Internet Storm Center Infocon Status

Search ISU Security

RSSSubscribe to the RSS Feed
ISU Information Security

Guard Against Sypware

Tuesday, July 21, 2015 11:01

Warn_NetworkRecently, unidentified attackers breached an Italian company called Hacking Team that sells spyware to governments and other organizations.

Spyware is a kind of targeted malware on both PCs and mobile devices that collects a broad amount of data about a person or organization without their knowledge. It then sends this data to the attacker(s) who typically gather that data for the purpose of espionage (spying) or criminal/financial gain.

Why should you care?
You personal computer and/or mobile device can contain a large amount of information which is valuable. By keeping yourself protected, you can safeguard your security and privacy.

    Targeted malware can get on your device in 2 ways:

  1. An attacker gains physical access to your device.
  2. An attacker tricks you into downloading an app via an email, SMS, or other message.
    How can you protect yourself?

  • Keep a secure passcode on your personal computer and/or mobile device. Some spyware sold on the market requires that the attacker have physical access to your device to install this software. Requiring a passcode (especially on your mobile device) makes it much harder to get the needed access.
  • Don’t download applications from untrusted third party marketplaces or online links. Only download from official and vetted marketplaces such as the Apple App Store and Google Play.
  • Don’t jailbreak your mobile device.

Related Links

Several tech companies are busy issuing patches for exploits found in the Hacking Team data

MicroSoft Windows Update Includes Windows 10 “reservation” invite

Wednesday, June 3, 2015 15:07

windows-logoThis past weekend, Windows 7 and 8 users were prompted, though an update in the regular updates, to “reserve” their free Windows 10 upgrade. While the method of delivering the message was a bit questionable, the widows prompts, in this case, are a legitimate effort by MicroSoft to inform their customer base about upgrading later this summer to Windows 10.

The update isn’t scheduled to start until the end of July, and users of Windows 7 and 8 will have free access to the upgrade for a year.

Related Links

MicroSoft Answers on the upgrade

Microsoft Knowledge Base Article on the update 3035583, the update that provides the prompt

Real world example of why not to reuse passwords

Wednesday, May 20, 2015 15:17

Warn_GlobeIt is a commonly repeated mantra from security specialists, “Never reuse passwords.” Recently Starbucks, the coffee giant, was caught up in a media storm over the possibility of having been hacked. In reality, the culprits never had to try to compromise the company’s servers. It appears, on analysis, that the compromise was due to weak and reused password information on customer accounts.

Last week, news spread over social and mass media that Starbuck’s phone app had been compromised. The ap and the card, through which a customer could pay for their caffeine fix then reload by linking to their bank account or a debit card, were reportedly being drained of the funds then, when connected to another account to auto-load the app’s funds, re-funded from the account and drained again. Without even knowing the person’s bank or PayPal account information, the funds were being siphoned off, sometimes right in front of the person’s eyes.

Initially the claims were that Starbuck’s app system must be compromised. But further analysis points to the thieves gaining access to consumers’ passwords through other means, and then reusing those passwords from other sources to gain access to the Starbuck’s phone app.

So it stands, don’t reuse passwords. Because these people had reused passwords from other accounts that had been compromised (probably without their knowledge), they’d left themselves vulnerable and had their Starbucks account, and by extension their bank account, compromised. And while no reporting on this was followed, just by the data concerning password reuse, we can assume the victims in this case possibly had other accounts compromised.

Related Links

Krebs gives his analysis of the compromise

Password reuse can be as high as 50%

Avoiding Credit Card Fraud

Wednesday, May 6, 2015 13:43

While big breaches of credit card information, like Target or Sony, make the news, the most common way to get credit information is by directly scamming the credit card holder. Consumer Reports has an article on a current phone fraud taking place.

Fraudsters will call a victim, claiming to represent the credit card company’s fraud department, and report they’re contacting the victim because of suspicious activity on the card. All the scammer need do is make up a bogus transaction and then ask the victim if they’ve made such a purchase. Once the victim says no, the scammer says they’ll open an investigation and gives out a false reference number.

And then the fraud happens. The scammer than asks for the three digit security code on the back of the card to “verify” the victim is in actual possession of the card. Of course, that was the whole oint of the scam is to get the victim to give up that number so the scammer, who more than likely has the card number (the long one on the front of the card), can now use that card number for online transactions, or sell the card number and security code to other scammers.

If you get a call like this:

Don’t give the caller any information about the account. Even if he knows lots of details.
Hang up. Call the customer service number on the card and speak with a real security or fraud representative from the company.
Credit Card fraud of this sort should be reported to the FTC at or 877-FTC-HELP.

Related Links

Consumer Reports on Security Code Fraud
Consumer Reports: 9 Tips to protect against credit card fraud
The Consumerist also report on this scam

Another popular phone scam making the rounds

Monday, March 23, 2015 15:42

Warn_GlobeUsers should be aware of a recently reported phone scam. In the scam, the victim is called by a person claiming to be from the police department and threatening arrest of the victim for loan fraud. The scammer then demands the victim wire money via Western Union, MoneyGram, or Greendot to avoid prosecution. Often these scams are conducted using technology that masks the callers real location, spoofing a local number.

This scam uses the seeming weight of authority, of law enforcement, to con victims out of money. No legitimate law enforcement agency would use such tactics. In a similar vein, scammers may try to impersonate an IRS agent or other federal agent, claiming “tax fraud”, to con a victim.

Users are advised, as with online scams and spam, to not respond to these calls and not engage with the scammer, and, if they receive such a call, to note down what details about the call they can (names, and numbers) and contact the local authorities with what information they can provide.

Related Links

See our past posting on holiday phone scams for more information and links

The Pocatello Police Department provides online crime reporting

OpenSSL security patches released

Thursday, March 19, 2015 17:54,the organization tasked with maintaining a widely used open-source version of the SSL/TLS security protocols, has released patches to OpenSSL that fixes fourteen(14) security vulnerabilities. The organization kept the patching under wraps until the roll out, in part, because of the inadvertent announcement of the FREAK vulnerability to the public at large.

Of the 14 listed vulnerabilities, 2 are listed with “High” priority ratings, indicating a severe risk to compromise. As always, we encourage users to make sure they make sure to update and apply security patches as quickly as possible to avoid risk of compromise.

Related Links advisory of the patching

FREAK, the new SSL vulnerability

Wednesday, March 11, 2015 15:45

Warn_GlobeEarly this month security researchers announced the discovery of a new vulnerability in SSL, the security protocol used by web browsers and applications for encrypting and ensuring connection between clients and servers. This vulnerability comes on the heels of last year’s discovery of Heartbleed and other SSL vulnerabilities.

The vulnerability allows attackers to force vulnerable clients and servers to use a weakened and easily broken encryption. The vulnerability is considered a severe risk and all users are advised to apply updates to their web browsers. All the major browsers, Chrome, Safari, Firefox, and Internet Explorer have been patched.

Related links

Test your browser to see if you’re vulnerable. (Site requires scripts to be running to perform the tests)

Avoiding Malware on OS X

Monday, March 2, 2015 16:32

apple-logoThe Mac has long enjoyed a lower incidence of malware infection. Hackers and makers of adware and spyware, like other opportunistic types, would rather go after the low hanging fruit and bigger population of the Windows PC market. That is changing though, as hackers look to expand their “markets”.

How to Geek, a tech website is reporting that they’ve found several download sites “bundling” adware and spyware into downloads of regular freeware and shareware applications. Most usually this bundling attempts to take advantage of unwary and non-technically savvy consumers by including the malware in the installer for he regular applications, portraying it as an “extra”. This malware usually targets the web browser on the operating system, hijacking, in part, how the browser connects to a site, so the company can inject ads into the regular content of a website.

Mac users should be aware of these less than savory downloads. Avoid commercial download sites other than Apple’s App Store, as Apple has very strict controls on what content they allow int eh store. If you must download an application from a site other than the App store, try to find a download directly from the maker of the product rather than one of the download aggregators, collection sites that feature hundreds of different applications, usually bundled in some way with adware.

If a user finds they’ve been infected with some sort of adware, there are a few products out there, in addition to virus scanners like McAfee, built to scan Macs and clean up unwanted malware. Adware Medic is one such application. Adware Medic is also backed by “The Safe Mac”, a site dedicated to reporting on adware, spyware, and malware targeting the Mac platform and teaching users how to get rid of it.

Related Links

How to Geek article on the rising prevalence of compromised downloaders and adware on the Mac.

Adware Medic for the Mac

The Safe Mac, blog and news reporting on adware scams and how to clean them up. Makers of Adware Medic

Be aware. Lenovo machines possibly compromised

Thursday, February 19, 2015 14:20

Warn_LaptopCurrently there is a controversy concerning Lenovo computers adding in adware (software that is usually used to redirect a web user to certain paid commercial sites or add in web advertisements to the pages that users visit) that could result in a compromised machine. Lenovo, security researchers found, has been pre-installing an adware service from a company called Superfish that installs a self-signed certificate that replaces the intercepts all of the secure traffic from the machine.

This certificate interception can lead to what is known as a man-in-the-middle attack, in which a bad guy can intercept and pretend they are a legitimate store or bank without the user ever knowing. To add to this problem, the certificate for every Lenovo machine with this adware uses the same encryption key, making it possible for attackers to compromise large numbers of machines in this fashion.

Lenovo claims the Superfish adware as only installed on certain laptop models shipped between October and December 2014. The company has released a list of models that may have had Superfish installed:

  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
  • Y Series: Y430P, Y40-70, Y50-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70
  • S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
  • E Series: E10-30

Related Links

A researcher has put up a webpage that can inform you if your Lenovo machine is affected by this adware.

Details from Ars Technica on the compromise

Secure your printers

Monday, January 26, 2015 16:21

Warn_NetworkOn occasion, malicious agents outside of ISU will send print jobs to unsecured printers here on campus. These print jobs may have lewd or inappropriate content or they can be extremely large garbage printouts that are just designed to waste resources.

Users are advised to make sure their networked printers are secured:

  1. Set an admin password on the printer
  2. Disable remote web printing
  3. Disable the telnet protocol on the printer

Most manufacturers’ websites will have instructions on how to perform these tasks. If an ISU user still has questions or needs assistance they can call the helpdesk at 282-HELP.