Category: The Authorities

The Safer Internet Centre

https://www.saferinternet.org.uk

The safer Internet Centre is a partnership of three leading organisations: Childnet International, Internet Watch Foundation and SWGfL, with one mission – to promote the safe and responsible use of technology for young people.

South West Grid for Learning (SWGfL) Trust is a not-for-profit charitable trust providing schools and other establishments with safe, secure, managed and supported connectivity and associated services, learning technologies to improve outcomes, and the toolkit for being safer online.

The partnership was appointed by the European Commission as the Safer Internet Centre for the UK in January 2011 and is one of the 31 Safer Internet Centres of the Insafe network. The centre has three main functions:

  1. Awareness Centre: to provide advice and support to children and young people, parents and carers, schools and the children’s workforce and to coordinate Safer Internet Day across UK
  2. Helpline: to provide support to professionals working with children and young people with online safety issues
  3. Hotline: an anonymous and safe place to report and remove child sexual abuse imagery and videos, wherever they are found in the world

The UK Safer Internet Centre is funded under the Connecting Europe Facility (CEF) programme of the European Commission. As such we contribute to the Better Internet for Kids (BIK) core service platform to share resources, services and practices between the European Safer Internet Centres and advice and information about a better internet to the general public.

The website pages are – About,  Safer Internet Day, Blog, Training & Events, Research, Get Involved, Translate

Advice Centre, Hotline, Helpline, Pupil powered e-safety

It contains a lot of advice and information, largely to do with young people, parents and carers but much applicable to anyone so it is a useful resource.

Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.

Fightback Ninja Signature

 

The Pension Wise Service

https://www.pensionwise.gov.uk

In these days of pension fraud, if you’re over 55, it is wise to assess your pension situation using government advice.

The website Pension Wise was set-up by government to provide free advice

They say they can help you if:-

  • you are aged 50 or over
  • have a personal or workplace pension
  • want to make sense of your options

There is plenty of advice on the site from what happens if you live abroad to taxation to the different ways you can take money from your pension pot.

There’s also advice on how to avoid the pension scammers.

If you feel the need to talk to an expert, there are free calls of up to 60 minutes that can be booked.

If you need pension advice – this website is a good start.

If you’ve enjoyed this post or found it useful then do share – click on the post title then scroll down to the social media share buttons.

Fightback Ninja Signature

UK Government Cyber Essentials Scheme

https://www.cyberessentials.ncsc.gov.uk/

The government says Cyber Essentials helps your business to guard against the most common cyber threats and demonstrate your commitment to cyber security

Self-Help for Cyber Essentials

The guide explains how to:

  • Secure your Internet connection
  • Secure your devices and software
  • Control access to your data and services
  • Protect from viruses and other malware
  • Keep your devices and software up to date

The Three levels of Engagement

Not everyone has the time or resources needed to develop a full-on cyber security system. So we’ve designed Cyber Essentials has been designed to fit with whatever level of commitment you are able to sustain. There are three levels of engagement:

  1. The simplest is to familiarise yourself with cyber security terminology, gaining enough knowledge to begin securing your IT.
  2. Basic Cyber Essentials certification.
  3. Cyber Essentials Plus certification.

1.     Self Help

The self-assessment option gives you protection against a wide variety of the most common cyber attacks. This is important because vulnerability to simple attacks can mark you out as target for more in-depth unwanted attention from cyber criminals and others.

2.     Certified Cyber Security

Cyber Essentials Certificate £300 approx. (+VAT)

Certification gives you peace of mind that your defences will protect against the vast majority of common cyber attacks simply because these attacks are looking for targets which do not have the Cyber Essentials technical controls in place.

In the process of obtaining Cyber Essentials Certification is simple, you can opt to buy as much or as little help as you need from the company you choose to certify you.

Cyber Essentials shows you how to address those basics and prevent the most common attacks.

  • Reassure customers that you are working to secure your IT against cyber attack
  • Attract new business with the promise you have cyber security measures in place
  • You have a clear picture of your organisation’s cyber security level
  • Some Government contracts require Cyber Essentials certification

3.     Cyber Essentials Plus Certificate

The cost for this is only available on application.

It has all the benefits of Cyber Essentials PLUS your cyber security is verified by independent experts.

Cyber attacks come in many shapes and sizes, but the vast majority are very basic in nature, carried out by relatively unskilled individuals. They’re the digital equivalent of a thief trying your front door to see if it’s unlocked. The advice is designed to prevent these attacks.

