Are You Ready For 2015-06-30 23:59:60?

Yes, there really is such a time as 23:59:60 … at least there is on the 30th June 2015, when a leap second is inserted into standard time (I’ll gloss over exactly what that is, as the full details would go on for some time). The leap second is inserted because atomic clocks are accurate enough, and the Earth’s rotation is slowing enough, that standard time would otherwise drift away from planetary time.

Why does this matter? Unless you are a time geek or have a serious need for time accuracy, the only aspect of this that matters is the effect on servers and services. Historically servers have not always dealt well with the insertion of a leap second – sometimes requiring a reboot. Whilst things should have improved by now, information from certain conservative vendors indicates that problems may still occur.

And what does this have to do with security? In a word: Availability. The “a” in CIA. No, not that CIA.

The Nitty Gritty

In detail, what happens when a computer inserts a leap second?

Various things, but the first thing that happens is that the computer inserts a leap second. The software used to do this (a very tiny piece of code) is obviously not called very often, and has itself been the cause of many of the problems that occurred when past leap seconds were inserted.

The next obvious thing that happens is that the leap second will cause the following sequence of time :-

23:59:58
23:59:59
23:59:60
00:00:00

The third time in the sequence, 23:59:60, is the leap second; this time does not normally appear, and poorly written software may start acting strangely when it sees it.

In addition, some systems attempt to avoid this situation by repeating a second :-

23:59:58
23:59:59
23:59:59
00:00:00

This also causes poorly written software to start acting strangely. To be fair nobody expects time to go backwards, which is what appears to happen here.

In addition software could have problems with the “incorrect” number of seconds in a minute, hour, or even day. Undoubtedly there are other potential issues too.

The Work Around

The intention is that IS will avoid the leap second issue as much as possible with a work-around. A day or two before the leap second occurs, the University NTP servers will be blocked from communicating with the world’s NTP servers so they will not learn about the leap second.

And on the morning of the 1st July, the block will be reverted and the NTP servers will catch up with the rest of the world.

Because our master NTP servers never learn of the leap second, no client NTP system will learn of it either. This should prevent the leap second issue from occurring unless :-

  1. Something is not using NTP.
  2. And it has leap second support with a recent list of leap seconds.

This work-around will mean that we are running a second ahead of “real” time for some time.
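As an added illustration (not code from the original post), here is how a log consumer can cope with the two sequences above: the parser folds 23:59:60 into the following second, because Python's datetime cannot represent it, and the anomaly check flags readings where the clock stalls or runs backwards. The sample readings and function names are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample: wall-clock readings taken once per second by a
# hypothetical logger across the 2015-06-30 leap second, first with the
# inserted 23:59:60 and then from a system that repeats 23:59:59 instead.
INSERTED = ["2015-06-30 23:59:58", "2015-06-30 23:59:59",
            "2015-06-30 23:59:60", "2015-07-01 00:00:00"]
REPEATED = ["2015-06-30 23:59:58", "2015-06-30 23:59:59",
            "2015-06-30 23:59:59", "2015-07-01 00:00:00"]

FMT = "%Y-%m-%d %H:%M:%S"


def parse_timestamp(text):
    """Parse 'YYYY-MM-DD HH:MM:SS', tolerating a leap second (seconds == 60).

    datetime cannot represent 23:59:60 (strptime raises ValueError), so the
    leap second is folded into the following second, 00:00:00 of the next
    day, rather than crashing the consumer.
    """
    try:
        return datetime.strptime(text, FMT)
    except ValueError:
        date_part, time_part = text.split(" ")
        hours, minutes, seconds = time_part.split(":")
        if seconds != "60":
            raise  # genuinely malformed input, not a leap second
        base = datetime.strptime(f"{date_part} {hours}:{minutes}:59", FMT)
        return base + timedelta(seconds=1)


def find_clock_anomalies(stamps):
    """Return (index, description) for every reading that is not strictly
    later than its predecessor, i.e. where the wall clock stalled or went
    backwards. After folding, 23:59:60 and 00:00:00 compare equal, so an
    inserted leap second also shows up here as a repeated second."""
    parsed = [parse_timestamp(s) for s in stamps]
    anomalies = []
    for i in range(1, len(parsed)):
        delta = (parsed[i] - parsed[i - 1]).total_seconds()
        if delta < 0:
            anomalies.append((i, "clock went backwards"))
        elif delta == 0:
            anomalies.append((i, "repeated second"))
    return anomalies


def safe_elapsed(start, end):
    """Elapsed seconds between two wall-clock readings, never negative.

    Code that derives timeouts or rates from the wall clock should clamp a
    negative difference to zero (or better, use time.monotonic()) instead of
    letting it flow into sleeps, divisions or scheduling decisions.
    """
    delta = (parse_timestamp(end) - parse_timestamp(start)).total_seconds()
    return max(0.0, delta)


if __name__ == "__main__":
    print("inserted leap second:", find_clock_anomalies(INSERTED))
    print("repeated second:", find_clock_anomalies(REPEATED))
    print("elapsed across the leap second:",
          safe_elapsed("2015-06-30 23:59:59", "2015-06-30 23:59:60"))
```

Anything that measures intervals (session timeouts, rate limits, certificate validity checks) should rely on a monotonic clock rather than on the wall clock, which is exactly what goes wrong in both sequences above.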


Windows Server Updates: Use The Proxy

This is a more technical note than usual because I happened to have a Windows 2012 server that was refusing to see any Microsoft updates. And as someone who goes around telling people to patch their servers, it is somewhat embarrassing to have a server that isn’t patched.

The obvious “fix” is to tell the server to use the proxy cache to request updates from. The current proxy settings can be viewed from the command-line with :-

netsh winhttp show proxy

And to set the proxy settings, simply :-

netsh winhttp set proxy wwwcache.port.ac.uk:81

(Of course if you are not on our network you will have to specify a more appropriate proxy server).

And yes, as soon as the proxy server was specified, Windows started updating healthily again.

And whilst you are about it, you may want to check the “check for updates” dialog to see if it says :-

[screenshot of the Windows Update dialog]

If it says something more like “For Windows only”, then you won’t be installing all of the necessary updates.


Why Use The VPN On A Mobile Device?

One of the things that has surprised me during the project to implement a new VPN (more news of which will come shortly), is the number of people who wonder why anyone would want to use the VPN on a mobile device.

The obvious reason to use a VPN is to connect to the University and use the resources as if you were present on campus. Given that Google Apps is available without going through the University, there is less need for that these days.

It is probable that the only University resources a remote worker needs to connect to are ones that are only useful on a desktop or laptop computer, which makes using a VPN on a mobile device seem unnecessary.

However there is a very good reason for using a VPN on a mobile device especially for people who travel a great deal and connect their mobile device to many different sorts of networks. And that is to gain a level of assurance that the network traffic to and from that mobile device is encrypted to prevent eavesdropping.

There are many public WiFi networks in the world, and these can be targeted by attackers for information gathering purposes (i.e. what your account credentials are). And indeed even for network impersonation – if you use “The Cloud” extensively, an attacker can pretend to be “The Cloud” and connect you under their control.

Using a VPN reduces the risk of using unknown WiFi networks, so it is actually quite a sensible thing to do.


MS15-034 Information …

This entry is chiefly intended as a collection of links to further information on MS15-034 which was announced this Tuesday. This vulnerability is found within the Microsoft Windows component that allows various packages to listen to HTTP requests – the obvious one being IIS, although there are many other software packages that use the vulnerable component.

The vulnerability lies in a kernel accelerator for web servers, specifically in the feature that allows a client to fetch ranges of an object. The exploit for the vulnerability comes in three different guises :-

  1. An informational probe. If an “attacker” requests a range starting with 0, then the response indicates whether the server is vulnerable or not.
  2. A denial of service attack. If the attacker requests a range starting with 20 (or higher), then the server is blue-screened (i.e. it crashes).
  3. A remote code execution attack. If the attacker requests an unknown range then the attacker may in theory be able to execute their own code on the server. Essentially they take over ownership of the server.

In terms of what we have actually seen, attack traffic has been limited to sources that are apparently just scanning for vulnerable systems. But we have seen it.

There are plenty of media reports panicking over it right now, but whilst it is a serious vulnerability, it is not as serious as it first seems. The remote code execution vulnerability is theoretical at the moment and there is a really rather simple work-around for those who cannot patch.

Links :-


Lock Up Your Computer: It’s A Portal Into Your Life


As we do more and more online, it is easy to overlook just how critical security can become, with consequences varying from losing the only photos of your offspring’s first year of life to having your bank accounts emptied.

As the cartoon implies, the standard security of an operating system will protect the system itself from any changes. But an unlocked laptop gives access to everything else you have logged into on the web (or other mechanisms).

So lock it!


Public PCs Are Risky PCs

In various places you will find hints that security people really don’t like people to use public PCs in places like cyber cafés, etc. It turns out that this is not just a theoretical risk, but a genuine threat that has been seen for real.

Krebs on Security has a report indicating that not only are key loggers in use around public PCs in hotels, but that they are common enough that it is worth making special mention of them.

Whilst very convenient, whenever you use a public PC under the control of a third party, you never have full assurance that the PC is behaving properly and not stealing all your personal details.


The Password Audit

If you have received an email claiming that you have a weak password, or you happen to read this blog posting, then this post explains the process used in the password audit. And yes, IS is sending out emails to those with weak passwords letting them know. If you are reading this just to find the link to change your password, click the relevant link below :-

If you have changed your password after November 2014, then any emails you receive from the password audit are in relation to your old password. However you may still wish to follow the advice to set a long and strong password if your new password is similar to your old password.

Selecting A Long And Strong Password

Choosing a password is of course up to you, and any method of choosing a password that generates a long and strong password is perfectly valid. However if you have been notified that your password is weak, you may wish to pay attention to the advice within the email and here. The method we suggest is to pick three to four words. Preferably at least one should be rare, and the sequence of words should not make sense. Separate each word with a symbol (“=” or something) – not a space! The two examples given in the email should demonstrate :-

  1. Blue / Parrot / Police / Boodle
  2. Tree ( Blink ( Bubble ( Whistle

If you choose another method, the following are things you should not do :-

  1. Use a single word, whatever kind of transformation you apply to it.
  2. Use any word that has meaning to you. Using your pet’s name, birthplace, etc. in a password makes an attacker’s life much easier.
  3. Use a short password (anything less than 8 characters).
  4. Use any example of a strong password (such as those above). By its very nature an example of a strong password demonstrates what a strong password should look like, but is itself weak because it is known. Well-known passwords such as the xkcd example “correcthorsebatterystaple” are found in any attacker’s dictionary.
  5. Assume that because you know a language other than English, an attacker won’t. In fact attackers know far more languages than you do (they use multi-lingual dictionaries).
  6. Use predictable sequences of characters found on the keyboard (“qwerty”, etc.). Attackers have all those kinds of sequences in their dictionaries.
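An added example (not the IS team's own audit tooling) that generates a passphrase following the three-or-four-words-with-a-symbol advice above and checks a candidate against the “do not” list. The word list, symbol set, keyboard sequences and function names are constructed for this example; personal information such as a pet’s name cannot be checked offline and is left out.

```python
import re
import secrets

# Constructed sample word list; a real generator would draw from a list of
# thousands of words so that at least one rare word can be included.
WORDS = ["tortoise", "hammer", "nylon", "granite", "lantern", "saffron",
         "kestrel", "pulley", "quartz", "velvet", "orchid", "bramble",
         "sextant", "marble", "ferret", "gimbal", "plinth", "walnut"]

# Symbols suitable for separating words (the advice is a symbol, not a space).
SEPARATORS = "!$%&()*+,-./:;<=>?@[]^_{|}~"

# Passwords quoted as examples on this page, plus the xkcd one it mentions.
# They are compared letters-only, so "Blue / Parrot / Police / Boodle" matches.
PUBLISHED_EXAMPLES = {"blueparrotpoliceboodle", "treeblinkbubblewhistle",
                      "correcthorsebatterystaple"}

# Keyboard walks found in attacker dictionaries (constructed, not exhaustive).
KEYBOARD_RUNS = ["qwerty", "qwertz", "azerty", "asdfgh", "zxcvbn",
                 "12345", "09876"]


def generate_passphrase(n_words=4, separator=None, words=WORDS):
    """Build a passphrase of three or four words joined by one symbol."""
    if not 3 <= n_words <= 4:
        raise ValueError("use three or four words")
    sep = separator if separator is not None else secrets.choice(SEPARATORS)
    if sep == " ":
        raise ValueError("separate words with a symbol, not a space")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def weak_password_reasons(password):
    """Return the reasons a candidate breaks the 'do not' list above.

    These are heuristics: a single word with digits or symbols bolted on
    shows up as fewer than three separated tokens, a published example is
    matched on its letters alone, and keyboard walks are matched forwards
    and backwards.
    """
    reasons = []
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    tokens = [t for t in re.split(r"[^a-z0-9]+", lowered) if t]

    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if letters_only in PUBLISHED_EXAMPLES:
        reasons.append("published example password")
    if len(tokens) < 3:
        reasons.append("fewer than three separated words "
                       "(single word plus transformations)")
    for run in KEYBOARD_RUNS:
        if run in lowered or run[::-1] in lowered:
            reasons.append(f"contains keyboard sequence '{run}'")
            break
    return reasons


if __name__ == "__main__":
    candidate = generate_passphrase()
    print(candidate, "->", weak_password_reasons(candidate) or "no problems found")
    for sample in ["P@ssw0rd1", "qwerty12", "correcthorsebatterystaple",
                   "Tree ( Blink ( Bubble ( Whistle"]:
        print(sample, "->", weak_password_reasons(sample))
```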

What Is A Weak Password?

There are probably nearly as many definitions of what a weak password is as there are security researchers, and many of the definitions will travel down the path of information entropy which whilst academically interesting is not especially useful. It is almost an arbitrary choice as to what definition to use. However the IS Security Team have decided to define a weak password in a manner that becomes relatively easy to test :-

A weak password is a password that an attacker can obtain by running password cracking tools against the password hash within a reasonable amount of time using commodity hardware (1 day).

Whilst this definition may be gibberish to many, it does have certain advantages – we can use standard password cracking tools to determine whether an account password is weak or not, using a very similar methodology to the attacker. And a password’s role is to defeat an attacker, not to meet an arbitrary standard for strength.

But Password Hashes Are Not Public

Attacking password hashes might be considered to be a bit of a cheat. Most password attacks that we see are those where the attacker guesses the password. However :-

  1. Attacking the password hash will get easily guessed passwords.
  2. Raising the bar a bit above where the attackers are seems to be a sensible precaution.
  3. Just because we do not see more sophisticated attacks does not mean they are not happening.

Whilst password hashes should not be visible to an attacker, there are many circumstances where they are. The standard methodology for an attacker breaking into a server is to dump any available password hashes to be attacked; an attacker who steals your laptop can do the same. Attacking the hashes is also the least disruptive password strength test we can run. Other methods (guessing) run the risk of causing account lockouts; attackers cause enough of these, and we do not want to add to the problem!

What Were The Results?

Obviously the results may well be considered to be sensitive. If I get the authority to publish the results, they will be made available here. However I can say that the technical part of the password audit has completed, and there are a large number of accounts with weak passwords.

And The Email?

Performing a password audit is one thing, but what do you do with the results? The most obvious thing to do is to send an alert to everyone who has a weak password letting them know. To avoid overwhelming the support mechanism in place, it has been decided to send out the emails over a period of time, so if you do not receive an email message today it does not mean that your password is strong.

Why?

Why should you use a strong password? For members of staff, it should be enough that your employer asks you to; it falls under the “… any reasonable request” phrase (which most of us have in our contracts). But there are good reasons in addition to that :-

  1. Using a weak password increases the likelihood that an attacker can obtain your account details and use them to attack the university. Whilst this may not have a direct impact on you, it does provide a good reason for the university to tackle the problem of weak passwords. And in some cases, your account gives you access to privileged data, so the university is required to make sure you use a long and strong password.
  2. If your university account gets compromised, one of the most obvious uses an attacker will use it for is to attempt to send large quantities of spam email. In the event this happens, your email address will suffer a permanent loss of credibility; some of your previous contacts will block all email from you. And there is nothing we can do about this.
  3. More subtly, an attacker could use your access to interfere with your academic work.
  4. Long and strong passwords are good practice, and once you are used to using them here, you will find it less inconvenient to use them elsewhere. And an attacker can do a lot more direct damage if they can access your bank accounts, social networking sites, etc.

Spam via Email

Spam is on the increase. Or it’s on the decrease.

To be honest, it’s rather difficult to say which direction spam is going in because it’s continually variable, and because frankly it is not an interesting topic to worry about in that level of detail (even though I used to produce a daily graph of the amount of spam I received for over 5 years).

It is definitely true there is a lot of it; probably far more than you realise. Most email sent on the Internet is spam (there are statistics out there but they are wildly variable), so the surprising thing is not that you sometimes get spam in your inbox (or your spam folder) but that there is little of it!

Everybody gets a different amount of spam depending on various factors :-

  1. How old your email address is. If you have had an address for a long time you will get more spam than if it has been newly created.
  2. How much you use your email address on web sites. Many web sites are known to sell lists of email addresses on to spam criminals.
  3. How well publicised your email address is. If your email address appears on a web page anywhere, it will attract spam.

One obvious strategy to reduce the amount of spam you receive is to avoid using and publicising your email address. Which rather defeats the purpose of having an email address in the first place!

Spam is just spam. An annoyance and something we could do without, but it seems to be one of those inescapable annoyances of modern life. And usually we only see the tip of the iceberg.

Google’s Anti-Spam Mechanisms

Google protects your inbox. If you have several hundred spams in your inbox right now, it won’t seem like it, but it does.

The details of the anti-spam mechanisms are either not public, or are rather too technical to go into here, but there are basically two levels of defences.

Firstly Google will block emails from arriving that it is certain are spam. These spam emails don’t get delivered; they don’t even get accepted for delivery.

Secondly, Google will attempt to classify the emails that it does accept to determine whether it has accidentally accepted spam. There are anywhere up to thousands of potential tests – whether an email is in HTML without a text part, whether it consists of just an image, whether it lacks certain email headers that are normally present, etc.

Once an email fails a certain number of those tests, it will be filed into your “Spam” folder :-

[screenshot of the author’s Gmail “Spam” folder]

That’s what my “Spam” folder looks like right now. Your folders may well look quite different. Don’t confuse this with your “Junk Mail” folder – which I commonly do! If it’s invisible, consider whether you really need to see it.
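As an added example, not Google’s code, the second level of defence described above can be modelled as a set of structural tests scored against a threshold. The three messages, the expected-header list and the threshold of two failed tests are constructed assumptions for this illustration; only Python’s standard email parser is used.

```python
from email import message_from_string

# Headers that normal mail clients set; their absence is one of the tests.
EXPECTED_HEADERS = ("From", "Date", "Message-ID", "Subject")

# Constructed sample messages (addresses use the reserved .invalid domain).
LEGITIMATE = """\
From: alice@example.invalid
To: bob@example.invalid
Date: Wed, 18 Feb 2015 11:20:00 +0000
Message-ID: <constructed-1@example.invalid>
Subject: Minutes from this morning
Content-Type: text/plain; charset=utf-8

Bob, the minutes are on the wiki page. Alice
"""

HTML_ONLY = """\
From: prizes@example.invalid
To: bob@example.invalid
Subject: You have won
Content-Type: text/html; charset=utf-8

<html><body><a href="http://example.invalid/claim">Claim now</a></body></html>
"""

IMAGE_ONLY = """\
From: offers@example.invalid
To: bob@example.invalid
Date: Wed, 18 Feb 2015 11:21:00 +0000
Message-ID: <constructed-3@example.invalid>
Subject: Special offer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/gif
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b1--
"""


def failed_tests(raw):
    """Return the names of the structural tests the message fails."""
    msg = message_from_string(raw)
    # Leaf parts only: a multipart container has no content type of its own.
    leaves = [part for part in msg.walk() if not part.is_multipart()]
    types = [part.get_content_type() for part in leaves]
    failed = []
    if "text/html" in types and "text/plain" not in types:
        failed.append("html-without-text-part")
    if leaves and all(t.startswith("image/") for t in types):
        failed.append("image-only")
    for header in EXPECTED_HEADERS:
        if msg.get(header) is None:  # header lookup is case-insensitive
            failed.append(f"missing-{header.lower()}")
    return failed


def classify(raw, threshold=2):
    """File the message as 'Spam' once it fails at least `threshold` tests.

    The threshold is an assumption for this example; the text says only that
    a "certain number" of failed tests sends mail to the Spam folder.
    """
    failed = failed_tests(raw)
    return ("Spam" if len(failed) >= threshold else "Inbox"), failed


if __name__ == "__main__":
    for name, raw in [("legitimate", LEGITIMATE), ("html-only", HTML_ONLY),
                      ("image-only", IMAGE_ONLY)]:
        print(name, "->", classify(raw))
```

The image-only message fails one test and still lands in the Inbox, which is why a single suspicious feature is rarely enough on its own and why some spam gets through.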

If you decide you do, you can choose to display the label by selecting the settings menu (it looks like a cog), selecting “Settings” and you should see something like the following :-

[screenshot of the Gmail Settings page showing the system labels]

If the word “show” next to the System label “Spam” is shown in blue, click on it.

The contents of this folder should be considered to be potentially dangerous, offensive, etc. There might be some legitimate email in there, so you are free to look through the contents to see if some has been misclassified.

If you ignore your spam folder, any of the contents older than 30 days will be removed.

But …

It’s Offensive Material

Unfortunately anyone can send email to you if they know your email address, and that includes people whose tastes include material that is offensive to you (and in many cases nearly everyone).

There is nothing more that can be done about this sort of material for our domain; Google already blocks most spam from reaching your inbox and classifies most of the remainder as spam (and files it away from your Inbox).

You can of course hide the Spam folder (see above).

Can’t You Block The Sender?

Well, we could but that would :-

  1. Cost the University a lot of money; blocking one sender is cheap of course but everyone will want to block their spam senders. That’ll be thousands per day.
  2. Be completely ineffective as senders change on a frequent (sometimes multiple times per second) basis. There is no point in blocking a sender address that will never be used again.

Of course if you have an abusive sender, IS will be happy to block that sender.

What About ….?

If you think you have discovered an anti-spam technique that Google doesn’t already know about, you are welcome to write up an academic paper so that Google can use your technique.

There is a lot of expertise at work in the anti-spam area and has been for years. Unless you are already a researcher working in this area, it is likely that you have come up with an idea that has already been considered.

And What Is The “Junk Mail” Folder?

Earlier I mentioned that it is possible to confuse the “Spam” folder with the “Junk Mail” folder. If you do not have a “Junk Mail” folder, you can ignore this section!

It is probable that if you did not create it yourself, the “Junk Mail” folder is an artefact of the migration from GroupWise (a predecessor to Google Mail). You can probably delete it safely.

But the key fact is that Google does not use the “Junk Mail” folder automatically.


The New Firewall

As you may be aware, we have a new firewall to replace our existing firewall. This blog posting will go into more detail on what is happening and why than the normal communications.

And BTW: In case you’ve seen a certain spam being pushed out, no we don’t need you to re-validate your email credentials.

Why?

Our existing firewall – an FWSM blade in a Cisco 65xx chassis – is old. It was installed nearly 11 years ago, and although the software has been updated from time to time, fundamentally the capabilities have not changed since it was installed. Whilst the firewall has been demonstrated to be stable enough, there does come a point where older equipment starts having “issues” and replacing it before that time makes a great deal of sense. In addition, the existing firewall is only capable of connecting at 1Gbps which is somewhat less than our Internet connection (10Gbps). Upgrades do exist, but we would need to upgrade enough components that we would be essentially installing a whole new firewall. Finally, the firewall world has moved on since the mid-2000s and modern firewalls have much more capabilities than our current firewall. Utilising a modern firewall would offer greater levels of defence against all the threats out there.

What?

The replacement firewall will be a pair of Palo Alto Networks PA5060s running in active-standby mode. Both will be configured as “firewalls on a stick” whereby all the network plumbing is on the existing network infrastructure. At this stage, the firewalls will be configured with the base level of capability with decisions on capabilities such as URL filtering to be made in the second phase of the project. From the time the new firewall is installed, we will have an elevated level of protection against :-

  1. Viruses. Stream-based anti-virus protection will be applied to all unencrypted streams of traffic.
  2. Threats. Again, stream-based threat protection will be applied to all unencrypted streams of traffic.
  3. Denial of service. Although our existing firewall provides some protection, the new firewall offers a greater level of protection.

How?

On the day the switch-over will be made – the 17th of January – the existing firewall will be disabled and the new firewall enabled. Unfortunately this is a disruptive process, so apologies for that. During the switch-over process, we will be performing potentially disruptive tests to verify that the fail-over capabilities of the new firewall work as expected in a variety of different failure scenarios. All being well, the amount of disruption will be minimal but disruption may continue for some time if we encounter issues that need a resolution.

After the period of disruption, the service will be “at risk” for an extended period whilst testing takes place. Whilst we are currently undergoing a very large programme of testing, it is not feasible to test every single application and every single rule in advance. During the “at risk” window, we have the opportunity to evaluate how the firewall performs for real and make changes to the rule set to fix issues as they arise.

At an early stage during the “at risk” window, a decision on whether to roll back to the old firewall will be made. That is only likely to happen in a situation where the new firewall encounters issues so fundamental that ordinary use is not possible – and we have already had a test that indicates that this is unlikely.

By Monday (although it is still strictly speaking within the “at risk” window), we expect everything to be working normally. And hopefully a bit quicker than before. Without wishing to jinx the whole process, it is probable that after about 10:00, the Internet will be usable but there remains the risk of disruption.

Further Details

The new firewall has a number of interesting capabilities, including some which, whilst they might be perfectly normal in a corporate environment, may be somewhat controversial within an academic environment. That has already been hinted at with the mention of URL filtering.

Censorship

The IS Security Team doesn’t do censorship. Deciding what you can and cannot view on the web is not a decision for the security team; we may block access to web sites for security reasons and we may monitor network traffic for security reasons. URL filtering is not currently a subscription we’ve signed up to on the firewall, but if it were to be used, it would at present (pending any University policy changes) only be used to block access to malware distribution sites and phishing sites.

Decryption

The new firewall has the capability to decrypt certain types of traffic. If you are communicating with a secure web site, all of the traffic between you and the server is encrypted to prevent eavesdropping. This is of course a good thing and we encourage the use of encrypted web sites (https not http), but it is a disadvantage for a firewall that looks in detail at the data for security issues such as viruses, malware or direct attempts to exploit. By decrypting such traffic, we can perform security checks against it. At present no decision on whether to use decryption has been made.

Anti-Virus

The new firewall performs a stream-based anti-virus scan on any of the traffic that passes through it. If it finds a virus, it will attempt to block access to it (it isn’t always possible). This supplements (but does not replace) workstation based anti-virus scanning and common sense.


Living With Google Two-Factor Authentication

If you have not already heard, Google allows two-factor authentication (“Google 2FA”) for access to their services – which includes our own Google domains. This adds greater security to accounts by requiring what is in effect a second password that is sometimes required – for instance if someone attempts to use your account from a computer that has not been previously used.

The initial landing page for it is: https://www.google.com/landing/2step/. Having listened to the discussions regarding Google 2FA and having lived with it for some time (with multiple Google accounts), I can say that it’s possible to see reactions to it splitting into three categories :-

  1. It’s such a pain to use that nobody will ever voluntarily turn it on and if they do, they will quickly turn it off again. Not really; whilst it can take a bit of getting used to there are any number of perfectly normal people who have opted for Google 2FA (frequently after their account has been hacked) who have managed to live with it perfectly reasonably.
  2. It’s wonderful, not a nuisance at all and there’s no reason why everyone shouldn’t turn it on immediately. Not really; it can indeed be a bit of a pain – it always seems to ask for the additional authentication factor at the most inconvenient moments – and there are cases why you should be careful about turning it on. It is possible that the most enthusiastic supporters of Google 2FA have had it turned on for some time and the initial pain of adoption has faded with time.
  3. It’s a bit of a pain but a lot better than the alternative. The alternative being that someone breaks into your account and starts using it for something nefarious. Apart from the amount of time that it takes to clean up after something like this, your email address will take a permanent credibility hit from being used by a spammer.

Ultimately it makes a lot of sense to turn it on and once you are used to it, it doesn’t seem strange or that inconvenient any more.

How Does It Work?

In addition to your password, Google will ask for an authentication code (a 6-digit number) to let you in.

The authentication code comes from one of the following places :-

  1. An authenticator application which generates codes in a known fixed sequence. This is not limited to the Google Authenticator application – there are others.
  2. A text message sent to your mobile phone.
  3. A voice message sent to your landline phone.
  4. A printout containing a list of one-time only codes.

You are not asked for the code every time you login, but when circumstances change or every 30 days.
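Added example (not Google’s implementation): authenticator apps compute their codes with the time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226), and the printed one-time codes are a list that is consumed one entry at a time. The one-step verification window, the backup-code format and the function names are assumptions made for this example; the secret is the RFC 6238 reference secret, so the values can be checked against the RFC’s test vectors.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to Unix time // step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time=None, step=30, window=1):
    """Accept the code for the current step or `window` steps either side,
    using a constant-time comparison. The one-step tolerance is an assumption
    made here to absorb clock drift between the phone and the server."""
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


def generate_backup_codes(count=10, digits=8):
    """Printable one-time codes (the 'printout' option). Each works once."""
    return [str(secrets.randbelow(10 ** digits)).zfill(digits)
            for _ in range(count)]


def redeem_backup_code(unused_codes, code):
    """Consume a backup code; a second use of the same code is rejected.
    A real service would keep only hashes of the unused codes."""
    if code in unused_codes:
        unused_codes.discard(code)
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"); at T=59 the
    # 8-digit test vector is 94287082, so the 6-digit code is 287082.
    secret = b"12345678901234567890"
    print("code at T=59:", totp(secret, 59))
    print("accepted 30 s later:", verify_totp(secret, "287082", 89))
    codes = set(generate_backup_codes())
    first = next(iter(codes))
    print("backup code first use:", redeem_backup_code(codes, first),
          "second use:", redeem_backup_code(codes, first))
```

Because the code depends only on the shared secret and the clock, anyone holding a copy of the secret (or the printed list) can produce valid codes, which is the point made below about leaving the printout lying around.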

How Easy Is It?

That depends on your exact circumstances and how many “unusual” applications you use that do not support Google 2FA. Without such applications, it’s probably something you can get set up in under 5 minutes.

If you do use such applications, you will need to generate an application-specific password for each one and configure each application to use it. It should be noted that such applications are unusual and unless you are an extreme geek, you are unlikely to use more than one or two such applications.

How Do I Go About It?

By preparing. You can just turn it on, but if your timing is poor and you have lots of devices that need their settings changed, you could well have a poor experience.

If I were to do it again, I would prepare by :-

  1. Picking a time that is relatively quiet, and is likely to stay that way for a week (just to be cautious).
  2. Don’t pick a time just before a trip!
  3. Scribbling down a list of the devices and applications that need checking.
  4. Find out about application specific passwords before you need one.

Finally on the day in question, check your email and print off a copy of that day’s calendar before turning it on.

Even if it does go horribly wrong, it is possible to turn off Google 2FA so it is always possible to rescue a situation.

If you do decide to give it a go, the starting point is: https://www.google.com/landing/2step/

It’s Not Perfect!

Turning on Google 2FA doesn’t solve the world’s problems; it doesn’t even solve all issues in relation to authentication :-

You still need a strong password. If Google was the only service your password gave you access to, then it would be possible to follow the advice of the extreme proponents of two-factor authentication and lower the strength of your password. However Google 2FA is not supported when logging into Windows, etc. So for non-Google services your password strength is still important.

It is still possible for your account to be hacked in a number of ways :-

  1. If you leave your sheet of paper with your one-time only codes lying around and it has your account username and password written on it, people will still be able to “hack” your account.
  2. If a device containing an application specific password is broken into, then an attacker can get into your account with that application specific password.

And perhaps worst of all, it does tend to weld your smartphone even closer to you!
