Consider IT
Posted by stuart.gilbertson


Google Chrome ditches support for Silverlight

Google Chrome is ending support for Silverlight – used by NOW TV and BT Sport to play video.

The Microsoft runtime depends on an ageing plug-in protocol called Netscape Plugin Application Programming Interface (NPAPI), for which Google is currently phasing out support in its browser.

The Google Chrome team originally speculated that support for the old protocol would be removed from Chrome before the end of 2014.

Silverlight remains very popular with broadcasters because of the level of encryption it offers. Many broadcasters seem to be sticking with Silverlight instead of migrating to HTML5.

“With each step in this transition, we get closer to a safer, more mobile-friendly web,” said Justin Schuh, software engineer and plug-in retirement planner at Google.

stuart.gilbertson
April 27, 2015

Critical Security Advisory: Shell Shock

The Shell Shock security flaw could be bigger than Heartbleed.

A serious security flaw recently discovered in the Bash command-line shell application has been nicknamed “Shell Shock”.

Bash, an acronym for Bourne Again Shell, is a command-line shell application that lets users launch programs and features and make changes by typing commands into a console. It’s typically used by programmers and server administrators when making changes to their servers. Bash usually isn’t open to the general public, nor is it made accessible over the Internet to unauthorised users, but Shell Shock changes that.

This isn’t a new vulnerability, although it’s only just been discovered; in fact, it’s been around for 20-25 years. It allows the user to manipulate “environment variables” to influence how the software responds and ultimately exploit the machine it is running on.

According to the National Institute of Standards and Technology this bug is rated a 10/10 in terms of severity:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Ultimately, the message of this blog post is to get your systems updated and patched immediately. This is a critical flaw in the security of a lot of servers around the world and failing to act could leave you open to data breaches.
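
One way to confirm that patching has taken effect on a server you administer, as an added example that is not part of the original post: it runs each local copy of Bash with a harmless marker placed after a function definition in an environment variable and reports whether the trailing text was executed. The function names `check_bash` and `audit_shells`, the variable name `probe` and the marker string are assumptions made for this example.

```shell
#!/bin/sh
# Added example: local patch check for the Shell Shock flaw.
# A vulnerable Bash turns an environment value starting "() {" into a
# function and then also executes whatever trails the closing brace.

MARKER="shellshock-check-$$"   # constructed, harmless marker string

# check_bash PATH -> prints "vulnerable", "patched" or "missing"
check_bash() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 2
    fi
    # "probe" is a hypothetical variable name. The trailing echo must never
    # run: a fixed Bash does not execute text after the function body.
    out=$(env "probe=() { :;}; echo $MARKER" "$shell_path" -c 'echo done' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo "vulnerable"; return 1 ;;
        *)           echo "patched";    return 0 ;;
    esac
}

# audit_shells PATH... -> one "path<TAB>result" line per copy of Bash;
# returns 1 if any copy is still vulnerable, so it can gate a patch run.
audit_shells() {
    rc=0
    for p in "$@"; do
        result=$(check_bash "$p") || true
        printf '%s\t%s\n' "$p" "$result"
        if [ "$result" = "vulnerable" ]; then
            rc=1
        fi
    done
    return $rc
}

# Stand-alone use: sh check.sh /bin/bash /usr/local/bin/bash
if [ "$#" -gt 0 ]; then
    audit_shells "$@"
fi
```

Servers often carry more than one copy of Bash (a packaged one and a locally built one, for instance), so pass every path you find rather than only the one on your `PATH`.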

All Consider IT Clients can rest safe in the knowledge that, as ever, we have already taken actions to mitigate this huge risk.

stuart.gilbertson
September 26, 2014

Counterfeit software could lead to malware on your machine without you knowing

Don’t be a victim of Counterfeit Software…

As an IT Support company, our clients put their trust in us to source and supply various hardware and software solutions. We purchase Microsoft Office by the bucket load and almost on a daily basis it’s one of the team’s jobs to go through the headache of unpacking the Microsoft Office box, pulling out the licence key, and going through the hassle of installing Office 2013 on the client machine. Today was different. We sourced our copies of Office from our normal supplier, took delivery, opened the boxes, and proceeded to download the software.

That part of the procedure is normal. What isn’t normal is being told by the Licence Card to visit a website that isn’t Microsoft’s. We almost got caught out by this. If we can almost get caught out, someone without genuine software to compare it to would almost certainly be an unknowing victim of software piracy. Microsoft do a lot to defend their intellectual property. What people take for granted is that Microsoft’s software (jokes aside) doesn’t contain Malware or Viruses. It doesn’t contain software that will spy on you when you’re purchasing your Summer holiday or moving money around your various bank accounts.

The software we almost downloaded could have.

Here’s a picture of the counterfeit version against a genuine one (click the picture for a full size version):

IMG_1636

Can you guess which one is the counterfeit one? Exactly. Microsoft’s first line of defence is a special label they call their Certificate of Authenticity (or COA). This label has a few security features that should allow you to determine if what you hold in your hands is a genuine product. Have a look at the COA label on the two boxes below (we’ve kept the genuine one and the counterfeit one in the same place):

IMG_1637

Got any clue as to which one is the genuine one yet? Assuming you didn’t take a look at the COA before opening the box, the only other real tell-tale sign that the product we have is counterfeit is the following:

IMG_1640

Have you spotted it yet? Obviously Step 4 is missing on one of the cards, but the crucial issue is the website they’re sending us to: http://uk.msoffice13.com/hb. This is not a Microsoft website. It should go without saying not to visit the site, but if you do, you’ll start downloading a HomeBusinessRetail.exe file that looks like the genuine Microsoft product. In fact, even AVG, Malwarebytes and Avast! didn’t moan that this file wasn’t genuine. At this stage, we’re pretty confident that the product on the left is actually a knock-off. A genuine Microsoft COA label will have a hologram on the left hand side and a “microsoft” thread intertwined through the label itself. Here’s a picture of a genuine COA:

IMG_1638

Notice on the left hand side the hologram (you can’t see it really well unless you move the label around the light) and the thread slightly to the right of the hologram which if you touch with your finger you can actually feel that it’s interwoven. And now here’s the fake closer up:

IMG_1639

If you look at the label closely, you’ll see the hologram is actually just one solid colour and the thread that runs through the label has in fact been replaced with just a green line. Whilst we weren’t able to confirm if there was malware in the download of this counterfeit software (and the software had just been hacked to bypass the Serial Number checks Microsoft do) there’s still the possibility for counterfeit software to come packaged up with other nasties.

We also checked the licence key card against the official Microsoft download site and it came back as not recognised.

Microsoft have a very thorough website dedicated to checking if your products are genuine: http://www.microsoft.com/howtotell

We’ve also just noticed that if you scan the barcode on the COA, it comes back with the wrong numbers and not the ones shown.

stuart.gilbertson
August 6, 2014

Important Security Notice: Heartbleed

The Heartbleed Bug

The Heartbleed Bug is a vulnerability in the popular OpenSSL cryptographic software library. This is the software that almost 60% of the internet will use to establish a secure communication between the server and the client. When you browse a website and you see the padlock sign, chances are it uses OpenSSL to establish this secure link. Windows Servers are generally unaffected by this issue, but other providers that use Linux (or OpenSSL specifically) will likely have had this vulnerability running for some time.

Whilst a lot of the big players in the cloud world are saying that they have now patched their systems and that users do not need to change their passwords, we are taking the stance that it doesn’t hurt to change your passwords on a regular basis and this is as good a time as any. Therefore this notice is to advise you to change your password for all internet-based services, irrespective of whether or not the site in question has stated they are now secure or were never vulnerable.

If you use services such as Google, Dropbox, Amazon Web Services, Facebook, Tumblr, Yahoo/Yahoo Mail, etc. then our formal and professional advice is to take ten minutes out of your day to go through all websites and change your password.

Please be aware that we also expect to see a rise in Phishing (scam) emails purporting to be from these various sites asking you to change your password by following a link in the email. Please visit the site directly in your browser to change your password!

There is a more technical overview of the Heartbleed Bug online at www.heartbleed.com

If you have questions, give us a call (0131 510 0110) or send us an email ([email protected])

stuart.gilbertson
April 15, 2014

8 April 2014: Windows XP Dead

Does the date 8th April 2014 mean anything to you?

If you’re a business and care about the security of your IT equipment then it should.

On the 8th April, Microsoft’s Windows XP and Office 2003 products will no longer be supported. The products won’t stop working, but critical security updates will no longer be developed and rolled out for these products. That means that if a major security flaw is discovered, Microsoft will do nothing about it.

30% of PCs still use Windows XP and at least a handful of our clients still have one or two Windows XP machines in their office (thankfully they’re moving away this week).

Keeping your IT infrastructure secure is serious business and only at the beginning of March, The British Pregnancy Advice Service (BPAS) was fined £200,000 for not making sure the data they held about people was stored securely.

David Smith, Deputy Commissioner and Director of Data Protection said about the case:

“There’s a simple message here: treat the personal information you are holding with respect. This includes making sure you know just what information you are holding and that it’s subject to up-to-date and effective security measures.”

The organisation’s failure to spot problems with their software has led to a serious breach of the Data Protection Act, caused substantial damage and distress to those affected and left the organisation with a fine of £200,000. The hacker, meanwhile, is now in prison.

For a small office environment, the steps you need to take can be relatively simple. Making sure you stay on top of the updates that need to be regularly applied to desktop and laptop operating systems is relatively easy to do. All of the major vendors have a system to regularly check for updates and a pop-up will usually display on the screen alerting you to the fact that a security update is required.

In a more complex environment you might need to test these updates first to make sure they are compatible with your existing infrastructure. Where you cannot apply an update, you may need to put additional measures in place to mitigate the risk.

The UK government’s National Technical Authority for Information Assurance (CESG) has published short-term mitigation advice for public sector organisations that are unable to fully migrate away from Windows XP prior to its end of support date.

You should also consider whether your other IT assets need an update. Recently, a number of vulnerabilities have been discovered in the firmware of routers and firewalls. You can check the manufacturer’s website to see if an updated firmware has been released. For the novice user these are not as easy to update as an operating system or desktop software. If you get the configuration of your primary defence wrong you could be leaving your organisation in a worse position than if you’d done nothing at all; so call in the professionals if you are unsure.

So if you are unsure whether your security software is up-to-date across all devices make sure you follow these three basic steps:

Step one – Carry out an audit of your IT equipment so you know the size of the problem. Make a list of devices, operating systems, serial numbers, installed software and which members of staff this kit is issued to.

Step two – Plan and Prioritise. Work out which updates you need to apply and in which order you are going to do these. If you are disposing of equipment that has reached the end of its life, make sure this is done securely by following the Information Commissioner’s Office’s IT asset disposal guidance and any other guidance provided by the manufacturer.

Step three – Roll out security updates to the remaining equipment where required and continue to keep the software up-to-date.

Remember, from 8th April 2014 there will be no updates to apply to Windows XP or Office 2003. Do not fall into a false sense of security by believing that because there are no updates then there are no vulnerabilities. Anyone using these two products must consider their options to look at migrating to a supported operating system. Failure to do so will leave your company’s network vulnerable over time and significantly increases the risk of a data breach that you could have prevented.

stuart.gilbertson
March 31, 2014

Consider IT achieves ISO 9001

Edinburgh-based IT Support company Consider IT has achieved the internationally recognised ISO 9001 standard, establishing us as one of the leaders in our field.

This independent assessment was conducted by the leading Certification Body, the British Assessment Bureau and demonstrates Consider IT’s commitment to customer service and quality in delivery.

Consider IT has now earned the right to display the coveted British Assessment Bureau ISO 9001 certification mark to demonstrate its conformance to the standard.

ISO 9001 was first introduced in 1987 and requires organisations to demonstrate that they do what they say they do and that they have a quality management system in place to ensure consistency and improvement; leading to high levels of performance and customer satisfaction. Certified organisations are committed to continuous improvement and are assessed annually to ensure progress is being maintained.

Consider IT’s Director, Stuart Gilbertson, said:

I am so pleased that the team at Consider IT have been able to achieve ISO 9001 certification as it underlines our commitment to our customers and our focus on quality.

This certification demonstrates that Consider IT can and does provide a consistent quality solution from quotation to delivery of services. As far as I’m aware, no other IT Support company in Edinburgh currently has this certification.

ISO-9001

stuart.gilbertson
February 18, 2014

Local Authority fined £80k for losing unencrypted USB stick

North East Lincolnshire Council has been issued a monetary penalty of £80,000 (eighty thousand pounds) for failing to encrypt a USB stick that contained personal information about the physical or mental health of pupils and their teaching requirements, as well as information about their home life.

On 1 July 2011 an unencrypted USB memory stick containing personal and sensitive personal data was lost on the data controller’s premises. A special educational needs teacher had been working with the information held on the USB stick while using a laptop that was connected to the data controller’s networked computer system.

When logging off the system and leaving the office for the day, the teacher forgot to remove the USB stick. When the teacher realised the mistake and tried to retrieve the USB stick, it was gone. To date, the USB stick has not been recovered. The data controller completed an internal investigation in response to the incident.

Stephen Eckersley, ICO head of enforcement, said: “Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted.”

He went on to say: “North East Lincolnshire Council failed to do this by delaying the introduction of a policy on encryption for two years and then failing to make sure that staff were following the policy once it was finally implemented. This breach should act as a warning to all organisations that their data protection policies must work in practice, otherwise they are meaningless and fail to ensure people’s information is being looked after correctly.”

stuart.gilbertson
October 29, 2013

Google Apps Service Disruption

At about 3:25pm yesterday (Monday 23rd September 2013), Google Apps suffered some service issues. Clients were noticing issues sending or receiving emails.

Google estimated that this issue affected less than 0.024% of the GMail user base.

Their team provided updates constantly every hour and at 7PM they confirmed the issue was much more widespread than first thought, affecting 50% of GMail users.

At 3AM this morning (24th September), Google confirmed that the issue was resolved and provided this statement:

As of 1600 Pacific Time, Gmail message delivery and attachment download is functioning normally for all users. We apologize for the duration of today’s event; we’re aware that prompt email delivery is an important part of the Gmail experience, and today’s experience fell far short of our standards. We have analyzed the data on user impact and are providing a preliminary assessment of what occurred:

Between 0554 and 1530 Pacific Time today, 29.1% of messages received by Gmail users were delayed. The average (median) delay was just 2.6 seconds, but some mail was more severely delayed. However, this issue did not affect users’ access to the Gmail page or other functionality.

stuart.gilbertson
September 24, 2013

South Korea hit by cyber attack

A cyber alert was issued by South Korea after a hacking attack on government websites. Media sites and even the website of the presidential office were hit by an apparently co-ordinated attack on Tuesday morning. The identity of the hackers was not known, a government statement said.

Messages praising North Korean leader Kim Jong-un and claiming that hacking collective Anonymous was responsible were left on the hacked websites. However, Anonymous denied any involvement in the South Korean cyber-attacks on its official Twitter account, AFP news agency reported. In fact, the group Anonymous was said to have planned attacks against North Korean websites.

A number of North Korean websites went offline on Tuesday morning and appeared to have been targeted by hackers on Tuesday, South Korea’s Yonhap news agency reported, citing unnamed sources.

BBC Report: http://www.bbc.co.uk/news/world-asia-23042334

stuart.gilbertson
June 25, 2013

Glasgow City Council fined £150k for unencrypted laptops

The Information Commissioner’s Office (ICO) has issued Glasgow City Council with a penalty of £150,000 following the loss of two unencrypted laptops, one of which contained the personal information of over 20,000 people.

The serious breach of the Data Protection Act comes after the council was previously issued with an enforcement notice three years ago, following a similar breach where an unencrypted memory stick containing personal data was lost.

In the latest incident, two unencrypted laptops were stolen from the council’s offices on 28 May last year. The laptops were stolen from premises which were being refurbished and where complaints of theft and a lack of security had been made. One laptop had been locked away in its storage drawer and the key placed in the drawer where the second laptop was kept, but the second drawer was subsequently left unlocked overnight, allowing the thief access to both laptops.

One of the laptops stolen contained the council’s creditor payment history file, listing the personal information of over 20,000 people, including 6,069 individuals’ bank account details.

The ICO’s investigation found that, despite the ICO’s previous warning and in breach of its own policy, the council had issued a number of its staff with unencrypted laptops after encountering problems with the encryption software. While most of these devices were later encrypted, the ICO also discovered that a further 74 unencrypted laptops remain unaccounted for, with at least six of these known to have been stolen.

The ICO has also served the council with an enforcement notice requiring it to carry out a full audit of its IT assets used to process personal data and arrange for all of its managers to receive asset management training. The council must also carry out a full check of all of its devices each year so that the asset register can be kept up to date.

Ken Macdonald, the ICO’s Assistant Commissioner for Scotland, said:

How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief. The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised.

Consider IT offer encryption services to all clients, so get in touch today if you’d like to discuss the various options available. Alternatively, click here to visit our encryption services page.

stuart.gilbertson
June 7, 2013
© 2025 Consider IT Limited – All Rights Reserved
Registered office: Waterview House, 37 Shore, Edinburgh, EH6 6QU. Company Number: SC320341 | VAT number: GB 930 1862 42
Consider IT is a trading name of Consider IT Limited