Info Sec Alerts

Symantec Releases Security Update SYM16-008

Symantec Antivirus Engine Malformed PE Header Parser Memory Access Violation

Just a quick note to Info Tech Service Providers and IT Service Desk Teams to make you aware of a recent announcement by Symantec and US-CERT about a vulnerability with the Symantec Antivirus Engine.

Overview

According to Symantec, their Anti-Virus Engine (AVE) was susceptible to a memory access violation due to a kernel-level flaw when parsing a specifically-crafted PE header file. The most common symptom of a successful attack would be an immediate system crash, aka. Blue Screen of Death (BSOD).

Solution

This issue is currently being resolved via the normally scheduled LiveUpdate process. Symantec product engineers have addressed this in the latest AVE update, version 20151.1.1.4, released effective 5/16/2016 and delivered to customers via LiveUpdate along with the usual definition and signature updates.

How can I verify that my client has been patched?

Symantec Endpoint Protection (SEP) clients with AV content dated 2016-05-16 r24 (sequence number 160516024) and newer have already received this update. You can use that as an indicator that they have received the new engine, so any system with older definitions is one to target as at risk.

Current Virus Definition & Security Update Versions from Symantec are listed below:

  • Virus and Spyware Protection – Tuesday, May 17, 2016 r7 and newer
  • Proactive Threat Protection – Friday, May 6, 2016 r11 and newer
  • Network Threat Protection – Monday, May 16, 2016 r11 and newer

The IT Information Security team will be working with the IT Service Desk team to identify and remediate any SEP clients with out-of-date definitions. Please report any unresolved LiveUpdate issues via an MU Support ticket or an e-mail to itservicedesk@marshall.edu.
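The check described above compares each client's AV content level against 2016-05-16 r24 (sequence number 160516024). The following script, added here as an example and not part of the advisory or of any Symantec tooling, converts the "date rNN" content string shown in the SEP console into that sequence number and flags hosts that fall below the patched level. The inventory rows are constructed sample data; the assumption is that your inventory export provides the Virus and Spyware Protection content as a date plus revision.

```python
"""Flag SEP clients whose AV content predates the patched engine.

Added example, not from the advisory or Symantec. Assumes the inventory
exports the 'Virus and Spyware Protection' content as 'YYYY-MM-DD rNN'.
"""

from datetime import date
import re

# Minimum content level named in the advisory: 2016-05-16 r24, i.e.
# sequence number 160516024 (YYMMDD followed by the 3-digit revision).
PATCHED_SEQUENCE = 160516024

_CONTENT_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})\s+r(\d{1,3})$")


def sequence_number(content):
    """Convert '2016-05-16 r24' into the 9-digit sequence number 160516024.

    The year is taken modulo 100 and the revision is zero-padded to three
    digits, so a plain integer comparison orders by date first, then revision.
    """
    m = _CONTENT_RE.match(content.strip())
    if not m:
        raise ValueError("unrecognised content string: %r" % content)
    year, month, day, rev = (int(g) for g in m.groups())
    date(year, month, day)  # raises ValueError on an impossible calendar date
    return (year % 100) * 10_000_000 + month * 100_000 + day * 1000 + rev


def is_patched(content, minimum=PATCHED_SEQUENCE):
    """True when the content level is at or above the patched sequence number."""
    return sequence_number(content) >= minimum


def at_risk_clients(inventory):
    """Return hostnames whose AV content is older than the patched level.

    Hosts whose content string cannot be parsed are also returned, since an
    unknown level cannot be assumed safe.
    """
    flagged = []
    for host, content in inventory:
        try:
            if not is_patched(content):
                flagged.append(host)
        except ValueError:
            flagged.append(host)
    return flagged


# Constructed sample inventory (hostnames and content levels are made up).
SAMPLE_INVENTORY = [
    ("lab-pc-01", "2016-05-17 r7"),   # newer date, lower revision: patched
    ("lab-pc-02", "2016-05-16 r24"),  # exactly the patched level
    ("lab-pc-03", "2016-05-16 r23"),  # same day, earlier revision: at risk
    ("lab-pc-04", "2016-05-10 r11"),  # stale definitions: at risk
    ("lab-pc-05", "unknown"),         # unparseable: treated as at risk
]

if __name__ == "__main__":
    for host in at_risk_clients(SAMPLE_INVENTORY):
        print("%s: AV content below %d, schedule LiveUpdate" % (host, PATCHED_SEQUENCE))
```

Note that lab-pc-01 is patched even though its revision number (r7) is lower than r24: the date dominates, which is why the comparison is done on the full sequence number rather than on the revision alone.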

Reference Links

Thank you for your continued attention to information security,

Jon B. Cutler, MS, CISSP
Chief Information Security Officer
Marshall University, Division of Information Technology
Drinko Library 324, 1 John Marshall Drive, Huntington, WV 25755
Phone: (304) 696-3270, @joncutler | BeHerd Feedback
http://www.marshall.edu/InfoSec


[This information from 5/17/2016 security advisory e-mail to IT Service Providers and IT Service Desk]

Information Security Elevated Risk Advisory for Apple QuickTime

MU Information Security Elevated Risk Advisory
Apple QuickTime for Windows

Apple has announced that it is ending support for their QuickTime 7 for Windows product. QuickTime for Windows was commonly installed on Microsoft Windows PCs in the form of a web browser plug-in and stand-alone player to support web-based media; it was also included as a component of the Apple iTunes media management software.

According to the Apple support site, current Windows web browsers already support media playback; and iTunes version 10.5 and later no longer include the QuickTime component.

Impact

Because using unsupported software may increase the risk from viruses and other security threats, members of the Marshall University community are advised to discontinue their use of the QuickTime software for Windows on both University- and personally-owned computers. If you have a business-critical application which specifically requires QuickTime for Windows – not just key media formats such as H.264 and AAC which are already supported by current Windows web browsers – we ask that you please contact the Marshall IT Information Security team to discuss alternative risk reduction solutions.

Solution

Apple, the US-CERT, and the Marshall Information Technology team recommend system users and administrators be aware of the risks associated with unsupported software and take the following actions in response to this advisory:

  • Determine if QuickTime is a necessary component for any business-critical applications.*
  • Uninstall QuickTime for Windows software (if you have administrative privileges and have determined that it is not needed) from machines which you own or manage; or contact your IT Service Provider (if you do not have admin privileges) and ask whether QuickTime can be uninstalled;
  • Be Aware of Automated Efforts Which Are Underway by the Marshall IT Security team through the use of the Dell/KACE software inventory platform to do the following:
    • Compile a list of University-owned computers which still have QuickTime installed
    • Schedule KACE Desktop Alerts for machines which still show QuickTime as installed
    • Automate the uninstallation of QuickTime for shared-use and centrally-managed machines
  • Discontinue installation of QuickTime for Windows software in new system image builds and PC deployments.

*Note: Please contact Marshall IT Information Security and your department IT service provider to let us know if you have a business-critical application which requires the continued use of QuickTime.

Reference Material

Thank you for your continued attention to information security,

Jon B. Cutler, MS, CISSP
Chief Information Security Officer
Marshall University, Division of Information Technology
Drinko Library 324, 1 John Marshall Drive, Huntington, WV 25755
Phone: (304) 696-3270, @joncutler | BeHerd Feedback
http://www.marshall.edu/InfoSec

[This information from 4/26/2016 security advisory e-mail which was bcc’ed to ALL Marshall University Exchange Users]

Information Security Advisory for Ransomware

MU Information Security Elevated Risk Advisory…

Don’t get LOCKED out of your computer by RansomWare!

Ransomware is a type of malicious software that infects computer systems, restricting users’ access to those systems. According to a recent security bulletin released by the US Computer Emergency Response Team (US-CERT), “Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge.”

Impact

Ransomware targets both institutional and home users, and systems which become infected can suffer negative consequences, including:

  • Temporary or permanent loss of sensitive or proprietary information,
  • Disruption to regular operations,
  • Financial losses incurred to restore systems and files, and
  • Potential harm to an organization’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed. Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist.

Solution

US-CERT and the Marshall Information Technology team recommend that system users and administrators take the following preventive measures to protect their computers from ransomware infection:

  • Backup Your Data – Perform and test regular data backups to limit the impact of data or system loss and to expedite recovery in the event of infection. NOTE: Ideally this data should be kept on a separate off-line device, because an infected system can attempt to encrypt ALL attached storage (including network shares) to which the individual has write permissions.
  • Update Your System Early and Often – Ensure that your computer has the latest operating system and application updates. Systems running vulnerable software are the targets of most attacks.
  • Maintain Up-to-Date Anti-Virus Software – Run current versions of anti-virus/anti-malware software with the latest virus definitions, and scan all Internet software downloads prior to their use.
  • Avoid Enabling Macros on E-mail Attachments – Currently Microsoft Office products disable executable macros in files by default. Do not enable macros on unsolicited files from untrusted sources.
  • ALWAYS be wary of unexpected e-mail messages (regardless of the apparent source) which include file attachments or web URLs, or are written with a sense of urgency for you to provide computer passwords or reveal personal financial information.

If you receive one of these messages…

Please protect yourself and your campus colleagues by following the principle of STOP-THINK-CONNECT:

STOP. Do not act too quickly to open the attachment or follow an unsolicited URL. The criminal is counting on you responding quickly to the urgent nature of the message.

THINK. Why did this person send me this file? Should I verify the sender before opening? Am I 100% confident that my system and data are protected should this attachment end up being malicious? If not, then perhaps you should simply delete the e-mail message.

CONNECT. Get a second opinion from a co-worker and report the message to your department IT Service Provider or a member of the Marshall Information Technology team.

If you receive a suspicious-looking e-mail message…

We ask that you take the following actions:

  • Please delete the message from your inbox if it is obviously fraudulent.
  • As long as you did not attempt to open the attachment, reply/click on the web link, or provide any personal information, no additional action is needed; however
  • If you attempted to open an attachment or visited a website where you submitted your username, password or other sensitive information, you should immediately contact the Marshall IT Service Desk at (304) 696-3200 / itservicedesk@marshall.edu.

Protecting Yourself From E-mail Fraud (aka Phishing)

http://www.marshall.edu/it/departments/information-security/phishing-scams/

InfoSec Tip #7: Don’t Be Tricked

http://www.marshall.edu/it/training/infosec-tips-7/


Thank you for your continued awareness,

Jon B. Cutler, MS, CISSP
Chief Information Security Officer
Marshall University, Division of Information Technology
Drinko Library 324, 1 John Marshall Drive, Huntington, WV 25755
Phone: (304) 696-3270, @joncutler | BeHerd Feedback
http://www.marshall.edu/InfoSec

Maintenance Window

Information Technology schedules a weekly maintenance window on Sundays from 7am to 1pm Eastern time. Our services may be intermittent during this time each week.

LastPass Password Manager Warns of Breach

LastPass, a company which makes a password manager product (a combination of software and cloud service which allows you to generate, store and protect your personal library of authentication credentials, i.e. usernames and passwords), disclosed on 15-June, 2015 that they had discovered and blocked suspicious activity on their network. Their investigation confirmed that some of their customer data had been compromised. A number of tech news sites also reported and provided details on this event, including KrebsonSecurity and NetworkWorld.

The MU IT Security team recommends using a password manager as a strategy to both manage and protect your network logon credentials. Otherwise the tendency is towards using the same credentials across multiple sites.

It’s important to understand what information was compromised and what is believed to still be secure. LastPass reported that the compromised data included lists of user e-mail addresses, password reminders, and additional data encryption elements called ‘salts’ and ‘hashes’. What is believed to still be protected are the user password vaults, which contain lists of user websites and credentials. These vaults are kept encrypted with an extremely strong process which LastPass reports “includes running 100,000 rounds of PBKDF2-SHA256 server-side” and which makes it “difficult to attack the stolen hashes with any significant speed.”

That being said, if you use LastPass and either have a weak ‘master password’ or have reused your master password with other websites, you may be at risk. So you should follow LastPass’s recommendation to visit their website http://www.lastpass.com and change your master password immediately.

Here are a few additional tips to ensure your password vault does not create a single-point of failure for your security:

  1. DO create a very strong master password (UPPER and lower case, numbers and special characters) and at least 15 or more characters long; since this is your first line of defense, don’t skimp on characters and don’t use anything obvious.
  2. DO NOT ever use your master password credentials at another website.
  3. DO enable multi-factor authentication with LastPass. When you turn on multi-factor, you will need more than simply an e-mail address and master password to open/view your password vault. Often you can use a smartphone app like Google Authenticator and Duo Security (both supported with the free version) to enter an additional PIN or click on a notification generated by your mobile phone. If you upgrade to the paid (premium version) then you also get a mobile version of LastPass which supports fingerprint sensors and card readers.
  4. DO NOT respond to any e-mails or click on any web URLs included in e-mail messages. Remember the cybercriminals now have a list that includes your e-mail address and we can almost guarantee you will see any number of e-mail messages urging you to ‘click here to change your password’. Do not become a victim of a phishing attack.
  5. DO contact the Marshall IT Service Desk, your department IT Service Provider or the IT Information Security team to report suspicious activity or if you have reason to believe that access to your Marshall Network account has been compromised.
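The paragraph above quotes LastPass as running 100,000 rounds of PBKDF2-SHA256 over each user's hash, and tip #1 asks for a long master password with mixed character classes. The script below, an added example and not LastPass's own code, shows the general mechanism behind both points: how a per-user salt and a high round count make each guess against a stolen hash expensive, and a simple check of a candidate master password against the policy in tip #1. The 100,000-round figure comes from the advisory; the salt size, the timing method and the policy thresholds are assumptions for illustration.

```python
"""Why salted, high-round PBKDF2-SHA256 hashes resist fast guessing, plus a
master-password policy check matching tip #1.

Added example, not LastPass's code. ROUNDS is the figure quoted in the
advisory; SALT_BYTES and the policy thresholds are assumptions.
"""

import hashlib
import hmac
import os
import string
import time

ROUNDS = 100_000   # round count quoted in the advisory
SALT_BYTES = 16    # assumption: a random per-user salt of 16 bytes


def derive(password, salt, rounds=ROUNDS):
    """PBKDF2-HMAC-SHA256 of the password under the given salt and round count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def new_record(password):
    """Create the (salt, hash) pair a server would store for a new user."""
    salt = os.urandom(SALT_BYTES)
    return salt, derive(password, salt)


def verify(password, salt, stored):
    """Re-derive and compare in constant time to avoid a timing side channel."""
    return hmac.compare_digest(derive(password, salt), stored)


def guesses_per_second(rounds, trials=5):
    """Rough rate at which one CPU core can test candidate passwords against a
    single stolen hash at the given round count. The salt is fixed here because
    the attacker already holds the leaked salt for the target hash."""
    salt = b"\x00" * SALT_BYTES
    start = time.perf_counter()
    for i in range(trials):
        derive("guess%d" % i, salt, rounds)
    return trials / (time.perf_counter() - start)


def master_password_problems(pw, min_len=15):
    """Return the requirements from tip #1 that the password fails (empty = OK)."""
    problems = []
    if len(pw) < min_len:
        problems.append("shorter than %d characters" % min_len)
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    return problems


if __name__ == "__main__":
    salt, stored = new_record("Correct-Horse-Battery-9")  # constructed sample
    print("correct password verifies:", verify("Correct-Horse-Battery-9", salt, stored))
    print("wrong password verifies:  ", verify("correct-horse-battery-9", salt, stored))
    print("guesses/s at 1,000 rounds: %.0f" % guesses_per_second(1_000))
    print("guesses/s at %d rounds: %.0f" % (ROUNDS, guesses_per_second(ROUNDS)))
    print("policy problems for 'password':", master_password_problems("password"))
```

Two things the numbers make concrete: the per-user salt means a precomputed table is useless, since the same password yields a different hash under every salt, and the round count cuts the guess rate by roughly two orders of magnitude compared with 1,000 rounds. Neither helps if the master password is short or reused, which is why tips #1 and #2 still matter.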