Have You Changed Your Myspace Account Password Recently?

Don’t laugh.

Some of us who have been around for more than a few years may well have used a Myspace account at some point in the past. You may also have set that account up with a password weaker than the kind you would use today (hopefully it is weaker, anyway!). On top of that, Myspace has been compromised and up to 360 million sets of account details have been leaked.

You may very well think that your myspace account is no longer of interest to you – fair enough. But you should ask for it to be deleted if that is the case. And if not, you should change your account password.

But there is a general point here. If you have old accounts on old services then you should go back and change the passwords to something stronger; if you do not want to be bothered, you should request that the account is removed. And if the old password was ever reused on another account, change it there as well: a leaked password is tried against every other service the attackers can think of.

Posted in Passwords | Tagged , , | Comments Off on Have You Changed Your Myspace Account Password Recently?

Sending SurveyMonkey Questionnaires Without Being “Spammed”

We recently encountered an issue where somebody attempted to send a questionnaire constructed in SurveyMonkey to a number of students and some deliveries were made to the students’ spam folders.

Which is obviously sub-optimal.

Unfortunately we do not fully control how Google decides which messages are spam, so we cannot easily ensure that such questionnaires are delivered to everyone’s inbox. SurveyMonkey themselves have some advice on avoiding being dropped into the spam folder.

After thinking about it for some time, a far more reliable method came to mind. It is slightly more work, but should in theory be more reliable for ensuring that everyone gets a chance to fill in your questionnaire.

The answer is, when creating your survey, to get a link to the survey rather than have SurveyMonkey email it out for you (the “most popular” option).


This gives you a web site address that will look something like https://www.surveymonkey.co.uk/r/G9K3RQP. You can then write an ordinary email in your Google Mail client explaining what the survey is about and paste in that web site address.

Because it comes from within Google, the mail is somewhat more trusted than email from outside, so it should be less likely to be filed into the recipient’s spam folder.

Posted in Email | Comments Off on Sending SurveyMonkey Questionnaires Without Being “Spammed”

Be Careful What You Screenshot …

One of the latest stories from the security world is about a Christian pastor caught undertaking the kind of web browser activity you would not expect (or maybe you would). He had taken a screenshot (presumably to capture the results of a search) which, in addition to the information he expected, also contained the titles of the web pages open in his other tabs.

However amusing (or not) we may find this story, it is a good reminder that whenever we distribute information of any kind it is worth bearing stories like this in mind and checking what else is in it.

  • If you are sending someone a screenshot, either make sure the rest of the screen does not contain information you do not want to be disclosed, or edit down the screenshot so that it only shows the area of interest (i.e. just the error message).
  • If you are forwarding an email onto someone who has not been part of the discussion, is there part of the email that you should possibly not share? Forwarding a whole chain of conversation has led in the past to legal action!
  • When sharing a Google document in editable form, does the revision history contain any embarrassing revisions? Anyone with rights to edit can browse through every version of that document!
Posted in General | Comments Off on Be Careful What You Screenshot …

Apache: Using X-Frame-Options To Evade Click-Jacking

Click-Jacking. The Wikipedia article tells you all about it.

This posting is about how to stop security scans flagging your site as vulnerable to click-jacking, if you are using the Apache web server software. If you’re using IIS, you are on your own for now (but searching for “IIS X-Frame-Options” will get you started).

The aim here is to change the configuration of Apache to send an X-Frame-Options HTTP header saying “don’t embed this page in a frame”. This involves changing the Apache configuration file(s).

Firstly make sure that you are loading the Apache module to modify HTTP headers :-

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

This may be enabled by default on less minimalistic Linux distributions (on Debian and Ubuntu, a2enmod headers does the same thing). Next add the following, either in the main server configuration (where it applies to every virtual host) or inside each virtual host :-

Header always set X-Frame-Options "DENY"

Use set rather than append: append merges with any value already present into a comma-separated list, which browsers treat as invalid and ignore. The always keyword makes the header go out on error responses (404s and the like) as well as successful ones, which is where scanners often catch you out.

The two reliably supported values for the word at the end are: DENY (don’t permit framing at all), and SAMEORIGIN (only permit framing by pages from the same site). A third, ALLOW-FROM with a URI, is not supported by all browsers and should be avoided.
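A complete minimal configuration, as an added example rather than something from the original posting (the module path, server name and document root are assumed):

```apache
# Added example: send X-Frame-Options on every response from this server.

# 1. Load mod_headers. Path assumed for a Debian-style layout; on Debian and
#    Ubuntu "a2enmod headers" creates this line for you.
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

# 2. Set the header in the main server context so every <VirtualHost>
#    inherits it. "set" replaces any existing value; "append" would merge
#    into "DENY, DENY"-style lists that browsers ignore. "always" covers
#    4xx/5xx responses too.
Header always set X-Frame-Options "DENY"

# 3. A site that legitimately frames its own pages can override per host.
<VirtualHost *:443>
    ServerName intranet.example.com
    DocumentRoot /var/www/intranet
    Header always set X-Frame-Options "SAMEORIGIN"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html
    # No override here: inherits DENY from the main server config.
</VirtualHost>
```

After apachectl configtest and a reload, check both a normal page and a page that does not exist, since the error response is the one people forget: curl -sI https://www.example.com/ | grep -i x-frame-options and the same again for /does-not-exist. Modern browsers also honour the frame-ancestors directive of Content-Security-Policy, which supersedes X-Frame-Options, but the X-Frame-Options header is still what most scanners look for.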

Posted in Technical | Tagged , , | Comments Off on Apache: Using X-Frame-Options To Evade Click-Jacking

Ransomware for OSX

It turns out that ransomware is no longer just for Windows; OSX has it too.

If you use the OSX version of the Transmission Bittorrent client, you may want to check what version you are running because version 2.90 was in some cases infected with the first effective ransomware malware for OSX.

Posted in Active Attacks, Malware | Comments Off on Ransomware for OSX

Firewall Vulnerability Alerts

We are just about to enable something that will email people when there is a critical firewall alert relating to an attempted exploit.

During normal web browsing activity (although not when the web site is encrypted with https), the firewall keeps an eye on the “stuff” that is coming back from the web site. If it spots an attempt to exploit your web browser, it will block it, and log the details into the firewall logs.

We are then post-processing the firewall logs to send out these alerts.

What Should I Do With One?

First of all, don’t panic. You do not have to do anything if you receive an alert.

The firewall has blocked the attempted exploit, and the likelihood is that unless you are running an outdated web browser it wasn’t likely to work anyway. Of course if it was an attempted exploit against Adobe Flash, or Java, then it could well have worked if the firewall had not blocked it.

The alert is simply a mechanism to let you know that the firewall has protected you. It’s also an indicator that letting outdated software (web browsers, plugins like Flash and Java) loose on the Internet is going to lead to tears.

But I Keep Getting Them

In normal circumstances, just about anyone can expect the occasional alert from the firewall. If you keep getting alerts day after day (you shouldn’t get more than one alert per day!), then it may well be worth seeking advice because the level of alerts is unusual.

Amongst other things it may well be worth spending some time getting acquainted with security advice – if you’re getting attacked more often than is commonly the case, it makes sense to find out about protection.
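To make the post-processing concrete, here is an added example (not the script the firewall team actually runs) that turns critical block events from the firewall logs into per-user alert messages and picks out anyone getting more than one alert on a single day, the “seek advice” case above. The log format, field names and the one-per-day threshold are assumptions; the log lines are constructed for the example.

```python
"""Post-process firewall logs into alerts.

Added example, not code from the original post: the log format, field
names and threshold are assumptions made here for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed key=value format: timestamp,
# severity, what the firewall did, the threat name, client IP and user.
SAMPLE_LOG = """\
2016-03-01T09:12:44Z severity=critical action=block threat="ANGLER Exploit Kit" src=10.1.2.3 user=alice
2016-03-01T09:14:01Z severity=info action=allow threat="-" src=10.1.2.3 user=alice
2016-03-01T11:40:09Z severity=critical action=block threat="ANGLER Exploit Kit" src=10.1.2.3 user=alice
2016-03-01T13:05:30Z severity=critical action=block threat="Adobe Flash Exploit" src=10.1.2.9 user=bob
2016-03-02T08:00:12Z severity=critical action=block threat="ANGLER Exploit Kit" src=10.1.2.3 user=alice
2016-03-02T10:22:45Z severity=critical action=alert threat="ANGLER Exploit Kit" src=10.1.2.9 user=bob
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) severity=(?P<sev>\S+) action=(?P<action>\S+) '
    r'threat="(?P<threat>[^"]*)" src=(?P<src>\S+) user=(?P<user>\S+)$'
)


def parse_log(text):
    """Yield one dict per parsable line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec


def critical_blocks(records):
    """Only critical events the firewall actually blocked are worth an alert."""
    return [r for r in records if r["sev"] == "critical" and r["action"] == "block"]


def alerts_per_user_day(records):
    """Count blocked exploit attempts per (user, 'YYYY-MM-DD') pair."""
    counts = defaultdict(int)
    for r in critical_blocks(records):
        counts[(r["user"], r["ts"].strftime("%Y-%m-%d"))] += 1
    return dict(counts)


def alert_messages(records):
    """One 'don't panic' message per blocked attempt, ready to be emailed."""
    return [
        f"{r['ts']:%Y-%m-%d %H:%M} {r['user']}@{r['src']}: firewall blocked "
        f"'{r['threat']}' - no action needed unless this keeps happening"
        for r in critical_blocks(records)
    ]


def unusual_users(records, per_day_threshold=1):
    """Users exceeding the threshold on any single day: the 'seek advice' case."""
    return sorted({user for (user, day), n in alerts_per_user_day(records).items()
                   if n > per_day_threshold})


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    for msg in alert_messages(recs):
        print(msg)
    print("Unusual level of alerts:", unusual_users(recs))
```

Note that the “alert” action on the last line is deliberately not counted: an event the firewall only logged but did not block is a different conversation, and mixing the two would make the daily threshold meaningless.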

What Is The “ANGLER Exploit Kit” ?

By far the most common thing the firewall is blocking (at least for desktop machines; servers see a whole different bunch of exploits) is the various versions of the “ANGLER Exploit Kit”.

This is a particular brand (i.e. it is sold by one particular gang of criminals) of web-browser exploit kit. When you make a connection to a web server that has the ANGLER exploit kit installed, it will respond with attacks tuned to your browser – so if you are running Internet Explorer, it won’t bother using Chrome vulnerabilities, and if you have Flash installed it will try to exploit that.

Essentially there are thousands of different ways of exploiting a vulnerability in your browser’s execution environment, and an exploit kit makes it easier for criminals to pick the right set of exploits to try against you.

Once it has successfully exploited your browser it will probably try to get your browser to download further malware that will persist on your machine, spy on what you are doing, and leak your banking credentials up into the cloud.

But the firewall has blocked it.

How Can I Protect Myself At Home?

At work, the firewall protects you (except if the web site is encrypted with https). But at home?

There are two methods you can use to protect yourself at home. If you are engaged in work activities, there is a lot of sense in using the VPN (see http://ithelp.port.ac.uk/questions/433/ for instructions). With the VPN turned on, all your Internet activity will go via the firewall (wherever you may be), so you will gain the added protection of the UoP firewall.

If that is not an option you are comfortable with, then you can look at more conventional methods of protection, which are detailed below.

Check Your Anti-Virus Protection

Although not a guarantee of protection, having anti-virus protection on your PC is certainly a last level of defence against getting infected with something nasty. It is not just a matter of having an anti-virus product installed, you should also periodically check that it is still healthy and getting updates.

It is not unknown for people to not be aware that their antivirus subscription has lapsed and they are not getting updates. How do we know this? Because such people get infected.

Different antivirus products operate differently, but if you happen to be using Windows Defender (built into Windows 10), then hit the Start button, search for Defender, and then run “Windows Defender” (which should appear in the search results).

You should then be able to get to a screen looking like :-


As long as the “Definitions last updated” field reads as the current day, then updates are being applied.

Is Your Browser Updated?

The very first avenue of attack for an Internet hacker is the browser you are using. If it has not been updated recently, then it is almost certainly vulnerable to being exploited. Recent versions of browsers try to update themselves automatically, but automatic things go wrong occasionally!

For details of updating browsers see the relevant link below :-

But I Need IE6 For …?

If you require an ancient web browser version for a particular site (such as your bank), then there are two recommendations :-

  1. Contact your supplier and complain about having to use an insecure web browser.
  2. Use your ancient browser only for the site in question; use a modern browser for everything else. It’s perfectly possible to run more than one web browser; even at the same time!

Flash: Just Say No, or at Least Opt In

The Adobe Flash plugin is the attackers’ weak spot of choice at the moment. It seems to be riddled with vulnerabilities, and rarely does a week go by without a firewall content update to combat new Flash vulnerabilities.

The extremist solution to this problem is to remove the Flash plugin, but there are all those sites that still insist on using Flash for interesting (or fun) content. There is an intermediate level of protection you can use (at least with Chrome).

To do this, find Chrome’s Settings menu item, click on the Show Advanced option, scroll down to Privacy, click on Content Settings, and scroll through the pop-up until you see the settings for Plug-ins :-


Select the “Let me choose when to run plug-in content” and then the Finished button. Once enabled, flash content will appear on a web page like the following :-


If you want to enable the plugin for a particular part of the page, move the mouse pointer into the relevant area and right-click. The menu that appears will have a “Run this plug-in” item to select. Once selected the content will be downloaded and run.

Posted in Active Attacks, Firewall | Tagged , , , , , | Comments Off on Firewall Vulnerability Alerts

Ransomware shuts local authority

Lincolnshire Council’s information systems were held to ransom on Tuesday, 26 January – for £1m to reinstate access. The breach was caused by a member of the council clicking on a link within a spam email.

So what can you do so it doesn’t happen here?

University “Managed Service” computers will have security updates installed automatically.  However, if you are using a ‘department’ or ‘project’ computer then extra caution is required.  If you are unsure – contact IS on ext 7777 for advice.

  1. Back up your important data to your Google Drive. If it’s already on your Google Drive then you should be OK. If your data is really critical to you then also copy it to an external drive, and disconnect that drive when the copy is finished (ransomware encrypts any drive it can reach). Ask your service delivery manager for advice.
  2. Don’t click on email attachments, especially ones you were not expecting.
  3. Make your computer safe. Invest in anti-virus or anti-malware software from a reliable company.
  4. Keep the operating system, security programs and other applications updated; out-of-date software just doesn’t work properly. Make sure automatic updating is turned on.
  5. If you’re the victim of a ransomware attack – don’t panic and don’t pay. Payment won’t guarantee that your data will be restored.
Posted in Uncategorized | Comments Off on Ransomware shuts local authority

Have You Received An Invoice Spam?


The following is one of a number of spam messages that I received yesterday; all carefully filed away in the spam folder.

To Whom It May Concern,

Please find attached an invoice relating to Penalty Charge Notice Number IA54236946 along with a copy of the contravention.

In order to prevent this fine from escalating further we have paid this fine on your behalf. Should you have any queries concerning these charges please don’t hesitate to contact me.

Payment for this invoice will be taken by Direct Debit 9 working days from the date of this email.

Please refer to page 2, point 3.6 in your Terms and Conditions for information on Traffic Offences.



[invoice54236946.doc application/msword (23129 bytes)]

If you received something similar (and you probably did), the following may be of some interest.

Of course it was a spam message, and of course the attachment was a malware payload (which would not have been detected by the majority of anti-virus engines). The interesting thing (and an opportunity to demonstrate something) was that many of us will have received a number of copies.

I saved 14 copies of the attachment (don’t try doing this unless you really know what you are doing), and all were different. The files were all multi-part MIME files containing a JavaScript and a binary. The binaries were all different.

Loading one of them into VirusTotal revealed only 3 AV products detected malware :-


Three on the day after; on the day itself it was only two.

This illustrates several things :-

  1. Malware writers are still attempting to infect computers with nothing more sophisticated than click-to-infect where you rely on someone doing something less than clever.
  2. Malware writers are producing malware that morphs per message. It is possible that this invoice malware has a different binary signature for every single copy that was sent out (and it was probably millions sent out).
  3. Anti-virus products don’t detect this malware at the initial stages (a detection rate of around 5% of engines is small enough to say “don’t rely on it”).
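The “every copy is different” observation in point 2 is easy to verify for yourself on a batch of saved messages without ever opening an attachment. The following is an added example (not anything from the original post): it parses raw messages with Python’s standard email library, pulls out the attachments, and compares their SHA-256 digests. The messages below are constructed stand-ins with harmless placeholder bytes in place of the malicious .doc; only the first invoice number is the one from the message above.

```python
"""Compare attachments across copies of the same spam run.

Added example, not from the original post: the messages are constructed
here, with placeholder bytes standing in for the malicious attachment.
"""
import hashlib
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser


def build_sample_message(seq, payload):
    """Constructed stand-in for one copy of the 'Penalty Charge Notice' spam."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = f"Penalty Charge Notice IA{seq}"
    msg.set_content("Please find attached an invoice relating to Penalty Charge Notice ...")
    msg.add_attachment(payload, maintype="application", subtype="msword",
                       filename=f"invoice{seq}.doc")
    return msg.as_bytes()


# Three copies: two with different payloads (as in the post) and one exact
# duplicate of the first, so the comparison has both cases to show.
SAMPLE_MESSAGES = [
    build_sample_message(54236946, b"PLACEHOLDER PAYLOAD A"),
    build_sample_message(54236947, b"PLACEHOLDER PAYLOAD B"),
    build_sample_message(54236948, b"PLACEHOLDER PAYLOAD A"),
]


def extract_attachments(raw):
    """Return (filename, content_type, bytes) for every attachment in a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [(part.get_filename(), part.get_content_type(), part.get_payload(decode=True))
            for part in msg.iter_attachments()]


def attachment_digests(messages):
    """Map SHA-256 hex digest -> filenames whose content hashed to it."""
    seen = {}
    for raw in messages:
        for name, _ctype, data in extract_attachments(raw):
            digest = hashlib.sha256(data).hexdigest()
            seen.setdefault(digest, []).append(name)
    return seen


def distinct_variants(messages):
    """Number of byte-distinct attachment variants in the batch."""
    return len(attachment_digests(messages))


def risky_attachments(raw, risky_types=("application/msword", "application/vnd.ms-excel")):
    """Names of attachments whose declared type is one commonly abused by click-to-infect spam."""
    return [name for name, ctype, _data in extract_attachments(raw) if ctype in risky_types]


if __name__ == "__main__":
    for digest, names in attachment_digests(SAMPLE_MESSAGES).items():
        print(digest[:16], names)
    print("distinct variants:", distinct_variants(SAMPLE_MESSAGES))
```

Run against 14 real copies you would expect 14 distinct digests, which is exactly why signature-based anti-virus scores so badly on the first day: there is no single hash to add to the blocklist. Do the saving and hashing on a machine you do not care about, and never double-click the extracted files.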
Posted in Active Attacks, Email | Comments Off on Have You Received An Invoice Spam?

OSX Malware: Yes It Does Exist!

One of the messages that we are regularly trying to push is that malware on Apple devices can and does exist. We have even encountered a few infected Apple laptops! It is easy to overlook amongst the ever rising flood of Windows-based malware that OSX malware is also a problem.

(Sourced from https://www.av-test.org/en/statistics/malware/ and yes there is something about January 2016)

The grand total for each month is a bit deceptive; whilst there are hundreds of millions of different malware payloads each month, most of them are variations on a theme. Initially the comparison with OSX malware instances is amusing :-

(Sourced from: http://www.bleepingcomputer.com/news/apple/2015-was-the-worst-in-history-for-osx-malware/)

After all 100,000,000 is far greater than 1,000; a hundred thousand times greater in fact. But you will probably find the overall total is far lower than it appears to be, and it essentially does not matter – the risk of getting infected with malware is not directly related to the number of malware instances there are out there.

It is in fact related to the number of infections and the behaviour patterns of the person who gets infected. Refusing to believe that OSX computers can get infected is one behaviour pattern that increases your chances of getting infected!

After all, the number of malware payloads out there in the wild is irrelevant; it is the malware payload that is running on your computer that counts.

So if you are running OSX, what should you do? Various things :-

  1. Keep your major version of OSX up to date. As of 2016-01-06, you must not be running anything earlier than 10.9, and there is really very little reason not to upgrade to 10.11.
  2. Keep your minor version of OSX up to date. You should check for updates in the App store every couple of weeks (or more often) and apply updates when they become available.
  3. Consider running an additional anti-virus package such as Sophos. Whilst Apple provides its own anti-malware protection mechanisms (including a conventional anti-virus product), it can make sense to run additional protection.
  4. Avoid clicking on links in messages (of any kind).
  5. Avoid downloading software from untrusted sources – peer to peer networks are infamous sources of malware-infected software packages. In fact, always download software from its original source – the company (or freeware developer) that actually wrote it.
  6. Consider periodically (once a week if you regularly install software, but at least once a month) running a package such as KnockKnock which checks what your Mac starts automatically.
Posted in Active Attacks, Malware | Tagged , | Comments Off on OSX Malware: Yes It Does Exist!

Who Would Want To Hack My ${Device} ?

One of the most common things you hear when talking about security to ordinary people is a variation on the question asked in the subject: Who would want to hack my desktop, laptop, phone, router, intelligent thermostat, smoke detector, etc.

The easy answer is that any cyber-criminal who wants plausible deniability would.

Cyber-criminals routinely redirect their network activity through a collection of compromised devices, which can include some surprisingly modest devices – I wasn’t joking about smoke detectors!

Of course routing rogue traffic through your devices isn’t the only thing that is possible – they can use their access to your devices to sniff on what you are doing or use their access to further compromise other devices. Whilst you may not visit your bank’s website using your smoke detector, once someone has access to your smoke detector, they can use that access to attack other devices on your network.

With or without lots of technical details, the fix is to keep things updated – not just the obvious computers like your laptop, but also the devices that come under the banner of the “Internet of Things”.

Posted in General | Tagged | Comments Off on Who Would Want To Hack My ${Device} ?