It looks like Apple is not the only big player to have issues with SSL/TLS. The GnuTLS library is commonly used by Linux systems for secure communications, and a vulnerability (CVE-2014-0092) has been discovered with regards to certificate verification functions which may cause an attacker to view confidential information without your knowledge or authorization. This vulnerability has been confirmed on major distributions, including Ubuntu, RHEL, Slackware and Oracle Enterprise Linux.
System administrators should patch or upgade their computer systems when possible. This is currently classified as a medium level vulnerability, so while immediate resolution is not necessarily required, please take note and work this into your next upgrade cycle.
If you have sent an email from your Wayne Connect account to a Hotmail, MSN, or Live.com email address within the past week, you probably had it bounce back as “undeliverable.” That’s because these email providers have flagged Wayne Connect as a source of spam.
How did this happen? It’s the result of a long chain of events:
- Spammers send phishing messages to Wayne Connect accounts. Some users — even a handful– take the bait and send in their AccessID and password
- Or, the spammers used passwords from LinkedIn accounts to break into a Wayne Connect account — because the Wayne Connect user’s passwords were identical on both systems
- Spammers use the compromised AccessIDs to send millions of spam messages
- Spam recipients report spam to Real-Time Blackhole List (RBL) services such as SpamCop
- Multiple reports to the RBL service “confirm” that Wayne Connect is a spam source, and it is placed on the RBL.
- Email providers check the RBL to make a quick decision about an incoming message that originated from Wayne Connect. If Wayne Connect is on the RBL, they bounce the message and send some cryptic info mentioning SMTP Error 550.
- Wayne Connect support staff is alerted about the RBL status; locate the compromised Wayne Connect accounts and close them down; then contact the RBL services to remove Wayne Connect’s entry.
- The RBL services wait several days to process the request, to make sure that the spam has truly stopped.
- Email resumes flowing again after Wayne Connect is removed from the RBL services.
As you can see, even if just a few people are victimized by spammers, it can spell trouble for many other Wayne Connect users. You can help by being vigilant when handling your email. Here are some good tips to remember (adapted from Microsoft’s Safety & Security Center):
- Before you click, preview a link’s web address. Move your mouse pointer over a link without clicking it. The address should appear on the bottom bar of your web browser. Official Wayne State web addresses always end in wayne.edu
- Check the spelling. Spammers often use deliberate, easily overlooked misspellings to deceive users. Examples that we have seen include wanye.edu and waney.edu
- Carefully evaluate contact information in email messages. Watch out for spelling errors or if no phone number provided. One recent phish used the non-existent email address email@example.com — which looks legitimate, but no phone number was provided.
If you have found a phish — report it! Just follow these simple instructions on WSU’s IT Knowledgebase.
If you’re in doubt, just leave the email message alone and contact the C&IT Help Desk 313-577-4778.
If you want to learn more ways to identify phish, check out our Is an email legitimate? guide.
Got questions? Post them below!
I was fortunate enough to be able to talk today on WDET-FM about the recent Yahoo! Voices account compromise, as well as other recent scamming trends and some simple tips on how you can make your passwords harder for intruders to guess. Take a listen:
On July 12, 2012, over 450,000 clear-text passwords were disclosed in relation to Yahoo! Voices accounts. The datafile containing this information is circulating throughout the Internet, and multiple media outlets are reporting on this situation:
You can check to see if an email address you have registered with Yahoo! Voices was part of the data breach:
If you find your email address while searching the above site, it is strongly recommended that you change your passwords *immediately*. This information is public and can be used by anyone at any time. While the above website is courteous enough to not display the disclosed password, any individual can download the datafile and view it unhindered. Hackers frequently will use credentials from one system to social engineer their way into other systems, so no account is too insignificant.
Recently, I got a chance to speak with Craig Fahle on WDET-FM about recent computer security issues occurring here on campus. We discussed an interesting “phishing expedition” recently perpetrated around Wayne State and what you can do to make your information safer:
C&IT’s security staff learned about a new form of phishing that has been spotted at several universities, and we want you to be aware of the technique that the Bad Guys are using.
A small number of people at multiple sites are getting physical mail, not email, indicating a possible security issue they should be aware of. Details are supposedly included on an enclosed DVD. Individuals targeted range from upper management to researcher/student assistant. Nobody is safe.
The DVD contains an executable you are supposed to run that contains the details. In reality it contains a trojan horse that snaps a screenshot every few seconds and uploads it to a remote command/control site. The malware runs as the user, and isn’t picked up by antivirus.
If you receive such a package, please get in contact with C&IT as soon as possible. DO NOT insert the DVD into your system. If you have any questions, please contact the C&IT Help Desk at 313-577-4778 or firstname.lastname@example.org
Making good passwords can sometimes be a challenge. On the one hand, you want something that will be relatively easy for you to recall so that you can access your account. On the other hand, you need a password that is strong enough to withstand guessing or “cracking” attempts that often occur on the Internet. I freely admit that it’s a balancing act, and not an entirely pleasant one.
For me, probably the *single* most frustrating aspect of creating a strong password is that each system uses different rules for what is required and prohibited in passwords. The rules enforced for your AccessID password are different from your accounts that you use for your online banking, Amazon, iTunes, your household utilities, credit cards, etc.
When creating or changing a password, look out for the following “gotchas”:
- What is the maximum number of characters it can use?
- Can I use special characters or punctuation?
- Am I required to use numbers or uppercase letters? How many?
While using the same password for all of your online accounts is bad, creating some sort of pattern or schema for how you create your passwords is actually one of the recommended ways on how you can keep your online identities secure. In the end, you need to create a password that is meaningful to you, while meaningless to everybody else.
- Avoid using a single common word. Attackers frequently use lists of words from the dictionary when trying to brute-force their way in.
- The longer the password, the better! Even adding 3 characters to your password can make it over 140,000 times harder to guess if you are using uppercase and lowercase letters.
- Stay a little abstract. For example, say you enjoy birdwatching, and want to incorporate that meaning into your passwords. Don’t use “birdwatch” or anything similar to that. Instead, think of a place or a time in which you had a really good time birdwatching. Then, recall an object or a thing that stuck out in your mind at that time. Use that final idea as part of your password pattern.
- Use more than just lowercase characters, if the system allows it. You do not need to go overboard, but simply having a single instance of a number, an uppercase character, and a special character increase your security by several orders of magnitude. Doing this also helps protect your password from dictionary attacks.
- DON’T simply add a number to the end of your current password. All the bad guys know you do this, and alter their attacks slightly to compensate.
Knowing all of this, let’s break out a little math to show how much more important it is to add complexity into your passwords. In the case of a 10 Character Password:
|Character Sets Used in Password:||Possible Combinations:|
|Lowercase & Uppercase:||144,555,105,949,057,024|
|Lower/Upper & Numbers:||839,299,365,868,340,224|
|Lower/Upper/Numbers & Special Characters:||59,873,693,923,837,890,625|
Over 59 quintillion ways to create a 10-character password if you follow all of the rules above…wow! Knowing all of this, what are some examples of good passwords? Well, keeping in mind any possible restrictions that the password system may have, using the above principles you can generate passwords similar to these:
Steeple Gardens @August
R0tten Tree Stump Beneath The Wind0w
Lastly, never give up hope! Many times I have sat on a password screen, desperately trying to come up with a good password that meets all of the inane requirements of their system. In the end, it IS worth it! Having the peace of mind that your online identity is secure and is less likely to be hijacked by unscrupulous people is a good thing indeed.
It wasn’t that long ago that things were so much simpler! Before you may have only had to worry about your password for your email account. In today’s brave new world, you have passwords for your phone, your WiFi (at home and at work), your banks, your utilities, your magazine subscriptions, etc. etc. It’s a lot of accounts to keep track of! This series of articles over the next few weeks will give you some practical ways to manage this headache.
Sadly, all these wonderful tools to help manage your life also have a nasty dark side: with the exponential rise in computer crime, they can be used by other people to manage your life for you. Or, at least, drain your bank account and use your identity to commit fraud. The best way to combat this is to start with a change in mindset: you can no longer think of your password as just a way to check email from your family. Your passwords are your life! A competent criminal can do just as much damage to your life with access to your electronic records as they can with your Social Security Number. No sane person would give up their SSN to a stranger, and you should think THE SAME WAY in regards to your passwords.
Many institutions dictate that any activity done with your account is your responsibility. The reasoning is that ONLY YOU should know the password to access your account, thus any activity on your accounts MUST have been authorized by you. This has resulted in several tricky legal scenarios in both civil and criminal court.
The moral of the story: PASSWORDS ARE CRITICAL! This is important so I will say it again – Passwords are like underwear:
- Change them often;
- NEVER share them with others;
- Leaving them out in the open is something kids do;
- It can be really hard to part ways with one you are used to, but it needs to be done.
Next time, I will share some tips on how create good passwords. In the meantime, feel free to use the comments to ask questions or share your thoughts!
Common tips to always keep in mind:
- Beware of misspellings, broken links or undisplayed images in emails.
- Hover over email links to see if they will take you to reputable sites. In this case, hovering over the link brings you to:
- Visit websites by typing their address directly into your browser bar. Avoid clicking email links if you are not expecting them!
- If something seems too good or too strange to be true, it probably is. Proceed with caution!
Several local and national news outlets have been reporting on the potential consequences of the DNSChanger Trojan recently, and I have fielded several inquiries about what is going on. Here is a quick rundown on the situation:
DNSChanger is a Trojan family from 2007 that, when you got infected, changed your DNS server settings to point to other malware DNS servers, as opposed to your normal trusted ones. The idea being, if you control a computer’s DNS settings, you can also control what comes up when you go to any particular webpage. Infected computers were being redirected to illicit and virus-riddled websites, thus propagating the problem even further.
The FBI took this seriously, and in 2011 with the assistance of Estonian law enforcement, arrested the responsible individuals and additionally seized those rogue DNS servers and domains. They made sure that no more malicious activity was going on, but then they came to the sad realization that the moment they power down those rogue servers, all the infected computers will be slightly borked because their programmed DNS servers will no longer respond to requests. Originally slated for shutdown on March 8, the servers will now stay online until July 9 just so that the 100k+ infected computers don’t grind to a standstill. Meanwhile, they are trying to get out the word for people to check their settings by going to a website such as:
More information regarding the DNSChanger Trojan can be found at the following FBI publication:
Thankfully, none of those 100,000 infections appear to be here on Wayne State’s campus. Network logs do not show any DNS traffic going to these malicious domains, and IT Security staff receive notifications from our ISP (Merit) when they detect DNSChanger traffic as well. Perhaps once every two weeks I get a single notification that a student’s laptop on the Wireless is infected, but that is all.
Thankfully, I do not believe that there will that large of a negative impact when July 9 rolls around. The “fix” for cleaning your computer of this is remarkably simple, and can usually be performed without any special tools or software. Unfortunately, when the news hears that “the government can shut down hundreds of thousands of computers” rumors and emotions can start to flare pretty quickly.