The security.txt Page for Web Servers

We have recently started using a new-to-us web server security scanner that amongst other things will highlight the absence of a file – security.txt – in the root of the web server. And thus this blog entry explaining what it is, why we need it, and what the contents should be.

Note that this is not an HTML page but a plain text page and must be installed as such.

The intention behind security.txt is to provide a mechanism by which those who encounter security issues with a web site can make contact in an approved manner. To those who argue that the information is available elsewhere, the counter-argument is that it is a lot more helpful to have information available in a standardised location.

The minimum file should contain :-

Contact: cert@port.ac.uk
Preferred-Languages: en

You can add a second line for an additional contact if you wish :-

Contact: cert@port.ac.uk
Contact: servicedesk@port.ac.uk
Preferred-Languages: en

The file must be named precisely security.txt and must be either in the root of the web server “document root” or within the standard well-known subdirectory (/.well-known/security.txt, as defined by RFC8615).
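The checks a scanner runs against this file are easy to reproduce. The following is an added example (not the scanner's or the university's own code) that parses a security.txt body and reports the problems RFC 9116, the published standard for the file, would flag: the mandatory Contact field, the Expires field that the RFC also makes mandatory (it should be under a year away and in RFC 3339 form), a single Preferred-Languages line, and Contact values written as URIs rather than bare addresses (so mailto:cert@port.ac.uk rather than cert@port.ac.uk). Both sample files are constructed; the compliant one uses the contacts from this post.

```python
"""Validate a security.txt body against RFC 9116 (added example, not from the blog)."""
import re
from datetime import datetime, timedelta, timezone

# Field names defined by RFC 9116, lower-cased because matching is case-insensitive.
KNOWN_FIELDS = {"contact", "expires", "encryption", "acknowledgments",
                "preferred-languages", "canonical", "policy", "hiring", "csaf"}
MANDATORY = {"contact", "expires"}
SINGLE_VALUED = {"expires", "preferred-languages"}
URI_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)


def parse_security_txt(text):
    """Parse 'Field: value' lines into {field: [values]}; '#' starts a comment."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            problems.append(f"line {lineno}: expected 'Field: value'")
            continue
        name, value = name.strip().lower(), value.strip()
        if name not in KNOWN_FIELDS:
            problems.append(f"line {lineno}: unknown field {name!r}")
        fields.setdefault(name, []).append(value)
    return fields, problems


def check_security_txt(text, now=None):
    """Return the list of RFC 9116 problems a scanner would report (empty means OK)."""
    now = now or datetime.now(timezone.utc)
    fields, problems = parse_security_txt(text)
    present = set(fields)
    for name in sorted(MANDATORY - present):
        problems.append(f"missing mandatory field {name!r}")
    for name in sorted(SINGLE_VALUED & present):
        if len(fields[name]) > 1:
            problems.append(f"field {name!r} must appear only once")
    # Contact values must be URIs: a bare e-mail address needs the mailto: scheme.
    for contact in fields.get("contact", []):
        if not URI_SCHEME.match(contact):
            problems.append(f"Contact {contact!r} is not a URI (e.g. mailto:{contact})")
    for expires in fields.get("expires", []):
        try:
            when = datetime.fromisoformat(expires.replace("Z", "+00:00").replace("z", "+00:00"))
            if when.tzinfo is None:
                raise ValueError("no timezone")
        except ValueError:
            problems.append(f"Expires {expires!r} is not an RFC 3339 date-time")
            continue
        if when <= now:
            problems.append(f"file expired on {expires}")
        elif when - now > timedelta(days=366):
            problems.append("Expires is more than a year away (RFC 9116 recommends under a year)")
    return problems


# Constructed samples: the minimal file from this post, and a version passing every check.
MINIMAL = "Contact: cert@port.ac.uk\nPreferred-Languages: en\n"
COMPLIANT = """\
# Constructed example of a compliant security.txt
Contact: mailto:cert@port.ac.uk
Contact: mailto:servicedesk@port.ac.uk
Expires: 2021-01-01T00:00:00Z
Preferred-Languages: en
"""
# Fixed "now" so the Expires check gives the same answer whenever the example is run.
DEMO_NOW = datetime(2020, 7, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for label, body in (("minimal", MINIMAL), ("compliant", COMPLIANT)):
        print(label, check_security_txt(body, DEMO_NOW) or "OK")
```

Run against the minimal file the checker reports two problems (the Contact value is not a URI, and Expires is missing); the constructed compliant file passes cleanly. Serving the file with a text/plain content type is the other thing scanners look for, which is the reason for the note above about installing it as plain text.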

Posted in Technical

Dodgy .ac.uk Web Sites

No, we are not talking about real .ac.uk web sites but fake ones. We have recently been alerted to the activities of a certain well-known attacker (the “Silent Librarian”), and whilst processing it I noticed something it might be helpful to publicise more widely.

The location bar of your browser (or the pop-up that appears when you “hover” over a link in an email) can be a useful source of information on how trustworthy a site is :-

This web site address (it currently gives an error if you happen to try and visit it) has nothing to do with the port.ac.uk address (the university!) although it contains it. A certain number of “fake” web sites used by the previously mentioned attacker are set up like this – the address of a well-known .ac.uk institution with a different domain at the top.

A brief aside on domains: Domains are the wrong way around – for a domain such as port.ac.uk, the most significant part is on the right – the UK, followed by the “ac” (for academic) and finally “port” (for us). Bits added to the right are more significant than the bits at the left.

If I were to register touche.me I could easily create a registration for port.ac.uk.touche.me and point it to a web site not under control of the university. And that is what this attacker is doing.

So when you visit web sites, it is always worth double-checking the location bar to confirm that the domain is what you expect it to be. A name can look like a legitimate site when in fact only its left-hand part is legitimate.
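The “read the domain from the right” rule can be automated, which is how browsers and mail filters decide which part of a name was actually registered. Below is an added example (not the blog's own code) that works out the registered domain of a URL from a small, constructed subset of the Public Suffix List, and then says whether the name is the trusted site, a lookalike that merely contains it, or something else. The touche.me host is the hypothetical one from the post.

```python
"""Which domain does a location-bar URL really belong to? (added example)"""
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (publicsuffix.org): names under these
# are handed out by a registry, so the label immediately to the LEFT of the suffix is
# the part somebody actually registered.
SUFFIXES = {"uk", "ac.uk", "co.uk", "me", "com", "org"}


def registrable_domain(host):
    """Return the registered part of host (e.g. 'touche.me'), or None if unknown."""
    labels = host.lower().rstrip(".").split(".")
    # Walk left to right so the longest known suffix wins ('ac.uk' before 'uk').
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def classify(url, trusted="port.ac.uk"):
    """Return (verdict, registered domain): 'trusted', 'lookalike' or 'other'."""
    host = (urlsplit(url).hostname or "").lower()
    registered = registrable_domain(host)
    if registered == trusted:
        return "trusted", registered
    # The trusted name appears as a run of labels, but to the left of the registered part.
    if f".{trusted}." in f".{host}.":
        return "lookalike", registered
    return "other", registered


if __name__ == "__main__":
    # Constructed URLs: the post's hypothetical touche.me example plus two controls.
    for url in ("https://port.ac.uk.touche.me/login",
                "https://www.port.ac.uk/",
                "https://example.com/"):
        verdict, registered = classify(url)
        print(f"{url:40} {verdict:10} registered domain: {registered}")
```

The important detail is that the suffix match runs from the left, so that ac.uk beats uk and port.ac.uk is reported as the registered name for www.port.ac.uk, while for port.ac.uk.touche.me the same walk only stops at me and reports touche.me.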

Posted in Active Attacks

What Are “Homoglyph” Attacks?

As the phrase has started becoming more widely used, it seems worthwhile to explain just what exactly “homoglyph attacks” are. It is perhaps a bit extreme to call them “attacks” as they are effectively used to deceive … especially in phishing attacks.

It boils down to using “lookalike” letters to create something that looks like a trusted name (for example, “port.ac.uk”) yet isn’t (i.e. “Ꮲοrt.ɑⅽ.υk” (it should be noted that this was created to deliberately look bad)). If a homoglyph is used within a clickable link (for example), you could naively check the link and it would appear to take you to a trusted web site but you would in fact be talking to a completely separate site.

It should be noted that we are partially protected because JANET or Jisc won’t accept just any registration within .ac.uk and certainly won’t accept anything that looks like “port”.

But it is a significant technique commonly used by scammers undertaking phishing attacks.
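Spotting a homoglyph name by eye is unreliable, which is why mail filters and browsers compare a name's “skeleton” (each lookalike letter replaced by the plain letter it imitates) and look for labels that mix writing systems. The following is an added example, not from the blog, that does both for the deliberately ugly “Ꮲοrt.ɑⅽ.υk” above. The confusables table is a constructed subset; the full mapping is Unicode's confusables.txt.

```python
"""Detect homoglyph lookalikes of a trusted domain (added example, not the blog's code)."""
import unicodedata

# Constructed subset of Unicode's confusables table (lookalike -> ASCII letter). The first
# row covers the post's "Ꮲοrt.ɑⅽ.υk"; the rest are Cyrillic letters commonly abused.
CONFUSABLES = {
    "Ꮲ": "P", "ο": "o", "ɑ": "a", "ⅽ": "c", "υ": "u",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def skeleton(name):
    """Map a name to its ASCII skeleton so lookalikes collapse onto the real name."""
    text = unicodedata.normalize("NFKC", name)  # compatibility forms, e.g. roman numeral -> c
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return text.casefold()


def scripts_used(name):
    """Set of scripts (first word of each letter's Unicode name) appearing in name."""
    scripts = set()
    for ch in unicodedata.normalize("NFKC", name):
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def assess(candidate, trusted):
    """'match', 'different', or a 'suspicious: ...' verdict for a name seen in a link."""
    if candidate.casefold() == trusted.casefold():
        return "match"
    findings = []
    if not candidate.isascii():
        findings.append("non-ASCII characters")
    scripts = scripts_used(candidate)
    if len(scripts) > 1:
        findings.append("mixed scripts " + "/".join(sorted(scripts)))
    if skeleton(candidate) == skeleton(trusted):
        findings.append(f"looks like {trusted}")
    return "suspicious: " + "; ".join(findings) if findings else "different"


if __name__ == "__main__":
    for link in ("port.ac.uk", "Ꮲοrt.ɑⅽ.υk", "example.com"):
        print(f"{link!r:22} -> {assess(link, 'port.ac.uk')}")
```

For the fake name the verdict lists all three signals: it is not ASCII, its letters come from more than one script, and its skeleton is exactly port.ac.uk. A plain different domain such as example.com trips none of them, which is the distinction a filter needs in order not to flag every foreign-language site.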

Posted in General, Technical

Twitter: The Trustworthiness of The Blue Tick

If you have not heard, Twitter suffered some sort of incident recently (yesterday at the time of writing) where a number of high profile accounts were used to send out “tweets” suggesting that if you pay them some money (in bitcoin) they would return double the amount of money in bitcoin.

Twitter claims that the accounts themselves were not compromised leading us to the possibility that Twitter has (or had) a vulnerability that allowed anyone to send out tweets as anybody on Twitter – even high profile accounts with blue ticks.

There are several aspects of this story worth learning from.

Firstly, this was one of the classic “wave money to overcome suspicion” attacks – if something is too good to be true, it probably is. At the very least, you will want to check such a strange offer.

Secondly this used prominent Twitter accounts to spread their message – trying (and in some cases succeeding) to abuse an existing trust relationship. We need to be wary of uncritically trusting well known people – we assume that when a tweet appears from a well known individual that they’re the ones actually doing the typing. This isn’t always the case – even in ordinary circumstances – and when a social media giant has security vulnerabilities, that message could be from any criminal.

If a well-known person says something out of character, that message should be viewed with suspicion.

Third, this scam used bitcoin as a payment method. Whilst bitcoin has legitimate purposes, it is also widely used by criminals as the “money” doesn’t go through banks. Any mention of bitcoin should cost a message a touch of credibility; in combination with other factors it could be the deciding factor.

Lastly, look at the “Only doing this for 30 minutes” … if anyone tries to rush you into a decision, they are quite possibly up to something, and that is exactly when you should spend some extra time thinking about it.

It is not any one thing that protects us, but a combination of indicators that tip the scales of suspicion into distrusting a message.

Posted in Active Attacks, General

The VPN, Facebook, and China

We have had at least two reports that some people logged in to our GlobalProtect VPN are also logging into Facebook, examining their current Facebook logins and finding that they’re unexpectedly logged in from China (or Qatar).

This is not the case; we believe that Facebook is “confused” about the location of certain network addresses.

To see where you are logged into Facebook from, choose the downward pointing arrow in the blue Facebook menu bar – it’s next to the question mark at the end at the right. From the drop down menu that appears, select “Settings”.

This changes the page to show your settings with a series of links down the left of the window; select “Security and login” and the main area will change to show various bits including a section marked “Where you’re logged in”.

(This is my list – it is more likely to show “Windows” than “Linux” for you).

Next to the best guess at the operating system of a particular device you can see where Facebook thinks you are logged in from. If you hover the mouse pointer over that location, it will reveal the network address you are logged in from …

This shows the incorrect (and potentially worrying) location of Shanghai, China. However the network address shown when hovering the mouse pointer over the location shows an address beginning with 148.197.

This indicates that :-

  1. The network address belongs exclusively to the University.
  2. The network traffic that originated with your PC (or other device) was routed through the VPN and went directly from there to Facebook.
  3. At no point is there any indication that this traffic went anywhere near China.

The problem is with Facebook who have apparently got a corrupt “GeoIP” database.

Posted in Active Attacks, VPN

VPN or GlobalProtect Performance Issues

On occasions over the last few months, IS has been contacted with regard to network performance issues in relation to the VPN (the GlobalProtect VPN). As a result we have built up some recommendations that may be helpful to others experiencing this.

To start with, our VPN is unlikely to be the root cause of any performance issue. Whilst many organisations’ VPN gateways have suffered because of the increased usage during the lockdown period, this is typically because they use a separate hardware device to provide the VPN, and that device was sized for the usual usage pattern.

In our case, our VPN gateway shares the hardware with the main university firewall and so shares its capacity – essentially bandwidth that was previously available for on campus usage is now available for VPN usage (it’s a bit more complex than that, but is a reasonable approximation). In addition the firewall went through a hardware refresh last year, so it is currently running on relatively new hardware and has plenty of capacity available.

Testing

There are many ways of testing the bandwidth available via a network connection, but to keep things simple the suggestion is to use the test at https://speedtest.net/. Bear in mind that we’re not so much trying for an accurate test, but a relative speed :-

  1. Measure using the above speedtest with the VPN turned off. The result will be in megabits per second (or Mbps).
  2. Measure again with the VPN turned on.
  3. Finally calculate the relative speed with :-
percentage = ( (VPN turned on) / (VPN turned off) ) * 100

This will give a percentage result indicating what proportion of your basic Internet speed is available with the VPN turned on. A good result is anywhere more than 80%.

If you get a reasonable result and your VPN performance is still poor, bear in mind that the overall speed of the network connection has a bearing – whilst some things will work fine (if sluggishly) below 10Mbps, other things will start to break when the connection gets too slow.

If your overall performance is poor, you may have no other option than to upgrade or change your ISP to get better performance. But bear in mind the next section!

Wireless

Whatever variety of wireless you are running at home, it can be subject to interference issues. And these are not always constant – interference can change according to the time of day (and the usage of wireless).

Firstly wireless is a shared medium – my phone right now can see over a dozen wireless networks to connect to, and whilst not everyone lives in such a dense environment, any busy wireless network nearby will have an effect on how much traffic can travel through your wireless network.

Secondly wireless does not necessarily travel very well – walls (especially thick brick or stone walls) can attenuate the signal and cause a severe impact to wireless performance. For example, my home office is upstairs and at the back, whereas my wireless routers are downstairs at the front – trying to use wireless from my home office would be an exercise in frustration at the continual disconnections and abysmal performance.

So our very first recommendation is to plug your PC directly into your broadband router with a cable; even as just a test to confirm (or not) that the wireless network is problematic.

Dangling a cable all the way through a house (or flat) is not a sensible (or safe) solution, so for years I have been using a TP-Link powerline adapter – two boxes which plug into a wall power socket, and effectively “bridge” a network cable across the house power lines. A link to a similar product can be found here (other suppliers exist; other products exist; all relevant disclaimers about this not being an official recommendation, etc).

Routers

Domestic routers tend to be engineered to prioritise economy over robustness and longevity.

In some cases such routers can get slower over time if they are left on continuously. It can be worth trying to restart the router (remove power, wait 5 seconds, restore power) to see if that improves matters. If it does, you can restart it on a regular basis – once a month or once a week.

In other cases, if you have an older router it may have started to go wrong, or simply one of its internal components might not be keeping up with the amount of traffic going through it. There is not much you can do about this other than to replace the router.

If your ISP supplied the router and it is quite old (5 years or more), it may be worth asking your ISP if an upgraded router is available.

The PC

How healthy is your PC? Particularly if it is a self-managed device (i.e. one you own).

If you are lucky enough to be able to have a spare PC or laptop (or can borrow one from someone else in the family), it may be worth installing GlobalProtect onto it and retrying the speed test. If borrowing from one of the family, make sure that their VPN connection is turned off (there is no need to uninstall it!) – two VPNs turned on at the same time will yield surprising and unfortunate results!

The other possibility is to try and borrow something from IS, although at the current stage of the academic year they may be in rather short supply.

Virgin Media Cable

Virgin is a popular choice for supplying an Internet connection given the speeds they provide. However we (and JANET – the university’s ISP) believe that Virgin Media has an intermittent problem with the performance of VPN traffic being routed to the academic networks – it isn’t just us.

Many people will not notice because the difference between 150Mbps and 200Mbps isn’t sufficient to cause a significant problem, but in some cases it can.

There is not a great deal IS can do about this – we can’t log faults for connections that we are not the customer for! JANET themselves are in contact with Virgin, but it may help if you are experiencing issues to :-

  1. Run through the various steps described above to try and show that the problem lies with Virgin.
  2. Emphasise to Virgin that we (the university) do not believe the VPN gateway to be the root cause of the problem, and that non-Virgin customers do not see a large performance hit when using the VPN.

Virgin are unlikely to escalate the call priority for just one person, but if they receive a pattern of similar calls it increases the chances of more senior engineers (and perhaps managers setting policy) paying attention.

Posted in General, VPN

Dealing With Suspicious Emails

From time to time, we all receive emails at work that we regard as a little suspicious (if you do not, it is quite possible that your suspicion level needs to be increased). What should we do with those emails?

The traditional advice has been to check with a colleague and/or forward them to the IS ServiceDesk. That remains the advice, but the NCSC now has a service to which suspicious emails can be submitted.

If the email does not contain confidential information, the advice is now to forward suspicious emails to the IS Service Desk (servicedesk@port.ac.uk) as well as the NCSC SERS (report@phishing.gov.uk).

The latter will contribute towards blocking and taking down malicious web sites – something which we cannot do ourselves.

In addition you can also use it for reporting suspicious emails received at non-work addresses.

You can read more about the NCSC SERS service at https://www.ncsc.gov.uk/information/report-suspicious-emails.

Posted in Email

Who Is mikemeredith@hotmail.com?

Short answer: No idea! And yes that is my name.

We have received a couple of reports of phishing attempts using look-alike names – in this example (which isn’t real), the email address mikemeredith@hotmail.com was used in an email purporting to be the individual who is usually found at mike.meredith@port.ac.uk. As port.ac.uk email addresses are slightly harder to forge than they used to be, attackers are looking to use look-alike email addresses.

Look-alike addresses come in two forms: domains that look similar (the bit after the “@”, such as port.ac or port.co), or familiar names at a different domain – as in the example shown.

To defend against this, we need to :-

  1. Avoid using personal email accounts for UoP business emails.
  2. Check and double-check the email address in the “From” field – whilst these can be forged, it is somewhat harder to forge @port.ac.uk addresses than it used to be.
    1. Is the domain part (after the “@”) port.ac.uk or does it merely look similar?
    2. If it looks like a personal name from a common personal mail site – mikemeredith@hotmail.com – is it one you are familiar with? Do you know that the individual uses that address as their personal email?
  3. And of course the standard anti-phishing defences – does it encourage urgency? Suspicious. Does it link to a strange web site? Suspicious. Etc.
  4. If in doubt, ask. Ask a colleague or ring the sender to check.
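The two address checks in points 2.1 and 2.2 are mechanical enough to run on every incoming From header, which is how a mail gateway can flag these messages before a person has to. Here is an added example (not university code) that parses the From header, reports a domain that shares our first label but is not port.ac.uk (port.ac, port.co), and reports a familiar name arriving from an unfamiliar address, with a note if that address is at a free-mail provider. The staff directory and the free-mail list are constructed stand-ins.

```python
"""Flag look-alike sender addresses in a From header (added example, not the blog's code)."""
import re
from email.utils import parseaddr

ORG_DOMAIN = "port.ac.uk"
# Constructed lists: common free-mail providers, and a one-entry stand-in for the directory.
FREEMAIL = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com", "icloud.com"}
STAFF = {"mike.meredith@port.ac.uk": "Mike Meredith"}


def collapse(text):
    """Lower-case and keep only letters: 'Mike Meredith' -> 'mikemeredith'."""
    return re.sub(r"[^a-z]", "", text.lower())


def assess_sender(from_header):
    """Return 'internal', 'external', or a description of why the sender looks suspect."""
    display, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    if domain == ORG_DOMAIN:
        return "internal"
    findings = []
    # Look-alike domain: same first label as ours (port.ac, port.co, ...) but not our domain.
    if domain.split(".")[0] == ORG_DOMAIN.split(".")[0]:
        findings.append(f"domain {domain} looks like {ORG_DOMAIN}")
    # Familiar name at an unfamiliar address: compare the display name and the local part
    # against the directory with case and punctuation removed.
    seen = {collapse(display), collapse(local)}
    for staff_addr, staff_name in STAFF.items():
        if collapse(staff_name) in seen:
            note = f"name matches {staff_name} <{staff_addr}> but sent from {domain}"
            if domain in FREEMAIL:
                note += " (free-mail provider)"
            findings.append(note)
    return "; ".join(findings) or "external"


if __name__ == "__main__":
    # Constructed headers: the post's hotmail example, a look-alike domain, and two controls.
    for header in ("Mike Meredith <mikemeredith@hotmail.com>",
                   "Finance <finance@port.co>",
                   "Mike Meredith <mike.meredith@port.ac.uk>",
                   "Alice <alice@example.org>"):
        print(f"{header:45} -> {assess_sender(header)}")
```

A flag from this check is a prompt for point 4 (ask, or ring the sender), not proof of fraud: a colleague really may write from a personal account now and then, which is exactly why point 1 asks everyone not to.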

Posted in Active Attacks, Email

Security At Home

As most of us are now working from home, it is time to consider security in the home; because you are working from home, security at home is important to the university (in addition to yourself). Indeed there are new dangers in the present situation that you may not have considered.

For instance, many of you have posted cute pictures of “co-workers” (four-legged ones) curled up on or near your laptops. But have you considered what is visible on the screen?

And despite choosing a deliberately innocuous window to take a copy of, it still contains some information that it may be worth thinking twice about making public!

This is a screenshot rather than a phone picture with a screen in it, so you may be thinking that what is in your phone photo is less visible. Except that :-

  1. It is simple to save a copy of that photo outside of where you are sending the photo (Facebook is the default option here) so it can be viewed in a different manner than you expect.
  2. You can zoom into images to see details not usually visible. And try other image enhancements to make things clearer.

The key thing to remember is to obscure whatever is on the screen for fun photos – bring up Notepad, maximise it, and write “Not work stuff” in big letters!

Obscuring the screen should also be considered if you are working from home with others in the house – consider getting a privacy overlay (link provided as an example and not an endorsement) for your screen and minimise what you are working on when someone peers over your shoulder.

You should also lock your screen when you are away from the keyboard for any length of time! Apart from anything else, it’ll stop you coming back and discovering that your toddler has finished off that important email and sent it off.

Web Cams

We are all using web cams a bit more than we would normally do, so it is worth considering their security. Always treat a web cam as though it is turned on and your boss and co-workers can see what you’re up to in front of it.

Whilst some webcams are insecure and can be remotely controlled, that is not the danger we’re talking about here. This is more about getting into the routine of being able to join a video conference without making an embarrassing ‘mistake’ – I already know of one web cam accident where a conference attendee had a boyfriend wander through the background “inappropriately dressed”, and I’m sure Facebook will shortly be full of “Top 10 Embarrassing Working From Home Web Cam Accidents” (and I’ve heard about another just during the time it took to write this post).

Not that this should discourage you from using a web cam; just bear in mind the advice in the first paragraph, and discourage uninvited guests from joining the conference (although nobody minds four-legged visitors).

Phishing and Scams

You are probably all bored to tears reading advice about phishing attacks and scams, but it bears repeating because there are those trying to take advantage of the current situation for financial benefit :-

  • If it’s too good to be true, it probably is.
  • If a certain level of urgency is urged, it is worth taking time to be careful.

There is a whole category of old articles to read on phishing.

Using Non-University Equipment

If you are using university-supplied equipment for your work, IS will take care of the security of your device in terms of the system maintenance – providing that you connect it to the VPN (GlobalProtect) regularly. If you prefer to use your own equipment for UoP work, you will be expected to perform much the same system maintenance work (which you should be doing anyway to keep personally safe) :-

  1. You must be using a supported operating system. Unsupported operating systems do not get security patches and so will be assumed to be unsafe (they will be sooner or later). If the hardware you are running will not run a later operating system, you will have to arrange for another machine. This may seem harsh, but
  2. You must install operating system patches as and when they arrive; indeed you should check for operating system patches on a regular basis – daily, weekly, or monthly. An operating system that does not get updated is putting yourself (and the University) at risk!
  3. Similarly any installed software needs to be regularly checked for updates – especially web browsers!
  4. If you have any University work data on your own machine(s), you should make sure that the storage is encrypted. If you use any hardware from within the last 5 years or so, the performance impact will not be noticeable.
    1. Use approved cloud-based storage (including the N: and K: drives – they’re in the “UoP Cloud”) as much as possible.
    2. If you must put work data on your local disk(s), remove it as soon as you have finished work on it.
  5. Using the VPN (GlobalProtect) will give you an extra level of protection against “nasty” stuff on the Internet, so please feel free to use it even if you think you have no immediate reason for using it.

Posted in Active Attacks

Scams In The Time of Coronavirus

(with apologies to Gabriel García Márquez)

As expected, scammers are trying to take advantage of fears over Covid-19 (the Coronavirus) to push their victims into unwise actions – often for profit. I have already seen two scams announcing UK government universal income payments that you have to visit a web site to claim.

We can expect :-

  1. Similar offers to claim your government universal income payment.
  2. ‘Magical’ vaccines, cures, or treatments at specially discounted rates.
  3. Offers to sell goods in short supply – toilet paper, hand sanitiser, medical masks, etc.

And probably a whole lot more attempts to defraud you. Or the university.

Be wary of emails, phone calls, or any other form of communication that :-

  1. Tries to induce a sense of urgency. By rushing you, the scammer hopes to bypass your “wait! is this sensible” thought.
  2. Tries to get you to bypass normal procedures – those procedures are in place for a reason, and whilst we need to be flexible in these times, procedures shouldn’t be completely bypassed.
  3. Tries to claim authority (governmental, official organisation, or senior management) to get you to take urgent action.
  4. If it sounds too good to be true, it probably is.

Which is pretty much the advice in ordinary times.  

Posted in Active Attacks, News