All posts by Paul Stradling

Featured Article : Okay, Ukraine Is Being Attacked. How Worried Should We Be?

In this article, we look at how, in addition to the devastating missiles, rockets, bombs, tanks and other weapons, Ukraine has also been the subject of cyber-warfare, and at how these and other war-related issues could be cause for concern across Europe.

War In Ukraine

At the time of writing, Ukraine has come under attack from Russian forces by sea, land and air, with reports indicating that:

– Russian troops are still trying to take Ukraine’s two biggest cities, Kyiv and Kharkiv.

– An estimated half a million refugees have left Ukraine.

– There are news reports that residential areas in Ukrainian cities are now being hit with attacks such as cluster-bombs.

– The first round of talks about a ceasefire has been held.

– Satellite images have shown large columns of Russian armour and other military vehicles heading into Ukraine.

– Sanctions on Russia have caused the value of the Ruble to crash, leading to long queues at Russian banks.

Cyber Attacks – A Part of ‘Hybrid Warfare’ 

State-sponsored cyber-attacks are now an ongoing threat faced by all countries but, specifically in the case of Ukraine, they are being used against it as a weapon of war. A military strategy concept first proposed by Frank Hoffman and highlighted in a NATO review last year, ‘hybrid warfare’ is described as an “interplay or fusion of conventional as well as unconventional instruments of power and tools of subversion” which are “blended in a synchronised manner to exploit the vulnerabilities of an antagonist and achieve synergistic effects.” In short, it is a combination of conventional and unconventional strategies, methods and tactics which includes cyber-attacks. These cyber-attacks are now used to support the ‘hard power’ of military action by disrupting vital services like power and communications to create more fear and confusion.

A Feature of Previous ‘Hybrid’ Methods Believed To Have Involved Russia 

Russia has been blamed for the use of cyber-attacks against states before, including Ukraine, especially during military conflicts. For example:

– Russia has been blamed for DDoS attacks on both Georgia and Crimea during the incursions in 2008 and 2014.

– In December 2015, Ukrainian power stations were hacked and taken offline. It was also reported that the telephone lines had been disrupted so that the engineers couldn’t make calls. The result was huge disruption for hours for homes, businesses and other entities.

– In June 2017, the software used for Ukraine’s tax return filing system was hacked and companies were attacked with ransomware. The malicious software also spread to other countries, including the UK, as well as causing huge disruption to merchant shipping. The cost was estimated at $5-10 billion.

– In 2019, Russian military intelligence was blamed for cyber-attacks (DDoS) on 2000 websites in Georgia. The websites affected included the presidential website and the country’s national TV broadcaster.

Recent Cyber Attacks 

The hard power of military attacks against Ukraine is reported to have been accompanied in recent weeks by cyber-attacks. For example:

– In mid-January, Ukraine blamed Russia for attacks on 70 government websites (the largest attacks on Ukraine in 4 years) including the Diia website. This system, linked to government services, is where personal vaccination data and certificates are stored.

– In mid-February, Ukraine reported that two state-owned banks, PrivatBank and Oschadbank, had been hit by large-scale DDoS attacks and other failures which interrupted banking services.

– Last week, there were reports of distributed denial of service (DDoS) attacks and “wiper” attacks against Ukrainian organisations. These attacks have destroyed data on infected machines. Experts believe that the wiper attacks may have been planned as far back as December.

– Ukraine’s Computer Emergency Response Team (CERT) has reported that hackers from the Belarusian military (a group code-named “UNC1151”) have been targeting the private email addresses of Ukrainian military personnel “and related individuals”. The attacks have involved using password-stealing emails to break into Ukrainian soldiers’ email accounts and using the compromised address books to send further malicious messages.

Defence – The Rapid Cyber Response Team 

Countries have their own cyber protection units, usually linked to intelligence services/agencies, and the military. In terms of Ukraine’s defence against cyber-attacks, help could come from:

– The CRRT. Following a call for help from Ukraine, it has been reported that a Cyber Rapid Response Team (CRRT) is being deployed across Europe to help defend against the Russian cyber-attacks which have accompanied (and preceded) the ground war. The team is reported to be made up of 12 experts from Lithuania, Croatia, Poland, Estonia, Romania and the Netherlands.

– Like the UK’s own Computer Emergency Response Team (CERT) which was set up in 2013, Ukraine has its own CERT-UA.

Should We Be Concerned About The Spread of The War? 

While thoughts are of course with the people of Ukraine, there has been much speculation and some warnings which indicate how the war could spread. For example:

– Neighbouring countries are preparing for the possibility of attacks, invading forces, or events that could spill over into their territories, e.g. Poland, Latvia, Georgia, Azerbaijan, and even Finland.

– Russia’s president Putin said that he has put Russia’s nuclear force on high alert. This, however, has been dismissed by many as a distraction attempt.

Should We Be Concerned About The Spread of the ‘Cyber War’? 

At the beginning of February, cyber-attacks on oil facilities in Germany, Belgium and the Netherlands, thought to be of Russian origin, were seen as a way of Russia exerting pressure on Germany; they came at a time when Russia was threatening to close its oil pipelines. Also, at the end of January, UK businesses were warned by the National Cyber Security Centre (NCSC) to bolster their cyber defences in case Russia widened its attack scope to NATO countries and/or because of the spread of malware related to attacks on Ukraine. The NCSC has given advice about how to prepare here: https://www.ncsc.gov.uk/guidance/actions-to-take-when-the-cyber-threat-is-heightened

What Does This Mean For Your Business? 

In addition to the terrible consequences of war for Ukraine’s citizens, there is uncertainty and fear about what happens next, and what could happen to escalate the conflict. Also, with more than one-third of Europe’s natural gas coming from Russia there are, of course, concerns about how the conflict could begin affecting other countries and there are bound to be big knock-on consequences for supply chains and other industries across the world. In terms of technology, there are clear risks of more Russian cyber-attacks being launched against NATO countries and the US and, as NCSC has warned, UK businesses now need to pay special attention to strengthening their cyber defences, not least to protect against malware attacks. Large UK companies and organisations involved with vital UK infrastructure could now face serious cyber-attacks (e.g. DDoS attacks) and, if not properly protected, this could have wider effects across the country for businesses and homes.

Tech News : Ransomware Study : Most UK Firms Pay

A study by security firm ‘Proofpoint’ has revealed that 82 per cent of UK organisations whose systems were infected by ransomware in 2021 opted to pay the ransom.

Much Higher Than The Global Average 

Despite cybersecurity and government agencies warning against paying, Proofpoint’s ‘2022 State of the Phish’ report states that this UK figure for 2021 is the highest in any region surveyed and is 40 per cent higher than the global average.

Phishing Attacks & Ransomware 

Phishing attacks are one of the main ways that criminals deliver ransomware (and other malware) or direct victims to a site where they download the ransomware that allows criminals to access their networks. Proofpoint’s report showed that more than three-quarters of organisations (78 per cent) saw email-based ransomware attacks in 2021 and 91 per cent of UK organisations reported facing bulk phishing attacks in 2021. In fact, in the first three quarters of 2021, 15 million phishing messages with malware payloads were linked to later-stage ransomware. These malware families included Dridex, The Trick, Emotet, Qbot and Bazaloader.

Why Not Pay? 

The National Cyber Security Centre (NCSC) states that “even if you pay the ransom, there is no guarantee that you will get access to your computer, or your files” and that “occasionally malware is presented as ransomware, but after the ransom is paid the files are not decrypted. This is known as wiper malware.” 

Also, organisations that pay the ransom will still have infected computers, will be funding criminal groups, allowing them to continue and bring suffering to others, and organisations that are known to pay are more likely to be targeted in the future.

What Does The Survey Say Happened To Those Who Paid? 

As the Proofpoint study showed, 60 per cent of organisations chose to at least negotiate with the attackers, and 82 per cent paid. Despite the advice against paying, only 4 per cent of those organisations who paid a ransom were unable to retrieve their data. This is likely to be either because the key didn’t work properly, or because the attackers simply made off with the money.

Is No Backup A Reason To Pay The Ransom? 

It would seem logical that a lack of an effective backup may be a reason why organisations would pay a ransom. A report by cyber security company Emsisoft (2020), however, showed that some victims of attacks have been capable of restoring their networks from backups but have still opted to pay the ransom.

It should also be noted that one tactic that ransomware attackers often use is to threaten to publish an organisation’s data if the ransom isn’t paid.

Protecting Your Business From Ransomware Attacks 

Ways in which businesses can protect themselves from falling victim to ransomware attacks include:

– Educate staff about the risk of phishing emails and emails carrying malware, how to spot phishing/suspicious emails, and never to open emails that appear suspicious.

– Make regular backups of the most important files, keep them off-site (e.g., the cloud) and make multiple copies of files using different backup solutions.

– Make sure that the devices containing the backup are not permanently connected to the network, scan backups for malware before files are restored, and regularly patch products used for backup.

– Stop malicious content reaching company devices – e.g. by filtering to only allow file types you would expect to receive, blocking websites known to be malicious, actively inspecting content, and using signatures to block known malicious code.

– Prevent attacks via Remote Desktop Protocol (RDP) or unpatched remote access devices by disabling RDP if it’s not needed, enabling MFA at all remote access points into the network, using a VPN, and patching known vulnerabilities in all remote access and external-facing devices.

– Prevent malware running on devices – e.g. by centrally managing devices to only allow trusted apps and disabling or constraining scripting environments and macros.

– Plug vulnerabilities in devices – e.g. by installing security updates as soon as they are available and enabling automatic updates for operating systems, applications and firmware.
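As an added example (not from the article or from the NCSC guidance it summarises), the script below is a read-only PowerShell audit of several of the controls in the list above on a Windows 10/11 endpoint: RDP disabled, automatic updates not switched off by policy, Office macros restricted, scripting constrained and Defender real-time protection on. The registry locations are the standard Group Policy keys for each setting; run it in an elevated session and it reports without changing anything.

```powershell
# Read-only audit of ransomware-hardening controls on a Windows endpoint.
# Reports pass/fail per control; makes no changes.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: treat as "not configured"
}

$findings = @()

# 1. Remote Desktop: fDenyTSConnections = 1 means RDP is disabled.
$rdpDenied = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
$findings += [pscustomobject]@{
    Control = 'Remote Desktop disabled'
    Pass    = ($rdpDenied -eq 1)
    Detail  = "fDenyTSConnections=$rdpDenied"
}

# 2. Automatic updates: NoAutoUpdate = 1 would switch them off via policy.
$noAuto = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' 'NoAutoUpdate'
$findings += [pscustomobject]@{
    Control = 'Automatic updates not disabled by policy'
    Pass    = ($noAuto -ne 1)
    Detail  = "NoAutoUpdate=$noAuto"
}

# 3. Office macros (per application): VBAWarnings = 4 blocks all macros
#    without notification; 3 allows only digitally signed macros.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $vba = Get-RegValue "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" 'VBAWarnings'
    $findings += [pscustomobject]@{
        Control = "$app macros restricted"
        Pass    = ($vba -in 3, 4)
        Detail  = "VBAWarnings=$vba"
    }
}

# 4. Scripting environments: a Restricted or AllSigned machine-wide execution
#    policy is a (bypassable but useful) brake on casual script execution.
$policy = Get-ExecutionPolicy -Scope LocalMachine
$findings += [pscustomobject]@{
    Control = 'PowerShell execution policy restricted'
    Pass    = ($policy -in 'Restricted', 'AllSigned')
    Detail  = "ExecutionPolicy=$policy"
}

# 5. Microsoft Defender real-time protection (signature-based blocking of
#    known malicious code, as the list above recommends).
$mp = Get-MpPreference
$findings += [pscustomobject]@{
    Control = 'Defender real-time protection enabled'
    Pass    = (-not $mp.DisableRealtimeMonitoring)
    Detail  = "DisableRealtimeMonitoring=$($mp.DisableRealtimeMonitoring)"
}

$findings | Format-Table -AutoSize
```

A failing row means the setting is not enforced by policy on this machine; it does not by itself prove the control is absent (a third-party product may cover it), so treat the output as a prompt for review rather than a verdict.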

What Does This Mean For Your Business? 

Making sure there are strong security measures in place (particularly where email is concerned) and checking data is definitely being backed up securely on a regular basis (and that it is accessible when needed) can help towards effective ransomware protection. Attackers can pressurise businesses into paying (e.g. by threatening to destroy and/or publish data), and an attack may simply come at a bad time for a business where a long disruption could seem less costly than paying. The fact is, however, that paying may not guarantee the return of data and may make a business more likely to be attacked again because they paid. Ultimately, businesses will, as the stats show, make their own decisions, but by their very nature, attackers can’t be trusted and paying now could lead to even bigger problems later, and will fuel the continuing cycle of attacks for others too.

Tech Insight : Comparing Browsers

With reports that Microsoft Edge is about to beat Safari to become the second most-popular browser, we take a brief look at what different browsers have to offer.

Google Chrome  

The most popular browser with a 65.38 per cent share of the market, Google Chrome is supported by Windows, macOS, Linux, Android and iOS. Its popularity may be closely linked to Google’s long-running effectiveness in terms of the quality of its search engine results. Some of its best features include the extensions and add-ons, the autofill features, cross-platform support and sync, and live captions. It also has some powerful security features – blocking dangerous mixed content (scripts and images) and warning if email has been compromised. Some tech commentators point to its main downside being that it can be resource (memory) hungry.

Microsoft Edge

Edge is supported by Windows, macOS, Android and iOS (with Linux coming soon), and is bundled as part of Windows. With Chromium at its core, it is fast, has good privacy and security measures, some useful add-ons (e.g. password manager) and plenty of customisation options. It also has an “Install this site as an App” feature to allow a site to be installed as an app on the desktop with a shortcut, so it can work as an app and not a browser tab or window. One of the main criticisms of Edge is that it keeps asking to be the default.

Safari  

Safari, now almost the second most popular browser (already the most popular for iPhone and iPad), is fast, works well with Apple devices, and has a clean look that users like. Also, its Handoff feature allows users to continue a browsing session between different Apple devices, and it offers some good privacy protection features, such as Private Browsing mode and a Privacy Report tool that uses machine learning. Some of the more popularly voiced disadvantages include the fact that it’s only for Apple now, it has limited synchronisation options and a limited choice of extensions, customisation options are limited, there are few software updates, and some security measures may be lacking, e.g. notifying users whenever they access unencrypted web pages.

Opera  

Supported by Windows, macOS, Linux, Android and iOS, Opera is Chromium-based, so it is fast and allows add-ons from the Chrome library. Opera also has a built-in ad blocker, a built-in VPN, a crypto wallet, and supports integrated apps like WhatsApp and Facebook Messenger. Disadvantages may be that it’s not as fast as Chrome, it’s not as clean and uncluttered as Chrome or Edge, and it may be lacking some features like social media sharing tools.

Firefox  

Mozilla Firefox is fast (just behind Chrome) and has good built-in security tools such as Google Safe Browsing, a native pop-up blocker, excellent levels of support, and warnings about whether there is SSL or TLS encryption on a website. Firefox also offers add-ons or browser extensions. Its disadvantages may include its relatively high system resource requirements, plus it has experienced a decline in recent years which may lead some to question its longevity.

Some Privacy-Focused Browsers

DuckDuckGo  

DuckDuckGo is a privacy-centred search engine / privacy browsing app, which is available as a download for mobile devices and as a Chrome extension. DuckDuckGo retains a user’s privacy by not saving the user’s browser history, forcing sites to use encrypted connections, blocking cookies and trackers (including ‘hidden trackers’ before they load), and by stopping a user’s searches being sold to third parties for profiling and advertising. It also uses Smarter Encryption, which utilises a list of millions of HTTPS-encrypted websites generated by continuously crawling the web instead of crowdsourcing, thereby keeping it current.

Epic

This is another privacy- and security-focused browser gaining in popularity that blocks ads, trackers, fingerprinting, crypto mining and ultrasound signalling, and offers a free VPN (with servers in 8 countries).

Tor  

Tor (short for ‘the onion router’) is a browser that uses a distributed network (randomly selected nodes) to anonymise the user’s IP address. Tor encrypts traffic and makes it very difficult for a user’s web traffic to be traced or for users to be tracked, unless they reveal their IP address by enabling some browser plugins, downloading torrents, or opening downloaded documents. Although it’s good for avoiding censorship (among other things), Tor is also used to access the Dark Web.

Brave  

Brave is another privacy-focused browser that is free, open-source, and based on Chromium. It blocks ads and trackers, allows users to use Tor in a tab to hide their history, and masks location from the sites a user visits by routing a user’s browsing through several servers before it reaches its destination.

What Does This Mean For Your Business?  

Chrome is still by far the most popular browser and the way it links up with Google’s other suite of useful tools (e.g. analytics and AdWords) means that it’s likely to be widely used by most UK businesses and organisations. Edge has adopted Chromium and, as such, is a big improvement on Internet Explorer, but Safari seems to be gaining in popularity, fuelled by the popularity of Apple devices. At a time when privacy and online protection are valued more than ever, some organisations may be looking at the value of more privacy-focused browsers for certain tasks and situations, e.g. DuckDuckGo, just as they value the encryption privacy of apps like WhatsApp. The browser battle is always ongoing and although Google’s Chrome is far ahead, there is closer competition behind which gives today’s users more choice.

Tech News : Social Networks May be Forced To Filter Out Unverified Accounts

If the Online Safety Bill is passed in its current form, it could mean that the main social networks will be forced to filter out any unverified accounts.

One Of Two New Duties Added To The Bill 

Last Friday, the government published details on its website of two new duties to its Online Safety Bill that are designed to strengthen the law against anonymous online abuse and protect people from online trolls. The first of the two new duties will force large, popular social media sites (‘category one’ companies with the largest number of users and highest reach) to give adult users the ability to block people who have not verified their identity on a platform. The large social media companies have been singled out because the government says they pose “the greatest risk”. The government says that the big social media platforms must now offer ways for their users to verify their identities and control who can interact with them.

How? 

The government’s suggestions for how this could be done include:

– Users ticking a box in their settings to receive direct messages and replies only from verified accounts.

– The platform providing users with an option to verify their profile picture to ensure it is a true likeness.

– The use of two-factor authentication where the platform sends a prompt to a user’s mobile number for them to verify.

– People using a government-issued ID such as a passport to create or update an account.

Why? 

The government says that too many people currently experience online abuse, and that anonymity may be fuelling this, with offenders having little to no fear of recrimination from either the platforms or law enforcement.

Examples include England’s Euro 2020 footballers suffering racist abuse, female politicians receiving death and rape threats, and ethnic minorities and LGBTQ+ people being subject to coordinated harassment and trolling.

The Responsibility Of Tech Firms 

Digital Secretary Nadine Dorries said of the new duties in the Bill:

“Tech firms have a responsibility to stop anonymous trolls polluting their platforms” and “people will now have more control over who can contact them and be able to stop the tidal wave of hate served up to them by rogue algorithms.” 

The Second New Duty 

The second of the two new duties added to the bill will require platforms to provide users with options to opt out of seeing harmful content. This duty has really been introduced to the bill to help tackle a growing list of toxic content and behaviour on social media which falls below the threshold of a criminal offence, but which still causes significant harm. This includes, for example, racist abuse, the promotion of self-harm and eating disorders, and dangerous anti-vaccine disinformation.

The government has suggested that this could be achieved by the larger social media platforms making available settings and functions where users can choose whether they want to be exposed to any legal but harmful content where it is tolerated on a platform.

What Does This Mean For Your Business? 

With the government hoping to introduce the (draft) bill as law soon, and with social media platforms very much in its sights, the ‘category one’ companies are unlikely to be surprised by these extra responsibilities, which it would be hard to argue against, in theory. It has not yet been decided, however, which methods the household-name platforms will provide to be compliant (e.g. settings tick boxes and filtering tools). Also, the Bill would not stop people making anonymous accounts and posting abuse, but would force the social media platforms to give users the option to opt out of seeing material posted using unverified accounts. The sanctions that come with the bill (i.e. imposing criminal sanctions on named tech executives) also look unlikely to actually be imposed during a further two-year ‘grace period’. All in all, measures that reduce the ability of online trolls and those spreading hate to reach their victims must be a good idea in principle, and it now remains to be seen what else may be added to or removed from the bill before it comes into force in the next few months.

Tech Tip – How To Make Sure All Data Is Removed When Re-Setting A Windows Device

If you need to use the “Remove everything” option to reset a Windows device, and don’t want to leave any data behind (a known current issue), here’s the latest workaround from Microsoft:

– Sign out or unlink OneDrive before resetting the Windows device. Instructions can be found in the “Unlink OneDrive” section of the Microsoft support pages: Turn off, disable, or uninstall OneDrive. 

– Take the following steps to mitigate the issue on devices that have already been reset: KB5012334—Delete the Windows.old folder using Storage sense in the Settings app.

Sustainability : How Bi-Directional Charging In EVS Could Relieve Pressure On The Grid

Bi-directional charging technology offers a way to relieve the pressure on the grid from EV charging, share power, and reduce costs for EV owners.

What Is Bi-Directional Charging? 

Instead of only taking power from the grid to charge an EV, bi-directional charging allows an EV’s battery both to receive energy from the electricity grid and to share its excess stored energy with the grid. I.e., with bi-directional (two-way) EV chargers, electricity can flow both ways – from the grid to the vehicle, and from the vehicle to the grid. This type of charging can be particularly effective when combined with the use of solar rooftop chargers (reducing reliance on the grid altogether).

How Does It Work? 

When an EV is charged using AC (alternating current) electricity from the national grid via a charging point, e.g. at the supermarket, this is converted to DC (direct current) electricity by a converter in the vehicle or in the charger, so the electricity can be used by the vehicle. With bi-directional charging, the internal converter in the charger can also convert the energy stored in the EV’s battery from DC electricity back into AC electricity so it can be used for the house or sent back to the national grid.

The Benefits 

The main benefits of bi-directional charging for EVs are that:

– EV batteries can store enough energy for the excess to be used by the home or the grid. For example, an EV battery can store many times more energy than the standard 7 kWh lithium batteries found in solar photovoltaic systems.

– EV owners can save money on their energy bills using bi-directional charging. For example, in 2019, in a demonstration by Fermata Energy (a U.S. V2G solution provider), discharging less than half of the battery capacity of a Nissan LEAF for a peak 15-minute period was found to have saved $191.79 in utility bill demand charges during the first month. Also, charging EVs at off-peak hours at the lowest rates while feeding power back into the grid when energy rates are highest can reduce overall energy costs.

– The national grid’s performance can be improved by pressure on it being relieved during high-demand periods.

Drawbacks 

Bi-directional charging is still a relatively new idea. This means that there are currently only a few EVs that have bi-directional charging capabilities, e.g. the Nissan LEAF and the Mitsubishi Outlander plug-in hybrid. This year, however, these capabilities are expected to be built into more makes and models, e.g. all Teslas, the Volkswagen ID range and the Ford F-150.

Being a new innovation, there are only a few bi-directional wall box chargers currently on the market and these are relatively expensive. Also, advantages can only currently be gained by those who charge at home or with a dedicated workplace charger. Some security commentators have also warned that EV charger security problems could be spread to the home or grid with the expansion of bi-directional charging.

Charging Network Still A Big Worry In the UK

Far from thinking about bi-directional charging, many people in the UK are still holding off from committing to EVs due to worries about finding charging points / the lack of an effective charging network.

For example, the UK’s Society of Motor Manufacturers and Traders (SMMT) has noted that although demand for green cars has surged (1 in 6 new cars), the public charging infrastructure hasn’t kept pace. Also, the SMMT’s concerns about public chargers not being equally distributed across the UK, and the need to regulate the price of charging, have led it to call for a unified, national approach that could be led by a new regulator, e.g. “Ofcharge.”

What Does This Mean For Your Organisation? 

Although still at its beginnings, bi-directional charging looks like being an innovation that could save EV owners money, reduce reliance on the grid and reduce pressure on the grid. At the same time bi-directional charging could be an important way to support and encourage the growth of EV adoption thereby helping meet green targets. Combining bi-directional charging with other green power sources, such as solar panels, can help maximise its sustainability and bi-directional charging looks as though it will not only benefit individual and business EV owner/operators but could be another valuable tool for helping to tackle pollution and climate change.

Featured Article : Firms Prepare For The Quantum Apocalypse

In this article, we look at what the ‘quantum apocalypse’ is, and what businesses are doing to prepare for this threat.

What Is The Quantum Apocalypse? 

The so-called ‘quantum apocalypse’ refers to the unspecified point in the future where someone (e.g. threat actors or a foreign power) has a functioning quantum computer that can break the kind of encryption that we trust to secure our data, transactions, and communications. This vision is apocalyptic because it would mean that this quantum computer could be used to shut down government defence systems, clear bank accounts, clear Bitcoin wallets, create financial chaos, and access all manner of data and communications systems. In terms of national, enterprise, and personal security, this scenario (which is a real possibility) could really be apocalyptic, especially for those agencies, businesses, and organisations that have a legal responsibility to hold and store our data.

What Is A Quantum Computer? 

A quantum computer can carry out complex calculations at high speed. Whereas traditional computers store data in binary ‘bits’ (ones and zeros) and work by creating and storing long strings of these ‘bits’, quantum computing’s ‘qubits’ (quantum bits) can be both at once. This is because a qubit can hold a zero, a one, or any proportion of both zero and one at the same time, and an array of 64 qubits can use something called ‘superposition’ to represent all 2^64 possible values at the same time. This means that information can be processed much more quickly than with a traditional computer.

Dramatically Speed Up Complex Tasks 

The fact that quantum computers can store so much more data in fewer bits means that, in addition to being able to solve extraordinarily complex problems, they can do so at high speed. Quantum computers can be used, for example, to dramatically speed up tasks that have traditionally taken a long time, such as finding new drug molecules.

The results can be astounding, where crunching numbers that would take a classical computer a week could take a quantum computer less than a second. For more information (and examples like this), there are some interesting take-aways from IBM at: https://www.ibm.com/quantum-computing/what-is-quantum-computing/

The Risk And The Fear 

The fear is, however, that although the rate of improvement in quantum computing has slowed in recent years, over time quantum computers are still likely to become many times faster than today’s machines. This raises the possibility that the world could be caught off guard by someone developing a quantum computer that could render most known methods of encryption useless. This risk has been taken very seriously for several years now. For example:

– In 2015 in the US, the National Security Agency (NSA) warned that progress in quantum computing was at such a point that organisations should deploy encryption algorithms that can withstand such attacks from quantum computers.

– In November 2018, security architect for Benelux at IBM, Christiane Peters, warned of the possible threat of commercially available quantum computers being used by criminals to try and crack encrypted business data.

How Are Businesses Preparing To Mitigate The Threat? 

Having known about this threat for some time, many global businesses in the financial and tech sectors have been taking ‘quantum-proofing’ measures to protect themselves and their stakeholders. Examples of how businesses have been preparing include:

– Former IBM engineer, now head of the Future Lab for Applied Research and Engineering (FLARE) at JPMorgan Chase, Marco Pistoia has been helping the financial giant to develop quantum key distribution (QKD) that works effectively over distances. This hybrid technology can boost security for financial transactions and guard against quantum hacks. JPMorgan Chase is also working with the US National Institute of Standards and Technology (NIST) to provide recommendations about the algorithms to use.

– NIST is itself working to develop a standardised defence strategy that would be able to protect industry, government and academia as well as America’s critical national infrastructure.

– Google, Microsoft, Intel, and IBM are reported to be working on solutions. These companies are well-placed to develop solutions that could provide security against the known quantum threats. For example, IBM has been involved in quantum computing for some time and has opened a Quantum Computation Centre in New York bringing online (and making accessible via the cloud) the world’s largest fleet of quantum computing systems for commercial and research activity that exist outside of experimental lab environments. It also appears (from a paper briefly published to a NASA website) that Google has already achieved ‘quantum supremacy’ by making a quantum processor that can complete a task in 200 seconds, which would take a regular state-of-the-art supercomputer approximately 10,000 years to perform.

– Specialist companies like Quantinuum and Post-Quantum are already offering solutions. For example, Post-Quantum, which describes itself as “the only source of usable quantum-safe solutions”, offers software products to guard against the risk and says it “began solving the post-quantum encryption challenge back in 2009”. The company also authored the Internet Engineering Task Force (IETF) standards for a post-quantum Virtual Private Network, which is being trialled by NATO.

What Does This Mean For Your Business? 

Quantum computers offer so much promise in enabling governments, businesses, and organisations to solve complex problems in a mere fraction of the time that normal computers take. There is a very real risk, however, that this power, in the wrong hands, could be weaponised and used to crack the encryption that the world trusts and relies upon. The race is on, therefore, to create powerful algorithms that can stand up to attacks from quantum computers. Known by grand names such as post-quantum cryptography / quantum-proof cryptography, and quantum-safe / quantum-resistant cryptographic (usually public-key) algorithms, these are the next generation of protection for businesses everywhere. Although it seems a long way off, the evidence is that the threat is real, and the development of these algorithms and other solutions yet to come is likely to play a vital role in protecting us all from the threat of the so-called ‘quantum apocalypse.’

Tech News : Damage Caused While Wearing VR Headsets Results In 31% Increase In Insurance Claims

Insurer Aviva has highlighted how accidental damage caused by VR headset-wearing gamers caused a 31% jump in home contents claims in 2021.

Average of £650  

Aviva reports that the average VR-related claim for accidental damage in 2021 was about £650, for example for TVs that have been broken in the real world after gamers, immersed online (e.g. within the Metaverse), became overenthusiastic. Although claims for VR headset-related home breakages jumped 31 per cent last year, Aviva reports that there has been a 68 per cent overall increase in such claims since 2016.

More Expected This Year 

Aviva has also said that with many people in the UK having acquired VR headsets for Christmas, it is likely that there will be even more such claims in 2022.

What Kind Of Damage? 

On Aviva’s Twitter account, the company highlighted punched ceiling fans, broken furniture and smashed lighting as the kind of household damage caused by people wearing VR headsets. Aviva’s tweet on the subject, which linked to a Guardian article, came with the advice “If you have a VR headset, take care.” 

Injuries Too 

Some specific examples of real-life injuries caused when people are wearing VR headsets can be found on the Reddit feed (subreddit) https://www.reddit.com/r/VRtoER/ where people have shared their painful (video and photo) experiences. These include injured hands from hitting a desk, children getting accidentally hit, and accidentally falling and headbutting the TV.

In the recent Guardian article linked from Aviva’s tweet, Aviva’s UK property claims director, Kelly Whittington, explained that as new games and gadgets become more popular, this tends to be reflected by a rising number of claims relating to those gadgets, as happened with handsets, fitness games and rogue fidget spinners. Whittington is quoted as saying that “These devices can be a great source of fun, but we’d encourage people to be mindful of their surroundings and take a look at their home insurance to make sure it suits their needs,” and recommends that users should consider adding accidental damage cover to their home insurance plan.

What Does This Mean For Your Business? 

With VR headsets increasing in popularity and Meta’s (Facebook’s) ‘Metaverse’ on the way, Aviva’s figures have highlighted both a risk to health and property, and a financial risk to home and business users of VR headsets. For businesses where VR headsets are used (e.g., tech and entertainment/experience businesses), it highlights an area for legal concerns as well as the need for additional insurance cover e.g., damage and/or injuries resulting from staff or customers having a VR headset-related accident. For insurance companies, the VR headset trend will mean the need for policy reviews to address the situation and could mean additional revenue from more people taking out accidental damage cover. Also, insurance companies may have to investigate and perhaps pay out more on such claims. VR headset manufacturers may also need to add more warnings and may introduce product safety innovations to help prevent injury and breakages from occurring.

Tech Insight : Why Solid Black Bars May Be Best For Redacted Text

In this insight, we look at how best to prevent redacted text from being ‘unredacted’ by certain software tools, and at what researchers advise based on recent experiments.

The Problem 

For businesses and organisations, the increased need for data sharing and/or making some data public can mean that certain (sensitive) parts of documents need to be obscured/obfuscated/censored for legal or security purposes (and to stop data leaks and fines). There are several different methods for achieving this in a document, including blurring, swirling, or pixelating letters and images. The issue is that some of these methods may not be effective enough and could, possibly, lead to the text being recovered/de-obfuscated using certain tools and methods, e.g., the Depix tool or the ‘Unredacter’ tool. A Python program like Depix, for example, is designed to recover pixelated text to a readable format via a simple command, and this type of tool in the wrong hands could potentially lead to a security breach.

Challenge Issued 

The challenge of testing how secure pixelated text really is has been a focus for researchers for some time. For example, researchers at a company called Jumpsec tested the Depix tool to see if it could recover text that had been pixelated. The results broadly showed that:

– Using the supplied examples (the tool author’s own test images), Depix could recover the pixelated text to a reasonable degree.

– Using original content (not the author’s supplied example), and after taking a long time, Depix failed to recover the obfuscated text.

It was concluded that the Depix tool poses minimal risk to security at present, as it requires specific criteria to be met to be effective, but that there is a small chance that users can depixelate images using the tool.

Jumpsec then issued (2021) an Internet challenge for someone to develop a tool that could effectively recover censored text to a readable format.

Bishop Fox Research

The challenge was accepted by Dan Petro, Lead Researcher at US security company Bishop Fox. Mr Petro built his own ‘Unredacter’ tool and tested it in a similar way to the Depix tool.

Mr Petro noted that pixelation tools use an algorithm to divide an image into a grid of a given block size (e.g. 8×8) and, for each block, set the colour of the redacted image to the average colour of the original over that same area. This “smears” the information of the image out across each block and, although it can work, it has several problems. These include characters not lining up with the blocks and bleeding over into neighbouring blocks, problems with white spacing, problems with variable-width fonts, and font inconsistency.

The ‘Unredacter’ Tool 

The ‘Unredacter’ tool created by the Bishop Fox researchers, however, solved many of the problems that the Depix tool had encountered, and was able to recover the text in a test image to a reasonable degree.

The Conclusions 

The conclusions of both the Jumpsec Labs and the Bishop Fox text recovery experiments were the same. Both advise that, when redacting text, you should only use solid black bars covering the whole text, never other methods such as pixelation, blurring, fuzzing, or swirling, and that you should edit the text as an image so that the underlying characters are no longer present in the file. Bishop Fox’s Mr Petro also warns that using a black background with black text in a Word document is not redaction at all: the text can still be read simply by highlighting it. Such an insecure redaction technique could therefore lead to the accidental leak of sensitive information.
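The following is an added example, not code from the article or from the Depix or Unredacter projects, illustrating the point made in the block-averaging description above and in the conclusions: a redaction method whose output still depends on the hidden content preserves information, whereas a solid bar produces the same output whatever is underneath. The two tiny bitmaps, the block size and the greyscale values are constructed for the illustration.

```python
# Added example (not from the article or the tools it names): a toy model of
# block-average pixelation versus a solid black bar, showing why one leaks
# information about the hidden text and the other does not.
from typing import Callable, List

Image = List[List[int]]  # rows of greyscale values: 0 = paper, 255 = ink


def from_strings(rows: List[str]) -> Image:
    """Build a constructed bitmap from '#'/'.' art ('#' is ink, '.' is paper)."""
    return [[255 if ch == "#" else 0 for ch in row] for row in rows]


# Two constructed 5x10 renderings of different two-letter strings ("HI" and "TV").
TEXT_A = from_strings([
    "#...#..###",
    "#...#...#.",
    "#####...#.",
    "#...#...#.",
    "#...#..###",
])
TEXT_B = from_strings([
    "#####.#..#",
    "..#...#..#",
    "..#...#..#",
    "..#....##.",
    "..#....##.",
])


def pixelate(img: Image, block: int) -> Image:
    """Block-average pixelation as described in the article: each output cell is
    the mean of the corresponding block x block region of the input."""
    height, width = len(img), len(img[0])
    out = []
    for y in range(0, height, block):
        row = []
        for x in range(0, width, block):
            cells = [img[yy][xx]
                     for yy in range(y, min(y + block, height))
                     for xx in range(x, min(x + block, width))]
            row.append(sum(cells) // len(cells))  # integer mean, like an 8-bit image
        out.append(row)
    return out


def black_bar(img: Image) -> Image:
    """Solid-bar redaction: every pixel in the covered region becomes ink."""
    return [[255] * len(row) for row in img]


def content_independent(redact: Callable[[Image], Image], samples: List[Image]) -> bool:
    """True if the method yields identical output for every sample, i.e. the
    redacted region carries no information about what was underneath."""
    outputs = [redact(s) for s in samples]
    return all(o == outputs[0] for o in outputs)


if __name__ == "__main__":
    # Even with a block as tall as the glyphs, the two pixelated outputs differ.
    print("pixelated A:", pixelate(TEXT_A, 5))
    print("pixelated B:", pixelate(TEXT_B, 5))
    print("pixelation content-independent:",
          content_independent(lambda i: pixelate(i, 5), [TEXT_A, TEXT_B]))
    print("black bar content-independent:",
          content_independent(black_bar, [TEXT_A, TEXT_B]))
```

Because the pixelated outputs differ between the two candidate strings, anything that can render text the same way as the original document can tell the two apart; the bar cannot be told apart from any other bar, which is exactly why both research teams recommend it.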

What Does This Mean For Your Business? 

There are now so many ways that a data security breach could happen and although using an insecure redaction technique may seem like a more unusual one, the result could be just as devastating as other more popular types of breaches. The lessons for businesses resulting from this research are that software could possibly be used to uncover redacted text and that relying upon fast methods such as using a black background with black text is ineffective and very risky. The research shows that businesses can best protect themselves from this threat by editing the text as an image and by only using black bars covering the whole text.

Tech News : Ex School IT Technician Jailed For Cyber Attack

A sacked school IT Technician who took revenge by deleting data and sabotaging his old school’s network (and by wiping the computers of everyone who was logged in) has been jailed.

Revenge Hack 

As reported on Leicestershire Live, a court was told that Adam Georgeson, 29, who was dismissed from his job as an IT Technician last January at Welland Park Academy in Leicestershire, took revenge by hacking back into the school system and deleting data.

School Network Sabotaged 

In the attack, Mr Georgeson sabotaged his old school’s network, thereby taking it offline for 10 days. This meant that staff were forced to work long overtime hours without payment to try and rectify the problems. Also, the attack meant that 4 staff members were unable to resume working remotely for nearly four months!

Personal Devices of Pupils Wiped 

The other particularly distressing aspect of the attack was the wiping of any devices that were connected to the school’s network at the time. At least 125 devices, including those belonging to 39 families and computers at the school, had their files completely wiped, resulting in the loss of personal family photographs as well as important work and study files. It was reported that the school had to spend £15,600 to restore the system. This spending also meant that cutbacks had to be made on school spending elsewhere, thereby magnifying the impact of the attack.

Losses 

Some of the losses reported in the attack, highlighted in personal impact statements, included:

– A full-time student, in the second year of university studies losing most of her work from the preceding 18 months, leading to her failing an exam.

– A father-of-three losing 1,000 family photographs.

– An assistant headteacher losing learning-related materials and all of his son’s GCSE coursework.

Not The Only Attack 

Mr Georgeson is also reported to have carried out another cyber-attack a few months earlier on a former employer’s business. The attack on Rutland-based Millennium Computer Services, from where Mr Georgeson had been dismissed for misusing the company’s credit card to buy personal computing equipment (without permission), caused chaos to the company’s computer system, putting it out of action for 8 days.

Why? 

The court was told that Mr Georgeson’s actions were the result of a crisis of depression and anxiety. The Judge, however, ruled that the motivation for the attacks was spite and revenge. After pleading guilty to two counts of unauthorised modification of computer material under the Computer Misuse Act, Mr Georgeson was jailed for 21 months.

What Does This Mean For Your Business? 

This case highlights the need for businesses and organisations to have procedures and systems in place for dealing with and minimising the risks associated with employee exit. Although this case sounds exceptional, and the former employee was found responsible for malicious hacking, it should also be noted that businesses and organisations have a legal responsibility to maintain data security, and this applies to employee exit (i.e. the ‘insider threat’) as much as anywhere else. In order to reduce this kind of threat, areas that businesses and organisations need to address as soon as a staff member leaves could, for example, include:

– Revoking login details and rights/permissions for company computer systems and networks.

– Revoking access to the CRM, thereby protecting data relating to the company, its customers, its other stakeholders, sales, communications and more.

– Stopping access to collaborative working apps/platforms and shared, cloud-based, remote working platforms e.g., Teams or Slack.

– Changing the person’s personal voicemail message on the company phone.

– Ensuring that the departing staff member returns all company devices. This means having procedures in place to keep a record of which company devices have been allocated to each employee.

– Retrieval of any backup/storage media e.g., USBs may also help to prevent some security threats.

– Making sure that any stored items in separate folders on the departing person’s computer are transferred back to the company/organisation or deleted.

– Having a policy in place for the regular changing of passwords and changing any passwords shared with multiple members of staff when one person leaves.

– Changing PINs for any credit/debit cards that the person was authorised to use.

– Immediately letting the team/person responsible for IT security know that a person has left, particularly if the person left ‘under a cloud.’

– Making sure that all company-related keys, pass cards, ID cards, parking passes, and any other similar items are retrieved.

– Retrieving any physical documents that the employee was issued e.g., a handbook that contains information and data that could threaten company security.

– If the departing employee’s email address and extension feature on the website, and/or if that employee is shown as holding the role they are leaving, this needs to be removed from the website. Also, check that company social media (e.g., LinkedIn and Facebook) doesn’t indicate that the departed employee is still in their role. Checks should also be made to ensure that the departing employee doesn’t feature elsewhere in the business/organisation’s online estate, e.g., at the top of the website home page or other prominent pages.
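As an added example, not part of the original article, the first two checklist items (revoking logins and system access) and the item about telling the IT security team can be backed by a simple automated check: compare an HR leaver register against an access and asset inventory to find anything not yet revoked or returned, and scan authentication logs for leaver accounts used after their last day. The usernames, log format, hostnames and inventory below are all constructed for the illustration; a real deployment would read them from the identity system, the asset register and the log pipeline.

```python
# Added example (not from the article): cross-check a leaver register against
# an access inventory and authentication logs to catch accounts that were never
# revoked and logins that happened after someone left. All data is constructed.
import re
from datetime import date, datetime

# Constructed leaver register from HR: username -> last working day.
LEAVERS = {"agreen": date(2022, 1, 14), "bsmith": date(2021, 11, 30)}

# Constructed access/asset inventory snapshot taken after those dates.
INVENTORY = [
    {"user": "agreen", "type": "account", "system": "CRM", "status": "active"},
    {"user": "agreen", "type": "device", "asset": "LAPTOP-0142", "status": "returned"},
    {"user": "agreen", "type": "device", "asset": "USB-0077", "status": "issued"},
    {"user": "bsmith", "type": "account", "system": "AD", "status": "disabled"},
    {"user": "cjones", "type": "account", "system": "AD", "status": "active"},
]

# Constructed auth log lines in an assumed "ts host auth: RESULT user=.. src=.." format.
AUTH_LOG = [
    "2022-01-20T08:02:11 fileserver01 auth: ACCEPT user=agreen src=203.0.113.7",
    "2022-01-10T09:15:00 fileserver01 auth: ACCEPT user=agreen src=10.0.0.5",
    "2022-01-21T22:41:03 vpn-gw auth: REJECT user=bsmith src=198.51.100.9",
    "2022-01-21T22:43:10 vpn-gw auth: ACCEPT user=cjones src=10.0.0.8",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>ACCEPT|REJECT) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def stale_entitlements(inventory, leavers):
    """Inventory entries still live for someone on the leaver register:
    accounts not disabled and devices (including removable media) not returned."""
    stale = []
    for item in inventory:
        if item["user"] not in leavers:
            continue
        if item["type"] == "account" and item["status"] != "disabled":
            stale.append(item)
        elif item["type"] == "device" and item["status"] != "returned":
            stale.append(item)
    return stale


def residual_access(log_lines, leavers):
    """Authentication events for leaver accounts dated after their last day.
    An ACCEPT means the account still works; a REJECT is an attempt worth a look."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in practice count these separately
        user = m["user"]
        if user not in leavers:
            continue
        when = datetime.fromisoformat(m["ts"])
        if when.date() <= leavers[user]:
            continue  # activity while still employed is expected
        severity = "residual-access" if m["result"] == "ACCEPT" else "attempted-access"
        findings.append({"severity": severity, "user": user, "when": when,
                         "host": m["host"], "src": m["src"]})
    return findings


if __name__ == "__main__":
    for item in stale_entitlements(INVENTORY, LEAVERS):
        print("NOT REVOKED:", item)
    for finding in residual_access(AUTH_LOG, LEAVERS):
        print(finding["severity"].upper(), finding["user"], finding["when"],
              "on", finding["host"], "from", finding["src"])
```

Run daily against the current leaver list, the first check turns the offboarding checklist into something that is verified rather than assumed, and the second gives the IT security team the early warning the article asks for when a leaver’s credentials are still being used.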