Twitter: The Trustworthiness of The Blue Tick

If you have not heard, Twitter suffered some sort of incident recently (yesterday at the time of writing) where a number of high profile accounts were used to send out “tweets” suggesting that if you pay them some money (in bitcoin) they would return double the amount of money in bitcoin.

Twitter claims that the accounts themselves were not compromised leading us to the possibility that Twitter has (or had) a vulnerability that allowed anyone to send out tweets as anybody on Twitter – even high profile accounts with blue ticks.

There are several aspects of this story worth learning from.

Firstly, this was one of the classic “wave money to overcome suspicion” attacks – if something is too good to be true, it probably is. At the very least, you will want to check such a strange offer.

Secondly, the attackers used prominent Twitter accounts to spread their message, trying (and in some cases succeeding) to abuse an existing trust relationship. We need to be wary of uncritically trusting well known people: we assume that when a tweet appears from a well known individual, they are the ones actually doing the typing. This isn’t always the case, even in ordinary circumstances (many such accounts are run by staff or agencies), and when a social media giant has security vulnerabilities, that message could be from any criminal.

If a well-known person says something out of character, that message should be viewed with suspicion.

Third, this scam used bitcoin as the payment method. Whilst bitcoin has legitimate purposes, it is also widely used by criminals because the “money” doesn’t go through banks and payments cannot be reversed. Any mention of bitcoin should cost a message a little credibility; in combination with other factors it could be the deciding factor.

Lastly, look at the “Only doing this for 30 minutes”: if anyone tries to rush you into a decision, they are quite possibly up to something, and that is exactly when you should spend some extra time thinking.

It is not any one thing that protects us, but a combination of indicators that tip the scales of suspicion into distrusting a message.

Posted in Active Attacks, General

The VPN, Facebook, and China

We have had at least two reports from people who, while connected to our GlobalProtect VPN, looked at their current Facebook logins and found that they were apparently logged in from China (or Qatar).

This is not the case; we believe that Facebook is “confused” about the location of certain network addresses.

To see where you are logged into Facebook from, choose the downward pointing arrow in the blue Facebook menu bar – it’s next to the question mark at the end at the right. From the drop down menu that appears, select “Settings”.

This changes the page to show your settings with a series of links down the left of the window; select “Security and login” and the main area will change to show various bits including a section marked “Where you’re logged in”.

(This is my list – it is more likely to show “Windows” than “Linux” for you).

Next to the best guess at the operating system of a particular device you can see where Facebook thinks you are logged in from. If you hover the mouse pointer over that location, it will reveal the network address you are logged in from …

This shows the incorrect (and potentially worrying) location of Shanghai, China. However the network address shown when hovering the mouse pointer over the location shows an address beginning with 148.197.

This indicates that :-

  1. The network address belongs exclusively to the University.
  2. The network traffic that originated with your PC (or other device) was routed through the VPN and went directly from there to Facebook.
  3. At no point is there any indication that this traffic went anywhere near China.

The problem is on Facebook’s side: their “GeoIP” database (the lookup that turns a network address into an approximate location) apparently has a stale or wrong entry for some of our address ranges. The location label is only a guess; the network address is the thing to check. If a session’s address is not one of the University’s, or is one you cannot account for, treat it as genuinely suspicious: end that session from the same page and change your Facebook password.
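The same check, done the way a security team would do it rather than by eye, as an added example that is not part of the original post: take the sessions as Facebook lists them (device, GeoIP label, and the address revealed on hover), ignore the label, and compare each address against the ranges VPN traffic is expected to leave from. The sessions below are constructed, and the prefix 148.197.0.0/16 is an assumption from the “148.197.” the post mentions; substitute the ranges your organisation actually owns.

```python
import ipaddress

# Address ranges that VPN (and campus) traffic is expected to leave from.
# Assumption: the post only says the address begins with 148.197., so a /16
# is assumed here; replace with the prefixes your organisation actually owns.
EXPECTED_EGRESS = [ipaddress.ip_network("148.197.0.0/16")]

# Constructed sample of a "Where you're logged in" list, not real data:
# (device, GeoIP label as displayed, address shown when hovering the label).
SAMPLE_SESSIONS = [
    ("Linux", "Shanghai, China", "148.197.10.25"),
    ("Windows", "Portsmouth, United Kingdom", "148.197.200.7"),
    ("iPhone", "Doha, Qatar", "148.197.33.140"),
    ("Android", "London, United Kingdom", "203.0.113.45"),
]


def is_expected_egress(address, expected=EXPECTED_EGRESS):
    """True if the address sits inside one of the prefixes we own."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in expected)


def triage_sessions(sessions, expected=EXPECTED_EGRESS):
    """Classify each session by its address, not its GeoIP label.

    Returns (device, label, address, verdict) tuples where verdict is
    'ours' (address is in our ranges, whatever the label claims) or
    'unknown' (address is not ours: investigate and end the session).
    """
    results = []
    for device, label, address in sessions:
        verdict = "ours" if is_expected_egress(address, expected) else "unknown"
        results.append((device, label, address, verdict))
    return results


def unexpected_sessions(sessions, expected=EXPECTED_EGRESS):
    """Only the sessions that need acting on."""
    return [r for r in triage_sessions(sessions, expected) if r[3] == "unknown"]


if __name__ == "__main__":
    for device, label, address, verdict in triage_sessions(SAMPLE_SESSIONS):
        print(f"{device:8} {label:28} {address:16} {verdict}")
```

Run as-is it flags only the 203.0.113.45 session: the three “foreign” labels all belong to addresses inside the University’s range and are simply GeoIP noise.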

Posted in Active Attacks, VPN

VPN or GlobalProtect Performance Issues

On occasions over the last few months, IS has been contacted with regard to network performance issues in relation to the VPN (the GlobalProtect VPN). As a result we have built up some recommendations that may be helpful to others experiencing this.

To start with, our VPN is unlikely to be the root cause of any performance issue. Whilst many places’ VPN gateways have suffered because of the increased usage during the lockdown period, that is typically because they use a separate hardware device to provide the VPN, sized for the usual usage pattern.

In our case, our VPN gateway shares the hardware with the main university firewall and so shares its capacity – essentially bandwidth that was previously available for on campus usage is now available for VPN usage (it’s a bit more complex than that, but is a reasonable approximation). In addition the firewall went through a hardware refresh last year, so it is currently running on relatively new hardware and has plenty of capacity available.

Testing

There are many ways of testing the bandwidth available via a network connection, but to keep things simple the suggestion is to use the test at https://speedtest.net/. Bear in mind that we’re not so much trying for an accurate test, but a relative speed :-

  1. Measure using the above speedtest with the VPN turned off. The result will be in megabits per second (or Mbps).
  2. Measure again with the VPN turned on.
  3. Finally calculate the relative speed with :-
percentage = ( (VPN turned on) / (VPN turned off) ) * 100

This will give a percentage result indicating what proportion of your basic Internet speed is available with the VPN turned on. A good result is anywhere more than 80%.

If you get a reasonable result and your VPN performance is still poor, bear in mind that the overall speed of the network connection has a bearing: whilst some things will work fine (if sluggishly) below 10Mbps, other things will start to break when things get too slow.

If your overall performance is poor, you may have no other option than to upgrade or change your ISP to get better performance. But bear in mind the next section!

Wireless

Whatever variety of wireless you are running at home, it can be subject to interference issues. And these are not always constant – interference can change according to the time of day (and the usage of wireless).

Firstly, wireless is a shared medium: my phone right now can see over a dozen wireless networks to connect to, and whilst not everyone lives in such a dense environment, any busy wireless network nearby will have an effect on how much traffic can travel through your own.

Secondly wireless does not necessarily travel very well – walls (especially thick brick or stone walls) can attenuate the signal and cause a severe impact to wireless performance. For example, my home office is upstairs and at the back, whereas my wireless routers are downstairs at the front – trying to use wireless from my home office would be an exercise in frustration at the continual disconnections and abysmal performance.

So our very first recommendation is to plug your PC directly into your broadband router with a cable; even as just a test to confirm (or not) that the wireless network is problematic.

Dangling a cable all the way through a house (or flat) is not a sensible (or safe) solution, so for years I have been using a TP-Link powerline adapter – two boxes which plug into a wall power socket, and effectively “bridge” a network cable across the house power lines. A link to a similar product can be found here (other suppliers exist; other products exist; all relevant disclaimers about this not being an official recommendation, etc).

Routers

Domestic routers tend to be engineered to prioritise economy over robustness and longevity.

In some cases such routers can get slower over time if they are left on continuously. It can be worth trying to restart the router (remove power, wait 5 seconds, restore power) to see if that improves matters. If it does, you can restart it on a regular basis – once a month or once a week.

In other cases, if you have an older router it may have started to go wrong, or one of its internal components may simply not be keeping up with the volume of traffic going through it. There is not much you can do about this other than replace the router.

If your ISP supplied the router and it is quite old (5 years or more), it may be worth asking your ISP if an upgraded router is available.

The PC

How healthy is your PC? Particularly if it is a self-managed device (i.e. one you own).

If you are lucky enough to be able to have a spare PC or laptop (or can borrow one from someone else in the family), it may be worth installing GlobalProtect onto it and retrying the speed test. If borrowing from one of the family, make sure that their VPN connection is turned off (there is no need to uninstall it!) – two VPNs turned on at the same time will yield surprising and unfortunate results!

The other possibility is to try and borrow something from IS, although at the current stage of the academic year they may be in rather short supply.

Virgin Media Cable

Virgin is a popular choice for supplying an Internet connection given the speeds they provide. However we (and JANET, the university’s ISP) believe that Virgin Media has an intermittent problem with the performance of VPN traffic routed to the academic networks; it isn’t just us.

Many people will not notice because the difference between 150Mbps and 200Mbps isn’t sufficient to cause a significant problem, but in some cases it can.

There is not a great deal IS can do about this – we can’t log faults for connections that we are not the customer for! JANET themselves are in contact with Virgin, but it may help if you are experiencing issues to :-

  1. Run through the steps above so that you can show the problem is not at your end and point to Virgin.
  2. Emphasise to Virgin that the university does not believe the VPN gateway to be the root cause of the problem, and that non-Virgin customers do not see a large performance hit when using the VPN.

Virgin are unlikely to escalate the call priority for just one person, but if they receive a pattern of similar calls it increases the chances of more senior engineers (and perhaps managers setting policy) paying attention.

Posted in General, VPN

Dealing With Suspicious Emails

From time to time, we all receive emails at work that we regard as a little suspicious (if you do not, it is quite possible that your suspicion level needs to be increased). What should we do with those emails?

The traditional advice has been to check with a colleague and/or forward them to the IS ServiceDesk. That remains the advice, but the NCSC now has a service to which suspicious emails can be submitted.

If the email does not contain confidential information, the advice is now to forward suspicious emails to the IS Service Desk (servicedesk@port.ac.uk) as well as the NCSC SERS (report@phishing.gov.uk). Forward rather than reply, and don’t open any attachments or follow any links in the process.

The latter contributes towards blocking and taking down malicious web sites, something which we cannot do ourselves.

In addition you can also use it for reporting suspicious emails received at non-work addresses.

You can read more about the NCSC SERS service at https://www.ncsc.gov.uk/information/report-suspicious-emails.

Posted in Email

Who Is mikemeredith@hotmail.com?

Short answer: No idea! And yes that is my name.

We have received a couple of reports of phishing attempts using look-alike names. In this example (which isn’t real), the email address mikemeredith@hotmail.com was used in an email purporting to come from the individual who is usually found at mike.meredith@port.ac.uk. As port.ac.uk email addresses are slightly harder to forge than they used to be, attackers are turning to look-alike email addresses.

These come in two forms: domains that look similar (the part after the “@”, such as port.ac or port.co in place of port.ac.uk), or familiar names at a personal mail provider, as in the example shown.

To defend against this, we need to :-

  1. Avoid using personal email accounts for UoP business emails.
  2. Check and double-check the email address in the “From” field – whilst these can be forged, it is somewhat harder to forge @port.ac.uk addresses than it used to be.
    1. Is the domain part (after the “@”) port.ac.uk or does it merely look similar?
    2. If it looks like a personal name from a common personal mail site – mikemeredith@hotmail.com – is it one you are familiar with? Do you know that the individual uses that address as their personal email?
  3. And of course the standard anti-phishing defences – does it encourage urgency? Suspicious. Does it link to a strange web site? Suspicious. Etc.
  4. If in doubt, ask. Ask a colleague, or ring the sender to check, using a number you already have rather than one given in the email.
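The two checks in point 2, applied by a short script rather than by eye, as an added example that is not part of the original post. It parses a From: header, classifies the domain (exactly ours, a big personal provider, a look-alike such as port.ac or p0rt.ac.uk, or something else), and then asks whether the display name or mailbox name matches a known colleague who does not normally write from that address. The directory, the provider list and the sample headers are constructed for the example; mike.meredith@port.ac.uk and mikemeredith@hotmail.com are the post’s own (fictitious) pair.

```python
import difflib
from email.utils import parseaddr

TRUSTED_DOMAIN = "port.ac.uk"

# Big personal mail providers. Mail from one is not wrong in itself, but a
# colleague apparently writing about work from one deserves a second look.
PERSONAL_PROVIDERS = {"hotmail.com", "outlook.com", "gmail.com",
                      "yahoo.com", "yahoo.co.uk", "icloud.com"}

# Constructed directory for the example (not real data): work address -> name,
# plus any personal addresses a colleague is known to use for work.
DIRECTORY = {"mike.meredith@port.ac.uk": "Mike Meredith"}
KNOWN_PERSONAL = {"mike.meredith@port.ac.uk": set()}


def normalise(text):
    """Lower-case, letters only, so 'Mike Meredith' == 'mike.meredith'."""
    return "".join(ch for ch in text.lower() if ch.isalpha())


def domain_kind(domain, trusted=TRUSTED_DOMAIN):
    """Classify the part after the '@'."""
    if domain == trusted:
        return "trusted"
    if domain in PERSONAL_PROVIDERS:
        return "personal"
    same_first_label = domain.split(".")[0] == trusted.split(".")[0]  # port.ac, port.co
    contains_trusted = trusted in domain                              # port.ac.uk.example.com
    near_miss = difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85  # p0rt.ac.uk
    if same_first_label or contains_trusted or near_miss:
        return "lookalike"
    return "other"


def classify_sender(from_header, directory=DIRECTORY, known_personal=KNOWN_PERSONAL):
    """Return the reasons to be suspicious of a From: header (empty list = none found).

    Only the visible address is examined. A forged header that passes these
    checks is what gateway checks such as SPF, DKIM and DMARC exist to catch.
    """
    display_name, address = parseaddr(from_header)
    address = address.lower()
    if "@" not in address:
        return ["no usable address in From: header"]
    local_part, domain = address.rsplit("@", 1)
    kind = domain_kind(domain)
    findings = []
    if kind == "lookalike":
        findings.append(f"domain {domain!r} looks like {TRUSTED_DOMAIN} but is not")
    if kind in ("personal", "other"):
        # Does the display name or the mailbox name match a known colleague?
        for work_address, name in directory.items():
            if normalise(name) in (normalise(display_name), normalise(local_part)):
                if address not in known_personal.get(work_address, set()):
                    findings.append(
                        f"claims to be {name} ({work_address}) but comes from "
                        f"{address}, which is not a known address of theirs")
    return findings


if __name__ == "__main__":
    for header in ("Mike Meredith <mike.meredith@port.ac.uk>",
                   "Mike Meredith <mikemeredith@hotmail.com>",
                   "Mike Meredith <mike.meredith@port.ac>",
                   "Newsletter <news@example.com>"):
        print(header, "->", classify_sender(header) or "nothing found")
```

The similarity threshold is a judgement call: 0.85 catches a single substituted character in a domain this short without flagging unrelated domains, but tune it against your own domain’s length.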
Posted in Active Attacks, Email

Security At Home

As most of us are now working from home, it is time to consider security in the home. Because you are working from home, security at home matters to the university as well as to you, and there are new dangers in the present situation that you may not have considered.

For instance, many of you have posted cute pictures of “co-workers” (four-legged ones) curled up on or near your laptops. But have you considered what is visible on the screen?

And despite choosing a deliberately innocuous window to take a copy of, it still contains some information that may be worth thinking twice about before making public!

This is a screenshot rather than a phone picture with a screen in it, so you may be thinking that what is in your phone photo is less visible. Except that :-

  1. It is simple for anyone to save a copy of that photo from wherever you sent it (Facebook is the default option here), so it can be viewed in ways you did not expect.
  2. You can zoom into images to see details not usually visible. And try other image enhancements to make things clearer.

The key thing is to remember is to obscure whatever is on the screen for fun photos – bring up Notepad, maximise it, and write “Not work stuff” in big letters!

Obscuring the screen should also be considered if you are working from home with others in the house – consider getting a privacy overlay (link provided as an example and not an endorsement) for your screen and minimise what you are working on when someone peers over your shoulder.

You should also lock your screen when you are away from the keyboard for any length of time! Apart from anything else, it’ll stop you coming back and discovering that your toddler has finished off that important email and sent it off.

Web Cams

We are all using web cams a bit more than we would normally do, so it is worth considering their security. Always treat a web cam as though it is turned on and your boss and co-workers can see what you’re up to in front of it.

Whilst some webcams are insecure and can be remotely controlled, that is not the danger we’re talking about here. This is more about getting into the routine of being able to join a video conference without making an embarrassing ‘mistake’ – I already know of one web cam accident where a conference attendee had a boyfriend wander through the background “inappropriately dressed”, and I’m sure Facebook will shortly be full of “Top 10 Embarrassing Working From Home Web Cam Accidents” (and I’ve heard about another just during the time it took to write this post).

Not that this should discourage you from using a web cam; just bear in mind the advice in the first paragraph, and discourage uninvited guests from joining the conference (although nobody minds four-legged visitors).

Phishing and Scams

You are probably all bored to tears reading advice about phishing attacks and scams, but it bears repeating because there are those trying to take advantage of the current situation for financial benefit :-

  • If it’s too good to be true, it probably is.
  • If you are being urged to act urgently, take the time to be careful.

There is a whole category of old articles to read on phishing.

Using Non-University Equipment

If you are using university-supplied equipment for your work, IS will take care of the security of your device in terms of the system maintenance – providing that you connect it to the VPN (GlobalProtect) regularly. If you prefer to use your own equipment for UoP work, you will be expected to perform much the same system maintenance work (which you should be doing anyway to keep personally safe) :-

  1. You must be using a supported operating system. Unsupported operating systems do not get security patches and so will be assumed to be unsafe (they will be sooner or later). If the hardware you are running will not run a later operating system, you will have to arrange for another machine. This may seem harsh, but
  2. You must install operating system patches as and when they arrive, and check for them on a regular basis (daily, weekly, or at worst monthly). An operating system that does not get updated puts you (and the University) at risk!
  3. Similarly, any installed software needs to be checked regularly for updates, especially web browsers!
  4. If you have any University work data on your own machine(s), make sure that the storage is encrypted (the full-disk encryption built into the operating system, such as BitLocker or FileVault, is sufficient). On any hardware from the last 5 years or so, the performance impact will not be noticeable.
    1. Use approved cloud-based storage (including the N: and K: drives – they’re in the “UoP Cloud”) as much as possible.
    2. If you must put work data on your local disk(s), remove it as soon as you have finished work on it.
  5. Using the VPN (GlobalProtect) gives you an extra level of protection against “nasty” stuff on the Internet, so feel free to use it even if you have no immediate need for it.

Posted in Active Attacks

Scams In The Time of Coronavirus

(with apologies to Gabriel García Márquez)

As expected, scammers are trying to take advantage of fears over Covid-19 (the Coronavirus) to push their victims into unwise actions – often for profit. I have already seen two scams announcing UK government universal income payments that you have to visit a web site to claim.

We can expect :-

  1. Similar offers to claim your government universal income payment.
  2. ‘Magical’ vaccines, cures, or treatments at specially discounted rates.
  3. Offers to sell goods in short supply – toilet paper, hand sanitiser, medical masks, etc.

And probably a whole lot more attempts to defraud you. Or the university.

Be wary of emails, phone calls, or any other form of communication that :-

  1. Tries to induce a sense of urgency. By rushing you, the scammer hopes to bypass your “wait! is this sensible” thought.
  2. Tries to get you to bypass normal procedures – those procedures are in place for a reason, and whilst we need to be flexible in these times, procedures shouldn’t be completely bypassed.
  3. Tries to claim authority (governmental, official organisation, or senior management) to get you to take urgent action.
  4. Sounds too good to be true; it probably is.

Which is pretty much the advice in ordinary times.  

Posted in Active Attacks, News

Working From Home

For some reason there seems to be a bit of an increase in interest in working from home and so it seems rather timely to produce some advice. Not so much the technical side of things, but general advice from someone who has done it from time to time.

The official instructions for working from home (or “work anywhere”) appears here.

Please feel free to groan!

For better or worse, in some places the facility is called “GlobalProtect” and others it is called “VPN”. The first (“GlobalProtect”) is a vendor-specific implementation of the generic “Virtual Private Network”.

It should be pointed out that the VPN works fine at the University – you can check that the VPN client works before going home.

VPN Technicalities

Having said that I will try to avoid the technical side, there are a few things to go through.

Firstly, there is plenty of VPN capacity available – the hardware itself is shared with the main firewall, so unlike common environments where the VPN is a separate box and sized for usual usage patterns, the VPN is not likely to collapse under the load.

There is a constraint on the number of simultaneous VPN users, which is related to the number of addresses allocated for its use. This is known, and how to increase it has already been worked out.

The more serious problem (although not expected to be that serious) is that whilst the VPN has been in place for years and people have been using it for years, it is possible that someone will find something that does not work through the VPN. In such a situation we need to know: what, who, and when. And it should be logged via the IS ServiceDesk.

Such problems do not necessarily have a quick solution, so you may have to be patient – especially if there is a queue of problems to look at!

General Advice

  1. It can help to have a concrete start and end to the working day – both in terms of time, and more “physically”.
  2. I find it useful to “walk to work” – pop outside for a 30 minute walk around the block (or to the seafront).
  3. Do take breaks (especially lunch!). And take that break away from the work computer.
  4. Try to isolate yourself from whatever else is going on in your home – you are “at work” and should be interrupted only when necessary – such as when something would normally escalate to calling you at work.
  5. Resist temptation; that refrigerator just steps away filled with goodies all whispering “Nibble me!” is just going to get you in trouble.
  6. When it comes to the end of the day, stop. The temptation is to keep going or do a few extra bits and pieces in the evening. That’s fine in an emergency, but down-time is necessary for sanity and working from home does tend to make you work longer hours than you would at work.
  7. Ergonomics is more important than you think – unless you’ve had three months off with constant nerve spasm! Laptops are not the best choice when it comes to usability over a long day – an external screen, keyboard, and mouse can be very helpful as they can be positioned sensibly. A proper desk at the right height and a comfortable office chair is also useful. If you cannot arrange such things (at least for now), then keep moving (in fact keep moving anyway). Spend half an hour sat down at the kitchen table and then half an hour standing at the kitchen work surface.

Lastly, working at home is not necessarily an all or nothing thing. It is possible for a team to set up a rota so that on any day, some people are working from home whilst others are in the office. Or more flexible arrangements.

It is certainly worth trying out working from home to see what works and what doesn’t (and not necessarily just where the VPN is broken, although I want to know that!).

Posted in General

Let’s Encrypt Certificates – Are They Broken?

Short answer: No.

There is a news story going around about an issue with certificates issued by Let’s Encrypt. The certificates themselves are in fact perfectly fine, but they were issued when they should not have been.

If the owners of a domain (say port.ac.uk) decide to, they can publish a CAA (Certification Authority Authorization) record in the DNS (we don’t) which specifies which certificate authorities are authorised to issue certificates for names within that domain.

The Let’s Encrypt bug was in the re-checking of those CAA records when a certificate request contained multiple names (a check that has to be repeated shortly before issuance if the original validation is more than a few hours old): it mistakenly re-checked just one of the names, rather than each of them. Thus in some circumstances it could issue certificates it wasn’t supposed to.
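The following Python is an added example, not Let’s Encrypt’s own code, that models the check in miniature: a constructed table standing in for DNS CAA records, a lookup that climbs from a name to its parents until it finds a CAA record set (as RFC 8659 requires), the per-name permission test, and then the correct re-check beside a reproduction of the bug, which (as Let’s Encrypt described it) picked one name and checked it as many times as there were names. The domains, records and issuer strings are constructed for the example.

```python
# Constructed CAA records, keyed by DNS name (not real DNS data). A real
# lookup climbs from the name to its parents until it finds a CAA record
# set; a name with no CAA anywhere above it may be issued for by any CA.
CAA_TABLE = {
    "example.org":        [("issue", "digicert.com")],   # only this CA may issue
    "locked.example.net": [("issue", ";")],               # nobody may issue
    # "open.example.com" has no CAA record at any level: any CA may issue
}


def lookup_caa(name, table=CAA_TABLE):
    """Return the closest CAA record set at or above name, or [] if none."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return table[candidate]
    return []


def caa_permits(name, issuer, table=CAA_TABLE):
    """Does CAA allow `issuer` (a CA's CAA identifier) to issue for `name`?"""
    records = lookup_caa(name, table)
    issue_values = [value for tag, value in records if tag == "issue"]
    if not issue_values:          # no CAA record, or no 'issue' tag: unrestricted
        return True
    # An 'issue' value is "ca-domain; optional parameters"; ";" alone forbids all.
    permitted = {value.split(";")[0].strip() for value in issue_values}
    return issuer in permitted


def recheck_correct(names, issuer, table=CAA_TABLE):
    """Re-check every name in the request; refuse if any one of them forbids it."""
    return all(caa_permits(name, issuer, table) for name in names)


def recheck_buggy(names, issuer, table=CAA_TABLE):
    """Reproduce the bug: pick one name and check it len(names) times.

    Which name was picked was arbitrary in the real bug; the first is used
    here so that the outcome is predictable.
    """
    picked = names[0]
    return all(caa_permits(picked, issuer, table) for _ in names)


if __name__ == "__main__":
    request = ["open.example.com", "www.example.org"]   # two names, one certificate
    print("correct re-check permits:", recheck_correct(request, "letsencrypt.org"))
    print("buggy re-check permits:  ", recheck_buggy(request, "letsencrypt.org"))
```

With the two-name request above the correct check refuses, because example.org only authorises a different CA, whereas the buggy check looks at open.example.com twice and never sees the restriction. That is exactly the class of certificate Let’s Encrypt had to revoke.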

Let’s Encrypt are correcting this mistake by revoking the affected certificates, that is, publishing them as invalid through their revocation lists and OCSP service so that clients which check revocation will no longer trust them. If a certificate is revoked the site will still load, but the browser’s security indicator in the location bar will show a red “not secure” warning rather than the usual padlock (how prominently, or whether at all, depends on how strictly the browser checks revocation; not all of them do).

Even a revoked certificate still encrypts the traffic in transit; what is lost is the assurance that you are talking to the server the certificate names, which is the reason the certificate exists. It is unlikely that you will encounter affected web sites, because :-

  1. No port.ac.uk site should have been issued a certificate it was not entitled to: we don’t publish CAA records, so there was no restriction for the faulty check to miss.
  2. Relatively few “mainstream” large web sites use Let’s Encrypt certificates.
  3. Those sites that do use Let’s Encrypt certificates should have received notification (at the contact address registered with their Let’s Encrypt account) that their certificate was due to be revoked, and will have renewed it (it’s free).

There is a chance that some neglected minor sites will show up with the red “not secure” indicator, and the usual rule applies: if you see such a warning, trust neither the content nor the identity of the site you are connecting to.

Posted in General

';--have i been pwned?

There is a well known “white-hat” web site called “';--have i been pwned?” (the odd prefix is a joke about SQL injection, one of the ways such breaches happen) which :-

  1. Publicises large data breaches of personal information.
  2. Collects data breaches looking for compromised accounts.
  3. Allows people to check if their own account has been compromised.
  4. Sends domain owners (if you have signed up) notifications of relevant data breaches.

It should be emphasised that this is not a malicious site – it is providing a service to the community. If you check that site for your UoP email address (and it is more than a year or two old), you will almost certainly find that it is listed. For example, my “account” was leaked in the following breaches :-

  1. Anti Public Combo List
  2. Apollo
  3. Collection #1
  4. Data Enrichment Exposure From PDL Customer
  5. Dropbox
  6. Kayo.moe Credential Stuffing List
  7. LinkedIn
  8. Onliner Spambot 
  9. Trik Spam Botnet
  10. Verifications.io

It should be noted that my email address is over 25 years old and I do sign up to lots of strange services “out there”. So this list might be slightly longer than average.

If your “account” is compromised, don’t panic. And it isn’t your fault. There are actions you should look at doing to reduce your risk … which we’ll get to.

My Account Is Leaked!?‽

If we take one example from the list above, Dropbox: in that case Dropbox itself was broken into and the details of Dropbox user accounts were obtained by an attacker. So your Dropbox account was compromised; hopefully you were notified at the time and had to change your Dropbox password.

This does not mean that your UoP account is at risk if you do not use the same password here.

If you have a perfect personal security score (and very few of us do), that’s all. However if you use the password for your Dropbox account elsewhere, then it is possible that someone is trying to break into those accounts. So when you’re notified of a password breach at a site like Dropbox, and that same password is used on other sites, you should be changing passwords on those other sites.

And if you do use the same password on your UoP account as on a compromised web site, you should change this password too.

Anonymous Leaks

If you refer back up to that list of leaks containing my email address, you will see that well over half are not associated with a well-known web site. These are leaks that surfaced from the “dark web”, and unfortunately they are often distributed with no indication of where they originated.

It is widely believed that the leaks which surface in this way represent a tiny minority of the data to be found there, available to those with the money to pay for it.

How Did The Leaks Occur?

The leaks very simply fit into two categories – leaks from well known web services (“Dropbox”), and leaks from the “dark web” where personal data dumps from unknown sources are available for sale.

When a large public web service is compromised, and the attackers steal large amounts of account credentials (and any associated personal information), the news often hits the mainstream security news sites (see: https://nakedsecurity.sophos.com/2020/01/22/big-microsoft-data-breach-250-million-records-exposed/). The “haveibeenpwned” site, on the other hand, attempts to get a copy of the leaked data so that people (including you) can check whether their account has been leaked.

The “compromise” can happen in any number of ways, but the two most significant are :-

  1. A security vulnerability in the web site allows an attacker to break into the servers and access whatever data sits on the web site server(s).
  2. A cloud-based database or database backup is not properly secured and is available to anyone to connect to and read data. In some ways this is worse than the first as it is just a mistake in configuration that allows the leak.

Finally, there are leaks from the “dark web”: public data leaks are just the tip of the iceberg. It isn’t in the interest of the attackers for it to be known that they have stolen large swathes of data, because they are very often in the business of selling that data onwards. If those attackers themselves suffer a data leak, it is entirely possible that the data will end up in the hands of security researchers, who may well pass it on to “haveibeenpwned”.

In some cases where the data is sitting on public file distribution sites, “haveibeenpwned” will pass the link on to domain owners, which is why IS can occasionally tell those whose accounts have been compromised what has happened. The site itself does not distribute personal information (even when it holds the data).

What Are Data Leaks Used For?

Fraud. Specifically any kind of fraud that will obtain money.

In some cases attackers will use account credentials to leak data out of other web services to “enrich” data they already have on you.

See: https://nakedsecurity.sophos.com/2020/02/07/cybercrooks-busted-for-multimillion-dollar-identity-fraud/

Defending Yourself

Whilst it is in no way your fault that third-parties leak your personal data, that is hardly very helpful when you are the victim of identity theft and/or financial fraud. And so, how can we defend ourselves against the mistakes made by third parties?

  1. Do not use the same password on multiple sites; a password manager makes this painless. If you do reuse a password, confine it to a group of related, low-risk sites: your banking sites need unique strong passwords, whereas infrequently used shopping sites that do not store your card details could share one.
  2. Use long and strong passwords wherever possible; if you fear forgetting passwords (and frankly, given the number of passwords we have to remember, who doesn’t?), install and use a password manager such as KeePassXC.
  3. Where it is available as an option, enable two-factor (or multi-factor) authentication: a leaked password on its own is then not enough to log in.
  4. Periodically check the web site to see if your details have been compromised since the last time, or sign up for its “Notify me” email alerts so that it tells you.
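A related service on the same site, Pwned Passwords, lets you check whether a particular password (rather than an email address) has appeared in a breach, without ever sending the password anywhere: the client hashes it with SHA-1, sends only the first five hex characters of the hash to https://api.pwnedpasswords.com/range/<prefix>, and receives every suffix with that prefix, so the match is made locally. As an added example that is not part of the original post, here is that client logic in Python. The range response below is constructed (the counts are invented) so that it runs offline; only the suffix for the password “password” is genuine, being the remainder of that word’s SHA-1. The online fetch is included but not exercised.

```python
import hashlib


def sha1_prefix_suffix(password):
    """SHA-1 the password; return (first 5 hex chars, remaining 35), upper case.

    Only the prefix ever leaves the machine, so the service learns neither
    the password nor its full hash (this is the k-anonymity design).
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse a range response ('SUFFIX:COUNT' per line) for our suffix.

    Returns the breach count, or 0 if the suffix is absent (not known to
    be breached). Malformed lines are skipped rather than trusted.
    """
    for line in response_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        found_suffix, count = line.split(":", 1)
        if found_suffix.upper() == suffix and count.strip().isdigit():
            return int(count)
    return 0


def check_password(password, fetch_range):
    """Full check: hash locally, fetch the range for the prefix, match locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fetch_range(prefix))


# Constructed stand-in for the range endpoint's reply for prefix 5BAA6.
# Counts are invented; the middle suffix is the real remainder of SHA-1("password").
SAMPLE_RANGE_5BAA6 = """\
1D2B8A0DFD2D1E6E5C2C4A3C1B8E0A9F7D1:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2F5A6B7C8D9E0F1A2B3C4D5E6F7A8B9C0D1:1
"""


def fetch_range_offline(prefix):
    """Offline stand-in for the network call; knows only the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def fetch_range_online(prefix):
    """Real lookup against the range API (not run in this example)."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as response:
        return response.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        seen = check_password(candidate, fetch_range_offline)
        print(f"{candidate!r}: seen {seen} times" if seen else f"{candidate!r}: not found")
```

Swap `fetch_range_offline` for `fetch_range_online` to query the real service; a non-zero count means the password is in circulation and should not be used anywhere, whatever site it came from.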

Pwned?

Lastly, that strange word “pwn” is a deliberate misspelling of “own” (or “owned”) to indicate that something has been broken into (or “owned”). And yes, this even appears in the OED.

Posted in Active Attacks, Passwords