New Lynda Video: Creating Secure PHP Websites


Lynda.com has released a new course on creating secure PHP websites. This video is a must for anyone developing PHP websites and applications.

Watch for free with your MyNEU credentials

Link to the course: Creating Secure PHP Websites

From the Course Details:

Hackers target PHP web applications more often than other sites because most PHP code is written by developers with little security experience. Protecting web applications from these attacks has become an essential skill for all PHP developers. Creating Secure PHP Websites shows you how to meet the most important security challenges when developing websites with PHP. Instructor Kevin Skoglund covers the techniques and PHP code needed to develop sites that are more secure, and to avoid common mistakes. Learn how to configure PHP properly and filter input and escape output. Then check out step-by-step defenses against the most common forms of attack, and the best practices to use for encryption and user authentication.

Topics include:
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
SQL injection
Encrypting and signing cookies
Session hijacking and fixation
Securing uploaded files
User authentication
Throttling brute-force attacks
Blacklisting IPs
Implementing password reset tokens

Posted in Website Security | Comments closed

Changes to NU Wireless Guest Access

Next week, in an ongoing effort to enhance the security of our campus wireless networks, Information Technology Services will be implementing changes to the unsecured wireless network NUwave-guest.

On May 21, 2014, ITS will enable registration requirements and a time limit for NUwave-guest access on the Boston campus. All other Northeastern locations will implement these changes at a later date. Individuals wishing to use the guest wireless network will need to register through a new guest wireless portal page, similar to those used by coffee shops and airports. These changes provide a greater level of security for our campus networks by limiting Internet access to identified guests visiting Northeastern for a certain period of time.

As a reminder, NUwave-guest access is intended for limited guest wireless access only. Northeastern students, faculty, staff and sponsored accounts must use the secure wireless network NUwave.

Registration Details

Individuals wishing to use NUwave-guest will need to register through the guest wireless portal registration page, providing their name, cell phone number and email address. Guests will receive a text message containing their user name and an access code to be entered into the guest portal login page for network access, on up to three devices. Additionally, there will be a new eight-hour time limit for NUwave-guest. Once the allotted time expires, guests will be required to re-register in order to receive a new access code to continue to use the guest wireless network.

Conference and Event Planners

ITS has worked with conference and event organizers to ensure a smooth transition. Organizers may submit a myHelp request one week prior to the event in order to pre-register attendees and provide wireless access for the duration of the event. For access beyond what is already provided with NUwave-guest, organizers may submit a myHelp request two weeks prior to the event date and ITS will work to provide the proper solution. Additional information on how conference and event organizers can provide wireless access to their attendees is located on the NUwave-guest Wireless Network FAQ page.


Want to learn more? Visit the NUwave-guest Wireless Network FAQ page on the ITS website.

Questions or concerns? Please contact the ITS Service Desk at 617.373.4357 (xHELP) or help@neu.edu.

Posted in NU Policy, Safe Computing | Comments closed

Microsoft Releases Patch for Critical Internet Explorer Vulnerability


Microsoft has released a security update for Internet Explorer to resolve the critical vulnerability announced earlier this week. The Internet Explorer vulnerability could be exploited to give a remote attacker control of a user’s computer, letting them install more malicious software onto the machine. This update will be downloaded and installed automatically through Windows Update and will patch all versions of Internet Explorer (IE 6 – IE 11). The update will require a system reboot after installation to complete the patch and should not be delayed.

Computers with Windows XP
Microsoft has made the decision to issue the security update for Windows XP users even though the operating system is no longer supported. Windows XP users are still strongly encouraged to upgrade to Windows 7 and should not expect additional updates. Contact the ITS Service Desk at 617.373.4357 or help@neu.edu for assistance with upgrading to Windows 7.

Posted in Uncategorized | Comments closed

New Vulnerability in ALL Versions of Internet Explorer


Overview

Microsoft and US-CERT have released an alert about a vulnerability in all versions of Internet Explorer (IE 6 through IE 11) that could allow an attacker to install and run code of their choosing on a computer. The most likely way a computer would be affected is through a drive-by download: a user visits a compromised or malicious website, and code on that page exploits the vulnerability in the user's web browser to infect the computer with malware, with no download prompt or other action by the user.

As of now, researchers have only seen active campaigns on the Internet targeting IE 9 through IE 11, though earlier versions of IE may become targets in the future.

Microsoft ended support for Windows XP on April 8, 2014. When Microsoft releases a patch to close this vulnerability, only users running a supported version of Windows, such as Windows 7 and above, should expect to receive it. Windows XP users should not expect a fix, which would leave them permanently exposed to a known serious vulnerability in Internet Explorer.

For the user

Users of Windows 7 and above should use Internet Explorer only when a business application requires it, e.g. NU SharePoint or Banner. For all other websites, use a browser other than Internet Explorer until a patch is released.

Windows XP users: Microsoft no longer releases updates or patches for Windows XP, so you should not expect a patch for this vulnerability. It is strongly recommended that you upgrade to Windows 7 or 8.1.

Contact the Service Desk at 617-373-4357 or help@neu.edu for assistance with alternate browsers or upgrading to Windows 7.

More Information

ThreatPost: NEW INTERNET EXPLORER CVE-2014-1776 ZERO DAY USED IN TARGETED ATTACKS

KrebsonSecurity: Microsoft Warns of Attacks on IE Zero-Day

Sophos: Microsoft acknowledges “in the wild” Internet Explorer zero-day

The Verge: Security flaw puts all Internet Explorer users at risk, exposes Windows XP

Posted in Malware, Anti-Virus, Phishing, Scams, Safe Computing | Comments closed

What is Heartbleed and how to stay secure? – New Lynda.Com Video


Lynda has released two new videos explaining Heartbleed and how you can protect yourself.

The first video, Protecting Yourself from the Heartbleed Bug, tells users how they can stay secure and change passwords.

View Here: Protecting Yourself from the Heartbleed Bug

The second video, Heartbleed Tactics for Small IT Shops, provides an in-depth explanation of the Heartbleed Bug.

View Here: Heartbleed Tactics for Small IT Shops

Note: You do not have to be logged into Lynda to view these videos.

Posted in Safe Computing, Video | Comments closed

Heartbleed Bug – What You Need To Know


As you may be aware from an ITS email and technology news coverage, a serious security bug has been found in the OpenSSL cryptographic software library; the news was made public on Tuesday, April 8, 2014. The bug (CVE-2014-0160, nicknamed Heartbleed) is a missing bounds check in OpenSSL's TLS heartbeat extension and affects OpenSSL 1.0.1 through 1.0.1f. It lets an attacker read chunks of a vulnerable server's memory, exposing private information that encryption normally protects, including login and password information for affected systems, among other things.

What does it mean for you?
Information Technology departments here at Northeastern University and across the world have been working to repair vulnerable systems since the flaw was announced. There is a general recommendation that passwords on systems which were affected should be changed. Mashable has compiled a good overview of systems that were vulnerable to this flaw.

It is important to note that you should not instantly change every password for every online resource you use. Changing a password on a site that is still vulnerable gains nothing, since the new password can be exposed just as the old one was; wait until the site confirms it has patched, then take a measured approach and use the following criteria to decide whether a password needs to be changed:

  • You have high value accounts that have been identified as vulnerable. This includes financial websites and others which contain Personally Identifiable Information (PII). Examples would be online tax sites, banking sites etc.
  • You have a habit of using the same username and password pair across multiple websites. Reusing credentials is never recommended, because one compromised site then exposes every other account that shares the same password.
  • You have accounts on web resources that have been confirmed to be vulnerable. The list from the Mashable link above only contains the top 1,000 sites. You should visit each resource and look for system announcements indicating their status.
  • Any other account where you may have concern.

Other Issues to Address
In the coming weeks, it is vitally important that you have a heightened awareness regarding your different online accounts. Hackers and Internet criminals never pass up a good crisis. Expect to see spam and phishing emails in the future which claim your accounts have possibly been compromised due to Heartbleed and you need to reset your passwords immediately. Always reset your password by visiting the website directly, rather than clicking through in an email. If you have any doubts about the validity of emails, contact the service provider through a known phone number.

Other Resources
The following resources check whether a website is still vulnerable to the Heartbleed bug. Note that they report only the site's current status, not whether it was vulnerable earlier. A site that was exposed also needs to replace its TLS certificate, since the private key could have been read from memory while the site was vulnerable; a patched server still using its old certificate has not finished cleaning up:
Heartbleed test
Symantec SSL Toolbox
Qualys SSL Labs Server test

Questions or concerns? Please contact the ITS Service Desk at 617.373.4357 (xHELP) or help@neu.edu.

Posted in Safe Computing, Secure Programming, Website Security | Comments closed

ALERT: Heartbleed – Internet Encryption Bug


This week, security researchers announced the discovery of a serious security flaw in OpenSSL, called the Heartbleed Bug. OpenSSL is the cryptographic library behind a large share of the encrypted (HTTPS) connections on the internet; sites like Facebook, Yahoo, and Gmail all leverage OpenSSL to encrypt your data.

What is the Heartbleed Bug?
In a nutshell, the Heartbleed Bug lets an attacker read up to 64 KB of a vulnerable server's memory per request, leaving no trace in the server's logs. That memory can hold data you sent to the site under encryption, such as user names and passwords, personal information, and credit card information used on sites like Gmail, Yahoo, Facebook, or ecommerce and banking sites, and in the worst case the server's own private key.

What can we do to protect ourselves?
Although only recently discovered, this bug has been present since OpenSSL 1.0.1 was released in March 2012. Security experts are still determining the scope of the impact. ITS recommends that you change your passwords for high value accounts, such as financial accounts or accounts that give access to personal data like tax information, as soon as the site in question has confirmed it is patched; a password changed on a still-vulnerable site can be exposed again. Sites like Gmail, Yahoo, ecommerce, and online banking sites are all working to correct the vulnerability to minimize the risk to users going forward. ITS also advises that you continue to monitor your accounts in the coming months, especially those that contain more sensitive data like banking or credit card information.

ITS has no indication that myNEU passwords need to be changed at this time. If you have a machine that ITS does not manage, particularly one running UNIX/Linux, ITS advises that you immediately check for operating system patches and apply any critical or recommended security patches. Note that updating the OpenSSL package is not enough on its own: services that were already running (web servers, mail servers, SSH and VPN daemons) keep the old library loaded until they are restarted, so restart those services or reboot after patching.
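The script below is an added example for this post, not ITS's own tooling. It covers the two things the paragraph asks a UNIX/Linux administrator to do: see whether the installed OpenSSL release falls in the range the OpenSSL project marked as affected, and find long-running services that still have the old library loaded after the package upgrade. The version ranges are the ones published with the fix (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and 1.0.2-beta2 fixed; the 1.0.0 and 0.9.8 branches never had the heartbeat code). The lsof output at the bottom is constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the ITS post): two local Heartbleed follow-up checks.
#
# Assumed facts: upstream OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are
# affected; 1.0.1g and 1.0.2-beta2 (and every release after them) are fixed;
# the 1.0.0 and 0.9.8 branches never contained the TLS heartbeat code.
# Caveat: distributions often backport the fix WITHOUT changing the version
# string (Debian and Ubuntu kept reporting "1.0.1e" / "1.0.1"), so
# "affected-upstream" means "confirm against the package changelog", not
# "confirmed exploitable".

# $1: the line printed by `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
heartbleed_classify() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        "")                                    echo "unknown" ;;
        1.0.1|1.0.1-*|1.0.1[a-f]*|1.0.2-beta1) echo "affected-upstream" ;;
        1.0.1[g-z]*|1.0.2*|1.1.*|[2-9].*)       echo "fixed-upstream" ;;
        0.9.8*|1.0.0*)                         echo "not-affected" ;;
        *)                                     echo "unknown" ;;
    esac
}

# $1: the full output of `openssl version -a`. A build compiled with
# -DOPENSSL_NO_HEARTBEATS has the vulnerable code removed whatever its
# version number says; the flag appears in the "compiler:" line.
heartbeats_compiled_out() {
    case "$1" in
        *OPENSSL_NO_HEARTBEATS*) echo "yes" ;;
        *)                       echo "no" ;;
    esac
}

# Reads lsof-style lines on stdin and prints COMMAND:PID for each process
# that still maps a libssl file deleted by the upgrade. lsof marks such a
# mapping with DEL in the FD column (4th field); /proc/PID/maps instead
# appends "(deleted)" to the path, so both forms are matched.
stale_libssl_users() {
    awk '/libssl/ && ($4 == "DEL" || /\(deleted\)/) { print $1 ":" $2 }'
}

# --- demonstration -------------------------------------------------------

# On the host running this script (skipped if openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    echo "installed OpenSSL: $(heartbleed_classify "$(openssl version)")"
    echo "heartbeats compiled out: $(heartbeats_compiled_out "$(openssl version -a)")"
fi

# Constructed lsof output (not from a real system): sshd was restarted and
# maps the current library; nginx and postfix still hold the deleted file.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 1234 www-data DEL REG 8,1 393580 /lib/x86_64-linux-gnu/libssl.so.1.0.0
sshd 987 root mem REG 8,1 393712 /lib/x86_64-linux-gnu/libssl.so.1.0.0
postfix 2222 postfix mem REG 8,1 393580 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)'

echo "processes needing a restart:"
printf '%s\n' "$SAMPLE_LSOF" | stale_libssl_users
```

On a real host, pipe `lsof -n` into `stale_libssl_users` (run as root, otherwise lsof only lists your own processes) and restart whatever it names; "affected-upstream" combined with a backported package version means the package changelog, not the version string, decides whether the host is still exposed.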

What is ITS doing to protect Northeastern?
To reduce our risk internally, ITS has already been working through the week to patch all of Northeastern’s technology that relies on OpenSSL. This includes patching of applications, servers, and our networks. We are continuing to work with our partner providers and vendors to address this serious security concern.

How can I get more information on the Heartbleed Bug?
More information on the Heartbleed Bug can be found here:
CNET – Heartbleed Bug Undoes Web Encryption, Reveals Yahoo Passwords
ComputerWorld – Heartbleed Bug in OpenSSL Leaves Encrypted Communications at Risk
Heartbleed Main Information Page

Questions or concerns? Please contact the ITS Service Desk at 617.373.4357 (xHELP) or help@neu.edu.

Image credit:Codenomicon

Posted in Safe Computing, SecureNU Information, Website Security | Comments closed

Phishing Email 4/4/2014: [BULK] ALERT !

Today we have a phishing email that looks like it is from the Help Desk. This phishing email attempts to trick the user into supplying their myNEU username, password, and birth date.

The Service Desk will NEVER ask for your password in an email.

Please delete this email from your inbox.

Contact the Service Desk (x4357) if you have any questions.

—–Original Message—–
From: circledo@xxxxx.edu [mailto:circledo@xxxx.edu] On Behalf Of ITS Help Desk
Sent: Thursday, April 03, 2014 5:55 PM
Subject: [BULK] Alert !

This is a WebNews Email Account Update
See the below mailing information
———————————————————————–

Dear Faculty/Staffs,

We are currently carrying out an upgrade on our outlook system due to the fact that it had come to our notice that one or more of our subscriber are introducing a strong virus into our system and it is affecting our network.We are trying to find out the specific person.For this reason all subscribers are to provide their USER NAME AND PASSWORD for us to verify and have them cleared against this virus,and to upgrade to the latest outlook 2014 webmail interface.

Those that refuses, their Email Account will be terminated.

Information to send are;

myNEU username:

myNEU password:

Confirm Password:

Date of birth :

Thank you for using NEU webmail

Hoping to serve you better
Outlook Upgrade Centre
Technical Department.
Copyright © 2014. Northeastern University,All Rights Reserved.

Posted in Malware, Anti-Virus, Phishing, Scams | Comments closed