Tech Insight : Why Solid Black Bars May Be Best For Redacted Text
In this insight, we look at how best to prevent redacted text from being ‘unredacted’ by certain software tools, and at what researchers advise based on recent experiments.
The Problem
For businesses and organisations, the increased need for data sharing and/or making some data public can mean that certain (sensitive) parts of documents need to be obscured/obfuscated/censored for legal or security purposes (and to stop data leaks and fines). There are several different methods for achieving this in a document, including blurring, swirling, or pixelating letters and images. The issue is that some of these methods may not be effective enough and could, possibly, lead to the text being recovered/de-obfuscated using certain tools and methods, e.g., the Depix tool or the ‘Unredacter’ tool. A Python program like Depix, for example, is designed to recover censored text to a readable format via a simple command, and this type of tool in the wrong hands could potentially lead to a security breach.
Challenge Issued
The challenge of testing the level of security of pixelated text is something that researchers have focused on for some time. For example, researchers at a company called Jumpsec tested the Depix tool to see if it could recover text that has been pixelated. The results broadly showed that:
– Using the supplied examples, recovering pixelated text with Depix was possible to a reasonable degree.
– Using original content (not the author’s supplied example), and after taking a long time, Depix failed to recover the obfuscated text.
It was concluded that the Depix tool poses minimal risk to security at present, as it requires specific criteria to be met to be effective, but there is a small chance that users can depixelate images using the tool.
Jumpsec then issued (2021) an Internet challenge for someone to develop a tool that could effectively recover censored text to a readable format.
Bishop Fox Research
The challenge was accepted by Dan Petro, Lead Researcher at US security company Bishop Fox. Mr Petro built his own ‘Unredacter’ tool and tested it in a similar way to the Depix tool.
Mr Petro noted that pixelation tools use an algorithm that divides an image into a grid of a given block size (e.g. 8×8) and, for each block, sets the redacted image’s colour to the average colour of the original over that same area. This “smears” the information of the image out across each block and, although it can work, it has several problems, including characters not lining up with the blocks and bleeding over, problems with white spacing, variable-width fonts, and font inconsistency.
The ‘Unredacter’ Tool
The ‘Unredacter’ Tool created by the Bishop Fox researchers, however, solved many of the problems that the Depix tool had encountered, and was able to recover the text in a test image to a reasonable degree.
The Conclusions
The conclusions of both the Jumpsec Labs and the Bishop Fox text recovery tool experiments were the same. Both advise that, when redacting text, only black bars covering the whole text should be used. Never use other methods such as pixelisation, blurring, fuzzing, or swirling, and always edit the text as an image. Bishop Fox’s Mr Petro also advises that using a black background with black text in a Word document means that the text can still be read simply by highlighting it. This is therefore not a secure method and could lead to the accidental leak of sensitive information because of an insecure redaction technique.
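To make the difference between the two approaches concrete, here is an added example (not code from the article, from Jumpsec or from Bishop Fox) that redacts two constructed 8×8 glyph bitmaps by block averaging, as Mr Petro describes pixelation, and by a solid black bar, then checks whether the redacted output still depends on what lay underneath. A redaction whose output changes with the input is leaking information a recovery tool can work with; the black bar produces the same output whatever it covers.

```python
from typing import Callable, List

Image = List[List[int]]  # rows of grey values: 0 = black ink, 255 = white paper


def bitmap(rows: List[str]) -> Image:
    """Turn '#' / '.' art into a grey-scale bitmap (constructed sample input)."""
    return [[0 if ch == "#" else 255 for ch in row] for row in rows]


# Two constructed 8x8 glyphs standing in for characters in a document.
GLYPH_I = bitmap([
    "########",
    "...##...",
    "...##...",
    "...##...",
    "...##...",
    "...##...",
    "...##...",
    "########",
])
GLYPH_L = bitmap([
    "##......",
    "##......",
    "##......",
    "##......",
    "##......",
    "##......",
    "##......",
    "########",
])


def pixelate(img: Image, block: int) -> Image:
    """Pixelation as the article describes it: every block x block region is
    replaced by the mean colour of the original pixels it covers."""
    height, width = len(img), len(img[0])
    out = [[0] * width for _ in range(height)]
    for top in range(0, height, block):
        for left in range(0, width, block):
            ys = range(top, min(top + block, height))
            xs = range(left, min(left + block, width))
            cells = [img[y][x] for y in ys for x in xs]
            mean = sum(cells) // len(cells)
            for y in ys:
                for x in xs:
                    out[y][x] = mean
    return out


def black_bar(img: Image) -> Image:
    """Solid black bar over the whole region: the output carries no trace of the input."""
    return [[0] * len(row) for row in img]


def leaks_information(redact: Callable[[Image], Image], a: Image, b: Image) -> bool:
    """A redaction leaks if two different originals give different outputs,
    because the output then still encodes something about what was under it."""
    return redact(a) != redact(b)


if __name__ == "__main__":
    for size in (2, 4, 8):
        leak = leaks_information(lambda i: pixelate(i, size), GLYPH_I, GLYPH_L)
        print(f"pixelate, block {size}x{size}: leaks = {leak}")
    print(f"black bar: leaks = {leaks_information(black_bar, GLYPH_I, GLYPH_L)}")
```

Even a single 8×8 block covering the whole glyph gives different averages for the two glyphs, which is why a larger block size does not make pixelation safe.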
What Does This Mean For Your Business?
There are now so many ways that a data security breach could happen and although using an insecure redaction technique may seem like a more unusual one, the result could be just as devastating as other more popular types of breaches. The lessons for businesses resulting from this research are that software could possibly be used to uncover redacted text and that relying upon fast methods such as using a black background with black text is ineffective and very risky. The research shows that businesses can best protect themselves from this threat by editing the text as an image and by only using black bars covering the whole text.
Tech News : Ex School IT Technician Jailed For Cyber Attack
A sacked school IT Technician who took revenge by deleting data and sabotaging his old school’s network (and by wiping the computers of everyone who was logged in) has been jailed.
Revenge Hack
As reported on Leicestershire Live, a court was told that Adam Georgeson, 29, who was dismissed from his job as an IT Technician last January at Welland Park Academy in Leicestershire, took revenge by hacking back into the school system and deleting data.
School Network Sabotaged
In the attack, Mr Georgeson sabotaged his old school’s network, thereby taking it offline for 10 days. This meant that staff were forced to work long overtime hours without payment to try and rectify the problems. Also, the attack meant that 4 staff members were unable to resume working remotely for nearly four months!
Personal Devices of Pupils Wiped
The other particularly distressing aspect of the attack was the wiping of any devices that were connected to the school’s network at the time. This meant that at least 125 devices, including those belonging to 39 families and computers at the school, had their files completely wiped. This meant the loss of, for example, personal family photographs, as well as important work and study files. It was reported that the school had to spend £15,600 to restore the system. This spending also meant that cutbacks had to be made on school spending elsewhere, thereby magnifying the impact of the attack.
Losses
Some of the losses reported in the attack, highlighted in personal impact statements, included:
– A full-time student, in the second year of university studies losing most of her work from the preceding 18 months, leading to her failing an exam.
– A father-of-three losing 1,000 family photographs.
– An assistant headteacher losing learning-related materials and all of his son’s GCSE coursework.
Not The Only Attack
Mr Georgeson is also reported to have carried out another cyber-attack a few months earlier on a former employer’s business. The attack on Rutland-based Millennium Computer Services, from where Mr Georgeson had been dismissed for misusing the company’s credit card to buy personal computing equipment (without permission), caused chaos to the company’s computer system, putting it out of action for 8 days.
Why?
The court was told that Mr Georgeson’s actions were the result of a crisis of depression and anxiety. The Judge, however, ruled that the motivation for the attacks was spite and revenge. After pleading guilty to two counts of unauthorised modification of computer material under the Computer Misuse Act, Mr Georgeson was jailed for 21 months.
What Does This Mean For Your Business?
This case highlights the need for businesses and organisations to have procedures and systems in place for dealing with and minimising some of the risks associated with employee exit. Although this case sounds exceptional and the former employee was found to be responsible due to malicious hacking, it should also be noted that businesses and organisations have a legal responsibility to ensure that security levels are maintained with regards to data security, and this also applies to employee exit (i.e. ‘insider threat’). In order to reduce this kind of threat, areas that businesses and organisations need to address as soon as a staff member leaves could, for example, include:
– Revoking login details and rights/permissions for company computer systems and networks.
– Revoking access to the CRM, thereby protecting data relating to the company, its customers, its other stakeholders, sales, communications and more.
– Stopping access to collaborative working apps/platforms and shared, cloud-based, remote working platforms e.g., Teams or Slack.
– Changing the person’s personal voicemail message on the company phone.
– Ensuring that the departing staff member returns all company devices. This means having procedures in place to keep a record of which company devices have been allocated to each employee.
– Retrieving any backup/storage media, e.g., USB drives, which may also help to prevent some security threats.
– Making sure that any stored items in separate folders on the departing person’s computer are transferred back to the company/organisation or deleted.
– Having a policy in place for the regular changing of passwords and changing any passwords shared with multiple members of staff when one person leaves.
– Changing PINs for any credit/debit cards that the person was authorised to use.
– Immediately letting the team/person responsible for IT security know that a person has left, particularly if the person left ‘under a cloud.’
– Making sure that all company-related keys, pass cards, ID cards, parking passes, and any other similar items are retrieved.
– Retrieving any physical documents that the employee was issued e.g., a handbook that contains information and data that could threaten company security.
– If the departing employee’s email address and extension feature on the website and/or if that employee is featured as being in the role that they are departing from, this needs to be removed from the website. Also, check that company social media doesn’t indicate that the departed employee is still in their role e.g., on LinkedIn and Facebook. Checks should also be made to ensure that the departing employee doesn’t feature in the business/organisation’s online estate e.g., at the top of the website home page or other prominent pages.
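The first items on that list (revoking logins and telling the security team promptly) are the ones this case turned on, and they can be checked rather than assumed. The following is an added example, not code from the article or from any of the organisations named in it: it reconciles a leaver list against account status and an authentication log, flagging any leaver whose account is still enabled and any successful login after their last working day. The usernames, dates, addresses and log format are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Tuple

# Constructed sample data (hypothetical usernames, dates and addresses).
LEAVERS: Dict[str, date] = {            # username -> last working day
    "jdoe": date(2021, 1, 15),
    "asmith": date(2021, 2, 1),
}
ACCOUNT_ENABLED: Dict[str, bool] = {    # username -> directory account still enabled?
    "jdoe": True,                       # never disabled at exit: the gap this check catches
    "asmith": False,
    "bwhite": True,                     # current employee
}
AUTH_LOG = """\
2021-01-14T09:02:11 LOGIN_OK user=jdoe src=10.0.0.12
2021-01-20T23:41:07 LOGIN_OK user=jdoe src=203.0.113.5
2021-02-03T08:15:00 LOGIN_FAIL user=asmith src=198.51.100.9
2021-02-04T08:20:30 LOGIN_OK user=bwhite src=10.0.0.30
"""


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "account_still_enabled" or "login_after_exit"
    detail: str


def parse_auth_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the constructed 'timestamp RESULT user=... src=...' log format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, result, user_kv, src_kv = line.split()
        events.append((datetime.fromisoformat(stamp), result,
                       user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return events


def leaver_access_findings(leavers: Dict[str, date], enabled: Dict[str, bool],
                           log_text: str) -> List[Finding]:
    """Flag leavers whose account is still enabled, and any successful login
    by a leaver after their last working day."""
    findings: List[Finding] = []
    for user, left_on in leavers.items():
        if enabled.get(user, False):
            findings.append(Finding(user, "account_still_enabled", f"left on {left_on}"))
    for stamp, result, user, src in parse_auth_log(log_text):
        left_on = leavers.get(user)
        if left_on is not None and result == "LOGIN_OK" and stamp.date() > left_on:
            findings.append(Finding(user, "login_after_exit", f"{stamp.isoformat()} from {src}"))
    return findings


if __name__ == "__main__":
    for f in leaver_access_findings(LEAVERS, ACCOUNT_ENABLED, AUTH_LOG):
        print(f"{f.kind:22} {f.user:8} {f.detail}")
```

Run against a real directory export and authentication log, each finding is a ticket for the IT security team rather than something to discover after the network goes down.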
Tech Tip – Windows 11 – Quickly Organise Open Apps
Organising your open apps on the screen in a way that suits you can be a great help to productivity and can save time. Here’s how to choose the right snap layout in Windows 11:
– Hover over a window’s maximise button OR press Windows logo key + Z.
– Choose a snap layout from the 6 different layout options and click on the layout of your choice.
– Carry on working with your apps arranged in a way that optimises your screen space and your productivity.
Tech News : ‘Adult’ Websites Will Be Legally Required To Verify Age
Under the draft Online Safety Bill legislation, operators of adult (i.e. pornographic) websites will be legally required to verify the age of website visitors or face tough penalties.
Online Safety Bill
For those who run commercial porn sites, the bill, which is expected to be introduced to parliament in the next few months, looks likely to mean that:
– Their users may be asked to prove their age, e.g. by proving they own a credit card or confirming their age using a third-party service.
– Failure to comply with the legislation could see commercial porn site bosses held criminally liable. For their business, this could also mean fines of up to 10 per cent of their global turnover, or Ofcom (the UK’s communications regulator) blocking their websites from being accessible in the UK.
A Step In The Right Direction
Child safety groups, who have been seeking age verification on porn sites (and who were disappointed when similar measures were dropped in 2019), have welcomed the measures in this now strengthened bill as a step in the right direction. However, the NSPCC, for example, has noted that the “legislation still falls short of giving children comprehensive protection from preventable abuse and harmful content”.
Reddit & Twitter Users Too
The draft Online Safety Bill also applies to a wide variety of online services and social media platforms. For example, when the bill moves into law, UK users of platforms such as Twitter and Reddit, which host quantities of explicit adult material, may find that they need to verify their age before being able to log in. The alternative, which would be complicated and challenging for social media platforms, would be to somehow remove all adult material from their services in the UK.
Also, Facebook & TikTok
Other obvious platforms which may require age verification under Online Safety Bill laws could be Facebook and TikTok.
What Does This Mean For Your Business?
For those who operate commercial porn websites, this new bill, when it moves into law, could obviously be a threat. For third-party verification service providers, the bill is clearly an opportunity. For the big social media platforms such as Facebook, although the idea has been welcomed, the details of the bill are unlikely to be popular. Nevertheless, platform bosses will be aware that executives can personally be given serious penalties (with a two-year grace period), which is likely to make them take some notice. Facebook, however, is already moving into a new, more controllable area with its Metaverse. Although parents and child safety advocates may take some comfort that the bill may provide better protection for their children, there is an argument that age verification may not provide protection on other sites where pornography exists, and could threaten the privacy and security of users (i.e., data breaches and scammers). Furthermore, there is an argument that the need to scan social posts could, as highlighted by the Open Rights Group, mean encryption will need to be halted, further affecting privacy and security.
Featured Article: What Is The Online Safety Bill?
Following recent announcements of a toughening-up of the (draft) Online Safety Bill, we look at what the bill is, and what its implications are.
What Is The Online Safety Bill For?
The UK government’s Online Safety Bill is (draft) legislation that’s designed to place a ‘duty of care’ on internet companies which host user-generated content in order to limit the spread of illegal content on these services.
The idea of the Online Safety Bill is essentially to prevent the spread of illegal content and activity (e.g., images of child abuse, terror material, and hate crimes), as well as to protect children from harmful material, and also to protect adults from legal but harmful content.
The Bill applies to social media platforms, video-sharing platforms, search engines, and other tech services, and requires them to put in place systems and processes to remove illegal content as soon as they become aware of it. The Bill also requires these services to take additional proactive measures with regards to the most harmful ‘priority’ forms of online illegal content.
Priority
The kinds of priority offences listed in the draft bill are terrorism, child sexual abuse, and exploitation. The Department for Digital, Culture, Media and Sport’s Secretary of State also has powers to add further priority offences (with Parliament’s approval) via secondary legislation once the bill becomes law.
Other Illegal Behaviour
The Bill can also be applied to other illegal behaviour including more activities recently made illegal, which have emerged alongside the ability to target individuals or communicate en masse online.
In summary, the main groups of offences that the Bill now covers are:
– Encouraging or assisting suicide
– Offences relating to sexual images (revenge and extreme pornography)
– Incitement to and threats of violence
– Hate crime
– Public order offences (harassment and stalking)
– Drug-related offences
– Weapons / firearms offences
– Fraud and financial crime
– Money laundering
– Controlling, causing or inciting prostitutes for gain
– Organised immigration offences
Strengthened Recently
Following criticism that the original draft Bill’s scope hadn’t gone far enough and that services/firms would only have been forced to take such content down after it had been reported to them by users, the Bill has now been strengthened (hence the quite extensive list of offences shown above). On 4 Feb this year, Digital Secretary Nadine Dorries announced that the Bill had been strengthened in the following ways:
– The addition of extra priority illegal offences; i.e. revenge porn, hate crime, fraud, the sale of illegal drugs or weapons, the promotion or facilitation of suicide, people smuggling and sexual exploitation. The naming of the new offences is designed to remove the need for them to be set out in secondary legislation later. The government says that it will also enable Ofcom (which issues the fines under the Bill) to take quicker enforcement action against tech businesses which fail to remove the named illegal content.
– The requirement for services to be proactive and prevent people being exposed in the first place rather than waiting for users to report incidents before taking the content down.
Three More New Offences Being Considered
The government is also considering the Law Commission’s recommendations for three other offences to be created and added to the Online Safety Bill, namely cyberflashing, encouraging self-harm, and epilepsy trolling.
Back in July, the Commission recommended other new offences which the Digital Secretary has only just confirmed will be created and legislated for in the Online Safety Bill. These are harmful and abusive emails, harmful social media posts and WhatsApp messages, as well as ‘pile-on’ harassment (where many people target an individual with abuse, e.g., in a comments section). These new offences do not apply to regulated media – print and online journalism, TV, radio, and film.
Named Individuals
One large aspect of the debate around the Online Safety Bill is the naming of specific individuals/executives in offending companies. The draft Bill, for example, already included the ability to impose criminal sanctions on named tech executives. These sanctions (i.e. prison sentences), however, were originally due to be delayed for two years (a grace period) after the laws are passed, but some UK MPs have been asking the government to remove this long grace period before criminal sanctions can be faced. Digital Secretary Nadine Dorries, who has personal experience of having been targeted by trolls, is believed to favour a six-month grace period before the imposition of prison terms for those tech execs who fail to remove “harmful algorithms”.
Freedom and Legal Commentators
Freedom groups, such as the Index on Censorship and the Open Rights Group, have expressed concerns about Silicon Valley companies making outsourced decisions about whether speech is harmful or not. Some legal commentators have also expressed concern that the Bill essentially allows the government to delegate all aspects of investigating and making judgements about online crimes to the tech companies/social media platforms.
Tech Companies
The big social media platforms have expected the Bill for some time and, although they have given no major reactions to the most recent announcements, they are thought to be broadly in agreement with its aims. For example, Monika Bickert, vice-president of content policy at Meta (Facebook), said recently (in the Telegraph): “While we won’t agree with all the details, we’re pleased the Online Safety Bill is moving forward.”
Other Comments and Criticism
The NSPCC recently criticised the Bill (in an open letter to Nadine Dorries) for not doing enough to put children at its heart. Also, the Labour Party has said that the bill needs to go further in terms of tougher sanctions on executives who breach the new laws.
Enforcement
Ofcom, the UK’s communications regulator, will be in charge of issuing the fines for offences under the bill. For example, Ofcom will be able to issue fines of up to 10 per cent of annual worldwide turnover to non-compliant sites or block them from being accessible in the UK.
What Does This Mean For Your Business?
Tech companies, particularly social media platforms, have been forced to make changes for several years now in response to a series of trust-damaging events (e.g. Facebook’s Cambridge Analytica scandal, the platform’s use for influence in the previous US election and UK referendum), pressure from governments, and widespread concerns from users about the safety of young and vulnerable people online. The government sees the recently boosted powers of the (draft) Online Safety Bill as a way to send a much clearer message now to online services, particularly social media platforms that these issues now need to be taken more seriously, with the threat of possible prison terms for executives designed to make companies take more notice and make more changes. Facebook already appears to have started morphing into something different for the future (Meta) and, for example, Twitter’s co-founder Jack Dorsey stepped down last November. The aims of the bill appear noble in terms of the extra protections against a much wider range of offences that it may offer, but it remains to be seen how well it will work in reality when it passes into law, and whether it needs to be strengthened further.
Tech Insight : How Microsoft Will Block Macros To Stop Malware
Microsoft recently announced that it will be blocking Visual Basic for Applications (VBA) macros by default as a way to stop the spread of malware. Since these macros are important automation tools for Microsoft Office apps, how is this going to work?
What Are Visual Basic for Applications (VBA) Macros?
Visual Basic for Applications (VBA) for Office is the programming language behind Excel and other Office apps. VBA can accomplish almost every operation that can be performed with a mouse, keyboard, or a dialog box, and one of the most common uses of VBA in Office is automating repetitive tasks. VBA macros, therefore, are a series of instructions written (in VBA) into a single command to automate tasks, e.g., with a single click.
What’s The Problem?
Microsoft says that although VBA macros are tools designed to make routine entry work simpler, they have long been abused by hackers and bad actors to deliver malicious payloads such as ransomware to unsuspecting users. For example, Tom Gallagher from Microsoft’s Office Security team recently said that “A wide range of threat actors continue to target our customers by sending documents and luring them into enabling malicious macro code”. Mr Gallagher has also highlighted how malicious code is usually part of a document that originates from the internet (email attachment, link, internet download, etc.). Once enabled, the malicious code can gain access to the identity, documents, and the network of the person who enabled it.
Safest Option – Block Them By Default
Since, as described by Microsoft’s Tom Gallagher, these VBA macros arrive in documents obtained from the internet, Microsoft says that the most secure option is now simply to block them by default.
Message Displayed
With macros being blocked, instead of being allowed to enable macros just by clicking a button, users will instead see a message bar notifying them that macros are blocked, next to an option to learn more. Although it will still be possible to enable macros, this will require users to go through more steps, thereby reducing the possibility of accidentally enabling macros from a phishing email.
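As an added illustration of the default described in the last three sections (not Microsoft’s code, and not how Office itself implements the check), the following Python triages an OOXML Office document the same way: it looks for an embedded VBA project part and blocks the file when it came from the internet. The ‘from the internet’ flag, the sample files and the policy strings are assumptions constructed for the example; an organisation’s mail gateway or ticketing script would supply the real values.

```python
import io
import zipfile
from typing import Optional


def has_vba_project(data: bytes) -> Optional[bool]:
    """True if an OOXML (zip-based) Office file carries a VBA project part,
    False if it does not, None when the bytes are not a zip container
    (legacy OLE .doc/.xls files need a different parser and are reported as unknown)."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return None
    with zipfile.ZipFile(buf) as archive:
        # The VBA project is stored as word/vbaProject.bin, xl/vbaProject.bin, etc.
        return any(name.lower().endswith("vbaproject.bin") for name in archive.namelist())


def macro_policy(data: bytes, from_internet: bool) -> str:
    """Mirror the default the article describes: macros in a file that came
    from the internet are blocked; other files pass through unchanged."""
    macro = has_vba_project(data)
    if macro is None:
        return "unknown-format: inspect manually"
    if macro and from_internet:
        return "block: macros in a file from the internet"
    if macro:
        return "allow: macros, file not from the internet"
    return "allow: no macros"


def build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for a .docm/.docx: just enough zip entries for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    print(macro_policy(build_sample(True), from_internet=True))
    print(macro_policy(build_sample(True), from_internet=False))
    print(macro_policy(build_sample(False), from_internet=True))
    # Constructed bytes starting with the OLE compound-file signature, as a legacy .doc would.
    print(macro_policy(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 constructed legacy file", from_internet=True))
```

The ‘unknown’ path matters in practice: a check that only understands the zip-based formats must not silently wave through the older binary formats.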
What And When?
Microsoft says that, for now, the functionality will be limited to the Windows version of Microsoft Office and will be enabled in Access, Excel, PowerPoint, Visio, and Word.
The new change will be rolled out in a preview (version 2203) in the Current Channel, due in early April. This will then be gradually rolled out to the Monthly Enterprise Channel and Semi-Annual Enterprise Channel.
What Does This Mean For Your Business?
This change by Microsoft, which was prompted by ongoing cloud migration and increased remote and hybrid working, is designed to increase safety and security, particularly for remote workers. What it essentially does is make it much more difficult for users to be fooled into running malicious code via social engineering while, at the same time, keeping a path for legitimate macros to be enabled through a trusted route where appropriate. The advice to IT and security teams is to work with any parts of the business that use macros in their Office files and with any independent software vendors that are critical to the business and use macros within Office files.