Tech Tip – Sort Outlook Deleted Items by Date Deleted
If you’ve ever accidentally deleted an e-mail, can’t remember what day it was originally sent to you, and need to track it down, then this is the tip for you. Here’s how it works:
For Outlook:
- Go to the deleted items folder
- In the top ribbon bar, click on View tab then select View Settings
- In the Advanced View Settings box, click on the Columns… button
- Under Select Available columns from: choose the “Date / Time fields” drop down
- Single click on “Modified” and select Add (to put it at the bottom of the list on the right hand side), click OK
- Back at the first box, select “Sort…”. At the bottom drop the box down under Select Available Fields From and choose Date / Time Fields
- At the top, drop the box down under Sort Items By and choose Modified. It should auto select “Descending”. If it doesn’t, choose it (so the most recently modified item is at the top)
- Click on OK. Make sure your settings are now showing up and click on OK again
Your folder should automatically re-sort itself. If it doesn’t, just select the By Date sort option at the top of the email items header. Et voilà … your missing email turns up.
New, Free Secret Browsing and Cyber Security Service
Quad9 is a new, free service that will allow users to keep their Internet browsing habits secret and their data safe from malicious websites, botnets, phishing attacks, and marketers.
What’s The Problem?
When you browse the Internet, your Domain Name System (DNS) is likely set to whatever your ISP would like it to be (unless you have changed it). DNS services monitor your traffic data, and this information is often resold to online marketers and data brokers. We all face the security threat of unknowingly visiting domains that are associated with things like botnets, phishing attacks, and other malicious internet hosts. Many businesses also have to go to the trouble of running their own DNS blacklisting and whitelisting services.
Quad9
The new Quad9 free public Domain Name Service (DNS) system addresses all of these threats. The service promises not to collect, store, or sell any information about your browsing habits, thereby freeing the user from receiving even more unwanted attention from marketers in the future.
Also, a large part of the value of the service is that it will block domains associated with botnets, phishing attacks, and other malicious internet hosts, and relieve businesses of the need to maintain their own blacklisting and whitelisting services.
How Does It Work?
The Quad9 system, so-named because of its 9.9.9.9 Internet Protocol address, draws upon IBM X-Force’s threat intelligence database which is made up of 40 billion+ analysed web pages and images. The Quad9 service also draws upon 18 other threat intelligence feeds including Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ, and ThreatSTOP.
Quad9 uses its intelligence feeds and database to keep an updated whitelist of domains never to block, using a list of the top one million requested domains. It also keeps a “gold list” of safe providers e.g. Microsoft’s Azure cloud, Google, and the like.
All of this means that, when a Quad9 user browses the Internet and visits a website, types a URL into a browser, or follows a link, Quad9 checks the site against its databases and feeds to make sure it’s safe. If it isn’t safe, access to it will be blocked, thus protecting the user from possible security threats.
Not For Profit
The Quad9 service is the result of a non-profit alliance between IBM Security, Packet Clearing House (PCH), and The Global Cyber Alliance, an organisation founded by law enforcement and research firms.
What Does This Mean For Your Business?
This service offers businesses another useful and free tool in the fight to maintain cyber security and resilience in an environment where threats seem to be around every corner. This service has some credible contributors with serious critical mass, and has a presence in over 70 locations across 40 countries, with plans to double its global presence over the next 18 months. This means that Quad9 could add real value to business efforts to deter threats that can come from anywhere in the world. It could also save businesses the time, trouble, and extra risk of having to compile their own (often inadequate) blacklisting and whitelisting services, and can help businesses to defend themselves from evolving threats. This kind of service also helps protect against all-too-common human error by blocking threats automatically.
Businesses hoping to use the service simply need to change the DNS settings in their device or router to point to 9.9.9.9. Installation videos and guides are also available online.
Prison Sentences Demanded For Unauthorised Data Usage
The Information Commissioner’s Office (ICO) has said that it backs the idea that anyone accessing personal data without a valid reason or without their employer’s knowledge is guilty of a criminal offence, should be prosecuted, and prison sentences should be an option.
Recent Case
A recent case involving a nursing auxiliary at Newport’s Royal Gwent Hospital has re-ignited the ICO’s calls to get tough on personal data snoops. 61-year-old Marian Waddell of Newport was found to have accessed the records of a patient who was known to her, on six different occasions between July 2015 and February 2016, without having a valid business reason to do so and without the knowledge of the data controller (at the Aneurin Bevan University Health Board). The data controller is the person who (alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is to be processed.
In this case, nursing auxiliary Waddell was found guilty of a section 55 offence (of the 1998 Data Protection Act) and was fined £232, ordered to pay £150 costs, and was ordered to pay a £30 victim surcharge.
Fines … For Now
Section 55 offences of this kind are currently only punishable by fines, and such fines and costs have totalled £8,000 this year for nine convictions.
Section 55 of the Data Protection Act 1998 refers to the unlawful obtaining etc. of personal data, and it states that “a person must not knowingly or recklessly, without the consent of the data controller – obtain or disclose personal data or the information contained in personal data, or – procure the disclosure to another person of the information contained in personal data.”
The ICO, however, would like to see tougher penalties for data snooping. For example, a blog post by ICO enforcement group manager and head of the ICO’s criminal investigations team, Mike Shaw, highlighted the fact that offenders face not only fines and payment of prosecution costs, but could also face media (Internet) coverage of their offences, and damaged future job prospects. Mr. Shaw also stated that the ICO would like to see custodial sentences introduced as a sentencing option for the courts in the most serious cases.
Not Just An NHS Problem
The ICO have been quick to point out that data snooping and convictions for doing so are not confined to the NHS. Prosecution cases this year have also been brought against employees in local government, charities and the private sector.
Motives for data snooping vary, from sheer nosiness to seeking financial gain.
What Does This Mean For Your Business?
With GDPR soon to be introduced and with the ICO now pushing for possible prison sentences for certain data offences, businesses now need to (if they haven’t done so already) make data protection and compliance with data protection law a priority. This story should remind anyone in any business or organisation that, if you have access to personal data, that data is actually out of bounds to you unless you have a valid and legal reason for looking at it.
Businesses can help to make all staff aware of the rules and regulations for handling and processing data through staff training and education.
57 Million Data Breach Concealed By Uber – Hackers Paid
It has been reported that Uber concealed a massive data breach from a hack involving the data of 57 million customers and drivers, and then paid the hackers $100,000 to delete the data and to keep quiet about it.
More Than Two Years Ago?
Reportedly, the hacking of ride-hailing service Uber’s stored data took place more than two years ago. Instead of reporting the breach to regulators and going public with the news, Uber are now accused of concealing the breach.
What Actually Happened?
Reports indicate that back in 2016, two hackers were able to access a private GitHub coding site that was being used by Uber software engineers. Using the login details obtained via GitHub, the attackers were able to go to the Amazon Web Services account that handled the company’s computing tasks and access an archive of rider and driver information. This information is believed to have been stolen by the hackers, and the hackers are then reported to have emailed Uber asking for money.
Hackers Paid
Almost as shocking as Uber keeping quiet about the breach for 2 years or more is their reported decision to pay the hackers $100,000 to delete their copy of the data, and to keep quiet about the breach. At the time of the hack, in November 2016, Uber was negotiating with U.S. regulators (Federal Trade Commission) who were investigating separate claims of privacy violations by the company and Uber had just settled a lawsuit with the New York attorney general over data security disclosures.
Kalanick and Sullivan
Uber’s former CEO, Travis Kalanick, who was ousted from the role earlier this year (but remained on the board), is reported to have known about the breach a month after it took place.
Joe Sullivan, outgoing security chief, also appears to be somewhat in the frame over how the hack was handled, as it was only when Uber’s board commissioned an investigation into the activities of Sullivan’s security team (by an outside law firm) that the hack and the failure to disclose it were discovered.
What Kind of Data Was Stolen?
Reports indicate that within the 57 million names, email addresses and mobile phone numbers stolen, 600,000 drivers had their names and licence details / driver’s licence numbers exposed. This has led to drivers now being offered free credit monitoring protection.
History
Unfortunately, this is not the first time that poor practice has been uncovered in how Uber deals with data. For example, the U.S. has opened at least five criminal probes into the company’s activities around data, which is in addition to the multiple civil lawsuits that the company faces. The UK government has also looked at banning the service on the grounds of alleged reckless behaviour (Uber lost its London licence in September).
What Does This Mean For Your Business?
How companies store and handle data is, in today’s society, important to consumers, and to governments. The introduction of GDPR next year and the potentially severe penalties for businesses / organisations that don’t comply is evidence of how Europe and the UK are determined to force businesses / organisations to be more responsible, transparent, and follow practices that will ensure greater security. If companies really want to destroy their reputation and brand and risk being closed down, there are few better ways than [a] having a significant data breach (or being a repeat offender), and [b] failing to disclose that breach until being forced to do so.
Uber joins a line of well-known businesses that have made the news for all the wrong reasons where data handling is concerned e.g. Yahoo’s data breach of 500 million users’ accounts in 2014 followed by the discovery that it was the subject of the biggest data breach in history back in 2013. Similar to the Uber episode is the Equifax hack where 143 million customer details were stolen (44 million possibly from UK customers), while the company waited 40 days before informing the public and three senior executives sold their shares worth almost £1.4m before the breach was publicly announced.
This story should help to remind businesses how important it is to invest in keeping security systems up to date and to maintain cyber resilience on all levels. This could involve keeping up to date with patching (9 out of 10 hacked businesses were compromised via un-patched vulnerabilities), and should extend to training employees in cyber-security practices, and adopting multi-layered defences that go beyond the traditional anti-virus and firewall perimeter.
Companies need to conduct security audits to make sure that no old, isolated data is stored on any old systems or platforms, and no GitHub-style routes are offering cyber-criminals easy access. Companies may now need to use tools that allow security devices to collect and share data and co-ordinate a unified response across the entire distributed network.
The reported behaviour of Uber is clearly poor and likely to inflict even more damage on the reputation and brand of the company. The hack is also a reminder to businesses to maintain updated and workable Business Continuity and Disaster Recovery Plans.
Your Keystrokes Being Tracked
A new study from Princeton University has suggested that your keystrokes, mouse movements, scrolling behaviour, and the entire contents of the pages you visit may be tracked and recorded by hundreds of companies.
What??
The study revealed that no fewer than 480 websites of the world’s top 50,000 sites are known to have used a technique known as ‘session replay’, which, although designed to allow companies to gain an understanding of how customers use websites, also records an alarming amount of potentially dangerous information.
The researchers found that companies are now tracking users individually, sometimes by name.
The Software
The session replay software detected in the study was offered by seven firms: FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar and Yandex.
The research showed that companies using the software (on 492 sites) were sharing information about individuals with one or more of the seven replay companies, and that the percentage of sites giving information to the software companies was likely higher, because the software companies track only a sample and not the total of visits to a website.
Companies Using The Software
As indicated in the research, some companies believed to be using session replay software include the Telegraph website, Samsung, Reuters, Home Depot (US retailer) and CBS News.
What’s The Risk?
As pointed out by the researchers, this kind of software is like someone looking over your shoulder, and the extent of the data collected may far exceed user expectations, without any visual indication to the website visitor that such monitoring is taking place.
Security commentators have noted that among the general browsing data collected by these third-party replay scripts, they are also capable of collecting some very sensitive and personal information e.g. medical conditions and credit card details. Depending on how this data is transmitted and stored (where and how securely?) this could expose people to risks such as identity theft and online scams.
The research also raised the question of whether state-sponsored surveillance is being carried out with session replay software, when it was noted that Yandex (one of the session replay software companies) is also Russia’s largest search engine.
What Does This Mean For Your Business?
