GCHQ says protect yourself
But don't use encryption; because only terrorists, people-traffickers and (looks up list of today's official daily hate) EU Brexit negotiators use encryption
GCHQ offshoot the National Cyber Security Centre has warned Further and Higher Education institutions in the UK to be on their guard against ransomware attacks as the new academic year (sort of) gets under way. NCSC sent advice to places of learning "containing a number of steps they can take to keep cyber criminals out of …
Ironic, given Trump just released Taliban responsible for Putin-contract killing of US troops, and has been sharing intel with Putin.
https://www.washingtonpost.com/politics/2020/09/11/daily-202-taliban-prisoners-linked-killing-us-troops-are-released-ahead-911-anniversary/
I bet when people signed up to 5-eyes work, they thought they were the good guys, protecting the west from terrorists and Putin, and yet here they are, their backdoors are the biggest threat to the security of the west.
Protect yourselves from your own spooks.
Is GCHQ fully protected against phisher men and women .... or are they just as incredibly vulnerable and addictively attracted to exotic and erotic temptations as would everyone else be?
And are they suitably practised and remarkably expert in ....... well, let us venture they have an ardent interest in Pornographic Steganography, in multiple degrees of excessive order and participation, in order to ensure communications are able to be kept personal and private rather than exposed for simple pirating and renegade exploitation ‽ .
It has many ardent enthusiastic fans .... for all of the really basic reasons which any hot blooded being would immediately fundamentally understand and encourage demonstration of. :-)
"This trove of information puts a target on the back of every good-sized school, college, or university."
Just an idea but how about putting that trove on its own isolated network? Yes, inconvenient when somebody has to answer a query that came in by email. But look on it as a choice of that inconvenience vs the inconvenience of an attack on that trove and at best having to rebuild it from backups and at worst seeing it copied off and sold to the highest bidder - or all bidders.
What's password security? I've worked at a Russell Group university for the last 4 years without having to change my password. (Yes, basic complexity is enforced, but no changes). Rather different from my time at the NHS...
AC, because I need to stay working there a bit longer yet.
And the reason for changing your password regularly is ?????
It used to be that brute forcing your password took months so the assumption was if you changed it every 3 months it was secure. Nobody is currently taking 3 months to brute force a hashed /etc/passwd.
So forcing you to change it every month just means lots of "my_dogs_name_N+1" passwords.
Before enforcing a regular password change policy, one would have to convince me it's efficient.
First, most of the time a regular password change just implies a digit change.
Next, changing passwords regularly leads users to write them somewhere, something that should be radically forbidden.
I don't think I'm the only one to believe this:
Why Regularly Changing Your Password Puts You More at Risk of Attack
NIST Changes Course and Advises Against Regularly Changing Passwords
@Potemkine!
Ever played the word game called hangman? Start with a row of blank "characters" and try to guess the word. So here's a password of mine ....yes.....written down:
P _ _ _ _ Y _ _ _ _ _ B _ _ _ _
There are thirteen blanks....and I can easily fill in the blanks even without any clues. And this example has more than 10**21 possible ways of filling in the blanks (that's a decimal number with 21 decimal digits). Go ahead.....tell me what my password is. Or...tell me how much time a robot will take to try out ALL THE POSSIBILITIES........and that's assuming the password protects something more valuable than some cat videos!!
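As an added illustration (not from the article or any commenter) of the argument running through the posts above: forced rotation only matters in the narrow band where the time to exhaust the keyspace is comparable to the rotation interval; a short password falls long before the rotation, and a long pattern like the hangman one is safe without it. The pattern is the commenter's; the 52-letter alphabet, the attacker rate of 1e10 guesses per second and the 90-day window are assumptions.

```python
SECONDS_PER_DAY = 86400

# Constructed sample values (assumptions, not from the thread): the commenter's
# hangman pattern, an assumed 52-letter alphabet (upper + lower case), an assumed
# offline attacker trying 1e10 hashes per second, and a 90-day rotation policy.
HANGMAN_PATTERN = "P _ _ _ _ Y _ _ _ _ _ B _ _ _ _"
ASSUMED_ALPHABET = 52
ASSUMED_GUESSES_PER_SECOND = 1e10
ROTATION_DAYS = 90


def pattern_keyspace(pattern: str, alphabet_size: int, blank: str = "_") -> int:
    """Candidates for a hangman-style pattern: the shown letters are fixed,
    each blank ranges over alphabet_size symbols."""
    return alphabet_size ** pattern.count(blank)


def expected_crack_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Mean time for an exhaustive attacker, who on average hits the secret
    halfway through the space."""
    return keyspace / (2 * guesses_per_second)


def crack_probability_within(keyspace: int, guesses_per_second: float, days: float) -> float:
    """Share of the keyspace an attacker covers before the next rotation (capped at 1).
    Near 1: rotation comes too late to help.  Near 0: the password was safe anyway."""
    covered = guesses_per_second * days * SECONDS_PER_DAY
    return min(1.0, covered / keyspace)


def rotation_verdict(keyspace: int, guesses_per_second: float, days: float) -> str:
    """Classify whether a rotation policy changes the outcome for this keyspace."""
    p = crack_probability_within(keyspace, guesses_per_second, days)
    if p >= 1.0:
        return "cracked before rotation"
    if p < 1e-3:
        return "safe without rotation"
    return "rotation matters"


def demo() -> dict:
    """Compare a weak 8-lowercase-letter password with the 13-blank hangman pattern."""
    cases = {
        "8 lowercase letters": 26 ** 8,
        "hangman pattern, 13 blanks": pattern_keyspace(HANGMAN_PATTERN, ASSUMED_ALPHABET),
    }
    results = {}
    for name, space in cases.items():
        results[name] = rotation_verdict(space, ASSUMED_GUESSES_PER_SECOND, ROTATION_DAYS)
        days = expected_crack_seconds(space, ASSUMED_GUESSES_PER_SECOND) / SECONDS_PER_DAY
        print(f"{name}: keyspace {space:.2e}, expected crack {days:.3g} days -> {results[name]}")
    return results


if __name__ == "__main__":
    demo()
```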
>write them somewhere, something that should be radically forbidden.
Not convinced about that. Having a secure online banking password written in the back of your diary in your handbag is probably a better defence against N Korea hackers than memorising "Passw0rd$"
PS don't write "my XYZ bank password is" in front of it!
I wouldn't mind if an institute I might have worked at had enforced one of password complexity *or* password expiry for senior staff, but they were instructed not to by those same senior staff.
While many universities/colleges have moved to improve their security for their staff and students, the arcane and convoluted politics of other institutions mean that these same problems exist and will not go away until there is (a) a change of personnel at the top of the organisation or (b) a major incident at said institution which itself causes (a).
AC for the same reasons...
.....strange. Perhaps the "experts" in Cheltenham don't know about this piece in yesterday's (Thursday's) El Reg:
- https://www.theregister.com/2020/09/17/dot_pentesers_expose_wifi/
Or perhaps GCHQ actually know all about WiFi hacks, but would prefer others to remain ignorant....because they do that sort of thing themselves! Surely not:
- https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/
Just saying.
Are UK Universities using Windows? They didn't when I was a student (cos the PC had not been invented - it was all ICL mainframes).
Surely all the UK Universities could club together and produce a BSD clone for University use.
For added confusion, they could call it "University Software Distribution" or "USD" for short ;-()
If every Computer Science student had to produce a device driver ...
No, wait ....
would have state level protection by those whose core expertise is security.
But maybe that's just too radical a concept.
Or maybe they're just another example of The Shirky Principle.