We’ve just had Black Friday and Cyber Monday, which are no longer limited to the days themselves but many sales spanning at least a week. Figures suggest that retailers have had very strong sales: Barclaycard has reported record numbers of transactions on Black Friday and online retailers have indicated that Black Friday and Cyber Monday have surpassed their expectations and broken record sales from previous years. In the UK, online sales are expected to have exceeded £1.27 billion on Black Friday alone.
Unsurprisingly, December is the busiest time for retailers and online shopping is particularly popular. Anecdotally, I’ve known some people refuse to buy Christmas presents online because of cybersecurity fears, most memorably the Liverpool taxi driver who took a day off work and drove to London to buy his son a skateboard rather than buy it online. It cost him a day off work, a day’s petrol to and from London and it was more expensive to buy in-store, but he refused to do any shopping online because “the hackers have won”. How many more people feel the same?
Last week, at the same time as Black Friday and Cyber Monday deals were being pushed by retailers, I surveyed over 1,000 people in the UK to ask if worries about cybersecurity had ever stopped them buying Christmas presents online.
The statistics suggest that one in five people in the UK have been put off buying a Christmas present online due to cybersecurity worries. Looking a bit deeper into the data seems to suggest that the older people are, the more likely it is that worries put them off buying online, but to be conclusive about that we’d need a higher sample size.
I ran the same survey last year and found that slightly fewer respondents had been put off buying Christmas presents online due to cybersecurity worries. The survey last year also had slightly fewer respondents in general (1,002 last year compared to 1,031 this year). It’s not a huge variations in the numbers, but I will run the survey at around the same time every year and it will be interesting to see if patterns become more conclusive, or not.
While I’m talking about future research, some thoughts:
It would be really interesting to run deeper research to explore the extent to which people choose their online retailer according to perceptions of cybersecurity (whether they trust the retailer or not). The hypothesis being that investing in cybersecurity, and marketing based on that investment, could offer a clear return-on-investment for online retailers. I plan to explore this question in the near-future.
I do a fair amount of these surveys, focusing on cybersecurity attitudes and behaviours (see my research on two-factor authentication and biometrics, for example). While surveying 1,000 people gives a good insight, it would be great to survey higher numbers. If you or a company you know would be interested in sponsoring such a survey, I’d be happy to chat about it so please get in touch.
I’ve been commenting in the media a fair bit recently. I like to do this when my schedule allows, it’s a lot of fun and, being passionate about my job, I love to talk about cyber security whenever I can. It’s an honour that I get opportunities at a national, and even international, level to raise awareness both of cyber security issues in general, but also of the industry as a career.
However, as it’s been an especially busy few months with my consultancy work and speaking events, I haven’t had as much time to post about the media appearances once I’ve done them. So, this is a summary of some of my recent commentary.
Passwords vs Biometrics on BBC Radio 4’s Today Programme
The Dyn DDoS on BBC Radio 4’s Today Programme
Pippa Middleton’s iCloud Account Compromise on Sky News
The UK Cyber Security Strategy
I spoke to a few media outlets about the new UK Cyber Security Strategy. Here’s what I had to say:
In his latest blog post for cyber.uk, Chris Ratcliff tackles the threat posed by the Internet of Things and asks what we can do to meet the security challenges we face with more and more devices connecting to the internet.
How do you feel about being a pawn in someone else’s battle? It may sound odd, but there are currently people scanning the internet to try and take control of the gadgets and gizmos that you and I plug into our home internet connections. They’re not looking to steal our banking details or passwords or personal photos, they just want our data connections.
There have now been reported Distributed Denial of Service (DDoS) attacks peaking at 1.1Tbs of data, and this new attack vector is through the Internet of Things (IoT), that slightly odd term meaning smart TVs, light bulbs, security cameras, fridges and everything else that manufacturers think should be connected to the internet. When a vulnerable device is found, it is compromised and code uploaded to it so that when directed by a remote server, it will send junk traffic through a target.
You might say, why does that matter? The idea of scanning for a vulnerable host and compromising it has been around for as long as there have been computer networks. The problem with some IoT devices though is that they’re not designed for security, but rather built for ease of use by the end consumer, or even down to a cost. With some devices on razor thin profit margins too, ongoing support may be limited or non-existent.
And this is where we have come to with this new method for generating huge surges of data, tens or hundreds of thousands of devices from all over the world riddled with security holes, plugged into internet connections with little or no barrier between them and the outside world. How did we get in this mess?
