Passwords: Long and Strong

Yes, this is another blog posting about password strength, which we do keep going on about. That is because :-

  1. The password audit still shows that people are not getting the message (although for active staff we’re doing a great deal better than we used to).
  2. We continue to get security incidents related to compromised account passwords although probably a majority of these incidents are probably relating to phishing attacks rather than simple password strength.

Passwords are tedious, but there is in practice very little choice other than to set long and strong passwords to protect yourself and the University. Those who have had compromised accounts can attest to the pain of having an inbox crammed with thousands of spam bounces … and that’s nothing compared to some of the hair raising stories I’m not free to talk about.


Password length is the single biggest factor in determining password strength – short is weak, and long is strong. Mathematically the strength of a password can be calculated with a formula :-

(Strictly speaking that is the maximum possible information entropy given that each character is chosen perfectly randomly which would require passwords such as: wJv9eqmvGXrjUld7IKVLugAbCdpJ99KI4LDTEeJUD4c)

The most important part of that equation in terms of making a password more random (“stronger”) is the length.

This is why we are beginning to recommend a password length of 14 characters!


(the following is from Xkcd)

We recommend a method for generating passwords (or pass phrases) involving words :-

  1. Choose three to four random words. At least one of the words should be the kind of word not found in the vocabulary of the average Daily Fail reader. Such as pink, blank, whistle, prepositional.
  2. Capitalise at least one of the words at the end: pinK, blanK, whistlE, prepositionaL
  3. Pick one random symbol such as “/”, “<“, “#”, “@”, “=”, “;”, and insert in between the words: pinK/blanK/whistlE/prepositionaL

As an alternative you can use a rather useful password generator. It looks complicated, but once you load the “XKCD” preset, you are 9/10ths of the way.

Store the new password in a proper password manager (such as KeePass or KeePassXC), and then set your new password.

Safe Password Usage

  1. Do not tell someone what your password is. Especially your chosen password to your university account(s).
  2. Do not use the same password in multiple services – if one service gets compromised all your accounts with the same passwords become unsafe (or at risk).
  3. Where available, turn on multi-factor authentication (such as on your Google account). In the case of your university account it will not protect authentications that do not support multi-factor authentication but it will protect your university Google account. Even from phishing attacks!

“But They Aren’t Interested in Me”

Yes they are.

Attackers do want special accounts but they’re quite willing to work with ordinary accounts. We regularly see compromised accounts used by attackers to do things that are irrelevant to the account itself – specifically sending thousands of spam messages. Of course that is just what we can see!

Don’t underestimate the damage that can be caused by sending thousands of spam messages – not only do you get a very messy inbox to clean up, but your email address gets a permanent loss of credibility.

So yes you are a target, not because of who you are but of what you have (an account).

More on Multi-Factor Authentication

Multi-factor authentication (sometimes called “two step” although that makes me think of dancing which is scary enough to me never mind others) is a method by which a service (in particular anything provided by Google) can ask “can you confirm that it’s really you”. It doesn’t routinely ask this question – on my work desktop workstation, I typically get asked less than once a month.

It asks when it doesn’t recognise the machine you are connecting from (or that confirmation happened too long ago).

So whilst it does get in the way occasionally, the reduction in risk makes it well worth the trade-off.

Posted in Passwords | Comments Off on Passwords: Long and Strong

Do You Like Justin Bieber?

On of the stories I was reading this morning mentioned that some of those with Nest security cameras have been subjected to hack attacks. One of the attacks they were subjected to were hackers asking Alexa to play Justin Bieber (as a bit of a nasty shock) on the assumption that someone with a Nest security camera may well also have an Amazon product with Alexa built-in.

Allegedly the method of compromise was simply to try known combinations of email address and password – given that there are many web site leaks that have been archived around the place, such data is easily available.

This is a reminder to :-

  • Use a password manager (such as KeePass, KeePassX, Lastpass, etc.) to assist remembering passwords.
  • Use different passwords on each site … or at least for the important sites.
  • Periodically check on Have I Been Pwned to see if any of the sites that you use has been compromised.
  • Use two-factor (or multi-factor) authentication where it is available; particularly for “sensitive” sites such as Dropbox, banks, etc.

The question is, how often does this sort of attack occur? And how often does it succeed?

