Cyber Security Focus - 1. Passwords and Beyond

Awareness of the topic of cyber security is becoming more prevalent in the mainstream. Where it was once the fixation of computer scientists and engineers, lay people are increasingly beginning to understand its importance.

Most people will understand the potential problems of cyber criminals gaining access to things like their bank account and take appropriate precautions but many are still lax when it comes to cyber security in general.

There are some very clever pieces of software out there that ‘crack’ passwords or exploit weaknesses in the security of a Web service in order to access private data. But a great deal of criminal activity is predicated on ‘hacking the human’, i.e. good old-fashioned opportunism and confidence tricks.

As an individual there is little you can do to influence the security systems of the services you use, other than to vote with your ‘cyber’ feet and refuse to use online services which don’t take security seriously. However, there is much an individual can do to minimise risk.

In this upcoming series of articles we will look at some of these related topics.

In the first article we’ll look at passwords and the move towards two or three factor authentication.

The use of passwords to access online services is nearly as old as the Web itself. Most services will ask for a username (often an email address) and password in order to grant access to the system. This is an example of ‘One-factor Authentication’: it relies on asking the user for something that, it is assumed, only that user and the system know.
The system is based on the assumption that the user is keeping this bit of information safe. Therefore, if the system asks the user for that bit of information, the user offers it and it matches what the system knows, then the user is assumed to be identified. In an ideal world there is nothing wrong with this system.

The inherent weakness occurs when that piece of information, i.e. the password, is discovered by a malicious third party.

There are three sources from which this information could be ‘stolen’:
i) The system itself:
Despite what Hollywood movies may portray, this is actually harder than it seems (for a well-maintained system).
ii) A second system:
This is where you use the same username/password combination on more than one service. Should one of those services be compromised, a simple hacker script will try those credentials on a list of other services to see if they can gain access. For instance, let's imagine you have an account on a simple local news sharing site. You access this using your email address and a password. Now let's say the security is lacking somewhat and a criminal manages to get a list of emails and passwords for all the accounts on that system. There are 2.9 billion Facebook accounts, so it is a reasonable assumption that some of those people with accounts on the news website also have a Facebook account. It's a task of seconds to try the stolen list of email addresses and passwords against the Facebook login process. Anyone with an account on the news site who uses the same email address and password combination on Facebook has now had their Facebook account hacked. What's worse is that Facebook can act as an authentication agent for other services: have you ever been to a Web service which offers the ability to 'Register or Log in with Facebook'? Thus we see that the simple mistake of duplicating an email and password combination on a vulnerable site has unlocked a whole raft of other accounts!
iii) The user themselves:
This is by far the most common way in which passwords are stolen. It could include leaving the password on a post-it note, maintaining a document or notebook with a list of passwords, sharing it with someone whose own security is compromised, or sending or storing it somewhere non-secure such as in an email or text message. You could also fall prey to some kind of deceit where you believe you are entering your details into a valid service, but it is actually a fake site which will collect your data. This is a form of ‘phishing’ which we will look at in a future blog in this series.
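The ‘second system’ case above is what a service operator sees as a credential-stuffing run: one client replaying a stolen list of email/password pairs against the login form, trying many different accounts in quick succession, with a few of them succeeding. The following is an added example (not code from the original article) of how a defender might spot that pattern in authentication logs and work out which accounts need a forced password reset. The log format, the addresses and the accounts are all constructed for the example.

```python
"""Detecting a credential-stuffing run in authentication logs.

Added example, not from the original article. Assumes a constructed log
format of one line per login attempt:
    <ISO timestamp> <client address> <username> <OK|FAIL>
The tell-tale pattern: one client tries many *different* usernames in a
short window, mostly failing. The successes are the accounts whose reused
password was in the stolen list, so those are the ones to reset.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (fictional users and documentation-range addresses).
SAMPLE_LOG = """\
2022-04-01T10:00:01 203.0.113.7 alice@example.org FAIL
2022-04-01T10:00:02 203.0.113.7 bob@example.org FAIL
2022-04-01T10:00:02 203.0.113.7 carol@example.org OK
2022-04-01T10:00:03 203.0.113.7 dave@example.org FAIL
2022-04-01T10:00:03 203.0.113.7 erin@example.org FAIL
2022-04-01T10:00:04 203.0.113.7 frank@example.org FAIL
2022-04-01T10:00:05 203.0.113.7 grace@example.org OK
2022-04-01T10:00:05 203.0.113.7 heidi@example.org FAIL
2022-04-01T10:00:06 203.0.113.7 ivan@example.org FAIL
2022-04-01T10:00:06 203.0.113.7 judy@example.org FAIL
2022-04-01T10:02:00 198.51.100.4 alice@example.org FAIL
2022-04-01T10:02:30 198.51.100.4 alice@example.org FAIL
2022-04-01T10:03:00 198.51.100.4 alice@example.org OK
"""


@dataclass
class Attempt:
    when: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        attempts.append(Attempt(datetime.fromisoformat(ts), ip, user, result == "OK"))
    return attempts


def find_stuffing(attempts, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.5):
    """Return {client_ip: summary} for clients that, within any `window`, tried at
    least `min_users` distinct usernames with a low success ratio.

    A single user retrying their own password (second client above) does not
    match: many attempts, but only one username.
    """
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.when)
        start = 0
        for end in range(len(rows)):          # sliding window over time-ordered rows
            while rows[end].when - rows[start].when > window:
                start += 1
            in_window = rows[start:end + 1]
            users = {a.user for a in in_window}
            successes = [a.user for a in in_window if a.ok]
            if len(users) >= min_users and len(successes) / len(in_window) <= max_success_ratio:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(in_window),
                    # Accounts where a stolen credential worked: force a reset.
                    "accounts_to_reset": sorted(set(successes)),
                }
    return findings


if __name__ == "__main__":
    for ip, summary in find_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The thresholds are deliberately parameters: a shared NAT address at a school will legitimately show many distinct users, so in practice the success ratio and the rate of new usernames per minute are tuned against normal traffic before alerting on them.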

As mentioned above, there is little you can do personally about the first case, but the latter two are well within the individual's control to guard against.

In the second case, ‘compromising a second system’, the advice is simple.
NEVER USE THE SAME USERNAME AND PASSWORD FOR MORE THAN ONE SYSTEM.

This is even more important if you use that same password for your email.
Many systems assume an email inbox to be secure. For instance, if you forget your password and request a reset, most secure systems will email a link to the email address associated with your account. You therefore need access to that mailbox to confirm the reset request.

If you have used the same password for your email, not only can a criminal access your account for the compromised service, they can access your email and change passwords, thus locking you out. They can then request password resets of other services and confirm those, thus gaining access to countless other accounts.

To guard against the most common vulnerability, the user's own actions, you should take precautions never to share or write down your password.

Sharing passwords with other staff members in a school is an all-too-common occurrence. We find that even though all our subscriptions allow the addition of extra staff accounts at no extra cost, many schools still circulate their account details to colleagues in order to access resources.

Of course, the real world issue is that people have countless accounts on a variety of Web based services and expecting people to have the ability to remember them all is a tall order.

One solution is to use a password manager. These store your passwords, each against its username and web address, in a secure store that is unlocked with a single master password. You may already have one of these if you, for instance, use Chrome as a browser and have a Google account, or perhaps you have activated the Keychain system built into Apple devices.

There are a number of third party password manager options - some of which are reviewed here.

A second approach may simply be to actively forget most passwords. Concentrate on remembering the passwords for the services you use often and forget the rest. Make sure you remember your email account password, and make sure it’s a good, secure one.

Then, for any service you log into infrequently, set up a complex password (the secure passwords suggested by your browser are a good bet). Each time you want to access one of those sites, simply go through the password reset process; this will normally take you less than a minute.
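Two pieces of the advice above, never reuse a password across services (and above all never reuse the email password) and prefer long random passwords generated for you, can be checked and fixed mechanically over a password manager's export. The block below is an added example, not the article's code nor that of any password manager; it assumes a constructed export in the shape of (site, username, password) rows, which is roughly what managers export as CSV. Reused passwords are grouped by a keyed hash so the audit report never contains the passwords themselves.

```python
"""Auditing a password vault export for reused passwords and replacing them.

Added example, not from the original article or any password manager.
Assumes a constructed export: a list of (site, username, password) tuples.
"""
import hashlib
import hmac
import secrets
import string

# Constructed sample vault (fictional accounts and passwords).
SAMPLE_VAULT = [
    ("mail.example.org", "pat@example.org", "Tr0ub4dor&3-unique-mail"),
    ("localnews.example", "pat@example.org", "Summer2021!"),
    ("social.example", "pat@example.org", "Summer2021!"),
    ("shop.example", "pat@example.org", "Summer2021!"),
    ("bank.example", "pat@example.org", "kq7$Vn!pL2wZ9#mR4bT8"),
]


def password_fingerprint(password, key):
    """Keyed hash: equal passwords give equal fingerprints, but the report
    never holds the plaintext and the key is discarded after the audit."""
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest()[:16]


def find_reuse(vault, key=None):
    """Return {fingerprint: [sites]} for every password used on more than one site."""
    key = key or secrets.token_bytes(16)
    groups = {}
    for site, _user, pw in vault:
        groups.setdefault(password_fingerprint(pw, key), []).append(site)
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}


def email_password_is_shared(vault, email_site):
    """The worst case described in the article: the mailbox password reused elsewhere."""
    email_pw = next(pw for site, _u, pw in vault if site == email_site)
    return any(pw == email_pw and site != email_site for site, _u, pw in vault)


def generate_password(length=20):
    """Browser-style random password from the printable set, using the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def remediate(vault):
    """Return a new vault in which every entry that shared its password with
    another entry gets its own fresh random password. Every member of a reused
    group is replaced, because any one of those sites could be the leaked one."""
    counts = {}
    for _site, _user, pw in vault:
        counts[pw] = counts.get(pw, 0) + 1
    return [
        (site, user, generate_password() if counts[pw] > 1 else pw)
        for site, user, pw in vault
    ]


if __name__ == "__main__":
    print("reused groups:", find_reuse(SAMPLE_VAULT))
    print("email password shared:", email_password_is_shared(SAMPLE_VAULT, "mail.example.org"))
    print("after remediation:", find_reuse(remediate(SAMPLE_VAULT)))
```

In practice the remediation step is the manual part: each replaced password still has to be changed on the site itself, which is exactly the ‘reset, then let the manager remember it’ workflow the article suggests.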

For more tips on passwords see our article: How do you manage passwords with primary school children?

As we discussed earlier, a username/password combination is an example of One-factor or Single-factor authentication. Given the inherent problems with this, many services are looking more to Two-factor or even Three-factor authentication.

Two-factor authentication - often written as 2FA:
If we think of Single-factor authentication as “Something the user knows”, we can think of Two-factor authentication as Single-factor authentication with the addition of “something the user has”. This may be something like a fob that can generate a code based on a specific context. Think about the card reader you may use to confirm a transfer with your online banking. It could also be an app running on your phone, or the phone itself: have you ever had a service send a text message with a confirmation code that you need to enter into a Web site before you may gain access? PayPal, for instance, uses this method.
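The fob or phone app that “generates a code based on a specific context” most commonly does so from the current time and a secret shared with the service at enrolment, the scheme known as TOTP (RFC 6238, built on the HOTP counter scheme of RFC 4226). The block below is an added example showing both sides of that exchange, not code from the article or from any vendor: the user's device derives a six-digit code, and the service recomputes it to verify, tolerating a little clock drift and comparing in constant time. The secret is the published RFC test secret, used only so the codes are checkable; a real enrolment generates a fresh random secret per user.

```python
"""Two-factor authentication with a time-based one-time code (TOTP, RFC 6238).

Added example, not from the original article. Both halves of the 2FA flow:
the 'something the user has' derives a code from a shared secret and the
time; the service recomputes and compares it.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret. For illustration only: a real
# service issues a fresh random secret (e.g. secrets.token_bytes(20)) per user.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Device side: the counter is the number of `step`-second periods since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, submitted, at=None, step=30, window=1):
    """Service side. Accepts the code for the current period and `window`
    periods either side (clock drift), comparing in constant time so timing
    does not leak how many digits matched."""
    at = time.time() if at is None else at
    counter = int(at // step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), str(submitted)):
            return True
    return False


if __name__ == "__main__":
    code = totp(TEST_SECRET)
    print("code on the device now:", code)
    print("service accepts it:", verify_totp(TEST_SECRET, code))
```

One caveat a service must add on top of this: a code accepted once should not be accepted again within its period (remember the last counter verified for each user), otherwise a code captured over someone's shoulder, or by a phishing page, remains usable for up to 90 seconds with the window above.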

Three-factor authentication (3FA):
This method builds on the previous two. Not only does it want evidence of ‘Knowledge’ (something the user knows) and ‘Possession’ (something the user has), it further requires ‘Inherence’, “Something the user is”. Authorisation is then based not just on possession of specific credentials but also on who is actually presenting them.

Third-factor authentication credentials are all biometric, such as the user’s voice, hand geometry, a fingerprint or a retina scan. We may be aware of smartphones or laptops which use fingerprint or facial recognition to unlock the device; this is the kind of technology that may be used in three-factor authentication.

Strictly speaking it is only 3FA if these biometric methods are used in conjunction with the previous two factors. So although the unlocking of your phone with your fingerprint uses a biometric method, it is not necessarily in itself an example of 3FA.

We will see the higher factors of authentication used more and more often as the arms race between security systems and cyber criminals continues ever onward.

As ever, the advice remains the same. Be sensible, don’t fall into predictable patterns of password usage, and don’t share your security credentials with other people or duplicate them across other services.

Written by Safeguarding Essentials on April 01, 2022 15:41

What’s going on with Facebook?

Facebook has been in the news quite a lot recently: there have been allegations, investigations and corporate reshuffles. In case you have missed things, or have lost track of the story, here are the main points:

Facebook started life in 2004 as a social network app aiming to connect students at Harvard College. The name Facebook referred to the student directories often given to American university students containing student details and a portrait photo: a literal book of faces.

From there it expanded first to use across other US universities and eventually to the general public.

Facebook was the name of the application itself but also of the company that owned and operated it.
Like many tech corporations, Facebook the company grew not just through gaining more users but also through the buying of other tech companies and acquiring their expertise, software, applications and services.
In fact Facebook has acquired in the region of 90 companies since its inception, the most recognisable perhaps being Instagram, WhatsApp and virtual reality company Oculus.
You can find a complete list here, if you are interested in digging further.

Often the technology acquired has been rolled into the main Facebook application, though some of the more stand-alone applications such as Instagram retained their own branding with a small addition that referred to them being owned by Facebook.

While Facebook is a strong brand this all makes sense, but things are changing.

The corporation ‘Facebook’ recently announced it was renaming and rebranding to ‘Meta’.
There are many reasons for a corporation to rebrand; here are perhaps some of the things which have led to this particular decision.

1. Falling adoption

The Facebook application has for some time had a problem attracting younger users; in fact the ‘ageing population’ of the Facebook user base is well documented. I’ll bet if you ask your pupils they’ll tell you Facebook is what their parents or even grandparents use, but it’s not really for them.
Younger people have traditionally been an important driver in the rate of adoption and use of new technologies and so maintaining the ‘Facebook’ branding may well put off younger users from new services if they associate the branding with the activities of their elders.
For this reason, it’s easy to omit Facebook from discussions on online safety within schools, but as we’ve stated, Facebook has its fingers in lots of pies, many of which are very popular with young people. Maybe the rebranding to ‘Meta’ opens up the possibility for discussion, especially when understanding the various applications and how they can share data between them.

Further reading

2. Controversy

Almost since the very start, Facebook has courted controversy. Early on these were often about business practices, intellectual property wrangles or the personal and business relationships of the most well-known founder and figurehead, Mark Zuckerberg. However, there have also been a fair number of accusations and legal actions around things which should concern us more from a safeguarding and online safety standpoint.

There have been numerous privacy issues, including the leaking of data and the corporate use of personal data by third parties. The case of Cambridge Analytica and its use of the personal data of 87 million Facebook users in its political marketing activities is one of the more well-known incidents. You can read more about that here.

In addition, accusations of corporate practices leading to psychological harm, societal instability, tax avoidance, advertising fraud and dissemination of harmful fake news among others have tarnished the Facebook brand.

Recently an internal report showed that the company itself was aware of the potential harm its Instagram service was doing to teenage girls in particular. One slide in the report received a great deal of attention as it appeared to confirm the company knew that one in three teenage girls who had already experienced body-image issues stated that using Instagram made them feel worse. Specifically, the use of filtered images, posting selfies and viewing content with hashtags affected their well-being.

With reference to this and other corporate practices, Facebook whistleblower Frances Haugen recently alleged the social media giant put profit before user safety while answering questions from a UK parliament Joint Committee.

In time it’s likely that the wealth generation aspects of the company will move further away from the Facebook application itself and more towards its other brands and applications and so it makes sense to disassociate these from the Facebook name.

Further reading

3. The Metaverse

In the glitzy event to announce the rebranding of the Facebook corporation to ‘Meta’, Mark Zuckerberg introduced his vision on the ‘Metaverse’ - a social network expanded with virtual reality, augmented reality and 3D spaces which “will let you socialize [sic], learn, collaborate and play in ways that go beyond what we can imagine”.

This ‘vision’ instantly had commentators likening the idea to the concept of the ‘OASIS’ from the novel and movie ‘Ready Player One’, and has led to some speculation, some wild and some more reasoned, as to the potential future of social networking. The primary fear is that Zuckerberg and his colleagues failed to comprehend the dystopian theme of the story, which highlights the dangers of giving up real life for an existence in a corporate-controlled virtual world.

The ‘metaverse’ concept is not new and, like many of the ideas which have propelled Facebook to its position as one of the richest tech companies in the world, was not originated by Mark Zuckerberg or his colleagues. Indeed, platforms such as Second Life have been around since the beginning of the century, but there is something about the current level of reach and adoption of Facebook (now Meta) that suggests we might be in for a major leap in adoption.
Additionally, by naming the company ‘Meta’, the association or even allusion that it somehow ‘owns’ the metaverse is something of a shrewd business move.

Further reading

As ever, it’s not really possible to discuss Facebook/Meta, or indeed social networks in general, and conclude with any certainty as to whether they are a net good or evil. One thing is for certain: there are definitely dangers and problems which we need to ensure people are aware of, and we need to equip ourselves with the abilities to detect, understand and neutralise them, be they privacy concerns, scams or psychological harms.

This article has sought merely to contextualise the current state of Facebook/Meta and we intend to do some deeper dives into some of the areas raised in subsequent articles.

Written by Safeguarding Essentials on December 01, 2021 17:57