There is an eternal conflict between security and usability. While it’s easy for security people to raise the concerns, and technically minded people to build a DIY solution, it’s easy to overlook just how many people consider IT, from laptops and phones to gadgets, to be something that should just work. In other cases, controls are actively turned off. Maybe it’s trying to get a child’s device to connect to the internet, maybe it’s to stop an annoying pop up, maybe it’s sheer bad luck. It comes down to a simple question in the mind of the consumer; “What do I have to do to be secure?”
Historically the answer has been ‘Get anti-virus’, then that was joined by ‘and a firewall’. You were now secure. You didn’t have to worry. You locked your doors at night, and you had a firewall on your PC. You were safe. Some may argue it was a false sense of security, but that was enough for many. Of course, many also forget or couldn’t be bothered to renew their anti-virus. They wouldn’t update their OS. They had no awareness of End of Life dates. Windows support? Who uses Windows support? It still runs, why bother upgrading it?
And herein lies the problem. Humans like knowing that things are taken care of. Threats of war? We have a military and intelligence services. Threats of violence or theft? There’s the police. Your ISP might offer a firewall or some sort of protection, so you don’t need to worry about online threats. Heck, the wi-fi access point your ISP provided even has Super Protection Features built in! Except that your new CCTV which lets you check on your house from anywhere doesn’t work over the Internet, but when you turn off that protection it does! It can’t be a problem though, they wouldn’t be allowed to sell them if they weren’t secure, right?
Even opening a web page is fraught with problems. If you’re ever tried locking down your web access, you’ll see a raft of connections made to a myriad of servers with each page request. Adverts, trackers, dynamic content, static content…
The answers, as much as there are, will seem obvious. Change passwords, update firmware, buy from reputable sources. Technology can be difficult though, as a single vendor’s product may be repackaged and sold under a myriad of different brands around the world.
As you’re reading a security blog, written by people who deal with security for a living, then the obvious solution may seem to be more security. Maybe we’ve reached a point where firewalling a PC is no longer enough, and we should use firewall appliances to shield our entire home network. We should set rules on that firewall to limit access to what’s required, and update its firmware and threat signatures frequently. We should inspect traffic coming from different devices and look for anomolies. Of course we also need to keep up to date ourselves with emerging trends and ensure that our defences are fit for purpose for those new threats. Then, when the manufacturer announces an End of Life date, we need to chuck our now obsolete firewalls in the bin and buy something newer, shiner, faster and supported.
Ok, that’s an infinitesimal fraction of the population protected, now the rest of the world.
In the UK, there is the Trading Standards Institute. Their role with local authorities is to ensure what is sold to the public is safe and legal. They run campaigns seizing counterfeit goods or potentially dangerous USB chargers. There’s also CE marking showing that a product meets safety standards set out for that product category. In the US, the Federal Trade Commission proudly states that it is ‘Protecting America’s Consumers’, and they were one of the bodies who charged VW with misleading consumers on emissions. Currently, as long as a device is safe with regards to power handling, materials used and RF emissions then it’s safe. I don’t see any of these bodies or standards looking at how vulnerable a device is.
What makes this especially challenging is that the harm to the individual is limited (though the frequency of these attacks could well increase) but the harm to the population is very significant. If this sounds like a need for herd immunity, then you’d be right, except there’s no vaccine that can be widely, and easily, administered.
I can see a future where Stuff That Connects To The Internet – which will probably be most electrical items and infrastructure – will need to meet a minimum standard to be legally sold in the UK. ISPs will need to be much more proactive in spotting unusual traffic patterns and both protecting the upstream data and informing their customers that something unusual is happening – although the customer service side of that is tricky. Future generations will also be much, much more familiar with everything that’s involved in living a technological life. They will understand the issues more instinctively and be more savvy about how they treat the internet.
However we need a short term solution. I’ve heard calls for the banning of IoT devices until this issue is resolved, but it leaves a huge legacy of devices sitting on networks which may be unpatchable, owned by people who don’t even realise they’re part of the problem and require action.
I always try and give my blogs something actionable in them, some great take away for people to use. Instead this time, I throw the floor open to you all. Is there a solution to this, or do we need to improve our DDoS protection?
Yesterday Yahoo confirmed that it was the target of the biggest known cyber attack in history. In 2014, 500m Yahoo accounts were compromised, with data including names, email addresses, telephone numbers, date of births, hashed passwords (most with bcrypt) and security question answers, some of which were unencrypted. Yahoo has claimed that this attack was carried out by a state-sponsored attacker.
