I saw this article on BBC today http://www.bbc.co.uk/news/technology-37821867 which states that the UK Government intend to spend several billion pounds to increase UK cyber-security. Sounds good on paper, but in real life it will no doubt end up throwing even more taxpayers' money down the drain with very little benefit.
There are a few very simple things that the UK Government can do, VERY CHEAPLY, that cut down on phishing and malware spreading and increase security enormously.
- Force all UK Government, Local Authority, Banks and other common financial institutions to use Extended Validation (EV) SSL certificates on all their websites, including all subdomains. This gives a full green address bar in Internet Explorer and a green padlock and organisation name at the start of the URL bar in Chrome, Firefox and Safari. It should be that no green bar or padlock on a Government site means NOT SAFE. So many Government, Local Authority or Government Agency sites are spoofed to either deliver malware or to phish for your details. Some Government Departments do use EV certificates, but not all. The ones that I have checked appear to all be subdomains of https://www.gov.uk, for example https://www.passport.service.gov.uk/filter/select-service
Why does the UK Government use a separate EV certificate for each subdomain, when it would be easier, cheaper and less confusing for a user to use one certificate on the https://www.gov.uk base domain? One commonly used site that does not use an EV certificate is the DVSA book your theory test https://wsr.theorytest.direct.gov.uk/testtaker/signin/SignInPage/DSA?locale=en_GB All sites using a standard HTTPS certificate are relatively easy to spoof using a similar domain name that is easily confused and a free SSL (HTTPS) certificate from cPanel. I will prove this in another post.
This post by Troy Hunt explains why confirmed identity on an important web site is so vital.
I really wish ALL browsers would adopt the IE mode, which is much clearer for users to see. Once it is widely known that all government and finance sites are only legitimate when you see a green URL bar, that at a stroke helps to alert a victim to a potential phishing or fraud site. They can start with sorting out the Bank of England website, as described in this post about phishing and malware spreading. Make sure ALL UK Government, Local Authority and UK based financial services emails use proper working authentication, DKIM and SPF.
- Use the resources that are already widely available. That means including the malware research communities, anti-virus and security companies and individual researchers. Listen to those of us that deal with these problems at the sharp end of things all day and every day, rather than focus groups and those that want to protect their existing self interest to avoid spending money on security.
- Set up a clearing house where all reports of phishing, malware spreading, fake websites, infected websites, phoney domains etc can and should be reported. Make it a legal requirement for all web hosting providers, email providers, domain registrars, as well as individual companies that self host their own servers, to respond within a clearly defined time frame (24 / 48 / 72 hours maximum) to a report from the "official central clearing house" and take down, null route or clean up the offending servers, or cancel fake and spoof domains. Too many hosting companies ignore reports from independent researchers and antivirus companies or even the national CERT teams, unless accompanied by a court takedown order. Yes, we know many hosting companies are not based in the UK, but they still charge and pay VAT, tax and other charges to the UK government for business conducted from the UK, which gives a degree of influence and financial pressure over them.
- Force UK domain registrars to actually perform basic checks before issuing domains. It is trivially easy to set up an automatic system that detects variations of common sites that are always used for phishing, like Government sites, Banks, PayPal, Apple, Microsoft, Adobe, Courier companies etc. Any suspicious domain name that somebody attempts to register should be referred to a human to check and either approve or reject. That would allow somebody to register a site like Ihatepaypal.co.uk but reject a site that would be an obvious spoof or phishing site like paypal-update.co.uk. They also need to check whether the alleged registrant actually exists and whether the name, address and phone number given are real and match. Domains registered to 10 Downing Street SW1A 2AA or House of Commons SW1A 1AA are more than likely to be false.
- Do not use the same dangerous behaviour that we commonly see in phishing & malware scam emails. For a glaringly stupid example of a government department email that looks identical to a phishing email, telling you to click the link inside the attached document, please see https://myonlinesecurity.co.uk/uk-government-departments-encourage-phishing-malware-spreading-and-bad-practices/
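As an added illustration of the registrar pre-screen described above (this is example code written for this post's argument, not anything a registrar actually runs), the following Python flags lookalike registration requests for a human to review while letting names such as Ihatepaypal.co.uk through. The brand watch-list, the homoglyph table and the similarity threshold are assumptions for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed watch-list of brands routinely impersonated in phishing
# (assumption for this example; a registrar would maintain its own list).
PROTECTED_BRANDS = ("paypal", "apple", "microsoft", "adobe", "dvla", "hmrc", "barclays", "dhl")

# Digits and symbols phishers swap in to dodge exact-string matching (paypa1 -> paypal).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})

# Public suffixes handled by this toy; a real system would use the Public Suffix List.
KNOWN_SUFFIXES = (".co.uk", ".org.uk", ".me.uk", ".ltd.uk", ".uk")


def registrable_label(domain: str) -> str:
    """Return the part the applicant chose: 'paypal-update' from 'www.paypal-update.co.uk'."""
    d = domain.lower().strip(".")
    for suffix in KNOWN_SUFFIXES:
        if d.endswith(suffix):
            d = d[: -len(suffix)]
            break
    return d.rsplit(".", 1)[-1]


def screen_domain(domain: str, threshold: float = 0.8) -> tuple[str, str]:
    """Pre-screen a registration request.

    Returns ("refer", reason) when a human should review it, else ("approve", reason).
    """
    label = registrable_label(domain)
    folded = label.translate(HOMOGLYPHS)
    tokens = [t for t in re.split(r"[-_]", folded) if t]
    for brand in PROTECTED_BRANDS:
        # Brand used as its own hyphenated token plus lure wording ("paypal-update", "hmrc-refund").
        if brand in tokens and len(tokens) > 1:
            return "refer", f"brand '{brand}' combined with extra wording"
        # Bare brand name, or the brand with digit/letter substitutions ("paypa1").
        if folded == brand:
            reason = f"exact brand '{brand}'" if label == brand else f"homoglyph of '{brand}'"
            return "refer", reason
        # Misspellings a character or two away ("mircosoft", "paypall").
        for t in tokens:
            if t != brand and SequenceMatcher(None, t, brand).ratio() >= threshold:
                return "refer", f"near-miss of '{brand}' ({t})"
    # A brand buried inside ordinary wording ("ihatepaypal") is not flagged by these rules.
    return "approve", "no lookalike pattern detected"
```

Anything returned as "refer" goes to the human reviewer the post calls for; the script only decides what is worth their time.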
All these take some money to set up but mainly involve changing methods of working and changing accepted practices.