Adopt ‘HTTPS’ Or Face Being Penalised by Google

Google has announced that websites without ‘HTTPS’ in front of their domains will be labelled as ‘Not Secure’ in version 48 of Chrome, starting this July.

What Is HTTPS and Why Does It Matter?

HTTPS stands for Hyper Text Transfer Protocol Secure. It is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to, which means that all communications between your browser and the website you visit are encrypted.

In practical and technical terms, having HTTPS in front of your website URL means that:

  • Every unprotected HTTP request could reveal information about the behaviours and identities of your users. With HTTPS, therefore, critical security and data integrity for both your websites and your users’ personal information is provided. For example, no one with access to your router or ISP can get in the middle and intercept information sent to websites, spy on what you’re doing, or inject malware into legitimate pages.
  • Intruders (benign and malignant), now target every unprotected resource between your website and users e.g. images, cookies, scripts, and HTML. HTTPS provides a kind of blanket protection. ‘Intruders’ could include intentionally malicious attackers, as well as legitimate but intrusive companies e.g. ISPs or hotels that inject adverts into pages.
  • HTTPS doesn’t just block misuse of your website, but it is now also a requirement for many cutting-edge features, and is an enabling technology for app-like capabilities such as service workers, or building progressive web apps.
  • Many older APIs are now being updated to require permission to execute e.g. geolocation API. HTTPS is, therefore, a main component to the permission workflows for both new features and updated APIs.

Naming and Shaming

Google’s Chrome Security Product Manager, Emily Schechter, has announced on the Google Blog that, as from July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”. Google has played down this more direct move as being simply another step in a progression that has seen it gradually marking a larger subset of HTTP pages as “not secure” over the last year. Those companies and organisations that have not yet got their secure certificates may, however, be left thinking that this looks more like a naming and shaming.

Google isn’t the only company to adopt this kind of tactic. Mozilla took a similar approach sites using HTTP back in December with Firefox Nightly version 59.

Cost

The cost of secure certificates varies e.g. popular host GoDaddy offers HTTPS for one website for around £44 per year (£55 when you renew it). Google’s blog post avoids discussion of the cost, and focuses more on the benefits, the risks of not getting one, and makes the point that secure certificates are now more affordable than ever.

According to Google’s figures, many sites have already switched to HTTPS, with a reported 68% of Chrome traffic on Android and Windows now protected, 78% of Chrome traffic on Chrome OS and Mac now protected, and 81 of the top 100 sites on the web now using HTTPS by default.

What Does This Mean For Your Business?

Clearly, any thought that a secure certificate will only be needed by websites that directly take payments is likely to be wrong. Google is committed to making HTTS the default standard – on its blog it says ‘a secure web is here to stay’. The fear for businesses, in addition to the fear of cyber attacks, is that if you don’t have HTTPS for your business website soon, it could suffer in the search engine rankings, and potential customers could be scared away by visual warnings that the site is somehow, suddenly not secure. For smaller businesses this could be particularly damaging.

If having HTTPS reduces the risk of cyber crime then the benefits of buying a secure certificate will outweigh the cost, but for many smaller businesses, this may feel like they are being forced to pay an extra cost each year, and it may also force cyber criminals to change their tactics e.g. move more into social engineering attacks, and perhaps turn to AI-powered attack methods.

Facial Recognition Arrest Claims Via Twitter

South Wales Police have taken to social media to announce news of the latest arrests made using Automated Facial Recognition (AFR) technology.

First Used At Champions League Finals Week

The AFR system was first used by South Wales Police last June at the Champions League final at the Millennium Stadium in Cardiff. AFR incorporates facial recognition, uses slow time static face search, and links to specialist software that can compare a camera image of a face to 500,000 custody images from the Police Record Management system in order to find a match.

Ironically, the first arrest made in Cardiff at the time using AFR was actually a local man whose arrest was unconnected to the Champions League, and who was identified by a van-mounted camera days after the match.

Police Tweets

The latest announcements of AFR-related arrests have made the news because they relate to the use of AFR at the recent Six Nations rugby tournament, the announcements have been delivered via Twitter, and have been seen by some media commentators as being boastful in style.