I’ve done a few radio interviews giving my thoughts today, and you can listen to what I had to say on BBC Radio London.
Or watch a quick clip of me discussing the breach on Channel 4 News:
I’ve talked about the need for people to change their Yahoo password and set up two-factor authentication and to use strong, unique passwords on all of their accounts. This breach also highlights the need for people to deactivate accounts they no longer use.
Some thoughts which I didn’t get chance to go into on the radio or TV:
This is the biggest known cyber attack or data breach in terms of number of accounts compromised, and the impact on users could be significant. However, it’s interesting to consider how we classify the ‘biggest hack ever’. While this is the largest in terms of volume, is it the biggest in terms of impact? I’m thinking particularly of the Ashley Madison breach, following which at least one user reportedly committed suicide, and the US Office of Personnel Management breach, when information, including fingerprint data, of US government employees (some of whom of course have security clearance) was compromised.
It also needs to be noted, of course, that this is the biggest known breach. When the Myspace breach of 360 million accounts came to light in May of this year, that was reported as the biggest breach only because we didn’t know about this one. Who knows what breaches have taken place that are simply not known?
When Yahoo confirmed the breach yesterday, many people highlighted the fact that security researchers informed Yahoo in July that account information stolen in 2012 was seemingly being sold on the dark web. At the time, Yahoo responded by saying they were investigating. Many people understandably assumed that the breach Yahoo were confirming yesterday was the same data advertised for sale earlier this summer. Apparently this is not the case. It seems, rather, that when Yahoo investigated the purported 2012 breach they found no evidence to support that it was legitimate but the investigation found another breach, the 2014 one we’re now hearing about.
Yahoo actually seem to be handling the breach communications pretty well, albeit belatedly. Many have expressed surprise that they are so confident that the attacker is a state-sponsored individual, not least because attribution in this space is so notoriously difficult. Putting that to one side, Yahoo have been prompting users to change their passwords and have put in place communications such as this FAQ, which are really helpful. It is a shame, however, that they aren’t using the opportunity to get more people using their two-step verification. My research suggests that only 20% of British people use 2FA, which is a real concern given how much more effective it is than simply having a password.
The news of this breach comes as Yahoo is in the process of finalising the sale of its business to Verizon, an acquisition which began in July. It will be interesting to see if the breach has any impact on this.
A couple of days ago I was interviewed on LBC radio about the recommendation from FBI director Jim Comey that everyone should cover their webcams. You can listen to what I had to say here:
The media response to this advice (much like the response to the fact that Mark Zuckerberg covers his) seems to have been one of surprise. However, for most in the cybersecurity industry, it won’t come as a shock. I’ve covered my laptop webcam for years as one of many precautions to stay safer online.
How a webcam can be hacked
Criminals can gain access to a webcam by using malware or Remote Administration Tools (RATs). Malware and RATs can be planted on your machine most commonly via infected files or malicious links, so being wary of what you click on whilst using the internet and opening emails is crucial.
Remote-access webcams are vulnerable to hacking like anything else connected to the internet, often by owners using default or weak passwords.
How often does it happen and why should I care?
Like all crime, let alone cybercrime, it’s impossible to say how often it happens. They key consideration for me, here, is impact. If your webcam is hacked, the impact of that can be huge. Think about the amount of time your laptop screen is left open, ‘looking’ at you. Perhaps you leave it open in your room while you get changed, perhaps you work in your underwear, perhaps I’ll leave you to think about all of the other things you do in front of your laptop screen that you would rather not share with the rest of the world.
There have been some pretty well-known cases of webcam hacking:
In 2014, Jared James Abrahams was sentenced to 18 months in prison for hacking the webcams of women and girls and secretly taking photos of them while they were undressed. He then contacted his victims and threatened to publish the photos online if they did not send more or undress for him via Skype. Abrahams reportedly told investigators that he hacked the webcams of 150 women and girls. One of his victims was Miss Teen USA, Cassidy Wolf, who has since campaigned to raise awareness of cybersecurity among young people.
In 2014 it came to light that a Russian website was sharing videos illegally captured from 10,000 webcams worldwide (584 of which were in the UK). The site targeted remote-access cameras that were still ‘protected’ by the manufacturer’s default password, whilst also providing the information needed to hack into the camera systems, plus GPS locations and postcodes. The site proclaimed that it was in operation to highlight the importance of security settings.
In 2015, Stefan Rigo was convicted in the UK of using the malware ‘Blackshades’ to infect victims computers and take over their webcams. Forensic examination of his computers found images of people engaged in sexual acts over Skype or in front of their computers. During his trial he admitted to being addicted to monitoring people via their computers, spending 5 to 12 hours a day doing so over a three year period.
So, should I cover my webcam and then I don’t have to worry about it?
I recommend covering your webcam. You probably don’t use it much and it’s easy to cover it with a little sticker or piece of sticky paper which you can simply temporarily remove when you need to use it. This will stop anyone being able to see you or take images of you via our webcam without you knowing about it.
However, this is – literally – a sticking plaster for the problem. Covering your webcam is one thing but if your webcam is hacked, that means your machine has been hacked and the attacker could be accessing all of your other information and / or using your machine as part of a DDoS botnet. So at the same time as covering your webcam, you should also:
Be wary of clicking links and downloading documentswhen you browse the internet and read emails, texts, whatsapp messages, etc
Use anti-virus and anti-malwaresoftware
Keep devices and software up-to-date so that known bugs will be patched and can’t be exploited by attackers
Don’t use public wifi where you could become the victim of a man-in-the-middle attack
If you have a remote-access webcam, change the password from the defaultone. Use a strong password
Remember: there is a webcam on your mobile phone and your phone probably sees more intimate images of you than even your laptop does. Your mobile is a computer and can be hacked just like your laptop, so all of my advice relates to them, too. Chances are that you use your phone camera more than your laptop one and so a sticker might not be practical, in which case there are products available which can cover the front and back lenses whilst still giving you access to the camera.
In the final blog post of Chris Ratcliff’s series about speaking at a security conference, it’s SteelCon 2016 and the day of the presentation itself. Read on for a presenters-eye-view of standing up and giving a talk – and why, if you haven’t already, you should give it a go.
So far in these blog posts I’ve gone from never having set foot in a security con, to doing my first talk to preparing my latest one. This post is the talk itself…
The day. Oh, what a day. Steelcon is a fantastic event, with great talks and a great atmosphere. Since it started I’ve been taking photos for the event. That means bouncing from hall to hall, taking photos, chatting with folk, Tweeting photos and generally keeping an eye on everything going on. The downside of this is that I never really get a chance to sit down and watch a full talk live, but on the upside I don’t have time to worry about my presentation. About half an hour before my slot I go into presentation mode. Boot the laptop, check my clicker is working, make sure the presentation is there and quickly run through the slides. I start pacing and I’ve got about 10 mins before I need to go up. I’m making idle chit chat with people, but mostly I’m thinking about the talk.
The talk. The easy bit. Once I’d resolved an AV issue getting my laptop hooked up to both the room and recording equipment, I could begin. This really is the easy bit, because the slides can’t be changed now, you’ve rehearsed (hopefully) the talking bit, it’s now just a case of doing it. The one piece of advice I was given very early on was “know your opening”. If you know the first thing you’re going to say when you open your mouth, then the rest will flow from there. And I fluffed the first thing I had to say.
The important thing is not to dwell on your mistakes. They’ve happened, and they can’t be changed. Just keep moving on. I knew the next bit, and off I went.
I made a few mistakes as I went through, especially getting myself horribly confused on the Fight Club reference about the cost of a safety recall vs the cost of the fines or compensation. I also knew going in I was struggling with the name of the airbag manufacturer. Takata, simply pronounced ta-cat-a. I can do it now, takatatakatatakatatakatatakatatakatatakatatakatatakatatakata, but I knew I’d struggled with it going into the talk and sure enough I saw it looming and tripped again.
I had to remember that at a friendly event, filled with likeminded people, the room is one of the most supportive you’ll ever get as a presenter. Everyone there wants to enjoy the talk, and wants you to do well. There’s also no harm in being vulnerable, being open, being honest. When I forgot one of the important researcher’s names I was citing and someone called it out, I had to say something so I was honest about why I kept forgetting. It’s humanising.
The review. The important bit. I was lucky this year that Steelcon had video recording running, and running reliably, across all the talks so I could watch my talk back. It’s weird, it’s a bit uncomfortable, but it’s crucial in being able to identify what went well, and what you can improve. I discovered errors I’d made and not even noticed – such as mixing up a clutch and throttle pedal – while others were not having planned out a slide properly and instead of making the point I wanted, I’d ended up making a different one.
