
Risky Business


Tips and tricks for securing information


Cyber Security Awareness Month – Week Four (Part One)

By Daniela Cooper, on 29 October 2024

It’s already the last week of Cyber Security Awareness Month. Where has the last month gone? Here is Part One of Week Four’s content. This short security-related story is all about protecting your devices. Make sure you read all the way to the end to enter our Week Four quiz for your last chance to win a £25 Amazon voucher. If you haven’t already entered the Week One, Week Two or Week Three quizzes, see the details on how to enter at the bottom of the post.

Protecting your devices

It’s 7.30am. I’m on the bus. It’s cold and wet and I’m ready for a long shift at the day job.

Then I see him. Professional-looking, middle-aged guy on the way to work. He’s a little too engrossed in a newspaper. He plants his backpack on the seat next to him.

As the bus pulls into his stop, he tucks the newspaper under his arm and nods to the bus driver. Seems like a nice chap.

Then I notice it: he’s forgotten his bag.

I’m Leah. Bus rider, technology fanatic and cybercriminal. And today I earn my living.

The cybercriminal code of conduct

I grab his bag and take a peek. His laptop is there. Jackpot.

But, if I’m going to earn my cash, I have to remember the first rule of being a cybercriminal: don’t get caught.

This means getting rid of the evidence (i.e. the laptop) as soon as possible.

I have 20 minutes till the bus loops back around and I can return the laptop. 20 minutes to grab everything I need and install some nasty ransomware.

Plenty of time.


Pro Tip

Ransomware is a kind of malicious software. It blocks access to information, data, and computer systems until a sum of money is paid. However, there is no guarantee that access will be granted, even after the ransom’s been paid.

Too close for comfort

I’ve already spotted his first mistake: being in the wrong place at the wrong time. And I’m not talking about him. I’m talking about his diary. It’s right next to his laptop. A treasure trove of pet names, important dates and personal information. His name is John.

Using a password profiler, it takes 8 minutes to figure out John’s most important passwords.

With John’s password cracked, his laptop is mine.

Then I hit the first snag. John’s installed multi-factor authentication (MFA). Well played.

Leah 1 – 1 John

 

The good, the bad and the useless

John is clearly well up-to-date with his organisation’s security policies. As with any high-performing professional, he has MFA linked to his phone. That’s the ‘good’.

As I go to log in, John’s laptop sends its access request to his phone. I hear a melodic ping come from John’s bag. Yep, it’s his work phone. You may think that this is a win, but I’m not hopeful.

If John’s set up facial recognition or a fingerprint scanner on his phone, it’s protected. Even I can’t get past a biometric lock.

I look at his phone. John’s turned off notifications. This means no lock-screen pop-up messages to give away the code. Clever. Thankfully, the phone only requires a four-digit pin. That’s the ‘bad’.

I try a few different combos.

‘0000’.

Nope.

‘1234’.

Nope.

‘4321’.

PIN accepted.

That’s the ‘useless’.

Pro Tip

MFA is incredible. It will take your accounts from 50% secure to 99% secure. BUT ONLY if used in conjunction with biometric identification or a strong passphrase while notifications are off.

 

Engage all defences!

The bus swerves round a sharp corner and someone bumps into me. I worry they’ll notice that I’m up to no good, but they don’t.

I log into John’s computer and see that he has the most important defences primed: an antivirus and a firewall.


Antivirus software provides near-complete protection against malware. John’s evidently more cyber-savvy than I give him credit for. I’m almost proud.

Pro Tip

Make sure your devices are protected with antivirus software.

Case study: the computer virus from Outer Space

Ants, cats, frogs and even jellyfish have been sent to space. But in 2008, the first computer virus made its way to orbit. The virus, Gammima.AG, was designed to collect user login details and send them to a central server. Somehow, it found itself on board the International Space Station. How? The astronauts’ laptops didn’t have antivirus software installed.

 

A firewall is just as important. Luckily for John, his is turned on. It decides what his computer lets in and what his computer keeps out. Like his own private virtual bouncer.

Pro Tip

Hey, remember the last pro tip? Yep. Do the same for your firewall. Go on! Check if it’s turned on. I’ll wait.

Unfortunately for John, his software hasn’t been updated.

Who needs updates?

You can tell a lot from someone’s device. Not just their account details and favourite font, but what they’re like as a person.

John dislikes cold weather and vegetables (judging by his most recent takeaway order). He also dislikes updates. I know this because I’m bombarded by update notifications as soon as I open up his system settings. This means there are holes in his devices’ security.

I look at the software version John has installed. Like an open book, I can see every exploit. Every flaw. Total transparency. A cybercriminal’s dream.

Case study: NotPetya

NotPetya was a kind of ransomware that targeted corporate networks. It used the same way in as a previous attack called ‘WannaCry’. It turned out that the Windows update that defended against WannaCry would also have been effective against NotPetya. Unfortunately, many of the companies that fell victim to NotPetya had not updated their operating systems. NotPetya caused roughly US$10 billion in financial losses.

