GCHQ warns of cyber security scams on Black Friday

GCHQ has issued an warning of cyber security scams on Black Friday.

GCHQ has issued an warning of cyber security scams on Black Friday.

Black Friday sales could be targeted as easy pickings for cyber-crime, according to Cheltenham-based GCHQ.

The National Cyber Security Centre, part of GCHQ, is advising shoppers of the risk of online threats. It is the first such official cyber security warning in the run up to Christmas.

GCHQ wants to start a “national cyber-chat” today (Black Friday), when billions are spent online. Known for working in secret, the agency wants to be open and engage with the public over the seriousness of the threat.

The National Cyber Security Centre has tackled more than 550 significant cyber incidents over the past year, and has taken down almost 140,000 “phishing” websites.

The National Cyber Security Centre (NCSC) is giving tips for shoppers to avoid cyber-crime – and for the first time it will be publishing answers to questions from the public on Twitter.

The agency recently warned of a serious and sustained threat from elite hackers in other countries, which could include the theft of millions from retailers and attacks on the financial networks the shops depend on.

The British Retail Consortium is backing the calls for better cyber security during the Christmas shopping season, and retailers continue to invest heavily in protecting themselves against cyber-threats.

The National Cyber Security Centre’s advice to reduce the risk of cyber crime is:

  • Install the latest software and app updates
  • Type in a shop’s website address rather than clicking on links in emails
  • Choose strong and separate passwords for accounts
  • Keep an eye on bank accounts for unrecognised payments
  • Avoid over-sharing unnecessary information with shops, even if they ask
  • Make sure all your home gadgets are secure

If you want to save yourself stress, money and a damaged reputation from a cyber incident – for a cyber security incident prevention, protection and training please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

Most UK Britons concerned about personal data sharing

More than half of UK consumers (57%) are worried that about how much personal data they have shared online.

More than half of UK consumers (57%) are worried that about how much personal data they have shared online.

Britons also feel that the data they share is not being used to benefit them, with 48% saying businesses benefit the most and 63% saying the organisation holding the data should be responsible for protecting it, according to a poll of more than 2,000 UK consumers commissioned by identity management firm ForgeRock.

Only a third (36%) of consumers say they would be likely to share personal data to get a more personalised service, with over half (53%) saying they would not be comfortable for their personal information to be shared with a third party under any circumstances. Just 15% say they would be likely to sell personal data to an organisation or business.

At the same time, UK consumers underestimate how much personal information is available online, with 46% saying they do not feel they know how much data is available about them online, 19% saying they think Twitter has access to data on users’ political affiliations, 31% believing Instagram has access to location data on its users, 48% thinking Facebook holds information on whether they have children, and 20% believing Facebook does not have access to any personal data about its users, despite the fact that social networks have access to this data on a large number of their users.

One in three would take legal action and 24% would contact the police about their personal data being shared.

British consumers are also clear that there would be consequences for any company sharing their data without their consent, with 58% saying they would stop using a company’s services completely if it shared data without their permission, 49% would remove or delete all the data held on them by that company, 44% would advise their family and friends against using the company, and 30% would request financial compensation.

Growing concerns about data sharing

With the EU’s General Data Protection Regulation (GDPR) set to give consumers much more control over their personal data and how it is used, the survey report said it is crucial that members of the public understand their rights and how their data is being used and shared.

The ForgeRock survey suggests there are growing concerns about data sharing, which businesses and regulators should address. Some 63% of UK consumers say they know little or nothing about their rights regarding personal data and 64% have never heard of or know nothing about GDPR.

Banks and credit card companies are most likely to be seen as trusted holders of personal data, the survey shows, with 82% of consumers reporting that they trust these organisations to store and use personal data responsibly. Amazon also performed well, with over three-quarters (78%) of consumers saying they trust the ecommerce company to manage personal data.

Social media platforms performed less well, with 63% of Britons saying they trust social networks to treat personal data in a responsible manner.

There is a clear correlation between the organisations consumers trust with their data and how in control they feel, the report said, with Amazon (60%), banks and credit card companies (58%) and mobile phone operators (51%) ranked as the organisations that give users most control over their data. Just 51% of UK consumers said they feel in control of the data that is shared with social media platforms.

In contrast, social media companies offer consumers experiences without any financial payment – instead they pay in data. If companies were more transparent about how their business models rely on purchases, attention or data, consumers would have a much stronger understanding of what their privacy risks are and could tailor their behaviours and trust levels accordingly.

So if you want to save yourself stress, money and a damaged reputation from a data incident with affordable, live systems protection please ring us now on 01242 521967 or email [email protected] or complete the form on our contact page NOWContact Cyber 139

ICO wants jail terms for personal data misuse

The Information Commissioner’s Office (ICO) says it wants prison sentences for anyone misusing personal data unlawfully.

The Information Commissioner’s Office (ICO) says it wants prison sentences for anyone misusing personal data unlawfully.

A nursing auxiliary has been fined for accessing a patient’s medical records without a valid legal reason, prompting the Information Commissioner’s Office (ICO) to reiterate calls for prison sentences.

Cwmbran Magistrates’ Court fined 61-year-old Marian Waddell of Newport £232 after she admitted accessing a patient’s records at Newport’s Royal Gwent Hospital.

She was also ordered to pay £150 costs as well as a £30 victim surcharge for breaching section 55 of the 1988 Data Protection Act.

Waddell accessed the records of a patient, who was known to her, on six occasions between July 2015 and February 2016 without a valid business reason and without the knowledge of the data controller, the Aneurin Bevan University Health Board.

David Teague, the ICO’s regional manager for Wales, said it is disappointing that people continue to get into serious trouble over behaviour that is easily avoidable.

“Staff training, and the publicity around previous cases of this nature, means that they really should know better,” he said, adding that anyone whose work allows them to access sensitive personal data must realise that this information is out of bounds unless they have a valid and legal reason for looking at it.

Mike Shaw, enforcement group manager and head of the ICO’s criminal investigations team, warned that anyone accessing personal data without a valid reason or without their employer’s knowledge is guilty of a criminal offence and will be prosecuted by the ICO.

“If found guilty, you will face a fine and possibly have to pay prosecution costs,” he wrote in a blog post. “The court case will likely be covered by local media and the details played out over the internet. Not only could you lose your job, but your future employment prospects could be irreparably damaged too.”

“Of course, this issue is not unique to the NHS,” he said. “In 2017, we have also prosecuted cases involving employees in local government, charities and the private sector, the latter cases often involving an element of financial gain.”

Currently, section 55 offences can be punished only with a fine, and the nine convictions this year attracted fines and costs totalling more than £8,000.

“But in the future, we would like to see custodial sentences introduced as a sentencing option for the courts in the most serious cases,” said Shaw.

The ICO has long campaigned for custodial sentences for people convicted of accessing personal data unlawfully, especially for financial gain, under former information commissioners Richard Thomas and Christopher Graham, and now under current information commissioner Elizabeth Denham.

Information security professionals not too worried by Brexit

The UK’s decision to leave the European Union (EU) has raised concerns in the information security world, but most professional organisations are urging calm and pragmatism.

The UK’s decision to leave the European Union (EU) has raised concerns in the information security world, but most professional organisations are urging calm and pragmatism.According to The Security Institute, the Brexit decision may have significant implications for the security profession and will inevitably present fresh challenges.

However, the organisation’s vice-president Alison Wakefield said security professionals pride themselves on being able to take the objective view, to put aside emotion and to focus instead on the hard facts of a situation.

“One thing we categorically disagree with is Michael Gove’s assertion that people in this country have had enough of experts,” she said.

“As an organisation that numbers a great many security experts in its membership, we believe the changes Brexit will bring mean that we, as a nation, will more than ever rely on these experts.”

Whatever cyber security challenges lie ahead as a result of Brexit, Wakefield said they will be met and overcome by the application of expertise and the diligent efforts of experts.

“The Security Institute’s raison d’être is to promote the professionalisation of security. Now that our country has chosen to go through a period of economic and political turbulence, let’s collectively – as experts in our field – do our utmost to re-emphasise professionalism, and redouble our efforts to help nurture security practitioners who can carry the ‘expert’ label with justification, pride and the external recognition they are due,” she said.

Adrian Davis, European managing director at security certification body (ISC)2, said information security is well-recognised as an international concern that has motivated levels of co-operation that already transcend national boundaries and politics.

“There is no reason to believe that this will come to an end or even be significantly interrupted by the Brexit vote,” he said, despite concerns by some information security professionals the cyber threat intelligence sharing may be impeded.

According to Davis, information security professionals in the UK and across Europe have at least two years to understand the practicalities that will affect their day-to-day job, and there is a good chance that quite a lot of what is anticipated over this time will not change.

The need in the UK to comply with the EU’s General Data Protection Regulation (GDPR) for example, will remain the same, he said, as UK businesses will continue handling EU citizens’ data.

“The march of technical innovation reflects global trends and will continue to shape the challenges we face on the front lines, and we all understand that threats and attacks are international. The work we do as a profession already ensures that the standards and practices required to face them account for differences in markets and regulatory expectations. I’m confident that, as a profession, information security professionals right across Europe will continue to work together,” said Davis.

UK consumers want fines for firms that lose personal data

Most UK consumers want the government to fine companies who don’t protect personal information.

Most UK consumers want the government to fine companies who don't protect personal information.A majority of UK consumers would like to see government fines for companies that fail to provide sufficient safeguards for personal information, a survey has revealed.

Some 86% of more than 1,000 UK consumers polled by the Institute of Customer Service (ICS) think the government should review data protection laws, while 77% feel it should do more to protect data from cyber attacks.

The findings of the survey are in line with the recommendations by the Department of Culture, Media and Sport (DCMS) Committee’s inquiry into the October 2015 data breach at TalkTalk, which saw the personal information of 155,000 people compromised.

The committee has published a set of recommendations in its inquiry report for improving data security in the UK, including the introduction of escalating fines for delays in reporting breaches of personal data.

The report also recommends that the government initiates a public awareness-raising campaign about online scams and allocate more resources to the Information Commissioner’s Office (ICO), the UK’s data protection authority.

Although most UK consumers would like to see more government action on data protection, 62% also believe businesses should do more to safeguard personal information, according to the ICS survey, which was included in a written submission to the DCMS committee’s inquiry.

The ICS survey shows only 13% of respondents are confident that their personal information is protected and only 15% trust organisations do everything possible to prevent security breaches.

“Businesses need to accept responsibility, rather than offer excuses, if customer data is exposed in a cyber security breach” said Jo Causon, chief executive of the ICS.

“Almost one in four consumers say nothing can restore their trust after a data breach, so if cyber security attacks continue at the current pace, business performance will suffer as concerned customers swap loyalty for personal data safety,” she said.

The ICS survey shows that 22% of respondents no longer trust companies that have suffered a breach, while 28% said they avoid organisations that have suffered a breach. In the event of a breach, 41% seek immediate notification, 23% want compensation and 10% look for an apology.

To reassure customers, the ICS outlines a series of actions businesses can take in its response to the DCMS Committee inquiry.

These include ensuring staff have the appropriate skills to communicate how data is protected and what is happening in the event of a cyber-attack; setting out the approach taken to protect customers’ data so consumers are fully informed and able to make a decision about what to share; and following a consistent set of standards across an organisation so that customer data is continuously protected no matter where it is held or analysed.

Police ask for early contact of cyber crime

Businesses should contact the Police as early as possible about cyber crime- even before they are targeted.

Businesses should contact the Police as early as possible about cyber crime- even before they are targeted“The sooner we can become involved the better,” said Garry Lilburn, detective inspector, cyber crime unit, Metropolitan Police.

Current reporting mechanisms are “clunky” and there plans to replace them, he said, but in the meantime, businesses can make direct contact with the cyber divisions of the National Crime Agency (0370 496 7622) UK-wide or the Met Police for cyber crime in London (0207 230 8129) or 01452 752644 in Gloucestershire.

“Businesses can call us to discuss what is happening and get advice without having to officially report a crime and without fear of it leaking to the media or regulators,” said Lilburn, adding that some of the biggest cyber crime cases his unit has worked on have never been reported in public.

“If businesses contact us about cyber crime in action, we can advise them on how to mitigate the attack, preserve evidence, and how to communicate with cyber extortion gangs and even the media if necessary in the case of high-profile attacks,” he said.

However, Lilburn said businesses should engage with police even before they are targeted by cyber criminals.

“We offer a service of conducting table-top exercises with businesses so they can experience what it is like to work with the police in the event of an attack by cyber criminals and learn what kind of information we will need and the kind of questions we will ask,” he said.

Businesses should also develop plans for engaging with law enforcement before they are targeted by cyber criminals, and practice those plans in the same way they do fire drills, said Kurt Pipal, assistant legal attaché, office of the legal attaché at the FBI.

“Businesses should ensure they understand what law enforcement can do for them, what investigators are likely to ask for, and what they can do to help any investigation,” he said, adding that they should get their legal counsel involved because they are going to be one of the first points of contact with the police in the event of a cyber criminal attack.

“Many firms fear reputational damage and media exposure, but engaging early with law enforcement before anything happens often alleviates many of these types of concerns and makes them more comfortable in working with law enforcement when they are attacked,” said Pipal.
Police encourage information sharing

Cyber crime is almost always international in nature, but that should not put businesses off reporting cyber criminal activities, even if they appear to be coming from overseas or conducted through anonymising proxies, said Lilburn.

Many of the recent botnet takedowns involving the FBI have been the result of international law enforcement agencies working together, said Pipal.

“While cyber criminals may be based in countries where we cannot reach them, they also like to go on vacation, and often they go to countries where we do have the ability to make arrests, so businesses should talk to law enforcement about the cyber criminal activities they are seeing,” he said.

“Law enforcement should learn from this and also begin to find ways to collect information about bad actors that can be queried by law enforcement agencies around the world,” he said.

“Just because cyber criminals are located in other countries or appear to be anonymous, businesses should not assume we will not be interested or that we will not be able to take action against those responsible”

Many of these third parties are small and medium enterprises that work as suppliers or partners to larger organisations, but these businesses typically do not have the same level of security awareness or resources as their bigger partners, said Ferguson.

“While large organisations have the resources to understand and respond to threat intelligence gathered through industry forums and the government-sponsored cyber security information sharing partnership (Cisp) and the national computer emergency response team, Cert-UK, smaller businesses do not,” he said.

Indeed Cyber Security Force are part of theGloucestershire Safer Cyber Forum- which is founded and run by the Gloucestershire Constabulary.

Gloucestershire Safer Cyber Forum accepts Cyber Security Force

The Gloucestershire Safer Cyber Forum has accepted Cyber Security Force to join it.

The Gloucestershire Safer Cyber Forum has accepted Cyber Security Force to join it.The Gloucestershire Safer Cyber Forum (GCSF)  was set up and run by the Gloucestershire Constabulary to to provide a source of crime prevention, advice and to share cyber threat information.

GSCF also provides a secure environment for Gloucestershire business to engage directly with peers and Gloucestershire Constabulary on incidents or concerns around cybercrime, along with the ability to report it anonymously.

Being part of GSCF means that we can be at the leading edge of information on how to avoid cyber security issues and when they do arise how best to prevent and recover from the bad guys out there.

BBC suffers widespread website and iPlayer outages

UK broadcaster apologised as its internet services are taken down by ‘technical issues’ affecting its website, apps and streaming video and radio services.

UK broadcaster apologised as its internet services are taken down by ‘technical issues’ affecting its website, apps and streaming video and radio servicesThe BBC website returning an 500 error page with intermittent outages across its entire bbc.co.uk domain and internet services.

The BBC is currently suffering an intermittent internet services outage that has taken down its website, the BBC iPlayer and all other digital services provided by the bbc.co.uk domain.

Users started complaining about the iPlayer and website issues at in the early hours of this morning, with web service down detector indicating major issues from around 7am. The website is currently showing 500 error pages, with some parts of it intermittently loading and others completely offline.

The BBC’s radio and television broadcasts are unaffected but many of the broadcaster’s digital services are offline.

The BBC’s press office simply called it a “technical issue”. The cause of the outage is not currently known.

The BBC is in the process of migrating more and more of its traditional services to its website, including BBC3, which will become online only from February.

The last major outage of the BBC’s web services was in 2011 when the broadcaster’s bbc.co.uk domain went offline for an hour due to technical problems.

Later in 2012 the BBC revealed that it had suffered from cyber attacks, which took its Farsi language service in London and its telephone and email services offline.

Security of UK ISPs failing users

The security of the UK’s biggest ISPs needs “major improvement”, according to one expert.

The security of the UK's biggest ISPs needs improvementSecurity consultant Paul Moore examined the publicly available information of the UK’s six biggest ISPs. He said he found plenty of bugs that could be exploited by hackers.

But he said most ISPs had been in contact with him and had worked to tighten security once told of the issues.

The audit of TalkTalk, Sky, BT, Plusnet, EE and Virgin Media was kicked off in the wake of the TalkTalk hack, which saw the personal details of 157,000 of its customers exposed and more than 15,600 bank account number and sort codes were stolen.

Similar problems to those encountered by TalkTalk could have been experienced by any of the major ISPs, Mr Moore believes.

The audit found a variety of problems, including passwords stored in plain text, exposed code that would allow hackers to inject their own code on to ISPs’ websites and, potentially load malware on to them, and issues with encryption certificates that meant Mr Moore could apply for them from the certificate authority and pose as the webmaster for a set of ISP-owned websites.

Mr Moore said he was impressed by most of the ISPs’s responses when he raised the issues with them.

“Ordinarily they would not be so open and honest with me but, after what happened at TalkTalk, they have been stepping in quickly,” said Mr Moore.

“On one occasion I notified BT and PlusNet about a bug at 14:00 and they kept people back until 22:00 to fix it.”

But, he added, TalkTalk was yet to contact him. TalkTalk did supply a statement saying it had “integrated Paul Moore’s comments into an ongoing programme of work”.

“We constantly run vulnerability checks using industry-standard third party tools. The vulnerability exploited by the hackers was not picked up by this testing, and if it had been, we would clearly have acted on that information straightaway to secure our system,” it added.

Prof Alan Woodward, a security expert at Surrey University, said he was shocked by the findings.

“TalkTalk still has problems and others have not dissimilar ones,” he said. “I find it very surprising that after the TalkTalk hack, they the six ISPs still appear not to be attending to the basics.

He added: “ISPs are the single biggest handlers of our personal data and I would expect them to get this right.”