Please follow the link to the new site > http://www.case.edu/its/infosec/

Articles pertaining to information security in higher education will be moved to the new Blogger site and announcements for future topics will move to the ITS Announcements feed.

Older entries will remain available at the blog archive.

Vulnerabilities in applications such as Adobe Acrobat and its related product line are not readily patched by operating system updates (such as Microsoft AutoUpdate), and represent an open pathway to computer exploit. According to the IBM X-Force 2009 Trend and Risk Report, the number one web-based exploit was against the Microsoft Office Web Components Spreadsheet ActiveX, and then then next 4 of the top 5 involved Adobe Acrobat, Adobe Reader, and Adobe Flash Player. The most pressing threat to the user is in malicious Flash videos or compromised web sites that use Flash for banners. Here is a Flash video from Symantec that explains the "drive-by" attack.

The university community makes extensive use of Adobe Flash, and this problem is significant in that it affects Windows, MacOS, and linux platforms. The Adobe Flash Player release version 10.1 is available and recommended for all users at the Adobe update site. Systems administrators are advised to plan to push an update as soon as you complete your testing of version 10.1.

The Information Security Office recommendation is to update your device to OS 3.1.3 as soon as possible. The user must connect to iTunes to complete the updates.

Note that we recommend user first update to the latest version of iTunes (9.0.3) before connecting the iPhone/iPod to update the device through iTunes.

Users are still advised to notify the Case Help Desk with any messages that smell "phishy."

All affiliate accounts require an approved Case sponsor, so access to the affiliate request form requires a login with a valid Case Network ID and password.

We thank our customers for their patience while this process was fully reworked to improve the security needs of the university. The request process no longer requires sensitive personal information for the affiliate user. Sponsors can expect approximately 24-hours turn around time from request to account creation.

Additionally, the sponsor is still responsible for ensuring the affiliate user is in compliance with the Case Acceptable Use Policy.

Information Technology Services staff are currently working to redesign and deploy an updated process to create affiliate user accounts that does not require the gathering, storage, or maintenance of sensitive personally identifiable information for the account users. Affiliate account users are not current faculty, staff, or students at the university.

This necessary interruption in service has been driven by the security risk associated with handling sensitive information for non-employees, and to comply with recent updates to the University SSN Use Policy.

Questions about the process may be directed to Case Help Desk at 368-HELP (4357). Until a solution has been implemented, requests for affiliate account creation will be queued in the Help Desk.

If in doubt, users can check their password ages online at the Password Verification utility.

Case users should never send passwords or other sensitive information via email.

The online presentations are at 11:00 AM, Monday 10/26, Tuesday 10/27, and Wednesday 10/28 at

https://connect.case.edu/identity

A valid Case NetworkID and password are required to attend.

The next larger presentation is scheduled for 12:00, Thursday, 10/28, in the MSASS Mandel Center room 108.

Additional details can be found at http://securityaware.case.edu

The first two Town Hall Meetings about the use of Identity Finder for campus users will be held today:

12:30 PM - 1:30 PM Strosacker Auditorium
3:00 PM - 4:00 PM Biomedical Research Building Room 105

Unfortunately, the spam also included the user's name as the sender's signature, and in the from: field.

If you mistakenly clicked on the phishing link, you should have received a message about this being a suspected phishing site.

This event highlights the need for end users to be extremely conscious of fraudulent communications. The university receives regular phishing attacks, but the magnitude is amplified when a single user is phished, and that user's account is used as the source of more spam and phishing messages.

A recent attack at North Carolina State University described in the Chronicle of Higher Education illustrates how far thieves will go. In this case, they created a bogus web page to collect UserID and passwords from people. This is an interesting attack I've seen discussed in security circles, and even done as security tests. It is amazing to see that somebody actually tried it in the real world against a university. I recommend users of web-based email clients install the McAfee Site Advisor utility in their browsers. If you click on a link of questionable nature, this will alert you to what could be a potential drive-by attack (you browse to a malicous site or a site with hidden malicous content).

The question that remains is, how do we stop phishing? Perhaps if we plead,

"Yo, phisher dudes! Chill!"

No, I don't think that will work. Phishing is a type of sales cold call. If you answer it, you open the door to larger theft and online misuse that leads to bigger security problems. Case users certainly have received enough of them over the 2007-2009 timeframe that they have been well-educated by the experience.

I recommend two things for users to do when they get a phish message:

1. Report phishing
2. Tell your friends and colleagues.

We used to request that Case users send phishing messages to Castlecops, but with their demise in 2008, I recommend you report them directly to the US-CERT Phishing Group by sending email to phishing-report@us-cert.gov. Of course, please remember to view the full headers to make the message investigation possible.

There still seem to be unwary users in our community who fall victim to phishing, so I suggest users make this a conversation topic. What a way to break the ice, "Hey, did you get that latest phishing message from..."

When they become ineffective, the phish will cease.

Internet Explorer remains a particularly exploitable application; the Critical patch released in this month's collection applies to various versions, including IE 8.

For more details, see http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx

Reply-to security@case.edu,
"support@cwru.edu" [tsupportteam@gmail.com] <--alert! Off-campus Reply-to address!
to support@cwru.edu
date Tue, Feb 3, 2009 at 2:45 PM
subject Important Notice

Dear cwru.edu User,

We have noticed an unauthorized attempt to change your
cwru.edu password from a foreign IP. This was going to
result to your inability to access your account due to the
password change. If you know you are the authorized owner of
this account, kindly reply by providing your original
username (*******) and PASSWORD (*******) so as to protect
your ID and password from unauthorized access.

Failure to do this will violate the Case Western Reserve
University email terms & conditions.

Thanks for using Case Western Reserve University

The Case Western Reserve University® Help Support.
All content (c) Copyright Case Western Reserve University®

This phishing example is instructive, because it illustrates several of the ways phishers attempt to dress up their scams with trappings of authority and social-engineer their way past your Shenanigan detectors.

Specifically, any time a message demands that you enter a visible, clear-text password into the text of an email, that *always* indicates that the sender is up to no good. These requests should immediately activate your Delete-key trigger finger.

Any time a message claims to be an "official" communication from the University, yet the "Reply-To" field sends your response to an address outside of the Case domain, you should experience shivers of intuition that Something Is Not Right. Check the Reply-To field in this example, and do not be fooled: Even users provisioned for Case Google Apps will still have @case.edu as their top-level domain.

No Case employee should ever ask you to share your username and password, and we will especially never ask users to transmit credential info in the clear text body of an email. Any such request for credential information should be met with deep suspicion, or at least scoffed at, and deleted at your earliest opportunity.

Case users are advised to update their versions of Adobe Acrobat or the Acrobat Reader by following the instructions in the Adobe Security Bulletin for vulnerability APSB09-06.

Users should note that third party products are not updated by operating system auto updates. Case will continue to notify users when manual updates such as these present a risk to networked IT systems.

Update: if you browse to this web site at the University of Notre Dame, it will give you a visual indication if your computer has been affected by the Conficker worm. If you don't see the images at the top, you may be infected, and should call the Case Help Desk at 368-HELP.

Case users who have been using the mandated Symantec Endpoint Protection and performing automated updates as mandated by the Case Tier I Controls should not be affected, however the few hosts that are infected are predicted to attempt scanning and logins to windows shares on the Case network.

If your Symantec Endpoint Protection alerts you to an intrusion attempt, please call the Case Help Desk with the alert information.

Case users of MacOS and Linux variants are not expected to be affected by the attack.