Advisories

Adobe Flash Player Flaw

Earlier this week Adobe announced a significant flaw in Adobe Flash that can allow an attacker to take over your computer. It is vitally important for Windows, Mac and Linux users to install the new upgrade as soon as possible.

If you use Google Chrome your Chrome browser will automatically be updated to the latest Adobe Flash Player.

Microsoft Internet Explorer 10 and IE 11 users will get the update via the Microsoft Update Service. NOTE: At the time of this announcement, Notre Dame users are being asked not to use Internet Explorer for browsing the web until Microsoft corrects its current vulnerabilities.

For Mac OS X and Mozilla Firefox users, the update can be found at the Flash Player Download Center: http://get.adobe.com/flashplayer/

NOTE: Before clicking the Install now button, always UN-Check the “Optional offer” checkbox. Your ND computer does not need the free McAfee Security Scan Plus utility.

Heartbleed

The OpenSSL heartbleed vulnerability is a very serious bug in the software that encrypts your Internet traffic to keep it safe. Heartbleed allows encrypted traffic to be easily read in the clear from computer memory, including passwords and other confidential information.

OIT’s Information Security team has determined that a large majority of OIT systems are not vulnerable since they do not use the vulnerable version of OpenSSL. The OIT has also determined that only a few department systems are vulnerable and they are in the process of working with those departments to patch their systems. Notre Dame’s exposure to the bug appears to be extremely limited.

However, all of us are at risk of exposing our passwords on vulnerable sites outside of Notre Dame, and many people have already received notices from those sites to change their passwords. OIT’s Information Security team recommends that they do change their passwords when asked by the vendors. Please follow the usual precaution of not following email links, but instead going directly to the web sites in your web browser to change passwords. We continue to assess the risk here at Notre Dame, so we are not asking our users to reset their ND passwords at this time.

The OIT will continue to share information or recommendations on this vulnerability. If you have any questions, please contact infosec@nd.edu.

For additional information on the OpenSSL heartbleed bug, please see this Washington Post article:

http://www.washingtonpost.com/news/morning-mix/wp/2014/04/09/heartbleed-what-you-should-know/?tid=pm_pop


iOS and OS X

Because of a flaw in iPhone, iPod, iPad and Mac software, your passwords and email can be stolen, leaving you subject to identity theft and eavesdropping.

If you have an iPhone 4 or 5, fifth generation iPod touch, or iPad 2 and later, please update to iOS 7.0.6. Most phones, iPods and iPads will automatically get or prompt you to update to the new version, but you should check your Software Update settings and confirm that you have iOS 7.0.6.

To see if your devices are up to date, go to: Settings > General > Software Update. If you need to update your device, it will recommend you have at least 50 percent battery and be connected to private WiFi (not Starbucks or any other public WiFi) before running the update.

If you have a Mac desktop or laptop running Mac OS X 10.9.0 or 10.9.1, please update to OS X 10.9.2 as soon as possible. Again, do not upgrade from any public WiFi but from a private network.

Note: If you have a version previous to 10.9, please do NOT upgrade to 10.9 at this time. Previous versions do not have this vulnerability, and 10.9 does not currently work well with several ND services.

To check your current OS X version on your Mac, click the Apple icon and choose “About This Mac”. If you are on a version lower than 10.9.2, you need to update to the newest version. Click on “Software Update…” to begin the process.
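The OS X guidance above has three outcomes depending on the installed version. As an added example (not part of the original advisory), this shell function sorts a version string into those outcomes; the function name `classify_osx` and its output labels are assumptions made for illustration, and the sample versions in the loop are constructed.

```shell
#!/bin/sh
# Added example: triage a Mac against the advisory's OS X guidance.
# classify_osx VERSION prints one of:
#   update-now  10.9.0 or 10.9.1: install 10.9.2
#   hold        older than 10.9: not affected, do NOT upgrade to 10.9
#   ok          10.9.2 or later
#   unknown     input is not a dotted numeric version
classify_osx() {
    ver=$1
    # Reject empty input, non-numeric characters and malformed dots.
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo unknown; return 0 ;;
    esac
    # Split on dots; missing parts default to 0, so "10.9" means 10.9.0.
    old_ifs=$IFS
    IFS=.
    set -- $ver
    IFS=$old_ifs
    major=${1:-0}
    minor=${2:-0}
    patch=${3:-0}
    if [ "$major" -lt 10 ]; then
        echo hold
    elif [ "$major" -gt 10 ]; then
        echo ok
    elif [ "$minor" -lt 9 ]; then
        echo hold
    elif [ "$minor" -gt 9 ]; then
        echo ok
    elif [ "$patch" -lt 2 ]; then
        echo update-now
    else
        echo ok
    fi
}

# Constructed sample versions covering each branch of the advisory.
for v in 10.8.5 10.9 10.9.1 10.9.2; do
    printf '%s -> %s\n' "$v" "$(classify_osx "$v")"
done

# On a real Mac, classify the running system (sw_vers ships with OS X).
if command -v sw_vers >/dev/null 2>&1; then
    printf 'this machine -> %s\n' "$(classify_osx "$(sw_vers -productVersion)")"
fi
```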


Cryptolocker Ransomware

Cryptolocker Ransomware is a computer malware infection that is installed on a computer when a person clicks on a link to a malicious website, opens a document from a fake email, or visits a site from a phony FedEx or UPS tracking notice. A computer may also become infected with Cryptolocker if it is currently infected with another form of malware.

Cryptolocker encrypts files on your computer, making them unusable to you. It is also capable of finding and encrypting files on:

  • Shared network drives

  • USB drives

  • External drives

  • Network file shares (e.g., Webfile)

  • Some cloud storage drives

Once the files are encrypted, the malware prompts you with a pop-up window that has a countdown timer, normally set to three days, that states you must pay a ransom, anywhere from $200 to $400, to receive the key that will decrypt (unlock) your data. If you do not retrieve the keys to unlock your data within the specified time, your data will be destroyed.

Though these cybercrooks are targeting both business and individual users, there are steps you can take to protect yourself.

  • Do not open attachments in email that you were not expecting, or from senders you do not recognize.

  • Perform regular backups.

  • If you receive the Cryptolocker pop-up window, contact the OIT Help Desk immediately. The sooner you report the infection the more likely it is that your data can be recovered, especially anything that is backed up on a network share.

  • Make sure your anti-virus software is running and is receiving its regular updates.


LinkedIn Intro

LinkedIn has recently released an app called LinkedIn Intro for your iPhone or iPad. Using this application with your Notre Dame E-mail account will put you in violation of the Responsible Use policy.

- http://policy.nd.edu/policy_files/ResponsibleUseITResourcesPolicy.pdf

This application intercepts all of your email. Not only does this mean that LinkedIn can see all of your mail, but it also makes you reliant on LinkedIn's service for your mail to work.

At this time using this application for your personal email is also not recommended.


New Internet Explorer 8 exploit (05/08/13)

Microsoft has confirmed a zero-day remote-code vulnerability in Internet Explorer version 8. Once a system is compromised by the IE 8 zero-day, systems are infected with a version of Poison Ivy, a backdoor tool that has been widely used in past espionage campaigns.

What can you do? Versions 6, 7, 9, and 10 of the browser are immune to these attacks, so anyone who can upgrade to one of the latest two versions should do so immediately or switch to a different browser.

This is inconvenient but until a better patch is released it's the best answer. You should:

  • Upgrade to one of the latest two IE versions OR switch to a different browser.
  • Make sure you have Anti-Virus software running and updated - https://oit.nd.edu/software-downloads/
  • Be cautious when going to unfamiliar sites.
  • Update your computer's operating system and software.
  • Turn on your browser's Pop-Up blocker.

For anyone who absolutely cannot move away from IE 8, take the following precautions:

  • Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
    This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
  • Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones
    This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.


Adobe Flash Vulnerabilities announced

Yesterday Adobe released emergency patches for their Flash media player. If you are running Adobe Flash Player on your Windows, Mac or Linux computer with ANY browser, Adobe advises you to update Flash. Without the patch, malicious Flash programs can take control of your system or cause it to crash. Here is the link for updating your computer:

http://get.adobe.com/flashplayer/

Note: Unless you uncheck the box labeled “Yes, install McAfee Security Scan Plus” before clicking Download, a new McAfee program will be installed on your computer.


New Java Exploit (1/10/13)

There is a new Java exploit circulating on the Internet. This exploit can be used to completely control a Windows or Mac computer. Currently there is no new patch available to fix the newly discovered exploits, but we will notify the campus community when it is released and tested.

What can you do? The best protection is to disable the Java plugin in your browser. However this will prevent you from using many University supplied applications including Banner and Sakai. The best alternative is to use a browser with Java for your University supplied applications and a different browser, with Java turned off, for browsing the internet.

This is inconvenient but until a better patch is released it's the best answer. If you choose to browse the web with Java enabled, please follow safe browsing habits:

  • Make sure you have Anti-Virus software running and updated - https://oit.nd.edu/software-downloads/
  • Be cautious when going to unfamiliar sites.
  • Update your computer's operating system and software.
  • Turn on your browser's Pop-Up blocker.

Instructions for disabling Java can be found here: http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/.  For Internet Explorer assistance we recommend you contact your DSS representative or the OIT Help Desk.

The attack is reported to work with Internet Explorer, Firefox, Safari, Chrome, or any web browser with Java enabled, and on Windows, Mac OS, and Linux. Compromises now exist for all versions of Java up to Java 7 Update 10.


Fake Help Desk Email

Recently, students have received email that appears to have come from the Notre Dame Help Desk. These messages ask students to send their password, phone number and other account information back to the sender.

Do not respond to these emails! Please remember that no one at the Notre Dame Help Desk or any other department should ever ask you for your password. The Office of Information Technology already has your account information so there’s no reason to ask for it.

In some cases Notre Dame users who have replied to these emails have received calls from the email spammers (sometimes multiple times) demanding their password. The Notre Dame Help Desk will never call you on the phone and demand your password. Please report harassing phone calls of this nature to Notre Dame Security Police at 574 631-5555.


Java Exploit

Please be advised that there is a new Java exploit circulating on the Internet. This exploit can be used to completely control a Windows or Mac computer. As announced, Oracle released a patch on 8/30, but on 8/31 flaws in this new version were discovered. Currently there is no new patch available to fix the newly discovered exploits and no patch is expected soon.

What can you do? The best protection is to disable the Java plugin in your browser. However this will prevent you from using many University supplied applications including Banner and Sakai. The best alternative is to use a browser with Java for your University supplied applications and a different browser, with Java turned off, for browsing the internet.

This is inconvenient but until a better patch is released it's the best answer. If you choose to browse the web with Java enabled, please follow safe browsing habits:

  • Make sure you have Anti-Virus software running and updated - https://oit.nd.edu/software-downloads/
  • Be cautious when going to unfamiliar sites.
  • Update your computer's operating system and software.
  • Turn on your browser's Pop-Up blocker.

Instructions for disabling Java can be found here: http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/. For Internet Explorer assistance we recommend you contact your DSS representative or the OIT Help Desk.

The attack is reported to work with Internet Explorer, Firefox, Safari, Chrome, or any web browser with Java enabled, and on Windows, Mac OS, and Linux. Compromises now exist for all versions of Java 7.


Flashback (Flashfake) – Virus – For Mac Only (April 2012)

What is Flashback?

Flashback is software designed to monitor what you type, save a copy of what you type and send it to the author of Flashback. When you log into your bank website, your email account or fill out a form online, Flashback quietly saves that log-in information and sends it to the author. In March of 2012, more than 600,000 Macs worldwide were infected with Flashback.

How do you get Flashback?

You can get Flashback by simply visiting a website. Flashback masquerades as a standard browser plug-in. Back in September of last year, Flashback first presented itself as an Adobe Flash installer. If you click “Yes” to install the update, the virus is installed.

What can I do?

Be sure your Mac has all the latest software updates. Apple released an update on April 3, fixing the weakness that Flashback uses to infect your Mac. Click here for more information on the update.

Apple Inc. is working on a program that will remove the Flashback virus; we will post that link when available.

I had the virus, was my information stolen?

It’s nearly impossible to tell if any of your information was stolen. Flashback leaves behind little or no evidence of this. However, you can safeguard your online accounts by changing their passwords.

You should change the password for your ND account. (click here) If you use online banking or online credit card account management you should change your password for those systems as well. In fact, you should consider changing passwords for any account you access using your Mac.


FireSheep -- Why Stealing Your Passwords Just Got Easier

What is FireSheep?

FireSheep is a tool that allows other people on an unsecure wireless or wired network to hijack your connection to websites like Facebook and Twitter. As a result, anyone sitting near you at Starbucks, Martin’s, Panera, etc., could steal your Facebook account, send email via your Google email account, or could buy things on Amazon.com if you use the site while on an unsecure wireless network.

Does this affect me at Notre Dame?

If you use the ND-Secure network, your traffic is encrypted, and is protected from FireSheep and similar tools hackers use. If you use NOMAD, or an open wireless network off campus, your traffic is not encrypted and may be at risk. Notre Dame’s wired networks are protected against this type of attack, but off-campus wired networks also may be vulnerable.


What can I do?

First, make sure that you use an ENCRYPTED wireless network whenever possible. If you are off-site, you can use Notre Dame’s VPN when accessing Notre Dame resources to help ensure your security. (Note: Notre Dame’s VPN will not protect your connections to non-Notre Dame websites.)

If you live off-campus and have your own wireless router or access point, be sure to follow the manufacturer’s instructions to configure it to encrypt all traffic.

You can also protect your personal information from those using FireSheep by ensuring your browser sessions are ENTIRELY encrypted. However, it’s not easy to do on most of these sites. If you use Firefox, you can use a plugin like EFF’s HTTPS Everywhere (https://www.eff.org/https-everywhere). This plugin offers added security by making sure all traffic to the site it helps to protect is encrypted, but may cause some sites to work differently.

What sites does FireSheep scan for?

By default, FireSheep scans for people who are logged into the following sites: Amazon.com, Basecamp, Bit.ly, Cisco, CNET, Dropbox, Enom, Evernote, Facebook, Flickr, Foursquare, GitHub, Google, Gowalla, Hacker News, Harvest, Windows Live, New York Times, Pivotal Tracker, ToorCon: San Diego, Slicehost SliceManager, Tumblr.com, Twitter, Wordpress, Yahoo, Yelp.

Once it identifies unencrypted sessions, it allows the attacker to steal access to their accounts on most websites. But remember, FireSheep is not limited to the sites listed above. It can be configured to scan any other site the attacker chooses to identify.


Fake Antivirus

Fake antivirus (AV) programs have become increasingly common threats to computers running Windows. They typically appear as pop-ups, seemingly from an antivirus website or from your AV software, that claim to have found infections in your computer. Their dire warnings of massive virus infection or security issues are intended to scare their victims into installing a fake antivirus program and then providing a credit card number to pay for disinfecting the computer.

The image below shows a typical fake AV popup window:

[Image: typical fake AV pop-up window]

How They Work

Fake AV programs generally work this way, although they can vary slightly:

  • You inadvertently visit a website that hosts fake AV malware.
  • A pop-up window appears, seeming to come from your antivirus software or your control panel, indicating many viruses or security issues.
  • You try to close the window, or you click anywhere in the window.
  • An executable program downloads and installs itself.
  • The program then asks for a credit card number to authorize and pay for disinfecting your computer.

What To Do

If you encounter a fake antivirus popup, DO NOT attempt to close the window using the close button in the top right corner. DO NOT click anywhere in the pop-up window. Instead, immediately do the following:

  • Press Control-Alt-Delete and select the Task Manager.
  • Under the Applications tab, find your Web browser (e.g., Firefox, Internet Explorer, Chrome) and select it.
  • Click End Task.

This will force your browser to close, and will prevent the malware from attacking your computer.

Then immediately reboot your computer and do a full scan with an up-to-date McAfee, Norton, or other reputable antivirus tool. You should do this any time there is concern that your computer may have been infected.

If you are unable to update your AV software, or it does not appear to launch or run normally, this may be an indication that your computer already has been infected, and that malware has damaged your real AV software.

Contact your IT support staff or the OIT Help Desk at (574) 631-8111 or via email to oithelp@nd.edu for assistance.

Fake MAC Defender Antivirus Software Scam

MAC Defender is the new FAKE antivirus software phishing scam that targets Mac users. It is an attempt to convince you that your Mac is infected with a virus, to steal your bank account information or your credit card number.

Links to this software scam have appeared at the top of search results in Google and other search engines. Do NOT click on a MAC Defender link.
