
The role of crypto-currency in cybercrime

Authors:
  • Cofense, Inc

Abstract

The first crypto-currency appeared in 2009 when Bitcoin was born. Since then, numerous others have entered the market. The market for crypto-currencies has been incredibly volatile and, at its peak in 2017, one bitcoin was worth over $11,200, although it is now suffering from sustained losses in 2018.1, 2 These peaks and troughs have made crypto-currency value a popular media topic. Hackers, too, have taken notice. We have seen a recent sharp rise in crypto-jacking attacks, exploiting the power of victims' computers to mine crypto-currency. And alternative currencies also play a major role in ransomware attacks, being the payment method of choice. The chief defence, says Aaron Higbee of Cofense, is education. Phishing is a key element in these attacks and businesses need to help their employees to spot phishing attacks.
ISSN 1361-3723/18 © 2018 Elsevier Ltd. All rights reserved
This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:
Photocopying
Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.
Contents
NEWS
Financial organisations must show they’re ready for disaster 1
Big names in major breaches 3
FEATURES
Assessing website password practices – over a decade of progress? 6
World Password Day 2018 saw Microsoft suggesting that it would deliver a “world without passwords”. But we’ve been here before. Indeed, the fact that we even have a World Password Day rather implies that passwords are not as dead as past announcements and headlines would have us believe. Steven Furnell of the University of Plymouth, UK and Edith Cowan University, Australia presents the results of an assessment of password guidance and policy enforcement on a series of leading websites and compares them with similar studies from 2007, 2011 and 2014. The findings have been revealing in terms of the approaches taken by the sites and particularly the extent to which they support their users in achieving good practice. A consistent finding in all prior cases was that sites were collectively doing rather less than might be expected. So, 11 years on from the original study, what’s changed and have things got any better?
The role of crypto-currency in cybercrime 13
The market for crypto-currencies has been incredibly volatile and these peaks and troughs have made crypto-currency value a popular media topic. Hackers, too, have taken notice. We have seen a recent sharp rise in crypto-jacking attacks, exploiting the power of victims’ computers to mine crypto-currency. And alternative currencies also play a major role in ransomware attacks, being the payment method of choice. The chief defence against this growing threat, says Aaron Higbee of Cofense, is education. Phishing is a key element in these attacks and businesses need to help their first line of defence – their employees – to spot phishing attacks.
Critical infrastructure: understanding the threat 16
With nation state cyber-meddling now an acknowledged problem, there’s growing concern about the threats to critical national infrastructure (CNI). The vulnerability of systems that underpin the functioning of society isn’t exactly news to security specialists. But now politicians and the general public are waking up to the potential carnage that hackers could wreak. As Scott King of Rapid7 explains in this interview, the threats are real, but not necessarily in the way people imagine.
Editorial 2
Report analysis 4
News in brief 5
Calendar 20
Computer Fraud & Security
ISSN 1361-3723
July 2018 www.computerfraudandsecurity.com
Featured in this issue:
Assessing website password practices – over a decade of progress?
Every now and again we get a flurry of headlines proclaiming the passing of passwords, yet they are still with us and still being broken and breached.
Steven Furnell of the University of Plymouth, UK and Edith Cowan University, Australia presents the results of an assessment of password guidance and policy enforcement on a series of leading websites and compares them with three earlier studies. A consistent finding in all prior cases was that sites were doing less than might be expected. So, 11 years on from the original study, what’s changed and have things got better?
Full story on page 6…
The role of crypto-currency in cybercrime
The market for crypto-currencies has been incredibly volatile and these peaks and troughs have made crypto-currency value a popular media topic. Hackers, too, have taken notice.
We have seen a recent sharp rise in crypto-jacking attacks, exploiting the power of victims’ computers to mine crypto-currency. And alternative currencies also play a major role in ransomware attacks, being the payment method of choice. The chief defence, says Aaron Higbee of Cofense, is education. Phishing is a key element in these attacks and businesses need to help their employees to spot phishing attacks.
Full story on page 13…
Critical infrastructure: understanding the threat
With nation state cyber-meddling now an acknowledged problem, there’s growing concern about the threats to critical national infrastructure (CNI).
The vulnerability of the systems that underpin the functioning of society isn’t exactly news to security specialists. But now politicians and the general public are waking up to the potential havoc that hackers could wreak. As Scott King of Rapid7 explains in this interview, the threats are real, but not necessarily in the way people imagine.
Full story on page 16…
Financial organisations must show they’re ready for disaster
At the beginning of July, the Bank of England (BoE) and Financial Conduct Authority (FCA) gave notice to the UK’s financial institutions that they had three months in which to produce reports on how they avoid IT failures and mitigate cyber-attacks.
“Operational disruption can impact financial stability, threaten the viability of individual firms and financial market infrastructures, or cause harm to consumers and other market participants in the financial system,” said Andrew Bailey, chief executive of the FCA, and Jon Cunliffe, deputy governor of the BoE, in a joint statement at the launch of the discussion paper.
Continued on page 3...
Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom
Fax: +44 (0)1865 843973
E-mail: cfseditor@elsevier.com
Web: www.computerfraudandsecurity.com
Publisher: Greg Valero, E-mail: g.valero@elsevier.com
Editor: Steve Mansfield-Devine, E-mail: smd@contrarisk.com
Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia
Production Support Manager: Lin Lucas, E-mail: l.lucas@elsevier.com
Subscription Information
An annual subscription to Computer Fraud & Security includes 12 issues and online access for up to 5 users.
Prices: €1139 for all European countries & Iran; US$1237 for all countries except Europe and Japan; ¥151 620 for Japan (Prices valid until 31 December 2011)
To subscribe send payment to the address above. Tel: +44 (0)1865 843687/Fax: +44 (0)1865 834971. Email: commsales@elsevier.com, or via www.computerfraudandsecurity.com.
Subscriptions run for 12 months, from the date payment is received. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Computer Fraud & Security, 365 Blair Road, Avenel, NJ 07001, USA
Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333, email: permissions@elsevier.com. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; phone: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.
Derivative Works
Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.
Electronic Storage or Usage
Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.
Notice
No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.
Pre-press/Printed by Mayfield Press (Oxford) Limited
EDITORIAL
Computer Fraud & Security, July 2018, page 2
Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom
Tel: +44 1865 843239
Web: www.computerfraudandsecurity.com
Publishing Director: Bethan Keall
Editor: Steve Mansfield-Devine, E-mail: infosec@webvivant.com
Subscription Information
An annual subscription to Computer Fraud & Security includes 12 issues and online access for up to 5 users. Subscriptions run for 12 months, from the date payment is received.
More information: www.elsevier.com/journals/institutional/computer-fraud-and-security/1361-3723
Editorial
Things seem to have taken a turn for the better lately with regard to privacy. And no, I’m not talking about the EU’s General Data Protection Regulation (GDPR), although that will have focused the minds of many organisations in the right direction.
The US Supreme Court has handed down a somewhat surprising ruling that will have major implications for how some data is used. In the case of Carpenter vs the United States, the court effectively overturned the so-called ‘third-party doctrine’ – the assumption that when you hand your private information to a third party, such as an online service, you can no longer have any reasonable expectation of privacy with regard to that information.
This led to the situation where mobile phone operators were selling customer information – including detailed real-time data about location – to law enforcement agencies (LEAs), often through companies established purely to market this data trove. Indeed, it seems that there is a thriving reseller market for this data: before it reaches an LEA, the information has sometimes been sold and resold multiple times. It’s effectively a market for real-time surveillance data.
One company, LocationSmart, even offered a ‘try before you buy’ page on its website that, it turned out, allowed you to look up the real-time location of any mobile phone with a number issued by one of the major carriers.
Since the New York Times broke the story about this lucrative business, those carriers – AT&T, Sprint, T-Mobile and Verizon – announced they were severing ties with these data resellers. That, of course, doesn’t prevent them from carving out new deals, or even selling the data directly.
This trade came to the attention of the Supreme Court because of the case of Timothy Carpenter, who was sentenced to 116 years for a series of armed robberies. The police obtained cell site location information (CSLI) which showed that he was in the location of each robbery when it happened. The Supreme Court, however, ruled this was a breach of the Fourth Amendment protection against unreasonable search. This is a major change in the law because it’s the first time the amendment has been applied to something other than physical evidence.
The court emphasised that its ruling applies only to the specific issue of location data and that it does not extend to “conventional surveillance techniques and tools, such as security cameras; does not address other business records that might incidentally reveal location information; and does not consider other collection techniques involving foreign affairs or national security”.
CSLI is “detailed, encyclopaedic, and effortlessly compiled” and is automatically collected, requiring no action on the part of the subscriber. This places it in a different category to, say, call records or financial transactions. The court referred to CSLI as “near perfect surveillance” allowing users of the data to “travel back in time to retrace a person’s whereabouts, subject only to the five-year retention policies of most wireless carriers.” This means CSLI deserves special protections, the court argued in its report. In addition, mobile phones are “indispensable to participation in modern society”, which cuts off the argument that people can opt to avoid surveillance by not having a phone.
How this will play out is the subject of much debate, but it certainly swings the pendulum towards greater privacy. It would seem likely that those intermediary companies selling the location data may be out of business, or at least have less to offer (it remains to be seen if other data, such as call records, will continue to be traded). And LEAs will now have to show probable cause to a judge in order to obtain a warrant before accessing the information.
– Steve Mansfield-Devine
...Continued from front page
Organisations in the sector will have to convince the BoE and FCA that they have systems and procedures in place to weather any service disruption, whether it’s caused by IT failures or activities by cyber-criminals.
“This is good news,” said Dan Pitman, senior solutions architect at Alert Logic. “The concepts of disaster recovery, cyberthreats, business (revenue) continuity and so on are intrinsically linked through business risk, but too often considered separate by businesses. Banks and other financial services underpin our economy and enable the public and businesses to operate. They have a duty to ensure that disruption from any source, be it technological, process-based or malicious, is planned for and demonstrable to customers, partners and governing organisations.”
The announcement came shortly after a major outage affecting customers of TSB, who were unable to access their accounts online for a week because of a failed IT migration, with some customers still unable to use the service after a month. Analysis of the problem by IBM, which suggested a lack of testing, was published by the Treasury Committee. The report said IBM “has not seen evidence of the application of a rigorous set of go-live criteria to prove production readiness”.
The BoE and FCA have suggested that two days is a reasonable maximum for disruption to business services. If financial firms fail to convince regulators that they have adequate back-up plans and cyber-defences, they may be forced to make further investment or increase their capital levels to protect customers.
The discussion paper is available here: http://bit.ly/2L0P6JM.
Big names in major breaches
A rash of data breaches has affected millions of people and big-name brands, albeit indirectly in some cases.
Marketing and data aggregation firm Exactis left 2TB worth of data – nearly 340 million records – on a publicly accessible server. The information, which seems to have covered nearly all adults in the US, included names, addresses, phone numbers, email addresses and even subjects such as religion, interests and the number, age and gender of any children. Some records contain more than 400 items of information, such as whether the person smokes or has pets. No Social Security numbers or financial details were included in the database.
Security researcher Vinny Troia of Night Lion Security found the database using the Shodan search tool by searching for publicly accessible servers running instances of ElasticSearch databases. “I’m not the first person to think of scraping ElasticSearch servers,” he told Wired. “I’d be surprised if someone else didn’t already have this.”
Exactis protected the database after being contacted by Troia.
Social media aggregation service Timehop admitted to a breach affecting the personal information of 21 million of its users. Attackers exploited access tokens provided by the company’s cloud hosting provider in December 2017. They then created a new administrative account. This wasn’t discovered until the firm noticed a network intrusion on 4 July. Information affected includes names, email addresses and phone numbers. The firm claimed that no financial or private messaging information was involved. There are full details here: http://bit.ly/2u5bSXk.
A couple of major names have been affected by breaches at third-party suppliers. Ticketmaster acknowledged a breach affecting around 40,000 customers, mainly in the UK, after Inbenta Technologies, which hosts a customer support system for the firm, was compromised with malware. Ticketmaster issued a statement saying: “Less than 5% of our global customer base has been affected by this incident,” but the number could climb much higher. And it subsequently emerged that mobile banking firm Monzo had warned Ticketmaster and Inbenta of a problem back in April. The bank had seen so many dubious transactions that it requested Mastercard to replace all the cards issued to Monzo’s customers. Ticketmaster, however, seems to have denied any evidence of a breach.
Dixons Carphone has admitted to an “unauthorised access” involving 5.9 million payment cards and 1.2 million personal data records. According to the company, its research “indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8 million of these cards have chip and PIN protection. The data accessed in respect of these cards contains neither PIN codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and PIN protection have been compromised.”
The breach also exposed the personal details (name, address, email address) of 1.2 million people. The firm’s confession is here: http://bit.ly/2L1zKBG.
Meanwhile, Typeform, which manages surveys and competitions on behalf of other firms, suffered a breach that has affected brands such as Fortnum & Mason and Travelodge. In most cases, only the customer’s email address was vulnerable, although additional information was compromised in some instances. Some of the firm’s customers have already said they are severing ties with it. Other organisations affected by the breach include lesser names such as Australian bakery chain Bakers Delight, banking firm Revolut, the Australian Republican Movement, data platform Ocean Protocol, software companies DevResults and PostShift, and even Shavington-cum-Gresty Parish Council in Cheshire.
Finally, Adidas has warned US customers that their information may have been stolen. The company has so far been cagey about details, saying simply that: “The limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.” The size of the breach is unknown, but could reach into the millions of records.
Report Analysis
Bank of England: Systemic Risk Survey
The Bank of England’s twice-yearly ‘Systemic Risk Survey’ report shows a slight increase in the expectation among financial services companies that they will suffer a high-impact cyber-attack. At the same time, those same organisations seem to be extremely confident that they can withstand or survive such an attack. But the historical data from past reports shows a fast ramping up of concern about both cyber-attacks and non-technical risks, particularly in the political sphere.
When asked about key risks to the UK financial system, cyber-attack barely registers between the first time the survey was taken, in 2008, and 2014, when more than a tenth of organisations finally considered it significant. Then concern ramps up until the first half of 2018 when two-thirds of those surveyed rated it a key risk. That puts it now at the same level as geopolitical risk but some way behind ‘UK political risk’ (which, in a word, means Brexit), rated at 91%.
Other risks have headed in the opposite direction. ‘Risk of financial institution failure/distress’, for example, topped the list in 2008, at 85%. That’s now down to 11%, which may surprise some bank customers who have been inconvenienced by more than one system failure in recent months. However, the Bank of England runs its own stress tests and the results of the 2017 exercise showed that: “For the first time since the Bank of England launched its stress tests in 2014, no bank needs to strengthen its capital position as a result of the stress test. The 2017 stress test shows the UK banking system is resilient to deep simultaneous recessions in the UK and global economies, large falls in asset prices and a separate stress of misconduct costs.”
Clearly, then, what banks are most concerned about is the self-harm inflicted by Brexit – an external threat largely beyond their control, as are the risks posed by geopolitical developments. The most significant area of concern where they can take direct measures to protect themselves is cyber-security.
“With the UK’s financial stability at stake, it comes as no surprise that cyber-attacks are seen as the second biggest risk after Brexit,” said Kirill Kasavchenko, principal security technologist at Netscout Arbor. “Cybercrime is constantly proving to be a lucrative source of revenue, particularly when it comes to money-rich and sensitive data-driven sectors like finance. To minimise this threat, all organisations, particularly those in the financial services industry, must look to adapt a proactive stance, rather than wishing attacks away. As part of this, the cyber-security community need to collaborate to cut cybercrime frequency, severity and impact. Security threats cannot be mitigated by any single organisation alone. It requires better intelligence sharing and improved co-operation not only with law enforcement but also with the rest of industry. Sharing best threat detection and protection practices will allow a broader and deeper visibility of network traffic, threats and user behaviour. All companies can benefit from taking these steps to increase their security provisions.”
The report notes that: “Confidence in the stability of the UK financial system over the next three years has increased. The proportion of respondents judging themselves to be fairly confident, very confident or completely confident increased to 94% (+4 percentage points).”
However, while that may be the case for the country’s financial system as a whole, whether that confidence extends to an individual financial organisation’s technology isn’t recorded. This could be seen as something of a weakness in the report, given that cyberthreats have grown to outweigh issues such as a downturn in the UK economy (rated as a key risk by 33% in 2008, 26% in 2018) or risk of financial market disruption/dislocation (down from 45% to 16%).
When asked about the number one threat, UK political risk still topped the list (53%), but cyber-attack was second (14%) with geopolitical risk knocked into third place (11%) and the 19 other categories receiving negligible (or no) votes.
True, the financial sector is one of the strongest when it comes to cyber-security. However, it does have issues, some of them running deep. And when asked what risks are the most challenging to manage, cyber-attack pretty much equals UK political risk at the top of the table.
“Due to the significant amount of legacy systems that financial services hold, it is no surprise that cyber-risks and fraud are rising for these firms,” said Pete Banham, cyber resilience expert at Mimecast. “Legacy systems make it difficult for financial institutions to implement change, let alone embed new processes and technology to help with cyber-security. This is where new, challenger financial brands can stand out from the crowd.”
He added: “Impersonation fraud, particularly via email, continues to grow and remain dangerous no matter how up to date the technology. Cyber-criminals rely on the inherent trust in email to launch attacks that wreak havoc for businesses across all industries. There is also a major supply chain risk, as attackers could use an employee as a stepping stone to launch impersonation attacks against a bank’s suppliers and corporate customers. More needs to be done to ensure that organisations, not just those in the financial sector, remain cyber resilient. This needs to span beyond security and look at continuity, remediation and recovery to ensure that businesses can get back on their feet if something does get through. Accountability also shouldn’t be limited to the IT team. As every employee is a potential route into the business, ongoing education for all is critical.”
There is another factor here, too. The risk posed by Brexit to the financial system is going to be resolved soon, one way or another. And geopolitical risks wax and wane forever. But the risk of cyber-attack is continually growing, and it’s something that needs action now.
The report is available here: www.bankofengland.co.uk/systemic-risk-survey/2018/2018-h1.
NEWS
In brief

Privacy Shield in doubt

A vote in the European Parliament has cast doubt on the continued viability of the Privacy Shield agreement that allows US organisations to move personal information relating to EU citizens to servers in the US without being liable to the full weight of EU privacy laws. Privacy Shield was implemented when the previous arrangement, Safe Harbor, was thrown out in the courts following a challenge by activist Max Schrems. Last September, a European Commission review noted that there are still vacant posts on the Privacy and Civil Liberties Oversight Board (PCLOB) and no permanent ombudsman. It also raised concerns about executive orders concerning immigration, security and privacy by President Donald Trump. Now MEPs on the civil liberties committee (LIBE) have said that many of these concerns have not been addressed, and the committee voted in favour of calling on the European Commission to suspend the arrangement if the US is not compliant by the new review in September.
HMRC voice database revealed

One of the first organisations that could potentially fall foul of the new EU General Data Protection Regulation (GDPR) is the UK’s tax authority, HM Revenue & Customs (HMRC). A Freedom of Information (FoI) request filed by Big Brother Watch has revealed that HMRC has amassed a database of 5.1 million voiceprints. People contacting the organisation by phone are required to record a key phrase as a means of biometric identification to be used in subsequent communications under a scheme known as Voice ID.

However, according to Big Brother Watch, users are not given sufficient information on how to opt out of the scheme, or if and when their data would be deleted. In fact, in the first 30 days of the scheme operating, since it started in January 2018, no-one opted out, probably because the registration system doesn’t give them the option. HMRC has refused to provide details about how data erasure would work. Big Brother Watch has pointed out that the GDPR requires a positive opt-in to such schemes. Users can later choose not to use the biometric authentication, but are given no details about how to delete the files. HMRC’s response to the FoI also revealed that the department did not consult the biometrics commissioner on its Voice ID plans.
EU cyber force

The European Union could set up a cyber-response force trained to counter future attacks if it follows up on a proposal by the Lithuanian Government. A Declaration of Intent was put forward by the country at a session of the EU Foreign Affairs Council in Luxembourg. Five other countries – Romania, Croatia, Estonia, the Netherlands and Spain – have already signed up to it and four more are believed to be ready to join by the end of the year. France and Finland are participating in the project while Belgium, Germany, Greece and Slovenia have joined as observers. The ‘EU Cyber Rapid Response Force’ would employ the services of security firms and specialists to create a standing cyber-security unit that could counter major attacks, especially those emanating from nation states, according to Lithuanian Minister of National Defence Raimundas Karoblis. There’s more information here: http://bit.ly/2uj2Jd5.
NHS under attack…

In the past three years, the UK’s National Health Service has suffered more than 18 days of IT system outages as a result of cyber-attacks. A Freedom of Information (FoI) request by tech firm Intercity Technology revealed that of the 80 NHS Trusts that had responded to the request, 17% had experienced security-related downtime. Inevitably, a significant proportion of these will have been caused by the virulent but short-lived WannaCry ransomware outbreak, with some NHS organisations also having fallen foul of the Locky and Zepto variants.
…and leaking data

A data breach at NHS Digital affecting 150,000 people has been blamed on a coding error. The confidential data related to people who thought they had opted for the information to be used only for matters relating to their own care. NHS Digital oversees the use of data collected via doctors and NHS institutions. In many cases, this information can be passed – usually, but not always, anonymised – to third parties for use in clinical research. A ‘Type-2’ opt-out is made available to patients who don’t want their data used in this way. However, an error by software development firm TPP, to which coding work had been outsourced, led to these opt-outs being ignored in 150,000 cases. “There is not, and has never been, any risk to patient care as a result of this error,” said Jackie Doyle-Price, Parliamentary Under-Secretary of State for Health. “NHS Digital has made the Information Commissioner’s Office and the National Data Guardian for Health and Care aware.” Type-2 opt-outs have now been replaced by a national data opt-out meant to simplify the registering of an objection to wider data sharing.
Dark web arrests

A year-long operation against a number of dark web markets, involving the US Department of Justice, US Immigration and Customs Enforcement’s Homeland Security Investigations unit, the US Secret Service, the US Postal Inspection Service and the Drug Enforcement Administration, has resulted in multiple arrests and the seizure of goods. The agencies focused on the (now-defunct) Silk Road, AlphaBay, Hansa and Dream dark web marketplaces. Agents posed as money launderers willing to convert crypto-currency funds into US dollars in order to gain the trust of vendors. In the last four weeks of the operation, the execution of more than 70 search warrants as part of 100 law enforcement actions across the US led to the seizure of 333 bottles of liquid synthetic opioids, over 100,000 tramadol pills, 100g of fentanyl, more than 24kg of Xanax, other recreational and prescription drugs and 15 pill presses. Agents also seized over 100 firearms, five vehicles bought with funds from illegal activities, more than $3.6m in currency and gold bars, nearly 2,000 Bitcoins and other crypto-currency worth over $20m and Bitcoin mining equipment. Around 35 arrests were made, although the operation had targeted 65 people.
UK firms attacked every three minutes

On average, UK businesses were subjected to 52,596 cyber-attacks each in the three months to the end of June – the equivalent of 578 attempts a day or just over once every three minutes, according to Beaming, the business ISP. Although the rate of attack was slightly down on that experienced in the first quarter of the year, when businesses received 53,981 attacks each, there was an increase in the number of attacks targeting remote desktop services.

On average, businesses received 1,655 attempts each to breach remote desktop systems between April and June this year, 8% more than in the preceding quarter. Remotely controlled devices such as building control systems and networked security cameras were the most commonly targeted systems. Over the past three months they attracted 41% of all attacks. Businesses experienced 21,499 attempts each on average to take control of IoT devices. Beaming believes hackers target IoT devices for use in distributed denial of service (DDoS) attacks.

Q2 was the first full recorded quarter in which Europe was the most common source of cyber-attacks on UK businesses, with 43% originating from European locations, compared to 34% from Asia and 17% from North America.
FEATURE
Assessing website password practices – over a decade of progress?

Steven Furnell, Centre for Security, Communications and Network Research, University of Plymouth, UK; Security Research Institute, Edith Cowan University, Perth, Australia

World Password Day 2018 saw Microsoft suggesting that it would deliver a “world without passwords” and BlackBerry proposing that they would be replaced by adaptive authentication (based on the buzzwords du jour of artificial intelligence and machine learning).1,2 Yet at the same time we had the irony of Twitter asking 330 million subscribers to change their passwords, having discovered a bug in the firm’s internal systems that resulted in them being stored in unencrypted form.3
Every now and again we get a flurry of headlines proclaiming the passing of passwords. Bill Gates said they were dead in 2004.4 In 2013, the FIDO (Fast Identity Online) Alliance told us we could replace them, and it is happening again in 2018 with the launch of the FIDO2 Project, which continues the aim to end our dependency on this vulnerable approach.5,6 However, the fact that we even have a World Password Day rather implies that passwords are not as dead as past announcements and headlines would have us believe. In fact, if you listen in the right places, rumours are rife that passwords are still used as the principal (or even sole) authentication method on the vast majority of systems, sites and services.
Given our continued reliance upon this much-maligned technology, it is reasonable to expect that those requiring people to use passwords would at least be taking all reasonable steps to ensure that they do so in an informed and effective manner. With that thought in mind, this article presents the results from an assessment of password guidance and policy enforcement on a series of leading websites. The study continues the theme of an assessment first conducted in 2007 and then repeated in 2011 and 2014.7-9 In each instance, the findings have been revealing in terms of the approaches taken by the sites and particularly the extent to which they support their users in achieving good practice. A consistent finding in all prior cases was that sites were collectively doing rather less than might be expected. So, 11 years on from the original study, it is worth seeing what’s changed and if things are any better.
Site selection and assessment methodology
As in the previous studies, the candidate sites were identified from the Alexa global list of ‘The top 500 sites on the web’ (see: www.alexa.com/topsites). The sample was taken in early June 2018 and focused on the top 10 unique English language sites (a choice largely motivated by the fact that the author needed to be able to understand them). This meant omitting various non-English sites (eg, Baidu, Qq, Taobao and Sohu), as well as regional variations such as Google.co.in, and other sites that used the same login service as others already listed (eg, YouTube, listed at number two, uses Google credentials to sign in). As a result, Netflix – the 10th-ranked unique English language site – was actually 27th in the overall list. The full list of sites and their ranking at the time is shown in Table 1, along with the description provided on the Alexa site (with the exception of Instagram, where a description has been added because the Alexa listing did not include one). Of these, Amazon, Facebook, Google, Microsoft and Yahoo had featured in all of the earlier versions of the study, while Twitter and Wikipedia both appeared in the last couple. This left Instagram, Netflix and Reddit as the newcomers, replacing LinkedIn, Pinterest and WordPress from the 2014 study.
As with the prior runs of the study, the sample of just 10 sites is not presented as being statistically significant. Its aim is rather to capture a group of leading and well-recognised services, whose password practices consequently affect a sizeable community of users (who may in turn use their experiences of these sites to influence their password choices in other contexts). Similarly, other online providers may see these market-leading sites as the examples to follow when deciding upon the acceptable security to be offered on their own sites.
The assessment process involved creating and using accounts on the sites in order to determine the password selection requirements. The passwords were then updated using the available change and reset procedures. The overall evaluation process sought to establish whether:
• Thesitesprovidedanyguidanceto
support password selection, and (if
so) the extent of the coverage.
• Thesiteenforcedanyrestrictionson
permissible password choices.
• Userswereprovidedwithinteractive
feedback or nudges to improve their
Steven Furnell, Centre for Security, Communications and Network Research,
University of Plymouth, UK; Security Research Institute, Edith Cowan
University, Perth, Australia
World Password Day 2018 saw Microsoft suggesting that it would deliver a “world
without passwords” and BlackBerry proposing that they would be replaced by
adaptive authentication (based on the buzzwords du jour of artificial intelligence
and machine learning).1,2 Yet at the same time we had the irony of Twitter asking
330 million subscribers to change their passwords, having discovered a bug in the
firm’s internal systems that resulted in them being stored in unencrypted form.3
FEATURE
July 2018 Computer Fraud & Security 7
password choices (eg, via a password
strength meter or ratings).
• Therewasanymeansforusersto
supplement their passwords with
additional protection (eg, via one-time
passcodes sent to their mobile devices).
• Thesitepermittedthereuseofold
passwords.
• Ameanswasofferedtoresetor
recover passwords.
Provision of password guidance
The first issue of interest is whether the website provides any upfront guidance on selecting (and ideally managing) the password it is asking the user to set. To qualify, a site needed to present – or offer links to – at least a couple of tips, and this guidance had to be available before users tried to enter their choice (ie, the assessment does not count feedback messages provided in response to choices that are not permitted). The sites were assessed in three password-setting scenarios (ie, at initial sign-up, if users elect to change their password, or if users are forced to change their password because they have forgotten it), and the results are presented in Table 2.
As in previous runs of the study, it was interesting to note the considerable variations in guidance and support that existed at different stages. For example, Figure 1 illustrates the differences observed with Twitter, which was largely devoid of upfront guidance at sign-up, provided strength ratings for password change and provided onscreen advice, ratings and a ‘Learn more’ link to full guidance at password reset. Meanwhile, other sites (eg, Reddit) were consistent in a lack of guidance throughout.
It is notable that in the initial registration stage (Figure 1a), Twitter offers a feedback message requesting that users “enter a stronger password”, but the site provides no support for them to understand what ‘stronger’ actually means. By contrast, the term is directly defined in the password-reset stage (Figure 1c). Meanwhile, the ‘Learn more’ link takes the reader to an informative set of advice on account security, including a good set of password dos and don’ts (and interestingly this includes advice suggesting that users “Do create a password at least 10 characters long” – four characters longer than they are encouraged to choose at sign-up).10 As such, it seems rather unfortunate that a link to this resource is not provided to assist users at other stages of the process.
One factor that was common to several of the sites (eg, Facebook, Twitter and Yahoo) was that, although they do not provide any guidance (or indeed indication of password rules) upfront, they do progressively reveal various requirements in response to users entering passwords that do not qualify. As an example, Figure 2 shows three messages from Yahoo that appeared in response to passwords that were (a) too short, (b) too obvious (‘password1’), and (c) included the surname (‘furnell1’). Aside from the fact that it seems unhelpful to reveal the existence of rules in a piecemeal manner, it is also liable to annoy users if they keep trying things and then keep getting knocked back. Additionally, as an aside in this particular case, it can be noted that the message in Figure 2a asks users to make the password longer, but still neglects to reveal the minimum length that they should be aiming for.

Alexa ranking | Site | Alexa description of site
1 | Google | “Enables users to search the world’s information, including web pages, images, and videos.”
3 | Facebook | “A social utility that connects people, to keep up with friends, upload photos, share links and videos.”
5 | Wikipedia | “A free encyclopedia built collaboratively using wiki software.”
6 | Reddit | “User-generated news links. Votes promote stories to the front page.”
7 | Yahoo | “A major Internet portal and service provider offering search results, customisable content, chatrooms, free email, clubs, and pager.”
10 | Amazon | “Amazon.com seeks to be Earth’s most customer-centric company, where customers can find and discover anything they might want to buy online, and endeavors to offer its customers the lowest possible prices.”
13 | Twitter | “Social networking and microblogging service utilising instant messaging, SMS or a web interface.”
15 | Instagram | Social networking service for sharing photos and videos.
17 | Microsoft Live | “Search engine from Microsoft.”
27 | Netflix | “Flat monthly fee streaming TV and movies service.”
Table 1: Ten popular websites selected for assessment.

Site | Guidance provided at sign-up | Guidance provided at password change | Guidance provided at password reset
Amazon | ✘ | ✘ | ✓
Facebook | ✘ | ✘ | ✓
Google | ✓ | ✓ | ✘
Instagram | ✘ | ✘ | ✘
Microsoft Live | ✘ | ✘ | ✘
Netflix | ✘ | ✘ | ✘
Reddit | ✘ | ✘ | ✘
Twitter | ✘ | ✘ | ✓
Wikipedia | ✘ | ✘ | ✘
Yahoo | ✘ | ✘ | ✘
Table 2: Provision of password guidance at different stages.
It is notable that even where guidance is provided on what to do, none of the sites make much of an attempt to explain to the user why this advice is relevant. While users can probably work out the reasons for themselves in terms of advice around not writing passwords down or sharing them, the rationale for being asked to provide longer and more complex passwords, as well as avoiding dictionary words and personal information, often remains unclear. Many users still have no conception of password cracking or social engineering, and may still imagine the threat coming from an attacker sitting at the keyboard trying things manually. Explaining a little about the reality of the threats, or about what the various password requirements and restrictions seek to achieve, could aid users’ understanding and improve their buy-in and compliance as a result.
Enforcement of restrictions
Whether they provided guidance or not, the other key question is what passwords the sites will actually permit users to select. To this end, the other significant aspect of the assessment examined the password restrictions that sites imposed at sign-up, as well as other elements of support that they might provide in order to help users behave more securely.

In terms of restrictions on password choices, the study applied the same set of tests as had been used in the 2007-2014 versions, namely:
• Does the site enforce a minimum password length, and if so what is it?
• Are users prevented from using their surname as their password?
• Does the site prevent the re-use of the user ID (or email name) as the password?
• Are users prevented from using the string ‘password’?
• Does the site check the composition of the password to ensure multiple character types?
• Does the site filter out the use of dictionary words that would be easily compromised with cracking tools?
All of these are feasible to check (although checking surname and user ID aspects requires these to be featured during the registration process), and all of them are well-founded on the basis of the established bad practices that users can otherwise adopt. Table 3 summarises the degree of enforcement of these restrictions during initial sign-up to the sites. It also includes indications of additional provisions that sites may make, which are also considered in the discussion that follows. As an aside, it may be noted that some sites do actually differ in terms of the passwords they will accept at sign-up and those that are permitted at later stages, but a detailed account of these variations was beyond the scope of the study.
As can be seen, the best provisions (considering permitted password length and the other restrictions applied) were offered by Google, Microsoft Live and Yahoo. This finding is broadly comparable with the 2014 results – where they were also the top three among the sites assessed – although the checks and provisions are not exactly the same (eg, in 2014, Google did not enforce password composition rules, but did provide a password meter).

Figure 1: Contrasting the password guidance at: (a) initial registration; (b) password change; and (c) password reset.
The three least favourable sets of results were from Amazon, Reddit and Wikipedia. Indeed, consistent with all of the prior versions of the study, Amazon’s password requirements remain the most liberal and the lack of any password meter to nudge users in the right direction means that it can ultimately be judged lower than Reddit in terms of overall support. Meanwhile, Wikipedia was somewhat ironic insofar as it filtered out obviously poor choices (such as the user ID or the word ‘password’) but would otherwise permit one-character passwords to be chosen without complaint.
While most of the length restrictions are simply as stated in Table 3, the value for Yahoo merits some further commentary. In this case, the length restriction works in conjunction with password composition. As shown in the table, the shortest permitted is seven characters, but this is only permitted with all character types (ie, uppercase, lowercase, numeric, and punctuation) being used. The system will not allow seven-character passwords with less diversity (enforcing an eight-character minimum length with three character types, and a nine-character minimum with one or two types). So, while Yahoo still does not enforce password composition with multiple character types, it certainly makes use of it as a factor in determining acceptable choices.

Figure 2: Password feedback messages revealed in response to unacceptable choices.

Columns: Site; Restrictions enforced at sign-up: Enforces min length (+max if stated), Prevents surname, Prevents user ID, Prevents ‘password’, Enforces composition, Prevents dictionary words; Other support: Password meter, Extra protection, Prevents reuse.
Amazon 6 ✘ ✘ ✓ ✘
Facebook 6 ✓ ✘ ✓ ✘
Google 8 ✓ ✓ ✓ ✓
Instagram 6 ✘ ✓ ~ ✓ ✓
Microsoft Live 8 ✓ ✓ ~ ✓ ✓
Netflix 4–60 ✘ ✓
Reddit 6 ✘ ✓ ✓ ✘
Twitter 6 ✘ ✘ ~ ✓ ✘
Wikipedia ✘ ✓ ~ ✘ ✘
Yahoo! 7 ✓ ✓ ✓ ✓
Table 3: Enforcement of password restrictions and availability of additional support.
Upper limits on password length were not specifically tested and only Netflix explicitly indicated one. However, at 60 characters, this was likely to be sufficient for all but the most masochistic of password users.

In terms of preventing the use of the user’s surname, only three sites that collect the user’s name then utilise the information in password filtering. Meanwhile, three of the sites (Microsoft Live, Netflix and Reddit) do not collect the user’s actual name at the point the password is set and so implicitly cannot use it in the checking process either.

Aside from requiring a minimum length, the most commonly encountered policy rule was the prevention of the word ‘password’ (which is warranted, given its consistent prominence in the lists of worst passwords actually used). However, probing a little further tends to reveal some weaknesses beyond the initial positive result, as although the majority of the sites do indeed prevent the use of ‘password’, several accepted predictable variants such as ‘password1’, ‘Password’ and ‘Password1!’.
Multiple types
As in previous runs of the study, one of the least common policies enforced was to require that passwords be composed of multiple character types. As in 2014, just two sites did this, with only Microsoft Live being consistent across both studies. In 2014, Google did not do so, but Yahoo did. However, as observed earlier, Yahoo now only lets users get away with single character-type passwords if they are at least nine characters long – and so one way or another their policy is still ensuring a significant character space in the resulting password. The fact that composition rules remain the least enforced aspect of policy is arguably understandable, given earlier findings that users struggle to create and remember passwords with multiple character classes.11
In terms of dictionary words, the assessment was based upon a range of options, as shown in Table 4. The first three entries are words or word combinations found within the top 10 in SplashData’s most recent annual list of the worst passwords (and are included on the basis that it might consequently be reasonable to expect sites to block them).12 The inclusion of ‘monkey’ is because it is another dictionary word that was popular in earlier versions of the same list (and indeed still appeared 13th in the 2017 listing). The use of ‘diamonds’ and ‘dictionary’ was to test longer strings while retaining dictionary words as the basis (with the latter choice doing so literally). The final three variations were included to see if the password parsing could be fooled by mixing the case and arbitrarily adding a number to the end (in the final variant).

As can be seen from the table, Amazon, Netflix and Reddit performed no checking in this context and consequently permitted everything. Meanwhile, the remaining results are very much mixed, with only Facebook, Google and Yahoo managing to do a credible job of it. Some words were naturally prevented by virtue of other checks already in place (eg, both ‘letmein’ and ‘monkey’ were too short for the sites requiring eight-character minimum lengths). Microsoft Live also looks like it did a reasonable job, until it is noted that most options were actually stopped by virtue of its composition rule, which required at least two character types (and it is apparent it did not block dictionary words if presented in mixed case – eg, using ‘Football’ was accepted). None of the sites was able to prevent the ‘extreme’ test case of ‘Dictionary1’.
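The six restriction tests listed above, the Yahoo-style tiered minimum length and the case/number variants that fooled most of the sites can be expressed as a single checker. This is an added example written for this article, not code from any of the sites assessed; the rule names, the tier values and the test inputs come from the text, while the ‘normalise before comparing’ step (fold case, strip trailing digits and punctuation) is my assumption about how a site should treat variants such as ‘Dictionary1’ or ‘Password1!’.

```python
import string

# Constructed from the article's own probes: the Table 4 test words plus the
# SplashData entries it cites. 'password' itself is handled as its own rule.
DICTIONARY_WORDS = {"letmein", "football", "iloveyou", "monkey",
                    "dictionary", "diamonds"}


def character_classes(password):
    """Count how many of the four character types named in the article
    (uppercase, lowercase, numeric, punctuation) appear in the password."""
    present = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return sum(present)


def normalise(password):
    """Fold case and drop trailing digits/punctuation, so that 'Dictionary1',
    'Password1!' and 'Football' compare as 'dictionary', 'password' and
    'football'. This is the step the surveyed sites lacked (assumed design)."""
    return password.lower().rstrip(string.digits + string.punctuation)


def tiered_min_length(password):
    """The Yahoo rule described in the text: seven characters only with all
    four types present, eight with three types, nine with one or two."""
    return {4: 7, 3: 8}.get(character_classes(password), 9)


def check_password(password, user_id=None, surname=None, *,
                   min_length=8, tiered=False, require_composition=False):
    """Apply the study's sign-up tests and return the names of the rules the
    password breaks; an empty list means the password would be accepted.

    tiered=True swaps the fixed minimum length for the Yahoo-style tier;
    require_composition=True demands at least two character types, which
    is the rule the text attributes to Microsoft Live."""
    violations = []
    required = tiered_min_length(password) if tiered else min_length
    if len(password) < required:
        violations.append("min_length")

    folded = password.lower()
    if surname and surname.lower() in folded:
        violations.append("surname")
    # The user ID is the account name or the local part of the email address.
    if user_id and user_id.lower().split("@")[0] in folded:
        violations.append("user_id")

    base = normalise(password)
    if base == "password":
        violations.append("password_word")
    elif base in DICTIONARY_WORDS:
        violations.append("dictionary_word")

    if require_composition and character_classes(password) < 2:
        violations.append("composition")
    return violations


if __name__ == "__main__":
    # Constructed inputs mirroring the article's probes, including the
    # surname test ('furnell1') and the Yahoo length/composition boundary.
    for pw in ["password1", "Password1!", "Football", "Dictionary1",
               "furnell1", "Ab1!xyz", "Ab1xyzq", "abcdefghi"]:
        print(f"{pw:12} fixed-8: {check_password(pw, surname='Furnell')!s:28}"
              f" tiered: {check_password(pw, surname='Furnell', tiered=True)}")
```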
A notable observation in this run of the study was that only Reddit offered any form of password meter at sign-up (and even then, it would still accept passwords that the meter had rated minimally low). As previously observed in Figure 1, Twitter offered strength ratings at change and reset stages (as did Facebook), but overall there were few examples of any password rating/scoring throughout the trial. This is in rather marked contrast to the earlier rounds, where the use of meters or ratings had been far more prominent. For example, four of the 10 sites used them at sign-up in the 2014 study and seven did so in 2011. Indeed, this means that some sites that once offered such feedback at sign-up no longer do so, with Facebook, Google and Twitter all falling into this bracket. This is perhaps surprising, given that earlier research has found that suitable meters can have a positive effect on password selection behaviours.13
An area in which some good provision is now being made is in relation to additional login protection (eg, via two-step or two-factor options). As an example, Facebook (which otherwise looks quite mixed in terms of its provisions in Table 3) offers a host of additional protection options, as shown in Figure 3. Meanwhile, Amazon (which otherwise looks among the worst in the earlier table) does at least offer a tangible two-step authentication option (see Figure 4).

Columns: Test word; Amazon; Facebook; Google; Instagram; Microsoft Live; Netflix; Reddit; Twitter; Wikipedia; Yahoo.
letmein ✓ ✘ ✘ ✓ ✓
football ✓ ✘ ✘ ✓ ✓
iloveyou ✓ ✘ ✘ ✓ ✓
monkey ✓ ✘ ✘ ✓ ✓
dictionary ✓ ✘ ✘
diamonds ✓ ✘ ✘
Diamonds ✓ ✘ ✘ ✓ ✓
Dictionary ✓ ✘ ✓ ✓ ✓
Dictionary1 ✓ ✓ ✓ ✓ ✓
Table 4: Dictionary words accepted by each site under test.
Reset or recovery?
A final factor assessed throughout the series of studies is whether the ‘forgotten password’ feature works by offering password reset or recovery. The latter is less secure, insofar as, if compromised, it ends up revealing a password that might also be in use on other sites and services (given the well-known propensity for users to have the same password across multiple systems).

Meanwhile, the genuine account holder may remain entirely unaware that their secret has now been compromised (unless they are specifically sent a notification that recovery has been used, via a channel the attacker does not control). By contrast, if password reset is offered, then an attacker is forced to change the password, thus alerting the legitimate user to a problem once he can no longer access the account himself.

While various sites can be found that persist in offering password recovery, it was not a practice among any of the 10 sites surveyed here. All offer reset rather than recovery, although differing in terms of the specifics of how they achieve it (eg, Wikipedia emails a temporary password, while all the others send a reset link or a one-time verification code). As such, this was at least one area in which good practice was seen to be uniform.
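The reset-rather-than-recovery design argued for above, as an added example that is not any site’s code: passwords are stored only as salted hashes so there is nothing to ‘recover’, the reset token is random, single-use and time-limited, and each step leaves a notification for the account’s out-of-band channel so the legitimate owner learns that something happened. The token lifetime, the in-memory stores and the message texts are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a site's user database and
# its out-of-band notification channel (assumptions for this illustration).
USERS = {}          # email -> {"salt": bytes, "pw_hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"email": str, "expires": float}
NOTIFICATIONS = []  # (email, message) pairs that would go out by email/SMS

TOKEN_LIFETIME = 15 * 60  # seconds; an assumed value, not any site's setting


def _hash(password, salt):
    # Only a salted, slow hash is ever stored, so nothing in the database can
    # be turned back into the password: 'recovery' is impossible by design.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(email, password):
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "pw_hash": _hash(password, salt)}


def verify_login(email, password):
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], _hash(password, user["salt"]))


def request_reset(email, now=None):
    """'Forgotten password' step: issue a random, single-use, time-limited
    token. Only its hash is stored, so a copy of the database cannot be used
    to complete a reset. The caller should show the same 'check your email'
    message whether or not the address exists, to avoid account enumeration."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = {"email": email, "expires": now + TOKEN_LIFETIME}
    NOTIFICATIONS.append((email, "A password reset was requested for your account."))
    return token


def complete_reset(token, new_password, now=None):
    """Consume the token and set a new password. The old password stops
    working, which is what alerts a legitimate owner if someone else did
    this; a second notification goes to the same out-of-band channel."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = RESET_TOKENS.pop(digest, None)  # single use, whether valid or not
    if record is None or now > record["expires"]:
        return False
    salt = os.urandom(16)
    USERS[record["email"]] = {"salt": salt,
                              "pw_hash": _hash(new_password, salt)}
    NOTIFICATIONS.append((record["email"], "Your password was changed."))
    return True
```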
Discussion
With over a decade having passed since the original version of the study, it seems appropriate to reflect upon the differences between then and now. The first, fundamental observation is that despite all the on-going predictions of their impending demise, passwords remain dominant. In spite of this, the way in which they are offered and enforced still falls well short of what good practice would suggest.

To see how things have changed over the years, Figure 5 presents a comparison between the 2007 and 2018 versions of the study, tallying the number of sites that supported each type of restriction on each occasion. As can be seen, the only area that has notably improved is the proportion of sites that prevent the word ‘password’ being used (and even here a third of sites still allow it). Password length remains the most commonly enforced restriction, but even this is not universally enforced and (as shown in Table 3) the actual length requirements still vary. (For information, the average minimum length, across sites that enforced one, increased from 6 characters in 2007 to 6.33 in 2018.)
The other thing that has significantly improved is the number of sites offering some form of additional protection. This aspect was not assessed in 2007, but only three sites did so in 2011, rising to four in 2014. The fact that eight sites now offer something to supplement and strengthen authentication beyond the password alone is a tangible improvement. However, while the vast majority of sites offer something, none of them explicitly flag this option at sign-up. As such, it would seem reasonable to assume that many users will not use the features and many will remain entirely unaware of them. Indeed, evidence presented earlier this year suggested that less than 10% of registered Google users have enabled two-factor authentication, despite the option having been available to them for seven years.14

Figure 3: Additional security options offered by Facebook.

Figure 4: Amazon’s two-step verification option.
Overall, however, the feature that remains fundamentally lacking is clear upfront guidance and support for users. While some sites (indeed some readers) may dismiss this in the belief that users would simply ignore it anyway, other results have demonstrated clear improvements from the mere presence of appropriate guidance at the point of password selection, with the addition of feedback yielding further improvements. Indeed, in one of our other studies, we observed that the proportion of weak-rated passwords dropped from 75% to 35% simply by making guidance and feedback available (ie, without any actual enforcement of password restrictions at all).15 As such, the fact that it remains entirely absent from many sites is curious and potentially suggests that their priorities lie elsewhere – eg, signing-up users with as few obstacles as possible, rather than putting them off by thinking about security. Of course, the resulting usability must be a consideration, but prior research has suggested that this does not have to come at the expense of password strength and ensuring that the user receives appropriate guidance is ultimately an aid to usability anyway.16
Conclusions
With over 10 years between the studies, it is somewhat disappointing to find that the overall story in 2018 remains largely similar to that of 2007. In the intervening years, much has been written about the failings of passwords and the ways in which we use them, yet little is done to encourage or oblige us to follow the right path.

To be clear, this article is not intended as a defence of passwords. They are inadequate for most modern requirements and their shelf life is increasingly limited. Even if we get people to use them better, events such as the recent Twitter breach will render their protection worthless unless combined with further steps or factors. The basic argument here – as with the earlier versions of the study and the others referenced – is for provision of user-facing security to be matched with accompanying support. Passwords are a good example because we know that many people are poor at using them. And yet the lesson continues to go unheeded and we continue to criticise the method and blame the users instead.

The increased availability of two-step verification and two-factor authentication options is positive, not least because of the numerous instances of passwords getting compromised en masse on the provider side. However, users arguably require more encouragement – or indeed obligation – to use them. Otherwise, like passwords themselves, they will offer the potential for protection, while falling short of doing so in practice.
About the author
Prof Steven Furnell is a professor of information security and leads the Centre for Security, Communications & Network Research at Plymouth University. He is also an Adjunct Professor with Edith Cowan University in Western Australia and an Honorary Professor with Nelson Mandela University in South Africa. His research interests include usability of security and privacy, security management and culture, and technologies for user authentication and intrusion detection. He has authored over 290 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society and Computer Insecurity: Risking the System. Furnell is the current chair of Technical Committee 11 (security and privacy) within the International Federation for Information Processing, and a member of related working groups on security management, security education and human aspects of security. He is also a board member of the Institute of Information Security Professionals and chairs the academic partnership committee and southwest branch.
Figure 5: Total sites enforcing different restrictions in 2007 and 2018 studies.
References
1. Ranger, S. ‘Windows 10: We’re going to kill off passwords and here’s how, says Microsoft’. ZDNet, 2 May 2018. Accessed Jun 2018. www.zdnet.com/article/windows-10-were-going-to-kill-off-passwords-and-heres-how-says-microsoft/.
2. Thurber, A. ‘Burying Weak P@$$vv0rd$ Once and For All’. Inside BlackBerry, 2 May 2018. Accessed 4 Jun 2018. http://blogs.blackberry.com/category/new-blackberry/news/.
3. Agrawal, P. ‘Keeping your account secure’. Twitter blog, 3 May 2018. Accessed Jun 2018. https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html.
4. Best, J. ‘Gates: The password is dead’. ZDNet, 16 Nov 2004. Accessed Jun 2018. www.zdnet.com/article/gates-the-password-is-dead/.
5. ‘Lenovo, Nok Nok Labs, PayPal, and Validity Lead an Open Industry Alliance to Revolutionize Online Authentication’. FIDO Alliance, press release, 12 Feb 2013. Accessed Jun 2018. https://fidoalliance.org/lenovo-nok-nok-labs-paypal-and-validity-lead-an-open-industry-alliance-to-revolutionize-online-authentication.
6. ‘FIDO Alliance and W3C Achieve Major Standards Milestone in Global Effort Towards Simpler, Stronger Authentication on the Web’. FIDO, press release, 10 Apr 2018. Accessed Jun 2018. https://fidoalliance.org/fido-alliance-and-w3c-achieve-major-standards-milestone-in-global-effort-towards-simpler-stronger-authentication-on-the-web/.
7. Furnell, S. ‘An assessment of website password practices’. Computers & Security, vol.26, nos.7-8, 2007, pp.445-451. Accessed Jun 2018. www.sciencedirect.com/science/article/pii/S0167404807001083.
8. Furnell, S. ‘Assessing password guidance and enforcement on leading websites’. Computer Fraud & Security, Dec 2011, pp.10-18. Accessed Jun 2018. www.sciencedirect.com/science/article/pii/S1361372311701233.
9. Furnell, S. ‘Password practices on leading websites – revisited’. Computer Fraud & Security, Dec 2014, pp.5-11. Accessed Jun 2018. www.sciencedirect.com/science/article/pii/S136137231470555X.
10. ‘About account security’. Twitter Help Centre. Accessed Jun 2018. https://help.twitter.com/en/safety-and-security/account-security-tips.
11. Komanduri, S; Shay, R; Kelley, PG; Mazurek, ML; Bauer, L; Christin, N; Cranor, LF; Serge, E. ‘Of passwords and people: measuring the effect of password-composition policies’. Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 7-12 May 2011, Vancouver, BC, Canada.
12. ‘Worst Passwords of 2017 – Top 100’. SplashData. Accessed Jun 2018. www.teamsid.com/worst-passwords-2017-full-list/.
13. Ur, B; Kelley, PG; Komanduri, S; Lee, J; Maass, M; Mazurek, ML; Passaro, T; Shay, R; Vidas, T; Bauer, L; Christin, N; Cranor, LF. ‘How Does Your Password Measure Up? The Effect of Strength Meters on Password Creation’. Proceedings of the 21st USENIX Conference on Security Symposium, USENIX Association, Berkeley, CA, 8-10 Aug 2012.
14. Thomson, I. ‘Who’s using 2FA? Sweet FA. Less than 10% of Gmail users enable two-factor authentication’. The Register, 17 Jan 2018. Accessed Jun 2018. www.theregister.co.uk/2018/01/17/no_one_uses_two_factor_authentication/.
15. Furnell, S; Khern-am-nuai, W; Esmael, R; Yang, W; Li, N. ‘Enhancing security behaviour by supporting the user’. Computers & Security, Vol.75, pp.1-9, 2018. Accessed Jun 2018. www.sciencedirect.com/science/article/pii/S0167404818300385.
16. Shay, R; Komanduri, S; Durity, AL; Huh, P; Mazurek, ML; Segreti, SM; Ur, B; Bauer, L; Christin, N; Cranor, LF. ‘Designing Password Policies for Strength and Usability’. ACM Transactions on Information and Systems Security, Vol.18 Issue 4, May 2016.
FEATURE
July 2018 Computer Fraud & Security 13
The role of crypto-currency in cybercrime
Aaron Higbee, Cofense
The first crypto-currency appeared in 2009 when Bitcoin was born. Since then, numerous others have entered the market. The market for crypto-currencies has been incredibly volatile and, at its peak in 2017, one bitcoin was worth over $11,200, although it is now suffering from sustained losses in 2018.[1,2] These peaks and troughs have made crypto-currency value a popular media topic and hackers, too, have taken notice.
For example: hackers take control of a victim’s devices to mine digital currency, ransomware attacks now demand payment in crypto-currency, and the topic of crypto-currency can be used as bait in a phishing attack. Undoubtedly, crypto-currency is transforming cybercrime. It is a method of making money, a preferred payment option and, in some cases, a lure for phishing scams.
Mining applications
Crypto-currencies record the history of transactions on a distributed ledger. The process of validating transactions and appending them to that ledger is called mining and requires masses of computing power; in return, miners are paid in crypto-currency. To generate this sort of computing power, hackers are looking to botnets – networks of infected computers under a hacker’s control – to log transactions and ‘mine’.
The ability to command machines for mining is achieved through phishing emails sharing a compromised link that directs users to a website domain that allows hackers to run a short script designed to begin the mining. The Monero crypto-currency has been the most popular currency associated with this type of hack, as it uses calculations that can run on normal computing devices, rather than the specialised applications that are used for other crypto-currencies such as Bitcoin.
Hackers have also added mining plugins to websites to take control of people’s devices and mine valuable crypto-currencies. Coinhive, for example, is a popular mining application which many hackers have been able to install on victims’ devices without permission, using up their battery and compute power. What’s more, this hack is not limited to laptops or desktop computers; hackers are increasingly targeting victims’ mobile phones. For instance, Android apps available on Google Play were found to contain malicious mining capabilities. In these cases, the JavaScript mining code runs in the background, making the process invisible to the user. While mobile phone hacks generate much less profit than those on computers, both types of device are vulnerable to hacking.
There has been some effort to protect against mining malware. Google added specific protections to its web browser, Google Chrome, while anti-virus firms have updated their software to detect and disable unauthorised mining applications. The main mining application, Coinhive, has also put measures in place to ask users for their permission to mine, protecting against hackers.
Ransomware payments
Last year, 54% of UK companies experienced ransomware attacks.[3] These often begin with a phishing attack that convinces a user to open a compromised email and click on a malicious link, granting the hacker access to the network. Once inside the network, the attackers can siphon off information, encrypt it and demand a ransom for its decryption. In some cases, the ransom is demanded in crypto-currency.
Last year’s WannaCry attack was the largest ransomware attack in history, affecting Windows systems all over the world, including many used by the NHS. The hackers behind the NHS attack demanded ransom payments in the form of bitcoins. Since then, other ransomware attacks have demanded that ransoms be paid in crypto-currencies, and some hackers have offered victims the chance to negotiate the ransom value.
Where hackers once demanded payments via Western Union or PayPal, crypto-currencies have transformed the field. One likely reason for this shift is the anonymity of using crypto-currency: payments are untraceable, as they do not link back to bank accounts or addresses. This allows hackers to cover their tracks, making it easier for them to repeatedly get away with these types of attacks. To collect ransoms paid in crypto-currency, some hackers have gone as far as to create a QR code that contains a Bitcoin wallet address. The Sage ransomware attack, which occurred in 2017, used this technique, presenting victims with an interactive ransom note containing a QR code. After several collections from separate wallets, hackers can transfer all their crypto-currency into one large wallet and reap their reward.
People now debate whether untraceable crypto-currency is causing ransomware attacks to increase. Other security breaches, such as trojans that steal bank details, are more traceable because of the evidence left in the transaction history, and so such attacks hold more risk for the attacker.
However, the future of using crypto-currency in ransoms isn’t certain. For example, as the value continues to fluctuate, it will be difficult for hackers to know the amount they are demanding from victims. Potentially, values will vary too much to make it worth hackers’ while, or be so unfeasible in price that ransoms wouldn’t be paid. This is perhaps why the Scarab ransomware allowed victims to negotiate the amount of bitcoin they paid. The change in Bitcoin’s market price is also changing the debate around the crypto-currency’s role in cybercrime, which could leave a space for other digital currencies to fill.
Figure: Reporting rates for phishing attempts have risen over the past few years, reducing organisations’ susceptibility to these attacks. Source: Cofense.
Figure: Reporting rates have increased while susceptibility rates have decreased, leading to greater resiliency. Source: Cofense.
Phishing lures
There are a number of reasons why a hacker would launch a phishing attack, from siphoning off information to turning a victim’s computer into part of a botnet or using it as an access point from which to dwell within a network. The most effective way of getting victims to click is through an email that is targeted or topical. In the world of crypto-currency, imagine an email discussing Bitcoin’s fluctuating value. Internet users trading Bitcoin might be intrigued enough to open the email and click on the link. This would enable the hacker to penetrate the network.
More recently, news outlets have reported on a particular Monero mining software that runs in a browser. The site most commonly associated with this behaviour is the aforementioned Coinhive. The level of exploitation is such that Check Point Software recently said that Coinhive miners were its ‘most wanted’ malware, with some 55% of its customers exposed to one or more crypto-currency mining malware families.
We know from experience that many email recipients, even if they believe an email is likely to be a phish, will still click on it simply because they are curious. Many believe that if it is a phish, they will be smart enough to recognise it once they see the page and ‘not fall for it’.
The trend now is to embed the miner into more traditional credential-phishing sites, where an email lures the user to a fake website designed to steal the user ID and password for an online service, email system or financial institution. When this approach is used, popular browsers launch instances of themselves that are hidden from the user, allowing coin-mining to continue in the background even after the user has closed all the browser windows he or she can see.
An evaluation of dozens of phishing sites that launch ‘in the browser’ crypto-miners, including those that phishers place on already compromised servers, has so far found that they have all been linked to Coinhive. While there may be legitimate reasons why a company might want its idle machines to mine for Monero, surely most businesses would rather not have their machines used to enrich strangers.
A simple fix is to block all access to ‘coin-hive.com’ or ‘coinhive.com’ from your network – access that shouldn’t be needed for employees’ day-to-day work. Be aware that if these URLs are blocked, some JavaScript will load the mining session from an alternatively named domain, so network administrators might consider observing traffic immediately after rejecting connections to Coinhive, just to be extra cautious. There are other browser-based mining scripts, but Coinhive is the one most actively exploited. Many anti-virus products also provide protection from this class of ‘probably unwanted programs’ and there are even browser plugins, such as ‘No Coin’, that claim to offer protection.
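As an added example (not code from the article or from Cofense), the following Python script applies the two checks just described to proxy logs: it matches every request against the two Coinhive domains the article names, treating subdomains and the hyphenated spelling as matches, and after a rejected request to those domains it lists the hosts the same client contacted next that it had not used before, as candidates for the alternatively named fallback domain. The log format and all log lines are constructed for the example; the hostnames other than the two Coinhive domains are placeholders.

```python
"""Checking proxy logs for browser-miner traffic and for the fallback domain.

Added example, not code from the article or from Cofense. It implements the
two checks the text suggests for a defender: match requests against the
Coinhive domains the article names (including any subdomain), and after a
request to those domains has been rejected, report which hosts the same client
contacted next that it had not used before, since a loader script may fetch
the miner from an alternatively named domain. The log format and every log
line are constructed for this example.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Domains named in the article as the ones to block.
MINER_DOMAINS = ("coinhive.com", "coin-hive.com")

# Constructed proxy log: "<timestamp> <client-ip> <ALLOW|DENY> <url>".
LOGS = """\
2018-06-01T09:00:01 10.0.0.5 ALLOW https://www.example-news.test/index.html
2018-06-01T09:00:02 10.0.0.5 ALLOW https://cdn.example-news.test/app.js
2018-06-01T09:00:05 10.0.0.5 DENY https://coinhive.com/lib/miner.js
2018-06-01T09:00:05 10.0.0.5 ALLOW https://static.miner-cdn.test/lib.js
2018-06-01T09:00:06 10.0.0.5 ALLOW https://www.example-news.test/style.css
2018-06-01T09:01:10 10.0.0.7 ALLOW https://mail.example.test/inbox
2018-06-01T09:01:12 10.0.0.7 ALLOW https://ws.coin-hive.com/proxy
""".strip().splitlines()


def host_matches(host, domains=MINER_DOMAINS):
    """True if host is one of the listed domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_line(line):
    ts, client, action, url = line.split(maxsplit=3)
    return {"ts": ts, "client": client, "action": action,
            "host": (urlsplit(url).hostname or "").lower(), "url": url}


def miner_requests(lines):
    """Every request (allowed or denied) whose host is a miner domain.

    An ALLOW here means the block list missed a variant, e.g. a subdomain or
    the hyphenated spelling.
    """
    return [e for e in map(parse_line, lines) if host_matches(e["host"])]


def hosts_after_block(lines, window=3):
    """For each client, hosts first seen within `window` requests after a DENY
    of a miner domain.

    These are candidates for the alternatively named domain the article warns
    about and deserve an analyst's look, not automatic blocking.
    """
    seen = defaultdict(set)      # client -> hosts contacted so far (baseline)
    pending = {}                 # client -> requests still inside the window
    candidates = defaultdict(list)
    for e in map(parse_line, lines):
        c = e["client"]
        if e["action"] == "DENY" and host_matches(e["host"]):
            pending[c] = window
            continue
        if pending.get(c, 0) > 0:
            pending[c] -= 1
            if e["host"] not in seen[c] and not host_matches(e["host"]):
                candidates[c].append(e["host"])
        seen[c].add(e["host"])
    return dict(candidates)


if __name__ == "__main__":
    for e in miner_requests(LOGS):
        print(f"{e['ts']} {e['client']} {e['action']:5} {e['host']}")
    print("new hosts right after a block:", hosts_after_block(LOGS))
```

In the constructed log the second client reaches a subdomain of the hyphenated spelling and is allowed through, which is the kind of gap a hostname-only block list leaves; matching on the registered domain and its subdomains closes it. The first client's request to a never-before-seen host immediately after the denied Coinhive fetch is what the traffic review the article recommends would surface.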
Building resiliency
While the crypto-currency market can be unpredictable, as long as there is money to be made, hackers will be after it. Building resiliency to any attack often comes down to protecting against phishing emails. If people can spot a suspicious email, they can stop hackers in their tracks.
With phishing attacks up 65% worldwide, a strong defence is critical.[4] Businesses are in a perfect position to help employees spot phishing attacks seeking to deliver ransomware. Phishing simulations are the most successful way to do this. They condition users to recognise and report fraudulent emails, and the more users report suspicious emails, the less susceptible they become to attacks. In 2017, reporting rates were up more than 4% year on year, with susceptibility rates dropping 2%.
It is also important to educate users about the phishing emails making the rounds. If they’re given the most up-to-date intelligence on what to look for, employees can help IT teams catch malicious emails. IT, in turn, can more effectively respond to security threats and expel hackers from the network if employees supply real-time intelligence.
Remember, even when facing newer threats fuelled by crypto-currency, it takes more than technology to defeat the hackers. You need vigilant humans, too.
About the author
Aaron Higbee is the co-founder and CTO of Cofense (formerly PhishMe), directing all aspects of development and research that drive the feature set of the solution. The Cofense method for awareness training was incubated from consulting services provided by Intrepidus Group, a company that Higbee co-founded with Rohyt Belani in 2007.
References
1. Desai, Neera. ‘Locky-Like Campaign Demonstrates Recent Evolving Trends in Ransomware’. Cofense, 7 Dec 2017. Accessed May 2018. https://cofense.com/locky-like-campaign-demonstrates-recent-evolving-trends-ransomware/.
2. Bovaird, Charles. ‘Crypto market down nearly 40% from all-time high’. Forbes, 14 Sep 2017. Accessed May 2018. www.forbes.com/sites/cbovaird/2017/09/14/crypto-market-down-nearly-40-from-all-time-high/#1f9a3ae97c74.
3. ‘Presenting: Malwarebytes Labs 2017 State of Malware Report’. Malwarebytes Labs, 25 Jan 2018. Accessed May 2018. https://blog.malwarebytes.com/malwarebytes-news/2018/01/presenting-malwarebytes-labs-2017-state-of-malware-report/.
4. ‘Enterprise phishing resiliency and defense report 2017’. Cofense. Accessed May 2018. https://cofense.com/whitepaper/enterprise-phishing-resiliency-and-defense-report/.
Critical infrastructure: understanding the threat
Steve Mansfield-Devine, editor, Computer Fraud & Security
With nation state cyber-meddling now an acknowledged problem, there’s growing concern about the threats to critical national infrastructure (CNI) – everything from water treatment plants through electricity generation and distribution to air traffic control. The vulnerability of systems that underpin the functioning of society isn’t exactly news to security specialists. But now politicians and the general public are waking up to the potential carnage that hackers could wreak. As Scott King, a senior director at Rapid7, explains in this interview, the threats are real, but not necessarily in the way people imagine.
Just recently, Ciaran Martin, head of the UK’s National Cyber Security Centre (NCSC), issued another warning about nation state attacks on the country’s CNI and told a parliamentary committee that such attacks emanating from Russia and North Korea had increased significantly over the past two years.[1] There has been a “consistent rise in the appetite for attack from Russia on critical sectors,” he said. The same day, the NCSC announced that it would be working more closely with company boards, providing them with a toolkit to help them better understand the threats.[2]
This followed an earlier advisory, in April, from the NCSC of a campaign underway to target CNI in the UK. “The targeting is focused on engineering and industrial control companies and has involved the harvesting of NTLM credentials via Server Message Block (SMB) using strategic web compromises and spear-phishing,” the alert said, adding that the attacks had been underway for a year.[3]
Reality check
The NCSC warnings are not isolated – security specialists have been saying for years that CNI targets are wide open to attack. In a recent report on industrial control system (ICS) security, Positive Technologies said that it had detected 175,632 Internet-connected ICS devices, with nearly half of them (42%) being in the US.[4]
But is the position as dire as it sounds? While the number of new vulnerabilities detected by Positive in 2017 was greater than the previous year – 197 compared to 115 – it was lower than in 2015 and the numbers could be viewed as being fairly consistent for the past five years. The kinds of vulnerabilities – information disclosure, remote code execution and even old favourites such as SQL injection and buffer overflows – have a familiar ring to them, suggesting that organisations running ICS are prone to the same security failings as any other organisation.
In fact, a problem we now face is that of too much general doom-saying and not enough attention on the specifics. It might be time for a reality check, says King.
“It’s kind of like end-of-the-world prophecies,” he says. “When they don’t come true, the person who prophesied them is completely discredited. The same is true in the cyber-security space when we talk about massive threats and the world ending or having huge societal impact. The reality is that there are a considerable number of threats that face critical infrastructure worldwide. I do, however, believe that these threats are potentially being misconstrued in many regards and it’s very helpful to focus on the different types of threat categories, because each of those threat categories has a different potential impact or a set of damages.”
The threat actors are the usual suspects: criminals looking to make money through activities such as ransomware and distributed denial of service (DDoS) attacks; ‘hacktivists’ pursuing a cause or ideology, or just looking to make a name for themselves; and the most worrying of all – nation-state attackers. These, says King, “are the ones that we read about in the news and everybody is terrified of,” and their activities fall into two broad groups.
The first of these is to prepare the ground so that a cyber-attack can be used either to prepare for or be part of a broader campaign that might include ‘kinetic’ actions – that is, attacks involving military activities. The other group encompasses industrial espionage, where attackers are interested in information that could benefit their nation’s own industries.
“Every nation has the same interests and is probably doing the same things,” says King. “They want to understand foreign energy strategies. So they have an interest in obtaining confidential and restricted information from, say, the US government around energy policy, or the largest energy producers or mining companies, or information about oil, natural gas and other consumable resources.”
There’s one more group to which we should be paying more attention, King believes, and that’s insiders. There can be a significant impact on something like electricity networks just from people making mistakes. And then there are malicious insiders, perhaps in the pay of a foreign government, who are in a position to do harm.
The dangers
While many of the vulnerabilities threatening CNI firms are the same as for any organisation (albeit with some significant differences, as we’ll see), what makes attacks against this sector especially concerning are the potential results. An attack in the cyber-realm can have kinetic consequences, such as the power going out across a whole region, as we witnessed in Ukraine in 2015 and 2016 (see box). And there are various ways of achieving this.
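The NCSC advisory quoted at the start of this article describes NTLM credentials being harvested over SMB, which depends on an internal host opening an SMB connection to a server outside the organisation and authenticating to it automatically. As an added example (not code from the article, the NCSC or Rapid7), the following Python script shows the corresponding defensive check over perimeter firewall logs: it flags TCP connections to ports 445 or 139 from an internal address to an external one and summarises, per internal host, which were allowed through and which the perimeter denied. The log format, the internal address ranges and every log line are constructed; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for Internet addresses.

```python
"""Flagging outbound SMB from perimeter firewall logs.

Added example, not code from the article, the NCSC or Rapid7. SMB to the
Internet is rarely legitimate, so the defensive check is to deny TCP 445/139
outbound at the perimeter and to review any log entry showing such a
connection, allowed or denied. The log format, the internal ranges and all
log lines are constructed for this example; 203.0.113.0/24 and
198.51.100.0/24 are documentation ranges used as stand-ins for Internet hosts.
"""
import ipaddress
from collections import defaultdict

SMB_PORTS = {445, 139}

# Constructed: the organisation's own address space (RFC 1918 ranges here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log: "<timestamp> <ALLOW|DENY> src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>".
LOGS = """\
2018-04-05T10:12:01 ALLOW src=10.1.2.30:51022 dst=10.1.0.10:445 proto=tcp
2018-04-05T10:12:07 ALLOW src=10.1.2.30:51023 dst=203.0.113.45:443 proto=tcp
2018-04-05T10:12:08 ALLOW src=10.1.2.30:51024 dst=203.0.113.45:445 proto=tcp
2018-04-05T10:12:09 DENY src=10.1.2.31:49877 dst=198.51.100.9:445 proto=tcp
2018-04-05T10:12:11 ALLOW src=10.1.2.31:49878 dst=10.1.0.10:139 proto=tcp
2018-04-05T10:13:02 ALLOW src=10.1.2.32:40001 dst=198.51.100.9:445 proto=udp
""".strip().splitlines()


def is_internal(ip):
    """True if the address falls inside one of the organisation's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, action, *rest = line.split()
    kv = dict(field.split("=", 1) for field in rest)
    src_ip, src_port = kv["src"].rsplit(":", 1)
    dst_ip, dst_port = kv["dst"].rsplit(":", 1)
    return {"ts": ts, "action": action, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "proto": kv["proto"]}


def outbound_smb(lines):
    """TCP connections from an internal host to an SMB port on an external host."""
    return [e for e in map(parse_line, lines)
            if e["proto"] == "tcp" and e["dport"] in SMB_PORTS
            and is_internal(e["src"]) and not is_internal(e["dst"])]


def summarise(findings):
    """Per internal host: external SMB endpoints it reached (ALLOW, so an
    authentication attempt may already have left the network) and ones the
    perimeter stopped (DENY, still worth a look at the host that tried)."""
    out = defaultdict(lambda: {"allowed": [], "denied": []})
    for e in findings:
        key = "allowed" if e["action"] == "ALLOW" else "denied"
        out[e["src"]][key].append(e["dst"])
    return dict(out)


if __name__ == "__main__":
    for host, result in summarise(outbound_smb(LOGS)).items():
        print(host, "allowed:", result["allowed"], "denied:", result["denied"])
```

An allowed entry is the one to act on first: the host may already have sent an NTLM authentication to the external server, so the account involved should be treated as exposed. A denied entry shows the perimeter rule doing its job but still names a host that tried, which is the lead for finding the web page or email that triggered it.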
“You can hit the transformers that put the power from the generation environment on to the transmission grid,” says King. “You could potentially hit the generator itself and cause a cascading blackout, as we’ve seen in certain situations where there’s lots of load on the transmission grid – the other systems that produce power and are also put on the grid disconnect themselves to essentially save themselves from having an over-generation potential.”
There are also less obvious ways of causing problems that could have long-term impact.
“One of the challenges specific to the power industry is that a lot of the components used to put power onto the grid have a long lead time to build,” says King. “With things like transformers, you can’t just buy one off the shelf. These are things that can take an extended period of time to obtain and cost a lot of money. Yet we’ve seen examples of how transformers and the like can be impacted, either through a natural disaster or through some type of cyber-attack. I can tell you that large, high-voltage switches don’t respond well to constantly being flipped on and off, and when those types of things happen, you can cause an impact that can take a long time to recover from. If you extend those impacts out to multiple energy companies, multiple high-voltage transmissions, substations and so on, you could potentially cause extended energy outages.”
Well-resourced attackers
While there are many similarities between the attacks – and the attackers – that plague organisations generally and those specifically in the CNI sector, there are also some significant differences. CNI organisations have to put up with ‘nuisance’ hackers like any other business and hacktivists probably fall into this category. But they are also targeted by extremely well-resourced hacking groups, backed by the funds and capabilities of governments and their intelligence agencies.
“A methodology that you could assume would be employed in those situations is people building full-scale environments of their targets, whereby they’re acquiring the same types of technologies, they’re acquiring the same types of infrastructure to simulate the environment that they’re going to target, so that when they do actually go after their intended target, they have a higher degree of success,” says King. “They’ve practised and they know where the weaknesses are and they have back-up plans when things don’t go according to plan. So that well-funded, highly motivated type of adversary is the bigger threat, because they have the means to map out their attack plans, and they can lay in wait and take as long as they need to ensure maximum success.”
With this kind of attack, however, timing is everything, King believes. It’s quite likely that these kinds of infiltration will be co-ordinated with other activities. “It will depend on the geopolitical situation whether they want to cause immediate damage because there’s some type of war situation, or if they want to lay in wait in case something happens, or so they can make threats.”
Ukraine without power
Ukraine provides a case study for how cyber-attacks can have real-world impact. The country suffered two attacks against its electricity networks, the second coming almost exactly a year after the first.
In the first attack, in December 2015, an engineer at a control centre that manages the electricity grid for a large part of Western Ukraine witnessed unusual activity on a screen. Someone had taken control of the system and was clicking on buttons to trip circuit breakers and take sub-stations offline. The attacker logged the engineer out and changed his password. At the same time, there were attacks in progress against two other power stations. Some 30 sub-stations were taken offline and back-up power supplies disabled. Around 230,000 people were left without electricity for up to six hours. Even after power was restored there were problems: the attackers had overwritten the firmware on serial-to-Ethernet converters, making some breakers impossible to control remotely.
A year later, around a fifth of Kiev was plunged into darkness. Hackers had targeted the Supervisory Control and Data Acquisition (Scada) systems belonging to the nation’s electricity grid. The blame was levelled at the Fancy Bear group, which has carried out numerous hacking attacks against targets considered to be in conflict with the interests of the Russian Government.
Scott King is the senior director, security advisory services for Rapid7. He has over 20 years of professional work experience in the IT and cyber-security fields, with a strong focus on the energy sector. Most recently, he developed and ran a Fortune 250 energy company’s combined utility cyber-security programme. During this time, King chaired a cyber-security CISO collective of the nation’s 14 largest electric utilities, acted as a board member for the American Gas Association’s Cybersecurity Task Force, participated in the Edison Electric Institute’s Cyber-security working group, and was a board member for EnergySec. He has been an advocate for building better cyber-security practices and approaches, including helping design multiple national critical infrastructure cyber-security incident response exercises for the Department of Homeland Security (DHS) and the North American Electric Reliability Corporation (NERC), advising the SANS Institute on building industrial control systems and cyber-security training, guiding multiple universities on their cyber-security bachelors/masters programmes, providing comment and guidance for federal and state cyber legislation, giving presentations to board members and board subcommittees, providing rate case testimony to public utility commissioners and giving dozens of talks on cyber-security at industry conferences and trade shows.
The Stuxnet attack is a classic example.[5] Generally attributed to US and Israeli intelligence, the Stuxnet malware was able to destroy centrifuges in Iran’s nuclear processing plant, even though its networks were air-gapped, by taking control of Siemens programmable logic controllers (PLCs). It has been reported that the intelligence agencies built a replica of the Iranian facility using the same Siemens equipment in order to learn how best to attack it.
“I have to imagine that it was the same with the attacks that we saw in Ukraine, based on the sophistication,” says King. “Whoever the perpetrator was, they had access to the same exact systems with the same model numbers and firmware versions and configurations that were targeted. How they obtained that information, we can only speculate. But it would seem as though there was a lot of inside knowledge. That’s how I would do it. And when you’re highly motivated and have a lot of funding to support one of these actions, you’re going to want to ensure your success. They’ve got bosses, right? They don’t want their bosses to get upset and fire them.”
Source of vulnerabilities
One of the chief sources of vulnerabilities that has afflicted CNI organisations – and, arguably, companies in the energy sector in particular – has been the habit of connecting to the Internet systems that were never meant to be networked. Supervisory control and data acquisition (Scada) systems, for instance, that were built before the Internet took off have been hooked up, often to provide a link between operational technology (OT) and business IT. However, King feels there is at least some movement away from this kind of inadvertent exposure.
“Over the past decade, we have been reducing the number of industrial control systems that are directly connected to the Internet,” he says. “Although, if you do some searching with Shodan, I think that shows there’s still quite a bit of stuff out there, some of which large utilities know about, some of which they don’t.”[6]
There are some significant challenges to solving this issue of unwisely connected devices, says King.
“If you look at something like a turbine, these are manufactured so that they have multiple levels of controller identity. A large, gas-fired turbine is going to have two, three or four control modules for redundancy. Each of those control modules is going to be running the exact same firmware. So if there’s a vulnerability on one, there’s a vulnerability on all of them.”
Another issue is that many of the devices, such as PLCs or embedded controllers, are not very sophisticated.
“They open and close things,” says King. “They receive a signal; they take an action. Manufacturers have been putting modules in front of these very simplistic devices that allow them to be connected to an IP network. What happens more often than not is that the front-loading device has no authentication, so it’s not validating who’s accessing it. It doesn’t have any protection around who can send a command.”
If you can get on to that network, then you can flip those switches. This is a fundamental design problem, says King, although one that has been receiving some attention. Some manufacturers are starting to implement authentication systems.
“The problem, though, is that when a utility company buys a piece of hardware like this, it’s a capital asset, and that capital asset has a depreciation cycle of five, 10, 15, even 20 years,” says King. “So if a utility were to want to replace it specifically for cyber-security reasons, they’re going to be losing money, because it hasn’t fully depreciated yet. And the whole revenue model of utilities is based on capital assets and acquisition and depreciation of those assets over time, which helps them earn a rate of return on their investment. So if you look at it from a monetary perspective, it’s a losing proposition.”
Rip and replace
The simplistic nature of many of the
devices involved means that there is no
update or patching process. Improving the
device means ‘rip and replace’ – taking out
the old device and replacing it with a new
one. And this isn’t necessarily an option.
[Figure: Number of new vulnerabilities found in industrial control system components. Source: Positive Technologies.]
[Figure: Types of vulnerabilities in ICS components. Source: Positive Technologies.]

FEATURE
July 2018 Computer Fraud & Security 19

“For example, I’ve seen a peaker plant [a generation facility designed to come online at peak load times] that is running embedded Windows XP,” says King.
“You can’t just turn up with a new version of Windows and install it onto this embedded device that controls this power generator. You have to replace a whole unit – the control modules and so on – that hasn’t depreciated yet. Unless you are a very forward-thinking utility and you have an overwhelming cyber-security risk management concern, you’re not going to do that. Instead, you’re going to develop compensating controls for the known weaknesses of your environment. And then those insecure devices are going to be protected in some way that would prevent an adversary from getting access to the network that the devices live on.”

In other words, an organisation will acknowledge that it has a vulnerable infrastructure and attempt to wrap extra layers of protection around it.

“That is the only thing that utilities and critical infrastructure providers can do at this point,” says King.

Managing risk

All organisations struggle with identifying, analysing and quantifying risk. So are companies in, for instance, the energy sector really on top of where their vulnerabilities lie?

“Yes and no,” says King. “Larger utilities that have a heavy regulatory oversight from either NERC [North American Electric Reliability Corporation] through its CIP [Critical Infrastructure Protection] standards in the US and parts of Canada, are doing a much better job of managing risks that they know about.7,8 But there are still a number of risks that they have not assessed at a detailed level. For example, utility companies use a lot of radio frequency (RF)-based communications, and a lot of that RF communication is not encrypted; it can be intercepted and potentially manipulated in transit. That’s something that I don’t hear a whole lot of people talking about. There are distribution environments that rely on insecure radio technology to transmit command and control signals from central control centres to substations and field distribution units. Not something we’re talking about today.”

In some cases, reckons King, areas of potential vulnerability are being ignored simply because they’re so complex and costly to manage. Acknowledging the risk might create greater liability for the organisation and so the approach is to ignore it until caught – a form of security through obscurity.
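The two weaknesses King describes above, IP front-ends that act on any command without validating the sender and unencrypted RF command links, are the same gap seen from two sides: nothing binds a command to an authorised sender, so a captured or forged frame is as good as a genuine one. The following is an added example, not code from the article or from any vendor, of the minimum check a command receiver can make when the channel itself cannot be trusted: each frame carries a sequence number and an HMAC computed with a pre-shared key, and a frame that was forged, altered in transit or replayed is rejected before any action is taken. The frame layout, the field unit, the key and the command codes are all assumptions for the example.

```python
"""Authenticated command frames for an otherwise trusting control channel.

Added example, not from the article. It shows the check that King's
'front-loading device' does not perform: the receiver verifies that a command
came from a holder of the shared key and has not been replayed. Everything
here (frame layout, key, command codes) is an assumption for the example.
"""
import hashlib
import hmac
import struct

# Assumed pre-shared key, provisioned out of band to both ends of the link.
# A constructed value for the example only.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Frame layout: seq (4 bytes) | device_id (2 bytes) | command (1 byte) | tag (32 bytes)
HEADER = ">IHB"
HEADER_LEN = struct.calcsize(HEADER)      # 7
TAG_LEN = hashlib.sha256().digest_size    # 32

CMD_OPEN, CMD_CLOSE = 1, 0  # assumed command codes for a simple switch


def build_frame(key, seq, device_id, command):
    """Sender side: serialise the fields and append an HMAC-SHA256 tag."""
    body = struct.pack(HEADER, seq, device_id, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class FieldUnit:
    """Receiver side: acts only on authentic, fresh frames."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0          # highest sequence number acted on so far
        self.switch_state = {}     # device_id -> last accepted command

    def accept(self, frame):
        """Return (accepted, reason); the unit acts only when accepted is True."""
        if len(frame) != HEADER_LEN + TAG_LEN:
            return False, "malformed"
        body, tag = frame[:HEADER_LEN], frame[HEADER_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison, checked before any field is trusted.
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        seq, device_id, command = struct.unpack(HEADER, body)
        # Strictly increasing sequence numbers reject a captured frame sent again.
        if seq <= self.last_seq:
            return False, "replay"
        self.last_seq = seq
        self.switch_state[device_id] = command
        return True, "ok"


def run_demo():
    """Exercise the receiver against constructed frames; returns the verdicts."""
    unit = FieldUnit(SHARED_KEY)
    genuine = build_frame(SHARED_KEY, 1, 7, CMD_OPEN)
    forged = build_frame(b"attacker-guessed-key", 2, 7, CMD_CLOSE)  # wrong key
    altered = bytearray(build_frame(SHARED_KEY, 2, 7, CMD_OPEN))
    altered[HEADER_LEN - 1] ^= 1                 # command byte changed in transit
    verdicts = {
        "genuine": unit.accept(genuine),
        "replayed": unit.accept(genuine),        # same bytes sent a second time
        "forged": unit.accept(forged),
        "altered": unit.accept(bytes(altered)),
        "next_genuine": unit.accept(build_frame(SHARED_KEY, 2, 7, CMD_CLOSE)),
    }
    return verdicts, dict(unit.switch_state)


if __name__ == "__main__":
    for name, verdict in run_demo()[0].items():
        print(f"{name:13s} -> {verdict}")
```

The sequence counter is the part most often left out: an HMAC alone proves the frame was built by a key holder, but without freshness a recorded "open" frame can be replayed at any time, which is exactly the manipulation-in-transit risk King raises for RF links. On real equipment the counter must survive a restart (persisted, or re-established with a handshake), otherwise a power cycle reopens the replay window.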
Triton ups the ante

Many specialists concerned with the security of critical national infrastructure believe that a recent malware attack on a facility in the Middle East upped the stakes. Dubbed ‘Triton’, the malware was the first recorded instance of attackers specifically targeting a safety instrumented system (SIS) (https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html).

According to FireEye, whose Mandiant division was called in to analyse and remediate the incident: “We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations.”

The attack, widely attributed to an unnamed nation state, compromised a Schneider Electric Triconex safety system. Like other SIS solutions, these systems are used to shut down operations and protect machinery, systems and people when dangerous conditions are encountered. Disabling an SIS solution could be a precursor to a larger attack by ensuring that critical systems are unable to protect themselves. Or attackers could manipulate SIS solutions to shut down operations, as a form of denial of service.

According to Schneider, attackers appear to have tried to implant a remote access trojan (RAT) in the affected system (https://www.youtube.com/watch?v=f09E75bWvkk&feature=youtu.be). By exploiting the credentials of one of the plant’s engineers, it seems the attackers were able to gain access to engineering stations on the operational technology (OT) side of the organisation via Remote Desktop Protocol (RDP) connections. This effectively bypassed the firewall between IT and OT systems.

The initial stage of the malware used Schneider TriStation protocols, which allow serial-over-Ethernet access to SIS devices, in part to allow the downloading of firmware. The SIS devices are protected by a physical lock and any downloaded code is stored in a user area that is not persistent. However, the attackers exploited what Schneider has referred to as a ‘zero day’ flaw that allowed them to escalate privileges, gaining write permissions regardless of the key switch position. This resulted in the malware’s payload being written to RAM. Although this isn’t persistent memory, SIS devices are rarely turned off. It was only a mistake by the attackers that led to the intrusion being detected.
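The account above gives a defender two concrete things to watch for: RDP sessions reaching OT engineering stations from anywhere other than a designated jump host, and engineering-protocol traffic to the safety controllers from any host that is not an engineering station. The following is an added example, not code from the article, FireEye or Schneider, that applies those two checks to a few constructed flow-log lines. Addresses, zone boundaries, host roles and the log format are all assumed; UDP port 1502 is the port the TriStation protocol is commonly documented as using and is taken as an assumption here, so confirm it for your own environment.

```python
"""Flow-log review for two compensating controls suggested by the Triton account.

Added example, not from the article, FireEye or Schneider. Checks:
  1. RDP to a host in the OT zone must originate from the designated jump
     host, not from an arbitrary IT-side machine.
  2. Traffic on the safety controller's engineering protocol must originate
     from an engineering station.
Addresses, host roles and the log format are constructed for the example.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

# Constructed zoning (assumed addresses).
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")
ENGINEERING_STATIONS = {ipaddress.ip_address(a) for a in ("10.20.5.10", "10.20.5.11")}
SIS_CONTROLLERS = {ipaddress.ip_address(a) for a in ("10.20.9.1", "10.20.9.2")}
JUMP_HOST = ipaddress.ip_address("10.1.50.5")   # the only permitted RDP source into OT

RDP_PORT = 3389
TRISTATION_PORT = 1502   # assumed: the TriStation engineering protocol port

# Constructed flow log, one record per line: timestamp src dst proto dport
SAMPLE_LOG = """\
2018-06-01T02:14:03Z 10.1.33.21 10.20.5.10 tcp 3389
2018-06-01T02:15:10Z 10.1.50.5 10.20.5.10 tcp 3389
2018-06-01T02:16:44Z 10.20.5.10 10.20.9.1 udp 1502
2018-06-01T02:17:02Z 10.20.7.77 10.20.9.1 udp 1502
2018-06-01T02:18:30Z 10.1.33.21 10.20.9.2 udp 1502
2018-06-01T02:19:05Z 10.20.5.11 10.20.9.2 udp 1502
"""


def parse_flows(text):
    """Parse whitespace-separated flow records; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append(Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto.lower(), int(dport)))
    return flows


def review(flows):
    """Return (ts, src, dst, reason) for every flow that breaks one of the controls."""
    findings = []
    for f in flows:
        # Control 1: RDP into the OT zone only from the jump host.
        if (f.proto == "tcp" and f.dport == RDP_PORT
                and f.dst in OT_ZONE and f.src != JUMP_HOST):
            findings.append((f.ts, str(f.src), str(f.dst),
                             "rdp-into-ot-from-unapproved-source"))
        # Control 2: engineering protocol to a safety controller only from
        # an engineering station.
        if (f.proto == "udp" and f.dport == TRISTATION_PORT
                and f.dst in SIS_CONTROLLERS and f.src not in ENGINEERING_STATIONS):
            findings.append((f.ts, str(f.src), str(f.dst),
                             "engineering-protocol-from-non-engineering-host"))
    return findings


if __name__ == "__main__":
    for finding in review(parse_flows(SAMPLE_LOG)):
        print(" ".join(finding))
```

Both rules are allowlists rather than signatures: they do not need to recognise the malware, only the roles of the hosts on each side of the flow, which is the kind of compensating control King describes for equipment that cannot itself be fixed. The second rule would have flagged the engineering-station-to-controller traffic in the incident only if the compromised station had been excluded from the allowlist, so it is worth pairing with the first: an engineering station reached over RDP from an unexpected source is the precursor the account describes.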
Ramping up

While CNI organisations are changing to deal with the threats, attackers are also evolving, as seen in a recent incident that many people believe to be game-changing – the so-called Triton malware (see box). So does King think this was a significant moment?

“I do,” he says. “The malware went after a safety system. That is not something we’ve seen before. A lot of control systems – not from a security perspective but just from an overall reliability perspective – rely on safety systems and redundant systems. What is really interesting about the Triton malware is that it went specifically after the safety system. In a full-scale attack, that’s exactly what I would do. I would impact the redundant system first before I went in and hit my actual target. If I was going to target a generator, I would want to understand all of the layers and levels of redundancy for that particular type of generation facility. I would want to target those redundant systems and safety systems that would give the operators an indication that something bad was about to happen or was happening, and only then would I actually cause the real damage. If you take the safety and the redundant systems offline, then the real damage is actually going to cause a pretty significant impact that can’t be recovered from easily.”

Attackers are showing that they now have a deeper understanding of how systems are built and the protections in place.

“They want to cause a much larger and longer-lasting impact through attacking all relevant systems,” he says. “But where that methodology breaks down is that there are quite a number of redundant systems that are completely manual fail-safes. The gas industry is a prime example. There is a ton of manual systems that are not IP connected, that have no on/off switch that can be controlled remotely. They’re just very, very simplistic. If a gas line has an over-pressurisation situation, there are redundant systems that will shut the valve down without receiving any kind of control to do so. It’s just pre-set-up, and it’s based on mechanics, not technology.”

Nevertheless, he adds: “Triton definitely takes the level of sophistication up a notch and shows that adversaries are more knowledgeable about safeguards that are being implemented within industrial control systems.”
About the author

Steve Mansfield-Devine is a freelance journalist specialising in information security. He is the editor of Computer Fraud & Security and its sister publication Network Security.
References

1. ‘Threat of cyber-attack from Russia has intensified, British MPs told’. The National, 26 Jun 2018. Accessed Jun 2018. www.thenational.ae/world/threat-of-cyber-attack-from-russia-has-intensified-british-mps-told-1.744200.
2. ‘NCSC to work with boards to better prepare businesses for cyber incidents’. National Cyber Security Centre, 26 Jun 2018. Accessed Jun 2018. https://www.ncsc.gov.uk/news/ncsc-work-boards-better-prepare-businesses-cyber-incidents.
3. ‘Advisory: Hostile state actors compromising UK organisations with focus on engineering and industrial control companies’. National Cyber Security Centre, 5 Apr 2018. Accessed Jun 2018. https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control.
4. ‘ICS Security: 2017 in Review’. Positive Technologies. Accessed Jun 2018. www.ptsecurity.com/upload/corporate/ww-en/analytics/ICS-Security-2017-eng.pdf.
5. ‘Stuxnet’. Wikipedia. Accessed Jun 2018. https://en.wikipedia.org/wiki/Stuxnet.
6. Shodan, home page. Accessed Jun 2018. www.shodan.io.
7. North American Electric Reliability Corporation (NERC), home page. Accessed Jun 2018. www.nerc.com.
8. ‘CIP Standards’. NERC. Accessed Jun 2018. www.nerc.com/pa/Stand/Pages/CIPStandards.aspx.
EVENTS

1–3 August 2018: IEEE International Workshop on Cloud Security and Forensics, New York, NY, US. http://bit.ly/2JuhQq7
4–9 August 2018: Black Hat USA, Las Vegas, US. www.blackhat.com
9–12 August 2018: Def Con, Las Vegas, US. www.defcon.org
20–24 August 2018: Hack In The Box GSEC, Singapore. https://gsec.hitb.org/
21–22 August 2018: Artificial Intelligence, Robotics & IoT, Paris, France. http://bit.ly/2HV6v55
3–7 September 2018: European Symposium on Research in Computer Security, Barcelona, Spain. https://esorics2018.upc.edu
6–7 September 2018: GrrCON, Grand Rapids, Michigan, US. http://grrcon.com
9–12 September 2018: 21st Information Security Conference, London, UK. http://isc2018.sccs.surrey.ac.uk
10–16 September 2018: Toorcon, San Diego, US. https://sandiego.toorcon.net
12–14 September 2018: 44Con, London, UK. https://44con.com