UK Government Slammed For Encryption Mistruths

The technology secretary has drawn the ire of encryption experts by repeating false claims and half-truths about the Online Safety Bill.

The proposed legislation will effectively force private messaging companies that use end-to-end encryption to scan their users’ content for child abuse material. This would require users to download client-side scanning software to read messages on their devices before they’re encrypted.

Michelle Donelan told Radio 4’s Today program: “Technology is in development to enable you to have encryption as well as to be able to access this particular information.”

This prompted a furious backlash from experts.

Matthew Hodgson, CEO of secure messaging app Element, branded the statement as “factually incorrect.”

“No technology exists which allows encryption and access to ‘this particular information.’ Detecting illegal content means all content must be scanned in the first place. By adding the ability to use scanning technology at all, you open the floodgates to those who would exploit and abuse it,” he said.

“You put the mechanism in place for mass surveillance on UK citizens by the ‘good guys’ and the bad. It is utterly unacceptable to attempt to force tech companies to implement mass surveillance within their products.”

Donelan added that “the onus is on tech companies to invest in technology to solve this issue.” It’s an argument often repeated by lawmakers and law enforcers but roundly dismissed by technology experts as either disingenuous or ignorant.

“Countless experts, from private companies to academics and civil society organizations have told you this technology is impossible to build,” Hodgson responded. “Is the government expecting every tech company to plough money into a never-ending R&D project that will never result in a workable product?”

Read the full story here.

Financial Conduct Authority warns financial services firms over AI fraud

THE HEAD of the Financial Conduct Authority (FCA) has stated that Artificial Intelligence (AI) could disrupt the financial services sector “in ways and at a scale not seen before”, in parallel issuing a warning that the regulator would be forced to take action against AI-based fraud.

In a speech delivered to company executives in central London, Nikhil Rathi (CEO of the FCA) noted that there are risks of “cyber fraud, cyber attacks and identity fraud increasing in scale, sophistication and effectiveness” as AI becomes more widespread.

Prime Minister Rishi Sunak is fervently hoping to make the UK a centre for the regulation of AI, while the FCA’s work on this subject area is part of a much broader effort designed to work out how to regulate the big tech sector as it increasingly offers financial products.

During his delivery, Rathi warned that AI technology will increase risks for financial firms in particular. Senior managers at those firms will be “ultimately accountable for the activities of the business”, including decisions taken by AI.

“As AI is further adopted,” observed Rathi, “the investment in fraud prevention and operational and cyber resilience will have to accelerate simultaneously. We will take a robust line on this. There’s going to be full support for beneficial innovation alongside proportionate protections.”

Deepfake video

Rathi cited the example of a recent deepfake video of the personal finance expert Martin Lewis supposedly selling speculative investments. Lewis himself said the video was “terrifying” and has called for regulators to force big technology companies to take action in order to prevent similar scams.

Responding to Rathi’s comments, cyber specialist Suid Adeyanju (CEO of RiverSafe) said: “AI is set to become a regulatory minefield for the FCA, so maintaining a clear line of communication with businesses about the challenges and opportunities ahead is going to be critical in terms of maintaining high standards within the market.”

Adeyanju continued: “The tidal wave of AI-enabled cyber attacks and online scams adds an even greater level of complexity, so it’s vital that financial services firms beef up their cyber credentials and capabilities in order to identify and neutralise these threats before they can establish a foothold.”

Read the full story here.

CISA and NSA Publish BMC Hardening Guidelines

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released joint guidance on hardening Baseboard Management Controllers (BMCs).

Published on Wednesday, the document aims to address the overlooked vulnerabilities in BMCs, which can serve as potential entry points for malicious actors seeking to compromise critical infrastructure systems.

For context, BMCs are essential components embedded in computer hardware that facilitate remote management and control. They operate independently of the operating system and firmware, ensuring seamless control even when the system is powered down. 

However, their high privilege level and network accessibility make these devices attractive targets for malicious actors.

The joint guidance emphasizes the importance of taking proactive measures to secure and maintain BMCs effectively, adding that many organizations fail to implement even minimum security practices.

These shortcomings could result in BMCs being used by threat actors as entry points for various cyber-attacks, such as turning off security solutions, manipulating data or propagating malicious instructions across the network infrastructure.

To address these concerns, CISA and NSA recommend several key actions. These include protecting BMC credentials, enforcing VLAN separation, hardening configurations and performing routine BMC update checks.

Further, the agencies said organizations should also monitor BMC integrity, move sensitive workloads to hardened devices, use firmware scanning tools periodically and treat unused BMCs as potential security risks.

Read the full story here.

