On Receiving USB Memory Sticks In The Post

A warning has been issued about US businesses receiving “bad” USB memory sticks in the post. The technique is not new; what is new is that the sticks are being used to deliver ransomware.

If you receive items in the post, be especially wary of USB memory sticks. If the stick is unexpected, comes from a sender you have never received anything from before, or there is any other reason to suspect it, pass it to IS for inspection rather than plugging it in.

A “Bash Bunny”

That’s a genuine “bad USB” device from my collection of tools; a real attack device won’t be this obvious.

A genuine memory stick is just storage. But an attacker can build (or buy) something that looks like a memory stick and can be programmed to present itself as almost any kind of USB device: a keyboard, a mouse, or something else.

A keyboard is the common choice because the operating system trusts keyboards: the device types keystrokes at machine speed that download and install malware, giving the attacker full control of the system you are using.
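As an added example (not code from the original post), here is how such a device gives itself away at enumeration time, and the check a USB device-control policy performs: a genuine stick presents a single mass-storage interface, whilst a keystroke-injecting device has to present a HID keyboard interface, alone or alongside storage. The descriptors and vendor/product IDs below are constructed, not captured from a real device, and the rule line is rendered in USBGuard style as I understand its with-interface grammar (an assumption, so check against your own tool’s documentation).

```python
"""Assess a newly enumerated USB device by the interface classes it presents.

Added example, not code from the original post. The sample descriptors and
vendor/product IDs are constructed for illustration.
"""
from dataclasses import dataclass

# USB-IF interface class codes
HID = 0x03
MASS_STORAGE = 0x08
CDC_CONTROL = 0x02
# HID boot-interface subclass and the protocol codes defined under it
HID_BOOT_SUBCLASS = 0x01
HID_PROTO_KEYBOARD = 0x01
HID_PROTO_MOUSE = 0x02


@dataclass(frozen=True)
class Interface:
    cls: int
    subclass: int
    protocol: int

    def triple(self):
        """Render as the cc:ss:pp form used by lsusb and USBGuard rules."""
        return f"{self.cls:02x}:{self.subclass:02x}:{self.protocol:02x}"


@dataclass(frozen=True)
class Device:
    vendor_id: int
    product_id: int
    interfaces: tuple


def is_keyboard(iface):
    return (iface.cls == HID and iface.subclass == HID_BOOT_SUBCLASS
            and iface.protocol == HID_PROTO_KEYBOARD)


def assess(device):
    """Return ("allow" | "block", reasons) for something handed over as a memory stick.

    Anything other than a pure mass-storage device is blocked and explained."""
    reasons = []
    classes = {i.cls for i in device.interfaces}
    if any(is_keyboard(i) for i in device.interfaces):
        reasons.append("presents a keyboard interface, so it can inject keystrokes")
    if MASS_STORAGE not in classes:
        reasons.append("presents no mass-storage interface at all")
    extra = sorted(classes - {MASS_STORAGE})
    if MASS_STORAGE in classes and extra:
        reasons.append("composite device: storage plus class(es) "
                       + ", ".join(f"{c:02x}" for c in extra))
    return ("block" if reasons else "allow"), reasons


def usbguard_rule(device, verdict):
    """Suggested rule (USBGuard-style syntax, assumed) pinning the device to the
    exact interface set observed, so a firmware that later adds a keyboard no
    longer matches an allow rule."""
    triples = " ".join(i.triple() for i in device.interfaces)
    return (f"{verdict} id {device.vendor_id:04x}:{device.product_id:04x} "
            f"with-interface equals {{ {triples} }}")


# Constructed sample descriptors (not from real hardware)
GENUINE_STICK = Device(0x1234, 0x0001, (Interface(MASS_STORAGE, 0x06, 0x50),))  # SCSI, bulk-only
BAD_USB = Device(0x1234, 0x0002, (
    Interface(HID, HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD),  # types the payload
    Interface(MASS_STORAGE, 0x06, 0x50),                     # still looks like a stick
    Interface(CDC_CONTROL, 0x02, 0x00),                      # serial channel for control
))
KEYBOARD_ONLY = Device(0x1234, 0x0003, (Interface(HID, HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD),))

if __name__ == "__main__":
    for dev in (GENUINE_STICK, BAD_USB, KEYBOARD_ONLY):
        verdict, why = assess(dev)
        print(verdict, why)
        print("   ", usbguard_rule(dev, verdict))
```

On Linux, `lsusb -v` shows the same bInterfaceClass/bInterfaceSubClass/bInterfaceProtocol values per interface, so the check can be done by hand on a test machine that is not joined to anything important.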

Posted in Uncategorized

Cyber Essentials v3.0

In January 2022, the NCSC will introduce an updated set of requirements for the Cyber Essentials scheme (v3.0). This update is the biggest overhaul of the scheme’s technical controls since it was launched in 2014 and is a response to the evolving cyber security challenges that organisations now face.

The way we work has changed dramatically over a short period. The speed of digital transformation and the adoption of cloud services are driving factors, as is the move to home and hybrid working, accelerated by the COVID-19 pandemic and now routine for many people.

The refresh of Cyber Essentials reflects these changes and also signals a more regular review of the scheme’s technical controls.

The University passed the annual Cyber Essentials Plus recertification on 29 November 2021. We will have to be ready to re-certify against v3.0 in late November 2022. An assessment of the impact of the changes is underway, and plans to adapt our working practices will follow.

Please contact Rob Walker (robbie.walker@port.ac.uk) if you have any questions.

Posted in Uncategorized

The “Secret” BCC Email Header

You want to send an email to a long list of people; perhaps that list should remain private, or perhaps you just want to avoid the inconvenience of people seeing a huge “To” field with tons of other addresses in. What do you do?

Use the “Bcc” field.

When composing a new message in Google Mail :-

New Message Screenshot

Click on the little “Bcc” at the top right :-

New Message with Bcc Screenshot

The window changes to show a “Bcc” field. Addresses entered there receive the email, but they are not visible to anyone receiving it.

“Bcc” is short for “blind carbon copy”, a reference to an ancient office technology that most of us are too young to remember (even me!). It behaves the same as “To” except that the addresses listed in it are stripped from the message before delivery, so recipients cannot see them.

Why is this important?

For a start, it is a lot neater for those reading the message, who are spared a whole mess of additional recipient addresses.

Secondly (and far more importantly), if the recipient addresses are private, exposing them in an email is a data breach. Most cases are less serious, but it is exactly the kind of mistake behind the recent leak of the email addresses of Afghan interpreters.

If you do not use the Google Mail web interface, your client will still have a “Bcc” field, although where it is and how to reveal it varies from client to client.
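As an added example (not from the original post), here is what actually happens to Bcc addresses when a message is sent, spelled out in code rather than left to the mail client. Delivery is driven by the SMTP envelope (the RCPT TO list), not by the headers; the Bcc header is removed from the bytes that go over the wire. The addresses are made up and nothing is transmitted.

```python
"""What happens to Bcc addresses when a message is actually sent.

Added example, not from the original post. Addresses are made up; no mail is
sent. The function returns the SMTP envelope recipients and the message bytes
that would be transmitted, with the Bcc header removed.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses


def build_message(sender, to, bcc, subject, body):
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def prepare_for_transport(msg):
    """Return (envelope_recipients, wire_bytes).

    Every address in To, Cc and Bcc becomes an RCPT TO command; the Bcc header
    is then deleted from the copy that is transmitted. smtplib.send_message and
    clients such as Gmail do exactly this for you; here it is made explicit."""
    fields = []
    for header in ("To", "Cc", "Bcc"):
        fields.extend(msg.get_all(header, []))
    envelope = [addr for _, addr in getaddresses(fields) if addr]

    # Work on a parsed copy so the caller's message object is untouched.
    outgoing = email.message_from_bytes(msg.as_bytes(), policy=policy.default)
    del outgoing["Bcc"]
    return envelope, outgoing.as_bytes()


def bcc_leaked(wire_bytes):
    """True if a Bcc header survived into the transmitted message (the breach case)."""
    parsed = email.message_from_bytes(wire_bytes, policy=policy.default)
    return parsed["Bcc"] is not None


# Constructed sample: one visible recipient, two that must stay private
SAMPLE = build_message(
    "sender@example.org",
    to=["announce@example.org"],
    bcc=["alice@example.net", "bob@example.com"],
    subject="Newsletter",
    body="Please see the attached note.",
)

if __name__ == "__main__":
    rcpts, wire = prepare_for_transport(SAMPLE)
    print("RCPT TO:", rcpts)
    print(wire.decode())
    print("Bcc leaked:", bcc_leaked(wire))
```

For a genuinely private list, put every address in Bcc and use your own address (or nothing) in To; that way a slip between the two fields cannot expose anyone.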

Posted in Email, General

Firewall Blocking Essentials?

Following a certain episode around Easter this year, a number of changes were made to the firewall security policy to tighten it. Since then a great deal of work has gone into identifying the web-based applications in use and making sure they are allowed through the firewall.

But in all likelihood, we’ve missed a few.

So it makes sense to test everything you use for teaching (or anything else) to see whether it works properly. If it does not :-

  1. Connect to the VPN (whether you are at home or on campus).
  2. Try again.
  3. Raise a servicedesk job requesting that “it” be allowed. To make this easier, the following would be helpful :-
    1. The username you logged into the VPN with.
    2. Roughly when you tried; the more precise the date and time, the better.
    3. A description of the application and why it is required.
    4. If you received an error, the text of the error message.

Don’t worry if it is only a “nice to have” application: whilst there are occasionally security reasons for saying no, that is relatively rare, and we are not inclined to refuse something just because it looks like entertainment (for example).

Posted in Firewall

GlobalProtect Installation for MFA VPN

This is a technical guide to some methods of installing or fixing the GlobalProtect client in the short term, whilst conversations with the relevant vendors are ongoing.

  1. Make sure you are using an up-to-date version of the client; the latest officially deployed version can be downloaded from https://staff.vpn.port.ac.uk/ or https://student.vpn.port.ac.uk/. It would be wise to completely remove older clients from the machine first.
  2. Make sure that the machine is running a supported operating system.

Windows Installation

This requires a command-line installation with an MSI property that turns on the “default browser” option :-

msiexec.exe /i GlobalProtect.msi DEFAULTBROWSER=YES

Where “GlobalProtect.msi” is the file you have copied onto the client machine.

Mac Installation

Installation on a Mac is done in the usual way, but before the VPN client is first run, a terminal command needs to be executed :-

sudo defaults write /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist '{"Palo Alto Networks" ={GlobalProtect={Settings={default-browser=yes;};};};}'

That is all on one line.

Switching Browser

At least one report suggests that changing the default browser on the client machine to an alternative, specifically from Chrome to Firefox, helps.

Posted in Technical, VPN

Spam: Mail Quotas and Bitcoin

Recently we became aware of an issue with one of our cloud service providers that weakens one of our email security measures, specifically the mechanism that makes it harder to impersonate UoP senders (i.e. any @port.ac.uk email address). This has allowed a recent increase in the amount of spam being received.

Update: as of late afternoon on 24th February the cloud vendor has fixed the issue, so the spams that exploited it should stop arriving. Leaving just the ordinary spams!

We are in contact with the vendor to resolve this issue, but in the meantime you may well receive spam with a sender address (“From”) of something@port.ac.uk.

Two quite common varieties of spam that are cropping up are mentioning mail quotas (“your mail quota is exceeded”) and bitcoins (“pay us bitcoin or we’ll leak your secrets”).

In relation to the mail quota spams :-

Example mail-quota spam (the spams you receive may look different).
  1. We do not have mail quotas; anyone offering to increase your mail quota is offering the impossible, or more likely wants your password so they can use it nefariously.
  2. If you “hover” (move the mouse pointer over the clickable link without clicking), the real destination appears at the bottom of the browser window. In this spam the link text says something like https://port.ac.uk/mail-quota/ but actually takes you somewhere else.

This is a standard phishing spam email – the link will take you to a page that looks like a login window and you will be prompted for your password. Don’t fill it in!
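The “hover” check can be automated for an HTML email body. As an added example (not from the original post), the code below extracts every link, compares the host the link really points at with the host shown in the link text (or with the trusted domain when the text merely mentions it), and reports mismatches. The HTML is constructed to mimic the mail-quota spam; the non-port.ac.uk hostnames in it are made up.

```python
"""Automate the "hover over the link" check for an HTML email body.

Added example, not from the original post. The sample HTML is constructed and
the non-port.ac.uk hostnames are made up.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Does the visible link text itself look like a URL or bare domain?
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(text):
    """Hostname of a URL or bare domain; None if there is none.
    urlparse().hostname drops the scheme, any user@ prefix, the port and the path."""
    candidate = text if "://" in text else "https://" + text
    host = urlparse(candidate).hostname
    return host.lower().rstrip(".") if host else None


def under(host, domain):
    """True if host is domain itself or a subdomain of it (the leading dot matters)."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, trusted_domain):
    """Return (href, text, reason) for links whose destination contradicts their text."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if target is None:          # mailto:, relative links, anchors
            continue
        shown = host_of(text) if URL_LIKE.match(text) else None
        if shown and not under(target, shown):
            findings.append((href, text, f"text shows {shown} but link goes to {target}"))
        elif trusted_domain in text.lower() and not under(target, trusted_domain):
            findings.append((href, text, f"mentions {trusted_domain} but link goes to {target}"))
    return findings


# Constructed sample body in the style of the mail-quota spam
SAMPLE_HTML = """
<p>Your mailbox has exceeded its quota. Click
<a href="http://mail-quota-fix.example/login">https://port.ac.uk/mail-quota/</a>
to increase it.</p>
<p>Questions? Contact <a href="https://www.port.ac.uk/support">the service desk</a>.</p>
<p>Or sign in at <a href="https://login-portal.example/port">your port.ac.uk account</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_HTML, "port.ac.uk"):
        print(f"SUSPICIOUS: {text!r} -> {href}: {reason}")
```

The same comparison is what your eye does when the real destination pops up at the bottom of the browser window; the difference is that the code never gets tired or rushed.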

In the case of the bitcoin extortion spams, the main characteristic is that they say something that amounts to “send us bitcoin or we’ll leak all your secrets”. Sometimes they will claim to have broken into your account; sometimes they will claim to have recorded you indulging in activities that you won’t want others to know.

Whilst this could be alarming, it is exceptionally unlikely to be true. Extortion spams are sent in bulk and are known to have no truth behind them; although the latest ones do not appear to be “sextortion”, that variety remains a possibility.

If you are wondering what “bitcoin” is, the Wikipedia article linked earlier in this post explains it; in summary it is a “crypto-currency”, a form of money without a backing government or central bank, implemented using cryptographic mechanisms. Criminals appear to like it because they (falsely) believe it to be anonymous.

Whilst this is an ongoing situation with a special wrinkle, the advice is still pretty standard :-

  1. If it sounds too good to be true, it probably is.
  2. Does the email “ring right”? If it came from an @port.ac.uk address :-
    1. Does it look like it was composed in Gmail?
    2. Do you normally receive emails from that sender?
    3. Is the writing standard what you would expect?
  3. Before you click on a link, check (by “hovering”) if that link takes you to where you expect.
  4. If you click on the link, does the page appear to be in the usual UoP style? Most of our authentication pages go through the same “identity provider” and although there are two main ones with different appearances, they do have a standard “look”.

Because of the current issue (which we expect to resolve in a day or two), be wary of emails from @port.ac.uk addresses that you haven’t corresponded with before.

Posted in Active Attacks, Email

The security.txt Page for Web Servers

We have recently started using a web server security scanner that is new to us; amongst other things, it highlights the absence of a file, security.txt, in the root of the web server. Hence this blog entry explaining what it is, why we need it, and what it should contain.

Note that this is not an HTML page but a plain-text file, and it must be served as such (Content-Type: text/plain).

The intention behind security.txt is to give those who find security issues with a web site an approved way to make contact. To those who argue that the information is available elsewhere, the counter-argument is that it is far more helpful to have it in a standardised location.

The minimum file should contain :-

Contact: cert@port.ac.uk
Preferred-Languages: en

You can add a second Contact line for an additional contact if you wish :-

Contact: cert@port.ac.uk
Contact: servicedesk@port.ac.uk
Preferred-Languages: en

The file must be named precisely security.txt and must be either in the root of the web server’s “document root” or in the standard well-known subdirectory (/.well-known/security.txt, per RFC 8615). RFC 9116, which standardised the format, prefers the /.well-known/ location and adds two requirements worth meeting now: an Expires field (an RFC 3339 timestamp, ideally less than a year ahead) is mandatory, and Contact values must be URIs, so write mailto:cert@port.ac.uk rather than a bare address.
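As an added example (not from the original post), here is a small validator for the file that checks the things a scanner is likely to look for: a Contact that is a URI, exactly one Expires that is still in the future and less than a year away, at most one Preferred-Languages, and a text/plain content type. The two sample files are constructed; cert@port.ac.uk and servicedesk@port.ac.uk are the addresses given in this post, and the fixed check date exists only so the results are reproducible.

```python
"""Validate a security.txt file against the basic rules of RFC 9116.

Added example, not from the original post. Sample files are constructed; the
contact addresses are the ones the post gives.
"""
from datetime import datetime, timedelta, timezone

CONTACT_SCHEMES = ("mailto:", "https://", "tel:")
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # reproducible "now" for the samples


def parse(text):
    """Return [(field, value)] in file order; comments and blank lines are skipped."""
    fields = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {line!r}")
        fields.append((name.strip().lower(), value.strip()))
    return fields


def validate(text, content_type="text/plain; charset=utf-8", now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not content_type.lower().startswith("text/plain"):
        problems.append(f"served as {content_type}, must be text/plain")
    try:
        fields = parse(text)
    except ValueError as exc:
        return problems + [str(exc)]

    contacts = [v for n, v in fields if n == "contact"]
    if not contacts:
        problems.append("Contact is required")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact {c!r} is not a URI (use e.g. mailto:{c})")

    expires = [v for n, v in fields if n == "expires"]
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                raise ValueError("missing timezone")
            if when <= now:
                problems.append(f"Expires {expires[0]} is in the past")
            elif when - now > timedelta(days=366):
                problems.append(f"Expires {expires[0]} is more than a year away")
        except ValueError:
            problems.append(f"Expires {expires[0]!r} is not an RFC 3339 timestamp")

    if sum(1 for n, _ in fields if n == "preferred-languages") > 1:
        problems.append("Preferred-Languages may appear only once")
    return problems


# Constructed samples: the post's minimum file, and one that satisfies RFC 9116
POST_MINIMUM = "Contact: cert@port.ac.uk\nPreferred-Languages: en\n"
RFC9116_OK = """# Security contact for this web server
Contact: mailto:cert@port.ac.uk
Contact: mailto:servicedesk@port.ac.uk
Expires: 2025-06-30T23:59:00Z
Preferred-Languages: en
"""

if __name__ == "__main__":
    for label, body in (("post minimum", POST_MINIMUM), ("RFC 9116", RFC9116_OK)):
        print(label, "->", validate(body, now=FIXED_NOW) or "OK")
```

Run it against the live file with the actual Content-Type header from the server response (for example from `curl -sI https://<host>/.well-known/security.txt`) and you get the same answer the scanner will give you, before the scanner does.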

Posted in Technical

Dodgy .ac.uk Web Sites

No, we are not talking about real .ac.uk web sites but fake ones. We were recently alerted to the activities of a certain well-known attacker (the “Silent Librarian”), and whilst processing the alert I noticed something worth publicising more widely.

The location bar of your browser (or the pop-up that appears when you “hover” over a link in an email) can be a useful source of information on how trustworthy a site is :-

The web site address in the screenshot (it currently gives an error if you try to visit it) has nothing to do with port.ac.uk (the university!) although it contains it. A number of the “fake” web sites used by this attacker are set up like this: the address of a well-known .ac.uk institution with a different domain tacked on to the right.

A brief aside on domains: domain names read “backwards”. For a domain such as port.ac.uk, the most significant part is on the right: uk, then ac (for academic), and finally port (for us). Labels further to the right matter more than labels to the left.

If I were to register touche.me, I could easily create a record for port.ac.uk.touche.me and point it at a web site not under the university’s control. And that is exactly what this attacker is doing.

So when you visit a web site, it is always worth double-checking the location bar to confirm that the domain is what you expect. A site can look legitimate on the left-hand side of the address whilst the right-hand side, the part that actually matters, belongs to someone else.
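As an added example (not from the original post), the code below reads an address the way the browser does: it isolates the hostname, lists its labels from the most significant end, and tests whether the name is genuinely under port.ac.uk. It also covers two related tricks: a user@ prefix in front of the real host, and a name such as myport.ac.uk that merely ends in the right letters. The touche.me name is the post’s own hypothetical registration; the other non-university hostnames are made up.

```python
"""Read a web address the way the browser does: hostname first, then labels
from the right.

Added example, not from the original post. touche.me is the post's hypothetical
registration; other non-university names are made up.
"""
from urllib.parse import urlparse


def hostname(url):
    """The host the browser will actually connect to.
    urlparse().hostname ignores anything before '@' (the user@ trick), the port,
    the path, and lower-cases the result."""
    host = urlparse(url).hostname
    return host.lower().rstrip(".") if host else None


def labels_most_significant_first(host):
    """port.ac.uk.touche.me -> ['me', 'touche', 'uk', 'ac', 'port']"""
    return host.split(".")[::-1]


def belongs_to(host, trusted):
    """True only if host is `trusted` itself or ends with '.' + trusted.
    The dot matters: myport.ac.uk is not under port.ac.uk."""
    return host == trusted or host.endswith("." + trusted)


def check(url, trusted="port.ac.uk"):
    """Describe where a URL really goes and whether it is under the trusted domain."""
    host = hostname(url)
    if host is None:
        return {"url": url, "host": None, "trusted": False, "note": "no hostname"}
    ok = belongs_to(host, trusted)
    if ok:
        note = "ok"
    elif trusted in host:
        note = f"contains {trusted} but is not under it; the browser connects to {host}"
    else:
        note = f"unrelated domain {host}"
    return {"url": url, "host": host, "trusted": ok,
            "labels": labels_most_significant_first(host), "note": note}


# Constructed sample addresses
SAMPLES = [
    "https://www.port.ac.uk/students",        # genuine: ends in .port.ac.uk
    "https://port.ac.uk.touche.me/login",     # the attacker's pattern from the post
    "https://port.ac.uk@touche.me/login",     # user@ trick: port.ac.uk is a username
    "https://myport.ac.uk/",                  # right letters, wrong domain
    "http://PORT.AC.UK./",                    # case and trailing dot do not matter
]

if __name__ == "__main__":
    for url in SAMPLES:
        result = check(url)
        print(("OK   " if result["trusted"] else "FAKE ") + url + "  :  " + result["note"])
```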

Posted in Active Attacks

What Are “Homoglyph” Attacks?

As the phrase is becoming more widely used, it seems worthwhile to explain exactly what “homoglyph attacks” are. It is perhaps a bit extreme to call them “attacks”; they are a deception technique, used especially in phishing.

It boils down to using “lookalike” characters to create something that looks like a trusted name (for example, “port.ac.uk”) yet is not (e.g. “Ꮲοrt.ɑⅽ.υk”; this one was created to deliberately look bad). If a homoglyph name is used in a clickable link, a naive check would suggest the link goes to a trusted web site when in fact you would be talking to a completely separate site.

It should be noted that we are partially protected because JANET/Jisc will not accept just any registration within .ac.uk, and certainly nothing that looks like “port”.

But it is a significant problem that is commonly used by scammers undertaking phishing attacks.
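As an added example (not from the original post), the code below does what a naive eyeball check cannot: it lists every non-ASCII character in a name with its Unicode name, reports which scripts each label mixes, and shows the “xn--” form the browser actually sends. The SPOOF string is constructed from Cyrillic and Greek letters with known code points so the results are predictable; the post’s own deliberately ugly example is run through the same functions as a second input.

```python
"""Spot lookalike (homoglyph) characters in a domain name.

Added example, not from the original post. SPOOF is constructed from letters
with known code points; POST_EXAMPLE is the string the post uses.
"""
import unicodedata

# Constructed: Cyrillic er, Greek omicron, Latin r t, Cyrillic a, Cyrillic es, Cyrillic u, Latin k
SPOOF = "\u0440\u03bfrt.\u0430\u0441.\u0443k"
POST_EXAMPLE = "Ꮲοrt.ɑⅽ.υk"
GENUINE = "port.ac.uk"


def lookalikes(name):
    """Every non-ASCII character with its Unicode name and NFKC-normalised form.
    NFKC catches compatibility characters (a Roman numeral 'c' becomes 'c') but
    not confusables from other scripts, which is why the script check follows."""
    out = []
    for ch in name:
        if ord(ch) > 0x7F:
            out.append((ch, unicodedata.name(ch, "UNKNOWN"),
                        unicodedata.normalize("NFKC", ch)))
    return out


def scripts(label):
    """Rough script set: the first word of each letter's Unicode name
    (LATIN, CYRILLIC, GREEK, CHEROKEE, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def is_suspicious(name):
    """Flag any label that mixes scripts, or any non-ASCII character at all."""
    return any(len(scripts(label)) > 1 for label in name.split(".")) or bool(lookalikes(name))


def to_idna(name):
    """What goes on the wire: ASCII-only labels, 'xn--' for anything non-ASCII.
    Returns None if the name cannot be encoded."""
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return None


if __name__ == "__main__":
    for name in (GENUINE, SPOOF, POST_EXAMPLE):
        print(name, "suspicious" if is_suspicious(name) else "clean", to_idna(name))
        for ch, uname, nfkc in lookalikes(name):
            print(f"   {ch!r} {uname} (NFKC {nfkc!r})")
```

Browsers apply similar mixed-script rules before deciding whether to display a name in Unicode or as its xn-- form, but a link in an email gets no such treatment, which is why the hover text can still look convincing.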

Posted in General, Technical

Twitter: The Trustworthiness of The Blue Tick

If you have not heard, Twitter suffered an incident recently (yesterday at the time of writing) in which a number of high-profile accounts were used to send “tweets” suggesting that if you paid them some money in bitcoin they would return double the amount.

Twitter claims that the accounts themselves were not compromised, which leaves the possibility that Twitter has (or had) a vulnerability allowing anyone to send tweets as anybody on Twitter, even high-profile accounts with blue ticks.

There are several aspects of this story worth learning from.

Firstly, this was one of the classic “wave money to overcome suspicion” attacks – if something is too good to be true, it probably is. At the very least, you will want to check such a strange offer.

Secondly, this used prominent Twitter accounts to spread the message, trying (and in some cases succeeding) to abuse an existing trust relationship. We need to be wary of uncritically trusting well-known people: we assume that when a tweet appears from a well-known individual they are the one actually doing the typing. This is not always the case, even in ordinary circumstances, and when a social media giant has security vulnerabilities that message could be from any criminal.

If a well-known person says something out of character, that message should be viewed with suspicion.

Third, this scam used bitcoin as the payment method. Whilst bitcoin has legitimate uses, it is also widely used by criminals because the “money” does not go through banks. Any mention of bitcoin should cost a message a little credibility; in combination with other factors it could be the deciding one.

Lastly, look at the “only doing this for 30 minutes”: anyone who tries to rush you into a decision is quite possibly up to something, and that is exactly when you should spend some extra time thinking.

It is not any one thing that protects us, but a combination of indicators that tip the scales of suspicion into distrusting a message.

Posted in Active Attacks, General