Contact Twitter Says Change Your Password
Twitter has advised all users to change their passwords after a bug caused the passwords to be stored in easily readable, plain text on an internal computer log.
The Bug – Passwords Visible Before ‘Hashing’
Twitter reported on their own blog that the bug that stored passwords had been ‘unmasked’ in an internal log. The bug is reported to have written the passwords into that internal log before Twitter’s hashing process had been completed.
The hashing process disguises Twitter passwords, making them very difficult to read. Hashing uses the ‘bcrypt’ function which replaces actual passwords with a random set of numbers and letters. It is this set of replaced characters that should be stored in Twitter’s system, as these allow the systems to validate account credentials without revealing customer password.
Millions Affected?
The fact that the passwords were revealed on an internal server, albeit for what is estimated to be for several months, and that there appears to be no evidence of anyone outside the company seeing the passwords, and no evidence of a theft or passwords turning up for sale on hacker site, indicates that it is unlikely that many of the 330 million Twitter users have anything real to fear from the breach.
Big Breaches
In this case, Twitter appears to have behaved responsibly and acted quickly by reporting the bug to regulators, fixing the bug, and quickly and publicly advising all customers to change their passwords.
Twitter’s behaviour appears to be in stark contrast to the way other companies have handled big breaches. For example, back in November 2017 Uber was reported to have concealed a massive data breach from a hack involving the data of 57 million customers and drivers, and then paid the hackers $100,000 to delete the data and to keep quiet about it.
Breaches can happen for all kinds of reasons, and while Twitter’s breach was very much caused and fixed by Twitter internally, others have been less lucky. For example, an outsourcing provider of the Red Cross Blood Service in Australia accidentally published the Service’s entire database to a public web server, thereby resulting in Australia’s largest ever data breach.
What Does This Mean For Your Business?
If you have a Twitter account, personal or business, the advice from Twitter is quite simply to change your password, and change it on any other service where you may have used the same password. Twitter is also advising customers to make the new password a strong one that isn’t reused on other websites, and to enable two-factor authentication. You may also want to use a password manager to make sure you’re using strong, unique passwords everywhere.
In this case, Twitter has acted quickly, appropriately and transparently, thereby minimising risks to customers and risks to its own brand reputation. Twitter will want this message of responsibility to be received loud and clear, particularly at a time where GDPR (and its hefty fines) is just around the corner, and a time when other competing social networks i.e. Facebook have damaged customer trust by acting less responsibly with their data through the Cambridge Analytica scandal.
Tech Tip – Get More Value From Your Gmail Account
If, like many people, you have a Gmail account that you regularly use and you want to improve the value you get from your Gmail setup, try features such as ‘Canned Responses’ and ‘Gmail Offline’ (ahead of Google’s planned updates).
If you frequently have to send out the same email message each time to multiple persons, your ‘Canned Responses’ feature lets you prepare a stock message that you can send out when you need it, thereby saving time. To operate ‘Canned Responses’ in your Gmail account:
– When logged in, go to ‘Settings’.
– Select ‘Labs’.
– Look for ‘Canned Responses’ and click on ‘Enable’.
– Type out your stock message and send it when required.
The Gmail Offline feature allows you to read, write and send messages when you’re out of touch, and when you log back in, all your activity will is pushed through Google’s system. Here’s how to set it up:
– When logged in, go to ‘Settings’.
– Select ‘Offline’.
– Click on ‘Install Gmail Offline’.
New Google ‘Chat’ SMS Message Replacement Rollout Begins
Google has begun the rollout of ‘Chat’, the messaging service that, it is hoped, will replace SMS text messages on Android phones, and bring it into the same ballpark as WhatsApp and Apple’s iMessage.
What’s The Problem?
The SMS messaging system for Android phones has suffered over many years from being simply a succession of poorly supported, different apps all using the same basic the short message service (SMS) from the1990s to send text messages over a mobile network. The result has been that none have been particularly popular among android users, who have been envious of the simplicity and ease other messaging services e.g. iPhone that have better features and send messages over the internet instead of using SMS.
