A report from the US Congress has revealed that credit agency Equifax’s 2017 network breach (which affected 143 million people) was not spotted because of an expired software certificate.
Last week, mobile operator O2 blamed a similar issue for causing a network blackout which affected the UK.
Digital certificates are basically small pieces of code created by using sophisticated mathematics that ensure that communication between devices or websites are sent in an encrypted manner, and are therefore secure. They play an essential role in keeping IT infrastructure up and running safely and are issued by certificate authorities, who electronically vouch that the certificates are genuine. When issued, these certificates are given an expiration date of anything between a few months and several years.
Digital certificates are issued for a variety of software that encrypts communications, including those embedded in hardware. In O2’s case it seems that a certificate linked to network equipment installed by Ericsson was the weak link.
Equifax’s certificate was linked to crucial software that monitored the network for suspicious traffic, meaning the hackers were not spotted in time.
While some think that the reason they expire is to allow the authorities to keep charging for renewals, there are some valid reasons why they need to be regularly updated – including changing technology, new vulnerabilities to encryption and the ownership of the certificate changing hands.
In O2’s case, the certificate reached its expiry date, which in turn meant that when different parts of the network attempted to communicate securely, they no longer trusted each other and refused to connect.
In Equifax’s case, the certificate in question was linked to software which monitored the network for suspicious traffic and had expired 19 months ahead of the breach. This means that their networks were not being monitored for hackers.
There are billions of certificates in circulation and, with the internet of things flourishing and connecting ever more devices to the web, more are needed each day.
“As business becomes digital in increasingly complex and ubiquitous ways, all enterprises need to protect themselves from repeating this disastrous outcome. A best practice in so doing is to automate the discovery, monitoring, and renewal of certificates of all types,’ said Tim Callan, a senior fellow at Sectigo.
“The proliferation of certificates and ever-increasing complexity of IT infrastructure has made it more and more challenging for IT professionals to stay on top of this component of their networks.”
www.bbc.co,uk/technews (12th December 2018)
The woman who created and sold what many recognise as the world’s first word processor has died at the age of 93. Evelyn Berezin called the device the Data Secretary. She launched the product in 1971 with her company Redactron.
Redactron grew from 9 employees to nearly 500 and was named one of America’s top leaders by Business Week magazine in the year she sold it, 1976.
The innovation – which matched customers and available seats – was tested by United Airlines in 1962. According to the Computer History Museum it had a one second response time and worked for 11 years without any central system failures.
In addition, Ms Berezin helped pioneer other types of special-purpose computing such as: an automated banking system, a weapons-targeting calculator for the US Defence Department, and terminals for a horse-racing track that monitored how much money was being bet on each animal.
www.bbc.co.uk/technews (13th December 2018)
Two mental health chatbot apps, Wysa and Woebot, have required updates after struggling to handle reports of child sexual abuse. In tests, neither of the apps urged an apparent victim to seek emergency help. They also had problems dealing with eating disorders and drug use.
Woebot is designed to assist with relationships, grief and addiction, while Wysa is targeted at those suffering stress, anxiety and sleep loss. Both apps let users discuss their concerns with a computer rather than a human. Their automated systems are supposed to flag up serious or dangerous situations.
The flaws mean that both the chatbots are currently not fit for purpose for use by youngsters. The Children’s Commissioner for England, Anne Longfield, said that the apps ‘should be able to recognise and flag for human intervention a clear breach of law or safeguarding of children’.
Wysa had been previously recommended as a tool to help children by an NHS Trust. Its developers have promised an update to improve the responses by the app.
The makers of Woebot have now introduced an 18+ age limit as a result of the testing outcomes, stating that the app should not be used in a crisis.
Despite the shortcomings, both apps did flag messages suggesting self-harm, directing users to emergency services and helplines.
www.bbc.co.uk/technews (10th December 2018)
Millions of smartphone users in the UK lost their data services this morning after the O2 network suffered technical problems. O2 has 25 million customers, but also provides services for the Sky, Tesco, Giffgaff and Lycamobile networks which have another seven million users.
Users began complaining about the difficulties at 5:30 in the morning. An O2 spokesperson said a software issue was to blame for the outage. They encouraged customers to use Wi-Fi wherever possible, and apologised for the inconvenience caused.
Although most customers seem to be up and running as normal, the outage had knock-on effects for other services that use the O2 network, including Transport for London’s electronic timetable service at bus stops, which also stopped working.
www.bbc.co.uk/technews (5th Dec 2018)
A cache of internal documents have been published online by a parliamentary committee – against the wishes of Facebook’s chief. The emails show the firm struck secret deals to give some developers special access to user data – whilst refusing others. The files also apparently show that Facebook had made it deliberately hard for users to be aware of privacy changes to its Android app.
Damian Collins MP, the chair of the committee, said ‘I believe there is considerable public interest in releasing these documents. They raise important questions about how Facebook treats users data, their policies for working with app developers, and how they excuse their dominant position in the social media market.’
A spokeswoman from Facebook said ‘we stand by the platform changes we made in 2015 to stop a person from sharing their friend’s data with developers. …the facts are clear: we have never sold people’s data.’
Mr Zuckerberg also posted a personal response on his Facebook page – “I understand there is a lot of scrutiny on how we run our systems. That’s healthy given the vast number of people who use our services around the world, and it is right that we are constantly asked to explain what we do,” he said.
“But it’s also important that the coverage of what we do – including the explanation of these internal documents – doesn’t misrepresent our actions or motives.”
www.bbc.co.uk/technews (5th Dec 2018)
Staff at Google offices around the world are staging an unprecedented series of walkouts in protest at the company’s treatment of women. Staff in Zurich, London, Tokyo, Singapore and Berlin were amongst those to take part.
The employees are demanding several key changes in how sexual misconduct allegations are dealt with at the firm including a call to end forced arbitration – a move that would make it possible for victims to sue.
Google chief executive Sundar Pichai has told staff he supports their right to take the action.
The formal demands being made to Google’s management are –
- A commitment to end pay and opportunity inequality
- A publicly disclosed sexual harassment transparency report
- A clear, uniform, globally inclusive process for reporting sexual misconduct safely and anonymously
- The elevation of the chief diversity officer to answer directly to the CEO, and make recommendations directly to the board of directors
- The appointment of an employee representative to the board
- An end to forced arbitration in cases of harassment and discrimination for all current and future employees
www.bbc.co.uk/technews (1st Nov 18)