Category: The Authorities

UK Cyber Attacks in 2017

The National Cyber Security Centre (NCSC) has reported on 2017 and here are some key points from the report.

“It was a year of ransomware attacks, data breaches and online fraud.”

The WannaCry ransomware attack in May spread rapidly and randomly, infecting 300,000 devices across 150 countries and affecting services worldwide, including the NHS. The attack demonstrated the real-world harm that can result from cyber attacks, particularly when they are designed to self-replicate and spread.


The enormous scale of the 2013 Yahoo breach, the 2016 Uber breach and the 2017 Equifax breach came to light, demonstrating that data is a valuable target for cyber adversaries. It is clear that even if an organisation has excellent cyber security, there can be no guarantee that the same standards are applied by contractors and third party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim.

Between October 2016 and the end of 2017, the NCSC recorded 34 significant cyber attacks. 762 less serious incidents were also recorded. With interest in cryptocurrency still strong, cryptojacking – where an individual’s computer processing power is used to mine cryptocurrency without the user’s consent – will likely become a regular source of revenue for website owners. Increased use of cloud technology to store sensitive information will continue to tempt cyber attackers, which could result in UK citizens’ information being breached.

Distributed Denial of Service (DDoS) extortion attacks – where hackers threaten to conduct DDoS attacks unless a ransom is paid – have increased since mid-2017, when a South Korean web hosting company paid a ransom fee in Bitcoin equivalent to US$ 1 million. In late 2017.

The reported number and scale of data breaches continued to increase in 2017, with Yahoo finally admitting in October that all of its 3 billion customers had been affected by the 2013 breach.

Groups assessed to have links to state actors were likely responsible for some of the larger breaches.

Examples of data breaches included:

  • Equifax, where the personally identifiable information of 145 million US users and almost 700,000 UK users was compromised.
  • Verizon’s data on 14 million customers, stored in the cloud and controlled by a third party company, was exposed to anyone who could guess the web address.
  • Uber was forced to reveal that it deliberately covered up a year-old breach by paying the hackers US$ 100,000 to destroy the data they had stolen. The data of 57 million accounts, which had not been encrypted, was exposed.
  • An aggregated database of data, collated from multiple breaches, was discovered by security company 4iQ in December 2017. This contained 1.4 billion credentials in clear text, including unencrypted and valid passwords.

Analysis indicated a large number of incidents were caused by third party suppliers failing to secure data properly.

If you have any experiences with scammers, spammers or time-wasters do let me know, by email.

Fightback Ninja Signature


The Scale of Cyber Crime UK

The City of London Police Commissioner Ian Dyson was a victim of credit card fraud some years ago when criminals used his credit card to pay for a hotel stay and tried to pay for their car insurance with his card.

It is estimated that 5.6 million fraud and cyber-crimes are committed each year, of which only about 10% are reported to the Police. This does include virus attacks etc. and some things that many people would not expect to report to the Police, but that still leaves a lot of crimes that are unreported, but should be reported.

Recent statistics show that of the fraud and cyber-crimes reported, only about 10% are investigated by Police.

A lot of online crime is effectively anonymous and there is little anyone can do to track down and stop the perpetrators.

Prevention can be the most practical method for getting to grips with such crimes – warning and educating people to have proper security for their online accounts and to behave with common sense in all dealings online.

However, the Police do have a great deal of success in restricting the actions of the criminals.

In the year to March 2017, the Police shut down 170,856 websites, bank accounts and phone lines connected to cyber criminals.

The banks and other financial institutions and payment services have a huge role to play in keeping us safe online and paying recompense to victims when necessary.

The authorities are progressively clamping down on online crime, but are always several steps behind the criminals.

Be careful


The Safer Internet Centre

https://www.saferinternet.org.uk

The Safer Internet Centre is a partnership of three leading organisations: Childnet International, Internet Watch Foundation and SWGfL, with one mission – to promote the safe and responsible use of technology for young people.

South West Grid for Learning (SWGfL) Trust is a not-for-profit charitable trust providing schools and other establishments with safe, secure, managed and supported connectivity and associated services, learning technologies to improve outcomes, and the toolkit for being safer online.

The partnership was appointed by the European Commission as the Safer Internet Centre for the UK in January 2011 and is one of the 31 Safer Internet Centres of the Insafe network. The centre has three main functions:

  1. Awareness Centre: to provide advice and support to children and young people, parents and carers, schools and the children’s workforce, and to coordinate Safer Internet Day across the UK
  2. Helpline: to provide support to professionals working with children and young people with online safety issues
  3. Hotline: an anonymous and safe place to report and remove child sexual abuse imagery and videos, wherever they are found in the world

The UK Safer Internet Centre is funded under the Connecting Europe Facility (CEF) programme of the European Commission. As such we contribute to the Better Internet for Kids (BIK) core service platform to share resources, services and practices between the European Safer Internet Centres and advice and information about a better internet to the general public.

The website pages are: About, Safer Internet Day, Blog, Training & Events, Research, Get Involved, Translate, Advice Centre, Hotline, Helpline, Pupil powered e-safety.

It contains a lot of advice and information, largely to do with young people, parents and carers but much applicable to anyone so it is a useful resource.



The Pension Wise Service

https://www.pensionwise.gov.uk

In these days of pension fraud, if you’re over 55, it is wise to assess your pension situation using government advice.

The website Pension Wise was set up by government to provide free advice.

They say they can help you if:-

  • you are aged 50 or over
  • have a personal or workplace pension
  • want to make sense of your options

There is plenty of advice on the site from what happens if you live abroad to taxation to the different ways you can take money from your pension pot.

There’s also advice on how to avoid the pension scammers.

If you feel the need to talk to an expert, there are free calls of up to 60 minutes that can be booked.

If you need pension advice – this website is a good start.


UK Government Cyber Essentials Scheme

https://www.cyberessentials.ncsc.gov.uk/

The government says Cyber Essentials helps your business to guard against the most common cyber threats and demonstrate your commitment to cyber security.

Self-Help for Cyber Essentials

The guide explains how to:

  • Secure your Internet connection
  • Secure your devices and software
  • Control access to your data and services
  • Protect from viruses and other malware
  • Keep your devices and software up to date

The Three levels of Engagement

Not everyone has the time or resources needed to develop a full-on cyber security system. So Cyber Essentials has been designed to fit with whatever level of commitment you are able to sustain. There are three levels of engagement:

  1. The simplest is to familiarise yourself with cyber security terminology, gaining enough knowledge to begin securing your IT.
  2. Basic Cyber Essentials certification.
  3. Cyber Essentials Plus certification.

1.     Self Help

The self-assessment option gives you protection against a wide variety of the most common cyber attacks. This is important because vulnerability to simple attacks can mark you out as a target for more in-depth unwanted attention from cyber criminals and others.

2.     Certified Cyber Security

Cyber Essentials Certificate £300 approx. (+VAT)

Certification gives you peace of mind that your defences will protect against the vast majority of common cyber attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.

The process of obtaining Cyber Essentials Certification is simple; you can opt to buy as much or as little help as you need from the company you choose to certify you.

Cyber Essentials shows you how to address those basics and prevent the most common attacks.

  • Reassure customers that you are working to secure your IT against cyber attack
  • Attract new business with the promise you have cyber security measures in place
  • Gain a clear picture of your organisation’s cyber security level
  • Some Government contracts require Cyber Essentials certification

3.     Cyber Essentials Plus Certificate

The cost for this is only available on application.

It has all the benefits of Cyber Essentials PLUS your cyber security is verified by independent experts.

Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. The advice is designed to prevent these attacks.

Cyber Essentials Plus still has the Cyber Essentials trademark simplicity of approach, and the protections you need to put in place are the same, but this time the verification of your cyber security is carried out independently by your Certification Body.

The more rigorous nature of the certification may mean you need to buy additional support from your Certification Body.

Cyber Essentials and Government Contracts

If you would like to bid for central government contracts which involve handling sensitive and personal information or the provision of certain technical products and services, you will require Cyber Essentials Certification.



Regulator to Protect Victims of Payment Scams

Authorised Push Payment (APP) scams are where people are conned into authorising their bank to make a payment to a fraudster.

The Payment Systems Regulator (PSR) is planning for new protections for consumers from APP scams to be in place from September 2018, as an industry code.

The Regulator ran a consultation from November 2017 to January 2018, to give people the opportunity to provide feedback on the regulator’s plans. It gathered opinions from the payments industry, consumer groups and individuals to make sure the PSR could understand how best to protect people from APP scams.

The Changes

Once the industry code is in place, it will be publicly consulted on for refinement in early 2019, and the regulator expects that it will continue to evolve to ensure preventative measures are kept up to date.

The PSR is also bringing consumer and industry representatives together to establish a dedicated steering group. Led by an independent chair appointed by the PSR, the group will ensure the contingent reimbursement model is designed in the best way to minimise the number of scams in the future and protect victims of scams.

Paul Smith, Head of Policy at the PSR, said:

“This is about making a positive difference for people to protect them from APP scams – where people are tricked into sending money to a fraudster. The banks have already made some changes but, from September 2018, this industry code will see better protections available to everyone. We expect the code to evolve over time to make sure methods of preventing APP scams are up to date.”

“This is a complex piece of work and we have set a challenging timeline, but it is essential we see, as soon as possible, a model that is effective in protecting people.”

Good progress by the regulator.


Scammers Targeting Elderly Are Caught

A Canadian con man who was caught on video bragging about stealing from the elderly was among 200 people charged by US Authorities with defrauding seniors.

Andrew John Thomas boasted about his sweepstakes scheme at a 2016 conference for postal scammers in Whistler, British Columbia, authorities said.

“My ability to whore my beautiful talent to sell this s— to people who don’t need it. It’s hard to be, it’s hard to be proud of it, but well I’m good at it.” said Thomas.

Authorities say Thomas masterminded the swindle of more than $4.5 million annually by duping senior citizens into believing they had won large sums of money. He targeted elderly Americans, typically notifying them via mail that they’d won a sweepstakes prize and that all they needed to do to claim it was to pay a processing fee and money for taxes.

The mailings instructed recipients to return a response card with a processing fee in order to accept the bogus winnings. They received no money — only more solicitations. While many stopped sending money after realizing they had been duped, others continued to do so in hopes of claiming the prize.

U.S. law enforcement officials announced what they labelled as the largest ever fraud enforcement action involving elderly Americans, charging more than 200 people and bringing civil actions against dozens more.

Agents from the U.S. Postal Inspection Service, (the enforcement arm of the U.S. Postal Service), executed search warrants at 14 locations that some of the same fraudsters have run for years.

Officers from the Vancouver Police Department in Canada served dozens of search warrants as part of the enforcement action.

This was clearly a well organised and effective take-down of a lot of scammers by co-ordinated action between US agencies and the Canadian Police.


UK Government Cyber Essentials 10 Step Plan


This is a summary of the UK Government 10 step plan for Cyber Essentials, which is designed for organisations looking to protect themselves in cyberspace.

1.     Risk Management

Embed an appropriate risk management regime across the organisation. This should be supported by an empowered governance structure, which is actively supported by the board and senior managers. These should aim to ensure that all employees, contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries.

2.     Secure Configuration

Identifying baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems. Develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities.

3.     Network Security

The connections from your networks to the Internet, and other partner networks, expose your systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, you can reduce the chances of these attacks succeeding. Your organisation’s use of mobile or remote working, and of cloud services, makes defining a fixed network boundary difficult.

4.     Managing User Privileges

All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed.

5.     User Education and Awareness

It’s important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. This can be supported by a systematic delivery of awareness programmes and training that deliver security expertise as well as helping to establish a security-conscious culture.

6.     Incident Management

Invest in establishing effective incident management policies and processes to help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact.

7.     Malware Prevention

Malicious software, or malware, is an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall ‘defence in depth’ approach.

8.     Monitoring

System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies.

9.     Removable Media Controls

Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. You should be clear about the business need to use removable media and apply appropriate security controls to its use.

10.     Home and Mobile Working

Mobile working and remote system access offer great benefits, but expose new risks that need to be managed. You should establish risk based policies and procedures that support mobile working or remote access to systems, applicable to users as well as service providers.

https://www.ncsc.gov.uk/guidance/10-steps-cyber-security has further information.


UK Government Phishing Attacks

A phishing attack is when criminals create fake websites that look like well-known websites such as Marks and Spencer or HMRC or British Gas etc. They use the fake websites to get your confidential information.

The statistics below refer to sites that pretend to be government.

Top 10 Government ‘Brands’

Brand                              No of phishing sites   No of attack groups   Availability hours
HM Revenue & Customs                             16,064                 2,466                   10
Gov.uk                                            1,541                   241                   15
TV Licensing                                        172                    93                    5
DVLA                                                107                    53                   11
Government Gateway                                   46                    22                    6
Crown Prosecution Service                            43                    26                   15
Student Loans Company                                19                    11                   17
Student Finance Direct                               13                     3                    3
British Broadcasting Corporation                      8                     7                   35

The availability (in hours) of an attack is the total amount of time the phishing site is available, from when the Netcraft service first becomes aware of the attack through to when it is finally taken down.

Phishing

When a phishing site is identified that is pretending to be a UK government brand, the hosting provider is asked to take the site down.

For example, a fraudster using an email address such as onlinehmrctax @ gov.co.uk and a matching website, intended to deceive the user into thinking this is a real HMRC site. Not all phishing sites use domains like this, and many are hosted in areas of legitimate sites that have been compromised by the criminal.

A single attack can involve multiple spoof sites, hosted on the same server. If there are many phishing URLs in a single attack, they can easily skew statistics through the responsiveness or otherwise of the hosting provider.
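The two points above, lookalike domains (or phishing pages planted on compromised legitimate sites) and the skew that one attack with many URLs introduces into per-URL statistics, can be made concrete with a small defender-side script. The example below is added here and is not code from the NCSC, Netcraft or this blog. It assumes that only hosts under gov.uk are genuine government sites, uses a hypothetical brand keyword list, and runs over constructed sightings (URLs on RFC 5737 documentation IP ranges with made-up timestamps). It reports, per brand, the number of phishing URLs, the number of attack groups (URLs for that brand on one hosting IP), and the median availability hours both per URL and per attack so the skew is visible.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Assumption for this example: only gov.uk and its subdomains are genuine HMG hosts.
LEGIT_SUFFIXES = ("gov.uk",)

# Hypothetical brand keywords in priority order: "hmrc" is checked before "gov"
# so a host like onlinehmrctax.gov.co.uk is attributed to HMRC, as in the blog text.
BRAND_KEYWORDS = (
    ("hmrc", "HM Revenue & Customs"),
    ("tvlicensing", "TV Licensing"),
    ("dvla", "DVLA"),
    ("gov", "Gov.uk"),
)


def is_legit_hmg(host: str) -> bool:
    """True when the host is gov.uk itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)


def spoofed_brand(url: str):
    """Return the HMG brand a non-government URL appears to imitate, else None.

    Host and path are both searched (with separators stripped) because phishing
    pages are often planted in a directory of a compromised legitimate site.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if is_legit_hmg(host):
        return None
    haystack = (host + parts.path).lower()
    for sep in ("-", "_", "."):
        haystack = haystack.replace(sep, "")
    for keyword, brand in BRAND_KEYWORDS:
        if keyword in haystack:
            return brand
    return None


def _hours(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def summarise(sightings):
    """Aggregate (url, hosting_ip, first_seen, taken_down) sightings per brand.

    One attack is all spoof URLs for a brand on one hosting IP; its availability
    runs from the earliest first-seen to the latest take-down among its URLs.
    """
    per_url_hours = defaultdict(list)
    windows = defaultdict(lambda: [None, None])  # (brand, ip) -> [earliest seen, latest down]
    for url, ip, first_seen, taken_down in sightings:
        brand = spoofed_brand(url)
        if brand is None:
            continue  # genuine government site or unrelated host
        seen = datetime.fromisoformat(first_seen)
        down = datetime.fromisoformat(taken_down)
        per_url_hours[brand].append(_hours(seen, down))
        window = windows[(brand, ip)]
        window[0] = seen if window[0] is None else min(window[0], seen)
        window[1] = down if window[1] is None else max(window[1], down)

    summary = {}
    for brand, hours in per_url_hours.items():
        attack_windows = [w for (b, _), w in windows.items() if b == brand]
        summary[brand] = {
            "phishing_urls": len(hours),
            "attack_groups": len(attack_windows),
            "median_hours_per_url": median(hours),
            "median_hours_per_attack": median([_hours(s, d) for s, d in attack_windows]),
        }
    return summary


# Constructed sightings for this example: one HMRC attack with three URLs on a single
# server, one HMRC page on a compromised shop, two other brands sharing a server, and
# one genuine gov.uk URL that must be ignored.
SAMPLE_SIGHTINGS = [
    ("http://onlinehmrctax.gov.co.uk/refund", "192.0.2.10", "2017-11-01T09:00", "2017-11-01T19:00"),
    ("http://onlinehmrctax.gov.co.uk/refund/login", "192.0.2.10", "2017-11-01T09:30", "2017-11-01T19:00"),
    ("http://onlinehmrctax.gov.co.uk/refund/confirm", "192.0.2.10", "2017-11-01T09:45", "2017-11-01T19:00"),
    ("https://shop.example.net/wp-content/uploads/hmrc/", "198.51.100.7", "2017-11-02T08:00", "2017-11-02T12:00"),
    ("http://tv-licensing-renewal.example.org/", "203.0.113.5", "2017-11-03T10:00", "2017-11-03T15:00"),
    ("http://dvla-refunds.example.org/claim", "203.0.113.5", "2017-11-03T11:00", "2017-11-03T15:00"),
    ("https://www.gov.uk/renew-driving-licence", "203.0.113.99", "2017-11-03T10:00", "2017-11-03T10:00"),
]

if __name__ == "__main__":
    for brand, row in summarise(SAMPLE_SIGHTINGS).items():
        print(brand, row)
```

On the constructed data the HMRC row shows four URLs but two attacks, and a per-URL median of about 9.4 hours against a per-attack median of 7 hours: the three-URL attack on one server pulls the per-URL figure up, which is exactly the distortion the text warns about. Counting per attack, as the table's "No of attack groups" column does, removes that dependence on how many pages a single hosting provider was slow to remove.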

Over the last calendar year, 18,067 HMG-related phishing sites have been removed.

For comparison, in the previous 6 months the volume was 19,443 sites. It’s clear that there are fewer HMG-related phishing takedowns in 2017 and the trend is generally downward. Given how the service is driven, it’s reasonable to assume that it sees a relatively constant percentage of global phishing, and so this strongly suggests that there has been less HMG-related phishing this year than last.

However, it is very likely that this work has had a direct impact on the viability of criminal phishing targeting HMG brands, making them less lucrative and therefore less likely to be used.

It’s obvious from the table that the vast majority of HMG-related phishing attacks continue to use the HMRC brand. That’s unsurprising given that most adults have a relationship with them and everyone would welcome a tax refund.
