Business Info - issue 131 - page 7

AGENDA
Hackers could spy on
meetings warns Context
Criminals can gain a treasure trove of
sensitive information by listening in to
board meetings, warns Context Information
Security, after its researchers demonstrated
that some conference phone systems might
be at risk from hackers.
The Context team managed to gain root
access and take full control of a Mitel MiVoice
Conference and Video Phone (also known as
the Mitel UC360), potentially enabling them
to eavesdrop on meetings without alerting the
room’s occupants, to disable the mute button
so that private discussions are audible to
everyone on the call and to maintain a remote
backdoor into the network environment.
Neil Biggs, head of research at Context,
said: “Conference phones are ubiquitous in
modern offices and are often found in less
secure areas such as meeting rooms, where
they are privy to sensitive discussions, whether
hosting a call or just sat on the table. They also
present an interesting attack surface, often
in segregated VLANs that aren’t visible to an
infrastructure penetration test and so may
get overlooked. It’s possible that organisations
with a mature security posture might overlook
the security of these kinds of devices, but it’s
important to have them tested.”
Context reported these issues to Mitel
at the end of last year, along with a remote
exploit that caused the device to reboot,
and reports that the company was quick to
respond and provide mitigation advice,
long-term fixes and coordinated disclosure.
At present, the following mitigations should
be applied to prevent the attack described:
- Configure static configuration and software URLs;
- Ensure Ethernet Debugging is disabled; and
- Configure a strong admin password to prevent access to the admin menu.
Researchers develop
solution for one-handed
texting
Despite being at opposite ends of the mobile
device spectrum, the increasingly large
screens of ‘phablets’ and the tiny screens of
wearable devices have one thing in common –
they make it very hard to text with one hand.
Now, computer scientists at the University of
St Andrews have come up with a solution called
SWiM (ShapeWriting in Motion), which extends
‘shape writing’ gesture keyboards to support
input by tilt. Instead of spelling out a word by
sliding your finger across an on-screen keyboard,
SWiM lets users input text by using the wrist
motion of the dominant hand to move a pointer
ball across the keyboard.
Professor Aaron Quigley, chair of human
computer interaction at the University’s School
of Computer Science, said: “When we consider
phablets, it’s difficult to hold them firmly in one
hand, let alone interact with them. This is due in
part to the limited functional area of the thumb,
which makes it difficult to reach all areas of the
screen. In addition, unintended touches from the
palm area may occur.
“These problems will be exacerbated if the
trend of larger mobile phone screens continues.
Yet, there are many occasions when the user’s
other hand is encumbered or not available,
perhaps due to a disability or when holding a bag,
a cup of coffee or an umbrella.”
In a pilot study, first-time users of SWiM
achieved a rate of 15 words per minute (wpm)
after minimal practice, increasing to 32 wpm
after approximately 90 minutes of use.
Hot-desking leaves office workers cold
Hot-desking is a popular way for businesses to cut the cost of running an office by as much
as 30%. But it has considerably less appeal for office workers. In a survey by Reboot Online
Marketing:
- 81% said they would prefer to have their own desk or workstation;
- 75% said that hot-desking produced no improvement in cross-departmental relations and collaboration;
- 66% said that they hadn’t made new contacts of any value from sitting next to or around individuals from other teams/departments; and
- 59% thought the morale of their own team/department had declined as a result of hot-desking.
Employees too trusting of
email
Employees in major
UK businesses are
leaving themselves
vulnerable to the
most common form
of cyber-attack,
warns cyber security
firm Glasswall
Solutions.
Its research shows
that office workers in
mid-to-large UK businesses are too trusting of
email attachments, with 58% regularly opening
attachments from unknown senders despite the
risk of malicious exploits hidden inside common
file-types.
More than four out of five (83%) say they
always open attachments that appear to be
from a known contact, even though hackers
increasingly disguise malicious emails to look as
if they have come from someone the recipient
knows.
One third (34%) of UK office workers say
their business has been victim of a cyber-attack;
76% have received email attachments that were
suspicious.
Greg Sim, CEO of Glasswall Solutions, says
the vulnerability of email highlights the need for
new forms of protection. “Conventional anti-virus
and sandboxing solutions are no longer effective
and relying on the vigilance of employees clearly
leaves a business open to devastating cyber-
attacks,” he said.
Businesses forget human
role in cyber risk
When it comes to managing cyber
risk, businesses need to focus more on
employees and company culture, says Willis
Towers Watson, a global advisory, broking
and solutions company.
It warns that many organisations are
continuing to focus on the technology aspect
of cyber defence at the expense of people risks,
which represent the largest source of data
breach claims.
The company’s claim data shows that
employee negligence or malicious acts account
for two-thirds (66%) of cyber breaches,
compared to just 18% caused by an external
threat.
In response to these research findings, Willis
Towers Watson has launched a Cyber Risk Culture
Survey designed to provide a clear picture of
an organisation’s internal risk culture, with a
particular focus on where it might be most
vulnerable to employee-driven cyber incidents.