Red X iconGreen tick iconYellow tick icon
Thursday 22 August 2019 10:57pm

Look out ... The manipulation of people is more popular than ever with cyber attackers as they try to breach tight IT security systems.

Everyone's efforts are needed to stop cyber attackers breaking in to the University's systems because, despite security measures daily blocking hundreds of thousands of attacks against Otago's systems, some can get through at times.

Worldwide, security for IT systems is now so robust, cyber attackers are focusing more on manipulating people, hoping they will be the weakest link, University of Otago Senior Manager IT Assurance and Cyber Security Richard Feist says.

So, to protect the University and themselves, everyone needs unique, strong passwords for every system they use and to be very careful with emails, especially before clicking on links or attachments.

Mr Feist's recommendations for passwords include:


  • Use a long phrase with 12 characters or more, made up of four or more words that are easy to picture e.g Telephone! mouse pirate raindrop
  • Keep spaces in a password or change them to a different character (e.g. / or =)
  • Include a word from another language

Do not use:

  • The same password for several purposes – use unique passwords for different accounts or systems
  • Keyboard sequences e.g. 123456, qwerty123 or gazwsxedc
  • Browser options that automatically complete logins and password for sites
  • Dictionary words with a number added, or any other obvious pattern, e.g. Computer134

The combination of new computer technology and the personal information on social media means many passwords are now considered weak because even a home computer with easily available software can mine social media then test billions of passwords a second to crack a password, Mr Feist says.

Cyber attackers usually aim to steal sensitive information, gain some sort of financial benefit or disrupt networks. Phishing attacks on the University generally target usernames and passwords, to use them for financial fraud or unauthorised access to data.

Notable phishing attempts have involved emails from a fake Vice-Chancellor Professor Harlene Hayne asking staff to buy iTunes cards, emails trying to get payroll's or suppliers' bank account details to change them to bank accounts under the attackers' control, and links to web pages that capture people's usernames and passwords to use fraudulently.

The IT Assurance and Cyber Security has some examples of phishing in a “phish tank” on the University's website.

Checking for phishing in emails should involve looking for:

  • The real email address and destination – by hovering the mouse over the email address and links. This is effective on a computer screen rather than, for example, a phone or tablet
  • Bad grammar, spelling or formatting, and an unpolished look
  • Generic salutations – dear customer etc – rather than your name
  • A call for urgency or immediate action, typically from a senior person
  • A full signature at the bottom of the email – attackers usually have a generic signature
  • Attachments that look too interesting to be true, or are totally unexpected (no indication of who sent it or why and it is not relevant to your role)

If in doubt, contact AskOtago for instructions about what to do with the email.

The three pillars of cyber security are people, processes and technology, so Mr Feist's team needs everyone to form a human firewall by making smart choices, which also includes:

  • Keeping devices safe, so they are not stolen or used by unauthorised people
  • Ensuring all mobile devices possible have biometric identification e.g. a fingerprint. If that is not possible, the pin should be at least eight characters or digits long
  • Ensuring that key data is kept on the University's central storage systems rather than laptops or other local hard drives that are not backed up e.g a C drive

To help staff and students keep themselves and the University safe from cyber attacks, the IT Assurance and Cyber Security team is working on new processes and procedures combined with training for staff and students, Mr Feist says.

Want to know more?

Phone: ext 4794 , ext 9266

Check out these two websites with more information about phishing: NZ Cert phishing and Knowbe4 phishing information

Back to top