Watch out, phishers about

Phishing

Day in, day out, cyber criminals probe the BBC's IT defences, searching for chinks in our electronic armour so they can steal information and block output.

'We are aware of a variety of threats,' says David Jones, recently appointed head of Information Security. 'We have a series of very high profile events this year, from the Jubilee, to the Olympics to the US election, and we know we are a serious target to a number of groups with good capability to attack us.'

He says cyber attacks have two motivations. Scammers and cyber criminals try to gain access so they can steal money or financially useful data; other external attacks are carried out for disruption and publicity.

Massive attacks

The BBC was attacked last month when it came under a DDoS [distributed denial of service] assault. Thousands of devices simultaneously targeted the BBC corporate internet links with huge volumes of spurious traffic, which caused the gateways to slow to a crawl. Internally it meant staff were unable to access email or the internet. Mark Thompson accused Iran of the assault, which coincided with jamming of satellite feeds into the country.

Cyber-crime gangs and politically motivated groups have access to enormous computing power in planning such attacks. They can buy space on a botnet [a collection of computers which have been compromised by a virus], or create their own, harnessing tens of thousands of devices to all file the same request at the same time.

Sophisticated scams

'Phishing' attacks, in which an individual is approached either by email or by phone, are financially motivated. The phisher will be looking for bank details. Everyone will be familiar with the email purporting to be from someone wanting to wash vast sums of money through your bank account, in return for which you will allegedly get a handsome payment. They usually contain spelling or grammatical errors and are relatively easy to detect. Then there are the random emails which claim to be from your bank, asking you to re-input your account details - amusing when you don't have an account at that bank.

Jones says the phishers are getting more sophisticated. 'They are now increasingly scamming following disasters or charity appeals. One way to check is to hover your mouse over the link they ask you to click on to donate. If you do that the full URL will come up, and if it doesn't look like a longer form of the link, or emanates from a country you think it shouldn't be coming from, you are probably being scammed.'
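The hover-over check Jones describes can be applied mechanically to an email body: pull out every link, compare the address the visible text shows with the address the link really goes to, and flag links that land on a country-code domain the reader would not expect. The Python script below is an added example, not code from the article or from the BBC. The email body, the charity domain and the attacker domain in it are constructed for illustration, and `registrable_domain` is a deliberate approximation (last two labels, no public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (hypothetical charity appeal; not a real message).
SAMPLE_EMAIL_HTML = """
<p>Please donate to the relief appeal using one of the links below.</p>
<p><a href="https://www.example-charity.org/donate">https://www.example-charity.org/donate</a></p>
<p><a href="http://www.example-charity.org.attacker.example/login">www.example-charity.org/donate</a></p>
<p><a href="https://www.example-charity.org.xx/give">Give now</a></p>
"""

# Does the visible link text look like a web address (host with at least one dot)?
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Approximate the 'owner' part of a host as its last two labels.
    Assumption: this simplification stands in for a real public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(text, href):
    """Apply the two hover-over checks to one link and return a list of
    human-readable warnings (an empty list means nothing looked suspicious)."""
    warnings = []
    host = urlparse(href).hostname or ""
    if not host:
        return ["link has no host: %r" % href]
    # Check 1: the text shows a web address, but the real URL is not a longer form of it.
    if LOOKS_LIKE_URL.match(text):
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(host):
            warnings.append("text shows %s but link goes to %s" % (shown_host, host))
    # Check 2: the link lands on a country-code domain (two-letter suffix) for the reader to judge.
    tld = host.rsplit(".", 1)[-1]
    if len(tld) == 2 and tld.isalpha():
        warnings.append("link goes to country-code domain .%s (%s)" % (tld, host))
    return warnings


def scan_email(html):
    """Return {href: [warnings]} for every link in the email body that raised a warning."""
    collector = LinkCollector()
    collector.feed(html)
    report = {}
    for text, href in collector.links:
        problems = check_link(text, href)
        if problems:
            report[href] = problems
    return report


if __name__ == "__main__":
    for href, problems in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href)
        for problem in problems:
            print("   -", problem)
```

Run against the constructed sample, the genuine donate link passes both checks, the second link is flagged because its text shows the charity's domain while the href resolves to a different registrable domain, and the third is flagged only because it ends in a two-letter country-code suffix, which is exactly the judgement call the article leaves to the reader.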

Employee error, including trustingly giving information to phishers, accounts for 65 to 95 per cent of data loss and security breaches at companies.

Use your judgement

This month Atos reported a social engineering attempt to persuade a BBC employee to reveal IT information. In this instance the staff member was telephoned by someone claiming to be from Microsoft, who asked him to visit a particular URL. The staff member refused, but in the conversation the phisher learnt that Atos is the BBC support service - so next time he rings he can claim to be from Atos.

'Each piece of information is progressively more useful to them,' says Jones, 'so it's really down to individuals to use their own judgement. One particular warning sign is if you haven't initiated a call to Atos.'

Jones advises that staff who have doubts about a caller should ask for a name, then contact the service desk. 'They'll quickly tell you if they made the call. If the person ringing asks you to call an external number that's a giveaway.'

Information campaign

This summer Jones' Information Security team will run a campaign to alert staff to the risks of being gulled into giving out confidential information and to offer advice on how to guard against being tricked. In the meantime Jones offers one simple piece of advice. 'Common sense is the best defence.'

In practice that means reading emails carefully, checking links and questioning people who ask for information over the phone.

Jones is frank that the biggest single risk to the BBC is accidental damage or disclosure by its own staff.

'That's not a criticism of the staff in any way. It's simply that every day we deal with massive amounts of data and people are under pressure and that means things can happen which can cause risks.'

And he says the information security teams are 'always' one step behind the hackers, but adds: 'It makes our life absolutely fascinating. We have to keep across developments everywhere, we have to look across our infrastructure the whole time.'

BBC © 2014