Sussex PCC denies CCTV could be switched off

The Sussex Police & Crime Commissioner has denied the county’s CCTV could be switched off from April.

Katy Bourne was questioned during a meeting of the Police & Crime Panel about problems with the renewal of a contract with service provider BT.

According to a police spokesman, BT has only offered a one-year fixed price contract rather than the three-year contract which had been expected.

Ms Bourne said an inspector was working on the issue full-time and that “nobody’s going to get switched off”.

The meeting also heard a “significant price increase” was forecast on the £250,000 per year already being paid, due to upgrades being made to the circuit technology.

Ms Bourne said: “The contract is BT’s. If they decide they don’t want to renew, they don’t have to renew – we can’t force them.

“They’ve agreed a price. It’s their price and we can’t afford it, effectively.

“My understanding, having spoken with the team in Sussex Police, is that nobody’s going to get switched off, so let’s just allay that concern.”

Read the full story here.

Ransomware Attacks Are on the Rise, Again

Ransomware attacks tumbled in 2022, offering hope that the tide was turning against the criminal gangs behind them. Then things got a whole lot worse.

Amid a concerted effort by global law enforcement to crack down on ransomware attacks, payments to hackers and even the volume of attacks fell in 2022. But the trend doesn’t seem to be holding for 2023, and attacks have shot up again.

Data from cryptocurrency tracing firm Chainalysis indicates that victims have paid ransomware groups $449.1 million in the first six months of this year. For all of 2022, that number didn’t even reach $500 million. If this year’s pace of payments continues, according to the company’s data, the total figure for 2023 could hit $898.6 million. This would make 2023 the second biggest year for ransomware revenue after 2021, in which Chainalysis calculates that attackers extorted $939.9 million from victims.

The findings track with general observations from other researchers that the volume of attacks has spiked this year. And they come as ransomware groups have become more aggressive and reckless about publishing sensitive and potentially damaging stolen information. In a recent attack against the University of Manchester, hackers directly emailed the UK university’s students telling them that seven terabytes of data had been stolen and threatening to publish “personal information and research” if the university didn’t pay up.

“We think as a result of their budgetary shortfalls in 2022 we’ve seen these more extreme extortion techniques, ways to kind of twist the knife,” says Jackie Burns Koven, head of cyber threat intelligence at Chainalysis. “In 2022 we were very surprised to find that decline. Then we talked to external partners—incident response firms, insurance companies—and they all said, yeah, we’re paying less, and we’re also seeing fewer attacks.”

Read the full story here.

EchoPoint distributed acoustic sensors introduced for intrusion detection

FIBER SENSYS, itself part of the OPTEX Group, has launched EchoPoint distributed acoustic sensors for advanced intrusion detection across even the highest-level security sites.

Dubbed the latest evolution in fiber optic sensing technology, the new EchoPoint sensors make use of intelligent detection algorithms to provide point detection of +/- 6 metres in a range of up to 100 km. This highly accurate and reliable detection renders the sensors ideal for larger perimeters and high security sites, such as airports, logistics centres, railway networks and critical infrastructure, and to protect data conduits and pipelines, where being able to locate and identify the precise point of intrusion is critical.

Thanks to their highly advanced pattern-recognition classification algorithm, the sensors are able to distinguish between common causes of false and nuisance alarms, such as wildlife and environmental conditions, and genuine intrusion attempts. The system is also immune to electromagnetic interference, radio frequency interference and lightning.

The flexibility and versatility of the EchoPoint sensors is such that they can be operated across multiple applications and installed on fences, buried or commissioned in a hybrid layout. When mounted on a fence, the sensors can identify someone cutting the fence or attempting to climb it. When buried, the system can differentiate between footsteps, manual and machine digging and vehicle movements.

To meet the individual needs of every site, the EchoPoint sensors feature intelligent software zoning. This means different detection zones can be configured. End users have the ability to independently adjust the sensitivity and output within each zone, thereby helping to provide maximum capture rates and minimise nuisance alarms.

Read the full story here.

Rethinking Access Control for Today’s Flexible Workplace

OVER THE years, approaches designed to support employee well-being have evolved. Delivering job satisfaction, mental health support and flexible and hybrid working are just some of the measures adopted, but what about ensuring people feel safe and protected? Workers feeling vulnerable poses a significant risk to employee well-being, as Michel Roig discovers.

While security has always been a priority, one of the most recent approaches to facilitating employee well-being – flexible and hybrid working (or ‘Working from Anywhere’) – might have created new risks.