In general I can’t answer that, but we do see a continuous stream of password “guessing” attacks where an attacker tries to use lists of known email addresses and passwords to get in to various services. And by “continuous stream” we’re talking about in the region of 100,000 probes a day across all services.

In terms of successful attacks, it is somewhat less than that but we do get a trickle of notifications of either account compromises or of account credential leaks. This “trickle” amounts to between 3 and 118 incidents a month (since 2015), and a mean of 28 per month (since January 2018).

Posted in Active Attacks, Passwords | Comments Off on Do You Like Justin Bieber?

There Is No Such Thing As A Secure Web Site

On the left-hand side of the location bar, your browser will show you something like :-

Which is entirely correct and incorrect at the same time.

To be precise, what that little label (and the alternative green one) means is that the network traffic is either plain text or encrypted (when you get the green one). In the former case, anyone who can intercept the traffic can see anything that you send to the web site.

So if you are communicating with a web site, and sending any private information you want to make sure you have a little green label.

But that is not the end of the story. Just because a web site has a little green label does not make it secure. Data in transit to and from the site is encrypted so cannot be intercepted, but data at rest on the server is no more safe than it is on a plain text server.

If the server is not maintained properly, it could be successfully attacked, exploited, and all the data leaked. That little label does not say anything about how secure the actual site is.

Posted in General | Tagged , | Comments Off on There Is No Such Thing As A Secure Web Site

The Latest Phishing Attack

I have just been alerted to yet another phishing attack that works by sending web links via email to a “secure message” (or in the example no words at all). The link of course takes you to a malicious site that will try and fool you into disclosing your credentials.

The latest attack will look something like :-

There may well be minor variations (or major ones).

As usual :-

  • If the email is from someone you do not know, be cautious about the contents.
  • If the email contains a link for you to click on, point at the link and check what the real destination is. If you do not know how to do this, you can right-click on the link, select “Copy link address” or “Copy link location”, and then paste the clipboard into an empty text message – it will look something like “….”.
  • If the email is “from” someone you know and the language looks odd – unusually illiterate (or unusually literate), strange spellings, etc. then check “out of band” (i.e. via another way of communicating) that the message is legitimate.
  • If an email asks you to do something unusual – in particular bypassing normal procedures – then check with someone else to see if it is legitimate or not.
Posted in Email, Passwords | Tagged | Comments Off on The Latest Phishing Attack

The New GlobalProtect VPN Client

The new GlobalProtect VPN client will be made live in the coming weeks. This version has a number of usability enhancements (it looks prettier), so it is worth documenting those visibility changes.

The task bar icon has changed and shows as either (connected) :-

Or (unconnected) :-

The login panel has changed :-

The “you are connected” dialog has also changed :-

This can be closed by clicking on the icon in the task bar.

The settings page can be opened by clicking on the cog icon, but the result doesn’t look different enough to grab a screenshot of.

The client on macOS is very similar although the icon is colourless.

Posted in General, VPN | Comments Off on The New GlobalProtect VPN Client

Using The VPN For General Internet Protection

Using the VPN is generally seen as a way of using UoP services remotely in a relatively safe way, but it does actually offer another advantage for using generic Internet services – because the VPN goes through the UoP firewall, it offers protection against Internet threats above and beyond what is normally offered by most Internet routers.

In addition, all traffic between your computer and the VPN end point is encrypted allowing the use of untrustworthy networks.

Threat Protection

The firewall performs scanning of any traffic that isn’t encrypted looking for viruses, spyware and attempts to exploit web browsers. Such malicious content is blocked to keep you safe.

Network Encryption

Not all networks are equally trustworthy – networks in some public locations (“free WiFi here”) are unprotected and hackers have been known to capture the traffic looking for “interesting” data.

The easy way to solve this issue is to use a VPN that encrypts all traffic between you and the VPN endpoint.


So perhaps you don’t want us knowing that you’ve visited that site. Perfectly reasonable except that :-

  1. We don’t know who visits that site.
  2. We don’t care who visits that site.
  3. Even if we were interested, there is too much work on to figure out who visits that site.
  4. Formal requests to identify who visits that site would be refused.

If anything, using the UoP VPN is a better guarantee of privacy than using a third-party network without a VPN. Unless it becomes a legal matter.

