Recently the UK National Cyber Security Centre published an analysis of passwords available online from existing breaches at various organisations (including LinkedIn).
Worldwide, weak passwords like “123456”, “qwerty”, “password” (along with football team names like “liverpool” and “chelsea”) are being used to secure millions of user accounts on social media, shopping sites and even banks (https://www.bbc.co.uk/news/technology-47974583). These passwords provide little protection because they are short and have no variation in upper/lowercase or special characters. This means they can be cracked relatively quickly even by complete novices using freely available automated tools. In addition, such passwords have been made widely available in common password lists for use in bulk attacks on services; this is known as ‘credential stuffing’.
This is a simple attack using:
- an email address that is already part of a breach (e.g. the LinkedIn breach of 2016 which involved 117 million email addresses and passwords being made available online)
- a list of common passwords (referred to as a dictionary)
- repeatedly trying the email address and dictionary password combinations against online services (e.g. Amazon, Gmail, Facebook, Spotify, Halifax, AirBNB, etc)
As hackers are dealing with millions of email addresses, combined with the fact that millions of people are using insecure passwords, it’s not surprising that a significant number of accounts are breached and then used for further fraudulent activity.
Check your Email Addresses and Password Security
You can check if your email address (and/or other details) have been involved in breaches and subsequently made available online by using sites such as https://haveibeenpwned.com/. Once an email address is in the public domain like this, it will be used in credential stuffing attacks.
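The two defensive checks that follow from the above, as an added example that is not from the NCSC analysis or the original post: rejecting a chosen password when it (or its core, ignoring a trailing number) appears on a common-password list, and scanning authentication logs for the credential-stuffing pattern, one source address trying many different accounts in a short window with mostly failures, then listing the accounts that were nevertheless logged into from that source so they can be reset. The password list excerpt, the log format, the addresses and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed excerpt of a common-password list. A real deployment would load
# a published list (e.g. the NCSC top-100k file) and compare case-insensitively.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "liverpool", "chelsea",
                    "111111", "abc123", "letmein"}


def password_is_blocked(candidate, blocklist=COMMON_PASSWORDS):
    """True if the candidate is on the blocklist, either as typed (case-folded)
    or once a short trailing number is removed, so 'Liverpool1' still counts."""
    folded = candidate.casefold()
    core = re.sub(r"\d{1,4}$", "", folded)
    return folded in blocklist or core in blocklist


# Assumed log format: "<ISO timestamp> auth <ok|fail> user=<account> ip=<source>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: one normal login, one user mistyping a password twice,
# and one source address walking through many different accounts.
SAMPLE_LOG = """\
2019-05-01T09:00:00Z auth ok user=alice@example.com ip=198.51.100.7
2019-05-01T09:00:10Z auth fail user=bob@example.com ip=198.51.100.8
2019-05-01T09:00:20Z auth fail user=bob@example.com ip=198.51.100.8
2019-05-01T09:00:30Z auth ok user=bob@example.com ip=198.51.100.8
2019-05-01T09:01:00Z auth fail user=a1@example.com ip=203.0.113.5
2019-05-01T09:01:02Z auth fail user=a2@example.com ip=203.0.113.5
2019-05-01T09:01:04Z auth fail user=a3@example.com ip=203.0.113.5
2019-05-01T09:01:06Z auth fail user=a4@example.com ip=203.0.113.5
2019-05-01T09:01:08Z auth ok user=a5@example.com ip=203.0.113.5
2019-05-01T09:01:10Z auth fail user=a6@example.com ip=203.0.113.5
""".splitlines()


def parse_auth_log(lines):
    """Turn matching log lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.8):
    """Return {ip: most distinct accounts seen in one window} for sources that,
    within any sliding window, tried at least min_users different accounts and
    mostly failed. A user mistyping their own password hits one account only,
    so they are never flagged."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(e["result"] == "fail" for e in span)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def accounts_hit(events, flagged):
    """Accounts that logged in successfully from a flagged source: the ones to
    force a password reset on and review for fraudulent activity."""
    return {e["user"] for e in events
            if e["ip"] in flagged and e["result"] == "ok"}


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    print("stuffing sources:", hits)
    print("accounts to reset:", accounts_hit(evs, hits))
```

The detection keys on the source trying many distinct accounts rather than on failures against one account, which is what distinguishes credential stuffing from ordinary brute force or a forgetful user, and the successful login in the middle of the run is the event that matters most.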
An ongoing phishing campaign targeting educational institutions in the US and the UK has now been seen by some SHU staff members.
Messages often appear to be from a known contact of the recipient and contain a subject line that has been used previously in communications between the sender and recipient e.g. “Re: Sheffield Hallam Open Day- Saturday 18th August 2018”.
The message may contain very little text and what looks to be a green button labelled “Display Message”, “Click here to view message” or similar text. Below is an example:
This button should NOT be clicked. If you do accidentally click it, do not enter your username and password on the webpage that you are taken to.
If you have already entered your credentials, then you must change your password immediately, using the “Changing your password” link on the Staff homepage or by visiting http://go.shu.ac.uk/password.
GDPR is coming into effect on 25th May and will herald a big change in the way organisations hold and manage personal data.
As such many organisations will need to seek consent from existing and new users, you may have noticed an increased number of emails asking you to either review privacy policies or grant explicit consent to continue receiving emails, etc.
We’ve become aware of a number of phishing campaigns purporting to be from a well-known organisation/brand with the sole intent of getting login details from recipients who respond. Further details are in this article:
The University is currently reviewing the impact of vulnerabilities branded Meltdown and Spectre by the cyber security industry and is assessing the patches which are becoming available to remediate them. There is no evidence that the flaws have been exploited anywhere yet but, as always, it’s important to use IT safely. Please take particular care when clicking on links, don’t open any suspicious attachments and avoid visiting unsecured websites.
For personal devices or home computers we advise, as always, to install patches and updates as soon as they are available. Bear in mind that this potentially affects all computer devices worldwide – phones, tablets, PCs and laptops, including Microsoft, Linux and Apple products.
You may have heard news about issues with the latest Mac OS operating system, High Sierra. At Sheffield Hallam, Digital Technology Services has been recommending that staff do not update University Macs to the new operating system and no University owned Macs that students use have the new operating system installed. If you own an Apple Mac yourself, you should take advice from Apple about how to handle this.
KRACK is a newly published attack on wireless communications between a device (smartphone, laptop, Wi-Fi cameras, etc) and the wireless access point.
The attack works by interfering with the handshake process that the device and the access point undertake to secure communication between the two. It enables the attacker to:
- Listen in on wireless traffic between the device and access point
- Inject its own data into the traffic
- Apply additional attacks to further reduce security
This means that an attacker can listen in on all unsecured communications you’re having over Wi-Fi (e.g. instant messaging, websites, logins, emails, etc). They can also modify unsecured data you send/receive or insert new data (e.g. implanting a piece of malware in a website page), although this is a worst case scenario.
On the bright side vendors and manufacturers were warned months ago about this and have been working on security patches for a while. Some manufacturers have already released the patches via automated updates whilst others will be rolling them out shortly.
At this point in time (18/10/2017), and assuming you have automatic updates turned on, the status of the major vendors is:
- macOS 10.11.1 – Patch Pending
- Windows 7, 8, 8.1, 10 – Patched
- Linux Ubuntu 14.04+, Arch, OpenBSD, Debian, Gentoo, Linux upstream – Patched
- iOS – Fixed in iOS 11.1 due out in a few weeks
- Google Devices (Android) – Patch Pending for Google Pixel and Google Nexus (although not clear if older Nexus devices will receive this patch)
- Samsung (Android) – Newer devices receive Google security fixes (Patch Pending), older devices do not
- Other Android – Refer to your manufacturer’s support site
Android devices tend not to get newer versions of the OS (let alone security patches) as they get older but vendors may have no option but to release a fix for this (especially if pressure is applied via social media, etc).
This blogger is keeping track of the status of patches for the most popular vendors (it’s about halfway down the page). Note that although patching home routers helps with some other issues presented by this attack, patching your router alone will do nothing to stop it if your device hasn’t been patched.
The University is currently advising the following (which should be considered normal practice to help keep yourself and your data safe):
- Make sure the software on your device is up to date. Manufacturers regularly release security patches to fix issues and vulnerabilities in operating systems and it is important that these are promptly installed. For University equipment, Digital Technology Services (DTS) will provide advice about what you need to do when these are available. Users of SHU-owned Macs have been advised NOT to accept an update to High Sierra until DTS has confirmed that it is okay to do so, but they should continue to install any security patches which are offered. On your personally-owned devices, use the latest operating system and install patches when they are offered to you.
- Wherever possible, use websites that are encrypted – these normally display a padlock next to the address.
- University staff should use the VPN (Virtual Private Network) service when using laptops and other portable devices to ensure any University data is encrypted while using Wi-Fi networks. This includes while in public areas on campus such as University cafes and other open areas. More information on the VPN service.
To ensure success, hackers often use multiple approaches to the same problem. These may be technological, in the hacking tools they bring to bear or in the knowledge of vulnerabilities that can be exploited, but they also make use of Social Engineering.
Social Engineering is the use of psychological tricks against people to get them to do something against their interest or to the benefit of the attacker. Social Engineering has been around for a lot longer than the phrase; con men and scam artists have made use of the same techniques for centuries in order to get what they want.
One of the best examples of Social Engineering is the Greeks leaving behind a large wooden horse after pretending to give up on the decade-long siege of Troy (https://en.wikipedia.org/wiki/Trojan_Horse). Even the term Trojan is used in cyber security to indicate a malicious program that pretends to be something it’s not (e.g. an innocuous program or browser plugin that contains a key logger).
Hackers make use of Social Engineering as it’s often quicker to convince someone to perform an action or give up some information than it is to find and exploit a technological vulnerability.
They make use of multiple strategies to help achieve their goals:
- Phishing and Spear Phishing – Spammed or targeted emails that aim at getting the victim to hand over information, take an action or activate a malicious attachment/website. Fun Fact: scammers often deliberately include spelling mistakes to single out more credulous people.
- Pretexting – Where scammers need to operate in person (either via a phone or face-to-face) they’ll spend time crafting a plausible reason as to why they need what they’re asking for. Unlike phishing attacks, which use urgency coupled with fear (either of missing out or of some repercussion), pretexting relies on building trust with the victim in order to make use of them.
- Baiting – Relies on people receiving “something for nothing”. For example, USB sticks can be put in a reception area or an organisation’s car park, often with a juicy label like “Redundancies 2017”, in the hope that people will be curious enough to pick up the device and plug it into a machine. Once that’s done the machine can be compromised in seconds, often installing back doors and “phoning home” to the attacker for exploitation at their leisure.
- Quid Pro Quo – In order to instil a sense of obligation, an attacker will offer help in some form with the expectation that the user will respond in kind to a request from the attacker.
- Tailgating – Our final example is tailgating, where someone who lacks authority to enter a particular area follows behind someone who has access. This can be as simple as impersonating a delivery driver with a package or being in a common smoking area and following other smokers back into the building.
In order to reduce the risk to yourself and the university be aware of red flags when dealing with people. Some red flags include unsolicited urgent communications with implied threat/benefit and strangers looking for the benefit of the doubt.
But also take into account the sensitivity of information you’re being asked for or the impact of an action you’re being asked to do. Hackers and scammers can do very little without your help!
Western Intelligence services have lost control of a number of ‘cyber weapons’. These are essentially toolkits built around one or more vulnerabilities that the intelligence services have discovered but not disclosed to vendors.
The recent WannaCry ransomware which had such devastating effect on the NHS and around the world made use of one such undisclosed vulnerability.
These ‘cyber weapons’ are crafted exploits available across multiple operating systems (Windows, Apple, Linux) and devices (Android, iPhones, Windows phones).
As a result, the threat environment at the moment is very high and system vendors and security companies are working hard to understand the vulnerabilities and provide fixes or protection. Users need to ensure systems are patched or security products installed in order to benefit from this protection and reduce their risk.
Additionally two further attacks have shown disturbing developments.
UCL suffered a ransomware attack on 15th June this year that investigation showed was initiated by users browsing a site that was running malicious advertising. The attack itself was initiated via an advert that not only made use of a ‘zero-day exploit’ (a vulnerability not known to vendors and therefore not fixed or protected against) but didn’t require the user to click on anything. Around a dozen computers were infected, which resulted in the IT department shutting down all network drives in order to contain and eradicate the infection.
A further ransomware attack called NotPetya appeared on the 27th June. It made use of the same WannaCry vulnerability in addition to several others. This attack is remarkable because it appears the hackers had no intention of decrypting any of the machines that had been infected. Even those users who dutifully paid $300 received nothing in return.
In this environment it becomes incredibly important that organisations and users take time to ensure their systems are properly protected:
- Always ensure your machines and devices are upgraded regularly. All major Operating System manufacturers offer automatic updates and this feature should be turned on.
- Computers and devices should have some form of anti-virus/anti-malware or internet security suite installed.
- Install ad blockers where possible on all browsers (for more advanced users, look into script blocking add-ons).
- Don’t use an administrator login as your normal login; create a separate user with normal rights and use that for your day to day use. The more rights your account has, the more damage can be done if it is compromised.
- Be vigilant and don’t fall for unsolicited attempts to get you to click links, open attachments or perform some other action (especially where there’s an implied or explicit threat or reward).
- Ensure backups are taken of your most important files. This should be either on a separate system or, preferably, on removable storage.
The energy wasted by leaving your PC on isn’t the only thing you need to be concerned about. Not rebooting your PC regularly can mean it’s less protected against malware and other security risks. Every month, Digital Technology Services installs updates to staff and student computers to maintain security and address issues. These take effect when the PC is restarted.
If you do not do this, you are not adequately safeguarding your PC and the University’s IT. Please remember to restart frequently, it will make the computer run better too.
Student PCs at the University are restarted automatically every day but everyone should also make sure they update and restart their own equipment regularly to help keep it secure against the latest malware and viruses.
The University has received notification of fraudsters running sophisticated scams at other universities to obtain users’ login details for the HR portal. These details are subsequently used to change bank account details so wages and expenses are paid to the fraudsters.
On receipt of this notification SHU is taking the following action:
- Contacting all staff who have changed banking details since the last pay day on January 15th to verify the change is legitimate
- Adding filters to the SHU mail systems to block known e-mail subject titles. A search of the logs shows no previous use of these subject titles in previous emails
- Communicating with staff via the staff intranet, eView and the IT Security Blog
There’s no indication that SHU has been targeted yet and staff are being informed of the current risk via a number of channels.
As always, please be aware of unsolicited emails enticing you to click a link or open an attachment. This particular phishing attempt used both branded emails and a branded web login page indistinguishable from the actual HR employee portal.
- had any suspicious/unsolicited emails
- clicked on a link in an unsolicited email taking you to the Core Portal
- entered username/password into the Core Portal that has subsequently failed to load
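The mail-filtering step above, and the earlier campaign whose messages carried a previously used “Re:” subject from a spoofed known contact, as an added example that is not the SHU mail team’s own filter: a small classifier using Python’s standard `email` module that blocks messages whose normalised subject is on a blocklist, blocks messages whose display name belongs to a known internal contact but whose address does not match, and flags “Re:”/“FW:” subjects that carry no In-Reply-To or References header (a reply that was never actually a reply). The blocked subject, the contact directory and the sample messages are constructed placeholders.

```python
import email
import re
from email.utils import parseaddr

# Constructed placeholder for the subject titles the mail team chose to block
# (the real titles are not given in the post). Stored normalised: prefixes
# stripped, whitespace trimmed, case-folded.
BLOCKED_SUBJECTS = {"your hr portal account requires verification"}

# Constructed directory of internal contacts: display name -> genuine address.
KNOWN_CONTACTS = {"Jane Doe": "j.doe@example.ac.uk"}

# Reply/forward prefixes, possibly repeated ("Re: FW: Re: ...").
PREFIX = re.compile(r"^\s*(?:(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def normalise_subject(subject):
    """Strip reply/forward prefixes and case so variants match the blocklist."""
    return PREFIX.sub("", subject or "").strip().casefold()


def classify_message(raw):
    """Return (verdict, reasons) for one RFC 822 message given as a string.
    verdict is 'block', 'flag' or 'deliver'."""
    msg = email.message_from_string(raw)
    subject = msg.get("Subject", "")
    name, addr = parseaddr(msg.get("From", ""))
    reasons = []

    if normalise_subject(subject) in BLOCKED_SUBJECTS:
        reasons.append("blocked-subject")

    # Display name of a known colleague but a different sending address.
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr.casefold() != expected.casefold():
        reasons.append("display-name-mismatch")

    # A reply subject with no threading headers was not generated by replying.
    if PREFIX.match(subject) and not (msg.get("In-Reply-To") or msg.get("References")):
        reasons.append("fake-reply")

    if "blocked-subject" in reasons or "display-name-mismatch" in reasons:
        return "block", reasons
    if reasons:
        return "flag", reasons
    return "deliver", reasons


# Constructed sample messages.
PHISH = """From: Jane Doe <jane.doe@mail-example.net>
To: staff@example.ac.uk
Subject: Re: Sheffield Hallam Open Day- Saturday 18th August 2018
Content-Type: text/plain

Please see the message. Click here to view message.
"""

LEGIT_REPLY = """From: Jane Doe <j.doe@example.ac.uk>
To: staff@example.ac.uk
Subject: Re: Sheffield Hallam Open Day- Saturday 18th August 2018
In-Reply-To: <constructed-id-1@example.ac.uk>
Content-Type: text/plain

Thanks, see you there.
"""

BLOCKED = """From: HR Portal <noreply@mail-example.net>
To: staff@example.ac.uk
Subject: FW: Your HR portal account requires verification
Content-Type: text/plain

Log in to keep your account active.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT_REPLY), ("blocked", BLOCKED)):
        print(label, classify_message(raw))
```

The fake-reply check only flags rather than blocks on its own, because some genuine mail clients and ticketing systems drop threading headers; combined with a display-name mismatch it is strong enough to block, which is what the constructed phishing sample hits.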