Do Not Attach Network Equipment to the UoP Network

Posted on 2016-08-18 by mike

It can be very tempting for a quick solution (especially for a temporary bodge) to attach network equipment up the University network. Don’t do it.

Please!

In the past it was unusual for network equipment to be so widely available, so this has not previous been a problem. However, with widespread home networks, it is becoming a problem. Naïvely attaching domestic (or enterprise) network equipment to a production network can have rather severe consequences.

On occasions entire building networks have been taken out of service due to this sort of issue.

Network switches, routers, and bridges can in some circumstances cause all sorts of disruption at a low level, which can be very hard to trace.

Any wireless equipment will cause a performance issue for anyone within the range of the transmitter.

Even ordinary computers can be configured in a way that will work perfectly fine in a domestic environment, but can cause disruption on an enterprise network.

Lastly it should be noted that attaching unauthorised equipment can (and has in some cases) resulted in your connection to the UoP network being withdrawn with no notice.

Posted in General | Comments Off

Do You Know Email’s “BCC” Header?

Posted on 2016-07-26 by mike

There are a number of stories going around at the moment relating to unintentional release of email addresses in terms of allowing third parties access to the email addresses. This is almost always a mistake made by someone who used conventional email software (such as the standard Google Mail interface) without thinking carefully enough.

Now in most cases this does not matter too much … except possibly a brief moment of embarrassment. After all an email address is not that private, or is it?

There are two parts to why leaking email addresses even to a limited audience can be considered to be a bad thing :-

People do sometimes want to keep their email address private; at the very least once an email address becomes public knowledge, spam starts arriving surprisingly quickly.
Releasing an email address in association with some other piece of information can be surprisingly sensitive. If email being sent implies that the recipients are interested in HIV services, the recipients may be somewhat disconcerted to learn their membership is now effectively public.

And of course there is another reason why leaking email addresses can be a bad idea. News organisations can jump on the story as an easy way of populating their front page!

The golden rule here is if you are sending emails to more than five people who do not know each other, either use a specialised piece of software to send the emails, or use the “BCC” (Blind Carbon Copy) header.

To make things easier for people migrating from paper memos, the inventors of email used three common terms for listing addresses that email should be sent to – To (the public recipient), Carbon Copy (for public others who may be interested), and Blind Carbon Copy (for private copies). At least these terms were common in the days of formal paper memos!

The key field to remember for the purposes of this blog posting is “BCC”.

When you compose an email, you are normally given a list of fields to enter email addresses into :-

In this case (Gmail), click on the “Bcc” on the right-hand side of the “To” field and a new field will be shown :-

(The “Cc” field works in the same way)

The “Bcc” field can be filled with email addresses in the normal way, but the difference is that when someone receives the email they will not be able to see to whom it was sent.

You may think that this does not apply to you right now, but there is no harm in getting to know about “Bcc” and used to using it. It doesn’t cause any harm, and being familiar with it may save you from some embarrassment at some point in the future.

Posted in Email | Tagged Bcc, Email, Leaks | Comments Off

TeamViewer: People Being Hacked

Posted on 2016-06-03 by mike

There are many reports that those using the TeamViewer application are being subjected to hacks with their bank accounts being emptied and similar problems. The details of how the attackers are breaking in are not available, but it seems likely that it is the result of unfortunate configuration settings.

If you are using TeamViewer, you should consider one or more of the following :-

Stop using TeamViewer. If you do not use it, you cannot be hacked. However it should be possible to use TeamViewer safely if you follow the instructions below.
Download the latest version of TeamViewer. The latest version is less likely to be vulnerable to exploits than earlier versions, and the instructions below apply to version 11.
Set up the configuration as guided below. The most likely way that the attackers can get in to your computer is through an insecure configuration.
Only run TeamViewer when necessary.

Another possibility is to use Bomgar which is licensed for University use – speak to the IS Servicedesk to see if it is a possibility.

Configuring Strong Random Passwords

First start the TeamViewer application:

We need to change the security settings, so select “Options” from the “Extras” menu, and select “Security” on the tab down the left-hand side. For OSX, the menu options are slightly different – “TeamViewer”, and then “Preferences” and the appearance is different :-

First of all, do not configure a Personal password as a randomly generated password is better (although for unattended access a personal password is required, but in this case you should use a long (at least 12 characters) and strong password and pay careful attention to the other steps in this guide).

