All posts by Keumars Afifi-Sabet

Microsoft plots ‘carbon negative’ target for 2030


Keumars Afifi-Sabet

17 Jan, 2020

Microsoft has outlined a set of ambitious plans to remove more carbon from the atmosphere than it emits by the end of the decade.

By 2030, Microsoft is aiming to be ‘carbon negative’, in that the carbon it removes from the atmosphere outweighs the carbon emitted, including the activity of its wider supply chain.

This is in addition to a $1 billion climate fund to accelerate research and development into carbon reduction, capture and removal technology that doesn’t already exist today.

Moreover, Microsoft wants to continue the trend of lowering emissions while increasing carbon removal so that by 2050 it will, on paper, have removed all the carbon it has emitted since its foundation in 1975.

“While the world will need to reach net-zero, those of us who can afford to move faster and go further should do so,” said Microsoft president Brad Smith.

“We recognize that progress requires not just a bold goal but a detailed plan. As described below, we are launching today an aggressive program to cut our carbon emissions by more than half by 2030, both for our direct emissions and for our entire supply and value chain.

“While we at Microsoft have worked hard to be “carbon neutral” since 2012, our recent work has led us to conclude that this is an area where we’re far better served by humility than pride. And we believe this is true not only for ourselves, but for every business and organization on the planet.”

The industry stalwart is the latest in a string of companies, including Amazon and HP, to enter an arms race geared towards reducing carbon footprints and embracing cleaner and greener technologies.

Amazon, for example, has pledged to be carbon neutral by 2040, while Google Cloud hit its 100% renewable energy goal in April 2018, powering its data centres and offices from renewable sources, including solar and wind. Salesforce, similarly, achieved net-zero greenhouse gas emissions the previous year.

HP, on the other hand, has committed to releasing routine sustainability reports that track its progress in its aims to reduce its carbon footprint. It has started to build many of its products with sustainability in mind, including the forthcoming HP Elite Dragonfly business 2-in-1.

Microsoft says it can achieve its own “aggressive” set of targets by first investing in nature-based initiatives, such as planting trees, with the goal of shifting to technology-based programmes when they become more viable.

The wider strategy, however, encompasses a set of smaller goals that Microsoft hopes to hit along the way to achieving its major targets for 2030 and 2050.

By 2025, for instance, Microsoft is hoping to shift to a 100% supply of renewable energy, while aiming to fully electrify its global campus operations vehicle fleet by 2030.

The firm is hoping to implement new procurement processes and tools to incentivise its suppliers to reduce their carbon emissions too, with these pencilled in for July 2021. For customers, meanwhile, Microsoft will roll out a sustainability calculator and dashboard that estimates emissions from Azure services.

Small businesses and innovators benefit from £100m government boost


Keumars Afifi-Sabet

15 Jan, 2020

Up to £100 million is being poured into researchers and small businesses as part of public sector efforts to invest in emerging technologies like artificial intelligence (AI).

The government’s Future Leaders Fellowships scheme will receive £78 million to be invested in 78 researchers to work on scientific and technological discoveries.

The remaining £20 million will be allocated to universities to support small businesses in rapidly-growing industries including AI, but also areas like clean growth and agri-food.

The 20 University Enterprise Zones (UEZs) will provide specialist support to small businesses and raise the level of knowledge-sharing between academics and entrepreneurs through frequent collaborations.

Through these UEZs, startups and small businesses will be given the facilities and expertise to help take their ideas through from a concept into the production and marketing stages.

These programmes will run across the UK in cities like Exeter, Falmouth, and Durham, not just London, with the government hoping this regional diversity will lead to several improvements to local economies.

These packages are part of the government’s UK Research and Innovation (UKRI) programme, which has seen various sums allocated to boosting aspects of tech growth in recent months.

The NHS, for example, this month received £69.5 million to fund four projects that involve developing therapies and technologies to treat genetic mutations that underlie life-threatening conditions like cancer and arthritis.

The UKRI programme even funded three R&D projects in Bristol with a £50,000 round of investment in March this year.

“UKRI is committed to creating modern research and innovation careers and our Future Leaders Fellowships aim to support and retain the most talented people, including those with flexible career paths,” said UKRI chief executive Professor Sir Mark Walport.

“These 20 University Enterprise Zones funded by Research England will be important focal points for collaboration in business-friendly environments, driving innovation and delivering benefits that will be felt across economies at the local, regional and national scale.”

The largest recipient of the £20 million UEZ fund is the University of Southampton, which will use a £1.5 million boost to fund the Future Towns Innovation Hub.

Other prominent projects include Oxford Brookes’ £1.2 million AI & Data Analysis Incubator, and Lancaster University’s Secure Digitisation UEZ.

Google testing biometric support for Autofill service


Keumars Afifi-Sabet

13 Jan, 2020

Google is toying with adding biometric support to its Autofill service on Android devices, deployed by users to automatically populate online forms and apps with personal and sensitive information.

Android code that hasn’t yet been enabled suggests Google’s built-in service could, in a future update, introduce an additional security layer involving fingerprint scanning or facial recognition, according to XDA Developers.

The additional step would be handled through the BiometricPrompt API, and would aim to resolve a security concern that has dogged Google’s auto-fill feature for years.

Autofill allows Android users to automatically populate forms and apps with information like passwords, addresses and credit card details, that’s synced with their Google account.

With Google’s Android 8 Oreo operating system, the inclusion of an Autofill API opened up support to third-party password managers like LastPass and Dashlane.

Using the equivalent of Autofill with these apps, however, generally requires users to pass an additional layer of security, like a quick fingerprint scan, to verify their identity.

Unlike these third-party apps, however, Google’s own feature has never demanded any additional form of authentication.

Attackers, therefore, could in theory gain access to a wealth of sensitive information – including financial data – simply by bypassing the passcode a user has set to control access to their device.

According to an APK teardown, biometric support options would be enabled within the Autofill settings portion of the Android settings menu, under ‘autofill security’.

Users could then separately toggle biometric support on or off for payment information and credentials like usernames and passwords.

Biometric security is increasingly being seen as a reliable and secure alternative to traditional passwords and passcodes. The use of password managers, too, is often recommended by security experts as a means of improving cyber hygiene.

Microsoft, for instance, is a company that’s been highly vocal about the need to shift away from conventional passwords and for users to instead embrace biometrics as an alternative. Its chief information security officer Bret Arsenault has in the past called for online passwords to be eliminated entirely.

Embracing biometrics completely, however, presents its own security challenges, as the Biostar 2 data breach showed: stolen biometric data is far more permanent in nature than the usernames and passwords taken in most other breaches, because it cannot be reset.

Teams unveils Walkie Talkie and off-shift access controls in frontline workers push


Keumars Afifi-Sabet

10 Jan, 2020

Microsoft has unveiled a set of new features for its flagship Teams platform to appeal to what the company calls “firstline workers” in industries like medicine, retail and manufacturing.

Over the course of 2020, the major Slack rival will introduce a suite of tools, including features like an in-app walkie-talkie, shared device sign-out and off-shift access controls for IT administrators.

The news marks the company’s second major push around ramping up functionality for frontline workers, hinting that Microsoft is aggressively trying to fill what it sees as a gap in the market.

Microsoft had previously revealed simple sign-in for Microsoft 365 and Teams at its Ignite conference in November. The previously announced SMS sign-in tool would allow frontline workers to log onto Teams using an SMS authentication code obtained by entering their phone number.

Companies in the retail industry, in particular, with high staff turnover, could be the main beneficiaries from this feature, as well as from new tools like off-shift access controls and shared device sign-out.

“Companies at the forefront of digital transformation recognize how critical it is to enable all of their people with the right technology and tools,” said Microsoft’s corporate vice president of modern workplace verticals Emma Williams.

“That’s why, in industries like retail, hospitality, and manufacturing, there’s a movement underway to digitally empower the Firstline Workforce – the more than two billion people worldwide who work in service- or task-oriented roles.

“Giving Firstline Workers the tools they need requires companies to address unique user experience, security and compliance, and IT management.”

Allowing workers to sign in using SMS, for instance, would allow IT departments to avoid the need to set up fully-fledged user accounts for individuals who may not stay in the job for very long.

One of the most eye-catching new features, the walkie-talkie tool, is aimed at supplanting the need to buy additional equipment like radios, with workers able to conduct voice conversations over Wi-Fi and mobile data.

Microsoft sees this walkie-talkie feature as a means to help companies ditch “analog devices with unsecure networks”, with workers no longer having to worry about crosstalk or eavesdropping from third-parties.

Principal analyst for digital workplace at CCS Insight, Angela Ashenden, said frontline workers have become a growing area of focus for Microsoft, with this segment of the workforce historically unserved with any apps or tools.

“We’ve seen Microsoft target this group already with its collaboration solution Teams,” she said. “And with its mixed reality applications as part of Dynamics 365, and we’re now starting to see these two worlds coming together as the company focuses on key verticals like retail.”

“Today’s announcements of a new push-to-talk, walkie talkie feature in Teams will be hugely valuable for retail businesses, and SMS sign-in helps address the challenge of the high-turnover storefront workforce who aren’t always given an email address to use to sign in with (this is a feature we’ve also seen Workplace by Facebook roll out).”

The use of off-shift access controls, similarly, gives IT admins the capacity to limit worker access to the app on personal devices outside of working hours. This would ensure employees are not working longer hours than they’re supposed to and helps employers comply with employment regulations.

While these features don’t have fixed release dates, Microsoft has penned broad estimates that range from later this quarter, to over the course of the first half of the year. All capabilities are expected to have been released by midway through 2020 or earlier.

Mozilla fixes Firefox zero-day being actively exploited


Keumars Afifi-Sabet

9 Jan, 2020

Mozilla has patched a critical flaw in its Firefox browser that’s being actively exploited by criminals in targeted attacks.

The critical vulnerability, tracked as CVE-2019-17026, allows an attacker to seize control of an affected computer through a mechanism that leads to ‘type confusion’, according to an advisory released by Mozilla.

The company confirmed that the critical flaw, which has now been patched, affects users running version 72.0.1 of Firefox and version 68.4.1 of Firefox ESR. The developer added that it’s “aware of targeted attacks in the wild abusing this flaw”.

The severity of the flaw is such that the US Cybersecurity and Infrastructure Security Agency (CISA) has issued a separate warning urging Firefox users to apply the necessary updates.

The attack works by causing ‘type confusion’, a potentially critical error in which code treats an object in memory as though it were of a different type than it actually is, which can lead to data being read from or written to locations of memory normally out of bounds. When triggered, this can lead to an exploitable crash because of issues caused when the browser attempts to manipulate JavaScript objects.

It’s the second time within seven months that Firefox has sustained a critical zero-day vulnerability being actively exploited in the wild.

A previous flaw, discovered in June 2019, gave attackers the tools to execute arbitrary code on flawed machines and in some cases take over users’ devices remotely.

The latest emergency fix follows a round of 11 CVE-rated bug fixes Mozilla has issued, five of which were rated ‘high’ and four rated ‘medium’. Among these highly-rated issues were memory safety bugs in Firefox 72, another type confusion issue, and a memory corruption flaw.

The second major security scare within a matter of months is a blow to a developer trying to forge a fresh identity for Firefox as a privacy-centric web browser. Mozilla has teased and rolled out a suite of changes to how Firefox functions in the last year, including tools like a virtual private network (VPN).

In September last year, Mozilla also instigated a change in Firefox that would block known third-party tracking cookies and cryptocurrency mining by default as part of its Enhanced Tracking Protection (ETP).

Travelex disruption caused by devastating ransomware attack


Keumars Afifi-Sabet

8 Jan, 2020

The foreign exchange company Travelex has confirmed that the ongoing disruption to its services, which started on New Year’s Eve, is being caused by a successful ransomware attack.

The outage, which has lasted more than a week, has caused chaos for customers and partners alike who rely on these systems to conduct transactions.

Travelex had previously pinned the disruption on a “software virus”, in a statement released three days after the attack. The firm confirmed in an updated statement, however, that the incident was indeed caused by a ransomware attack.

Additional reports suggest the perpetrators are demanding millions of dollars in exchange for the return of customer data.

Travelex first detected that a virus had compromised its services on 31 December and took all of its systems offline as a precaution to prevent the malware from spreading across its network any further.

Following days of speculation and media reports, the firm has finally confirmed the “software virus” that hit its systems was the ransomware known as REvil, with the name Sodinokibi also sometimes used.

The attack was a success, and the group behind the attack has demanded a ransom to the tune of $6 million (approximately £4.6 million), according to BBC News.

The attackers also claim they have taken approximately 5GB of customer data, and will only return this should the ransom be paid in full. This data is claimed to comprise dates of birth, national insurance numbers as well as credit card information.

The company says it’s taken steps to contain the spread of the ransomware, suggesting that although there has been some encryption, there remains no evidence that any customer data has been compromised.

Travelex also added in a statement that while it does not have a complete picture of all the data that has been encrypted, “there is still no evidence to date any data has been exfiltrated”.

These conflicting reports could suggest the attackers may be bluffing in claiming to have downloaded a cache of customer data. Many less well-resourced firms unable to conduct thorough assessments in the wake of such attacks, however, may deem these ‘bluffs’ as too risky to ignore, and pay any ransom demanded to secure safe return regardless.

“Our focus is on communicating directly with our partners and customers to protect them and their information from any further compromise,” said Travelex chief executive Tony D’Souza.

“We take very seriously our responsibility to protect the privacy and security of our partner and customers’ data as well as provide an excellent service to our customers and we sincerely apologise for the inconvenience caused.

“Travelex continues to offer services to its customers on a manual basis and is continuing to provide alternative customer solutions in the interim.”

A forensic analysis of the incident is underway, and the firm is working to fully recover its systems. Some internal systems have been restored, but disruption still remains on the customer and partner-facing side. This is reportedly affecting services of other firms such as HSBC and Tesco Bank.

Travelex says it’s in discussions with the National Crime Agency (NCA) and the Metropolitan Police, who are each conducting their own investigations into the breach.

There’s doubt as to whether Travelex has approached the Information Commissioner’s Office (ICO), however, despite the potential for data theft. The incident could constitute a violation of the General Data Protection Regulation (GDPR), should the attackers’ claims to have made away with customer data prove to be true.

“Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms,” an ICO spokesperson said.

“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”

Principal security consultant and head of penetration testing at Bridewell Consulting, James Smith, told IT Pro that Travelex has handled the initial fallout badly. The company should also learn from this incident, as well as past incidents, and build these lessons into a proper cyber resilience plan.

“Transparency is key in maintaining customer trust, especially for firms like Travelex in the financial services industry,” Smith said.

“Travelex has taken a long time to inform customers about what’s taken place, and placing a press statement on the website days after the event simply isn’t enough.

“Financial services firms like Travelex have a responsibility to their customers to keep them informed even if no data has been lost. This is especially important in light of the 2018 breach the company suffered in which the personal details of 17,000 customers were exposed.”

Ransomware is highly common, with this particular form of attack blighting countless numbers of businesses routinely each year.

Many companies and professionals, meanwhile, believe that paying the ransom is often a cheaper and simpler way to secure data and restore systems.

A Canadian laboratory, for example, was advised in late 2019 to pay hackers in order to retrieve 85,000 stolen data records, despite this action being against the general consensus among security experts.

Asked whether Travelex should pay the ransom, Smith added there is a debate to be had, but the negatives always outweigh the positives.

“If you pay, in theory, you regain access to your data and systems and business can continue. However, there’s no guarantee you’ll actually get access restored.

“There’s also no guarantee that the data hasn’t been stolen already, before it was encrypted. This is happening more and more in the industry and the likelihood that the data will be sold or stored by the hacker is great.

“Then, of course, there are the wider ethical considerations about paying attackers who could use the money to fund other criminal enterprises.

“If organisations have the right plans in place, such as replicating their data, having off-site backups and segregated networks, for example, the likelihood of having to answer the “pay or not pay” question is greatly reduced.”

XSS the most widely-used attack method of 2019


Keumars Afifi-Sabet

23 Dec, 2019

The most widely-used cyber attack method used to breach large companies in 2019 was cross-site scripting (XSS), according to research.

The hacking technique, in which cyber criminals inject malicious scripts into trusted websites, was used in 39% of cyber incidents this year.
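The injection described above works because untrusted input is written straight into a page’s markup. The following added illustration (not code from the report or from any site it surveyed; the comment and author strings are constructed) puts a vulnerable renderer beside an output-encoded one, so the difference a single `html.escape` call makes is visible on the same input:

```python
"""Cross-site scripting: untrusted input concatenated into HTML, beside the
output-encoded version. Added illustration; sample inputs are constructed."""
import html

# Constructed user-supplied values of the kind a site must never emit into
# HTML unencoded: one targets the element context, one the attribute context.
SAMPLE_COMMENT = '<script>alert("xss")</script> nice post!'
SAMPLE_NAME = 'Mallory" onmouseover="alert(1)'


def render_comment_vulnerable(name: str, comment: str) -> str:
    """Concatenates untrusted input straight into markup: the XSS pattern."""
    return f'<div class="comment" data-author="{name}"><p>{comment}</p></div>'


def render_comment_safe(name: str, comment: str) -> str:
    """Encodes <, >, &, " and ' (quote=True) so the input stays data in both
    the element body and the quoted attribute."""
    safe_name = html.escape(name, quote=True)
    safe_comment = html.escape(comment, quote=True)
    return f'<div class="comment" data-author="{safe_name}"><p>{safe_comment}</p></div>'


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only to contrast the two renderers: a raw <script tag
    or an attribute break-out followed by an event handler."""
    lowered = rendered.lower()
    return "<script" in lowered or '" onmouseover=' in lowered


if __name__ == "__main__":
    for renderer in (render_comment_vulnerable, render_comment_safe):
        out = renderer(SAMPLE_NAME, SAMPLE_COMMENT)
        print(renderer.__name__, "-> active markup:", contains_active_markup(out))
        print("   ", out)
```

Encoding at output time, in the context the value lands in, is the control that matters here; a templating engine with auto-escaping enabled does the same thing by default, and a Content-Security-Policy header limits the damage if one spot is missed.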

This was followed by SQL injection and Fuzzing, which were used in 14% and 8% of incidents respectively. Among other widely-used methods are information gathering, and business logic, although both were used in less than 7% of incidents.

With 75% of large companies targeted over the last 12 months, the report by Precise Security also revealed the key motivation behind cyber crime has been the opportunity for hackers to learn.

Almost 60% of hackers conducted cyber attacks in 2019 because it presents a challenge. Other prominent reasons for hacking a company’s systems include testing the security team’s responsiveness, and winning the minimum bug bounty offered. ‘Recognition’ ranked sixth in the list of motivations, and was cited by just 25% of hackers. Bizarrely, 40% also said that they preferred to target companies that they liked.

Digging into industry-specific insights, additional research published this month also revealed the most prominent attack method faced by sectors within the UK economy.

The most prevalent hacking technique in the business, finance and legal sectors, for example, was macro malware embedded into documents, according to statistics compiled by Specops Software.

Retail and hospitality firms, meanwhile, suffered mostly from burrowing malware, present in 51% of attacks, as did governmental organisations, registering 37% of incidents.

The healthcare industry was susceptible mostly to man-in-the-middle attacks, in which communications between two computer systems are intercepted by a third-party.

Distributed denial of service (DDoS) attacks were the most common form of attack faced by the technical services industry, with 58% of incidents using this method.

As for how these attacks are conducted specifically, the Precise Security report showed that 72% of platforms used as a springboard for cyber crime are websites. WordPress, for example, is a prime target due to the massive userbase, with 90% of hacked CMS sites in 2018, for instance, powered by the blogging platform.

Application programming interfaces (APIs) were the second-most targeted platforms in 2019, being at the heart of 6.8% of incidents, with statistics showing Android smartphones are usually involved in such attacks.

Google Transfer Service launched for those handling enormous data migrations


Keumars Afifi-Sabet

13 Dec, 2019

Google Cloud Platform (GCP) has developed a software service to help organisations handle massive data transfers between on-premises locations and the cloud faster and more efficiently than existing tools.

The tool has been designed for organisations that need to undergo large-scale data transfers in the region of billions of files, or petabytes of data, from physical sites to Google Cloud Storage in one fell swoop.

GCP’s Transfer Service for on-premises data, released in beta, is also a product that allows businesses to move files without needing to write their own transfer software or invest in a paid-for transfer platform.

Google claims custom software options can be unreliable, slow and insecure as well as being difficult to maintain.

Businesses can use the service by installing a Docker container, with an agent for Linux, on data centre computers, before the service co-ordinates the agents to transfer data safely to GCP storage.

The system makes the transfer process more efficient by validating the integrity of the data in real-time as it gradually shifts to the cloud, with each agent using as much available bandwidth as possible to reduce transfer times.

The data transfer service is a larger-scale version of tools such as gsutil, a cloud transfer service also developed by Google, which is unable to cope with the scale of data that Transfer Service has been designed to handle.

The firm has recommended that only businesses with a network speed faster than 300Mbps use its Transfer Service, with gsutil sufficing for those with slower speeds.

Customers also need a Docker-supported 64-bit Linux server or virtual machine that can access the data to be transferred, as well as a POSIX (Portable Operating System Interface)-compliant source.

The product is aimed squarely at enterprise users, and comes several weeks after the company announced a set of migration partnerships aimed at customers running workloads with the likes of SAP, VMware and Microsoft.

This exploit could give users free Windows 7 updates beyond 2020


Keumars Afifi-Sabet

10 Dec, 2019

Members of an online forum have developed a tool that could be used to bypass eligibility checks for Windows 7 extended support and receive free updates after the OS reaches end-of-life.

Only a handful of Windows 7 users can continue to receive updates from Microsoft through its paid-for Extended Security Updates (ESU) programme after 14 January, through to January 2023.

This scheme was first introduced for enterprise customers in August and later extended to SMB users after Microsoft identified “challenges in today’s economy”.

The ESU programme is not available to all businesses, however. Users on tech support platform My Digital Life have therefore developed a prototype tool that could theoretically allow ineligible businesses to continue to receive free updates beyond 14 January.

Before ESU patches are beamed to eligible machines, Windows 7 performs a check to determine whether or not users can receive these updates. This involves the installation and activation of an ESU license key. The created tool bypasses this eligibility check, which is only performed during installation, so users would, in theory, continue to receive Windows 7 updates for free through the ESU scheme without paying an ESU subscription.

The bypass was tested on the Windows 7 update KB4528069, a dummy update which was issued to users in November so they could verify whether or not they were eligible for extended support after 14 January.

Although the tool has worked on the test patch, its creators urged My Digital Life forum members to consider this as a prototype, and not a fully-fledged workaround, as things may change by February 2020.

Microsoft will be keen to ensure there aren’t any ways to undermine the ESU scheme once Windows 7 reaches end-of-life due to the sums it’s charging eligible businesses, and an ultimate desire to shift machines to Windows 10.

The firm is likely to change the way the eligibility check is performed given how simple it’s been proven to bypass.

It’s certainly not a tool that Microsoft is likely to condone, but it does demonstrate the extent to which Windows 7 is still popular as users are trying to retain undisrupted access to the legacy OS.

Businesses have just weeks to upgrade their devices running Windows 7 and Windows XP or face restrictions on accessing critical security updates.

Microsoft launches Office 365 phishing campaign tracker


Keumars Afifi-Sabet

10 Dec, 2019

Microsoft has devised a phishing campaign dashboard for its Office 365 Advanced Threat Protection (ATP) module to give customers a broader overview of phishing threats beyond just individual attacks.

The newly-announced ‘campaign views’ tool provides additional context and visibility around phishing campaigns. This aims to give businesses under constant threat from phishing attempts a fuller story of how attackers came to target an organisation, and how well attempts were resisted.

Security teams with access to the dashboard can see summary details about a broader campaign, including when it started, any activity patterns and a timeline, as well as how far-reaching the campaign was and how many victims it claimed.

The ‘campaign views’ tool also provides a list of IP addresses and senders used to orchestrate the attack, as well as the URLs manifested in the attack. Moreover, security staff will be able to assess which messages were blocked, delivered to junk or quarantine, or allowed into an inbox.

“It’s no secret that most cyberattacks are initiated over an email. But it’s not just one email – it’s typically a swarm of email designed to maximize the impact of the attack,” said Girish Chander, Microsoft group program manager for Office 365 security.

“The common pattern or template across these waves of email defines their attack ‘campaign’, and attackers are getting better and better at morphing attacks quickly to evade detection and prevention.

“Being able to spot the forest for the trees – or in this case the entire email campaign over individual messages – is critical to ensuring comprehensive protection for the organization and users as it allows security teams to spot weaknesses in defenses quicker, identify vulnerable users and take remediation steps faster, and harvest attacker intelligence to track and thwart future attacks.”

Office 365’s ATP tool is an email filtration system that safeguards an organisation against malicious threats posed by email messages, links and any collaboration tools.

With the additional information at hand, Microsoft is hoping that security teams within organisations can more effectively help compromised users, and improve the overall security setup by eliminating any configuration flaws.

Related campaigns to those targeting the organisation can also be investigated, and the teams can help hunt down threats that use the same indicators of compromise.
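The idea underlying a campaign view, grouping individual messages that share a template and payload into one object with a start time, sender infrastructure, verdict breakdown and the list of users who actually received it, can be reproduced on any mail-filter log. The following is an added illustration, not Microsoft’s code or its clustering method; the log records, addresses and hostnames are constructed, and the campaign key (subject with digits normalised plus the URL host) is one simple choice among many:

```python
"""Group phishing messages into campaigns from a mail-filter log.
Added illustration with constructed records; not Microsoft's algorithm."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample mail-filter records (hypothetical addresses and hosts).
SAMPLE_MESSAGES = [
    {"ts": "2019-12-09T08:01:00", "ip": "198.51.100.7", "sender": "it-helpdesk@example.net",
     "rcpt": "alice@corp.example", "subject": "Action required: password expires in 2 days",
     "url": "http://login-portal.example.org/auth/a1", "verdict": "blocked"},
    {"ts": "2019-12-09T08:03:00", "ip": "198.51.100.7", "sender": "it-helpdesk@example.net",
     "rcpt": "bob@corp.example", "subject": "Action required: password expires in 3 days",
     "url": "http://login-portal.example.org/auth/b7", "verdict": "junk"},
    {"ts": "2019-12-09T08:40:00", "ip": "203.0.113.21", "sender": "support@example.net",
     "rcpt": "carol@corp.example", "subject": "Action required: password expires in 1 days",
     "url": "http://login-portal.example.org/auth/c2", "verdict": "delivered"},
    {"ts": "2019-12-09T09:15:00", "ip": "203.0.113.22", "sender": "support@example.net",
     "rcpt": "dave@corp.example", "subject": "Action required: password expires in 2 days",
     "url": "http://login-portal.example.org/auth/d9", "verdict": "delivered"},
    {"ts": "2019-12-09T10:00:00", "ip": "192.0.2.5", "sender": "billing@example.com",
     "rcpt": "alice@corp.example", "subject": "Invoice 4471 overdue",
     "url": "http://pay.example.com/inv/4471", "verdict": "blocked"},
    {"ts": "2019-12-09T10:30:00", "ip": "192.0.2.5", "sender": "billing@example.com",
     "rcpt": "erin@corp.example", "subject": "Invoice 9902 overdue",
     "url": "http://pay.example.com/inv/9902", "verdict": "quarantine"},
]


def template_key(msg: dict) -> tuple:
    """Campaign key: subject with digits collapsed to '#' plus the lure's host.
    Attackers vary the numbers and the URL path per message; the template and
    the landing host are what stay constant across a wave."""
    subject = re.sub(r"\d+", "#", msg["subject"].lower())
    return (subject, urlparse(msg["url"]).hostname)


def build_campaigns(messages: list) -> list:
    """Return one summary dict per campaign, largest campaign first."""
    groups = defaultdict(list)
    for msg in messages:
        groups[template_key(msg)].append(msg)

    campaigns = []
    for (subject, host), msgs in groups.items():
        times = sorted(datetime.fromisoformat(m["ts"]) for m in msgs)
        verdicts = defaultdict(int)
        for m in msgs:
            verdicts[m["verdict"]] += 1
        campaigns.append({
            "subject_template": subject,
            "url_host": host,
            "started": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "messages": len(msgs),
            "sender_ips": sorted({m["ip"] for m in msgs}),
            "senders": sorted({m["sender"] for m in msgs}),
            "targets": sorted({m["rcpt"] for m in msgs}),
            "verdicts": dict(verdicts),
            # Users whose mail reached the inbox are the remediation priority.
            "delivered_to_inbox": sorted(m["rcpt"] for m in msgs if m["verdict"] == "delivered"),
        })
    campaigns.sort(key=lambda c: c["messages"], reverse=True)
    return campaigns


if __name__ == "__main__":
    for c in build_campaigns(SAMPLE_MESSAGES):
        print(f'{c["subject_template"]!r} via {c["url_host"]}: {c["messages"]} messages, '
              f'{c["started"]}..{c["last_seen"]}, inbox: {c["delivered_to_inbox"]}')
```

The `delivered_to_inbox` list is what a team acts on first (password resets, user notification), and `sender_ips` and `url_host` are the indicators to feed back into blocking; the two campaigns here also show why grouping matters, since the password-expiry wave used three IPs and two sender addresses that would look unrelated message by message.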

The ‘campaign views’ dashboards are available to customers with a suite of Office 365 plans including ATP Plan 2, Office 365 E5, Microsoft 365 E5 Security, and Microsoft 365 E5.

These new features have started rolling out into public preview, with Microsoft suggesting the features are expected to be available more generally over the next few days and weeks.