When thinking about what you need to consider about information security when using Excel, the common ones are probably:

• keeping Excel patched and up-to-date,
• not accidentally sending confidential information in an Excel spreadsheet to someone who shouldn’t have access to that information.

Do those considerations extend to being mindful of what information is contained within a vlookup range?

It turns out that Excel caches the information held in a vlookup range, thus making that information available to the spreadsheet where it has been referenced, even when the original information is deleted.

The following page explains it better than I can:

https://www.mrexcel.com/forum/excel-questions/720654-vlookup-external-wb-entire-table-stored-inside-linking-workbook.html

I cannot find anywhere that Microsoft warns its users that this happens and to be careful not to accidentally leak confidential information in this way.

The ICO (Information Commissioners Office) have fined organisations for leaking confidential information is this way, one organisation was fined £185K. The ICO have written a good guide on ‘How to disclose information safely’:

https://ico.org.uk/media/for-organisations/documents/how-to-disclose-information-safely-removing-personal-data-from-information-requests-and-datasets/2013958/how-to-disclose-information-safely.pdf

The only advice we can offer is, if you are sharing information in a spreadsheet that uses vlookups:

• save the file as .csv, this format does not support features such as vlookup.
• Export the information to a pdf.

A couple of other considerations:

• When using filters in Excel, don’t forget that others can change those filters and have access to the full information.
• When sending Excel spreadsheets that contain confidential information, password protect them and give the password by phone not email. Password protected Excel files are encrypted using AES 128-bit encryption, just remember to use a good password with upper-case and lower-case characters, numbers and symbols.

Updated to include guidance from the ICO.

KRACK Attacks

Security researchers have announced a major security vulnerability in the WPA2 protocol yesterday called KRACK (Key Reinstallation Attacks). WPA2 (WiFi Protected Access II) is the encryption protocol that secures all modern WiFi networks. It was designed to provide wireless networks with stronger data protection and network access control. The current vulnerability exploits a weakness in the encryption process, allowing an attacker to eavesdrop on wireless traffic. An attacker may also be able to inject and manipulate data (e.g. uploading malware to a website).

Impact

Most devices that support WiFi are affected by this vulnerability until the manufacturers release a patch to address it. If exploited, an attacker will be able to steal sensitive information that a client device sends to an access point on a wireless network. This may include credit card details, passwords, chat messages, photos etc. Malicious software can also be loaded onto the device, causing further damage.

What can I do?

Certain precautions can be taken to ensure that you do not fall victim to such an attack. Firstly, ensure that all communication is encrypted – for example, by only browsing sites over HTTPS. Most sites support HTTPS by default. For those that don’t, this feature may be enabled with an extension such as “HTTPS Everywhere” which forces websites to work in HTTPS mode whenever possible. Whenever browsing a website that requires any data input, check to make sure that ‘HTTPS’ is in the address bar and a green padlock is visible. Secondly, use a VPN provider which creates an encrypted tunnel between your device and the VPN host, encrypting all traffic automatically. UCL provies a free VPN service for all staff and students. Lastly, update your wireless devices as soon as patches becomes available. If possible, avoid using WiFi and use a wired connection instead!

Further reading

More details on the attack, a proof-of-concept and FAQs can be found on the KRACK Attacks site. The NCSC provided some useful guidance in relation to the vulnerability.

 

“Phishing is a fraudulent attempt, usually made through email, to steal your personal information”. – PhishTank.

Phishing is unfortunately something that we have to learn to live with, it’s not going to go away any time soon. The best way to protect ourselves against phishing is to learn to identify it.

Things to look out for

1. A sense of:
   1. Urgency – makes you feel like you have to do something quickly, so you don’t take the time to wonder if the email is suspicious.
   2. Fear – for example, if you don’t click on the link, your account will be deleted, or you will be fined.
   3. Promise of reward – lottery win notifications, or “I am the widow of a rich person” type of email.
   4. Guilt or sympathy – “I am dying of…” type of email.
   5. So if an email makes you feel: guilty, panicky, afraid, or greedy, stop and ask yourself why. It’s probably a phishing email.
2. ‘To‘ and ‘From‘ address – these can be trivially forged and show false information. Often the ‘To’ address isn’t even your email address, a legitimate email would be addressed to your actual email address.
3. Web link – check to see if the link is in the UCL domain (ucl.ac.uk), it could look like a legitimate UCL URL but check by hovering over it as it could be going somewhere else entirely.
4. Asking you to respond with your username and/or password – no legitimate email will ask you to do this.
5. Unexpected attachment – some phishing emails come with attachments that when opened will compromise your computer.
6. Headers and signatures – these can be forged, phishing emails often use them to appear more legitimate.

