Flash, a-ah, still not quite dead, yet.

This month our Information and IT Security  officer, Graeme Wolfe, looks at a further vulnerability in Adobe Flash and advises on how to protect yourself, if you are still using this product in your web browser.

Some of you may remember a post I wrote last July about the demise of the web software, Flash.

Well it turns out that it’s not quite dead yet. Despite the owners of the software, Adobe, saying they were no longer going to provide updates to their product; an update was released as part of a ‘security bulletin’, due to a particularly nasty exploit that has been seen in ‘the wild’, currently doing the rounds in the Middle East, but likely to be heading our way sometime soon.

This exploit comes to you via Microsoft office documents, attached to a tempting email. So the usual advice remains. Patch your web browser versions of Flash using your browser update options or from this link and be wary of any tempting emails, with attachments you weren’t expecting. See here for more advice.

Graeme Wolfe

Information and IT Security Officer

18/06/2018

 

GDPR – Arriving this month

This month our Information and IT Security Officer, Graeme Wolfe, revisits the GDPR legislation and explains all those emails and other messages you will have been receiving over the past month or so, with GDPR in the subject heading. But also warns to be alert for scammers who will take advantage of the impending deadline and changes in procedures.

Back in June last year I wrote a blog article about the upcoming GDPR and this month (25^th May) sees it going ‘live’ in terms of enforcement.

You may have seen items on the news or in the media generally about these new data regulations. You may well also have received a number of emails, or update notifications in apps, from various companies asking if you can confirm that you still wish to receive information from them. You will also have received an email from John Cappock, The University’s Secretary and Chief Operating Officer, regarding our push to be compliant with GDPR.

Effectively, if a company wants to hold personal information about you, it has to have a legal basis to do so and it can’t just hold onto data because it feels like it. It must have a good reason to do so, or it should delete the data.

This should bring an end to the practices of ‘pre ticked boxes’ for the receipt of unwanted messages ad infinitum, or ‘if you want to opt out of being mailed to, then please jump through all these hoops and find the hidden link to unsubscribe from our mailing list’. See the ICO pages for a clear definition of this.

So, many companies who hold personal data you have previously shared with them, will be contacting you to ask if they can retain your information as a customer, which you may or may not wish to continue to do. But it is also an opportunity for scammers to send out messages asking you to ‘reconfirm’ or ‘re-enter’ your login or other personal details, under the guise of the new GDPR regulation. With a deadline looming and the increased awareness thought the media, it’s an ideal time for scammers to try to panic people into taking actions they would not normally do.

So keep an eye out for emails or ‘in app’ messages, that may look like they come from a known company, but don’t, asking for lots of information about you, or getting you to enter personal information somewhere.

For more help on spotting scam emails, see the pages on our public web site or look on the ICO web site for more GDPR assistance.

Graeme Wolfe

Information and IT Security Officer

16/05/2018

Facebook – what’s going on and should I be worried?

This month our Information and IT Security officer, Graeme Wolfe, looks at the recent news about Facebook and how your personal information is worth money to companies, as well as criminals.

“Data is the new oil” and “If you’re not paying for a service, then you are the product”

These are a couple of quotes you may have heard recently in the news, after the revelations that Facebook allowed a number of companies, via various apps and games, to access the data of over 87 million people, which may then have been used to target and manipulate those people to behave in a particular way.

To those of us in the cyber security or digital media industries this is not news, as we have known for years that the way many large internet companies make their money is through advertising and data processing. I mentioned as much in my blog posts in Feb 2016 and Feb 2017

The trouble is this is not the first, or second, or third time, that Facebook has been investigated by regulators across the world. Facebook has been apologising for misusing its users’ data for over 10 years now.

There are numerous stories in the media about the attitude Facebook had towards data security and privacy, with Mr Zuckerberg even admitting before the US Congress that they didn’t do as good a job on these fronts as they should have done.

So the next time you are bored and decide to complete an on line ‘quiz’ about your family background, or your early life with pets, or cars, or friends, or colours, (funny how they are so often about the same subjects as the security questions used to verify your identity!!!) just consider the fact that someone, somewhere, could be gathering this information about you and storing it for use now, or at any point in the future.