And do not configure “Grant easy access”.

The next thing is to change the password strength of the random password to “Very Secure” :-

Whilst “Very secure” might seem a little extreme, it is not so extreme whilst an active attack is ongoing – and I suspect weak random passwords are the way in for the attackers.

One further thing we need to do is to go to the “Advanced” tab and show the settings :-

In the “Advanced settings for connections to this computer” we want to change the “Random password after each session” to “Generate new” :-

This causes TeamViewer to change the random password after each session.

Configuring Rules for Connecting

If you use a TeamViewer account, there are a few other things we can set up. On the very same page of settings we have a set of rules we can configure to determine who can connect :-

The first option is specifying whether a TeamViewer client can use the logon screen; leaving it set to “Not allowed” is the most secure option here.

The next thing to do is to set up a whitelist; click on the “Configure” button next to the “Black and whitelist” :-

The “Allow access only for the following partners” needs to be selected – by default this works as a list of people who are not allowed to connect, and filling in that list could be quite tedious! By only allowing specified “partners” to connect we can limit this list to just your account.

Click on “Add” and select yourself. The whitelist will be updated to include your name :-

(Obviously the name you see will be different here)

Configuring Two-Factor Authentication

Lastly, it is very strongly recommended that you set up two-factor authentication on your TeamViewer account. To begin with you will need an authenticator app on your phone such as the Google Authenticator (the one I used).

Log in to the web page at https://login.teamviewer.com/ and you should get to the management console with a web page that has the following at the top left :-

At this point select your name at the right which should drop down a menu :-

Select the “Edit profile” option and you should see a “Profile settings” screen displayed which will include :-

Click on the “Activate” next to “Two factor authentication” to start the process; first a warning screen :-

The next screen shows a QR code to enable two-factor authentication in your phone’s app :-

(I have obscured the QR code deliberately)

Scan this with your authenticator app, and it should be added to the list within your app, and it will generate a code to be used on the next screen :-

Once you activate this, you will be shown a further screen containing a special code to deactivate two-factor authentication. Record this safely – such as within your personal KeePass password store.

Once enabled, you will need to use the authenticator app to enter an additional time-based code every time you log in.

Further Information

The following links are to more information on the incidents :-

Posted in Active Attacks, Technical | Tagged TeamViewer | Comments Off

Have You Changed Your Myspace Account Password Recently?

Posted on 2016-05-31 by mike

Don’t laugh.

Some of us who have been around for more than a few years may well have used a myspace account at some point in the past. And you may well have set your account up with a password that is weaker than the kind of password you would use today (or hopefully it is!); in addition myspace has been compromised and up to 360 million account details have been leaked.

You may very well think that your myspace account is no longer of interest to you – fair enough. But you should ask for it to be deleted if that is the case. And if not, you should change your account password.

But there is a general point here. If you have old accounts on old services then you should go back and change the passwords to be more secure; if you do not want to be bothered, you should request that the account is removed.

Posted in Passwords | Tagged MySpace, Old Accounts, Passwords | Comments Off

Sending SurveyMonkey Questionnaires Without Being “Spammed”

Posted on 2016-05-25 by mike

We recently encountered an issue where somebody attempted to send a questionnaire constructed in SurveyMonkey to a number of students and some deliveries were made to the students’ spam folders.

Which is obviously sub-optimal.

Unfortunately we do not fully control how Google decides messages are spams, so we cannot easily ensure that such questionnaires are delivered to everyone’s inbox. SurveyMonkey themselves have some advice on avoiding being dropped into the spam folder.

After thinking about it for some time, a far more reliable method came to mind. It is slightly more work, but should in theory be more reliable for ensuring that everyone gets a chance to fill in your questionnaire.

The answer is when creating your survey is to get a link to the survey rather than simply email it out (the “most popular” option).

This gives you a web site address that will look something like https://www.surveymonkey.co.uk/r/G9K3RQP. You can then write an ordinary email in your Google Mail client explaining what the survey is about and paste in that web site address.

Because it comes from within Google, the mail is somewhat more trusted that emails from outside, so it should be less likely to be filed into the recipient’s spam folder.

