This month our Information and IT Security Officer, Graeme Wolfe, looks at how any compromised device (PC, laptop, tablet or smartphone) has value to, and can be used by, cyber criminals.
When I am out and about, talking personal data security with people, I do still hear the following comment: “I don’t have anything sensitive or valuable on my device, so why should I be too worried about IT security?”
The trouble is that what may not seem valuable to you, an online email account for example, does have a value to criminals. Not a huge one on its own, agreed; but once compromised it can be used to send ten thousand spam emails in the blink of an eye, before the criminal dumps it and moves on to the next one. Scaled up to the billions of users on the internet, that means an awful lot of email accounts are available to send spam from, and because each one is a genuine account with a normal sending history, much of that spam will get past the recipients’ spam filters.
Let’s say one of those spam mails finds its way to you. You think you know the sender and trust them, so you click on the link, and your machine is then infected with malware that can do any number of nasty things.
Or maybe the link pretended to be from your bank and took you to a familiar-looking web site where you entered all your banking details, effectively handing them to the criminals.
There are a whole host of ways a cyber-criminal can use a compromised device to their advantage, and the security expert Brian Krebs (whose web site was attacked last year and was mentioned in my blog post for November) created a graphic which identifies many of the different ways a criminal can use your device to make money.
Some of these you may have heard of; others will possibly be gobbledegook. But just because you haven’t heard of them doesn’t mean that criminals aren’t using them to take money from unsuspecting people and line their pockets.
Remember, ‘Knowledge is Power’: if we are all aware of the methods and scams the bad guys use, those methods become far less effective.
Information and IT Security Officer
This month Graeme Wolfe, our Information and IT Security Officer, looks at ‘smart home assistants’ and how to ensure you set your default accounts correctly, so that your ‘wished for’ list does not come true with all sorts of unexpected consequences.
You may have seen the launch last year of ‘smart home assistants’ from Amazon (Echo) and Google (Home) which employ Artificial Intelligence to listen out for your instructions and then act upon them. Saying “play this piece of music” or “remind me I have a meeting this afternoon” is fairly simple, but they can also order things online for you and that is where the problems can start.
One owner of a ‘smart home assistant’ was surprised when a dolls house arrived from Amazon that they hadn’t ordered. It turned out that their young daughter had ‘wished’ for one out loud; the home assistant picked this up and dutifully placed an order. Later on, the story made it onto the local TV news in San Diego, and when the presenter repeated the words the child had spoken, ‘smart home assistants’ all over the local area heard the request from the television and tried to order dolls houses as well!
It turns out that these ‘smart home assistants’ cannot tell the difference between your voice and that of your children, your guests, or even a voice coming from the television or radio. The default setting on the Amazon device is to allow voice purchases. If you own one of these devices, go into the settings and change the defaults to ones that suit your particular needs: at minimum, turn voice purchasing off, or require a confirmation code to be spoken before any order is placed.
Information and IT Security Officer
The latest blog from our Information and IT Security Officer, Graeme Wolfe, looks at some myths around internet security, providing further advice and guidance on ways to keep yourself and your family safe and secure, especially in the run up to Christmas, when many of us are likely to be internet shopping and undertaking other online activities.
5 Myths about the internet and security:
I often get asked questions about the safe use of the ‘internet’, the threats and the myths attached to using it. Like the programme on the Discovery channel, here are some security myths that are BUSTED!
1. If I visit a compromised web site, my computer can only be infected if I agree to download or install malicious software. Not always. Some compromised sites serve ‘drive-by’ downloads: code that runs automatically in your browser, exploits an unpatched flaw in the browser or one of its plug-ins, and installs malware without asking you anything. To protect against this, keep your operating system, browser and plug-ins patched, and have up to date anti-virus or malware scanning software installed.
2. Only ‘disreputable’ sites contain malware. Hackers can find a way into any ‘reputable’ site and use it to host their malware, especially if that site does not have good security measures in place or has not been properly security tested. Even when a link takes you to a recognisable site, be careful about what you enter or download. Better still, go to the site from a known bookmark or by typing the web address yourself.
3. I am too small a ‘fish’ to be of interest to hackers. Never underestimate the reach of criminals and activists; most of their targeting is automated and indiscriminate. Every compromised device can be added to a ‘botnet’, a network of hijacked computers used to send spam, support other illegal activity or attack other sites and services.
4. I have very little of any value to a hacker on my device. All the information stored on your device has potential value:
   - Your address book contains details of ‘live’ email accounts that can be targeted or sold on.
   - Browsers and local storage retain a lot of personal data about you and your browsing habits, your ‘digital identity’, which criminals can use.
   - You may not think your data is valuable, but there are those who do and will try to obtain it from you (see myth 3 above).
5. My device is not one targeted by hackers. In the past this may have been true, but the massive rise in new technology, platforms and devices, combined with the ease with which an attacker can launch an attack, means that ANY device connected to the internet can be considered a target (see myths 3 and 4 above and my blog from last month).
So if any of you remember the programme ‘Hill Street Blues’, in the words of Sgt Phil Esterhaus “Let’s be careful out there!”
Information and IT Security Officer
This month we are looking at smart devices that connect to the internet and how they can be (and have been) easily compromised for use by criminals and activists.
Recently in the media you may have heard about the ‘Internet of Things’ (IoT), Smart Devices and how they have been used in recent cyber-attacks.
IoT simply refers to everyday objects or devices (both consumer and business) that have an internet connection and are able to send and receive data, usually without any human involvement. These items could be anything from fridges, TVs, printers, baby monitors and CCTV cameras to cars and even buildings.
Unfortunately many of these devices are manufactured and distributed with little or no built-in security, often shipping with the same default password on every unit. This is why we ensure that anything at the University which connects to the internet has the appropriate security built in and switched on.
The Internet Storm Center at the SANS Institute regularly measures how quickly internet-connected devices that have not been patched or secured are found and attacked. Their testing regularly finds that devices are discovered by ‘hackers’ (usually automated scanning tools) and compromised in as little as five minutes after connection!
You may not have heard of the recent cyber-attacks on krebsonsecurity.com, a web site that works to expose these ‘hackers’ and educate us on the need for security, but you probably did hear about the attacks on Dyn, a company that provides Domain Name System (DNS) services for a large part of the internet. Those attacks made many well-known sites inaccessible, including Twitter, Spotify, Netflix, SoundCloud, PayPal, Reddit and parts of Amazon Web Services.
The attack Dyn suffered was a ‘Distributed Denial of Service’ attack (DDoS), which overwhelmed their DNS servers with traffic and kept on doing so. DNS is the service that translates a web address such as www.example.com into the IP address a computer actually connects to. When Dyn’s servers could not answer, the companies named above, who relied on Dyn to serve their DNS, effectively dropped off the internet: their own web servers were running, but nobody’s browser could find them.
It is also suspected that a similar method was used earlier this month to affect the internet connections for the entire country of Liberia.
Devices classed as belonging to the IoT were identified as the source of the attacks on KrebsOnSecurity and Dyn; many had been compromised with a well-known piece of malware called Mirai, which works by scanning the internet for devices and logging in to them with a short list of factory-default usernames and passwords. Due to the seriousness and implications for all users of the internet, the US National Institute of Standards and Technology (NIST) has issued technical guidance for manufacturers on how to build devices that are resilient and trustworthy.
But until such guidance makes its way into the devices on sale, if you have anything with internet connectivity, from a home printer to a baby monitor or CCTV unit, you should change the default password that came with it wherever possible, install any firmware updates the manufacturer provides, and avoid exposing the device directly to the internet if it does not need to be. Otherwise you could find your fridge starts a cyber attack on your TV!
Information and IT Security Officer
Following on from last month’s post about regular scams and my earlier blog about spam: if you follow the news you will have seen that in the intervening few months there have been further reports of cyber security incidents. These have involved some big names and big numbers, for example:
- Yahoo: 500 million accounts compromised!
- TalkTalk: fined £400,000 by the Information Commissioner for breaches of the Data Protection Act relating to the hundreds of thousands of accounts that were compromised.
The key advice from companies in these situations is to change your password, change it anywhere else you used the same one, and monitor your accounts for at least a couple of months for any unusual activity.
You may say, ‘So what? I don’t use any of those services, so why should I worry?’ Well, Yahoo provides email services for both Sky and BT, so you may be indirectly affected. Plus, according to the Symantec Security Insights Report, 1 in 113 emails contained malware, and an increase in activity saw over one million new malware variants being created each day in August and September. So it’s only a matter of time before one crosses your path, if it hasn’t already. In addition, these attacks are not restricted to large online service providers; they can come from places a lot closer to home.
The cybersecurity firm SentinelOne contacted 71 UK universities asking whether they had been attacked with ransomware (see here for an explanation of ransomware). Of the 58 which replied, 23 said they had been attacked in the last year. In particular, Bournemouth University, which boasts a cybersecurity centre, had been hit 21 times in the previous 12 months.
The attacks are not limited to any particular sector either: 28 NHS Trusts said they had also been affected.
What this does show is that no one who operates online, in any way, is truly safe. But by being vigilant and thinking before acting, it is possible to greatly reduce the risk of becoming a victim of cyber-crime.
Even with the guidance on the University’s IT Security pages on spotting malware attacks, it can be hard to know whether an email or other communication is genuine or is trying to extract more information from you. In principle, if you are asked to click on a link in an email and then ‘re-enter’ your details into a site, or are told that you have to act quickly to prevent something happening, it is probably a scam. Genuine organisations will not ask you to ‘re-enter’ your information, or to share your password or PIN with anyone from their organisation, and the security pages of their web site will often confirm this. Checking the address an email was actually sent from can also provide clues: many scam emails are dressed up to look as though they come from a genuine company, but on closer inspection come from Yahoo or another webmail service. Likewise, the link in a message may not take you to the address shown in the text; hovering over the link (without clicking) shows where it really goes. Any such mismatch should make you highly suspicious.
Information Security Officer
This month, after taking a break from his blog last month, Graeme Wolfe, our Information and IT Security Officer, takes a further look at the scams that continue to pop up at regular intervals.
Last year I published the blog post ‘Scam merry go round’ and it would appear that we have saddled up our horses and are back on the scam merry-go-round again.
I was advised by the Student Union Financial Advisors of a scam that told students they could apply for a grant. When they clicked on the link, guess what they were asked for? All their financial and personal details of course. Just what any cyber-criminal would want to help them empty your bank account or steal your identity.
Recently there was a programme on BBC ‘Inside Out – London’ which identified criminal gangs who used international students’ bank accounts to launder their money. Although it is not directly a scam, it is illegal, and can also leave those students open to scams and fraud in the future.
I’m sure that this won’t be the last of such attempts to defraud students and staff of their money and identity, so be cautious if someone is asking you for those details and check your accounts regularly for unusual activity.
Just like the ‘419’ scams, do you really think that someone in a foreign country has specifically selected you to help them move millions of pounds or dollars around? Only to send you a badly worded email from a generic email account offering you the chance of a lifetime – in exchange for your personal financial data of course.
Remember, if it sounds too good to be true, it probably is.
IT Security Officer
This month our Information and IT Security Officer Graeme Wolfe, takes a look at the phenomenon of “social engineering” which is behind the majority of successful hacking activities.
From the images promoted by television programmes and movies, many people think of hacking as hi-tech wizardry, cleverly designed software disguised in emails and geeky programmers. However, the reality is usually just an old-fashioned confidence trick, which uses an electronic medium to deliver or maintain the trick.
You could say ‘the con’ has been updated for the modern age where “phishing” and “smishing” are the modern terms used to describe the specific con tricks. All the cons rely upon a set of human characteristics which, with due respect to Hieronymus Bosch, you might think of as the “seven deadly sins” of social engineering.
We fall for a confidence trick, or worse, when we assume that others ‘must’ have taken the necessary steps to keep us secure. Sadly this leads to a lack of awareness, and in the world of the hacker that is gold dust.
This flaw was perfectly highlighted by the newspaper phone hacking scandals a few years ago, where certain people’s voicemails could be accessed using the network operators’ default PIN codes. If those people had set a PIN themselves to protect their sensitive information, they would most likely not have been hacked. The scandal led many mobile service providers to force you to change your PIN when you use voicemail for the first time.
Another example: if you stay in a hotel and programme a random PIN into the room safe to keep your belongings secure, how many of us check whether the manufacturer’s override code has been left at its default?
Default PIN codes are nearly always 0000 or 1234. Change your PIN codes if you haven’t already.
Humans are curious by nature. However, naive and uninformed curiosity has caused many casualties. Criminals know we’re curious and they will try to lure us in. If we see an unfamiliar door in a building we frequent, we all wonder where it leads.
If unlocked and there are no signs telling us not to, we might be tempted to open it and find out, but in the online world that might just be a trap waiting for an innocent user to spring it. A researcher for an online security firm built a website that contained a button that said Do Not Press, and was astonished to find that the majority of people visiting the site, actually clicked on it.
Be curious, but exercise a healthy degree of suspicion.
It is often thought of as a derogatory term, but we can all suffer from this sin. We make assumptions. We take others at face value, especially outside of our areas of expertise. Put a uniform (Imperial Storm trooper?!) on someone and we assume they have authority.
Give an email an official appearance by using the correct logo and apparently coming from the correct email address, and we might just assume it’s real, regardless of how silly its instructions might be.
All of this can be easily forged online, so make no assumptions.
We quite rightly teach our children to be polite. However, politeness does not mean you should not be discerning.
If you do not know something, or something doesn’t feel quite right, then ask someone. This principle is truer than ever in the online world, where we are asked to interact with people and systems in ways with which we may be unfamiliar.
If someone phones you out of the blue and says they are from your bank, do you believe them? No. You phone them back on a number you obtained elsewhere (the back of your bank card, for example) and check. By the way, it’s best to use a mobile, or a different phone, for this: a landline can remain connected to the person who made the call, so while you think you’re phoning the bank on a valid number, you’re just talking to the person who called you.
This happened to me quite recently, when I received calls and texts that looked like they came from my bank. The person I spoke to in the fraud department of my bank said they wished that all their customers would take similar measures to check the identity of the person calling them.
Don’t be afraid to question someone who contacts you and appears to be legitimate. If they are they will understand that you are being cautious and won’t get offended.
Despite what we’d like to think, we can all be susceptible to greed; even though it might not feel like greed.
Since its inception, the very culture of the web has been to share items for free. Initially this was academic research and pictures of naked ladies! But as the internet was commercialised in the mid to late-1990s, we were left with the impression that we could still find something for nothing.
Nothing is ever truly free online. You have to remember that if you’re not the paying customer, you’re very likely to be the product. In the worst case, you might find that you have taken something onto your machine that is far from what you bargained for.
Many pieces of malware are actively downloaded by people unaware that the “free” product contains a nasty payload, even if it also appears to do what you expected of it.
Have you seen how much access to your personal data many ‘free apps’ require? Do you wonder why, as you click ‘allow’?
People are reluctant to ask strangers for ID, and in the online world it is more important than ever to establish the credentials of those whom you entrust with your personal or sensitive information.
Do not let circumstances lead you to make assumptions about ID.
For example, if someone from “IT support” calls you and asks for your password so they can fix your problem, how do you know they haven’t called everyone else in the building first, until they found someone (you) who really does have a problem?
This is a well-known form of attack. If someone has a problem with proving who they are, you should immediately be suspicious.
Thinking before you act is possibly the most effective means of protecting yourself online. It is all too easy to click that link.
How many of us, when reading an apparently valid link in an email, would bother to check whether the link really goes where it says, or instead takes you to a malicious site?
It’s horribly easy to make links look valid, so hover your cursor over the link for a few seconds before clicking: the true destination pops up if you give it a moment. On a phone or tablet, pressing and holding the link usually shows the same information.
Try to think again and check before clicking on a link.
As cynical as it may sound, the only answer is to practise your A-B-C:
- Assume nothing
- Believe no-one
- Check everything
With more transactions (shopping, banking, etc.) being done online than ever before, you should watch out for those that would exploit the deadly sins.
Don’t give criminals the chance to ruin your online experience, and remember that a little bit of paranoia goes a long way online.
Graeme Wolfe, Information and IT Security Officer, 21/07/2016
There have been some interesting developments in the world of spam and malware in the past couple of weeks.
Various organisations1 that monitor internet traffic have found an alarming increase in the amounts of spam, malware and phishing emails being sent out recently.
They also found that it was not just one type of spam either, there are a number of different ‘flavours’.
Remember the 419 email and letter scams? Typically from Iraq, South Africa or somewhere in West Africa, these advance-fee scams ask for your help to transfer money out of a country in return for a fee. The fraudster requests your bank details for the transfer, and takes the opportunity to empty your account! These scams still seem to be serving up a bad taste in their victims’ mouths, just when we thought they were off the menu.
There was an increase in the amount of ‘ransomware’ emails being dished out. These contain a link or attachment which, when opened, installs malware that encrypts your files and data, essentially holding them ‘hostage’ until you pay the ransom for the decryption key. These have been rather successful in the past, infecting not only individuals’ machines but large organisations too. An American hospital got a taste of this and ended up paying thousands of dollars to get their files decrypted.
Scare emails have been sent to customers of two credential services, or password vaults, referring recipients to the data breaches at LinkedIn and Tumblr. The emails, purporting to be bona fide support messages, told people that their accounts had been hacked and that they needed to re-enter their personal details. The links in these emails directed people to the attackers’ fake web site: yet another phishing attack.
There is also a type of fraud gaining notoriety called BEC (Business Email Compromise). Estimates are that tens of thousands of people have been scammed and billions of dollars lost worldwide; the growth has been such that the FBI issued a Public Service Announcement about it. This scam targets employees in an organisation, usually in finance, accounts or procurement, with a message purporting to come from a senior finance or accounts manager requesting that an urgent payment be made to a supplier. When the employee takes the bait, the ‘senior manager’ emails again and asks for the payment to be made to a different account: the scammer’s account.
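The tells described in these posts, a sender address that turns out to be a webmail account, a link whose text names one site while it really points at another (what hovering over it reveals), and a ‘manager’ whose replies quietly go to a different address, can all be checked mechanically. The Python script below is an added example, not the blog’s own code; the KNOWN_SENDERS directory, the keyword lists and the three sample messages are all constructed for illustration, and a real deployment would swap in your organisation’s own directory and tune the wording lists.

```python
"""Checks for the tells the posts describe: a known display name on an unexpected
sender domain, a Reply-To that goes elsewhere, link text naming one site while the
href goes to another, and "re-enter your details" / "act now" / "new bank account"
wording.  Added example, not the blog's own; the sender directory, keyword lists
and the three sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: who we expect to mail us and from which domain (a mail gateway's
# protected-sender list does the same job).
KNOWN_SENDERS = {"example bank": "examplebank.com", "jane finance": "university.example"}
URGENCY = ("act now", "immediately", "within 24 hours", "urgent", "will be suspended")
CREDENTIAL_REQUESTS = ("re-enter", "confirm your password", "verify your details", "your pin")
PAYMENT_REDIRECT = ("new account details", "different account", "updated bank details")
# Anchor text that itself reads like a web address, e.g. "www.examplebank.com/login".
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url):
    """Host named by a URL or a bare 'www.site.com/path' string, minus any leading www."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML part."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def text_and_links(msg):
    """Lower-cased subject plus the body of every text part, and the links found."""
    chunks, links = [msg.get("Subject", "")], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(body)
            links.extend(collector.links)
            body = re.sub(r"<[^>]+>", " ", body)  # keep only the visible text
        chunks.append(body)
    return " ".join(chunks).lower(), links


def analyse(raw_message):
    """Return (category, detail) findings for one RFC 822 message; [] means no tells."""
    msg = message_from_string(raw_message)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and from_domain != expected:  # "from Yahoo or other webmail services"
        findings.append(("spoofed_display_name", f"{name} <{from_domain}>, expected {expected}"))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:  # BEC: replies go to the scammer
        findings.append(("reply_to_mismatch", f"replies would go to {reply_to}"))
    text, links = text_and_links(msg)
    for href, anchor in links:  # what hovering over the link would have shown you
        if LOOKS_LIKE_URL.fullmatch(anchor) and host_of(anchor) != host_of(href):
            findings.append(("link_mismatch", f"{host_of(anchor)} -> {host_of(href)}"))
    for category, words in (("urgency", URGENCY), ("credential_request", CREDENTIAL_REQUESTS),
                            ("payment_redirect", PAYMENT_REDIRECT)):
        hits = [w for w in words if w in text]
        if hits:
            findings.append((category, ", ".join(hits)))
    return findings


# Constructed samples: a bank phish, a BEC payment diversion, and a genuine notice.
PHISH = """From: Example Bank <security-alert@yahoo.com>
Subject: Your account will be suspended
Content-Type: text/html; charset=utf-8

<p>Unusual activity was detected. To keep your account open you must act now
and re-enter your details at
<a href="http://examplebank.com.login-secure.example/verify">www.examplebank.com/login</a>.</p>
"""
BEC = """From: Jane Finance <jane.finance@university.example>
Reply-To: jane.finance@exec-mail.example
Subject: Urgent supplier payment
Content-Type: text/plain; charset=utf-8

Please settle invoice 4471 today. The supplier has sent updated bank details, so use the new account details below.
"""
GENUINE = """From: Example Bank <statements@examplebank.com>
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Your statement is available when you log in to online banking as usual.
"""
```

Running analyse over the three samples flags the bank phish on four counts (spoofed display name, mismatched link, urgency wording and a request to re-enter details), the BEC message on three (Reply-To elsewhere, urgency, new bank details) and the genuine statement notice on none. Keyword lists like these are a blunt instrument and only catch what they name; the header and link checks are the more reliable part, which is why the advice in these posts concentrates on them.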
Many of these scams require an increasingly elaborate amount of research and reconnaissance, combined with sophisticated social engineering. As the awareness of scam methods increases and protective measures are taken to avoid them, scammers are devising ever more ingenious ways to trick people. Some are conducting more research into their intended victims, to try to make their messages and requests more appealing.
Just like the canned meat, email spam isn’t going to go away anytime soon. So we all need to be aware and take care when opening attachments, clicking on links or receiving instructions from colleagues that appear to go outside the regular procedures.
Graeme Wolfe, Information and IT Security Officer, 27/06/2016
1 Cloudmark, IC3 and FBI
This month Graeme Wolfe, Information and IT Security Officer, looks at Windows 10 and at the options for upgrading.
If you use a personal Windows based PC / Laptop / device running Windows 7, 8 or 8.1, you will no doubt have seen the icon in your task bar inviting you, for a limited time, to upgrade to Windows 10 for free.
Your University supplied Windows PC / Laptop will not show this icon as we have suppressed it. We are working on a new ‘build’ to upgrade to Windows 10 at some point, but this has to be done in conjunction with checking that all the various software products on our estate still work as expected with Windows 10 and that there are no conflicts on our network.
I have been asked by a few people whether they should upgrade to Windows 10 on their personal device or not, especially as there have been some concerns raised about the information it gathers and uses about you, plus the deadline imposed by Microsoft for a ‘free’ upgrade is July 29th 2016.
This really is a personal matter for you and your appetite for moving to a new OS, as there are potential benefits and possible drawbacks to each action. There are many articles and reviews on line, which list the ‘pros’ and ‘cons’ of Windows 10. Just do a search for them if you want to know more, before deciding to take the plunge, or not.
Here are links to a couple of articles to get you started:
I was also asked what the support position was for Windows OS and can reply as follows.
Windows 7 went out of mainstream support in January last year and Windows 8.1 will join it in January 2018, though both will continue to receive security patches and updates until they go out of extended support. (Windows 8 itself stopped receiving updates in January 2016; it has to be updated to 8.1 to stay supported.)
Microsoft will withdraw extended support for Windows 7 in January 2020 and Windows 8.1 in January 2023. That may seem a long way off, but there is talk that it may happen earlier than that, and this may be a reason why you would want to upgrade to Windows 10.
If you are still unsure whether to upgrade, but don’t want to make a decision before the July deadline, you can install Windows 10 on your device and then ‘roll back’ to your previous OS, Windows 7 or 8.1; Microsoft currently allows this for 30 days after the upgrade. Make sure you take a backup of your files first. You shouldn’t lose any files during the changes, but better to be safe than sorry. The upgrade registers your device as licensed for Windows 10, so you ‘beat’ the deadline and can go back to Windows 10 when and if the fancy takes you, at a later date.
Graeme Wolfe, Information and IT Security Officer 13/05/2016
This month Graeme Wolfe, Information and IT Security Officer has his head in the clouds!
Many people and organisations talk about ‘cloud’ services for data storage and the hosting of services. It sounds impressive and is often hyped up in marketing campaigns. However, the reality is rather more mundane: it amounts to putting your data, or an organisation’s data or IT service, on another organisation’s computers, usually using the internet as the transport method.
So if you have pictures stored on Instagram or Photobucket, and keep emails, attachments or other files on Google or Office 365, then you are already using cloud storage services, probably without even realising it!
Two of the great advantages of cloud storage are that you can access your data from anywhere that has an internet connection, and that there is often no cost, at least when storing items on a small scale. Cloud storage services can also act as a ‘back up’ to your hard drive or local storage, so you have a copy of things in case your local storage fails.
Two of the problems with cloud storage are that if you don’t have an internet connection you are unable to access your data, and that anyone else with an internet connection potentially has an opportunity to try to access your data too. Plus you lose physical control over your data and have to rely on someone else to protect it for you.
One question you should be asking yourself when using cloud services is “Do I trust the company who owns the ‘cloud’ to keep my data safe and secure?”
There was a lot of talk in the press last year about celebrity cloud storage (iCloud) accounts being hacked and data, mostly intimate pictures, being stolen. The subsequent investigations showed that many of these attacks were due to weak passwords being guessed (or brute-forced) and easily researched security questions being answered, rather than any break-in to the cloud service itself.
In my blog dated January 2016 I spoke about the creation and use of secure passwords for access to any online services. Cloud storage and services are no exception to this, so make sure you have a strong and unique password if you use these services.
You should also be aware that many cloud storage companies limit their liability to private users (in those terms and conditions we all tick to say we have read and agree to), often to a maximum of $5. You may be fine with that if you are storing and sharing some unimportant data, but if the data is worth more than $5 to you, think twice about where you store it. Even if you enter into a commercial (fee-paying) agreement with them, they will limit their liability in the event of lost or corrupted data. And these services should not be used to store sensitive commercial or personal information unless the data is encrypted before it is uploaded and the host has no access to the decryption key or password.
Some modern personal devices will automatically upload data to the cloud for you, so if you don’t want to do this or you want to control what and when it does this, then check the security settings on your device.
Tip: Type “security issues for [your device]” into google and see what comes up. You may be surprised. Then type in “security settings for [your device]” to find out how to keep your data safe.
So in conclusion. Cloud storage can make your life quicker and easier, but take a moment or two to consider putting data security measures in place to make it less quick and easy for any potential attackers.
Graeme Wolfe, Information and IT Security Officer 12/04/2016