If in doubt, users can check their password ages online at the Password Verification utility.

Case users should never send passwords or other sensitive information via email.

The online presentations are at 11:00 AM, Monday 10/26, Tuesday 10/27, and Wednesday 10/28 at

https://connect.case.edu/identity

A valid Case NetworkID and password are required to attend.

The next larger presentation is scheduled for 12:00, Thursday, 10/28, in the MSASS Mandel Center room 108.

Additional details can be found at http://securityaware.case.edu

The first two Town Hall Meetings about the use of Identity Finder for campus users will be held today:

12:30 PM - 1:30 PM Strosacker Auditorium
3:00 PM - 4:00 PM Biomedical Research Building Room 105

Unfortunately, the spam also included the user's name as the sender's signature, and in the from: field.

If you mistakenly clicked on the phishing link, you should have received a message about this being a suspected phishing site.

This event highlights the need for end users to be extremely conscious of fraudulent communications. The university receives regular phishing attacks, but the magnitude is amplified when a single user is phished, and that user's account is used as the source of more spam and phishing messages.

A recent attack at North Carolina State University described in the Chronicle of Higher Education illustrates how far thieves will go. In this case, they created a bogus web page to collect UserID and passwords from people. This is an interesting attack I've seen discussed in security circles, and even done as security tests. It is amazing to see that somebody actually tried it in the real world against a university. I recommend users of web-based email clients install the McAfee Site Advisor utility in their browsers. If you click on a link of questionable nature, this will alert you to what could be a potential drive-by attack (you browse to a malicous site or a site with hidden malicous content).

The question that remains is, how do we stop phishing? Perhaps if we plead,

"Yo, phisher dudes! Chill!"

No, I don't think that will work. Phishing is a type of sales cold call. If you answer it, you open the door to larger theft and online misuse that leads to bigger security problems. Case users certainly have received enough of them over the 2007-2009 timeframe that they have been well-educated by the experience.

I recommend two things for users to do when they get a phish message:

1. Report phishing
2. Tell your friends and colleagues.

We used to request that Case users send phishing messages to Castlecops, but with their demise in 2008, I recommend you report them directly to the US-CERT Phishing Group by sending email to phishing-report@us-cert.gov. Of course, please remember to view the full headers to make the message investigation possible.

There still seem to be unwary users in our community who fall victim to phishing, so I suggest users make this a conversation topic. What a way to break the ice, "Hey, did you get that latest phishing message from..."

When they become ineffective, the phish will cease.

Internet Explorer remains a particularly exploitable application; the Critical patch released in this month's collection applies to various versions, including IE 8.

For more details, see http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx

Reply-to security@case.edu,
"support@cwru.edu" [tsupportteam@gmail.com] <--alert! Off-campus Reply-to address!
to support@cwru.edu
date Tue, Feb 3, 2009 at 2:45 PM
subject Important Notice

Dear cwru.edu User,

We have noticed an unauthorized attempt to change your
cwru.edu password from a foreign IP. This was going to
result to your inability to access your account due to the
password change. If you know you are the authorized owner of
this account, kindly reply by providing your original
username (*******) and PASSWORD (*******) so as to protect
your ID and password from unauthorized access.

Failure to do this will violate the Case Western Reserve
University email terms & conditions.

Thanks for using Case Western Reserve University

The Case Western Reserve University® Help Support.
All content (c) Copyright Case Western Reserve University®

This phishing example is instructive, because it illustrates several of the ways phishers attempt to dress up their scams with trappings of authority and social-engineer their way past your Shenanigan detectors.

Specifically, any time a message demands that you enter a visible, clear-text password into the text of an email, that *always* indicates that the sender is up to no good. These requests should immediately activate your Delete-key trigger finger.

Any time a message claims to be an "official" communication from the University, yet the "Reply-To" field sends your response to an address outside of the Case domain, you should experience shivers of intuition that Something Is Not Right. Check the Reply-To field in this example, and do not be fooled: Even users provisioned for Case Google Apps will still have @case.edu as their top-level domain.

