Outlook shared calendars preview

Microsoft have enabled a preview option in Outlook for the new shared calendar functionality. Have a look at this video for an overview.

Preview new shared calendars updates in Outlook for Windows

Microsoft is continuing to invest in Outlook for Windows calendar capabilities to assist customers in managing their time and connecting with people who help them achieve more. We are introducing an opportunity for Office 365 customers to preview new shared calendar capabilities aimed at improving the speed and reliability of how they sync. Learn more at the Outlook Help Center: https://support.office.com/outlook

Passwords – managing and/or doing without.

Passwords are the Achilles heel of security. As stated in this Microsoft video, users hate them but hackers love them.

Lorica Support for our Office 365 clients is now conditional on all user accounts being protected by MFA. You can find out what MFA is from this earlier post.

If you are not using MFA, please raise a support ticket to request enforcing this.

Fancy doing away with passwords on Office 365 as shown in the video above? Please get in touch for details on the options.

However, you’ll still have passwords for many other sites and services. We strongly recommend a password manager. It removes the need for your users to remember passwords, and with it the temptation to reuse the same password on several sites or to choose passwords that are too simple.

There are several acceptable programs for managing passwords. Our preferences are RoboForm and 1Password, both of which we can supply and assist you with setting up. Again, get in touch for more information.

MFA setup for users in Office 365

  • 7 minute read
  • 10 minutes of video

Before MFA is turned on for your account and enforced, you need to have completed the setup procedure. It’ll only take a few minutes and is well worth it for peace of mind.

This is no more difficult than the setup you may already have completed for other accounts and services, such as your bank’s online service, Facebook and many more.

The steps required to enforce MFA on your account are as follows.

  1. Set up MFA and your authentication methods on your account
  2. Request MFA to be turned on for your account
  3. Use MFA.

You still need to have a decent password so don’t be complacent. Defence in depth is good.

Open your favourite browser and log in to the Office 365 portal. Then open a new tab in the same browser and go to the following URL: https://aka.ms/MFASetup

Here are two videos that show you the procedure. The first is from Microsoft and is a few years old, so the Office 365 look and feel is out of date, but the explanation is very comprehensive.

Channel 9 MFA

Here is a video where Fred BLOGGS runs through the setup on his account using the mobile app.

It’s important to remember that you don’t respond “yes” every time the app asks you to, only when you know that you, and only you, are trying to log in or use a program that is using your account.

If it pops up while you’re in the pub then chances are it’s some slimy toe rag trying to get into your account for mischief.

Office 365 User accounts

It is imperative that your users have secure accounts.

Our recommendation is that MFA should be immediately enabled for all user accounts. Please raise a ticket to request this on your tenancy as soon as you are ready.

MFA = Multi-factor authentication.

This is adding another method of proving who you are when logging on. The preferred method is the authenticator app on your mobile phone, as it’s quick and simple, and nobody else can log into your account unless they know your username and password AND have your mobile phone.
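The following is an added example from the administrator’s side of this recommendation and of step 2 of the setup procedure above; it is example code, not Lorica’s own script. It reports which accounts in the tenancy have no MFA requirement yet and then enforces MFA for one user. It assumes the MSOnline PowerShell module that Office 365 tenancies used at the time of this post, a Global Administrator sign-in, and a placeholder user principal name.

```powershell
# Added example, not part of the original post. Assumes the MSOnline module
# (Install-Module MSOnline) and a Global Administrator sign-in.
Connect-MsolService

# Which accounts have no per-user MFA state at all? An empty
# StrongAuthenticationRequirements collection means MFA is disabled for them.
$noMfa = Get-MsolUser -All |
    Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object DisplayName, UserPrincipalName
$noMfa | Format-Table -AutoSize

# Enforce MFA for one user (placeholder UPN). "Enabled" only prompts the user
# to register a method at their next sign-in; "Enforced" requires the second
# factor every time, so the user should have completed https://aka.ms/MFASetup
# first, and any client that cannot do MFA (e.g. POP/IMAP) will stop working.
$upn = "user@example.com"   # placeholder, replace with the real UPN
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = "*"
$req.State = "Enforced"
Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)

# Confirm the state and list the methods the user has registered
# (authenticator app notification, app code, SMS, phone call).
$u = Get-MsolUser -UserPrincipalName $upn
$u.StrongAuthenticationRequirements | Select-Object State
$u.StrongAuthenticationMethods | Select-Object MethodType, IsDefault
```

Run the report first and move anyone still on POP or IMAP to Outlook or a mobile app before enforcing, or they will lose mailbox access.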

Please email your account manager at Lorica to arrange a phone meeting if you would like to discuss this.

Office 365 MFA Overview

Security Update

Some security updates for you.

First some recommendations and a request for you to let us know if you’d like them implemented.

  • Office 365 credentials are your users’ skeleton key and should therefore be treated as such.
    • Usernames (UPN) should be kept secret. It’s preferable these are not the same as your email address.
    • Passwords should be complex and secure.
  • Laptops and mobile devices containing data should be encrypted
  • Users need to be “cyber aware” and trained.
  • Cloud backup is recommended.

Secondly, some changes we’ll be making to our clients’ Office 365 tenancies:

  • Disabling POP and IMAP mailbox access. These protocols are insecure and outdated. If you’re using this method of mailbox access, an alternative needs to be implemented.
  • Audit logs will be enabled on Office 365. Let us know if you would like any reports or alerts set up.
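As an added example of the two tenancy changes just listed (example code, not Lorica’s own script): report which mailboxes still have POP or IMAP enabled, turn both protocols off for existing and future mailboxes, and switch on the unified audit log so reports and alerts can be built on it. It assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) and an Exchange administrator sign-in.

```powershell
# Added example, not part of the original post. Assumes the
# ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

# First find out who still relies on POP or IMAP, so those users can be moved
# to Outlook, ActiveSync or a mobile app before the protocols are switched off.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled
$legacy | Format-Table -AutoSize

# Turn POP and IMAP off for every existing mailbox ...
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false

# ... and for mailboxes created later, by changing the CAS mailbox plans.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# Enable the unified audit log and confirm the setting took effect.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# Example report once entries start arriving: sign-ins over the last 7 days.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations UserLoggedIn -ResultSize 50 |
    Select-Object CreationDate, UserIds, Operations
```

Audit entries are not retroactive, so the log only covers activity from the time it is enabled onwards.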

If you have any requests, questions or concerns please do get in touch.

Automatic Broadband Compensation Is Nigh

After Ofcom announced back in November 2017 that broadband and landline customers will automatically be able to get compensation from their providers when things go wrong without the need for a claim, it appears that an £8-per-day deal agreement has finally been reached between Openreach and five of the UK’s internet service providers.

Agreement

The voluntary agreement, which will apply only if a fault takes longer than two days to fix, is between BT, Sky, TalkTalk, Virgin Media, and Zen. Plusnet and EE had indicated previously that they would be prepared to sign up.

This should now mean that the new automatic compensation system will, from early 2019, bring automatic compensation to consumers (home, small and medium business customers) for a total loss of fixed broadband and phone connectivity.

Although Openreach, which looks after the infrastructure, is keen to point out that it has been offering compensation for broadband failures since 2008 and would pay compensation even when others prevented it from accessing its network, it has said that it is not prepared to pay out for events beyond reasonable control (force majeure events, e.g. flooding). Openreach also has another exclusion under its Service Level Guarantee (SLG) arrangements.

The new agreement, which was reached after more than six months of negotiations and is subject to a 12-month review of Cancelled Provisions, will mean £8 compensation per day, £25 compensation if an engineer does not arrive on schedule or cancels within 24 hours, and an offer of £5 per day for new services not starting on.

What Happened?

The voluntary, automatic compensation agreement only came about because of a review and intervention in the broadband market by regulator Ofcom, which introduced a voluntary Code of Practice.

It was found that compensation was only paid in approximately one in seven cases (15%) where landline or broadband customers suffered slow repairs, delayed installations or missed engineer appointments. The actual amount of compensation paid in these cases was also widely recognised to be small.

Considering that BT, Sky, TalkTalk, Virgin Media and Zen Internet collectively serve around 90% of landline and broadband customers in the UK, it was thought that an automatic compensation agreement that reflects the harm consumers suffer when things go wrong would help consumers and the industry alike, as well as satisfying Ofcom.

Openreach

Openreach has been set its own set of tough Quality of Service (QoS) standards by Ofcom, but Openreach’s position of not paying out for force majeure-type events, and Ofcom expecting retail ISPs to cover those costs themselves has led to ISPs perhaps feeling that they will end up paying for Openreach’s failures.

What Does This Mean For Your Business?

For retail ISPs, although the agreement may go some way to making them improve their quality standards (which is good for customers), the regulator estimated in 2017 that such an agreement could mean that 2.6 million UK customers could receive up to £142 million per year in automated compensation payments. This could represent a significant extra service cost to the ISPs, and hopefully one that won’t end up being passed on to customers in raised prices.

Ofcom’s research shows that nine in ten adults report going online every day and three-quarters of internet users say it is important to their daily lives. For businesses, a fast and reliable broadband connection is now vital to operate and compete effectively in today’s marketplace. Problems with broadband services can be very costly and frustrating for businesses, and many businesses feel that they shouldn’t have to fight for compensation on top of the problems caused by poor broadband services, and that current levels of compensation are too low and don’t come close to reflecting the harm caused. Automatic compensation at higher levels is, therefore, good news, and it is good news that an agreement has finally been reached and the (voluntary) scheme can start operating as soon as early 2019 (we hope).

The new automatic compensation scheme is particularly good news for small businesses because one-third of small and medium-sized enterprises (SMEs) choose residential landline and broadband services, and around half (49%) of SMEs don’t know if they’re entitled to compensation when service falls short (Ofcom figures).

70% Increase In DDoS Cyber Attacks On Black Friday Prompts Christmas Warning

Cyber security experts are warning companies with online shops to have adequate protection against DDoS attacks in place after a 70% increase in that kind of cyber-attack was recorded on Black Friday.

What Is A DDoS Attack?

A denial-of-service attack is a cyber-attack that is intended to make a computer or network unavailable to its users, and a distributed denial-of-service attack (DDoS) is one that uses multiple compromised systems, sometimes thousands, often infected with a Trojan, to launch a single attack on one system. The sheer number of requests that the target receives (called a ‘flood’) typically overloads its resources and memory and renders the targeted computer or network unavailable.

Black Friday – 70% Increase!

According to DDoS protection provider Link11, DDoS attacks on e-commerce providers showed an increase of more than 70% compared with other days in November, and Cyber Monday attacks showed a massive increase of 109% compared with the November average.

Up To 100 Gbps

Gbps (gigabits per second, i.e. billions of bits per second) is a measure of bandwidth on a digital data transmission link, and is the level used to gauge the intensity of DDoS attacks. When you consider that Link11 has reported that attacks of around 6 Gbps are more than enough to exceed the capacity of most websites, the levels of up to 100 Gbps recorded in some Black Friday and Cyber Monday attacks were extremely high.

The Cost of DDoS Attacks

Bitkom research found that cyber-attacks can cost retailers an average of €185,000. This total includes costs of IT repair, loss of sales revenue and reputational damage to the business.

Research from Corero, in April this year, found that DDoS attacks typically cost enterprises up to £35,000 per attack in lost business and productivity, as well as mitigation costs. The research revealed that 69% of respondents said their organisation experiences anywhere between 20 and 50 DDoS attack attempts a month, about one attack per day! 78% of respondents in the Corero research said that the loss of customer trust and confidence was the most damaging effect of DDoS attacks on business.

Christmas Warning

Based on the huge increase in DDoS attacks on Black Friday and Cyber Monday, cyber security professionals are warning businesses to prepare now in order to protect themselves against an expected high level of DDoS attacks over the Christmas shopping period.

What Does This Mean For Your Business?

Businesses trying to simply expand their own infrastructure to absorb peak loads with their own resources may not have enough resources to stop determined attackers who may decide to deliver ever greater attacks to overwhelm services completely.

One of the best ways that businesses can prepare themselves for a possible increase in DDoS attacks is by investing in scalable, cloud-based protection solutions that can counteract the kind of targeted overloads caused by DDoS attacks.

Making sure that the business has an up-to-date and workable Business Continuity Plan and Disaster Recovery Plan in place is also an important element of preparing for the aftermath of a successful DDoS attack.

SIM Swap Scam Warning

A recent investigation by BBC TV’s Watchdog Live revealed evidence that some mobile phone shop staff are not conducting proper ID checks for replacement SIM requests, thereby enabling some customers to become victims of SIM swap scams.

What is a SIM Swap Scam?

SIM swap scams are believed to have been in existence for the last four years in one form or another. In its current form, the SIM swap scam happens when a fraudster goes into a mobile operator’s shop and claims a false identity, i.e. the identity of one of that operator’s customers. The fraudster knows that the person they are claiming to be is a customer of that operator because of personal details that have been stolen in previous malware or cyber-attacks, and those details have been posted or sold on the dark web.

In the shop, while pretending to be that customer, the fraudster claims that their phone has been lost or stolen and asks to be issued with a replacement SIM. Once the fraudster has the replacement SIM, the victim’s SIM no longer works, and the fraudster can then access any online service that requires security codes to be sent to the phone, as well as being able to access any other of the victim’s personal details that are stored on the SIM.

In the past (London 2016), a similar version of the scam worked when fraudsters used an intercepted bank statement from the victim (or information found on social media) to call the person’s mobile operator, pass security checks, and get a blank SIM card. The fraudsters were then able to access the unique codes sent by the victim’s bank to log into their account and transfer funds.

What Should Happen When Someone Requests a Replacement SIM?

At the moment, mobile operators should conduct ID checks for replacement SIMs, but it is not compulsory. Also, the Watchdog Live investigation revealed that checks for contract customers and Pay As You Go customers may differ. For example, O2 said that it only asks for photo ID when replacing SIMs on monthly contracts, and that Pay As You Go customers will be sent an authorisation code if someone is trying to access the number.

What Happened in Reality?

In the investigation, which involved the secret filming of Watchdog Live’s own ‘King Con’ former fraudster in multiple EE, O2, Three and Vodafone stores, EE and Three staff conducted all the necessary checks, but Vodafone blamed rogue employees for not doing so. Also, replacement SIMs were obtained from O2 stores and the authorisation codes that the company says it sends out were not received.

What Does This Mean For Your Business?

It appears that this relatively old fraud is still very much alive and is a reminder of how valuable our personal details can be to criminals. Bearing in mind how serious this fraud can be for the victims, it is shocking that photo ID checks for replacement SIMs are not compulsory for all operators in all situations. Mobile operators could help themselves and their customers by introducing compulsory measures and by making sure, through training and in-built systems, that all staff conduct satisfactory checks.

It is also worrying that the investigation appears to have revealed a two-tiered security system, with Pay As You Go customers afforded less protection.

In the meantime, one way that we can help ourselves is to regularly check both our phone and bank statements, and if you have a contract with e.g. O2, contact them to confirm that no replacement SIMs have been issued in your name.

ICO Investigation Into Police Use of Facial Recognition Technology

ICO head Elizabeth Denham is reported to have launched a formal investigation into how police forces use facial recognition technology (FRT) after high failure rates, misidentifications and worries about legality, bias, and privacy.

Concerns Expressed In Blog Post In May

In a blog post on the ICO website back in May, Elizabeth Denham expressed several concerns about how FRT was being operated and managed. For example, although she acknowledged that there may be significant public safety benefits from using FRT, she highlighted concerns about:

  • A possible lack of transparency in FRT’s use by police and how there is a real risk that the public safety benefits derived from the use of FRT will not be gained if public trust is not addressed.
  • The absence of national-level co-ordination in assessing the privacy risks and a comprehensive governance framework to oversee FRT deployment. This has since been addressed to an extent by an oversight panel, and by the appointment of a National Police Chiefs Council (NPCC) lead for the governance of the use of FRT technology in public spaces.
  • The use and retaining of images captured using FRT.
  • The need for clear evidence to demonstrate that the use of FRT in public spaces is effective in resolving the problem that it aims to address, and that it is no more intrusive than other methods.

Commissioner Denham said that legal action would be taken if the Home Office did not address her concerns.

Notting Hill Carnival & Football Events in South Wales

Back in May 2017, South Wales and Gwent Police forces announced that they would be running a trial of ‘real-time’ facial recognition technology on Champions League final day in Cardiff. In June, the trial of FRT at the final was criticised for costing £177,000 and yet resulting in only one arrest, of a local man, and that arrest was unconnected to the event.

Also, after trials of FRT at the 2016 and 2017 Notting Hill Carnivals, police faced criticism that the technology was ineffective, racially discriminatory, and confused men with women.

Research

Recent research by the University of Cardiff, which examined the use of the technology across a number of sporting and entertainment events in Cardiff for over a year, including the UEFA Champions League Final and the Autumn Rugby Internationals, found that for 68% of submissions made by police officers in the Identify mode, the image quality was too low for the system to work. The research also found that the Locate mode of the FRT system couldn’t correctly identify a person of interest 76% of the time.

What Does This Mean For Your Business?

Businesses use CCTV for monitoring and security purposes, and most businesses are aware of the privacy and legal compliance aspects (GDPR) of using such a system and of how and where the images are managed and stored.

As a society, we are also used to being under surveillance by CCTV systems, which can have real value in helping to deter criminal activity, locate and catch perpetrators, and provide evidence for arrests and trials. It is also relatively common for CCTV systems to fail to provide good quality images and/or to be ineffective at clearly identifying persons and events.

With the much more advanced facial recognition technology used by police e.g. at public events, there does appear to be some evidence that it has not yet achieved the effectiveness that was hoped for, may not have justified the costs, and that concerns about public privacy may be valid to the point that the ICO deems it necessary to launch a formal and ongoing investigation.

Liberty Wins Right To Judicial Review Into Investigatory Powers Act

The fact that human rights group Liberty has won the right to a judicial review of the Investigatory Powers Act 2016 could mean a legal challenge in the High Court as soon as next year.

The Investigatory Powers Act

The Investigatory Powers Act 2016 (also known as the ‘Snooper’s Charter’) became law in the UK in November 2016. It was designed to extend the reach of state surveillance and requires web and phone companies (by law) to store everyone’s web browsing histories for 12 months and to give the police, security services and official agencies unprecedented access to that data. The Act also means that security services, government agencies and police can hack into computers and phones and collect communications data in bulk, and that judges can sign off police requests to view journalists’ call and web records.

Long Time Coming

Liberty was given the general go-ahead by the UK High Court to make a legal challenge against the Investigatory Powers Act in July 2017 and was enabled to do so with the help of £50,000 of crowdfunding raised via CrowdJustice.

Also, Liberty’s challenge is thought to have been helped by the European Court of Justice ruling (in a separate case, argued by Liberty lawyers back in 2016) that the same powers in the old UK state surveillance law, the ‘Data Retention and Investigatory Powers Act’ (DRIPA), were unlawful, and by a ruling by the Court of Appeal in January 2018 finding the same thing.

The UK government was, therefore, given until July 2018 to amend or re-write powers to require phone and internet companies to retain data on the UK population.

Part 4 of the Act

The most recent High Court ruling on 29th November gives Liberty the right to a judicial review of Part 4 of the Investigatory Powers Act. This is the part which gives many government agencies powers to collect electronic communications and records of internet use, in bulk, without reason for suspicion.

Concerns About GCHQ’s Hacking

Human rights groups and even Parliament’s Intelligence and Security Committee have become particularly concerned about an apparent shift towards the use of hacking of computer systems, networks and mobile phones for information gathering by intelligence services such as GCHQ in projects such as the ‘Computer Network Scaling’ programme.

What Does This Mean For Your Business?

The UK’s ability to spot and foil potential plots is vital. Although the Investigatory Powers Act may include measures that could help with that, many people and businesses (communications companies, social media, web companies) are still uneasy with the extent of the legislation and what it forces companies to do, how necessary it is, and what effect it will have on businesses publicly known to be snooping on their customers on behalf of the state. The 200,000+ signatures on a petition calling for the repeal of the Investigatory Powers Act after it became law, and the £50,000 crowdfunding raised from the public in less than a week to challenge parts of the Act in the courts, both emphasise the fact that UK citizens value their privacy and take the issues of privacy and data security very seriously.

Liberty is essentially arguing for what it sees as a more proportionate surveillance regime that can better balance public safety with respect for privacy. The government initially believed that this level of surveillance was necessary to counter terrorist groups and threats posed to safety and democracy by other states, but successive legal challenges by Liberty have seen it give some ground. According to the Intelligence and Security Committee, GCHQ is running a project that aims to improve the way that it complies with the Act, and MI5 has also said that it is trying to operate more compliantly. As for any additional oversight of government orders to internet and phone companies, this is estimated to be running about a year behind schedule, with IT problems being blamed for the delay.