taken into custody on suspicion of being part of the D33Ds Company hacking collective.

The D33Ds group is believed to have been behind a 2012 attack on Yahoo that stole more than 400,000 email addresses and passwords subsequently published online.

Investigations about suspects in Sutton Coldfield, Leeds and Willesden were aided by forensic information provided by the FBI.

The other actions targeted alleged phishing gangs, intellectual property thieves, users of financial malware, companies that offer hosting services to crime groups, and many people who took part in so-called DDoS (distributed denial of service) attacks in an attempt to knock websites offline.

One 21-year-old man from County Durham allegedly knocked out the Police Scotland website by mounting such a DDoS attack.

“Criminals need to realise that committing crime online will not render them anonymous to law enforcement,” said Andy Archibald, deputy director of the NCCU. “It’s imperative that we continue to work with partners to pursue and disrupt the major crime groups targeting the UK.”

In addition, this week the NCA coordinated visits to 70 firms to inform them about how vulnerable their servers were to attack and how they could be used by cyberthieves to send out spam or act as proxies for other attacks.

The strike week also involved four forces setting up pop-up shops to give advice to the public about staying safe online and to get their devices checked to make sure they are free of malware and other digital threats.

The problems of cyber security for small businesses

February 24, 2015 By: Dr Search Principal Consultant at the Search Clinic Category: Computers, Customer Service, Cyber Security, data security, Dr Search, Ecommerce, Hackers, Search Clinic, Technology Companies, Uncategorized

The growing problem of cyber security is becoming a big headache for small businesses.

Figures from Sophos suggest about 30,000 websites a day are being compromised by cyber hackers – most of those will be the public face of one SME or another.

Becoming a victim of a hack or breach costs smaller firms between £65,000 and £115,000, according to the PWC survey of the worst data breaches among small firms. Those worst hit will suffer up to six breaches a year, PWC suggested, so the total cost could be even higher.

For a smaller firm finding that much cash to clean up after a breach could mean the difference between keeping trading and going bust.

This lack of focus on cyber security is understandable, as most small and medium-sized enterprises (SMEs) spend most of their time on core commercial activity such as keeping customers happy, seeking out new clients and engaging in all the basic day-to-day admin needed to keep their enterprise afloat.

So worrying about computer security comes a long way down their to-do lists.

However, ecommerce, websites, apps, smartphones, tablets, social media and cloud services were all now standard ways of doing business in the 21st century, he said.

Additionally, there were some SMEs that were based entirely around technology but that did not make them experts in how to keep their digital business secure.

Either way, everyone is a target and they all need to look externally to security firms for help.

Everyone is familiar with attempts to penetrate internal networks to steal payment information or customer data records but may be less knowledgeable about invoice fraud, ransomware, malvertising, or even attacks that “scrape” websites with automated tools to steal all the information about prices and products they contain.

Estimates vary on how much SMEs spend on IT security.

The most recent government figures published 18 months ago suggest SMEs with 100 or more employees spend about £10,000 per year. The smallest small firms, with fewer than 20 staff, spend about £200. Other estimates put the spend at about £30 per employee.

SMEs should start with the basics.

This includes anti-virus software, firewalls, spam filters on email gateways and keeping devices up to date. This would defeat the majority of the low-level threats that those busy cyber thieves are churning out.

Government advice on how SMEs can be safer revolves around a 10 steps programme that emphasises basic, good practice. It’s big on those simple steps such as keeping software up to date and applying the widely used software tools that can spot and stop the most prolific threats.

But it also stresses that smaller firms should understand more about how they use data and how it flows around their organisation.

Having a good sense of where data goes and who uses it can help limit the damage if it goes astray.

Having control of that data, knowing its value and where it is going, can help a company guard against it leaking out accidentally and maliciously. For instance, having that control might help a firm spot that a server was accidentally exposed to the net and private information was viewable by anyone.

It can also help SMEs keep an eye on their suppliers and partners to ensure that data is handled appropriately.

And finally, said Mr Harrison from Exponential-e, firms need to put in place a plan for what happens when a breach or security incident does occur.

“It’s not a question of if something bad will happen,” he said. “It will, but it’s all about what they do about it.”