For example, Project leader Scott Lloyd took to Twitter to publicise the first identification and arrest made “within an hour”, and the drugs arrest of another man on a warrant using AFR Cardiff City Centre a short time later. Mr Lloyd also announced another “UK policing first” with the arrest of a third person, identified from night club CCTV a month earlier.

Controversy

The increased use of AFR at events has, however, been criticised by groups such as Big Brother Watch for infringing peoples’ rights, having no clear basis for its use, and for edging the UK closer to a ‘surveillance state’.

There have also been reports of a possible 35 false matches and one wrongful arrest after the London Metropolitan Police used AFR at the last Notting Hill Carnival.

What Does This Mean For Your Business?

So far, AFR has proven to be a relatively expensive system for the number of arrests it has delivered (£177,000 for its use in Cardiff for 1 arrest), and it has generated a lot of negative publicity and suspicion. It is little wonder, therefore, that a police spokesperson has been only too happy to take to an immediate way (Twitter) of announcing every arrest as it happens in an attempt to boost public confidence in the system, and to demonstrate some value for money.

With the introduction of GDPR this year, however, questions will no doubt be asked about the security and privacy of the images captured by the AFR system, as personal images do fall under the category of personal data.

Despite the findings of a study from YouGov / GMX of August 2016 that showed that UK people still have a number of trust concerns about the use of biometrics for security, biometrics actually represents a good opportunity for businesses to stay one step ahead of cyber criminals. This is because biometric authentication / verification systems are thought to be far more secure than password-based systems, which is the reason why banks and credit companies have already started using them.

All this said, facial recognition systems are widely believed to have value-adding, real-life business applications. For example, last May, a ride-hailing service called Careem (similar to Uber but operating in more than fifty cities in the Middle East and North Africa) announced that it was adding facial recognition software to its driver app to help with customer safety.

Virgin Credit Cards : No To Crypto

Shortly after Lloyds Bank announced that it would be banning customers from buying crypto-currencies such as Bitcoin using their credit cards, Virgin Money is now adopting the same policy.

Why?

The volatility of cryptocurrencies such as Bitcoin have led Lloyds, and now Virgin Money to try to protect their customers from running up large debts following a sharp fall in the value of a digital currency they’ve bought. Several of the biggest issuers of credit cards in the US including Bank of America, Citigroup, JP Morgan, Capital One and Discover, have also banned customers from using their cards to buy digital currency.

Bitcoin is a perfect example of how volatile a digital currency can be. For example, at the start of 2017, one Bitcoin was worth $1,000, reached highs of around $19,000 at the end of last year, and has since plummeted to $8,291.87, its worst performance since April 2013.

The rapid rise in the value of Bitcoin last year, was also accompanied by consumers being targeted by adverts and information which acted as a temptation and incentive to invest with the promise of big returns, with many investors being inexperienced in currency investments, and unaware of the potential risks. Facebook, for example, has recently announced that it will now block any advertising that promotes crypto-currency products and services.

Bank Could Lose

Some money commentators have made the point that although the move by Lloyds and now Virgin Money could offer some protection for customers, the banks are also helping themselves because if a person buys anything on credit, such as large amounts of cryptocurrencies, it’s the bank that stands to lose if the person can’t repay the debt.

Bitcoin, for example, also operates outside of the control of banks, which may be another reason why banks may not like it.

Used By Criminals?

The police and the UK government have also taken the opportunity presented by the announcements of Lloyds and Virgin Money to make the point that digital currencies are also popular among criminals because they can use them to evade traditional money laundering checks and other regulations.

Prime Minister Theresa May, for example, has stated that action against digital currencies may be needed because of their connection to criminal activity. At the risk of sounding cynical, some money commentators have pointed out that governments tend not to like some crypotocurrencies because they are beyond their control, and they can’t (yet) make revenue from them. For example, the Chinese government has long battled with the challenges posed by Bitcoin.

What Does This Mean For Your Business?

This move by two banks, with more likely to follow, sets a new precedent. Banks don’t like unsecured risks being taken with their money, and buying cryptocurrencies on credit appears to represent a far greater risk to them than traditional gambling which you can still use a credit card for (although it will be treated as a high interest cash loan).

It’s also worth remembering that banks and governments are likely to be less happy about things that they can’t control, regulate, and raise revenue from.

