This page is a collection of computer-related e-mails sent to the
English (and formerly, the Psychology) Department. These fall into several categories: procedures
within the department for using computing resources, computer security
notices, software licensing notices, and computing culture bulletins.
2019-11-26
WHAT THIS IS ABOUT:
Don't Panic. This is a PSA about EndNote compatibility with Mac OS Catalina (10.15.1). Two Admiral
Ackbars, because, "It's a Trap!"
WHO SHOULD READ THIS:
Macintosh Users
EndNote Users
Windows Users are not affected
WHAT YOU SHOULD DO:
If you are an EndNote user, be sure to update your version of EndNote to EndNote X9.3.2 for Mac
*BEFORE* updating to MacOS Catalina.
EndNote Users should follow the instructions here:
https://support.alfasoft.com/hc/en-us/articles/360002603017
If you have already upgraded to Catalina OS before updating your EndNote program to EndNote X9.3.1,
the EndNote app will be disabled in the Applications folder. To fix this, you would need to reinstall
the EndNote X9 version with the latest update (EndNote X9.3.1).
ADDITIONAL INFORMATION for the Technically Curious:
I continue to recommend waiting to install Catalina (OS 10.15.1) until the December Break because
updating the Macintosh OS requires collateral updates to other software (e.g. EndNote, Office 2011 for
Mac, a host of Adobe software, etc), and waiting a few more weeks will give Apple and other software
vendors time to address any update bugs. However (he says in a manner trying to invoke Tiresias
before Oedipus) if you're between projects, and you have the inclination and the time right now to
deal with Catalina... well... okay... go ahead.
The Catalina update is aggressive about compatibility and security. This is mostly a good thing, but
it has a side-effect of the upgrade software moving files which don't fit its idea of compatibility
and security into a "Relocated Items" folder on the desktop. If you have document files located
outside of your Documents folder, or if you've tricked out the iMac into a non-standard configuration,
you may run into difficulties with files not being where they were prior to the Mac OS upgrade. Your
Mileage May Vary.
Clarivate's statement and instructions for Updating EndNote:
https://support.clarivate.com/Endnote/s/article/EndNote-for-Mac-macOS-Catalina-Compatibility?language=en_US
Apple: 32-bit app compatibility with macOS High Sierra 10.13.4 and later
https://support.apple.com/en-us/HT208436
EndNote is not in the list of University-offered software; EndNote is available through the UO
Bookstore at an academic discount.
2019-10-07
WHAT THIS IS ABOUT:
Apple has just released a new Macintosh OS, OS 10.15. Three Admiral Ackbars
because IT'S A TRAP!
WHO SHOULD READ THIS:
Folks with Macintosh computers.
Folks with mobile devices (iPhone, iPad, iEtcetera) are obliquely affected.
Windows folks are not affected.
WHAT YOU SHOULD DO:
Very likely, folks will begin to get nagged by their Macintosh computers to upgrade to the new MacOS,
10.15 (Catalina).
Wait.
Always wait whenever Apple releases a major upgrade to the OS. My usual advice is to wait until the
December break. By then, other software venders have had a chance to catch up with the new OS, and
Apple has had a chance to issue updates to clear out the bugs that usually appear. ALSO, this is a
major update that requires folks to update away from legacy application software (and data) to the
latest, newest version -- this will require extra time updating things besides the operating system.
Catalina drops 32-bit support for programs. Remember when you updated to Mojave, and a scary dialog
boxes came up saying a particular app "is not optimized for your Mac"... you'll really have to update
those now. https://support.apple.com/en-us/HT208436
You know that old McAfee program that's been keeping your Macintosh safe for the last few years?
You're going to have to reinstall it. (Or use Apple's Gatekeeper) You know that old Adobe software
you've been hanging onto since forever? You're going to have to reinstall it. Your old English Xerox
Printer Driver -- you'll need to reinstall it if you want to print. You know that super-old Cisco
AnyConnect VPN Client? Yep; needs reinstalling. Office 2011 for Mac? Needs reinstalling. Fetch?
(Does anyone still use Fetch?)... That ancient copy of MalwareBytes; time for an upgrade.... Your "Pin
It!" button browser extension (and probably other, older extensions)... yep, they're all gonna break.
Aperture? Sorry, you need to switch to something like Adobe's Lightroom.
Some of your data will be affected, too:
https://support.apple.com/en-us/HT209000
So wait to update.
Wait.
Really.
ADDITIONAL INFORMATION for the Technically Curious:
How do I check if an app is 32-bit or 64-bit?
From the Apple menu, choose About This Mac,
then click the System Report button.
From the system report, scroll down to Software in the sidebar, then select Applications.
When you select an individual application, you will see a field titled 64-bit (Intel). “Yes" indicates
64-bit; “No" indicates 32-bit.
If you're using macOS Mojave, select Legacy Software in the sidebar to see all applications that have
not been updated to use 64-bit processes.
MacRumors: 32-Bit Apps 'Not Optimized for Your Mac' to Stop Working on macOS Catalina
https://www.macrumors.com/guide/32-bit-mac-apps/
OK; if you're really really really going to die if you don't update at this very moment, go ahead, but
expect it to break things.
Here's a list of hardware that will be able to run Catalina:
MacBook (Early 2015 or newer)
MacBook Air (Mid 2012 or newer)
MacBook Pro (Mid 2012 or newer)
Mac mini (Late 2012 or newer)
iMac (Late 2012 or newer)
iMac Pro (2017)
Mac Pro (Late 2013)
Ars Technica Review:
https://arstechnica.com/gadgets/2019/10/macos-10-15-catalina-the-ars-technica-review/ "Apple's
operating system releases have all seemed a bit rushed this year—go ahead and give the company a
couple of months to patch Catalina before you install it, if you can."
Ars Technica: New (and sometimes annoying) system security measures
https://arstechnica.com/gadgets/2019/10/macos-10-15-catalina-the-ars-technica-review/11/#h4
Mac Rumors https://www.macrumors.com/2019/10/07/apple-releases-macos-catalina/ "...macOS Catalina
brings some major changes to the Mac, eliminating the iTunes app in favor of new Music, Podcasts, and
TV apps. The three apps offer similar functionality to iTunes, but are split up by feature."
2019-08-14
WHAT THIS IS ABOUT:
Microsoft has patched a critical security hole in Windows10 that could be used by the Evil Ones to run
arbitrary code on Windows Machines without any action from the legitimate user. Three Admiral
Ackbars.
WHO SHOULD READ THIS:
Microsoft Windows Users
Macintosh Users are Not Affected
WHAT YOU SHOULD DO:
Do this sooner rather than later.
1. For a speedier process, you may wish to connect your machine to Ethernet instead of using a slower
WiFi connection.
2. Save your work and close all applications.
3. In the Windows Desktop, go to the lower left-hand corner and click on the WINDOWS Icon; a pop-up
menu should appear.
4. Click on the Gear Icon to open up Windows SETTINGS; a new window should appear.
5. From the icons displayed, click on the two arcing arrows icon to open UPDATE And SECURITY; the
window should refresh to "Windows Update"
6. You may be prompted to RESTART NOW; if so click on the restart button, wait for the updates to
install themselves and repeat the above steps.
7. You should see a button called CHECK FOR UPDATES; click on this to manually have Windows contact
the Borg Cube Microsoft for operating system updates; a message "Checking for updates" should
appear.
8. Eventually, you may see words to the effect of "Status: Downloading," or "Status: Installing,"
wait while the installer goes through its tasks.
9. After the patches have been downloaded and installed, you may be prompted to RESTART NOW. Click
on the restart button.
10. Very likely you will see a blue screen with white letters and a hypnotic whirling balls telling
you not to turn off your computer while the updates are processed.
11. After a pause, a login screen should appear; log in as you normally do.
12. Repeat the above steps until the update utility tells you "You're up to date."
For extra security, users may wish to disable Remote Desktop following these instructions:
https://www.lifewire.com/disable-windows-remote-desktop-153337
ADDITIONAL INFORMATION for the Technically Curious.
Every second Tuesday of the month, Microsoft issues software patches for Microsoft Software. The
August patch provides important security updates that will harden Windows 10 against Internet Worms.
Internet Worms are especially worrisome, as they can spread around the planet without any user
intervention.
From the Tech News:
Microsoft Overview:
https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/
Naked Security: Patch time! Microsoft warns of new worm-ready RDP bugs
https://nakedsecurity.sophos.com/2019/08/14/microsoft-warns-of-new-worm-ready-rdp-bugs/
Hot For Security: Microsoft warns of wormable vulnerabilities in Windows
https://hotforsecurity.bitdefender.com/blog/microsoft-warns-of-wormable-vulnerabilities-in-windows-21450.html
Security Week: Microsoft Warns of New BlueKeep-Like, Wormable RDS Vulnerabilities
https://www.securityweek.com/microsoft-warns-new-bluekeep-wormable-rds-vulnerabilities
The Actual Exploits:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182
2019-08-13
WHAT THIS IS ABOUT:
Don't Panic. UO Information Services will be activating a security service on August 15, 2019, which
will reduce phishing threats by detecting malicious links sent in e-mail and redirecting users to a
notification site if the malicious link is followed. One Admiral Ackbar.
WHO SHOULD READ THIS:
Everyone. This is a campus-wide service.
WHAT YOU SHOULD DO:
No configuration changes are necessary to use this feature.
When you hover over a web link in an e-mail message, (in some cases) the service will have changed the
link to something with "urldefense.com" in it; this is normal and expected. The service is filtering
links as it looks for malicious ones. Following the link will take you to genuine web sites if the
site is legitimate, or to a Warning Page if the link is phishy.
ADDITIONAL INFORMATION for the Technically Curious:
A gentle reminder: just because there's an e-mail filtering service in place doesn't mean you can
click on e-mail links with wild abandon. Please continue to practice common sense and good e-mail
phishing hygiene (see https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=40236 for tips). The URL
Link Protection service is filtering e-mails with an off-campus origin, but isn't looking at on-campus
sources; so, if say, my UO e-mail account picked up an e-mail worm and started spamming everyone with
infected messages, this service wouldn't filter out those messages. Also, it's possible that brand
new malicious e-mail links might not have been added to the URL Link Protection's watch list, which
would mean they wouldn't be filtered out.
URL: Uniform Resource Locator.
UO Service Portal Page on URL Link Protection:
https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=84238
2019-07-19
WHAT THIS IS ABOUT:
Don't panic. This is a PSA about a recent uncool upgrade Dropbox foisted off on users. One Admiral
Ackbar.
WHO SHOULD READ THIS:
Folks who use Dropbox to synchronize files between computers.
Non-Dropbox Users are Not Affected.
WHAT YOU SHOULD DO:
From Ars Technica:
"By default, your way of launching Dropbox will now open the Dropbox file manager instead of Finder on
a Mac or Explorer on Windows. You can change this, though. Just open the Dropbox Preferences, and in
the "General" tab you'll see an "Open folders in" option. If you've been upgraded to the "New Dropbox
Experience," this will say "Dropbox," just change it to "Explorer" or "Finder" and Dropbox will be
slightly more normal."
ADDITIONAL INFORMATION for the Technically Curious:
I am neither endorsing nor decrying Dropbox use.
I will point out that Dropbox is not FERPA compliant.
Repeat after me: "Dropbox is not a file backup service."
Ars Technica: Dropbox silently installs new file manager app on users’ systems
https://arstechnica.com/gadgets/2019/07/dropbox-silently-installs-new-file-manager-app-on-users-systems/
2019-07-18
WHAT THIS IS ABOUT:
Don't Panic! Network services is conducting maintenance on a number of network switches. Ethernet
and wireless network access will be down Friday, 7/19, from 5:30AM - 7:00 AM. Two Admiral Ackbars
(more like an R2-D2).
WHO SHOULD READ THIS:
Computer users in PLC.
Off-campus users are not as affected.
WHAT YOU SHOULD DO:
There's not a whole lot to do.
You may wish to budget a little extra time Friday morning for machines to figure out where they live
on the network.
Extra bonus "don't confuse the machine" points if Thursday night (tonight) you turn off networked
devices (like printers) so they can be blissfully unaware that the network will be down.
During the 5:30AM - 7:00AM window, computers and printers will be unable to connect to the UO network;
this means folks will be unable to send e-mail from a computer in an affected part of campus, and
printers won't be able to receive print jobs or send scanned documents anywhere.
ADDITIONAL INFORMATION for the Technically Curious:
-----Original Message-----
From: Don Gathers via RT
Sent: Wednesday, July 17, 2019 4:06 PM
Cc: Barbara Luton ; Benjamin Starlin ; John Burridge
; Kim Lilley ; TK Landazuri ;
uonet-outages@lists.uoregon.edu
Subject: [ithelp #1733726] Switch Reboots in PLC
SUBJECT: Switch Reboots in PLC
AFFECTED: PLC Wired and wireless users
STATUS: Planned
START TIME: Fri. 7/19/2019 5:30 AM
END TIME: Fri. 7/119/2019 7:00 AM
DESCRIPTION: NTS will be rebooting several switches during this maintenance window. The network will
be unstable during the reboots.
UPDATE:
TIMESTAMP:Wed Jul 17 16:05:10 PDT 2019
Thank you,
UO Network Services
--
Voice: +1.541.346.6387
Service request: https://service.uoregon.edu Service status: https://status.uoregon.edu
2019-07-09
WHAT THIS IS ABOUT:
Don't panic. There is a zero-day security flaw in a third-party video conferencing program, Zoom,
which allows hackers to remotely turn on a Macintosh's camera and potentially flood a user's Macintosh
with DOS (Denial of Service) attacks. Three Admiral Ackbars, mostly because I'm thinking most people
use Skype instead of Zoom.
WHO SHOULD READ THIS:
Macintosh Users who have ever installed Zoom on their machines.
Folks who have never, ever installed Zoom (ever) are not affected.
Windows users are not affected.
WHAT YOU SHOULD DO:
+ If you have never ever installed Zoom on your Macintosh, you're fine.
+ If you have Zoom installed and you intend to keep using it, you need to change some settings as a
work-around (procedure from
https://nakedsecurity.sophos.com/2019/07/09/zoom-flaw-could-force-mac-users-into-meetings-expose-video-feed/).
Change Zoom Preferences:
Launch the Zoom app.
Open the Preferences page from the menu bar (or press Command-,).
Click the Video option.
Enable the setting Turn off my video when joining a meeting.
Block Zoom's access to your camera altogether, via the Mac's System Preferences settings:
Click on the Apple menu (top left corner of your screen).
Choose System Preferences...
Click the Security & Privacy icon.
Click the Camera option.
Review which apps have access to your camera.
+ If you think you might have installed Zoom at some point, even if you've deleted it,
Go to the Utilities Folder on your Mactintosh.
Open the Terminal Utiltiy.
Type lsof -i :19421 (that's el-es-oh-eff space dash eye space colon 19421) and press RETURN.
If the Terminal prompt appears with no list, Zoom is not running in the background; you're fine.
If a list appears, then there's a server running in the background... continue.
Permanently disable the localhost web server from running on your Mac, from the Terminal prompt type
the following (procedure from
https://www.macworld.com/article/3407764/zoom-mac-app-flaw-security-camera.html
):
pkill ZoomOpener;rm -rf ~/.zoomus;touch ~/.zoomus &&chmod 000 ~/.zoomus;
Then type:
pkill "RingCentralOpener";rm -rf ~/.ringcentralopener;touch ~/.ringcentralopener &&chmod 000
~/.ringcentralopener;#
ADDITIONAL INFORMATION for the Technically Curious:
Naked Security:
https://nakedsecurity.sophos.com/2019/07/09/zoom-flaw-could-force-mac-users-into-meetings-expose-video-feed/
Macworld: Zoom Mac app flaw sparks serious security concerns
https://www.macworld.com/article/3407764/zoom-mac-app-flaw-security-camera.html
"If you've ever downloaded the Zoom app to participate in a video conference, your Mac may be at
risk—even if you've already deleted it."
SecurityWeek:
https://www.securityweek.com/vulnerability-gives-attackers-remote-access-zoom-users%E2%80%99-cameras
"...when the Zoom Client is installed, a web server running on port 19421 is also created on the local
machine. The issue, the researcher says, is that the web server remains on the machine even after the
application has been uninstalled and can re-install it when the user accesses a webpage, without
interaction."
Medium (technical details):
https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
"On Mac, if you have ever installed Zoom, there is a web server on your local machine running on port
19421. You can confirm this server is present by running lsof -i :19421 in your terminal.
First off, let me start off by saying having an installed app that is running a web server on my local
machine with a totally undocumented API feels incredibly sketchy to me. Secondly, the fact that any
website that I visit can interact with this web server running on my machine is a huge red flag for me
as a Security Researcher."
Common Vulnerabilities and Exposures:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13450
2019-07-02
WHAT THIS IS ABOUT:
Take a deep breath. There's a well-crafted phishing e-mail being sent, supposedly by the UO Library,
attempting to trick people out of there usernames and passwords. Two-and-a-half Admiral Ackbars.
WHO SHOULD READ THIS:
Everyone with UO e-mail.
WHAT YOU SHOULD DO:
If you receive an e-mail from "UO Libraries" with a subject "Library Notice" and body text along the
lines of "your account will expire if you don't log in and renew it," delete the message unread.
If you clicked on the link and got tricked into giving your username and password, go to
https://duckid.uroegon.edu/ and change your password.
Additional "Ooops, I fell for that one" instructions here:
http://security.uoregon.edu/node/37.html#phished
ADDITIONAL INFORMATION for the Technically Curious:
UO Phishing Guide
http://security.uoregon.edu/node/37.html
List of recent phishing attempts targeting UO folks:
https://phishtank.uoregon.edu/
This particular phishing attempt is well-crafted. It's using the "two truths and a lie" technique,
supplying two valid links to generic library links to trick you into going to the malicious link
(which is using an obscure URL).
The e-mail header is suspicious: the bu.edu domain is Boston University; I would expect a valid
address to be something like library@uoregon.edu. The timestamp is CDT; I would expect PDT. The
Subject is vague; shouldn't it be something like "Library Account Renewal" ?
In the body text, "Dear Student" is another red flag; they've got your account information already,
presumably, they would be able to address you by name.
The message starts to fall apart if you get beyond the reptile-brain-response to "OMG! I'm going to
lose all my library access soon!" The message also relies on the recipient not fully understanding
how all the library accounts at the UO really work (John raises his hand, because... cool, the UO
Library offers all sorts of nifty access to all sorts of electronic holdings in addition to the
physical stacks in the Knight Library... and I think you have to sign up for each type of service
separately...)
For a list of services is a great touch, because https://library.uoregon.edu/ really does exist -- but
it doesn't give you the alleged list without a lot of digging. They might have meant to send folks to
this page: https://library.uoregon.edu/library-technology-services
Contact the "Library Help Desk," is another nice touch... except there isn't anything called that.
The closest would be the "Technology Help Desk", housed in the library at
https://library.uoregon.edu/library-technology-services/help
--- Text of Phishing E-mail ----
From: UO Libraries
Date: July 2, 2019 at 9:13:33 AM CDT
To: burridge
Subject: Library Notice
Dear Student,
As a member of the University of Oregon Libraries System, use of your library account "burridge" must
be renewed annually. Your library enrollment is set to expire on July 15, 2019 12:00, so this is a
notification for you to renew now.
To renew, simply click on the following link:
UO Libraries (Evil Link to httpCOLON-SLASH-SLASHiDOTsfuDOTcaSLASHTDrzCe )
(click only once; multiple clicks will produce an error)
You will not be required to provide any identity information during this renewal process.
The above renewal link is only valid for a limited time. If you fail to renew your library enrollment
before then, you will lose access to all library online services. For a list of the current library
online services, please visit:
https://library.uoregon.edu
If you have any questions concerning your status or access to the library online services, please
contact the Library Help Desk as soon as possible.
Sincerely,
This information was sent by the University of Oregon Libraries Management System:
-------------------------------------------------------------------------------------
Knight Library | UO Libraries
1501 Kincaid St, Eugene, OR 97403
services@uoregon.edu
2019-06-21
WHAT THIS IS ABOUT:
Take a deep breath. Third-party maintenance software, called SupportAssist, factory-installed on
newer Dell Computers, has a security flaw in it that could allow a Malicious Hacker to pretty much do
anything they want on your Dell Computer. Three Admiral Ackbars.
WHO SHOULD READ THIS:
Dell Computer Users with Dell SupportAssist for Business PCs version 2.0
Dell Computer Users with Dell SupportAssist for Home PCs version 3.2.1 and all prior versions
Older Dell Computers may not have the SupportAssist software installed.
Non-Dell Computers are not affected.
Macintosh Users are not affected.
WHAT YOU SHOULD DO:
1) Start Windows on your Dell computer.
2) Go to the Search area in the lower left-hand corner of the screen.
3) Type SupportAssist in the search area; Windows should auto-populate a menu with best guesses as to
what you want.
4a) If no SupportAssist App shows up, Yay! The software isn't installed and your computer is secure.
Stop.
4b) If the SupportAssist App does show up, click on it to start the SupportAssist App.
5) Once the SupportAssist App is running, go to the Gear Icon in the upper right-hand side of the
app's window and choose "About SupportAssist."
6a) If the version of SupportAssist is 3.2.2.something, Yay! You're running the patched and secure
version of the software. Stop.
6b) If the version of the software is 3.2.1 or older, then the update needs to run. Contact either
me or CAS-IT for assistance upgrading to SupportAssist 3.2.2. Folks who feel comfortable
installing the update on their own can go to https://downloads.dell.com/serviceability/catalog/
and click on program file SUPPORTASSISTINSTALLER.EXE
ADDITIONAL INFORMATION for the Technically Curious:
SupportAssist is a utility that scans your Dell Computer system and proactively suggests the driver
updates that are required for your computer. It runs with system-level privileges so it can install
updates that it suggests. The flaw in older versions allows hackers to trick it into installing the
software of their choice onto a vulnerable Dell Computer.
The Folks Who Discovered the Problem: (Technical Post)
https://safebreach.com/Post/OEM-Software-Puts-Multiple-Laptops-At-Risk
"In this post, we will demonstrate how to exploit this vulnerability in order to load an arbitrary
unsigned DLL into a service that runs as SYSTEM, achieving privilege escalation and persistence."
Dell's Support Advisory: We Patched This.
https://www.dell.com/support/article/us/en/04/sln317291/dsa-2019-084-dell-supportassist-for-business-pcs-and-dell-supportassist-for-home-pcs-security-update-for-pc-doctor-vulnerability?lang=en
Hot for Security: Millions of Dell PCs vulnerable to attack...
https://hotforsecurity.bitdefender.com/blog/millions-of-dell-pcs-vulnerable-to-attack-due-to-a-flaw-in-bundled-system-health-software-21351.html
"Hadar reported the vulnerability to Dell on 29 April, who confirmed the problem and forwarded details
to PC Doctor on 21 May. A patch was issued by Dell on 28 May, and should mean that any Dell computers
which are configured to receive automatic updates are already patched."
Security Week: Millions of Devices Exposed to Attacks Due to Flaw
https://www.securityweek.com/millions-devices-exposed-attacks-due-flaw-pc-doctor-software
WHAT THIS IS ABOUT:
Microsoft has patched a critical security hole in WindowsXP and Windows7 (operating systems no longer
officially supported) that could be used by the Evil Ones to run arbitrary code on Windows Machines
without any action from the legitimate user. Three Admiral Ackbars.
WHO SHOULD READ THIS:
Microsoft Windows XP Users.
Microsoft Windows 7 Users.
Microsoft Windows 8 and Windows 10 Users are not affected.
Macintosh Users are not affected.
WHAT YOU SHOULD DO:
In the long run, I recommend upgrading to Windows 10 where possible.
In the short term...
Windows XP users:
Read the information here:
https://support.microsoft.com/en-gb/help/4500331/windows-update-kb4500331 Windows 7 users:
Follow the instructions for your particular system here:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
ADDITIONAL INFORMATION for the Technically Curious:
The security hole is with the Windows Remote Desktop Services; someone using the vulnerability could
run anything they'd like on a targeted Windows machine without needing the computer's user to do
anything. While Windows 8 and 10 are not affected, there is concern that an Internet Worm could use
the vulnerability to propagate over machines running older, depreciated versions of Windows.
Microsoft: Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)
https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/
"The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication
and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any
future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable
computer in a similar way as the WannaCry malware spread across the globe in 2017."
CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
Naked Security: "Critical, remote, ‘wormable’ Windows vulnerability"
https://nakedsecurity.sophos.com/2019/05/15/microsoft-fixes-intel-zombieload-bug-with-patch-tuesday-updates/
Techspot News: Microsoft patches major vulnerability in Windows 7 and XP to prevent another
WannaCry-like security exploit
https://www.techspot.com/news/80083-microsoft-patches-major-vulnerability-windows-7-xp-prevent.html
2019-05-02
WHAT THIS IS ABOUT:
Take a deep breath; Apple will be changing the way MacOS 10.15 (the OS after Mojave) will deal with
photo and video files (and 32-bit software in general). The new MacOS should come out in the Fall of
2019. One and a half Admiral Ackbars for technology inconvenience.
WHO SHOULD READ THIS:
Macintosh users who use iMovie.
Macintosh users who use Aperture.
Macintosh users who use QuickTime7.
Windows users aren't affected.
WHAT YOU SHOULD DO:
Nothing's broken yet, but you'll want to prepare your multimedia files at some point over the summer
for the eventual MacOS upgrade.
iMovie:
If you use iMovie or have older video assets, you'll want to migrate them over the next few months,
before next fall's release of MacOS 10.15 (or consign yourself to banishing your old iMovies onto the
Island of Unloved Toys along with BETA-Max, 8-Track Tapes, and MiniDV video).
Instructions for converting files used by iMovie are here:
https://help.apple.com/imovie/mac/10.1/#/mov1560729bd
1. In iMovie, choose File > Check Media for Compatibility. If incompatible files are found in
the library, a window appears listing them.
2. Click Convert. iMovie creates copies of the media files in the H.264 format. The original
files are moved to an iMovie Incompatible Media folder, located in the same folder as the library.
Your original media is not modified.
QuickTime:
To convert an incompatible media file, open it with QuickTime Player (version 10.0 and later), then
save a copy with a new name.
Do this before updating to macOS 10.15. Versions of macOS after macOS 10.14 Mojave won't support this
method.
Apple Aperture:
Apple Aperture is photo-editing software introduced in 2005 and discontinued in 2015:
https://en.wikipedia.org/wiki/Aperture_(software)
Instructions for migrating Aperture libraries are here: https://support.apple.com/en-us/HT209594
ADDITIONAL INFORMATION for the Technically Curious:
MacOS Mojave is the last version of the MacOS to run 32-bit apps. As part of the transition from
32-bit to 64-bit, some programs and certain files created using older formats or codecs will be
incompatible with future versions of the MacOS after MacOS Mojave. For compatibility reasons, when
MacOS 10.15 comes out, I strongly recommend folks wait until the Fall 2019 term ends in December to
upgrade from MacOS 10.14 (Mojave) to MacOS 10.15.
32-bit app compatibility with macOS High Sierra 10.13.4 and later
https://support.apple.com/en-us/HT208436
About incompatible media in iMovie for MacOS:
https://support.apple.com/en-us/HT209029
Convert incompatible media in iMovie:
https://help.apple.com/imovie/mac/10.1/#/mov1560729bd
Apple Says Aperture Won't Run in Future macOS Versions After Mojave:
https://www.macrumors.com/2019/04/30/aperture-wont-run-beyond-macos-mojave/
2019-04-22
WHAT THIS IS ABOUT:
Leading up to and over the weekend, English Department Faculty were subjected to some
outrageous, anti-Semitic, and just plain crazy e-mail from "Donald Mckiegan Press." There were
several different messages. These were probably phishing attempts designed to get folks to
"unsubscribe" to the spew of insanity. Two-and-a-half Admiral Ackbars.
WHO SHOULD READ THIS:
Everyone with UO E-mail.
WHAT YOU SHOULD DO:
If you received e-mail from Donald Mckiegan Press, at the address
mckieganofficialDOTgmailDOTcomATemailDOTbenchmarkappsDOTcom delete it unread.
DON'T follow any of the links in the e-mail to report abuse or unsubscribe; these are almost certainly
links to malicious sites.
If you believe you have become a victim of a phishing attack targeting your University of Oregon
account, immediately change your password and security questions at https://duckid.uoregon.edu and
contact the Information Security Office at infosec@uoregon.edu .
ADDITIONAL INFORMATION for the Technically Curious:
The UO e-mail server offers a configuration that will block e-mail spammers and other miscreants.
Instructions for setting up blocks are here:
https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=53907
How to Report Suspicious E-mails:
https://phishtank.uoregon.edu/how-report-suspicious-emails
How to see full e-mail headers:
https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=32839
2019-04-19
WHAT THIS IS ABOUT:
Heavy sigh. It looks like the April 2018 update for Microsoft Windows 10 is breaking antivirus
software right and left. Two-and-a-half Admiral Ackbars.
WHO SHOULD READ THIS:
Microsoft Windows Users.
Macintosh Users Are Not Affected.
WHAT YOU SHOULD DO:
In worst-case scenarios, Windows machines become unresponsive. Rebooting in Safe Mode should allow
for uninstalling McAfee, and in this case, users should switch to using Windows Defender. Contact
John Burridge at engtech@ithelp.uoregon.edu to schedule a McAfee-ectomy on University Owned Windows
Machines if you need or want help.
If your Windows 10 machine is merely sluggish, you have a choice to keep using McAfee or switch over
to Windows Defender.
Macintosh Users should continue to use McAfee.
ADDITIONAL INFORMATION for the Technically Curious:
Microsoft: Known Issues with this Patch:
https://support.microsoft.com/en-us/help/4493472/windows-7-update-kb4493472
McAfee says, "It's come to our attention..."
https://kc.mcafee.com/corporate/index?page=content&id=KB91465
Ars Technica: "As of publication time, client-side antivirus software from Sophos, Avira, ArcaBit,
Avast, and most recently McAfee are all showing problems with the patch."
https://arstechnica.com/gadgets/2019/04/latest-windows-patch-having-problems-with-a-growing-number-of-anti-virus-software/
2019-03-27
WHAT THIS IS ABOUT:
Accidental exposure of user names and passwords in Elsevier services (an online
scholarly journal platform). One-and-a-half Admiral Ackbars.
WHO SHOULD READ THIS:
Elsevier users.
WHAT YOU SHOULD DO:
You may receive an e-mail from Elsevier asking you to reset your password; do so.
ADDITIONAL INFORMATION for the Technically Curious:
Copied from
https://library.uoregon.edu/accidental-exposure-user-names-and-passwords-elsevier-services :
**Accidental exposure of user names and passwords in Elsevier services
The cybersecurity company SpiderSilk determined that a misconfigured Elsevier server exposed user
email addresses and passwords in plain text for an unknown length of time (see the source article at
https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online ). (Elsevier
is the provider of platforms like Science Direct and Mendeley and a major scholarly journal
publisher.)
Elsevier resolved this problem after being notified by the security vendor and is investigating the
incident. As noted in the article, an Elsevier representative stated that the vendor will be providing
notice to individuals and taking steps to reset user accounts.
We do not know if any members of the UO community were affected. As a precautionary measure, the UO
Libraries recommend that all members of the UO community with an Elsevier or Mendeley account change
their password immediately. Additionally, if any of your Elsevier accounts uses the same password that
you use to login to your DuckID accounts (@uoregon.edu), please change your DuckID password
immediately.
2019-03-13a
WHAT THIS IS ABOUT:
Don't panic. This is a PSA about a brand-new off-campus file sharing service being offered by
Firefox, called "Firefox Send." One Admiral Ackbar, because Timeo Firefoxos et dona ferentes (Beware
of Geeks Bearing Gifts)."
WHO SHOULD READ THIS:
Everyone, because there's a Potential for Evil, and I want folks to have a safe file sharing
experience.
WHAT YOU SHOULD DO:
If you get an e-mail with a link like this one:
https://send.firefox.com/download/030cdf0adf/#11adVwy0P5ht7dQ_B7xZJA
I want you to stop and think about what your response will be.
1) First, rest your cursor over the link and see if the pop-up URL matches what the blue underlined
link says. If they match, (in the above example, they do) then this is a link to a file that
someone is sharing with you.
If they don't match, like the following bogus example:
https://send.firefox.com/download/030cdf0adf/#11adVwy0P5ht7dQ_B7xZJA
then you know There's Dirty Work Afoot. In this case, the bogus displayed link and the actual link
are brazenly different; someone being extra sneaky might try sending you to a site that looks like
send.firefox.com but is really send.firefox.net or send-firefox.com or a variation that you might
not catch at a casual glance. REMEMBER: the correct URL for the Firefox Send service will start with
https://send.firefox.com
2) Second, if the link looks legitimate, ask yourself if you're expecting a file from the person
sending you a link.
Don't click on unexpected or unsolicited links in e-mails. There's nothing wrong with e-mailing
the sender and asking for a confirmation of what's been sent.
If I were Totally Evil and Caffeinated Enough, I would write a piece of Malware that breaks into
your Weird Uncle Fred's computer, logs onto the Firefox Send service as Uncle Fred, uploads my
Evil Malware under his name, and then spam everyone with the link
https://send.firefox.com/MachineLanguageNameHidingTheFactThatThisIsEvilMalware
Only, it wouldn't look like a .EXE or program file, it would look like a picture of a cat. Or it
would be a poisoned PDF or Word Macro file.
So be careful.
3) Third, this is a new service, and there isn't UO policy about its use yet. I am neither endorsing
nor proscribing its use. The data is encrypted at both sides, but unless the link is password
protected, anyone randomly walking through the Firefox Send web addresses can look at an uploaded
file. So, insert the usual FERPA and HIPPA privacy caveats about sharing personal data on secure
sites here. If you're needing to share data with other UO staff, I would use UO-based services
like the CAS IT file server, or other services outlined here:
https://service.uoregon.edu/TDClient/KB/?CategoryID=6179
ADDITIONAL INFORMATION for the Technically Curious:
Firefox Send:
https://send.firefox.com
Help with Firefox Send:
https://support.mozilla.org/en-US/kb/send-files-anyone-securely-firefox-send/
Ars Technica Relase:
https://arstechnica.com/gadgets/2019/03/firefox-send-exits-testing-promising-secure-and-simple-file-sharing/
2019-03-13
WHAT THIS IS ABOUT:
Sigh. Phishing attacks on the UO continue. Two and a half Admiral Ackbars.
WHO SHOULD READ THIS:
Folks who get e-mail.
WHAT YOU SHOULD DO:
If you receive an e-mail from sandra-brownATnorthwesternDOTedu with a subject "Northwestern HSF
Payment - Phase III," delete it unread.
Do not attempt to open the "PDF" attachment, this is a really a link to a malicious web site.
From
https://phishtank.uoregon.edu/self-help
If you believe you have become a victim of a phishing attack targeting your University of Oregon
account, you should immediately change your password and security questions at duckid.uoregon.edu and
contact the Information Security Office at infosec@uoregon.edu.
ADDITIONAL INFORMATION for the Technically Curious:
How to report Phishing:
https://phishtank.uoregon.edu/how-report-suspicious-emails
The UO's Phishing website:
https://phishtank.uoregon.edu/
The e-mail is worded with enough accounting buzzwords to look legitimate. The message is vague and
terse. Sandra Brown is a real person; either her account has been hijacked or else someone is
spoofing her e-mail address.
-------- Copy of e-mail follows:
Wed Mar 13 09:34:30 2019: Request 1669015 was acted upon.
Transaction: Ticket created by sandra-brown@northwesternDOTedu
Queue: engtech
Subject: Northwestern HSF Payment - Phase III
Owner: Nobody
Requestors: sandra-brownATnorthwesternDOTedu
Status: new
Ticket
01262-102-REM.PDF
Enclosed please find our remittance for professional services rendered in the above-referenced
project.
This remittance contains the fees and expenses incurred through February 28, 2019.
Please Apply Payments Accordingly.
Office of the Budget and Planning
Northwestern University
Rebecca Crown Center
633 Clark Street, Room 1-649
Evanston, IL 60208
Phone 847-232-4283
sandra-brownATnorthwesternDOTedu
------------Copy of E-mail Header:---------
THIS PART OF THE E-MAIL HEADER IS SAYING THAT THE MAIL WAS RECEIVED BY THE (LEGITAMATE) UO SMTP MAIL
SERVER.
Received: from ad-cc-ex07.ad.uoregon.edu (184.171.120.167) by
ad-ah-ex03.ad.uoregon.edu (184.171.120.163) with Microsoft SMTP Server (TLS)
id 15.0.1367.3 via Mailbox Transport; Wed, 13 Mar 2019 09:34:31 -0700
Received: from ad-cc-ex05.ad.uoregon.edu (184.171.120.165) by
ad-cc-ex07.ad.uoregon.edu (184.171.120.167) with Microsoft SMTP Server (TLS)
id 15.0.1367.3; Wed, 13 Mar 2019 09:34:30 -0700
Received: from smtp.uoregon.edu (184.171.108.229) by ad-cc-ex05.ad.uoregon.edu
(184.171.120.165) with Microsoft SMTP Server (TLS) id 15.0.1367.3 via
Frontend Transport; Wed, 13 Mar 2019 09:34:30 -0700
Received: from ithelp1.uoregon.edu (ithelp1.uoregon.edu [128.223.143.50])
by smtp.uoregon.edu (8.14.4/8.14.4) with ESMTP id x2DGYUUV001423
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
Wed, 13 Mar 2019 09:34:30 -0700
Received: (from apache@localhost)
by ithelp1.uoregon.edu (8.14.4/8.14.4/Submit) id x2DGYUVW009735;
Wed, 13 Mar 2019 09:34:30 -0700
THIS PART IS SAYING THAT THE MAIL WAS DIRECTED TO THE ENGLISH DEPARTMENT'S COMPUTER SUPPORT QUEUE (IE
JOHN BURRIDGE ET AL.)
Subject: [ithelp #1669015] Northwestern HSF Payment - Phase III
From: Sandra D Brown via RT
Reply-To: engtech@ithelp.uoregon.edu
THIS PART IS SAYING THE SUPPORT QUEUE IS RESPONDING TO AN E-MAIL FROM NORTHWESTERN.EDU
In-Reply-To: <64c65afe11d0420da9a47531c613acef@evcspmbx05.ads.northwestern.edu>
References:
<64c65afe11d0420da9a47531c613acef@evcspmbx05.ads.northwestern.edu>
Message-ID: rt-4.0.4-9729-1552494870-1208.1669015-1049-0@uoregon.edu
THIS PART IS SAYING THAT THE UO TICKETING SYSTEM (RT) DID SOME PROCESSING
Precedence: bulk
X-RT-Loop-Prevention: ithelp
RT-Ticket: ithelp #1669015
Managed-by: RT 4.0.4 (http://www.bestpractical.com/rt/)
THE SYSTEM THINKS THE ORIGINAL E-MAIL CAME FROM SANDRA BROWN AT NORTHWESTERN
THERE ISN'T AN ATTACHMENT LISTED (BECAUSE IT'S REALLY A LINK IN THE MESSAGE BODY).
THERE ISN'T A BOGUS "REPLY-TO" ENTRY (MAKING ME THINK SANDRA BROWN'S E-MAIL ACCOUNT HAS BEEN HYJACKED)
RT-Originator: sandra-brown@northwestern.edu
BCC:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="utf-8"
X-RT-Original-Encoding: utf-8
Date: Wed, 13 Mar 2019 09:34:30 -0700
Return-Path: apache@ithelp1.uoregon.edu
X-MS-Exchange-Organization-Network-Message-Id: 90a7e706-b76c-457b-4fc4-08d6a7d1c465
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: ad-cc-ex05.ad.uoregon.edu
X-MS-Exchange-Organization-AuthAs: Anonymous
2019-03-07
WHAT THIS IS ABOUT:
A Wednesday phishing attack targeted DuckWeb and Duck ID credentials. Two Admiral Ackbars.
WHO SHOULD READ THIS:
Everyone with a UO affilation.
WHAT YOU SHOULD DO:
If you received an e-mail from someone at bristolDOTacDOTuk, with the subject: "Important Campus
Security Notifications", delete it unread. Following the links will take you to a fake web page that
will try to harvest your personal information.
If you have responded to this phishing attack, see the self-remediation steps in the message below.
ADDITIONAL INFORMATION for the Technically Curious:
E-mail sent to the DEPT-COMP group.
--------------------------------
From: deptcomp-bounces@lists.uoregon.edu On Behalf Of News from
Information Services
Sent: Wednesday, March 06, 2019 4:44 PM
To: Departmental Computing ; Campus IT Directors, voting members
Subject: deptcomp: Phish targeting DuckWeb & Duck ID credentials
Importance: High
IT colleagues,
We wanted to notify you about a new phishing attack that targets both DuckWeb and Duck ID credentials
of UO employees.
Just today, the Information Security Office has already received over 100 reports of these phishing
messages from staff and faculty. Some people have self-reported the compromise of their credentials.
As you know, DuckWeb offers an attacker access to a great deal of sensitive information, such as
direct deposit settings.
Scammers often seek Duck ID credentials to set up mail redirection rules on the user's email inbox to
hide alerts about changes, such as changes to DuckWeb direct deposit settings.
The Phishing Message
+ Sender: Someone from the University of Bristol (domain: bristol.ac.uk)
+ Subject: "Important Campus Security Notifications"
+ Malicious content: A link in the message directs the user to a fake DuckWeb login page to
collect their UO ID (95#) and PAC. Users who enter data into that page are then sent to a fake
Outlook Web App login page to collect their Duck ID credentials. After that, users are redirected to the real
DuckWeb site.
Through the combination of those credentials, the scammer could capture enough information to
completely take over the user’s UO accounts.
Self-Remediation Steps
If anyone in your unit has clicked on the link and entered their DuckWeb and/or Duck ID credentials,
they should take the following steps immediately:
1. For DuckWeb credentials:
a. Log into Duckweb at https://duckweb.uoregon.edu
i. Alternatively, from the UO homepage, select "Faculty/Staff" in the upper right. Then, under
"Administrative Tools," select "Duckweb."
b. Verify their direct deposit information
i. Select "Employee Information"
ii. Select "Pay Information"
iii. Select "Direct Deposit"
iv. Check the bank account information listed. If the information is incorrect, select "Update
Direct Deposit Allocation" to correct it.
c. Change their PAC (password)
i. Select "Personal Information"
ii. Select "Change PAC"
iii. Follow the directions to change their PAC
2. For Duck ID credentials:
a. Go to Duck ID Self-Service at https://duckid.uoregon.edu
i. Alternatively, from the UO homepage, select "Faculty/Staff" in the upper right. Then, under
"Administrative Tools," select "Duck ID Self-Service."
b. Select "Manage Your Duck ID"
c. Log in with their Duck ID and password
d. Change their DuckID password using the "Change Your Password" option
e. Change the answers to their security questions using the "Update Security Questions and
Answers" option
What We're Doing
The Information Security Office is taking the following steps:
+ Added the phishing websites to our campus blocklist. However, some people clicked the link
before the blocklist was updated. In addition, off-campus users are not protected by our campus
blocklist.
+ Working with self-reporting individuals via their local IT staff to reset credentials and
verify direct deposit information.
+ Working with network and server logs from the IS Middleware team to identify UO users who may
not have felt comfortable self-reporting.
+ Traced the origin of these emails to compromised credentials at other universities and
notified those universities of potential account compromises.
+ Alerted the Payroll office.
We will keep you informed about this situation as it develops, including any plans for broader campus
notifications.
If you have any questions, please contact the Information Security Office at infosec@uoregon.edu, or
the Technology Service Desk at 541-346-4357 (M-F 8am-7pm).
Information Services
University of Oregon
2019-03-06
WHAT THIS IS ABOUT:
Take a deep breath. Google has plugged a security hole in the Chrome web browser which is being
actively exploited in the wild. Manually check Chrome to be sure it's running the latest version.
Three Admiral Ackbars.
WHO SHOULD READ THIS:
People who use Chrome to surf the web.
Other browsers are not affected.
WHAT YOU SHOULD DO:
From within Chrome.
Go to the following URL: chrome://settings/help
Depending on the browser, you may see a message about Chrome downloading an update.
You may be prompted to RELAUNCH Chrome; go ahead and do so. Chrome will shut down and then start back
up again.
After a pause you should see a Chrome page which reads "Google Chrome is up to date." Make sure the
version number is equal to or greater than 72.0.3626.121
If it isn't reload chrome://settings/help and relaunch until the version number is the latest.
ADDITIONAL INFORMATION for the Technically Curious:
The Bad Guys can use unpatched versions of Chrome to crash software in such a way that they end up
with Remote Control Execution, which allows them to install malware on your computer. Go to a
booby-trapped web site, and Hey Presto! You've got a keylogger (or worse) installed.
Naked Security: Google says update “right this minute”
https://nakedsecurity.sophos.com/2019/03/06/serious-chrome-zero-day-google-says-update-right-this-minute/
Chrome Releases Channel:
https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
Justin Schuh (Google Secuirty Desktop Engineer)
https://twitter.com/justinschuh/status/1103087046661267456
2019-01-29a
WHAT THIS IS ABOUT:
Don't Panic. This is a gentle reminder from me to Windows users to manually check Windows Updates.
One Admiral Ackbar (really more like an R2-D2).
WHO SHOULD READ THIS:
Folks with the Windows 10 Operating System.
Other Windows Operating Systems Users.
Macintosh Users are Not Affected.
WHAT YOU SHOULD DO:
Finish up your work.
Save all documents and close various programs.
Make sure your Windows machine is plugged into the Ethernet or other Really High Speed Internet
connection (i.e. a wifi connection is slow and will make this process more painful).
Get a good book, or otherwise prepare for non-computing activities (like sleep).
Click on the Windows Start icon, usually located in the lower left-hand corner of the screen; a pop-up
menu should appear.
Click on the GEAR Settings icon; a new Windows Settings dialog box should open up.
Click on the two-curving-arrows UPDATES & SECURITY icon; a Windows Update window should appear.
It's possible that Windows Update will begin to LIE to you and say that Windows was last checked a few
hours ago and that your Windows operating system is up to date. Ignore this possible trickery and
click on the CHECK FOR UPDATES anyway.
There will be a pause, and I'm expecting that various cumulative updates will populate a list for
download and installation. Typically, it can take upwards of 20 minutes for the updates to download
before they begin to install. Installation may take a while (this is where that book or sleep comes
in handy).
It's possible that a message about McAfee will appear -- if this happens, you might be prompted to
remove McAfee. If you're comfortable uninstalling McAfee, do so. If you're not comfortable, contact
me at engtech@ithelp.uoregon.edu for an appointment to bring the computer to PLC 124 where I can work
on it.
It's very likely that a RESTART REQUIRED message will come up. Go ahead and click the RESTART NOW
button.
The Windows machine will restart and a blue screen will appear with messages along the lines of
"Installing Updates. This could take a while."
Once the Windows Machine has rebooted, repeat this process until a manual update check comes up with a
"all updates are installed." I am not responsible for any consequences should someone decide to turn
this into a drinking game (which I am not recommending).
If you need to reinstall McAfee, the " VirusScan 8.8 patch 12 Enterprise for Windows" is available
here: https://software.uoregon.edu/software-center/10/1/view
ADDITIONAL INFORMATION for the Technically Curious:
Yes, Windows Updates are supposed to be an automatic process. However, on a variety of machines I've
noticed that the update mechanism has stalled, and then other updates stack up behind it.
I've got several theories why this might be the case: It's possible that the "2019-01 Cumulative
Update for Windows 10 Version 1809 for x64-based Systems (KB4476976)" is to blame. It's possible that
Windows Defender and McAfee are in a fist-fight over who is going to be the King of Antivirus
Programs. It's possible that the Windows machine hasn't been connected to a robust-and-fast network
long enough to download updates. It's possible the machine hasn't restarted or shut-down for some
reason.
Whatever the reason, manual intervention seems to be required.
2019-01-29
WHAT THIS IS ABOUT:
Don't Panic (much). Apple's video-call software, FaceTime, has a bug in it which allows for
eavesdroppers to use a person's devices' microphone and camera. Apple has since partially disabled
the service and closed the hole. Two Admiral Ackbars
WHO SHOULD READ THIS:
Folks with Apple Mobile Devices running iOS 12.1 or later.
Folks with Apple Computers running MacOS 10.14 (Mojave)
Apparently, older Apple Devices are not affected (they can't run the Group option in FaceTime).
Windows users are not affected
WHAT YOU SHOULD DO:
Apple appears to have addressed this issue by temporarily disabling Group FaceTime. One-to-one
FaceTime sessions are still possible.
Keep an eye out for updates. A security update for Group FaceTime is expected from Apple Real Soon.
For extra security points, you can manually disable FaceTime on your Apple devices following the
instructions here:
https://www.macrumors.com/how-to/turn-off-facetime/
ADDITIONAL INFORMATION for the Technically Curious:
This was more a personal privacy issue where you could be spied upon, rather than a computer security
issue where your computer could be used to drain your financial funds or your data held for ransom.
Pretty much everyone in the Technical Press is saying the same thing: "Ooops, this is an embarrassing
bug that Apple missed, but it looks like Apple's closed the barn door after the fact and will update
things really soon." What I'm noticing is that nobody has said, "Hey, everyone's carrying around a
networked microphone and video camera -- maybe we as a society should think about the privacy
implications of that before something goes wrong."
Apple Technical Info - Which Apple Products Support Group FaceTime:
https://support.apple.com/en-us/HT209022
Apple Technical Info - Group FaceTime Disabled:
https://www.apple.com/support/systemstatus/
9to5Mac - They can hear you before you pick up:
https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/
MacRumors:
Bug Allows Eavesdropping: https://www.macrumors.com/2019/01/28/apple-major-facetime-bug/
Video Demo: https://www.macrumors.com/2019/01/28/facetime-spying-bug-demo/
Apple Disables Group FaceTime:
https://www.macrumors.com/2019/01/28/apple-disables-group-facetime-due-to-bug/
Reuters - Apple to patch privacy bug in video-calling feature:
https://www.reuters.com/article/us-apple-patch/apple-to-patch-privacy-bug-in-video-calling-feature-idUSKCN1PN03R
The Verge - Serious Bug in Apple FaceTime Allows Eavesdropping:
https://www.theverge.com/2019/1/28/18201383/apple-facetime-bug-iphone-eavesdrop-listen-in-remote-call-security-issue
The Register - Disable FaceTime
https://www.theregister.co.uk/2019/01/29/facetime_bug/
Security Week - Semi technical dissection of bug:
https://www.securityweek.com/apple-working-patch-prevent-facetime-spying
Intego Mac Security Blog - Even Governor Cuomo Warns Folks
https://www.intego.com/mac-security-blog/facetime-spying-bug-discovered-temporarily-worked-around/
Techspot - Facepalm
https://www.techspot.com/news/78477-facetime-bug-you-see-hear-someone-before-they.html
We Live Security - Apple Takes Group FaceTime Offline
https://www.welivesecurity.com/2019/01/29/apple-takes-group-facetime-offline-discovery-spying-bug/
2019-01-16
WHAT THIS IS ABOUT:
Take a breath. There's an e-mail phishing attempt going out pretending to be a voice mail attachment.
Two Admiral Ackbars.
WHO SHOULD READ THIS:
Folks who have UO e-mail accounts.
WHAT YOU SHOULD DO:
If you receive an e-mail from "Anderson Brett" that is pretending to be a voicemail preview, delete it
unread. Following the link in the e-mail will very likely send you to a web page that will pretend to
be a voice-mail site and ask you for your UO username and password.
If you believe you have become a victim of a phishing attack targeting your University of Oregon
account, you should immediately change your password and security questions at
https://duckid.uoregon.edu and contact the Information Security Office at infosec@uoregon.edu.
ADDITIONAL INFORMATION for the Technically Curious:
Various phishing attempts from the past are on display here:
https://phishtank.uoregon.edu/
How to see full e-mail headers:
https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=32839
Tips for Detecting Phishing E-mails:
https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=40236
===========================
The text of the e-mail follows:
From: "Anderson Brett (US Stores)"
Date: January 16, 2019 at 8:39:40 AM PST
Subject: Voice Message Attached
Voice mail for: burridge@uoregon.edu
Received on Wed, 16 Jan 2019 16:29:40 GMT
Message length: 22 seconds
Voicemail Preview:
"Hello...."
Listen to message [Really a link to wwwDOTjohnmunsonchicagoDOTcomSLASHuoregon,
which is a Go.Daddy hosted website.]
2019-01-08
WHAT THIS IS ABOUT:
Don't Panic. This is an information e-mail about Microsoft's cloud storage service, OneDrive. One
Admiral Ackbar because... "It's a Trap!"
WHO SHOULD READ THIS:
Folks who use OneDrive, especially Macintosh users who use OneDrive.
Folks who use OneDrive to share team sites.
WHAT YOU SHOULD DO:
Mostly be aware that after January 17, the default sharing options are changing to a more restricted
(and secure) setting.
Macintosh users should make sure they are using Mac OS 10.12 (Sierra) or greater.
ADDITIONAL INFORMATION for the Technically Curious:
My bias against Microsoft (the Evil Empire) and cloud services (how secure is that networked file
server again?) is making me channel my inner-Laocoön and mutter "Timeo Microsoftos et dona ferentes
(Beware of Geeks Bearing Gifts)." That said, I realize that OneDrive can be a useful collaboration
and syncing tool... and that my preference for local files and local software that one licenses
instead of leasing over the Internet may be Old School. Be aware of how files are shared -- this
latest OneDrive update is a case in point: the default set-up allowed anyone with a OneDrive link to
access a file (say, if it was accidentally forwarded in an e-mail).
More importantly, it looks like OneDrive is driving Mac OS upgrades; Mac OS 10.12 (Sierra), Mac OS
10.13 (High Sierra), or Mac OS 10.14 (Mojave) will be required for OneDrive use after Feb 1, 2019.