No Case employee should ever ask you to share your username and password, and we will especially never ask users to transmit credential info in the clear text body of an email. Any such request for credential information should be met with deep suspicion, or at least scoffed at, and deleted at your earliest opportunity.

Case users are advised to update their versions of Adobe Acrobat or the Acrobat Reader by following the instructions in the Adobe Security Bulletin for vulnerability APSB09-06.

Users should note that third party products are not updated by operating system auto updates. Case will continue to notify users when manual updates such as these present a risk to networked IT systems.

Update: if you browse to this web site at the University of Notre Dame, it will give you a visual indication if your computer has been affected by the Conficker worm. If you don't see the images at the top, you may be infected, and should call the Case Help Desk at 368-HELP.

Case users who have been using the mandated Symantec Endpoint Protection and performing automated updates as mandated by the Case Tier I Controls should not be affected, however the few hosts that are infected are predicted to attempt scanning and logins to windows shares on the Case network.

If your Symantec Endpoint Protection alerts you to an intrusion attempt, please call the Case Help Desk with the alert information.

Case users of MacOS and Linux variants are not expected to be affected by the attack.

An exploit for the vulnerability found last month in both Acrobat and Adobe Reader has already been documented in the wild. It affects all versions of Acrobat and Reader, across all platforms (yes, even Macs). Today, Adobe has released the patch for version 9 of both products (incrementing the version number to 9.1). Users who have not upgraded from versions 6, 7 or 8 will be kept waiting - patches for those versions are scheduled for release on 3/18. Read more here: http://www.adobe.com/support/security/bulletins/apsb09-03.html

Case users can upgrade to the most recent version of Acrobat free of charge, through our volume license on the Software Center. Once the version is current, obtain and install the update appropriate to your OS at your earliest convenience: http://www.adobe.com/support/downloads/new.jsp.

Additionally, on Tuesday Acrobat released an update to close a fistful of flaws in its Flash software. Read more about it here: http://www.adobe.com/support/security/bulletins/apsb09-01.html

and obtain the installer here:
http://get.adobe.com/flashplayer/

Users who do not have Administrative privileges on their systems should contact their department's IT support organization, or call the Case Helpdesk at (216) 368-4357 for assistance in downloading and installing these updates.

A CERT Critical Infrastructure Notice was issued on Friday, February 20, to notify the community that an open vulnerability has been announced and exploited in version 9 of Adobe Acrobat and Acrobat Reader.

The exploit can be delivered in the form of maliciously crafted *.pdf files, either as emailed attachments or as downloads available from web sites. The maliciously crafted .pdf contains java script that calls a malware distribution server and invites malware and rootkits onto the compromised system.

Adobe has announced a patch for this vulnerability that will not be released until March 10, 2009. To mitigate the effects of this exploit, users should not open PDFs from untrusted sources, and should disable the JavaScript function in Acrobat and Reader. We also recommend disabling the automatic display of PDF documents within the web browser (instructions after the jump):

A few users have reported frustration when the passwords they attempt are serially rejected. The password change tool gives the user instructive feedback about the reason an attempted password is rejected, until the user creates one that passes the "isGood" check. This activity is also logged at the server, so we have been able to observe the issues that trip people up. Here are a few of the most common logged errors:

Users who run automated updates as part if the Tier I controls should see this appear tomorrow (Dec 17, 2009).

The browser is vulnerable to a number of new exploits, and a possible worm/botnet. Users are best served by downloading and using an alternate browser until then. Administrators are advised to prepare for a deployment to managed hosts.

Q: Why are passwords important to Case users?

A: In an open campus IT environment, authentication of users is the primary means to grant or deny access to online resources. Case uses passwords as a cost-effective means to protect data from unauthorized access.

The value and sensitivity of the data we manage have increased, and therefore our collective responsibility to protect this data has increased. In the past, the university used the network ID (half of the user account credential) as an email address (e.g. abc123@case.edu), and these are readily available for anybody with a modicum of search engine experience. Since that information is already publicly available, it is doubly important that password be handled with increased vigilance.

