Heartbleed Vulnerability

The following note has been adapted from a Texas Department of Information Resources notice to state agencies:

As you may have heard, there could be a serious weakness in the mechanism that protects your username, passwords, and other confidential information on various Internet sites. This advisory provides IT personnel with steps to ensure agency websites are safe. It also provides all agency staff with guidance for protecting credentials on work-related or personal websites that have the Heartbleed vulnerability.

IT personnel should take the following steps immediately:

  1. Patch all vulnerable OpenSSL systems – The Information Security Office has identified a number of servers and has contacted most server owners directly. Server owners include OIT and those in departments. Servers for which OIT is unable to identify owners, or that are not patched, will be disconnected.
  2. Revoke and reissue certificates that use OpenSSL/TLS – Contact the Information Security Office if you need assistance with this for a University-owned server.
  3. Once items 1 and 2 are completed, force user password changes for all impacted accounts. UT Arlington Office of Information Technology will send a communication when NetID password changes should occur.

Additionally, all staff should take the following steps to protect their personal information:

  • Check to see if any non-UT Arlington websites you use (and on which you have accounts) are vulnerable:
    • Heartbleed Hit List – a listing of some popular websites and their vulnerability status [http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/]
    • Heartbleed Test – a tool for checking status of individual websites [http://filippo.io/Heartbleed/]
    • Qualys Heartbleed Test – a more in-depth analysis of encryption on websites [https://www.ssllabs.com/ssltest/]
    • CNET has posted a list of the Heartbleed status of the web’s top 100 sites [http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/]
    • The password manager, LastPass, also offers a simple Heartbleed checker that not only tells you if a site uses OpenSSL, but when the SSL certificate was regenerated, providing additional insight into what companies are doing to protect users [https://lastpass.com/heartbleed/]
  • Immediately change passwords for non-UT Arlington sites that are not vulnerable (whether repaired or never affected), giving first priority to critical accounts and email.
    • Create fresh, unique passwords for each account. Hackers will use credentials from one account to break into your other accounts.
    • Be alert for phishing scams attempting to lure you to credential-stealing sites. Do not click on links in emails that ask you to reset your passwords. To change your password, type the URL of the organization in a browser.
    • Note: Do not change your password before a site has addressed its Heartbleed vulnerability.

Now is a great time for everyone to do some password maintenance. Make sure your usernames and passwords are strong, choose unique passwords for different accounts, and change critical passwords frequently. And always be on the alert for malicious activity on the Internet.

“Heartbleed” OpenSSL Vulnerability (CVE-2014-0160)

A serious vulnerability in the OpenSSL library has been discovered. This vulnerability, known as “Heartbleed” (the bug is in the heartbeat extension of the OpenSSL code) makes it possible for a malicious entity to steal information from a server that utilizes the OpenSSL library.

The following OpenSSL branches are vulnerable:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive)

The following branches are NOT vulnerable:

  • OpenSSL 1.0.1g
  • OpenSSL 1.0.0
  • OpenSSL 0.9.8

More details are available at http://www.heartbleed.com.
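The branch lists above translate directly into a triage rule for the server inventory step in item 1. The following is an added example, not part of the advisory or of OpenSSL: it parses the banner printed by `openssl version` and sorts hosts into "patch", "clear" and "unknown" buckets. The hostnames and banners in `SAMPLE_INVENTORY` are constructed for the example. One caveat a practitioner needs: distribution packages that backported the fix (Debian, Ubuntu and Red Hat kept the `1.0.1e` version string) will be reported as affected by a banner check, so for those hosts confirm against the vendor's package changelog or errata rather than the version string.

```python
import re

# Affected range as stated in the advisory (CVE-2014-0160): the 1.0.1 branch from
# the base release through 1.0.1f. 1.0.1g carries the fix; 1.0.0 and 0.9.8 never
# contained the heartbeat bug.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Parse 'openssl version' output such as 'OpenSSL 1.0.1e 11 Feb 2013'.

    Returns (branch, letter), e.g. ('1.0.1', 'e'); letter is '' for a base release.
    Raises ValueError when the banner is not an OpenSSL version string.
    """
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {banner!r}")
    major, minor, fix, letter = m.groups()
    return f"{major}.{minor}.{fix}", letter


def heartbleed_affected(banner):
    """True when the banner falls inside the advisory's affected range."""
    branch, letter = parse_openssl_version(banner)
    if branch != "1.0.1":
        return False  # 1.0.0 and 0.9.8 are listed as not vulnerable
    # '' (plain 1.0.1) sorts before 'a', so the base release is included;
    # 'g' and later carry the fix.
    return letter <= "f"


def triage(inventory):
    """inventory: {hostname: banner}. Returns (to_patch, clear, unknown) hostname lists."""
    to_patch, clear, unknown = [], [], []
    for host, banner in sorted(inventory.items()):
        try:
            (to_patch if heartbleed_affected(banner) else clear).append(host)
        except ValueError:
            unknown.append(host)  # needs a manual look: no OpenSSL banner at all
    return to_patch, clear, unknown


# Constructed inventory for the example (hostnames and the last banner are invented;
# the OpenSSL banners match what those releases print).
SAMPLE_INVENTORY = {
    "web1.example.edu": "OpenSSL 1.0.1e 11 Feb 2013",
    "web2.example.edu": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example.edu": "OpenSSL 0.9.8y 5 Feb 2013",
    "appliance.example.edu": "SSL library version unavailable",
}

if __name__ == "__main__":
    to_patch, clear, unknown = triage(SAMPLE_INVENTORY)
    print("patch now:", to_patch)
    print("clear:", clear)
    print("check manually:", unknown)
```

Hosts in the "unknown" bucket are the ones that most need a human: an appliance that hides its SSL library is exactly the kind of server the advisory says will be disconnected if no owner can be found.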

Be aware of the Cryptolocker malware

Please be aware that a potentially new variant of the Cryptolocker ransomware has been identified. “Ransomware” is a new category of malware that can prevent access to a computer, or the data on it, unless the victim pays a ransom to the malware creator. The Cryptolocker malware encrypts files on the victim's computer and then demands payment for the files to be unlocked.

Because this is a new variant of the malware, there are no current ways to protect you from it. The only protection is to not open attachments that you are not expecting or that look suspicious. The malware is primarily delivered via email and often contains a subject line enticing you to open an accompanying attachment. Below is an example of the message (Subject: Invoice Payment Confirmation; Attachment: Invoice_Details_01.04.2014.zip).

The malware can potentially be sent to your UTA email or your personal email (e.g. gmail, Hotmail, yahoo, etc) account.

If you fall victim to this virus, you will not be able to unlock your files and must rely on your backups. The malware can be aggressive and has been known to encrypt files on local hard drives, external drives and potentially your file shares (e.g. your K: and J: drives).

UTA Employees: To backup your data on a UTA owned computer, you may use CrashPlan (search for “CrashPlan” in the search box on the UTA website).

For updates on this advisory, please check back periodically or send an email to security@uta.edu. If you need help on how to use CrashPlan or if you are a victim of this virus, contact the Help Desk at 2-2208.

Please see our previous blog entry about Cryptolocker for background and tips.

Microsoft Security Advisory

Microsoft has announced security advisory 2934088 for Internet Explorer 9 & 10 –

An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

You should apply the Fix it solution provided by Microsoft as soon as possible to mitigate this vulnerability – http://support.microsoft.com/kb/2934088.  If your computer is a member of the UTA domain, you should receive the patch automatically via SCCM.

The Information Security Office will continue to monitor this threat and can be reached via email at security@uta.edu.

Holiday Phishing & Online Cyber Scam Alert

As we approach the holidays, the Information Security Office (ISO) would like to remind the UT Arlington community to be aware of seasonal scams, phishing and malicious software (malware) distribution campaigns.

Every year, cyber criminals take advantage of the uptick in online purchases and electronic seasonal greeting cards to trick victims into believing they’ve received packages or personal messages. They often use multiple methods to attract victims, such as posing as legitimate websites and/or using fraudulent emails that are crafted to look legitimate; they steal the logos, email or web templates of legitimate businesses (e.g. FedEx, DHL, UPS, Amazon.com, etc.) in an effort to entice victims into clicking links or opening attachments.

These phishing and malware campaigns may come in the form of:

  • Fake shipping/courier notifications.
  • Electronic greeting cards or links to holiday screensavers or other forms of media.
  • Requests for charitable contributions that may appear to be for legitimate causes but originate from illegitimate sources claiming to be charities.
  • Credit card or gift card applications or enticing discounts in online shopping advertisements that lead to websites you’re unfamiliar with.

In addition, be aware of social engineers who may call you on your personal or work phone using a themed pretext (holiday offers, package pickup, etc.).

Don’t be a victim! The ISO advises caution when you encounter these types of email messages or websites by:

  • Looking for tell-tale signs that a website or email is not legitimate:
    • The sender's address or website address does not match the organization listed in the content of the message.
    • The grammar in the message or website is poor.
    • The format of the email or website is poor or inconsistent with what you’re used to seeing from the organization.
    • Hovering over the links with your mouse reveals a web address inconsistent with the content of the message.
  • Never clicking on links in emails that you’re not expecting.
  • Never opening attachments in emails that you’re not expecting.
  • Never providing your personal information in an email or on a website unless you are completely sure.
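Two of the tell-tale signs above (a sender address that does not match the organization named in the message, and a link whose hover target disagrees with what the message shows) can be checked mechanically. The following is an added example, not code from the ISO or any mail product: it parses a message with Python's standard `email` and `html.parser` modules and reports both indicators. The brand-to-domain table and both sample messages are constructed for the example; the phishing sample imitates the courier-notification lure described above and points at a made-up `.example` host.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative brand -> legitimate domain table (an assumption for this example;
# a real deployment maintains its own list of the organizations it cares about).
BRANDS = {"fedex": "fedex.com", "dhl": "dhl.com", "ups": "ups.com", "amazon": "amazon.com"}

# Visible link text that itself looks like a URL or bare domain.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:]|$)")


def registered_domain(host):
    """Last two labels of a host name (naive: ignores multi-part suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    """Host part of a URL; bare domains such as 'www.fedex.com' are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def html_body(msg):
    """First text/html part of the message (the message itself when not multipart)."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload()
    return ""


def analyze(raw_message):
    """Return a list of (indicator, detail) tuples; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []

    # Indicator 1: display name names a known brand, but the address domain is not that brand's.
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.rpartition("@")[2])
    for word in re.findall(r"[a-z]+", display.lower()):
        if word in BRANDS and sender_domain != BRANDS[word]:
            findings.append(("sender-brand-mismatch",
                             f"display name mentions {word!r} but address domain is {sender_domain}"))

    # Indicator 2: the link text shows one domain while the href points somewhere else.
    collector = LinkCollector()
    collector.feed(html_body(msg))
    for href, text in collector.links:
        m = DOMAIN_LIKE.match(text)
        if not m:
            continue  # wording like "click here" cannot contradict the href
        shown, actual = registered_domain(m.group(1)), registered_domain(host_of(href))
        if shown != actual:
            findings.append(("link-text-mismatch", f"link shows {shown} but points to {actual}"))
    return findings


# Constructed sample messages (not real mail; the hosts are made-up .example names).
PHISHING_SAMPLE = """\
From: "FedEx Customer Service" <notice@fedex-delivery-update.example>
To: staff@uta.example
Subject: Your package could not be delivered
Content-Type: text/html

<html><body>
<p>Your parcel is waiting. Please confirm your address at
<a href="http://package-verify.example/track?id=4411">http://www.fedex.com/track</a></p>
</body></html>
"""

LEGIT_SAMPLE = """\
From: "UPS My Choice" <noreply@ups.com>
To: staff@uta.example
Subject: Delivery scheduled
Content-Type: text/html

<html><body><p>Track your delivery at
<a href="https://www.ups.com/track?loc=en_US">https://www.ups.com/track</a></p></body></html>
"""

if __name__ == "__main__":
    for indicator, detail in analyze(PHISHING_SAMPLE):
        print(f"{indicator}: {detail}")
```

The two checks deliberately stay narrow: a link captioned "click here" is not flagged, because the advice above is about text that contradicts the hover target, and a display name that mentions no known brand is not flagged either. Both indicators are hints for a reader or a mail filter, not proof; the advice to type the organization's URL into the browser yourself still applies.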

For additional security tips for Shopping Safely Online, visit the United States Computer Emergency Readiness Team site at http://www.us-cert.gov/ncas/tips/st07-001.

If you do receive any suspicious email messages, please contact the security office at security@uta.edu or 2-5487.