Posted in Firewall, General | Tagged , | Comments Off on Using The VPN For General Internet Protection

How to spot a phishing email

It claims that there is an important meeting, and contains a link for details.  The email may even use your name (so called ‘spear-phishing’).  However, the link provided leads to a fake website designed to capture your login details so that your account can be hijacked.   These sites can look very realistic.

Most of this advice can be used to identify more general “dodgy” emails – spams, scams, and attempts to spread malicious software.

Where is the link actually going to take me?

Move your mouse cursor so it hovers over the link.  Now look at the bottom of the window,  you should be able to see the URL of the destination site.  Even to the non-expert, these URLs can look very suspicious, messy and not at all related to any known organisation – it’s a phishing site!

Here’s an example

Common phishing techniques:

  • Begins with ‘Dear User’, ‘Dear Sir or Madam’
  • Urgency – the message urges you to take action quickly – without thinking
  • Surprising – e.g. Why is the Vice Chancellor asking me to pay an invoice?
  • Fake link – the link leads to an unfamiliar and suspicious-looking URL
  • Unprofessional Formatting
  • Poor use of English

The use of any one of these in an email should increase your suspicion of it; the absence of some does not indicate that the email is trustworthy.


If you receive a message like this, please delete it.  If you’re ever concerned that an email might be malicious, or if you think you might have given your account details away, please contact the IS Service Desk on ext 7777 or send a report to the email address.

If you do report a suspicious email, you may wish to take a look at obtaining the “original view“. There is a lot of extra information contained within email headers that can be useful for identifying the source of an email and normally forwarding an email loses such information.


Posted in Email, General | Tagged | Comments Off on How to spot a phishing email

Checking The Safety of Websites

With all the different dodgy web sites out there, and all the emails trying to encourage us to visit them, it is perhaps time to look at some web sites that can be used to check the trustworthiness of web sites.

The first (and frankly the main reason for this posting) is (Scamadviser). Visit this site, enter a website address (such as and see their assessment of how trustworthy a site is.

It is certainly worth checking if you are about to hand over some money to a web site you have never used before. Just check the location bar at the top of your browser window :-

Different browsers and operating system all look different of course, but there should still be somewhere within your browser that shows the current location and it will look somewhat like the above.

In a similar way, the “Web of Trust” website ( also allows you to check on the trustworthiness of a particular web site. It can even be added to the browser as an extension.

On a different subject, Snopes is a web site dedicated to checking on the validity of certain kinds of news stories – in particular those stories spread over social media. For instance the story about gangs throwing eggs at cars to obscure the windscreen has been shown to be false.

Posted in General | Comments Off on Checking The Safety of Websites

Apache: Reducing Information Leaked Through The Headers

Apache by default announces all sorts of information about itself when you make a connection to it :-

$ lynx -head http://some-server-fqdn/
HTTP/1.1 302 Found                                                                                                                                                                                                                             
Date: Thu, 31 May 2018 12:18:22 GMT                                                                                                                                                                                                            
Server: Apache/2.2.15 (CentOS)                                                                                                                                                                                                                 
Connection: close                                                                                                                                                                                                                              
Content-Type: text/html; charset=iso-8859-1        

This can be fixed by simply changing the ServerTokens Apache configuration option to “Prod”. This is found in either security.conf or in global.conf somewhere under /etc/apache2 (or elsewhere if Apache has been set up in a strange way).

And change ServerSignature to “Off” (in the same place).

Make the change and restart Apache in the usual way – apachectl configtest and then apachectl graceful.

Posted in Technical | Tagged , | Comments Off on Apache: Reducing Information Leaked Through The Headers

Apache: Disabling Directory Indexes

One of the features of Apache that can cause security issues (or at least those who audit security issues may complain about it) is the ability to produce a file listing of a directory if there is no index page in place :-

This can be turned off by removing the Apache option “Indexes”; search the Apache configuration directory (assumed to be /etc/apache2) for a file containing that word :-

# find . -type f -exec grep -li Indexes {} \;

Check each file for an active Indexes option :-

Options Indexes FollowSymLinks

And remove the “Indexes”.

Restart Apache in the usual way (apachectl configtest and if that comes back Okay, then apachectl graceful).

Posted in Technical | Tagged , | Comments Off on Apache: Disabling Directory Indexes