Can my light bulbs DoS me?

Friday, October 7th, 2016 | Mark Borrie

Denial of Service (DoS) attacks are situations where an IT system is deliberately overwhelmed to a point where normal activity is no longer possible. A DoS attack usually comes from a single source. Where the attack comes from many sources we call this a Distributed DoS, or DDoS.

DDoS traffic is usually sent from many computers around the world. These computers will have been hijacked and grouped together into a botnet, which is then controlled by the bad player. They have usually been compromised because security patches were not applied.

For some time InfoSec people have been wondering what impact the Internet of Things (IoT) will have on things like DDoS. The IoT generally refers to all those everyday objects that can now connect to the Internet. Think CCTV, toys, nappies, cars, door bells etc.

At the KiwiCon conference last year in Wellington, and at other conferences, some of the presentations talked about the security of various IoT devices. Some of the findings were:

  • Certain brands of car immobilisers could be activated by other people by attacking the website where the device was registered. This was particularly concerning for those vehicles that could have the fuel system shut down. Imagine suddenly running out of fuel while in the middle lane of a motorway doing 110 km/hr!
  • Home security devices being sold in NZ could be controlled by other parties.
  • Baby monitors can be listened into, and worse.
  • Barbie Dolls are relatively hard to take over.

So is the IoT really a problem? In late September a DDoS attack was launched against a well-known security writer. The huge volume of traffic sent to his website forced it offline for a time. What is interesting is that most of the devices involved in the attack were online cameras (it is estimated that about 1.5 million cameras were involved).

The security issues with the IoT may well turn out to be a bigger problem than Y2K. When preparing for Y2K it was possible to identify likely systems that needed fixing, and then update them. In the end a Y2K disaster was avoided since we understood how to fix the problems.

The problem with the IoT is that we can't identify and/or fix most of the devices. Few manufacturers of IoT devices include options for efficiently getting updates onto the device. Almost no one will commit to providing support for any set time. For most devices, if there is a significant security issue with them, it will be a case of throwing them away.

So this comes back to the original question. Can my light bulbs DoS me?

Well, the current versions probably cannot launch a co-ordinated network attack, which is good. However, a bad player may well be able to take control of your light bulbs. Think about the result of all your lights coming on at 3 am. Perhaps we should call this a DoSl (Denial of Sleep).

What to do? Some of the functionality of some IoT devices is truly exciting. We are going to see more and more options out there. When buying these devices we need to start thinking about the impact if things go wrong. Ask the retailer about security updates. If updates are available ask for how long support will be provided.

Finally, be prepared to throw the device away. This may end up your only option.

Update on RansomWare

Friday, October 7th, 2016 | Mark Borrie

In March this year I wrote about the upswing in ransomware attacks. Well since then we have seen even more attacks. Unfortunately some people have been caught out by the attackers and have had files encrypted.

Luckily everyone so far has been able to restore their data from backups and other sources.

The criminal gangs running these attacks are constantly looking for new ways to get results. Recently they used a flaw in certain types of Word docs. These were Word files with macros in them. Once we worked out what they were up to we started using our spam management system PureMessage to quarantine all these Word files with macros (these have a docm suffix). Only a few genuine files were quarantined and they were still available to the user.

During August we quarantined about 150 000 docm files.

Since then we have seen a decline in the use of docm files but a large increase in zip files. Zip files are a convenient way to bundle together a number of files in a compressed format that makes them easier to distribute.

During the first 12 days of September we quarantined about 1.5 million zip files. Almost all of these had some sort of malicious content.
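The quarantine rule described above, applied in code as an added example (this is not the Otago team's PureMessage configuration): a small Python triage function applies the suffix rule from the post (.docm and .zip) and goes one step further by looking inside the attachment, since a Word document is itself a zip archive and a macro-enabled file renamed to .docx still carries its vbaProject.bin member. The suffix lists, the stand-in documents and the zip inspection are assumptions for illustration, not anything the post states.

```python
"""Attachment triage: the post's suffix rule plus a look inside the file.

Added example; not the Otago PureMessage configuration. The suffixes,
sample documents and zip inspection are assumptions for illustration.
"""
import io
import zipfile

# Macro-enabled Office suffixes (the post mentions .docm; the rest are assumed).
MACRO_SUFFIXES = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}
# Macro-free OOXML suffixes that are still zip containers and can hide macros.
OOXML_SUFFIXES = {".docx", ".xlsx", ".pptx"}
# Member types worth naming when found inside a zip (assumed local policy).
DANGEROUS_SUFFIXES = {".exe", ".js", ".vbs", ".scr", ".hta"} | MACRO_SUFFIXES


def _suffix(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def has_vba_project(data: bytes) -> bool:
    """OOXML files are zip archives; VBA macros live in a vbaProject.bin member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def _inspect_zip(data: bytes) -> list:
    """List suspicious members of a zip attachment, including macro-bearing documents."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["zip attachment could not be read"]
    found = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            sfx = _suffix(info.filename)
            if sfx in DANGEROUS_SUFFIXES:
                found.append(f"zip member {info.filename} has suffix {sfx}")
            elif sfx in OOXML_SUFFIXES and has_vba_project(zf.read(info)):
                found.append(f"zip member {info.filename} carries vbaProject.bin")
    return found


def triage_attachment(filename: str, data: bytes) -> list:
    """Return the reasons to quarantine an attachment; an empty list means let it through."""
    reasons = []
    sfx = _suffix(filename)
    if sfx in MACRO_SUFFIXES:
        reasons.append(f"macro-enabled suffix {sfx}")
    elif sfx in OOXML_SUFFIXES and has_vba_project(data):
        # A .docm renamed to .docx still contains the macro project.
        reasons.append(f"{sfx} file carries vbaProject.bin")
    if sfx == ".zip":
        # The post quarantined every zip; the member list is kept for the analyst.
        reasons.append("zip attachment (quarantined by policy)")
        reasons.extend(_inspect_zip(data))
    return reasons


def build_ooxml(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word file: a minimal OOXML-style zip container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed-macro-blob")
    return buf.getvalue()


def build_zip(members: dict) -> bytes:
    """Constructed zip attachment from a name -> bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "minutes.docx": build_ooxml(False),
        "renamed.docx": build_ooxml(True),
        "invoice.docm": build_ooxml(True),
        "scan.zip": build_zip({"scan.js": b"x", "readme.txt": b"y"}),
    }
    for name, blob in samples.items():
        print(name, "->", triage_attachment(name, blob) or "allow")
```

The function only returns reasons; a mail gateway would record them with the quarantined message so that, as the post notes for the genuine files caught, the item stays retrievable for the user and an analyst can see why it was held.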

Dealing with these ongoing attacks is a team effort and we all have a part to play. Remember if something looks suspicious then get someone to check it out.

User awareness videos

Tuesday, July 12th, 2016 | Mark Borrie

Here are a couple of videos to help people become a bit more aware of social engineering risks. It would be interesting to hear from you as to which one you think is more effective.


Here is another good one from a bank


What is Ransomware?

Monday, March 7th, 2016 | Mark Borrie

In recent years another new term has emerged to describe yet more malicious software that attacks users. This one is called ransomware.

So what does ransomware do?

When a computer becomes infected with this software, all the files on the computer get encrypted. The user is then notified and offered the option of paying a ransom to get the secret decryption key in order to recover the files. If the user refuses to pay up, all the encrypted files are lost.

There has been a large increase in ransomware attacks worldwide in recent months. The Information Security Office team is seeing large numbers of spam emails being intercepted here at Otago that are connected to ransomware attacks.

A recent attack

Many staff recently received an email claiming to be from a lawyer that suggested the user had breached copyright on some material. This spam was deliberately sent during the weekend so that users would not have the usual support channels available (Alarm bell #1). This email was sent to many other Universities.

An analysis of the email by another institution revealed some interesting things.

  • The email had a zip file attached (Alarm bell #2)
  • The zip file attached to the email contained a pdf that had a script in it (Alarm bell #3)
  • This script requested the user to install a special font in order to read the pdf (Alarm bell #4)
  • If the user (or their IT support person) finds the font and installs it then the ransomware is installed and immediately starts encrypting all the user’s files INCLUDING those on file shares.

Protecting yourself

Targeted spam attacks are getting more sophisticated. They use real companies' and individuals' names. They are sent outside normal work hours, i.e. during weekends or holidays, or overnight. They often appear to be relevant to the target people, i.e. copyright issues for academics, or account information for financial staff.

Things to do (or not do)

  • Do not respond to unexpected emails outside work hours (It really isn’t that urgent)
  • Do not respond to requests to “take an action” (It truly is not that urgent)
  • Check with IT staff or colleagues if you get an unusual email. Chances are it will be a known attack, or it will alert staff of a new one under way
  • Be prepared. Make sure all your data files are properly backed up. Some of the ransomware attacks are now targeting backups as well as file shares so backups should not be accessible to the attack

For more information or assistance, contact the ITS ServiceDesk or the Information Security Office.

Malware – more than just a virus?

Thursday, March 3rd, 2016 | Mark Bedford

It seems that the term malware is causing confusion. The term covers a wide variety of malicious activity and is a contraction of the two words “malicious software”. It is generally used in the information security area to refer to software that is malicious in intent; it does not cover unintentionally bad or faulty software.

Spyware is a type of malware that is sometimes embedded in applications that appear useful but have additional hidden functionality to gather marketing information.

This month's SANS OUCH! newsletter describes it in more detail and provides some tips on ways to protect yourself.

Financial fraud phishing emails

Wednesday, February 17th, 2016 | Mark Borrie

The Information Security team has noted an increase in phishing emails that are targeting staff who may handle financial transactions. Initially these emails targeted senior staff and attempted to get fraudulent payments made by the University. A tertiary organisation up north fell victim to this and may be out of pocket to the tune of over $100k.

The phishing emails are now targeting departmental staff. The email will appear to come from another University staff member and will attempt to establish further email communication. The email address will not be an address. Eventually the target is asked to set up a fraudulent financial payment. These emails ask staff to work outside University financial processes by suggesting that there is some urgency in processing the request, and hence to bypass the normal processes.

Staff who handle financial transactions are asked to be vigilant for these types of attacks. If you receive unusual requests to process payments then ensure that the following is undertaken:
– Check with the apparent requester via another channel, i.e. if the request comes via email then give them a call to verify.
– At all times follow the University account processing systems. Contact FSD if you have questions.
– Report any attempts of this nature to the Information Security Office so that we can keep up to date with current attacks.

If you have any questions regarding this matter then please contact me.

Thanks, Mark

P.S. A copy of this email has been posted on the Information Security Blog site for verification. See

Mark Borrie
Information Security Manager,
Information Technology Services, University of Otago,
Dunedin 9054, N.Z.
Ph +64 3 479-8395, Fax +64 3 479-8813
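The signs listed in the post above (a message that looks like it comes from a staff member but is not sent from a University address, a push for urgency) can be checked mechanically before anyone picks up the phone. The following is an added example and not an Otago system: it parses a message's headers and reports the sender being external, a display name that borrows an internal address, replies being routed to a different domain, and urgency wording in the subject. The domain university.example is a placeholder for the real staff domain, the urgency word list is an assumption, and both messages are constructed.

```python
"""Sender sanity checks for payment-request emails.

Added example, not an Otago system. INTERNAL_DOMAINS is a placeholder
for the institution's real staff domain; both messages are constructed.
"""
import email
from email.utils import parseaddr

INTERNAL_DOMAINS = {"university.example"}  # assumption: stand-in for the real staff domain
URGENCY_WORDS = ("urgent", "immediately", "today", "asap")  # assumption: local word list


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def assess_sender(raw_message: str) -> list:
    """Return findings about who a message really comes from; empty means nothing odd."""
    msg = email.message_from_string(raw_message)
    findings = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if from_dom and from_dom not in INTERNAL_DOMAINS:
        findings.append(f"external-sender: From address is at {from_dom}")

    # The post's pattern: looks like a staff member, but the real address is elsewhere.
    if from_dom not in INTERNAL_DOMAINS and any(d in display.lower() for d in INTERNAL_DOMAINS):
        findings.append(f"lookalike-display-name: '{display}' shown over {from_addr}")

    # Replies silently redirected to a third address are another classic sign.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"reply-to-mismatch: replies go to {_domain(reply_addr)}")

    subject = msg.get("Subject", "").lower()
    if any(w in subject for w in URGENCY_WORDS):
        findings.append("urgency: subject pushes for immediate action")
    return findings


# Constructed sample: an ordinary internal request.
LEGIT = """\
From: Pat Example <pat.example@university.example>
To: accounts@university.example
Subject: Invoice 4471 for approval

Attached is the usual monthly invoice for sign-off.
"""

# Constructed sample: the pattern the post describes.
FRAUD = """\
From: "pat.example@university.example" <pat.example.office@freemail.example>
Reply-To: payments.desk@other-mail.example
To: accounts@university.example
Subject: URGENT: same-day transfer needed

I am in meetings all day, please process this transfer now and confirm by reply.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("fraud", FRAUD)):
        print(label, "->", assess_sender(raw) or "no findings")
```

None of these findings proves fraud on its own; they decide whether the phone call to the apparent requester, which the post lists first, is needed before anything is processed.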

Airline Boarding passes

Thursday, October 8th, 2015 | Mark Borrie

Ever wondered what is recorded on your airline boarding pass? Well someone has done some analysis of one and quickly turned up some interesting information. The bottom line is don’t throw them away, instead make sure you take them home and destroy them at the end of your travels.

See for an explanation.

Password Managers

Thursday, October 1st, 2015 | Mark Bedford

Passwords, and memorising them, are simply stated a chore, and many people reuse the same password for multiple services to avoid having to remember them. Enter password managers. I am not going to review them in this post, but rather point you to a Lifehacker article that does a decent job of reviewing them.

The summary is to use one that meets your needs rather than reusing the same password. If you go the next step, you can then store your password file (which should already be encrypted) on an internet-facing service such as the Otago Syncplicity service, where it will be available to you from anywhere on the internet.

LinkedIn Scams

Tuesday, September 1st, 2015 | Mark Borrie

In recent weeks there has been an increase in fake requests on LinkedIn for users to connect with people. These are likely to be precursors to attempted scams or fraud.

Some examples I have noticed are from people claiming to be from financial companies based overseas. After connecting with the person a message quickly follows asking for more information about yourself.

If you are unsure about these connect requests there are a few things you can do. Check out the company affiliation. If you can't find the company then there is a good chance it is fictitious.

Also check the profile picture. This is easy with Google. Open the Google search page and select the images link. Now drag the profile pic into the search bar and see if there are any matches. You might be surprised at where that profile picture originated from.

Now there is no requirement that someone will use an actual picture of themselves on LinkedIn, however you may want to think about why someone uses a picture of someone else.

So what to do with these requests? There are options on LinkedIn to report people who appear to be misrepresenting themselves. Alternatively, simply don't connect, or disconnect from people you don't trust.

Above all else, keep safe.

Psychological trick used for spam

Friday, June 26th, 2015 | Taichi Nakamura

Subject Title “stop spamming me”

An interesting piece of spam was caught today by the university email spam filter system.
It used a psychological trick to manipulate people's behaviour.
The subject line and the content contained a complaint that spam was continuously being sent from a certain department, and a Microsoft Word document was attached, supposedly with the details of the spam they were receiving.

What made this spam unusual was that it avoided instant deletion by not using the familiar subject lines and opening sentences that spammers use.
It was then carefully sent to a third-party employee who would be inclined to help.
The spammer's hope was that the employee would try to be helpful; failing that, natural curiosity would lead the employee to click the attachment.

Of course, after that the malware hidden in the Word document would infect the PC.

More Specific

The spam looked like a genuine complaint, but the complaint was not real.
The sender and receiver email addresses were forged, but since current standard email applications usually hide the headers by default, it would have been difficult for the receiver to spot this.

The subject line and contents did not look like the usual computer-generated spam, but rather like a complaint written by a native English speaker.
Nothing in it identified it as spam. It gave enough, but only minimal, information, creating a need to investigate further to understand the full picture.
That made it more likely that the employee would read the contents rather than deleting the spam straight away, and then check the attachment.

The receiver was not associated with the department complained about in the spam's contents, but it did look like a genuine complaint because it included real department names.
So if the employee tried to be helpful, he or she could easily have been tricked into checking the attachment and then been infected by the malware.

How to Avoid

Best practice is to never open an email attachment unless you know who it is from, you are expecting it, and you are absolutely sure it is legitimate.
If there is an attachment that you are not expecting, it is best to be suspicious and contact the sender or the Information Security Office for clarification.

Recent Types of Spam

Spam often gives the impression that the matter is critical and must be responded to immediately, and asks you to do something.
It often contains malicious attachments or links.

Recent spam types:

  • Bank requesting change of passwords
  • Helpdesk informing you that your email account is over quota and to click on a link to avoid getting locked out
  • Someone wealthy overseas wanting to send money or funds
  • Unknown parcels having difficulty being delivered
  • Copyright and other infringement notices that you do not recognise the reason for
  • Conference and paper submission invites
  • Sales of equipment and goods
  • Apple iTunes and other vendors' apps and services requesting you to go to a website and authenticate


Any views or opinion represented in this site belong solely to the authors and do not necessarily represent those of the University of Otago. Any view or opinion represented in the comments are personal and are those of the respective commentator/contributor to this site.