Folks wishing to upgrade their Macintoshes to Mac OS 10.14 (Mojave) may do so -- be aware that Mojave
plays even less well with printing PDFs on the Xerox printer's accounting software than High Sierra
(see the "Caveats, Warnings, and Additional Information" Section in
https://english.uoregon.edu/xerox-workcenter-5955i-instructions).
=========== E-Mail Sent by Information Services to the DeptComp Group:
We would like to highlight some changes to OneDrive, Microsoft's cloud storage service:
+ Starting January 17th, the default for sharing a file will be changed to the "Specific people"
option. This allows users to share files with only the users they specify. Currently, when selecting
a file to share, OneDrive defaults to "Anyone with this link can edit", which means that anyone
with the link to that shared file can access the file. Changing the default sharing behavior in
OneDrive reduces the chance that a user will unintentionally share a file with more people than they intended.
+ OneDrive's storage limit is 1TB per account. At times in the past, OneDrive storage had been
described as "unlimited".
+ The "Go to site" link for accessing team sites in OneDrive has been removed by Microsoft. You
can now access your team site by logging in to https://office.uoregon.edu, selecting the OneDrive
tile, choosing your team site from the list on the left under "Shared Libraries", and then clicking
on the icon for your team site.
+ Starting February 1, 2019, OneDrive will no longer support Mac OS X 10.10 or OS X 10.11. Users
who rely on OneDrive should upgrade to OS X 10.12 or above.
If you have questions, please visit
https://service.uoregon.edu/TDClient/Requests/TicketRequests/NewForm?ID=vECWy6LhppI_ and log in with
your Duck ID to submit a question to the Technology Service Desk.
Please consider sharing this message with others in your unit, especially if you know of users who
will be affected by these changes.
Information Services
University of Oregon
2018-12-19
WHAT THIS IS ABOUT:
Microsoft has released a security update outside of their normal "Patch Tuesday" schedule. This
closes a critical security hole in Microsoft Internet Explorer. Three Admiral Ackbars.
WHO SHOULD READ THIS:
Windows Users who use Microsoft Internet Explorer as their web browser.
Macintosh Users are Not Affected.
WHAT YOU SHOULD DO:
Run Windows Update
Select the Start button, and then go to
Settings > Update & Security > Windows Update, and select Check for updates.
You may or may not see a message about:
2018-12 Cumulative Update for Windows 10
Either this update will be available and Windows will want to know when to install it, or else Windows
will have been aggressive and installed it for you already.
ADDITIONAL INFORMATION for the Technically Curious:
The Register:
https://www.theregister.co.uk/2018/12/19/microsoft_internet_explorer_cve_2018_8653/
Instructions for Updating Windows 10
https://support.microsoft.com/en-us/help/4027667/windows-10-update
From https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653
CVE-2018-8653 | Scripting Engine Memory Corruption Vulnerability
Security Vulnerability
Published: 12/19/2018
MITRE CVE-2018-8653
A remote code execution vulnerability exists in the way that the scripting engine handles objects in
memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker
could execute arbitrary code in the context of the current user. An attacker who successfully
exploited the vulnerability could gain the same user rights as the current user. If the current user
is logged on with administrative user rights, an attacker who successfully exploited the vulnerability
could take control of an affected system. An attacker could then install programs; view, change, or
delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to
exploit the vulnerability through Internet Explorer and then convince a user to view the website, for
example, by sending an email.
The security update addresses the vulnerability by modifying how the scripting engine handles objects
in memory.
2018-12-04
WHAT THIS IS ABOUT:
Be on your guard. The English Department appears to be the target of a spear phishing attack. Three
Admiral Ackbars.
WHO SHOULD READ THIS:
Everyone who gets UO E-mail.
WHAT YOU SHOULD DO:
If you get an e-mail with the subject line "Follow-up" and Body Text: " Hello. Are you available??"
Delete it unread. The e-mail may appear to be from someone on the UO campus, but the e-mail address
will end in "my.com". For extra points, you can forward it to phishing@uoregon.edu along with the
message's header. Instructions for copying and sending the e-mail header may be found here:
https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=32839
ADDITIONAL INFORMATION for the Technically Curious:
spear phishing (noun):
the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce
targeted individuals to reveal confidential information.
"spear phishing represents a serious threat for every industry"
2018-10-29
WHAT THIS IS ABOUT:
Be prepared! The Computing Center will be doing some maintenance on e-mail, pages, the UNIX shell,
and Duck ID Tuesday, Oct 30, from 5am to 7am. One Admiral Ackbar (or maybe an R2-D2) for maintenance.
WHO SHOULD READ THIS:
Everyone.
WHAT YOU SHOULD DO:
Most likely, e-mail and other services will be back up by 7am...
If you have mission critical e-mail to send, you may wish send it before Tuesday morning.
Early Morning Folks may wish to give themselves a little more time for tasks in case things are slow.
Use the services status page at https://status.uoregon.edu to check
ADDITIONAL INFORMATION for the Technically Curious:
The folks at the Computer Center write:
Tomorrow (Tuesday, Oct. 30), from 5am to 7am, Information Services will be performing maintenance on
several key campus services. Please note the following service outages and impacts:
+ Webmail: Unavailable from 5am to 7am. This also applies to people who use UO's basic email
service (IMAP/POP) through email programs other than Webmail. A maintenance page will display to
people who visit Webmail during the maintenance.
+ Exchange email: Messages sent to other UO Exchange users will not be affected by this
maintenance. However, messages sent to any other recipients between 5am and 7am will be queued by
the system for delivery after 7am.
+ Pages.uoregon.edu: All websites unavailable from 5am to 7am.
+ Shell.uoregon.edu: SSH service will be unavailable from 5am to 7am.
+ Duck ID: The Duck ID Self-Service website (https://duckid.uoregon.edu) will be unavailable
from 5am to 7am. That includes the admin console. In addition, the daily transfer of the previous
day's data changes from Banner to the Duck ID system, normally completed before 8am, will be
delayed until later on Tuesday.
During this maintenance work, the status of affected services will be posted at
https://status.uoregon.edu.
Please note that if this work runs longer than expected, we may not be able to notify you about that
through our normal email lists (voting-itdirs and deptcomp) because they may not be able to distribute
messages. We will use the Status website to communicate about any delays or unplanned impacts. We will
also plan to notify the UO Exchange admins group via OWA, if necessary.
If you have any questions, please contact the Technology Service Desk through the UO Service Portal at
https://service.uoregon.edu or by phone at 541-346-4357.
Information Services
University of Oregon
2018-10-24
WHAT THIS IS ABOUT:
Don't panic. Sometime around 1 PM today, October 24, 2018, you'll get an announcement from Jessie
Minton, Vice Provost for Information Services and Chief Information Officer. This will be a real
announcement about changes in E-mail at the UO. One Admiral Ackbar, and possibly an Emperor
Palpatine.
WHO SHOULD READ THIS:
Everyone who gets E-mail at the UO.
WHAT YOU SHOULD DO:
There's really not much to do. This is mostly an announcement about work that will happen over an
18-month period.
The gist of the e-mail is: "Hi, over the next couple of years, we're moving away from the e-mail
servers here on campus and we'll be using remote e-mail servers maintained by Microsoft. This will
herald in a new age of e-mail and calendaring productivity. Don't worry, if you need it, you'll
receive guidance on the migration, which shouldn't be disruptive at all."
ADDITIONAL INFORMATION for the Technically Curious:
Sneak Preview Here: https://is.uoregon.edu/projects/email
The current UO E-mail servers -- which is being called " UO's basic email service" -- used by users
are smtp.uoregon.edu (to send e-mail out) and imap.uoregon.edu (to read e-mail with Webmail or a mail
client like the ones listed here: https://it.uoregon.edu/set-up-email); some UO E-mail users use an
on-campus Exchange server, usually with the Microsoft Outlook client. The new future service --
being called "UOmail" -- will be off-campus, Microsoft managed Exchange servers. (Insert bemused rant
about Microsoft hegemony here.)
Questions and concerns can be addressed to the Tech Desk: (541) 346-HELP (4357), or via the Service
Portal at: https://service.uoregon.edu/TDClient/Requests/TicketRequests/NewForm?ID=Kz97XmiTvaI_
2018-10-22
WHAT THIS IS ABOUT:
Don't panic. This is a PSA for folks wondering if they should update to Mac OS 10.14 (Mojave). Don't
Just Yet. Two Admiral Ackbars.
WHO SHOULD READ THIS:
Macintosh Users who are getting nagged by their computers to update to Mojave.
Windows Users are not affected.
Mobile Device Users are not affected--Mac OS 10.14 only runs on laptops and desktops.
WHAT YOU SHOULD DO:
Mac OS 10.14 (Mojave) was released September 24, 2018.
For the general user, I advocate waiting four to eight weeks (at least) before installing a new
release of the Macintosh Operating System. This allows other folks to discover any Zero Day Flaws --
yes, Mojave has one -- or other problems with the new OS and gives Apple a chance to release updates
to patch the problems. (As of 10/22/2018 there is no 10.14.1 release.)
If you can't wait and you really really really want to update to OS 10.14 (Mojave), I'm not going to
put on my Software Police Uniform and haul you off to Computer Court (but I might say "I told you so,"
if there's a problem).
ADDITIONAL INFORMATION for the Technically Curious:
A full list of Macs that can run Mojave is below:
+ MacBook (Early 2015 or newer)
+ MacBook Air (Mid 2012 or newer)
+ MacBook Pro (Mid 2012 or newer)
+ Mac mini (Late 2012 or newer)
+ iMac (Late 2012 or newer)
+ iMac Pro (2017)
+ Mac Pro (Late 2013, plus mid 2010 and mid 2012 models with recommended Metal-capable GPU)
Thirteen problems with Mojave (and how to deal with them):
https://macpaw.com/how-to/fix-macos-mojave-problems
The Zero-Day Privacy Flaw in Mojave:
https://www.macrumors.com/2018/09/24/macos-mojave-bypass-vulnerability/
Reminder about 32-bit software and the latest versions of the Mac OS:
https://support.apple.com/en-gb/HT208436
2018-09-27
WHAT THIS IS ABOUT:
UO Webmail is having a problem. Some folks are seeing: "When attempting to load Webmail, users
receive the following error: "DATABASE ERROR: CONNECTION FAILED! Unable to connect to the database!"
Two Admiral Ackbars.
WHO SHOULD READ THIS:
Folks who can't use webmail, from about 11:45, Thursday 9/27/2018 onward.
WHAT YOU SHOULD DO:
There's not much folks with this problem can do. UO Computer staff are working to fix the problem.
Folks who are able to read this should comfort the afflicted.
ADDITIONAL INFORMATION for the Technically Curious:
https://status.uoregon.edu/service/webmail
https://status.uoregon.edu/
See message below:
From: deptcomp-bounces@lists.uoregon.edu On Behalf Of News from
Information Services
Sent: Thursday, September 27, 2018 11:58 AM
To: IT Directors ; Departmental Computing
Subject: deptcomp: Webmail unplanned outage
Starting at approximately 11:45 AM today (9/27), Webmail became unresponsive. When attempting to go to
that website, some users receive the message, "DATABASE ERROR: CONNECTION FAILED! Unable to connect to
the database!" Other users are able to enter their Duck IDs and passwords, but Webmail does not act on
that login request.
Staff are investigating the source of the problem and are working to restore service as soon as
possible.
Information Services
University of Oregon
2018-09-24
WHAT THIS IS ABOUT:
Don't panic, it's that time of year when Apple releases a new Macintosh operating system and I warn
people to wait until after Halloween to install it. Two and a Half Admiral Ackbars.
WHO SHOULD READ THIS:
iMac users.
Macbook users.
Apple mobile device users are not directly affected by the Mac OS upgrade.
Windows users are not affected.
WHAT YOU SHOULD DO:
Sometime soon, your Apple computer may start to bug you to install the latest incarnation of the
Macintosh Operating System, Mac OS 10.14 (Mohave). Resist the urge to update -- at least a week, if
not until November 1 -- and let other folks discover Glaring Security Flaws or Gotchas. The new
operating system Looks Really Cool, which is another way of saying Apple has redesigned the App Store,
taking screen shots, and organizing files.
Folks who absolutely can't wait to update (or who have the operating system thrust upon them), may do
so with the knowledge that previous OS updates have sometimes done things like break network
connectivity or expose users to huge computer security holes. For example, as I am writing this right
now, this security flaw has been discovered:
https://www.macrumors.com/2018/09/24/macos-mojave-bypass-vulnerability/
ADDITTIONAL INFORMATION for the Technically Curious:
Ars Technica Review:
https://arstechnica.com/features/2018/09/macos-10-14-mojave-the-ars-technica-review/
"[Last year] I recommended against upgrading to High Sierra [the current OS] right away because the
operating system's early bugs weren't offset by useful new features - Mojave has no such problem.
Later betas and the GM build have been solid, and all the new stuff gives the Mac a serious and
much-needed makeover. You should probably read the rest of the review before you upgrade, but it's
been quite a while since I liked a new macOS release this much."
Mac Rumors:
https://www.macrumors.com/2018/09/24/apple-releases-macos-mojave/
A full list of Macs that can run Mojave is below:
+ MacBook (Early 2015 or newer)
+ MacBook Air (Mid 2012 or newer)
+ MacBook Pro (Mid 2012 or newer)
+ Mac mini (Late 2012 or newer)
+ iMac (Late 2012 or newer)
+ iMac Pro (2017)
+ Mac Pro (Late 2013, plus mid 2010 and mid 2012 models with recommended Metal-capable GPU)
Past Cassandra Moments:
https://pages.uoregon.edu/burridge/TechAnnouncements.php#2017-09-26
https://pages.uoregon.edu/burridge/TechAnnouncements.php#2016-07-01
https://pages.uoregon.edu/burridge/TechAnnouncements.php#2016-10-20
https://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-10-29
https://pages.uoregon.edu/burridge/TechAnnouncements.php#2013-10-23
2018-09-21
WHAT THIS IS ABOUT:
The latest phishing attempt making the rounds is an e-mail supposedly with a PDF from "The President
Michal Schill", sent by "Mary Swanson". Please delete unread. Two Admiral Ackbars.
WHO SHOULD READ THIS:
Everyone with a UO e-mail account.
WHAT YOU SHOULD DO:
If you receive an e-mail with the subject " Note From The President Michael Schill." from ""Swanson,
Mary - WEL" ", delete the e-mail unread. Don't follow the links in the
e-mail. Don't try to open the PDF.
Visit these web sites to refresh your memory about Phishing at the U of O:
https://it.uoregon.edu/phishing
http://security.uoregon.edu/node/37.html
How to see and copy full e-mail headers:
https://it.uoregon.edu/full-email-headers
ADDITIONAL INFORMATION for the Technically Curious:
The domain psdschools.org is a school safety site in Colorado. I'm guessing one of their users has a
compromised account that's sending phishing attacks.
The text of the e-mail is IN ALL CAPS, and takes the tone "Today, we write a manifesto. Today, we
repeat the first word of our first sentence", followed by vague threats from An Angry and Stern
President and promises of Greatness if Right Behavior is Followed.
Text of the bogus e-mail follows:
DEAR COLLEAGUES:
OUR AIMS IS TO PROVIDE GUIDANCE AND ALIGN OUR BEHAVIORS AS WE MAKE GREAT DECISIONS THAT IMPACT OUR
DAILY OPERATIONS. WE RELY ON OUR VALUES AND THIS CODE AS GUIDELINES, AS A BREACH OF THE POLICY MAY
RESULT IN DISCIPLINARY ACTION AGAINST THE EMPLOYEE CONCERNED.
ALL EMPLOYEES, INCLUDING ALL INDIVIDUALS ON FULL-TIME OR PART-TIME EMPLOYMENT WITH THE INSTITUTION ARE
REQUIRED TO GO THROUGH THE GUIDELINES ATTACHED IN THIS EMAIL. IT IS IMPORTANT THAT WE ALL ADHERE TO
THESE GUIDELINES SO YOU WILL BE HELPING TO ENSURE A FUTURE SUCCESS OF THIS GREAT INSTITUTION
THANK YOU FOR YOUR ONGOING COMMITMENT TO DELIVERING A BETTER AND RELIABLE SERVICE.
MICHAEL H. SCHILL
PRESIDENT
UNIVERSITY OF OREGON.
2018-09-18
WHAT THIS IS ABOUT:
Don't Panic (much). The latest update to Apple's web browser, Safari v.12, is not compatible with the
UO's Java-driven implementation of Banner. Older versions of Safari are not affected. Two Admiral
Ackbars.
WHO SHOULD READ THIS:
Apple Users.
Banner Users.
Windows Users are not affected by the Apple Update.
WHAT YOU SHOULD DO:
If you use Banner on your Apple computer, hold off updating to Safari v12.
If you are not sure what version of Safari you are running, then...
1. Start Safari.
2. From within Safari, go up to the upper left-hand menu item, SAFARI, and click on it.
3. From the drop-down menu, choose ABOUT SAFARI; a dialog box should appear.
4. The dialog box will say, "Safari Version something"
5a. If "something" is 12, Java is not compatible with the version of Safari, and you won't be able to
use Banner.
5b. If "something" is 11, Java and Banner will still work.
5c. If "something" is lower than 10... there are probably some security issues with the Safari
browser and you shouldn't use it for things like banking;
ADDITIONAL INFORMATION for the Technically Curious:
COGNOS, an alternate to BANNER:
https://idr.uoregon.edu/
UO's Banner page:
https://inb.uoregon.edu/
Java and Browers:
https://objective-see.com/blog/blog_0x38.html
2018-07-23
WHAT THIS IS ABOUT:
Don't Panic! This is a PSA about keeping computers cool when it's a zillion degrees outside.
WHO SHOULD READ THIS:
Folks in places where it's going to be warmer than 90F.
Desktop and laptop users (i.e. computers with exhaust fans).
WHAT YOU SHOULD DO:
The forecast for the week of July 23 calls for temperatures in the high 90's. Temperatures like this
make it difficult for computers, especially laptops and small form computers, to adequately cool their
electronic components. To extend the lifetime of your desktop and laptop computers:
+ power them off when they are not in use.
+ try to use them only during the cooler parts of the day.
+ make sure your computer has adequate space for its vents to blow hot air out of the computer
- make sure the computer isn't crammed into a close cabinet space or jammed against a corner where
ventilation is blocked.
- when running a laptop, make sure it's seated on a flat surface that allows for ventilation
underneath it.
+ direct an external fan at the computer's body.
+ use canned air (or for the very careful, a vacuum cleaner) to remove dust from the computer's RAM,
CPU, fans, and vents.
This is less of an issue for mobile devices, such as iPads and mobile phones.
Stay hydrated!
ADDITIONAL INFORMATION for the Technically Curious:
Cleaning and Dusting (Probably Overkill, But Gives An Idea of How Dusty a CPU's Heat Sink Can Get)
https://www.ifixit.com/Wiki/Computer_System_Cleaning
NOAA Weather Service:
https://forecast.weather.gov/MapClick.php?lat=44.045555&lon=-123.101276&site=all&smap=1&searchresult=Eugene%2C%20OR%2C%20USA#.W1YCPNJKhaR
Obligatory Cole Porter Reference:
https://en.wikipedia.org/wiki/Too_Darn_Hot
2018-07-20
WHAT THIS IS ABOUT:
Don't panic. This is a PSA about upgrading to Skype 8.0. Older versions of Skype will no longer be
supported by Microsoft after August. One Admiral Ackbar because "It's a Trap!" from the Microsoft
hegemony.
WHO SHOULD READ THIS:
Users of Skype 7 or older.
Skype 8 users have already updated.
WHAT YOU SHOULD DO:
****** Windows:
Start Skype
Go to the HELP menu and choose CHECK FOR UPDATES; a window will come up saying there's a new version
of Skype.
Click on the DOWNLOAD button to get the latest version.
The machine will think a moment while it downloads, then display a new dialog box with a cheery,
up-beat update message; follow the prompts to allow the download.
Once the new Skype is installed, it will display a dialog box along the lines of "All the sugar, twice
the caffeine!" "New features. New look. All Skype."
Skype will prompt you to Sign in with Microsoft (here's that hegemony part); supply your Skype
username and password.
A new window will appear asking you to choose a Light or Dark format; make your choice and click on
the BLUE ARROW BUTTON.
You may be prompted to update your Skype profile picture; fiddle with your photo as needed and then
click on the BLUE ARROW BUTTON.
Skype will want to do a sound check to make sure it can hear you, followed by a web-cam check... click
on the BLUE ARROW BUTTON...
Eventually, Skye will display its main window, with a message that Skype has been "redesigned for
you." Use Skype or quit as desired.
You may wish to look through the new Skype's settings and see how much you'd like it to share your
Skype sessions with Cortana (Your communications recorded by an Artificial Intelligence living on
Microsoft servers? What could go wrong?)
****** Macintosh:
Start Skype
Skype will try to install a new helper tool, go ahead and let it -- you'll need the Macintosh Admin
User name and password.
Skype will then prompt you to log in (here's that hegemony part); supply your Skype username and
password.
It's possible Skype will want to ask you to install a second helper tool; supply the Macintosh Admin
Username and password (again).
After thinking about things for a moment and going through a Cheerful Greeting Screen, Skype will
announce there's an update.
Click on the blue UPDATE button; Skype will re-start: the Skype Window will vanish and then the Skype
icon should start bouncing again in the Task Bar.
After Skype has finished restarting, go to the SKYPE menu and choose ABOUT SKYPE; a new dialog box
should pop up.
As of 7/20/2018, you should be running Skype version 8.25.0.5 for the Macintosh.
Close the dialog box and continue
You may wish to look through the new Skype's settings and see if Skype is sharing your location with
Bing ("No, really; I was in my office when I made that call....").
ADDITIONAL INFORMATION for the Technically Curious:
https://arstechnica.com/gadgets/2018/07/microsoft-killing-off-the-old-skype-client-adding-built-in-call-recording/
"There is, however, a price to pay for this: the traditional Win32 Skype client is being end-of-lifed
and will not be supported beyond the end of August this year. Users of the Win32 client will have to
upgrade to Skype 8.0 (the desktop version of the new unified app) in order to be able to continue to
use the network."
2018-07-18
WHAT THIS IS ABOUT:
Don't panic. This is a PSA about a new search function installed at
https://english.uoregon.edu/term-course-offerings
WHO SHOULD READ THIS:
Folks looking for course listings or syllabi from previous terms.
WHAT YOU SHOULD DO:
Go to the website
https://english.uoregon.edu/term-course-offerings
Under TERM choose "Any"
Under COURSE type in a course, say "Eng 104"
Press the ENTER key on your keyboard (or scroll down an click the APPLY button at the bottom of the
web page's search tool)
A list of all ENG 104 courses in the website's database will display.
If you're wanting to look at a range of courses, say all ENG 100 courses,
Under TERM choose "Any"
Under COURSE type in "Eng 1"
A list of all ENG 100-level courses in the website's database will display.
If you're wanting to look at all English 240-something courses,
Under TERM choose "Any"
Under COURSE type in a course, say "Eng 24"
A list of all ENG 240-level courses in the website's database will display.
ADDITIONAL INFORMATION for the Technically Curious:
If you know a course's CRN, you can enter it in the website's main search tool, located in the upper
right-hand corner of most English Department web pages.
2018-05-22
WHAT THIS IS ABOUT:
Ugh. Looks like the Phishers of E-mailers are at it again. If you get an e-mail with a subject line:
"EMPLOYEE Q2018 FINAL SCREENING," delete it unread. Two Admiral Ackbars.
WHO SHOULD READ THIS:
Folks who get UO E-mail.
WHAT YOU SHOULD DO:
Delete the e-mail unread. Don't follow the links in the e-mail.
Visit these web sites to refresh your memory about Phishing at the U of O:
https://it.uoregon.edu/phishing
http://security.uoregon.edu/node/37.html
How to see and copy full e-mail headers:
https://it.uoregon.edu/full-email-headers
ADDITIONAL INFORMATION for the Technically Curious:
Commentary and text of the message follows:
Subject: EMPLOYEE Q2018 FINAL SCREENING.
Date: 2018/05/22 05:38
From: Jennifer Hart
To: "ei383@irnd.com"
What does "Q2018 Final Screening" even mean?
Who is Jennifer Hart and why is she sending this?
Why am I getting e-mail sent to someone else? The answer to this one is that the message is spoofing
addresses, and you could probably find out more with a detailed look at the message header.
To all Employee and Staff
Why isn't this being sent to me personally?
Your Q2 Staff Contact 2018 Screening has commenced.
Oooh. HR-speak. An attempt to establish authority of the sender and/or make me worried that my job
might go away. Also, I'm pretty sure the only things that commence at the UO are graduates and/or
possibly games. I might fall for this if I were on a quarter-to-quarter contract.
Please Click Here [link to a Totally Evil Site That Will Try to Steal Your Information] to begin.
So, I'm supposed to believe that my employment (or whatever) contract is supposed to be screened (I
think they mean re-negotiated) on-line through a web-site instead of talking with someone within the
Department or HR? I suppose if it were PEBB renewal time, I would be more likely to fall for this.
In any case, never follow blind HTML links from strangers; and for overt HTML links, always hover your
mouse's cursor over a link and see if the text in the message matches where the link says it's going.
For example, I could say follow this link https://english.uoregon.edu but it could (and this case, does)
go somewhere else.
HR Management
Where's a real person's name? Oh wait, HR's a collective. In any case, there should be a contact
phone or e-mail for reaching the HR collective.
IT-SERVICE DESK
It appears that the phisher forgot this was an HR scam and didn't remove the support-desk scam ending.
APPROVED.
An attempt to establish authority. Or approval. I think this is an evolution from the copyright
notice.
WHAT THIS IS ABOUT
An alleged educator allegedly based in Barcelona is sending some pretty phishy looking SPAM to the
English Department. Two Admiral Ackbars for ham-handed marketing practices.
WHO SHOULD READ THIS
Folks with UO e-mail accounts.
WHAT YOU SHOULD DO
If you receive a message from Richard Davie with a subject "TEFL Iberia, Barcelona", delete it unread.
Following any links in the e-mail will likely get you added to a mailing list (at the best).
ADDITIONAL INFORMATION for the Technically Curious:
It looks like there might be a real TEFL Iberia... but I don't know what it really is (is it a school?
Is it a language business? Is it a placement service? Is it a bunch of folks with access to nice
looking photographs of people in academic settings?).
Hovering one's mouse over the links in the e-mail reveal that none of the links are going where they
say they are; they appear to be rerouting through some sort of tracking site.
A text-only version of the e-mail follows:
From: Richard Davie On Behalf Of Richard Davie
Sent: Tuesday, March 13, 2018 8:45 AM
To: [mail-merged e-mail address]
Subject: TEFL Iberia, Barcelona
Dear [mail-merged recipient's name],
I'm writing to enquire about contacting your current students at the University of Oregon.
We are an English teacher training school based in Barcelona and run monthly TEFL courses for English
speakers who are looking to teach English and travel. The school is externally validated by Trinity
College London and also rated as one of the top TEFL schools in Spain, according to previous graduate
reviews and feedback.
I feel this could be a potential opportunity for many of your students who have a passion for language
and may be looking for summer work / travel options.
I have attached a poster (200KB, pdf) (it says it's a PDF, but it really links to
REDACTED/track/click?u=14228e00bf6efc88dcde365c5&id=7ae282dedb&e=c4d4b8a43b)
should you wish to circulate it amongst your students. If you have a physical mailing address I'd be
happy to send you some flyers too.
If you'd like to learn more about the school in Barcelona please feel free to check out our website:
httpsCOLON-SLASH-SLASHwwwDOTtefl-iberiaDOTcom (not going where it says it's going to, appears to be
rerouted like the above link to a tracking site).
Thank you for your time and if this is something that could interest your students it would be great
to hear back from them. If not I understand and I appreciate you reading this far.
Yours sincerely,
Richard Davie
Course Director
p.s. If you feel this email is irrelevant or inappropriate you can click unsubscribe (yet another
tracking URL) and I will remove you from the list.
Check out our school video! httpCOLON-SLASH-SLASHwwwDOTyoutubeDOTcomSLASHwatch?v=n80CtVC9PzU (still
another tracking URL)
Web: wwwDOTtefl-iberiaDOTcom (you guessed it, another tracking URL)
Address: Calle Valencia 275, 3rd floor, Barcelona 08009
Phone: REDACTED
Skype: REDACTED
2018-01-16
WHAT THIS IS ABOUT:
Take a deep breath. Computer security folks have found some flaws (named "Spectre" and "Meltdown")
in Intel and AMC computer chips and how they can allow data to leak out of your computer and into the
hands of the Evil Ones. It's very exciting and scary and Intel's stock has gone down. I'm going to
guardedly say Four Admiral Ackbars with the caveat that there's not a whole lot the average user can
do except update hardware and software and wait for More Security Updates from Everyone.
WHO SHOULD READ THIS:
Anyone who isn't living in a cave with no power and no computers.
Abacus users are not affected.
WHAT YOU SHOULD DO:
Watch for updates from Pretty Much Every Software and Hardware Vendor in the World.
Update early and often.
Updates may slow down your computer, but no one is quite sure how much....
Macintosh Users: Um, yes; you can update to Mac OS 10.13 (High Sierra). My understanding is that OS
10.12 has been hardened against this as well.
OS 10.13 (High Sierra) will run on the following computers:
MacBook (Late 2009 or newer)
MacBook Pro (Mid 2010 or newer)
MacBook Air (Late 2010 or newer)
Mac mini (Mid 2010 or newer)
iMac (Late 2009 or newer)
Mac Pro (Mid 2010 or newer)
More information here:
https://www.intego.com/mac-security-blog/how-to-prepare-your-mac-for-macos-high-sierra/
Windows Users: Make sure to run Windows Update now, and again the second Tuesday of January. More
information here: https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892
Harden Chrome Browser Security:
https://www.blog.google/topics/connected-workspaces/security-enhancements-and-more-enterprise-chrome-browser-customers/
Firefox should be releasing an update soon.
Chromebook users may want to look at this: https://support.google.com/faqs/answer/7622138#chromeos
Android users will want to look at this: https://source.android.com/security/bulletin/2018-01-01
Google Cloud users:
https://blog.google/topics/google-cloud/what-google-cloud-g-suite-and-chrome-customers-need-know-about-industry-wide-cpu-vulnerability/
ADDITIONAL INFORMATION for the Technically Curious:
Computer chips perform computations and store them in memory. Memory has different levels of
privilege. Usually, operating system computations are in high privilege areas of memory (the kernel
or ring 0). However, it's sometimes faster to cache computations in lower privilege areas of memory
(user-land or ring 3). But, uh-oh, data (passwords, user info) sometimes leaks out of the high
privilege area. Software patches that deal with this issue (e.g. Kernel Page Table Isolation) force
the chips to be more secure, but can slow the chips down.
Meltdown Technical Paper (PDF):
https://meltdownattack.com/meltdown.pdf
Spectre Technical Paper (PDF):
https://spectreattack.com/spectre.pdf
Technical Report from Google's Project Zero:
https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
AMD and Intel (chip manufacturers) statements:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
http://www.amd.com/en/corporate/speculative-execution
Malwarebytes:
https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/
"No software patch for Spectre is available at the time of this article. Partial hardening and
mitigations are being worked on, but they are unlikely to be published soon.
The Spectre bug can be exploited via JavaScript and WebAssembly, which makes it even more critical. It
is therefore recommended to apply some countermeasures such as Site Isolation in Chrome. Mozilla is
rolling out a Firefox patch to mitigate the issue while working on a long-term solution. Microsoft is
taking similar action for Edge and Internet Explorer."
Ars Technica
https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/
"At their heart, both attacks take advantage of the fact that processors execute instructions
speculatively. All modern processors perform speculative execution to a greater or lesser extent;
they'll assume that, for example, a given condition will be true and execute instructions accordingly.
If it later turns out that the condition was false, the speculatively executed instructions are
discarded as if they had no effect.
However, while the discarded effects of this speculative execution don't alter the outcome of a
program, they do make changes to the lowest level architectural features of the processors. For
example, speculative execution can load data into cache even if it turns out that the data should
never have been loaded in the first place. The presence of the data in the cache can then be detected,
because accessing it will be a little bit quicker than if it weren't cached. Other data structures in
the processor, such as the branch predictor, can also be probed and have their performance measured,
which can similarly be used to reveal sensitive information."
Google:
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
"Project Zero discussed three variants of speculative execution attack. There is no single fix for all
three attack variants; each requires protection independently. Variant 1 (CVE-2017-5753), "bounds
check bypass." This vulnerability affects specific sequences within compiled applications, which must
be addressed on a per-binary basis. Variant 2 (CVE-2017-5715), "branch target injection". This variant
may either be fixed by a CPU microcode update from the CPU vendor, or by applying a software
mitigation technique called "Retpoline" to binaries where concern about information leakage is
present. This mitigation may be applied to the operating system kernel, system programs and libraries,
and individual software programs, as needed. Variant 3 (CVE-2017-5754), "rogue data cache load." This
may require patching the system's operating system. For Linux there is a patchset called KPTI (Kernel
Page Table Isolation) that helps mitigate Variant 3. Other operating systems may implement similar
protections - check with your vendor for specifics."
The Register:
https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
"Whenever a running program needs to do anything useful – such as write to a file or open a network
connection – it has to temporarily hand control of the processor to the kernel to carry out the job.
To make the transition from user mode to kernel mode and back to user mode as fast and efficient as
possible, the kernel is present in all processes' virtual memory address spaces, although it is
invisible to these programs. When the kernel is needed, the program makes a system call, the processor
switches to kernel mode and enters the kernel. When it is done, the CPU is told to switch back to user
mode, and reenter the process. While in user mode, the kernel's code and data remains out of sight but
present in the process's page tables.
Think of the kernel as God sitting on a cloud, looking down on Earth. It's there, and no normal being
can see it, yet they can pray to it.
These KPTI patches move the kernel into a completely separate address space, so it's not just
invisible to a running process, it's not even there at all. Really, this shouldn't be needed, but
clearly there is a flaw in Intel's silicon that allows kernel access protections to be bypassed in
some way.
The downside to this separation is that it is relatively expensive, time wise, to keep switching
between two separate address spaces for every system call and for every interrupt from the hardware.
These context switches do not happen instantly, and they force the processor to dump cached data and
reload information from memory. This increases the kernel's overhead, and slows down the computer."
http://www.theregister.co.uk/2018/01/04/intel_meltdown_spectre_bugs_the_registers_annotations/
(warning, language and High Snark Levels)
"Translation [of Intel's Statement]: When malware steals your stuff, your Intel chip is working as
designed. Also, this is why our stock price fell. Please make other stock prices fall, thank you."
PC World:
"Yes, your iPad and smart-phone, too..."
https://www.pcworld.com/article/3245790/mobile/spectre-cpu-faq-phones-tablets-ios-android.html
CERT:
http://www.kb.cert.org/vuls/id/584653
NATIONAL VULNERABILITY DATABASE -- Systems with microprocessors utilizing speculative execution and
branch prediction may allow unauthorized disclosure of information to an attacker with local user
access via a side-channel analysis.
https://nvd.nist.gov/vuln/detail/CVE-2017-5753
https://nvd.nist.gov/vuln/detail/CVE-2017-5715
https://nvd.nist.gov/vuln/detail/CVE-2017-5754
MacRumors:
https://www.macrumors.com/2018/01/03/intel-design-flaw-fixed-macos-10-13-2/
Reuters:
https://www.reuters.com/article/us-cyberintel-stocks/intel-falls-as-investors-worry-about-costs-of-fixing-chip-bug-idUSKBN1ET1NH
https://www.reuters.com/article/us-cyber-intel-researcher/how-a-researcher-hacked-his-own-computer-and-found-worst-chip-flaw-idUSKBN1ET1ZR
Security Week:
http://www.securityweek.com/intel-amd-chip-vulnerabilities-put-billions-devices-risk
http://www.securityweek.com/tech-giants-address-critical-cpu-vulnerabilities
http://www.securityweek.com/hackers-expected-remotely-exploit-cpu-vulnerabilities
TechSpot
How much the Windows 10 emergency update slowed down our computer:
https://www.techspot.com/article/1554-meltdown-flaw-cpu-performance-windows/
2017-12-11
WHAT THIS IS ABOUT:
Over the weekend, a phishing e-mail was sent out. It's fairly convincing at first glance, so I'll
give it 2 and a half Admiral Ackbars.
WHO SHOULD READ THIS:
Everyone with a UO e-mail account.
WHAT YOU SHOULD DO:
If you receive a message from Donald J Tipper, with the subject "Ticket Number: 135863" delete it
unread.
ADDITIONAL INFORMATION for the Technically Curious:
For phishing information from the UO:
https://it.uoregon.edu/phishinghttp://security.uoregon.edu/node/37.html
How to see and copy full e-mail headers:
https://it.uoregon.edu/full-email-headersGeneral discussion: at first glance this looks like a message one might get from a tech support
desk. The main warning signs are that the e-mail is from DonaldDOTTipperATumassmedDOTedu, which is
not a UO e-mail and that hovering over the link for "Your incident" links to an odd WordPress site
that very likely is an Evil Program Designed to Wreak Electronic Havoc. On closer inspection, there's
no UO branding anywhere; also the letter is generically closed with "Instructor, IT Service Desk."
At a third glance, although there's a specific ticket number, there's no actual clue about what the
(bogus) original help request was.
What's working in this particular phishing attempt is that it appears to have specific times and dates
with it, and it could play on a recipient's curiosity and/or altruism, along the lines of "this isn't
me, I wonder if there's some clue about who this really is about that would help me help the IT desk
reconnect with the person who really needs help."
==== TEXT of BOGUS E-MAIL ===
Notification of Ticket Escalation
Workspace: Service Desk
Ticket: Request closed
Ticket Number: 135863
Priority: High Status: Request
Creation Date: 2017-12-08
Description:
I have marked your Request as closed.
Please review the details of your request in the Self Service portal via the following link: [bogus
link here] Your incident
If you feel that your request has not been completed, please visit your incident link to re-open the
request.
The last action taken are as follows:
12/08/2017 08:16 am IT service:
ID checked
If you do not reply, this request will be formally closed this weekend.
Regards,
Instructor,
IT Service Desk
Information Technology
2017-11-28
WHAT THIS IS ABOUT:
Take a deep breath. A security hole in Mac OS High Sierra 10.13 has been found that gives a person
with physical access to an Apple computer the ability to log in as a Super User for Super Hijinks
(i.e., if you leave it out, your kids can install Minecraft on your machine while you're not around).
Three Admiral Ackbars.
WHO SHOULD READ THIS:
Macintosh Users with Computers running High Siera (OS 10.13)
Macintosh Users with Computers running Sierra (OS 10.12.6) or OLDER are not affected
Apple Mobile Users / iOS Users are not affected
Windows Users are not affected
WHAT YOU SHOULD DO:
If you couldn't wait and gave into the impulse to update to HighSierra, then...
Follow the instructions here:
https://support.apple.com/en-us/HT204012
Enable or disable the root user
+ Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
+ Click lock icon, then enter an administrator name and password.
+ Click Login Options.
+ Click Join (or Edit).
+ Click Open Directory Utility.
+ Click lock icon in the Directory Utility window, then enter an administrator name and password.
+ From the menu bar in Directory Utility:
+ Choose Edit > Enable Root User, then enter the password that you want to use for the root user.
REMEMBER: The Root User is a UNIX SUPER USER; don't lose the password to this account if you enable
it.
ADDITIONAL INFORMATION for the Technically Curious:
That dull thudding sound you hear is system administrators across the planet hitting their foreheads
against their desks.
The original report (Twitter)
https://twitter.com/lemiorhan/status/935581020774117381
The Loop:
http://www.loopinsight.com/2017/11/28/security-hole-in-macos-high-sierra-lets-anyone-gain-root-access-to-a-logged-in-machine/
MacRumors:
https://www.macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/
The Register:
https://www.theregister.co.uk/2017/11/28/root_access_bypass_macos_high_sierra/
COMPUTER SECURITY: MacOS High Sierra (10.13) Security Hole Next Day Follow-up
WHAT THIS ABOUT:
The security hole in Mac OS High Sierra 10.13, discovered Tuesday 11/28/17, has been patched by Apple.
(Wow, that was fast.)
WHO SHOULD READ THIS:
Macintosh Users with Computers running High Sierra (OS 10.13)
Macintosh Users with Computers running Sierra (OS 10.12.6) or OLDER are not affected
Apple Mobile Users / iOS Users are not affected
Windows Users are not affected
WHAT YOU SHOULD DO:
If you have installed Mac OS High Sierra 10.13 onto your Apple Computer, then check for system
software updates via the App Store.
Instructions here:
https://support.apple.com/en-us/HT201541
You'll know if you've installed the secure version of High Sierra if the version number is Version
10.13 (17B1002). Instructions for finding your version number are here:
https://support.apple.com/en-us/HT201260
ADDITIONAL INFORMATION for the Technically Curious:
Folks are wanting to know if they can update to High Sierra now, and my answer is: wait until after
grades are turned in and you're between terms and projects.
Official Apple Site about Security Update 2017-001 :
https://support.apple.com/en-us/HT208315
Malwarebytes Labs (What Root Access is and What You Can Do With It):
https://blog.malwarebytes.com/cybercrime/2017/11/serious-macos-vulnerability-exposes-the-root-user/
The Register (Details on how the hole works and "I am Root" joke)
https://www.theregister.co.uk/2017/11/29/apple_macos_high_sierra_root_bug_patch/
Ars Technica (Cut and Dry Recap):
https://arstechnica.com/gadgets/2017/11/new-security-update-fixes-macos-root-bug/
Naked Security (Backstory and Recap):
https://nakedsecurity.sophos.com/2017/11/29/apple-closes-that-big-root-hole-install-this-update-as-soon-as-possible/
Security Week (Short and Dry Recap):
http://www.securityweek.com/apple-patches-critical-root-access-flaw-macos
COMPUTER SECURITY: MacOS High Sierra (10.13) Security Hole Next Day Follow-up to the Previous Follow-up
WHAT THIS IS ABOUT:
In a Monty Python-esque turn of events there is a patch for the patch closing the High Sierra "I Am
Root" Security Hole. (I knew I should have written "It's a Trap" in yesterday's e-mail...) One
Admiral Ackbar for command-line maintenance.
WHO SHOULD READ THIS:
Macintosh Users with Computers running High Sierra (OS 10.13) who are having difficulties connecting
to file shares.
Macintosh Users with Computers running Sierra (OS 10.12.6) or OLDER are not affected
Apple Mobile Users / iOS Users are not affected
Windows Users are not affected
WHAT YOU SHOULD DO:
From
https://support.apple.com/en-us/HT208317
If file sharing doesn't work after you install Security Update 2017-001, follow these steps.
If you experience issues with authenticating or connecting to file shares on your Mac after you
install Security Update 2017-001 for macOS High Sierra 10.13.1, follow these steps to repair file
sharing:
+ Open the Terminal app, which is in the Utilities folder of your Applications folder.
+ Type sudo /usr/libexec/configureLocalKDC and press Return.
+ Enter your administrator password and press Return.
+ Quit the Terminal app.
ADDITIONAL INFORMATION for the Technically Curious:
Naked Security (Breezy summary):
https://nakedsecurity.sophos.com/2017/11/30/apples-blank-root-password-fix-needs-a-fix-of-its-own-here-it-is/
Security Week:
(a href="http://www.securityweek.com/patch-macos-root-access-flaw-breaks-file-sharing">
http://www.securityweek.com/patch-macos-root-access-flaw-breaks-file-sharing
2017-10-16
WHAT THIS IS ABOUT:
Take a deep breath. The technical press is abuzz with news about a critical security flaw, called the
key reinstallation attack (KRACK), in encrypted wireless connections. KRACK can lead to identity
theft, man-in-the-middle attacks, and malware software installation. As of 10-16-2017, there is no
evidence that the vulnerability has been exploited maliciously, and major vendors appear to be rushing
in with antidotes to KRACK. Two-and-a-half Admiral Ackbars.
WHO SHOULD READ THIS:
Everyone with a wireless device.
Android and Linux devices are particularly vulnerable.
WHAT YOU SHOULD DO:
Don't Panic Just Yet.
Windows 10 Users should make sure they are running the latest updates from Microsoft.
Apple users should make sure they are running the latest OS and iOS updates from Apple.
KRACK uses a flaw in device handshaking to worm its way into the communication between a wireless
device and a wireless router. Keep your ear to the ground for updates to your devices' wireless
networking software (especially for your home router).
KRACK requires an attacker to be within WiFi range of your laptop, mobile device, wireless TV, or cell
phone. An Evil Hacker trying to break into your device would need to be close enough to pick up your
device's wireless signal; so at least this isn't opening your computers to attacks from all over the
planet. That said, treat all WiFi connections, especially in public areas (i.e. cafés, airports and
libraries) as if a megaphone were attached to them and avoid sending sensitive data over wireless.
Use Ethernet connections instead of WiFi connections when possible.
Secure websites (sites that begin "https") offer some protection from data leakage.
Use VPN to add an extra layer of encryption to your WiFi connections. The UO offers WiFi clients
here: https://it.uoregon.edu/vpn
Don't fiddle with different types of WiFi protocols. Continue to use the WPA2 wireless protocol.
ADDITIONAL INFORMATION for the Technically Curious:
KRACK uses a flaw in a four-part handshake between a router and a device to trick the machines into
re-sending data to each other and figure out the encryption key they're using to keep communication
secure.
The Original Paper (with nifty URL and cool logo):
https://www.krackattacks.com/
Quick Overview from Naked Security:
https://nakedsecurity.sophos.com/2017/10/16/wi-fi-at-risk-from-krack-attacks-heres-what-to-do/
The Register writes:
http://www.theregister.co.uk/2017/10/16/wpa2_krack_attack_security_wifi_wireless/
"Key Reinstallation Attacks work against all modern protected Wi-Fi networks. Depending on the network
configuration, it is also possible to inject and manipulate data as well as eavesdropping on
communications over the air. The only main limitation is that an attacker needs to be within range of
a victim to exploit these weaknesses."
Ars Technica's overview (with scary tables):
https://arstechnica.com/information-technology/2017/10/how-the-krack-attack-destroys-nearly-all-wi-fi-security/
PC World says Latest Update to Win10 Protects Against KRACK:
https://www.pcworld.com/article/3233255/windows/krack-wi-fi-attacks-shouldnt-harm-updated-windows-pcs.html
Windows Central writes:
https://www.windowscentral.com/microsoft-releases-statement-krack-wi-fi-vulnerability
"Microsoft released security updates on October 10th and customers who have Windows Update enabled and
applied the security updates, are protected automatically. We updated to protect customers as soon as
possible, but as a responsible industry partner, we withheld disclosure until other vendors could
develop and release updates."
Apple Insider Hints that Apple Devices are Patched:
http://appleinsider.com/articles/17/10/16/apple-confirms-krack-wi-fi-wpa-2-attack-vector-patched-in-ios-tvos-watchos-macos-betas
More Windows Central:
https://www.windowscentral.com/krack
MacRumors:
https://www.macrumors.com/2017/10/16/wpa2-krack-attacks/
We Live Security:
https://www.welivesecurity.com/2017/10/16/wpa2-security-issues-pose-serious-wi-fi-safety-questions/
Wi-Fi Alliance®
https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-security-update
CERT Information on KRACK:
http://www.kb.cert.org/vuls/id/228519
2017-10-13
WHAT THIS IS ABOUT:
Don't panic; this is merely a message about making sure Windows 10 updates are running correctly. The
Computer Center and Network Security are Very Keen on Windows computers being up-to-date. Two Admiral
Ackbars for tedious maintenance.
WHO SHOULD READ THIS:
Windows 10 users (no one is still using Windows 7 or XP, right?).
Macintosh Users are not affected.
WHAT YOU SHOULD DO:
In Windows 10:
1. Save your work and close all programs.
2. In the search box (usually located near the lower left-hand corner of the screen, next to the
WINDOW icon) type cmd ; a list of options should appear in a pop-up menu above the
search box.
3. At the top of the pop-up menu should be a black icon of a computer screen with some text in it
labeled "Command Prompt"; click on the icon – a new window with a black background and grey-white
text should appear.
4. Click on the new window; a flashing cursor should appear at the end of the text.
5. Type winver and press ENTER.
6. A new window with a white background and big blue letters reading "Windows 10" should appear.
Read the smaller black text underneath, which should begin "Microsoft Windows," then a new line
which should start "Version"
6A. IF the text reads Version 1703 or "build 15063", then Yay! You're up-to date; close all windows
and continue your regular computer tasks.
6B. IF the text reads something else, like version 1507 or "build 10240", then Windows needs some
help updating.
a. Click on the WINDOW icon in the lower left-hand corner of the screen; a pop-up menu should
appear.
b. Click on the white GEAR icon (labeled "Settings" if you hover your mouse over it); a new
windows should appear.
c. Click on the UPDATE & SECURITY icon (two circular arrows chasing each other); the window should
refresh with update information.
d. Click on the CHECK FOR UPDATES button; this should initiate various "I'm working on it"
graphics.
e1. In a Perfect World, the operating system will realize that there are updates and start to
download them (which could take upwards of 30 minutes), or realize that it's already downloaded
everything and that probably now would be a good time to install them.
e2. In a Slightly-Less-Perfect World, there's a possibility that Windows Update will be
complaining that something failed and wants you to click on a FIX or RETRY button; do so and
follow any other prompts.
e3. In a Really-Not-So-Perfect-After-All World, the operating system will blithely tell you it's
up to date, but the version is still something like 1511 or 10240. If that's the case,
e-mail engtech@ithelp.uoregon.edu and make an appointment for
me to Try Some Other Things, like the Microsoft Windows 10 Update Assistant (see below).
7. There's a non-zero chance that updating Windows will re-kindle the Battle Between Windows
Defender and McAfee. During the install, let Windows Defender have its way, and then
reinstall McAfee from here: https://it.uoregon.edu/software/virusscan (UO login required to
be able to download "VirusScan 8.8 patch 9 Enterprise for Windows"). If you need help
re-installing McAfee, please e-mail engtech@ithelp.uoregon.edu and make an appointment for
your machine.
ADDITIONAL INFORMATION for the Technically Curious:
"News from Information Services" (isnews@uoregon.edu ) writes:
"Once a version of Windows 10 falls out of support, Microsoft will no longer issue security and
bug fixes for that version. While the system may seem to be fully operational, Microsoft will not
address any defects or vulnerabilities, leaving the system vulnerable to exploits.
Information Services strongly recommends that university-owned machines run an operating system
version that is fully supported. In the event that a specific vulnerability is found to be
exploitable in an out-of-support OS version, we may need to take machines running that OS version
offline, depending on the scope and risk level."
Or, to translate, "If Network Security sees an out-of-date-and-vulnerable system, we'll block it
from the UO network."
Windows 10 v 1511 Out of Support Notice:
https://support.microsoft.com/en-us/help/4035050/windows-10-version-1511-will-no-longer-receive-security-updates
Memento Mori, the MS Windows Version:
https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
Genealogy of Windows 10 Builds:
https://en.wikipedia.org/wiki/Windows_10_version_history
The Windows 10 Update Assistant
For Those Awkward Moments When Windows Update Inexplicably Fails and You Need a Power Tool:
https://www.microsoft.com/en-us/software-download/windows10
2017-10-12
WHAT THIS IS ABOUT:
Once again, someone is sending the English Department phishing attempts. Two and a half Admiral
Ackbars for extra fancy formatting.
WHO SHOULD READ THIS:
Everyone who reads UO e-mail.
WHAT YOU SHOULD DO:
If you receive an e-mail, supposedly from Marshall Urias (muriasATfullertonDOTedu), with
blue-and-white formatted text saying something about an "ITS CLOSURE," delete it unread.
Extra points for forwarding it to phishing@uoregon.edu
ADDITIONAL INFORMATION for the Technically Curious:
If this were a real message from either CAS-IT or the Computer Center's Tech Support Desk, it would be
formatted in Green and Yellow and stamped with an Oprah-esque O or else branded with Breaking Bad
Elements. More likely it would be in mostly unadorned text.
There is no page at either https://www.uoregon.edu/technology/account/ or
https://www.uoregon.edu/technology/
Rather than the term "Job number", the UO IT support community uses the term "support ticket," "ticket
request" or "ticket number."
Any support message from the UO support desks would include a valid UO e-mail address and/or a valid
UO phone number.
Something like suspension of your UO e-mail would probably have a UO Service Portal ticket opened for
it. You can see all of your UO Service Portal Ticket Requests by going to
https://service.uoregon.edu/TDClient/Requests/TicketRequests/
Message text follows:
(Formatted in a blue banner) Technology Services
(Formatted in large bronze colored typeface) Job number 81576- ITS CLOSURE
Job Number 81576, "Account suspended for spam" has been closed with the following solution:
Deactivation of incoming mails.
(The above text is formatted to look impressive and like it's coming from some kind of official
office. "Job Number XXX" is using a bureaucratic style to give the message a sense of authority.
Words like "account," "suspended," "spam," and "deactivation" are supposed to activate your limbic
brain so your decision-making process is short-circuited.)
(Formatted extra large) What this means
(Whoa, they're trying to sound like Friendly Tech Support Folks... )
Your account will not be able to receive/send mails due to sending large amount of mails exceeding the
maximum limit per day.
To restore default settings for receiving emails visit IT support center here [bogus HTML link]
Please contact us here [bogus HTML link] if you have any questions regarding this closure.
For any correspondence regarding your job, please quote Job Number : 81576
(They're really trying to sound like a real IT support desk here by using the fake job number.)
(Formatted extra large) More information
(Formatted in a blue banner) See our detailed instructions visit:
https://www.uoregon.edu/technology/account/
[really goes to the same bogus HTML link]
(In this case, all the links go to the bogus raulmarceloDOTcomDOTbrSLASHoregon,
which you can see if you hover the computer mouse over the links. This is almost certainly
where they will try to trick you into entering in your e-mail username and password (at least))
Copyright (c) 2017. CRICOS Provider Number 00123M
(Ah yes; the copyright notice that seems to be obligatory on all SPAM e-mails and Phishing
attempts....)
