back to article Use strong passwords and install antivirus, mmkay? UK.gov pushes awareness campaign

The UK government has launched a new campaign aimed at changing attitudes to online security among consumers and small businesses, dubbed Cyber Streetwise. Cyber Streetwise is urging people to take five actions in order to protect themselves and others from cyber crime: Use strong, memorable passwords Install anti-virus …

COMMENTS

This topic is closed for new posts.
  1. Rono666

    Rolling of eyes

    Eggs, grandma teach and suck come to mind, but not in that order.

    1. Def Silver badge

      Re: Rolling of eyes

      Grandma come to teach mind, and suck eggs?

      1. Crisp Silver badge

        Re: Grandma come to teach mind, and suck eggs?

        And she's all out of eggs.

    2. NightFox

      Re: Rolling of eyes

      But this isn't really aimed at the typical Reg reader is it? This might be "noddy" stuff, but if all my friends and relatives actually understood and followed it I'd have a lot less of my life wasted cleaning up their infected laptops and explaining why they keep getting all these rude emails and need to cancel their credit card

      1. Anonymous Custard Silver badge

        Re: Rolling of eyes

        Given the periodic stories that turn up in the news media, it's also "do as we say, not do as we do".

        Although to be fair the list should be extended to add encryption of sensitive data (or storing it in a suitable place which is safe and under your control) and not leaving devices in compromised positions (such as laptops and phones left in taxis or on Starbucks tables unattended to be nicked).

        And it comes within two articles in the main page of an article about WinXP and HMRC/govt and hacking/security after the end of XP support...

      2. Ian McNee

        Re: Rolling of eyes

        @NightFox: indeed - except the site fails at the usual password hurdle of confusing complex (i.e. unmemorable) passwords with strong passwords. Hence the password checker states that single words that include a number and a capital like Gr4ndmas is good whereas a multiword password like "eggs grandma teach and suck" (thanks Rono666) is weak.

        So with this advice we end up with important things like online banking sites requiring complex unmemorable passwords which leads to users creating relatively short (machine-crackable) passwords and re-using them on multiple sites. Password safes I hear you say? Good advice but how many non-geeks do you know that use password safes?

      3. John Smith 19 Gold badge
        Unhappy

        @NightFox

        "But this isn't really aimed at the typical Reg reader is it? This might be "noddy" stuff, but if all my friends and relatives actually understood and followed it I'd have a lot less of my life wasted cleaning up their infected laptops and explaining why they keep getting all these rude emails and need to cancel their credit card"

        Correct.

        I like the fact it does not require a)Squillions of £ of advertising and b) Several new laws and a Statutory Instrument (the Dark Lords favorite device) to implement.

        People see the Mission Impossible antics but 99%of the time it's the simple (stupid) stuff that's not done that f**ks most people up.

  2. jason 7

    Sounds like ...

    ....Getting Cool With Kids or whatever.

    Getting hit by a virus etc. is like broken windscreens. You can go years and years without one and then get two in as many weeks.

    1. Roland6 Silver badge

      Re: Sounds like ...

      >Getting hit by a virus etc. is like broken windscreens.

      But unlike a broken windscreen, get a virus and the repair and cleanup is no where near as quick and simple.

  3. william 10

    What is the point, the security service(with the help from their so called oversea friends) are ensuring that all systems are hackable, providing this information to the Americans who then broadcast this to the world either via virus/worms or making the documentation available via contractors like Snowdon.

    May-be help provide some thing secure first before we go down the Eggs & Grandma route.

  4. Anonymous Coward
    Meh

    I'm torn

    Torn between applauding the government for finally trying to educate the population in these matters and laughing at the totally childish approach taken. I imagine a lot will be put off by the impression that it was designed for Tellytubbies viewers.

    6/10 for trying, I think.

    One note : under "Keep your devices safe and up-to-date" no advice is offered for Linux users. Are we to assume that Linux is problem-free? Or doesn't it exist to these people?

