Dealing With Suspicious Emails

From time to time, we all receive emails at work that we regard as a little suspicious (if you do not, it is quite possible that your suspicion level needs to be increased). What should we do with those emails?

The traditional advice has been to check with a colleague and/or forward them to the IS ServiceDesk. That remains the advice, but NCSC has a new service for submitting suspicious emails to.

If the email does not contain confidential information, the advice is now to forward suspicious emails to the IS Service Desk ( as well as the NCSC SERS (

The latter will contribute towards blocking and taking down malicious web sites – something which we cannot do ourselves.

In addition, you can also use it for reporting suspicious emails received at non-work addresses.

You can read more about the NCSC SERS service at


Who Is

Short answer: No idea! And yes that is my name.

We have received a couple of reports of phishing attempts using look-alike names – in this example (which isn’t real), the email address was used in an email purporting to be the individual who is usually found at As email addresses are slightly harder to forge than they used to be, attackers are looking to use look-alike email addresses.

Attackers use either domains that look similar (the bit after the “@” such as or), or names that are familiar – as in the example shown.

To defend against this, we need to :-

  1. Avoid using personal email accounts for UoP business emails.
  2. Check and double-check the email address in the “From” field – whilst these can be forged, it is somewhat harder to forge addresses than it used to be.
    1. Is the domain part (after the “@”) or does it merely look similar?
    2. If it looks like a personal name from a common personal mail site – – is it one you are familiar with? Do you know that the individual uses that address as their personal email?
  3. And of course the standard anti-phishing defences – does it encourage urgency? Suspicious. Does it link to a strange web site? Suspicious. Etc.
  4. If in doubt, ask. Ask a colleague or ring the sender to check.

Security At Home

As most of us are now working from home, it is time to consider security in the home; because you are working from home, security at home is important to the university (in addition to yourself). Indeed there are new dangers in the present situation that you may not have considered.

For instance, many of you have posted cute pictures of “co-workers” (four-legged ones) curled up on or near your laptops. But have you considered what is visible on the screen?

And despite choosing a deliberately innocuous window to take a copy of, it still contains some information that it may be worth thinking twice about making public!

This is a screenshot rather than a phone picture with a screen in it, so you may be thinking that what is in your phone photo is less visible. Except that :-

  1. It is simple to save a copy of that photo outside of where you are sending the photo (Facebook is the default option here) so it can be viewed in a different manner than you expect.
  2. You can zoom into images to see details not usually visible. And try other image enhancements to make things clearer.

The key thing to remember is to obscure whatever is on the screen for fun photos – bring up Notepad, maximise it, and write “Not work stuff” in big letters!

Obscuring the screen should also be considered if you are working from home with others in the house – consider getting a privacy overlay (link provided as an example and not an endorsement) for your screen and minimise what you are working on when someone peers over your shoulder.

You should also lock your screen when you are away from the keyboard for any length of time! Apart from anything else, it’ll stop you coming back and discovering that your toddler has finished off that important email and sent it off.

Web Cams

We are all using web cams a bit more than we would normally do, so it is worth considering their security. Always treat a web cam as though it is turned on and your boss and co-workers can see what you’re up to in front of it.

Whilst some webcams are insecure and can be remotely controlled, that is not the danger we’re talking about here. This is more about getting into the routine of being able to join a video conference without making an embarrassing ‘mistake’ – I already know of one web cam accident where a conference attendee had a boyfriend wander through the background “inappropriately dressed”, and I’m sure Facebook will shortly be full of “Top 10 Embarrassing Working From Home Web Cam Accidents” (and I’ve heard about another just during the time it took to write this post).

Not that this should discourage you from using a web cam; just bear in mind the advice in the first paragraph, and discourage uninvited guests from joining the conference (although nobody minds four-legged visitors).

Phishing and Scams

You are probably all bored to tears reading advice about phishing attacks and scams, but it bears repeating because there are those trying to take advantage of the current situation for financial benefit :-

  • If it’s too good to be true, it probably is.
  • If a certain level of urgency is urged, it is worth taking time to be careful.

There is a whole category of old articles to read on phishing.

Using Non-University Equipment

If you are using university-supplied equipment for your work, IS will take care of the security of your device in terms of the system maintenance – providing that you connect it to the VPN (GlobalProtect) regularly. If you prefer to use your own equipment for UoP work, you will be expected to perform much the same system maintenance work (which you should be doing anyway to keep personally safe) :-

  1. You must be using a supported operating system. Unsupported operating systems do not get security patches and so will be assumed to be unsafe (they will be sooner or later). If the hardware you are running will not run a later operating system, you will have to arrange for another machine. This may seem harsh, but
  2. You must install operating system patches as and when they arrive; indeed you should check for operating system patches on a regular basis – daily, weekly, or monthly. An operating system that does not get updated is putting yourself (and the University) at risk!
  3. Similarly any installed software needs to be regularly checked for updates – especially web browsers!
  4. If you have any University work data on your own machine(s), you should make sure that the storage is encrypted. If you use any hardware from within the last 5 years or so, the performance impact will not be noticeable.
    1. Use approved cloud-based storage (including the N: and K: drives – they’re in the “UoP Cloud”) as much as possible.
    2. If you must put work data on your local disk(s), remove it as soon as you have finished work on it.
  5. Using the VPN (GlobalProtect) will give you an extra level of protection against “nasty” stuff on the Internet, so please feel free to use it even if you think you have no immediate reason for using it.


Scams In The Time of Coronavirus

(with apologies to Gabriel García Márquez)

As expected, scammers are trying to take advantage of fears over Covid-19 (the Coronavirus) to push their victims into unwise actions – often for profit. I have already seen two scams announcing UK government universal income payments that you have to visit a web site to claim.

We can expect :-

  1. Similar offers to claim your government universal income payment.
  2. ‘Magical’ vaccines, cures, or treatments at specially discounted rates.
  3. Offers to sell goods in short supply – toilet paper, hand sanitiser, medical masks, etc.

And probably a whole lot more attempts to defraud you. Or the university.

Be wary of emails, phone calls, or any other form of communication that :-

  1. Tries to induce a sense of urgency. By rushing you, the scammer hopes to bypass your “wait! is this sensible” thought.
  2. Tries to get you to bypass normal procedures – those procedures are in place for a reason, and whilst we need to be flexible in these times, procedures shouldn’t be completely bypassed.
  3. Tries to claim authority (governmental, official organisation, or senior management) to get you to take urgent action.
  4. If it sounds too good to be true, it probably is.

Which is pretty much the advice in ordinary times.  


Working From Home

For some reason there seems to be a bit of an increase in interest in working from home and so it seems rather timely to produce some advice. Not so much the technical side of things, but general advice from someone who has done it from time to time.

The official instructions for working from home (or “work anywhere”) appear here.

Please feel free to groan!

For better or worse, in some places the facility is called “GlobalProtect” and in others it is called “VPN”. The first (“GlobalProtect”) is a vendor-specific implementation of the generic “Virtual Private Network”.

It should be pointed out that the VPN works fine at the University – you can check that the VPN client works before going home.

VPN Technicalities

Having said that I will try to avoid the technical side, there are a few things to go through.

Firstly, there is plenty of VPN capacity available – the hardware itself is shared with the main firewall, so unlike common environments where the VPN is a separate box and sized for usual usage patterns, the VPN is not likely to collapse under the load.

There is a constraint on the number of VPN users which is related to the number of addresses allocated for its use. This is known, and increasing this has already been worked out.

The more serious problem (although not expected to be that serious) is that whilst the VPN has been in place for years and people have been using it for years, it is possible that someone will find something that does not work through the VPN. In such a situation we need to know: what, who, and when. And it should be logged via the IS ServiceDesk.

Such problems do not necessarily have a quick solution, so you may have to be patient – especially if there is a queue of problems to look at!

General Advice

  1. It can help to have a concrete start and end to the working day – both in terms of time, and more “physically”.
  2. I find it useful to “walk to work” – pop outside for a 30 minute walk around the block (or to the seafront).
  3. Do take breaks (especially lunch!). And take that break away from the work computer.
  4. Try to isolate yourself from whatever else is going on in your home – you are “at work” and should be interrupted only when necessary – such as when something would normally escalate to calling you at work.
  5. Resist temptation; that refrigerator just steps away filled with goodies all whispering “Nibble me!” is just going to get you in trouble.
  6. When it comes to the end of the day, stop. The temptation is to keep going or do a few extra bits and pieces in the evening. That’s fine in an emergency, but down-time is necessary for sanity and working from home does tend to make you work longer hours than you would at work.
  7. Ergonomics is more important than you think – unless you’ve had three months off with constant nerve spasm! Laptops are not the best choice when it comes to usability over a long day – an external screen, keyboard, and mouse can be very helpful as they can be positioned sensibly. A proper desk at the right height and a comfortable office chair is also useful. If you cannot arrange such things (at least for now), then keep moving (in fact keep moving anyway). Spend half an hour sat down at the kitchen table and then half an hour standing at the kitchen work surface.

Lastly, working at home is not necessarily an all or nothing thing. It is possible for a team to set up a rota so that on any day, some people are working from home whilst others are in the office. Or more flexible arrangements.

It is certainly worth trying out working from home to see what works and what doesn’t (and not necessarily just where the VPN is broken, although I want to know that!).


Let’s Encrypt Certificates – Are They Broken?

Short answer: No.

There is a news story going around about an issue with certificates issued by Let’s Encrypt. The certificates themselves are in fact perfectly fine, but they were issued when they should not have been.

If the owners of a domain (say decide to, they can publish a CAA record in the DNS (we don’t) which specifies which certificate authorities are authorised to issue certificates within that domain.

The Let’s Encrypt bug was in relation to checking those CAA records when multiple names appeared in the certificate; it mistakenly checked just one of the names. Thus in some circumstances it could issue certificates it wasn’t supposed to.

Let’s Encrypt are correcting this mistake by revoking the relevant certificates, marking them as invalid. If a certificate is revoked the site will still work, but its security indicator in the location bar will turn red :-

Rather than :-

Even a broken certificate still encrypts the traffic in transit; it “merely” no longer trusts the server’s identity. It is unlikely that you will encounter broken web sites under such circumstances :-

  1. No sites should have been issued with a broken certificate – we don’t publish the relevant DNS record, so Let’s Encrypt wouldn’t have run through the broken check process.
  2. Very few “mainstream” large web sites will use Let’s Encrypt certificates.
  3. Those sites that do use Let’s Encrypt certificates will have received notification if their certificate was due to be revoked, and will have renewed it (it’s free).
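To make the nature of the bug concrete, here is an added example in Python (not code from the original post or from Let’s Encrypt) that models a CA’s CAA check against a constructed DNS table. The correct check walks up the DNS tree for each name in the request and requires every name to pass; the one-name variant reproduces the class of mistake described above, where a forbidden name later in the list is never examined. All domain names and CA identifiers below are constructed placeholders.

```python
# Added example: modelling a CA's CAA check (RFC 8659) over a constructed DNS table.
# This is not Let's Encrypt's code; it only illustrates the failure mode described above.
from typing import Optional

# Constructed stand-in for DNS: domain -> set of CAs named in its CAA "issue" tags.
# An empty set means "CAA published, no CA authorised"; a missing key means "no CAA here".
CAA_RECORDS = {
    "example.org": {"letsencrypt.org"},   # only Let's Encrypt may issue under example.org
    "strict.example.net": set(),          # CAA present, nobody may issue
    # example.com publishes no CAA at any level, so any CA may issue there
}


def find_caa(name: str) -> Optional[set]:
    """Walk from the name towards the root and return the first CAA set found,
    or None if neither the name nor any ancestor publishes CAA."""
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CAA_RECORDS:
            return CAA_RECORDS[candidate]
    return None


def may_issue(ca: str, name: str) -> bool:
    """One name is permitted if no CAA applies to it, or if the CA is listed."""
    allowed = find_caa(name)
    return allowed is None or ca in allowed


def caa_check_correct(ca: str, names: list) -> bool:
    """Correct behaviour: every name in the certificate request must pass."""
    return all(may_issue(ca, n) for n in names)


def caa_check_one_name(ca: str, names: list) -> bool:
    """Models the defect: only one of the names (here the first) is checked,
    so a forbidden name later in the list slips through."""
    return may_issue(ca, names[0])


if __name__ == "__main__":
    request = ["www.example.com", "www.strict.example.net"]
    print("correct check:", caa_check_correct("letsencrypt.org", request))   # False
    print("one-name check:", caa_check_one_name("letsencrypt.org", request))  # True
```

The request in the usage example mixes a name with no CAA at all (any CA may issue) and a name whose parent publishes CAA forbidding everyone; only the per-name loop catches the second one.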

There is the chance that some neglected minor sites will show up as the red padlock icon (meaning “not secure”) and as usual if you see the warning :-

If you see such a warning, trust neither the content nor the identity of the site you are connecting to.


';--have i been pwned?

There is a well known “white-hat” web site called “';--have i been pwned?” which :-

  1. Publicises large data breaches of personal information.
  2. Collects data breaches looking for compromised accounts.
  3. Allows people to check if their own account has been compromised.
  4. Sends domain owners (if you have signed up) notifications of relevant data breaches.

It should be emphasised that this is not a malicious site – it is providing a service to the community. If you check that site for your UoP email address (and it is more than a year or two old), you will almost certainly find out it is listed. For example, my “account” was leaked in the following breaches :-

  1. Anti Public Combo List
  2. Apollo
  3. Collection #1
  4. Data Enrichment Exposure From PDL Customer
  5. Dropbox
  6. Credential Stuffing List
  7. LinkedIn
  8. Onliner Spambot 
  9. Trik Spam Botnet

It should be noted that my email address is over 25 years old and I do sign up to lots of strange services “out there”. So this list might be slightly longer than average.

If your “account” is compromised, don’t panic. And it isn’t your fault. There are actions you should look at doing to reduce your risk … which we’ll get to.

My Account Is Leaked!?‽

If we take one example from the list above – Dropbox – in that case, Dropbox was broken into and the account details of Dropbox users were obtained by an attacker. So your Dropbox account was compromised; hopefully you were notified at the time and had to change your Dropbox password.

This does not mean that your UoP account is at risk if you do not use the same password here.

If you have a perfect personal security score (and very few of us do), that’s all. However if you use the password for your Dropbox account elsewhere, then it is possible that someone is trying to break into those accounts. So when you’re notified of a password breach at a site like Dropbox, and that same password is used on other sites, you should be changing passwords on those other sites.

And if you do use the same password on your UoP account as on a compromised web site, you should change this password too.

Anonymous Leaks

If you refer back up to that list of leaks containing my email address, you will see that well over half are not associated with a well-known web site. Those are leaks from the “dark web”, and unfortunately are often distributed with no indication of where they originated.

It is widely believed that the leaks from the “dark web” represent a tiny minority of the amount of data to be found there – to those with the money to pay for it!

How Did The Leaks Occur?

The leaks very simply fit into two categories – leaks from well known web services (“Dropbox”), and leaks from the “dark web” where personal data dumps from unknown sources are available for sale.

When a large public web service is compromised, and the attackers steal large amounts of account credentials (and any associated personal information), the news often hits the mainstream security news sites (see: ). The “haveibeenpwned” site, on the other hand, attempts to get a copy of the leaked data so that people (including you) can check to see if their account has been leaked.

The “compromise” can consist of an infinite number of possible ways data can be leaked, but the two most significant are :-

  1. A security vulnerability in the web site allows an attacker to break into the servers and access whatever data sits on the web site server(s).
  2. A cloud-based database or database backup is not properly secured and is available to anyone to connect to and read data. In some ways this is worse than the first as it is just a mistake in configuration that allows the leak.

Finally, there are leaks from the “dark web” – public data leaks are just the tip of the iceberg. It isn’t in the interest of hackers for it to be known that they have stolen large swathes of data because they’re very often in the business of selling that data onwards. If those hackers themselves have a data leak, it is entirely possible that the data could end up in the hands of security researchers – who may very well pass it on to “haveibeenpwned”.

In some cases where the data is sitting on public file distribution sites, “haveibeenpwned” will pass the link on to domain owners – which is why occasionally IS can inform those whose accounts have been compromised what has happened. But they do not distribute personal information themselves (even when they have the data).

What Are Data Leaks Used For?

Fraud. Specifically any kind of fraud that will obtain money.

In some cases attackers will use account credentials to leak data out of other web services to “enrich” data they already have on you.


Defending Yourself

Whilst it is in no way your fault that third-parties leak your personal data, that is hardly very helpful when you are the victim of identity theft and/or financial fraud. And so, how can we defend ourselves against the mistakes made by third parties?

  1. Try not to use the same password on multiple sites, and if you do, group them into related and low-risk sites. For example, your banking sites need unique strong passwords, but infrequently used shopping sites that do not store your credit card details could share a password.
  2. Use long and strong passwords wherever possible; if you fear forgetting passwords (and frankly given the number of passwords we have to remember, who doesn’t?), install and use a password manager such as KeePassXC.
  3. Where it is available as an option, consider enabling two-factor (or multi-factor) authentication.
  4. Periodically check the web site to see if your details have been compromised since the last time.
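Point 4 above is about checking your email address on the site; the same service also lets you check a password without ever sending it anywhere, which is worth understanding if you are worried about a reused password. The following Python is an added example (not code from the original post or from haveibeenpwned) of how that “range” check works: only the first five characters of the password’s SHA-1 hash are sent, the service returns every hash suffix sharing that prefix, and the match is made on your own machine. The response text below is constructed for the offline demonstration; the live lookup function is included but not exercised.

```python
# Added example: the k-anonymity range check used by the Pwned Passwords part of
# haveibeenpwned. Only the first five hex characters of the SHA-1 hash leave your
# machine; the matching is done locally. The response text below is constructed.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def pwned_range_parts(password: str):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that is kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Search the 'SUFFIX:COUNT' lines returned for a prefix; 0 means not found."""
    for line in range_body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one prefix (not used by the offline demonstration below)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed response for prefix 5BAA6 (the SHA-1 of "password" begins 5BAA61E4C...).
# The suffixes and counts other than the third line are made up.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E5C5F2A9B1E1A3B0C7D9F4E8A6B2C1D0E9:2
"""


def times_seen(password: str, range_body: str) -> int:
    """How many times the password appears in breaches, given the response for its prefix."""
    prefix, suffix = pwned_range_parts(password)
    return count_in_range(suffix, range_body)


if __name__ == "__main__":
    prefix, _ = pwned_range_parts("password")
    print("prefix sent to the service:", prefix)                 # 5BAA6
    print("times seen:", times_seen("password", SAMPLE_RANGE_RESPONSE))  # 3730471
```

In real use you would call `fetch_range(prefix)` and pass its body to `count_in_range`; a non-zero count means the password is in known breach data and should not be used anywhere, let alone on several sites.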


Lastly, that strange word “pwn” is a deliberate misspelling of “own” (or “owned”) to indicate that something has been broken into (or “owned”). And yes, this even appears in the OED.


Email: Spam/Ham and Some Indigestible Acronyms

This posting has been a long time coming, and is probably longer than ideal, but for those who send bulk emails, there may well be some useful tips in here. And for convenience those who use cloud-based services that also send email can also be classified as bulk email senders.

Some bits get very technical, but if you want to skip over those details, feel free; bear in mind, though, that email without the technical bits won’t work. Whatever the sales person tells you!

Ham is of course email that isn’t spam.

But what is spam? It depends on who you ask but :-

  1. It is email that the recipient doesn’t want to see. Whilst this is the least specific definition and the hardest to work to, it is perhaps the most important definition. If the recipient doesn’t want to receive your email, and hits the “This is Spam” button, your emails will be added to a statistical model and/or a machine learning neural network as an example of spam and make it less likely that future emails will be delivered without being filed away into the dreaded “Spam” folder.
  2. It is unsolicited bulk email, which is the original technical specification of spam – unsolicited because it isn’t asked for (but what qualifies as “asking”?), bulk (but does generating individually customised versions mean it is no longer bulk?), and email (because sending unsolicited bulk instant messages isn’t quite so annoying?).

There is also a legal definition of what counts as spam but that is beyond the scope of this article.

Phishing can be considered a sub-type of spam – it is bulk email designed to fool you into doing something that you should not – such as “log in” to an attacker’s portal designed to look like a Google authentication page, or less technically, designed to get you to pay for something.

As one of the techniques used to try and fool recipients, phishing very often tries to forge the sender email address to make it look more official. For this reason, technical controls to make forging email addresses harder are frequently in use.


One of the selling points of cloud-based bulk email senders is that they try and offer a control panel to indicate just how many recipients have received and read your emails. Perhaps unfortunately, email just doesn’t work that way.

Bulk email senders have been engaged in a low-level war with email privacy activists with one side inventing new ways to track what the recipients are doing with your email, and the other side trying to prevent that “invasion of privacy”.

Whilst the standard for “Do Not Track” has failed, there is still widespread support for it (as shown above), and some people are using “ad blockers” as a more effective alternative.

In summary: You cannot be sure that the control panels of cloud-based bulk email senders are actually tracking what they claim to be.

The Indigestible Acronyms

Email by itself is not secure in any way. You can pretend to be anybody you want, and the contents of the email are not secure either – if an attacker can intercept your email, they can read the contents.

The early solution to this problem was PGP, but whilst an excellent solution technically it really requires senders and recipients to actively participate and to have a rather high level of technical expertise. So it was widely ignored, although it remains an excellent solution for communication requiring very high levels of assurance.

But the problem of forged emails not only remained but increased so other solutions were developed … solutions that resided within the email infrastructure and did not require sender or recipient participation.


Whilst the Domain Name System sits underneath email, it also sits underneath every single Internet (and many other) application. It is most commonly used to look up names such as “” and return network addresses (such as

But it can be used to publish other information, and is widely used within various email security enhancements. The various standards are often implemented as a record added to the DNS – for example, the SPF standard requires publishing a text record in the DNS of the form “v=spf1 ip4: -all”.

SPF (Sender Policy Framework)

The SPF standard publishes a record within the DNS for an organisation that allows that organisation to specify what network addresses can be used to send email addressed from that domain. For example, we have an SPF record that specifies that can come from (the UoP public network address), Google’s network addresses, plus a rather large number more.

This SPF record is limited in size, and the more we add to it, the more likely we are to break email. For this reason there is an initiative to try and coalesce bulk email services to reduce the number that we are using.
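The “limited in size” problem is mostly the lookup limit: a receiving server may perform at most ten DNS lookups (include, a, mx, ptr, exists and redirect all count) while evaluating a record, and a record that needs more yields a permanent error, so mail from the domain fails authentication however well-formed the record is. The following Python is an added example (not from the original post and not a full SPF implementation) of an evaluator over a constructed DNS table: it handles ip4, ip6, include and all, counts lookups across nested includes, and reports the limit being exceeded. All domains and addresses are constructed placeholders.

```python
# Added example: a small SPF (RFC 7208) evaluator over a constructed DNS table.
# It handles ip4/ip6/include/all and counts the DNS lookups that the 10-lookup
# limit applies to; the domains and addresses below are constructed placeholders.
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS TXT lookups (domain -> SPF record).
SPF_TXT = {
    "example.org": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/24 include:_spf2.mailer.example ~all",
    "_spf2.mailer.example": "v=spf1 ip6:2001:db8::/32 -all",
}
# A record with too many includes (12), of the kind that "breaks email".
for _i in range(12):
    SPF_TXT[f"_inc{_i}.bloated.example"] = f"v=spf1 ip4:192.0.2.{_i}/32 -all"
SPF_TXT["bloated.example"] = "v=spf1 " + " ".join(
    f"include:_inc{_i}.bloated.example" for _i in range(12)) + " -all"


class SpfPermError(Exception):
    """Raised when evaluation exceeds the lookup limit (SPF result: permerror)."""


def check_host(ip: str, domain: str, lookups=None) -> str:
    """Return pass/fail/softfail/neutral/none for a sending IP and a domain."""
    if lookups is None:
        lookups = [0]          # one counter shared across nested includes
    record = SPF_TXT.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        raise SpfPermError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term[:4] in ("ip4:", "ip6:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER[qualifier]
        elif term.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                raise SpfPermError("more than %d DNS lookups" % MAX_LOOKUPS)
            if check_host(ip, term[8:], lookups) == "pass":
                return QUALIFIER[qualifier]
        elif term == "all":
            return QUALIFIER[qualifier]
        # a, mx, exists and redirect= mechanisms are outside this example
    return "neutral"


def exceeds_lookup_limit(ip: str, domain: str) -> bool:
    """True if evaluating the record for this sender hits the limit (permerror)."""
    try:
        check_host(ip, domain)
        return False
    except SpfPermError:
        return True


if __name__ == "__main__":
    print(check_host("203.0.113.9", "example.org"))                # pass (via include)
    print(check_host("192.0.2.1", "example.org"))                  # fail
    print(exceeds_lookup_limit("192.0.2.11", "bloated.example"))   # True
```

Note that the sender matched by the eleventh include of `bloated.example` is a legitimate one; it still fails, which is exactly why coalescing bulk email services matters.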

DKIM (DomainKeys Identified Mail)

The DKIM standard also publishes a record (actually commonly more than one) within the DNS to specify the public key of a public/private key pair which is used to verify that a sending server is authorised by an organisation to send email.

The sending server uses a private key to sign a header, and the receiving server uses the public key published in the DNS to verify the signature. If the verification succeeds, the recipient’s mail server can be confident that the sending server was authentic.

A DKIM record looks something like :-

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAfEB8lKdN9PEGll4hxix17dnvGFbvjiIfrIq/E3Yi5rePbLfOHQ1lnJwG54mdA8AFQjgJ4hKiC8++JGog/v4RiamLdq7csjuz7erUvjoC3VSco8K33iNRWskgTFnwuJj2BwC89F3GZjBBZ0cKvim+OHi/jHSuk+4vR1z21He4LwIDAQAB

And yes that has to be entered exactly as given with no risk of mistakes – a text-based cut and paste is required to create a new DKIM record for a new email sender.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

The DMARC standard is yet another DNS record published by an organisation that specifies how messages should be permitted, rejected, or quarantined (put in a “spam” folder) depending on whether they pass SPF and DKIM verification.
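The DKIM and DMARC records are both written as `tag=value` lists, and the DMARC decision depends not only on SPF and DKIM passing but on the passing identity being *aligned* with the domain in the From: header. The following Python is an added example (not from the original post, and not a full DMARC implementation) that parses both record types, checks that the DKIM record quoted above decodes to a well-formed key (a cut-and-paste slip in the `p=` value usually fails here), and applies a DMARC policy to a message’s authentication results. The DMARC record and the domains are constructed placeholders; the organisational-domain shortcut is noted in the code.

```python
# Added example: parsing the tag=value records used by DKIM and DMARC, and applying
# a DMARC policy to the SPF/DKIM results of a message. The DKIM record is the one
# quoted in the post above; the DMARC record and domains are constructed placeholders.
import base64

PAGE_DKIM_RECORD = (
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCAfEB8lKdN9PEGll4hxix17dnv"
    "GFbvjiIfrIq/E3Yi5rePbLfOHQ1lnJwG54mdA8AFQjgJ4hKiC8++JGog/v4RiamLdq7csjuz7erUvjoC3VS"
    "co8K33iNRWskgTFnwuJj2BwC89F3GZjBBZ0cKvim+OHi/jHSuk+4vR1z21He4LwIDAQAB"
)


def parse_tags(record: str) -> dict:
    """Parse 'tag=value; tag=value' (the tag-list syntax shared by DKIM and DMARC)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def dkim_key_info(record: str):
    """Return (key type, DER length in bytes) after checking that p= decodes;
    a typo in the pasted key normally surfaces as a base64 error here."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 record")
    key = base64.b64decode(tags["p"], validate=True)
    return tags.get("k", "rsa"), len(key)


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels. Real DMARC uses the
    Public Suffix List; this shortcut is wrong for names like 'something.ac.uk'."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs identical domains; relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(dmarc_record: str, from_domain: str, spf_result: str,
                      spf_domain: str, dkim_result: str, dkim_domain: str) -> str:
    """'pass' if SPF or DKIM passed *and* aligns with the From: domain; otherwise
    the p= policy (none, quarantine or reject)."""
    tags = parse_tags(dmarc_record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


if __name__ == "__main__":
    print(dkim_key_info(PAGE_DKIM_RECORD))        # ('rsa', 162): a 1024-bit RSA key
    print(dmarc_disposition("v=DMARC1; p=quarantine", "example.org",
                            "pass", "bulk.example.org", "fail", "mailer.example"))  # pass
    print(dmarc_disposition("v=DMARC1; p=quarantine; aspf=s", "example.org",
                            "pass", "bulk.example.org", "fail", "mailer.example"))  # quarantine
```

The second call shows the case a bulk-mail sender most often trips over: SPF passes for the sender’s own domain, but with strict alignment that domain is not the one in From:, so the message is quarantined anyway.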

Membership Management

When running a mailing list, it is important to manage the members of that list :-

  1. Removing addresses that don’t work.
  2. Removing members of an “opt in” list who expressed a desire to opt out.

These two tasks may be managed automatically, but it is worth bearing in mind that these are both tasks that a bulk emailer is responsible for. Sending to broken addresses may well increase the likelihood that email to a similar destination will be marked as spam; and of course sending email to those who don’t want to receive it will result in it being manually marked as spam.


In addition to getting the technical configuration right to not fall afoul of DMARC, DKIM, or SPF checking, it is also important to optimise the content of messages to minimise the chances of being marked as spam. This is definitely the trickiest bit to advise on because the “markers” for spam tend to be based on statistical models and in some cases advice may be in conflict with the purpose of the message!

  1. Email with “rich” content (fonts, colours, embedded links, etc.) is normally sent as two parts – an HTML version (with the “rich” bits) and a plain text version. Email sent as only HTML is quite likely to be marked as spam. Depending on your email sender, this may be an option to turn on or off although Mailchimp at least sends plain-text versions alongside HTML messages by default.
  2. When composing email with “rich” content, avoid making it too “rich” – the use of JavaScript, external CSS, Flash, embedded video, etc. will most likely not work, and will make your email look like spam.
  3. Don’t! Get!! Too!!! Excited!!!! Spam often seems to be very excited in its tone (and is often guilty of using too many exclamation marks) – try and avoid getting too overenthusiastic in tone. This doesn’t mean try to be too bland though. On a related note, DON’T SHOUT (uppercase only text is perceived as shouting).
  4. Using punctuation like “!” or “?” in Subject headers is also ‘spam-like’.
  5. No matter how urgent it is, don’t try to push people into doing something urgently (“Urgent! Bank fees to go up!”) – they won’t, and it is a very spam-like (and phishing) thing to do.
  6. Avoid spam-like phrases such as “business offer”, “free”, “best price”, “cash”, “no obligation”, “wrinkles”, “mortgage”, “valium”, “weight-loss”, “guaranteed”.
  7. Never mention ‘impossible’ percentages (anything greater than 100%) – it is a clear sign of spamminess, and causes mathematically inclined people to grind their teeth.
  8. Use correct English.
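Several of the points above can be checked mechanically before a message goes anywhere near a bulk mailer. The following Python is an added example (not from the original post, and not the scoring that any real spam filter uses) of a pre-send lint: it flags HTML without a text/plain alternative, punctuation in the Subject, runs of exclamation marks, shouting, impossible percentages and the listed spam phrases. The two sample messages and the thresholds are constructed for illustration.

```python
# Added example: a pre-send lint that flags the markers listed above in a message.
# It is not the scoring any real spam filter uses; thresholds and phrases are
# constructed for illustration, and the two sample messages are made up.
import re
from email.message import EmailMessage

SPAM_PHRASES = ("business offer", "free", "best price", "cash", "no obligation",
                "wrinkles", "mortgage", "weight-loss", "guaranteed")


def lint_text(text: str) -> list:
    """Content checks applied to the subject and body text together."""
    findings = []
    if re.search(r"!{2,}", text):
        findings.append("excess-exclamation")
    letters = [c for c in text if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.6:
        findings.append("shouting")
    if any(float(m.group(1)) > 100 for m in re.finditer(r"(\d+(?:\.\d+)?)\s*%", text)):
        findings.append("impossible-percentage")
    low = text.lower()
    hits = [p for p in SPAM_PHRASES if re.search(r"\b" + re.escape(p) + r"\b", low)]
    if hits:
        findings.append("spam-phrases:" + ",".join(hits))
    return findings


def lint_message(msg: EmailMessage) -> list:
    """Structural checks (Subject punctuation, HTML with no text/plain part),
    then the content checks over the readable text."""
    findings = []
    subject = msg.get("Subject", "")
    if re.search(r"[!?]", subject):
        findings.append("subject-punctuation")
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    types = {p.get_content_type() for p in leaves}
    if "text/html" in types and "text/plain" not in types:
        findings.append("html-only")
    text = "\n".join(p.get_content() for p in leaves if p.get_content_type() == "text/plain")
    if not text:   # HTML-only message: strip the tags and lint what remains
        text = "\n".join(re.sub(r"<[^>]+>", " ", p.get_content())
                         for p in leaves if p.get_content_type() == "text/html")
    findings.extend(lint_text(subject + "\n" + text))
    return findings


def good_message() -> EmailMessage:
    """Constructed sample: plain text plus an HTML alternative, calm wording."""
    msg = EmailMessage()
    msg["Subject"] = "Library opening hours for the Easter vacation"
    msg.set_content("The library is open 09:00 to 17:00 on weekdays during the vacation.\n"
                    "Full details are on the intranet.")
    msg.add_alternative("<p>The library is open 09:00 to 17:00 on weekdays during the "
                        "vacation.</p><p>Full details are on the intranet.</p>", subtype="html")
    return msg


def bad_message() -> EmailMessage:
    """Constructed sample showing most of the markers at once (HTML only)."""
    msg = EmailMessage()
    msg["Subject"] = "URGENT!!! Best price guaranteed!"
    msg.set_content("<p>CLAIM YOUR 150% CASH BONUS NOW!!! NO OBLIGATION, FREE MONEY!</p>",
                    subtype="html")
    return msg


if __name__ == "__main__":
    print(lint_message(good_message()))   # []
    print(lint_message(bad_message()))
```

Loading a real draft is a one-liner with `email.message_from_bytes(data, policy=email.policy.default)`, which returns an `EmailMessage` that `lint_message` accepts directly.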

There are other guides to avoiding being marked as spam – search for them.

In general, it is also important to “stick to the subject” – use mailing lists for the purpose for which they were created, avoid sending unnecessary messages, minimise the number of emails sent, and keep them interesting.


Diagnosing a Phishing Attack

I was clearing out some older emails today and encountered an attempt to phish Apple credentials; although this one was specific to Apple, the general lessons apply to all phishing attacks … and indeed more general malicious spam.

The attack was immediately obvious simply from the email addresses within the “To” and “From” headers without opening the body of the email :-

From: suρρort@aρρlе.com <>

First of all, look at the “To” header :-

  1. It doesn’t contain your (or in this case my) email address. This is a mark of suspicion; not enough on its own to make it spam, but on the way.
  2. Look how “apple” is a sub-domain of “”. Is Apple likely to allow anything significant to be branded with anything other than “apple”? More suspicious.

Next look at the “From” header … it may well be that your mail client does not show the full version of this – it would show just the “suρρort@aρρlе.com” rather than the real email address which is contained within “<” and “>” (“”). So some of the first indicators may not be visible to you :-

  1. The real email address (“”) is very odd, and the domain part (“”) has no apparent connections with Apple.
  2. The supposed email address (“suρρort@aρρlе.com”) appears where a full name would normally appear – this is a clear mark of suspicion.
  3. Look closely at the “p”s in “aρρlе.com” and “suρρort”. Magnify the screen if you wish; not quite right are they? That’s because they’re not “p”s but a Greek rho letter with a similar but not identical appearance to a “p”. Using deceptive Unicode letters like this is doubly suspicious – enough to treat the email very carefully.

The subject itself also has lots of suspicious keywords selected (in some cases) to fool you into treating it more urgently and less suspiciously :-

  1. “Fwd:”: This is commonly added when someone manually forwards an email on – why is this sort of email being forwarded and not sent directly? Do you have a personal assistant who handles emails for you?
  2. “Daily-Reminder”: If it’s a daily reminder, what is so urgent about it?
  3. “Receipt-Document due”: Are you behind on your paperwork with Apple?
  4. “Alert!”: Is it really?

And lastly, there is the message body itself, although by now there is enough information leading to suspicion that there is no need to examine the body. But the body consists of just an attachment; no serious email from an organisation like Apple will consist of just an attachment with no explanation as to the contents. I have never sent an email to someone with just an attachment – even when they know such a thing is on the way; there is always an explanation.

I (and don’t do this unless you know you are running it in a prepared environment with full protection against infection) downloaded the attachment and passed it through some checks :-

  1. It isn’t detected as malware by VirusTotal (which passes an uploaded file through 61 anti-malware engines).
  2. The document contains lots of scary words plus a link to a suspicious site. The link was to csactivityremember.ddns.${obfuscated}. The “ddns” bit indicates that this site moved around to different servers on a regular basis. Not the sort of thing that Apple would do; and Apple certainly wouldn’t use a name like that.

Note how there was enough information in the “To” and “From” headers to indicate that this was a suspicious email – all the rest of it was further analysis to confirm my suspicions. You can (and should) reject such suspicious emails at the earliest possible stage.
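The header checks walked through above, together with the look-alike address check from the “Who Is” post earlier on this page, can be done mechanically on the raw headers. The following Python is an added example (not code from the original posts) that splits a From: header into display name and real address, flags a display name that is itself an address, reports any non-Latin letters (the Greek rho trick, reproduced here with U+03C1 in a constructed display name), compares the claimed and real domains, classifies the real domain as exact, look-alike or unrelated against a trusted set, and checks whether you appear in To:. The addresses and the trusted domain are constructed placeholders.

```python
# Added example: header-level checks of the kind walked through above, plus the
# look-alike domain check from the "Who Is" post. Addresses and the trusted domain
# are constructed placeholders; the display name reproduces the Greek-rho trick
# (U+03C1 in place of "p").
import difflib
import unicodedata

TRUSTED_DOMAINS = {"example.ac.uk"}   # constructed: the organisation's own domain(s)

SAMPLE_FROM = "su\u03c1\u03c1ort@a\u03c1\u03c1le.com <support-bounce@mail.example.net>"
SAMPLE_TO = "someone.else@mail.example.net"


def split_address(header: str):
    """Split 'Display Name <addr>' into (display, addr); a bare address has no display."""
    header = header.strip()
    if header.endswith(">") and "<" in header:
        display, _, rest = header.rpartition("<")
        return display.strip().strip('"'), rest[:-1].strip()
    return "", header


def non_latin_scripts(text: str) -> set:
    """Scripts other than Latin that contribute letters to the text, e.g. {'GREEK'}."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            script = unicodedata.name(ch, "UNKNOWN").split()[0]
            if script != "LATIN":
                scripts.add(script)
    return scripts


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """'exact' for a trusted domain, 'look-alike' when it merely resembles one
    (a digit 1 for an l, a dropped letter), otherwise 'unrelated'."""
    d = domain.lower()
    if d in trusted:
        return "exact"
    for t in trusted:
        if difflib.SequenceMatcher(None, d, t).ratio() > 0.8:
            return "look-alike"
    return "unrelated"


def analyse_from(header: str) -> list:
    """Marks of suspicion found in a From: header, as short tags."""
    display, addr = split_address(header)
    findings = []
    if "@" in display:
        findings.append("display-name-is-an-address")
        claimed = display.rpartition("@")[2].lower()
        if claimed != addr.rpartition("@")[2].lower():
            findings.append("claimed-domain-differs")
    for script in sorted(non_latin_scripts(display + addr)):
        findings.append("non-latin:" + script)
    findings.append("domain:" + classify_domain(addr.rpartition("@")[2]))
    return findings


def analyse_to(header: str, my_address: str) -> list:
    """Flag a To: header that does not contain the recipient's own address."""
    recipients = {split_address(part)[1].lower() for part in header.split(",") if part.strip()}
    return [] if my_address.lower() in recipients else ["recipient-not-in-to"]


if __name__ == "__main__":
    print(analyse_from(SAMPLE_FROM))
    # ['display-name-is-an-address', 'claimed-domain-differs', 'non-latin:GREEK', 'domain:unrelated']
    print(analyse_to(SAMPLE_TO, "me@example.ac.uk"))   # ['recipient-not-in-to']
```

The similarity threshold is deliberately crude; its purpose is to make a near-miss such as `examp1e.ac.uk` stand out as something to read twice rather than to decide anything on its own.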


German University Forced To Reset All Passwords

According to this story in The Register (the source material is reasonably enough in German), one of our German competitors has recently been forced to reset every single account password causing significant queues for service. Plus a significant amount of malware cleansing.

Reading between the lines, and making possibly unwarranted assumptions based on my knowledge of how attacks work, it seems likely that this incident came about because :-

  1. A significant malware outbreak occurred despite anti-virus protection (everyone has that these days), making a case for “next generation endpoint protection” (detecting malware by behaviour rather than signature).
  2. At least one infected workstation was used by someone with “domain admin” level privileges allowing access to the Active Directory database.
  3. And presumably some indication was found that the Active Directory database was “stolen”, in theory allowing accounts with relatively weak passwords to be compromised.

Security is one of those tasks that can seem kind of like wasted time; until you look at events like this!