2017-10-02a
WHAT THIS IS ABOUT:
It looks like the same outfit who sent phishing attempts Friday have just sent a smarter-looking
variation of the phishing attempt (see example below). Three Admiral Ackbars.
WHO SHOULD READ THIS:
Folks who get UO e-mail.
WHAT YOU SHOULD DO:
If you get an email, most likely from Jodi Oakerson, and with the subject "IT service: Email address
changed successfully" delete it unread.
Extra points for forwarding it to phishing@uoregon.edu.
ADDITIONAL INFORMATION for the Technically Curious:
This e-mail is smarter because it's more professional looking. Also, it looks like a UO employee's
account is being used to lend authenticity to the e-mail.
Warning signs:
* The UO help desk almost always gives a phone number and plain-text e-mail for help; this message
doesn't.
* This message is formatted for Blue and White, which aren't the university's colors.
* We don't have separate help desks for students, staff, and faculty.
Text of phishing attempt follows:
From: Jodi Oakerson
Sent: Monday, October 02, 2017 12:05 PM
Subject: IT service: Email address changed successfully
(BLUE HEADER) Information Technology service
(BLUE BOLD TEXT) Email address changed successfully
Hi,
We just wanted to let you know that your University email address was recently changed on Monday,2nd
October 2017 08:08 AM.
Don't recognize this activity?
If you have not recently changed your address please contact us urgently for assistance.
Students and applicants
o Contact our Student Support Team [Evil Link to hallinydorosaDOTcomDOTbrSLASHwp-contentSLASHpluginsSLASHuoregon
Staff, contractors, alumni and visiting academics
o Contact the Staff Service Centre [Same Evil Link]
More contact details can be found here. [Same Evil Link Here, Too]
(Grey Bar with Small White Text) Copyright | Privacy | Disclaimer
WHAT THIS IS ABOUT:
Don't Panic. Apple has released a new Macintosh Operating System, MacOS 10.13.0 (High Sierra).
DON'T update; High Sierra is not quite ready. Two Admiral Ackbars, because new operating systems are
always A Trap!
WHO SHOULD READ THIS:
Macintosh iMac and MacBook Users.
iPad and iPhone users are not affected (they use iOS, not MacOS)
Windows Users are not affected.
WHAT YOU SHOULD DO:
Macintosh desktop and laptop computer users should continue to use MacOS 10.12.6 (Sierra) or OS 10.11
(El Capitan). OS 10.10 (Yosemite) is OK, but if your desktop or laptop can run 10.12 or 10.11,
upgrade to those for improved security. Older OSes have passed end-of-life support and are less
secure. Wait to update to 10.13 (High Sierra) until the end of Fall Term.
ADDITIONAL INFORMATION for the Technically Curious:
MacRumors says there's a security vulnerability with High Sierra's keychain (turns out it's not just
High Sierra...):
https://www.macrumors.com/2017/09/25/macos-high-sierra-security-vulnerability/
Ars Technica says wait until October-ish:
https://arstechnica.com/gadgets/2017/09/macos-10-13-high-sierra-the-ars-technica-review/9/#h7
The Register says wait (Warning: High Snark Content)
https://www.theregister.co.uk/2017/09/26/so_should_i_upgrade_to_macos_high_sierra/
Once Apple stamps out various bugs, OS 10.13 (High Sierra) will run on the following computers:
MacBook (Late 2009 or newer)
MacBook Pro (Mid 2010 or newer)
MacBook Air (Late 2010 or newer)
Mac mini (Mid 2010 or newer)
iMac (Late 2009 or newer)
Mac Pro (Mid 2010 or newer)
More information here:
https://www.intego.com/mac-security-blog/how-to-prepare-your-mac-for-macos-high-sierra/
WHAT THIS IS ABOUT:
Don't Panic. This is a PSA about the new way to get computing help from the Computing Center.
WHO SHOULD READ THIS:
All computer users on the UO campus who need help with centralized computing issues, like e-mail
quotas and password problems.
WHAT YOU SHOULD DO:
Instead of sending e-mail to the Computer Center asking for help, visit
https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=31704
to initiate a support ticket.
Also, take a moment to review the contents of the Knowledge Base:
https://service.uoregon.edu/TDClient/KB/Default
to review help articles for various computing services offered on campus.
To request help from me, engtech@ithelp.uoregon.edu is still the way to go; no word yet on when
department-specific IT support will be folded into the new portal system, but I'll dare to prophesy
that it will be sometime in twelve to eighteen months.
ADDITIONAL INFORMATION for the Technically Curious:
Various services on campus are converting to a web-based, searchable catalog of offered services,
FAQs, and help-request forms. The aim is to streamline answers to typical problems, to track time
spent on maintenance, and to provide service metrics for budgeting. More information is included
below.
From: deptcomp-bounces@lists.uoregon.edu [mailto:deptcomp-bounces@lists.uoregon.edu] On Behalf Of News from Information Services
Sent: Monday, August 28, 2017 9:02 AM
To: Departmental Computing
Subject: deptcomp: UO Service Portal is here!
The new UO Service Portal is here!
Visit https://service.uoregon.edu.
The UO Service Portal offers a new way for people to find and request tech help on campus, and a new
way for IT support groups to manage those help requests.
How do I use the UO Service Portal?
There are several ways to get tech help through the UO Service Portal:
• Request help online
o Visit the Service Catalog, locate the service you'd like help with, and submit a help request.
Requests will be routed to the appropriate IT group (see list below).
o You must log in with your Duck ID to submit most kinds of help requests. There are also help options
for people who can't log in or aren't sure where to ask for help.
• Self-help
o Visit the Knowledge Base for how-to guides, troubleshooting information, and answers to common
questions.
• Contact us
o Look up alternative contact information — such as phone numbers and physical locations — for the
four IT groups currently using the UO Service Portal (see list below).
• Search
o You can search the entire portal or limit your search to the Knowledge Base or Service Catalog.
You can also use the UO Service Portal to report an IT service outage or view IT service requests
you've submitted.
Who should use the UO Service Portal?
People should use the UO Service Portal to request help from the following IT groups:
• Information Services*, including the Technology Service Desk
• College of Design (formerly AAA) Technology Services
• School of Journalism and Communication (SOJC) IT
• Student Life IT (SAIT)
For other IT groups: If you refer a customer to one of the above IT groups, please refer them to the
UO Service Portal. The above groups are now asking customers to contact them through webforms in the
UO Service Portal instead of by email*.
*Some Information Services groups are keeping their queues in RT (ithelp.uoregon.edu) for now. If
you're accustomed to requesting services from IS via RT, please consult the individual IS groups to
determine whether to continue using RT or switch to the UO Service Portal for contacting them.
How can I get help with the UO Service Portal?
Here are two ways:
• Submit a help request through the UO Service Portal itself using one of the Service Catalog
"services" listed here: https://service.uoregon.edu/TDClient/Requests/ServiceCatalog?CategoryID=6907
• Contact the Technology Service Desk — one of the groups now using the UO Service Portal! Please note
that, as of today, the Tech Desk is no longer accepting service requests through the email address
techdesk@uoregon.edu. To contact the Tech Desk, please call 541-346-4357 or submit a help request at
service.uoregon.edu.
More information
A brief overview of the UO Service Portal is available on the IT website:
https://it.uoregon.edu/uo-service-portal-launch-aug-28-2017
We're excited about the improved tech support experience this new tool will offer, for both customers
and IT staff!
Information Services
University of Oregon
2017-07-27
WHAT THIS IS ABOUT:
Don't panic, this is a follow-up to the Petya varient e-mail sent yesterday, and some instructions
which supposedly protect your machine from the Petya variant, now known as PetyaWrap. Two Admiral
Ackbars.
WHO SHOULD READ THIS:
Windows Users.
Macintosh Users are not affected.
WHAT YOU SHOULD DO:
The ransomware looks at the computer to see if there's already a copy of it installed; you can trick
it (Ha-ha! Take that!) into thinking the computer has already been infected with a blank file named
perfc.
1. Go to the Windows 10 Search Blank, and type cmd; a new window should appear.
2. Type in the following command cd C:\Windows
3. Type in the following command echo "" > perfc
4. Type in the following command exit
Once the blank file perfc lives in the C:\Windows folder, the ransomware will think it sees another
copy running and halt itself.
Note: it's likely that newer versions of the PetyaWrap ransomware will figure this trick out, but at
least it works on the original malware.
ADDITIONAL INFORMATION:
Review of PetaWrap from Naked Security (has a sales pitch for Sophos):
https://nakedsecurity.sophos.com/2017/06/28/new-petya-ransomware-all-you-wanted-to-know-but-were-afraid-to-ask/
Security Week Overview:
http://www.securityweek.com/petyanotpetya-what-we-know-first-24-hours
Forum discussing the perfc kill-switch:
https://www.cybereason.com/blog-cybereason-discovers-notpetya-kill-switch/
2017-06-27
WHAT THIS IS ABOUT:
Take a deep breath; a new variant of ransomware is attacking infrastructure in Ukraine, Russia,
Britain, France and Spain. The ransomware appears to be a variant of Petya, and the technical press
is comparing this to the WannaCry outbreak a few months ago. Because this is nasty and wide-spread
(but not here yet, as far as I know), I'll give it Three Admiral Ackbars.
[Editor's Note: This malware was later reclassified as a computer wiper, and appeared to be designed
to disrupt services.]
WHO SHOULD READ THIS:
Everyone on the Internet.
Macintosh Users Are Not Affected, but should be vigilant.
WHAT YOU SHOULD DO:
Make sure your Windows machine is running the latest update to close various security holes (External
Blue) Petya uses.
Update your McAfee antivirus definitions.
Make a back-up of your files on a separate, removable device; Dropbox, Google Docs, and OneDrive are
network shares and don't count -- if ransomware can encrypt files on your computer, it can
encrypt files on remote network shares.
Petya spreads in part by attachments. Be extra extra careful opening e-mailed PDFs or Microsoft
Office Documents; if you don't recognize the sender, or if the sent file is unexpected, be extra
paranoid and confirm by phone that the sender actually sent it.
ADDITIONAL INFORMATION for the Technically Curious:
Ransomware is software that encrypts the data on your computer's hard drive, then demands a ransom
(usually paid in Bitcoins) from the user to unencrypt the files.
Petya and its variants are particularly bad, because they go after the Master Boot Record, not just
user files and documents.
Master Boot Record: https://en.wikipedia.org/wiki/Master_boot_record
The Technical Press Becomes Alarmed...
The Register (warning, high snark levels):
https://www.theregister.co.uk/2017/06/27/ransomware_outbreak_hits_ukraine/
Overview from Security Week:
http://www.securityweek.com/petya-ransomware-outbreak-hits-organizations-globally
We Live Security:
https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/
Forbes Tech:
https://www.forbes.com/sites/thomasbrewster/2017/06/27/ransomware-spreads-rapidly-hitting-power-companies-banks-airlines-metro/
Ars Technica:
https://arstechnica.com/security/2017/06/a-new-ransomware-outbreak-similar-to-wcry-is-shutting-down-computers-worldwide/
Technical Analysis:
Malwarebytes Discusses Petya
https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/
Security Week Discussion of External Blue (an exploit Petya uses):
http://www.securityweek.com/nsas-eternalblue-exploit-fully-ported-metasploit
2017-05-15
WHAT THIS IS ABOUT:
Take a deep breath. This is a summary of the "WannaCry Worm" that hit the Internet last Friday
afternoon. It's serious, and should be taken as a cautionary tale to update operating system
software. Three and a half Admiral Ackbars.
WHO SHOULD READ THIS:
Windows Users
Windows XP users, especially.
Windows 10 users are mostly safe.
Macintosh users are only affected if they run Windows on their Macintoshes.
Everyone, in an engaged Internet Citizen kind of way.
WHAT YOU SHOULD DO:
Windows users should run Windows Update to be sure that they are running the latest version.
Windows XP users should contact me at engtech@ithelp.uoregon.edu about strategies for upgrading to
Windows 10.
ADDITIONAL INFORMATION for the Technically Curious:
--Excerpted from a message from the UO Techdesk:
Information Security staff recommend prompt action to address a new ransomware risk.
A vulnerability in Windows networking that was disclosed in March is now being exploited to infect
Windows computers worldwide with ransomware codenamed "WannaCry." The ransomware can encrypt dozen of
common file types (see list below). Once encrypted, the files are inaccessible for use. The ransomware
demands payment in bitcoins to deliver the decryption key. Infected users without off-machine backups
may lose a significant amount of work.
There are three main vectors of infection:
o Opening a malicious email attachment
o Opening a malicious link in an email
o Having an unpatched Windows computer on the network
To prevent infection and mitigate risk, Information Security staff recommend the following steps:
For end users:
o Save backups of your work somewhere other than on your computer, such as on a network
fileshare or in OneDrive
o Don't click suspicious links or open attachments that you aren't expecting
o Report suspicious emails to phishing@uoregon.edu
o Deploy Microsoft Windows Updates as promptly as possible (if you manage your own computer)
Information Security staff notified departmental IT staff on Monday, May 8, of machines in their
departments that were vulnerable to network propagation of this worm. They performed a network rescan
this afternoon (Friday, May 12) and will follow up with OU admins over the weekend and on Monday (May
15) about computers that remain vulnerable to network propagation of this worm.
---
Various Articles from the Technical Press:
Hot For Security:
(Quick Overview)
https://hotforsecurity.bitdefender.com/blog/how-to-protect-against-wannacry-ransomware-18037.html
Naked Security:
(Not-so-quick Overview, ads for Sophos...)
https://nakedsecurity.sophos.com/2017/05/12/wanna-decrypter-2-0-ransomware-attack-what-you-need-to-know/
(Why Haven't We Learned? (also, ads for Sophos))
https://nakedsecurity.sophos.com/2017/05/14/wannacry-benefits-from-unlearned-lessons-of-slammer-conficker/
Brad Smith, Microsoft's President and CLO:
(Computer Security is a globally collective endeavor, and the NSA needs to shape up)
https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/
Ars Technica
(Hey! I found a kill switch! Also, some patching advice.)
https://arstechnica.com/information-technology/2017/05/wanna-decryptor-kill-switch-analysis/
(That Pesky NSA…)
https://arstechnica.com/security/2017/05/2-days-after-wcry-worm-microsoft-decries-exploit-stockpiling-by-governments/
There's no Kill Switch in New Variants:
http://www.securityweek.com/patched-wannacry-ransomware-has-no-kill-switch
Technical Aspects of the Worm:
https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/
2017-05-09
WHAT THIS IS ABOUT:
Don't panic; this is a quick announcement that today is Patch Tuesday, and to urge folks to patch
Microsoft Windows to close a "crazy bad" security hole. Four Admiral Ackbars.
WHO SHOULD READ THIS:
Microsoft Windows 10 Users
Microsoft Windows 8 Users
Microsoft Windows 7 Users are Unaffected
Macintosh Users are Unaffected
WHAT YOU SHOULD DO:
Windows 10:
Click on the Windows Icon in the lower left-hand corner of the screen; a menu will pop up.
From the menu choose the Gear icon (Settings); a new window with settings should appear.
On the left-hand side of the new window should be a column of icons. Click on the shield icon for
Windows Defender; the window's contents should change.
In the main body of the window, there will be text about the VERSION INFO; look for the ENGINE
VERSION:
+ If the Engine Version is 1.1.13704.0 or higher, you're safe (yay).
+ If the Engine Version is lower than 1.1.13704.0 run WINDOWS UPDATE until it is.
ADDITIONAL INFORMATION for the Technically Curious:
In addition to the regular monthly updates, this round includes a fix for a Big Security Vulnerability
in Windows Defender.
Ars Technica:
https://arstechnica.com/information-technology/2017/05/windows-defender-nscript-remote-vulnerability/
"The exploit (officially dubbed CVE-2017-0290) allows a remote attacker to take over a system without
any interaction from the system owner: it's simply enough for the attacker to send an e-mail or
instant message that is scanned by Windows Defender."
Techspot:
http://www.techspot.com/news/69243-microsoft-patches-crazy-bad-remote-attack-vulnerability-found.html
Hot for Security:
https://hotforsecurity.bitdefender.com/blog/emergency-patch-released-for-critical-security-hole-in-microsofts-malware-scanner-18013.html
Technical Proof of Concept:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
2017-04-21
WHAT THIS IS ABOUT:
Don't panic, this is an announcement to update Chrome and Firefox to protect yourself from future
phishing attempts. There's no threat that I know about (yet), so I'll give this Two Admiral Ackbars.
WHO SHOULD READ THIS:
Google Chrome Users.
Mozilla Firefox Users.
Opera Users.
Other web browsers are not affected (that I know of).
WHAT YOU SHOULD DO:
Opera:
There is no fix for Opera. Be careful.
Chrome:
Go to chrome://help/
Update to Chrome version 58 or higher.
FireFox :
This procedure could cause problems if you are going to non-Latin-character-using (e.g. German or
Chinese) websites (sorry, you won't be able to go to www.Spın̈alTap.com after this).
1. Start FireFox.
2. Go to about:config
3. A scary "this might void your warranty" message will appear. Click "I accept the risk!"
4. A new browser screen will appear. At the top will be a SEARCH BOX; type in punycode
5. An item, "network.IDN_show_punycode" should appear; double-click on the word false (on the far
right) - this should change false to true.
You've told Firefox to show non-Latin characters as code, which should thwart phishing attempts to
misdirect you to rogue websites; continue to browse.
ADDITIONAL INFORMATION for the Technically Curious
The same mechanism that lets your computer display a floral heart dingbat, ❦-- or accents in words
like Spın̈al Tap -- can also be used to make a homograph of a legitimate website put misleading
characters in a malicious web page's address (URL) to trick humans into thinking it's a legitimate
website. More on the mechanism, called Punycode, here: https://en.wikipedia.org/wiki/Punycode
Ars Techinca article (hat tip to Kate Meyers):
https://arstechnica.com/security/2017/04/chrome-firefox-and-opera-users-beware-this-isnt-the-apple-com-you-want/
McAfee's take on Punycode and homographs:
https://securingtomorrow.mcafee.com/business/neutralize-threats/chrome-and-firefox-adding-protection-against-this-nasty-phishing-trick/
Phishing with Unicode Domains:
https://www.xudongz.com/blog/2017/idn-phishing/
Demonstration site that pretends to be Apple's web site:
https://www.xn--80ak6aa92e.com/
2017-03-31
WHAT THIS IS ABOUT:
Don't panic. This is a PSA about Internet privacy after the rollback of FCC privacy opt-out rules.
WHO SHOULD READ THIS:
Folks wondering about their Internet privacy.
WHAT YOU SHOULD DO:
Realize that anything you do on the Internet leaves a trail.
You may wish to read this guide from WIRED on going invisible on the Internet:
https://www.wired.com/2017/02/famed-hacker-kevin-mitnick-shows-go-invisible-online/
You may wish to learn about the Tor network:
https://www.torproject.org/about/overview.html.en
You may wish to read this Wirecutter guide on Virtual Private Networks (VPNs):
http://thewirecutter.com/blog/vpns-are-for-most-people/
ADDITIONAL INFORMATION for the Technically Curious:
You know how Google keeps a record of how you search and Facebook keeps a record of things you like so
that both companies can make little adds pop up on your computer screen? Your local Internet Service
Provider (ISP) wants to do the same thing.
The rollback of FCC privacy opt-out rules doesn't mean that someone can search your name or address
and get your browsing habits. What it does mean is that your local ISP can sell information about
which machines (i.e. their operating systems, their MAC address, their browser, their physical area,
the computer's name, etc) at which internet protocol (IP) address (e.g. 128.223.32.36), visited which
web sites (http://english.uoregon.edu). While an ISP isn't selling your name along with this
information, if a company already has your name (because you signed in an created an account), it's
likely they can attach it to your computer's MAC address.
While you are on the campus Ethernet, or using the UOwireless or UO Secure Wi-Fi, the UO is your
Internet Service Provider (ISP).
PC World Overview:
http://www.pcworld.com/article/3184410/security/senate-votes-to-kill-fccs-broadband-privacy-rules.html
More In-depth Overview from Ars Technica:
https://arstechnica.com/information-technology/2017/03/how-isps-can-sell-your-web-history-and-how-to-stop-them/
Other Overviews:
https://arstechnica.com/tech-policy/2017/03/for-sale-your-private-browsing-history/
https://www.washingtonpost.com/news/the-switch/wp/2017/03/28/the-house-just-voted-to-wipe-out-the-fccs-landmark-internet-privacy-protections/
https://www.nytimes.com/2017/03/29/opinion/how-the-republicans-sold-your-privacy-to-internet-providers.html
How the Internet Works (long):
https://arstechnica.co.uk/information-technology/2016/05/how-the-internet-works-submarine-cables-data-centres-last-mile/
…and where the NSA spy hubs are:
https://arstechnica.com/information-technology/2017/03/internet-surveillance-map-nsa-gchq/
2017-03-30
WHAT THIS IS ABOUT:
LastPass -- a password management system that allows you to navigate the labyrinth of password
protected sights you visit with a single password -- has some security issues that could 1) expose
users' passwords, or 2) in some cases allow a malicious person to run arbitrary commands. I'm going
to give this Two and a Half Admiral Ackbars.
WHO SHOULD READ THIS:
Folks who use LastPass.
Folks interested in password managers.
People without LastPass are unaffected (but may see an uptick in Phishing e-mails attempting to take
advantage of the flaw).
WHAT YOU SHOULD DO:
+ Windows Desktop and Laptop users:
The arbitrary command execution appears to only work on the Windows desktop. Windows users should
Double-click the LastPass icon,
Choose More Options->About LastPass -> and disable "Binary Component."
Some more information about the binary plugin here:
https://lastpass.com/support.php?cmd=showfaq&id=3206
+ All users:
From
https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/
Steps LastPass users can take to further protect themselves from these types of client-side issues:
o Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault.
This is the safest way to access your credentials and sites until this vulnerability is resolved.
(Help here: https://helpdesk.lastpass.com/your-lastpass-vault/ )
o Two-Factor Authentication on any service that offers it – Whenever possible, turn on
two-factor authentication with your accounts; many websites now offer this option for added security.
o Beware of Phishing Attacks – Always be vigilant to avoid phishing attempts. Do not click
on links from people you don't know, or that seem out of character from your trusted contacts and
companies. Take a look at our phishing primer
(https://blog.lastpass.com/2016/01/staying-safe-from-phishing-attacks.html/ ).
Here's a quick intro to the LastPass Vault:
https://helpdesk.lastpass.com/your-lastpass-vault/
Here's a quick intro to Two-Factor Authentication:
https://nakedsecurity.sophos.com/2016/06/27/two-factor-authentication-2fa-why-you-should-care/
ADDITIONAL INFORMATION for the Technically Curious:
Arbitrary Commands Proof of Concept:
https://lock.cmpxchg8b.com/SaiGhij5/lastpass.html (overview)
https://bugs.chromium.org/p/project-zero/issues/detail?id=1209 (technical discussion)
From
https://arstechnica.com/security/2017/03/potent-lastpass-exploit-underscores-the-dark-side-of-password-managers/
Ultimately, password managers likely make the average user safer because they make it possible to use
long, complex, and unique passwords. And that protects people in the event that their password is
exposed in website breaches, which are much more common than real-world password manager exploits.
LastPass is working on it:
https://nakedsecurity.sophos.com/2017/03/27/lastpass-steps-up-quickly-to-fix-vulnerabilities-spotted-by-researchers/
Other articles:
https://nakedsecurity.sophos.com/2017/03/27/lastpass-steps-up-quickly-to-fix-vulnerabilities-spotted-by-researchers/
2017-03-15
WHAT THIS IS ABOUT:
Evil people are sending phishing e-mails to UO folks. Again. Three Admiral Ackbars.
WHO SHOULD READ THIS:
Everyone who uses e-mail.
WHAT YOU SHOULD DO:
If you received a message (see below) from D Dugan, saying your account was accessed from an
unrecognized device, delete it unread. It is really a phishing attempt attempting to get your
personal information. Extra Internet Citizen Points for forwarding it to phishing@uoregon.edu.
ADDITIONAL INFORMATION for the Technically Curious:
First some legitimate links for checking various services:
UO Webmail:
https://webmail.uoregon.edu/
Gmail Security Tips:
https://support.google.com/mail/answer/7036019?visit_id=1-636251907492419486-2456929806&rd=2
Apps with access to your Google Account:
https://myaccount.google.com/permissions?pli=1
Compromised Twitter Account?
https://support.twitter.com/articles/31796
A general guide:
https://nakedsecurity.sophos.com/2017/03/15/latest-phishing-tactics-infected-pdfs-bogus-friend-requests-fake-hr-emails/
https://it.uoregon.edu/phishing
http://security.uoregon.edu/node/37.html
How to see and copy full e-mail headers:
https://it.uoregon.edu/full-email-headers
A break-down of the original message follows:
-------- Original Message --------
Subject: Unrecognized sign in
Date: 2017/03/14 13:57
From: D Dugan
The first red flag is that this message says it is from Daniel Dugan, at wayne.edu. If this were a
real security message, it would be from one of the network security folks at the UO. Or possibly
Google or from a service you actually subscribe to.
To:
[ EITHER A FAIRLY COOL LOOKING AND IMPRESSIVE IMAGE OR
ELSE A HIDDEN PIXEL HOSTED ON A REMOTE SERVER ]
I've got images blocked by default on my e-mail client, so I haven't actually seen the image. It's
possible this is supposed to look like some business header, in which case you're supposed to believe
this is a valid message. It's also possible that the image is a web beacon -- since it lives on a
remote server somewhere, the Evil Ones can see who opened it and get information like the recipient's
IP address, the recipient's e-mail client, and likely the type of computer they're using.
This is to notify you that our system has detected several attempts to access your email account
account from an unrecognized device.
Sharp-eyed readers will catch the "account account" slip, which isn't a good sign that this is a
legitimate message.
New login from Chrome on Windows
Tuesday, March 14th, 2017 at 1:22 AM 162.173.05.11
Manassas, Virginia, United States*
The above is an attempt to establish legitimacy with a meaningless and vague display of technology.
"New login from Chrome on Windows," is supposed to make you worried that someone logged into your
account... but wait, WHICH account is being logged into again? Apparently it's an account that one
can use Chrome (a web browser) to log into, so presumably, the bogus alert is about a web-based
service. The bogus break-in was done from a Windows machine, which lends credibility to the alert if
one is a Macintosh user (those evil Windows users). This is followed by a time stamp (what time zone
was that in?) and a (probably bogus) IP address (which doesn't show up with InterNIC's WHOIS
utility).
If you don't recognize this activity, we strongly recommend you Review [link to evil
akotourDOTcomSLASHwp-adminSLASHuoregonSLASH] your account to save your current IP in our database.
Otherwise, you can disregard this message
Of course you won't recognize this activity -- it's made up. Saving your current location on the
internet in their database will do nothing to help a breached account's password, but the author of
this phishing attempt is hoping you won't stop to realize that (until it's too late).
Why are we sending this?
We didn't recognize the browser or device you used to log into your email account. This could be the
result of accessing your account from a new or public computer or changing your browser settings, but
it could also be a sign of unauthorized account activity.
Follow-up "trust us" verbiage to establish the author's legitimacy. This is fairly slick on the
author's part; it is true that some services will send a "hey, is this you?" message if a new browser
or IP address connects to them.
Protect yourself from phishing emails
More "trust us" verbiage. This is can't be a phishing email because it's warning us about phishing
emails (whew, I feel so safe). File this one under the "Only the true Messiah denies his divinity"
file.
We will never ask for your password in an email. If you don't trust a link in an email, go directly to
the normal login page at Here [identical evil link redacted]
"No, really; you can trust us. Here, follow this blind link here. It's safe...." Um, what service
are you warning us has supposedly been breached, again? If this were a real message, it would say
something like, log into webmail.uroegon.edu to check your security settings.
Copyright 2016
Do not reply as this is an automated message.
Ooh. A Copyright. This is the best copyright I've ever seen.
2017-03-10
WHAT THIS IS ABOUT:
The English Department is being spammed with scam tutor requests (message included below). This is a
trick (which John rates at Three Admiral Ackbars) to get your banking information and money.
WHO SHOULD READ THIS:
Everyone who reads e-mail.
WHAT YOU SOULD DO:
If you receive a vaguely worded e-mail from Chris Rolando, a.k.a. Mr. Christopher, requesting a tutor,
the safest thing to do would be to delete the message. If you're feeling like you'd like to be
helpful, you could forward the message to the University Teaching and Learning Center (TLC), at
tlc@uoregon.edu.
ADDITIONAL INFORMATION:
How this scam usually plays out:
1) Scammer requests a tutor for a non-existent child.
2) Friendly tutor replies and sets up session.
3) Scammer over-pays, then request money back.
4) Insert bank shenanigans here, resulting in tutor's lost money.
https://www.berkeleyparentsnetwork.org/recommend/tutors/scam
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2012-09-04
http://consumerist.com/2009/06/stay-away-from-the-nigerian-tutoring-scam.html
========================
[scam message text]:
Subject: tutor
Date: 2017/03/10 06:08
From: chris rolando
Hello,
My name is Chris. I came across your e-mail on the University of Oregon, Department of English
Directory. I would like to hire you as a private tutor for my daughter.
Let me know if you would be available for the tutorial job. If yes, then i will subsequently provide
you with more details of my daughter.
Please also let me know your fee, area of specialization, preferred location for the lessons and
policy with regard to cancellations and make-up lessons if you are available.
I hope to hear from you soon.
Regards,
Mr. Christopher
2017-03-03
WHAT THIS IS ABOUT:
Don't panic. This is a PSA about UO Wireless Networking: The connection
configuration software and interface is being updated March 14. [Editor's
note, since this is a maintenance issue and not a threat, in lieu of Admiral
Ackbars, I'd give it an R2-D2.]
WHO SHOULD READ THIS:
Folks who use the Wireless Networks, UOSecure and Eduroam.
WHAT YOU SHOULD DO:
Beware the Ides of March and give yourself a little extra time to connect on
Tuesday the 14th on the off chance the new wireless utility breaks
connectivity. You can preview what the utility will look like here:
https://it.uoregon.edu/node/5331.
The wireless update shouldn't affect Ethernet connections (knock on wood),
and in the event that wireless connectivity breaks, wired Ethernet should be
a viable back-up.
ADDITIONAL INFORMATION for the Technically Curious
E-mail message from the DEPTCOMP list:
From: deptcomp-bounces@lists.uoregon.edu
[mailto:deptcomp-bounces@lists.uoregon.edu] On Behalf Of Technology Service
Desk
Sent: Thursday, March 02, 2017 11:44 AM
To: Departmental Computing
Subject: deptcomp: New look & feel at wireless.uoregon.edu starting March 14
On Tuesday, March 14, at 8am, Information Services will be updating
wireless.uoregon.edu.
Specifically, IS will be releasing a new auto-configuration tool for UO
Secure and Eduroam.
As you may know, the tool automatically configures devices to connect to
those two networks for users who experience trouble joining them. The current
utility is out of date and requires replacement.
The new auto-config tool is intuitive to use, but has a different look and
feel. You can preview it at https://it.uoregon.edu/node/5331.
The existing utility at wireless.uoregon.edu will continue to be available
until the switchover at 8am on March 14. In fact, you may continue to see the
old tool for a few more days, until the new DNS information is propagated
across DNS servers on the web. To see the new tool sooner, clear your DNS
cache.
If you have any questions, please contact the Technology Service Desk
(techdesk@uoregon.edu; 541-346-4357).
UO Technology Service Desk
Information Services
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk
2017-02-27
WHAT THIS IS ABOUT:
Cloudflare, a cloud service for services such as Uber and OKCupid, has been
leaking information - possibly private information - from September 2016 to
February 2017, which was then stored in Google caches. Three Admiral Ackbars
- it's probable The Bad Guys didn't know about this, tech folks are scrubbing
Google archives, and information was haphazardly leaked.
[EDITOR'S NOTE: as of 3/2/17, Cloudflare says they haven't found any active
exploitation of this memory leak.]
WHO SHOULD READ THIS:
Folks with Uber or OKCupid or Grindr or Yelp accounts.
Folks using Dropbox apps on their mobile devices.
Folks with FitBit accounts.
Folks who use the same password for all computer accounts.
WHAT YOU SHOULD DO:
Short form:
Change all your passwords.
Long form:
Be sure to practice good password hygiene by having a different password for
every account you have on the internet (I can hear you laughing). Here's one
method for generating passwords:
http://gizmodo.com/create-an-ultra-secure-easy-to-remember-passphrase-usi-1694021321
Where possible, use two-factor authentication (2FA) to make your
internet-based services more secure.
If you have a Uber, OKCupid, or FitBit account, change the password with these
services.
UO webmail, Gmail, Facebook, Twitter, and Snapchat appear to not be affected.
If you have an account with another service, go to this site
https://cloudbleedcheck.com/
and type in a domain (e.g. snapchat.com or fitbit.com) to see if that service
has been affected by the Cloudflare leak.
Check the list of iOS apps here:
https://www.nowsecure.com/blog/2017/02/23/cloudflare-cloudbleed-bugs-impact-mobile-apps/
to be sure some obscure app is not affected by the data leak. Some
services, such as Dropbox, may not be directly affected (and therefore don't
show up on the cloudbleedcheck site above), but use mobile apps which are.
If one of the apps on your smart phone or iPhone or mobile device is listed,
be sure to change the password for that service.
ADDITIONAL INFORMATION for the Technically Curious:
A web-based memory leak is when a computer serving web pages leaks more
information than is wanted. Let's say you've got a measuring cup (the web
page) and you fill it from a faucet (the web server), but you get a
cup-and-half of water out of the faucet; the extra half-cup (the leaked data
which may or may not be your password) is outside the cup on the counter (the
Google cache, where anyone can read it). In this case, the problem was that
Cloudflare's software was sending extra data because of a programming error
-- which has been fixed. Now everyone's scrambling to clean up the spilled
data.
The Information Services Security group is reviewing whether the University of
Oregon has a direct business relationship with Cloudflare or any of the
affected sites.
Some folks are calling this "Cloudbleed" because of the technical similarity
to the Heartbleed bug of 2014
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-04-09
Official Response from Cloudflare:
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
News:
A massive Cloudflare bug means Uber, Fitbit and OKCupid passwords have been
leaking for months
http://www.businessinsider.com/r-bug-causes-personal-data-leak-but-no-sign-of-hackers-exploiting-cloudflare-2017-2
CloudFlare Leaked Sensitive Data Across the Internet For Months
http://fortune.com/2017/02/24/cloudflare-leak-bug-sensitive-information/
Technical News:
General overview:
https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165
Gizmodo (warning: some strong language)
http://gizmodo.com/everything-you-need-to-know-about-cloudbleed-the-lates-1792710616
Cloudbleed's sliver lining: the response system worked
https://nakedsecurity.sophos.com/2017/02/27/cloudbleeds-sliver-lining-the-response-system-worked/
Really technical forum:
System administrators chatting with each other:
https://news.ycombinator.com/item?id=13718752
2017-02-14
WHAT THIS IS ABOUT:
Someone (apparently from Ireland) pretending to be with the UO Computer Center
is sending out fake quota e-mails; these are phishing attempts. I'm giving
this 2 Admiral Ackbars for clumsy execution.
WHO SHOULD READ THIS:
E-mail users at the UO.
WHAT YOU SHOULD DO:
If you receive a message from gerdalyDOTcaraATittraleeDOTie (see message
below), delete it unread. It is a phishing attempt.
If you want to know what your quota is, see
https://duckid.uoregon.edu/quota/
ADDITIONAL INFORMATION for the Technically Curious:
A breakdown of the message follows:
Subject: Quota Alert!
A real subject would be something like, Warning, user burridge using 49,500
GB of allocated 50,000 GB
Date: 2017-02-13 12:40 PM
From: UOREGON Webmail Admin gerdalyDOTcaraATittraleeDOTie
A real sender would have a uoregon.edu e-mail address. Apparently, the .ie
domain is Ireland.
To: li@s.com
The real recipient should be your regular e-mail address; this address
indicates e-mail header spoofing is happening.
Dear User,
I have a name, and the Computer Center knows what it is. It would be
trivial for them to send me a personalized e-mail.
Mail system found out that you have used up your quota space.Your mailbox
size has reached 997.70MB, which is over 99% of your 1G quota.
Who or what is this "Mail system" (pause to ponder the effects of the
patriarchy) ? This is really an irrelevant sentence, because it doesn't
matter who or what made the supposed discovery; this is an attempt on the
sender's part to establish authority to trick you into complying with
requests. Also, it's customary to include space after a period. "Your
mailbox size" is an attempt to impress with numbers and establish the
writer's authority.
To avoid exceeding your quota.Click here [link to Earthlink redacted] to
expand your inbox for incoming messages immediately.
Here's the request to follow a blind link to what is undoubtedly a Web Page
of Evil. Anyone who has been with the UO long enough will start laughing
now at the idea that a simple, one-click utility to expand your e-mail
quota immediately (and possibly perpetually) exists.
Nullum gratuitum prandium.
Our mail server is gradually filling up and we need to free up some space.
This is an appeal to the reader's altruism. Harden your hearts with the
knowledge that as long as there have been e-mail servers, they've always
been too small to accommodate users' desires to use e-mail as a
personal journal.
Thanks.
Help Desk.
If this had been a real message from the UO Help Desk, there would have been
some Duckalicious graphic here, along with detailed contact information for
reaching the UO help desk.
This e-mail is subject to the following disclaimer(s) - Ta an r-phost seo fe
reir an tseanta/na seanta seo leanas ata le fail ag - available at
http://REDACTED/EmailDisclaimer.html
Huh. A disclaimer. (Checks Google) In ?Irish? I suppose it makes this
message seem more official. At least it's not a copyright notice.
FOLLOW-UP:
At least two people have fallen for Monday afternoon's phishing scam (and were
brave enough to let me know).
From http://security.uoregon.edu/node/37.html#phished
What to do if you responded to a phishing scam:
If you provided your account credentials in response to a phishing scam,
please immediately change your account password for the affected account and
any other account that uses the same, or a similar password.
If the scam involves UO credentials such as your 'DuckID', please e-mail
phishing@uoregon.edu.
If you took other action in response to the phishing e-mail, such as opening
an attachment, or downloading a file, please include this information in your
e-mail to phishing@uoregon.edu.
Be sure to include the full headers of the phishing e-mail when reporting the
incident. If you are not familiar with how to view the full headers of an
e-mail, please consult the following site:
Information on e-mail full headers can be found here:
http://it.uoregon.edu/full-email-headers
2017-01-25
WHAT THIS IS ABOUT:
Don't panic. This is a PSA. HP is extending its recall of HP Laptop
Batteries. Since the batteries could melt or char during use ("It's a
trap!"), I'm giving this 3.5 Admiral Ackbars.
WHO SHOULD READ THIS:
Owners of HP Laptops.
All other computer users are not affected.
WHAT YOU SHOULD DO:
If you own an HP laptop purchased between March 2013 and October 2016, take a
look at the battery's serial number. Batteries included in the expanded
recall have barcodes starting with 6BZLU, 6CGFK, 6CGFQ, 6CZMB, 6DEMA, 6DEMH,
6DGAL and 6EBVA.
If your battery is being recalled,
+ stop using the battery,
+ contact HP here: https://h30686.www3.hp.com/ for a replacement
+ only use the laptop when it's powered by an electrical outlet.
ADDITIONAL INFORMATION:
http://www.techspot.com/news/67899-hp-recalls-additional-101000-laptop-batteries-over-fire.html
2016-11-30
WHAT THIS IS ABOUT:
Don't Panic. Maintenance on the UO Secure Network may make some computers ask
about a new security certificate Friday Morning, Dec 2. Not really a threat,
so this doesn't rank any Admiral Ackbars; since it's maintenance, I'll give it
an R2-D2.
WHO SHOULD READ THIS:
Off-campus users who use VPN to connect to the UO network.
On-campus users who use VPN to connect to secured services like Banner.
Non-VPN users are not affected.
WHAT YOU SHOULD DO:
This Friday morning, Virtual Private Network (VPN) users will be asked to
accept a brand new security certificate the first time they connect to the
UO's VPN. This is expected, first-time behavior. After accepting the new
certificate, proceed with whatever work you intended to do.
Users of the VPN may wish to either finish tasks requiring the secure network
Thursday evening, or else give themselves a little extra time Friday to
navigate any unforeseen network difficulties.
ADDITIONAL INFORMATION:
The original network services message follows:
-----Original Message-----
From: uonet-outages-bounces@network-services.uoregon.edu
[mailto:uonet-outages-bounces@network-services.uoregon.edu] On Behalf Of Chris
Trown via RT
Sent: Wednesday, November 30, 2016 9:42 AM
Cc: uonet-outages@network-services.uoregon.edu
Subject: [Uonet-outages] [ithelp #1220483] uovpn - Maintenance
SUBJECT: uovpn - Maintenance
AFFECTED:
STATUS: Planned - Pending CAB approval
START TIME: 12/02/2016 05:30 AM
END TIME: 12/02/2016 06:00 AM
DESCRIPTION: During this maintenance, the SSL certificate on uovpn will be
replaced.
UPDATE:
TIMESTAMP: 11/30/2016 09:37:49 AM
If you would like more details about this issue, please feel free to contact
us via email to nethelp@ithelp.uoregon.edu or by calling us at
+1.541.346.NETS (6387) and select option 2.
Thank you,
--
UO Network & Telecom Services
Email: nethelp@ithelp.uoregon.edu
URL: http://nts.uoregon.edu
Voice: +1.541.346.NETS (6387)
Archive: http://nts.uoregon.edu/pipermail/uonet-outages
_______________________________________________
Uonet-outages mailing list
Uonet-outages@ns.uoregon.edu
http://ns.uoregon.edu/mailman/listinfo/uonet-outages
2016-10-25
WHAT THIS IS ABOUT:
Apple has released some operating system updates for both its mobile platforms
(iPhones, iPads, iPods) and its desktop (iMac) and laptop models (MacBooks).
These close up some serious security holes, the scariest being the
CoreGraphics (CVE-2016-4673) iOS security flaw which can allow an iPhone or
iPad to be taken over if it views a maliciously crafted JPEG file. Four
Admiral Ackbars.
WHO SHOULD READ THIS:
Users of Apple Devices: iPads, iMacs, iPhones, and other i-Things
Windows users are not affected.
WHAT YOU SHOULD DO:
+ iPad, iPod, and iPhone users:
Update your device to iOS 10.1
https://support.apple.com/en-us/HT204204
If you have an older device (John ruefully looks at his iPad), you may be
stuck at iOS 9.3.5 everything I'm seeing indicates older devices won't be
patched and will remain vulnerable to the JPEG exploit (thanks, Apple, my
iPad's not _that_ old).
+ iMac and MacBook users:
Update your MacOS with the latest security patches.
Apple Menua > About This Mac > Software Upgrade
You may be prompted to install macOS 10.12 (Sierra) if you aren't a Banner
user and you have about 90 minutes to install an upgrade, you may do so.
Otherwise, OS 10.11.7 (El Capitan) should be fine.
You can check to see if Sierra will run here:
http://www.apple.com/macos/how-to-upgrade/
Upgrading to Sierra typically breaks McAfee, which requires a re-install.
You can reinstall it from here (UO login required):
https://it.uoregon.edu/system/files/software/2045/UO_McAfeeVirusScan_9.7.dmg
ADDITIONAL INFORMATION:
Apple's Announcements:
General Security page:
https://support.apple.com/en-us/HT201222
iOS 10.1
https://support.apple.com/en-gb/HT207271
macOS:
https://support.apple.com/en-gb/HT207275
The technical press responds:
https://www.grahamcluley.com/boobytrapped-jpeg-infect-iphone-upgrade-ios-10-1/
https://nakedsecurity.sophos.com/2016/10/25/apple-ios-users-taste-android-anxiety-with-nasty-coregraphics-image-flaw/
http://www.theregister.co.uk/2016/10/24/apple_security_update/
2016-10-21
WHAT THIS IS ABOUT:
Early Friday morning, a distributed denial of service (DDoS) attack knocked
major sites off of the internet. Mostly the Eastern Seaboard was affected.
As of this writing, service has been restored. Two Admiral Ackbars for past
inconvenience and future anxiety.
WHO SHOULD READ THIS:
Folks who might have sent e-mail to other folks on the East Coast.
Internet Users.
Folks with a lot of Internet aware things
WHAT YOU SHOULD DO:
Civic minded Internet users may wish to review the security of their wifi
internet enabled devices (home wireless routers, wifi-enabled stereos or TVs,
etc.) to tighten security. Doing so will deprive The Evil Ones of their
botnet army slaves.
If you're having difficulties connecting to various Internet sites "is this
site down?" site may be useful.
http://www.downforeveryoneorjustme.com/
Google specific:
https://www.google.com/appsstatus#hl=en&v=status
ADDITIONAL INFORMATION:
DNS: Domain Name Server. This is a device that translates
www.twitter.com into an internet protocol address number.
DoS Attack: Denial of Service Attack. When someone sends so many
requests to a computer or router that it bogs down and is unable to provide
service to legitimate users.
DDoS Attack: Distributed Denial of Service Attack. Imagine you're in
your office. Imagine everyone on campus decides to call your telephone at the
same time. You might try blocking nuisance callers, but there are so many
other callers that this doesn't work and you end up with a n unusable phone
(for those of us over 40: remember calling your favorite radio station to try
to be "caller number nine" and win a give-away ? Remember how the busy signal
was extra fast? )
The status page of DYN, the internet service provider affected:
https://www.dynstatus.com/incidents/nlr4yrr162t8
The technical press goes wild:
https://www.hotforsecurity.com/blog/ddos-attack-against-dns-provider-knocks-major-sites-offline-16977.html
http://www.pcworld.com/article/3133847/internet/ddos-attack-on-dyn-knocks-spotify-twitter-github-etsy-and-more-offline.html
http://www.securityweek.com/twitter-others-disrupted-ddos-attack-dyn-dns-service
http://arstechnica.com/security/2016/10/dos-attack-on-major-dns-provider-brings-internet-to-morning-crawl/
A concern is that an increase in distributed denial of service attacks'
frequency and severity is on the horizon, or that these DDoS attacks are
rehearsals for bringing the whole internet down. Related reading:
https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html
2016-10-20
WHAT THIS IS ABOUT:
Don't panic. There's a bug in the brand new version of the Macintosh
Operating system that makes it incompatible with Banner. One Admiral Ackbar
for inconvenience.
WHO SHOULD READ THIS:
Folks using Mac OS 10.12 (Sierra).
Folks who use Banner.
Non-Banner users are not affected.
Folks using Mac OS 10.11 (El Capitan) or older are not affected.
Windows users are not affected.
WHAT YOU SHOULD DO:
If you need to use Banner and your main machine is a Macintosh, hold off on
updating to OS 10.12 (Sierra).
If it's Too Late, or you have a Brand New Machine with Sierra pre-installed,
the only recourse is to get access to another machine or operating system (I
personally think it's easier to find another machine than to us Parallels or
Boot Camp) that can run Banner until Apple/Oracle can fix the issue.
ADDITIONAL INFORMATION:
See the e-mail from the Tech Desk below:
-----Original Message-----
From: banner-status-bounces@lists.uoregon.edu
[mailto:banner-status-bounces@lists.uoregon.edu] On Behalf Of Technology
Service Desk
Sent: Wednesday, October 19, 2016 2:01 PM
To: banner-status@lists.uoregon.edu
Subject: banner-status: Banner incompatibility with macOS Sierra
There is an incompatibility between Banner and macOS Sierra (10.12). If
someone tries to use Banner on a Mac and they press Shift, Caps Lock,
Command, or other modifier keys, an error message appears and prevents
further use of Banner.
We recommend waiting to install macOS Sierra until the vendor fixes this
issue. In the meantime, workarounds include using a PC for Banner or
installing a Windows OS on your Mac using Parallels or Boot Camp.
The new version of Java that came out yesterday (Java 8 update 111 build
1.8.0_111-b14) helps somewhat but does not resolve this issue.
If you have any questions, please contact the Technology Service Desk
(techdesk@uoregon.edu; 541-346-4357).
UO Technology Service Desk
Information Services
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk
2016-09-23
WHAT THIS IS ABOUT:
Don't panic. I'm noticing that some folks are having difficulties connecting
to the UO Secure wireless network. This is a typical start of the academic
year problem.
WHO SHOULD READ THIS:
Folks who connect to the UO Secure wireless network. Or would if the darn
thing would work.
WHAT YOU SHOULD DO:
1) Plug your device into the UO Ethernet
2) Go to
https://wireless.uoregon.edu
This will take you to Network Service's wireless page, where they have a
connection utility wizard.
3) Click the check box by "I accept the terms" and then the START button. The
wizard should run some scripts to install a new security certificate. It
should take no more than five minutes (unless you have to repeat the
procedure...)
"But John!" you say, "I have a mobile device that doesn't have an Ethernet
jack and I _can't_ plug into the Ethernet"
In that case try
1) Go to your device's wireless network settings.
2) Connect to plain old vanilla UO Wireless.
3) Go to
https://wireless.uoregon.edu
This will take you to Network Service's wireless page, where they have a
connection utility wizard.
4) Click the check box by "I accept the terms" and then the START button. The
wizard should run some scripts to install a new security certificate. It
should take no more than five minutes (unless you have to repeat the
procedure...)
Navigating this problem can be tricky. I'm happy to assist folks. E-mail
me at engtech@ithelp.uoregon.edu to schedule an appointment.
ADDITIONAL INFORMATION:
I'm going to blame summer maintenance for this, which typically includes
giving the wireless router new security certificates. When a machine that
hasn't connected for a few months returns to campus, it doesn't have the
latest certificate, and the connection doesn't work.
2016-09-12
WHAT THIS IS ABOUT:
Don't panic, this is a PSA about iOS 10, which Apple will unleash on
September 13, 2016.
WHO SHOULD READ THIS:
Owners of iPhones, iPads and iPods.
WHAT YOU SHOULD DO:
The new iOS is probably harmless; however, I always advise folks to wait
about two weeks before upgrading operating systems in case there are any
hidden problems.
ADDITIONAL INFORMATION:
The Apple Store may be sluggish on 9/13 as Apple fans worldwide jump on the
update bandwagon.
http://www.apple.com/ios/ios-10/
iOS 10 is compatible with these devices.
iPhone 7
iPhone 7 Plus
iPhone 6s
iPhone 6s Plus
iPhone 6
iPhone 6 Plus
iPhone SE
iPhone 5s
iPhone 5c
iPhone 5
iPad Pro 12.9-inch
iPad Pro 9.7-inch
iPad Air 2
iPad Air
iPad 4th generation
iPad mini 4
iPad mini 3
iPad mini 2
iPod touch 6th generation
2016-08-25
WHAT THIS IS ABOUT:
Apple has released a new operating system update for iPads and iPhones which
closes three serious zero-day flaws being used by state-sponsored spy
organizations. iPad and iPhone users are encouraged to download iOS 9.3.5 as
soon as possible. 4 Admiral Ackbars (serious enough for me to post this at
9:45 PM in the middle of a vacation).
WHO SHOULD READ THIS:
Owners of iPads and iPhones.
Windows users are not affected.
WHAT YOU SHOULD DO:
iPad and iPhone users should update to iOS 9.3.5. Now would be good.
On the device, go to Settings > General > Software Update
More detailed instructions here: https://support.apple.com/en-us/HT204204
I will be back in the office after Labor Day. If you need additional help
sooner, please visit the folks at the Technical Support Desk in the basement
of McKenzie, 346-HELP.
ADDITIONAL INFORMATION for the Technically Curious:
The three flaws are collectively being called The Trident. The spy package
being used to exploit The Trident is called Pegasus. Pegasus and other
malware taking advantage of the flaws can be installed from a malicious web
site or an SMS, grab super-user privileges, and go from there to do everything
from reading your e-mails, to spying on you with your iThing's microphone and
camera, to tracking your physical location via an i-Thing's GPS.
Official Apple Security Notice (kind of info-lite):
https://support.apple.com/en-us/HT207107
The Original Discovery Write-up from Citizen Lab (recommended if you've got
the time to read it for the government and social implications as well as the
technical information):
https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
The Technical Press Chimes In:
http://arstechnica.com/apple/2016/08/apple-releases-ios-9-3-5-with-an-important-security-update/
http://arstechnica.com/security/2016/08/actively-exploited-ios-flaws-that-hijack-iphones-likely-spread-for-years/
https://nakedsecurity.sophos.com/2016/08/26/apple-ios-users-update-now-zero-day-attack-seen-in-the-wild/
http://gizmodo.com/israeli-cyber-weapon-dealers-figured-out-how-to-hack-ev-1785747391
https://www.intego.com/mac-security-blog/emergency-ios-9-3-5-update-thwarts-pegasus-spyware-patch-now/
http://www.techspot.com/news/66106-rare-ios-spyware-caught-wild-exploiting-three-zero.html
http://www.theregister.co.uk/2016/08/25/update_your_ios_devices_now_theres_an_apt_in_the_wild/
http://www.macrumors.com/2016/08/25/apple-releases-ios-9-3-5/
And so does the Non-Technical Press:
http://www.nytimes.com/2016/08/26/technology/apple-software-vulnerability-ios-patch.html?_r=0
http://www.wsj.com/articles/firm-manipulated-iphone-software-to-allow-spying-report-says-1472149087
http://www.reuters.com/article/us-apple-iphone-cyber-idUSKCN1102B1
2016-07-29
WHAT THIS IS ABOUT:
Sigh. This is a PSA. With the latest Microsoft Windows 10 update, released
July 29 (today), Microsoft is integrating User Information Gathering
Cortana, its on-line search assistant, more closely into Windows 10. Instead
of Admiral Ackbars, I'd give this a rating of 2 Sith Lord Spy 'Droids.
WHO SHOULD READ THIS:
People using Windows 10.