 

To think, my plans could have been scuppered if John had just set his security software to auto-update. Everything would be downloaded and installed automatically. What a shame.

John’s favourite font is Helvetica, by the way.

 

The John Files

Ransomware could make me some good money, but only if there’s anything worth ransoming. As the bus begins its journey back toward John’s stop, I treat myself to a look at his work files.

Access denied.

John has encrypted his files. Perhaps I’ll need to extend my journey.

Encryption sounds complex, but it’s actually just a type of lock. It scrambles information when active, and unscrambles it when unlocked. John’s locked his files behind a password. It’s a simple spell, but quite unbreakable.

Thankfully, John keeps all of his passwords in the notes app on his phone. Easy peasy. I now have access to his files. No extra journey required.

Leah 4 – 3 John

 

Permission to enter

You’d think it would be easy to install the ransomware after accessing John’s files, but I have to be wary of permissions.

You see, users need permissions to make changes to an account. Permissions decide what can enter and what can alter computer files. If John has set up his devices properly, his user account won’t have permission to install software.

As this was John’s work laptop, he had already been granted all the permissions he needed. And since I was already in his account, I had all the permissions I needed.

Thanks John!

Home Tip

The best way to securely set up your personal devices is to separate User and Admin accounts (using unique passphrases for each). You should use the User account for day-to-day activities, then switch to the Admin account when installing software.

To be even more secure, set up 2 Admin accounts (with different passphrases). That way, you always have a backup if anything happens to the other accounts.

Head in the Cloud

After installing the ransomware, I use John’s phone to contact his boss.

I tell him that John left his bag on the bus. ‘Oh thank you so much, you’ve saved the day!’

Don’t I know it.

It’s time to finish up and play the hero.

But there’s one thing left that can stop my ransomware attack from working: a backup.


Backups are extra copies of data. They can be copies of a file, a picture, or a video. Anything really. They can be stored anywhere, but are only useful when separate from the original device. USB sticks, external hard-drives, and even ‘cloud’ services are all great places to back up important data.

As the bus hurtles towards John, I pray his data isn’t backed up. If it is, I’ll have nothing to ransom.

I check cloud services: none. I check his bag for USB sticks: none. Then I find it: an external hard drive.

Pro Tip

Cloud storage is great. It’s affordable, and most providers encrypt all information stored on their servers. However, each provider is different. It’s worth researching cloud service providers, as clouds outside of your locale may follow different data protection laws.

Though external hard-drives can be secure, John left the hard-drive in his bag. This means his data was mine to destroy. I plug it in and delete the lot.

Problem solved.

Pro Tip

Whilst external hard-drives can be a great place to back up your data, there are a few things you should always do.

  1. Keep your external hard-drive separate from your device.
  2. Only use trusted external hard-drives. An infected USB stick or hard-drive could harm your device.
  3. Encrypt the drive if it contains personal or confidential data.

Prepare to launch

The bus skids into the last stop. The doors slide open. I pop everything back into John’s bag as if they never moved. I walk 3 minutes to John’s work. It’s a huge financial company.

Perfect.

John’s waiting outside. He shakes my hand and thanks me profusely. What would he do without me? How could he ever repay me?

I tell him it was nothing and wave goodbye. John has his laptop back, and he’s already going about his day as if nothing is wrong.

I jump back onto the bus.

Time to launch the ransomware attack.

3…

2…

1…


Summary

1. Do your best to prepare for the worst. Back up all of your data and encrypt all of your files. And keep your backups separate from your devices!

2. Our phones contain our most personal details. So keep them secure! Use a strong passphrase combined with MFA to keep people out. Keep your phone and apps updated and your files encrypted.

3. Set up separate User and Admin accounts on your personal devices.

4. It only takes one hole in your device security to leave your accounts vulnerable. Make sure you have an antivirus installed, your firewall turned on, and your security software set to auto-update.

Week Four Quiz

For the chance to win a £25 Amazon voucher, answer the following question:

Q: What are the 3 steps needed to protect your devices?

Hint – check out the 4th point of the summary.

Please send your answers to ISG via https://myservices.ucl.ac.uk/self-service/requests/new/provide_description?from=wizard&service_id=1296&service_instance_id=3679&support_domain=myservices-isg – use the subject line Cyber Security Awareness Month Quiz Entry – Week Four.

If you haven’t entered the Week One quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/03/cyber-security-awareness-month-week-one-part-1/

If you haven’t entered the Week Two quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/10/cyber-security-awareness-month-week-two-part-one/

If you haven’t entered the Week Three quiz yet, you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/18/cyber-security-awareness-month-week-three-part-one/

Cyber Security Awareness Month – Week Four (Part Two)

If you haven’t already read Week Four (Part Two), you can find that here: https://blogs.ucl.ac.uk/infosec/2024/10/29/cyber-security-awareness-month-week-four-part-two/

Many thanks to CybSafe for providing the content for this blog post!
