You don't need a PhD to phish a Brit university: Nonprofit claims 100% hit rate is easy peasy British university admin folk are alarmingly easy to phish, according to an academic support body which claims a 100 per cent success rate "within two hours". Jisc, the artists formerly known as the Joint Information Systems Committee, claimed to have secured a "100 per cent track record" when securing illicit access to "high …
Not particularly familiar with uni campus networks since foraging around Netware systems for pr0n in early 90s' but I know one that only a couple of years ago rebuffed the need for any web filtering on the campus network because of potential infringement on privacy and civil liberties. Sure I get that student and academic devices are on and off network all the time and therefore these networks are probably quite easy to breach but the lack of foundational security makes this report entirely unsurprising.
We've done that exercise (or had it run by our institute IT team) and anyone who fell for it was 're-educated'. (Actually, they were re-educated without sinister quotes...).
Brilliantly though, institutional email has now started munging all links in incoming email through an MS-backed 'safelinks' site. Outcomes: Links in old emails will be invalid if needed in a couple of years when the API inevitably changes, Thunderbird now warns that they're all potential phishing attacks (technically true...) and if one does slip through it makes it harder for the aware user to assess veracity because the link is much less human-readable.
Yes, Microsoft's link munging (one of my former almae matres also has this service) is abominable. It creates a horrible mess, frequently doesn't work right (at least for me), and probably adds little of value. While common-or-garden phishing is a danger, I doubt these services have a high prevention rate; and recent studies show links of any sort (much less ones likely to be identified by a service) are relatively rarely used in spearphishing.
This post has been deleted by its author
The campus network is provided for academic purposes: wen a student pays registration fees, the fees cover the usage of internet, but it may not be covering every possible usage beyond what is needed for studying. That can easily be specified in some form of acceptable user policy. And any usage that does not fall under such APU is filtered out.
When at university, there are rules on other stuff, like you are not allowed to beat up your fellow comrades or you cannot set-up fire to the chemistry lab. Why would there not be rules on the usage of internet?
While this is true, there are a number of other factors to consider:
1. Beating up other students and setting fire to the chemistry labs are clearly much more destructive actions than being able to access gmail.
2. University networks serve a wide range of disciplines, both in teaching and research. Language or politics students have a legitimate need to access news sources from different countries for example, university clubs may use social media such as facebook to coordinate their activities.
3. Research activities may require many different types of data transfer with collaborators, using formats and protocols that the average system administrator is unfamiliar with.
As such the uniform locking down that more paranoid corporations might do with a 'work related only' justification is much more difficult to create and maintain while allowing people to actually get on with stuff. A much more granular approach is needed.
"... while allowing people to actually get on with stuff." And that's where one layer of the problem starts. IT Security Man tell End User (whose main job function is to do 'X') that he has to implement such and such a security procedure that causes End User to do much less 'x' per hour. End User tries to explain the (potential) problems this might cause and finds concerns dismissed. End user informs his boss that IT is trying to prevent him from doing his job. Meanwhile IT Security Man informs his boss that End User is a security risk. Final result? Both End User and IT Security Man gripe about the other's department and the actual issue gets lost in administration.
As an aside, a lesson I've learned from 30+ years of working for large bureaucratic organizations is this: How a manager responds to information depends more on how the manager FEELS about the information giver than on everything else combined!
do much less 'x' per hour.
In a corporation the problem may be doing less X per hour.
In a university or other research institution, it is usually ‘we need to do X, Y and Z, none of which has ever been tried before’. Doing new things is the job description. Especially in hard sciences, where people regularly build their own devices, write software and invent ways how to control them, you can bet at least one of XYZ will be IT-related and impossible in locked down environment...
when considering the threat of data loss at an HE institution?
https://www.theregister.co.uk/2017/02/23/kcl_external_review/
That girl in the pic that accompanies this story (and has sat alongside may others over El Reg history). Well, her homework book always seems to be unerringly marked with a big red 'F' so I don't think she can't be too bright - assuming of course that she is student, rather than teacher.
In consideration of that I'd just have thought by now that the poor lass would have given up on the academics and been snapped up by HP or Capita professional services seeing that 'F' is the benchmark for their "elite" staffers.
You might like to surmise and realise that "insider" attacks are not being launched by disgruntled students or staff but by dedicated smarter elements cloaked and testing out programs with the cream of universal academe. .... and Renegade Rogue Phantom Enemy Outfits ..... urVirtual Opposition in Stellar Competitions
I imagine for a hitherto almighty few, that is a discomfort which triggers the desperate terror associated with the release of thoroughly destructive information which clearly identifies live evil abuse ..... in current maladministrative executive order office use.
But hey, surely that has been long expected and rightfully feared.
You FCUK with Yin and Yang and you think Zero Price Pays the Ultimate Price.
Why would there be any relationship between the security research done by a CS department, and IT hygiene practiced by the rest of the university population?
When a university has a notable cancer researcher in its medical school, that doesn't reduce cancer rates among the general population. Having a famous novelist in the English department doesn't significantly affect the students' taste in literature. A collection of top finance experts over in Business won't mean everyone else at the university is any better at managing their finances.
The fact of the matter is that even star professors remain largely unknown outside their fields at their own institutions, except in a few exceptional cases. While some members of the university population read at least some of those incessant press releases and local-research stories that universities inevitably generate, even with the best intentions it's impossible to remember much of that stuff for any significant length of time.
https://www.ssllabs.com/ssltest/analyze.html?d=cyber.kent.ac.uk&s=129.12.4.59
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C. MORE INFO »
This server does not support Forward Secrecy with the reference browsers. Grade capped to B. MORE INFO »
This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B. MORE INFO »
I used to work as a senior systems engineer at one of the UK Universities. Yep, the IT is poor. Ours was bad because of really bad management, project managers who could barely walk and talk at the same time and senior staff being academics instead of people who could do the job. I once has the Deputy Director of IT order me to give Domain Admin Access rights to a third party company who didn't have a contract with us. Naturally I refused and it all kicked off. We also had the dreaded "I've bought this software now make it do the following and I won't take - it can't do that - for an answer". Place was a joke. Unsurprisingly all the decent staff have left.
It's been my anecdotal experience that IT tends to be better resourced and staffed in commercial organizations than in education, government, or non-profit. Also, as others have pointed out in the comments, IT in education specifically often has considerably less scope to impose controls, and at a large university will probably have a much more heterogeneous environment to worry about.
But this story is really about spearphishing, and we've had many reports lately showing all sorts of organizations are highly vulnerable to spearphishing. That's no surprise. Targeted social engineering has always been effective. People have successfully run confidence games throughout recorded history.
Well that would explain the rash of clearly phishing emails that 'came from' our VC a while ago asking us to 'click on the button below to arrange a meeting'. It caused a certain amount of speculation here in the computing department about whether it was central IT or another department that had cocked up.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
