1.07.2009

Formal Review of New CSU Information Security Policy


In a CSU system-wide effort to enhance information security, a new set of CSU policies is in the final phases of review and deployment by all campuses. For San Francisco State University, the formal review of the CSU System-wide Information Security Policies will begin on approximately January 7 and end on February 15, 2009.

Below is a link to review this draft policy and provide comments. To control the quality of submitted comments, you will be required to authenticate using your

  • SF State Id#
  • SF State password

to read and post comments on the draft. Here is the link for the hosted policy:

http://www.sfsu.edu/~secure/policy review

Your comments will be captured, reviewed and aggregated into a campus-wide set of comments and proposed edits back to the Chancellor’s Office. Perhaps more importantly, as a result of this system-wide policy change, San Francisco State University plans over the coming year to supplement and reorganize its existing campus IT security policies:

• Confidential Information Security Plan (CISP)
• Secure Computing Webpage & Policy
• Acceptable Use Policy

so that they are consistent with the guidance in the CSU policy. In some cases the campus will also implement new policies and a proposed IT governance structure that do not yet exist.

The policies and standards provide direction to campuses and CSU staff in their efforts to protect CSU information assets and ensure privacy protection for individuals in accordance with applicable laws, regulations and university requirements. The CSU System-wide Information Security Policies have future implications for the management and control of IT assets, and I therefore invite you to comment on the draft before it becomes final.


8.25.2008

What You Need to Know about DMCA, RIAA & Illegal File Sharing Monitoring & Settlement Activities

Like several other campuses across the nation, San Francisco State University has felt the impact of the Recording Industry Association of America's (RIAA's) stepped-up campaign against copyright violations. The RIAA (and similar legal entities representing the interests of copyright holders, such as the MPAA) have sent campuses, in their role as Internet Service Providers (ISPs), "settlement letters" specifying Internet Protocol (IP) addresses which they allege have been involved in copyright infringement, often with the request that the ISP forward the letters to the users associated with those IP addresses. These are currently known as "Settlement Letters" or "Pre-Settlement" letters. (A sample RIAA settlement letter can be viewed here.) The history and range of trade groups pursuing copyright interests via lawsuits is discussed in this Wikipedia entry on legal efforts against file sharing.

Important Information for Students, Faculty & Staff:
  • The use of SF State computing, network and other resources to override copyright protections intended by the owner is a violation of SF State's Acceptable Use Policy. See also Housing's ResNet Acceptable Use Guidance. If you are unsure what intellectual property rights apply in the online and Internet realm, Chilling Effects provides an excellent background as well as examples to help you understand intellectual property law and its application to the Internet. Illegal file sharing and other copyright infringements also violate Title 5 of the California Code of Regulations and federal copyright law. It is the responsibility of users who download, upload and access files to make certain they have the necessary permission of the copyright holder. These laws apply to all forms of information, including music, videos, written works and software.
  • SF State University does not currently have a policy of monitoring the network, or the hard drives of computers connected to it, for content, and does not generate DMCA notices. The technology deployed by the RIAA and MPAA, however, may be able to trace illegal file sharing activity to a device you place on the SF State network, and legal mechanisms under the DMCA allow for subpoenas to SF State which may reveal your identity and activity on the network. You should therefore avoid allowing others to use your computing devices or campus credentials (email address, SF State ID, etc.) to access any campus network for activities you are not aware of and which may ultimately be illegal.


Image courtesy of jistark, via Creative Commons & Flickr




5.28.2008

Card Skimming On the Rise in Bay Area

If you have been listening to local Bay Area newscasts, you may have noticed reports over this last Memorial Day weekend of increased "ATM-based thefts" in the South Bay.

These attacks are increasing in prevalence and are aimed at capturing your debit and credit card numbers, along with their associated PINs, to execute unauthorized withdrawals or charges against your accounts. The thieves count on the fact that you are unlikely to review your credit card or debit account statements frequently enough to detect these events, or that you will ignore withdrawals at locations you visit frequently because you can't remember the last visit. If you have multiple credit cards and bank accounts, this may mean checking activity weekly or even daily across many accounts. You know that is time consuming, and so do the thieves, who are betting you won't detect the activity.

Card skimming techniques vary from installing cameras that capture keystrokes to modifying or installing "dummy" card readers, capture devices and keypads that record data from the magnetic stripe and/or the PIN pad. There is evidence this activity is increasing worldwide and domestically; it was the reported vector in attacks on customers at a number of grocery stores (Lunardi's locally) and, in a variation that targeted credit card capture and transmission at POS terminals, at grocery stores like Hannaford on the East Coast.

Other than being observant of general quirks in ATMs and card readers (admittedly difficult, since these devices all look different), the next best thing is to check your account activity regularly for events that either fall outside your pattern or don't match your receipts. If your bank or credit card company offers electronic alerts, sign up for those as well.

This is also a reminder that attacks do not arrive only via email; they now come via other interfaces you have traditionally trusted. Thieves continue to get around traditional password and PIN authentication by targeting other weaknesses in the system, such as the device that reads your card.


5.13.2008

Compromised Accounts, BackScatter Activity or Joe-Jobs?

A number of other campuses have been experiencing large volumes of unexplained nondelivery messages in their users' inboxes. These nondelivery (or “bounced”) messages, typically from MAILER-DAEMON, appear to indicate that the user has been sending spam to external servers and that the messages have been rejected by the remote servers. (These attacks are also hitting ISPs; I have recently been receiving a large volume of such bounce messages in my Comcast.net account, for instance.)

These messages have been a source of confusion and concern for the people who receive them, who often contact a Help Desk believing their account has been compromised or hijacked. In fact, in most cases, the users’ accounts have not been compromised.

Given the nature of Internet e-mail, there is no restriction on what address is designated as the “From” address in external e-mail. This means that if a spammer elects to forge an SFSU e-mail address as the “From” address for spam messages, there is nothing preventing the spammer from doing so.

Over the past several weeks, it appears that more and more spammers are doing this, as well as selling such information to execute what is known as a Joe job, deliberately targeting individuals using this practice (http://en.wikipedia.org/wiki/Joe_job). This has increased the volume of "backscatter" considerably. Because many spam filtering servers around the Internet are configured to send a nondelivery report to the "From" address of offending messages (even if the “From” address is forged), many of these nondelivery reports are ending up in our users’ mailboxes. This general phenomenon is called backscatter spam.

Some things you can do to differentiate what might be happening:
  • if this is a backscatter problem, you will not likely have outbound spam in your SENT folder (as the account was never actually compromised and used to send spam.)
  • a user who divulged sensitive information to a spear phisher or had their credentials compromised, say via a keylogger, and whose account is truly hijacked, will often have additional problems such as not being able to access their account and/or will likely have spam in their Sent folder.
We are currently working with our anti-spam vendor, IronPort, to see if they are better able to detect and block backscatter.
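As an added example (not part of the original post and not any SFSU tool), the following Python script applies the same triage to a bounce message: it pulls the rejected original out of the delivery status notification (DSN) and asks whether any Received: line claims one of our own outbound mail servers handled it. If none does, the forged From: never passed through us and the bounce is backscatter. The host names, the domain and the two sample bounces are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed names for this campus: our outbound MTAs and our mail domain.
OUR_MAIL_HOSTS = {"mail.sfsu.edu", "smtp.sfsu.edu"}
OUR_DOMAIN = "sfsu.edu"

# "by <host>" inside a Received: header names the MTA that added the line.
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.\-]+)", re.IGNORECASE)


def make_dsn(received: str) -> bytes:
    """Constructed sample DSN, as a remote MTA would return it, wrapping an
    original message whose Received: trail is the given text."""
    return f"""\
From: MAILER-DAEMON@mx.example.net
To: jdoe@sfsu.edu
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn"

--dsn
Content-Type: text/plain

This is the mail system at host mx.example.net. Your message was rejected.

--dsn
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; victim@example.net
Action: failed
Status: 5.7.1

--dsn
Content-Type: message/rfc822

{received}
From: jdoe@sfsu.edu
To: victim@example.net
Subject: Cheap meds
Message-ID: <20080513091244.1A2B3C@203.0.113.5>

Buy now.
--dsn--
""".encode()


# Spam injected straight at the remote MX from an outside host with a forged From:.
BACKSCATTER_DSN = make_dsn(
    "Received: from 203.0.113.5 (unknown [203.0.113.5]) by mx.example.net "
    "(Postfix) with SMTP id 1A2B3C; Tue, 13 May 2008 09:12:44 -0700"
)

# Spam that really left via our webmail and MTA: the account needs a closer look.
POSSIBLE_COMPROMISE_DSN = make_dsn(
    "Received: from mail.sfsu.edu (mail.sfsu.edu [192.0.2.10]) by mx.example.net "
    "(Postfix) with ESMTP id 4D5E6F; Tue, 13 May 2008 09:30:02 -0700\n"
    "Received: from webmail.sfsu.edu (localhost [127.0.0.1]) by mail.sfsu.edu "
    "(Postfix) with ESMTP id 7G8H9I; Tue, 13 May 2008 09:30:01 -0700"
)


def embedded_original(bounce):
    """Return the message/rfc822 part a DSN carries (the rejected original), or None."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            payload = part.get_payload()
            if payload:
                return payload[0]
    return None


def relayed_by_us(original) -> bool:
    """True if any Received: line claims one of our MTAs handled the message.
    A spammer can forge lines below the ones trusted relays add, so this is
    evidence for further checking, not proof of compromise."""
    for hdr in original.get_all("Received", []):
        m = RECEIVED_BY.search(str(hdr))
        if m and m.group(1).lower() in OUR_MAIL_HOSTS:
            return True
    return False


def classify_bounce(raw: bytes) -> str:
    """Triage a bounce: not_a_dsn, dsn_without_original, dsn_for_other_sender,
    backscatter (forged From:, never relayed by us) or possible_compromise."""
    bounce = email.message_from_bytes(raw, policy=policy.default)
    if bounce.get_content_type() != "multipart/report":
        return "not_a_dsn"
    original = embedded_original(bounce)
    if original is None:
        return "dsn_without_original"
    _, addr = parseaddr(str(original.get("From", "")))
    if addr.rpartition("@")[2].lower() != OUR_DOMAIN:
        return "dsn_for_other_sender"
    if relayed_by_us(original):
        return "possible_compromise"  # check the MTA logs and the user's Sent folder
    return "backscatter"


if __name__ == "__main__":
    print(classify_bounce(BACKSCATTER_DSN))          # backscatter
    print(classify_bounce(POSSIBLE_COMPROMISE_DSN))  # possible_compromise
```

Treat the result as triage, not proof: "possible_compromise" means pull the MTA logs for that user and look at the Sent folder, while "backscatter" means the forged From: never touched our servers and the user has nothing to clean up. A bounce that carries only the original headers (not a full message/rfc822 part) needs the same Received: check done by hand against the DSN's own text.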


5.09.2008

Genuine SMS Alert Messages?

Yes, it is legitimate and not a spam message.

If you recently registered for the SF State Emergency Notification System, you may be receiving SMS messages to devices you registered into the system. If you specified a text-enabled device in your emergency contact data you will receive a text message stating:

SFSU TEXT ALERT: You are now confirmed to receive alerts from us. More info text reply "HELP"


This is a test notification and will be sent to phones, e-mail addresses and any other communication devices on record.

The message will clearly indicate that this is a test; however, you may still wish to give advance notice to anyone who might receive the call or voicemail message (e.g., family members at home).

We are currently working with the vendor for additional unique identifiers for such messages.


4.21.2008

Strategies To Avoid Falling Victim to Spear Phishing Attempts

Like many other academic institutions, SF State has been recently targeted in a series of spear phishing attempts. While new technology is being evaluated to detect and prevent these attacks, the following guidelines are suggested for you to recognize and avoid falling victim to spear phishing attempts:

What is phishing?
Phishing is an attempt to fraudulently acquire sensitive information by masquerading as a legitimate or trustworthy entity in an electronic communication. Phishing has typically been carried out by email (and is therefore a variant of spam) or instant messaging, and may also direct users to fraudulent websites to gather additional information. Spear phishing is usually highly targeted at individuals or particular communities of users.

An excellent background on phishing, its history and its ongoing evolution, is available at Wikipedia here.

Recognize that Caller Id, Text Messaging Id, and Email “From/Reply To” Addresses Can All Be Forged

  • Caller ID, text message sender IDs and email “From” addresses can all be forged; therefore you unfortunately cannot trust them alone as a source of verification or as a valid “Reply To” address within an email message. The SFSU HelpDesk will not contact you first this way unless you have already contacted them, and will never ask you for sensitive data via email.


Don’t Respond to Mail You Suspect As Spam or Phishing Attempts
  • As is indicated above, the reply address is often forged, stolen or created for the purposes of sending spam. Replying only indicates your email address is valid.

Use Browsers That Are "Phisher" Aware
  • As a result of the large volume of attacks against PayPal, eBay and online banking users over the past three years, anti-phishing features have been added to many of the popular web browsers: Internet Explorer 7, Firefox 2.0 and Opera 9.x all warn about known fraudulent sites. Turn these features on; they significantly reduce the chance that a link in an email message silently takes you to a reported fraudulent URL. They rely on lists of sites that have already been reported, so a page set up a few hours ago may not be flagged; treat a clean result as one signal, not as proof.
Look At How You Manage Ids & Passwords Across Web Sites Internal & External to SFSU
  • If you keep your ID and password the same on several systems, and you revealed your ID and password in this last phishing attempt, change at least your password across all the sites you visit. Phishers are reportedly exploiting the fact that many people use the same ID and password across many of the web interfaces they access (campus, bank, social networking site, etc.), and targeting you at a location where you may be more casual in sharing information (such as the campus environment) rather than via a bank communication, where your guard may be higher.

Put time on your side.
  • Malicious messages commonly use threats (such as your email being turned off, etc) to force you to act quickly without thinking. Instead use your time to verify the source of the message if it asks for personal information about you.


Think About Information You Have Posted On Other Websites
  • The industry is seeing a large volume of “blended” and multi-vector attacks meaning that scammers are attempting to extract sensitive information from multiple sources. If posting your email brings you no real benefit on another site, consider whether it really needs to be public and activate any private sharing features the sites provide.
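As an added example, not code from the original post, here is a small Python checker that applies the first two guidelines above to a message: it compares the domains in From:, Reply-To: and Return-Path:, and flags links whose visible text names one host while the href points at another. The sample message is constructed to resemble the campus mails described; its header values and the 203.0.113.7 address are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the "your mailbox will be turned off" spear-phish (assumption).
SAMPLE = b"""\
Return-Path: <bounce@mailer.example.org>
From: "SFSU HelpDesk" <helpdesk@sfsu.edu>
Reply-To: sfsu.helpdesk.verify@example.org
To: student@sfsu.edu
Subject: Your mailbox will be deactivated in 24 hours
Content-Type: text/html; charset="us-ascii"

<p>Confirm your account within 24 hours or it will be turned off.</p>
<p><a href="http://203.0.113.7/login">https://webmail.sfsu.edu/verify</a></p>
"""


def domain_of(addr_header) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_in(text: str) -> str:
    """Host named in URL-looking link text, or '' so plain words never count as a mismatch."""
    m = re.search(r"https?://([^/\s]+)", text)
    return m.group(1).lower() if m else ""


def phishing_indicators(raw: bytes) -> list:
    """Return human-readable indicators found in a raw message (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    path_dom = domain_of(msg.get("Return-Path"))
    # A forged From: only pays off if replies or bounces go somewhere the phisher reads.
    if reply_dom and reply_dom != from_dom:
        found.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")
    if path_dom and path_dom != from_dom:
        found.append(f"return-path domain {path_dom} differs from From domain {from_dom}")
    # Link text that shows a campus host while the href goes elsewhere.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = host_in(text)
            actual = (urlparse(href).hostname or "").lower()
            if shown and shown != actual:
                found.append(f"link shows {shown} but points to {actual}")
    return found


if __name__ == "__main__":
    for indicator in phishing_indicators(SAMPLE):
        print(indicator)
```

None of these checks proves anything on its own: a legitimate mailing list sets a different Return-Path:, and a phisher who controls a look-alike domain can make all three headers agree. What they do give you is the minute of pause the post asks for, with the real destination host printed in front of you instead of hidden behind the link text.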


3.15.2008

Phishing Article, Xpress


I've recently done some interviews with the SFSU Xpress newspaper on the recent spear phishing activity targeted at campus members. Unfortunately, very little content from either of those interviews was published by the editors at Xpress, and I was instead frequently quoted as "having no comment," which was not the case.

Here is the original interview with Doug Morino and some content that I think will be useful to students and staff wanting to limit the success and impact of spear phishing or any type of social engineering targeted towards them:


Have you had a problem like this in the past?

Not at SFSU, but Stanford and other academic institutions have been reporting this activity for a couple of years now. It has been hitting academic centers recently very hard because of their large populations using social networking tools that in turn offer perpetrators easy information and common "locales" that they can target subjects en masse.


How do SF State students e-mail accounts fall victim to hackers?

Much like any other site that is targeted. Either their email is:

  • public-domain available (posted for professional or personal reasons on another website like Educause or Facebook, for instance.)
  • can be derived using common naming conventions at an academic center
  • can be derived using name dictionaries and common email addresses in use within an academic environment (helpdesk@sfsu, student-news@sfsu.edu, etc.)



Has the university found a source for the emails?

Indirectly yes; we know they came from compromised accounts on the Yahoo European domains. The volume of this type of activity is so high "in the wild" however, that we suspect we will be unlikely to find the exact perpetrators. Currently the majority of these attacks are coming from Russia, China, Romania and Brazil. However, this means the originating or transiting/forwarding systems were more likely to be compromised there, not necessarily that the hackers physically reside or are necessarily from those countries. In most cases they have taken over the resources of another entity to send out more spam and spear phishing attempts. This was part of their objective at SFSU.

How many students and faculty members have been targeted?

These attacks were in waves, each with a new message crafted using information from bounced messages as well as replies to then draft subsequent variants. In a practical sense, anyone with a userid on the sfsu.edu domain was and is a target. Many of these ids were harvested off social networking websites, public websites where staff, faculty or students may post or otherwise display their email for personal or professional reasons. Others were generated using dictionary type attacks which generate a number of variants using email naming conventions. Conservatively, we can probably estimate about 50,000 were or are targets.



How did the perpetrators get a hold of students and faculty info?

Please see answer above regarding how email accounts and sites are targeted. Dictionary like attacks based on userid naming conventions as well as public website postings of email messages and cookie harvesting are common ways to get ids.


Have you heard from other universities about the problem?

Yes. Several regional universities also have the same technology we have in place from Cisco, but there has unfortunately been a large increase in phishing traffic that the security solution vendors such as Cisco have been having difficulty stopping with their current signature databases.


If so, what are they doing to combat it?

Like SFSU, currently pressuring vendors to enhance their products to better meet the needs of academic environments which have been traditionally ignored because prior attacks have focused on banks and other online communities like EBay. Hence, this has likewise been the focus of security vendors and they are a bit behind the curve, so to speak in understanding the signatures of messages targeted for academic environments.


What specifically is SFSU doing to combat this?

We are working with vendors developing some of the next generation technologies like machine learning, domain signing and network forensics, which help to better catch these messages in the first place (so that they would ideally never be seen) as well as to better track perpetrators or monitor their overall behavior and try to determine what they are really up to. Budget cuts are significantly impacting our ability to deploy these new technologies, but we continue to work with the vendors to evaluate and help them refine the products to meet our environment's unique needs.


What can students do to ensure their online safety?

Please see the guidance in my next post


What can they do if they've fallen victim and supplied personal information?

Please see the guidance in my next post


What are your personal thoughts on the "phishing" problem?

I think it is an unfortunate waste of people's time and a real drag to the online experience, which is why technology that does a better job of catching these messages in the first place is a strong desire of mine. We are unfortunately seeing significant increases in multi-vector attacks meaning that the techniques and sources are coming via multiple communication mediums such as email, web, forged caller-id, etc. Many attacks are spanning multiple webservices or Web 2.0 platforms. This further degrades the web experience and "trust" we have in these sites and communities.
