NYU IT Security News and Alerts

Adobe releases patches for 60+ vulnerabilities

On November 14, Adobe released patches to fix numerous security flaws, including serious issues with Adobe Flash and Reader. These vulnerabilities affect Mac, PC and Chrome OS. To protect against these and future vulnerabilities, make sure that automatic updates are enabled:

https://helpx.adobe.com/flash-player/kb/flash-player-background-updates.html

and remember to restart your browser on a regular basis to ensure that any updates are fully applied.

This is just the latest reminder of the serious security issues associated with running Flash. NYU IT recommends that you uninstall it completely by downloading and running the Uninstaller from adobe.com. If you enabled Flash to complete the Benefits Annual Enrollment process, this is a good time to remove it. In addition, Adobe has announced that Flash is being retired by 2020 and replaced with newer interactive media, such as HTML5.

If you need to run Flash, require permission before the plugin runs, so that you can control the circumstances in which it is used. You can set this up via the Adobe Settings Manager website (which, ironically, requires Flash to run) by choosing “Always Ask” before Flash performs functions.

https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager02.html

or check the instructions for your browser below:

If you would like more information on the specific vulnerabilities addressed by these updates, see:

New Wireless Vulnerabilities: KRACK

A security researcher recently demonstrated that there are fundamental flaws in WPA2, the protocol that manages encryption for wireless connections. These flaws, if exploited properly, allow an attacker to see all the traffic passing between a target computer, phone or smart device and its destination.

This attack is not easy to execute and is not yet being widely used, but it impacts any device that connects using WPA2, including phones, computers, and other devices such as wireless TVs, game consoles, Amazon Echo, etc.

How does this affect NYU?

We use Cisco equipment and have already enabled the recommended workaround. Patches will be applied as soon as they are available.

What can I do?

As always, the most important thing is to apply updates for your computer and mobile devices promptly. Last month’s Windows patch already included Microsoft’s fix for this vulnerability, and Apple released its fixes this week.

Vendors were informed of this vulnerability before it was made public and have been working on fixes. Here are some that have been released:

Can you explain the hack in more detail?

When an individual initially connects to Wi-Fi, before they visit any websites, their laptop or phone performs something called a four-way handshake. This process checks that the password the user has provided is correct and establishes the encrypted connection between the wireless router and the device. However, the researcher was able to show a way to interfere with that initial handshake between your device and the Wi-Fi router that allows an attacker to decrypt the traffic you exchange over Wi-Fi. For this to work, the attacker must be physically close to the victim.

Once the attack is successful, the attacker can do many malicious things, for example inject malware into otherwise legitimate sites. Using other widely available tools, the attacker could also break web encryption, meaning that they would be able to see all of your sensitive traffic, including, for example, banking information or credit card transactions.

References:

Full explanation of vulnerability: https://www.krackattacks.com/

Vulnerability Notes DB: https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&SearchOrder=4

List of Updates available:

https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/

https://char.gd/blog/2017/wifi-has-been-broken-heres-the-companies-that-have-already-fixed-it

WordPress SQL injection vulnerability, patch ASAP to 4.8.3

A security researcher has disclosed a SQL injection vulnerability in WordPress 4.8.2, so any WordPress installs should be updated to 4.8.3 as soon as possible. This is particularly important for groups which run their own version(s) of WordPress, which is an extremely common target for attackers. If you support web servers where clients perform their own WordPress installs, please make sure that they receive this notification.

SQL injection attacks consist of inserting SQL code into the input data that a client sends to the application, so that it becomes part of a query the application runs. That is, the code is “injected” into the input. If successful, the exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system.
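The following is an added illustration of the mechanism described above, not code from WordPress or from the disclosed vulnerability: a query that pastes client input into the SQL text, beside the parameterized form that keeps input and query structure separate. It uses Python's built-in sqlite3 driver and a constructed in-memory users table.

```python
import sqlite3

# Constructed sample data (not from the page): a small users table in memory.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.edu"),
        (2, "bob", "bob@example.edu"),
    ])
    return db

def find_user_vulnerable(db, name):
    # Input is concatenated straight into the SQL text, so the client
    # controls the query: a quote in the input ends the string literal
    # and whatever follows is parsed as SQL.
    query = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()

def find_user_safe(db, name):
    # Parameterized query: the driver passes the value separately from
    # the SQL, so the input is only ever compared as data and can never
    # change the structure of the statement.
    query = "SELECT id, name, email FROM users WHERE name = ?"
    return db.execute(query, (name,)).fetchall()

def demo():
    """Run both lookups with the same injected input; return the row counts."""
    db = make_db()
    injected = "x' OR '1'='1"
    rows_vulnerable = find_user_vulnerable(db, injected)   # every row leaks
    rows_safe = find_user_safe(db, injected)               # no user has that name
    return len(rows_vulnerable), len(rows_safe)

if __name__ == "__main__":
    print(demo())
```

The injected input turns the first query into `... WHERE name = 'x' OR '1'='1'`, which is true for every row; the parameterized version returns nothing because no user is literally named `x' OR '1'='1`.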

wikis.nyu.edu is externally hosted and is planned to be updated as soon as testing is complete.


Resources

https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html

https://www.welivesecurity.com/2017/11/01/wordpress-update-now/

https://www.owasp.org/index.php/SQL_Injection

Ransomware Reminder

With the return of newer strains of the Locky malware, ransomware remains a top threat for all computer users. Ransomware is malicious software that usually arrives via email with subjects such as “please print” or “document”. When the user clicks the attachment, a script runs to download additional software that encrypts the user’s hard drive, as well as any attached drives.

Even if the malware has different names or uses different attachments, the steps you take to protect the data entrusted to you are the same. Take this opportunity to review the resources we have available, starting with our Connect article on Ransomware scams here, as well as the alerts on ransomware in the NYU IT Security News & Alerts Blog below. If you have questions, please feel free to send email to security@nyu.edu.


Resources

New Ransomware Alert “Petya” https://wp.nyu.edu/itsecurity/2017/06/28/new-ransomware-alert-petya/

WannaCry (also known as WannaCrypt, WanaCrypt0r 2.0, and Wanna Decryptor) Malware/Ransomware https://wp.nyu.edu/itsecurity/2017/05/16/update-5162017-re-wannacry-also-known-as-wannacrypt-wanacrypt0r-2-0-and-wanna-decryptor-malwareransomware/

New Ransomware exploits MS vulnerability, spreading quickly https://wp.nyu.edu/itsecurity/2017/05/12/new-ransomware-exploits-ms-vulnerability-spreading-quickly/

Locky/Osiris Ransomware Alert https://wp.nyu.edu/itsecurity/2016/12/07/lockyosiris-ransomware-alert/

Locky Ransomware Spreading via JavaScript (.js) Attachments https://wp.nyu.edu/itsecurity/2016/03/29/locky-ransomware-spreading-via-javascript-js-attachments/

Locky Ransomware Alert https://wp.nyu.edu/itsecurity/2016/02/19/locky-ransomware-alert/

The Return of Locky https://www.itgovernance.co.uk/blog/the-return-of-locky-a-closer-look-at-2017s-largest-malware-campaign/


Important VMware update

VMware has issued a critical security alert for

  • VMware ESXi (ESXi)
  • VMware vCenter Server
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

regarding a number of issues. The most important is an out-of-bounds write vulnerability in VMware’s products that allows guests to break out of their isolation. This means a malicious actor who has compromised a guest virtual machine could escape the constraints of that VM and execute malicious code on the host machine the VM is running on. Anyone running these applications should check VMware’s site (below) and apply the appropriate patches as soon as possible.


References:

https://www.vmware.com/security/advisories/VMSA-2017-0015.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4924

WordPress 4.8.2 Security & Maintenance Release

Please be advised that WordPress 4.8.2 is now available, and we strongly recommend that you update all sites as soon as possible, as this is a security release for all previous versions. The security issues addressed by the update affect version 4.8.1 and all earlier versions.

Please note that if you’re using wikis.nyu.edu, the update will be handled by our vendor. Otherwise, WordPress can be updated via Dashboard, Updates, Update Now. Questions? Please call the NYU IT Service Desk.

For more information on the security issues addressed by this update, please see: https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/

CCleaner Compromise

Please be advised that CCleaner, a Windows utility used to remove cookies, wipe browsing histories, and clean temporary internet files, has been compromised. Specifically, the affected versions are v5.33.6162 and CCleaner Cloud v1.07.3191 z9 (32-bit versions). The vendor, Avast, has stated that no other Piriform or CCleaner products have been affected. However, given that the compromised CCleaner was digitally signed, other software from Avast may be compromised.

The issue, which was identified by Cisco Talos researchers, involved the compromise of download servers used by the vendor to distribute software. The servers were leveraged by malicious actors to deliver malware. Once in place, the malware would determine if a user had admin privileges and would then seek to steal information such as the name of the device, installed software and Windows updates, running processes and the MAC addresses of network adapters.

Recommendations:

  • Users of version 5.33 should roll back their device to a backup that was created prior to the installation of version 5.33 and update to version 5.34. Be advised that the free edition of CCleaner does not feature automated updates and requires users to manually download updates.
  • Alternatively, users should wipe their device, deploy a new image and install a different anti-virus product.

For additional information, please see:

Apache Struts Vulnerability Update

As an update to our September 7th blog post on the Apache Struts vulnerability, please be advised that Equifax has stated in their September 13th Progress Update for Consumers regarding their recent massive cybersecurity breach, “[t]he vulnerability was Apache Struts CVE-2017-5638”.

It is critical to ensure that all Apache instances/platforms are secure. Please be reminded of the following recommendations:

Fix: It is recommended that you upgrade to Struts 2.5.13 or Struts 2.3.34. Downloads can be found here.

Alternatives to upgrading: No workaround is possible; the best option is to remove the Struts REST plugin when it is not used, or to limit it to serving normal pages and JSON only, as outlined here: https://struts.apache.org/docs/s2-052.html

If you use Red Hat (for Linux), you can find information here: https://access.redhat.com/security/cve/cve-2017-9805

FTC Issues Alert on Equifax Phishing Scams

The Federal Trade Commission (FTC) released an alert warning consumers to be wary of calls or emails purporting to be from Equifax agents. As with other phishing scams, the phishers are pretending to be Equifax representatives asking for “verification” of your information. Legitimate Equifax employees will not be contacting people to ask for this information. For up-to-date information on the breach, you can check the site Equifax has set up: https://www.equifaxsecurity2017.com/

For NYU-related spam or fraud, please contact the NYU IT Office of Information Security at security@nyu.edu. For commercial fraudulent calls and emails, use the FTC Complaint Assistant <https://www.ftccomplaintassistant.gov/#crnt&panel1-1>.

Resources:

https://www.consumer.ftc.gov/blog/2017/09/equifax-isnt-calling

https://www.equifaxsecurity2017.com/

US-CERT Tips on Avoiding Social Engineering and Phishing Attacks <https://www.us-cert.gov/ncas/tips/ST04-014>

Preventing and Responding to Identity Theft <https://www.us-cert.gov/ncas/tips/ST05-019>


MongoDB Servers – Ongoing Extortion Attempts

Please be advised that there has been a resurgence of attacks on vulnerable MongoDB servers. The attacks involve malicious actors seeking out MongoDB installations that are poorly implemented and accessible to the internet without a set administrator password. After attackers gain access, they export or delete the data and replace it with a ransom note. The following is an example of ransom note text:

“We have your data. Your database is backed up to our servers. If you want to restore it, then send 0.15 BTC [$650] and text me to email, just send your IP-address and payment info. Messages without payment info will be ignored.”

Please be reminded that ransom payment does not guarantee the restoration of data. In these attacks specifically, there have been reports of ransom payment, but no reports of data restoration (see https://krebsonsecurity.com/2017/01/extortionists-wipe-thousands-of-databases-victims-who-pay-up-get-stiffed/).

Recommendations:

  • Users/admins should not rely on server default settings and should instead follow the recommendations on the MongoDB Security Checklist.
  • Make sure to perform database backups on a regular basis.
  • Users/admins should perform regular checks on their server’s services, and ensure that all applications are patched/updated and unnecessary services have been shut off.
  • View the “We’re Always Striving to Make Deployment Easier” section of the vendor blog post dated 9/8/17 for a robust list of available resources.
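As an added example that is not part of the original alert or of MongoDB's own tooling, the check below audits a mongod.conf file for the two settings these attacks abuse: access control not enabled (`security.authorization`) and the server listening on every interface (`net.bindIp`). Both config fragments are constructed for illustration; the parser only handles the two-level `section:` / `  key: value` layout mongod.conf uses.

```python
# Constructed mongod.conf fragments (not from the page): the first is the kind
# of setup the extortion attacks target, the second applies the two relevant
# MongoDB Security Checklist items (enforce authentication, limit exposure).
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

def parse_sections(text):
    """Minimal reader for 'section:' lines followed by indented 'key: value'
    lines (enough for this check; a real deployment would use a YAML library)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith(" "):               # top-level section, e.g. 'net:'
            section = key
            conf.setdefault(section, {})
        elif section is not None:                 # indented key inside it
            conf[section][key] = value.strip()
    return conf

def audit_mongod_conf(text):
    """Return the list of findings to fix before the server is reachable."""
    conf = parse_sections(text)
    findings = []
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not enabled: no password is "
                        "required, so anyone who reaches the port can dump or drop data")
    bind_ip = conf.get("net", {}).get("bindIp")
    if bind_ip is None:
        findings.append("net.bindIp is not set: the build's default applies "
                        "(all interfaces on releases before 3.6)")
    elif any(ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(",")):
        findings.append("net.bindIp %s listens on every interface, including "
                        "any internet-facing one" % bind_ip)
    return findings
```

Running `audit_mongod_conf(WEAK_CONF)` reports both problems, while the hardened fragment produces no findings; pair this with a regular backup schedule as the recommendations above state.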

For additional information please see: