COVID-19 has altered the way we work and study across the world and Sheffield Hallam is no exception to that. This change has brought a number of challenges and risks that have meant adjustments for everyone.
We’ve had to make rapid changes to our University IT infrastructure, which was primarily geared to on-site delivery of systems, services and data, with a much smaller need for people to use it for working, teaching and studying remotely. Staff and students’ own home Internet Service Providers are also juggling a large increase in sustained demand through the working day (https://www.bbc.co.uk/news/technology-52448607).
Some of the University’s services are cloud-based which means we’re dependent on their providers to resolve any issues and notify us about interruptions to service. Online meeting services like Zoom and WebEx have surges in use at certain times which can affect connection.
The move to remote working has also increased certain risks. The University has protections in place against phishing and malicious websites or downloads, but we’ve had to put considerably more resource into responding to the big spikes in phishing threats and the frequent Distributed Denial of Service (DDoS) attacks we’ve been seeing at the University. This isn’t just a Sheffield Hallam issue: Kaspersky (a global cybersecurity provider) reported almost a doubling in DDoS attacks in January – March this year compared with October – December 2019, with certain sectors being specifically targeted (e.g. local government and education; https://usa.kaspersky.com/about/press-releases/2020_ddos-during-the-covid-19-pandemic-attacks-on-educational-and-municipal-websites).
All these factors make availability of IT services and access for remote working a difficult balancing act and the University is working hard with our partners and suppliers to minimise their impact.
What is Sheffield Hallam doing to address these issues?
We’ve moved quickly to expand the availability of remote desktops and VPN connections (which offer increased security and a better connection) and are working to increase the availability of cloud-based labs and other facilities.
Our Security team is working with our own internet service provider (Jisc) to put special protective measures in place which safeguard our systems and block DDoS attacks, which are particularly prevalent at the moment.
A Distributed Denial of Service (DDoS) attack is a non-intrusive internet attack made to prevent legitimate users from accessing a website, server or application by overwhelming it with fake requests and traffic.
DDoS attacks cannot steal personal information or data; the purpose is to overload the system so that connections become slow or unresponsive for users. Our internet service provider (Jisc) can put protective measures in place to block suspicious traffic and guard against attacks, but that does mean some staff and users may be bounced off the network, particularly if they have tried to connect repeatedly from the same IP address. If you are finding it difficult to connect to services, please try rebooting your computer and/or your Wi-Fi router.
Why will restarting my router help?
As a precaution against further DDoS attempts, Jisc (our internet service provider) has temporarily placed us in a special group of institutions with heightened protection, which allows them to block any IP address that tries to connect repeatedly. While that blocks suspicious traffic, it occasionally means some staff and students may be bounced off the network, especially if they have tried to connect unsuccessfully a number of times. Restarting your home router will often generate a new IP address, which will stop you being blocked by this protection.
If you have rebooted your router and still have issues connecting to the University’s IT services, please contact the IT Service Desk on 0114 225 3333.
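To make the behaviour described above concrete, here is an added illustrative model of per-source-IP rate limiting (example code written for this page, not Jisc’s actual mechanism): a source that exceeds a small number of connection attempts within a short window is blocked for a period, which is why a user retrying from the same address gets stuck while the same person on a fresh address after a router reboot gets through. The thresholds and the 203.0.113.x addresses are constructed for the example.

```python
from collections import defaultdict, deque

# Illustrative model of per-source rate limiting (not Jisc's actual mechanism):
# a source IP that makes more than MAX_ATTEMPTS connection attempts inside
# WINDOW_SECONDS is blocked for BLOCK_SECONDS.
MAX_ATTEMPTS, WINDOW_SECONDS, BLOCK_SECONDS = 5, 60.0, 600.0

class PerSourceLimiter:
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS, block=BLOCK_SECONDS):
        self.max_attempts, self.window, self.block = max_attempts, window, block
        self.attempts = defaultdict(deque)   # ip -> timestamps of recent attempts
        self.blocked_until = {}              # ip -> time at which the block expires

    def attempt(self, ip, now):
        """Record a connection attempt from ip at time now; return True if it is allowed."""
        if self.blocked_until.get(ip, 0.0) > now:
            return False                     # still inside an active block
        recent = self.attempts[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                 # forget attempts outside the window
        if len(recent) > self.max_attempts:
            self.blocked_until[ip] = now + self.block
            recent.clear()
            return False
        return True

def simulate(limiter, events):
    """events: (time, ip) pairs; returns (time, ip, allowed) triples in order."""
    return [(t, ip, limiter.attempt(ip, t)) for t, ip in events]

# Constructed scenario: a member of staff on 203.0.113.10 retries the VPN several
# times in a minute (flaky home connection), keeps trying after being blocked, then
# reboots the router and reappears on 203.0.113.77.
EVENTS = [(0, "203.0.113.10"), (5, "203.0.113.10"), (9, "203.0.113.10"),
          (14, "203.0.113.10"), (20, "203.0.113.10"), (26, "203.0.113.10"),
          (40, "203.0.113.10"), (300, "203.0.113.10"), (310, "203.0.113.77")]

if __name__ == "__main__":
    for t, ip, allowed in simulate(PerSourceLimiter(), EVENTS):
        print(f"t={t:>4}s  {ip:<14}  {'allowed' if allowed else 'BLOCKED'}")
```

Note that the block is keyed on the source address alone, so a household sharing one router is blocked or released together.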
The Higher Education sector is a lucrative hunting ground for fraudsters, who use phishing tactics to steal usernames and passwords, unlocking systems and enabling access to the University’s and the user’s own data.
Earlier this year, Lancaster University reported a breach that involved the loss of a significant amount of student personal data that can be monetised or used for further fraud against those students affected.
Fraudsters have been reported to:
target students with false invoices, demanding direct payment to the fraudsters
launch phishing campaigns against students, staff, and other universities
redirect salary and expense payments from staff members to their own accounts
For Hallam, attacks have increased in severity over the last few months and we’ve seen increasingly sophisticated phishing campaigns since early 2019. These attacks are often successful because they direct users to sophisticated log-in portals that look like our own Office 365.
DTS monitors these attempts and aims to intervene as early as possible to reduce the opportunity that fraudsters have. The new email ‘caution’ banner (usually in yellow) at the top of all external mail is one of several measures put in place to highlight the risks in online activity. DTS also supplies a CyberAware online training module which aims to help staff identify risks and how to combat them. We encourage all staff to complete this for their own safety and that of the University.
Ultimately, it’s down to individual users to be wary of unexpected emails that ask them to open a document or log in to a website. Please remember to:
Check the sender (the new external email caution banner should help to identify external senders, treat these more cautiously).
Check the address of any email links (always hover the mouse over them before clicking – this can sometimes be a giveaway).
Check the website address if you have clicked a link (don’t just assume it’s a University website because it uses our branding – fraudsters are good at copying).
Stop and think before logging in: if anything at all feels ‘off’, don’t go any further; contact IT Help before proceeding.
If you find something suspicious, or think you might have already been compromised, contact IT Help on 0114 225 3333 immediately.
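The second and third checks above (look at where a link really goes, and don’t trust branding as proof that a page is the University’s) can be automated for an email body. The following is an added example written for this page, not a DTS tool: it extracts every link, compares the host a reader would see in the link text with the host in the href, and flags any host outside an assumed allow-list of University and Office 365 domains. The allow-list and the sample email are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list for this example: domains a genuine University or Office 365
# login page would live under. Adjust it to your own organisation's domains.
TRUSTED_DOMAINS = ("shu.ac.uk", "microsoftonline.com")

def host_of(url):
    """Lower-cased hostname of a URL, or '' if the text is not a URL."""
    return (urlsplit(url.strip()).hostname or "").lower()

def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html):
    """Return [(href, [reasons])] for links a recipient should not trust."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target, shown, reasons = host_of(href), host_of(text), []
        if shown and shown != target:   # the "hover before clicking" check
            reasons.append(f"text shows {shown} but the link goes to {target}")
        if not is_trusted(target):      # branding is not proof of origin
            reasons.append(f"{target} is not a University or Office 365 domain")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample email: University branding, one look-alike host, one genuine link.
SAMPLE_EMAIL = """<p>Sheffield Hallam University: your Office 365 password expires today.</p>
<p><a href="https://shu-ac-uk.example.net/login">https://portal.shu.ac.uk/</a></p>
<p><a href="https://portal.shu.ac.uk/">Staff homepage</a></p>"""
```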
Digital Technology Services is increasing the visibility of potentially fraudulent email by marking all email from outside the University to remind users to treat links or attachments with caution. This is an increasingly common tactic across the HE sector to help users to better identify fraudulent email, reducing the risk to them and the University.
Over the past month the University has seen a big increase in phishing, with over 3000 fake emails being delivered to University users’ mailboxes. While many recipients identify them as fake and report them so DTS can take action, the emails and the web pages they link to are often convincing enough for some people to be taken in, providing usernames and passwords or other personal data to the attackers. Where we can trace that a user is at risk from an attack, DTS can take action, and we have reset over 100 users’ passwords where suspicious activity was observed.
Once a user’s username and password are compromised like this, they are exposed to a number of risks, which have recently included the use of their mailbox to launch further phishing or fraud attacks against other University users and the changing of staff bank details in Core to redirect salary payments to an attacker’s account.
The CyberAware online training shows users the key risks in online activity, such as mail and web browsing, and how to deal with them. We recommend all undertake this regularly. While DTS can identify accounts at risk and support users in recovering control of their account, we cannot help where data or money has already been lost. For this reason it is important for the protection of University staff and students that we help people identify suspicious activity and take appropriate action.
If you ever accidentally click on a suspicious link, contact IT Help on 0114 225 3333 immediately.
Recently the UK National Cyber Security Centre published an analysis of passwords available online from existing breaches at various organisations (including LinkedIn).
Worldwide, weak passwords like “123456”, “qwerty”, “password” (along with football team names like “liverpool” and “chelsea”) are being used to secure millions of user accounts on social media, shopping sites and even banks (https://www.bbc.co.uk/news/technology-47974583). These passwords provide little protection because they are short and use a limited character set (no variation in upper/lowercase and no special characters). This means they can be cracked relatively quickly even by complete novices using freely available automated tools. In addition, such passwords have been made widely available in common password lists for use in random attacks on services; this is known as ‘credential stuffing’.
This is a simple attack using:
an email address that is already part of a breach (e.g. the LinkedIn breach of 2016 which involved 117 million email addresses and passwords being made available online)
a list of common passwords (referred to as a dictionary)
repeatedly trying the email address and dictionary password combinations against online services (e.g. Amazon, Gmail, Facebook, Spotify, Halifax, AirBNB, etc)
As hackers are dealing with millions of email addresses, combined with the fact that millions of people are using insecure passwords, it’s not surprising that a significant number of accounts are breached and then used for further fraudulent activity.
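The pattern just described (one source working through a list of leaked email addresses, trying each only once or twice) looks quite different in an authentication log from a genuine user who has forgotten their password. The following detection logic is an added example written for this page, not a University tool; it assumes a simple one-line-per-event log format and runs over a constructed sample, reporting the source addresses that fit the stuffing pattern and any accounts that logged in successfully from them (the ones whose passwords would need resetting).

```python
import re
from collections import defaultdict

# Assumed log format for this example: one authentication event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_log(lines):
    """Parse lines matching LOG_RE into dicts; anything else is skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_credential_stuffing(events, min_users=5, max_tries_per_user=2.0):
    """Flag source IPs whose failures are spread thinly across many accounts.
    A stuffing run tries a leaked password once per account (many distinct users,
    few attempts each); a user mistyping their own password fails repeatedly
    against one account and is not flagged. Accounts that logged in OK from a
    flagged IP are reported as 'compromised' so their passwords can be reset.
    """
    failed = defaultdict(list)     # ip -> users that produced a FAIL
    succeeded = defaultdict(set)   # ip -> users that produced an OK
    for e in events:
        if e["result"] == "FAIL":
            failed[e["ip"]].append(e["user"])
        else:
            succeeded[e["ip"]].add(e["user"])
    report = {}
    for ip, users in failed.items():
        distinct = len(set(users))
        if distinct >= min_users and len(users) / distinct <= max_tries_per_user:
            report[ip] = {"distinct_users": distinct, "failures": len(users),
                          "compromised": sorted(succeeded.get(ip, ()))}
    return report

# Constructed sample: 198.51.100.7 runs a leaked list one try per account; 203.0.113.5 mistypes their own password; 192.0.2.9 is noise.
SAMPLE_LOG = """2020-05-01T09:00:01Z ip=198.51.100.7 user=amy@example.ac.uk result=FAIL
2020-05-01T09:00:02Z ip=198.51.100.7 user=ben@example.ac.uk result=FAIL
2020-05-01T09:00:03Z ip=198.51.100.7 user=cat@example.ac.uk result=FAIL
2020-05-01T09:00:04Z ip=198.51.100.7 user=dave@example.ac.uk result=OK
2020-05-01T09:00:05Z ip=198.51.100.7 user=eve@example.ac.uk result=FAIL
2020-05-01T09:00:06Z ip=198.51.100.7 user=fay@example.ac.uk result=FAIL
2020-05-01T09:10:00Z ip=203.0.113.5 user=alice@example.ac.uk result=FAIL
2020-05-01T09:10:20Z ip=203.0.113.5 user=alice@example.ac.uk result=FAIL
2020-05-01T09:10:45Z ip=203.0.113.5 user=alice@example.ac.uk result=OK
2020-05-01T09:12:00Z ip=192.0.2.9 user=bob@example.ac.uk result=FAIL
not an authentication event: ignored by parse_log""".splitlines()
```

Real stuffing runs are often spread over many source addresses, so in practice the same grouping is also worth applying per target account and per time window rather than per IP alone.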
Check your Email Addresses and Password Security
You can check whether your email address (and/or other details) has been involved in breaches and subsequently made available online by using sites such as https://haveibeenpwned.com/. Once an email address is in the public domain like this, it will be used in credential stuffing attacks.
An ongoing phishing campaign targeting educational institutions in the US and the UK has now been seen by some SHU staff members.
Messages often appear to be from a known contact of the recipient and contain a subject line that has been used previously in communications between the sender and recipient e.g. “Re: Sheffield Hallam Open Day- Saturday 18th August 2018”.
The message may contain very little text and what looks to be a green button labelled “Display Message”, “Click here to view message” or similar text. Below is an example:
This button should NOT be clicked. If you do accidentally click it, do not enter your username and password on the web page you are taken to.
If you have already entered your credentials, then you must change your password immediately, using the “Changing your password” link on the Staff homepage or by visiting http://go.shu.ac.uk/password.
GDPR is coming into effect on 25th May and will herald a big change in the way organisations hold and manage personal data.
As such, many organisations will need to seek consent from existing and new users; you may have noticed an increased number of emails asking you either to review privacy policies or to grant explicit consent to continue receiving emails, etc.
We’ve become aware of a number of phishing campaigns purporting to be from a well-known organisation/brand with the sole intent of getting login details from recipients who respond. Further details are in this article:
The University is currently reviewing the impact of vulnerabilities branded Meltdown and Spectre by the cyber security industry and is assessing the patches which are becoming available to remediate them. There is no evidence that the flaws have been exploited anywhere yet but, as always, it’s important to use IT safely. Please take particular care when clicking on links, don’t open any suspicious attachments and avoid visiting unsecured websites.
For personal devices or home computers we advise, as always, to install patches and updates as soon as they are available. Bear in mind that this potentially affects all computer devices worldwide – phones, tablets, PCs and laptops, including Microsoft, Linux and Apple products.
You may have heard news about issues with the latest Mac OS operating system, High Sierra. At Sheffield Hallam, Digital Technology Services has been recommending that staff do not update University Macs to the new operating system and no University owned Macs that students use have the new operating system installed. If you own an Apple Mac yourself, you should take advice from Apple about how to handle this.
KRACK is a newly published attack on wireless communications between a device (smartphone, laptop, Wi-Fi camera, etc.) and the wireless access point.
The attack works by interfering with the handshake process that the device and the access point undertake to secure communication between the two. It enables the attacker to:
Listen in on wireless traffic between the device and access point
Inject its own data into the traffic
Apply additional attacks to further reduce security
This means that an attacker can listen into all unsecured communications you’re having over Wi-Fi (e.g. instant messaging, websites, logins, emails, etc). They can also modify unsecured data you send/receive or insert new data (e.g. implanting a piece of malware in a website page) although this is a worst case scenario.
On the bright side vendors and manufacturers were warned months ago about this and have been working on security patches for a while. Some manufacturers have already released the patches via automated updates whilst others will be rolling them out shortly.
At this point in time (18/10/2017), and assuming you have automatic updates turned on, the status of the major vendors is:
macOS 10.11.1 – Patch Pending
Windows 7, 8, 8.1, 10 – Patched
Linux Ubuntu 14.04+, Arch, OpenBSD, Debian, Gentoo, Linux upstream – Patched
iOS – Fixed in iOS 11.1 due out in a few weeks
Google Devices (Android) – Patch Pending for Google Pixel and Google Nexus (although not clear if older Nexus devices will receive this patch)
Samsung (Android) – Newer devices receive Google security fixes (Patch Pending), older devices do not
Other Android – Refer to your manufacturers support site
Android devices tend not to get newer versions of the OS (let alone security patches) as they get older, but vendors may have no option but to release a fix for this (especially if pressure is applied via social media, etc.).
This blogger is keeping track of the status of patches for the most popular vendors (it’s about halfway down the page). Note that although patching home routers helps with some other issues presented by this attack, patching your router alone will do nothing to stop it if your device hasn’t been patched.
The University is currently advising the following (which should be considered normal practice to help keep yourself and your data safe):
Make sure the software on your device is up to date. Manufacturers regularly release security patches to fix issues and vulnerabilities in operating systems and it is important that these are promptly installed. For University equipment, Digital Technology Services (DTS) will provide advice about what you need to do when these are available. Users of SHU-owned Macs have been advised NOT to accept an update to High Sierra until DTS has confirmed that it is okay to do so but they should continue to install any security patches which are offered. On your personally-owned devices, use the latest operating system and install patches when they are offered to you.
Wherever possible, use websites that are encrypted – these normally display a padlock next to the address.
University staff should use the VPN (Virtual Private Network) service when using laptops and other portable devices to ensure any University data is encrypted while using Wi-Fi networks. This includes while in public areas on campus such as University cafes and other open areas. More information on the VPN service.