Firewall Blocking Essentials?

Due to a certain episode around Easter this year, a number of changes were made to the firewall security policy to make it more secure. Since then a great deal of work has gone into identifying web-based applications that are in use and making sure they’re allowed through the firewall.

But in all likelihood, we’ve missed a few.

So it makes sense to test everything that you use for teaching (or anything else) to see if it works properly. If it doesn’t :-

  1. Connect to the VPN (whether you are at home or on campus).
  2. Try again
  3. Raise a servicedesk job requesting that “it” be allowed. To make it easier the following would be helpful :-
    1. What username you logged into the VPN with.
    2. Around what date and time did you try – the more accurate and precise you can make this, the better.
    3. A description of the application and why it is required.
    4. If you received an error, what was the text of the error message?

Don’t worry if it’s just a “nice to have” application – whilst there are security reasons for saying no, that is relatively rare and we’re not inclined to say no to something that looks like entertainment (for example).

Posted in Firewall

GlobalProtect Installation for MFA VPN

This is a technical guide to some methods of installing or fixing the GlobalProtect client in the short term, whilst ongoing conversations with the relevant vendors are taking place.

  1. Make sure you are using an up to date version of the client; the latest officially deployed version of which can be downloaded from https://staff.vpn.port.ac.uk/ or https://student.vpn.port.ac.uk/. It would be wise to completely remove older clients from the machine.
  2. Make sure that the machine is running a supported operating system.

Windows Installation

This requires a command-line installation with a switch to turn on the “default browser” option :-

msiexec.exe /i GlobalProtect.msi DEFAULTBROWSER=YES

Where “GlobalProtect.msi” is the file you have copied onto the client machine.

Mac Installation

Installation on a Mac is done in the usual way but before the VPN client is run, a terminal command needs to be run :-

sudo defaults write /Library/Preferences/com.paloaltonetworks.GlobalProtect.settings.plist '{"Palo Alto Networks" ={GlobalProtect={Settings={default-browser=yes;};};};}'

That’s all on one line.

Switching Browser

At least one report suggests changing the default browser on the client machine to an alternate browser – specifically from Chrome to Firefox.

Posted in Technical, VPN

Spam: Mail Quotas and Bitcoin

Recently we have become aware of an issue in relation to one of our cloud service providers which is weakening one of our email security measures – specifically the mechanism put in place to make it harder to impersonate UoP senders (i.e. any @port.ac.uk email address). This has allowed a recent increase in the amount of spam being received.

As of late in the afternoon of the 24th February, the cloud vendor has fixed the issue, so the relevant spams should stop arriving. Leaving just ordinary spams!

We are in contact with the vendor to resolve this issue, but in the meantime you may very well receive spams with a sender address (“From”) of something@port.ac.uk.

Two quite common varieties of spam that are cropping up are mentioning mail quotas (“your mail quota is exceeded”) and bitcoins (“pay us bitcoin or we’ll leak your secrets”).

In relation to the mail quota spams :-

This example may not reflect the appearance of spams you receive.
  1. We do not have mail quotas; anyone offering to increase your mail quota is offering to do the impossible … or more likely ask you for your password so they can use it nefariously.
  2. If you “hover” (move the mouse pointer to where the clickable link is, but don’t click it), you can see where the link really takes you at the bottom of the browser window. In the case of this spam, it will say something like https://port.ac.uk/mail-quota/ but will in fact take you somewhere else.

This is a standard phishing spam email – the link will take you to a page that looks like a login window and you will be prompted for your password. Don’t fill it in!
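The “hover” check in item 2 can be automated when a suspicious message is being triaged. The following is an added example, not code from the original post: it parses the HTML body of a message and flags any link whose visible text names one host while the href actually points at another. The sample message is constructed to resemble the mail-quota phish described above; the destination host in it is a made-up placeholder.

```python
"""Flag e-mail links whose visible text names one host but whose href goes elsewhere."""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the shape of the "mail quota" phish described above:
# the visible text claims port.ac.uk, the real destination is somewhere else.
SAMPLE_HTML = """
<p>Your mail quota is exceeded. Click
<a href="https://login-verify.example.net/mail-quota/">https://port.ac.uk/mail-quota/</a>
to increase it.</p>
<p>Genuine link: <a href="https://www.port.ac.uk/">https://www.port.ac.uk/</a></p>
<p>Anchors whose text is not a URL are ignored: <a href="https://example.net/">click here</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(candidate: str) -> str | None:
    """Host named by a URL-looking string, or None if it does not look like a URL."""
    s = candidate.strip()
    if not s or " " in s:
        return None
    if "://" not in s:
        s = "http://" + s          # a bare 'port.ac.uk/path' still names a host
    host = urlparse(s).hostname
    return host.lower() if host and "." in host else None


def mismatched_links(html: str) -> list[tuple[str, str]]:
    """(visible text, href) pairs where the text names a different host than the href."""
    collector = LinkCollector()
    collector.feed(html)
    return [
        (text, href)
        for href, text in collector.links
        if (th := host_of(text)) and (hh := host_of(href)) and th != hh
    ]


if __name__ == "__main__":
    for text, href in mismatched_links(SAMPLE_HTML):
        print(f"shows {text!r} but goes to {href!r}")
```

The comparison is deliberately strict (whole host name); a message that shows www.port.ac.uk but links to port.ac.uk would also be reported, which is the safer side to err on when triaging.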

In the case of the bitcoin extortion spams, the main characteristic is that they say something that amounts to “send us bitcoin or we’ll leak all your secrets”. Sometimes they will claim to have broken into your account; sometimes they will claim to have recorded you indulging in activities that you won’t want others to know.

Whilst this could be alarming, it is exceptionally unlikely to be the truth. Extortion spams are widespread and known to have no truth behind them; although the latest ones don’t appear to be “sextortion”, it remains a possibility.

If you are wondering what “bitcoin” is, a link to the Wikipedia article can be found earlier in this article, but in summary it is a “crypto-currency”, which is a form of money without a backing government or central bank, implemented using cryptographic mechanisms. Criminals appear to like it because they (falsely) believe it to be anonymous.

Whilst this is an ongoing situation with a special wrinkle, the advice is still pretty standard :-

  1. If it sounds too good to be true, it probably is.
  2. Does the email “ring right”? If it came from an @port.ac.uk address :-
    1. Does it look like it was composed in Gmail?
    2. Do you normally receive emails from that sender?
    3. Is the writing standard what you would expect?
  3. Before you click on a link, check (by “hovering”) if that link takes you to where you expect.
  4. If you click on the link, does the page appear to be in the usual UoP style? Most of our authentication pages go through the same “identity provider” and although there are two main ones with different appearances, they do have a standard “look”.

Because of the current issue (which we expect to resolve in a day or two), be wary of emails from @port.ac.uk addresses that you haven’t corresponded with before.

Posted in Active Attacks, Email

The security.txt Page for Web Servers

We have recently started using a new-to-us web server security scanner that amongst other things will highlight the absence of a file – security.txt – in the root of the web server. And thus this blog entry explaining what it is, why we need it, and what the contents should be.

Note that this is not an HTML page but a plain text page and must be installed as such.

The intention behind security.txt is to provide a mechanism by which those who encounter security issues with a web site can make contact in an approved manner. To those who argue that the information is available elsewhere, the counter-argument is that it is a lot more helpful to have information available in a standardised location.

The minimum file should contain :-

Contact: cert@port.ac.uk
Preferred-Languages: en

You can add a second line for an additional contact if you wish :-

Contact: cert@port.ac.uk
Contact: servicedesk@port.ac.uk
Preferred-Languages: en

The file must be named as precisely security.txt and must be either in the root of the web server “document root” or within a standard subdirectory (/.well-known/security.txt) (compliant with RFC8615).
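The scanner mentioned above only checks that the file exists; whether the contents are usable is a separate question. The following is an added example, not code from the original post or from any scanner: it parses a security.txt file and reports anything that breaks the minimum described above (no Contact, a malformed line, a repeated Preferred-Languages) as an error. The current standard for the format, RFC 9116, is stricter still: it requires an Expires field and writes Contact values as URIs (mailto:cert@port.ac.uk rather than a bare address), so the checker reports those points as warnings rather than errors. The sample file is the two-contact example from this post.

```python
"""Parse a security.txt file and check it against the post's minimum and RFC 9116."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: the two-contact file suggested in the post.
SAMPLE = """\
# Constructed example: the two-contact file suggested in the post
Contact: cert@port.ac.uk
Contact: servicedesk@port.ac.uk
Preferred-Languages: en
"""

# Fields RFC 9116 allows only once per file.
SINGLETON_FIELDS = {"preferred-languages", "expires"}
# URI schemes RFC 9116 expects for Contact values (a bare e-mail address is not a URI).
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


@dataclass
class SecurityTxt:
    fields: dict[str, list[str]] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)      # file is unusable as-is
    warnings: list[str] = field(default_factory=list)    # stricter RFC 9116 points


def parse_security_txt(text: str) -> SecurityTxt:
    """Read 'Field: value' lines; '#' lines are comments; field names are case-insensitive."""
    result = SecurityTxt()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or not name or not value:
            result.errors.append(f"line {lineno}: expected 'Field: value', got {line!r}")
            continue
        result.fields.setdefault(name, []).append(value)
    return result


def check_security_txt(text: str) -> SecurityTxt:
    """Parse, then add errors (post's minimum) and warnings (RFC 9116 requirements)."""
    parsed = parse_security_txt(text)
    contacts = parsed.fields.get("contact", [])
    if not contacts:
        parsed.errors.append("no Contact field: the file is useless without one")
    for name in parsed.fields.keys() & SINGLETON_FIELDS:
        if len(parsed.fields[name]) > 1:
            parsed.errors.append(f"{name} may appear only once")
    for c in contacts:
        if not c.lower().startswith(CONTACT_SCHEMES):
            parsed.warnings.append(f"Contact {c!r} is not a URI; RFC 9116 wants e.g. mailto:{c}")
    if "expires" not in parsed.fields:
        parsed.warnings.append("no Expires field; RFC 9116 requires one")
    return parsed


if __name__ == "__main__":
    report = check_security_txt(SAMPLE)
    print("fields:  ", report.fields)
    print("errors:  ", report.errors)
    print("warnings:", report.warnings)
```

Run against the post's own example the checker reports no errors and three warnings (two non-URI contacts and the missing Expires), which is a reasonable prompt to revisit the file once the scanner stops complaining about its absence.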

Posted in Technical

Dodgy .ac.uk Web Sites

No, we are not talking about real .ac.uk web sites but fake ones. We have recently been alerted to the activities of a certain well-known attacker (the “Silent Librarian”), and whilst processing it I noticed something it might be helpful to more widely publicise.

The location bar of your browser (or the pop-up that appears when you “hover” over a link in an email) can be a useful source of information on how trustworthy a site is :-

This web site address (it currently gives an error if you happen to try and visit it) has nothing to do with the port.ac.uk address (the university!) although it contains it. A certain number of “fake” web sites used by the previously mentioned attacker are set up like this – the address of a well-known .ac.uk institution with a different domain at the top.

A brief aside on domains: Domains are the wrong way around – for a domain such as port.ac.uk, the most significant part is on the right – the UK, followed by the “ac” (for academic) and finally “port” (for us). Bits added to the right are more significant than the bits at the left.

If I were to register touche.me I could easily create a registration for port.ac.uk.touche.me and point it to a web site not under control of the university. And that is what this attacker is doing.

So when you visit web sites, it is always worth double-checking the location bar to check that the domain is what you expect it to be. An address can look like a legitimate site when in fact only its left-hand side is legitimate.
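The “right is more significant” rule above is easy to get wrong in code as well as by eye. The following is an added example, not code from the original post: it lists the labels of a host name in order of significance and decides whether a host is genuinely under a trusted domain by comparing whole labels from the right. touche.me is the hypothetical domain from the post, not a real registration, and the helper names are my own.

```python
"""Decide whether a host name really sits under a trusted domain, label by label."""
from __future__ import annotations

from urllib.parse import urlparse


def host_of_url(url: str) -> str:
    """Lower-cased host from a URL or bare host name (constructed helper)."""
    host = urlparse(url if "://" in url else "http://" + url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower().rstrip(".")


def significance_order(host: str) -> list[str]:
    """Labels from most significant (rightmost) to least: the order the post describes."""
    return host.lower().rstrip(".").split(".")[::-1]


def is_under(host: str, trusted: str) -> bool:
    """True only if host equals trusted or ends with '.' + trusted, compared as whole labels.

    Two tempting shortcuts both go wrong:
      host.endswith("port.ac.uk")  also accepts "myport.ac.uk"
      "port.ac.uk" in host         also accepts "port.ac.uk.touche.me"
    """
    h = significance_order(host)
    t = significance_order(trusted)
    return len(h) >= len(t) and h[: len(t)] == t


def verdict(url: str, trusted: str = "port.ac.uk") -> str:
    """One-line human-readable summary for a URL."""
    host = host_of_url(url)
    return f"{host}: {'under' if is_under(host, trusted) else 'NOT under'} {trusted}"


if __name__ == "__main__":
    # touche.me is the hypothetical domain from the post, not a real registration.
    for u in ("https://staff.vpn.port.ac.uk/",
              "https://port.ac.uk.touche.me/login",
              "https://myport.ac.uk/"):
        print(verdict(u))
```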

Posted in Active Attacks

What Are “Homoglyph” Attacks?

As the phrase has started becoming more widely used, it seems worthwhile to explain just what exactly “homoglyph attacks” are. It is perhaps a bit extreme to call them “attacks” as they are effectively used to deceive … especially in phishing attacks.

It boils down to using “lookalike” letters to create something that looks like a trusted name (for example, “port.ac.uk”) yet isn’t (i.e. “Ꮲοrt.ɑⅽ.υk” (it should be noted that this was created to deliberately look bad)). If a homoglyph is used within a clickable link (for example), you could naively check the link and it would appear to take you to a trusted web site but you would in fact be talking to a completely separate site.

It should be noted that we are partially protected because JANET or Jisc won’t accept just any registration within .ac.uk and certainly won’t accept anything that looks like “port”.

But it is a significant problem that is commonly used by scammers undertaking phishing attacks.
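A naive string comparison is exactly what a homoglyph defeats, so a check worth having at hand is one that lists the characters in a name that are not plain ASCII and shows what the browser would actually resolve. The following is an added example, not code from the original post: it uses the deliberately crude lookalike quoted above as a constructed sample, names each non-ASCII character, applies Unicode compatibility folding (which maps characters such as the Roman numeral “ⅽ” to a plain “c” but leaves Greek or Cherokee letters alone), and produces the IDNA (“xn--”) form using the standard library. The function names are my own.

```python
"""Spot host names that rely on lookalike (non-ASCII) characters."""
from __future__ import annotations

import unicodedata

TRUSTED = "port.ac.uk"
# Constructed lookalike: the deliberately crude one quoted in the post above.
LOOKALIKE = "Ꮲοrt.ɑⅽ.υk"


def odd_characters(host: str) -> list[tuple[str, str]]:
    """Each character outside printable ASCII, paired with its Unicode name."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in host if ord(ch) > 0x7E]


def has_homoglyphs(host: str) -> bool:
    """A .ac.uk institution's host name has no business containing non-ASCII letters."""
    return bool(odd_characters(host))


def folded(host: str) -> str:
    """NFKC compatibility folding plus case folding.

    This turns compatibility characters such as the Roman numeral 'ⅽ' (U+217D)
    into a plain 'c', but Greek or Cherokee lookalikes stay as they are, so a
    name that passes a visual check can still fail an exact comparison.
    """
    return unicodedata.normalize("NFKC", host).casefold()


def wire_form(host: str) -> str | None:
    """What the browser actually resolves: the IDNA ('xn--' punycode) form,
    or None if the name is not even encodable."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


if __name__ == "__main__":
    for host in (TRUSTED, LOOKALIKE):
        kind = "lookalike" if has_homoglyphs(host) else "plain"
        print(f"{host} -> {wire_form(host)} [{kind}], folded: {folded(host)!r}")
        for ch, name in odd_characters(host):
            print(f"    {ch!r} is {name}")
```

The useful habit this encodes is to compare the folded, lower-cased name against the one you expect rather than trusting what is rendered; the wire form is what the certificate and the DNS lookup are actually for.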

Posted in General, Technical

Twitter: The Trustworthiness of The Blue Tick

If you have not heard, Twitter suffered some sort of incident recently (yesterday at the time of writing) where a number of high profile accounts were used to send out “tweets” suggesting that if you pay them some money (in bitcoin) they would return double the amount of money in bitcoin.

Twitter claims that the accounts themselves were not compromised leading us to the possibility that Twitter has (or had) a vulnerability that allowed anyone to send out tweets as anybody on Twitter – even high profile accounts with blue ticks.

There are several aspects of this story worth learning from.

Firstly, this was one of the classic “wave money to overcome suspicion” attacks – if something is too good to be true, it probably is. At the very least, you will want to check such a strange offer.

Secondly this used prominent Twitter accounts to spread their message – trying (and in some cases succeeding) to abuse an existing trust relationship. We need to be wary of uncritically trusting well known people – we assume that when a tweet appears from a well known individual that they’re the ones actually doing the typing. This isn’t always the case – even in ordinary circumstances – and when a social media giant has security vulnerabilities, that message could be from any criminal.

If a well-known person says something out of character, that message should be viewed with suspicion.

Third, this scam used bitcoin as a payment method. Whilst bitcoin has legitimate purposes, it is also widely used by criminals as the “money” doesn’t go through banks. Any mention of bitcoin should cost a message a touch of credibility; in combination with other factors it could be the deciding factor.

Lastly, look at the “Only doing this for 30 minutes” … if anyone tries to rush you into a decision, they are quite possibly up to something, and you should spend some extra time thinking about it.

It is not any one thing that protects us, but a combination of indicators that tip the scales of suspicion into distrusting a message.

Posted in Active Attacks, General

The VPN, Facebook, and China

We have had at least two reports that some people logged in to our GlobalProtect VPN are also logging into Facebook, examining their current Facebook logins and finding that they’re unexpectedly logged in from China (or Qatar).

This is not the case; we believe that Facebook is “confused” about the location of certain network addresses.

To see where you are logged into Facebook from, choose the downward pointing arrow in the blue Facebook menu bar – it’s next to the question mark at the end at the right. From the drop down menu that appears, select “Settings”.

This changes the page to show your settings with a series of links down the left of the window; select “Security and login” and the main area will change to show various bits including a section marked “Where you’re logged in”.

(This is my list – it is more likely to show “Windows” than “Linux” for you).

Next to the best guess at the operating system of a particular device you can see where Facebook thinks you are logged in from. If you hover the mouse pointer over that location, it will reveal the network address you are logged in from …

This shows the incorrect (and potentially worrying) location of Shanghai, China. However the network address shown when hovering the mouse pointer over the location shows an address beginning with 148.197.

This indicates that :-

  1. The network address belongs exclusively to the University.
  2. The network traffic that originated with your PC (or other device) was routed through the VPN and went directly from there to Facebook.
  3. At no point is there any indication that this traffic went anywhere near China.

The problem is with Facebook who have apparently got a corrupt “GeoIP” database.

Posted in Active Attacks, VPN

VPN or GlobalProtect Performance Issues

On occasions over the last few months, IS has been contacted with regard to network performance issues in relation to the VPN (the GlobalProtect VPN). As a result we have built up some recommendations that may be helpful to others experiencing this.

To start with, our VPN is unlikely to be the root cause of any performance issue. Whilst many places’ VPN gateways have suffered because of the increased usage during the lockdown period, this is typically because they utilise a separate hardware device to provision the VPN, and that device is sized for the usual usage pattern.

In our case, our VPN gateway shares the hardware with the main university firewall and so shares its capacity – essentially bandwidth that was previously available for on campus usage is now available for VPN usage (it’s a bit more complex than that, but is a reasonable approximation). In addition the firewall went through a hardware refresh last year, so it is currently running on relatively new hardware and has plenty of capacity available.

Testing

There are many ways of testing the bandwidth available via a network connection, but to keep things simple the suggestion is to use the test at https://speedtest.net/. Bear in mind that we’re not so much trying for an accurate test, but a relative speed :-

  1. Measure using the above speedtest with the VPN turned off. The result will be in megabits per second (or Mbps).
  2. Measure again with the VPN turned on.
  3. Finally calculate the relative speed with :-
percentage = ( (VPN turned on) / (VPN turned off) ) * 100

This will give a percentage result indicating what proportion of your basic Internet speed is available with the VPN turned on. A good result is anywhere more than 80%.

If you get a reasonable result and your VPN performance is still poor, bear in mind that the overall speed of the network connection has a bearing – whilst some things will work fine (if sluggishly) below 10Mbps, other things will start to break when things get too slow.

If your overall performance is poor, you may have no other option than to upgrade or change your ISP to get better performance. But bear in mind the next section!

Wireless

Whatever variety of wireless you are running at home, it can be subject to interference issues. And these are not always constant – interference can change according to the time of day (and the usage of wireless).

Firstly wireless is a shared media – my phone right now can see over a dozen wireless networks to connect to, and whilst not everyone lives in such a dense environment, any busy wireless network nearby will have an effect on how much traffic can travel through your wireless network.

Secondly wireless does not necessarily travel very well – walls (especially thick brick or stone walls) can attenuate the signal and cause a severe impact to wireless performance. For example, my home office is upstairs and at the back, whereas my wireless routers are downstairs at the front – trying to use wireless from my home office would be an exercise in frustration at the continual disconnections and abysmal performance.

So our very first recommendation is to plug your PC directly into your broadband router with a cable; even as just a test to confirm (or not) that the wireless network is problematic.

Dangling a cable all the way through a house (or flat) is not a sensible (or safe) solution, so for years I have been using a TP-Link powerline adapter – two boxes which plug into a wall power socket, and effectively “bridge” a network cable across the house power lines. A link to a similar product can be found here (other suppliers exist; other products exist; all relevant disclaimers about this not being an official recommendation, etc).

Routers

Domestic routers tend to be engineered to prioritise economy over robustness and longevity.

In some cases such routers can get slower over time if they are left on continuously. It can be worth trying to restart the router (remove power, wait 5 seconds, restore power) to see if that improves matters. If it does, you can restart it on a regular basis – once a month or once a week.

In other cases, if you have an older router it may have started to go wrong, or simply one of its internal components might not be keeping up with the amount of bits going through it. There is not much you can do about this other than to replace the router.

If your ISP supplied the router and it is quite old (5 years or more), it may be worth asking your ISP if an upgraded router is available.

The PC

How healthy is your PC? Particularly if it is a self-managed device (i.e. one you own).

If you are lucky enough to be able to have a spare PC or laptop (or can borrow one from someone else in the family), it may be worth installing GlobalProtect onto it and retrying the speed test. If borrowing from one of the family, make sure that their VPN connection is turned off (there is no need to uninstall it!) – two VPNs turned on at the same time will yield surprising and unfortunate results!

The other possibility is to try and borrow something from IS, although at the current stage of the academic year they may be in rather short supply.

Virgin Media Cable

Virgin is a popular choice for supplying an Internet connection given the speeds they provide. However we (and JANET, the university’s ISP) believe that Virgin Media has an intermittent problem relating to the performance of VPN traffic being routed to the academic networks – it isn’t just us.

Many people will not notice because the difference between 150Mbps and 200Mbps isn’t sufficient to cause a significant problem, but in some cases it can.

There is not a great deal IS can do about this – we can’t log faults for connections that we are not the customer for! JANET themselves are in contact with Virgin, but it may help if you are experiencing issues to :-

  1. Run through the various steps in this article to try and indicate that the problem is with Virgin.
  2. Emphasise to Virgin that we (the university) do not believe the VPN gateway to be the root cause of the problem, and that non-Virgin customers do not see a huge performance hit when using the VPN.

Virgin are unlikely to escalate the call priority for just one person, but if they receive a pattern of similar calls it increases the chances of more senior engineers (and perhaps managers setting policy) paying attention.

Posted in General, VPN

Dealing With Suspicious Emails

From time to time, we all receive emails at work that we regard as a little suspicious (if you do not, it is quite possible that your suspicion level needs to be increased). What should we do with those emails?

The traditional advice has been to check with a colleague and/or forward them to the IS ServiceDesk. That remains the advice, but NCSC now has a new service to which suspicious emails can be submitted.

If the email does not contain confidential information, the advice is now to forward suspicious emails to the IS Service Desk (servicedesk@port.ac.uk) as well as the NCSC SERS (report@phishing.gov.uk).

The latter will contribute towards blocking and taking down malicious web sites – something which we cannot do ourselves.

In addition you can also use it for reporting suspicious emails received at non-work addresses.

You can read more about the NCSC SERS service at https://www.ncsc.gov.uk/information/report-suspicious-emails.

Posted in Email