Two Weeks to Take Global Action Against Malware

The National Crime Agency is urging members of the public to take action which will help fight the effects of two specific cyber threats.

In a globally co-ordinated awareness campaign, crime fighting forces in the UK, along with the FBI and collaborators in a number of other countries are encouraging members of the public to take steps which will not only help protect themselves from risk, but also cause significant disruption to the effectiveness of the network which supports the malware around the World.

According to the National Crime Agency, GOZeuS and CryptoLocker are two systems estimated to be responsible for the loss of hundreds of millions of pounds globally. While the two systems are distinct in the way they operate, they both take advantage of security holes on a user's computer.

Put as simply as possible, GOZeuS operates by sending emails to ‘victims’, seemingly from a familiar contact (so they look genuine), but which contain links to the malware. Once the link has been clicked, the malware is downloaded and then operates in the background, waiting for the opportunity to collect banking or personal information. This information is fed back to the criminals using a network of infected machines.

If GOZeuS considers the information it finds not to be financially rewarding, CryptoLocker in activated. This system encrypts the files on the machine and then offers to unlock them in return for payment – in essence a ransom for the release of the files.

The more members of the public that are able to take steps to protect their computers, the more chance there is of the network of infected computers (or BotNet) being disrupted and this in turn will help to reduce the effectiveness of both malware systems.

There are some simple steps that can be taken to help protect your computer – which also apply to general e-safety. These include:

  • Making sure your anti-virus/anti-malware is up to date

  • Changing your passwords

  • Keeping your operating system current with updates and security patches
  • Further information is available from CERT-UK. There are also helpful tips on the Get Safe Online website

    If you would like to discuss Malware with your students, it is covered in the lesson plans and assembly plans available to E-safety Support Premium and Premium Plus members.

    Written by E-safety Support on June 03, 2014 13:49

    Understanding the Heartbleed bug

    The Heartbleed bug has been widely reported over the last month, but what is it and how does it effect e-safety?

    Firstly, let us just clear up a common confusion between the terms 'bug' and 'virus'. A bug is a mistake or error in a computer system which can cause a system to malfunction or to behave unexpectedly.

    The term bug is derived from the days when computers used valves as opposed to transistors or solid state electronics and actual insects getting into the workings of a system would cause errors.

    A virus, is a piece of often malicious software code which is designed to spread from computer to computer and usually has a mission to interfere with the running of that system or access data that shouldn't be available.

    A bug may lead to a computer system having a security hole. A virus may be written to take advantage of that bug and thus circumvent system security.

    However, it is not just a virus which may 'exploit' a bug. A known error in a system could for instance be utilised by remotely communicating with a computer system using software or direct input from a computer terminal.

    So what is the Heartbleed bug?

    In order to secure a 'session' between a user and a computer system on the Web, a protocol called SSL (Secure Sockets Layer) is used. The aim is to encrypt data sent over the internet so that is can only be understood by the sender and the intended recipient.

    A protocol is a defined standard which software systems implement in order to communicate with other systems with their own implementation of the protocol.

    In a Web application there are many protocols and patterns which need to be implemented and rather than building these from scratch for every single computer system, most software languages will utilise tried and tested libraries of common computation requirements, such as for instance the implementation of a protocol. This is good practice as it ensures consistency and in general reduces the amount of potential errors.

    The protocol SSL is widely implemented in Web systems by using the library component OpenSSL and it was this piece of software which contained the error. This essentially meant that, once discovered the error could potentially be exploited to allow a third party to access a supposedly secure communication session and retrieve data it should not have access to.

    Fixing the bug

    Once discovered, the bug was fixed or patched within OpenSSL relatively quickly. The next step was for computer systems to apply the new fix to their servers.

    Our own servers, which run this very Web application were patched on 8th April and are now secure against any Heartbleed exploits.

    What's all this about needing to change my passwords?

    There have been some very confusing mixed messages about whether a user needs to reset their passwords.

    Firstly, the Heartbleed bug only effects systems which have used OpenSSL, however this is huge amount of systems, as a rule though, most banks do not fall into this category.

    There is a list here on Mashable.com of the most commonly used Web sites together with advice as to whether or not they were vulnerable to Heartbleed and whether a password reset is recommended.

    The Heartbleed bug potentially allowed a third party to obtain user details including email address and passwords for a system. 'If' this has happened then that system is no longer secure and the password should be reset. However, it is not know how many, if any systems were actually attacked and thus there is no way of knowing for sure for any given system whether a reset is required.

    The risk is low, but ...

    Many people tend to use the same password for multiple systems and so it is possible that an email address and password obtained for one single system might be useable to access any number of other systems. SO for instance if the password you use for a compromised system is the same password you use to access your email account, your email is no longer secure.