Graeme Wolfe

Information and IT Security Officer

12/04/2018

 

2 Factor Authentication – what it is and why you should use it.

This month our Information and IT Security officer, Graeme Wolfe, looks at 2 Factor Authentication (2FA) and wonders why so few people enable and use this valuable security feature.

2 Factor Authentication, or 2FA, is an additional security measure that requires you to use two steps to log into online accounts. 2FA operates by extending the log in process, requiring not just a basic username and password to access or log into a site. It can take the form of a code texted to your phone, a token with a changing number, a hardware token, a card reader often supplied by banks, or even a pre-printed one time code.

Two factor authentication helps to guard against online security issues when hackers steal usernames and passwords. Two factor authentication demands each user supply something they know – the password, as well as something they have – a code supplied direct to a personal phone or card reading device, meaning that if your log in / password information has been compromised, your account is still safe.

Two factor authentication has been added to most banking, email accounts and many other online outlets, but at the recent Enigma 2018 security conference in the USA, a google engineer revealed that less than 1 in 10 Gmail users have enabled 2FA to secure their accounts.

Google has spent a lot of time and money promoting its 2FA offering, or 2 Step Verification as they prefer to call it, but it appears few people use this security measure.

When they were asked why they didn’t just make it mandatory, their response was very similar to many other organisations; they find that their customers are resistant to these enhanced security measures. In fact some organisations have reduced their security measures to speed up the user experience, but this does mean a compromise on security.

So if you have any account that offers you 2FA, I suggest that you enable it, as in the long run it will help you prevent your accounts being compromised.

Graeme Wolfe

Information and IT Security Officer

19/02/2018

 

Meltdown and Spectre – What you need to know

This month our Information and IT Security Officer, Graeme Wolfe, looks at two new security vulnerabilities that have made the headlines over the New Year.

You may have seen or heard the names Meltdown and Spectre in the news and thought they were just titles of the latest action adventure films. In reality they are serious security flaws in the way that computer chips, Central Processing Units (CPUs), and Graphics Processing Units (GPUs) handle sensitive data like usernames and passwords, and encryption keys for secure web connections.

The problems lie with the design of the chip’s hardware and the way it handles data. Affected chips from Intel and AMD are in desktops, laptops and some tablets and affected chips from ARM are in most smartphones and tablets.

Meltdown and Spectre are both processor-level vulnerabilities that make it potentially possible for code running in user-mode – which might include malware or even malicious JavaScript served through rogue adverts on web sites or the like – to read from portions of protected kernel memory, an area hosting passwords, login cookies and other secrets, or other portions of memory it should be blocked from accessing.

The vulnerabilities have been rated as ‘Critical’ and affect just about every computer or device with a chip in them that was made since 1995! This includes ALL brands and makes of devices. So whether you have a Dell, HP or an Apple Mac, an iPhone or Android, even those of you out there running Linux, you are all likely to be affected by this. It has even affected all the major ‘cloud service providers’ such as Google, Amazon and Microsoft.

All the major companies in this field have been working on solutions to fix the problem since the middle of last year. There are a number of security patches that have been released to fix the issue with Meltdown, which mainly affects Intel CPU’s. The Spectre issue is looking harder to fix though.

You may also have heard that the patches are claimed to slow down machines by up to 30 per cent and if you do a lot of processor intensive ‘data crunching’, or play a lot of immersive games, then you may see a slowdown in performance. For most of us who just send messages, email and surf the web, we are unlikely to notice much of a change. I have updated my phone and all my other devices already and haven’t noticed any dramatic change in performance.

There are currently no specific tools that can exploit either of these flaws, but now the research is out in the open, it will only be a matter of time before ‘off the shelf’ exploits are made available to the hacking and criminal community.

The solution, as always, is patch! patch! patch! Additionally you should ensure your browser is running the latest version as well. As an example Google, Amazon, Microsoft and Apple all patched their cloud offerings to correct the Meltdown vulnerability as soon as they were available. They know how important this is. So you should check and see if there are updates available for your device(s) as well.

Do not put off installing any patches from your product supplier and make sure that you shut down / switch off your device when you have finished using it. Most patches will not be applied until the device is restarted. Just closing the lid on your laptop is not enough.

Graeme Wolfe

Information and IT Security Officer

18/01/2018

Bitcoin…Bubble or a sign of the future?

This month our Information and IT Security officer, Graeme Wolfe, looks at the recent rise in Bitcoin values and the security surrounding them.

You may have heard in the news this month about the rise in value of Bitcoin to over $17,000 for 1Bitcoin. Considering that bitcoins have been around for less than 10 years and for much of that time its value was in the 10’s or 100’s of dollars, you may be wondering what has happened recently. You are not alone.

Bitcoin is a cryptocurrency, not created or regulated by any central bank, but they are ‘mined’ by solving complex mathematical equations on computers.

Bitcoins are monitored by something called a ‘blockchain‘, which is a publicly accessible listing of all Bitcoin transactions and involves the use of Private Cryptographic Keys to keep it secure.

So far, so secure.

However, there are a number of ‘traders’ who are set up to enable the buying and selling of bitcoins and this is where the security of the system breaks down.

People who wish to trade in bitcoins often upload their Private Keys to these traders and then can buy and sell with ease.

This has attracted the attention of thieves and criminals who see the stealing of bitcoins as an easy way to make money. Certainly easier than trying to rob a bank!

In 2014 $460m was stolen from the Mt Gox trading site; in 2016 Bitfinex suffered a similar loss and only this month NiceHash suffered a similar breach.

Many of these traders were set up with poor security measures in place and through a combination of technology and social engineering, they have been hacked and the money stolen.

Whether you are trading Bitcoins, or just using online banking and shopping services, it is vital that you keep your security details safe, whether they be usernames and passwords, Cryptographic Keys, or simple ‘autofill’ options on web sites, keep them to yourself and be wary of where you enter them online, as they are all targets for online criminals to plunder.

Graeme Wolfe

Information and IT Security Officer

11/12/2017

Data breaches affecting Universities

This month our Information and IT Security officer, Graeme Wolfe, looks at more reported data security breaches affecting Universities and ways to avoid being in the media for all the wrong reasons.

You may have seen the news item in early November, about another University suffering a data breach, this time it was the University of East Anglia. If you didn’t, view the media stories on the  BBC  and the The Register web pages.

It would appear that UEA suffered a similar breach a few months back, where sensitive personal information was sent to the wrong people.

Lessons need to be learnt from this breach, which is why if you are thinking of sending sensitive information out by email, you should ask yourself a couple of basic questions.

1. Should I be sending this by email?
2. Who exactly am I sending this to and why?

Double check before you hit ‘send’ that you are sending the email to the right person and not a mailing list or someone with the same first name as your intended recipient. Mistakes are easy to make and almost impossible to rectify.

There are other methods of sharing data with people that can be more secure than email. For further guidance, we can advise on how to gain access to and use, an encrypted email service for your University account.

The Security and compliance team are here to help and advise anyone who deals with sensitive information at the University and how you can store and transmit such information securely. Also to ensure our University does not suffer a breach and receive media headlines similar to those currently in the press.

Graeme Wolfe

Information and IT Security Officer

17/11/2017

Are your ears burning?

This month our Information and IT Security Officer, Graeme Wolfe, looks at how you can find out when your name is used, or appears online.

Noel Coward once said that the only thing worse than being talked about, was not being talked about. But in our modern, online world, knowing who is saying what and when could be very important.

Last month we showed how to find if your email has been hacked, this month we look at finding references to personal data on line.

With over 644 million web pages, plus many other postings on social media channels, blogs, vlogs and podcasts searching through them all for mentions of your own name would be a mammoth task.

Fortunately Google can make this easy for you. Google Alerts are automatically generated notifications that will send an email to your inbox to alert you every time your chosen search term is found online.

Alerts are easy to set up and can be set to send you updates daily, weekly, monthly or as they occur. Just go to https://www.google.co.uk/alerts or search for ‘google alerts’ then enter the details you want to get alerts on – John Smith for example – into the search boxes. If your name is a very common one you could get many alerts which are nothing to do with you personally – if you’re not sure if you have a popular name, this tool will help you find out.

If you use the Chrome browser, have a Gmail account and are logged in to them, alerts will pre-populate the ‘me on the web’ section for you. Having the accounts is not essential to set up alerts, but it does make things easier, just follow the simple online instructions.

