Category: LSE

Targeted Trojans

A very particular problem that we face is around customised malware, aka targeted Trojans. These malicious programs are written specifically to avoid detection by our current anti-virus systems and are sent to carefully selected people within the institution. The purpose of these programs can only be inferred by the recipients.

LSE uses MessageLabs to protect our inbound email, primarily to reduce  the flood of spam to as small a trickle as possible. One of the systems that MessageLabs use is something called skeptic, that tries to identify previously unseen malicious software and to block it.

We think that this has been quite successful, although it is impossible to know how many attacks have managed to get through. Using the information we get from this system, we can discuss the implications of being on the list with the people being targeted.

The uncomfortable facts are that:

  1. LSE is a major target
  2. academia is being systemically attacked by a number of groups
  3. the threat is growing all of the time

There is no foolproof way of blocking every attack, but the intelligence gained from knowing the areas of interest of the attackers allows us to focus our efforts of the people at highest risk.

If you want more information on this or are at LSE and want specific advice, please contact me.

UPDATE: Martin Lee and I are proposing doing a talk about this at the RSA Conference 2012 in San Francisco. See the teaser trailer here.


This week, LSE received a couple of calls from “Microsoft”, stating that they had detected a virus on the PC that the user was using and could they install an update. Luckily, the person they called is in our support team and she managed to string them along for a bit. We have managed to get the originating telephone number, apparently a Croatian number, and have passed it on to the Police.

It’s worth following up on these calls, which are blatant social engineering attempts and informing staff. We have had reports that Skype users are also being targeted.

Student Loan Scam

There is news today of another scam, targeting students. From the article, it seems that several students fell victim to this and are several thousand pounds out of pocket. In essence, this is just another phishing scam but specifically aimed at students, offering them the possibility of a bursary if they fill in a form with their personal details.

The Student Loan’s Company have been the bait for a number of scams over the last few years.

Unfortunately, this has happened before and will happen again. The Government have put some advice up here about what to look out for and some general advice on staying safe online here.

All software has bugs. Some are never found. Some aren’t important. A few are dangerous. It is estimated that Windows XP had 40 million lines of code and Mac OS X 10.4 had about 80 million. It is sadly inevitable that some of these bugs will be exploitable by people who want to hijack your machine for their own reasons.

You might ask yourself “why?”. It’s a perfectly reasonable question. Most of us have far better things to do with their time than to try to get into other people’s computers. You might also suggest that you haven’t got anything worth stealing on your PC anyway, so even if someone did take the time to create an exploit, why bother?

There are a number of reasons for all of this, but it all boils down to one thing: money. The criminal economy on the Internet is huge. And increasing. These criminals don’t care who they target as they operate, mainly, on scale. They ensnare vast numbers of machines, unknown to their owners, to do their bidding through the use of bot nets. Essentially, they use these huge networks of computers to attack company websites and to extort protection money from them. They are also used to send spam, break encryption codes and hide child pornography. As a sideline, they also harvest personal information from the machines they infect and often steal passwords to bank accounts.

So, what can you do about it?

Patch! In Windows, make sure automatic updates are enabled. In Mac OS X, check the Software Update link from the Apple menu (more information).But not just the operating system… If you’re using a PC, download the Secunia Personal Software Inspector. It’s free and shows you all of the programs installed on your PC and whether it’s insecure.

Macs are vulnerable. Even Apple themselves recommend using anti-virus products on OS X. I personally have seen a number of Macs infected with bot nets and Apple have been slow, in the past, to update software that has known bugs in it.

Patching is no substitute for running an anti-virus scanner, but is equally as important. AV scanners will often stop an exploit from working, so it’s best to remove the vulnerable code. It’s worth bearing in mind that AV scanners will also stop things from being installed intentionally by a user of a machine if it’s infected with something.

LSE provides free anti-virus for home use to students and staff here. Other free and paid-for anti-virus products exist.

I’d be interested to know your experiences. Do you patch? Have you had problems in the past with malicious software? Send in your comments…

Web Passwords

Passwords can be a pain. There are thousands of websites across the Internet that require passwords. Traditional advice has been to use different passwords for different applications. This is plainly impossible. A typical user of the Internet probably has passwords for their MSN, Gmail, YahooMail, Flickr, Picassa, Facebook, MySpace, Bebo accounts, as well as for their bank, mobile phone company, energy company, and innumerable other sites, some of which they’ve probably forgotten that they signed up for.

