Archive for the 'Information Security' Category

Security Alert: Heartbleed SSL Web Vulnerability

A major security vulnerability named Heartbleed (CVE-2014-0160) was disclosed Monday night. It is a bug in OpenSSL's implementation of the TLS heartbeat extension, and it affects a large portion of websites on the Internet, and here at Davenport University, that use OpenSSL to encrypt web pages (pages whose addresses start with https). SSL (Secure Sockets Layer) and its successor TLS are the cryptographic protocols designed to provide communication security over the Internet.

The bug lets an attacker read up to 64 KB of the server's memory per request, without authenticating and without leaving anything in the server's logs. That memory holds whatever the server was working on at the time: login credentials and session cookies from other users, and in some cases the server's private key. Sites affected by the vulnerability can therefore have login credentials stolen along with any other data that an SSL connection would normally protect. Once an attacker has a site's private key they can impersonate that site and, unless the connections used a forward-secret (ephemeral) key exchange, decrypt recorded traffic that was sent to the server before the bug was disclosed. Because the leak is invisible after the fact, patching OpenSSL alone is not a complete fix: an affected site also needs a new private key and a reissued certificate, with the old certificate revoked, and should invalidate existing user sessions.
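To make the mechanism concrete, here is a small Python model of the heartbeat handler, written for this post rather than taken from OpenSSL. A heartbeat message is a one-byte type, a two-byte payload length, the payload, and at least 16 bytes of padding. The "heap" is a constructed byte string that places a request in front of unrelated secrets, and the secret values in it are made up; the vulnerable handler mirrors the 1.0.1f behaviour of trusting the peer's length field, the patched one mirrors the 1.0.1g check.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
HDR = 3     # 1-byte type + 2-byte payload length
PAD = 16    # minimum random padding the heartbeat extension requires


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Client side: a heartbeat request whose length field may lie."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PAD


def vulnerable_reply(heap: bytes, off: int, record_len: int) -> Optional[bytes]:
    """Models OpenSSL 1.0.1 through 1.0.1f: the peer's length field is trusted."""
    hbtype, claimed = struct.unpack_from("!BH", heap, off)
    if hbtype != HB_REQUEST:
        return None
    body = off + HDR
    # BUG: copies `claimed` bytes starting at the request body without checking
    # `claimed` against the size of the record that was actually received, so the
    # copy runs past the request into neighbouring memory. (Python truncates the
    # slice at the end of `heap`; the real C code keeps reading out of bounds.)
    return struct.pack("!BH", HB_RESPONSE, claimed) + heap[body:body + claimed]


def patched_reply(heap: bytes, off: int, record_len: int) -> Optional[bytes]:
    """Models the 1.0.1g fix: anything inconsistent is silently discarded."""
    if record_len < HDR + PAD:
        return None
    hbtype, claimed = struct.unpack_from("!BH", heap, off)
    if hbtype != HB_REQUEST or HDR + claimed + PAD > record_len:
        return None
    body = off + HDR
    return struct.pack("!BH", HB_RESPONSE, claimed) + heap[body:body + claimed]


# Constructed stand-in for the server's heap: the request sits in front of data
# belonging to other connections. None of this is real credential or key material.
SECRET = b"password=hunter2; session=4f8a1c; -----BEGIN RSA PRIVATE KEY-----"


def simulate(handler, claimed_len: int) -> Optional[bytes]:
    """Place a 4-byte 'ping' request at offset 64 and hand it to `handler`."""
    request = build_heartbeat(b"ping", claimed_len)
    heap = bytes(64) + request + SECRET + bytes(4096)
    return handler(heap, 64, len(request))


if __name__ == "__main__":
    leaked = simulate(vulnerable_reply, 2048)
    print(SECRET in leaked)               # memory beyond the request comes back
    print(simulate(patched_reply, 2048))  # None: over-long request discarded
    print(simulate(patched_reply, 4))     # an honest 4-byte payload is still echoed
```

The fix is two bounds checks, which is why the patch was tiny and the exposure window was not: nothing about a leaking request is distinguishable from a normal one in the server's logs.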

Since Monday evening, the Information Security Team has been working with website and service owners throughout Davenport to ensure that their services are securely configured to mitigate risks associated with this issue.

The web servers that maintain our authentication portal, the primary web-based authentication method used by Davenport services, were updated on April 8th and are not vulnerable to this issue. Other campus services that utilize OpenSSL have been updated to mitigate the risk associated with the vulnerability.

Concerned individuals may wish to change their Davenport password. That can be done by following the ‘password reset’ link in the portal or by pressing ctrl+alt+del on your Davenport-owned workstation.

Due to the widespread nature of this problem, it is advisable to watch for notifications from online service providers suggesting you change your password. Alternatively, you can try to determine on your own (suggested source) if your service provider was impacted. Remember to avoid clicking on any email links that say “Change your password here” or “Click here to verify your account” – go directly to the service provider website.

The Information Security Team urges users to consider adding multifactor authentication to popular services like Google, Facebook, Evernote, Dropbox, LinkedIn, PayPal, or Twitter.

Also, watch for fraudulent email claiming to be from companies with which you do business, as criminals will undoubtedly use this issue to create targeted phishing email messages to trick people into divulging their passwords. Remember: ITS will NEVER ask for your password!

Some additional information on this issue can be found here: http://www.washingtonpost.com/news/morning-mix/wp/2014/04/09/heartbleed-what-you-should-know/

Finally, a little humor showing how Heartbleed works.

If you have any questions or concerns about this issue, please feel free to contact the Customer Support Center at extension 1212.

Defense in Depth

Defense in depth is a strategy that entails applying multiple layers of protection to deter and prevent successful attacks. In military terms this involves multiple lines of defense instead of a single fortified defense. The theory is that if attackers are forced to break through multiple defense lines to achieve their goal the attack will lose momentum before achieving success – they may break through the first or second line of defense but give up before achieving their goal.

In information security the strategy is similar, applying multiple layers of defense, but often the purpose is to enhance detection as well as deter attackers. Enhancing detection can occur through either forcing the attacker to touch more systems and perform more reconnaissance or through extending the amount of time necessary for a successful attack, both of which give automated detection systems and log monitors time to recognize and correlate the attack activities and take appropriate action.

In practice, defense in depth can take many forms. The recent CryptoLocker malware provides an example of a situation in which defense in depth has worked well for us at Davenport. We have three main layers of defense that have thus far prevented any infections or serious damage from CryptoLocker:

  1. Email filters. Incoming email is filtered by our Google services for both spam and malware. Many of the emails we have received over the past two months have contained CryptoLocker malware and have been correctly quarantined by our Google filtering services. One popular email message subject for many messages received by Davenport employees was: “Authorization to Use Privately Owned Vehicle on State Business”. The quarantining of incoming messages buys additional time for the other layers of protection to update detection signatures.
  2. OpenDNS. We use the OpenDNS service to filter malware and botnet traffic. This service protects all devices that are attached to Davenport’s wired or wireless networks. Details on OpenDNS’s protections against CryptoLocker can be found here and here.
  3. Endpoint protection. All Davenport-managed devices (servers, desktops, laptops, etc.) employ malware protection technology, involving both software execution control policies as well as antivirus detection and removal software. Software execution control policies specify where software is allowed to start from on a system – if it is launched from a non-approved location it will not run. Antivirus, although seen by some as an outdated method of protection, still plays an important role in keeping our systems safe from current threats – all threats investigated by the security team were detected by our current antivirus solution and prevented from infecting the machine.
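The execution control layer above is only as good as its path check, so here is an added illustration (written for this post, not Davenport's actual policy or any vendor's product) of what that check has to get right. The approved roots and writable exceptions are a constructed example policy. The naive prefix test is what many home-grown scripts do; the hardened version canonicalises the path first and refuses user-writable subdirectories of otherwise approved roots, which is the standard way such a policy is bypassed.

```python
import ntpath

# Constructed example policy: locations standard users cannot write to.
APPROVED_ROOTS = [r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)"]
# Subdirectories of approved roots that standard users CAN write to. A policy
# that forgets these is bypassed by dropping the payload there.
WRITABLE_EXCEPTIONS = [r"C:\Windows\Temp", r"C:\Windows\Tasks", r"C:\Windows\Tracing"]


def naive_allowed(path: str) -> bool:
    """Plain string-prefix check on the raw path, as seen in ad-hoc scripts."""
    return any(path.startswith(root) for root in APPROVED_ROOTS)


def _canonical(path: str) -> str:
    # Collapse '.' and '..', unify slashes, and fold case (Windows paths are
    # case-insensitive). ntpath is used explicitly so this runs on any platform.
    return ntpath.normcase(ntpath.normpath(path))


def _is_under(path: str, root: str) -> bool:
    root = _canonical(root).rstrip("\\") + "\\"
    return _canonical(path).startswith(root)


def execution_allowed(path: str) -> bool:
    """Allow only absolute drive-letter paths that canonicalise to an approved,
    non-user-writable location. Relative paths, UNC shares, %AppData%, %Temp%
    and traversal tricks are all denied."""
    drive, _ = ntpath.splitdrive(path)
    if not ntpath.isabs(path) or not drive.endswith(":"):
        return False
    if any(_is_under(path, w) for w in WRITABLE_EXCEPTIONS):
        return False
    return any(_is_under(path, r) for r in APPROVED_ROOTS)


if __name__ == "__main__":
    # Constructed launch paths: a legitimate program alongside the places a
    # malware dropper typically writes its payload.
    for p in [r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
              r"C:\Users\bob\AppData\Roaming\a1b2c3.exe",
              r"C:\Program Files\..\Users\bob\AppData\Roaming\a1b2c3.exe",
              r"C:\Windows\Temp\invoice.pdf.exe",
              r"\\attacker\share\payload.exe"]:
        print(f"naive={naive_allowed(p)!s:5} hardened={execution_allowed(p)!s:5} {p}")
```

The two cases where the naive check says yes and the hardened one says no (the `..` traversal and `C:\Windows\Temp`) are exactly the paths an attacker would pick once they know an allowlist is in place.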

Using these successive layers of defense we have so far experienced no CryptoLocker infections. That is a clear sign that defense in depth can be highly effective in information security.

Calling all Mules

Money Mules are used by criminal organizations to receive stolen or fraudulent money or goods and transfer them quickly overseas. Mules are often recruited through “work from home” type scams, either involving “payroll” or “logistics” work.

Below is an example of a recruiting message for a “logistics” type mule operation. If you see a “work from home” message that seems too good to be true, it probably is a scam. Be alert for money mule scams which often target the unemployed or those unfamiliar with this type of criminal operation. Here is the scam message:

We are now hiring for a Logistic specialist. If you are responsible, active, easy-going person, looking for a great job opportunity with a stable income, this job will suit you.

About company:
We are a business unit delivering services to European customers. We are a global brand and the world’s third largest logistic company. We present virtual addresses for customers from Europe and Asia.

Requirements:
-Constant access to the Internet;
-Possibility in making the photos of the packages;
-Flexible shipping options;
-Responsibility;
-Activity;
-Readiness working in one team;

Duties;
-Stay at workplace (home address) from 9 am till 5 pm;
-Receive packages during the working hours;
-Inform your coordinating manager with the photos of received packages;
-Print the shipping label;
-Place the shipping label on the package;
-Deliver parcels to the FedEx facility;
-Report your coordinative manager with the receipt

Compensation.
Your salary will be 1500$ per month (Base Salary), plus 20$ for each parcel you have received (Parcel’s Payment). You will get paid Base Salary monthly starting of the day you sign a contract. Parcel’s Payment will be paid biweekly.

If you are interested in this opportunity, please submit your resume by e-mail [email removed]


Adobe Breach

ALERT:  Threat to computer accounts due to Adobe security breach

BACKGROUND: In October 2013, Adobe suffered a data breach. Their database of at least 38 million usernames and passwords was stolen and subsequently posted online [1][2]. Adobe did not protect user passwords to industry standards: they were stored with reversible, unsalted encryption rather than salted one-way hashes, so every user with the same password has the same stored value. Also stored with the passwords were the users' password hints in clear text. Many of the hints are weak, and because users who share a password share a stored value, one person's hint gives away the password for everyone in that group. Security experts agree that it will be trivial for miscreants to discover the passwords.
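The following is an added illustration for this alert, not Adobe's code or data. Because the standard library has no 3DES, `unsalted_block_store` is a toy stand-in for an unsalted block cipher in ECB mode with one site-wide key: every 8-byte block of the password is transformed on its own, so equal blocks give equal output. The leaked rows, user names, hints and key are all constructed. The second half shows the salted, slow-hash scheme that avoids the problem.

```python
import hashlib
import hmac
import os
from collections import defaultdict

BLOCK = 8
KEY = b"constructed-demo-key"   # stands in for the single site-wide key


def unsalted_block_store(password: bytes) -> bytes:
    """Toy model of ECB-mode encryption with one fixed key: each 8-byte block is
    transformed independently, so equal plaintext blocks give equal output.
    (A keyed hash per block is used only because the stdlib has no block cipher.)"""
    padded = password + b"\x00" * (-len(password) % BLOCK)
    return b"".join(
        hmac.new(KEY, padded[i:i + BLOCK], "sha256").digest()[:BLOCK]
        for i in range(0, len(padded), BLOCK)
    )


def crossword(leak):
    """Group leaked rows by first stored block and pool their hints. Everyone in
    a group shares the first 8 password bytes, so any one readable hint
    recovers that prefix for the whole group, without touching the key."""
    groups = defaultdict(list)
    for user, stored, hint in leak:
        groups[stored[:BLOCK]].append((user, hint))
    return groups


def salted_store(password: bytes):
    """Industry-standard alternative: per-user random salt and a slow hash."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)


def salted_verify(salt: bytes, stored: bytes, candidate: bytes) -> bool:
    return hmac.compare_digest(
        stored, hashlib.pbkdf2_hmac("sha256", candidate, salt, 200_000))


# Constructed leak rows: (user, stored password, clear-text hint).
LEAK = [
    ("alice", unsalted_block_store(b"password"), "the usual"),
    ("bob", unsalted_block_store(b"password"), "rhymes with assword"),
    ("carol", unsalted_block_store(b"password"), "what you type to log in"),
    ("dave", unsalted_block_store(b"password123"), "same as work plus numbers"),
    ("erin", unsalted_block_store(b"correct horse battery"), ""),
]

if __name__ == "__main__":
    for block, members in crossword(LEAK).items():
        print(block.hex(), [hint for _, hint in members])
    s1, s2 = salted_store(b"password"), salted_store(b"password")
    print(s1[1] != s2[1])   # same password, different stored values
```

Note that dave never used "password" as his whole password, yet he lands in the same group because the first block matches, and his hint tells an attacker which other account to try next.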

Of the estimated 38 million Adobe customers affected, analysis indicates that there were over 2 million education-related accounts. We don’t know how many of the email addresses are attached to active institutional accounts.

Adobe reached out to individual affected users via email. The notification thoughtfully included “[we] recommend that you also change your password on any website where you use the same user ID or password”. However, there are reports of non-delivery (it might have been filtered as spam) and users disregarding the e-mail (it might have been thought to be a phishing message).

IMPACT: If the same password used for an Adobe account was used for work, school, banking, or other accounts, those accounts may be at risk. Repercussions could range from simple to severe, such as account hijacks to send spam, theft of bank deposits, or hackers gaining a foothold in a place of employment to conduct widespread damaging attacks.

RECOMMENDATIONS: We recommend that you take the following actions:

1. CHANGE PASSWORDS IMMEDIATELY. Persons who used the same password for Adobe and other accounts should immediately change their passwords at the other locations and monitor for unusual activity. [Optional: The University will be forcing a change of your institutional passwords [additional local details here]].

2. ADOBE PASSWORDS SHOULD BE RESET only by manually visiting the Adobe website, and not by clicking on links arriving via email, as there is now a concern that there will be a rise in phishing related to this event.

3. NEVER REUSE YOUR INSTITUTIONAL PASSWORD for external web sites or Internet services. If you reuse a password at multiple locations, then when it is compromised at one site the miscreants can gain access to every site where you have used it. The best policy is to always use different passwords for different accounts.

4. CREATE STRONG PASSWORDS OR PASSPHRASES [3]. The Wikipedia Guidelines for Strong Passwords [4] is a good starting point. You can also use the Microsoft password checker tool [5] to test your chosen password.

5. CONSIDER THE USE OF A PASSWORD “WALLET” such as KeePass and LastPass. These tools make it very easy to have a unique password for every web site or service, and to have strong passwords.

6. BE ON THE LOOKOUT FOR PHISHING. Miscreants will be using the Adobe breach as a pretext for phishing.

7. USE INFORMATION THAT IS NOT EASILY GUESSED. When providing password hints use information that is not easily guessed or discovered. For example, if your hint is “dog’s name” and you mention your dog on social networking sites miscreants can discover that information.

REFERENCES:
[1] http://helpx.adobe.com/x-productkb/policy-pricing/ecc.html
[2] http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/
[3] http://xkcd.com/936/
[4] http://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords
[5] https://www.microsoft.com/security/pc-security/password-checker.aspx

Sendori and DNS

There has recently been some interest in Sendori, a web service that offers content filtering and Domain Name System (DNS) services. This can be a useful service for home computers or personal devices, but it is inappropriate for use on our business network.

In no particular order, the top reasons to think twice before using Sendori:

  • Sendori is redundant. Davenport already employs content filtering to protect users on our network. We also contribute information to several global projects that protect internet users worldwide.
  • Sendori degrades performance for some sites. Davenport runs a private local network, with many resources not exposed to the Internet. We run our own DNS servers locally that resolve names for both local resources and Internet resources. Sendori handles requests for Internet resources only and cannot answer requests for local resources, introducing at best a delay and at worst a loss of service for local lookups. As an example, when visiting www.davenport.edu, Sendori would return our public address (66.202.201.121) while our local DNS service returns the local address (192.168.x.x); the local address is faster and more reliable when accessing www.davenport.edu on campus.
  • Sendori decreases your privacy. The DNS service you choose to use can learn a great deal about your browsing habits and interests. The first time you visit any website there is a DNS lookup to resolve the website name into a numerical address, and a DNS provider that records those incoming requests can reconstruct a good deal of your browsing history. At Davenport, we use central DNS servers that handle all requests, so that external DNS providers see only the campus resolvers' queries rather than yours. That means that when using our central DNS servers it is very difficult for any external company to tie DNS lookups to a specific individual and gather data on them. Using the Sendori service instead allows a record of every domain visited to be gathered for a specific individual. Sendori's privacy policy allows them to store data for 18 months and to use cookies and pixel tags for data collection.

Fortunately, Sendori is easy to remove: uninstall it through Add or Remove Programs in the Control Panel. After uninstalling, check that your network adapter's DNS settings are back to obtaining the server address automatically, so that lookups go to the campus resolvers again rather than to Sendori's servers.