Cyber security has long been an area of activity for those providing, protecting and supporting services in research and education. For many years we have provided security products and services to help preserve the confidentiality, integrity, and availability of the Janet network and everything on it. Over time the services we offer have evolved and grown to meet your changing needs and the different threats that we are all now seeing. This Group aims to provide updates and articles about Jisc's security products and services as well as providing relevant news items and links about areas of security that affect Jisc members.

Jisc Cyber Security Update January 2016

18 January 2016 at 12:26pm

High profile security breaches: Recent months have seen a number of breaches and issues with several large companies’ online security, resulting in unauthorised access to and theft of personal data:

  • The theft of 21,000 unique bank account numbers and sort codes and 28,000 obscured credit and debit card details from TalkTalk (30th October update here) received the most coverage.
  • A few days later, BBC News reported that a fault with Marks and Spencer's website allowed customers to see each other's details when they logged into their own accounts (though it would appear that this was the result of a technical glitch rather than an attack).
  • Vodafone also announced that it had been subject to an attack resulting in 1,827 customers having their accounts accessed.

James Davis, Jisc’s Information Security Manager, highlighted in a blog post that, because it’s likely the TalkTalk breach was via an SQL injection or a similar application vulnerability, encrypting the personal data held would not have provided any protection:

 “By necessity the application needs access to cleartext data to be able to process and present it. So if a vulnerability is present in an application, it's highly likely to give the same access to the data as the application had - in cleartext.”

This underlines the importance of fully understanding risks in order to implement the right protections to address them. More generally, such incidents demonstrate the need for continued vigilance in the face of the growing number of risks and threats, as well as the risk of reputational damage arising from negative media coverage in the event of an incident. Further commentary from BBC News here with advice on what to do to improve cyber security here.
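
The point made in the quotation above, as an added example that is not from the Jisc update or the blog post: a constructed in-memory customer table is encrypted at rest, yet an injectable lookup returns every record in cleartext because the application decrypts whatever the query returns, while the parameterised lookup does not. The cipher is a toy stand-in for real at-rest encryption, and all names, the key and the sample records are assumptions made for illustration.

```python
import hashlib
import sqlite3

KEY = b"constructed-demo-key"  # constructed; stands in for the application's data key


def toy_cipher(data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode) standing in for real
    # at-rest encryption such as AES-GCM. XOR makes it its own inverse.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(KEY + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def make_db() -> sqlite3.Connection:
    # Constructed sample records; the account column is stored encrypted.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT, account BLOB)")
    for user, acct in [("alice", "11-22-33 00001111"), ("bob", "44-55-66 00002222")]:
        db.execute("INSERT INTO customers VALUES (?, ?)",
                   (user, toy_cipher(acct.encode())))
    return db


def stored_accounts(db):
    # What someone reading the database files directly would see.
    return [a for (a,) in db.execute("SELECT account FROM customers")]


def lookup_vulnerable(db, username):
    # String concatenation: the input becomes part of the SQL statement,
    # and the application then decrypts every row the statement returns.
    sql = "SELECT username, account FROM customers WHERE username = '" + username + "'"
    return [(u, toy_cipher(a).decode()) for u, a in db.execute(sql)]


def lookup_parameterised(db, username):
    # Bound parameter: the input is only ever compared as a value.
    sql = "SELECT username, account FROM customers WHERE username = ?"
    return [(u, toy_cipher(a).decode()) for u, a in db.execute(sql, (username,))]
```

Encryption at rest still protects against theft of the database files or backups; it is the query construction that has to change to close the application-level route.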

Janet CSIRT incident statistics: Janet’s CSIRT publishes details of the number and type of new incidents handled each month; see figures for October, November and December 2015 (a description of the classification scheme the Janet CSIRT uses to record incidents is available here).

The Janet network came under a sustained DDoS attack in December and the incident report can be viewed here.

The wider context: Of particular concern is the fact that attacks are increasing in complexity and duration as well as in number. A number of internet service providers and equipment manufacturers provide regular updates on the changing cyber security and threat landscape; recent examples include:

  • Akamai’s Q3 2015 State of the Internet – Security report revealed that in Q3 2015 the total number of distributed denial of service (DDoS) attacks recorded on Akamai’s routed network increased by 180% over Q3 2014, and by 23% over Q2 2015. At the same time decreases were observed in average attack duration, average peak bandwidth and volume, attributed largely to the increasing use of DDoS-for-hire booter-stresser tools. Average peak bandwidth was 5.15 Gbps, down 25% from Q2, and average peak volume was 1.57 million packets per second (Mpps), down 43%. Q3 data showed the UK as the top source country for DDoS attacks, responsible for 26% of attacks. The number of attacks measuring 100 Gbps or more dropped from 12 in Q2 to 8 in Q3. Akamai expects more records to be set for the number of DDoS attacks recorded on its routed network in coming months, with attack vectors and methods continuing to vary. Akamai also expects to continue to see malware in ads and third-party service attacks as attackers continue to find security holes in the many widgets and plugins used across myriad platforms.
  • Cisco’s 2015 Midyear Security Report (also see this video overview) showed that threats are continuing to evolve rapidly in sophistication; some attacks employ obfuscation techniques to slip past network defences and evade detection, sometimes for long periods of time (also see this commentary from BBC News). For example, some exploit kit authors are incorporating text from Jane Austen’s Sense and Sensibility into web landing pages that host their exploit kits. Antivirus and other security solutions are more likely to categorize these pages as legitimate after “reading” such text. Other malware now attempts to destroy data and render machines inoperable if it detects it has been modified. Attacks designed to target vulnerabilities are being integrated so quickly into exploit kits like Angler (more here) and Nuclear that it is becoming increasingly difficult for security teams to keep pace (creating a “patching gap”).
  • Trend Micro’s latest quarterly threat round up for Q3 2015 focused on the impact of high profile data breaches such as the hacking of the Ashley Madison website, suggesting that similar attacks are likely in future: “Dumping stolen confidential information in public domains can tarnish victims’ reputations and cause far greater damage than business disruptions that result from web defacement and distributed denial-of-service (DDoS) attacks.” The report also described the growth in mobile malware across both Android and iOS devices and revealed that Angler continued to be the most widely used exploit kit. Trend Micro’s previous round up for Q2 2015 highlighted how basic malware components and tools have become so available and simple to use that any fledgling individual cybercriminal can now run their own malicious enterprise. Trend Micro also reported the exploitation during this quarter of WordPress’s content management system (CMS) via the insertion of malicious JavaScript code into its administrator browser window. This allows cross-site scripting (XSS) attacks via comment boxes in forums and discussion boards on WordPress sites, which make up a fourth of the Internet. These kinds of vulnerabilities and issues underline the importance of organisations maintaining close monitoring of the core software and plug-ins used, together with the need for good penetration testing on custom applications.
  • McAfee Labs’ most recent quarterly threat report also flagged the growing complexity of attacks. The adoption of cloud services has changed the nature of some attacks, as devices are attacked not for the small amount of data that they store, but as a path to where the important data resides. Cybercrime has now grown into a full-fledged industry with suppliers, markets, service providers, financing, trading systems, and a proliferation of lucrative business models. Like Trend Micro’s Q2 report, McAfee’s analysis highlights the ease with which cybercriminals can now commence malicious activities. Businesses and consumers still do not pay sufficient attention to updates, patches, password security, security alerts, default configurations, and other easy but critical ways to secure cyber and physical assets. These aspects still remain the most likely vectors for successful attacks. McAfee Labs also published its 2016 Threats Predictions report, highlighting the security challenges posed by the shift towards cloud services and the proliferation of end-user devices and services.
  • Alcatel-Lucent’s Motive Security Labs Malware Report flagged a significant rise in mobile infections via Windows PCs: Windows PCs connected to mobile networks via dongles and mobile Wi-Fi devices or tethered through smartphones are now responsible for a large percentage of the malware infections observed. As the mobile network becomes the access network of choice for many Windows PCs, the malware moves with them.

Other recent cyber security news:

XOR DDoS botnet: In September 2015, Akamai issued a new advisory notice in relation to the XOR DDoS Botnet. This is capable of 150+ Gbps distributed denial of service (DDoS) attack campaigns using XOR DDoS, a Trojan malware used to hijack Linux systems. Akamai noted this as an example of attackers switching focus and building botnets using compromised Linux systems to launch DDoS attacks, something now occurring more frequently, as previously Windows machines were the primary targets for DDoS malware.

Cisco identifies Network Time Protocol (NTP) vulnerabilities: ZDNet reported that Cisco has discovered serious vulnerabilities in NTP that could allow attackers to bypass authentication procedures. For example, by maliciously changing system times, an attacker could authenticate through expired passwords and accounts and circumvent security structures such as HTTPS. According to the article, all ntp-4 stable releases from 4.2.5p186 through 4.2.8p3 appear to be vulnerable, but upgrading to ntp-4.2.8p4 fixes these problems. Until then, the best defence is to use firewalls to block malicious traffic.

Vulnerabilities found in Cisco's Clientless SSL virtual private network (VPN): Ars Technica reported that attackers are infecting Cisco’s widely used Clientless SSL VPN product to install backdoors that collect user names and passwords. Once the backdoor is in place, it may operate unnoticed for months. The backdoor is installed through at least two different entry points. The first is a critical vulnerability that Cisco patched more than 12 months ago. The other infection method relies on attackers gaining administrator access through other means and using it to load the malicious code. The article recommended that, since the backdoors are easily missed by antivirus programs, intrusion prevention systems and other security measures, administrators should periodically check for signs of compromise.

Sensitive student data at risk on top US college websites: Passcode reported on a number of recent security breaches of US university and college websites where students’ personal data (including contact information, financial records, health records and Social Security numbers) has been stolen:

“In one of the most glaring recent examples, some 80,000 students of the California State University system had personal data exposed in an early September breach…In July, Harvard revealed that it was the victim of a digital attack. And, in the same month, the hacktivist group known as GhostShell repeated claims that it stole data from scores of colleges and universities.”

Passcode found that the majority of institutions fail to enable the latest online safeguards required to secure such data. In particular, US universities lag behind in their failure to employ HTTP Strict Transport Security (HSTS), a measure which ensures users connect only to secure versions of websites.
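
A check for the safeguard described above, as an added example that is not from the Passcode report or the Jisc update: it parses a Strict-Transport-Security header following RFC 6797 and lists the reasons a response would leave users unprotected. The 180-day minimum, the function names and the sample responses are assumptions made for illustration.

```python
MIN_AGE = 15552000  # 180 days: an assumed policy threshold, not from the article


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns a dict of lower-cased directives, or None when a browser
    would have to ignore the header."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        if not name:
            continue                       # empty directives are allowed
        if name in directives:
            return None                    # repeated directive: header is invalid
        directives[name] = val.strip().strip('"')   # value may be a quoted-string
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None                        # max-age is required, in whole seconds
    return directives


def assess(scheme, headers):
    """Return findings for one response; an empty list means HSTS is effective."""
    if scheme != "https":
        # Browsers only honour the header on a secure connection.
        return ["plain HTTP response: any HSTS header is ignored"]
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(value)
    if policy is None:
        return ["malformed header: browsers ignore it"]
    findings = []
    if int(policy["max-age"]) == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif int(policy["max-age"]) < MIN_AGE:
        findings.append("max-age is shorter than %d seconds" % MIN_AGE)
    if "includesubdomains" not in policy:
        findings.append("includeSubDomains is not set")
    return findings


# Constructed sample responses (scheme, headers); not taken from any real site.
SAMPLES = [
    ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https", {"strict-transport-security": "max-age=3600"}),
    ("https", {"Server": "example"}),
]
RESULTS = [assess(s, h) for s, h in SAMPLES]
```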


Welcome to the first Jisc cyber security update. We hope that it provides a useful resource for you, perhaps in support of your own reporting, and would very much welcome feedback on this first update, by asking you to complete a short five minute survey.

Many thanks.