
Introduction
We know that you have heard this message again and again and again, so we’re going to cut straight to the helpful bits…
Key Points
- 12 characters or more.
- Upper & Lowercase & symbols.
- Avoid info that can be pulled from social media (family names, maiden names, birthplace, D.O.B… I’m sure you understand)
- Don’t reuse a password.
- Password Managers are good.
- It is better to have 2FA than to not have 2FA.
Here are 2 methods that you can use to create a strong memorable password.
3 Random Words
- PlaneBushDog: play around with the capital letters, e.g. PlanebUshdoG
- ManSkyPencil: add a few symbols in, e.g. Man!Sky&Pencil
- GreenPaperSign: you could do both, e.g. greeN!PapeR&SigN
Song Lyrics
This is a personal favourite. Pick a song that you are familiar with. It could be your favourite song. But not one that you are known for.
If you are constantly blogging about this song, the song lyrics are on your email footer, you sing this song constantly at your desk… then pick your second favourite song! The password needs to be as hard as possible to crack.
It is best to choose one of the more obscure lines in the song rather than the chorus.
If we take Elton John – Rocket Man as an example.
‘She packed my bags last night pre-flight
Zero hour nine AM
And I’m gonna be high as a kite by then
I miss the earth so much I miss my wife
It’s lonely out in space
On such a timeless flight’
The lines highlighted above…
‘Zero hour nine AM
And I’m gonna be high as a kite by then’
If we take the first character of each word, we get…
ZhnAAIgbhaakbt
This is a fairly strong password and we can make it even stronger by substituting certain characters for symbols.
ZhnAAIgbhaakbt becomes Zhn44!gbh44kbt. This is a strong password!
When you reach the point where you can type the password in easily and quickly, you could make it even longer.
ZhnAAIgbhaakbt
Could become…
Zhn44!gbh44kbt as we did above.
Then we could add in the next line of lyrics
Zhn44!gbh44kbt + ‘I miss the earth so much I miss my wife’
Zhn44!gbh44kbtImtesmImmw
Again, you could substitute certain characters for symbols.
Zhn44!gbh44kbt!mt3sm!mmw
You could even insert a line from a completely different song.
Choosing a song that you know ensures that you will remember the sequence of words, and from this sequence, you can pull the password.
Adding symbols makes this process more complicated but persevere, it’s worth it!
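The lyric method above, written out as a small script so you can see each step produce the article’s own values and check the result against the Key Points. This is an added example, not the article’s code; the lyric lines and the substitution table (A/a to 4, I to !, e to 3) are the ones used above.

```python
"""Derive a password from song lyrics as described above, then check it
against the Key Points. Added illustration, not the article's own code."""
import string

# The two Rocket Man lines the article starts from, and the line it adds later.
LYRIC_LINES = [
    "Zero hour nine AM",
    "And I'm gonna be high as a kite by then",
]
NEXT_LINE = "I miss the earth so much I miss my wife"

# The character substitutions the article applies (letter -> digit/symbol).
SUBSTITUTIONS = {"A": "4", "a": "4", "I": "!", "e": "3"}


def initials(lines):
    """Join the first character of every word, keeping the original case."""
    return "".join(word[0] for line in lines for word in line.split())


def substitute(password, mapping=SUBSTITUTIONS):
    """Replace every character found in `mapping`; all others pass through."""
    return "".join(mapping.get(ch, ch) for ch in password)


def build_password(lines, mapping=SUBSTITUTIONS):
    """The full method: take the initials, then apply the substitutions."""
    return substitute(initials(lines), mapping)


def meets_key_points(password):
    """Check the Key Points that can be tested mechanically:
    12+ characters, upper and lower case, and symbols (digits listed too)."""
    return {
        "length_12_plus": len(password) >= 12,
        "has_upper": any(c.isupper() for c in password),
        "has_lower": any(c.islower() for c in password),
        "has_symbol": any(c in string.punctuation for c in password),
        "has_digit": any(c.isdigit() for c in password),
    }


if __name__ == "__main__":
    plain = initials(LYRIC_LINES)
    print(plain, meets_key_points(plain))                 # ZhnAAIgbhaakbt, no symbol yet
    print(build_password(LYRIC_LINES))                    # Zhn44!gbh44kbt
    print(build_password(LYRIC_LINES + [NEXT_LINE]))      # Zhn44!gbh44kbt!mt3sm!mmw
```

Note that the initials-only version fails the "symbols" key point until the substitutions are applied, which is exactly why the article adds them.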
Introduction
In order to offer something expensive to you for free, such as news or valuable information, websites will make back their costs by selling advertising to you. Tracking cookies allow sites to target their ads to the people most likely to buy based on their purchase history or the kinds of websites they usually visit.
Google is one of the biggest collectors of data on you, from your search history, to how you use their free Gmail email services.
According to a July 2018 report by The Wall Street Journal, Google has admitted troubling security and privacy etiquette by not only allowing third-party companies to view how you use Gmail, but also allowing other app developers to sift through this personal data.
Google’s use of cookies to note your search history is of particular interest as well.
Other advertisers on Google’s network can make use of the cookies it sets and companies who want to advertise their products to you will pay Google for the privilege. Tens of thousands, if not hundreds of thousands of advertising networks are operating constantly every time you go online. With cookies, they can put together a sophisticated picture of the websites you visit most frequently and how long you spend on them.
Referrer URLs are an important part of the package. As Google explains, tracking cookies can be sent back to an advertiser’s own server, and can include data on the previous website that you visited.
So it’s not only the site that served you the cookie that benefits. Others down the chain can make use of this data, and serve you ads on garden hoses or any other related items they think customers with the same profile might buy.
By building a profile of you across websites, tracking cookies can link your smartphone to your laptop and any IoT devices such as Alexa assistants or Google Home smart speakers. In the past five years, the use of tracking cookies has become much more common and the information available is exponentially more detailed.
The rise in private and state-sponsored hacking has also put this data at risk. Privacy leaks from large data-storage companies are not uncommon, and these companies often have millions of people on file.
The link between tracking cookies and other forms of unwanted advertisements like nuisance cold calls is not always clear.
Originally cookies were only for use online, but the staggering amount of personal data points and location data that websites now collect from smartphones and work computers means that anyone who has the resources and the desire can build up a very detailed picture of an individual just through their online behaviour. This includes marketing professionals, corporate hackers and cyber criminals.
What do tracking cookies actually do?
Tracking cookies can pick up and broadcast a vast range of data, including your approximate location, what kind of computer or smartphone you’re using to access the website, the search queries you’ve entered, what you have bought online, and any URLs you have clicked on.
If you look into the technical aspect of tracking cookies, it becomes clear the kind of information that is being stored on you…
- Name: This is the name of the cookie, and in general what it is used for
- Value: Normally an alphanumeric string of letters and numbers, this is the unique identifier for your computer. It’s used so companies can tie that online session directly to you. In practice, it acts as a way to advertise to you when you visit different websites.
- Attribute: These are the specific features of the cookie, including: how long it will last before being deleted, whether other websites and domains can use that cookie, whether the cookie can only be sent over HTTPS (the encrypted version of the protocol used to fetch web pages), and whether the cookie can be accessed via JavaScript. The last one on this list is particularly important, because attackers can use cross-site scripting vulnerabilities to read a cookie that JavaScript is allowed to access and use it to impersonate your login, effectively faking your ID.
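A small audit script, added here as an example rather than the article’s own code, that parses a Set-Cookie header and reports on each attribute in the list above (lifetime, domain sharing, HTTPS-only, JavaScript access); it also checks SameSite, an attribute not in the list above that controls whether the cookie is sent on cross-site requests. The two header values are constructed for the example.

```python
"""Parse Set-Cookie headers and flag the attribute settings described above.
Added illustration, not the article's own code."""
from dataclasses import dataclass, field

# Constructed sample headers: a third-party tracking cookie and a well-set login cookie.
TRACKER_HEADER = "_adtrk=7f3c19e2a0; Domain=.ads.example; Path=/; Max-Age=63072000"
SESSION_HEADER = "session=b0c4d1; Path=/; Secure; HttpOnly; SameSite=Lax"


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or True for bare flags such as Secure
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header into name, value and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value.strip(), attrs)


def max_age_seconds(cookie: Cookie):
    """Return the Max-Age lifetime in seconds, or None if not set."""
    max_age = cookie.attributes.get("max-age")
    if isinstance(max_age, str) and max_age.lstrip("-").isdigit():
        return int(max_age)
    return None


def is_session_cookie(cookie: Cookie) -> bool:
    """A cookie with neither Max-Age nor Expires is deleted when the browser closes."""
    return max_age_seconds(cookie) is None and "expires" not in cookie.attributes


def audit_cookie(cookie: Cookie) -> list:
    """Return one finding per weak or privacy-relevant attribute setting."""
    a = cookie.attributes
    findings = []
    age = max_age_seconds(cookie)
    if age is not None:
        findings.append(f"persistent for {age // 86400} days (Max-Age)")
    elif "expires" in a:
        findings.append(f"persistent until {a['expires']} (Expires)")
    if "domain" in a:
        findings.append(f"Domain={a['domain']}: shared with every host under that domain")
    if not a.get("secure"):
        findings.append("no Secure flag: also sent over plain HTTP")
    if not a.get("httponly"):
        findings.append("no HttpOnly flag: readable by JavaScript, so exposed by cross-site scripting")
    if "samesite" not in a:
        findings.append("no SameSite attribute: sent on cross-site requests")
    return findings


if __name__ == "__main__":
    for header in (TRACKER_HEADER, SESSION_HEADER):
        cookie = parse_set_cookie(header)
        kind = "session" if is_session_cookie(cookie) else "persistent"
        print(f"{cookie.name} ({kind}):", audit_cookie(cookie) or ["no findings"])
```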
How to stop tracking cookies
Some websites make it easy to turn off cookies at this stage that are intended only for advertising with a simple click.
Others try to discourage this by making it more difficult, burying this option deep within a vast wall of text, like a privacy policy or a set of Terms and Conditions.
This can be time-consuming and confusing, and it’s no fun digging through endless menus, turning off the advertisers or preferences you don’t particularly want. If you want to avoid being tracked online, your first port of call should be to speak to your managed security service provider for advice.
There are steps you can take, though…
- Delete the cookies in your browser history. It’s not always easy to see what cookies are stored on your computer. However, it is relatively simple to clear and delete cookies. For example, if you are using Google Chrome, you can type chrome://settings/ into your address bar, scroll down to Advanced and click on Clear browsing data. For all other browsers, check out this website.
- Install an ad-blocker or anti-tracking browser extension. This is a very common and usually secure way of hiding your activity from tracking cookies. Always ask a cyber security professional before installing any software.
- Send a ‘Do Not Track’ request with your browser traffic. This option is common to most modern browsers and can usually be found in your Settings menu.
- Install a VPN. A business-grade Virtual Private Network can change your IP address in every session, making your profile much harder to reconcile and track. Ask your managed security services provider for recommendations.
Introduction
Cookies are an integral part of how the internet works but there is a huge amount of misinformation about them. Are they dangerous? Are companies tracking your every move? What are the privacy risks?
Your managed security service provider should be able to inform you about how to treat cookies on work computers.
Unfortunately, it’s almost impossible to avoid them entirely and the fact is that most websites require you to accept cookies in some form in order to serve you content.
Cookies are tiny text files that a browser places on your computer every time you visit a website.
They are used as a kind of memory for websites and servers, so that users can easily navigate websites without having to constantly enter their details and preferences every time they go online.
One specific type, tracking cookies, which we discuss below, causes more problems than any other.
A typical cookies notice will look something like this.
“We use cookies and other tracking technologies to improve your browsing experience on our site, show personalised content and targeted ads, analyse site traffic, and understand where our audience is coming from. To find out more or opt-out, please read our Cookie Policy. By clicking ‘Yes’, or ‘I Accept’, you consent to our use of cookies and other tracking technologies.”
Much like reading a site’s small print, most people will plump for speed and convenience over security and simply click ‘Accept’.
As is often the case, this murky data-scraping part of the internet is hidden from public view. But if you are serious about your cyber security, it’s important to take notice.
How do cookies work?
When you use a browser like Google Chrome, Mozilla Firefox or Apple Safari, websites create cookies to store your preferences. These include things like your login information, so you don’t have to input your username and password every time you visit; whether you prefer English, Spanish or any other as your main language; and the items in your shopping cart.
The most basic form of cookies expire and are deleted as soon as you close your browser.
These are called session cookies. The most common use for session cookies is on e-commerce sites like Amazon. They are used to recognise you as you move from page to page and ‘remember’ any information you have entered. If Amazon did not use session cookies, any products you put in your basket would disappear by the time you got to the checkout.
Another type, called first-party persistent cookies, expires after a set amount of time. For example, if you use an affiliate page like a price comparison website to search for a better deal for business broadband, that site will place a cookie on your computer for 24 hours. Then when you click through to the provider website to buy the deal, the cookie can tell the provider that you came from the price comparison site, and that site gets a cut of the profits from your sign-up. There’s a reason price comparison websites are big business: the five biggest in the UK revealed that they get up to £30 for every customer.
The most nefarious form of cookies is much more long-lasting and has the greatest effect on your cyber security. These are called tracking cookies or third-party persistent cookies. We’ll go into more detail on these pieces of code in our next blog. Websites or advertising networks that did not create these kinds of cookies can still access them, tracking you wherever you go on the web.
If you have ever had the feeling your latest Amazon purchase is following you around, this will be down to tracking cookies. Once you’ve seen the 14th advert for a garden hose after buying one online, it can get a little oppressive.
What impact does GDPR have on cookies?
Since the introduction of the EU’s GDPR legislation, websites are now required to put their disclaimer notices front and centre when you visit a website for the first time.
The laws came into force on 25 May 2018 and are intended to give consumers more of a say over what data they allow websites to carry or store about them. The policy is intended to disrupt bad behaviour or insecure websites that continue to store personal details on corporate databases.
All websites serving content to customers in Europe, including (for now) the UK, have to be much more up front about the cookies that they are placing on your computer.
In effect, websites must now tell you, before they allow you to read their content, that they use tracking cookies.
In America and other non-EU countries, websites aren’t compelled to tell you if they are placing tracking cookies on your computer. This is why when you visit a website with servers based solely in the US, you may see a disclaimer pop-up saying that it is not possible to serve you the web page because of EU regulations. This refers to GDPR.
Next time we will look at which companies gain the most from tracking cookies, how they work and what you can do to stop your private data being leaked across the web.
Introduction
Bots now make up around half of all internet traffic. But what are they?
A bot, short for ‘web robot’, is simply a software application that runs automated commands over the internet.
The first bots were created in the late 1980s but have become much more common as the internet has developed in scale and maturity.
At first, they were intended as a way to save human labour when performing fairly routine, monotonous tasks.
Good bots
Google’s web crawler, which ranks pages on the internet, is a bot. This piece of software is an integral part of how SEO or search engine optimisation works. It visits all the websites on the internet and makes a note of how well or how badly a page performs in relation to the information listed on it. The pages with the best SEO appear higher in Google’s search results.
An email out-of-office reply is another example of a bot. Instead of having to email every person who sends you a message while you are on holiday, you can instead use an email service’s built-in bot to send a professional, automatic reply.
Now, any business can create their own bot in a matter of minutes.
The most common user-created examples are chatbots on websites where customer service is required 24/7.
Chatbots usually operate on a limited set of guidelines or rails, like an automated answering machine that can detect certain types of language and respond with text to the person asking a question.
Instead of employing customer service agents around the clock, a chatbot can save a business serious money, so what was once a frightening prospect is now widely accepted.
83% of customers say they are happy to shop online where a chatbot is in use, and the technology is expected to save companies more than $8bn by 2022.
Bot, or human?
Amazon’s Alexa smart speaker is another example of a bot. When you say ‘Alexa’ or ‘OK Google’, you’re talking not to a human being, but a machine. This is a piece of software housed in a friendly-looking metal box that is entirely automated and designed to respond in a certain way to human speech.
There are also secondary bots (called ‘Skills’) which you can set up on your Alexa to create things like a round-up of the day’s news, order your groceries, or give you an update on the amount left in your bank account.
Voice assistants like Alexa, however, flag up the inherent fragility of bots. In September 2017, viewers of the long-running American cartoon series South Park were shocked when their Google Home and Amazon Echo devices responded to on-screen commands, adding a series of scatological items to their shopping lists.
While these pieces of automated software can make a passable attempt at mimicking human language, they can usually only operate in narrowly-defined ways. Programmers can script a greeting response like ‘Hi,’ or ‘Hello’, and a text-based chatbot can recognise a question when it sees a question mark, but chatbots do not have any critical thinking functions and for the most part cannot improvise.
As Artificial Intelligence develops, we may see bots that can improvise, or use slang terms as their dictionaries expand to better copy how a human might write or speak. The most human-like chatbot in the world is currently Mitsuku, a four-time winner of the Loebner Prize Turing Test.
When bots go bad
As with any technology, bots can be employed for crime just as easily as they are used for handy day-to-day business tasks.
Twitter bots, for example, can run and control their own social media feed. These programs can post tweets automatically, ‘like’ other posts, follow, or send direct messages to other accounts.
As many as 48 million Twitter accounts – some 15% of the total – are thought to be bots rather than humans.
While most activity is benign, bots can be used to spam links to harmful websites designed to steal your identity, post fake reviews or comments on your website, or even carry out co-ordinated denial-of-service attacks to stop users accessing popular sites.
Social media bots can also be employed to bully or harass companies online by responding negatively to every post they make, distorting the general public’s view of a service or product.
Botnets and worse
Spam comments and dodgy pranks are just the tip of the iceberg. From 2016 onwards, the Mirai botnet launched a devastating attack on large portions of the internet.
This was a worldwide network of infected machines which had a portion of their processing power diverted to launching DDoS attacks.
Unfortunately, botnets are growing more popular among cyber criminals because they are very cheap to set up and can offer extremely lucrative ransom or theft rewards.
Even worse, bots can be used to post political messaging designed to affect the way people vote.
Most famously, Russia’s shadowy troll farm, the Internet Research Agency, employed hundreds of people creating thousands of bot accounts on YouTube, Facebook and Twitter to post made-up, extremist, or intentionally divisive fake news with the intent of influencing the 2016 US presidential election.
Automate your defences
The threat from malicious bots is severe and ever-growing.
The National Cyber Security Centre warned in 2018 that hostile hackers paid by Russia were exploiting basic and widespread weaknesses in UK networks to enact ‘man-in-the-middle’ attacks to steal intellectual property, automatically divert computing power, and sometimes inject viruses or scripts that lie dormant until they can be used in massive co-ordinated cyber attacks.
If your managed security services provider is not watching for bot attacks, then there are serious holes in your defences. Remember, bots don’t discriminate. If you or your business has something worth stealing, you’re automatically a target.
To get in touch with Emerge Digital, call 01242 805500. You can view our opening times on The Big Red Directory.
Introduction
Perhaps the most infamous cybersecurity incident of the past decade was the WannaCry ransomware attack on hospitals and NHS Trusts in England and Wales in the spring of 2017.
The exploit would simultaneously cause national panic and expose the shocking fragility at the heart of Britain’s public sector IT.
Since the 1990s, with the invention and proliferation of the internet and networked computing, state-backed hackers have attempted intrusions into critical national infrastructure.
But this was the first time that cyber warfare truly hit the mainstream in the UK.
It all began on Friday 12 May when an apparently co-ordinated malware attack hit 47 hospitals and primary care organisations.
Staff came in to work that day to find themselves locked out of their own PCs, with their normal desktop displays replaced with messages that claimed to have encrypted all the files on the network.
Pop-ups flashed across their screens, reading: “What happened to my computer? Your important files are encrypted. Many of your documents, photos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.”
Hackers demanded cash ransoms of between $300 and $600 to be paid in the Bitcoin cryptocurrency, promising to unlock the encryption by sending each payer a special decryption key.
As the day wore on, fear spread as it became clear that the worm had infected all computers sharing the same network inside hospital trusts and Accident and Emergency triage centres.
What happened next?
As staff could not access patient records, ambulances had to be turned away from the affected hospitals.
East and North Hertfordshire NHS was one of the first to make a public statement: “The Trust has experienced a major IT problem, believed to have been caused by a cyber attack. Immediately on discovery of the problem, the Trust acted to protect its IT systems by shutting them down. It also meant that the Trust’s telephone system is not able to accept incoming calls.”
Thousands of critical and emergency operations were cancelled, along with thousands of routine appointments across NHS organisations.
Who was responsible and how did it happen?
A joint investigation by GCHQ and the National Cyber Security Centre concluded that hackers from North Korea most likely led the attack.
Security experts at anti-virus company Kaspersky noted in a blog post how the invasion spread, and how the ransomware was developed from software stolen from the NSA, America’s spy agency, and sold on the dark web.
They wrote: “In these attacks, data is encrypted with the extension .WCRY added to the filenames. Our analysis indicates the attack is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit, codenamed ‘Eternal Blue’, has been made available on the internet through the Shadowbrokers dump on April 14 2017, and patched by Microsoft on March 14.”
Kaspersky researchers noted how “many organisations have not yet installed the patch”, suggesting that the ransomware exploited a known vulnerability in Microsoft’s aging XP operating system.
Freedom of Information requests in March 2017 had revealed that XP was still being used in more than 5% of all NHS computing. Over half of the UK’s NHS Trusts still used the outdated XP, despite Microsoft ending support for it in 2014. In some Trusts, the number was as high as 76%.
Why is this a problem?
It will not necessarily surprise anyone in England to find out that the IT systems in the NHS are outdated from years of underfunding. While this may have caused no greater problem than it taking a long time to open computer programs or still having the paperclip assistant in Microsoft Word, outdated or unpatched software presents a very real threat.
The problem here is that vulnerabilities multiply the older a software package becomes.
Microsoft’s Windows XP was released in 2001; by 2017 any large organisation still using it would find their computers not just out of date but dangerously leaky.
Patching is what it sounds like. It’s an update to a piece of code which patches or papers over a hole or deficiency which, if left alone, could allow unscrupulous people to hack their way into a computer system. Patching is very common in IT, as it’s not often clear how certain programs will interact with others out in the real world.
Microsoft did not already have a patch to correct the flaw in XP that the WannaCry ransomware exposed, and so took the highly unusual step of hurriedly developing and releasing a patch for all those people and organisations still using XP.
Five lessons we learned from WannaCry
In total, one-third of all of England’s NHS Trusts were affected by WannaCry, along with 8% of GP surgeries.
A report by the government’s Department for Health and Social Care found that the malware attack was contained within 48 hours. However, the monetary fallout from WannaCry was vast.
It cost the service £19m as a result of cancelled operations and appointments, along with a further £73m in additional IT costs to recover data and restore systems hit in the attack.
A lessons learned document released by NHS England in February 2018 stressed the importance of greater use of managed security services providers across the organisation, upskilling IT workers in the latest threats, along with making sure staff know their responsibilities in the post-incident period.
Lesson 1: Stay up to date
Keep your computers up to date and install patches as soon as they become available.
Any managed security services provider worth their salt should take control of patching. If your IT team does not already do this, or you don’t have an IT team (if your IT team consists of just you), then this is something to give serious thought to.
You don’t have to buy your staff the latest MacBook Air or i7 PC, but at the very least you should be running operating systems that are still supported by the manufacturer (Windows 7, 8 or 10) and preferably fairly current.
Lesson 2: Train staff and train them again
Ask yourself this question: if my receptionist got a ransomware message on his computer, would he know what to do? (By the way, the answer is to touch nothing and immediately alert your managed security service provider.) Might he try to negotiate on his own, and would he know who to call?
Lesson 3: You’re not paranoid if they really are after you
While it may not be a pleasant task to prepare for a cyber attack, security should be an extremely high priority for any business owner. Ransomware, in particular, is relatively simple to deploy and can be very lucrative so there is little stopping a determined criminal from attacking you.
The amount of lost custom and lost productivity from ransomware or another kind of cyberattack can be extremely painful. Prevention is always better than cure.
Lesson 4: Have a plan in place and be prepared to deploy it
Ensure there are clearly laid-out standards and procedures to follow during and in the aftermath of a cyber attack. This time can be extremely stressful for all concerned and so definitive planning can bypass much of the heart-stopping anxiety associated with cyber security issues.
Who are your emergency contacts in the minutes after discovery? What steps are in place for the first two hours? Do you have real-time protection and reporting planned? Who should have administrator access to your systems in the event of an attack?
Lesson 5: Research your managed security services provider thoroughly
IT is an acutely skilled profession but not every team is the same. Questions you will want to ask when outsourcing your security are: do they have a Security Operations Centre for real-time support? What specialisms does your incident response team have? What experience do they have with companies of your size?