GCHQ agency 'strongly urges' Brit universities, colleges to protect themselves after spike in ransomware infections

GCHQ offshoot the National Cyber Security Centre has warned Further and Higher Education institutions in the UK to be on their guard against ransomware attacks as the new academic year (sort of) gets under way. NCSC sent advice to places of learning "containing a number of steps they can take to keep cyber criminals out of …

  1. Yet Another Anonymous coward Silver badge

    GCHQ says protect yourself

    But don't use encryption; because only terrorists, people-traffickers and (looks up list of today's official daily hate) EU Brexit negotiators use encryption

    1. Anonymous Coward

      Re: GCHQ says protect yourself

      Ironic, given Trump just released Taliban responsible for Putin-contract killing of US troops, and has been sharing intel with Putin.

      https://www.washingtonpost.com/politics/2020/09/11/daily-202-taliban-prisoners-linked-killing-us-troops-are-released-ahead-911-anniversary/

      I bet when people signed up to 5-eyes work, they thought they were the good guys, protecting the west from terrorists and Putin, and yet here they are, their backdoors are the biggest threat to the security of the west.

      Protect yourselves from your own spooks.

    2. Anonymous Coward

      Re: GCHQ says protect yourself

      My own dealings with GCHQ say the opposite. Every member of staff I've spoken to is totally pro-encryption use, it's the senior managers giving speeches that seem to disagree.

  2. Arachnoid

    Yea but there's back doors in that encryption if it's to US standards, innit bro.

  3. amanfromMars 1 Silver badge

    Which do you Prefer? The Juicy Lucy Carrot or the Blunt Cleft Stick?

    Is GCHQ fully protected against phisher men and women .... or are they just as incredibly vulnerable and addictively attracted to exotic and erotic temptations as would everyone else be?

    And are they suitably practised and remarkably expert in ....... well, let us venture they have an ardent interest in Pornographic Steganography, in multiple degrees of excessive order and participation, in order to ensure communications are able to be kept personal and private rather than exposed for simple pirating and renegade exploitation ‽ .

    It has many ardent enthusiastic fans .... for all of the really basic reasons which any hot blooded being would immediately fundamentally understand and encourage demonstration of. :-)

  4. Doctor Syntax Silver badge

    "This trove of information puts a target on the back of every good-sized school, college, or university."

    Just an idea but how about putting that trove on its own isolated network? Yes, inconvenient when somebody has to answer a query that came in by email. But look on it as a choice of that inconvenience vs the inconvenience of an attack on that trove and at best having to rebuild it from backups and at worst seeing it copied off and sold to the highest bidder - or all bidders.

    1. Chris G Silver badge

      " its own isolated network"

      It may be a little inconvenient but still less so than digging out a ledger as in the old days.

  5. Anonymous Coward

    Password security?

    What's password security? I've worked at a Russell Group university for the last 4 years without having to change my password. (Yes, basic complexity is enforced, but no changes). Rather different from my time at the NHS...

    AC, because I need to stay working there a bit longer yet.

    1. Yet Another Anonymous coward Silver badge

      Re: Password security?

      And the reason for changing your password regularly is ?????

      It used to be that brute forcing your password took months so the assumption was if you changed it every 3 months it was secure. Nobody is currently taking 3 months to brute force a hashed /etc/passwd.

      So forcing you to change it every month just means lots of "my_dogs_name_N+1" passwords.

    2. Potemkine! Silver badge

      Re: Password security?

      Before enforcing a regular password change policy, one would have to convince me it's efficient.

      First, most of the time a regular password change just implies a digit change.

      Next, regularly changing passwords leads users to write them somewhere, something that should be radically forbidden.

      I don't think I'm the only one to believe this:

      Why Regularly Changing Your Password Puts You More at Risk of Attack

      NIST Changes Course and Advises Against Regularly Changing Passwords

      1. Anonymous Coward

        Ban "writing down" passwords....

        @Potemkine!

        Ever played the word game called hangman? Start with a row of blank "characters" and try to guess the word. So here's a password of mine ....yes.....written down:

        P _ _ _ _ Y _ _ _ _ _ B _ _ _ _

        There are thirteen blanks....and I can easily fill in the blanks even without any clues. And this example has more than 10**21 possible ways of filling in the blanks (that's a decimal number with 21 decimal digits). Go ahead.....tell me what my password is. Or...tell me how much time a robot will take to try out ALL THE POSSIBILITIES........and that's assuming the password protects something more valuable than some cat videos!!

        1. John Brown (no body) Silver badge

          Re: Ban "writing down" passwords....

          "P _ _ _ _ Y _ _ _ _ _ B _ _ _ _"

          PimplYfacedBogie?

      2. Yet Another Anonymous coward Silver badge

        Re: Password security?

        >write them somewhere, something that should be radically forbidden.

        Not convinced about that. Having a secure online banking password written in the back of your diary in your handbag is probably a better defence against N Korea hackers than memorising "Passw0rd$"

        Ps don't write "my XYZ bank password is" in front of it!

    3. Anonymous Coward

      Re: Password security?

      I wouldn't mind if an institute I might have worked at had enforced one of password complexity *or* password expiry for senior staff, but they were instructed not to by those same senior staff.

      While many universities/colleges have moved to improve their security for their staff and students, the arcane and convoluted politics of other institutions mean that these same problems exist and will not go away until there is (a) a change of personnel at the top of the organisation or (b) a major incident at said institution which itself causes (a).

      AC for the same reasons...

  6. Anonymous Coward

    You have nothing to Fear

    but National Security Services themselves.

    1. Bonzo_red

      Re: You have nothing to Fear

      Try convincing the family of the woman who died because the Dusseldorf University hospital had been compromised. She had to be taken to another hospital as a result and arrived too late to save her life.

  7. Anonymous Coward

    ...but no mention of WiFi security......

    .....strange. Perhaps the "experts" in Cheltenham don't know about this piece in yesterday's (Thursday's) El Reg:

    - https://www.theregister.com/2020/09/17/dot_pentesers_expose_wifi/

    Or perhaps GCHQ actually know all about WiFi hacks, but would prefer others to remain ignorant....because they do that sort of thing themselves! Surely not:

    - https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/

    Just saying.

  8. Loud Speaker

    Windows?

    Are UK Universities using Windows? They didn't when I was a student (cos the PC had not been invented - it was all ICL mainframes).

    Surely all the UK Universities could club together and produce a BSD clone for University use.

    For added confusion, they could call it "University Software Distribution" or "USD" for short ;-()

    If every Computer Science student had to produce a device driver ...

    No, wait ....

  9. Anonymous Coward

    You'd have thought state organisations

    would have state level protection by those whose core expertise is security.

    But maybe that's just too radical a concept.

    Or maybe they're just another example of The Shirky Principle.


Biting the hand that feeds IT © 1998–2020