Even though criminals are known to use cryptocurrencies such as Bitcoin for just these reasons (and the anonymity), it is also worth pointing out that Bitcoin actually has many attractive advantages for businesses such as the speed and ease with which transactions can take place, which is actually due to the lack of central bank and traditional currency control. Using Bitcoin also means that cross-border and global trading is made much easier and faster.

Also, even though Bitcoin looks too volatile for many to invest in at the moment, the cryptocurrency has lasted through many ups and downs (hacks and government opposition), it is still popular, and its widening popularity and potential uses for its underlying technology ‘Blockchain’ mean that Bitcoin still has a future.

From a consumer / potential individual investor’s perspective, the move by Lloyds, Virgin, and the big US credit card companies does, however, look likely to provide some responsible and sensible protection for the time-being.

Bitcoin Battered

Cryptocurrency Bitcoin’s value has now dropped to $6,000, a fall of $13,000 since November 2017.

What Is Bitcoin?

Bitcoin is a digital web-based currency that operates without the need for central banks and uses highly secure encryption to regulate the currency units and to verify transfers of funds. Bitcoin, which was first produced in 2009, uses the ‘Blockchain’, an open and programmable technology that can be used to record transactions for virtually anything of value that can be converted to code and is often referred to as a kind of ‘incorruptible ledger’.

In order to receive a Bitcoin, a user must have a Bitcoin address i.e. a ‘purse’ (of which there is no central register).

Bubble

Warnings of a Bitcoin ‘bubble’ were being delivered last year after its value rocketed from $1,000 to £19,000 in the space of less than a year.

Why The Fall In Value?

Several factors have led to the rapid fall in value since November last year. These include:

  • Tightening legislation and government opposition. Back in September, for example, China ordered exchanges to cease trading in the cryptocurrency as a way to gain control of the cryptocurrency through forced licensing. Also, China and South Korea have now banned initial coin offerings, Japan and Australia have taken steps to tighten Bitcoin regulations, and US restrictions look set to follow.
  • Negative predictions by currency experts. The news reports of the Bitcoin ‘bubble’ plus financial regulators in the UK and France warning investors that they could lose their money if they buy digital currencies issued by companies, known as “initial coin offerings”.
  • Banks and Credit Card Companies banning cryptocurrency purchases using credit cards. With less people able to buy cryptocurrencies, this has had the most recent downward effect on the value of Bitcoin.
  • Cyber criminals cashing-in. Crime is toxic to reputations, and Bitcoin has been increasingly targeted by criminals. For example, Slovenian-based Bitcoin mining marketplace NiceHash reported the theft of Bitcoin to an estimated value of $80m back in December, and an escalation of ‘crypto-jacking’. This happens where people’s devices are taken over by criminals trying to mine crypto-currencies such as via the Android phone-wrecking Trojan malware, dubbed ‘Loapi’. Bitcoin has been widely publicised as having link with crime e.g. to evade traditional money laundering checks and other regulations. Bitcoin is often named as the currency that ransomware scammers request their victims to pay with because of the anonymity that it offers. Some currency commentators have even suggested that the recent surge in the value of Bitcoin towards the end of last year was partly caused by European banks buying Bitcoin to pay off ransomware as a short-term way to deal with cyber-security.
  • Investors purchasing alternatives. As investors look for alternatives to the volatile Bitcoin bubble, this has had a negative effect on the value of Bitcoin, and a brief positive effect on the value of other cryptocurrencies.

What Does This Mean For Your Business?

From an investment point of view, Bitcoin is clearly risky. There are other cryptocurrency alternatives e.g. Ripple, Ethereum, Litecoin, but they all appear to have been tarred with the same brush as Bitcoin, particularly with the announcement that credit cards can’t be used to buy them.

Many of the possible advantages of cryptocurrencies to businesses e.g. to use for fast global trading and investing outside of bank controls, delays and red tape, are currently being overshadowed by the actions of banks and governments.

Cryptocurrencies may be currently in a dip, but the importance of other new technologies to businesses such as AI and driverless vehicles is finally being reflected in the value of the shares of companies who are leading the charge in those technologies, which are likely to provide many global business opportunities going forward.

Firefox Users Advised To Update

Cisco’s security team has advised Firefox users to install Mozilla’s latest update for its web browser after a potentially serious security vulnerability was discovered.