So, instead of saying each account should have a different password, I’d suggest that the best thing to do is to have a few passwords, but to have some rules around the ones that you use regularly.

  1. Always pick a good password. There’s a guide here that offers some ideas.
  2. Don’t use the same password for a mail account that you used to set up a social networking account with. For example, if you use the same password for Hotmail as you do Facebook, and one or the other gets “broken in to”, it’s likely the other will, too. And then it’s incredibly difficult to regain control of either.
  3. Do change them occasionally.
  4. Consider what you’re protecting. Don’t use the same password for all your important accounts (e.g. bank, email) and use a separate password for account for sites you’re not overly bothered about (e.g. that Fraggle Rock appreciation site you signed up to)
  5. Don’t share them! I know this sounds obvious but don’t let anyone else have your password – think about what you’re giving the access to. This is especially true for passwords at university or in the workplace – the risk is much greater than simply to your data as it could impact the whole organisation.

These aren’t simply theoretical risks. In the last few months, I have dealt with situations including the hijacking of a Facebook and related Hotmail account – believe me when I say that this is not easy to resolve – and several instances where people have sent their usernames and passwords to scammers.

The reason scammers want your username and password in a place like a university is because they want to send spam through the universities mail system. Unfortunately, this can lead to the whole university being blacklisted as a spammer and no-one will be able to send or receive email.

Please take care of your passwords.

Webmail Passwords

It was bound to happen. Large lists of account details have been leaked that were compromised through phishing, where the owners of the accounts replied to emails requesting their passwords and, in some cases, the login details to alternative accounts. We put out a message at LSE fairly frequently that people should never hand out their usernames and passwords to anyone – hopefully a fairly unambiguous statement. And yet, we still get people doing it.

I have tried to do a little research into why people continually reply to these messages, and the answer I usually get is that the email making the request “looked official”.

If you have any ideas on how to get the message across, I’d be very interested.

Many organisations have policies that state that it is unacceptable to send emails to large numbers of users either inside or outside the organisations if you don’t have the recipients’ consent. Mass emails present their own problems, especially with attachments. Here’s a quick run down as to why.


The general term for mass unsolicited emails is “spam”. The sorts of emails typically associated with spam are those for dodgy investments (“pump and dump” schemes), growth pills, religious messages, phishing attempts, viruses and everything in between. Many organisations have invested in anti-spam filtering technologies to reduce the amount of junk that they receive (see my previous posting relating to scam/phishing emails for some statistics). The technologies to identify spam is always a “best guess”, using a variety of techniques, which means that some spam gets through and some legitimate emails get blocked.

At a very basic level, there are two main methods for preventing spam. Firstly, there are blacklists where servers who are known to send spam are prevented from sending any emails whatsoever to the organisation protected by anti-spam filtering. Secondly, emails that are received from “clean” servers have their content assessed to see if it matches the profile of known spam. If the score from this assessment is higher than the threshold decided upon by the protected organisation, it won’t get through and, in many cases, the sender’s servers are automatically added to the blacklist (or “greylist“). Rules vary for different products, but may include:

  • Sending to a large number of people
  • BCC’ing instead of sending to explicit addresses
  • Not including a standard greeting (“Dear Sue,” for example)
  • Having a reply-to set differently to the sender’s address

Organisation impact

A key point is that black-and greylists are shared and so if an organisation gets blacklisted it won’t be able to communicate with any organisation using that black- or greylist. Members of an organisation can, quite unwittingly, get their organisation blacklisted, thereby causing a lot of inconvenience to their colleagues.

Which is why organisations take it seriously.

Data Protection

All of the discussion above is quite apart from whether the email addresses should have been collected in the first place and then used for the purpose of sending emails. If in doubt, talk to your data protection manager.

Disk Space

I also have to put a short note in here about disk space. While most modern email systems will store a single copy of an email destined for multiple recipients on an email server, as soon as the email is copied off, forwarded or archived, a copy is made and the amount of space it takes up doubles. So, mass emails that have 1MB attachments can take up significant amounts of space if sent to a large number of people. And disk space is not free.

LSE resources

If you’re at the LSE and do want to send emails to large numbers of people, please see the LSE’s policy on internal email communications and the Conditions of Use for IT Facilities.

UPDATED: A lot of people have been asking me about this in the last two days and I thought I’d summarise my observations here. Please leave a comment if you think I’ve got something wrong or I haven’t answered a particular question.