New System, New Features
The solution to the problem for Google has been to take many years to develop a whole new messaging system that is based on a standard called the “Universal Profile for Rich Communication Services” (instead of simply making another app), which allows Android users to send messages and image files over a data network.
The new ‘Chat’ service offers many more features such as group texts, videos, typing indicators and read receipts. Since RCS is a communications standard, it will be up to mobile operators to enable the service, but Android will still have SMS to fall back on anyway.
Carrier-Based Service
Chat is a carrier/network-based service (i.e. not a Google-based service), so one of the key ways that Google has gone about making sure that Chat will work is to try to convince as many carriers as possible to take the new standard, and make the Chat services interoperable between carriers.
If you text someone who doesn’t have Chat enabled, or who is not an Android user, your messages will revert back to SMS, in the same way that an iMessage does.
It is thought that Google has done enough work with 50+ carriers to ensure that most of them will enable the use of the Chat service this year, which is handy since the global rollout by Google is already underway.
Au Revoir ‘Allo’
Another indicator of Google’s commitment to getting Chat ‘out there’ is the pausing of its work on its ‘Allo’ messaging service.
Data Plan Instead of SMS
Since Chat messages will be sent over the data network i.e. sent with your data plan instead of your SMS plan, it is expected that charges for messages could be less, although this will be up to the networks.
Security Flaw
One flaw in the Chat service could be the fact that messages are not encrypted, and could, therefore, be a security risk if intercepted.
What Does This Mean For Your Business?
Business and individual users of Android will be pleased to hear that at last there may be a messaging service that is built-in, allows plenty of modern functionality, and is up there with competing services e.g. WhatsApp and iMessage.
Hopefully, the main networks will support the service as soon as possible, and with messages being sent over the data network the hope is also that costs for the service could be kept at a very reasonable level (depending on the network).
The one question mark for many users may, however, be the lack of encryption of the messages, especially at a time when data security is at the forefront of their mind with the introduction of GDPR next month.
Half of UK Manufacturers Hit By Cyber Attacks
A new report published by manufacturers’ organisation EEF in partnership with insurance firm AIG and the Royal United Services Institute (RUSI) shows that 48% of UK manufacturers have been subject to a cyber-security incident at some time.
Loss and Disruption
Half of those manufacturing companies who admit to being hit by cyber-criminals have said that the incident(s) caused financial loss or disruption to business.
Challenges
The report highlighted several key challenges that the manufacturing industry faces in making itself less vulnerable to cyber-criminals. These challenges include:
- The age of equipment and the networked nature of production facilities. Many industrial systems are up to 20 years old and were developed before cyber threats became a big issue. As a result, poorly protected office systems, often the first implemented historically within manufacturing businesses, are particularly vulnerable. Also, a networked building, such as many manufacturing sites, can be hacked and exploited.
- Many manufacturing companies hold a large amount of classified information e.g. intellectual property (IP) and trade secrets, which makes them targets for (for example) financially motivated, state-sponsored hackers.
- Having no idea of the nature and size of the risks. 41% of manufacturing companies don’t believe they have access to enough information to assess their true cyber risk, and 12% of manufacturers admit they have no technical or managerial processes in place to even start assessing the real risk.
- A lack of basic detection that a cyber attack is taking place / has taken place, and a lack of investment in training i.e. 34% do not offer cyber-security training.
- Feeling that they are not equipped to tackle the risk anyway. For example, 45% are not confident they are prepared with the right tools for the job.
- A lack of confidence. Although 91% of the 170 UK manufacturing businesses polled are investing in digital technologies, 35% think that cyber vulnerability is inhibiting them from doing so fully.
What Does This Mean For Your Business?
For manufacturing businesses facing the very real threat of sophisticated, multi-level attacks, now is not the time to be left with a vulnerable outdated system. Advice from the report includes following the advice of the Government backed ‘Cyber Essentials’ scheme. This includes the 5 security essentials of using a firewall to secure your Internet connection, choosing the most secure settings for your devices and software, controlling who has access to your data and services, protecting yourself from viruses and other malware by using antivirus software, only downloading apps from manufacturer-approved stores, or running apps and programs in an isolated environment, and continually ensuring that operating systems and software are up-to-date and running the latest security patches.
