Major Wi-Fi Security Risk

Researchers have uncovered a major flaw in Wi-Fi connections, dubbed ‘Krack’, which could be putting homes and businesses at risk from hackers.

The Flaw

Researchers from the Belgian university KU Leuven discovered a critical flaw in the authentication system used by secure wireless connections.

All protected Wi-Fi networks use an old, four-way handshake (dialogue) system in order to generate a fresh session. With the handshake, the two devices agree a (session) key to use to keep a secure data connection between them.

According to the researchers, the system of random number generation used in authentication can actually be re-used, thereby allowing someone to enter a network and potentially spy on the data being sent in it.

Exploited

Hackers can exploit the ‘Krack’ vulnerability by tricking victims with a replayed, modified version of the original handshake, making victims reinstall their live session key. This resets the set-up values, which can weaken encryption.

The researchers have found that the flaw means that attackers can potentially hijack a connection, decrypt and inject data, and even forge their own connection.

What / Who Is Affected?

The flaw is in the actual Wi-Fi protected access II (WPA2) security protocol i.e. in the standard itself. This means that there may be millions of routers in customers’ homes and businesses that are vulnerable to attack. Service providers and their customers, therefore, face significant risks because of the flaw.

What About Patching?

The flaw, which has prompted a warning by the US Computer Emergency Readiness Team (Cert), can reportedly be fixed using software patches. Industry body the Wi-Fi Alliance is reported to be working with service providers to help develop a patch, and Google has said that it will be patching any affected devices over the next few weeks.

What Does This Mean For Your Business?

This is reminiscent of the problem encountered back in June, when, after an investigative study by Which?, Virgin Media made the news when its (Netgear) Super Hub 2 and Super Hub 2 AC home routers were found to all have exactly the same private encryption key, thus making them more vulnerable to hacks. This prompted the need for a security patch to be rolled out in order to protect large numbers of customers.

The latest flaw in Wi-Fi connections discovered by the Belgian researchers is another example of how, despite taking their own Internet and data security measures, businesses (and home users) can suddenly find themselves unwittingly being vulnerable to attack because of the equipment and software supplied by service providers who they have to trust. Once again, it is outside security researchers who have discovered the flaw.

Thankfully, patching is generally a fast and effective way to shut down vulnerabilities. Keeping up with patching itself is an important part of any company’s ongoing security processes, and the Fortinet Global Threat Landscape Report (back in August) highlighted the fact that 9 out of 10 businesses are hacked through un-patched vulnerabilities, and that many of these vulnerabilities are 3 or more years old, and have patches already available for them.

Tech Tip: Device Manager Locates Your Phone

If you’ve put your phone down somewhere in the house or office but can’t remember where, you can use Android Device Manager (Find My Device) to help you locate it. Here’s how:

You can access Device Manager via the web on a mobile device or computer. Find My Device is on by default for Android devices associated with a Google account. To use it, your missing device must be turned on, signed in to a Google account, connected to mobile data or Wi-Fi, visible on Google Play, and with Location and Find My Device turned on.

  • Log into your Google account.
  • Choose your missing phone from the drop down.
  • Google reaches out and shows you where it is, and you can also ring the phone, even if it’s in silent mode.
  • You can also remotely erase the phone to protect your data.

Augmented Reality Maps

The Ordnance Survey (OS) Maps augmented reality app will allow users to see signs identifying UK landmarks in the area they’re looking at through their phone or tablet’s camera view.

The new version of the OS Maps app uses ‘augmented reality’ which is the technology that can allow the real-world view to have other computer-generated or extracted real-world sensory input such as sound, video, graphics or GPS data superimposed on it.

The augmented reality aspect is an update to the current app which uses GPS to show users exactly where they are, records their route, and offers them the option to choose a map type from standard overview map, 1:50k (Landranger), 1:25k (Explorer) or aerial imagery.

No Phone Signal Needed

Even though the new augmented reality app works on smart phones, it does not need a phone signal, and is, therefore, practical for use in remote places. If users do operate with a data connection, pressing on a label gives the users additional local area information with routes, places to stay and local images from GetOutside.

