SEARCH CLINIC

FBI warns on airline hacking threat

May 23, 2015 By: Dr Search Principal Consultant at the Search Clinic Category: Computers, Cyber Security, data security, Hackers, Search Clinic, Technology Companies

The USA’s Federal Bureau of Investigation (FBI) has issued a formal alert warning airlines to be on the lookout for hackers.

It follows an onboard tweet from security expert Chris Roberts, who joked about being able to hack into a United Airlines plane’s wi-fi network.

A terrorist could theoretically take over systems that fly a plane by compromising equipment at their seat as an increasing number of airlines are offering onboard wi-fi to customers.

The FBI and the US Transportation Security Administration (TSA) said they had no information to support claims a plane’s navigation system could be interfered with via its onboard wi-fi kit, but added that they were evaluating the evidence.

In a private industry notification posted on its website and reported by Wired magazine, the FBI advised airlines to:

  • report any suspicious activity involving travellers connecting unknown cables or wires to the in-flight entertainment (IFE) system
  • report any evidence of suspicious behaviour following a flight, such as IFE systems that show evidence of tampering or the forced removal of covers to network connection ports
  • report any evidence of suspicious behaviour concerning aviation wireless signals, including social media messages with threatening references to onboard network systems, automatic dependent surveillance systems (ADS-B), aircraft communications addressing and reporting systems (ACARS) and air traffic control networks
  • review network logs from aircraft to ensure any suspicious activity, such as network scanning or intrusion attempts, would be captured for further analysis

In his tweet, Mr Roberts suggested that he might be able to deploy the oxygen masks on the flight.

On arrival at Syracuse airport, Mr Roberts – who is co-founder of security company One World Labs – was taken in for questioning by the FBI, and his laptop and other devices were seized.

A few days later, he was prevented from boarding a flight to California.

He had previously given a number of interviews, explaining the possible weak points in airline systems, telling CNN that he could connect to a computer under his seat to view data from the aircraft’s engines, fuel and flight-management systems.

Security experts have warned for some years that airlines are a possible target for hackers.

Planes including the Boeing 787 Dreamliner and the Airbus 350 and A380 have a single network that is used by both pilots to fly the plane and by passengers for their wi-fi connections.

Although there were currently no publicly known vulnerabilities that a hacker could exploit, such an attack remained “theoretically possible” because all networks were inherently insecure.

Wi-fi is now common on many airlines, and most have relaxed the rules surrounding the use of gadgets during flights.

Twitter launches anti cyberbully policy

April 27, 2015 By: Dr Search Principal Consultant at the Search Clinic Category: Personal Security, Search Clinic, Social Media, Social Networking, Twitter, Uncategorized

Twitter is to launch an anti cyberbully policy to act against violent threats as part of renewed efforts to tackle abuse.

Twitter has acknowledged that its previous rules, which said a threat needed to be “direct” and “specific” to justify its intervention, had been too “narrow”.

The firm will still require a complaint to be made before it blocks an account, but it said it was also attempting to automatically make a wider range of abusive tweets less prominent.

The problem is not limited to Twitter – in March, a study of 1,000 UK-based 13 to 17 year olds by broadband provider Europasat indicated that nearly half of those surveyed had been sent abusive messages over the internet.

In February, Twitter’s chief executive Dick Costolo highlighted the issue when he sent a memo to staff telling them that “we suck at dealing with abuse and trolls on the platform and we’ve sucked at it for years”.

Twitter’s rules now state that it may act after being alerted to tweets that contain “threats of violence against others or promote violence against others”.

Twitter will tell some abusers to verify their phone number and delete several tweets before lifting a temporary ban.

By making its criteria more vague than before, the platform can now intervene if, for example, someone says that a victim ought to be beaten up.

It had previously required the aggressor to have provided specific details, such as the fact they planned to commit the act using a baseball bat at the victim’s place of work, before it would respond.

“Our previous policy was unduly narrow, and limited our ability to act on certain kinds of threatening behaviour,” wrote Shreyas Doshi, Twitter’s director of product management, on the firm’s blog.

“The updated language better describes the range of prohibited content and our intention to act when users step over the line into abuse.”

In addition, Twitter will begin freezing some abusers’ accounts for set amounts of time, allowing those affected to see the remaining duration via its app. Abusers may also be required to verify their phone number and delete all their previous offending tweets in order to get their account unlocked.

The firm said it could use this facility to calm situations in which a person or organisation came under attack from several people at once, where it might not be appropriate to enforce permanent bans on all involved.

While such decisions would be taken by Twitter’s staff, the company said it had also started using software to identify tweets that might be abusive, based on “a wide range of signals and context”.

Such posts will be prevented from appearing in people’s feeds without ever having been checked by a human being. However, they will still show up in searches and remain subject to the existing complaints procedure.

A side-effect of this could be that some abusive tweets become harder to detect.

The UK Safer Internet Centre, which represents a number of campaign bodies, welcomed the move.

“These are really good steps,” said Laura Higgins, the organisation’s online safety operations manager.

“Regrettably some people might fall foul of bad behaviour before Twitter can put some of these safeguards in place, but at least it is always looking for new solutions.”

“In cases when there is massive amounts of abuse and it’s all of a similar theme, I think the new system will be good at picking it up, and that’s great. But it would be good to hear what will happen to that data once Twitter has it.”

The announcements build on other recent changes made by Twitter, including hiring more workers to handle abuse reports and letting third parties flag abuse.

Search Clinic repeats the link to How to Report a Tweet or Direct Message for violations

The problems of cyber security for small businesses

February 24, 2015 By: Dr Search Principal Consultant at the Search Clinic Category: Computers, Customer Service, Cyber Security, data security, Dr Search, Ecommerce, Hackers, Search Clinic, Technology Companies, Uncategorized

The growing problem of cyber security is becoming a big headache for small businesses.

Figures from Sophos suggest about 30,000 websites a day are being compromised by cyber hackers – most of those will be the public face of one SME or another.

Becoming a victim of a hack or breach costs smaller firms between £65,000 and £115,000, according to the PWC survey of the worst data breaches among small firms. Those worst hit will suffer up to six breaches a year, PWC suggested, so the total cost could be even higher.

For a smaller firm finding that much cash to clean up after a breach could mean the difference between keeping trading and going bust.

This lack of focus on cyber security is understandable, as most small and medium-sized enterprises (SMEs) spend most of their time on core commercial activity such as keeping customers happy, seeking out new clients and engaging in all the basic day-to-day admin needed to keep their enterprise afloat.

So worrying about computer security comes a long way down their to-do lists.

However, ecommerce, websites, apps, smartphones, tablets, social media and cloud services were all now standard ways of doing business in the 21st century, he said.

Additionally, there were some SMEs that were based entirely around technology but that did not make them experts in how to keep their digital business secure.

Either way, everyone is a target and they all need to look externally to security firms for help.

Everyone is familiar with attempts to penetrate internal networks to steal payment information or customer data records but may be less knowledgeable about invoice fraud, ransomware, malvertising, or even attacks that “scrape” websites with automated tools to steal all the information about prices and products they contain.

Estimates vary on how much SMEs spend on IT security.

The most recent government figures published 18 months ago suggest SMEs with 100 or more employees spend about £10,000 per year. The smallest small firms, with fewer than 20 staff, spend about £200. Other estimates put the spend at about £30 per employee.

SMEs should start with the basics.

This includes anti-virus software, firewalls, spam filters on email gateways and keeping devices up to date. This would defeat the majority of the low-level threats that those busy cyber thieves are churning out.

Government advice on how SMEs can be safer revolves around a 10 steps programme that emphasises basic, good practice. It’s big on those simple steps such as keeping software up to date and applying the widely used software tools that can spot and stop the most prolific threats.

But it also stresses that smaller firms should understand more about how they use data and how it flows around their organisation.

Having a good sense of where data goes and who uses it can help limit the damage if it goes astray.

Having control of that data, knowing its value and where it is going, can help a company guard against it leaking out accidentally and maliciously. For instance, having that control might help a firm spot that a server was accidentally exposed to the net and private information was viewable by anyone.

It can also help SMEs keep an eye on their suppliers and partners to ensure that data is handled appropriately.

And finally, said Mr Harrison from Exponential-e, firms need to put in place a plan for what happens when a breach or security incident does occur.

“It’s not a question of if something bad will happen,” he said. “It will, but it’s all about what they do about it.”

Police warn on cyber crime threats

April 18, 2014 By: Dr Search Principal Consultant at the Search Clinic Category: Cyber Security, data security, Hackers, Personal Security, Search Clinic, Telecommunications Companies, Uncategorized

Only three out of 43 police forces in England and Wales have a comprehensive plan to deal with a large scale cyber attack, new research has found.

Her Majesty’s Inspectorate of Constabulary (HMIC) warned only Derbyshire, Lincolnshire and West Midlands had sufficient plans in place.

It also found only 2% of police staff across 37 forces had been trained on investigating cybercrime.

The report examined how prepared police are for a series of national threats.

Last year, the government identified five threats as priorities for police to prepare for. These are:

  • Terrorism
  • Civil emergencies
  • Organised crime
  • Public order threats
  • Large-scale cyber-attacks

As part of its Strategic Policing Requirement (SPR), the Home Office called for a nationally required policing response to counter each of the threats.

The report is the first in a series of inspections looking at how individual forces have responded to the guidelines.

HMIC inspectors said they were “struck by how incomplete the police service’s understanding of the national threats was” and that more needs to be done “collectively by all forces”.

The report called for “much greater attention” from police leaders.

“The capacity and capability of the police to respond to national threats is stronger in some areas than others – with the police response to the cyber-threat being the least well developed,” HMIC’s Stephen Otter said.

Police plans to deal with counter-terrorism, public order, civil emergencies and organised crime were in “stark contrast” with the capabilities for cyber-related threats.

Inspectors found the ability to deal with cyber-threats remains “largely absent” in some forces and that some senior officers across England and Wales are still “unsure of what constituted a large-scale cyber-incident”.

They found forces were “silent” when it came to preventing cybercrime and protecting people from the harm it causes, despite the fact it is “fast becoming a dominant method in the perpetration of crime”.

“The police must be able to operate very soon just as well in cyberspace as they do on the street,” the report said.

According to the government’s definition, a large-scale cyber-incident could be “a criminal attack on a financial institution to gather data or money” or an “aggregated threat where many people or businesses across the UK are targeted”.

It also includes “the response to a failure of technology on which communities depend and which may also be considered a civil emergency”.

Basically- despite cybercrime costing the UK economy billions of pounds, our plods are light years from being able to cope- let alone help us.

Moral of the story is make sure that you are as secure as you can be- because the state isn’t capable of nannying you.

Passwords- how to set and remember them

April 15, 2014 By: Dr Search Principal Consultant at the Search Clinic Category: Cyber Security, data security, Dr Search, Hackers, Personal Security, Search Clinic, Uncategorized

With the heightened risk of password hacking Search Clinic thought that it is a good time to refresh your memory on how to set- and remember your secure passwords.

Dr Search of the Search Clinic visited the Cheltenham Science Festival a few years ago and attended a lecture by Toby of GCHQ on security in the computer age and posted a post at: top common passwords.

Your starter for ten is to make sure that you don’t use any of them. If you do- then you are already in trouble.

Changing passwords is something many people avoid at all costs- because they fear they will forget the new password.

However, you can make something memorable by simply using the power of association and location. In order to remember a string of online passwords, all you have to do is associate each individual letter and number with a known or fixed item, calling on your imagination throughout.

The more you stimulate and use your imagination, the more connections you will be able to make, and the more you will be able to memorise.

Memory expert Tony Buzan gives tips on how to remember new ones, which should be a long jumble of randomly generated letters and numbers.

  • No pets’ names- Hackers can find out a lot about you from social media.
  • No dictionary words- Hackers can precalculate the encrypted forms of whole dictionaries and easily reverse engineer your password.
  • Mix unusual characters- Try a word or phrase where characters are substituted - Whyd03s1talw&ysr*in?
  • Have multiple passwords- If hackers compromise one system, they won’t be able to access other accounts.
  • Keep them safely- Don’t write them down – use a secure password vault on your phone. If you must write them down, label the file something OTHER than passwords.

Tom from GCHQ suggested using a combination of the above, by using multiple words and numbers- with a few symbols thrown in for good measure:

wh1te-rabbt)*m0nth

Good Luck- and safe browsing.

Mobile position data present anonymity risk

April 02, 2013 By: Dr Search Principal Consultant at the Search Clinic Category: data security, Mobile Marketing, mobile phones, Personal Security, smart phones, Telecommunications Companies, Uncategorized

Scientists say it is remarkably easy to identify a mobile phone user from just a few pieces of location positioning information.

Whenever a phone is switched on, its connection to the network means its position and movement can be plotted.

This data is given anonymously to third parties, both to drive services for the user and to target advertisements.

But a study, “Unique in the Crowd: The privacy bounds of human mobility”, in Scientific Reports warns that human mobility patterns are so predictable it is possible to identify a user from only four data points.

The growing ubiquity of mobile phones and smartphone applications has ushered in an era in which tremendous amounts of user data have become available to the companies that operate and distribute them – sometimes released publicly as “anonymised” or aggregated data sets.

These data are of extraordinary value to advertisers and service providers, but also for example to those who plan shopping centres, allocate emergency services, and a new generation of social scientists.

Yet the spread and development of “location services” has outpaced the development of a clear understanding of how location data impact users’ privacy and anonymity.

For example, sat-nav manufacturers have long been using location data from both mobile phones and sat-navs themselves to improve traffic reporting, by calculating how fast users are moving on a given stretch of road.

The data used in such calculations are “anonymised” – no actual mobile numbers or personal details are associated with the data.

But there are some glaring examples of how nominally anonymous data can be linked back to individuals, the most striking of which occurred with a tranche of data deliberately released by AOL in 2006, outlining 20 million anonymised web searches.

Recent work has increasingly shown that humans’ patterns of movement, however random and unpredictable they seem to be, are actually very limited in scope and can in fact act as a kind of fingerprint for who is doing the moving.

Researchers at the Massachusetts Institute of Technology (MIT) and the Catholic University of Louvain studied 15 months’ worth of anonymised mobile phone records for 1.5 million individuals.

They found from the “mobility traces” – the evident paths of each mobile phone – that only four locations and times were enough to identify a particular user.

“In the 1980s, it was shown that you need 12 points to uniquely identify and characterise a fingerprint,” said the study’s lead author Yves-Alexandre de Montjoye of MIT.

“What we did here is the exact same thing but with mobility traces. The way we move and the behaviour is so unique that four points are enough to identify 95% of people.”

“We think this data is more available than people think. When you think about, for instance wi-fi or any application you start on your phone, we call up the same kind of mobility data.

“When you share information, you look around you and feel like there are lots of people around – in the shopping centre or a tourist place – so you feel this isn’t sensitive information.”

Sam Smith of Privacy International said: “Our mobile phones report location and contextual data to multiple organisations with varying privacy policies.”

“Any benefits we receive from such services are far outweighed by the threat that these trends pose to our privacy, and although we are told that we have a choice about how much information we give over, in reality individuals have no choice whatsoever.” 
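The “four points” finding can be turned into a check a data holder runs before releasing an “anonymised” location set. The following is an added example, not code from the study or from this post: it measures how often a handful of known (antenna, hour) points matches exactly one trace, before and after coarsening the locations. The sample traces, the region mapping and the function names are constructed for illustration, and the subsets are enumerated exhaustively, which is only practical for small samples.

```python
from itertools import combinations

# Constructed sample data: pseudonymous user -> set of (antenna, hour) points.
# No names or phone numbers appear, which is what "anonymised" usually means.
TRACES = {
    "u1": {("A", 9), ("B", 13), ("C", 18)},
    "u2": {("A", 9), ("B", 13), ("D", 18)},
    "u3": {("A", 9), ("E", 13), ("C", 18)},
    "u4": {("F", 9), ("B", 13), ("C", 18)},
}

# Hypothetical mapping of antennas to larger regions, used to coarsen the data.
REGIONS = {"A": "north", "F": "north", "B": "centre", "E": "centre",
           "C": "south", "D": "east"}


def unicity(traces, p):
    """Fraction of p-point subsets of users' own traces that match one trace only.

    A value near 1.0 means that anyone who knows p places and times for a
    person can pick that person's whole trace out of the data set.
    """
    total = unique = 0
    for points in traces.values():
        for subset in combinations(sorted(points), p):
            known = set(subset)
            # Count every trace in the data set consistent with the known points.
            matches = sum(1 for other in traces.values() if known <= other)
            total += 1
            unique += (matches == 1)
    return unique / total if total else 0.0


def coarsen(traces, regions):
    """Replace each antenna by its region, lowering the spatial resolution."""
    return {user: {(regions[antenna], hour) for antenna, hour in points}
            for user, points in traces.items()}


if __name__ == "__main__":
    for p in (1, 2, 3):
        print(f"raw data, {p} known point(s): unicity = {unicity(TRACES, p):.2f}")
    coarse = coarsen(TRACES, REGIONS)
    print(f"coarsened, 3 known points: unicity = {unicity(coarse, 3):.2f}")
```

On this constructed sample the unicity rises with every extra known point, and coarsening lowers it without bringing it to zero, so the figure should be measured on the real data set rather than assumed.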

Paypal predicts the end of passwords

March 04, 2013 By: Dr Search Principal Consultant at the Search Clinic Category: Customer Service, Cyber Security, data security, Dr Search, Ecommerce, Hackers, Personal Security, smart phones, Technology Companies, Telecommunications Companies, Uncategorized

The days of the tiresome password may be numbered- according to Paypal.

The fact is that the way we users typically deal with having multiple passwords for our online accounts makes us too vulnerable to spyware, phishing and identity theft.

Many of us rely on the same password, while many more of us only use three or four passwords.

Ideally, the best password would be at least 16 characters with capitals, numbers and special characters – but you’d never remember it.

So the industry is looking to ditch passwords, and is turning to a variety of solutions, such as voice recognition, keystroke analysis and fingerprint identification.

Payments firm PayPal is one of those leading the changes, and president David Marcus says the aim is to make the whole process seamless.

“Like magic, you’ll be authenticated, and the payment will go through. We want to move away from passwords, and get to embedded fingerprint scanners on mobile phones.”

“You’re going to start seeing that type of experience later this year, with a mass roll-out in the year to come.”

Earlier this month, PayPal, Lenovo and others announced the formation of the Fido Alliance (Fast Identity Online) to change the way online security checks are carried out.

The idea is that users will be able to select the type of authentication that suits them best – from fingerprint scanning to USB tokens.

“The best protection is the one you don’t see – it’s the one that happens in the background, that verifies your identity accessing your own data,” says Mr Marcus.

‘Untapped potential’

For PayPal, solving the password security problem is important because so many people now use it to make purchases – it has 125 million customers in more than 190 countries.

“You shop offline more than you shop online, but in most of these transactions mobile is involved now,” says Mr Marcus.

“As the offline market is 17 times bigger than the online market, there is still huge untapped potential for us.”

The key driver for this has been the way in which customers are increasingly using phones, tablets and other handheld devices to make purchases.

Last year, PayPal recorded $145 billion (£95bn) in total transactions, of which $14 billion were via mobile devices, says Mr Marcus. “But the year before it was less than $4 billion.”

All of which should be welcome news for those of us who continually have to email our online retailers for new passwords, because we’ve forgotten the one we asked them for the last time we tried to buy something from them.

Apple computers now hacked

February 18, 2013 By: Dr Search Principal Consultant at the Search Clinic Category: Apple, Computers, Cyber Security, data security, Hackers, internet, Search Clinic, Technology Companies, Uncategorized

Apple has announced that its own computers were attacked by the same hackers who targeted Facebook.

The iPhone-maker said a small number of its machines were affected, but added there was “no evidence” of data theft.

Last week Facebook said it had traced a cyber attack back to China which had infiltrated employees’ laptops.

Apple said it would release a software update to protect customers against the malicious software used in the attack.

In a statement, the firm said: “Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers.”

“The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers.”

“We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple.”

“We are working closely with law enforcement to find the source of the malware.”

Apple said it had taken measures to protect users from vulnerabilities in Java, a widely-used programming language that was found to have serious security flaws.

“Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days,” the company said.

“To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found.”

Facebook’s turn to be targeted by sophisticated hackers

February 15, 2013 By: Dr Search Principal Consultant at the Search Clinic Category: Cyber Security, data security, Facebook, internet, Personal Security, Social Media, Technology Companies, Uncategorized

Facebook has revealed it was the latest website to be targeted by a “sophisticated attack” by hackers last month, but found no evidence any user data had been compromised.

The social network said that the attack occurred when employees visited a mobile developer website “that was compromised”.

More than one billion people use Facebook worldwide.

“Last month, Facebook security discovered that our systems had been targeted in a sophisticated attack,” the company said.

“The attack occurred when a handful of employees visited a mobile developer website that was compromised.”

Malware was downloaded on to its employees’ laptops, the firm said, adding: “As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day.”

“We have no evidence that Facebook user data was compromised in this attack,” Facebook said in its blog post.

The firm went on to say that it was “not alone in this attack”.

“It is clear that others were attacked and infiltrated recently as well. As one of the first companies to discover this malware, we immediately took steps to start sharing details about the infiltration with the other companies and entities that were affected,” Facebook said.

UK needs more skilled cyber crime fighters- official

February 11, 2013 By: Dr Search Principal Consultant at the Search Clinic Category: Computers, Cyber Security, data security, Ecommerce, internet, Personal Security, Search Clinic, Technology Companies, Uncategorized

Given the recent spate of hacking incidents, a timely report from the National Audit Office (NAO) has highlighted that a lack of skilled workers is hampering the UK’s fight against cyber crime.

The spending watchdog had heard from experts who believe it could take “up to 20 years to address the skills gap”, it said in a report.

But progress has been made in tackling cyber fraud, with more police resources and prosecutions aimed at catching cyber criminals, the NAO added.

The government said it was “investing heavily” in research and education.

The number of IT and cyber security professionals in the UK has not increased in line with the growth of the internet, the watchdog said.

In 2011, ministers announced funding of £650 million to implement the UK’s Cyber Security Strategy, which set out the risks of the UK’s growing reliance on cyber space.

The strategy identified criminals, terrorists, foreign intelligence services, foreign militaries and politically motivated “hacktivists” as potential enemies who might choose to attack vulnerabilities in British cyber-defences.

In a review of the strategy, the NAO said there had been a number of developments to help tackle cyber crime.

The internet economy in the UK accounts for more than £120 billion – a higher proportion of GDP than any other G20 country, the NAO said.

But it warned that the cost of cyber crime is estimated to be between £18 billion and £27 billion a year.

Action Fraud, the UK’s national fraud reporting centre, received 46,000 reports of cyber-enabled crime, amounting to £292 million of attempted fraud, the report said.

And the Serious Organised Crime Agency had captured more than 2.3 million compromised debit or credit cards since 2011, preventing a potential economic loss of over £500 million.

New regional police cyber crime centres and a trebling of the size of the Police Central e-crime Unit had also helped boost the UK’s capability to combat attacks, the watchdog said.

But the NAO warned that the UK faced a current and future cyber security skills gap, with “the current pipeline of graduates and practitioners” unable to meet demand.

Education officials interviewed by the NAO said it could take “up to 20 years to address the skills gap at all levels of education”.

They raised concerns about a lack of promotion of science and technology subjects at school, leading to a low uptake of computer science and technology courses by university students.