Next Thursday, January 26, is National Data Privacy Day. Data privacy is becoming more and more crucial as our personal data is being collected, used, and mined in all sorts of ways that we could not even fathom a few years ago. Think for a second – how would YOU want organizations and companies to use information they collect about you and your family? How could disclosing personal details on Facebook and Instagram affect you in the future? What is that “free” app scanning and analyzing so you can play that hot new game? Should it be alright or acceptable for the maker of your SmartFridge to report back when you are low on milk? Questions like these need to be thought about and answered as we keep moving forward in this information age.
So mark your calendars and come on down! The Privacy Office, C&IT, and University Libraries are sponsoring a web-based talk that day from 1:00 pm to 2:00 pm in the Simons Room, on the first floor of Purdy/Kresge Library. Refreshments will be provided! Relax, step away from your daily routine, and listen in on this crucial growing area of data privacy.
Speaking is Cindy Compert, Chief Technology Officer for Data Security and Privacy at IBM. Further details about the talk can be found here:
Later this spring, additional live speakers will be announced. Watch Geoff Nathan’s ProfTech blog and campus announcements like this one for details. The goal of our campaign is to raise awareness of privacy as an important issue and perhaps to gather a group of people on this campus who are interested in ongoing conversation about these issues.
Thanks, and looking forward to seeing many of you there!
Two posts from IT Security in a single day? Say it isn’t so! Don’t worry, this one is relatively painless.
It’s time to deal with our not-so-favorite time of the month, Microsoft Patch Tuesday. Happily, Microsoft released *only* four patches yesterday — and one of them is a patch for Adobe Flash Player. Told you it was relatively painless!
More information regarding the January patches can be found here:
C&IT is testing and deploying these updates to our enterprise and supported desktop environments this week. It is strongly recommended that you update your computer with these important security fixes; Wayne State computers should be patched by departmental IT staff, while any personal computers will usually download and install them automatically:
Stay safe and stay patched!
Good morning all,
Happy New Year to everyone! I hope that you all had an enjoyable and relaxing break.
One of our higher education brethren in California did not enjoy a nice break; Los Angeles Valley College was just hit with ransomware on their central servers which encrypted all email and shared files. This brought all operations to a standstill and unfortunately, because of a lack of security controls, the college forked out $28,000 in bitcoin in order to get back in business:
Ransomware is a serious threat — thankfully there are a few easy ways you can protect yourself from downtime and financial (and reputation) loss:
- Ensure you have backups of critical data on removable or offline media
Any departmental shared drives you use should be backed up on a regular basis to media that malware cannot access. This can be tape, a USB drive, or a hard drive that nobody has access to remotely. Your backups do no good if the malware can just encrypt and hold those files hostage too. And make sure to test your restore procedures every few months to make sure your backups can save you!
- Use Application Whitelisting
C&IT DeskTech began using application whitelisting after the “invoice.zip” outbreak, to outstanding success. By only permitting software signed by known vendors (or manual exceptions by file hash), the initial malware that could encrypt all your files CANNOT RUN. It’s hard to get infected when the OS refuses to run unknown software!
- Limit Administrator Privileges
This should be old hat by now, but it’s still important, especially for the people on this list — limit any administrative privileges on your accounts. This includes removing accounts from a computer’s local “Administrators” group, as well as using DIFFERENT accounts when YOU need to perform administrator actions. Best practice is for you to use one account for your day-to-day office work and to do a special “Run As” execution when running any administrative programs. This way, any damage caused by malware should be limited to just one computer or user profile instead of an entire network or domain.
As always, thank you for the hard work you do in keeping the university safe and secure from these electronic threats.
Alright, now that I have your attention, I can try to explain the slightly convoluted scenario that Microsoft has foisted onto us.
First of all, any vanilla Windows 8 systems are not affected. For the time being, systems running Windows 8 will continue to receive their updates as scheduled.
However, if you are running Windows 8.1, you will be required to install “Windows 8.1 Update” in order to meet Microsoft’s new product baseline and continue to receive security updates for your operating system. This Update (with a Capital U) is the rough equivalent of a Service Pack, and Microsoft will require this Update to be installed if you want to get any security updates published in the future.
Home users should update their systems with this “Update” by May 13 to remain supported, while enterprise customers and systems have been given a small reprieve and have until August 12 to make the same changes. If you do not patch by this time, the *only* patch available to you will be this lovely “Update” instead of anything more current. From the Microsoft website:
“…the Windows 8.1 Update is a required update to keep Windows 8.1 devices current. It will need to be installed to receive new updates from Windows Update starting on May 13th. The vast majority of these customers already have Automatic Update turned on, so they don’t need to be concerned since the update will simply install in the background prior to May 13th. For customers managing updates on their devices manually who haven’t installed the Windows 8.1 Update prior to May 13th, moving forward they will only see the option to install the Windows 8.1 Update in Windows Update. No new updates will be visible to them until they install the Windows 8.1 Update.”
Any C&IT DeskTech managed systems will be taken care of during this transition process; however, due to our diverse desktop deployment, I wanted to make sure that all of our campus system administrators are properly aware of this interesting wrinkle.
Microsoft has revealed that a fresh vulnerability has been discovered for all versions of Internet Explorer. Specifically, there is a way for malicious code to run on your computer if you use Internet Explorer (Versions 6 through 10) and visit some bad web content. Microsoft is actively working on a security patch which should be available in a few days. In the interim, refrain from using Internet Explorer when browsing to unknown or unfamiliar websites. The US Department of Homeland Security is also recommending that a different browser be used until a security patch is delivered.
