Spear Phishing attempt

Now this post is not directly to do with HICS (or SSL inspection, shock horror). However, I have been contacted by a secondary school who has received a targeted spear fishing attempt. The email appeared to be sent from the head teacher to one of the office staff with the relevant text:

Hope your day is going on well , I need you to send out a same day UK to UK
Faster  payment immediately , Kindly email me the required details you will need to send out the payment. I will appreciate a swift email response.
Kind regards.

Despite appearing to, the email was not sent from the head teacher, and the relevant headers show that it was in fact sent from a disposable Yahoo email account. My understanding is that this has been brought to the attention of the relevant email provider and restrictions could be imposed at their end. However, there is very little that myself or Updata can do about this, but it certainly does not do any harm to bring this to your attention.





Posted in Email | Leave a comment

SSL communication

Please see the attached communication that has gone out to all schools on SSL.
Man in the Middle – school comms


Kevin Crawley

Posted in Uncategorized | Leave a comment

Meeting at Updata

Please find attached a copy of the minutes from the recent school’s forum with Updata. Can I please also take this opportunity to thank people for their input and time. I will arrange something again for later on in the year but in the meantime, if anyone has any related queries please get in touch in the normal way.
HICS network managers event June 2015


Kevin Crawley



Posted in Service | Leave a comment

Prepare yourself for SSL inspection

I have added a new page onto the blog, I strongly suggest you read it: http://hics.lea.herts.sch.uk/tech/content-filtering/ssl-inspection/

As explained in the above URL, Google advise they will be making some changes and this will impact your school. If you wish to continue with the existing safe settings, you will need to import the certificate into all devices on your network. Browsing here: http://ssl-filtering.updata.net will provide the instructions required to talk you through what needs to be done. There is also a large message in the middle of the page which clearly tells you whether or not the certificate has been correctly installed or not. Once you are happy that this has been deployed throughout the network, Updata need to enable SSL inspection for your school. Updata are looking to roll this out in a controlled manner. Whilst this is a sensible stance, I am equally keen for Updata to proceed as quickly as possible! However, I strongly suggest you get the certificates deployed throughout the network so you are ready to go. Once you have done this, please email sitss.internet@lea.herts.sch.uk to advise.

Some key points:

Google’s safe search will be forced on with or without SSL inspection – so you will not lose that functionality don’t worry. Once Google make the change scheduled for 24/6, without SSL inspection the search keywords functionality will disappear. This means, that users will be able to search on any term they wish…and get a ‘safe’ return because the Google safety mode will still kick in. With SSL inspection turned on, users will once again be restricted as to what term they can search on.

This is HTTPS already.. Without SSL inspection (as it stands), ALL searches and images in Yahoo will come up when searching, hence the reason for restricting access to this website for WF1 users only. There is no filtering on the search results in Yahoo. However, with SSL inspection enabled, the safety settings will return. Please be aware that for the foreseeable future, Yahoo will stay on WF1 only.

YouTube is also currently HTTPS but with SSL inspection enabled, all unsafe videos will not be viewable. As it stands users can currently disable safety mode. In truth, we receive very few related queries on this… But it’s something to be aware of.

Bing has a HTTPS site (only accessible on WF1) and without SSL inspection, it produces unsafe results. The HTTP site is fully accessible, search keywords work and safety mode is forced on. With this in mind, you may want to suggest this search engine for the time being.

The transparent proxy:
For now, SSL inspection will not be available on this network. The proxy component needs to be changed and discussions are under way for this to happen. Google safe search will be forced on for these users. Further communications will follow..

Import the certificates first:
If Updata enable SSL inspection first, users will get error messages when trying to browse to Yahoo, Google and Yahoo. So once you are happy with you preparation, please then get in touch with us.

IP addresses:
If you have a particular IP addresses you do want to have SSL inspection deployed for, we can arrange this. I’ll give you an example why you may want this.. We have trialled 10 schools on the network for this. One of them reported that their active directory was no longer syncing with the Google cloud, so Updata disabled this particular IP address from having the SSL inspection capabilities – even though it was permitted for the rest of the LAN. The issue has since been fixed by Updata and SSL has been turned on for this IP address once again.

Myself and my colleagues have been busy highlighting these pending changes to schools. Communications are being sent out, and Head Teachers have been briefed on this, so you are likely to be asked questions.

As ever, if you do have any queries on this please get in touch. If you’d be kind enough to email sitss.internet@lea.herts.sch.uk in the first instance, it would be appreciated.


Kevin Crawley


Posted in Web Filtering, Websites | Leave a comment

SSL inspection – action required from schools

As you may recall, last year Yahoo made some changes to the way it retrieves search results. It now diverts users to their HTTPS site, rather than the HTTP site that it previously used. The effect of this change compromised eSafety as this disabled some of the safety features available on HICS..

With this in mind, the decision was made by ICT in Schools Partnership Working Group (head teacher and governor representatives) to restrict access to this website and it was subsequently put on our WF1 filtering level. Yahoo were actually following Google’s lead whereby Google had done the same a year or so before. However what Google also done at the same time was to make available a cluster of HTTP servers. This allowed Updata (and other network providers) to set up a DNS record forcing all requests for Google to go through these HTTP servers.

However, we believe that on June 24th, Google will be discontinuing this clusters of servers. Updata will then send all requests back to the HTTPS site. Rather than restrict access to Google, and to combat this growing trend, the decision has been made by ICT in Schools Partnership Working Group to deploy Man in the Middle technology. This technology has already been successfully adopted by a number of other LAs. It has the capability to decrypt the HTTPS session to apply the necessary safety features.

Man in the Middle technology will decrypt all HTTPS traffic. With this in mind, HICS will have a ‘white list’ detailing which websites to decrypt so as data is only decrypted where necessary. For example, even though this technology has the capabilities to decrypt online banking websites, we will leave banking websites from the list of websites that we will decrypt.

To facilitate the change, instructions will soon be provided and a communication will be sent out to all schools. With June 24th approaching, I was hoping for all the communications to go out at once. But I am aware the clock is ticking so I thought it might be wise to prepare the techies out there. Updata are currently trialling the SSL inspection facilities for another LA but I am told all appears to be going well. Assuming Updata are ready to roll this out in Hertfordshire, schools will then need to import a CA Certificate into their server, or import the details individually for standalone machines. Once the certificate has been correctly installed, you will need to contact the SITSS connectivity Service Desk who will raise a service request with Updata for SSL to be enabled.

Without this action, schools will no longer be able to benefit from the filtering and protection that the HICS network offers. As explained previously though, a communication and step by step instructions will soon be sent out.

Please contact me if you have any queries.


Kevin Crawley

Posted in Service Improvements, Web Filtering, Websites | 2 Comments