Passwords are not just for Christmas

Wow, what a year. One thing’s for certain, 2020 is one year that will never be forgotten. Covid, Lockdown, Furlough, words that have been added to the canon of speech this year. And, to cap it all, Christmas is just around the corner and the world is still full of massive levels of uncertainty.

Whether you are working from home, #WFH, working in an office or still out and about I know that as Christmas approaches the big wind-down starts to feature in our minds.

Nothing wrong with looking forwards to Christmas but it’s important that you don’t allow your Cyber Security guard to fall too.

Andy, checking out websites as part of his work

Why not? Simply because the hackers and cyber criminals won’t – if anything they’ll be upping their activity because they know that our minds will be on other things. In previous years we’d have been looking forward to Christmas Markets, Christmas parties, gifts, food, television and everything else that’s associated with the season of goodwill.

Our vigilance MUST remain high, both in the office and when working from home. Keep your eyes open for suspicious looking emails, especially those coming from unexpected quarters, with messages that promise much, such as tax refunds or deliveries of items you don’t remember ordering. Also beware of emails with links to websites that look OK but in reality will do harm.

It’s also a good idea to take a fresh look at your password security. Turkish researcher Ata Hakcil analysed more than 742m passwords that have been revealed in data breaches (hacks) that turned up on the Dark Web. Ata went on to make a worrying number of discoveries.

Of the 742m only 169m were unique which just goes to show how frequently we reuse passwords and how many passwords are used by a lot of people.

Worst passwords of 2020

Unfortunately, not a lot has changed over previous lists

1/ 123456 (same place as 2018 & 2019)
2/ 123456789 (up 1 place) (same as 2019)
3/ passwords (up one place on 2019)
4/ qwerty (a fall of one place on 2019)
5/ password (slips two places)
6/ 12345678 (up 1 on 2019)
7/ 123123 (a new entry)
8/ 111111 (up from No. 10 in 2019)
9/ 1234 (yes, I kid you not, 1234)
10/ 1234567890 (a new entry in this Top 10)

Disturbingly, at least 1 in 10 people have used at least one of these poor passwords – I hope you’re not one of them.

Data breaches are inevitable. To be as secure as possible you need to use strong, unique passwords for each individual account that you have. This makes the theft of one password much less of a disaster than if you use the same (or close variant) across all of your accounts.

What’s a Strong Password?

A strong password isn’t a word at all. The best ones are passphrases comprising of a random combination of words with 12 characters or more, using mixtures of alphanumeric, UPPER & lower case characters and symbols.

Think of a nonsense phrase, or even a line from your favourite song. Science Friction Burns My Fingers for example. Noe, run the words together, use hyphens, underscores and number substitution.

Sc13nce-fricti0nBurnsMy_Finger5%

That’s one password – you need a unique one for EVERY account that you have. Now, that’s a challenge to remember so you need a password manager. Because of my work, I have access to 789 accounts of one sort or another and I have 789 different passwords. Obvious there’s no way I could remember all of those – I struggle to remember 4 important ones which his why I use a password manager. Not only does it store all of my passwords in a safe place it also generates new, random, ones for me.

Top 10 Password Managers

There are loads of great password managers out there. I use LastPass because it was one of the first to integrate with my browser AND be available across all of my devices, desktop, laptop, Chromebook, phone and tablet.

TechRadar recently reviewed Password managers and their top 10 free and paid-for password managers is as follows

1/ Dashlane
2/ NordPass
3/ RoboForm
4/ 1Password
5/ LastPass
6/ Keeper
7/ BitWarden
8/ LogMeOnce
9/ mSecure
10/ ZohoVault

You can read TechRadar’s reviews here. And don’t forget, your web browser probably has a password manager built in and may even generate new ones for you but it may not synchronise across all of your devices

And PLEASE, if this applies to to you – STOP USING PASSWORD or 12345678 and use one of the above instead

Have a great Christmas, a happy new year and I look forward to communicating with you in the new year. If you need any help, please, just ask. You can reach me by phone – 01793 238020 – email – andy@enterprise-oms.co.uk or just hunt me down on Social Media.