While these vulnerabilities are not new, this part is: Windows XP WILL NOT have a fix for this. If you are still running Windows XP, your computer will be vulnerable to the end of time and there is no way to properly secure yourself. Microsoft will not be providing any further support for Windows XP, so if you are still running it, today should be a sign that you should upgrade as soon as possible.
But wait, there’s more! Unfortunately we are hit with a double-whammy today. Adobe just came out with a critical patch for yet another zero-day vulnerability completely unrelated to the above IE exploit. Thankfully, Adobe has a software patch available to address this issue. Computers that have Flash (and whose doesn’t?) need to have it updated immediately. You can check your current version of Flash – and update it as well – at the following site: http://helpx.adobe.com/flash-player.html
More info regarding the Adobe exploit:
Last night, a new server vulnerability was disclosed on the Internet that is sending shockwaves and causing large amounts of frustration and pain around the world. Certain versions of OpenSSL, which is used to encrypt web traffic, have been discovered to have a gaping security hole which can allow a remote attacker to read the memory of a vulnerable server. This attack can be performed remotely and without any authentication whatsoever. More information regarding this critical vulnerability can be found at:
Wayne State C&IT became aware of this issue late last night, and immediately began an analysis to see how much of our computing environment was affected and what the potential risk would be. Thankfully, no critical systems (Banner, Wayne Connect, Blackboard, Pipeline, WiFi, Academica) are currently at risk.
Centrally-managed servers have been addressed and/or patched at this point. Other system administrators, including persons supporting hosted systems, have also been contacted to ensure their applications are up to date and secure. We are running periodic scans of our computing environment to discover any systems which may need additional assistance.
We are continuing to monitor the progress of these events, and will keep the community informed of any developments.
Microsoft and the IT community have been talking about it for months (if not years), but the time is almost here when Windows XP will no longer be supported by Microsoft. This means no new security updates or patches will ever be created – the final set of updates will be coming out on April 8, 2014. After that, no official support will be provided for problems with Windows XP, and any vulnerabilities discovered will remain unfixed until the end of time. This is bad news, as any remaining XP systems could be easily exploited by attackers intent on stealing your data or controlling your computer.
If you have a computer that is still running Windows XP, please finalize any plans to upgrade or replace it during the next month. Information regarding some of your options can be found here:
Official publications regarding this situation can be found here:
It looks like Apple is not the only big player to have issues with SSL/TLS. The GnuTLS library is commonly used by Linux systems for secure communications, and a vulnerability (CVE-2014-0092) has been discovered in its certificate verification functions which may allow an attacker to view confidential information without your knowledge or authorization. This vulnerability has been confirmed on major distributions, including Ubuntu, RHEL, Slackware and Oracle Enterprise Linux.
System administrators should patch or upgrade their computer systems when possible. This is currently classified as a medium level vulnerability, so while immediate resolution is not necessarily required, please take note and work this into your next upgrade cycle.
If you have sent an email from your Wayne Connect account to a Hotmail, MSN, or Live.com email address within the past week, you probably had it bounce back as “undeliverable.” That’s because these email providers have flagged Wayne Connect as a source of spam.
How did this happen? It’s the result of a long chain of events:
- Spammers send phishing messages to Wayne Connect accounts. Some users — even a handful — take the bait and send in their AccessID and password.
- Or, the spammers use passwords from LinkedIn accounts to break into a Wayne Connect account — because the Wayne Connect user’s passwords were identical on both systems.
- Spammers use the compromised AccessIDs to send millions of spam messages.
- Spam recipients report spam to Real-Time Blackhole List (RBL) services such as SpamCop
- Multiple reports to the RBL service “confirm” that Wayne Connect is a spam source, and it is placed on the RBL.
- Email providers check the RBL to make a quick decision about an incoming message that originated from Wayne Connect. If Wayne Connect is on the RBL, they bounce the message and send some cryptic info mentioning SMTP Error 550.
- Wayne Connect support staff are alerted about the RBL status, locate the compromised Wayne Connect accounts and close them down, then contact the RBL services to remove Wayne Connect’s entry.
- The RBL services wait several days to process the request, to make sure that the spam has truly stopped.
- Email resumes flowing again after Wayne Connect is removed from the RBL services.
As you can see, even if just a few people are victimized by spammers, it can spell trouble for many other Wayne Connect users. You can help by being vigilant when handling your email. Here are some good tips to remember (adapted from Microsoft’s Safety & Security Center):
- Before you click, preview a link’s web address. Move your mouse pointer over a link without clicking it. The address should appear on the bottom bar of your web browser. Official Wayne State web addresses always end in wayne.edu.
- Check the spelling. Spammers often use deliberate, easily overlooked misspellings to deceive users. Examples that we have seen include wanye.edu and waney.edu.
- Carefully evaluate contact information in email messages. Watch out for spelling errors or a missing phone number. One recent phish used the non-existent email address email@example.com — which looks legitimate, but no phone number was provided.
If you have found a phish — report it! Just follow these simple instructions on WSU’s IT Knowledgebase.
If you’re in doubt, just leave the email message alone and contact the C&IT Help Desk at 313-577-4778.
If you want to learn more ways to identify phish, check out our Is an email legitimate? guide.
Got questions? Post them below!
I was fortunate enough to be able to talk today on WDET-FM about the recent Yahoo! Voices account compromise, as well as other recent scamming trends and some simple tips on how you can make your passwords harder for intruders to guess. Take a listen: