Security Alerts

Apple vs Turkish Hackers

posted Apr 5, 2017, 9:52 AM by Shawn Kohrman   [ updated Apr 6, 2017, 10:11 AM ]

You may have heard that Apple has been contacted by a Turkish hacker group who threatens to remote wipe a large number of Apple devices if their ransom demands are not met.

What do the hackers want with my stuff?

Nothing in this case.  The hackers claim that they will wipe millions of Apple devices and their iCloud backups unless Apple pays a ransom.
Typically, hackers will target a person’s personal accounts (think Apple ID or personal Google account) for the purpose of identity theft or credit fraud.

Is the threat real?

While it is possible that Apple could have had their security compromised, the technical details around making something like this work at the scale the hackers claim to be capable of make it unlikely.
Security professionals around the globe are leaning towards weak passwords or the same password used for multiple things being the most likely credible threat.

What should I do?

If you have an Apple device, the IMT Security Office recommends doing two things.
  1. Make sure your Apple ID/iCloud account uses a strong password that you don’t use anywhere else.  For tips on creating a strong password visit the IMT Security Office website at http://security.apu.edu/home/what-you-need-to-know/password-tips.
  2. Turn on Apple’s two-factor authentication.  Instructions for using this are available at https://support.apple.com/en-us/HT204915.
For an extra layer of security, if you use a personal Google account, turn on Google’s two-factor authentication.  Instructions for this are available at https://www.google.com/landing/2step/.

Phishing Alert

posted Feb 27, 2015, 3:22 PM by Shawn Kohrman

In recent months IMT has seen a significant increase in the number of phishing attempts all across campus.  While many people are doing a great job of spotting and reporting these, some users have become victims of the attack.

IMT has been collecting samples of phishing emails for you to view at support.apu.edu in the Latest SPAM and PHISHING Messages article.  

Additionally, IMT has setup a special email address for you to forward any emails that look odd for verification.  That email address is spam@apu.edu.  Sending an email there will help us stop these emails.  

5 Million Gmail Usernames, Passwords Stolen [UPDATED]

posted Sep 10, 2014, 2:36 PM by Shawn Kohrman   [ updated Sep 22, 2014, 3:56 PM ]

A variety of news outlets and media sources are reporting that 5 million usernames and passwords have been stolen from Google.

A number of key points must be acknowledged while considering what this means for you as an individual and as a member of the APU community.

Don't Panic
  • Most of the data appears to be over a year old.  So, if you've changed your Gmail password in the last year this may not affect you.
  • Google has announced to the public that none of its servers or services show any evidence of a breach.  These usernames/passwords appear to have been gathered primarily from personal computers infected with malware.
  • A tool is available to check if your address is on the list.

How Do I Check?

A tool has been put online that will check your email address against the published list.  If your email address comes up in the list, please change your password immediately.

The tool is available at https://lastpass.com/gmail/
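The lookup tool linked above is a third-party service; the following is an added example, not the tool's own code, showing how such a check can be built so that the operator keeps only hashes of the leaked addresses rather than the plaintext list. The leaked addresses below are constructed sample data, and the Gmail normalization rules (dots in the local part and anything after a plus sign are ignored for delivery) are applied so that spelling variants of one mailbox all match.

```python
import hashlib
from typing import Iterable, Set

GMAIL_DOMAINS = ("gmail.com", "googlemail.com")


def normalize_email(address: str) -> str:
    """Canonical form of an address before hashing.

    Trims whitespace and lowercases everything. For Gmail mailboxes the
    dots in the local part and any '+tag' suffix are dropped, because Gmail
    delivers all of those spellings to the same account, so a leak check
    that compared the raw string would miss obvious variants.
    """
    cleaned = address.strip().lower()
    if "@" not in cleaned:
        return cleaned  # not an address; leave as-is so it simply never matches
    local, _, domain = cleaned.rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def email_digest(address: str) -> str:
    """SHA-256 of the normalized address; the index stores only this."""
    return hashlib.sha256(normalize_email(address).encode("utf-8")).hexdigest()


def build_index(leaked_addresses: Iterable[str]) -> Set[str]:
    """Turn a leaked address list into a set of digests for lookup."""
    return {email_digest(a) for a in leaked_addresses}


def is_listed(address: str, index: Set[str]) -> bool:
    """True if the (normalized) address appears in the leaked set."""
    return email_digest(address) in index


# Constructed sample leak data (not from any real dump).
SAMPLE_LEAK = [
    "Alice.Example@gmail.com",
    "bob@example.org",
]
SAMPLE_INDEX = build_index(SAMPLE_LEAK)


if __name__ == "__main__":
    for probe in ("aliceexample@gmail.com", "BOB@example.org", "carol@example.org"):
        print(f"{probe}: {'LISTED' if is_listed(probe, SAMPLE_INDEX) else 'not listed'}")
```

Hashing does not make the index secret against someone who already holds a candidate address (they can hash it too), but it does keep the raw list from sitting on the lookup server in the clear.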

Help! I'm on the List

If your email address comes back as being on the list, there are a few simple steps you can take to protect yourself.
  1. Change your Gmail password immediately.  Tips for building a strong passphrase are available at http://security.apu.edu/home/what-you-need-to-know/password-tips .
  2. If checking your personal account, follow Google's instructions for enabling two-factor authentication.  Instructions for setting this up are available at https://support.google.com/accounts/answer/180744?hl=en
  3. Make sure you are not reusing passwords.  Using unique passwords for each account helps prevent cyber criminals from accessing all aspects of your online world. 
  4. Use a password manager.  This will help you sanely utilize unique passwords for all your accounts.  More information is available at http://security.apu.edu/home/what-you-need-to-know/password-tips


Get Rid of CryptoLocker for Free

posted Aug 14, 2014, 8:42 AM by Shawn Kohrman

The ransomware variant known as CryptoLocker is a particularly nasty bit of malware that is taking the Internet by storm.  Its use of sound cryptographic practices, combined with an ingenious method of extortion, makes it an exceptionally potent and dangerous package.

Update
FireEye and Fox-IT have partnered to provide free keys designed to unlock systems infected by CryptoLocker.
The tool is available here:  https://www.decryptcryptolocker.com/

Thanks go out from the IMT Security Office to FireEye and the Fox-IT teams for their tremendous work in tracking down the keys that make this possible.

Russian Hackers Stole 1.2 Billion Credentials

posted Aug 7, 2014, 1:53 PM by Shawn Kohrman   [ updated Aug 7, 2014, 1:57 PM ]

As noted in the major news outlets recently, the security firm Hold Security LLC recently announced its discovery that a Russian cybercrime gang had amassed a collection of over 1.2 billion username/password combinations.

A number of questions still remain regarding this discovery.

  1. It has yet to be clearly determined if the credentials were bought on the black market or acquired via exploiting (hacking) websites.  Speculation exists that points to a combination of the two.

  2. What specific websites were compromised?  As yet, the specifics on this have not been made public.  More importantly, it is unknown how “fresh” (newly acquired and usable) these credentials are.

  3. If the credentials are still “fresh” (newly acquired and usable), what will they be used for?  Depending on the source, they can be used to access bank accounts for outright theft, access personal email addresses for sending spam and gaining access to other accounts, or simply spam.


While the size and scope of the database held by this criminal group is impressive, the unanswered questions above temper our overall reaction to the threat.


Recommendations

As general good practices, the IMT Security Office recommends the following:

  1. Change the password on your personal email account to something unique.  Your personal email account can be used as a gateway to all your other accounts.  This happens because your other accounts usually will send “Forgot Password” or “Reset Password” links to your personal email account.  Helpful instructions on creating good passwords are available at http://security.apu.edu/home/what-you-need-to-know/password-tips

  2. Use a password manager to help you create and manage strong, unique passwords for all your accounts.  It is extremely important to not reuse passwords at multiple sites.  However, this can make password management a chore.  More information on password managers is available at http://security.apu.edu/home/what-you-need-to-know/password-tips



Heartbleed Bug [UPDATED]

posted Apr 10, 2014, 10:30 AM by Shawn Kohrman   [ updated Apr 10, 2014, 11:51 AM ]

You may have read in the news about a web security flaw known as the ‘Heartbleed’ bug. Heartbleed affects the encryption technology designed to protect online activities such as commercial emailing, banking, and online shopping. It only affects websites that use OpenSSL.
 
We would like to inform the APU Community that IMT is aware of the Heartbleed bug and has been actively scanning and updating our servers, where appropriate, to address any vulnerabilities.
 
The good news is that a very small percentage of our servers use OpenSSL and we have determined that GMail and Google Apps are not affected by Heartbleed.
 
We continue to ensure the University’s data is protected and we will keep the community updated.
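As an added illustration of the "only affects websites that use OpenSSL" point (this is example code, not IMT's scanning tooling), the helper below classifies an `openssl version` banner by whether its release falls in the range that shipped the Heartbleed bug: OpenSSL 1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release, with 1.0.1g being the first fixed 1.0.1 release. The sample banners are constructed. The result is deliberately labelled "possibly-vulnerable" rather than "vulnerable" because Linux distributions backported the fix without changing the version string, so only a live test of the server (such as the one referenced at heartbleed.com) can confirm it.

```python
import re
import subprocess
from typing import Optional

# Releases that contained the Heartbleed bug: 1.0.1 (no letter) through
# 1.0.1f, and the 1.0.2-beta1 pre-release. 1.0.1g and later are fixed;
# 0.9.8 and 1.0.0 never shipped the affected heartbeat code.
VULNERABLE_PATTERN = re.compile(r"^1\.0\.1[a-f]?$|^1\.0\.2-beta1$")

# Version token as printed by `openssl version`, e.g. "1.0.1e", "1.0.1e-fips",
# "1.0.2-beta1", "3.0.2". The optional "-fips" style suffix is discarded.
BANNER_PATTERN = re.compile(r"^OpenSSL\s+(\d+\.\d+\.\d+[a-z]*(?:-beta\d+)?)")


def parse_openssl_version(banner: str) -> Optional[str]:
    """Extract the version token from an `openssl version` banner.

    Returns None for anything that is not an OpenSSL banner (LibreSSL, GnuTLS,
    empty output), so callers can report "unknown" instead of guessing.
    """
    m = BANNER_PATTERN.match(banner.strip())
    return m.group(1) if m else None


def version_in_heartbleed_range(version: str) -> bool:
    """True if the bare version token is one of the releases that had the bug."""
    return VULNERABLE_PATTERN.match(version) is not None


def assess(banner: str) -> str:
    """Classify a banner: 'unknown', 'possibly-vulnerable' or 'not-in-affected-range'.

    A version in the affected range is only *possibly* vulnerable: distribution
    packages (e.g. a 1.0.1e with a backported fix) keep the old version string,
    so a live heartbeat test is needed to confirm either way.
    """
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"
    if version_in_heartbleed_range(version):
        return "possibly-vulnerable"
    return "not-in-affected-range"


def assess_local_openssl() -> str:
    """Run `openssl version` on this machine and classify the result."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return "unknown"
    return assess(out)


if __name__ == "__main__":
    # Constructed sample banners, in the format `openssl version` prints.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013",
                   "LibreSSL 3.3.6"):
        print(f"{sample!r}: {assess(sample)}")
    print(f"this machine: {assess_local_openssl()}")
```

Treat "possibly-vulnerable" as a work item to verify and patch, and "not-in-affected-range" as no action required for this particular bug; an "unknown" result means the binary is not OpenSSL at all and needs a different check.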

How to protect yourself from the "Heartbleed" security bug

Change your online passwords -- all of them

"I would change every password everywhere because it's possible something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software.

And follow these guidelines for choosing secure passwords. Don't use common words or a string of consecutive numbers. Experts recommend passwords be at least eight characters long, using a combination of letters, numbers and symbols. Avoid using the same user name and password for multiple sites.

Make sure Web services you use have updated their security

Changing your passwords won't do any good, experts explained, until the affected Web services install software to fix the problem. They would then need to alert their users to the potential risks, and let them know when the Heartbleed fix has been installed so they can change their passwords.

Fortunately, "many of the biggest and most important services have already been patched and fixed," Mandiant Security senior consultant William Ballenthin tells CBS News. "I've already received notices from Google and Amazon and Yahoo that they identified the issue last week and they've already fixed it."

CNET advises Web users to check the security of individual sites here, though it warns that caution is still warranted even if the site has an "all clear" indication. If you're given a red flag, avoid the site for now.

Yahoo Inc., which boasts more than 800 million users worldwide, is among the Internet services reportedly compromised by Heartbleed. Yahoo says most of its most popular services -- including sports, finance and Tumblr -- have been fixed, but work was still being done on other products that it didn't identify in a statement Tuesday.

"We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data," Yahoo said.

CNET reports that other major Web services, including Facebook, Google and Twitter, did not appear to be compromised -- but as Chartier points out, it's hard to know for sure.

Keep an eye on your credit card statements

Just in case your data was breached, check your financial statements and report any suspicious activity to your credit card company.

Be cautious of smaller Web sites

Despite the worries raised by the Heartbleed bug, Codenomicon said many large consumer sites aren't likely to be affected because of their "conservative choice" of equipment and software. "Ironically, smaller and more progressive services or those who have upgraded to (the) latest and best encryption will be affected most," the security firm said in a blog post.

Although it may take months for smaller sites to install the Heartbleed fix, Chartier predicts all the major Internet services will act quickly to protect their reputations.

In the meantime, Ballenthin says, there's no need to panic. "I think really you just need to be aware that the issue's out there, and when [a Web site] asks you to reset your password, or change some settings, go ahead and do it as soon as you can." 
 
If you have any questions, please don’t hesitate to contact the Support Desk.

Tool To See if a Website is Safe


References
http://heartbleed.com/
http://www.cbsnews.com/news/how-to-protect-yourself-from-the-heartbleed-security-bug/
http://www.engadget.com/2014/04/09/google-heartbleed-patch-info/

Apple Security Protocol Breach [UPDATED]

posted Feb 25, 2014, 11:54 AM by Shawn Kohrman   [ updated Feb 25, 2014, 12:26 PM ]

Background
There is a flaw in Apple’s iOS and OS X platforms that essentially allows a hacker to get in between the initial verification “handshake” connection between the user and the destination server, enabling the adversary to masquerade as a trusted endpoint. This means the connection which is supposed to be encrypted between you and your bank, email server, healthcare provider and more is open to attack.

Recommendations
  1. Update your Apple devices and systems as soon as possible to the latest available versions.
  2. Do not use untrusted networks (especially WiFi) while traveling, until you can update the devices from a trusted network.
  3. On unpatched mobile and laptop devices, set the “Ask to Join Networks” setting to OFF, which will prevent them from showing prompts to connect to untrusted networks.

Update
Apple has released a software update for Mac laptops and desktops.


IMT Security Office Alert - CryptoLocker

posted Nov 10, 2013, 11:08 AM by Shawn Kohrman   [ updated Nov 12, 2013, 11:45 AM ]

The ransomware variant known as CryptoLocker is a particularly nasty bit of malware that is taking the Internet by storm.  Its use of sound cryptographic practices, combined with an ingenious method of extortion, makes it an exceptionally potent and dangerous package.

How to Avoid CryptoLocker

Azusa Pacific University has several layers of protection in place to help detect and prevent malware of all kinds.  While these are generally very effective, the CryptoLocker malware has the ability to circumvent these controls if you unknowingly execute an infected file or click on a malicious link in an email.

CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious web sites by exploiting outdated browser plugins.

Tips for avoiding these malicious email attachments, malicious websites, and more are available on this site here and here.  Additional information is made available via US-CERT (United States Computer Emergency Readiness Team) here.

Backup Your Computer

Having good backups of the data on your computer is the fastest and most reliable way to recover from any malware--this is especially true with CryptoLocker.  If you are using a good backup system, chances are, you'll be able to recover from CryptoLocker with very little impact.

Personal Computers
There are a number of good computer backup solutions available at a very reasonable price.  These solutions have been evaluated by IMT and, while not officially recommended, are known to be effective.

If you believe you have the CryptoLocker malware on your personal computer, contact the IMT Support Desk immediately.  

APU Owned Equipment

The main campus file server is backed up on a regular basis.  We strongly recommend that you store your critical work files on your "L" and "M" drives to ensure recovery if your machine(s) become infected.  Google Drive also provides revisions for native Google files.  However, non-native files (Word, Excel, and Powerpoint) may not have revision history.

If you believe that you have the CryptoLocker malware on your APU owned machine, contact the IMT Support Desk immediately.

Help! CryptoLocker Is On My Computer

If your machine has been infected with the CryptoLocker malware, you have only a few feasible options.  Since CryptoLocker encrypts everything it can find on your local hard drive, your Dropbox, Box.net, SkyDrive, Google Drive, etc., having good backups is the best recovery option available.

Restore Your Backup

Personal Computers

If you have used one of the recommended backup solutions or have a backup solution of your own, there are two key steps to recovering from CryptoLocker.
  1. Use the factory restore CD/DVDs that came with your computer to recover your machine to its original state.
  2. Restore your files using the backup solution you have chosen.

APU Owned Equipment

If you believe that you have the CryptoLocker malware on your APU owned machine, contact the IMT Support Desk immediately.

Pay the Ransom
If you don't have any backups of your work, and the files that have been encrypted by CryptoLocker are critical, you may want to consider paying the ransom. While this is ideologically offensive to most, there have been numerous reports of individuals who have paid the ransom and successfully recovered their files.

Before you consider paying the ransom, please contact the IMT Support Desk first. We will help you determine the best course of action for recovering your data. 

Other Resources 

There is a growing number of resources on the web dealing with CryptoLocker. Here are some sites that can provide additional accurate information.

Malwarebytes: Cryptolocker Ransomware: What you need to know.

Naked Security (Sophos): Destructive malware Cryptolocker on the loose.

http://www.symantec.com/connect/forums/cryptolocker-and-adc-policies

Reddit thread: Proper care and feeding of your Cryptolocker

Makeuseof.com: Cryptolocker is the nastiest malware ever and here’s what you can do

Ars Technica: You’re infected — if you want to see your data again, pay us $300 in Bitcoins

IMT Security Office Alert - Microsoft Digital Crimes Unit

posted Mar 11, 2013, 10:31 AM by Shawn Kohrman   [ updated Nov 10, 2013, 9:36 AM ]

Malware attack poses as security warning from Microsoft Digital Crimes Unit

The irony of a cybercriminal attack posing as the Microsoft Digital Crimes Unit, and using the fear of vulnerabilities and malware infection to trick users into unwittingly compromising their Windows computers shouldn't be lost on any of us.
http://nakedsecurity.sophos.com/2013/03/07/malware-attack-microsoft-digital-crimes/

IMT Security Office Alert - Evernote Hacked

posted Mar 4, 2013, 9:38 AM by Shawn Kohrman   [ updated Nov 10, 2013, 10:11 AM ]

"Evernote, the productivity service that allows people to take notes, clip articles and view them on a range of devices, told users that it had been hacked Saturday. As a result of the hack, which the company said leaked user e-mails and encrypted passwords, the company decided to reset the passwords of its entire userbase — estimated to be around 50 million."

http://www.washingtonpost.com/business/technology/evernote-hacked-millions-must-change-passwords/2013/03/04/8279306c-84c7-11e2-98a3-b3db6b9ac586_story.html
