Tag Archive: LSE

Targeted Trojans

A very particular problem that we face is around customised malware, aka targeted Trojans. These malicious programs are written specifically to avoid detection by our current anti-virus systems and are sent to carefully selected people within the institution. The purpose of these programs can only be inferred by the recipients.

LSE uses MessageLabs to protect our inbound email, primarily to reduce the flood of spam to as small a trickle as possible. One of the systems that MessageLabs use is called Skeptic, which tries to identify previously unseen malicious software and block it.

We think that this has been quite successful, although it is impossible to know how many attacks have managed to get through. Using the information we get from this system, we can discuss the implications of being on the list with the people being targeted.

The uncomfortable facts are that:

  1. LSE is a major target
  2. academia is being systemically attacked by a number of groups
  3. the threat is growing all of the time

There is no foolproof way of blocking every attack, but the intelligence gained from knowing the areas of interest of the attackers allows us to focus our efforts on the people at highest risk.

If you want more information on this or are at LSE and want specific advice, please contact me.

UPDATE: Martin Lee and I are proposing doing a talk about this at the RSA Conference 2012 in San Francisco. See the teaser trailer here.

This week, LSE received a couple of calls from “Microsoft”, stating that they had detected a virus on the PC that the user was using and could they install an update. Luckily, the person they called is in our support team and she managed to string them along for a bit. We have managed to get the originating telephone number, apparently a Croatian number, and have passed it on to the Police.

It’s worth following up on these calls, which are blatant social engineering attempts, and informing staff. We have had reports that Skype users are also being targeted.

Student Loan Scam

There is news today of another scam, targeting students. From the article, it seems that several students fell victim to this and are several thousand pounds out of pocket. In essence, this is just another phishing scam but specifically aimed at students, offering them the possibility of a bursary if they fill in a form with their personal details.

The Student Loans Company has been the bait for a number of scams over the last few years.

Unfortunately, this has happened before and will happen again. The Government have put some advice up here about what to look out for and some general advice on staying safe online here.

IPv6 Challenges

There’s been a lot of discussion about the advantages of IPv6 in the press in recent months, focusing mainly on the huge increase in address space that a migration will give. But there are other features of IPv6 that are both a boon for the individual user and a headache for an IT department. Like many things, it’s a bit of a double-edged sword, one that cannot be ignored indefinitely.

The wonders of IPv4

IPv4 is one version of the “Internet Protocol”, an integral part of TCP/IP, which was developed in the mid-1970s as a set of scalable communications protocols. The intention was to keep it as simple as possible, allowing any type of equipment with the right protocol stack installed to communicate with any other device, regardless of what those devices were. In those days, four billion addresses seemed like “enough”.

One of the consequences of this design strategy was to include no provision for security in general, with unencrypted networks, no authentication and any number of potential ways of attacking a victim. To be fair, in those days, people had a very different attitude to these networks; it was never envisaged that anyone would want to attack someone else. It just wasn’t “the done thing”.

Fast forward 30 years and a number of things have happened: an explosion in the number of devices connecting to the Internet, malicious software, Denial of Service attacks holding on-line companies hostage and the fear of being snooped on by anyone who has access to your data connection (anyone from the Government to Phorm).

The issue of a fast-reducing available address space was identified, and to some extent mitigated by using Network Address Translation, which allows organisations to use reserved IPv4 address ranges (…) internally and only a limited number of properly routable addresses on the Internet, effectively hiding the machines they have on their internal networks; all consumer equipment these days is configured to use NAT.

IPv6 – a new era

In 1998, the IETF published RFC 2460, which outlined IPv6 and a number of features not included in IPv4, including:

  • a vastly increased address space – IPv4 had a total of 4,294,967,296 addresses. IPv6 has 2^128 (approximately 340 undecillion, or 3.4×10^38), which amounts to approximately 5×10^28 addresses for each of the 6.8 billion people alive in 2010 (taken from Wikipedia)
  • integration of IPSec, including packet authentication and encryption
  • stateless address autoconfiguration

These are real advances over IPv4. However, there are some things that companies do routinely that may become a whole lot more complicated:

Penetration testing: LSE, for example, has been allocated an IPv6 address space that contains more addresses than the whole of IPv4. The length of time needed to scan a space of this size is enormous.
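To make the address-space arithmetic from the bullet list and the scanning point above concrete, here is a small added example (not code from the original post). It assumes a hypothetical /48 site allocation, written with the documentation prefix 2001:db8::/48, and a constructed probe rate of one million probes per second.

```python
import ipaddress

# Assumed values, constructed for this example and not taken from the post:
# a hypothetical /48 site allocation (documentation prefix) and a probe rate.
EXAMPLE_PREFIX = "2001:db8::/48"
EXAMPLE_PROBE_RATE = 1_000_000          # probes per second
IPV4_TOTAL = 2 ** 32                     # every IPv4 address, routable or not
WORLD_POPULATION_2010 = 6_800_000_000    # figure used in the post

def num_addresses(prefix: str) -> int:
    """Number of addresses in a CIDR prefix, IPv4 or IPv6."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses

def ipv4_space_multiple(prefix: str) -> float:
    """How many times the entire IPv4 address space fits into this prefix."""
    return num_addresses(prefix) / IPV4_TOTAL

def addresses_per_person(population: int) -> float:
    """Whole IPv6 space divided among a given population."""
    return num_addresses("::/0") / population

def exhaustive_scan_years(prefix: str, probes_per_second: float) -> float:
    """Time in years to probe every address in the prefix exactly once.

    This is the naive cost that makes a brute-force sweep of a site's
    IPv6 allocation impractical; it ignores retries and response time.
    """
    seconds = num_addresses(prefix) / probes_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    print(f"{EXAMPLE_PREFIX} holds {num_addresses(EXAMPLE_PREFIX):.3e} addresses, "
          f"{ipv4_space_multiple(EXAMPLE_PREFIX):.3e} x the whole of IPv4")
    print(f"IPv6 gives {addresses_per_person(WORLD_POPULATION_2010):.1e} "
          f"addresses per person (2010 population)")
    print(f"Sweeping all of IPv4 at {EXAMPLE_PROBE_RATE:,}/s takes "
          f"{exhaustive_scan_years('0.0.0.0/0', EXAMPLE_PROBE_RATE) * 365.25 * 24:.1f} hours")
    print(f"Sweeping {EXAMPLE_PREFIX} at the same rate takes "
          f"{exhaustive_scan_years(EXAMPLE_PREFIX, EXAMPLE_PROBE_RATE):.1e} years")
```

The /48 alone is 2^48 times the size of the whole IPv4 Internet, which is why defenders cannot rely on a sweep to find their own unmanaged IPv6 hosts either; inventory has to come from routers, DHCPv6/RA logs and neighbour tables instead.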

Firewalling: subnetting works differently in IPv6 from IPv4, and there is provision for frequent address changes. In addition, having every outbound connection effectively open up a VPN into an organisation’s network means that banned traffic can be transparently tunnelled through a firewall that would otherwise block it.

Deep packet inspection: this becomes very difficult if all packets are encrypted.

Web filtering: again, with packet-layer encryption, how can traffic be inspected before it hits the end device?

SSL has always been difficult to monitor on IPv4 networks. Companies that need to inspect this traffic have to simulate a man-in-the-middle attack: terminate the connection from the user’s device, re-establish a secured connection to the requested resource (e.g. a bank), and use the resulting break in the session to inspect the traffic. It’s a messy solution and doesn’t go down well with users. In a full IPv6 world, this type of challenge will be with us every day.

There’s a really great paper on some of these issues here.

The majority of people I talk to want to do the right things online to protect themselves but don’t know what to do. That said, most people won’t go hunting for information to help themselves, because they have to wade through great mountains of jargon and impenetrable comments from all quarters. If they do go looking, many give up.

So, I have been organising a series of three evenings at LSE, in the Old Theatre, with eminent speakers to explain what’s going on in the information security world, and how you can protect yourselves.

These will take place on the 19th, 20th and 21st of October from 6.30pm and are open to the general public.
