I am helping Leeds University with a business Cybercrime Survey. Go to www.bit.do/cybersurvey to complete it or use the QR code.
Many thanks
This is my personal blog for issues that I will make comment upon, my own views. Feel free to comment or connect with me. AQL commissioned Ambassador for the Yorkshire Humberside Cyber security Information Sharing Partnership. To join, follow www.ncsc.gov.uk/CISP
Saturday, 29 October 2016
Monday, 19 September 2016
ActionFraud and local police investigation
Many people are told, when they call the police to report a fraud, especially a cyber based one, that they should call ActionFraud or report it to the ActionFraud (AF) website: http://www.actionfraud.police.uk
ActionFraud is fairly unique and is a world class service for bringing fraud and intelligence together at a national level.
BUT, and it is a big BUT, many frauds really should be investigated locally.
And the rules governing AF allow this, but many people, including many cops and call handlers, seem still to be unaware.
Here is an outline of the rules governing AF, replicated on many force websites. This comes from the Met site; even Northern Ireland is covered.
http://content.met.police.uk/Site/reportingfraud
Local police should take a formal report of fraud in the following circumstances, known as ‘Calls to Service’:
Where the crime is in progress, or about to happen, including where a delivery is about to be made or money is at risk (a payment may be stopped if action is taken immediately).
Where the person suspected of committing the crime is locally known or can be easily identified. (Police may refer the complainant to action fraud if the suspect does not reside in their force area.)
Where the person reporting or the victim is vulnerable. The person may be unable to make a report by telephone or the internet, lack understanding of their situation or require additional support from Police or partner organisations.
So if your fraud meets the above criteria then the police should investigate.
Simples
Sunday, 15 May 2016
Helping CERT-CISP in Yorkshire Humberside
Following last week’s launch of The Cyber Security Breaches Survey, which found that one in four large firms are experiencing a cyber breach at least once a month, only half of all firms have taken any recommended actions to identify and address vulnerabilities.
Less than a third of all firms had any formal written cyber security policies and only 10% had an incident management plan in place.
This demonstrates that companies are not ready for cyber-attacks and are not taking the most basic precautions, technically and through education or training.
I am pleased to be supporting aql’s commitment to working with businesses in the Yorkshire and Humberside Region. We are helping all companies to improve their own protection by supporting the Regional Cyber-security Information Sharing Partnership (CiSP).
In order to help promote the CiSP, aql have commissioned me to undertake work on behalf of the CiSP to improve membership and build activity across the region.
aql’s CEO Dr Adam Beaumont, who is the designated business champion for CiSP in the Region, said:
“Leeds is the second financial centre in the UK and a global centre for eHealth and we are dependent on London for connectivity, and connectivity is the lifeblood of a business these days.”
“Whilst we help provide connectivity and substantial storage for many parties both public and private we want to ensure that companies in this region protect themselves and make the internet a safe place to operate and do business. That’s why I want to see the CiSP succeed. By supporting the joint efforts of businesses across the region we are helping build growth and make our community safer.
A valuable part of that effort is to support the CiSP itself, I am pleased to announce that I have engaged Stuart Hyde QPM to act on behalf of Yorkshire and Humberside businesses to help develop the CiSP”
I am very honoured to be asked by aql, an exceptional example of growth within the Region, to help drive the CiSP in Yorkshire and Humberside. CiSP is a key national strategy to make the UK a safer place online, and it should be capable of helping businesses to protect themselves.
Sunday, 8 May 2016
Cyber Street Unwise
A few days ago the Register published an article about the waste of £20 million on Cyber Prevention. http://www.theregister.co.uk/2016/05/04/ukgov_uncoordinated_illinformed_and_utterly_ineffective_on_cybercime/
One of the findings in the report was that despite spending this money only 15% or so of people had heard of Get Safe Online (GSOL) https://www.getsafeonline.org/
Well, that would be a sad story IF GSOL had received this alleged £20M.
It hasn't.
In fact the Register got it wrong, but only in detail, such as who is responsible for spending that money. GSOL are not. They receive a max of £70k from Govt, so not a bad return: 13% of the population for £70K.
So who has spent it?
Well, it's a secretive organisation called Cyber Street Wise https://www.cyberstreetwise.com/ (CSW)
I use the word "secret" because they do not want to tell you who is in charge, nor how they spend their money. Despite the logo "HM Government" in the top left hand corner, a request for a copy of their budget received a response of "Only with a Freedom of Information Act" request will we tell you.
And then the response was merely to say £4m per year. No budget, no accounts or outline. Just a single number. In fact they have had about £20m and I believe most has been spent on Saatchi and Co.
http://www.thedrum.com/news/2014/01/13/uk-government-urges-public-be-cyber-streetwise-new-campaign-mc-saatchi
At the time their Saatchi Chairman, Tim Duffy, said: “This campaign represents one of the most relevant public information campaigns of our time. In cyberstreetwise.com we have created a campaign idea that is as flexible as it is powerful. The success of the campaign will be more and more people in Britain knowing how to be secure online and as a consequence helping to build an even stronger British economy.”