Posted in Email | Comments Off

Be Careful What You Screenshot …

Posted on 2016-05-18 by mike

One of the latest stories from the security world is about a Christian pastor caught undertaking the kind of web browser activity you would not expect (or maybe you would) because he had taken a screenshot (presumably to capture the results of a search) which in addition to the information he expected, also contained the titles of web pages on other tabs.

However amusing (or not) we may find this story, it is a good reminder that whenever we distribute information of any kind it is worth bearing in mind stories like this and check.

If you are sending someone a screenshot, either make sure the rest of the screen does not contain information you do not want to be disclosed, or edit down the screenshot so that it only shows the area of interest (i.e. just the error message).
If you are forwarding an email onto someone who has not been part of the discussion, is there part of the email that you should possibly not share? Forwarding a whole chain of conversation has led in the past to legal action!
When sharing a Google document in editable form, does the revision history contain any embarrassing revisions? Anyone with rights to edit can browse through every version of that document!

Posted in General | Comments Off

Apache: Using X-Frame-Options To Evade Click-Jacking

Posted on 2016-03-15 by mike

Click-Jacking. It tells you all about it on the Wikipedia article.

This posting is about how to avoid security scans telling you to disable click-jacking, if you are using the Apache web server software. If you’re using IIS, you are on your own for now (but searching for “IIS X-Frame-Options” will get you started).

The aim here is to change the configuration of Apache to send an X-Frame-Options HTTP header saying “don’t embed this page in a frame”. This involves changing the Apache configuration file(s).

Firstly make sure that you are loading the Apache module to modify HTTP headers :-

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

This may be enabled by default on less minimalistic Linux distributions. Next for every virtual server add the following :-

Header always append X-Frame-Options DENY

The effective options (the other option may or may not be universally supported) for the word at the end are: DENY (don’t permit at all), and SAMEORIGIN (only permit from the same server).

The “X-Frame-Options” header is deprecated and an alternative is suggested :-

Header always append Content-Security-Policy: "frame-ancestors 'none'"

In some cases it may be necessary to try the following :-

Header always append Content-Security-Policy: "frame-ancestors 'self'"

Posted in Technical | Tagged Apache, Click-Jacking, X-Frame-Options | Comments Off

Ransomware for OSX

Posted on 2016-03-07 by mike

It turns out that ransomware is no longer just for Windows; OSX has it too.

If you use the OSX version of the Transmission Bittorrent client, you may want to check what version you are running because version 2.90 was in some cases infected with the first effective ransomware malware for OSX.

Posted in Active Attacks, Malware | Comments Off

Firewall Vulnerability Alerts

Posted on 2016-03-01 by mike

We are just about to enable something that will email people when there is a critical firewall alert relating to an attempted exploit.

During normal web browsing activity (although not when the web site is encrypted with https), the firewall keeps an eye on the “stuff” that is coming back from the web site. If it spots an attempt to exploit your web browser, it will block it, and log the details into the firewall logs.

We are then post-processing the firewall logs to send out these alerts.

What Should I Do With One?

First of all, don’t panic. You do not have to do anything if you receive an alert.

The firewall has blocked the attempted exploit, and the likelihood is that unless you are running an outdated web browser it wasn’t likely to work anyway. Of course if it was an attempted exploit against Adobe Flash, or Java, then it could well have worked if the firewall had not blocked it.

The alert is simply a mechanism to let you know that the firewall has protected you. It’s also an indicator that letting outdated software (web browsers, plugins like Flash and Java) loose on the Internet is going to lead to tears.

But I Keep Getting Them

In normal circumstances, just about anyone can expect the occasional alert from the firewall. If you keep getting alerts day after day (you shouldn’t get more than one alert per day!), then it may well be worth seeking advice because the level of alerts is unusual.

Amongst other things it may well be worth spending some time getting acquainted with security advice – if you’re getting attacked more often than is commonly the case, it makes sense to find out about protection.

What Is The “ANGLER Exploit Kit” ?

By far the most common vulnerability the firewall is blocking (at least to desktop machines; servers see a whole different bunch of exploits) is the various versions of the “ANGLER Exploit Kit”.

This is a particular version (i.e. it is sold by one particular gang of criminals) of a web-browser exploit kit. When you make a connection to a web server that has the ANGLER exploit kit installed, it will respond with various tuned attacks against your browser – so if you are running Internet Explorer, it won’t bother using Chrome vulnerabilities, and if you have Flash installed it will try to exploit that.