The consequences of responding to a phishing email (or opening an attachment in a phishing email) are that an attacker can steal your information and/or take control of your machine.

If you are ever unsure whether an email is a phishing email or not, before you click or respond, just ask us – isg@ucl.ac.uk.

In my next blog post I will be talking about test phishing campaigns.

There is an endless supply of literature on the Internet about usernames and passwords. Yet this is an immensely important topic that will always be relevant.

Tom has already written a blog post about passwords from a risk perspective so I will approach the topic from another angle and explain why the complexity of your password can make a huge difference to the overall security of your information.

However, first it is necessary to take a look at the basic mechanisms behind usernames and passwords. From a security perspective, a username is simply a form of identification. When a system is asking you for a username, it is essentially asking you to identify yourself as a user of its resources. In its basic form, this is the equivalent of someone asking you for your name. You can reply however you like. Whether they believe you or not is a different matter. This is where a password comes in. When you provide your password, you are basically authenticating yourself as the person that the provided username belongs to. Only you should know the password corresponding to your username. This is the equivalent of providing a driver’s license or a passport to confirm that you are indeed who you say you are.

Problems with passwords

Now let’s consider a common problem in the information security world – a compromised account. What I’m referring to here is the case where someone other than the intended individual has access to a specific account. This can come about in a number of ways such as:

• Willingly sharing credentials (e.g. with your colleague)
• Shoulder surfing (the attacker looks over your shoulder while you are typing your password)
• Writing a password down and storing it insecurely (e.g. on a sticky note at your desk)
• Data leak (usernames and passwords are made publicly available without authorisation)
• Brute force/dictionary attacks (the attacker guesses the password. This is done either by trying out every possible combination or going through a dictionary of commonly used passwords)

In relation to most of the points above, but specifically the brute force/dictionary attack, a more complex password can significantly improve security. This comes down to the way that this specific attack is performed. A computer is highly efficient and can test a large number of passwords in a short period of time and the more computer power dedicated to the task, the quicker the password will be correctly guessed.

As you add extra complexity elements to your password (extra characters and different types of characters) you make it increasingly difficult for a computer to be able to successfully guess your password.

Here’s a fun tool to demonstrate this concept: https://howsecureismypassword.net/. Although we don’t recommend that you enter your actual password!

Hello, My name is Ravi and I work with the Information Security Group. My role is to refresh all the existing Information Security Policies and make them more current.

Definition

According to the Cambridge Dictionary, a policy is “a set of ideas or a plan of what to do in particular situations that has been agreed to officially by a group of people, a business organization, a government or a political party” I’m going to focus on the Information Security Policies and their role in being the guiding posts for UCL. Read on…

Why policies?

The development of security policies has become a critical component in all organisations. UCL recognizes the importance of information security in its day-to-day business. “Information security policies help UCL maintain its ability to prevent security incidents”. In addition to this, these policies help us to respond to security incidents when they do occur. UCL intends to have sound and robust policies. This assures all our stakeholders that their data and information is well protected.

Policies cannot be static and need to change with time. Some common drivers for policy change include:

• technology upgrade,
• new business rules coming into play, and,
• changes in legislation.

It is always a good idea to define a review timeline for a policy, this can be a year at the minimum.

Further reading

If you would like to read the information security policies, please see here: https://www.ucl.ac.uk/informationsecurity/policy/

We are all drowning in password advice and I’m loath to add my name to the seemingly endless list of “security people berating bad password practice”, but if you try to apply an information risk management viewpoint to a lot of areas where we store private information, both in our work and private lives, it is still all too often the case that a username and a password are the only elements controlling access to vast tracts of our lives.

Or, in other words, if I’m going to discuss practical information risk advice, then I need to discuss passwords. I’ll keep it brief I promise.

P@55w0rd is ok right..?

There is plenty of good advice available on how to write a strong password.  Instead, I’m going to talk about how to remember all those long, complex passwords. If you can make it easy to manage all these different accounts then you can remove the motivation to use weak, or duplicate passwords.

