Information Security Archives - Page 4 of 13 - Office of Information Technology

Crypto Locker Holds SJU Files Hostage

By In Information Security October 14, 2013

As was mentioned in a recent IT Alert, numerous campus computers were infected with a very serious, destructive piece of malware called “Crypto Locker”.

Wikipedia defines malware as “software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.^[1] It can appear in the form of code, scripts, active content, and other software.^[2] ‘Malware’ is a general term used to refer to a variety of forms of hostile or intrusive software.^[3]

Malware includes computer viruses, ransomware, worms, trojan horses, rootkits, keyloggers, dialers, spyware, adware, malicious BHOs, rogue security software and other malicious programs; the majority of active malware threats are usually worms or trojans rather than viruses.^[4] In law, malware is sometimes known as a computer contaminant, as in the legal codes of several U.S. states.^[5][6] Malware is different from defective software, which is a legitimate software but contains harmful bugs that were not corrected before release. However, some malware is disguised as genuine software, and may come from an official company website in the form of a useful or attractive program which has the harmful malware embedded in it along with additional tracking software that gathers marketing statistics.”

What does it do?

Crypto Locker is a very specific type of malware known as RansomWare that does exactly what the name implies, it holds you ransom. Computers infected will immediately begin encrypting files on local disk drives as well as network drives, such as your J: and S: drives, with a private key that is only known by the malware. When any such file is accessed, a popup window is displayed (as shown) informing you that it was encrypted and that the only way to get them unencrypted is to pay the perpetrators $300.

What should you do if you find that you are infected?

If you receive the message above, you should immediately turn the computer off. Then, if you have a laptop, bring it to the Technology Service Center (TSC) in SC 129. If you have a desktop, contact the TSC at 610-660-2920 to arrange a pickup. IT specialists need to run various software utilities to remove the malware completely from the computer. Note: IT will have to hold your computer for several hours, if not days, due to the complexity of removing Crypto Locker as well as the volume of systems that are infected at this time. Plus, due to the limited supply of loaner systems, we cannot guarantee that one will be available to everyone who requests a loaner.

What is OIT currently doing about it?

At this time, OIT staff members are doing many things to limit the effects of the malware, fix the systems that are infected, and prevent any further spreading. This includes:

Cleaning all infected systems on a one-by-one basis as they are identified.
Disabling access to network shared drives, typically mounted as the S: drive, in order to prevent further damage to files residing on those drives.
Implementing stronger measures on the SPAM-filtering software to reduce the number of malicious ZIP files delivered to individual mailboxes. We are currently blocking over 98% of them.
Working with our Anti-Virus software vendor, Symantec, to determine a better means of cleaning up infected systems and preventing further infections.
Scanning the network for additional systems that may be infected.
Implementing additional Windows security policies to help prevent it from spreading further. Note: We recommend that all Windows users restart their computer as soon as possible to ensure that these new policies take full effect.

What are the plans for moving forward?

Once we are reasonably sure that the infection has been fully contained and no further spread is possible, we will start addressing means of restoring access to share drives and fix the files that have been affected. At this time, there is no known method of unencrypting files. The only method of restoring access to these files is to restore them from a backup. Unfortunately, if the backup is also compromised or the file is too new to be part of a backup, there is no way for it to be restored.

How did the computers get infected?

We believe that the primary way computers on campus got infected with Crypto Locker is by people opening an attached ZIP file within a fraudulent e-mail message. Over the past few days, several such messages have been sent to numerous SJU faculty and staff and we have linked the infections with a number of these messages. Below is one such example of a fraudulent message that has been linked to this malware outbreak.

It has been reported that other methods of infection include clicking on malicious links on websites and in social media tools, but we have not verified that at this time.

What can you do to avoid being infected?

