“Stalkerware” Partner-Spying Software Use Rises By 35% In One Year
Kaspersky researchers have reported a 35 per cent rise in the number of people who have encountered the use of so-called ‘stalkerware’ or ‘spouseware’ software in the first 8 months of this year.
What is Stalkerware?
Stalkerware (or ‘spouseware’) is surveillance software that can be purchased online and loaded onto a person’s mobile device. From there, the software can record all of a person’s activity on that device, thereby allowing another person to read their messages, see screen activity, track the person through GPS location, access their social media, and even spy on the mobile user through the cameras on their device.
Covert, Without Knowledge or Consent
The difference between parental control apps and stalkerware is that stalkerware programs are promoted as software for spying on partners, and they run covertly in the background without a person’s knowledge or consent.
Most stalkerware needs to be installed manually on a victim’s phone, which means that the person who intends to carry out the surveillance (e.g. a partner) needs physical access to the mobile device.
Figures from Kaspersky show that there are now 380 variants of stalkerware ‘in the wild’ this year, which is 31% more than last year.
Most In Russia
Kaspersky’s figures show that this kind of surveillance software is most popular in Russia, with the UK in eighth place in Kaspersky’s study.
What Does This Mean For Your Business?
Unlike parental control apps, which serve a practical purpose in helping parents to protect their children from the many risks associated with Internet and mobile phone use, stalkerware appears to be more closely linked to abuse because it is added to a device without the user’s consent in order to covertly and completely invade their privacy. This kind of software could also be used for industrial espionage by a determined person who has access to a colleague’s mobile phone.
If you’d like to avoid being tracked by stalkerware or similar software, Kaspersky advises that you block the installation of programs from unknown sources in your smartphone’s settings, never disclose the passwords/passcode for your mobile device, and never store unfamiliar files or apps on your device. Also, those leaving a relationship may wish to change the security settings on their mobile device.
Kaspersky also suggests that you should check the list of applications on your device to find out if suspicious programs have been installed without your consent.
If you find that someone (e.g. a partner or ex-partner) has installed surveillance software on your devices, and/or appears to be stalking you, the advice is, of course, to contact the police and any other relevant organisation.
Google Leadership Accused Of Developing Internal Surveillance Tool
Some Google employees have accused the company’s leadership of developing a browser extension for all of Google’s in-house computers that could flag up signs of workers trying to organise meetings and protests.
Google Employees
The story came to light in a memo written by a Google employee that is reported to have been seen and verified by 3 other anonymous Google employees and Bloomberg News. In the memo it was alleged that a team within the company had developed a surveillance tool, disguised as a calendar, that could be added to the custom Chrome browser used on Google’s computers.
How?
The employee’s memo alleged that the browser extension would be able to report any staff who booked a calendar event requiring more than 10 rooms, or who scheduled an event with more than 100 people. The alleged reason for flagging these details was to warn the company’s leadership about any attempt to organise workers for the purposes of industrial action, e.g. meetings and protests related to labour rights.
Reviewed
Reported employee memos have suggested that work on the tool started in September and that Google’s privacy team approved the tool’s release but also expressed some concerns about the culture at Google.
According to Google, however, the tool was developed over several months and was subject to Google’s standard privacy, security and legal reviews.
Rollout In October
According to reports of a memo posted on an internal staff message board, the surveillance tool is due to be rolled out this month (October), and there is a report of two Google workers in California saying that the tool has already been added to their browsers.
‘Trouble at Mill’
There has been speculation by some commentators that the tool may have been developed in response to recent outbreaks of organised activity by workers concerned about the company’s attitude to their rights, the ethics of some of the company’s projects, and how Google may have handled some complaints. For example, some workers in the company’s Zurich office held an event about workers’ rights and unionisation, and some Google employees have protested about products such as the ‘Project Dragonfly’ search engine that could allow Google to re-enter the Chinese market by censoring certain terms. Human rights groups had also been vocal in criticising this idea saying that it appeared to support state censorship.
What Does This Mean For Your Business?
For Google employees, many of whom are used to working in an environment of relative freedom where creativity and collaboration are encouraged, an apparent cultural shift (if indeed that is what is happening) towards a more authoritarian and less trusting approach, where ethics could come lower down the list of priorities in the search for profits, would be likely to come as a shock. It could also damage the relationship and the trust between management and workers. It is unlikely that workers anywhere would respond positively to being subjected to a kind of covert surveillance and internal censorship, particularly if they believed that it was being carried out to curtail certain aspects of their labour rights. The resulting bad publicity could also damage a company’s brand and, therefore, the company’s competitiveness and customer perceptions of the company.
It should be said, however, that the reports of the development of the browser tool in Google rest upon the alleged details of memos, and it is unclear to date how accurate the reports are.
Microsoft Beats Amazon to $10 Billion AI Defence Contract for ‘Jedi’
After a long and difficult bidding process, Amazon has lost out to Microsoft in the battle to win a $10bn (£8bn) US Defence Department AI and Cloud computing contract.
For ‘Jedi’
The contract was for the Joint Enterprise Defence Infrastructure (Jedi). This infrastructure will be designed to enable US forces to get fast access to important Cloud-held data from whichever battlefield they are on. The project will also see AI being used to enhance and speed up the delivery of data to US forces, thereby potentially giving them an advantage.
Amazon Was Thought To Be In Front…Before Trump Comments
Amazon, led by Jeff Bezos, was believed by many tech commentators to have been the front-runner of the two tech giants in the battle for the contract as it is the biggest provider of cloud-computing services. Also, Amazon had already won an important computing services contract with the CIA in 2013 and is already a supplier of cloud services and technologies to thousands of U.S. agencies.
Unfortunately for Amazon, in August the Pentagon appeared to put the brakes on the final decision-making process following concerns expressed by President Trump.
The President is reported to have said back in July that he was concerned about the contract not being “competitively bid” and that he had heard “complaints” about the contract with Amazon and the Pentagon.
The President, however, was not the only one with concerns as tech giant Oracle (which was also in the running for the contract at one point) had gone to the federal court earlier in the year with allegations (which were dismissed) that the bidding process had been rigged in Amazon’s favour.
Difficult Relationship
Many media reports have suggested that a difficult relationship between President Trump and Jeff Bezos in the past has possibly had some influence on the outcome of the Pentagon’s decision about the project. For example, Mr Bezos has been criticised before by President Trump, and Mr Bezos also owns the Washington Post. President Trump has been critical of several news outlets, such as CNN, the New York Times, and The Washington Post. For example, it has been reported by the Wall Street Journal that President Trump has now instructed his agencies not to renew their subscriptions to those newspapers.
Great News For Microsoft
Winning the contract is, of course, good news for Microsoft, which will receive a large amount of U.S. Defence funds for the Jedi contract, and possibly for another defence-related multi-billion-dollar contract (‘Deos’) to supply cloud-based Office 365.
What Does This Mean For Your Business?
With a contract of this value up for grabs, and the possibility of further lucrative contracts too, this was never going to be a clean and uncomplicated fight between the tech giants. In this case, however, it being a defence contract, one of the key influencers was the U.S. President, and it appears that his relationship with Amazon’s Jeff Bezos, along with other factors, may have played a part in Microsoft coming out on top. The size and complexity of the contract meant that it was only ever going to be something for the big, established tech names. Microsoft winning the contract was undoubtedly an important victory against its competitor Amazon: it will add value to its brand, will bring in a sizeable source of revenue at a time when it has already seen a 21 per cent rise in its profits on last year, and puts Microsoft in a much closer 2nd position behind Amazon’s AWS in the cloud computing services market.
Tough Questions About Libra Cryptocurrency
Facebook’s CEO, Mark Zuckerberg faced a grilling from the US Congress last week over his company’s ‘Libra’ cryptocurrency plans.
Libra
‘Libra’ is Facebook’s new cryptocurrency and global payment system that’s due to be launched in 2020. Unlike other cryptocurrencies, Libra is backed by a reserve of cash and other liquid assets. The idea of Libra is that spending the new currency could be as easy and fast as texting as payments can be made by a special phone app and by messaging services such as WhatsApp. Also, Libra is intended to be of particular value to the one billion+ people around the world (including 14 million in the US) with no access to a bank account, but who could use a mobile phone-based payment system.
Management of the currency, units of which can be purchased via Libra’s platforms and stored in a digital wallet called “Calibra”, will be the responsibility of an independent group of 21 companies and non-profit organisations called the Libra Association, of which Facebook’s subsidiary ‘Calibra’ is a member.
Problems and Criticism
Facebook has, however, found itself coming in for some tough criticism over its involvement with Libra. This includes:
- Worries about whether Facebook can be trusted with people’s financial details in the light of its part in the personal data-sharing scandal with Cambridge Analytica.
- Concerns from ‘Group of Seven’ democracies finance chiefs about whether Libra could address “serious regulatory and systemic concerns”.
- President Trump Tweeting that he’s not a fan of Libra, and bank chiefs like Mark Carney also expressing concerns about Libra.
- Worries that Libra could be used as a means to bypass rules relating to money laundering and tax evasion (which is believed to have led to PayPal leaving the Libra Association recently).
- Warnings that Libra could be blocked in Europe (especially in France) unless concerns over risks to consumers and to the monetary systems of countries can be addressed.
Congress Grilling
The grilling of Mark Zuckerberg at the US Congress last week, at the House Financial Services Committee’s hearing, focused on many of the key concerns. For example:
- Republican Nydia Velázquez asked Mark Zuckerberg why Facebook should be trusted after the recent privacy scandals and data breaches/data sharing relating to the Cambridge Analytica affair.
- Republican Joyce Beatty criticised Mark Zuckerberg over an apparent lack of knowledge of diversity and housing advertisement issues and alleged that Zuckerberg hadn’t read her reports.
- Republican Patrick McHenry criticised the technology industry and highlighted the current anger towards it.
Prepared Statement Covered Many Concerns
Mark Zuckerberg’s prepared statement for the hearing appears to have anticipated and answered the main concerns. For example, as well as stressing how Facebook is committed to strong consumer protections for the financial information it receives, Mark Zuckerberg addressed three main concerns, saying that:
- Where people are concerned that Facebook is moving too fast on the Libra project, Facebook is committed to taking the time to get this right.
- Where it has been suggested that Facebook could circumvent regulators and regulations with Libra, Facebook won’t actually be a part of launching the Libra payments system anywhere in the world unless all US regulators approve it.
- Libra is not an attempt to create a sovereign currency but, like existing online payment systems, it’s simply intended to be a way for people to transfer money.
So What?
Despite the grilling, many commentators have pointed out that the House Financial Services Committee and Congress don’t actually have the power to do much about the introduction of Libra. Some commentators have also suggested that the hearing was as much about political grandstanding as it was about Libra, and that politicians are finding it hard to stay up to speed with information about cryptocurrencies.
No Regulatory Approval = Facebook Leaves the Association
Mr Zuckerberg stressed just how much he intends to play by the rules with Libra by saying that if the Libra Association moved forward without regulatory approval, Facebook “would be forced to leave the Association.”
What Does This Mean For Your Business?
Banks and governments are unlikely to adopt a favourable attitude to a new type of currency that could potentially unbalance monetary systems, and could potentially get around regulations, scrutiny and control, and could even be used for money laundering and tax evasion. That said, the blockchain-anchored Libra is unlikely to suffer many of the huge fluctuations and problems that other cryptocurrencies like bitcoin have because Libra is backed by real assets. Also, many of the big financial players are part of the Libra Association e.g. Mastercard and Visa, although it’s clear that Facebook needs to make sure that Libra can meet all regulatory requirements and is squeaky clean if the Association wants to keep these important members.
If, as Mr Zuckerberg says, Libra is simply and innocently another way of paying for things that could lead to a more inclusive society e.g. by helping those without bank accounts, this could benefit not just society but whole economies too. It looks as though Facebook still has some way to go, however, to convince governments, finance chiefs and other critics that it is the right company to be trusted with a new currency and the financial data of those who use it.
Tech Tip – Minimise Distractions With ‘Focus Assist’
If you’re using Windows 10 and you’d like to maintain productivity and minimise distractions from your operating system (e.g. notifications, sounds and alerts), ‘Focus Assist’ can help you to achieve this, and it can now be turned on automatically for full-screen apps.
With Focus Assist you can choose which notifications you’d like to see and hear when working, and you can choose the automatic rules for these (using on/off toggles) so that you can minimise distractions at certain times and during certain activities. You can also ask Focus Assist (with a simple tick box) to give you a summary of what you missed while it was on.
To use Focus Assist:
- Type ‘Focus Assist’ in your Windows 10 search box (bottom left).
- Select ‘Focus Assist Settings’ or ‘Focus Assist Rules’.
- Make your notification choices: ‘Off’, ‘Priority Only’, or ‘Alarms Only’.
- Use the On/Off toggles to set your ‘Automatic Rules’.
Equifax Hack Inevitable Says Lawsuit
A lawsuit against US Credit Rating Company Equifax relating to the massive 2017 hack alleges that the breaching of Equifax’s systems was “inevitable because of systemic organisational disregard for cybersecurity and cyber-hygiene best practices.”
What Happened
Back in September 2017, US Credit Rating Company Equifax was hacked and, in one of the largest recorded data breaches in history, an estimated 148 million customer details were stolen, 44 million of which are believed to have come from UK customers. Details stolen in the attack included names, US social security numbers, dates of birth, addresses, driver’s license details, and around 209,000 credit card numbers.
Hackers got in through a vulnerability in the website, and Equifax was reported to have known about the attack 40 days before informing the public that it had happened. Another aspect of the case that caused outrage at the time was the fact that three senior executives at the company were believed to have sold off their shares, worth almost £1.4m, before the breach was publicly announced.
The Lawsuit
The lawsuit that was filed against Equifax with the Northern District Court of Georgia (Atlanta Division) in the US states that the breach was the “inevitable result of widespread shortcomings in Equifax’s data security systems”.
What Kind of Shortcomings?
The lawsuit alleges that Equifax’s data protection measures were “grossly inadequate,” and “failed to meet the most basic industry standards”. The lawsuit paints a picture of a company with a shockingly simplistic and risky approach to the protection of personal data. For example, it alleges that Equifax:
- Failed to implement proper patching protocols and relied upon one individual to manually implement its patching process across its entire network.
- Didn’t encrypt sensitive information and instead stored it in plain text, making it easy for unauthorised users to read and misuse.
- Didn’t encrypt its mobile applications’ traffic, meaning that it failed to encrypt data being transmitted over the internet.
- Stored sensitive data on public-facing servers and left the keys to unlocking the encryption on those same public-facing servers, making it easy to remove the encryption from any data.
- Used inadequate network monitoring practices and obsolete software.
- Failed to implement adequate authentication measures. This allegedly included using weak passwords and security questions.
Simple Usernames and Passwords Including ‘Admin’
One of the shocking accusations in the lawsuit relates to passwords. It highlights how the New York Stock Exchange-listed firm responsible for protecting the sensitive personal data of millions of people used four-digit PINs (derived from Social Security numbers and birthdays) to guard personal information, even though these weak passwords had already been compromised in previous breaches.
Also, the lawsuit alleges that Equifax relied upon the username “admin” and the password “admin” to protect a portal used to manage credit disputes, thereby making it incredibly easy for any hackers to guess. For example, many penetration testing companies will use more obvious passwords such as ‘admin’ as a basic part of their testing of company systems.
Simple Passwords Still Widely Used
One of the main ways that we can all leave the door open to security breaches and hacks is by using simple, easy-to-guess passwords, and by sharing the same password between multiple websites and platforms.
For example, a study by the UK’s National Cyber Security Centre (NCSC) into breached passwords (in April this year) revealed that 123456 featured 23 million times, making it the most widely used password on breached accounts. The study, which analysed public databases of breached accounts, also found that the second-most popular string was 123456789, and that the words “qwerty” and “password”, and the string 1111111 all featured in the top five most popular breached passwords.
What Does This Mean For Your Business?
The allegations about the apparent organisational disregard for cyber-security at such a big company, the use of simple, default-style passwords such as ‘admin’, and leaving one person in charge of patching for the whole company are truly shocking. The case highlights how some organisations may be too casual about how they manage and protect sensitive data, which is a dangerous position to be in, particularly given the possible fines under GDPR. Since most companies still rely upon passwords for many important systems and tools, this case particularly highlights how IT departments may need to implement processes to make sure that default passwords are changed to more secure ones, and that commonly used passwords are blacklisted. Introducing multifactor authentication (MFA) also adds another important layer of security to password-based systems, and many companies are now seeking biometric authentication methods as a way of getting completely away from the whole risky password area.
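The kind of password screening the paragraph above and the NCSC findings argue for, as an added example (not code from the article, Equifax or the NCSC): it rejects default credential pairs such as admin/admin, short all-digit PINs, and anything on a breached-password blacklist. The blacklist is constructed from the five strings the article names; the default-credential pairs and the 12-character minimum are assumptions.

```python
"""Screen a username/password pair against the weaknesses the Equifax
lawsuit and the NCSC breached-password study describe."""

# Constructed from the NCSC top-five breached strings quoted in the article.
BREACHED_BLACKLIST = {"123456", "123456789", "qwerty", "password", "1111111"}

# Assumed default vendor credential pairs that must never survive deployment.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}

MIN_LENGTH = 12  # assumed policy minimum


def normalise(password: str) -> str:
    """Lower-case and strip trailing digits/symbols so that a trivially
    decorated variant such as 'Password1!' still matches 'password'."""
    return password.lower().rstrip("0123456789!@#$%^&*.")


def check_password(username: str, password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        problems.append("default vendor credential")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("all-digit PIN (e.g. derived from SSN or birthday)")
    if password.lower() in BREACHED_BLACKLIST or normalise(password) in BREACHED_BLACKLIST:
        problems.append("appears in breached-password blacklist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def screen_accounts(accounts: list) -> dict:
    """Run the check over (username, password) pairs and report only failures,
    the way an IT department would audit an existing user store."""
    return {u: p for u, pw in accounts if (p := check_password(u, pw))}


if __name__ == "__main__":
    # Constructed sample accounts for illustration.
    sample = [("admin", "admin"), ("jdoe", "Password1!"),
              ("asmith", "1987"), ("kli", "correct horse battery staple")]
    for user, issues in screen_accounts(sample).items():
        print(f"{user}: {', '.join(issues)}")
```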
The Equifax case also highlights how businesses shouldn’t treat database security any differently from other aspects of their cyber-security, especially by not sharing admin passwords and, if sharing is necessary, by keeping track of who has those passwords and why. Using analytics on a database’s audit logs is also a way in which businesses can track when someone has got into a database using certain admin credentials.
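An added example of the audit-log analytics the paragraph above suggests (not Equifax’s tooling or anything from the article): it parses database login records, flags successful privileged logins from unapproved sources or outside business hours, and reports an admin account used from several distinct sources, which is the tell-tale sign of a shared credential. The log format, the sample lines, the approved source address and the business-hours window are all constructed assumptions.

```python
"""Flag suspicious use of shared admin credentials in a database audit log."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: timestamp, account, source IP, database, outcome.
SAMPLE_LOG = """\
2019-10-21T09:02:11Z user=admin src=10.0.5.20 db=disputes result=SUCCESS
2019-10-21T09:40:53Z user=jsmith src=10.0.5.31 db=disputes result=SUCCESS
2019-10-21T13:15:02Z user=admin src=10.0.5.20 db=disputes result=SUCCESS
2019-10-21T23:48:37Z user=admin src=203.0.113.7 db=disputes result=SUCCESS
2019-10-22T02:05:19Z user=admin src=198.51.100.9 db=disputes result=FAILURE
2019-10-22T02:05:31Z user=admin src=198.51.100.9 db=disputes result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) db=(?P<db>\S+) result=(?P<result>\S+)$"
)
PRIVILEGED_ACCOUNTS = {"admin"}
ADMIN_ALLOWED_SOURCES = {"10.0.5.20"}  # assumed: the one approved admin jump host
BUSINESS_HOURS = range(8, 19)          # assumed: 08:00-18:59 UTC


def parse(log_text: str) -> list:
    """Turn audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def find_alerts(log_text: str) -> list:
    """Return (timestamp, reason) tuples for suspicious privileged logins."""
    alerts = []
    sources_seen = defaultdict(set)
    for e in parse(log_text):
        # Only successful logins by privileged accounts matter here.
        if e["user"] not in PRIVILEGED_ACCOUNTS or e["result"] != "SUCCESS":
            continue
        sources_seen[e["user"]].add(e["src"])
        if e["src"] not in ADMIN_ALLOWED_SOURCES:
            alerts.append((e["ts"], f"{e['user']} login from unapproved source {e['src']}"))
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append((e["ts"], f"{e['user']} login outside business hours"))
    # One account arriving from several machines suggests the password is shared.
    for user, srcs in sources_seen.items():
        if len(srcs) > 1:
            alerts.append((None, f"{user} used from {len(srcs)} distinct sources: shared credential?"))
    return alerts


if __name__ == "__main__":
    for ts, reason in find_alerts(SAMPLE_LOG):
        print(ts, reason)
```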