You don't need a PhD to phish a Brit university: Nonprofit claims 100% hit rate is easy peasy

British university admin folk are alarmingly easy to phish, according to an academic support body which claims a 100 per cent success rate "within two hours". Jisc, the artists formerly known as the Joint Information Systems Committee, claimed to have secured a "100 per cent track record" when securing illicit access to "high …

  1. Anonymous Coward

    Wot no web filtering

    Not particularly familiar with uni campus networks since foraging around Netware systems for pr0n in the early '90s, but I know one that only a couple of years ago rebuffed the need for any web filtering on the campus network because of potential infringement on privacy and civil liberties. Sure, I get that student and academic devices are on and off network all the time and therefore these networks are probably quite easy to breach, but the lack of foundational security makes this report entirely unsurprising.

    1. Terry 6 Silver badge
      Joke

      Re: Wot no web filtering

      Re: " foraging around Netware systems for pr0n in early 90s'"

      Couldn't you have just bought it from WH Smith?

      1. Chunky Munky
        Pint

        Re: Wot no web filtering

        Couldn't you have just bought it from WH Smith?

        Wot? and waste all the beer money?

      2. Anonymous Coward

        Re: Wot no web filtering

        "Couldn't you have just bought it from WH Smith?"

        Spend money? On pr0n? How very '80s...

    2. Captain Scarlet Silver badge

      Re: Wot no web filtering

      Normally Pen Testers will be given internal access, so emails which may normally be blocked aren't.

      All they probably have done is spoofed an email internally and recorded who clicked the links.

      1. Anonymous Coward

        Re: Wot no web filtering

        We've done that exercise (or had it run by our institute IT team) and anyone who fell for it was 're-educated'. (Actually, they were re-educated without sinister quotes...).

        Brilliantly though, institutional email has now started munging all links in incoming email through an MS-backed 'safelinks' site. Outcomes: Links in old emails will be invalid if needed in a couple of years when the API inevitably changes, Thunderbird now warns that they're all potential phishing attacks (technically true...) and if one does slip through it makes it harder for the aware user to assess veracity because the link is much less human-readable.

        1. Captain Scarlet Silver badge

          Re: Wot no web filtering

          You can sort of pick through the generated link to put the link back together, can't tell by a simple look if links are valid anymore though.
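The "picking through the generated link" described in the comment above can be automated so the real destination is shown to the user before they click. The following is an added example, not code from this thread or from Microsoft or Trend Micro. It assumes the rewriting service carries the original URL percent-encoded in a `url` query parameter on a fixed wrapper host (the parameter name matches what Safe Links uses; the wrapper host names, the `wrap` helper and the sample links are constructed for this example). It also handles the case the comment hints at, a link wrapped twice when mail passes through two rewriting services.

```python
"""Recover the real destination of a rewritten ("munged") e-mail link.

Added example, not from the comment thread. Assumptions:
  * the rewriting service puts the original URL, percent-encoded, in a
    query parameter named "url" on a wrapper host;
  * the wrapper hosts and sample links below are constructed.
"""
from urllib.parse import urlsplit, parse_qs, quote

# Hosts assumed to be link-rewriting front ends (constructed list).
WRAPPER_HOSTS = {
    "safelinks.example.com",
    "urlmangler.example.net",
}

# Query parameter assumed to carry the original URL.
URL_PARAM = "url"


def unwrap_link(link: str, max_depth: int = 5) -> str:
    """Return the original destination behind a rewritten link.

    Unwraps repeatedly (up to max_depth) so a link that went through two
    rewriting services is still resolved. A link whose host is not a
    known wrapper, or a wrapper link with no payload, is returned as-is.
    """
    current = link
    for _ in range(max_depth):
        parts = urlsplit(current)
        if parts.hostname not in WRAPPER_HOSTS:
            return current
        # parse_qs percent-decodes the value once, which is exactly the
        # encoding the wrapper applied; do not unquote a second time or a
        # literal "%25" in the original URL would be corrupted.
        inner = parse_qs(parts.query).get(URL_PARAM)
        if not inner:
            return current
        current = inner[0]
    return current


def describe_link(link: str) -> dict:
    """Summarise what a reader wants to know before clicking."""
    target = unwrap_link(link)
    return {
        "shown": link,
        "real_destination": target,
        "real_host": urlsplit(target).hostname or "",
        "was_rewritten": target != link,
    }


# --- constructed sample input -------------------------------------------
def wrap(link: str, host: str) -> str:
    """Mimic a rewriting service (constructed helper for the sample data)."""
    return f"https://{host}/?url={quote(link, safe='')}&reserved=0"


SAMPLE_SINGLE = wrap("https://www.example.org/courses/physics",
                     "safelinks.example.com")
SAMPLE_DOUBLE = wrap(wrap("https://www.example.org/login",
                          "urlmangler.example.net"),
                     "safelinks.example.com")
SAMPLE_PLAIN = "https://www.example.org/plain"

if __name__ == "__main__":
    for sample in (SAMPLE_SINGLE, SAMPLE_DOUBLE, SAMPLE_PLAIN):
        info = describe_link(sample)
        print(f"{info['shown']}\n  -> {info['real_destination']} "
              f"(host: {info['real_host']}, rewritten: {info['was_rewritten']})")
```

The host of the unwrapped destination is the value worth surfacing to users: it restores the one check (does the domain look right?) that link rewriting otherwise takes away from them.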

        2. Michael Wojcik Silver badge

          Re: Wot no web filtering

          Yes, Microsoft's link munging (one of my former almae matres also has this service) is abominable. It creates a horrible mess, frequently doesn't work right (at least for me), and probably adds little of value. While common-or-garden phishing is a danger, I doubt these services have a high prevention rate; and recent studies show links of any sort (much less ones likely to be identified by a service) are relatively rarely used in spearphishing.

          1. Ideala2

            Re: Wot no web filtering

            Ugh... Our university has since gone the trendmicro-URL-mangling route too.

            So one either has to hide URLs as links in HTML / RTF - or send as plain-text + give up sending a legible / permanent link.

            It turns users into idiots once again, after years of educating them not to click a link unless they know where it's going to... now every link has to be trusted because f*ck knows where it actually goes.

            What's more, the system cannot cope with unique links or bespoke attacks, as by the time it is flagged as dodgy the first wave has already hit.

    3. Olivier2553 Silver badge

      Re: Wot no web filtering

      The campus network is provided for academic purposes: when a student pays registration fees, the fees cover the usage of the internet, but they may not cover every possible usage beyond what is needed for studying. That can easily be specified in some form of acceptable use policy, and any usage that does not fall under such an AUP is filtered out.

      When at university, there are rules on other stuff: you are not allowed to beat up your fellow comrades, and you cannot set fire to the chemistry lab. Why would there not be rules on the usage of the internet?

      1. ibmalone Silver badge

        Re: Wot no web filtering

        While this is true, there are a number of other factors to consider:

        1. Beating up other students and setting fire to the chemistry labs are clearly much more destructive actions than being able to access gmail.

        2. University networks serve a wide range of disciplines, both in teaching and research. Language or politics students have a legitimate need to access news sources from different countries for example, university clubs may use social media such as facebook to coordinate their activities.

        3. Research activities may require many different types of data transfer with collaborators, using formats and protocols that the average system administrator is unfamiliar with.

        As such the uniform locking down that more paranoid corporations might do with a 'work related only' justification is much more difficult to create and maintain while allowing people to actually get on with stuff. A much more granular approach is needed.

        1. AK565

          Re: Wot no web filtering

          "... while allowing people to actually get on with stuff." And that's where one layer of the problem starts. IT Security Man tells End User (whose main job function is to do 'X') that he has to implement such and such a security procedure that causes End User to do much less 'X' per hour. End User tries to explain the (potential) problems this might cause and finds his concerns dismissed. End User informs his boss that IT is trying to prevent him from doing his job. Meanwhile IT Security Man informs his boss that End User is a security risk. Final result? Both End User and IT Security Man gripe about the other's department and the actual issue gets lost in administration.

          As an aside, a lesson I've learned from 30+ years of working for large bureaucratic organizations is this: How a manager responds to information depends more on how the manager FEELS about the information giver than on everything else combined!

          1. find users who cut cat tail

            Re: Wot no web filtering

            do much less 'x' per hour.

            In a corporation the problem may be doing less X per hour.

            In a university or other research institution, it is usually 'we need to do X, Y and Z, none of which has ever been tried before'. Doing new things is the job description. Especially in the hard sciences, where people regularly build their own devices, write software and invent ways to control them, you can bet at least one of X, Y and Z will be IT-related and impossible in a locked-down environment...

  2. Anonymous Coward

    Where does one start...

    when considering the threat of data loss at an HE institution?

    https://www.theregister.co.uk/2017/02/23/kcl_external_review/

  3. Aristotles slow and dimwitted horse Silver badge

    That girl in the pic...

    That girl in the pic that accompanies this story (and has sat alongside many others over El Reg history). Well, her homework book always seems to be unerringly marked with a big red 'F' so I don't think she can't be too bright - assuming of course that she is a student, rather than a teacher.

    In consideration of that I'd just have thought by now that the poor lass would have given up on the academics and been snapped up by HP or Capita professional services seeing that 'F' is the benchmark for their "elite" staffers.

    1. BigSLitleP Silver badge
      Trollface

      Re: That girl in the pic...

      "Well, her homework book always seems to be unerringly marked with a big red 'F' so I don't think she can't be too bright"

      I think she may be holding your old English language homework......

      1. Evil Auditor Silver badge

        Re: That girl in the pic...

        To be fair, for a horse its English is astonishingly good.

        1. ibmalone Silver badge

          Re: That girl in the pic...

          Its Attic Greek is even better!

    2. Wayland Bronze badge

      Re: That girl in the pic...

      She has the glasses of someone trying to look smart.

  4. Anonymous Coward

    Sh*tstorm

    To say this has caused a sh*tstorm in the sector would be a bit of an understatement...

    1. Anonymous Coward

      Re: Sh*tstorm

      You ain't kidding. That's going to make Networkshop a bit uncomfortable for some of the Jisc people next week.

  5. knarf

    Send them a pdf

    With: "Sorry, late course work", would be bound to work.

  6. Bongwater

    Zuckerborg

    Didn't he have Harvard students sending him their socials to get a Koobface account? Could have been a rumor I suppose, but I saw it mentioned here first years ago.

  7. amanfromMars 1 Silver badge

    Nothing to See Here ... Move Right Along Please .... NOT

    You might like to surmise and realise that "insider" attacks are not being launched by disgruntled students or staff but by dedicated smarter elements cloaked and testing out programs with the cream of universal academe. .... and Renegade Rogue Phantom Enemy Outfits ..... urVirtual Opposition in Stellar Competitions

    I imagine for a hitherto almighty few, that is a discomfort which triggers the desperate terror associated with the release of thoroughly destructive information which clearly identifies live evil abuse ..... in current maladministrative executive order office use.

    But hey, surely that has been long expected and rightfully feared.

    You FCUK with Yin and Yang and you think Zero Price Pays the Ultimate Price.

    1. amanfromMars 1 Silver badge

      Re: Nothing to See Here ... Move Right Along Please .... NOT

      Ooops ..... sorry.

      That last sentence should read ....You FCUK with Yin and Yang and you think Zero Cost Pays the Ultimate Price ‽ .

      1. Intractable Potsherd Silver badge

        Re: Nothing to See Here ... Move Right Along Please .... NOT

        Nice use of the interrobang, AMfM! It is a shame that native Earthlings don't use it more often...

  8. dnicholas Bronze badge

    High value

    How much we talking?

    Getting the bursar to transfer £10k ad hoc, yes. All the philosophy students' musings, not worth a bean.

    1. TRT Silver badge

      Re: High value

      There you go again, undervaluing the efforts of your working thinker. You'll have a national philosophers' strike on your hands!

      1. DCFusor Silver badge

        Re: High value

        And who exactly will that hurt?

        1. Eltonga
          Joke

          Re: High value

          And who exactly will that hurt?

          What? The future of humankind itself... NOT

        2. TRT Silver badge

          Re: High value

          Never you mind, buster; it'll hurt.

  9. Anonymous Coward

    Phish me ...

    I once applied for a sysop job at a UK university. Perhaps the reason I didn't get it was because I wasn't gullible enough?

  10. EBG

    but .. but

    ... every university computer science dept. that is claiming to be anything has its cybersecurity Prof(s). Almost always " world leading".

    1. Omgwtfbbqtime Silver badge
      Facepalm

      Re: but .. but

      World leading?

      The word lemmings springs to mind...

      1. TRT Silver badge

        Re: but .. but

        WWAWD?

        (What Would Alan Woodward Do?)

        The roll-out commentator for any cyber-story in the popular press nowadays. Even in the unpopular press, come to think of it.

    2. Michael Wojcik Silver badge

      Re: but .. but

      Why would there be any relationship between the security research done by a CS department, and IT hygiene practiced by the rest of the university population?

      When a university has a notable cancer researcher in its medical school, that doesn't reduce cancer rates among the general population. Having a famous novelist in the English department doesn't significantly affect the students' taste in literature. A collection of top finance experts over in Business won't mean everyone else at the university is any better at managing their finances.

      The fact of the matter is that even star professors remain largely unknown outside their fields at their own institutions, except in a few exceptional cases. While some members of the university population read at least some of those incessant press releases and local-research stories that universities inevitably generate, even with the best intentions it's impossible to remember much of that stuff for any significant length of time.

      1. Anonymous Coward

        Re: but .. but

        https://www.ssllabs.com/ssltest/analyze.html?d=cyber.kent.ac.uk&s=129.12.4.59

        The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.

        This server does not support Forward Secrecy with the reference browsers. Grade capped to B.

        This server does not support Authenticated encryption (AEAD) cipher suites. Grade capped to B.

  11. Petergwilson

    I used to work as a senior systems engineer at one of the UK universities. Yep, the IT is poor. Ours was bad because of really bad management, project managers who could barely walk and talk at the same time and senior staff being academics instead of people who could do the job. I once had the Deputy Director of IT order me to give Domain Admin access rights to a third-party company who didn't have a contract with us. Naturally I refused and it all kicked off. We also had the dreaded "I've bought this software, now make it do the following, and I won't take 'it can't do that' for an answer". Place was a joke. Unsurprisingly all the decent staff have left.

    1. Anonymous Coward

      Sounds like a uni I know only too well, where they appointed yet another ex-navy prat as director to run IT, even less use than a Toc H lamp! And where they train computer hacking for whomever pays for the course, the Chinese especially...

    2. Michael Wojcik Silver badge

      It's been my anecdotal experience that IT tends to be better resourced and staffed in commercial organizations than in education, government, or non-profit. Also, as others have pointed out in the comments, IT in education specifically often has considerably less scope to impose controls, and at a large university will probably have a much more heterogeneous environment to worry about.

      But this story is really about spearphishing, and we've had many reports lately showing all sorts of organizations are highly vulnerable to spearphishing. That's no surprise. Targeted social engineering has always been effective. People have successfully run confidence games throughout recorded history.

      1. Anonymous Coward

        I know a University that rolled out Real Player to their Windows estate less than 10 years ago. Real Player!?!!?

  12. Sharik

    Well that explains one thing

    Well that would explain the rash of clearly phishing emails that 'came from' our VC a while ago asking us to 'click on the button below to arrange a meeting'. It caused a certain amount of speculation here in the computing department about whether it was central IT or another department that had cocked up.

  13. EnviableOne Bronze badge

    See

    Not Just the NHS

Biting the hand that feeds IT © 1998–2019