Recent Posts

Recent Comments

    Archives

    Categories

    Meta

    IT Security for the summer holidays

    Posted on: 11 August 2015
    By:
    No Comments »
    Filed under: Uncategorized

    This month, Graeme Wolfe, our Information and IT Security Officer, looks at some of the scams and tricks that can be used against us all during the holiday period and also provides some security advice to travellers using mobile devices.

    IT Security for the summer holidays

    At this time of year many of us will be travelling to new or different places for our holidays, making lots of on line bookings or reservations and receiving various holiday related emails and messages.

    Scammers know this is the case and take advantage by sending ‘holiday’ related scam mails or posing as legitimate travel related web sites, to try and get hold of your personal information or to try and relieve you of your hard earned money.

    holiday-gadgets-header

    Scams and tricksters

    Since most Government departments went down a ‘Digital by Default’ path, to deliver services to us, many services can now be accessed on line; however, there have been a number of sites that have opened up offering to provide these same services to us, but at a price. In some cases, charging for things you can get for free.

    Examples of holiday related government services:

    1. EHIC (European Health Insurance Card) This is FREE from the NHS
    2. Passport applications and renewals. There are charges for passports and you can apply and find out more about all the details on Gov.uk
    3. Visas for Holiday destinations. Details of countries’ entry requirements, along with any other help and advice can be found on Gov.uk
    4. ESTA (Electronic System for Travel Authorization) For travel to the USA. This costs $14 and can be found on this official site.

    Sites that offer to provide such services, are not necessarily breaking the law, as long as they clearly state that they are offering ‘additional services’, even if in reality they aren’t. The two most common such sites are those offering EHIC and ESTA services.

    Also watch out for ‘Holiday’ related emails for flights, hotels, car hire, foreign exchange etc. both at work and at home, which can pop up around this time of year in the hope that you will think they are genuine or accidentally click on them without thinking.

    travel-gadgets

    Other things to consider are:

    1. Social media – Be careful what you post. “Just off for two weeks of Sun and Rum in Barbados” tells your friends and anyone else who cares to look, that your place will be unoccupied for a long period of time.
    2. Out of Office – Again, just some simple information that you are not in the office, when you expect to return and alternate contact details, is all you need to say.
    3. Voicemail – Something simple like “I am unavailable at the moment, please leave a message” is sufficient, like for item 2 above.

     Using portable devices in new locations.

    There are a few things you should take into consideration when using any mobile device in a new location, such as on holiday or in a different country.

    phonebeach_2634101b

    Public Wi-Fi:

    1. Public Wi-Fi is inherently insecure, so be cautious.
    2. Many places now offer free Wi-Fi as part of the services available during your stay. This can be a great way to cut the costs of using a device abroad, but as with any Wi-Fi service, make sure you are connecting to the service provided by the owner i.e. Starbucks or Hilton not $tarrbucks or Hillton
    3. If you are connecting to a Wi-Fi service, check it is secured using WPA security as a bare minimum and WPA2 is better.
    4. Public Wi-Fi services in some parts of the world may be routinely monitored and as such your connection, and any data transferred over it, may not be 100% secure.
    5. When logging into sites over public Wi-Fi, make sure you also log out of them afterwards.

    Charging your Device:

    1. Don’t forget your charger and lead. It might seem obvious, but it can be overlooked.
    2. Travel adaptor – have you got a suitable one for the country you are visiting?
    3. Charge your device fully before leaving home. You don’t know whether you can charge it ‘in transit’ so start with 100%.
    4. You can buy ‘portable batteries’ that can be precharged and kept for emergency use.

    Mobile data costs:

    1. Your UK mobile service provider may not have an equivalent in the country you are visiting, so you will need to select one from a list of options your device will provide you with. (if it has a working SIM installed of course)
    2. Once you have selected your new mobile network you should receive a text advising you of the costs of calls, texts and data in your new location.
    3. Some contracts will enable you to use your UK allowances in foreign climes, others won’t, so before you leave, check and don’t start posting all your holiday snaps on social media until you know for sure. Don’t get saddled with a huge bill on your return.
    4. If you are unsure or don’t want to pay ‘roaming data’ charges then turn this facility off on your device.