I was pleased with the response I received both at the event straight after the talk, and subsequently on social media. If you can, however, solicit feedback and critique. While it’s nice to get praise, constructive feedback will give you a different perspective on how things went and areas to work on next time.
Thinking back to my crisis of confidence I remembered the thing I worried about most; the lack of technical depth. The truth is that I’d laid my stall out well in my CFP so it was clear that my talk was going to be high level. On top of that I only really had 45 minutes or so, and a lot of ground to cover – 60 slides in fact! Those who knew the subject took away something new, but what I came to realise was that many people came in with little or no knowledge of the subject. What’s obvious or basic to me is only that because I’ve been dabbling in car systems for three or four years. The field of computer security is so huge that no one knows everything about everything, and what’s basic for one person is enlightening for another.
If you have a desire to talk at a security con (or anywhere!) then I hope this has been useful, or at the very least shown what it’s like from behind the microphone. It can be daunting to stand up and ask people to listen to you, but it’s a thrilling challenge, and one I would recommend anyone tries at least once.
In the second of a great three-parter, Chris Ratcliff talks us through what it’s like to go from attending security conferences to speaking at them. This post is specifically about honing the idea for a CFP through to preparing the presentation in its entirety. If you’ve ever thought about speaking at a conference, these posts are full of helpful, reassuring and practical advice. If you’re already experienced in conference speaking, there will be so much you can relate to (hi, google image search!) and probably something you can learn from, too.
In the last post I talked about my introduction into the world of security cons and why people talk at them. With a desire to present at Steelcon 2016 here’s how I went through the process step by step.
The subject. A tricky one. I still don’t have a technical field of research with breakthroughs I can talk about. Can I do people-y stuff again? Do I have anything to say? I keep work stuff separate from what I present about otherwise it opens a whole new can of worms.
I do have an interest in cars, and I’ve done a bit of tinkering with them. I start thinking, I start talking in my head. I start doing a presentation just to see where it leads, and I think I can bring some insight. I’m really interested and excited about the subject. This is key, as if you’re not passionate then that will come across. Most of all, I think I can add value to the event and to the community. Great, I have an idea, and I have a sense of purpose.
The CFP. This is the tricky bit. Most cons have a Call For Presentations where you submit your idea and an abstract that will become essentially your advert in the event schedule. You want to give a flavour of your talk without going through the content, to be detailed enough as to why you should present, and to attract attendees to come and see you! I’ve seen some really underplay their value, while others really go OTT to stand out.
My success ratio isn’t brilliant, so I wrote what I thought was best, and bounced it off a few people with more experience than I who helped shape it to a couple of simple sentences. I submitted it, and it was accepted!
I had an idea, and I had a slot. So now I just have to write and prepare and give my talk. Easy, right?
When it comes to presenting, I’m constantly aware of other people who do it really, really well. Great presenters tell great stories, and I’m a huge stand-up comedy fan. Dave Gorman’s Googlewhack Adventure is a fantastic story, but it’s also a good example of working with Powerpoint. Steve Jobs’ Apple keynotes are case studies in what to not include in presentations, and how to build a narrative and take the audience with you. TED talks can be great too, watching people like Mark Ronson ooze his personal calmness or Adam Savage be passionate is inspiring and informative. It’s not just about what they say, it’s how they say it.
These people are professionals at this though, how does this apply to me?
Every time you can watch anyone get up and talk, you can learn about presenting. If you attend an event with many speakers, watch each and look for things you could do too, what the speaker did well, and also where they could have improved and apply all of those to yourself. It may feel like imitation at times, but it’s a great way to identify a good trait and try it out.
I had an idea, a concept. I wrote down four major bullet points for my talk:
I’d start slotting things into those headings, and discarding ideas that didn’t fit. I carried on presenting my talk to myself while out walking or doing the shopping or cleaning the kitchen. Letting my mind go down new paths and make new connections. I’d jot down ideas or update notes on my phone so I didn’t forget them – though ‘photo of footwell’ in isolation isn’t always very helpful. I started outlining what slides would be needed. With a couple of weeks to go before the event, I obviously had a full slide deck ready for polishing.
The more I outlined the slides, the more research ideas turned up, which meant more Googling, which opened up yet more avenues for discovery. I had my slide ideas though, I had my bullet points, I had to move on.