Cyber Essentials Plus still has the Cyber Essentials trademark simplicity of approach, and the protections you need to put in place are the same, but this time the verification of your cyber security is carried out independently by your Certification Body.

The more rigorous nature of the certification may mean you need to buy additional support from your Certification Body.

Cyber Essentials and Government Contracts

If you would like to bid for central government contracts which involve handling sensitive and personal information or the provision of certain technical products and services, you will require Cyber Essentials Certification.

Fightback Ninja Signature

 

Regulator to Protect Victims of Payment Scams

Authorised Push Payment (APP) scams are where people are conned into authorising their bank to make payment to a fraudster.

The Payments Systems Regulator (PSR) is planning for new protections for consumers, from APP scams, to be in place from September 2018, as an industry code.

The Regulator ran a consultation from November 2017 to January 2018, to give people the opportunity to provide feedback on the regulator’s plans. It gathered opinions from the payments industry, consumer groups and individuals to make sure the PSR could understand how best to protect people from APP scams.

The Changes

Once the industry code is in place, it will be publicly consulted on, for refinement in early 2019 and the regulator expects that it will continue to evolve to ensure preventative measures are kept up to date.

The PSR is also bringing consumer and industry representatives together to establish a dedicated steering group. Led by an independent chair appointed by the PSR, the group will ensure the contingent reimbursement model is designed in the best way to minimise the number of scams in the future and protect victims of scams.

Paul Smith, Head of Policy at the PSR, said:

“This is about making a positive difference for people to protect them from APP scams – where people are tricked into sending money to a fraudster. The banks have already made some changes but, from September 2018, this industry code will see better protections available to everyone.  We expect the code to evolve over time to make sure methods of preventing APP scams are up to date.”

“This is a complex piece of work and we have set a challenging timeline, but it is essential we see, as soon as possible, a model that is effective in protecting people.”

Good progress by the regulator.

Do leave a comment on this post – click on the post title then scroll down to leave your comment.

Fightback Ninja Signature

Scammers Targeting Elderly Are Caught

A Canadian con man who was caught on video bragging about stealing from the elderly was among 200 people charged by US Authorities with defrauding seniors.

Andrew John Thomas boasted about his sweepstakes scheme at a 2016 conference for postal scammers in Whistler, British Columbia, authorities said.

“My ability to whore my beautiful talent to sell this s— to people who don’t need it. It’s hard to be, it’s hard to be proud of it, but well I’m good at it.” said Thomas.

Authorities say Thomas masterminded the swindle of more than $4.5 million annually by duping senior citizens into believing they had won large sums of money. He targeting elderly Americans typically notifiying them via mail that they’d won a sweepstakes prize and all they needed to do to claim it was to pay a processing fee and money for taxes.

The mailings instructed recipients to return a response card with a processing fee in order to accept the bogus winnings. They received no money — only more solicitations. While many stopped sending money after realizing they had been duped, others continued to do so in hopes of claiming the prize.

U.S. law enforcement officials  announced what they labelled as the largest ever fraud enforcement action involving elderly Americans, charging more than 200 people and bringing civil actions against dozens more.

Agents from the U.S. Postal Inspection Service, (the enforcement arm of the U.S. Postal Service), executed search warrants at 14 locations that some of the same fraudsters have run for years.

Officers from the Vancouver Police Department in Canada served dozens of search warrants as part of the enforcement action.

This was a clearly a well organised and effective take-down of a lot of scammers by co-ordinated action between US agencies and the Canadian Police.

Do leave a comment on this post – click on the post title then scroll down to leave your comment.

Fightback Ninja Signature

UK Government Cyber Essentials 10 Step Plan

 

This is a summary of the UK Government 10 step plan for Cyber Essentials, which is designed for organisations looking to protect themselves in cyberspace.

1.     Risk Management

Embed an appropriate risk management regime across the organisation. This should be supported by an empowered governance structure, which is actively supported by the board and senior managers. These should aim to ensure that all employees, contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries.

2.     Secure Configuration

Identify baseline technology builds and processes for ensuring configuration management can greatly improve the security of systems. Develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities.

3.     Network Security

The connections from your networks to the Internet, and other partner networks, expose your systems and technologies to attack. By creating and implementing some simple policies and appropriate architectural and technical responses, you can reduce the chances of these attacks succeeding. Your organisation’s networks may use of mobile or remote working, and cloud services, makes defining a fixed network boundary difficult.

4.     Managing User Privileges

All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. The granting of highly elevated system privileges should be carefully controlled and managed.

