Auto-Forwarding University Emails

To be more precise, this is about forwarding all of “your” email from your University mailbox to an unapproved mail service (e.g. Hotmail, an individual Google Mail account, etc.). The very short summary of all of this is: Don’t.

We have recently been made aware that a significant number of people use automatic email forwarding to ensure that their University email is available on an alternate (and unapproved) mail service. This does not apply to Google Mail pilot users. Historically this practice has been quietly overlooked, but there are a number of problems with it.

More importantly, it is the opinion of senior management that auto-forwarding all University email is against the University Email Policy. Whilst that policy may not explicitly ban auto-forwarding of University email to an unapproved third party, it certainly does include terms that in effect prohibit this kind of activity. The University email policy is due to be revised and an explicit statement regarding forwarding is likely to be included.

Why?

It is understood that there are many possible reasons why it may be convenient for someone to have their email forwarded to another email service. These include (but are not limited to) :-

  • Preferred mail interface – some people may prefer to use Hotmail’s user-interface over Google’s.
  • Long-term business address – some people who move between institutions may wish to use a non-institutional address to avoid repeatedly changing their address. Of course it is perfectly acceptable to auto-forward a non-institutional address to the University email address.
  • Centralising personal and business email into one mailbox.

Whilst these are all perfectly sensible reasons for auto-forwarding emails to an unapproved third-party provider, the University does have genuine concerns regarding the auto-forwarding of email. If anything, the University does not really want to ban auto-forwarding but is forced to.

The concerns include (but are not limited to) :-

  1. Data Protection. As University property, University business emails are subject to the Data Protection Act and allowing them to be stored on third-party servers breaches the seventh data protection principle.
  2. Data Protection. Individuals sending emails to an address that is forwarded may not be aware that their email is being forwarded, so there may be situations where the first data protection principle is being breached.
  3. Operationally. Forwarding emails to an unapproved third-party location can (and does) cause issues with mail delivery which can in severe cases cause disruption to the legitimate use of the email systems.

 


Visual Security Breaches … Or “Shoulder Surfing”

One aspect of security that is easy to overlook is visual security, where sensitive information is displayed on a screen in a location where it can be seen by people who should not have access to that information.

A new (to me) paper discusses this issue in greater depth.

Whilst it may not seem much of an issue, it is easy to imagine someone visiting an office – perhaps a vendor trying to sell a product – and, whilst wandering through the office, catching a glimpse of someone’s personal details on screen whilst they are being amended. Or someone working on a document on their laptop on the train; the passenger in the seat next to them has an excellent view of the contents.

It is perhaps something to consider when designing office layouts, and when working on a laptop in any public place.


Are You Practising Safe Emailing?

Email is an old technology – I sent my first email almost exactly 25 years ago – and we are all quite used to it. So we have all developed habits over the years, and not all of those habits are safe in terms of IT security.

Whilst most of what follows is advice that has been passed out many times over the years, it is advisable to review our ingrained habits to see if there is anything we should be doing better.

Every so often whilst writing this, I have been tempted to add “I’ve a story to tell about that”. But I’ve a story to tell about just about every piece of advice contained within this blog entry.

Email Is Not Private!

We normally think of email as the electronic equivalent of a letter, where we seal a message inside an envelope so that those carrying it along the way cannot see the contents. In fact email is far more like a postcard where anyone can read the contents just by flipping over the card.

When email is sent, it hops from server to server along the path to the final destination and can be intercepted and read at each hop. Whilst those with sufficient rights on our servers have been educated (and frankly didn’t really need telling) that casual email snooping is not permitted, there is no guarantee that snooping cannot be carried out at other places.

No Sensitive Personal Information

Because of the risk of accidental data leakage through the use of email, no sensitive personal information may be sent via unencrypted email. And if you are using encryption, you should seek advice on whether the encryption you use is appropriate.

Be Careful What You Quote

It is common for people to send emails where they add their own comments to the top of an existing email. Whilst this is quick and easy, it also means that emails can get longer and longer with information contained within them that may not be intended for the current set of recipients.

It is strongly suggested that you check the complete email before sending it to ensure that the contents are appropriate for the people you are sending to. Not only can this prevent leaking information to people who should not have that information, it can also prevent you from embarrassment!

Don’t Write Anything A Random Stranger Shouldn’t See

It is all too easy to end up making a simple typo in an email address, and sending an email off to where you do not expect. And of course it almost always happens to the one email you really do not want it to happen to.

So it is worth avoiding putting anything in an email that you would not want a random stranger to see.

Use End To End Encryption Where Possible

Unfortunately, most solutions for end-to-end encryption of email are rather tricky to use, so it is not something we can expect everyone to use. And of course you need to persuade people you email to use encryption too!

But the only solution for email security that ticks all of the boxes is end-to-end encryption using something like PGP. Watch this space! Blog articles on how to use PGP may well appear, although it will remain something for those comfortable with very technical configuration.

Email Identity Is Insecure

Internet email is based around standards that date back to the 1970s. As such there is very little to ensure that rogue people cannot send emails out with all sorts of interesting trickery in place.

As detailed previously, it is perfectly possible to send emails out with headers that indicate that the email came from someone other than yourself. Or indeed someone else can send out emails that appear to come from you.

The only effective technical solution is to use digital signing of emails – this is unfortunately as technically challenging as encryption is, as digital signatures are effectively encryption too.

The non-technical solution is to be aware that forged emails can be sent in your name, and you can receive them too. If you are in any doubt about the authenticity of an email, you should contact the sender “out of band” (i.e. not using email) to check.

Spam

There are many possible irritations with email, but the one that is almost certainly at the top of everyone’s list is spam – technically unsolicited bulk email. These need not be commercial – they can be on any subject at all.

As spam has come up on this blog a number of times before, there is no need to go into great detail here.

Attachments, Viruses and Other Malware

As soon as email started to be used, someone made the observation that email by itself was all very well, but the ability to send documents (of any kind) alongside the email would be useful. And so the email attachment was born.

Whilst the phrase “email attachment” sort of implies that any attached documents are treated as separate objects, at the very lowest level of email they are not really separate at all. What happens is that your document is encoded in plain text (and so grows by about 30%) and appended to the end of your email.

It becomes one giant email. And email systems are not necessarily very efficient when dealing with very large emails. For one thing it is easy to have a size explosion – sending a 20Mbyte file attachment to 1,000 users becomes 25Gbytes. Not something that is pushed out very quickly, and whilst it is being pushed out, all the other email could well be delayed.

So almost every mail server implements a size limit. These vary according to the whims of whatever organisation configured the mail server – we have a carefully considered limit of 25Mbytes. But you can always run into this limit.

Of course attachments are not only used for legitimate documents but for malicious software too.

Viruses and Other Malware

Malware can be distributed through all sorts of methods – originally floppy discs, network shares, USB memory sticks, and of course email. Although email clients that would automatically “display” the contents of an attachment (and thus run attached software) have hopefully been consigned to history, malware is still distributed via email.

This relies on persuading the recipient to open any attachment on the email. Whilst some people will open any attachment at all, more cautious people need to be tricked into opening an attachment. After all, we have been saying “be careful of attachments” for a while now.

So the senders of malware rely on all sorts of tricks to persuade us to open their malware and get it to run. Some of the tricks used to make us open attachments containing malware can include :-

  • Making the attachment sound irresistible – such as offers of naked pictures of celebrities.
  • Forging the email so it appears to come from someone with credibility.
  • Crafting the email so that it sounds important to deal with – a tax issue, a lottery win, a notification of copyright infringement, etc.

Although we should all be running anti-virus protection of some kind, it is still worth avoiding the nasty attachments. Simply avoid opening attachments where the email is a bit suspicious.

Again if you have any doubts about the origin of the email, simply contact the sender “out of band” (using phone, or something other than email) to verify that the email is legitimate or not.


The Sophos Threatsaurus(!)

Sophos have released the latest version of their so-called “threatsaurus”, which whilst it does abuse the English language also details the top threats in IT security today. The document can be downloaded at the following URL :-

If you are at all interested in IT security, have a look … it may contain surprises.


West Yorkshire Ransomware

The following link contains detailed information about the “West Yorkshire” ransomware :-

This link was added for the use of technical staff.

What Is Ransomware?

Ransomware is a kind of malware that infects your computer and then displays a message asking for money. The most usual method is to encrypt your own files to prevent you from accessing them. However there are some other kinds; some of which are even nastier.

The usual kind will perform some work in the background – encrypting the files amongst other things – and will then pop up a message alerting you to its presence and demanding you hand over some money.

What To Do If You Get Infected?

Contact the IS servicedesk (x7777). Do not pay up – whilst some ransomware distributors have been known to unlock your files “honestly”, there is no guarantee here. And it would instantly make you a target for future attacks.

What To Do Before Getting Infected?

  1. Set up some form of automated backup routine so that your files are kept safe away from your computer.
  2. Make sure your antivirus product is up to date and working properly.

Internet Breaks on the 9th July …

… or to be more precise, if your computer is infected with dnschanger, then it will appear that the Internet is dead on the 9th July. Whilst the University itself does not have a large problem with infected machines, it is entirely possible that some people may have issues at home.

This is both a warning to those who may have infected machines to check to see if their anti-virus product is still working, and an informational notice to those who may be contacted.

The Internet is not broken when it comes to the 9th July.

The technical details of this are that the dnschanger malware has changed the DNS server list on client machines to point to what were servers controlled by the malware authors. These have been taken over, and have been offering a genuine service (at extra cost to the FBI), but will be shut down on the 9th July.


Web Site Cookies: Advice On Their Use

The UK has recently adopted a law in line with European legislation covering the use of web site cookies. Anyone involved in the production of web sites that may use cookies should be familiar with the law and any appropriate advice. Given the likelihood of cookie warning fatigue – particularly given the nature of just how intrusive some of these warnings are – it is worth remembering to avoid warning about the use of cookies obtrusively where the use of cookies is not an invasion of privacy.

The University statement on the use of cookies on the main University website can be found here. You may wish to include your own warning about privacy (including cookies) on your own website(s), or link to the University one.

The following originates as an advice note regarding the use of cookies and expands on the information above :-

Introduction

In line with recent changes in European legislation, UK law now requires website operators to ask for a website user’s permission when placing certain kinds of cookie on their devices. Where consent is required, the law states that it should be “informed consent”. This increases the duty on website owners to ensure that visitors understand what cookies are and why the website operators want to use them.

The International Chamber of Commerce (UK) has outlined four categories of cookie (these are not definitive). Where a cookie does not fit into an appropriate category, website operators will have to devise their own descriptive wording and consent approach. Whatever mechanism is used, the user should be given a clear, informed choice.

The Categories

Category 1: Strictly necessary cookies

These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies, services you have asked for, like shopping baskets or e-billing, cannot be provided.

Examples include:

  • Remembering previous actions when navigating back to a page in the same session.
  • Managing and passing security tokens to different services within a website to identify the visitor’s status (e.g. logged in or not)
  • To maintain tokens for the implementation of secure areas of the website
  • To route customers to specific versions/applications of a service, such as might be used during a technical migration

These cookies must not be used :-

  • To gather information that could be used for marketing to the user.
  • To remember customer preferences or user IDs outside a single session (unless the user has requested this function).

For those types of cookies that are strictly necessary, no consent is required.

Category 2: Performance cookies

These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works. Web analytics that use cookies to gather data to enhance the performance of a website fall into this category. For example, they may be used for testing designs and ensuring a consistent look and feel is maintained for the user. They may also be used to track the effectiveness of ‘pay-per-click’ and affiliate advertising.

Examples include:

  • Web analytics — where the data collected is limited to the website operator’s use only, for managing the performance and design of the site.
  • Ad response rates — where the data is used exclusively for calculating response rates (click-through rates) to improve the effectiveness of advertising purchased on a site external to the destination website.
  • Affiliate tracking — where the cookie is used to let affiliates know that a visitor to a site visited a partner site some time later and if that visit resulted in the use or purchase of a product or service, including details of the product and service purchased.
  • Error management — typically this will be to support service improvement or complaint management and will generally be closely linked with web analytics.
  • Testing designs — Testing variations of design, typically using A/B or multivariate testing, to ensure a consistent look and feel is maintained for the user of the site in the current and subsequent sessions.

Consent wording:

By using our [website][online service], you agree that we can place performance cookies on your device. These cookies don’t collect information that identifies a visitor. All information collected by these cookies is anonymous.

Category 3: Functionality cookies

These cookies are used to remember customer selections that change the way the site behaves or looks. It might also include cookies that are used to deliver a specific function. The information these cookies collect may be anonymised and they cannot track your browsing activity on other websites.

Examples include:

  • Remembering settings a user has applied to a website such as layout, font size, colours etc.
  • Remembering a choice such as not to be asked again to fill in a questionnaire.
  • Detecting if a service has already been offered, e.g. a tutorial on future visits to the website.
  • Providing information to allow an optional service to function e.g. a live chat session.
  • Fulfilling a request by the user such as submitting a comment.

Consent wording:

By using our [website][online service], you agree that we can place functionality (persistent/session) cookies on your device. These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features.

Category 4: Targeting cookies (aka advertising cookies)

These cookies are used to deliver adverts more relevant to you and your interests. They are usually placed by 3rd party advertising networks with the website operator’s permission. They remember that you have visited a website and this information is shared with other organisations such as advertisers.

Examples include:

  • Cookies placed by advertising networks to collect browsing habits in order to target relevant adverts to the user.
  • Cookies placed by advertising networks in conjunction with a service implemented by the website to increase functionality, such as commenting on a blog, adding a site to the user’s social network, providing maps or counters of visitors to a site.

Consent wording:

By using our [website][online service], you agree that we can place advertising (persistent/session) cookies on your device. These cookies are used to deliver adverts more relevant to you and your interests. They may also be used to limit the number of times you see an advertisement as well as help measure the effectiveness of an advertising campaign.


Someone pretending to be you?

Unfortunately email addresses can be spoofed relatively easily and an email can arrive in your inbox – apparently sent from someone you know – but they then deny ever sending it. In this respect, email is really no different from traditional letters and parcels, but there is a vast difference in terms of scale and ease with which the spoofing can be perpetrated.

If your (physical) address is publicly available, anyone can send you an unsolicited letter, or send someone else a letter, pretending to be you. It is the responsibility of the receiver to establish the authenticity of the sender – and there are many ways to do this. Over the years, people have developed ways to spot confidence tricks, bogus letters or suspicious parcels, but we haven’t yet managed to apply the same thinking to e-communication. Moreover, our default position is to take e-communication at face value.

While you cannot stop it, you can learn how to identify it – firstly by trusting your instincts. Ask yourself if the email sounds authentic – would your colleague really be keen to sell you Viagra, or ask you to help extricate a fortune from a Nigerian bank? If doubts remain, you could study the email header information – but this can be tricky! If you feel the need to delve into the headers to authenticate the source of an email, then your suspicions should have been raised enough to allow good sense to prevail – and call us.

In More Detail

Many people these days use webmail services or corporate services where much of the detail of the configuration of mail is hidden from view, but some may remember in the past when mail clients had to be configured with an email address as the “From” address.

Whilst we all would enter our own email address into that field, there is nothing to stop a malicious person from entering any valid address into that field. And by default, the mail systems all the way from the origin of an email to the final destination – you – will not do anything to stop such a forgery taking place.

Spammers have been resorting to various tricks to get through anti-spam defences for years, and keep trying. Because it’s worth money to them.

And one of the techniques they use (which appears to be becoming more common) is to use a legitimate address from the institution they are sending to – so if they are sending spam to mike.meredith@port.ac.uk, they will pick out an address that they have on record that matches after the “@”, such as postmaster@port.ac.uk.

In fact they will often attempt to send emails from your address to you! Which can be somewhat alarming the first few times you see it. But it is almost always just a spam message.

There are technical ways to determine where a message actually originated, but looking at the content is a far simpler way of determining whether the email is legitimate or not – even if there isn’t a definite yes or no answer. Look at the message and who it is from :-

  1. Is it “From” more than one person? Whilst it is technically permitted, it is unusual in the extreme for legitimate emails to come “From” more than one address. If more than one address appears, it is more than likely to be a spam email.
  2. Does the “Subject” header match who sent the message? Spammers want to persuade you to buy stuff … or pursue actions that in the end will allow them to dip into your pocket. It is unlikely that the subject on such an email is the sort a co-worker would use.
  3. Does the “Subject” header match the contents of the message? Surprisingly enough, spammers will often send emails where the Subject has little or no relation to the contents of the message. If it doesn’t seem to match, then it’s a sign that the message may not be legitimate.
  4. Does the message itself mention money? Or ask you to present some personal details (like the login to an account, etc.)? It’s very often not legitimate.
  5. Does the message seem a little … excited? Lots of exclamation marks!!! This is another sign that something is wrong.

If the answers to at least two of the above point to a message being spam, then it can be ignored. If you are still in doubt over whether an email is legitimate or not, why not give the other person a call?
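The checklist above, applied mechanically to a raw message, as an added example (not code from the original post). Sign 2 (does the Subject fit the sender?) needs human judgement and is left out; the other four are scored and the “at least two signs” rule decides. The sample messages and the money/credential word lists are constructed for the example.

```python
"""Score a raw email against the content-level spam signs from the post."""
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages (not real mail): one spam-like, one routine.
SAMPLE_SPAM = """\
From: "Postmaster" <postmaster@example.ac.uk>, "Admin" <admin@example.ac.uk>
To: someone@example.ac.uk
Subject: Re: Meeting notes!!!
Content-Type: text/plain

Dear user,
Confirm your password at the link below or lose access to your bank account.
We need your login details to release the $500 refund!!!
"""

SAMPLE_LEGIT = """\
From: "A Colleague" <colleague@example.ac.uk>
To: someone@example.ac.uk
Subject: Minutes from Tuesday's meeting
Content-Type: text/plain

Hi,
Attached are the draft minutes, please let me have any corrections by Friday.
"""

# Crude vocabulary for sign 4: money, or a request for login/personal details.
MONEY_RE = re.compile(r"\b(money|bank|refund|payment|lottery|prize|invoice|fee)\b|[$£€]\s?\d", re.I)
CREDS_RE = re.compile(r"\b(password|login|log in|personal details|account details|confirm your|verify your)\b", re.I)
WORD_RE = re.compile(r"[a-z]+")


def _plain_text_body(msg):
    """Concatenate the text/plain parts; walk() yields the message itself when not multipart."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def spam_signs(raw_message):
    """Return the four mechanically checkable signs as a dict of booleans."""
    msg = message_from_string(raw_message)
    from_addrs = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    subject = msg.get("Subject", "")
    body = _plain_text_body(msg)

    # Sign 1: legitimate mail very rarely carries more than one From address.
    multiple_from = len(from_addrs) > 1

    # Sign 3: none of the Subject's meaningful words (4+ letters) occur in the body at all.
    subject_words = {w for w in WORD_RE.findall(subject.lower()) if len(w) >= 4}
    body_words = set(WORD_RE.findall(body.lower()))
    subject_mismatch = bool(subject_words) and subject_words.isdisjoint(body_words)

    # Sign 4: mentions money, or asks for login/personal details.
    asks_for_money_or_credentials = bool(MONEY_RE.search(body) or CREDS_RE.search(body))

    # Sign 5: the message is a little ... excited.
    overexcited = (subject + body).count("!") >= 3

    return {
        "multiple_from": multiple_from,
        "subject_mismatch": subject_mismatch,
        "asks_for_money_or_credentials": asks_for_money_or_credentials,
        "overexcited": overexcited,
    }


def spam_score(raw_message):
    """Number of signs pointing to spam."""
    return sum(spam_signs(raw_message).values())


def looks_like_spam(raw_message):
    """The post's rule: two or more signs and the message can be ignored."""
    return spam_score(raw_message) >= 2


if __name__ == "__main__":
    for label, sample in (("spam", SAMPLE_SPAM), ("legit", SAMPLE_LEGIT)):
        verdict = "ignore" if looks_like_spam(sample) else "probably fine"
        print(label, spam_signs(sample), "->", verdict)
```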

 


Your LinkedIn Account May Be Compromised!

According to the Sophos Naked Security blog, there are rumours of the hashed password file from the LinkedIn site being found on hacking sites. If true it means that anyone with a LinkedIn account should consider their password compromised and should change it at once using the standard advice for strong passwords. The latest information is that there is very little doubt now – the file of password hashes is readily available.

Whilst the details of the story indicate that there are several “challenges” for an attacker to jump through to gain access to someone’s account :-

  1. The supposedly public password list is not associated with the list of usernames. If you crack a password, you will not know what account it is associated with. Except that whoever leaked the list in the first place may well know the usernames!
  2. Any attacker has to run a password cracker against the list. Because the list is so long, only the weakest passwords will be compromised initially. If you use a strong password, you may well be relatively safe.

Despite the “challenges”, it would be safest to assume that an attacker could get your password (and username) so to be safe change your LinkedIn password.

There are indications that a significant proportion of the password hashes have already been “cracked” – approximately 1/3 of them.

Information on password cracking has been moved from this blog entry and updated.


Security Scans: What They Are, And Why We Do Them

It is possible that you may have heard of the IS Security team performing security scans of servers or networks. Those rumours are true. Of course what you may not be aware of is that other even nastier people are also performing security scans of the University servers! We do use tools to scan the network and specific servers looking for security holes, so that we can double-check the security of critical services. Whilst security hardening is part of any project to install a service, to double-check the security of a server we scan it from the network to see how it looks to a potential attacker.

Are We Being Scanned ?

The short answer to this is yes we are … all the time … 24 hours a day, 7 days a week and 52 weeks a year. One minor example of this is the number of “invalid user” login attempts made to just one server … and a minor, little-known one at that :-

Number of Login Attempts    Date
2                           Feb 1
4                           Feb 2
189                         Feb 4
47                          Feb 5
52                          Feb 6
989                         Feb 7
263                         Feb 9
162                         Feb 10

These invalid login attempts are just attacks on the ssh service looking for certain usernames with poor passwords set. There is plenty of other scanning going on. More details on ssh scanning can be obtained from the Dragon Research Group.
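How a table like the one above is produced from a server’s auth log, as an added example (not the IS team’s own tooling): it counts OpenSSH “Invalid user” lines per day, per source address and per username, and lists the sources that have made enough attempts to be worth blocking. The log lines are constructed, using RFC 5737 documentation addresses, and the block threshold of 3 is an arbitrary choice for the example.

```python
"""Summarise OpenSSH "Invalid user" attempts from syslog-style auth.log lines."""
import re
from collections import Counter

# Constructed sample log (not real data) in the usual syslog + OpenSSH format.
SAMPLE_AUTH_LOG = """\
Feb  1 03:12:44 host sshd[1201]: Invalid user admin from 192.0.2.10
Feb  1 03:12:51 host sshd[1203]: Invalid user oracle from 192.0.2.10
Feb  2 11:40:02 host sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Feb  2 19:05:17 host sshd[2390]: Invalid user test from 203.0.113.5
Feb  2 19:05:20 host sshd[2392]: Invalid user guest from 203.0.113.5
Feb  2 19:05:23 host sshd[2394]: Invalid user admin from 203.0.113.5
Feb  2 19:05:26 host sshd[2396]: Invalid user ftpuser from 203.0.113.5
Feb  3 08:00:00 host sshd[3001]: Failed password for alice from 198.51.100.7 port 51030 ssh2
Feb  4 02:22:09 host sshd[4011]: Invalid user  from 192.0.2.77
"""

# syslog timestamp, host, "sshd[pid]:", then the OpenSSH "Invalid user" message.
# The username may be empty (sshd then logs two spaces), hence \S* rather than \S+.
INVALID_USER_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S*) from (?P<ip>\S+)"
)


def invalid_user_attempts(log_text):
    """Count invalid-user attempts per day ("Feb 2"), per source IP and per username."""
    per_day, per_ip, users = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = INVALID_USER_RE.match(line)
        if not m:
            continue  # accepted logins, failed passwords for real users, etc.
        per_day[f"{m['mon']} {int(m['day'])}"] += 1
        per_ip[m["ip"]] += 1
        users[m["user"]] += 1
    return {"per_day": per_day, "per_ip": per_ip, "users": users}


def noisy_days(per_day, threshold):
    """Days whose attempt count exceeds the threshold, in log order (the spikes in the table)."""
    return [day for day, n in per_day.items() if n > threshold]


def candidate_blocks(per_ip, threshold):
    """Source addresses with at least `threshold` attempts, busiest first (fail2ban-style input)."""
    return sorted((ip for ip, n in per_ip.items() if n >= threshold), key=lambda ip: -per_ip[ip])


def attempts_table(per_day):
    """Render the per-day counts in the same two-column layout as the post."""
    lines = ["Number of Login Attempts    Date"]
    lines += [f"{n:<28}{day}" for day, n in per_day.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    result = invalid_user_attempts(SAMPLE_AUTH_LOG)
    print(attempts_table(result["per_day"]))
    print("busiest usernames:", result["users"].most_common(3))
    print("block candidates (>=3 attempts):", candidate_blocks(result["per_ip"], 3))
```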

What Scanning Does

A network security scanner performs a scan by performing a number of checks against each server it is asked to scan (or discovers for itself). These checks include :-

  1. Determining what network services are running – such as web servers, or ssh servers.
  2. If a particular network service is running, it obtains information about that service by probing it. Most network services have some sort of “announcement” which may include useful information about versions in use, etc. Or it could be a lot more obscure such as it announces that it supports certain versions of the protocol – for example, ssh has two different levels of the protocol and a service may announce the fact that it supports the old (and vulnerable) SSH1 protocol.
  3. For some network services, the scanner can attempt to use the services to determine if appropriate access restrictions are in place. For example, mail servers often have extra debugging commands that can leak information useful to spammers – these commands should be allowed internally but not externally.
  4. If given authentication credentials, it may also login to the server to determine more information about the services that are running.

The more aggressive network scanners (i.e. those used by attackers) may attempt to exploit services.

When finished, network security scanners produce a report to be distributed amongst technical staff to highlight what has been discovered. In most cases, the report needs to be assessed to determine which items are of concern and which are not. Some vulnerabilities that may be discovered could be less serious than a network security scanner determines, and some may even be more serious!

Is It Disruptive?

Most network security scanners are written to be non-disruptive. Even those written by attackers who want to break in and cause damage are intended to cause no disruption because disruption is obvious and an attacker will not want the defences raised before they have broken in. However there are no guarantees in this world, and it is always possible for a network security scanner to unintentionally cause disruption. We have seen this ourselves in a very small number of situations – either fragile network devices, or misconfigured servers that get overloaded.

Disruption is very rare and probably occurs in less than 1% of all scans. If disruption does occur, it tends to be of a temporary nature – a server gets overloaded whilst the scan is going on.

So the answer to that question is that scanning could be disruptive, but it is very unlikely.

Scan Scheduling

Official network scans are scheduled formally, being incorporated into the IS change control process and agreed in consultation with the Business Owner of the system being scanned. Official network scans are only performed by suitable IS staff – specifically staff within EPS/IS who have undergone suitable training and who are familiar with the procedure for performing network security scans.

“Unofficial” scans are prohibited, which does not stop them happening when performed by an outsider of course.

Why Do We Scan?

In an ideal world, with an infinite amount of time to configure servers properly, there would be no need for performing network security scans. As we have yet to manage to create a perfect world, network security scans are very useful for assessing the security of our servers. They allow us to identify misconfigured services, and services where configuration improvements could be made.

We do not blindly follow the recommendations of a network security scan, but identifying areas of improvement does allow us to target work on improving servers.

And yes, we do need to spend time on making services more secure – allowing an attacker to obtain access to our servers has a number of negative consequences, some of them legal. Up to and including rather large fines from the Information Commissioner!