Why would anyone want to hack my website?

log on boxWith the news that 30m credit and debit card details from US customers and over 1m sets of card details belonging to visitors to the US, have been put up for sale on the Dark Web following a malware attack against US convenience retailer Wawa I thought I’d take time out to explain why small businesses are just as at-risk from hacking as large organisations.

But first, let’s take a look of some of the major security breaches that occurred last year. According to Risk Based Security’s Data Breach Report there were 5,183 breaches by the end of September 2019 alone. These exposed more than 7.9 billion records. This was a 33.3% increase on the same period in 2018.

Here are some of the worst breaches.

  • Orvibo Smart home products – 2 billion records discovered on an unprotected database. These comprised of private individuals, hotels and businesses who were using Orvibo’s smart home devices. The data included email addresses, passwords, user names, family names and addresses.
  • Dream Market Breach – 617m online account details stolen from 16 hacked websites, including MyFitnessPal (151m). Data stolen included user names, passwords and email addresses.
  • Canva – 139m records stolen, names, user names, passwords, email addresses and location.
  • Capital One – 106m records hacked with names, addresses, credit scores, email addresses, dates of birth and more stolen.
  • Words with Friends – 218m records stolen, including names, email addresses, passwords, phone numbers and, where linked, Facebook ID info

However, these are just some of the ones that hit the headlines. Thousands don’t,  particularly attacks on smaller businesses. Research indicates that nearly 70% of SME’s experience cyber attacks (Ponemon State of SMB Cyber Security 2018) but why SMEs?

I talk to many people who believe their businesses are too small to have anything of value to the hackers. However, the truth is that they are too small to have a dedicated cyber security officer/specialist and so are easy targets.

Let’s take websites – most businesses use WordPress – over 1/3rd of websites use it. There’s nothing wrong with WordPress but, as the world’s most popular web development tool, it is also the hackers main target. (A bit like the way Windows is targeted compared to Apple’s operating system – its all in the number of targets)

WordPress is pretty secure and there are Plugins to make it more so BUT you have to keep everything up to date. Keep WordPress up to date, keep your plugins updated too because if you don’t you might be leaving holes in your security for the bad guys to exploit. 

But why would they?

  • Small companies are frequently connected to larger organisations and they might be a way in
  • Hacked systems can store illegal material
  • Hacked systems can be used in attacks on other websites (DDoS)
  • Hacked systems can host Malware
  • Hacked systems could provide access to valuable Intellectual Property
  • Hacked systems could provide easy access to other valuable data

Malware

Safer Internet DayImagine you have a reasonably popular website. Hackers will look to gain access to your site and plant malware on it that will automatically download (and install) itself on the computers of everyone who visits your website. The malware could allow the hackers to record the keystrokes of infected machines, could enable the hackers to take remote control of infected machines or turn them in to storage depots for illegal material.

Imagine how your reputation will suffer when this comes to light. 

  1. Keystroke recorders
    A keystroke recorder does what it says on the tin, it records every single keystroke made on a keyboard and secretly transmits it to a malicious 3rd party. This could be bank/card details, online shopping details, log-in user names and passwords, and much more
  2. Remote Control – DDoS (Distributed Denial of Service Attack)
    With the ability to remotely control your PC, and hundreds or thousands of others, malicious 3rd parties can “take down” target websites simply by overwhelming them with more web traffic than the website can cope with. Remember what happens to the Glastonbury website when the tickets are released – although not malicious the number of people desperate to get their tickets tend to bring the website to its knees as soon as tickets are made available

    Imagine a bookmakers website going off line a week before a major betting event. They’d be contacted by the Cyber Criminals who will admit responsibility. The bookmakers will then be told to “pay up” or their website will be blocked again, much closer to “big day” and prevent bets being placed.
  3. Illegal data storage
    Imagine the scene. There you are working in your office and there’s a battering ram through the door followed by police storming in with a warrant to take ALL of your computing devices. Your business will grind to a halt but why have you been targeted? Simples, as the meerkats say – the police have identified one or more of your computers/servers as the source of illegal material. This could be pirated software, music, films or worse. In the worst case scenario this information hits the local (and possibly national media) and your reputation is trashed. And you may not even have been at fault!
  4. GDPR
    Under all of the above scenarios you’ll probably have to report the matter to the Office of the Information Commissioner (ICO) under GDPR. After investigation, If your security and procedures are found wanting then you might be liable for a fine. GDPR states that fines can be up to 4% of your turnover, and that’s no laughing matter

How do I prevent this happening to me

No security system is 100% watertight, there are just too many variables and access points. The closer you get to 100% the more expensive it becomes to close those last few security percentage points. However, like home security, your job is to make sure that your security is as good as it can be so that the bad guys choose an easier target.

Get in touch with a good IT company or Cyber Security company or you could #AskAndy. Drop me an email – andy@enterprise-oms.co.uk or give me a call on 01793 238020 and we can start the ball rolling. I know that I’m not a security consultant but I know quite a bit and can always point you in the direction of a trusted third party if you need more help.

New Year – New Security Resolution

Tamara EcclestoneIn December last year Tamara Ecclestone’s London home was burgled and jewellery worth £50m was stolen.

Leaving aside the fact that this is a phenomenal sum of money to have invested in jewellery only to leave it “lying around” there are many rumours as to the particular timing of the heist.

Just a few hours before the robbery took place, Tamara and her husband shared a picture on Instagram of them boarding a private jet.

As a billionairess it’s no doubt that people of a dubious background will have been watching her social media updates hoping for just such an opportunity. They will have lists of targets, important addresses and social media accounts and probably even have plans in place, ready for execution as soon as an opportunity presents itself.

So, think about the pictures you post to Social Media. What do they give away? All those photos of you sunning yourself on a beach somewhere warm and exotic tells near do wells that you are not at home. Photos of road trips tell people that you are not at home, or in your business.

You even need to make sure that there’s nothing in the background of the picture that can be zoomed in to that might give away something you’d rather kept private. An innocent looking photo taken outside of your house could, if zoomed in, give away your house number whilst previous, or subsequent pictures could give away your street name – for example.

If you are going away, and you are an important cog in your business, it could encourage scammers to target employees with fake emails requesting money transfers, payment of fake bills and invoices etc.

log on boxSo why not make 2020 the year you strengthen your security fortifications. Make a start with passwords and email.

  • Conduct a password audit of everything AND everybody involved in your business.
  • Enforce the use of strong passwords and encourage the use of password managers
  • Make sure that you have a strong email policy in place.
  • Educate yourself and your employees on the tricks used by scammers-
    • how to check whether a link in an email takes the clicker to a safe site or not
      Hint – hover your cursor over the link to see the full web address
    • Ensure that the email comes from a trusted address. Is it from mycompany.co.uk or mycompany.co or myc0mpany.co.uk for example?
      hint – hover your cursor over the address or just hit “reply”
    • Are there any obvious spelling or grammatical errors?
    • Would you be expecting an email from this particular source?
    • Does the email express an urgent response?

Don’t forget that people new to your organisation should also receive the same level of training. Always remember that “if it feels to good to be true” then it probably is

And if you are still unsure, look up the phone number for the company that you think the email is from and give them a call – don’t rely on the phone number that’s displayed within the potential scam email.

Watch out for more emails looking at security issues and if you have any concerns, please don’t hesitate to get in touch for an informal chat by email (andy@enterprise-oms.co.uk) by phone (01793 238020) or ask me on Social Media – Linkedin or Twitter and I’ll be only too happy to talk.

Thanks for reading and I hope you have a great, and secure 2020.

 

 

Christmas is coming, don’t let the hackers get fat

Christmas is nearly here, people are beginning the big “wind down” and it would be so easy to let your guard down too.

Andy, checking out websites as part of his workWell, let me tell you, the hackers and cyber criminals won’t – if anything they’ll be ratcheting up their activity because they know that our minds will be on other things.

