Tailgating (aka piggybacking)

Tailgating (aka piggybacking) describes someone tagging along with another person who is authorised to gain entry into a restricted area, or to pass a certain checkpoint.

Where swipe-card or proximity sensor access systems are employed, please be aware that they are there to protect staff, sensitive information and/or high value assets, so please use them wisely.


Crystal Ball?

If you want a peep into the future – read the Horizon Reports from Educause.

Since 2005, the annual Horizon Report has been the product of a collaboration between the EDUCAUSE Learning Initiative (ELI) and the New Media Consortium.  It’s a right rivetin’ read!

http://www.educause.edu/Resources/Browse/Horizon%20Report/33560


Printer Security Videos …

More along the lines of a personal bookmark than a proper entry, the following two videos are presentations on printer security that I keep intending to watch :-

http://www.youtube.com/watch?v=GZgLX60U3sY#t=3m40s

http://www.youtube.com/watch?v=MPhisPLwm2A

Loan Company Phishing To Decrease ?

With any luck, the latest news on the arrest of a group responsible for a phishing spam run against UK university students means that the number of such phishing attacks will diminish somewhat. According to the information in the linked-to article, the scammers managed to steal between £1,000 and £5,000 from each bank account they got access to – in the region of a thousand accounts.

Out of the total population of very roughly 2.5 million students, there have been in the region of a thousand victims – a response rate of very approximately 0.05%. Yet the scammers made quite a bit of money from this – or would have done if they had not been tracked down.

This shows that :-

  1. People can and do make enough money from such phishing attacks to maintain a rich lifestyle even when stealing from a small and not particularly wealthy population.
  2. Even the best educated and intelligent section of society can fall victim to a phishing attack.
  3. And you really don’t want to become a victim.

G.I. JOE: THE RISE OF COBRA

On Saturday 26th Nov 2011 at 21:15, Channel 4 will screen “G.I. JOE: THE RISE OF COBRA”.

Watch it for free – there is no need to illegally download it from BitTorrent.

Are You An Accidental Outlaw?

Nominet have produced an interesting online quiz to test your knowledge of how the law applies to online activities.

It is quite easy to accidentally break the law when online without knowing you have done so – until the lawyers come knocking! Perhaps a little unlikely, but possible. My own score was lower than I was expecting despite working close to this area, and being an amateur photographer.

Looking through what online behaviour can be considered illegal, many of the behaviours are things that many of us would indulge in without a second thought. Given the widespread nature of such behaviour, you may think it is unlikely that you will ever be caught, but that could be dangerous thinking!

The more high profile your online activities are, the more likely you are to be “found out” and have to face the consequences. It is worth learning about this early before the lawyers strike!


Copyright Infringement and P2P Downloads:

Stop and Think:
Before you download any material from the internet, ask yourself:

Would I normally be expected to pay for it?

Is it available to buy?

Is it subject to copyright – i.e. does it have a copyright sign issued by the production company or artist?

If you answered yes to any of the above questions then it is likely that downloading it would be an infringement of copyright.


Myth: Cybercriminals only target people with money

Truth: Anyone can become a victim of identity theft. Cybercriminals always look for the biggest reward for the least amount of effort, so they typically target databases that store personal information. If your information happens to be in the database, it could be collected and used for malicious purposes. It is important to take great care of your personal information so that you can reduce the risks.

If you wish to discuss any issues or concerns about data security, please contact robbie.walker@port.ac.uk or mike.meredith@port.ac.uk

Email Spam and Our Defence Against It

With email comes unwanted email of all sorts; probably the biggest category of unwanted email is spam – unsolicited bulk email. Note that not all unwanted email is spam! Spam is basically where someone has decided to send out very large quantities of email to a list of people who have no business relationship with the organisation arranging the spam run. This could mean advertising a commercial product; it could also be religious spam, campaign spam, or malicious spam such as phishing attacks or virus distribution. In this blog entry I will go through some general details on spam, and then move on to our defences against spammers.

Spam Not SPAM

The history of dealing with spam is littered with examples of those who have mistakenly used the label SPAM to refer to unsolicited bulk emails; at which point a certain irate food manufacturer sends out cease and desist letters backed up with a howling pack of savage attack lawyers. Hormel Foods are actually quite reasonable about the situation – especially in the early days when they could have caused considerable difficulty to the anti-spam community – they don’t object to the use of the term “spam” but do object when “SPAM” gets used.

So don’t do it.

It Costs Money!

Spam is obviously an irritant to anyone who has ever trawled through a mail box looking for the real content amongst swathes of adverts for herbal mortgages and the like. And that is by itself a good reason for trying to prevent spam getting through. But there is also a monetary cost involved. Each time someone spends a moment looking at a spam email rather than doing their work, it costs us money. Every time someone asks questions about spam, it costs us money. That money adds up to quite a considerable sum across the entire University. The current estimate (which is based on very outdated salary figures) is that our current defences are saving the University between £2,000-£5,000 every day.

Near Spam

If you bought a pair of socks from an Internet shop 10 years ago, you will probably still be getting emails from the relevant shop even if you have not bought anything from them in all that time. Unfortunately, whilst you may no longer wish to receive email from them, it does not count as spam – at least legally (in the UK).

Your best option here, is to simply ask to be removed from the list of people the retailer sends messages to – instructions to do this are often contained within the message. They should comply, but be careful it really is “near spam” from a reputable retailer before replying!

Malware

Email containing viruses is just as much spam as that email telling you how to get rich quick by buying special herbs from an obscure seller in an obscure country. In fact the spammers who send adverts for products are quite often the ones responsible for sending out viruses too.

This is because spammers often use infected PCs as their ‘data centre’ for sending out spam – it’s cheaper to steal someone else’s computer and electricity rather than use your own. And of course someone else gets the blame when they track down the origin of the spam.

Our Anti-Spam Defences

For a long time, we have been attempting to protect University mailboxes from receiving spam, and despite the spam that does show up in your inbox, we do quite a good job blocking some 95% of spam before it is accepted by our servers. To do that we run a layered defence with different measures applied in different ways. One of the methods relies on your inbox being equipped with a “Junk Mail” folder, which for some reason seems to go missing in GroupWise on occasions.

Check whether this is enabled by selecting the Tools menu, and then Junk Mail Handling from the pull-down menu, and make sure that the option “Enable Junk List” is ticked.

Of course the problem with spam defences is that people do not see the spam that does not reach them (which is after all the point), so get concerned with the spam that does reach them. Our defences err on the side of caution, so it can be expected that some spam will still get through; however it is far less than would be seen if there were no defences in place.

Block Lists

Our main defence against spam is the use of a number of blocklists. These lists are built up by various anti-spam organisations and contain known spammers, or the addresses of machines that spammers have taken over (with malware) and are currently sending out large (or smaller) quantities of spam. Many of the lists in use are sanctioned for use (and subscribed to on our behalf) by JANET.

We also operate local block lists to which we can add addresses. However we rarely offer to do this for spam that escapes our defences as it is not effective – spammers “rotate” amongst a large number of legitimate email addresses, and rarely use the same one more than a few times.

Content “Filtering”

One of the more usual methods of dealing with spam elsewhere is to run software which looks at the content of a message to determine whether it is spam or not. For historical reasons, we do not routinely block based on the content of messages, with the following exceptions :-

  1. If the message contains a virus attachment.
  2. If the message scores as a “phishing attack”.
  3. Or if it publicises a web location well known to be hosted by a spammer.

What we do instead is to mark the message with a ‘spamminess’ score to indicate how likely it is to be spam. This is done by adding three headers to the email message – X-Spam-Score (which contains the numeric score), X-Spam-Flag (a “yes” or “no” value), and a detailed report within the X-Spam-Report header. This should be handled automatically by GroupWise, which should send all messages with an “X-Spam-Flag” header of “yes” into your “Junk Mail” folder.
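The routing decision described above, shown as an added example that is not part of the original post or of GroupWise: the two messages are constructed for illustration, and the rule names in the X-Spam-Report header are made up.

```python
from email import message_from_string

# Constructed sample messages (not real mail). The first carries the three
# headers the post describes and is flagged; the second was never scored.
FLAGGED = """\
From: sender@example.invalid
To: someone@example.invalid
Subject: herbal mortgages
X-Spam-Score: 8.4
X-Spam-Flag: yes
X-Spam-Report: * 5.0 CONSTRUCTED_RULE_A  URL on a spammer-hosted site
X-Spam-Report: * 3.4 CONSTRUCTED_RULE_B  bulk-mail fingerprint

buy now
"""

CLEAN = """\
From: colleague@example.invalid
To: someone@example.invalid
Subject: minutes from Tuesday

attached as promised
"""


def spam_verdict(raw: str) -> dict:
    """Read the X-Spam-* headers; tolerate missing or oddly-cased values."""
    msg = message_from_string(raw)
    flag = (msg.get("X-Spam-Flag") or "").strip().lower() == "yes"
    try:
        score = float(msg.get("X-Spam-Score", "").strip())
    except ValueError:
        score = None               # header absent or not numeric
    # Multiple X-Spam-Report lines are collected, one entry per rule hit.
    report = [v.strip() for v in msg.get_all("X-Spam-Report", [])]
    return {"flag": flag, "score": score, "report": report}


def route(raw: str) -> str:
    """Mirror the client rule: X-Spam-Flag == yes goes to Junk Mail."""
    return "Junk Mail" if spam_verdict(raw)["flag"] else "Inbox"


if __name__ == "__main__":
    for name, raw in (("flagged", FLAGGED), ("clean", CLEAN)):
        print(name, "->", route(raw), spam_verdict(raw))
```

Only the flag decides the folder; the score and report are there so a user who does want to look can see why a message was marked.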

What You Can Do

Nothing. Or at least nothing if you are not prepared to spend a lot of time learning about spam, how it works, how to deal with it appropriately, etc.


Password Security and Strong Passwords

I needed a password eight characters long so I picked Snow White and the Seven Dwarves.

Password security and the need for strong passwords (as required by the University Password Policy) is being promoted at the moment, for a variety of reasons. Not least is that a number of security incidents relating to weak passwords have come to light over the last few months. Passwords are tedious to generate, difficult to remember, and not even a particularly good solution to the problem of authentication, but unfortunately we are somewhat stuck with them. And despite the best efforts of those trying to provide single sign-on solutions, the number of passwords we have seems to be increasing. Whilst we are concerned mainly with the security of University accounts, these tips also apply to your own private account passwords. Everyone keeps banging on about the need for strong passwords, but why?

Why Strong Passwords?

The short answer is that weak passwords can be “guessed” by people whose business is compromising accounts. Not by actually guessing what a password is but by using automated tools for cracking passwords. There are two ways of “guessing” passwords with automated tools.

  1. By obtaining a “password hash”, an attacker can run through a list of candidate passwords, hashing each one and comparing the generated hash with the one they obtained. If a candidate password generates a hash that matches, then the password is known. Password hashes can often be obtained by capturing network packets containing a login between a user and an application with weak security (and there are lots).
  2. By running through a list of candidate passwords and attempting to use an authenticated service, an attacker may be able to determine which are valid passwords.

When people hear about this, they often assume that the list of candidate passwords is quite small because they can imagine how hard it would be to run through a list of candidate passwords. Actually it is surprisingly easy, and relatively fast, especially considering how poor many passwords are. Attackers also operate with unusual dictionaries specially tuned for finding words used in passwords. Whilst it is possible that the word in your password is not in an attacker’s dictionary, it is unwise to assume that it is not there. Having seen some attackers’ dictionaries, I can tell you that you will be quite surprised just how many words (and in languages other than English) appear in such dictionaries. In addition, many of the simple transformations that have historically been used to make words less obvious – such as changing vowels for digits (“p3ssw0rd”) – are well known to the attackers, and password cracking software usually makes some attempt to try those transformations. In summary, almost any simple password based around a word (whatever kind of word!) can be counted as a weak password that an attacker can obtain relatively easily. Strong passwords are essential.

How To Remember Passwords

The standard advice for passwords is to remember them and not write them down. Generating strong and memorable passwords is a bit of an art (but certainly possible), but remembering dozens of even memorable strong passwords is not something that comes easily to many people. Not even me! Writing down passwords can be done safely if it is done properly. The classic mistake of writing down a password on a Post-it note and sticking it to the underside of your keyboard is not the right method. The right method is to use an application (such as KeePass) which records passwords in a strongly encrypted file.

Don’t Share Passwords

This phrase has two meanings … Firstly, account passwords should not be shared with other people. This includes, but is not limited to :-

  1. Don’t email them when you are asked to.
  2. Don’t fill in a web form asking for your password if you received the link in an email (no matter how legitimate it looks).
  3. Don’t tell people what your password is when asked. No matter who asks.
  4. Avoid entering your password where people may be overlooking you. This may seem excessively paranoid when you are entering your password in your office, but it is not so paranoid when you are entering your password in a crowded cyber café.

Secondly, it is also inadvisable to share your passwords across multiple different systems. Your banking passwords should not be the same as your social networking passwords, which in turn should not be the same as your work password. This limits the amount of damage that can be caused by one password being compromised.

So How Do I Generate A Strong Password?

There are many, many different pages suggesting how you might generate a strong password. There are even cartoons (Source: XKCD). Whatever method you use, you need a method that works for you. However, our suggestion is a variation on the method suggested in that cartoon :-

  1. Pick three to four words of at least three letters in length.
  2. Capitalise one of the letters in some of the words … and the first letter is not a good choice.
  3. String the words together with a random punctuation symbol (“-”, “=”, “+”, “@”, “#”, etc.). There is no need to use different symbols; just pick a favourite symbol.

This leads to the kind of password that meets policy criteria (which more usually encourages passwords such as “zup12#$$9zz”), is easier to remember, and most importantly of all is strong. Some examples of the kind of password this generates include :-

  1. kift-bellow-bonE
  2. quick#purple#trumpeT
  3. optionS%Bullet%tree%gum
  4. kiN*Boggle*zap*Bug

These all look long and difficult to type; however in practice they are much easier than they look, and can be surprisingly quick to type.
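The three-step method above, turned into a generator and a checker as an added example (not part of the original post or of any University tool). The word list is a tiny constructed stand-in for a real dictionary, and the checker only tests the shape of a password against the post's own examples, not its strength.

```python
import re
import secrets

# Constructed stand-in word list (assumption); a real one would be far larger.
WORDS = ["kift", "bellow", "bone", "quick", "purple", "trumpet", "options",
         "bullet", "tree", "gum", "kin", "boggle", "zap", "bug"]
SYMBOLS = "-=+@#%*"
WORD_RE = re.compile(r"[A-Za-z]{3,}")


def capitalise_inside(word: str) -> str:
    """Upper-case one letter, never the first, as step 2 advises."""
    i = secrets.randbelow(len(word) - 1) + 1
    return word[:i] + word[i].upper() + word[i + 1:]


def generate(words=WORDS, n_words=None, symbol=None) -> str:
    """Steps 1-3: three or four words, some capitalised, one joining symbol."""
    n = n_words or 3 + secrets.randbelow(2)
    sym = symbol or secrets.choice(SYMBOLS)
    chosen = [secrets.choice(words) for _ in range(n)]
    # "Some of the words": always at least one, others by coin toss.
    targets = {secrets.randbelow(n)} | {i for i in range(n) if secrets.randbelow(2)}
    chosen = [capitalise_inside(w) if i in targets else w
              for i, w in enumerate(chosen)]
    return sym.join(chosen)


def is_policy_shape(pw: str) -> bool:
    """True if pw has the shape of the post's examples: 3-4 words of 3+ letters,
    one non-digit separator used throughout, at least one capital letter."""
    seps = {c for c in pw if not c.isalpha()}
    if len(seps) != 1:
        return False
    sym = seps.pop()
    if sym.isdigit():
        return False
    words = pw.split(sym)
    if not 3 <= len(words) <= 4:
        return False
    if not all(WORD_RE.fullmatch(w) for w in words):
        return False
    return any(c.isupper() for c in pw)


if __name__ == "__main__":
    pw = generate()
    print(pw, is_policy_shape(pw))
```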
