Apply Apple Critical Update (iOS 9.5.3) Now

Apple recently released a critical security update (iOS 9.3.5) addressing three security vulnerabilities, for which there are known exploits. It is strongly recommended that iPhone and iPad users perform this update asap. You may not have yet received a prompt to perform the update, but the update is available on your device(s) via Settings -> General -> Software Update. More information about the vulnerabilities is available below.

Background:
Recently, a foreign government affiliated “cyber-war” company exploited a set of three zero-day vulnerabilities (dubbed ‘Trident’) in Apple’s iOS version < 9.3.5 to spy on a prominent human rights activist. The vulnerabilities, when exploited, can allow the malicious actor(s) to decrypt and steal emails, text messages, call logs, as well as remotely activate the phone’s microphone among other invasions of privacy and device compromises. Apple released an update several hours later that patches the vulnerabilities.

Targets:
While this security bulletin affects the internet community as a whole, the Trident spyware has been seen to specifically target high profile individuals such as political activists and be used against anyone to compromise access and device privacy. In this case, evidence exists where a political dissident and internationally renowned human rights defender Ahmed Mansoor was sent a suspicious text message claiming to have “New secrets about torture of Emiratis in state prisons” with a link. The link in the text message would have compromised the phone. However Ahmed Mansoor, cautious as he was, instead alerted a technology laboratory that works with human rights activists. This lab is called CitizenLab and together with Lookout Mobile Security, they traced the source of the compromise attempt as well as noted the effects of the mobile malware.

Source:
The source was traced to NSO Group Technologies Ltd. “NSO Group, based in Herzelia, Israel […], develops and sells mobile phone surveillance software to governments around the world. The company describes itself as a ‘leader’ in ‘mobile and cellular Cyber Warfare,’ and has been operating for more than six years since its founding in 2010.” – CitizenLab

Extent of Effects:
According to CitizenLab, the Trident spyware would effectively allow the malicious actor to gain complete control over the target phone by jailbreaking it remotely. After jailbreaking the device, the attacker essentially has full and unrestricted access to almost everything the device contains or processes including but not limited to:

– Calls made by phone, WhatsApp and Viber, SMS messages, as well as messages and other data from popular apps like Gmail, WhatsApp, Skype, Facebook, KakaoTalk, Telegram, and others
– A wide range of personal data, such as calendar data and contact lists, as well as passwords, including Wi-Fi passwords. (above list taken from CitizenLab)

The malware also has the ability to persist throughout patches of individual applications since the compromise affects the operating system layer underneath.

Recommendations:
Update any and all Apple iOS devices to the latest version 9.3.5 or greater.

References:
Ahmed Mansoor – https://www.hrw.org/tag/ahmed-mansoor
CitizenLab’s full analysis – https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://wp.nyu.edu/itsecurity/category/alerts/
Lookout Security’s analysis – https://blog.lookout.com/blog/2016/08/25/trident-pegasus/
Apple’s patch notes (iOS v.9.3.5) – https://support.apple.com/en-us/HT207107
Ars Technica news article – http://arstechnica.com/apple/2016/08/apple-releases-ios-9-3-5-with-an-important-security-update/

 

 

Proofpoint Secure Email

secure_emailBy leveraging the Proofpoint appliances we have today, which are responsible for scanning messages for spam and viruses, we are able to provide UMass Lowell users with the ability to send encrypted email whenever necessary.  Proofpoint works seamlessly with our existing email Exchange servers as it encrypts email leaving the University’s private networks and heads out onto the Internet. Continue reading

Making “Digital Spring Cleaning” an Annual Ritual

Last week, the National Cyber Security Alliance (NCSA) and Better Business Bureau (BBB) announced that they are encouraging consumers to put cybersecurity top of mind by urging them to make digital devices an additional target of their spring cleaning activities. Let’s encourage students, faculty, staff, family, and friends to make a thorough “digital spring cleaning” an annual ritual. Internet users can get a fresh start with their online life by keeping all machines clean, purging their online files, enhancing security features and ensuring that their online reputation shines.

Continue reading

Yes Virginia, you do need antivirus software for your Mac

If you’re one of those people who think their Mac is absolved from getting viruses, think again.  According to this analysis at Bit9, in 2015 alone researchers have discovered five times the amount of unique OS X malware than in the last five years combined.  Makes perfect sense due to the growth in popularity of Macs in the business and at home.

Information Technology reminds everyone that all users are required to install an antivirus program on their computers, regardless of the computers’ operating systems. IT offers McAfee VirusScan software for free to all UMass Lowell students, faculty, and staff.  Check out the software applications page on the IT website for more information.

Social Media – What Hackers Can Learn About You in Less than 30 Minutes

Have you ever stopped to think how much information about yourself is freely available online? With over 2 billion active social media accounts today, hackers are shifting their focus to target social media users. In less than 30 minutes, nearly anyone can learn your name, email address, location, past work experience, hobbies, and more just by looking at your profile. If hackers gain access to other information such as a credit card or social security number, they can even apply for loans and mortgages in your name.

Here are some ways to protect your personal information and keep your online presence secure when using social media by visiting one of industry’s leading authority on security awareness.  What Hackers Can Learn From Social Media in Less than 30 Minutes.  (pdf viewer is required).

Additional Resources:

Stay Safe Online
Staying Safe on Social Networking Sites
5 Tips for Social Media Security and Privacy

 

 

Protecting Your Digital Life – 2 Steps Ahead

Using a password alone to secure your data on online accounts is the first step toward protecting yourself. Learn how to take the second step and add an extra layer of security and take control of your online accounts with 2 step authentication. Get more at www.stopthinkconnect.org/2stepsahead.

