UCL Computer Security Newsletter - November/December 2008
The purpose of this newsletter is to keep all security reps and other interested parties informed about what is happening around UCL regarding computer security. Further information from the Computer Security Team is always available at http://www.ucl.ac.uk/cert.
0. As a follow-up to Friday's phishing frenzy, I attach a colour poster as a pdf to this newsletter. It came from MessageLabs and is part of a free package for educating end-users. Feel free to print it out and put it up around your department.
F-Secure Client Security (version 8) is on https://www.ucl.ac.uk/fsecure/
2. Policy documents
Ensure you use the correct link for the information security policy and the individual supporting policies such as the Computing Regulations, which should be given as http://www.ucl.ac.uk/cert/swg/public/Regulations.html (shown when you hover over the main page) and not as http://www.ucl.ac.uk/cert/swg/public/Regulations_ISC_200809.html which is what appears in the URL bar once you click.
This is so that policies can change without having to change referring pages, but it is always clear which version you are getting.
Ensure, too, if you have written local variations, that these keep in line and refer correctly to the originals.
3. Blocking dangerous extensions
This is now in place on central mail servers. Managers of departmental mail servers are strongly advised to block these files on their own servers if they do not already do so.
4. Computer Misuse Act update
The amendments to the Computer Misuse Act 1990 contained in the Police and Justice Act 2006 were finally brought into force in England and Wales (they've been in force in Scotland for a while) on October 1st 2008. Denial of service attacks are now clearly criminal offences.
The new 3A offence of "Making, supplying or obtaining articles for use in offence under section 1 or 3" is now in force. The Crown Prosecution Service have produced guidance to prosecutors providing some indication that those without criminal intent will be distinguished from the real bad guys.
There is a report from Out-law at http://www.out-law.com/page-9592
The texts of the new sections 3 and 3A are in sections 36 and 37 of the Police and Justice Act 2006 at http://www.opsi.gov.uk/Acts/acts2006/ukpga_20060048_en_7#pt5-pb2-l1g35
The CPS prosecutors' guidance is at http://www.cps.gov.uk/legal/a_to_c/computer_misuse_act_1990/
Please note all correspondence from the UCL Computer Security Team is digitally signed either with personal PGP keys or the CERT team key (public keys available from http://www.ucl.ac.uk/cert/contacts.html).
This newsletter and previous ones are available at http://www.ucl.ac.uk/cert/cst-newsletters/index.html (except currently the March 2007 one as that had sensitive information in it).
We welcome feedback on the content and organisation of documents on our web page.