    1. Anonymous Coward
      Anonymous Coward

      Re: "no advice is offered for Linux"

      (a) The sort of person who needs this advice won't have installed Linux, and if they are using it chances are someone competent set it up for them.

      (b) Assuming (a), then the system will have all applications installed via the package manager, and that will be set to auto-update which mitigates a large proportion of problems.

      (c) As a small percentage of desktop use, Linux gets far, far, less attacks anyway via the phishing/web-malware route. Linux may have other serious annoyances, but that is not a common one...

      1. Anonymous Coward
        Anonymous Coward

        @AC - Re: "no advice is offered for Linux"

        All good points. Maybe they thought that going for completeness by mentioning Linux would overcomplicate things for no real gain.

        That said, it could be taken as implying that Linux is totally safe (not true, of course).

        1. Hans 1 Silver badge

          Re: @AC - "no advice is offered for Linux"

          >That said, it could be taken as implying that Linux is totally safe (not true, of course).

          Indeed, not "totally" ... Every week, Windows sees more new malware than GNU/Linux has managed to collect over the last two decades ... and it is only slightly worse for Mac OS X.

          I am not saying there are no security issues in GNU/Linux, just that nobody seems to write shit to take advantage of them.

          On the other hand one thing that needs to happen is OEM versions of anti virus software must vanish - they are the single worst source of problems. When after a month they expire, hardly anybody renews them. What happens next is that ppl either ignore the messages or install some other anti virus software alongside the expired OEM version ...

          I used to install Avast on windows boxen I would repair, but they require you to re-register every year, which ppl tend to forget to do ... now I go with Security Essentials, which is better than nothing and certainly better than an expired Avast.

          1. Anonymous Coward
            Anonymous Coward

            @Hans 1 - Re: @AC - "no advice is offered for Linux"

            I fully endorse your sentiments on the use of 3rd party security products, especially the point about lapsing registration - I have the same experiences.

            The inherent weaknesses of the OSs are a major reason why public education is needed. At the same time, they are a reason why such education will probably prove futile.

    2. bean520
      Thumb Up

      Re: I'm torn

      "Torn between applauding the government for finally trying to educate the population in these matters and laughing at the totally childish approach taken"

      You have to understand this is information to be understood by even the thickest Daily Fail reader. It's to step those people in the right direction, not for us Reg readers that (should) know better. In this regard, this simplistic approach does what it is designed to do

  5. Joe Harrison Silver badge

    Cyber-lol

    Definition: cyber (ˈsʌɪbə) : adjective

    "To undermine one's own credibility or indicate a lack of IT understanding (esp. security)"

  6. Buzzword

    Not just online

    "if an offer looks too good to be true, it probably is"

    That's a lesson that applies just as much in the real world.

  7. Haku

    Leeloo Dallas Multipass

    Guys over on hackaday.com are in the process of creating a rather interesting open source USB device they're dubbing the 'Mooltipass', which will act as a password wallet that can automatically enter in the password of your choosing.

    Handy if you have many passwords to try and remember and want to keep them long with random characters.

    I look forward to seeing the final outcome of the project.

    1. Anonymous Coward
      Anonymous Coward

      Re: Leeloo Dallas Multipass

      KeePass have been there and worn out the T shirt already

      1. David Webb

        Re: Leeloo Dallas Multipass

        KeePass is what I'm using, due to that...

        •Use strong, memorable passwords

        is a moot point, I have no idea what my facebook password is, and even if I did I couldn't actually type it out! It's something along the lines of:

        Îe.qînhóÏ@ÅÝ©Ê"¬æÈÁEt¡ÏÓq£¡h¼¡÷Ñw;ê|èø=I

        Totally memorable, naturally only works on websites that accept any character and not the usual "numbers and letters only please", or worse, websites which don't let you paste your password into the "confirm your password" box so you have to have a weaker password.

  8. wyatt

    The first problem I have when I get to the site is the message 'Java script is disabled'.. yes it is for security?! Fail already.

    1. Anonymous Coward
      Anonymous Coward

      Re: JavaScript

      On the other hand, there are some good security things you can do with JavaScript. For example, you could run crypto algorithms implemented in JavaScript on the browser and authenticate yourself without revealing your secret key to the server.

  9. Katie Saucey

    Yeah Nanny States!

    "The UK government has launched a new campaign aimed at changing attitudes to online security among consumers and small businesses, dubbed Cyber Streetwise."

    Huh, being the UK and all, I figured they would have passed legislation (based on one horror story) called 'Cyber Streetwise', then prosecuted those who did not comply. That said, here in Canada things are not much better.

  10. ukgnome Silver badge

    I don't mind education on this

    I just hope the government heed their own advice. Although I doubt it.

  11. Anonymous Coward
    Anonymous Coward

    Perhaps a standard of suitable password options should be enforced because the times i have had to use a weak(er) password as some sites wont allow special chr$. If you want us to use strong password then don't limit those password to letters and numbers only.

    1. Anonymous Coward
      Anonymous Coward

      Standard for passwords

      Yes! It really annoys me that some systems insist on you including certain characters, while others won't let you include certain characters, etc, etc. It would perhaps be useful if the government or some standards organisation could officially advise as follows:

      By all means warn users if a password appears to be weak, but allow any password consisting of 1-32 printable ASCII characters. (This is because I am sick of having strong random passwords rejected when they happen to contain three instances of the same letter or something stupid like that. Forcing people to include a digit, or whatever, just makes them add "1" to the end or replace "o" with "0" or something similar that adds almost nothing to security. A warning is more likely to have a good influence on user behaviour, in my opinion, than enforcing a stupid rule.)

      Calculate a salted hash of the entire password (rather than ignoring any characters after the first 8, which lots of systems seem to do, amazingly).

      Also, see: https://xkcd.com/936/

      1. Roland6 Silver badge

        Re: Standard for passwords

        Good points, but your reference to the xkcd.com/936/ cartoon, draws attention to an obvious failing of the government website - it's failure to use humour!

        Yes it uses nice animations, but just tells you for example how to improve your password. However the xkcd.com/936/ cartoon uses humour to tell you both what a secure password is and what it could actually look like.

      2. Anonymous Coward
        Anonymous Coward

        Re: Standard for passwords

        "rather than ignoring any characters after the first 8, which lots of systems seem to do, amazingly"

        My own favourite was a UK public body whose accounting system gateway for suppliers required (in 2013) a password that was "at least 1 character long, but no more than 8". Oh dear, oh dear.

        (Anon because I'm still working for them.)

        1. John G Imrie Silver badge

          Re: Standard for passwords

          So they where using the Unix crypt function then

    2. VinceH Silver badge

      "Perhaps a standard of suitable password options should be enforced because the times i have had to use a weak(er) password as some sites wont allow special chr$. If you want us to use strong password then don't limit those password to letters and numbers only."

      Only a week or so ago I encountered a badly designed system that not only put stupid restrictions on passwords, but didn't check the validity of those passwords properly and, in some circumstances, would let the user carry on as though a password had been accepted when in fact it hadn't.

      (Also: A massive three choices of security question. Wow.)

  12. Arachnoid

    – CyberStreetwise.com –

    Waits for news that someone hacked in and replaced the java based header with a virus dropper..........

  13. Scott Broukell
    Meh

    [quote] "always ensuring to check online retail sites are secure" - Presumably this makes Mrs. Potter of number 92 'The Willows' a world-class penetration tester?

    1. Anonymous Coward
      Anonymous Coward

      Only when her husband is at work.

  14. This Side Up
    Stop

    "Use strong, memorable passwords"

    If ever there was an oxymoron!

  15. Crisp Silver badge

    Use strong, memorable passwords

    As soon as developers start building systems that will accept something like "Correct Horse Battery Staple" as a strong password, I will!

    1. Anonymous Coward 101

      Re: Use strong, memorable passwords

      "Use strong, memorable passwords" doesn't withstand the reality of using the internet for more than five minutes. Instead, the government should recommend the use of password lockers like Keepass which is a far superior technique for password management.

      1. Anonymous Coward
        Anonymous Coward

        Re: Use strong, memorable passwords

        2 issues i see with password lockers.

        1. If your very forgetful, (as i am) if you forget your password locker password, then you're stuffed.

        2. What if the password locker gets hacked?

        1. Jonathan 29

          Re: Use strong, memorable passwords

          You can always write your password locker password down on paper and keep it in a file. It is still more secure than reusing passwords or using memorable passwords.. If you get burgled, just change it.

          If lastpassword of 1password get hacked and expose user details it is their entire business down the toilet, so I am inclined to believe them when they say that only you can expose your data. I still won't put everything in it, but you can also add a multi factor authenticator to beef up your login password.

    2. Roland6 Silver badge

      Re: Use strong, memorable passwords

      >As soon as developers start building systems that will accept something like "Correct Horse Battery Staple" as a strong password, I will!

      Trouble is that some developers/sites do; however what they don't tell you is that they have only accepted the first n characters of your password (typically 8) and so when you try and use your strong password it will fail as you have typed too many characters...

      But the real problem is that many passwords are tied to a person's email address (a subject that has been discussed before on these forums) ...

    3. Mycho Silver badge

      Correct-Horse-Battery-Staple

      Is accepted by most password regimes. Just pick a special character to use as a space.

  16. David Pollard

    Is Trusteer Rapport any good?

    In the section on online banking, Cyber Street's first recommendation is to "Sign up to security software provided by your bank, such as Trusteer Rapport". Just a few months ago Reg readers seemed to suggest this may not be all that good.

    http://forums.theregister.co.uk/forum/1/2013/08/06/trusteer_pushes_updates_after_cybercrook_brew_up_browser_lockdown_exploit/

    My only experience of it is from sorting out a pc which was seriously snarled. Can other readers comment?

    1. Roland6 Silver badge

      Re: Is Trusteer Rapport any good?

      I've tended to avoid it because in general it seems you need the version provided by your bank - which is a problem if you use multiple banks... Also it did get a poor reputation as once installed it was very difficult to remove which was an issue if it conflicted with previously installed software (although Trusteer have become more public about such matters).

      I've used instead third-party browser security products that can be used across multiple websites but unfortunately require configuring by a knowledgeable user.

      Specific products I've used: Prevx SafeOnline (now part of Webroot) which was also provided by some banks and for several years was available as a free download from Facebook (it also protected against a number of live banking exploits that Trusteer Rapport didn't...). Kaspersky Internet Security - Barclay's provided this free to their online customers for several years, but annual re-registration was required, also Barclay's provide no information on how to configure KIS to enable it to fully secure their internet banking...

      Another good tool is Zemana AntiLogger, however the challenge I've found with targeted security products is ensuring they play nicely with more general security products, both on initial install and after subsequent auto-updates...

      So I can understand why Cyber Street would effectively recommend "Joe Public" users download the (hopefully) preconfigured security software from their bank. Also with the banks effectively backing Trusteer, there is an incentive to ensure it does work with third-party security software and that third-party security developers include it in their DB's of 'safe' applications.

  17. Boris the Cockroach Silver badge
    Devil

    Perhaps

    the government would be better off starting with campaign aimed at the civil service first.... you know something simple like "DO NOT LEAVE YOUR UNSECURED LAPTOP ON THE F***ING BUS AGAIN!"

  18. Marvin O'Gravel Balloon Face

    Another waste of [our] money.

  19. teebie

    "cyber streetwise"

    Who came up with that name? Are they hiring funky vicars for PR duties now?

  20. Anonymous Coward
    Anonymous Coward

    PRISM?

    What would Edward Snowden do?

  21. pacman7de
    Facepalm

    Sign up to security software ..

    "Sign up to security software provided by your bank, such as Trusteer Rapport

    "You can download Rapport from the following locations: PC users: http://download.trusteer.com/U3uxFr8Ib/RapportSetup.exe"

    https://www.trusteer.com/download-trusteer-rapport

    So, I have to download and install an executable in order to keep my 'computer` safe?

  22. gerdesj Silver badge

    dot com

    Why on earth is it a .com address?

    It should be .gov.uk. My internal alarm bells go berserk when a URL looks wrong and a UK Govt related/sponsored/whatever website with .com on the end looks wrong.

    Cheers

    Jon

    1. J.G.Harston Silver badge

      Re: dot com

      Exactly, that is inviting fraud. I've already posted on The Guardian saying that anybody who thinks a website without a .gov.uk address is the HMRC deserves to get all their money stolen as a stupidity fine, so here we have the government actively promoting scammers' activities.

      1. J.G.Harston Silver badge

        Re: dot com

        Complaint sent to the dev/null that is the Home Office.

  23. J.G.Harston Silver badge

    Use strong, memorable passwords

    Advised by the very government that has websites that point blank absolutely refuse to allow you to do this.

    The Universal JobMatch site is a case in point. It goes out of its way to physically prevent you using it. Who the hell needs a password to browse JOB ADVERTS for glod's sake? And groin-punchingly-stupid validation rules, must have this, must have that, must be unrememberable, must be impossible to type. If I can't set my password to dick horse battery compound then f*** off and fix your f***g website.

    Almost on a par with Sheffield University's online job application system.

  24. Primus Secundus Tertius Silver badge

    No Admin Users

    They omit to point out one very useful practice:

    * Be a pleb user, not an administrative user.

  25. wolfetone Silver badge

    Campaign conducted by idiots

    My 63 year old mother, who has never used a computer in her life (nor does she want to, or need to) never refers to the Internet as "cyber" anything. It's the Internet. Even she knows that, and she left school when she was 11 (as was the standard back in the days of 1950's Ireland).

  26. Disgruntled of TW

    How does a user "check" a website is secure?

    Surely not by clicking on the green SSL certificate? We all know how that can end nowadays.

    Because users with weak passwords understand PKI and certificate authority trust chains.

    Well intention'd, but I shiver at the money they are spending on the campaign. Bit like their ludicrous approach to broadband (BDUK) and giving £1.2b to BT. That'll end well.

  27. Matheus

    They forgot most important from the list:

    USE LINUX. USE........ L.I.N.U.X------------> save money+have stable, secure operation system. Believing in Windows is like believing in Stalinism.

  28. Zacherynuk

    I can't imagine anybody this information applies to either finding it or understanding it.

    Keepass is good, but for joe-average lastpass is probably more likely.

    Linux is not the end game - we are not just worried about fly by infections we are worried more about willing social engineering - doesn't matter how your gran accesses the internet, if she is asked to enter details on a false shopping site she will. This is what the Cameron porn blockade should have done - ISP level warnings on known scum (warning only no block)

    http://www.wastedspace.co.uk/b3ta/ANanoMoose.gif

  29. Pookietoo
    Alert

    OMG it's MSFT Bob back from the dead

    See title.

  30. colinvj

    maybe no alternative

    I think that the banks that provide rapport , may insist that if you dont use the offered software, then any breaches in security will be your responsibilty, we all know banks look for anyway of ovoiding responsibility for any losses. Lets hope not ,but Iits a strong possibility regardless of its suitabilty or effectiveness.

  31. RamblingRant

    Quick review of this site for you good folks... with advice on KeePass & IdentitySafe.

    http://ramblingrant.co.uk/2014/01/17/cyberstreetwise-com-really-bad-infosec-advice/

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019