February 2nd, 2014
IT workers note:
“It wasn’t work. We were making art. Steve insisted that we sign our names on a piece of paper with a Sharpie [pen] and he engraved it on to the mould [inside of the case of the first production run] so all of our signatures would be on it. And the reason is: real artists sign their work and they’re proud of it.” Bill Atkinson, a member of the original Apple Mac team.
We may complain at times that we are called upon to be either heroes or artisans – let’s stop complaining about it and embrace the truth.
January 29th, 2014
No – this isn’t a post about marine life. For the last week we’ve been hearing from people who are receiving malicious emails, apparently from Brandeis email accounts, asking the recipient to log in for important information about his or her Discover card. This is known as phishing, and you can find information on phishing on the LTS website. The email looks like this:
Most of these are going to folks outside of the university – several people who have no connection to Brandeis have called or emailed us to report them (very thoughtful and kind individuals), and some have gone to faculty, staff, and students on campus (around 50 at last count). A couple of things to note:
- these are not actually being sent from Brandeis accounts – the From: address on an email is just text the sender fills in, and nothing checks it, so it’s trivial to make a message look like it’s from any email address.
- you can look at the actual sending address (using Gmail) by selecting “show original”:
- You’ll also note that if you hover your mouse over the link they want you to log in to, the actual URL is pretty suspicious: in this case “http://xxxxxtsg.com/tmp/asisin.php” (I’m blanking out part of the URL intentionally; note that it’s not discover.com!)
- Finally, the language is awkward, and for what it’s worth a credit card company will never send a message like this; they’ll call you if they see suspicious activity on your account. And note that neither LTS nor any other Brandeis unit will ever email you asking for your password.
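The two checks above (the real sending address under “show original”, and the real destination of the link) can be scripted. Here is an added example, not code from the original post, that does both with Python’s standard library. The message it runs on is constructed for the example: the addresses, hostnames, IP addresses and link are invented (reserved example names and ranges), and the actual sending address and URL from the phishing mail above are not reproduced.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example. Every address, host, IP and
# URL here is invented; it mimics the shape of the phishing mail, not its content.
RAW_MESSAGE = b"""Return-Path: <bounce-4471@mail.discover-verify.example.net>
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
\tby inbound.example.edu with ESMTP; Wed, 29 Jan 2014 09:12:03 -0500
Received: from vps42.discover-verify.example.net (203.0.113.77)
\tby mx.example.edu with SMTP; Wed, 29 Jan 2014 09:12:01 -0500
From: "Discover Card Services" <someone@brandeis.edu>
To: recipient@example.org
Subject: Important information about your Discover card
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Dear customer, we detect unusual activities on your card.</p>
<p>Please <a href="http://discover-verify.example.net/tmp/login.php">https://www.discover.com/account</a> to review.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'owner' of a hostname: its last two labels. Enough for this
    comparison; a real tool would consult the Public Suffix List."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def hostname_of(text):
    """Hostname named by link text, if the text itself looks like a URL."""
    if " " in text or "." not in text:
        return ""
    candidate = text if "://" in text else "http://" + text
    return urlparse(candidate).hostname or ""


def analyse_message(raw):
    """Return the sender indicators a reader sees under 'show original',
    plus every link whose visible text names a different domain than its href."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_from = parseaddr(str(msg.get("From", "")))[1]
    # Return-Path is written by the receiving server from the SMTP envelope,
    # which is what the sending software actually used.
    envelope_sender = parseaddr(str(msg.get("Return-Path", "")))[1]

    # Each relay prepends a Received: header, so the last one is the earliest
    # hop. Only the hops added by your own servers are trustworthy.
    received = [str(h) for h in msg.get_all("Received", [])]
    first_hop = ""
    if received:
        m = re.search(r"from\s+([\w.-]+)", received[-1])
        first_hop = m.group(1) if m else ""

    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")

    mismatches = []
    for href, text in extractor.links:
        shown = hostname_of(text)
        actual = urlparse(href).hostname or ""
        if shown and registered_domain(shown) != registered_domain(actual):
            mismatches.append((shown, actual))

    from_domain = header_from.rpartition("@")[2].lower()
    envelope_domain = envelope_sender.rpartition("@")[2].lower()
    return {
        "header_from": header_from,
        "envelope_sender": envelope_sender,
        "sender_domain_mismatch": from_domain != envelope_domain,
        "first_hop": first_hop,
        "link_mismatches": mismatches,
    }


if __name__ == "__main__":
    for key, value in analyse_message(RAW_MESSAGE).items():
        print(f"{key:>23}: {value}")
```

Run it on a saved .eml and the output shows exactly what the two manual checks show: a From: address at the university, an envelope sender and first hop somewhere else entirely, and a link whose text says discover.com while its destination does not.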
If you get any email that you think is suspicious – either forward it to email@example.com or, better yet, simply delete it. And don’t forget to check out the additional, more detailed information on our LTS Phishing pages and/or the Brandeis Technology Forum, which often has information about current phishing emails the community is seeing.
January 26th, 2014
As Marianne Cooper observes in the Harvard Business Review, “High-achieving women experience social backlash because their very success— and specifically the behaviors that created that success—violates our expectations about how women are supposed to behave.”
January 24th, 2014
I was once asked by an executive, “so, what would we do if we were subject to a cyberattack?” What I was really being asked was “are we prepared for a cyberattack, and if not, what do we need to do to be ready?”, which is exactly the right question to ask your security staff. What the question misses is that we (and by we I mean everyone) are under continuous cyberattack from the Internet. Granted, a lot of that activity is fairly mindless scanning, but here’s a lovely little example of what goes on pretty regularly.
So what is this? This chart displays all of the failed attempts to log into the campus shell server (think secure command line if you don’t know what a shell is) for a period of ~22 minutes this morning (1:06:49 am to 1:28:02 am, 283 attempts) from a single location in Guangzhou China.
What I wanted to point out to the non-IT professional is that this isn’t an “attack” in the sense that someone is probing a machine for unpatched software – whoever is behind this is attempting to log into the server by trying a variety of “guessable” account names, probably with a variety of empty or default passwords. In total 184 different usernames were tested. These range from the typical (root, oracle, visitor) to common names (matt, samuel, and sarah) to the less biblical (panorama, newsletter, and zxin). The attackers hope to find an account they can log in with and, from there, launch a further, more penetrating attack on the campus and its infrastructure.
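The chart above came from counting failed logins in the shell server’s logs. As an added example (not the script behind the chart, and not part of the original post), here is how that counting looks in Python over OpenSSH’s standard “Failed password” syslog lines: group failures by source address, then flag any address that either fails many times inside a short window or tries many different usernames. The log lines are constructed for the example, reusing some of the usernames quoted above; the addresses, hostname and thresholds are assumptions, and the real attempt count (283) and username count (184) from the post are not reproduced.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches OpenSSH's rejected-password line; an account that does not exist is
# logged as "invalid user". Syslog timestamps carry no year, so we supply one.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failed_login(line, year=2014):
    """Return the fields of one failed-login line, or None for any other line."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "user": m["user"], "ip": m["ip"],
            "invalid_user": bool(m["invalid"])}


def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse_auth_log(lines, window=timedelta(minutes=10),
                     max_failures=10, max_users=5):
    """Per source address: failure count, distinct usernames tried, how many
    targeted non-existent accounts, the densest burst, and a verdict."""
    per_ip = defaultdict(list)
    for line in lines:
        event = parse_failed_login(line)
        if event:
            per_ip[event["ip"]].append(event)

    report = {}
    for ip, events in per_ip.items():
        times = [e["ts"] for e in events]
        users = {e["user"] for e in events}
        burst = max_in_window(times, window)
        report[ip] = {
            "failures": len(events),
            "distinct_users": len(users),
            "unknown_accounts": sum(e["invalid_user"] for e in events),
            "burst": burst,
            "first": min(times),
            "last": max(times),
            # A person mistyping a password fails a few times on one account;
            # a guessing tool fails quickly across many accounts.
            "flagged": burst >= max_failures or len(users) >= max_users,
        }
    return report


# Constructed sample log: one scanner (203.0.113.9) walking a username list two
# guesses apiece at 01:06:49, plus a legitimate user who mistyped twice.
GUESSED_USERS = ["root", "oracle", "visitor", "matt", "samuel", "sarah",
                 "panorama", "newsletter", "zxin", "admin", "test", "guest"]


def _constructed_log():
    lines = []
    t = datetime(2014, 1, 24, 1, 6, 49)
    for user in GUESSED_USERS:
        for _ in range(2):
            kind = "" if user == "root" else "invalid user "
            lines.append(f"{t:%b %d %H:%M:%S} shell sshd[4127]: Failed password "
                         f"for {kind}{user} from 203.0.113.9 port {40000 + len(lines)} ssh2")
            t += timedelta(seconds=5)
    lines += [
        "Jan 24 08:15:02 shell sshd[5190]: Failed password for alice from 198.51.100.4 port 51733 ssh2",
        "Jan 24 08:15:09 shell sshd[5190]: Failed password for alice from 198.51.100.4 port 51733 ssh2",
        "Jan 24 08:15:20 shell sshd[5190]: Accepted password for alice from 198.51.100.4 port 51733 ssh2",
    ]
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, summary in analyse_auth_log(SAMPLE_LOG).items():
        verdict = "GUESSING" if summary["flagged"] else "ok"
        print(f"{ip:>15}: {summary['failures']:3d} failures, "
              f"{summary['distinct_users']:3d} usernames, "
              f"{summary['unknown_accounts']:3d} for accounts that do not exist "
              f"[{verdict}]")
```

Feed it `grep sshd /var/log/auth.log` (or the journal equivalent) and the scanner stands out immediately; the “unknown_accounts” column is the tell, since a real user does not try accounts that were never created.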
The moral of the tale is that if you are responsible for setting up any computing equipment (software or hardware, including your home wireless router) – you really must change the default password for any accounts delivered with your system. You never know who’s knocking on your door at 1 in the morning.
January 20th, 2014
I wish this was simply malicious. But it’s ignorance (or at best, marketing trumping common sense). From the website of the new Canary home security system:
4b: How secure is it?
We use bank-level security. All communication between your Canary, the Canary Cloud and your smart phone is encrypted over SSL (HTTPS). Video and audio are stored and encrypted using AES-256 bit encryption. You decide how long you want to store sensor data, if at all.
The fact that your data is transmitted via SSL is important, but it is so basic that it’s almost akin to saying “the new Toyota now comes with a brake!” While it’s a good thing they’re encrypting your data while it’s stored (known as “data at rest”), it’s also no panacea – when and how data is encrypted, and who holds the key, is actually more nuanced than that. For example, if my laptop hard drive is fully encrypted but unlocked with a weak, guessable password, the encryption is of no value whatsoever. Don’t get me wrong, I’m glad to see they’re doing this, but really assessing a vendor’s security isn’t easy. Over the last 6 years, it’s safe to say that evaluating third party services has consumed more of my time (as a security professional) than any other activity. Many of my peers say the same thing.
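To make the laptop point concrete, here is an added example (my own illustration, not Canary’s code or any particular disk encryption product): a volume’s data key is derived from the password with PBKDF2, so the strength of “AES-256” collapses to the strength of the password, and a guessable one falls to a short dictionary without ever touching the ciphertext. The iteration count, the key-check construction and the word list are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumed PBKDF2 work factor; real products vary, and higher only slows the
# attacker by the same constant it slows the legitimate unlock.
ITERATIONS = 100_000


def derive_key(password, salt, iterations=ITERATIONS):
    """Stretch a password into a 256-bit key, as a volume header would."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def make_header(password, salt=None):
    """Mimic what an encrypted volume stores to verify an unlock attempt: the
    salt plus an HMAC over a fixed string under the derived key. Nothing here
    is secret; anyone holding the disk image has it."""
    salt = salt or os.urandom(16)
    key = derive_key(password, salt)
    check = hmac.new(key, b"volume-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": ITERATIONS, "check": check}


def unlock(header, password):
    """Return the key if the password is right, else None."""
    key = derive_key(password, header["salt"], header["iterations"])
    check = hmac.new(key, b"volume-key-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["check"]) else None


# Constructed word list; a real attack uses millions of leaked passwords.
WORDLIST = ["123456", "password", "letmein", "welcome", "qwerty", "Password1", "brandeis"]


def dictionary_attack(header, wordlist):
    """Try each candidate against the stored check value. Returns the
    recovered password and how many guesses it took, or (None, guesses)."""
    for n, guess in enumerate(wordlist, 1):
        if unlock(header, guess) is not None:
            return guess, n
    return None, len(wordlist)


if __name__ == "__main__":
    for pw in ("Password1", "correct horse battery staple cliffhanger"):
        found, tries = dictionary_attack(make_header(pw), WORDLIST)
        print(f"{pw!r:45} -> {'recovered after' if found else 'not found in'} {tries} guesses")
```

The AES key in the strong case is exactly as long and as random-looking as in the weak case; the only difference is how many guesses stand between an attacker with the disk image and that key.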
If you really want to dive into the nitty-gritty of vendor assessments, feel free to drop by to discuss it but a great starting point is the excellent work being done by the good people at the cloud security alliance.
January 19th, 2014
So all weekend I’ve been enamored with the notion of a fantasy University league along the lines of a fantasy sports league (full disclosure, the only fantasy sports league I’ve ever joined was professional bass fishing – truly I joined only to annoy my friends who were/are avid fantasy baseball fanatics).
Instead of forming a team, you’d form Colleges (and eventually Departments); instead of recruiting a pitcher, perhaps you’d build a startup package to recruit a top physicist or string quartet. A fully fleshed out game would allow you to manage an endowment and alumni and be loosely coupled to the actual economy based on the location your ‘team’ was based in. Ideally your “team” (aka faculty) would benefit as real faculty published papers, books, or won awards. A dynamic system would scour online services for publications or grants (“Why so chipper today, Mike?” “Professor Mendelssohn got an NSF grant! I’m sure to climb the US News rankings!”).
Of course, a real University is so much more than the academic success of its faculty – the modern University isn’t merely a business or a school, it’s a municipality with banking functions, a police force, housing, a variety of IT services, and sometimes, I hear, athletics. What we’re really talking about here is a modeling effort, which sounds to me like a really fascinating student project.
January 16th, 2014
I remember a meeting on national security with an unnamed three letter agency, where the conversation revolved around international access to Intellectual Property. Obviously protecting our IP is a good thing. However here’s a quick snapshot of the country of origin for logins to Brandeis systems in the last 24 hours.
This isn’t to say that all of these represent a student or faculty member from the listed country. Some are individuals doing field work, collaborating at other institutions, or traveling through the listed country – and some are probably malicious logins from compromised accounts. But it’s a nice illustration of how borderless a University is these days.
January 15th, 2014
On average around two thirds of the email sent to the Brandeis community is spam or phishing emails. This is a remarkable number though by no means exceptional – many Universities see a reject rate of nearly 90% with even higher peaks.
FWIW, Educational communities continue to be the top target for spam globally (though not for phishing).
So why is this interesting? Most people who don’t work in IT find it surprising that such a high percentage of the email coming to campus is simply rejected out of hand (though to be fair, this is a smaller percentage than the physical mail I get at home that gets immediately tossed into the recycling).
At first blush it seems a bit odd that educational institutions would be so highly targeted - I’d like to think that our better educated population would make poor targets for spam and phishing – but in all likelihood this reflects the huge online footprint of our student populations. Most spammers aren’t really that sophisticated – it’s the professional phishing outfits that are scary.
But today’s factoid is a window on IT costs. Email, despite being the engine that powers so much of our operation, is a commodity. Google alone provides over 400 million accounts worldwide. Brandeis, like so many others, shifted email out to Google not solely because Google Apps and Gmail are so good – there’s also the promise that they’ll be cheaper. For the most part they are, yet as the chart shows we still need to devote resources to filtering, scanning, and basically cleansing the email stream to stop both the merely annoying and the truly malicious. This investment allows the community to focus on learning, teaching, research, and social engagement rather than spending half our day deleting 60% of our email, and it lowers the risk that a malicious email message will result in a loss of personal or University information.