This month, our Information and IT Security officer, Graeme Wolfe, looks at the latest updates for Windows machines and why they are important.
One of the original intentions of this blog was to remind you to check and apply any new security patches that have been released in the past month.
These are usually released on the second Tuesday of the month, or ‘Patch Tuesday’ as it is known.
This month (April) there is a selection of patches for Windows and Office that will patch what are known as ‘zero day attacks’. These are when a security flaw becomes known to the hacking community, but the fixes to close the flaw have yet to be released (and of course to be downloaded and applied to each device).
Your University-supplied Windows laptop and desktop devices will be sent the appropriate patches automatically. We will also check these patches do not cause any instability in the standard software on your device/s. Be aware that these patches may have installed the last time you shut down; when updates are still to be installed, you will see an exclamation mark (!) on the shutdown button (on the Start menu).
If you have any personal devices running Windows and Office and they are not set up to receive automatic updates, then you should download and install these patches each month. If you receive an on-screen reminder then follow these simple instructions.
The Windows reminder will often ask if you want to download and install the updates, so click on Yes.
To check you have the latest updates, click on ‘start’ then ‘all programs’.
In the list of programs there will be a ‘Windows update’ icon; click on that.
You will then get an on-screen window displaying the current status of your updates.
Information and IT Security Officer
Following on from last month’s blog, about how cyber criminals can use your compromised device to further their own ends, this month our Information and IT Security Officer, Graeme Wolfe, looks at encryption and how it is used to keep your online data and information safe and secure.
Encryption, in some form, has been around for many years. Julius Caesar used a simple form of encryption in his messages to his armies, to try to prevent enemies discovering his plans. The German Enigma machine of WWII was a huge leap forwards in secure communications and drove the development of the modern computer age.
50 years ago, two graduates at Stanford University, Whitfield Diffie and Martin Hellman, produced detailed studies on how you could easily send a secure message to a person, so only they (the recipient) could decode it, without having to exchange any details that could be intercepted by a third party. This involved complex mathematics, based on prime numbers, and the work they published went on to provide a secure foundation for the digital world we all now live in.
Within our everyday online activities, every time you put your password or credit card details into a web site, open a VPN (Virtual Private Network) to connect to work securely, or send some personal or sensitive information in a secure email, encryption means you can be sure that the only person who can read any data contained in the secure connection is the recipient.
It also enables web sites to certify they are who they say they are, and not some scammers or a phishing site.
It is fair to say that without this mathematical encryption technology, the internet as we know it, and e-commerce in particular, just wouldn’t work.
If you send or receive personal, sensitive information for your work and don’t currently have an encrypted email option, or regularly work away from the office and could use a secure VPN to connect up to work, please contact the Service Desk, who can advise you how these may be obtained. Or if you would just like to know more about encryption, then feel free to contact me.
Information and IT Security Officer
This month our Information and IT Security officer, Graeme Wolfe, looks at how any compromised device (PC, laptop, tablet or smartphone) has a value to, and can be used by, cyber criminals.
When I am out and about, talking personal data security with people, I do still hear the following comment: “I don’t have anything sensitive or valuable on my device, so why should I be too worried about IT security?”
The trouble is that what may not seem valuable to you, an online email account for example, does have a value to criminals. Not a huge one on its own, agreed; but if it does become compromised, it can be used to launch ten thousand spam emails in the blink of an eye, after which the criminals dump it and move on to the next one. When scaled up to the billions of users on the internet, this means there are an awful lot of email accounts that can be used to launch spam attacks, and it’s likely that none of them will be blocked by the spam filters on email accounts either.
Let’s say one of those spam mails finds its way to you and you think you know the sender and trust them, so you click on the link and your machine then becomes infected with all sorts of nasty possibilities.
Or maybe the link pretended to be from your bank and took you to a familiar looking web site where you entered all your banking details, effectively handing them to the criminals.
There are a whole host of ways a cyber-criminal can use a compromised device to their advantage and the security expert Brian Krebs (whose web site was attacked last year and was mentioned in my blog post for November) created a graphic which identifies many of the different ways a criminal can use your device to make them money.
Some of these you may have heard of, others will possibly be gobbledegook. But just because you haven’t heard of them doesn’t mean that criminals aren’t using them to take money from unsuspecting people and line their pockets.
Remember, ‘Knowledge is Power’ and if we are all aware of the methods and scams the bad guys use, they are effectively rendered useless.
Information and IT Security Officer
This month Graeme Wolfe, our Information and IT Security Officer, looks at ‘smart home assistants’ and how to ensure you set your default accounts correctly, so that your ‘wished for’ list does not come true with all sorts of unexpected consequences.
You may have seen the launch last year of ‘smart home assistants’ from Amazon (Echo) and Google (Home) which employ Artificial Intelligence to listen out for your instructions and then act upon them. Saying “play this piece of music” or “remind me I have a meeting this afternoon” is fairly simple, but they can also order things online for you and that is where the problems can start.
One example of this came as a surprise to the owner of a ‘smart home assistant’ when a dolls’ house arrived from Amazon that they hadn’t ordered. It turned out that their young daughter had ‘wished’ for one and the home assistant picked this up and dutifully placed an order for one. Later on, this made it to the local news in San Diego and when the TV presenter broadcast the words the child had spoken, there were ‘smart home assistants’ all over the local area that heard the request from the television and went and ordered up dolls’ houses as well!
It turns out that these ‘smart home assistants’ are unable to discriminate between your voice, that of your children, guests and even those coming from television or radio. The default setting on the Amazon device is to enable voice purchases. If you own one of these devices, be sure to go into the settings and make sure that you have changed the defaults to ones that suit your particular needs.
Information and IT Security Officer
The latest blog from our Information and IT Security Officer, Graeme Wolfe, looks at some myths around internet security, providing further advice and guidance on ways to keep yourself and your family safe and secure, especially in the run up to Christmas, when many of us are likely to be internet shopping and undertaking other online activities.
5 Myths about the internet and security:
I often get asked questions about the safe use of the ‘internet’, the threats and the myths attached to using the internet. Like the programme on the Discovery channel, here are some security myths that are BUSTED!
1. If I visit a compromised web site, my computer can only be infected if I agree to download or install malicious software. This is not always the case; some infected sites use background software that your computer will automatically run, to install their malware. To protect your computer from such attacks ensure you have up-to-date anti-virus software or malware scanners installed.
2. Only ‘disreputable’ sites will contain malware. Hackers can find a way into any ‘reputable’ site and use it to host their malware, especially if that site doesn’t have good security protocols and measures, or has not been properly security tested. Even if a link takes you to a recognisable site, always be careful about what you enter or download. Better still, go to the site from a known bookmark or web address.
3. I am too small a ‘fish’ to be of interest to hackers. Never underestimate the targeting ability of criminals and activists. Every single device that is compromised can be added to the network of computers used to support illegal activity or attack other sites and services.
4. I have very little of any value to a hacker on my device. There is potential value for all information stored on your device as follows:
   - Your address book contains details of ‘live’ email accounts that can be targeted or sold on.
   - Browsers and memory can retain a lot of personal data about you and your browsing habits (your ‘Digital Identity’), and criminals can use this information.
   - You may not think your data is valuable, but there are those who do and will try to obtain it from you (see myth 3 above).
5. My device is not one targeted by hackers. In the past this may have been true, but the massive rise in new technology, platforms and devices, combined with the ease by which an attacker can launch an attack, means that ANY device connected to the internet can be considered a target (see myths 3 and 4 above and my blog from last month).
So if any of you remember the programme ‘Hill Street Blues’, in the words of Sgt Phil Esterhaus “Let’s be careful out there!”
Information and IT Security Officer
This month we are looking at smart devices that connect to the internet and how they can be (and have been) easily compromised for use by criminals and activists.
Recently in the media you may have heard about the ‘Internet of Things’ (IoT), Smart Devices and how they have been used in recent cyber-attacks.
IoT simply refers to everyday objects or devices (both consumer and business) that have an internet connection and are able to send and receive data, usually without any human involvement. These items could be anything from fridges, TVs, printers, baby monitors, CCTV cameras, even cars and buildings.
Unfortunately many of these devices are manufactured and distributed with little or no inbuilt security, often having a default standard password set up on each device. This is why we ensure anything that connects to the internet has the appropriate security built-in and that it is activated.
The Internet Storm Centre at the SANS Institute regularly tests the vulnerability of devices that are connected to the internet that have not been correctly patched or secured. Their testing regularly finds that devices are discovered by ‘hackers’ and quickly compromised in as little as 5 minutes after connection!
You may not have heard of the recent cyber-attacks on websites that try to expose these ‘hackers’ and educate us on the need for security (krebsonsecurity). Recent attacks on Dyn, the company that manages the routing of a large part of the internet, affected many well-known sites and made them inaccessible, such as Twitter, Spotify, Netflix, SoundCloud, PayPal, Reddit and parts of the Amazon web services.
The attack Dyn suffered was called a ‘Distributed Denial of Service’ (DDoS) attack. It interrupted their Domain Name System (DNS) services, which are the way to translate a web address into an IP address that a computer understands, and then continued to attack the Dyn systems. This meant that the companies named above, who used the services of Dyn to connect and route web traffic, effectively dropped off the internet and people were unable to connect to their web pages.
It is also suspected that a similar method was used, earlier this month, to affect the internet connections for the entire country of Liberia.
Devices that were classified as belonging to the IoT were identified as the source of the attack on KrebsOnSecurity and Dyn; many had been compromised with a well-known piece of malware called Mirai. Due to the seriousness and implications for all users of the internet, the US Government security arm, National Institute of Standards and Technology (NIST), has issued technical details for manufacturers on how to build their devices so they are resilient and trustworthy.
But until these new guidelines are incorporated into IoT devices, if you have any devices that have internet connectivity, from a home printer to a baby monitor or CCTV unit, then if possible you should always change the default passwords that come with them. Otherwise you could find your fridge starts a cyber attack on your TV!
Information and IT Security Officer
Following on from last month’s post about regular scams and my recent blog about spam; if you follow the news you will have seen that in the intervening few months there have been further reports about cyber security issues. These have involved some big names and big numbers, for example:
- Yahoo – 500 million accounts compromised!
- TalkTalk – they were fined £400,000 by the Information Commissioner for breaches of the Data Protection Act relating to the hundreds of thousands of accounts that were compromised.
The key advice from all the companies in these situations is to change your log in password and monitor your accounts for at least a couple of months, for any unusual activity.
You may say, ‘So what? I don’t use any of those services, so why should I worry?’ Well, Yahoo provide email services for both Sky and BT, so you may find you are indirectly affected. Plus, according to the Symantec Security Insights Report, 1 in 113 emails contains malware and an increase in activity saw over one million new malware variants being created each day in August and September. So it’s only a matter of time before one crosses your path – if it hasn’t already. In addition, these attacks are not restricted to large online service providers and attacks can come from places a lot closer to home.
Cybersecurity firm SentinelOne contacted 71 UK universities asking if they had been attacked by Ransomware (see here for an explanation of Ransomware). Of the 58 which replied, 23 said they had been attacked in the last year. In particular, Bournemouth University, which boasts a cybersecurity centre, has been hit 21 times in the last 12 months.
The attacks are not limited to any particular area of business either, as 28 NHS Trusts said they had also been affected.
What this does show is that no one who operates online, in any way, is truly safe. But by being vigilant and thinking before acting, it is possible to greatly reduce the risk of being a victim of cyber-crime.
Even with the guidance on the University’s IT Security pages on spotting malware attacks, it can be hard to know if an email, or other communication, is genuine or trying to extract more information from you. But in principle, if you are asked to click on a link in an email, then ‘re-enter’ your details into a site, or are told that you have to act quickly to prevent something happening, then it’s probably a scam. Genuine organisations will not ask you to ‘re-enter’ your information, or share your password or PIN with anyone from their organisation. Going to the security pages of their website will often confirm this. Checking the return / sending address an email was sent from can also provide clues for you. Many scammers will produce emails or messages that may look like they have come from a genuine company, but on closer inspection appear to come from Yahoo or other webmail services. Plus, links in email messages may not take you to the URL that is shown in the text, so such links should be treated as highly suspicious.
Information Security Officer
This month, after taking a break from his blog last month, Graeme Wolfe, our Information and IT Security Officer, takes a further look at the scams that continue to pop up at regular intervals.
Last year I published the blog post ‘Scam merry go round’ and it would appear that we have saddled up our horses and are back on the scam merry-go-round again.
I was advised by the Student Union Financial Advisors of a scam that told students they could apply for a grant. When they clicked on the link, guess what they were asked for? All their financial and personal details of course. Just what any cyber-criminal would want to help them empty your bank account or steal your identity.
Recently, there was a programme on BBC ‘Inside Out – London’ which identified criminal gangs who used international students’ bank accounts to launder their money. Although it is not directly a scam, it is illegal, and can also leave those students open to scams and fraud in the future.
I’m sure that this won’t be the last of such attempts to defraud students and staff of their money and identity, so be cautious if someone is asking you for those details and check your accounts regularly for unusual activity.
Just like the ‘419’ scams, do you really think that someone in a foreign country has specifically selected you to help them move millions of pounds or dollars around? Only to send you a badly worded email from a generic email account offering you the chance of a lifetime – in exchange for your personal financial data of course.
Remember, if it sounds too good to be true, it probably is.
IT Security Officer
This month our Information and IT Security Officer Graeme Wolfe, takes a look at the phenomenon of “social engineering” which is behind the majority of successful hacking activities.
From the images promoted by television programmes and movies, many people think of hacking as hi-tech wizardry, cleverly designed software disguised in emails and geeky programmers. However, the reality is usually just an old-fashioned confidence trick, which uses an electronic medium to deliver or maintain the trick.
You could say ‘the con’ has been updated for the modern age where “phishing” and “smishing” are the modern terms used to describe the specific con tricks. All the cons rely upon a set of human characteristics which, with due respect to Hieronymus Bosch, you might think of as the “seven deadly sins” of social engineering.
To fall for a confidence trick, or worse, we assume others “must” have taken the necessary steps to keep us secure. Sadly this leads to a lack of awareness, and in the world of the hacker, that is gold dust.
This flaw was perfectly highlighted by the newspaper phone hacking scandals a few years ago, where certain people’s voice mails could be accessed using the default PIN codes from the network operators. If they had set up a PIN themselves to protect their sensitive information, then they would most likely not have been hacked. This scandal caused many of the mobile service providers to force you to change your PIN when you use their service for the first time.
Another example: if you stay in a hotel and programme your random PIN into the room safe to keep your belongings secure, how many of us check to see if the manufacturer’s override code has been left in the safe?
Default PIN codes are nearly always 0000 or 1234. Change your PIN codes, if you haven’t already.
Humans are curious by nature. However, naive and uninformed curiosity has caused many casualties. Criminals know we’re curious and they will try to lure us in. If we see an unfamiliar door in a building we frequent, we all wonder where it leads.
If it is unlocked and there are no signs telling us not to, we might be tempted to open it and find out, but in the online world that might just be a trap waiting for an innocent user to spring it. A researcher for an online security firm built a website that contained a button that said Do Not Press, and was astonished to find that the majority of people visiting the site actually clicked on it.
Be curious, but exercise a healthy degree of suspicion.
It is often thought of as a derogatory term, but we can all suffer from this sin. We make assumptions. We take others at face value, especially outside of our areas of expertise. Put a uniform (Imperial Storm trooper?!) on someone and we assume they have authority.
Give an email an official appearance by using the correct logo and apparently coming from the correct email address, and we might just assume it’s real, regardless of how silly its instructions might be.
All of this can be easily forged online, so make no assumptions.
We quite rightly all teach our children to be polite. However, politeness does not mean you should not discriminate.
If you do not know something, or you feel something doesn’t feel quite right, then ask someone. This principle is truer than ever in the online world, where we are asked to interact with people and systems in ways with which we can be unfamiliar.
If someone phones you out of the blue and says they are from your bank do you believe them? No. You would phone them back, on a number you obtained elsewhere, and check. By the way, it’s best to use a mobile, or different, phone for this, as landlines can remain connected to the person who made the call in the first place and so while you might think you’re phoning the bank on a valid number, you’re just talking to the person who called you.
This happened to me quite recently, when I received calls and texts that looked like they came from my bank. The person I spoke to from the fraud department of my bank said they wished that all their customers would take similar measures to ensure the identity of the person calling them.
Don’t be afraid to question someone who contacts you and appears to be legitimate. If they are, they will understand that you are being cautious and won’t get offended.
Despite what we’d like to think, we can all be susceptible to greed; even though it might not feel like greed.
Since its inception, the very culture of the web has been to share items for free. Initially this was academic research and pictures of naked ladies! But as the internet was commercialised in the mid to late-1990s, we were left with the impression that we could still find something for nothing.
Nothing is ever truly free online. You have to remember that if you’re not the paying customer, you’re very likely to be the product. In the worst case, you might find that you have taken something onto your machine that is far from what you bargained for.
Many pieces of malware are actively downloaded by people unaware that the “free” product contains a nasty payload, even if it also appears to do what you expected of it.
Have you seen how much access to your personal data many ‘free apps’ require? Do you wonder why, as you click ‘allow’?
People are reluctant to ask strangers for ID, and in the online world it is more important than ever to establish the credentials of those whom you entrust with your personal or sensitive information.
Do not let circumstances lead you to make assumptions about ID.
For example, if someone from “IT support” calls you and asks for your password so they can help fix your problem, how do you know they haven’t called everyone else in the building first until they found you, who really has got a problem?
This is a well-known form of attack. If someone has a problem with proving who they are, you should immediately be suspicious.
Thinking before you act is possibly the most effective means of protecting yourself online. It is all too easy to click that link.
How many of us, when reading an apparently valid link in an email, would bother to check whether the link is actually valid or whether instead it takes you to a malicious site?
It’s horribly easy to make links look valid, so try hovering your cursor over the link for a few seconds before clicking to see what the real link is; the true link pops up if you give it a moment.
Try to think again and check before clicking on a link.
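The two checks described here and in the earlier post on spotting genuine email (where a link really leads compared with the address shown in its text, and whether a message in a company's name was sent from a webmail account) can also be run over a saved message. The Python below is an added example, not part of the original blog; the sample message, its domain names and the short webmail list are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a short illustrative list of webmail domains; extend for real use.
WEBMAIL_DOMAINS = {"yahoo.com", "yahoo.co.uk", "gmail.com", "outlook.com", "hotmail.com"}

# Link text that itself looks like a web address, e.g. "www.bank.example/login".
URL_LIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#].*)?$", re.I)

def strip_www(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html):
    """Links whose text shows one site while the href leads to another."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    flagged = []
    for text, href in collector.links:
        shown = URL_LIKE.match(text)
        if not shown:
            continue  # text such as "help pages" claims no destination
        shown_host = strip_www(shown.group(1))
        real_host = strip_www(urlsplit(href).hostname or "")
        # A subdomain of the shown site is fine; anything else is a mismatch.
        if real_host != shown_host and not real_host.endswith("." + shown_host):
            flagged.append((text, href))
    return flagged

def review_message(raw):
    """Apply both checks to one raw message and return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    _, address = parseaddr(str(msg["From"]))
    domain = address.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "sender_domain": domain,
        # Only a clue when the message claims to come from a company.
        "webmail_sender": domain in WEBMAIL_DOMAINS,
        "mismatched_links": mismatched_links(html),
    }

# Constructed sample message (not a real email).
SAMPLE = """\
From: "Example Bank Security" <alerts.examplebank@yahoo.com>
To: user@university.example
Subject: Urgent: re-enter your details
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Please confirm your account at
<a href="http://examplebank.example.login-check.test/verify">www.examplebank.example</a>
or read our <a href="https://www.examplebank.example/help">help pages</a> and
<a href="https://secure.examplebank.example/">https://examplebank.example</a>.</p>
"""

if __name__ == "__main__":
    for key, value in review_message(SAMPLE).items():
        print(key, "=", value)
```

Only the first link is flagged: its text shows the bank's address, but the real host ends in a different domain that merely starts with the bank's name.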
As cynical as it may sound, the only answer is to practise your A-B-C:
- Assume nothing
- Believe no-one
- Check everything
With more transactions (shopping, banking, etc.) being done online than ever before, you should watch out for those that would exploit the deadly sins.
Don’t give criminals the chance to ruin your online experience, and remember that a little bit of paranoia goes a long way online.
Graeme Wolfe, Information and IT Security Officer, 21/07/2016
There have been some interesting developments in the world of spam and malware in the past couple of weeks.
Various organisations¹ that monitor internet traffic have found an alarming increase in the amounts of spam, malware and phishing emails being sent out recently.
They also found that it was not just one type of spam either; there are a number of different ‘flavours’.
Remember the 419 email and letter scams? Typically from Iraq, South Africa or somewhere in West Africa, these advance-fee scams ask for your help to transfer money out of a country in return for a fee. The fraudster requests your bank details for the transfer, and takes the opportunity to empty your account! These scams still seem to be serving up a bad taste in their victims’ mouths, just when we thought they were off the menu.
There was an increase in the amount of ‘ransomware’ emails being dished out, containing a link which when you click on it allows the scammer to encrypt your files and data, essentially holding your files and data ‘hostage’ until you pay the ransom payment for their decryption. These have been rather successful in the past, not only infecting individuals’ machines, but also large organisations too. An American hospital got a taste of this and ended up paying thousands of dollars to get their files decrypted.
Scare stories have been emailed to customers of two credential services or password vaults, referring recipients to data breaches by LinkedIn and Tumblr. The emails, purporting to be bona fide support, informed people that their accounts had been hacked and that they needed to re-enter their personal details. These scam emails contained links which directed people to the hackers’ fake web site, serving up yet another phishing email attack.
There is also a new type of fraud that is gaining notoriety, called BEC (Business Email Compromise). Estimates are that tens of thousands of people have been scammed and billions of dollars have been lost worldwide. There is such a huge growth in this type of fraud that the FBI issued a Public Service Announcement. This scam targets employees in an organisation, usually in finance, accounts or procurement, with a message purportedly from a senior finance or accounts manager requesting an urgent payment to be made to a supplier. When the employee takes the bait, the ‘senior manager’ will email and ask for the payment to be made to a different account – the scammer’s account.
Many of these scams require an increasingly elaborate amount of research and reconnaissance, combined with sophisticated social engineering. As the awareness of scam methods increases and protective measures are taken to avoid them, scammers are devising ever more ingenious ways to trick people. Some are conducting more research into their intended victims, to try to make their messages and requests more appealing.
Just like the canned meat, email spam isn’t going to go away anytime soon. So we all need to be aware and take care when opening attachments, clicking on links or receiving instructions from colleagues that appear to go outside the regular procedures.
Graeme Wolfe, Information and IT Security Officer, 27/06/2016
¹ Cloudmark, IC3 and FBI