Once you have set everything up, then whenever there is a new mention of your name on the web you will get an email alert.

I have set Google alerts up for family and friends and they have proved useful in identifying content about them that was inappropriate or inaccurate, which they have then had taken down or corrected, content which you may never have been aware was there in the first place.

Remember – Knowledge is power.

Graeme Wolfe

Information and IT Security Officer

16/10/2017

Have you been ‘pwned’?

This month our Information and IT Security officer, Graeme Wolfe, looks at recent security breaches, lists of potentially hacked accounts and what it means to be ‘pwned’?

You may not have heard, recently, that a collection of over 700 Million email addresses was found online, posted on a web server with an obscure URL, supposedly to prevent accidental detection.

You may, however, have heard of some of the recent high profile data breaches at Equifax, Ashley Madison, Adobe, LinkedIn, DropBox, Yahoo, Talk Talk, AA, Target, TK Maxx…I could go on and on – which is where many of the email addresses and other sensitive data were originally harvested from.

When the University’s security team ‘CSIRT’ (Computer Security Incident Response Team) found out about this, we decided to investigate and see if there were any instances of @Westminster or @my.Westminster email addresses in this list. Unfortunately we found many thousands of our email addresses listed, so we decided to act on your behalf.

Many of you will have recently received an email from Csirt@westminster.ac.uk, advising you that your Westminster account had been linked to a high-profile data breach and that you should change the password not only on the breached account, but also on your Westminster account, especially if you use the same password across multiple accounts.

After any security or data breach, you should take the following action:

• When you are made aware of a breach, then change your passwords straight away
• Consider using a password manager to generate and store unique passwords for each online account
• Never use the same password on different accounts
• Never reuse your Westminster log in details for other external services

You can check to see if your own personal email accounts, as well as your Westminster ones, have been breached on https://haveibeenpwned.com/  ‘Pwned’, is a widely used slang term (with origins in online gaming) meaning to conquer, appropriate or gain ownership of.

Just enter an email address and it will tell you if it has been ‘pwned’ and where the information may have been taken from. If you have been ‘pwned’ you should be on your guard for any spam / phishing / malware emails directed at you and you should follow the actions above. If you haven’t already been a target for scammers, then any security expert will tell you, it’s only a matter of time.

Graeme Wolfe

Information and IT Security Officer

15/09/2017

Scheduled scamming

This month, Graeme Wolfe, Information and IT Security Officer, takes a further look at the cycle of scams and what all the scheduled topics have in common.

Each year, around this time, I return to the subject of regular scams. If you check my blogs from previous summers, see links attached here and here. You will see there are cycles in scammer’s schedules, for example summer and the new academic year will see appealing wording in subject lines, that will appeal to people at this time of year, such as flights, clearing, loans, car hire, password reset and grants. They have all been used as ‘hooks’ in the past by scammers, to try and get your information.

With this being the holiday season, scammers try to use words like flights, car hire and holidays in their messages, to fool people into either handing over their personal information or even scamming them out of their money.

Also with many students sorting their details out for the forthcoming year, messages with things relating to loans, grants and clearing applications can be used to try and get log in and banking details from both existing and prospective students.

Additionally, as many students receive their access details to University systems around this time of year and often these expire after one year, there are scam messages about renewing your password that do the rounds and they can get mixed up with a genuine message about changing your password. This is the genuine site for Westminster password self service any other links are likely to be a scam or phishing attempt.

Some of these scams are too obvious to be genuine. Titles such as ‘log in and apply for your £3k grant’ or ‘log in to find out about your 13% pay rise’ should automatically raise an alarm to everyone. But some of them are very clever and the details / sites look like they could be genuine. So please be cautious and if you are in any doubt, then check with the Service Desk to see if it is a known scam, or speak with the Security and Compliance Team, who are always happy to help and advise you in such matters.

Working on the following two principles should help to keep you ahead of the fraudsters.

1. If it looks too good to be true, then it probably is.
2. Mistaking a genuine message for a scam is nowhere near as bad as mistaking a scam for a genuine message.

Graeme Wolfe

Information and IT Security Officer

21/08/2017

Latest: