Category: Information Security

Phishing Scam: “Boston University IT Help Center – Please Upgrade Today!”

July 12th, 2012 in Featured, Information Security, News

Be on the lookout for a new phishing email that is circulating through the BU community. The email appears to come from ithelp@bu.edu and has the subject “Boston University IT Help Center – Please Upgrade Today!” A full transcript of this phishing message can be found below.

THIS IS A PHISHING EMAIL AND NOT FROM BOSTON UNIVERSITY.

As long as you disregard these e-mails and do not click on any of the links you should be fine. You can learn more about phishing e-mails on our website: http://www.bumc.bu.edu/it/comm-collab/e-mail/unwanted-email/phishing/.

As a reminder, BU will never ask you for personal information or your password.

Here are a few simple tips to avoid being hooked by a phisher:

  1. If the email asks for your password, it is a scam. Delete it.
  2. If the email is about a financial account you don’t have or an order that you don’t know anything about, it is almost certainly a scam.
  3. If you feel you must check out something sent to you in email DON’T CLICK THE LINK. It is completely possible to make a link lie to you. Instead, use your browser to go to the known and trusted website by typing in the URL/Web Address yourself.
  4. You can tell where a link is going to take you by hovering over it with your mouse. Don’t click. Hover. If you do this for the link above you will see yahoo pop up in a box by your pointer or in a space at the bottom of your email client or browser. General rule: if the email message is lying to you about where it wants to send you, it is a scam.

As always, forward any e-mails you are unsure about to abuse@bu.edu and then delete them. When forwarding an e-mail to abuse@bu.edu, it is helpful to include the full headers if possible. If in doubt, call the BUMC IT Service Desk at (617) 638-5914 or the IT Help Desk (Charles River Campus) at (617) 353-4357.
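Tip 4 can also be checked mechanically. The following is an added example, not part of the original BU notice: it parses an HTML message body and reports links whose visible text names a different host than the real target, or that leave the domain the message claims to come from. The `bu.edu` trusted suffix, the function names and the sample message are assumptions; the sample is constructed, with its first link taken from the transcript below.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_SUFFIX = "bu.edu"  # assumption: the domain the message claims to be from

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def in_domain(host, suffix):
    # Match the domain itself or a true subdomain, so "bu.edu.example.net" fails.
    return host == suffix or host.endswith("." + suffix)

def audit_links(html_body, trusted=TRUSTED_SUFFIX):
    """Return (href, reason) for links that lie about, or leave, the trusted domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        shown_host = shown.group(1).lower() if shown else ""
        if shown_host and shown_host != target:
            findings.append((href, "text shows %s, link goes to %s" % (shown_host, target)))
        elif not in_domain(target, trusted):
            findings.append((href, "link leaves %s" % trusted))
    return findings

# Constructed sample: link 1 is the URL from this page's transcript, link 2
# shows one address but points to another (tip 4), link 3 is benign.
SAMPLE = """<a href="http://www.123contactform.com/form-353182/Boston-University">THE UNIVERSITY LINK</a>
<a href="http://login.example.net/bu">http://www.bu.edu/tech</a>
<a href="http://www.bu.edu/infosec/">Information Security</a>"""
```

Calling `audit_links(SAMPLE)` reports the first two links and passes the third.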

Transcript of Phishing Scam:

From: Boston University IT Help Center [ithelp@bu.edu]
Sent: Thursday, July 12, 2012
To: IT Help Center
Subject: Boston University IT Help Center – Please Upgrade Today!

Dear Colleague,

Due to congestion in our webmail database, we will be shutting down some unused accounts.

You will need to confirm your account as soon as possible so we can upgrade your account before the deadline.

To Upgrade your account, kindly CLICK THE UNIVERSITY LINK BELOW and fill out the form.

*****************************************************

http://www.123contactform.com/form-353182/Boston-University

*****************************************************

After following the instructions on the sheet, your account will not be interrupted and will continue as normal.

Thank you for attending to this request.

We apologize for any inconvenience.
Thanks and Best Regards, Boston University IT Help Center.
***********************************************************************************
This is an Administrative Message from Boston University IT Help Center! This is not Spam. From time to time, Boston University IT Help Center may send you such messages in order to communicate important information about your subscription.
***********************************************************************************

DO NOT RESPOND to “IMPORTANT NOTICE” phishing message

May 14th, 2012 in Information Security, News

Please do not respond to a recent message that appears to come from the IT Help Center (ithelp@bu.edu) with the Subject “IMPORTANT NOTICE.” Although this message contains BU logos and a sender address that make it seem legitimate, it is a phishing message. To learn more, especially if you did already respond to the message or click on the link it provides, please contact the Service Desk at 617-638-5914 or refer to the page on Spoofed Messages and Phishing.

As always, if you are unsure whether an e-mail is real or if you receive an e-mail message that is abusive or harassing in nature, report it to abuse@bu.edu. If possible, it is helpful to include full headers when forwarding a message.

Security Alert for Microsoft Windows Users and VPN Required for RDP

March 26th, 2012 in Information Security, News

(View the original post from IS&T here)

Summary

Action Required for all Microsoft Windows Users:

  1. If you are running Microsoft Windows and you do not have it set to Automatically Update, you should run Windows Update immediately.  See instructions at www.bu.edu/tech/desktop/virus-protection-security/safe-computing/autoupdate/ and confirm that you have the correct patches using the instructions below on this page.
  2. If you do have Automatic Updates turned on, you should have received the patch last Tuesday and you are all set – no further action is required toward installing it. You can confirm that you are updating automatically by following the instructions at www.bu.edu/tech/desktop/virus-protection-security/safe-computing/autoupdate/.
  3. If you use Microsoft Windows Remote Desktop (RDP) to connect to a BU computer from outside of BU, you will need to connect to the VPN prior to connecting via RDP – login at http://vpn.bu.edu.
  4. If you have set up your system to allow remote access, or if you run a server, see the additional instructions below.

Details

The Problem:

On Tuesday, March 13, Microsoft announced that a critical vulnerability had been discovered in all versions of Windows from XP and up.  This vulnerability affects the Remote Desktop (RDP) feature of Windows.  RDP allows a remote user to connect to the computer and the vulnerability may allow even an unauthorized person to do so.

The Impact:

An exploit has already been released that will cause a Blue Screen of Death on Windows 7 and a Denial of Service on Windows XP.  It is expected that another exploit will soon be released that will allow an attacker to have complete control of the computer.  After that, the next expected step is that a self-replicating worm will be released that will automatically jump from host to host, granting the attacker access to the system and taking any other action the attacker may wish.

The Solution:

Microsoft has released a patch for this vulnerability.  See below for details on installing it.

What IS&T and the IT Partners are doing:

  • IS&T and the IT Partners have been working to install this patch on the servers at BU.
  • Due to the serious nature of this vulnerability, IS&T will be blocking RDP access at the BU firewall within the next few days. This block is necessary because it is common for people to disable the automatic update functionality.  It can reasonably be expected that many systems will remain unpatched for an extended period of time.  If we take no action to block access to RDP through the firewall, exploit code could significantly impact the stable operation of computers at BU or otherwise compromise BU operations or protected information.  (For reference, as of Monday (3/19) there were over 3000 computers at BU that had RDP up and operating.)

Related Instructions

If you never use RDP…:

If you are running a server:

Confirm that you have the correct patches:

Windows 7

  1. Go to Start -> All Programs -> Windows Update -> View Update History and confirm that KB2667402 and KB2621440 are installed


Windows XP
  1. Go to Start -> Microsoft Update -> Review your update history
  2. Confirm that KB2621440 is installed

How to disable RDP if you don’t use it:

Windows 7
  1. Go to Control Panel, click System And Security, and then click System.
  2. On the System page, click Remote Settings in the left pane. This opens the System Properties dialog box to the Remote tab.
  3. To disable Remote Desktop, select Don’t Allow Connections To This Computer.
  4. Also uncheck the Allow Remote Assistance box as shown below and then click OK.

image006

Windows XP
  1. Click System in Control Panel.
  2. On the Remote tab, clear the Allow users to connect remotely to your computer check box, and then click OK.

UPDATE: Symantec Releases Patch for pcAnywhere

February 2nd, 2012 in Incidents, Information Security, News

Last week, Symantec said it was unable to predict when it would complete its patching of pcAnywhere, citing the unpredictability of its investigation and the creation of the necessary fixes.  However, they have now released an update that addresses the security issues we reported earlier this week.  We therefore will not be implementing an inbound filter to 5631/TCP, 5632/UDP on Sunday 2/5 as previously mentioned.

The updates can be manually downloaded from Symantec’s website, or customers can use pcAnywhere’s built-in updating service to retrieve and install the patches.  http://www.symantec.com/business/support/index?page=content&id=TECH179960

Modena also confirmed that customers running versions of pcAnywhere prior to version 12.0 will be offered a free upgrade to 12.5.  “If requested, Symantec will honor an update to version 12.5 for the customer.”

Warm Regards,

-IRT

Information Security Incident Response Team, Information Services & Technology
Boston University
T(617)358-1100
F(617)353-6260
irt@bu.edu

Security Issue with pcAnywhere

January 30th, 2012 in Information Security, News

Due to a security issue with pcAnywhere, we plan to create a new rule to block inbound traffic to ports 5631/TCP, 5632/UDP.  This rule will go into effect on Sunday, 2/5.

If you are using pcAnywhere, please read this message in its entirety.

In a white paper released on 1/23, Symantec revealed that proprietary source code for current versions of its pcAnywhere software was stolen in 2006 and that all users are at risk of attack and should disable the product.

Symantec, in their official report on this event, provides this statement: “Symantec recommends disabling the product until Symantec releases a final set of software updates that resolve currently known vulnerability risks.”

What you should do:

  • For any system that contains Restricted Use information, pcAnywhere must be disabled and alternatives sought.  (For a definition of Restricted Use information, please see the Data Classification Guide, part of the Data Protection Standards: http://www.bu.edu/infosec/policies/data-protection-standards/)
  • For any other system where you are using pcAnywhere and where an alternative solution will work, you should switch to the alternate solutions.  Some possible solutions include:
    1. Windows Remote Desktop (see http://www.bu.edu/tech/security/protect/bestpractice/remote-desktop/ for details)
    2. GotomyPC (security has not evaluated this product and it does have a price tag, so this is not a specific recommendation of this product, but simply an alternative if Remote Desktop will not work)
    3. Avoid RealVNC.  It is known to have significant security issues.
  • Where you (1) have a business critical function (2) on a system not containing Restricted Use information and (3) pcAnywhere is the only solution that will work for that function, you may continue to use it provided you do the following:
    1. Upgrade to the latest version
    2. Update your pcAnywhere configuration as recommended in the white paper from Symantec in the “pcAnywhere Security Best Practices” section, beginning on page 5
    3. Set up your pcAnywhere connection to use different authentication credentials than you use for any other BU system
    4. If you are outside of BU, connect to BU via VPN prior to establishing the pcAnywhere connection
    5. Monitor Symantec’s site for further security information and updates

What we will be doing:

  • As recommended by the vendor, we will be writing a new rule to block traffic coming in to BU using the standard pcAnywhere communication ports: 5631/TCP, 5632/UDP.  This rule will go into effect on Sunday, 2/5.


UIS/HOD Important Information About Java Updates, IE 8

March 28th, 2011 in Information Security, News

Sun Java 6.0.24

As announced in a notification from IBM, Host On-Demand is not supported by Java 6, update 24 and will not work after the computer has been upgraded. If you have upgraded to the most recent version of Java, we recommend downgrading to update 23:

  1. Uninstall Java from your computer.
  2. Download update 23 from Oracle’s website.
  3. Install Java 6.0.23.

Sun Java 6.0.21

When using Java 6 update 21, you will receive a security notification when trying to connect with Host On-Demand.


To remove this warning, named HODAPPlet:

  1. Open your Control Panel.
  2. Click on the Java icon.
  3. Select the Advanced tab.
  4. Choose Security.
  5. For “Mixed code (sandboxed vs trusted) security verification,” choose Hide warning and run with protections.

Sun Java 6.0.15, 6.0.16, and 6.0.17

If you are using Sun Java 6.0 update 15, 16, or 17, Host On-Demand will not install or start in any browser.

As a workaround, the next-generation plug-in can be disabled in the Java control panel.

  1. Open the Java control panel (Start/Control Panel/Java).
  2. Select the Advanced tab.
  3. Select Java plug-in.
  4. Uncheck Enable the next-generation Java plug-in.
  5. Click OK.
  6. A confirmation dialog box will appear. Click OK.
  7. Restart HOD.

Internet Explorer 8

If you are using IE 8, Host On-Demand may not install or start, depending on the version of Sun Java that is installed.

As a workaround, revert back to Sun Java 6.0.14.

  1. Uninstall Java 6.0.15 (or any more recent version, if installed)
  2. Download Java 6.0.14.
  3. Double-click on the 6.0.14 file to install.
  4. Re-install Host On-Demand.

Note: Administrative privileges are required.

“Verify Your BU Account Now” E-Mail is spam – Delete it

January 31st, 2008 in Information Security, News

If you got an e-mail from “upgrade@bu.edu” asking you to supply your email username and email password, it appears to be a phishing scheme. We would *never* ask you to e-mail your password. Please just delete the e-mail.

As always, if you have an e-mail that is suspect, you can call the Service Desk at (617) 638-5419 or forward the e-mail to abuse@bu.edu to verify if it is legitimate.

For more information about phishing e-mails, click here.

Managing Spam at BUMC

April 4th, 2006 in Information Security, News

Many at BUMC are victims of “spamming” attacks and are forced to filter through hundreds of unwanted and inappropriate email daily. While there’s no cure for spam, BUMC IT encourages using SpamAssassin for anyone with a BU email account to minimize its effects. Questions? Contact (617) 638-5914 or bumchelp@bu.edu.

Click here for more information about Information Security.