First, you should NEVER, EVER open an attachment sent from someone you do not know, even if it appears to be someone from SJU. In the example above, the message appears to be coming from someone named “Deon Tillman” with e-mail address “deon@sju.edu”. But if you were to look this person up in a University Directory (which is available at http://www.sju.edu/directory), you would find that this person does not actually exist, at least at St. Joe’s. We highly recommend that everyone do this for any such messages.

Second, look at who the message is sent to in the To: field. Looking at the same example above, it shows as being sent to someone else. This is usually a tell-tale sign of a fraudulent message. If you receive a message that is not addressed to you or a well-known distribution list (such as a departmental list like oit@sju.edu) you should NOT open it.

Are we the only ones being affected?

No, this seems to be a well-established scam that has hit many other universities, corporations, and government agencies. The perpetrators are doing so well that they’ve upped their ransom from $100 to $300 since they first started and are rumored to be generating over $300,000 a month from the scam. Below are some news stories and web posts that we’ve found about Crypto Locker and various incidents of it:

If you have any questions or concerns, please contact the Technology Service Center at techhelp@sju.edu or x2920.

Resurgence of Virus Problems on Campus

By Olivia In Scam/SPAM Email, Tech News on Hawk Hill October 9, 2013

Over the past few weeks, IT has seen some extremely bad virus infections on campus. As a result, we made modifications to our antivirus software, Symantec Endpoint Protection. This update was sent to all campus computers last night. Please keep in mind that if you do not know the sender of an email, you should not open any attachments in the email. By opening a file from an unknown sender, you not only jeoparde your computer’s data, but could possibly infect campus network drives, in turn infecting shared data. At this time, IT has completed full virus scans and removal of the virus from infected computers. As an employee, you play a significant part in making sure you are diligent about what you open and share on your computer. If you receive an email you are uncertain of, please contact the TSC.

More information on this particular virus can be found here.

Spam Email: October 8, 2013

By Olivia In Scam/SPAM Email October 8, 2013

To: undisclosed-recipients:
Subject: WARNING: ITS HELPDESK (ACT FAST)

Attention Faculty & Staff:

You have reached the storage limit for your Mailbox.
Please visit the following link to your e-mail access restore.

Copy or Click:
http://eznet5.com/forms/form1.html

192.168.12
System Administrator.
WARNING! Protect your privacy.
Logout When You Are Done And Completely.
Technology & District Records Supervisor

Spam Email: October 3, 2013

By Olivia In Scam/SPAM Email October 3, 2013

From: USPS Express Services [mailto:service-notification@usps.gov]
Sent: Thursday, October 03, 2013 9:44 AM
To: js604887@sju.edu
Subject: USPS – Your package is available for pickup ( Parcel 641123814215
)

The courier company was not able to deliver your parcel by your address.

Cause: Error in shipping address.

Label: 641123814215

Print this label to get this package at our post office.

Please attention!
For mode details and shipping label please see the attached file.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you,
UPS Logistics Services.

CONFIDENTIALITY NOTICE:
This electronic mail transmission and any attached files contain
information intended for the exclusive use of the individual or entity to
whom it is addressed and may contain information belonging to the sender
(UPS , Inc.) that is proprietary, privileged, confidential and/or
protected from disclosure under applicable law. If you are not the
intended recipient, you are hereby notified that any viewing, copying,
disclosure or distributions of this electronic message are violations of
federal law. Please notify the sender of any unintended recipients and
delete the original message without making any copies. Thank You

Mobilizing Cyber Security.

By In Information Security October 2, 2013

As our lives become more dependent upon instant communication, a growing number of people are purchasing some type of mobile device allowing on the spot Internet access. In “The mobile web in numbers,” Royal Pingdom offered the following statistics regarding mobile devices and the massive amount of data trafficked and consumed by their users:

5.9 billion – The estimated number of mobile subscriptions worldwide in 2011.
13% – The smartphone share of all mobile handsets in use worldwide.
78% – The percentage of worldwide mobile data traffic that is consumed by smartphones.
1.6 billion – Number of mobile devices sold to end users in 2010, an increase of almost 32% compared to the year before.
19% – The percentage of worldwide mobile devices sold that were smartphones.
472 million – Number of smartphones estimated to be sold worldwide in 2011.
982 million – Estimated number of smartphones to be sold in 2015.
80% – The share of devices accessing mobile websites that have a touchscreen.
50 million – The number of people worldwide who have a mobile phone but that do not have electricity at home. In other words, mobile access has further reach than electricity.

In addition, they went on to cite the following statistics for mobile web browsing:

11.7% – Percentage of web users in China that exclusively use a mobile device to access the web.
140 million – Number of people that used the Opera Mini browser in October 2011.
86.2 billion – Number of pages served By Opera Mini.
12.7 petabytes – Amount of operator data that was compressed for Opera Mini users.
6.95% – Mobile’s share of global web browsing stats in November 2011.

With numbers like this, it’s easy to see how important it is for consumers to protect themselves when accessing the Internet from some form of mobile device. In a report entitled “Today’s Mobile Cybersecurity Protected, Secured and Unified,” CTIA, The Wireless Association suggests adhering to the following practices :

Configure Devices to Be more Secure – Smartphones and other mobile devices have password features that lock the devices on a scheduled basis. After a predetermined period of time of inactivity (e.g., one minute, two minutes, etc.) the device requires the correct PIN or password to be entered. Encryption, remote-wipecapabilities and – depending on the operating system – anti-virus software may also serve to improve security.
“Caveat Link” – Beware of suspicious links. Do not click on links in suspicious emails or text messages as they may lead to malicious websites.
Exercise Caution Downloading apps – Avoid applications from unauthorized application stores. Some application stores vet apps so they do not contain malware. Online research on an app before downloading is often a sound first step.
Check Permissions – Check the access (i.e., access to which segments of your mobile device) that an application requires, including Web-based applications, browsers and native applications.
Know your Network – Avoid using unknown Wi-Fi networks and use public Wi-Fi hot spots sparingly. Hackers can create “honeypot” Wi-Fi hot spots intended to attract, and subsequentlycompromise, mobile devices. Similarly, they troll public Wi-Fi spots looking for unsecured devices. If you have Wifi at home, enable encryption.
Don’t Publish your mobile Phone Number – Posting your mobile phone number on a public website can make it a target for software programs that crawl the Web collecting phone numbers that may later receive spam, if not outright phishing attacks.
Use your Mobile Device as it Was Setup – Some people use third-party firmware to override settings on their mobile devices (e.g., enabling them to switch service providers). Such “jailbreaking” or “rooting” can result in malware or malicious code infecting the mobile devices.

Remember that while mobile devices such as smartphones provide convenience and ease of access to the Internet and the vast warehouse of data it contains, they also provide yet another opportunity for Cybercriminals to strike.

SPAM EMAIL: Friday, September 27th, 2013

By rmayer In Scam/SPAM Email September 27, 2013

All,
This email was sent out to several users in the community. This IS NOT a legitimate email from SJU OIT. Even though it references zmail.sju.edu, the sender is NOT an sju.edu address, does not have our standard heading or signature. PLEASE DO NOT CLICK THE LINK. If you have questions, please contact the TSC at x2920.

________________________________________________________________________________________________________

From: “Patricia Rissmiller” <patricia.rissmiller@simmons.edu>
Sent: Friday, September 27, 2013 12:05:23 PM
Subject: Upgrade Alert

You have exceeded your zmail.sju.edu quota limit of 500MB and you need to expand the zmail.sju.edu quota before the next 48 hours. If you have not updated your zmail.sju.edu account in 2013, you must do it now. You can expand to 10GB zmail.sju.edu quota limit.

Click on the link below to upgrade your account: LINK REMOVED

Thanks for your understanding.

NCSAM: Celebrating 10 Years of Cybersecurity Awareness

By In Information Security September 25, 2013

This October marks the 10^th anniversary of National Cybersecurity Awareness Month (NCSAM). Sponsored by the Department of Homeland Security and the National Cyber Security Alliance, NCSAM has helped educate online consumers and businesses about cybersecurity issues and the best practices for avoiding them.