     
    Graeme Wolfe

    IT Security Officer

    11/08/2015

     

    May the (En)Force(ment) be with you.

    Posted on: 13 July 2015
    By:
    No Comments »
    Filed under: Uncategorized

    Or, security lessons from Star Wars.

    darth-Vader

    Star Wars Episode IV: A New Hope, is more than just an epic tale of the galaxy wide struggle between the Rebellion and the Galactic Empire, and the triumph of good over evil. It is also a great example of how a series of basic security flaws can cost the most powerful organisation in the galaxy dearly.

    In his position of executive leader of the Empire, Darth Vader certainly didn’t lack resources. With huge teams of highly trained and motivated personnel at his command,  plus state of the art technology and hardware, he knew what assets needed protecting. However the measures taken to protect those assets were sorely lacking. Ultimately the Empire was compromised by a fatal combination of weak security policies and poor practice.

    Let’s take a look at some of the key security mistakes made by the Empire in Star Wars IV, how those mistakes were exploited and what we can learn from them.

    Data Leak Prevention (DLP):

    maxresdefault

    In the (now legendary) opening sequence of the film, Darth Vader and his Storm Troopers board a Rebellion vessel to recover intercepted blueprints of the Empire’s new terror weapon, the Death Star. So far so good. The Empire has detected a potentially dangerous data leak, and has acted swiftly to contain it.

    However, the Empire’s good intentions were let down by poor execution. The search of the ship was too focused on finding Princess Leia, enabling the stolen data to be downloaded onto a consumer device (R2D2), which escaped the captured ship in an escape pod. During a period of security lock down, the Imperial forces detected the launch of the pod. They also knew that the pod contained two droids, but they let it go despite the prevalence of droids in the Star Wars universe. They also overlooked the fact the plans are only data and not alive, as at that time – it wasn’t a droid they were looking for!

    This lesson teaches us there are multiple vulnerabilities that can result in data loss: USB flash drives, consumer devices, email, instant messaging (IM). In the Star Wars example the data lost was  the Death Star schematics, the reality for the University is that data loss could damage the reputation of the University or its’ partners. Another lesson to learn from this example is that if we are suspicious of something that doesn’t seem to be right, then just ignoring it is probably the wrong thing to do.

    No technology is infallible:

    death_star1

    The stolen blueprints were put to good use by the Rebellion to create a highly targeted attack on the Empire’s primary security device, the Death Star. However, at the Imperial board meeting convened to discuss the ramifications of the data breach, Imperial executives were more concerned with points scoring and squabbling with each other, instead of working together to locate and then close off all possible vulnerabilities.

    Darth Vader warned Admiral Motti not to be too proud of the technology the Death Star represented.  Motti retorted that Vader’s knowledge and use of the Force had not revealed the location of the stolen data. Vader found Motti’s lack of faith disturbing, but he should have been more concerned that the meeting had failed to find a way to resolve the problem and fix the vulnerability. A simple precaution such as shielding the exhaust port, or welding a couple of metal bars over it could have been enough to secure this flaw in the design.

    Neither had grasped the fact that it doesn’t matter how strong you believe your security infrastructure to be there is always the possibility of vulnerabilities being introduced through simple human errors or poor planning and design. Keeping networks and data secure requires clear policies, with people following them. It also needs a coordinated effort across the IT and security teams. Having security products alone is not sufficient to protect networks and data.

    Authentication and Access controls:

    Storm-CHRON

    When the Millennium Falcon is captured in a tractor beam and brought into the Death Star, the Empire fails to properly inspect the vessel for payloads that could present a risk. Then the rebel crew exploit the Empire’s weak visual authentication tests by stealing Storm Trooper uniforms. This gives them unchallenged access to the Death Stars’ interior, networks and defence systems.

    This highlights two common security issues we can be more aware of. First, without strong user authentication it’s easy for a potential attacker to appear familiar and trustworthy. Simple visual checks carried out by the Empire such as: is the person  wearing an Imperial Storm Trooper uniform? Check. Do you nod when asked if you are TK421? Check. Access granted! Clearly these were not enough. When securing  physical access to a location by requiring photo ID, or securing electronic access by requiring a user name and password – we can see that authentication of identity is vital.

    Secondly, it is not appropriate to give all members of staff, contractors and third parties full access to all parts of our network, resources and data; as the Empire appears to do for Luke and his friends. We should ensure that only those authorised to access and use specific data can do so.

    Consumerisation or Bring Your Own Device/Droid (BYOD):

    r2-d2

    Having bypassed the Empire’s weak authentication systems on board the Death Star, R2D2 is able to access highly confidential data on the Death Star itself (how and where to disable the tractor beam and the location of Princess Leia), simply by plugging in to an easily accessed wall port. The port looks so much like a power outlet, even R2D2 accidentally plugs in to one by mistake in a later film!

    R2D2 is also able to control various parts of the Death Star’s physical environment from this access point such as lifts, garbage compactors etc. What’s more, R2D2 isn’t just a portable storage device. It is a self-propelled and intelligent robot that could not only take the data anywhere, it can also use that data selectively itself. This creates a real BYOD (bring your own device/droid) problem for the Empire.

    Ultimately, the Empire had clear strategic goals, enormous technology and manpower resources in place, yet it failed to apply proper security policies to manage these resources effectively. If it had, it could have made things much harder for the Rebels and crushed the Rebellion swiftly. However, if the Empire had been successful in preventing data loss by tackling it’s vulnerabilities, there probably wouldn’t been any more sequels to the film, which consequently would have ended within the first 10 minutes or so!

    Graeme Wolfe

    14/07/15

    With thanks to Terry Greer-King from CheckPoint technology, for the original article.

    Too Late! – A cautionary tale.

    Posted on: 9 June 2015
    By:
    No Comments »
    Filed under: Uncategorized

    This month our Information and IT Security Officer, Graeme Wolfe, recounts a true story of lost data and the potential impact of not following policy and guidance.

    Too Late! – A cautionary tale.

    In a meeting room with my manager, an HR rep and my Union rep, for a disciplinary and misconduct hearing – Too Late!

    Being asked by my manager if I had taken sensitive personal data out of the building on an unencrypted memory stick – Too Late!

    Arriving home to find the memory stick I copied my data to is missing and not contacting my manager immediately to inform them of the data loss – Too Late!

    Leaving the building with data on an unencrypted memory stick, which is accidentally lost on my journey home – Too Late!

    In a rush to get home, working flexibly the next day, bag is nearly full and heavy, don’t want to take my laptop home, so copy the documents I need to a personal memory stick (unencrypted) I have to hand – Too Late!

    Knowing I am working flexibly the following day, so making room for my laptop in my bag, or contacting the IT Helpdesk to obtain an encrypted memory stick, to take sensitive data away from the University – Not Too Late!

     

    This story could have had other steps and endings included, with more dramatic effects on staff and the wider University.

    For example – National newspaper publishes a story “Personal and medical data found on a memory stick lying in the street! Can you trust The University of Westminster with YOUR data?” or maybe in specialist Higher Education and Research media “University of Westminster loses Drug Company / NHS data. Can you trust them to keep your sensitive (and expensive) data and research secure?”

    Staff are reminded that there is a new IT Security and Use Policy which you should read and understand. This emphasises the need to keep data secure, in many formats (paper, electronic) and locations (office and travelling). It is important that you implement the policy, not only for the security of the University’s data, but also for your own personal protection.

    For further information on the ways to secure your data and use ‘removable media’ (like memory sticks) please see this link for information on how to use them safely and securely, or contact csirt@westminster.ac.uk

    Graeme Wolfe

    Information and IT Security Officer

    09/06/2015

    (With thanks to the FCO for the original concept of Too Late!)