This video is courtesy of the Stop.Think.Connect campaign as part of the National Cyber Security Awareness Month.

Two-step, multi-factor authentication or 2FA is a security tool that uses multiple verification techniques to prove that the person attempting to log onto an account is really that person.

One method with which many of us are already familiar is that special code we receive via phone text after we’ve logged onto a password-protected site or app on our laptop or other device from a browser we normally don’t use. We gain access to our account only after we correctly enter the code.  Banks have been doing this for years to protect your information.

Two-factor authentication can combine multiple types of verification.

Some of these methods include:

  • Something you know: a password, code, passphrase or PIN
  • Something you have: a physical token, chip,  or phone

These methods provide an extra layer of security. Most people only have one layer – their password – to protect their account. But combining something you know (your password) with something you have (your phone, token, etc.), makes your account even more secure.

In just one example of its use, Information Technology has enabled two-factor authentication for system administrators accessing UML resources from off-campus locations via our Virtual Private Network (VPN).  Stay tuned for more 2FA announcements accessing other applications like HR Direct and SIS.

Big sites already using two-factor authentication include Facebook, Twitter, Dropbox, Gmail, PayPal, eBay, and Amazon Web Services.

Turn It On: See step-by-step instructions on how to add two-factor authentication to more than 100 online accounts

 

 

How To Create a Cyber Secure Home

Most homes have devices linked to their wireless networks, including computers, laptops, gaming devices, TVs, tablets, and smartphones that access the Internet. To protect your home network and your family, you need to have the right tools in place and confidence that you and your family members can use the Internet safely and securely.

Secure Your Computers / Devices

The first step is to keep a clean machine and make sure all of your Internet-enabled devices have the latest operating system, web browsers and security software. These are the best defenses against viruses, malware, and other online threats.  This includes mobile devices that access your wireless network.  Whenever possible, enable automatic updating.

If possible, have two computers at home: one for parents and one for the children.  If you are sharing one computer, make sure you have separate accounts for everyone and the children do not have privileged (administrative) access.

Secure Yourself

Cyber attackers have learned years ago that the best way to get something is simply to ask for it. Use your common sense as your best defense.  If a message seems odd, suspicious, or too good to be true, it may be an attack.   Examples:

Someone calls your pretending to be Microsoft tech support. They claim your computer is infected and would like remote access to your computer to “fix” it, or want you to purchase their fake anti-virus software.

“Phishing” emails are very convincing and are designed to fool you into opening an infected attachment or clicking on a malicious link. These emails may appear to come from a friend or organization you know.  If you are not sure or something just doesn’t look right, call the user or company using a phone number you know to be valid and legitimate.  With the explosion of social media, cyber criminals may even use details from your social media accounts to craft a customized message.

Secure Your Home Network

A wireless network means connecting an Internet access point – such as a cable modem – to a wireless router. Going wireless is a convenient way to allow multiple devices to connect to the Internet from different areas of your home. However, unless you secure your router, you’re vulnerable to people accessing information on your computer, using your Internet service for free and potentially using your network to commit cyber crimes.

  • Change the name of your router: The default ID – called a “service set identifier” (SSID) is assigned by the manufacturer. Change your router to a name that is unique to you and won’t be easily guessed by others.
  • Change the pre-set password on your router: When creating a new password, make sure it is long and strong, using a mix of numbers, letters and symbols.  Be careful with whom you share this password.
  • Configure your Wi-Fi network so that if anyone wants to join it, they must use the password.  Additionally, always configure your router to use the latest encryption, which is currently WPA2.
  • Be aware of all the devices connected to your home network, including baby monitors, gaming consoles, sound systems, TVs, and smartphones.   They all can be used as attack vectors into your homes.  Make sure that they are running the latest versions of the software (sometimes called firmware) on them, downloadable from the manufacturer.
  • If connecting to UMass Lowell resources (i.e. servers, network file shares, you must use the campus VPN solution (https://vpn.uml.edu) to encrypt the traffic from your home device to the UMass Lowell network.

Secure your Accounts

Like most people, you probably have many accounts online and on your devices and computers. Here are some simple steps to protect them:

  • Always use strong passwords that are hard to guess.  If possible, use passphrases such as “RedSoxAreTheBest!”
  • Use different passwords for each of your accounts and devices.  If you have too many accounts and too many passwords, use a password manager to securely store them.  These are applications that securely store all of your passwords in an encrypted vault.
  • Use a two-step verification whenever possible.  This is also called 2 Factor Authentication (2FA).  This uses a password and something else to log into your account such as a code sent to your smartphone.  Banks have been using this for a few years now.
  • On social media sites, post only what you want the public to see.  Assume anything you post will eventually be seen by your neighbors, strangers, or even your management.

Have You Been Hacked?

No matter how secure you are, sooner or later you may become a victim of an online crime or even hacked. Here are some tips:

  • Create regular backups of all your personal information.  If your computer or mobile device is hacked, the only way you can recover all of your personal information may be from backups.
  • If one of your online accounts have been hacked, immediately log in and change your password to something strong and unique.  If you no longer have access, contact the company.  If you use that same password on other accounts, change it on those too.
  • Monitor all of your credit cards.  If you see any charges you do not recognize, contact the credit card company right away and consider “freezing” your credit.
  • When banking and shopping, check to be sure the sites is security enabled. Look for web addresses with “https://” which means the site takes extra measures to help secure your information. “http://” is not secure.