Creeping surveillance and monitoring for multiple purposes is now part of our daily lives and includes e.g. CCTV, monitoring / surveillance of behaviour and Internet use at work, tracking via our mobile phones, EPOS / supermarket recording of our purchases, storage of our browsing history as part of the Investigatory Powers Bill / ‘Snooper’s Charter’, social media monitoring, and government attempts to gain back-doors into and stop end-to-end-encryption of popular platforms like WhatsApp.
Keystroke monitoring in itself is nothing new, but the difference now is that cyber-crime is at a high, data protection has become a more public issue with data breach reports and new regulations on the way in (GDPR), and the latest session replay software is capable of recording so much detail including our most sensitive data and interests.
For businesses, session replay software could be an asset in understanding more about customers and making marketing more effective and efficient. As consumers, we could be forgiven for having cause for concern, and with things like ad-blockers capable of filtering out only some replay scripts, we remain somewhat vulnerable to the risks that they may pose.
Smartwatches – Spying on Kids
German Telecoms regulator the Federal Network Agency has banned the sale of smartwatches to children and asked parents to destroy any that they already have.
Danger To Children – Spying and Tracking
The regulator has taken the step over concerns that children wearing the watches could be, in theory, spied upon and tracked. These risks have been identified because the watches are internet-connected and are thought to be poorly secured e.g. no encryption of any transmitted data. This could mean that they could be hacked and taken over, and also the GPS tracking in the watches could be used by unauthorised persons to track the child.
Demographic
Smartwatches like the ones that have been banned in Germany are generally aimed at children aged between five and twelve, and this could be considered to be a demographic that is particularly vulnerable if data from the watches fell into the wrong hands.
App
Smartwatches have a Sim card, limited telephony function, and are linked to an app.
Parents can use the app to access their child’s smartwatch, and thereby listen to what is happening in the child’s environment, and it has been reported that the German Federal Network Agency has evidence that parents have used this feature to listen to teachers in the classroom. This ‘unauthorised transmitting’ and the surrounding privacy concerns have led to schools being warned to be on the lookout for the watches.
Similar Case In Norway
This is not the first time that concerns have been raised about the security and privacy aspects of smartwatches. Back in October, the Norwegian Consumer Council (NCC) reported that some children’s watches had flaws such as transmitting and storing data without encryption. Among the dangers identified were concerns that watches could have been hacked using basic techniques and the (child) wearer could have been tracked, or made to appear to be in a different location.
Internet-Connected Gifts / Toys Fear
Only last week there were news reports that consumer watchdog Which? identified toys such as Connect, the i-Que robot, Cloudpets and Toy-fi Teddy as having a security vulnerability because no authentication is required, and they could be linked with via Bluetooth by anyone nearby.
Also in the US, back in July this year, the FBI issued an urgent announcement describing the vulnerability of internet-connected toys to such risks, explaining steps to take to minimise the threat. The main concern appeared to be that young children could tell their toys private information, thinking they’re speaking in confidence. This information could be intercepted via the toy, thereby putting the child and family at risk.
What Does This Mean For Your Business?
Many tech and security commentators agree that a lot more care needs to be taken by manufacturers of Internet-connected / smart toys, gifts, and other home and business products to make sure that they are secure when they are sold, and that any information they do transmit is encrypted.
It is very worrying that children, particularly, may be at risk now due to vulnerabilities in smart toys. There have been many occasions in recent years when concerns about the security / privacy vulnerabilities in IoT / smart products have been publicly expressed and reported. The truth is that the extent of the current vulnerabilities is unknown because the devices are so widely distributed globally, and many organisations tend not to include them in risk assessments for devices, code, data, and infrastructure. Home / domestic users have no real way of ascertaining the risks that smart / IoT devices pose, probably until it’s too late.
It has also been noted by many commentators that not only is it difficult for businesses, including manufacturers of smart products, to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.
For businesses, it’s a case of conducting an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default usernames and passwords in these devices are changed as soon as possible. For home users of smart products, who don’t run checks and audits, it appears that others (as in the case of the German Federal Network Agency) need to step in on their behalf and force the manufacturers to take security risks seriously.