Given the wealth...
...of info you can dredge up about Unis on Shodan, I'm not surprised a convincing phishing attack can be pulled off.
Uni security is pretty up there on the security shit list.
Re: Given the wealth...
That's deliberate. Unis are porous organisations by design. At one level they are just a great big huge cafe and hotel with meeting rooms which the public flow in and out of both physically and electronically. A bit like libraries.
You won't dupe a uni employee with the promise of a pay rise by email. We all know that there is no such thing as a pay rise unless you are a Vice Chancellor.
Re: Phishing smishing
My uni has had a number of people fall for phishing attacks over the last few years, but it's true that no-one fell for the recent spate of pay rise ones!
(AC for obvious reasons.)
Re: Phishing smishing
Certainly my experience in University IT was that the academic staff were the worst for falling for phishing attacks - we had at least one a day merrily hand over a password to someone
-- this seems to be par strokes for the course. Quoting the Duo.com article: "The most recent data from our free phishing simulation tool, Duo Insight, shows that on average, 13% of users will fall victim to phishing attacks, with 61% of the campaigns resulting in at least one user attempting to submit credentials to our fake phishing page."
Generally: if your org has computer users, it's vulnerable to phishing. The fact that your org is a uni is irrelevant. Might as well be a Japanese distributor of frozen squid, or a Rio Tinto office in Borneo; chances are better than even that someone in a large organization will click that link.
Re: Roight,then --
Agreed. This is a thinly veiled sales pitch. And FOI request? I very much doubt it. FOI can generate release about data already held; this is a survey.
As for phishing attacks in the last year... I can recall at least three every week, and those are the ones that got through the mail filters at (1) the service provider, (2) the institution's custom filters, (3) the default filters on the client machines and (4) the custom filters on the client machine.
As for successful phishing attacks, well I've got a user base of around 250 people and I've only known two people who have succumbed to acting on a phishing mail in the last 12 years, and one of those was a click in error. Only one user ever admitted to entering their details on a website that was suspicious, and we changed the credentials immediately.
I call BS fear-mongering scare-tactic sales techniques on this. They've probably identified universities as having a diverse user base with a wide range of technical skills and identified them as somewhere to sell things... which is exactly what a phisher would do.
Re: Roight,then --
One that admitted to it..
I know of one office, full of highly skilled, highly paid IT specialists, and even though I worked on a different part of site, these supposedly highly intelligent, specialist folk seemed to be easily fooled, going by the amount of time and effort others used to have to put in to keep the systems secure from phishing attacks. They seem very susceptible to falling for ones supposedly using their own secure internal email system, but as I pointed out to the fire crew, you could have a crook on the books, or your system is not as secure as you think...
Duo.com's likely email
Here is what I suspect Duo's email was. No surprise that they got the answer they got. I've removed all individual identifiers that I could find. These FOIs we are required to respond to by law. So you can see how information gets out.
Sent: 14 December 2016 14:57
Subject: Freedom of Information request - Phishing attacks
1. What is your policy for using personally owned devices accessing IT applications?
• We allow access to both student and staff with personal and corporate devices
• We allow access to staff with personal and corporate devices
• We only allow access to corporate devices
2. Do you have visibility into devices that are used to access University applications?
3. Do you use multi-factor authentication (such as a hardware token, software code generated by a mobile phone app, or an SMS code) to access IT applications? Please select one answer only.
• Yes, we use multi-factor authentication for all access by students, faculty and staff onto the devices, apps, intranet or IT network
• Yes, we only use it for access to all sensitive data such as financial payments, grades and personally identifiable data (PII) data held on the network
• No, we just use single factor authentication today
• We just use single factor authentication today but we are planning on implementing multi-factor authentication in the next 12 months.
4. What security risks in personal devices are you most worried about when accessing University applications?
• Out of date software. Ex: Operating systems, browsers
• Physical security of devices. Ex: passcode lock
• Jailbroken / Rooted devices
• Others (Please specify)
5. What is your policy regarding patching and updating digital devices, operating systems and apps which access your corporate network? Please select one answer only.
• We implement all patches/upgrades within 48 hours from notification
• We implement all patches/upgrades within 7 days of notification
• We implement all patches/upgrades within 30 days of notification
• It is impossible for us to maintain all devices, operating systems and apps at the latest version and patches/upgrades typically take longer than 30 days to implement.
• We outsource the patching and upgrade of all our devices and systems to a third party
6. Has your university ever been the victim of a phishing attack (where an individual is duped into disclosing their login, password or credit card details via an email purporting to be from a trusted source)? Please select one answer
• Don’t know
6a. If yes, how often have you experienced a phishing attack in the last 12 months? Please select one answer.
• 0-5 times
• 6-10 times
• 11-50 times
• 51+ times
• Don’t know
6b. If yes, which is the most common target of the phishing campaigns? (please select one)
• Lecturers/faculty staff
• Other (please specify)
6c. What type of data was being targeted? (select all that apply)
• Student personally identifiable information (PII) e.g. date of birth, National Insurance Nos.
• Employee PII
• Financial/payroll data
• Other (please specify)
6d. Did you identify the attackers and, if so, who are they? (select all that apply).
• Organised cyber-criminals
• Opportunistic hackers (non-organised)
• Political hacktivists
• Disgruntled employees/former employees
• Disgruntled students/former students
• State sponsored hackers
• Other (please specify)
"Seven universities, including those with GCHQ-certified degree courses"
Why should having a GCHQ-certified degree course make a difference? It will only involve a tiny percentage of people in the entire university.
It must be a slow news day if undigested PR bumf like this is making its way into el Reg.
Take any population of > 10K users
I read that as 30% of Universities don't know what phishing means. Or perhaps they lie in response to FOI requests.
If you take any large organisation that has access to email you're eventually going to get *someone* fall victim to a phishing attack. The interesting bit is how the organisation responds to it.
Re: Take any population of > 10K users
I'd be interested in seeing which side of the line different universities fall...
Oh, and just an example --
-- this is a good one.
The security and protection of your account is one of our highest priorities. We apologize for any inconvenience that precautionary measures we have taken may have caused you.
Your online account was frozen because you violated the security rules. You need to follow the security link to confirm your identity in order to reactivate it.
Thank you for banking with us. We appreciate the opportunity to serve you.
Bank of America <Dickson.Kevin@BANKAMERICA.COM>
Of course the "Security Center" link is not to bankamerica.com. But the spelling and grammar are correct, the email link looks legit, etc. This particular email landed in an alias email box unconnected to my real name or any real online banking account. But at first glance it's quite a good phishing hook.
Re: Oh, and just an example --
I have, in the past, received many missives about my account at BoA. None of them were as well-written as your example, but all have suffered from one fatal flaw: I don't have an account at BoA.
I have also received missives about my Paypal, EBay, and Facebook accounts, some of them very well written indeed. Once again, the fatal flaw which identifies them as phishing attempts is that I don't have accounts at those places, either.
I have received missives allegedly from banks, etc., where I do have accounts. Legit ones include my account number (NOT the same as the credit card number, if applicable) or at least the last four digits of the account number, and are addressed to me by name, not 'Dear Customer' or similar. Yes, having the account number (or last four) flying around the Internet could be a security problem, but if it's not there, that immediately IDs the post as highly probably phish. In any case, I NEVER click on anything in the post (and legit posts tend to not have anything to click on, anyway) but instead go to the appropriate site directly, by the bookmark in the browser I use for that site. (I use, depending on OS and site, Safari, Opera, or Palemoon. Chrome is avoided as I don't know what it sends to Google and Edge/MSIE is avoided because Microsoft.) As I normally use Firefox for browsing, should I click on something in error it will go out using the wrong browser.
Doing it this way generates more work for me, and isn't 100% secure. It does make it less likely that I'll be phished.
Some sites require that I enter a six-digit PIN to access the account, or at least have that setting as an option which I have set up. I have, for example, recently received multiple emails allegedly from Apple yapping about how my 'iTunes account' or my 'AppleID' has been 'frozen' or 'suspended', usually for 'security reasons'. I have 2FA set up on my Apple account. The phishers don't seem to know that 2FA exists. It's particularly amusing to receive a notification that my 'iTunes account' has been 'suspended' while listening to music courtesy of iTunes Match.
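As an added example (not from the thread), a small check that applies the tells discussed in the two posts above: link domain versus the domain the sender claims, a generic "Dear Customer" greeting, and account-frozen "confirm your identity" wording. The message is constructed to mirror the Bank of America lure quoted earlier; the link host (example.net) and the greeting line are assumptions, since the lure's actual link is not on the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the Bank of America lure quoted in the thread.
# The link host (example.net) and the greeting are assumptions; the real link is not on the page.
SAMPLE_EMAIL = """\
From: Bank of America <Dickson.Kevin@BANKAMERICA.COM>
To: customer@example.org
Subject: Your online account has been frozen
Content-Type: text/html

<p>Dear Customer,</p>
<p>Your online account was frozen because you violated the security rules.
You need to follow the security link to confirm your identity in order to reactivate it.</p>
<p><a href="http://secure-login.example.net/bankamerica/verify">Security Center</a></p>
"""

GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued customer", "dear member")

def registrable_domain(host):
    """Normalise a host to its last two labels (assumption: no public-suffix list needed)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_indicators(raw):
    """Return the indicator names found in one raw RFC 822 message (empty list if none)."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(errors="replace")
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    indicators = []
    # 1. Any link whose host is outside the domain the sender claims to be from.
    for url in re.findall(r'href=["\']([^"\']+)["\']', body, flags=re.I):
        host = urlparse(url).hostname or ""
        if host and registrable_domain(host) != sender_domain:
            indicators.append("link_domain_mismatch")
            break
    # 2. Generic greeting where a bank would use the customer's name.
    text = re.sub(r"<[^>]+>", " ", body).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        indicators.append("generic_greeting")
    # 3. "Frozen/suspended, confirm your identity" pressure wording.
    if re.search(r"\b(frozen|suspended)\b", text) and re.search(r"\b(confirm|verify)\b", text):
        indicators.append("urgency_account_lockout")
    return indicators

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_EMAIL))
```

A message from the bank's own domain, addressed by name and with no lockout wording, yields an empty list; as the posts note, these are heuristics, not proof either way.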
Levels of Victim
There's also quite a continuum between "individual user clicked on dodgy link / handed over login details" to "all the organisation's data is deleted / corrupt / compromised / stolen / being ransomed back to us".
A typical university has 1000s of staff and 10,000s of students all with varying degrees of technical incompetence and/or malicious intent towards the university. The university plans for trouble. So, while it's surprising at my university when a phishing attack *doesn't* net a user, it also doesn't really matter much, as the university systems are actually quite robust to such security failures.
Re: university systems are actually quite robust to such security failures.
Obviously not at KCL, then.