    Patch Tuesday Blog – Cyber Security Updates

    Posted on: 20 May 2015
    By:
    No Comments »
    Filed under: Uncategorized

    As many of you may be aware, the second Tuesday of the month is Microsoft’s ‘Security Patch Tuesday’ *

    This also seemed like a good opportunity to share security updates, briefings and articles at the same time as ‘Patch Tuesday’ as part of my new monthly ‘Cyber Security’ blog. Though just like Microsoft, if there are urgent messages, these will be sent out as required, rather than waiting for a monthly blog.

    I’ll use the blog to provide a mix of advice and guidance on how to use the virtual world in a safe and secure manner for both work and personal use, in areas of IT and data / information security.

    I hope you will find them interesting and informative and I would welcome any feedback you may have.

    * A monthly window for releasing security patches and updates to their products. Though they do sometimes release critical patches and updates outside of these times. If you have a personal machine running Microsoft products, then look out for the update icon on the second Tuesday of the month and be sure to update your software accordingly. If you are unsure as to the status of your security patching for Windows, then click this link to find out more.

    This month:-

    Cyber hacking – A brief history.

    Extract from an interview with Chris Ensor, deputy director for the National Technical Authority for Information Assurance at GCHQ, Britain’s communications intelligence agency

    The first recorded cyber hack was in 1986, but there’s certainly been a fair few since then. Clifford Stoll, an astronomer at the Lawrence Berkeley National Laboratory in California, couldn’t understand why there was a 75 cent difference between two sets of digital accounts. In trying to unravel this mystery, he eventually discovered that Dutch hackers were being paid by the KGB to steal from the lab’s computers.

    “That was nearly 30 years ago, and very little has changed,” said Chris Ensor. He explained that while computing has vastly improved, the underlying principles of cyber-hacking are the same as they were back then.

    In the first stage of a cyber-attack, the hacker hunts for a weakness in your IT. “They’re looking for holes,” be that in your software, hardware or connection.

    “Once they find a potential way in, they’re thinking about delivery,” he continued. “I can connect to your computer and start using your computer without you knowing – by sending an email, PDF, word document or spread sheet, and inside that document there’s a way of exploiting a particular vulnerability in your system.” Indeed, “you may be pulling your hair out if you haven’t got USB access at work, but the reason you haven’t is because that’s a way of getting into your system.”

    In the exploitation phase, hackers seek to duplicate and exploit your ability to control and access information – so they lay the groundwork by deploying software that collects your passwords when you enter them. And if it gets to that stage, it’s very difficult to spot, because viruses can use your own passwords to turn spyware or anti-virus software off, preventing detection. As the private sector has found out to its cost, the aim is often to steal intellectual property.

    Given these risks, it’s crucial that organisations and individuals install updates and “patches” designed to plug vulnerabilities. There is a booming black market in selling data about software’s weaknesses, Ensor noted: a hacker can earn up to $250,000 for information about a single hole in a piece of Apple software, for example. The key vulnerabilities used to be in operating systems, but in these days of auto-updating software, cyber-hackers are more likely to seek entry through applications instead.

    Simple tips can often help, Ensor noted. For example, don’t use administrator accounts for day-to-day use, and instead set up a user account with limited powers – then, “if you’re compromised as a user, [a hacker is] limited on what [they] can do.”

    The day on which a software vulnerability is first found by a hacker, when it remains unknown to the rest of the world, is called a “zero day”, Ensor explained. “If you read about Stuxnet, for example – the thing that allegedly went out to stop Iranian [nuclear] enrichment – there were about four zero days, which is gold dust.” This time is so valuable because “nobody knows about them, there are no patches for them, so you can do a huge amount of things in a zero day.” It’s crucial, therefore, to keep software constantly updated

    It’s vital to prevent information being stolen, Ensor argued, because these days “information is all-powerful”. Indeed, critical infrastructure is so IT-dependent and so interconnected – taking down the telecoms network could take down the electricity network, and visa versa – that our vulnerabilities are as broad as they are deep. The principles of cyber-hacking may not have changed much since the late 1980s, but the work of preventing them is becoming ever more important.

    Graeme Wolfe

    Information Security Officer

    12/05/2015

    Previous posts
     
     
    Accessibility | Cookies | Terms of use and privacy
    everix peak