Using Phones For Navigation

The app is thought to be particularly useful and convenient because many people now use their smart-phones for navigation, and it is part of an app that operates on the user’s existing mobile device.

Where Can You Use It?

The new app is able to operate in 200,000 locations throughout the UK.

Features Identified

The kinds of geographical features that the app displays labels and useful text information about include hills and mountains, lakes, coastal features, woodland, and transport hubs.

Wider Perspective

The app addresses the challenge posed by small phone screen sizes by showing what is on the horizon.

Safer With Paper?

Despite the convenience and practicality of the app, the Digital Product Manager at Ordnance Survey has been quick to point out that, for safety reasons, it is still recommended that people carry a paper map when outside (because paper maps don’t rely on batteries).

Where To Buy?

The app is free to subscribers of OS Maps (exclusively for Premium Users). For non-subscribers, it can be purchased from the OS online shop for £19.99 and then downloaded from Apple iTunes or Google Play.

What Does This Mean For Your Business?

Augmented reality ideas such as this could provide all kinds of opportunities for businesses involved in tourism and tours (e.g. cities, holiday / historic / tourist locations, travel and tour companies, galleries). Other opportunities could be in design e.g. allowing consumers to view how a retailer’s virtual furniture looks in their room before they buy.

Augmented reality could also provide business opportunities in education and teaching and anywhere that information about culture and the environment is needed in a fast, convenient and portable form (handheld AR equipment).

There are also military applications for AR such as the Heads-Up Display (HUD) used by ground troops, and there are medical uses e.g. to practice surgery in a controlled environment.

Businesses may also be able to use AR for advertising and promotional purposes e.g. apps designed to display information about (and offers relating to) restaurants, shops, and other businesses in the local area of a user.

In short, we are still at the beginning of the AR revolution, and the technology offers businesses and other organisations opportunities that are limited only by the imagination.

Crackdown On Tax Payments By Online Businesses

The European Commission is using the rulings of two cases involving Apple and Amazon, and reforming the way VAT is collected to make sure that all online businesses pay their taxes.

The Apple & Amazon Cases

The rulings on cases involving Apple’s operations in Ireland, and Amazon’s in Luxembourg, are to be used to close loopholes for those multinational companies operating in Europe and seeking to allocate profits to entities not (directly) involved in the provision of the goods or services to which the profits relate, as a means of reducing the amount of corporation tax they pay.

Countries Accused

There have also been accusations that governments appeared to have allowed the companies to channel their profits through companies that existed mainly for tax arrangements from which they stood to benefit.

Apple

In Apple’s case, last year the Irish government was ordered to retrieve €13 billion in back taxes by the EC (the European Union’s antitrust and competition watchdog). The EC has now taken the Irish government to court for failing to recover the money from Apple, thereby firing a warning shot to other multinationals that they’re not going to let companies (however powerful) off the hook when it comes to taxes owed. The tax bill for Apple is equivalent to 5% of its cash reserve / one quarter’s global profit, so could be enough to have an effect.

Amazon

In Amazon’s case, the EC ordered Luxembourg’s government to recover $250 million from Amazon because Amazon’s reduced tax bill was deemed to be ‘illegal state aid’. This amount equates to a little over the global profit for the last quarter, and is, therefore, a significant amount for Amazon.

VAT Changes

The EC has also moved to close more loopholes where VAT is concerned. These moves could create a proposed new, unified system of value-added tax (VAT) collection across the EU. This could stop companies from ‘jurisdiction shopping’ to pay the lowest rates, and it is estimated that it could help governments recover VAT of up to €150 billion a year (including €50 billion lost to fraud). With this scheme in place, governments in countries where purchases are made could receive revenue, and (cross border) businesses would know the right amount of tax to pay and collect, and could have their compliance costs reduced. The proposed VAT changes, however, are unlikely to be introduced until 2022.

