Info Sec Alerts

macOS High Sierra – Critical Security Update

This is an important computer security bulletin from the Marshall University Information Technology team directed at Marshall University students, faculty and staff who own or use an Apple Macintosh computer. Apple has released a critical security update which should be applied to all computers which are running macOS High Sierra 10.13. Marshall University IT staff are working to address this issue on University-owned devices; students, faculty and staff need to be aware that this issue also needs to be addressed on personally owned devices.

What computers are at risk?

If you have an Apple Macintosh computer which is running the current release of macOS High Sierra 10.13 or 10.13.1, you are at risk and need to apply this update ASAP. If you are still running macOS Sierra 10.12.6 or earlier, this update is not needed.

How do I check which version of macOS is on my computer?

Click on the ‘Apple’ icon menu (in the upper left corner of your computer), and select ‘About This Mac’. You should see a pop-up window which will list the operating system name and version.

How do I check for and apply needed software updates?

If your computer shows ‘macOS High Sierra Version 10.13 or 10.13.1’, click on the ‘Software Update…’ button in the lower-right of the pop-up. This will launch the Apple ‘App Store’ utility. Click on the ‘Updates’ menu and apply any needed updates. If the App Store shows ‘No Updates Available’, be sure to confirm that these 2 critical updates, ‘MacOS 10.13.1 Update’ and ‘Security Update 2017-001’, are listed as being installed.

Please review the links below for further information and assistance:

  • Apple Security Update 2017-001
    https://support.apple.com/en-us/HT208315
  • Apple releases macOS High Sierra Security Updates
    https://9to5mac.com/2017/11/29/macos-root-fix/
  • Marshall University IT Service Desk
    https://www.marshall.edu/it/departments/it-service-desk/
  • Marshall University IT Information Security Team
    https://www.marshall.edu/infosec

Protecting Your Marshall MUNet/Email Account from Phishing Attacks

Recent Phishing Attacks

Over the past several months, the Office of Information Technology has seen an influx of fraudulent “phishing” messages, many of which appear urgent and are designed to trick account holders into clicking a link (or in some cases, replying to an email) and providing a username and password.

In most cases, these emails have been sent from other Marshall University account holders who have already been victims of these fraudulent messages and thus have had their accounts compromised. Once an account is compromised, a cyber-criminal then uses it to distribute more phishing messages to other MUNet/Office365 account holders.

Since the messages are coming from @marshall.edu or @live.marshall.edu addresses, the recipient is more likely to trust the sender and be tricked into clicking a link and logging in to what they think is a legitimate web page. Many of these web pages are designed to look like authentic Marshall University, Microsoft, or financial institution login pages, but are actually capturing credentials.

Prevention and Education

The IT department is doing its best to catch compromised accounts before more phishing messages can be distributed; however, the best way to protect yourself and others is to use caution when checking your email.

ALWAYS be suspicious of any unexpected email messages, regardless of the source, which include file attachments, web URLs, or are written with a sense of urgency and require you to provide credentials or other personal information.

Phishing Examples

Below are a few examples of recent phishing messages. Notice that each includes hyperlinked text which, when the mouse is hovered over, reveals a web address that is NOT a marshall.edu or microsoft.com address. Also, these messages have a sense of urgency and ask that the recipient verify information. Marshall University will never send you unsolicited email asking you to verify your password or personal information, nor will any other trusted organization.
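The hover check described above can be automated for an HTML message body. This is an added example, not part of the original bulletin; the trusted-domain list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the two domains the bulletin names as legitimate link targets.
TRUSTED = ("marshall.edu", "microsoft.com")

def host_is_trusted(host):
    """True only for a trusted domain or a real subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(tuple(self._open))
            self._open = None

def audit_links(html_body):
    """Return one finding per http(s) link whose real target is untrusted."""
    parser = LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https") or host_is_trusted(parts.hostname):
            continue
        reasons = ["target host is not a trusted domain"]
        # Visible text that shows a trusted domain while the href goes elsewhere.
        shown = re.findall(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
        if any(host_is_trusted(s) for s in shown):
            reasons.append("link text shows a trusted domain")
        findings.append({"text": text.strip(), "host": parts.hostname, "reasons": reasons})
    return findings

# Constructed sample message body (not a real phishing email).
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Verify now:
<a href="http://login.example.net/verify">https://www.marshall.edu/myaccount</a></p>
<p>See the <a href="https://www.marshall.edu/it/">IT home page</a>.</p>
<p><a href="https://marshall.edu.example.org/owa">Verify your mailbox</a></p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding)
```

The third sample link shows why the comparison is done on the end of the hostname: `marshall.edu.example.org` contains the trusted name but belongs to a different domain.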

If You Receive A Fraudulent Email

  1. (Optional) Report a suspicious email sent to your @marshall.edu or @live.marshall.edu email address by forwarding the message to phishing@marshall.edu. You will receive an auto-reply confirming receipt of the message as well as additional instructions.
  2. Delete the message from your inbox.
  3. As long as you did not attempt to open the attachment, reply/click on the web link, or provide any personal information, no additional action is needed; however…
  4. If you attempted to open an attachment or visited a website where you submitted your username, password or other sensitive information, you should immediately contact the Marshall IT Service Desk at (304)-696-3200 / itservicedesk@marshall.edu.

Protecting Yourself From Email Fraud (AKA Phishing)

Phishing Scams


InfoSec Tips #7: Don’t Be Tricked


This alert was also sent to the Marshall community via e-mail

MU WiFi

MU WiFi is back up and functioning normally.  We apologize for the inconvenience.  If you encounter WiFi problems contact MUIT service desk, itservicedesk@marshall.edu, 304-696-3200.

IMPORTANT – Campus MUNet Wireless Service Currently Unavailable

Marshall University Wireless Network services for the Huntington and Regional Campuses are currently offline. The current issue was reported earlier this morning.  IT staff and management are working alongside Cisco, our wireless vendor, to resolve what is reported to be a technical issue in their product.

We do not have an estimate at this time when services will be back online.  Look for further updates to be posted on the News/Alerts section of the Marshall IT main web page https://www.marshall.edu/IT.

Thank you for your patience and we regret any disruption caused by these technical issues.

Computer Security Advisory: ‘WannaCry’ Ransomware

Computer Security Advisory for All University Faculty & Staff E-mail Recipients

Starting last Friday (5/13/2017) computer security researchers and news media began sharing information about a new computer security attack called ‘WannaCry’. This attack is another variation of malicious software referred to as ‘ransomware’. When a computer becomes infected with ransomware, this malicious code attempts to encrypt (scramble and password-protect) as many data files as it can find available. This occurs not only to the local computer but also to any attached drives and network shares to which  your user account has write access. This tactic is called ransomware because the only way to regain access to those encrypted files is to pay a fee – a ransom often starting at $300 and up – to the criminals. If the victim does not pay, then the only other recovery method is to restore the files from a secure backup location.

There have been no major outbreaks reported on the University campus network nor detected by campus network security services. We attribute this in part to faculty and staff cooperation with regular computer software updates, increased information security awareness, and not being heavily targeted (yet) by computer criminals.

If you are responsible for software updates whether on your personally-owned computer, a University-owned computer or a group of your department’s computers, we ask that you take a moment to review the following guidance.

How can you minimize risk to University- and personally-owned computers?

We trust that the following guidance should sound familiar when we remind you that the best defense is to already be following computer security best-practices:

  • Is Your Software Updated and Supported? – Be sure all of your computers – whether located on-campus or off-campus – are running the latest supported operating system, security and application software appropriate for your academic or business unit. This is not simply so we can say we run the ‘latest-and-greatest’. Rather, software authors focus their efforts on their latest products, so those products include the latest security features as well as fixes for known security bugs. For a PC: we strongly suggest Microsoft Windows 10 ver 1607 and later and Symantec Endpoint Protection v. 14. Windows XP, Windows Vista and Windows 8.0 are no longer supported. For a Mac: you should be at Mac OS 10.12.x and Symantec Endpoint Protection for Mac v. 14. Mac OS prior to 10.10 (Yosemite) is no longer supported. Marshall University Information Technology provides the above recommendations. Please consult with your campus IT Support team for configurations supported by the MU School of Medicine and Marshall Health.
  • Are you Patched? – Be sure all of your computers – whether located on-campus or off-campus – are configured to automatically receive and apply security updates when they are released. For a PC: Use Windows Update and make sure both Critical and Important Updates are applied. For a Mac: Go to your Apple menu click ‘About this Mac…’ and then ‘Software Updates’ or open the App Store and click on the ‘Updates’ icon.
  • Is Your Important University and Personal Data Backed-up? – Take steps now to have a backup copy of important documents and data. Items which are essential to University or Department operations should be saved to a secure location (such as a campus-managed fileserver) which has a regularly scheduled backup. For personal items, use of an external hard drive or high-capacity thumb-drive, which can be attached for backup then promptly disconnected, is highly recommended. Remember, ransomware will attempt to encrypt any and all data files to which you have write access. Recovery is limited to those items which were inaccessible by the user (campus-managed backups) or were offline (disconnected hard drive or thumb-drive) at the point of infection.
  • Are You Being Cautious with E-mail and Websites? – Always exercise suspicion for unsolicited e-mail and unfamiliar web sites, particularly those which urge you to ‘open this attached file’ or ‘click this web page link’ for some urgent action. Many of us work in areas where we do receive unsolicited documents; in those cases, ask a trusted colleague or an IT support resource for a second opinion before opening the message. A mobile device may be used in cases where you want to preview the file, but understand that the malicious payload may only be designed to affect a desktop or laptop computer. This allows you to delete the file or entire message before ever attempting to preview/open it on the computer.
  • Report Suspicious Computer Behavior, Alerts, or E-mail Messages – We understand that it is difficult for everyone to stay up-to-date and to know how they should respond to an ongoing stream of important computer security issues. You can assist by reporting unexpected or suspicious activity on computers to your closest campus Information Technology Support or IT Information Security professional. Please reach out to one of the following IT Service Desk or IT Service Provider contacts:

IT Upgrade: WiFi (Requires Action for All Users)

Over the holiday break the IT Infrastructure Communications Team began upgrading the Wireless LAN Controllers and the RADIUS authentication servers.  Those upgrades were completed early this morning.  Due to the nature of our authentication protocols you will now have to “accept” a new security certificate to connect to the WiFi network.  During this upgrade the security certificates on the RADIUS servers were moved to our InCommon provider.  Although each device connects differently, the iOS (iPhone and iPad) certificate should look like this; other devices will have similar notices:

[Image: apple-trust]

If this message does not appear and you are unable to connect to the wireless network, you may need to turn off wireless on your device and turn it back on to re-establish the connection to your device.  If it still fails, you can try “forgetting” the network from your device and re-connecting.

Detailed instructions for connecting a device to the wireless network can be found at: www.marshall.edu/wifi .

Please check your cellular/wireless mobile devices to avoid unwanted data usage over the cell network.

If you require further assistance, please contact the IT Service Desk:

304.696.3200   (Huntington)
304.746.1969   (Charleston)
itservicedesk@marshall.edu

Symantec Endpoint Protection Software Updated to 12.1RU6MP6

The Marshall University campus Symantec Endpoint Protection Management (SEPM) Servers and Symantec Endpoint Protection (SEP) client install packages have been upgraded to version 12.1.7061.6600 (Windows/Mac/Linux). This Symantec-provided update addresses Symantec Security Advisory SYM16-015 (client decomposer engine). This update also provides client OS support for Mac OS 10.12 (Sierra).

SEP client patches are being distributed via background update process for managed client installs. Updated client install packages will be made available on the campus \Distributions share and via web download https://www.marshall.edu/antivirus for new installs and off-site computers.

Please contact the Marshall IT Service Desk at 304-696-3200 or via e-mail at itservicedesk@marshall.edu to report any questions or issues related to the install/upgrade process.

Additional details are available at the following URL:
* Security Advisories Relating to Symantec Products – Symantec Endpoint Protection Manager Multiple Security Issues
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160919_00

* New Fixes and Component Versions in Symantec Endpoint Protection 12.1.6MP6
https://support.symantec.com/en_US/article.INFO9413.html

Symantec Endpoint Protection Software Updated to 12.1RU6MP5

The Marshall University campus Symantec Endpoint Protection Management (SEPM) Servers and Symantec Endpoint Protection (SEP) client install packages have been upgraded to version 12.1.7004.6500 (Windows/Linux) and 12.1.6867.6400 (MacOS). This Symantec-provided update addresses Symantec Security Advisory SYM16-010 (client decomposer engine) and SYM16-011 (multiple SEPM security issues). This update addresses several ‘high severity’ issues in both the SEPM hosts and the SEP Client software.

SEP client patches are being distributed via background update process for managed client installs. Updated client install packages are available on the campus \Distributions share and via web download https://www.marshall.edu/antivirus for new installs and off-site computers.

Please contact the Marshall IT Service Desk at 304-696-3200 or via e-mail at itservicedesk@marshall.edu to report any questions or issues related to the install/upgrade process.

Additional details are available at the following URL:
* Security Advisories Relating to Symantec Products – Symantec Endpoint Protection Manager Multiple Security Issues
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160317_00

* New Fixes and Component Versions in Symantec Endpoint Protection 12.1.6MP5
https://support.symantec.com/en_US/article.INFO3801.html

Symantec Releases Security Update SYM16-010

Symantec Decomposer Engine Multiple Parsing Vulnerabilities

Just a quick note to Info Tech Service Providers and IT Service Desk Teams to make you aware of a recent announcement by Symantec and US-CERT about a vulnerability with the Symantec Decomposer Engine.

Overview

According to Symantec, parsing of maliciously-formatted container files may cause memory corruption, integer overflow or buffer overflow in Symantec’s Decomposer engine. Successful exploitation of these vulnerabilities typically results in an application-level denial of service but could result in arbitrary code execution. An attacker could potentially run arbitrary code by sending a specially crafted file to a user.

Solution

This issue was resolved via a maintenance patch release to the Symantec Endpoint Protection (SEP) client software for Microsoft Windows OS. Windows SEP clients updated to at least version 12.1.7004.6500 (aka 12.1.6 MP5) will be protected against this vulnerability.

How can I verify that my client has been patched?

A Symantec Endpoint Protection (SEP) client running version 12.1.7004.6500 will have already received this update.  Marshall University has updated our campus software distribution points to make this latest release available via background update to all currently managed clients. The update will require a reboot of the client computer in order to complete the upgrade process.

The IT Information Security team will be working with the IT Service Desk team to identify and remediate any SEP clients with out-of-date software versions. Please report any unresolved background update issues via MU Support ticket or an e-mail to itservicedesk@marshall.edu.

Reference Links

  • Security Advisories Relating to Symantec Products – Symantec Decomposer Engine Multiple Parsing Vulnerabilities
    https://support.symantec.com/en_US/article.ALERT2047.html
    https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_00

Thank you for your continued attention to information security,

Jon B. Cutler, MS, CISSP
Chief Information Security Officer
Marshall University, Division of Information Technology
Drinko Library 324, 1 John Marshall Drive, Huntington, WV 25755
Phone: (304) 696-3270, @joncutler | BeHerd Feedback
http://www.marshall.edu/InfoSec