The Rise of Spear Phishing

I was recently interviewed for a BBC radio programme on social engineering and, in particular, spear phishing emails. The aim of the show was to explore how common spear phishing emails are, how easy it is to be taken in by them and what people can do to better protect themselves.

Spear phishing has risen phenomenally – in scale and sophistication – in the last year or so, and will continue to do so. Criminal gangs are increasingly using spear phishing as a tool to make money because it is relatively easy for them, requires little technical ability and can be very lucrative for very little effort.

New Year Wishes

In the run-up to Christmas, the lovely people at Tripwire asked me to contribute to an article they were putting together compiling information security professionals’ Christmas Wishes.

I gave it some thought, as there are so many things I’m sure we’d all wish for this community, and from it. In the end, I wrote something very much from the heart, which for me extends beyond our day jobs and into our lives. While I wrote it as a Christmas wish, it seems to me something to reflect on in this week where most people have returned to work (or are already exhausted from being flat out over Christmas), thinking about the resolutions set on 1 January and making plans for the year ahead. After all, wishes are for life, not just for Christmas!

My wish:

My wish revolves around the fact that we are all the same. By ‘we’ I mean people – techies, execs, designers, developers, ‘users’. Yes, we all have different levels of knowledge, skills and understanding – and differences in lots of other ways, too – but there’s really not an ‘us’ and ‘them’. Underneath it all, we are all fighting battles most people don’t see, overcoming anxieties and worries we don’t share and hoping for happiness and success, in whatever way we define that. I’m going to ask my infosec community genie for three wishes, all of which relate to kindness.

Firstly, please be kind to the ‘users’. I know you want to pull your hair out when they use terrible passwords and click phishing links, but they’re busy and stressed, just like you are. For most, security is not their number one priority, or the first thing that they think of, and the workings of the Internet are a bit of a mystery. Please don’t see your ‘users’ as a problem to be fixed, but instead please recognise them as an asset to be nurtured.

Secondly, please be kind to each other. One of the many things I love about this industry is how supportive it can be, but for everyone lifting someone onto their shoulders, there’s someone else pulling them down. The Twitter spats and one-upmanship help no one in the end. Let’s build each other up and gain strength from our community.

Finally, please be kind to yourself. As research like that presented by Chris Sumner and Jack Daniel at BSides London shows, rates of burnout and stress in this industry are pretty high. You’re working hard, fighting fires and seeing the same problems coming back like boomerangs. It can take its toll, so please give yourself a break. Go outside, rest, take a holiday – remember that life actually is about more than attack and defend.

You can read all of the infosec wishes in part one and part two of the Tripwire articles.

By Dr Jessica Barker

Top Five Cyber Lessons of 2015

It would not be hyperbolic to suggest that 2015 is the year cyber security awareness went mainstream. Breaches hit headlines on a seemingly daily basis and some, like Ashley Madison and TalkTalk, were top of the news agenda for weeks. Meanwhile, we only have to look at Bond’s Spectre and Mr Robot to see how embedded cyber security is becoming in our cultural references.

I am particularly interested in trends among the general public with regards to awareness and behaviours online. I’m casting an eye back over some of the cyber.uk surveys and analyses this year to see what we’ve learnt.

Does Santa do his Christmas shopping online? 20% of people don’t, thanks to cyber insecurity woes

In the run-up to Black Friday and Cyber Monday, I asked 1,000 people in the UK whether worries about cyber security have ever put them off buying a Christmas present online.

Part of the motivation was a conversation I had with a Liverpool taxi driver a few years ago. It was just after Christmas and, having spoken about how stretched his finances were, and how he was struggling to cover costs on his cab let alone make a profit, we moved on to my job. When I told him I work in cyber security, he told me that I’d failed and should go home and put my feet up because “the hackers have won”. He refused to use the Internet because he was so scared of cyber crime, to the extent that when his son wanted a particular skateboard which was only available online or in a London store, he forwent a day’s work and drove to London to buy the board in person, rather than save all of that petrol money and lost work hours and buy it online. He told me his wife was the direct opposite, thought his fears were paranoia, and would buy anything from any site with no care or concern for security. To my mind, both of these extreme responses are the result of poorly communicated cyber security threats, and I’ve spoken and written about the psychology of fear and cyber security elsewhere.


Talking TalkTalk

Last week, TalkTalk announced they had been subjected to a ‘significant and sustained’ cyber attack, which potentially affected all of their 4m customers. Little more information followed, although the CEO, Dido Harding, made multiple media appearances and attempted to answer questions on (what became apparent was) little knowledge.

I was on Five News on Friday evening talking about how the attack might have happened. Since that time, a 15-year-old boy from County Antrim has been arrested in connection with the attack, under the Computer Misuse Act. As I said on Five News, it seems most likely that the attack was carried out by a SQL injection, whereby attackers take advantage of a flaw in the website to access a database behind it and exfiltrate data using code. It definitely was not carried out by a Distributed Denial of Service (or DDoS) as TalkTalk’s CEO initially claimed, in which attackers flood the website with traffic until it can’t cope with demand and goes offline. Attackers usually use botnets to do this, which are networks of computers used to direct traffic at the site. If you inadvertently download malware on your machine, for example by clicking a dodgy link, your machine could be used as part of a botnet without you necessarily realising it. It could be that the attackers used a DDoS to distract TalkTalk while they carried out the actual attack on their data (which we’ve seen before), but it is technically impossible to extract data using a DDoS.
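To make the distinction above concrete, here is an added Python example that is not part of the original post and has nothing to do with TalkTalk’s actual systems or data. It uses a constructed in-memory SQLite table with made-up customers, shows the kind of website flaw a SQL injection exploits (user input pasted straight into the query text), and places the fix beside it (a parameterised query, in which the input can only ever be treated as a value). The function names, the `customer` table and the sample rows are all assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: a tiny "customer" table standing in for the
# database behind a website. Hypothetical names and addresses only.
SAMPLE_CUSTOMERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The flaw: the input is spliced into the SQL text itself, so a value that
    contains a quote character can change what the query means rather than
    merely being compared against the username column."""
    query = f"SELECT id, username, email FROM customer WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """The fix: a parameterised query. The SQL text is fixed in advance and the
    database driver binds the input as data, so it can only ever match a username."""
    return conn.execute(
        "SELECT id, username, email FROM customer WHERE username = ?", (username,)
    ).fetchall()


def looks_like_injection(value: str) -> bool:
    """A crude server-side signal worth logging: quote characters or comment
    markers inside a field that should hold a plain username. This is for
    detection and alerting only; parameterisation is what actually closes the hole."""
    suspicious_tokens = ("'", "--", "/*", ";")
    return any(token in value for token in suspicious_tokens)


if __name__ == "__main__":
    db = make_db()
    normal_input = "alice"
    hostile_input = "x' OR '1'='1"  # constructed input that closes the quoted literal
    print("vulnerable, normal input :", lookup_vulnerable(db, normal_input))
    print("vulnerable, hostile input:", lookup_vulnerable(db, hostile_input))  # every row
    print("hardened,   hostile input:", lookup_hardened(db, hostile_input))    # no rows
    print("worth flagging in logs?  :", looks_like_injection(hostile_input))
```

Run as-is: the vulnerable lookup hands back the whole table for the crafted input, while the parameterised version returns nothing because no customer is literally called `x' OR '1'='1`. The `looks_like_injection` check will also fire on honest values such as the surname O’Brien, which is why it belongs in logging and review rather than in the decision about what the query does.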

Cyber Crime: stats, SMEs and psychology

For the first time, the UK Office of National Statistics included cyber crime in their quarterly report, which had a profound impact on the numbers, resulting in a 107% increase in crime statistics since last year when cyber crime was not taken into account. According to the official numbers, there were 5.1 million cyber crimes and frauds last year, plus 2.5 million offences under the Computer Misuse Act. Of course, these statistics are only known, reported and recorded crimes so they are far from telling the whole picture.