Michael Hill interviewed me for Infosecurity Magazine about my background, some of the big consultancy projects I carried out last year, the media work I do and much more. You can read or download the magazine here. As always, it’s an excellent read, with articles on the cyber security implications of Trump’s presidency, an analysis of the future of encryption and a thought-piece on whether and when hacking back is ever legitimate.
Cyber crime can be pretty indiscriminate, with businesses of all sizes falling victim to attacks. For smaller businesses it can be particularly challenging to receive good cyber security information and advice. With this in mind, I contributed to an article that explores:
- top cyber crime predictions for 2017
- what small businesses can do to better protect themselves
- the future of cyber crime – what’s on the horizon?
Read what I and other cyber security professionals have to say about ransomware, the Internet of Things, spear-phishing, Artificial Intelligence, and more.
Most people in the UK returned to work this week after the festive break and I joined Radio 2’s Drivetime show, presented by Simon Mayo, to talk about one of the pitfalls: forgetting your passwords, having not logged in for a couple of weeks.
Take a listen to my interview with Simon Mayo below for my thoughts and tips on what makes a more secure password (and why) and how to cope with many complicated passwords at once (if you don’t want to use a password manager).
My parting advice in the interview is the importance of two-factor authentication; for advice and support in setting it up, check out this website.
Last night Yahoo announced another huge data breach, this one dating from 2013 and including information from 1 billion accounts. The information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5 so pretty trivial to crack) and, in some cases, encrypted or unencrypted security questions and answers. This follows the news in September of this year that information associated with 500m Yahoo accounts was breached in 2014.
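As an added illustration (not code from the original post) of why "hashed with MD5" offers so little protection once a password table leaks, and how a salted, deliberately slow hash such as the bcrypt used for most of the 2014 accounts differs: the block below uses `hashlib.pbkdf2_hmac` as a stand-in for bcrypt, which is not in Python's standard library, and the sample users and passwords are constructed.

```python
"""Added example: unsalted MD5 versus a salted, iterated password hash.
bcrypt is not in the standard library, so hashlib.pbkdf2_hmac stands in.
All users and passwords below are constructed."""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Set

# Constructed sample user table; two users happen to share a password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse battery",
    "bob": "hunter2",
    "carol": "hunter2",
}

def md5_store(password: str) -> str:
    """Unsalted MD5 as a password store: one fast hash, no per-user salt."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_store(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> str:
    """Salted, iterated hash: the same password yields a different record per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and round count; compare in constant time."""
    rounds, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

def duplicate_groups(records: Dict[str, str]) -> List[Set[str]]:
    """Users whose stored records are identical. Unsalted MD5 exposes this to anyone
    holding the table, and lets one precomputed table cover every record."""
    by_record: Dict[str, Set[str]] = {}
    for user, rec in records.items():
        by_record.setdefault(rec, set()).add(user)
    return [users for users in by_record.values() if len(users) > 1]

def md5_per_pbkdf2(rounds: int = 100_000, trials: int = 10_000) -> float:
    """Rough number of MD5 computations that fit in the time of one PBKDF2 check."""
    start = time.perf_counter()
    for i in range(trials):
        md5_store(f"sample{i}")
    md5_each = (time.perf_counter() - start) / trials
    start = time.perf_counter()
    pbkdf2_store("sample", b"\x00" * 16, rounds)
    return (time.perf_counter() - start) / md5_each

if __name__ == "__main__":
    md5_table = {u: md5_store(p) for u, p in SAMPLE_USERS.items()}
    kdf_table = {u: pbkdf2_store(p) for u, p in SAMPLE_USERS.items()}
    print("Shared passwords visible in MD5 table:", duplicate_groups(md5_table))
    print("Shared passwords visible in PBKDF2 table:", duplicate_groups(kdf_table))
    print(f"Roughly {md5_per_pbkdf2():.0f} MD5 hashes per PBKDF2 check")
```

The MD5 table shows bob and carol share a password with no work at all, while the salted table does not, and each PBKDF2 check costs tens of thousands of MD5 computations.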
I did a few radio interviews on the story this morning but wanted to expand on my thoughts. I made a video earlier in which I talk about:
- details of the breach
- the label ‘biggest known data breach’
- whether it could be state-sponsored
- what to do to better protect your online accounts
See what I have to say about this news and feel free to comment or ask questions; Twitter is usually the best place to reach me.
We’ve just had Black Friday and Cyber Monday, which are no longer limited to the days themselves, with many sales now spanning at least a week. Figures suggest that retailers have had very strong sales: Barclaycard has reported record numbers of transactions on Black Friday, and online retailers have indicated that Black Friday and Cyber Monday have surpassed their expectations and broken record sales from previous years. In the UK, online sales are expected to have exceeded £1.27 billion on Black Friday alone.
Unsurprisingly, December is the busiest time for retailers and online shopping is particularly popular. Anecdotally, I’ve known some people refuse to buy Christmas presents online because of cybersecurity fears, most memorably the Liverpool taxi driver who took a day off work and drove to London to buy his son a skateboard rather than buy it online. It cost him a day off work, a day’s petrol to and from London and it was more expensive to buy in-store, but he refused to do any shopping online because “the hackers have won”. How many more people feel the same?
Last week, at the same time as Black Friday and Cyber Monday deals were being pushed by retailers, I surveyed over 1,000 people in the UK to ask if worries about cybersecurity had ever stopped them buying Christmas presents online.
The statistics suggest that one in five people in the UK have been put off buying a Christmas present online due to cybersecurity worries. Looking a bit deeper into the data seems to suggest that the older people are, the more likely it is that worries put them off buying online, but to be conclusive about that we’d need a higher sample size.
I ran the same survey last year and found that slightly fewer respondents had been put off buying Christmas presents online due to cybersecurity worries. The survey last year also had slightly fewer respondents in general (1,002 last year compared to 1,031 this year). It’s not a huge variation in the numbers, but I will run the survey at around the same time every year and it will be interesting to see if patterns become more conclusive, or not.
While I’m talking about future research, some thoughts:
- It would be really interesting to run deeper research to explore the extent to which people choose their online retailer according to perceptions of cybersecurity (whether they trust the retailer or not). The hypothesis is that investing in cybersecurity, and marketing based on that investment, could offer a clear return on investment for online retailers. I plan to explore this question in the near future.
- I do a fair amount of these surveys, focusing on cybersecurity attitudes and behaviours (see my research on two-factor authentication and biometrics, for example). While surveying 1,000 people gives a good insight, it would be great to survey higher numbers. If you or a company you know would be interested in sponsoring such a survey, I’d be happy to chat about it so please get in touch.
I’ve been commenting in the media a fair bit recently. I like to do this when my schedule allows; it’s a lot of fun and, being passionate about my job, I love to talk about cyber security whenever I can. It’s an honour that I get opportunities at a national, and even international, level to raise awareness both of cyber security issues in general and of the industry as a career.
However, as it’s been an especially busy few months with my consultancy work and speaking events, I haven’t had as much time to post about the media appearances once I’ve done them. So, this is a summary of some of my recent commentary.
Passwords vs Biometrics on BBC Radio 4’s Today Programme
The Dyn DDoS on BBC Radio 4’s Today Programme
Pippa Middleton’s iCloud Account Compromise on Sky News
The UK Cyber Security Strategy
I spoke to a few media outlets about the new UK Cyber Security Strategy. Here’s what I had to say:
On BBC Radio Wales
On ITV News
On Scotland Tonight
On Channel 5 News
In his latest blog post for cyber.uk, Chris Ratcliff tackles the threat posed by the Internet of Things and asks what we can do to meet the security challenges we face with more and more devices connecting to the internet.
How do you feel about being a pawn in someone else’s battle? It may sound odd, but there are currently people scanning the internet to try and take control of the gadgets and gizmos that you and I plug into our home internet connections. They’re not looking to steal our banking details or passwords or personal photos, they just want our data connections.
There have now been reported Distributed Denial of Service (DDoS) attacks peaking at 1.1Tbps of data, and this new attack vector is through the Internet of Things (IoT), that slightly odd term meaning smart TVs, light bulbs, security cameras, fridges and everything else that manufacturers think should be connected to the internet. When a vulnerable device is found, it is compromised and code uploaded to it so that, when directed by a remote server, it will send junk traffic at a target.
You might say, why does that matter? The idea of scanning for a vulnerable host and compromising it has been around for as long as there have been computer networks. The problem with some IoT devices though is that they’re not designed for security, but rather built for ease of use by the end consumer, or even down to a cost. With some devices on razor thin profit margins too, ongoing support may be limited or non-existent.
And this is where we have come to with this new method for generating huge surges of data, tens or hundreds of thousands of devices from all over the world riddled with security holes, plugged into internet connections with little or no barrier between them and the outside world. How did we get in this mess?
There is an eternal conflict between security and usability. While it’s easy for security people to raise the concerns, and for technically minded people to build a DIY solution, it’s easy to overlook just how many people consider IT, from laptops and phones to gadgets, to be something that should just work. In other cases, controls are actively turned off. Maybe it’s trying to get a child’s device to connect to the internet, maybe it’s to stop an annoying pop-up, maybe it’s sheer bad luck. It comes down to a simple question in the mind of the consumer: “What do I have to do to be secure?”
Historically the answer has been ‘Get anti-virus’, then that was joined by ‘and a firewall’. You were now secure. You didn’t have to worry. You locked your doors at night, and you had a firewall on your PC. You were safe. Some may argue it was a false sense of security, but that was enough for many. Of course, many also forget or couldn’t be bothered to renew their anti-virus. They wouldn’t update their OS. They had no awareness of End of Life dates. Windows support? Who uses Windows support? It still runs, why bother upgrading it?
And herein lies the problem. Humans like knowing that things are taken care of. Threats of war? We have a military and intelligence services. Threats of violence or theft? There’s the police. Your ISP might offer a firewall or some sort of protection, so you don’t need to worry about online threats. Heck, the wi-fi access point your ISP provided even has Super Protection Features built in! Except that your new CCTV which lets you check on your house from anywhere doesn’t work over the Internet, but when you turn off that protection it does! It can’t be a problem though, they wouldn’t be allowed to sell them if they weren’t secure, right?
Even opening a web page is fraught with problems. If you’ve ever tried locking down your web access, you’ll see a raft of connections made to a myriad of servers with each page request. Adverts, trackers, dynamic content, static content…
The answers, as much as there are, will seem obvious. Change passwords, update firmware, buy from reputable sources. Technology can be difficult though, as a single vendor’s product may be repackaged and sold under a myriad of different brands around the world.
As you’re reading a security blog, written by people who deal with security for a living, the obvious solution may seem to be more security. Maybe we’ve reached a point where firewalling a PC is no longer enough, and we should use firewall appliances to shield our entire home network. We should set rules on that firewall to limit access to what’s required, and update its firmware and threat signatures frequently. We should inspect traffic coming from different devices and look for anomalies. Of course we also need to keep up to date ourselves with emerging trends and ensure that our defences are fit for purpose against those new threats. Then, when the manufacturer announces an End of Life date, we need to chuck our now obsolete firewalls in the bin and buy something newer, shinier, faster and supported.
Ok, that’s an infinitesimal fraction of the population protected, now the rest of the world.
In the UK, there is the Trading Standards Institute. Their role with local authorities is to ensure what is sold to the public is safe and legal. They run campaigns seizing counterfeit goods or potentially dangerous USB chargers. There’s also CE marking showing that a product meets safety standards set out for that product category. In the US, the Federal Trade Commission proudly states that it is ‘Protecting America’s Consumers’, and they were one of the bodies who charged VW with misleading consumers on emissions. Currently, as long as a device is safe with regards to power handling, materials used and RF emissions then it’s safe. I don’t see any of these bodies or standards looking at how vulnerable a device is.
What makes this especially challenging is that the harm to the individual is limited (though the frequency of these attacks could well increase) but the harm to the population is very significant. If this sounds like a need for herd immunity, then you’d be right, except there’s no vaccine that can be widely, and easily, administered.
I can see a future where Stuff That Connects To The Internet – which will probably be most electrical items and infrastructure – will need to meet a minimum standard to be legally sold in the UK. ISPs will need to be much more proactive in spotting unusual traffic patterns and both protecting the upstream data and informing their customers that something unusual is happening – although the customer service side of that is tricky. Future generations will also be much, much more familiar with everything that’s involved in living a technological life. They will understand the issues more instinctively and be more savvy about how they treat the internet.
However we need a short term solution. I’ve heard calls for the banning of IoT devices until this issue is resolved, but it leaves a huge legacy of devices sitting on networks which may be unpatchable, owned by people who don’t even realise they’re part of the problem and require action.
I always try and give my blogs something actionable in them, some great take away for people to use. Instead this time, I throw the floor open to you all. Is there a solution to this, or do we need to improve our DDoS protection?
Yesterday Yahoo confirmed that it was the target of the biggest known cyber attack in history. In 2014, 500m Yahoo accounts were compromised, with data including names, email addresses, telephone numbers, dates of birth, hashed passwords (most with bcrypt) and security question answers, some of which were unencrypted. Yahoo has claimed that this attack was carried out by a state-sponsored attacker.
I’ve done a few radio interviews giving my thoughts today, and you can listen to what I had to say on BBC Radio London.
Or watch a quick clip of me discussing the breach on Channel 4 News:
I’ve talked about the need for people to change their Yahoo password and set up two-factor authentication and to use strong, unique passwords on all of their accounts. This breach also highlights the need for people to deactivate accounts they no longer use.
Some thoughts which I didn’t get the chance to go into on the radio or TV:
- This is the biggest known cyber attack or data breach in terms of number of accounts compromised, and the impact on users could be significant. However, it’s interesting to consider how we classify the ‘biggest hack ever’. While this is the largest in terms of volume, is it the biggest in terms of impact? I’m thinking particularly of the Ashley Madison breach, following which at least one user reportedly committed suicide, and the US Office of Personnel Management breach, when information, including fingerprint data, of US government employees (some of whom of course have security clearance) was compromised.
- It also needs to be noted, of course, that this is the biggest known breach. When the Myspace breach of 360 million accounts came to light in May of this year, that was reported as the biggest breach only because we didn’t know about this one. Who knows what breaches have taken place that are simply not known?
- When Yahoo confirmed the breach yesterday, many people highlighted the fact that security researchers informed Yahoo in July that account information stolen in 2012 was seemingly being sold on the dark web. At the time, Yahoo responded by saying they were investigating. Many people understandably assumed that the breach Yahoo were confirming yesterday was the same data advertised for sale earlier this summer. Apparently this is not the case. It seems, rather, that when Yahoo investigated the purported 2012 breach they found no evidence to support that it was legitimate but the investigation found another breach, the 2014 one we’re now hearing about.
- Yahoo actually seem to be handling the breach communications pretty well, albeit belatedly. Many have expressed surprise that they are so confident that the attacker is a state-sponsored individual, not least because attribution in this space is so notoriously difficult. Putting that to one side, Yahoo have been prompting users to change their passwords and have put in place communications such as this FAQ, which are really helpful. It is a shame, however, that they aren’t using the opportunity to get more people using their two-step verification. My research suggests that only 20% of British people use 2FA, which is a real concern given how much more effective it is than simply having a password.
- The news of this breach comes as Yahoo is in the process of finalising the sale of its business to Verizon, an acquisition which began in July. It will be interesting to see if the breach has any impact on this.
A couple of days ago I was interviewed on LBC radio about the recommendation from FBI director Jim Comey that everyone should cover their webcams. You can listen to what I had to say here:
The media response to this advice (much like the response to the fact that Mark Zuckerberg covers his) seems to have been one of surprise. However, for most in the cybersecurity industry, it won’t come as a shock. I’ve covered my laptop webcam for years as one of many precautions to stay safer online.
How a webcam can be hacked
Criminals can gain access to a webcam by using malware or Remote Administration Tools (RATs). Malware and RATs can be planted on your machine most commonly via infected files or malicious links, so being wary of what you click on whilst using the internet and opening emails is crucial.
Remote-access webcams are vulnerable to hacking like anything else connected to the internet, often because their owners leave default or weak passwords in place.
How often does it happen and why should I care?
Like all crime, let alone cybercrime, it’s impossible to say how often it happens. The key consideration for me, here, is impact. If your webcam is hacked, the impact of that can be huge. Think about the amount of time your laptop screen is left open, ‘looking’ at you. Perhaps you leave it open in your room while you get changed, perhaps you work in your underwear, perhaps I’ll leave you to think about all of the other things you do in front of your laptop screen that you would rather not share with the rest of the world.
There have been some pretty well-known cases of webcam hacking:
- In 2014, Jared James Abrahams was sentenced to 18 months in prison for hacking the webcams of women and girls and secretly taking photos of them while they were undressed. He then contacted his victims and threatened to publish the photos online if they did not send more or undress for him via Skype. Abrahams reportedly told investigators that he hacked the webcams of 150 women and girls. One of his victims was Miss Teen USA, Cassidy Wolf, who has since campaigned to raise awareness of cybersecurity among young people.
- In 2014 it came to light that a Russian website was sharing videos illegally captured from 10,000 webcams worldwide (584 of which were in the UK). The site targeted remote-access cameras that were still ‘protected’ by the manufacturer’s default password, whilst also providing the information needed to hack into the camera systems, plus GPS locations and postcodes. The site proclaimed that it was in operation to highlight the importance of security settings.
- In 2015, Stefan Rigo was convicted in the UK of using the malware ‘Blackshades’ to infect victims’ computers and take over their webcams. Forensic examination of his computers found images of people engaged in sexual acts over Skype or in front of their computers. During his trial he admitted to being addicted to monitoring people via their computers, spending 5 to 12 hours a day doing so over a three-year period.
So, should I cover my webcam and then I don’t have to worry about it?
I recommend covering your webcam. You probably don’t use it much and it’s easy to cover it with a little sticker or piece of sticky paper which you can simply remove temporarily when you need to use it. This will stop anyone being able to see you or take images of you via your webcam without you knowing about it.
However, this is – literally – a sticking plaster for the problem. Covering your webcam is one thing but if your webcam is hacked, that means your machine has been hacked and the attacker could be accessing all of your other information and / or using your machine as part of a DDoS botnet. So at the same time as covering your webcam, you should also:
- Be wary of clicking links and downloading documents when you browse the internet and read emails, texts, WhatsApp messages, etc.
- Use anti-virus and anti-malware software
- Keep devices and software up-to-date so that known bugs will be patched and can’t be exploited by attackers
- Don’t use public wifi where you could become the victim of a man-in-the-middle attack
- If you have a remote-access webcam, change the password from the default one. Use a strong password
Remember: there is a webcam on your mobile phone and your phone probably sees more intimate images of you than even your laptop does. Your mobile is a computer and can be hacked just like your laptop, so all of my advice relates to them, too. Chances are that you use your phone camera more than your laptop one and so a sticker might not be practical, in which case there are products available which can cover the front and back lenses whilst still giving you access to the camera.