You know, things like Christmas parties, gifts, food, television and everything else that’s associated with the season of goodwill.

So, vigilance must remain high, both in the office and when working from home. Keep your eyes open for suspicious looking emails, especially those coming from unexpected quarters, with messages that promise much, such as tax refunds or deliveries of items you don’t remember ordering. Also beware of emails with links to websites that look OK but in reality will do harm.

It’s also a good idea to take a fresh look at your password security. SplashData have just released their ninth annual “Worst Passwords of the Year” list which has been compiled from more than 5m passwords that have ended up on the Dark Web after being purloined by hackers.

Unfortunately, not a lot has changed over previous lists

  1. 123456 (same place as 2018)
  2. 123456789 (up 1 place)
  3. qwerty (a return to the top 5 for this old favourite)
  4. password (slips two places)
  5. 1234567 (up 2)
  6. 12345678 (falls out of the top 5)
  7. 12345 (falls by 2 places)
  8. iloveyou (this perennial is up 2 places from 10 in 2018)
  9. 111111 (yes, people do use this although it’s fallen 3 places from last year)
  10. abc123 (up 7 and breaking in to the top 10)

You can see passwords from 11 to 25 here.

SplashData estimates that at least 1 in 10 people have used at least one of these poor passwords.

Data breaches are inevitable but by using strong, unique passwords for each individual account that you have makes the theft of one password much less of a disaster than if you use the same (or close variant) across all of your accounts.

3 simple tips to make your digital life more secure

  1. Use passphrases (random word combinations) of 12 characters or more with mixed character types
  2. Use a different password for each of your log-ins so if you loose one password you haven’t lost all of the keys to your digital empire
  3. Use a password manager to secure your digital assets, to generate random password combinations, store them securely and make them available across all of your devices

And PLEASE, if this applies to to you – STOP USING PASSWORD or 12345678 and use one of these instead

Top Password Managers (in no particular order)

Have a great Christmas, a happy new year and I look forward to communicating with you in the new year. If you need any help, please, just ask. You can reach me by phone – 01793 238020 – email – andy@enterprise-oms.co.uk or just hunt me down on Social Media.

However, I hope to enjoy Christmas too so may be slower than normal in responding to your requests. I’ll be back in the office on January 2nd.

How secure is your password?

Government Communications Head Quarters (GCHQ) – where the UK spooks provide signals intelligence to the UK’s government, military and Military Intelligence and the Department for Digital, Media and Sport (DCMS) carried out their first UK Cyber Survey and the results didn’t make for great reading.

Apparently

  • 42% of us Brits expect to lose money to on-line fraud
  • 23.2 million worldwide victims of cyber breaches used 123456 as their password
  • 15% say they know how to properly protect themselves from harmful on-line activity
  • 33% rely on friends and family for help with their cyber security
  • Young people are the most likely to be cyber aware, privacy concious and careful of the details they share on-line
  • 61% of internet users check Social Media daily, 21% say they never look at it
  • More than 50% use the same password for their email that they use elsewhere
Hacker Inside

Dr Ian Levy, NCSC Technical Director said “Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.” whilst Margot James, DMCS Minister said “We shouldn’t make their (cyber criminals) lives easy so choosing a strong and separate password for your email account is a great practical step. “

Most Regularly Used Passwords

RankPasswordTimes UsedPasswordTimes Used
1.123456 23.2mashley432,276
2.1237567897.7mmichael425,291
3.qwerty3.8mdaniel368,227
4.password3.6mjessica324,125
5.11111113.1mcharlie308,939

It’s a shame that the top password list hasn’t really changed for at least 10 years – it shows how complacent a lot of us are with our on-line security.

I used to have 3 passwords, a simple one that I used really casually for newspaper sign-ups etc – name123 (not my real passwords, merely examples) a medium security one that I used on shopping sites, n@m3123 and a more secure one, used for banking etc – c3ler0n! (and all of the ones that I used feature on the Have I Been Pwned list).

log on box

About 5 or more years ago I switched to a Password Manager. I have 801 log-ins and 801 different passwords. All of them are at least 16 random characters long and comprise upper & lower case letters, numbers and symbols (where permitted).

My Password database is stored securely in the cloud and is replicated on my PC, Phone and Tablet and accessible from my Chromebook too. I use LastPass but others exist and here’s a review of some of the top ones.

As you can see, I do my best to stay on top of my security but if you feel adrift, or need some help, just give me a call on 01793 238020 or email andy@enterprise-oms.co.uk for a free chat.

Have you had your electronic ID stolen?

In other words, have you been pwned*. There have been millions of email addresses and passwords stolen in hack attacks and millions more that have been left exposed by incompetent website owners. However, it’s not just your email address that’s been stolen, your name will have gone with it, possibly your address and maybe even credit card (and other) data.

The stolen information is then made available for sale on the dark web and here’s a sample of the prices it can fetch

  • Credit/debit card number – $5-$11
  • With the CVV (3 digit) security code – + $5
  • “Fullz” (card, CVV, name, address, date of birth etc.) – $30
  • Bank account access – 10% of the credit balance in the account
  • Online Payment Services, such as PayPal – $20-$200

But how do you know whether your information is “out there” just waiting to be abused by cyber criminals? Well, I don’t know but I know a man who does, and he’s set up a rather useful website

Have I been Pwned?

There’s a website called Have I Been Pwned. This has been created by Troy Hunt, a Microsoft Regional Director & MVP (Microsoft Most Valuable Person for developer security). After data from a major cyber incident was “found” on the Dark Web Troy decided to put a database together – in his own time & at his own cost – as a way of allowing people to check whether their data was amongst stolen information and to “keep his hand in” from a programming perspective.

The site is now a comprehensive source of information about data hacks and data loss and is simple to use. All you have to do is enter your email address to see whether you have been “pwned”

And if you have been, as shown in the image above, it will also tell you which data breach (breaches) your email address has been found in.

Not every data breach leads to passwords being available. Some databases have encrypted passwords, making them worthless to the cyber criminal. However, many don’t and, like email addresses, there are millions (over 550) of passwords available on the Dark Web.

As he’s done with email addresses, Troy has now gathered all the stolen passwords that he can find and has created another searchable database dedicated to stolen passwords.

So, why is it so important to know whether your passwords are available to cyber criminals?

At this point, all the criminals have is a list of emails and and another list of passwords. They may not know which ones go together and they also don’t know which websites these email addresses and passwords relate to.

But, from our perspective, there’s a significant weakness. This comes in to play because a lot of people use the same password for many websites simply because it’s easier to remember one password than many. This use of the same password makes things a lot easier for the cyber criminals to put our data to fraudulent use.

Let’s say, for example, that the criminals target Amazon. You might have your credit card details already stored against your account so if a cyber criminal can gain access, all they have to do is change a delivery address and Bob’s their uncle.

They’ll use a “Credential Stuffing Attack” which means that they’ll load all the email addresses in to one database and the passwords in to another and start the attack. First they pick their target (Amazon in my example) and use software that will add an email address to the log-in box. They’ll then turn to different software to try all the passwords in the password database to see whether there’s a match. And once they’ve tried one email address they’ll automatically move on the next one. Once they’ve tried all combinations, and flagged those that work, they’ll move on to another site.

This sounds like a long, slow process but they’ll probably use a “Botnet” – a network of tens, hundreds or possibly thousands of hacked computers around the world that they have control over.

So, you should check “Have I Been Pwned” for both email addresses and passwords and if you’ve got a compromised password you should find the sites you use it on and change it – remembering to use a different one for each site.

Top 10 Passwords of 1018

Different, not similar – Password, PassWord, PAssword1960 and Pa55W0rd are NOT different to a cyber criminal. Criminals will also use these, and other variants of the world’s most popular passwords (2018’s shown in the image to the right) in their attempts to hack your accounts.