Clearly, manufacturing companies with old systems may need to bite the bullet and invest in more modern, digitised, and well-protected systems. The report also indicates that greater investment in staff training is needed to help them spot and deal with risks, and to avoid the kind of human error that is needed in many modern cyber-attacks e.g. malware / viruses sent by email, phishing, and other social engineering attacks.
Another opportunity for manufacturing companies to boost cyber-security could also come from cyber-insurance. For example, many cyber insurers offer a comprehensive package of pre-loss services to businesses to carry out a cyber health check which could help to highlight gaps in cyber risk management and help identify what security measures should be prioritised.
WhatsApp Raises Age To 16 For GDPR
Facebook’s WhatsApp messaging service is raising its minimum age in Europe to 16 to comply with GDPR which comes into force on May 25th.
Was 13
Up until now, the minimum age has been 13, and that minimum age will remain for the rest of the world, in line with its Facebook parent company. WhatsApp, founded in 2009, has an estimated 1.5 billion users.
Just Asking
Users will be asked to confirm their minimum age by the new WhatsApp Ireland Ltd in the next few weeks, when they will be prompted to agree to new terms of service and a privacy policy. Some critics have pointed out that even though users will be asked if they are 16 or over, it is unclear from the information that the service holds about users how their age can be accurately checked and verified and, therefore, how the new rule can be enforced.
Based on US Law Until Now
The age 13 limit up until now has been based upon the US law “Children’s Online Privacy Protection Rule” (Coppa), which bans online services from collecting personal information about younger children. This is why the usage of many other popular social media apps e.g. Snapchat, YouTube, Instagram, Pinterest, Twitter, Musical.ly and Reddit are restricted to persons aged 13 and over.
WhatsApp’s parent company Facebook faced criticism after announcing last December that it would be targeting younger children with its ‘Messenger Kids’ service. At the time, Facebook’s primary (stated) motive for the new junior version of its platform was to provide a safer, more age-appropriate version, but some tech and business commentators suggested that it may also be an ideal way for Facebook to recruit its next generation of users, and to capture the attention of 6 to 12-year-olds before Snapchat or a similar social network competitor.
Collecting and Sharing Information
The recent Facebook and Cambridge Analytica scandal has brought the matter of collecting and sharing of our personal data into sharp focus. WhatsApp, however, has said that the new changes do not mean that it will be asking for any new rights to collect personal information in the agreement it has created for the European Union. WhatsApp says that the goal of the change is simply to explain how they use and protect the limited information they have about users.
As well as the age restriction change, WhatsApp is also, therefore, rolling out a feature with the latest version of the app that allows users to download a report detailing the data that WhatsApp holds on them e.g. the make and model of the device they used, their contacts, their groups and any blocked numbers.
Facebook Nominate
Facebook is also updating its data policy to comely with GDPR which involves asking 13 and 15-year-old users to nominate a parent or guardian to give permission for them to share information on the platform. If they won’t / cannot do so, the young users will not be able to see a fully personalized version of the social media platform.
Also, Facebook’s Instagram is launching a data download tool to provide users with a file containing the photos, comments, archived stories, contacts and any other personal data that they’ve posted to the service in the past.
Twitter Too
Twitter Inc is also changing its privacy policy so that users can view information they share with the micro-blogging service and show how it’s being used, ahead of the introduction of GDPR. Twitter has said that the changes are to make the privacy policy visually clear and easy to use, and to clarify legalistic or technical language.
What Does This Mean For Your Business?
This story is another clear reminder that the introduction of GDPR is just around the corner as the tech giants, who have more to lose in fines, potential lost customer numbers, and serious reputational damage, make the necessary legal moves to ensure compliance. For Facebook especially, they have faced some very high profile bad publicity this year over their handling and sharing of personal data, so getting their GDPR compliance house in order may be a way to help avoid any further problems.
There is also a very serious ethical element to this story. It is estimated that Facebook has 20 million under-13-year-olds currently using the network, and there may also be a very large number of children using WhatsApp. Parents may understandably have serious concerns about what content children can have access to and, equally importantly, who can have access to children via social networks. Unsuitable material, commercialisation, bullying (or predatory behaviour by some adults) are just some of the issues to consider.
