scientific and technical website design projects news

Security bulletin: Fraud against learned societies

Online fraud has hit pandemic proportions over the last two years. The increased volume of attacks is annoying, but profiling techniques are making these attacks a lot harder to spot, and societies are being targeted…

Learned societies face some unique challenges in combating fraud:

  • The executive officers for the society typically carry out their duties in their spare time, and consequently communications between them rely on email …
  • Background details for the executive officers are easily obtained through the society website, their academic website pages and from any social media presence they might have.
  • The details of any conferences or meetings being run by the society are a matter of public record (you are advertising them) – so a short list of likely financial transactions can be compiled.

A recent attack started with a personal email purporting to be from the chairman to the treasurer – apparently harmless, it asked how the treasurer’s family was in passing. This reference encouraged the treasurer to believe that the email address was genuine, while in fact the personal information mentioned in passing had been scraped from social media. Subsequent emails asked about how the society’s audit was proceeding, and finally asked the treasurer to pay the audit team using the bank details provided.

The sum involved was not astronomical, but a nice fee for an hour’s work profiling the executive committee, and a couple of email messages. In this instance the plan was foiled because the treasurer cc’d the chairman’s genuine email account into the last email confirming that he had made the payment. Thankfully the chairman was also working over the weekend, spotted the email, and got in contact in time to get the transaction reversed.

Why did the attack come so close to working?

The attacker used a reasonable email address in the ‘from’ email header. It looked like a genuine University address, but did not actually exist. This address was never used in any communications with the fraudster: the ‘reply to’ address (which you will often not bother to look at, but which is what your email client will actually send your reply to) was something entirely different. Note that some email clients will pick up on this mismatch and flag a possible phishing attack.
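As an added illustration (not part of the original bulletin), the following Python script shows how the ‘from’/‘reply to’ mismatch described above can be checked automatically, together with the simpler check of whether a familiar display name is paired with the officer’s known address. The officer roster, the addresses and the two sample messages are all constructed for this example; `example.ac.uk` and the other domains are placeholders, not a real society’s addresses.

```python
"""Flag the header tricks described in the bulletin: a plausible From: address
paired with a different Reply-To:, and a display name that matches a known
officer while the address does not.  Roster and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Tuple

# Hypothetical roster of society officers: display name -> genuine address.
# These addresses are placeholders constructed for the example.
OFFICER_ROSTER: Dict[str, str] = {
    "Dr A Chair": "a.chair@example.ac.uk",
}

# Constructed sample: the From: line looks like the chair's university
# address (a sub-domain that does not exist), and replies would go to an
# unrelated webmail mailbox via Reply-To:.
SPOOFED_MESSAGE = """\
From: Dr A Chair <a.chair@mail.example.ac.uk>
Reply-To: chair.society@example-webmail.invalid
To: treasurer@example.org
Subject: Audit

How is the audit going?
"""

# Constructed sample: genuine roster address, no separate Reply-To:.
GENUINE_MESSAGE = """\
From: Dr A Chair <a.chair@example.ac.uk>
To: treasurer@example.org
Subject: Audit

How is the audit going?
"""


def _addr_parts(header_value: str) -> Tuple[str, str, str]:
    """Return (display name, full address, domain), all lower-cased except the name."""
    name, addr = parseaddr(header_value or "")
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name.strip(), addr, domain


def check_message(raw: str, roster: Dict[str, str] = OFFICER_ROSTER) -> List[str]:
    """Return a list of warnings for the raw message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    warnings: List[str] = []

    from_name, from_addr, from_domain = _addr_parts(msg.get("From"))
    _, reply_addr, reply_domain = _addr_parts(msg.get("Reply-To"))

    # 1. Reply-To pointing somewhere other than the From address: the reply
    #    goes to the attacker even though the From header looks right.
    if reply_addr and reply_addr != from_addr:
        if reply_domain != from_domain:
            warnings.append(
                f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}"
            )
        else:
            warnings.append(
                f"Reply-To address {reply_addr!r} differs from From address {from_addr!r}"
            )

    # 2. A known officer's display name, but not the address on the roster.
    known = {name.lower(): addr.lower() for name, addr in roster.items()}
    if from_name.lower() in known and known[from_name.lower()] != from_addr:
        warnings.append(
            f"Display name {from_name!r} used with non-roster address {from_addr!r}"
        )

    return warnings


if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, check_message(raw) or ["no warnings"])
```

Run against the two constructed messages, the genuine one produces no warnings and the spoofed one produces two: the Reply-To domain differs from the From domain, and the chair’s display name is paired with an address that is not on the roster. A mail client that shows the ‘reply to’ address is doing the first of these checks for you; the roster check is the equivalent of keeping a written list of your officers’ real addresses.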

The attacker inserted some personal details into the email from Social Media that encouraged acceptance of the email at face value. Typically executive officers only meet up a couple of times a year, so the attacker does not need to know the target’s personal life in depth (do you remember what you said to the chairman after the conference in September 2020 anyway;-).

The attacker worked on a weekend. Society executives will typically work weekends, as they are trying to fit Society work around their day job; but this is likely to delay any response from your bank, and increase the chance of the attacker getting away with the cash…

Is it only the treasurer that should be alert?

Generally a fraudster is after money, so the treasurer is the most attractive target within the Society. The Society’s membership details can also be relatively easily monetised, however. Loss of this information would open the Society to the possibility of blackmail, but the information can be leveraged with very little risk by sending your members bogus requests for membership or conference fees…

How would you stop this attack?

To prevent this sort of attack you need a means of confirming the identity of the person you are communicating with. You can go down the route of WW2 spies and issue pass-codes or one-time pads to your executive (there are modern equivalents, for example two-factor authentication, email authentication etc., but they are not as easy to deploy), or you can arrange a brief video call, which raises the bar for any imposter, even in these days of fake news…

It is a very rare occasion that a transaction is so time critical that it cannot wait a couple of days for you to schedule a video call. If it is, the chairman will probably want to discuss it face to face anyway!

See also: The other virus pandemic

Barry Kaye, July 22nd 2021

TFI Network+

Screenshot from the TFI Network+ website.

The UK’s Engineering and Physical Science Research Council has provided £2M of funds to form the TFI Network+, which has the objective of connecting scientists and UK foundation industries (glass, concrete, ceramics, paper and chemicals) to remain competitive whilst simultaneously facing challenges from environmental legislation.

The website offers a membership section, within which members can find partners and submit proposals for funding. Each proposal consists of two uploaded documents – the personal details of the applicants, and the anonymised application itself. Within the administration section proposals to each funding call can be viewed, and proposals can be scored to easily rank them prior to making funding decisions.

The membership section is based on our well established work for Society websites, while the proposal upload section is a custom development for this project. We also developed the Network logo and site design in consultation with the clients.

The home page features an interesting application of the CSS ‘sticky’ class. Typically you might use this to keep the header row in a table in view while the data scrolls underneath it (‘freeze cells’ in spreadsheet terminology). Here, however, we have used it to build a graphic depicting the overall activities of the TFI Network+ from a bullet point list of each of the main objectives. Making this work in desktop and mobile views (and anything in between) proved an interesting styling problem.

BioMedEng Association

Screenshot from the desktop version of BioMedEng Association website.

The Association of Biomedical Engineers, Medical Engineers and Bioengineers (BioMedEng Association) represents a broad membership that use engineering tools and techniques to solve problems arising from biology and medicine.

The new website allows the BioMedEng Association to offer membership discounts to its annual conferences while reducing the exposure of members’ personal details to the local conference management committee. Each annual conference can be run in a separate WordPress instance using the Multisite option in the WordPress installation. Member integration is offered through a set of custom WordPress plugins. Colours, banner and footer areas can be changed in the default conference sub-sites, providing the conference organisers with the option of easily developing their site based on the parent BioMedEng Association appearance. The conference sub-site templates offer registration management, account overviews, and private pages for registrants. Payments are readily managed through PayPal; typically the local conference organiser can set up their own PayPal account to manage these finances.

George & Dragon, Lancaster

George and Dragon logo, remastered from the pub-sign original by Barry (Sept. 2020).

The George and Dragon is one of the oldest pubs in Lancaster – it has been serving beer for longer than many countries have existed! It was a great pleasure to work with Mike and Anne to develop this new website for them – allowing visitors to check what is available without crowding around the bar.

The new website is driven by a custom administration section that allows Mike to add new beers to his cellar, and put them on the virtual bar at the click of a button. The one-page site is built around Google’s ‘Rich Results’ platform, providing meta-data to help publicise opening times, current selection of beers, and events (when these become possible).

The George and Dragon (centre) on the historic Quay in Lancaster. (Photo by Barry, Nov. 2017)

To keep their patrons safe during the COVID-19 crisis, the George is offering at-table service in their beer garden:

The George & Dragon pub, Lancaster

Viruses and viruses

Amongst the unwelcome side effects of the COVID-19 pandemic is an increase in phishing and hacking activity. Perhaps as a result of the reduced opportunities during lock-down, smaller websites and companies are finding themselves on the receiving end of quite carefully targeted phishing and hacking attacks.

To add to the problem, attacks are becoming a lot more sophisticated; I was quite impressed by one effort asking me to log in to my account at Gooql adwords, to re-activate my account.

Less dangerous, but no less annoying, is the upswing in unsolicited spam. Most of this is now also carefully profiled to match your potential personal interests or business requirements. It almost makes you nostalgic for an invitation to look after a few million dollars from a Liberian Prince…

(When is Elon going to get back to me with those bitcoins?)

Blockprint your mug with SVG!

We’ll start with a real web design conundrum: how do you build a site that is interesting, but does not overload my server, your data connection, or your device’s processing capability? I guess you might also appreciate my not using up all of this month’s data allowance too!

You can start block printing your mug design with this traditional gardener’s plea: Grow, damn you!

Flower blockprint dev

Here I have built a large-ish graphic using the block printing concept; a concept I first encountered on the mugs my mother owned in the ’60s. The design is generated by repeating three simple graphical elements. When you click the ‘Grow, damn you!’ link these are assembled in a step-wise fashion to generate a pseudo-random pattern. I believe there are 274 million different final designs possible; most permutations look OK, though some are more visually interesting than others.

Does it work? Well, if you have read this far, then yes! Putting this into numbers for comparison: the code required to generate the block-print comes in at under 4kB. The photograph shown below comes in at 44kB…

Photograph of a wildflower.

I think both images are quite pleasing; clearly they would serve very different roles in a website, and would be used in different circumstances. When a technique like this is appropriate, however, you can enhance your visitors’ experience at minimal cost to yourself OR to your visitor (what is not to like?)*

If you like the design you have generated you can get it printed on a mug at the T shirt Studio (link below), but you will need to zoom in on the graphic (it is SVG, so you can zoom the page as much as you need without it pixelating – this will not work for the photograph;-), and grab a screenshot first – as the design will (almost certainly) be different the next time you visit!

tshirtstudio (other online printers are available).

* Custom art is ALWAYS expensive to create; the saving is in ensuring your server gets pages to more (up to 10× more) potential visitors (customers?) for the same infrastructure cost!

Mobile statistics (2)

In 2015, we noted that access to websites through mobile devices was a vital consideration in any new website design. Back then the headline figures from Ofcom were somewhat exaggerated, being based on kB of data transferred, but claimed 61% of web traffic was through mobile devices. This was not reflected in statistical reports based on visitor numbers to ‘normal’ websites, or in our own observations of browsing statistics on clients’ websites.

A personal glimpse of current browsing habits (July 2020) suggests that our clients’ websites are now more closely in line with the earlier Ofcom report:

Visitors to commercial websites now split approximately evenly between desktop and mobile devices, while visitors using a tablet come in at about 20% of the total.

Visitors to our academic websites, in contrast, have more conservative browsing habits: Most academics have access to a larger desktop device which they use for research, and the statistical split is closer to 80% on desktops, with most of the remaining visitors being on smaller mobile devices, and only about 1% accessing sites through tablets. For some academic sites there will also be issues with getting access to an internal site that is only available over a VPN, but that is not a factor in these statistics.

Despite the change in visitor profile, very few modern websites pay more than lip-service to design for mobile use. The design principle stops at cramming a large desktop site (the one the boss sees in the design briefs) into a smaller format, with no consideration of the reduced processing power and bandwidth that these devices have access to, or the increased cost a visitor may experience in downloading a graphics-heavy website…

Wilkinson Charitable Foundation

Logo of the Wilkinson Charitable Foundation.

The Wilkinson Charitable Foundation was established under a Trust Deed made by the late Professor Sir Geoffrey Wilkinson in 1978. Sir Geoffrey Wilkinson needs no introduction to fellow chemists, being the 1973 Nobel Prize winner for his work developing Organometallic Chemistry, but also as the co-author of ‘Cotton and Wilkinson’ the standard undergraduate inorganic chemistry text for many years.

The Foundation has been acting behind the scenes for many years, offering studentships and prizes for chemistry related activities. Recently the board decided that the Foundation would be better served by having an online presence.

We used a standard WordPress template (‘Twenty Seventeen’), minimising development costs for the Foundation whilst providing a fully featured website. Our role was in helping to prepare content for inclusion in the site, including images and video hosting.

UK Society for Biomaterials

The UK Society for Biomaterials (UKSB) is a non-profit organization working to develop novel biomaterials to tackle current clinical needs for medical devices, prosthetics and for regenerative medicine. Their membership interests include medical materials science, biosensors, biomechanics, biocompatibility, tissue engineering, and many other subjects.

The site is fully mobile compatible. It is built in WordPress, to permit the society to add and edit content, and includes a separate membership section, where members can add a brief profile and gallery of work to illustrate their scientific activity.

Screenshot of the UKSB website from a mobile device.

The WordPress installation has a custom Newsletter (see our previous post on society newsletters), and a facility for uploading banner images. Banner images are automatically saved at multiple resolutions to optimise site performance – lower resolution images being served initially, and for mobile devices, to ensure the site responds quickly to visitor requests. Higher resolution banners download after the page has been displayed, and quietly replace the low res. version, giving the appearance of the image snapping into focus. On mobile devices the initial low res. version is adequate for the smaller display area, and the high res. version is not downloaded, to save the visitor’s bandwidth costs.

Membership payments, including a reminder system, are automated. Payments are made through PayPal.

On-line Safety System

Biohazard icon.

Developed with the School of Medicine at the University of Sheffield, the On-line Safety System (OSS) provides a gateway to safety management for members of the School. It includes CoSHH, which has been adapted to make it more relevant for biological agents. There is also an on-line substance safety data catalogue, and the Standard Operating Procedures library. The Risk Assessments system (STAR), developed for the University, is linked from within OSS.

Recent iterations of the CoSHH system, upon which OSS is based, have included a great deal more focus on the evaluation of exposure to substances during a procedure, though each client views this requirement in different ways, and has evolved different procedures for capturing this information as part of their assessment process.

Existing CoSHH assessments can be electronically signed by other users.

The update also introduced provision for the establishment of standardised processes. In this users could opt to electronically sign an existing CoSHH assessment, rather than publishing a new assessment for each process they wished to undertake. This change ties in well with the operation of the School of Medicine, where most users only encounter potentially hazardous substances as part of a well documented procedure, such as fixing histology slides.

The ability to sign existing, approved CoSHH assessments greatly simplifies the management of CoSHH. The administrator has fewer procedures to evaluate, but can be more thorough in ensuring that a full and accurate process is described in them. The balance of the work of managing safety within the laboratory environment is then checking that the user wanting to undertake the procedure is sufficiently trained and competent to do so. This task can generally best be undertaken by the academic supervisor in the first instance, as she will have direct experience of working with the student involved.

The OSS system can only be accessed by members of the University of Sheffield:

On-line Safety System