
Are you keeping ‘Cyber Aware’?

Cyber Aware is the government’s advice on staying secure during the COVID-19 lockdown. Our guest from the National Cyber Security Centre explains the campaign.

This is a guest post by Kate Sinnott of the National Cyber Security Centre. All views expressed are her own, and not necessarily shared by Which?. 

The last few weeks have changed the way we use technology in ways we probably never imagined.

Many of us are spending more time online: home schooling, shopping, gaming, and video calling with friends and family.

It’s important to make sure that you are doing this securely to protect yourself from cybercrime. To help, the National Cyber Security Centre’s (NCSC) Cyber Aware campaign gives you six important steps to stay secure online.

Alongside these steps, the NCSC has also provided guidance on using video conferencing apps securely, staying secure while playing online games and shopping online securely.


Six NCSC tips for staying secure

1. Create a separate password for your email: your personal email account contains lots of important information about you and is the gateway to all your other online accounts. Protecting it with a strong password that is different to all your others will help keep it secure.

2. Create a strong password using three random words: weak passwords can be hacked in seconds. The longer and more unusual your password is, the stronger it becomes and the harder it is to hack. The best way to make your password long and difficult to hack is by using a sequence of three random, but memorable, words.

3. Save your passwords in your browser: using the same passwords for all your accounts makes you vulnerable – if that one password is stolen all your accounts can be accessed. We know it can be difficult to remember lots of different passwords, so to help make it easier you should store your passwords in your browser when prompted to; it’s quick, convenient and safer than re-using the same password.

4. Turn on two-factor authentication: two-factor authentication (2FA) is a free security feature that gives you an extra layer of protection online and stops cyber criminals getting into your accounts, even if they have your password. It does this by sending you a text message or code to check you are who you say you are. During this extended time at home, why not check which of the online accounts you use offer 2FA and turn it on where available?

5. Update your devices: using the latest versions of software, apps and operating system on your phone or tablet can immediately improve your security. Remember to update regularly, or set your phone or tablet to automatically update so you don’t have to think about it.

6. Turn on backup: if your phone, tablet or laptop is hacked, your sensitive personal data could be lost, damaged or stolen. Make sure you keep a copy of all your important information by backing it up. It will also mean you can recover your important information if you break your device or accidentally put it through the washing machine.

Reporting scams and protecting others

Cyber criminals are preying on fears of the coronavirus (COVID-19) and sending scam emails that try to trick people into clicking through to fraudulent websites.

You may have received an email that claims to have a ‘cure’ for the virus or encourages you to donate. Like many scams, these emails are preying on real-world concerns and trying to trick you into clicking on a link.

If you receive an email that you’re not quite sure about, you can forward it to the NCSC’s Suspicious Email Reporting Service at report@phishing.gov.uk.

If anything is found to be malicious, the NCSC will take it down and you will have helped protect others from falling victim to scams. 

Which? is now also warning of scams like this with its scam alert service.


Comments
Em says:
6 May 2020

3. Save your passwords in your browser …

I’m not sure that is great advice without some additional caveats.

If we consider Google Chrome, for example, passwords stored here are only as secure as your Google account password – unless you have turned on 2-step verification. If you started using Google a long time ago, you probably didn’t give that password’s security a lot of consideration and you may not even remember what it is. Unlike a proper password management tool, Google rarely, if ever, re-authenticates you.

You may also be aware of how easy it is to sync your Google account settings across multiple devices (computer, tablet, mobile …). That is also a security threat. If you once shared your Google account, maybe with your family, or allowed someone access to your computer or mobile phone (perhaps when you upgraded your mobile), they had the means to replicate all your accounts and passwords.

Even if you change a password now on a critical account to make it more secure, that change could be updated without your knowledge to whoever synced to your Google account in the dim and distant past.

In summary, Google password management just works in the background. It is far too transparent and easy to forget about, as it is designed for convenience, not security.

I would strongly suggest use of a separate password management tool, like LastPass or Dashlane. At least you will start off with a strong master password and hopefully ensure you close your password vault when not required. It will also force you to re-authenticate on a fairly regular basis even if you forget to do so.

DerekP says:
8 May 2020

I certainly do not save my more sensitive passwords on browsers. Instead I rely on handwritten records on paper.

I do the same, Derek, and I encrypt some of them, but in some cases I can no longer remember which codes I used to encrypt them.

Em says:
8 May 2020

Rather than write down or encrypt a password (which someone other than you could find or potentially un-encrypt), I prefer to use a non-obvious hint.

If your password is “TitanicIceberg1912”, a simple hint could be Smith, or (in reference to the movie) Winslet or Celine.

But it is better to think of a hint somewhat more remote and write that down. E.g. Smith could become “EJS” or “Rose” (Winslet’s character) or [De Dion-]”Bouton”.

But with my addled brain, Em, it would have to be memorable and a bit more obvious than that! Some passwords hardly get used from one year to the next so if there’s a problem I just set up a new password. I use very few sites where there are any financial transactions and those I use so frequently I don’t need to make a note of the password or remember its decryption code.

During my life in the Before, when I was a volunteer computer buddy in the local library, lost passwords were a recurring problem that I helped with.

I think folk need to use whatever works for them. I have found that simple paper records work well for many, but not for those who will easily lose them.

For a lot of us, anything that depends on remembering clever and sometimes complicated tricks can be doomed to failure.

If at all possible, folk need to avoid using the same password everywhere and also they should periodically change or renew their passwords. Those of us with work accounts are usually forced to do that, e.g. every few months.

Ideally, passwords should also be easy for the user to get right, but hard for others to guess.

Many sites related to non-sensitive activities will often issue password reset emails to registered email addresses. Those are very helpful, unless you have lost access to the email account in question. So it is very important to have robust and durable email passwords.

One of the most common pitfalls that I’ve seen occurs with Android phones (or other devices). Here a Google/gmail account needs to be created to operate the device. Then years later, that password is needed in a different context, but the user has long since forgotten it. The original device (with the saved password on it) continues to function, but does not help the user recover their password for use elsewhere.

These days, loss of access to emails is not necessarily a trivial matter. If important personal data is handled by email, then loss of access can make it hard or impossible to recover that data.

Stephen Wood says:
14 May 2020

I am very surprised at this advice. Saving passwords to the browser is always a no-no. Can someone elaborate on this Which? advice to convince me that it is secure!
Thanks

Hi Em, I’ve had precisely this chat with Kate, the author of this piece – she and I liaise a lot. You’re absolutely right that saving passwords in a browser’s password manager is not as secure as using something like LastPass or Dashlane (I am a LastPass fan, for the record). Her point, though, and I absolutely agree with her on this, is that saving passwords in the browser is a big improvement on just re-using the same password for every site.

The aim of this campaign from the NCSC is to help people think about simple steps they can take to improve their security, and for many people, using a browser’s password manager is a big improvement on what they’re doing now.

You are of course right to identify some of the potential risks of saving passwords in Chrome, but I’m sure you’ve heard the saying “don’t let perfect be the enemy of good”. It’s often the case that changing an old, insecure habit is what’s needed, and when you consider the risks of the imperfect solution chosen now (storing passwords in the browser) vs the really insecure old habit (reusing a small number of passwords across multiple sites), it’s clear that the changed habit has already improved their security.

I would absolutely urge everyone to consider switching to a password manager, but if that’s too daunting, then using a browser password manager is still a big improvement. If you couple that with implementing 2FA wherever possible, you’ve gone a long way to protecting your accounts.

Actually, the advice now is not to change passwords regularly, @derekp. There’s been a lot of research done on that and it’s found that people tend to cycle through increasingly insecure passwords because they can’t remember which one they’re using now. These days you only need to change a password if you think it’s been compromised.

The NCSC has some useful guidance on that here https://www.ncsc.gov.uk/blog-post/problems-forcing-regular-password-expiry – these days the advice is to pick a strong password, either via the three words method Kate discusses above, or get a password manager to generate a strong one for you, and protect your account with 2FA.

And don’t get me started on companies that still force password resets … ! That’s usually because they’ve got some legacy software somewhere in the IT estate that requires it, but I think you’ll see it less and less these days.

All software is hackable so how safe are password managers? I will continue to keep my passwords in a box file on my desk.

I used to work for a company that forced monthly password resets and I had 3 to change every month so they went:
memorable wordjan
memorable wordfeb

A password could not be reused within 12 months and all three could be the same…🙄

Em says:
14 May 2020

Hi Kate1 (and Kate2), Appreciate the response. We often see a Convo lead piece that doesn’t sound quite right or isn’t clear, so it is good when we can have a dialogue.

Whilst a browser password cache is better than nothing, the key message of point 3 should be ‘Use a different password for each account’. That message is lost under the headline ‘Save your passwords in a browser’.

I actually go one step further and set up a different userid or user name for each account, so even if my password is in the wild, it is very difficult to associate that with any other account of mine. For most accounts, you would need to have a domain to do that, so you can register using a different email address. That way, I also know which accounts are not to be trusted with my details, as soon as I start to receive phishing emails. Here’s a short list of household names: adobe.com, Villeroy & Boch, BMW, Ebac, Groupon, … .

Em says:
14 May 2020

Kate says: That’s usually because they’ve got some legacy software somewhere in the IT estate that requires it …

I’m not aware of any legacy software that forces password resets. The granddaddy of security software is IBM RACF (1976), still the de facto security software for mainframes. RACF could require passwords to be changed at any interval between 1 and 99 days, or 0 days, meaning never.

Zero (0) days was used, because it would be very dangerous for a computer operator or administrator to lose access, because the previous shift had been forced to update the password! Of course, we also checked the security logs every day to check who was using these highly-privileged log on IDs. Computer terminals didn’t “move around” in those days.

Before RACF, passwords were hard-coded. If changed at all, it was an administrative hassle to manually update them and securely send individual typewritten memos to each employee, informing them of their new password. There was no email or instant messaging in those days.

In the 1980s, computer threats were internal to the office. Employees were in the habit of sharing their userids and password with work colleagues. If a system was accessed – payroll or accounts payable were favourite targets – use of a shared password meant there was limited accountability and auditability.

As a result, passwords were where possible set to expire every 30 days or so. Anyone guilty of using another employee’s userid and password would eventually get caught out entering the expired password. They could then be traced to their computer terminal and verified against their physical presence in the building – clocking in and out was also common in those days.

So anyone that tells you today that expiring passwords every 30 days is “best practice”:

1) doesn’t know the history or rationale behind this legacy thinking and, more importantly

2) doesn’t deserve to be in charge of computer security, as they are not capable of thinking for themselves or identifying appropriate strategies to deal with new threats.

As Kate says: don’t get me started!!!

Em says:
14 May 2020

As a short aside to IBM RACF – 1976 technology remember – it has always implemented “trap door” password encryption. This means that nowhere within RACF is your password stored in clear, i.e. no one can find out or tell you your real password. And password encryption only works one way – it cannot be de-encrypted.

How can that work?

Your new or changed password is first encrypted and then stored in RACF. When you sign in, your password is again encrypted and compared with the original encrypted password. If the encrypted passwords match, you are good to go.

What does this mean for consumers?

Any website or software that can retrieve and reveal your original password, whether by email, clicking the “eye” icon, or whatever, has a serious security flaw and you must treat it with strong suspicion. Certainly, never save your credit card or other financial details there. If you can recover your own password, so can anyone else.
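The store-then-compare scheme described in the comment above, as an added example that is not part of the post and is not RACF’s own code: a new password is run through a one-way function with a random salt and only the result is stored, and a sign-in attempt is checked by hashing it the same way and comparing. It uses PBKDF2-HMAC-SHA256 from the Python standard library (a hypothetical choice for illustration, not the algorithm RACF uses).

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt length: hypothetical choices for this example.
ITERATIONS = 200_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def set_password(password: str, salt: Optional[bytes] = None) -> str:
    """Turn a new or changed password into the record that is stored.

    Only the scheme, work factor, salt and one-way hash are kept; the
    password itself never is, so nothing in the record can be read back.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a sign-in attempt against a stored record.

    The submitted password is hashed with the stored salt and work factor,
    and the two hashes are compared; nothing is ever decrypted.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_reveals_password(password: str, record: str) -> bool:
    """True if the stored record contains the password in clear.

    For a one-way scheme this must always be False; a site that can show
    you your own password is keeping something reversible instead.
    """
    return password in record or password.encode("utf-8").hex() in record


if __name__ == "__main__":
    # Sample password taken from the comment thread above.
    stored = set_password("TitanicIceberg1912")
    print(stored)
    print(verify_password("TitanicIceberg1912", stored))        # True
    print(verify_password("titaniciceberg1912", stored))        # False
    print(record_reveals_password("TitanicIceberg1912", stored))  # False
```

Two users who pick the same password get different records because each gets its own salt, so one leaked record says nothing about the other.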

Em says:
14 May 2020

Em (that’s mE) says: Any website or software that can retrieve and reveal your original password … has a serious security flaw and you must treat it with strong suspicion.

QED: All current Internet password managers, including Chrome, Dashlane and LastPass have a fundamental and insurmountable security flaw, whatever they might claim.

Whether passwords are internally stored in an encrypted form or not, password managers MUST be able to regenerate your password in clear, TO BE ABLE TO FILL IN THE PASSWORD PROMPT ON THE THIRD PARTY WEBSITE. Don’t be fooled by the fact that it is concealed by dots – your original, un-encrypted password is there just waiting to be discovered.

Paper and pencil or memory power is the only way to go for really sensitive passwords, particularly financial websites. And make sure it is complex and unique!

I have a bit of a dilemma. I have recently been sent a new upgraded fibre broadband router which connects and works well on most devices – except the Samsung TV. The new password is so long and varied the keyboard always cuts out before I finish typing it in. How do I keep the keyboard running long enough to install the new password, short of requesting a new smaller one from the ISP?

Is it possible to change the password on your router through the router’s ‘Admin’ section? I ask, because it is on mine.

Em says:
8 May 2020

I’m assuming this is your WiFi password, so you must be able to change it on the router.

There is usually an option to connect to WiFi, if you have physical access to the router, just by pressing the WPS button. You need to select this option on your TV, then go and press the button on your router within about 30 seconds. No password required!

It’s got to be the WiFi password if other devices are working fine.

You might also try connecting a physical keyboard to your TV via USB or Bluetooth @beryl – it looks like most Samsungs will recognize the device when you plug it in: https://www.samsung.com/au/support/tv-audio-video/how-to-pair-a-smart-wireless-keyboard-to-your-tv/

You can also change the password on the router: usually most routers will have their default IP address and admin login information physically on them, and you would then usually navigate to the specific WiFi network settings, then change the password there. Bear in mind, if you do that for the TV, you’ll also need to change the password on every other device.

Hello @beryl, as others have said, you should be able to change the password to connect to the wifi on your router. The fiddly bit is finding how to get into your router’s settings, but there should be instructions to do that with the router. It usually means opening a browser (Chrome, Firefox, Microsoft Edge) and typing in your router’s IP address (again, that should be in your instructions – it might be 192.168.0.1, or something very similar) and then typing in the admin password (note: not the wifi password; again, it should be with the router instructions).

Once you’ve managed to log in to the router, you should be able to find the wifi password fairly easily. You can change it to anything you like: pick something you’ll remember (we have advice on choosing strong passwords here https://computing.which.co.uk/hc/en-gb/articles/360000818025-How-to-create-secure-passwords) and then save the changes. You’ll need to put that new password into all your other wifi devices (tablet, laptop etc) to connect back to the wifi, but hopefully a shorter, easier to type password will be easier for your Samsung telly to recognise before the keyboard crashes.

Or, as @jon-stricklin-coutinho suggests, you might be able to plug in an ordinary keyboard to the TV via USB. Let us know how you get on!

I have tried all of the above but nothing works. The other devices are in the same room as the TV and are working fine. The keyboard always requests the WiFi password but keeps cutting out before completion. This is apparently a common problem with older Samsung Smart TVs see: eu.community.samsung.com – TV Keeps Disconnecting from WiFi

Time to trade it in for a younger model perhaps 🙂

Are you now on FTTP Beryl? If not I presume you could reinstate the old router if that worked.

Very frustrating.

Mick says:
14 May 2020

I did as requested and went on the government website, only to have it come back as undelivered by Microsoft.
Very frustrated, and I sent several messages, but none of them connected, and yes, I did use the email address from Which?. Where to now?

It sounds like this could either be an error on the NCSC’s side, or an error with how your emails are being sent, Mick. Did you get any sort of error message on the email that was returned to you? Has this been happening with other emails you’re trying to send to other addresses, or just specifically the ones to the phishing email service above?

The NCSC note that there are cases when emails may not be delivered:

In a small number of cases, an email may not reach our service due to it already being widely recognised by spam detection services. The vast majority of reports do reach our system so please keep reporting any suspicious emails you receive.

If you continue to have problems then please contact us so we can investigate it further.

(from https://www.ncsc.gov.uk/information/report-suspicious-emails)

If you’re having an issue specifically with this email address, it may be worth contacting them using the contact form on that page to make them aware of the error.

Hi All, thanks for some interesting views above, especially from Kate and Em.

In a reply to one of my comments, Kate said “These days you only need to change a password if you think it’s been compromised. ”

If that is the current wisdom, then so be it but, if you wait to change passwords until you suspect (or actually know) that your security has been compromised, then surely a lot of the damage may already have been done by then.

Furthermore, some of the best and most expert hacks may never be revealed.

As far as I know, some of my best ones were either never revealed or only revealed after I flagged them up as discovered security loopholes in systems. Whether or not I was prepared to do that depended a lot on the extent to which IT and security staff in different organisations could really be trusted to do the right thing and how they handled revelations of “guilty knowledge”.

Like Em, I write down important passwords or, if I can, write down unambiguous hints instead. But I do not mind using browsers or system keyrings to remember non-critical passwords, such as the one for Which? Conversation.

From my computer buddy volunteering, I also have some experience of doing forgotten password resets on Windows, Apple and Linux PCs. Here I found that such facilities were available by design on the Apple and Linux machines where I had forgotten my passwords and available by means of widely known tricks on Windows PCs. The latter provide some nice examples of how it is all too easy for systems to contain unsecured loopholes.

Em says:
15 May 2020

@DerekP, You are right, but password security is not the only vulnerability we have to be aware of. The worst case I have ever seen was a well-known lift sharing website.

Having signed up and identified a suitable lift sharing candidate, I casually inspected the HTML (the web page content language) behind her profile. I was horrified to find her private address, home telephone number and her work email address (which revealed both her and her employer’s name) embedded in the code.

Knowing what days and at what times she left for work and returned home every day from her profile, gave me, any potential burglar or stalker, all the information needed about her whereabouts and daily movements. Note that no hacking was required and no passwords were needed to find out all this information.

I deleted my profile straight away, informed the lady concerned and notified the lift sharing site of their security blunders. As to “guilty knowledge”, they weren’t overly concerned and said it would be fixed later that year – which it was – but only after they had implemented HTTPS protocols (the padlock in the web address bar). It was never made public.

Tony Hunt says:
15 May 2020

I have a spreadsheet (named after a deceased family pet) on my laptop and keep my passwords on that. I

For anything financial I write down clues that will help me remember passwords. For other purposes I use Apple Keychain. If there is news of password breaches I change the password but not otherwise.

Em says:
19 May 2020

Tip 7. Don’t fly easyJet?

Today, easyJet announced price sensitive information to the London Stock Exchange, namely that they have been the victims of a highly sophisticated cyber attack. If, according to BBC sources, they became aware of this in January 2020, but have only just made this public “on the recommendation of the ICO”, they have more than some cancelled flight refunds to worry about.

Apparently, over 9 million easyJet customers have had their emails and travel plans accessed, making them ripe pickings for follow-up phishing attacks, as well as 2,000 customers who have had their credit card details leaked.

And if British Airways’ data breach in 2018 is anything to go by, affecting only 500,000 customers, easyJet could well be in line for the maximum fine of £255 million.

Em says:
25 May 2020

easyJet advice following the cyber security incident:

As normal, customers should continue to be alert and it is good practice to reset passwords on a regular basis. You can find out how to do this on easyjet.com in “Reset my password”.

Now, let me get this straight… You leak my name, email address and travel plans in January. Four months later, you inform the public.

In the meantime, it was fortuitous indeed that I happened to reset my password, according to your “good practice”. Does that mean my name, email address and travel plans are now secure again? Or the alternative implication is I didn’t change my password, so I somehow contributed to this data breach?

Sounds like borderline gaslighting to me. According to Greenberg:

The abuser may hide things from the victim and cover up what they have done. Instead of feeling ashamed, the abuser may convince the victim to doubt their own beliefs about the situation and turn the blame on themselves.