WHAT YOU SHOULD DO:
To improve your privacy
From
http://www.windowscentral.com/you-can-disable-cortana-windows-10
How to sign out of Cortana in Windows 10 Anniversary Update
Click Cortana
Choose Notebook
Choose About me
Select User Account
Select Sign Out
Cortana will now revert to a generic search engine for your PC and web with
no links to your Microsoft Account.
Other privacy settings:
Go to the Start Menu in the lower left-hand corner of the Windows 10 screen.
Choose Settings; the Settings dialog box should appear.
Click on the Privacy icon; the Privace dialog box should appear
Select Speech, Inking & Typing from the menu on the left; new text should
appear.
Toggle an option called 'Stop getting to know me' OFF.
Close the dialog box.
For more Windows 10 Privacy tips, see:
http://www.windowscentral.com/how-turn-cortana-and-stop-personal-data-gathering-windows-10
ADDITIONAL INFORMATIO for the Technically Curious:
A "Hold Your Horses, It's Not Quite _That_ Bad" Article:
http://www.windowscentral.com/you-can-disable-cortana-windows-10
A Click-bait Headline Article:
http://www.techspot.com/news/65766-microsoft-make-cortana-mandatory-anniversary-update.html
Microsoft's Page on Cortana:
https://support.microsoft.com/en-us/help/17214/windows-10-what-is-cortana
2016-07-27
WHAT THIS IS ABOUT:
Don't Panic (much)! This is public service announcement about a newly
discovered security hole in LastPass, a password manager. No exploits in the
wild; I'd rate this at about One and a Half Admiral Ackbars.
WHO SHOULD READ THIS:
Only folks who use LastPass
WHAT YOU SHOULD DO:
Keep your eyes open for a security patch from LastPass to be released soon.
ADDITIONAL INFORMATION for the Technically Curious:
An explanation of what LastPass is, and the nature of the exploit:
https://nakedsecurity.sophos.com/2016/07/27/lastpass-password-manager-zero-day-bug-hits-the-news/
A sensational article that throws around a lot of big numbers before admitting
no in-the-wild attacks:
http://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/
The LastPass website:
https://lastpass.com/
2016-07-12
WHAT THIS IS ABOUT:
Don't panic; this is simply a PSA about the Pokemon Go application that is
causing groups of lost-looking people to wander the campus while holding up
smart phones and frowning in confusion as if they were trying to find PLC or
maybe the Library or the Museum
WHO SHOULD READ THIS:
Folks with mobile smart-phones (you've given them to your kids, haven't you).
WHAT YOU SHOULD DO:
Be aware of your physical safety.
iPhone users especially: Make sure you download the official version of this
game (not a problem if you are in the US).
Review privacy settings for the game.
Have fun. Be safe. Catch 'em all.
ADDITIONAL INFORMATION for the Technically Curious:
https://www.hotforsecurity.com/blog/pokemon-go-privacy-and-security-concerns-you-should-be-aware-of-15917.html
http://www.macrumors.com/2016/07/11/pokemon-go-launch-car-accidents/
List of Pokemon
https://en.wikipedia.org/wiki/List_of_Pok%C3%A9mon
2016-07-06
WHAT THIS IS ABOUT:
Don't panic. This is a public service announcement about a piece of Malware
the Technical Security Press is in a dither about called "Eleanor," which is
distributed through a third-party document converter, and which was up until
recently hosted on the MacDownload website. I'd rate this at Two Admiral
Ackbars.
WHO SHOULD READ THIS:
Macintosh Users, especially folks who download apps from the MacDownload site.
Windows Users are not affected.
WHAT YOU SHOULD DO:
Eleanor is malware that is bundled with a third-party document converter
called EasyDoc Converter. EasyDoc Converter appears to have been abandoned by
its initial creators and turned into a Trojan Horse by The Evil Ones.
If you have never visited MacDownload, you're safe.
If you've never downloaded EasyDoc Converter, you're safe.
If you have downloaded EasyDoc Converter, install or update MalwareBytes for
Macintosh, which will remove it.
https://www.malwarebytes.com/antimalware/mac/
ADDITIONAL INFORMATION for the Technically Curious:
qui cum canibus concumbunt cum pulicibus surgent - He that lieth down with
dogs shall rise up with fleas.
Original report from Bit Defender:
https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/
The site of the crime:
https://www.macupdate.com/app/mac/56544/easydoc-converter
Secondary Reports:
https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/
"The app is not signed with a certificate issued to an Apple developer ID.
This is fortunate, in a way, as this makes it more difficult to open. (By
default, Mac OS X will not open unsigned apps.)"
http://www.securityweek.com/os-x-backdoor-provides-unfettered-access-mac-systems
http://www.macrumors.com/2016/07/06/backdoor-mac-eleanor-faq/
"The most important and obvious preventative measure is to avoid downloading
"EasyDoc Converter.app" from any source. Installing unknown apps from
unidentified developers is almost always a security risk."
2016-07-01a
WHAT THIS IS ABOUT:
The deadline for downloading the free upgrade to Windows 10 is July 29, 2016.
Resistance is futile.
WHO SHOULD READ THIS:
Windows users not using Windows 10.
WHAT YOU SHOULD DO:
If you've been holding out on a Windows 10 upgrade, now's the time to do it
while the upgrade is still free. Downloading the upgrade typically takes
about an hour, and the installation typically takes about 90 minutes.
Windows XP is no longer supported.
Windows 7 should be supported through 2020.
Windows 8 should be supported through 2023.
The PROS:
+ Since Windows 10 has been out about a year, some of the bugs in it
have been addressed.
+ MacAfee now runs with Windows 10.
+ Running Windows 10 will make your machine compatible with the latest
software.
+ Microsoft has recognized that Win8 charms (or application tiles) was
a bad idea and scaled them back.
+ Upgrading old machines to Win 10 will make them look the same as
newly purchased Windows machines.
The CONS:
+ Older computers may not be able to run Windows 10.
+ Windows 10 is Microsoft's way to become an advertiser for what you
want; by default it collects a dismaying amount of information.
+ Windows 10 still wants to make your computer talk to other computers
so it can become a local hotspot and serve Windows updates.
+ Microsoft took out the Media Player - so no playing DVDs after an
update without additional software installations.
+ The usual annoyances at a new system's apparently random
reconfiguration of system controls: The control panel has been split into
a control panel and a preferences panel, and the Start Icon does
almost-but-not-quite-the-same things
If you do upgrade to Windows 10, follow these instructions to improve your
privacy:
http://arstechnica.com/information-technology/2015/08/windows-10-doesnt-offer-much-privacy-by-default-heres-how-to-fix-it/
ADDITIONAL INFORMATION for the Technically Curious:
Other Configuration Guides:
http://arstechnica.com/information-technology/2014/10/hands-on-with-the-windows-10-start-menu-as-big-or-as-small-as-you-want-it/
Microsoft's Win10 FAQ:
https://support.microsoft.com/en-us/help/12435/windows-10-upgrade-faq
A list of Microsoft products' life cycles:
https://support.microsoft.com/en-us/gp/lifeselectindex
Last Year's Tech Announcement:
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2015-08-05
Various Privacy Concern Links:
http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/
http://arstechnica.com/information-technology/2015/08/windows-10s-privacy-policy-is-the-new-normal/
https://privacy.microsoft.com/en-us/privacystatement/
2016-07-01
WHAT THIS IS ABOUT:
Don't panic. This is a message about the Macintosh operating system and
software dependencies. It's more of a warning than anything.
WHO SHOULD READ THIS:
Macintosh Users with Mac OS 10.8 (Mountain Lion) and Older who use VPN
Macintosh Users with Mac OS 10.9 (Mavericks)
Newer Mac OS users are not affected.
Windows users are not affected.
WHAT YOU SHOULD DO:
It depends.
First, go to the Apple Menu in the upper left-hand corner and choose ABOUT
THIS MAC; a dialog box will pop up.
The dialog box will display the name of the operating system (i.e. Yosemite)
in big letters, and the version (i.e. 10.10.3) in smaller letters underneath.
Make a note of the OS and close the dialog box.
If you are using Mac OS 10.8 or earlier, and you have to use VPN to connect to
the UO secure computing assents, then you'll need to update the Mac OS. This
will probably mean updating to OS 10.11.5 (El Capitan).
If you're using Mac OS 10.8 or earlier, and you don't need VPN, then you're
probably OK for the next month. Be advised that Apple ceased supporting Mac
OS 10.8 at the beginning of 2016, so it's becoming less secure as time goes by
and various vulnerabilities are discovered but not patched. Also, the Chrome
Browser no longer provides security updates for Mac OS 10.8. If you think
you'll continue to use the iMac or MacBook you're using beyond July, I would
upgrade to improve computer security; again this will probably mean updating
to OS 10.11.5. Don't wait too long (see below).
If you're going to get new hardware, I'd get it sooner rather than later.
Getting the hardware now means it will ship with the latest version of OS
10.11, which fixes irritating bugs discovered by early adapters last
September. Getting the hardware in early August risks the possibility of it
coming factory installed with OS 10.12.0 (Sierra). New OSes from Apple don't
exactly have a sterling reputation as far as introducing funny little bugs
with networking or printing or talking with peripherals or with iTunes wanting
to store everything on the iCloud.
ADDITIONAL INFORMATION for the Technically Curious:
OS 10.6 (Snow Leopard) Unsupported
OS 10.7 (Lion) Unsupported
OS 10.8 (Mountain Lion) Unsupported
OS 10.9 (Mavericks) Supported (*probably* through December 2016)
OS 10.10 (Yosemite) Supported
OS 10.11 (El Capitan) Supported
OS 10.12 (Sierra) To be released soon
See message below:
From: deptcomp-bounces@lists.uoregon.edu
[mailto:deptcomp-bounces@lists.uoregon.edu] On Behalf Of Technology Service
Desk
Sent: Thursday, June 30, 2016 11:56 AM
To: IT Directors; Departmental Computing
Subject: deptcomp: Mac OS X compatibility with VPN
As you may recall, Information Services made available an update to the UO VPN
software, AnyConnect, yesterday morning. That upgrade installs itself when the
user next attempts to connect using AnyConnect.
This version of AnyConnect (4.3.00748) does not work on Mac OS X 10.8 and
earlier. (AnyConnect supports Mac OS X 10.9 through Mac OS X 10.11.)
Apple ended support for Mac OS X 10.8 on December 31, 2015 when they stopped
providing security updates for that operating system. Since Apple no longer
supports OS X 10.8, AnyConnect dropped support for that operating system as
well, since OS security updates are a key way of keeping an OS secure.
If you have any questions, please contact the Technology Service Desk
(techdesk@uoregon.edu; 541-346-4357).
UO Technology Service Desk
Information Services
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk
2016-06-09
WHAT THIS IS ABOUT:
The folks in McKenzie will be reconfiguring the UO wireless network next
Thursday, June 16; this will require fiddling with network settings.
WHO SHOULD READ THIS:
Everyone who uses the wireless network.
Ethernet users shouldn't be affected.
WHAT YOU SHOULD DO:
Whenever there is a major change in the network, I always advise making sure
time-sensitive work is finished the day before. Be sure to give yourself
extra time Thursday morning, June 16, to get computer work done.
Macintosh users:
The Computer Center is advising Macintosh users to visit
http://wireless.uoregon.edu/ between now and June 16 to install the new
configuration. In the past, I have found that it's useful to be connected to
the UO Ethernet when visiting the website.
Windows users:
Windows users should be able to simply connect to the UO wireless network.
The first time you connect, you may need to trust a new security certificate
and re-enter your username and password. If you get network password errors,
and you know your UO password is correct, go to http://wireless.uoregon.edu/
and follow the steps to install a new profile.
Mobile device users:
iPhone, iPad, Android, and other mobile device users will need to visit
http://wireless.uoregon.edu/ on June 16.
ADDITIONAL INFORMATION for the Technically Curious:
When computers talk to each other, especially when they are talking over a
secure connection, they use something called a security certificate to verify
each other's identities. The new wireless configuration comes with a new
certificate.
The following message is from the Technology Serivce Desk:
From: deptcomp-bounces@lists.uoregon.edu
[mailto:deptcomp-bounces@lists.uoregon.edu] On Behalf Of Technology Service
Desk
Sent: Wednesday, June 08, 2016 3:16 PM
To: Departmental Computing
Subject: deptcomp: Wireless change Jun. 16 will require some user action
**Please share with others in your unit.**
On Thursday, June 16, between 5am and 7am, we will be switching to a new
system for the UO Secure and eduroam wireless networks. This change will
require action by many users the first time they connect to these wireless
networks after the change.
" Some Mac users (and others) may be unable to connect until they
install a new wireless profile from http://wireless.uoregon.edu/
" Some people may simply be asked to trust a new certificate or reenter
their credentials
Mac users can act proactively by installing a new wireless profile before June
16. To do that, go to http://wireless.uoregon.edu/ and walk through the steps.
(This will install the new certificate while leaving the old one in place.)
In the past, Windows 7 users have sometimes received misleading prompts saying
their passwords were bad when really they just needed to install a new
wireless profile. We did not encounter this situation in recent testing.
If you have any questions or run into issues on June 16 (or any time), please
let us know.
UO Technology Service Desk
Information Services
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk
2016-05-17
WHAT THIS IS ABOUT:
iOS 9.3.2 can brick iPads (in computer parlance, to "brick" a computer means
to break a computer so thoroughly that it becomes the equivalent of a brick,
door-stop, or anchor). The problem appears to be limited to newer 9.7 inch
iPad Pros. I'd give this 4 Admiral Ackbars.
WHOU SHOULD READ THIS:
Folks with new 9.7 inch iPads.
Folks with older iPads, iPhones or other iThings should take note.
iMacs or divices running the desktop OS are not affected.
Windows users are not affected.
WHAT YOU SHOULD DO:
Hold off on updating to iOS 9.3.2 on your iPad for a few weeks.
ADDITIONAL INFORMATION for the Technically Curious
To quote
http://www.forbes.com/sites/gordonkelly/2016/05/16/apple-ios-9-3-2-ipad-pro-problems/
"When affected devices install iOS 9.3.2 and restart users are presented
with an 'Error 56' code which tells them to connect to iTunes. The
problem is connecting to iTunes does nothing, the device is locked and
forced reboots only return it the same state.
As for the error code itself, according to Apple's code guide, Error 56
is loosely described as a "hardware issue", which doesn't sound like a
credible explanation."
What an new 9.7 inch iPad Pro is (detailed information and review):
http://www.macrumors.com/roundup/ipad-pro/
Mac Rumors (iOS 9.3.2 bricking 9.7 inch ipad pros):
http://www.macrumors.com/2016/05/16/ios-9-3-2-bricking-some-9-7-ipad-pros/
The Register (iOS 9.3.2 updates, then bricks iPads):
http://www.theregister.co.uk/2016/05/17/apple_bricks_ipads/
International Business Times
http://www.ibtimes.co.uk/ios-9-3-2-released-by-apple-fixes-iphone-se-bluetooth-problem-bricks-some-ipads-error-56-1560419
The upgrade from Apple causing the problem (techno-heavy, info-light):
https://support.apple.com/en-au/HT206568
Error 56 (not to be confused with Palpatine's Order 66):
https://support.apple.com/en-us/HT204770#hardware
2016-04-18
WHAT THIS IS ABOUT:
Apple Computer has ceased supporting QuickTime for Windows (in computer
support parlance, QuickTime for Windows is deprecated); this means that two
zero-day vulnerabilities in QuickTime will not be patched. Ever. 2.5
Admiral Ackbars.
WHO SHOULD READ THIS:
Windows Users with Apple QuickTime Installed on their computers.
Macintosh Users are not affected.
WHAT YOU SHOULD DO:
Uninstall Apple QuickTime on your Windows Computer.
(Lifted shamelessly from Time Magazine's instructions for uninstalling
QuickTime:
http://time.com/4297456/uninstall-quicktime-windows-10-7/ )
For Windows 10:
1. Press the Start button.
2. Select "Settings."
3. Choose "System" and then navigate to "Apps and features."
4. Find QuickTime in the list of apps, and select "Uninstall."
For Windows 7:
1. Press the Start button.
2. Select "Control Panel."
3. Choose "Programs" and then navigate to "Programs and features."
4. Find QuickTime in the list of programs, and select "Uninstall."
ADDITIONAL INFORMATION for the Technically Curious:
Apple's Instructions (which point to Microsoft's instructions):
https://support.apple.com/en-us/HT205771
http://windows.microsoft.com/en-us/windows/uninstall-change-program#uninstall-change-program=windows-7
Time Magazine's instructions for uninstalling QuickTime:
http://time.com/4297456/uninstall-quicktime-windows-10-7/
US Computer Emergency Readiness Team (US-CERT) Advisory:
https://www.us-cert.gov/ncas/alerts/TA16-105A
Trend Micro Report:
http://blog.trendmicro.com/urgent-call-action-uninstall-quicktime-windows-today/
Ars Technica:
http://arstechnica.com/security/2016/04/apple-stops-patching-quicktime-for-windows-despite-2-active-vulnerabilities/
The Register:
http://www.theregister.co.uk/2016/04/14/uninstall_quicktime_for_windows/
Details on the Zero-Day Flaws (summary: the Evil Ones trick the computer into
running Malicious Software and take over your computer):
http://zerodayinitiative.com/advisories/ZDI-16-241/
http://zerodayinitiative.com/advisories/ZDI-16-242/
2016-04-08
WHAT THIS IS ABOUT:
The computer security press is abuzz (again) about the latest Adobe Flash
security hole (again). Given that this opens up one's computer to Ransomware
Attacks, I'll give it 3.5 Admiral Ackbars.
WHO SHOULD READ THIS:
Everyone who hasn't already uninstalled Adobe Flash from their computers.
WHAT YOU SHOULD DO:
1) Make sure you are running the latest version of your web browser:
Chrome:
Follow this link: chrome://help/ and follow the prompts.
Firefox:
Go to the HELP menu and choose ABOUT FIREFOX. Follow the prompts.
Safari:
Go to the APPLE MENU and choose APP STORE, then choose UPDATES. Any Safari
updates will be listed.
Internet Explorer:
Go to the START MENU, Choose ALL PROGRAMS, and WINDOWS UPDATE. Follow
prompts to install important or critical updates.
2A) First Option: Uninstall Flash. Seriously.
Windows:
Control Panel > Programs and Features > Select Adobe Flash Player software(s)
> Select UNINSTALL
Macintosh:
It's a little more complicated see
http://www.macworld.com/article/2993361/security/how-to-uninstall-flash-player-from-your-mac.html
for instructions.
2B) Or Second Option: Live with Flash by updating it.
If you must have the Flash Player on your computer, go here:
https://helpx.adobe.com/security/products/flash-player/apsb16-10.html
and follow the instructions to update Flash.
ADDITIONAL INFORMATION for the Technically Curious:
Flash exploit and link to fix:
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/7102/adobe-flash-player-vulnerability-cve20161019
Quick Summary of the Flash Exploit:
https://nakedsecurity.sophos.com/2016/04/08/adobe-ships-0-day-patch-for-flash-get-it-while-its-hot/
http://www.reuters.com/article/us-adobe-systems-cyber-ransomware-idUSKCN0X502K
What The Bad Guys Are Up To with the Flash Security Hole:
http://www.securityweek.com/adobe-patches-flash-zero-day-exploited-magnitude-ek
An Analysis of the Malicious Payload using the Flash Security Hole:
https://www.proofpoint.com/uk/threat-insight/post/killing-zero-day-in-the-egg
Ars Technica article on the Flash Exploit:
http://arstechnica.com/security/2016/04/adobe-flash-update-ransomware-windows-10/
Slightly Related Article on Ransomware:
http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomware-is-bad-news-for-everyone/
Adobe Flash's Track Record of Shame:
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2015-07-14
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2015-06-24
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2015-01-27
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-02-21
2016-03-15
WHAT THIS IS ABOUT:
Take a deep breath. Malvertisers have infected very popular websites (NY
Times, BBC, MSL, AOL) with malware which will attempt to encrypt your data for
a ransom. I'd give this situation Three and a Half Admiral Ackbars.
WHOU SHOULD READ THIS:
Sigh. Everyone.
Macintosh users may be OK, as the encryption package appears to only work on
Windows machines however, I'm putting on my Casandra Outfit and warning
Macintosh users to follow the steps below to protect themselves from next
time.
WHAT YOU SHOULD DO:
Make physical backups of your data. (Go to the Duckstore, get two USB sticks,
back up your data, alternate sticks every week; store the off-week USB at a
friend's house in case there's a fire.) Dropbox, Google Docs, and OneDrive
are not backup options; the data needs to be physically removed from your main
computer for it to be backed up.
Go to McAfee (or whatever anti-viral software you have running) and update it.
The campaign is aggressive, but stealthy; if the malware sees an antiviral
package, it will retreat to avoid detection.
The malware uses the usual attack methods: Java, Silverlight, Adobe Flash.
Uninstalling these pieces of software will help protect your computer. If you
must use them, be sure you are running the latest versions.
Technically advanced users may wish to edit home router block lists, adding
the following domains:
answers.com
zerohedge.com
infolinks.com
brentsmedia.com
evangmedia.com
shangjiamedia.com
ADDITIONAL INFORMATION for the Technically Curious:
Malvertisement: an advertisement, typically on a side-bar on a web
page, that attempts to install malware onto a computer.
Malware: Malicious software.
Ransomware: Software that typically encrypts your data and then
demands a ransom to unencrypt it.
http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/
http://www.pcworld.com/article/3044145/security/top-websites-affected-by-angler-exploit-kit-malvertising-security-vendors-say.html
http://www.hotforsecurity.com/blog/angler-exploit-kit-updated-to-target-pcs-and-macs-with-silverlight-attack-13449.html
Heimdal Security Infomercial about how Angler Works (introductory info, and
they're pitching their security product)
https://heimdalsecurity.com/blog/ultimate-guide-angler-exploit-kit-non-technical-people/
Technicallly Detailed Overview of the Angler Exploit Kit:
https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
2016-02-29a
This is information-lite, but of possible interest:
http://www.welivesecurity.com/2016/02/29/5-threats-every-company-needs-pay-attention/
I'm forwarding it to raise awareness of computer security in the wake of last
week's ransomware attack and because Windows is what we're using in the main
office.
The take away:
The main computer security threats are
Malicious e-mail
Malicious RAM sticks.
Malicious web pages that run exploits (Internet Explorer, I'm looking at
you)
Ransomware
Unprotected mobile devices (see #2)
The implied solutions are
Have anti-viral software scan your e-mail, and be careful opening
attachments.
Know the history of the RAM sticks you load on your computer; also, use
the server to share files.
Have anti-viral software look over your shoulder when you surf; also,
don't use Internet Explorer.
See above; also have a "fire plan" so you can recover data that has been
encrypted.
Protect mobile devices before they connect to the UO computing
environment.
2016-02-29
WHAT THIS IS ABOUT:
Don't panic. This is a PSA for users of Macintosh OS 10.11 (El Capitan).
Over the last weekend in February, Apple released a security update that
disables a Macintosh's Ethernet. Wireless still works, so I'll rate this at
One Admiral Ackbar for inconvenience.
WHO SHOULD READ THIS:
Users of Macintosh OS 10.11 (El Capitan)
Other Macintosh Users are Not Affected
Windows Users are Not Affected
WHAT YOU SHOULD DO:
If you use Mac OS 10.11 (El Capitan), and over the weekend your Ethernet
suddenly stopped working (and you know your cables are securely plugged in),
chances are an Apple system update disabled your Ethernet.
You can re-enable it following the instructions here:
https://support.apple.com/en-us/HT6672
ADDITIONAL INFORMATION for the Technically Curious:
Apple attempts to protect users by installing a blacklist of untrusted kernel
extensions within the OS. The kernel is the software that creates the OS, and
an extension is extra software. For example, if Apple knows that a certain
brand of printer driver causes crashes, it will blacklist it to prevent the
system crashes. This time around, Apple blacklisted its own Ethernet driver
kernel extensions.
http://arstechnica.com/apple/2016/02/os-x-blacklist-accidentally-disables-ethernet-in-os-x-10-11/
https://derflounder.wordpress.com/2016/02/28/apple-security-update-blocks-apple-ethernet-drivers-on-el-capitan/
2016-02-26
Sent on behalf of Will Laney, Chief Information Security Officer
Hello Everyone,
We have recently had some users infected with malware known as "Locky".
Locky is a ransomware program that encrypts the user's data on their local
hard drive as well as any data on mapped network drives (such as file shares)
the user can access. Once Locky encrypts all of the user's data, they will be
offered the opportunity to buy a decryption key to unlock their data.
Its current infection process is to trick users into opening an MS Office
(Word/Excel/PPT/etc.) document loaded with a macro that they receive via
email. The malware is loaded through the MS Office macro. To entice the users,
the subjects and names of the emails and files include words such as "Invoice"
or "Remittance" (this will certainly change over time). If the macro isn't
immediately run by opening the file, the document will ask the user to enable
the running of macros. We believe this macro downloads Locky and runs it on
the user's computer.
We are also getting reports of a similar infection method via PDF files.
At this point, Locky only targets Windows systems. If a user reports opening a
suspicious document such as the ones described above, please have them turn
off the system as quickly as possible to avoid more files being encrypted. We
suggest that you remove the hard drive from the system and reimage the hard
drive. You can use tools (such as McAfee) to look for the malware, but there
may be other variations of the malware that would be missed by these tools. If
you are going to use these tools, make sure you are not booting from the
infected drive or it will continue to encrypt more files. This is why a clean
reimaging of the system is recommended.
You may have heard about this happening in a California hospital:
http://sanfrancisco.cbslocal.com/2016/02/18/california-hospital-ransomware-attack-hackers/
One important issue this brings up is that of backup procedures. If you
already have something in place, please make sure those procedures continue.
If you do not have any procedures in place, we will be releasing guidelines
for server and individual backups in the coming weeks to help aid in
developing your own.
Take care and stay safe,
Will Laney, CISSP, CISA
Chief Information Security Officer
The University of Oregon
2016-02-02
WHAT THIS IS ABOUT:
Don't panic. This is a PSA. Microsoft is stepping up its efforts to get
folks to upgrade to Windows 10.
WHO SHOULD READ THIS:
Windows users.
Macintosh users are not affected.
WHAT YOU SHOULD DO:
The Windows 10 update is now a recommended update. This means Windows
automatic updates will be more aggressive about downloading and installing the
new Windows operating system. Users are still given the option to upgrade or
not. Be mindful of where you click.
At this point, I'm advising folks to upgrade if they would like to - however,
this may be a good Spring Break task.
The main hurdle to updating last Fall Term was that McAfee hadn't caught up to
Windows 10, but McAfee works now. Some of the issues with the initial release
of Windows 10 have been addressed.
There are some privacy issues with Windows phoning the mothership back at
Microsoft; see the privacy links below for how to turn down the flow of
surveillance from Redmond.
ADDITIONAL INFORMATION:
http://windows.microsoft.com/en-us/windows-10/upgrade-to-windows-10-faq
http://arstechnica.com/information-technology/2016/02/ready-or-not-here-comes-windows-10/
http://www.theregister.co.uk/2016/02/02/microsoft_ups_pressure_win_10_holdouts/
Making Window 10 Respect Your Privacy:
http://arstechnica.com/information-technology/2015/08/windows-10-doesnt-offer-much-privacy-by-default-heres-how-to-fix-it/
https://fix10.isleaked.com/
http://www.theregister.co.uk/2015/08/03/windows_10_privacy_defaults/
Some older information
What Happens to Your Home WiFi Security when a Win10 User Logs in:
https://grahamcluley.com/2015/08/windows-10-wifi/
Windows 10 Doesn't Use Child Accounts:
http://www.theregister.co.uk/2015/08/05/windows_10_wipes_child_safety_settings_upgrade/
Random Bug Complaints:
http://www.theregister.co.uk/2015/07/29/windows_10_bug_alert_start_menu_breaks_512_entries/
That Auto-update Driver problem:
http://www.theregister.co.uk/2015/07/28/windows_10_update_nvidia_driver_conflict/
https://grahamcluley.com/2015/07/windows-10-borked-automatic-updates-nvidia-drivers/
http://www.cnet.com/news/microsoft-fixes-windows-10-crash-bug-ahead-of-july-29-launch/
2016-01-29
WHAT THIS IS ABOUT:
Don't panic: this is a PSA about how a new UO network configuration will
affect printing from home.
WHO SHOULD READ THIS:
Folks who print from home to one of the English Department Printers in PLC.
Folks who print within PLC only are not affected.
WHAT YOU SHOULD DO:
If you are working from home, and your home computer suddenly can't seem to
find the English Department printers
Connect to the UO network with VPN. Instructions for installing and using
VPN are here:
https://it.uoregon.edu/vpn
Once VPN is running on your home computer, the UO network will think you are
on campus, and the printers will start talking to your computer; you should be
able to print from home.
ADDITIONAL INFORMATION for the Technically Curious.
UO Network Security and CAS-IT -- in an attempt to secure printers from the
recent FTP attacks which caused printers to spew out reams' worth of machine
code -- have teamed up and put an IP Block on the English Department's
Printers' static IP addresses. If you think of a printer like a leaf, the IP
Block is like a ninja praying mantis lower down on the branch, refusing to let
any slugs from the roots at the bottom of the trunk pass it. Ants already
above the praying mantis can carry messages back and forth among the leaves.
2015-12-18
WHAT THIS IS ABOUT:
A malicious bot is scanning printers on the UO campus in an attempt to gather
user information from them. This is confusing the printers and making them
print blank sheets of paper until the paper runs out or the printer jams. I'm
rating this at Two Admiral Ackbars because the bot is simple and our printers
aren't using factory default security settings.
WHO SHOULD READ THIS:
Folks using the English Department Printers in PLC 118, 228, and 232.
Local desktop printers may be affected.
WHAT YOU SHOULD DO:
This is particularly obnoxious during the holiday season, when printer attacks
may go for some time before being noticed.
The English Department Staff will be powering down the printers overnight to
prevent the malicious bot from doing its dirty deeds.
As an added precaution, paper levels in the printer may be lower than typical
levels.
During the last weeks of December, if you come in in the morning and expect to
print, you'll want to confirm the printer is on before doing so.
If you turn on a printer, print, and are finished, you are encouraged to turn
the printer off.
If you are leaving your office for the holidays, turn off all your computers
and printers.
ADDITIONAL INFORMATION for the Technically Curious:
Most printers have web, FTP, and other network servers built into them.
The bot is trying to find out information about users entered into the printer
(e.g. usernames and UO ID codes)
The bot isn't very smart, and seems to be easily defeated by non-factory
security settings.
There's no official word out about this yet; I just happened to bump into a
CAS-IT tech who told me about it. Official word may show up in the dept-comp
list: https://lists-prod.uoregon.edu/mailman/private/deptcomp/
There's no word here:
https://twitter.com/UOTechDesk
https://www.facebook.com/UOTechDesk
http://blogs.uoregon.edu/casitblog/
https://casit.uoregon.edu/news
Sort of related, but not this specific problem:
https://casit.uoregon.edu/news/printer-security-incidents
2015-11-24
WHAT THIS IS ABOUT:
Dell Computer installed a self-signed root security certificate on some of its
newer laptop and desktop computers. This is a huge security hole that some
folks are likening to Lenovo's SuperFish Debacle. Rated at 3.5 Admiral
Ackbars for hack-ability and man-in-the-middle attacks.
WHO SHOULD READ THIS:
Users with newer Dell model computers, especially:
XPS 15, L
Latitude E7450,
Inspirion 5548,
Inspirion 5000,
Inspiron 3647,
Precision M4800
Other computer users are not affected.
WHAT YOU SHOULD DO:
Use Chrome or Internet Explorer on your Dell computer to visit this site:
https://edell.tlsfun.de/
If you get a green banner that says "No bad eDell certificate found" then
you're not vulnerable. Yay!
If you get a warning message about bad eDell certificates, go here:
(PDF)
https://dellupdater.dell.com/Downloads/APP009/eDellRootCertificateRemovalInstructions.pdf
Or use this uninstall tool here:
https://dellupdater.dell.com/Downloads/APP009/eDellRootCertFix.exe
(Dell's Uninstall Tool) .
ADDITIONAL INFORMATION for the Technically Curious:
Dell wanted to make things easier for remotely servicing machines, so they
created "Dell Foundation Systems" utilities using the eDell root security
certificate. No, really; they're not bundling in Adware or Malware.
http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate
Technical News Reports:
http://arstechnica.com/security/2015/11/dell-apologizes-for-https-certificate-fiasco-provides-removal-tool/
http://www.securityweek.com/root-certificate-shipped-dell-pcs-poses-serious-risk
http://www.welivesecurity.com/2015/11/24/dell-root-certificate-vulnerability-leaves-users-open-attack/
http://arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/
http://www.theregister.co.uk/2015/11/23/dude_youre_getting_pwned/
http://www.kb.cert.org/vuls/id/870761
Original researcher's research:
http://joenord.blogspot.com/2015/11/new-dell-computer-comes-with-edellroot.html
2015-10-01
WHAT THIS IS ABOUT:
Microsoft Windows Users appear to be receiving a "unexplained and almost
certainly unauthorized patch" Windows Update. The technical security folks
worry that the Microsoft Update server may have been compromised. If this is
true, then this is worth Four Admiral Ackbars.
Next-day Follow-up: Yesterday's suspicious Windows Update was a test
update mistakenly published by Microsoft.
http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspicious-windows-update-delivered-worldwide/
Downgraded to a half an Admiral Ackbar, or maybe even a Jar-Jar Binks.
John (whew)
WHO SHOULD READ THIS:
Windows Users, especially Windows 7 users.
Macintosh Users are unaffected.
WHAT YOU SHOULD DO:
If you receive a Windows Update, which appears to be some sort of language
pack update, with the following details:
gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL
Download size: 4.3 MB
You may need to restart your computer for this update to take effect.
Update type: Important
qQMphgyOoFUxFLfNprOUQpHS
Do not install it. I've read one report of the upgrade crashing Windows (at
least).
ADDITIONAL INFORMATION:
Microsoft typically releases Windows updates the second Tuesday of every
month. Occasionally they will release an "out of band" update to fix a
particularly worrisome problem, but this does not appear to be the case this
time around.
As of 2/9/30/2015 11:50 AM, this is a breaking story
"People around the world are receiving a highly suspicious software bulletin
through the official Windows Update, raising concerns that Microsoft's
automatic patching mechanism may be broken or, worse, has been compromised to
attack end users."
http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspicious-windows-update-delivered-worldwide/
https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e
2015-09-22
WHAT THIS IS ABOUT:
Over the weekend, computer security folks discovered that a host of iOS aps
infected with malicious code, called XcodeGhost, had snuck past Apple
Security and made it to the App Store, I'll rate this Two and a Half Admiral
Ackbars.
WHO SHOULD READ THIS:
Users of iPhones, iPads, and other iThings.
Windows Users are Not Affected.
WHAT YOU SHOULD DO:
Most American-based users won't be affected by this problem. However, if you
have
WeChat,
CamCard
Angry Birds 2 (Chinese Version)
Didi Chuxing
Installed on your iThing, you should delete it now. A full list of (mostly
China-based) apps infected with XcodeGhost may be found here:
http://www.cultofmac.com/389693/xcodeghost-hack-delete-these-infected-ios-apps-immediately/
If you discover that an XcodeGhost app made it onto your mobile device, make
sure to change passwords on any web or internet sites the poisoned app may
have used.
ADDITIONAL INFORMATION for the Technically Curious:
Xcode is a programming tool for iOS; folks use it to program apps.
Programmers write a program, and then use Xcode to create a stand-alone app
(in computing terminology, Xcode is called a compiler). A malicious copy of
Xcode, called XcodeGhost, managed to poison the software of various companies,
mostly based in China. An unsuspecting programmer using the poisoned
compiler would unwittingly put data-siphoning software into their program.
Infected apps would then track
Current time
Current infected app's name
The app's bundle identifier
Current device's name and type
Current system's language and country
Current device's UUID
Network type
A list of what to delete:
http://www.cultofmac.com/389693/xcodeghost-hack-delete-these-infected-ios-apps-immediately/
Some more technical advice:
https://isc.sans.edu/forums/diary/Detecting+XCodeGhost+Activity/20171/
News of the Malicious Code Lapse:
http://www.cultofmac.com/389644/apple-cleans-up-the-app-store-after-biggest-security-lapse-in-history/
http://arstechnica.com/security/2015/09/apple-scrambles-after-40-malicious-xcodeghost-apps-haunt-app-store/
Technical Report of Xcode Ghost:
http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/
http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/
No, really, it's just the Chinese Version of Angry Birds II:
https://support.rovio.com/hc/en-us/articles/210094088-Is-Angry-Birds-2-infected-with-malware-
What Xcode is:
https://developer.apple.com/xcode/
2015-09-16b
WHAT THIS IS ABOUT:
With the arrival of iOS 9 for Apple mobile devices, computer security seems
extraordinarily focused on a (oldish) security hole in AirDrop, a BlueTooth
tool for sharing files. The vulnerability allows an attacker to install
malicious software onto an iDevice with AirDrop turned on. This is a real
problem, but since AirDrop is turned off by default, I'm rating this at 3.5
Ackbars.
WHO SHOULD READ THIS:
Folks with newer iPhones, iPads, and other iThings.
Older iThings may not be able to run AirDrop.
AirDrop for Lion, Mountain Lion, Mavericks, Yosemite, and El Capitan
(coming soon) may be affected.
Windows users are not affected.
WHAT YOU SHOULD DO:
Confirm that you have AirDrop turned off.
* Instructions For Mobile Devices.
If your iThing is running iOS 6 or older, STOP; you cannot run
AirDrop and you're safe.
If your iThing is one of the following:
+ iPhone 4 or older;
+ iPad 3rd generation or older;
+ iPod touch 4th generation or older
STOP; your device cannot run AirDrop and you're safe.
If your device can run AirDrop, confirm that it's turned off:
1. Turn on your device.
2. Swipe up from the bottom of the screen to show the Control Center
3. Tap AirDrop (if you see no AirDrop icon, your device can't run it: Yay!)
4. Choose OFF to turn AirDrop off (if it isn't already).
Instructions for Apple Macintosh Operating System:
1. Start your computer.
2. Click on the double-faced Finder icon in the task bar; a finder window
should appear.
3. On the left-hand side, in the FAVORITES column, click on the AirDrop
option; an AirDrop icon should appear.
4. AirDrop for Macintosh requires Wi-Fi; your UO Office Macintosh should be
connected to the UO Network through an Ethernet Cable. Turning off
Wi-Fi will turn off Airdop.
5. If for some reason you must use Wi-Fi, you can mitigate AirDrop by
selecting "Allow me to be discovered by: NO ONE"
ADDITIONAL INFORMATION for the Technically Curious:
This isn't exactly a new security flaw, as pranksters and stalkers have
been using AirDrop maliciously to deliver funny or disturbing photos to
targets for a while. The more cynical part of me notes that the articles
(springing up today) about AirDrop include the news that updating to iOS 9
(also released today) supposedly fixes this security hole (it doesn't
completely). However, the new twist appears to be that someone's figured
out how to deliver malware via AirDrop in addition to unwanted pictures.
AirDrop for OS 10.7 (Lion) and above:
https://support.apple.com/en-us/HT202267
AirDrop for mobile devices:
https://support.apple.com/en-gb/HT204144
Ars Technica Article:
http://arstechnica.com/security/2015/09/apple-mitigates-but-doesnt-fully-fix-critical-ios-airdrop-vulnerability/
The Register Article:
http://www.theregister.co.uk/2015/09/16/airdrop_hole_malware_pre_ios_9/
2015-09-16a
WHAT THIS IS ABOUT:
Don't panic. This is merely a PSA. The latest operating system for Apple
mobile devices, iOS 9, will be released this morning (9/16/2015) at 10.
WHO SHOULD READ THIS:
Users with iPhones, iPads, iPods, and other iThings.
WHAT YOU SHOULD DO:
Resist the urge to jump on the update bandwagon the microsecond iOS 9
appears. Major iOS changes tend to have a handful of bugs (er,
"features!") that can range from the annoying (new gestures for e-mail!) to
really painful (but I just charged the battery!), and it's always a good
idea to wait a week or two for the early adaptors to discover the hidden
gotchas.
ADDITIONAL INFORMATION for the Technically Curious:
Generally, reviewers love the new iOS; folks with older iPads and iPhones
may not have the hardware to take advantage of some of the super-cool
features of iOS 9.
Ars Technica's Review of iOS 9:
http://arstechnica.com/apple/2015/09/ios-9-thoroughly-reviewed/1/
Cult of Mac's Love Letter to iOS 9:
http://www.cultofmac.com/388770/ios-9-review-all-about-speed/
2015-09-03
WHAT THIS IS ABOUT:
Don't panic: This is merely a PSA about following links to shady sites.
WHO SHOULD READ THIS:
Everyone who uses the web or e-mail.
WHAT YOU SHOULD DO:
If you are reading an e-mail or a web page, and as you hover your mouse's
cursor over a link, and the web address ends in one of the following domains:
.zip
.review
.country
.kim
.cricket
.science
.work
.party
.gq
.link
then, Gentle Reader, stay your mouse's click; the link is almost certainly
going to take you to the shady side of the web where malware bots, spammers
and phishers ply their unwholesome wares and lay their tangled snares.
So, for example, if one is urged to update one's UO account password by
following the link to accounts.uoregon.link, then you know It's A Trap.
Likewise, if the Transylvania Polygnostic University is asking you to take a
look at a call for papers at www.tpu.review, think before you click.
ADDITIONAL INFORMATION for the Technically Curious:
http://arstechnica.com/security/2015/09/many-new-top-level-domains-have-become-internets-bad-neighborhoods/http://arstechnica.com/business/2011/06/icann-approves-plan-to-vastly-expand-top-level-domains/http://www.theregister.co.uk/2015/09/03/blue_coat_domain_report/
WHAT THIS IS ABOUT:
UO e-mail users have received a phishing attempt, directing them to an
off-campus web site in the hope of harvesting UO usernames and passwords.
WHO SHOULD READ THIS:
Everyone (sigh).
WHAT YOU SHOULD DO:
If you received an e-mail message with a generic message along the lines that
your login password will expire, trash it. Do not follow any links in the
message. At the worst, they'll take you to a site that will try to trick you
into entering your username and password. At the worst, the rogue web page
will try to hijack your web browser.
If you did follow the link and give information about your account, please
contact the University of Oregon Technology Service Desk immediately at
techdesk@uoregon.edu or (541) 346-HELP (346-4357).
More information is here:
https://it.uoregon.edu/node/2019
ADDITIONAL INFORMATION for the Technically Curious:
The UO Tech Desk has the following information:
https://it.uoregon.edu/phishinghttps://it.uoregon.edu/node/4339
Here's what a REAL message from the UO Tech Desk looks like:
-----Original Message-----
From: authmail@uoregon.edu [mailto:authmail@uoregon.edu]
Sent: Sunday, June 21, 2015 1:09 AM
To: engl@uoregon.edu
Subject: [Duck ID] Password Nearing Expiration
This is a courtesy email to let you know that your Duck ID password for
'engl' will expire in 7 days. Once your password expires you will not be able
to access Blackboard, the UO wireless network, email, or other services that
require authentication. For this reason, you may wish to change your password
before it expires. To change your password, go to https://duckid.uoregon.edu
and login with your username and expired password.
Please contact the Technology Service Desk if you have questions.
Information Services Technology Service Desk
(541) 346-4357
techdesk@uoregon.edu
And here's what a FAKE message looks like:
-------- Forwarded Message --------
Subject: Login Authentication
Date: Mon, 06 Jul 2015 13:45:42 +0000
From: MARTA PALACIN MEJIAS
To: Undisclosed recipients: ;
Dear (UO) University of Oregon Email User,
Your login password will expire in 48hrs. To avoid expiry, click the below UO
Help Desk link, to authenticate your password immediately:-
Click link: REDACTED
UO Help Desk
Copyright 2015 University of Oregon. All Rights Reserved.
Discussion Contrasting and Comparing the Authentic and Fake E-mails:
In the first, authentic message, the sender is on-campus; this is not
the case in the second message.
In the first message, the recipient is a single user; in the fake
message, the recipients is an undisclosed list, suggesting a mass
e-mailing.
In the first message, the text is addressing a specific account; in the
fake message, the text is generic and vague.
The second message says to follow a link "to authenticate your password
immediately." One does not simply click a link to authenticate a password,
especially when it's off campus. Anyone who has used DuckID knows you have
to put on your UO Duck apparel and use your DuckId and your DuckPassword (and
possibly supply a few Duck security question answers) before changing your
Duck computer credentials.
The authentic message provides multiple contact points for folks with
questions; the fake one doesn't.
The end of the fake message includes a Copyright notice. Because, you
know, the Help Desk's messages are so valuable they don't want anyone
infringing on their intellectual property rights.
2015-06-24
WHAT THIS IS ABOUT:
Adobe has released an emergency patch for a critical zero-day in the Flash
Player. Flash Player is software that allows animation on web pages to run,
and is frequently targeted by The Bad Guys. Exploits for the flaw are
limited but active, and I'd rate this at two-and-half Admiral Ackbars.
WHO SHOULD READ THIS:
Windows users with Adobe Flash Player Installed.
Macintosh users with Adobe Flash Player Installed.
WHAT YOU SHOULD DO:
Go here:
https://www.adobe.com/software/flash/about/
This is a page which will tell you which version (if any) of the Flash Player
you have installed. You may need to authorize the player to run when the
page comes up.
If you have Adobe Flash Player installed, as of June 24, 2015 it should be
version 18.0.0.194.
The Adobe Flash Player's poor security track record make it a preferred
target for The Bad Guys; you may wish to uninstall it and see if you miss it.
That said. Depending on if your browser and what type of computer you use, do
one of the following:
ALL CHROME and INETERNET EXPLORER USERS:
If you use Chrome or Microsoft Internet Explorer to browse the web, update
your browser to automatically install the latest Flash update.
WINDOWS FIREFOX USERS:
If you use Firefox to browse the web then:
WHAT THIS IS ABOUT:
This is a PSA: A special sequence of text characters sent to an Apple iPhone
or iPad via a text messaging service will cause the device to crash. This is
more of an annoyance than a security issue.
WHO SHOULD READ THIS:
iPhone and iPad users.
Macintosh users.
Other users are not affected; this is a bug in Mac OS and iOS.
WHAT YOU SHOULD DO:
The bug is in the software in the notification center which displays a new
instant message's text. If you turn it off, there's no problem.
On an iPhone or iPad:
Tap the SETTINGS icon.
Tap NOTIFICATIONS from the selection menu.
Tap MESSAGES from the list that shows up.
Scroll down a bit to SHOW PREVIEWS and turn it off.
This bug affects Macintoshes as well, but only under unlikely cut-and-paste
circumstances.
ADDITIONAL INFORMATION:
http://www.intego.com/mac-security-blog/crash-text-message-iphone/
http://arstechnica.com/security/2015/05/beware-of-the-text-message-that-crashes-iphones/
2015-05-13
WHAT THIS IS ABOUT:
This is a PSA about a computer security problem called Venom. Venom has
been around since 2004. There is no active exploit in the wild for this
security flaw, so I'd rate this at Half a General Ackbar.
WHO SHOULD READ THIS:
Anyone. This is an internet-wide problem.
WHAT YOU SHOULD DO:
Don't panic when NPR covers this.
There's not a whole lot the average user can do; but computer system
administrators are probably freaking out a little.
On the very, very low chance remote file storage services (e.g. Dropbox,
GoogleDocs, Apple iCloud, etc.) are affected by this you may wish to review
important files and create local back-ups on USB stick or other physical
media you control.
ADDITIONAL INFORMATION for the Technically Curious:
Venom is being hyped as "worse than Heartbleed." Probably this is not the
case, but that hasn't stopped a security firm from designing a cool cobra
logo for the security flaw.
Venom works like this.
A physical computer in a data center creates a virtual electronic copy of
itself for users to use.
Legacy software controlling the virtual floppy drive on the virtual
machine has a buffer overflow error in it.
The Bad Guys hide Evil Commands in the overflow which gives them control
of the physical computer's operating system.
Now they can do anything they'd like on the physical machine, like
manipulate user files stored there.
WHAT THIS IS ABOUT:
Don't panic; there's some e-mail server reconfiguration going on. Many folks
will not be affected.
WHO SHOULD READ THIS:
Everyone who reads e-mail using a client such as Outlook, Thunderbird, or MacMail.
Webmail users are not affected.
WHAT YOU SHOULD DO:
Thursday morning (4/30) after 9 AM, if you discover that you can't send out
e-mails, go to your e-mail client's configuration and make sure the setting
for SMTP server is smtp.uoregon.edu, enable SSL, and set the port to 587.
Information Services maintains a set of instructions for configuring e-mail
clients here: https://it.uoregon.edu/set-up-email
ADDITIONAL INFORMATION for the Technically Curious:
https://it.uoregon.edu/email-settings
=======
Message from Information Services:
On the morning of March 24, IS staff changed the IP address for UO SMTP
(smtp.uoregon.edu):
Old IP address: 128.223.142.44
New IP address: 184.171.108.237
For most users and most use cases, this change was not
disruptive. However, we have received reports about several issues. We
apologize for not having notified you in advance about this change.
If you have a device such as a printer, fax, or multifunction device that
sends email, you may need to update the SMTP settings on the device itself,
or on the firewall or filters you use to protect such devices.
Whenever possible, please use "smtp.uoregon.edu" rather than the IP address.
That will avoid future disruptions if the IP address changes again.
However, if you are unable to use "smtp.uoregon.edu" in configurations,
please use the new IP address noted above.
The old IP address will be disabled in late April. In the meantime, when
possible, we will be working to identify and contact anyone still using the
old IP address.
This change to smtp.uoregon.edu is part of a broader, ongoing process of
streamlining services. Unfortunately, this type of work causes occasional
disruptions.
If you have any questions, please contact the Technology Service Desk
(techdesk@uoregon.edu; 541-346-4357).
UO Technology Service Desk
Information Services
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk
2015-04-24
WHAT THIS IS ABOUT:
A flaw in an iOS software library can allow The Bad Guys to see private data
used by certain apps. Don't panic; this flaw is not mobile operating system
wide - it's an app-by-app flaw.
WHOU SHOULD READ THIS:
Users of Apple Mobile Devices: iPhone, iPad, iPod, etc.
Macintosh Users are not affected (directly).
Windows Users are not affected.
WHAT YOU SHOULD DO:
There isn't a patch for this yet (although they're working on it).
You should check the security of various apps installed on your iPhone or
iPad, especially apps that send financial or other personal data:
Start up your iThing.
Tap the blue icon for the APP STORE.
Along the bottom of the App Store screen, tap the PURCHASED icon; a list of
purchased apps will appear.
Make a note of the App name and its developer (i.e., Blogger, by Google,
Inc). Or leave the list up and start up a browser on a different machine.
Once you have the list, go to
http://searchlight.sourcedna.com/lookup
It's a little confusing, but type in the name of a developer in the blank
text area (under the bold "iTunes Developer Name"). For example, you could
type in "Oregon Community Credit Union".
Once you've typed in the name of a company, press the SUBMIT button on the
web page.
A confirmation page will come up. It may display a list of similarly named
companies; select the company you want.
Press SUBMIT again.
A new page will come up with a security report for the app's developer.
(Apparently, Oregon Community Credit Union is in the clear.)
If the apps that a company makes are vulnerable, you'll see a red button
indicating so. If the company's software doesn't have this vulnerability,
the page will indicate that, too.
A random sampling of apps:
Skype 1.4.1 and 1.5.0 (both older versions) are vulnerable.
Pinterest 4.3 and 4.5.1 (both older versions) are vulnerable.
Clash of Clans is not vulnerable.
SimpleNote, by Automattic comes up with no report; but
Wordpress, also by Automattic, is vulnerable.
If an app is vulnerable, you'll want to make sure you aren't making an in-app
credit card purchase or using it to send banking information; keep an eye
out for app upgrades.
ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS:
From
http://arstechnica.com/security/2015/04/critical-https-bug-may-open-25000-ios-apps-to-eavesdropping-attacks/
"the bug resides in AFNetworking, an open-source code library that allows
developers to drop networking capabilities into their iOS and OS X apps. Any
app that uses a version of AFNetworking prior to the just-released 2.5.3 may
expose data that's trivial for hackers to monitor or modify, even when it's
protected by the secure sockets layer (SSL) protocol. The vulnerability can
be exploited by using any valid SSL certificate for any domain name, as long
as the digital credential was issued by a browser-trusted certificate
authority (CA)."
1,500 iOS apps have HTTPS-crippling bug.
http://arstechnica.com/security/2015/04/1500-ios-apps-have-https-crippling-bug-is-one-of-them-on-your-device/http://www.intego.com/mac-security-blog/ios-apps-data-vulnerability/http://www.macrumors.com/2015/04/21/security-flaws-1500-ios-apps-rootpipe/
Security Tool for Reviewing iOS 8.3 Apps
https://sourcedna.com/blog/20150420/afnetworking-vulnerability.html
Other iOS 8.3 News
Apple Releases iOS 8.3 With Emoji Updates, Wireless CarPlay, Space Bar UI Fix
http://www.macrumors.com/2015/04/08/apple-releases-ios-8-3/
iOS bug sends iPhones into endless crash cycle when exposed to rogue Wi-Fi
http://arstechnica.com/security/2015/04/ios-bug-sends-iphones-into-endless-crash-cycle-when-exposed-to-rogue-wi-fi/http://www.engadget.com/2015/04/22/ios-ssl-flaw-skycure/
WHAT THIS IS ABOUT:
Microsoft has recently released some security patches which close several
security holes.
WHO SHOULD READ THIS:
Folks using Windows 7.
Macintosh Users running Microsoft Office.
WHAT YOU SHOULD DO:
Windows Users:
Run Windows update, following the instructions here:
https://casitdocs.uoregon.edu/display/PUB/How+to+use+Windows+Update Macintosh Users:
Save and close any documents.
Make sure to close any web browsers.