    It is for this reason that resetting your passwords is recommended.

    As a rule it is good practice to ensure you have secure (mixed case, letters, numbers and symbols) passwords which are unique to each system you access. It's also a good idea to change these passwords periodically.

    For the more tech savvy reader, the ever excellent XKCD had a great cartoon explaining the specifics of the bug.

    Written by E-safety Support on April 24, 2014 13:36

    How do you manage passwords with primary school children?

    It’s a dilemma. More and more of the work we do now in class is online. This could be an online cloud such as Google Apps or Microsoft 365, it could be a VLE or their email, or it could just be a simple website like animoto.com where they create photo galleries. The truth is that there are so many potential usernames and passwords that it is obvious that for many users, teachers as well as children, they will find one password and stick to it.

    So let’s assume that the majority of users in your school have a single password. We can pretend that most of them have a different password for every tool, but it just won’t be the case. So is that single password secure? How can we make it a good password? How can we check that our password is good enough?

    Luckily there is a free website called How Secure is my Password that gives a rough indication of the strength of a password. You simply type a password into the box and it will change colour to hopefully orange or better yet, green, if the password is secure. It is a great visual way of seeing the effect that adding a number or character can have on a password.

    Password advice often suggests using a mixture of upper and lower case letters, numbers and punctuation. There is also the idea of changing letters for numbers so even the humble password could become Pa55woRd? And this then becomes harder to crack. Of course it also becomes harder to remember too.

    When it comes to actually choosing a password to remember, one great tip for younger children (probably around Year 3) is to pick two unrelated words that they can spell such as house and flower. On their own, they could both be cracked by a computer instantly but together they would take 10 days. Better yet, by making the first letter a capital (Houseflower) and that ‘score’ jumps to 59 years. But there is much more chance of a child remembering that password than there is them remembering a jumbled-up selection of letters. Although I am sure the site is fine and doesn’t track passwords, I wouldn’t suggest doing it on a personal computer, just in case. You can’t be too careful right? Oh, the example above (Pa55woRd?) would take a year to hack, apparently.

    Another top-tip is to search online for “top 10 passwords” and there will be a range of surveys and lists giving examples of common passwords. This can then lead into a debate about why these are so common and why they should be avoided.

    So what seems like a simple task of choosing a password can be used as the starter of a discussion and the stimulus for teaching others. Give it a go, how secure is your password?

    Written by Ian Addison on March 25, 2013 15:00


    Join E-safety Support

    • Protect your pupils
    • Support your teachers
    • Deliver outstanding practice

    Recent Stories
    Story Tags
    addiction anti_bullying_alliance anti-radicalisation apps ask.fm assembly avatars awards bett Breck_Foundation bug bullying BYOD calendar cber_bullying censorship ceop chatfoss checklist child child_exploitation childline childnet child_protection childwise christmas ClassDojo classroom competition cookies CPD creepshot CSE curriculum cyberbullying cyber_bullying cyber_crime cybersmile_foundation cybersurvey DCMS Demos development devices DfE digital_citizenship digital_footprint digital_forensics digital_leaders digital_literacy digital_native digital_reputation digital_wellbeing eCadets education e-learning emoticon e-safe esafety e-safety e-safety, e-safety_support #esscomp #esstips ethics exa exploitation extreemism extremism extremism, facebook fantastict fapchat FAPZ film filtering freemium friendly_wifi gaming #GetSafeOnline glossary GoBubble gogadgetfree google governor grooming #GSODay2016 guidance hacker hacking icon information innovation inspection instagram instragram internet internet_matters internet_of_things internet_safety into_film ipad iphone ipod irights IWF language leetspeak lesson like linkedin malware mental_health mobile monitor monitoring naace navigation neknominate netiquette network news NHCAW nomophobia nspcc NWG ofcom offline ofsted omegle online online_safety oracle parents phishing phone Point2Protect policy pornography power_for_good pressure PREVENT primary privacy professional_development protection PSHE #pupilvoiceweek ratting rdi reporting research risk robots safeguarding safer_internet_day safety SCD2015 #SCD2016 school sdfsdf security self-harm selfie sexting sextortion ShareAware sid SID SID2016 SID2017 smartphone snapchat snappening social_media social_media, social_networking staff staff_training #standuptobullying statutory_guidance Stop_CSE stop_cyberbullying_day stress students survey swgfl SWGfL tablet teach teachers technology texting tootoot training TrainingToolz troll trolling twitter UKCCIS uk_safer_internet_centre UK_youth unplug2015 virus webinar website we_protect what_is_e-safety wifi wi-fi windows wizard yik_yak young_people youthworks youtube YPSI
    Archive