To Whom It May Concern 

26 June 2023

 

Dear Valued Partner,

In our previous letters, Hikvision committed to providing you with the latest updates on the conversations the company is having across the UK and Ireland to clarify misconceptions about our products and operations. 

We wanted to share with you that today (Monday 26 June 2023 at 8PM), BBC Panorama intends to broadcast a programme which purports to investigate Chinese companies operating in the surveillance industry. We have been engaging with the producers of this programme, and have grave concerns regarding the integrity and content of the broadcast.

The BBC will broadcast a ‘hack’ of a six-year-old Hikvision camera to exploit a vulnerability that was identified in 2017, but was patched and publicly disclosed less than one week after it was brought to the company’s attention. To claim that this stunt has uncovered a security breach or an intentional backdoor in June 2023 is farcical. It sensationalises a problem that was already fixed to universally recognised CVE standards. Furthermore, this test has not been conducted on a typical network, but rather an unsecured one. This test simply cannot be characterised as representative of ‘the cameras lining our streets today’, which would be much better defended than the camera in this so-called ‘test’ the BBC have run.

Hikvision was not given any information in advance about the specifications of the hack to be carried out

We repeatedly asked the BBC for more information about its planned ‘hack’, but were ignored until we asked our lawyers to intervene. Indeed the BBC repeatedly refused to clarify the following: which camera model and serial number would be used; what version of firmware was installed; whether the camera included was UK firmware; whether the camera would be tested on a closed circuit or connected to a network; how any network would be secured; if the hack would include port forwarding; if the camera was still being sold in the UK; and, how the camera was obtained.

We now know that the camera was in fact supplied by, and compromised with the collaboration of IPVM, an organisation with a vendetta against Hikvision. 

Hikvision’s conduct with regards to this vulnerability has followed all internationally accepted standards of best practice. When made aware of the vulnerability in March 2017, Hikvision patched it in less than one week. The vulnerability – and Hikvision’s patch – were subject to further scrutiny in the US with the then-Chairman of the US House of Representatives Small Business Committee noting in a public hearing that Hikvision’s work with the US Department of Homeland Security on this vulnerability meant that any continuing issues resulting from unpatched equipment would lie with ‘small businesses that do not engage with the government or the DHS regularly’. 

Going further, the Deputy Assistant Secretary for the US Department of Homeland Security Office of Cybersecurity and Communications said they ‘worked with the company’ to resolve the problem and that ‘standard practice was followed’.

There is no reason to believe that circumstances would be any different in the UK. After all, the vast majority of public sector organisations have processes in place to respond to vulnerabilities and regularly update their firmware. It is virtually certain that every public sector organisation in the UK has patched its cameras since 2017, and therefore there is no reason to assume there is any risk today.

The BBC had all the information above ahead of broadcast. The BBC has been misled by IPVM and will now, in turn, mislead others. 

Hikvision knows that you, as surveillance industry professionals, will understand this test simply cannot be taken seriously. It is not representative of the security of Hikvision cameras on the market today. However, the general public may not understand. 

As we seek redress for this egregious and irresponsible broadcast, we continue to reserve all of our rights, including legal action. Please accept my apologies for any inquiries you receive from your customers or the public at this stage. We are working tirelessly to dispel these untruths with both the media and government, and if you need any help whatsoever in reassuring your own stakeholders, please do not hesitate to contact me, and we will render any and all assistance that we can.

Your support and continued business at this time is deeply appreciated.

Yours faithfully,

Justin Hollis

Marketing Director – Hikvision UK & Ireland

Microsoft disarms push notification bombers with number matching in Authenticator

Jeff Burt - The Register

Microsoft is hoping to curb a growing threat to multi-factor authentication (MFA) by enforcing a number-matching step for those using Microsoft Authenticator push notifications when signing into services. 

Starting this week, Redmond is putting some muscle behind a number-matching feature that it began talking about last year. It said there were rising numbers of cyberattacks using MFA fatigue, also known as MFA push spamming and push bombing. 

Two-factor authentication (2FA) and MFA are strategies for verifying users trying to log on to websites, accounts or services, and are part of the larger drive for zero-trust architectures, which take the position that anything or anyone trying to climb onto a network can't be trusted or given access until verified.

MFA can come in the form of a one-time code you enter, or an app on a linked device that pops up a notification asking if a login attempt is legit. If someone is trying to log in as you, you can decline access. If it's you trying to get in, you can approve the login.

Attackers are finding ways around MFA protections, such as through phishing, and, in this case, MFA fatigue, a social engineering effort in which attackers use stolen credentials to try to sign into a protected account quickly and repeatedly, overwhelming potential victims with push notifications asking for login approval.

Initially the targeted individual will likely hit the prompt to indicate it isn't them trying to sign in, but may be worn down in the spamming onslaught and eventually accept the login to stop the harassment. Essentially, MFA is supposed to thwart those using stolen login credentials, but in reality, the protection measure can be bypassed by exploiting the human element: spamming users with notifications on their devices until they assume it's a bug and hit accept. At that point, the miscreant is in your account.

It's a threat Microsoft, among other vendors and security pros, has been tracking for a couple of years. Redmond saw almost 41,000 Azure Active Directory Protection sessions with multiple failed MFA attempts in August 2022, compared with 32,442 a year earlier, and noted that such attacks had "become more prevalent."

MFA fatigue is also one of the many reasons Microsoft cites in its push – shared with others, including Google and Apple – to do away with passwords entirely as a verification tool.

There were some high-profile attacks last year that featured MFA fatigue schemes. The Yanluowang ransomware gang used it in a strike against Cisco, while the Lapsus$ group leaked 37GB of source code stolen from Microsoft after compromising an employee via MFA fatigue. Uber was also hit by Lapsus$ via such an attack, it's reported.

In October 2022, Microsoft introduced number matching as an option, as well as other security features like location and application context, in Microsoft Authenticator. Now, number matching is automatically being enabled for all push notifications in Authenticator.

"As relevant services deploy, users worldwide who are enabled for Authenticator push notifications will begin to see number matching in their approval requests," the vendor wrote in an Azure support note this week. "Users can be enabled for Authenticator push notifications either in the Authentication methods policy or the legacy multifactor authentication policy as long as notifications through the mobile app is enabled."

The note also said that number matching doesn't support push notifications for Apple Watch or Android wearable devices. "Wearable device users need to use their phone to approve notifications when number matching is enabled," Microsoft wrote.

When it's enforced, Authenticator users responding to an MFA push notification will be presented with another number that they'll need to type into whatever app is being logged into to complete the process. Authenticator users will not be able to opt out of the feature. It effectively adds a one-time code element to the push notification approach.
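To make concrete both the MFA fatigue pattern described earlier and why number matching blunts it, here is an added Python model (not Microsoft's code and not from the article): the sign-in screen receives a two-digit number that the push itself never carries, so a victim who approves a prompt they did not start has nothing to type, and a small detector flags users who receive many prompts in a short window. The user names, timestamps and thresholds are constructed for the example.

```python
import secrets
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class PushRequest:
    request_id: str
    user: str
    number: int          # displayed only on the sign-in screen, never in the push itself
    ts: float
    decided: bool = False

class PushMfaService:
    """Toy model of push MFA; number_matching=True mirrors the enforced Authenticator behaviour."""

    def __init__(self, number_matching: bool):
        self.number_matching = number_matching
        self.requests = {}
        self.prompts_by_user = defaultdict(list)  # audit trail used by the detector below

    def start_sign_in(self, user, ts):
        """Password accepted: issue a push and return (request id, number shown on screen)."""
        req = PushRequest(secrets.token_hex(4), user, secrets.randbelow(100), ts)
        self.requests[req.request_id] = req
        self.prompts_by_user[user].append(req)
        return req.request_id, req.number

    def respond(self, request_id, approve, typed_number=None):
        """Authenticator callback. True only if the sign-in is allowed through."""
        req = self.requests[request_id]
        if req.decided:          # a prompt can be answered once
            return False
        req.decided = True
        if not approve:
            return False
        # With number matching, tapping Approve is not enough: the number on the sign-in
        # screen must be typed, and a user who is not at that screen has no number to type.
        if self.number_matching and typed_number != req.number:
            return False
        return True

def push_bombing_suspects(service, window_s=300, threshold=5):
    """Users who received at least `threshold` prompts inside any window_s-second span."""
    suspects = []
    for user, reqs in service.prompts_by_user.items():
        ts = sorted(r.ts for r in reqs)
        if any(ts[i + threshold - 1] - ts[i] <= window_s for i in range(len(ts) - threshold + 1)):
            suspects.append(user)
    return suspects

def simulate_fatigue_attack(number_matching, prompts=10):
    """Someone holding a stolen password triggers many prompts; the worn-down victim approves the last."""
    svc = PushMfaService(number_matching)
    for i in range(prompts):
        last_id, _ = svc.start_sign_in("victim", ts=1000.0 + 10 * i)  # number lands on the other screen
    # Victim taps Approve on the phone with no sign-in screen in front of them
    return svc.respond(last_id, approve=True, typed_number=None), svc

def legitimate_sign_in():
    """Normal flow: the user reads the number off their own sign-in screen and types it."""
    svc = PushMfaService(number_matching=True)
    req_id, shown = svc.start_sign_in("alice", ts=2000.0)
    return svc.respond(req_id, approve=True, typed_number=shown)
```

Without number matching the blind approval in `simulate_fatigue_attack` succeeds; with it enforced the same tap is rejected, while `push_bombing_suspects` still surfaces the burst of prompts for investigation.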

Some services will begin deploying the changes starting this week and "users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Authenticator push notifications in advance."

The number matching also will work in other scenarios with Authenticator, including self-service password reset (SSPR), AD FS adapters (on supported Windows Server versions), and combined MFA and SSPR registration when setting up Authenticator.

For Windows users who don't use Authenticator, their default sign-in method won't change, according to Redmond. ®

Does Copying & Pasting Message “Bypass” Facebook’s Algorithm?

By Craig Haley
https://www.thatsnonsense.com/does-copying-pasting-message-bypass-facebooks-algorithm-fact-check/

A message on Facebook claims that because of a recent “new algorithm”, Facebook users are limited to seeing the same 25 or 26 friends appear on their newsfeed. The message goes on to urge readers to copy the same message to their own timeline in order to “bypass” that algorithm and see more users on their newsfeed.

FALSE

The message has been spreading since 2018. Examples of it can be seen below – 

Hello! Thanks for the tips to bypass FB…it WORKS!! I have a whole new news feed. I’m seeing posts from people I haven’t seen in years. Here’s how to bypass the system FB now has in place that limits posts on your news feed. Their new algorithm chooses the same few people – about 25 – who will read your posts. Therefore, Hold your finger down anywhere in this post and “copy” will pop up. Click “copy”. Then go your page, start a new post and put your finger anywhere in the blank field. “Paste” will pop up and click paste. This will bypass the system. Hi new and old friends! Missed you!

Collected November 2018

Fixed my blocked posts I wondered where everybody had been! This is good to know: It’s ridiculous to have 516 friends and only 25 are allowed to see my post. I ignored this post earlier, because I didn’t think it worked. It WORKS!! I have a whole new news feed. I’m seeing posts from people I haven’t seen in years. Here’s how to bypass the system FB now has in place that limits posts on your news feed. Their new algorithm chooses the same few people – about 25 – who will read your posts. Therefore, Hold your finger down anywhere in this post and “copy” will pop up. Click “copy”. Then go your page, start a new post and put your finger anywhere in the blank field. “Paste” will pop up and click paste. This will bypass the system.

Collected October 2019

Thanks for the tip to circumvent Facebook… Works!! I have a whole new profile. I see posts from people I didn’t see anymore. Facebook’s new algorithm picks the same people – around 25-who will see your posts. Hold your finger anywhere in this post and click ” copy “. Go to your page where it says ” what you’re thinking “. Tap your finger anywhere in the empty field. Click paste. This is going to circumvent the system. Hello new and old friends! Drop a single hello, thanks 

Collected June 2020

Thanks for the tip to circumvent Facebook…OO5251839 Works!! I have a whole new profile. I see posts from people I didn’t see anymore. Facebook’s new algorithm picks the same people – around 25-who will see your posts. Hold your finger anywhere in this post and click ” copy “. Go to your page where it says ” what’s on your mind”. Tap your finger anywhere in the empty field. Click paste. This is going to circumvent the system. Hello new and old friends!Hello Drop a single hello, thanks! PLEASE SAY HELLO IF YOU SEE THIS. Hello to all!

Collected May 2021

To be clear, the above messages are entirely nonsense, and just a spin-off from similar, older messages that were also inaccurate.

Facebook’s newsfeed is designed to show you more content from friends you engage with regularly, and less content from friends you engage with rarely. That’s been the case since the early beginnings of the social media platform. This doesn’t mean you’re being “limited” to the number of friends you can see, instead it means that Facebook places a higher priority on certain types of friends that the platform assumes you’ll be more interested in.

Consequently, there is no “new algorithm” from Facebook, much less an algorithm to “bypass”. You’re not limited to 25 or 26 friends (this number appears entirely arbitrary). 

And even if Facebook did introduce some friend-limiting new algorithm into the newsfeed (they haven’t) you wouldn’t be able to somehow bypass it simply by copying some random warning message.

The roots of this hoax started in 2017 when the same claim (about being limited to 25/26 friends) began to circulate. Those earlier hoaxes differed slightly by asking readers to comment with an emoji or type “hi”. Those messages were based on the hazy reasoning that because Facebook looks for engagement between friends when deciding who appears on whose newsfeed, typing “hi” as a comment should suffice. The problem, however, is that Facebook looks for meaningful engagement, meaning such posts were unlikely to have any significant effect.

However, by 2018, the messages had evolved (to the examples above) and were simply claiming that you could “bypass” a “new algorithm” simply by copying and pasting a message (the request to type a comment now omitted.)

That is, of course, entirely nonsense. There is no special attribute or quality that any of the messages above possess that would allow them to bypass any type of algorithm that will result in more people appearing on a person’s newsfeed.

As we always say, if you want a particular friend (or friends) to appear in your newsfeed more often, you should engage with them on Facebook, which could mean speaking through Messenger, commenting, liking or sharing each other’s posts or tagging each other in photo or video.

Users who speak with lots of friends will see more friends appear on their newsfeed. Users who interact with only a small number of friends on a regular basis will see fewer friends on their newsfeed. It really is that simple.

Twitter Now Charging For SMS Two Factor Authentication

By Craig Haley
https://www.thatsnonsense.com/twitter-now-charging-for-sms-two-factor-authentication-in-the-news/
February 18, 2023

Twitter users be aware – unless you’re coughing up the monthly fee for the Twitter Blue subscription service, you will no longer be able to use SMS-based two factor authentication to secure your online account.

We’ve long been recommending that our readers always enable two-factor-authentication (2FA) for all their important online accounts. It’s a security measure that adds another layer of security to your account by requiring more than just the password to gain access. In most cases you also need a separate code or PIN that is sent to (or generated by) a device that you own, such as your phone.

This means that even if crooks get a hold of your password (either by malware, data breaches, social manipulation or phishing attacks) they still can’t access your account. (More on two factor authentication here.)

So it’s perhaps a little perplexing that Twitter has announced this week that it is scaling back its two-factor-authentication features by only allowing its paying subscribers access to the most popular 2FA method – SMS 2FA. SMS-based 2FA means having a text message sent to your phone with a PIN, which needs to be entered along with the account password to login.

Twitter vaguely claimed in a blog post on its site that the method was being exploited by “bad actors”. 

Twitter users using SMS 2FA will have until March 20th of this year to switch to a different 2FA method (or, of course, become a paying “Twitter Blue” subscriber) else face the 2FA feature of their account being automatically disabled altogether.

Twitter users are being asked to remove SMS 2FA from their accounts

That’s not a particularly great move, of course. It’s estimated that around 75% of Twitter users with 2FA enabled are using the SMS option. While many will choose to change their 2FA approach, the bottom line is that on March 20th Twitter will be rendering a hefty number of accounts on their own platform less secure.

So what are the other 2FA options? Well you can use a physical security key, which is a far less popular option, or you can install an authentication app on your mobile device. An authentication app generates a code for you that you can type in when logging in, instead of a code being sent using SMS.

We strongly recommend securing your account with 2FA. It really is one of the most effective security measures you can take. And unless you’re paying Twitter a monthly subscription, this will now likely mean using an authentication app.

Protect your email with DropSuite

Are you one of thousands of people who have a false sense of security that your cloud data is safe and sound? Many people think that if they use a platform like Microsoft 365 or Gmail/GoogleDrive that it doubles as a data backup.

Cloud storage and cloud backup are two very different things. When you’re syncing with a cloud platform like OneDrive, files are “live,” meaning they can be edited or deleted.

Cloud backup, on the other hand, takes a snapshot of all your files and securely stores them by backup date. This allows you to restore files as they were on a specific moment in time. 

51% of companies have reported they’ve lost data in the cloud. Data loss can mean thousands of dollars in losses and lost productivity trying to recreate data that you didn’t save. In the case of cloud data, companies can feel even more of an impact these days because most have migrated a majority of their data to the cloud. It’s vital that you don’t leave cloud data out of your company’s backup and recovery strategy, or you could be left with a major loss that could impact your business for years to come.

Cloud Providers Recommend You Back Up Data

Cloud providers aren’t impervious to outages or server crashes, which means you could be without your data if they’re having a problem. Even large cloud application providers recommend that users back up data that is stored in their platforms. For example, the Microsoft Services Agreement states, “In the event of an outage, you may not be able to retrieve Your Content or Data that you’ve stored. We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.”

DropSuite is a great product that backs up your entire M365, Google Workspace, Exchange Online or Gmail accounts for a small cost per month. 

Email me for a quote or more information

Microsoft announces global price rise

Consistent global pricing for the Microsoft Cloud

05/01/2023 | Microsoft Reporter

Today, we are announcing that Microsoft is taking several steps to align the pricing of our Microsoft Cloud products globally, meaning customers will have consistent pricing reflecting the exchange rate of the local currency to the US dollar (USD). Starting April 1, 2023, pricing for Microsoft Cloud products will be adjusted in the following currencies:

GBP: +9%
DKK, EUR and NOK: +11%
SEK: +15%

In the future, Microsoft will assess pricing in local currency as part of a regular twice a year cadence, taking into consideration currency fluctuations relative to the USD. This will provide increased transparency and predictability for customers globally and move to a pricing model that is most common in our industry.

The Microsoft Cloud continues to be priced competitively, and Microsoft remains deeply committed to the success of its customers and partners. We will continue to invest to enable customers to innovate, consolidate and eliminate operating costs, optimize business performance and efficiency and provide the foundation for a strong security strategy that customers around the world have come to rely on.

Common Sense will help avoid a cyber disaster
Common sense may actually not be so common after all, especially in the digital world, where millions of consumers get conned every day.

Phishing for users’ personal information via email, texts, and phone calls has become part of our daily lives. However, applying sound judgment online stops fraudsters from stealing your data and money.

In cybersecurity, common sense dictates that you should:

Using common sense can save you a lot of trouble online. Be aware, be cautious and be sensible!

PR PC Support - Protect

'Protect' from PR PC Support is made up of 3 products and is designed to give your Microsoft 365 subscription the ultimate protection from malicious attacks, ransomware and phishing attacks. 
If you don’t back up your Microsoft cloud data, your business could be at risk of massive exposure for the simple reason that Microsoft does not provide the ability to recover data that has been accidentally or maliciously deleted or corrupted.

The recycle bin is fine for short-term and item-level recovery, but doesn’t provide the ability to perform a point-in-time recovery of lost or corrupt data. 

As data storage services, SharePoint and OneDrive are not only prone to sync errors, and accidental or malicious data loss, they’re also at risk from malware and ransomware such as CryptoLocker. 

Get in touch for more information or a quote.