Category Archives: passwords

Round-up: Top posts of 2015

2015 is almost over and we have been pleased and delighted to welcome many new followers and contributors to the Advent IM Holistic Security blog. It’s hard to wade through all the content but we thought it would be nice to present you with a list of some of our most popular posts this year, by month. (This is based upon what people read and not necessarily when they were published.)

In January, we warned you to watch out for phishing emails if you had nice shiny new devices for Christmas. We were recognised as Cyber Security Solution Suppliers to Her Majesty’s Government and we enjoyed a visit from The Right Honourable Francis Maude to talk all things CyberSec.


In February, we had a visit from James Morrison MP to talk about how cyber attacks affect local and national businesses, we launched a whitepaper on CCTV in schools and discussed the key ‘watch-outs’ in off-shoring data in relation to Data Protection.


In March, we were exhibiting and speaking at the Security & Policing Event at Farnborough (we will be at the next one too, watch this space for details!). Mike Gillespie’s quote in The Sunday Times, talking about SMEs and Cyber Security back in 2014, suddenly shot back up the blog statistics as people explored some of our older posts.


In April, law firms were in the sights of the ICO and we blogged about it, and people looking for Senior Information Risk Owner Training found their way to the blog. Of course, if you do want to book training you need to go via the website.

In May, Ransomware was on everyone’s radar, including ours. A lot of readers also sought out an old post on mapping the control changes in ISO 27001 2005 vs. 2013 and we were glad they found our tool to help them with this. We think that more businesses will want to think about this standard in 2016 as security awareness continues to grow and common sense reveals the huge commercial benefits.

In June, the changes to EU Data Protection regulations had a lot of people talking. Dale Penn gave a no-nonsense post explaining what it meant and it was very well received. We had a Risk Assessment methodology post from Del Brazil, talking about Attack Trees. A post that was also very well read came from Julia McCarron, who discussed the risk in continuing to run Windows XP.

In July, Social Engineering was a key topic and one of our blog posts was very well visited: The Best Attack Exploit by Dale Penn is still receiving visits. Dale also wrote, with clarity, about hacking Planes, Trains and Automobiles, as well as the coverage this kind of hacking was receiving.

In August, we heard about Hacking Team being hacked and it revealed some very risky security behaviour. Dale Penn wrote about this event and other security specialists being targeted. In August, a very old blog post started to get some traffic again as people wanted to read about secure destruction of hard drives, and a guest post from Malcolm Charnock got hoisted back into the charts.

In September, TOR was in the press, sometimes as a hero but usually as a villain…well, perhaps not a villain but certainly suspicious. We tried to throw some light on what TOR is for the uninitiated and explain why and how it is deployed by a variety of users. It came courtesy of Del Brazil. Another very old post on USBs also got raised from the archive: The Ubiquitous Security Breach.

In October, traffic to the blog doubled and we welcomed many more new readers. All of the posts mentioned here were read, but far and away the winner was Crime of Our Generation from Chris Cope, talking about TalkTalk’s disastrous breach. Marks and Spencers were discussed by Julia McCarron in light of their own security failure. Attack of the Drones discussed a variety of drone-related areas, uses and unintended consequences. A nuclear power plant worker was found researching bomb making on a laptop at work and the EU Safe Harbour agreement melted away. It was a very busy month…

In November, The Bank Of England expressed some firm opinion on cyber security requirements in the Financial sector. Morrisons staff took to the courts to sue over the data breach that exposed their personal information. Australia jailed a former junior bureaucrat who leaked defence material onto the notorious 4Chan website. The previous posts on TalkTalk, M&S, BoE, Safe Harbour and EU DP Regulations were also extensively read in November.

And finally, December…Well, the Advent Advent Calendar has been a festive fixture for three years now so we had to make sure it was included, and it has, as always, been well trampled and shared. We also added a new festive bit of fun in the form of the 12 Days of a Phishy Christmas and some Security Predictions from the team for 2016. Why would anyone hack the weather? was a look at how attacks can be intended for other parts of a supply chain. Finally TalkTalk popped up in the news and in conversation again, as it emerged that Police had advised the firm not to discuss their breach.

Christmas card 2015


Have you got the energy for another breach…?

Julia McCarron, Advent IM Director, looks at the British Gas breach that saw customer details published online and the energy giant claiming they had not been breached and the details must have come from elsewhere…

So let’s get this straight. The email addresses and passwords definitely belonged to British Gas customers? Tick. They definitely accessed British Gas customer accounts? Tick. But the data didn’t come from British Gas? Dot. Dot. Dot.

It appears that where there’s blame there’s a claim. British Gas are blaming everyone else’s recent security incident misfortunes and claiming it’s the result of information from other data breaches being pieced together, testing passwords which were re-used across multiple accounts. Or they’ve been uncovered as the result of a phishing campaign. One or the other… they’re not sure which.

Is this possible? Well yes, in today’s sophisticated technological world it probably is, to be honest. And that’s quite scary and brings us round to a common theme of ours… password management.


Every action we do online these days requires a password. Shopping accounts, banks, building societies, utility suppliers, pensions, social media, YouTube, movie streaming, e-reader accounts… And what do we have a tendency to do? Use the same password so that we don’t forget it. What else do we do? Use the cat’s name and granny’s date of birth. For those of us working in security, or in an organisation with a good security culture, we are aware of the bad practice this demonstrates, but many consumers out there have not grown up in an electronic information security environment. This makes British Gas’ claim a distinct possibility given the sophistication of the unethical hacker community.

Recent guidance issued by CESG and the Centre for the Protection of National Infrastructure (CPNI) explains how passwords are discovered.

Attackers use a variety of techniques to discover passwords, which include:

  • social engineering eg phishing; coercion.
  • manual password guessing, perhaps using personal information ‘cribs’ such as name, date of birth, or pet names.
  • intercepting a password as it is transmitted over a network.
  • ‘shoulder surfing’, observing someone typing in their password at their desk.
  • installing a keylogger to intercept passwords when they are entered into a device.
  • searching an enterprise’s IT infrastructure for electronically stored password information.
  • brute-force attacks; the automated guessing of large numbers of passwords until the correct one is found.
  • finding passwords which have been stored insecurely, such as handwritten on paper and hidden close to a device.
  • compromising databases containing large numbers of user passwords, then using this information to attack other systems where users have re-used these passwords.


In business we can do something about this through implementing policies and procedures, providing security awareness training to our staff and implementing technical controls that prevent, detect and monitor activity to reduce the risk of a data breach.

The general public may not have the knowledge or resources to implement these controls, and arguably the likes of British Gas need to help their users cope with password overload. The same CESG/CPNI guidance suggests how service providers might do this.

“Users are generally told to remember passwords, and to not share them, re-use them, or write them down. But the typical user has dozens of passwords to remember – not just yours. Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.

  • Only use passwords where they are really needed.
  • Use technical solutions to reduce the burden on users.
  • Allow users to securely record and store their passwords.
  • Only ask users to change their passwords on indication or suspicion of compromise.
  • Allow users to reset passwords easily, quickly and cheaply.
  • Do not allow password sharing.
  • Password management software can help users, but carries risks.”
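The last of the CESG/CPNI discovery techniques above (a stolen password database replayed against other services where users re-used the password) is exactly the scenario British Gas describe, and the guidance’s “change passwords on indication or suspicion of compromise” is what a provider does once it spots that happening. As an added illustration, not taken from the guidance or from Advent IM, here is a small Python detector run over constructed login-audit lines: the log format, field order, addresses and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login-audit lines (not real data).
# Fields: ISO timestamp, client IP, username, result (OK/FAIL)
SAMPLE_LOG = """\
2015-10-28T09:00:01 203.0.113.7 alice@example.net FAIL
2015-10-28T09:00:02 203.0.113.7 bob@example.net FAIL
2015-10-28T09:00:02 203.0.113.7 carol@example.net OK
2015-10-28T09:00:03 203.0.113.7 dave@example.net FAIL
2015-10-28T09:00:03 203.0.113.7 erin@example.net FAIL
2015-10-28T09:05:10 198.51.100.20 alice@example.net FAIL
2015-10-28T09:05:40 198.51.100.20 alice@example.net OK
2015-10-28T09:07:00 192.0.2.9 grace@example.net OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_ratio=0.3):
    """Credential stuffing replays leaked username/password pairs: one source
    tries MANY DISTINCT usernames and mostly fails. Return {ip: (users,
    attempts, successes)} for sources meeting that profile in any `window`."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward in time
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(ok for _, _, ok in chunk)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                flagged[ip] = (len(users), len(chunk), successes)
                break
    return flagged

def compromised_accounts(log_text, flagged):
    """Accounts that logged in OK from a flagged source: re-used passwords that
    worked. Force-reset these (an 'indication of compromise'), not everyone."""
    return {user for line in log_text.splitlines() if line.strip()
            for _, ip, user, ok in [parse_line(line)] if ok and ip in flagged}
```

On the sample, the single source that cycles through five different customer emails in four seconds is flagged, while the genuine user who mistypes once and then succeeds is not; only the one account whose re-used password actually worked is queued for a reset.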

So rather than simply saying “this isn’t our fault”, British Gas could perhaps be ‘looking after our world’ by improving how their customers manage their passwords? They may have got to 9/10 boiler breakdowns the same day last year, but 9/10 password breaches won’t be good enough.