Are your ears burning?

This month our Information and IT Security Officer, Graeme Wolfe, looks at how you can find out when your name is used, or appears online.

Noel Coward once said that the only thing worse than being talked about was not being talked about. But in our modern, online world, knowing who is saying what, and when, could be very important.

Last month we showed how to find out if your email has been hacked; this month we look at finding references to personal data online.

With over 644 million web pages, plus many other postings on social media channels, blogs, vlogs and podcasts, searching through them all for mentions of your own name would be a mammoth task.

Fortunately Google can make this easy for you. Google Alerts are automatically generated notifications that will send an email to your inbox to alert you every time your chosen search term is found online.

Alerts are easy to set up and can be set to send you updates daily, weekly, monthly or as they occur. Just go to https://www.google.co.uk/alerts or search for ‘google alerts’ then enter the details you want to get alerts on – John Smith for example – into the search boxes. If your name is a very common one you could get many alerts which are nothing to do with you personally – if you’re not sure if you have a popular name, this tool will help you find out.

If you use the Chrome browser, have a Gmail account and are logged in to them, alerts will pre-populate the ‘me on the web’ section for you. Having the accounts is not essential to set up alerts, but it does make things easier; just follow the simple online instructions.

Once you have set everything up, then whenever there is a new mention of your name on the web you will get an email alert.

I have set Google alerts up for family and friends and they have proved useful in identifying content about them that was inappropriate or inaccurate, which they have then had taken down or corrected, content which you may never have been aware was there in the first place.

Remember – Knowledge is power.

Graeme Wolfe

Information and IT Security Officer

16/10/2017

Have you been ‘pwned’?

This month our Information and IT Security Officer, Graeme Wolfe, looks at recent security breaches, lists of potentially hacked accounts and what it means to be ‘pwned’.

You may not have heard that, recently, a collection of over 700 million email addresses was found online, posted on a web server with an obscure URL, supposedly to prevent accidental detection.

You may, however, have heard of some of the recent high-profile data breaches at Equifax, Ashley Madison, Adobe, LinkedIn, DropBox, Yahoo, Talk Talk, AA, Target, TK Maxx… I could go on and on. Those breaches are where many of the email addresses and other sensitive data were originally harvested from.

When the University’s security team ‘CSIRT’ (Computer Security Incident Response Team) found out about this, we decided to investigate and see if there were any instances of @Westminster or @my.Westminster email addresses in this list. Unfortunately we found many thousands of our email addresses listed, so we decided to act on your behalf.

Many of you will have recently received an email from Csirt@westminster.ac.uk, advising you that your Westminster account had been linked to a high-profile data breach and that you should change the password not only on the breached account, but also on your Westminster account, especially if you use the same password across multiple accounts.

After any security or data breach, you should take the following action:

  • When you are made aware of a breach, then change your passwords straight away
  • Consider using a password manager to generate and store unique passwords for each online account
  • Never use the same password on different accounts
  • Never reuse your Westminster log in details for other external services

You can check whether your own personal email accounts, as well as your Westminster ones, have been breached at https://haveibeenpwned.com/. ‘Pwned’ is a widely used slang term (with origins in online gaming) meaning to conquer, appropriate or gain ownership of.

Just enter an email address and it will tell you if it has been ‘pwned’ and where the information may have been taken from. If you have been ‘pwned’ you should be on your guard for any spam, phishing or malware emails directed at you, and you should follow the actions above. If you haven’t already been a target for scammers, then any security expert will tell you it’s only a matter of time.
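The kind of check CSIRT describes above (which of our addresses appear in a breach, and who needs a password-change notice) can be scripted against the Have I Been Pwned v3 API. The following is an added example, not code from the original post or from HIBP; the domain names, addresses and breach records are constructed sample data, and a real run needs your own HIBP API key.

```python
"""Triage of Have I Been Pwned (HIBP) breach results for a set of addresses."""
import json
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# HIBP v3 breached-account endpoint; a paid hibp-api-key is required.
HIBP_BREACHED_ACCOUNT = (
    "https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=false"
)


def fetch_breaches(address, api_key, user_agent="example-breach-triage"):
    """Query HIBP for one address. Returns the list of breach records, or []
    when HIBP answers 404 (address not found in any breach).
    Needs network access and a real key; the offline demo below does not call it."""
    req = Request(
        HIBP_BREACHED_ACCOUNT.format(address),
        headers={"hibp-api-key": api_key, "user-agent": user_agent},
    )
    try:
        with urlopen(req, timeout=20) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        if err.code == 404:
            return []
        raise


def triage(results, our_domains):
    """results: {address: [breach, ...]} in the shape HIBP returns
    (Name, BreachDate, DataClasses, ...). our_domains: domains we notify for.
    Rule from the post: anyone with a breached account gets a notice; if the
    breach exposed passwords the notice is high priority, because the same
    password may have been reused on the university account."""
    report = {}
    for address, breaches in results.items():
        addr = address.strip().lower()
        domain = addr.rpartition("@")[2]
        pw_exposed = sorted(
            b["Name"] for b in breaches if "Passwords" in b.get("DataClasses", [])
        )
        report[addr] = {
            "in_scope": domain in {d.lower() for d in our_domains},
            "breaches": sorted(b["Name"] for b in breaches),
            "password_exposed_in": pw_exposed,
            "latest_breach": max((b["BreachDate"] for b in breaches), default=None),
            "notify": bool(breaches),
            "priority": "high" if pw_exposed else "normal",
        }
    return report


def notification_list(report):
    """Addresses in our domains that should receive a notice, sorted."""
    return sorted(a for a, r in report.items() if r["in_scope"] and r["notify"])


# Constructed sample results (not real data), in the shape HIBP returns.
SAMPLE_RESULTS = {
    "A.Student@my.example.ac.uk": [
        {"Name": "ExampleBreachOne", "BreachDate": "2016-05-01",
         "DataClasses": ["Email addresses", "Passwords"]},
    ],
    "b.staff@example.ac.uk": [
        {"Name": "ExampleBreachTwo", "BreachDate": "2013-10-04",
         "DataClasses": ["Email addresses", "Usernames"]},
    ],
    "c.external@mail.example.com": [
        {"Name": "ExampleBreachOne", "BreachDate": "2016-05-01",
         "DataClasses": ["Email addresses", "Passwords"]},
    ],
    "d.clean@example.ac.uk": [],
}

if __name__ == "__main__":
    rep = triage(SAMPLE_RESULTS, {"example.ac.uk", "my.example.ac.uk"})
    for addr in notification_list(rep):
        print(addr, rep[addr]["priority"], rep[addr]["breaches"])
```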

Graeme Wolfe

Information and IT Security Officer

15/09/2017

Scheduled scamming

This month, Graeme Wolfe, Information and IT Security Officer, takes a further look at the cycle of scams and what all the scheduled topics have in common.

Each year, around this time, I return to the subject of regular scams. If you check my blogs from previous summers (see links attached here and here), you will see there are cycles in scammers’ schedules. For example, the summer and the new academic year bring subject lines with wording that appeals to people at this time of year, such as flights, clearing, loans, car hire, password reset and grants. All of these have been used as ‘hooks’ by scammers in the past, to try and get your information.

With this being the holiday season, scammers try to use words like flights, car hire and holidays in their messages, to fool people into handing over their personal information or even to scam them out of their money.

Also, with many students sorting their details out for the forthcoming year, messages relating to loans, grants and clearing applications can be used to try and get login and banking details from both existing and prospective students.

Additionally, as many students receive their access details to University systems around this time of year, and these often expire after one year, scam messages about renewing your password do the rounds and can get mixed up with a genuine message about changing your password. This is the genuine site for Westminster password self-service; any other links are likely to be a scam or phishing attempt.

Some of these scams are too obvious to be genuine. Titles such as ‘log in and apply for your £3k grant’ or ‘log in to find out about your 13% pay rise’ should automatically raise an alarm to everyone. But some of them are very clever and the details / sites look like they could be genuine. So please be cautious and if you are in any doubt, then check with the Service Desk to see if it is a known scam, or speak with the Security and Compliance Team, who are always happy to help and advise you in such matters.

Working on the following two principles should help to keep you ahead of the fraudsters.

  1. If it looks too good to be true, then it probably is.
  2. Mistaking a genuine message for a scam is nowhere near as bad as mistaking a scam for a genuine message.

Graeme Wolfe

Information and IT Security Officer

21/08/2017

Flash, a-ah, saviour of the universe – not for much longer

This month our Information and IT Security Officer, Graeme Wolfe, looks at the demise of Adobe Flash and the future of moving images on t’internet.

When I heard that Flash was going to be killed off in 2020, my first thought was for the 1980 movie and Brian Blessed shouting “Flash Gordon’s alive!”

But in reality it is far less entertaining than that. Adobe, the owners of the Flash software, have decided there will be no more updates or patches for this rather ‘buggy’ and insecure plug-in, which runs in many browsers world-wide.

Until recently Flash ran in browsers, powering videos, games and other animations. But because it was used by so many people, it was a constant target for malware writers trying to get inside it to plant their own code for their own, nefarious, purposes.

It didn’t help that this wasn’t a very secure or well-written piece of software, so regular updates had to be issued whenever a vulnerability was exposed.

Newer technologies have superseded Flash, such as HTML5, which is present in just about all modern browsers. Adobe have been slowly removing Flash updates and support from other platforms for some time now.

Most ‘Smart’ TVs will now no longer play Flash-based internet video files and games. Android-powered smartphones had the support removed around the same time, in 2012. Apple have never liked the product and it was not an option in the App Store. But it did provide a quick and simple way to show moving images in a web browser.

Flash – Gone, but not forgotten.

Graeme Wolfe

Information and IT Security Officer

31/07/2017

GDP aarrgh!

This month our Information and IT Security Officer, Graeme Wolfe, looks at the upcoming changes to Data Protection legislation, explains GDPR and considers the impact for our University.


InfoSec17, the annual security exhibition and conference, returned to London in June. As with previous years, there continue to be two constants.

The first is that each event has seen more visitors, exhibitors, new products, presentations, workshops and ideas on display. This proves that security is a continually growing market which should not be ignored, and that the issues around it will not disappear anytime soon.

The second is that there is often a theme that the exhibitors focus on to promote their products. This year saw two themes given equal exposure: Ransomware and the General Data Protection Regulation [GDPR].

If you have been following my recent blogs, or seen the news, then you will be aware of the recent high profile ransomware attacks on corporations around the world, including the NHS and most recently the password attack on Parliament. But you may not have heard about the introduction of GDPR, which will have a huge impact on how we all process, store and share data in the future.

Currently all organisations in the UK that handle sensitive personal data are bound by the Data Protection Act 1998 (DPA). But in less than a year [25 May 2018 to be precise], this will be replaced by the General Data Protection Regulation [GDPR], which will apply across the European Union, unifying data protection rules.

GDPR:

  • Places more responsibility on organisations, large and small, to ensure they handle personal data in a safe and secure manner.
  • Redefines what is personal data and the accountability and governance that must go along with its everyday use and storage.
  • Applies to both electronic and hard copy data, new and existing systems, as well as archived materials.
  • Defines new roles and responsibilities in organisations and will bring some big changes with it.

One of the big changes is the level of fines that can be imposed for breaching the GDPR. Currently the maximum fine for breaching the DPA is £500,000; this is to be increased to a maximum of 20 million Euros or 4% of global turnover. For small organisations that lose personal data, any fine can make a large impact on their budgets; however, the increases that have been put in place will impact on large multinationals too, and ensure they also take notice of these rules.

The University of Westminster’s Compliance team have been working on getting us ready for GDPR for some time. There is still much work to be done, but speaking to visitors and exhibitors at InfoSec17, we appear to be ahead of many other organisations in this matter.

Graeme Wolfe

Information and IT Security Officer

26/06/17

Recent malware attacks and some predictions

This month our Information and IT Security Officer, Graeme Wolfe, looks at the recent rise in high profile malware and considers the future of such attacks.


The first week in May saw a new form of attack take place, in which the attackers used a very realistic-looking piece of malware that appeared to be a genuine Google Docs application. This caught a lot of people out before it was identified as malware and the exploit was shut down. (See note 1 below for more advice.)

The second week in May saw the well-documented ‘WannaCry’ ransomware attack that affected the NHS and many other organisations, both commercial and public sector, across the world. (See note 2 below for more advice.)

Fortunately, the third and fourth weeks in May appeared to be fairly quiet, though the SANS Institute’s Internet Storm Center shows a fairly consistent level of ongoing attacks for May, with a couple of spikes for the above two attacks. Ongoing attacks generally have a lower profile and impact, so they don’t tend to make the news.

Last month I wrote about the importance of applying security patches, after a number of ‘zero day’ exploits were stolen from the NSA recently, and also about being aware of your actions online. It would appear to have been somewhat prophetic.

This month I am going to make a prediction. These two attacks are not the last such attacks we will experience over the coming months and years. While it is cheap to mount these attacks and there is profit to be made, then they will keep on coming. ‘WannaCry’ used the ‘Eternal Blue’ exploit from the stolen NSA toolkit. So keep your eyes open for ‘EsteemAudit’ (another stolen NSA exploit) or variants thereof, in the not too distant future.

While organisations (and individuals) continue to run unpatched and insecure systems and there are criminals out in the “ether” who can exploit these vulnerabilities for financial gain, then these sorts of attacks will continue and they will increase, in number, in severity and in impact.

This sort of malicious activity used to be the preserve of those with technical backgrounds, who tended to perform their attacks to prove their ability amongst their peers, or to make a point or political statement.

But now it is possible to go to online marketplaces where you can buy all the components needed to perform similar types of attacks, in an easy-to-use format, including lists of names and email addresses or other details. It is a bit like buying something from eBay, and just like on eBay the sellers have feedback ratings and rankings; many even offer 24-hour support lines and money-back guarantees! Scams and malware have moved from a fringe activity into the mainstream.

This means that many criminals, with just a little technical savvy, can perform attacks and make money from the comfort of their own homes, which is far easier than robbing a bank, burgling a house, or whatever other activities criminals get up to. Plus, with easily available advice on hiding their locations and identities, they can get away with their crimes with little or no chance of ever being caught. So it is no surprise that cyber crime has seen the fastest rate of growth of any crime in the past few years, and that doesn’t look set to change anytime soon.

Graeme Wolfe

Information and IT Security Officer

30/05/2017

Note 1 – If you did click through the links and pressed yes to the request for permissions from the Google malware, then it is likely that the attackers will have access to all your Google address lists and the ability to send out the same message to all your contacts.

If you were a victim of this fraud, then just changing your password would not be sufficient as you will need to revoke the permissions given to the rogue Google Docs app.

Google did fix the problem within a day and prevented the spread of any more emails. They added that this only affected 0.1% of their users, but with over a billion users world-wide, that is in excess of one million accounts that were compromised, which puts some of the earlier attacks on Yahoo and other web mail accounts in the shade.

Note 2 – Windows XP, Vista or Windows 8: if you are running a home device with one of these, then you should consider replacing it with a more modern version. There is no longer any official support for this software and, as time goes on, they will not get any safer.

If you are running Windows 7 or 8.1 then make sure you have your updates turned ‘On’ and that you install the updates provided.

Windows updates – what you need to know

This month, our Information and IT Security officer, Graeme Wolfe, looks at the latest updates for Windows machines and why they are important.


One of the original intentions of this blog was to remind you to check and apply any new security patches that have been released in the past month.

These are usually released on the second Tuesday of the month, or ‘Patch Tuesday’ as it is known.

This month (April) there is a selection of patches for Windows and Office that will patch what are known as ‘zero day attacks’. These are when a security flaw becomes known to the hacking community but the fixes to close the flaw have yet to be released (and, of course, to be downloaded and applied to each device).

Your University-supplied Windows laptop and desktop devices will be sent the appropriate patches automatically. We will also check that these patches do not cause any instability in the standard software on your device(s). Be aware that these patches may have installed the last time you shut down; when updates are still to be installed you will see an exclamation mark (!) on the shutdown button (on the start menu).

If you have any personal devices running Windows and Office and they are not set up to receive automatic updates, then you should download and install these patches each month. If you receive an on screen reminder then follow these simple instructions.

The Windows reminder will often ask if you want to download and install the updates, so click on Yes.

To check you have the latest updates, click on ‘start’ then ‘all programs’.

In the list of programs there will be a ‘Windows update’ icon; click on that.

You will then get an on-screen window displaying the current status of your updates.

Graeme Wolfe

Information and IT Security Officer

24/04/2017

Encryption, why it is Important

Following on from last month’s blog, about how cyber criminals can use your compromised device to further their own ends, this month our Information and IT Security Officer, Graeme Wolfe, looks at encryption and how it is used to keep your online data and information safe and secure.


Encryption, in some form, has been around for many years. Julius Caesar used a simple form of encryption in his messages to his armies, to try to prevent enemies discovering his plans. The German Enigma machine of WWII was a huge leap forward in secure communications and drove the development of the modern computer age.

50 years ago, two graduates at Stanford University, Whitfield Diffie and Martin Hellman, produced detailed studies on how you could easily send a secure message to a person so that only they (the recipient) could decode it, without having to exchange any details that could be intercepted by a third party. This involved complex mathematics based on prime numbers, and the work they published went on to provide a secure foundation for the digital world we all now live in.
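The Diffie-Hellman idea described above, as an added example that is not part of the original post: using textbook-sized parameters p = 23 and g = 5 (constructed for illustration; real systems use standardised groups of 2048 bits or more), both parties derive the same key from values that travel in the clear, and the eavesdropper's only route is the discrete logarithm, shown here as a brute-force search that succeeds only because the prime is tiny.

```python
"""Toy Diffie-Hellman key agreement: both parties derive the same secret
while an eavesdropper sees only the public values."""
import hashlib
import secrets

# Textbook parameters, constructed for illustration only: prime modulus p and
# generator g. With p = 23 the secret can be found by trial, which is exactly
# what a 2048-bit (or larger) standardised group is there to prevent.
P = 23
G = 5


def public_value(private, p=P, g=G):
    """The only thing each party sends over the wire: g^private mod p."""
    return pow(g, private, p)


def valid_public_value(value, p=P):
    """Reject degenerate values (0, 1, p-1) that would force a predictable secret."""
    return 1 < value < p - 1


def generate_private(p=P, g=G):
    """Random private exponent that never leaves the party's machine.
    Redraw if it would produce a degenerate public value."""
    while True:
        private = 2 + secrets.randbelow(p - 3)   # in [2, p-2]
        if valid_public_value(public_value(private, p, g), p):
            return private


def shared_secret(peer_public, private, p=P):
    """(g^b)^a mod p on Alice's side equals (g^a)^b mod p on Bob's side."""
    if not valid_public_value(peer_public, p):
        raise ValueError("peer sent an invalid public value")
    return pow(peer_public, private, p)


def derive_key(shared, p=P):
    """Hash the raw group element into a fixed-length symmetric key."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(width, "big")).digest()


def exchange(a_private, b_private, p=P, g=G):
    """Run one exchange; return each side's key and what the wire exposed."""
    a_pub = public_value(a_private, p, g)   # Alice -> Bob
    b_pub = public_value(b_private, p, g)   # Bob -> Alice
    a_key = derive_key(shared_secret(b_pub, a_private, p), p)
    b_key = derive_key(shared_secret(a_pub, b_private, p), p)
    return {"wire": (p, g, a_pub, b_pub), "alice_key": a_key, "bob_key": b_key}


def brute_force_secret(p, g, a_pub, b_pub):
    """What an eavesdropper who saw only the wire must do: recover Alice's
    exponent from g^a mod p (the discrete logarithm). Feasible only for tiny p."""
    for a in range(1, p - 1):
        if pow(g, a, p) == a_pub:
            return pow(b_pub, a, p)
    return None


if __name__ == "__main__":
    result = exchange(generate_private(), generate_private())
    assert result["alice_key"] == result["bob_key"]
    print("both sides agree on key", result["alice_key"].hex()[:16], "...")
    print("eavesdropper recovers raw secret:", brute_force_secret(*result["wire"]))
```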

Within our everyday online activities, every time you put your password or credit card details into a web site, open a VPN (Virtual Private Network) to connect to work securely, or send some personal or sensitive information in a secure email, encryption means you can be sure that the only person who can read any data contained in the secure connection is the recipient.

It also enables web sites to certify they are who they say they are, and not some scammers or a phishing site.

It is fair to say that without this mathematical encryption technology, the internet as we know it, and e-commerce in particular, just wouldn’t work.

If you send or receive personal, sensitive information for your work and don’t currently have an encrypted email option, or regularly work away from the office and could use a secure VPN to connect up to work, please contact the Service Desk, who can advise you how these may be obtained. Or if you would just like to know more about encryption, then feel free to contact me.

Graeme Wolfe

Information and IT Security Officer

28/03/2017

How valuable is my device and data to a cyber criminal?

This month our Information and IT Security officer, Graeme Wolfe, looks at how any compromised device (PC, laptop, tablet or smartphone) has a value to, and can be used by, cyber criminals.

When I am out and about, talking personal data security with people, I do still hear the following comment: “I don’t have anything sensitive or valuable on my device, so why should I be too worried about IT security?”

The trouble is that what may not seem valuable to you, an online email account for example, does have a value to criminals. Not a huge one on its own, agreed; but if it does become compromised, it can be used to launch ten thousand spam emails in the blink of an eye, after which the criminal dumps it and moves on to the next one. When scaled up to the billions of users on the internet, that means there are an awful lot of email accounts that can be used to launch spam attacks, and it’s likely that none of them will be blocked by the spam filters on email accounts either.

Let’s say one of those spam mails finds its way to you and you think you know the sender and trust them, so you click on the link and your machine then becomes infected with all sorts of nasty possibilities.

Or maybe the link pretended to be from your bank and took you to a familiar looking web site where you entered all your banking details, effectively handing them to the criminals.

There are a whole host of ways a cyber-criminal can use a compromised device to their advantage and the security expert Brian Krebs (whose web site was attacked last year and was mentioned in my blog post for November) created a graphic which identifies many of the different ways a criminal can use your device to make them money.

 


 

Some of these you may have heard of, others will possibly be gobbledegook. But just because you haven’t heard of them doesn’t mean that criminals aren’t using them to take money from unsuspecting people and line their pockets.

Remember, ‘Knowledge is Power’ and if we are all aware of the methods and scams the bad guys use, they are effectively rendered useless.

Graeme Wolfe

Information and IT Security Officer

27/02/2017

Be careful what you wish for…


This month Graeme Wolfe, our Information and IT Security Officer, looks at ‘smart home assistants’ and how to ensure you set your default accounts correctly, so that your ‘wished for’ list does not come true with all sorts of unexpected consequences.

You may have seen the launch last year of ‘smart home assistants’ from Amazon (Echo) and Google (Home) which employ Artificial Intelligence to listen out for your instructions and then act upon them. Saying “play this piece of music” or “remind me I have a meeting this afternoon” is fairly simple, but they can also order things online for you and that is where the problems can start.

An example of this came as a surprise to one owner of a ‘smart home assistant’ when a dolls house arrived from Amazon that they hadn’t ordered. It turned out that their young daughter had ‘wished’ for one and the home assistant picked this up and dutifully placed an order. Later on, this made it to the local news in San Diego, and when the TV presenter broadcast the words the child had spoken, ‘smart home assistants’ all over the local area heard the request from the television and went and ordered dolls houses as well!

It turns out that these ‘smart home assistants’ are unable to discriminate between your voice, that of your children, guests and even those coming from television or radio. The default setting on the Amazon device is to enable voice purchases. If you own one of these devices, be sure to go into the settings and make sure that you have changed the defaults to ones that suit your particular needs.

Graeme Wolfe

Information and IT Security Officer

19/01/17
