Last night, a new server vulnerability was disclosed on the Internet that is sending shockwaves and causing large amounts of frustration and pain around the world. Certain versions of OpenSSL, which is used to encrypt web traffic, have been discovered to have a gaping security hole which can allow a remote attacker to read the memory of a vulnerable server. This attack can be performed remotely and without any authentication whatsoever. More information regarding this critical vulnerability can be found at:
Wayne State C&IT became aware of this issue late last night, and immediately began an analysis to see how much of our computing environment was affected and what the potential risk would be. Thankfully, no critical systems (Banner, Wayne Connect, Blackboard, Pipeline, WiFi, Academica) are currently at risk.
Centrally-managed servers have been addressed and/or patched at this point. Other system administrators, including persons supporting hosted systems, have also been contacted to ensure their applications are up to date and secure. We are running periodic scans of our computing environment to discover any systems which may need additional assistance.
We are continuing to monitor the progress of these events, and will keep the community informed of any developments.
Microsoft and the IT community have been talking about it for months (if not years), but the time is almost here when Windows XP will no longer be supported by Microsoft. This means no new security updates or patches will ever be created – the final set of updates will be coming out on April 8, 2014. After that, no official support will be provided for problems with Windows XP, and any vulnerabilities discovered will remain unfixed until the end of time. This is bad news, as any remaining XP systems could be easily exploited by attackers intent on stealing your data or controlling your computer.
If you have a computer that is still running Windows XP, please finalize any plans to upgrade or replace it during the next month. Information regarding some of your options can be found here:
Official publications regarding this situation can be found here:
It looks like Apple is not the only big player to have issues with SSL/TLS. The GnuTLS library is commonly used by Linux systems for secure communications, and a vulnerability (CVE-2014-0092) has been discovered in its certificate verification functions which may allow an attacker to view confidential information without your knowledge or authorization. This vulnerability has been confirmed on major distributions, including Ubuntu, RHEL, Slackware and Oracle Enterprise Linux.
System administrators should patch or upgrade their computer systems when possible. This is currently classified as a medium level vulnerability, so while immediate resolution is not necessarily required, please take note and work this into your next upgrade cycle.
If you have sent an email from your Wayne Connect account to a Hotmail, MSN, or Live.com email address within the past week, you probably had it bounce back as “undeliverable.” That’s because these email providers have flagged Wayne Connect as a source of spam.
How did this happen? It’s the result of a long chain of events:
- Spammers send phishing messages to Wayne Connect accounts. Some users — even a handful — take the bait and send in their AccessID and password
- Or, the spammers used passwords from LinkedIn accounts to break into a Wayne Connect account — because the Wayne Connect user’s passwords were identical on both systems
- Spammers use the compromised AccessIDs to send millions of spam messages
- Spam recipients report spam to Real-Time Blackhole List (RBL) services such as SpamCop
- Multiple reports to the RBL service “confirm” that Wayne Connect is a spam source, and it is placed on the RBL.
- Email providers check the RBL to make a quick decision about an incoming message that originated from Wayne Connect. If Wayne Connect is on the RBL, they bounce the message and send some cryptic info mentioning SMTP Error 550.
- Wayne Connect support staff are alerted to the RBL listing, locate the compromised Wayne Connect accounts and close them down, then contact the RBL services to remove Wayne Connect’s entry.
- The RBL services wait several days to process the request, to make sure that the spam has truly stopped.
- Email resumes flowing again after Wayne Connect is removed from the RBL services.
As you can see, even if just a few people are victimized by spammers, it can spell trouble for many other Wayne Connect users. You can help by being vigilant when handling your email. Here are some good tips to remember (adapted from Microsoft’s Safety & Security Center):
- Before you click, preview a link’s web address. Move your mouse pointer over a link without clicking it. The address should appear on the bottom bar of your web browser. Official Wayne State web addresses always end in wayne.edu
- Check the spelling. Spammers often use deliberate, easily overlooked misspellings to deceive users. Examples that we have seen include wanye.edu and waney.edu
- Carefully evaluate contact information in email messages. Watch out for spelling errors or a missing phone number. One recent phish used the non-existent email address firstname.lastname@example.org — which looks legitimate, but no phone number was provided.
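As an added illustration of the two link-checking tips above (example code written for this post, not C&IT's own tooling): it accepts a link only when its host is wayne.edu or a subdomain of it, rejecting look-alikes such as notwayne.edu, and flags hosts within a couple of edits of wayne.edu, such as the wanye.edu and waney.edu misspellings quoted above. Approximating the registered domain by the last two labels is an assumption made for this example.

```python
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "wayne.edu"  # the post: official Wayne State addresses end in wayne.edu


def host_of(link):
    """Lower-cased hostname of a URL, without any trailing dot."""
    return (urlparse(link).hostname or "").lower().rstrip(".")


def is_official(link):
    """True only for wayne.edu itself or a subdomain of it.

    A plain endswith("wayne.edu") test would also accept notwayne.edu,
    so the check insists on a label boundary (the dot) before the domain.
    """
    host = host_of(link)
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_typosquat(link, max_distance=2):
    """Flag hosts whose registered domain is a near-miss of wayne.edu.

    Assumption for this example: the registered domain is approximated by the
    last two labels, which is enough for .edu look-alikes such as wanye.edu.
    """
    if is_official(link):
        return False
    base = ".".join(host_of(link).split(".")[-2:])
    return 0 < edit_distance(base, OFFICIAL_DOMAIN) <= max_distance


if __name__ == "__main__":
    # Constructed sample links, modelled on the misspellings quoted in the post.
    for link in ("https://computing.wayne.edu/", "http://wanye.edu/login", "http://notwayne.edu/"):
        verdict = "official" if is_official(link) else "typosquat?" if looks_like_typosquat(link) else "other"
        print(link, verdict)
```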
If you have found a phish — report it! Just follow these simple instructions on WSU’s IT Knowledgebase.
If you’re in doubt, just leave the email message alone and contact the C&IT Help Desk 313-577-4778.
If you want to learn more ways to identify phish, check out our Is an email legitimate? guide.
Got questions? Post them below!
I was fortunate enough to be able to talk today on WDET-FM about the recent Yahoo! Voices account compromise, as well as other recent scamming trends and some simple tips on how you can make your passwords harder for intruders to guess. Take a listen:
On July 12, 2012, over 450,000 clear-text passwords were disclosed in relation to Yahoo! Voices accounts. The datafile containing this information is circulating throughout the Internet, and multiple media outlets are reporting on this situation:
You can check to see if an email address you have registered with Yahoo! Voices was part of the data breach:
If you find your email address while searching the above site, it is strongly recommended that you change your passwords *immediately*. This information is public and can be used by anyone at any time. While the above website is courteous enough to not display the disclosed password, any individual can download the datafile and view it unhindered. Hackers frequently will use credentials from one system to social engineer their way into other systems, so no account is too insignificant.
Recently, I got a chance to speak with Craig Fahle on WDET-FM about recent computer security issues occurring here on campus. We discussed an interesting “phishing expedition” recently perpetrated around Wayne State and what you can do to make your information safer:
C&IT’s security staff learned about a new form of phishing that has been spotted at several universities, and we want you to be aware of the technique that the Bad Guys are using.
A small number of people at multiple sites are getting physical mail, not email, indicating a possible security issue they should be aware of. Details are supposedly included on an enclosed DVD. Individuals targeted range from upper management to researcher/student assistant. Nobody is safe.
The DVD contains an executable you are supposed to run that contains the details. In reality it contains a trojan horse that snaps a screenshot every few seconds and uploads it to a remote command/control site. The malware runs as the user, and isn’t picked up by antivirus.
If you receive such a package, please get in contact with C&IT as soon as possible. DO NOT insert the DVD into your system. If you have any questions, please contact the C&IT Help Desk at 313-577-4778 or email@example.com
Making good passwords can sometimes be a challenge. On the one hand, you want something that will be relatively easy for you to recall so that you can access your account. On the other hand, you need a password that is strong enough to withstand guessing or “cracking” attempts that often occur on the Internet. I freely admit that it’s a balancing act, and not an entirely pleasant one.
For me, probably the *single* most frustrating aspect of creating a strong password is that each system uses different rules for what is required and prohibited in passwords. The rules enforced for your AccessID password are different from those for the accounts you use for online banking, Amazon, iTunes, your household utilities, credit cards, etc.
When creating or changing a password, look out for the following “gotchas”:
- What is the maximum number of characters it can use?
- Can I use special characters or punctuation?
- Am I required to use numbers or uppercase letters? How many?
While using the same password for all of your online accounts is bad, creating some sort of pattern or schema for how you build your passwords is actually one of the recommended ways to keep your online identities secure. In the end, you need to create a password that is meaningful to you, while meaningless to everybody else.
- Avoid using a single common word. Attackers frequently use lists of words from the dictionary when trying to brute-force their way in.
- The longer the password, the better! Even adding 3 characters to your password can make it over 140,000 times harder to guess if you are using uppercase and lowercase letters.
- Stay a little abstract. For example, say you enjoy birdwatching, and want to incorporate that meaning into your passwords. Don’t use “birdwatch” or anything similar to that. Instead, think of a place or a time in which you had a really good time birdwatching. Then, recall an object or a thing that stuck out in your mind at that time. Use that final idea as part of your password pattern.
- Use more than just lowercase characters, if the system allows it. You do not need to go overboard, but simply having a single instance of a number, an uppercase character, and a special character increases your security by several orders of magnitude. Doing this also helps protect your password from dictionary attacks.
- DON’T simply add a number to the end of your current password. All the bad guys know you do this, and alter their attacks slightly to compensate.
Knowing all of this, let’s break out a little math to show how much adding complexity to your passwords matters. In the case of a 10-character password:

| Character sets used in password | Possible combinations |
|---|---|
| Lowercase & uppercase | 144,555,105,949,057,024 |
| Lower/upper & numbers | 839,299,365,868,340,224 |
| Lower/upper/numbers & special characters | 59,873,693,923,837,890,625 |
Over 59 quintillion ways to create a 10-character password if you follow all of the rules above…wow! Knowing all of this, what are some examples of good passwords? Well, keeping in mind any possible restrictions that the password system may have, using the above principles you can generate passwords similar to these:
Steeple Gardens @August
R0tten Tree Stump Beneath The Wind0w
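The arithmetic behind the table and the “140,000 times harder” figure, carried through as an added example (written for this post, not C&IT’s own code): it reproduces the three table rows, the growth factor for three extra mixed-case letters, and then scores the two sample passwords above by the character classes they actually use. Treating “special characters” as the 32 ASCII punctuation marks plus the space (33, for 95 printable symbols in total) is an assumption that matches the table’s third row.

```python
import string

# Character classes behind the post's table. Assumption: "special characters"
# are the 32 ASCII punctuation marks plus the space, giving 95 printable symbols.
CLASSES = {
    "lower": set(string.ascii_lowercase),      # 26
    "upper": set(string.ascii_uppercase),      # 26
    "digits": set(string.digits),              # 10
    "special": set(string.punctuation + " "),  # 33
}


def alphabet_size(*class_names):
    """Number of distinct symbols available when the named classes are allowed."""
    return sum(len(CLASSES[name]) for name in class_names)


def keyspace(length, *class_names):
    """Number of distinct passwords of `length` built from the named classes."""
    return alphabet_size(*class_names) ** length


def growth_factor(extra_chars, *class_names):
    """How many times larger the keyspace becomes when `extra_chars` characters are added."""
    return alphabet_size(*class_names) ** extra_chars


def classes_used(password):
    """The classes a password actually draws on: the alphabet a guesser must cover."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]


def search_space(password):
    """Keyspace implied by the password's own length and character classes."""
    return keyspace(len(password), *classes_used(password))


if __name__ == "__main__":
    # Reproduce the three table rows for a 10-character password.
    print(keyspace(10, "lower", "upper"))
    print(keyspace(10, "lower", "upper", "digits"))
    print(keyspace(10, "lower", "upper", "digits", "special"))
    # The post's "over 140,000 times harder" for three extra mixed-case letters.
    print(growth_factor(3, "lower", "upper"))
    # Score the post's two sample passwords.
    for pw in ("Steeple Gardens @August", "R0tten Tree Stump Beneath The Wind0w"):
        print(pw, classes_used(pw), search_space(pw))
```

These figures are an upper bound on a blind brute-force search; a guesser who knows the words-plus-substitutions pattern has far fewer candidates to try, which is why the post also advises staying abstract rather than using a plain dictionary word.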
Lastly, never give up hope! Many times I have sat on a password screen, desperately trying to come up with a good password that meets all of the inane requirements of their system. In the end, it IS worth it! Having the peace of mind that your online identity is secure and is less likely to be hijacked by unscrupulous people is a good thing indeed.
It wasn’t that long ago that things were so much simpler! Before you may have only had to worry about your password for your email account. In today’s brave new world, you have passwords for your phone, your WiFi (at home and at work), your banks, your utilities, your magazine subscriptions, etc. etc. It’s a lot of accounts to keep track of! This series of articles over the next few weeks will give you some practical ways to manage this headache.
Sadly, all these wonderful tools to help manage your life also have a nasty dark side: with the exponential rise in computer crime, they can be used by other people to manage your life for you. Or, at least, drain your bank account and use your identity to commit fraud. The best way to combat this is to start with a change in mindset: you can no longer think of your password as just a way to check email from your family. Your passwords are your life! A competent criminal can do just as much damage to your life with access to your electronic records as they can with your Social Security Number. No sane person would give up their SSN to a stranger, and you should think THE SAME WAY in regards to your passwords.
Many institutions dictate that any activity done with your account is your responsibility. The reasoning is that ONLY YOU should know the password to access your account, thus any activity on your accounts MUST have been authorized by you. This has resulted in several tricky legal scenarios in both civil and criminal court.
The moral of the story: PASSWORDS ARE CRITICAL! This is important so I will say it again – Passwords are like underwear:
- Change them often;
- NEVER share them with others;
- Leaving them out in the open is something kids do;
- It can be really hard to part ways with one you are used to, but it needs to be done.
Next time, I will share some tips on how to create good passwords. In the meantime, feel free to use the comments to ask questions or share your thoughts!