5.     User Education and Awareness

It’s important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. This can be supported by a systematic delivery of awareness programmes and training that deliver security expertise as well as helping to establish a security-conscious culture.

6.     Incident Management

Invest in establishing effective incident management policies and processes to help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact.

7.     Malware Prevention

Malicious software, or malware is an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems. The risk may be reduced by developing and implementing appropriate anti-malware policies as part of an overall ‘defence in depth’ approach.

8.     Monitoring

System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies.

9.     Removable Media Controls

Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. You should be clear about the business need to use removable media and apply appropriate security controls to its use.

10.Home and Mobile Working

Mobile working and remote system access offers great benefits, but exposes new risks that need to be managed. You should establish risk based policies and procedures that support mobile working or remote access to systems that are applicable to users, as well as service providers.

https://www.ncsc.gov.uk/guidance/10-steps-cyber-security has further information.

Do you have an opinion on this matter? Please comment in the box below.

Fightback Ninja Signature

UK Government Phishing Attacks

A phishing attack is when criminals create fake websites that look like well-known websites such as Marks and Spencer or HMRC or British Gas etc.  They use the fake websites to get your confidential information.

The statistics below refer to sites that pretend to be government.

Top 10 Government ‘Brands’

Brand                                                  No of phishing sites     No of attack groups    Availability hours

HM Revenue & Customs                     16,064                         2,466                           10

Gov.uk                                                   1,541                           241                            15

TV Licensing                                             172                            93                               5

DVLA                                                        107                             53                            11

Government Gateway                                46                              22                              6

Crown Prosecution Service                        43                               26                           15

Student Loans Company                           19                               11                            17

Student Finance Direct                              13                                 3                              3

British Broadcasting Corporation                8                                 7                             35

The availability (in hours) of an attack is the total amount of time the phishing site is available from when the Netcraft service  first becomes aware of the attack through to when it is  finally taken down.

Phishing

When a phishing site is identified that is pretending to be a UK government brand, the hosting provider is asked  to take the site down.

For example:-  a fraudster using an email address onlinehmrctax @ gov.co.uk. and a matching website. That is intended to deceive the user into thinking this is a real HMRC site. Not all phishing sites use domains like this and many are hosted in areas of legitimate sites that have been compromised by the criminal.

A single attack can involve multiple spoof sites, hosted on the same server. If there are many phishing URLs in a single attack, they can easily skew statistics through the responsiveness or otherwise of the hosting provider.

Over the last calendar year, 18, 067 HMG-related phishing sites have been removed.

For comparison, in the previous 6 months , the volume was 19,443 sites.. It’s clear that here are fewer HMG-related phishing takedowns in 2017 and the trend is generally downward. Given how the service is driven, it’s reasonable to assume that it sees a relatively constant percentage of the global phishing and so this strongly suggests that there has been less HMG-related phishing this year than last.

However, it is very likely that this work has had a direct impact on the viability of criminal phishing targeting HMG brands, making them less lucrative and therefore less likely to be used.

It’s obvious from the table that the vast majority of HMG-related phishing attacks continue to use the HMRC brand. That’s unsurprising given that most adults have a relationship with them and everyone would welcome a tax refund.

Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.

Fightback Ninja Signature

 

How Common Are Data Breaches

The Proportion of Businesses That Have Had Breaches in 2017

  Overall Micro Firms Small Firms Medium Firms Large Firms Admin/ Real Estate
% experiencing a cyber security breach or attack in 2017 24 17 33 51 65 39

 

Businesses that invest more in cyber security have more breaches than businesses that invest less. This may seem counter intuitive but it’s partly due to businesses that realise they are more at risk such as finance operations then investing more whereas businesses where the online presence is minimal feel less at risk and invest less. There is also the assumption that businesses that invest more in cyber security will be better at identifying such breaches.

Types of Breaches/Attacks

Viruses, spyware or malware 68%
Other impersonating organisation in emails or online 32%
Denial of service attacks 15%
Hacking 13%
Money stolen electronically 13%
Breaches from personally owned devices 8
Personal information stolen 8
Breaches from externally hosted web services 8
Unlicensed or stolen software downloaded 8
Money stolen via fraud emails or websites 6
Software damaged or stolen 5
Breaches on social media 3
Intellectual property theft 1

 

You can see that attacks of various kinds are very common. All businesses must take steps to protect against data breaches and all common forms of cyber-attack

Do you have an opinion on this matter? Please comment in the box below.

Fightback Ninja Signature

UK Cyber Security Centre One Year On

In November 2016 the National Cyber Security Centre (NCSC) was created as part of GCHQ and given a mandate to pursue the radical action required to better protect the UK’s interests in cyberspace.

