
Important VMware update

VMware has issued a critical security alert for

  • VMware ESXi (ESXi)
  • VMware vCenter Server
  • VMware Workstation Pro / Player (Workstation)
  • VMware Fusion Pro, Fusion (Fusion)

regarding a number of issues. The most important is an out-of-bounds write vulnerability in VMware’s products that allows guests to break out of their isolation. This means a malicious actor who has compromised a guest virtual machine could escape the constraints of the VM and execute malicious code on the host machine the VM is running on. Anyone running these applications should check VMware’s advisory (linked below) and apply the appropriate patches as soon as possible.


References:

https://www.vmware.com/security/advisories/VMSA-2017-0015.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4924

Gooligan/Googlian Android Malware steals Google credentials

Researchers at Checkpoint, Inc. have found a family of malware which, when installed on a device running vulnerable Android OS version 4 (Ice Cream Sandwich, Jelly Bean, and KitKat) or version 5 (Lollipop), gives the attacker full control of the device. It then steals Google credentials, giving the attackers access to all of the user’s Google apps. The malware can be downloaded via a link in a phishing email or text message, or installed through software downloaded from a third-party site. According to the researchers, more than one million accounts may have been compromised; about 57 percent of devices infected by Gooligan are located in Asia, about 19 percent in the Americas, about 15 percent in Africa, and about 9 percent in Europe.

Google has been actively shutting down compromised accounts as they are found, and has made available instructions for “Verify Apps” https://support.google.com/accounts/answer/2812853?hl=en so that people can check the apps they have and prevent installation of malicious software in the future. There is also a list of known infected apps at the Checkpoint URL listed below in the notes.

Notes:

http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/

http://arstechnica.com/security/2016/11/1-million-android-accounts-compromised-by-android-malware-called-gooligan/

Password Best Practices & Use of a Password Manager

Strong passwords, and a password manager to keep track of the many strong passwords you create, are essential to keeping your data secure. For more information on password best practices, and for password manager FAQs and recommendations, please see:

Under Lock and Passphrase: Protecting and storing your passwords with a password manager

Critical AppleOS updates

Following last week’s announcement of iOS critical vulnerabilities and their patches, Apple has issued similar patches for OS X Yosemite v10.10.5 and OS X El Capitan v10.11.6. See details on the vulnerabilities in our last post and below for links to the updates and more details.

More info here: https://support.apple.com/en-us/HT207130

https://www.grahamcluley.com/2016/09/mac-users-vulnerable-state-sponsored-trident-attack-fixed-ios-week-patch/


NYU Email: Recognizing and Reporting Spam and Phishing

Spam is unsolicited bulk email. The key term is “unsolicited” — if you signed up for a mailing list (commercial or otherwise) that you no longer wish to receive, that is not spam. The easy way to tell the difference is that legitimate businesses post a mailing policy on the site where you sign up for the mail, and give you correct information about how to unsubscribe. For more information on spam, please see our NYU Email: Removing spam from your inbox.

NYU Email, powered by Google, features built-in spam filtering. To read more about how it works and how to use it, see the ServiceLink knowledge base.

NYU recommends that you use the NYU Email web interface instead of email programs (Outlook, iPhone Mail, etc.). However, if you choose to use a desktop email client, you must create a filtering rule based on specific spam rating levels. Mail that matches the rule is then redirected into a folder of your choice and you can decide how you wish to handle the redirected messages. The filter level you select will determine the amount of spam you receive. If you find that you are receiving too much spam in your Inbox, try adjusting the level of filtering to be more strict. If you find that desired mail is being filtered, select a level that is less strict.

IMPORTANT: Keep in mind that some legitimate messages will end up in your spam folder if they exhibit characteristics of spam, for example, lots of capital letters, many exclamation points, or phrases such as “click here.” Therefore, it is important to check your spam folder regularly to ensure that you receive messages that may have been inadvertently flagged as spam.

Phishing messages appear to be sent from NYU, NYU IT, or other organizations affiliated with NYU requesting your personal information such as name, date of birth, password, etc. Do not reply to these messages. NYU IT will never request your password information. If a message informs you of an impending account closure or similar action unless you comply with its demands, it is often a sign that the message is a phishing scam. Do not comply with the request. To report phishing or spam attempts, please follow the instructions in the ServiceLink knowledge base.

This is an example of a Phishing email:

*From:* Abul Mohammed, Majeed (2014) [mailto: Majeed.AbulMohammed.2014@live.rhul.ac.uk]

*Sent:* Thursday, October 08, 2015 12:10 PM

*Subject:* NEW YORK UNIVERSITY.

Access to your e-mail account is about to expired.

Please Click here <http://maillonyuedu.weebly.com/> to restore access to

your e-mail account.

We apologize for any inconvenience and appreciate your understanding.

Regards.

New York University
70 Washington Square South
New York, NY 10012 (This is NOT our zipcode)
212.998.1212
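Both the spam-rating filter described earlier (a rule that files mail above a chosen strictness level into a folder) and the warning signs in the phishing sample above can be illustrated with a small scoring script. The following Python is an added example, not code from NYU or from this post: it re-creates the phishing sample above as a raw message (constructed from the text shown, with the signature shortened), adds a constructed legitimate notice and a constructed borderline reminder that use a hypothetical sender address, and scores each on the indicators the post names (a sender domain that does not match the organization the message claims to be from, a look-alike link host, “click here” and account-expiry wording, requests for credentials, and an all-caps subject). The trusted-domain list, the phrase lists and the thresholds are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed copy of the phishing sample quoted in the post, as a raw message.
SAMPLE_PHISH = """\
From: "Abul Mohammed, Majeed (2014)" <Majeed.AbulMohammed.2014@live.rhul.ac.uk>
Subject: NEW YORK UNIVERSITY.

Access to your e-mail account is about to expired.

Please Click here <http://maillonyuedu.weebly.com/> to restore access to
your e-mail account.

We apologize for any inconvenience and appreciate your understanding.

Regards.
New York University
70 Washington Square South
New York, NY 10012
"""

# Constructed legitimate notice (hypothetical sender address) for comparison.
SAMPLE_LEGIT = """\
From: NYU IT Service Desk <servicedesk@nyu.edu>
Subject: Scheduled maintenance this weekend

NYU Email will be unavailable for about an hour on Saturday morning.
Details: https://www.nyu.edu/servicelink/041202716305490
"""

# Constructed borderline message: legitimate, but it uses wording spam filters dislike.
SAMPLE_BORDERLINE = """\
From: NYU IT Service Desk <servicedesk@nyu.edu>
Subject: Reminder: password expiration policy

Your NYU password must be changed every 180 days. Click here for the policy:
https://www.nyu.edu/servicelink/041202716305490
"""

TRUSTED_DOMAINS = ("nyu.edu",)                 # assumption: where NYU mail legitimately originates
BRAND_TOKENS = ("nyu", "newyorkuniversity")    # strings a look-alike host would borrow
# Wording the post calls out: pressure to act, "click here", threats against the account
URGENCY_PHRASES = ("click here", "about to expire", "restore access",
                   "account closure", "will be suspended")
CREDENTIAL_WORDS = ("password", "date of birth")   # NYU IT never asks for these by email

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def is_trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def claims_nyu(text):
    text = text.lower()
    return "nyu" in text or "new york university" in text


def analyze(raw):
    """Return (score, findings) for one raw RFC 822 message; one point per finding."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    _, sender = parseaddr(msg.get("From", ""))
    sender_host = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    findings = []

    # 1. The message presents itself as NYU but the sender address is another domain.
    if claims_nyu(subject + body) and not is_trusted(sender_host):
        findings.append(("sender-domain-mismatch", sender_host))

    # 2. Links whose host is not ours but imitates our name (e.g. maillonyuedu.weebly.com).
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if not is_trusted(host) and any(t in host.replace(".", "") for t in BRAND_TOKENS):
            findings.append(("look-alike-link", host))

    # 3. Pressure phrases and threats of losing the account.
    lowered = (subject + "\n" + body).lower()
    findings += [("urgency-phrase", p) for p in URGENCY_PHRASES if p in lowered]

    # 4. Requests for credentials or personal details.
    findings += [("credential-request", w) for w in CREDENTIAL_WORDS if w in lowered]

    # 5. Shouting subject line ("lots of capital letters").
    letters = [c for c in subject if c.isalpha()]
    if len(letters) >= 5 and all(c.isupper() for c in letters):
        findings.append(("all-caps-subject", subject))

    return len(findings), findings


def route(raw, threshold):
    """Mimic a client-side filtering rule: at or above the threshold, file the message as spam."""
    score, _ = analyze(raw)
    return "Spam" if score >= threshold else "Inbox"


if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT), ("borderline", SAMPLE_BORDERLINE)):
        score, findings = analyze(raw)
        print(f"{name}: score={score} strict->{route(raw, 2)} lenient->{route(raw, 4)}")
        for kind, detail in findings:
            print(f"    {kind}: {detail}")
```

Running it shows the trade-off the post describes: with a strict threshold the borderline reminder is filed as spam together with the phish, which is why the spam folder should be checked regularly; with a looser threshold it reaches the Inbox while the phish is still caught. Production filters draw on far richer signals (sender authentication, sender and URL reputation), but the same pattern of scoring individual indicators and thresholding the total applies.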


To report phishing or spam attempts and for security tips for using email, see:

www.nyu.edu/servicelink/041202716305490

Internet Explorer Vulnerability Affects All Versions

Microsoft has released an update, deemed critical, for Internet Explorer; the vulnerability affects all supported versions from IE7 through 11. Microsoft says that the vulnerability could allow an attacker to take control of an affected system, and took the somewhat unusual step of releasing patches outside its normal Patch Tuesday cycle for the second time in a month.

A thorough description of the attack and how it works has not been published, but it is believed to operate on the “drive-by” principle: simply visiting a page that contains a malicious component, including specially crafted ads, can trigger the exploit.

If you have Automatic Updates enabled in your version of Windows, you need not take any action regarding this vulnerability. The patch will automatically be applied, and you should simply reboot your computer at your earliest opportunity. If you have for some reason disabled Automatic Updates, then you should run Windows Update as soon as possible. To update, simply locate your Search bar, type in “update” without the quotes, and then click on Windows Update. Follow the prompts to install any available updates, and reboot when prompted.
For more information on this vulnerability, you may read the article at this link:
IT Managers may read Microsoft’s detailed description at the following link:
As a reminder, Microsoft no longer supports versions of Windows older than Vista (i.e., Windows 95, 98, 2000, ME, and XP). If you are still using a version of Windows that is unsupported by Microsoft, these vulnerabilities, as well as any newly discovered ones going forward will remain unpatched. NYU TSS strongly recommends that you upgrade your operating system immediately by purchasing a new version of Windows or a new computer.

Android Text Message (MMS) Vulnerability

A vulnerability has been discovered that could allow an attacker to take control of any Android device that can receive text messages (phones, and some tablets with cellular service from AT&T, T-Mobile, Verizon, etc.). The vulnerability requires no interaction by the user, and would allow an attacker to take control of the device, compromising any data stored on it. Combined with other vulnerabilities, this may also allow an attacker to compromise any accounts accessed from the device (email, Facebook, banking, etc.).

This vulnerability involves Google Hangouts and a flaw in the “Stagefright” media player component. Hangouts, when enabled, automatically processes media files in MMS (text) messages. If a malicious media file is sent to an Android device, Hangouts reads the attached media file, and Stagefright executes the malicious code embedded in it.

Google has released a patch for this flaw in its updates to supported versions of Android, but Google does not directly support most Android devices, which rely on their manufacturers (e.g. Samsung, HTC, LG) for software support. Recent versions of the Nexus line of devices and the “Google Play” variants of some phones, which are directly supported by Google, devices running the Cyanogenmod version of Android (such as the Oppo OnePlus line), and the security-focused company Silent Circle with its “Blackphone” product have already issued patches.

Threat Mitigation:

To help secure your device and prevent the flaw from impacting you, you can disable automatic MMS processing in Google Hangouts by doing the following:

  1. Open Google Hangouts on your Android device.
  2. Go to the menu, and click on Settings.
  3. Click “SMS” and scroll down until you see “Auto retrieve MMS.”
  4. If the box is checked, uncheck it; otherwise leave it unchecked. Once unchecked, you can close the settings window, and you should be safe from automated attacks.
    1. If the item is greyed out but checked, then you will need to change your settings to briefly allow Hangouts to be your default SMS application.
    2. Go to the top of the Settings menu and locate “SMS disabled.” Click it, and allow Hangouts to become your default SMS handling application.
    3. Scroll back down, locate the “Auto retrieve MMS” option, and uncheck it.
    4. Now go back up, and click to make Hangouts no longer your default messaging application (only do this if it was not your default application before).
    5. Scroll down in the menu presented and locate “Default messaging app.” Click it, then choose the application you were using before. You should typically only have two or three options on the list.

NOTE: Implementing this workaround does not patch the vulnerability. If you open a text message with a malicious media file and do not have the patch from Google installed, your system can still be compromised. As with emails from unknown sources, do not open text messages containing media files (attachments) from unknown numbers.

Technical Details:

The Stagefright exploit is a result of seven separate bugs in the media player component, which are detailed in the following Google bug logs:

  • CVE-2015-1538
  • CVE-2015-1539
  • CVE-2015-3824
  • CVE-2015-3826
  • CVE-2015-3827
  • CVE-2015-3828
  • CVE-2015-3829

For more details, you can visit Sophos Labs’ Naked Security blog here:

https://nakedsecurity.sophos.com/2015/07/28/the-stagefright-hole-in-android-what-you-need-to-know/


Critical Microsoft Patch for Adobe OpenType Manager Library

This week, several previously unidentified critical vulnerabilities in a component common to all supported versions of Microsoft Windows were announced. The flaw is in the Adobe OpenType Manager Library. These flaws came to light as a result of the breach of an Italian spyware-making firm, and have been confirmed by Microsoft. In an unusual step, Microsoft has released a patch for these flaws outside its usual patch release date, the second Tuesday of the month.

If you have Automatic Updates enabled in your version of Windows, you need not take any action regarding this vulnerability. The patch will automatically be applied, and you should simply reboot your computer at your earliest opportunity. If you have for some reason disabled Automatic Updates, then you should run Windows Update as soon as possible. To update, simply locate your Search bar, type in “update” without the quotes, and then click on Windows Update. Follow the prompts to install any available updates, and reboot when prompted.

For more information on this vulnerability, you may read the article at this link:

http://www.update.microsoft.com/windowsupdate/v6/thanks.aspx?ln=en&&thankspage=5

IT Managers may read Microsoft’s detailed description at the following link:

https://technet.microsoft.com/library/security/MS15-078

As a reminder, Microsoft no longer supports versions of Windows older than Vista (i.e., Windows 95, 98, 2000, ME, and XP). If you are still using a version of Windows that is unsupported by Microsoft, these vulnerabilities, as well as any newly discovered ones going forward will remain unpatched. NYU TSS strongly recommends that you upgrade your operating system immediately by purchasing a new version of Windows or a new computer.

Microsoft Security Vulnerabilities

On Tuesday, Microsoft identified two major vulnerabilities in the Windows operating system, alongside updates for other Microsoft products and non-critical updates. One vulnerability in particular exploits common system components present in every major release of Windows from 95 through Windows 10 (still in development), and can be used to retrieve Windows login credentials (username and password). These credentials can then be cracked in less than a day by an attacker with moderate resources. As of right now, there is no patch for this vulnerability, identified as “Redirect to SMB.” To mitigate the risk posed by this vulnerability, TSS recommends following safe browsing and computing procedures. Do not click on links in unsolicited emails, and note the path of any link you click on while browsing the Internet. The vulnerability is exploited via links that begin with “file://”.

For more on this vulnerability, you can read here: www.computing.co.uk/ctg/news/2403924/windows-redirect-to-smb-exploit-could-affect-millions-say-security-researchers

As a reminder, Microsoft no longer supports versions of Windows older than Vista (i.e., Windows 95, 98, 2000, ME, and XP). If you are still using a version of Windows that is unsupported by Microsoft, these vulnerabilities, as well as any newly discovered ones going forward will remain unpatched. NYU TSS strongly recommends that you upgrade your operating system immediately by purchasing a new version of Windows or a new computer.

TA15-051A: Lenovo Superfish Adware Vulnerable to HTTPS Spoofing

Summary:
A piece of pre-installed adware (Superfish) on recently purchased Lenovo consumer PCs can allow an attacker to view normally secured web communications.

What Does This Mean For Me:
This software may expose web mail, banking, and shopping transactions and information, and more, regardless of which web browser (Internet Explorer, Chrome, Firefox, etc) you are using.

Detailed Description:
Superfish, adware (software designed to intercept user data for advertising purposes) that was preinstalled by Lenovo, is vulnerable to being redirected to a malicious server used to collect private information. Because of the nature of this vulnerability, your information can be acquired before it is encrypted by your browser; this is known as a “Man-in-the-Middle” attack. Lenovo itself has “shut off” the data collection on its own servers, but the software remains vulnerable to malicious third parties. This attack bypasses even secured connections (HTTPS). Follow the directions below under the Solution section to remove Superfish and its supporting software.

For more information on this alert and Lenovo’s response, the following CNET article is included for reference:
Lenovo’s Superfish security snafu blows up in its face

Technical Details:
Alert (TA15-051A) Lenovo Superfish Adware Vulnerable to HTTPS Spoofing

Solution:
Remove the Superfish adware and its associated components.

Removal Instructions (Automatic):
1) Download the automatic removal tool from Lenovo, located here:
Superfish Automatic Removal Tool
2) Locate the downloaded file, and run the program.
3) Click “Analyze and Remove Superfish Now.” You will be prompted to close any open browsers. Wait while the program runs.
4) At the conclusion of the scan, the tool will indicate whether or not Superfish was identified on your system, and what action was taken.

Removal Instructions (Manual):
Lenovo has provided a detailed set of instructions for removal here:
Superfish Uninstall Instructions
Alternatively, Naked Security, a cyber-security blog run by the antivirus firm Sophos, has also provided their own removal instructions if you prefer:
How to Get Rid of the Lenovo “Superfish” Adware