English Tech Announcements

Various technology-related announcements

This page is a collection of computer-related e-mails sent to the English (and formerly, the Psychology) Department. These fall into several categories: procedures within the department for using computing resources, computer security notices, software licensing notices, and computing culture bulletins.



WHAT THIS IS ABOUT: Don't Panic. This is a PSA about EndNote compatibility with Mac OS Catalina (10.15.1). Two Admiral Ackbars, because, "It's a Trap!"

WHO SHOULD READ THIS:
Macintosh Users
EndNote Users
Windows Users are not affected

WHAT YOU SHOULD DO: If you are an EndNote user, be sure to update your version of EndNote to EndNote X9.3.2 for Mac *BEFORE* updating to MacOS Catalina. EndNote Users should follow the instructions here: https://support.alfasoft.com/hc/en-us/articles/360002603017

If you have already upgraded to Catalina OS before updating your EndNote program to EndNote X9.3.1, the EndNote app will be disabled in the Applications folder. To fix this, you would need to reinstall the EndNote X9 version with the latest update (EndNote X9.3.1).

ADDITIONAL INFORMATION for the Technically Curious: I continue to recommend waiting to install Catalina (OS 10.15.1) until the December Break because updating the Macintosh OS requires collateral updates to other software (e.g. EndNote, Office 2011 for Mac, a host of Adobe software, etc), and waiting a few more weeks will give Apple and other software vendors time to address any update bugs. However (he says in a manner trying to invoke Tiresias before Oedipus) if you're between projects, and you have the inclination and the time right now to deal with Catalina... well... okay... go ahead.

The Catalina update is aggressive about compatibility and security. This is mostly a good thing, but it has a side effect: the upgrade software moves files which don't fit its idea of compatibility and security into a "Relocated Items" folder on the desktop. If you have document files located outside of your Documents folder, or if you've tricked out the iMac into a non-standard configuration, you may run into difficulties with files not being where they were prior to the Mac OS upgrade. Your Mileage May Vary.

Clarivate's statement and instructions for Updating EndNote: https://support.clarivate.com/Endnote/s/article/EndNote-for-Mac-macOS-Catalina-Compatibility?language=en_US

Apple: 32-bit app compatibility with macOS High Sierra 10.13.4 and later https://support.apple.com/en-us/HT208436

EndNote is not in the list of University-offered software; EndNote is available through the UO Bookstore at an academic discount.



WHAT THIS IS ABOUT: Apple has just released a new Macintosh OS, OS 10.15. Three Admiral Ackbars because IT'S A TRAP!

WHO SHOULD READ THIS:
Folks with Macintosh computers.
Folks with mobile devices (iPhone, iPad, iEtcetera) are obliquely affected.
Windows folks are not affected.

WHAT YOU SHOULD DO: Very likely, folks will begin to get nagged by their Macintosh computers to upgrade to the new MacOS, 10.15 (Catalina). Wait. Always wait whenever Apple releases a major upgrade to the OS. My usual advice is to wait until the December break. By then, other software vendors have had a chance to catch up with the new OS, and Apple has had a chance to issue updates to clear out the bugs that usually appear.

ALSO, this is a major update that requires folks to update away from legacy application software (and data) to the latest, newest version -- this will require extra time updating things besides the operating system. Catalina drops 32-bit support for programs. Remember when you updated to Mojave, and scary dialog boxes came up saying a particular app "is not optimized for your Mac"? You'll really have to update those now. https://support.apple.com/en-us/HT208436

You know that old McAfee program that's been keeping your Macintosh safe for the last few years? You're going to have to reinstall it. (Or use Apple's Gatekeeper)
You know that old Adobe software you've been hanging onto since forever? You're going to have to reinstall it.
Your old English Xerox Printer Driver -- you'll need to reinstall it if you want to print.
You know that super-old Cisco AnyConnect VPN Client? Yep; needs reinstalling.
Office 2011 for Mac? Needs reinstalling.
Fetch? (Does anyone still use Fetch?)...
That ancient copy of MalwareBytes; time for an upgrade....
Your "Pin It!" button browser extension (and probably other, older extensions)... yep, they're all gonna break.
Aperture? Sorry, you need to switch to something like Adobe's Lightroom.

Some of your data will be affected, too: https://support.apple.com/en-us/HT209000

So wait to update. Wait. Really.

ADDITIONAL INFORMATION for the Technically Curious:

How do I check if an app is 32-bit or 64-bit? From the Apple menu, choose About This Mac, then click the System Report button. From the system report, scroll down to Software in the sidebar, then select Applications. When you select an individual application, you will see a field titled 64-bit (Intel). "Yes" indicates 64-bit; "No" indicates 32-bit. If you're using macOS Mojave, select Legacy Software in the sidebar to see all applications that have not been updated to use 64-bit processes.

MacRumors: 32-Bit Apps 'Not Optimized for Your Mac' to Stop Working on macOS Catalina https://www.macrumors.com/guide/32-bit-mac-apps/

OK; if you're really really really going to die if you don't update at this very moment, go ahead, but expect it to break things. Here's a list of hardware that will be able to run Catalina:
MacBook (Early 2015 or newer)
MacBook Air (Mid 2012 or newer)
MacBook Pro (Mid 2012 or newer)
Mac mini (Late 2012 or newer)
iMac (Late 2012 or newer)
iMac Pro (2017)
Mac Pro (Late 2013)

Ars Technica Review: https://arstechnica.com/gadgets/2019/10/macos-10-15-catalina-the-ars-technica-review/ "Apple's operating system releases have all seemed a bit rushed this year—go ahead and give the company a couple of months to patch Catalina before you install it, if you can."

Ars Technica: New (and sometimes annoying) system security measures https://arstechnica.com/gadgets/2019/10/macos-10-15-catalina-the-ars-technica-review/11/#h4

Mac Rumors https://www.macrumors.com/2019/10/07/apple-releases-macos-catalina/ "...macOS Catalina brings some major changes to the Mac, eliminating the iTunes app in favor of new Music, Podcasts, and TV apps. The three apps offer similar functionality to iTunes, but are split up by feature."
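The About This Mac procedure above answers the 32-bit question one application at a time. As an added example (not an Apple tool and not part of the original notice), the Python script below answers it by reading the Mach-O header of a bundle's main executable: a thin binary starts with MH_MAGIC (32-bit) or MH_MAGIC_64, and a universal binary starts with a fat header whose per-slice cputype carries the CPU_ARCH_ABI64 flag. The fake bundles and headers it builds for the demo are constructed; on a real Mac, point app_is_64bit at any /Applications/*.app.

```python
import os
import plistlib
import struct
import tempfile

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin Mach-O: 32-bit, 64-bit
FAT_MAGIC = 0xCAFEBABE                          # universal ("fat") binary
CPU_ARCH_ABI64 = 0x01000000                     # cputype flag marking a 64-bit slice
CPU_TYPE_I386 = 7
CPU_TYPE_X86_64 = CPU_TYPE_I386 | CPU_ARCH_ABI64
FAT_HEADER = struct.Struct(">II")     # magic, nfat_arch (always big-endian)
FAT_ARCH = struct.Struct(">IIIII")    # cputype, cpusubtype, offset, size, align


def macho_bits(data):
    """Return the word sizes a binary contains ({32}, {64} or {32, 64}),
    or None if `data` does not start with a Mach-O or fat header."""
    if len(data) < 8:
        return None
    magic_le, = struct.unpack_from("<I", data)
    magic_be, = struct.unpack_from(">I", data)
    if MH_MAGIC_64 in (magic_le, magic_be):
        return {64}
    if MH_MAGIC in (magic_le, magic_be):
        return {32}
    if magic_be == FAT_MAGIC:
        _, nfat = FAT_HEADER.unpack_from(data)
        # Java .class files share this magic; a real fat header has a few slices.
        if not 0 < nfat <= 32:
            return None
        sizes = set()
        for i in range(nfat):
            off = FAT_HEADER.size + i * FAT_ARCH.size
            if off + FAT_ARCH.size > len(data):
                return None
            cputype = FAT_ARCH.unpack_from(data, off)[0]
            sizes.add(64 if cputype & CPU_ARCH_ABI64 else 32)
        return sizes
    return None


def bundle_executable(app_path):
    """Path of the main executable named by an .app bundle's Info.plist."""
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    return os.path.join(app_path, "Contents", "MacOS", info["CFBundleExecutable"])


def app_is_64bit(app_path):
    """True if the bundle's main executable has a 64-bit slice, i.e. it survives Catalina."""
    with open(bundle_executable(app_path), "rb") as fh:
        sizes = macho_bits(fh.read(4096))
    return bool(sizes) and 64 in sizes


def fat_header(cputypes):
    """Build a minimal fat header listing `cputypes` (offsets and sizes are dummies)."""
    out = FAT_HEADER.pack(FAT_MAGIC, len(cputypes))
    for i, cpu in enumerate(cputypes):
        out += FAT_ARCH.pack(cpu, 3, 4096 * (i + 1), 1024, 12)
    return out


def make_fake_app(root, name, header):
    """Write a minimal .app bundle whose executable starts with `header` (constructed)."""
    app = os.path.join(root, name + ".app")
    os.makedirs(os.path.join(app, "Contents", "MacOS"))
    with open(os.path.join(app, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": name}, fh)
    with open(os.path.join(app, "Contents", "MacOS", name), "wb") as fh:
        fh.write(header)
    return app


def demo():
    """Classify one 32-bit-only and one universal fake app; returns (False, True)."""
    with tempfile.TemporaryDirectory() as root:
        old = make_fake_app(root, "OldTool", struct.pack("<I", MH_MAGIC) + b"\0" * 28)
        new = make_fake_app(root, "NewTool", fat_header([CPU_TYPE_I386, CPU_TYPE_X86_64]))
        return app_is_64bit(old), app_is_64bit(new)


if __name__ == "__main__":
    import sys
    for app in sys.argv[1:]:
        print(app, "64-bit" if app_is_64bit(app) else "32-bit only")
    print("demo:", demo())
```

Only the first 4 KiB of the executable is read, because every header this script cares about sits at offset 0; a universal binary that is 32-bit only (for example i386 plus PowerPC) correctly comes back as {32}.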



WHAT THIS IS ABOUT: Microsoft has patched a critical security hole in Windows 10 that could be used by the Evil Ones to run arbitrary code on Windows Machines without any action from the legitimate user. Three Admiral Ackbars.

WHO SHOULD READ THIS:
Microsoft Windows Users
Macintosh Users are Not Affected

WHAT YOU SHOULD DO: Do this sooner rather than later.
1. For a speedier process, you may wish to connect your machine to Ethernet instead of using a slower WiFi connection.
2. Save your work and close all applications.
3. In the Windows Desktop, go to the lower left-hand corner and click on the WINDOWS Icon; a pop-up menu should appear.
4. Click on the Gear Icon to open up Windows SETTINGS; a new window should appear.
5. From the icons displayed, click on the two arcing arrows icon to open UPDATE And SECURITY; the window should refresh to "Windows Update".
6. You may be prompted to RESTART NOW; if so, click on the restart button, wait for the updates to install themselves, and repeat the above steps.
7. You should see a button called CHECK FOR UPDATES; click on this to manually have Windows contact the Borg Cube Microsoft for operating system updates; a message "Checking for updates" should appear.
8. Eventually, you may see words to the effect of "Status: Downloading" or "Status: Installing"; wait while the installer goes through its tasks.
9. After the patches have been downloaded and installed, you may be prompted to RESTART NOW. Click on the restart button.
10. Very likely you will see a blue screen with white letters and hypnotic whirling balls telling you not to turn off your computer while the updates are processed.
11. After a pause, a login screen should appear; log in as you normally do.
12. Repeat the above steps until the update utility tells you "You're up to date."

For extra security, users may wish to disable Remote Desktop following these instructions: https://www.lifewire.com/disable-windows-remote-desktop-153337

ADDITIONAL INFORMATION for the Technically Curious: Every second Tuesday of the month, Microsoft issues software patches for Microsoft Software. The August patch provides important security updates that will harden Windows 10 against Internet Worms. Internet Worms are especially worrisome, as they can spread around the planet without any user intervention.

From the Tech News:
Microsoft Overview: https://msrc-blog.microsoft.com/2019/08/13/patch-new-wormable-vulnerabilities-in-remote-desktop-services-cve-2019-1181-1182/
Naked Security: Patch time! Microsoft warns of new worm-ready RDP bugs https://nakedsecurity.sophos.com/2019/08/14/microsoft-warns-of-new-worm-ready-rdp-bugs/
Hot For Security: Microsoft warns of wormable vulnerabilities in Windows https://hotforsecurity.bitdefender.com/blog/microsoft-warns-of-wormable-vulnerabilities-in-windows-21450.html
Security Week: Microsoft Warns of New BlueKeep-Like, Wormable RDS Vulnerabilities https://www.securityweek.com/microsoft-warns-new-bluekeep-wormable-rds-vulnerabilities
The Actual Vulnerabilities (Microsoft advisories):
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1181
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1182



WHAT THIS IS ABOUT: Don't Panic. UO Information Services will be activating a security service on August 15, 2019, which will reduce phishing threats by detecting malicious links sent in e-mail and redirecting users to a notification site if the malicious link is followed. One Admiral Ackbar.

WHO SHOULD READ THIS: Everyone. This is a campus-wide service.

WHAT YOU SHOULD DO: No configuration changes are necessary to use this feature. When you hover over a web link in an e-mail message, (in some cases) the service will have changed the link to something with "urldefense.com" in it; this is normal and expected. The service is filtering links as it looks for malicious ones. Following the link will take you to the genuine web site if the site is legitimate, or to a Warning Page if the link is phishy.

ADDITIONAL INFORMATION for the Technically Curious: A gentle reminder: just because there's an e-mail filtering service in place doesn't mean you can click on e-mail links with wild abandon. Please continue to practice common sense and good e-mail phishing hygiene (see https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=40236 for tips).

The URL Link Protection service is filtering e-mails with an off-campus origin, but isn't looking at on-campus sources; so if, say, my UO e-mail account picked up an e-mail worm and started spamming everyone with infected messages, this service wouldn't filter out those messages. Also, it's possible that brand new malicious e-mail links might not have been added to the URL Link Protection's watch list, which would mean they wouldn't be filtered out.

URL: Uniform Resource Locator.

UO Service Portal Page on URL Link Protection: https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=84238



WHAT THIS IS ABOUT: Don't panic. This is a PSA about a recent uncool upgrade Dropbox foisted off on users. One Admiral Ackbar.

WHO SHOULD READ THIS: Folks who use Dropbox to synchronize files between computers. Non-Dropbox Users are Not Affected.

WHAT YOU SHOULD DO: From Ars Technica: "By default, your way of launching Dropbox will now open the Dropbox file manager instead of Finder on a Mac or Explorer on Windows. You can change this, though. Just open the Dropbox Preferences, and in the "General" tab you'll see an "Open folders in" option. If you've been upgraded to the "New Dropbox Experience," this will say "Dropbox," just change it to "Explorer" or "Finder" and Dropbox will be slightly more normal."

ADDITIONAL INFORMATION for the Technically Curious: I am neither endorsing nor decrying Dropbox use. I will point out that Dropbox is not FERPA compliant. Repeat after me: "Dropbox is not a file backup service."

Ars Technica: Dropbox silently installs new file manager app on users' systems https://arstechnica.com/gadgets/2019/07/dropbox-silently-installs-new-file-manager-app-on-users-systems/



WHAT THIS IS ABOUT: Don't Panic! Network Services is conducting maintenance on a number of network switches. Ethernet and wireless network access will be down Friday, 7/19, from 5:30 AM - 7:00 AM. Two Admiral Ackbars (more like an R2-D2).

WHO SHOULD READ THIS: Computer users in PLC. Off-campus users are not as affected.

WHAT YOU SHOULD DO: There's not a whole lot to do. You may wish to budget a little extra time Friday morning for machines to figure out where they live on the network. Extra bonus "don't confuse the machine" points if Thursday night (tonight) you turn off networked devices (like printers) so they can be blissfully unaware that the network will be down. During the 5:30 AM - 7:00 AM window, computers and printers will be unable to connect to the UO network; this means folks will be unable to send e-mail from a computer in an affected part of campus, and printers won't be able to receive print jobs or send scanned documents anywhere.

ADDITIONAL INFORMATION for the Technically Curious:

-----Original Message-----
From: Don Gathers via RT
Sent: Wednesday, July 17, 2019 4:06 PM
Cc: Barbara Luton; Benjamin Starlin; John Burridge; Kim Lilley; TK Landazuri; uonet-outages@lists.uoregon.edu
Subject: [ithelp #1733726] Switch Reboots in PLC

SUBJECT: Switch Reboots in PLC
AFFECTED: PLC Wired and wireless users
STATUS: Planned
START TIME: Fri. 7/19/2019 5:30 AM
END TIME: Fri. 7/19/2019 7:00 AM
DESCRIPTION: NTS will be rebooting several switches during this maintenance window. The network will be unstable during the reboots.
UPDATE:
TIMESTAMP: Wed Jul 17 16:05:10 PDT 2019

Thank you,
UO Network Services
--
Voice: +1.541.346.6387
Service request: https://service.uoregon.edu
Service status: https://status.uoregon.edu



WHAT THIS IS ABOUT: Don't panic. There is a zero-day security flaw in a third-party video conferencing program, Zoom, which allows hackers to remotely turn on a Macintosh's camera and potentially flood a user's Macintosh with DOS (Denial of Service) attacks. Three Admiral Ackbars, mostly because I'm thinking most people use Skype instead of Zoom.

WHO SHOULD READ THIS:
Macintosh Users who have ever installed Zoom on their machines.
Folks who have never, ever installed Zoom (ever) are not affected.
Windows users are not affected.

WHAT YOU SHOULD DO:
+ If you have never ever installed Zoom on your Macintosh, you're fine.
+ If you have Zoom installed and you intend to keep using it, you need to change some settings as a work-around (procedure from https://nakedsecurity.sophos.com/2019/07/09/zoom-flaw-could-force-mac-users-into-meetings-expose-video-feed/).
  Change Zoom Preferences:
    Launch the Zoom app.
    Open the Preferences page from the menu bar (or press Command-,).
    Click the Video option.
    Enable the setting "Turn off my video when joining a meeting."
  Block Zoom's access to your camera altogether, via the Mac's System Preferences settings:
    Click on the Apple menu (top left corner of your screen).
    Choose System Preferences...
    Click the Security & Privacy icon.
    Click the Camera option.
    Review which apps have access to your camera.
+ If you think you might have installed Zoom at some point, even if you've deleted it:
    Go to the Utilities Folder on your Macintosh.
    Open the Terminal Utility.
    Type lsof -i :19421 (that's el-es-oh-eff space dash eye space colon 19421) and press RETURN.
    If the Terminal prompt appears with no list, Zoom is not running in the background; you're fine.
    If a list appears, then there's a server running in the background... continue.
    Permanently disable the localhost web server from running on your Mac. From the Terminal prompt, type the following (procedure from https://www.macworld.com/article/3407764/zoom-mac-app-flaw-security-camera.html ):
      pkill ZoomOpener; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;
    Then type:
      pkill "RingCentralOpener"; rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;

ADDITIONAL INFORMATION for the Technically Curious:
Naked Security: https://nakedsecurity.sophos.com/2019/07/09/zoom-flaw-could-force-mac-users-into-meetings-expose-video-feed/
Macworld: Zoom Mac app flaw sparks serious security concerns https://www.macworld.com/article/3407764/zoom-mac-app-flaw-security-camera.html "If you've ever downloaded the Zoom app to participate in a video conference, your Mac may be at risk—even if you've already deleted it."
SecurityWeek: https://www.securityweek.com/vulnerability-gives-attackers-remote-access-zoom-users%E2%80%99-cameras "...when the Zoom Client is installed, a web server running on port 19421 is also created on the local machine. The issue, the researcher says, is that the web server remains on the machine even after the application has been uninstalled and can re-install it when the user accesses a webpage, without interaction."
Medium (technical details): https://medium.com/@jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5 "On Mac, if you have ever installed Zoom, there is a web server on your local machine running on port 19421. You can confirm this server is present by running lsof -i :19421 in your terminal. First off, let me start off by saying having an installed app that is running a web server on my local machine with a totally undocumented API feels incredibly sketchy to me. Secondly, the fact that any website that I visit can interact with this web server running on my machine is a huge red flag for me as a Security Researcher."
Common Vulnerabilities and Exposures: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13450
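As an added example that is not part of the notice and not Zoom's software, the Python script below wraps the two Terminal steps above: parse the output of lsof -i :19421 to see whether anything is listening on the hidden web server's port, and, if so, apply the Macworld workaround (stop the opener process, delete the hidden directory, and leave a mode-000 file in its place so the directory cannot be silently re-created). The lsof output in SAMPLE_LSOF is constructed, and the script adds -nP to the lsof call so hosts and ports stay numeric.

```python
import os
import shutil
import stat
import subprocess
import tempfile

ZOOM_PORT = 19421
# Hidden directories the helpers keep under $HOME, and the helper process names,
# as given in the Macworld procedure quoted in the notice.
HIDDEN_DIRS = (".zoomus", ".ringcentralopener")
OPENER_PROCESSES = ("ZoomOpener", "RingCentralOpener")

# Constructed sample of what `lsof -i :19421` prints when the helper is present
# (PID, user and device numbers are invented).
SAMPLE_LSOF = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpener 4242 jdoe    7u  IPv4 0x4f2a19c3b8e7d610      0t0  TCP localhost:19421 (LISTEN)
ZoomOpener 4242 jdoe    9u  IPv4 0x4f2a19c3b8e7d611      0t0  TCP localhost:19421->localhost:50131 (ESTABLISHED)
"""


def parse_lsof(text, port=ZOOM_PORT):
    """Return (command, pid) pairs from lsof output that are LISTENing on `port`.

    lsof prints a header, then one line per socket: command name first, PID
    second, and the socket address followed by its state at the end."""
    listeners = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 3 and cols[-1] == "(LISTEN)" and cols[-2].endswith(f":{port}"):
            listeners.append((cols[0], int(cols[1])))
    return listeners


def listeners_on_port(port=ZOOM_PORT):
    """Run lsof (shipped with macOS) and parse it; [] if lsof is not installed.
    -nP keeps hosts and ports numeric so the port check above is reliable."""
    try:
        proc = subprocess.run(["lsof", "-nP", "-i", f":{port}"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return []
    return parse_lsof(proc.stdout, port)


def lock_hidden_dir(home, name):
    """Python equivalent of `rm -rf ~/NAME; touch ~/NAME && chmod 000 ~/NAME`.

    The helper's directory is removed and an empty, unreadable, unwritable
    file is left at the same path, so a visited web page cannot re-create it."""
    path = os.path.join(home, name)
    if os.path.isdir(path) and not os.path.islink(path):
        shutil.rmtree(path)
    elif os.path.lexists(path):
        os.remove(path)
    open(path, "w").close()
    os.chmod(path, 0)
    return path


def is_locked(path):
    """True once `path` is a regular file with no permission bits set."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0


def neutralise(home=None):
    """The full workaround: stop both opener processes, then lock both directories."""
    home = home or os.path.expanduser("~")
    for proc in OPENER_PROCESSES:
        try:
            subprocess.run(["pkill", proc], check=False)  # exit 1 = nothing to kill; fine
        except FileNotFoundError:
            pass
    return [lock_hidden_dir(home, name) for name in HIDDEN_DIRS]


def dry_run():
    """Exercise the lock step against a throwaway HOME containing a fake ~/.zoomus."""
    with tempfile.TemporaryDirectory() as home:
        fake = os.path.join(home, ".zoomus")
        os.makedirs(fake)
        open(os.path.join(fake, "ZoomOpener.app"), "w").close()  # stand-in contents
        paths = [lock_hidden_dir(home, name) for name in HIDDEN_DIRS]
        return all(is_locked(p) for p in paths)


if __name__ == "__main__":
    hits = listeners_on_port()
    if hits:
        print(f"port {ZOOM_PORT} has a listener {hits}; applying the workaround")
        neutralise()
    else:
        print(f"nothing is listening on port {ZOOM_PORT}; no action needed")
```

The parser keys on the "(LISTEN)" state rather than on the process name, so it also reports any other program that has taken over the port; the established connection in the sample is deliberately ignored, since only a listener can accept requests from a web page.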



WHAT THIS IS ABOUT: Take a deep breath. There's a well-crafted phishing e-mail being sent, supposedly by the UO Library, attempting to trick people out of their usernames and passwords. Two-and-a-half Admiral Ackbars.

WHO SHOULD READ THIS: Everyone with UO e-mail.

WHAT YOU SHOULD DO: If you receive an e-mail from "UO Libraries" with a subject "Library Notice" and body text along the lines of "your account will expire if you don't log in and renew it," delete the message unread. If you clicked on the link and got tricked into giving your username and password, go to https://duckid.uoregon.edu/ and change your password. Additional "Ooops, I fell for that one" instructions here: http://security.uoregon.edu/node/37.html#phished

ADDITIONAL INFORMATION for the Technically Curious:
UO Phishing Guide http://security.uoregon.edu/node/37.html
List of recent phishing attempts targeting UO folks: https://phishtank.uoregon.edu/

This particular phishing attempt is well-crafted. It's using the "two truths and a lie" technique, supplying two valid links to generic library pages to trick you into going to the malicious link (which is using an obscure URL).

The e-mail header is suspicious: the bu.edu domain is Boston University; I would expect a valid address to be something like library@uoregon.edu. The timestamp is CDT; I would expect PDT. The Subject is vague; shouldn't it be something like "Library Account Renewal"? In the body text, "Dear Student" is another red flag; they've got your account information already, so presumably they would be able to address you by name. The message starts to fall apart if you get beyond the reptile-brain response to "OMG! I'm going to lose all my library access soon!"

The message also relies on the recipient not fully understanding how all the library accounts at the UO really work (John raises his hand, because... cool, the UO Library offers all sorts of nifty access to all sorts of electronic holdings in addition to the physical stacks in the Knight Library... and I think you have to sign up for each type of service separately...). "For a list of services" is a great touch, because https://library.uoregon.edu/ really does exist -- but it doesn't give you the alleged list without a lot of digging. They might have meant to send folks to this page: https://library.uoregon.edu/library-technology-services

"Contact the Library Help Desk" is another nice touch... except there isn't anything called that. The closest would be the "Technology Help Desk", housed in the library at https://library.uoregon.edu/library-technology-services/help

--- Text of Phishing E-mail ----

From: UO Libraries
Date: July 2, 2019 at 9:13:33 AM CDT
To: burridge
Subject: Library Notice

Dear Student,

As a member of the University of Oregon Libraries System, use of your library account "burridge" must be renewed annually. Your library enrollment is set to expire on July 15, 2019 12:00, so this is a notification for you to renew now.

To renew, simply click on the following link: UO Libraries (Evil Link to httpCOLON-SLASH-SLASHiDOTsfuDOTcaSLASHTDrzCe ) (click only once; multiple clicks will produce an error)

You will not be required to provide any identity information during this renewal process.

The above renewal link is only valid for a limited time. If you fail to renew your library enrollment before then, you will lose access to all library online services. For a list of the current library online services, please visit: https://library.uoregon.edu

If you have any questions concerning your status or access to the library online services, please contact the Library Help Desk as soon as possible.

Sincerely,

This information was sent by the University of Oregon Libraries Management System:
-------------------------------------------------------------------------------------
Knight Library | UO Libraries
1501 Kincaid St, Eugene, OR 97403
services@uoregon.edu
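The header and body checks in the write-up above (off-domain sender, Central rather than Pacific timestamp, the "Dear Student" greeting, scare-the-reader urgency, and the "two truths and a lie" link mix) can be run mechanically. As an added example (not a UO tool and not part of the original notice), the Python below applies them to a constructed stand-in for the Library Notice message; the sender mailbox at bu.edu and the renewal URL are placeholders, not the addresses from the real phish.

```python
import email
import re
from datetime import timedelta
from email import policy
from urllib.parse import urlparse

TRUSTED_DOMAIN = "uoregon.edu"                # the organisation the mail claims to be from
EXPECTED_UTC_OFFSET = timedelta(hours=-7)     # PDT, where a genuine UO mailer lives
GENERIC_GREETINGS = ("dear student", "dear user", "dear customer", "dear member")
URGENCY_PHRASES = ("expire", "renew now", "limited time", "lose access")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed stand-in for the "Library Notice" phish; the bu.edu mailbox and the
# renewal URL are placeholders, not the real addresses.
SAMPLE_PHISH = """\
From: UO Libraries <library-notice@bu.edu>
Date: Tue, 2 Jul 2019 09:13:33 -0500
To: burridge@uoregon.edu
Subject: Library Notice
Content-Type: text/html; charset=utf-8

<p>Dear Student,</p>
<p>Your library enrollment is set to expire on July 15, 2019 12:00,
so this is a notification for you to renew now.</p>
<p>To renew, simply click: <a href="http://renewal.example.invalid/renew">UO Libraries</a></p>
<p>The above renewal link is only valid for a limited time. If you fail to renew,
you will lose access to all library online services. For a list of services, visit:
<a href="https://library.uoregon.edu">https://library.uoregon.edu</a></p>
<p>If you have any questions, please contact the Library Help Desk.</p>
"""


def host_in_domain(host, domain):
    """True if `host` is `domain` itself or one of its subdomains."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def phishing_red_flags(raw_message):
    """Apply the notice's red-flag checks to an RFC 5322 message; returns a list of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    # 1. Sender domain: a UO library notice should come from uoregon.edu.
    sender = msg["From"].addresses[0].addr_spec if msg["From"] and msg["From"].addresses else ""
    sender_host = sender.rpartition("@")[2]
    if not host_in_domain(sender_host, TRUSTED_DOMAIN):
        flags.append(f"sender domain {sender_host!r} is not {TRUSTED_DOMAIN}")

    # 2. Time zone: a campus mailer stamps Pacific time; CDT is two hours east of that.
    if msg["Date"] is not None:
        offset = msg["Date"].datetime.utcoffset()
        if offset != EXPECTED_UTC_OFFSET:
            shown = "unknown" if offset is None else f"{offset.total_seconds() / 3600:+.0f}h"
            flags.append(f"timestamp UTC offset {shown} is not Pacific (-7h)")

    body = "" if msg.is_multipart() else msg.get_content()
    lowered = body.lower()

    # 3. Generic greeting: a system that knows your account knows your name.
    greeting = next((g for g in GENERIC_GREETINGS if g in lowered), None)
    if greeting:
        flags.append(f"generic greeting {greeting!r}")

    # 4. Urgency: "act now or lose access" is the reptile-brain hook.
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))

    # 5. "Two truths and a lie": real links mixed with one that leaves the domain.
    for href, text in LINK_RE.findall(body):
        host = urlparse(href).hostname
        if not host_in_domain(host, TRUSTED_DOMAIN):
            label = re.sub(r"\s+", " ", text).strip()
            flags.append(f"link labelled {label!r} points off-domain to {host!r}")
    return flags


if __name__ == "__main__":
    for flag in phishing_red_flags(SAMPLE_PHISH):
        print("-", flag)
```

On the constructed sample every check fires, which is the point of the write-up: no single tell is conclusive, but a message that trips several of them at once deserves the delete-unread treatment. The domain check uses suffix matching on the host, so a look-alike such as uoregon.edu.example.com is still reported as off-domain.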



WHAT THIS IS ABOUT: Take a deep breath. Third-party maintenance software, called SupportAssist, factory-installed on newer Dell Computers, has a security flaw in it that could allow a Malicious Hacker to pretty much do anything they want on your Dell Computer. Three Admiral Ackbars.

WHO SHOULD READ THIS:
Dell Computer Users with Dell SupportAssist for Business PCs version 2.0
Dell Computer Users with Dell SupportAssist for Home PCs version 3.2.1 and all prior versions
Older Dell Computers may not have the SupportAssist software installed.
Non-Dell Computers are not affected.
Macintosh Users are not affected.

WHAT YOU SHOULD DO:
1) Start Windows on your Dell computer.
2) Go to the Search area in the lower left-hand corner of the screen.
3) Type SupportAssist in the search area; Windows should auto-populate a menu with best guesses as to what you want.
4a) If no SupportAssist App shows up, Yay! The software isn't installed and your computer is secure. Stop.
4b) If the SupportAssist App does show up, click on it to start the SupportAssist App.
5) Once the SupportAssist App is running, go to the Gear Icon in the upper right-hand side of the app's window and choose "About SupportAssist."
6a) If the version of SupportAssist is 3.2.2.something, Yay! You're running the patched and secure version of the software. Stop.
6b) If the version of the software is 3.2.1 or older, then the update needs to run. Contact either me or CAS-IT for assistance upgrading to SupportAssist 3.2.2. Folks who feel comfortable installing the update on their own can go to https://downloads.dell.com/serviceability/catalog/ and click on program file SUPPORTASSISTINSTALLER.EXE

ADDITIONAL INFORMATION for the Technically Curious: SupportAssist is a utility that scans your Dell Computer system and proactively suggests the driver updates that are required for your computer. It runs with system-level privileges so it can install the updates that it suggests. The flaw in older versions allows hackers to trick it into installing the software of their choice onto a vulnerable Dell Computer.

The Folks Who Discovered the Problem (Technical Post): https://safebreach.com/Post/OEM-Software-Puts-Multiple-Laptops-At-Risk "In this post, we will demonstrate how to exploit this vulnerability in order to load an arbitrary unsigned DLL into a service that runs as SYSTEM, achieving privilege escalation and persistence."

Dell's Support Advisory: We Patched This. https://www.dell.com/support/article/us/en/04/sln317291/dsa-2019-084-dell-supportassist-for-business-pcs-and-dell-supportassist-for-home-pcs-security-update-for-pc-doctor-vulnerability?lang=en

Hot for Security: Millions of Dell PCs vulnerable to attack... https://hotforsecurity.bitdefender.com/blog/millions-of-dell-pcs-vulnerable-to-attack-due-to-a-flaw-in-bundled-system-health-software-21351.html "Hadar reported the vulnerability to Dell on 29 April, who confirmed the problem and forwarded details to PC Doctor on 21 May. A patch was issued by Dell on 28 May, and should mean that any Dell computers which are configured to receive automatic updates are already patched."

Security Week: Millions of Devices Exposed to Attacks Due to Flaw https://www.securityweek.com/millions-devices-exposed-attacks-due-flaw-pc-doctor-software



WHAT THIS IS ABOUT: Hold on to your asbestos, Apple is launching a recall program for Certain Older MacBook Pros with faulty batteries. Two Admiral Ackbars for units that have a faulty motivator (https://www.youtube.com/watch?v=LqVNGSh-8Wo).

WHO SHOULD READ THIS: Users with 15-inch MacBook Pro laptops sold between September 2015 and February 2017.... More specifically, users with a MacBook Pro (Retina, 15-inch, Mid 2015). Other Apple laptop users are not affected. Windows users are not affected.

WHAT YOU SHOULD DO: If you think your 15-inch MacBook Pro might have batteries that could overheat, explode, and set your lap on fire... First check to see which 15-inch MacBook Pro you have.
1. Choose About This Mac from the Apple menu in the upper-left corner of your screen.
2. Confirm your model is "MacBook Pro (Retina, 15-inch, Mid 2015)." If it is, visit this website for more instructions: https://support.apple.com/15-inch-macbook-pro-battery-recall
If your Apple laptop isn't a MacBook Pro (Retina, 15-inch, Mid 2015), then the batteries in it fall within industry safety standards for potentially explosive power sources.

ADDITIONAL INFORMATION for the Technically Curious:
Apple: Important notice for batteries in certain MacBook Pro units https://www.apple.com/newsroom/2019/06/important-notice-for-batteries-in-certain-macbook-pro-units/
Reuters: Apple recalls certain older MacBook Pro units https://www.reuters.com/article/us-apple-recall/apple-recalls-certain-older-macbook-pro-units-idUSKCN1TL2BW
MacRumors: Apple Launches Recall and Replacement Program https://www.macrumors.com/2019/06/20/apple-2015-macbook-pro-recall-program/
Macworld: Apple issues voluntary recall of 15-inch MacBook Pro https://www.macworld.com/article/3404218/apple-issues-voluntary-recall-of-15-inch-macbook-pro.html



WHAT THIS IS ABOUT: Don't Panic. Computer security folks are writing about an in-the-wild attack against unpatched versions of the Firefox web browser. Two Admiral Ackbars.

WHO SHOULD READ THIS: Users of Firefox. Other browsers are not affected.

WHAT YOU SHOULD DO: Manually update Firefox until it says "Firefox is up to date." Instructions here: https://support.mozilla.org/en-US/kb/update-firefox-latest-release

ADDITIONAL INFORMATION for the Technically Curious:
Naked Security: Update Firefox Now https://nakedsecurity.sophos.com/2019/06/20/patch-now-firefox-zero-day-found-in-the-wild/
Security Week: Firefox Zero-Day Exploited to Deliver Malware to Cryptocurrency Exchanges https://www.securityweek.com/firefox-zero-day-exploited-deliver-malware-cryptocurrency-exchanges



WHAT THIS IS ABOUT: Microsoft has patched a critical security hole in Windows XP and Windows 7 (operating systems no longer officially supported) that could be used by the Evil Ones to run arbitrary code on Windows Machines without any action from the legitimate user. Three Admiral Ackbars.

WHO SHOULD READ THIS:
Microsoft Windows XP Users.
Microsoft Windows 7 Users.
Microsoft Windows 8 and Windows 10 Users are not affected.
Macintosh Users are not affected.

WHAT YOU SHOULD DO: In the long run, I recommend upgrading to Windows 10 where possible. In the short term...
Windows XP users: Read the information here: https://support.microsoft.com/en-gb/help/4500331/windows-update-kb4500331
Windows 7 users: Follow the instructions for your particular system here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

ADDITIONAL INFORMATION for the Technically Curious: The security hole is with the Windows Remote Desktop Services; someone using the vulnerability could run anything they'd like on a targeted Windows machine without needing the computer's user to do anything. While Windows 8 and 10 are not affected, there is concern that an Internet Worm could use the vulnerability to propagate over machines running older, deprecated versions of Windows.

Microsoft: Prevent a worm by updating Remote Desktop Services (CVE-2019-0708) https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/ "The Remote Desktop Protocol (RDP) itself is not vulnerable. This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017."

CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
Naked Security: "Critical, remote, ‘wormable’ Windows vulnerability" https://nakedsecurity.sophos.com/2019/05/15/microsoft-fixes-intel-zombieload-bug-with-patch-tuesday-updates/
Techspot News: Microsoft patches major vulnerability in Windows 7 and XP to prevent another WannaCry-like security exploit https://www.techspot.com/news/80083-microsoft-patches-major-vulnerability-windows-7-xp-prevent.html



WHAT THIS IS ABOUT: Take a deep breath; Apple will be changing the way MacOS 10.15 (the OS after Mojave) will deal with photo and video files (and 32-bit software in general). The new MacOS should come out in the Fall of 2019. One and a half Admiral Ackbars for technology inconvenience.

WHO SHOULD READ THIS:
Macintosh users who use iMovie.
Macintosh users who use Aperture.
Macintosh users who use QuickTime 7.
Windows users aren't affected.

WHAT YOU SHOULD DO: Nothing's broken yet, but you'll want to prepare your multimedia files at some point over the summer for the eventual MacOS upgrade.

iMovie: If you use iMovie or have older video assets, you'll want to migrate them over the next few months, before next fall's release of MacOS 10.15 (or consign yourself to banishing your old iMovies onto the Island of Unloved Toys along with BETA-Max, 8-Track Tapes, and MiniDV video). Instructions for converting files used by iMovie are here: https://help.apple.com/imovie/mac/10.1/#/mov1560729bd
1. In iMovie, choose File > Check Media for Compatibility. If incompatible files are found in the library, a window appears listing them.
2. Click Convert. iMovie creates copies of the media files in the H.264 format. The original files are moved to an iMovie Incompatible Media folder, located in the same folder as the library. Your original media is not modified.

QuickTime: To convert an incompatible media file, open it with QuickTime Player (version 10.0 and later), then save a copy with a new name. Do this before updating to macOS 10.15. Versions of macOS after macOS 10.14 Mojave won't support this method.

Apple Aperture: Apple Aperture is photo-editing software introduced in 2005 and discontinued in 2015: https://en.wikipedia.org/wiki/Aperture_(software) Instructions for migrating Aperture libraries are here: https://support.apple.com/en-us/HT209594

ADDITIONAL INFORMATION for the Technically Curious: MacOS Mojave is the last version of the MacOS to run 32-bit apps. As part of the transition from 32-bit to 64-bit, some programs and certain files created using older formats or codecs will be incompatible with future versions of the MacOS after MacOS Mojave. For compatibility reasons, when MacOS 10.15 comes out, I strongly recommend folks wait until the Fall 2019 term ends in December to upgrade from MacOS 10.14 (Mojave) to MacOS 10.15.

32-bit app compatibility with macOS High Sierra 10.13.4 and later https://support.apple.com/en-us/HT208436
About incompatible media in iMovie for MacOS: https://support.apple.com/en-us/HT209029
Convert incompatible media in iMovie: https://help.apple.com/imovie/mac/10.1/#/mov1560729bd
Apple Says Aperture Won't Run in Future macOS Versions After Mojave: https://www.macrumors.com/2019/04/30/aperture-wont-run-beyond-macos-mojave/



WHAT THIS IS ABOUT: Leading up to and over the weekend, English Department Faculty were subjected to some outrageous, anti-Semitic, and just plain crazy e-mail from "Donald Mckiegan Press." There were several different messages. These were probably phishing attempts designed to get folks to "unsubscribe" from the spew of insanity. Two-and-a-half Admiral Ackbars.

WHO SHOULD READ THIS: Everyone with UO E-mail.

WHAT YOU SHOULD DO: If you received e-mail from Donald Mckiegan Press, at the address mckieganofficialDOTgmailDOTcomATemailDOTbenchmarkappsDOTcom, delete it unread. DON'T follow any of the links in the e-mail to report abuse or unsubscribe; these are almost certainly links to malicious sites. If you believe you have become a victim of a phishing attack targeting your University of Oregon account, immediately change your password and security questions at https://duckid.uoregon.edu and contact the Information Security Office at infosec@uoregon.edu.

ADDITIONAL INFORMATION for the Technically Curious: The UO e-mail server offers a configuration that will block e-mail spammers and other miscreants. Instructions for setting up blocks are here: https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=53907
How to Report Suspicious E-mails: https://phishtank.uoregon.edu/how-report-suspicious-emails
How to see full e-mail headers: https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=32839



WHAT THIS IS ABOUT: Heavy sigh. It looks like the April 2018 update for Microsoft Windows 10 is breaking antivirus software right and left. Two-and-a-half Admiral Ackbars.

WHO SHOULD READ THIS: Microsoft Windows Users. Macintosh Users Are Not Affected.

WHAT YOU SHOULD DO: In worst-case scenarios, Windows machines become unresponsive. Rebooting in Safe Mode should allow for uninstalling McAfee, and in this case, users should switch to using Windows Defender. Contact John Burridge at engtech@ithelp.uoregon.edu to schedule a McAfee-ectomy on University Owned Windows Machines if you need or want help. If your Windows 10 machine is merely sluggish, you have a choice to keep using McAfee or switch over to Windows Defender. Macintosh Users should continue to use McAfee.

ADDITIONAL INFORMATION for the Technically Curious:
Microsoft: Known Issues with this Patch: https://support.microsoft.com/en-us/help/4493472/windows-7-update-kb4493472
McAfee says, "It's come to our attention...": https://kc.mcafee.com/corporate/index?page=content&id=KB91465
Ars Technica: "As of publication time, client-side antivirus software from Sophos, Avira, ArcaBit, Avast, and most recently McAfee are all showing problems with the patch." https://arstechnica.com/gadgets/2019/04/latest-windows-patch-having-problems-with-a-growing-number-of-anti-virus-software/



WHAT THIS IS ABOUT: Accidental exposure of user names and passwords in Elsevier services (an online scholarly journal platform). One-and-a-half Admiral Ackbars.

WHO SHOULD READ THIS: Elsevier users.

WHAT YOU SHOULD DO: You may receive an e-mail from Elsevier asking you to reset your password; do so.

ADDITIONAL INFORMATION for the Technically Curious: Copied from https://library.uoregon.edu/accidental-exposure-user-names-and-passwords-elsevier-services :

Accidental exposure of user names and passwords in Elsevier services

The cybersecurity company SpiderSilk determined that a misconfigured Elsevier server exposed user email addresses and passwords in plain text for an unknown length of time (see the source article at https://motherboard.vice.com/en_us/article/vbw8b9/elsevier-user-passwords-exposed-online ). (Elsevier is the provider of platforms like Science Direct and Mendeley and a major scholarly journal publisher.) Elsevier resolved this problem after being notified by the security vendor and is investigating the incident. As noted in the article, an Elsevier representative stated that the vendor will be providing notice to individuals and taking steps to reset user accounts.

We do not know if any members of the UO community were affected. As a precautionary measure, the UO Libraries recommend that all members of the UO community with an Elsevier or Mendeley account change their password immediately. Additionally, if any of your Elsevier accounts uses the same password that you use to login to your DuckID accounts (@uoregon.edu), please change your DuckID password immediately.



WHAT THIS IS ABOUT: Don't panic. This is a PSA about a brand-new off-campus file sharing service being offered by Firefox, called "Firefox Send." One Admiral Ackbar, because "Timeo Firefoxos et dona ferentes" (Beware of Geeks Bearing Gifts).

WHO SHOULD READ THIS: Everyone, because there's a Potential for Evil, and I want folks to have a safe file sharing experience.

WHAT YOU SHOULD DO: If you get an e-mail with a link like this one: https://send.firefox.com/download/030cdf0adf/#11adVwy0P5ht7dQ_B7xZJA I want you to stop and think about what your response will be.

1) First, rest your cursor over the link and see if the pop-up URL matches what the blue underlined link says. If they match (in the above example, they do), then this is a link to a file that someone is sharing with you. If they don't match, like the following bogus example: https://send.firefox.com/download/030cdf0adf/#11adVwy0P5ht7dQ_B7xZJA then you know There's Dirty Work Afoot. In this case, the bogus displayed link and the actual link are brazenly different; someone being extra sneaky might try sending you to a site that looks like send.firefox.com but is really send.firefox.net or send-firefox.com or a variation that you might not catch at a casual glance. REMEMBER: the correct URL for the Firefox Send service will start with https://send.firefox.com

2) Second, if the link looks legitimate, ask yourself if you're expecting a file from the person sending you a link. Don't click on unexpected or unsolicited links in e-mails. There's nothing wrong with e-mailing the sender and asking for a confirmation of what's been sent.

If I were Totally Evil and Caffeinated Enough, I would write a piece of Malware that breaks into your Weird Uncle Fred's computer, logs onto the Firefox Send service as Uncle Fred, uploads my Evil Malware under his name, and then spams everyone with the link https://send.firefox.com/MachineLanguageNameHidingTheFactThatThisIsEvilMalware Only, it wouldn't look like a .EXE or program file; it would look like a picture of a cat. Or it would be a poisoned PDF or Word macro file. So be careful.

3) Third, this is a new service, and there isn't UO policy about its use yet. I am neither endorsing nor proscribing its use. The data is encrypted at both sides, but unless the link is password protected, anyone randomly walking through the Firefox Send web addresses can look at an uploaded file. So, insert the usual FERPA and HIPAA privacy caveats about sharing personal data on secure sites here. If you're needing to share data with other UO staff, I would use UO-based services like the CAS IT file server, or other services outlined here: https://service.uoregon.edu/TDClient/KB/?CategoryID=6179

ADDITIONAL INFORMATION for the Technically Curious:
Firefox Send: https://send.firefox.com
Help with Firefox Send: https://support.mozilla.org/en-US/kb/send-files-anyone-securely-firefox-send/
Ars Technica Release: https://arstechnica.com/gadgets/2019/03/firefox-send-exits-testing-promising-secure-and-simple-file-sharing/
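The hover check from step 1, as an added Python example that is not part of the original bulletin: it compares the host of the displayed link with the host of the real target and accepts only an https link whose host is exactly send.firefox.com. It also shows why "starts with https://send.firefox.com" is not quite enough, since hosts like send.firefox.com.example.net (and the example.net domain used here) are constructed lookalikes that begin with the same text.

```python
from urllib.parse import urlsplit

# The only legitimate host for the service, as the bulletin states.
EXPECTED_HOST = "send.firefox.com"


def hostname_of(url):
    """Return the lower-cased host a browser would actually connect to."""
    return (urlsplit(url).hostname or "").lower()


def is_genuine_send_link(url):
    """True only when the scheme is https and the host is exactly send.firefox.com.

    Comparing the parsed hostname, rather than testing whether the string starts
    with "https://send.firefox.com", also catches
    https://send.firefox.com.example.net/ (extra labels appended) and
    https://send.firefox.com@example.net/ (the expected name is only userinfo).
    """
    parts = urlsplit(url)
    return parts.scheme == "https" and (parts.hostname or "").lower() == EXPECTED_HOST


def is_lookalike(host):
    """Flag hosts that borrow the service's name without being it."""
    return host != EXPECTED_HOST and "firefox" in host


def assess_link(displayed_text, actual_href):
    """Reproduce the hover check: compare the visible link with the real target.

    Returns a list of plain-language findings. An empty list means the link
    passes both checks from the bulletin (text matches target, target is the
    real service); whether you were expecting the file is still your call.
    """
    findings = []
    shown, real = hostname_of(displayed_text), hostname_of(actual_href)
    if shown and shown != real:
        findings.append(f"displayed link shows {shown} but the real target is {real}")
    if not is_genuine_send_link(actual_href):
        findings.append(f"target {actual_href} is not an https link to {EXPECTED_HOST}")
        if is_lookalike(real):
            findings.append(f"{real} looks like an imitation of {EXPECTED_HOST}")
    return findings


# Constructed test links: the first is the example URL from the bulletin, the
# rest are the kinds of variations it warns about (example.net is a placeholder).
GENUINE = "https://send.firefox.com/download/030cdf0adf/#11adVwy0P5ht7dQ_B7xZJA"
LOOKALIKES = [
    "https://send.firefox.net/download/030cdf0adf/",
    "https://send-firefox.com/download/030cdf0adf/",
    "https://send.firefox.com.example.net/download/030cdf0adf/",  # appended labels
    "https://send.firefox.com@example.net/download/030cdf0adf/",  # userinfo trick
    "http://send.firefox.com/download/030cdf0adf/",               # not https
]

if __name__ == "__main__":
    print("genuine link:", assess_link(GENUINE, GENUINE) or "no findings")
    for href in LOOKALIKES:
        for finding in assess_link(GENUINE, href):
            print("-", finding)
```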



WHAT THIS IS ABOUT: Sigh. Phishing attacks on the UO continue. Two and a half Admiral Ackbars.

WHO SHOULD READ THIS: Folks who get e-mail.

WHAT YOU SHOULD DO: If you receive an e-mail from sandra-brownATnorthwesternDOTedu with a subject "Northwestern HSF Payment - Phase III," delete it unread. Do not attempt to open the "PDF" attachment; this is really a link to a malicious web site.

From https://phishtank.uoregon.edu/self-help : If you believe you have become a victim of a phishing attack targeting your University of Oregon account, you should immediately change your password and security questions at duckid.uoregon.edu and contact the Information Security Office at infosec@uoregon.edu.

ADDITIONAL INFORMATION for the Technically Curious:
How to report Phishing: https://phishtank.uoregon.edu/how-report-suspicious-emails
The UO's Phishing website: https://phishtank.uoregon.edu/

The e-mail is worded with enough accounting buzzwords to look legitimate. The message is vague and terse. Sandra Brown is a real person; either her account has been hijacked or else someone is spoofing her e-mail address.

-------- Copy of e-mail follows:

Wed Mar 13 09:34:30 2019: Request 1669015 was acted upon.
Transaction: Ticket created by sandra-brown@northwesternDOTedu
Queue: engtech
Subject: Northwestern HSF Payment - Phase III
Owner: Nobody
Requestors: sandra-brownATnorthwesternDOTedu
Status: new

Ticket 01262-102-REM.PDF
Enclosed please find our remittance for professional services rendered in the above-referenced project. This remittance contains the fees and expenses incurred through February 28, 2019. Please Apply Payments Accordingly.
Office of the Budget and Planning
Northwestern University
Rebecca Crown Center
633 Clark Street, Room 1-649
Evanston, IL 60208
Phone 847-232-4283
sandra-brownATnorthwesternDOTedu

------------ Copy of E-mail Header: ---------

THIS PART OF THE E-MAIL HEADER IS SAYING THAT THE MAIL WAS RECEIVED BY THE (LEGITIMATE) UO SMTP MAIL SERVER.
Received: from ad-cc-ex07.ad.uoregon.edu ( by ad-ah-ex03.ad.uoregon.edu ( with Microsoft SMTP Server (TLS) id 15.0.1367.3 via Mailbox Transport; Wed, 13 Mar 2019 09:34:31 -0700
Received: from ad-cc-ex05.ad.uoregon.edu ( by ad-cc-ex07.ad.uoregon.edu ( with Microsoft SMTP Server (TLS) id 15.0.1367.3; Wed, 13 Mar 2019 09:34:30 -0700
Received: from smtp.uoregon.edu ( by ad-cc-ex05.ad.uoregon.edu ( with Microsoft SMTP Server (TLS) id 15.0.1367.3 via Frontend Transport; Wed, 13 Mar 2019 09:34:30 -0700
Received: from ithelp1.uoregon.edu (ithelp1.uoregon.edu []) by smtp.uoregon.edu (8.14.4/8.14.4) with ESMTP id x2DGYUUV001423 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 13 Mar 2019 09:34:30 -0700
Received: (from apache@localhost) by ithelp1.uoregon.edu (8.14.4/8.14.4/Submit) id x2DGYUVW009735; Wed, 13 Mar 2019 09:34:30 -0700

THIS PART IS SAYING THAT THE MAIL WAS DIRECTED TO THE ENGLISH DEPARTMENT'S COMPUTER SUPPORT QUEUE (I.E. JOHN BURRIDGE ET AL.)
Subject: [ithelp #1669015] Northwestern HSF Payment - Phase III
From: Sandra D Brown via RT
Reply-To: engtech@ithelp.uoregon.edu

THIS PART IS SAYING THE SUPPORT QUEUE IS RESPONDING TO AN E-MAIL FROM NORTHWESTERN.EDU
In-Reply-To: <64c65afe11d0420da9a47531c613acef@evcspmbx05.ads.northwestern.edu>
References: <64c65afe11d0420da9a47531c613acef@evcspmbx05.ads.northwestern.edu>
Message-ID: rt-4.0.4-9729-1552494870-1208.1669015-1049-0@uoregon.edu

THIS PART IS SAYING THAT THE UO TICKETING SYSTEM (RT) DID SOME PROCESSING
Precedence: bulk
X-RT-Loop-Prevention: ithelp
RT-Ticket: ithelp #1669015
Managed-by: RT 4.0.4 (http://www.bestpractical.com/rt/)

THE SYSTEM THINKS THE ORIGINAL E-MAIL CAME FROM SANDRA BROWN AT NORTHWESTERN. THERE ISN'T AN ATTACHMENT LISTED (BECAUSE IT'S REALLY A LINK IN THE MESSAGE BODY). THERE ISN'T A BOGUS "REPLY-TO" ENTRY (MAKING ME THINK SANDRA BROWN'S E-MAIL ACCOUNT HAS BEEN HIJACKED).
RT-Originator: sandra-brown@northwestern.edu
BCC:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="utf-8"
X-RT-Original-Encoding: utf-8
Date: Wed, 13 Mar 2019 09:34:30 -0700
Return-Path: apache@ithelp1.uoregon.edu
X-MS-Exchange-Organization-Network-Message-Id: 90a7e706-b76c-457b-4fc4-08d6a7d1c465
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: ad-cc-ex05.ad.uoregon.edu
X-MS-Exchange-Organization-AuthAs: Anonymous
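The header reading above, as an added Python example that is not part of the original bulletin or of the UO ticketing system: it walks the Received: chain oldest hop first, compares the domains of the sender-related headers the commentary singles out, and notes that the body talks about a PDF while the message carries no attachment. The sample headers are constructed from the excerpt; the IP addresses that were blank in the excerpt are omitted, and the From address is an assumption, since the excerpt shows only the display name.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the header excerpt in the bulletin above.
SAMPLE = """\
Received: from ad-cc-ex07.ad.uoregon.edu by ad-ah-ex03.ad.uoregon.edu with Microsoft SMTP Server (TLS) id 15.0.1367.3 via Mailbox Transport; Wed, 13 Mar 2019 09:34:31 -0700
Received: from ad-cc-ex05.ad.uoregon.edu by ad-cc-ex07.ad.uoregon.edu with Microsoft SMTP Server (TLS) id 15.0.1367.3; Wed, 13 Mar 2019 09:34:30 -0700
Received: from smtp.uoregon.edu by ad-cc-ex05.ad.uoregon.edu with Microsoft SMTP Server (TLS) id 15.0.1367.3 via Frontend Transport; Wed, 13 Mar 2019 09:34:30 -0700
Received: from ithelp1.uoregon.edu (ithelp1.uoregon.edu) by smtp.uoregon.edu (8.14.4/8.14.4) with ESMTP id x2DGYUUV001423; Wed, 13 Mar 2019 09:34:30 -0700
Received: (from apache@localhost) by ithelp1.uoregon.edu (8.14.4/8.14.4/Submit) id x2DGYUVW009735; Wed, 13 Mar 2019 09:34:30 -0700
Subject: [ithelp #1669015] Northwestern HSF Payment - Phase III
From: Sandra D Brown via RT <engtech@ithelp.uoregon.edu>
Reply-To: engtech@ithelp.uoregon.edu
RT-Originator: sandra-brown@northwestern.edu
Return-Path: apache@ithelp1.uoregon.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Date: Wed, 13 Mar 2019 09:34:30 -0700

Ticket 01262-102-REM.PDF
Enclosed please find our remittance for professional services rendered.
"""


def parse_received(value):
    """Pull (sending host, receiving host) out of one Received: header value."""
    sender = re.search(r"from\s+\(?([^\s()]+)", value)
    receiver = re.search(r"\bby\s+([^\s()]+)", value)
    return (sender.group(1) if sender else "?", receiver.group(1) if receiver else "?")


def delivery_path(raw):
    """Hops in the order the mail actually travelled, oldest first.

    Each server prepends its own Received: line, so the header listed last is
    the first hop and the one at the top is the final delivery.
    """
    msg = email.message_from_string(raw)
    hops = [parse_received(v.replace("\n", " ")) for v in msg.get_all("Received", [])]
    return hops[::-1]


def sender_domains(raw):
    """Domain of each address-bearing header the commentary compares."""
    msg = email.message_from_string(raw)
    domains = {}
    for name in ("From", "Reply-To", "Return-Path", "RT-Originator"):
        addr = parseaddr(msg.get(name, ""))[1].lower()
        domains[name] = addr.rpartition("@")[2] if "@" in addr else None
    return domains


def is_internal(host, suffix="uoregon.edu"):
    """Exact match or a subdomain; a plain endswith() would pass evil-uoregon.edu."""
    return host == suffix or host.endswith("." + suffix)


def review(raw):
    """Apply the bulletin's reading of the headers and return the observations."""
    msg = email.message_from_string(raw)
    domains = sender_domains(raw)
    notes = []
    frm, reply_to = domains["From"], domains["Reply-To"]
    if frm and reply_to and reply_to != frm:
        notes.append(f"Reply-To domain {reply_to} differs from From domain {frm}")
    origin = domains["RT-Originator"]
    if origin and not is_internal(origin):
        notes.append(f"original sender is external: {origin}")
    path = delivery_path(raw)
    if path and not is_internal(path[-1][1]):
        notes.append(f"final delivery host {path[-1][1]} is not an internal server")
    if not msg.is_multipart() and ".pdf" in msg.get_payload().lower():
        notes.append("body mentions a PDF but the message carries no attachment")
    return notes


if __name__ == "__main__":
    for sending, receiving in delivery_path(SAMPLE):
        print(f"{sending:>28} -> {receiving}")
    print(sender_domains(SAMPLE))
    for note in review(SAMPLE):
        print("-", note)
```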



WHAT THIS IS ABOUT: A Wednesday phishing attack targeted DuckWeb and Duck ID credentials. Two Admiral Ackbars.

WHO SHOULD READ THIS: Everyone with a UO affiliation.

WHAT YOU SHOULD DO: If you received an e-mail from someone at bristolDOTacDOTuk, with the subject "Important Campus Security Notifications", delete it unread. Following the links will take you to a fake web page that will try to harvest your personal information. If you have responded to this phishing attack, see the self-remediation steps in the message below.

ADDITIONAL INFORMATION for the Technically Curious: E-mail sent to the DEPT-COMP group.

--------------------------------
From: deptcomp-bounces@lists.uoregon.edu On Behalf Of News from Information Services
Sent: Wednesday, March 06, 2019 4:44 PM
To: Departmental Computing; Campus IT Directors, voting members
Subject: deptcomp: Phish targeting DuckWeb & Duck ID credentials
Importance: High

IT colleagues,

We wanted to notify you about a new phishing attack that targets both DuckWeb and Duck ID credentials of UO employees. Just today, the Information Security Office has already received over 100 reports of these phishing messages from staff and faculty. Some people have self-reported the compromise of their credentials. As you know, DuckWeb offers an attacker access to a great deal of sensitive information, such as direct deposit settings. Scammers often seek Duck ID credentials to set up mail redirection rules on the user's email inbox to hide alerts about changes, such as changes to DuckWeb direct deposit settings.

The Phishing Message
+ Sender: Someone from the University of Bristol (domain: bristol.ac.uk)
+ Subject: "Important Campus Security Notifications"
+ Malicious content: A link in the message directs the user to a fake DuckWeb login page to collect their UO ID (95#) and PAC. Users who enter data into that page are then sent to a fake Outlook Web App login page to collect their Duck ID credentials. After that, users are redirected to the real DuckWeb site. Through the combination of those credentials, the scammer could capture enough information to completely take over the user's UO accounts.

Self-Remediation Steps
If anyone in your unit has clicked on the link and entered their DuckWeb and/or Duck ID credentials, they should take the following steps immediately:
1. For DuckWeb credentials:
   a. Log into Duckweb at https://duckweb.uoregon.edu
      i. Alternatively, from the UO homepage, select "Faculty/Staff" in the upper right. Then, under "Administrative Tools," select "Duckweb."
   b. Verify their direct deposit information
      i. Select "Employee Information"
      ii. Select "Pay Information"
      iii. Select "Direct Deposit"
      iv. Check the bank account information listed. If the information is incorrect, select "Update Direct Deposit Allocation" to correct it.
   c. Change their PAC (password)
      i. Select "Personal Information"
      ii. Select "Change PAC"
      iii. Follow the directions to change their PAC
2. For Duck ID credentials:
   a. Go to Duck ID Self-Service at https://duckid.uoregon.edu
      i. Alternatively, from the UO homepage, select "Faculty/Staff" in the upper right. Then, under "Administrative Tools," select "Duck ID Self-Service."
   b. Select "Manage Your Duck ID"
   c. Log in with their Duck ID and password
   d. Change their DuckID password using the "Change Your Password" option
   e. Change the answers to their security questions using the "Update Security Questions and Answers" option

What We're Doing
The Information Security Office is taking the following steps:
+ Added the phishing websites to our campus blocklist. However, some people clicked the link before the blocklist was updated. In addition, off-campus users are not protected by our campus blocklist.
+ Working with self-reporting individuals via their local IT staff to reset credentials and verify direct deposit information.
+ Working with network and server logs from the IS Middleware team to identify UO users who may not have felt comfortable self-reporting.
+ Traced the origin of these emails to compromised credentials at other universities and notified those universities of potential account compromises.
+ Alerted the Payroll office.

We will keep you informed about this situation as it develops, including any plans for broader campus notifications. If you have any questions, please contact the Information Security Office at infosec@uoregon.edu, or the Technology Service Desk at 541-346-4357 (M-F 8am-7pm).

Information Services
University of Oregon



WHAT THIS IS ABOUT: Take a deep breath. Google has plugged a security hole in the Chrome web browser which is being actively exploited in the wild. Manually check Chrome to be sure it's running the latest version. Three Admiral Ackbars.

WHO SHOULD READ THIS: People who use Chrome to surf the web. Other browsers are not affected.

WHAT YOU SHOULD DO: From within Chrome, go to the following URL: chrome://settings/help Depending on the browser, you may see a message about Chrome downloading an update. You may be prompted to RELAUNCH Chrome; go ahead and do so. Chrome will shut down and then start back up again. After a pause you should see a Chrome page which reads "Google Chrome is up to date." Make sure the version number is equal to or greater than 72.0.3626.121. If it isn't, reload chrome://settings/help and relaunch until the version number is the latest.

ADDITIONAL INFORMATION for the Technically Curious: The Bad Guys can use unpatched versions of Chrome to crash software in such a way that they end up with Remote Code Execution, which allows them to install malware on your computer. Go to a booby-trapped web site, and Hey Presto! You've got a keylogger (or worse) installed.
Naked Security: Google says update "right this minute": https://nakedsecurity.sophos.com/2019/03/06/serious-chrome-zero-day-google-says-update-right-this-minute/
Chrome Releases Channel: https://chromereleases.googleblog.com/2019/03/stable-channel-update-for-desktop.html
Justin Schuh (Google Security Desktop Engineer): https://twitter.com/justinschuh/status/1103087046661267456



WHAT THIS IS ABOUT: Don't Panic. This is a gentle reminder from me to Windows users to manually check Windows Updates. One Admiral Ackbar (really more like an R2-D2).

WHO SHOULD READ THIS: Folks with the Windows 10 Operating System. Other Windows Operating Systems Users. Macintosh Users are Not Affected.

WHAT YOU SHOULD DO:
Finish up your work. Save all documents and close various programs.
Make sure your Windows machine is plugged into the Ethernet or other Really High Speed Internet connection (i.e. a wifi connection is slow and will make this process more painful).
Get a good book, or otherwise prepare for non-computing activities (like sleep).
Click on the Windows Start icon, usually located in the lower left-hand corner of the screen; a pop-up menu should appear.
Click on the GEAR Settings icon; a new Windows Settings dialog box should open up.
Click on the two-curving-arrows UPDATES & SECURITY icon; a Windows Update window should appear.
It's possible that Windows Update will begin to LIE to you and say that Windows was last checked a few hours ago and that your Windows operating system is up to date. Ignore this possible trickery and click on CHECK FOR UPDATES anyway.
There will be a pause, and I'm expecting that various cumulative updates will populate a list for download and installation. Typically, it can take upwards of 20 minutes for the updates to download before they begin to install. Installation may take a while (this is where that book or sleep comes in handy).
It's possible that a message about McAfee will appear -- if this happens, you might be prompted to remove McAfee. If you're comfortable uninstalling McAfee, do so. If you're not comfortable, contact me at engtech@ithelp.uoregon.edu for an appointment to bring the computer to PLC 124 where I can work on it.
It's very likely that a RESTART REQUIRED message will come up. Go ahead and click the RESTART NOW button. The Windows machine will restart and a blue screen will appear with messages along the lines of "Installing Updates. This could take a while."
Once the Windows machine has rebooted, repeat this process until a manual update check comes up with an "all updates are installed." I am not responsible for any consequences should someone decide to turn this into a drinking game (which I am not recommending).
If you need to reinstall McAfee, the "VirusScan 8.8 patch 12 Enterprise for Windows" is available here: https://software.uoregon.edu/software-center/10/1/view

ADDITIONAL INFORMATION for the Technically Curious: Yes, Windows Updates are supposed to be an automatic process. However, on a variety of machines I've noticed that the update mechanism has stalled, and then other updates stack up behind it. I've got several theories why this might be the case:
It's possible that the "2019-01 Cumulative Update for Windows 10 Version 1809 for x64-based Systems (KB4476976)" is to blame.
It's possible that Windows Defender and McAfee are in a fist-fight over who is going to be the King of Antivirus Programs.
It's possible that the Windows machine hasn't been connected to a robust-and-fast network long enough to download updates.
It's possible the machine hasn't restarted or shut down for some reason.
Whatever the reason, manual intervention seems to be required.



WHAT THIS IS ABOUT: Don't Panic (much). Apple's video-call software, FaceTime, has a bug in it which allows eavesdroppers to use a person's device's microphone and camera. Apple has since partially disabled the service and closed the hole. Two Admiral Ackbars.

WHO SHOULD READ THIS: Folks with Apple Mobile Devices running iOS 12.1 or later. Folks with Apple Computers running MacOS 10.14 (Mojave). Apparently, older Apple Devices are not affected (they can't run the Group option in FaceTime). Windows users are not affected.

WHAT YOU SHOULD DO: Apple appears to have addressed this issue by temporarily disabling Group FaceTime. One-to-one FaceTime sessions are still possible. Keep an eye out for updates. A security update for Group FaceTime is expected from Apple Real Soon. For extra security points, you can manually disable FaceTime on your Apple devices following the instructions here: https://www.macrumors.com/how-to/turn-off-facetime/

ADDITIONAL INFORMATION for the Technically Curious: This was more a personal privacy issue where you could be spied upon, rather than a computer security issue where your computer could be used to drain your financial funds or your data held for ransom. Pretty much everyone in the Technical Press is saying the same thing: "Oops, this is an embarrassing bug that Apple missed, but it looks like Apple's closed the barn door after the fact and will update things really soon." What I'm noticing is that nobody has said, "Hey, everyone's carrying around a networked microphone and video camera -- maybe we as a society should think about the privacy implications of that before something goes wrong."
Apple Technical Info - Which Apple Products Support Group FaceTime: https://support.apple.com/en-us/HT209022
Apple Technical Info - Group FaceTime Disabled: https://www.apple.com/support/systemstatus/
9to5Mac - They can hear you before you pick up: https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/
MacRumors - Bug Allows Eavesdropping: https://www.macrumors.com/2019/01/28/apple-major-facetime-bug/
MacRumors - Video Demo: https://www.macrumors.com/2019/01/28/facetime-spying-bug-demo/
MacRumors - Apple Disables Group FaceTime: https://www.macrumors.com/2019/01/28/apple-disables-group-facetime-due-to-bug/
Reuters - Apple to patch privacy bug in video-calling feature: https://www.reuters.com/article/us-apple-patch/apple-to-patch-privacy-bug-in-video-calling-feature-idUSKCN1PN03R
The Verge - Serious Bug in Apple FaceTime Allows Eavesdropping: https://www.theverge.com/2019/1/28/18201383/apple-facetime-bug-iphone-eavesdrop-listen-in-remote-call-security-issue
The Register - Disable FaceTime: https://www.theregister.co.uk/2019/01/29/facetime_bug/
Security Week - Semi-technical dissection of the bug: https://www.securityweek.com/apple-working-patch-prevent-facetime-spying
Intego Mac Security Blog - Even Governor Cuomo Warns Folks: https://www.intego.com/mac-security-blog/facetime-spying-bug-discovered-temporarily-worked-around/
Techspot - Facepalm: https://www.techspot.com/news/78477-facetime-bug-you-see-hear-someone-before-they.html
We Live Security - Apple Takes Group FaceTime Offline: https://www.welivesecurity.com/2019/01/29/apple-takes-group-facetime-offline-discovery-spying-bug/



WHAT THIS IS ABOUT: Take a breath. There's an e-mail phishing attempt going out pretending to be a voice mail attachment. Two Admiral Ackbars.

WHO SHOULD READ THIS: Folks who have UO e-mail accounts.

WHAT YOU SHOULD DO: If you receive an e-mail from "Anderson Brett" that is pretending to be a voicemail preview, delete it unread. Following the link in the e-mail will very likely send you to a web page that will pretend to be a voice-mail site and ask you for your UO username and password. If you believe you have become a victim of a phishing attack targeting your University of Oregon account, you should immediately change your password and security questions at https://duckid.uoregon.edu and contact the Information Security Office at infosec@uoregon.edu.

ADDITIONAL INFORMATION for the Technically Curious:
Various phishing attempts from the past are on display here: https://phishtank.uoregon.edu/
How to see full e-mail headers: https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=32839
Tips for Detecting Phishing E-mails: https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=40236

===========================
The text of the e-mail follows:

From: "Anderson Brett (US Stores)"
Date: January 16, 2019 at 8:39:40 AM PST
Subject: Voice Message Attached

Voice mail for: burridge@uoregon.edu
Received on Wed, 16 Jan 2019 16:29:40 GMT
Message length: 22 seconds
Voicemail Preview: "Hello...."
Listen to message [Really a link to wwwDOTjohnmunsonchicagoDOTcomSLASHuoregon, which is a Go.Daddy hosted website.]



WHAT THIS IS ABOUT: Don't Panic. This is an information e-mail about Microsoft's cloud storage service, OneDrive. One Admiral Ackbar because... "It's a Trap!"

WHO SHOULD READ THIS: Folks who use OneDrive, especially Macintosh users who use OneDrive. Folks who use OneDrive to share team sites.

WHAT YOU SHOULD DO: Mostly be aware that after January 17, the default sharing options are changing to a more restricted (and secure) setting. Macintosh users should make sure they are using Mac OS 10.12 (Sierra) or greater.

ADDITIONAL INFORMATION for the Technically Curious: My bias against Microsoft (the Evil Empire) and cloud services (how secure is that networked file server again?) is making me channel my inner Laocoön and mutter "Timeo Microsoftos et dona ferentes" (Beware of Geeks Bearing Gifts). That said, I realize that OneDrive can be a useful collaboration and syncing tool... and that my preference for local files and local software that one licenses instead of leasing over the Internet may be Old School. Be aware of how files are shared -- this latest OneDrive update is a case in point: the default set-up allowed anyone with a OneDrive link to access a file (say, if it was accidentally forwarded in an e-mail). More importantly, it looks like OneDrive is driving Mac OS upgrades; Mac OS 10.12 (Sierra), Mac OS 10.13 (High Sierra), or Mac OS 10.14 (Mojave) will be required for OneDrive use after Feb 1, 2019. Folks wishing to upgrade their Macintoshes to Mac OS 10.14 (Mojave) may do so -- be aware that Mojave plays even less well with printing PDFs on the Xerox printer's accounting software than High Sierra (see the "Caveats, Warnings, and Additional Information" Section in https://english.uoregon.edu/xerox-workcenter-5955i-instructions).

===========
E-Mail Sent by Information Services to the DeptComp Group:

We would like to highlight some changes to OneDrive, Microsoft's cloud storage service:
+ Starting January 17th, the default for sharing a file will be changed to the "Specific people" option. This allows users to share files with only the users they specify. Currently, when selecting a file to share, OneDrive defaults to "Anyone with this link can edit", which means that anyone with the link to that shared file can access the file. Changing the default sharing behavior in OneDrive reduces the chance that a user will unintentionally share a file with more people than they intended.
+ OneDrive's storage limit is 1TB per account. At times in the past, OneDrive storage had been described as "unlimited".
+ The "Go to site" link for accessing team sites in OneDrive has been removed by Microsoft. You can now access your team site by logging in to https://office.uoregon.edu, selecting the OneDrive tile, choosing your team site from the list on the left under "Shared Libraries", and then clicking on the icon for your team site.
+ Starting February 1, 2019, OneDrive will no longer support Mac OS X 10.10 or OS X 10.11. Users who rely on OneDrive should upgrade to OS X 10.12 or above.

If you have questions, please visit https://service.uoregon.edu/TDClient/Requests/TicketRequests/NewForm?ID=vECWy6LhppI_ and log in with your Duck ID to submit a question to the Technology Service Desk. Please consider sharing this message with others in your unit, especially if you know of users who will be affected by these changes.

Information Services
University of Oregon



WHAT THIS IS ABOUT: Microsoft has released a security update outside of their normal "Patch Tuesday" schedule. This closes a critical security hole in Microsoft Internet Explorer. Three Admiral Ackbars.

WHO SHOULD READ THIS: Windows Users who use Microsoft Internet Explorer as their web browser. Macintosh Users are Not Affected.

WHAT YOU SHOULD DO: Run Windows Update. Select the Start button, and then go to Settings > Update & Security > Windows Update, and select Check for updates. You may or may not see a message about: 2018-12 Cumulative Update for Windows 10. Either this update will be available and Windows will want to know when to install it, or else Windows will have been aggressive and installed it for you already.

ADDITIONAL INFORMATION for the Technically Curious:
The Register: https://www.theregister.co.uk/2018/12/19/microsoft_internet_explorer_cve_2018_8653/
Instructions for Updating Windows 10: https://support.microsoft.com/en-us/help/4027667/windows-10-update

From https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8653 :

CVE-2018-8653 | Scripting Engine Memory Corruption Vulnerability
Security Vulnerability
Published: 12/19/2018
MITRE CVE-2018-8653

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website, for example, by sending an email.

The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.



WHAT THIS IS ABOUT: Be on your guard. The English Department appears to be the target of a spear phishing attack. Three Admiral Ackbars.

WHO SHOULD READ THIS: Everyone who gets UO E-mail.

WHAT YOU SHOULD DO: If you get an e-mail with the subject line "Follow-up" and Body Text: "Hello. Are you available??", delete it unread. The e-mail may appear to be from someone on the UO campus, but the e-mail address will end in "my.com". For extra points, you can forward it to phishing@uoregon.edu along with the message's header. Instructions for copying and sending the e-mail header may be found here: https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=32839

ADDITIONAL INFORMATION for the Technically Curious: spear phishing (noun): the fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information. "spear phishing represents a serious threat for every industry"
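The check above (a campus-looking display name on an off-campus address) is easy to automate for anyone filtering departmental mail. The following is an added example, not code from the announcement or from UO Information Services. It assumes uoregon.edu is the only trusted sender domain; the sample messages, names and addresses are constructed to match the lure described above.

```python
"""Flag e-mail that looks like it comes from campus but is sent from an outside domain.

Added example; not part of the original announcement. Assumes uoregon.edu is
the only trusted sender domain. Sample messages are constructed, modeled on the
lure described above (subject "Follow-up", body "Hello. Are you available??").
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

TRUSTED_DOMAINS = {"uoregon.edu"}  # assumption: campus mail comes from here

# Constructed sample, modeled on the message described in the announcement;
# the display name and address are made up.
SAMPLE = b"""\
From: "Pat Professor" <pat.professor@my.com>
To: someone@uoregon.edu
Subject: Follow-up
Content-Type: text/plain; charset=utf-8

Hello. Are you available??
"""

# Constructed benign message for comparison.
BENIGN = b"""\
From: "Pat Professor" <pprof@uoregon.edu>
To: someone@uoregon.edu
Subject: Committee meeting
Content-Type: text/plain; charset=utf-8

Hello. Are you available Tuesday at 2pm?
"""


def sender_domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_bytes):
    """Return the reasons a message looks like this spear-phishing lure (empty = no flags)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []

    # The display name is whatever the sender typed; only the address domain counts.
    from_dom = sender_domain(msg["From"])
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        reasons.append(f"From address is outside campus ({from_dom})")

    # A Reply-To that points somewhere other than the From domain is a common
    # way to steer replies to the phisher even when From looks plausible.
    reply_dom = sender_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain ({reply_dom}) differs from From domain ({from_dom})")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    if str(msg["Subject"] or "") == "Follow-up" and text.startswith("Hello. Are you available"):
        reasons.append('matches the "Follow-up" / "Are you available??" lure')
    return reasons


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, triage(raw) or "no flags")
```

The domain test is deliberately done on the address inside the angle brackets, because the part a mail client shows prominently (the display name) is exactly the part the phisher controls.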



WHAT THIS IS ABOUT: Be prepared! The Computing Center will be doing some maintenance on e-mail, pages, the UNIX shell, and Duck ID Tuesday, Oct 30, from 5am to 7am. One Admiral Ackbar (or maybe an R2-D2) for maintenance.

WHO SHOULD READ THIS: Everyone.

WHAT YOU SHOULD DO: Most likely, e-mail and other services will be back up by 7am... If you have mission critical e-mail to send, you may wish to send it before Tuesday morning. Early Morning Folks may wish to give themselves a little more time for tasks in case things are slow. Use the services status page at https://status.uoregon.edu to check on progress.

ADDITIONAL INFORMATION for the Technically Curious: The folks at the Computer Center write:

Tomorrow (Tuesday, Oct. 30), from 5am to 7am, Information Services will be performing maintenance on several key campus services. Please note the following service outages and impacts:
+ Webmail: Unavailable from 5am to 7am. This also applies to people who use UO's basic email service (IMAP/POP) through email programs other than Webmail. A maintenance page will display to people who visit Webmail during the maintenance.
+ Exchange email: Messages sent to other UO Exchange users will not be affected by this maintenance. However, messages sent to any other recipients between 5am and 7am will be queued by the system for delivery after 7am.
+ Pages.uoregon.edu: All websites unavailable from 5am to 7am.
+ Shell.uoregon.edu: SSH service will be unavailable from 5am to 7am.
+ Duck ID: The Duck ID Self-Service website (https://duckid.uoregon.edu) will be unavailable from 5am to 7am. That includes the admin console. In addition, the daily transfer of the previous day's data changes from Banner to the Duck ID system, normally completed before 8am, will be delayed until later on Tuesday.
During this maintenance work, the status of affected services will be posted at https://status.uoregon.edu.
Please note that if this work runs longer than expected, we may not be able to notify you about that through our normal email lists (voting-itdirs and deptcomp) because they may not be able to distribute messages. We will use the Status website to communicate about any delays or unplanned impacts. We will also plan to notify the UO Exchange admins group via OWA, if necessary.
If you have any questions, please contact the Technology Service Desk through the UO Service Portal at https://service.uoregon.edu or by phone at 541-346-4357.
Information Services, University of Oregon



WHAT THIS IS ABOUT: Don't panic. Sometime around 1 PM today, October 24, 2018, you'll get an announcement from Jessie Minton, Vice Provost for Information Services and Chief Information Officer. This will be a real announcement about changes in E-mail at the UO. One Admiral Ackbar, and possibly an Emperor Palpatine.

WHO SHOULD READ THIS: Everyone who gets E-mail at the UO.

WHAT YOU SHOULD DO: There's really not much to do. This is mostly an announcement about work that will happen over an 18-month period. The gist of the e-mail is: "Hi, over the next couple of years, we're moving away from the e-mail servers here on campus and we'll be using remote e-mail servers maintained by Microsoft. This will usher in a new age of e-mail and calendaring productivity. Don't worry, if you need it, you'll receive guidance on the migration, which shouldn't be disruptive at all."

ADDITIONAL INFORMATION for the Technically Curious: Sneak Preview Here: https://is.uoregon.edu/projects/email
The current on-campus e-mail service -- which is being called "UO's basic email service" -- consists of smtp.uoregon.edu (to send e-mail out) and imap.uoregon.edu (to read e-mail with Webmail or a mail client like the ones listed here: https://it.uoregon.edu/set-up-email); some UO E-mail users use an on-campus Exchange server, usually with the Microsoft Outlook client. The new future service -- being called "UOmail" -- will be off-campus, Microsoft-managed Exchange servers. (Insert bemused rant about Microsoft hegemony here.)
Questions and concerns can be addressed to the Tech Desk: (541) 346-HELP (4357), or via the Service Portal at: https://service.uoregon.edu/TDClient/Requests/TicketRequests/NewForm?ID=Kz97XmiTvaI_



WHAT THIS IS ABOUT: Don't panic. This is a PSA for folks wondering if they should update to Mac OS 10.14 (Mojave). Don't Just Yet. Two Admiral Ackbars.

WHO SHOULD READ THIS: Macintosh Users who are getting nagged by their computers to update to Mojave. Windows Users are not affected. Mobile Device Users are not affected -- Mac OS 10.14 only runs on laptops and desktops.

WHAT YOU SHOULD DO: Mac OS 10.14 (Mojave) was released September 24, 2018. For the general user, I advocate waiting four to eight weeks (at least) before installing a new release of the Macintosh Operating System. This allows other folks to discover any Zero Day Flaws -- yes, Mojave has one -- or other problems with the new OS and gives Apple a chance to release updates to patch the problems. (As of 10/22/2018 there is no 10.14.1 release.) If you can't wait and you really really really want to update to OS 10.14 (Mojave), I'm not going to put on my Software Police Uniform and haul you off to Computer Court (but I might say "I told you so," if there's a problem).

ADDITIONAL INFORMATION for the Technically Curious: A full list of Macs that can run Mojave is below:
+ MacBook (Early 2015 or newer)
+ MacBook Air (Mid 2012 or newer)
+ MacBook Pro (Mid 2012 or newer)
+ Mac mini (Late 2012 or newer)
+ iMac (Late 2012 or newer)
+ iMac Pro (2017)
+ Mac Pro (Late 2013, plus mid 2010 and mid 2012 models with recommended Metal-capable GPU)
Thirteen problems with Mojave (and how to deal with them): https://macpaw.com/how-to/fix-macos-mojave-problems
The Zero-Day Privacy Flaw in Mojave: https://www.macrumors.com/2018/09/24/macos-mojave-bypass-vulnerability/
Reminder about 32-bit software and the latest versions of the Mac OS: https://support.apple.com/en-gb/HT208436



WHAT THIS IS ABOUT: UO Webmail is having a problem. Some folks are seeing: "When attempting to load Webmail, users receive the following error: "DATABASE ERROR: CONNECTION FAILED! Unable to connect to the database!"" Two Admiral Ackbars.

WHO SHOULD READ THIS: Folks who can't use webmail, from about 11:45, Thursday 9/27/2018 onward.

WHAT YOU SHOULD DO: There's not much folks with this problem can do. UO Computer staff are working to fix the problem. Folks who are able to read this should comfort the afflicted.

ADDITIONAL INFORMATION for the Technically Curious:
https://status.uoregon.edu/service/webmail
https://status.uoregon.edu/
See message below:

From: deptcomp-bounces@lists.uoregon.edu On Behalf Of News from Information Services
Sent: Thursday, September 27, 2018 11:58 AM
To: IT Directors; Departmental Computing
Subject: deptcomp: Webmail unplanned outage

Starting at approximately 11:45 AM today (9/27), Webmail became unresponsive. When attempting to go to that website, some users receive the message, "DATABASE ERROR: CONNECTION FAILED! Unable to connect to the database!" Other users are able to enter their Duck IDs and passwords, but Webmail does not act on that login request. Staff are investigating the source of the problem and are working to restore service as soon as possible.
Information Services, University of Oregon



WHAT THIS IS ABOUT: Don't panic, it's that time of year when Apple releases a new Macintosh operating system and I warn people to wait until after Halloween to install it. Two and a Half Admiral Ackbars.

WHO SHOULD READ THIS: iMac users. Macbook users. Apple mobile device users are not directly affected by the Mac OS upgrade. Windows users are not affected.

WHAT YOU SHOULD DO: Sometime soon, your Apple computer may start to bug you to install the latest incarnation of the Macintosh Operating System, Mac OS 10.14 (Mojave). Resist the urge to update -- at least a week, if not until November 1 -- and let other folks discover Glaring Security Flaws or Gotchas. The new operating system Looks Really Cool, which is another way of saying Apple has redesigned the App Store, taking screen shots, and organizing files. Folks who absolutely can't wait to update (or who have the operating system thrust upon them) may do so with the knowledge that previous OS updates have sometimes done things like break network connectivity or expose users to huge computer security holes. For example, as I am writing this right now, this security flaw has been discovered: https://www.macrumors.com/2018/09/24/macos-mojave-bypass-vulnerability/

ADDITIONAL INFORMATION for the Technically Curious:
Ars Technica Review: https://arstechnica.com/features/2018/09/macos-10-14-mojave-the-ars-technica-review/
"[Last year] I recommended against upgrading to High Sierra [the current OS] right away because the operating system's early bugs weren't offset by useful new features - Mojave has no such problem. Later betas and the GM build have been solid, and all the new stuff gives the Mac a serious and much-needed makeover. You should probably read the rest of the review before you upgrade, but it's been quite a while since I liked a new macOS release this much."
Mac Rumors: https://www.macrumors.com/2018/09/24/apple-releases-macos-mojave/
A full list of Macs that can run Mojave is below:
+ MacBook (Early 2015 or newer)
+ MacBook Air (Mid 2012 or newer)
+ MacBook Pro (Mid 2012 or newer)
+ Mac mini (Late 2012 or newer)
+ iMac (Late 2012 or newer)
+ iMac Pro (2017)
+ Mac Pro (Late 2013, plus mid 2010 and mid 2012 models with recommended Metal-capable GPU)
Past Cassandra Moments:
https://pages.uoregon.edu/burridge/TechAnnouncements.php#2017-09-26
https://pages.uoregon.edu/burridge/TechAnnouncements.php#2016-07-01
https://pages.uoregon.edu/burridge/TechAnnouncements.php#2016-10-20
https://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-10-29
https://pages.uoregon.edu/burridge/TechAnnouncements.php#2013-10-23



WHAT THIS IS ABOUT: The latest phishing attempt making the rounds is an e-mail supposedly with a PDF from "The President Michael Schill", sent by "Mary Swanson". Please delete unread. Two Admiral Ackbars.

WHO SHOULD READ THIS: Everyone with a UO e-mail account.

WHAT YOU SHOULD DO: If you receive an e-mail with the subject "Note From The President Michael Schill." from "Swanson, Mary - WEL", delete the e-mail unread. Don't follow the links in the e-mail. Don't try to open the PDF.
Visit these web sites to refresh your memory about Phishing at the U of O:
https://it.uoregon.edu/phishing
http://security.uoregon.edu/node/37.html
How to see and copy full e-mail headers: https://it.uoregon.edu/full-email-headers

ADDITIONAL INFORMATION for the Technically Curious: The domain psdschools.org belongs to a school district in Colorado. I'm guessing one of their users has a compromised account that's sending phishing attacks. The text of the e-mail is IN ALL CAPS, and takes the tone "Today, we write a manifesto. Today, we repeat the first word of our first sentence", followed by vague threats from An Angry and Stern President and promises of Greatness if Right Behavior is Followed. Text of the bogus e-mail follows:

DEAR COLLEAGUES: OUR AIMS IS TO PROVIDE GUIDANCE AND ALIGN OUR BEHAVIORS AS WE MAKE GREAT DECISIONS THAT IMPACT OUR DAILY OPERATIONS. WE RELY ON OUR VALUES AND THIS CODE AS GUIDELINES, AS A BREACH OF THE POLICY MAY RESULT IN DISCIPLINARY ACTION AGAINST THE EMPLOYEE CONCERNED. ALL EMPLOYEES, INCLUDING ALL INDIVIDUALS ON FULL-TIME OR PART-TIME EMPLOYMENT WITH THE INSTITUTION ARE REQUIRED TO GO THROUGH THE GUIDELINES ATTACHED IN THIS EMAIL. IT IS IMPORTANT THAT WE ALL ADHERE TO THESE GUIDELINES SO YOU WILL BE HELPING TO ENSURE A FUTURE SUCCESS OF THIS GREAT INSTITUTION THANK YOU FOR YOUR ONGOING COMMITMENT TO DELIVERING A BETTER AND RELIABLE SERVICE. MICHAEL H. SCHILL PRESIDENT UNIVERSITY OF OREGON.



WHAT THIS IS ABOUT: Don't Panic (much). The latest update to Apple's web browser, Safari v.12, is not compatible with the UO's Java-driven implementation of Banner. Older versions of Safari are not affected. Two Admiral Ackbars.

WHO SHOULD READ THIS: Apple Users. Banner Users. Windows Users are not affected by the Apple Update.

WHAT YOU SHOULD DO: If you use Banner on your Apple computer, hold off updating to Safari v12. If you are not sure what version of Safari you are running, then...
1. Start Safari.
2. From within Safari, go up to the upper left-hand menu item, SAFARI, and click on it.
3. From the drop-down menu, choose ABOUT SAFARI; a dialog box should appear.
4. The dialog box will say, "Safari Version something".
5a. If "something" is 12, Java is not compatible with that version of Safari, and you won't be able to use Banner.
5b. If "something" is 11, Java and Banner will still work.
5c. If "something" is lower than 10... there are probably some security issues with the Safari browser and you shouldn't use it for things like banking.

ADDITIONAL INFORMATION for the Technically Curious:
COGNOS, an alternative to BANNER: https://idr.uoregon.edu/
UO's Banner page: https://inb.uoregon.edu/
Java and Browsers: https://objective-see.com/blog/blog_0x38.html



WHAT THIS IS ABOUT: Don't Panic! This is a PSA about keeping computers cool when it's a zillion degrees outside.

WHO SHOULD READ THIS: Folks in places where it's going to be warmer than 90F. Desktop and laptop users (i.e. computers with exhaust fans).

WHAT YOU SHOULD DO: The forecast for the week of July 23 calls for temperatures in the high 90's. Temperatures like this make it difficult for computers, especially laptops and small form-factor computers, to adequately cool their electronic components. To extend the lifetime of your desktop and laptop computers:
+ power them off when they are not in use.
+ try to use them only during the cooler parts of the day.
+ make sure your computer has adequate space for its vents to blow hot air out of the computer
- make sure the computer isn't crammed into a closed cabinet space or jammed against a corner where ventilation is blocked.
- when running a laptop, make sure it's seated on a flat surface that allows for ventilation underneath it.
+ direct an external fan at the computer's body.
+ use canned air (or for the very careful, a vacuum cleaner) to remove dust from the computer's RAM, CPU, fans, and vents.
This is less of an issue for mobile devices, such as iPads and mobile phones. Stay hydrated!

ADDITIONAL INFORMATION for the Technically Curious:
Cleaning and Dusting (Probably Overkill, But Gives An Idea of How Dusty a CPU's Heat Sink Can Get): https://www.ifixit.com/Wiki/Computer_System_Cleaning
NOAA Weather Service: https://forecast.weather.gov/MapClick.php?lat=44.045555&lon=-123.101276&site=all&smap=1&searchresult=Eugene%2C%20OR%2C%20USA#.W1YCPNJKhaR
Obligatory Cole Porter Reference: https://en.wikipedia.org/wiki/Too_Darn_Hot



WHAT THIS IS ABOUT: Don't panic. This is a PSA about upgrading to Skype 8.0. Older versions of Skype will no longer be supported by Microsoft after August. One Admiral Ackbar because "It's a Trap!" from the Microsoft hegemony.

WHO SHOULD READ THIS: Users of Skype 7 or older. Skype 8 users have already updated.

WHAT YOU SHOULD DO:

****** Windows:
Start Skype. Go to the HELP menu and choose CHECK FOR UPDATES; a window will come up saying there's a new version of Skype. Click on the DOWNLOAD button to get the latest version. The machine will think a moment while it downloads, then display a new dialog box with a cheery, up-beat update message; follow the prompts to allow the download.
Once the new Skype is installed, it will display a dialog box along the lines of "All the sugar, twice the caffeine!" "New features. New look. All Skype." Skype will prompt you to Sign in with Microsoft (here's that hegemony part); supply your Skype username and password.
A new window will appear asking you to choose a Light or Dark format; make your choice and click on the BLUE ARROW BUTTON. You may be prompted to update your Skype profile picture; fiddle with your photo as needed and then click on the BLUE ARROW BUTTON. Skype will want to do a sound check to make sure it can hear you, followed by a web-cam check... click on the BLUE ARROW BUTTON...
Eventually, Skype will display its main window, with a message that Skype has been "redesigned for you." Use Skype or quit as desired.
You may wish to look through the new Skype's settings and see how much you'd like it to share your Skype sessions with Cortana (Your communications recorded by an Artificial Intelligence living on Microsoft servers? What could go wrong?)

****** Macintosh:
Start Skype. Skype will try to install a new helper tool; go ahead and let it -- you'll need the Macintosh Admin User name and password. Skype will then prompt you to log in (here's that hegemony part); supply your Skype username and password.
It's possible Skype will want to ask you to install a second helper tool; supply the Macintosh Admin Username and password (again). After thinking about things for a moment and going through a Cheerful Greeting Screen, Skype will announce there's an update. Click on the blue UPDATE button; Skype will re-start: the Skype Window will vanish and then the Skype icon should start bouncing again in the Dock.
After Skype has finished restarting, go to the SKYPE menu and choose ABOUT SKYPE; a new dialog box should pop up. As of 7/20/2018, you should be running Skype version for the Macintosh. Close the dialog box and continue.
You may wish to look through the new Skype's settings and see if Skype is sharing your location with Bing ("No, really; I was in my office when I made that call....").

ADDITIONAL INFORMATION for the Technically Curious: https://arstechnica.com/gadgets/2018/07/microsoft-killing-off-the-old-skype-client-adding-built-in-call-recording/
"There is, however, a price to pay for this: the traditional Win32 Skype client is being end-of-lifed and will not be supported beyond the end of August this year. Users of the Win32 client will have to upgrade to Skype 8.0 (the desktop version of the new unified app) in order to be able to continue to use the network."



WHAT THIS IS ABOUT: Don't panic. This is a PSA about a new search function installed at https://english.uoregon.edu/term-course-offerings

WHO SHOULD READ THIS: Folks looking for course listings or syllabi from previous terms.

WHAT YOU SHOULD DO: Go to the website https://english.uoregon.edu/term-course-offerings
Under TERM choose "Any". Under COURSE type in a course, say "Eng 104". Press the ENTER key on your keyboard (or scroll down and click the APPLY button at the bottom of the web page's search tool). A list of all ENG 104 courses in the website's database will display.
If you're wanting to look at a range of courses, say all ENG 100 courses: Under TERM choose "Any". Under COURSE type in "Eng 1". A list of all ENG 100-level courses in the website's database will display.
If you're wanting to look at all English 240-something courses: Under TERM choose "Any". Under COURSE type in a course, say "Eng 24". A list of all ENG 240-level courses in the website's database will display.

ADDITIONAL INFORMATION for the Technically Curious: If you know a course's CRN, you can enter it in the website's main search tool, located in the upper right-hand corner of most English Department web pages.



WHAT THIS IS ABOUT: Ugh. Looks like the Phishers of E-mailers are at it again. If you get an e-mail with a subject line: "EMPLOYEE Q2018 FINAL SCREENING," delete it unread. Two Admiral Ackbars.

WHO SHOULD READ THIS: Folks who get UO E-mail.

WHAT YOU SHOULD DO: Delete the e-mail unread. Don't follow the links in the e-mail.
Visit these web sites to refresh your memory about Phishing at the U of O:
https://it.uoregon.edu/phishing
http://security.uoregon.edu/node/37.html
How to see and copy full e-mail headers: https://it.uoregon.edu/full-email-headers

ADDITIONAL INFORMATION for the Technically Curious: Commentary and text of the message follows:

Subject: EMPLOYEE Q2018 FINAL SCREENING.
Date: 2018/05/22 05:38
From: Jennifer Hart
To: "ei383@irnd.com"
What does "Q2018 Final Screening" even mean? Who is Jennifer Hart and why is she sending this? Why am I getting e-mail sent to someone else? The answer to this one is that the message is spoofing addresses, and you could probably find out more with a detailed look at the message header.

"To all Employee and Staff"
Why isn't this being sent to me personally?

"Your Q2 Staff Contact 2018 Screening has commenced."
Oooh. HR-speak. An attempt to establish authority of the sender and/or make me worried that my job might go away. Also, I'm pretty sure the only things that commence at the UO are graduates and/or possibly games. I might fall for this if I were on a quarter-to-quarter contract.

"Please Click Here [link to a Totally Evil Site That Will Try to Steal Your Information] to begin."
So, I'm supposed to believe that my employment (or whatever) contract is supposed to be screened (I think they mean re-negotiated) on-line through a web-site instead of talking with someone within the Department or HR? I suppose if it were PEBB renewal time, I would be more likely to fall for this. In any case, never follow blind HTML links from strangers; and for overt HTML links, always hover your mouse's cursor over a link and see if the text in the message matches where the link says it's going. For example, I could say follow this link https://english.uoregon.edu but it could (and in this case, does) go somewhere else.

"HR Management"
Where's a real person's name? Oh wait, HR's a collective. In any case, there should be a contact phone or e-mail for reaching the HR collective.

"IT-SERVICE DESK"
It appears that the phisher forgot this was an HR scam and didn't remove the support-desk scam ending.

"APPROVED."
An attempt to establish authority. Or approval. I think this is an evolution from the copyright notice.



WHAT THIS IS ABOUT: As announced at the last English Faculty Meeting, on March 26, the English Department website got an updated look, which is compliant with the College of Arts and Sciences' Office of Digital Communications guidelines. One Admiral Ackbar, because "It's a Trap!" is always true.

WHO SHOULD READ THIS: Everyone who uses the new English Website.

WHAT YOU SHOULD DO: Don't panic. In most cases, the information from the old site transferred over to the new site, and the menu structure is very similar. Rejoice! (Grumbling about change in general and the new aesthetic specifically is optional.) If you're making yourself more familiar with the site and you notice a typo or syntax error, please let me know at engtech@ithelp.uoregon.edu. If you notice your office hours are wrong or your profile picture needs replacing, follow the instructions for changing them here: https://english.uoregon.edu/changing-web-profile-information

ADDITIONAL INFORMATION for the Technically Curious: The new site has pretty much the same information as the old site. We've tried to streamline the website's menu structure to be cleaner and less confusing.

- COURSES
The most useful addition to the new site is the way it shows the class schedule. A general class schedule is here: https://english.uoregon.edu/term-course-offerings?offering_term=201703
Courses can be listed in various ways.
A list of courses fulfilling the Undergraduate Major II: B-Literature 1500-1789 requirement is here: https://english.uoregon.edu/term-course-offerings?offering_term=All&fulfillment%5B%5D=38
A list of Graduate Studies courses is here: https://english.uoregon.edu/term-course-offerings?offering_term=All&fulfillment%5B%5D=43&fulfillment%5B%5D=55&fulfillment%5B%5D=54&fulfillment%5B%5D=53&fulfillment%5B%5D=52&fulfillment%5B%5D=51&fulfillment%5B%5D=50
Courses are also listed at the bottom of individual faculty member's pages: https://english.uoregon.edu/profile/sclark11
Each Undergraduate Course requirement has a summary page, like this one: https://english.uoregon.edu/fulfillment/major-ii-literature-pre-1500

- DEPARTMENTAL NEWS
The new site has a news feature that allows us to more closely associate announcements with specific groups and faculty. News items show at the top and bottom of the new splash page: https://english.uoregon.edu
News also shows up here: https://english.uoregon.edu/news-events
News items also show up near the bottom of field of focus pages, like this: https://english.uoregon.edu/field-of-focus/poetry-and-poetics

- FACULTY PAGES
Faculty Pages continue to show a statement and publications, and now include courses taught: https://english.uoregon.edu/profile/whalan

- MINOR PROGRAMS
Descriptions:
o Comics and Cartoon Studies Minor
o Digital Humanities Minor
o Disability Studies Minor
o Writing, Public Speaking, and Critical Reasoning Minor
Courses:
o Comics and Cartoon Studies Minor
o Digital Humanities Minor
o Disability Studies Minor
o Writing, Public Speaking, and Critical Reasoning Minor

The Search Engine in the upper right-hand corner of most English Department web pages is your friend; try searching for a course by CRN, or for "Old English".

Getting to the Faculty Resource Page requires an additional step of authenticating with Shibboleth before entering the Resource Page's password. Go here: https://english.uoregon.edu/about/administrative-and-faculty-resources



WHAT THIS IS ABOUT: An alleged educator allegedly based in Barcelona is sending some pretty phishy looking SPAM to the English Department. Two Admiral Ackbars for ham-handed marketing practices.

WHO SHOULD READ THIS: Folks with UO e-mail accounts.

WHAT YOU SHOULD DO: If you receive a message from Richard Davie with a subject "TEFL Iberia, Barcelona", delete it unread. Following any links in the e-mail will likely get you added to a mailing list (at the best).

ADDITIONAL INFORMATION for the Technically Curious: It looks like there might be a real TEFL Iberia... but I don't know what it really is (is it a school? Is it a language business? Is it a placement service? Is it a bunch of folks with access to nice looking photographs of people in academic settings?). Hovering one's mouse over the links in the e-mail reveals that none of the links are going where they say they are; they appear to be rerouting through some sort of tracking site. A text-only version of the e-mail follows:

From: Richard Davie On Behalf Of Richard Davie
Sent: Tuesday, March 13, 2018 8:45 AM
To: [mail-merged e-mail address]
Subject: TEFL Iberia, Barcelona

Dear [mail-merged recipient's name],
I'm writing to enquire about contacting your current students at the University of Oregon. We are an English teacher training school based in Barcelona and run monthly TEFL courses for English speakers who are looking to teach English and travel. The school is externally validated by Trinity College London and also rated as one of the top TEFL schools in Spain, according to previous graduate reviews and feedback. I feel this could be a potential opportunity for many of your students who have a passion for language and may be looking for summer work / travel options.
I have attached a poster (200KB, pdf) (it says it's a PDF, but it really links to REDACTED/track/click?u=14228e00bf6efc88dcde365c5&id=7ae282dedb&e=c4d4b8a43b) should you wish to circulate it amongst your students.
If you have a physical mailing address I'd be happy to send you some flyers too. If you'd like to learn more about the school in Barcelona please feel free to check out our website: httpsCOLON-SLASH-SLASHwwwDOTtefl-iberiaDOTcom (not going where it says it's going to, appears to be rerouted like the above link to a tracking site).
Thank you for your time and if this is something that could interest your students it would be great to hear back from them. If not I understand and I appreciate you reading this far.
Yours sincerely,
Richard Davie
Course Director
p.s. If you feel this email is irrelevant or inappropriate you can click unsubscribe (yet another tracking URL) and I will remove you from the list.
Check out our school video! httpCOLON-SLASH-SLASHwwwDOTyoutubeDOTcomSLASHwatch?v=n80CtVC9PzU (still another tracking URL)
Web: wwwDOTtefl-iberiaDOTcom (you guessed it, another tracking URL)
Address: Calle Valencia 275, 3rd floor, Barcelona 08009
Phone: REDACTED
Skype: REDACTED
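The "hover and compare" habit recommended in the Q2018 FINAL SCREENING notice above, and the tracking redirects in this TEFL mail, are the same check done by eye. As an added example (not code from either announcement), here is that check done by program over a constructed HTML body modeled on the TEFL message: it extracts every anchor, compares the host named in the visible link text with the host the href actually points at, and separately flags links routed through a "/track/click" path like the redacted ones quoted above. The host "tracker.example" is a made-up stand-in for the redacted tracking site.

```python
"""Compare where a link says it goes with where it actually goes.

Added example; not code from the announcements. Flags anchors whose visible
text names one host while the href points at another (the "hover and compare"
check), and anchors routed through a click-tracking path (heuristic modeled on
the redacted ".../track/click?..." links quoted in the TEFL mail).
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modeled on the TEFL mail. tracker.example stands in for
# the redacted tracking host; it is not a real address.
SAMPLE_HTML = """
<p>I have attached a <a href="https://tracker.example/track/click?u=abc&amp;id=123">poster (200KB, pdf)</a>.</p>
<p>Website: <a href="https://tracker.example/track/click?u=abc&amp;id=456">https://www.tefl-iberia.com</a></p>
<p>Syllabi: <a href="https://english.uoregon.edu/term-course-offerings">english.uoregon.edu</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Host named by a URL or a bare 'www.example.com' string; '' if it names none."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s                   # treat bare domains as URLs
    try:
        host = (urlsplit(s).hostname or "").lower()
    except ValueError:
        return ""
    # Plain words like "poster (200KB, pdf)" are not hosts.
    return host if "." in host and " " not in host else ""


def audit_links(html):
    """Return one finding per suspicious anchor as (href, text, reason)."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        text_host = host_of(text)
        if text_host and text_host != href_host:
            findings.append((href, text, f"text names {text_host} but link goes to {href_host}"))
        elif "/track/click" in urlsplit(href).path:
            findings.append((href, text, "routed through a click-tracking redirect"))
    return findings


if __name__ == "__main__":
    for href, text, reason in audit_links(SAMPLE_HTML):
        print(f"{reason}\n    text: {text!r}\n    href: {href}")
```

The third link is left alone because its text and its target name the same host; a mismatch is only evidence when the visible text actually claims a destination.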



WHAT THIS IS ABOUT: Take a deep breath. Computer security folks have found some flaws (named "Spectre" and "Meltdown") in Intel, AMD, and ARM computer chips and how they can allow data to leak out of your computer and into the hands of the Evil Ones. It's very exciting and scary and Intel's stock has gone down. I'm going to guardedly say Four Admiral Ackbars with the caveat that there's not a whole lot the average user can do except update hardware and software and wait for More Security Updates from Everyone.

WHO SHOULD READ THIS: Anyone who isn't living in a cave with no power and no computers. Abacus users are not affected.

WHAT YOU SHOULD DO: Watch for updates from Pretty Much Every Software and Hardware Vendor in the World. Update early and often. Updates may slow down your computer, but no one is quite sure how much....

Macintosh Users: Um, yes; you can update to Mac OS 10.13 (High Sierra). My understanding is that OS 10.12 has been hardened against this as well. OS 10.13 (High Sierra) will run on the following computers:
+ MacBook (Late 2009 or newer)
+ MacBook Pro (Mid 2010 or newer)
+ MacBook Air (Late 2010 or newer)
+ Mac mini (Mid 2010 or newer)
+ iMac (Late 2009 or newer)
+ Mac Pro (Mid 2010 or newer)
More information here: https://www.intego.com/mac-security-blog/how-to-prepare-your-mac-for-macos-high-sierra/

Windows Users: Make sure to run Windows Update now, and again the second Tuesday of January. More information here: https://support.microsoft.com/en-us/help/4056892/windows-10-update-kb4056892

Harden Chrome Browser Security: https://www.blog.google/topics/connected-workspaces/security-enhancements-and-more-enterprise-chrome-browser-customers/
Firefox should be releasing an update soon.
Chromebook users may want to look at this: https://support.google.com/faqs/answer/7622138#chromeos
Android users will want to look at this: https://source.android.com/security/bulletin/2018-01-01
Google Cloud users: https://blog.google/topics/google-cloud/what-google-cloud-g-suite-and-chrome-customers-need-know-about-industry-wide-cpu-vulnerability/

ADDITIONAL INFORMATION for the Technically Curious: Modern processors run instructions speculatively: rather than waiting to learn whether a branch will be taken or whether a memory access is permitted, the chip guesses, races ahead, and throws the work away if the guess turns out to be wrong. The operating system kernel (ring 0) keeps its memory hidden from ordinary programs (user-land, ring 3), but a speculative read can touch that privileged memory before the permission check catches up. The discarded work still leaves traces in the processor's cache, and by timing its own memory accesses a program can reconstruct what the speculative read saw, including data such as passwords and keys. Software patches that deal with this issue (e.g. Kernel Page Table Isolation, which takes the kernel out of each program's address space entirely) close off the paths the speculation uses, but can slow the chips down.

Meltdown Technical Paper (PDF): https://meltdownattack.com/meltdown.pdf
Spectre Technical Paper (PDF): https://spectreattack.com/spectre.pdf
Technical Report from Google's Project Zero: https://googleprojectzero.blogspot.co.uk/2018/01/reading-privileged-memory-with-side.html
AMD and Intel (chip manufacturers) statements:
https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
http://www.amd.com/en/corporate/speculative-execution

Malwarebytes: https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/
"No software patch for Spectre is available at the time of this article. Partial hardening and mitigations are being worked on, but they are unlikely to be published soon. The Spectre bug can be exploited via JavaScript and WebAssembly, which makes it even more critical. It is therefore recommended to apply some countermeasures such as Site Isolation in Chrome. Mozilla is rolling out a Firefox patch to mitigate the issue while working on a long-term solution. Microsoft is taking similar action for Edge and Internet Explorer."

Ars Technica: https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/
"At their heart, both attacks take advantage of the fact that processors execute instructions speculatively. All modern processors perform speculative execution to a greater or lesser extent; they'll assume that, for example, a given condition will be true and execute instructions accordingly. If it later turns out that the condition was false, the speculatively executed instructions are discarded as if they had no effect. However, while the discarded effects of this speculative execution don't alter the outcome of a program, they do make changes to the lowest level architectural features of the processors. For example, speculative execution can load data into cache even if it turns out that the data should never have been loaded in the first place. The presence of the data in the cache can then be detected, because accessing it will be a little bit quicker than if it weren't cached. Other data structures in the processor, such as the branch predictor, can also be probed and have their performance measured, which can similarly be used to reveal sensitive information."

Google:
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html
"Project Zero discussed three variants of speculative execution attack. There is no single fix for all three attack variants; each requires protection independently.
Variant 1 (CVE-2017-5753), "bounds check bypass." This vulnerability affects specific sequences within compiled applications, which must be addressed on a per-binary basis.
Variant 2 (CVE-2017-5715), "branch target injection". This variant may either be fixed by a CPU microcode update from the CPU vendor, or by applying a software mitigation technique called "Retpoline" to binaries where concern about information leakage is present. This mitigation may be applied to the operating system kernel, system programs and libraries, and individual software programs, as needed.
Variant 3 (CVE-2017-5754), "rogue data cache load." This may require patching the system's operating system. For Linux there is a patchset called KPTI (Kernel Page Table Isolation) that helps mitigate Variant 3. Other operating systems may implement similar protections - check with your vendor for specifics."

The Register: https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
"Whenever a running program needs to do anything useful – such as write to a file or open a network connection – it has to temporarily hand control of the processor to the kernel to carry out the job. To make the transition from user mode to kernel mode and back to user mode as fast and efficient as possible, the kernel is present in all processes' virtual memory address spaces, although it is invisible to these programs. When the kernel is needed, the program makes a system call, the processor switches to kernel mode and enters the kernel. When it is done, the CPU is told to switch back to user mode, and reenter the process. While in user mode, the kernel's code and data remains out of sight but present in the process's page tables. Think of the kernel as God sitting on a cloud, looking down on Earth. It's there, and no normal being can see it, yet they can pray to it. These KPTI patches move the kernel into a completely separate address space, so it's not just invisible to a running process, it's not even there at all. Really, this shouldn't be needed, but clearly there is a flaw in Intel's silicon that allows kernel access protections to be bypassed in some way.
The downside to this separation is that it is relatively expensive, time wise, to keep switching between two separate address spaces for every system call and for every interrupt from the hardware. These context switches do not happen instantly, and they force the processor to dump cached data and reload information from memory. This increases the kernel's overhead, and slows down the computer." http://www.theregister.co.uk/2018/01/04/intel_meltdown_spectre_bugs_the_registers_annotations/ (warning, language and High Snark Levels) "Translation [of Intel's Statement]: When malware steals your stuff, your Intel chip is working as designed. Also, this is why our stock price fell. Please make other stock prices fall, thank you." PC World: "Yes, your iPad and smart-phone, too..." https://www.pcworld.com/article/3245790/mobile/spectre-cpu-faq-phones-tablets-ios-android.html CERT: http://www.kb.cert.org/vuls/id/584653 NATIONAL VULNERABILITY DATABASE -- Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. 
https://nvd.nist.gov/vuln/detail/CVE-2017-5753 https://nvd.nist.gov/vuln/detail/CVE-2017-5715 https://nvd.nist.gov/vuln/detail/CVE-2017-5754 MacRumors: https://www.macrumors.com/2018/01/03/intel-design-flaw-fixed-macos-10-13-2/ Reuters: https://www.reuters.com/article/us-cyberintel-stocks/intel-falls-as-investors-worry-about-costs-of-fixing-chip-bug-idUSKBN1ET1NH https://www.reuters.com/article/us-cyber-intel-researcher/how-a-researcher-hacked-his-own-computer-and-found-worst-chip-flaw-idUSKBN1ET1ZR Security Week: http://www.securityweek.com/intel-amd-chip-vulnerabilities-put-billions-devices-risk http://www.securityweek.com/tech-giants-address-critical-cpu-vulnerabilities http://www.securityweek.com/hackers-expected-remotely-exploit-cpu-vulnerabilities TechSpot How much the Windows 10 emergency update slowed down our computer: https://www.techspot.com/article/1554-meltdown-flaw-cpu-performance-windows/
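For the technically curious who run Linux (the platform the KPTI patchset above lands on first), here is a small check script. It is an added example written for this announcement, not code from any of the linked sources. It reads the status files the Linux kernel (4.15 and later) publishes under /sys/devices/system/cpu/vulnerabilities/ and reports which of the three variants named in the Google write-up still need attention; the directory is a parameter so the logic can be exercised on a constructed sample, and the demo status lines are constructed to resemble an early-2018 kernel.

```python
"""Summarise CPU side-channel mitigation status as reported by the Linux kernel.

Added example for this announcement, not code from any of the sources linked
above. Since Linux 4.15 the kernel exposes one file per issue under
/sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2,
...), each holding a one-line status such as "Not affected", "Vulnerable" or
"Mitigation: PTI". The directory is a parameter so the logic can be exercised
on a constructed sample; the CVE labels are the ones quoted in the announcement.
"""
from pathlib import Path
import tempfile

SYSFS_VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# sysfs file name -> the variant it corresponds to in the Google/Project Zero write-up
WATCHED = {
    "spectre_v1": "Variant 1, CVE-2017-5753, bounds check bypass",
    "spectre_v2": "Variant 2, CVE-2017-5715, branch target injection",
    "meltdown": "Variant 3, CVE-2017-5754, rogue data cache load",
}


def read_status(vuln_dir=SYSFS_VULN_DIR):
    """Return {issue: status line}; 'unknown' when the kernel offers no file
    (too old to report, or not Linux at all)."""
    statuses = {}
    for name in WATCHED:
        try:
            statuses[name] = (Path(vuln_dir) / name).read_text().strip()
        except OSError:
            statuses[name] = "unknown"
    return statuses


def classify(status):
    """Reduce a status line to 'ok', 'vulnerable' or 'unknown'.
    A line starting 'Mitigation:' names the active fix; 'Mitigation: PTI' is
    the KPTI patchset the announcement mentions for Meltdown."""
    if status.startswith("Not affected") or status.startswith("Mitigation:"):
        return "ok"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def needs_action(statuses):
    """Names of the issues still needing a kernel/microcode update, sorted."""
    return sorted(name for name, line in statuses.items() if classify(line) != "ok")


def make_sample_dir(contents):
    """Write a constructed sysfs-like directory so the checks run offline."""
    sample = Path(tempfile.mkdtemp())
    for name, line in contents.items():
        (sample / name).write_text(line + "\n")
    return sample


if __name__ == "__main__":
    # Constructed sample modelled on an early-2018 kernel: Meltdown patched via
    # KPTI, Spectre v1 patched, Spectre v2 still waiting on microcode/retpoline.
    demo = make_sample_dir({
        "meltdown": "Mitigation: PTI",
        "spectre_v1": "Mitigation: __user pointer sanitization",
        "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    })
    for name, line in read_status(demo).items():
        print(f"{name:11} {classify(line):10} {line}   ({WATCHED[name]})")
    print("needs action (sample):", needs_action(read_status(demo)))
    print("needs action (this machine):", needs_action(read_status()))
```

Anything reported as "unknown" means the kernel is too old to say, which for this purpose is the same as "update it".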



WHAT THIS IS ABOUT: Over the weekend, a phishing e-mail was sent out. It's fairly convincing at first glance, so I'll give it 2 and a half Admiral Ackbars.

WHO SHOULD READ THIS: Everyone with a UO e-mail account.

WHAT YOU SHOULD DO: If you receive a message from Donald J Tipper, with the subject "Ticket Number: 135863", delete it unread.

ADDITIONAL INFORMATION for the Technically Curious:
For phishing information from the UO:
https://it.uoregon.edu/phishing
http://security.uoregon.edu/node/37.html
How to see and copy full e-mail headers: https://it.uoregon.edu/full-email-headers

General discussion: at first glance this looks like a message one might get from a tech support desk. The main warning signs are that the e-mail is from DonaldDOTTipperATumassmedDOTedu, which is not a UO e-mail, and that hovering over the link for "Your incident" links to an odd WordPress site that very likely is an Evil Program Designed to Wreak Electronic Havoc. On closer inspection, there's no UO branding anywhere; also the letter is generically closed with "Instructor, IT Service Desk." At a third glance, although there's a specific ticket number, there's no actual clue about what the (bogus) original help request was. What's working in this particular phishing attempt is that it appears to have specific times and dates with it, and it could play on a recipient's curiosity and/or altruism, along the lines of "this isn't me, I wonder if there's some clue about who this really is about that would help me help the IT desk reconnect with the person who really needs help."

==== TEXT of BOGUS E-MAIL ===
Notification of Ticket Escalation
Workspace: Service Desk
Ticket: Request closed
Ticket Number: 135863
Priority: High
Status: Request
Creation Date: 2017-12-08
Description: I have marked your Request as closed. Please review the details of your request in the Self Service portal via the following link: [bogus link here] Your incident
If you feel that your request has not been completed, please visit your incident link to re-open the request.
The last action taken are as follows:
12/08/2017 08:16 am IT service: ID checked
If you do not reply, this request will be formally closed this weekend.
Regards,
Instructor, IT Service Desk
Information Technology



WHAT THIS IS ABOUT: Take a deep breath. A security hole in Mac OS High Sierra 10.13 has been found that gives a person with physical access to an Apple computer the ability to log in as a Super User for Super Hijinks (i.e., if you leave it out, your kids can install Minecraft on your machine while you're not around). Three Admiral Ackbars.

WHO SHOULD READ THIS:
Macintosh Users with Computers running High Sierra (OS 10.13)
Macintosh Users with Computers running Sierra (OS 10.12.6) or OLDER are not affected
Apple Mobile Users / iOS Users are not affected
Windows Users are not affected

WHAT YOU SHOULD DO: If you couldn't wait and gave in to the impulse to update to High Sierra, then... follow the instructions here: https://support.apple.com/en-us/HT204012

Enable or disable the root user
+ Choose Apple menu > System Preferences, then click Users & Groups (or Accounts).
+ Click lock icon, then enter an administrator name and password.
+ Click Login Options.
+ Click Join (or Edit).
+ Click Open Directory Utility.
+ Click lock icon in the Directory Utility window, then enter an administrator name and password.
+ From the menu bar in Directory Utility:
+ Choose Edit > Enable Root User, then enter the password that you want to use for the root user.

REMEMBER: The Root User is a UNIX SUPER USER; don't lose the password to this account if you enable it.

ADDITIONAL INFORMATION for the Technically Curious: That dull thudding sound you hear is system administrators across the planet hitting their foreheads against their desks.
The original report (Twitter): https://twitter.com/lemiorhan/status/935581020774117381
The Loop: http://www.loopinsight.com/2017/11/28/security-hole-in-macos-high-sierra-lets-anyone-gain-root-access-to-a-logged-in-machine/
MacRumors: https://www.macrumors.com/2017/11/28/macos-high-sierra-bug-admin-access/
The Register: https://www.theregister.co.uk/2017/11/28/root_access_bypass_macos_high_sierra/

COMPUTER SECURITY: MacOS High Sierra (10.13) Security Hole Next Day Follow-up

WHAT THIS IS ABOUT: The security hole in Mac OS High Sierra 10.13, discovered Tuesday 11/28/17, has been patched by Apple. (Wow, that was fast.)

WHO SHOULD READ THIS:
Macintosh Users with Computers running High Sierra (OS 10.13)
Macintosh Users with Computers running Sierra (OS 10.12.6) or OLDER are not affected
Apple Mobile Users / iOS Users are not affected
Windows Users are not affected

WHAT YOU SHOULD DO: If you have installed Mac OS High Sierra 10.13 onto your Apple Computer, then check for system software updates via the App Store. Instructions here: https://support.apple.com/en-us/HT201541
You'll know you've installed the secure version of High Sierra if the version number is Version 10.13 (17B1002). Instructions for finding your version number are here: https://support.apple.com/en-us/HT201260

ADDITIONAL INFORMATION for the Technically Curious: Folks are wanting to know if they can update to High Sierra now, and my answer is: wait until after grades are turned in and you're between terms and projects.
Official Apple Site about Security Update 2017-001: https://support.apple.com/en-us/HT208315
Malwarebytes Labs (What Root Access is and What You Can Do With It): https://blog.malwarebytes.com/cybercrime/2017/11/serious-macos-vulnerability-exposes-the-root-user/
The Register (Details on how the hole works and "I am Root" joke): https://www.theregister.co.uk/2017/11/29/apple_macos_high_sierra_root_bug_patch/
Ars Technica (Cut and Dry Recap): https://arstechnica.com/gadgets/2017/11/new-security-update-fixes-macos-root-bug/
Naked Security (Backstory and Recap): https://nakedsecurity.sophos.com/2017/11/29/apple-closes-that-big-root-hole-install-this-update-as-soon-as-possible/
Security Week (Short and Dry Recap): http://www.securityweek.com/apple-patches-critical-root-access-flaw-macos
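For anyone checking more than one Mac, here is the version check from the previous paragraph done from the command line instead of the About This Mac window. It is an added example written for this page, not Apple's code or the original announcement's. It reads the output of the macOS `sw_vers` utility (which prints ProductName, ProductVersion and BuildVersion, one per line) and compares build strings the way macOS numbers them, as a major number, a letter, and a minor number; the fixed build 17B1002 is the one the announcement names, while the other build strings in the samples are constructed for illustration.

```python
"""Decide whether a High Sierra machine carries the Security Update 2017-001 build.

Added example, not from Apple or the original announcement. It parses the
output of the `sw_vers` command and compares build strings numerically:
a major number, a letter, a minor number, and an optional trailing letter.
FIXED_BUILD is the value the announcement gives; the sample sw_vers outputs
below are constructed (their other build numbers are illustrative only).
"""
import re
import subprocess

FIXED_BUILD = "17B1002"
BUILD_RE = re.compile(r"^(\d+)([A-Z])(\d+)([a-z]*)$")


def parse_build(build):
    """'17B48' -> (17, 'B', 48, ''). Tuple order compares correctly, whereas
    plain string comparison wrongly puts '17B48' after '17B1002'."""
    m = BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    major, letter, minor, suffix = m.groups()
    return (int(major), letter, int(minor), suffix)


def build_at_least(installed, required):
    return parse_build(installed) >= parse_build(required)


def parse_sw_vers(output):
    """Turn 'ProductVersion:\t10.13.1' style lines into a dict."""
    info = {}
    for line in output.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    return info


def high_sierra_patched(sw_vers_output, fixed_build=FIXED_BUILD):
    """True/False for a 10.13 machine; None for any other release, which the
    announcement says is not affected by this hole."""
    info = parse_sw_vers(sw_vers_output)
    if not info.get("ProductVersion", "").startswith("10.13"):
        return None
    return build_at_least(info["BuildVersion"], fixed_build)


def check_this_mac():
    """Run sw_vers on the local machine (macOS only)."""
    out = subprocess.run(["sw_vers"], capture_output=True, text=True, check=True).stdout
    return high_sierra_patched(out)


# Constructed sw_vers outputs: an unpatched 10.13.1, a patched 10.13.1, a Sierra box.
UNPATCHED = "ProductName:\tMac OS X\nProductVersion:\t10.13.1\nBuildVersion:\t17B48\n"
PATCHED = "ProductName:\tMac OS X\nProductVersion:\t10.13.1\nBuildVersion:\t17B1002\n"
SIERRA = "ProductName:\tMac OS X\nProductVersion:\t10.12.6\nBuildVersion:\t16G29\n"

if __name__ == "__main__":
    for label, sample in (("unpatched", UNPATCHED), ("patched", PATCHED), ("sierra", SIERRA)):
        print(f"{label:9} patched={high_sierra_patched(sample)}")
```

The numeric comparison also handles later releases correctly: a 10.13.2 build (letter C) sorts above 17B1002, as it should, since it includes the fix.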

COMPUTER SECURITY: MacOS High Sierra (10.13) Security Hole Next Day Follow-up to the Previous Follow-up

WHAT THIS IS ABOUT: In a Monty Python-esque turn of events there is a patch for the patch closing the High Sierra "I Am Root" Security Hole. (I knew I should have written "It's a Trap" in yesterday's e-mail...) One Admiral Ackbar for command-line maintenance.

WHO SHOULD READ THIS:
Macintosh Users with Computers running High Sierra (OS 10.13) who are having difficulties connecting to file shares.
Macintosh Users with Computers running Sierra (OS 10.12.6) or OLDER are not affected
Apple Mobile Users / iOS Users are not affected
Windows Users are not affected

WHAT YOU SHOULD DO: From https://support.apple.com/en-us/HT208317
If file sharing doesn't work after you install Security Update 2017-001, follow these steps. If you experience issues with authenticating or connecting to file shares on your Mac after you install Security Update 2017-001 for macOS High Sierra 10.13.1, follow these steps to repair file sharing:
+ Open the Terminal app, which is in the Utilities folder of your Applications folder.
+ Type sudo /usr/libexec/configureLocalKDC and press Return.
+ Enter your administrator password and press Return.
+ Quit the Terminal app.

ADDITIONAL INFORMATION for the Technically Curious:
Naked Security (Breezy summary): https://nakedsecurity.sophos.com/2017/11/30/apples-blank-root-password-fix-needs-a-fix-of-its-own-here-it-is/
Security Week: http://www.securityweek.com/patch-macos-root-access-flaw-breaks-file-sharing



WHAT THIS IS ABOUT: Take a deep breath. The technical press is abuzz with news about a critical security flaw, called the key reinstallation attack (KRACK), in encrypted wireless connections. KRACK can lead to identity theft, man-in-the-middle attacks, and malware installation. As of 10-16-2017, there is no evidence that the vulnerability has been exploited maliciously, and major vendors appear to be rushing in with antidotes to KRACK. Two-and-a-half Admiral Ackbars.

WHO SHOULD READ THIS: Everyone with a wireless device. Android and Linux devices are particularly vulnerable.

WHAT YOU SHOULD DO: Don't Panic Just Yet.
+ Windows 10 Users should make sure they are running the latest updates from Microsoft.
+ Apple users should make sure they are running the latest OS and iOS updates from Apple.
+ KRACK uses a flaw in device handshaking to worm its way into the communication between a wireless device and a wireless router. Keep your ear to the ground for updates to your devices' wireless networking software (especially for your home router).
+ KRACK requires an attacker to be within WiFi range of your laptop, mobile device, wireless TV, or cell phone. An Evil Hacker trying to break into your device would need to be close enough to pick up your device's wireless signal; so at least this isn't opening your computers to attacks from all over the planet. That said, treat all WiFi connections, especially in public areas (i.e. cafés, airports and libraries), as if a megaphone were attached to them and avoid sending sensitive data over wireless.
+ Use Ethernet connections instead of WiFi connections when possible.
+ Secure websites (sites that begin "https") offer some protection from data leakage.
+ Use VPN to add an extra layer of encryption to your WiFi connections. The UO offers VPN clients here: https://it.uoregon.edu/vpn
+ Don't fiddle with different types of WiFi protocols. Continue to use the WPA2 wireless protocol.

ADDITIONAL INFORMATION for the Technically Curious: KRACK uses a flaw in a four-part handshake between a router and a device to trick the machines into re-sending data to each other and figure out the encryption key they're using to keep communication secure.

The Original Paper (with nifty URL and cool logo): https://www.krackattacks.com/

Quick Overview from Naked Security: https://nakedsecurity.sophos.com/2017/10/16/wi-fi-at-risk-from-krack-attacks-heres-what-to-do/

The Register writes: http://www.theregister.co.uk/2017/10/16/wpa2_krack_attack_security_wifi_wireless/
"Key Reinstallation Attacks work against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data as well as eavesdropping on communications over the air. The only main limitation is that an attacker needs to be within range of a victim to exploit these weaknesses."

Ars Technica's overview (with scary tables): https://arstechnica.com/information-technology/2017/10/how-the-krack-attack-destroys-nearly-all-wi-fi-security/

PC World says Latest Update to Win10 Protects Against KRACK: https://www.pcworld.com/article/3233255/windows/krack-wi-fi-attacks-shouldnt-harm-updated-windows-pcs.html

Windows Central writes: https://www.windowscentral.com/microsoft-releases-statement-krack-wi-fi-vulnerability
"Microsoft released security updates on October 10th and customers who have Windows Update enabled and applied the security updates, are protected automatically. We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates."

Apple Insider Hints that Apple Devices are Patched: http://appleinsider.com/articles/17/10/16/apple-confirms-krack-wi-fi-wpa-2-attack-vector-patched-in-ios-tvos-watchos-macos-betas
More Windows Central: https://www.windowscentral.com/krack
MacRumors: https://www.macrumors.com/2017/10/16/wpa2-krack-attacks/
We Live Security: https://www.welivesecurity.com/2017/10/16/wpa2-security-issues-pose-serious-wi-fi-safety-questions/
Wi-Fi Alliance®: https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-security-update
CERT Information on KRACK: http://www.kb.cert.org/vuls/id/228519
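For the technically curious, here is a toy model of why "re-sending data" in the handshake matters and what the vendor patches change. It is an added example written for this page, not code from the KRACK authors, the Wi-Fi Alliance or any vendor, and two simplifications are assumptions: the cipher is a stand-in stream cipher whose keystream is SHA-256 of key, packet nonce and block counter (real WPA2 uses AES in counter mode, but the property that matters, keystream depending only on key and nonce, is the same), and the handshake is reduced to the one message that matters here, message 3, which installs the session key. The two frames and the key are constructed demo values; nothing here touches a network interface.

```python
"""Toy model of the key reinstallation the KRACK papers describe.

Added example for this announcement; not code from the KRACK authors or any
vendor. Assumptions: a stand-in stream cipher (SHA-256 based keystream) in
place of AES-CCMP, and a handshake reduced to message 3. Constructed data only.
"""
import hashlib


def keystream(key, nonce, length):
    """Deterministic keystream for (key, nonce): same inputs, same bytes."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """The supplicant (laptop/phone) side of the handshake.

    hardened=False: installs the key and resets the packet nonce every time
    message 3 arrives, even a retransmitted copy. That is the flaw.
    hardened=True: refuses to reinstall a key that is already in use, which is
    the behaviour the vendor patches referenced above introduce.
    """

    def __init__(self, hardened):
        self.hardened = hardened
        self.ptk = None   # installed session key
        self.nonce = 0    # per-packet nonce; must never repeat under one key

    def on_message3(self, ptk):
        if self.hardened and self.ptk == ptk:
            return "retransmission ignored, nonce kept"
        self.ptk = ptk
        self.nonce = 0    # key (re)installation resets the nonce
        return "key installed, nonce reset"

    def send(self, plaintext):
        """Encrypt one frame; returns (nonce, ciphertext) as it goes over the air."""
        frame = (self.nonce, xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext))))
        self.nonce += 1
        return frame


# Constructed demo traffic (equal lengths keep the xor demonstration simple).
FRAME_1 = b"GET /inbox HTTP/1.1"
FRAME_2 = b"session=4f3e2d1c0ba"
DEMO_PTK = b"constructed-demo-key-not-real!!!"


def run_handshake(hardened):
    """Message 3 arrives, the client sends a frame, message 3 arrives again
    (retransmitted or replayed), the client sends a second frame."""
    client = Client(hardened)
    client.on_message3(DEMO_PTK)
    first = client.send(FRAME_1)
    client.on_message3(DEMO_PTK)
    second = client.send(FRAME_2)
    return first, second


def reuse_exposes(first, second, known_plaintext):
    """What a passive listener gains when two frames share a nonce under one
    key: c1 xor c2 == p1 xor p2, so one known frame reveals the other outright.
    Returns None when the nonces differ, i.e. nothing is exposed."""
    if first[0] != second[0]:
        return None
    return xor(xor(first[1], second[1]), known_plaintext)


if __name__ == "__main__":
    for hardened in (False, True):
        f1, f2 = run_handshake(hardened)
        print("hardened " if hardened else "vulnerable",
              "nonces:", f1[0], f2[0], "exposed:", reuse_exposes(f1, f2, FRAME_1))
```

The vulnerable client sends both frames under nonce 0, so the second frame falls out of the first; the hardened client keeps counting, so the same retransmission exposes nothing. That one-line refusal to reinstall an in-use key is the substance of the patches listed above, which is why "update your devices" is the whole of the advice.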



WHAT THIS IS ABOUT: Don't panic; this is merely a message about making sure Windows 10 updates are running correctly. The Computer Center and Network Security are Very Keen on Windows computers being up-to-date. Two Admiral Ackbars for tedious maintenance.

WHO SHOULD READ THIS: Windows 10 users (no one is still using Windows 7 or XP, right?). Macintosh Users are not affected.

WHAT YOU SHOULD DO: In Windows 10:
1. Save your work and close all programs.
2. In the search box (usually located near the lower left-hand corner of the screen, next to the WINDOW icon) type cmd; a list of options should appear in a pop-up menu above the search box.
3. At the top of the pop-up menu should be a black icon of a computer screen with some text in it labeled "Command Prompt"; click on the icon – a new window with a black background and grey-white text should appear.
4. Click on the new window; a flashing cursor should appear at the end of the text.
5. Type winver and press ENTER.
6. A new window with a white background and big blue letters reading "Windows 10" should appear. Read the smaller black text underneath, which should begin "Microsoft Windows," then a new line which should start "Version".
6A. IF the text reads Version 1703 or "build 15063", then Yay! You're up-to-date; close all windows and continue your regular computer tasks.
6B. IF the text reads something else, like version 1507 or "build 10240", then Windows needs some help updating.
   a. Click on the WINDOW icon in the lower left-hand corner of the screen; a pop-up menu should appear.
   b. Click on the white GEAR icon (labeled "Settings" if you hover your mouse over it); a new window should appear.
   c. Click on the UPDATE & SECURITY icon (two circular arrows chasing each other); the window should refresh with update information.
   d. Click on the CHECK FOR UPDATES button; this should initiate various "I'm working on it" graphics.
   e1. In a Perfect World, the operating system will realize that there are updates and start to download them (which could take upwards of 30 minutes), or realize that it's already downloaded everything and that probably now would be a good time to install them.
   e2. In a Slightly-Less-Perfect World, there's a possibility that Windows Update will be complaining that something failed and wants you to click on a FIX or RETRY button; do so and follow any other prompts.
   e3. In a Really-Not-So-Perfect-After-All World, the operating system will blithely tell you it's up to date, but the version is still something like 1511 or 10240. If that's the case, e-mail engtech@ithelp.uoregon.edu and make an appointment for me to Try Some Other Things, like the Microsoft Windows 10 Update Assistant (see below).
7. There's a non-zero chance that updating Windows will re-kindle the Battle Between Windows Defender and McAfee. During the install, let Windows Defender have its way, and then reinstall McAfee from here: https://it.uoregon.edu/software/virusscan (UO login required to be able to download "VirusScan 8.8 patch 9 Enterprise for Windows"). If you need help re-installing McAfee, please e-mail engtech@ithelp.uoregon.edu and make an appointment for your machine.

ADDITIONAL INFORMATION for the Technically Curious: "News from Information Services" (isnews@uoregon.edu) writes:
"Once a version of Windows 10 falls out of support, Microsoft will no longer issue security and bug fixes for that version. While the system may seem to be fully operational, Microsoft will not address any defects or vulnerabilities, leaving the system vulnerable to exploits. Information Services strongly recommends that university-owned machines run an operating system version that is fully supported. In the event that a specific vulnerability is found to be exploitable in an out-of-support OS version, we may need to take machines running that OS version offline, depending on the scope and risk level."

Or, to translate, "If Network Security sees an out-of-date-and-vulnerable system, we'll block it from the UO network."

Windows 10 v 1511 Out of Support Notice: https://support.microsoft.com/en-us/help/4035050/windows-10-version-1511-will-no-longer-receive-security-updates
Memento Mori, the MS Windows Version: https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
Genealogy of Windows 10 Builds: https://en.wikipedia.org/wiki/Windows_10_version_history
The Windows 10 Update Assistant For Those Awkward Moments When Windows Update Inexplicably Fails and You Need a Power Tool: https://www.microsoft.com/en-us/software-download/windows10



WHAT THIS IS ABOUT: Once again, someone is sending the English Department phishing attempts. Two and a half Admiral Ackbars for extra fancy formatting.

WHO SHOULD READ THIS: Everyone who reads UO e-mail.

WHAT YOU SHOULD DO: If you receive an e-mail, supposedly from Marshall Urias (muriasATfullertonDOTedu), with blue-and-white formatted text saying something about an "ITS CLOSURE," delete it unread. Extra points for forwarding it to phishing@uoregon.edu.

ADDITIONAL INFORMATION for the Technically Curious: If this were a real message from either CAS-IT or the Computer Center's Tech Support Desk, it would be formatted in Green and Yellow and stamped with an Oprah-esque O or else branded with Breaking Bad Elements. More likely it would be in mostly unadorned text.
+ There is no page at either https://www.uoregon.edu/technology/account/ or https://www.uoregon.edu/technology/
+ Rather than the term "Job number", the UO IT support community uses the term "support ticket," "ticket request" or "ticket number."
+ Any support message from the UO support desks would include a valid UO e-mail address and/or a valid UO phone number.
+ Something like suspension of your UO e-mail would probably have a UO Service Portal ticket opened for it. You can see all of your UO Service Portal Ticket Requests by going to https://service.uoregon.edu/TDClient/Requests/TicketRequests/

Message text follows:

(Formatted in a blue banner) Technology Services
(Formatted in large bronze colored typeface) Job number 81576- ITS CLOSURE
Job Number 81576, "Account suspended for spam" has been closed with the following solution: Deactivation of incoming mails.
(The above text is formatted to look impressive and like it's coming from some kind of official office. "Job Number XXX" is using a bureaucratic style to give the message a sense of authority. Words like "account," "suspended," "spam," and "deactivation" are supposed to activate your limbic brain so your decision-making process is short-circuited.)
(Formatted extra large) What this means
(Whoa, they're trying to sound like Friendly Tech Support Folks... )
Your account will not be able to receive/send mails due to sending large amount of mails exceeding the maximum limit per day.
To restore default settings for receiving emails visit IT support center here [bogus HTML link]
Please contact us here [bogus HTML link] if you have any questions regarding this closure.
For any correspondence regarding your job, please quote Job Number : 81576
(They're really trying to sound like a real IT support desk here by using the fake job number.)
(Formatted extra large) More information
(Formatted in a blue banner) See our detailed instructions visit: https://www.uoregon.edu/technology/account/ [really goes to the same bogus HTML link]
(In this case, all the links go to the bogus raulmarceloDOTcomDOTbrSLASHoregon, which you can see if you hover the computer mouse over the links. This is almost certainly where they will try to trick you into entering in your e-mail username and password (at least).)
Copyright (c) 2017. CRICOS Provider Number 00123M
(Ah yes; the copyright notice that seems to be obligatory on all SPAM e-mails and Phishing attempts....)



WHAT THIS IS ABOUT: It looks like the same outfit that sent phishing attempts Friday has just sent a smarter-looking variation of the phishing attempt (see example below). Three Admiral Ackbars.

WHO SHOULD READ THIS: Folks who get UO e-mail.

WHAT YOU SHOULD DO: If you get an email, most likely from Jodi Oakerson, and with the subject "IT service: Email address changed successfully", delete it unread. Extra points for forwarding it to phishing@uoregon.edu.

ADDITIONAL INFORMATION for the Technically Curious: This e-mail is smarter because it's more professional looking. Also, it looks like a UO employee's account is being used to lend authenticity to the e-mail. Warning signs:
* The UO help desk almost always gives a phone number and plain-text e-mail for help; this message doesn't.
* This message is formatted for Blue and White, which aren't the university's colors.
* We don't have separate help desks for students, staff, and faculty.

Text of phishing attempt follows:

From: Jodi Oakerson
Sent: Monday, October 02, 2017 12:05 PM
Subject: IT service: Email address changed successfully

(BLUE HEADER) Information Technology service

(BLUE BOLD TEXT) Email address changed successfully

We just wanted to let you know that your University email address was recently changed on Monday,2nd 
October 2017 08:08 AM.

Don't recognize this activity?

If you have not recently changed your address please contact us urgently for assistance.

Students and applicants

       o Contact our Student Support Team [Evil Link to hallinydorosaDOTcomDOTbrSLASHwp-contentSLASHpluginsSLASHuoregon

Staff, contractors, alumni and visiting academics

       o Contact the Staff Service Centre [Same Evil Link] 

More contact details can be found here. [Same Evil Link Here, Too]
(Grey Bar with Small White Text) Copyright | Privacy | Disclaimer



WHAT THIS IS ABOUT: Starting sometime last Friday (9/29), various English Department folks received a bogus warning letter, with the subject "Unknown Login," about failed attempts "to access your email account from an unrecognized device." This is a phishing attempt. Delete it. Three Admiral Ackbars.

WHO SHOULD READ THIS: Folks who have UO e-mail.

WHAT YOU SHOULD DO: In general, when you get a message about an account's security breach, take a deep breath and don't panic.
+ Ask yourself, is this message coming from the UO or my personal internet service provider? (If the answer is no, it's more likely to be a fake message.)
+ Ask yourself, is this message addressing a specific account, like my UO e-mail? (If the answer is no, it's more likely to be a fake message.)
+ Hover the mouse over the links to see where they're going. In this case, all of the links were going to a .br domain.
Extra Internet Citizen Points for forwarding suspected phishing e-mails to phishing@uoregon.edu.
https://it.uoregon.edu/phishing
http://security.uoregon.edu/node/37.html

ADDITIONAL INFORMATION for the Technically Curious: An almost identical phishing attempt happened last March: http://pages.uoregon.edu/burridge/TechAnnouncements.php#2017-03-15

Legitimate links for checking various services:
UO Webmail: https://webmail.uoregon.edu/
Gmail Security Tips: https://support.google.com/mail/answer/7036019?visit_id=1-636251907492419486-2456929806&rd=2
Apps with access to your Google Account: https://myaccount.google.com/permissions?pli=1
Compromised Twitter Account? https://support.twitter.com/articles/31796
A general guide: https://nakedsecurity.sophos.com/2017/03/15/latest-phishing-tactics-infected-pdfs-bogus-friend-requests-fake-hr-emails/
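The manual checks above (and in the "ITS CLOSURE", "Email address changed" and "Ticket Number" phishing notices earlier on this page) can be automated for anyone triaging a department inbox: is the sender at a domain we trust, do the links point at a domain we trust, and does a link's visible text name one site while its href goes somewhere else. The script below is an added example written for this page, not the university's tooling; the two messages in it are constructed to resemble the ones described, not copies of them, and TRUSTED_DOMAINS is an assumption standing in for the reader's own institution.

```python
"""Triage checks for a suspected phishing message.

Added example for the phishing announcements on this page; not the
university's tooling. The two messages below are constructed, not copies of
the real ones. TRUSTED_DOMAINS is an assumption (the reader's institution).
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"uoregon.edu"}

PHISH_EML = """\
From: IT Service Desk <helpdesk@other-school.example>
To: someone@uoregon.edu
Subject: Job number 81576 - ITS CLOSURE
Content-Type: text/html; charset=utf-8

<html><body>
<p>Job Number 81576, "Account suspended for spam" has been closed.</p>
<p>See our detailed instructions visit:
<a href="http://attacker.example/oregon">https://www.uoregon.edu/technology/account/</a></p>
<p>Please <a href="http://attacker.example/oregon">contact us here</a> with questions.</p>
</body></html>
"""

LEGIT_EML = """\
From: Tech Desk <techdesk@uoregon.edu>
To: someone@uoregon.edu
Subject: Your ticket
Content-Type: text/html; charset=utf-8

<p>Your request is open; track it at
<a href="https://service.uoregon.edu/TDClient/Requests/TicketRequests/">the UO Service Portal</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Crude (no public-suffix list, so co.uk
    style suffixes are misjudged) but enough for this illustration."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyse(raw_message):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    addresses = msg["From"].addresses if msg["From"] else ()
    sender_domain = addresses[0].domain if addresses else ""
    if registrable_domain(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is not a trusted domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")

    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        if registrable_domain(target) not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted host {target!r}")
        # Visible text that looks like a URL but names a different host than
        # the href is the "hover over the link" check from the announcements.
        if text.lower().startswith(("http://", "https://")):
            shown = urlparse(text).hostname or ""
            if registrable_domain(shown) != registrable_domain(target):
                findings.append(f"link text shows {shown!r} but points to {target!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("legit", LEGIT_EML)):
        print(label, analyse(raw) or ["no findings"])
```

A sender at a trusted domain is not proof of anything on its own (the "Email address changed" message above came from a real UO account), so the link checks matter more than the sender check; an empty finding list means only that none of these three signs is present.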



WHAT THIS IS ABOUT: Don't Panic. Apple has released a new Macintosh Operating System, MacOS 10.13.0 (High Sierra). DON'T update; High Sierra is not quite ready. Two Admiral Ackbars, because new operating systems are always A Trap!

WHO SHOULD READ THIS: Macintosh iMac and MacBook Users. iPad and iPhone users are not affected (they use iOS, not MacOS). Windows Users are not affected.

WHAT YOU SHOULD DO: Macintosh desktop and laptop computer users should continue to use MacOS 10.12.6 (Sierra) or OS 10.11 (El Capitan). OS 10.10 (Yosemite) is OK, but if your desktop or laptop can run 10.12 or 10.11, upgrade to those for improved security. Older OSes have passed end-of-life support and are less secure. Wait to update to 10.13 (High Sierra) until the end of Fall Term.

ADDITIONAL INFORMATION for the Technically Curious:
MacRumors says there's a security vulnerability with High Sierra's keychain (turns out it's not just High Sierra...): https://www.macrumors.com/2017/09/25/macos-high-sierra-security-vulnerability/
Ars Technica says wait until October-ish: https://arstechnica.com/gadgets/2017/09/macos-10-13-high-sierra-the-ars-technica-review/9/#h7
The Register says wait (Warning: High Snark Content): https://www.theregister.co.uk/2017/09/26/so_should_i_upgrade_to_macos_high_sierra/

Once Apple stamps out various bugs, OS 10.13 (High Sierra) will run on the following computers:
MacBook (Late 2009 or newer)
MacBook Pro (Mid 2010 or newer)
MacBook Air (Late 2010 or newer)
Mac mini (Mid 2010 or newer)
iMac (Late 2009 or newer)
Mac Pro (Mid 2010 or newer)
More information here: https://www.intego.com/mac-security-blog/how-to-prepare-your-mac-for-macos-high-sierra/



Hello All,

After exploring the new UO Service Portal at https://service.uoregon.edu/TDClient/Home/ I've come to the conclusion that someone looking to use it to get computer help will find the new portal tool a little confounding. One thing that hasn't changed is that I'm still here as a computing resource weekday mornings, and I'm still the first stop for computer questions. If you have a question or need computer help, you can always reach me (and other English Department staff members) at engtech@ithelp.uoregon.edu or by phone at 6-3570. While e-mailing the Technical Desk directly isn't possible, they still have a telephone number: 346-HELP.

Here are some short-cuts to "actually requesting help" web pages:

ACCOUNTS:
If you have a problem with your DUCK ID and can't get to your e-mail, request password help here: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=21333
Direct e-mail questions here: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=18715
For help with DuckWeb (Faculty and Staff Employee Info): https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=19366
For help with DuckWeb (student enrollment and info): https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=20232
If you need a special, single account for departmental use (i.e. you want an e-mail for a particular departmental program), request one here: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=20173

NETWORKING:
If you're having problems connecting your Wireless device to UOwireless or UOsecure: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=19081
If you're having problems connecting your computer to the Ethernet: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=19861
If you need help with using VPN: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=19862

INSTRUCTIONAL TOOLS:
For help with Canvas: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=22132
To request assistance from CMET: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=21150
For help using UOBlogs, the webpage-generating software you might use for a particular class: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=19075
If you need an e-mail list created for a class, request one here: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=19493

OTHER:
For help with DuckDocs: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=19365
For help with COGNOS: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=18948
To report that a service -- like the network, or banner, or canvas -- is apparently down, go here: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=19096

WHEN ALL ELSE FAILS:
The "OMG, You Guys Buried the Particular Topic I Have a Question About So Deeply, I Can't Find The Request Help Page You Want Me To Use" request help page: https://service.uoregon.edu/TDClient/Requests/ServiceDet?ID=19093



WHAT THIS IS ABOUT: Don't Panic. This is a PSA about the new way to get computing help from the Computing Center.

WHO SHOULD READ THIS: All computer users on the UO campus who need help with centralized computing issues, like e-mail quotas and password problems.

WHAT YOU SHOULD DO: Instead of sending e-mail to the Computer Center asking for help, visit https://service.uoregon.edu/TDClient/KB/ArticleDet?ID=31704 to initiate a support ticket. Also, take a moment to look through the Knowledge Base, https://service.uoregon.edu/TDClient/KB/Default, which has help articles for the various computing services offered on campus. To request help from me, engtech@ithelp.uoregon.edu is still the way to go; no word yet on when department-specific IT support will be folded into the new portal system, but I'll dare to prophesy that it will be sometime in twelve to eighteen months.

ADDITIONAL INFORMATION for the Technically Curious: Various services on campus are converting to a web-based, searchable catalog of offered services, FAQs, and help-request forms. The aim is to streamline answers to typical problems, to track time spent on maintenance, and to provide service metrics for budgeting. More information is included below.

From: deptcomp-bounces@lists.uoregon.edu [mailto:deptcomp-bounces@lists.uoregon.edu] On Behalf Of News from Information Services
Sent: Monday, August 28, 2017 9:02 AM
To: Departmental Computing
Subject: deptcomp: UO Service Portal is here!

The new UO Service Portal is here! Visit https://service.uoregon.edu.

The UO Service Portal offers a new way for people to find and request tech help on campus, and a new way for IT support groups to manage those help requests.

How do I use the UO Service Portal?
There are several ways to get tech help through the UO Service Portal:
• Request help online
  o Visit the Service Catalog, locate the service you'd like help with, and submit a help request. Requests will be routed to the appropriate IT group (see list below).
  o You must log in with your Duck ID to submit most kinds of help requests. There are also help options for people who can't log in or aren't sure where to ask for help.
• Self-help
  o Visit the Knowledge Base for how-to guides, troubleshooting information, and answers to common questions.
• Contact us
  o Look up alternative contact information — such as phone numbers and physical locations — for the four IT groups currently using the UO Service Portal (see list below).
• Search
  o You can search the entire portal or limit your search to the Knowledge Base or Service Catalog.
You can also use the UO Service Portal to report an IT service outage or view IT service requests you've submitted.

Who should use the UO Service Portal?
People should use the UO Service Portal to request help from the following IT groups:
• Information Services*, including the Technology Service Desk
• College of Design (formerly AAA) Technology Services
• School of Journalism and Communication (SOJC) IT
• Student Life IT (SAIT)
For other IT groups: If you refer a customer to one of the above IT groups, please refer them to the UO Service Portal. The above groups are now asking customers to contact them through webforms in the UO Service Portal instead of by email*.
*Some Information Services groups are keeping their queues in RT (ithelp.uoregon.edu) for now. If you're accustomed to requesting services from IS via RT, please consult the individual IS groups to determine whether to continue using RT or switch to the UO Service Portal for contacting them.

How can I get help with the UO Service Portal?
Here are two ways:
• Submit a help request through the UO Service Portal itself using one of the Service Catalog "services" listed here: https://service.uoregon.edu/TDClient/Requests/ServiceCatalog?CategoryID=6907
• Contact the Technology Service Desk — one of the groups now using the UO Service Portal!
Please note that, as of today, the Tech Desk is no longer accepting service requests through the email address techdesk@uoregon.edu. To contact the Tech Desk, please call 541-346-4357 or submit a help request at service.uoregon.edu.

More information
A brief overview of the UO Service Portal is available on the IT website: https://it.uoregon.edu/uo-service-portal-launch-aug-28-2017

We're excited about the improved tech support experience this new tool will offer, for both customers and IT staff!

Information Services
University of Oregon



WHAT THIS IS ABOUT: Don't panic, this is a follow-up to the Petya variant e-mail sent yesterday, and some instructions which supposedly protect your machine from the Petya variant, now known as PetyaWrap. Two Admiral Ackbars.

WHO SHOULD READ THIS: Windows Users. Macintosh Users are not affected.

WHAT YOU SHOULD DO: The ransomware looks at the computer to see if there's already a copy of it installed; you can trick it (Ha-ha! Take that!) into thinking the computer has already been infected with a blank file named perfc.
1. Go to the Windows 10 Search Blank, and type cmd; a new window should appear.
2. Type in the following command: cd C:\Windows
3. Type in the following command: echo "" > perfc
4. Type in the following command: exit
Once the blank file perfc lives in the C:\Windows folder, the ransomware will think it sees another copy running and halt itself.

Note: it's likely that newer versions of the PetyaWrap ransomware will figure this trick out, but at least it works on the original malware.

ADDITIONAL INFORMATION:
Review of PetyaWrap from Naked Security (has a sales pitch for Sophos): https://nakedsecurity.sophos.com/2017/06/28/new-petya-ransomware-all-you-wanted-to-know-but-were-afraid-to-ask/
Security Week Overview: http://www.securityweek.com/petyanotpetya-what-we-know-first-24-hours
Forum discussing the perfc kill-switch: https://www.cybereason.com/blog-cybereason-discovers-notpetya-kill-switch/



WHAT THIS IS ABOUT: Take a deep breath; a new variant of ransomware is attacking infrastructure in Ukraine, Russia, Britain, France and Spain. The ransomware appears to be a variant of Petya, and the technical press is comparing this to the WannaCry outbreak a few months ago. Because this is nasty and widespread (but not here yet, as far as I know), I'll give it Three Admiral Ackbars. [Editor's Note: This malware was later reclassified as a computer wiper, and appeared to be designed to disrupt services.]

WHO SHOULD READ THIS: Everyone on the Internet. Macintosh Users Are Not Affected, but should be vigilant.

WHAT YOU SHOULD DO:
+ Make sure your Windows machine is running the latest update to close the various security holes (EternalBlue) that Petya uses.
+ Update your McAfee antivirus definitions.
+ Make a back-up of your files on a separate, removable device; Dropbox, Google Docs, and OneDrive are network shares and don't count -- if ransomware can encrypt files on your computer, it can encrypt files on remote network shares.
+ Petya spreads in part by attachments. Be extra, extra careful opening e-mailed PDFs or Microsoft Office documents; if you don't recognize the sender, or if the sent file is unexpected, be extra paranoid and confirm by phone that the sender actually sent it.

ADDITIONAL INFORMATION for the Technically Curious: Ransomware is software that encrypts the data on your computer's hard drive, then demands a ransom (usually paid in Bitcoins) from the user to decrypt the files. Petya and its variants are particularly bad, because they go after the Master Boot Record, not just user files and documents.
Master Boot Record: https://en.wikipedia.org/wiki/Master_boot_record

The Technical Press Becomes Alarmed...
The Register (warning, high snark levels): https://www.theregister.co.uk/2017/06/27/ransomware_outbreak_hits_ukraine/
Overview from Security Week: http://www.securityweek.com/petya-ransomware-outbreak-hits-organizations-globally
We Live Security: https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/
Forbes Tech: https://www.forbes.com/sites/thomasbrewster/2017/06/27/ransomware-spreads-rapidly-hitting-power-companies-banks-airlines-metro/
Ars Technica: https://arstechnica.com/security/2017/06/a-new-ransomware-outbreak-similar-to-wcry-is-shutting-down-computers-worldwide/

Technical Analysis:
Malwarebytes Discusses Petya: https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/
Security Week Discussion of EternalBlue (an exploit Petya uses): http://www.securityweek.com/nsas-eternalblue-exploit-fully-ported-metasploit



WHAT THIS IS ABOUT: Take a deep breath. This is a summary of the "WannaCry Worm" that hit the Internet last Friday afternoon. It's serious, and should be taken as a cautionary tale to update operating system software. Three and a half Admiral Ackbars.

WHO SHOULD READ THIS:
Windows Users; Windows XP users, especially. Windows 10 users are mostly safe.
Macintosh users are only affected if they run Windows on their Macintoshes.
Everyone, in an engaged Internet Citizen kind of way.

WHAT YOU SHOULD DO: Windows users should run Windows Update to be sure that they are running the latest version. Windows XP users should contact me at engtech@ithelp.uoregon.edu about strategies for upgrading to Windows 10.

ADDITIONAL INFORMATION for the Technically Curious:

--Excerpted from a message from the UO Techdesk:
Information Security staff recommend prompt action to address a new ransomware risk. A vulnerability in Windows networking that was disclosed in March is now being exploited to infect Windows computers worldwide with ransomware codenamed "WannaCry." The ransomware can encrypt dozens of common file types (see list below). Once encrypted, the files are inaccessible for use. The ransomware demands payment in bitcoins to deliver the decryption key. Infected users without off-machine backups may lose a significant amount of work.

There are three main vectors of infection:
o Opening a malicious email attachment
o Opening a malicious link in an email
o Having an unpatched Windows computer on the network

To prevent infection and mitigate risk, Information Security staff recommend the following steps:
For end users:
o Save backups of your work somewhere other than on your computer, such as on a network fileshare or in OneDrive
o Don't click suspicious links or open attachments that you aren't expecting
o Report suspicious emails to phishing@uoregon.edu
o Deploy Microsoft Windows Updates as promptly as possible (if you manage your own computer)

Information Security staff notified departmental IT staff on Monday, May 8, of machines in their departments that were vulnerable to network propagation of this worm. They performed a network rescan this afternoon (Friday, May 12) and will follow up with OU admins over the weekend and on Monday (May 15) about computers that remain vulnerable to network propagation of this worm.
---

Various Articles from the Technical Press:
Hot For Security (Quick Overview): https://hotforsecurity.bitdefender.com/blog/how-to-protect-against-wannacry-ransomware-18037.html
Naked Security (Not-so-quick Overview, ads for Sophos...): https://nakedsecurity.sophos.com/2017/05/12/wanna-decrypter-2-0-ransomware-attack-what-you-need-to-know/
Naked Security (Why Haven't We Learned? Also, ads for Sophos): https://nakedsecurity.sophos.com/2017/05/14/wannacry-benefits-from-unlearned-lessons-of-slammer-conficker/
Brad Smith, Microsoft's President and CLO (Computer Security is a globally collective endeavor, and the NSA needs to shape up): https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/
Ars Technica (Hey! I found a kill switch! Also, some patching advice.): https://arstechnica.com/information-technology/2017/05/wanna-decryptor-kill-switch-analysis/
Ars Technica (That Pesky NSA…): https://arstechnica.com/security/2017/05/2-days-after-wcry-worm-microsoft-decries-exploit-stockpiling-by-governments/
There's no Kill Switch in New Variants: http://www.securityweek.com/patched-wannacry-ransomware-has-no-kill-switch
Technical Aspects of the Worm: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/



WHAT THIS IS ABOUT: Don't panic; this is a quick announcement that today is Patch Tuesday, and to urge folks to patch Microsoft Windows to close a "crazy bad" security hole. Four Admiral Ackbars.

WHO SHOULD READ THIS:
Microsoft Windows 10 Users
Microsoft Windows 8 Users
Microsoft Windows 7 Users are Unaffected
Macintosh Users are Unaffected

WHAT YOU SHOULD DO:
Windows 10:
1. Click on the Windows Icon in the lower left-hand corner of the screen; a menu will pop up.
2. From the menu choose the Gear icon (Settings); a new window with settings should appear.
3. On the left-hand side of the new window should be a column of icons. Click on the shield icon for Windows Defender; the window's contents should change.
4. In the main body of the window, there will be text about the VERSION INFO; look for the ENGINE VERSION:
   + If the Engine Version is 1.1.13704.0 or higher, you're safe (yay).
   + If the Engine Version is lower than 1.1.13704.0, run WINDOWS UPDATE until it is.

ADDITIONAL INFORMATION for the Technically Curious: In addition to the regular monthly updates, this round includes a fix for a Big Security Vulnerability in Windows Defender.
Ars Technica: https://arstechnica.com/information-technology/2017/05/windows-defender-nscript-remote-vulnerability/
"The exploit (officially dubbed CVE-2017-0290) allows a remote attacker to take over a system without any interaction from the system owner: it's simply enough for the attacker to send an e-mail or instant message that is scanned by Windows Defender."
Techspot: http://www.techspot.com/news/69243-microsoft-patches-crazy-bad-remote-attack-vulnerability-found.html
Hot for Security: https://hotforsecurity.bitdefender.com/blog/emergency-patch-released-for-critical-security-hole-in-microsofts-malware-scanner-18013.html
Technical Proof of Concept: https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5



WHAT THIS IS ABOUT: Don't panic, this is an announcement to update Chrome and Firefox to protect yourself from future phishing attempts. There's no threat that I know about (yet), so I'll give this Two Admiral Ackbars.

WHO SHOULD READ THIS: Google Chrome Users. Mozilla Firefox Users. Opera Users. Other web browsers are not affected (that I know of).

WHAT YOU SHOULD DO:
Opera: There is no fix for Opera. Be careful.
Chrome: Go to chrome://help/ and update to Chrome version 58 or higher.
Firefox: This procedure could cause problems if you go to websites whose addresses use non-Latin characters (e.g. German or Chinese sites); sorry, you won't be able to go to www.Spın̈alTap.com after this.
1. Start Firefox.
2. Go to about:config
3. A scary "this might void your warranty" message will appear. Click "I accept the risk!"
4. A new browser screen will appear. At the top will be a SEARCH BOX; type in punycode
5. An item, "network.IDN_show_punycode", should appear; double-click on the word false (on the far right) - this should change false to true.
You've told Firefox to show non-Latin characters as code, which should thwart phishing attempts to misdirect you to rogue websites; continue to browse.

ADDITIONAL INFORMATION for the Technically Curious: The same mechanism that lets your computer display a floral heart dingbat, ❦ -- or accents in words like Spın̈al Tap -- can also be used to make a homograph of a legitimate website: look-alike characters are put into a malicious web page's address (URL) to trick humans into thinking it's the legitimate website.
More on the mechanism, called Punycode, here: https://en.wikipedia.org/wiki/Punycode
Ars Technica article (hat tip to Kate Meyers): https://arstechnica.com/security/2017/04/chrome-firefox-and-opera-users-beware-this-isnt-the-apple-com-you-want/
McAfee's take on Punycode and homographs: https://securingtomorrow.mcafee.com/business/neutralize-threats/chrome-and-firefox-adding-protection-against-this-nasty-phishing-trick/
Phishing with Unicode Domains: https://www.xudongz.com/blog/2017/idn-phishing/
Demonstration site that pretends to be Apple's web site: https://www.xn--80ak6aa92e.com/
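To show what the Firefox setting above actually does, here is an added example (my own Python, not from the announcement or from any browser's code) that undoes the xn-- encoding of a host name, decides whether a label is a look-alike of a Latin name, and then picks the display form the way a cautious browser would: the readable Unicode form for ordinary names, the raw xn-- form for suspicious ones. The table of Cyrillic look-alike letters is a constructed, partial list (a real browser uses Unicode's full confusables data), and the demonstration domain from the link above is the sample input.

```python
"""Decode internationalized host names and flag look-alike (homograph) labels.

Added example for this announcement, not part of it. The look-alike table is a
constructed, partial list of Cyrillic letters that render like Latin letters;
a real browser uses Unicode's full confusables data.
"""
import unicodedata

# Constructed, partial map: Cyrillic letter -> the Latin letter it resembles.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u051d": "w",
}


def decode_label(label: str) -> str:
    """Undo the xn-- (Punycode) encoding of one host-name label."""
    label = label.lower()
    if not label.startswith("xn--"):
        return label
    return label[4:].encode("ascii").decode("punycode")


def encode_label(label: str) -> str:
    """Punycode-encode one label if it contains non-ASCII characters."""
    label = label.lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def scripts_of(text: str) -> set:
    """Crude script detection: the first word of each letter's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def latin_lookalike(label: str):
    """If every letter of the label is a Cyrillic look-alike, return the Latin string it imitates, else None."""
    out = []
    for ch in label:
        if ch in CYRILLIC_LOOKALIKES:
            out.append(CYRILLIC_LOOKALIKES[ch])
        elif ch.isascii() and not ch.isalpha():
            out.append(ch)  # digits and hyphens pass through unchanged
        else:
            return None
    return "".join(out)


def check_hostname(hostname: str) -> dict:
    """Classify a host name and choose the form a cautious browser should display.

    'display' is the Unicode form for an ordinary name, but the raw xn-- form
    for a suspicious one, which is what Firefox shows for every IDN once
    network.IDN_show_punycode is set to true.
    """
    reasons = []
    unicode_labels = []
    for label in hostname.split("."):
        decoded = decode_label(label)
        unicode_labels.append(decoded)
        scripts = scripts_of(decoded)
        if len(scripts) > 1:
            reasons.append(f"{label}: mixes scripts {sorted(scripts)}")
        elif scripts == {"CYRILLIC"}:
            fake = latin_lookalike(decoded)
            if fake is not None:
                reasons.append(f"{label}: whole label imitates the Latin string '{fake}'")
    suspicious = bool(reasons)
    unicode_form = ".".join(unicode_labels)
    punycode_form = ".".join(encode_label(part) for part in unicode_labels)
    return {
        "unicode": unicode_form,
        "display": punycode_form if suspicious else unicode_form,
        "suspicious": suspicious,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # The first name is the demonstration site linked above; the second is a
    # constructed mixed-script label (Cyrillic 'a' followed by Latin 'pple').
    for name in ("apple.com", "xn--80ak6aa92e.com", "xn--pple-43d.com"):
        print(name, "->", check_hostname(name))
```

Two kinds of trickery are caught: a label that mixes scripts (one Cyrillic letter dropped into an otherwise Latin word) and a label written entirely in look-alike letters, which is the harder case and the one the demonstration site uses, since a same-script label passes the naive "no mixing" rule.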



WHAT THIS IS ABOUT: Don't panic. This is a PSA about Internet privacy after the rollback of FCC privacy opt-out rules.

WHO SHOULD READ THIS: Folks wondering about their Internet privacy.

WHAT YOU SHOULD DO: Realize that anything you do on the Internet leaves a trail.
You may wish to read this guide from WIRED on going invisible on the Internet: https://www.wired.com/2017/02/famed-hacker-kevin-mitnick-shows-go-invisible-online/
You may wish to learn about the Tor network: https://www.torproject.org/about/overview.html.en
You may wish to read this Wirecutter guide on Virtual Private Networks (VPNs): http://thewirecutter.com/blog/vpns-are-for-most-people/

ADDITIONAL INFORMATION for the Technically Curious: You know how Google keeps a record of how you search and Facebook keeps a record of things you like so that both companies can make little ads pop up on your computer screen? Your local Internet Service Provider (ISP) wants to do the same thing. The rollback of FCC privacy opt-out rules doesn't mean that someone can search your name or address and get your browsing habits. What it does mean is that your local ISP can sell information about which machines (i.e. their operating systems, their MAC address, their browser, their physical area, the computer's name, etc.) at which internet protocol (IP) address visited which web sites (e.g., http://english.uoregon.edu). While an ISP isn't selling your name along with this information, if a company already has your name (because you signed in and created an account), it's likely they can attach it to your computer's MAC address. While you are on the campus Ethernet, or using the UOwireless or UO Secure Wi-Fi, the UO is your Internet Service Provider (ISP).

PC World Overview: http://www.pcworld.com/article/3184410/security/senate-votes-to-kill-fccs-broadband-privacy-rules.html
More In-depth Overview from Ars Technica: https://arstechnica.com/information-technology/2017/03/how-isps-can-sell-your-web-history-and-how-to-stop-them/
Other Overviews:
https://arstechnica.com/tech-policy/2017/03/for-sale-your-private-browsing-history/
https://www.washingtonpost.com/news/the-switch/wp/2017/03/28/the-house-just-voted-to-wipe-out-the-fccs-landmark-internet-privacy-protections/
https://www.nytimes.com/2017/03/29/opinion/how-the-republicans-sold-your-privacy-to-internet-providers.html
How the Internet Works (long): https://arstechnica.co.uk/information-technology/2016/05/how-the-internet-works-submarine-cables-data-centres-last-mile/
…and where the NSA spy hubs are: https://arstechnica.com/information-technology/2017/03/internet-surveillance-map-nsa-gchq/



WHAT THIS IS ABOUT: LastPass -- a password management system that allows you to navigate the labyrinth of password-protected sites you visit with a single password -- has some security issues that could 1) expose users' passwords, or 2) in some cases allow a malicious person to run arbitrary commands. I'm going to give this Two and a Half Admiral Ackbars.

WHO SHOULD READ THIS: Folks who use LastPass. Folks interested in password managers. People without LastPass are unaffected (but may see an uptick in Phishing e-mails attempting to take advantage of the flaw).

WHAT YOU SHOULD DO:
+ Windows Desktop and Laptop users: The arbitrary command execution appears to only work on the Windows desktop. Windows users should double-click the LastPass icon, choose More Options -> About LastPass, and disable "Binary Component." Some more information about the binary plugin here: https://lastpass.com/support.php?cmd=showfaq&id=3206
+ All users: From https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/
Steps LastPass users can take to further protect themselves from these types of client-side issues:
  o Use the LastPass Vault as a launch pad – Launch sites directly from the LastPass vault. This is the safest way to access your credentials and sites until this vulnerability is resolved. (Help here: https://helpdesk.lastpass.com/your-lastpass-vault/ )
  o Two-Factor Authentication on any service that offers it – Whenever possible, turn on two-factor authentication with your accounts; many websites now offer this option for added security.
  o Beware of Phishing Attacks – Always be vigilant to avoid phishing attempts. Do not click on links from people you don't know, or that seem out of character from your trusted contacts and companies. Take a look at our phishing primer (https://blog.lastpass.com/2016/01/staying-safe-from-phishing-attacks.html/ ).

Here's a quick intro to the LastPass Vault: https://helpdesk.lastpass.com/your-lastpass-vault/
Here's a quick intro to Two-Factor Authentication: https://nakedsecurity.sophos.com/2016/06/27/two-factor-authentication-2fa-why-you-should-care/

ADDITIONAL INFORMATION for the Technically Curious:
Arbitrary Commands Proof of Concept:
https://lock.cmpxchg8b.com/SaiGhij5/lastpass.html (overview)
https://bugs.chromium.org/p/project-zero/issues/detail?id=1209 (technical discussion)

From https://arstechnica.com/security/2017/03/potent-lastpass-exploit-underscores-the-dark-side-of-password-managers/
Ultimately, password managers likely make the average user safer because they make it possible to use long, complex, and unique passwords. And that protects people in the event that their password is exposed in website breaches, which are much more common than real-world password manager exploits.

LastPass is working on it: https://nakedsecurity.sophos.com/2017/03/27/lastpass-steps-up-quickly-to-fix-vulnerabilities-spotted-by-researchers/



WHAT THIS IS ABOUT: Evil people are sending phishing e-mails to UO folks. Again. Three Admiral Ackbars.

WHO SHOULD READ THIS: Everyone who uses e-mail.

WHAT YOU SHOULD DO: If you received a message (see below) from D Dugan, saying your account was accessed from an unrecognized device, delete it unread. It is really a phishing attempt, trying to get your personal information. Extra Internet Citizen Points for forwarding it to phishing@uoregon.edu.

ADDITIONAL INFORMATION for the Technically Curious:
First, some legitimate links for checking various services:
UO Webmail: https://webmail.uoregon.edu/
Gmail Security Tips: https://support.google.com/mail/answer/7036019?visit_id=1-636251907492419486-2456929806&rd=2
Apps with access to your Google Account: https://myaccount.google.com/permissions?pli=1
Compromised Twitter Account? https://support.twitter.com/articles/31796
A general guide: https://nakedsecurity.sophos.com/2017/03/15/latest-phishing-tactics-infected-pdfs-bogus-friend-requests-fake-hr-emails/
https://it.uoregon.edu/phishing
http://security.uoregon.edu/node/37.html
How to see and copy full e-mail headers: https://it.uoregon.edu/full-email-headers

A break-down of the original message follows (the message's own lines are indented; my comments follow each part):

-------- Original Message --------
    Subject: Unrecognized sign in
    Date: 2017/03/14 13:57
    From: D Dugan
The first red flag is that this message says it is from Daniel Dugan, at wayne.edu. If this were a real security message, it would be from one of the network security folks at the UO. Or possibly Google, or from a service you actually subscribe to.

    To: [ EITHER A FAIRLY COOL LOOKING AND IMPRESSIVE IMAGE OR ELSE A HIDDEN PIXEL HOSTED ON A REMOTE SERVER ]
I've got images blocked by default on my e-mail client, so I haven't actually seen the image. It's possible this is supposed to look like some business header, in which case you're supposed to believe this is a valid message. It's also possible that the image is a web beacon -- since it lives on a remote server somewhere, the Evil Ones can see who opened it and get information like the recipient's IP address, the recipient's e-mail client, and likely the type of computer they're using.

    This is to notify you that our system has detected several attempts to access your email account account from an unrecognized device.
Sharp-eyed readers will catch the "account account" slip, which isn't a good sign that this is a legitimate message.

    New login from Chrome on Windows
    Tuesday, March 14th, 2017 at 1:22 AM
    Manassas, Virginia, United States*
The above is an attempt to establish legitimacy with a meaningless and vague display of technology. "New login from Chrome on Windows" is supposed to make you worried that someone logged into your account... but wait, WHICH account is being logged into again? Apparently it's an account that one can use Chrome (a web browser) to log into, so presumably the bogus alert is about a web-based service. The bogus break-in was done from a Windows machine, which lends credibility to the alert if one is a Macintosh user (those evil Windows users). This is followed by a time stamp (what time zone was that in?) and a (probably bogus) IP address (which doesn't show up with InterNIC's WHOIS utility).

    If you don't recognize this activity, we strongly recommend you Review [link to evil akotourDOTcomSLASHwp-adminSLASHuoregonSLASH] your account to save your current IP in our database. Otherwise, you can disregard this message
Of course you won't recognize this activity -- it's made up. Saving your current location on the internet in their database will do nothing to help a breached account's password, but the author of this phishing attempt is hoping you won't stop to realize that (until it's too late).

    Why are we sending this? We didn't recognize the browser or device you used to log into your email account. This could be the result of accessing your account from a new or public computer or changing your browser settings, but it could also be a sign of unauthorized account activity.
Follow-up "trust us" verbiage to establish the author's legitimacy. This is fairly slick on the author's part; it is true that some services will send a "hey, is this you?" message if a new browser or IP address connects to them.

    Protect yourself from phishing emails
More "trust us" verbiage. This can't be a phishing email because it's warning us about phishing emails (whew, I feel so safe). File this one under the "Only the true Messiah denies his divinity" file.

    We will never ask for your password in an email. If you don't trust a link in an email, go directly to the normal login page at Here [identical evil link redacted]
"No, really; you can trust us. Here, follow this blind link here. It's safe...." Um, what service are you warning us has supposedly been breached, again? If this were a real message, it would say something like, "log into webmail.uoregon.edu to check your security settings."

    Copyright 2016 Do not reply as this is an automated message.
Ooh. A Copyright. This is the best copyright I've ever seen.
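The red flags called out in the break-down above (a sender domain that isn't a service you use, a "Review" link on a foreign host that hides the institution's name in its path, a remote image that can act as a web beacon, and the "account account" slip) can be checked mechanically. The following is an added example written for this page, not something from the announcement or from the UO Techdesk: it parses a raw message with Python's standard email module and reports each flag it finds. The sample message is a constructed imitation of the phish, with placeholder addresses (example.org, lookalike.invalid) standing in for the real ones, and the lists of trusted sender domains and link hosts are assumptions for a department like this one.

```python
"""Report phishing red flags in a raw e-mail message.

Added example, not part of the original announcement. SAMPLE below is a
constructed imitation of the dissected phish; every host in it is a placeholder.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains that legitimately send account-security mail to this department.
TRUSTED_SENDER_DOMAINS = {"uoregon.edu", "google.com"}
# Assumed: hosts a genuine "review your account" link should point at.
TRUSTED_LINK_HOSTS = {"webmail.uoregon.edu", "myaccount.google.com"}
INSTITUTION = "uoregon"  # name phishers like to tuck into a foreign URL's path

# Constructed sample modelled on the message dissected above (placeholder hosts).
SAMPLE = """\
From: D Dugan <ddugan@example.org>
To: someone@uoregon.edu
Subject: Unrecognized sign in
Date: Tue, 14 Mar 2017 13:57:00 -0700
Content-Type: text/html; charset=utf-8

<html><body>
<img src="http://tracker.lookalike.invalid/pixel.gif" width="1" height="1">
<p>This is to notify you that our system has detected several attempts to
access your email account account from an unrecognized device.</p>
<p>If you don't recognize this activity, we strongly recommend you
<a href="http://lookalike.invalid/wp-admin/uoregon/">Review</a> your account.</p>
<p>We will never ask for your password in an email.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect <a href> targets and remote <img src> URLs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and (attrs.get("src") or "").startswith(("http://", "https://")):
            self.images.append(attrs["src"])


def _registrable(host: str) -> str:
    """Last two labels of a host ('mail.uoregon.edu' -> 'uoregon.edu'); a crude stand-in for public-suffix logic."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_flags(raw: str) -> list:
    """Return the list of red flags found in a raw RFC 822 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Who claims to be writing? Security mail should come from a service we actually use.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if _registrable(sender_domain) not in TRUSTED_SENDER_DOMAINS:
        findings.append(f"sender domain {sender_domain!r} is not a service we use")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(text)

    # 2. Where do the links really go? A foreign host with '/uoregon/' in the path is the classic lure.
    for url in collector.links:
        parts = urlparse(url)
        host = (parts.hostname or "").lower()
        if host not in TRUSTED_LINK_HOSTS:
            findings.append(f"link points at untrusted host {host!r}")
        if INSTITUTION in parts.path.lower() and INSTITUTION not in host:
            findings.append(f"link hides the institution name in its path: {url}")

    # 3. Remote images report back who opened the mail (web beacon).
    for src in collector.images:
        findings.append(f"remote image (possible web beacon): {src}")

    # 4. Sloppy, bulk-generated text: a repeated word such as 'account account'.
    if re.search(r"\b(\w+)\s+\1\b", text, re.IGNORECASE):
        findings.append("repeated word (e.g. 'account account'): sloppy, likely bulk-generated text")
    return findings


if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE):
        print("-", flag)
```

The checks are deliberately simple string and URL comparisons against an allowlist; the point is that the visible "From" name, the link text, and the reassuring copy carry no weight, while the sender's domain and the link's host, which the mail client can show you via the full headers linked above, are what to compare.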



WHAT THIS IS ABOUT: The English Department is being spammed with scam tutor requests (message included below). This is a trick (which John rates at Three Admiral Ackbars) to get your banking information and money.

WHO SHOULD READ THIS: Everyone who reads e-mail.

WHAT YOU SHOULD DO: If you receive a vaguely worded e-mail from Chris Rolando, a.k.a. Mr. Christopher, requesting a tutor, the safest thing to do would be to delete the message. If you're feeling like you'd like to be helpful, you could forward the message to the University Teaching and Learning Center (TLC), at tlc@uoregon.edu.

ADDITIONAL INFORMATION: How this scam usually plays out:
1) Scammer requests a tutor for a non-existent child.
2) Friendly tutor replies and sets up a session.
3) Scammer over-pays, then requests money back.
4) Insert bank shenanigans here, resulting in the tutor's lost money.
https://www.berkeleyparentsnetwork.org/recommend/tutors/scam
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2012-09-04
http://consumerist.com/2009/06/stay-away-from-the-nigerian-tutoring-scam.html

========================
[scam message text]:
Subject: tutor
Date: 2017/03/10 06:08
From: chris rolando

Hello, My name is Chris. I came across your e-mail on the University of Oregon, Department of English Directory. I would like to hire you as a private tutor for my daughter. Let me know if you would be available for the tutorial job. If yes, then i will subsequently provide you with more details of my daughter. Please also let me know your fee, area of specialization, preferred location for the lessons and policy with regard to cancellations and make-up lessons if you are available. I hope to hear from you soon. Regards, Mr. Christopher



WHAT THIS IS ABOUT: Don't panic. This is a PSA about UO Wireless Networking: The connection configuration software and interface is being updated March 14. [Editor's note: since this is a maintenance issue and not a threat, in lieu of Admiral Ackbars, I'd give it an R2-D2.]

WHO SHOULD READ THIS: Folks who use the Wireless Networks, UOSecure and Eduroam.

WHAT YOU SHOULD DO: Beware the Ides of March and give yourself a little extra time to connect on Tuesday the 14th on the off chance the new wireless utility breaks connectivity. You can preview what the utility will look like here: https://it.uoregon.edu/node/5331. The wireless update shouldn't affect Ethernet connections (knock on wood), and in the event that wireless connectivity breaks, wired Ethernet should be a viable back-up.

ADDITIONAL INFORMATION for the Technically Curious:
E-mail message from the DEPTCOMP list:

From: deptcomp-bounces@lists.uoregon.edu [mailto:deptcomp-bounces@lists.uoregon.edu] On Behalf Of Technology Service Desk
Sent: Thursday, March 02, 2017 11:44 AM
To: Departmental Computing
Subject: deptcomp: New look & feel at wireless.uoregon.edu starting March 14

On Tuesday, March 14, at 8am, Information Services will be updating wireless.uoregon.edu. Specifically, IS will be releasing a new auto-configuration tool for UO Secure and Eduroam. As you may know, the tool automatically configures devices to connect to those two networks for users who experience trouble joining them. The current utility is out of date and requires replacement.

The new auto-config tool is intuitive to use, but has a different look and feel. You can preview it at https://it.uoregon.edu/node/5331.

The existing utility at wireless.uoregon.edu will continue to be available until the switchover at 8am on March 14. In fact, you may continue to see the old tool for a few more days, until the new DNS information is propagated across DNS servers on the web. To see the new tool sooner, clear your DNS cache.

If you have any questions, please contact the Technology Service Desk (techdesk@uoregon.edu; 541-346-4357).

UO Technology Service Desk
Information Services
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk



WHAT THIS IS ABOUT: Cloudflare, a cloud service for services such as Uber and OKCupid, has been leaking information - possibly private information - from September 2016 to February 2017, which was then stored in Google caches. Three Admiral Ackbars - it's probable The Bad Guys didn't know about this, tech folks are scrubbing Google archives, and information was haphazardly leaked. [EDITOR'S NOTE: as of 3/2/17, Cloudflare says they haven't found any active exploitation of this memory leak.]

WHO SHOULD READ THIS: Folks with Uber or OKCupid or Grindr or Yelp accounts. Folks using Dropbox apps on their mobile devices. Folks with FitBit accounts. Folks who use the same password for all computer accounts.

WHAT YOU SHOULD DO:
Short form: Change all your passwords.
Long form: Be sure to practice good password hygiene by having a different password for every account you have on the internet (I can hear you laughing). Here's one method for generating passwords: http://gizmodo.com/create-an-ultra-secure-easy-to-remember-passphrase-usi-1694021321 Where possible, use two-factor authentication (2FA) to make your internet-based services more secure.

If you have an Uber, OKCupid, or FitBit account, change the password with these services. UO webmail, Gmail, Facebook, Twitter, and Snapchat appear to not be affected. If you have an account with another service, go to this site https://cloudbleedcheck.com/ and type in a domain (e.g. snapchat.com or fitbit.com) to see if that service has been affected by the Cloudflare leak. Check the list of iOS apps here: https://www.nowsecure.com/blog/2017/02/23/cloudflare-cloudbleed-bugs-impact-mobile-apps/ to be sure some obscure app is not affected by the data leak. Some services, such as Dropbox, may not be directly affected (and therefore don't show up on the cloudbleedcheck site above), but use mobile apps which are. If one of the apps on your smart phone or iPhone or mobile device is listed, be sure to change the password for that service.
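For the Technically Curious who want to see what the linked passphrase method amounts to: the following is an added example, not part of the original announcement or of the linked article. It generates a Diceware-style passphrase (random words drawn from a list) and works out how many words you need for a given strength. The word list here is a small constructed sample; the real Diceware list has 7776 words, one per roll of five dice, and the functions take the list size as a parameter so the arithmetic is right for either.

```python
# Added example (not from the original announcement): Diceware-style
# passphrase generation with the 'secrets' module, plus the entropy math
# that tells you how many words you need. The word list below is a small
# constructed sample; a real Diceware list has 7776 words (one per roll
# of five dice), and the functions take the list size as a parameter.
import math
import secrets

# Constructed sample word list (assumption: a real deployment loads the
# full 7776-word list from a file).
WORDLIST = [
    "apple", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yellow", "zipper",
]
DICEWARE_LIST_SIZE = 7776


def passphrase_entropy_bits(num_words, list_size):
    """Entropy (bits) of num_words words drawn uniformly, with replacement,
    from a list of list_size words: each word contributes log2(list_size)."""
    return num_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest number of words whose combined entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(num_words, wordlist=WORDLIST, sep=" "):
    """Draw num_words words with secrets.choice (a CSPRNG; never use the
    'random' module for this) and join them with sep."""
    if num_words < 1:
        raise ValueError("a passphrase needs at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    n = words_needed(77, DICEWARE_LIST_SIZE)
    bits = passphrase_entropy_bits(n, DICEWARE_LIST_SIZE)
    print(f"{n} Diceware words give about {bits:.1f} bits of entropy")
    print("sample from the toy list:", generate_passphrase(5))
```

The point of the arithmetic: strength comes from the number of words and the size of the list, not from how odd the words look, so a six-word passphrase from the full Diceware list is much stronger than a five-word one from this toy list even though both are "random".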
ADDITIONAL INFORMATION for the Technically Curious: A web-based memory leak is when a computer serving web pages leaks more information than is wanted. Let's say you've got a measuring cup (the web page) and you fill it from a faucet (the web server), but you get a cup-and-a-half of water out of the faucet; the extra half-cup (the leaked data which may or may not be your password) is outside the cup on the counter (the Google cache, where anyone can read it). In this case, the problem was that Cloudflare's software was sending extra data because of a programming error -- which has been fixed. Now everyone's scrambling to clean up the spilled data.

The Information Services Security group is reviewing whether the University of Oregon has a direct business relationship with Cloudflare or any of the affected sites.

Some folks are calling this "Cloudbleed" because of the technical similarity to the Heartbleed bug of 2014: http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-04-09

Official Response from Cloudflare: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

News:
A massive Cloudflare bug means Uber, Fitbit and OKCupid passwords have been leaking for months
http://www.businessinsider.com/r-bug-causes-personal-data-leak-but-no-sign-of-hackers-exploiting-cloudflare-2017-2
CloudFlare Leaked Sensitive Data Across the Internet For Months
http://fortune.com/2017/02/24/cloudflare-leak-bug-sensitive-information/

Technical News:
General overview: https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165
Gizmodo (warning: some strong language): http://gizmodo.com/everything-you-need-to-know-about-cloudbleed-the-lates-1792710616
Cloudbleed's silver lining: the response system worked
https://nakedsecurity.sophos.com/2017/02/27/cloudbleeds-sliver-lining-the-response-system-worked/
Really technical forum: System administrators chatting with each other: https://news.ycombinator.com/item?id=13718752
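A toy model of the "cup-and-a-half" problem, added here as an example and not taken from Cloudflare's code or the original announcement. Several customers' responses sit next to each other in one shared buffer, and a scanner working on one customer's record is supposed to stop at that record's end. The buggy scanner follows the pattern Cloudflare describes in the incident report linked above (the end of the buffer was tested with an exact-equality check, so a position that jumped past the end kept going); the fixed scanner bounds every search by the record's end. All the data is constructed.

```python
# Added example (not Cloudflare's code): a toy model of the "cup and a half"
# memory leak. Several customers' responses sit next to each other in one
# shared buffer, and a scanner for one customer's record is supposed to stop
# at that record's end. scan_unsafe() uses an exact-equality end check and an
# unbounded delimiter search, so it runs on into the neighbour's data;
# scan_safe() shows the fix. All data below is constructed.

# Constructed shared buffer: record A is cut off mid-token (no trailing ';'),
# record B belongs to a different customer and must never be returned.
TENANT_A = b"host=a.example;cookie=session-A;user=ali"
TENANT_B = b"host=b.example;cookie=SECRET-B;"
BUF = TENANT_A + TENANT_B
A_START, A_END = 0, len(TENANT_A)


def scan_unsafe(buf, start, end):
    """BUGGY scanner: splits 'key=value;' tokens but (1) searches for the
    delimiter in the whole buffer instead of stopping at `end`, and (2) only
    stops when pos == end exactly, so once pos overshoots it never stops."""
    tokens = []
    pos = start
    while pos != end:                      # BUG: should be pos < end
        semi = buf.find(b";", pos)         # BUG: search is not bounded by end
        if semi == -1:
            if pos < len(buf):
                tokens.append(buf[pos:])
            break
        tokens.append(buf[pos:semi])
        pos = semi + 1
    return tokens


def scan_safe(buf, start, end):
    """Fixed scanner: the delimiter search is bounded by `end`, a truncated
    final token is clamped to `end`, and the loop condition is pos < end."""
    tokens = []
    pos = start
    while pos < end:
        semi = buf.find(b";", pos, end)    # never look past this record
        if semi == -1:
            tokens.append(buf[pos:end])    # truncated token: clamp, don't run on
            break
        tokens.append(buf[pos:semi])
        pos = semi + 1
    return tokens


def leaks_neighbour(scanner):
    """True if scanning record A with `scanner` returns any of record B."""
    return any(b"SECRET-B" in tok for tok in scanner(BUF, A_START, A_END))


if __name__ == "__main__":
    print("unsafe:", scan_unsafe(BUF, A_START, A_END))
    print("safe:  ", scan_safe(BUF, A_START, A_END))
```

Running it shows the unsafe scanner returning "user=alihost=b.example" and then the neighbour's "cookie=SECRET-B" as if they were part of record A, which is exactly the half-cup on the counter; the safe scanner stops at "user=ali". The lesson for anyone writing a parser over shared memory is that a malformed record must be able to end the scan on its own, which means bounding every search and using a less-than rather than an equality check at the end.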



WHAT THIS IS ABOUT: Someone (apparently from Ireland) pretending to be with the UO Computer Center is sending out fake quota e-mails; these are phishing attempts. I'm giving this 2 Admiral Ackbars for clumsy execution.

WHO SHOULD READ THIS: E-mail users at the UO.

WHAT YOU SHOULD DO: If you receive a message from gerdalyDOTcaraATittraleeDOTie (see message below), delete it unread. It is a phishing attempt. If you want to know what your quota is, see https://duckid.uoregon.edu/quota/

ADDITIONAL INFORMATION for the Technically Curious: A breakdown of the message follows:

Subject: Quota Alert!
A real subject would be something like, Warning, user burridge using 49,500 GB of allocated 50,000 GB

Date: 2017-02-13 12:40 PM

From: UOREGON Webmail Admin gerdalyDOTcaraATittraleeDOTie
A real sender would have a uoregon.edu e-mail address. Apparently, the .ie domain is Ireland.

To: li@s.com
The real recipient should be your regular e-mail address; this address indicates e-mail header spoofing is happening.

Dear User,
I have a name, and the Computer Center knows what it is. It would be trivial for them to send me a personalized e-mail.

Mail system found out that you have used up your quota space.Your mailbox size has reached 997.70MB, which is over 99% of your 1G quota.
Who or what is this "Mail system" (pause to ponder the effects of the patriarchy)? This is really an irrelevant sentence, because it doesn't matter who or what made the supposed discovery; this is an attempt on the sender's part to establish authority to trick you into complying with requests. Also, it's customary to include a space after a period. "Your mailbox size" is an attempt to impress with numbers and establish the writer's authority.

To avoid exceeding your quota.Click here [link to Earthlink redacted] to expand your inbox for incoming messages immediately.
Here's the request to follow a blind link to what is undoubtedly a Web Page of Evil. Anyone who has been with the UO long enough will start laughing now at the idea that a simple, one-click utility to expand your e-mail quota immediately (and possibly perpetually) exists. Nullum gratuitum prandium.

Our mail server is gradually filling up and we need to free up some space.
This is an appeal to the reader's altruism. Harden your hearts with the knowledge that as long as there have been e-mail servers, they've always been too small to accommodate users' desires to use e-mail as a personal journal.

Thanks. Help Desk.
If this had been a real message from the UO Help Desk, there would have been some Duckalicious graphic here, along with detailed contact information for reaching the UO help desk.

This e-mail is subject to the following disclaimer(s) - Ta an r-phost seo fe reir an tseanta/na seanta seo leanas ata le fail ag - available at http://REDACTED/EmailDisclaimer.html
Huh. A disclaimer. (Checks Google) In ?Irish? I suppose it makes this message seem more official. At least it's not a copyright notice.
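For the Technically Curious who would rather let a script do the first pass of the breakdown above: the following is an added example, not part of the original announcement. It takes the raw source of a message (what you see when you view full headers) and checks the things the breakdown points at: the sender's domain, whether your own address is in the To: header, a generic salutation, and links that lead off campus. The sample message is constructed to mirror the quota e-mail; the sender and link domains are placeholders (example.ie, example.net), and the set of legitimate domains is an assumption.

```python
# Added example (not from the original announcement): a small triage script
# that applies the phishing breakdown to raw e-mail source. The sample
# messages are constructed; sender and link domains are placeholders and
# ORG_DOMAINS is an assumption about where real notices come from.
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

ORG_DOMAINS = {"uoregon.edu"}          # assumption: where real notices come from
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
GENERIC_SALUTATIONS = ("dear user", "dear customer", "dear account holder")


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_org_domain(host):
    """True for the org's domain or any subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)


def triage(raw_message, my_address):
    """Return a list of phishing indicators found in a raw RFC 822 message
    (single-part text/plain assumed). An empty list means nothing tripped."""
    msg = message_from_string(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(from_addr)
    if not is_org_domain(sender_domain):
        findings.append(f"sender domain '{sender_domain or '(none)'}' is not an org domain")

    to_addrs = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if my_address.lower() not in to_addrs:
        findings.append("your address is not in To: (header spoofing / bulk send)")

    body = msg.get_payload()
    if body.lstrip().lower().startswith(GENERIC_SALUTATIONS):
        findings.append("generic salutation instead of your name")

    for host in URL_HOST_RE.findall(body):
        if not is_org_domain(host):
            findings.append(f"link points to external host '{host}'")
    return findings


# Constructed sample modelled on the quota message (placeholder domains).
PHISH = """\
From: UOREGON Webmail Admin <webmail-admin@example.ie>
To: li@s.com
Subject: Quota Alert!
Date: Mon, 13 Feb 2017 12:40:00 -0800

Dear User,
Mail system found out that you have used up your quota space.Your mailbox
size has reached 997.70MB, which is over 99% of your 1G quota.
To avoid exceeding your quota.Click here http://expand-quota.example.net/inbox
to expand your inbox for incoming messages immediately.
Thanks. Help Desk.
"""

# Constructed sample of what a real notice might look like.
LEGIT = """\
From: UO Help Desk <techdesk@uoregon.edu>
To: burridge@uoregon.edu
Subject: Warning, user burridge using 49,500 GB of allocated 50,000 GB

Dear John,
Your mailbox is near its quota. Check it at https://duckid.uoregon.edu/quota/
"""

if __name__ == "__main__":
    for finding in triage(PHISH, "burridge@uoregon.edu"):
        print("-", finding)
```

Any one of these indicators on its own is weak (plenty of real mail is sent to a list, and plenty of real notices link to vendor sites), so treat the output as a prompt to look harder, not as a verdict; the fake quota message trips all four, while the constructed real notice trips none.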


At least two people have fallen for Monday afternoon's phishing scam (and were brave enough to let me know).

From http://security.uoregon.edu/node/37.html#phished

What to do if you responded to a phishing scam:

If you provided your account credentials in response to a phishing scam, please immediately change your account password for the affected account and any other account that uses the same, or a similar password. If the scam involves UO credentials such as your 'DuckID', please e-mail phishing@uoregon.edu. If you took other action in response to the phishing e-mail, such as opening an attachment, or downloading a file, please include this information in your e-mail to phishing@uoregon.edu. Be sure to include the full headers of the phishing e-mail when reporting the incident. If you are not familiar with how to view the full headers of an e-mail, please consult the following site:

Information on e-mail full headers can be found here: http://it.uoregon.edu/full-email-headers



WHAT THIS IS ABOUT: Don't panic. This is a PSA. HP is extending its recall of HP Laptop Batteries. Since the batteries could melt or char during use ("It's a trap!"), I'm giving this 3.5 Admiral Ackbars.

WHO SHOULD READ THIS: Owners of HP Laptops. All other computer users are not affected.

WHAT YOU SHOULD DO: If you own an HP laptop purchased between March 2013 and October 2016, take a look at the battery's serial number. Batteries included in the expanded recall have barcodes starting with 6BZLU, 6CGFK, 6CGFQ, 6CZMB, 6DEMA, 6DEMH, 6DGAL and 6EBVA. If your battery is being recalled,
+ stop using the battery,
+ contact HP here: https://h30686.www3.hp.com/ for a replacement,
+ only use the laptop when it's powered by an electrical outlet.

ADDITIONAL INFORMATION: http://www.techspot.com/news/67899-hp-recalls-additional-101000-laptop-batteries-over-fire.html



WHAT THIS IS ABOUT: Don't Panic. Maintenance on the UO Secure Network may make some computers ask about a new security certificate Friday Morning, Dec 2. Not really a threat, so this doesn't rank any Admiral Ackbars; since it's maintenance, I'll give it an R2-D2.

WHO SHOULD READ THIS: Off-campus users who use VPN to connect to the UO network. On-campus users who use VPN to connect to secured services like Banner. Non-VPN users are not affected.

WHAT YOU SHOULD DO: This Friday morning, Virtual Private Network (VPN) users will be asked to accept a brand new security certificate the first time they connect to the UO's VPN. This is expected, first-time behavior. After accepting the new certificate, proceed with whatever work you intended to do. Users of the VPN may wish to either finish tasks requiring the secure network Thursday evening, or else give themselves a little extra time Friday to navigate any unforeseen network difficulties.

ADDITIONAL INFORMATION: The original network services message follows:

-----Original Message-----
From: uonet-outages-bounces@network-services.uoregon.edu [mailto:uonet-outages-bounces@network-services.uoregon.edu] On Behalf Of Chris Trown via RT
Sent: Wednesday, November 30, 2016 9:42 AM
Cc: uonet-outages@network-services.uoregon.edu
Subject: [Uonet-outages] [ithelp #1220483] uovpn - Maintenance

SUBJECT: uovpn - Maintenance
AFFECTED:
STATUS: Planned - Pending CAB approval
START TIME: 12/02/2016 05:30 AM
END TIME: 12/02/2016 06:00 AM
DESCRIPTION: During this maintenance, the SSL certificate on uovpn will be replaced.
UPDATE:
TIMESTAMP: 11/30/2016 09:37:49 AM

If you would like more details about this issue, please feel free to contact us via email to nethelp@ithelp.uoregon.edu or by calling us at +1.541.346.NETS (6387) and select option 2.

Thank you,
--
UO Network & Telecom Services
Email: nethelp@ithelp.uoregon.edu
URL: http://nts.uoregon.edu
Voice: +1.541.346.NETS (6387)
Archive: http://nts.uoregon.edu/pipermail/uonet-outages
_______________________________________________
Uonet-outages mailing list
Uonet-outages@ns.uoregon.edu
http://ns.uoregon.edu/mailman/listinfo/uonet-outages



WHAT THIS IS ABOUT: Apple has released some operating system updates for both its mobile platforms (iPhones, iPads, iPods) and its desktop (iMac) and laptop models (MacBooks). These close up some serious security holes, the scariest being the CoreGraphics (CVE-2016-4673) iOS security flaw which can allow an iPhone or iPad to be taken over if it views a maliciously crafted JPEG file. Four Admiral Ackbars.

WHO SHOULD READ THIS: Users of Apple Devices: iPads, iMacs, iPhones, and other i-Things. Windows users are not affected.

WHAT YOU SHOULD DO:
+ iPad, iPod, and iPhone users: Update your device to iOS 10.1 https://support.apple.com/en-us/HT204204 If you have an older device (John ruefully looks at his iPad), you may be stuck at iOS 9.3.5; everything I'm seeing indicates older devices won't be patched and will remain vulnerable to the JPEG exploit (thanks, Apple, my iPad's not _that_ old).
+ iMac and MacBook users: Update your MacOS with the latest security patches: Apple Menu > About This Mac > Software Upgrade. You may be prompted to install macOS 10.12 (Sierra); if you aren't a Banner user and you have about 90 minutes to install an upgrade, you may do so. Otherwise, OS 10.11.7 (El Capitan) should be fine. You can check to see if Sierra will run here: http://www.apple.com/macos/how-to-upgrade/ Upgrading to Sierra typically breaks McAfee, which requires a re-install. You can reinstall it from here (UO login required): https://it.uoregon.edu/system/files/software/2045/UO_McAfeeVirusScan_9.7.dmg

ADDITIONAL INFORMATION:
Apple's Announcements:
General Security page: https://support.apple.com/en-us/HT201222
iOS 10.1: https://support.apple.com/en-gb/HT207271
macOS: https://support.apple.com/en-gb/HT207275

The technical press responds:
https://www.grahamcluley.com/boobytrapped-jpeg-infect-iphone-upgrade-ios-10-1/
https://nakedsecurity.sophos.com/2016/10/25/apple-ios-users-taste-android-anxiety-with-nasty-coregraphics-image-flaw/
http://www.theregister.co.uk/2016/10/24/apple_security_update/



WHAT THIS IS ABOUT: Early Friday morning, a distributed denial of service (DDoS) attack knocked major sites off of the internet. Mostly the Eastern Seaboard was affected. As of this writing, service has been restored. Two Admiral Ackbars for past inconvenience and future anxiety.

WHO SHOULD READ THIS: Folks who might have sent e-mail to other folks on the East Coast. Internet Users. Folks with a lot of Internet-aware things.

WHAT YOU SHOULD DO: Civic-minded Internet users may wish to review the security of their wifi internet-enabled devices (home wireless routers, wifi-enabled stereos or TVs, etc.) to tighten security. Doing so will deprive The Evil Ones of their botnet army slaves. If you're having difficulties connecting to various Internet sites, an "is this site down?" site may be useful: http://www.downforeveryoneorjustme.com/ Google specific: https://www.google.com/appsstatus#hl=en&v=status

ADDITIONAL INFORMATION:
DNS: Domain Name Server. This is a device that translates www.twitter.com into an internet protocol address number.
DoS Attack: Denial of Service Attack. When someone sends so many requests to a computer or router that it bogs down and is unable to provide service to legitimate users.
DDoS Attack: Distributed Denial of Service Attack. Imagine you're in your office. Imagine everyone on campus decides to call your telephone at the same time. You might try blocking nuisance callers, but there are so many other callers that this doesn't work and you end up with an unusable phone (for those of us over 40: remember calling your favorite radio station to try to be "caller number nine" and win a give-away? Remember how the busy signal was extra fast?)

The status page of DYN, the internet service provider affected: https://www.dynstatus.com/incidents/nlr4yrr162t8

The technical press goes wild:
https://www.hotforsecurity.com/blog/ddos-attack-against-dns-provider-knocks-major-sites-offline-16977.html
http://www.pcworld.com/article/3133847/internet/ddos-attack-on-dyn-knocks-spotify-twitter-github-etsy-and-more-offline.html
http://www.securityweek.com/twitter-others-disrupted-ddos-attack-dyn-dns-service
http://arstechnica.com/security/2016/10/dos-attack-on-major-dns-provider-brings-internet-to-morning-crawl/

A concern is that an increase in distributed denial of service attacks' frequency and severity is on the horizon, or that these DDoS attacks are rehearsals for bringing the whole internet down. Related reading: https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html
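For the Technically Curious, here is the telephone analogy above turned into a small simulation. This is an added example, not part of the original announcement. A server can answer a fixed number of requests per second and blocks any single caller who exceeds a per-caller limit; against one flooding source that works, against a botnet of many sources that each stay under the limit it does not, and legitimate users get the busy signal. The capacity, the limit and the request lists are all constructed for illustration.

```python
# Added example (not from the original announcement): a simulation of the
# telephone analogy. A server answers at most SERVER_CAPACITY requests per
# second and blocks any single caller that exceeds PER_SOURCE_LIMIT. Against
# one flooding source that defence works; against a botnet of many sources,
# each staying under the per-source limit, it does not. The limits and the
# request lists are constructed for illustration.
from collections import Counter

SERVER_CAPACITY = 1000    # assumption: requests the server can answer per second
PER_SOURCE_LIMIT = 20     # assumption: per-caller requests/second before blocking


def serve_one_second(requests, capacity=SERVER_CAPACITY, per_source=PER_SOURCE_LIMIT):
    """requests: list of (source_id, is_legit) arriving within one second, in
    order. Returns counts of what happened to legitimate and attack traffic:
    '<kind>_served' (answered), '<kind>_blocked' (caller exceeded the
    per-source limit) and '<kind>_refused' (caller was within its limit but
    capacity was already exhausted, i.e. the busy signal)."""
    per_caller = Counter()
    served = 0
    stats = Counter()
    for source, is_legit in requests:
        kind = "legit" if is_legit else "attack"
        per_caller[source] += 1
        if per_caller[source] > per_source:
            stats[f"{kind}_blocked"] += 1     # nuisance caller blocked
        elif served >= capacity:
            stats[f"{kind}_refused"] += 1     # busy signal
        else:
            served += 1
            stats[f"{kind}_served"] += 1
    return dict(stats)


def single_source_flood():
    """One attacker sends 5000 requests, then 50 legitimate users send 2 each."""
    attack = [("attacker", False)] * 5000
    legit = [(f"user-{u}", True) for _ in range(2) for u in range(50)]
    return serve_one_second(attack + legit)


def distributed_flood():
    """500 bots send 10 requests each (all under the per-source limit),
    interleaved with 100 legitimate users sending 2 each."""
    attack = [(f"bot-{b}", False) for _ in range(10) for b in range(500)]
    legit = [(f"user-{u}", True) for _ in range(2) for u in range(100)]
    merged = []
    for i, legit_req in enumerate(legit):       # one legit request per 25 bot requests
        merged.extend(attack[i * 25:(i + 1) * 25])
        merged.append(legit_req)
    return serve_one_second(merged)


if __name__ == "__main__":
    print("single source:", single_source_flood())
    print("distributed:  ", distributed_flood())
```

In the single-source case the attacker gets 20 requests through and 4980 blocked, and every legitimate request is answered; in the distributed case nobody is blocked at all, the first thousand requests fill the server and most legitimate users are refused. That is why the advice above is about securing your own gadgets: the only way to shrink a botnet is to deny it the devices it is built from.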



WHAT THIS IS ABOUT: Don't panic. There's a bug in the brand new version of the Macintosh Operating system that makes it incompatible with Banner. One Admiral Ackbar for inconvenience.

WHO SHOULD READ THIS: Folks using Mac OS 10.12 (Sierra). Folks who use Banner. Non-Banner users are not affected. Folks using Mac OS 10.11 (El Capitan) or older are not affected. Windows users are not affected.

WHAT YOU SHOULD DO: If you need to use Banner and your main machine is a Macintosh, hold off on updating to OS 10.12 (Sierra). If it's Too Late, or you have a Brand New Machine with Sierra pre-installed, the only recourse is to get access to another machine or operating system (I personally think it's easier to find another machine than to use Parallels or Boot Camp) that can run Banner until Apple/Oracle can fix the issue.

ADDITIONAL INFORMATION: See the e-mail from the Tech Desk below:

-----Original Message-----
From: banner-status-bounces@lists.uoregon.edu [mailto:banner-status-bounces@lists.uoregon.edu] On Behalf Of Technology Service Desk
Sent: Wednesday, October 19, 2016 2:01 PM
To: banner-status@lists.uoregon.edu
Subject: banner-status: Banner incompatibility with macOS Sierra

There is an incompatibility between Banner and macOS Sierra (10.12). If someone tries to use Banner on a Mac and they press Shift, Caps Lock, Command, or other modifier keys, an error message appears and prevents further use of Banner. We recommend waiting to install macOS Sierra until the vendor fixes this issue. In the meantime, workarounds include using a PC for Banner or installing a Windows OS on your Mac using Parallels or Boot Camp. The new version of Java that came out yesterday (Java 8 update 111 build 1.8.0_111-b14) helps somewhat but does not resolve this issue.

If you have any questions, please contact the Technology Service Desk (techdesk@uoregon.edu; 541-346-4357).

UO Technology Service Desk
Information Services
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk



WHAT THIS IS ABOUT: Don't panic. I'm noticing that some folks are having difficulties connecting to the UO Secure wireless network. This is a typical start-of-the-academic-year problem.

WHO SHOULD READ THIS: Folks who connect to the UO Secure wireless network. Or would if the darn thing would work.

WHAT YOU SHOULD DO:
1) Plug your device into the UO Ethernet.
2) Go to https://wireless.uoregon.edu This will take you to Network Service's wireless page, where they have a connection utility wizard.
3) Click the check box by "I accept the terms" and then the START button. The wizard should run some scripts to install a new security certificate. It should take no more than five minutes (unless you have to repeat the procedure...)

"But John!" you say, "I have a mobile device that doesn't have an Ethernet jack and I _can't_ plug into the Ethernet." In that case try:
1) Go to your device's wireless network settings.
2) Connect to plain old vanilla UO Wireless.
3) Go to https://wireless.uoregon.edu This will take you to Network Service's wireless page, where they have a connection utility wizard.
4) Click the check box by "I accept the terms" and then the START button. The wizard should run some scripts to install a new security certificate. It should take no more than five minutes (unless you have to repeat the procedure...)

Navigating this problem can be tricky. I'm happy to assist folks. E-mail me at engtech@ithelp.uoregon.edu to schedule an appointment.

ADDITIONAL INFORMATION: I'm going to blame summer maintenance for this, which typically includes giving the wireless router new security certificates. When a machine that hasn't connected for a few months returns to campus, it doesn't have the latest certificate, and the connection doesn't work.



WHAT THIS IS ABOUT: Don't panic, this is a PSA about iOS 10, which Apple will unleash on September 13, 2016.

WHO SHOULD READ THIS: Owners of iPhones, iPads and iPods.

WHAT YOU SHOULD DO: The new iOS is probably harmless; however, I always advise folks to wait about two weeks before upgrading operating systems in case there are any hidden problems.

ADDITIONAL INFORMATION: The Apple Store may be sluggish on 9/13 as Apple fans worldwide jump on the update bandwagon. http://www.apple.com/ios/ios-10/

iOS 10 is compatible with these devices:
iPhone 7
iPhone 7 Plus
iPhone 6s
iPhone 6s Plus
iPhone 6
iPhone 6 Plus
iPhone SE
iPhone 5s
iPhone 5c
iPhone 5
iPad Pro 12.9-inch
iPad Pro 9.7-inch
iPad Air 2
iPad Air
iPad 4th generation
iPad mini 4
iPad mini 3
iPad mini 2
iPod touch 6th generation



WHAT THIS IS ABOUT: Apple has released a new operating system update for iPads and iPhones which closes three serious zero-day flaws being used by state-sponsored spy organizations. iPad and iPhone users are encouraged to download iOS 9.3.5 as soon as possible. 4 Admiral Ackbars (serious enough for me to post this at 9:45 PM in the middle of a vacation).

WHO SHOULD READ THIS: Owners of iPads and iPhones. Windows users are not affected.

WHAT YOU SHOULD DO: iPad and iPhone users should update to iOS 9.3.5. Now would be good. On the device, go to Settings > General > Software Update. More detailed instructions here: https://support.apple.com/en-us/HT204204

I will be back in the office after Labor Day. If you need additional help sooner, please visit the folks at the Technical Support Desk in the basement of McKenzie, 346-HELP.

ADDITIONAL INFORMATION for the Technically Curious: The three flaws are collectively being called The Trident. The spy package being used to exploit The Trident is called Pegasus. Pegasus and other malware taking advantage of the flaws can be installed from a malicious web site or an SMS, grab super-user privileges, and go from there to do everything from reading your e-mails, to spying on you with your iThing's microphone and camera, to tracking your physical location via an i-Thing's GPS.

Official Apple Security Notice (kind of info-lite): https://support.apple.com/en-us/HT207107

The Original Discovery Write-up from Citizen Lab (recommended if you've got the time to read it for the government and social implications as well as the technical information): https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

The Technical Press Chimes In:
http://arstechnica.com/apple/2016/08/apple-releases-ios-9-3-5-with-an-important-security-update/
http://arstechnica.com/security/2016/08/actively-exploited-ios-flaws-that-hijack-iphones-likely-spread-for-years/
https://nakedsecurity.sophos.com/2016/08/26/apple-ios-users-update-now-zero-day-attack-seen-in-the-wild/
http://gizmodo.com/israeli-cyber-weapon-dealers-figured-out-how-to-hack-ev-1785747391
https://www.intego.com/mac-security-blog/emergency-ios-9-3-5-update-thwarts-pegasus-spyware-patch-now/
http://www.techspot.com/news/66106-rare-ios-spyware-caught-wild-exploiting-three-zero.html
http://www.theregister.co.uk/2016/08/25/update_your_ios_devices_now_theres_an_apt_in_the_wild/
http://www.macrumors.com/2016/08/25/apple-releases-ios-9-3-5/

And so does the Non-Technical Press:
http://www.nytimes.com/2016/08/26/technology/apple-software-vulnerability-ios-patch.html?_r=0
http://www.wsj.com/articles/firm-manipulated-iphone-software-to-allow-spying-report-says-1472149087
http://www.reuters.com/article/us-apple-iphone-cyber-idUSKCN1102B1



WHAT THIS IS ABOUT: Sigh. This is a PSA. With the latest Microsoft Windows 10 update, released July 29 (today), Microsoft is integrating User Information Gathering Cortana, its on-line search assistant, more closely into Windows 10. Instead of Admiral Ackbars, I'd give this a rating of 2 Sith Lord Spy 'Droids.

WHO SHOULD READ THIS: People using Windows 10.

WHAT YOU SHOULD DO: To improve your privacy (from http://www.windowscentral.com/you-can-disable-cortana-windows-10):

How to sign out of Cortana in Windows 10 Anniversary Update:
Click Cortana
Choose Notebook
Choose About me
Select User Account
Select Sign Out
Cortana will now revert to a generic search engine for your PC and web with no links to your Microsoft Account.

Other privacy settings:
Go to the Start Menu in the lower left-hand corner of the Windows 10 screen.
Choose Settings; the Settings dialog box should appear.
Click on the Privacy icon; the Privacy dialog box should appear.
Select Speech, Inking & Typing from the menu on the left; new text should appear.
Toggle an option called 'Stop getting to know me' OFF.
Close the dialog box.

For more Windows 10 Privacy tips, see: http://www.windowscentral.com/how-turn-cortana-and-stop-personal-data-gathering-windows-10

ADDITIONAL INFORMATION for the Technically Curious:
A "Hold Your Horses, It's Not Quite _That_ Bad" Article: http://www.windowscentral.com/you-can-disable-cortana-windows-10
A Click-bait Headline Article: http://www.techspot.com/news/65766-microsoft-make-cortana-mandatory-anniversary-update.html
Microsoft's Page on Cortana: https://support.microsoft.com/en-us/help/17214/windows-10-what-is-cortana



WHAT THIS IS ABOUT: Don't Panic (much)! This is a public service announcement about a newly discovered security hole in LastPass, a password manager. No exploits in the wild; I'd rate this at about One and a Half Admiral Ackbars.

WHO SHOULD READ THIS: Only folks who use LastPass.

WHAT YOU SHOULD DO: Keep your eyes open for a security patch from LastPass to be released soon.

ADDITIONAL INFORMATION for the Technically Curious:
An explanation of what LastPass is, and the nature of the exploit: https://nakedsecurity.sophos.com/2016/07/27/lastpass-password-manager-zero-day-bug-hits-the-news/
A sensational article that throws around a lot of big numbers before admitting no in-the-wild attacks: http://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/
The LastPass website: https://lastpass.com/



WHAT THIS IS ABOUT: Don't panic; this is simply a PSA about the Pokemon Go application that is causing groups of lost-looking people to wander the campus while holding up smart phones and frowning in confusion as if they were trying to find PLC or maybe the Library or the Museum.

WHO SHOULD READ THIS: Folks with mobile smart-phones (you've given them to your kids, haven't you).

WHAT YOU SHOULD DO: Be aware of your physical safety. iPhone users especially: Make sure you download the official version of this game (not a problem if you are in the US). Review privacy settings for the game. Have fun. Be safe. Catch 'em all.

ADDITIONAL INFORMATION for the Technically Curious:
https://www.hotforsecurity.com/blog/pokemon-go-privacy-and-security-concerns-you-should-be-aware-of-15917.html
http://www.macrumors.com/2016/07/11/pokemon-go-launch-car-accidents/
List of Pokemon: https://en.wikipedia.org/wiki/List_of_Pok%C3%A9mon



WHAT THIS IS ABOUT: Don't panic. This is a public service announcement about a piece of Malware the Technical Security Press is in a dither about called "Eleanor," which is distributed through a third-party document converter, and which was up until recently hosted on the MacDownload website. I'd rate this at Two Admiral Ackbars.

WHO SHOULD READ THIS: Macintosh Users, especially folks who download apps from the MacDownload site. Windows Users are not affected.

WHAT YOU SHOULD DO: Eleanor is malware that is bundled with a third-party document converter called EasyDoc Converter. EasyDoc Converter appears to have been abandoned by its initial creators and turned into a Trojan Horse by The Evil Ones. If you have never visited MacDownload, you're safe. If you've never downloaded EasyDoc Converter, you're safe. If you have downloaded EasyDoc Converter, install or update MalwareBytes for Macintosh, which will remove it. https://www.malwarebytes.com/antimalware/mac/

ADDITIONAL INFORMATION for the Technically Curious: qui cum canibus concumbunt cum pulicibus surgent - He that lieth down with dogs shall rise up with fleas.

Original report from Bit Defender: https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/

The site of the crime: https://www.macupdate.com/app/mac/56544/easydoc-converter

Secondary Reports:
https://blog.malwarebytes.com/cybercrime/2016/07/new-mac-backdoor-malware-eleanor/
"The app is not signed with a certificate issued to an Apple developer ID. This is fortunate, in a way, as this makes it more difficult to open. (By default, Mac OS X will not open unsigned apps.)"
http://www.securityweek.com/os-x-backdoor-provides-unfettered-access-mac-systems
http://www.macrumors.com/2016/07/06/backdoor-mac-eleanor-faq/
"The most important and obvious preventative measure is to avoid downloading "EasyDoc Converter.app" from any source. Installing unknown apps from unidentified developers is almost always a security risk."



WHAT THIS IS ABOUT: The deadline for downloading the free upgrade to Windows 10 is July 29, 2016. Resistance is futile.

WHO SHOULD READ THIS: Windows users not using Windows 10.

WHAT YOU SHOULD DO: If you've been holding out on a Windows 10 upgrade, now's the time to do it while the upgrade is still free. Downloading the upgrade typically takes about an hour, and the installation typically takes about 90 minutes. Windows XP is no longer supported. Windows 7 should be supported through 2020. Windows 8 should be supported through 2023.

The PROS:
+ Since Windows 10 has been out about a year, some of the bugs in it have been addressed.
+ McAfee now runs with Windows 10.
+ Running Windows 10 will make your machine compatible with the latest software.
+ Microsoft has recognized that Win8 charms (or application tiles) were a bad idea and scaled them back.
+ Upgrading old machines to Win 10 will make them look the same as newly purchased Windows machines.

The CONS:
+ Older computers may not be able to run Windows 10.
+ Windows 10 is Microsoft's way to become an advertiser for what you want; by default it collects a dismaying amount of information.
+ Windows 10 still wants to make your computer talk to other computers so it can become a local hotspot and serve Windows updates.
+ Microsoft took out the Media Player - so no playing DVDs after an update without additional software installations.
+ The usual annoyances at a new system's apparently random reconfiguration of system controls: The control panel has been split into a control panel and a preferences panel, and the Start Icon does almost-but-not-quite-the-same things.

If you do upgrade to Windows 10, follow these instructions to improve your privacy: http://arstechnica.com/information-technology/2015/08/windows-10-doesnt-offer-much-privacy-by-default-heres-how-to-fix-it/

ADDITIONAL INFORMATION for the Technically Curious:
Other Configuration Guides: http://arstechnica.com/information-technology/2014/10/hands-on-with-the-windows-10-start-menu-as-big-or-as-small-as-you-want-it/
Microsoft's Win10 FAQ: https://support.microsoft.com/en-us/help/12435/windows-10-upgrade-faq
A list of Microsoft products' life cycles: https://support.microsoft.com/en-us/gp/lifeselectindex
Last Year's Tech Announcement: http://pages.uoregon.edu/burridge/TechAnnouncements.php#2015-08-05
Various Privacy Concern Links:
http://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/
http://arstechnica.com/information-technology/2015/08/windows-10s-privacy-policy-is-the-new-normal/
https://privacy.microsoft.com/en-us/privacystatement/



WHAT THIS IS ABOUT: Don't panic. This is a message about the Macintosh operating system and software dependencies. It's more of a warning than anything.

WHO SHOULD READ THIS:
Macintosh Users with Mac OS 10.8 (Mountain Lion) and Older who use VPN
Macintosh Users with Mac OS 10.9 (Mavericks)
Newer Mac OS users are not affected.
Windows users are not affected.

WHAT YOU SHOULD DO: It depends.

First, go to the Apple Menu in the upper left-hand corner and choose ABOUT THIS MAC; a dialog box will pop up. The dialog box will display the name of the operating system (e.g. Yosemite) in big letters, and the version (e.g. 10.10.3) in smaller letters underneath. Make a note of the OS and close the dialog box.

If you are using Mac OS 10.8 or earlier, and you have to use VPN to connect to the UO secure computing assets, then you'll need to update the Mac OS. This will probably mean updating to OS 10.11.5 (El Capitan).

If you're using Mac OS 10.8 or earlier, and you don't need VPN, then you're probably OK for the next month. Be advised that Apple ceased supporting Mac OS 10.8 at the beginning of 2016, so it's becoming less secure as time goes by and various vulnerabilities are discovered but not patched. Also, the Chrome browser no longer provides security updates for Mac OS 10.8. If you think you'll continue to use the iMac or MacBook you're using beyond July, I would upgrade to improve computer security; again, this will probably mean updating to OS 10.11.5. Don't wait too long (see below).

If you're going to get new hardware, I'd get it sooner rather than later. Getting the hardware now means it will ship with the latest version of OS 10.11, which fixes irritating bugs discovered by early adopters last September. Getting the hardware in early August risks the possibility of it coming factory-installed with OS 10.12.0 (Sierra). New OSes from Apple don't exactly have a sterling reputation as far as introducing funny little bugs with networking or printing or talking with peripherals or with iTunes wanting to store everything on the iCloud.

ADDITIONAL INFORMATION for the Technically Curious:
OS 10.6 (Snow Leopard): Unsupported
OS 10.7 (Lion): Unsupported
OS 10.8 (Mountain Lion): Unsupported
OS 10.9 (Mavericks): Supported (*probably* through December 2016)
OS 10.10 (Yosemite): Supported
OS 10.11 (El Capitan): Supported
OS 10.12 (Sierra): To be released soon

See message below:

From: deptcomp-bounces@lists.uoregon.edu [mailto:deptcomp-bounces@lists.uoregon.edu] On Behalf Of Technology Service Desk
Sent: Thursday, June 30, 2016 11:56 AM
To: IT Directors; Departmental Computing
Subject: deptcomp: Mac OS X compatibility with VPN

As you may recall, Information Services made available an update to the UO VPN software, AnyConnect, yesterday morning. That upgrade installs itself when the user next attempts to connect using AnyConnect. This version of AnyConnect (4.3.00748) does not work on Mac OS X 10.8 and earlier. (AnyConnect supports Mac OS X 10.9 through Mac OS X 10.11.)

Apple ended support for Mac OS X 10.8 on December 31, 2015 when they stopped providing security updates for that operating system. Since Apple no longer supports OS X 10.8, AnyConnect dropped support for that operating system as well, since OS security updates are a key way of keeping an OS secure.

If you have any questions, please contact the Technology Service Desk (techdesk@uoregon.edu; 541-346-4357).

UO Technology Service Desk
Information Services
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk
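For the technically curious, here is an added example (not part of the original announcement or the Service Desk message) that turns the "check ABOUT THIS MAC, then decide" procedure above into a script. It encodes only the boundaries stated above (Apple support ended for 10.8 and earlier, 10.9 through 10.11 supported, AnyConnect 4.3.00748 runs on 10.9 through 10.11) and shows the one trap in automating this: version strings must be compared as numbers, because as text "10.9" sorts after "10.10". The function names and advice wording are my own assumptions.

```python
"""Decide whether a Mac OS version is still supported (added example).

Support boundaries are the ones the announcement and the forwarded Service
Desk message state; everything else (names, wording) is an assumption.
"""
import platform
import re
from typing import Dict, Tuple, Union

Version = Tuple[int, ...]

# Inclusive (major, minor) ranges taken from the announcement.
APPLE_SUPPORTED = ((10, 9), (10, 11))        # Mavericks .. El Capitan
ANYCONNECT_SUPPORTED = ((10, 9), (10, 11))   # AnyConnect 4.3.00748
NEWER_THAN_COVERED = (10, 12)                # Sierra: unreleased when this was written


def parse_version(text: str) -> Version:
    """Turn '10.10.3' into (10, 10, 3).

    Comparing version strings as text is the classic mistake: '10.9' > '10.10'
    lexically because '9' > '1'. Tuples of integers compare numerically.
    """
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def major_minor(v: Version) -> Tuple[int, int]:
    """Reduce (10, 11, 5) to (10, 11); a bare '10' becomes (10, 0)."""
    padded = tuple(v) + (0, 0)
    return padded[0], padded[1]


def in_range(v: Version, lo: Tuple[int, int], hi: Tuple[int, int]) -> bool:
    return lo <= major_minor(v) <= hi


def support_status(version_text: str, needs_vpn: bool) -> Dict[str, Union[Version, bool, str]]:
    """Return what the announcement advises for this OS version."""
    v = parse_version(version_text)
    apple_ok = in_range(v, *APPLE_SUPPORTED)
    vpn_ok = in_range(v, *ANYCONNECT_SUPPORTED)
    if major_minor(v) >= NEWER_THAN_COVERED:
        advice = "Newer than this announcement covers; check the current compatibility lists."
    elif not apple_ok:
        advice = "Unsupported by Apple (no security updates); upgrade, probably to OS 10.11.5."
        if needs_vpn:
            advice += " AnyConnect 4.3.00748 will not run on it, so upgrade before you need VPN."
    elif needs_vpn and not vpn_ok:
        # Kept separate from the Apple check: the two ranges are distinct facts
        # and may drift apart as the VPN client is updated.
        advice = "Supported by Apple but not by AnyConnect 4.3.00748; upgrade to use VPN."
    else:
        advice = "Supported; no action required."
    return {"version": v, "apple_supported": apple_ok,
            "anyconnect_supported": vpn_ok, "advice": advice}


def local_version() -> str:
    """Read the running Mac OS version; platform.mac_ver() is empty elsewhere."""
    ver = platform.mac_ver()[0]
    if not ver:
        raise RuntimeError("not running on Mac OS")
    return ver


if __name__ == "__main__":
    # Constructed sample versions, one per support band.
    for sample in ("10.8.5", "10.9", "10.10.3", "10.11.5", "10.12.0"):
        print(sample, "->", support_status(sample, needs_vpn=True)["advice"])
```

On an office Mac, `support_status(local_version(), needs_vpn=True)` gives the same answer the ABOUT THIS MAC procedure does; the sample loop at the bottom runs anywhere.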



WHAT THIS IS ABOUT: The folks in McKenzie will be reconfiguring the UO wireless network next Thursday, June 16; this will require fiddling with network settings.

WHO SHOULD READ THIS: Everyone who uses the wireless network. Ethernet users shouldn't be affected.

WHAT YOU SHOULD DO: Whenever there is a major change in the network, I always advise making sure time-sensitive work is finished the day before. Be sure to give yourself extra time Thursday morning, June 16, to get computer work done.

Macintosh users: The Computer Center is advising Macintosh users to visit http://wireless.uoregon.edu/ between now and June 16 to install the new configuration. In the past, I have found that it's useful to be connected to the UO Ethernet when visiting the website.

Windows users: Windows users should be able to simply connect to the UO wireless network. The first time you connect, you may need to trust a new security certificate and re-enter your username and password. If you get network password errors, and you know your UO password is correct, go to http://wireless.uoregon.edu/ and follow the steps to install a new profile.

Mobile device users: iPhone, iPad, Android, and other mobile device users will need to visit http://wireless.uoregon.edu/ on June 16.

ADDITIONAL INFORMATION for the Technically Curious: When computers talk to each other, especially when they are talking over a secure connection, they use something called a security certificate to verify each other's identities. The new wireless configuration comes with a new certificate.

The following message is from the Technology Service Desk:

From: deptcomp-bounces@lists.uoregon.edu [mailto:deptcomp-bounces@lists.uoregon.edu] On Behalf Of Technology Service Desk
Sent: Wednesday, June 08, 2016 3:16 PM
To: Departmental Computing
Subject: deptcomp: Wireless change Jun. 16 will require some user action

**Please share with others in your unit.**

On Thursday, June 16, between 5am and 7am, we will be switching to a new system for the UO Secure and eduroam wireless networks. This change will require action by many users the first time they connect to these wireless networks after the change.
* Some Mac users (and others) may be unable to connect until they install a new wireless profile from http://wireless.uoregon.edu/
* Some people may simply be asked to trust a new certificate or reenter their credentials

Mac users can act proactively by installing a new wireless profile before June 16. To do that, go to http://wireless.uoregon.edu/ and walk through the steps. (This will install the new certificate while leaving the old one in place.)

In the past, Windows 7 users have sometimes received misleading prompts saying their passwords were bad when really they just needed to install a new wireless profile. We did not encounter this situation in recent testing.

If you have any questions or run into issues on June 16 (or any time), please let us know.

UO Technology Service Desk
Information Services
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk



WHAT THIS IS ABOUT: iOS 9.3.2 can brick iPads (in computer parlance, to "brick" a computer means to break it so thoroughly that it becomes the equivalent of a brick, door-stop, or anchor). The problem appears to be limited to newer 9.7 inch iPad Pros. I'd give this 4 Admiral Ackbars.

WHO SHOULD READ THIS:
Folks with new 9.7 inch iPads.
Folks with older iPads, iPhones or other iThings should take note.
iMacs or devices running the desktop OS are not affected.
Windows users are not affected.

WHAT YOU SHOULD DO: Hold off on updating to iOS 9.3.2 on your iPad for a few weeks.

ADDITIONAL INFORMATION for the Technically Curious:
To quote http://www.forbes.com/sites/gordonkelly/2016/05/16/apple-ios-9-3-2-ipad-pro-problems/ :
"When affected devices install iOS 9.3.2 and restart, users are presented with an 'Error 56' code which tells them to connect to iTunes. The problem is connecting to iTunes does nothing, the device is locked and forced reboots only return it to the same state. As for the error code itself, according to Apple's code guide, Error 56 is loosely described as a "hardware issue", which doesn't sound like a credible explanation."

What a new 9.7 inch iPad Pro is (detailed information and review):
http://www.macrumors.com/roundup/ipad-pro/
Mac Rumors (iOS 9.3.2 bricking 9.7 inch iPad Pros):
http://www.macrumors.com/2016/05/16/ios-9-3-2-bricking-some-9-7-ipad-pros/
The Register (iOS 9.3.2 updates, then bricks iPads):
http://www.theregister.co.uk/2016/05/17/apple_bricks_ipads/
International Business Times:
http://www.ibtimes.co.uk/ios-9-3-2-released-by-apple-fixes-iphone-se-bluetooth-problem-bricks-some-ipads-error-56-1560419
The upgrade from Apple causing the problem (techno-heavy, info-light):
https://support.apple.com/en-au/HT206568
Error 56 (not to be confused with Palpatine's Order 66):
https://support.apple.com/en-us/HT204770#hardware



WHAT THIS IS ABOUT: Apple Computer has ceased supporting QuickTime for Windows (in computer support parlance, QuickTime for Windows is deprecated); this means that two zero-day vulnerabilities in QuickTime will not be patched. Ever. 2.5 Admiral Ackbars.

WHO SHOULD READ THIS:
Windows Users with Apple QuickTime installed on their computers.
Macintosh Users are not affected.

WHAT YOU SHOULD DO: Uninstall Apple QuickTime on your Windows computer. (Lifted shamelessly from Time Magazine's instructions for uninstalling QuickTime: http://time.com/4297456/uninstall-quicktime-windows-10-7/ )

For Windows 10:
  1. Press the Start button.
  2. Select "Settings."
  3. Choose "System" and then navigate to "Apps and features."
  4. Find QuickTime in the list of apps, and select "Uninstall."

For Windows 7:
  1. Press the Start button.
  2. Select "Control Panel."
  3. Choose "Programs" and then navigate to "Programs and features."
  4. Find QuickTime in the list of programs, and select "Uninstall."

ADDITIONAL INFORMATION for the Technically Curious:
Apple's Instructions (which point to Microsoft's instructions):
https://support.apple.com/en-us/HT205771
http://windows.microsoft.com/en-us/windows/uninstall-change-program#uninstall-change-program=windows-7
Time Magazine's instructions for uninstalling QuickTime:
http://time.com/4297456/uninstall-quicktime-windows-10-7/
US Computer Emergency Readiness Team (US-CERT) Advisory:
https://www.us-cert.gov/ncas/alerts/TA16-105A
Trend Micro Report:
http://blog.trendmicro.com/urgent-call-action-uninstall-quicktime-windows-today/
Ars Technica:
http://arstechnica.com/security/2016/04/apple-stops-patching-quicktime-for-windows-despite-2-active-vulnerabilities/
The Register:
http://www.theregister.co.uk/2016/04/14/uninstall_quicktime_for_windows/
Details on the Zero-Day Flaws (summary: the Evil Ones trick the computer into running malicious software and take over your computer):
http://zerodayinitiative.com/advisories/ZDI-16-241/
http://zerodayinitiative.com/advisories/ZDI-16-242/



WHAT THIS IS ABOUT: The computer security press is abuzz (again) about the latest Adobe Flash security hole (again). Given that this opens up one's computer to ransomware attacks, I'll give it 3.5 Admiral Ackbars.

WHO SHOULD READ THIS: Everyone who hasn't already uninstalled Adobe Flash from their computers.

WHAT YOU SHOULD DO:

1) Make sure you are running the latest version of your web browser:
  Chrome: Follow this link: chrome://help/ and follow the prompts.
  Firefox: Go to the HELP menu and choose ABOUT FIREFOX. Follow the prompts.
  Safari: Go to the APPLE MENU and choose APP STORE, then choose UPDATES. Any Safari updates will be listed.
  Internet Explorer: Go to the START MENU, choose ALL PROGRAMS, and WINDOWS UPDATE. Follow the prompts to install important or critical updates.

2A) First Option: Uninstall Flash. Seriously.
  Windows: Control Panel > Programs and Features > Select Adobe Flash Player software(s) > Select UNINSTALL
  Macintosh: It's a little more complicated; see http://www.macworld.com/article/2993361/security/how-to-uninstall-flash-player-from-your-mac.html for instructions.

2B) Or Second Option: Live with Flash by updating it. If you must have the Flash Player on your computer, go here: https://helpx.adobe.com/security/products/flash-player/apsb16-10.html and follow the instructions to update Flash.

ADDITIONAL INFORMATION for the Technically Curious:
Flash exploit and link to fix:
http://www.trendmicro.com/vinfo/us/threat-encyclopedia/vulnerability/7102/adobe-flash-player-vulnerability-cve20161019
Quick Summary of the Flash Exploit:
https://nakedsecurity.sophos.com/2016/04/08/adobe-ships-0-day-patch-for-flash-get-it-while-its-hot/
http://www.reuters.com/article/us-adobe-systems-cyber-ransomware-idUSKCN0X502K
What The Bad Guys Are Up To with the Flash Security Hole:
http://www.securityweek.com/adobe-patches-flash-zero-day-exploited-magnitude-ek
An Analysis of the Malicious Payload using the Flash Security Hole:
https://www.proofpoint.com/uk/threat-insight/post/killing-zero-day-in-the-egg
Ars Technica article on the Flash Exploit:
http://arstechnica.com/security/2016/04/adobe-flash-update-ransomware-windows-10/
Slightly Related Article on Ransomware:
http://arstechnica.com/security/2016/04/ok-panic-newly-evolved-ransomware-is-bad-news-for-everyone/
Adobe Flash's Track Record of Shame:
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2015-07-14
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2015-06-24
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2015-01-27
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-02-21



WHAT THIS IS ABOUT: Take a deep breath. Malvertisers have infected very popular websites (NY Times, BBC, MSN, AOL) with malware which will attempt to encrypt your data for a ransom. I'd give this situation Three and a Half Admiral Ackbars.

WHO SHOULD READ THIS: Sigh. Everyone. Macintosh users may be OK, as the encryption package appears to only work on Windows machines; however, I'm putting on my Cassandra outfit and warning Macintosh users to follow the steps below to protect themselves from next time.

WHAT YOU SHOULD DO:

Make physical backups of your data. (Go to the Duckstore, get two USB sticks, back up your data, alternate sticks every week; store the off-week USB at a friend's house in case there's a fire.) Dropbox, Google Docs, and OneDrive are not backup options; the data needs to be physically removed from your main computer for it to be backed up.

Go to McAfee (or whatever anti-viral software you have running) and update it. The campaign is aggressive, but stealthy; if the malware sees an antiviral package, it will retreat to avoid detection.

The malware uses the usual attack methods: Java, Silverlight, Adobe Flash. Uninstalling these pieces of software will help protect your computer. If you must use them, be sure you are running the latest versions.

Technically advanced users may wish to edit home router block lists, adding the following domains:
  answers.com
  zerohedge.com
  infolinks.com
  brentsmedia.com
  evangmedia.com
  shangjiamedia.com

ADDITIONAL INFORMATION for the Technically Curious:
Malvertisement: an advertisement, typically on a side-bar on a web page, that attempts to install malware onto a computer.
Malware: Malicious software.
Ransomware: Software that typically encrypts your data and then demands a ransom to decrypt it.

http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/
http://www.pcworld.com/article/3044145/security/top-websites-affected-by-angler-exploit-kit-malvertising-security-vendors-say.html
http://www.hotforsecurity.com/blog/angler-exploit-kit-updated-to-target-pcs-and-macs-with-silverlight-attack-13449.html
Heimdal Security infomercial about how Angler works (introductory info, and they're pitching their security product):
https://heimdalsecurity.com/blog/ultimate-guide-angler-exploit-kit-non-technical-people/
Technically Detailed Overview of the Angler Exploit Kit:
https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
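For the technically advanced users editing block lists, here is an added example (not part of the original announcement) that checks hostnames against the six domains listed above and renders them as hosts-file lines. It goes slightly beyond the text: the check matches on DNS labels so that subdomains of a listed domain are caught while look-alike names are not, which is the mistake a naive substring match makes. The six domains come from the announcement; the function names and the constructed test hostnames are assumptions.

```python
"""Domain block-list check and hosts-file rendering (added example).

The domains are the ones the announcement lists; function names and the
sample hostnames are constructed for illustration.
"""
from typing import Iterable, Set
from urllib.parse import urlsplit

# Domains named in the announcement as used by the malvertising campaign.
BLOCKLIST: Set[str] = {
    "answers.com",
    "zerohedge.com",
    "infolinks.com",
    "brentsmedia.com",
    "evangmedia.com",
    "shangjiamedia.com",
}


def normalize(host: str) -> str:
    """Lower-case, drop a trailing dot and a :port, so 'Ads.Infolinks.COM.' matches."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):            # bracketed IPv6 literal: never a domain match
        return host
    if host.count(":") == 1:            # 'host:port' (a bare IPv6 address has more colons)
        host = host.rsplit(":", 1)[0]
    return host


def is_blocked(host: str, blocklist: Iterable[str] = BLOCKLIST) -> bool:
    """True when host is a listed domain or any subdomain of one.

    Matching is done on whole DNS labels, not substrings: 'cdn.infolinks.com'
    is blocked, while 'notinfolinks.com' and 'infolinks.com.evil.example'
    (a listed name used as a subdomain of something else) are not.
    """
    blocked = set(blocklist)
    labels = normalize(host).split(".")
    # Walk from the full name to its shortest parent: a.b.c.com -> b.c.com -> c.com
    # (never the bare TLD, hence len(labels) - 1).
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocked:
            return True
    return False


def url_is_blocked(url: str, blocklist: Iterable[str] = BLOCKLIST) -> bool:
    """Apply is_blocked to the hostname part of a URL."""
    host = urlsplit(url).hostname
    return bool(host) and is_blocked(host, blocklist)


def hosts_entries(blocklist: Iterable[str] = BLOCKLIST) -> str:
    """Render the list as hosts-file lines; 0.0.0.0 sinkholes the name.

    Caveat: a hosts file matches exact names only, so the 'www.' variants are
    written out explicitly. Router or DNS-level block lists usually cover
    subdomains on their own, which is why the announcement points you there.
    """
    lines = []
    for domain in sorted(set(blocklist)):
        lines.append(f"0.0.0.0 {domain}")
        lines.append(f"0.0.0.0 www.{domain}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample names; none of these were observed, they illustrate the matching rules.
    for sample in ("infolinks.com", "cdn.infolinks.com", "notinfolinks.com",
                   "infolinks.com.evil.example", "www.uoregon.edu"):
        print(f"{sample:30} blocked={is_blocked(sample)}")
    print(hosts_entries())
```

Feed `hosts_entries()` into the hosts file on a single machine, or hand the domain set to whatever block-list format the home router accepts; `url_is_blocked` is the hook to use when checking proxy or DNS logs.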



This is information-lite, but of possible interest: http://www.welivesecurity.com/2016/02/29/5-threats-every-company-needs-pay-attention/ I'm forwarding it to raise awareness of computer security in the wake of last week's ransomware attack and because Windows is what we're using in the main office. The takeaway: the main computer security threats are

  1. Malicious e-mail
  2. Malicious RAM sticks.
  3. Malicious web pages that run exploits (Internet Explorer, I'm looking at you)
  4. Ransomware
  5. Unprotected mobile devices (see #2)
The implied solutions are
  1. Have anti-viral software scan your e-mail, and be careful opening attachments.
  2. Know the history of the RAM sticks you load on your computer; also, use the server to share files.
  3. Have anti-viral software look over your shoulder when you surf; also, don't use Internet Explorer.
  4. See above; also have a "fire plan" so you can recover data that has been encrypted.
  5. Protect mobile devices before they connect to the UO computing environment.



WHAT THIS IS ABOUT: Don't panic. This is a PSA for users of Macintosh OS 10.11 (El Capitan). Over the last weekend in February, Apple released a security update that disables a Macintosh's Ethernet. Wireless still works, so I'll rate this at One Admiral Ackbar for inconvenience.

WHO SHOULD READ THIS:
Users of Macintosh OS 10.11 (El Capitan)
Other Macintosh Users are Not Affected
Windows Users are Not Affected

WHAT YOU SHOULD DO: If you use Mac OS 10.11 (El Capitan), and over the weekend your Ethernet suddenly stopped working (and you know your cables are securely plugged in), chances are an Apple system update disabled your Ethernet. You can re-enable it following the instructions here: https://support.apple.com/en-us/HT6672

ADDITIONAL INFORMATION for the Technically Curious: Apple attempts to protect users by installing a blacklist of untrusted kernel extensions within the OS. The kernel is the core software of the OS, and an extension is extra software that plugs into it. For example, if Apple knows that a certain brand of printer driver causes crashes, it will blacklist it to prevent the system crashes. This time around, Apple blacklisted its own Ethernet driver kernel extensions.
http://arstechnica.com/apple/2016/02/os-x-blacklist-accidentally-disables-ethernet-in-os-x-10-11/
https://derflounder.wordpress.com/2016/02/28/apple-security-update-blocks-apple-ethernet-drivers-on-el-capitan/



Sent on behalf of Will Laney, Chief Information Security Officer

Hello Everyone,

We have recently had some users infected with malware known as "Locky". Locky is a ransomware program that encrypts the user's data on their local hard drive as well as any data on mapped network drives (such as file shares) the user can access. Once Locky encrypts all of the user's data, they will be offered the opportunity to buy a decryption key to unlock their data.

Its current infection process is to trick users into opening an MS Office (Word/Excel/PPT/etc.) document loaded with a macro that they receive via email. The malware is loaded through the MS Office macro. To entice the users, the subjects and names of the emails and files include words such as "Invoice" or "Remittance" (this will certainly change over time). If the macro isn't immediately run by opening the file, the document will ask the user to enable the running of macros. We believe this macro downloads Locky and runs it on the user's computer. We are also getting reports of a similar infection method via PDF files. At this point, Locky only targets Windows systems.

If a user reports opening a suspicious document such as the ones described above, please have them turn off the system as quickly as possible to avoid more files being encrypted. We suggest that you remove the hard drive from the system and reimage the hard drive. You can use tools (such as McAfee) to look for the malware, but there may be other variations of the malware that would be missed by these tools. If you are going to use these tools, make sure you are not booting from the infected drive or it will continue to encrypt more files. This is why a clean reimaging of the system is recommended.

You may have heard about this happening in a California hospital:
http://sanfrancisco.cbslocal.com/2016/02/18/california-hospital-ransomware-attack-hackers/

One important issue this brings up is that of backup procedures. If you already have something in place, please make sure those procedures continue. If you do not have any procedures in place, we will be releasing guidelines for server and individual backups in the coming weeks to help aid in developing your own.

Take care and stay safe,

Will Laney, CISSP, CISA
Chief Information Security Officer
The University of Oregon
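The CISO's message describes the delivery mechanism (an Office document with a macro, attached to an e-mail with an "Invoice" or "Remittance" subject). Here is an added example (not part of the CISO's message or any UO tool) of the check a mail gateway or help desk can run on an attachment before anyone opens it: modern Office files are ZIP containers, and a VBA macro project is stored inside as a vbaProject.bin part and declared in [Content_Types].xml, so macros can be detected without opening Office at all. The sample documents are constructed in memory and are not real Locky droppers; the function names and the extension tables are my own assumptions.

```python
"""Flag macro-bearing Office attachments (added example).

OOXML files (.docx/.docm/.xlsx/.xlsm/.pptx/.pptm) are ZIP archives; a VBA
project is a vbaProject.bin part declared with the content type below.
Legacy OLE files (.doc/.xls/.ppt) can also carry macros but need an OLE
parser, so they are only flagged for review here. Names are assumptions.
"""
import io
import zipfile
from typing import Dict, List, Union

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_EXTS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}
MACRO_FREE_EXTS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File (legacy Office) header


def _extension(filename: str) -> str:
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def inspect_attachment(filename: str, data: bytes) -> Dict[str, Union[str, bool, List[str]]]:
    """Return {filename, has_macros, legacy_ole, reasons} for one attachment."""
    ext = _extension(filename)
    reasons: List[str] = []
    has_macros = False
    legacy_ole = data.startswith(OLE_MAGIC)

    if legacy_ole:
        reasons.append("legacy OLE container (.doc/.xls/.ppt): cannot rule out macros without an OLE parser")
    else:
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            zf = None
            reasons.append("not a ZIP/OOXML container")
        if zf is not None:
            with zf:
                # 1. The VBA project part itself (word/, xl/ or ppt/ prefix).
                vba_parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
                if vba_parts:
                    has_macros = True
                    reasons.append("contains VBA part: " + ", ".join(vba_parts))
                # 2. The content-type declaration, in case the part was renamed.
                try:
                    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                except KeyError:
                    content_types = ""
                if VBA_CONTENT_TYPE in content_types:
                    has_macros = True
                    reasons.append("[Content_Types].xml declares a vbaProject content type")
            # 3. Extension/content mismatches are worth a second look either way.
            if has_macros and ext in MACRO_FREE_EXTS:
                reasons.append(f"extension {ext} claims macro-free but macros are present")
            if not has_macros and ext in MACRO_ENABLED_EXTS:
                reasons.append(f"extension {ext} is macro-enabled but no VBA part was found")

    return {"filename": filename, "has_macros": has_macros,
            "legacy_ole": legacy_ole, "reasons": reasons}


def build_sample(with_macros: bool) -> bytes:
    """Construct a minimal Word-style OOXML container for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        override = (f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
                    if with_macros else "")
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types>'
                    '<Override PartName="/word/document.xml" '
                    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
                    f"{override}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments named the way the message describes the lures.
    for name, blob in (("Invoice.docm", build_sample(True)),
                       ("Remittance.docx", build_sample(True)),   # macros hidden behind a .docx name
                       ("notes.docx", build_sample(False))):
        print(inspect_attachment(name, blob))
```

A positive result here means "quarantine and ask", not "malicious": plenty of legitimate spreadsheets carry macros. The point is that the decision can be made before the document reaches a user who might click "Enable Content".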



WHAT THIS IS ABOUT: Don't panic. This is a PSA. Microsoft is stepping up its efforts to get folks to upgrade to Windows 10.

WHO SHOULD READ THIS: Windows users. Macintosh users are not affected.

WHAT YOU SHOULD DO: The Windows 10 update is now a recommended update. This means Windows automatic updates will be more aggressive about downloading and installing the new Windows operating system. Users are still given the option to upgrade or not. Be mindful of where you click.

At this point, I'm advising folks to upgrade if they would like to; however, this may be a good Spring Break task. The main hurdle to updating last Fall Term was that McAfee hadn't caught up to Windows 10, but McAfee works now. Some of the issues with the initial release of Windows 10 have been addressed. There are some privacy issues with Windows phoning the mothership back at Microsoft; see the privacy links below for how to turn down the flow of surveillance from Redmond.

ADDITIONAL INFORMATION:
http://windows.microsoft.com/en-us/windows-10/upgrade-to-windows-10-faq
http://arstechnica.com/information-technology/2016/02/ready-or-not-here-comes-windows-10/
http://www.theregister.co.uk/2016/02/02/microsoft_ups_pressure_win_10_holdouts/
Making Windows 10 Respect Your Privacy:
http://arstechnica.com/information-technology/2015/08/windows-10-doesnt-offer-much-privacy-by-default-heres-how-to-fix-it/
https://fix10.isleaked.com/
http://www.theregister.co.uk/2015/08/03/windows_10_privacy_defaults/

Some older information:
What Happens to Your Home WiFi Security when a Win10 User Logs in:
https://grahamcluley.com/2015/08/windows-10-wifi/
Windows 10 Doesn't Use Child Accounts:
http://www.theregister.co.uk/2015/08/05/windows_10_wipes_child_safety_settings_upgrade/
Random Bug Complaints:
http://www.theregister.co.uk/2015/07/29/windows_10_bug_alert_start_menu_breaks_512_entries/
That Auto-update Driver problem:
http://www.theregister.co.uk/2015/07/28/windows_10_update_nvidia_driver_conflict/
https://grahamcluley.com/2015/07/windows-10-borked-automatic-updates-nvidia-drivers/
http://www.cnet.com/news/microsoft-fixes-windows-10-crash-bug-ahead-of-july-29-launch/



WHAT THIS IS ABOUT: Don't panic: this is a PSA about how a new UO network configuration will affect printing from home.

WHO SHOULD READ THIS: Folks who print from home to one of the English Department printers in PLC. Folks who print within PLC only are not affected.

WHAT YOU SHOULD DO: If you are working from home, and your home computer suddenly can't seem to find the English Department printers, connect to the UO network with VPN. Instructions for installing and using VPN are here: https://it.uoregon.edu/vpn
Once VPN is running on your home computer, the UO network will think you are on campus, and the printers will start talking to your computer; you should be able to print from home.

ADDITIONAL INFORMATION for the Technically Curious: UO Network Security and CAS-IT -- in an attempt to secure printers from the recent FTP attacks which caused printers to spew out reams' worth of machine code -- have teamed up and put an IP block on the English Department printers' static IP addresses. If you think of a printer like a leaf, the IP block is like a ninja praying mantis lower down on the branch, refusing to let any slugs from the roots at the bottom of the trunk pass it. Ants already above the praying mantis can carry messages back and forth among the leaves.



WHAT THIS IS ABOUT: A malicious bot is scanning printers on the UO campus in an attempt to gather user information from them. This is confusing the printers and making them print blank sheets of paper until the paper runs out or the printer jams. I'm rating this at Two Admiral Ackbars because the bot is simple and our printers aren't using factory default security settings.

WHO SHOULD READ THIS: Folks using the English Department printers in PLC 118, 228, and 232. Local desktop printers may be affected.

WHAT YOU SHOULD DO: This is particularly obnoxious during the holiday season, when printer attacks may go for some time before being noticed. The English Department staff will be powering down the printers overnight to prevent the malicious bot from doing its dirty deeds. As an added precaution, paper levels in the printer may be lower than typical levels.

During the last weeks of December, if you come in in the morning and expect to print, you'll want to confirm the printer is on before doing so. If you turn on a printer, print, and are finished, you are encouraged to turn the printer off. If you are leaving your office for the holidays, turn off all your computers and printers.

ADDITIONAL INFORMATION for the Technically Curious: Most printers have web, FTP, and other network servers built into them. The bot is trying to find out information about users entered into the printer (e.g. usernames and UO ID codes). The bot isn't very smart, and seems to be easily defeated by non-factory security settings. There's no official word out about this yet; I just happened to bump into a CAS-IT tech who told me about it.

Official word may show up in the dept-comp list:
https://lists-prod.uoregon.edu/mailman/private/deptcomp/
There's no word here:
https://twitter.com/UOTechDesk
https://www.facebook.com/UOTechDesk
http://blogs.uoregon.edu/casitblog/
https://casit.uoregon.edu/news
Sort of related, but not this specific problem:
https://casit.uoregon.edu/news/printer-security-incidents



WHAT THIS IS ABOUT: Dell Computer installed a self-signed root security certificate on some of its newer laptop and desktop computers. This is a huge security hole that some folks are likening to Lenovo's SuperFish debacle. Rated at 3.5 Admiral Ackbars for hack-ability and man-in-the-middle attacks.

WHO SHOULD READ THIS: Users with newer Dell model computers, especially: XPS 15, Latitude E7450, Inspiron 5548, Inspiron 5000, Inspiron 3647, Precision M4800. Other computer users are not affected.

WHAT YOU SHOULD DO: Use Chrome or Internet Explorer on your Dell computer to visit this site: https://edell.tlsfun.de/
If you get a green banner that says "No bad eDell certificate found" then you're not vulnerable. Yay!
If you get a warning message about bad eDell certificates, go here (PDF): https://dellupdater.dell.com/Downloads/APP009/eDellRootCertificateRemovalInstructions.pdf
Or use Dell's uninstall tool here: https://dellupdater.dell.com/Downloads/APP009/eDellRootCertFix.exe

ADDITIONAL INFORMATION for the Technically Curious: Dell wanted to make things easier for remotely servicing machines, so they created "Dell Foundation Systems" utilities using the eDell root security certificate. No, really; they're not bundling in adware or malware.
http://en.community.dell.com/dell-blogs/direct2dell/b/direct2dell/archive/2015/11/23/response-to-concerns-regarding-edellroot-certificate
Technical News Reports:
http://arstechnica.com/security/2015/11/dell-apologizes-for-https-certificate-fiasco-provides-removal-tool/
http://www.securityweek.com/root-certificate-shipped-dell-pcs-poses-serious-risk
http://www.welivesecurity.com/2015/11/24/dell-root-certificate-vulnerability-leaves-users-open-attack/
http://arstechnica.com/security/2015/11/dell-does-superfish-ships-pcs-with-self-signed-root-certificates/
http://www.theregister.co.uk/2015/11/23/dude_youre_getting_pwned/
http://www.kb.cert.org/vuls/id/870761
Original researcher's research:
http://joenord.blogspot.com/2015/11/new-dell-computer-comes-with-edellroot.html



WHAT THIS IS ABOUT: Microsoft Windows users appear to be receiving an "unexplained and almost certainly unauthorized patch" via Windows Update. The technical security folks worry that the Microsoft Update server may have been compromised. If this is true, then this is worth Four Admiral Ackbars.

Next-day Follow-up: Yesterday's suspicious Windows Update was a test update mistakenly published by Microsoft.
http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspicious-windows-update-delivered-worldwide/
Downgraded to half an Admiral Ackbar, or maybe even a Jar-Jar Binks.
John (whew)

WHO SHOULD READ THIS: Windows users, especially Windows 7 users. Macintosh users are unaffected.

WHAT YOU SHOULD DO: If you receive a Windows Update, which appears to be some sort of language pack update, with the following details:

  gYxseNjwafVPfgsoHnzLblmmAxZUiOnGcchqEAEwjyxwjUIfpXfJQcdLapTmFaqHGCFsdvpLarmPJLOZYMEILGNIPwNOgEazuBVJcyVjBRL
  Download size: 4.3 MB
  You may need to restart your computer for this update to take effect.
  Update type: Important
  qQMphgyOoFUxFLfNprOUQpHS

do not install it. I've read one report of the upgrade crashing Windows (at least).

ADDITIONAL INFORMATION: Microsoft typically releases Windows updates the second Tuesday of every month. Occasionally they will release an "out of band" update to fix a particularly worrisome problem, but this does not appear to be the case this time around.

As of 9/30/2015 11:50 AM, this is a breaking story: "People around the world are receiving a highly suspicious software bulletin through the official Windows Update, raising concerns that Microsoft's automatic patching mechanism may be broken or, worse, has been compromised to attack end users."
http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspicious-windows-update-delivered-worldwide/
https://answers.microsoft.com/en-us/windows/forum/windows_7-update/windows-7-update-appears-to-be-compromised/e96a0834-a9e9-4f03-a187-bef8ee62725e



WHAT THIS IS ABOUT: Over the weekend, computer security folks discovered that a host of iOS apps infected with malicious code, called XcodeGhost, had snuck past Apple security and made it to the App Store. I'll rate this Two and a Half Admiral Ackbars.

WHO SHOULD READ THIS: Users of iPhones, iPads, and other iThings. Windows users are not affected.

WHAT YOU SHOULD DO: Most American-based users won't be affected by this problem. However, if you have any of the following installed on your iThing, you should delete it now:
  WeChat
  CamCard
  Angry Birds 2 (Chinese Version)
  Didi Chuxing
A full list of (mostly China-based) apps infected with XcodeGhost may be found here: http://www.cultofmac.com/389693/xcodeghost-hack-delete-these-infected-ios-apps-immediately/
If you discover that an XcodeGhost app made it onto your mobile device, make sure to change passwords on any web or internet sites the poisoned app may have used.

ADDITIONAL INFORMATION for the Technically Curious: Xcode is a programming tool for iOS; folks use it to program apps. Programmers write a program, and then use Xcode to create a stand-alone app (in computing terminology, Xcode is called a compiler). A malicious copy of Xcode, called XcodeGhost, managed to poison the software of various companies, mostly based in China. An unsuspecting programmer using the poisoned compiler would unwittingly put data-siphoning software into their program. Infected apps would then track:
  Current time
  Current infected app's name
  The app's bundle identifier
  Current device's name and type
  Current system's language and country
  Current device's UUID
  Network type

A list of what to delete:
http://www.cultofmac.com/389693/xcodeghost-hack-delete-these-infected-ios-apps-immediately/
Some more technical advice:
https://isc.sans.edu/forums/diary/Detecting+XCodeGhost+Activity/20171/
News of the Malicious Code Lapse:
http://www.cultofmac.com/389644/apple-cleans-up-the-app-store-after-biggest-security-lapse-in-history/
http://arstechnica.com/security/2015/09/apple-scrambles-after-40-malicious-xcodeghost-apps-haunt-app-store/
Technical Report of XcodeGhost:
http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/
http://researchcenter.paloaltonetworks.com/2015/09/malware-xcodeghost-infects-39-ios-apps-including-wechat-affecting-hundreds-of-millions-of-users/
No, really, it's just the Chinese version of Angry Birds II:
https://support.rovio.com/hc/en-us/articles/210094088-Is-Angry-Birds-2-infected-with-malware-
What Xcode is:
https://developer.apple.com/xcode/



WHAT THIS IS ABOUT: With the arrival of iOS 9 for Apple mobile devices, the computer security press seems extraordinarily focused on an (oldish) security hole in AirDrop, a Bluetooth tool for sharing files. The vulnerability allows an attacker to install malicious software onto an iDevice with AirDrop turned on. This is a real problem, but since AirDrop is turned off by default, I'm rating this at 3.5 Ackbars.

WHO SHOULD READ THIS:
Folks with newer iPhones, iPads, and other iThings. Older iThings may not be able to run AirDrop.
AirDrop for Lion, Mountain Lion, Mavericks, Yosemite, and El Capitan (coming soon) may be affected.
Windows users are not affected.

WHAT YOU SHOULD DO: Confirm that you have AirDrop turned off.

* Instructions for Mobile Devices:
If your iThing is running iOS 6 or older, STOP; you cannot run AirDrop and you're safe.
If your iThing is one of the following:
  + iPhone 4 or older;
  + iPad 3rd generation or older;
  + iPod touch 4th generation or older
STOP; your device cannot run AirDrop and you're safe.
If your device can run AirDrop, confirm that it's turned off:
  1. Turn on your device.
  2. Swipe up from the bottom of the screen to show the Control Center.
  3. Tap AirDrop (if you see no AirDrop icon, your device can't run it: Yay!).
  4. Choose OFF to turn AirDrop off (if it isn't already).

* Instructions for the Apple Macintosh Operating System:
  1. Start your computer.
  2. Click on the double-faced Finder icon in the task bar; a Finder window should appear.
  3. On the left-hand side, in the FAVORITES column, click on the AirDrop option; an AirDrop icon should appear.
  4. AirDrop for Macintosh requires Wi-Fi; your UO office Macintosh should be connected to the UO network through an Ethernet cable. Turning off Wi-Fi will turn off AirDrop.
  5. If for some reason you must use Wi-Fi, you can mitigate AirDrop by selecting "Allow me to be discovered by: NO ONE".

ADDITIONAL INFORMATION for the Technically Curious: This isn't exactly a new security flaw, as pranksters and stalkers have been using AirDrop maliciously to deliver funny or disturbing photos to targets for a while. The more cynical part of me notes that the articles (springing up today) about AirDrop include the news that updating to iOS 9 (also released today) supposedly fixes this security hole (it doesn't completely). However, the new twist appears to be that someone's figured out how to deliver malware via AirDrop in addition to unwanted pictures.
AirDrop for OS 10.7 (Lion) and above:
https://support.apple.com/en-us/HT202267
AirDrop for mobile devices:
https://support.apple.com/en-gb/HT204144
Ars Technica Article:
http://arstechnica.com/security/2015/09/apple-mitigates-but-doesnt-fully-fix-critical-ios-airdrop-vulnerability/
The Register Article:
http://www.theregister.co.uk/2015/09/16/airdrop_hole_malware_pre_ios_9/



WHAT THIS IS ABOUT: Don't panic. This is merely a PSA. The latest operating system for Apple mobile devices, iOS 9, will be released this morning (9/16/2015) at 10.
WHO SHOULD READ THIS: Users with iPhones, iPads, iPods, and other iThings.
WHAT YOU SHOULD DO: Resist the urge to jump on the update bandwagon the microsecond iOS 9 appears. Major iOS changes tend to have a handful of bugs (er, "features!") that can range from the annoying (new gestures for e-mail!) to the really painful (but I just charged the battery!), and it's always a good idea to wait a week or two for the early adopters to discover the hidden gotchas.
ADDITIONAL INFORMATION for the Technically Curious: Generally, reviewers love the new iOS; folks with older iPads and iPhones may not have the hardware to take advantage of some of the super-cool features of iOS 9.
Ars Technica's Review of iOS 9: http://arstechnica.com/apple/2015/09/ios-9-thoroughly-reviewed/1/
Cult of Mac's Love Letter to iOS 9: http://www.cultofmac.com/388770/ios-9-review-all-about-speed/



WHAT THIS IS ABOUT: Don't panic: This is merely a PSA about following links to shady sites.
WHO SHOULD READ THIS: Everyone who uses the web or e-mail.
WHAT YOU SHOULD DO: If you are reading an e-mail or a web page, and as you hover your mouse's cursor over a link the web address ends in one of the following domains:
  .zip .review .country .kim .cricket .science .work .party .gq .link
then, Gentle Reader, stay your mouse's click; the link is almost certainly going to take you to the shady side of the web where malware bots, spammers and phishers ply their unwholesome wares and lay their tangled snares. So, for example, if one is urged to update one's UO account password by following the link to accounts.uoregon.link, then you know It's A Trap. Likewise, if the Transylvania Polygnostic University is asking you to take a look at a call for papers at www.tpu.review, think before you click.
ADDITIONAL INFORMATION for the Technically Curious:
http://arstechnica.com/security/2015/09/many-new-top-level-domains-have-become-internets-bad-neighborhoods/
http://arstechnica.com/business/2011/06/icann-approves-plan-to-vastly-expand-top-level-domains/
http://www.theregister.co.uk/2015/09/03/blue_coat_domain_report/
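The "look at where the link really goes" check above, written out as a small screener (an added example, not code from the original announcement). The TLD list is the one given above; TRUSTED_DOMAINS and the sample message are assumptions constructed for the example.

```python
"""Link screening for the shady-TLD advice above.

Added example, not part of the original announcement. The TLD list is the
one the announcement gives; TRUSTED_DOMAINS and SAMPLE_MESSAGE are
assumptions constructed for this example.
"""
import re
from urllib.parse import urlsplit

# TLDs the announcement lists as the web's bad neighbourhoods.
SHADY_TLDS = {"zip", "review", "country", "kim", "cricket",
              "science", "work", "party", "gq", "link"}

# Domains a UO reader would expect a genuine campus link to live under
# (assumption: only uoregon.edu is named on the page).
TRUSTED_DOMAINS = {"uoregon.edu"}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def registrable_domain(host: str) -> str:
    """'accounts.uoregon.link' -> 'uoregon.link'.

    Last two labels only, which is fine for the single-label TLDs on this
    page. A production checker would consult the Public Suffix List so
    that cases such as .co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> tuple[bool, str]:
    """Classify one hovered link. Returns (suspicious, reason)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return True, "link has no host name"
    domain = registrable_domain(host)
    tld = domain.rsplit(".", 1)[-1]
    if domain in TRUSTED_DOMAINS:
        return False, f"link is under trusted domain {domain}"
    if tld in SHADY_TLDS:
        # The announcement's accounts.uoregon.link case: the familiar name
        # is only a subdomain; the registered domain is uoregon.link.
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host.split("."):
                return True, (f"'{brand}' used as bait on a .{tld} "
                              f"domain ({domain})")
        return True, f".{tld} is on the shady-TLD list ({domain})"
    return False, f"{domain} is not on the shady-TLD list"


def suspicious_links(text: str) -> list[tuple[str, str]]:
    """Every link in a message body that check_link flags, with the reason."""
    flagged = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")  # drop sentence punctuation glued to the URL
        suspicious, reason = check_link(url)
        if suspicious:
            flagged.append((url, reason))
    return flagged


# Constructed sample message built around the two cases the announcement gives.
SAMPLE_MESSAGE = """\
Your UO account password is expiring. Please update it at
https://accounts.uoregon.link/reset within 24 hours.
Transylvania Polygnostic University call for papers: http://www.tpu.review/cfp
The real password page is https://duckid.uoregon.edu/ and our phishing
guide is at https://it.uoregon.edu/phishing.
"""

if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_MESSAGE):
        print(f"SUSPICIOUS {url}: {reason}")
```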



WHAT THIS IS ABOUT: Don't panic. This is a PSA. (Cue picture of the Borg Cube Ship) Microsoft released Windows 10 on July 29. Don't upgrade to it just yet. There's no rush; it will be a free upgrade for several months.
WHO SHOULD READ THIS: Microsoft Windows Users.
WHAT YOU SHOULD DO: Wait. Don't hit that upgrade button. The Computer Center recommends folks wait until at least Aug 26, when McAfee is expected to release a Windows 10 compatible version of McAfee. Additional (ahem) issues include:
  + some Windows 10 opt-out settings that aren't checked by default,
  + privacy settings that aren't so private,
  + non-optional automatic updates that break other hardware drivers, and
  + some weirdness with e-mail.
ADDITIONAL INFORMATION: The news about Windows 10's release reads a little like a conspiracy theorist's dystopia novel. Or maybe a Microsoft Business Plan written by Kafka.
What Happens to Your Home WiFi Security when a Win10 User Logs in: https://grahamcluley.com/2015/08/windows-10-wifi/
Making Windows 10 Respect Your Privacy:
https://fix10.isleaked.com/
http://www.theregister.co.uk/2015/08/03/windows_10_privacy_defaults/
Windows 10 Doesn't Use Child Accounts: http://www.theregister.co.uk/2015/08/05/windows_10_wipes_child_safety_settings_upgrade/
Random Bug Complaints: http://www.theregister.co.uk/2015/07/29/windows_10_bug_alert_start_menu_breaks_512_entries/
That Auto-update Driver problem:
http://www.theregister.co.uk/2015/07/28/windows_10_update_nvidia_driver_conflict/
https://grahamcluley.com/2015/07/windows-10-borked-automatic-updates-nvidia-drivers/
http://www.cnet.com/news/microsoft-fixes-windows-10-crash-bug-ahead-of-july-29-launch/



WHAT THIS IS ABOUT: Sigh. Once again, Evil People are sending phishing e-mails to University of Oregon.
WHO SHOULD READ THIS: Everyone. Knowledge is Power.
WHAT YOU SHOULD DO: Fidite Nemini. Trust no one. If you get a message about your "webmail expiration summary update," delete it unread. Do not follow any links in the e-mail; the link goes to a PHP script, which may or may not try to install malicious software onto your computer.
ADDITIONAL INFORMATION: The Computer Center has this guide on phishing: https://it.uoregon.edu/phishing
A breakdown of the message follows.
    Dear Subscriber,
The Computer Center has access to your e-mail address, UO ID, and name. It would be trivial for them to program a customized greeting to you. Yet this message uses the generic "Dear Subscriber". At the very least, they would have said something like "Hey Awesome Duck Subscriber!"
    Welcome to your uoregon.edu webmail expiration summary update from IS Technology Service Desk.
Welcome to your update? Welcome to your "webmail expiration summary update"? What does this even mean? The author is trying to sound official by using big words. "...from IS Technology Service Desk": the missing "the" after "from" could be a simple dropped word, but could also be a sign the author is really an Evil Foreign Hacker.
    Please visit this link [link redacted] to renew your webmail subscription today.
Points for using "please," but a legitimate message would have shown the actual link instead of using "this link". Also, the link would have gone to something like https://duckid.uoregon.edu/ which A) uses the secure prefix https in the URL, B) links to a uoregon.edu web site instead of some unknown .com or .net site, and C) doesn't end in mail.php, which is a PHP script that could pass your computer all sorts of shady commands. Also . . . one does not subscribe or unsubscribe to webmail. Webmail is a service provided to all UO faculty, staff and students. The only way you can "unsubscribe" from it is to quit, be fired, die, drop out, graduate or retire. The author of this message hopes you will panic, your limbic reptile brain will kick in, and you'll follow the mystery link in a Skinnerian fashion.
    For additional information, contact UO Information Technology.
The author is trying to establish their authority. However, they've left out any form of contact for those of us wanting information. A real message would have included a link to techdesk@ithelp.uoregon.edu, or the phone number for the Tech Desk: 6-HELP. Also, there would have been a clear link to various semi-useful pages, like this one: https://it.uoregon.edu/email
    © UNIVERSITY OF OREGON. ALL RIGHTS RESERVED
I'm still not sure why phishing authors copyright their phishing attempts. It's not like they get royalties or anything. I can see that I and all the rest of the computer support techs are going to have to start copyrighting all of our electronic communications to keep rival techs from OSU from stealing our work.



WHAT THIS IS ABOUT: The technical press (and NPR) is abuzz with a security flaw, dubbed "Stagefright," in Android smart-phones which allows The Bad Guys to have their way with it (it also affects Firefox). There are no exploits in the wild yet, but this is a serious flaw. I'm giving this three Admiral Ackbars (I'd give it more if there were active exploits).
WHO SHOULD READ THIS:
  Android Smart-Phone users
  Firefox users on all computing platforms.
WHAT YOU SHOULD DO: Android Smart-Phone users should keep an eye out for firmware patches from the phones' manufacturers (which may take months, assuming any come out). Until then, there's not a whole lot you can do. Firefox users should update Firefox to the latest version (39 at the time of this writing, July 27, 2015).
ADDITIONAL INFORMATION for the Technically Curious:
Researchers' original paper (which reads a little like an advertisement for their security software): http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/
Ars Technica: http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/
Security Week: http://www.securityweek.com/critical-stagefright-vulnerabilities-expose-950-million-android-devices
NPR: http://www.npr.org/sections/alltechconsidered/2015/07/27/426613020/major-flaw-in-android-phones-would-let-hackers-in-with-just-a-text



WHAT THIS IS ABOUT: Three recent, critical, zero-day security exploits in Adobe Flash Player have caused the folks who make Firefox to block it. Because these are being actively exploited, I'd give this three Admiral Ackbars.
WHO SHOULD READ THIS:
  Folks who use Firefox.
  Folks who use Adobe Flash.
WHAT YOU SHOULD DO: Update all Adobe Software on your computers. Instructions for updating Adobe Flash Player are here: http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-08-07
ADDITIONAL INFORMATION:
Adobe's Statements (It's Patch Time Again! Don't Hate Us Because Our Software Is Full of Security Holes):
http://blogs.adobe.com/psirt/?p=1247
https://helpx.adobe.com/security/products/flash-player/apsb15-18.html
The Technical Press Calls for Flash Player's Head on a Silver Platter:
http://www.securityweek.com/adobe-patches-two-zero-day-vulnerabilities-flash-player
http://arstechnica.com/security/2015/07/once-again-adobe-releases-emergency-flash-patch-for-hacking-team-0-days
http://www.theregister.co.uk/2015/07/14/adobe_patch_tuesday
http://www.techspot.com/news/61353-mozilla-disables-flash-firefox-default-due-security-concerns.html
http://arstechnica.com/security/2015/07/firefox-blacklists-flash-player-due-to-unpatched-0-day-vulnerabilities
http://arstechnica.co.uk/information-technology/2015/06/google-chrome-will-soon-intelligently-block-auto-playing-flash-ads



WHAT THIS IS ABOUT: UO e-mail users have received a phishing attempt, directing them to an off-campus web site in the hope of harvesting UO usernames and passwords.
WHO SHOULD READ THIS: Everyone (sigh).
WHAT YOU SHOULD DO: If you received an e-mail message with a generic message along the lines that your login password will expire, trash it. Do not follow any links in the message. At the least, they'll take you to a site that will try to trick you into entering your username and password. At the worst, the rogue web page will try to hijack your web browser. If you did follow the link and give information about your account, please contact the University of Oregon Technology Service Desk immediately at techdesk@uoregon.edu or (541) 346-HELP (346-4357). More information is here: https://it.uoregon.edu/node/2019
ADDITIONAL INFORMATION for the Technically Curious: The UO Tech Desk has the following information:
https://it.uoregon.edu/phishing
https://it.uoregon.edu/node/4339
Here's what a REAL message from the UO Tech Desk looks like:
-----Original Message-----
From: authmail@uoregon.edu [mailto:authmail@uoregon.edu]
Sent: Sunday, June 21, 2015 1:09 AM
To: engl@uoregon.edu
Subject: [Duck ID] Password Nearing Expiration
This is a courtesy email to let you know that your Duck ID password for 'engl' will expire in 7 days. Once your password expires you will not be able to access Blackboard, the UO wireless network, email, or other services that require authentication. For this reason, you may wish to change your password before it expires.
To change your password, go to https://duckid.uoregon.edu and login with your username and expired password.
Please contact the Technology Service Desk if you have questions.
Information Services Technology Service Desk
(541) 346-4357
techdesk@uoregon.edu
And here's what a FAKE message looks like:
-------- Forwarded Message --------
Subject: Login Authentication
Date: Mon, 06 Jul 2015 13:45:42 +0000
From: MARTA PALACIN MEJIAS
To: Undisclosed recipients: ;
Dear (UO) University of Oregon Email User,
Your login password will expire in 48hrs. To avoid expiry, click the below UO Help Desk link, to authenticate your password immediately:-
Click link: REDACTED
UO Help Desk
Copyright 2015 University of Oregon. All Rights Reserved.
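The tells called out in this breakdown and in the earlier "webmail expiration summary update" breakdown, turned into a scorer and run over the REAL and FAKE messages quoted above (an added example, not part of the original announcements). The third sample is the webmail message with a constructed From header and a constructed stand-in for its redacted link.

```python
"""Phishing tells from the two breakdowns above: generic greeting, pressure
to act, no visible campus https link, a link that runs a .php script,
off-campus sender, no help-desk phone number.

Added example, not part of the original announcements. REAL and FAKE are the
messages quoted in the announcement; WEBMAIL is the earlier "webmail
expiration" message with a constructed From header and a constructed
stand-in URL for the link the announcement redacted.
"""
import re
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "uoregon.edu"
URL_RE = re.compile(r"""https?://[^\s"'<>\]]+""")
GENERIC_GREETINGS = ("dear subscriber", "dear user", "email user",
                     "dear customer")
URGENCY_RE = re.compile(r"\b(\d+\s*hrs?|immediately|today|urgent)\b", re.I)
PHONE_RE = re.compile(r"\(?\d{3}\)?[ -]\d{3}-\d{4}")


def on_campus(host: str) -> bool:
    """True for uoregon.edu and any host beneath it (not uoregon.edu.evil)."""
    host = host.lower()
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def score_message(headers: dict, body: str) -> tuple[int, list[str]]:
    """Return (number of tells, the tells) for one message."""
    tells = []
    sender = re.search(r"@([\w.-]+)", headers.get("From", ""))
    if not sender or not on_campus(sender.group(1)):
        tells.append("sender has no uoregon.edu address")
    if "undisclosed" in headers.get("To", "").lower():
        tells.append("sent to undisclosed recipients")
    first_line = body.strip().splitlines()[0].lower()
    if any(g in first_line for g in GENERIC_GREETINGS):
        tells.append(f"generic greeting: {first_line.strip()!r}")
    if URGENCY_RE.search(body):
        tells.append("pressure to act right now")
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(body)]
    if not urls:
        tells.append("asks you to click but shows no actual URL")
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not on_campus(host):
            tells.append(f"link leaves campus: {host}")
        elif parts.scheme != "https":
            tells.append(f"campus link without https: {url}")
        if parts.path.lower().endswith(".php"):
            tells.append(f"link runs a script: {parts.path}")
    if not PHONE_RE.search(body):
        tells.append("no help-desk phone number")
    return len(tells), tells


# The genuine Duck ID notice quoted in the announcement.
REAL_HEADERS = {"From": "authmail@uoregon.edu [mailto:authmail@uoregon.edu]",
                "To": "engl@uoregon.edu",
                "Subject": "[Duck ID] Password Nearing Expiration"}
REAL_BODY = """This is a courtesy email to let you know that your Duck ID password for 'engl' will expire in 7 days. Once your password expires you will not be able to access Blackboard, the UO wireless network, email, or other services that require authentication. For this reason, you may wish to change your password before it expires.
To change your password, go to https://duckid.uoregon.edu and login with your username and expired password.
Please contact the Technology Service Desk if you have questions.
Information Services Technology Service Desk (541) 346-4357 techdesk@uoregon.edu"""

# The fake "Login Authentication" message quoted in the announcement.
FAKE_HEADERS = {"From": "MARTA PALACIN MEJIAS", "To": "Undisclosed recipients: ;",
                "Subject": "Login Authentication"}
FAKE_BODY = """Dear (UO) University of Oregon Email User,
Your login password will expire in 48hrs. To avoid expiry, click the below UO Help Desk link, to authenticate your password immediately:-
Click link: REDACTED
UO Help Desk
Copyright 2015 University of Oregon. All Rights Reserved."""

# The earlier webmail message; From header and link are constructed stand-ins.
WEBMAIL_HEADERS = {"From": "IS Technology Service Desk <noreply@example.net>"}
WEBMAIL_BODY = """Dear Subscriber,
Welcome to your uoregon.edu webmail expiration summary update from IS Technology Service Desk.
Please visit this link http://webmail-update.example.net/mail.php to renew your webmail subscription today.
For additional information, contact UO Information Technology.
(c) UNIVERSITY OF OREGON. ALL RIGHTS RESERVED"""

if __name__ == "__main__":
    for name, hdr, body in (("REAL", REAL_HEADERS, REAL_BODY),
                            ("FAKE", FAKE_HEADERS, FAKE_BODY),
                            ("WEBMAIL", WEBMAIL_HEADERS, WEBMAIL_BODY)):
        n, tells = score_message(hdr, body)
        print(f"{name}: {n} tells", *tells, sep="\n  ")
```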

Discussion Contrasting and Comparing the Authentic and Fake E-mails:



WHAT THIS IS ABOUT: Adobe has released an emergency patch for a critical zero-day in the Flash Player. Flash Player is software that allows animation on web pages to run, and is frequently targeted by The Bad Guys. Exploits for the flaw are limited but active, and I'd rate this at two-and-a-half Admiral Ackbars.
WHO SHOULD READ THIS:
  Windows users with Adobe Flash Player installed.
  Macintosh users with Adobe Flash Player installed.
WHAT YOU SHOULD DO: Go here: https://www.adobe.com/software/flash/about/ This is a page which will tell you which version (if any) of the Flash Player you have installed. You may need to authorize the player to run when the page comes up. If you have Adobe Flash Player installed, as of June 24, 2015 it should be version
The Adobe Flash Player's poor security track record makes it a preferred target for The Bad Guys; you may wish to uninstall it and see if you miss it. That said, depending on which browser and what type of computer you use, do one of the following:
ALL CHROME and INTERNET EXPLORER USERS: If you use Chrome or Microsoft Internet Explorer to browse the web, update your browser to automatically install the latest Flash update.
WINDOWS FIREFOX USERS: If you use Firefox to browse the web then:
  1. Go here: https://get.adobe.com/flashplayer/
  2. UNSELECT the insidious bloatware option (usually an offer for McAfee).
  3. Double-check that you've unselected the unwanted software, then click on the yellow INSTALL NOW button.
  4. Follow the prompts.
MACINTOSH USERS:
  1. Go to the APPLE MENU.
  2. Choose SYSTEM PREFERENCES.
  3. Click on the FLASH PLAYER icon (in the bottom row). If there is no Flash Player icon, stop.
  4. Click on the UPDATES tab (second from the right).
  5. SELECT "Allow Adobe to install updates (recommended)."
  6. Click on the CHECK NOW button.
  7. Close the System Preferences Window.
ADDITIONAL INFORMATION for the Technically Curious:
Official Word from Adobe: https://helpx.adobe.com/security/products/flash-player/apsb15-14.html
The Researchers Who Discovered the Exploit: https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html
Ars Technica Article: http://arstechnica.com/security/2015/06/patch-early-patch-often-adobe-pushes-emergency-fix-for-active-0-day/
Cult-Of-Mac Article Extolling Readers to Ditch the Flash Player: http://www.cultofmac.com/327202/dump-flash-player-now-or-spend-the-rest-of-your-life-patching-it/



WHAT THIS IS ABOUT: This is a PSA: A special sequence of text characters sent to an Apple iPhone or iPad via a text messaging service will cause the device to crash. This is more of an annoyance than a security issue.
WHO SHOULD READ THIS:
  iPhone and iPad users.
  Macintosh users.
  Other users are not affected; this is a bug in Mac OS and iOS.
WHAT YOU SHOULD DO: The bug is in the software in the notification center which displays a new instant message's text. If you turn it off, there's no problem. On an iPhone or iPad:
  1. Tap the SETTINGS icon.
  2. Tap NOTIFICATIONS from the selection menu.
  3. Tap MESSAGES from the list that shows up.
  4. Scroll down a bit to SHOW PREVIEWS and turn it off.
This bug affects Macintoshes as well, but only under unlikely cut-and-paste circumstances.
ADDITIONAL INFORMATION:
http://www.intego.com/mac-security-blog/crash-text-message-iphone/
http://arstechnica.com/security/2015/05/beware-of-the-text-message-that-crashes-iphones/



WHAT THIS IS ABOUT: This is a PSA about a computer security problem called Venom. Venom has been around since 2004. There is no active exploit in the wild for this security flaw, so I'd rate this at Half a General Ackbar.
WHO SHOULD READ THIS: Anyone. This is an internet-wide problem.
WHAT YOU SHOULD DO: Don't panic when NPR covers this. There's not a whole lot the average user can do; but computer system administrators are probably freaking out a little. On the very, very low chance remote file storage services (e.g. Dropbox, GoogleDocs, Apple iCloud, etc.) are affected by this, you may wish to review important files and create local back-ups on a USB stick or other physical media you control.
ADDITIONAL INFORMATION for the Technically Curious: Venom is being hyped as "worse than Heartbleed." Probably this is not the case, but that hasn't stopped a security firm from designing a cool cobra logo for the security flaw. Venom works like this.

  1. A physical computer in a data center creates a virtual electronic copy of itself for users to use.
  2. Legacy software controlling the virtual floppy drive on the virtual machine has a buffer overflow error in it.
  3. The Bad Guys hide Evil Commands in the overflow which gives them control of the physical computer's operating system.
  4. Now they can do anything they'd like on the physical machine, like manipulate user files stored there.
Ars Technica article: http://arstechnica.com/security/2015/05/extremely-serious-virtual-machine-bug-threatens-cloud-providers-everywhere/
Techspot article: http://www.techspot.com/news/60662-venom-vulnerability-more-dangerous-than-heartbleed-targets-most.html
ZDnet article (with striking cobra photo): http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/
The original CrowdStrike report: http://venom.crowdstrike.com/



WHAT THIS IS ABOUT: Don't panic; there's some e-mail server reconfiguration going on. Many folks will not be affected.
WHO SHOULD READ THIS: Everyone who reads e-mail using a client such as Outlook, Thunderbird, or MacMail. Webmail users are not affected.
WHAT YOU SHOULD DO: Thursday morning (4/30) after 9 AM, if you discover that you can't send out e-mails, go to your e-mail client's configuration and make sure the setting for SMTP server is smtp.uoregon.edu, enable SSL, and set the port to 587. Information Services maintains a set of instructions for configuring e-mail clients here: https://it.uoregon.edu/set-up-email
ADDITIONAL INFORMATION for the Technically Curious: https://it.uoregon.edu/email-settings
======= Message from Information Services:
On the morning of March 24, IS staff changed the IP address for UO SMTP (smtp.uoregon.edu):
Old IP address:
New IP address:
For most users and most use cases, this change was not disruptive. However, we have received reports about several issues. We apologize for not having notified you in advance about this change.
If you have a device such as a printer, fax, or multifunction device that sends email, you may need to update the SMTP settings on the device itself, or on the firewall or filters you use to protect such devices.
Whenever possible, please use "smtp.uoregon.edu" rather than the IP address. That will avoid future disruptions if the IP address changes again. However, if you are unable to use "smtp.uoregon.edu" in configurations, please use the new IP address noted above.
The old IP address will be disabled in late April. In the meantime, when possible, we will be working to identify and contact anyone still using the old IP address.
This change to smtp.uoregon.edu is part of a broader, ongoing process of streamlining services. Unfortunately, this type of work causes occasional disruptions.
If you have any questions, please contact the Technology Service Desk (techdesk@uoregon.edu; 541-346-4357).
UO Technology Service Desk
Information Services
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk



WHAT THIS IS ABOUT: A flaw in an iOS software library can allow The Bad Guys to see private data used by certain apps. Don't panic; this flaw is not mobile operating system wide - it's an app-by-app flaw.
WHO SHOULD READ THIS:
  Users of Apple Mobile Devices: iPhone, iPad, iPod, etc.
  Macintosh Users are not affected (directly).
  Windows Users are not affected.
WHAT YOU SHOULD DO: There isn't a patch for this yet (although they're working on it). You should check the security of various apps installed on your iPhone or iPad, especially apps that send financial or other personal data:
  1. Start up your iThing.
  2. Tap the blue icon for the APP STORE.
  3. Along the bottom of the App Store screen, tap the PURCHASED icon; a list of purchased apps will appear.
  4. Make a note of the App name and its developer (i.e., Blogger, by Google, Inc). Or leave the list up and start up a browser on a different machine.
  5. Once you have the list, go to http://searchlight.sourcedna.com/lookup
  6. It's a little confusing, but type in the name of a developer in the blank text area (under the bold "iTunes Developer Name"). For example, you could type in "Oregon Community Credit Union".
  7. Once you've typed in the name of a company, press the SUBMIT button on the web page.
  8. A confirmation page will come up. It may display a list of similarly named companies; select the company you want. Press SUBMIT again.
  9. A new page will come up with a security report for the app's developer. (Apparently, Oregon Community Credit Union is in the clear.) If the apps that a company makes are vulnerable, you'll see a red button indicating so. If the company's software doesn't have this vulnerability, the page will indicate that, too.
A random sampling of apps:
  + Skype 1.4.1 and 1.5.0 (both older versions) are vulnerable.
  + Pinterest 4.3 and 4.5.1 (both older versions) are vulnerable.
  + Clash of Clans is not vulnerable.
  + SimpleNote, by Automattic, comes up with no report; but Wordpress, also by Automattic, is vulnerable.
If an app is vulnerable, you'll want to make sure you aren't making an in-app credit card purchase or using it to send banking information; keep an eye out for app upgrades.
ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS: From http://arstechnica.com/security/2015/04/critical-https-bug-may-open-25000-ios-apps-to-eavesdropping-attacks/ "the bug resides in AFNetworking, an open-source code library that allows developers to drop networking capabilities into their iOS and OS X apps. Any app that uses a version of AFNetworking prior to the just-released 2.5.3 may expose data that's trivial for hackers to monitor or modify, even when it's protected by the secure sockets layer (SSL) protocol. The vulnerability can be exploited by using any valid SSL certificate for any domain name, as long as the digital credential was issued by a browser-trusted certificate authority (CA)."
1,500 iOS apps have HTTPS-crippling bug: http://arstechnica.com/security/2015/04/1500-ios-apps-have-https-crippling-bug-is-one-of-them-on-your-device/
http://www.intego.com/mac-security-blog/ios-apps-data-vulnerability/
http://www.macrumors.com/2015/04/21/security-flaws-1500-ios-apps-rootpipe/
Security Tool for Reviewing iOS 8.3 Apps: https://sourcedna.com/blog/20150420/afnetworking-vulnerability.html
Other iOS 8.3 News:
Apple Releases iOS 8.3 With Emoji Updates, Wireless CarPlay, Space Bar UI Fix: http://www.macrumors.com/2015/04/08/apple-releases-ios-8-3/
iOS bug sends iPhones into endless crash cycle when exposed to rogue Wi-Fi: http://arstechnica.com/security/2015/04/ios-bug-sends-iphones-into-endless-crash-cycle-when-exposed-to-rogue-wi-fi/
http://www.engadget.com/2015/04/22/ios-ssl-flaw-skycure/
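What "any valid SSL certificate for any domain name" means in practice: the client checked that the certificate chained to a trusted CA but never that it was issued for the host being contacted. The model below (an added example, not AFNetworking's code) puts the flawed check next to the correct one; certificates are simplified records and the CA check is a stand-in flag.

```python
"""Model of the AFNetworking flaw quoted above: the client confirms that a
certificate chains to a browser-trusted CA but never that the certificate
was issued for the host it is talking to, so any CA-issued certificate
passes.

Added example; this is not AFNetworking's code. Certificates are simplified
records and the CA check is a stand-in flag; only the host-name step is
modelled in full.
"""
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject_cn: str
    san_dns: list = field(default_factory=list)  # Subject Alternative Names
    chains_to_trusted_ca: bool = True            # stand-in for chain validation


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison of one certificate name against the host.

    Exact match, or a wildcard that is the whole leftmost label and stands
    for exactly one label: *.bank.example matches api.bank.example but not
    bank.example or a.b.bank.example.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # only "*.domain.tld" style wildcards are accepted
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: Cert) -> list:
    """Names the certificate is valid for; SANs override the CN when present."""
    return cert.san_dns if cert.san_dns else [cert.subject_cn]


def verify_vulnerable(cert: Cert, host: str) -> bool:
    """The flawed check: a valid chain is treated as proof of identity."""
    return cert.chains_to_trusted_ca


def verify_fixed(cert: Cert, host: str) -> bool:
    """Chain validity AND a certificate name that matches the host."""
    if not cert.chains_to_trusted_ca:
        return False
    return any(dns_name_matches(name, host) for name in cert_names(cert))


if __name__ == "__main__":
    # Constructed: a certificate validly issued to some unrelated domain.
    other = Cert("other.example", ["other.example"])
    print("vulnerable check accepts it for bank.example:",
          verify_vulnerable(other, "bank.example"))
    print("fixed check accepts it for bank.example:",
          verify_fixed(other, "bank.example"))
```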



WHAT THIS IS ABOUT: Apple released an update for Mac OS 10.10 (Yosemite). Supposedly OS 10.10.3 closes a vulnerability affecting Macintoshes called Rootpipe, but it turns out it doesn't.
WHO SHOULD READ THIS:
  Macintosh Users using (or forced to use) Yosemite OS 10.10
  Macintosh Users interested in Rootpipe
  Windows users are not affected
WHAT YOU SHOULD DO: Users of Mac OS 10.10 (Yosemite) may wish to apply software updates and bring the system to 10.10.3. Doing so will enable some features: Active Directory logins are fixed, some video drivers will actually work, and some cable connectivity is gained. It will also change the interface for iPhoto (thanks, Apple). Although there were high hopes for a fix for Rootpipe, this is not the case. If you wish to update:
  1. Go to the APPLE menu.
  2. Choose APP STORE.
  3. Click on the blue UPDATES icon; there will be a pause as the Macintosh downloads updates.
  4. Install any updates.
ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS: John's Commentary on the Macintosh Operating System: My comments from six months ago are here: http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-10-29 and they haven't changed. Apple is in the process of abandoning its older OS's, but until there's a real fix for Rootpipe, there's no compelling reason to upgrade from OS 10.8 (Mountain Lion) or OS 10.9 (Mavericks).
Discovered last October, the Rootpipe flaw essentially allows a hidden backdoor to be created on a particular system, opening up root access of a computer to a hacker after they obtain local privileges on the device (i.e. they have to sit down at the keyboard to take advantage of this flaw). Physical access or previously granted remote access to the target machine is required in order for the vulnerability to be exploited.
https://truesecdev.wordpress.com/2015/04/21/os-x-10-10-3-still-vulnerable/
https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/
Macintosh OS 10.10 (Yosemite): Latest version of OS X closes backdoor-like bug (But Not Really):
http://www.intego.com/mac-security-blog/os-x-yosemite-still-vulnerable-to-rootpipe-attacks/
http://arstechnica.com/security/2015/04/latest-version-of-os-x-closes-backdoor-like-bug-that-gives-attackers-root/
http://www.techspot.com/news/60443-apple-rootpipe-security-vulnerability-prevalent-following-patch-researchers.html
Apple Releases OS X 10.10.3 Supplemental Update With Video Driver Fix: http://www.macrumors.com/2015/04/16/apple-10-10-3-supplemental-update/
OS X 10.10.3 Now Supports Dell's Dual-Cable 5K Monitor: http://www.macrumors.com/2015/04/13/os-x-10-10-3-dell-5k/
OS X 10.10.3 With All-New Photos App: http://www.macrumors.com/2015/04/08/os-x-10-10-3-photos-app-launching-today/
Rootpipe Backdoor Flaw Not Going to be Patched on Older Versions of OS X: http://www.intego.com/mac-security-blog/rootpipe-backdoor-flaw-no-patch/



WHAT THIS IS ABOUT: Microsoft has recently released some security patches which close several security holes.
WHO SHOULD READ THIS:
  Folks using Windows 7.
  Macintosh Users running Microsoft Office.
WHAT YOU SHOULD DO:
Windows Users: Run Windows Update, following the instructions here: https://casitdocs.uoregon.edu/display/PUB/How+to+use+Windows+Update
Macintosh Users:
  1. Save and close any documents. Make sure to close any web browsers.
  2. Start Microsoft Word. It's possible that the Microsoft AutoUpdate tool will launch. If the AutoUpdate tool does not automatically launch, go to Word's HELP menu and choose CHECK FOR UPDATES.
  3. Once the AutoUpdate tool launches, let it install updates. Click INSTALL; there will be a pause.
  4. The AutoUpdate tool should launch an Update Installer; it will guide you - follow the prompts to install.
  5. Eventually, the update should install successfully. Click OK to close the success message.
  6. The AutoUpdate tool should auto-run one more time to check for any more updates. Keep going until the AutoUpdate Tool says there are no new updates.
ADDITIONAL INFORMATION:
Description of the MS Office for Mac 2011 14.4.9 Update (April 14): https://support.microsoft.com/en-us/kb/3051737
Microsoft Security Updates:
https://technet.microsoft.com/en-us/library/security/ms15-032.aspx
https://technet.microsoft.com/en-us/library/security/ms15-033.aspx
https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
https://technet.microsoft.com/en-us/library/security/ms15-035.aspx

Message from Sam Crow, of CAS-IT:
Please pass the following information along to your faculty and staff:
Microsoft has announced a critical security vulnerability that affects all computers running Microsoft Windows, versions 7 and 8. Apple computers running OS X are not affected unless Windows is running on those machines, in any form. To address the vulnerability, Microsoft has released a patch that must be applied through Windows Update. After Windows Updates have been applied, restarting the computer is required. Your machine may have automatic updates installed, but the above process is required.
Instructions for updating Windows can be found here: http://goo.gl/MHcjEp
If you need further assistance, or have further questions, please contact CASIT at casit@uoregon.edu, or 346-2388.
More information on the vulnerability can be found here: http://goo.gl/MsDKIj
Thank you,
--
Sam Crow, Help Desk Manager, CASIT
College of Arts and Sciences IT Support Services
University of Oregon



WHAT THIS IS ABOUT: Lenovo, a computer manufacturer, in a move that seems inspired by Star Trek Ferengis, has admitted to pre-installing Superfish, a piece of man-in-the-middle adware, on some of its computer models. This makes secure web use insecure.

WHO SHOULD READ THIS: Folks who have purchased Lenovo computers over the last two years. Other computers are not at risk.

[Update from Ars Technica: Lenovo has released a list of models that may have had Superfish installed.
G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
Y Series: Y430P, Y40-70, Y50-70
Z Series: Z40-75, Z50-75, Z40-70, Z50-70
S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
E Series: E10-30]

WHAT YOU SHOULD DO: If you have a newly purchased Lenovo computer, visit this site: https://filippo.io/Badfish/ If your Lenovo computer has Superfish on it, the report will tell you.

If Superfish is on your Lenovo, you can try to uninstall it. From: https://forums.lenovo.com/t5/Lenovo-P-Y-and-Z-series/Removal-Instructions-for-VisualDiscovery-Superfish-application/ta-p/2029206

** Uninstalling Superfish Visual Discovery
1. Go to Control Panel > Uninstall a Program
2. Select Visual Discovery > Uninstall
Superfish will be removed from the Program Files and Program Data directories; files in the user directory will stay intact for privacy reasons. The registry entry and root certificate will remain as well. The Superfish service will stop working as soon as it is uninstalled via the above process and following a reboot.

However, this procedure will not remove the bogus security certificates Superfish installs.

To remove the bogus security certificates, PC-World suggests the following (http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html):
1. Press Windows key + R on your keyboard to bring up the Run tool.
2. Search for certmgr.msc to open your PC's certificate manager.
3. Click on "Trusted root certificate authorities" in the left-hand navigation pane, then double-click "Certificates" in the main pane. A list of all trusted root certificates will appear.
4. Find the Superfish entry, then right-click on it and select "Delete."

Users may wish to review Microsoft's Guide to Removing Bogus Security Certificates: http://support.microsoft.com/kb/293819

ADDITIONAL INFORMATION: What makes this particular pre-install troubling is that it breaks security on web browsing. Superfish looks at what you're doing on the web by using its own web security certificates and then serves up competing ads. Possibly cool if you're shopping for cars, not so cool if you're doing online banking. Lenovo and Superfish probably aren't looking at your banking, but by breaking web security with bogus security certificates, they make it easier for Bad Guys.

Review of Superfish and Steps Needed to Cleanse It: http://www.tripwire.com/state-of-security/security-data-protection/superfish-lenovo-adware-faq/
Microsoft's Guide to Removing Bogus Security Certificates: http://support.microsoft.com/kb/293819
Technical Ars Technica Article on Lenovo and Superfish: http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
Lenovo's Official Statement and Protestation That It Wants What's Best For Customers: http://news.lenovo.com/article_display.cfm?article_id=1929
Ars Technica Plays the Wounded Computer User Card: http://arstechnica.com/security/2015/02/lenovo-honestly-thought-youd-enjoy-that-superfish-https-spyware/
Other Technical Press Coverage:
http://www.engadget.com/2015/02/19/lenovo-superfish-adware-preinstalled/
http://www.forbes.com/sites/thomasbrewster/2015/02/19/superfish-need-to-know/
http://www.pcworld.com/article/2886357/lenovo-preinstalls-man-in-the-middle-adware-that-hijacks-https-traffic-on-new-pcs.html
http://www.pcworld.com/article/2886278/how-to-remove-the-dangerous-superfish-adware-presintalled-on-lenovo-pcs.html
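A scripted version of the "find the Superfish entry in the trusted roots" step, as an added example that is not part of this announcement or of any Lenovo or PC-World tooling: it enumerates the root certificates the local system trusts through Python's ssl module and flags any whose subject matches a watch-list. The watch-list pattern, the Organization string "Superfish, Inc." and the sample store are assumptions made for the demonstration.

```python
"""Scan trusted root certificates for suspicious issuers such as Superfish.

Added example, not part of the original announcement. On Windows,
load_default_certs() reads the same "Trusted Root Certification Authorities"
store that certmgr.msc shows; on other systems it reads the OS CA bundle.
"""
import re
import ssl

# Watch-list of issuer names to flag. "Superfish" is named in the
# announcement; matching is case-insensitive and loose on purpose.
SUSPECT_PATTERNS = (r"superfish",)


def subject_to_text(subject):
    """Flatten ssl's nested subject tuple into 'key=value, key=value'."""
    parts = []
    for rdn in subject:
        for key, value in rdn:
            parts.append(f"{key}={value}")
    return ", ".join(parts)


def find_suspect_roots(certs, patterns=SUSPECT_PATTERNS):
    """Return [(subject_text, serial)] for certs matching any pattern.

    `certs` is a list of dicts shaped like SSLContext.get_ca_certs() output,
    e.g. {'subject': ((('organizationName', 'X'),), ...), 'serialNumber': ..}.
    """
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    hits = []
    for cert in certs:
        text = subject_to_text(cert.get("subject", ()))
        if any(rx.search(text) for rx in compiled):
            hits.append((text, cert.get("serialNumber", "?")))
    return hits


def scan_system_roots(patterns=SUSPECT_PATTERNS):
    """Load the roots this system trusts and scan them.

    Best effort: the ssl module only reports CAs it could actually load from
    the OS store or bundle, so an empty result is 'nothing found', not proof.
    """
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return find_suspect_roots(ctx.get_ca_certs(), patterns)


# Constructed sample store for offline testing: one ordinary-looking root and
# one mimicking the Superfish root. All values here are made up.
SAMPLE_STORE = [
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root CA"),)),
     "serialNumber": "01"},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Superfish, Inc."),),
                 (("commonName", "Superfish, Inc."),)),
     "serialNumber": "ABCDEF"},
]

if __name__ == "__main__":
    print("sample store hits:", find_suspect_roots(SAMPLE_STORE))
    print("system roots matched:", scan_system_roots() or "none")
```

A hit only tells you the certificate is present; removing it is still the certmgr.msc step above.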



WHAT THIS IS ABOUT: This is a PSA.

WHO SHOULD READ THIS: Folks with iOS or Android Mobile Devices

WHAT YOU SHOULD DO: Microsoft Outlook for iOS and Android has some security flaws which expose a user's private data. The folks at McKenzie Hall recommend against installing the mobile version of MS Outlook.

ADDITIONAL INFORMATION for the Technically Curious:

From: deptcomp-bounces@lists.uoregon.edu
Sent: Friday, February 06, 2015 1:31 PM
To: UO IT Directors; Departmental Computing
Subject: deptcomp: Security concerns about Outlook for iOS and Android

Microsoft released Outlook for iOS and Android in late January. We recommend against using these apps due to security concerns. Primarily, the current version of these apps store your username, password, and Outlook data in the cloud and it is unclear whether removing your account configuration from the application properly removes that data. A secondary security concern involves the apps' ability to save attachments to Dropbox, OneDrive, and Google Drive. The use of these cloud storage services becomes a security issue when sensitive data is saved to those services. This decision was made in consultation with Chief Information Security Officer Will Laney. If you have any questions, please contact security@ithelp.uoregon.edu. For more information, see the WindowsITPro article at http://windowsitpro.com/blog/worried-about-security-and-privacy-outlook-ios-and-android-heres-your-chance-debate-issues .

UO Technology Service Desk
Information Services
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk



WHAT THIS IS ABOUT: The latest operating system for Apple mobile devices, iOS 8, which has been out for the last four months, has reached a stable version.

WHO SHOULD READ THIS: Users with iPhones, iPads, iPods, and other iThings.

WHAT YOU SHOULD DO: For those of you still waiting to update to iOS 8.1.3, go ahead and update if you wish. I've updated my iPad2, model MC980LL/a, and smoke has not come out of it (yet). Folks with an original iPad, or with an iPad with less than 32 GB of memory, may have a less than optimal experience.

ADDITIONAL INFORMATION for the Technically Curious: Some observations:
* I had to go through my photos and videos and clear out things until a little over 5 GB was free on the iPad before I could update the iOS from 7 to 8.1.3.
* I've had one report of a newer iPad getting snagged at the user agreement form (the update was relatively painless for me).
* The update _really_ wants me to sign into iCloud. If I were sharing data between my iPad and other Apple devices, the allure would be stronger. I do not use iCloud because I'd like my files and photos to stay on a physical device in my control, and I like to know that someone hacking into my (non-existent) iCloud account can't maliciously wipe my iPad's contents.
* I have not gotten used to the text completion tool, which displays word suggestions along the top. I may turn it off so it's less intrusive.
* There is a slight but noticeable lag for some applications to start up.
* Safari's bookmarks on iOS 8.1.3 are moved around; they now show up by shrinking the web page you're looking at and appearing along the left-hand side of the browser's window.
* After iOS 8.3 was installed, I was required to re-enter my UO username and to log onto the less secure UOwireless, and then install a new security certificate from http://wireless.uoregon.edu before I could move forward to connecting automatically to UOSecure.

Ars Technica's In-Depth and Very Long Total Review of iOS8: http://arstechnica.com/apple/2014/09/ios-8-thoroughly-reviewed/
iOS8 Mail New Swipe Gestures: http://www.tuaw.com/2014/09/15/ios-8-mail-new-swipe-gestures/
Expect updating to take 20 to 120 minutes: http://www.gottabemobile.com/2014/09/16/how-long-will-the-ios-8-update-take/
Reasons Not to Update (just yet): http://www.gottabemobile.com/2014/09/16/iphone-6-nfc-limited-apple-pay/
Various iOS8 tips: http://www.gottabemobile.com/2014/09/16/which-iphone-6-we-bought-and-why/
The Cult of Mac's Articles on iOS8: http://www.tuaw.com/tag/ios8



WHAT THIS IS ABOUT: This is a PSA. A proof-of-concept exploit for a security issue with Microsoft Internet Explorer has been found. I'd give this Two Admiral Ackbars.

WHO SHOULD READ THIS: People who use Internet Explorer to surf the web. Other browsers are not affected.

WHAT YOU SHOULD DO: Don't panic. At the moment this is only a proof-of-concept. As usual, think twice before following links in e-mails. Folks may wish to switch to a different browser (e.g. Chrome or Firefox) for everyday web browsing.

ADDITIONAL INFORMATION for the Technically Curious: The proof-of-concept code tricks Internet Explorer into 1) displaying a valid URL in the browser's address bar and 2) allowing (evil) code written at one web site to be run on a (trusted) site. In other words, Explorer could be made to initially connect to your bank's web site, which it would display, and then display a rogue web form asking you for banking information. At the moment the Bad Guys have to trick users into visiting a maliciously designed web page to make this work, but the concern is that malvertising could prime Internet Explorer to serve phishing pages.

PC-World Article: http://www.pcworld.com/article/2879372/dangerous-ie-vulnerability-opens-door-to-powerful-phishing-attacks.html
Technical Demonstration: http://seclists.org/fulldisclosure/2015/Feb/0



WHAT THIS IS ABOUT: Adobe Flash Player has some security holes in it (again). One hole has been patched; another is still being exploited. [Editor's note: The second hole in Adobe Flash Player has been patched.]

WHO SHOULD READ THIS: People who use Adobe Flash Player to look at high-impact, rich web content.

WHAT YOU SHOULD DO: In each browser (Safari, Chrome, Internet Explorer, Firefox) on your machine, go to this web site http://helpx.adobe.com/flash-player.html and check to see if Flash is running for that browser. Follow the instructions on the web page if you want to update to the partially patched version of the Adobe Flash player.

More than one Computer Security Expert has bandied about the idea of disabling Adobe Flash over the next few days until the second security hole is patched. [Editor's Note: The second hole has been patched.] If you wish to do so, follow the browser-specific links in step 4 on the above Adobe web page, only (hang on to your looking glass!) DISABLE the Flash player instead of enabling it.

REMEMBER: Although version of the Adobe Flash player is the latest version, it still has a security hole in it; expect another patch from Adobe next week [which it was].

ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS:
Naked Security Article: https://nakedsecurity.sophos.com/2015/01/23/adobe-issues-emergency-fix-for-flash-zero-day/
Graham Cluley Article: http://grahamcluley.com/2015/01/running-adobe-flash-need-read-today/
Jargon-filled Technical Description of the Unpatched Flash Malware: http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
Adobe Announcement: http://blogs.adobe.com/psirt/?p=1166
http://arstechnica.com/security/2015/01/those-teeth-gnashings-you-hear-are-flash-users-installing-a-new-0day-patch/



WHAT THIS IS ABOUT: Oracle has released an update to Java which closes several security holes, including the POODLE security hole. The latest version is Version 8 Update 31.

WHO SHOULD READ THIS: Folks with Java installed on their computers (e.g. Banner users and Minecraft users)

WHAT YOU SHOULD DO: If you think you have Java but you're not sure, go here: https://www.java.com/en/download/installed8.jsp and click on the red button "Verify Java Version." It's possible the web browser will try to block Java from running; you may need to grant one-time-only permission for Java to run. After a short pause, the web page should tell you what version of Java is running. It should be Version 8 Update 31.

If you do not have Java installed on your machine, and you haven't missed it, then celebrate in the knowledge that you have a secure machine.

If you need to update, follow the link for updating. BE CAREFUL: Make sure to read the download instructions carefully so you do not inadvertently install the ASK search bar or sell family members to Oracle.

ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS:
A Simple Overview of Java: https://krebsonsecurity.com/2015/01/java-patch-plugs-19-security-holes/
The Macintosh operating system and Java don't always play well together: Macintosh users may wish to see https://www.java.com/en/download/faq/java_mac.xml
Oracle Technical Paper: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
Oracle on POODLE: http://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html



WHAT THIS IS ABOUT: Don't Panic! This is a PSA. Dropbox, a popular file sharing and synchronization service, has announced that it will drop support for Macintosh users using OS X Leopard (OS 10.5) and earlier. This shouldn't be too surprising, as Apple dropped support for OS X Snow Leopard (OS 10.6), a newer operating system, last year.

WHO SHOULD READ THIS: Folks running Snow Leopard (OS 10.6) or older on their Macintoshes. Folks running Lion (OS 10.7) or newer are not affected. Windows users are not affected.

WHAT YOU SHOULD DO: Dropbox users with older Macintosh operating systems will be unable to use the desktop application to sync files. The options are:
* Use Dropbox's web interface, or
* Update the Macintosh operating system (if possible).

ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS:
Cult of Mac announcement: http://www.cultofmac.com/309519/love-dropbox-time-upgrade-mac/
Official Dropbox announcement: https://www.dropbox.com/help/8058
Some thoughts on upgrading older Mac operating systems: http://pages.uoregon.edu/burridge/TechAnnouncements.php#2013-10-29
Old announcement about Snow Leopard (OS 10.6): http://www.computerworld.com/s/article/9246609/Apple_retires_Snow_Leopard_from_support_leaves_1_in_5_Macs_vulnerable_to_attacks



WHAT THIS IS ABOUT: Don't panic (much). Computer security experts have discovered a security hole, dubbed "Misfortune Cookie," in many home routers which could allow the Bad Guys to read all the data you send to your bank, your mobile devices, your home internet-connected thermostat, webcams, or your toaster. There's no firm evidence of active exploits, so this is at Two Admiral Ackbars, but the worry is that cyber crooks will exploit the Bad Fortune flaw for identity theft.

WHO SHOULD READ THIS: Everyone with an internet router (typically, the box that connects to a DSL modem and allows multiple computing devices to connect to the internet and each other) at home.

WHAT YOU SHOULD DO: Don't panic when this hits the general press. This is a manufacturing error in certain routers which has existed since 2002; at this time there's not a whole lot you can do until firmware updates for your home router are released.
1. Look at the router and write down the manufacturer and model.
2. Go to this PDF: http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf If your router is listed, then it's vulnerable. If it isn't listed, you've (probably) dodged the bullet.
3. If your router is listed, check the manufacturer's web site for instructions about any upgrades they may have issued.

** Some Technical Work-Arounds:
* When web browsing, make sure to use https:// in web addresses to encrypt web communications.
* Encrypt sensitive data to prevent files from being read if they are stolen via the Misfortune Cookie exploit.
* Extra-credit problem: If you can connect to your home router's web page and can navigate to its configuration page, look for which version of RomPager is running. RomPager v4.34 or higher does not have this flaw.

ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS: The specific security hole is with RomPager, software baked into routers to provide easy, web-based access to home routers. By sending a malicious HTTP cookie to the router, the Bad Guys can take it over.

Technical information about RomPager: https://www.allegrosoft.com/embedded-web-server
The Official Misfortune Cookie Website: http://mis.fortunecook.ie/
A quick primer on what a "residential gateway" is and other networking terms: http://en.wikipedia.org/wiki/Residential_gateway
The Computer Security Press Goes Wild:
Security Week Summary: http://www.securityweek.com/misfortune-cookie-vulnerability-exposes-millions-routers
Ars Technica's More Detailed Summary: http://arstechnica.com/security/2014/12/12-million-home-and-business-routers-vulnerable-to-critical-hijacking-hack/
The Register's Regurgitation of Check Point's claims: http://www.theregister.co.uk/2014/12/18/misfortune_cookie/
PC World: http://www.pcworld.com/article/2861232/vulnerability-in-embedded-web-server-exposes-millions-of-routers-to-hacking.html
http://www.pcworld.com/article/2861713/dangerous-misfortune-cookie-flaw-discovered-in-12-million-home-routers.html
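The extra-credit RomPager version check, as an added Python example that is not part of the announcement or of Check Point's or Allegro's tooling: it pulls the version out of a router's reported server string and compares it numerically against the 4.34 threshold the announcement gives. That the version appears in the HTTP "Server" header, the vendor-prefixed "Allegro-Software-RomPager/" form, and the sample inventory are assumptions.

```python
"""Classify routers as fixed or vulnerable from their RomPager version.

Added example, not from the original announcement. The announcement states
that RomPager v4.34 or higher does not have the Misfortune Cookie flaw.
Versions are compared as tuples of integers so that 4.7 (older) is not
mistaken for being newer than 4.34, as a plain string comparison would do.
"""
import re

FIXED_VERSION = (4, 34)  # from the announcement: v4.34 or higher is fixed

# Matches "RomPager/4.07" and vendor-prefixed forms such as
# "Allegro-Software-RomPager/4.34" (the prefixed form is an assumption).
_ROMPAGER_RE = re.compile(r"RomPager/(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_rompager_version(server_string):
    """Return the RomPager version as a tuple of ints, or None if absent."""
    match = _ROMPAGER_RE.search(server_string or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def rompager_status(server_string):
    """Classify one server string: 'vulnerable', 'fixed' or 'not-rompager'."""
    version = parse_rompager_version(server_string)
    if version is None:
        return "not-rompager"
    # Tuple comparison is numeric per component: (4, 7) < (4, 34).
    return "fixed" if version >= FIXED_VERSION else "vulnerable"


def triage(server_strings):
    """Map {device label: server string} to {device label: status}."""
    return {label: rompager_status(s) for label, s in server_strings.items()}


# Constructed sample inventory; labels and strings are made up for the demo
# (the "Server" header is one assumed place such a string would be seen).
SAMPLE_INVENTORY = {
    "home-dsl-router": "RomPager/4.07 UPnP/1.0",
    "office-gateway": "Allegro-Software-RomPager/4.34",
    "old-modem": "RomPager/4.7",
    "nas-box": "Apache/2.4.10 (Unix)",
}

if __name__ == "__main__":
    for label, status in triage(SAMPLE_INVENTORY).items():
        print(f"{label:18s} {status}")
```

A "fixed" result only means the version is past the threshold the announcement names; the vendor's own advisory is still the authority for a given model.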



WHAT THIS IS ABOUT: John Burridge gives his Macintosh operating system advice: Macintosh users should stay with OS 10.7 (Lion), OS 10.8 (Mountain Lion), or OS 10.9 (Mavericks) and put off updating to OS 10.10 (Yosemite) for the next four to six months.

WHO SHOULD READ THIS: Macintosh Users. Windows Users are unaffected.

WHAT YOU SHOULD DO: Go to the Apple Menu. Choose About This Mac. A window should pop up. In big bold letters, you should see the words "OS X"; look underneath this for a version number (it will start with 10).

** Version 10.6.something or older (Snow Leopard or older)

Apple no longer supports these versions of the operating system. This means that security vulnerabilities have not been addressed and some newer programs may not be able to run. If possible, consider upgrading to Mac OS 10.7. If upgrading is not an option because the Macintosh's hardware will not support it, consider retiring the machine or sequestering it from the internet.

** Version 10.7.something (Lion)

Although this is an older version of the Mac OS, it's fine to use for now; be aware that probably sometime in 2015, Apple will consign it to retirement and it will suffer the same fate as previous operating systems in terms of support and security.

** Version 10.8.something (Mountain Lion)

If the Macintosh is running OS 10.8, let it. This is the most stable version of the operating system currently released.

** Version 10.9.something (Mavericks)

If the Macintosh is running 10.9 (Mavericks), that's fine; aside from a few networking quirks and a few problems with initial incarnations (i.e. 10.9.0, 10.9.1), Mavericks appears to run well. Be sure that you're running the latest version, 10.9.5.

** Version 10.10 (Yosemite)

I recommend avoiding Yosemite at this time. There are some problems with WiFi and Mac Mail which may cause some Macintoshes to not run, and some privacy issues with the way 10.10 (Yosemite) shares user data with Apple. If you have a Macintosh running 10.10, it's not fatal, but be aware of the technical consequences. I expect that Apple will release updates over the next few months which will address problems.

Editor's Note: Even with the release of 10.10.1, I still recommend waiting until Apple has had a chance to shake out all the WiFi bugs still lurking in this update.

ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS:
Yosemite Memory Leak Problems Break MacMail: http://www.cultofmac.com/301031/os-x-yosemites-mail-app-mac-crashing-memory-hog/
Yosemite WiFi problems: http://nakedsecurity.sophos.com/2014/10/22/os-x-yosemite-wi-fi-problems-can-you-help-us-solve-them/
Yosemite iCloud Irks the Privacy Conscious: http://www.theregister.co.uk/2014/10/27/icloud_data_grab_irks_privacy_conscious/
Yosemite Leaks User Location and Search Results to Apple: http://www.hotforsecurity.com/blog/mac-os-x-yosemite-leaks-user-location-and-search-results-to-apple-10669.html
http://www.cultofmac.com/300301/keep-os-x-yosemite-sending-spotlight-data-apple/



WHAT THIS IS ABOUT: Computer security researchers have discovered a zero-day exploit in Microsoft Office. A maliciously crafted Office file (typically a PowerPoint presentation) will run malicious software when opened. I rate this threat at two and a half Admiral Ackbars, given that it requires opening an e-mail attachment and that it's easily mitigated.

WHO SHOULD READ THIS: Microsoft Office Users. Windows users. Macintosh users are not affected.

WHAT YOU SHOULD DO: Be very, very careful when opening Microsoft Office documents, especially surprise documents from someone you don't know very well. Windows users should go to this web page: https://support.microsoft.com/kb/3010060 and click on the faceless wrench-guy icon to apply the OLE packager shim workaround.

ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS: This particular attack uses a malicious Object Linking and Embedding (OLE) object. OLE objects allow Word, Excel, and other Office programs to share data between themselves (and Evil Programmers to take over your Windows computer).

Security Week Article: http://www.securityweek.com/windows-zero-day-exploited-targeted-attacks-through-powerpoint
The Register Article: http://www.theregister.co.uk/2014/10/22/powerpoint_attacks_exploit_ms_0day/
Hot for Security Article: http://www.hotforsecurity.com/blog/zero-day-remote-code-execution-flaw-disclosed-by-microsoft-workarounds-issued-10654.html
Security Intelligence Blog Article: http://blog.trendmicro.com/trendlabs-security-intelligence/microsoft-windows-hit-by-new-zero-day-attack/
National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6352



WHAT THIS IS ABOUT: Computer security researchers have discovered a new security vulnerability, dubbed Poodle, which could allow a Cyber Crook on the same network as the victim to gain control of the victim's web browsing and execute malicious code. This is a clunky attack using a deprecated security setting, so I'm giving it 2.5 Admiral Ackbars.

WHO SHOULD READ THIS: Everyone who reads web pages.

WHAT YOU SHOULD DO: Don't panic. There's really not a whole lot to be done at this time; the producers of web browsers will be updating their software over the next few weeks. All web users should make sure they are using the latest versions of Safari, Firefox, Chrome, and Internet Explorer.

ADDITIONAL INFORMATION for the TECHNICALLY CURIOUS: The Secure Sockets Layer (SSL) 3 protocol is a legacy way computers talk to each other securely; it is included in modern web browsers as a fall-back way to exchange information with web pages on legacy web servers. A Poodle attack works by tricking a web browser into using the old SSL 3 protocol, and then launching a man-in-the-middle exploit, which allows a nearby cyber-crook to control the web browsing session (insert web-mail and web banking fun here).

ADVANCED USERS may wish to turn off SSL 3 manually; this may be trickier than it seems, and may cause some older web sites to break. Caveat Lector.

Editor's Note: Here's a link to a friendlier set of instructions: http://nakedsecurity.sophos.com/poodle-some-tips-for-turning-off-ssl-3-0/

++ Internet Explorer:
1. Start Internet Explorer.
2. Go to the TOOLS menu.
3. Choose INTERNET OPTIONS.
4. Select the ADVANCED tab.
5. Scroll down to the Security section.
6. UNCHECK the options Use SSL 3.0 and Use SSL 2.0.
7. CHECK the options Use TLS 1.0, 1.1 and 1.2.
8. Click OK.
9. Restart Internet Explorer.

++ Firefox Users: Firefox should be safe from the Poodle attack after November 25. Mozilla has created an extension as a work-around. If you want to turn off SSL 3 in Firefox now, go here: https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/ and install the Add-On.

++ Chrome Users: Chrome users who just want to get rid of SSLv3 can use the command-line flag --ssl-version-min=tls1 to do so. Instructions for using this flag are here: http://www.chromium.org/for-testers/command-line-flags

++ Safari Users: As of this time, I am not finding a procedure for getting at the SSL settings in Safari.

NYTimes Article on the Poodle Security Flaw: http://bits.blogs.nytimes.com/2014/10/15/poodle-bug-marks-third-major-security-flaw-discovered-this-year/
Techspot Article on the Poodle Security Flaw: http://www.techspot.com/news/58436-google-discovers-ssl-30-vulnerability.html
Hot for Security Article on the Poodle Security Flaw: http://www.hotforsecurity.com/blog/ssl-3-0-poodle-flaw-opens-encrypted-data-to-eavesdropping-10524.html
Google's Article on the Poodle Security Flaw: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
Ars Technica Article on the Poodle Security Flaw: http://arstechnica.com/security/2014/10/ssl-broken-again-in-poodle-attack/
Twitter disables SSL: https://twitter.com/twittersecurity/status/522190947782643712
Mozilla Firefox Blog Entry on Poodle: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
Highly technical review of Poodle: https://www.openssl.org/~bodo/ssl-poodle.pdf
Technical Page from Microsoft: https://technet.microsoft.com/en-us/library/security/3009008.aspx
"Poodle with a Mohawk" Cartoon: http://seattletimes.com/html/thearts/2017750833_realcomet15.html



WHAT THIS IS ABOUT: Apple has released operating system patches for Shellshock (aka The Bash Bug), a vulnerability which allows Evil Ones to run any command they'd like on compromised computers.

WHO SHOULD READ THIS: Macintosh Users running
* OS 10.9 (Mavericks)
* OS 10.8 (Mountain Lion)
* OS 10.7 (Lion)
Macintosh Users running OS 10.6 or older have no patch available at this time. Windows Users are not affected.

WHAT YOU SHOULD DO: Depending on how fast the network connection is, this should take about ten minutes.
1. Save all work and close all programs. You'll need to be logged in as an administrator.
2. Go to the Apple Menu.
3. Choose ABOUT THIS MAC.
4. A dialog box should appear. Underneath the OS X text, there should be a version number (e.g. 10.9.5).
5. Make a note of the first two numbers (e.g. 10.9) and close the dialog box.
6. Follow the appropriate link for the Macintosh's operating system.
   OS 10.9 (Mavericks): http://support.apple.com/downloads/DL1769/en_US/BashUpdateMavericks.dmg
   OS 10.8 (Mountain Lion): http://support.apple.com/downloads/DL1768/en_US/BashUpdateMountainLion.dmg
   OS 10.7 (Lion): http://support.apple.com/downloads/DL1767/en_US/BashUpdateLion.dmg
7. Clicking on one of the links will begin the download of a Disk Image File (dmg); once it has downloaded, open it.
8. A window should appear. There should be an icon of a package with a name starting "BashUpdate"; double-click on it.
9. An installation dialog box will appear welcoming you to the OS X bash Update installer. Click CONTINUE; follow the prompts through the information screens and agreements.
10. At some point you should see an icon of a hard disk with a green arrow over it; make sure the icon has the name of your hard drive, then press CONTINUE. Then INSTALL.
11. A dialog box will come up asking you for your password. After you clear this hurdle, there will be a short pause and you should see a message congratulating you on a successful installation. Press CLOSE.
12. Once the update is installed, you no longer need a copy of the dmg.

ADDITIONAL INFORMATION: Macintosh users running Mac OS 10.6 (Snow Leopard) or older may wish to consider updating their OS to take advantage of this and other security patches.

Message Excerpt From Garron Hale, Director of CAS-IT:
What is Shellshock? The Shellshock vulnerability is a security problem, announced September 24, that can allow remote execution of code on a wide variety of Unix- and Linux-based systems, including Linux servers and Macintosh computers. The majority of servers on campus could be affected. Central UO Information Services has notified us to expect downtime as they install updates to their systems. Users of CASIT systems will also experience brief periods of downtime as we install patches on approximately one hundred servers. We will notify our users prior to downtime.

Ars Technica: http://arstechnica.com/security/2014/09/shellshock-fixes-beget-another-round-of-patches-as-attacks-mount/
The Unofficial Apple Weblog: http://www.tuaw.com/2014/09/30/apple-releases-os-x-bash-update-1-0/
Apple Insider: http://appleinsider.com/articles/14/09/29/apple-releases-bash-update-to-plug-shellshock-flaw
CAS-IT Announcement: https://casit.uoregon.edu/event/shellshock-alert



WHAT THIS IS ABOUT: Some folks have run into problems with the iMacs refusing to authenticate users.

WHO SHOULD READ THIS: GTFs in PLC 184. Grads in PLC 232.

WHAT YOU SHOULD DO: If you enter your DuckID and your UO e-mail password and you know it's correct, but the Macintoshes in the labs simply shake the password box at you...
1) Click on the RESTART button below the login area and restart the machine.
2) Wait a minute (don't burn incense; smoke is bad for the machines).
3) If a message about network logins being unavailable appears, wait a few moments more for it to disappear.
4) Attempt to log in again.
If you continue to have problems, especially if you can't log in to either Macs or Windows machines, please let me know. Rarely, there's a problem with the authentication server dealing with certain passwords (see personal message below).

ADDITIONAL INFORMATION: Apparently, the DuckID authentication server was having a rough first day:

** Message sent to the DeptComp group:
Around 10:30 AM on 29-Sep-2014, we received reports that the DuckID site was experiencing a service degradation. Users were intermittently receiving an "Internal Server Error". This service degradation was resolved around 12:00 PM on 29-Sep-2014. Staff are continuing to monitor the situation. During the first week of Fall Term, due to heavy loads on the system, users may experience longer load times than normal. If there are continued issues with the DuckID site, please contact the Technology Service Desk. If you have any questions, please contact the Technology Service Desk (techdesk@uoregon.edu; 541-346-4357).
UO Technology Service Desk
541-346-HELP
techdesk@uoregon.edu
facebook.com/UOTechDesk | twitter.com/UOTechDesk

====

** Personal Message from the TechDesk:
On 2014/09/29 16:50, Support via RT wrote:
> Hi John,
> This problem with users having issues logging into Active Directory
> machines happens rather sporadically. While we can't say with absolute
> certainty what causes the problem, we think it is related to using
> special characters in the user's password. A password reset will
> normally fix this issue



WHAT THIS IS ABOUT: Take a deep breath. Computer security experts have discovered a flaw in the Bourne shell (or Bash), which is part of the operating system of many devices. The flaw allows The Evil Ones all sorts of access, and they're already leveraging exploits. This is four Admiral Ackbars; although, like the Heartbleed security issue last Spring, the effects will be mostly indirect, and there's not much most home users can do at this point except wait for patches.

WHO SHOULD READ THIS: Linux users. Macintosh users, although default Macs are not at high risk. Windows users are not directly affected. Devices with servers (e.g. printers with web interfaces, wireless routers) could be susceptible.

WHAT YOU SHOULD DO: Macintosh users should assume that their computers are affected; however, as most people don't turn on the Macintosh Apache servers, there shouldn't be too much to worry about. If you do have a web server running on your Macintosh (and you'd know if you did, because you would have fiddled with it), then take steps to lock it down (highly technical link here): http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-shellshock-the-remote-exploit-cve-2014-6271-an/146851#146851

Macintosh users should also check that the FIREWALL is turned on: APPLE MENU > System Preferences > Security and Privacy > Firewall tab > make sure Firewall is ON. Click the FIREWALL button; this will bring up a report of what services (e.g. games) can connect to the Macintosh.

** Other devices
* Take a look at your home wireless router, then visit the vendor's page for any firmware updates.
* Take a look at your networked printer, then visit the vendor's page for any firmware updates.
* Folks with printers connected to home networks may wish to turn off the printer when not in use (if it's turned off, the Evil Ones can't talk to it).

ADDITIONAL INFORMATION: Shellshock is a 22-year-old bug in the Bourne shell. The Bourne shell is a text-only command line interface; those of you who remember using DARKWING in 2000-2005 will have an idea of what it does. The bug allows the Bad Guys to run malicious commands on affected machines.

Optional "Let's See It In Action" script for Macintosh users: Go to Applications > Utilities > Terminal, then copy and paste the following (the spaces in this are important):

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If your system is vulnerable to the Bash bug, you'll see the following:

    vulnerable
    this is a test

If your system has already been patched to protect against the bug, on the other hand, you'll see something similar to this:

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

THE TECHNICAL PRESS HAS A HEYDAY:
Ars Technica: Apple Says Most Users Should Be Fine: http://arstechnica.com/security/2014/09/apple-working-on-shellshock-fix-says-most-users-not-at-risk/
Cult of Mac: Relax, if you didn't turn advanced stuff on, you're fine: http://www.cultofmac.com/297901/apple-shellshock-exploit/
Most Vulnerable Targets are Apache Servers: http://www.hotforsecurity.com/blog/shellshock-roundup-what-to-do-if-you-are-vulnerable-10297.html
NYT: MILLIONS of Devices at Risk! http://bits.blogs.nytimes.com/2014/09/26/daily-report-flaw-in-code-puts-millions-of-devices-at-risk/
Security Week: Shellshock likely to become an engine for Internet Worms: http://www.securityweek.com/what-we-know-about-shellshock-so-far-and-why-bash-bug-matters
PC World (annoying autoplay video): http://www.pcworld.com/article/2687763/safe-from-shellshock-how-to-protect-your-home-computer-from-the-bash-shell-bug.html
Very Dense National Security Report: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271



WHAT THIS IS ABOUT: Don't panic. This is merely a (kind of long) beginning of the Fall Term reminder to update various software packages on computers you love and use. You do love them, right?

WHO SHOULD READ THIS: Everyone. Even if you don't love computers.

WHAT YOU SHOULD DO: Go through your computer and make sure to have all the software updated.

** General Software

* Chrome users:
  1. Start Chrome.
  2. Go to the utility button on the upper-right-hand corner of Chrome (it looks like three stacked horizontal lines) and choose ABOUT GOOGLE CHROME.
  3. A new browser window should open and Chrome will talk with Google. Follow any prompts to download the latest version. As of this writing, the version number should start 37.0.0262 (different versions for different platforms will have slightly different endings).

* Firefox users:
  1. Start Firefox.
  2. Windows: Go to the HELP menu and choose ABOUT FIREFOX.
  3. Macintosh: Go to the FIREFOX menu and choose ABOUT FIREFOX.
  4. A new browser window should open and Firefox will talk with Mozilla. Follow any prompts to download the latest version. As of this writing, the version number should be 32.0.2.

* Explorer users:
  1. The latest version of Explorer is installed during Windows Update. Be sure to enable and run Windows Update - even if you don't use Internet Explorer.

* Safari users:
  1. The latest version of Safari comes with the Macintosh operating system updates.

* Adobe Reader:
  1. Start Adobe Reader.
  2. Go to the HELP menu and choose CHECK FOR UPDATES. The reader will talk to the Adobe server and download any needed updates. The latest version as of this writing is 11.0.09.

* McAfee:
  1. Open McAfee:
     1a. Windows users: find the McAfee icon running in the Notification Area (System Tray) at the right end of the taskbar, and right-click on it.
     1b. Macintosh users: find the McAfee icon at the top right of the screen, and click on it.
  2. The McAfee icon will open up a menu with an "Update Now" option. Click this and the update process will start.

* Microsoft Office: On Windows, Office updates automatically with Windows Update. Macintosh users will need to update with a special tool:
  1. Start the Macintosh.
  2. Start Microsoft Word.
  3. Go to the HELP menu and choose CHECK FOR UPDATES.
  4. A new window should appear; (OPTIONAL: you may wish to select "automatically") click on the button CHECK FOR UPDATES.
  5. The Macintosh will talk with the Microsoft mothership and then display a dialog box with updates (if any).
  6. This is tricky: select the Word window and QUIT Word. The updater is a separate program and will continue to run.
  7. Click INSTALL (if there are new things to install) on the Microsoft Update window; the software updates should download.
  8. A dialog box should appear to guide you through the steps necessary to install the updates. Follow any prompts to install the updates.

** Windows Operating System: As of this writing, the latest version of the Windows Operating System is Windows 8. I recommend Windows 7, if only because Windows Charms seem to add an extra, annoying, and unnecessary layer between the user and software which is actually useful. Windows XP is no longer supported by Microsoft - if you are using a Win XP computer, you need to take steps to either keep it off the internet or update it.
  1. Start Windows.
  2. Go to the Start Menu Globe icon in the lower left-hand corner of the screen; a pop-up menu should appear.
  3. Select ALL PROGRAMS from the menu; a secondary menu should appear.
  4. Select WINDOWS UPDATE; a new window should appear.
  5. Within the new window, click "Check for Updates".
  6. After a moment of talking with Microsoft, the computer should tell you if there are critical updates; follow any prompts to install critical updates. (NB: There may be optional updates; you don't have to install these unless you want to.)

** Macintosh Operating System: As of this writing, the latest version of the Macintosh Operating System is OS 10.9.5 (Mavericks). Other Macintosh OS's which are current are 10.8 (Mountain Lion) and 10.7 (Lion). Apple dropped support for OS 10.6 (Snow Leopard) in February of 2014. I have no recommendations about OS upgrades, although users of 10.6 should try to update to OS 10.7 for better security, and users of 10.7 may wish to consider an upgrade to 10.8 to stay ahead of its possible retirement in 2015.

To see what version of the Apple OS your machine is running:
  1. Go to the APPLE menu and choose ABOUT THIS MAC.
  2. A window should appear which says "OS X" in big bold letters, and then the version underneath.
  3. Click the red jewel in the upper left-hand corner of the window to close it.

To install updates:
  1. Save and close your work.
  2. Go to the Apple Menu.
  3. Choose Software Update; a new window will appear announcing that new updates are being searched for.
  4. Any updates should appear in a list. Look at this list carefully so that you are not updating everything blindly.
  5. The update window may want to update you to Mavericks; this is a major OS upgrade you may wish to defer.
  6. Click on the UPDATE button next to application software such as iTunes, Safari, or Digital Camera RAW Compatibility Update, or next to Software Updates which are within your version (e.g. OS X Update 10.9.5 if you're running OS 10.9).
  7. Follow any prompts to restart your Macintosh.

** iPads, iPods, iPhones, and other iThings: Apple recently released iOS 8 for its mobile devices. I recommend iOS 7; users may wish to upgrade after Halloween. As of this writing, the general sense from the technical press is that iOS 8.0 is mostly OK, although older devices, such as iPad 2, may have difficulties running iOS 8 quickly. On Sept 25, Apple released an update for iOS 8, 8.0.1, which was quickly pulled because it broke cellular connections on some iPhones (oops).

ADDITIONAL INFORMATION: Yes; this is a lot of information. Yes; e-mail me at engtech@ithelp.uoregon.edu and I'll be happy to set up an appointment to help. Yes; you can poke your head into my office or call, too (although I might be running around a bit the first of the term).



WHAT THIS IS ABOUT: The latest operating system for Apple mobile devices, iOS 8, is about to be released. (Release the Kraken!)

WHO SHOULD READ THIS: Users with iPhones, iPads, iPods, and other iThings.

WHAT YOU SHOULD DO: Resist the urge to jump on the update bandwagon the microsecond iOS 8 appears. Major iOS changes tend to have a handful of bugs (er, "features!") that range from the annoying (new gestures for e-mail!) to really painful (but I just charged the battery!), and it's always a good idea to wait a week or two for the early adopters to discover the hidden gotchas.

ADDITIONAL INFORMATION:
Ars Technica's In-Depth and Very Long Total Review of iOS 8: http://arstechnica.com/apple/2014/09/ios-8-thoroughly-reviewed/
iOS 8 Mail New Swipe Gestures: http://www.tuaw.com/2014/09/15/ios-8-mail-new-swipe-gestures/
Expect updating to take 20 to 120 minutes: http://www.gottabemobile.com/2014/09/16/how-long-will-the-ios-8-update-take/
Reasons Not to Update (just yet): http://www.gottabemobile.com/2014/09/16/iphone-6-nfc-limited-apple-pay/
Various iOS 8 tips: http://www.gottabemobile.com/2014/09/16/which-iphone-6-we-bought-and-why/
The Cult of Mac's Articles on iOS 8: http://www.tuaw.com/tag/ios8



WHAT THIS IS ABOUT: The UO Information Services team is stepping up anti-phishing measures by blocking "phishy" network traffic and redirecting UO network users to a UO network services web page.

WHO SHOULD READ THIS: Everyone. This is a campus-wide security measure.

WHAT YOU SHOULD DO: If your computer is on the UO network, and you follow a bogus link from an e-mail or web page, instead of some fake merchant's site you should see a web page that says "Site Blocked Due to Suspicious Activity." You've been protected by the UO network and redirected to their warning page. This is a good thing. Don't panic.

As usual, when you receive a suspicious looking e-mail, forward phishing attempts that you receive, with full e-mail headers, to phishing@uoregon.edu. Doing so allows Information Services staff to take steps to mitigate the threat. Information on full e-mail headers can be found at the following link: https://it.uoregon.edu/full-email-headers

ADDITIONAL INFORMATION:
UO E-mail security: http://security.uoregon.edu/node/37.html
How to send full e-mail headers: https://it.uoregon.edu/full-email-headers

=== TEXT OF E-MAIL SENT FROM UO IS:

From: deptcomp-bounces@lists.uoregon.edu [mailto:deptcomp-bounces@lists.uoregon.edu] On Behalf Of News from Information Services
Sent: Friday, September 12, 2014 4:40 PM
To: Departmental Computing
Subject: deptcomp: Information Services to roll out phishing education page

Beginning Monday, Sept. 15, Information Services is enhancing its phishing protection for campus through the use of a phishing landing web page. With the new landing page, when a user attempts to visit a known phishing website he or she will be automatically redirected to the phishing landing page instead of the malicious page requested. The landing page displays explanations of why that particular web page was blocked and how to protect yourself against phishing scams. A sample of that page is attached to this message.

Previously, users who attempted to load malicious web pages received a generic "Page not found" error. This feature does not apply to off-campus users except for those connected via UO VPN. Information Services will use phishing reports sent to phishing@uoregon.edu, in addition to several other vetted sources, to populate the list of blocked phishing sites.

Questions? Contact the Technology Service Desk (techdesk@uoregon.edu; 541-346-HELP).

Information Services
University of Oregon



WHAT THIS IS ABOUT: Adobe has released a new version of the Flash Player (Version 14.0.0.145) (again!) which closes some security holes. Three-and-a-Half Admiral Ackbars (maliciously crafted Flash files can maliciously cause your computer to do malicious things like expose security credentials).

WHO SHOULD READ THIS: All computer users are potentially at risk, especially those with Firefox installed. This hole affected some social media sites like Twitter, YouTube, and Instagram; surprisingly, Facebook wasn't one of them.

WHAT YOU SHOULD DO: For EACH web browser you use, go here: http://helpx.adobe.com/flash-player.html and follow the instructions. In some cases (Chrome or Internet Explorer), you'll be directed to update the web browser.

Two caveats:
One: If you discover that you don't have the Flash Player installed, and you haven't missed it, you can stop and rejoice that you have one less "Kick Me" sign installed on your computer.
Two: Adobe has the slimy habit of bundling bloat-ware with the software that you actually want. If you need to manually download and install the latest version of the Flash player, carefully read the screens before you click OK or NEXT so that you don't inadvertently install Clippy The Microsoft Office Assistant on your computer or something.

ADDITIONAL INFORMATION: This Adobe Flash exploit allowed Flash files made up entirely of alphanumeric characters to be run as programs. When embedded in various web sites, The Evil Ones could cause collateral data leaks and cross-site scripting attacks simply by having targets view the web site.

Security hole and Flash Update Announced: http://grahamcluley.com/2014/07/rosetta-flash-adobe-google/
Adobe Security Bulletin: https://helpx.adobe.com/security/products/flash-player/apsb14-17.html
Ars Technica: Weaponized Exploit Can Steal User Cookies: http://arstechnica.com/security/2014/07/weaponized-exploit-can-steal-user-cookies-on-ebay-tumblr-other-sites/
Original Highly Technical Article on Adobe Rosetta Flash: http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
The Broken Record of Flash Update Announcements:
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-04-29
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-02-21
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-02-04
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2012-10-11



WHAT THIS IS ABOUT: Sigh. Shadowy, Foreign Hackers, dubbed The CyberVor Gang by the security firm which discovered them, have Tricked Websites All Over The World into Divulging usernames and passwords. 1.2 BILLION usernames and passwords. I'm calling this 2.5 Admiral Ackbars (EDITOR'S NOTE: I'm downgrading this to 1.5 Ackbars because the security firm may have discovered more stale accounts than they originally reported).

WHO SHOULD READ THIS: Anyone who's used the world wide web.

WHAT YOU SHOULD DO: Don't panic. Assume that your passwords have been compromised. Change all your passwords (cue plucky 1950's "Duck and Cover" instructional movie music), keeping in mind:
+ Each website that you log into should have its very own password; don't use the same password for multiple web sites.
+ At sites which have two-step verification, enable it.
+ Strong passwords are acronyms of personal phrases (e.g. "I'm getting married in the morning" becomes "Imgemainthmo").
+ Strong passwords are 12 to 18 characters long.
+ Strong passwords use mixed case letters, numbers, and special characters (e.g. "Imgemainthmo" becomes "Im!G3M4InThM0?").

ADDITIONAL INFORMATION:
The Security Firm that Discovered the Evil Foreign Hackers' Nefarious Doings: http://www.holdsecurity.com/news/cybervor-breach/
Original NY Times article that everyone else points to: http://www.nytimes.com/2014/08/06/technology/russian-gang-said-to-amass-more-than-a-billion-stolen-internet-credentials.html
Gee, this is even in the Register-Guard: http://projects.registerguard.com/apf/biz/us-stolen-passwords/
The Technical Press Points to the NY Times article:
http://arstechnica.com/security/2014/08/report-shadowy-russian-hacker-group-now-has-1-2b-usernames-passwords/
http://nakedsecurity.sophos.com/2014/08/06/1-2-billion-logins-scooped-up-by-cybervor-hacking-crew-what-you-need-to-do/
http://www.hotforsecurity.com/blog/over-1-2-billion-credentials-stolen-by-russian-cybercriminals-9868.html
http://www.theregister.co.uk/2014/08/05/russians_amass_1_2bn_stolen_passwords/
Some tips for improving computer security: http://www.nytimes.com/interactive/2014/08/05/technology/what-you-need-to-know-with-russian-hack.html
And a post Decrying Fear-Mongering: http://techcrunch.com/2014/08/06/the-business-of-fear-2/



WHAT THIS IS ABOUT: Don't Panic. German computer security researchers have created a Proof-Of-Concept demonstration called BadUSB that Turns USB Devices (e.g. thumb drives, keyboards, webcams, etc) EVIL. Really EVIL. I think Dante would need a tenth circle for how EVIL this is. Sigh. This isn't in the wild, so it isn't Eleven Admiral Ackbars. Yet.

WHO SHOULD READ THIS: Everyone. "Eternal vigilance" and all that.

WHAT YOU SHOULD DO: Don't panic when NPR or the general press hypes up the "We're Doomed" aspect of this computer security problem. BadUSB probably isn't in the wild (John pointedly doesn't think of the NSA, and other similar spy organizations). At this point, there's not a whole lot you can do other than get into the habit of physically isolating your computer now, so that you have good computer USB hygiene when Organized Crime comes up with BadUSB malware. This means:
+ Don't put your USB Flash Drive or USB keyboard or USB mouse or USB External hard drive or USB webcam or digital camera into a strange computer's USB port.
+ Don't allow a USB device that you haven't had under your control to connect to your computer.
+ Consider DropBox, e-mail attachments, UO Docs, or other means of file sharing and transfer to get computer files between home and campus computers.
OK - I can hear you all laughing. At least _think_ about this stuff once or twice before you do it.

ADDITIONAL INFORMATION: BadUSB works by using a firmware flash to place malware onto a USB-enabled device. A computer infected with BadUSB will be really hard to clean up. BadUSB works at the machine driver level, and reformatting a computer's hard drive is not enough to clean out a computer's BIOS (Basic Input/Output System). The BIOS is where a computer looks to learn how to power up - if a CPU is a computer's brain, and the hard drive is a computer's long-term memory, the BIOS is like the computer's autonomic system.

USB-enabled devices with subverted firmware can lie about their status, and there's no way to tell that they're lying. Those of us old enough to remember will recall the early 1980's, when floppy disks were floppy, and computer viruses could infect the boot blocks of floppy diskettes, using them as a host to infect the floppy drives in computers (e.g. http://en.wikipedia.org/wiki/Elk_Cloner ). BadUSB is similar, only now it's 2014 and BadUSB can use fake web pages and a host of other Internet tricks to steal funds and identities.

Probably what will happen is that in six to eighteen months:
+ USB manufacturers will have to make USB devices harder to subvert, and they'll become more like Bluetooth devices which require authentication or pairing before they'll work. ("Now with Hardened USB...")
+ Current antivirus software is not able to detect USB devices tainted with BadUSB; USB Manufacturers will probably come up with some sort of formatting tool that resets USB devices practically at the atomic level. ("The autoclave feature ensures your USB device is sterilized for safe use...")
+ Manufacturers will begin to offer "power only" charging cables with the data wires physically removed, so that charging stations in airports can be used more safely despite BadUSB. ("Conveniently charge your mobile device without the worry of BadUSB...")

THE ORIGINAL PRESENTATION of BadUSB, by Karsten Nohl and Jakob Lell: https://srlabs.de/badusb/
Security Professionals in the Technical Press Prophesy the Apocalypse:
http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/
http://www.wired.com/2014/07/usb-security/
http://venturebeat.com/2014/07/31/why-you-can-no-longer-trust-any-usb-device-plugged-into-your-pc/
http://gizmodo.com/usb-has-a-fundamental-security-flaw-that-you-cant-detec-1613833339
http://www.hotforsecurity.com/blog/keyboards-usb-devices-can-be-used-in-enhanced-hacking-attacks-9788.html



WHAT THIS IS ABOUT: Apple has released an update for iOS, 7.1.2; this is a utility update for the operating systems for iPads, iPods, iPhones, and other iThings. Apple has also released an update for the Mac OS, Mavericks (10.9.4).

WHO SHOULD READ THIS: Owners of newer iPads, iPods, iPhones and other iThings. Macintosh desktop computer (e.g. iMac) users. Windows users are not affected.

WHAT YOU SHOULD DO: Both system updates address various bugs and networking issues. Updating is important to close any security holes, but since there is a non-zero probability that the updates will break something, I'd wait a week for any Lamentations of the Users to echo from the Internet before upgrading.

ADDITIONAL INFORMATION:
Tech Specs for MacOS 10.9 (Mavericks): http://www.apple.com/osx/specs/
iOS Information Obviously Written by a Marketer: http://www.apple.com/ios/what-is/
iBeacon: http://en.wikipedia.org/wiki/IBeacon
Update Announcements in the Technical Press:
http://www.macrumors.com/2014/06/30/apple-release-ios-7-1-2/
http://www.tuaw.com/2014/06/30/apple-releases-os-x-10-9-4-with-fixes-for-wi-fi-connectivity-and/



WHAT THIS IS ABOUT: Owners of Macintoshes, iPhones and iPads -- mostly in Australia -- are reporting that their iThings have been locked by "Oleg Pliss" ransom-ware which demands a fee to unlock the device. The ransom-ware appears to be using the Find My Mac and Find My Phone utilities to do its dirty work. I'd give this 3.5 Admiral Ackbars.

WHO SHOULD READ THIS: Macintosh Users. iPad Users. iPhone Users. Non-Apple device users are not affected.

WHAT YOU SHOULD DO:

** Prevention:
+ Make sure your mobile devices require a four digit number for access.
+ Make sure your Apple ID password is unique to Apple and iTunes - As a precautionary measure, you may wish to change your Apple ID password.
+ Set up Two Factor Authentication for your Apple ID: http://www.tuaw.com/2013/03/22/apple-adds-two-factor-authentication-to-your-apple-id/
  1. Go to My Apple ID https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/, select "Manage your Apple ID," and sign in.
  2. Select "Password and Security."
  3. Under Two-Step Verification, select Get Started and follow the onscreen instructions.
+ For the Extra Paranoid, turn off "Find my iPad", "Find my iPhone," or "Find my Mac"; there's a good instruction set here: http://www.tuaw.com/2014/05/27/ransomware-worries-turn-off-find-my-mac-find-my-iphone/ N.B.: While this will protect you from the Oleg Pliss ransomware, it will also prevent the utilities from finding your device in the event that it is lost or stolen.

** If you are a victim of the "Oleg Pliss" ransomware, do not pay the ransom. Graham Cluley advises: "...erase your device using Recovery Mode and restore from a backup.
  1. Disconnect all cables from your device.
  2. Turn off your device.
  3. Press and hold the Home button. While holding the Home button, connect your device to iTunes. If your device doesn't turn on automatically, turn it on.
  4. Continue holding the Home button until you see the Connect to iTunes screen.
  5. iTunes will alert you that it has detected a device in recovery mode. Click OK, then restore the device."

ADDITIONAL INFORMATION: So far, no one is quite sure how the ransomware works. There's a lot of speculation that data stolen from eBay or other services was used to hack into the AppleID service.
Apple Guide to iPhone and iPad security codes: http://support.apple.com/kb/ht1212
Apple Guide to Two-Step Verification: http://support.apple.com/kb/HT5570
The Unofficial Weblog Guide to Two-Step Verification: http://www.tuaw.com/2013/03/22/apple-adds-two-factor-authentication-to-your-apple-id/
Mac Security Blog: http://www.intego.com/mac-security-blog/oleg-pliss-hack/
Naked Security: http://nakedsecurity.sophos.com/2014/05/27/apple-ransomware-strikes-australia-pay-oleg-100-or-else/
The Unofficial Apple Weblog: http://www.tuaw.com/2014/05/27/ransomware-worries-turn-off-find-my-mac-find-my-iphone/
And one US user reports they're a victim: http://gigaom.com/2014/05/27/hackers-demanding-ransoms-by-locking-ios-devices-through-find-my-iphone/



WHAT THIS IS ABOUT: Apple has fixed various bugs with last week's software updates. Specifically, an iTunes bug that caused user folders to disappear, and some security holes in Safari. The technical press is quiet about these updates, so they're probably OK to install.

WHO SHOULD READ THIS: Users running Mac OS 10.9 (Mavericks), 10.8 (Mountain Lion), and 10.7 (Lion). Earlier users of the Mac OS (Snow Leopard, Leopard, etc) should check for Safari updates. Windows users are not affected.

WHAT YOU SHOULD DO: Save your work and close applications. You may need to restart your Macintosh. Go to the Apple Menu and choose Software Update. After a moment, the dialog box should display available updates. Depending on which operating system is being used, different updates will appear. The ones to look for are:
+ OS X Update version 10.9.3 (this is the OS update for Mavericks users)
+ iTunes version 11.2.1 (this fixes the iTunes bug that hides folders)
+ Safari 7.0.4 (for Mavericks users)
+ Safari 6.1.4 (for non-Mavericks users)
Select which software to update (I'm guessing UPDATE ALL will work for most folks). Follow any additional prompts.

ADDITIONAL INFORMATION:
MacRumors: Safari Update Released: http://www.macrumors.com/2014/05/21/apple-releases-safari-7-0-4/
The Unofficial Apple Weblog: http://www.tuaw.com/2014/05/17/apple-patches-missing-users-folder-bug-spawned-by-itunes-update/
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-05-16
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-05-15



WHAT THIS IS ABOUT: Sigh. Yesterday's Macintosh OS 10.9.3 upgrade does indeed have a bug in it that will hide users' home directories. This is mostly harmless, but annoying; cue Jar-Jar Binks shouting "Mesa thinks disa trap!"

WHO SHOULD READ THIS: Users who upgraded to OS 10.9.3 (Mavericks). Users with OS 10.9.2 (Mavericks). Users of OS 10.8 (Mountain Lion), OS 10.7 (Lion), OS 10.6 (Snow Leopard), or earlier OS's are not affected. Windows users are not affected.

WHAT YOU SHOULD DO: If you have updated to OS 10.9.3 and your home directory is now hidden, you can temporarily get it back (at least until the next reboot) with the following procedure:
  1. Be sure to log on as a user with administrative privileges.
  2. From the Finder, press COMMAND-SHIFT-U -- this will bring up the Utilities folder.
  3. Double-click on the TERMINAL icon; this should bring up a new window.
  4. Type in the following command:

    sudo chflags nohidden /Users

The system will ask you for the password you use to log onto the Macintosh before it will execute the command. This will temporarily unhide your folders until the Macintosh is rebooted.

ADDITIONAL INFORMATION: This is an OS bug that hides your home directory. It doesn't always manifest. I can demo it for you on my office iMac.
MacRumors: http://www.macrumors.com/2014/05/16/os-x-10-9-3-bug-user-folder/
The Unofficial Apple Weblog: http://www.tuaw.com/2014/05/16/automatically-unhide-the-users-folder-after-10-9-3-update/



WHAT THIS IS ABOUT: Apple has released an update for Macintosh Operating System 10.9 (Mavericks), v 10.9.3. This is a security update for the OS.

WHO SHOULD READ THIS: Macintosh Users currently running Mac OS 10.9. Older Macintoshes are unable to run Mac OS 10.9. Windows users are not affected.

WHAT YOU SHOULD DO: This is a minor update which restores some broken capabilities and fixes some security holes. I would wait a week or so before installing it to let any bugs be discovered by the rest of the Apple herd. Usually updates of this nature are fine, but it never hurts to let someone else find any hidden problems.

ADDITIONAL INFORMATION: If you decide to become an early adopter, set aside about a half hour of time and make sure your files are backed up. I've installed OS 10.9.3 on my desk iMac and will let folks know if smoke starts billowing from it.
Ars Technica article: http://arstechnica.com/apple/2014/05/apple-releases-os-x-10-9-3-with-improved-4k-support-restored-usb-sync/
MacRumors: http://www.macrumors.com/2014/05/15/apple-releases-os-x-10-9-3/
Official Apple Happy Let's Do It How-To: http://support.apple.com/kb/HT6228



WHAT THIS IS ABOUT: Microsoft has released an out-of-cycle patch for Internet Explorer, which closes last week's security hole (Take that, Forces of Evil!). (See http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-04-28)

WHO SHOULD READ THIS: Microsoft Internet Explorer Users. Windows XP users. Macintosh Users are not affected.

WHAT YOU SHOULD DO: Sometime today (May 1, 2014), Windows users should run Windows Update to make sure the patch for Internet Explorer has been downloaded and applied.

ADDITIONAL INFORMATION: In a case of having to eat their own words, the technical press was incorrect in assuming that Windows XP users would not get an update.
NBC News: http://www.nbcnews.com/tech/security/microsoft-issues-fix-major-internet-explorer-bug-n94821
TechCrunch News: http://techcrunch.com/2014/05/01/microsoft-patches-latest-internet-explorer-security-flaw-even-for-xp-users/



WHAT THIS IS ABOUT: Adobe has released a new version of the Flash Player (Version 13.0.0.206) which closes some security holes. Two Admiral Ackbars (only some tightly-focused state-funded spying detected so far).

WHO SHOULD READ THIS: All computer users are potentially at risk, especially those with Firefox installed.

WHAT YOU SHOULD DO: For EACH web browser you use, go here: http://helpx.adobe.com/flash-player.html and follow the instructions. In some cases (Chrome or Internet Explorer), you'll be directed to update the web browser.

Two caveats:
One: If you discover that you don't have the Flash Player installed, and you haven't missed it, you can stop and rejoice that you have one less "Kick Me" sign installed on your computer.
Two: Adobe has the excessively unattractive habit of bundling bloat-ware with the software that you actually want. If you need to manually download and install the latest version of the Flash player, carefully read the screens before you click OK or NEXT so that you don't inadvertently install Lightroom 5, or the Bing Search Bar, or an antivirus product, or film clips from "Flashdance" or something.

ADDITIONAL INFORMATION:
Adobe's Security Bulletin: http://helpx.adobe.com/security/products/flash-player/apsb14-13.html
Ars Technica Write-up: http://arstechnica.com/security/2014/04/windows-0day-flash-bug-under-active-attack-threatens-os-x-linux-too/ which includes this little quote: "The exploitation of critical vulnerabilities by state-sponsored or state-motivated adversaries has grown increasingly common in recent years. Most notable examples include the Stuxnet, Flame, and Red October malware campaigns. A raft of other smaller campaigns have regularly targeted the Macs and Windows PCs belonging to dissidents of China and other countries as well as private companies and government agencies, although many such attacks don't rely on previously unknown vulnerabilities in widely used products."



WHAT THIS IS ABOUT: The Evil Ones have discovered a way to trick Microsoft Internet Explorer into granting Full User Rights onto a Microsoft Windows Machine. Yet Again. I give this 2.75 Admiral Ackbars.

WHO SHOULD READ THIS: Users of Microsoft Internet Explorer, versions 6 through 11. Macintosh Users are not affected.

WHAT YOU SHOULD DO: The easiest work-around is to use another browser. Microsoft has not released a patch for this security hole (EDITOR'S NOTE: this hole has been patched, see http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-05-01). The Technical Press has been quick to point out that Microsoft probably won't release a patch for this security hole on Windows XP, ever. For Windows users required to use Internet Explorer, Microsoft is recommending things we already do at the UO:
+ use a firewall
+ use antivirus software
+ stay on the narrow internet path; don't pick flowers or talk to wolves.
Additionally, users may wish to go the extra mile and install Microsoft's Enhanced Mitigation Experience Toolkit (EMET): http://support.microsoft.com/kb/2458544

ADDITIONAL INFORMATION: Because Internet Explorer is tightly integrated into the Windows Operating System, it's like a giant "Kick Me!" sign the Evil Ones can't resist. The exploit works when a user visits a malicious web site. Malicious web code uses Adobe Flash software to trick Internet Explorer into granting The Evil Ones the same rights on a Windows computer as the user, and hey-presto, there go your banking codes.

Microsoft Security Advisory: https://technet.microsoft.com/en-us/library/security/2963983
Ars Technica article: http://arstechnica.com/security/2014/04/active-0day-attack-hijacking-ie-users-threatens-a-quarter-of-browser-market/
National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1776
PC World article: http://www.pcworld.com/article/2148368/new-internet-explorer-zero-day-puts-web-at-risk-and-xp-isnt-getting-a-fix.html#tk.rss_all
Technical Breakdown of the Exploit from FireEye Labs: http://www.fireeye.com/blog/uncategorized/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html



WHAT THIS IS ABOUT: The open source library OpenSSL, which enables Secure Socket Layers (SSL), has a bug in it that exposes information in a server's RAM. Because the bug involves the heartbeat signal machines use to keep track of each other, this bug is called "Heartbleed". The Heartbleed bug enables Evil Doers to read encrypted communications, like passwords and encryption keys (i.e. everything). This counts as Five Admiral Ackbars. OK, Six. Seriously.

WHO SHOULD READ THIS: Anyone who uses internet services (Yahoo, Minecraft, www.efn.org, your bank). This is a worldwide security issue affecting machine-level communication between computers. Two thirds of the world's web servers are affected.

WHAT YOU SHOULD DO: Don't Panic - Yes, the barn door's (wide) open, but no one is really sure if the aliens have been leading the cows astray. They could be fine. System admins everywhere are scrambling to keep electronic assets secure. Unless you are a computer server administrator, you won't be directly affected by this bug; however, secondary effects are serious and will affect end-users.
+ Expect to see a spike in warning messages on your computer along the lines of "the security certificates for this site are untrusted" or requests to change your passwords on internet sites (bother, there will probably be an uptick in Phishing E-mail Attempts, too).
+ Wait for the server administrators to upgrade to OpenSSL 1.0.1g and update their servers' security. Expect "We've updated our security/Now Heartbleed Free!" notices from various internet-based providers. They'll probably look something like this: http://arstechnica.com/security/2014/04/dear-readers-please-change-your-ars-account-passwords-asap/. I'll be sure to forward any messages from UO central computing.
+ Use a site like https://www.ssllabs.com/ssltest/ to test various web sites you frequent.
+ Change your passwords, BUT only after the site has updated their SSL (or is using a different version of SSL). This is really important; changing your password on a site before they have a chance to update their security will do no good. (Some security folks are saying to change passwords now, and again in a week.)
+ Be nice to system administrators.
+ It might be wise to minimize internet access over the next few days, especially to places like your bank's web site. Or Yahoo.
+ Be extra vigilant over the next few weeks when looking at financial reports for signs of identity theft. Although it's newly discovered, the Heartbleed bug has been around for over a year, and computer security experts are concerned that The Evil Ones may have sneaked personal data out without a trace.

ADDITIONAL INFORMATION: UO Central Computing is taking steps to address the Heartbleed bug on campus computers. webmail.uoregon.edu is currently (4/9/2013) secured from the bug, according to SSL Labs.
An Overview of Heartbleed: http://heartbleed.com/
Yahoo at Extra Risk: http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/
Super Technical Dissection of the Heartbleed Bug: http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
Additional Lamentations and Various News Items:
http://bits.blogs.nytimes.com/2014/04/08/flaw-found-in-key-method-for-protecting-data-on-the-internet/
http://www.bbc.com/news/technology-26935905
http://hosted.ap.org/dynamic/stories/U/US_TEC_INTERNET_SECURITY_THREAT
http://www.pcworld.com/article/2140920/heartbleed-bug-in-openssl-puts-encrypted-communications-at-risk.html
http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
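As an added illustration that is not part of the original announcement, the toy model below shows the one check the OpenSSL 1.0.1g fix adds: a heartbeat handler must refuse any record whose claimed payload length does not fit inside the record it actually received, because the old code echoed back as many bytes as the header claimed, straight out of the server's RAM. The "process memory", the heartbeat encoding helpers and the NEIGHBOUR_DATA credential are all constructed here; nothing talks to a network.

```python
"""Toy model of TLS heartbeat handling, before and after the Heartbleed fix."""
import struct
from typing import Optional, Tuple

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # RFC 6520: a heartbeat carries at least 16 bytes of padding

# Constructed "process memory" neighbour: unrelated data the server happens to
# hold right after the heartbeat record (a made-up credential, not a real one).
NEIGHBOUR_DATA = b"session=alice; password=CorrectHorseBatteryStaple"


def build_heartbeat(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """Encode a heartbeat request: type, 2-byte length, payload, padding.

    claimed_len lets the header disagree with the real payload size, which is
    the whole trick behind Heartbleed.
    """
    length = len(payload) if claimed_len is None else claimed_len
    return bytes([HB_REQUEST]) + struct.pack(">H", length) + payload + b"\x00" * PADDING


def heartbeat_reply_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-1.0.1g behaviour: echo back as many bytes as the header claims."""
    claimed = struct.unpack(">H", memory[1:3])[0]
    # record_len is never consulted, so the copy runs off the end of the
    # record into whatever sat next to it in memory.
    echoed = memory[3:3 + claimed]
    return bytes([HB_RESPONSE]) + struct.pack(">H", claimed) + echoed + b"\x00" * PADDING


def heartbeat_reply_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """1.0.1g behaviour: drop any record whose claimed length does not fit."""
    if record_len < 1 + 2 + PADDING:
        return None  # too short to hold even a header plus padding
    claimed = struct.unpack(">H", memory[1:3])[0]
    if 1 + 2 + claimed + PADDING > record_len:
        return None  # header lies about the payload size: discard silently
    echoed = memory[3:3 + claimed]
    return bytes([HB_RESPONSE]) + struct.pack(">H", claimed) + echoed + b"\x00" * PADDING


def simulate(payload: bytes, claimed_len: Optional[int] = None) -> Tuple[bytes, Optional[bytes]]:
    """Lay a heartbeat record in front of NEIGHBOUR_DATA and run both handlers."""
    record = build_heartbeat(payload, claimed_len)
    memory = record + NEIGHBOUR_DATA
    return (heartbeat_reply_vulnerable(memory, len(record)),
            heartbeat_reply_fixed(memory, len(record)))


def leaks_neighbour(reply: Optional[bytes]) -> bool:
    """True if a reply gave away the data that sat beyond the record."""
    return reply is not None and NEIGHBOUR_DATA in reply


if __name__ == "__main__":
    honest_vuln, honest_fixed = simulate(b"hello")
    lying_vuln, lying_fixed = simulate(b"hello", claimed_len=200)
    print("honest request, old code leaks neighbour:", leaks_neighbour(honest_vuln))
    print("lying request,  old code leaks neighbour:", leaks_neighbour(lying_vuln))
    print("lying request,  fixed code reply:", lying_fixed)
    print("honest request, fixed code payload:", honest_fixed[3:8])
```

The honest request is answered identically by both handlers, which is why the patch broke nothing; only the record whose header overstates its length is silently dropped by the fixed code.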



WHAT THIS IS ABOUT: Apple Computer has released a security update closing the recently discovered SSL network hole (see http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-02-24) in Macintosh Operating Systems 10.9, 10.8, and 10.7. Macintosh users with Snow Leopard (OS 10.6) and older are still vulnerable to this hole (and will be forever).

WHO SHOULD READ THIS:
Macintosh Users, Especially Snow Leopard (or older) Users
Windows Users are Not Affected

WHAT YOU SHOULD DO:
* If you have Mavericks (10.9), Mountain Lion (10.8), or Lion (10.7): Save and back up your work. Close all programs. Go to the Apple Menu and choose SOFTWARE UPDATE. Follow the prompts to install the update; the system may require a reboot.
* If you have Snow Leopard (10.6) or older, Apple has done nothing for you; the only recourse for avoiding "man-in-the-middle" attacks and having random people (or at least the NSA) looking at your network traffic (i.e. your username and password) is to ensure your Macintosh computer is hooked up to an Ethernet wire or a home wireless network (i.e. no sipping beverages in a café and surfing the net). You may wish to evaluate your Macintosh Computer and see if its hardware will support an operating system upgrade. Thoughts and links here: http://pages.uoregon.edu/burridge/TechAnnouncements.php#2013-10-29 Apple has instructions and some places to check hardware here: http://www.apple.com/osx/how-to-upgrade/

ADDITIONAL INFORMATION:
Previous Security Alert About This Issue on iThings: http://pages.uoregon.edu/burridge/TechAnnouncements.php#2014-02-24
News on OS X 10.9.2: http://arstechnica.com/apple/2014/02/apple-releases-os-x-10-9-2-patches-ssl-flaw-and-adds-facetime-audio-support/
The Technical Press Cries FOUL!
Apple Retires Snow Leopard: http://www.computerworld.com/s/article/9246609/Apple_retires_Snow_Leopard_from_support_leaves_1_in_5_Macs_vulnerable_to_attacks
Apple Leaves 19% of Users Vulnerable: http://www.techspot.com/news/55828-apple-leaves-19-of-mac-users-vulnerable-no-longer-offers-security-updates-for-snow-leopard-.html
Fanbois Face XP Moment: http://www.theregister.co.uk/2014/02/27/fanbois_face_xp_moment_as_snow_leopard_is_left_to_die/



WHAT THIS IS ABOUT: Don't Panic. Security researchers have created a proof-of-concept iOS app which utilizes a software bug in various iOS versions to capture screen taps, and which demonstrates that what happens on the touch screen doesn't necessarily stay on the touch screen. This is a demo from the Good Guys; the internet is not down in flames (yet).

WHO SHOULD READ THIS:
Users of iThings running iOS 7.0.4, iOS 7.0.5, iOS 7.0.6, or iOS 6.0.x
Windows Users are Unaffected

WHAT YOU SHOULD DO: Presumably, Apple will release an updated version of iOS in a few weeks that will close this security hole. In the meantime, users can mitigate this security hole by occasionally reviewing the iOS task manager and halting unneeded programs running in the background.
1. Log into your mobile device.
2. Press the HOME button twice; the main screen should shrink down and become the left-most mini-screen of a list of running programs.
3. Swipe through the list. If you see a program (say, Camera) that you aren't currently running, swipe its miniaturized screen UP; this will close the program and the list should contract to the left.
4. When you're finished closing programs, press the HOME button again to restore the main screen.

ADDITIONAL INFORMATION:
Original Proof-of-Concept Report: http://www.fireeye.com/blog/technical/2014/02/background-monitoring-on-non-jailbroken-ios-7-devices-and-a-mitigation.html
Parallel Research on "keylogging" touch-screens: http://www.ibtimes.co.uk/researcher-creates-malware-captures-every-tap-your-smartphone-or-tablet-1434673
And the Technical Press Responds:
http://arstechnica.com/security/2014/02/new-ios-flaw-makes-devices-susceptible-to-covert-keylogging-researchers-say/
http://www.macrumors.com/2014/02/25/security-flaw-log-touch-inputs/
http://www.pcworld.com/article/2101580/new-ios-flaw-allows-malicious-apps-to-record-touch-screen-presses.html



WHAT THIS IS ABOUT: Friday, Apple released a security update for the operating system of its mobile devices, iOS 7.0.6, which closes a gaping security hole in how iThings talk to wireless networks. Older iThings got a special security update to iOS 6.1.6. Unpatched Apple mobile devices' wireless communication can be spied upon much more easily than was previously known. And, um, probably Apple iMacs and laptops, too.

WHO SHOULD READ THIS:
Folks with iThings: iPads, iPhones, iPods
Macintosh Users are affected, but there is no patch at this time.
Users of other mobile devices are not affected.
Windows Users are not affected.

WHAT YOU SHOULD DO: This vulnerability allows snoopers to read your encrypted communication: like e-mail passwords and bank statements. Mobile device users are strongly encouraged to update the iOS (to either iOS 7.0.6 or 6.1.6) to close the hole. Follow these instructions from http://support.apple.com/kb/ht4623
1. Plug in your device to a power source.
2. Tap Settings > General > Software Update.
3. Tap Download and Install to download the update. Updates might download automatically while your device is connected to Wi-Fi and a power source.
4. Tap Install when the download completes.
There is no patch for the Macintosh OS yet. Macintosh users should avoid using public WiFi; cafés and the downtown Public Library are out. Presumably, your secure home WiFi is secure enough. I've spoken with the UO Helpdesk and the UOSecure network is probably OK, but I would recommend using an Ethernet cable where possible. Additionally, security on Macintosh computers may be enhanced by use of either the Firefox or Chrome browsers.

ADDITIONAL INFORMATION: Apple devices use Secure Socket Layer (SSL) to talk with wireless network routers. SSL uses encryption so that Evil Ones monitoring wireless communication can't simply listen in for key words like "password" or "username" and figure out things from there. The Apple security hole allows the Evil Ones to essentially disguise their voice, say to the Apple devices, "Why yes; I'm the ArtsyCafe wireless server, sit down and tell me everything", and the Apple device proceeds to do just that without checking its list of Approved Devices to Talk To (cue C-3PO saying, "R2D2! You know better than to trust a strange computer!").
Apple releases iOS 7.0.6 and 6.1.6 to patch an SSL problem: http://arstechnica.com/apple/2014/02/apple-releases-ios-7-0-6-and-6-1-6-to-patch-an-ssl-problem/
About the security content of iOS 7.0.6: http://support.apple.com/kb/HT6147
About the security content of iOS 6.1.6: http://support.apple.com/kb/HT6146
Extremely critical crypto flaw in iOS may also affect fully patched Macs: http://arstechnica.com/security/2014/02/extremely-critical-crypto-flaw-in-ios-may-also-affect-fully-patched-macs/
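The "doesn't check its list" behaviour above had a very mundane cause, which is why the bug became known as "goto fail": a duplicated `goto fail;` line in Apple's SSL library jumped past the final signature check while the error variable still said "no error", so a forged server handshake was accepted as genuine. What follows is an added illustration of that control-flow pattern, written for this page in constructed C. It is not Apple's code: the key_exchange struct, the toy checksum used in place of a real hash, and the helper names are invented stand-ins, and the real code verifies an RSA or ECDSA signature over the handshake data rather than comparing checksums.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ERR_OK            0
#define ERR_BAD_RANDOM    1
#define ERR_BAD_PARAMS    2
#define ERR_BAD_SIGNATURE 3

/* Constructed stand-in for the ServerKeyExchange data a client must verify. */
typedef struct {
    const char *client_random;   /* 8 chars in this toy; 32 bytes in TLS */
    const char *server_random;
    const char *signed_params;
    uint32_t    signature;       /* toy "signature": the expected checksum */
} key_exchange;

/* Toy running checksum standing in for the real hash; illustration only. */
static uint32_t toy_hash_update(uint32_t h, const char *data) {
    for (; *data; data++) h = h * 31u + (uint8_t)*data;
    return h;
}

static int hash_random(uint32_t *h, const char *r) {
    if (r == NULL || strlen(r) != 8) return ERR_BAD_RANDOM;
    *h = toy_hash_update(*h, r);
    return ERR_OK;
}

static int hash_params(uint32_t *h, const char *p) {
    if (p == NULL || *p == '\0') return ERR_BAD_PARAMS;
    *h = toy_hash_update(*h, p);
    return ERR_OK;
}

static int toy_verify(uint32_t h, uint32_t signature) {
    return h == signature ? ERR_OK : ERR_BAD_SIGNATURE;
}

/* The broken chain. The second, indented "goto fail;" is unconditional:
 * every call reaches it with err == 0, jumps to fail, and returns success
 * without ever running toy_verify. */
int verify_key_exchange_broken(const key_exchange *kx) {
    int err;
    uint32_t h = 0;
    if ((err = hash_random(&h, kx->client_random)) != 0)
        goto fail;
    if ((err = hash_random(&h, kx->server_random)) != 0)
        goto fail;
        goto fail;                     /* the stray duplicate line */
    if ((err = hash_params(&h, kx->signed_params)) != 0)
        goto fail;
    err = toy_verify(h, kx->signature);
fail:
    return err;
}

/* The corrected chain: one goto per check, so the signature is verified. */
int verify_key_exchange_fixed(const key_exchange *kx) {
    int err;
    uint32_t h = 0;
    if ((err = hash_random(&h, kx->client_random)) != 0)
        goto fail;
    if ((err = hash_random(&h, kx->server_random)) != 0)
        goto fail;
    if ((err = hash_params(&h, kx->signed_params)) != 0)
        goto fail;
    err = toy_verify(h, kx->signature);
fail:
    return err;
}

/* What a genuine server would have "signed" for these constructed fields. */
static uint32_t toy_sign(const key_exchange *kx) {
    uint32_t h = 0;
    h = toy_hash_update(h, kx->client_random);
    h = toy_hash_update(h, kx->server_random);
    h = toy_hash_update(h, kx->signed_params);
    return h;
}

/* Verify a constructed exchange; forged != 0 corrupts the signature first. */
int run_check(int forged, int use_fix) {
    key_exchange kx = { "abcdefgh", "12345678", "p=23,g=5,Ys=8", 0 };
    kx.signature = toy_sign(&kx) + (forged ? 1u : 0u);
    return use_fix ? verify_key_exchange_fixed(&kx)
                   : verify_key_exchange_broken(&kx);
}

int main(void) {
    printf("genuine signature: broken=%d fixed=%d\n", run_check(0, 0), run_check(0, 1));
    printf("forged signature:  broken=%d fixed=%d (3 = ERR_BAD_SIGNATURE)\n",
           run_check(1, 0), run_check(1, 1));
    return 0;
}
```

The broken verifier returns 0 (success) for a forged signature just as readily as for a genuine one, which is the whole problem: a snooper on the café WiFi who can answer the device's handshake is never asked to prove who they are. Modern compilers flag this shape with warnings such as gcc's -Wmisleading-indentation; treating unreachable-code and indentation warnings as errors in security-sensitive code is the cheap defence.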



WHAT THIS IS ABOUT: There is a zero-day security exploit in Microsoft Internet Explorer 10 and 9. Versions of Microsoft Internet Explorer 10 and older are becoming less secure. Microsoft and the technical press strongly recommend Explorer 11 for users who use Explorer, to avoid exposure to various computer security exploits.

WHO SHOULD READ THIS: Users of Microsoft Internet Explorer 10 and Earlier.

WHAT YOU SHOULD DO:
If you need to use Microsoft Internet Explorer, use Explorer 11. If your computer hasn't already downloaded it, you can find it here: http://windows.microsoft.com/en-us/internet-explorer/ie-11-worldwide-languages
If you need to use Internet Explorer, but are unable to upgrade to Explorer 11, there's a work-around here: https://support.microsoft.com/kb/2934088
If you don't need to use Internet Explorer, you may wish to use the Firefox or Chrome browsers instead.

ADDITIONAL INFORMATION:
Official Word from Microsoft: http://technet.microsoft.com/en-us/security/advisory/2934088
http://www.zdnet.com/microsoft-advises-on-ie-zero-day-vulnerability-7000026532/
http://grahamcluley.com/2014/02/internet-explorer-zero-day/
http://arstechnica.com/security/2014/02/new-zero-day-bug-in-ie-10-exploited-in-active-malware-attack-ms-warns/
Report of a Watering Hole Attack using this Exploit: http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html



WHAT THIS IS ABOUT: There's a security hole in Adobe Flash Player. The Evil Ones are using it in conjunction with older Windows software to target non-profit organizations.

WHO SHOULD READ THIS:
Macintosh Users (although not specifically targeted, Macintosh Flash Player has this security hole, too).
Windows Users.

WHAT YOU SHOULD DO:
Visit this page: http://helpx.adobe.com/flash-player.html
Click the CHECK NOW button that appears.
If you have one of the following versions:
Adobe Flash Player and earlier versions for Windows and Macintosh
Adobe Flash Player and earlier versions for Linux
Adobe AIR and earlier versions for Android
you should be prompted to update. Follow the instructions that appear (if any) on the Adobe web page.
NB: Chrome users will have to update Chrome to get the latest version of the Adobe Flash Player. http://helpx.adobe.com/flash-player/kb/flash-player-google-chrome.html
For WINDOWS users: Make sure Windows Update is doing what it should. If you must have Java installed on your Windows computer, make sure it is updated to the latest Java 1.7 release.

ADDITIONAL INFORMATION:
Official News from Adobe: http://helpx.adobe.com/security/products/flash-player/apsb14-07.html
http://arstechnica.com/security/2014/02/adobe-releases-emergency-flash-update-amid-new-zero-day-drive-by-attacks/
http://nakedsecurity.sophos.com/2014/02/21/adobe-pushes-out-critical-flash-update-second-zero-day-hole-of-month/
http://blog.malwarebytes.org/exploits-2/2014/02/adobe-flash-player-zero-day-details-and-mitigation/
Technical report on the exploit: http://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html



WHAT THIS IS ABOUT: Last week, Comcast had a security breach. It's not clear what data about 19.9 million Internet customers was stolen. Comcast customers are advised to change their passwords, even if they don't use Comcast e-mail.

WHO SHOULD READ THIS: Comcast subscribers.

WHAT YOU SHOULD DO: (I am not a Comcast subscriber, and I haven't had a chance yet to walk my parents through this)
Sign in to Comcast and change your password here (I think): https://login.comcast.net/login
More information on Comcast accounts: http://customer.comcast.com/help-and-support/account/accounts-usernames-passwords
If you don't remember your Comcast password, you can reset it here: http://customer.comcast.com/help-and-support/account/changing-or-resetting-your-password

ADDITIONAL INFORMATION: This is another example of why it's bad to use the same password across several accounts. If your Comcast password is the same as your Google password or your UO password or your banking password, you'll want to change those as well.
CAS-IT Blog: https://blogs.uoregon.edu/casitblog/2014/02/11/comcast-email-servers-potentially-hacked/
PCWorld Article: http://www.pcworld.com/article/2095445/comcast-gets-hacked-downplays-potential-dangers.html
The vulnerability the Evil Ones used: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7091&cid=3



WHAT THIS IS ABOUT: On February 11, 2014, Information Services will be upgrading the central McAfee ePO server. They recommend that Windows users running VSE 8.7 or earlier and Management Agent 4.6 or earlier upgrade their applications. Oh, gee; it's a Microsoft Patch Tuesday, too. Try to get stuff done Monday to avoid an aggravating computer-update Tuesday.

WHO SHOULD READ THIS:
Windows users using the UO distributed McAfee.
Macintosh Users are not affected.

WHAT YOU SHOULD DO: Your computer won't explode or anything, but after the central McAfee ePO server upgrade next Tuesday, you may start to receive worrying error messages and the McAfee protection will be reduced on your computer.
** Check your version of McAfee
Go to the START menu. Choose the CONTROL PANEL or ALL CONTROL PANEL ITEMS.
If you are directed to the CONTROL PANEL, then look for PROGRAMS and select the option below it, UNINSTALL A PROGRAM.
If you are using ALL CONTROL PANEL ITEMS, then select PROGRAMS AND FEATURES.
A list of programs should appear. Look for McAfee VirusScan. NB: If you don't see McAfee VirusScan, use McAfee Agent. Look to the right of McAfee VirusScan (or Agent); there should be a version number.
Windows users running McAfee VirusScan Enterprise (VSE) 8.7 or earlier and/or McAfee Management Agent 4.6 or earlier may experience some compatibility issues. Windows users running VSE 8.7 or earlier and Management Agent 4.6 or earlier should upgrade.
** If you've got an old version of McAfee, uninstall it.
Follow these instructions: https://it.uoregon.edu/node/4094
** Once you've removed old versions of McAfee, install the latest version.
Follow these instructions (Duck ID login required): https://it.uoregon.edu/node/2017
** Getting Additional Help
The Newly Re-named IS Technology Service Desk (formerly the Help Desk) in the basement of McKenzie can offer help migrating to a new version of McAfee: 6-HELP, techdesk@uoregon.edu, or in person in the north end of the basement of McKenzie Hall.
CAS-IT is also available to help with this upgrade: 6-2388, castit@uoregon.edu
I'm also here in the mornings to provide assistance: 6-3570, engtech@ithelp.uoregon.edu

ADDITIONAL INFORMATION:
Central IT's Announcement: https://it.uoregon.edu/mcafee-upgrade
Finding your current version of McAfee: https://it.uoregon.edu/node/4093
How to Uninstall OLD versions of McAfee: https://it.uoregon.edu/node/4094
How to Install the Latest version of McAfee: https://it.uoregon.edu/node/2017
Managed and Unmanaged Versions of McAfee: https://it.uoregon.edu/mcafee-agent
CAS-IT's Blog: https://blogs.uoregon.edu/casitblog/2014/02/05/mcafee-license-server-upgrade/
EXTRA POWERFUL McAFEE REMOVAL UTILITY TOOL: For those of you who get stuck uninstalling McAfee and feel comfortable using Power Utility Tools there's always (cue the Escaping Penguins from "Madagascar" music) the McAfee Consumer Product Removal (MCPR) tool: http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe which I'm including in this message partially so I can quickly find it next week (Remember, you saw *nothing*)



WHAT THIS IS ABOUT: Adobe has released a patch for a zero-day vulnerability in its Flash Player. You know the drill: Evil People, Adobe Security Hole, Computer Zombie Slave Impersonates You at the Bank.

WHO SHOULD READ THIS: Windows, Macintosh, and Linux folks with Adobe Flash Player installed.

WHAT YOU SHOULD DO: I haven't heard any wailing or gnashing of teeth that this update breaks things; I'll keep an eye on the technical press. I haven't noticed that the update breaks Flash Player on the single installation I've done. Generally, I advise people to wait a day or two on upgrades like this. It's probably safe, and I would update no later than Wednesday evening.
Verify which version of the Adobe Flash Player you have installed by visiting this page: http://www.adobe.com/software/flash/about/
If you have version, then you have the latest version of the software. You can STOP.
If you see a message about installing Plug-ins, then you don't have Adobe Flash Player installed. You can STOP.
SAFARI AND FIREFOX USERS: Adobe recommends that all Flash Player users upgrade to the most recent version of the player through the Player Download Center to take advantage of security updates: http://get.adobe.com/flashplayer
CHROME USERS: The Chrome browser automatically updates Adobe Flash Player when updates are available. In Chrome, left-click on the Three Horizontal Bars beneath the CLOSE X to bring up a menu. Choose ABOUT GOOGLE CHROME; a new window will appear. Chrome should begin to automatically update itself. This may require restarting Chrome. The updated version of Chrome is Version 32.0.1700.107 m.
INTERNET EXPLORER USERS: Explorer 10 and 11 users should have a similar upgrade path to Chrome users. Newer versions of Internet Explorer should automatically update the Flash Player. Users of older versions of Explorer will need to manually visit http://get.adobe.com/flashplayer

ADDITIONAL INFORMATION: If you regularly use more than one browser for surfing the web, you will want to test all browsers. When I tested Safari, Firefox and Chrome on an iMac running Mavericks, only Chrome (the browser I use) showed an active installation; Safari and Firefox asked if I wanted to download a Missing Plug-in.
Security Week: http://www.securityweek.com/adobe-issues-emergency-patch-address-flash-player-zero-day
Adobe Security Bulletin: http://helpx.adobe.com/security/products/flash-player/apsb14-04.html
Ars Technica Alert: http://arstechnica.com/security/2014/02/adobe-releases-unscheduled-flash-update-to-patch-critical-zero-day-threat/



WHAT THIS IS ABOUT: The folks at US CERT released a security advisory warning users of Mozilla Thunderbird that slightly older versions of Thunderbird can allow Evil Code in HTML formatted e-mails to run when the Evil E-mail is replied to or forwarded.

WHO SHOULD READ THIS:
Users of the e-mail client Mozilla Thunderbird
No other e-mail clients are affected

WHAT YOU SHOULD DO: If you are a Thunderbird user, be sure you are using Thunderbird version 24.2.
Start Thunderbird.
Go to the HELP menu and select ABOUT THUNDERBIRD.
A dialog box should appear telling you which version of Thunderbird is in use and offering updates if applicable; follow any instructions (restarting Thunderbird may be required).

ADDITIONAL INFORMATION:
Mozilla Thunderbird does not adequately restrict HTML elements: http://www.kb.cert.org/vuls/id/863369
Security Advisories from Mozilla about Thunderbird: http://www.mozilla.org/security/known-vulnerabilities/thunderbird.html
Updating Thunderbird: https://support.mozillamessaging.com/en-US/kb/updating-thunderbird



WHAT THIS IS ABOUT: DuckID Authentication and a slew of other central computing services are having issues. Many users are having difficulty using services which require a login, such as e-mail and connecting to the UO Wireless network. Off-campus users are reporting that e-mails sent to UO folks are bouncing because "the user is unknown."

WHO SHOULD READ THIS: Everyone (assuming this message actually gets through)

WHAT YOU SHOULD DO: There's not a whole lot end-users can do. The folks at Central Computing are aware of the problems and are working on them.
Students in PLC 184 may have to use the generic student login while DuckID authentication is down.
Periodically, check https://status.uoregon.edu/ for updates.
Seize the opportunity for uninterrupted time to use your computer free from the distractions of e-mail.

ADDITIONAL INFORMATION:
DuckID status history: https://status.uoregon.edu/status-history/9
IMAP/POP3 status history: https://status.uoregon.edu/status-history/12
Webmail status history: https://status.uoregon.edu/status-history/1
UO Wireless status history: https://status.uoregon.edu/status-history/15



WHAT THIS IS ABOUT: To the best of my knowledge, there hasn't been a Target Phishing Scam. Yet. The only current Phishing Scam I'm aware of is a "Your Apple ID will be restricted" scam.

WHO SHOULD READ THIS:
Target Shoppers.
Macintosh Users.
Home crafters and Windows folks are unaffected.

WHAT YOU SHOULD DO: So far I have not heard of any scam. Target's CEO really did send out an apology and Target does have a program offering a year's worth of free credit monitoring. The letter's a little confusing because it offers links on one hand, and then warns folks not to follow unsolicited links from strangers on the other.
Here's Target's FAQ site: https://corporate.target.com/about/payment-card-issue/credit-monitoring-FAQ
And it looks like http://creditmonitoring.target.com/ is a valid site.
I will continue to monitor the tech news and will forward any news of cyber-scams.
Speaking of which. The latest scam that is showing up in the technical press is a scam trying to get your Apple ID and password: http://www.tuaw.com/2014/01/17/beware-of-this-apple-id-phishing-scam/
If you get an e-mail, supposedly from Apple, saying that someone supposedly tried to log into your Apple ID account from a different IP address and now you need to verify your ID and password, delete the message.

ADDITIONAL INFORMATION:
News Item on Public Reaction to Apology Letter: http://www.komonews.com/news/consumer/Target-email-legit-but-consumers-think-its-a-scam-240666341.html
PC World: Stolen Target Data Sent to Russia: http://www.pcworld.com/article/2088920/target-credit-card-data-was-sent-to-server-in-russia.html
Ars Technica: Technical write-up of Point-of-Sale malware infecting Target: http://arstechnica.com/security/2014/01/point-of-sale-malware-infecting-target-found-hiding-in-plain-sight/



WHAT THIS IS ABOUT: Don't Panic. This is only a PSA about malware masquerading as bogus Amazon Delivery Notices. (One and a half Admiral Ackbars. Plus a Pre-Enlightenment Grinch.)

WHO SHOULD READ THIS:
People who have e-mail.
People who order stuff through Amazon.
People who don't order stuff through Amazon, too.

WHAT YOU SHOULD DO: If you receive an Amazon Delivery Notice thanking you for your early December order, look at it carefully.
If it's dated from Dec 8, you should become Very Suspicious (some variants use Dec 9 or 10).
If it is CC'd to a bunch of people, you should become Very Suspicious.
If you've never ordered anything through Amazon in your life, you should become Very Suspicious.
Don't follow any links or download any PDFs included in the Very Suspicious E-mail. These will install malware on your computer. Delete the Very Suspicious E-mail.
If you are worried that your order from Amazon has a problem, go to http://www.amazon.com directly, sign into your account, and check the order there.
Updated anti-virus software and some e-mail services' spam filters will catch the malicious software attached to the bogus Amazon message -- but still, practice caution over the holidays as The Bad People take advantage of the increased on-line shopping frenzy.

ADDITIONAL INFORMATION:
Details about Amazon Invoice Malware: http://blog.malwarebytes.org/fraud-scam/2013/12/amazon-invoice-malware-spamrun-continues/
More about the malware: http://blog.dynamoo.com/2013/12/fake-amazoncouk-order-spam-am-order.html
Amazon's Security, Privacy and Accessibility web page (United Kingdom version): http://www.amazon.co.uk/gp/help/customer/display.html?nodeId=492866
Exhaustive List of other Fake Product Purchase Order Email Messages: http://tools.cisco.com/security/center/viewAlert.x?alertId=31225



WHAT THIS IS ABOUT: This is a friendly reminder to folks using Windows XP that Windows XP will no longer be supported by Microsoft after April 8, 2014.

WHO SHOULD READ THIS:
Folks using Windows XP.
Users of Windows 7 or Windows 8 are unaffected.
Windows 98, 2000, and Vista users may wish to reminisce.

WHAT YOU SHOULD DO: If you have a University owned Windows XP machine that you are using, please let John Burridge or Marilyn Reid know and we can work forward from there to assess if the machine should or can be upgraded to a newer operating system. Preferably sooner than April.

ADDITIONAL INFORMATION: The Computer Security Press would like us to believe that the Legion of Evil People are quietly biding their time until April 9, whereupon they will spring upon an unsuspecting Windows-XP-using populace with a Super Cyber Arsenal of hitherto undiscovered Windows XP security holes which will never ever be patched by Microsoft (and thus be wide open targets for ever and ever). (Cue the Burgermeister Meisterburger chortling, "Children of Cyber-town, you will never use your credit cards again!") There is the other difficulty in that more and more newer programs will not work on an increasingly aging Windows XP.
Windows XP Support Ends April 8, 2014: http://www.microsoft.com/en-us/windows/endofsupport.aspx



WHAT THIS IS ABOUT: Don't Panic. This is merely a public service announcement about being careful when you install software and only installing what you want instead of software parasites like that pesky "Ask Toolbar" and, most recently, unwanted software that turns your computer into a Bitcoin Mining Zombie Slave.

WHO SHOULD READ THIS: Everyone. Especially everyone who has family members with computers they support --er-- visit over the winter holidays.

WHAT YOU SHOULD DO: This is a concrete example of someone literally stealing your computing resources to make a buck. The antidote is A) be mindful when installing software so that you catch the places where the installer is saying "Oh, uh, and here's where we're going to give you Added Value and throw in This Cool Browser Tool Bar (that tracks everything you do)"; and, B) Read the End User License Agreement (EULA). Ha. OK. Scan it? Print it out and read it to your kids at bedtime? Um, pretend you're in a Star Trek episode and you're dealing with an Evil Ferengi Character?

ADDITIONAL INFORMATION: As the Bitcoin Bubble grows, I expect that there will be a rise in unwanted software and malware related to Bitcoins. Bitcoins are virtual money currently enjoying internet buzz and hype and wild speculation. They are "created" by using computers to run a complicated program; running a Bitcoin program is sometimes called "mining for Bitcoins." Creating Bitcoins takes a long time and a lot of computing resources. Bitcoins are decentralized, meaning no government or bank controls them. In the case of this PSA, some unscrupulous folks have created distributed computing programs that gobble up a host computer's resources to make Bitcoins. (If you've ever run astronomy programs like PlanetQuest or SETI@home, which crunch astronomical data on home computers, you're familiar with distributed computing. The distributed astronomy programs are good, in that you knowingly install them and they only run when your computer is idle; the Bitcoin Mining software that comes bundled with something else is bad because of its stealthy, parasitic nature.)
Bitcoin protocol: http://en.wikipedia.org/wiki/Bitcoin_protocol
Malwarebytes' Blog: http://blog.malwarebytes.org/fraud-scam/2013/11/potentially-unwanted-miners-toolbar-peddlers-use-your-system-to-make-btc/
Sneaky software turns your PC into a Bitcoin-mining zombie -- and owns up to it in the EULA: http://www.pcworld.com/article/2068102/sneaky-software-turns-your-pc-into-a-bitcoin-mining-zombie-and-owns-up-to-it-in-the-eula.html#tk.rss_all



WHAT THIS IS ABOUT: Noon Tuesday: UO e-mail service is having continuing troubles (is it the Full Moon in Taurus, or the comet ISON?). Here's an oracle to answer the question: "Is it me, or is mail not working?"

WHO SHOULD READ THIS: Everyone, especially folks with questions in the afternoons (when I'm off-campus) about UO computing services.

WHAT YOU SHOULD DO: If you have a question about UO electronic services, my web page has some useful links. Go to http://pages.uoregon.edu/burridge
Along the right-hand side of the page is a list of UO related Twitter posts; these are sometimes useful.
Right above the Twitter posts is a link to Status Updates: https://status.uoregon.edu/ ; follow this link for status updates and services' histories.
On the left-hand side is a link to previous announcements: http://pages.uoregon.edu/burridge/TechAnnouncements.php

ADDITIONAL INFORMATION:
https://status.uoregon.edu/
https://twitter.com/UOTechDesk
https://twitter.com/UOregonLibNews
https://twitter.com/UOregonTEP
https://twitter.com/UOEnglishDept



WHAT THIS IS ABOUT: E-mail sent to UO folks purportedly with an announcement of an upgrade to a new WebMail Service is a scam (this gets points for insidious cleverness, but loses them for poor grammar and vague phrases: 2 Admiral Ackbars).

WHO SHOULD READ THIS: Sigh. Everyone.

WHAT YOU SHOULD DO: If you receive an e-mail announcing an updated version of WebMail, Delete it unread. (See bogus message below)

ADDITIONAL INFORMATION:
Look at the date of this supposed upgrade notice; it's a Sunday. No system administrator in his or her right mind (well, OK) would upgrade a heavily used system on a Sunday and subject themselves to the Monday Morning from Support Heck.
Webmail is a web service; when it is updated, there is nothing for you to update on your end. (Unlike, say, Banner.) The surprise nature of "Hey! We just Updated a Mail Service You All Use on a Daily Basis Without Warning Anyone Ahead of Time" should be a tip-off that this isn't on the level.
The link that the Evil Ones want to send you to ends in .net; if this were a valid update, it would end in uoregon.edu.
Read the text below out loud to catch the grammatical errors. Also, what are "advanced secured functions"? (I think the author means "advanced security functions", which is still vague enough to raise scamming concerns.)
For some reason, the phishers think that including a copyright notice will increase compliance (because once a message has been sent as a mass e-mail, they still want to preserve their anthology and film rights).
A real upgrade notice would direct you to the Help Desk in McKenzie, and very likely be from someone like Spencer Smith or Jon Miyake.

[Text of Bogus Letter]
-------- Original Message --------
Subject: Information Technology Services Help Desk
Date: 2013/11/17 08:48
From: University of Oregon
To: Recipients
The University of Oregon have released a new version of uoregon.edu webmail Sunday , Nov 17, 2013. This newest webmail version comes with new and advanced secured functions and anti-spam protection. You are advised to click and follow the link below to migrate today, and to enable advanced security features; http://[REDACTED].net/f/uoregon.edu
----------------------------------------------------------------------------------------------------------------------------
Copyright 2013 University of Oregon.
-----------------------------------------------------------------------------------------------------------
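The ".net, not uoregon.edu" tell above is worth spelling out precisely, because the bogus link is built to fool a quick glance: "uoregon.edu" does appear in it, just in the path rather than the host. The check that matters is whether the host name itself is uoregon.edu or ends in ".uoregon.edu" on a label boundary, which also rules out look-alikes such as "fakeuoregon.edu" and "uoregon.edu.example.net". The following is an added example written for this page (not part of any announcement, and not UO Network Security's tooling) that applies that rule to a few constructed links; "example.net" stands in for the redacted scam host.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the host part of http(s)://host[:port][/path] into out.
 * Returns 1 on success, 0 if the URL has no http/https scheme or no host. */
int extract_host(const char *url, char *out, size_t out_size) {
    const char *p = NULL;
    if (strncmp(url, "http://", 7) == 0)       p = url + 7;
    else if (strncmp(url, "https://", 8) == 0) p = url + 8;
    if (p == NULL) return 0;
    size_t n = strcspn(p, "/:?#");            /* host ends at port, path or query */
    if (n == 0 || n >= out_size) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* 1 when host is domain itself or a subdomain of it. The comparison is
 * case-insensitive and must land on a label boundary, so "fakeuoregon.edu"
 * and "uoregon.edu.example.net" are both rejected. */
int host_under_domain(const char *host, const char *domain) {
    size_t hl = strlen(host), dl = strlen(domain);
    if (dl == 0 || hl < dl) return 0;
    const char *tail = host + (hl - dl);
    for (size_t i = 0; i < dl; i++)
        if (tolower((unsigned char)tail[i]) != tolower((unsigned char)domain[i]))
            return 0;
    return hl == dl || tail[-1] == '.';
}

/* A link in a message claiming to be from the UO is suspicious unless its
 * host is under uoregon.edu. Anything we cannot parse is treated as suspicious. */
int link_is_suspicious(const char *url) {
    char host[256];
    if (!extract_host(url, host, sizeof host)) return 1;
    return !host_under_domain(host, "uoregon.edu");
}

int main(void) {
    /* Constructed sample links modelled on the bogus notice (the real host is redacted). */
    const char *links[] = {
        "http://example.net/f/uoregon.edu",     /* domain appears only in the path */
        "https://webmail.uoregon.edu/",
        "https://fakeuoregon.edu/login",
        "http://uoregon.edu.example.net/",
        "https://status.UOregon.EDU:443/",
    };
    for (size_t i = 0; i < sizeof links / sizeof links[0]; i++)
        printf("%-40s %s\n", links[i],
               link_is_suspicious(links[i]) ? "SUSPICIOUS" : "ok");
    return 0;
}
```

Only the second and fifth links pass. The same rule is what a mail filter or a careful reader should apply to the "Frank" and "Blackboard" messages further down: the question is never whether the familiar name appears somewhere in the link, but what host the link actually goes to.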



WHAT THIS IS ABOUT: The English Department is being spammed with scam tutor requests (message included below). This is a trick (which John rates at Three-and-a-half Admiral Ackbars) to get your banking information.

WHO SHOULD READ THIS: Everyone who reads e-mail.

WHAT YOU SHOULD DO: If you receive a vaguely worded e-mail from Colvin Hostetter, requesting a tutor, the safest thing to do would be to delete the message. If you're feeling like you'd like to be helpful, you could forward the message to the University Teaching and Learning Center (TLC), at tlc@uoregon.edu.

ADDITIONAL INFORMATION: How this scam usually plays out:
1) Scammer requests a tutor for a non-existent child.
2) Friendly tutor replies and sets up session.
3) Scammer over-pays, then requests money back.
4) Insert bank shenanigans here, resulting in tutor's lost money.
http://tlc.uoregon.edu/learningservices/tutoring.html
http://pages.uoregon.edu/burridge/TechAnnouncements.php#2012-09-04
http://consumerist.com/2009/06/stay-away-from-the-nigerian-tutoring-scam.html
http://mattbestmusic.blogspot.com/2011/12/beware-private-lesson-scam.html

========================
[scam message text]:
Hello, How are you doing today? My name is Colvin Hostetter. I came across your e-mail under the Graduate Students portal while surfing online for tutorial for my daughter, Debra. Debra is a 18 years old girl. She is ready to learn. I would like the lessons to be at your location. Kindly let me know your policy with regard to the fees, cancellations, location and make-up lessons. Also, get back to me with your area of SPECIALIZATION and any necessary information you think that might help. The lessons can start by next week. Mind you, any break during Thanksgiving and Christmas would be observed respectively. Looking forward reading from you. My best regard,



WHAT THIS IS ABOUT: Staff in the English Department have received multiple phishing e-mails that attempt to trick the reader into visiting a sketchy-looking web site.

WHO SHOULD READ THIS: Everyone.

WHAT YOU SHOULD DO: If you receive a vague message from a vague source (see messages below), purportedly with vague information for you, don't follow the links in the message. One message is from "Frank" who is "John's Assistant" (I'm not sure if this is lucky guessing on my name, or just a gamble that there are enough Johns and Franks in IT for this to work or what). The other one is from "Blackboard Notifications." The e-mails have been forwarded to phishing@uoregon.edu and UO Network Security has taken steps to block this particular strain of phishing attempts.

ADDITIONAL INFORMATION: The UO's official site for Phishing: http://security.uoregon.edu/node/37.html

Sample Message ONE:

From: Frank Morello [mailto:f.morello@usc.edu]
Sent: Wednesday, November 06, 2013 9:32 AM
To: f.morello@usc.edu
Subject: Re: Report from John

Hello, Good Morning. My name is Frank and I am John's assistant. He asked me to forward you a copy of your school report. I have uploaded it for you, please click here [LINK REDACTED] to confirm this report. Thanks! Frank Morello.

Sample Message TWO:

From: Blackboard Notifications [mailto:notifications@now.eloqua.com]
Sent: Wednesday, November 06, 2013 9:21 AM
To: notifications@now.eloqua.com
Subject: New Message Alert - Course Form

Good Morning, Your school has uploaded an important course form for you on the Blackboard Learning System. Click here [LINK REDACTED] to view the course form now Thank you. Blackboard Notifications.



WHAT THIS IS ABOUT: Microsoft is warning users that older versions of Microsoft Word for Windows have a security hole in them that could allow a booby-trapped Word document sent as an e-mail attachment to do Evil Things. But don't panic, it seems to only be targeting Windows Vista and Windows XP computers in the Middle East.

WHO SHOULD READ THIS:
Users of Microsoft Office 2003 through 2010
Users of Windows XP
Office 2013 Users are not affected.
Windows 7 Users are not affected.
Windows 8 Users are not affected.
Macintosh Users are not affected.

WHAT YOU SHOULD DO: As a general practice, avoid opening unexpected attachments sent by strangers. If you are using an older version of Microsoft Office on a Windows XP or Vista computer, then continue with these instructions; otherwise STOP.

There is no full-blown security patch for this problem. Microsoft has instead issued a "Fix it" script as a work-around.
  1. Save your work and close Microsoft Office.
  2. Go to this Microsoft web site: https://support.microsoft.com/kb/2896666
  3. There may be a System Tip near the top of the page; if it says "this article applies to a different version of Windows than the one you are using" then STOP.
  4. Scroll down a bit. There will be two icons of a faceless person in a blue cap and blue overalls wielding a wrench.
  5. Click on the faceless person on the left, Microsoft Fix it 51004. (The other icon is for _UN_installing the Fix it.)
  6. The work-around should install itself. Follow any additional instructions.

ADDITIONAL INFORMATION: This exploit works by having The Bad Guys make a mal-formed graphic (with code) and placing it into a Word document. Then they e-mail the Word document as an attachment. When MS Word on a target machine attempts to display the graphic, it runs Evil Code. The Fix-It work-around doesn't address the root of the problem (older versions of Word shouldn't execute code hidden in Evil Graphics), but beefs up security settings within Word. It's expected that Microsoft will roll out a more permanent fix during a future Patch Tuesday. Microsoft is taking this opportunity to point out that old software is insecure software, that WinXP will not be supported after April 2014, and that bright, shiny new software will keep your data secure.

Warning from Graham Cluley: http://grahamcluley.com/2013/11/microsoft-zero-day-attack/
Microsoft Technical Paper on the Security Hole: http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx
Microsoft Security Advisory: https://support.microsoft.com/kb/2896666



WHAT THIS IS ABOUT: This is a follow-up message about Mavericks (OS 10.9), Apple's latest operating system for the Macintosh. Mavericks is not Totally Evil (I'd give it 2.5 Admiral Ackbars), but, like any major operating system upgrade, it does have some quirks and road-bumps. Install with caution for improved security.

WHO SHOULD READ THIS: Folks running Snow Leopard (10.6), Lion (10.7) or Mountain Lion (10.8) on their Macintosh computers. Older machines may be unable to install the latest Apple operating system. Windows 7 folks may wish to read as a cautionary tale.

WHAT YOU SHOULD DO: If the answer to "Am I using my Macintosh to work on something important that's Due Really Soon?" is YES, then I'd wait to do the update to a less busy time.

If the answer to "Do I use Keynote or Pages a lot?" is YES, then you might want to read http://www.theregister.co.uk/2013/10/28/apples_massive_software_update_fail/ and decide if you can live with a dumbed-down version of Keynote or Pages or if you want to reinstall the previous version after updating to Mavericks.

If the answer to "Do I use Outlook or the Apple Mail client?" is YES, then you might want to consider switching to a web-based e-mail client before upgrading to Mavericks. If you use a web browser (e.g. Firefox, Chrome, Safari) to read UO Web Mail or Gmail, you'll be fine.

If you and your Macintosh are ready to upgrade to Mavericks, then
  - Save all work and close all applications.
  - For extra peace of mind, make a back-up of important work you can't live without.
  - Go to http://www.apple.com/osx/how-to-upgrade/ and follow the instructions there.
  - You will need about a half-hour to download the upgrade (with campus internet connection speeds). Once the upgrade is downloaded, it takes about an hour to install - this is a good time to do other tasks or take lunch.
  - The Macintosh should restart itself during the install process.
  - After about an hour or so, the new operating system should come up and ask you some simple configuration questions, like what's your AppleID and do you want to set up an iCloud account?

I personally think iCloud Keychain is putting all your security eggs in one basket, so I opted out of signing into iCloud - we'll see how often the iMac bugs me to log into iCloud. However, if I had several Apple Devices that I regularly switched back and forth between on a daily basis, I could see how the iCloud Keychain could come in handy. But back on the Geeks-Bearing-Gifts hand, if I'm using my AppleID to purchase Fun Things on my Fun Machine, do I really want that information used on my Work Machine (and vice versa - think credit card charges)?

ADDITIONAL INFORMATION: Although I'm grumbling a bit about Mavericks, installing it should improve the security on Macintoshes. I have installed Mavericks on an iMac which I use mostly for web browsing and trouble-shooting. Other than Mavericks' disinclination to print to a Ricoh Aficio MP 4002 (printing to the MailRoom printer works fine), I have not run into any problems so far, but I have been reading about the odd glitch here and there. The most annoying "upgrade" to me is the loss of the RSS feed in the screen saver (OK, yeah, and the printer driver problem). I have not installed this on my home computer yet, partially because it's an older machine that may not be able to run the latest operating system (it turns out it's too old), and partially because I don't know how well Scrivener (writer's software) works with it (it should).

Links to various articles as I find them: http://pages.uoregon.edu/burridge/UsefulLinks.html#Mavericks
Ars Technica Review of Mavericks (or the "Oh What a Wonderful Feeling!" Five Hour Aria): http://arstechnica.com/apple/2013/10/os-x-10-9/
Mavericks Version of iWork (Keynote, Numbers, and Pages) a Software Update FAIL: http://www.theregister.co.uk/2013/10/28/apples_massive_software_update_fail/
Top 6 Mavericks Annoyances and How To Fix Them: http://www.maclife.com/article/howtos/top_6_mavericks_annoyances_and_how_fix_them
Airdrop Woes Between Apple Devices: http://www.tuaw.com/2013/10/23/alternatives-to-airdrop-between-iphone-and-mac/
Mavericks Mail Woes:
  Gmail: http://www.tuaw.com/2013/10/23/how-mavericks-ruined-apple-mail-for-gmail-users/
  FastMail SMTP & Outlook Servers: http://www.theregister.co.uk/2013/10/27/os_x_mavericks_mail_client_spews_infinite_spam/
Fixing SMB Network Drive Access (NB: this was not a problem for me): http://www.tuaw.com/2013/10/27/did-mavericks-kill-your-network-drive-access-heres-a-fix/
OS X Mavericks breaks multi-monitor setups with some USB displays: http://arstechnica.com/information-technology/2013/10/os-x-mavericks-breaks-multi-monitor-setups-with-some-usb-displays/
A Technical How-To for the Technically Able: http://arstechnica.com/apple/2013/10/how-to-make-your-own-bootable-os-x-10-9-mavericks-usb-install-drive/
Apple's How-To For Installing Mavericks: http://www.apple.com/osx/how-to-upgrade/



WHAT THIS IS ABOUT: Apple is luring people to a new operating system called OS X Mavericks (OS 10.9) with a free update (pause while I ponder if I should dress as Cassandra or Admiral Ackbar).

WHO SHOULD READ THIS:
Macintosh users running OS 10.6 (Snow Leopard), 10.7 (Lion) or 10.8 (Mountain Lion)
Folks using earlier Apple OS may have machines that can't run Mavericks (OS 10.9)
Windows Users are Unaffected

WHAT YOU SHOULD DO: Remember when iOS7 for the iThings had quite a few bugs when it first came out? It's possible my fear of the words "iCloud Keychain" (you want to keep all my Macintosh's passwords on your remote iCloud server?) is totally unfounded, but if folks could hold off updating to the new OS until sometime after Halloween, that will give the world at large (and myself) time to see how everything looks and what bugs lurk deep in the heart of this new operating system.

ADDITIONAL INFORMATION:
OS X Mavericks breaks multi-monitor setups with some USB displays: http://arstechnica.com/information-technology/2013/10/os-x-mavericks-breaks-multi-monitor-setups-with-some-usb-displays/
OS X 10.9 Mavericks: The Ars Technica Review: http://arstechnica.com/apple/2013/10/os-x-10-9/
That iCloud Keychain Thing: http://arstechnica.com/apple/2013/10/os-x-10-9/5/#icloud-keychain
A Technical How-To for the Technically Able: http://arstechnica.com/apple/2013/10/how-to-make-your-own-bootable-os-x-10-9-mavericks-usb-install-drive/
Apple's How-To For Those Who Embrace Bleeding Edge Adoption: http://www.apple.com/osx/how-to-upgrade/



WHAT THIS IS ABOUT: Don't panic. This is a PSA about CryptoLocker -- a nasty piece of ransom-ware -- more than anything else. CryptoLocker is software that encrypts data files on your computer, and then demands hundreds of dollars to unlock the files.

WHO SHOULD READ THIS: Everyone; this is a computer security issue. Macintosh users are not as affected by CryptoLocker as Windows users, but could be vulnerable through file sharing services such as DropBox.

WHAT YOU SHOULD DO: As usual, don't click on unexpected attachment files which show up in your e-mail box. CryptoLocker spreads through e-mail attachments.

An ounce of prevention is worth a pound of cure; keep your operating system updated and make sure to have current antivirus software on your machine. CryptoLocker also spreads through botnets: networks of computers compromised through security holes and under the control of Evil People.

Keep a back-up of important files on a USB or other external device not always connected to the computer. I want to stress that DropBox, GoogleDocs, and MS Skydrive are (wildly convenient) synchronization tools, not back-up tools. If CryptoLocker gets onto a computer connected to networked drives, it will encrypt networked files as well.

If CryptoLocker gets onto your machine and encrypts files, don't pay the ransom. There's no promise that the ransom will be honored. Clean up the computer and restore the unencrypted files from backup.

ADDITIONAL INFORMATION:
Info-Lite Description of CryptoLocker: http://networksunlimited.com/blog/2013/9/13/new-virus-cryptolocker-on-the-rise
Technical Description of CryptoLocker: http://nakedsecurity.sophos.com/2013/10/12/destructive-malware-cryptolocker-on-the-loose/
Video of how CryptoLocker Works: http://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/
CryptoLocker Info with Infomercial Ending: http://www.becktek.ca/2013/10/malware-causing-severe-data-loss-is-on-the-loose-heres-what-to-do/
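The "synchronization tools, not back-up tools" point above can be shown in code. What follows is an added example written for this page, not code from the announcement or from DropBox, GoogleDocs or Skydrive: a sync faithfully mirrors whatever is on disk, encrypted versions included, while a backup keeps its previous snapshots and can refuse a new one that suddenly looks like ciphertext. The file contents are constructed in-memory samples, and both thresholds are assumptions to tune against real data.

```python
"""Tell a backup from a sync: keep the last good snapshot when the source
suddenly looks encrypted.

Added example (not from the announcement or any product it names). The
entropy threshold, the suspicious fraction and the sample trees are all
assumptions constructed for illustration.
"""
import math
import random
from collections import Counter
from typing import Dict, List, Tuple

ENCRYPTED_ENTROPY = 7.0    # bits/byte: documents sit near 4-5, ciphertext near 8 (assumed threshold)
SUSPICIOUS_FRACTION = 0.5  # refuse a snapshot if this share of files flipped to ciphertext (assumed)

Tree = Dict[str, bytes]    # path -> file contents


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of *data*; 0 for empty input, 8 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    return shannon_entropy(data) >= ENCRYPTED_ENTROPY


def assess_snapshot(previous: Tree, current: Tree) -> Tuple[bool, List[str]]:
    """Compare the current source tree with the last good snapshot.

    A file is flagged when it was readable (low entropy) in *previous* and is
    high-entropy now. Returns (safe_to_accept, flagged): one converted file
    may be a legitimately password-protected archive, but a large fraction
    flipping at once is the ransomware signature.
    """
    flagged = sorted(
        name for name, data in current.items()
        if name in previous
        and not looks_encrypted(previous[name])
        and looks_encrypted(data)
    )
    if not previous:
        return True, flagged          # first snapshot: nothing to compare with
    return len(flagged) / len(previous) < SUSPICIOUS_FRACTION, flagged


def take_backup(history: List[Tree], current: Tree) -> Tuple[bool, List[str]]:
    """Append *current* to the snapshot history unless it looks encrypted.

    Unlike a sync, older snapshots stay untouched either way, so a restore
    point survives even if a bad snapshot slips through.
    """
    previous = history[-1] if history else {}
    safe, flagged = assess_snapshot(previous, current)
    if safe:
        history.append(dict(current))
    return safe, flagged


def sync(mirror: Tree, current: Tree) -> Tree:
    """What a DropBox-style sync does: the mirror becomes whatever is on disk."""
    mirror.clear()
    mirror.update(current)
    return mirror


# --- constructed sample data --------------------------------------------
def _ciphertext_like(n: int, seed: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for encrypted output."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


GOOD_TREE: Tree = {
    "thesis.docx": b"Chapter 1. The novel opens with a storm at sea. " * 40,
    "notes.txt": b"meeting notes: follow up with the TLC about tutoring\n" * 40,
    "budget.csv": b"year,quarter,amount\n2013,3,1200\n" * 60,
}
# Every document replaced by same-sized ciphertext, as after an infection.
ENCRYPTED_TREE: Tree = {
    name: _ciphertext_like(len(data), seed)
    for seed, (name, data) in enumerate(GOOD_TREE.items())
}
# Only one file converted: plausible for a user who zipped a file with a password.
PARTIAL_TREE: Tree = {**GOOD_TREE, "notes.txt": ENCRYPTED_TREE["notes.txt"]}


def demo() -> dict:
    """Run a sync and a backup over the before/after trees; report what each kept."""
    mirror = sync({}, GOOD_TREE)
    sync(mirror, ENCRYPTED_TREE)           # the sync dutifully mirrors the ciphertext
    history: List[Tree] = []
    take_backup(history, GOOD_TREE)
    accepted, flagged = take_backup(history, ENCRYPTED_TREE)
    return {
        "sync_has_readable_copy": any(not looks_encrypted(d) for d in mirror.values()),
        "backup_accepted_encrypted_snapshot": accepted,
        "backup_flagged": flagged,
        "backup_snapshots_kept": len(history),
        "backup_has_readable_copy": all(not looks_encrypted(d) for d in history[-1].values()),
    }
```

Running `demo()` shows the sync holding nothing but ciphertext, while the backup keeps its one good snapshot and reports all three files as flagged. The entropy check is a heuristic: a tree full of JPEGs or ZIP archives is high-entropy from the start, which is why only files that were readable in the previous snapshot count as flips.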



WHAT THIS IS ABOUT: Adobe Systems, the folks who bring you Adobe Acrobat and Adobe Reader, has been hacked. Information from 2.9 million Adobe customers has been stolen. This includes customer names, encrypted debit and credit card numbers, and username-password combinations used to download Adobe software. Oh, and the source code for Adobe products, too. (But don't panic, the data was encrypted.)

WHO SHOULD READ THIS: Everyone, alas. The price of freedom is eternal vigilance, even in the panopticon.

WHAT YOU SHOULD DO: Adobe recommends users change their passwords on any website where they may have used the same user ID and password as their Adobe IDs. If you have an Adobe username and password, follow the instructions from Adobe here: http://helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html?promoid=KHQGF

Expect Emergency OMG-They-Found-A-Security-Hole-In-Our-Products! patches from Adobe next week....

ADDITIONAL INFORMATION: So... if you've _personally downloaded_ Adobe Acrobat, Adobe Reader, or Adobe Whatever and been forced to use Adobe's Download Assistant, you've got an Adobe user ID and password. (If a tech person downloaded and installed Adobe stuff for you, then chances are lower that you have an Adobe user ID and password; guess what IT folks all over campus will be doing Friday...) If you've been performing Adobe Software _updates only_, those don't require Adobe username/passwords (usually).

Adobe says it's working with law enforcement and banks to help control the damage. Accounts which Adobe thinks have been compromised will have passwords reset.

This is an object lesson on why one should not use the same password for every web site on the internet. If the Bad Guys figure out your username and password at Adobe, and it's the same as your password on Gmail, or UO Mail, or your bank, it's a pretty safe bet you'll have some identity theft problems.

Adobe's Customer Security Alert (with FAQ at end): http://helpx.adobe.com/x-productkb/policy-pricing/customer-alert.html?promoid=KHQGF
Adobe Does Post-Damage Damage Control: http://blogs.adobe.com/conversations/2013/10/important-customer-security-announcement.html
A Security Expert Gives the Bad News: http://grahamcluley.com/2013/10/adobe-hacked-product-source-code-stolen-customer-database-accessed/
Security Week: http://www.securityweek.com/adobe-confirms-source-code-breach-theft-customer-data
The Unofficial Apple Website: http://www.tuaw.com/2013/10/03/2-9-million-adobe-customer-accounts-compromised/



WHAT THIS IS ABOUT: On October 1, Apple released a firmware update for all MacBook models. The update fixes problems where the laptop loses track of the battery, then obsesses on where the battery is to the exclusion of all else (like user requests).

WHO SHOULD READ THIS:
Users of MacBook Air, MacBook Pro or MacBook Pro with Retina
Users of other kinds of Macintosh Computers are unaffected
Windows users are unaffected.

WHAT YOU SHOULD DO: I haven't come across any electronic wailing or gnashing of teeth about the updates in the 24 hours since the firmware release. This might make a good computer hygiene task after Oct 7; by then any gotchas lurking in the updates should have surfaced. The firmware updates will show up in a regular software update.

  1. Save work and close out any programs.
  2. Go to the Apple Menu.
  3. Choose Software Update.
  4. There should be a pause, then the Mac should say that Software updates are available.
  5. Click on the SHOW DETAILS button.
  6. If the MacBook needs a firmware update, it should be listed in the updated software list; look for the letters SMC.
  7. Make sure there's a check in the box for the update (the default is checked).
  8. Press the INSTALL ITEMS button.
  9. A new dialog box should appear and display the download and installation process.
  10. Follow any remaining prompts. It's possible the machine will need to be rebooted.
ADDITIONAL INFORMATION: Most of these updates require Apple OS 10.7 or OS 10.8, and the file size of the updates is 1MB or less.

The Unofficial Apple Website announcement: http://www.tuaw.com/2013/10/02/apple-releases-smc-firmware-update-battery-fixes-for-macbooks/
MacBook Air SMC Update v1.8: http://support.apple.com/kb/DL1627
MacBook Pro Retina SMC Update v1.2: http://support.apple.com/kb/DL1559
MacBook Pro SMC Firmware Update 1.7: http://support.apple.com/kb/DL1633



WHAT THIS IS ABOUT: Last week, Apple released an update for the operating systems for mobile devices: iOS 7.

WHO SHOULD READ THIS: Folks with iThings. Android cell phone users are not affected. Non-Apple tablet users are not affected.

WHAT YOU SHOULD DO: I personally recommend waiting a week or four before updating to give other folks a chance to find the inevitable gotchas that come with a major operating system upgrade. iOS 7 requires 3.1GB of free memory to upgrade, so you may need to winnow old photos, videos and unused apps. If you want to be cutting edge-cool, update your device's OS yesterday. There's an instruction set here: http://www.macworld.com/article/2048720/how-to-upgrade-to-ios-7.html

ADDITIONAL INFORMATION:
iOS 7 Thoroughly Reviewed: http://arstechnica.com/apple/2013/09/ios-7-thoroughly-reviewed/
There are a raft-load of articles about iOS7 at The Unofficial Apple Weblog: http://www.tuaw.com/tag/ios7
Which iThings can use the Shiny New Parts of iOS7: http://techcrunch.com/2013/06/10/ios-7-leaves-older-iphones-and-ipads-out-of-the-fun/
iOS7 Review (more like an infomercial): http://techcrunch.com/2013/09/17/ios-7-review-apple/
iOS7 Tricks: http://techcrunch.com/2013/09/18/a-few-tricks-all-the-new-ios-7-users-should-know/



WHAT THIS IS ABOUT: Microsoft is in a dither about a security flaw in Internet Explorer which allows Maliciously Crafted Web Pages to Run Malicious Software on your computer.

WHO SHOULD READ THIS: Users of Internet Explorer to browse web pages. Other web browser users are not affected.

WHAT YOU SHOULD DO: There is no permanent patch for this hole, only some configurations you can follow (or have a FixIt script install for you) to mitigate damage. The simplest solution would be to use the Firefox or Chrome browsers.
Firefox download: http://www.mozilla.org/en-US/firefox/new/
Chrome download: https://www.google.com/intl/en/chrome/browser/

If you need to use Microsoft Internet Explorer, there is a temporary "FixIt" patch here: https://support.microsoft.com/kb/2887505
N.B.: This works only for 32-bit versions of Explorer.

Microsoft values your computer security, so while there isn't a permanent patch available yet, there should be one next Patch Tuesday (October 8), or possibly sooner if Microsoft thinks this is a large enough hole.

ADDITIONAL INFORMATION: The current Microsoft stance on this appears to be "Oh, hey; we've noticed The Bad Guys are kind of starting to hijack your computers with this Internet Explorer security hole. But it's only a limited number of Bad Guys. So, um, be a little careful out there. Here's safety guidelines our lawyers said we should give you."

Microsoft's Technical Advisory: http://technet.microsoft.com/en-us/security/advisory/2887505
Microsoft's Blog about Microsoft's Technical Advisory: http://blogs.technet.com/b/msrc/archive/2013/09/17/microsoft-releases-security-advisory-2887505.aspx
Ars Technica article: http://arstechnica.com/security/2013/09/microsoft-issues-fix-to-stop-active-attacks-exploiting-serious-ie-bug/



WHAT THIS IS ABOUT: Evil People are pretending to be computer security folks and are sending phishing attempts disguised as anti-phishing messages.

WHO SHOULD READ THIS: All UO e-mail users.

WHAT YOU SHOULD DO: If you received a message from "webinfo" [see below] or if you receive a message saying something along the lines of "Your account has been blocked (or expired or possibly compromised), please go to [some website] to restore (or verify) it," then delete the message. Please do not follow any links in it. It's a trick. For extra Good Internet Citizen points, you can report it by forwarding it to phishing@uoregon.edu (be sure to include the e-mail's full headers). If you have responded to this phishing email, please contact the Central Computing Help Desk in the basement of McKenzie (346-HELP or helpdesk@uoregon.edu).

ADDITIONAL INFORMATION: The University's Information Technology Department maintains some useful sites here:
http://security.uoregon.edu/node/37.html
https://it.uoregon.edu/node/2022
And you can use https://duckid.uoregon.edu/ to manage your electronic accounts with the University.

To take a closer look at the phishing attempt:

The message opens up with statistics, because statistics make the sender sound authoritative. Then the message attempts to disarm the recipient's suspicions by A) providing a Capitalized Bogus Division of Security Name and B) masquerading as a PSA.

The second paragraph uses words like "advised" and "verify." Again, this is to try to establish the sender's authority, and to connect with the recipient's reptilian brain by the use of fear of a hacked account.

The site the e-mail sends you to looks like it's a uoregon site, but it doesn't end in uoregon.edu, it ends in webform.com.

The message concludes with another attempt at computer security fear-mongering to get you to comply with the request to visit the link.

A legitimate message from Central Computing would close with contact information for the Help Desk in McKenzie Hall, or would include specific contact information from Jon Miyake, Senior IT Policy & Security Administrator. This message doesn't, but does append a copyright notice (because, you know, we don't want anyone to infringe on this message by copying it without proper compensation to the University).

Phishing e-mail text (links redacted)

---------- Forwarded message ----------
From:
Date: Thu, Aug 29, 2013 at 8:18 AM
Subject: University of Oregon Webmail
To: Recipients

As phishing schemes become more sophisticated with phishers being able to convince up to 50% of recipients to respond, it has become increasingly important for The Division of Information Protection and Security at the Office of Information Technology to inform you that we are seeing an increase in email accounts that have been compromised by phishes.

As a result you are advised to verify your account to confirm that it has not been compromised by phishes. To verify your account, please click and follow the verification link below or simply copy and paste it into your web browser; https://uoregon.webform.com/[redacted)]

To ensure full protection of your account, please take a few minutes now - it could save you a lot of time and frustration later.

Copyright 2013 University of Oregon. All rights Reserved 1585 E. 13th Avenue Eugene Oregon, 97403 Phone: 541-346-1000
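The "it doesn't end in uoregon.edu, it ends in webform.com" test above, which also catches the bait links in the earlier "Frank" and "Blackboard Notifications" messages and the webmail "migration" link, can be made mechanical. The following is an added example written for this page, not code from the University or from any of the announcements: TRUSTED_DOMAINS is an assumption, and the sample links are constructed stand-ins (the real phishing links were redacted) whose hosts are modelled on the messages quoted here.

```python
"""Classify the host a link actually points at, the way the "ends in
webform.com, not uoregon.edu" check above does by eye.

Added example, not code from the University or the announcements.
TRUSTED_DOMAINS is assumed; the sample links are constructed placeholders.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# The domain legitimate mail from Central Computing sends people to (assumed).
TRUSTED_DOMAINS = ("uoregon.edu",)


def link_host(url: str) -> Optional[str]:
    """Lowercase hostname of *url*, or None if it has none.

    urlsplit discards "user:pass@" credentials, so a link such as
    http://uoregon.edu@example.net/ resolves to the host example.net: the
    "uoregon.edu" before the @ is bait, not the destination.
    """
    host = urlsplit(url.strip()).hostname
    return host.rstrip(".") if host else None


def under_domain(host: str, domain: str) -> bool:
    """True only if host is domain itself or a label-boundary subdomain of it.

    A substring or startswith test would accept uoregon.webform.com and
    uoregon.edu.example.net; requiring the ".domain" suffix does not.
    """
    return host == domain or host.endswith("." + domain)


def classify_link(url: str) -> str:
    """'trusted', 'lookalike' (trusted name used as bait) or 'external'."""
    host = link_host(url)
    if host is None:
        return "external"
    if any(under_domain(host, d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # The first label of a trusted domain turning up elsewhere in the host is
    # the pattern the announcement describes (uoregon.webform.com).
    if any(d.split(".")[0] in host for d in TRUSTED_DOMAINS):
        return "lookalike"
    return "external"


def find_links(text: str) -> Dict[str, str]:
    """Classify every http(s) link in an e-mail body (simple whitespace split)."""
    links = {}
    for tok in text.split():
        if tok.lower().startswith(("http://", "https://")):
            url = tok.rstrip(".,;)")
            links[url] = classify_link(url)
    return links


# Constructed sample body; the hosts are placeholders, not the real links.
SAMPLE_BODY = """\
To verify your account, please click https://uoregon.webform.com/verify now.
Manage your account at https://duckid.uoregon.edu/ instead.
Migrate today: http://example.net/f/uoregon.edu
Your report: http://uoregon.edu@example.net/report
"""
```

`find_links(SAMPLE_BODY)` marks only the duckid link as trusted; the webform link is a lookalike, and the two example.net links are external even though "uoregon.edu" appears in their path or before an @ sign, which is exactly the part of the link a reader's eye lands on.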



WHAT THIS IS ABOUT: Apple will start a buy-back program for third-party USB adaptors for some of its products.

WHO SHOULD READ THIS: Users who have bought _non-Apple_ produced USB re-chargers for their iPhones, iPads, or iPods and who are worried about spontaneous combustion. Dell, HP, Android and other hardware users are not affected.

WHAT YOU SHOULD DO: If you have a third-party USB power adaptor for an iPhone, iPad, or iPod, you can bring it in to a Certified Apple Dealer and buy a safety-approved, official Apple-made adaptor. To quote from TUAW:

"To qualify for a new specially-priced US$10 Apple USB power adapter, you must bring your third-party adapter and your iPhone, iPad, or iPod to an Apple Retail Store or an Apple Authorized Service Provider. The retailers will validate the serial numbers and you can buy one adapter for each iOS device you bring in until October 18, 2013. Not all Apple Authorized Service Providers may be participating in the buyback program, so check Apple's site for potential locations."

As of this writing, neither the UO Bookstore nor the Hardware Desk in McKenzie is participating in the USB Takeback program.

ADDITIONAL INFORMATION:
The Unofficial Apple Website article: http://www.tuaw.com/2013/08/06/apple-begins-takeback-program-to-replace-third-party-usb-charger/
Official Apple Announcement: http://www.apple.com/support/usbadapter-takeback/
What Official Apple Adapters are Officially Supposed to Look Like: http://www.apple.com/power-adapters/
Apple Sales Locations for Eugene (hint, they're off-campus): https://locate.apple.com/sales/?pt=all&lat=43.9697922&lon=-123.2005853



WHAT THIS IS ABOUT: A newly discovered, unpatched security hole in Internet Explorer 8 is being used to download backdoor trojan horse software onto computers.

WHO SHOULD READ THIS: Computer users who use Internet Explorer 8 (especially if they test nuclear weapons for the Department of Energy). Users of other versions of Explorer are not affected.

WHAT YOU SHOULD DO: There is no fix for this security hole at this time. Microsoft recommends using a different version of Explorer. If using a different version is not possible, Microsoft suggests increasing the security settings for ActiveX within Explorer (which may break some things).

Lifted from http://technet.microsoft.com/en-us/security/advisory/2847140, to raise the browsing security level in Internet Explorer, perform the following steps:

  1. On the Internet Explorer Tools menu, click Internet Options.
  2. In the Internet Options dialog box, click the Security tab, and then click Internet.
  3. Under Security level for this zone, move the slider to High. This sets the security level for all websites you visit to High.
  4. Click Local intranet.
  5. Under Security level for this zone, move the slider to High. This sets the security level for all websites you visit to High.
  6. Click OK to accept the changes and return to Internet Explorer.
Note: If no slider is visible, click Default Level, and then move the slider to High.

Note: Setting the level to High may cause some websites to work incorrectly. If you have difficulty using a website after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

ADDITIONAL INFORMATION: This particular Internet Explorer security hole is being used in what is called a "watering hole attack." Malware is installed on a site (in this particular instance a Department of Labor web site) likely to be visited by members of a target institution (in this case, Department of Energy employees). The malware being installed is a trojan back-door package known as "Poison Ivy."

Microsoft's Security Advisory on this Issue: http://technet.microsoft.com/en-us/security/advisory/2847140
Ars Technica: http://arstechnica.com/security/2013/05/internet-explorer-zero-day-exploit-targets-nuclear-weapons-researchers/
Invincea's technical write-up: http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/



WHAT THIS IS ABOUT: A Microsoft Windows 7 Security Update is causing _some_ Windows 7 machines to display an error message (Event ID 55 or a 0xc000021a Stop error) instead of starting up properly. Microsoft is aware of the problem and has removed the offending Security Update 2823324 update from its download utility.

WHO SHOULD READ THIS:
Windows 7 users.
Windows XP users are not affected.
Windows 8 users are not affected.
Macintosh users are not affected.

WHAT YOU SHOULD DO: Locate a Windows 7 install CD, which may be needed. If you have a machine that doesn't have a CD drive, all is not lost, but recovery may be trickier.

A. If the security update has been installed, but the problem hasn't manifested: In Control Panel, open Programs, and then click View Installed updates. Select Security Update for Microsoft Windows (KB2823324), and then click Uninstall to uninstall the security update.

B. If the Windows 7 machine doesn't start and instead displays worrisome error messages like Event ID 55 or a 0xc000021a Stop error, then go back to a previous Windows Restore Point. There are several ways to do this; the simplest is probably:
  1. Restart by using the F8 key.
  2. Select Repair your Computer.
  3. Select the language, and then log on to the computer. (NOTE: If you do not know the local password, you must start by using a Windows 7 DVD or USB bootable media. Then, access System Recovery Options.)
  4. Select System Restore from the menu.
  5. Restore the last restore point. This uninstalls security update 2823324.
  6. Restart the computer into normal mode.

Other recovery options are listed under "Scenario B: Recovery steps for computers...." about half-way down the web page: http://support.microsoft.com/kb/2839011

ADDITIONAL INFORMATION:
Sophos Report about the Patch Tuesday Bug: http://nakedsecurity.sophos.com/2013/04/12/patch-tuesday-fatal-system-error/
Microsoft Response: http://blogs.technet.com/b/msrc/archive/2013/04/11/kb2839011-released-to-address-security-bulletin-update-issue.aspx
Microsoft Triage Page leading to other Microsoft pages: http://support.microsoft.com/kb/2839011
Instructions for using the Bootrec.exe tool (this is a heavy duty utility for fixing start-up problems): http://support.microsoft.com/kb/927392



WHAT THIS IS ABOUT: A recent upgrade to INB broke Banner for some Macintosh users.

WHO SHOULD READ THIS: Macintosh OS 10.6 users who need to use Banner.

WHAT YOU SHOULD DO: Visit this page http://support.apple.com/kb/HT5559 and run the scripts to enable Apple's Java 6 SE.

ADDITIONAL INFORMATION: Cue the Wagner. Imagine the forces of Apple, Sun Microsystems, Oracle, and Microsoft arrayed over a misty craggy setting... the end user has to endure twenty hours of opera and dies at the end.



WHAT THIS IS ABOUT: Adobe is reporting about a recently discovered security flaw in Acrobat and Reader which could allow a maliciously designed PDF file to crash and potentially take over your computer.

WHO SHOULD READ THIS: People who use Adobe Acrobat and Reader:
+ Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
+ Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
+ Adobe Reader 9.5.3 and earlier 9.x versions for Windows, Macintosh & Linux
+ Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
+ Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
+ Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh

WHAT YOU SHOULD DO: Currently, there is no patch for this security flaw. In general, be mindful when opening PDFs, especially ones e-mailed from strangers. (If it helps you to be more cautious, imagine a five-year-old sniffling with a runny nose every time you see a PDF attachment in e-mail.)

Windows Users: If you have version XI of the software, go into the preferences, select "Security (Enhanced)" and choose "Enable Protected Mode at Startup" for ALL FILES.

Macintosh Users: The Macintosh version of the Acrobat software does not have a protected mode option. Macintosh users may opt to use the Preview application to look at PDFs.

ADDITIONAL INFORMATION:
https://www.adobe.com/support/security/advisories/apsa13-02.html
http://nakedsecurity.sophos.com/2013/02/14/no-patch-yet-for-pdf-exploits/



WHAT THIS IS ABOUT: This is a public service announcement about LAP LAMBERT Academic Publishing, a vanity "academic" press.

WHO SHOULD READ THIS: Folks who have received e-mail solicitations from one of this publishing house's "acquisition editors."

WHAT YOU SHOULD DO: Delete e-mail from this company. Hang onto your author's rights.

ADDITIONAL INFORMATION:
http://scholarlyoa.com/2012/11/05/lambert-academic-publishing-a-must-to-avoid/
http://en.wikipedia.org/wiki/VDM_Publishing
http://chrisnf.blogspot.com/2010/06/lambert-academic-publishing-continues.html



WHAT THIS IS ABOUT:
Oracle has released release 11 of Java version 7 to fix a critical security flaw.

WHO SHOULD READ THIS:
Everyone. This is a cross-platform security issue.

WHAT YOU SHOULD DO:

I.A Macintosh Users with OS 10.6 (Snow Leopard) or Older:
Older Macintoshes use a version of Java provided by Apple.
1. Save your work and close all applications.
2. Go to Apple -> Software Update. A dialog box will appear showing the Macintosh's progress downloading updates. Eventually, a new dialog box should appear.
3. The new dialog box should list software updates the utility wants to install. Click the blue INSTALL button to install updates, if any.
4. A new dialog box should appear showing the status of the installation. This may take some time, depending on how many installs there are. Eventually, the Macintosh should display a dialog box which reads "The update was installed successfully." Click OK.
Skip to the instructions in II.A.

------

I.B Windows Users and Macintosh Users with OS 10.7 (Lion) or Newer:
Determine if Java is installed on your machine.
1. Go here: http://www.java.com/en/download/installed.jsp
You should see a red button with the words "Verify Java version" on it. If there is no big red button, but instead you see a message about visiting Apple, your computer is a Macintosh running older operating system software: please read the previous section above.
2. Click the red verify button. The browser will pause, then display a new window.
3a. If the web site reports that you do not have Java installed, STOP (no Java = no Java security hole). You're done. Close the browser.
3b. If the web site reports that you have Java version 7 release 11 installed, you have the latest release. Proceed to the next section.
3c. If the web site reports that you have an older version of Java, update to Java 7 release 11.

-------

II.A Disabling Java within Browsers:
Once Java's status is confirmed, and assuming Java is installed on the computer, follow the instructions here to limit how it interacts with web browsers: http://www.java.com/en/download/help/disable_browser.xml

ADDITIONAL INFORMATION:
NB: Users of older Macintosh computers (10.6 Snow Leopard or older) use an Apple-flavored version of Java 6. Java 7 is not available for OS 10.6 and older because....
"The Java Runtime depends on the availability of an Application programming interface (API). Some of the API were added in Mac OS X 10.7.3. Apple has no plans to make those API available on older versions of the Mac OS."

FAQ for Macintosh Java Users:
http://www.java.com/en/download/faq/java_mac.xml
About Java for Mac OS X v10.6 Update 11:
http://support.apple.com/kb/HT5494
Oracle patches widespread Java zero-day bug in three days (Updated):
http://arstechnica.com/security/2013/01/oracle-patches-widespread-java-zero-day-bug-in-just-three-days-that-is/
Oracle releases v11 fix for zero-day Java security flaw:
http://www.tuaw.com/2013/01/14/oracle-releases-fix-for-zero-day-java-security-bug/
Some Responses to Java Security Flaws for Apple Users:
http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/



WHAT THIS IS ABOUT:
Thursday, Jan 10, 2013, someone e-mailed phishing attempts to people with UO e-mail accounts (see message below).

WHO SHOULD READ THIS:
Everyone.

WHAT YOU SHOULD DO:
If you receive a message saying something along the lines of "Your account has been blocked (or expired), please go to [some website] to restore it," then, in the words of Admiral Ackbar, "IT'S A TRAP!" The university will never ask for personal information via email.

Please delete the phishing attempt or report it by forwarding it to phishing@uoregon.edu (be sure to include the e-mail's full headers). Do NOT click on the link provided in the phishing email. If you have responded to this phishing email, please contact the Central Computing Help Desk in the basement of McKenzie (346-HELP or helpdesk@uoregon.edu).

ADDITIONAL INFORMATION:
https://it.uoregon.edu/node/2022
http://security.uoregon.edu/node/37.html

COPY OF THE PHISHING E-MAIL:
-------- Original Message --------
Subject: **{Suspension Of Your Email uoregon.edu}**
Date: 2013/01/10 18:01
From: "University of Oregon Support"
To: Recipients
Reply-To: noreply@uoregon.edu

Access to this server is available from your location through the Universal Resource Locator Click or Copy the below link to a browser and fill the required information's:https://docs.google.com/spreadsheet/[ADDRESS REDACTED]



WHAT THIS IS ABOUT:
The power (and network) is still out in Straub (and for much of Campus east of Straub). We have it from a reliable source in Campus Operations that power will continue to be out for the rest of the day. Several locations are ahead of Straub on the restoration priority list. The Psychology Department Admin Staff has been sent home for the day. Instructors may teach classes in Straub at their discretion.

WHO SHOULD READ THIS:
People who can't see in the dark, or who can't improvise when PowerPoint isn't an option.

WHAT YOU SHOULD DO:
Consider working from the comfort of home or another place still blessed with the wonders of electricity, heat, and an internet connection. If you are teaching in Straub, the daylight should provide lighting for students to see you and their notes. Signs in Straub are directing students to various classrooms.

This may be a germane time to review safety procedures -- do you have a working flashlight in your office? The University sends text alerts during emergencies (like this one) to people who sign up with their cell phones: http://emc.uoregon.edu/content/sign-uo-alert (Guess who had to rely on his co-workers and go access the UO wireless in the EMU for good information because he didn't set up his phone?)

ADDITIONAL INFORMATION:
For up-to-date information: http://alerts.uoregon.edu/
Explosions on Campus (photos): http://dailyemerald.com/2013/01/07/photos-explosion-on-campus/
Daily Emerald Coverage: http://dailyemerald.com/2013/01/07/university-reports-emergency-incident-at-health-center/
KVAL Coverage: http://www.kval.com/news/local/Emergency-crews-evacuate-UO-health-center-185904912.html



WHAT THIS IS ABOUT:
An infrastructure failure (and fire!) in the steam tunnel underneath Agate Street has knocked out power in Straub Hall. There is no electrical power nor network service in Straub. We're not sure if there is steam service to Straub.

WHO SHOULD READ THIS:
Everyone who likes to use modern technology.

WHAT YOU SHOULD DO:
There is no timetable for when services will be restored. If you can work from home, this may be the most productive strategy. You may wish to bring auxiliary light sources to navigate some of the darker corners of Straub.

ADDITIONAL INFORMATION:
http://alerts.uoregon.edu/



WHAT THIS IS ABOUT:
CERT has released three critical security notes about the Adobe Shockwave Player. Shockwave is media software used by some web pages and in some e-mail messages to display animations. The vulnerabilities in Shockwave could allow Evil People using a Malicious Web Page or E-mail Message to run your computer as if they were you. Don't panic too much; Shockwave has been superseded by Adobe Flash Player, and is more likely to be installed on older machines or on computers used to play arcade-style games.

WHO SHOULD READ THIS:
Folks who use Shockwave. Shockwave runs on both Windows and Macintosh platforms. Folks who do not use Shockwave are not affected.

WHAT YOU SHOULD DO:
Find out if you have Shockwave installed.
1) Steel your resolve to _not_ install anything. Don't do the stimulus-response-point-and-click thing.
2) Visit http://www.adobe.com/shockwave/welcome/ which will try to automatically download stuff. Don't let it. If something automatically downloads, don't run it.
3a) If the web page doesn't play an animation under the words "Adobe Shockwave Player" then you can rejoice in the knowledge that its vulnerabilities don't affect you. (Yay!) Close your browser window.
3b) If the web page does play an animation, then you have Shockwave and are vulnerable to the exploits. There are several options.

The easiest is to uninstall Shockwave (which means unsteeling your resolve and downloading some utilities...)
Windows XP users can use this utility: http://fpdownload.macromedia.com/get/shockwave/uninstall/win/sw_uninstaller.exe
Macintosh users will have to run the Full Shockwave Installer (which includes the uninstaller). The Full Installer may be found here: http://www.adobe.com/shockwave/download/alternates/#sp Click on the link for your Macintosh's operating system.

If you need to keep Shockwave, there are some work-arounds to try to mitigate the vulnerabilities. These include:
Making sure your web browser is secure: http://www.us-cert.gov/reading_room/securing_browser/#how_to_secure
Using the Microsoft Enhanced Mitigation Experience Toolkit: http://support.microsoft.com/kb/2458544
Additional, scarily technical work-arounds may be found in the CERT advisories (see below).

ADDITIONAL INFORMATION:
http://www.kb.cert.org/vuls/id/519137
http://www.kb.cert.org/vuls/id/323161
http://www.kb.cert.org/vuls/id/546769
http://helpx.adobe.com/shockwave/kb/shockwave-player-faq.html
http://helpx.adobe.com/shockwave/kb/download-shockwave-stand-alone-installer.html



WHAT THIS IS ABOUT:
The UO site-license for SPSS will expire December 31, 2012. As of this writing, a shiny bright new license for 2013 is still being finalized.

WHO SHOULD READ THIS:
Researchers using UO licensed copies of SPSS.

WHAT YOU SHOULD DO:
If you anticipate the need for statistical analysis around the hinge of the year, it would be a good thing to do it earlier rather than later, OR arrange to perform the analysis in mid-January to avoid that awkward moment when the results of chi squared are "your license has expired." As soon as Central IT has the licensing codes for SPSS available, I'll inform folks.

ADDITIONAL INFORMATION:
http://pages.uoregon.edu/burridge/SPSShelp.html
https://it.uoregon.edu/software/spss



WHAT THIS IS ABOUT:
Don't panic; things seem to be working as of 10 AM. Gmail, Google Calendar, Google Plus and other Google services appeared to have technical difficulties early Monday morning, Dec 10. In addition to breaking Gmail, in some cases the Chrome web browser would crash.

WHO SHOULD READ THIS:
People who use the Chrome web browser and have configured it to automatically sync with Google services. People who use other browsers are unaffected.

WHAT YOU SHOULD DO:
The report I've read says that this appeared to be an authentication issue with Google. The problem appears to be fixed as of this writing. My experience was that Chrome crashed, but when I rebooted my Macintosh, the problem fixed itself. Various Google services I've since tested (via both MacBook and iPad) appear to be working properly.

If you continue to have difficulties with the Chrome Browser crashing, try the following: Start Chrome. Click on your user avatar in the upper right-hand corner; a menu should appear. Click on Sign-out. This should allow you to use Chrome without it crashing. From there, you'd want to see if you can connect to G-mail or Google Plus.

ADDITIONAL INFORMATION:
http://techcrunch.com/2012/12/10/gmail-experiences-a-widespread-outage-most-users-affected/



WHAT THIS IS ABOUT:
Central IT is updating the security certificates on the e-mail servers Tuesday, Oct 30.

WHO SHOULD READ THIS:
Everyone. This is a campus-wide e-mail issue.

WHAT YOU SHOULD DO:
When you use e-mail for the first time Tuesday morning, you will be prompted to accept a new security certificate from the e-mail server. This will look scary and suspicious, but it is expected and legitimate (think of it as an early cyber-version of Trick-or-Treat). Accept the new security certificate (this should only happen once for each computer you read e-mail on), and continue to enjoy your normal e-mail experience. Those who are mistrustful of the phrase "in the unlikely event" may wish to attend to any pressing e-mail business Monday.

ADDITIONAL INFORMATION:
Begin forwarded message:
From: helpdesk@uoregon.edu
Date: October 25, 2012 10:44:09 AM PDT
To: deptcomp@lists.uoregon.edu
Subject: deptcomp: Scheduled email SSL certificate renewal on 10/30/12
Reply-To: deptcomp@lists.uoregon.edu

All-
On Tuesday, October 30, 2012 from 5am to 7am, Information Services will be renewing the SSL certificates for the POP, IMAP, and SMTP email servers. There will be NO SERVICE OUTAGE during this time. If you are using an email client, such as Mac Mail, Outlook, or Thunderbird, you may be prompted to accept the new security certificate. This announcement is to inform you of the SSL certificate renewal in the unlikely event that issues arise.

Please contact the Information Services Help Desk at 541-346-HELP (4357) with questions or problems. Please forward this message to customers and other groups as needed.

Sincerely,
UO Information Services HelpDesk
541-346-HELP
helpdesk@uoregon.edu
facebook.com/UOHelpDesk | twitter.com/UOHelpDesk



WHAT THIS IS ABOUT:
The latest update for Java may break Banner.

WHO SHOULD READ THIS:
Macintosh users with Java installed (required for Banner)
Windows users with Java installed (required for Banner)
Chrome browser users

WHAT YOU SHOULD DO:
Many computer security folks are throwing their hands into the air and saying, "If you don't need Java, uninstall it." However, Banner and some other university business related software requires Java.

* Windows Users:
Any Windows users who are encountering difficulties with Java 7 should do the following:
1) Quit the browser.
2) Clear your browser caches. See instructions at http://pages.uoregon.edu/leblanc/Clear%20Firefox%20and%20IE%20Cache.pdf.
3) Empty your Java cache. See instructions at https://it.uoregon.edu/faq/how-do-i-clear-my-java-cache.

* Macintosh Users:
A) If you have not yet run Software Update, you may still be running Java 6. If the Software Update comes up, you may be better served by _not_ installing the Java update.
B) If you've already installed Apple Java Update 11, and you use the Firefox or Safari web browser, all is not lost.
1) Go into the Finder (click the left-most icon on the dock, or click on the Desktop)
2) Go into the Applications folder (Go menu > Applications)
3) Click once on the Safari or Firefox icon, and select File > Get Info
4) Confirm that the “Open in 32-bit mode” box is unchecked (uncheck it if not) and close the Get Info window
Chrome Browser users are in a bind, as Chrome only runs in 32-bit mode.

ADDITIONAL INFORMATION:
http://support.apple.com/kb/HT5494
http://support.apple.com/kb/HT1222

Begin forwarded message:
From: David Walton
Date: October 19, 2012 4:24:21 PM PDT
To: "Departmental Computing List (deptcomp@lists.uoregon.edu)"
Subject: deptcomp: Problems with recent Java updates
Reply-To: Departmental Computing List

Folks,
The latest round of Java updates has been causing some problems on both Windows and Macintosh platforms. We don’t have a detailed procedure for resolving the problems on the Macintosh side yet, but I wanted to alert people to the problems we’ve heard about, and where available, to suggest what you can do to resolve them.

On the Windows side: some users have reported hanging problems when they updated Java to the latest version (others, it should be noted, have applied it without any issues). Any Windows users who are encountering difficulties should do the following:
- Quit the browser (close all browser windows).
- Clear their browser caches. See instructions at http://pages.uoregon.edu/leblanc/Clear%20Firefox%20and%20IE%20Cache.pdf.
- Empty their Java cache. See instructions at https://it.uoregon.edu/faq/how-do-i-clear-my-java-cache.

On the Macintosh side: the latest Java update that Apple released for Mac OS X (Java for OS X 2012-006) removes support for the Java plugin. As a result, Banner (and any other applets) will not load after users run the update. One user managed to resolve it by reinstalling the 6.0 plugin and doing some trickery behind the scenes (creating a symlink to the newly installed plugin in /Library/Internet Plug-Ins/), and I am using his notes to put together the instructions for doing that, but unfortunately, the fix is not really an official Apple-supported one, so I’ll need to talk it over with some people before we release an FAQ. Unfortunately, since the problem stems from an Apple-supplied software update, I suspect we will start to hear from users in fairly short order.

If you have encountered either of these problems and have found fixes other than what I alluded to, please let me know and I’ll try to include it in the FAQ.

David Walton
~~~~~~~~~
David Walton
Enterprise Systems Developer, Enterprise Administrative Applications
University of Oregon
Mail: walton2@uoregon.edu
Voice: 541-346-1798

Archives of past DeptComp postings can be found on the Web page http://pages.uoregon.edu/consult/deptcomp/

ADDITIONAL ADDITIONAL INFORMATION:
To follow up on Chris’s note: Chrome will not run Java 7 on Mac OS X at all, as it only runs in 32-bit mode.
To make sure that Firefox or Safari is running in 64-bit mode on Mac OS X:
- Go into the Finder (click the left-most icon on the dock, or click on the Desktop)
- Go into the Applications folder (Go menu > Applications)
- Click once on the Safari or Firefox icon, and select File > Get Info
- Confirm that the “Open in 32-bit mode” box is unchecked (uncheck it if not) and close the Get Info window
Note that this should only be necessary if you are running Java 7.

David
~~~~~~~~~
David Walton
Enterprise Systems Developer, Enterprise Administrative Applications
University of Oregon
Mail: walton2@uoregon.edu
Voice: 541-346-1798

From: Chris LeBlanc
Sent: Monday, October 22, 2012 9:46 AM
To: Departmental Computing List
Cc: David Walton
Subject: Re: deptcomp: Problems with recent Java updates

Just to let folks know, you can run into the blank screen instead of Java loading if the browser is running in 32-bit mode, since the Java applet is now 64-bit only.
Thanks,
Chris



WHAT THIS IS ABOUT:
Adobe has released a security fix for 25 security holes in the Adobe Flash Player. Unpatched holes could allow a malicious person to run Evil Software on your computer. The Flash Player is software that displays moving pictures on web pages.

WHO SHOULD READ THIS:
Windows, Macintosh, and mobile users of Adobe Flash Player.

WHAT YOU SHOULD DO:
Microsoft and Google released new versions of Internet Explorer and Chrome which update
++ Windows Users using Internet Explorer:
Set aside some time. Confirm that Windows Update has run since Oct 9.
START -> All Programs -> Windows Update
Let Windows Update install any critical updates.
++ Folks (Windows OR Mac) using Google Chrome:
Start Chrome. Go to Chrome -> About Google Chrome. A new browser window will open. Confirm that you're using Version 22.0.1229.94; if you are not, Chrome will prompt you to update.
++ Other browser users (Windows OR Mac):
Start your browser of choice. Go to http://get.adobe.com/flashplayer/ and follow any update instructions.

ADDITIONAL INFORMATION:
Adobe's Security Bulletin: http://www.adobe.com/support/security/bulletins/apsb12-22.html
Adobe fixes 25 critical security holes in its software: http://nakedsecurity.sophos.com/2012/10/09/adobe-security-update/
Microsoft Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10: http://technet.microsoft.com/en-us/security/advisory/2755801



WHAT THIS IS ABOUT:
An e-mail sent out in the last twenty-four hours claimed to be from "Customer care, University of Oregon Webmail" and included a (bogus) link to verify active UO Webmail account information. This is really a phishing attempt; the e-mail message is attempting to send you to a bogus web site and trick you into revealing personal information. Central IT is now blocking the bogus web site.

WHO SHOULD READ THIS:
Everyone with a UO e-mail account.

WHAT YOU SHOULD DO:
If you receive an e-mail that seems suspicious...
+ Don't follow any links in the e-mail.
+ It's OK to ask the Psych Tech staff (psychtech@ithelp.uoregon.edu) or the folks at Central IT (phishing@uoregon.edu) if the message is bogus or real.
+ When in doubt, delete the message.

ADDITIONAL INFORMATION:
https://it.uoregon.edu/node/2022
http://security.uoregon.edu/node/37.html

Jon K. Miyake, Senior IT Policy and Security Administrator at the UO, recommends:

* Never respond to e-mail that asks for personal or financial account information.
Information Services will never send out e-mail asking for account usernames, passwords, and PAC codes. Ever. This type of information should never be sent to anyone over e-mail.

* Do not trust 'urgent' e-mail demands for action.
It is a common phishing technique to foster a false sense of urgency in order to provoke a response. Do not be afraid to ask your local technical support staff or the IS Helpdesk if an e-mail is phishing before using information contained in the e-mail or replying to the e-mail.

* Do not trust company phone numbers in e-mail.
If you believe the e-mail that you have received to be a phishing attempt but are concerned that it may actually be real and not fraudulent, please directly contact the purported sending institution. Do not use the information from the suspect e-mail. Be sure to use phone number or e-mail information published on their official website or other established resource. Information Services has seen phishing e-mails that utilize VOIP phone numbers with 503 and 541 area codes to encourage recipients to provide confidential information over the phone to phishers.

* Do not trust unexpected e-mails that contain attachments or website links.
Be careful when accessing attachments and website links that you receive via e-mail. For suspect e-mails, please ask your local technical support staff or the IS Helpdesk if an e-mail is fraudulent or contains malicious content, prior to accessing the attachment or website link.

* Do not visit fraudulent websites referenced in phishing e-mails.
Increasingly the phishing e-mails you receive may not just be attempting to gain access to your usernames and passwords. If you click on the phishing website link, the website may then attempt to automatically compromise your workstation via security issues that can exist with your web browser or associated web plugins (Flash, Java, Acrobat, etc.)

* Use a web browser that has anti-phishing capability.
From past experience, Chrome and Firefox have a faster turn-around time in labeling phishing websites as fraudulent. You may wish to use Chrome or Firefox over other browsers for this and other reasons. If you prefer not to use Firefox or Chrome, there may be anti-phishing plugins or similar functionality that you can enable in your preferred browser.

Information Services has a phishing@uoregon.edu e-mail address that you can use to send in questions about phishing and examples of phishing attempts that you receive. For phishing samples please include the full e-mail header. If you are unfamiliar with e-mail full headers, the Information Services Helpdesk has a web page that explains how to enable full headers for a variety of popular e-mail clients.
https://it.uoregon.edu/full-email-headers

We would appreciate it if you would limit phishing examples that you send to be strictly those directed at gaining access to UO credentials, such as the UO Duck ID. Phishing attempts for 3rd party institutions such as banks, online retailers, and similar should be sent directly to those organizations as they are better able to effectively address such phishing attempts.



WHAT THIS IS ABOUT:
A recently discovered, and as-of-yet unpatched, security hole in Microsoft Internet Explorer could allow Evil People to take over your Windows-based computer if they tricked you into visiting an Evilly Designed Web Page.

WHO SHOULD READ THIS:
Microsoft Windows users using Internet Explorer to browse the web. Other browsers are not affected by this exploit. Windows Users without Java installed on their computers are unaffected. Macintosh users are not affected by this exploit.

WHAT YOU SHOULD DO:
The wicked-easy option is:
1) Download and use web browser alternates such as Firefox (available here: http://www.mozilla.org/en-US/firefox/new/) or Chrome (https://www.google.com/intl/en/chrome/browser/).

If you need to use Internet Explorer and migrating to a different browser is not an option, then the more complicated option is...
1) Open Internet Explorer (there may be some variations across different versions of Explorer)
2) Select the TOOLS menu.
3) Choose INTERNET OPTIONS; a dialog box should appear
4) Click on the SECURITY tab
5) Select the Internet Security Zone & set it to HIGH
6) Disable Active Scripting
7) Select the Local Intranet Security Zone & set it to HIGH
8) Disable Active Scripting here, too.

Additional security may be provided by installing a security package from Microsoft, the Enhanced Mitigation Experience Toolkit (EMET). NB: Please note that before you install EMET, you’ll need to have Microsoft’s .NET platform installed. And while it does technically work on Windows XP (Service Pack 3 only), XP users cannot take advantage of mandatory ASLR and some of the other notable protections included in this tool.
1) Go to http://www.microsoft.com/en-us/download/details.aspx?id=29851
2) Download and install the Enhanced Mitigation Experience Toolkit.

Computer security folks are recommending that all computer users uninstall Java if they have no need for it.

ADDITIONAL INFORMATION:
http://technet.microsoft.com/en-us/security/advisory/2757760
http://www.microsoft.com/en-us/download/details.aspx?id=29851
http://support.microsoft.com/kb/174360
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4969
http://krebsonsecurity.com/2012/09/internet-explorer-users-please-read-this/
http://www.techspot.com/news/50193-internet-explorer-hit-by-zero-day-exploit-temporary-fix-issued.html

--
DEPARTMENTAL COMPUTING E-MAIL SENT FROM JON MIYAKE:
A vulnerability was recently identified, with Microsoft Internet Explorer (IE), that could allow the execution of arbitrary code on a vulnerable system. The issue is reported to affect most versions of IE running on Microsoft Windows. At this time Microsoft does not have a patch for the vulnerability. Use of the vulnerability has been reported in the wild and exploit code was recently made publicly available.

IT staff will want to notify their end-users of this issue. In most instances the recommendation is to use an alternate web browser, such as Firefox or Chrome. Microsoft has published general mitigation recommendations for the vulnerability. It is important to note that the Microsoft EMET recommendation, by itself, may not be sufficient to prevent successful exploitation of the vulnerability. See the "Krebs on Security" article (link available below) for more details.

Mitigation Recommendations from Microsoft:
- Deploy the Enhanced Mitigation Experience Toolkit (EMET) - This will help prevent exploitation by providing mitigations to help protect against this issue and should not affect usability of Web sites.
- Set Internet and local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones - This will help prevent exploitation but may affect usability; therefore, trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and local intranet security zones - This will help prevent exploitation but can affect usability, so trusted sites should be added to the Internet Explorer Trusted Sites zone to minimize disruption.

Microsoft Advisory and Mitigation Toolkit:
http://technet.microsoft.com/en-us/security/advisory/2757760
http://www.microsoft.com/en-us/download/details.aspx?id=29851
Krebs's Article on Enhanced Mitigation Experience Toolkit (EMET):
http://krebsonsecurity.com/2012/09/internet-explorer-users-please-read-this/
Additional Details about IE Vulnerability:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4969
http://labs.alienvault.com/labs/index.php/2012/new-internet-explorer-zero-day-being-exploited-in-the-wild/

--
Jon K. Miyake
Information Services
Sr. IT Policy and Security Administrator
University of Oregon
voice #: (541) 346-1635 (541) 346-5837
Computing Center Rm 225



WHAT THIS IS ABOUT:
MatLab licenses for Psychology Department machines will expire in 56 days (the day after Halloween). The new license for the 2012-13 academic year _should_ be negotiated by Central IT before this time.

WHO SHOULD READ THIS:
Folks with MatLab installed on machines.

WHAT YOU SHOULD DO:
At the moment, there's nothing to do except circle Halloween on your research calendar and anticipate possible technical difficulties. MatLab will continue to run right up to the expiration date. When the new license is negotiated, the warning should go away. Older versions of MatLab on some legacy computers may need extra help validating the new license extension. When the new license is active, I'll send out a notice.

ADDITIONAL INFORMATION:
When MatLab first starts up, it checks with Mathworks to see if its license is still valid. Each installed instance of MatLab is associated with a specific user ID, and each user ID has a specific license. The Psychology Department uses Central IT's total headcount license agreement with MathWorks to validate copies of MatLab installed on campus machines. Every Fall, a new license is negotiated. Once the negotiations go through, the license's expiration date is extended.
http://it.uoregon.edu/software/matlab



WHAT THIS IS ABOUT:
The UO Psychology Department appears to have been spammed with messages claiming the sender is in search of a tutor for her son.

WHO SHOULD READ THIS:
Everyone.

WHAT YOU SHOULD DO:
This may or may not be a variation on the Nigerian Tutoring Scam (brought to my attention by Shannon Peake--thanks!)...
http://consumerist.com/2009/06/stay-away-from-the-nigerian-tutoring-scam.html
... in which case a follow-up message would be an offer for pre-payment (get your banking information ready). The safest thing to do would be to delete the message. If you're feeling like you'd like to be helpful, you could forward the message to the University Teaching and Learning Center (TLC), at tlc@uoregon.edu (which I've done for this instance).

ADDITIONAL INFORMATION:
Reading the e-mail out loud brings out some oddities in the request: things like vague arrival dates and a generic arrival location; at no point is the University of Oregon mentioned (like, "Ethan will be a transfer student at the University of Oregon").

Forwarded message:
Hello
How are you doing? I am presently looking for a Psychology Instructor for my son in the area. After surfing your department's website, I decided to contact with my request. Ethan is a 3rd year Psychology undergraduate at the Univeristy of Berne he being taught in English,he is a basketball player and missed a few classes and he could not take the exams of those course we are from a city called Lugano in Switzerland. Our main language here is Italian and I hope you can pardon my English as it is not perfect. We need someone to work with him when he arrives, he will become a exchange student in Jan 2013 using this time he has now. Let me know your hourly rates and also time during the week and on week ends you will be available to coach him (total number of hours you can use with him a week). Please let us hear from you soon as he would be in America in a couple of days/week to stay with my sister in-law for the time been and I will very much appreciate it very much if you can introduce me to someone qualified in the case you are not available.
Thanks



WHAT THIS IS ABOUT:
Bogus e-mails claiming to be from "Uoregon Webmail" have been sent to UO e-mail users to try to trick them into revealing private information.

WHO SHOULD READ THIS:
Everyone -- this attack targets UO e-mail users.

WHAT YOU SHOULD DO:
If you receive a message (see Bogus Message below) warning you that you've transgressed the Webmail user agreement and that you'll be given one chance to reactivate it, delete it. If you want to help out Central Computing, you can forward the message to helpdesk@ithelp.uoregon.edu to help them track the problem.

ADDITIONAL INFORMATION:
A real message would be much more specific, citing times of any infractions and very likely requiring an in-person visit with UO ID to the Help Desk in the basement of McKenzie Hall. If Central Computing needed to suspend your UO account, they'd suspend it first and contact you by some other means (either UO extension or via the Psych Tech Support staff) later. There would also be an individual UO Computing Security Team member associated with any message.

The trick to bogus messages is (break out your Robert Cialdini texts) to try to establish authority. The cyber-crooks here have gotten clever; they've created a message that uses an image from the UO, located here: https://uoregon.edu/sites/all/themes/uo_homesite/logo.png and put it into their message to make the message look legitimate. They're using buzz-words like Webmail User Agreement, and the cyber-crooks are also using fear that a resource (in this case e-mail) might be taken away to try to suspend the victim's rational thought process.

UO Central IT Web Page on Phishing: http://it.uoregon.edu/node/2022

SAMPLE BOGUS MESSAGE:
From: "Uoregon Webmail"
Subject: Service Disabled
Date: August 26, 2012 12:36:16 PM PDT

Dear Student,
Due to the violation of your Webmail User Agreement, your access has been suspended. We are giving one chance to reactivate your access now or permanently suspended. Click on 'Reactivate' below to start process.
[Bogus 'Reactivate' link redacted]
**Incomplete process might lead to blocked user account.



WHAT THIS IS ABOUT: There is a new, unpatched vulnerability in Java version 7--specifically the Java Runtime Environment (JRE) 1.7--that could leave a computer subject to malicious software when the user visits a maliciously crafted (or compromised) web site.

WHO SHOULD READ THIS: Computer users--Macintosh, Windows and Linux--with Java 7/JRE 1.7 installed on their machines.

WHAT YOU SHOULD DO: To be completely safe, Java should be uninstalled.

If Java is installed on a Macintosh, the majority of the installations are using Apple's version of Java. The Apple version does not have the Java Runtime Environment 1.7, and therefore is not subject to the unpatched security hole that has the computing security community in a dither. So Macintosh folks can rest a little easier.
http://www.tuaw.com/2012/08/28/java-1-7-zero-day-exploit-unlikely-to-impact-most-mac-users/

Windows users may use Control Panel > Add/Remove Software; Macintosh users who have installed the Oracle version of Java 7 will need to follow the instructions here: http://www.java.com/en/download/help/mac_uninstall_java.xml

However, uninstalling Java may not be possible for some users, in which case disabling Java browser plug-ins is the next best route.
+ Apple Safari: https://support.apple.com/kb/HT5241
+ Firefox: https://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets
+ Microsoft Internet Explorer: In the Windows Control Panel, open the Java item. Select the "Java" tab and click the "View" button. Uncheck "Enabled" for any JRE version listed.
+ Chrome: Go to chrome://plugins/, scroll down the list and disable Java. https://support.google.com/chrome/bin/answer.py?hl=en&answer=142064

ADDITIONAL INFORMATION: The discovered exploit allows maliciously crafted web pages to install espionage software on a targeted computer, enabling it to accept commands from a remote controller. This will be a problem until Oracle provides a patch for Java (their track record isn't so good on responding to things like this, so it may be some time). At this time (1:20PM 27-Aug-2012) it appears that version 6 of Java does not have this vulnerability. If you need Java installed on your machine, you may be able to downgrade to version 6: http://www.java.com/en/download/manual_v6.jsp

US-CERT Advisory: http://www.kb.cert.org/vuls/id/636312
Critical flaw under active attack prompts calls to disable Java: http://arstechnica.com/security/2012/08/critical-flaw-under-active-attack-prompts-calls-to-disable-java/
Unpatched Java Vulnerability Exploited in Targeted Attacks: http://www.pcworld.com/businesscenter/article/261484/unpatched_java_vulnerability_exploited_in_targeted_attacks_researchers_say.html
Secunia Security Advisory: http://secunia.com/advisories/50133/
New Java Exploit Spotted in the Wild: http://www.securityweek.com/new-java-exploit-spotted-wild
New Java 0day exploited in the wild: http://labs.alienvault.com/labs/index.php/2012/new-java-0day-exploited-in-the-wild/
ZERO-DAY SEASON IS NOT OVER YET: http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html



WHAT THIS IS ABOUT: McAfee issued a buggy virus definition update on August 17, 2012, which may 1) prevent web browsing access or 2) disable the McAfee Security Center on Windows machines. McAfee is available to the UO community via Central IT.

WHO SHOULD READ THIS: Windows users with McAfee installed on their machines. Macintosh users are not affected.

WHAT YOU SHOULD DO:
1) Confirm that you are able to connect to a remote web site.
2) Confirm that you can manually update McAfee virus definitions:
+ Go to the Start Menu.
+ Choose All Programs.
+ Choose McAfee.
+ Choose Console.
+ Run a manual virus definition update.

McAfee describes both problems here: http://service.mcafee.com/faq/TS101446.htm and provides three workarounds for resolving them. The workaround for no internet access involves rebooting in Safe Mode with Networking. The workaround for fixing the Security Center involves installing a Virtual Technician. If neither workaround resolves the problem, a reinstallation of McAfee will be required.

ADDITIONAL INFORMATION:
PCWorld: McAfee Update Causes Problems: http://www.pcworld.com/businesscenter/article/261165/mcafee_antivirus_update_causes_problems_for_home_and_enterprise_customers.html
McAfee Bug Knocks Computers Off-line: http://www.theregister.co.uk/2012/08/23/mcafee_net_cutoff_bug/
McAfee Workarounds for Denied Internet Access: http://service.mcafee.com/faq/TS101446.htm
Technical Entry from McAfee's Corporate KnowledgeBase: https://kc.mcafee.com/corporate/index?page=content&id=KB76004&elq=a20a206709c24aa9ad7bcbfd33282145
Slightly Technical McAfee FAQ About This Issue: https://kc.mcafee.com/corporate/index?page=content&id=KB76042
McAfee's Virtual Technician (the workaround for a broken console): http://mvt.mcafee.com
Central IT's McAfee Page: http://it.uoregon.edu/software/virusscan



WHAT THIS IS ABOUT: The general press (NPR) has picked up the buzz from the technical press about hacking victim Mat Honan. Mr. Honan's accounts were hacked with some person-to-person (or in this case hacker-to-helpdesk) social tricks. The Bad Guys wanted to own Mr. Honan's Twitter handle. Collateral damage from the hacks resulted in his iPhone, iPad and MacBook being wiped clean. Gory details here: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

WHO SHOULD READ THIS: Computer users worried that account information from one service (say, Gmail) can be used to compromise security on another account (say, Apple), resulting in personal and mobile computer erasure.

WHAT YOU SHOULD DO: Review on-line contact information so that the Bad Guys can't pretend to be you when they speak with service desk personnel. (In Mr. Honan's case, the ISP hosting his personal internet domain displayed his real-world contact information.)

Have a data recovery plan:
+ Store data off-line
+ Consider storing archives of important data at a friend's house or in a safety deposit box
+ Print important documents (like pictures of relatives)

Increase security between on-line services (like Gmail) and home computing devices (like your laptop or iPhone). Here's an article with the steps: http://www.maclife.com/article/howtos/how_activate_twostep_verification_your_google_account

Ask yourself if you are using Good Security Practices on the Computing Cloud ("Computing Cloud" is a fancy way of saying computing services--like DropBox, Gmail, and iTunes--on a computer far away from you): http://arstechnica.com/information-technology/2012/08/secure-your-digital-self-auditing-your-cloud-identity/

ADDITIONAL INFORMATION: The hackers (apparently two teens) were able to trick staff at Amazon into generating bogus account information. Then they called Apple and used the bogus Amazon information to get an Apple account password reset. Once they reset the Apple password, they had access to Mr. Honan's Gmail and could request password resets from other on-line services: in this case Twitter. Since last week, both Apple and Amazon have changed their helpdesk procedures.

How Apple and Amazon Security Flaws Led to My Epic Hacking: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/
Mat Honan details the Amazon and Apple security flaws that let hackers wipe his MacBook: http://www.tuaw.com/2012/08/06/mat-honan-details-the-amazon-and-apple-security-flaws-that-let-h/
Amazon exploited by hacker in scribe's epic Apple iCloud pwn: http://www.theregister.co.uk/2012/08/07/apple_amazon_hack/
NPR, All Tech Considered: How His Life Was Hacked: http://www.npr.org/blogs/alltechconsidered/2012/08/07/158365355/how-his-life-was-hacked-in-the-cloud
NPR: Hackers Wreak Havoc On 'Wired' Writer's Digital Life: http://www.npr.org/2012/08/09/158477219/hacker-s-wreak-havoc-on-wired-writer-s-digital-life
Amazon, Apple tighten security following devastating Mat Honan attack: http://www.techspot.com/news/49693-amazon-apple-tighten-security-following-devastating-mat-honan-attack.html
How to Activate Twostep Verification: http://www.maclife.com/article/howtos/how_activate_twostep_verification_your_google_account
Apple Temporarily Suspends Phone Password Resets: http://www.pcworld.com/article/260603/apple_temporarily_suspends_phone_password_resets.html



-----Original Message-----
From: Debbie Cadigan [mailto:dcadigan@uoregon.edu]
Sent: Wednesday, August 01, 2012 16:17
To: Undisclosed recipients:
Subject: End of August Planned Power Testing
Importance: High

August 1, 2012

MEMORANDUM

TO: All Campus Building Managers and Contacts
FROM: Debbie Cadigan, Campus Relations Manager, Campus Operations
SUBJECT: August Campus Wide Power Shutdown

Hello

In our continuing effort to improve campus utility systems reliability, a new co-generation, steam and electrical production system is under construction. To ensure all systems perform as anticipated, it is imperative to test every aspect of the system as equipment is installed and software programs are updated prior to being placed into normal operation. It is also a condition of the local utility and Bonneville Power Administration to fully test and confirm system safety operations and metering.

At the end of August the second of two testing phases by Campus Operations will occur. The purpose is to connect the new co-generation system to the utility grid, and verify proper operation and coordination of all equipment. Testing has been scheduled to take place from late evening to early morning for minimal impact although we realize any shutdown will impact campus.

Campus Operations' planned campus wide electrical shutdown will affect all campus facilities, except those few that receive their power directly from EWEB. See the list below for buildings excluded or for a map of the buildings go to http://alerts.uoregon.edu/.

On Tuesday, Aug. 28, Wednesday, Aug. 29, and Thursday, Aug. 30, from 10:00 p.m. to 7:00 a.m. each morning, campus will experience intermittent outages, lasting from several seconds to several minutes. Standby power will also experience intermittent outages. The frequency and duration of these power interruptions will be taken into consideration when developing the testing sequence to aid UPS systems in recovery.

Please turn off all electronic equipment, including computers and printers prior to the shutdown each night.

Anticipated Impacts:
+ Egress lighting will experience intermittent outages but will restore.
+ Elevators will be out of operation beginning at 6:00 p.m. Tuesday, returning to service between 7:30 a.m. and 9:00 a.m. each day. Buildings with multiple elevators will have one elevator in service until the testing is completed Friday morning. Signage will be posted on elevators, with directions to the operable elevator in multiple elevator buildings.
+ Fire System: Fire systems will remain active and monitored.
+ HVAC (heating, ventilation and cooling) will be monitored.
+ Telephones that have data capabilities will be affected by the power interruptions. These phones should be working once testing is completed unless there is an issue with the Network or Ethernet switch in your building. These switches will be monitored by Network Services.

Please be sure everyone in your department or anyone who may use or have access to your building is aware of this planned shutdown. A few may receive this notice more than once as we send this to multiple distribution lists. We appreciate your patience as we work diligently to improve the reliability of the equipment on campus.

For questions please contact Campus Operations at electric@uoregon.edu or call Campus Operations customer service desk at 346-2319 or myself at 346-2389 or 541 729-2444.

[Straub Hall will be affected by this shutdown.]

Buildings on EWEB power that will NOT be affected by this shutdown: AAA Woodshop HEP Peace Health Alder Hall Howe Field Rainer Building Agate Hall/Agate House Innovation Center Riley Hall Autzen Complex LERC/Military Science Riverfront Research Park Baker Center Matthew Knight Arena U of O Annex Barnhart Hall Millrace Studios 1,2,3 Vet. Services Quonset 108 EC-Cares Moss Street Childcare Facilities Quonsets 128,132 MNCH 107, 115, 116 Fine Arts (Site 125) MNCH (1724 Moss) 134, 135 Greenhouses 109, 110, 111 Neuromuscular Educ.



WHAT THIS IS ABOUT: As a result of a security breach, Dropbox is sending some Dropbox users security e-mail advising them about insecure passwords.

WHO SHOULD READ THIS: Dropbox users.

WHAT YOU SHOULD DO: If you are a Dropbox user, you may receive an advisory e-mail from Dropbox asking you to change your Dropbox password. Make sure to look at any links it may contain carefully to be sure that it isn't a cyber-crook's knock-off message. (My guess, not having seen the Dropbox message, is that a valid e-mail will send you to something like https://www.dropbox.com/account#security so you can change your password.) Then follow the directions (which will probably include suggestions for strong passwords). Once again, I offer http://xkcd.com/936/ as a salve for the password weary.

Oh; and as a gentle reminder: Dropbox does not meet HIPAA compliance.

ADDITIONAL INFORMATION:
Dropbox sends password change notification to some users: http://www.tuaw.com/2012/08/01/dropbox-sends-password-change-notification-to-some-users/
Dropbox Blog: New Security Features: http://blog.dropbox.com/index.php/security-update-new-features/
Dropbox confirms it got hacked, will offer two-factor authentication: http://arstechnica.com/security/2012/07/dropbox-confirms-it-got-hacked-will-offer-two-factor-authentication/
Dropbox Reports User Accounts Were Hijacked, Adds New Security Features: http://techcrunch.com/2012/07/31/dropbox-admits-user-accounts-were-hijacked-adds-new-security-features/
Oregon University System Information Security Web Page: http://www.ous.edu/dept/cont-div/fpm/genl-56-350



WHAT THIS IS ABOUT: A vulnerability in Microsoft XML (Extensible Markup Language) Core Services, which affects Microsoft Internet Explorer and certain versions of Microsoft Office, is being actively exploited in the wild. The vulnerability could allow a maliciously crafted web page on a malicious web site to run malware on your computer as you. Attacks are targeting Gmail accounts.

WHO SHOULD READ THIS: Users of Microsoft Internet Explorer. Users of Microsoft Office 2003 and Office 2007 for Windows. Users of Microsoft Office 2010 are not affected. Users of other web browsers (Chrome, Firefox, Safari, etc.) are not affected. Macintosh users are not affected.

WHAT YOU SHOULD DO: If you use Microsoft Office 2003 or 2007 for Windows, OR Internet Explorer is your primary web browser on your Windows machine, please visit http://support.microsoft.com/kb/2719615 and scroll down about a third of the way down the web page until you see icons for Microsoft Fix it 50897 and Microsoft Fix it 50898 (the icons feature a stylized mechanic with a crescent wrench). Click on the LEFT Fix it icon, number 50897. This will download a software wizard to your computer. Once the wizard is downloaded, a dialog box should appear: choose the RUN option to run the wizard. The Microsoft Fix it solution is a temporary work-around until this problem can be properly patched by Microsoft.

ADDITIONAL INFORMATION: This vulnerability is in the way that Microsoft products handle XML. XML is a little like HTML. Some web pages and Microsoft documents are encoded with XML, which is why certain Microsoft Office users are affected. Because of the way that Internet Explorer is integrated with Microsoft Windows and Microsoft Office, an XML exploit that tricks Internet Explorer (or Office) can sometimes enable a maliciously crafted web page or Office document to run a program as if it were the human viewing it.

http://www.techspot.com/news/48994-internet-explorer-zero-day-flaw-being-used-to-target-gmail-accounts.html
http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462
http://googleonlinesecurity.blogspot.com/2012/06/microsoft-xml-vulnerability-under.html
http://support.microsoft.com/kb/2719615
http://technet.microsoft.com/en-us/security/advisory/2719615
http://en.wikipedia.org/wiki/XML



WHAT THIS IS ABOUT: Two security problems with LinkedIn, a social media service, have surfaced. The most serious one has resulted in 6.5 million (or about 1 in every 25) LinkedIn users' account information being publicly posted.

WHO SHOULD READ THIS: People with accounts with LinkedIn. LinkedIn users who use LinkedIn's mobile calendar app.

WHAT YOU SHOULD DO: Log onto LinkedIn and change your password. Today (6/6/12). If you use the same password across multiple internet services, it would be a good idea to change the passwords with those services, too. (Best security practice is to have different passwords for different services.)

If you use an iPhone or iPad version of LinkedIn, be sure to install the latest app update (version 5.0.3, June 6, 2012). You may wish to review the calendar settings for the LinkedIn app to prevent inadvertent information sharing.

ADDITIONAL INFORMATION: As one article put it, it is not a good day to be a LinkedIn user.

The first problem is that someone managed to get a copy of LinkedIn user account information and post it publicly. Cyber-criminals will now use the account information to crack users' passwords. The concern is that this may enable cyber-criminals to compromise e-mail and other accounts associated with LinkedIn accounts.

The second LinkedIn problem to surface today is the news that the LinkedIn app for Apple devices was ferreting away information from iCal onto LinkedIn servers. So, if you put a doctor's appointment in the iCal app, then opened the LinkedIn app, any information about the appointment got beamed over to LinkedIn. This is similar to the GeoTagging issue last February, where Apple mobile devices were gleaning GPS information from photos. LinkedIn has issued a statement saying (more-or-less) we're not storing your info on our servers, you can configure how much your calendar shares, and we're working on fixing app issues. They've also released an update today (June 6, 2012).

Hackers Post 6.5 Million LinkedIn Passwords Online: http://www.pcworld.com/article/257045/hackers_post_65_million_linkedin_passwords_online.html
8 million leaked passwords connected to LinkedIn, dating website: http://arstechnica.com/security/2012/06/8-million-leaked-passwords-connected-to-linkedin/
Russian hackers expose 6.5 MILLION 'LinkedIn passwords': http://www.theregister.co.uk/2012/06/06/linkedin_password_leak/
LinkedIn Was Breached, Now What?: http://bits.blogs.nytimes.com/2012/06/06/linkedin-was-breached-now-what/
LinkedIn's Leaky Mobile App: http://bits.blogs.nytimes.com/2012/06/05/linkedins-leaky-mobile-app-has-access-to-your-meeting-notes/
LinkedIn leaks password hashes, iOS app is scraping your meeting notes: http://www.tuaw.com/2012/06/06/linkedins-ios-app-is-scraping-your-private-and-personal-meeti/
LinkedIn's Mobile App is Harvesting User Information - Here's How to Fix It: http://www.securityweek.com/linkedins-mobile-app-harvesting-user-information-heres-how-fix-it
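The announcement says the posted account data will be used to crack users' passwords; the tuaw.com headline above notes that what leaked were password hashes, and they were widely reported at the time to be unsalted SHA-1. The added example below (my code, not LinkedIn's or this announcement's author's) shows why that storage format is weak and what a service should store instead: with one fast, unsalted hash every user who chose the same password gets the same digest, so a single precomputed digest identifies all of them, whereas a random per-user salt plus a deliberately slow iterated hash (PBKDF2-HMAC-SHA256 from the standard library here) gives every record a distinct value and makes each guess expensive. The record format `algo$iterations$salt$hash` is an assumption for this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raise it until one hash costs roughly
# 100 ms on the server hardware. 200_000 is a reasonable floor, not a ceiling.
ITERATIONS = 200_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Identical passwords give identical
    digests, and each digest can be matched against a precomputed table."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """The stronger scheme: a random 16-byte salt and a slow, iterated hash.
    Stored form (assumed for this example): algo$iterations$salt_hex$hash_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so a wrong guess takes the same time whether it differs in the first byte or the last."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    print("unsalted SHA-1, user A:", unsalted_sha1(pw))
    print("unsalted SHA-1, user B:", unsalted_sha1(pw))   # identical: one lookup cracks both
    print("salted record, user A: ", make_record(pw))
    print("salted record, user B: ", make_record(pw))     # different salt, different hash
```

Note that salting does not rescue a weak password on its own: a guess of "123456" still succeeds against that user's record, which is why the announcement's advice to change the password, and not to reuse it elsewhere, still applies.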



WHAT THIS IS ABOUT: Microsoft has released a patch for Windows (ahead of next week's Patch Tuesday) which fixes a flaw in security certificates and closes the ability of malware called Flame to trick your Windows computer into thinking that it's visiting Microsoft's update site when in fact it is installing malware.

WHO SHOULD READ THIS: Microsoft Windows users.

WHAT YOU SHOULD DO: Run Windows Update.

ADDITIONAL INFORMATION: The technical press has been in a flurry writing missives, speculations, and extolments about Flame. Flame is malware that appears to have been written by Very Smart People Funded by a Nation-State to spy on Iranian infrastructure. Flame uses spoofed Microsoft security certificates to spread. A Microsoft security certificate is an electronic version of a king's seal or notary's stamp. While Flame appears to be mostly in the Middle East, the concern is that the methods Flame uses may be copied by other malware writers into a more wide-spread, global attack on Windows computers.

Microsoft Security Advisory (2718704): Unauthorized Digital Certificates Could Allow Spoofing: http://technet.microsoft.com/en-us/security/advisory/2718704
Flame Malware Hijacks Windows Update Mechanism: http://www.securityweek.com/flame-malware-hijacks-windows-update-mechanism
Flame malware wielded rare "collision" crypto attack against Microsoft: http://arstechnica.com/security/2012/06/flame-wields-rare-collision-crypto-attack/
Spy malware infecting Iranian networks is engineering marvel to behold | Ars Technica: http://arstechnica.com/security/2012/05/spy-malware-infecting-iranian-networks-is-engineering-marvel-to-behold/



WHAT THIS IS ABOUT: Networking Services will perform maintenance on the wireless network, Thursday, June 7, 2012 from 3:30 to 7:00 AM.

WHO SHOULD READ THIS: Users of the UO Wireless Network. Ethernet users should be unaffected.

WHAT YOU SHOULD DO: Don't panic. Wireless network services should not be interrupted. However, to safeguard one's computing serenity, it might be a good idea to complete any computing tasks requiring wireless network access by Wednesday evening. Thursday morning, wireless network users may wish to schedule an extra ten minutes into their routine to visit wireless.uoregon.edu in order to reinstall the UO Secure Wireless Network and update network certificates (see additional information, below). Unless Something Goes Wildly Wrong, direct connections to the UO ethernet should still function.

ADDITIONAL INFORMATION: (e-mail message from the McKenzie Hall Help Desk:)

This service announcement is to inform the IT community of a planned maintenance window for the UO Secure Wireless Network. The planned maintenance will take place on June 7, 2012 from 3:30am to 7:00am. Information Services will be servicing the following:
* UO Secure Wireless Network
* Radius clients connecting to rad1 and rad2 that use SSL/TLS

Please note that there will not be a service outage during this time; all services will remain up during the maintenance work. This announcement is to inform you of the maintenance window in the unlikely event that any issues arise. If any issues do arise, please contact the Information Services Help Desk at 541-346-HELP (4357).

After the maintenance window for UO Secure, some users may need to reinstall the UO Secure installer or may be prompted to accept a new certificate.
* To reinstall the UO Secure installer, simply go to wireless.uoregon.edu and follow the directions.
* If a user is prompted to accept a new certificate, simply accept and always trust the certificate for UO Secure.

Sincerely,
UO Information Services HelpDesk
541-346-HELP
helpdesk@uoregon.edu



WHAT THIS IS ABOUT: As we get closer to July 9, 2012, the technical and popular media will start to tell us all about a piece of malware called DNSChanger (Domain Name Server Changer). Phrases such as "The Internet will stop working for infected users" and "Internet Doomsday" will be thrown about with reckless abandon. Starting May 22, 2012, the Google search engine will display a message warning users with computers infected with DNSChanger.

WHO SHOULD READ THIS: All users; this is a network spoofing issue.

WHAT YOU SHOULD DO: Start your favorite web browser. Visit http://www.dns-ok.us/

If you get a friendly green icon, your computer is DNSChanger free. You can rest at night knowing that, this time, cyber-criminals have not sniffed out personal data and that The Internet will continue to work for you after July 9.

If you get a red icon, that's a sign that DNSChanger has infected your computer. This means that the security on the machine has been compromised and that personal information (such as banking passwords) may have been stolen. Visit http://www.dcwg.org/fix/ for more detailed instructions for cleaning the computer, or contact the Help Desk in McKenzie.

ADDITIONAL INFORMATION: DNSChanger is part of a packet of malware distributed by cyber-criminals who were based in Estonia, and who were arrested in 2011. DNSChanger disconnects infected computers from certified internet domain name servers and re-connects them to fraudulent domain name servers and a shadowy, evil parallel internet. This is like a swindler standing outside the entrance of a town and handing out fraudulent maps misdirecting unsuspecting tourists to fake stores and banks. The humans are in jail, but because so many computers world-wide were infected and using the parallel internet, the FBI kept the fraudulent domain name servers running in order to keep infected computers operational. The fraudulent servers will go away on July 9, at which point infected personal computers will be unable to connect to any internet.

http://googleonlinesecurity.blogspot.com/2012/05/notifying-users-affected-by-dnschanger.html
http://www.fbi.gov/news/stories/2011/november/malware_110911
http://www.dcwg.org/
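The dns-ok.us page is an online check. The underlying question it answers, whether the machine's configured resolvers point into the fraudulent address ranges rather than legitimate ones, can also be checked offline against the machine's own resolver configuration. The block below is an added example (my code, not the announcement author's, the FBI's or dcwg.org's) that reads resolver addresses from resolv.conf-style text and flags any that fall inside a list of rogue networks. The two networks in the list are RFC 5737 documentation blocks used as placeholders, not the real DNSChanger ranges, and the resolv.conf text is a constructed sample with one address deliberately placed inside the placeholder range.

```python
import ipaddress
import re

# PLACEHOLDER rogue-resolver networks (RFC 5737 documentation blocks), standing in
# for the ranges published by the FBI / DCWG. Replace with the real list when using
# this check for real; the ranges are not reproduced here.
ROGUE_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed sample of an /etc/resolv.conf; the second resolver sits inside the
# placeholder rogue range so that the check has something to flag.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real configuration file
search example.edu
nameserver 10.0.0.53
nameserver 192.0.2.77
options timeout:2
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def configured_resolvers(resolv_conf_text: str) -> list:
    """Return the resolver addresses named by 'nameserver' lines, as ip_address
    objects. Lines whose value is not a valid IP literal are skipped."""
    found = []
    for raw in NAMESERVER_RE.findall(resolv_conf_text):
        try:
            found.append(ipaddress.ip_address(raw))
        except ValueError:
            continue
    return found


def rogue_resolvers(resolv_conf_text: str, rogue=ROGUE_NETWORKS) -> list:
    """Return, as strings, every configured resolver that lies in a rogue network."""
    return [str(ip) for ip in configured_resolvers(resolv_conf_text)
            if any(ip in net for net in rogue)]


if __name__ == "__main__":
    flagged = rogue_resolvers(SAMPLE_RESOLV_CONF)
    print("rogue resolvers found:", flagged or "none")
```

On a live Unix-like machine the same function can be fed the contents of /etc/resolv.conf; on Windows the equivalent input is the "DNS Servers" lines of `ipconfig /all`. A clean result here does not prove a machine is uninfected (the malware can also alter the settings of a home router that hands out resolver addresses), which is why the announcement points to the dcwg.org cleanup instructions and the Help Desk rather than to a single test.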



WHAT THIS IS ABOUT: A recent Lion OS update to a Macintosh encryption utility, FileVault, has a bug which stores users' passwords in plain text in an unprotected area of the Mac's disk. This is the physical equivalent of writing the combination numbers on the back of a padlock.

WHO SHOULD READ THIS: Don't panic. This bug only affects Macintosh Snow Leopard OS (OS 10.6) users who used FileVault, upgraded to the Lion OS (OS 10.7), and now use the legacy version of FileVault on 10.7.3. Users who never enabled FileVault are not affected. Users of FileVault 2, the default utility for Lion, are not affected. Snow Leopard and earlier versions of the Macintosh operating system are not affected. Windows users are unaffected.

WHAT YOU SHOULD DO:
01. If your Macintosh came out of the box with Macintosh OS X Lion 10.7 installed on it, then you are running FileVault 2 and are not affected by this bug; STOP.
02. If you are using a Macintosh and you think it used to run the Snow Leopard OS and now runs the Lion OS, then continue.
03. Go to the Apple Menu and choose "About this Mac"; a dialog box will appear.
04. Underneath the big bold MAC OS there will be a version number. If the version number is 10.7.3, continue. If the version number is 10.6.X or lower, STOP: you are using an older operating system.
05. Go to the Apple Menu and choose "System Preferences..."; a dialog box will appear.
06. Click on the Security icon in the top row (it looks like a house outline with a combination lock on the front); most of the icons will disappear and three tabs will appear.
07. Click on the middle tab, FileVault; new information will appear.
08. If there is a button on the lower right-hand side which reads "Turn On FileVault..." STOP; you are not running FileVault and are not affected by this bug.
09. If you have gotten this far in the instructions, then you are probably running legacy FileVault on a 10.7.3 Lion OS Macintosh that was formerly a Snow Leopard Macintosh. http://reviews.cnet.com/8301-13727_7-20081045-263/about-filevault-2-in-os-x-10.7-lion/ and http://support.apple.com/kb/HT4790 suggest that turning legacy FileVault off, then attempting to turn it on, will bring up a dialog box with the option to use FileVault 2.
10. Once FileVault 2 is running on the Macintosh, all users of the Macintosh, especially administrative users, should change their passwords.

ADDITIONAL INFORMATION: The original FileVault, a utility to encrypt files, was introduced in Mac OS X 10.3. During the latest update, a programmer goofed and mistakenly left a debugging option turned on in FileVault, with the result that usernames and passwords are stored in plain text in an accessible location on the hard drive.

Wikipedia Entry for FileVault: http://en.wikipedia.org/wiki/FileVault
Passwords stored in plain text after Lion update: http://www.tuaw.com/2012/05/07/passwords-stored-in-plain-text-after-lion-update/
OS X Lion security blunder exposes login passwords in plain text: http://www.techspot.com/news/48473-os-x-lion-security-blunder-exposes-login-passwords-in-plain-text.html
Security Blunder Exposes Lion Passwords: http://www.zdnet.com/blog/security/apple-security-blunder-exposes-lion-login-passwords-in-clear-text/11963
Lion Update Exposes Passwords: http://nakedsecurity.sophos.com/2012/05/06/apple-update-to-os-x-lion-exposes-encryption-passwords/
Macworld Guide to FileVault 2: http://www.macworld.com/article/1162999/complete_guide_to_filevault_2_in_lion.html



WHAT THIS IS ABOUT: Some people are having difficulties sending e-mail attachments to various UO campus e-mail server lists.

WHO SHOULD READ THIS: Everyone who sends e-mail file attachments to UO campus lists.

WHAT YOU SHOULD DO: This appears to be a bug between certain e-mail clients and the (new) Mailman server. If you discover that your e-mail attachments sent to lists are bouncing back to you, or that the attachments have been turned into long streams of text appended to the end of your message, make a note of
- the time of the post
- the email program used
- the type of attachment
- the email address posting to the list (and the list name)
and send the information to Spencer Smith, UO Listmaster, at listmaster@lists.uoregon.edu

This may be an Outlook-related issue. You may have better results using the web portal, http://webmail.uoregon.edu, to send file attachments.

ADDITIONAL INFORMATION: http://wiki.list.org/pages/viewpage.action?pageId=4030707

On May 1, the UO computer center switched the mail servers from (the old, outdated) Majordomo system to the (shiny and new) Mailman system. This is a symptom of the seamless switchover.

------- From the DeptComp e-mail list: -------

From my current research, the symptoms that we're experiencing with some list postings being wrapped in impenetrable attachments have to do with the MIME encoding of those initial email messages. There's a fairly good breakdown of the problem, and the possible solutions, on this Web page: http://wiki.list.org/pages/viewpage.action?pageId=4030707

I'll be working with the Mailman development team to address this issue; we may need some time to install the patches and solutions available, assess them, and make sure that they don't introduce other problems by addressing this one. There may be some settings issues that would help address this problem as well; I'll be creating my own test environment so I can replicate this problem, then doing some testing and refinement to try and solve it off the server.

In the meantime, I know that there are definite and urgent needs to work around this issue. If you're finding the posts to your lists are being wrapped as attachments, or if there's a similar issue with posting to Mailman, please contact me with
- the time of the post
- the email program used
- the type of attachment
- the email address posting to the list (and the list name)
That should give me enough information to begin parsing the logs and finding a baseline parameter for the problem. I'll certainly keep you all informed as to my progress. Let me know if I can help in any way.

-Spencer A. Smith
Listmaster

----- Archives of past DeptComp postings can be found on the Web page http://pages.uoregon.edu/consult/deptcomp/



WHAT THIS IS ABOUT: Folks at the UO are receiving fake update e-mail notices for Adobe Acrobat Reader updates. These are malicious e-mails designed to trick you into visiting a malicious web site.

WHO SHOULD READ THIS: Everyone. This is a social engineering problem.

WHAT YOU SHOULD DO: Specifically, if you receive an e-mail message with the phrase "ADOBE PDF READER 2012 UPGRADE NOTIFICATION", delete it. Do not follow any of the links in it.

Generally, if you receive an unsolicited e-mail claiming to be from Microsoft, Adobe, or your bank, which provides a link for you to install software, renew your account, or verify your records, chances are good it's bad guys trying to trick you. Delete the message.

ADDITIONAL INFORMATION: Most software upgrades are available from within programs already installed on your computer. For example, Adobe Reader for Windows has a "Check for Updates" option under its Help menu. Use these avenues to upgrade your software. Also, most programs will display reminder notices about updates at start-up.

Additionally, malicious, fake update e-mail messages will have links that look odd. Most software companies will have a link that looks like http://www.adobe.com/products/catalog.edu.html or https://www.acrobat.com/ instead of something like acrobat-upgrade.com/something.cfm?AwholeLotOfNumbersAndCodeHere

-----Original Message-----

ADOBE PDF READER 2012 UPGRADE NOTIFICATION

This is to remind that a new version of Adobe Acrobat Reader 2012 with enhanced features for viewing, creating, editing, printing and internet-sharing PDF documents has been released. To upgrade your application:
+ Go to [REDACTED]
+ Get your options, download and upgrade.

Copyright 2012 Adobe Systems Incorporated. All rights reserved.
Adobe Systems Incorporated 343 Preston Street Ottawa, ON K1S 1N4 Canada
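Both this notice and the earlier "Uoregon Webmail" one come down to the same check: does the link in the message actually point at the organization the message claims to be from? The block below is an added example (my code, not the announcement author's and not anything Adobe publishes) of that check done mechanically: it pulls every URL out of a message body, extracts the host, and reports the ones that are neither the vendor's domain nor a subdomain of it. The allow list of Adobe domains, the URL regex, and the sample message (modelled on the redacted one above, with constructed links) are all assumptions of the example; bare links without a scheme or a leading "www.", like the one quoted in the notice, are outside what the regex picks up.

```python
import re
from urllib.parse import urlparse

# Domains the claimed sender (Adobe, here) legitimately uses. This allow list is an
# assumption for the example, not a vendor-published list.
EXPECTED_DOMAINS = {"adobe.com", "acrobat.com"}

# Matches links with an explicit scheme or a leading "www."; stops at whitespace and
# the characters that usually close a link in e-mail text.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed sample modelled on the fake Adobe notice; the first and third links are
# the kind that should be flagged, the second is a genuine Adobe host.
SAMPLE_MESSAGE = """ADOBE PDF READER 2012 UPGRADE NOTIFICATION
To upgrade your application:
+ Go to http://acrobat-upgrade.com/something.cfm?id=0123456789
Compare the real product page at https://www.adobe.com/products/catalog.html and
a look-alike such as http://www.adobe.com.update-center.example/reader
"""


def host_of(url: str) -> str:
    """Lower-cased host part of a URL; a missing scheme is tolerated."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_expected(host: str, expected: set) -> bool:
    """True if host is exactly an expected domain or a subdomain of one. The suffix
    check includes the dot, so 'notadobe.com' does not pass for 'adobe.com', and
    'www.adobe.com.update-center.example' fails because its registrable part differs."""
    return any(host == d or host.endswith("." + d) for d in expected)


def suspicious_links(text: str, expected: set = EXPECTED_DOMAINS) -> list:
    """Every URL in text whose host is outside the expected domains, in order of appearance."""
    return [u for u in URL_RE.findall(text) if not is_expected(host_of(u), expected)]


if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_MESSAGE):
        print("suspicious:", link)
```

The third sample link shows the trick the check is built to catch: the genuine domain appears at the front of the host, but only the rightmost labels decide where the browser actually goes. The same function serves the Webmail phishing case by swapping the allow list for the campus domain.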



WHAT THIS IS ABOUT: Many Macintoshes on the UO campus have been infected by the Mac Flashback Trojan.

WHO SHOULD READ THIS: Macintosh users, especially those running Mac OS X 10.5 or older. Windows users are not affected.

WHAT YOU SHOULD DO: If your Macintosh has been quarantined from the network, chances are it has been infected by Flashback. The best course is to visit the Help Desk in the basement of McKenzie (this will take some time).

IMPORTANT -- Flashback is malware that will steal passwords: if a system you use is infected with Flashback, you will need to change your computer passwords in order to safeguard any HIPAA, FERPA, or other sensitive data.

If you haven't already, please run Software Update to install any Java software updates.

Go to Apple > About this Mac. A window will appear. Underneath the text "Mac OS X" will be a version. If the version starts with 10.5, then disable Java in your web browser to mitigate Java security holes.

ADDITIONAL INFORMATION: Antiviral software for the Macintosh will help mitigate Flashback. Jon Miyake of Network Services recommends either the UO site-licensed McAfee Virus Scan or the free Sophos software.
http://it.uoregon.edu/software/duckware (UO id required, see links at bottom of page)
http://www.sophos.com/en-us/products/endpoint/endpoint-protection.aspx

-----------------------
Begin forwarded message:

From: Garrett Stewart
Date: April 13, 2012 11:29:35 AM PDT
To: "deptcomp@lists.uoregon.edu"
Subject: deptcomp: Mac 'Flashback' Trojan
Reply-To: deptcomp@lists.uoregon.edu

Hello Everyone,

You may have heard by now about the Flashback Trojan that has infected over 600,000 Mac computers worldwide. It is a piece of malware that pretends to be an update to Java and/or Flash Player, and can infect a computer simply by navigating to an infected site. Once present, it will monitor network traffic to steal personal information including login details.

Many Macs on the UO campus have been affected by this Trojan, and have been quarantined from our network. Apple released a fix on Thursday that is deployed via the OS X software update utility. The fix will remove the many common variants of the virus and patch the vulnerability, but only for OS X 10.6 and newer. The fix is a part of the Java update (the third update in the last 4 days).

The problem is installing the update; if you're quarantined from the UO network, you won't be able to access this solution. The Information Services Help Desk has filtered Ethernet connections available that will allow you to install this update on campus. Come to Room 151 McKenzie Hall, and we'll be glad to help you with this solution.

The folks at Kaspersky and F-Secure have also released a tool to automate the check and remove process, but it was later discovered that these tools had a low chance to also remove some important components of the operating system, and so they are not recommended at this time. We will be monitoring these vendors for an update to their removal tools, and will send more information as it becomes available. Symantec has released a similar tool that is yet untested. It can be found here: http://www.symantec.com/security_response/writeup.jsp?docid=2012-041214-1825-99

For those that are running 10.5 or older, the best advice at the moment (aside from upgrading your operating system) is to disable Java in the browser preferences of your web browser. There are other recovery options for these systems, but they are more intrusive and require a fresh operating system installation.

Please contact the Information Services Helpdesk at 541-346-HELP (541-346-4357) or helpdesk@uoregon.edu with any questions or concerns.



WHAT THIS IS ABOUT: It's Update Tuesday and Microsoft has released six security updates -- four of which are critical -- for Microsoft Windows and Office. Most of these updates close security holes which would allow malicious websites to run malicious software on a visitor's computer.

WHO SHOULD READ THIS: Windows users. Macintosh users are not affected.

WHAT YOU SHOULD DO: Most users have Windows Update set to run automatically. If your Windows computer wants to install some updates, let it. If you haven't run Windows Update in a while, now would be a good time to do so.

ADDITIONAL INFORMATION:
http://technet.microsoft.com/en-us/security/bulletin

http://technet.microsoft.com/en-us/security/bulletin/MS12-023
Closes a security hole in Internet Explorer that allows a maliciously crafted web page to gain the same privileges as the visiting user.

http://technet.microsoft.com/en-us/security/bulletin/MS12-024
Closes a security hole in Windows that could allow maliciously crafted software to hijack a computer.

http://technet.microsoft.com/en-us/security/bulletin/MS12-025
Closes a security hole in the .NET Framework that allows a maliciously crafted web page to gain the same privileges as the visiting user.

http://technet.microsoft.com/en-us/security/bulletin/MS12-026
Closes a security hole that allows a malicious website to pretend to be a trusted site and then collect private data.

http://technet.microsoft.com/en-us/security/bulletin/MS12-027
Closes a security hole which allows a malicious website to attack a computer.

http://technet.microsoft.com/en-us/security/bulletin/MS12-028
Closes a security hole that allows maliciously crafted Microsoft Works files to run malicious code.



WHAT THIS IS ABOUT: There is a simple utility available which checks for Mac Flashback malware infection. (Alas, it does not remove the infection.) Mac Flashback is malware which takes advantage of an unpatched Java security hole. Mac Flashback has infected an estimated half million users.

WHO SHOULD READ THIS: Macintosh users. Windows users are unaffected.

WHAT YOU SHOULD DO:
01: Visit this web site: https://github.com/jils/FlashbackChecker/wiki
02: Scroll down to the Download area
03: Click on the link FlashbackChecker 1.0; this will download a zip file called FlashbackChecker.1.0.zip
04: Go to the download folder, usually located in the Macintosh's user home directory / Downloads
05: Double-click FlashbackChecker.1.0.zip; this will create a program icon called FlashbackChecker.
06: Double-click FlashbackChecker.
07: You may receive a warning message saying that FlashbackChecker was downloaded from the internet. Confirm that you wish to run the application.
08: A simple dialog box will appear. Click on the big button that reads "Check for Flashback Infection."
09: Text will appear.
09-A: If the fourth line down says "No Signs of infection were found." then press command-Q to quit the checker and celebrate.
09-B: If the checker says that it did find an infection, you'll need to remove Mac Flashback with these instructions: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

ADDITIONAL INFORMATION: Running the Software Update program (located under the Apple Menu) will tell the Macintosh to check for and install any new Java updates. Within the technical community there's some question about how necessary Java is for the Macintosh and the merits of uninstalling it. In this case "no Java = no security hole."

http://arstechnica.com/apple/news/2012/04/checking-for-mac-flashback-infestation-theres-an-app-for-that.ars
https://github.com/jils/FlashbackChecker/wiki
http://arstechnica.com/apple/news/2012/04/how-to-check-forand-get-rid-ofa-mac-flashback-infection.ars
http://arstechnica.com/apple/news/2012/04/flashback-trojan-reportedly-controls-half-a-million-macs-and-counting.ars
http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml



WHAT THIS IS ABOUT: The technical press is abuzz with a trojan-horse installer which targets Macintosh computers running old, out-of-date software. This is newsworthy because previously this sort of malware has only been seen on Windows machines.

WHO SHOULD READ THIS: Macintosh users; Windows users may wish to read out of schadenfreude.

WHAT YOU SHOULD DO: The security exploits take advantage of two security holes, in older versions of Microsoft Office (patched in 2009) and in Java (patched in Oct 2011).

To install the latest patches of Java:
Go to the Apple Menu
Choose Software Update
Install any updated software

To install the latest patches for Microsoft Office:
Start Word
Go to the Help Menu
Choose Check for Updates
Follow the prompts to update (you will be asked for an administrative password)

ADDITIONAL INFORMATION:
http://arstechnica.com/apple/news/2012/03/james-bond-style-malware-attacks-come-to-the-mac.ars
http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/



WHO SHOULD READ THIS: Everyone; this is a campus-wide issue.

WHAT THIS IS ABOUT: Campus Operations will be maintaining the campus power grid, which will cause power outages in the early morning hours of March 27 and March 28.

WHAT YOU SHOULD DO: Before you leave for Spring Break, or Monday and Tuesday nights, be sure to turn off or unplug any unused computers, printers, or sensitive electronic equipment.

ADDITIONAL INFORMATION:

Begin forwarded message:

From: Ryan Stasel
Date: March 19, 2012 9:17:29 AM PDT
To: "deptcomp@lists.uoregon.edu"
Subject: deptcomp: Fwd: Spring Break Campus wide power shutdown
Reply-To: deptcomp@lists.uoregon.edu

In case those on Deptcomp do not also get building manager mailings

Begin forwarded message:

From: Debbie Cadigan
Subject: Spring Break Campus wide power shutdown
Date: March 19, 2012 8:06:57 AM PDT

March 19, 2012

MEMORANDUM

TO: All Campus Building Users with the exception of those listed below:
FROM: Debbie Cadigan, Campus Relations Manager, Campus Operations
SUBJECT: Spring Break Campus Wide Power Shutdown

Good Morning

In our continuing effort to improve campus utility systems reliability, a new co-generation (steam and electrical production) system is under construction. To ensure all systems perform as anticipated, it is imperative to test every aspect of the system prior to being placed into normal operation as equipment is installed and software programs are updated. These planned simulations are designed to encompass all types of campus and utility provider events and to test new systems to ensure they function as planned under normal operation and in the event an upset may occur.

In the next several months, Campus Operations will be scheduling two planned shutdowns. The first one is to update existing CPS Switch house software in preparation for the new co-generation system. The second shutdown will be later this spring or summer when all equipment is in place and has been tested to the extent possible without affecting campus. Our intent is to schedule testing and shutdowns for minimal impact although we realize any shutdown impacts campus.

Campus Operations' planned campus-wide electrical shutdown will affect all campus facilities, except those few that receive their power directly from EWEB. See list below for buildings excluded.

* On Tuesday, March 27th & Wednesday, March 28th from 3:30am to 7:30am each day, campus will experience intermittent outages, lasting from several seconds to several minutes, while testing is being performed. Standby power will also experience intermittent outages.
* On Tuesday, March 27th & Wednesday, March 28th from 7:30 am to 8:30 am each day, testing will continue. Although we do not anticipate any intermittent outages, there will be a potential for interruptions during this 60 minutes each day.

Elevators will be shut down and posted; egress lighting will experience the intermittent outages but will immediately come back on. After the shutdown has been completed, Campus Operations personnel will be sure HVAC systems, elevators and other equipment are reset.

Make sure all sensitive electronics, including computers and printers, are turned off or disconnected prior to this shutdown. Be sure everyone in your department is aware of this.

We regret any inconvenience this may cause. For questions please contact Del McGee or Jeff Madsen at electric@uoregon.edu or call Campus Operations customer service desk at 346-2319.

Buildings on EWEB power that will not be affected by this shutdown:
AAA Woodshop
HEP
Rainier Building
Alder Hall
Howe Field
Riley Hall
Agate Hall/Agate House
Innovation Center
Riverfront Research Park
Autzen Complex
LERC/Military Science
Specialized Training 582, 603
Baker Center
Matthew Knight Arena
Trailers 054, 055, 057, 058
Barnhart Hall
Millrace Studios 1, 2, 3
U of O Annex
EC-Cares
Moss Street Childcare
Vet. Services Quonset 108
Fine Arts (Site 125)
MNCH 107, 115, 116
Facilities Quonsets 128, 132
Greenhouses 109, 110, 111
MNCH (1724 Moss) 134, 135
Neuromuscular Educ.



WHAT THIS IS ABOUT: Adobe has released a security upgrade which closes a critical hole in the Adobe Flash Player which, if exploited, could allow a malicious person to take over a computer.

WHO SHOULD READ THIS: Windows, Macintosh, Linux and Solaris users with the Adobe Flash Player installed. (Additionally, Android 2.x, 3.x and 4.x users.)

WHAT YOU SHOULD DO (Windows, Macintosh, Linux and Solaris users): Visit the About Flash Player page: http://www.adobe.com/software/flash/about/
A) If you do not have Adobe Flash Player, stop; no Adobe Flash Player = no security threat.
B) If you have Adobe Flash Player version, stop; you are already using the patched version.
C) If you have an earlier version of the Flash Player, download an updated version via the Player Download Center: http://get.adobe.com/flashplayer/

Some computers may not be able to run the 11.x version of the Player. In this case, Adobe recommends using Flash Player, which supposedly may be downloaded at http://kb2.adobe.com/cps/142/tn_14266.html, but appears to be unlisted at this time... (sigh, check back later in the week to see if this problem has been addressed).

ADDITIONAL INFORMATION: The curious and users of mobile devices running the Flash Player may find additional information here: http://www.adobe.com/support/security/bulletins/apsb12-05.html



WHAT THIS IS ABOUT: The technical news community is abuzz about a security loophole in iOS which leaks photos and the geographical information associated with them. iOS is the operating system on Apple iPhones and other iDevices.

WHO SHOULD READ THIS: Users with Apple mobile devices (iPhone, iPad, iPod Touch).

WHAT YOU SHOULD DO: This is a security loophole that Apple says will be fixed in a future upgrade to iOS. Users may mitigate some of the privacy threat by powering up a mobile device and
1) Clicking on the Settings icon,
2) Selecting Location Services,
3) Locating the Camera app, and
4) Turning off location services.
This won't stop a photo-grabbing app from grabbing a mobile device's photos, but it will keep any future pictures from being geotagged.

ADDITIONAL INFORMATION:
Apple Loophole Gives Developers Access to Photos
http://bits.blogs.nytimes.com/2012/02/28/tk-ios-gives-developers-access-to-photos-videos-location/
iOS security loophole lets apps grab user photos
http://www.techspot.com/news/47607-ios-security-loophole-lets-apps-grab-user-photos.html
iOS allows contacts to be uploaded without consent, Apple promises fix - TechSpot News
http://www.techspot.com/news/47480-ios-allows-contacts-to-be-uploaded-without-consent-apple-promises-fix.html
Fix reportedly coming for iOS photo uploading loophole
http://arstechnica.com/apple/news/2012/02/fix-reportedly-coming-for-ios-photo-uploading-loophole.ars
iPhone photo-slurping loophole sparks app privacy fears
http://www.theregister.co.uk/2012/02/29/iphone_photo_slurping_privacy_risk/
Prompted by Congress, Apple Promises Updates
http://arstechnica.com/apple/news/2012/02/congressmen-question-apple-on-path-controversy-as-apple-promises-updates.ars
Wikipedia article on geotagging and digital cameras
http://en.wikipedia.org/wiki/Geotagged_photograph



WHO SHOULD READ THIS: Users who have Adobe Shockwave (not to be confused with Adobe's Flash Player) installed on their computers.

WHAT THIS IS ABOUT: Adobe has released a security patch for the Shockwave Player. A type of programming error called a cross-site scripting (XSS) error could allow a malicious website to use older versions of the Shockwave player in conjunction with Microsoft's Internet Explorer browser to hijack a computer and steal authentication cookies, log onto private accounts, or send spam.

WHAT YOU SHOULD DO: Determine if you have the Shockwave player installed.
1) Visit http://www.adobe.com/shockwave/welcome/
2) Underneath the header "Adobe Shockwave Player" is a space for an animation to play. If there is no animation, stop; you do not have to worry about this particular computer security threat.
3) If there is an animation, it should be accompanied with information about what version of Shockwave is being run. If the version running is, then you can stop: you have the newest, patched version.
4) If the version of Shockwave running on the computer is or earlier, then visit http://get.adobe.com/shockwave to download the latest version.
(EXTRA CREDIT OPTION: If you think you can get by with using only Adobe's Flash player, you may wish to uninstall the Shockwave player).

ADDITIONAL INFORMATION:
http://www.adobe.com/support/security/bulletins/apsb12-02.html
http://nakedsecurity.sophos.com/2012/02/15/oracle-java-and-adobe-shockwave-patches-for-february-too/
http://arstechnica.com/business/news/2012/02/exotic-xss-bug-in-adobe-flash-exploited-to-control-users-web-accounts.ars
http://www.adobe.com/products/shockwaveplayer/

--------------------
John Burridge | Technical Services | STB 358
Department of Psychology
University of Oregon
Eugene, OR 97403-1227
phone: 541-346-4982
fax: 541-346-4271
burridge@uoregon.edu
http://pages.uoregon.edu/burridge



WHAT THIS IS ABOUT: A new security patch for the Windows version of Oracle Java is available for download; this patch closes a number of security holes.

WHO SHOULD READ THIS: Windows users with Java installed on their machines. Macintosh users have no upgrade yet.

WHAT YOU SHOULD DO:

Windows users (from http://java.com/en/download/help/java_update.xml#howto) --
Make sure you are logged onto the Windows machine with administrative privileges. Save your work and close all other programs.
1) Click Start > Settings > Control Panel (for Windows XP) OR click Start > Control Panel (for Windows Vista and Windows 7)
2) Double-click the Java icon. The Java Control Panel appears. If you have no Java icon, then Java is not installed on the machine and you can stop, secure in the knowledge that "No Installed Java" = "No Java Security Holes".
3) Click the Update tab
4) Click on the "Update Now" button
5) Follow the prompts to install the update

Macintosh users --
Although there is no update for Java at this time, you may wish to check for software updates for older software. Select Apple Menu -> Software Update to see if there are any software updates available.

ADDITIONAL INFORMATION:
http://java.com/en/download/help/java_update.xml#howto
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html#PatchTable
http://nakedsecurity.sophos.com/2012/02/15/oracle-java-and-adobe-shockwave-patches-for-february-too/



Hello,

Just an FYI: (apparently for Valentine's Day) Microsoft has released a ton of Windows security updates. Most people should receive these updates automatically. If you are on a Windows machine that doesn't automatically install Windows Updates, please fire up Microsoft Internet Explorer and point it at http://windowsupdate.microsoft.com/ (note, this only works for Internet Explorer).

ADDITIONAL INFORMATION:
http://technet.microsoft.com/en-us/security/bulletin/ms12-feb

MS12-016 - Critical: Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026) - Version: 1.0
http://technet.microsoft.com/en-us/security/bulletin/ms12-016

MS12-010 - Critical: Cumulative Security Update for Internet Explorer (2647516) - Version: 1.0
http://technet.microsoft.com/en-us/security/bulletin/ms12-010

MS12-013 - Critical: Vulnerability in C Run-Time Library Could Allow Remote Code Execution (2654428) - Version: 1.0
http://technet.microsoft.com/en-us/security/bulletin/ms12-013



WHO SHOULD READ THIS: Macintosh users running Mac OS X (Lion) 10.7.x. Folks with a different Mac OS than Lion and folks using Windows are not affected.

WHAT THIS IS ABOUT: There are reports of problems with the February 1, 2012 Macintosh OS X (Lion) 10.7.3 Update. The problems don't affect all Macintoshes, and range from frequent crashes, to an inability to start the Macintosh, to various dialog boxes displaying CUI icons instead of helpful messages.

WHAT YOU SHOULD DO:

A) If you have not yet installed the upgrade, this is a good thing.
1) Make sure that Time Machine has run and made a backup of your Macintosh's system.
2) Go here: http://support.apple.com/kb/DL1484 to download OS X Lion Update 10.7.3 (Client Combo)
3) Click on the blue DOWNLOAD button, located in the upper right-hand corner of the window. This will put a DMG, or disk image, on the Macintosh's screen. It may take about two or three minutes for the disk image to appear; it will be called "Mac OS X 10.7.3 Update Combo."
4) Once the disk image has appeared on your screen (the icon will look like a small white hard drive), double-click on it. A new window will appear.
5) Inside the window "Mac OS X 10.7.3 Update Combo" there will be an icon of an opened box called "MacOSXUpdCombo10.7.3.pkg." Double-click on the icon to launch the installer and follow the prompts.
6) Restart the computer (it's likely that the computer will want to reboot anyway).

B) If you have installed the upgrade, but the Macintosh appears to be working, the recommendation is to run the Update Combo on top of the upgrade. Follow steps 1 through 6 above.

C) If you installed OS X Lion 10.7.3 and now the Macintosh is not working properly: try to follow steps 1 through 6 above. If this is not possible, there are some strategies to follow here: http://osxdaily.com/2012/02/01/fix-mac-os-x-10-7-3-update-problems-cui-errors-stuck-installs-and-crashes/

ADDITIONAL INFORMATION:
http://osxdaily.com/2012/02/01/fix-mac-os-x-10-7-3-update-problems-cui-errors-stuck-installs-and-crashes/
http://arstechnica.com/apple/news/2012/02/problems-with-the-os-x-1073-update-combo-updater-to-the-rescue.ars
http://www.tuaw.com/2012/02/02/os-x-10-7-3-causing-cui-errors-for-some-combo-update-recommende/
http://support.apple.com/kb/DL1484



This is an FYI; don't panic.

On March 1, Google will merge the privacy policies for all of their services into one big policy. There's a good review of what this means and some things you can do to tailor Google use to your own comfort levels here: http://nakedsecurity.sophos.com/2012/01/31/how-to-navigate-googles-privacy-options/

The gist of the article is that the policies aren't changing much (they're mostly just being consolidated) and that Google will begin to make more use of the data they've been collecting for a while (mostly to send you custom ads).

I should also add a gentle reminder here that it's a good idea to conduct university business on university machines and keep it separate from personal business on non-university computing services.

Google privacy policies may be found here:
https://www.google.com/policies/privacy/preview/
https://www.google.com/policies/terms/

- John



Hello All,

This morning at least three folks have forwarded phishing attempts to me that they received over the weekend. The messages look like this:

=====================
Subject: Validation!!!
Date: Mon, 30 Jan 2012 02:52:07 GMT
From: "Admin"
To:

Dear User,
We have observed suspicious activities from your Internet account. Kindly click on uoregon.edu or copy and paste this link [URL redacted] on your browser to verify your account now in orders to avoid disconnection of service.
Regards,
Web Admin.
==================

These messages are fake. The sender is trying to trick you into visiting a web site that will attempt to install malicious spyware onto your computer. The UO computer security folks are aware of this attempt. You can delete the message. More information is here: http://security.uoregon.edu/phishing

Some clues that these are fake messages:

1) The Subject: header is "Validation!!!" This is vague. The triple exclamation points, an attempt to inject urgency into the message, are another clue.

2) The From: header leads back to "Admin" -- if this were a real message it would be from someone like Jon Miyake who uses an address like miyake@network-services.uoregon.edu or miyake@uoregon.edu

3) "We have observed suspicious activities from your Internet account." This is a vague statement; if the folks in McKenzie Hall were contacting you about a suspected security breach via e-mail, they'd say something along the lines of, "The account burridge is showing signs of being compromised with [Conficker or some other piece of malware]," or "We've had reports of SPAM being sent with the burridge account." In cases of serious breach, you'd receive a phone call and various Psych IT folks would be alerted.

4) If you look at the redacted URL in the message, you'd see it doesn't look like http://psych.uoregon.edu or http://it.uoregon.edu/ or https://duckid.uoregon.edu/ or https://shibboleth.uoregon.edu/idp/Authn/UserPassword. The redacted URL starts with http, which is not secure. The redacted URL ends in .tk, which is the domain for Tokelau, a territory of New Zealand located in the South Pacific.

5) The message reads "verify your account now in orders to avoid disconnection of service." 'In orders to'? Not a good sign.

6) The closing of this message is also vague. A real message would include at the very least contact information for the UO Computing Helpdesk in McKenzie, or a more specific contact, like Jon Miyake (IT Policy and Security Administrator), Kelsey Davis (Help Desk Services Coordinator) or Connie French (Accounts).
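The clues in this message, together with the "links that look odd" point from the fake Adobe update notice earlier on this page, can be turned into a small triage script. The following is an added example, not a tool the department or the UO security folks use; the two sample messages are constructed for it (the sender address and the .tk link are made-up placeholders), and the trusted-domain list, the generic-sender names, the .tk rule and the registrable-domain shortcut are all assumptions chosen for this illustration.

```python
"""Heuristic phishing triage encoding the clues from the notices above.
Added example; every threshold and word list here is an assumption."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the notices treat as legitimate senders or link targets.
TRUSTED_DOMAINS = {"uoregon.edu", "adobe.com", "acrobat.com"}
# Brand words that, inside a host on some *other* domain, suggest a look-alike
# such as acrobat-upgrade.com (the example quoted in the Adobe notice).
BRAND_TOKENS = ("uoregon", "adobe", "acrobat")
GENERIC_SENDER_NAMES = {"admin", "web admin", "support", "webmaster"}
SUSPICIOUS_TLDS = {"tk"}                 # the notice's redacted URL ended in .tk
ODD_PHRASES = ("in orders to", "kindly click")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name. Simplification (assumption): fine for
    .edu/.com/.tk, wrong for suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_url(url: str) -> list[str]:
    """Signals about one link: plain http, suspicious TLD, brand name on an
    untrusted domain. Each is a hint to weigh, not a verdict on its own."""
    findings = []
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme == "http":
        findings.append(f"plain http (not https) link: {url}")
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        findings.append(f"link hosted under a suspicious TLD: {host}")
    if registrable_domain(host) not in TRUSTED_DOMAINS and any(t in host for t in BRAND_TOKENS):
        findings.append(f"look-alike host (brand name on an untrusted domain): {host}")
    return findings


def triage(raw_message: str) -> list[str]:
    """Return the phishing signals found in an RFC 822-style message text."""
    msg = message_from_string(raw_message)
    findings = []

    subject = msg.get("Subject", "")
    if subject.count("!") >= 2:                      # clue 1: manufactured urgency
        findings.append(f"urgency punctuation in subject: {subject!r}")

    name, addr = parseaddr(msg.get("From", ""))     # clue 2: who is it really from?
    sender_domain = registrable_domain(addr.partition("@")[2]) if "@" in addr else ""
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain is not a trusted one: {sender_domain or '(none)'}")
        if name.strip().lower() in GENERIC_SENDER_NAMES:
            findings.append(f"generic sender name on an untrusted address: {name!r}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):                 # clue 4: odd links
        findings.extend(check_url(url))
    lowered = body.lower()                           # clue 5: odd phrasing
    findings.extend(f"odd phrasing: {p!r}" for p in ODD_PHRASES if p in lowered)
    return findings


# Constructed sample modelled on the message quoted in the notice; the sender
# address and the link are placeholders, not real hosts.
SAMPLE_PHISH = """\
Subject: Validation!!!
From: "Admin" <admin@webmail-notice.invalid>
To: user@uoregon.edu

Dear User,
We have observed suspicious activities from your Internet account.
Kindly click on uoregon.edu or copy and paste this link
http://account-verify.placeholder-host.tk/login on your browser to
verify your account now in orders to avoid disconnection of service.
Regards,
Web Admin.
"""

# Constructed sample of the kind of message the notice says a real one would be.
SAMPLE_LEGIT = """\
Subject: Account burridge: spam reports
From: Jon Miyake <miyake@uoregon.edu>
To: burridge@uoregon.edu

We've had reports of SPAM being sent with the burridge account.
Please call the Help Desk at 541-346-4357 or see https://it.uoregon.edu/ for details.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or "no signals")
```

Run it and the constructed phish trips seven signals while the legitimate sample trips none. Note that `check_url` flags the http://www.adobe.com link from the Adobe notice as plain http too; that one signal alone is weak, which is why the script reports a list of hints rather than a single fake/real answer.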



Hello All,

This Monday morning I'm seeing a pattern of folks having difficulty sending out e-mail. If you've suddenly started to receive e-mail rejection error messages from an SMTP server, or if you've noticed that your e-mail program is accumulating messages in the outbox instead of sending them, there may be a problem with your advanced SMTP server settings. Confirming that the SMTP server is using port 587 has cleared the problem.

General e-mail configuration instructions are here: http://it.uoregon.edu/set-up-email

N.B. These instructions for Mac Mail http://it.uoregon.edu/node/183 are more helpful for dealing with this specific problem than the other Mac Mail instructions.

On the machines I've seen, the SMTP port was either misconfigured or using an old port configuration - the SMTP or outgoing mail server port should be 587.



WHAT THIS IS ABOUT: FYI: A design flaw in some wireless network routers could allow malefic people onto your network.

WHO SHOULD READ THIS: Folks who access sensitive, confidential or HIPAA records from the comfort of home. Anyone in charge of configuring their home wireless network.

WHAT YOU SHOULD DO: Specific instructions will vary by wireless router manufacturer. Generally: disable the WPS protocol; use WPA2 encryption with a strong password; disable UPnP; and enable MAC address filtering so only trusted computers and devices can connect to the wireless network.

A non-exhaustive, non-endorsing couple of example router guides are included below:
Netgear Recommended Wireless Setup: http://support.netgear.com/app/answers/detail/a_id/112
Cisco Linksys Router checklist: http://www6.nohold.net/Cisco2/ukp.aspx?vw=1&articleid=3698

ADDITIONAL INFORMATION: It is possible that individual router manufacturers will provide a router firmware patch in the future.
US-CERT Vulnerability Note VU#723755
http://www.kb.cert.org/vuls/id/723755
Open-Source Tool for Hacking WiFi Protected Setup (WPS)
http://arstechnica.com/business/news/2011/12/researchers-publish-open-source-tool-for-hacking-wifi-protected-setup.ars
Hands-on: hacking WiFi Protected Setup with Reaver
http://arstechnica.com/business/news/2012/01/hands-on-hacking-wifi-protected-setup-with-reaver.ars
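The same checklist (WPS off, WPA2, a strong passphrase, MAC address filtering) can be audited mechanically on access points that expose a text configuration. The following is an added example, not anything from the notice's vendors: it reads a hostapd-style configuration (hostapd is the access-point daemon behind OpenWrt and many Linux-based routers, and the option names used are hostapd's real ones), shows a weak configuration beside a hardened one, and lists what is wrong. The 12-character passphrase threshold is an assumption for this illustration, the sample configurations are constructed, and UPnP is not covered because it is handled by a separate daemon rather than by hostapd.

```python
"""Audit a hostapd-style AP configuration against the notice's checklist.
Added example; the sample configs and the passphrase threshold are assumptions."""

MIN_PASSPHRASE_LEN = 12   # assumption for this example; the notice only says "strong"


def parse_conf(text: str) -> dict:
    """hostapd.conf is one key=value per line with '#' comments; a repeated
    key takes the last value given."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict) -> list[str]:
    """Return one finding per checklist item the configuration fails."""
    findings = []
    # wps_state: 0 = WPS disabled, 1 = unconfigured, 2 = configured (hostapd default 0).
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS is enabled (wps_state != 0); disable it, per VU#723755")
    # wpa: bit 1 = WPA, bit 2 = WPA2/RSN; only "2" means WPA2-only.
    if conf.get("wpa") != "2":
        findings.append("WPA2 is not the only protocol allowed (wpa != 2)")
    # hostapd uses wpa_pairwise for WPA2 when rsn_pairwise is not set.
    pairwise = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split()
    if "TKIP" in pairwise or "CCMP" not in pairwise:
        findings.append(f"pairwise cipher should be CCMP only, got {pairwise or 'unset'}")
    if len(conf.get("wpa_passphrase", "")) < MIN_PASSPHRASE_LEN:
        findings.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    # macaddr_acl: 0 = accept unless denied, 1 = deny unless listed in accept_mac_file.
    if conf.get("macaddr_acl", "0") != "1":
        findings.append("MAC address filtering is off (macaddr_acl != 1)")
    elif not conf.get("accept_mac_file"):
        findings.append("macaddr_acl=1 but no accept_mac_file, so no client is allowed")
    return findings


# Constructed sample: a typical factory-style setup with WPS on, mixed WPA/WPA2,
# TKIP permitted, a weak passphrase and no MAC filtering.
WEAK_CONF = """
interface=wlan0
ssid=HomeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
wpa_passphrase=password
wps_state=2
eap_server=1
macaddr_acl=0
"""

# Constructed sample: the same network after applying the notice's checklist.
HARDENED_CONF = """
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2012
wps_state=0
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(parse_conf(text)) or "no findings")
```

The weak sample produces five findings and the hardened one none. MAC filtering is listed last on purpose: it keeps casual devices off but is the easiest of the four to bypass, so it complements WPA2 and a WPS-off setting rather than replacing them.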



Hello All,

The technical press is buzzing with news about how "Hacktivists" Target Various Security & Intelligence Firms, which is making Computer Security this season's New Black (wait, is "Black the New Black"... or is it "Black is the New Pink" ....?).

Worst Passwords of 2011:
http://www.forbes.com/sites/davidcoursey/2011/11/21/25-worst-passwords-of-2011-revealed/

How Passwords Are Cracked and How You Can Keep Them Safer (kind of dry, you might want to skip to the heading with Brutus and the stars)
http://www.securityweek.com/how-passwords-are-cracked-and-how-you-can-make-yours-stronger

Dot-dash-diss: The gentleman hacker's 1903 lulz
http://www.newscientist.com/article/mg21228440.700-dotdashdiss-the-gentleman-hackers-1903-lulz.html?full=true

Last week's Stratfor cyber attacks:

Hackers Breach the Web Site of Stratfor Global Intelligence
http://www.nytimes.com/2011/12/26/technology/hackers-breach-the-web-site-of-stratfor-global-intelligence.html

Analysis of Data Exposed in STRATFOR Cyber Attack
http://www.securityweek.com/analysis-data-exposed-stratfor-cyber-attack

Technology: Hacked Intelligence Company Is a Target Again
http://www.nytimes.com/2011/12/27/technology/hacked-intelligence-company-is-a-target-again.html

Antisec hits private intel firm; millions of docs allegedly lifted
http://arstechnica.com/tech-policy/news/2011/12/antisec-hits-private-intel-firm-millions-of-docs-allegedly-lifted.ars



WHAT THIS IS ABOUT: There is a vulnerability in Adobe Reader and Acrobat that could allow a malicious attacker to crash a computer and take control of it. So far the scope of attacks has been limited.

WHO SHOULD READ THIS: Both Windows and Macintosh users of Adobe Acrobat or Reader are affected. The vulnerability involves the following software:
Adobe Reader X 10.1.1 and earlier 10.x versions for Windows and Macintosh
Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX
Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh
Other platforms and Adobe software are not affected.

WHAT YOU SHOULD DO: Remember that Adobe will not e-mail you a fix for this security problem. Do not try to install any purported fixes sent by Adobe; these will be trojan horses sent by Evil People to trick you into installing malware onto your computer.

A fix from Adobe for this problem is not available at this time (Dec 7, 2011) but is expected in the next week. Be careful opening PDF files sent via e-mail or from the web; be sure they are from a trusted source.

The 10.x versions of the software have a setting to help mitigate this threat:

Acrobat X:
Open Acrobat X
Go to Edit > Preferences > Security (Enhanced)
Make sure either "Files from potentially unsafe locations" OR "All files" has "Enable Enhanced Security" checked.

Reader X:
Go to Edit > Preferences > General
Make sure "Enable Protected Mode at startup" is checked.

FURTHER INFORMATION:
http://www.adobe.com/support/security/advisories/apsa11-04.html
http://www.physorg.com/news/2011-12-adobe-zero-day-danger-reader-acrobat.html
http://nakedsecurity.sophos.com/2011/12/06/beware-adobe-software-upgrade-notification-malware-attached/



WHAT THIS IS ABOUT:
Apple has updated their list of unsafe downloads. Using this update protects some Macintosh users from accidental download of malware.

WHO SHOULD READ THIS:
Folks using Mac OS X Snow Leopard (10.6) and Mac OS X Lion (10.7). Macintosh users with older operating system software do not have a built-in malware protection software package. Windows users are not affected by this update.

WHAT YOU SHOULD DO:
01. Save your work and close applications.
02. Go to the APPLE menu and choose ABOUT THIS MAC. A new window will appear.
03. Big bold letters should say Mac OS X. Under this will be a version. If the version number is 10.5.8 or lower, stop; you do not have a version of the Macintosh operating system which uses built-in malware protection. (You might want to click on SOFTWARE UPDATE to be sure you have the latest updates available for your operating system.)
04. If the version number is 10.6.0 or greater, continue. Check that the version is 10.6.8 or 10.7.2. If it is not, click SOFTWARE UPDATE to update the operating system. This will require a system reboot, and the operating system may ask you for an administrative username and password. Repeat the above directions until the Macintosh is running 10.6.8 or 10.7.2.
05. Go to the APPLE menu and choose SYSTEM PREFERENCES. A new window will appear.
06. Click on the SECURITY icon (a house with a safe dial on the front). Security settings will appear.
07. Click on the GENERAL tab (it should be the default selection).
08. In the lower left-hand corner, make sure the padlock icon is unlocked. If it isn't, click on it and supply an administrative username and password to unlock it.
09. UNCHECK "Automatically update safe downloads list" (yes, this is counter-intuitive).
10. Count to five.
11. RECHECK "Automatically update safe downloads list" (this will force a silent update of the list -- there will be no bells or whistles).
12. Close the System Preferences window.
13. Resume work.

ADDITIONAL INFORMATION:
http://security.thejoshmeister.com/2011/11/how-to-update-apples-safe-downloads.html
http://nakedsecurity.sophos.com/2010/06/18/apple-secretly-updates-mac-malware-protection/

--------------------
John Burridge | Technical Services | STB 358
Department of Psychology    phone: 541-346-4982
University of Oregon        fax: 541-346-4271
Eugene, OR 97403-1227
burridge@uoregon.edu
http://pages.uoregon.edu/burridge
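Both of the notices above (the Adobe Reader/Acrobat version list and the Mac OS X safe-downloads procedure) ask the reader to compare version numbers by eye, and the safe-downloads refresh is silent, so there is nothing in the GUI that confirms it worked. The script below is an added example written for this page, not code from the e-mails or from Adobe or Apple. It turns the two checks into POSIX sh functions: whether an installed Reader/Acrobat version falls inside the affected ranges the notice lists, whether a Mac OS X version is one the notice says carries the built-in list (and is at 10.6.8 / 10.7.2), and what version the list itself is at. The location of the list (XProtect.meta.plist inside CoreTypes.bundle) and the layout of its Version key are assumptions about 10.6/10.7, not stated in the e-mails; pass a different file path to check another location.

```shell
#!/bin/sh
# Added example (not from the original e-mails): version sanity checks for the
# Adobe notice and the Mac OS X safe-downloads notice, as POSIX sh functions.
# Assumptions not stated in the e-mails: the safe-downloads list is
# XProtect.meta.plist under CoreTypes.bundle and carries <key>Version</key>
# followed by an <integer> on the next line; sw_vers reports the OS version.

# vercmp A B: print -1, 0 or 1 as dotted version A is <, = or > B.
# Missing trailing components count as 0, so 10.1 == 10.1.0 < 10.1.1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$x" = "$a" ] && a="" || a="${a#*.}"
        [ "$y" = "$b" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# adobe_affected VERSION: exit 0 if the notice's affected list covers this
# Reader or Acrobat version (both products share the cut-offs 9.4.6 and 10.1.1).
adobe_affected() {
    v="$1"
    case "$v" in
        9.*)  [ "$(vercmp "$v" 9.4.6)" -le 0 ] ;;
        10.*) [ "$(vercmp "$v" 10.1.1)" -le 0 ] ;;
        *)    return 1 ;;
    esac
}

# macos_xprotect_ok VERSION: exit 0 if this Mac OS X release has the built-in
# safe-downloads list and is at the level the notice asks for (10.6.8 on
# Snow Leopard, 10.7.2 on Lion).  Exit 2 for 10.5.8 and earlier (no list at
# all; the notice says to stop), exit 1 for anything else (needs Software Update
# or is outside the releases the notice covers).
macos_xprotect_ok() {
    v="$1"
    case "$v" in
        10.6|10.6.*)          [ "$(vercmp "$v" 10.6.8)" -ge 0 ] ;;
        10.7|10.7.*)          [ "$(vercmp "$v" 10.7.2)" -ge 0 ] ;;
        10.[0-5]|10.[0-5].*)  return 2 ;;
        *)                    return 1 ;;
    esac
}

# xprotect_version [PLIST]: print the integer Version of the safe-downloads
# list, so a before/after comparison shows whether step 11 actually pulled a
# new list.  The default path is the assumed 10.6/10.7 location.
xprotect_version() {
    f="${1:-/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist}"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    # take the line after <key>Version</key>, keep only its digits
    sed -n '/<key>Version<\/key>/{n;s/[^0-9]//g;p;q;}' "$f"
}

# Run on the Mac itself with:  sh xprotect_check.sh --run
if [ "${1:-}" = "--run" ]; then
    os="$(sw_vers -productVersion 2>/dev/null || echo unknown)"
    if macos_xprotect_ok "$os"; then
        echo "Mac OS X $os: safe-downloads list present, list version $(xprotect_version)"
    else
        echo "Mac OS X $os: not at 10.6.8/10.7.2, run Software Update first (step 04)" >&2
    fi
fi
```

Run it once before step 09 and once after step 11; if the printed list version has not changed, the silent refresh did not happen and the toggle should be repeated. The Adobe check is deliberately conservative: any 9.x at or below 9.4.6 and any 10.x at or below 10.1.1 is reported as affected, matching the notice's "and earlier" wording rather than guessing at builds it does not list.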


Remote Technology: http://is.uoregon.edu/remote
The tools you need to learn, teach, & work remotely

John Burridge, Web Communications Technician ⚣ he/him/his
University of Oregon, Robert D. Clark Honors College
M-F: 8AM-Noon, 1PM-3PM
burridge@uoregon.edu
http://pages.uoregon.edu/burridge