A report from the US Congress has revealed that credit agency Equifax’s 2017 network breach (which affected 143 million people) was not spotted because of an expired software certificate.
Last week, mobile operator O2 blamed a similar issue for causing a network blackout which affected the UK.
Digital certificates are basically small pieces of code, created using sophisticated mathematics, that ensure communication between devices or websites is sent in an encrypted manner and is therefore secure. They play an essential role in keeping IT infrastructure up and running safely and are issued by certificate authorities, which electronically vouch that the certificates are genuine. When issued, these certificates are given an expiration date of anything between a few months and several years.
Digital certificates are issued for a variety of software that encrypts communications, including those embedded in hardware. In O2’s case it seems that a certificate linked to network equipment installed by Ericsson was the weak link.
Equifax’s certificate was linked to crucial software that monitored the network for suspicious traffic, meaning the hackers were not spotted in time.
While some think that the reason they expire is to allow the authorities to keep charging for renewals, there are some valid reasons why they need to be regularly updated – including changing technology, new vulnerabilities in encryption and the ownership of the certificate changing hands.
In O2’s case, the certificate reached its expiry date, which in turn meant that when different parts of the network attempted to communicate securely, they no longer trusted each other and refused to connect.
In Equifax’s case, the certificate in question was linked to software which monitored the network for suspicious traffic and had expired 19 months before the breach. This means that their networks were not being monitored for hackers.
There are billions of certificates in circulation and, with the internet of things flourishing and connecting ever more devices to the web, more are needed each day.
“As business becomes digital in increasingly complex and ubiquitous ways, all enterprises need to protect themselves from repeating this disastrous outcome. A best practice in so doing is to automate the discovery, monitoring, and renewal of certificates of all types,” said Tim Callan, a senior fellow at Sectigo.
“The proliferation of certificates and ever-increasing complexity of IT infrastructure has made it more and more challenging for IT professionals to stay on top of this component of their networks.”
www.bbc.co.uk/technews (12th December 2018)
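The certificate monitoring that Callan recommends above, as an added example that is not part of the original article and not any vendor's product: a stdlib-only Python audit that takes an inventory of certificates in the dictionary shape Python's `ssl` module returns from `getpeercert()`, computes the days remaining until each `notAfter` date, and classifies every entry as expired, expiring within the renewal lead time, or OK. The host names, dates and the fixed `NOW` in `SAMPLE_INVENTORY` are constructed for the demo; `WARN_DAYS` is an assumed lead time; `fetch_peer_cert` is included for live discovery against a real endpoint but is not called by the offline run.

```python
"""Added example: expiry audit for an inventory of TLS certificates (stdlib only)."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample inventory. Each value mimics the dict that
# ssl.SSLSocket.getpeercert() returns; only the 'notAfter' field is used here.
# Its format is the one the ssl module emits: 'Mon DD HH:MM:SS YYYY GMT'.
SAMPLE_INVENTORY = {
    "ids-sensor.internal":  {"notAfter": "May 01 00:00:00 2017 GMT"},  # long expired
    "core-router.internal": {"notAfter": "Dec 20 12:00:00 2018 GMT"},  # about to expire
    "www.example.com":      {"notAfter": "Jun 30 23:59:59 2019 GMT"},  # healthy
}

# Fixed reference time so the demo is reproducible (constructed value).
NOW = datetime(2018, 12, 12, tzinfo=timezone.utc)
WARN_DAYS = 30  # assumed renewal lead time; tune to the renewal process


def days_until_expiry(cert, now=None):
    """Days from `now` until the certificate's notAfter; negative once expired."""
    now = now or datetime.now(timezone.utc)
    seconds = ssl.cert_time_to_seconds(cert["notAfter"])  # UTC epoch seconds
    not_after = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return (not_after - now).total_seconds() / 86400.0


def classify(cert, now=None, warn_days=WARN_DAYS):
    """Return EXPIRED, EXPIRING or OK according to the renewal lead time."""
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        return "EXPIRED"
    if remaining <= warn_days:
        return "EXPIRING"
    return "OK"


def audit(inventory, now=None, warn_days=WARN_DAYS):
    """Map every inventory entry to its status, worst entries first."""
    order = {"EXPIRED": 0, "EXPIRING": 1, "OK": 2}
    statuses = {name: classify(cert, now, warn_days) for name, cert in inventory.items()}
    return dict(sorted(statuses.items(), key=lambda kv: (order[kv[1]], kv[0])))


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live discovery helper: fetch the certificate a real endpoint presents.

    Not called by the offline demo. getpeercert() only returns the parsed dict
    when the chain verified, so a certificate that has already expired makes
    the handshake raise ssl.SSLCertVerificationError instead: callers should
    catch that and record the host as EXPIRED rather than skipping it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY, NOW).items():
        remaining = days_until_expiry(SAMPLE_INVENTORY[name], NOW)
        print(f"{status:9} {name:24} {remaining:8.1f} days")
```

Run as a script it prints the three hosts with the expired sensor first; in a real deployment the inventory would be filled by `fetch_peer_cert` (or by reading certificate files from configuration stores) and the EXPIRED and EXPIRING lines would feed an alert, which is the check that would have flagged both the O2 equipment certificate and the Equifax monitoring certificate well before their expiry dates.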
A cache of internal documents has been published online by a parliamentary committee – against the wishes of Facebook’s chief. The emails show the firm struck secret deals to give some developers special access to user data – whilst refusing others. The files also apparently show that Facebook had made it deliberately hard for users to be aware of privacy changes to its Android app.
Damian Collins MP, the chair of the committee, said ‘I believe there is considerable public interest in releasing these documents. They raise important questions about how Facebook treats users’ data, their policies for working with app developers, and how they excuse their dominant position in the social media market.’
A spokeswoman from Facebook said ‘we stand by the platform changes we made in 2015 to stop a person from sharing their friend’s data with developers. …the facts are clear: we have never sold people’s data.’
Mr Zuckerberg also posted a personal response on his Facebook page – “I understand there is a lot of scrutiny on how we run our systems. That’s healthy given the vast number of people who use our services around the world, and it is right that we are constantly asked to explain what we do,” he said.
“But it’s also important that the coverage of what we do – including the explanation of these internal documents – doesn’t misrepresent our actions or motives.”
www.bbc.co.uk/technews (5th Dec 2018)
Staff at Google offices around the world are staging an unprecedented series of walkouts in protest at the company’s treatment of women. Staff in Zurich, London, Tokyo, Singapore and Berlin were amongst those to take part.
The employees are demanding several key changes in how sexual misconduct allegations are dealt with at the firm including a call to end forced arbitration – a move that would make it possible for victims to sue.
Google chief executive Sundar Pichai has told staff he supports their right to take the action.
The formal demands being made to Google’s management are –
- A commitment to end pay and opportunity inequality
- A publicly disclosed sexual harassment transparency report
- A clear, uniform, globally inclusive process for reporting sexual misconduct safely and anonymously
- The elevation of the chief diversity officer to answer directly to the CEO, and make recommendations directly to the board of directors
- The appointment of an employee representative to the board
- An end to forced arbitration in cases of harassment and discrimination for all current and future employees
www.bbc.co.uk/technews (1st Nov 18)
Apple Watch owners have been asked to return their devices for repair after some owners complained that software had caused their devices to stop working.
Those affected reported that their watches had become stuck in a state showing only the Apple logo on their screens.
The problem appears to have baffled the firm’s repair staff meaning there is no way at present for owners to restore the products themselves. Apple said it intended to release a revised update soon.
Meanwhile, several people have been told to send their watches in for a fix – much to the disappointment of some customers.
Anyone experiencing problems has been told to contact AppleCare.
www.bbc.co.uk/technews (31st Oct 18)
Plans for a ten mile test track in Wiltshire have been unveiled by Dyson, where new electric cars will be put through their paces. The track is part of a plan to start selling a ‘radical’ electric car from 2021. Dyson bought and then renovated the disused airfield at Hullavington two years ago. The redevelopment has cost £84m and the next phase of the airfield’s development would take Dyson’s total investment to £200m. About 400 automotive staff are now based at Hullavington and a further three buildings will open in the next few months, meaning there will be testing space of 15,000 sq m. ‘We are now firmly focused on the next stage of our automotive project strengthening our credentials as a global research and development organisation,’ said Jim Rowan, chief executive of Dyson.
Any details about the electric car are yet to be revealed, and no prototype has been built. It is expected to be aimed at the upper end of the market and may not even look like a conventional vehicle. ‘What we are doing is quite radical,’ said Rowan. The hints suggest that the Dyson vehicle is more likely to rival Elon Musk’s electric carmaker Tesla, rather than the likes of Toyota or Volkswagen.
Dyson came under fire in 2002 for its decision to move production of its vacuum cleaners from the UK to Malaysia at the cost of 560 jobs. Dyson, which made its 100 millionth machine last year, posted a 40% rise in turnover to £3.5bn as sales soared in Asia, while profits jumped by a third to a record £801m.
It has more than 12,000 staff, including 4,500 engineers and scientists, with 4,800 employees in the UK.
www.bbc.co.uk/technews (30th August 2018)
In March, years of video evidence gathered by police was lost thanks to a ransomware attack on Atlanta in the US.
Atlanta police chief, Erika Shields, said that the lost evidence involves dashcam recordings and could not be recovered.
About one-third of all software used by city agencies and departments is believed to have been affected by the attack.
The attack has since been revealed to have been more serious than first thought. The city has assigned an extra £7.1m to finance its recovery efforts.
The municipal courts in Atlanta were shut for several weeks during the height of the attack and huge amounts of legal documents stretching back decades are believed to have been scrambled by the malware.
The infection was known as ‘SamSam’, and the hackers encrypted key data and demanded $51,000 in bitcoin to unlock it. The ransom was not paid.
bbc.news.co.uk (7th June 2018)