Attacks

What is a DDoS attack?

by Jennifer Kennedy.

A Distributed Denial of Service (DDoS) attack is a non-intrusive internet attack made to prevent legitimate users from accessing a website, server or application by overwhelming it with fake requests and traffic.
DDoS attacks cannot steal personal information or data; the purpose is to overload the system so that connections become slow or unresponsive for users. Our internet service provider (Jisc) can put protective measures in place to block suspicious traffic and guard against attacks, but that does mean some staff and users may be bounced off the network, particularly if they have tried to connect repeatedly from the same IP address. If you are finding it difficult to connect to services, please try rebooting your computer and/or your Wi-Fi router.

Why will restarting my router help?

As a precaution against further DDoS attempts, Jisc (our internet service provider) has temporarily placed us in a special group of institutions with heightened protection, which allows them to block any IP address that tries to connect multiple times. While that blocks suspicious traffic, it occasionally means some staff and students may be bounced off the network, especially if they have tried to connect unsuccessfully a number of times. Restarting your home router will often give you a new IP address, which will stop you being blocked by this protection.

If you have rebooted your router and still have issues connecting to the University’s IT services, please contact the IT Service Desk on 0114 225 3333.


Phishing attacks and online fraud – protective steps

by Jennifer Kennedy.

Digital Technology Services is increasing the visibility of potentially fraudulent email by marking all email from outside the University to remind users to treat links or attachments with caution. This is an increasingly common tactic across the HE sector to help users to better identify fraudulent email, reducing the risk to them and the University.
Over the past month the University has seen a big increase in phishing, with over 3000 fake emails being delivered to University users’ mailboxes. While many recipients identify them as fake and report them so that DTS can take action, the emails and the web pages they link to are often convincing enough for some people to be taken in, providing usernames and passwords or other personal data to the attackers. Where we can trace that a user is at risk from an attack, DTS can take action and has reset over 100 users’ passwords where suspicious activity was observed.
Once a user’s username and password are compromised like this, they are exposed to a number of risks. Recent examples include use of their mailbox to launch further phishing or fraud attacks against other University users, and changing staff bank details in Core to redirect salary payments to an attacker’s account.
The CyberAware online training shows users the key risks in online activity, such as email and web browsing, and how to deal with them. We recommend that everyone undertakes this regularly. While DTS can identify accounts at risk and support users in recovering control of their account, we cannot help where data or money has already been lost. For this reason it is important for the protection of University staff and students that we help people identify suspicious activity and take appropriate action.
If you ever accidentally click on a suspicious link, contact IT Help on 0114 225 3333 immediately.

Passwords and Credential Stuffing

by Jonathan Ashton.

Recently the UK National Cyber Security Centre published an analysis of passwords available online from existing breaches at various organisations (including LinkedIn).

Worldwide, weak passwords like “123456”, “qwerty” and “password” (along with football team names like “liverpool” and “chelsea”) are being used to secure millions of user accounts on social media, shopping sites and even banks (https://www.bbc.co.uk/news/technology-47974583). These passwords provide little protection because they are short and have no variation in upper/lower case or special characters, which means they can be cracked relatively quickly even by complete novices using freely available automated tools. In addition, such passwords have been made widely available in common password lists for use in indiscriminate attacks on services; this is known as ‘credential stuffing’.


Credential Stuffing

This is a simple attack using:

  • an email address that is already part of a breach (e.g. the LinkedIn breach of 2016 which involved 117 million email addresses and passwords being made available online)
  • a list of common passwords (referred to as a dictionary)
  • repeatedly trying the email address and dictionary password combinations against online services (e.g. Amazon, Gmail, Facebook, Spotify, Halifax, AirBNB, etc)

As hackers are dealing with millions of email addresses, combined with the fact that millions of people are using insecure passwords, it’s not surprising that a significant number of accounts are breached and then used for further fraudulent activity.
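Because a credential stuffing bot works through many different accounts from one source, the number of distinct usernames tried per IP address is the signal a service operator can look for. The following is an added example (not from the original post or from DTS): the log format, the `find_stuffing_sources` name and the five-account threshold are assumptions, and the log lines are constructed, not taken from any real system.

```python
import re
from collections import defaultdict

# Constructed authentication log (not from any real system). One source IP cycles
# through many different accounts with dictionary passwords and gets one hit; a
# legitimate user mistypes their own password twice from another IP.
SAMPLE_AUTH_LOG = """\
2024-05-01T09:00:01Z result=FAIL ip=203.0.113.7 user=alice@example.ac.uk
2024-05-01T09:00:02Z result=FAIL ip=203.0.113.7 user=bob@example.ac.uk
2024-05-01T09:00:02Z result=FAIL ip=203.0.113.7 user=carol@example.ac.uk
2024-05-01T09:00:03Z result=FAIL ip=203.0.113.7 user=dave@example.ac.uk
2024-05-01T09:00:03Z result=SUCCESS ip=203.0.113.7 user=erin@example.ac.uk
2024-05-01T09:00:04Z result=FAIL ip=203.0.113.7 user=frank@example.ac.uk
2024-05-01T09:01:10Z result=FAIL ip=198.51.100.23 user=grace@example.ac.uk
2024-05-01T09:01:25Z result=FAIL ip=198.51.100.23 user=grace@example.ac.uk
2024-05-01T09:01:40Z result=SUCCESS ip=198.51.100.23 user=grace@example.ac.uk
"""

LINE_RE = re.compile(r"result=(?P<result>\w+) ip=(?P<ip>[\d.]+) user=(?P<user>\S+)")


def parse_auth_log(text):
    """Yield (result, ip, user) for each line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("ip"), m.group("user")


def find_stuffing_sources(text, min_distinct_users=5):
    """Return {ip: details} for IPs that tried at least min_distinct_users accounts.

    Password guessing hits one account from many IPs; credential stuffing does
    the reverse (many accounts from one source), so distinct usernames per IP,
    not the raw failure count, is the discriminating signal. A normal user who
    mistypes their own password several times is never flagged by this rule.
    """
    users_by_ip = defaultdict(set)
    failures_by_ip = defaultdict(int)
    successes_by_ip = defaultdict(set)
    for result, ip, user in parse_auth_log(text):
        users_by_ip[ip].add(user)
        if result == "FAIL":
            failures_by_ip[ip] += 1
        else:
            successes_by_ip[ip].add(user)
    flagged = {}
    for ip, users in users_by_ip.items():
        if len(users) >= min_distinct_users:
            flagged[ip] = {
                "distinct_users": len(users),
                "failures": failures_by_ip[ip],
                # accounts whose password was accepted from the bot: reset these first
                "compromised": sorted(successes_by_ip[ip]),
            }
    return flagged
```

The `compromised` list is the part worth acting on immediately: those are the accounts whose reused password was in the attacker's dictionary.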


Check your Email Addresses and Password Security

You can check if your email address (and/or other details) have been involved in breaches and subsequently made available online by using sites such as https://haveibeenpwned.com/.  Once an email address is in the public domain like this, it will be used in credential stuffing attacks.

You can check to see if your password has been used in a previous breach and therefore if it is likely to be available for hackers at https://haveibeenpwned.com/Passwords.
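The Pwned Passwords check linked above never receives your actual password: the site hashes it with SHA-1 and sends only the first five hex characters of the hash to the range API, then compares the rest locally. The following is an added example of that check, not code from the original post or from haveibeenpwned.com; the range response text is constructed (including its counts) to show the format, and only `fetch_range` would talk to the real service.

```python
import hashlib
import urllib.request

# Constructed stand-in for a Pwned Passwords range response: one
# "HASH-SUFFIX:COUNT" line per breached hash sharing the queried 5-char prefix.
# The middle suffix is the genuine tail of SHA-1("password"); every count here
# is made up, not a real breach figure.
SAMPLE_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
1E2AAA439972480CEC7F16C795BBB429372:1
"""


def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, range_body):
    """How many times the password appears in breaches (0 = not in this range)."""
    _prefix, suffix = split_sha1(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix):
    """Query the real range API; only the 5-char prefix ever leaves the machine."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print("prefix sent:", prefix)
    print("offline sample count:", pwned_count("password", SAMPLE_RANGE_RESPONSE))
```

Replace `SAMPLE_RANGE_RESPONSE` with `fetch_range(prefix)` to run the real check; any non-zero count means the password is in attackers' dictionaries and should be changed everywhere it is used.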

Another online resource, available at https://password.kaspersky.com/, shows you how strong your password is.


Password Advice

The password advice is still:

  • Don’t re-use passwords between services
  • Passwords should be a mix of upper and lower case along with numbers and one or more special characters (like !#@*^, etc)
  • Passwords should be a minimum of 12 characters