ALERT: Heartbleed – Internet Encryption Bug

This week, security researchers announced the discovery of an extensive security flaw in OpenSSL, called the Heartbleed Bug. OpenSSL is used by a majority of online services to encrypt data over the internet. Sites like Facebook, Yahoo, and Gmail all leverage OpenSSL to encrypt your data.

What is the Heartbleed Bug?
In a nutshell, the Heartbleed Bug provides an opening for hackers to access your data that has traveled across the internet using OpenSSL. This includes things like user names and passwords, personal information, and credit card information that you would use on sites like Gmail, Yahoo, Facebook, or ecommerce and banking sites.

What can we do to protect ourselves?
Although it was recently discovered, this bug has been in place for a few years. Security experts are still determining the scope of the impact. ITS recommends that you immediately change your passwords for high-value accounts like financial accounts or accounts that allow access to personal data like tax information. Sites like Gmail, Yahoo, ecommerce, and online banking sites are all working to correct any vulnerability to minimize the risk to users going forward. ITS also advises that you continue to monitor your accounts in the coming months, especially those that contain more sensitive data like banking or credit card information.

ITS has no indication that myNEU passwords would need to be changed at this time. If you have a non-ITS-managed machine, particularly one running UNIX/Linux, ITS advises that you immediately check for operating system patches and apply any critical or recommended security patches.

What is ITS doing to protect Northeastern?
To reduce our risk internally, ITS has already been working through the week to patch all of Northeastern’s technology that relies on OpenSSL. This includes patching of applications, servers, and our networks. We are continuing to work with our partner providers and vendors to address this serious security concern.

How can I get more information on the Heartbleed Bug?
More information on the Heartbleed Bug can be found here:
CNET – Heartbleed Bug Undoes Web Encryption, Reveals Yahoo Passwords
ComputerWorld – Heartbleed Bug in OpenSSL Leaves Encrypted Communications at Risk
Heartbleed Main Information Page

Questions or concerns? Please contact the ITS Service Desk at 617.373.4357 (xHELP) or help@neu.edu.

Image credit: Codenomicon

Posted in Safe Computing, SecureNU Information, Website Security

Phishing Email 4/4/2014: [BULK] ALERT !

Today we have a phishing email that looks like it is from the Help Desk. This phishing email attempts to trick the user into supplying their myNEU username, password, and birth date.

The Service Desk will NEVER ask for your password in an email.

Please delete this email from your inbox.

Contact the Service Desk (x4357) if you have any questions.

-----Original Message-----
From: circledo@xxxxx.edu [mailto:circledo@xxxx.edu] On Behalf Of ITS Help Desk
Sent: Thursday, April 03, 2014 5:55 PM
Subject: [BULK] Alert !

This is a WebNews Email Account Update
See the below mailing information
———————————————————————–

Dear Faculty/Staffs,

We are currently carrying out an upgrade on our outlook system due to the fact that it had come to our notice that one or more of our subscriber are introducing a strong virus into our system and it is affecting our network.We are trying to find out the specific person.For this reason all subscribers are to provide their USER NAME AND PASSWORD for us to verify and have them cleared against this virus,and to upgrade to the latest outlook 2014 webmail interface.

Those that refuses, their Email Account will be terminated.

Information to send are;

myNEU username:

myNEU password:

Confirm Password:

Date of birth :

Thank you for using NEU webmail

Hoping to serve you better
Outlook Upgrade Centre
Technical Department.
Copyright © 2014. Northeastern University,All Rights Reserved.

Posted in Malware, Anti-Virus, Phishing, Scams

Phishing Email Hits Campus – 3/25/2014 – Last Warning!!!

The following phishing email has been received by members of the Northeastern community.

If you receive this email please delete it immediately. Do NOT click on the link in the email.

Contact the Service Desk, 617-373-4357, if you have any questions.

From: ITS Help Desk [mailto:xxxxx]
Sent: Tuesday, March 25, 2014 2:49 PM
Subject: Last Warning!!!

WARNING: You’ve Exceeded Your web Bandwidth Limit

You’re currently over your bandwidth limit. Your current bandwidth is
limited,Your Incoming messages Are pending,contact us as soon as
possible Please review that you received this messages today by
contacting us to Automatically renewal your bandwidth Click now

Webmail Communications Inc. All Rights Reserved
Copyright © Helpdesk Information Department

-- This email was sent from HiNet WebMail --

Posted in Malware, Anti-Virus, Phishing, Scams

Changes to Guest Wireless – NUwave-guest

In an ongoing effort to enhance the security of our campus wireless networks, Information Technology Services will be implementing changes to the unsecured wireless network NUwave-guest.

This May, ITS will enable registration requirements and a time limit for NUwave-guest access on the Boston campus. Individuals wishing to use the guest wireless network will need to register through a new guest wireless portal page, similar to those used by coffee shops and airports. These changes provide a greater level of security for our campus networks by limiting Internet access to identified guests visiting Northeastern for a certain period of time.

As a reminder, NUwave-guest access is intended for limited guest wireless access only. Northeastern students, faculty, staff and sponsored accounts must use the secure wireless network NUwave.

We will continue to reach out to the campus community and encourage you to provide feedback on this initiative through myHelp, after logging in with your myNEU credentials. As the launch date approaches, ITS will provide reminders and additional details about these changes.

Want to learn more? Visit the NUwave-guest Wireless Network FAQ page on the ITS website.
Questions or concerns? Please contact the ITS Service Desk at 617.373.4357 (xHELP) or help@neu.edu.

Posted in NU Policy

Windows XP Death Watch – 1 Month Left

Are you still using Windows XP or know someone who is?

On April 8, 2014 Microsoft support will end for Windows XP. As a result ITS will no longer support the operating system. Any faculty, staff and labs that are still using computers running Windows XP need to upgrade to Windows 7.

There are serious implications related to using Windows XP after April 8, 2014. In addition to the lack of support, there are significant security risks. If your machine represents a security threat to Northeastern’s networks, your network access will be revoked.

How to upgrade from Windows XP to Windows 7

If you are still using Windows XP and have not yet taken steps to upgrade to Windows 7, please contact the ITS Service Desk at 617.373.4357 (xHELP) or at help@neu.edu to begin the transition to Windows 7. We are asking faculty and staff members to upgrade as soon as possible to ensure that we can accommodate requests in a timely manner.

NOTE: All computers must be backed up before the new operating system is installed. The ITS Service Desk can assist you with this process. Additionally, some older machines may be advised to upgrade to a newer model.

Want to learn more? Visit the Windows XP retirement FAQ page on the ITS website.

Questions or concerns? Please contact the ITS Service Desk at 617.373.4357 (xHELP) or help@neu.edu.

——————-
Related links:
Windows XP Retirement FAQ page
Microsoft – Windows XP retirement page
CNET – Windows XP starts countdown to end-of-support on April 8
Lynda.com – Migrating from Windows XP to Windows 7 tutorial
PC World – Making the transition from XP to the Windows interface
Computerworld – XP’s retirement will be hacker heaven

——————-

Image Credit: Sophos.Com

Posted in Safe Computing

New Lynda Video: Web Programming Security

Lynda.Com has released a new course focusing on web programming security. This video is a must for anyone developing online websites and applications.

Watch for free with your MyNEU credentials

Link to the course: Foundations of Programming: Web Security

From the Course Details:

Learn about the most important security concerns when developing websites, and what you can do to keep your servers, software, and data safe from harm. Instructor Kevin Skoglund explains what motivates hackers and their most common methods of attacks, and then details the techniques and mindset needed to craft solutions for these web security challenges. Learn the eight fundamental principles that underlie all security efforts, the importance of filtering input and controlling output, and smart strategies for encryption and user authentication. Kevin also covers special considerations when it comes to credit cards, regular expressions, source code managers, and databases.

This course is great for developers who want to secure their client’s websites, and for anyone else who wants to learn more about web security.
Topics include:
Why security matters
What is a hacker?
How to write a security policy
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
SQL injection
Session hijacking and fixation
Passwords and encryption
Secure credit card payments

Posted in Secure Programming, Video, Website Security

Dangerous Security Bug in iOS and OS X

February 25, 2014: Apple releases update for OS X

Apple: Instructions on updating OS X

Arstechnica: Apple releases OS X 10.9.2, patches SSL flaw and adds FaceTime Audio support

Update iOS NOW!

Apple has released an update to address a very serious security problem with iOS 7 and iOS 6. If you have an iPhone, iPod, or iPad install the update immediately.

Apple has not yet released an update for OS X, though it promises one shortly. If you use Safari on Mac, consider using Firefox or Chrome instead (though this is not a guaranteed solution). This page will be updated when an OS X update is released.

The vulnerability affects the way SSL connections are verified. In other words, the operating system is not able to determine whether a connection to a secure website (banking, online shopping, Gmail, etc.) is real. Attackers could impersonate a real website, tricking the user into entering their credentials, or an attacker could intercept and read the encrypted traffic between the user and the secure website.

More Information:

Posted in Apple, Safe Computing

Target Credit & Debit Card Data Breach

What happened?

A data breach occurred at Target stores between November 27 and December 15 where criminals stole 40 million credit and debit card numbers including customer name, expiration date, and CVV.

Am I at risk?

If you swiped your credit or debit card in a Target store between November 27 and December 15 you are potentially at risk for fraudulent purchases and identity theft.

Online shoppers at Target.Com are not affected by this data breach.

What should I do now; how can I protect myself?

Fraudulent Charges: Check your online statements often for fraudulent charges. Criminals will often make a small charge of $1 or $2 to make sure the card works before they go on to buy large items. If you see any strange charges to your account contact your bank for assistance.

Defend Against Identity Theft: Federal law entitles you to one free credit report every 12 months from each of the three credit reporting agencies (Equifax, Experian, TransUnion). Review your credit reports and contact your bank and credit agencies to correct any mistakes on your report.

Go to https://www.annualcreditreport.com/ to receive all three reports.

Go to FTC.Gov for signs that your identity has been stolen: http://www.consumer.ftc.gov/articles/0271-signs-identity-theft

If you believe you are a victim of identity theft, please contact your local law enforcement and the Federal Trade Commission: www.consumer.gov/idtheft or (877) IDTHEFT (438-4338).

How did this happen?

The cause of the breach is still unreported and unknown. Target, along with third-party investigators and the Secret Service, is currently investigating this data breach.

Related Information

Statement From Target: https://corporate.target.com/discover/article/Important-Notice-Unauthorized-access-to-payment-ca

Mass.Gov Consumer Affairs – Identity Theft Resources: http://www.mass.gov/ocabr/consumer/identity-theft/

OnGuardOnline.Gov: Are you affected by the recent Target Attack: http://www.onguardonline.gov/blog/are-you-affected-recent-target-hack

Sophos.com: Target Confirms 40m filched payment cards: http://nakedsecurity.sophos.com/2013/12/20/target-confirms-crooks-may-have-spent-holiday-shopping-season-feasting-on-40m-filched-payment-cards/

Posted in Malware, Anti-Virus, Phishing, Scams