The Slides. Or how I learned to stop worrying and love Powerpoint. It’s really easy to get distracted, and I did, with relatively trivial things. With the presentations being recorded, should by slides be 4:3 or 16:9? I tweeted the organisers and the head AV guy, I looked up how to set them differently in Powerpoint. That probably lost me a couple of hours overall. It’s the little things, the animations, the choice of fonts and colours that can take hours to choose but add little if the content isn’t there. I was in a time crunch so ploughed on, which was actually a blessing in disguise. The worst habit people have with Powerpoint is too many words. Putting up sentence after sentence which distracts the viewer, and can lead to you reading the words off the screen too. A bad habit, but very easy to do.
I didn’t have time to write words, and words which I’d have to stick to rigidly. Instead I hit Google Image search. I’m looking for images to illustrate my point – or be a punchline – and then it’s onto the next.
My way is not to write out talks long hand, but essentially make sure I know the bullet points I want to hit in a slide, and what gets me to the next slide. In some cases, too, knowing when to trigger an element within a slide.
On that note, if you’ve never used Powerpoint with a multiscreen set up then you’re missing out on Powerpoint’s great presenter view. On your screen you can see the next element to be displayed, your notes, the elapsed time and the current time. To have those available to you is a god send. You don’t have to remember every slide, or turn to face the screen the audience are watching. One tip: make notes very short and in a decent sized font!
The crisis. It will come, one day. About 10 days before Steelcon it hit. Should I really be doing a talk? Is it technical enough? Should I have more actual examples and less of my conjecture? I know I can stand up and talk, but what if people say it was too self-indulgent or, even worse, boring? The crisis is like stage fright for your Powerpoint deck. I reviewed the slides, I made sure things still fitted and were relevant. I even looked back at the stuff I’d cut out. Actually, would it be better in, or was I right to cut it? This is the moment that panic can set in and rash decisions made, but best to be methodical and stick to the course.
For me the worry was that the more I researched the topic of car hacking, the more I found whole reams of working groups, forums, projects and documentation outlining how things work and the standards they use. If anyone had an interest in car hacking, and they did more than 5 minutes Googling then they’d find most things I would talk about and more. Heck, I cited two PDFs in my talk that I find fascinating. They go into the greatest depth about car hacking and anyone who’d read them would realise I was barely scratching the surface. There was some original thinking though, but it was around the industry and not massively technical. I hoped I wouldn’t lose my audience.
Rehearsal, or do what I say, not as I do. You should absolutely rehearse your talk. The process of doing it and refining and iterating will help you give a more polished talk and iron out any bugs or errors. And I didn’t. Well, that’s not strictly true, but I never performed it. I went through it again and again, I drummed in the words and the ideas. I stepped through the powerpoint deck, going through the bullet points, the asides, the links and making sure it worked.
So far so good. In the final blog of this series it’s the big day of the talk itself, and then reflecting on how it went.
Biometrics hit the headlines again recently with news that Barclays is rolling out voice recognition technology to its telephone banking customers as a replacement for passwords. In recent years, there has been an increased focus on biometrics, for example with many people getting used to fingerprint technology to access iPhones. It’s an interesting subject from a cybersecurity point of view, as any new technology brings with it the opportunity / threat of compromise, demonstrated, for example, by this story about exploring 3D printing to bypass fingerprint access to an iPhone.
With the news of Barclays voice recognition, I was approached by a few media outlets to comment on whether we are about to see the end of the password, and the cybersecurity implications of biometric systems, including this interview on Radio 4’s Today programme.
When I’m able to, I’m always happy to give my opinion to the media on issues which relate to cybersecurity, but with something like this it’s the opinions of the general public which interest me the most. After all, it’s the attitudes and behaviours of the ‘average user’ that we’re often trying to engage with and influence, so how do they feel about biometrics?
A few days ago, I asked members of the general public in the UK the following question:
Would you use a biometric system (voice activation, fingerprinting etc.) instead of a password to access your internet accounts (e.g email and online banking)?
1,003 people completed the survey, 51.6% were male and 48.4% female. The overall findings were:
The most popular response was that people would consider using a biometric system, at 35.5% of the sample, closely followed by those who would not use it because they don’t trust it, at 28.7%. Behind that were those who wouldn’t use it because they don’t understand it, at 22.3%, and finally the group of people who already use it, 12.9% of the sample. There was a tiny percentage of people, 0.6%, who selected ‘other’ and their responses included ‘don’t know’, ‘too tech’, ‘maybe’, ‘not sure’ and ‘boring’*. I could dismiss the respondent who inputted ‘boring’ but this response has value in itself. The response rate for this survey was only 15.4% and this could be related to the perception that cybersecurity is boring and onerous – a challenge the industry faces when trying to encourage engagement from the ‘average user’.
