Use strong passwords and install antivirus, mmkay? UK.gov pushes awareness campaign

The UK government has launched a new campaign aimed at changing attitudes to online security among consumers and small businesses, dubbed Cyber Streetwise. Cyber Streetwise is urging people to take five actions in order to protect themselves and others from cyber crime: Use strong, memorable passwords Install anti-virus …

COMMENTS

This topic is closed for new posts.
  1. Rono666

    Rolling of eyes

    Eggs, grandma teach and suck come to mind, but not in that order.

    1. This post has been deleted by its author

      1. Crisp

        Re: Grandma come to teach mind, and suck eggs?

        And she's all out of eggs.

    2. NightFox

      Re: Rolling of eyes

      But this isn't really aimed at the typical Reg reader is it? This might be "noddy" stuff, but if all my friends and relatives actually understood and followed it I'd have a lot less of my life wasted cleaning up their infected laptops and explaining why they keep getting all these rude emails and need to cancel their credit card.

      1. Anonymous Custard

        Re: Rolling of eyes

        Given the periodic stories that turn up in the news media, it's also "do as we say, not do as we do".

        Although to be fair the list should be extended to add encryption of sensitive data (or storing it in a suitable place which is safe and under your control) and not leaving devices in compromised positions (such as laptops and phones left in taxis or on Starbucks tables unattended to be nicked).

        And it comes within two articles in the main page of an article about WinXP and HMRC/govt and hacking/security after the end of XP support...

      2. Ian McNee

        Re: Rolling of eyes

        @NightFox: indeed - except the site fails at the usual password hurdle of confusing complex (i.e. unmemorable) passwords with strong passwords. Hence the password checker states that single words that include a number and a capital like Gr4ndmas is good whereas a multiword password like "eggs grandma teach and suck" (thanks Rono666) is weak.

        So with this advice we end up with important things like online banking sites requiring complex unmemorable passwords which leads to users creating relatively short (machine-crackable) passwords and re-using them on multiple sites. Password safes I hear you say? Good advice but how many non-geeks do you know that use password safes?

      3. John Smith 19 Gold badge

        @NightFox

        "But this isn't really aimed at the typical Reg reader is it? This might be "noddy" stuff, but if all my friends and relatives actually understood and followed it I'd have a lot less of my life wasted cleaning up their infected laptops and explaining why they keep getting all these rude emails and need to cancel their credit card"

        Correct.

        I like the fact it does not require a) Squillions of £ of advertising and b) Several new laws and a Statutory Instrument (the Dark Lord's favorite device) to implement.

        People see the Mission Impossible antics but 99% of the time it's the simple (stupid) stuff that's not done that f**ks most people up.

  2. jason 7

    Sounds like ...

    ....Getting Cool With Kids or whatever.

    Getting hit by a virus etc. is like broken windscreens. You can go years and years without one and then get two in as many weeks.

    1. Roland6 Silver badge

      Re: Sounds like ...

      >Getting hit by a virus etc. is like broken windscreens.

      But unlike a broken windscreen, get a virus and the repair and cleanup is nowhere near as quick and simple.

  3. william 10

    What is the point, the security service (with the help from their so-called overseas friends) are ensuring that all systems are hackable, providing this information to the Americans who then broadcast this to the world either via virus/worms or making the documentation available via contractors like Snowden.

    Maybe help provide something secure first before we go down the Eggs & Grandma route.

  4. Anonymous Coward

    I'm torn

    Torn between applauding the government for finally trying to educate the population in these matters and laughing at the totally childish approach taken. I imagine a lot will be put off by the impression that it was designed for Tellytubbies viewers.

    6/10 for trying, I think.

    One note: under "Keep your devices safe and up-to-date" no advice is offered for Linux users. Are we to assume that Linux is problem-free? Or doesn't it exist to these people?

    1. Anonymous Coward

      Re: "no advice is offered for Linux"

      (a) The sort of person who needs this advice won't have installed Linux, and if they are using it chances are someone competent set it up for them.

      (b) Assuming (a), then the system will have all applications installed via the package manager, and that will be set to auto-update which mitigates a large proportion of problems.

      (c) As a small percentage of desktop use, Linux gets far, far fewer attacks anyway via the phishing/web-malware route. Linux may have other serious annoyances, but that is not a common one...

      1. Anonymous Coward

        @AC - Re: "no advice is offered for Linux"

        All good points. Maybe they thought that going for completeness by mentioning Linux would overcomplicate things for no real gain.

        That said, it could be taken as implying that Linux is totally safe (not true, of course).

        1. Hans 1

          Re: @AC - "no advice is offered for Linux"

          >That said, it could be taken as implying that Linux is totally safe (not true, of course).

          Indeed, not "totally" ... Every week, Windows sees more new malware than GNU/Linux has managed to collect over the last two decades ... and it is only slightly worse for Mac OS X.

          I am not saying there are no security issues in GNU/Linux, just that nobody seems to write shit to take advantage of them.

          On the other hand one thing that needs to happen is OEM versions of anti-virus software must vanish - they are the single worst source of problems. When after a month they expire, hardly anybody renews them. What happens next is that people either ignore the messages or install some other anti-virus software alongside the expired OEM version ...

          I used to install Avast on Windows boxen I would repair, but they require you to re-register every year, which people tend to forget to do ... now I go with Security Essentials, which is better than nothing and certainly better than an expired Avast.

          1. Anonymous Coward

            @Hans 1 - Re: @AC - "no advice is offered for Linux"

            I fully endorse your sentiments on the use of 3rd party security products, especially the point about lapsing registration - I have the same experiences.

            The inherent weaknesses of the OSs are a major reason why public education is needed. At the same time, they are a reason why such education will probably prove futile.

    2. bean520

      Re: I'm torn

      "Torn between applauding the government for finally trying to educate the population in these matters and laughing at the totally childish approach taken"

      You have to understand this is information to be understood by even the thickest Daily Fail reader. It's to step those people in the right direction, not for us Reg readers that (should) know better. In this regard, this simplistic approach does what it is designed to do.

  5. Joe Harrison

    Cyber-lol

    Definition: cyber (ˈsʌɪbə) : adjective

    "To undermine one's own credibility or indicate a lack of IT understanding (esp. security)"

  6. Buzzword

    Not just online

    "if an offer looks too good to be true, it probably is"

    That's a lesson that applies just as much in the real world.

  7. Haku

    Leeloo Dallas Multipass

    Guys over on hackaday.com are in the process of creating a rather interesting open source USB device they're dubbing the 'Mooltipass', which will act as a password wallet that can automatically enter in the password of your choosing.

    Handy if you have many passwords to try and remember and want to keep them long with random characters.

    I look forward to seeing the final outcome of the project.

    1. Anonymous Coward

      Re: Leeloo Dallas Multipass

      KeePass have been there and worn out the T-shirt already.

      1. David Webb

        Re: Leeloo Dallas Multipass

        KeePass is what I'm using, due to that...

        •Use strong, memorable passwords

        is a moot point, I have no idea what my facebook password is, and even if I did I couldn't actually type it out! It's something along the lines of:

        Îe.qînhóÏ@ÅÝ©Ê"¬æÈÁEt¡ÏÓq£¡h¼¡÷Ñw;ê|èø=I

        Totally memorable, naturally only works on websites that accept any character and not the usual "numbers and letters only please", or worse, websites which don't let you paste your password into the "confirm your password" box so you have to have a weaker password.

  8. wyatt

    The first problem I have when I get to the site is the message 'JavaScript is disabled'.. yes it is, for security?! Fail already.

    1. Anonymous Coward

      Re: JavaScript

      On the other hand, there are some good security things you can do with JavaScript. For example, you could run crypto algorithms implemented in JavaScript on the browser and authenticate yourself without revealing your secret key to the server.

  9. Katie Saucey

    Yeah Nanny States!

    "The UK government has launched a new campaign aimed at changing attitudes to online security among consumers and small businesses, dubbed Cyber Streetwise."

    Huh, being the UK and all, I figured they would have passed legislation (based on one horror story) called 'Cyber Streetwise', then prosecuted those who did not comply. That said, here in Canada things are not much better.

  10. ukgnome

    I don't mind education on this

    I just hope the government heed their own advice. Although I doubt it.

  11. Anonymous Coward

    Perhaps a standard of suitable password options should be enforced because of the times I have had to use a weak(er) password as some sites won't allow special chr$. If you want us to use strong passwords then don't limit those passwords to letters and numbers only.

    1. Anonymous Coward

      Standard for passwords

      Yes! It really annoys me that some systems insist on you including certain characters, while others won't let you include certain characters, etc, etc. It would perhaps be useful if the government or some standards organisation could officially advise as follows:

      By all means warn users if a password appears to be weak, but allow any password consisting of 1-32 printable ASCII characters. (This is because I am sick of having strong random passwords rejected when they happen to contain three instances of the same letter or something stupid like that. Forcing people to include a digit, or whatever, just makes them add "1" to the end or replace "o" with "0" or something similar that adds almost nothing to security. A warning is more likely to have a good influence on user behaviour, in my opinion, than enforcing a stupid rule.)

      Calculate a salted hash of the entire password (rather than ignoring any characters after the first 8, which lots of systems seem to do, amazingly).

      Also, see: https://xkcd.com/936/
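The policy this post proposes (accept any 1-32 printable ASCII characters, warn on weakness instead of rejecting, salt-hash the whole password) beside the "first 8 characters only" failure mode that this thread keeps coming back to, as an added example that is not part of the original comments. The weak-password deny-list, the 12-character warning threshold and the PBKDF2 work factor are constructed for the demo.

```python
import hashlib
import hmac
import os
import string

# Policy constants for the demo (assumed values, not from the thread).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
MAX_LEN = 32
WARN_BELOW = 12
COMMON = {"password", "letmein", "123456"}  # constructed tiny deny-list
ROUNDS = 100_000  # PBKDF2 work factor, chosen for the demo


def validate(password):
    """Return (accepted, warnings).

    Only length and character set are hard rules; everything else is a warning,
    so 'correct horse battery staple' and a random 32-char string both pass.
    """
    if not 1 <= len(password) <= MAX_LEN:
        return False, ["length must be 1-%d characters" % MAX_LEN]
    if any(ch not in PRINTABLE for ch in password):
        return False, ["only printable ASCII is allowed"]
    warnings = []
    if len(password) < WARN_BELOW:
        warnings.append("short: consider a longer passphrase")
    if password.lower() in COMMON:
        warnings.append("very common password")
    return True, warnings


def hash_full(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 over the *entire* password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return salt, digest


def verify_full(password, salt, digest):
    return hmac.compare_digest(hash_full(password, salt)[1], digest)


def hash_truncated(password, salt=None):
    """The legacy behaviour the thread complains about: only the first
    8 characters contribute, so longer passphrases silently collapse."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password[:8].encode(), salt, ROUNDS)
    return salt, digest


def verify_truncated(password, salt, digest):
    return hmac.compare_digest(hash_truncated(password, salt)[1], digest)


def truncation_collision(stored_password, attempt):
    """True if `attempt` verifies against a truncated hash of `stored_password`
    even though it is not the same password."""
    salt, digest = hash_truncated(stored_password)
    return attempt != stored_password and verify_truncated(attempt, salt, digest)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(validate(pw), validate("Gr4ndmas"), validate("a" * 40))
    # Same first 8 characters ("correct "), so the truncated scheme accepts it.
    print("truncated scheme fooled:", truncation_collision(pw, "correct horse"))
    salt, d = hash_full(pw)
    print("full scheme fooled:", verify_full("correct horse", salt, d))
```

Both schemes use the same KDF; the only difference is whether the password is cut to eight characters first, which is exactly why a user "typing too many characters" later fails against a system that stored the truncated form.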

      1. Roland6 Silver badge

        Re: Standard for passwords

        Good points, but your reference to the xkcd.com/936/ cartoon draws attention to an obvious failing of the government website - its failure to use humour!

        Yes it uses nice animations, but just tells you for example how to improve your password. However the xkcd.com/936/ cartoon uses humour to tell you both what a secure password is and what it could actually look like.

      2. Anonymous Coward

        Re: Standard for passwords

        "rather than ignoring any characters after the first 8, which lots of systems seem to do, amazingly"

        My own favourite was a UK public body whose accounting system gateway for suppliers required (in 2013) a password that was "at least 1 character long, but no more than 8". Oh dear, oh dear.

        (Anon because I'm still working for them.)

        1. John G Imrie

          Re: Standard for passwords

          So they were using the Unix crypt function then.

    2. VinceH

      "Perhaps a standard of suitable password options should be enforced because of the times I have had to use a weak(er) password as some sites won't allow special chr$. If you want us to use strong passwords then don't limit those passwords to letters and numbers only."

      Only a week or so ago I encountered a badly designed system that not only put stupid restrictions on passwords, but didn't check the validity of those passwords properly and, in some circumstances, would let the user carry on as though a password had been accepted when in fact it hadn't.

      (Also: A massive three choices of security question. Wow.)

  12. Arachnoid

    – CyberStreetwise.com –

    Waits for news that someone hacked in and replaced the Java-based header with a virus dropper..........

  13. Scott Broukell

    [quote] "always ensuring to check online retail sites are secure" - Presumably this makes Mrs. Potter of number 92 'The Willows' a world-class penetration tester?

    1. Anonymous Coward

      Only when her husband is at work.

  14. This Side Up

    "Use strong, memorable passwords"

    If ever there was an oxymoron!

  15. Crisp

    Use strong, memorable passwords

    As soon as developers start building systems that will accept something like "Correct Horse Battery Staple" as a strong password, I will!

    1. Anonymous Coward 101

      Re: Use strong, memorable passwords

      "Use strong, memorable passwords" doesn't withstand the reality of using the internet for more than five minutes. Instead, the government should recommend the use of password lockers like KeePass, which is a far superior technique for password management.

      1. Anonymous Coward

        Re: Use strong, memorable passwords

        Two issues I see with password lockers.

        1. If you're very forgetful (as I am), if you forget your password locker password, then you're stuffed.

        2. What if the password locker gets hacked?

        1. Jonathan 29

          Re: Use strong, memorable passwords

          You can always write your password locker password down on paper and keep it in a file. It is still more secure than reusing passwords or using memorable passwords. If you get burgled, just change it.

          If LastPass or 1Password get hacked and expose user details it is their entire business down the toilet, so I am inclined to believe them when they say that only you can expose your data. I still won't put everything in it, but you can also add a multi-factor authenticator to beef up your login password.

    2. Roland6 Silver badge

      Re: Use strong, memorable passwords

      >As soon as developers start building systems that will accept something like "Correct Horse Battery Staple" as a strong password, I will!

      Trouble is that some developers/sites do; however what they don't tell you is that they have only accepted the first n characters of your password (typically 8) and so when you try and use your strong password it will fail as you have typed too many characters...

      But the real problem is that many passwords are tied to a person's email address (a subject that has been discussed before on these forums) ...

    3. Anonymous Coward

      Correct-Horse-Battery-Staple

      Is accepted by most password regimes. Just pick a special character to use as a space.

  16. David Pollard

    Is Trusteer Rapport any good?

    In the section on online banking, Cyber Street's first recommendation is to "Sign up to security software provided by your bank, such as Trusteer Rapport". Just a few months ago Reg readers seemed to suggest this may not be all that good.

    http://forums.theregister.co.uk/forum/1/2013/08/06/trusteer_pushes_updates_after_cybercrook_brew_up_browser_lockdown_exploit/

    My only experience of it is from sorting out a pc which was seriously snarled. Can other readers comment?

    1. Roland6 Silver badge

      Re: Is Trusteer Rapport any good?

      I've tended to avoid it because in general it seems you need the version provided by your bank - which is a problem if you use multiple banks... Also it did get a poor reputation as once installed it was very difficult to remove which was an issue if it conflicted with previously installed software (although Trusteer have become more public about such matters).

      I've used instead third-party browser security products that can be used across multiple websites but unfortunately require configuring by a knowledgeable user.

      Specific products I've used: Prevx SafeOnline (now part of Webroot) which was also provided by some banks and for several years was available as a free download from Facebook (it also protected against a number of live banking exploits that Trusteer Rapport didn't...). Kaspersky Internet Security - Barclays provided this free to their online customers for several years, but annual re-registration was required; also Barclays provide no information on how to configure KIS to enable it to fully secure their internet banking...

      Another good tool is Zemana AntiLogger, however the challenge I've found with targeted security products is ensuring they play nicely with more general security products, both on initial install and after subsequent auto-updates...

      So I can understand why Cyber Street would effectively recommend "Joe Public" users download the (hopefully) preconfigured security software from their bank. Also with the banks effectively backing Trusteer, there is an incentive to ensure it does work with third-party security software and that third-party security developers include it in their DBs of 'safe' applications.

  17. Boris the Cockroach Silver badge

    Perhaps

    the government would be better off starting with a campaign aimed at the civil service first.... you know something simple like "DO NOT LEAVE YOUR UNSECURED LAPTOP ON THE F***ING BUS AGAIN!"

  18. Marvin O'Gravel Balloon Face

    Another waste of [our] money.

  19. teebie

    "cyber streetwise"

    Who came up with that name? Are they hiring funky vicars for PR duties now?

  20. Anonymous Coward

    PRISM?

    What would Edward Snowden do?

  21. pacman7de

    Sign up to security software ..

    "Sign up to security software provided by your bank, such as Trusteer Rapport

    "You can download Rapport from the following locations: PC users: http://download.trusteer.com/U3uxFr8Ib/RapportSetup.exe"

    https://www.trusteer.com/download-trusteer-rapport

    So, I have to download and install an executable in order to keep my 'computer` safe?

  22. Anonymous Coward

    dot com

    Why on earth is it a .com address?

    It should be .gov.uk. My internal alarm bells go berserk when a URL looks wrong and a UK Govt related/sponsored/whatever website with .com on the end looks wrong.

    Cheers

    Jon

    1. J.G.Harston Silver badge

      Re: dot com

      Exactly, that is inviting fraud. I've already posted on The Guardian saying that anybody who thinks a website without a .gov.uk address is the HMRC deserves to get all their money stolen as a stupidity fine, so here we have the government actively promoting scammers' activities.

      1. J.G.Harston Silver badge

        Re: dot com

        Complaint sent to the dev/null that is the Home Office.

  23. J.G.Harston Silver badge

    Use strong, memorable passwords

    Advised by the very government that has websites that point blank absolutely refuse to allow you to do this.

    The Universal JobMatch site is a case in point. It goes out of its way to physically prevent you using it. Who the hell needs a password to browse JOB ADVERTS for glod's sake? And groin-punchingly-stupid validation rules, must have this, must have that, must be unrememberable, must be impossible to type. If I can't set my password to dick horse battery compound then f*** off and fix your f***g website.

    Almost on a par with Sheffield University's online job application system.

  24. Primus Secundus Tertius

    No Admin Users

    They omit to point out one very useful practice:

    * Be a pleb user, not an administrative user.

  25. wolfetone Silver badge

    Campaign conducted by idiots

    My 63 year old mother, who has never used a computer in her life (nor does she want to, or need to) never refers to the Internet as "cyber" anything. It's the Internet. Even she knows that, and she left school when she was 11 (as was the standard back in the days of 1950's Ireland).

  26. Disgruntled of TW

    How does a user "check" a website is secure?

    Surely not by clicking on the green SSL certificate? We all know how that can end nowadays.

    Because users with weak passwords understand PKI and certificate authority trust chains.

    Well intention'd, but I shiver at the money they are spending on the campaign. Bit like their ludicrous approach to broadband (BDUK) and giving £1.2b to BT. That'll end well.

  27. Matheus

    They forgot the most important from the list:

    USE LINUX. USE........ L.I.N.U.X------------> save money+have stable, secure operation system. Believing in Windows is like believing in Stalinism.

  28. Zacherynuk

    I can't imagine anybody this information applies to either finding it or understanding it.

    KeePass is good, but for Joe Average LastPass is probably more likely.

    Linux is not the end game - we are not just worried about fly-by infections, we are worried more about willing social engineering - doesn't matter how your gran accesses the internet, if she is asked to enter details on a false shopping site she will. This is what the Cameron porn blockade should have done - ISP level warnings on known scum (warning only, no block).

    http://www.wastedspace.co.uk/b3ta/ANanoMoose.gif

  29. Pookietoo

    OMG it's MSFT Bob back from the dead

    See title.

  30. colinvj

    maybe no alternative

    I think that the banks that provide Rapport may insist that if you don't use the offered software, then any breaches in security will be your responsibility; we all know banks look for any way of avoiding responsibility for any losses. Let's hope not, but it's a strong possibility regardless of its suitability or effectiveness.

  31. RamblingRant

    Quick review of this site for you good folks... with advice on KeePass & IdentitySafe.

    http://ramblingrant.co.uk/2014/01/17/cyberstreetwise-com-really-bad-infosec-advice/