Malicious Code Danger

According to Cisco’s researchers (and confirmed by Mozilla), the vulnerability has been caused by “insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software”.

This means that unless Firefox users install the latest security patch update, they run the risk of remote hackers exploiting the vulnerability by persuading them to access a link or file that submits malicious code to the affected browser software.

Take Control Of The System

This kind of exploit could then enable an attacker to execute arbitrary code with the privileges of the user. If a user has elevated privileges, for example, this could even mean that the attacker could compromise the entire system. Once an entire system has been taken over, the attacker is then free to install programmes, create new accounts with full user rights, and to view, change or delete data.

Which Firefox Versions Are Affected?

The vulnerability is reported to affect Firefox web browser versions 56 (.0, .0.1, .0.2), 57 (.0, .0.1, .0.2, .0.3, .0.4), and 58 (.0). The Android Firefox browser app and Firefox 52 ESR are not affected.

How Can You Protect Your Systems?

The advice appears to be that Firefox users should download the browser update patch as soon as possible. The advisory information can be found here https://www.mozilla.org/en-US/security/advisories/mfsa2018-05/ and the patch can be found on the Mozilla website here: https://www.mozilla.org/en-US/firefox/new/?scene=2

Administrators can also help to safeguard systems by using an unprivileged account when browsing the Internet, and by monitoring critical systems.

What Does This Mean For Your Business?

The recent Malwarebytes annual State of Malware report showed that the UK is now the most targeted region in the world for cyber threats, so it is important for businesses to take action to patch any known vulnerabilities as soon a possible.

Since an exploit via Firefox of this kind would first require malicious software to be downloaded, users should remember, businesses should instruct all staff members not to open any email messages from suspicious or unrecognised sources. If users cannot verify that links or attachments included in email messages are safe, they should also be advised not to open them. Businesses should make it a matter of email policy and good practice that users should first verify if any unsolicited links are safe to follow.

Staying up to date with patching known vulnerabilities is an important part of the basic cyber security of business systems. For example, back in August 2017, the Fortinet Global Threat Landscape Report found that not only are 9 out of 10 businesses being hacked through un-patched vulnerabilities, but that many of these vulnerabilities are 3 or more years old, and already have patches available for them. In the case of Firefox, therefore, the patch should be downloaded immediately.

Too Much Technology Is A Workplace Distraction

The results of a survey by Microsoft indicate that constant contact with technology such as emails, messages and notifications in the workplace can reduce productivity, make workers less productive, and increase stress levels.

It’s All Down To The Company’s ‘Digital Culture’

The survey, which involved the opinions of 20,000 workers from 21 European nations, found that how technology is viewed and deployed in the workplace can make a big difference in worker productivity and well-being. Microsoft’s findings therefore, indicated that a company’s chosen “digital culture” can improve workers’ productivity and help them feel more involved in the business.

Too Much

It will come as no surprise to many people reading this that too much exposure to and emphasis on technology (e.g. large amounts of updates and notifications arriving via social media during the day) makes people less productive and more distracted.

The Microsoft report makes the point that one of the reasons why only 11.4% of European workers said they felt highly productive at work may be that even though there is an abundance of technology around, that doesn’t necessarily translate into impact.

Productivity comes from creative interchange rather than people simply working on computers, and Management Scientists now believe that technologies can overload people and make them less productive by making them focus too much on trying to deal with the technology itself, rather than working at using the technology to improve the delivery of a product or service.

‘Technostress’

Management Science experts now recognise the existence of ‘technostress’, which can occur when workers have to deal with the adverse consequences of adopting novel computer systems or software.

What Does This Mean For Your Business?

The main message for businesses is that simply introducing lots of interruptive and / or novel technology to the working environment can actually cause stress and make workers less productive. Businesses need to pay attention to building the right kind of digital culture. For example, organisations first need to know what they want to do with the software and systems they have adopted, and give staff the correct training and other help to use it.

A planned and managed digital culture with supporting conditions, such as appropriate email response times and measuring whether people are happy with the tech they use to do their day-to-day jobs, can help workers to get the most out of technology. This can lead to higher productivity, fewer staff feeling disengaged, and can ultimately benefit the aims and objectives of the business.

Each week we bring you the latest tech news and tips that may relate to your business, re-written in an techy free style. 

Archives