Start Microsoft Word.
It's possible that the Microsoft AutoUpdate tool will launch.
If the AutoUpdate tool does not automatically launch, go to Word's HELP menu
and choose CHECK FOR UPDATES.
Once the AutoUpdate tool launches, let it install updates. Click INSTALL;
there will be a pause.
The AutoUpdate tool should launch a Update Installer; it will guide you -
follow the prompts to install.
Eventually, the update should install successfully. Click OK to close the
success message.
The AutoUpdate tool should auto-run one more time to check for any more
updates.
Keep going until the AutoUpdate Tool says there are no new updates.
ADDITIONAL INFORMATION:
Description of the MS Office for Mac 2011 14.4.9 Update: April 14
https://support.microsoft.com/en-us/kb/3051737
Microsoft Security Updates:
https://technet.microsoft.com/en-us/library/security/ms15-032.aspx
https://technet.microsoft.com/en-us/library/security/ms15-033.aspx
https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
https://technet.microsoft.com/en-us/library/security/ms15-035.aspx
Message from Sam Crow, of CAS-IT:
Please pass the following information along to your faculty and staff:
Microsoft has announced a critical security vulnerability that affects all
computers running Microsoft Windows, versions 7 and 8. Apple computers
running OS X are not affected unless Windows is running on those machines, in
any form.
To address the vulnerability, Microsoft has released a patch that must be
applied through Windows Update. After Windows Update have been applied,
restarting the computer is required. Your machine may have automatic updates
installed, but the above process is required.
Instructions for updating Windows can be found here:
http://goo.gl/MHcjEp
If you need further assistance, or have further questions, please contact
CASIT at casit@uoregon.edu, or 346-2388.
More information on the vulnerability can be found here:
http://goo.gl/MsDKIj
Thank you,
--
Sam Crow, Help Desk Manager, CASIT
College of Arts and Sciences IT Support Services
University of Oregon
2015-02-19
WHAT THIS IS ABOUT:
Lenovo, a computer manufacturer, in a move that seems inspired by Star Trek
Ferengis, has admitted to pre-installing Superfish, a piece of
man-in-the-middle adware, on some of its computer models. This makes secure
web use unsecure.
WHO SHOULD READ THIS:
Folks who have purchased Levono computers over the last two years.
Other computers are not at risk.
[Update from Ars Technica: Lenovo has released a list of models that may have
had Superfish installed.
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30]
WHAT YOU SHOULD DO:
If you have a newly purchased Levono computer, visit this site:
https://filippo.io/Badfish/
If your Lenovo computer has Superfish on it, the report will tell you.
If Superfish is on your Lenovo, you can try to uninstall it.
From: https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-Instructions-for-VisualDiscovery-Superfish-application/ta-p/2029206
Uninstalling Superfish Visual Discovery
Go to Control Panel > Uninstall a Program
Select Visual Discovery > Uninstall
Superfish will be removed from Program Files and Program Data directories, files in user directory will stay intact for the privacy reason. Registry entry and root certificate will remain as well. The Superfish service will stop working as soon as it is uninstalled via above process, and following reboot.
However, this procedure will not remove the bogus security certificates Superfish installs. To remove bogus security certificates, PC-World suggests
http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html
First, press Windows key + R on your keyboard to bring up the Run tool
search for certmgr.msc to open your PC's certificate manager
click on "Trusted root certificate authorities" in the left-hand navigation pane,
double-click "Certificates" in the main pane. A list of all trusted root certificates will appear.
Find the Superfish entry, then right-click on it and select "Delete."
Users may wish to review Microsoft's Guide to Removing Bogus Security Certificates:
http://support.microsoft.com/kb/293819
ADDITIONAL INFORMATION:
What makes this particular pre-install troubling is that it breaks security
on web browsing. Superfish looks at what you're doing on the web by using
its own web security certificates and then serves up competitive adds.
Possibly cool if you're shopping for cars, not so cool if you're doing
on-line banking. Lenovo and Superfish probably aren't looking at your
banking, but by breaking web security with bogus security certificates, they
make it easier for Bad Guys.
Review of Superfish and Steps Needed to Cleanse it:
http://www.tripwire.com/state-of-security/security-data-protection/superfish-lenovo-adware-faq/
Microsoft's Guide to Removing Bogus Security Certificates:
http://support.microsoft.com/kb/293819
Technical Ars Technica Article on Lenovo and Superfish:
http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
Lenovo's Official Statement and Protestation That It Wants What's Best For Customers:
http://news.lenovo.com/article_display.cfm?article_id=1929
Ars Technica Plays the Wounded Computer User Card:
http://arstechnica.com/security/2015/02/lenovo-honestly-thought-youd-enjoy-that-superfish-https-spyware/
Other Technical Press Coverage:
http://www.engadget.com/2015/02/19/lenovo-superfish-adware-preinstalled/http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/http://www.pcworld.com/article/2886357/lenovo-preinstalls-man-in-the-middle-adware-that-hijacks-https-traffic-on-new-pcs.htmlhttp://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html
2015-02-09a
WHAT THIS IS ABOUT:
This is a PSA.
WHO SHOULD READ THIS:
Folks with iOS or Android Mobile Devices
WHAT YOU SHOULD DO:
Microsoft Outlook for iOS and Android have some security flaws which expose a
user's private data. The folks at McKenzie hall recommend against installing
the mobile version of MS Outlook.
ADDITIONAL INFORMATION for the Technically Curious:
From: deptcomp-bounces@lists.uoregon.edu
Sent: Friday, February 06, 2015 1:31 PM
To: UO IT Directors; Departmental Computing
Subject: deptcomp: Security concerns about Outlook for iOS and Android
Microsoft released Outlook for iOS and Android in late January. We recommend
against using these apps due to security concerns. Primarily, the current
version of these apps store your username, password, and Outlook data in the
cloud and it is unclear whether removing your account configuration from the
application properly removes that data.
A secondary security concern involves the apps's ability to save attachments
to Dropbox, OneDrive, and Google Drive. The use of these cloud storage
services becomes a security issue when sensitive data is saved to those
services.
This decision was made in consultation with Chief Information Security
Officer Will Laney.
If you have any questions, please contact security@ithelp.uoregon.edu.
For more information, see the WindowsITPro article at
http://windowsitpro.com/blog/worried-about-security-and-privacy-outlook-ios-and-android-heres-your-chance-debate-issues
.
UO Technology Service Desk
Information Services
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk
2015-02-09
WHAT THIS IS ABOUT:
The latest operating system for Apple mobile devices, iOS 8, which has been
released for the last four months, has gotten to a stable version.
WHO SHOULD READ THIS:
Users with iPhones, iPads, iPods, and other iThings.
WHAT YOU SHOULD DO:
For those of you still waiting to update to iOS 8.1.3, go ahead and update if
you wish. I've updated my iPad2, model MC980LL/a, and smoke has not come out
of it (yet). Folks with an original iPad, or with an iPad with less than 32
GB of memory may have a less than optimal experience.
ADDITIONAL INFORMATION for the Technically Curious:
Some observations:
I had to go through my photo and videos and clear out things until a little
over 5 GB was free on the iPad before I could update the iOS from 7 to 8.1.3
I've had one report of a newer iPad getting snagged at the user agreement
form (the update was relatively painless for me).
The update _really_ wants me to sign into iCloud. If I were sharing data
between my iPad and other Apple devices, the allure would be stronger. I do
not use iCloud because I'd like my files and photos to stay on a physical
device in my control, and I like to know that someone hacking into my
(non-existent) iCloud account can't maliciously wipe my iPad's contents.
I have not gotten used to the text completion tool, which displays word
suggestions along the top. I may turn it off so it's less intrusive.
There is a slight, but noticeable lag for some applications to start-up.
Safari's bookmarks on iOS 8.1.3 are moved around; they now show up by
shrinking the web page you're looking at and appearing along the left-hand
side of the browser's window.
After iOS 8.3 was installed, I was required to re-enter my UO username and to
log onto the less secure UOwireless, and then install a new security
certificate from http://wireless.uroegon.edu before I could move forward to
connecting automatically to UOSecure.
Ars Technica's In-Depth and Very Long Total Review of iOS8
http://arstechnica.com/apple/2014/09/ios-8-thoroughly-reviewed/
iOS8 Mail New Swipe Gestures:
http://www.tuaw.com/2014/09/15/ios-8-mail-new-swipe-gestures/
Expect updating to take 20 to 120 minutes:
http://www.gottabemobile.com/2014/09/16/how-long-will-the-ios-8-update-take/
Reasons Not to Update (just yet):
http://www.gottabemobile.com/2014/09/16/iphone-6-nfc-limited-apple-pay/
Various iOS8 tips:
http://www.gottabemobile.com/2014/09/16/which-iphone-6-we-bought-and-why/
The Cult of Mac's Articles on iOS8
http://www.tuaw.com/tag/ios8
2015-02-03
WHAT THIS IS ABOUT:
This is a PSA. A proof-of-concept exploit for a security issue with
Microsoft Internet Explorer has been found. I'd give this Two Admiral
Ackbars.
WHO SHOULD READ THIS:
People who use Internet Explorer to surf the web.
Other browsers are not affected.
WHAT YOU SHOULD DO:
Don't panic. At the moment this is only a proof-of-concept.
As usual, think twice before following links in e-mails.
Folks may wish to switch to a different browser (e.g. Chrome or Firefox) for
everyday web browsing.
ADDITIONAL INFORMATION for the Technically Curious:
The proof-of-concept code tricks Internet Explorer into 1) displaying a valid
URL in the browser's address bar and 2) allowing for (evil) code written at
one web site to be run on a (trusted) site. In other words, Explorer could
be made to initially connect to your bank's web site - which it would display
-- and then display a rogue web form asking you for banking information. At
the moment the Bad Guys have to trick users to a maliciously designed web
page to make this work, but the concern is that malvertising could prime
Internet Explorer to serve phishing pages.
PC-World Article:
http://www.pcworld.com/article/2879372/dangerous-ie-vulnerability-opens-door-to-powerful-phishing-attacks.html
Technical Demonstration:
http://seclists.org/fulldisclosure/2015/Feb/0
2015-01-27
WHAT THIS IS ABOUT:
Adobe Flash Player has some security holes in it (again). One hole has been
patched; another is still being exploited. [Editor's note: The second hole
in Adobe Flash Player has been patched.]
WHO SHOULD READ THIS:
People who use Adobe Flash Player to look at high-impact, rich web content.
WHAT YOU SHOULD DO:
In each browser (Safari, Chrome, Internet Explorer, Firefox) on your machine
go to this web site
http://helpx.adobe.com/flash-player.html
and check to see if Flash is running for that browser. Follow instructions
on the web page if you want to update to the partially patched version of the
Adobe Flash player.
More than one Computer Security Expert has bandied about the idea of
disabling Adobe Flash over the next few days until the second security hole
is patched. [Editor's Note: The second hole has been patched.] If you wish
to do so, follow the browser-specific links in step 4 on the above Adobe web
page, only (hang on to your looking glass!) DISABLE the flash player instead
of enabling it.
REMEMBER: Although version 16.0.0.287 of the Adobe Flash player is the
latest version, it still has a security hole in it; expect another patch from
Adobe next week [which it was].
ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS:
Naked Security Article:
https://nakedsecurity.sophos.com/2015/01/23/adobe-issues-emergency-fix-for-flash-zero-day/
Graham Cluley Article:
http://grahamcluley.com/2015/01/running-adobe-flash-need-read-today/
Jargon-filled Technical Description of the Unpatched Flash Malware:
http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
Adobe Announcement:
http://blogs.adobe.com/psirt/?p=1166
http://arstechnica.com/security/2015/01/those-teeth-gnashings-you-hear-are-flash-users-installing-a-new-0day-patch/
2015-01-23a
WHAT THIS IS ABOUT:
Oracle has released an update to Java which closes several security holes,
including the POODLE security hole. The latest version is Version 8 Update
31.
WHO SHOULD READ THIS:
Folks with Java installed on their computers (e.g. Banner users and Minecraft
users)
WHAT YOU SHOULD DO:
If you think, but you're not sure if you have Java, go here:
https://www.java.com/en/download/installed8.jsp
and click on the red button "Verify Java Version."
It's possible the web browser will try to block Java from running; you may
need to grant one-time-only permission for Java to run.
After a short pause, the web page should tell you what version of Java is
running. It should be Version 8 Update 31.
If you do not have Java installed on your machine, and you haven't missed it,
then celebrate in the knowledge that you have a secure machine.
If you need to update, follow the link for updating. BE CAREFUL: Make sure
to read download instructions carefully so you do not inadvertently install
the ASK search bar or sell family members to Oracle.
ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS:
A Simple Overview of Java:
https://krebsonsecurity.com/2015/01/java-patch-plugs-19-security-holes/
The Macintosh operating system and Java don't always play well together:
Macintosh users may wish to see
https://www.java.com/en/download/faq/java_mac.xml
Oracle Technical Paper:
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
Oracle on POODLE:
http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html
2015-01-23
WHAT THIS IS ABOUT:
Don't Panic! This is a PSA.
Dropbox, a popular file sharing and synchronization service, has announced
that it will drop support for Macintosh users using OS X Leopard (OS 10.5)
and earlier . This shouldn't be too surprising, as Apple dropped support for
OS X Snow Leopard (OS 10.6), a newer operating system, last year.
WHO SHOULD READ THIS:
Folks running Snow Leopard (OS 10.6) or older on their Macintoshes.
Folks running Lion (OS 10.7) or newer are not affected.
Windows users are not affected.
WHAT YOU SHOULD DO:
Dropbox users with older Macintosh operating systems will be unable to use
the desktop application to sync files.
The options are:
Use Dropbox's web interface
Or
Update the Macintosh operating system (if possible).
ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS:
Cult of Mac announcement:
http://www.cultofmac.com/309519/love-dropbox-time-upgrade-mac/
Official DropBox announcement:
https://www.dropbox.com/help/8058
Some thoughts on upgrading older Mac operating systems:
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2013-10-29
Old annoucement about Snow Leopard (OS 10.5):
http://www.computerworld.com/s/article/9246609/Apple_retires_Snow_Leopard_from_support_leaves_1_in_5_Macs_vulnerable_to_attacks
2014-12-19
WHAT THIS IS ABOUT:
Don't panic (much). Computer security experts have discovered a security
hole, dubbed "Misfortune Cookie," in many home routers which could allow the
Bad Guys to read all the data you send to your bank, your mobile devices,
your home internet-connected thermostat, webcams, or your toaster. There's
no firm evidence of active exploits, so this is at Two Admiral Ackbars, but
the worry is that cyber crooks will exploit the Bad Fortune flaw for identity
theft.
WHO SHOULD READ THIS:
Everyone with an internet router (typically, the box that connects to a DSL
modem and allows multiple computing devices to connect to the internet and
each other) at home.
WHAT YOU SHOULD DO:
Don't panic when this hits the general press. This is a manufacturing error
in certain routers which has existed since 2002; at this time there's not a
whole lot you can do until flash updates for your home router are released.
Look at the router and write down the manufacturer and model.
Go to this PDF:
http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf
If your router is listed, then it's vulnerable.
If it isn't listed, you've (probably) dodged the bullet.
If your router is listed, check the manufacturer's web site for instructions
about any upgrades they may have issued.
** Some Technical Work-Arounds:
When web browsing, make sure to use https:// in web addresses to encrypt web
communications.
Encrypt sensitive data to prevent files from being read if they are stolen
via the Misfortune Cookie exploit.
Extra-credit problem: If you can connect to your home router's web
page and can navigate to its configuration page, look for which version of
RomPager is running. RomPager v4.34 or higher does not have this flaw.
ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS:
The specific security hole is with RomPager, software baked into routers to
provide easy, web-based access to home routers. By sending a malicious HTTP
cookie file to the router, the Bad Guys can take it over.
Technical information about RomPager:
https://www.allegrosoft.com/embedded-web-server
The Official Misfortune Cookie Website:
http://mis.fortunecook.ie/
A quick primer on what a "residential gateway" is and other networking terms:
http://en.wikipedia.org/wiki/Residential_gateway
The Computer Security Press Goes Wild:
Security Week Summary:
http://www.securityweek.com/misfortune-cookie-vulnerability-exposes-millions-routers
Ars Technica's More Detailed Summary:
http://arstechnica.com/security/2014/12/12-million-home-and-business-routers-vulnerable-to-critical-hijacking-hack/
The Register's Regurgitation of Check Point's claims:
http://www.theregister.co.uk/2014/12/18/misfortune_cookie/
PC World:
http://www.pcworld.com/article/2861232/vulnerability-in-embedded-web-server-exposes-millions-of-routers-to-hacking.html
http://www.pcworld.com/article/2861713/dangerous-misfortune-cookie-flaw-discovered-in-12-million-home-routers.html
2014-10-29
WHAT THIS IS ABOUT:
John Burridge gives his Macintosh operating system advice: Macintosh users
should stay with OS 10.7 (Lion), OS 10.8 (Mountain Lion), or OS 10.9
(Mavericks) and put off updating to OS 10.10 (Yosemite) for the next four to six
months.
WHO SHOULD READ THIS:
Macintosh Users
Windows Users are Unaffected
WHAT YOU SHOULD DO:
Go to the Apple Menu.
Choose About this Mac.
A window should pop up. In big bold letters, you should see the words "OS X";
look underneath this for a version number (it will start 10).
** Version 10.6.something or older (Snow Leopard or older)
Apple no longer supports these versions of the operating system. This means
that security vulnerabilities have not been addressed and some newer programs
may not be able to run. If possible, consider upgrading to Mac OS 10.7. If
upgrading is not an option because the Macintosh's hardware will not support it,
consider retiring the machine or sequestering it from the internet.
** Version 10.7.something (Lion)
Although this is an older version of the Mac OS, it's fine to use for now; be
aware that probably sometime in 2015, Apple will consign it to retirement and it
will suffer the same fate as previous operating systems in terms of support and
security.
** Version 10.8.something (Mountain Lion)
If the Macintosh is running OS 10.8, let it. This is the most stable version
of the operating system currently released.
** Version 10.9.something (Mavericks)
If the Macintosh is running 10.9 (Mavericks), that's fine; aside from a few
networking quirks and a few problems with initial incarnations (i.e. 10.9.0,
10.9.1), Mavericks appears to run well. Be sure that you're running the latest
version, 10.9.5.
** Version 10.10 (Yosemite)
I recommend avoiding Yosemite at this time. There are some problems with
WiFi and Mac Mail which may cause some Macintoshes to not run, and some
privacy issues with the way 10.10 (Yosemite) shares user data with Apple.
If you have a Macintosh running 10.10, it's not fatal, but be aware of the
technical consequences. I expect that Apple will release updates over the
next few months which will address problems.
Editor's Note: Even with the release of 10.10.1, I still recommend
waiting until Apple has had a chance to shake out all the WiFi bugs still
lurking in this update.
ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS:
Yosemite Memory Leak Problems Break MacMail
http://www.cultofmac.com/301031/os-x-yosemites-mail-app-mac-crashing-memory-hog/
Yosemite WiFi problems:
http://nakedsecurity.sophos.com/2014/10/22/os-x-yosemite-wi-fi-problems-can-you-help-us-solve-them/
Yosemite iCloud Irks the Privacy Conscious:
http://www.theregister.co.uk/2014/10/27/icloud_data_grab_irks_privacy_conscious/
Yosemite Leaks User Location and Search Results to Apple:
http://www.hotforsecurity.com/blog/mac-os-x-yosemite-leaks-user-location-and-search-results-to-apple-10669.html
http://www.cultofmac.com/300301/keep-os-x-yosemite-sending-spotlight-data-apple/
2014-10-22
WHAT THIS IS ABOUT:
Computer security researchers have discovered a zero-day exploit in Microsoft
Office. A maliciously crafted Office File (typically a PowerPoint presentation)
will run malicious software when opened. I rate this threat at two and a half
Admiral Ackbars, given that it requires opening an e-mail attachment and that
it's easily mitigated.
WHO SHOULD READ THIS:
Microsoft Office Users.
Windows users.
Macintosh users are not affected.
WHAT YOU SHOULD DO:
Be very very careful when opening Microsoft Office Documents, especially
surprise documents from someone you don't know very well.
Windows users should go to this web page:
https://support.microsoft.com/kb/3010060
and click on the faceless wrench-guy icon to Apply the OLE packager shim
workaround.
ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS:
This particular attack uses a malicious Object Linking and Embedding (OLE)
object. OLE objects allow Word, Excel, and other Office programs to share data
between themselves (and Evil Programmers to take over your Windows computer).
Security Week Article:
http://www.securityweek.com/windows-zero-day-exploited-targeted-attacks-through-powerpoint
The Register Article:
http://www.theregister.co.uk/2014/10/22/powerpoint_attacks_exploit_ms_0day/
Hot for Security Article:
http://www.hotforsecurity.com/blog/zero-day-remote-code-execution-flaw-disclosed-by-microsoft-workarounds-issued-10654.html
Security Intelligence Blog Article:
http://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-windows-hit-by-new-zero-day-attack/
Nation Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6352
2014-10-16
WHAT THIS IS ABOUT: Computer security researchers have discovered a new
security vulnerability, dubbed Poodle, which could allow a Cyber Crook on
the same network as the victim to gain control of the victim's web
browsing and execute malicious code. This is a clunky attack using a
depreciated security setting, so I'm giving it 2.5 Admiral Ackbars.
WHO SHOULD READ THIS:
Everyone who reads web pages.
WHAT YOU SHOULD DO:
Don't panic.
There's really not a whole lot to be done at this time; the producers of
web browsers will be updating their software over the next few weeks.
All web users should make sure they are using the latest versions of
Safari, Firefox, Chrome, and Internet Explorer.
ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS:
The Secure Sockets Layer (SSL) 3 protocol is a legacy way computers talk
to each other securely; it is included in modern web browsers as a
fall-back way to exchange information with web pages on legacy web
servers. A Poodle Attack works by tricking a web browser into using the
old SSL 3 protocol, and then launching a man-in-the-middle exploit, which
allows a near-by cyber-crook to control the web browsing session (insert
web-mail and web banking fun here).
ADVANCED USERS may wish to turn off SSL manually - this may be trickier
than it seems, and may cause some older web sites to break. Caveat
Lector. Editor's Note Here's a link to a friendlier set of instructions:
http://nakedsecurity.sophos.com/poodle-some-tips-for-turning-off-ssl-3-0/
++ Internet Explorer:
Start Internet Explorer.
Go to the TOOLS menu.
Choose INTERNET OPTIONS.
Select the ADVANCED tab.
Scroll down to the Security Section.
UNCHECK options Use SSL 3.0 and SSL 2.0
CHECK options Use TLS 1.0, 1.1 and 1.2
Click OK.
Restart Internet Explorer.
++Firefox Users:
Firefox should be safe from the Poodle Attack after November 25. Mozilla
has created an extension as a work-around.
If you want to turn off SSL in Firefox now, go here:
https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/
and install the Add-On.
++ Chrome Users:
Chrome users that just want to get rid of SSLv3 can use the command line
flag --ssl-version-min=tls1 to do so.
Instructions for using this flag are here:
http://www.chromium.org/for-testers/command-line-flags
++ Safari Users:
As of this time, I am not finding a procedure for getting at the SSL
settings in Safari.
NYTimes Article on the Poodle Security Flaw:
http://bits.blogs.nytimes.com/2014/10/15/poodle-bug-marks-third-major-security-flaw-discovered-this-year/
Techspot Article on the Poodle Security Flaw:
http://www.techspot.com/news/58436-google-discovers-ssl-30-vulnerability.html
Hot for Security Article on the Poodle Security Flaw:
http://www.hotforsecurity.com/blog/ssl-3-0-poodle-flaw-opens-encrypted-data-to-eavesdropping-10524.html
Google's Article on the Poodle Security Flaw:
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
Ars Technica Article on the Poodle Security Flaw:
http://arstechnica.com/security/2014/10/ssl-broken-again-in-poodle-attack/
Twitter disables SSL:
https://twitter.com/twittersecurity/status/522190947782643712
Mozilla Firefox Blog Entry on Poodle:
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
Highly technical review of Poodle:
https://www.openssl.org/~bodo/ssl-poodle.pdf
Technical Page from Microsoft:
https://technet.microsoft.com/en-us/library/security/3009008.aspx
"Poodle with a Mohawk" Cartoon:
http://seattletimes.com/html/thearts/2017750833_realcomet15.html
2014-10-01
WHAT THIS IS ABOUT:
Apple has released operating system patches for Shellshock (aka The Bash
Bug), a vulnerability which allows Evil Ones to run any command they'd like
on compromised computers.
WHO SHOULD READ THIS:
Macintosh Users running
OS 10.9 (Mavericks)
OS 10.8 (Mountain Lion)
OS 10.7 (Lion)
Macintosh Users running OS 10.6 or older have no patch available at this
time.
Windows Users are not affected.
WHAT YOU SHOULD DO:
Depending on how fast the network connection is, this should take about ten
minutes.
1. Save all work and close all programs. You'll need to be logged in as an
administrator.
2. Go to the Apple Menu.
3. Choose ABOUT THIS MAC
4. A dialog box should appear. Underneath the OS X text, there should be a
version number (e.g. 10.9.5)
5. Make a note of the first two numbers (e.g. 10.9) and close the dialog
box.
6. Follow the appropriate link for the Macintosh's operating system.
OS 10.9 (Mavericks)
http://support.apple.com/downloads/DL1769/en_US/BashUpdateMavericks.dmg
OS 10.8 (Mountain Lion)
http://support.apple.com/downloads/DL1768/en_US/BashUpdateMountainLion.dmg
OS 10.7 (Lion)
http://support.apple.com/downloads/DL1767/en_US/BashUpdateLion.dmg
7. Clicking on one of the links will begin the download of a Disk Image File
(dmg); once it has downloaded, open it.
8. A window should appear. There should be an icon of a package with a name
starting "BashUpdate"; double-click on it.
9. An installation dialog box will appear welcoming you to the OS X bash
Update installer. Click CONTINUE; follow the prompts through the
information screens and agreements.
10. At some point you should see an icon of a hard disk with a green arrow
over it; make sure the icon has the name of your hard drive, then press
CONTINUE. Then INSTALL.
11. A dialog box will come up asking you for your password. After you clear
this hurdle, there will be a short pause and you should see a message
congratulating you on a successful installation. Press CLOSE.
12. Once the update is installed, you no longer need a copy of the dmg.
ADDITIONAL INFORMATION:
Macintosh users running Mac OS 10.6 (Snow Leopard) or older may wish to
consider updating their OS to take advantage of this and other security
patches.
Message Excerpt From Garron Hale, Director of CAS-IT :
What is Shellshock?
The Shellshock vulnerability is a security problem, announced September 24,
that can allow remote execution of code on a wide variety of Unix- and
Linux-based systems, including Linux servers and Macintosh computers.
The majority of servers on campus could be affected. Central UO Information
Services has notified us to expect downtime as they install updates to their
systems.
Users of CASIT systems will also experience brief periods of downtime as we
install patches on approximately one hundred servers. We will notify our
users prior to downtime.
Ars Technica:
http://arstechnica.com/security/2014/09/shellshock-fixes-beget-another-round-of-patches-as-attacks-mount/
The Unofficial Apple Weblog:
http://www.tuaw.com/2014/09/30/apple-releases-os-x-bash-update-1-0/
Apple Insider:
http://appleinsider.com/articles/14/09/29/apple-releases-bash-update-to-plug-shellshock-flaw
CAS-IT Announcement:
https://casit.uoregon.edu/event/shellshock-alert
2014-09-30
WHAT THIS IS ABOUT:
Some folks have run into problems with the iMacs refusing to authenticate
users.
WHO SHOULD READ THIS:
GTFs in PLC 184
Grads in PLC 232
WHAT YOU SHOULD DO:
If you enter your DuckID and your UO e-mail password and you know it's
correct, but the Macintoshes in the labs simply shake the password box at
you...
1) Click on the RESTART button below the login area and restart the machine.
2) Wait a minute (don't burn incense; smoke is bad for the machines)
3) If a message about network logins being unavailable appears, wait a few
moments more for it to disappear.
4) Attempt to log in again.
If you continue to have problems-especially if you can't login to neither
Macs nor Windows machines--please let me know. Rarely, there's a problem
with the authentication server dealing with certain passwords (see personal
message below).
ADDITIONAL INFORMATION:
Appearently, the DuckID authentication server was having a rough first day:
** Message sent to the DeptComp group:
Around 10:30 AM on 29-Sep-2014, we received reports that the DuckID site was
experiencing a service degradation.
Users were intermittently receiving an "Internal Server Error".
This service degradation was resolved around 12:00 PM on 29-Sep-2014. Staff
are continuing to monitor the situation.
During the first week of Fall Term, due to heavy loads on the system, users
may experience longer load times than normal. If there are continued issues
with the DuckID site, please contact the Technology Service Desk.
If you have any questions, please contact the Technology Service Desk
(techdesk@uoregon.edu; 541-346-4357).
UO Technology Service Desk
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk
====
** Personal Message from the TechDesk:
On 2014/09/29 16:50, Support via RT wrote:
> Hi John,
> This problem with users having issues logging into Active Directory
> machines happens rather sporadically. While we can't say with absolute
> certainty what causes the problem, we think it is related to using
> special characters in the user's password. A password reset will
> normally fix this issue
2014-09-26
WHAT THIS IS ABOUT:
Take a deep breath. Computer security experts have discovered a flaw in the
Bourne shell (or Bash), which is part of the operating system of many
devices. The flaw allows The Evil Ones all sorts of access, and they're
already leveraging exploits. This is four Admiral Ackbars - although, like
the Heartbleed security issue last Spring, the effects will be mostly
indirect, and there's not much most home users can do at this point except to
wait for patches.
WHO SHOULD READ THIS:
Linux users.
Macintosh users; although default Macs are not at high risk.
Windows users are not directly affected.
Devices with servers (e.g. printers with web interfaces, Wireless routers)
could be susceptible.
WHAT YOU SHOULD DO:
Macintosh users should assume that their computers are affected; however, as
most people don't turn on the Macintosh Apache Servers, there shouldn't be
too much to worry about.
If you do have a web server running on your Macintosh (and you'd know if you
did, because you would have fiddled with it), then take steps to lock it down
(highly technical link here):
http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an/146851#146851
Macintosh users should also check that the FIREWALL is turned on:
APPLE MENU > System Preferences > Security and Privacy
> Firewall tab > make sure Firewall is ON
Click the FIREWALL button; this will bring up a report of what services (e.g.
games) can connect to the Macintosh.
Other devices
Take a look at your home Wireless Router, then visit the vendor's page for
any firmware updates.
Take a look at your networked printer, then visit the vendor's page for any
firmware updates.
Folks with printers connected to home networks may wish to turn off the
printer when not in use (if it's turned off, the Evil Ones can't talk to it).
ADDITIONAL INFORMATION
Shellshock is a 22 year old bug in the Bourne shell. The Bourne shell is a
text-only command line interface; those of you who remember using DARKWING in
2000-2005 will have an idea of what it does. The bug allows the Bad Guys to
run malicious commands on affected machines.
Optional "Let's See It In Action" script for Macintosh Users:
Go to Applications > Utilities > Terminal
Copy and paste the following (the spaces in this are important):
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If your system is vulnerable to the Bash bug, you'll see the following:
vulnerable
this is a test
If your system has already been patched to protect against the bug, on the
other hand, you'll see something similar to this:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" bash:
warning: x: ignoring function definition attempt bash: error importing
function definition for `x' this is a test
THE TECHNICAL PRESS HAS A HEYDAY:
Ars Technica: Apple Says Most Users Should Be Fine:
http://arstechnica.com/security/2014/09/apple-working-on-shellshock-fix-says-most-users-not-at-risk/
Cult of Mac: Relax, if you didn't turn advanced stuff on, you're fine:
http://www.cultofmac.com/297901/apple-shellshock-exploit/
Most Vulnerable Targets are Apache Servers:
http://www.hotforsecurity.com/blog/shellshock-roundup-what-to-do-if-you-are-vulnerable-10297.html
NYT: MILLIONS of Devices at Risk!
http://bits.blogs.nytimes.com/2014/09/26/daily-report-flaw-in-code-puts-millions-of-devices-at-risk/
Security Week: Shellshock likely to become an engine for Internet Worms:
http://www.securityweek.com/what-we-know-about-shellshock-so-far-and-why-bash-bug-matters
PC World (annoying autoplay video):
http://www.pcworld.com/article/2687763/safe-from-shellshock-how-to-protect-your-home-computer-from-the-bash-shell-bug.html
Very Dense National Security Report:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
2014-09-25
WHAT THIS IS ABOUT:
Don't panic. This is merely a (kind of long) beginning of the Fall Term
reminder to update various software packages on computers you love and use.
You do love them, right?
WHO SHOULD READ THIS:
Everyone. Even if you don't love computers.
WHAT YOU SHOULD DO:
Go through your computer and make sure to have all the software updated.
** General Software
* Chrome users:
1. Start Chrome
2. Go to the utility button on the upper-right-hand corner of Chrome (it
looks like three stacked horizontal lines) and choose ABOUT GOOGLE
CHROME.
3. A new browser window should open and Chrome will talk with Google.
Follow any prompts to download the latest version. As of this writing,
the version number should start 37.0.0262 (different versions for
different platforms will have slightly different endings).
* Firefox users:
1. Start Firefox
2. Windows: Go to the HELP menu and choose ABOUT FIREFOX
3. Macintosh: Go to the FIREFOX menu and choose ABOUT FIREFOX.
4. A new browser window should open and Firefox will talk with Mozilla.
Follow any prompts to download the latest version. As of this writing,
the version number should be 32.0.2.
* Explorer users:
1. The latest version of Explorer is installed during Windows Update. Be
sure to enable and run windows updates - even if you don't use Internet
Explorer.
* Safari users:
1. The latest version of Safari comes with the Macintosh operating system
updates.
* Adobe Reader:
1. Start Adobe Reader.
2. Go to the HELP menu and choose CHECK FOR UPDATES. The reader will
talk to the Adobe server and download any needed updates. The latest
version as of this writing is 11.0.09.
* McAfee:
1. Open McAfee:
1a. Windows Users
Find the McAfee icon running in the Notification Area (System Tray) at
the right end of the taskbar, right-click on it.
1b. Macintosh users
Find the McAfee icon at the top right of their screen, click on it.
2. The McAfee icon will open up a menu with an "Update Now" option. Click
this and the update process will start.
* Microsoft Office:
On Windows, Office updates automatically with Windows Updates.
Macintosh users will need to update with a special tool
1. Start the Macintosh
2. Start Microsoft Word
3. Go to the HELP menu and choose CHECK FOR UPDATES
4. A new window should appear; (OPTIONAL: you may wish to select
"automatically") click on the button CHECK FOR UPDATES.
5. The Macintosh will talk with the Microsoft mothership and then display a
dialog box with updates (if any).
6. This is tricky; select the Word window and QUIT Word. The updater is a
separate program and will continue to run.
7. Click INSTALL (if there are new things to install) on the Microsoft
Update window; the software updates should download.
8. A dialog box should appear to guide you through the steps necessary to
install the updates. Follow any prompts to install the updates.
** Windows Operating System:
As of this writing, the latest version of the Windows Operating System is
Windows 8. I recommend Windows 7, if only because Windows Charms seem to add
an extra, annoying, and unnecessary layer between the user and software which
is actually useful. Windows XP is no longer supported by Microsoft - if
you are using a Win XP computer, you need to take steps to either keep it off
the internet or update it.
1. Start Windows
2. Go to the Start Menu Globe icon in the lower left-hand corner of the
screen; a pop-up menu should appear.
3. Select ALL PROGRAMS from the menu; a secondary menu should appear.
4. Select WINDOWS UPDATE; a new window should appear.
5. Within the new window, click "Check for Updates".
6. After a moment of talking with Microsoft, the computer should tell you if
there are critical updates; follow any prompts to install critical
updates. (NB: There may be optional updates; you don't have to install these unless
you want to.)
** Macintosh Operating System:
As of this writing, the latest version of the Macintosh Operating System is
OS 10.9.5 (Mavericks). Other Macintosh OS's which are current are 10.8
(Mountain Lion), and 10.7 (Lion). Apple dropped support for OS 10.6 (Snow
Leopard) in February of 2014. I have no recommendations about OS upgrades,
although users of 10.6 should try to update to OS 10.7 for better security,
and users of 10.7 may wish to consider an upgrade to 10.8 to stay ahead of
its possible retirement in 2015.
To see what version of the Apple OS your machine is running,
1. Go to the APPLE menu and choose ABOUT THIS MAC.
2. A window should appear which says "OS X" in big bold letters, and then
the version underneath.
3. Click the red jewel in the upper left-hand corner of the window to close
it.
To install updates,
1. Save and close your work.
2. Go to the Apple Menu.
3. Choose Software Update; a new window will appear announcing that new
updates are being searched for.
4. Any updates should appear in a list. Look at this list carefully so
that you are not updating everything blindly.
5. The update window may want to update you to Mavericks; this is a major
OS upgrade you may wish to defer.
6. Click on the UPDATE button next to application software such as
iTunes
Safari
Digital Camera RAW Compatibility Update
or Software Updates which are within your version
(e.g. OS X Update 10.9.5 if you're running OS 10.9)
7. Follow any prompts to restart your Macintosh
** iPads, iPods, iPhones, and other iThings
Apple recently released iOS 8 for its mobile devices.
I recommend iOS 7; users may wish to upgrade after Halloween.
As of this writing, the general sense from the technical press is that iOS
8.0 is mostly OK, although older devices, such as iPad 2, may have
difficulties running iOS8 quickly. On Sept 25, Apple released an update for
iOS 8, 8.0.1, which was quickly pulled because it broke cellular connections
on some iPhones (oops).
ADDITIONAL INFORMATION:
Yes; this is a lot of information.
Yes; e-mail me at engtech@ithelp.uoregon.edu and I'll be happy to set up an
appointment to help.
Yes; you can poke your head into my office or call, too (although I might be
running around a bit the first of the term).
WHAT THIS IS ABOUT:
The UO Information Services team is stepping up anti-phishing measures by
blocking "phishy" network traffic and redirecting UO network users to a UO
network services web page.
WHO SHOULD READ THIS:
Everyone. This is a campus-wide security measure.
WHAT YOU SHOULD DO:
If your computer is on the UO network, and you follow a bogus link from an
e-mail or web page, instead of some fake merchant's site, you should see a
web page that says "Site Blocked Due to Suspicious Activity." You've been
protected by the UO network and redirected to their warning page. This is a
good thing. Don't panic.
As usual, when you receive a suspicious looking e-mail, forward phishing
attempts that you receive, with full e-mail headers, to phishing@uoregon.edu
Doing so allows Information Services staff to take steps to mitigate the
threat. Information on full e-mail headers can be found at the following
link:
https://it.uoregon.edu/full-email-headers
ADDITIONAL INFORMATION:
UO E-mail security:
http://security.uoregon.edu/node/37.html
How to send full e-mail headers:
https://it.uoregon.edu/full-email-headers
=== TEXT OF E-MAIL SENT FROM UO IS:
From: deptcomp-bounces@lists.uoregon.edu
[mailto:deptcomp-bounces@lists.uoregon.edu] On Behalf Of News from
Information Services
Sent: Friday, September 12, 2014 4:40 PM
To: Departmental Computing
Subject: deptcomp: Information Services to roll out phishing education page
Beginning Monday, Sept. 15, Information Services is enhancing its phishing
protection for campus through the use of a phishing landing web page.
With the new landing page, when a user attempts to visit a known phishing
website he or she will be automatically redirected to the phishing landing
page instead of the malicious page requested. The landing page displays
explanations of why that particular web pages was blocked and how to protect
yourself against phishing scams.
A sample of that page is attached to this message.
Previously, users who attempt to load malicious web pages receive a generic
"Page not found" error.
This feature does not apply to off-campus users except for those connected
via UO VPN.
Information Services will use phishing reports sent to phishing@uoregon.edu,
in addition to several other vetted sources, to populate the list of blocked
phishing sites.
Questions? Contact the Technology Service Desk (techdesk@uoregon.edu;
541-346-HELP).
Information Services
University of Oregon
2014-08-07
WHAT THIS IS ABOUT:
Adobe has released a new version of the Flash Player (Version14.0.0.145 )
(again!) which closes some security holes. Three-and-a-Half Admiral Ackbars
(maliciously crafted flash files can maliciously cause your computer to do
malicious things like expose security credentials).
WHO SHOULD READ THIS:
All computer users are potentially at risk, especially those with Firefox
installed. This hole affected some social media sites like Twitter, YouTube,
and Instagram; surprisingly, Facebook wasn't one of them.
WHAT YOU SHOULD DO:
For EACH web browser you use, go here:
http://helpx.adobe.com/flash-player.html
and follow the instructions. In some cases (Chrome or Internet Explorer),
you'll be directed to update the web browser.
Two caveats:
One:
If you discover that you don't have the Flash Player installed, and you
haven't missed it, you can stop and rejoice that you have one less "Kick
Me" sign installed on your computer.
Two:
Adobe has the slimy habit of bundling bloat-ware with the software that
you actually want. If you need to manually download and install the
latest version of the Flash player, carefully read the screens before you
click OK or NEXT so that you don't inadvertently install Clippy The
Microsoft Office Assistant on your computer or something.
ADDITIONAL INFORMATION:
This Adobe Flash exploit allowed Flash files with alphanumeric code in them
to be run as programs. When embedded in various web sites, The Evil Ones
could cause collateral data leaks and XML cross-scripting attacks simply by
having targets view the web site.
Security hole and Flash Update Announced:
http://grahamcluley.com/2014/07/rosetta-flash-adobe-google/
http://grahamcluley.com/2014/07/rosetta-flash-adobe-google/
Adobe Security Bulletin:
https://helpx.adobe.com/security/products/flash-player/apsb14-17.html
https://helpx.adobe.com/security/products/flash-player/apsb14-17.html
Ars Technica: Weaponized Exploit Can Steal User Cookies
http://arstechnica.com/security/2014/07/weaponized-exploit-can-steal-user-cookies-on-ebay-tumblr-other-sites/
http://arstechnica.com/security/2014/07/weaponized-exploit-can-steal-user-cookies-on-ebay-tumblr-other-sites/
Original Highly Technical Article on Adobe Rosetta Flash:
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
The Broken Record of Flash Update Announcements:
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-04-29http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-02-21http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-02-04http://pages.uoregon.edu/burridge/TechAnnouncements.php#2012-10-11
WHAT THIS IS ABOUT:
Don't Panic. German computer security researchers have created a
Proof-Of-Concept demonstration called BadUSB, that Turns USB Devices (e.g.
thumb drives, keyboards, webcams, etc) EVIL. Really EVIL. I think Dante
would need a tenth circle for how EVIL this is. Sigh. This isn't in the
wild, so it's isn't Eleven Admiral Ackbars. Yet.
WHO SHOULD READ THIS:
Everyone. "Eternal vigilance" and all that.
WHAT YOU SHOULD DO:
Don't panic when NPR or the general press hypes up the "We're Doomed" aspect
of this computer security problem. BadUSB probably isn't in the wild (John
pointedly doesn't think of the NSA, and other similar spy organizations).
At this point, there's not a whole lot you can do other than get into the
habit of physically isolating your computer now, so that you have good
computer USB hygiene when Organized Crime comes up with BadUSB malware.
This means:
+ Don't put your USB Flash Drive or USB keyboard or USB mouse or USB External
hard drive or USB webcam or digital camera into a strange computer's USB
port.
+ Don't allow a USB device that you haven't had under your control connect to
your computer.
+ Consider DropBox, e-mail attachments, UO Docs, or other means of file
sharing and transfer to get computer files between home and campus
computers.
OK - I can hear you all laughing. At least _think_ about this stuff
once or twice before you do it.
ADDITIONAL INFORMATION:
BadUSB works by using a flash install to place malware onto a USB-enabled
device. A computer infected with BadUSB will be really hard to clean up.
BadUSB works at the machine driver level and reformatting a computer's hard
drive is not enough to clean out a computer's BIOS (Basic Input/Output
System). The BIOS is where a computer looks to learn how to power up - if a
CPU is a computer's brain, and the hard drive is a computer's long-term
memory, the BIOS is like the computer's autonomic system. USB-enabled
devices with a subverted BIOS can lie about their status and there's no way
to tell that they're lying.
Those of us old enough to remember will recall the early 1980's, when floppy
disks were floppy, and computer viruses could infect the boot blocks of
floppy diskettes, using them as a host to infect the floppy drives in
computers (e.g. http://en.wikipedia.org/wiki/Elk_Cloner ). The BadUSB is
similar, only now its 2014 and BadUSB can use fake web pages and a host of
other Internet tricks to steal funds and identities.
Probably what will happen is that in six to eighteen months
+ USB manufacturers will have to make USB devices harder to subvert and
they'll become more like Bluetooth devices which require authentication or
pairing before they'll work. ("Now with Hardened USB...")
+ Current antivirus software is not able to detect USB devices tainted with
BadUSB; USB Manufacturers will probably come up with some sort of formatting
tool that resets USB devices practically at the atomic level. ("The autoclave
feature insures your USB device is sterilized for safe use...")
+ Manufacturers will begin to offer "power only" charging cables with the
data wires physically removed so that BadUSB in charging stations in airports
can be used more safely. ("Conveniently charge your mobile device without
the worry of BadUSB...")
THE ORIGINAL PRESENTATION of BadUSB, by Karsten Nohl and Jakob Lell:
https://srlabs.de/badusb/
Security Professionals in the Technical Press Prophesy the Apocalypse:
http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/
http://www.wired.com/2014/07/usb-security/
http://venturebeat.com/2014/07/31/why-you-can-no-longer-trust-any-usb-device-plugged-into-your-pc/
http://gizmodo.com/usb-has-a-fundamental-security-flaw-that-you-cant-detec-1613833339
http://www.hotforsecurity.com/blog/keyboards-usb-devices-can-be-used-in-enhanced-hacking-attacks-9788.html
2014-06-30
WHAT THIS IS ABOUT:
Apple has released an update for iOS, 7.1.2; this is a utility update for the
operating systems for iPads, iPods, iPhones, and other iThings. Apple has
also released an update for the Mac OS, Mavericks (10.9.4).
WHO SHOULD READ THIS:
Owners of newer iPads, iPods, iPhones and other iThings.
Macintosh desktop computer (e.g. iMac) users.
Windows users are not affected.
WHAT YOU SHOULD DO:
Both system updates address various bugs and networking issues.
Updating is important to close any security holes, but since there is a
non-zero probability that the updates will break something, I'd wait a week
for any Lamentations of the Users to echo from the Internet before upgrading.
ADDITIONAL INFORMATION:
Tech Specs for MacOS 10.9 (Mavericks)
http://www.apple.com/osx/specs/
iOS Information Obviously Written by a Marketer:
http://www.apple.com/ios/what-is/
iBeacon:
http://en.wikipedia.org/wiki/IBeacon
Update Announcements in the Technical Press:
http://www.macrumors.com/2014/06/30/apple-release-ios-7-1-2/
http://www.tuaw.com/2014/06/30/apple-releases-os-x-10-9-4-with-fixes-for-wi-fi-connectivity-and/
2014-05-27
WHAT THIS IS ABOUT:
Owners of Macintoshes, iPhones and iPads -- mostly in Australia -- are reporting
that their iThings have been locked by "Oleg Pliss" ransom-ware which demands a
fee to unlock the device. The ransom-ware appears to be using the Find My Mac
and Find My Phone utilities to do its dirty work. I'd give this 3.5 Admiral
Ackbars.
WHO SHOULD READ THIS:
Macintosh Users.
iPad Users.
iPhone Users.
Non-Apple device users are not affected.
WHAT YOU SHOULD DO:
** Prevention:
+ Make sure your mobile devices require a four digit number for access.
+ Make sure your Apple ID password is unique to Apple and iTunes - As a
precautionary measure, you may wish to change your Apple ID password.
+ Set up Two Factor Authentication for your Apple ID:
http://www.tuaw.com/2013/03/22/apple-adds-two-factor-authentication-to-your-apple-id/
Go to My Apple ID
https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/, select "Manage your
Apple ID," and sign in.
Select "Password and Security."
Under Two-Step Verification, select Get Started and follow the onscreen
instructions.
+ For the Extra Paranoid, Turn off "Find my iPad", "Find my iPhone," or "Find
my Mac", there's a good instruction set here:
http://www.tuaw.com/2014/05/27/ransomware-worries-turn-off-find-my-mac-find-my-iphone/
N.B.: While this will protect you from the Oleg Pliss ransomware, it
will also prevent the utilities from finding your device in the event that it is
lost or stolen.
** If you are a victim of the "Oleg Pliss" ransomware, do not pay the ransom:
Graham Cluley advises:
"...erase your device using Recovery Mode and restore from a backup.
Disconnect all cables from your device.
Turn off your device.
Press and hold the Home button. While holding the Home button, connect
your device to iTunes. If your device doesn't turn on automatically, turn it
on.
Continue holding the Home button until you see the Connect to iTunes
screen.
iTunes will alert you that it has detected a device in recovery mode.
Click OK, then restore the device."
ADDITIONAL INFORMATION:
So far, no one is quite sure how the ransomware works. There's a lot of
speculation that data stolen from eBay or other services was used to hack into
the AppleID service.
Apple Guide to iPhone and iPad security codes:
http://support.apple.com/kb/ht1212
Apple Guide to Two-Step Verification:
http://support.apple.com/kb/HT5570
The Unofficial Weblog Guide to Two-Step Verification:
http://www.tuaw.com/2013/03/22/apple-adds-two-factor-authentication-to-your-apple-id/
Mac Security Blog
http://www.intego.com/mac-security-blog/oleg-pliss-hack/
Naked Security:
http://nakedsecurity.sophos.com/2014/05/27/apple-ransomware-strikes-australia-pay-oleg-100-or-else/
The Unofficial Apple Weblog:
http://www.tuaw.com/2014/05/27/ransomware-worries-turn-off-find-my-mac-find-my-iphone/
And one US user reports they're a victim:
http://gigaom.com/2014/05/27/hackers-demanding-ransoms-by-locking-ios-devices-through-find-my-iphone/
2014-05-23
WHAT THIS IS ABOUT:
Apple has fixed various bugs with last week's software updates.
Specifically, an iTunes bug that caused user folders to disappear, and
some security holes in Safari. The technical press is quiet about
these updates, so they're probably OK to install.
WHO SHOULD READ THIS:
Users running Mac OS 10.9 (Mavericks), 10.8 (Mountain Lion), and 10.7 (Lion)
Earlier users of the Mac OS (Snow Leopard, Leopard, etc)
should check for Safari updates.
Windows users are not affected.
WHAT YOU SHOULD DO:
Save your work and close applications. You may need to restart your
Macintosh.
Go to the Apple Menu and choose Software Update.
After a moment, the dialog box should display available updates.
Depending on which operating system is being used, different updates
will appear. The ones to look for are:
OS X Update version 10.9.3 (this is the OS update for Mavericks users)
iTunes version 11.2.1 (this fixes the iTunes bug that hides folders)
Safari 7.0.4 (for Mavericks users)
Safari 6.1.4 (for non-Mavericks users)
Select which software to update (I'm guessing UPDATE ALL will work for
most folks).
Follow any additional prompts.
ADDITIONAL INFORMATION:
MacRumors: Safari Update Released
http://www.macrumors.com/2014/05/21/apple-releases-safari-7-0-4/
The Unofficial Apple Weblog:
http://www.tuaw.com/2014/05/17/apple-patches-missing-users-folder-bug-spawned-by-itunes-update/
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-05-16
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-05-15
2014-05-16
WHAT THIS IS ABOUT:
Sigh. Yesterday's Macintosh OS 10.9.3 upgrade does indeed have a bug
in it that will hide users' home directories. This is mostly
harmless, but annoying; cue Jar-Jar Binks shouting "Mesa thinks disa
trap!"
WHO SHOULD READ THIS:
Users who upgraded to OS 10.9.3 (Mavericks)
Users with OS 10.9.2 (Mavericks)
Users of OS 10.8 (Mountain Lion), OS 10.7 (Lion),
OS 10.6 (Snow Leopard), or earlier OS's are not affected.
Windows users are not affected.
WHAT YOU SHOULD DO:
If you have updated to OS 10.9.3 and your home directory is now
hidden, you can temporarily get it back (at least until the next
reboot) with the following procedure:
Be sure to log on as a user with administrative privileges.
From the finder, press COMMAND-SHIFT-U -- this will bring up the
utilities folder.
Double-click on the TERMINAL icon; this should bring up a new window.
Type in the following command:
sudo chflags nohidden /Users
the system will ask you for the password you use to log onto the
Macintosh before it will execute the command.
This will temporarily unhide your folders until the Macintosh is
rebooted.
ADDITIONAL INFORMATION:
This is an OS bug that hides your home directory. It doesn't always
manifest. I can demo it for you on my office iMac.
MacRumors:
http://www.macrumors.com/2014/05/16/os-x-10-9-3-bug-user-folder/
The Unofficial Apple Weblog:
http://www.tuaw.com/2014/05/16/automatically-unhide-the-users-folder-after-10-9-3-update/
2014-05-15
WHAT THIS IS ABOUT:
Apple has released an update for Macintosh Operating System 10.9
(Mavericks), v 10.9.3. This is a security update for the OS.
WHO SHOULD READ THIS:
Macintosh Users currently running Mac OS 10.9
Older Macintoshes are unable to run Mac OS 10.9
Windows users are not affected.
WHAT YOU SHOULD DO:
This is a minor update which restores some broken capabilities and fixes
some security holes.
I would wait a week or so before installing it to let any bugs be
discovered by the rest of the Apple herd. Usually in updates of this
nature are fine, but it never hurts to let someone else find any hidden
problems.
ADDITIONAL INFORMATION:
If you decide to become an early adopter, set aside about a half hour of
time and make sure your files are backed up.
I've installed OS 10.9.3 on my desk iMac and will let folks know if smoke
starts billowing from it.
