Information Security FAQs

Why is my Computer Interesting for Attackers?

There are a number of reasons for this:

  • Desire for recognition
  • Will to disrupt
  • Exercise of power
  • Economic interests (cybercrime)

In the early phase (phase I), hacking was a kind of sport in which experts wanted to prove their skills. In phase II it was often script kiddies, most of whom did not even understand what they were doing; now it is the playground of organized crime:
The aim is generally not so much to steal data from a private computer as to gain control of the computer and, in the worst case, to integrate it into a "botnet". For this purpose dedicated "research centers" are operated that search for vulnerabilities so that attacks can be launched before a patch exists (zero-day).

There is now a lot of money to be made from finding such vulnerabilities: government agencies, as well as malware manufacturers, anti-virus software creators, and even the makers of the software themselves pay for it!

What is a "Botnet"?

A "botnet" is a network of remotely controllable PCs ("bots" or "zombies") that can be used, for example, for a DDoS attack (a distributed attack to disrupt a service), for sending spam or for cracking passwords; these "services" are also rented out on the Internet for a fee.
Many millions per month are now "earned" by blackmailing major service providers on the Internet (banks, search engines, betting companies, …).

How is a "Botnet" Created?

A botnet is created, for example, by infecting a large number of computers with a worm that then opens backdoors for remote access, e. g. Agobot.

In 2005, for example, J. J. Ancheta from California, who was only 20 years old, connected almost half a million PCs to form a "zombie network" by exploiting a Windows security hole.


Malware or Badware (Malicious Code)

As if it were not enough that ICT systems are threatened by operating errors, power failures, network malfunctions, hardware and software defects, there are also troublemakers who have made it their business to produce malware to make our lives even more difficult.
In the past, these were people who either wanted to prove to themselves or others what they were capable of, but for years now there have been tangible financial aspects in the background.

Malware on the Internet generally refers to code that can cause damage (in whatever form), and the current threats are constantly changing.

A distinction is made between different forms of malware:

Viruses

Viruses are programs that spread via host programs: when an infected program is executed, the virus copies itself into other programs (thus infecting them too), so its spread relies entirely on users running infected files.
"Anyone who travels on the Net without virus protection endangers other users in much the same way as a car driver who travels with broken brakes and thus negligently endangers others." (Sven Karge, German Internet Industry Association [heise.de, 8.12.2009]).
Classic file-infecting viruses are now rare, but "anti-virus programs" also protect against other malware and should therefore continue to be used.

Main distribution: Emails (Outlook!).
Protection: Antivirus software.

Worms

Worms do not need a host program: they are independent programs that spread on their own. In the past they were also mainly spread via email (and only became active after being clicked); today they mainly spread over the network through operating-system holes (vulnerabilities, open ports with vulnerable services), but they still also send themselves via email.
They often do not cause any direct damage to the infected computer and are therefore hardly noticed by the user, but their massive spread puts a strain on the network and/or they attack servers, which then fail under the load - Denial of Service (DoS).
They "live" from the holes in the operating system (or other programs) and from the fact that users are too lazy (or unaware) to plug these (often known) holes with updates (patches).

Main distribution: Email, vulnerabilities in Windows.
Protection: Firewall and operating-system or software patches.

Reinstalling the system without applying the latest patches does not help at all against worms that exploit holes in the operating system or in an installed service!
Disconnect the system from the data network, reinstall it from local media, apply the security updates for all installed services, and only then reconnect the system to the network!
Antivirus programs do not necessarily detect worms either, and in particular they do not prevent the intrusion!

Trojans

Trojans are often hidden and unwanted additional functions in programs that are useful in themselves. For example, a keylogger can be hidden in an IRC client, a program that registers every keystroke (including password entry, etc.) and forwards it to an arbitrary email address, or a backdoor (a new "service" that gives unauthorized persons access to your computer) is installed.
This group includes "greyware" (spyware such as keyloggers or adware that displays unwanted advertising), but also the particularly dangerous rootkits (which are difficult to detect).

Main distribution: Often installed by viruses/worms, but can also be unknowingly installed with (free) software.
Protection: Protection against viruses and worms, do not install software that you do not know, download software only from official download servers.

Worms and Trojans can also be used to create so-called botnets.

In many Internet cafés, keyloggers and spyware are installed on the computers; we therefore advise you to log in there (and on any computer you do not know) not with username and password but with the mobile signature, which works for every system connected to our SSO.

If you have logged in on a computer you do not know (e. g. in an Internet cafe) with username and password, please change the password in TUGRAZonline as soon as possible on a trusted computer (or e. g. via your cell phone).

Spam

Spam generally refers to mass emails that are not wanted.
Although they do not damage the software of the "infected" system, they consume resources (reading and/or deletion time, administration effort on the email server), may block the mailbox or, in extreme cases, paralyze the email server.
As long as only a few "customers" click on the links in the emails of commercial spammers and, on the other hand, sending emails is free of charge, the spammers will continue to spread their garbage.

Main distribution: Intentional sending to previously purchased/collected email addresses, sending by viruses and/or worms.
Protection: Central filters on the email servers (defined via webmail), local (adaptive) email filters in the email client.

Phishing

Phishing (a coined word from "password harvesting" and "fishing") refers to the attempt to trick Internet users, sometimes with clever deception, into disclosing account data on a fake website (or by email); this is of course particularly problematic for bank account data (which is outside our responsibility).

Tools for phishing campaigns are available free of charge on the net, i. e. it is now possible even for laymen to launch such an attack.

Main distribution: HTML emails to unaware or inattentive Internet users.
Protection: In HTML emails, always check whether a link really points to the page it claims to point to; better still, deactivate HTML for email. Always check the sender's address (not just the displayed name)!

There are constant attempts to obtain TU Graz accounts. Please never react to such attempts: we will certainly never ask you for your password by email, and even if you reply with false data:
  • You reveal that your email address is active.
  • We cannot detect that you have answered with false data, but we do see that you have answered, and therefore we block your account to be on the safe side.
As the number of such attempts is increasing, we only send out warnings if the phishing is very well done (e. g. in good German/English, without typos, with email addresses that seem trustworthy etc.). In the case of badly done phishing (bad English, email addresses or web addresses that obviously have nothing to do with TU Graz) we assume that the users at TU Graz can recognize it as a fraud attempt themselves (e. g. by analyzing the header of the email).
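The two checks recommended above, comparing the real sender with the displayed one and comparing a link's visible text with its actual target, can be automated. The following is an added example (not a ZID tool); the messages are constructed, "uni.example" stands in for the institution's own domain, and the "registrable domain" heuristic (last two labels) is a simplifying assumption that a real filter would replace with a public-suffix list:

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real mail). "uni.example" stands in for the
# institution's own domain; all other domains are RFC 2606 example names.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-campaign.example>
From: "ZID Support" <support@uni.example>
To: user@uni.example
Subject: Your account will be closed
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm your password within 24 hours:</p>
<a href="http://uni.example.account-verify.example/login">https://online.uni.example/</a>
<p>Regards, <a href="https://www.uni.example/">ZID</a></p>
</body></html>
"""

# Same message with a matching envelope sender and an honest link.
SAMPLE_LEGIT = SAMPLE_PHISH.replace(
    "bounce@mail-campaign.example", "bounce@uni.example"
).replace("http://uni.example.account-verify.example/login", "https://online.uni.example/")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude 'registrable domain': the last two labels (assumption: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def header_domain(value):
    """Domain part of the address in a From/Return-Path header value."""
    return parseaddr(value)[1].rpartition("@")[2].lower()


# Something that looks like a host name or URL inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


def check_message(raw):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = header_domain(str(msg["From"] or ""))
    path_dom = header_domain(str(msg["Return-Path"] or ""))
    if from_dom and path_dom and registrable(from_dom) != registrable(path_dom):
        findings.append(f"Return-Path domain '{path_dom}' differs from From domain '{from_dom}'")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            m = HOST_IN_TEXT.search(text)
            if m and registrable(m.group(1)) != registrable(href_host):
                findings.append(f"link text shows '{m.group(1)}' but points to '{href_host}'")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_PHISH):
        print("suspicious:", finding)
```

Note that the Return-Path comparison only catches the lazy case: a careful attacker can set a matching envelope sender, so the link check and the user's own suspicion remain necessary.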

However, we now keep a list of phishing attempts known to us, so if you receive a "phish", you can check there if it is already known or report it to us otherwise.

Spear Phishing

This is the targeted sending of phishing emails, in which social engineering etc. is used to increase the hit rate, e. g. by pretending that the email comes from a colleague, a superior or the HR department, or from a customer, patient etc.
In most cases the aim is not to obtain account data but to smuggle a Trojan onto the system of the person attacked or to carry out a BEC (Business Email Compromise) attack, see CEO Fraud below.

Whale Phishing

The people who are targeted are those with whom the greatest impact can be achieved: Management, IT administrators, …

Dynamite Phishing

Very broadly spread spear phishing.

Pharming

Phishing lures inattentive users to false addresses (via emails), where web pages that deceptively mimic the real ones try to elicit passwords from the visitor. Pharming instead manipulates the name resolution of a computer (DNS spoofing).
Even if you select the correct address from your bookmarks or type it manually, you end up on the wrong page, because the scammers have managed to assign a different IP address to this web address. This can happen, for example, by adding a false entry to the local hosts file (e. g. by a Trojan), by foisting a false name server onto the computer (via DHCP or a direct entry), which then resolves the web address incorrectly, or by hacking the correct name server, which then provides a false resolution for all users of this network; any of these then enables a MITM attack, for example.

Main distribution: Trojans, viruses, "rogue" DHCP server.
Protection: Always check the site's certificate, especially if the browser warns that it is invalid or has changed.
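The first two pharming variants described above (a manipulated hosts file and a foisted name server) can be checked for on the client. The following is an added example, not a ZID tool: it parses a constructed hosts file and flags sensitive names pinned to a non-loopback address, and it compares resolver answers (constructed here; in practice the "local" set comes from the configured resolver and the "trusted" set from a resolver you have reason to trust). The domain names and the list of sensitive names are assumptions for the illustration:

```python
import ipaddress

# Constructed sample, not a real hosts file. The last line is the kind of entry
# a Trojan adds so that the correct name resolves to the attacker's server.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      intranet.uni.example      # legitimate internal name
203.0.113.66    online.uni.example bank.example   # injected override
"""

# Names that a workstation must never resolve via a local override (assumption).
SENSITIVE_NAMES = {"online.uni.example", "mail.uni.example", "bank.example"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: ignore the malformed line
        for name in fields[1:]:
            yield ip, name.lower()


def find_overrides(text, sensitive=SENSITIVE_NAMES):
    """Sensitive names that the hosts file pins to a non-loopback address -> {name: ip}."""
    hits = {}
    for ip, name in parse_hosts(text):
        if name in sensitive and not ip.is_loopback:
            hits[name] = str(ip)
    return hits


def compare_resolvers(local, reference):
    """Names for which the configured resolver answers differently from a trusted one.

    Both arguments map hostname -> set of address strings."""
    return {name: (local[name], reference[name])
            for name in reference
            if name in local and local[name] != reference[name]}


# Constructed resolver answers: the local resolver was pointed at a rogue server.
LOCAL_ANSWERS = {"online.uni.example": {"203.0.113.66"}, "www.uni.example": {"192.0.2.20"}}
TRUSTED_ANSWERS = {"online.uni.example": {"192.0.2.21"}, "www.uni.example": {"192.0.2.20"}}

if __name__ == "__main__":
    print("hosts-file overrides:", find_overrides(SAMPLE_HOSTS))
    print("resolver mismatches: ", compare_resolvers(LOCAL_ANSWERS, TRUSTED_ANSWERS))
```

A hit from either function does not prove an attack (split-horizon DNS and legitimate local overrides exist), but for names like a bank or the central login page it should always be explained before the password is typed.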

Drive-by Exploits

By exploiting security holes (vulnerabilities) it is possible to infect your computer just by visiting a manipulated website or opening an email.

Main distribution: Manipulated websites, emails.
Protection: Current browser, current plug-ins and add-ons. Up-to-date email program with disabled scripts/macros.

Blended Threats - Targeted Attacks

The combination of spam, phishing, spyware, viruses, … with fraud methods from the Web at the application level.
Targeted attacks are generally aimed at (known) vulnerabilities of the operating system used ("harden" your computers by installing only the programs you really need, and use a firewall), at vulnerabilities in widely used programs (e. g. PHP scripts or CMS vulnerabilities such as in WordPress on web servers), or at vulnerabilities in your own programs.

Main distribution: There are always more people than you think who are interested in either your data or your Internet connection!
Protection: Hardening of the operating system, use of an (application) firewall, checking of self-written software for vulnerabilities, installation of patches when vulnerabilities of used programs become known (read the corresponding RSS feeds or newsgroups or subscribe to the relevant mailing lists!)

The admin of a server and/or service must take care of the server (operating system) and/or service (e. g. CMS) on a daily basis!

Scareware

Scareware is software that reports the (apparent) infection of the computer with malware to the user in order to then offer to clean up the computer for a fee, the best-known example being the BKA Trojan.
Sometimes this is combined with a lock screen, which is then already a version of ransomware. However, the data is usually not lost: If you boot from a CD or USB stick, for example, you can restore the system because often only the start screen is manipulated.

Ransomware

In contrast, ransomware actually infects your computer, encrypts all data on the hard drive (or on all storage it can reach, including network drives) and only releases it again upon payment of a ransom.

Protection: Regular backup to an external (possibly changing) backup medium. Do not pay money: it is not guaranteed that you will really get the unlock code! Research whether there may already be decryption programs available.

Another form of blackmail is to threaten you with the publication of secret (e. g. patent development, company data, …) or private information (e. g. sextortion).

Protection: Such data should only be stored in encrypted form and access to it should be appropriately secured.

Hoax (Fake News)

Hoaxes are emails (mostly in chain letter form) that either warn about something or ask for something. They do not cause any damage per se, but the working time, network resources, etc. alone cost money.

Main distribution: Deliberate forwarding by ignorant Internet users.
Protection: In the case of chain letter-like emails, check whether this type is not already known as a hoax.

CEO Fraud ("Fake President Fraud", "Bogus Boss Email") or BEC

Through Trojans, but also through social engineering etc. (at Graz University of Technology this information is published in TUGRAZonline), it is found out who the boss (CEO) of a company is, what his emails usually look like and who is responsible for accounting/payments.
A fake email is then used either to get the accounting department to transfer money or to get employees to buy vouchers, for example.

Best known case in Austria: FACC (damage: 50,000,000 euros).

Deepfakes:
In the meantime, voice synthesizers are already being used to imitate the boss's voice and give instructions to pay by phone call.
It is probably only a matter of time before faces and voices are faked in real time on video calls.


Why Should I Keep my Username Secret?

There are 2 good reasons for this:

  1. If an attacker knows neither your username nor your password, it is much, much harder for them to "hack" an account.
  2. If an attacker knows your username, they can lock you out of many systems simply by entering false passwords until your account is blocked or access is at least delayed; i. e. even if they cannot get at your data, they can at least make sure that you cannot get at your data either (DoS).


Secure Password

Why does ZID require that your password is so long and complicated? It can't matter to ZID if someone gets access to your emails, can it?
The answer is that at Graz University of Technology the TU Graz password is used in many places and not all of these are secured by a second factor. An attacker who knows your password thus has access to many services, e. g. also the SMTP server via which the attacker can then send spam, for example, which then lands the TU SMTP server on blocklists. The consequence is that no one can send emails anymore (and this is not a constructed example, this has already happened several times).

Recommendations for passwords (not only in TUGRAZonline):

  • The longer, the better (minimum: 8 characters).
    A significantly longer password is more secure (against a "brute force" attack) than a complicated short one: a password with 6 characters from the character set
    1. upper and lower case letters
    2. 10 special characters
    (62 symbols, about 5.7 × 10^10 combinations) is exhausted by a modern CPU in under 10 minutes. Every additional character multiplies the search space by 62, so two characters more already mean a factor of about 3,800 (minutes become weeks; at 12 characters the same search would take on the order of a million years). This always assumes that the attacker has the password hash (offline attack); in the cloud it is correspondingly faster if you have enough money available.
  • At least 1 digit.
  • At least 1 letter.
  • At least 1 special character from ASCII 33 to 126 (although special characters like "-" at the beginning of the password can cause problems!).
  • No part longer than 3 letters
    • from a dictionary (de / en),
    • of a first or last name or
    • of the username.
  • Change as often as possible (monthly).
    There is a lot of discussion about this rule: a long password that is never passed on and that has never been used in the same or a similar form in other systems is, as long as there is no security incident, probably similarly secure.
  • A new password should differ from all old passwords (within a certain period of time) in at least 3 characters.
  • Case sensitive (upper and lower case).
  • Encrypted transmission only (HTTPS, IMAPS, …).
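The brute-force arithmetic behind the first recommendation is easy to reproduce. The following is an added example, not from ZID: it uses the FAQ's character classes (10 special characters rather than the full ASCII 33 to 126 range) and an assumed guess rate of 10^8 per second for one CPU against a fast, unsalted hash; real rates differ by orders of magnitude depending on the hash function and on whether GPUs are used, so treat the absolute times as illustrative and the ratios as the point:

```python
import math

# Character classes as in the FAQ's example (10 special characters); an assumption.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 10}

# Assumed offline guess rate for one modern CPU against a fast, unsalted hash.
# A slow, salted KDF (bcrypt, scrypt, Argon2) lowers this by several orders of
# magnitude; a GPU cluster raises it.
GUESSES_PER_SECOND = 1e8


def alphabet_size(classes):
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length, classes):
    """Number of candidate passwords of exactly `length` symbols from the given classes."""
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """Bits of entropy for a uniformly random password (not for a mnemonic one)."""
    return length * math.log2(alphabet_size(classes))


def seconds_to_exhaust(length, classes, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate; the expected time is half of this."""
    return keyspace(length, classes) / rate


def human_duration(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def table(classes, lengths=(6, 8, 10, 12, 16)):
    """Rows of (length, entropy in bits, time to exhaust) for the given classes."""
    return [(n, round(entropy_bits(n, classes), 1), human_duration(seconds_to_exhaust(n, classes)))
            for n in lengths]


if __name__ == "__main__":
    for length, bits, duration in table(("lower", "upper", "special")):
        print(f"{length:2d} characters  {bits:5.1f} bits  {duration}")
```

Adding a character class helps less than adding length: going from 62 to 72 symbols gains about 0.2 bits per character, whereas each extra character from the 62-symbol set gains about 6 bits.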

Such a password is generally quite complicated and difficult to remember. A hint on how to create a password that meets these criteria and is still not forgotten:

  1. Take a nursery rhyme, the chorus of your current favorite song, the title of the book you are reading, etc. and use the first and/or last letters of each word (acronymization method).
  2. Individual letters of this string are then encoded, based on their appearance, using special characters etc. (leetspeak). Example (but you should think up your own table/assignment!):
     B=I3  C=(  D=[)  G=6  H=I-I  i=!  K=I<  L=|_  M=|`1  N=I\I  O=0  S=5  T=7  U=I_I  V=\/  W=\/\/  Z=2
  3. In addition you can add e. g. "," and/or "." or a smiley (e.g. ;-)) to the resulting string; leetspeak alone does not make an insecure password secure, every attacker will try it!
So the password can be reconstructed at any time: you only have to remember which line the current password is derived from, which "encoding" you use for certain letters and at which position which further special character is inserted.
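To make the three steps and the rules above concrete, here is an added example (not ZID's password checker) that derives a password from a mnemonic phrase with the FAQ's table and then checks it against the recommendations. The word lists and the username are tiny constructed stand-ins for the real de/en dictionaries and name lists:

```python
import re

# The FAQ's substitution table (leetspeak). Use your own assignment in practice.
LEET = {
    "B": "I3", "C": "(", "D": "[)", "G": "6", "H": "I-I", "I": "!", "K": "I<",
    "L": "|_", "M": "|`1", "N": "I\\I", "O": "0", "S": "5", "T": "7", "U": "I_I",
    "V": "\\/", "W": "\\/\\/", "Z": "2",
}

# Tiny constructed word lists standing in for the de/en dictionaries and name lists.
DICTIONARY = {"sommer", "password", "twinkle", "university"}
NAMES = {"max", "muster", "mustermann"}


def acronymize(phrase, last_letters=False):
    """First (or last) letter of every word: the FAQ's acronymization step."""
    words = re.findall(r"[A-Za-z]+", phrase)
    return "".join(w[-1] if last_letters else w[0] for w in words)


def leet(text, table=LEET):
    """Replace letters that have an entry in the table (case-insensitive)."""
    return "".join(table.get(ch.upper(), ch) for ch in text)


def derive_password(phrase, suffix=";-)", table=LEET):
    """Mnemonic phrase -> acronym -> leetspeak -> extra punctuation/smiley."""
    return leet(acronymize(phrase), table) + suffix


def forbidden_parts(password, words, min_len=4):
    """Words of which a run of >= min_len letters occurs in the password (case-insensitive)."""
    low = password.lower()
    hits = set()
    for w in words:
        w = w.lower()
        if any(w[i:i + min_len] in low for i in range(len(w) - min_len + 1)):
            hits.add(w)
    return sorted(hits)


def check_policy(password, username, dictionary=DICTIONARY, names=NAMES):
    """Return the list of FAQ rules the password violates (empty list = acceptable)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not any(33 <= ord(c) <= 126 and not c.isalnum() for c in password):
        problems.append("no special character (ASCII 33-126)")
    if password[:1] == "-":
        problems.append("leading '-' may confuse command-line tools")
    parts = forbidden_parts(password, set(dictionary) | set(names) | {username})
    if parts:
        problems.append("contains part of: " + ", ".join(parts))
    return problems


def differs_enough(new, old, min_changes=3):
    """FAQ rule: a new password must differ from each old one in at least 3 positions."""
    changes = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))
    return changes >= min_changes


if __name__ == "__main__":
    pw = derive_password("Twinkle twinkle little star how I wonder what you are")
    print(pw, check_policy(pw, "mustermann") or "ok")
```

The dictionary check deliberately looks at runs of four or more letters rather than whole words, which is what "no part > 3 letters" means: "Sommer2024!" fails because "somm" is a run from a dictionary word, even though the whole password is not in any list.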

More hints can be found in our password policy.

TU Graz Password

The TU Graz passwords must not be used in systems not connected to TUGRAZonline, because the security might be much lower there! If an institute wants to protect data on the web with the TU Graz account, we offer a SSO solution with Shibboleth!

Password Storage

Many programs now offer you the possibility to save the password - we do not recommend to do this, because

  • depending on the program, passwords are stored (almost) unencrypted. Thunderbird/Firefox/Mozilla offer the possibility to encrypt this storage area with a master password: if you store passwords at all, you should use it by all means! Google Chrome does not use a master password, so anyone who has access to your computer has access to all passwords stored in Google Chrome!
  • so someone who gets access to your computer will also get access to all those applications (if they are not protected with a master password).
  • you, on the other hand, easily forget the password (since you never have to type it in) and then can't get in via someone else's computer (the master password has nothing to do with the TU Graz account!)
  • in case of an expired password you have to change it in all applications (or in the password manager for all applications).

However, the ZID offers you a secure way to store and also share your passwords: sesam.TUGraz.at.

Usage

Use the password (if possible) only on systems whose integrity is guaranteed to a high degree, on insecure systems you should better prefer an SMS-TAN system instead, which is also available for TUGRAZonline via the mobile signature.


Workplace Security

Safety and security in the workplace includes many points, which are suggested below:

  • fixed location of the equipment on the floor/table/shelf, etc.
  • lock the PC when leaving the workplace (screen saver with password etc.)
  • do not use simple passwords
  • lock the room when leaving
  • protect the PC against unauthorized use with a BIOS password
  • do not store data on the local hard disk (use network drives)
  • back up all user-related data before hardware replacement
  • back up data to backup media (network drives are backed up)
  • do not install unsafe additional software such as screen savers, games, etc.
  • possibly installation of an institute firewall by the IT representative (EDV-Beauftragte)
  • signing and possibly encryption of emails


Operating System Security

The security of the operating system software of a workstation requires the following additional settings or precautions:

  • Use of a securely installed/configured operating system (Linux, Mac, UNIX).
    Regarding Microsoft Windows, we would also like to refer you to the information provided by Microsoft.
  • Installation of current updates & patches
  • pay attention to current virus protection
  • if you use Outlook (Express), you have to deactivate the "attachment preview"!
  • always display the extensions of the files
  • activate the internal firewall of Linux/MacOS/Windows or install a personal firewall
  • disable Microsoft network functionality or do not use file and printer sharing
  • use SSH and SFTP instead of Telnet and FTP.

Use the Windows update server of ZID within the TU Graz!


Data Security

Please make sure that no data is stored locally on the workstation; always use a network drive instead. Then a defect of the local hard disk cannot cause an unpleasant loss of data!

The servers for the administration and the rectorate are backed up centrally by the ZID.

The institutes are usually responsible for backing up their data on institute servers themselves. Further information can be found under backup.


Server Security

To ensure trouble-free operation of all servers - and also network components - the machines of ZID are housed in special air-conditioned rooms and are also protected against power failures by an uninterruptible power supply (UPS). Furthermore, a fire protection system and an access control system are in place.

Servers in the institutes' premises that are not secured in this way should at least be protected against unauthorized access by a separate, locked and well-ventilated room and by locking the console.

There is a wide range of software tools that can be used for security control and monitoring of servers.

Access data (username/password) should only be given to users by the administrator in one of the following ways:

  • personally
  • in encrypted emails
  • via our password safe "sesam"


"Free" Network Sockets

Network sockets in (semi)public areas of TU Graz (corridors, seminar rooms, lecture halls, lounges etc.) may only be in one of the following 3 states:

  1. unpatched (i.e. without connection to TUGnet)
  2. private IP range from which a TUGnet IP address (and thus Internet connectivity) can only be obtained after authentication (PPPoE, possibly also VPN)
  3. special IP range for printers, scanners etc., from which only special services (FTP, email) can be reached and which itself can only be reached from certain areas of TUGnet (e. g. the VLAN of the organizational unit) for special services (e. g. printing).
If there are network sockets in (semi)public areas in the area of an organizational unit of Graz University of Technology, then it must be checked whether these network sockets are in one of the states mentioned above.
If not, the ZID has to be contacted, otherwise the head of the organizational unit is liable for any misuse!


Network

In the network area of the administration, in the sub-centers and the premises of ZID, a solid basic security is established by ZID through appropriate configurations of routers and switches as well as the use of virtual networks and a careful hardware renewal.

Next Generation Firewall

An NGFW scans traffic for abnormal patterns (e. g. web traffic on a port not normally used by web servers) and blocks unwanted communication. All network traffic of Graz University of Technology (i. e. also outgoing traffic!) is checked for possible attack attempts (whether deliberate or unknowing, e. g. caused by malware), with the exception of email traffic, which is routed via the central mailgates anyway.
If an attack is detected, it is blocked, but the computer's permitted connections are not affected.
If you suspect that a service is being blocked (by the NGFW) by mistake, please send us an email. Due to the large amount of data, log files are only kept for a very short time, so it is often difficult to determine afterwards why something was blocked; the process must then often be reproduced.

Traffic Shaper

Computers infected with malware are blocked at the transition to the Internet by a TUGRAZonline application at the traffic shaper, IPs without DNS entry are automatically blocked.

You can find the status of your own IPs (and a possible reason for blocking like worm or virus or portscan etc.) in TUGRAZonline, the EDV Beauftragten can see the status of each IP in the IP range they are responsible for.

When an IP is blocked, an email with the reason for the block is sent to the "owner" of the IP - each IP should therefore be assigned to a person (as has long been the case), and conversely, only those IPs should be assigned to a person for which that person is actually responsible (this may well have consequences under criminal, civil and official law!). You can also find this blocking reason for an IP (except in the email) by clicking on the status in the host name administration and then going to "Detail" view.

Firewall

The areas of administration and the central database servers of TU Graz are protected by a central firewall.
Institutes are responsible for securing their network infrastructure themselves, but are supported by ZID depending on the available resources (e. g. setting up "open source" firewalls or using a "virtual" firewall of ZID).


Application Security: Never Trust the Client!

Comprehensive security measures should be implemented in several layers - like an onion or matryoshka:
Already at the network level we try to detect and minimize certain potential dangers (e. g. by port blocking); the NGFW detects certain attacks and blocks them as well; the firewall can restrict access to certain IPs or certain protocols; and we also support the "hardening" of the operating system. Where we currently cannot help (yet) is with (self-developed) programs, e. g. in the web server environment, which may be vulnerable: if a web page is called normally but with invalid parameters, it is the task of the application's programmer to prevent damage from occurring. An "application firewall" is currently not operated by ZID!

Examples for such attack scenarios on application level:

SQL Injection

If your (web) application is based on an SQL database, you must check whether additional SQL code can be injected via input fields or call parameters; pass user input to the database only through parameterized queries (prepared statements), never by concatenating it into the statement text.
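An added example, not from ZID or any TU Graz application, showing the check described above: the same login query written by string concatenation and with bound parameters, run against an in-memory SQLite database with one constructed user. The payload is a textbook injection string; the hashing is only there so the example stores no plaintext password and is not a recommendation for a password store (use a salted, slow KDF for that):

```python
import hashlib
import sqlite3


def pw_hash(password):
    # Illustration only: real applications use a salted, slow KDF (scrypt, bcrypt, Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db():
    """In-memory database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 ("alice", pw_hash("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """VULNERABLE: user input is concatenated into the SQL statement text."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{pw_hash(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the driver sends the values separately from the SQL text,
    so a quote in the username can never change the structure of the statement."""
    sql = "SELECT id FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash(password))).fetchone() is not None


# Classic payload: closes the string literal, adds an always-true condition and
# comments out the rest of the WHERE clause (including the password check).
PAYLOAD = "' OR '1'='1' --"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD, "anything"))
    print("safe login with payload:      ", login_safe(db, PAYLOAD, "anything"))
```

The resulting statement in the vulnerable case is `SELECT id FROM users WHERE username = '' OR '1'='1' --' AND pw_hash = '…'`, which returns the first user regardless of password; the parameterized version looks for a user literally named `' OR '1'='1' --` and finds none.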

Parameter Tampering

The same approach can also work with "normal" programs in scripting languages: in this case no SQL statements are injected, but either commands in the respective scripting language (e. g. Perl or PHP) or direct calls to other programs stored on the server. If PHP's include() is given a parameter that the user controls, external code is loaded and executed on the server; this is also known as file inclusion (sometimes called server-side XSSi, by analogy with cross-site scripting).

Other possible vulnerabilities

Cookies, session parameters, hidden field tampering, format strings, FormMail


Instant Messaging, P2P, Skype, Bluetooth, …

Please note that with many "modern" applications there is a great risk that your computer will be infected with malware:
Virus filters do not take effect here when exchanging data - so hands off if you do not know exactly which options to activate!

Please always consider the GDPR when using new programs and ask the DPC if it is legally possible to use them at TU Graz at all!

In the case of Skype:

  • Skype bypasses pretty much every firewall.
  • Skype is therefore not a protocol/program supported at TU Graz.
  • Skype should therefore not be used as an official contact option at TU Graz.


What to Do in Case of a (New) Threat?

Computer not yet infected

  1. Update operating system (continuously)
  2. Apply security patches (as soon as available)
  3. Update antivirus software and firewall or keep them up to date

Infected computer

  1. Disconnect computer from network
  2. Report infection to ZID
  3. In case of a criminal incident, leave the computer in this state to preserve evidence; otherwise:
  4. Reinstall the operating system or at least remove the malware from computer
  5. Install or activate firewall
  6. Apply patches (e.g. via floppy disk/CD/USB stick/external drive)
  7. Only now re-establish a network connection

If the computer is locked by ZID:

  1. Possibly wait for the blocking period (applies only to external access)
  2. Send an email to the NOC with the TU Graz user name (external access) or the blocked IP address (internal TU Graz computer).

We ask you to keep yourself informed about security relevant matters (read e. g. RSS feeds or newsgroups or subscribe to the relevant mailing lists!), as this is part of your obligations in TUGnet!