If you are concerned about your digital security, or need some help with your website, SEO or anything else online then just drop me an email, andy@enterprise-oms.co.uk , or give me a call on 01793 238020 for a free, no obligation conversation about your requirements

*Pwned – When a map designer in the online game called Warcraft beat another player he wanted to say “Player x has been owned”. Unfortunately, he mis-typed and actually said “Played x has been Pwned”. This is now a “thing”

007 in ‘For your GDPR Only’

MI6 headquartersWhen “M” has finished spymastering for the day, or pops out for a cheeky Nandos, we always see M locking the “Top Secret” files away in the office  safe. We know that’s so that no secrets will be discovered, even if an enemy spy (or the tea person) manages to gain access to the empty office.

In business, we need to be like “M”.

In a previous post I looked at Data Protection and the forthcoming General Data Protection Regulations (GDPR). However, I didn’t make it clear that the regulations don’t just apply to digital data stored on your IT systems and network but also apply to paper records too.

Anything that contains personal data, whether paper or digital, falls under the auspices of the Act, including the recordings from your CCTV cameras, phone systems (think “this call may be recorded for training purposes”) and biometric data – such as fingerprint or iris recognition systems used to unlock systems or grant access.

Keyboard with the word 'Privacy' overlaid

This means the files on your desk, the files in your filing cabinet, your paper archives as well as your electronic records, anything that includes personal data.

To start with, you need to ask yourself

  • Who has overall responsibility for the data you have and/or use?
  • What data are you holding, why are you holding it and where is it held?
  • Are your Privacy and Data Use Policies as good as they need to be?
  • How long do you need to keep data & how will you securely destroy it when you no longer need to keep it?
  • Who has legitimate access to it and who else can access it?
  • How secure is your building, your paper records and IT systems?
  • What happens out of normal business hours?
  • Can data be exported and removed without authorisation (to a USB key for example)?
  • Is your network connected to the internet and how secure is your connection?
  • Can your network be accessed remotely – is this secure?
  • Is your electronic data encrypted so, in the event of a breach, data cannot be accessed and used?
  • Can your network prevent unauthorised intrusion (hacking)?
  • How do you manage Subject Access Requests, (when someone requests to see the data you hold about them)?
  • How will you manage a data breach, whether it’s a hack, unauthorised file copy or unauthorised removal of paper records?

So, how can I help?

I can put you in touch with reliable IT companies and trusted partners 

  • Blob figure staring, "James Bond like" down the barrel of a gunthat will be able to inventory all of your IT and data assets.
  • who’ll test your network to see how secure it is and whether hackers are likely to be able to gain access
  • who will secure your network from external threats (hacking) and ensure that your remote access requirements are reliable, easy to use and secure.
  • who will help you secure your data inside the organisation and set things up so that only appropriately authorised employees can access the data they need to do their job and no more.
  • who will secure your network so that it’s almost impossible for data to be copied onto a USB key or external hard drive and removed from the organisation
  • who will put transparent encryption in place which means that it doesn’t slow anything down but is so strong that only GCHQ or the NSA would be likely to crack it.

Take the first step now, by giving me a call on 01793 238020 or emailing andy@enterprise-oms.co.uk to find out how I can help mitigate data security risks and start preparing for GDPR guidelines.

Why worry about Accreditations?

I do a lot of work for an IT support company in Bristol – Bristol IT Company – and at the bottom of their website is a list of badges, icons and logos, there’s a couple of ISO related ones and the rest come from well known (and less well known) brands in the IT sector but why are they there and why should you be concerned?

Bristol IT Company accreditationsWell, ISO’s easy, it’s a way of demonstrating a certain credibility by being assessed every year to ensure that we remain up to scratch. A lot of businesses have ISO9001 which is a quality management certification that demonstrates their commitment to consistently provide products and services that meet the needs of our clients. ISO27001 is an information security standard that demonstrates commitment to information security, both their own and that of clients.

The other accreditations come from manufacturers such as Cisco, Microsoft, Dell, Aruba, Cyberoam, VMWare and Veeam and demonstrate that the Bristol IT Company has the necessary skills to not only supply their equipment but to ensure that it is properly installed, configured and supported.

