Cyber Security Awareness Month – Week Four (Part Two)
By Daniela Cooper, on 29 October 2024
Here is Part Two of Week Four’s content for Cyber Security Awareness Month, and it is the very last one for this year! This short security-related story is all about Preventing identity theft. If you haven’t already entered the Week Four (and Week One, Week Two and Week Three) quizzes to win a £25 Amazon voucher, see the details on how to enter at the bottom of the post.
Preventing identity theft
How to steal an identity
It’s as easy as…
Most of the data needed to steal a person’s identity can be found online. Data can be bought (illegally) from the dark web, or found using free online tools and publicly available information.
Armed with a full set of personal details, a criminal is able to:
- Purchase products or services using the details of the victim.
- Apply for credit cards using the details of the victim.
- Create false identity documents for use in further criminal offences, such as employment fraud, benefit fraud and mortgage fraud.
- Access or open bank accounts to steal money directly or to commit money laundering offences.
Social media
Personal accounts
Social media profiles are an important part of our personal and professional identities (and an important part of staying up till 3am watching YouTube videos).
Unfortunately, criminals also use social media to ‘fill in the gaps’ when researching victims. They look for full names, dates of birth, addresses, education histories, pet names and family members.
This doesn’t mean we shouldn’t use social media. It just means we need to keep a few things in mind. Things like:
- Are you uploading photos to social media?
- Do they contain sensitive information (like details of debit cards or flight tickets)?
- Have you geotagged yourself?
- Geotagging doesn’t just let people know where you are – it lets them know where you’re not!
Professional accounts
Information posted to professional social media accounts can be used by criminals to orchestrate social engineering attacks. Before posting, consider if and how your post might be used by a criminal, either in isolation or when combined with other information.
Pro Tip
Use Google’s Manage your reputation tool to see exactly what personal information is publicly available and remove any unwanted content or associated search results.
Mobile phones
SIM swapping
Mobile phones are often used by companies as a means of authentication. You’ll be sent a code by text message as part of the login process. You need to enter the code along with your username and password to authenticate your login.
Because mobile phones are being used more and more frequently for authentication, they’re now being targeted by criminals in a process known as SIM swapping.
How’s it done?
SIM swapping sees criminals gain access to your phone by requesting a new SIM card from your network provider.
This is how:
- First, criminals contact your phone company pretending to be you.
- Next, they answer a series of security questions. If successful, they amend your address.
- Then, they request a new SIM card.
- Finally, they activate the new SIM card. Your SIM stops working and all phone calls and text messages are diverted to the criminal.
Once a criminal has access to your mobile phone, they can use it to reset passwords, log in to accounts and treat it as a means of verification when contacting companies.
Pro Tip
Protect yourself from SIM swapping by contacting your network provider and setting a password on your account. In the future, they’ll ask you for your password instead of security questions.
Bulletproof your identity
Know the signs!
The following may indicate identity theft:
- Unauthorised transactions made from your bank account.
- Letters or emails about products or services you do not recognise.
- Letters or emails failing to arrive.
- Phone calls and text messages suddenly cease.
- Goods delivered without being ordered.
- Credit or debit cards being declined, or refusal for credit related services.
Act fast!
If you think you are a victim of identity theft, take immediate action. Criminals will act quickly to exploit your details for maximum gain; you need to act quicker.
- If you notice unauthorised transactions or a credit/debit card is declined, contact your bank or card provider.
- If phone calls or text messages suddenly cease, contact your network provider.
- If you receive letters, emails or goods you weren’t expecting, or if letters, emails or goods you were expecting fail to arrive, contact the company or provider concerned.
Long-term protection
Sign up to free credit-scoring services
Before committing identity-related offences, criminals commonly sign up to free credit-scoring services using their victim’s details and an email address they control. This lets them monitor the victim and learn as soon as a new credit service has been granted.
By signing up to a service first, you prevent criminals from opening shadow accounts in your name. Signing up also allows you to monitor your credit history and check for suspicious spending. In the UK, consider Equifax, Experian, and TransUnion.
Register to vote at your current address
Doing so prevents criminals from registering your details at their address so they can redirect and intercept your mail.
Remove yourself from the open voters register
Next time you vote, be sure to tick the box requesting your information be removed from the public electoral register.
Secure your mail
All the information needed to commit identity theft lies in a single bank statement. So, stealing mail is a highly effective way of committing identity theft.
Make sure your mail is secure. Shred any documents containing personal details before disposing of them.
Consider protective registration
Protective registration is a service offered in the UK by CIFAS, a non-profit fraud prevention organisation. Protective registration places a marker next to your name and personal details in the secure National Fraud Database. Companies signed up to the database take extra steps to protect details, making it harder for criminals to apply for products and services in your name.
The one downside to protective registration is it can take longer to gain approval for credit. The service costs £25 and lasts for 2 years.
Summary
1. Identity theft is the most prevalent form of cybercrime. Be vigilant. Regularly check bank statements and free credit scoring accounts.
2. Review security settings on your social media accounts. Be mindful of what you post. The internet never forgets.
3. Call your network provider and secure your mobile phone account with a password.
Week Four Quiz
For the chance to win a £25 Amazon voucher answer the following question:
Q: What are the 3 steps needed to protect your devices?
Hint: The answer can be found in the Week Four (Part One) blog post – see below.
Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week Four.
If you haven’t entered the Week One quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/03/cyber-security-awareness-month-week-one-part-1/
If you haven’t entered the Week Two quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/10/cyber-security-awareness-month-week-two-part-one/
If you haven’t entered the Week Three quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/18/cyber-security-awareness-month-week-three-part-one/
Cyber Security Awareness Month – Week Four (Part One)
If you haven’t already read Week Four (Part One), you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/29/cyber-security-awareness-month-week-four-part-one/
Many thanks to CybSafe for providing the content for this blog post!
Cyber Security Awareness Month – Week Four (Part One)
By Daniela Cooper, on 29 October 2024
It’s already the last week of Cyber Security Awareness Month; where has the last month gone? Here is Part One of Week Four’s content. This short security-related story is all about Protecting your devices. Make sure you read all the way to the end to enter our Week Four quiz for your last chance to win a £25 Amazon voucher. If you haven’t already entered the Week One, Week Two or Week Three quizzes, see the details on how to enter at the bottom of the post.
Protecting your devices
It’s 7.30am. I’m on the bus. It’s cold and wet and I’m ready for a long shift at the day job.
Then I see him. Professional-looking, middle-aged guy on the way to work. He’s a little too engrossed in a newspaper. He plants his backpack on the seat next to him.
As the bus pulls into his stop, he tucks the newspaper under his arm and nods to the bus driver. Seems like a nice chap.
Then I notice it: he’s forgotten his bag.
I’m Leah. Bus rider, technology fanatic and cybercriminal. And today I earn my living.
The cybercriminal code of conduct
I grab his bag and take a peek. His laptop is there. Jackpot.
But, if I’m going to earn my cash, I have to remember the first rule of being a cybercriminal: don’t get caught.
This means getting rid of the evidence (i.e. the laptop) as soon as possible.
I have 20 minutes till the bus loops back around and I can return the laptop. 20 minutes to grab everything I need and install some nasty ransomware.
Plenty of time.
Pro Tip
Ransomware is a kind of malicious software. It blocks access to information, data, and computer systems until a sum of money is paid. However, there is no guarantee that access will be granted, even after the ransom’s been paid.
Too close for comfort
I’ve already spotted his first mistake: being in the wrong place at the wrong time. And I’m not talking about him. I’m talking about his diary. It’s right next to his laptop. A treasure trove of pet names, important dates and personal information. His name is John.
Using a password profiler, it takes 8 minutes to figure out John’s most important passwords.
With John’s password cracked, his laptop is mine.
Then I hit the first snag. John’s installed multi-factor authentication (MFA). Well played.
Leah 1 – 1 John
The good, the bad and the useless
John is clearly well up-to-date with his organisation’s security policies. As with any high-performing professional, he has MFA linked to his phone. That’s the ‘good’.
As I go to log in, John’s laptop sends its access request to his phone. I hear a melodic ping come from John’s bag. Yep, it’s his work phone. You may think that this is a win, but I’m not hopeful.
If John’s set up facial recognition or a fingerprint scanner on his phone, it’s protected. Even I can’t get past a biometric lock.
I look at his phone. John’s turned off notifications. This means no lock-screen pop-up messages to give away the code. Clever. Thankfully, the phone only requires a four-digit pin. That’s the ‘bad’.
I try a few different combos.
‘0000’.
Nope.
‘1234’.
Nope.
‘4321’.
PIN accepted.
That’s the ‘useless’.
Pro Tip
MFA is incredible. It will take your accounts from 50% secure to 99% secure. BUT ONLY if used in conjunction with biometric identification or a strong passphrase while notifications are off.
Engage all defences!
The bus swerves round a sharp corner and someone bumps into me. I worry they’ll notice that I’m up to no good, but they don’t.
I log into John’s computer and see that he has the most important defences primed: an antivirus and a firewall.
Antivirus software provides near-complete protection against malware. John’s evidently more cyber-savvy than I give him credit for. I’m almost proud.
Pro Tip
Make sure your devices are protected with antivirus software.
Case study: the computer virus from Outer Space
Ants, cats, frogs and even jellyfish have been sent to space. But in 2008, the first computer virus made its way to orbit. The virus, Gammima.AG, was designed to collect user login details and send them to a central server. Somehow, it found itself on board the International Space Station. How? The astronauts’ laptops didn’t have antivirus software installed.
A firewall is just as important. Luckily for John, his is turned on. It decides what his computer lets in and what his computer keeps out. Like his own private virtual bouncer.
Pro Tip
Hey, remember the last pro tip? Yep. Do the same for your firewall. Go on! Check if it’s turned on. I’ll wait.
Unfortunately for John, his software hasn’t been updated.
Who needs updates?
You can tell a lot from someone’s device. Not just their account details and favourite font, but what they’re like as a person.
John dislikes cold weather and vegetables (judging by his most recent takeaway order). He also dislikes updates. I know this because I’m bombarded by update notifications as soon as I open up his system settings. This means there are holes in his devices’ security.
I look at the software version John has installed. Like an open book, I can see every exploit. Every flaw. Total transparency. A cybercriminal’s dream.
Case study: NotPetya
NotPetya was a kind of ransomware that targeted corporate networks. It used the same way in as the earlier ‘WannaCry’ attack, and the Windows update that defended against WannaCry would also have been effective against NotPetya. Unfortunately, many of the companies that fell victim to NotPetya had not updated their operating systems. NotPetya caused roughly USD 10 billion in financial losses.
To think, my plans could have been scuppered if John had just set his security software to auto-update. Everything would be downloaded and installed automatically. What a shame.
John’s favourite font is Helvetica, by the way.
The John Files
Ransomware could make me some good money, but only if there’s anything worth ransoming. As the bus begins its journey back toward John’s stop, I treat myself to a look at his work files.
Access denied.
John has encrypted his files. Perhaps I’ll need to extend my journey.
Encryption sounds complex, but it’s actually just a type of lock. It scrambles information when active, and unscrambles it when unlocked. John’s locked his files behind a password. It’s a simple spell, but quite unbreakable.
Thankfully, John keeps all of his passwords in the notes app on his phone. Easy peasy. I now have access to his files. No extra journey required.
Leah 4 – 3 John
Permission to enter
You’d think it would be easy to install the ransomware after accessing John’s files, but I have to be wary of permissions.
You see, users need permissions to make changes to an account. Permissions decide what can enter and what can alter computer files. If John has set up his devices properly, his user account won’t have permission to install software.
As this is John’s work laptop, he’s already been granted all the permissions he needs. And since I’m already in his account, I have all the permissions I need.
Thanks John!
Home Tip
The best way to securely set up your personal devices is to separate User and Admin accounts (using unique passphrases for each). You should use the User account for day-to-day activities, then switch to the Admin account when installing software.
To be even more secure, set up 2 Admin accounts (with different passphrases). That way, you always have a backup if anything happens to the other accounts.
Head in the Cloud
After installing the ransomware, I use John’s phone to contact his boss.
I tell him that John left his bag on the bus. ‘Oh thank you so much, you’ve saved the day!’
Don’t I know it.
It’s time to finish up and play the hero.
But there’s one thing left that can stop my ransomware attack from working: a backup.
Backups are extra copies of data. They can be copies of a file, a picture, or a video. Anything really. They can be stored anywhere, but are only useful when kept separate from the original device. USB sticks, external hard drives, and even ‘cloud’ services are all great places to back up important data.
As the bus hurtles towards John, I pray his data isn’t backed up. If it is, I’ll have nothing to ransom.
I check cloud services: none. I check his bag for USB sticks: none. Then I find it: an external hard drive.
Pro Tip
Cloud storage is great. It’s affordable, and most providers encrypt all information stored on their servers. However, each provider is different. It’s worth researching cloud service providers, as those outside your locale may follow different data protection laws.
Though external hard drives can be secure, John left his in his bag. This means his data is mine to destroy. I plug it in and delete the lot.
Problem solved.
Pro Tip
Whilst external hard drives can be a great place to back up your data, there are a few things you should always do.
- Keep your external hard drive separate from your device.
- Only use trusted external hard drives. An infected USB stick or hard drive could harm your device.
- Encrypt the drive if it contains personal or confidential data.
Prepare to launch
The bus skids into the last stop. The doors slide open. I pop everything back into John’s bag as if they never moved. I walk 3 minutes to John’s work. It’s a huge financial company.
Perfect.
John’s waiting outside. He shakes my hand and thanks me profusely. What would he do without me? How could he ever repay me?
I tell him it was nothing and wave goodbye. John has his laptop back, and he’s already going about his day as if nothing is wrong.
I jump back onto the bus.
Time to launch the ransomware attack.
3…
2…
1…
Summary
1. Do your best to prepare for the worst. Back up all of your data and encrypt all of your files. And keep your backups separate from your devices!
2. Our phones contain our most personal details. So keep them secure! Use a strong passphrase combined with MFA to keep people out. Keep your phone and apps updated and your files encrypted.
3. Set up separate User and Admin accounts on your personal devices.
4. It only takes one hole in your device security to leave your accounts vulnerable. Make sure you have an antivirus installed, your firewall turned on, and your security software set to auto-update.
Week Four Quiz
For the chance to win a £25 Amazon voucher answer the following question:
Q: What are the 3 steps needed to protect your devices?
Hint – check out the 4th point of the summary.
Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week Four.
If you haven’t entered the Week One quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/03/cyber-security-awareness-month-week-one-part-1/
If you haven’t entered the Week Two quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/10/cyber-security-awareness-month-week-two-part-one/
If you haven’t entered the Week Three quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/18/cyber-security-awareness-month-week-three-part-one/
Cyber Security Awareness Month – Week Four (Part Two)
If you haven’t already read Week Four (Part Two), you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/29/cyber-security-awareness-month-week-four-part-two/
Many thanks to CybSafe for providing the content for this blog post!
Suspicious Emails Reporting
By Peter Andrews-Briscoe, on 23 October 2024
If you receive a suspicious email and wish to raise it with ISG to determine if it is something to be concerned about, there are several routes you can take. In this guidance, we will walk you through some common types of malicious emails that are sent and which route would be best to report each kind of email.
Common Types of Emails Received
Although phishing and spam often take new forms, there are some common templates that are consistently reused. Here are some examples:
- Spoofing: This occurs when a scammer pretends to be someone or something else to gain your trust. A common version is an email from a “colleague” asking if you’re free and then, if you reply, requesting something like Amazon gift cards. They can also take the form of a third party asking you to review a bill or receipt, or informing you that a package has been delivered. If you receive an unexpected email like this, please check with the sender (via a route other than the one they used to contact you) to verify whether it is a genuine communication.
- Blackmail Scam: These scam emails claim to have gained access to your computer via malware and to have access to sensitive files on you (such as having recorded you without your knowledge), asking you to pay them in Bitcoin or they will release the files publicly. They often provide “evidence” of the breach, such as spoofing your own email address or providing you with a password that was leaked in a public data breach. Please be aware that these are rarely evidence of an actual compromise of your account. While it is good to report these emails and change any passwords provided in the scam email, they are not necessarily a cause for worry.
- Lottery or Prize Scams: These emails claim that you have won a large sum of money or a prize, often requiring you to provide personal information or pay a fee to claim it. Legitimate lotteries do not ask for payment to receive winnings. Treat such emails with scepticism and do not provide any personal information.
Reporting Suspicious Emails
If you receive an email that you wish to have investigated, you can take the following steps:
- Send the Email to phish@ucl.ac.uk: When you send an email to this address, it will be scanned automatically and you will receive an automated response with the result. You can also click on the “Report Phishing” or “Report Junk” buttons (instructions shown here), which will give you the same automated response.
- Raise it Directly with ISG: If you believe that the classification given was wrong, or you still want a security analyst to directly review the email, you can raise a ticket with ISG with the email included, which can be done here.
Non-malicious emails
You may receive spam or junk emails which, whilst annoying, will have no harmful links or documents within them. In these cases, you will not need to report them via Outlook – you can block the sender and safely ignore the email. If you are worried that the email may have been sent to multiple people in UCL, you can report it to ISG, where we can explore if it was sent to multiple addresses and, if it is a large enough campaign, can request the address be blocked university wide.
Best Practices for Email Security
- Verify the Sender: Always check the sender’s email address carefully. Scammers often use addresses that are similar to legitimate ones but may have slight variations.
- Hover Over Links: Before clicking on any links, hover your mouse over them to see the actual URL. Ensure it matches the legitimate site. If the end site asks you to input any details, only do so if you have already ensured the email and the site are both genuine.
- Check with the Sender: If you were not expecting the email, check with the sender (via a different mode of communication, such as Teams) to verify if they sent the email.
- If in Doubt, Report: If you have any doubts, report the suspicious email via the methods provided.
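The “Verify the Sender” and “Hover Over Links” checks above can be applied mechanically to a saved message. The following is an added example written for this post, not an ISG or UCL tool: the trusted domain, the three sample messages and the finding codes are constructed for illustration, and the two-edit lookalike rule is an assumption about what “slight variations” means in practice.

```python
"""Checks behind 'Verify the Sender' and 'Hover Over Links' for one saved message.
Added example, not UCL/ISG tooling; trusted domain and samples are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"ucl.ac.uk"}   # assumption: your organisation's own domain(s)


def edit_distance(a, b):
    """Levenshtein distance; small enough to hand-roll, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain):
    """True when the domain is not trusted but is within two edits of a trusted one
    (e.g. 'uc1.ac.uk' for 'ucl.ac.uk'); an assumed rule, not an exhaustive one."""
    return (domain not in TRUSTED_DOMAINS
            and any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS))


LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def shown_host(text):
    """Hostname the visible link text appears to name, or None if it is just words."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "https://" + text).hostname


def link_mismatches(html):
    """(shown, actual) pairs where the link text names one host but href goes elsewhere;
    this is what hovering over the link would reveal."""
    out = []
    for href, text in LINK_RE.findall(html):
        shown = shown_host(re.sub(r"<[^>]+>", "", text))
        actual = urlparse(href).hostname
        if shown and actual and shown.lower() != actual.lower():
            out.append((shown, actual))
    return out


def check_message(raw):
    """Return finding codes for one RFC 5322 message given as a string."""
    msg = message_from_string(raw)
    findings = []
    _name, from_addr = parseaddr(msg.get("From", ""))
    _name, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    if lookalike(from_dom):
        findings.append("lookalike-sender-domain")
    # A Reply-To pointing at a different domain is the classic 'colleague' gift-card set-up.
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append("reply-to-elsewhere")
    if msg.get_content_type() == "text/html" and link_mismatches(msg.get_payload()):
        findings.append("link-text-mismatch")
    return findings


# Constructed samples (not real messages).
GENUINE = """From: A Colleague <a.colleague@ucl.ac.uk>
To: you@ucl.ac.uk
Subject: Quiz entries

Thanks for entering the Week Four quiz.
"""

GIFT_CARD = """From: Head of Department <head.of.dept@ucl.ac.uk>
Reply-To: head.of.dept@mail.example
To: you@ucl.ac.uk
Subject: Are you free?

Are you free? I need a favour.
"""

LOOKALIKE = """From: IT Support <it-support@uc1.ac.uk>
To: you@ucl.ac.uk
Subject: Review your bill
Content-Type: text/html

<p>Review it at <a href="https://billing.example.net/x">https://myservices.ucl.ac.uk</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("gift card", GIFT_CARD), ("lookalike", LOOKALIKE)):
        print(label, check_message(raw))
```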
Securing emails: using Bcc over Cc
By Peter Andrews-Briscoe, on 23 October 2024
In today’s digital age, it should come as no surprise that many data breaches stem from the improper use of email. Email is one of the most common methods of communication due to its ease and convenience. However, this ubiquity also means that simple mistakes can have significant repercussions.
One common mistake is using Cc instead of Bcc for large bulk emails. For day-to-day emails involving communication between a few team members who are already aware of each other, using Cc is generally acceptable. However, significant problems can arise when you start bulk emailing people who do not know each other.
It’s important to note that it’s not always “just an email address” being exposed in these situations. Consider the case of a clinical trial studying a particular health issue or a bulk email to students who have recently used university-provided counselling services. Sending an email to all participants and using Cc instead of Bcc will reveal the sensitive information of everyone in the email thread. An example of this is shown in this article written by the ICO, where 166 people’s HIV status was breached due to the use of Cc instead of Bcc.
For more on the importance of using Bcc over Cc, you can refer to this article from the ICO, which includes advice and case studies on relevant breaches: ICO Guidance on Email Security. Additionally, you can learn about how to use Bcc and how to mitigate any mistakes here: Preventing Email Data Breaches.
The use of Bcc should be encouraged as much as possible. Unless you’re certain that all recipients are aware of each other and need to communicate with everyone in the email chain, Bcc should be the standard practice.
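One way to enforce the Bcc-by-default rule is a guard that runs on an outgoing message before it is sent. The block below is an added example written for this post, not UCL mail-system code: the recipient threshold, the “people in the sender’s own domain already know each other” heuristic and the two sample messages are all assumptions made for illustration.

```python
"""Outgoing-mail guard for the Cc-versus-Bcc problem: when a message carries
more visible recipients than a small team, or recipients outside the sender's
organisation, move them all to Bcc so none can see the others.
Added example, not UCL mail-system code; threshold, heuristic and samples are assumed."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

BULK_THRESHOLD = 5  # assumption: more visible recipients than this is a bulk send


def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def visible_recipients(msg):
    """Addresses every recipient can see: To and Cc (Bcc is stripped on sending)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def exposes_recipients(msg):
    """True when leaving these recipients visible would disclose who else got the mail.
    Heuristic (assumption): people in the sender's own domain already know each other,
    so a mailing to outside participants is always treated as sensitive."""
    _name, sender = parseaddr(msg.get("From", ""))
    recips = visible_recipients(msg)
    outsiders = [a for a in recips if domain(a) != domain(sender)]
    return len(recips) > BULK_THRESHOLD or bool(outsiders)


def hide_recipients(raw):
    """Parse a message; if it would expose recipients, rewrite it so they sit in Bcc.
    Returns (message, number_of_addresses_hidden)."""
    msg = message_from_string(raw)
    if not exposes_recipients(msg):
        return msg, 0
    recips = visible_recipients(msg)
    del msg["To"]
    del msg["Cc"]
    msg["To"] = msg["From"]          # To must hold something; the sender's own address is conventional
    msg["Bcc"] = ", ".join(recips)   # the sending server drops this header from each delivered copy
    return msg, len(recips)


# Constructed samples: a small internal thread, and a mailing to trial participants
# who must not learn each other's identities (the scenario the ICO case describes).
TEAM_MAIL = """From: team-lead@ucl.ac.uk
To: colleague-one@ucl.ac.uk
Cc: colleague-two@ucl.ac.uk
Subject: Quiz winners

Draft attached.
"""

TRIAL_MAIL = """From: trial-coordinator@ucl.ac.uk
To: participant01@mail.example
Cc: participant02@mail.example, participant03@mail.example, participant04@mail.example, participant05@mail.example, participant06@mail.example
Subject: Follow-up appointment

Please book your next visit.
"""

if __name__ == "__main__":
    for raw in (TEAM_MAIL, TRIAL_MAIL):
        msg, hidden = hide_recipients(raw)
        print(hidden, "hidden; visible now:", visible_recipients(msg))
```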
Cyber Security Awareness Month – Week Three (Part Two)
By Daniela Cooper, on 18 October 2024
Here is Part Two of Week Three’s content for Cyber Security Awareness Month. This short security related story is all about Sophisticated Attacks. If you haven’t already entered the Week Three (and Week One and Week Two) quizzes to win a £25 Amazon voucher, see the details on how to enter at the bottom of the post.
Sophisticated attacks
Meet Sophie. Sophie is a security consultant. She gets paid to think like a criminal and break into buildings.
Organisations hire Sophie to test their security.
Sophie uses fake emails, phone calls and text messages to pretend to be someone she’s not. Much of the time, she approaches people in person and manipulates them to help her.
Sophie’s attacks are “sophisticated” because she targets individuals. Sophisticated attacks work by getting people to do things they wouldn’t usually do, like provide access to restricted information or areas, pay “invoices”, or break policy.
Sophisticated attacks are often called “social engineering” attacks.
Recently, a client hired Sophie to test two of their facilities: a manufacturing plant and a nearby office.
This is how she did it…
Stage 1: Research
Your social media accounts are Sophie’s best friend. The more information you share, the more options you give her.
Sophie has several fake profiles. You might even be connected to one. (A good reason to always verify who people are before accepting requests.)
Sophie started by using one of her accounts to look for people who worked at the facilities. She found a Facebook account of a young woman, “Mary”.
Mary worked as a front desk assistant at the manufacturing facility.
Mary’s Facebook profile showed pictures of her volunteering at a maternity support centre. Sophie could tell Mary cared for children and new mothers. Of course, she would use this to her advantage.
Stage 2: Setting the scene
Sophie knew she would more likely be welcomed into the facility if staff were expecting her. So, she went about setting the scene for her arrival.
Armed with the knowledge about Mary, Sophie picked up the phone.
Before dialling, Sophie disguised her phone number so it looked like she was calling from head office. This process is known as “spoofing”.
Spoofing: When emails, phone calls and text messages are made to look like they’re from someone else.
By spoofing her client’s head office phone number, Sophie added credibility to her attack. Spoofing works because people don’t always verify who they’re talking to.
Pro Tip
What to look out for: Phone calls
All phone numbers can be faked. This includes internal extensions.
Criminals pose as legitimate people, like bank staff or IT teams. Their aim is to convince targets to do things they wouldn’t usually do.
Control your emotions, especially if the caller tries to get you to panic, worry, or act under pressure. Don’t do things you wouldn’t normally do. Stick to policy.
When necessary, verify. Call back using a known contact number (either that you know or that’s published online).
What to look out for: Text messages
Criminals also use fake text messages to encourage people to:
- Click links that lead to fake websites. Fake websites are set up to steal personal details or install malware.
- Call numbers that connect to criminals, or premium-rate lines.
Fake text messages can even drop into ongoing conversation threads with genuine contacts!
It’s rare for us to advise never to do something. Text messages are the exception. There’s no way to determine the real sender of a text message, so:
- Never click links in texts.
- Never follow directions sent via text.
- Don’t do things you wouldn’t normally do. Stick to policy.
- Verify if you need to, search online for legitimate details.
All suspected fake phone calls and text messages should be reported.
“Hi Mary! My name is Barbara.”
Sophie got right to it. She explained she was “Barbara”, a project coordinator arranging the refurbishment of company offices.
Sophie told Mary she was sending an interior designer out the next day. The interior designer, Sophie said, was putting together a facility-update proposal.
Mary was cautious, “Well, that’s great! But why the short notice?”
It was time for Sophie to play her trump card.
Sophie explained she should have called sooner. But she was overloaded with work and was due to give birth in six weeks, “If my boss finds out I messed this up he’s going to flip.”
Mary cut her off. “Oh, it’s ok. We’ll work this out! Tell me about the baby! Is it your first? Boy or girl?!”
Mary was hooked. She was a good person, who just wanted to help.
The two talked babies and birth plans for a while. Mary then took down the name of the designer who would visit the next day, “Claire”.
If only Mary had verified who she was talking to. If only she had hung up and called back.
But she didn’t…
Stage 3: Attack
Sophie showed up the next day as “Claire” the interior designer. Claire had her own business cards and website! (Sophie had made them the night before.)
Mary and her boss were waiting to welcome Sophie. She shook hands and handed them each a business card. Mary gave Sophie a visitor badge and invited her in.
Sophie gained rapport with the staff by asking them what they wanted from an office space. “You want a standing desk? New chairs over here?! Ergonomic keyboards for all!!”
Everyone was very excited.
Sophie took forever looking around. Eventually Mary and her colleagues had to get back to work. They left Sophie, giving her complete, unaccompanied access to both facilities.
The company had a policy of escorting visitors. But because Sophie had been seen with trusted insiders, no one questioned her. She was free to do as she pleased.
Pro Tip
What to look out for: In-person approaches
In-person approaches rely on our desire to help. This shouldn’t be discouraged.
We should trust the people around us, but we also need to be comfortable checking if something doesn’t look or feel right.
Procedure is well thought out. It’s there to support and protect. A genuine person without ID won’t be annoyed or angry if you politely ask who they are and why they’re in the building. Trust, but verify.
What to look out for: Shoulder surfing
“Shoulder surfers” are opportunists who check screens or listen to private conversations.
When working in a shared space:
- keep your desk clear to prevent loss of physical assets,
- and consider who’s around before discussing sensitive topics, just as you would with your PIN at an ATM or whilst on the phone to your bank.
A privacy screen is a thin piece of plastic that’s placed over your monitor. It stops people seeing what’s on your screen.
What to look out for: Fake USB devices
Fake USB devices are USB devices that damage or steal data from computers or networks.
Any USB device can be harmful. This includes charging cables.
Labels like “bonus payments” can make USBs enticing. Letting curiosity take over can be risky.
Report any stray USB devices you find. Plugging them in isn’t worth it.
Sophie took her time. She gained network access and stole several thousand dollars worth of computer equipment.
Once she’d finished, Sophie found the office of the person who’d hired her…
“Who?…. Wait, what? How? How did you get in here?!”
Sophie sat down and smiled, “Let me start from the beginning…”
Summary
Everyone should be able to do their job without worrying about sophisticated attacks.
Trust those around you. But recognise when you’re being steered by emotions. Be comfortable checking when things aren’t right.
Don’t panic if you accidentally click, say, or do something unwise in an odd moment. It’s okay as long as it’s reported. Reporting buys time. It prevents further damage.
Stopping sophisticated attacks: “Trust, but verify”
1. All emails, phone calls and text messages can be made to seem as if they’re from someone else.
2. If you receive a request you weren’t expecting, or one that has an undue sense of urgency, slow down. Verify and follow policy.
3. If you think you’ve identified a sophisticated attack, report it. Reporting prevents cyber crime.
“Sophie” is a real person. Her story was adapted from the original published on vice.com on 20th October 2017.
Week Three Quiz
For the chance to win a £25 Amazon voucher answer the following question:
Q: Not doing what, is like leaving the front door unlocked for criminals?
Hint: The answer can be found in the Week Three (Part One) blog post – see below.
Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week Three.
If you haven’t entered the Week One quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/03/cyber-security-awareness-month-week-one-part-1/
If you haven’t entered the Week Two quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/10/cyber-security-awareness-month-week-two-part-one/
If you haven’t already read Week Three (Part One), you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/18/cyber-security-awareness-month-week-three-part-one/
Thanks to CybSafe for providing the content for this blog post!
Cyber Security Awareness Month – Week Three (Part One)
By Daniela Cooper, on 18 October 2024
Here is Part One of Week Three’s content for Cyber Security Awareness Month. This short security related story is all about Working Remotely. Make sure you read all the way to the end to enter our week three quiz to win a £25 Amazon voucher. If you haven’t already entered the Week One and Week Two quizzes, see the details on how to enter at the bottom of the post.
Working remotely
“Invite to Saleena’s virtual leaving drinks? Awesome. It’s not like there’s anything else to do!”
Sarah has been working remotely for nearly a year.
At first, she enjoyed her new environment. Cool home-office gadgets, cosy blankets, and a fresh obsession with plants.
The novelty quickly turned frustrating. No distractions, no water-cooler chats, no social interaction.
Like most people, Sarah’s desire for social interaction skyrocketed.
So, Sarah enthusiastically clicked on the Zoom invite for Saleena’s event!
Before she had a chance to read the details, the doorbell sounded. She rushed to open the door for a delivery.
By the time she came back, the invite had disappeared, and the computer had turned off.
Strange.
Where did Sarah go wrong?
Checking emails
Whether it’s the desire to feel connected or the anticipation of a precious delivery, criminals take advantage.
Unsurprisingly, fake emails more than doubled when working remotely became the new normal.
And the invite for Saleena’s leaving drinks was indeed a fake email with a fake link to a fake Zoom event. All communications can be faked to make it look like they’re from someone else.
Pro Tip
Check sender’s email address. Do you recognise it? Does it match the name of who the email is from? If not, verify using an alternative contact method.
Check email content. Is the email unexpected? Is it too good to be true? If something doesn’t feel right, slow down and report it to your IT department.
Check links and attachments. Do you recognise them? Hover your mouse over a link to see its true destination. Use a reliable search engine to check whether it’s safe to open.
If you suspect an email, report it to your IT department or security team. You can also report it to the NCSC.
Policies, procedure, guidance, winning
Approved technology, whether it’s hardware (e.g. a work device) or software (e.g. antivirus) is set up to have the best protection possible.
By clicking the fake Zoom link, Sarah unknowingly downloaded malicious software onto her personal computer. She didn’t have the same protection in place on her own device as on the one given to her by Liteify, her organisation.
Pro Tip
Work devices often have a lot of security layers in place. If you can, make sure your work and personal devices are separate. Keep work emails on work accounts and personal emails on personal accounts. Avoid forwarding emails from one to the other, just in case.
Personal devices: Updates
If you’ve been allowed to work on a personal device, make sure you have the following protections in place.
Antivirus
Antivirus protects devices from malware and viruses. It checks links, files, software and applications against known threats and monitors suspicious activity from programs running on your device.
As with any product or service, make sure to review several options before purchasing and only buy from reputable sources. It may be that your organisation recommends, uses, or is partnered with, a chosen provider.
Check first, as you might be able to gain access to a reputable provider for free!
Updates
Not installing software updates is like leaving the front door unlocked for criminals.
Outdated devices or apps can be an entry point for malware into home networks. Updates keep them secure by fixing newly discovered vulnerabilities.
Enable auto-updates for as many other pieces of software as you can.
Firewalls
A firewall is a set of virtual rules that tell the computer what data to let in, let out, and keep out. Here is how to turn it on
After restarting her device, Sarah noticed nothing wrong with it. She had no idea about the malware, until she got a strange email from a colleague.
She definitely did not send that email. After a short panic, Sarah reported the suspicious email she purportedly sent to her colleague.
Other colleagues had reported the unusual emails from Sarah, too. Thanks to these reports, the company’s security team successfully identified the fake email that attackers used to infiltrate Liteify’s systems and hijack Sarah’s email account.
Routers and passphrases
Though she felt uneasy and embarrassed, Sarah was also relieved. She understood the impact an accidental click and the absence of antivirus could have and decided to take action.
Routers
Unsecured routers can put both personal and work devices at risk.
Wi-Fi networks can be vulnerable if the router’s default settings aren’t changed, as defaults make it easy for criminals to gain remote access.
Secure your home routers for protection when working from home.
Strong and separate passphrases
Securing home routers is only effective if they’re protected with strong passphrases. Passphrases are passwords, but better: stronger and easier to remember.
Reusing passphrases is risky. Using unique passphrases for each account is one of the easiest ways to protect your accounts in the event of a data breach.
Pro Tip
The most effective action to prevent cyber crime on a personal level is to use strong and separate passphrases on valuable accounts and home routers. If the systems or policy allow, use separate passphrases on workplace accounts.
How to – passphrases
An easy way to set a passphrase is to use three random words, such as:
workHOMEsecure2022
Join the words together to create your passphrase. You can include special characters, capital letters and numbers in memorable positions, like at the end:
workHOMEsecure2022!!
Passphrases should be at least 12 characters long – but the longer, the better.
Working from anywhere
Just like Sarah, 1 out of every 2 people worldwide work remotely at least once a week. Whether working from a beach in Bali or a local coffee shop, there are additional things to consider when working away from home.
Public Wi-Fi
Public Wi-Fi hotspots can be used to monitor web use and intercept personal information. You can protect yourself by tethering or using a VPN.
Tethering is sharing a device’s (phones, most often) internet connection with another device.
VPNs can be downloaded as an app. A VPN creates an encrypted connection from your device, so traffic passing through the Wi-Fi hotspot can’t be read by whoever runs or monitors it.
Being aware of your environment
- Lock unattended devices to prevent unauthorised access, especially when living with others or working in a shared space.
- Use privacy screens if needed.
- Avoid discussing sensitive work topics in public.
Week Three Quiz
For the chance to win a £25 Amazon voucher answer the following question:
Q: Not doing what, is like leaving the front door unlocked for criminals?
Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week Three.
If you haven’t entered the Week One quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/03/cyber-security-awareness-month-week-one-part-1/
If you haven’t entered the Week Two quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/10/cyber-security-awareness-month-week-two-part-one/
Thanks to CybSafe for providing the content for this blog post!
Cyber Security Awareness Month – Week Two (Part Two)
By Daniela Cooper, on 11 October 2024
Here is Part Two of Week Two’s content for Cyber Security Awareness Month. This short security related story is all about passphrases and MFA. If you haven’t already entered the Week Two quiz to win a £25 Amazon voucher, see the details on how to enter at the bottom of the post.
Passphrases and MFA
I was sipping my latte when I overheard her.
“It was a bargain! Only $700 at xyz-style.com!! Just look how cute it is!!!”
The dress is alright… Judith Harris. That’s her full name. A glance at her employee ID was all I needed.
Judith is clearly well-off. Who else describes a $700 dress as “a bargain”?
So what’s next?
I start looking online to see what other personal information I can find.
It takes just a few minutes.
Her Facebook and LinkedIn accounts are both public. In a few minutes, I know a lot about her: date of birth; home and work email address; family members; recent holidays; hobbies; and the dog’s name, obviously.
I bet I can use the information to break into her email account. From there I can access other accounts and services linked to it, like PayPal, Amazon, and her credit cards.
To start, I’ll need to crack her password. To do this I need a “wordlist”. A wordlist is just a file containing passwords. Hundreds of thousands of them.
You can download generic wordlists online. In my experience though, they don’t work as well as ones you build yourself.
I use a piece of software called CUPP (short for Common User Passwords Profiler). CUPP generates a custom wordlist using the information I know about Judith.
This is what it looks like, if you’re interested.
There are other ways to hack accounts.
I chose to crack Judith’s password. It’s not the most effective way to hack an account. But it keeps my skills sharp. It’s also fun!
The dark web: It’s easier to buy stolen account details from the dark web. People rarely use different passwords for different accounts. I take the details from one stolen account, and use them to access other accounts belonging to the same person. It’s child’s play.
Public Wi-Fi: Public Wi-Fi is also a helpful friend. Shared networks, like the ones in coffee shops, can be used to intercept passwords.
Personally, I never use public Wi-Fi to do things I wouldn’t want other people to see, like access accounts containing personal info, send emails, or make payments. You shouldn’t either.
Fake emails, messages & phone calls: If I get stuck, or if I’m going after a cautious individual, I’ll reach out directly. My message will look similar to something they’d normally receive, like a delivery notification or a message from a colleague.
The message will contain a link to a fake website that looks genuine. The website will be set up to steal their password. These “sophisticated attacks” are great at tricking people into giving away their passphrases.
Right, I have Judith’s email address and 203,462 potential passwords. But I can’t just bang on Gmail’s front door. Google will lock the account if the wrong password is entered too many times.
What about xyz-style.com…? The website she got her “bargain” of a dress from. I wonder if it has the same security controls in place.
…bingo! I’m in.
(I say “bingo” as if it happened instantly. It didn’t. It took about 8 minutes. Had to get another coffee and everything.)
Scared now, huh? No need to be.
People don’t realise they can check if passwords or account details have been leaked online. haveibeenpwned.com is a website that lets you check if you have an account that has been compromised in a data breach. It’s owned by Troy Hunt. Troy is a respected security professional and Regional Director at Microsoft.
Check it out: haveibeenpwned.com
It can be scary, but it’s worth doing. You can also sign up to an alerts system which will notify you if your details appear in future breaches.
Back to Judith.
I’m in to xyz-style.com. There’s not much to see. The site doesn’t store card details, unfortunately.
Doesn’t matter. The reason I hacked into xyz-style.com was to attribute a password to Judith. People frequently reuse passwords. Let’s try the same one to login into her email account…
Forget about passwords.
In the past, you may have been advised to use a complex password. Something like this…
~2EnQ4#t?
It’s bad advice.
Complex passwords are very difficult for humans to remember. They’re also very easy for computers to guess, or “crack”.
Something like the above would take just 8 days for a computer to crack.
Using personal information in your passwords is also a bad idea.
So what should you do?
Use a passphrase.
Passphrases are similar to passwords. They’re just stronger and easier to remember.
Pro Tip
An easy way to set a passphrase is to use three random words, or a simple but memorable saying, for example:
- linguini pencil london
- dogs eat meat dogs play beats
Join the words together to create your passphrase.
You can include special characters, CAPITAL LETTERS and numbers.
Place them in simple, memorable positions, like at the end:
- linguiniPENCILlondon2020!!
- DOGSeatmeatDOGSplaybeats2020!!
Your passphrase should be at least 12 characters long, but longer is better, if you can.
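The three-random-words method above (and the same advice in the Week Three post) is easy to turn into a small tool. Here is an added example, not code from the post or from CybSafe, that generates a passphrase from a word list and checks a candidate against the two rules given here: at least 12 characters, and no personal details (a pet’s name, a birth year) of the kind Judith’s attacker collected. The word list is a constructed sample; a real generator would draw from a list of several thousand words.

```python
import secrets

# Constructed sample word list for the example. Every word is at least four
# letters, so three of them always clear the 12-character minimum.
WORD_LIST = [
    "linguini", "pencil", "london", "work", "home", "secure",
    "meadow", "copper", "violin", "harbour", "tulip", "glacier",
]

MIN_LENGTH = 12  # the post's minimum; longer is better


def make_passphrase(words=WORD_LIST, count=3, suffix=""):
    """Join `count` randomly chosen words, capitalising the middle one so the
    passphrase carries upper-case letters in a memorable position. A suffix
    such as "2020!!" adds numbers and symbols at the end, as the post suggests.
    `secrets.choice` is used rather than `random` so the choice is
    unpredictable."""
    chosen = [secrets.choice(words) for _ in range(count)]
    middle = len(chosen) // 2
    chosen[middle] = chosen[middle].upper()
    return "".join(chosen) + suffix


def check_passphrase(passphrase, personal_info=()):
    """Return a list of problems. An empty list means the passphrase passes
    both of the post's rules: long enough, and free of personal information.
    `personal_info` is the set of details an attacker could learn about you
    (pet names, birth year, street name, and so on)."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = passphrase.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item!r}")
    return problems


if __name__ == "__main__":
    candidate = make_passphrase(suffix="2020!!")
    print(candidate, check_passphrase(candidate, personal_info=["Fido", "1985"]))
```

The check deliberately ignores the character classes in the passphrase: the post’s point is that length and unpredictability matter more than symbols, so a 9-character string like the “complex” example above fails on length alone.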
Extra protection.
…It works!
I’ve hacked into Judith’s email. She’s made it so easy for me.
You might be wondering what the value of this exercise is. Let me show you.
Many people do not realise how much they have invested in their email accounts until those accounts are in the hands of criminals.
In nearly all cases, the person in control of an email address can reset the password of any associated service or account.
By then it’s too late.
Stealing, cracking or buying passphrases is challenging. But it’s not impossible.
I’d suggest using extra measures to protect your accounts. That’s what I do.
Step 1: Protect your valuable accounts with multi-factor authentication (MFA)
MFA is a powerful tool to protect your main email and other high-value accounts. It takes an account from about 50% secure to 99% secure.
MFA lets you verify your identity twice when logging in, using your passphrase and a unique code from your phone.
This means if I have access to your passphrase, I cannot get into your account unless I also have access to your phone.
Many believe you have to enter MFA codes every time you login. You don’t! After logging in for the first time, the device and the account become “linked”. Once the device is linked, it’ll usually log in automatically. Easy.
Setting up MFA
Step 2: Use biometric readers
Biometric readers are things like fingerprint scanners and facial recognition cameras. They bolster the effectiveness of your passphrases.
Biometric readers are a real time saver. But they’re only as strong as the passphrase they represent. If you have access to, say, a fingerprint scanner, only use it in conjunction with a strong passphrase!
The four-digit pin you’ve “protected” your phone with? That’s not secure even with a biometric reader. You can do better!
Step 3: Use a password manager
A password manager stores all your passwords (or passphrases) in one place. They’re great if you have lots of different passwords to remember.
The passwords stored in the password manager are secured with one “primary passphrase”.
You can get them as standalone apps or you can use the one in your web browser. Both are good.
If you don’t feel comfortable using a password manager, you can write passwords down. Store them somewhere safe, out of sight and, most importantly, away from your computer.
Summary
I’m not real, obviously.
I serve a purpose though. I represent real people.
I am online criminals, nation-state hackers, and every person who doesn’t have a job or means to make money legally. If you make it easy for me, I will eventually get you.
I do this because I can. And because people make it easy for me.
1. Using strong passphrases is the most effective thing you can do to prevent cyber crime.
2. Use a strong and separate passphrase for your most valuable accounts, like your home and work email accounts.
3. MFA takes an account from about 50% secure to 99% secure. If it’s available, use it!
4. If you’re struggling to remember multiple passwords, consider a password manager.
Week Two Quiz
For the chance to win a £25 Amazon voucher answer the following question:
Q: What are the three steps to spotting a fake email?
Hint – the answer is in Week Two Part One (see below for a link).
Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week Two.
If you haven’t already read Week Two (Part One), you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/10/cyber-security-awareness-month-week-two-part-one/
Thanks to CybSafe for providing the content for this blog post!
Cyber Security Awareness Month – Week Two (Part One)
By Daniela Cooper, on 10 October 2024
Here is Part One of Week Two’s content for Cyber Security Awareness Month. This short security related story is all about spotting fake emails. Make sure you read all the way to the end to enter our week two quiz to win a £25 Amazon voucher.
Spotting fake emails
One slow day, whilst sitting in his office, James Linton noticed something. Emails don’t show the sending email address by default. He realised he could put any name there he wanted.
So he did, for five months.
He started by pranking his colleagues. He sent them emails that looked like they were from their CEO. He loved the excitement and wanted more.
James’ first real victim was the CEO of a large British bank. James sent him an email purportedly from the bank’s chairman. Suspecting nothing, the CEO engaged in an exchange praising the chairman.
James leaked the email exchange, embarrassing the CEO and prompting the bank to reconfigure their email systems. SINON_REBORN – James’ prankster alter ego – had arrived!
The pranking spree continued.
The Governor of the Bank of England.
And the White House!
Sending fake emails was exhilarating. James compared the excitement of it to the high of gambling –“You fire out three emails, and one of them comes up. When it does, you realise you have one on the line.”
James’ emails worked. Over and over again.
They worked because they won his victims’ trust.
That’s exactly what targeted fake emails do.
What are fake emails?
Fake emails look like they’re from legitimate or known sources, like a person or company you know.
These days, fake emails are difficult to spot.
The idea that most fake emails come from “long-lost relatives” is a myth. Today’s fake emails are more convincing. For the most part, they’re free from spelling and grammatical errors.
Fake emails can be either generic or targeted.
Generic fake emails are low in complexity but high in volume. Criminals send out millions of them. They usually look like they’re from a well-known company, like Apple or Amazon.
Targeted fake emails are harder to recognise and are increasingly common. They’re unique to the recipient and usually reference information found on platforms like LinkedIn.
Pro Tip
You may have heard some people refer to fake emails as “phishing”. They’re exactly the same thing. Targeted fake emails are sometimes called “spear-phishing”.
Creating legitimate-looking fake emails isn’t as hard as you might think.
How did James Linton create fake emails?
James decided on his target first. Then he picked his character based on his target’s professional and personal connections.
The next step was to find a hook. The hook was usually an interest both James’ target and character shared.
James then created a fake email address using his character’s name.
Finally, James added extra credibility to his fake emails. For example, he might hand type a second “email” below his message. This additional text, James believed, made his emails seem as though they had been forwarded.
James also favoured adding “Sent from my iPhone” to the end of messages. This made it seem like his messages were sent by an ordinary person, not “somebody huddled over a laptop in their hoodie.”
Pro Tip
How to create legitimate-looking fake emails
A guide by James Linton:
1. Pick your target.
2. Pick your character.
3. Create a hook.
4. Create a fake email address.
5. Add extra credibility.
Ian Levy: a target too far
After tricking the White House, James’ search for worthy prey continued. That was when he landed on the Technical Director of the UK’s National Cyber Security Centre (NCSC) – Dr Ian Levy.
Posing as a colleague – the Director of Operations – James “accidentally forwarded” an email from another colleague – the Director of Communications – to Ian, including a link to an article.
After inspecting the link on his phone (by a good old “touch-and-hold”), Ian suspected the emails were fake.
How to spot fake emails
You can use Ian Levy’s 3-step checklist:
Pro Tip
How to spot fake emails
1. Check sender’s address.
2. Check content.
3. Check links or attachments.
Step 1: Check sender’s address
Email inboxes show sender names, but they don’t always show addresses.
You can click on the sender’s name to reveal their actual email address. Pay attention to the information that comes after @.
Right after Ian had noticed the link led to mail.com – instead of ncsc.gov.uk – he examined the sender’s address:
paul.chichester.ncsc.gov@mail.com
It didn’t look right. It was supposed to end with @gov.uk. He was intrigued, so he played along, humouring his adversary. Eventually, Ian Levy convinced James Linton to reveal his identity.
Pro Tip
Do you recognise the sender or the sender’s email address?
- Click on the sender’s name to reveal the email address.
- Contact the person you think the email is from – using anything but that email address.
Step 2: Check content
Fake emails use emotional manipulation to trick people. Notice the different types of emotions evoked:
Panic
Make a payment – your manager needs you to make an urgent payment.
Worry
Verify some information – someone has tried to access a company or service you rely on (such as a bank, phone provider or TV service).
Curiosity
Open an attachment – you’ve been sent a confidential document to read.
This is how James Linton attempted to trick Ian Levy. The emails “accidentally forwarded” from his colleague evoked curiosity.
Kindness
Visit a website – a colleague needs you to visit a website to check the content and provide your opinion.
Trust
Provide sensitive information – a colleague needs you to reveal sensitive information to help them with a task.
Pro Tip
Is the email unexpected? Does it convey an undue sense of urgency? Does it ask you to break policy?
- Slow down and think.
- Check the sender details.
- Call the person you think the email is from and ask them. Call them using a known contact number.
Step 3: Check links or attachments
Links can be displayed in their raw format (www.google.com) or as a hyperlink (this). They can also be disguised or shortened, like this https://bit.ly/3yJanNJ.
To see the true destination of a link, hover your mouse over it.
Or, if on your phone, do what Ian did. Touch & hold the link to reveal its true destination. This is how Ian noticed the link for mail.com, instead of ncsc.gov.uk.
File extensions – the last 3 or 4 letters after the dot [.] at the end of the file – tell you what a file does. So make sure you inspect them before opening attachments.
Pro Tip
Does the email include a link or attachment you don’t recognise?
- Hover your mouse over a link to see its true destination.
- If you are using Google Chrome, the browser has a built-in safe browsing feature that will show a warning before taking you to a dangerous site – keep an eye out for these warning messages.
- You could also use a reliable URL scanner to check whether or not a link is safe to open.
Bonus content: File extensions
Files ending .exe, .vbs and .scr are more likely to be dangerous. If you see a file that contains any of these extensions, especially if what you think you are opening is meant to be a read only file, such as a document, photo or video, be cautious.
Enable “Show file extensions” on your computer as it allows you to check file types before opening them.
Make sure the file you think you’re opening is what it claims to be:
- PDF – .pdf .fdf .xfdf
- MS Word – .docx .doc
- MS PowerPoint – .pptx .ppt
- MS Excel – .xlsx .xls
- Image – .jpeg .jpg .jp2 .jpx .png .gif .tif .tiff
- Video – .avi .flv .wmv .mov .mp4
Can you spot fake emails?
Below are four emails – see if you can spot the fake ones.
Real or fake?
Fake!
Check links or attachments.
Hovering over “Open in Docs” shows you its true destination, a look-alike link – http://drive—google.com/samandrews/fdhh9w8qr5lioe55.
Real or fake?
Real!
This is a legitimate Dropbox email.
Check the sender’s address.
The sender is “dropboxmail.com” – although this looks unusual, a quick search reveals it’s legitimate.
Check links or attachments.
The link is to a secure site https://www.dropbox.com.
Real or fake?
Fake!
Check links or attachments.
Hovering over “this” shows you the link’s true destination – a look-alike website address https://drive.google.com.download-photo.balootec.net/AONhfnfeuG. The real address is “balootec.net” which is disguised to look like Google Drive.
Check the sender’s address.
Do you know AK? Clicking on the sender’s name reveals their actual email address. Does the email address “AKumar62457@gmail.com” seem familiar?
Check content.
Is the email unexpected? What emotions does it evoke? Someone addressing you as “friend” and sending you a “cute photo” likely evokes curiosity.
Real or fake?
Fake!
Check links or attachments.
Hovering over “CHANGE PASSWORD” shows you its true destination – http://myaccount.google.com-intro.help-secruity.org/signinoptions. The link actually points to the website of “help-secruity.org”, not Google.
And “secruity” in the link is misspelled.
Check the sender’s address.
Clicking on the sender’s name reveals their actual email address. The sender address “google.support” isn’t actually used.
Check content.
The email contains poor grammar – “You’re account” and “Suspicious signon”.
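Steps 1 and 3 of the checklist (sender’s address, true link destination) come down to one question: which domain is really on the other end? The look-alike addresses in the four emails above are built to make the eye stop at “google.com” before it reaches the real domain. Here is an added example, not code from the post or from CybSafe, that applies the same two checks in code: it takes the domain after the last “@” of a sender address, the host name of a link, and the registrable domain of that host (assumption: a two-label suffix such as .com or .net; for country suffixes such as .co.uk real code would consult the Public Suffix List). The sample addresses are the ones quoted on the page; the Dropbox sender mailbox is constructed, since the post only gives its domain.

```python
from urllib.parse import urlsplit


def sender_domain(address):
    """Domain after the last '@' of an e-mail address, lower-cased.
    'paul.chichester.ncsc.gov@mail.com' is a mail.com address, whatever
    comes before the '@'."""
    return address.rsplit("@", 1)[-1].strip().lower()


def link_host(url):
    """Host name of a link, as shown by hover or touch-and-hold."""
    return (urlsplit(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a host name: the part that is actually registered.
    Assumption: two-label suffix (.com, .net, .org); .co.uk-style suffixes
    need the Public Suffix List."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_expected(domain, expected):
    """True only if `domain` is `expected` itself or a real sub-domain of it.
    'drive.google.com.download-photo.balootec.net' ends in balootec.net,
    so it is not a sub-domain of google.com."""
    return domain == expected or domain.endswith("." + expected)


def triage(sender, links, expected_domain):
    """Run the sender and link checks for an e-mail that claims to come from
    `expected_domain` and return the findings (empty means both checks pass).
    `links` are the true destinations revealed by hovering, not the link text."""
    findings = []
    sd = sender_domain(sender)
    if not is_expected(sd, expected_domain):
        findings.append(f"sender domain {sd!r} is not {expected_domain!r}")
    for url in links:
        host = link_host(url)
        if not is_expected(host, expected_domain):
            findings.append(
                f"link {url!r} really leads to {registrable_domain(host)!r}")
    return findings


# Constructed samples, taken from the page's examples (the Dropbox mailbox
# name is made up; the post only states the domain dropboxmail.com).
SAMPLES = [
    ("paul.chichester.ncsc.gov@mail.com", [], "ncsc.gov.uk"),
    ("no-reply@dropboxmail.com", ["https://www.dropbox.com"], "dropbox.com"),
    ("AKumar62457@gmail.com",
     ["https://drive.google.com.download-photo.balootec.net/AONhfnfeuG"],
     "google.com"),
    ("support@google.support",
     ["http://myaccount.google.com-intro.help-secruity.org/signinoptions"],
     "google.com"),
]

if __name__ == "__main__":
    for sender, links, expected in SAMPLES:
        print(sender, "->", triage(sender, links, expected) or "no findings")
```

Note that the genuine Dropbox email is flagged too, because dropboxmail.com is not a sub-domain of dropbox.com. That matches the post: the address looks unusual, and it took a quick search to confirm it is legitimate. The check tells you where to look; it does not replace the search or the phone call.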
Summary
After Ian Levy coaxed James Linton out of hiding, the pair teamed up. They co-authored a blog about their experience.
Their aim was to help people spot future fake emails.
After completing this module, you’ll have everything you need to do just that.
How to spot fake emails
1. Check the sender’s address. Click on the sender’s name to reveal it. Contact the person you think the email is from using a known contact number.
2. Check the content of the email. Is the email unexpected? Is it asking you to do something unusual? What emotions does it evoke?
3. Check links or attachments. Hover over them to see their true destination. If they look suspicious, search for verifiable online information.
Week Two Quiz
For the chance to win a £25 Amazon voucher answer the following question:
Q: What are the three steps to spotting a fake email?
Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week Two.
Thanks to CybSafe for providing the content for this blog post!
Cyber Security Awareness Month – Week One (Part Two)
By Daniela Cooper, on 4 October 2024
Here is Part Two of Week One’s content for Cyber Security Awareness Month. This short security related story is about security incidents. If you haven’t already entered the Week One quiz to win a £25 Amazon voucher, see the details on how to enter at the bottom of the post.
Security incidents
It happened a few days ago. Still, Peter hadn’t told anyone.
As he was sitting in his meeting, he couldn’t stop thinking about it.
“Should I say something? People will judge me. They’ll avoid me. They’ll know.”
So Peter didn’t say a word.
Everyone at his company was affected. And most of his friends. And his friends’ friends, too.
Eventually, 10% of the world’s internet-connected computers were compromised.
What happened to Peter?
Peter received an email with the subject line ILOVEYOU. He opened the attached love letter. This started the malware’s spread.
What’s malware, you might ask?
Malware is malicious software. It’s computer code that can crash devices. It can also steal data, passwords, browsing history and money.
Malware can also lock and delete personal files – which is one of the ways the “ILOVEYOU” malware hurt Peter and its other victims.
After overwriting files, it emailed itself to everyone in Peter’s contact list.
In total, ILOVEYOU caused more than US$15 billion of damage. It left company reputations in tatters.
Bonus content: Six types of malware
Viruses – Viruses attach themselves to normal files. They run when the file is opened. Viruses rely on people sharing infected files to spread.
Worms – Worms are like viruses, but they spread without any human interaction. The most dangerous types replicate across networks. ILOVEYOU was a worm – which is how it affected so many people.
Trojans – Trojans don’t harbour bloodthirsty Ancient Greeks! But they are brutal. Trojans usually open “backdoors” into computers and networks, granting criminals remote access.
Ransomware – Ransomware is worm-like malware that restricts access to files or systems. It then demands victims pay a ransom to regain access. Paying the ransom doesn’t always overcome the infection. Access may be lost forever.
Spyware – Spyware lets criminals spy. It can track what you’re viewing and what you’re typing. Spyware can even turn on webcams and modify security settings.
Grayware – Grayware is software that sits in the “gray” area between malware and software. Think unwanted browser extensions and pop-up ads. Infections pose little direct threat, but they can trigger spontaneous fits of rage.
Was ILOVEYOU avoidable?
It’s unlikely.
But Peter knew about ILOVEYOU early. He could have slowed the spread and reduced the damage it caused.
We can all reduce the impact of malware. It starts with taking responsibility: to prevent, to detect, and to report.
Preventing
Verify emails
If you receive an unexpected email, and you are uneasy about doing something as a result, verify.
Verify by calling back the person you think the message is from. Do so using known contact details.
Check where links lead before clicking
Pro Tip
Found a suspicious site or receive a suspicious email? Report it on the NCSC website and to your IT department.
Show (and check) file extensions
Attachments can contain malware – that’s how Peter’s nightmare started. Some file types are more likely to contain malware than others.
Image description
The image above is a screenshot of an email containing an attachment with the file extension ‘.vbs’; the attachment is supposedly a love letter.
File extensions are the last three, four or five letters after a filename, like “essay.docx”.
They make dangerous files easier to spot.
File extensions aren’t always displayed by default. If you use a personal device for work, turning on the “Show file extensions” setting will help you to spot dangerous files.
What type of files are dangerous?
All files have the potential to be dangerous. Some are more dangerous than others:
Action files: Files that end with .exe, .vbs or .scr all perform actions when opened or downloaded. They often carry malware.
Macros: Macro-enabled Microsoft Office files can also contain malware. They have an ‘m’ in their file extensions, like “proposal.docm”.
Pro Tip
Microsoft Office will sometimes ask to “Enable macros” or “Turn off protected view”. Doing so can run a series of pre-programmed actions. It’s risky!
Vigilant professionals only open or interact with files they are expecting, and only when they know the sender.
Ask for help if you’re ever unsure.
Bonus content: File types
More dangerous:
- Executable – .exe
- Screensaver – .scr
- Visual basic script – .vbs
- MS Word (macro-enabled) – .docxm .docm
- MS Powerpoint (macro-enabled) – .pptxm .pptm
- MS Excel (macro-enabled) – .xlsxm .xlsm
Less dangerous:
- PDF – .pdf .fdf .xfdf
- Image – .jpeg .jpg .png .gif .jp2 .jpx .tif .tiff
- Video – .avi .flv .wmv .mov .mp4
- MS Word (no macros) – .docx .doc
- MS Powerpoint (no macros) – .pptx .ppt
- MS Excel (no macros) – .xlsx .xls
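The "show file extensions" advice above is easiest to appreciate by seeing what a name looks like with the real extension hidden. The following is an added example, not code from the post or from CybSafe: it sorts attachment names into the post's two tiers and flags names that end in a second, harmless-looking extension once the real one is hidden. The helper names, the tier labels and the sample inbox are all constructed for this example.

```python
"""Attachment-name triage: an added example, not part of the original post.
Risk tiers copy the post's "Bonus content: File types" lists; the extra
lesson is how a hidden extension misleads: with "Show file extensions" off,
a name such as "invoice.pdf.exe" is displayed as "invoice.pdf"."""
import os

# Extension tiers copied from the post's lists (lower-case, with dots).
ACTION_FILES = {".exe", ".scr", ".vbs"}
MACRO_FILES = {".docxm", ".docm", ".pptxm", ".pptm", ".xlsxm", ".xlsm"}
LESS_DANGEROUS = {
    ".pdf", ".fdf", ".xfdf",
    ".jpeg", ".jpg", ".png", ".gif", ".jp2", ".jpx", ".tif", ".tiff",
    ".avi", ".flv", ".wmv", ".mov", ".mp4",
    ".docx", ".doc", ".pptx", ".ppt", ".xlsx", ".xls",
}

def true_extension(name: str) -> str:
    """The extension that decides how the file opens: last dot-suffix, case-folded."""
    return os.path.splitext(name.strip())[1].lower()

def displayed_name(name: str) -> str:
    """What a file browser shows with 'Show file extensions' off: the final
    extension is hidden, so 'a.pdf.exe' appears as 'a.pdf'."""
    return os.path.splitext(name.strip())[0]

def assess(name: str) -> dict:
    """Place one attachment name in the post's risk tiers and record whether
    hiding its extension leaves a second, different-looking extension visible."""
    ext = true_extension(name)
    shown = displayed_name(name)
    if ext in ACTION_FILES:
        tier = "action file (more dangerous)"
    elif ext in MACRO_FILES:
        tier = "macro-enabled Office file (more dangerous)"
    elif ext in LESS_DANGEROUS:
        tier = "less dangerous"
    else:
        tier = "unknown type"
    # With the real extension hidden, the visible name still ends in an
    # extension, so the reader is shown a different (often harmless) file type.
    double_ext = tier != "less dangerous" and os.path.splitext(shown)[1] != ""
    return {"name": name, "shown_as": shown, "extension": ext,
            "tier": tier, "hidden_behind_another_extension": double_ext}

def names_to_flag(names) -> list:
    """Names a reader should pause on before opening: everything outside the
    post's 'less dangerous' list, judged by the real extension, not the shown one."""
    return [n for n in names if assess(n)["tier"] != "less dangerous"]

if __name__ == "__main__":
    # Constructed sample inbox; these names are not taken from the post.
    inbox = ["love-letter.txt.vbs", "invoice.pdf.exe", "proposal.docm",
             "holiday.JPG", "minutes.docx", "report.pdf "]
    print("Pause before opening:", names_to_flag(inbox))
```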
Isolate devices
Malware spreads when devices connect.
Plugging unknown or unauthorised devices into work equipment increases risk. This includes charging cables, USB sticks etc. They can be adapted to carry malware, too.
Refraining from plugging in unauthorised devices – and only charging devices from power sockets – reduces risk.
Download apps safely
Malware can be hidden in useful-looking apps. The apps behave like the real thing while stealing data in the background.
Always download apps from reputable sites like the Apple app store or Google Play. Check reviews before downloading.
Work related software can be downloaded from the UCL Software Database: https://swdb.ucl.ac.uk/
Heed security warnings
Security warnings are the messages displayed by browsers before they allow access to dangerous sites.
Security warnings can be overridden. Doing so is a risk and potentially a breach of policy.
If security warnings restrict access to sites needed for work, letting someone know (your line manager, IT team or security team) is the best thing to do. It’s safer and, long-term, will help others in your organisation too.
Detecting
The following can be signs of malware infection:
- People report receiving spam from your email address.
- New icons appear on your desktop or in your web browser.
- Pop-ups appear or programs start running on their own.
- Messages tell you an unknown program is trying to access the internet.
- Your device is unusually slow or crashes at random intervals.
A special mention: Ransomware
Ransomware is worm-like malware that restricts access to files or systems. It then demands victims pay a ransom to regain access. Paying the ransom doesn’t always overcome the infection. Access may be lost forever.
It’s the most destructive and prolific form of malware.
If a device has been infected with ransomware, you’ll likely see a message similar to this:
Image description
A large red pop-up containing a ransom note
If you do see a message like this, acting quickly is your chance to make a difference.
Reporting
Reporting security incidents protects organisations from criminals. Still, not all security incidents are reported.
Often it’s because people feel responsible, like Peter. Peter chose not to report so as not to bring attention to himself.
It’s okay to make mistakes. It’s not okay to hide them.
In reality, reporting a security incident is more like a “good catch”. Something happens. You notice it. You report it. Good catch.
Security related incidents should be reported to the UCL Information Security Group via https://myservices.ucl.ac.uk/
Week One Quiz
For the chance to win a £25 Amazon voucher answer the following question:
Q: What percentage of identity thieves use social media to access the personal information of victims?
Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week One.
Hint: The answer is in Week One (Part One) – see below.
Cyber Security Awareness Month – Week One (Part One)
If you haven’t already read Week One (Part One), you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/03/cyber-security-awareness-month-week-one-part-1/
Thanks to CybSafe for providing the content for this blog post!
Cyber Security Awareness Month – Week One (Part One)
By Daniela Cooper, on 3 October 2024
It is that time of year again, when we remind ourselves of the importance of information security in both our personal lives and at work. We are doing things a little differently this year: we will be providing a series of security-related short stories using content from CybSafe, two each week. We will still be running the weekly quiz to win a £25 Amazon voucher, so make sure you read all the way to the end!
Are you really a target?
BEEP BEEP BEEP BEEP BEEP BEEP. SLAM.
The sound of Joe turning off his fifth alarm.
It’s 7 a.m. and a brand new day. Time to get up and get out. He throws on a shirt and tie, brushes his teeth, and wakes up the kids.
“Myles, Lily, time to wake up!”
“But bed is so comfy!”
“Up!”
Joe heads downstairs, puts on his ‘Morning tunes’ and packs their lunches. When Myles and Lily eventually grace the kitchen table, Joe snaps a cute pic of them eating breakfast.
Little does Joe know, he’s already a target. And not because of his music taste.
How do you like your eggs in the morning?
Joe posts the picture on social media: ‘my two little eggs <3’
“Dad, you’re so embarrassing!”
“And your profile isn’t even private!” …
Joe’s social media profile catches the eye of a fraudster.
Everything about Joe is public. His music, birthday, friends, family, job title, company, email address, phone number and favourite wrestler. You name it, it’s there.
85% of identity thieves use social media to access victims’ personal information.
As Joe coaxes Lily and Myles out of the house, the fraudster is hard at work. There is so much information about Joe available online, it’s a matter of moments before the fraudster has loaded everything into a password profiler.
Within minutes, the fraudster has access to Joe’s accounts. Netflix, Amazon, Facebook, Instagram, LinkedIn, the lot.
As Joe drops Lily and Myles at school, the fraudster is selling Joe’s Netflix account on the dark web.
This is really going to mess with his TV recommendations.
Pro Tip
Fraudsters view public social media profiles as one thing: $$$.
Find out what information about you is publicly available by using a search engine. Fraudsters use personal information to access accounts, so it’s best to keep them private. Just log onto your social media accounts and change the privacy settings. After all, there’s nothing more off-putting to a fraudster than a private account.
Coffee, anyone?
Joe arrives at work, makes his way to his desk and turns on his laptop. He is confronted by something that strikes fear into his heart: update notifications.
System, antivirus and app updates! When will they end?
But Joe knows how to deal with these pesky notifications: ignore them till they go away.
He knows that it takes roughly 10 minutes for them to disappear. He sticks his head out into the office. “Coffee, anyone?”
Pro Tip
Forgetting to install updates to your devices or applications is like leaving your front door unlocked. Updates allow security improvements to be applied. Without updates, your device is vulnerable to compromise and puts confidential data at risk.
You can set updates to automatically install in your device’s security settings.
One watercooler chat and cappuccino later, Joe returns to his desk. No more notifications. It’s like magic. He settles down and opens his emails.
Joe doesn’t realise that he’s a dream come true. At least, he is for organised crime groups. He has access to data and information that can be sold for a profit. And what’s more, he skips security updates.
As Joe opens up his emails, he sees a message from the CEO.
The message has an attachment. It appears to contain a picture of Joe and the Director of Marketing, Sam. Nerve-wracking stuff to receive from the CEO.
In a panic, Joe forwards the email to Sam and clicks on the attachment. There is no picture.
Joe, confused, wipes his brow and laughs it off. Little does he know, spyware has started taking over his laptop.
Case study: It makes you WannaCry
The WannaCry attack was run by state-sponsored criminals. It affected over 200,000 computers in 150 countries with an estimated global cost of USD $12 billion.
Malicious software was delivered via emails tricking recipients into opening an attachment. Once opened, the software restricted information and data, demanding payment to reinstate access.
Pro Tip
Verify! Verify! Verify!
Using known contact details to verify emails and messages is an easy way to avoid malicious attachments. When in doubt, verify! Especially before forwarding anything.
And be sure to check if any attached files end in ‘.exe’, ‘.vbs’ or ‘.scr’. These file types perform an action which could put your device at risk.
Across the office, Sam receives the email and opens the attachment. A warning flashes onto his screen: ‘this attachment is unsafe.’
Sam’s laptop had been set to auto-update. Thankfully, the most recent update contained a defence against new internet nasties. It was installed while Sam was chatting to Joe by the watercooler.
Sam reported the email straight away. Crisis averted.
Afternoon delight
Nothing is nicer than a well-deserved lunch break. And Joe’s lunch break is positively delightful. He’s meeting an old co-worker for fajitas.
The Head of IT’s afternoon is also delightful. She prevented an attack by removing a load of spyware that somehow found its way into the system. Weird.
Pro Tip
Refer! Refer! Refer!
Referring any suspicious messages, emails or attachments to your IT department can help prevent future attacks and identify sneaky malware.
Joe sits down and orders some fajitas. Robin, Joe’s ex-coworker, sits down beside him. After some witty repartee, Robin shifts the topic of conversation.
“I was wondering if you could get me back into the office? I left a few bits I need to grab.”
“Of course! We can head there after lunch.”
Insiders love access. For malicious employees, access is an opportunity for exploitation. And who better to grant it than a trusting soul like Joe?
Pro Tip
Insiders often try to intercept information or obtain documents requiring elevated access. Everyone has the power to challenge access.
You should feel authorised to question people when you are unsure of something. Someone in the office without a pass? Ask to see it. Someone requesting to view a confidential document? Verify their reason.
Back at work, Robin follows Joe into the office. Sam thinks it’s a bit odd, but doesn’t question it.
“Just going to grab my stuff,” Robin whispers, heading into the backroom. Joe nods and gets back to work. Meanwhile, Sam does a quick LinkedIn search. Robin is now working for their competitor.
“Erm… Joe?”
“Yes, Sam?”
“Did you know Robin works for our competitor?”
Joe’s eyes widen as he realises that Robin could be an insider.
Joe rushes into the back office. There stands Robin. He’s taking photos of important documents.
And he would have gotten away with it too…
Case study: Employee of the month
For one credit card provider, it only took a disgruntled employee to wreak havoc. The insider managed to steal the personal data of 100 million US citizens as they knew where it was stored. It cost the company approx. USD $100-150 million to fix.
A hard day’s night
After a long day of being a target, Joe just wants to watch TV with his kids. But as he logs in to Netflix, something seems off.
“Which one of you has been watching Dance Moms?”
Myles and Lily shrug their shoulders. “Not us!”
“And which one of you has made a new profile?”
“What new profile?”
Joe clicks back to the profile selection page.
“There! Which one of you is NetflixHacker49?”
Myles and Lily give another shrug.
Joe realises what has happened. His account has been hacked. And if this account is compromised, others might be too. Joe gives Sam a ring.
“I think my Netflix account has been hacked!”
“Okay, calm down.”
Sam sends Joe a message that contains a single line:
“Go on that website and type in your email,” Sam explains, “it’ll tell you if there’s been a breach.”
With a flurry, Joe types in his details and hits ‘Enter’.
Oh no – pwned!
Joe’s accounts have been breached. “Not to worry,” Sam calmly states. “Go into your accounts and change your passwords to separate passphrases.”
Joe hands the remote control to Myles and jumps on his computer.
As he goes through his accounts, Lily’s voice drifts in from the living room.
“Daaaad!”
“Yes, Lily?”
“Myles has clicked on something he shouldn’t have!”
Here we go again.
Summary
1. No matter your job description, role or department, YOU are responsible for keeping your organisation’s data safe. Cyber security is for everyone, not just the tech-savvy people in IT!
2. Stopping yourself from becoming a target requires little added effort. A few quick changes can set you up for success.
3. Reporting potential infections or issues can make you a security hero. It gives your organisation a chance to act quickly and respond. If they can respond quickly, they can limit the damage.
4. Be more like Sam.
Week One Quiz
For the chance to win a £25 Amazon voucher answer the following question:
Q: What percentage of identity thieves use social media to access the personal information of victims?
Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week One.
Cyber Security Awareness Month – Week One (Part Two)
If you haven’t already read Week One (Part Two), you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/04/cyber-security-awareness-month-week-one-part-two/