2 Factor Authentication – what it is and why you should use it.

This month our Information and IT Security Officer, Graeme Wolfe, looks at 2 Factor Authentication (2FA) and wonders why so few people enable and use this valuable security feature.

2 Factor Authentication, or 2FA, is an additional security measure that requires two separate steps to log into an online account. It extends the login process so that a username and password alone are not enough to get in. The second step can take the form of a code texted to your phone, an app or token that generates a changing number, a hardware key, a card reader of the kind banks supply, or even a pre-printed one-time code.

Two factor authentication guards against the commonest online security problem: stolen usernames and passwords. It demands that each user supply something they know (the password) as well as something they have (a code delivered to a personal phone, or generated by a token or card reader). If your username and password have been compromised, an attacker still cannot log in without that second factor. Not all second factors are equal, though: a code sent by text message can be intercepted or redirected by an attacker who takes over your phone number, so where a site offers an authenticator app or a hardware key, prefer that to SMS.

Two factor authentication is now offered by most banks, email providers and many other online services, but at the Enigma 2018 security conference in the USA a Google engineer revealed that fewer than 1 in 10 Gmail users have enabled it on their accounts.

Google has spent a lot of time and money promoting its 2FA offering, or 2-Step Verification as it prefers to call it, but it appears few people use it.

When asked why they did not simply make it mandatory, Google's answer was much the same as that of many other organisations: customers resist the extra step. Some organisations have even reduced their security measures to speed up the user experience, but that is a straightforward trade of security for convenience.

So if any of your accounts offers 2FA, I suggest you enable it; in the long run it will help prevent your accounts from being compromised.

Graeme Wolfe

Information and IT Security Officer



Meltdown and Spectre – What you need to know

This month our Information and IT Security Officer, Graeme Wolfe, looks at two new security vulnerabilities that have made the headlines over the New Year.

You may have seen or heard the names Meltdown and Spectre in the news and thought they were just titles of the latest action adventure films. In reality they are serious security flaws in the way modern processors (CPUs) run code: a performance feature called speculative execution can be abused to read memory holding sensitive data such as usernames, passwords and the encryption keys behind secure web connections.

The problems lie in the design of the chip hardware itself rather than in any one piece of software. Affected chips from Intel and AMD are in desktops, laptops, servers and some tablets, and affected chips from ARM are in most smartphones and tablets.

Meltdown and Spectre are both processor-level vulnerabilities that make it possible for ordinary user-mode code, which might include malware or even malicious JavaScript served through rogue adverts on web sites, to read from protected kernel memory, where passwords, login cookies and other secrets live, or from other areas of memory it should be blocked from accessing.

The vulnerabilities have been rated 'Critical' and affect just about every computer or device with a processor made since 1995! This includes all brands and makes of device. So whether you have a Dell, HP or Apple Mac, an iPhone or an Android phone, even if you run Linux, you are likely to be affected. It has also affected all the major cloud service providers, such as Google, Amazon and Microsoft, whose servers run many customers' code side by side on the same chips.

All the major companies in this field have been working on fixes since the researchers reported the flaws to them in the middle of last year. A number of security patches have been released to address Meltdown, which mainly affects Intel CPUs. Spectre is proving harder to fix, because it depends on how the processor itself behaves rather than on one operating-system feature, so mitigations are arriving piecemeal through operating system, browser and CPU microcode updates.

You may also have heard claims that the patches slow machines down by up to 30 per cent. If you do a lot of processor-intensive 'data crunching' or play a lot of immersive games, you may see a slowdown, because the Meltdown fix makes every switch between a program and the operating system more expensive. For most of us who just send messages, email and surf the web, the change is unlikely to be noticeable. I have updated my phone and all my other devices already and haven't noticed any dramatic change in performance.

There is currently no known malware exploiting either flaw in the wild, but the researchers' proof-of-concept code is public, and now that the details are out in the open it will only be a matter of time before 'off the shelf' exploits reach the hacking and criminal community.

The solution, as always, is patch! patch! patch! Make sure your browser is on its latest version as well, since browser makers have shipped changes that make the JavaScript route harder to use. Google, Amazon and Microsoft patched their cloud platforms against Meltdown as soon as fixes were available, and Apple has updated macOS and iOS; they know how important this is. So check whether there are updates available for your own device(s) too.
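As an added practical check (not part of the original post): Linux kernels from version 4.15 onward report what they have done about each of these flaws in the directory /sys/devices/system/cpu/vulnerabilities, one small file per issue containing 'Not affected', 'Vulnerable' (sometimes followed by a description of partial measures) or 'Mitigation: <name>'. The Python below reads that directory and summarises it. The sample contents are constructed here to show all three states and are not taken from any real machine, and the classification works on a plain dict so the logic can be exercised on any system.

```python
import os
from typing import Dict, List, Tuple

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(text: str) -> Tuple[str, str]:
    """Reduce one sysfs entry to (state, detail).

    The kernel writes one of three leading phrases: 'Not affected',
    'Vulnerable' (optionally followed by ': <partial measures>') or
    'Mitigation: <name>'.  Anything else is reported as 'unknown'."""
    line = text.strip()
    if line.startswith("Not affected"):
        return "not affected", ""
    if line.startswith("Mitigation:"):
        return "mitigated", line.split(":", 1)[1].strip()
    if line.startswith("Vulnerable"):
        detail = line.split(":", 1)[1].strip() if ":" in line else ""
        return "vulnerable", detail
    return "unknown", line


def summarise(entries: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Classify every entry; keys are the sysfs file names (meltdown, spectre_v1, ...)."""
    return {name: classify(text) for name, text in sorted(entries.items())}


def unmitigated(entries: Dict[str, str]) -> List[str]:
    """Names of the issues the running kernel says this machine is still exposed to."""
    return [name for name, (state, _) in summarise(entries).items() if state == "vulnerable"]


def read_sysfs(path: str = SYSFS_DIR) -> Dict[str, str]:
    """Read the real directory; empty dict on kernels too old to have it (or on non-Linux)."""
    if not os.path.isdir(path):
        return {}
    entries = {}
    for name in os.listdir(path):
        with open(os.path.join(path, name)) as fh:
            entries[name] = fh.read()
    return entries


# Constructed sample in the kernel's format; not the output of any real machine.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",   # partial measure, still exposed
}

if __name__ == "__main__":
    live = read_sysfs() or SAMPLE          # falls back to the sample where sysfs has no data
    for name, (state, detail) in summarise(live).items():
        print(f"{name:<12} {state:<13} {detail}")
    print("still exposed:", unmitigated(live) or "none")
```

On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module; on a Mac or phone, the only check available is whether the latest OS update is installed.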

Do not put off installing patches from your product supplier, and restart your device once they have downloaded: most patches are not applied until the device restarts. Just closing the lid on your laptop is not enough.

Graeme Wolfe

Information and IT Security Officer


Bitcoin…Bubble or a sign of the future?

This month our Information and IT Security Officer, Graeme Wolfe, looks at the recent rise in Bitcoin values and the security surrounding them.

You may have heard in the news this month about the rise in the value of Bitcoin to over $17,000 for a single bitcoin. Considering that Bitcoin has been around for less than 10 years, and for much of that time was worth tens or hundreds of dollars, you may be wondering what has happened recently. You are not alone.

Bitcoin is a cryptocurrency, not created or regulated by any central bank. New bitcoins are 'mined' by computers competing to find a block whose hash falls below a moving target, a brute-force search known as proof of work; the winner gets to add the next block of transactions to the ledger and is rewarded with newly created coins.

All Bitcoin transactions are recorded on a 'blockchain', a publicly accessible, append-only ledger in which every block commits to the hash of the one before it. Ownership of coins is proved cryptographically: spending them requires a signature made with the owner's private key, and only the holder of that key can produce it.

So far, so secure.
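As an added illustration, not from the original post, the following Python shows what 'mining' and a 'blockchain' actually mean at the smallest scale: proof of work is a brute-force search for a nonce that makes the block's hash fall below a target, and the chain is formed by each block committing to the hash of the previous one, so that changing an old block invalidates everything after it. It is a toy (three blocks, a tiny difficulty, transactions represented as strings, and no transaction signatures), but the mechanics are the real ones.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

GENESIS_PREV = "0" * 64   # the first block has nothing to point back to


@dataclass
class Block:
    index: int
    prev_hash: str           # hex digest of the previous block: this link is the 'chain'
    data: str                # stands in for the block's list of transactions
    nonce: int = 0

    def hash(self) -> str:
        """Double SHA-256 over a canonical serialisation, as Bitcoin hashes its block headers."""
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(hashlib.sha256(payload).digest()).hexdigest()


def target_for(difficulty_bits: int) -> int:
    """A block is valid when its hash, read as a 256-bit integer, is below this target.
    Each extra bit of difficulty halves the target and doubles the expected work."""
    return 1 << (256 - difficulty_bits)


def mine(block: Block, difficulty_bits: int) -> Block:
    """Proof of work: try nonces until the hash falls below the target.  There is no
    equation to 'solve'; the only way to find a nonce is to keep guessing, and that
    cost is what makes rewriting history expensive."""
    target = target_for(difficulty_bits)
    block.nonce = 0
    while int(block.hash(), 16) >= target:
        block.nonce += 1
    return block


def valid_chain(chain: List[Block], difficulty_bits: int) -> bool:
    """Anyone can audit the public ledger: each block must meet the target and
    must commit to the hash of the block before it."""
    target = target_for(difficulty_bits)
    for i, block in enumerate(chain):
        if int(block.hash(), 16) >= target:
            return False
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash()
        if block.prev_hash != expected_prev:
            return False
    return True


def build_chain(entries: List[str], difficulty_bits: int) -> List[Block]:
    """Mine one block per entry, each linked to the block mined before it."""
    chain: List[Block] = []
    for i, data in enumerate(entries):
        prev = GENESIS_PREV if i == 0 else chain[-1].hash()
        chain.append(mine(Block(index=i, prev_hash=prev, data=data), difficulty_bits))
    return chain


if __name__ == "__main__":
    DIFFICULTY = 16   # ~65,000 guesses per block here; Bitcoin's target in early 2018 needed around 70 bits
    chain = build_chain(["genesis", "alice pays bob 1 BTC", "bob pays carol 0.5 BTC"], DIFFICULTY)
    for b in chain:
        print(b.index, b.nonce, b.hash())
    print("valid:", valid_chain(chain, DIFFICULTY))
    chain[1].data = "alice pays bob 100 BTC"   # tamper with history
    print("after tampering:", valid_chain(chain, DIFFICULTY))
```

Note what the tampering check shows: editing one old block changes its hash, so the next block's prev_hash no longer matches and the whole tail of the chain would have to be re-mined, which is exactly the work an attacker cannot afford at Bitcoin's real difficulty.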

However, there are a number of exchanges set up to enable the buying and selling of bitcoins, and this is where the security of the system tends to break down.

People who trade bitcoins usually deposit their coins with one of these exchanges, which then holds the private keys on their behalf so that customers can buy and sell with ease. The security of those coins is then only as good as the exchange's.

This has attracted the attention of thieves and criminals, who see stealing bitcoins as an easy way to make money. Certainly easier than robbing a bank!

In 2014 around $460m was stolen from the Mt Gox exchange; in 2016 Bitfinex suffered a similar loss, and only this month NiceHash suffered a similar breach.

Many of these exchanges were set up with poor security measures in place and, through a combination of technical attacks and social engineering, they have been hacked and the money stolen.

Whether you are trading bitcoins or just using online banking and shopping services, it is vital that you keep your security details safe. Usernames and passwords, cryptographic keys and even simple 'autofill' entries on web sites are all targets for online criminals, so keep them to yourself and be wary of where you enter them online.

Graeme Wolfe

Information and IT Security Officer


Data breaches affecting Universities

This month our Information and IT Security Officer, Graeme Wolfe, looks at more reported data security breaches affecting Universities and ways to avoid being in the media for all the wrong reasons.

You may have seen the news item in early November about another University suffering a data breach, this time the University of East Anglia. If you didn't, the BBC and The Register both covered it.

It appears that UEA suffered a similar breach a few months earlier, where sensitive personal information was sent to the wrong people.

Lessons need to be learnt from this breach, which is why, if you are thinking of sending sensitive information out by email, you should ask yourself a couple of basic questions:

  1. Should I be sending this by email?
  2. Who exactly am I sending this to and why?

Double check before you hit 'send' that you are sending the email to the right person, and not to a mailing list, a shared mailbox or someone with the same first name as your intended recipient that autocomplete has picked for you. Mistakes are easy to make and almost impossible to rectify once the message has left your outbox.

There are other ways of sharing data that can be more secure than email. For further guidance, we can advise on how to obtain and use an encrypted email service for your University account.

The Security and Compliance team are here to help and advise anyone who deals with sensitive information at the University on how to store and transmit it securely, and to make sure our University does not suffer a breach and receive media headlines like those currently in the press.

Graeme Wolfe

Information and IT Security Officer


Are your ears burning?

This month our Information and IT Security Officer, Graeme Wolfe, looks at how you can find out when your name is used, or appears online.

Oscar Wilde wrote that the only thing worse than being talked about is not being talked about. But in our modern, online world, knowing who is saying what, and when, can be very important.

Last month we showed how to find out whether your email address has turned up in a breach; this month we look at finding references to your personal data online.

With over 644 million web sites, plus countless postings on social media channels, blogs, vlogs and podcasts, searching through them all for mentions of your own name would be a mammoth task.

Fortunately Google can make this easy for you. Google Alerts are automatically generated notifications: Google emails you whenever your chosen search term turns up in newly indexed content.

Alerts are easy to set up and can be sent as they happen, at most once a day or at most once a week. Just go to https://www.google.co.uk/alerts or search for 'google alerts', then enter the term you want alerts on, 'John Smith' for example, into the search box. Putting the name in quotation marks restricts the alert to that exact phrase and cuts down the noise. If your name is a very common one you could still get many alerts that have nothing to do with you personally; if you're not sure whether you have a popular name, this tool will soon tell you.

If you use the Chrome browser, have a Gmail account and are signed in to them, Google will pre-populate the 'me on the web' section for you. Having these accounts is not essential to set up alerts, but it does make things easier; just follow the simple online instructions.

Once you have set everything up, whenever there is a new mention of your name on the web you will get an email alert.

I have set Google Alerts up for family and friends and they have proved useful in identifying content about them that was inappropriate or inaccurate, which they have then had taken down or corrected; content they might never have known was there in the first place.

Remember – Knowledge is power.

Graeme Wolfe

Information and IT Security Officer


Have you been ‘pwned’?

This month our Information and IT Security Officer, Graeme Wolfe, looks at recent security breaches, lists of potentially hacked accounts and what it means to be 'pwned'.

You may not have heard that a collection of over 700 million email addresses was recently found online, posted on a web server at an obscure URL, presumably to avoid accidental discovery.

You may, however, have heard of some of the recent high-profile data breaches at Equifax, Ashley Madison, Adobe, LinkedIn, Dropbox, Yahoo, TalkTalk, the AA, Target, TK Maxx... I could go on and on. Those breaches are where many of the email addresses and other sensitive data in the collection were originally harvested from.

When the University's security team, CSIRT (Computer Security Incident Response Team), found out about this, we decided to investigate whether any @westminster or @my.westminster email addresses appeared in the list. Unfortunately we found many thousands of our email addresses listed, so we decided to act on your behalf.

Many of you will recently have received an email from Csirt@westminster.ac.uk advising you that your Westminster account had been linked to a high-profile data breach and that you should change the password not only on the breached account but also on your Westminster account, especially if you use the same password across multiple accounts.

After any security or data breach you should take the following action:

  • When you are made aware of a breach, change your passwords straight away
  • Consider using a password manager to generate and store a unique password for each online account
  • Never use the same password on different accounts
  • Never reuse your Westminster login details for other external services

You can check whether your own personal email accounts, as well as your Westminster ones, have appeared in a breach at https://haveibeenpwned.com/. 'Pwned' is a widely used slang term (with origins in online gaming) meaning to conquer, appropriate or take ownership of.

Just enter an email address and it will tell you whether it has been 'pwned' and which breaches the information may have come from. If you have been 'pwned', be on your guard for spam, phishing and malware emails directed at you, and follow the actions above. If you haven't yet been a target for scammers then, as any security expert will tell you, it's only a matter of time.
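The site above checks email addresses. The same service also publishes its collection of breached passwords, and the way it lets you check a password without revealing it is worth seeing: you send only the first five characters of the password's SHA-1 hash, get back every known hash that starts with those characters, and do the final comparison yourself (the 'k-anonymity' range API at https://api.pwnedpasswords.com/range/). The Python below is an added example, not from the original post; the sample response is constructed (the counts are invented), though the hash tail shown for the word 'password' is its genuine SHA-1.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords service indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """k-anonymity: only the 5-character prefix leaves your machine; the 35-character
    suffix is what you compare locally."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """The API answers with one 'SUFFIX:COUNT' line for every breached hash that
    shares the queried prefix (hundreds of them, so the server cannot tell which
    one you hold).  With the Add-Padding header some lines are filler with count 0."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, response_text: str) -> int:
    """How many times the password has been seen in known breaches; 0 if never (or padding)."""
    _, suffix = split_hash(password)
    return parse_range_response(response_text).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Network call for one prefix.  'Add-Padding: true' asks the service to pad the
    reply so that its size does not hint at which prefix was requested."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """End-to-end check against the live service; the password itself is never sent."""
    prefix, _ = split_hash(password)
    return breach_count(password, fetch_range(prefix))


# Constructed sample response (not real API output).  The middle suffix is the
# genuine SHA-1 tail of the word "password"; all three counts are invented.
SAMPLE_RESPONSE = """\
1E2DC9AA1BBD6A1B2E1F2F3F4A5B6C7D8E9:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E5A6B7C8D9E0F1A2B3C4D5E6F708192A3B:0
"""

if __name__ == "__main__":
    print(split_hash("password"))
    print(breach_count("password", SAMPLE_RESPONSE))
```

A password manager can run this check for you, but the point to take away is the design: a lookup service can be useful without ever receiving the secret it is checking.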

Graeme Wolfe

Information and IT Security Officer


Scheduled scamming

This month, Graeme Wolfe, Information and IT Security Officer, takes a further look at the cycle of scams and what all the scheduled topics have in common.

Each year, around this time, I return to the subject of regular scams. If you look back at my blogs from previous summers you will see there are cycles in scammers' schedules. Summer and the new academic year, for example, bring subject lines chosen to appeal to people at this time of year: flights, clearing, loans, car hire, password reset and grants. All of these have been used as 'hooks' by scammers to try to get your information.

As this is the holiday season, scammers use words like flights, car hire and holidays in their messages to fool people into handing over personal information, or even money.

And with many students sorting out their details for the coming year, messages about loans, grants and clearing applications are used to try to get login and banking details from both existing and prospective students.

Additionally, many students receive their access details for University systems around this time of year and those passwords often expire after one year, so scam messages about renewing your password do the rounds and can get mixed up with the genuine reminder. Only the University's own password self-service site is genuine; any other link in a message about renewing your password is likely to be a scam or phishing attempt.

Some of these scams are too obvious to be genuine. Titles such as 'log in and apply for your £3k grant' or 'log in to find out about your 13% pay rise' should ring alarm bells for everyone. But some are very clever, and the details and sites look like they could be genuine. So please be cautious, and if you are in any doubt check with the Service Desk whether it is a known scam, or speak to the Security and Compliance Team, who are always happy to help and advise you in such matters.
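One concrete check for the 'sites look like they could be genuine' problem, as an added example that is not part of the original post: before clicking a password-reset link, look at the host the browser would actually connect to rather than at what the link text says. The hostname password.example.ac.uk below is a placeholder standing in for the genuine self-service site, and the sample links are constructed to show the usual disguises (the real name as a subdomain of the attacker's site, the real name before an '@', the real name only in the path, and a plain http link).

```python
from urllib.parse import urlsplit

# Placeholder for the genuine self-service host; substitute the real one.
GENUINE_HOST = "password.example.ac.uk"


def link_host(url: str) -> str:
    """The host a browser would actually connect to, lower-cased, or '' for
    anything that is not a web link.  urlsplit already strips the tricks
    phishers rely on: credentials before an '@', an explicit port, and the
    genuine name appearing only in the path."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").rstrip(".").lower()


def is_genuine(url: str, genuine_host: str = GENUINE_HOST) -> bool:
    """True only for an https link whose host is exactly the genuine host.
    Exact matching is deliberate: 'password.example.ac.uk.evil.example' and
    'password-example.ac.uk' both contain the expected name and are both wrong."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() == "https" and link_host(url) == genuine_host.lower()


def classify_links(urls, genuine_host: str = GENUINE_HOST) -> dict:
    """Map each link to a verdict, for scanning every URL found in a message."""
    return {u: is_genuine(u, genuine_host) for u in urls}


# Constructed examples of the link shapes seen in password-renewal scams.
SAMPLE_LINKS = [
    "https://password.example.ac.uk/reset",                   # genuine
    "https://password.example.ac.uk.evil.example/reset",      # genuine name as a subdomain of the attacker's
    "https://password.example.ac.uk@evil.example/reset",      # genuine name as the 'username' part
    "http://password.example.ac.uk/reset",                    # right host, but no TLS
    "https://evil.example/password.example.ac.uk/reset",      # genuine name only in the path
    "https://PASSWORD.EXAMPLE.AC.UK:443/reset",               # genuine, just written differently
]

if __name__ == "__main__":
    for url, ok in classify_links(SAMPLE_LINKS).items():
        print(("genuine " if ok else "SUSPECT ") + url + "  ->  host=" + repr(link_host(url)))
```

This does not catch every trick (look-alike characters in international domain names, or a genuine site that has itself been compromised), which is why the safer habit is to type the self-service address yourself or use a bookmark rather than clicking any link in the message.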

Working on the following two principles should help to keep you ahead of the fraudsters.

  1. If it looks too good to be true, then it probably is.
  2. Mistaking a genuine message for a scam is nowhere near as bad as mistaking a scam for a genuine message.

Graeme Wolfe

Information and IT Security Officer


Flash, a-ah, saviour of the universe – not for much longer

This month our Information and IT Security Officer, Graeme Wolfe, looks at the demise of Adobe Flash and the future of moving images on t'internet.

When I heard that Flash was going to be killed off in 2020, my first thought was for the 1980 movie and Brian Blessed shouting “Flash Gordon’s alive!”

But the reality is far less entertaining than that. Adobe, the owner of Flash, has decided that from the end of 2020 there will be no more updates or patches for this rather buggy and insecure browser plug-in, which still runs in many browsers world-wide.

For years Flash has run inside browsers, powering videos, games and other animations. But because so many people had it installed, it was a constant target for malware writers looking for ways to run their own code through it, for their own nefarious purposes.

It didn't help that Flash was never a very secure or well-written piece of software, so updates had to be issued regularly as each new vulnerability was found.

Newer technologies such as HTML5 have superseded Flash and are built into just about every modern browser. Adobe has been slowly withdrawing Flash updates and support from other platforms for some time.

Most 'Smart' TVs will no longer play Flash-based internet video or games. Android smartphones lost Flash support back in 2012. Apple never liked the product and it was never available for the iPhone or iPad. But for many years it did provide a quick and simple way to show moving images in a web browser.

Flash – Gone, but not forgotten.

Graeme Wolfe

Information and IT Security Officer


GDP aarrgh!

This month our Information and IT Security Officer, Graeme Wolfe, looks at the upcoming changes to Data Protection legislation, explains GDPR and considers the impact for our University.


InfoSec17, the annual security exhibition and conference, returned to London in June and, as in previous years, two constants remained.

The first is that each event sees more visitors, exhibitors, new products, presentations, workshops and ideas on display, proving that security is a continually growing market which should not be ignored, and that the problems around it will not disappear any time soon.

The second is that there is usually a theme the exhibitors focus on to promote their products. This year two themes had equal exposure: ransomware and the General Data Protection Regulation (GDPR).

If you have been following my recent blogs, or watching the news, you will be aware of the recent high-profile ransomware attacks on organisations around the world, including the NHS, and most recently the password-guessing attack on Parliament's email system. But you may not have heard about the introduction of GDPR, which will have a huge impact on how we all process, store and share personal data in the future.

Currently all organisations in the UK that handle personal data are bound by the Data Protection Act 1998 (DPA). But in less than a year (on 25 May 2018, to be precise) this will be superseded by the General Data Protection Regulation (GDPR), which will apply across the European Union, unifying data protection rules. The GDPR:

  • places more responsibility on organisations, large and small, to handle personal data safely and securely;
  • redefines what counts as personal data, and the accountability and governance that must go along with its everyday use and storage;
  • applies to both electronic and hard-copy data, to new and existing systems, and to archived material;
  • defines new roles and responsibilities within organisations and will bring some big changes with it.

One of the big changes is the level of fines that can be imposed. Currently the maximum fine for breaching the DPA is £500,000; under the GDPR this rises to a maximum of 20 million euros or 4% of global annual turnover, whichever is higher. For small organisations that lose personal data any fine makes a large dent in the budget, but the new ceiling means large multinationals will have to take notice of these rules too.

The University of Westminster’s Compliance team have been working on getting us ready for GDPR for some time. There is still much work to be done, but speaking to visitors and exhibitors at InfoSec17, we appear to be ahead of many other organisations in this matter.

Graeme Wolfe

Information and IT Security Officer


Recent malware attacks and some predictions

This month our Information and IT Security Officer, Graeme Wolfe, looks at the recent rise in high profile malware and considers the future of such attacks.


The first week in May saw a new kind of attack: a very convincing phishing campaign in which the link in the email led to a rogue third-party application calling itself 'Google Docs', which asked for permission to read your contacts and email. Because the request was shown on Google's own permissions screen it caught a lot of people out before it was identified and shut down. (See note 1 below for more advice.)

The second week in May saw the well-documented 'WannaCry' ransomware attack that affected the NHS and many other organisations, both commercial and public sector, across the world. (See note 2 below for more advice.)

Fortunately the third and fourth weeks in May were fairly quiet, though the SANS Institute's Internet Storm Center shows a fairly consistent level of ongoing attacks throughout May, with spikes for the two attacks above. Ongoing attacks generally have a lower profile and impact, so they don't tend to make the news.

Last month I wrote about the importance of applying security patches, after a number of 'zero day' exploits were stolen from the NSA and published, and also about being aware of your actions online. It appears to have been somewhat prophetic.

This month I am going to make a prediction. These two attacks will not be the last such attacks we experience over the coming months and years. While it is cheap to mount these attacks and there is profit to be made, they will keep on coming. 'WannaCry' used the 'EternalBlue' exploit from the stolen NSA toolkit, which attacks the SMB file-sharing service on unpatched Windows machines. So keep your eyes open for 'EsteemAudit' (another stolen NSA exploit, this one targeting Remote Desktop on older Windows versions) or variants of it in the not too distant future.

While organisations (and individuals) continue to run unpatched and insecure systems, and there are criminals out there who can exploit these weaknesses for financial gain, these attacks will continue and will increase in number, severity and impact.

This sort of malicious activity used to be the preserve of people with technical backgrounds, who tended to attack to prove their ability to their peers, or to make a point or political statement.

But now there are online marketplaces where you can buy all the components needed to perform similar attacks in an easy-to-use format, including lists of names, email addresses and other details. It is a bit like buying from eBay, and just as on eBay the sellers have feedback ratings and rankings; many even offer 24-hour support lines and money-back guarantees! Scams and malware have moved from a fringe activity into the mainstream.

This means that many criminals with just a little technical savvy can perform attacks and make money from the comfort of their own homes, which is far easier than robbing a bank or burgling a house. And with advice on hiding their location and identity readily available, they can get away with their crimes with little chance of ever being caught. So it is no surprise that cyber crime has grown faster than any other kind of crime in the past few years, and that doesn't look set to change any time soon.

Graeme Wolfe

Information and IT Security Officer


Note 1 – If you did click through the link and pressed 'Allow' on the permissions request from the rogue 'Google Docs' app, the attackers will have had access to your Google contacts and mail and the ability to send the same message to all your contacts.

If you were a victim of this fraud, changing your password is not enough: the access was granted to the app rather than obtained with your password, so you also need to revoke the rogue app's access on your Google account's connected apps and permissions page (myaccount.google.com/permissions).

Google fixed the problem within a day and stopped the spread of further emails. They said it affected only 0.1% of their users, but with over a billion users world-wide that is still in excess of a million accounts compromised in a single day.

Note 2 – Windows XP, Vista or Windows 8: if you are running a home device with one of these, you should consider replacing it with a more modern version. There is no longer any official support for this software and, as time goes on, it will only get less safe.

If you are running Windows 7 or 8.1, make sure automatic updates are turned on and that you install the updates provided.

