Tech Tip – Stop Background Apps
If you have apps running in the background on Windows 10, they can use up more of your battery power and data. Here’s an easy way to stop background apps from running:
Go to: Settings > Privacy > Background apps.
To stop all from running, toggle ‘Let apps run in the background’ to ‘Off’.
You also have the option of choosing which apps to run in the background by going down the list individually.
Internet Speed Record
Researchers from Australia’s Monash, Swinburne, and RMIT universities claim to have set a new Internet speed record of 44.2 Tbps.
Fibre Connection
The claim, which is featured in the ‘Nature Communications’ journal (https://www.nature.com/) refers to setting the bandwidth world record for ultra-dense optical data transmission over 75 km of standard optical fibre, with a single chip source. It has been reported that the fibre connection was run between RMIT’s Melbourne City campus and Monash University’s Clayton campus in order to represent the infrastructure that is used by Australia’s National Broadband Network (NBN).
Micro-Comb
The exceptional speed and bandwidth achieved in the test, enough to download the contents of more than 50 100GB Ultra HD Blu-ray discs in one second, has been attributed not just to the capacity and capabilities of fibre, but also to the addition of micro-combs to the cable fibres.
Micro-combs are optical frequency combs based on micro-cavity resonators, and the researchers report that the ability to phase-lock, or mode-lock, these comb lines was key to breaking this speed record.
Micro-comb technology, therefore, appears to be a highly efficient way to transmit data and micro-combs offer the full potential of their bulk counterparts but in an integrated footprint.
Integrate With Existing Infrastructure
RMIT’s Professor Arnan Mitchell has been quoted as saying that the challenge will now be how to turn the micro-comb technology into something that can integrate with the existing cable infrastructure, and that the long-term hope is to “create integrated photonic chips that could enable this sort of data rate to be achieved across existing optical fibre links with minimal cost”.
Data Centres First
Communications commentators have suggested that once the new technology is commercialised, data centres are most likely to benefit first from its introduction and that home and business users may have to wait years before they can use it, provided that it is affordable.
What Does This Mean For Your Business?
For communications infrastructure companies, this development means that they can augment the fibres that are already in the ground with this new micro-comb technology, thereby meaning that their existing networks are still good and scalable for the future.
This speed record and the new technology are also good news for the autonomous vehicles industry, gaming industry, medical fields, and other industries, segments, organisations, agencies and businesses that need greater speed and capacity to help them deal with increasing data demands.
eBay Port Scanning Causes Alarm
Reports that eBay has been running port scans against the computers of visitors to the platform have caused alarm over potential security issues.
Port Scans
Port scanning is something that many people associate with cyber-attacks and penetration (‘pen’) testing. Port scanning scripts are used to determine which ports a system may be listening on, by sending packets of information to a user’s machine and varying the destination port. This can help an attacker to determine what services may be running on the system and, therefore, get an idea of the operating system a target user has.
Port scanning can also be used to counter the activities of cybercriminals by scanning for remote-control access ports to detect any criminals that may be logged into a user’s computer in order to impersonate them on various platforms/sites e.g. to make fraudulent purchases.
eBay
US-based security researcher Charlie Belmer recorded his recent observations of port scanning by eBay on his nullsweep.com blog. Mr Belmer reported that eBay appeared to be looking for VNC services being run on the host (the same thing that was reported for bank sites). The ports scanned by eBay are generally used for remote access and remote support tools e.g. Windows Remote Desktop, VNC, TeamViewer and others.
Mr Belmer has listed the 14 different ports he observed as being scanned by eBay and has concluded that the port scanning he observed being run from eBay was “clearly malicious behaviour and may fall on the wrong side of the law”.
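A way to see what such a scan would find on your own machine, as an added example that is not from the article or from Mr Belmer’s blog: this Python script checks whether anything on the local computer is accepting connections on remote-access ports. The port numbers are the assumed well-known defaults for Windows Remote Desktop and VNC only; they are not the 14 ports from the blog, which the article does not reproduce.

```python
import socket

# Assumed well-known default ports for two of the tools the article names.
# Add the ports of any other remote-support tool you run.
REMOTE_ACCESS_PORTS = {
    3389: "Windows Remote Desktop (RDP)",
    5900: "VNC (display :0)",
    5901: "VNC (display :1)",
}


def is_listening(port, host="127.0.0.1", timeout=0.5):
    """Return True if a TCP connection to host:port is accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        # connect_ex returns 0 on success and an errno value otherwise,
        # so a closed port does not raise an exception.
        return s.connect_ex((host, port)) == 0


def audit_local_ports(ports=None, host="127.0.0.1"):
    """Map each port to (label, listening?) for this machine only."""
    ports = REMOTE_ACCESS_PORTS if ports is None else ports
    return {p: (label, is_listening(p, host)) for p, label in ports.items()}


def exposed_services(results):
    """Return the labels of the services found listening, sorted by port."""
    return [label for _, (label, up) in sorted(results.items()) if up]


if __name__ == "__main__":
    results = audit_local_ports()
    for port, (label, up) in sorted(results.items()):
        state = "LISTENING" if up else "closed"
        print(f"{port:>5}  {state:<9}  {label}")
    if exposed_services(results):
        print("Remote-access service found: disable it if you do not use it.")
    else:
        print("No remote-access service found on the checked ports.")
```

A port shown as LISTENING means a remote-access service is running locally and would be visible to a page that probes that port from the browser.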
Advice
On his blog, Mr Belmer urges anyone else who observes this port scanning behaviour to “complain to the institution performing the scans, and install extensions that attempt to block this kind of phenomenon in your browser, generally by preventing these types of scripts from loading in the first place”.
Maybe Just Fighting Fraud
Bearing in mind that there were reports 4 years ago of cybercriminals taking over users’ computers using TeamViewer to make fraudulent purchases on eBay, it may be very likely that the port scanning observed is simply part of eBay’s efforts to fight fraud by trying to detect if a compromised computer is being used to make fraudulent purchases on its platform.
What Does This Mean For Your Business?
Being an auction site, eBay clearly must take measures to ensure that fraudulent purchases cannot be made and to guard against any problems similar to those experienced with TeamViewer four years ago. It is understandable, however, that a practice often associated with criminal activity and penetration testing may cause alarm among those familiar with the more technical aspects of Internet security. Although the matter has been reported by Mr Belmer on his blog, it is unclear yet what action or statements, if any, are likely to come from eBay.
NHS App For An “Immunity Passport”
Andrew Bud, chief executive of iProov, the company behind the NHS app, has floated the idea of using facial recognition for Covid-19 “immunity passports”.
App
The iProov-made NHS app system, for Android and iOS, not to be confused with the in-development COVID-19 app, is a system for use in England that allows users to access a range of NHS services via smartphone or tablet.
The app can currently be used to get advice about coronavirus, order repeat prescriptions, book appointments, check symptoms (against NHS information), view the user’s medical records, register a user’s organ donation decision, and to find out how the NHS uses a user’s data.
Facial Recognition
Users of the app have to submit a photo of themselves from an official document such as their passport or driving license which the app system uses as the basis for facial recognition to enable a user to verify their identity and access NHS services via the app.
Each time the user logs in using facial recognition, the system scans a person’s face using their phone/tablet camera which involves the user seeing a short sequence of flashing colours.
The Basis of an Immunity Passport
In support of a suggestion made previously by Health Secretary Matt Hancock, Andrew Bud, chief executive of iProov, has suggested that the trusted identity system of the NHS app could provide the basis for an “immunity passport”.
Immunity Passports
According to the Lancet, an immunity passport is a “digital or physical document that certify an individual has been infected and is purportedly immune to SARS-CoV-2” (the disease associated with the 2019 COVID-19 virus). The idea of an immunity passport is something that has been considered by governments including Chile, Germany, Italy, the UK, and the USA. An immunity passport could be used to exempt individuals from physical restrictions and could enable them to return to work, school, and daily life.
Issues
While an immunity passport is an option, some of the issues with this idea are that:
– There is no evidence that people who have recovered from COVID-19 and have antibodies are protected from a second infection (as stated by the WHO, April 24).
– A false-positive and an immune status could make that passport holder change their behaviour, despite still being susceptible to infection and able to infect others.
– Artificial restrictions in society could result for those who don’t have an immunity passport, and this could lead to discrimination, inequality, corruption, bias and even to extra costs for those in countries that don’t have access to (free) health care at the point of delivery.
– Immunity passports for some could restrict travel and civil liberties and could even incentivise people to become infected in order to get the benefits that such a passport could bring.
What Does This Mean For Your Business?
All businesses want to provide a safe environment for their staff, their customers, and other stakeholders as we move out of lockdown restrictions where economies still must function in an environment where COVID-19 is still a serious threat. Whereas an immunity passport sounds as though it could indicate that a person is less of a risk e.g. when accessing services, not enough is known about whether a person can contract the virus more than once, thereby limiting the effectiveness and validity of the system. Also, it depends upon how rigidly and widely such a system is used as to its effectiveness, and there are clearly many other issues based around discrimination to consider.
Facial recognition on an app however does sound like it could form a trusted base for a system that requires accurate verification.
‘Vishing’ and How to Guard Against It
‘Vishing’, or ‘phishing over the phone’ is on the rise and in this article, we look at vishing techniques and examples, and how to prevent them.
Vishing
The word Vishing is a combination of ‘voice’ and ‘phishing’ and describes the criminal process of using internet telephone service (VoIP) calls to deceive victims into divulging personal and payment data.
Vishing scams to homes often use recorded voice messages e.g. claiming to be from banks and government agencies to make victims respond in the first instance.
The technology used by scammers is now such that voice simulation may even be used in more sophisticated attacks on big businesses.
Vishing Vs Phishing
Phishing attacks can take different forms and can employ different combinations, such as emails, bogus websites, and phone calls. Vishing focuses on using VoIP to complete the scam and this can include using a ‘spoofed’ phone number of a real business or company to add the appearance of authenticity.
Smishing
Smishing uses SMS text messages rather than phone calls to deceive victims into responding.
Selection
Victims are selected using large call lists where little or nothing is known about the target (‘shotgun’ attacks), or where some information is known from sources such as personal data that has come from website data breaches and perhaps from data interception and data gathered from phishing and other social engineering attacks. Vishing attacks where some important data is already known by the attacker are referred to as ‘spear vishing’ attacks.
Motivation
The motivation for attackers is, of course, easy money or data which leads to the acquisition of more money, and perhaps use in further attacks on other sites which can give access to a person’s financial and personal data. In the U.S., for example, if attackers already have the first few digits of a Social Security Number, gaining the remaining numbers can give them access to many other sources of funds and data.
The motivation presented by the attacker to the target to make them part with their data is the promise of bogus rewards e.g. prizes and taking advantage of amazing limited offers, the need to avoid a negative outcome, and the need to be helpful/contribute positively to society e.g. in scams whereby a victim is asked to help police/fraud investigations.
In most cases, fraudsters use emotional manipulation, deception techniques and the illusion of limited time (act now) as ways to gain access to personal data. The internet telephone service (VoIP) calls also provide them with anonymity and flexibility that they need to target their attacks.
The Scale of the Problem
The scale of the vishing threat is now huge. For example:
– First Orion’s 2018 Scam Call Trends and Projections Report showed that nearly 30% of incoming mobile calls were spam calls.
– The “Quarterly Threat Intelligence Report: Risk and Resilience Insights” report from Mimecast researchers warned that in 2020, “voicemail will feature more prominently” in attacks and showed vishing as becoming a likely daily occurrence in 2020.
– Proofpoint’s 2020 State of the Phish report (worldwide survey) found that 25% of workers could correctly define the term.
Examples of Vishing
Popular examples of vishing calls include:
– Calls from banks or credit card companies with messages asking the victim to call a certain number to reset their password.
– Unsolicited offers for credit and loans.
– Exaggerated (almost too good to be true) investment opportunities.
– Bogus charitable requests for urgent causes and recent disasters.
– Calls about extended car warranties.
– Calls claiming to be from fraud officers to (ironically) help people who have recently fallen victim to scams and attacks, asking people for their help in operations to catch fraudsters e.g. by transferring funds to a specified account.
– Calls claiming to be from government agencies e.g. tax office calls offering rebates or warning of an investigation.
– Tech support calls to fix bogus problems with computers. This method can also use popup windows on a victim’s computer, often planted by malware, to issue a bogus warning from the OS about a technical problem.
– Travel and holiday company calls relating to (bogus) holiday bookings and cancellations.
– Calls relating to insurance e.g. for weddings, holidays, and flight cancellations.
– ‘One ring and cut’ (Wangiri – Japanese) calls where criminals trick victims into calling premium-rate numbers. For example, the fraudster’s system calls a large number of random phone numbers with each ringing once. If someone calls back (replying to a missed call) they are directed to a premium rate number.
Real Examples
– In May 2018, in the North-East, vishing calls over a three-week period resulted in the theft of £1 million by fraudsters pretending to be from their victim’s bank, saying they were investigating fraudulent activity by staff within the organisation and asking victims to move large sums of money into foreign accounts for safe-keeping. This was coupled with a request that the victim did not report the call for fear of jeopardising the investigation.
– In September 2019 AI voice simulation software was used to impersonate the voice of a UK-based energy company CEO and to thereby make the company transfer £200,000 into the account of the fraudsters.
– In October 2019, Police in Derbyshire warned that scammers had called victims claiming to be “tech support representatives” from Microsoft, telling people there was something wrong with their computer and offering to fix the problem by remote access.
Government Fights Back
Earlier this month (May 2020), Her Majesty’s Revenue and Customs (HMRC) asked UK Internet Service Providers (ISPs) to remove 292 websites exploiting the coronavirus outbreak since the national lockdown began on March 23.
How To Guard Against Vishing
Ways that you and your business can guard against vishing attacks include:
– Don’t trust caller ID to be 100 per cent accurate, numbers can be faked.
– Don’t answer phone calls from unknown numbers, block numbers of spam callers, register your phone number with the Telephone Preference Service (TPS) and report any suspicious spam calls to the Information Commissioner’s Office (ICO).
– Beware of unsolicited alleged calls from banks, credit card companies or government agencies, particularly those asking you to call certain numbers and/or change password details. The real organisations and agencies would not make calls of this kind.
– Include phishing, vishing, smishing and other variants with your security awareness training for employees.
– Avoid using a gift card or a wire/direct money transfer, and make sure that there is a policy and process in place for any money transfers that all employees must adhere to, even if the request appears to come from someone within the company.
– Don’t give in to pressure; remember that you can ditch any call at any time, and give yourself the option of looking up the number of the company/agency/organisation that claims to be calling you and calling them back yourself to check.
Looking Ahead
The predictions from security researchers and commentators are that vishing, along with phishing and smishing are set to increase this year, and their success could be helped by the COVID-19 outbreak as people wait and search for information about financial and health matters, details about government payments and help, and details about cancellations e.g. holidays and flights. Companies and organisations need to educate their staff about the threat, while businesses and individuals need to be vigilant and cautious about any unsolicited phone calls, particularly those that offer rewards, create panic or warn of dire consequences, and those that apply pressure.
Background Change in Zoom
If you or anyone you know has used Zoom recently, perhaps to communicate during the lockdown, here is a way to change the background view to something a little more interesting than an overcrowded bookshelf:
– In the Zoom app, click your profile (top right), and click Settings.
– On the left-hand menu, click Virtual Background.
– Choose a default background (provided by Zoom) by clicking on it. There is an option for a green screen.
To upload a photo of your choice to use as your background:
– On the Virtual Background Page, click the + icon next to Choose Virtual Background.
– Choose the photo using the pop-up box and this photo will be featured alongside the other photos as an option for you to choose from.
– To remove any photos you upload, tap the X in their top left corner.
– You could also choose Zoom video conferencing backgrounds from a number of websites including Storyblocks, Canva, Pixar, West Elm or Modsy.