In a blog post, Mr Hunt suggested attackers could redirect visitors trying to access NatWest’s online banking service, from the official address nwolb.com to something visually similar such as nuuolb.com.
Shortly afterwards, NatWest registered the nuuolb.com web address. But Mr Hunt, who has previously testified before US Congress on matters of cyber-security, said the bank had missed the point.
“We’re seeing ‘Not secure’ next to the address bar,” he said. “I would opine that ‘Not secure’ is not what you want to see on your bank.”
A spokesman for RBS, which owns NatWest, told the BBC: “We take the security of our services extremely seriously. While we do not currently enforce HTTPS on some of our websites, we are working towards upgrading this in the next 48 hours.
“Our online banking channel is secured with HTTPS.”
Security researchers found several other major banks did not use HTTPS on their homepages.
First Direct told the BBC: “This functionality is something we’re currently reviewing.”
Lloyds Banking Group said the websites for Lloyds and Halifax did typically use HTTPS, but also “allowed HTTP access” if people typed in the web address manually.
“We are in the final stages of correcting this and expect it to be resolved this week,” a spokesman told the BBC.
Tesco Bank has not responded to the BBC’s request for comment.
What’s the problem?
Online banking websites use HTTPS connections to help keep customer data private.
When a website uses HTTPS (Hypertext Transfer Protocol Secure), the information sent between your device and the website is encrypted and integrity-protected, so anyone intercepting it can neither read it nor alter it in transit. A page served over plain HTTP has neither protection.
However, security researchers found several banks did not use HTTPS on the rest of their websites, including the homepage on which visitors land.
NatWest originally tweeted that it did not use HTTPS on its homepage because it only contained “general information”.
But the researchers suggested that without HTTPS an attacker positioned on the network path, for example on the same public wi-fi network or at a compromised router, could modify elements of a bank’s homepage before they reach the browser. They could point the login link at a fake online banking site and steal the credentials typed into it.
“The homepage is insecure so you can’t trust anything on it,” said Mr Hunt.
“This is a banking website. No excuses,” added Stephen Kellett, from security firm Software Verify. “All pages, whether performing transactions, the homepage, the about page, the whole lot, they should all be secure. Why? Because they all launch the login page.”
How credible is the threat?
“There are various ways this can be exploited, to lure the client on to a phishing website,” said Dr Mark Manulis, from the Surrey Centre for Cyber-security.
A phishing page is designed to look like a legitimate website to trick people into handing over personal information.
“It’s possible to spoof the website and create a fake login button. Phishing attacks for a long time have been a major threat and can be quite sophisticated. This makes such attacks easier.”
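The two points the researchers make above, that a plaintext homepage can be silently rewritten and that the only safe answer on port 80 is a redirect to HTTPS, are easy to show with a few lines of code. The following is an added example written for this page, not code from the article, the researchers or any bank. It parses constructed HTTP responses (no network access; hostnames such as example-bank.test are placeholders, not real bank domains), classifies what a visitor who types the bare address receives, reads the HSTS max-age from an HTTPS response, and demonstrates the on-path tampering: rewriting every link to the real login host so it points at a lookalike and fixing Content-Length so the browser accepts the altered page.

```python
import re
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_code = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def classify_plaintext_response(raw: bytes, host: str) -> str:
    """Verdict on what a visitor who types the bare hostname gets on port 80.

    'redirect_to_https'  - the only acceptable answer for a bank homepage
    'redirect_elsewhere' - bounced to another plaintext URL or off-host
    'served_in_clear'    - any other answer: content delivered over HTTP,
                           which an on-path attacker can alter at will
    A Strict-Transport-Security header on a plaintext response is ignored
    by browsers, so HSTS is checked on the HTTPS response (hsts_max_age).
    """
    status, headers, _ = parse_http_response(raw)
    if status in REDIRECT_CODES:
        target = urlparse(headers.get("location", ""))
        if target.scheme == "https" and target.hostname == host:
            return "redirect_to_https"
        return "redirect_elsewhere"
    return "served_in_clear"


def hsts_max_age(raw: bytes) -> int:
    """max-age from Strict-Transport-Security on an HTTPS response, 0 if absent.

    A non-zero value means the browser will refuse plain HTTP to this host on
    later visits even if the user types the address without https://.
    """
    _, headers, _ = parse_http_response(raw)
    m = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""))
    return int(m.group(1)) if m else 0


def tamper_response(raw: bytes, legit_host: str, phishing_host: str) -> bytes:
    """What an on-path attacker can do to a homepage served over plain HTTP.

    Every href pointing at legit_host is rewritten to phishing_host and
    Content-Length is recomputed so the browser renders the altered page.
    Nothing in plain HTTP lets the browser detect the change; over HTTPS the
    record authentication would reject the modified bytes.
    """
    _, _, body = parse_http_response(raw)
    link = re.compile(rb'href="https?://' + re.escape(legit_host.encode()) + rb'(/[^"]*)?"')
    new_body = link.sub(
        lambda m: b'href="http://' + phishing_host.encode() + (m.group(1) or b"/") + b'"',
        body,
    )
    head, _, _ = raw.partition(b"\r\n\r\n")
    new_head = re.sub(
        rb"(?im)^content-length:\s*\d+",
        b"Content-Length: " + str(len(new_body)).encode(),
        head,
    )
    return new_head + b"\r\n\r\n" + new_body


# Constructed sample responses (placeholders, not captured from any real site).
_BODY = b'<html><body><a href="https://secure.example-bank.test/login">Log in</a></body></html>'
HOMEPAGE_HTTP = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: "
    + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY
)
REDIRECT_HTTP = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example-bank.test/\r\nContent-Length: 0\r\n\r\n"
)
HTTPS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(classify_plaintext_response(HOMEPAGE_HTTP, "www.example-bank.test"))
    print(classify_plaintext_response(REDIRECT_HTTP, "www.example-bank.test"))
    print(hsts_max_age(HTTPS_RESPONSE))
    print(tamper_response(HOMEPAGE_HTTP, "secure.example-bank.test",
                          "secure-example-bank.test").decode())
```

The redirect check insists the Location target is https on the same host: a redirect to another plaintext URL, or to an unrelated host, would still leave the visitor exposed. Run the script to see the rewritten page; the login link now points at the lookalike host and the headers still validate.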
Dozens of British schools’ heating systems have been found to be vulnerable to hackers, according to a probe by a security research firm.
Pen Test Partners says the problem was caused by the equipment’s controllers being connected to the wider internet, against the manufacturer’s guidelines.
It says it would be relatively easy for mischief-makers to switch off the heaters from afar.
But an easy fix, pulling out the network cables, can address the threat.
Even so, the company suggests the discovery highlights that building management systems are often installed by electricians and engineers who need to know more about cyber-security.
“It would be really easy for someone with basic computer skills to have switched off a school’s heating system – it’s a matter of clicks and some simple typing,” Pen Test’s founder Ken Munro told the BBC.
“It’s a reflection of the current state of internet-of-things security.
“Installers need to up their game, but manufacturers must also do more to make their systems foolproof so they can’t be set up this way.”
The cyber-security company made its discovery by looking for building management system controllers made by Trend Control Systems via the internet of things (IoT) search tool Shodan.
It knew that a model, released in 2003, could be compromised when exposed directly to the net, even if it was running the latest firmware.
Trend Control Systems responded to criticism that it could have done more to check, after the fact, that its kit had been properly installed.
“Trend takes cyber-security seriously and regularly communicates with customers to make devices and connections as secure as possible,” said spokesman Trent Perrotto.
“This includes the importance of configuring systems behind a firewall or virtual private network, and ensuring systems have the latest firmware and other security updates to mitigate the risk of unauthorised access.”
He added, however, that the company would “assess and test the effectiveness” of its current practices.
One independent security researcher played down the threat to those still exposed, but added that the case raised issues that should be addressed.
“The risk is limited because criminals have little incentive to carry out such attacks, and even if they did it should be possible for building managers to notice what is happening and manually override,” said Dr Steven Murdoch, from University College London.
“However, these problems do show the potential for far more dangerous scenarios in the future, as more devices get connected to the internet, whose failure might be harder to recover from.
“And we still need manufacturers to design secure equipment, because even if a device is not directly connected to the internet, there almost certainly is an indirect way in.”
Engineers at a small British internet service provider have successfully made a broadband connection work over 2m (6ft 7in) of wet string.
The connection reached speeds of 3.5Mbps (megabits per second), according to the Andrews and Arnold engineer who conducted the experiment.
The point of the experiment appears to have been purely to see if it was achievable.
The firm does not believe there is a way to exploit the finding.
“To be honest it was a bit of fun, which one of our techies decided to try out – we have equipment we could test in the office, and why not?” Adrian Kennard, the internet provider’s director, told the BBC.
“There is no commercial potential that we are aware of.”
“What it does show, though, is how adaptive ADSL really is. This can be important when it comes to faulty lines with bad (or even disconnected) joints still providing some level of broadband service.”
An asymmetric digital subscriber line (ADSL) is used by nearly half of premises in the UK. It works by splitting a single copper telephone line into separate voice and data channels.
The string used in the experiment was first soaked in salty water, chosen because salt water is a good conductor of electricity.
Prof Jim Al-Khalili from Surrey University’s department of physics explained how it worked: “Although wet string is clearly not as good a conductor of electricity as copper wire, it’s not really about the flow of current.
“Here the string is acting as a waveguide to transmit an electromagnetic wave. And because the broadband signal in this case is very high frequency it doesn’t matter so much what the material is.”
Matthew Howett, principal analyst at research firm Assembly said: “While we often get tied up in knots over whether it should be fibre to the street cabinet or fibre all the way to the home, one thing’s for certain and that’s that this isn’t going to make it into the mix of technologies companies like Openreach or Virgin Media will be using.”
“Meghan Markle”, fiancee to Prince Harry, has been revealed by Google as the top most searched term in the UK for 2017.
It puts the royal bride-to-be ahead of “iPhone 8” and “Hurricane Irma” in the list of top search terms.
The Manchester bombing and Grenfell Tower also featured in the top 10.
The UK election featured heavily in the list of top “What is…?” queries, with people asking about a hung Parliament and the Democratic Unionist Party.
“Bitcoin” became one of the year’s buzzwords and “What is Bitcoin?”, “How to buy Bitcoin” and “How to mine bitcoins” all appeared on trending lists, as the crypto-currency rose in value through the year.
The online lists also reflected some of the key playground trends of 2017 – including the toy known as a “fidget spinner”, which made it to number four in most searched terms, and the rise in popularity of making home-made slime, which featured in the “How to…” list.
According to Google, searches beginning in “how” increased by 150% over the last decade, hitting an all-time high in 2017.
Top trending news events included the Manchester bombing and the London Bridge attack, with the top global news trends including North Korea, the Las Vegas shooting and Catalonia’s bid for independence.
“People aren’t only using Google Search to find information about the topics that matter to them. They’re increasingly searching for ways to take action and find out how to do things – including how to donate or volunteer in moments of crisis,” said Hannah Glenny, a Google Search trends expert.
Meghan Markle also featured on the top trending “people” queries, followed by Tara Palmer-Tomkinson, who died in February. Donald Trump made it to only number six on the list.
In global search, the number one most searched term was “Hurricane Irma”, followed by “iPhone 8” and “iPhone X” in second and third place.
Google UK top trending searches of 2017:
7. 13 Reasons Why
Google UK top trending ‘What is…?’ queries of 2017:
Lectures by a radical Islamist cleric linked to the 9/11 attacks and other jihadist content have been discovered on LinkedIn.
The business-focused social network was alerted to the issue after an investigation by the Tony Blair Institute for Global Change.
The Microsoft-owned business has since removed the material.
But it faces criticism for not having taken a more proactive stance ahead of the discovery.
According to the former prime minister’s research body – whose remit includes counter-extremism – some of the documents had been on LinkedIn for eight years.
The researcher who made the discovery, earlier this month, said there had been no obvious way to flag the problem to the technology company, and ultimately relied on the Times newspaper to bring it to Microsoft’s attention.
“Platforms must ensure that sufficient, effective reporting mechanisms are in place,” Mubaraz Ahmed told the BBC.
“The likes of Facebook, Twitter, and Google have taken demonstrable and effective steps to counter terrorists’ use of the internet, but other platforms must not ignore the risks or become complacent.”
Calls to violence
A total of 18 jihadist documents uploaded between 2009 and 2016 were discovered by Mr Ahmed on LinkedIn’s Slideshare service.
Before they were removed, they had collectively attracted more than 21,000 views.
a lecture arguing democracy is in contradiction to Islam
a call for Muslims to commit violence and seek martyrdom
a demand Muslims help finance jihadist activities
an order for retaliation against cartoons depicting the Prophet Muhammad
advice that children do not need their parents’ permission to engage in jihadist activities
The authors included Anwar al-Awlaki, a radical American cleric who met two of the 11 September 2001 hijackers before their attack, as well as being linked to other plots before his death in 2011.
Hidden software that can record every letter typed on a computer keyboard has been discovered pre-installed on hundreds of HP laptop models.
Security researcher Michael Myng found the keylogging code in software drivers preinstalled on HP laptops to make the keyboard work.
HP said more than 460 models of laptop were affected by the “potential security vulnerability”.
It has issued a software patch for its customers to remove the keylogger.
The issue affects laptops in the EliteBook, ProBook, Pavilion and Envy ranges, among others. HP has issued a full list of affected devices, dating back to 2012.
In a statement, the company said: “HP uses Synaptics’ touchpads in some of its mobile PCs and has worked with Synaptics to provide fixes to their error for impacted HP systems, available via the security bulletin on HP.com.”
‘Loss of confidentiality’
Mr Myng discovered the keylogger while inspecting Synaptics Touchpad software, to figure out how to control the keyboard backlight on an HP laptop.
He said the keylogger was disabled by default, but an attacker with access to the computer could have enabled it to record what a user was typing.
According to HP, it was originally built into the Synaptics software to help debug errors.
It acknowledged that could lead to “loss of confidentiality” but it said neither Synaptics nor HP had access to customer data as a result of the flaw.
Scan your eyes over Apple’s just-published list of the year’s most popular iPhone apps, and there’s one notable omission: Shazam.
In fact, it’s been a while since the song-identifying software squeezed its way into the iOS App Store’s top 10.
So, why has Apple confirmed it is “combining” its business with that of the smaller London company?
It has not revealed the price it is paying, but the sum is rumoured to be as much as $400m (£300m), which would make it one of Apple’s most expensive takeovers to date.
The US technology giant also hasn’t disclosed its motivations beyond saying that it has “exciting plans in store”.
But there are several reasons the deal may have appealed.
Apple’s smart assistant, Siri, already taps into Shazam, allowing users to verbally ask: “What song is playing?” and has done so for more than three years.
But with growing competition between Apple Music and Spotify – which also ties into Shazam – Apple may have felt the need to secure the service rather than risk its Swedish rival or some other company buying it first.
Apple has said that Shazam is a “natural fit” for its streaming music platform.
Some, however, believe that the real value of the acquisition isn’t Shazam’s technology – which Apple could presumably have developed a version of itself for a smaller sum – but rather the data Shazam has gathered for more than a decade about its millions of users.
“Spotify has made the discovery of new music front and centre of what makes it a compelling proposition,” said Mark Mulligan, from the consultancy Midia Research.
“Apple just doesn’t have the same amount of data about listening tastes as Spotify, meaning it can’t drive recommendations with as high a degree of accuracy and precision.
“Shazam essentially gives it a shortcut to having a massive database.”
Music forms a major pillar of Apple’s business – not just its song subscription service, but also its:
So, locking in one of the key song-discovery services and potentially deepening the way Shazam ties into Apple’s wider ecosystem has a certain logic.
Apple will be mindful that first Google Now and subsequently Google Assistant have used in-house technology to let Android users identify songs.
That helped the search giant add a clever feature to its recently released Pixel 2 phone: the handset proactively shows the name of songs it hears on its home screen without waiting to be asked.
Moreover, it does this without requiring an active internet connection thanks to it periodically updating an on-device database of tens of thousands of tracks, and carrying out the whole song-matching process on the phone.
To let Siri replicate the trick or add innovations of its own, Apple might have felt it needed to bring Shazam in-house.
Apple has long portrayed itself as a company that goes the extra mile to protect its users’ privacy, so it would presumably reject the idea of allowing a third-party to run an always-listening service on its devices.
Apple’s Homepod smart speaker – a rival to the Amazon Echo and Google Home – has had its release date delayed despite the hardware being unveiled back in June.
That points to the problem being with its software.
Perhaps some of Shazam’s audio-recognition technology might provide a quick fix, or at the very least Apple might believe it could add extra capabilities in the future.
The technology superimposes graphics over real-world views captured by a smartphone’s camera and is something Apple’s chief executive, Tim Cook, is particularly keen on.
He has repeatedly called AR more “profound” than virtual reality, which limits users to computer-generated views.
Shazam has focused on offering its AR capabilities to brands.
Fanta has used it as a way to let users bring posters for its soft drinks to life, while if users held their phone over a bottle of Bombay Sapphire gin they could see images of its ingredients grow out of its sides before prompting them to explore cocktail recipes.
Another British start-up, Blippar, has already demonstrated that merging real-world object recognition and AR has uses beyond advertising – it offers a way to show information about people seen standing nearby.
Perhaps, Apple is keen to build on Shazam’s efforts to develop killer features of its own for the launch of its much-rumoured AR glasses.
About half a million children and young people gamble every week, a Gambling Commission report is expected to show.
The regulator has warned that children as young as 11 are using so-called skin betting websites, which let players gamble with virtual items as currency.
The items won – usually modified guns or knives within a video game, known as skins – can often be sold and turned back into real money.
The Gambling Commission is releasing its annual survey on Tuesday.
It is estimated that half of the UK online population – more than 30 million people – play video games.
Valve ordered to tackle ‘skin betting’
‘Remove gambling ads appealing to children’
Some students ‘have £10,000 gambling debt’
The Gambling Commission said it had identified third-party websites that enabled players to gamble their skins on casino or slot machine type games, and that the skins won could later be sold and turned into real-world money.
It said cracking down on the industry was a top priority.
‘Struggle buying food’
Aberystwyth University student Ryan Archer’s love of gaming spiralled into gambling when he was 15 and he became involved in skin betting.
Four years later he has lost more than £2,000.
“I’d get my student loan, some people spend it on expensive clothes, I spend it on gambling virtual items,” he said.
“There have been points where I could struggle to buy food, because this takes priority.”
Ryan wanted to build an inventory of skins, but when he could not afford the price tag attached to some of them he began gambling on unlicensed websites to try to raise money.
He said: “It’s hard to ask your parents for £1,000 to buy a knife on CSGO (the multiplayer first-person shooter game Counter Strike: Global Offensive), it’s a lot easier to ask for a tenner and then try and turn that into £1,000.”
In CSGO, players can exchange real money for the chance to obtain a modified weapon known as a skin and a number of gambling websites have been built around the game.
“You wouldn’t see an 11-year-old go into a betting shop, but you can with this, there’s nothing to stop you,” Ryan said.
What is skin betting?
Skins are collectable, virtual items in video games that change the appearance of a weapon – for example, turning a pistol into a golden gun.
Sometimes skins can be earned within a game, but they can also be bought with real money.
Some games also let players trade and sell skins, with rarer examples attracting high prices.
A number of websites let players gamble with their skins for the chance to win more valuable ones.
Since skins won on such a website could theoretically be sold and turned back into real-world money, critics say betting with skins is unlicensed gambling.
Sarah Harrison, chief executive of the Gambling Commission, said: “Because of these unlicensed skin betting sites, the safeguards that exist are not being applied and we’re seeing examples of really young people, 11 and 12-year-olds, who are getting involved in skin betting, not realising that it’s gambling.
“At one level they are running up bills perhaps on their parents’ Paypal account or credit card, but the wider effect is the introduction and normalisation of this kind of gambling among children and young people.”
Earlier this year, the Gambling Commission for the first time prosecuted people for running an unlicensed gambling website connected to a video game.