Category: Information Security
Last week, Symantec said it was unable to predict when it would complete its patching of pcAnywhere, citing the unpredictability of its investigation and the creation of the necessary fixes. However, they have now released an update that addresses the security issues we reported earlier this week. We therefore will not be implementing an inbound filter to 5631/TCP, 5632/UDP on Sunday 2/5 as previously mentioned.
The updates can be manually downloaded from Symantec’s website, or customers can use pcAnywhere’s built-in updating service to retrieve and install the patches. http://www.symantec.com/business/support/index?page=content&id=TECH179960
Modena also confirmed that customers running versions of pcAnywhere prior to version 12.0 will be offered a free upgrade to 12.5. “If requested, Symantec will honor an update to version 12.5 for the customer.”
Information Security Incident Response Team, Information Services & Technology
Security Alert – Due to a security issue with pcAnywhere, we plan to create a new rule to block inbound traffic to ports 5631/TCP and 5632/UDP. This rule will go into effect on Sunday, 2/5.
If you are using pcAnywhere, please read this message in its entirety.
In a white paper released on 1/23, Symantec revealed that proprietary source code for current versions of its pcAnywhere software was stolen in 2006 and that all users are at risk of attack and should disable the product.
Symantec, in their official report on this event, provides this statement: “Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks.”
What you should do:
- For any system that contains Restricted Use information, pcAnywhere must be disabled and alternatives sought. (For a definition of Restricted Use information, please see the Data Classification Guide, part of the Data Protection Standards: http://www.bu.edu/infosec/policies/data-protection-standards/)
- For any other system where you are using pcAnywhere and where an alternative solution will work, you should switch to the alternative solution. Some possible solutions include:
  - Windows Remote Desktop (see http://www.bu.edu/tech/security/protect/bestpractice/remote-desktop/ for details)
  - GoToMyPC (Security has not evaluated this product and it does have a price tag, so this is not a specific recommendation of this product, but simply an alternative if Remote Desktop will not work)
  - Avoid RealVNC. It is known to have significant security issues.
- Where you (1) have a business critical function (2) on a system not containing Restricted Use information and (3) pcAnywhere is the only solution that will work for that function, you may continue to use it provided you do the following:
  - Upgrade to the latest version
  - Update your pcAnywhere configuration as recommended in the white paper from Symantec in the “pcAnywhere Security Best Practices” section, beginning on page 5
  - Set up your pcAnywhere connection to use different authentication credentials than you use for any other BU system
  - If you are outside of BU, connect to BU via VPN prior to establishing the pcAnywhere connection
  - Monitor Symantec’s site for further security information and updates
What we will be doing:
- As recommended by the vendor, we will be writing a new rule to block traffic coming in to BU using the standard pcAnywhere communication ports: 5631/TCP, 5632/UDP. This rule will go into effect on Sunday, 2/5.
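To find machines where pcAnywhere is still reachable on its standard ports, the output of `netstat -an` can be checked for sockets bound to 5631/TCP and 5632/UDP. The script below is an added example, not part of the original alert; it assumes Windows-style `netstat -an` output, and the sample output and the function name are constructed for illustration.

```python
# Added example: flag sockets on the pcAnywhere ports named in the alert.
# Assumes Windows-style `netstat -an` output; SAMPLE_NETSTAT is constructed.
PCANYWHERE_PORTS = {("TCP", 5631), ("UDP", 5632)}
LOOPBACK_PREFIXES = ("127.", "[::1]")

SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5631         0.0.0.0:0              LISTENING
  TCP    192.0.2.20:5631        198.51.100.7:49822     ESTABLISHED
  TCP    192.0.2.20:49901       198.51.100.9:5631      ESTABLISHED
  UDP    0.0.0.0:5632           *:*
  UDP    0.0.0.0:56320          *:*
"""


def find_pcanywhere_sockets(netstat_output):
    """Return one finding per local socket bound to a pcAnywhere port."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # header or unrelated line
        proto, local, remote = fields[0].upper(), fields[1], fields[2]
        host, _, port = local.rpartition(":")  # keeps "[::]" intact for IPv6
        if not port.isdigit() or (proto, int(port)) not in PCANYWHERE_PORTS:
            continue  # only the local port matters; outbound clients are skipped
        state = fields[3] if len(fields) > 3 else ""
        if proto == "TCP" and state == "ESTABLISHED":
            kind = "active session"
        elif proto == "UDP" or state == "LISTENING":
            kind = "listener"
        else:
            continue  # TIME_WAIT and similar transient states
        findings.append({
            "proto": proto, "port": int(port), "local": host, "kind": kind,
            "remote": remote if kind == "active session" else None,
            # Bound to something other than loopback: reachable from the network.
            "network_reachable": not host.startswith(LOOPBACK_PREFIXES),
        })
    return findings


if __name__ == "__main__":
    for f in find_pcanywhere_sockets(SAMPLE_NETSTAT):
        where = "network" if f["network_reachable"] else "loopback only"
        print(f'{f["port"]}/{f["proto"]} {f["kind"]} on {f["local"]} ({where})')
```

A host that reports a network-reachable listener is one where the steps under "What you should do" apply.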
Sun Java 6.0.24
As announced in a notification from IBM, Host On-Demand is not supported by Java 6, update 24 and will not work after the computer has been upgraded. If you have upgraded to the most recent version of Java, we recommend downgrading to update 23:
Sun Java 6.0.21
When using Java 6 update 21, you will receive a security notification when trying to connect with Host On-Demand.
To remove this warning, named HODAPPlet:
- Open your Control Panel.
- Click on the Java icon.
- Select the Advanced tab.
- Choose Security.
- For “Mixed code (sandboxed vs trusted) security verification,” choose Hide warning and run with protections.
Sun Java 6.0.15, 6.0.16, and 6.0.17
If you are using Sun Java 6.0 update 15, 16, or 17, Host On-Demand will not install or start in any browser.
As a workaround, the next-generation plug-in can be disabled in the Java control panel.
- Open the Java control panel (Start/Control Panel/Java).
- Select the Advanced tab.
- Select Java plug-in.
- Uncheck Enable the next-generation Java plug-in.
- Click OK.
- A confirmation dialog box will appear. Click OK.
- Restart HOD.
Internet Explorer 8
If you are using IE 8, Host On-Demand may not install or start, depending on the version of Sun Java that is installed.
As a workaround, revert back to Sun Java 6.0.14.
- Uninstall Java 6.0.15 (or any more recent version, if installed)
- Download Java 6.0.14.
- Double-click on the 6.0.14 file to install.
- Re-install Host On-Demand.
Note: Administrative privileges are required.
If you received an e-mail from “firstname.lastname@example.org” asking you to supply your email username and email password, it appears to be a phishing scheme. We would *never* ask you to e-mail your password. Please just delete the e-mail.
As always, if you have an e-mail that is suspect, you can call the Service Desk at (617) 638-5419 or forward the e-mail to email@example.com to verify if it is legitimate.
Many at BUMC are victims of “spamming” attacks and are forced to filter through hundreds of unwanted and inappropriate emails daily. While there’s no cure for spam, BUMC IT encourages anyone with a BU email account to use SpamAssassin to minimize its effects. Questions? Contact (617) 638-5914 or firstname.lastname@example.org.