A key strand in this new approach is the NCSC’s Active Cyber Defence (ACD) programme, which aspires to protect the majority of people in the UK from the majority of the harm, caused by the majority of the attacks, for the majority of the time. It is intended to tackle the high-volume commodity attacks that affect people’s everyday lives, rather than the highly sophisticated and targeted attacks, which are dealt with in other ways.

One key intervention is the Takedown Service.

The Takedown Service

This service works by requesting that hosting providers remove malicious content that is pretending to be related to UK government and also certain types of malicious content hosted in the UK.

  • In 2017, we removed 18,067 unique phishing sites across 2,929 attack groups that pretended to be a UK government brand, wherever in the world they were hosted.
  • As a consequence, we have reduced the median availability of a UK government-related phishing site from 42 hours to 10 hours. That means that these sites are available for much less time to do harm to UK citizens. 65.8% of those are down in 24 hours, up from 39% before we started takedowns.
  • In 2017, we removed 121,479 unique phishing sites across 20,763 attack groups physically hosted in the UK, regardless of who it was pretending to be. As a consequence, we have reduced the median availability of a phishing site physically hosted in the UK from 26 hours to 3 hours, again giving them much less time to do harm. 76.8% of those were down in 24 hours, up from 47.3% before NCSC started takedowns.
  • In 2017, we worked with 1,719 compromised sites in the UK that were being used to host 5,111 attacks, intended to compromise the people that visited them. As a consequence, we have reduced the median availability of these compromises from 525 hours to 39 hours.
  • Over the year 2017, the month-by-month volume of each of these has fallen, suggesting that criminals are using the UK government brand less and hosting fewer of their malicious sites in UK infrastructure.
  • In 2017, we notified email providers about 3,243 Advance Fee Fraud attacks, pretending to be related to UK government.
  • In 2017, we stopped several thousand mail servers being used to impersonate government domains and sending malware to people, in the expectation that the government link makes them more realistic. We have also removed a number of deceptive domains that were registered with the sole intention of deceiving people.
  • While the volume of global phishing we can see has gone up significantly (nearly 50%) over the last 18 months, the share hosted in the UK has reduced from 5.5% to 2.9%.

That’s a great first year – keep up the good work.

Do leave a comment on this post – click on the post title then scroll down to leave your comment.

Fightback Ninja Signature

Reporting Data Breaches to the Information Commissioner

Not all organisation data breaches get reported to the Information Commissioner’s Office (ICO).

ICO do recommend that any serious breach is reported to them, but it isn’t mandatory and ‘serious breaches’ are not defined. However, the following should assist data controllers in considering whether breaches should be reported:

 

  1. The potential detriment to individuals is the overriding consideration in deciding whether a breach of data security should be reported to the ICO. Detriment includes emotional distress as well as both physical and financial damage.

Ways in which detriment can occur include:

  • exposure to identity theft through the release of non-public identifiers, eg passport number
  • information about the private aspects of a person’s life becoming known to others, eg financial circumstances

The extent of detriment likely to occur is dependent on both the volume of personal data involved and the sensitivity of the data where there is significant actual or potential detriment as a result of the breach.

Where there is little risk that individuals would suffer significant detriment, for example because a stolen laptop is properly encrypted or the information that is the subject of the breach is publicly-available information, there is no need to report.

  1. The volume of personal data lost / released / corrupted: There should be a presumption to report to the ICO where a large volume of personal data is concerned and there is a real risk of individuals suffering some harm.
  2. The sensitivity of the data lost / released / corrupted:

How to Report a Breach

Serious breaches should be reported to the ICO using the DPA security breach helpline on 0303 123 1113 (open Monday to Friday, 9am to 5pm). Select option 3 to speak to staff that will record the breach and give you advice about what to do next or report in writing using the  DPA security breach notification form, which should be sent to the email address casework@ico.org.uk or by post to the office address at:- Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

When a breach is reported, the nature and seriousness of the breach and the adequacy of any remedial action taken will be assessed and a course of action determined.

ICO may:

  • Record the breach and take no further action, or  Investigate the circumstances of the breach and any
  • remedial action, which could lead to further action;
  • Set a requirement on the data controller to undertake a course of action to prevent further breaches;
  • Start formal enforcement action which could lead to a fine of up to £500,000

For further information see https://ico.org.uk

Do enter your email address and click on the subscribe button on top right to keep up to date with new posts.

Fightback Ninja Signature