Change your password by default and change it again

At a major US information security event last week a fundamental flaw by a major payment terminal vendor was disclosed, potentially exposing millions of customers to the risk of credit card theft and fraud.

The researchers at the RSA Conference in San Francisco would only reveal the password ‘166816’. This sequence has apparently been used by the same firm on payment terminals shipped worldwide for more than 20 years. A Google search afterwards connected this with several models of credit card terminal sold by Verifone in Silicon Valley. Verifone is highly active, selling into 150 countries and connecting 27 million payment devices, so it is an embarrassing disclosure for the vendor (although they declined to comment) and a stark warning to businesses to review their security.

It is believed that customers assumed the 6-digit password was unique to them and thus made no further changes. This lapse in security practice makes it all too easy for unscrupulous hackers to target payment terminals. Moving to chip-based payment cards remains only part of the answer, as they are not bulletproof either.

The financial repercussions for retailers should not be underestimated, both from loss of consumer confidence and, for publicly listed organisations, from the effect on share price (remember US retailer Target in 2013, with 70 million customers affected, and US store Home Depot, reportedly affecting 56 million customers).

The takeaway for business, whatever the market sector and whichever side of the Pond, is to ensure your business has a robust security policy, reviewed regularly at board level and at every deployment; if your systems and software are ring-fenced, then have clear protocols for re-securing assets introduced or re-circulated into the organisation. But to this yin we add a yang: no system is any good if an operator is flawed. To best-practice cyber security policy we would add a good education programme communicated throughout the workplace, as humans remain the primary conduit for increasingly sophisticated hacking.


Microsoft announces Customer Lockbox for Office 365

During this week’s RSA conference in San Francisco, Microsoft announced a new feature for Office 365 called ‘Customer Lockbox’. This new feature is designed to give customers unprecedented control over their content stored on Microsoft’s platform.

Customer Lockbox administers access control through multiple levels of approval within Microsoft. It logs and audits all Office 365 control actions and provides access with limited and time-bound authorisation.

Essentially this enables the owner of the Office 365 account to scrutinise any request for access to their data, including support requests from Microsoft themselves. By default, requests have a lifetime of 12 hours; after this time the engineer will be unable to access customer content and will have to submit another request for access.
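The approval-and-expiry flow described above, as an added model written for this post (not Microsoft’s implementation; the roles, names and timestamps are hypothetical): a request must pass provider approval and then customer approval, access is time-bound to 12 hours, and every step is audit-logged.

```python
# Added model (not Microsoft's code) of the Customer Lockbox flow: provider
# approval, then customer approval, then time-bound access (12 hours by
# default) with every step audit-logged. Roles, names and times are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

DEFAULT_LIFETIME = timedelta(hours=12)

@dataclass
class AccessRequest:
    engineer: str
    lifetime: timedelta = DEFAULT_LIFETIME
    provider_approved: bool = False
    customer_approved: bool = False
    approved_at: Optional[datetime] = None
    audit_log: List[str] = field(default_factory=list)

    def _log(self, at: datetime, event: str) -> None:
        self.audit_log.append(f"{at.isoformat()} {event}")

    def approve_by_provider(self, approver: str, at: datetime) -> None:
        self.provider_approved = True
        self._log(at, f"provider approval by {approver}")

    def approve_by_customer(self, approver: str, at: datetime) -> bool:
        # The customer only acts on requests the provider has already signed off.
        if not self.provider_approved:
            self._log(at, f"customer approval by {approver} rejected: no provider approval")
            return False
        self.customer_approved, self.approved_at = True, at
        self._log(at, f"customer approval by {approver}; expires {(at + self.lifetime).isoformat()}")
        return True

    def is_access_allowed(self, at: datetime) -> bool:
        # Both approvals are required and the request must be inside its lifetime.
        ok = (self.provider_approved and self.customer_approved
              and self.approved_at is not None and at < self.approved_at + self.lifetime)
        self._log(at, f"access by {self.engineer}: {'allowed' if ok else 'denied'}")
        return ok

def demo() -> tuple:
    t0 = datetime(2015, 4, 24, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    req = AccessRequest("support-engineer")
    early = req.is_access_allowed(t0)                          # no approvals yet -> False
    req.approve_by_provider("provider-manager", t0 + timedelta(minutes=5))
    req.approve_by_customer("tenant-admin", t0 + timedelta(minutes=30))
    during = req.is_access_allowed(t0 + timedelta(hours=6))   # inside the 12h window -> True
    after = req.is_access_allowed(t0 + timedelta(hours=13))   # window expired -> False
    return early, during, after, len(req.audit_log)
```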

Customer Lockbox will be available by the end of 2015 for Exchange Online and in Q1 2016 for SharePoint Online. The new feature will not be enabled by default, but those who do opt in will increase the separation of server administration from the data stored in Office 365, resulting in an added layer of security.


Transport infrastructure cyber threats loom

The UK’s next generation of signalling system, using digital technology, will be rolled out on intercity routes in the 2020s, but could be at risk from hacking causing a serious crash, according to Prof David Stupples, a scientific Government advisor. Network Rail takes the threat seriously. With UK testing of the European Rail Traffic Management System underway, Network Rail says, “We work closely with government, the security services, our partners and suppliers in the rail industry and external cyber security specialists to understand the threat to our systems and make sure we have the right controls in place”.

So what could happen?
The new system is designed to make networks safer by reducing driver error. However, if the system were hacked with malware, the speed at which a train travelled could be overridden and the time in which it was programmed to stop could be extended, creating either disruption or, worse, a potential accident.

With a robust security system facing the outside world, the threat is deemed to be greatest from a rogue employee or an ill-informed worker, for example plugging in a malware-infected device. With an aged and disconnected infrastructure, the rail networks have hitherto not been a frequent target; however, as transport systems become more computerised and connected, this threat will only increase.

This comes at a time when the FBI has recently sent out a formal alert to US airlines to warn them of the dangers of their wi-fi networks being hijacked, following a tweet by an independent security expert that he had successfully accessed the network through the in-flight entertainment system (IFE). The FBI and the US Transportation Security Administration are working fast to close the gaps, but this is not new news. The concern is that an avionics network could be accessed illegally and the controls of the plane taken over, either by someone on board or on the ground.

Technology is a wonderful thing, but only in the right hands. The job of defending network systems can truly be life critical, let alone business critical. Whatever your line of business, take the time to regularly review your security systems and test them for failure. Sometimes it only takes one incident to do irreparable damage to the public’s trust in an organisation. Don’t let that company be yours.


Does your mobile phone screen give you butterflies?

Researchers in Germany have discovered that a butterfly’s transparent wing eliminates most reflections at any angle. This natural source of inspiration for technology could be ideal for phones, camera lenses and any other device where glare is a problem. The technology works because of irregular, nanoscopic structures on the glasswing of the butterfly. Whilst the surface is still being refined in the labs, the prototypes are already self-cleaning and water repellent, which would avoid the need for the anti-glare coatings applied at present.

This would be a big improvement for people using their smartphone and take much of the strain from those working outdoors who have difficulty clearly seeing content on their device.


Cost of SMB cybercrime

Cyber criminals continue to aggressively target SMBs in the hope that their systems will be less robust than those of larger, enterprise organisations.

Data theft and disruption (digital vandalism) are pure salmon on the menu for hackers, who either steal money directly or pass details to other criminals and criminal organisations. The US in 2013 had 28 million SMBs, 66% of which contributed $7.5 trillion to the US economy. 36% of SMBs in the US suffered a cyber attack in 2012. The UK in 2014 had an estimated 5.2 million businesses employing 25 million people, with a combined turnover of £3.5 billion.

Common types of attack:
• Phishing – scam email from a familiar looking person or address getting the user to reveal passwords or credit card details.
• Digital vandalism – Denial of Service (DoS), virus attacks or other malware used to interrupt a business, with a damaging cost impact.
• Data theft – this can paralyse a smaller organisation – average cost to a US SMB in 2013 was $9,000.  Of those attacked it is estimated that 60% go out of business within six months.

Impact on business:
• Business lost during a cyber breach
• Loss of company assets (bank account details, passwords, customer records, company strategy, employee information)
• Damage to reputation – this can go on for years (and hacked websites can be quarantined for long periods by search engines preventing new business in).
• Risk of being sued – failure to protect customer information with reasonable measures could leave an SMB open to litigation.
• Vulnerability of the business through lack of firewalls, encryption, antivirus software, and staff monitoring and managing the protection of the company’s digital estate.

Failing to act is no safeguard.  Understanding the infrastructure and its weaknesses is a first step to positive preventative action.  Pen-testing offers a relatively cheap and often eye-opening analysis of risk and gaps.


Is Google giving your website the thumbs up?

On 21st April 2015 your company website may be seriously impacted in Google’s search rankings if it fails their ‘mobile friendly test’.  Go to their tool to try out your site at:

This reflects the changing patterns of web consumption and access, with 80% of people now accessing the web on a mobile device or tablet.

Google has flagged sites which need to improve and provides a Webmasters Mobile Guide to help them catch up. The advantage for those who tick the box is that your website will be identified by the Googlebot with a ‘mobile friendly’ tag.

The key criteria are that your site:

• Avoids software that is not common on mobile devices, like Flash
• Uses text that is readable without zooming
• Sizes content to the screen so users don’t have to scroll horizontally or zoom
• Places links far enough apart so that the correct one can be easily tapped

Amicus ITS have got their “Awesome!” thumbs up result.  What is yours?


IBM and Apple monitor our health

We first reported IBM and Apple’s JV partnership in our blog of 18th July 2014 with AppleCare for enterprises.

The boom in fitness trackers and health apps has prompted the tech giants to make commercial inroads on the opportunities arising from analytic technologies.  IBM has set up a new health unit to create “a secure, cloud-based data sharing hub” as part of their “employee health and wellness management solutions” with the aim that it will provide diagnoses or health alerts for GPs, carers and insurers in future, with the user’s permission.

IBM aspires to offer greater individual insights into people’s health and to advance this strategy, has bought Explorys (which owns one of the largest healthcare databases in the world) and healthcare specialist Phytel (which works with digital medical record systems to reduce hospital readmissions and automate communications).  Added to this, Apple iPhones provide ResearchKit, free software for gathering health data, which Apple states has already been used to develop apps to study asthma, breast cancer, cardiovascular disease, diabetes and Parkinson’s disease.

US consumer technology and wearables supplier Jawbone is trying to engage businesses with its fitness trackers as a way to monitor the health of a company’s workforce. How does this leave the end user/employee? For a start, if a company sought to monitor the health of an employee, consent would have to be given freely, with the ability to withdraw that consent at any time.

Insurers are also keen to get in on the act, with companies like the UK’s Vitality offering rewards to policy holders for undertaking certain activities whilst wearing their devices. Are we reaching the point, though, where data analytics ultimately lead to cover being withheld, rather than just premiums going up or down?

The latest UK Government stats show that 61.9% of adults and 28% of children aged between 2 and 15 are overweight, with a higher risk of developing Type 2 diabetes, heart disease and certain cancers. The cost of health problems associated with being overweight and obese is estimated to cost the NHS more than £5 billion every year.

For GPs, gathering data which gives a broader and more accurate picture of exercise undertaken and calories consumed, could alter health directives on the amount of sleep we need, or which exercises are most effective.

Gazing into the NHS’ future, a carrot-and-stick approach accompanied by bold education messaging for health reform of UK citizens may be the tough approach needed by the next Government. However, to succeed, with an NHS in crisis on funding and struggling to hold onto the GPs through whom the future frontline is directed, many parts of its processes and systems will have to go digital. This comes back to having data shared securely with privacy maintained and strict governance on who it is shared with, and that is a big promise to keep.