Returning to the top level findings, the proportion of people that either currently use a biometric system in place of a password, or would consider doing so, is 48.4% and those who would not use it either because they don’t trust it or don’t understand it is 51%. So there are marginally more people in this sample who reject, rather than feel quite comfortable with, biometrics. However, it’s such a small margin that it’s hard to put stock in it, and so it seems pretty much 50/50 whether people in the UK are willing to embrace biometrics or not.
When we unpick the data further, the findings offer more insight.
People in the East of England were most likely to consider replacing their passwords with biometric systems, at 52.9%, and Londoners were least likely, at 29.3%.
The East of England was the area which displayed the most trust in biometrics (only 16.7% rejected the idea of biometrics due to distrust). The least trusting place was the North East, with 34.8% of people from that area saying they would not use biometrics due to distrust.
Comparing how women and men feel about biometrics shows that men have more faith and trust in replacing their passwords with biometrics. The gap between women who would consider replacing their password with biometrics (33.2%) and those who would not trust it (30.5%) was much smaller than the gap between men who would consider it (39.7%) and those who do not trust it (27.3%).
When we breakdown the findings by gender and geography, we discover that the least trusting population is women from Wales, 43.5% of whom would not use biometrics due to distrust. This contrasts quite sharply with the most trusting population, men from the East of England, where only 10.3% reject biometrics due to trust issues.
Attitudes by Age
Attitudes to biometrics also varied according to age group, and probably not in the way many people would expect. It is often said that ‘millennials’ have a laissez-faire attitude to privacy and security. However, my findings here contradict the notion that 18-24 year olds are oblivious to issues of technology and security.
18-24 year olds were the age group least likely to consider replacing their passwords with biometrics, with only 25.4% of that age group saying that they would consider doing so. They were also the age group least likely to trust biometrics, with 38.1% saying they would not use biometrics in place of passwords because of distrust.
It’s interesting to speculate why attitudes to biometrics vary according to age. Perhaps the younger age group feel more comfortable with passwords, having grown up with the internet? Are the older age groups more willing to trust biometrics because they, perhaps, have more work accounts and are fed up with trying to manage so many passwords? Could it be that younger people are more privacy conscious, and more aware of the pitfalls of technology, and so more considerate of the risks of giving away their biometric data?
Sharing this article on Twitter elicited the following suggestion regarding why young people in the UK may be the age group most likely to distrust biometrics:
@drjessicabarker@cyberdotuk it would be interesting to cross check this with whether they had been required to use biometrics in school
At least 3,500 schools in the UK use biometric security systems and as this article highlights “a data breach will mean these type of scans will be untrustworthy for the pupils – for the rest of their lives”. Perhaps the very experience of being expected to entrust their schools with their biometric data has instilled in many young people an awareness of the potential pitfalls of such systems?
Without more research, it is impossible to know exactly why people feel differently about passwords depending on where they live, their gender and their age. However, if organisations want consumers to use biometrics more, they will need to address the sections of the population which are most sceptical about how biometrics work and whether the systems can be trusted. In particular, 18-24 year olds are an important cohort they will have to engage with if they are to have any success. The password isn’t going to die anytime soon if the younger generation has little trust in the alternatives.
They say you always remember your first time. For me it was 1995 at the British Educational Training and Technology show at Olympia. The college I attended had a sponsorship deal with a company who were exhibiting and they wanted someone to talk about the use of IT in day to day education. While my contemporaries stared at their shoes I thrust my hand up and a few weeks later was being handed a full on Madonna wireless headset and presenting to an audience of bemused show visitors and stand staff who enthusiastically watched a 15 year old geek talk about using IT while a friend of mine used various trigger words to know when to change slide or quickly alt-tab to another application to make a point.
21 years later, that’s the only time I’ve ever had a voice activated slide deck.
Since then I MC’d mountain bike events for Future Publishing and Red Bull, appeared on the Extreme Channel and even had a few goes doing car videos on Youtube. I’m not an extrovert but public speaking isn’t something I shy away from, it’s fair to say.
Then my first con. BSides London 2014. It was overwhelming and exhilarating. I’d never even watched a hacking talk online, but now I was surrounded by people sharing the results of their research, sharing their secrets, doing things I understood but could never actually do. On the train ride home, I started preparing my ideas for a talk of my own.