As well as these concerns, governments (such as the UK) are looking to stop end-to-end encryption in WhatsApp, GDPR is just around the corner, Facebook is now facing more tough questions about its Cambridge Analytica links, Martin Lewis (OBE) is taking Facebook to court for defamation and calling for Facebook to take responsibility for its actions … the pressure is now seriously on big social media platforms to make some changes, particularly where EU users are concerned.
Martin Lewis Fights Facebook In Court
MoneySavingExpert’s (MSE) founder and TV consumer champion Martin Lewis (OBE) has commenced UK High Court proceedings against Facebook to sue the tech giant for defamation over a series of fake adverts bearing his name.
What Happened?
Mr Lewis alleges that 50 fake ads bearing his name appeared on the Facebook social media platform over the space of a year, and that the fact that the ads were not from him, and could / did (in some cases) direct consumers to scammer sites containing false information may have caused serious damage to his reputation, and did cause some people to lose money.
Mr Lewis prepared for the first day of the court action against Facebook (on Monday 23rd April) by giving an interview to BBC radio explaining why he was taking the action, and offering to stop the court action altogether if Facebook ‘took responsibility’ for what he believes were its damaging actions against his reputation.
It is alleged that the adverts featured Mr Lewis’s face alongside endorsements that Mr Lewis says that he did not make. Mr Lewis has publicly stated many times that he does not appear in any adverts, therefore, any advert bearing his name must be a fake.
Long Fight
Mr Lewis has stated in a press release about the case that he has been fighting to stop the adverts from appearing on Facebook over the last year and that, even when they were reported to Facebook, many of the ads were left up for days or weeks, and when they are taken down, scammers were able to new, nearly identical campaigns very soon afterwards.
Mr Lewis is personally suing Facebook (not on behalf of MSE), and has published details of the legal action on the MSE website, saying “I will issue high court proceedings against Facebook, to try and stop all the disgusting repeated fake adverts from scammers it refuses to stop publishing with my picture, name and reputation.”
Mostly ‘Get-Rich-Quick Schemes’
The fake adverts are reported to have been mostly for ‘get-rich-quick schemes’ e.g. titled ‘Bitcoin code’ or ‘Cloud Trader’, which are reported to be fronts for binary trading firms based outside the EU. Martin Lewis has stated online that binary trading is a financially dangerous, near-certain money-loser, which the regulator the Financial Conduct Authority (FCA) strongly warns against.
Not For His Own Financial Benefit
Although Mr Lewis has said that he is seeking exemplary and substantial damages, he has said that this is because he wants to show Facebook that they can’t just pay damages as a kind of cost of business and then simply “carry on regardless”.
Mr Lewis has said that any money he does receive in damages from the court case will go not to him, but to anti-scam charities.
What Does This Mean For Your Business?
This case is compelling for many reasons. Firstly, it appears clear from what Mr Lewis has said publicly about his side of things that the fake adverts are bound to be damaging to a person whose public role is to fight for consumer rights, and is reported to have been damaging to other innocent victims of the scam ads e.g. the lady who reportedly had over £100,000 taken from her by the ad scammers. It’s in everyone’s interest that the activities of scammers are stopped.
Secondly, it will be interesting to see how successful Martin Lewis personally will be in taking on a rich tech giant that some commentators may see as being almost behaving as though it were above the law of some of the countries that it operates in. Since Martin Lewis is a consumer ‘champion’ and influencer when it comes to many financial products, it is likely that he will have a great deal of public sympathy and media attention which could give him extra bargaining power.
Thirdly, one key aspect of this case is which businesses Facebook is actually in rather than what business it thinks it’s in. For example, Mr Lewis is arguing that Facebook claims to be a platform not a publisher – and yet the problem has arisen not just from posts on a web forum, but from Facebook being paid to publish, promulgate and promote what may be fraudulent enterprises i.e. acting like a publisher. If Mr Lewis wins the case, it may be that Facebook will need to re-examine whether or not it now has to see itself as a publisher, and may be forced to change its system.