Songs of restriction and compromise

I’m rather perturbed by some recent conversations with friends in university IS departments and, for that matter, a recent experience of being at a conferencelet in Keele. It all boils down to questions of security – and the (in my view mistaken) belief that by restricting the network to certain ports administrators can limit users’ exposure to the evil that is the internet. This really bugs me, as the internet is not just about port 80, and the wealth of potential applications (and therefore educational opportunities) gets squeezed through the single technological bottleneck of the web. Trouble is, the compromises and attacks just get squeezed through the same chink as well, and it’s still hell to manage.

Some songs of restriction…

Here in Bolton we have a quite complex set of restrictions on different parts of the network – the main segment which is mostly an internal free-for-all but users have to use a web-proxy to get out, the unrestricted wilds of the res-net where pretty much anything goes, the wireless which (once authenticated) gives you an unrestricted but mutually-isolated bit of connectivity, the DMZ where the servers live and breathe. From within our own office most of us end up using the wireless and then VPN-ing back in to collect email (or in some cases using external providers). Only a few of us can print without connecting our laptops directly to the printer and reconfiguring them to be on a different subnet – which is intensely annoying.

When I visited Keele I saw that they also have a wireless network – which in theory is all well and good. Apart from being put under considerable strain by the sheer volume of people wanting to use it (this being nothing new for JISC-orientated conferences) there were two major issues with it: firstly, access credentials were provided on pieces of paper and then users were required to log in by downloading and running a slightly shady and buggy Java application. Secondly, once on the network it was very heavily restricted, so while regular web-browsing was fine, anything slightly more exotic like picking up email with IMAP or (heaven forbid) using VPN to get in to Bolton was totally blocked. Strangely though, the access credentials came with a temporary email account – which I didn’t touch or particularly want to mess with.

Some songs of compromise…

Unsophisticated: The other week we all got this email from “Support Team (University of Bolton)”:

Attn: Staff/Student,

To update your bolton.ac.uk account & webmail, you must reply to this email immediately and enter your password here (*********)

Failure to do this will immediately render your Email Address deactivated from our database as this is part of our security measures to serve you better.

Thank you for being a part of University of Bolton.

Regards,

Support Teams

You can probably guess how many phishies bit the bait on this one. It’s an old and well-tried social engineering technique and sadly it still works. It’s just regular email with a bogus “from” address and some external “reply-to” address, no fancy stuff here. An attacker who picked up valid credentials would not only be able to hijack the user’s account but could also, in theory, get VPN access and dig their way into the internal network.
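The two tells described above (an institutional “from” address paired with an external “reply-to”, plus a body asking the reader to reply with a password) are cheap to check at the mail gateway. This is an added example, not code from the original post or from the university’s mail system; the sample message is constructed to mirror the phish quoted above and the institution domain is assumed.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed institutional domain; adjust for your own site.
INSTITUTION_DOMAIN = "bolton.ac.uk"

# Constructed sample modelled on the phish quoted in the post (not the real mail).
SAMPLE = """\
From: University of Bolton Support Team <support@bolton.ac.uk>
Reply-To: helpdesk.bolton@example-webmail.invalid
To: staff@bolton.ac.uk
Subject: Update your bolton.ac.uk account

Attn: Staff/Student,
To update your account & webmail, you must reply to this email immediately
and enter your password here (*********)
"""


def header_domain(msg, name):
    """Lower-cased domain of the first address in a header, or None if absent."""
    value = msg.get(name)
    if not value:
        return None
    _, addr = parseaddr(str(value))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def phish_indicators(raw):
    """Return the reasons a message matches the reply-to phishing pattern."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    from_dom = header_domain(msg, "From")
    reply_dom = header_domain(msg, "Reply-To")
    # Tell 1: claims to be from us, but replies are routed somewhere else.
    if from_dom == INSTITUTION_DOMAIN and reply_dom and reply_dom != from_dom:
        reasons.append(f"From claims {from_dom} but replies go to {reply_dom}")
    # Tell 2: the body asks the reader to reply with a password.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if "password" in text and "reply" in text:
        reasons.append("body asks the reader to reply with a password")
    return reasons
```

A message that trips either check is a candidate for quarantine or for a warning banner rather than silent delivery.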

Sophisticated: Second example, and this one contains an element of personal shame – CETIS run a couple of servers and a few weeks back (while I was off doing family things) one of them got rooted good and proper. I had neglected to run any security updates for a while and (as far as I can tell) the machine was compromised through vulnerable SSH keys, what with the SSH port being open to the world. Suspicious port-scanning activity was picked up downstream and we had no choice but to take the machine down until we could re-build it.

So we can’t win?
You can see why IS departments are worried about providing unrestricted access to the net for users – and why the heavy approach seems to work for shielding their machines from viral infection and so forth; however, there will always be things that slip through via social engineering or more sophisticated attacks. There are many, many other scenarios: users working around the restrictions to do whatever it is they want to do, physically unplugging their machines, taking them home and bringing them back, reconfiguring them to do such-and-such.

Yes we can win
Institutions need to get real and run some mandatory courses on computer security and behaviour for all staff. And for the really clueless, some basic courses on computers and what they are. This is what is done in industry and by all accounts it works pretty well. While gullibility may not be curable, people should at least know that there are some clear lines of responsibility and where and why they should not be crossed. From the technical end, places need to reconsider their policies to balance protection of users against freedom to use whatever network services may help them teach, learn, research or administrate. Even if that does mean they can get on Skype, bit-torrent and Second Life!