Ars Technica article:
http://arstechnica.com/apple/2014/05/apple-releases-os-x-10-9-3-with-improved-4k-support-restored-usb-sync/
MacRumors:
http://www.macrumors.com/2014/05/15/apple-releases-os-x-10-9-3/
Official Apple Happy Let's Do It How-To:
http://support.apple.com/kb/HT6228
2014-05-01
WHAT THIS IS ABOUT:
Microsoft has released an out-of-cycle patch for Internet Explorer, which
closes last week's security hole (Take that, Forces of Evil!). (See
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-04-28)
WHO SHOULD READ THIS:
Microsoft Internet Explorer Users
Windows XP users.
Macintosh Users are not affected.
WHAT YOU SHOULD DO:
Sometime today (May 1, 2014), Windows users should run Windows Update to
make sure the patch for Internet Explorer has been downloaded and applied.
ADDITIONAL INFORMATION:
In a case of having to eat their own words, the technical press was
incorrect in assuming that Windows XP users would not get an update.
NBC News:
http://www.nbcnews.com/tech/security/microsoft-issues-fix-major-internet-explorer-bug-n94821
TechCrunch News:
http://techcrunch.com/2014/05/01/microsoft-patches-latest-internet-explorer-security-flaw-even-for-xp-users/
2014-04-29
WHAT THIS IS ABOUT:
Adobe has released a new version of the Flash Player (Version13.0.0.206 )
which closes some security holes. Two Admiral Ackbars (only some
tightly-focused state-funded spying detected so far).
WHO SHOULD READ THIS:
All computer users are potentially at risk, especially those with Firefox
installed.
WHAT YOU SHOULD DO:
For EACH web browser you use, go here:
http://helpx.adobe.com/flash-player.html
and follow the instructions. In some cases (Chrome or Internet Explorer),
you'll be directed to update the web browser.
Two caveats:
One:
If you discover that you don't have the Flash Player installed, and you
haven't missed it, you can stop and rejoice that you have one less "Kick
Me" sign installed on your computer.
Two:
Adobe has the excessively unattractive habit of bundling bloat-ware with
the software that you actually want. If you need to manually download
and install the latest version of the Flash player, carefully read the
screens before you click OK or NEXT so that you don't inadvertently
install Lightroom 5, or the Bing Search Bar, or an antivirus product, or
film clips from "Flashdance" or something.
ADDITIONAL INFORMATION:
Adobe's Security Bulletin:
http://helpx.adobe.com/security/products/flash-player/apsb14-13.html
Ars Technica Write-up:
http://arstechnica.com/security/2014/04/windows-0day-flash-bug-under-active-attack-threatens-os-x-linux-too/
which includes this little quote: "The exploitation of critical
vulnerabilities by state-sponsored or state-motivated adversaries has grown
increasingly common in recent years. Most notable examples include the
Stuxnet, Flame, and Red October malware campaigns. A raft of other smaller
campaigns have regularly targeted the Macs and Windows PCs belonging to
dissidents of China and other countries as well as private companies and
government agencies, although many such attacks don't rely on previously
unknown vulnerabilities in widely used products."
2014-04-28
WHAT THIS IS ABOUT:
The Evil Ones have discovered a way to trick Microsoft Internet Explorer
into granting Full User Rights onto a Microsoft Windows Machine. Yet
Again. I give this 2.75 Admiral Ackbars.
WHO SHOULD READ THIS:
Users of Microsoft Internet Explorer, versions 6 through 11.
Macintosh Users are not affected.
WHAT YOU SHOULD DO:
The easiest work-around is to use another browser.
Microsoft has not released a patch for this security hole (EDITOR's NOTE:
this hole has been patched, see
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-05-01).
The Technical Press has been quick to point out that Microsoft probably
won't release a patch for this security hole on Windows XP, ever.
For Windows users required to use Internet Explorer, Microsoft is
recommending things we already do at the UO:
+ use a firewall
+ use antivirus software
+ stay on the narrow internet path; don't pick flowers or talk to wolves.
Additionally, users may wish to go the extra mile and install Microsoft's
Enhanced Mitigation Experience Toolkit (EMET):
http://support.microsoft.com/kb/2458544
ADDITIONAL INFORMATION:
Because Internet Explorer is tightly integrated into the Windows Operating
System, it's like a giant "Kick Me!" sign the Evil Ones can't resist. The
exploit works when a user visits a malicious web site. Malicious web code
uses Adobe Flash software to trick Internet Explorer into granting The Evil
Ones the same rights on a Windows computer as the user, and hey-presto,
there go your banking codes.
Microsoft Security Advisory:
https://technet.microsoft.com/en-us/library/security/2963983
Ars Technica article:
http://arstechnica.com/security/2014/04/active-0day-attack-hijacking-ie-users-threatens-a-quarter-of-browser-market/
National Vulnerability Database:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1776
PC World article:
http://www.pcworld.com/article/2148368/new-internet-explorer-zero-day-puts-web-at-risk-and-xp-isnt-getting-a-fix.html#tk.rss_all
Technical Breakdown of the Exploit from FireEye Labs:
http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html
2014-04-09
WHAT THIS IS ABOUT:
The Open source library, OpenSSL, which enables Secure Socket Layers (SSL) has a bug in it that
exposes information in a server's RAM. Because the bug involves the heartbeat signal machines use
to keep track of each other, this bug is called "Heartbleed". The Heartbleed bug enables Evil
Doers to read encrypted communications, like passwords and encryption keys (i.e. everything).
This counts as Five Admiral Ackbars. OK, Six. Seriously.
WHO SHOULD READ THIS:
Anyone who uses internet services (Yahoo, Minecraft, www.efn.org, your bank). This is a worldwide
security issue affecting machine-level communication between computers. Two thirds of the world's
web servers are affected.
WHAT YOU SHOULD DO:
Don't Panic - Yes the barn door's (wide) open, but no one is really sure if the aliens have been
leading the cows astray. They could be fine. System admins everywhere are scrambling to keep
electronic assets secure. Unless you are a computer server administrator, you won't be directly
affected by this bug; however, secondary effects are serious and will affect end-users.
Expect to see a spike in warning messages on your computer along the lines of "the security
certificates for this site are untrusted" or requests to change your passwords on internet sites
(bother, there will probably be an uptick in Phishing E-mail Attempts, too).
Wait for the server administrators to upgrade to OpenSSL 1.0.1g and update their servers' security.
Expect "We've updated our security/Now Heartbleed Free!" notices from various internet-based
providers. They'll probably look something like this:
http://arstechnica.com/security/2014/04/dear-readers-please-change-your-ars-account-passwords-asap/.
I'll be sure to forward any messages from UO central computing.
Use a site like https://www.ssllabs.com/ssltest/ to
test various web sites you frequent.
Change your passwords, BUT only after the site has updated their SSL (or is using a different
version of SSL). This is really important; changing your password on a site before they have a
chance to update their security will do no good. (Some security folks are saying to change
passwords now, and again in a week.)
Be nice to system administrators.
It might be wise to minimize internet access over the next few days, especially to places like your
bank's web site. Or Yahoo.
Be extra vigilant over the next few weeks when looking at financial reports for signs of identity
theft. Although it's newly discovered, the Heartbleed bug has been around for over a year, and
computer security experts are concerned that The Evil Ones may have sneaked personal data out
without a trace.
ADDITIONAL INFORMATION:
UO Central Computing is taking steps to address the Heartbleed bug on campus computers.
Webmail.uroegon.edu is currently (4/9/2013) secured from the bug, according to SSLlabs.
An Overview of Heartbleed
http://heartbleed.com/
Yahoo at Extra Risk:
http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/
Super Technical Dissection of the Heartbleed Bug:
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
Additional Lamentations and Various News Items:
http://bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/
http://www.bbc.com/news/technology-26935905
http://hosted.ap.org/dynamic/stories/U/US_TEC_INTERNET_SECURITY_THREAT
http://www.pcworld.com/article/2140920/heartbleed-bug-in-openssl-puts-encrypted-communications-at-risk.html
http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
2014-02-27
WHAT THIS IS ABOUT:
Apple Computer has released a security update closing the recently
discovered SSL network hole (see
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-02-24)
in Macintosh Operating Systems 10.9, 10.8, and 10.7. Macintosh
users with Snow Leopard (OS 10.6) and older are still vulnerable
to this hole (and will be forever).
WHO SHOULD READ THIS:
Macintosh Users, Especially Snow Leopard (or older) Users
Windows Users are Not Affected
WHAT YOU SHOULD DO:
* If you have Mavericks (10.9), Mountain Lion (10.8), or Lion
(10.7):
Save and back up your work.
Close all programs.
Go to the Apple Menu
Choose SOFTWARE UPDATE
Follow the prompts to install the update; the system may require a
reboot.
* If you have Snow Leopard (10.6) or older, Apple has done nothing
for you; the only recourse for avoiding "man-in-the-middle"
attacks and having random people (or at least the NSA) looking at
your network traffic (i.e. your username and password) is to
insure your Macintosh computer is hooked up to an Ethernet wire or
a home wireless network (i.e. no sipping beverages in a cafand
surfing the net).
You may wish to evaluate your Macintosh Computer and see if its
hardware will support an operating system upgrade. Thoughts and
links here:
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2013-10-29
Apple has instructions and some places to check hardware here:
http://www.apple.com/osx/how-to-upgrade/
ADDITIONAL INFORMATION:
Previous Security Alert About This Issue on iThings:
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-02-24
News on OS X 10.9.2
http://arstechnica.com/apple/2014/02/apple-releases-os-x-10-9-2-patches-ssl-flaw-and-adds-facetime-audio-support/
The Technical Press Cries FOUL!
Apple Retires Snow Leopard:
http://www.computerworld.com/s/article/9246609/Apple_retires_Snow_Leopard_from_support_leaves_1_in_5_Macs_vulnerable_to_attacks
Apple Leaves 19% of Users Vulnerable:
http://www.techspot.com/news/55828-apple-leaves-19-of-mac-users-vulnerable-no-longer-offers-security-updates-for-snow-leopard-.html
Fanbois Face XP Moment:
http://www.theregister.co.uk/2014/02/27/fanbois_face_xp_moment_as_snow_leopard_is_left_to_die/
2014-02-25
WHAT THIS IS ABOUT:
Don't Panic. Security researchers have created a proof-of-concept
iOS app which utilizes a software bug in various iOS versions to
capture screen taps, and which demonstrates that what happens on
the touch screen doesn't necessarily stay on the touch screen.
This is a demo from the Good Guys; the internet is not down in
flames (yet).
WHO SHOULD READ THIS:
Users of iThings.
iOS 7.0.4
iOS 7.0.5
iOS 7.0.6
iOS 6.0.x
Windows Users are Unaffected
WHAT YOU SHOULD DO:
Presumably, Apple will release an updated version of iOS in a few
weeks that will close this security hole.
In the meantime, users can mitigate this security hole by
occasionally reviewing the iOS task manager and halting unneeded
programs running in the background.
1. Log into your mobile device
2. Press the HOME button twice; the main screen should shrink
down and become the left-most mini-screen of a list of running
programs.
3. Swipe through the list. If you see a program (say,
Camera) that you aren't currently running, swipe its miniaturized
screen UP; this will close the program and the list should
contract to the left.
4. When you're finished closing programs, press the HOME
button again to restore the main screen.
ADDITIONAL INFORMATION:
Original Proof-of-Concept Report:
http://www.fireeye.com/blog/technical/2014/02/background-monitoring-on-non-jailbroken-ios-7-devices-and-a-mitigation.html
Parallel Research on "keylogging" touch-screens:
http://www.ibtimes.co.uk/researcher-creates-malware-captures-every-tap-your-smartphone-or-tablet-1434673
And the Technical Press Responds:
http://arstechnica.com/security/2014/02/new-ios-flaw-makes-devices-susceptible-to-covert-keylogging-researchers-say/
http://www.macrumors.com/2014/02/25/security-flaw-log-touch-inputs/
http://www.pcworld.com/article/2101580/new-ios-flaw-allows-malicious-apps-to-record-touch-screen-presses.html
2014-02-24
WHAT THIS IS ABOUT:
Friday, Apple released a security update for the operating system
of mobile devices, iOS 7.0.6 which closes a gaping security hole
in how iThings talk to wireless networks. Older iThings got a
special security update to iOS 6.1.6. Unpatched Apple mobile
devices' wireless communication can be spied upon much more easily
than was previously known. And, um, probably Apple iMacs and
laptops, too.
WHO SHOULD READ THIS:
Folks with iThings: iPads, iPhones, iPods
Macintosh Users are affected, but there is no patch at this time.
Users of other mobile devices are not affected.
Windows Users are not affected.
WHAT YOU SHOULD DO:
This vulnerability allows snoopers to read your encrypted
communication: like e-mail passwords and bank statements.
Mobile device users are strongly encouraged to update the iOS (to
either iOS 7.0.6 or 6.1.6) to close the hole. Follow these
instructions from http://support.apple.com/kb/ht4623
1. Plug in your device to a power source.
2. Tap Settings > General > Software Update.
3. Tap Download and Install to download the update. Updates
might download automatically while your device is connected to
Wi-Fi and a power source.
4. Tap Install when the download completes.
There is no patch for the Macintosh OS yet. Macintosh users
should avoid using public Wifi; caf, the downtown Public Library
are out. Presumably, your secure home WiFi is secure enough.
I've spoken with the UO Helpdesk and the UOSecure network is
probably OK, but I would recommend using an Ethernet cable where
possible. Additionally, security on Macintosh computers may be
enhanced by use of either the Firefox or Chrome browsers.
ADDITIONAL INFORMATION:
Apple devices use Secure Socket Layer (SSL) to talk with wireless
network routers. SSL uses encryption so that Evil Ones monitoring
wireless communication can't simply listen in for key words like
"password" or "username" and figure out things from there. The
Apple security hole allows the Evil Ones to essentially disguise
their voice, say to the Apple devices, "Why yes; I'm the ArtsyCafe
wireless server, sit down and tell me everything", and the Apple
device proceeds to do just that without checking its list of
Approved Devices to Talk To (cue C-3PO saying, "R2D2! You know
better than to trust a strange computer!" ).
Apple releases iOS 7.0.6 and 6.1.6 to patch an SSL problem
http://arstechnica.com/apple/2014/02/apple-releases-ios-7-0-6-and-6-1-6-to-patch-an-ssl-problem/
About the security content of iOS 7.0.6
http://support.apple.com/kb/HT6147
About the security content of iOS 6.1.6
http://support.apple.com/kb/HT6146
Extremely critical crypto flaw in iOS may also affect fully
patched Macs
http://arstechnica.com/security/2014/02/extremely-critical-crypto-flaw-in-ios-may-also-affect-fully-patched-macs/
2014-02-21a
WHAT THIS IS ABOUT:
There is a zero-day security exploit in Microsoft Internet
Explorer 10 and 9. Versions of Microsoft Internet Explorer 10 and
older are becoming less secure. Microsoft and the technical press
recommend strongly recommend Explorer 11 for users who use
Explorer to avoid exposure to various computer security exploits.
WHO SHOULD READ THIS:
Users of Microsoft Internet Explorer 10 and Earlier.
WHAT YOU SHOULD DO:
If you need to use Microsoft Internet Explorer, use Explorer 11.
If your computer hasn't already downloaded it, you can find it
here:
http://windows.microsoft.com/en-us/internet-explorer/ie-11-worldwide-languages
If you need to use Internet Explorer, but are unable to upgrade to
Explorer 11, there's a work-around here:
https://support.microsoft.com/kb/2934088
If you don't need to use Internet Explorer, you may wish to use
the Firefox or Chrome browsers instead.
ADDITIONAL INFORMATION:
Official Word from Microsoft:
http://technet.microsoft.com/en-us/security/advisory/2934088
http://www.zdnet.com/microsoft-advises-on-ie-zero-day-vulnerability-7000026532/
http://grahamcluley.com/2014/02/internet-explorer-zero-day/
http://arstechnica.com/security/2014/02/new-zero-day-bug-in-ie-10-exploited-in-active-malware-attack-ms-warns/
Report of a Watering Hole Attack using this Exploit
http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
2014-02-21
WHAT THIS IS ABOUT:
There's a security hole in Adobe Flash Player. The Evil Ones are using it in
conjunction with older Windows software to target non-profit organizations.
WHO SHOULD READ THIS:
Macintosh Users (although not specifically targeted, Macintosh Flash Player has
this security hole, too).
Windows Users.
WHAT YOU SHOULD DO:
Visit this page
http://helpx.adobe.com/flash-player.html
Click the CHECK NOW button that appears.
If you have one of the following versions:
Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.336 and earlier versions for Linux
Adobe AIR 4.0.0.1390 and earlier versions for Android
You should be prompted to update.
Follow the instructions that appear (if any) on the Adobe web page.
NB: Chrome users will have to update Chrome to get the latest version of the
Adobe Flash Player.
http://helpx.adobe.com/flash-player/kb/flash-player-google-chrome.html
For WINDOWS users:
Make sure Windows Update is doing what it should.
If you must have Java installed on your Windows computer, make sure it is Java to
the latest 1.7
ADDITIONAL INFORMATION:
Official News from Adobe
http://helpx.adobe.com/security/products/flash-player/apsb14-07.html
http://arstechnica.com/security/2014/02/adobe-releases-emergency-flash-update-amid-new-zero-day-drive-by-attacks/
http://nakedsecurity.sophos.com/2014/02/21/adobe-pushes-out-critical-flash-update-second-zero-day-hole-of-month/
http://blog.malwarebytes.org/exploits-2/2014/02/adobe-flash-player-zero-day-details-and-mitigation/
Technical report on the exploit:
http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html
2014-02-11
WHAT THIS IS ABOUT:
Last week, Comcast had a security breach. It's not clear what data about 19.9
million Internet customers was stolen. Comcast customers are advised to change
their passwords, even if they don't use Comcast e-mail.
WHO SHOULD READ THIS:
Comcast subscribers.
WHAT YOU SHOULD DO:
(I am not a Comcast subscriber, and I haven't had a chance yet to walk my parents
through this)
Sign in to Comcast and change your password here (I think):
https://login.comcast.net/login
More information on Comcast accounts:
http://customer.comcast.com/help-and-support/account/accounts-usernames-passwords
If you don't remember your Comcast password, you can reset it here:
http://customer.comcast.com/help-and-support/account/changing-or-resetting-your-password
ADDITIONAL INFORMATION:
This is another example of why it's bad to use the same password across several
accounts. If your Comcast password is the same as your Google password or your
UO password or your banking password, you'll want to change those as well.
CAS-IT Blog:
https://blogs.uoregon.edu/casitblog/2014/02/11/comcast-email-servers-potentially-hacked/
PCWorld Article
http://www.pcworld.com/article/2095445/comcast-gets-hacked-downplays-potential-dangers.html
The vulnerability the Evil Ones used:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091&cid=3
2014-02-06
WHAT THIS IS ABOUT:
On February 11, 2014, Information Services will be upgrading the central McAfee
ePO server. They recommend that Windows users running VSE 8.7 or earlier and
Management Agent 4.6 or earlier upgrade their applications.
Oh, gee; it's a Microsoft Patch Tuesday, too. Try to get stuff done Monday to
avoid an aggravating computer-update Tuesday.
WHO SHOULD READ THIS:
Windows users using the UO distributed McAfee.
Macintosh Users are not affected.
WHAT YOU SHOULD DO:
Your computer wont explode or anything, but after the central McAfee ePO server
upgrade next Tuesday, you may start to receive worrying error messages and the
McAfee protection will be reduced on your computer.
** Check your version of McAfee
Go to the START menu.
Choose the CONTROL PANEL or ALL CONTROL PANEL ITEMS.
If you are directed to the CONTROL PANEL, then look for PROGRAMS
and select the option below, UNINSTALL A PROGRAM
If you are using ALL CONTROL PANEL ITEMS, then select PROGRAMS AND FEATURES
A list of programs should appear. Look for McAfee VirusScan.
NB: If you don't see McAfee VirusScan, use McAfee Agent,
Look to the right of McAfee VirusScan (or Agent), there should be a version
number.
Windows users running McAfee VirusScan Enterprise (VSE) 8.7 or earlier and/ or
McAfee Management Agent 4.6 or earlier may experience some compatibility issues.
Windows users running VSE 8.7 or earlier and Management Agent 4.6 or earlier
should upgrade.
** If you've got an old version of McAfee, uninstall it.
Follow these instructions: https://it.uoregon.edu/node/4094
** Once you've removed old versions of McAfee, install the latest version.
Follow these instructions (Duck ID login required):
https://it.uoregon.edu/node/2017
** Getting Additional Help
The Newly Re-named IS Technology Service Desk (formally the Help Desk) in the
basement of McKenzie can offer help migrating to a new version of McAfee:
6-HELP, techdesk@uoregon.edu, or in person in the north end of the basement of
McKenzie Hall.
CAS-IT is also available to help with this upgrade: 6-2388, castit@uoregon.edu
I'm also here in the mornings to provide assistance: 6-3570,
engtech@ithelp.uoregon.edu
ADDITIONAL INFORMATION:
Central IT's Announcement:
https://it.uoregon.edu/mcafee-upgrade
Finding your current version of McAfee:
https://it.uoregon.edu/node/4093
How to Uninstall OLD versions of McAfee:
https://it.uoregon.edu/node/4094
How to Install the Latest version of McAfee:
https://it.uoregon.edu/node/2017
Managed and Unmanaged Versions of McAfee:
https://it.uoregon.edu/mcafee-agent
CAS-IT's Blog:
https://blogs.uoregon.edu/casitblog/2014/02/05/mcafee-license-server-upgrade/
EXTRA POWERFUL McAFEE REMOVAL UTILITY TOOL:
For those of you who get stuck uninstalling McAfee and feel comfortable using
Power Utility Tools there's always (cue the Escaping Penguins from "Madagascar"
music ) the McAfee Consumer Product Removal (MCPR) tool:
http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
which I'm including in this message partially so I can quickly find it next week
(Remember, you saw *nothing*)
2014-02-04
WHAT THIS IS ABOUT:
Adobe has released a patch for a zero-day vulnerability in its
Flash Player. You know the drill: Evil People, Adobe Security
Hole, Computer Zombie Slave Impersonates You at the Bank.
WHO SHOULD READ THIS:
Windows, Macintosh, and Linux folks with Adobe Flash Player
installed.
WHAT YOU SHOULD DO:
I haven't heard any wailing or gnashing of teeth that this update
breaks things; I'll keep an eye on the technical press. I haven't
noticed that the update breaks Flash Player on the single
installation I've done. Generally, I advise people to wait a day
or two on upgrades like this. It's probably safe, and I would
update no later than Wednesday evening.
Verify which version of the Adobe Flash Player you have installed
by visiting this page
http://www.adobe.com/software/flash/about/
If you have version 12.0.0.44, then you have the latest version of
the software. You can STOP.
If you see a message about installing Plug-ins, then you don't
have Adobe Flash Player installed. You can STOP.
SAFARI AND FIREFOX USERS:
Adobe recommends that all Flash Player users upgrade to the most
recent version of the player through the Player Download Center to
take advantage of security updates:
http://get.adobe.com/flashplayer
CHROME USERS
The Chrome browser automatically updates Adobe Flash Player when
updates are available. In Chrome, left-click on the Three
Horizontal Bars beneath the CLOSE X to bring up a menu.
Choose ABOUT GOOGLE CROME; a new window will appear.
Chrome should begin to automatically update itself. This may
require restarting Chrome. The updated version of Chrome is
Version 32.0.1700.107 m.
INTERNET EXPLORER USERS
Explorer 10 and 11 users should have a similar upgrade path to
Chrome users. Newer versions of Internet Explorer should
automatically update the Flash Player. Older versions of
Explorer will need to manually visit
http://get.adobe.com/flashplayer
ADDITIONAL INFORMATION:
If you regularly use more than one browser for surfing the web,
you will want to test all browsers. When I tested Safari, Firefox
and Chrome on an iMac running Mavericks, only Chrome (the browser
I use) showed an active installation; Safari and Firefox asked if
I wanted to download a Missing Plug-in.
Security Week:
http://www.securityweek.com/adobe-issues-emergency-patch-address-flash-player-zero-day
Adobe Security Bulletin:
http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
Ars Technica Alert:
http://arstechnica.com/security/2014/02/adobe-releases-unscheduled-flash-update-to-patch-critical-zero-day-threat/
2014-01-28a
WHAT THIS IS ABOUT:
The folks at US CERT released a security advisory warning users of Mozilla
Thunderbird that slightly older versions of Thunderbird can allow Evil Code in
HTML formatted e-mails to run when the Evil E-mail is replied to or forwarded.
WHO SHOULD READ THIS:
Users of the e-mail client Mozilla Thunderbird
No other e-mail clients are affected
WHAT YOU SHOULD DO:
If you are a Thunderbird user, be sure you are using Thunderbird version 24.2
Start Thunderbird
Go to the HELP menu and select ABOUT THUNDERBIRD
A dialog box should appear telling you which version of Thunderbird is in use and
offering updates if applicable; follow any instructions (restarting Thunderbird
may be required).
ADDITIONAL INFORMATION
Mozilla Thunderbird does not adequately restrict HTML elements
http://www.kb.cert.org/vuls/id/863369
Security Advisorys from Mozilla about Thurderbird
http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
Updating Thunderbird
https://support.mozillamessaging.com/en-US/kb/updating-thunderbird
2014-01-28
WHAT THIS IS ABOUT:
DuckID Authentication and a slew of other central computing services are having
issues. Many users are having difficulty using services which require a login,
such as e-mail and connecting to the UO Wireless network. Off-campus users are
reporting that e-mails sent to UO folks are bouncing because "the user is
unknown."
WHO SHOULD READ THIS:
Everyone (assuming this message actually gets though)
WHAT YOU SHOULD DO:
There's not a whole lot end-users can do. The folks at Central Computing are
aware of the problems and are working on them.
Students in PLC 184 may have to use the generic student login while DuckID
authentication is down.
Periodically, check https://status.uoregon.edu/ for updates.
Seize the opportunity for uninterrupted time to use your computer free from the
distractions of e-mail.
ADDITIONAL INFORMATION:
DuckID status history:
https://status.uoregon.edu/status-history/9
IMAP/POP3 status history:
https://status.uoregon.edu/status-history/12
Webmail status history:
https://status.uoregon.edu/status-history/1
UO Wireless status history:
https://status.uoregon.edu/status-history/15
2014-01-17
WHAT THIS IS ABOUT:
To the best of my knowledge, there hasn't been a Target Phishing Scam. Yet. The
only current Phishing Scam I'm aware of is a "Your Apple ID will be restricted"
scam.
WHO SHOULD READ THIS:
Target Shoppers.
Macintosh Users.
Home crafters and Windows folks are unaffected.
WHAT YOU SHOULD DO:
So far I have not heard of any scam. Target's CEO really did send out an apology
and Target does have a program offering a year's worth of free credit monitoring.
The letter's a little confusing because it offers links on one hand, and then
warns folks not to follow unsolicited links from strangers on the other.
Here's Target's FAQ site:
https://corporate.target.com/about/payment-card-issue/credit-monitoring-FAQ
And it looks like
http://creditmonitoring.target.com/
is a valid site.
I will continue to monitor the tech news and will forward any news of
cyber-scams.
Speaking of which. The latest scam that is showing up in the technical press is a
scam trying to get your Apple ID and password:
http://www.tuaw.com/2014/01/17/beware-of-this-apple-id-phishing-scam/
If you get an e-mail, supposedly from Apple, saying that someone supposedly tried
to log into your Apple ID account from a different IP address and now you need to
verify your ID and password, delete the message.
ADDITIONAL INFORMATION:
News Item on Public Reaction to Apology Letter:
http://www.komonews.com/news/consumer/Target-email-legit-but-consumers-think-its-a-scam-240666341.html
PC World: Stolen Target Data Sent to Russia.
http://www.pcworld.com/article/2088920/target-credit-card-data-was-sent-to-server-in-russia.html
Ars Technica: Technical write-up of Point-of-Sale malware infecting Target:
http://arstechnica.com/security/2014/01/point-of-sale-malware-infecting-target-found-hiding-in-plain-sight/
2013-12-18
WHAT THIS IS ABOUT:
Don't Panic. This is only a PSA about malware masquerading as bogus Amazon
Delivery Notices. (One and a half Admiral Ackbars. Plus a Pre-Enlightenment
Grinch.)
WHO SHOULD READ THIS:
People who have e-mail.
People who order stuff through Amazon.
People who don't order stuff through Amazon, too.
WHAT YOU SHOULD DO:
If you receive an Amazon Delivery Notice thanking you for your early December
order, look at it carefully. If it's dated from Dec 8, you should become
Very Suspicious (some variants use Dec 9 or 10). If it is CC'd to a bunch of
people, you should become Very Suspicious. If you've never ordered anything
through Amazon in your life, you should become Very Suspicious.
Don't follow any links or download any PDFs included in the Very Suspicious
E-mail. These will install malware on your computer. Delete the Very
Suspicious E-mail.
If you are worried that your order from Amazon has a problem, go to
http://www.amazon.com directly, sign into your account, and check the order
there.
Updated anti-virus software and some e-mail services' spam filters will catch
the malicious software attached to the bogus Amazon message -- but still,
practice caution over the holidays as The Bad People take advantage of the
increased on-line shopping frenzy.
ADDITIONAL INFORMATION:
Details about Amazon Invoice Malware:
http://blog.malwarebytes.org/fraud-scam/2013/12/amazon-invoice-malware-spamrun-continues/
More about the malware:
http://blog.dynamoo.com/2013/12/fake-amazoncouk-order-spam-am-order.html
Amazon's Security, Privacy and Accessibility web page (United Kingdom
version):
http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=492866
Exhaustive List of other Fake Product Purchase Order Email Messages:
http://tools.cisco.com/security/center/viewAlert.x?alertId=31225
2013-12-05
WHAT THIS IS ABOUT:
This is a friendly reminder to folks using Window XP that Windows XP will no
longer be supported by Microsoft after April 8, 2014.
WHO SHOULD READ THIS:
Folks using Windows XP.
Users of Windows 7 or Windows 8 are unaffected.
Windows 98, 2000, and Vista users may wish to reminisce.
WHAT YOU SHOULD DO:
If you have a University owned Windows XP machine that you are using, please
let John Burridge or Marilyn Reid know and we can work forward from there to
asses if the machine should or can be upgraded to a newer operating system.
Preferably sooner than April.
ADDITIONAL INFORMATION:
The Computer Security Press would like us to believe that the Legion of Evil
People are quietly biding their time until April 9, where-upon they will
spring upon a unsuspecting Windows-XP-using populous with a Super Cyber
Arsenal of hither-to undiscovered Windows XP security holes which will never
ever be patched by Microsoft (and thus be wide open targets for ever and
ever). (Cue the Burgermeister Meisterburger chortling, "Children of
Cyber-town, you will never use your credit cards again!") There is the other
difficulty in that more and more newer programs will not work on an
increasingly aging Windows XP.
Windows XP Support Ends April 8, 2014
http://www.microsoft.com/en-us/windows/endofsupport.aspx
2013-12-02
WHAT THIS IS ABOUT:
Don't Panic. This is merely a public service announcement about being
careful when you install software and only installing what you want instead
of software parasites like that pesky "Ask Toolbar" and, most recently,
unwanted software that turns your computer into a Bitcoin Mining Zombie
Slave.
WHO SHOULD READ THIS:
Everyone. Especially everyone who has family members with computers they
support --er-- visit over the winter holidays.
WHAT YOU SHOULD DO:
This is a concrete example of someone literally stealing your computing
resources to make a buck. The antidote is
A) be mindful when installing software so that you catch the places where the
installer is saying "Oh, uh, and here's where we're going to give you
Added Value and throw in This Cool Browser Tool Bar (that tracks
everything you do)"; and,
B) Read the End User License Agreement (EULA). Ha. OK. Scan it? Print it
out and read it to your kids at bedtime? Um, pretend you're in a Star
Trek episode and you're dealing with an Evil Ferengi Character?
ADDITIONAL INFORMATION:
As the Bitcoin Bubble grows, I expect that there will be a rise in unwanted
software and malware related to Bitcoins. Bitcoins are virtual money
currently enjoying internet buzz and hype and wild speculation. They are
"created" by using computers to run a complicated program; running a Bitcoin
program is sometimes called "mining for Bitcoins." Creating Bitcoins takes a
long time and a lot of computing resources. Bitcoins are decentralized,
meaning no one government nor bank controls them. In the case of this PSA,
some unscrupulous folks have created distributed computing programs that
gobble up a host computer's resources to make Bitcoins. (If you've ever run
astronomy programs like PlanetQuest or SETI@home, which crunch astronomical
data on home computers, you're familiar with distributed computing. The
distributed astronomy programs are good, in that you knowingly install them
and they only run when your computer is idle; the Bitcoin Mining software
that comes bundled with something else is bad because of its stealthy,
parasitic nature.)
Bitcoin protocol:
http://en.wikipedia.org/wiki/Bitcoin_protocol
Malwarebytes' Blog:
http://blog.malwarebytes.org/fraud-scam/2013/11/potentially-unwanted-miners-toolbar-peddlers-use-your-system-to-make-btc/
Sneaky software turns your PC into a Bitcoin-mining zombie -- and owns up to
it in the EULA
http://www.pcworld.com/article/2068102/sneaky-software-turns-your-pc-into-a-bitcoin-mining-zombie-and-owns-up-to-it-in-the-eula.html#tk.rss_all
2013-11-19
WHAT THIS IS ABOUT:
Noon Tuesday: UO e-mail service is having continuing troubles (is it the
Full Moon in Taurus, or the comet ISON?). Here's an oracle to answer the
question: "Is it me, or is mail not working?"
WHO SHOULD READ THIS:
Everyone, especially folks with questions in the afternoons (when I'm
off-campus) about UO computing services.
WHAT YOU SHOULD DO:
If you have a question about UO electronic services, my web page has some
useful links.
Go to http://pages.uoregon.edu/burridge
Along the right-hand side of the page is a list of UO related Twitter posts;
these are sometimes useful.
Right above the Twitter posts is a link to Status Updates:
https://status.uoregon.edu/ ; follow this link for status updates and
services' histories.
On the left-hand side is a link to previous announcements:
http://pages.uoregon.edu/burridge/TechAnnouncements.php
ADDITIONAL INFORMATION:
https://status.uoregon.edu/
https://twitter.com/UOTechDesk
https://twitter.com/UOregonLibNews
https://twitter.com/UOregonTEP
https://twitter.com/UOEnglishDept
2013-11-18
WHAT THIS IS ABOUT:
E-mail sent to UO folks purportedly with an announcement of an upgrade to a
new WebMail Service is a scam (this gets points for insidious cleverness, but
loses them for poor grammar and vague phrases: 2 Admiral Ackbars).
WHO SHOULD READ THIS:
Sigh. Everyone.
WHAT YOU SHOULD DO:
If you receive an e-mail announcing an updated version of WebMail, Delete it
unread. (See bogus message below)
ADDITIONAL INFORMATION:
Look at the date of this supposed upgrade notice; it's a Sunday. No system
administrator in his or her right mind (well, OK) would upgrade a heavily
used system on a Sunday and subject themselves to the Monday Morning from
Support Heck.
Webmail is a web service which doesn't require updates for you to update.
(Unlike, say, Banner.)
The surprise nature of "Hey! We just Updated a Mail Service You All Use on a
Daily Basis Without Warning Anyone Ahead of Time" should be a tip-off that
this isn't on the level.
The link that the Evil Ones want to send you to ends in .net; if this were a
valid update, it would end in a uoregon.edu.
Read the text below out loud to catch the grammatical errors.
Also, what are "advanced secured functions" ? (I think the author means
"advanced security functions", which is still vague enough to raise scamming
concerns.)
For some reason, the phishers think that including a copyright notice will
increase compliance (because once a message has been sent as a mass e-mail,
they still want to preserve their anthology and film rights).
A real upgrade notice would direct you to the Help Desk in McKenzie, and very
likely be from someone like Spencer Smith or Jon Miyake.
[Text of Bogus Letter]
-------- Original Message --------
Subject: Information Technology Services Help Desk
Date: 2013/11/17 08:48
From: University of Oregon
To: Recipients
The University of Oregon have released a new version of uoregon.edu webmail
Sunday , Nov 17, 2013.
This newest webmail version comes with new and advanced secured functions and
anti-spam protection.
You are advised to click and follow the link below to migrate today, and to
enable advanced security features;
http://[REDACTED].net/f/uoregon.edu
----------------------------------------------------------------------------------------------------------------------------
Copyright 2013 University of Oregon.
-----------------------------------------------------------------------------------------------------------
2013-11-14
WHAT THIS IS ABOUT:
The English Department is being spammed with scam tutor requests (message
included below). This is a trick (which John rates at Three-and-a-half
Admiral Ackbars) to get your banking information.
WHO SHOULD READ THIS:
Everyone who reads e-mail.
WHAT YOU SOULD DO:
If you receive a vaguely worded e-mail from Colvin Hostetter, requesting a
tutor, the safest thing to do would be to delete the message. If you're
feeling like you'd like to be helpful, you could forward the message to the
University Teaching and Learning Center (TLC), at tlc@uoregon.edu.
ADDITIONAL INFORMATION:
How this scam usually plays out:
1) Scammer requests a tutor for a non-existent child.
2) Friendly tutor replies and sets up session.
3) Scammer over-pays, then request money back.
4) Insert bank shenanigans here, resulting in tutor's lost money.
http://tlc.uoregon.edu/learningservices/tutoring.html
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2012-09-04
http://consumerist.com/2009/06/stay-away-from-the-nigerian-tutoring-scam.html
http://mattbestmusic.blogspot.com/2011/12/beware-private-lesson-scam.html
========================
[scam message text]:
Hello,
How are you doing today? My name is Colvin Hostetter. I came across your
e-mail under the Graduate Students portal while surfing online for tutorial
for my daughter, Debra. Debra is a 18 years old girl. She is ready to learn.
I would like the lessons to be at your location. Kindly let me know your
policy with regard to the fees, cancellations, location and make-up lessons.
Also, get back to me with your area of SPECIALIZATION and any necessary
information you think that might help.
The lessons can start by next week. Mind you, any break during Thanksgiving
and Christmas would be observed respectively.
Looking forward reading from you.
My best regard,
2013-11-06a
WHAT THIS IS ABOUT:
Staff in the English Department have received multiple phishing e-mails that
attempt to trick the reader into visiting a sketchy-looking web site.
WHO SHOULD READ THIS:
Everyone.
WHAT YOU SHOULD DO:
If you receive a vague message from a vague source (see messages below),
purportedly with vague information for you, don't follow the links in the
message. One message is from "Frank" who is "John's Assistant" (I'm not sure
if this is lucky guessing on my name, or just a gamble that there are enough
Johns and Franks in IT for this to work or what). The other one is from
"Blackboard Notifications."
The e-mails have been forwarded to phishing@uroegon.edu and UO Network
Security has taken steps to block this particular strain of phishing
attempts.
ADDITIONAL INFORMATION:
The UO's official site for Phishing:
http://security.uoregon.edu/node/37.html
Sample Message ONE:
From: Frank Morello [mailto:f.morello@usc.edu]
Sent: Wednesday, November 06, 2013 9:32 AM
To: f.morello@usc.edu
Subject: Re: Report from John
Hello,
Good Morning. My name is Frank and I am John's assistant. He asked me to
forward you a copy of your school report.
I have uploaded it for you, please click here [LINK REDACTED] to confirm this
report.
Thanks!
Frank Morello.
Sample Message TWO:
From: Blackboard Notifications [mailto:notifications@now.eloqua.com]
Sent: Wednesday, November 06, 2013 9:21 AM
To: notifications@now.eloqua.com
Subject: New Message Alert - Course Form
Good Morning,
Your school has uploaded an important course form for you on the Blackboard
Learning System.
Click here [LINK REDACTED] to view the course form now
Thank you.
Blackboard Notifications.
2013-11-06
WHAT THIS IS ABOUT:
Microsoft is warning users that older versions of Microsoft Word for Windows
has a security hole in it that could allow a booby-trapped Word document sent
as an e-mail attachment to do Evil Things. But don't panic, it seems to only
be targeting Windows Vista and Windows XP computers in the Middle East.
WHO SHOULD READ THIS:
Users of Microsoft Office 2003 through 2010
Users of Windows XP
Office 2013 Users are not affected.
Windows 7 Users are not affected.
Windows 8 Users are not affected.
Macintosh Users are not affected.
WHAT YOU SHOULD DO:
As a general practice, avoid opening unexpected attachments sent by
strangers.
If you are using an older version of Microsoft Office on a Windows XP or
Vista computer, then continue with these instructions; otherwise STOP.
There is no full-blown security patch for this problem. Microsoft has
instead issued a "Fix it" script as a work around.
Save your work and close Microsoft Office.
Go to this Microsoft web site: https://support.microsoft.com/kb/2896666
There may be a System Tip near the top of the page; if it says "this article
applies to a different version of Windows than the one you are using" then
STOP.
Scroll Down a bit. There will be two icons of a faceless person in a blue
cap and blue overalls wielding a wrench. Click on the faceless person on the
left, Microsoft Fix it 51004. (The other icon is for _UN_installing the Fix
it.)
The work-around should install itself. Follow any additional instructions.
ADDITIONAL INFORMATION:
This exploit works by having The Bad Guys make a mal-formed graphic (with
code) and placing it into a Word document. Then they e-mail the Word
document as an attachment. When MS Word on a target machine attempts to
display the graphic, it runs Evil Code. The Fix-It workaround doesn't
address the root of the problem (older versions of Word shouldn't execute
code hidden in Evil Graphics), but beefs up security settings within Word.
It's expected that Microsoft will roll out a more permanent fix during a
future Patch Tuesday. Microsoft is taking this opportunity to point out that
old software is insecure software, that WinXP will not be supported after
April 2014, and that bright, shiny new software will keep your data secure.
Warning from Graham Cluley:
http://grahamcluley.com/2013/11/microsoft-zero-day-attack/
Microsoft Technical Paper on the Security Hole:
http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx
Microsoft Security Advisory:
https://support.microsoft.com/kb/2896666
2013-10-29
WHAT THIS IS ABOUT:
This is a follow-up message about Mavericks (OS 10.9), Apple's latest operating
system for the Macintosh. Mavericks is not Totally Evil (I'd give it 2.5 Admiral
Ackbars), but , like any major operating system upgrade, it does have some quirks
and road-bumps. Install with caution for improved security.
WHO SHOULD READ THIS:
Folks running Snow Leopard (10.6), Lion (10.7) or Mountain Lion (10.8) on their
Macintosh computers.
Older machines may be unable to install the latest Apple operating system.
Windows 7 folks may wish to read as a cautionary tale.
WHAT YOU SHOULD DO:
If the answer to "Am I using my Macintosh to work on something important that's Due
Really Soon?" is YES, then I'd wait to do the update to a less busy time.
If the answer to "Do I use Keynote or Pages a lot?" is YES, then you might want to
read http://www.theregister.co.uk/2013/10/28/apples_massive_software_update_fail/
and decide if you can live with a dumbed-down version of Keynote or Pages or if you
want to reinstall the previous version after updating to Mavericks.
If the answer to "Do I use Outlook or the Apple Mail client?" is YES, then you
might want to consider switching to a web-based e-mail client before upgrading to
Mavericks. If you use a web browser (e.g. Firefox, Chrome, Safari) to read UO Web
Mail or Gmail, you'll be fine.
If you and your Macintosh are ready to upgrade to Mavericks, then
- Save all work and close all applications.
- For extra piece of mind, make a back-up of important work you can't live without.
- Go to
http://www.apple.com/osx/how-to-upgrade/
and follow the instructions there.
- You will need about a half-hour to download the upgrade (with campus internet
connection speeds). Once the upgrade is downloaded, it takes about an hour to
install - this is a good time to do other tasks or take lunch.
- The Macintosh should restart itself during the install process.
After about an hour or so, the new operating system should come up and ask you some
simple configuration questions, like what's your AppleID and do you want to set up
an iCloud account?
I personally think iCloud Keychain is putting all your security eggs in one basket,
so I opted out of signing into iCloud - we'll see how often the iMac bugs me to log
into iCloud However, if I had several Apple Devices that I regularly switched back
and forth between on a daily basis, I could see how the iCloud Keychain could come
in handy. But back on the Geeks-Bearing-Gifts hand, if I'm using my AppleID to
purchase Fun Things on my Fun Machine, do I really want that information used on my
Work Machine (and vice versa - think credit card charges)?
ADDITIONAL INFORMATION:
Although I'm grumbling a bit about Mavericks, installing it should improve the
security on Macintoshes.
I have installed Mavericks on an iMac which I use mostly for web browsing and
trouble-shooting. Other than Maverick's disinclination to print to a Ricoh Aficio
MP 4002 (printing to the MailRoom printer works fine), I have not run into any
problems so far, but I have been reading about the odd glitch here and there. The
most annoying "upgrade" to me is the loss of the RSS feed in the screen saver (OK,
yeah, and the printer driver problem). I have not installed this on my home
computer yet, partially because it's an older machine that may not be able to run
the latest operating system (it turns out it's too old), and partially because I
don't know how well Scrivener (writer's software) works with it (it should).
Links to various articles as I find them:
http://pages.uoregon.edu/burridge/UsefulLinks.html#Mavericks
Ars Technica Review of Mavericks (or the "Oh What a Wonderful Feeling!" Five Hour
Aria):
http://arstechnica.com/apple/2013/10/os-x-10-9/
Mavericks Version of iWork (Keynote, Numbers, and Pages) a Software Update FAIL
http://www.theregister.co.uk/2013/10/28/apples_massive_software_update_fail/
Top 6 Mavericks Annoyances and How To Fix Them:
http://www.maclife.com/article/howtos/top_6_mavericks_annoyances_and_how_fix_them
Airdrop Woes Between Apple Devices:
http://www.tuaw.com/2013/10/23/alternatives-to-airdrop-between-iphone-and-mac/
Mavericks Mail Woes:
Gmail
http://www.tuaw.com/2013/10/23/how-mavericks-ruined-apple-mail-for-gmail-users/
FastMail SMTP & Outlook Servers
http://www.theregister.co.uk/2013/10/27/os_x_mavericks_mail_client_spews_infinite_spam/
Fixing SMB Network Drive Access (NB: this was not a problem for me):
http://www.tuaw.com/2013/10/27/did-mavericks-kill-your-network-drive-access-heres-a-fix/
OS X Mavericks breaks multi-monitor setups with some USB displays:
http://arstechnica.com/information-technology/2013/10/os-x-mavericks-breaks-multi-monitor-setups-with-some-usb-displays/
A Technical How-To for the Technically Able:
http://arstechnica.com/apple/2013/10/how-to-make-your-own-bootable-os-x-10-9-mavericks-usb-install-drive/
Apple's How-To For Installing Mavericks:
http://www.apple.com/osx/how-to-upgrade/
2013-10-23
WHAT THIS IS ABOUT:
Apple is luring people to a new operating system called OS X Mavericks (OS 10.9)
with a free update (pause while I ponder if I should dress as Cassandra or Admiral
Ackbar).
WHO SHOULD READ THIS:
Macintosh users running OS 10.6 (Snow Leopard), 10.7 (Lion) or 10.8 (Mountain
Lion)
Folks using earlier Apple OS may have machines that can't run Mavericks (OS 10.9)
Windows Users are Unaffected
WHAT YOU SHOULD DO:
Remember when iOS7 for the iThings had quite a few bugs when it first came out?
It's possible my fear of the words "iCloud Keychain" (you want to keep all my
Macintosh's passwords on your remote iCloud server?) is totally unfounded, but if
folks could hold off updating to the new OS until sometime after Halloween, that
will give the world at large (and myself) time to see how everything looks and what
bugs lurk deep in the heart of this new operating system.
ADDITIONAL INFORMATION:
OS X Mavericks breaks multi-monitor setups with some USB displays
http://arstechnica.com/information-technology/2013/10/os-x-mavericks-breaks-multi-monitor-setups-with-some-usb-displays/
OS X 10.9 Mavericks: The Ars Technica Review
http://arstechnica.com/apple/2013/10/os-x-10-9/
That iCloud Keychain Thing.
http://arstechnica.com/apple/2013/10/os-x-10-9/5/#icloud-keychain
A Technical How-To for the Technically Able:
http://arstechnica.com/apple/2013/10/how-to-make-your-own-bootable-os-x-10-9-mavericks-usb-install-drive/
Apple's How-To For the Those Who Embrace Bleeding Edge Adoption:
http://www.apple.com/osx/how-to-upgrade/
2013-10-21
WHAT THIS IS ABOUT:
Don't panic. This is a PSA about CryptoLocker -- a nasty piece of ransom-ware --
more than anything else. CryptoLocker is software that encrypts data files on your
computer, and then demands hundreds of dollars to unlock the files.
WHO SHOULD READ THIS:
Everyone; this is a computer security issue.
Macintosh users are not as affected by CryptoLocker as Windows users, but could be
vulnerable through file sharing services such as DropBox.
WHAT YOU SHOULD DO:
As usual, don't click on unexpected attachment files which show up in your e-mail
box. CryptoLocker spreads through e-mail attachments.
An ounce of prevention is worth a pound of cure; keep your operating system updated
and make sure to have current antivirus software on your machine. CryptoLocker
also spreads through botnets: networks of computers compromised through security
holes and under the control of Evil People.
Keep a back-up of important files on a USB or other external device not always
connected to the computer. I want to stress that DropBox, GoogleDocs, and MS
Skydrive are (wildly convenient) synchronization tools, not back-up tools. If
CryptoLocker gets onto a computer connected to networked drives, it will encrypt
networked files as well.
If CryptoLocker gets onto your machine and encrypts files, don't pay the ransom.
There's no promise that the ransom will be honored. Clean up the computer and
restore the unencrypted files from backup.
ADDITIONAL INFORMATION:
Info-Lite Description of CryptoLocker
http://networksunlimited.com/blog/2013/9/13/new-virus-cryptolocker-on-the-rise
Technical Description of CryptoLocker
http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/
Video of how CryptoLocker Works:
http://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/
CryptoLocker Info with Informercial Ending
http://www.becktek.ca/2013/10/malware-causing-severe-data-loss-is-on-the-loose-heres-what-to-do/
2013-10-03
WHAT THIS IS ABOUT:
Adobe Systems, the folks who bring you Adobe Acrobat and Adobe Reader, has been
hacked. Information from 2.9 million Adobe customers has been stolen. This
includes customer names, encrypted debit and credit card numbers, and
username-password combinations used to download Adobe software. Oh, and the
source code for Adobe products, too.
(But don't panic, the data was encrypted.)
WHO SHOULD READ THIS:
Everyone, alas.
The price of freedom is eternal vigilance, even in the panopticon.)
WHAT YOU SHOULD DO:
Adobe recommends users change their passwords on any website where they may have
used the same user ID and password as their Adobe ID's.
If you have an Adobe username and password, follow the instructions from Adobe
here:
http://helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html?promoid=KHQGF
Expect Emergency OMG-They-Found-A-Security-Hole-In-Our-Products! patches from
Adobe next week....
ADDITIONAL INFORMATION:
So... if you've _personally downloaded_ Adobe Acrobat, Adobe Reader, or Adobe
Whatever and been forced to use Adobe's Download Assistant, you've got an Adobe
user ID and password. (If a tech person downloaded and installed Adobe stuff
for you, then chances are lower that you have an Adobe user ID and password;
guess what IT folks all over campus will be doing Friday...) If you've been
performing Adobe Software _updates only_, those don't require Adobe
username/passwords (usually).
Adobe says it's working with law enforcement and banks to help control the
damage. Accounts which Adobe thinks have been compromised will have passwords
reset.
This is an object lesson on why one should not use the same password for every
web site on the internet. If the Bad Guys figure out your username and password
at Adobe, and it's the same as your password on Gmail, or UO Mail, or your bank,
it's a pretty safe bet you'll have some identity theft problems.
Adobe's Costumer Security Alert (with FAQ at end):
http://helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html?promoid=KHQGF
Adobe Does Post Damage Damage Control:
http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html
A Security Expert Gives the Bad News:
http://grahamcluley.com/2013/10/adobe-hacked-product-source-code-stolen-customer-database-accessed/
Security Week:
http://www.securityweek.com/adobe-confirms-source-code-breach-theft-customer-data
The Unoficcial Apple Website:
http://www.tuaw.com/2013/10/03/2-9-million-adobe-customer-accounts-compromised/
2013-10-02
WHAT THIS IS ABOUT:
On October 1, Apple released a firmware update for all MacBook models. The
update fixes problems where the laptop loses track of the battery, then obsesses
on where the battery is to the exclusion of all else (like user requests).
WHO SHOULD READ THIS:
Users of MacBook Air, MacBook Pro or MacBook Pro with Retina
Users of other kinds of Macintosh Computers are unaffected
Windows users are unaffected.
WHAT YOU SHOULD DO:
I haven't come across any electronic wailing or gnashing of teeth about the
updates in the 24 hours since the firmware release.
This might make a good computer hygiene task after Oct 7, by then any gotchas
lurking in the updates should have surfaced.
The firmware updates will show up in a regular software update.
Save work and close out any programs.
Go to the Apple Menu.
Choose Software Update.
There should be a pause, then the Mac should say that Software updates are
available.
Click on the SHOW DETAILS button.
If the MacBook needs a firmware update, it should be listed in the updated
software list; look for the letters SMC.
Make sure there's a check in the box for the update (the default is
checked).
Press the INSTALL ITEMS button.
A new dialog box should appear and display the download and installation
process.
Follow any remaining prompts. It's possible the machine will need to be
rebooted.
ADDITIONAL INFORMATION:
Most of these updates require Apple OS 10.7 or OS 10.8, and the file size of the
updates are 1MB or less.
The Unofficial Apple Website announcement:
http://www.tuaw.com/2013/10/02/apple-releases-smc-firmware-update-battery-fixes-for-macbooks/
MacBook Air SMC Update v1.8
http://support.apple.com/kb/DL1627
MacBook Pro Retina SMC Update v1.2
http://support.apple.com/kb/DL1559
MacBook Pro SMC Firmware Update 1.7
http://support.apple.com/kb/DL1633
WHAT THIS IS ABOUT:
Microsoft is in a dither about a security flaw in Internet Explorer which allows
Maliciously Crafted Web Pages to Run Malicious Software on your computer.
WHO SHOULD READ THIS:
Users of Internet Explorer to browse web pages.
Other web browser users are not affected.
WHAT YOU SHOULD DO:
There is no permanent patch for this hole, only some configurations you can follow
(or have a FixIt script install for you) to mitigate damage. The simplest solution
would be to use the Firefox or Chrome browsers.
Firefox download: http://www.mozilla.org/en-US/firefox/new/
Chrome download: https://www.google.com/intl/en/chrome/browser/
If you need to use Microsoft Internet Explorer, there is a temporary "FixIt" patch
here: https://support.microsoft.com/kb/2887505N.B.: This works only for 32-bit versions of Explorer.
Microsoft values your computer security, so while there isn't a permanent patch
available yet, there should be one next Patch Tuesday (October 8), or possibly
sooner if Microsoft thinks this is a large enough hole.
ADDITIONAL INFORMATION:
The current Microsoft stance on this appears to be "Oh, hey; we've noticed The Bad
Guys are kind of starting to hijack your computers with this Internet Explorer
security hole. But it's only a limited number of Bad Guys. So, um, be a little
careful out there. Here's safety guidelines our lawyers said we should give you."
Microsoft's Technical Advisory:
http://technet.microsoft.com/en-us/security/advisory/2887505
Microsoft's Blog about Microsoft's Technical Advisory:
http://blogs.technet.com/b/msrc/archive/2013/09/17/microsoft-releases-security-advisory-2887505.aspx
Ars Technica article:
http://arstechnica.com/security/2013/09/microsoft-issues-fix-to-stop-active-attacks-exploiting-serious-ie-bug/
2013-08-29
WHAT THIS IS ABOUT:
Evil People are pretending to be computer security folks and are sending phishing
attempts disguised as anti-phishing messages.
WHO SHOULD READ THIS:
All UO e-mail users.
WHAT YOU SHOULD DO:
If you received a message from "webinfo" [see below] or if you receive a message
saying something along the lines of "Your account has been blocked (or expired or
possibly compromised), please go to [some website] to restore (or verify) it,"
then delete the message. Please do not follow any links in it. It's a trick.
For extra Good Internet Citizen points, you can report it by forwarding it to
phishing@uoregon.edu (be sure to include the e-mail's full headers).
If you have responded to this phishing email, please contact the Central Computing
Help Desk in the basement of McKenzie (346-HELP or helpdesk@uoregon.edu).
ADDITIONAL INFORMATION:
The University's Information Technology Department maintains some useful sites here:
http://security.uoregon.edu/node/37.html
https://it.uoregon.edu/node/2022
And you can use
https://duckid.uoregon.edu/
to manage your electronic accounts with the University.
To take a closer look at the phishing attempt
The message opens up with statistics, because statistics make the sender sound
authoritative. Then the message attempts to disarm the recipient's suspicions by
A) providing a Capitalized Bogus Division of Security Name and B) masquerading as a
PSA.
The second paragraph is using words like "advised" and "verify." Again, this is to
try to establish the sender's authority, and to connect with the recipient's
reptilian brain by the use of fear of a hacked in account.
The site the e-mail sends you to looks like it's a uoregon site, but it doesn't end
in uoregon.edu, it ends in webform.com.
The message concludes with another attempt at computer security fear-mongering to
get you to comply with the request to visit the link.
A legitimate message from Central Computing would close with contact information
for the Help Desk in McKenzie Hall, or would include specific contact information
from Jon Miyake, Senior IT Policy & Security Administrator. This message doesn't
but does append a copyright notice (because, you know, we don't want anyone to
infringe on this message by copying it without proper compensation to the
University).
Phishing e-mail text (links redacted)
---------- Forwarded message ----------
From:
Date: Thu, Aug 29, 2013 at 8:18 AM
Subject: University of Oregon Webmail
To: Recipients
As phishing schemes become more sophisticated with phishers being able to convince
up to 50% of recipients to respond, it has become increasingly important for The
Division of Information Protection and Security at the Office of Information
Technology to inform you that we are seeing an increase in email accounts that have
been compromised by phishes.
As a result you are advised to verify your account to confirm that it has not been
compromised by phishes. To verify your account, please click and follow the
verification link below or simply copy and paste it into your web browser;
https://uoregon.webform.com/[redacted)] To ensure full protection of your account,
please take a few minutes now - it could save you a lot of time and frustration
later.
Copyright 2013 University of Oregon. All rights Reserved
1585 E. 13th Avenue Eugene Oregon, 97403
Phone: 541-346-1000
2013-08-20
WHAT THIS IS ABOUT:
Apple will start a buy back program for third-party USB adaptors for some its
products.
WHO SHOULD READ THIS:
Users who have bought _non-Apple_ produced USB re-chargers for their iPhones,
iPads, or iPods and who are worried about spontaneous combustion.
Dell, HP, Android and other hardware users are not affected.
WHAT YOU SHOULD DO:
If you have a third-party USB power adaptor for an iPhone, iPad, or iPod, you can
bring it in to a Certified Apple Dealer and buy a safety-approved, official
Apple-made adaptor.
To quote from TUAW: "To qualify for a new specially-priced US$10 Apple USB power
adapter, you must bring your third-party adapter and your iPhone, iPad, or iPod to
an Apple Retail Store or an Apple Authorized Service Provider. The retailers will
validate the serial numbers and you can buy one adapter for each iOS device you
bring in until October 18, 2013. Not all Apple Authorized Service Providers may be
participating in the buyback program, so check Apple's site for potential
locations."
As of this writing, neither the UO Bookstore or the Hardware Desk in McKenzie are
participating in the USB Tackback program.
ADDITIONAL INFORMATION:
The Unofficial Apple Website article:
http://www.tuaw.com/2013/08/06/apple-begins-takeback-program-to-replace-third-party-usb-charger/
Office Apple Announcement:
http://www.apple.com/support/usbadapter-takeback/
What Official Apple Adapters are Officially Supposed to Look Like:
http://www.apple.com/power-adapters/
Apple Sales Locations for Eugene (hint, they're off-campus)
https://locate.apple.com/sales/?pt=all&lat=43.9697922&lon=-123.2005853
2013-05-06
WHAT THIS IS ABOUT:
An newly discovered, unpatched security hole in Internet Explorer 8 is
being used to download backdoor trojan horse software onto computers.
WHOU SHOULD READ THIS:
Computer users who use Internet Explorer 8 (especially if they test nuclear weapons
for the Department of Energy)
Users of other versions of Explorer are not affected.
WHAT YOU SHOULD DO:
There is no fix for this security hole at this time. Microsoft recommends
using a different version of Explorer.
If using a different version is not possible, Microsoft suggests
increasing the security settings for ActiveX within Explorer (which may
break some things)
Lifted from http://technet.microsoft.com/en-us/security/advisory/2847140,
to raise the browsing security level in Internet Explorer, perform the
following steps:
On the Internet Explorer Tools menu, click Internet Options.
In the Internet Options dialog box, click the Security tab, and then click
Internet.
Under Security level for this zone, move the slider to High. This sets the
security level for all websites you visit to High.
C Click Local
intranet.
Under Security level for this zone, move the slider to High. This sets the
security level for all websites you visit to High.
Click OK to accept the changes and return to Internet Explorer.
Note If no slider is visible, click Default Level, and then move the slider to
High.
Note Setting the level to High may cause some websites to work incorrectly. If you
have difficulty using a website after you change this setting, and you are sure the
site is safe to use, you can add that site to your list of trusted sites. This will
allow the site to work correctly even with the security setting set to High.
ADDITIONAL INFORMATION:
This particular Internet Explorer security hole is being used in what is
called a "watering hole attack." Malware is installed on a site (in this
particular instance a Department of Labor web site) likely to be visited
by members of a target institution (in this case, Department of Energy
employees). The malware being installed is a trojan back-door package
known as "Poison Ivy."
Microsoft's Security Advisory on this Issue:
http://technet.microsoft.com/en-us/security/advisory/2847140
Ars Tecgbuca:
http://arstechnica.com/security/2013/05/internet-explorer-zero-day-exploit-targets-nuclear-weapons-researchers/
Invincea's technical write-up:
http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/
2013-04-12
WHAT THIS IS ABOUT
A Microsoft Windows 7 Security Update is causing _some_ Windows 7 machines
to display an error message (Event ID 55 or a 0xc000021a Stop error)
instead of starting up properly. Microsoft is aware of the problem and
has removed the offending Security Update 2823324 update from its download
utility.
WHO SHOULD READ THIS
Windows 7 users.
Windows XP users are not affected.
Windows 8 users are not affected
Macintosh users are not affected.
WHAT YOU SHOULD DO
Locate a Windows 7 install CD, which may be needed. If you have a machine
that doesn't have a CD drive, all is not lost, but recovery may be
trickier.
A. If the security update has been installed, but the problem hasn't
manifested,
In Control Panel, open Programs, and then click View Installed updates.
Select Security Update for Microsoft Windows (KB2823324), and then click
Uninstall to uninstall the security update
B. If the Windows 7 machine doesn't start and instead displays worrisome
error messages like Event ID 55 or a 0xc000021a Stop error then... go back
to a previous Windows Restore Point. There are several ways to do this,
the simplest is probably
1. Restart by using the F8 key.
2. Select Repair your Computer.
3. Select the language, and then log on to the computer. (NOTE: If you
do not know the local password, you must start by using a Windows 7 DVD
or USB bootable media. Then, access System Recovery Options.
4. Select System Restore from the menu:
5. Restore the last restore point. This uninstalls security update 2823324.
6. Restart the computer into normal mode.:
Other recovery options are listed under "Scenario B: Recovery steps for
computers...." about half-way down the web page:
http://support.microsoft.com/kb/2839011
ADDITIONAL INFORMATION
Sophos Report about the Patch Tuesday Bug:
http://nakedsecurity.sophos.com/2013/04/12/patch-tuesday-fatal-system-error/
Microsoft Response:
http://blogs.technet.com/b/msrc/archive/2013/04/11/kb2839011-released-to-address-security-bulletin-update-issue.aspx
Microsoft Triage Page leading to other Microsoft pages
http://support.microsoft.com/kb/2839011
Instructions for using the Bootrec.exe tool (this is a heavy duty utility for fixing start-up problems)
http://support.microsoft.com/kb/927392
2013-03-14
WHAT THIS IS ABOUT:
A recent upgrade to INB broke Banner for some Macintosh users.
WHO SHOULD READ THIS:
Macintosh OS 10.6 users who need to use Banner.
WHAT YOU SHOULD DO:
Visit this page
http://support.apple.com/kb/HT5559
and run the scripts to enable Apple's Java 6 SE.
ADDITIONAL INFORMATION:
Queue the Wagner. Imagine the forces of Apple, Sun Microsystems, Oracle,
and Microsoft arrayed over a misty craggy setting... the end user has to
endure twenty hours of opera and dies at the end.
2013-02-14
WHAT THIS IS ABOUT:
Adobe is reporting about a recently discovered security flaw in Acrobat
and Reader which could allow a maliciously designed PDF file to crash and
potentially take over your computer.
WHO SHOULD READ THIS:
People who use Adobe Acrobat and Reader:
+ Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
+ Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
+ Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintos& Linux
+ Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
+ Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
+ Abobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh
WHAT YOU SHOULD DO:
Currently, there is no patch for this security flaw.
In general, be mindful when opening PDFs, especially ones e-mailed from
strangers. (If it helps you to be more cautious, imagine a five-year-old
sniffling with a runny nose every time you see a PDF attachment in
e-mail.)
Windows Users:
If you have version XI of the software, go into the preferences, select
"Security (Enhanced)" and choose "Enable Protected Mode at Startup" for
ALL FILES.
Macintosh Users:
The Macintosh version of the Acrobat software does not have a protected
mode option. Macintosh users may opt to use the Preview application to
look at PDFs
ADDITIONAL INFORMATION:
https://www.adobe.com/support/security/advisories/apsa13-02.html
http://nakedsecurity.sophos.com/2013/02/14/no-patch-yet-for-pdf-exploits/
2013-01-22
WHAT THIS IS ABOUT:
This is a public service announcement about LAP LAMBERT Academic
Publishing, a vanity "academic" press.
WHO SHOULD READ THIS:
Folks who have received e-mail solicitations from one of this publishing
house's "acquisition editors."
WHAT YOU SHOULD DO:
Delete e-mail from this company. Hang onto your author's rights.
ADDITIONAL INFORMATION:
http://scholarlyoa.com/2012/11/05/lambert-academic-publishing-a-must-to-avoid/
http://en.wikipedia.org/wiki/VDM_Publishing
http://chrisnf.blogspot.com/2010/06/lambert-academic-publishing-continues.html
2013-01-16
WHAT THIS IS ABOUT
Oracle has released release 11 of Java version 7 to fix a critical
security flaw.
WHO SHOULD READ THIS
Everyone. This is a cross-platform security issue.
WHAT YOU SHOULD DO
I.A Macintosh Users with OS 10.6 (Snow Leopard) or Older:
Older Macintoshes use a version of Java provided by Apple.
1. Save your work and close all applications.
2. Go to Apple -> Software Update. A dialog box will appear showing the
Macintosh's progress downloading updates. Eventually, a new dialog box
should appear.
3. The new dialog box should list software updates the utility wants to
install. Click the blue INSTALL button to install updates, if any.
4. A new dialog box should appear showing the status of the installation.
This may take some time, depending on how many installs there are.
Eventually, the Macintosh should display a dialog box which reads "The
update was installed successfully." Click OK.
Skip to the instructions in II.A
------
I.B Windows Users and Macintosh Users with OS 10.7 (Lion) or
Newer:
Determine if Java is installed on your machine.
1. Go here: http://www.java.com/en/download/installed.jsp
You should see a red button with the words "Verify Java version" on it.
If there is no big red button, but instead you see a message about
visiting Apple, your computer is a Macintosh running older operating
system software: please read the previous section above.
2. Click the red verify button. The browser will pause, then display a
new window.
3a. If the web site reports that you do not have Java installed,
STOP (no Java = no Java security hole). You're done. Close the browser.
3b. If the web site reports that you have Java version 7 release 11
installed, you have the latest release. Proceed to the next section.
3c. If the web site reports that you have an older version of Java,
update to Java 7 release 11.
-------
II.A Disabling Java within Browsers:
Once Java's status is confirmed, and assuming Java is installed on the
computer, follow the instructions here to limit how it interacts with web
browsers:
http://www.java.com/en/download/help/disable_browser.xml
ADDITIONAL INFORMATION
NB: Users of older Macintosh computers (10.6 Snow Leopard or older) use
an Apple-flavored version of Java 6. Java 7 is not available for OS 10.6
and older because.... "The Java Runtime depends on the availability of an
Application programming interface (API). Some of the API were added in Mac
OS X 10.7.3. Apple has no plans to make those API available on older
versions of the Mac OS."
FAQ for Macintosh Java Users:
http://www.java.com/en/download/faq/java_mac.xml
About Java for Mac OS X v10.6 Update 11
http://support.apple.com/kb/HT5494
Oracle patches widespread Java zero-day bug in three days (Updated)
http://arstechnica.com/security/2013/01/oracle-patches-widespread-java-zero-day-bug-in-just-three-days-that-is/
Oracle releases v11 fix for zero-day Java security flaw
http://www.tuaw.com/2013/01/14/oracle-releases-fix-for-zero-day-java-security-bug/
Some Responses to Java Security Flaws for Apple Users:
http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/
2013-01-11
WHAT THIS IS ABOUT:
Thursday, Jan 10, 2013, someone e-mailed phishing attempts to people with
UO e-mail accounts (see message below).
WHO SHOULD READ THIS:
Everyone.
WHAT YOU SHOULD DO:
If you receive a message saying something along the lines of "Your account
has been blocked (or expired), please go to [some website] to restore it,"
then, in the words of Admiral Ackbar, "IT'S A TRAP!"
The university will never ask for personal information via email.
Please delete the phishing attempt or report it by forwarding it to
phishing@uoregon.edu (be sure to include the e-mail's full headers).
Do NOT click on the link provided in the phishing email. If you have
responded to this phishing email, please contact the Central Computing
Help Desk in the basement of McKenzie (346-HELP or helpdesk@uoregon.edu).
ADDITIONAL INFORMATION:
https://it.uoregon.edu/node/2022
http://security.uoregon.edu/node/37.html
COPY OF THE PHISHING E-MAIL:
-------- Original Message --------
Subject: **{Suspension Of Your Email uoregon.edu}**
Date: 2013/01/10 18:01
From: "University of Oregon Support"
To: Recipients
Reply-To: noreply@uoregon.edu
Access to this server is available from your location through the
Universal Resource Locator Click or Copy the below link to a browser and
fill the required
information's:https://docs.google.com/spreadsheet/[ADDRESS REDACTED]
2013-01-07
WHAT THIS IS ABOUT:
The power (and network) is still out in Straub (and for much of Campus
east of Straub). We have it from a reliable source in Campus Operations
that power will continue to be out for the rest of the day. Several
locations are ahead of Straub on the restoration priority list. The
Psychology Department Admin Staff has been sent home for the day.
Instructors may teach classes in Straub at their discretion.
WHO SHOULD READ THIS:
People who can't see in the dark, or who can't improvise when PowerPoint
isn't an option.
WHAT YOU SHOULD DO:
Consider working from the comfort of home or other place still blessed
with the wonders of electricty, heat, and an internet connection.
If you are teaching in Straub, the daylight should provide lighting for
students to see you and their notes. Signs in Straub are directing
students to various classrooms.
This may be a germane time to review safety procdures -- do you have a
working flashlight in your office?
The University sends text alerts during emergencies (like this one) to
people who sign up with their cell phones:
http://emc.uoregon.edu/content/sign-uo-alert (Guess who had to rely on
his co-workers and go access the UO wireless in the EMU for good
information because he didn't set up his phone?)
ADDITIONAL INFORMATION:
For up-to-date information:
http://alerts.uoregon.edu/
Explosions on Campus (photos):
http://dailyemerald.com/2013/01/07/photos-explosion-on-campus/
Daily Emerald Coverage:
http://dailyemerald.com/2013/01/07/university-reports-emergency-incident-at-health-center/
KVAL Coverage:
http://www.kval.com/news/local/Emergency-crews-evacuate-UO-health-center-185904912.html
WHAT THIS IS ABOUT:
An infrastructure failure (and fire!) in the steam tunnel underneath Agate
Street has knocked out power in Straub Hall. There is no electrical power
nor network service in Straub. We're not sure if there is steam service
to Straub.
WHOU SHOULD READ THIS:
Everyone who likes to use modern technology.
WHAT YOU SHOULD DO:
There is no timetable for when services will be restored. If you can work
from home, this may be the most productive strategy. You may wish to
bring auxilary light sources to navigate some of the darker corners of
Straub.
ADDITIONAL INFORMATION:
http://alerts.uoregon.edu/
2012-12-18
WHAT THIS IS ABOUT:
CERT has released three critical security notes about the Adobe Shockwave
Player. Shockwave is media software used by some web pages and in some
e-mail messages to display animations. The vulnerabilities in Shockwave
could allow Evil People using a Malicious Web Page or E-mail Message to
run your computer as if they were you. Don't panic too much; Shockwave
has been superseded by Adobe Flash Player, and is more likely to be
installed on older machines or on computers used to play arcade-style
games.
WHO SHOULD READ THIS:
Folks who use Shockwave.
Shockwave runs on both Windows and Macintosh platforms.
Folks who do not use Shockwave are not affected.
WHAT YOU SHOULD DO:
Find out if you have Shockwave installed.
1) Steel your resolve to _not_ install anything. Don't do the
stimulius-response-point-and-click thing.
2) Visit http://www.adobe.com/shockwave/welcome/ which will try to
automatically download stuff. Don't let it. If something automatically
downloads, don't run it.
3a) If the web page doesn't play an animation under the words "Adobe
Shockwave Player" then you can rejoice in the knowledge that its
vulnerabilities don't affect you. (Yay!) Close your browser window.
3b) If the web page does does play an animation, then you have Shockwave
and are vulnerable to the exploits. There are several options. The
easiest is to uninstall Shockwave (which means unsteeling your resolve and
downloading some utilities...)
Windows XP users can use this utility:
http://fpdownload.macromedia.com/get/shockwave/uninstall/win/sw_uninstaller.exe
Macintosh users will have to run the Full Shockwave Installer (which
includes the uninstaller). The Full Installer may be found here:
http://www.adobe.com/shockwave/download/alternates/#sp
Click on the link for your Macintosh's operating system.
If you need to keep Shockwave, there are some work-arounds to try to
mitigate the vulnerabilities. These include
Making sure your web browser is secure:
http://www.us-cert.gov/reading_room/securing_browser/#how_to_secure
Using the Microsoft Enhanced Mitigation Experience Toolkit:
http://support.microsoft.com/kb/2458544
Additional, scarily technical work-arounds may be found in the CERT
advisories (see below)
ADDITIONAL INFORMATION:
http://www.kb.cert.org/vuls/id/519137
http://www.kb.cert.org/vuls/id/323161
http://www.kb.cert.org/vuls/id/546769
http://helpx.adobe.com/shockwave/kb/shockwave-player-faq.html
http://helpx.adobe.com/shockwave/kb/download-shockwave-stand-alone-installer.html
2012-12-14
WHAT THIS IS ABOUT:
The UO site-license for SPSS will expire December 31, 2012. As of this
writing, a shiny bright new license for 2013 is still being finalized.
WHO SHOULD READ THIS:
Researchers using UO licensed copies of SPSS.
WHAT YOU SHOULD DO:
If you anticipate the need for statistical analysis around the hinge of
the year, it would be a good thing to do it earlier rather than later, OR
arrange to perform the analysis in mid-January to avoid that awkward
moment when the results of chi squared are "your license has expired." As
soon as Central IT has the licensing codes for SPSS available, I'll inform
folks.
ADDITIONAL INFORMATION:
http://pages.uoregon.edu/burridge/SPSShelp.html
https://it.uoregon.edu/software/spss
2012-12-10
WHAT THIS IS ABOUT:
Don't panic; things seem to be working as of 10 AM. Gmail, Google
Calendar, Google Plus and other Google services appeared to have technical
difficulties early Monday morning, Dec 10. In addition to breaking Gmail,
in some cases the Chrome web browser would crash.
WHO SHOULD READ THIS:
People who use the Chrome web browser and have configured it to
automatically sync with Google services.
People who use other browsers are unaffected.
WHAT YOU SHOULD DO:
The report I've read says that this appeared to be an authentication issue
with Google. The problem appears to be fixed as of this writing. My
experience was that Chrome crashed, but when I rebooted my Macintosh, the
problem fixed itself. Various Google services I've since tested (with
both via MacBook and iPad) appear to be working properly.
If you continue to have difficulties with the Chrome Browser crashing, try
the following:
Start Chrome.
Click on your user avatar in the upper right-hand corner; a menu should
appear.
Click on Sign-out.
This should allow you to use Chrome without it crashing. From there,
you'd want to see if you can connect to G-mail or Google Plus.
ADDITIONAL INFORMATION:
http://techcrunch.com/2012/12/10/gmail-experiences-a-widespread-outage-most-users-affected/
2012-10-26
WHAT THIS IS ABOUT:
Central IT is updating the security certificates on the e-mail servers
Tuesday, Oct 30.
WHO SHOULD READ THIS:
Everyone. This is a campus-wide e-mail issue.
WHAT YOU SHOULD DO:
When you use e-mail for the first time Tuesday morning, you will be
prompted to accept a new security certificate from the e-mail server.
This will look scary and suspicious, but it is expected and legitimate
(think of it as an early cyber-version of Trick-or-Treat). Accept the new
security certificate (this should only happen once for each computer you
read e-mail on), and continue to enjoy your normal e-mail experience.
Those who are mistrustful of the phrase "in the unlikely event" may wish
to attend to any pressing e-mail business Monday.
ADDITIONAL INFORMATION:
Begin forwarded message:
From: helpdesk@uoregon.edu
Date: October 25, 2012 10:44:09 AM PDT
To: deptcomp@lists.uoregon.edu
Subject: deptcomp: Scheduled email SSL certificate renewal on 10/30/12
Reply-To: deptcomp@lists.uoregon.edu
All-
On Tuesday, October 30, 2012 from 5am to 7am, Information Services will be
renewing the SSL certificates for the POP, IMAP, and SMTP email servers.
There will be NO SERVICE OUTAGE during this time.
If you are using an email client, such as Mac Mail, Outlook, or
Thunderbird, you may be prompted to accept the new security certificate.
This announcement is to inform you of the SSL certificate renewal in the
unlikely event that issues arise. Please contact the Information Services
Help Desk at 541-346-HELP (4357) with questions or problems.
Please forward this message to customers and other groups as needed.
Sincerely,
UO Information Services HelpDesk
541-346-HELP
helpdesk@uoregon.edu
facebook.com/UOHelpDesk | twitter.com/UOHelpDesk
2012-10-22
WHAT THIS IS ABOUT:
The latest update for Java may break Banner.
WHO SHOULD READ THIS:
Macintosh users with Java installed (required for Banner)
Windows users with Java installed (required for Banner)
Chrome browser users
WHAT YOU SHOULD DO:
Many computer security folks are throwing their hands into the air and
saying, "If you don't need Java, uninstall it."
However, Banner and some other university business related software
requires Java.
* Windows Users:
Any Windows users who are encountering difficulties with Java 7 should do
the following:
1) Quit the browser.
2) Clear your browser caches. See instructions at
http://pages.uoregon.edu/leblanc/Clear%20Firefox%20and%20IE%20Cache.pdf.
3) Empty your Java cache. See instructions at
https://it.uoregon.edu/faq/how-do-i-clear-my-java-cache.
* Macintosh Users:
A) If you have not yet run a Software Upgrade, you may still be running
Java 6. If the Software Update comes up, you may be better served by
_not_ installing the Java Upgrade:
B) If you've already installed Apple Java Update 11, and you use the
Firefox or Safari web browser, all is not lost.
1) Go into the Finder (click the left-most icon on the dock, or click on
the Desktop)
2) Go into the Applications folder (Go menu > Applications)
3) Click once on the Safari or Firefox icon, and select File > Get Info
4) Confirm that the “Open in 32-bit mode” box is unchecked (uncheck
it if not) and close the Get Info window
Chrome Browser users are in a bind, as Chrome only runs in 32 bit mode.
ADDITIONAL INFORMATION:
http://support.apple.com/kb/HT5494
http://support.apple.com/kb/HT1222
Begin forwarded message:
From: David Walton
Date: October 19, 2012 4:24:21 PM PDT
To: "Departmental Computing List (deptcomp@lists.uoregon.edu)"
Subject: deptcomp: Problems with recent Java updates
Reply-To: Departmental Computing List
Folks,
The latest round of Java updates has been causing some problems on both
Windows and Macintosh platforms. We don’t have a detailed procedure for
resolving the problems on the Macintosh side yet, but I wanted to alert
people to the problems we’ve heard about, and where available, to
suggest what you can do to resolve them.
On the Windows side: some users have reported hanging problems when they
updated Java to the latest version (others, it should be noted, have
applied it without any issues). Any Windows users who are encountering
difficulties should do the following:
- Quit the browser (close all browser windows).
- Clear their browser caches. See instructions at
http://pages.uoregon.edu/leblanc/Clear%20Firefox%20and%20IE%20Cache.pdf.
- Empty their Java cache. See instructions at
https://it.uoregon.edu/faq/how-do-i-clear-my-java-cache.
On the Macintosh side: the latest Java update that Apple released for Mac
OS X (Java for OS X 2012-006) removes support for the Java plugin. As a
result, Banner (and any other applets) will not load after users run the
update. One user managed to resolve it by reinstalling the 6.0 plugin and
doing some trickery behind the scenes (creating a symlink to the newly
installed plugin in /Library/Internet Plug-Ins/), and I am using his notes
to put together a the instructions for doing that, but unfortunately, the
fix is not really an official Apple-supported one, so I’ll need to talk
it over with some people before we release an FAQ. Unfortunately, since
the problem stems from an Apple-supplied software update, I suspect we
will start to hear from users in fairly short order.
If you have encountered either of these problems and have found fixes
other than what I alluded to, please let me know and I’ll try to include
it in the FAQ.
David Walton
~~~~~~~~~
David Walton
Enterprise Systems Developer, Enterprise Administrative Applications
University of Oregon
Mail: walton2@uoregon.edu
Voice: 541-346-1798
Archives of past DeptComp postings can be found
on the Web page
http://pages.uoregon.edu/consult/deptcomp/
ADDITIONAL ADDITIONAL INFORMATION:
To follow up on Chris’s note: Chrome will not run Java 7 on Mac OS X at
all, as it only runs in 32-bit mode.
To make sure that Firefox or Safari is running in 64-bit mode on Mac OS X:
- Go into the Finder (click the left-most icon on the dock, or
click on the Desktop)
- Go into the Applications folder (Go menu > Applications)
- Click once on the Safari or Firefox icon, and select File > Get
Info
- Confirm that the “Open in 32-bit mode” box is unchecked
(uncheck it if not) and close the Get Info window
Note that this should only be necessary if you are running Java 7.
David
~~~~~~~~~
David Walton
Enterprise Systems Developer, Enterprise Administrative Applications
University of Oregon
Mail: walton2@uoregon.edu
Voice: 541-346-1798
From: Chris LeBlanc
Sent: Monday, October 22, 2012 9:46 AM
To: Departmental Computing List
Cc: David Walton
Subject: Re: deptcomp: Problems with recent Java updates
Just to let folks know, you can run into the blank screen instead of Java
loading if the browser is running in 32-bit mode, since the Java applet is
now 64-bit only.
Thanks,
Chris
2012-10-11
WHAT THIS IS ABOUT:
Adobe has released a security fix for 25 security holes in the Adobe Flash
Player. Unpatched holes could allow a malicious person to run Evil
Software on your computer. The Flash Player is software that displays
moving pictures on web pages.
WHO SHOULD READ THIS:
Windows, Macintosh, and mobile users of Adobe Flash Player.
WHAT YOU SHOULD DO:
Microsoft and Google released new versions of Internet Explorer and Chrome
which update
++ Windows Users using Internet Explorer:
Set aside some time.
Confirm that Windows Update has run since Oct 9.
START -> All Programs -> Windows Update
Let Windows Update install any critical updates
++ Folks (Windows OR Mac) using Google Chrome:
Start Chrome.
Go to the Chrome -> About Google Chrome
A new browser window will open.
Confirm that you're using Version 22.0.1229.94; if you are not, Chrome
will prompt you to update.
++ Other browser users (Windows OR Mac):
Start your browser of choice.
Go to http://get.adobe.com/flashplayer/
Follow any update instructions.
ADDITIONAL INFORMATION:
Adobe's Security Bulletin:
http://www.adobe.com/support/security/bulletins/apsb12-22.html
Adobe fixes 25 critical security holes in its software:
http://nakedsecurity.sophos.com/2012/10/09/adobe-security-update/
Microsoft Update for Vulnerabilities in Adobe Flash Player in Internet
Explorer 10
http://technet.microsoft.com/en-us/security/advisory/2755801
2012-10-05
WHAT THIS IS ABOUT:
An e-mail sent out in the last twenty-four hours claimed to be from
"Customer care, University of Oregon Webmail" and included a (bogus) link
to verify active UO Webmail account information. This is really a
phishing attempt; the e-mail message is attempting to send you to a bogus
web site and trick you into revealing personal information. Central IT is
now blocking the bogus web site.
WHO SHOULD READ THIS:
Everyone with a UO e-mail account.
WHAT YOU SHOULD DO:
If you receive an e-mail that seems suspicious...
+ Don't follow any links in the e-mail.
+ It's OK to ask the Psych Tech staff (psychtech@ithelp.uoregon.edu)
or the folks at Central IT (phishing@uoregon.edu) if the message
is bogus or real.
+ When in doubt, delete the message.
ADDITIONAL INFORMATION:
https://it.uoregon.edu/node/2022
http://security.uoregon.edu/node/37.html
Jon K. Miyake, Senior IT Policy and Security Administrator at the UO,
recommends:
* Never respond to e-mail that asks for personal or financial account
information.
Information Services will never send out e-mail asking for account
usernames, passwords, and PAC codes. Ever. This type of information should
never be sent to anyone over e-mail.
* Do not trust 'urgent' e-mail demands for action.
It is a common phishing technique to foster a false sense of urgency in
order to provoke a response. Do not be afraid to ask your local technical
support staff or the IS Helpdesk if an e-mail is phishing before using
information contained in the e-mail or replying to the e-mail.
* Do not trust company phone numbers in e-mail
If you believe the e-mail that you have received to be a phishing attempt
but are concerned that it may actually be real and not fraudulent, please
directly contact the purported sending institution. Do not use the
information from the suspect e-mail. Be sure to use phone number or e-mail
information published on their official website or other established
resource. Information Services has seen phishing e-mails that utilize
VOIP phone numbers with 503 and 541 area codes to encourage recipients to
provide confidential information over the phone to phishers.
* Do not trust unexpected e-mails that contain attachments or website
links.
Be careful when accessing attachments and websites links that you receive
via e-mail. For suspect e-mails, please ask your local technical support
staff or the IS Helpdesk if an e-mail fraudulent or contains malicious
content, prior to accessing the attachment or website link.
* Do not visit fraudulent websites referenced in phishing e-mails
Increasingly the phishing e-mails you receive may not just be attempting
to gain access to your usernames and passwords. If you click on the
phishing website link, the website may then attempt to automatically
compromise your workstation via security issues that can exist with your
web browser or associated web plugins (Flash, Java, Acrobat, etc.)
* Use a web browser that has anti-phishing capability
From past experience, Chrome and Firefox have a faster turn around time in
labeling phishing website as fraudulent. You may wish to use Chrome or
Firefox over other browsers for this and other reasons. If you prefer not
to use Firefox or Chrome, there may be anti-phishing plugins or similar
functionality that you can enable in your preferred browser.
Information Services has a phishing@uoregon.edu e-mail address that you
can use to send in questions about phishing and examples of phishing
attempts that you receive. For phishing samples please include the full
e-mail header. If you are unfamiliar with e-mail full headers the
Information Services Helpdesk has a web page that explains how to enable
full headers for variety of popular e-mail clients.
https://it.uoregon.edu/full-email-headers
We would appreciate it if you would limit phishing examples that you send
to be strictly those directed at gaining access to UO credentials, such as
the UO Duck ID. Phishing attempts for 3rd party institutions such as
banks, online retailers, and similar should be sent directly to those
organizations as they are better able to effectively address such phishing
attempts.
2012-09-19
WHAT THIS IS ABOUT:
A recently discovered, and as-of-yet unpatched, security hole in Microsoft
Internet Explorer could allow Evil People to take over your Windows-based
computer if they tricked you into visiting an Evilly Designed Web Page.
WHO SHOULD READ THIS:
Microsoft Windows users using Internet Explorer to browse the web.
Other browsers are not affected by this exploit.
Windows Users without Java installed on their computers are unaffected.
Macintosh users are not affected by this exploit.
WHAT YOU SHOULD DO:
The wicked-easy option is:
1) Download and use web browser alternates such as Firefox (available
here: http://www.mozilla.org/en-US/firefox/new/) or Chrome
(https://www.google.com/intl/en/chrome/browser/).
If you need to use Internet Explorer and migrating to a different browser
is not an option, then the more complicated option is...
1) Open Internet Explorer (there may be some variations across different
versions of Explorer)
2) Select the TOOLS menu.
3) Choose INTERNET OPTIONS; a dialog box should appear
4) Click on the SECURITY tab
5) Select the Internet Security Zone & set it to HIGH
6) Disable disable Active Scripting
7) Select the Local Intranet Security Zone & set it to HIGH
8) Disable Active Scripting here, too.
Additional security may be provided by installing a security package from
Microsoft, the Enhanced Mitigation Experience Toolkit (EMET). NB: Please
note that before you install EMET, you’ll need to have Microsoft’s
.NET platform installed. And while it does technically work on Windows
XP(Service Pack 3 only), XP users cannot take advantage of mandatory ASLR
and some of the other notable protections included in this tool.
1) Go to http://www.microsoft.com/en-us/download/details.aspx?id=29851
2) Download and install the Enhanced Mitigation Experience Toolkit.
Computer security folks are recommending that all computer users uninstall
Java if they have no need for it.
ADDITIONAL INFORMATION:
http://technet.microsoft.com/en-us/security/advisory/2757760
http://www.microsoft.com/en-us/download/details.aspx?id=29851
http://support.microsoft.com/kb/174360
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4969
http://krebsonsecurity.com/2012/09/internet-explorer-users-please-read-this/
http://www.techspot.com/news/50193-internet-explorer-hit-by-zero-day-exploit-temporary-fix-issued.html
--
DEPARTMENTAL COMPUTING E-MAIL SENT FROM JON MIYAKE:
A vulnerability was recently identified, with Microsoft Internet
Explorer (IE), that could allow the execution of arbitrary code on a
vulnerable system. The issue is reported to affect most version of IE
running on Microsoft Windows. At this time Microsoft does not have a
patch for the vulnerability. Use of the vulnerability has been reported
in the wild and exploit code was recently made publicly available.
IT staff will want to notify their end-users of this issue. In most
instances the recommendation is to use an alternate web browser, such as
Firefox or Chrome. Microsoft has published general mitigation
recommendations for the vulnerability. It is important to note that the
Microsoft EMET recommendation, by itself, may not be sufficient to
prevent successful exploitation of the vulnerability. See the "Kreb's
on Security" article (link available below) for more details.
Mitigation Recommendations from Microsoft:
- Deploy the Enhanced Mitigation Experience Toolkit (EMET) - This
will help prevent exploitation by providing mitigations to help
protect against this issue and should not affect usability of Web
sites.
- Set Internet and local intranet security zone settings to "High" to
block ActiveX Controls and Active Scripting in these zones - This
will help prevent exploitation but may affect usability; therefore,
trusted sites should be added to the Internet Explorer Trusted Sites
zone to minimize disruption.
- Configure Internet Explorer to prompt before running Active
Scripting or to disable Active Scripting in the Internet and local
intranet security zones - This will help prevent exploitation but can
affect usability, so trusted sites should be added to the Internet
Explorer Trusted Sites zone to minimize disruption.
Microsoft Advisory and Mitigation Toolkit
http://technet.microsoft.com/en-us/security/advisory/2757760
http://www.microsoft.com/en-us/download/details.aspx?id=29851
Kreb's Article on Enhanced Mitigation Experience Toolkit (EMET)
http://krebsonsecurity.com/2012/09/internet-explorer-users-please-read-this/
Additional Details about IE Vulnerability
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4969
http://labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/
- --
Jon K. Miyake
Information Services Sr. IT Policy and Security Administrator
University of Oregon voice #: (541) 346-1635
(541) 346-5837
Computing Center Rm 225
2012-09-06
WHAT THIS IS ABOUT:
MatLab licenses for Psychology Department machines will expire in 56 days
(the day after Halloween). The new license for the 2012-13 academic year
_should_ be negotiated by Central IT before this time.
WHOU SHOULD READ THIS:
Folks with Matlab Installed on machines.
WHAT YOU SHOULD DO:
At the moment, there's nothing to do except circle Halloween on your
research calendar and anticipate possible technical difficulties. Matlab
will continue to run right up to the expiration date. When the new
license is negotiated, the warning should go away. Older versions of
Matlab on some legacy computers may need extra help validating the new
license extension.
When the new license is active, I'll send out a notice.
ADDITIONAL INFORMATION:
When MatLab first starts up, it checks with Mathworks to see if its
license is still valid. Each installed instance of MatLab is associated
with a specific user ID, and each user ID has a specific license. The
Psychology Department uses Central IT's total headcount license agreement
with MathWorks to validate copies of MatLab installed on campus machines.
Every Fall, a new license is negotiated. Once the negotiations go
through, the license's expiration date is extended.
http://it.uoregon.edu/software/matlab
2012-09-04
WHAT THIS IS ABOUT:
The UO Psychology Department appears to have been spammed with messages
claming the sender is in search of a tutor for her son.
WHO SHOULD READ THIS:
Everyone.
WHAT YOU SHOULD DO:
This may or may not be a variation on the Nigerian Tutoring Scam (brought
to my attention by Shannon Peake--thanks!)...
http://consumerist.com/2009/06/stay-away-from-the-nigerian-tutoring-scam.html
... in which case a follow-up message would be an offer for pre-payment
(get your banking information ready).
The safest thing to do would be to delete the message. If you're feeling
like you'd like to be helpful, you could forward the message to the
University Teaching and Learning Center (TLC), at tlc@uoregon.edu (which
I've done for this instance).
ADDITIONAL INFORMATION:
Reading the e-mail out loud brings out some oddities in the request:
things like vague arrival dates, and a generic arrival locations; at no
point is the University of Oregon mentioned (like, "Ethan will be a
transfer student at the University of Oregon").
Forwarded message:
Hello
How are you doing? I am presently looking for a Psychology Instructor for
my son in the area. After surfing your department's website, I decided to
contact with my request.
Ethan is a 3rd year Psychology undergraduate at the Univeristy of Berne he
being taught in English,he is a basketball player and missed a few classes
and he could not take the exams of those course we are from a city called
Lugano in Switzerland. Our main language here is Italian and I hope you
can pardon my English as it is not perfect.
We need someone to work with him when he arrives, he will become a
exchange student in Jan 2013 using this time he has now. Let me know your
hourly rates and also time during the week and on week ends you will be
available to coach him (total number of hours you can use with him a
week). Please let us hear from you soon as he would be in America in a
couple of days/week to stay with my sister in-law for the time been and I
will very much appreciate it very much if you can introduce me to someone
qualified in the case you are not available.
Thanks
2012-08-27.1
WHAT THIS IS ABOUT:
Bogus e-mails claiming to be from "Uoregon Webmail"
have been sent to UO e-mail users to try to trick them into revealing
private information.
WHO SHOULD READ THIS:
Everyone -- this attack targets UO e-mail users.
WHAT YOU SHOULD DO:
If you receive a message (see Bogus Message below) warning you that you've
transgressed the Webmail user agreement and that you'll be given one
chance to reactivate it, delete it. If you want to help out Central
Computing, you can forward the message to helpdesk@ithelp.uoregon.edu to
help them track the problem.
ADDITIONAL INFORMATION:
A real message would be much more specific, citing times of any
infractions and very likely requiring an in-person visit with UO ID to the
Help Desk in the basement of McKenzie Hall. If Central Computing needed
to suspend your UO account, they'd suspend it first and contact you by
some other means (either UO extension or via the Psych Tech Support staff)
later. There would also be an individual UO Computing Security Team
member associated with any message.
The trick to bogus messages is (break out your Robert Cialdini texts) to
try to establish authority.
The cyber-crooks here have gotten clever; they've created a message that
uses an image from the UO, located here:
https://uoregon.edu/sites/all/themes/uo_homesite/logo.png
and put it into their message to make the message look legitimate.
They're using buzz-words like Webmail User Agreement, and the cyber-crooks
are also using fear that a resource (in this case e-mail) might be taken
away to try to suspend the victim's rational thought process.
UO Central IT Web Page on Phishing:
http://it.uoregon.edu/node/2022
SAMPLE BOUS MESSAGE:
From: "Uoregon Webmail"
Subject: Service Disabled
Date: August 26, 2012 12:36:16 PM PDT
Dear Student,
Due to the violation of your Webmail User Agreement, your access has been
suspended.
We are giving one chance to reactivate your access now or permanently
suspended.
Click on 'Reactivate' below to start process.
[Bogus 'Reactivate' link redacted][
**Incomplete process might lead to blocked user account.
2012-08-27
WHAT THIS IS ABOUT:
There is a new, unpatched vulnerability in Java version 7--specifically
the Java Runtime Environment (JRE) 1.7--that could leave a computer
subject to malicious software when the user visits a maliciously crafted
(or corrupted) web site.
WHO SHOULD READ THIS:
Computer users--Macintosh, Windows and Linux--with Java 7/JRE 1.7
installed on their machines.
WHAT YOU SHOULD DO:
To be completely safe, Java should be uninstalled.
If Java is installed on a Macintosh, the majority of the installations are
using Apple's version of Java. The Apple version does not have the Java
Runtime Environment 1.7, and therefore is not subject to the unpatched
security hole that has the computing security community in a dither. So
Macintosh folks can rest a little easier.
http://www.tuaw.com/2012/08/28/java-1-7-zero-day-exploit-unlikely-to-impact-most-mac-users/
Windows users may use Control Panel > Add/Remove Software; Macintosh users
who have installed the Oracal version of Java 7 will need to follow the
instructions here:
http://www.java.com/en/download/help/mac_uninstall_java.xml
However, uninstalling Java may not be possible for some users, in which
case disabling Java browser plug-ins is the next best route.
Apple Safari: https://support.apple.com/kb/HT5241
Firefox:
https://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets
Microsoft Internet Explorer: In the Windows Control panel, open the Java
item. Select the "Java" tab and click the "View" button. Uncheck "enabled
for any JRE version listed.
Chrome: Go to chrome://plugins/, scroll down the list and disable Java.
https://support.google.com/chrome/bin/answer.py?hl=en&answer=142064
ADDITIONAL INFORMATION:
The discovered exploit allows maliciously crafted web pages to install
espionage software on a targeted computer to enable accept commands from a
remote controller. This will be a problem until Oracle provides a patch
for Java (their track record isn't so good on responding to things like
this, so it may be some time). At this time (1:20PM 27-Aug-2012) it
appears that version 6 of Java does not have this vulnerability. If you
need Java installed on your machine, you may be able to downgrade to
version 6: http://www.java.com/en/download/manual_v6.jsp
US-CERT Advisory:
http://www.kb.cert.org/vuls/id/636312
Critical flaw under active attack prompts calls to disable Java
http://arstechnica.com/security/2012/08/critical-flaw-under-active-attack-prompts-calls-to-disable-java/
Unpatched Java Vulnerability Exploited in Targeted Attacks
http://www.pcworld.com/businesscenter/article/261484/unpatched_java_vulnerability_exploited_in_targeted_attacks_researchers_say.html
Secunia Security Advisory:
http://secunia.com/advisories/50133/
New Java Exploit Spotted in the Wild:
http://www.securityweek.com/new-java-exploit-spotted-wild
New Java 0day exploited in the wild:
http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/
ZERO-DAY SEASON IS NOT OVER YET:
http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
2012-08-23
WHAT THIS IS ABOUT:
McAfee issued a buggy virus definition code August 17, 2012, which may
1) prevent web browsing access or 2) disable the McAfee Security Center on
Windows machines. McAfee is available to the UO community via Central IT.
WHO SHOULD READ THIS:
Windows users with McAfee installed on their machines.
Macintosh users are not affected.
WHAT YOU SHOULD DO:
1) Confirm that you are able to connect to a remote web site.
2) Confirm that you can manually update McAfee virus definitions.
+ Go to the Start Menu.
+ Choose All Programs.
+ Choose McAfee
+ Choose Console
+ Run a manual virus definition update.
McAfee discribes both problems here:
http://service.mcafee.com/faq/TS101446.htm
and provides three workarounds for resolving them. The workaround for no
internet access involves rebooting in Safe mode with Networking. The
workaround for fixing the Security Center involves installing a Virtual
Technician. If neither workaround resolves the problem, a reinstallation
of McAfee will be required.
ADDITIONAL INFORMATION:
PCWorld: McAfee Update Causes Problems:
http://www.pcworld.com/businesscenter/article/261165/mcafee_antivirus_update_causes_problems_for_home_and_enterprise_customers.html
McAfee Bug Knocks Computers Off-line:
http://www.theregister.co.uk/2012/08/23/mcafee_net_cutoff_bug/
McAfee Workarounds for Denied Internet Access:
http://service.mcafee.com/faq/TS101446.htm
Technical Entry from McAfee's Corporate KnowledgeBase:
https://kc.mcafee.com/corporate/index?page=content&id=KB76004&elq=a20a206709c24aa9ad7bcbfd33282145
Slightly Technical McAfee FAQ About This Issue:
https://kc.mcafee.com/corporate/index?page=content&id=KB76042
McAfee's Virtual Technician (the Workarounds for a broken console):
http://mvt.mcafee.com
Central IT's McAfee Page:
http://it.uoregon.edu/software/virusscan
2012-08-09
WHAT THIS IS ABOUT:
The general press (NPR) has picked up the buzz from the technical press
about hacking victim Mat Honan. Mr. Honan's accounts were hacked with
some person-to-person (or in this case hacker-to-helpdesk) social tricks.
The Bad Guys wanted to own Mr. Honan's Twitter handle. Collateral damage
from the hacks resulted in his iPhone, iPad and MacBook being wiped clean.
Gory details here:
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
WHO SHOULD READ THIS:
Computer users worried that computer information from one account (say
gmail) can be used to compromise security on another account (say, Apple)
resulting in personal and mobile computer erasure.
WHAT YOU SHOULD DO:
Review on-line contact information so that the Bad Guys can't pretend to
be you when they speak with service desk personnel. (In Mr. Honan's case,
the ISP hosting his personal internet domain displayed his real world
contact information.)
Have a data recovery plan:
+ Store data off-line
+ Consider storing archives of important data at a friend's house or a
safety deposit box
+ Print important documents (like pictures of relatives)
Increase security between on-line services (like gmail) and home computing
devices (like your laptop or iPhone). Here's an article with the steps:
http://www.maclife.com/article/howtos/how_activate_twostep_verification_your_google_account
Ask yourself if you are using Good Security Practices on the Computing
Cloud ("Computing Cloud" is a fancy way of saying computing services--like
DropBox, Gmail, and iTunes--on a computer far away from you):
http://arstechnica.com/information-technology/2012/08/secure-your-digital-self-auditing-your-cloud-identity/
ADDITIONAL INFORMATION:
The hackers (apparently two teens) were able to trick staff at Amazon into
generating bogus account information. Then they called Apple and used the
bogus Amazon information to get an Apple account password reset. Since
last week, both Apple and Amazon have changed their helpdesk procedures.
Once they reset the Apple password, they had access to Mr. Honan's Gmail
and could request password resets from other on-line services: in this
case Twitter.
How Apple and Amazon Security Flaws Led to My Epic Hacking
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
Mat Honan details the Amazon and Apple security flaws that let hackers
wipe his MacBook
http://www.tuaw.com/2012/08/06/mat-honan-details-the-amazon-and-apple-security-flaws-that-let-h/
Amazon exploited by hacker in scribe's epic Apple iCloud pwn
http://www.theregister.co.uk/2012/08/07/apple_amazon_hack/
NPR, All Tech Considered: How His Life Was Hacked
http://www.npr.org/blogs/alltechconsidered/2012/08/07/158365355/how-his-life-was-hacked-in-the-cloud
NPR: Hackers Wreak Havoc On 'Wired' Writer's Digital Life
http://www.npr.org/2012/08/09/158477219/hacker-s-wreak-havoc-on-wired-writer-s-digital-life
Amazon, Apple tighten security following devastating Mat Honan attack
http://www.techspot.com/news/49693-amazon-apple-tighten-security-following-devastating-mat-honan-attack.html
How to Activate Twostep Verification:
http://www.maclife.com/article/howtos/how_activate_twostep_verification_your_google_account
Apple Temporarily Suspends Phone Password Resets
http://www.pcworld.com/article/260603/apple_temporarily_suspends_phone_password_resets.html
2012-08-03
-----Original Message-----
From: Debbie Cadigan [mailto:dcadigan@uoregon.edu]
Sent: Wednesday, August 01, 2012 16:17
To: Undisclosed recipients:
Subject: End of August Planned Power Testing
Importance: High
August 1, 2012
MEMORANDUM
TO: All Campus Building Managers and Contacts
FROM: Debbie Cadigan, Campus Relations Manager, Campus Operations
SUBJECT: August Campus Wide Power Shutdown
Hello
In our continuing effort to improve campus utility systems reliability, a
new co-generation, steam and electrical production system is under
construction. To ensure all systems perform as anticipated, it is
imperative to test every aspect of the system as equipment is installed
and software programs are updated prior to being placed into normal
operation. It is also a condition of the local utility and Bonneville
Power Administration to fully test and confirm system safety operations
and metering.
At the end of August the second of two testing phases by Campus Operations
will occur. The purpose is to connect the new co-generation system to the
utility grid, and verify proper operation and coordination of all
equipment.
Testing has been scheduled to take place from late evening to early
morning for minimal impact although we realize any shutdown will impact
campus. Campus Operations planned campus wide electrical shutdown will
affect all campus facilities, except those few that receive their power
directly from EWEB. See the list below for buildings excluded or for a map
of the buildings go to http://alerts.uoregon.edu/.
On Tuesday, Aug. 28, Wednesday, Aug. 29, and Thursday, Aug. 30, from 10:00
p.m. to 7:00 a.m. each morning, campus will experience intermittent
outages, lasting from several seconds to several minutes. Standby power
will also experience intermittent outages. The frequency and duration of
theses power interruptions will be taken into consideration when
developing the testing sequence to aid UPS systems in recovery.
Please turn off all electronic equipment, including computers and printers
prior to the shutdown each night.
Anticipated Impacts:
+ Egress lighting will experience intermittent outages but will restore.
.
+ Elevators will be out of operation beginning at 6:00 p.m. Tuesday,
returning to service between 7:30 a.m. and 9:00 a.m. each day.
Buildingswith multiple elevators will have one elevator in service
until the testing is completed Friday morning. Signage will be
posted on elevators, with directions to the operable elevator in
multiple elevator buildings.
+ Fire System : Fire systems will remain active and monitored.
+ HVAC (heating, ventilation and cooling) will be monitored.
+ Telephones that have data capabilities will be affected by the power
interruptions. These phones should be working once testing is
completed unless there is an issue with the Network or Ethernet switch
in your building. These switches will be monitored by Network
Services.
Please be sure everyone in your department or anyone who may use or have
access to your building is aware of this planned shutdown. A few may
receive this notice more than once as we send this to multiple
distribution lists.
We appreciate your patience as we work diligently to improve the
reliability of the equipment on campus. For questions please contact
Campus Operations at electric@uoregon.edu or
call Campus Operations customer service desk at 346-2319 or myself at 346
-2389 or 541 729- 2444.
[Straub Hall will be affected by this shutdown.]
Buildings on EWEB power that will NOT be affected by this shutdown:
AAA Woodshop
HEP
Peace Health
Alder Hall
Howe Field
Rainer Building
Agate Hall/Agate House
Innovation Center
Riley Hall
Autzen Complex
LERC/Military Science
Riverfront Research Park
Baker Center
Matthew Knight Arena
U of O Annex
Barnhart Hall
Millrace Studios 1,2,3
Vet. Services Quonset 108
EC-Cares
Moss Street Childcare
Facilities Quonsets 128,132
MNCH 107, 115, 116
Fine Arts (Site 125)
MNCH (1724 Moss) 134, 135
Greenhouses 109, 110, 111
Neuromuscular Educ.
2012-08-01
WHAT THIS IS ABOUT:
As a result of a security breach, Dropbox is sending some Dropbox users
security e-mail advising them about insecure passwords.
WHO SHOULD READ THIS:
Dropbox users.
WHAT YOU SHOULD DO:
If you are a Dropbox user, you may receive an advisory e-mail from Dropbox
asking you to change your Dropbox password. Make sure to look at any
links it may contain carefully to be sure that it isn't a cyber-crook's
knock-off message. (My guess, not having seen the Dropbox message, is
that a valid e-mail will send you to something like
https://www.dropbox.com/account#security so you can change your password.)
Then follow the directions (which will probably include suggestions for
strong passwords).
Once again, I offer http://xkcd.com/936/ as a salve for the password weary.
Oh; and as a gentle reminder: Dropbox does not meet HIPAA compliance.
ADDITIONAL INFORMATION:
Dropbox sends password change notification to some users
http://www.tuaw.com/2012/08/01/dropbox-sends-password-change-notification-to-some-users/
Dropbox Blox: New Security Features
http://blog.dropbox.com/index.php/security-update-new-features/
Dropbox confirms it got hacked, will offer two-factor authentication
http://arstechnica.com/security/2012/07/dropbox-confirms-it-got-hacked-will-offer-two-factor-authentication/
Dropbox Reports User Accounts Were Hijacked, Adds New Security Features
http://techcrunch.com/2012/07/31/dropbox-admits-user-accounts-were-hijacked-adds-new-security-features/
Oregon University System Information Security Web Page:
http://www.ous.edu/dept/cont-div/fpm/genl-56-350
2012-06-14
WHAT THIS IS ABOUT:
A vulnerability in Microsoft XML (Extensible Markup Language) Core
Services, which affects Microsoft Internet Explorer and certain versions
of Microsoft Office, is being actively exploited in the wild. The
vulnerability could allow a maliciously crafted web page on a malicious
web site to run malware on your computer as you. Attacks are targeting
Gmail accounts.
WHO SHOULD READ THIS:
Users of Microsoft Internet Explorer.
Users of Microsoft Office 2003 and Office 2007 for Windows.
Users of Microsoft Office 2010 are not affected.
Users of Other Web Browsers (Chrome, Firefox, Safari, etc.) are not
affected.
Macintosh Users are not affected.
WHAT YOU SHOULD DO:
If you use Microsoft Office 2003 or 2007 for Windows, OR Internet Explorer
is your primary web browser on your Windows machine, please visit
http://support.microsoft.com/kb/2719615
scroll down about a third of the way down the web page until you see icons
for Microsoft Fix it 50897 and Microsoft Fix it 50898 (the icons feature
a stylized mechanic with a crescent wrench).
Click on the LEFT Fix it icon, number 50897. This will download a
software wizard to your computer.
Once a wizard is downloaded, a dialog box should appear: choose the RUN
option to run the wizard.
The Microsoft Fix it Solution is a temporary work-around until this
problem can be properly patched by Microsoft.
ADDITIONAL INFORMATION:
This vulnerability is in the way that Microsoft products handle XML. XML
is a little like HTML. Some web pages and Microsoft documents are encoded
with XML, which is why certain Microsoft Office users are affected.
Because of the way that Internet Explorer is integrated with Microsoft
Windows and Microsoft Office, an XML exploit that tricks Internet Explorer
(or Office) can sometimes enable a maliciously crafted web page or Office
document to run a program as if it were the human viewing it.
http://www.techspot.com/news/48994-internet-explorer-zero-day-flaw-being-used-to-target-gmail-accounts.html
http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462
http://googleonlinesecurity.blogspot.com/2012/06/microsoft-xml-vulnerability-under.html
http://support.microsoft.com/kb/2719615
http://technet.microsoft.com/en-us/security/advisory/2719615
http://en.wikipedia.org/wiki/XML
2012-06-06
WHAT THIS IS ABOUT:
Two security problems with LinkedIn, a social media service, have
surfaced. The most serious one has resulted in 6.5 million (or about 1 in
every 25) LinkedIn users' account information being publicly posted.
WHO SHOULD READ THIS:
People with accounts with LinkedIn.
LinkedIn users who use LinkedIn's mobile calendar app.
WHAT YOU SHOULD DO:
Log onto LinkedIn and change your password. Today (6/6/12).
If you use the same password across multiple internet services, it would
be a good idea to change the passwords with those services, too. (Best
security practice is to have different passwords for different services.)
If you use an iPhone or iPad version of LinkedIn, be sure to install the
latest app update (version 5.0.3, June 6, 2012). You may wish to review
the calendar settings for the LinkedIn app to prevent inadvertent
information sharing.
ADDITIONAL INFORMATION:
As one article put it, it is not a good day to be a LinkedIn user. The
first problem is that someone managed to get a copy of LinkedIn user
account information and post them publicly. Cyber-criminals will now use
the account information to crack users' passwords. The concern is that
this may enable cyber-criminals to compromise e-mail and other accounts
associated with LinkedIn accounts.
The second LinkedIn problem to surface today is the news that the LinkedIn
app for apple devices was ferreting away information in iCal onto LinkedIn
servers. So, if you put a doctor's appointment on the iCal app, then
opened the LinkedIn app, any information about the appointment got beamed
over to LinkedIn. This is similar to the GeoTagging issue last February,
where Apple mobile devices were gleaning GPS information from photos.
LinkedIn has issued a statement saying (more-or-less) we're not storing
your info on our servers, you can configure how much your calendar shares,
and we're working on fixing app issues. They've also released an update
today (June 6, 2012).
Hackers Post 6.5 Million LinkedIn Passwords Online
http://www.pcworld.com/article/257045/hackers_post_65_million_linkedin_passwords_online.html
8 million leaked passwords connected to LinkedIn, dating website
http://arstechnica.com/security/2012/06/8-million-leaked-passwords-connected-to-linkedin/
Russian hackers expose 6.5 MILLION 'LinkedIn passwords'
http://www.theregister.co.uk/2012/06/06/linkedin_password_leak/
LinckedIn Was Breached, Now What?
http://bits.blogs.nytimes.com/2012/06/06/linkedin-was-breached-now-what/
LinkedIn's Leaky Mobile App
http://bits.blogs.nytimes.com/2012/06/05/linkedins-leaky-mobile-app-has-access-to-your-meeting-notes/
LinkedIn leaks password hashes, iOS app is scraping your meeting notes
http://www.tuaw.com/2012/06/06/linkedins-ios-app-is-scraping-your-private-and-personal-meeti/
LinkedIn's Mobile App is Harvesting User Information - Here's How to Fix
It
http://www.securityweek.com/linkedins-mobile-app-harvesting-user-information-heres-how-fix-it
2012-06-05
WHAT THIS IS ABOUT:
Microsoft has released a patch for Windows (ahead of next week's Patch
Tuesday) which updates a flaw in security certificates and closes the
ability of malware called Flame to trick your Windows computer into
thinking that it's visiting Microsoft's update site when in fact it is
installing malware.
WHO SHOULD READ THIS:
Microsoft Windows Users.
WHAT YOU SHOULD DO:
Run Windows Update.
ADDITIONAL INFORMATION:
The technical press been in a flurry writing missives, speculations, and
extolments about Flame. Flame is malware that appears have been written
by Very Smart People Funded by a Nation-State to spy on Iranian
Infrastructure. Flame uses spoofed Microsoft Security Certificates to
spread. A Microsoft Security Certificate is an electronic version of a
king's seal or notary's stamp. While Flame appears to be mostly in the
middle-east, the concern is that the methods Flame uses may be copied by
other malware writers into a more wide-spread, global attack on Windows
computers.
Microsoft Security Advisory (2718704): Unauthorized Digital Certificates
Could Allow Spoofing
http://technet.microsoft.com/en-us/security/advisory/2718704
Flame Malware Hijacks Windows Update Mechanism
http://www.securityweek.com/flame-malware-hijacks-windows-update-mechanism
Flame malware wielded rare "collision" crypto attack against Microsoft
http://arstechnica.com/security/2012/06/flame-wields-rare-collision-crypto-attack/
Spy malware infecting Iranian networks is engineering marvel to behold |
Ars Technica
http://arstechnica.com/security/2012/05/spy-malware-infecting-iranian-networks-is-engineering-marvel-to-behold/
2012-06-01
WHAT THIS IS ABOUT:
Networking Services will perform maintenance on the wireless network,
Thursday, June 7, 2012 from 3:30 to 7:00AM
WHO SHOULD READ THIS:
Users of the UO Wireless Network.
Ethernet users should be unaffected.
WHAT YOU SHOULD DO:
Don't panic. Wireless network services should not be interrupted.
However, to safeguard one's computing serenity, it might be a good idea to
complete any computing tasks requiring wireless network access by
Wednesday evening.
Thursday morning, wireless network users may wish to schedule an extra ten
minutes into their routine to visit wireless.uoregon.edu in order to
reinstall the UO Secure Wireless Network and update network certificates
(see additional information, below).
Unless Something Goes Wildly Wrong, direct connections to the UO ethernet
should still function.
ADDITIONAL INFORMATION:
(e-mail message from the McKenzie Hall Help Desk:)
This service announcement is to inform the IT community of a planned
maintenance window for the UO Secure Wireless Network.
The planned maintenance will take place on June 7, 2012 from 3:30am to
7:00am. Information Services will be servicing the following:
* UO Secure Wireless Network
* Radius clients connecting to rad1 and rad2 that use SSL/TLS
Please note that there will not be a service outage during this time; all
services will remain up during the maintenance work. This announcement is
to inform you of the maintenance window in the unlikely event that any
issues arise. If any issues do arise, please contact the Information
Services Help Desk at 541-346-HELP (4357).
After the maintenance window for UO Secure, some users may need to
reinstall the UO Secure installer or may be prompted to accept a new
certificate.
* To reinstall the UO Secure installer, simply go to
wireless.uoregon.edu and follow the directions.
* If a user is prompted to accept a new certificate, simply
accept and always trust the certificate for UO Secure.
Sincerely, UO Information Services HelpDesk 541-346-HELP
helpdesk@uoregon.edu
2012-05-25
WHAT THIS IS ABOUT:
As we get closer to July 9, 2012, the technical and popular media will
start to tell us all about a piece of malware called DNSChanger (Domain
Name Server Changer). Phrases such as, "The Internet will stop working
for infected users" and "Internet Doomsday" will be thrown about with
reckless abandon. Starting May 22, 2012, the Google search engine will
display a message warning users with computers infected with DNSChanger.
WHO SHOULD READ THIS:
All users; this is a network spoofing issue.
WHAT YOU SHOULD DO:
Start your favorite web browser.
Visit http://www.dns-ok.us/
If you get a friendly green icon, your computer is DNSChanger free. You
can rest at night knowing that, this time, cyber-criminals have not
sniffed out personal data and that The Internet will continue to work for
you after July 9.
If you get a red icon, that's a sign that DNSChanger has infected your
computer. This means that the security on the machine has been
compromised and that personal information (such as banking passwords) may
have been stolen. Visit http://www.dcwg.org/fix/ for more detailed
instructions for cleaning the computer, or contact the Help Desk in
McKenzie.
ADDITIONAL INFORMATION:
DNSChanger is part of a packet of malware distributed by cyber-criminals
who were based in Estonia, and who were arrested in 2011. DNSChanger
disconnects infected computers from certified internet domain name servers
and re-connects them to fraudulent domain name servers and a shadowy, evil
parallel internet. This is like a swindler standing outside the entrance
of a town and handing out fraudulent maps misdirecting unsuspecting
tourists to fake stores and banks.
The humans are in jail, but because so many computers world-wide were
infected and using the parallel internet, the FBI kept the fraudulent
domain name servers running in order to keep infected computers
operational. The fraudulent servers will go away on July 9, at which
point infected personal computers will be unable to connect to any
internet.
http://googleonlinesecurity.blogspot.com/2012/05/notifying-users-affected-by-dnschanger.html
http://www.fbi.gov/news/stories/2011/november/malware_110911
http://www.dcwg.org/
2012-05-08
WHAT THIS IS ABOUT:
A recent Lion OS update to a Macintosh encryption utility, FileVault, has
a bug which stores users' passwords in plain text in an unprotected area
of the Mac's disk. This is the physical equivalent of writing the
combination numbers on the back of a padlock.
WHO SHOULD READ THIS:
Don't panic. This bug only affects Macintosh Snow Leopard OS (OS 10.6)
users who used FileVault, upgraded to the Lion OS (OS 10.7), and now use
the legacy version of File Vault 10.7.3.
Users who never enabled FileVault are not affected.
Users of FileVault 2, the default utility for Lion, are not affected.
Snow Leopard and earlier versions of the Macintosh operating system are
not affected.
Windows users are unaffected.
WHAT YOU SHOULD DO:
01. If your Macintosh came out of the box with Macintosh OS X Lion 10.7
installed on it, then you are running FileVault 2 and are not affected
by this bug; STOP.
02. If you are using a Macintosh and you think it used to run the Snow
Leopard OS and now runs the Lion OS, then continue.
03. Go to the Apple Menu and choose "About this Mac"; a dialog box will
appear.
04. Underneath the big bold MAC OS there will be a version number. If
the version number is 10.7.3, continue. If the version number is
10.6.X or lower, STOP: you are using an older operating system.
05. Go to the Apple Menu and choose "System Preference..."; a dialog box
will appear.
06. Click on the Security icon in the top row (it looks like a house
outline with a combination lock on the front); most of the icons will
disappear and three tabs will appear.
07. Click on the middle tab, FileVault; new information will appear.
08. If there is a button on the lower right-hand side which reads "Turn
On FileVault..." STOP; you are not running FileVault and are not
affected by this bug.
09. If you have gotten this far in the instructions, then you are
probably running FileVault 10.7.3 on a Lion OS Macintosh that was
formally a Snow Leopard Macintosh.
http://reviews.cnet.com/8301-13727_7-20081045-263/about-filevault-2-in-os-x-10.7-lion/
and http://support.apple.com/kb/HT4790 suggest that turning legacy
FileVault off, then attempting to turn it on, will bring up a dialog
box with the option to use FileVault 2.
10. Once FileVault 2 is running on the Macintosh, all users of the
Macintosh, especially administrative users, should change their
passwords.
ADDITIONAL INFORMATION:
The original FileVault, a utility to encrypt files, was introduced in Mac
OS X 10.3 During the latest update, a programmer goofed and mistakenly
left a debugger turned on in FileVault, with the result that usernames and
passwords are stored in plain text in an accessible location on the hard
drive.
Wikipedia Entry for FileVault:
http://en.wikipedia.org/wiki/FileVault
Passwords stored in plain text after Lion update:
http://www.tuaw.com/2012/05/07/passwords-stored-in-plain-text-after-lion-update/
OS X Lion security blunder exposes login passwords in plain text:
http://www.techspot.com/news/48473-os-x-lion-security-blunder-exposes-login-passwords-in-plain-text.html
Security Blunder Exposes Lion Passwords:
http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963
Lion Update Exposes Passwords:
http://nakedsecurity.sophos.com/2012/05/06/apple-update-to-os-x-lion-exposes-encryption-passwords/
Macworld Guide to FileVault 2:
http://www.macworld.com/article/1162999/complete_guide_to_filevault_2_in_lion.html
2012-05-04
WHAT THIS IS ABOUT:
Some people are having difficulties sending e-mail attachments to various
UO campus e-mail server lists.
WHO SHOULD READ THIS:
Everyone who sends e-mail file attachments to UO campus lists.
WHAT YOU SHOULD DO:
This appears to be a bug between certain e-mail clients and the (new)
Mailman server.
If you discover that your e-mail attachments sent to lists are bouncing
back to you, or that the attachments have been turned into long streams of
text appended to the end of your message, make a note of
- the time of the post
- the email program used
- the type of attachment
- the email address posting to the list (and the list name)
and send the information to Spencer Smith, UO Listmaster, at
listmaster@lists.uoregon.edu
This may be an Outlook-related issue. You may have better results using
the web portal: http://webmail.uoregon.edu to send file attachments.
ADDITIONAL INFORMATION:
http://wiki.list.org/pages/viewpage.action?pageId=4030707
On May 1, the UO computer center switched the mail servers from (the old,
outdated) Majordomo system to the (shiny and new) Mailman system. This is
a symptom of the seamless switchover.
------- From the DeptComp e-mail list: -------
From my current research, the symptoms that we're experiencing with some
list postings being wrapped in impenetrable attachments has to do with the
MIME encoding of those initial email messages. There's a fairly good
breakdown of the problem, and the possible solutions, on this Web page:
http://wiki.list.org/pages/viewpage.action?pageId=4030707
I'll be working with the Mailman development team to address this issue;
we may need some time to install the patches and solutions available,
assess them, and make sure that they don't introduce other problems by
addressing this one.
There may be some settings issues that would help address this problem as
well; I'll be creating my own test environment so I can replicate this
problem, then doing some testing and refinement to try and solve it off
the server.
In the meantime, I know that there's definite and urgent needs to work
around this issue. If you're finding the posts to your lists are being
wrapped as attachments, or if there's similar issue with posting to
Mailman, please contact me with
- the time of the post
- the email program used
- the type of attachment
- the email address posting to the list (and the list name)
That should give me enough information to begin parsing the logs and
finding a baseline parameter for the problem.
I'll certainly keep you all informed as to my progress. Let me know if I
can help in any way.
-Spencer A. Smith
Listmaster
-----
Archives of past DeptComp postings can be found
on the Web page
http://pages.uoregon.edu/consult/deptcomp/
2012-04-26
WHAT THIS IS ABOUT:
Folks at the UO are receiving fake update e-mail notices for Adobe Acrobat
Reader updates. These are malicious e-mails designed to trick you into
visiting a malicious web site.
WHO SHOULD READ THIS:
Everyone. This is a social engineering problem.
WHAT YOU SHOULD DO:
Specifically, if you receive an e-mail message with the phrase, "ADOBE PDF
READER 2012 UPGRADE NOTIFICATION", delete it. Do not follow any of the
links in it.
Generally, if you receive an unsolicited e-mail claiming to be from
Microsoft, Adobe, or your bank, which provides a link for you to install
software, renew your account, or verify your records, chances are good
it's bad guys trying to trick you. Delete the message.
ADDITIONAL INFORMATION:
Most software upgrades are available from within programs already
installed on your computer. For example, Adobe Reader for Windows has a
"Check for Updates" option under its Help menu. Use these avenues to
upgrade your software. Also, most programs will display reminder notices
about updates at start-up.
Additionally, the links in malicious, fake update e-mail messages will
have links that look odd. Most software companies will have a link that
looks like http://www.adobe.com/products/catalog.edu.html or
https://www.acrobat.com/ instead of something like
acrobat-upgrade.com/something.cfm?AwholeLotOfNumbersAndCodeHere
-----Original Message-----
ADOBE PDF READER 2012 UPGRADE NOTIFICATION
This is to remind that a new version of Adobe Acrobat Reader 2012 with
enhanced features for viewing, creating, editing, printing and
internet-sharing PDF documents has been released.
To upgrade your application:
+ Go to [REDACTED]
+ Get your options, download and upgrade.
Copyright 2012 Adobe Systems Incorporated. All rights reserved.
Adobe Systems Incorporated
343 Preston Street
Ottawa, ON K1S 1N4
Canada
2012-04-13
WHAT THIS IS ABOUT:
Many Macintoshes on the UO campus have been infected by the Mac Flashback
Trojan.
WHO SHOULD READ THIS
Macintosh users, especially those running Mac OS X 10.5 or older. Windows
users are not affected.
WHAT YOU SHOULD DO
If your Macintosh has been quarantined from the network, chances are it
has been infected by Flashback.
The best course is to visit the Help Desk in the basement of McKenzie
(this will take some time). IMPORTANT -- Flashback is malware that
will steal passwords: if a system you use is infected with Flashback,
you will need to change your computer passwords in order to safeguard any
HIPAA, FERPA, or other sensitive data.
If you haven't already, please run Software Update to install any Java
software updates.
Go to Apple > About this Mac
A window will appear. Underneath the next Mac OS X will be a version.
If the version starts 10.5, then disable Java in your web browser to
mitigate Java security holes.
ADDITIONAL INFORMATION
Antiviral software for the Macintosh will help mitigate Flashback. Jon
Miyake of network services recommends either the UO site licensed McAfee
Virus Scan or the free Sophos software.
http://it.uoregon.edu/software/duckware (UO id required, see links at
bottom of page)
http://www.sophos.com/en-us/products/endpoint/endpoint-protection.aspx
-----------------------
Begin forwarded message:
From: Garrett Stewart
Date: April 13, 2012 11:29:35 AM PDT
To: "deptcomp@lists.uoregon.edu"
Subject: deptcomp: Mac 'Flashback' Trojan
Reply-To: deptcomp@lists.uoregon.edu
Hello Everyone,
You may have heard by now about the Flashbak Trojan that has
infected over 600,000 Mac computers worldwide. It is a piece of malware
that pretends to be an update to Java and/or Flash Player, and can infect
a computer simply by navigating to an infected site. Once present, it will
monitor network traffic to steal personal information including login
details. Many Macs on the UO campus have been affected by this Trojan, and
have been quarantined from our network.
Apple released a fix on Thursday that is deployed via the OS X software
update utility. The fix will remove the many common variants of the virus
and patch the vulnerability, but only for OS X 10.6 and newer. The fix is
a part of the Java update (the third update in the last 4 days.) The
problem is installing the update; if you're quarantined from the UO
network, you won't be able to access this solution. The Information
Services Help Desk has filtered Ethernet connections available that will
allow you to install this update on campus. Come to Room 151 McKenzie
Hall, and we'll be glad to help you with this solution.
The folks at Kaspersky and F-Secure have also released a tool to automate
the check and remove process, but it was later discovered that these tools
had a low chance to also remove some important components of the operating
system, and so they are not recommended at this time. We will be
monitoring these vnedors for an update to their removal tools, and will
send more information as it becomes available. Symantec has released a
similar tool that is yet untested. It can be found here:
http://www.symantec.com/security_response/writeup.jsp?docid=2012-041214-1825-99
For those that are running 10.5 or older, the best advice at the moment
(aside from upgrading your operating system) is to disable Java in the
browser preferences of your web browser. There are other recovery options
for these systems, but they are more intrusive and require a fresh
operating system installation.
Please contact the Information Services Helpdesk at 541-346-HELP
(541-346-4357) or helpdesk@uoregon.edu with any questions or concerns.
2012-04-10
WHAT THIS IS ABOUT:
It's Update Tuesday and Microsoft has released six security updates --
four of which are critical -- for Microsoft Windows and Office. Most of
these updates close security holes which would allow malicious websites to
run malicious software on a visitor's computer.
WHO SHOULD READ THIS:
Windows users.
Macintosh users are not affected.
WHAT YOU SHOULD DO:
Most users have Windows Update set to run automatically. If your windows
computer wants to install some updates, let it.
If you haven't run Windows Update in a while, now would be a good time to
do so.
ADDITIONAL INFORMATION:
http://technet.microsoft.com/en-us/security/bulletin
http://technet.microsoft.com/en-us/security/bulletin/MS12-023
Closes a security hole in Internet Explorer that allows a maliciously
crafted web page to gain the same privileges as the visiting user.
http://technet.microsoft.com/en-us/security/bulletin/MS12-024
Closes a security hole in Windows that could allow maliciously crafted
software to hijack a computer.
http://technet.microsoft.com/en-us/security/bulletin/MS12-025
Closes a security hole in the .Net framework that allows a maliciously
crafted web page to gain the same privileges as a visiting user.
http://technet.microsoft.com/en-us/security/bulletin/MS12-026
Closes a security hole that allows a malicious website to pretend to be a
trusted site and then collect private data.
http://technet.microsoft.com/en-us/security/bulletin/MS12-027
Closes a security hole which allows a malicious website to attack a
computer.
http://technet.microsoft.com/en-us/security/bulletin/MS12-028
Closes a security hole that allows maliciously crafted Microsoft Works
files from running malicious code.
2012-04-09
WHAT THIS IS ABOUT:
There is a simple utility available which checks for Mac Flashback malware
infection. (Alas, it does not remove the infection.) Mac Flashback is
malware which takes advantage of an unpatched Java security hole. Mac
Flashback has infected an estimated half million users.
WHO SHOULD READ THIS:
Macintosh users. Windows users are unaffected.
WHAT YOU SHOULD DO:
01: Visit this web site: https://github.com/jils/FlashbackChecker/wiki
02: Scroll down to the Download area
03: Click on the link FlashbackChecker 1.0, this will download a zip file
called FlashbackChecker.1.0.zip
04: Go to the download folder, usually located in the Macintosh's user
home directory / Downloads
05: Double-click FlashbackChecker.1.0.zip, this will create a program
icon called FlashbackChecker.
06: Double-click FlashbackChecker.
07: You may receive a warning message saying that FlashbackChecker was
downloaded from the internet. Confirm that you wish to run the
application.
08: A simple dialog box will appear. Click on the big button that reads
"Check for Flashback Infection."
09: Text will appear.
09-A: If the fourth line down should syas "No Signs of infection were
found." then press command-Q to quit the checker and celebrate.
09-B: If the checker says that it did find an infection, you'll need to
remove Mac Flashback with these instructions:
http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
ADDITIONAL INFORMATION:
Running the Software Update program (located under the Apple Menu) will
tell the Macintosh to check for and install any new Java updates.
Within the technical community there's some question about how necessary
Java is for the Macintosh and the merits of uninstalling it. In this case
"no Java = no security hole."
http://arstechnica.com/apple/news/2012/04/checking-for-mac-flashback-infestation-theres-an-app-for-that.ars
https://github.com/jils/FlashbackChecker/wiki
http://arstechnica.com/apple/news/2012/04/how-to-check-forand-get-rid-ofa-mac-flashback-infection.ars
http://arstechnica.com/apple/news/2012/04/flashback-trojan-reportedly-controls-half-a-million-macs-and-counting.ars
http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml
2012-04-03
WHAT THIS IS ABOUT:
The technical press is abuzz with a trojan-horse installer which targets
Macintosh computers running old, out-of-date software. This is newsworthy
because previously this sort of malware has only been seen on Windows
machines.
WHO SHOULD READ THIS:
Macintosh users; Windows users may wish to read out of schadenfreude.
WHAT YOU SHOULD DO:
The security exploits take advantage of two security holes in older
versions of Microsoft Office (patched in 2009) and Java patched in Oct
2011).
To install the latest patches of Java:
Go to the Apple Menu
Choose Software Update
Install any updated software
To install the latest patches for Microsoft Office
Start Word
Go to the Help Menu
Choose Check for Updates
Follow the prompts to update (you will be asked for an administrative
password)
ADDITIONAL INFORMATION
http://arstechnica.com/apple/news/2012/03/james-bond-style-malware-attacks-come-to-the-mac.ars
http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/
http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/
2012-03-19
WHO SHOULD READ THIS:
Everyone; this is a campus-wide issue.
WHAT THIS IS ABOUT:
Campus Operations will be maintaining the campus power grid, which will
cause power outages in the early morning hours of March 27 and March 28.
WHAT YOU SHOULD DO:
Before you leave for Spring Break, or Monday and Tuesday nights, be sure
to turn off or unplug any unused computers, printers, or sensitive
electronic equipment.
ADDITIONAL INFORMATION:
Begin forwarded message:
From: Ryan Stasel
Date: March 19, 2012 9:17:29 AM PDT
To: "deptcomp@lists.uoregon.edu"
Subject: deptcomp: Fwd: Spring Break Campus wide power shutdown
Reply-To: deptcomp@lists.uoregon.edu
In case those on Deptcomp do not also get building manager mailings
Begin forwarded message:
From: Debbie Cadigan >
Subject: Spring Break Campus wide power shutdown
Date: March 19, 2012 8:06:57 AM PDT
March 19, 2012
MEMORANDUM
TO: All Campus Building Users with the exception of those listed below:
FROM: Debbie Cadigan, Campus Relations Manager, Campus Operations
SUBJECT: Spring Break Campus Wide Power Shutdown
Good Morning
In our continuing effort to improve campus utility systems reliability, a
new co-generation (steam and electrical production) system is under
construction. To ensure all systems perform as anticipated; it is
imperative to test every aspect of the system prior to being placed into
normal operation as equipment is installed and software programs are
updated. These planned simulations are designed to encompass all types of
campus and utility provider events and to test new systems to ensure they
function as planned under normal operation and in the event an upset may
occur.
In the next several months, Campus Operations will be scheduling two
planned shutdowns. The first one is to update existing CPS Switch house
software in preparation for the new co-generation system. The second
shutdown will be later this spring or summer when all equipment is in
place and has been tested to the extent possible without effecting campus.
Our intent is to schedule testing and shutdowns for minimal impact
although we realize any shutdown impacts campus. Campus Operations planned
campus-wide electrical shutdown will affect all campus facilities, except
those few that receive their power directly from EWEB. See list below for
buildings excluded.
* On Tuesday, March 27th & Wednesday, March 28th from 3:30am to 7:30am
each day, campus will experience intermittent outages, lasting from
several seconds to several minutes, while testing is being performed.
Standby power will also experience intermittent outages.
* On Tuesday, March 27th & Wednesday, March 28th from 7:30 am to 8:30 am
each day, testing will continue. Although we do not anticipate any
intermittent outages, there will be a potential for interruptions during
this 60 minutes each day.
Elevators will be shut down and posted, egress lighting will experience
the intermittent outages but will immediately come back on.
After the shutdown has been completed, Campus Operations personnel will be
sure HVAC systems, elevators and other equipment are reset.
Make sure all sensitive electronics, including computers and printers, are
turned off or disconnected prior to this shutdown. Be sure everyone in
your department is aware of this.
We regret any inconvenience this may cause. For questions please contact
Del McGee or Jeff Madsen at
electric@uoregon.edu or call Campus
Operations customer service desk at 346-2319.
Buildings on EWEB power that will not be affected by this shutdown:
AAA Woodshop HEP Rainier Building
Alder Hall Howe Field Riley Hall
Agate Hall/Agate House Innovation Center Riverfront Research Park
Autzen Complex LERC/Military Science Specialized Training 582,603
Baker Center Matthew Knight Arena Trailers 054, 055, 057, 058
Barnhart Hall Millrace Studios 1,2,3 U of O Annex
EC-Cares Moss Street Childcare Vet. Services Quonset 108
Fine Arts (Site 125) MNCH 107, 115, 116 Facilities Quonsets 128, 132
Greenhouses 109, 110, 111 MNCH (1724 Moss) 134, 135
Neuromuscular Educ.
2012-03-05
WHAT THIS IS ABOUT
Adobe has released a security upgrade which closes a critical hole in the
Adobe Flash Player, which, if exploited, could allow a malicious person to
take over a computer.
WHO SHOULD READ THIS
Windows, Macintosh, Linux and Solaris users with the Adobe Flash Player
installed.
(Additionally, Android 2.x, 3.x and 4.x users.)
WHAT YOU SHOULD DO
(Windows, Macintosh, Linux and Solaris users.)
Visit the About Flash Player page:
http://www.adobe.com/software/flash/about/
A) If you do not have Adobe Flash Player, stop; no Adobe Flash Player = no
security threat.
B) If you have Adobe Flash Player version 11.1.102.63, stop; you are
already using the patched version.
C) If you have an earlier version of the Flash Player, download an updated
version via the Player Download Center: http://get.adobe.com/flashplayer/
Some computers may not be able to run the 11.x version of the Player. In
this case, Adobe recommends using Flash Player 10.3.183.16, which
supposedly may be downloaded at
http://kb2.adobe.com/cps/142/tn_14266.html, but appears to be unlisted at
this time... (sigh, check back later in the week to see if this problem
has been addressed).
ADDITIONAL INFORMATION
The curious and users of mobile devices running the Flash Player may find
additional information here:
http://www.adobe.com/support/security/bulletins/apsb12-05.html
2012-02-29
WHAT THIS IS ABOUT:
The technical news community is abuzz about a security loophole in iOS which
leaks photos and the geographical information associated with them. iOS is the
operating system on Apple iPhones and other iDevices.
WHO SHOULD READ THIS:
Users with Apple mobile devices (iPhone, iPad, iPod Touch).
WHAT YOU SHOULD DO:
This is a security loophole that Apple says will be fixed in a future upgrade to
the iOS. Users may mitigate some of the privacy threat by powering up a mobile
device and
1) Clicking on the Settings icon,
2) Selecting Location Services,
3) Locating the Camera app, and;
4) Turning off location services
This wont stop a photo-grabbing app from grabbing a mobile device's photos, but
it will keep any future pictures from being geotagged.
ADDITIONAL INFORMATION:
Apple Loophole Gives Developers Access to Photos
http://bits.blogs.nytimes.com/2012/02/28/tk-ios-gives-developers-access-to-photos-videos-location/
iOS security loophole lets apps grab user photos
http://www.techspot.com/news/47607-ios-security-loophole-lets-apps-grab-user-photos.html
iOS allows contacts to be uploaded without consent, Apple promises fix - TechSpot News
http://www.techspot.com/news/47480-ios-allows-contacts-to-be-uploaded-without-consent-apple-promises-fix.html
Fix reportedly coming for iOS photo uploading loophole
http://arstechnica.com/apple/news/2012/02/fix-reportedly-coming-for-ios-photo-uploading-loophole.ars
iPhone photo-slurping loophole sparks app privacy fears
http://www.theregister.co.uk/2012/02/29/iphone_photo_slurping_privacy_risk/
Prompted by Congress, Apple Promises Updates
http://arstechnica.com/apple/news/2012/02/congressmen-question-apple-on-path-controversy-as-apple-promises-updates.ars
Wikipedia article on geotagging and digital cameras
http://en.wikipedia.org/wiki/Geotagged_photograph
2012-02-16a
WHO SHOULD READ THIS:
Users who have Adobe Shockwave (not to be confused with Adobe's Flash
Player) installed on their computers.
WHAT THIS IS ABOUT:
Adobe has released a security patch for the Shockwave Player. A type of
programming error called a cross-scripting error could allow a malicious
website to use older versions of the Shockwave player in conjunction with
Microsoft's Internet Explorer browser to hijack a computer and steal
authentication cookies, log onto private accounts, or send spam.
WHAT YOU SHOULD DO:
Determine if you have the Shockwave player installed.
1) Visit http://www.adobe.com/shockwave/welcome/
2) Underneath the header "Adobe Shockwave Player" is a space for an
animation to play. If there is no animation, stop; you do not have to
worry about this particular computer security threat.
3) If there is an animation, it should be accompanied with information
about what version of Shockwave is being run. If the version running is
11.6.4.634, then you can stop: you have the newest, patched version.
4) If the version of Shockwave running on the computer is 11.6.3.633 or
earlier, then visit http://get.adobe.com/shockwave to download the latest
version. (EXTRA CREDIT OPTION: If you think you can get by with using
only Adobe's Flash player, you may wish to uninstall the Shockwave
player).
ADDITIONAL INFORMATION:
http://www.adobe.com/support/security/bulletins/apsb12-02.html
http://nakedsecurity.sophos.com/2012/02/15/oracle-java-and-adobe-shockwave-patches-for-february-too/
http://arstechnica.com/business/news/2012/02/exotic-xss-bug-in-adobe-flash-exploited-to-control-users-web-accounts.ars
http://www.adobe.com/products/shockwaveplayer/
--------------------
John Burridge | Technical Services | STB 358
Department of Psychology phone: 541-346-4982
University of Oregon fax: 541-346-4271
Eugene, OR 97403-1227 burridge@uoregon.edu
http://pages.uoregon.edu/burridge
2012-02-16
WHAT THIS IS ABOUT:
A new security patch for with Windows version of Oracle Java is available
for download; this patch closes a number security holes.
WHO SHOULD READ THIS:
Windows users with Java installed on their machines. Macintosh users have
no upgrade yet.
WHAT YOU SHOULD DO:
Windows users (from
http://java.com/en/download/help/java_update.xml#howto)--
Make sure you are logged onto the Windows machine with administrative
privileges. Save your work and close all other programs.
1) Click Start > Settings > Control Panel (For Windows XP)
OR
Click Start > Control Panel (For Windows Vista and Windows 7)
2) Double-click Java icon. The Java Control Panel appears. If you have
no Java icon, then Java is not installed on the machine and you can stop,
secure in the knowledge that "No Installed Java" = "No Java Security
Holes".
3) Click the Update tab
4) Click on the "Update Now" button
5) Follow the prompts to install the update
Macintosh users -- Although there is no update for Java at this time, you
may wish to check for software updates for older software. Select Apple
Menu -> Software Update to see if there are any software updates
available.
ADDITIONAL INFORMATION:
http://java.com/en/download/help/java_update.xml#howto
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html#PatchTable
http://nakedsecurity.sophos.com/2012/02/15/oracle-java-and-adobe-shockwave-patches-for-february-too/
--------------------
John Burridge | Technical Services | STB 358
Department of Psychology phone: 541-346-4982
University of Oregon fax: 541-346-4271
Eugene, OR 97403-1227 burridge@uoregon.edu
http://pages.uoregon.edu/burridge
2012-02-14
Hello,
Just a FYI: (Apparently for Valentine's Day) Microsoft has released a ton
of Windows Security updates. Most people should receive these updates
automatically. If you are on a Windows machine that doesn't automatically
install Windows Updates, please fire up Microsoft Internet Explorer and
point it at
http://windowsupdate.microsoft.com/ (note, this only works for Internet
Explorer)
ADDITIONAL INFORMATION:
http://technet.microsoft.com/en-us/security/bulletin/ms12-feb
MS12-016 - Critical : Vulnerabilities in .NET Framework and Microsoft
Silverlight Could Allow Remote Code Execution (2651026) - Version: 1.0
http://technet.microsoft.com/en-us/security/bulletin/ms12-016
MS12-010 - Critical : Cumulative Security Update for Internet Explorer
(2647516) - Version: 1.0
http://technet.microsoft.com/en-us/security/bulletin/ms12-010
MS12-013 - Critical : Vulnerability in C Run-Time Library Could Allow
Remote Code Execution (2654428) - Version: 1.0
http://technet.microsoft.com/en-us/security/bulletin/ms12-013
--------------------
John Burridge | Technical Services | STB 358
Department of Psychology phone: 541-346-4982
University of Oregon fax: 541-346-4271
Eugene, OR 97403-1227 burridge@uoregon.edu
http://pages.uoregon.edu/burridge
2012-02-01
WHO SHOULD READ THIS: Macintosh Users running system X (Lion) 10.7.x.
Folks with a different Mac OS than Lion and folks using Windows are not
affected.
WHAT THIS IS ABOUT: There are reports of problems with the February 1,
2012 Macintosh OS X (Lion) 10.7.3 Update. The problems don't affect all
Macintoshes, and range from frequent crashes, to an inability to start the
Macintosh, to various dialog boxes displaying CUI icons instead of
helpful messages.
WHAT YOU SHOULD DO:
A) If you have not yet installed the upgrade, this is a good thing.
1) Make sure that Time Machine has run and made a backup of your
Macintosh's system.
2) Go here; http://support.apple.com/kb/DL1484 to download a OS X Lion
Update 10.7.3 (Client Combo)
3) Click on the blue DOWNLOAD button, located in the upper right-hand
corner of the window. This will put a A DMG, or disk image on the
Macintosh's screen. It may take about two or three minutes for the disk
image to appear; it will be called "Mac OS X 1.7.3 Update Combo."
4) Once the disk image has appeared on your screen (the icon will look
like a small white hard drive), double-click on it. A new window will
appear.
5) Inside the window "Mac OS X 10.7.3 Update Combo" there will be an icon
of an opened box called "MacOSXUpdCombo10.7.3.pkg." Double-click on the
icon to launch the installer and follow the prompts.
6) Restart the computer (it's likely that the computer will want to reboot
anyway).
B) If you have installed the upgrade, but the Macintosh appears to be
working, the recommendation is to run the Update Combo on top of the
upgrade.
Follow steps 1 through 6 above.
C) If you installed OS X Lion 10.7.3 and now the Macintosh is not working
properly
Try to follow steps 1 through 6 above.
If this is not possible, there are some strategies to follow here:
http://osxdaily.com/2012/02/01/fix-mac-os-x-10-7-3-update-problems-cui-errors-stuck-installs-and-crashes/
ADDITIONAL INFORMATION:
http://osxdaily.com/2012/02/01/fix-mac-os-x-10-7-3-update-problems-cui-errors-stuck-installs-and-crashes/
http://arstechnica.com/apple/news/2012/02/problems-with-the-os-x-1073-update-combo-updater-to-the-rescue.ars
http://www.tuaw.com/2012/02/02/os-x-10-7-3-causing-cui-errors-for-some-combo-update-recommende/
http://support.apple.com/kb/DL1484
--------------------
John Burridge | Technical Services | STB 358
Department of Psychology phone: 541-346-4982
University of Oregon fax: 541-346-4271
Eugene, OR 97403-1227 burridge@uoregon.edu
http://pages.uoregon.edu/burridge
2012-01-31
This is a FYI; don't panic.
On March 1, Google will merge the privacy policies for all of their
services into one big policy.
There's a good review of what this means and some things you can do to
tailor Google use to your own comfort levels here:
http://nakedsecurity.sophos.com/2012/01/31/how-to-navigate-googles-privacy-options/
The gist of the article is that the policies aren't changing much (they're
mostly just being consolidated) and that Google will begin to use the data
they've been collecting for a while more (mostly to send you custom ads).
I should also add a gentle reminder here that it's a good idea to conduct
university business on university machines and keep it separate from
personal business on non-university computing services.
Google privacy policies may be found here:
https://www.google.com/policies/privacy/preview/
https://www.google.com/policies/terms/
- John
--------------------
John Burridge | Technical Services | STB 358
Department of Psychology phone: 541-346-4982
University of Oregon fax: 541-346-4271
Eugene, OR 97403-1227 burridge@uoregon.edu http://pages.uoregon.edu/burridge
2012-01-30
Hello All,
This morning at least three folks have forwarded phishing attempts to me
that they received over the weekend. The messages look like this:
=====================
Subject: Validation!!!
Date: Mon, 30 Jan 2012 02:52:07 GMT
From: "Admin"
To:
Dear User,
We have observed suspicious activities from your Internet account.
Kindly click on uoregon.edu or copy and paste this link
[URL redacted] on your browser to verify your account
now in orders to avoid disconnection of service.
Regards,
Web Admin.
==================
These messages are fake. The sender is trying to trick you into into
visiting a web site that will attempt to install malicious spyware onto
your computer. The UO computer security folks are aware of this attempt.
You can delete the message. More information is here:
http://security.uoregon.edu/phishing
Some clues that these are fake messages:
1)
The Subject: header is "Validation!!!!" This is vague. The triple
exclamation points, an attempt to inject urgency into the message, are
another clue.
2)
The From: header leads back to "Admin" -- if this
were a real message it would be from someone like Jon Miyake who uses an
address like miyake@network-services.uoregon.edu or miyake@uoregon.edu
3)
"We have observed suspicious activities from your Internet account."
This is a vague statement; if the folks in McKenzie Hall were contacting
you about a suspected security breach via e-mail, they'd say something
along the lines of, "The account burridge is showing signs of being
compromised with [Conficker or some other piece of malware]," or "We've
had reports of SPAM being sent with the burridge account." In cases of
serious breach, you'd receive a phone call and various Psych IT folks
would be alerted.
4)
If you look at the redacted URL in the message, you'd see it doesn't look
like http://psych.uoregon.edu or http://it.uoregon.edu/ or
https://duckid.uoregon.edu/ or
https://shibboleth.uoregon.edu/idp/Authn/UserPassword. The redacted URL
starts with http, which is not secure. The redacted URL ends in .tk,
which is the domain for Tokelau, a territory of New Zealand located in the
South Pacific.
5)
The message reads " verify your account now in orders to avoid
disconnection of service." 'In orders to'? Not a good sign.
6)
The closing of this message is also vague. A real message would include
at the very least contact information to the UO Computing Helpdesk in
McKenzie, or a more specific contact, like Jon Miyake (IT Policy and
Security Administrator), Kelsey Davis (Help Desk Services Coordinator) or
Connie French (Accounts).
--------------------
John Burridge | Technical Services | STB 358
Department of Psychology phone: 541-346-4982
University of Oregon fax: 541-346-4271
Eugene, OR 97403-1227 burridge@uoregon.edu http://pages.uoregon.edu/burridge
2012-01-23
Hello All,
This Monday morning I'm seeing a pattern of folks having difficulty
sending out e-mail.
If you've suddenly started to receive e-mail rejection error messages from
a SMTP server, or if you've noticed that your e-mail program is
accumulating messages in the outbox instead of sending them, there may be
a problem with your advanced SMPT server settings. Confirming that the
SMTP server is using port 587 has cleared the problem
General e-mail configuration instructions are here:
http://it.uoregon.edu/set-up-email
N.B. These instructions for Mac Mail http://it.uoregon.edu/node/183 are
more helpful for dealing with this specific problem than the other Mac
Mail instructions.
In the machines I've seen, the SMTP port was either misconfigured or using
an old port configuration - the SMTP or outgoing mail server port should
be 587.
2012-01-10
WHAT THIS IS ABOUT
FYI: A design flaw in some wireless network routers could allow malefic
people onto your network.
WHO SHOULD READ THIS
Folks who access sensitive, confidential or HIPAA records from the comfort
of home.
Anyone in charge of configuring their home wireless network.
WHAT YOU SHOULD DO
Specific instructions will vary by wireless router manufacturer.
Generally:
Disable the WPS protocol.
Use WPA2 encryption with a strong password, disabling UPnP, and enabling
MAC address filtering so only trusted computers and devices can connect to
the wireless network.
A non-exhaustive, non-endorsing couple of example router guides are
included below:
Netgear Recommended Wireless Setup:
http://support.netgear.com/app/answers/detail/a_id/112
Cisco Linksys Router checklist:
http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&articleid=3698
ADDITIONAL INFORMATION
It is possible that individual router manufacturers will provide a router
firmware patch in the future.
US-CERT Vulnerability Note VU#723755
http://www.kb.cert.org/vuls/id/723755
Open-Source Tool for Hacking WiFi Protected Setup (WPS)
http://arstechnica.com/business/news/2011/12/researchers-publish-open-source-tool-for-hacking-wifi-protected-setup.ars
Hands-on: hacking WiFi Protected Setup with Reaver
http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars
--------------------
John Burridge | Technical Services | STB 358
Department of Psychology phone: 541-346-4982
University of Oregon fax: 541-346-4271
Eugene, OR 97403-1227 burridge@uoregon.edu
http://pages.uoregon.edu/burridge
2012-01-06
Hello All,
The technical press is buzzing with news about how "Hactivists" Target
Various Security & Intelligence Firms, which is making Computer Security
this season's New Black (wait, is "Black the New Black"... or is it
"Black is the New Pink" ....?).
Worst Passwords of 2011:
http://www.forbes.com/sites/davidcoursey/2011/11/21/25-worst-passwords-of-2011-revealed/
How Passwords Are Cracked and How You Can Keep Them Safer
(kind of dry, you might want to skip to the heading with Brutus and the
stars)
http://www.securityweek.com/how-passwords-are-cracked-and-how-you-can-make-yours-stronger
Dot-dash-diss: The gentleman hacker's 1903 lulz
http://www.newscientist.com/article/mg21228440.700-dotdashdiss-the-gentleman-hackers-1903-lulz.html?full=true
Last week's Stratfor cyber attacks:
Hackers Breach the Web Site of Stratfor Global Intelligence
http://www.nytimes.com/2011/12/26/technology/hackers-breach-the-web-site-of-stratfor-global-intelligence.html
Analysis of Data Exposed in STRATFOR Cyber Attack
http://www.securityweek.com/analysis-data-exposed-stratfor-cyber-attack
Technology: Hacked Intelligence Company Is a Target Again
http://www.nytimes.com/2011/12/27/technology/hacked-intelligence-company-is-a-target-again.html
Antisec hits private intel firm; millions of docs allegedly lifted
http://arstechnica.com/tech-policy/news/2011/12/antisec-hits-private-intel-firm-millions-of-docs-allegedly-lifted.ars
--------------------
John Burridge | Technical Services | STB 358
Department of Psychology phone: 541-346-4982
University of Oregon fax: 541-346-4271
Eugene, OR 97403-1227 burridge@uoregon.edu
http://pages.uoregon.edu/burridge
2011-12-07
WHAT THIS IS ABOUT:
There is a vulnerability in Adobe Reader and Acrobat that could allow a
malicious attacker to crash a computer and take control of it. So far
the scope of attacks has been limited.
WHO SHOULD READ THIS
Both Windows and Macintosh users of Adobe Acrobat or Reader are affected.
The vulnerability involves the following software.
Adobe Reader X 10.1.1 and earlier 10.x for Windows and Macintosh
Adobe Reader 9.46 and earlier 9.X versions for Windows, Macintosh and
UNIX.
Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and
Macintosh
Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh.
Other platforms and Adobe software are not affected.
WHAT YOU SHOULD DO
Remember that Adobe will not e-mail you a fix for this security problem.
Do not try to install any purported fixes sent by Adobe; these will be
trojan horses sent by Evil People to trick you into installing malware
onto your computer.
A fix from Adobe for this problem is not available at this time (Dec 7,
2011) but is expected in the next week.
Be careful opening PDF files sent via e-mail or from the web to be sure
they are from a trusted source.
The 10.x versions of the software have a setting to help mitigate this
threat:
Acrobat X:
Open Acrobat Reader X
Go to Edit > Preferences > Security (Enhanced)
Make sure either "Files from potentially unsafe locations" OR "All files"
have "Enable Enhanced Security" checked.
Reader X:
To to Edit > Preferences > General
Make sure "Engalbe Protected Mode at startup" is checked.
FURTHER INFORMATION
http://www.adobe.com/support/security/advisories/apsa11-04.html
http://www.physorg.com/news/2011-12-adobe-zero-day-danger-reader-acrobat.html
http://nakedsecurity.sophos.com/2011/12/06/beware-adobe-software-upgrade-notification-malware-attached/
--------------------
John Burridge | Technical Services | STB 358
Department of Psychology phone: 541-346-4982
University of Oregon fax: 541-346-4271
Eugene, OR 97403-1227 burridge@uoregon.edu
http://pages.uoregon.edu/burridge
2011-11-29
WHAT THIS IS ABOUT:
Apple has updated their list of unsafe downloads. Using this update
protects some Macintosh users from accidental download of malware.
WHO SHOULD READ THIS:
Folks using Mac OS X Snow Leopard (10.6) and Mac OS X Lion (10.7).
Macintosh users with older operating system software do not have a
built-in malware protection software package. Windows users are not
affected by this update.
WHAT YOU SHOULD DO:
01. Save your work and close applications.
02. Go to the APPLE menu and choose ABOUT THIS MAC. A new window will
appear.
03. Big bold letters should say Mac OS X. Under this will be a version.
If the version number is 10.5.8 or lower, stop; you do not have a version
of the Macintosh operating system which uses built-in malware protection.
(You might want to click on SOFTWARE UPDATE to be sure you have the latest
updates available for your operating system).
04. If the version number is 10.6.0 or greater, continue. Check that the
version is 10.6.8 or 10.7.2. If it is not, click SOFTWARE UPDATE to
update the operating system. This will require a system reboot, and the
operating system may ask you for an administrative username and password.
Repeat the above directions until the macintosh is running 10.6.8 or
10.7.2.
05. Go to the APPLE menu and choose SYSTEM PREFERENCES. A new window
will appear.
06. Click on the SECURITY icon (a house with a safe dial on the front).
Security settings will appear.
07. Click on the GENERAL tab (it should be the default selection)
08. In the lower left-hand corner, make sure the padlock icon is
unlocked. If it isn't, click on it and supply an administrative username
and password to unlock it.
09. UNCHECK "Automatically update safe downloads list" (yes, this is
counter-intuitive)
10. Count to five.
11. RECHECK "Automatically update safe downloads list" (this will force
a silent update of the list -- there will be no bells or whistles)
12. Close the System Preferences window.
13. Resume work.
ADDITIONAL INFORMATION:
http://security.thejoshmeister.com/2011/11/how-to-update-apples-safe-downloads.html
http://nakedsecurity.sophos.com/2010/06/18/apple-secretly-updates-mac-malware-protection/
--------------------
John Burridge | Technical Services | STB 358
Department of Psychology phone: 541-346-4982
University of Oregon fax: 541-346-4271
Eugene, OR 97403-1227 burridge@uoregon.edu
http://pages.uoregon.edu/burridge
John Burridge, Web Communications Technician ⚣ he/him/his
University of Oregon, Robert D. Clark Honors College
M-F: 8AM-Noon, 1PM-3PM burridge@uoregon.edu http://pages.uoregon.edu/burridge