Lock Snapping & How to Prevent It

Lock Snapping is a method used by home invaders which involves snapping a particular type of lock cylinder, allowing the burglar to quickly and easily gain access to your home. If the right amount of force is applied to the cylinder, it can break and give access to the locking mechanism.

Lock Snapping has become more common over recent years as it requires no special tools or expert knowledge: the force of a hammer, mole grips or anything else that can physically grab and take hold of a cylinder is enough to gain entry. Many readily available online videos show the shocking force, speed and ease of the technique that burglars are using to break into homes up and down the country. One online video that we’ve seen shows how burglars will gain access to a cylinder even if it isn’t protruding from the handle. In this case the handle is shown literally being ripped off the door, the cylinder exposed, and the locking mechanism compromised using household tools such as a hammer and screwdriver.

A recent short TV documentary showed how a former burglar, without previous experience of snapping locks, could use this method to gain access to a property within 40 seconds. Even he admitted how shocked he was at the ease and speed of gaining access, and he said that an experienced lock snapper could probably gain access in as little as 13 seconds [Lock Snapping Video]. Another former burglar admitted that even if he had the best lock picks in England, he would rather snap the cylinder because “it’s simpler and easier”.

Police have said it’s estimated that around 22 million doors throughout the UK could be at risk from lock snapping where the lock cylinder can be broken in seconds.

 

What Locks Are at Risk

Key locks that are at risk of lock snapping are those of Euro Cylinder profiles, and locks that extend beyond 3mm of the handle. The further the lock cylinder protrudes from the door the more prone to tampering it becomes as it is easier to grip and take hold of, but even if a lock cylinder doesn’t protrude from the handle it still isn’t immune to tampering.

ASB Anti-Snap Locks

Locks that are of a TS007 3 Star standard (also known as ‘anti-snap’ cylinders) are locks that meet the requirements to withstand lock snapping attempts.

Anti-Snap cylinders have an integrated ‘snap-off’ section which will come away if a burglar were to try to snap the lock, making the cylinder shorter and thus more difficult to grasp. Built-in grip defenders make getting hold of the cylinder even harder. In addition, anti-snap locks have a hardened bar which won’t snap; it will only flex, making snapping almost impossible.

Check that your current locks do not over-extend. If they appear vulnerable you may want to consider having them replaced or replacing them yourself. Fitting them yourself is relatively easy, takes little time and requires no specialist tools.

Replacement costs

Upgrading to an ASB lock by a reputable locksmith will cost you £100 to £150 for a single door. Replacing more than one at the same time reduces the cost per door.

If you are prepared to buy the replacement cylinders offline and DIY, it will cost you £35 to £45 per door.

WhatsApp group chats not as secure as users might believe

Researchers have discovered flaws in the way the WhatsApp messaging app handles secure (encrypted) group communication, which could result in unauthorized users getting added to closed groups and monitoring future conversations within them.

The problem with WhatsApp:
Paul Rösler, Christian Mainka, and Jörg Schwenk analysed the three widely used protocols and their implementations, and found that if someone – e.g., nation-state backed hackers (illegally), or law enforcement or intelligence agencies (legally) – gains control of WhatsApp’s servers, they could easily insert a new member in a private group without the permission of the group’s administrator(s).

The other participants will get a notification about a new user joining the group, but they have no way of knowing whether the new member was invited by the administrator(s). Also, if the attacker controls the server, he or she can block the messages sent by users who might question the new addition or warn others about it.

As noted cryptographer and Johns Hopkins University professor Matthew Green explained, the vulnerability stems from the fact that the WhatsApp server plays a significant role in group management, and that group management messages are not end-to-end encrypted or signed.

“When an administrator wishes to add a member to a group, it sends a message to the server identifying the group and the member to add. The server then checks that the user is authorized to administer that group, and (if so), it sends a message to every member of the group indicating that they should add that user. The flaw here is obvious: since the group management messages are not signed by the administrator, a malicious WhatsApp server can add any user it wants into the group. This means the privacy of your end-to-end encrypted group chat is only guaranteed if you actually trust the WhatsApp server.”
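What client-side verification of administrator-signed group changes could look like, as an added Go example that is not WhatsApp's code or part of the original article. The message layout, the sequence counter, the names and the assumption that members already hold the administrator's verified Ed25519 public key are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// GroupChange is a hypothetical group-management message, not WhatsApp's wire format.
type GroupChange struct {
	GroupID, Action, Member string // only the "add" action is modelled here
	Seq                     uint64 // strictly increasing per group; blocks replays
}

// encode length-prefixes each field so distinct changes never encode identically.
func (c GroupChange) encode() []byte {
	out, n := []byte("group-change-v1"), make([]byte, 8)
	for _, f := range []string{c.GroupID, c.Action, c.Member} {
		binary.BigEndian.PutUint32(n[:4], uint32(len(f)))
		out = append(append(out, n[:4]...), f...)
	}
	binary.BigEndian.PutUint64(n, c.Seq)
	return append(out, n...)
}

var (
	ErrUnsigned = errors.New("not signed by a known administrator of this group")
	ErrReplay   = errors.New("stale or replayed sequence number")
)

// Client is one member's local view of the group.
type Client struct {
	GroupID string
	Admins  []ed25519.PublicKey // assumed verified out of band (key fingerprints)
	Roster  map[string]bool
	LastSeq uint64
}

// Apply changes the roster only if an administrator signed this exact change.
// The relaying server is treated as untrusted: it can deliver or drop, not author.
func (cl *Client) Apply(c GroupChange, sig []byte) error {
	signed := false
	for _, pk := range cl.Admins {
		signed = signed || ed25519.Verify(pk, c.encode(), sig)
	}
	switch {
	case !signed || c.GroupID != cl.GroupID:
		return ErrUnsigned
	case c.Seq <= cl.LastSeq:
		return ErrReplay
	case c.Action != "add":
		return errors.New("unsupported action")
	}
	cl.Roster[c.Member], cl.LastSeq = true, c.Seq
	return nil
}

// Demo feeds one client four constructed deliveries, as relayed by the server.
func Demo() ([]error, map[string]bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	cl := &Client{"g1", []ed25519.PublicKey{pub}, map[string]bool{"alice": true}, 0}
	add := GroupChange{GroupID: "g1", Action: "add", Member: "bob", Seq: 1}
	sig := ed25519.Sign(priv, add.encode()) // done on the administrator's device
	tampered := GroupChange{GroupID: "g1", Action: "add", Member: "mallory", Seq: 1}
	forged := GroupChange{GroupID: "g1", Action: "add", Member: "mallory", Seq: 2}
	return []error{
		cl.Apply(add, sig),      // genuine administrator change: accepted
		cl.Apply(tampered, sig), // member rewritten in transit: signature fails
		cl.Apply(forged, nil),   // server-originated change with no signature
		cl.Apply(add, sig),      // old signed change delivered again: replay
	}, cl.Roster
}

func main() {
	fmt.Println(Demo())
}
```

A scheme like this covers only explicit administrator actions; a join through a shared invite link has no administrator signature to check, which is the tension with the “group invite link” feature the article mentions.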

What now?
The main problem is this: end-to-end encryption, which WhatsApp purports to offer, should not depend on uncompromised servers. “We haven’t entirely achieved this yet, thanks to things like key servers. But we are making progress. This bug is a step back, and it’s one a sophisticated attacker potentially could exploit,” Green noted.

The researchers disclosed their findings to WhatsApp last summer. WhatsApp said that the “group invitation bug” is a theoretical danger that’s additionally minimized by the fact that users will receive a notification about a new user joining the group. Also, the spokesperson noted, administrators could warn users about the new, unauthorized addition via private messages. That seems to be enough for them at the moment, especially because a fix for the flaw could end up breaking the convenient “group invite link” feature.

There are apps for most things; use them safely and securely

Thanks to apps, your phone, tablet and maybe your smart watch have become the smartest and fastest way to communicate, navigate, shop, bank, book, pay, get your entertainment … and much more. But convenience can be accompanied by disadvantages, so we’d like to pass on a few expert tips about making sure you choose and use apps safely and securely.

Use only official app stores

Avoid downloading fraudulent or otherwise illegitimate apps by using only the official store for your device’s operating system, and avoiding unauthorised sources such as bulletin boards and peer-to-peer networks. Even then, read reviews and choose with care, as some rogue apps occasionally make their way into app stores.

Read the small print

When downloading apps, you’re usually asked to agree to terms and conditions. These can be quite lengthy and complex, but it’s important to read them, as some small print includes details on data sharing, in-app payments and other conditions.

Know what permissions you’re granting

You may be asked for permission for an app to access your location, photos, camera, contacts or other functions or data. Before agreeing, think about whether you really want this type of access enabled, and the safety aspects of others knowing what you’re doing and where you are (especially important for children).

Check settings

Where possible, check app settings to determine whether downloading updates and day-to-day data are enabled automatically. This may be convenient, but it could also make it easier for your data to be intercepted, and may use up your data allowance.

Check content ratings

Most apps found in the official app stores feature ratings with guidance on the content and intensity of various aspects of the app. Each store has its own policy, so ratings may vary from store to store. A nice-to-have for you, but essential for apps which may be accessed by children.

Use public Wi-Fi safely

When you’re out and about, remember that you shouldn’t use Wi-Fi hotspots for confidential communications or transactions in places like cafés, pubs and hotel rooms, as there’s no guarantee of security. Instead, use your data, or wait until you get back to your secure Wi-Fi.

Always log out

When you’ve finished using an app – particularly one for banking, shopping or payments – always log out, as simply closing the app may not necessarily do it for you. This also goes for location-based apps, when you want to keep your whereabouts to yourself.

Download updates

Always download app updates when prompted, because as well as providing new features and better functionality, updates usually contain at least one security fix.

Look after your devices

With today’s apps, your mobile device becomes a computer, wallet, satnav, photo album, TV, filing cabinet, and much more. You shouldn’t leave any of these items in an unlocked house or vehicle, or unattended in a café or on a train … your mobile device is no different. And always PIN or password-protect your device as a first line of security.

Keep an eye on those bills

Be aware of the data used by apps when you’re out and about, including roaming charges abroad. And remember that some apps enable in-app purchases, which can be very attractive to use – especially to children – but at a price.

Do your housekeeping

Filling your phone or tablet with dozens of apps you don’t use can affect its performance, including reducing battery life. Remove the ones you haven’t used for a while, apart from security apps. If you’re disposing of your phone by any means, erase all data and apps, also preferably doing a factory re-set.

I’ll make you an offer you can’t refuse… – NCSC Site

One of the terms we didn’t include in our advent calendar of definitions was ‘malvertising’. This is a term which we felt we could say a little more about, and so we’ve saved it for this blog. Malvertising may seem like a scary topic, but it doesn’t need to be. This blog includes some simple steps to protect your End User Devices and your networks, so you don’t need to be afraid of online adverts.

What is malvertising?

Malvertising, or ‘malicious advertising’, is when an attacker uses online advertising as a delivery method for malicious activity. It’s particularly insidious because it often doesn’t require any user interaction – such as choosing to run downloaded files – to cause problems. You can become a victim of malvertising simply by visiting a popular website. Code within online adverts on the website could install ransomware or other malware.

It’s a popular method because a single malicious advertisement could be distributed to many publishers and onward to many websites – causing widespread attacks against their users. Ad networks allow advertisers to target online advertisements on features like location and device types; attackers can also leverage this to launch targeted malvertising campaigns. In addition, it can be difficult to attribute malicious activity to malvertising.

How malvertising works

To understand how to protect against malicious advertising, it helps to understand how it is delivered. Website owners and mobile application developers, known as publishers, receive payment from advertisers in return for displaying online advertisements. Online advertisements can allow advertisers to run code to display rich media advertisements that incorporate elements like animations, video and scripts. Malicious actors can take advantage of this to deliver malicious content within an online advertisement, without the knowledge of the publisher.

There are different ways for malicious advertisements to be displayed on a publisher’s site:

  • Publishers can use their own servers to deliver online advertisements.
  • Alternatively, publishers can use an ad network. Within ad networks, advertisers can buy the rights to serve an advertisement onto a publisher site.

Whether an attacker compromises a publisher’s server or poses as a legitimate advertiser, the same delivery vector – online advertisements – is used to deliver malicious activity. It is important to note that while publishers are being used in the infection process, they are – like the end user – victims of malvertising. Publishers will suffer reputational damage if their customers get infected from malvertising displayed on their sites.

Embedded malicious code

Malicious advertisements typically do not require any user interaction because they contain embedded code: the user does not need to click on the advertisement for that code to run. The code can carry out a variety of tasks, such as exploiting software vulnerabilities or silently redirecting users to malicious websites that host exploit kits. In this regard, malvertising is like drive-by downloads, in that software is run on a victim’s computer simply by visiting a malicious website.

Note: Exploit kits are automated toolkits or frameworks designed to scan a victim’s device, find software vulnerabilities and then exploit them in order to deliver a malicious payload.

What is the impact of malvertising?

Numerous high-profile publisher sites have been victims of malvertising campaigns. In March 2016, visitors to various major publishers including aol.com, bbc.com, nfl.com and nytimes.com received malicious advertisements. The malvertising campaign targeted US users and was delivered through multiple ad networks. Shortly afterwards, a similar malvertising campaign targeted visitors to UK websites.

In both campaigns, the malicious advertisement redirected victims to websites hosting the Angler exploit kit. This can lead to malicious activity such as stealing financial information stored on victims’ machines, or installing ransomware whereby victims’ files are encrypted unless payment is made to the attacker.

Ad blocking

Ad blocking is a technology designed to limit (or completely prevent) the display of online advertisements. There are several ad blocking solutions that work in different ways. Some ad blockers are designed to block all advertisements (whether legitimate or malicious), whilst others whitelist ‘trusted’ ad networks. It is worth noting that whitelisted ad networks could still be a source of malicious advertisements. Whilst ad blockers can help prevent malvertising from affecting you, they should not be regarded as a security product.

Protecting your devices and networks

The clear majority of malvertising targets unpatched vulnerabilities in web browsers, plugins, and associated internet-facing software on End User Devices. Prompt patching and updating of this software is the most effective mitigation available. For more information on protecting End User Devices within your organisation, see our EUD guidance.

In addition, Cyber Essentials contains five critical controls which can help to reduce the harm from malvertising. We recommend that all organisations consider these controls, and the recommendations in the 10 steps to cyber security. Wider network security hygiene protections, such as network segregation, web proxying, and least privilege are also useful in minimising the impact of any successful malware infection.

Source: I’ll make you an offer you can’t refuse… – NCSC Site

Putting the cyber in crime: How lower barriers and increased profits have led to a surge in cybercrime.

It seems as if not a day goes past where cybercrime isn’t in the headlines. Whether it is a ransomware attack, a huge data breach, theft of intellectual property, or the unavailability of service, ‘cyber’ is playing an increasingly important role for both enterprises and individuals alike.

Nowadays, nearly all crimes have an element of cyber to them and we’re seeing more ‘traditional’ criminals get into the cybercrime industry. However, this isn’t just bandwagon jumping; there are actually some very good reasons why the world of cyber makes a lot of sense to criminals.

Lowering barriers to entry: Go back ten years or so and ‘hacking’ knowledge was limited to a few select individuals that understood technology. It wasn’t easy to find experts that were willing to be “hackers for hire”, and for those new to the industry, acquiring such skills wasn’t an easy task either. However, in recent years, the barriers to entry have gotten significantly lower due to a few key factors:

  1. Availability of online marketplaces. Online marketplaces have become commonplace and provide a convenient place where hackers for hire can advertise their skills to bidders. These can encompass a broad range of services such as DDoS attacks, botnets, and targeting of individuals or businesses, as well as custom services.
  2. As-a-service. Taking a cue from legitimate businesses, cybercriminals are beginning to remodel their organizations for greater efficiency. This has resulted in the rise of “cybercrime-as-a-service”. For example, Petya & Mischa ransomware-as-a-service (RaaS) was launched in July 2016. This platform encourages distributors to generate high returns by enticing them with the cybercrime equivalent of performance bonuses. If distributors generate less than five bitcoins in each week, then they only earn 25% of the ransom paid. However, if the weekly payment is over 125 bitcoins, then they can potentially keep 85% of it. Through such initiatives, the RaaS business model has proven to be highly lucrative, for both the providers and the distributors, and there’s no sign that these operations will go away anytime soon.
  3. The rise of cryptocurrency. The third leg of the stool is made up of cryptocurrencies such as bitcoin, which allow payments to be made anonymously. This allows cybercrime service providers to sell their wares easily, and allows cybercriminals to extort money from their victims more effectively.

Profit and loss: Another aspect contributing to the rise in cybercrime is the increase in potential profits. The cybercrime market is lucrative because of the extent to which things have gone digital. Everything from finance, to healthcare, to national infrastructure is connected in some way or another. On top of this, the introduction of IoT and smart devices has resulted in an explosion of connected devices, each of which presents a potential money-making opportunity for a clever hacker.

The abundance of connected devices gives criminals an advantage because there will always be unsecured, unpatched, or simply insecure targets. Attackers can profit from targeting individual consumers as they could from attacking large enterprises. By targeting individuals, hackers further lower the bar to entry, as no pre-qualification needs to be done on the target.

Key takeaways: The number of criminals taking advantage of lucrative cyber money-making opportunities will unfortunately only continue to grow. Therefore, it is more important than ever that enterprises and individuals take appropriate steps to protect themselves from cyber-attacks. Here are a few tips to bear in mind:

  • User education and awareness is the first, and arguably the most important, line of defence. For example, knowing not to click on suspicious links could prevent a potential infection entirely.
  • Segregating critical systems and assets is also a good defensive measure. If a user does click on a link, having segregated systems will prevent infections from spreading.
  • Having robust detection and response controls in place, enhanced by threat intelligence, is also critical so that infections can be detected quickly and remedial action taken immediately to minimize impact.
  • Finally, the importance of backup processes cannot be forgotten or neglected. If the worst does happen, it’s often better to wipe systems and reinstall from a clean, trusted backup than try to fix the mess.

Cyber-threats in university Clearing and how to overcome them – IT Security Guru

A Level results are out.  For many, this is a time of celebration as they take up offers for the university or college of their choice.  However, for those who have not received the results they need it can be a stressful time as they enter Clearing, and turn to online search to secure a university or college place to continue their studies.

Cybercriminals are wise to this forthcoming uptick in web traffic, and have been creating higher education phishing sites to trick stressed students into clicking on malware-laden links. This is not a new scam, and is evidence that cybercriminals are diversifying to rework banking, online shopping and other phishing scams. Security researchers at Forcepoint are now warning prospective students across the UK and internationally to beware of these scams.

Carl Leonard, principal security analyst at Forcepoint said: “This activity could come from one-off individual criminal elements speculating for financial gain or as part of an organised gang spreading malware kits or adding to botnets.  Using search analytics criminals can map likely human reactions and rework tried and tested social engineering scams to target vulnerable individuals.  Broadly, if a university or college offer appears too good to be true, it probably is.”

“University students will continue to be targeted by cyber criminals at relevant times of the year. The scammers will continue to set up fraudulent websites and send convincing emails demanding interaction in order to manipulate a student’s behaviour when they are under the most time pressure.”

As a way of preventing these cyber scams, Forcepoint advises students searching for university and college courses for the autumn to do the following:

  • Type in the URL rather than clicking on links in email or in online adverts
  • Use reputable search engines
  • Be aware of lure lines such as “discounted course fees,” “multiple course places available now,” or the usage of highly respected educational establishment names in promotions
  • Keep internet security up to date on PCs and mobiles
  • Begin your Clearing search via the UCAS website, which contains official links and the latest up-to-date places
  • Reach out to the university’s or college’s admin secretary office if you have doubts as to the legitimacy of a fee or offer

Wayne Gaish, IT Strategic Development Manager, Petroc said: “Petroc takes cyber security very seriously and in particular for our learners at this crucial time of year. The guidance provided by Forcepoint will help promote a better understanding for our learners in today’s digital world.”

Frank Jeffs, post-graduate researcher and former Head of Advertising at Middlesex University said:

“Scams of this nature have the potential to trick stressed UK-based students, but could also catch out international students who are seeking courses in the UK. In my experience, scammers use well-known university names such as Oxford or Cambridge and create fake institutions which sound very similar. Designed to look realistic and offering qualifications at a low price or attempting to capture personal information, this social engineering trick could easily catch out international students or people who might not have the local knowledge of the official educational establishment names. Always go via the UCAS website or type in the URL of the university or college you are interested in.”

 

Stop children bingeing on social media during holidays, parents urged | Society | The Guardian

Children’s commissioner says too much time is spent online as she launches ‘five a day’ campaign.

Source: Stop children bingeing on social media during holidays, parents urged | Society | The Guardian

‘LinkedIn Update’ Phishing Scam Email

If you use LinkedIn, keep an eye out for an email that claims you must click a link to update your account. The email, which has the subject “LinkedIn Update”, claims that LinkedIn is updating its “Services Agreement and Privacy”.

The message warns that your account will be deactivated if you do not click the link and update your account. However, LinkedIn did not send the email and your account will not be deactivated if you don’t click the link. Instead, the email is a phishing scam that is designed to steal your LinkedIn account login details. If you click the link, you will be taken to a fraudulent website that has been built to emulate the real LinkedIn login page. Once on the fake site, you will be asked to enter your account email address and password to log in. After entering your details, you’ll see a message claiming that you’ve successfully completed the supposed update.

Online criminals can now use the information you provided to hijack your LinkedIn account. Once they have gained access to your account, the criminals can use it to send spam, scam, and malware messages to your LinkedIn contacts in your name.  They may also gather more of your personal information from your account and use it to pose as you and attempt to steal your identity. LinkedIn users are regularly targeted in such phishing scams.

LinkedIn has information about phishing scams and how to report them on its website.

Cyber Safe Warwickshire – Significant Rise In Council Tax Rebate Frauds

Action Fraud are warning that fraudsters may be posing as local council officials or professionals and cold-calling customers stating that they are eligible for a general tax or council tax rebate, with a sharp increase in the number of reports relating to fake council tax refunds in the last few weeks.

Source: Cyber Safe Warwickshire – Significant Rise In Council Tax Rebate Frauds

Which smartphone is the most secure? – NCSC Site

Andy P (EUD Security Research Lead) says: “When talking about end-user device security, one of the questions I hear most often is ‘Which smartphone is the most secure?’. Now, since Jon’s told us we’re not allowed to say ‘It Depends’, we’d better have a good answer. So here’s what I think.”

‘The most secure platform’ isn’t really a useful metric. It’s an old adage that the most secure computer is the one turned off, disconnected, and locked in a safe. Pretty secure, and not very usable. But it illustrates the point that there’s plenty more to think about than just security when deciding which device you’re going to use to get your job done (or play Minecraft on). Instead, I believe the question we should be asking is ‘Is it secure enough?’.  Once you’ve established which of your potential options are in that category, you can then pick the one that best meets your other requirements, such as cost, features, battery life, availability of your favourite apps and so on.

Source: Which smartphone is the most secure? – NCSC Site