Information Security Updates
Many people mistakenly believe they are not a target for cyber attackers: that they, their systems, or accounts do not have any value. This could not be further from the truth. If you use technology in anyway, at work or at home, trust us - you have value to the bad guys. But, you are in luck. You already have the best defense there is against these cyber attacks - you. SANS OUCH!
An email message with Subject: Request for Input - UNI Branding Effort is being delivered to many faculty, staff, and perhaps student inboxes this week. I have had several conversations with recipients who are concerned about the legitimacy of this message. This message is legitimate.
While the From: address is a non-UNI address, it is the expected address for email originating from our Qualtrics survey tool. Other clues that this is a legitimate message include:
- A Reply-to: of csbr@uni.edu. Additionally, the content in the body of the message discusses contacting CSBR for questions or administrative issues with the survey.
- The link(s) in the message have a domain of uni.co1.qualtrics.com, the proper domain for Qualtrics surveys administered by UNI.
I understand and greatly appreciate your vigilance regarding this message, especially in the midst of our Phishing Education initiative. Keep up the good work!
A security flaw in libssh leaves thousands of servers at risk of hijacking.
Excerpt: "The vulnerability allows an attacker to bypass authentication procedures and gain access to a server with an SSH connection enabled without having to enter the password. An attacker can do this by sending the SSH server "SSH2_MSG_USERAUTH_SUCCESS" message instead of the "SSH2_MSG_USERAUTH_REQUEST" message that a server usually expects and which libssh uses as a sign that an authentication procedure needs to initiate. Because of a coding error, when libssh receives the "SSH2_MSG_USERAUTH_SUCCESS" message, it will interpret this as the "authentication has already taken place" and will grant the attacker access to the local server."
Source: Catalin Cimpanu, ZDNet Date
Published: October 17, 2018
To read the complete article see: https://www.zdnet.com/article/security-flaw-in-libssh-leaves-thousands-of-servers-at-risk-of-hijacking/
UNI embarked on a phishing education venture starting last October and continuing through April. Simulated but realistic phishing messages were sent periodically to faculty and staff mailboxes by a contracted vendor. Those that respond to these educational messages received some quick and specific training on recognizing and avoiding future phishing messages. Tips for dealing with phishing messages in general are available at Phishing
Here's a summary of the messages sent throughout the academic year.
-
FedEx missed delivery - October: https://it.uni.edu/phishing-education-23452
-
Deprovisioning followup - November: https://it.uni.edu/phishing-education-deprov
-
UNI Coffee Club offer - January: https://it.uni.edu/phishing-education-coffee
-
Target discount offer - February: https://it.uni.edu/phishing-education-53789
-
Google alert - March: https://it.uni.edu/phishing-education-72113
-
CatID Passphrase expiring - April: https://it.uni.edu/phishing-education-97953
Free credit freezes and year-long fraud alerts are here, starting September 21, 2018, thanks to a new federal law. Here’s what you should know: https://it.uni.edu/free-credit-freezes-are-here
This morning has brought another round of scam emails that purport to be from President Nook, but that are not using his real UNI address. An example address that was used was "drmarknook@gmail.com". Personal messages to you from President Nook will come from his normal UNI address, "Mark.Nook@uni.edu". Mass messages will be from a different address, usually "president@uni-mail.org".
The initial content of this morning's scam message was very short and cryptic:
Are you available now?
A response to that message went to a human and generated a conversation that ends with a request for you to purchase several iTunes gift cards for which reimbursement will made. This is an outright scam. The criminals aren't after your credentials or identity, they just want your money! Recognize the fake message from the beginning, mark it as spam, and delete it.
Millions of mobile devices from eleven smartphone vendors are vulnerable to attacks carried out using AT commands, a team of security researchers has discovered.
AT (ATtention) commands, or the Hayes command set, is a collection of short-string commands developed in the early 1980s that were designed to be transmitted via phone lines and control modems. Different AT command strings can be merged together to tell a modem to dial, hang up, or change connection parameters.
The story continues at https://www.bleepingcomputer.com/news/security/smartphones-from-11-oems-vulnerable-to-attacks-via-hidden-at-commands/
Back to School: COBALT DICKENS Targets Universities
Despite indictments in March 2018, the Iranian threat group is likely responsible for a large-scale phishing campaign that targeted university credentials using the same spoofing tactics as previous attacks. Continue the story at https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities
Given our Adobe licenses, there may not be a lot of use of ghostscript on campus, but if you're using it anyway, there are a number of vulnerabilities identified yesterday. See https://www.kb.cert.org/vuls/id/332928 for details. From the CERT page:
Ghostscript contains multiple -dSAFER sandbox bypass vulnerabilities, which may allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.
UPDATE: See the end of the article for information on how to delete and disable much of Google's tracking information
Is your mobile device spying on you? It may be doing just that! Let's look at the two major mobile arenas, Apple iPhones and Google Android phones.
Apple explains how Siri listens for "Hey, Siri" without eavesdropping and how it keeps Siri usage anonymous. Siri uses a buffer, or a chunk of audio that's continually recorded over, to listen for the "Hey, Siri" trigger phrase. Once the trigger is heard, it records the user's question or command. This recording is sent to Apple with an anonymous identification number that isn't tied to an individual's Apple ID. More on the Apple story here: https://nakedsecurity.sophos.com/2018/08/13/siri-is-listening-to-you-but-shes-not-spying-says-apple/
Google wants to know where you go so badly that it records your movements even when you explicitly tell it not to. An Associated Press investigation found that many Google services on Android devices and iPhones store your location data even if you've used privacy settings that say they will prevent it from doing so. Computer Science researchers at Princeton University confirmed these findings at the AP's request. More on this story is here: https://www.securityweek.com/google-tracks-your-movements-it-or-not
The bottom line - check your device's privacy settings, both overall and on a per-app basis. Set them to levels that you feel comfortable with. If you find that the app doesn't adhere to your settings, complain to the app's authors and consider using an alternate app that provides a similar function.
UPDATE: How to Find and Delete Where Google Knows You've Been
The first thing to do, regardless of device, is to login to myactivity.google.com and go into "Activity Controls." Disable "Web & App Activity" and "Location History" to stop Google from storing location markers on your Google account. Some services won't work well (or at all) without these features, such as Google Assistant or a Google Home speaker. Additional details are in this AP News article: https://www.apnews.com/b031ee35d4534f548e43b7575f4ab494/How-to-find-and-delete-where-Google-knows-you%27ve-been
Pages
- ITTC 36
- (319) 273-5555