Why is this important
Let’s take a look at the security of your network – they have 2 vendors that are accredited with in this area, Cisco and Sophos. You can buy some Cisco & Sophos equipment on Amazon at competitive prices, have it delivered pretty much the next day and get it up and running very quickly. This might make you feel secure, after all Cisco are a market leader in networking and security – right?

Is this the right way to do things?
Probably not! Even assuming that you order the most appropriate device for your needs, installing equipment using the default settings could cause you a whole heap of pain.

Most hackers worth their salt know, and understand, these default settings making it really easy for them to penetrate your business’s network. It’s almost like advertising that you’ve installed the best locks in the world but have left a key under the doormat.

Not only that but the default settings are a one-size-fits-all option that are unlikely to be best suited to the way your business works and could actually slow your network, and internet connectivity, down if left untouched.

You could probably find hundreds of internet forums where people discuss the settings but which ones are the best for your particular needs? Which ones speed things up without compromising security and which ones increase security without compromising speed and which ones are actually posted by hackers looking to lure you into making your network even more insecure?

Accreditation
That’s where accreditation comes into play. By buying your equipment from an accredited supplier, Bristol IT Company will first of all advise you on the correct product that most closely matches your existing and future needs, possibly saving you money – certainly saving you pain.

They then ensure that your network is made as secure as possible by changing default settings to something much more secure and applying their training, experience and skill to ensure that your network is as secure as it can be by optimising the setup and performance of your kit.

Still think accreditation’s just an icon on a website? Well, give them a call on 01173 700 777 or email andy.poulton@bristolitcompany.com to find out that there’s much more to it than a pretty picture

Are we already at war?

Are we already at war?
This is the first (of two) articles taking a look at the hacking and cybercrime that’s taken place in 2015. Part 2, to be published soon, looks at the simple steps we can take to enhance our security and minimise the threats from cybercrime.

2015
Cost of Cyber Crime in 2014Although we’ve yet to reach the end of 2015, there’s already been an unprecedented number of data breaches and hacks compared to previous years, measured by both the number of breaches and the amount of data exposed.

The graphic on the right shows the estimated cost of cybercrime for 2014. In 2015 the cost has increased by 14% according to the “Cost of Cyber Crime Study: UK“, conducted by the Ponemon Institute and sponsored by HP.

The institute conducted 326 interviews with personnel from 39 UK companies to assess the incidence and cost of cybercrime for businesses. and the latest news is that the very recent TalkTalk hack has cost the company £35m so far

Major data breaches in 2015

FebruaryBillion dollar cyberheist
Up to 100 banks were penetrated and more than $1bn stolen
US health insurer Anthem
80 million patient and employee records including date of birth, social security
numbers, home and email addresses, employee information and more
May 2015 – BlueCross, US Health Insurance provider
11.2 million names, birth dates, email addresses stolen
US office of Personnel Management
21.5m US Federal employees confidential data was accessed and presumed
stolen
June 2015Kasperski Labs (yes, the security vendor) was hacked
Technical information was stolen, thought to be industrial espionage by a
sovereign Nation State
July 2015 – Harvard University
One of 8 universities hacked in 2015 but it’s not known what information was
accessed (and stolen)
Hacking Team
Hacking Team develop spy tools for government agencies and the breach
exposed 1 million emails including those of a sensitive nature from a number
of security agencies around the world
US Army National Guard
850,000 social security numbers, home addresses, names and other
personal information stolen
August – Ashley Madison
32m member’s data stolen and posted on the dark web for sale. The
ramifications are ongoing
September – John Brennan
CIA Director had his personal AOL email account hacked
October – TalkTalk
Major hack of the TalkTalk website and a lot of user data was stolen

In the US it is a legal requirement that all hacked companies make a report to the appropriate government department, however similar legislation has yet to be enacted in Europe so the reported incidents may just be the tip of the iceberg – and that’s assuming that hacked companies know that they’ve been hacked.

