15:45 30/11/18 Spam email warning – Blank email – “Open in Web Browser” – “Display message”

We are receiving reports from students and staff about a new spam email arriving in University Inboxes.

This spam email is quite sophisticated in that it uses the title of a genuine email that you have replied to previously in order to trick you into believing it is authentic.

If you open the email you will see a mostly blank email with an information notification at the top of the email saying, “If there are problems with how this message is displayed, click here to view in a web browser” or something similar. If you click this link it will take you to a BBC website but in the process collects your private user credentials. It then uses these credentials to send out more harmful emails from your account. On mobile devices the email sometimes appears with a green button saying ‘Display Message’.

Do not open this email as it could damage your work and computer and may make your private details vulnerable.

If you are concerned about this email or other similar emails then please call ex.6262 or go to reading.ac.uk/it

For tips on keeping yourself and your information safe online, visit the IT web page on PC Security.

13:45 29/11/18 – Scam email warning – ‘Are you on campus’

IT have been receiving reports of a new scam/phishing email coming into University staff inboxes.

The scam email is designed to make the person who receives it believe that a senior member of staff is contacting them.  If you reply to the email it will send a new email with harmful links that could damage your work and computer and may make your private details vulnerable. Do not open or reply to this email.

This email has affected other institutions including Universities in America and has been reported on the mainstream news.

If you are concerned about this email or other similar emails then please call ex.6262 or go to reading.ac.uk/it

For tips on keeping yourself and your information safe online, visit the IT web page on PC Security.

From: ‘xxxxxx’ <‘xxxxxxxx’@gmail.com>
Sent: Thursday, November 29, 2018 10:31 am
To: ‘xxxxxxxxxxxx’
Subject: Are you on campus


Sent from my Iphone

Update on recent IT Critical Incidents

On the 24th and 25th of October we had two critical incidents in IT.

24th – Network Issue

The incident on Wednesday 24th October affected both the wired and Wi-Fi networks and meant that many services were not available.  The incident started at about 13:30. The severe impact of the incident was picked up quickly and a critical incident was called within IT.

The first meeting of the Critical Incident Team was held at 13:45.  Some staff were able to continue working but many key services were unavailable (web pages, RISIS, Trent, Agresso etc.)  Email remained available.

The nature of the incident meant that we could not use many of our standard communications channels (mail lists, status page, IT blog) to update University staff and students.  Information was emailed out individually to key contacts and Tweeted at 13:53.


Our Networks and Infrastructure Services teams, along with our network supplier, investigated the issue as a priority and identified what looked to be a faulty network device on our Earley Gate data centre.  The network device was disabled at about 16:30 as soon as the cause was identified.

The diagnosis was especially difficult which is why it took about 2.5 hours.  Whilst some services were available again quite quickly after this, our staff worked into the evening to restore others including: eduroam, Skype for Business, MyID, Apps Anywhere, Managed Print.

Further work took place over the following week to determine the exact fault before the device could be re-connected to the network.

25th – Data Storage Issue

On Thurs 25th October we had another critical incident that affected our Research Data Storage service.

All storage on the Gold tier and about half of the storage on the Basic tier were unavailable.  This outage was logged with our supplier at approximately 10:00.

It was flagged as a Critical Incident at 11:12. We held four Critical Incident Team meetings during that day and worked closely with our supplier on a resolution.  Following investigation by our supplier, the incident was found to have been caused by the file system manager (ZFS) locking up on one of the two nodes and the system not automatically switching over to the other node.


The failover was forced by our supplier and all services were restored before 16:00.  We continue to work with our supplier on determining the root cause to reduce the likelihood of this re-occurring.

Next Time

Following these two critical incidents, we are reviewing our Critical Incident Plan and our Communications Plan to further improve our incident response.

10:45 07/11/18 Phishing email – “Review blocked sign-in attempt”

We are receiving reports of a phishing email coming into University inboxes. This is not an official University email and clicking on the links could harm your computer/data.

The email claims to come from ‘IT Service Desk’ and that there has been a blocked sign in attempt on your university email account. It looks like this:

The IT department blocks thousands of scam emails a week but some still get through. Please always check the sender address and hover your mouse over links to check them before clicking.

To learn more on keeping safe online at the University, read the PC Security page on the IT website.

If you are unsure of an email or want to talk to IT about phishing emails then please call ex.6262 or go to reading.ac.uk/it



Account Lockouts – follow up/details

Over the first two days of November 2018, a substantial number of staff at the University of Reading became locked out of their user accounts meaning that they had no access to centrally provided University resources such as their desktop, Eduroam (Wi-Fi) and email. Over the course of the two days, IT saw approximately 500 individual incidents of this. 


The cause of this was an attack on University accounts through a legacy service providing email access to a small number of accounts. This service, known as IMAP (Internet Message Access Protocol), is used by some older email clients to gain access to email stored on central email servers. Most clients at the University do not use this method but it was once very common, and some systems still use it to get access. 

A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection.


A “botnet” was attempting to connect to this system using a real username (e.g. ab123456) and then randomly guessing a password. As a defence against this, central authentication services will lock the account to slow down the attacks. This is a standard approach to reduce these attacks and forms best practice. The account is locked for a period of time and will then unlock to allow the end-user to regain access. During the time that the account is locked, the user cannot access services. 

Once the attack was identified, IT blocked the computer being used to launch it at the University network perimeter (the firewall). Unfortunately, because a botnet can be made up of a large and random number of computers, the attack switched to a different source machine and started up again. Infrastructure Services were effectively playing whack-a-mole to stop the problem. In total we blocked 25599 different addresses during the course of the attack.


Due to the small number of end-users using the legacy IMAP service, and the larger number of users affected by the lockouts problem, IT took the action to remove external access to the IMAP service. This will remove the ability of the attackers to access the service and lock the accounts. University users of the external legacy IMAP service should use the email web portal to access their emails, calendar etc. and contact the IT Service Desk for further advice.
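The pattern described above can be seen in authentication logs. The following is an added example, not code or data from the University's systems: it groups failed IMAP logins by account and shows an account reaching the lockout threshold even though no single source address does, which is why blocking addresses one at a time did not stop the lockouts. The log format, the threshold of 5 failures and the 10-minute window are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up log format; RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2018-11-01T09:00:05 imap auth=FAIL user=ab123456 src=203.0.113.7
2018-11-01T09:00:41 imap auth=FAIL user=ab123456 src=198.51.100.23
2018-11-01T09:01:13 imap auth=FAIL user=ab123456 src=192.0.2.88
2018-11-01T09:01:50 imap auth=FAIL user=ab123456 src=203.0.113.140
2018-11-01T09:02:22 imap auth=FAIL user=ab123456 src=198.51.100.9
2018-11-01T09:03:00 imap auth=OK user=cd654321 src=192.0.2.10
2018-11-01T09:04:10 imap auth=FAIL user=cd654321 src=192.0.2.10
2018-11-01T09:30:00 imap auth=FAIL user=cd654321 src=192.0.2.10
"""

LINE = re.compile(r"^(\S+) imap auth=FAIL user=(\S+) src=(\S+)$")

def failures_by_user(log_text):
    """Return {user: [(timestamp, source_ip), ...]} for failed logins only."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            out[m.group(2)].append((datetime.fromisoformat(m.group(1)), m.group(3)))
    return out

def analyse(log_text, threshold=5, window=timedelta(minutes=10)):
    """Per account: does it lock, and is the guessing spread over sources?
    threshold and window are assumed values, not the University's policy."""
    report = {}
    for user, events in failures_by_user(log_text).items():
        times = sorted(t for t, _ in events)
        # Lockout counts failures per account, whatever address they came from.
        locked = any(
            sum(1 for t in times[i:] if t - times[i] <= window) >= threshold
            for i in range(len(times))
        )
        worst = max(Counter(src for _, src in events).values())
        report[user] = {
            "failures": len(events),
            "sources": len({src for _, src in events}),
            "locked": locked,
            # Locked although no single address reached the threshold.
            "distributed": locked and worst < threshold,
        }
    return report

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```
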

We will continue to monitor the situation as always for additional problems.