To celebrate the Blu-ray and DVD release of Mr. Robot, leading Government cyber security firm, BNS Cyber, give their top tips to keep safe online and halt hackers in their tracks…
In case you missed the thrilling and captivating Mr. Robot, here is a quick recap. The show focuses on a cyber security engineer by day and vigilante hacker by night, Elliot (Rami Malek) who finds himself at a crossroads when the mysterious leader of an underground hacker group (Christian Slater) recruits him to destroy the firm he’s paid to protect.
However most of us unfortunately don’t possess Elliot’s cyber skills and whether you are the IT Director of a multi-national company responsible for the safekeeping of valuable intellectual property, or a regular Joe who uses the internet for online shopping, personal banking websites and just your general LIFE, the threats from cyber-crime are increasing.
This is because businesses and individuals are more reliant than ever on cyberspace (the internet) to carry out day-to-day tasks.
There is readily available malicious software that hackers can buy from the seedier part of the underground internet world to try and steal this type of information. But the hackers generally sell the passwords and credit card details on criminals. So it’s easy to do, and once a system is compromised (perhaps in hours or days), the data can be stolen at normal internet download rates.
Even the most unskilled hacker can take control of your home machine by getting you to open a corrupted email (spam) or web link – so beware! Individuals can be targeted on a regular basis with spam, in some daily – which is why the tips below are so important!
With large organisations, they will almost certainly be under constant ‘probing’ from hackers with a variety of motivations such as ‘hacktivists’.
On sites like Cybermap, you can filter by country and see there are millions of infected emails alone every month in the UK!
Recently, the media has been rife with examples of successful cyber-attacks against both individuals and companies.
Ryan Collins, a computer hacker from Pennsylvania managed to gain access to over 100 online accounts, including that of 18 celebrities. This included sharing nude images of Jennifer Lawrence and Emma Watson, which the former branded as a ‘sex crime.’ Other celebrities who were targeted by Collins include Scarlett Johansson, Kirsten Dunst, Gabrielle Union, Jessica Alba and Kate Upton.
British telecoms company TalkTalk suffered a massive security breach last year with over 100,000 customer records containing personal details being stolen by cyber-criminals, which can then be used to facilitate identity theft. I have a friend who suffered identity theft, and it isn’t a pleasant story. There were numerous attempts (often successful) to set up credit cards and loans, and six months down the line there is no sign of slowdown.
This attack was almost certainly made possible because of insecure network configuration and other inadequate cyber-security measures. The financial impact through reputational damage (loss of customers and revenue) was estimated by TalkTalk to be in the tens of millions! It turned out that two teenagers were arrested in connection with this cyber-crime, proving that years of criminal experience is not required to damage a large corporate company.
And of course, there was last year’s infamous Ashley Madison extramarital affairs website hack, which stole the personal information of the site’s users and threatened to release names if the site was not shut down. The hackers subsequently released these personal details onto the Dark Net, where they were used for extortion and ‘naming and shaming’ amongst other things, devastatingly leading to reported suicides. Again, these types of attack are only made possible by poor cyber-security controls.
Cyber security also presents ethical challenges for the companies keeping you safe online. Apple and the US Government are currently in a legal battle following a request for Apple to unlock the iPhone of San Bernardino killer, Rizwan Farook. Apple’s security is very good – when an iphone is locked the data is encrypted which means it cannot be read without the correct code or thumbprint of the user to unlock it. This protects information such as credit card details and passwords from hackers and criminals who want to steal it. Apple do not have a ‘master key’ to unlock any iPhone.
The Crux of the legal battle is that the US Department of Justice have demanded Apple write a new piece of software to unlock Rizwan Farook’s iPhone. In an online message to all customers, Apple stated their opposition to this demand on the grounds that it has implications far behind the Rizwan Farook case. Apple argue that creating this new piece of software will create a ‘backdoor’ for cyber-criminals if it falls into the wrong hands, allowing them to routinely steal private information from iPhones. A ‘master key’ no less.
To be clear, Apple complies with FBI subpoenas and search warrants (including the San Bernadino case) and has also made Apple engineers available to advise the FBI. And Apple makes clear in their message to users that it condemns this deadly act of terrorism. Their argument is that this request puts millions of users worldwide at risk from cyber-crime. Who is going to win the battle? Watch this space…
Now for some top tips to reduce the likelihood of being a victim of a Mr.Robot-esque cyber attack!