So who was behind these hacks and what was their goal?
hacker at laptop?At the time of writing, 4 people had been arrested, and bailed, for the The TalkTalk hack – 3 teenagers and a young adult although no charges have been brought.

Some hacks might be carried out by the stereotypical spotty teenager in a bedroom just doing it for fun, however the majority are likely to be carried out by more worrying groups, ranging from organised crime to extort money to government organisations.

The Ashley Madison hack looks to have been for the purpose of extortion, of both Ashley Madison themselves and their members (pay us £xx or we’ll let your friends and family know where you spend your time etc).

Others will be industrial espionage, companies looking to gain a competitive advantage whilst the remainder might have been carried by departments acting for state security and it’s believed, although almost impossible to prove, that the Kasperski, US National Guard, US Office of Personnel Management & Hacking Team hacks were conducted by sovereign Nation States, believed to be North Korea and/or China.

These attacks by non-friendly sovereign nation states on infrastructure may even be attacks seen as acts of war.

Safer Internet DayWhy do hacks occur?
For some, it’s simply for fun, the challenge and the bragging rights.

However, there’s a lot of money to be made from the theft of intellectual property and business sensitive materials, and nations stand to learn a great deal about their friends and enemies. It’s widely believed, for example, that China has been inside US military design systems for many years which could explain why their military have made extremely rapid advances with the design and manufacture of new military equipment, including stealth planes, missile defence systems and drones in recent years.

Towards the end of 2015 we’re seeing that China is negotiating two way, anti-hacking, arrangements with a number of major economic partners, including the UK, USA and Germany, theoretically enshrining in law that the countries won’t attempt to hack China and China won’t try to hack them. However, even if the above is true they don’t need to hack any further if they already have access to core systems.

A cynic might also say that history indicates that China may not stick to it’s side of the deal, and even if they do – they can always ask their friends to do it for them.

Protecting your business and yourself.
Although I’ve mentioned high-profile attacks, SMEs are also at great risk and so in Part Two I’ll be looking at some simple steps that you can take to maximise your security and minimise the risk that you are exposed to.

How much did your last cup of coffee cost?

Nice cup of coffee

Imagine the scene, you’re between meetings and decide to drop in to your favourite coffee shop for a steaming hot cup of your favourite coffee, a cake and to tap into their Wi-Fi to read your emails, refresh your knowledge in time for your next meeting or simply to surf the web.

Then the urge hits, you look around and see that everybody seems respectable enough so you you head off to the toilet thinking that your laptop is safe on the table. After all, nobody would lift it in sight of all those customers, staff and CCTV cameras would they?

Laptop tracking service provider, Prey, found that areas offering free Wi-Fi were the second most common target for opportunistic laptop thefts, the only riskier place being left in a visible place in your car.

Open Laptop

If stolen, it’s not only the inconvenience of replacing the laptop, re-installing your applications and copying back your data [you do back-up your data don’t you?] it’s the additional costs that are not covered by your insurance.

The Ponemon Institute, a US cyber crime consultancy, put the real cost of the loss of a laptop and it’s data at nearly £31,000. This was broken down in to £4,000 for the loss of Intellectual Property, forensics and legal bills adding around £1,500 with a staggering £24,500 attributable to the loss of income, customers and competitive advantage associated with a data breach

SPOOF HOTSPOT


When you sit down and try to log-on to the Wi-Fi there’s often a selection of hotspots to choose from. How do you know which is the free service provided by the venue and which is a spoof.

It’s very easy to set up a Wi-Fi hotspot using a mobile phone, Mi-Fi type of device or laptop and allow other users to connect through this free connection. However, all of the traffic can then be intercepted by the person providing the spoof account. What sort of important information is passed from your laptop through this connection? It could be your details to access your online banking, the log-in to your company network or the necessary information required to access your corporate email account.

So, the next time you stop off for a cup of coffee and decide to log-on using their free Wi-Fi, just make sure you know which network that you’re connecting to and that you don’t leave your laptop unattended.

And if you’re in need of help, then just give me a call on 01793 238020 or send an email to andy@enterprise-oms.co.uk