There are often discussed points as to why you should do a talk at a con; it may be for personal development, commercial reasons, to try and raise your professional profile to help your career, or simply because you have a cool thing you want to share with people. There’s no requirement to, though. I think it’s a great thing to give back to the security community, but there are many, many ways to do that. For me, I think a lot of presenters don’t do it because they think they should, but rather because they are driven to.
It’s also worth remembering that organisers choose talks, and that’s your first round of validation. If your talk is not selected then they think it wouldn’t be a good fit. It stings to be rejected, but if you are accepted then it’s a sign that other people believe in your idea.
My ideas weren’t technical, they didn’t unveil a new attack or highlight vulnerabilities in a thing, they talked about people. They were both offensive and defensive, they brought some experience I’d gained through work and hoped to fill in some of the gaps I saw at different BSides events. And no-one would accept them. Eventually I got a slot at the second Steelcon event in 2015 and I found the talk on the other track was about the myths of plane hacking. In hindsight this was A Good Thing, as it meant my first security talk was for a modest audience, and it was definitely a learning experience.
To build on that first experience I decided to do a presentation for Steelcon 2016. In my next guest post I’ll take you through the process; the highs, the lows and how Google image search is your friend.
News of a data breach at the UK software company Sage is a reminder of the potential damage which can be done by an insider. Sage is a FTSE 100 company and provides business management software for companies in 23 countries. It has reported the breach to the City of London police and has informed customers who they believe may have been affected that the personal informaton of employees at 280 firms may have been compromised by someone using an internal computer login.
The insider threat can take the form of malicious and non-malicious activity. From an attacker (or attackers) with inside access who are consciously stealing or using internal information for their own gain and / or to harm the organisation, to an individual accidentally emailing information to the wrong recipient or leaving documents on a train. Research suggests that the malicious insider is the most costly threat facing organisations.
What can your company do the mitigate the insider threat?
Access to information should be based on the principle of ‘need to know‘. Ensure that this is in place with an access rights review and set up procedures to make sure that IT is informed, and amends access accordingly, when employees move jobs or leave the organisation. Data should be segregated, with network segregation at least according to department.
Train employees in cybersecurity, instilling them with an understanding of the threats and of the impact that their behaviours can have on keeping information safe.
Situational awareness is important on an organisational, as well as individual, level. Participate in threat sharing communities if at all possible. Communicate with peers to develop and maintain awareness of the threats which they are managing and consider what this means for you. Remain aware of current cybersecurity threats hitting the headlines.
Look at your password policy, and practices of employees. Do people leave passwords on post-it notes on their desks, or share them with colleagues? If so, this increases the potential for unauthorised insider access and could be an indication that you should simplify your approach to passwords.
Consider your other cybersecurity policies. Have you clearly and concisely communicated how you expect employees (and anyone else with access) to handle information? How are the policies communicated and enforced? It’s really important to understand where people find workarounds in the policies and procedures – what they routinely don’t comply with as a means of getting their job done. These workarounds shows where policies and procedures are hindering the business and inducing risk. Work with the business to address these in a proportionate way – how can you find a balance that enables people to get their job done whilst maintaining security of information?
Review how employees and contractors access your network. Remote working and Bring Your Own Device (BYOD) open up new risks and so you may need to consider how you can support flexible working whilst minimising those risks.
Encrypt data at rest and in transit. Don’t make it easy for unauthorised people to access and view data.
Look at your personnel and physical security. How easy would it be for an attacker to take advantage of an internal weakness, such as tailgating, poor CCTV or a lax approach to wearing name badges? A social engineering test is a good way of attaining an ‘attacker’s eye view’ of your organisation.
Keep logs. Many organisations don’t make this a priority, and whilst logs of course will not protect you from the insider threat, they will provide an audit trail to help you unpick what has happened and provide supportng evidence in a criminal trail, should it come to that.
Have an incident response plan, which outlines roles, responsibilities and avenues of communication – and test it. Again, an incident response plan will not protect you from the insider threat, but it will enable you to respond as quickly and effectively as possible. However, it will only do this if you test it to ensure that when you really need it, the theory works in practice.
Some of these tips are aimed at minimising the insider threat, whilst others are about managing an incident should one occur. Ponemon’s latest data breach report highlighted that having an incident response team, extensive use of encryption, employee training, participation in threat sharing or business continuity management decreased the per capita cost of a data breach.
Finally, remember that the definition of an insider threat is not limited to employees, but rather relates to anyone (employees, contractors, third-part suppliers) who accesses your information or networks.