Essentially there are thousands of different ways of exploiting a vulnerability in your browser’s execution environment, and an exploit kit makes it easier for criminals to pick the right set of exploits to try against you.

Once it has successfully exploited your browser it will probably try to get your browser to download some more malicious malware that will persist on your machine, spy on what you are doing, and leak your banking credentials up into the cloud.

But the firewall has blocked it.

How Can I Protect Myself At Home?

At work, the firewall protects you (except if the web site is encrypted with https). But at home?

There are two methods you can use to protect yourself at home. If you are engaged with work activities, there is lot of sense using the VPN (see http://ithelp.port.ac.uk/questions/433/ for instructions). With the VPN turned on, all your Internet activity will go via the firewall (wherever you may be), so you will gain the benefit of the added protection of the UoP firewall.

If that is not an option you are comfortable with, then you can look at more conventional methods of protection, which are detailed below.

Check Your Anti-Virus Protection

Although not a guarantee of protection, having anti-virus protection on your PC is certainly a last level of defence against getting infected with something nasty. It is not just a matter of having an anti-virus product installed, you should also periodically check that it is still healthy and getting updates.

It is not unknown for people to not be aware that their antivirus subscription has lapsed and they are not getting updates. How do we know this? Because such people get infected.

Different antivirus products operate differently, but if you happen to be using Windows Defender (built into Windows 10), then hit the Start button, search for Defender, and then run “Windows Defender” (which should appear in the search results).

You should then be able to get to a screen looking like :-

As long as the “Definitions last updated” field reads as the current day, then updates are being applied.

Is Your Browser Updated?

The very first avenue of attack for an Internet hacker is the browser you are using. If it has not been updated recently, then it is almost certainly vulnerable to being exploited. Recent versions of browsers try to update themselves automatically, but automatic things go wrong occasionally!

For details of updating browsers see the relevant link below :-

But I Need IE6 For …?

If you require an ancient web browser version for a particular site (such as your bank), then there are two recommendations :-

Contact your supplier and complain about having to use an insecure web browser.
Use your ancient browser only for the site in question; use a modern browser for everything else. It’s perfectly possible to run more than one web browser; even at the same time!

Flash: Just Say No, or at Least Opt In

The Adobe Flash plugin is the attackers weak spot of choice at the moment. It seems to be riddled with vulnerabilities and rarely a week does not go by without a firewall content update to combat Flash vulnerabilities.

The extremist solution to this problem is to remove the Flash plugin, but there are all those sites that still insist on using Flash for interesting (or fun) content. There is an intermediate level of protection you can use (at least with Chrome).

To do this, find Chrome’s Settings menu item, click on the Show Advanced option, scroll down to Privacy, click on Content Settings, and scroll through the pop-up until you see the settings for Plug-ins :-

Select the “Let me choose when to run plug-in content” and then the Finished button. Once enabled, flash content will appear on a web page like the following :-

If you want to enable the plugin for a particular part of the page, move the mouse pointer into the relevant area and right-click. The menu that appears will have a “Run this plug-in” item to select. Once selected the content will be downloaded and run.

Posted in Active Attacks, Firewall | Tagged Alerts, Chrome, Exploits, Firefox, Firewall, Vulnerabilities | Comments Off

Ransomeware shuts local authority

Posted on 2016-02-01 by robbie

Lincolnshire Council’s information systems were held to ransom on Tuesday, 26 Feb – for £1m to reinstate access. The breach was caused by a member of the council clicking on a link within a spam email.

So what can you do so it doesn’t happen here?

University “Managed Service” computers will have security updates installed automatically. However, if you are using a ‘department’ or ‘project’ computer then extra caution is required. If you are unsure – contact IS on ext 7777 for advice.

Backup your important data to your Google drive. If it’s already on your Google drive then you should be OK. If your data is really critical to you then copy to an external drive. Ask your service delivery manager for advice.
Don’t click email attachments, especially if you’re not expecting it.
Make your computer safe. Invest in an anti-virus or anti-malware software from a reliable company.
Update the operating system, security programs and other applications need to be kept updated or they just don’t work properly. Make sure the automatic updating is turned on.
If you’re a victim of ransomware attack – don’t panic and don’t pay. The payment won’t guarantee that your data will be restored.

Posted in Uncategorized | Comments Off

Security Blog