Individuals
1) Behaviour: The most common cyber-attacks exploit user behaviour. This is done be enticing you to click-on or open something that contains malicious software (such as ransomware), or directs you to a website that contains malicious software.
Do not open emails or email attachments that are ‘too good to be true’ or ask you to reveal sensitive details – reputable organisations will not ask you to do this. Do not open websites or website links that are not for a reputable organisation, or where you have reason to be suspicious. Also be careful using social media. For example, setting your online status to ‘on holiday for 2 weeks’ and sharing this to a wide audience is useful information to a local house-burglar. All a small-time hacker need to do is follow you on social media, and then they can work out the rest!
I know of someone who set their social media status to ‘on holiday’ and among his hobbies was listed ‘cycle racing’ – he promptly had a follower break into his home and steal his £3000+ bike when he was away!
2) Passwords: Use strong passwords for web sites where you submit credit card details or store sensitive information (such as email). Use a different password for each of these web sites to limit the damage a cyber-attacker can do. For help choosing and remembering passwords, visit https://www.cyberstreetwise.com/passwords.
If you use a weak password then this can be easily guessed by a hacker. One 2015 survey found for several million passwords for cloud services that are for sale on the Darknet, 10% of users employ the 20 most popular passwords. That means with fewer than 20 tries, anyone could login to roughly 1 out of 10 accounts today. And the top 3 of these 20 most popular passwords are 123456, password, and 12345!
3) Patching: ensure all software security updates are installed as they become available. This reduces the vulnerabilities available for a cyber-criminal to exploit.
4) Operating System: Modern operating systems such as Microsoft Windows and Apple iOS are designed with security in mind, and come relatively secure out-of-the-box. Keeping this secure configuration will limit the damage a cyber-criminal can do.
In terms of operating systems – the newer the better!
The latest Microsoft operating systems are very much designed with security in mind, but Windows 95 and before not so much. And remember, Windows XP is now out of support for security patches so will be very vulnerable if you don’t have a custom support arrangement in place.
5) Internet Security Software: Install anti-virus software that includes regular updates to detect new malicious software, and has internet security controls built-in. This ensures if a malicious email or unsafe website is opened, the anti-virus software will prevent it causing harm.
The majority of successful attacks on individuals will be against computers with out of date Anti-Virus software and security patches. Having this in place means the hacker has to be more capable and develop an attack against an unknown vulnerability – referred to as ‘zero-day’ attack.
The latest Apple and Microsoft operating systems are very good if configured correctly. Apple appears so good that they cannot even access files on their own operating system on behalf of law enforcement agencies (joke)!
6) User Access Control: A simple step but often overlooked – only use an account with Normal User privileges for day to day working. Malicious software often runs in the context of the logged-on user, so do not routinely use an Administrator account which will increase potential harm.
Where possible, you should create a separate account for each computer user, and make sure they are not ‘administrators’. This will stop the hacker being able to take complete control of your computer in most cases.
7) Children’s Safety: Children are vulnerable to a wide variety of online threats. Some of these can be countered by your Internet Service Provider or Internet security software to limit the types of content that children can view. Advice to counter other threats such as bullying and inappropriate contact can be found at www.nspcc.org.uk.
Companies
Companies should consider all of the steps above to protect themselves online.
Additionally, other security protection is needed such as changing default passwords for network devices, implementing Firewalls and Intrusion Protection Devices to secure the company’s perimeter against malicious code.
Another good route is Data Leak Prevention devices to prevent sensitive information leaving the company’s network, and VPN tunnels (encrypted communications channels across the internet) which enable mobile workers to access the company’s network.
A good place to start is www.cyberstreetwise.com/cyberessentials, a Government-backed and industry supported scheme to guide businesses in basic protection against cyber threats. Ultimately, the size and complexity of a company’s IT systems, the type of work it conducts in cyberspace, and the threats it faces will determine the specific protection required, and this often requires expert, specialist advice.
Now you have the know-how, you’ll need never be caught out by cyber hackers again. But if you really want to see how it’s done, you can re-watch Elliot and Mr. Robot in Season One of Mr. Robot on Blu-ray and DVD from 11th April.
Mr. Robot is available on Blu-ray™ and DVD on 11th April 2016 courtesy of Universal Pictures (UK).
