‘Defence and protect’ marketing gets displayed in new smartphone technologies


With the news of the Yahoo cyber attack on 23rd September 2016, it is worth taking a look back at new technology developments and launches in 2016, which put privacy and security at the forefront of their marketing spiel.

Solarin smartphone at a sky high price

In May 2016 Sirin Labs launched a new military-grade encrypted smartphone, the ‘Solarin’ (retailing at an eye-watering £11,400 per device). It offers encrypted calls using a 256-bit AES algorithm. However, the screen is 2K rather than 4K, it runs Android Lollipop rather than Marshmallow, and its Qualcomm processor is 2015’s model.

Whilst clearly targeting wealthy professionals for whom privacy and security are drivers to purchase, this ‘hostage’ price will be way beyond the pocket of most. However, businesses and consumers shouldn’t be alarmed: keeping up-to-date antivirus and anti-malware software on smartphone devices goes a long way to protecting the user, at less than a tenth of the price of such top-end devices.

You won’t find me – Snowden’s iPhone introspection machine

Meanwhile, a smartphone sleeve (currently only for the iPhone 6) that tells its owner when their phone may be being hacked is being designed by US whistleblower Edward Snowden in conjunction with hardware hacker Andrew ‘Bunnie’ Huang; it was revealed at a closed MIT Media Lab launch in July. The iPhone was selected as it is generally regarded as being hard to hack.

Whilst Snowden’s motivation to thwart digital surveillance may be political, seeking to protect activists from location detection by law enforcement agencies, the other edge of the pitch highlights the trend for cyber criminals to install malware on smartphone devices whilst the user is on the move, all unbeknownst to the user. The case aims to track whether or not the phone’s radios are transmitting, as trusting that the phone is in airplane mode, or putting it in a ‘Faraday bag’ to block radio signals, has proven insufficient. With the prevalence of clever malware that can make a smartphone appear to be off, it is daunting for users to know how well protected they and their data are from harm. Again, the answer is a mixture of best-practice vigilance, cyber security software and good information security management.

Yoo-hoo! – Yahoo finally discloses massive cyber breach



Yahoo disclosed today that it has suffered what it believes to be a ‘state-sponsored’ cyber attack. The attack itself dates back to 2014. Some 500 million users are believed to have had their personal details stolen, in what is believed to be the biggest publicly disclosed cyber breach in history.

The US internet firm, which at its height during the dot-com boom was worth $125bn, made a net loss of $4.4bn in 2015 and agreed a sale to global communications and tech giant Verizon for $4.8bn earlier this summer (Verizon’s rationale for the purchase being access to Yahoo’s core internet business, which has more than a billion active users a month and would make Verizon a global mobile media company).

So how does this breach compare with other large scale breaches made public in 2016?

• 2012 LinkedIn – 180 million accounts hacked
• 2010 MySpace – 360 million accounts hacked
• 2012 Dropbox – 68 million accounts hacked

There appears to be a trend of large data breaches being announced at least two years after the event, giving the hackers a comfortable period to make maximum use of any data they wish to target. The difference with the Yahoo breach revolves around the claim that it was ‘state sponsored’. For consumers this means that the motivations of the hackers could well be focused on specifically targeted individuals rather than the public at large (not to say that the data isn’t also sold on to the cyber underworld). This breach could be focused on the accounts of particular individuals whose free speech has been suppressed in their home country. News of a mass data breach in August could be related to this, but Yahoo’s announcement is a formal acknowledgement versus previous dark net gossip. How this plays out, and the degree of malice behind the event, we have yet to find out.

What should users do by way of best practice?

Whether or not someone believes their account has been compromised, it is always good to change passwords regularly and ensure they are strong and unique (a mix of upper- and lower-case characters, symbols and numbers). Multi-step verification processes can further stiffen defences. Wrapping this with good antivirus and anti-malware software, and with security policies and procedures, will protect the majority of businesses.

However, the key factor in any security stance is education; this should be at the heart of all security themes no matter the size of the business. I recommend all security professionals look to enhance their awareness so they can educate end users, and if you are an end user, push for security education if you have not received it. Your security perimeter extends beyond you as an individual to your company and on to your customers and suppliers.

Super charged Russian data breach


A supersized cache of over 98 million users’ login names and passwords from the Russian ‘Rambler.ru’ email service (the equivalent of Yahoo, offering email services, news and content), dating from 2012, has just been posted online for sale, with copies of the list offered at one bitcoin (£456).

Notice of the leak was first flagged in 2014 and Rambler forced users to change passwords and embargoed any previously used ones. However, the cyber attack revealed by LeakedSource, which was verified with the help of Russian journalists, showed a complete lack of encryption or hashing: the passwords were simply listed in plain text.

Analysis of the long list of passwords showed that the character sequence “asdasd” was the most popular string, used by more than 723,000 people, followed by “asdasd123”. This current revelation follows June’s public disclosure of another major breach, suffered by more than 100 million users of the Russian VK.com service, whose details were shared online.
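The two points above (the ‘strong and unique’ password advice in the Yahoo piece, and the Rambler.ru passwords being stored in plain text so that the most popular string could be read straight off the dump) can be shown together in a short script. The following is an added example written for this post, not code from Rambler, Yahoo or Amicus ITS. It assumes a hypothetical registration flow with a policy of at least 12 characters (a constructed figure), a small constructed denylist of leaked strings, and PBKDF2-HMAC-SHA256 with a per-user random salt for storage. The last function counts how many accounts share each stored value: on a plain-text store that is exactly the ‘most popular password’ analysis, whereas on a salted store every value is unique, so a leak exposes neither the passwords nor which users chose the same one.

```python
import hashlib
import hmac
import os
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed denylist of strings that must never be accepted as a password.
# "asdasd" and "asdasd123" are the two most common strings in the Rambler.ru dump.
COMMON_PASSWORDS = {"asdasd", "asdasd123", "123456", "password", "qwerty"}

MIN_LENGTH = 12              # assumption: policy minimum chosen for this example
PBKDF2_ITERATIONS = 200_000  # assumption: tune upwards as hardware allows


def check_policy(password: str) -> Tuple[bool, str]:
    """Enforce 'strong and unique': length, mixed case, digits, symbols, and no
    well-known leaked strings. Returns (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return False, "matches a commonly leaked password"
    required = {
        "upper-case letter": r"[A-Z]",
        "lower-case letter": r"[a-z]",
        "digit": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    missing = [name for name, pattern in required.items()
               if not re.search(pattern, password)]
    if missing:
        return False, "missing " + ", ".join(missing)
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record carries everything needed to verify."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(store: Dict[str, str], username: str, password: str) -> None:
    """Reject weak passwords up front and store only the salted hash."""
    ok, reason = check_policy(password)
    if not ok:
        raise ValueError(f"password rejected: {reason}")
    store[username] = hash_password(password)


def shared_value_counts(store: Dict[str, str]) -> Counter:
    """Frequency of each stored value. On a plain-text store this is the
    'most popular password' analysis; on a salted store every value is unique."""
    return Counter(store.values())


if __name__ == "__main__":
    # Constructed plain-text store, the shape of the Rambler.ru data.
    plaintext_store = {"u1": "asdasd", "u2": "asdasd", "u3": "asdasd123"}
    print("plain text:", shared_value_counts(plaintext_store).most_common(1))

    hashed_store: Dict[str, str] = {}
    for user in ("u1", "u2"):
        register(hashed_store, user, "Correct-Horse-42")  # same password twice
    print("salted hashes:", shared_value_counts(hashed_store).most_common(1))
    print("asdasd accepted?", check_policy("asdasd"))
    print("login ok?", verify_password("Correct-Horse-42", hashed_store["u1"]))
```

The stored record embeds the algorithm name, iteration count and salt, so the iteration count can be raised later without invalidating existing records: old entries keep verifying with the count they were written with, and can be re-hashed at the user’s next successful login.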

We have often talked about an organisation’s ‘crown jewels’ being its data, and safeguarding your data and that of your customers is a hugely important responsibility. There is also no ‘one size fits all’ remedy, as what may be appropriate security measures for one organisation will be different for another.

However, companies can focus their strategy by adopting a risk-based approach to deciding what level of security is required and where, and by asking pertinent security questions of any third-party contractors and suppliers they use.

ISO 27001, the Information Security Management System (ISMS) standard, provides a risk-based approach to data security. When rolled out through an organisation it can push down through the supply chain to raise standards with third-party contractors and suppliers. Whilst no organisation can be guaranteed to remain 100% free from threat 24×7, any company, large or small, that creates a robust and regularly monitored cyber security posture will be better prepared to fend off a breach, or to respond to one quickly and effectively through regularly tested policy. What this means for the firm’s customers and stakeholders is higher levels of assurance, as well as enabling you to meet growing legal and regulatory data protection obligations.

Microsoft announces launch of new UK datacentres


Microsoft has announced the launch of new data centres in London, Durham and Cardiff amid mounting commercial concern about the growing need to ring-fence where data resides in Europe.

Back in June 2015, we blogged about the EU’s frustration around multiple inter-country legislative barriers which were stifling off-premise cloud technologies due to disparate data protection laws. The EC’s Head of Software, Services & Cloud Computing, Pearse O’Donohue, spoke then of the desire to create a centralised EC Digital Single Market. Post Brexit, and with no EU exit Clause 50 triggered yet, the UK can, with this news, demonstrate it remains in demand by being able to attract such heavyweight attention and become an important datacentre hub this side of the Pond. The news is also a fillip for Microsoft as it steals a march on its main rival AWS, which is due to open its UK datacentres early in 2017.

Microsoft commented: “Built on Microsoft’s Trusted Cloud principles of security, privacy, compliance, transparency and availability, this creates new opportunities for innovation, with the intent to spark local economic growth for Microsoft UK’s 25,000-plus partners and support local technology advancement”.

There will no doubt be further rationalisation and stitching together of new laws around UK data; however, this news will create confidence for UK organisations and businesses in meeting regulatory obligations, as well as creating greater productivity opportunities with Microsoft’s products. Whether this will be backed up by positive, joined-up thinking and innovation with our EU counterparts when it comes to the negotiating table is one crystal ball too far at present. However, in this increasingly digital age for consumers and business alike, it would benefit everyone if sovereignty and neighbourliness could share the stage as we seek to look after our customers and citizens.

“The investment by Microsoft shows their continued commitment to the UK economy and may encourage a post-Brexit UK Data Protection Act that is essentially a nationalisation of the General Data Protection Regulation. With significant support from the Ministry of Defence and the NHS I am certain the UK datacentres will prove very popular. With our years of proven history working in regulated sectors and our long-standing relationship with Microsoft, Amicus ITS is ideally placed to assist existing and new customers migrating to Microsoft Cloud.” JP Norman, Director of Technology, Security & Governance, Amicus ITS.

Cyber attacks and airline DR fiasco create rude wake up call signalling the end of Summer 2016


Two cyber attacks and a disaster recovery nightmare for a major international airline have caught our eye in recent weeks, reflecting the urgent need for businesses to pay attention to the smaller details as well as what lies in front of them.

Firstly, the matter of the Delta Air Lines DR fiasco in early August 2016. What started as a small fire and power outage created a painful chain reaction, leading to 2,000 flight cancellations, millions of dollars of lost income and significant reputational damage. At the technical heart of the story, 300 of the airline’s 7,000 servers were not connected to the backup power system. Remarkably, despite spending “hundreds of millions of dollars in technology infrastructure upgrades and systems, including backup systems”, Delta CEO Ed Bastian advised they were not aware of the vulnerability. Huge comfort for Delta customers. From a backup point of view, this omission is a basic error which betrays a lack of preparedness by Delta in business continuity and disaster recovery planning and testing. Gartner’s data centre recovery and continuity analyst Mark Jaggers commented: “A lot of people do disaster recovery testing around moving a workload between different sites, but once they have done that, do they go back and look for defects in the design of the systems that are there? I don’t know that many companies are doing that sort of testing after the fact or as part of a disaster recovery test”. Added to this, the complexity of IT environments creates intricate interdependencies, and it only takes one fault or human error to trip up.
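The Delta failure combines two of the points above: a small fraction of hosts missing from the backup-power circuit, and interdependencies that let that small fraction take down a customer-facing service. The design check that Jaggers describes can be automated against an asset inventory. The following is an added example written for this post, not Delta’s or Gartner’s tooling; the inventory, circuit names and dependency map are constructed, and in a real estate they would be pulled from the CMDB or facilities records. It lists every host not on a backup circuit, then walks the dependency graph in reverse to report which services would be lost with mains power alone.

```python
from collections import deque
from typing import Dict, Iterable, List, Set

# Constructed inventory: host -> power circuit it is fed from.
INVENTORY: Dict[str, str] = {
    "db-01": "ups-a",
    "db-02": "ups-b",
    "app-01": "ups-a",
    "cache-01": "mains-only",   # the design defect this check should surface
    "web-01": "ups-b",
    "auth-01": "ups-a",
}
# Constructed set of circuits that stay up when mains power is lost.
BACKUP_CIRCUITS: Set[str] = {"ups-a", "ups-b"}

# Constructed dependency map: node -> things it cannot run without.
# "booking-api" is a service; every other node is a host from the inventory.
DEPENDS_ON: Dict[str, List[str]] = {
    "booking-api": ["web-01", "auth-01"],
    "web-01": ["app-01"],
    "app-01": ["db-01", "cache-01"],
    "auth-01": ["db-02"],
}


def unprotected_hosts(inventory: Dict[str, str],
                      backup_circuits: Set[str]) -> Set[str]:
    """Hosts that go dark the moment mains power fails."""
    return {host for host, circuit in inventory.items()
            if circuit not in backup_circuits}


def impacted_by_loss(depends_on: Dict[str, List[str]],
                     failed: Iterable[str]) -> Set[str]:
    """Everything that fails, transitively, once the given nodes are lost.
    Walks the reversed dependency graph breadth-first."""
    dependents: Dict[str, List[str]] = {}
    for node, deps in depends_on.items():
        for dep in deps:
            dependents.setdefault(dep, []).append(node)
    impacted = set(failed)
    queue = deque(impacted)
    while queue:
        node = queue.popleft()
        for dependent in dependents.get(node, []):
            if dependent not in impacted:
                impacted.add(dependent)
                queue.append(dependent)
    return impacted


def power_failover_report(inventory: Dict[str, str],
                          backup_circuits: Set[str],
                          depends_on: Dict[str, List[str]]) -> dict:
    """Summarise what a mains-only event would take out, without moving a workload."""
    lost = unprotected_hosts(inventory, backup_circuits)
    impacted = impacted_by_loss(depends_on, lost)
    # Services are nodes in the dependency map that are not themselves hosts.
    services = [node for node in depends_on if node not in inventory]
    return {
        "unprotected_hosts": sorted(lost),
        "impacted": sorted(impacted),
        "services_down": sorted(s for s in services if s in impacted),
        "host_coverage_pct": round(100.0 * (1 - len(lost) / len(inventory)), 1),
    }


if __name__ == "__main__":
    report = power_failover_report(INVENTORY, BACKUP_CIRCUITS, DEPENDS_ON)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed data, host coverage is 83.3%, which looks healthy on a dashboard, yet the one uncovered host sits under the booking service, so the service is lost anyway. That is the gap between testing a site failover and testing the design of what is left behind.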

Secondly, mid-August produced the news that FTSE 100 accounting software firm Sage had suffered a data breach following unauthorised access using a login. Whilst it is unknown whether the source was internal or external, the result was the exposure of personal details and bank accounts relating to around 300 UK companies. The cost: Sage’s share price tumbled in the early days by 4.3%. The remedy: due diligence around access privileges for logins if an internal attack, or stronger, distinct credentials across the different sites and systems used if a ‘reluctant insider’ (i.e. a user whose username and password(s) have been breached unwittingly).

Finally, the end of August 2016 drove a chill through the spine of the cloud storage market with news of the true extent of a breach by hackers believed to have originated in 2012, in which the account details of over 60 million Dropbox users were reported to have been compromised. Dropbox’s remedy of forced password resets has now completed. However, whilst the data dump did not appear to be listed on the main dark web marketplace where such data would be traded, reports are being made that the data is already in the possession of third parties. The remedy: secure, complex passwords which are changed regularly.

Assurance derives from MSPs with connected thinking on data security services. Amicus ITS MD Steve Jackson commented: “Organisations should review their mission-critical business areas and processes to ensure they have up to date and tested security policies, procedures, staff education and strategy. Annexing cyber security services like Foxcatcher™ and Amicus Viper™ with our Data Backup & Replication service and an analytics-driven approach creates Cyber DRaaS. This will be the future direction for companies to consider and a service which we are currently developing”. Failure to take such positive steps means that companies which might have sought to rely on remediation and recovery alone will realise that the fallout in capital value from loss of brand confidence and trust, plus financial penalty, is just too heavy a burden.