The highest risk we have of stolen passwords is from our wireless environment. Changing your password at regular intervals helps limit the risk of someone obtaining and/or guessing your password through a variety of attack methods. It also limits the amount of time a compromised password can be used. A password change policy also protects against passwords cached in browsers, leading to disclosure via shared machines.

The policy mandates an annual password change, but we recommend a higher frequency of change for employees or faculty whose work involves access to higher-sensitivity (Tier III) information.

Q: Why do I have to change my password at all? I mean, even my bank doesn't make me change my password.

A: Because your Case Password grants faculty, students, and some staff access to key IT infrastructure, such as the Student Information System, password changes have been implemented on an annual basis. Case implemented password complexity controls in 2005, and is now adding the annual password change requirement as a risk mitigation for theft or sharing of passwords which will lead to disclosure of sensitive information. In the past, this was not the case for faculty users, who previously had no access to student information online in this fashion.

Financial institutions drive security controls based on the threats they experience, and won't drive password changes to their customers because a compromised account will only affect that one customer. You can bet your bailout package that the bank employees, who have a greater impact on the overall business, have stringent access and password controls. While there can be much debate about password controls, information management and security standards bodies state password complexity and regular change intervals as best practice (see NIST Special Publication 800-12, chapter 16).

Q: If I have to change my password, I'll make it simple and write it down. Won't that increase the likelihood of it being stolen in some other way?

A: We all agree that Case is a highly selective academic environment. Without submitting all faculty, students, and staff to an IQ test, we can be confident that that Case users can easily memorize a new password, once per year.

When we surveyed other universities, noting we were coming from a 'no change' background, we found a wide range of access-control stringency in their policies, varying from requiring password change every 90 days to every 180 days (see below).

The bottom line in the Acceptable Use Policy is that users are held accountable for what is done with their passwords.

Q: That email notification about changing my password, is that for real?

A: The first time around, users will get a 60-day notification before their password is set to expire. We get many phish messages in higher education, so you should check with the Case Help Desk (http://help.case.edu) to be certain. You can tell the change notice from a phishing message apart from this alert because ours doesn't tell you to do anything. If users ignore the notice, that's okay too. The password will just expire when its date rolls over.

Q: Where are we going next with passwords?

A: We are experimenting with a 2-factor authentication system that will reduce our access-control and user authentication dependency on passwords. These technologies are becoming more affordable as they mature.

Q: Who else, academically, has a password change policy?

The Network Engineering and Security Group has been working on responding to the attacks and restoring services. Case users should be aware these attacks originated both internally and externally to the University networks, with the most recent outage being caused by a spike in network traffic that was much larger than what is considered normal traffic patterns. Several factors have contributed to the outage:
- We have evidence of a new botnet (ref: SANS, Computerworld) creating havoc among users of Microsoft Windows, based on the MS08-067 vulnerability. This is a possible cause of attacks on our network from outside and within.
- We also suspect a new Facebook/Myspace virus attack.

These offer a multi-axis combination of factors affecting network connectivity.

Users are an integral part of the overall security posture for the University networks, and the presence of multiple compromised computers on-campus participating as zombies in a botnet illustrates the need for awareness of Tier I controls. What should users do?

Make sure you have applied the Tier I controls. These are Case's baseline security configurations designed to help your system survive the most common attacks. These controls are mandatory, and I'll include just a few for readers to digest:

1. Automated patching for software security updates. This prevents worms from spreading through new vulnerabilities.
2. Installation of the Case Symantec Endpoint Protection anti-virus and firewall software. This is free for Case users through the Software Center. Did I say these anti-virus tools are free for all Case users? Yes they are free, so there is no reason not to have them installed and updated.
3. Be aware of the threat. Users can keep themselves, "...in the know" by subscribing to the SANS Ouch! newsletter and by visiting the Information Security site regularly (use the RSS feed!).

Case users are advised to contact the Case Help Desk (368-HELP) or with questions about network connectivity. The Help Desk is always your data dissemination point for outages.