What Does This Mean For Your Business?

These moves, and the very public announcement of them last week, are clearly designed to send a message to all companies, online or offline, that in whichever country their tax liability actually lies, they will be expected to pay their taxes in the EU for sales made in the EU from now on. The fact that the EC has challenged huge corporations and whole countries shows that it is serious.

Hopefully, the proposed new VAT changes will be less complicated and costly for small businesses than the Commission’s last attempt to simplify EU cross-border VAT collection with the “mini one-stop shop” in 2014.

It is possible to see why, for the benefit of their economies, countries like Ireland may have been reluctant to go after Apple for the money, but for many people, seeing big corporations (with big profits) being held to account like other businesses, the EC’s announcements and actions have a positive aspect to them.

The Commission now has to make sure that the proposed changes help all online businesses not just multinationals like Apple and Amazon that can afford expert help with their tax advice.

Google’s DeepMind To Monetize AI

After years of astonishing AI developments and expensive R & D and staffing bills, Google now plans to finally monetize its DeepMind AI by embedding it into a host of Google products and services.

Losing Money

Up until now, the expense of AI development work by DeepMind has meant big annual losses. Last year, for example, it made a loss of £94 million, which was partly due to the hiring of experienced and highly specialised technical staff to work on its AI development and research.

The hope and intention is, of course, that the AI developments made by DeepMind will pay back with improved products and services and new business opportunities that will generate more revenue in the not-too-distant future.

What is DeepMind?

DeepMind is Google’s London-based artificial intelligence (AI) company which it purchased in 2014 for $400 million. It has been engaged in developing AI with a view to improving Google’s products and services with it, and to help in the battle for voice-first AI dominance against competitors like Microsoft and Amazon (Cortana and Alexa). For example:

  • Improving Google’s voice-controlled virtual assistant ‘The Google Assistant’ in order to make it sound more natural in products such as the new Google Home Mini.
  • Developing the algorithm WaveNet, a network for producing better and more realistic-sounding speech. Originally it was thought to be too computationally intensive to work in consumer products (and therefore to be effectively monetized), but work by DeepMind over the last 12 months has improved the speed and quality.

WaveNet is now reported to be 1000 times faster, capable of running at scale, and is, therefore, the first product to launch on Google’s latest Tensor Processing Units (TPU) cloud infrastructure (used to accelerate a wide range of machine learning workloads, including both training and inference).

According to the DeepMind blog, the updated version of WaveNet can generate Google Assistant voices for US English and Japanese across all platforms, thus rendering it more likely to make money for Google.

Ethics Perspective

As well as worrying about how to best make money out of the expensive work on AI, DeepMind is also aware that simply advancing AI and developing ever more powerful algorithms without considering the possibility of hyper-intelligent machines turning on humans would be a mistake, and more than just commercial suicide.

In a recent meeting with the US National Governors Association, for example, Tesla and SpaceX CEO Elon Musk reportedly described ‘Artificial Intelligence’ (AI) as a “fundamental risk to the existence of civilisation.”

With that in mind, DeepMind has set up ‘Ethics and Society’ which is essentially an ethics committee to look at the real-world impacts of AI with the aim of helping technologists put ethics into practice and helping society at large understand the potential effects of AI.

‘Ethics and Society’ is able to draw upon the input of a number of expert ‘fellows’ including Nick Bostrom of Oxford University’s Future Humanity Institute and Strategic Artificial Research Centre.

What Does This Mean For Your Business?

AI-based, voice-controlled virtual assistants are now popular in-home devices such as the Amazon Echo, and in the Windows 10 operating system. As one of the really big tech company market leaders, Google, of course, needs to be able to compete in that market segment, but the full benefits of Google’s DeepMind work and investment may not have been realised yet. After such a large R & D investment, it is understandable that Google now wants the DeepMind project to start paying back by incorporating AI in (and thereby adding value to) existing and new products and services.

The fast development of AI has brought important and real-world concerns about the growth of automation, the changes it will bring to the labour market, and the other potential threats that it could pose.

Most businesses are likely to be affected by some aspect of automation e.g. software or mechanical, in the near future, either themselves directly or via suppliers and stakeholders.

There is, of course, the threat that intelligent machines could be a danger to humans if AI is not properly regulated, but a more immediate threat is likely to be the threat that AI-based automation poses to traditional jobs. There is an inevitability that AI and robotics will alter what jobs look like in the future, but it is also important to remember that they could provide huge advantages and opportunities for businesses.

Regulation of the growth of AI, and keeping a close eye on the ethical aspects of it are sensible measures, and workers can try to insulate themselves from the worst effects of automation by seeking more education / lifelong learning, and by trying to remain positive towards and adapting to changes.

How much automation and what kind of automation individual businesses adopt will, of course, depend upon a cost / benefit analysis compared to human workers, and whether automation is appropriate and is acceptable to their customers.

Legal Threat From GDPR

Speaking at the recent IP Expo in London, Irwin Mitchell solicitors warned businesses that focusing too much on consent as a basis for data collection could mean that they miss other options and issues, and leave themselves open to the risk of fines from the UK regulator when GDPR comes into force next year.

Consent

One of the key areas highlighted by the speaker from Irwin Mitchell was the fact that obtaining consent will be far more difficult under GDPR, and that the stricter rules around the gathering of consent with GDPR could mean that companies that rely on it entirely face the risk of fines.

Under GDPR, businesses will need to demonstrate that they have a basis for transferring and processing user data, i.e. ensuring that they have ‘legitimate interests’: showing that they are using data for legitimate business purposes and that no privacy rules are being breached.

What About Consent?

Consent where gathering and using personal data is concerned is a notoriously complicated legal area.

When the EU’s General Data Protection Regulation (GDPR) comes into force next year businesses will need ‘explicit consent’ to legitimate certain forms of data processing. GDPR will essentially make a number of other changes to the way in which organisations will have to gain consent.

Consent under GDPR will have to be unbundled i.e. consent requests are separate from other terms and conditions, granular (a thorough explanation of options to consent must be given), named (state which organisation and third parties will be relying on consent), and documented (keeping records of how consent was gained).

Consent will also have to be easy to withdraw, and this means that if companies focus too much first on the consent aspect of GDPR as a legal basis for using personal data, it may be at the expense of other options, and could leave them open to legal risks that they had missed.

Complications For Businesses

Some of the complications that could lead to some businesses being open to legal threats are that:

  • Under GDPR implied consent will disappear.
  • Terms and conditions can no longer be used as a catch-all.
  • Businesses that rely to some degree on consent as a legal basis will need to redraft their forms to make them compliant.
  • Many current marketing consents are not clear enough, and companies will need to sort through them, make sure they are compliant, and refresh them every two years.

Revealed Gap

For many businesses, trying to prepare for GDPR has revealed just how far behind they have been with data protection practices anyway, and many are still trying to find data that they should have been securing for years. With the clock ticking, compliance is a daunting challenge.

Focusing On The Wrong Things

Some GDPR commentators have pointed out that many companies have been focusing on the wrong things in their preparations for GDPR because they don’t understand the real legal risks.

For many businesses, there needs to be (and there hasn’t been) enough of a focus on the use of technology in their preparations in order to be realistically compliant in time.

Businesses are also not in a position to see the day-to-day cases in which EU regulators are forming a point of view on data protection.

What Does This Mean For Your Business?

There is now a pervading view that although the legal profession understands many of the ins and outs of consent, and the other important legal matters relating to GDPR, many businesses do not, and there is likely to be a quantum of illegality into May 2018 and beyond.

The whole area of what is meant by consent is so complicated and carries so many new obligations that data controllers should concentrate first on looking at other legal grounds as an alternative to consent.

Businesses could help their own preparations by focusing on how they can use technology to achieve compliance in time for GDPR, but may need to seek the current best legal information and advice to make sure that they are aware of, and are covered for the worst legal risks.