Password managers are tools that allow you to do just this. A password manager allows you to create a single strong password, and use that to encrypt a vault containing the logins to all your remaining accounts. What this means is that you can create a highly complex password for each site, but without the added overhead of having to remember these complicated strings.

Let’s apply that to an example risk

“There is a risk that my information may be accessed by unauthorised actors as a result of my password being guessed, or duplicated from another site that has been hacked”

You can calculate risk as a function of a threat (unauthorised access) due to a vulnerability (password being compromised) resulting in an impact (the consequences of the unauthorised access).

We can reduce the risk by controlling any one of these factors. Practically speaking we can’t reduce the chances that someone may try and hack an account. Similarly, we can’t do much to reduce the value that other people ascribe to our information. What we can do however, is reduce the chance that they will be successful. By using a password manager (and creating strong passwords) we have reduced the likelihood that someone will compromise our password. Reducing the liklihood has reduced the risk.

Of the many tools available, ISG have reviewed the two below and can recommend them as offering reasonable assurance:

• LastPass https://lastpass.com/
• Password Safe https://pwsafe.org/

Hopefully most people will have heard the word “ransomware” before, but it’s getting to be big business. Here’s a quick break-down of what you need to know- and what you need to do.

The low-down

Ransomware is basically a way of forcing people to pay money for their own information. It works as follows:

1. You get an email directing you to click on a link or open an attachment
2. You click on the link or open the attachment
3. The website you visit, or the attachment you open, changes (encrypts) all your files so you can’t open them
4. You get a notification that your files have been made unusable, with a demand to pay money to get them back
5. You may pay the ransom, and may – or may not- get your files back (how much do you trust the person who just stole your files?)

There are whole “businesses” based on creating ransomware, distributing it and gathering ransoms. Some of these run franchises, like big burger chains do.

Ransoms are usually paid in Bitcoin, which is a form of online money. It even has an exchange rate with other currencies like dollars or pounds sterling. Bitcoin is designed to make it hard for the police to trace the payment and find the attacker.

The files which people are most upset to lose are often photographs of family and friends.

Ransomware is often spread by plausible looking fake emails from banks, your employer/university, or online services like PayPal asking you to click on a link, open an attachment or fill in a form. These emails are called “phishing” emails.

Phishing emails are also used to trick you into handing over your information, e.g. bank details.

What you can do

We often hear people saying things like “It’s all too much to understand”, or “I’ll just stop using the Internet, then!”. Totally understandable, but there is a more realistic approach which isn’t as drastic or inconvenient.

Think about the things we all do every day to keep clean. We wash our hands when they get dirty. We (hopefully) shower or bathe. We wear gloves if handling something unusually messy or corrosive. We change our clothes, and wash them. We keep cuts clean and apply antiseptic. The overall aim is to keep our friends, and avoid infections.

Now imagine you had to write all of this down: when to wash, how to wash, what sort of gloves to wear… Anyone reading your instructions will say “Wow, that’s a lot to do! I can’t imagine that being practical.”. But it’s normal- you’ve made it a part of your day, and you probably don’t even think about it. It’s all basic hygiene.

How does this relate to ransomware? Simple. Managing your risk of infection by ransomware is also achieved by basic hygiene.

• If you have a cut, you bandage it and help it heal. If you have a computer with a security flaw, you apply the security patch (these can be set up to happen automatically, just like healing happens automatically).
• When you’re going to be doing something messy, you wear gloves. If you are on the Internet, you make sure you have antivirus software installed.
• If you see food with maggots on it, or which looks a bit dodgy, you don’t eat it. If you get an email or other message which looks wrong, you don’t believe what it says, or do what it asks you to do.

Your health insurance

Everyone has a weak spot; it’s not possible to guarantee that you’ll never get an infection. So keep a copy of your important files somewhere else, where you have to use a different password to get at it. You could also keep a copy of the files on a secure USB stick (don’t leave it plugged in). If you do this, then if you get ransomware, you can avoid paying the ransom, and just recover your files from the safe place you left them in.

But how do I recognise dodgy emails?

Remember learning what dodgy/tainted food looked like? Often, you learned from other people or from school. Recognising ransomware isn’t part of the National Curriculum, as far as I know, so try our anti-phishing game to get you started. You can also run through the phishing module in the Information Security Awareness course.