A further request to know who is leading CSW produced a response that stated in relation to the management team of the Cyber Streetwise campaign, "after careful consideration, we judge that the information you request is exempt from disclosure under section 40(2) of the Freedom of Information Act (“FOIA”)."
So much for open Government.
No wonder The Register found it so hard to understand who does what.
The campaign from CSW was not about promoting GSOL. In fact they rarely mention GSOL in any of their media.
CSW rarely engages with real dynamic issues and seems to replicate the same mantra on Twitter. Have a look at their feed for example. No doubt a Bot controls the Twitter Feed as there is rarely any discussion. When TalkTalk broke they didn't seem to notice.
So it's not surprising that the Government's campaign is not working.
It's OK to moan, but what should be done?
1. Move a substantial amount of the CSW funding to GSOL.
2. Cancel the account with Saatchi.
3. Put some of the money into supporting local businesses to engage, particularly through the CiSP. https://www.cert.gov.uk/cisp/
4. Make the civil servants running CSW accountable and let people know who is in charge.
5. Create and deliver Public accounts and performance targets for CSW.
GSOL has been run on a shoestring for years and the fact that The Register didn't know about CSW is not surprising, albeit poor quality journalism.
Let's hope that Ministers wake up to this saga and help create a more effective strategy for public cyber protection.
Tuesday, 1 March 2016
Apple and the FBI some thoughts and judgement pre Farook decision
The Apple FBI saga
The disagreement over Apple and the FBI has become a microcosm of the world of cyber and digital crime. Warrants can secure access to homes, cars, planes and any premises or item. However the encryption coding on the iPhone, that is loved by many, seems to be at the limit of the privacy issue, and not just because of encryption.
Cyber investigators have mixed views ranging from fully supporting Apple’s right to say no, through to a total distrust of the state to protect its citizens from digital theft. The role of private organisations and businesses to support and deliver security or evidence on behalf of the state seems an unreasonable one to many.
Understanding what has actually happened legally is also a concern as the media is either misunderstanding the application made by the FBI or is “bigging” up Apple’s response.
Either way the legal process will ensue as Apple appeals the FBI bid. Added to that are side issues such as whether the password for the San Bernardino shooter's iCloud account (Farook) associated with his iPhone was reset hours after authorities took possession of the device. Was this an error or a deliberate ploy?
Some questions already posed.
1. Is Apple right to stand its ground, balancing personal security and privacy against national security?
There is also an issue about product confidence and the concern that the US is not the only country where iPhones sell. Its approach is to appeal and use its legal route first. This will take time. The below unrelated case gives support to Apple's view.
2. What are the long-term implications?
If the appeal fails then the FBI will secure what it is after, an ability to keep trying to crack the encryption without the iPhone losing data. The question is whether this will stop Apple’s encryption and create a back door for the FBI/Police. If they do, there is considerable fear it will be copied by other countries or organisations rendering the security of the iPhone useless.
3. Since so much consumer trust is invested in how we use our phones for the most data sensitive of operations amongst commerce, mobile money and banking etc will this move compromise that trust?
If Apple are forced to create a back door it will reduce consumer confidence in the product on the basis that the techniques are likely to be copied or replicated elsewhere. Currently the Passcode is part of an encryption that cannot be broken.
4. If the government is effectively asking for a back door key, how secure would that process be? Through human carelessness or leaking could the key be compromised?
Industry doesn’t have a strong sense that the state could protect the “key”. And there are examples to support that view. What if those with access are compromised or neglectful? Apple has well-reasoned arguments to consider the ability of any state to hold that access “key”.
However, a judgement came yesterday in a not related case which doesn't have binding precedence over the Farook case but contains some really helpful comments within the 50 page report.
A good summary is found below, particularly the call for Legislators to deal with the fast changing technological developments.
"In deciding this motion, I offer no opinion as to whether, in the circumstances of this case or others, the government's legitimate interest in ensuring that no door is too strong to resist lawful entry should prevail against the equally legitimate societal interests arrayed against it here. Those competing values extend beyond the individual's interest in vindicating reasonable expectations of privacy – which is not directly implicated where, as here, it must give way to the mandate of a lawful warrant. They include the commercial interest in conducting a lawful business as its owners deem most productive, free of potentially harmful government intrusion; and the far more fundamental and universal interest – important to individuals as a matter of safety, to businesses as a matter of competitive fairness, and to society as a whole as a matter of national security – in shielding sensitive electronically stored data from the myriad harms, great and small, that unauthorized access and misuse can cause.
How best to balance those interests is a matter of critical importance to our society, and the need for an answer becomes more pressing daily, as the tide of technological advance flows ever farther past the boundaries of what seemed possible even a few decades ago. But that debate must happen today, and it must take place among legislators who are equipped to consider the technological and cultural realities of a world their predecessors could not begin to conceive. It would betray our constitutional heritage and our people's claim to democratic governance for a judge to pretend that our Founders already had that debate, and ended it, in 1789."
This is the full judgement passed yesterday re the FBI and Apple case in Brooklyn. It will be interesting to see how this is regarded in the main Farook case
Judgement Apple and FBI