Risky Business

Tips and tricks for securing information

Ransomware: Your money or your (online) life!

By Bridget Kenyon, on 10 February 2017

Hopefully most people will have heard the word “ransomware” before, but it’s getting to be big business. Here’s a quick break-down of what you need to know, and what you need to do.

The low-down

Ransomware is basically a way of forcing people to pay money for their own information. It works as follows:

  1. You get an email directing you to click on a link or open an attachment
  2. You click on the link or open the attachment
  3. The website you visit, or the attachment you open, changes (encrypts) all your files so you can’t open them
  4. You get a notification that your files have been made unusable, with a demand to pay money to get them back
  5. You may pay the ransom, and may, or may not, get your files back (how much do you trust the person who just stole your files?)

There are whole “businesses” based on creating ransomware, distributing it and gathering ransoms. Some of these run franchises, like big burger chains do.

Ransoms are usually paid in Bitcoin, which is a form of online money. It even has an exchange rate with other currencies like dollars or pounds sterling. Bitcoin is designed to make it hard for the police to trace the payment and find the attacker.

The files which people are most upset to lose are often photographs of family and friends.

Ransomware is often spread by plausible-looking fake emails from banks, your employer/university, or online services like PayPal, asking you to click on a link, open an attachment or fill in a form. These emails are called “phishing” emails.

Phishing emails are also used to trick you into handing over your information, e.g. bank details.

What you can do

We often hear people saying things like “It’s all too much to understand”, or “I’ll just stop using the Internet, then!”. Totally understandable, but there is a more realistic approach which isn’t as drastic or inconvenient.

Think about the things we all do every day to keep clean. We wash our hands when they get dirty. We (hopefully) shower or bathe. We wear gloves if handling something unusually messy or corrosive. We change our clothes, and wash them. We keep cuts clean and apply antiseptic. The overall aim is to keep our friends, and avoid infections.

Now imagine you had to write all of this down: when to wash, how to wash, what sort of gloves to wear… Anyone reading your instructions will say “Wow, that’s a lot to do! I can’t imagine that being practical.” But it’s normal: you’ve made it a part of your day, and you probably don’t even think about it. It’s all basic hygiene.

How does this relate to ransomware? Simple. Managing your risk of infection by ransomware is also achieved by basic hygiene.

  • If you have a cut, you bandage it and help it heal. If you have a computer with a security flaw, you apply the security patch (these can be set up to happen automatically, just like healing happens automatically).
  • When you’re going to be doing something messy, you wear gloves. If you are on the Internet, you make sure you have antivirus software installed.
  • If you see food with maggots on it, or which looks a bit dodgy, you don’t eat it. If you get an email or other message which looks wrong, you don’t believe what it says, or do what it asks you to do.

Your health insurance

Everyone has a weak spot; it’s not possible to guarantee that you’ll never get an infection. So keep a copy of your important files somewhere else, where you have to use a different password to get at it. You could also keep a copy of the files on a secure USB stick (don’t leave it plugged in). If you do this and you then get ransomware, you can avoid paying the ransom and simply recover your files from the safe place you left them in.

But how do I recognise dodgy emails?

Remember learning what dodgy/tainted food looked like? Often, you learned from other people or from school. Recognising ransomware isn’t part of the National Curriculum, as far as I know, so try our anti-phishing game to get you started. You can also run through the phishing module in the Information Security Awareness course.

GDPR or GDPARRGH: Data Protection Strikes Back

By Bridget Kenyon, on 10 February 2017

Yesterday, I went to a meeting with a number of other organisations to talk about the Big New Scary Thing (GDPR). The revised data protection law comes into effect next May. It covers all data relating to a living individual (including me, except on Wednesdays when I am a zombie).

There was a general air of determination, but also some concern regarding what the darned thing actually wanted from us. OK, people agreed that it was a good move for security, but no-one was sure what it meant in practice.

Here’s an example. GDPR requires organisations to notify the ICO immediately in the case of a breach. This sounds really sensible. But what does “immediately” mean? And how certain should you be that it really is an incident before you notify? And, more worryingly, what constitutes awareness of a breach? If one IT staff member notices something a bit odd, does that mean that UCL is “aware”? Oh, and do they mean ALL breaches? The ICO will need another thousand or so staff if they have to get involved in every minor incident.

Fines and other monsters

The other funny thing was that people are really worried about possible fines. The maximum current fine for a breach is £500k, which is a lot for a corner shop, but not the end of the world for UCL. The new GDPR fines top out at 4% of global annual turnover: approximately £50 million for UCL. This is indeed scary, but here’s something else which might be a game changer. What if criminal liability comes with the package, as it does with Health and Safety?

In the Health and Safety world, the company is liable for damages, but an individual employee can also be charged with, and convicted of, “corporate manslaughter”, which carries a prison term.

If we apply this model to data protection, I think it might squeak a little, since most GDPR incidents aren’t life-threatening, but what about Sarbanes-Oxley in the US? That had teeth because it made the financial director personally responsible for the financial conduct of their company (broadly speaking).

So in conclusion, there are always monsters under the bed. Some have fangs, some do not.

Hello everyone!

By Bridget Kenyon, on 8 February 2017

Hello and welcome to the Information Security Group blog. We help staff and students in UCL to protect themselves online, protect UCL from attack, and reduce the chances of accidents.

Over the next few months, we’ll be putting up information and news for academics, students and support staff. We’ll point you to articles on our website and other resources. Come back each week to hear from a different member of the team. This week, you’ll be hearing from Bridget Kenyon, Head of Information Security and ISG team manager.

Get in touch

Comment on any post using the form at the bottom, or email the team.

The UCL Information Security website has formal advice and guidance, including UCL’s policies.