Coronavirus has been a boon to cyber-criminals, providing a new context for phishing scams including offers of free masks, miracle cures and more. Coronavirus related frauds increased by 400 per cent in March, said Det Sgt Chris White of the South East Regional Organised Crime Unit on a Redstor-sponsored web seminar today. In that time 1,425 UK victims have been defrauded of a total of £2.9 million.
Phishing is still by far the most successful starting point for any attack, as cybercriminals look to obtain login details and passwords. While security awareness is increasing, with 29 per cent of organisations now providing formal cybersecurity training for employees compared with 20 per cent two years ago, that still leaves 70 per cent without. As White pointed out, criminals only need to be lucky once.
Advice around passwords has changed over time as computer power increases and understanding grows around human behaviour. Today being Password Day, once again we are treated to the password top 20 which includes old favourites like password123, qwertyuiop, 111111, iloveyou, and the rest These, plus pet names, surnames, dates of birth, mothers' maiden names and other combinations that are trivial to guess by any cybercriminal worth his or her salt.
The ever-popular qwertyuioip can be cracked in 15 seconds
The ever-popular qwertyuioip can be cracked in 15 seconds. A combination of three common words such as CoffeeTinyFish can be broken in 6 hours but CoffeeTinyFish#9 will take 6 years because of the added complexity provided by special characters and numbers. Security professionals recommend that passwords should be at least 13 characters long, White said.
For emails, or to protect a password manager, they should be as long as possible and unique. An attacker in control of an email account can potentially use that to reset the passwords of any other accounts that use that email address as authentication, so it must be especially secure. A passphrase is better in this instance, since it can be both long and memorable. Being memorable is important as it means you won't be tempted to write it down.
Previously the advice was to change passwords regularly, but this can be counterproductive since new versions tend to get forgotten. White recommended only changing the long, memorable passphrase if you suspect it has been compromised, for instance by checking on https://haveibeenpwned.com/
Other advice was to use a password manager, or, if you are the sole user of a device, the browser's encrypted password store, and to protect accounts using two-factor authentication such as a hardware key or a mobile app such as Google Authenticator a generated one-time PIN out of band.
White suggested organisations avail themselves of free advice offered by the police and the NCSC. Some of those sites are given below.
https://serocu.police.uk/covid19/ - information about Covid-19 scams and advice on improving security from the South East Regional Organised Crime Unit.
ncsc.gov.uk - National Cyber Security Centre offers free advice and services around email, websites, DNS and networks, and security testing.
nomoreransom.org - an anti-ransomware site that publishes known decryption keys.
Cybercrime is rising sharply as opportunistic and immoral criminals take advantage of the disruption
After months of inactivity, all botnets are showing signs of life, researchers warn
The company says it has informed appropriate law enforcement authorities
Microsoft patches 113 vulnerabilities, including three zero-days, in April 2020 Patch Tuesday update
Two of the three zero-days were disclosed by Microsoft last month