Despite most pandemic restrictions having now been lifted, it appears that ‘Working from Anywhere’ is here to stay. Surveys of UK employees have revealed that the proportion of ‘Working from Anywhere’ employees almost doubled between February and May of this year.

It’s easy to see why. Offering ‘Working from Anywhere’ as part of the job remit is now a significant factor in attracting candidates and retaining employees. Signs are emerging that it’s also the key to enhanced productivity.

However, ‘Working from Anywhere’ means that employers have to secure digital estates wherever and whenever employees are working. This represents a significant challenge as companies have to respond to increased digital threats and apply enterprise security for domestic settings.

There are also challenges in physical access that are worrying workers. Even before the pandemic, findings from the Society of Human Resource Management revealed that roughly one-in-seven Americans, for example, don’t feel safe in the workplace.

In essence, the scale of the challenge requires companies to critique their own current security solutions and consider carefully whether the existing regime provides a smart and secure workplace that supports employee well-being.

Read the full story

Sensors reduce student vaping, Kidderminster school says

A headteacher says sensors have reduced the number of students vaping.

Matthew Carpenter, from Baxter College, Kidderminster, had the sensors and also CCTV installed to tackle the use of e-cigarettes.

It comes as a group of students there admitted addiction to vaping.

The tech, Mr Carpenter said, had been used to “pinpoint” when and where the activity was happening to help lessen impacts on both students and the school environment.

The school had spent £4,000 installing CCTV outside plus sensors in toilet blocks, having seen an increase, it said, in the number of students asking to go to the toilet during lessons.

“We’ve got a CCTV camera outside so we can just use the timestamps to work out when it was happening,” Mr Carpenter explained.

“What the sensors allow us to do is really accurately pinpoint when students have been vaping.”

E-cigarettes have helped many thousands of people stop smoking by removing the dangerous and toxic tobacco smoke from their habit, giving a huge health boost.

But the e-cigarette vapour which is inhaled can still contain small amounts of chemicals, including nicotine.

Mr Carpenter said students who had not smoked previously had taken up vaping as a “lifestyle choice” and he was concerned it would lead them to smoke traditional cigarettes and develop a nicotine addiction.

Trading Standards says one in three vaping products may fall short of regulations monitoring nicotine limits.

It is illegal to sell e-cigarettes and liquid to under-18s.

Read the full story here.

Nick Ross elected president of the British Security Industry Association

THE BRITISH Security Industry Association (BSIA) has elected popular broadcaster and campaigner Nick Ross CBE to serve as the Trade Association’s new president. Ross replaces Sir Keith Povey QPM, who retires as BSIA president after 14 years in the role.

Ross assumed the post of president on Wednesday 19 April at the Trade Association’s Annual General Meeting in London. Going forward, his primary goal will be to continue the work focused on developing the relationship between the police service and the private security industry.

Starting out as a junior reporter while still at university, Ross covered the troubles in Northern Ireland for the BBC and then moved on to host programmes including Radio 4’s The World at One, PM and The World Tonight.

He became a TV reporter, documentary director and political correspondent and chaired live debates, but was perhaps best known for the crime appeals programme Crimewatch, which he presented for over two decades.

Ross conceived the new discipline of ‘crime science’, which focuses on practical, multidisciplinary and outcomes-focused approaches to crime reduction. He also founded the Jill Dando Institute at UCL, which has since grown into one of the largest academic crime prevention departments in the world.

‘Failure to prevent fraud’ offence brought forward by Home Office

THE NEW ‘failure to prevent fraud’ offence proposed by the Home Office will make it easier to prosecute a large organisation if an employee commits fraud for that organisation’s benefit. If an act of fraud is committed by an employee of an organisation, that organisation must be able to demonstrate it had reasonable measures in place to deter the offending or otherwise risk receiving an unlimited fine.

The proposed legislation, to be introduced through the Economic Crime and Corporate Transparency Bill, encourages businesses to do more to deter offending, which will help in the bid to cut crime and protect consumers, investors, other businesses and the taxpayer from fraudulent practices.

The Home Office has tabled an amendment to introduce the failure to prevent fraud offence, which is actively supported by the Serious Fraud Office and the Crown Prosecution Service (CPS).

Security Minister Tom Tugendhat observed: “We are determined to crack down on unscrupulous companies that seek to defraud their customers. Our new ‘failure to prevent fraud’ offence will protect consumers from dishonest and misleading sales practices, and also level the playing field for the majority of businesses that behave responsibly.”

Further, Tugendhat noted: “This Government is committed to fighting economic crime, as demonstrated by our recently launched Economic Crime Plan 2, which sets out how we will give law enforcement more state-of-the-art resources to tackle high-level offending.”

Read the full story here.