Tech Tip: Easy Switching of Audio Sources

If you’re tired of having to go into the Control Panel to switch from your speakers to your headphones, Windows 10 now makes it much easier with handy in-taskbar volume controls.

To switch audio sources in Windows 10, it’s simply a case of:

  • Going to the taskbar.
  • Clicking the audio device name in the volume controls.
  • Seeing the list of all connected audio outputs.
  • Switching from your headphones to your speakers (and back again) as and when required.

Greater Protection From IoT Hacks Needed Say Cyber Security Experts

There have been renewed warnings from cyber security experts that much more needs to be done to provide adequate protection from the potentially devastating effects of hacks involving IoT devices.

What Are IoT Devices?

IoT devices are those devices that are now present in most offices and homes that have a connection to the Internet and are, therefore, ‘smart’ and inter-connected. These devices could be anything from white goods and smart thermostats to CCTV cameras, medical implants and even industrial controllers.

What Are the Risks?

The fact that they have a connection to the Internet, are prevalent, and are often overlooked in security planning (and are therefore likely left unguarded) means that they are vulnerable to hacks and attacks.

What makes the risks physically greater, more immediate and more complicated is that the vast number of IoT devices now deployed worldwide tend to be connected to (or in control of) physical objects. These objects could be elevators, doors, heating or fire safety systems in office buildings … the list is long. This means that a hack or breach could carry a real risk of human casualties or fatalities, as opposed to the traditional, lower-impact (but still serious) risks associated with hacks, such as data loss and fines.

IoT devices are also deployed in many systems that link to and are supplied by major utilities e.g. smart meters in homes. This means that a large scale attack on these systems could affect the economy.

Hackers have also shown that they can take over large numbers of IoT devices at once and use them as a botnet to attack other systems. An example of this happened in October 2016 when the ‘Mirai’ attack used thousands of household IoT devices as a botnet to launch an online distributed denial of service (DDoS) attack (on the DNS service ‘Dyn’) with global consequences.

The devices included things like white goods, CCTV cameras and printers, and the major platforms that were put out of action by the attack included Twitter, Spotify, and Reddit.

No Risk Assessment & No Universal Standard.

Technology commentators have noted that the true extent of the risks posed by IoT device vulnerabilities is unknown because the devices are so widely distributed globally, and large organisations have tended not to include them in risk assessments for devices, code, data, and infrastructure.

It has also been noted by many commentators that not only is it difficult for businesses to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.

What Does This Mean For Your Business?

For businesses, one first step may be to conduct an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default usernames and passwords on these devices are changed as soon as possible.

Security experts also suggest that anyone deploying IoT devices in any environment should require the supply chain to provide evidence of adherence to a well-written set of procurement guidelines that relate to some kind of specific and measurable criteria.

Microsoft has also compiled a checklist of IoT security best practice. This highlights the different areas of security that need to be addressed by the organisations involved throughout the lifecycle of an IoT system e.g. manufacturing and integration, software development, deployment, and operations.

TV Accidentally Sets Off Amazon Gadget

‘Amazon Echo’ gadgets in homes across the city of San Diego on the West Coast of the US were activated by a comment made by a TV presenter.

What is Amazon Echo?

Amazon Echo is a 23.5cm tall, cylindrical, smart ‘hands-free’, voice operated speaker. The product, which was developed by Amazon and is also known as Doppler or Project D, contains a 7 piece array of microphones to allow it to receive and respond to requests from the operator.

The Echo connects to the Alexa Voice Service, and the user can ask the Echo to play music, provide information and news, sports scores, weather and more.

What Happened?

CW6 TV presenter Jim Patton was reporting on a news item about a 6-year-old child called Brooke Neitzel from Dallas who accidentally ordered a doll’s house for herself while talking during play to the family’s Amazon Echo Dot / Alexa Voice Service. The young girl’s request is reported to have resulted in a new doll’s house and a large tin of cookies turning up at the family’s home the following morning.

Brooke’s mother Megan’s subsequent investigation into the surprise delivery revealed what really happened.

A news item about the incident was then produced and aired by channel CW6 in the San Diego area. As part of this news item, the presenter, Mr. Patton, used the phrase "I love the little girl saying ‘Alexa ordered me a dollhouse’." Many Amazon Echo devices in viewers’ homes across the city of San Diego then picked up and responded to the comment as if it were a request from their users. The result was an attempt by many Echo devices to wake up and actually order a doll’s house.

Alerted By Complaints.

Not long after the report was aired on the morning show, CW6 viewers phoned to complain that Mr. Patton’s on-air comment had woken up their Amazon Echo devices.

Echoes of 2014.

This is not the first time that home devices have been activated by comments made on the TV. Back in June 2014, an advert featured Breaking Bad actor Aaron Paul who used the phrase “Xbox On”. This prompted complaints from Xbox One owners that the on-air comment had activated the voice recognition software on their own consoles, and turned them on.

Preventing Unwanted Activation.

Technical commentators have stated that Amazon Echo voice-driven buying is enabled by default. Users should, therefore, disable voice purchasing or enable a four-digit confirmation code to prevent any accidental purchases.

What Does This Mean For Your Business?

This is an example of how the introduction of smart devices and AI to our homes and workplaces is still in the relatively early stages and is resulting in some unforeseen consequences.

It demonstrates how voice activated systems are causing some concern and are displaying vulnerabilities. Recently, for example, concerns were raised about a voice manipulation software system from Adobe that has the potential to fool bank voice recognition authentication systems, thus leaving them open to abuse by pranksters or criminals.

The general advice with IoT / smart devices should be, therefore, to change any default passwords or settings to ensure that you at least have basic protection.

UK Schools Targeted With Ransomware

UK police have issued a warning to educational establishments to be vigilant, following an alert by ‘Action Fraud’ that fraudsters are targeting UK schools with ransomware in order to demand big payments.

Action Fraud Alert.

The UK’s fraud and cybercrime centre ‘Action Fraud’ issued an alert recently that schools are being targeted by fraudsters using a form of malware known as ‘ransomware’.

What is Ransomware?

Ransomware is a form of malware that typically encrypts important files on the victim’s computer. The victim is then given a ransom demand, the payment of which should mean that the encrypted files can be released. In reality, some types of ransomware delete many important files anyway, and paying the ransom does not guarantee that any files will be released.

Targeting Schools.

The Action Fraud alert and police warning relate to recent attempts by criminals to cold-call schools, claiming to be from the Department of Education. The object of the calls has been to obtain the email address of the head teacher / a senior staff member, with the excuse that forms containing sensitive information need to be sent to them. According to Action Fraud, the types of forms that fraudsters have claimed they need to send have varied; anything from exam guidance to mental health assessments.

Step Two – The Malware (Ransomware).

Once the email address of the head teacher / senior staff member has been obtained, a legitimate looking email is then sent that contains a zip file attachment which has been masked as an Excel or Word document. The attachment contains the ransomware. If the attachment is downloaded, key files on the computer are encrypted (and often deleted, sometimes at timed intervals) and a demand for money is sent to the school to unlock the files. This type of attack is doubly disastrous for schools due to their data protection responsibilities and the fact that the data relates to children / vulnerable young people.
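As an added illustration (not part of the original article), the check below shows how a mail filter or helpdesk script could spot an attachment whose Word or Excel name does not match its real content. The extension lists, file names and sample archives are assumptions constructed for the example.

```python
import io
import zipfile

# Extensions that should not arrive inside an emailed "document" (assumed list).
RISKY_EXTS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".bat", ".cmd", ".lnk", ".hta"}
OOXML_EXTS = {".docx", ".xlsx"}   # genuine files are ZIP containers
LEGACY_EXTS = {".doc", ".xls"}    # genuine files are OLE2 files, not ZIPs
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def check_attachment(filename, data):
    """Return a list of reasons the attachment looks masked; empty means no finding."""
    findings = []
    ext = _ext(filename)
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    if ext in LEGACY_EXTS and not data.startswith(OLE2_MAGIC):
        findings.append("legacy Office extension but content is not OLE2")
    if ext in OOXML_EXTS and not is_zip:
        findings.append("OOXML extension but content is not a ZIP container")
    if is_zip:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        if ext in OOXML_EXTS and "[Content_Types].xml" not in names:
            findings.append("ZIP lacks [Content_Types].xml, so it is not a real OOXML file")
        for member in names:
            if _ext(member) in RISKY_EXTS:
                findings.append("archive contains executable/script member: " + member)
    return findings


def _make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: plain ZIPs renamed to look like Word/Excel, and a minimal .docx-shaped ZIP.
MASKED_DOCX = _make_zip({"exam_guidance.doc.js": b"// placeholder"})
MASKED_XLS = _make_zip({"form.exe": b"MZ placeholder"})
BENIGN_DOCX = _make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
```

Because genuine .docx and .xlsx files are themselves ZIP containers, the check looks at what is inside the archive rather than simply rejecting every ZIP.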

Example From America.

An example of a very similar attack took place at a Los Angeles School on New Year’s Eve, when unknown attackers used ransomware to encrypt hundreds of thousands of files, affecting much of the campus’ 1,800 staff and 20,000 students. The school, in this case, paid US$28,000 (in bitcoin currency) to release files.

2016 Was Ransomware Year.

2016 was a huge year for ransomware attacks globally. For example, Kaspersky Labs estimated that in the 3rd quarter of 2016 a ransomware infection occurred every 30 seconds. Intel Security also reported that infections rose by more than a quarter in the first 3 months of the year.

What Does This Mean For Your Business?

For schools and businesses alike, it’s a case of always being on the lookout for suspicious emails, keeping security software up to date and regularly backing up critical data.

In order to provide maximum protection against more prevalent and varied threats this year, businesses should now adopt multi-layered security solutions. Businesses should accept that there is a real likelihood that they will be targeted and therefore prepare for this by implementing the most up to date security solutions, virtual patching and education of employees in order to mitigate risks from as many angles (‘vectors’) as possible.

Having workable and well communicated Disaster Recovery and Business Continuity Plans in place is now also an important requirement.