The Issue

It seems that Microsoft have had a bug in Internet Explorer 5.01 (released in November 1999) that exists right up to the latest beta of IE 8. Essentially, someone can write a web page that references a non-existent page element causing an error within IE that allows code to be run on the local machine as if it were the current user of the machine. Usually this would manifest itself by using IE to download a piece of code from a 3rd website and silently install it, compromising the PC. (Before anyone comments that I’ve over simplified the problem, I have no intention to get into invalid pointer dereferencing in DHTML arrays in this blog.)

This only affects Internet Explorer – not Firefox, Safari, Opera or Chrome (although I’m still a bit sceptical about the patching regime for Chrome at the moment and am hesitant to recommend it).


Because the vulnerability essentially means that an attacker can install anything they like on your machine, anything could have been happened. I don’t mean to panic people, but I honestly don’t have any idea how much information or how many machines have been compromised in this way since the vulnerability was discovered.

Let’s get the issue into perspective. We know that at least 10,000 websites have been compromised and, if visited with a vulnerable web browser, will infect your PC. However, given that there are approximately 110.1 million websites being operated, with a total of 550 billion web pages on the Internet, the proportion of the total affected is small.

It’s also fairly safe to say that most of the “big” sites like the BBC, Microsoft, Yahoo, Google, Blogspot and other sites that have big operations behind them will very quickly find compromises in their sites and fix them – they can’t afford the publicity. Those sites being compromised are the smaller sites, being hosted in a chicken shed at the end of the garden.

I’m definitely not saying this isn’t an issue – it is a huge problem. However, equally, I’m not saying we should all run for the hills.

What is happening and what can I do?

Microsoft have stated that they’ve brought forward a patch for this problem to 1pm EST. This will hopefully solve the problem. There are a few things that you can do, in addition to patching your machine by visiting the Microsoft Update Centre. IMPORTANT: if you’re using a PC supported by LSE, or any other organisation, and it’s on the corporate/work network, patching should be done automatically, as it is at LSE. There is a big difference between running a personal computer and having a reliable network with several thousand on at the same time on a corporate network. Please don’t change the configuration of a work PC. If in doubt, contact your support team (at LSE, these can be found here).

If using your own PC, consider the following:

  • Ensure your anti-virus product is up-to-date
  • Make sure you have a properly configured firewall on your PC
  • Consider using a different web browser
  • Patch regularly
  • Only visit web sites you trust
  • Change your passwords regularly
  • Don’t use the same password for every website

It’s also important to note that this whole sorry episode could well be repeated next week, with another vulnerability, or in a different browser. Please be sensible when surfing the web.

I’d welcome any feedback.

UPDATED (18.55, 17/12/2008): Microsoft have released an update page. See:

We’ve been suffering from a plethora of phishing scams over the last few weeks at LSE. To put this into context, Messagelabs stop in excess of 250,000 spam e-mails from arriving at our mailboxes every week, which represents 25% of the total (1,108,000). So, when one does get through, it is a bit unusual. In the main, these don’t cause a lot of disruption as most people are conditioned to ignore them. However, there’s always someone who does reply and the IT department spends quite a bit of time clearing up the aftermath.

So, here is my one top tip to not getting caught:

Never, ever send your password to anyone by e-mail.

It’s quite simple. No-one should ever ask you to disclose your password by e-mail and you should never, under any circumstances, give it to anyone.

What happens if you do

Here at LSE, we have a set of Conditions of Use for IT Facilities which clearly state that you shouldn’t do this. Most organisations with an information security policy say the same thing. Generally, you can expect your account to be suspended as a minimum.

However, that’s not all. Scammers will use the details that they have gained to abuse the account they have access to steal information and, most likely, send spam out from the account. This means that the account gets blacklisted. Which is a pain.

Phishing for Bank Details

This is obviously a subset of a much wider attempt to con people into handing out personal detail, either directly or trying to convince them that they are on a legitimate site. Many people have received e-mails, purportedly from their bank, asking them to log in by clicking a link in the e-mail and filling in all of their authentication information.

There is a simple way to avoid being duped by one of these e-mails. Never click on the links in the e-mail: always go directly to your bank by manually typing their website address in the address box of your browser.

Browser defences

On top of this, many web browsers now (or will soon) incorporate anti-phishing tools. For example, Mozilla Firefox has a feature that, if turned on, automatically blocks access to known phishing site.

If in doubt, don’t click. And another tip: don’t reply to these scam e-mails with some sarcastic comment: it only confirms your address and you’ll end up getting more spam.

%d bloggers like this: