Rolling of eyes
Eggs, grandma teach and suck come to mind, but not in that order.
The UK government has launched a new campaign aimed at changing attitudes to online security among consumers and small businesses, dubbed Cyber Streetwise. Cyber Streetwise is urging people to take five actions in order to protect themselves and others from cyber crime: Use strong, memorable passwords Install anti-virus …
But this isn't really aimed at the typical Reg reader is it? This might be "noddy" stuff, but if all my friends and relatives actually understood and followed it I'd have a lot less of my life wasted cleaning up their infected laptops and explaining why they keep getting all these rude emails and need to cancel their credit card
Given the periodic stories that turn up in the news media, it's also "do as we say, not do as we do".
Although to be fair the list should be extended to add encryption of sensitive data (or storing it in a suitable place which is safe and under your control) and not leaving devices in compromised positions (such as laptops and phones left in taxis or on Starbucks tables unattended to be nicked).
And it comes within two articles in the main page of an article about WinXP and HMRC/govt and hacking/security after the end of XP support...
@NightFox: indeed - except the site fails at the usual password hurdle of confusing complex (i.e. unmemorable) passwords with strong passwords. Hence the password checker states that single words that include a number and a capital like Gr4ndmas is good whereas a multiword password like "eggs grandma teach and suck" (thanks Rono666) is weak.
So with this advice we end up with important things like online banking sites requiring complex unmemorable passwords which leads to users creating relatively short (machine-crackable) passwords and re-using them on multiple sites. Password safes I hear you say? Good advice but how many non-geeks do you know that use password safes?
"But this isn't really aimed at the typical Reg reader is it? This might be "noddy" stuff, but if all my friends and relatives actually understood and followed it I'd have a lot less of my life wasted cleaning up their infected laptops and explaining why they keep getting all these rude emails and need to cancel their credit card"
Correct.
I like the fact it does not require a) squillions of £ of advertising and b) several new laws and a Statutory Instrument (the Dark Lord's favourite device) to implement.
People see the Mission Impossible antics but 99% of the time it's the simple (stupid) stuff that's not done that f**ks most people up.
What is the point? The security service (with help from their so-called overseas friends) are ensuring that all systems are hackable, providing this information to the Americans who then broadcast this to the world either via viruses/worms or by making the documentation available via contractors like Snowden.
Maybe help provide something secure first before we go down the Eggs & Grandma route.
Torn between applauding the government for finally trying to educate the population in these matters and laughing at the totally childish approach taken. I imagine a lot will be put off by the impression that it was designed for Tellytubbies viewers.
6/10 for trying, I think.
One note: under "Keep your devices safe and up-to-date" no advice is offered for Linux users. Are we to assume that Linux is problem-free? Or doesn't it exist to these people?
(a) The sort of person who needs this advice won't have installed Linux, and if they are using it chances are someone competent set it up for them.
(b) Assuming (a), then the system will have all applications installed via the package manager, and that will be set to auto-update which mitigates a large proportion of problems.
(c) As a small percentage of desktop use, Linux gets far, far, less attacks anyway via the phishing/web-malware route. Linux may have other serious annoyances, but that is not a common one...
>That said, it could be taken as implying that Linux is totally safe (not true, of course).
Indeed, not "totally" ... Every week, Windows sees more new malware than GNU/Linux has managed to collect over the last two decades ... and it is only slightly worse for Mac OS X.
I am not saying there are no security issues in GNU/Linux, just that nobody seems to write shit to take advantage of them.
On the other hand one thing that needs to happen is OEM versions of anti virus software must vanish - they are the single worst source of problems. When after a month they expire, hardly anybody renews them. What happens next is that ppl either ignore the messages or install some other anti virus software alongside the expired OEM version ...
I used to install Avast on windows boxen I would repair, but they require you to re-register every year, which ppl tend to forget to do ... now I go with Security Essentials, which is better than nothing and certainly better than an expired Avast.
I fully endorse your sentiments on the use of 3rd party security products, especially the point about lapsing registration - I have the same experiences.
The inherent weaknesses of the OSs are a major reason why public education is needed. At the same time, they are a reason why such education will probably prove futile.
"Torn between applauding the government for finally trying to educate the population in these matters and laughing at the totally childish approach taken"
You have to understand this is information to be understood by even the thickest Daily Fail reader. It's to step those people in the right direction, not for us Reg readers that (should) know better. In this regard, this simplistic approach does what it is designed to do.
Guys over on hackaday.com are in the process of creating a rather interesting open source USB device they're dubbing the 'Mooltipass', which will act as a password wallet that can automatically enter in the password of your choosing.
Handy if you have many passwords to try and remember and want to keep them long with random characters.
I look forward to seeing the final outcome of the project.
KeePass is what I'm using, due to that...
• Use strong, memorable passwords
is a moot point, I have no idea what my facebook password is, and even if I did I couldn't actually type it out! It's something along the lines of:
Îe.qînhóÏ@ÅÝ©Ê"¬æÈÁEt¡ÏÓq£¡h¼¡÷Ñw;ê|èø=I
Totally memorable, naturally only works on websites that accept any character and not the usual "numbers and letters only please", or worse, websites which don't let you paste your password into the "confirm your password" box so you have to have a weaker password.
"The UK government has launched a new campaign aimed at changing attitudes to online security among consumers and small businesses, dubbed Cyber Streetwise."
Huh, being the UK and all, I figured they would have passed legislation (based on one horror story) called 'Cyber Streetwise', then prosecuted those who did not comply. That said, here in Canada things are not much better.
Yes! It really annoys me that some systems insist on you including certain characters, while others won't let you include certain characters, etc, etc. It would perhaps be useful if the government or some standards organisation could officially advise as follows:
By all means warn users if a password appears to be weak, but allow any password consisting of 1-32 printable ASCII characters. (This is because I am sick of having strong random passwords rejected when they happen to contain three instances of the same letter or something stupid like that. Forcing people to include a digit, or whatever, just makes them add "1" to the end or replace "o" with "0" or something similar that adds almost nothing to security. A warning is more likely to have a good influence on user behaviour, in my opinion, than enforcing a stupid rule.)
Calculate a salted hash of the entire password (rather than ignoring any characters after the first 8, which lots of systems seem to do, amazingly).
Also, see: https://xkcd.com/936/
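An added example, not from this post or the Cyber Streetwise site, of the policy the two points above describe: accept any 1-32 printable ASCII characters, warn about weak-looking passwords rather than reject them, and salt-hash the whole password. The `truncate_to` parameter exists only to reproduce the "first 8 characters" bug the post complains about; the deny-list, entropy threshold and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import math
import os
import string
from typing import Optional

MAX_LEN = 32
# Printable ASCII including space; control characters such as tab/newline are excluded.
ALLOWED = set(string.printable) - set(string.whitespace) | {" "}
# Constructed mini deny-list of very common passwords (a real one would be far larger).
COMMON = {"password", "123456", "qwerty", "letmein"}


def is_allowed(password: str) -> bool:
    """Policy: any 1-32 printable ASCII characters; no composition rules at all."""
    return 1 <= len(password) <= MAX_LEN and all(c in ALLOWED for c in password)


def strength_warning(password: str) -> Optional[str]:
    """Advisory only: return a warning for weak-looking passwords, never reject them."""
    if password.lower() in COMMON:
        return "This is one of the most common passwords; please choose another."
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " "]
    charset = sum(len(c) for c in classes if any(ch in c for ch in password))
    bits = len(password) * math.log2(charset)  # crude guess-space estimate
    if bits < 50:  # constructed threshold: "Gr4ndmas" warns, a long passphrase does not
        return f"Looks weak (~{bits:.0f} bits of guess-space); a longer passphrase is stronger."
    return None


def hash_password(password: str, salt: bytes, truncate_to: Optional[int] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the WHOLE password.

    truncate_to reproduces the legacy bug of hashing only the first n characters,
    so that two passwords sharing a prefix collide; leave it None for correct behaviour.
    """
    material = password[:truncate_to] if truncate_to else password
    return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, 200_000)


def new_record(password: str) -> tuple:
    """Create (salt, hash) for storage; a fresh random salt per password."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    return hmac.compare_digest(hash_password(password, salt), stored)
```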
Good points, but your reference to the xkcd.com/936/ cartoon draws attention to an obvious failing of the government website: its failure to use humour!
Yes it uses nice animations, but just tells you for example how to improve your password. However the xkcd.com/936/ cartoon uses humour to tell you both what a secure password is and what it could actually look like.
"rather than ignoring any characters after the first 8, which lots of systems seem to do, amazingly"
My own favourite was a UK public body whose accounting system gateway for suppliers required (in 2013) a password that was "at least 1 character long, but no more than 8". Oh dear, oh dear.
(Anon because I'm still working for them.)
"Perhaps a standard of suitable password options should be enforced, because of the times I have had to use a weak(er) password as some sites won't allow special chr$. If you want us to use strong passwords then don't limit those passwords to letters and numbers only."
Only a week or so ago I encountered a badly designed system that not only put stupid restrictions on passwords, but didn't check the validity of those passwords properly and, in some circumstances, would let the user carry on as though a password had been accepted when in fact it hadn't.
(Also: A massive three choices of security question. Wow.)
You can always write your password locker password down on paper and keep it in a file. It is still more secure than reusing passwords or using memorable passwords. If you get burgled, just change it.
If LastPass or 1Password get hacked and expose user details it is their entire business down the toilet, so I am inclined to believe them when they say that only you can expose your data. I still won't put everything in it, but you can also add a multi-factor authenticator to beef up your login password.
>As soon as developers start building systems that will accept something like "Correct Horse Battery Staple" as a strong password, I will!
Trouble is that some developers/sites do; however what they don't tell you is that they have only accepted the first n characters of your password (typically 8) and so when you try and use your strong password it will fail as you have typed too many characters...
But the real problem is that many passwords are tied to a person's email address (a subject that has been discussed before on these forums) ...
In the section on online banking, Cyber Street's first recommendation is to "Sign up to security software provided by your bank, such as Trusteer Rapport". Just a few months ago Reg readers seemed to suggest this may not be all that good.
http://forums.theregister.co.uk/forum/1/2013/08/06/trusteer_pushes_updates_after_cybercrook_brew_up_browser_lockdown_exploit/
My only experience of it is from sorting out a pc which was seriously snarled. Can other readers comment?
I've tended to avoid it because in general it seems you need the version provided by your bank - which is a problem if you use multiple banks... Also it did get a poor reputation as once installed it was very difficult to remove which was an issue if it conflicted with previously installed software (although Trusteer have become more public about such matters).
I've used instead third-party browser security products that can be used across multiple websites but unfortunately require configuring by a knowledgeable user.
Specific products I've used: Prevx SafeOnline (now part of Webroot), which was also provided by some banks and for several years was available as a free download from Facebook (it also protected against a number of live banking exploits that Trusteer Rapport didn't...). Kaspersky Internet Security: Barclays provided this free to their online customers for several years, but annual re-registration was required; also Barclays provide no information on how to configure KIS to enable it to fully secure their internet banking...
Another good tool is Zemana AntiLogger, however the challenge I've found with targeted security products is ensuring they play nicely with more general security products, both on initial install and after subsequent auto-updates...
So I can understand why Cyber Street would effectively recommend "Joe Public" users download the (hopefully) preconfigured security software from their bank. Also with the banks effectively backing Trusteer, there is an incentive to ensure it does work with third-party security software and that third-party security developers include it in their DB's of 'safe' applications.
"Sign up to security software provided by your bank, such as Trusteer Rapport"
"You can download Rapport from the following locations: PC users: http://download.trusteer.com/U3uxFr8Ib/RapportSetup.exe"
https://www.trusteer.com/download-trusteer-rapport
So, I have to download and install an executable in order to keep my 'computer` safe?
Advised by the very government that has websites that point blank absolutely refuse to allow you to do this.
The Universal JobMatch site is a case in point. It goes out of its way to physically prevent you using it. Who the hell needs a password to browse JOB ADVERTS for glod's sake? And groin-punchingly-stupid validation rules, must have this, must have that, must be unrememberable, must be impossible to type. If I can't set my password to dick horse battery compound then f*** off and fix your f***g website.
Almost on a par with Sheffield University's online job application system.
My 63-year-old mother, who has never used a computer in her life (nor does she want to, or need to), never refers to the Internet as "cyber" anything. It's the Internet. Even she knows that, and she left school when she was 11 (as was the standard back in the days of 1950s Ireland).
Surely not by clicking on the green SSL certificate? We all know how that can end nowadays.
Because users with weak passwords understand PKI and certificate authority trust chains.
Well intentioned, but I shiver at the money they are spending on the campaign. Bit like their ludicrous approach to broadband (BDUK) and giving £1.2b to BT. That'll end well.
I can't imagine anybody this information applies to either finding it or understanding it.
Keepass is good, but for joe-average lastpass is probably more likely.
Linux is not the end game. We are not just worried about fly-by infections; we are worried more about willing social engineering. It doesn't matter how your gran accesses the internet: if she is asked to enter details on a false shopping site she will. This is what the Cameron porn blockade should have done: ISP-level warnings on known scum (warning only, no block).
http://www.wastedspace.co.uk/b3ta/ANanoMoose.gif
I think that the banks that provide Rapport may insist that if you don't use the offered software, then any breaches in security will be your responsibility; we all know banks look for any way of avoiding responsibility for any losses. Let's hope not, but it's a strong possibility regardless of its suitability or effectiveness.