As a growing number of consumers turn to online shopping as their primary means of doing business, the number of cybercrimes – and the financial impact of those crimes – continues to rise; and the numbers are staggering.

According to the October 2011 issue of Practical Commerce, in the second quarter of 2011, an estimated 170 million US consumers purchased something online, resulting in approximately 539 million transactions.

Another article published in Internet Retailer on May 10, 2013 states that consumers spent 50.2 billion dollars online in the first quarter of this year alone.

The US Government, in its 2012 IC3 Report, cites 289,874 complaints of cybercrime, with over 114,000 of those reporting a financial loss averaging $4573.00. Projected worldwide, as Norton did in its 2012 Cybercrime Report, it’s estimated that 556 million people per year (1.5 million per day) experience some form of cybercrime. And while the total loss per person averages out to $197.00, the total global loss is reported in the neighborhood of 110 billion dollars. Clearly, the Internet commerce financial pie is a large one; and everyone seems to be looking for a piece of it.

As technology continues to advance, so do the tactics of those seeking to gain your personal information. The National Cyber Security Alliance, on its StaySafeOnline.org website, suggests observing the following practices in order to ensure your personal – and financial – safety while online:

Keep a Clean Machine: Having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats.
When in doubt, throw it out: Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or if appropriate, mark as junk email.
Protect all devices that connect to the Internet: Along with computers, smart phones, gaming systems, and other web-enabled devices also need protection from viruses and malware.
Plug & scan: “USBs” and other external devices can be infected by viruses and malware. Use your security software to scan them.

Those wishing to know more about NCSAM and suggested best practices can check out StaySafeOnline.org for further details.

Spam Email: September 25, 2013

By Olivia In Scam/SPAM Email September 25, 2013

From: “IT OFFICE” <aheckma@lps.org>
Sent: Wednesday, September 25, 2013 7:55:36 AM
Subject: Maintenance Alert.

Take note of this important update that our new web mail has been improved with a new messaging system from Zimbra which also include faster usage on email, shared calendar, and web documents. Please use the link below to complete your update for our new zimbra improved web mail.

http://houtmaiil.allalla.com/index.html TO UPDATE.

Regards,
sju.edu IT/Helpdesk Member Services

Spam Email: September 9th, 2013

By Olivia In Scam/SPAM Email September 9, 2013

Recently, we’ve seen a number of emails informing SJU employees that they are over their email quota. These are not legitimate SJU emails and should be deleted. These messages tend to tell you to click a link and provide personal information such as a password. While we work actively to keep as many of these messages from reaching you as possible, it is important to remember that the Office of Information Technology will never send out a message asking for anyone’s password via e-mail, over the phone or in person. IT receives many spam/phishing attempts on a daily basis. Technology Service Center staff always posts information regarding the latest phishing attempt on the IT Blog located at sites.sju.edu/oit

If you have already responded to one of these scams, you must immediately change your password from the “Forget/Reset Password” link in the gray login box located at http://my.sju.edu. You should also notify the TSC at techhelp@sju.edu or 610-660-2920 so that IT can determine if your account has been compromised in any way. This is a very serious matter. A single compromised account could jeopardize the security of all SJU members. So we ask that you do your part by keeping your password private.

A good way to know that an e-mail is fake and not from SJU IT is to remember that employees of SJU will never ask you to provide your User Id and Password via email. When the Saint Joseph’s University Technology Service Center sends out a message to the community, it will come from the email address tscstaff@sju.edu. The message will also have the SJU Office of Information Technology header at the top and usually contain “IT Alert or IT Outage” in the subject line. There is also a standard TSC signature that concludes the IT Alert or IT Outage emails.

Maintaining the security and integrity of the university’s technology resources is a responsibility shared by every member of the community. Your attention to this serious matter is greatly appreciated.

If you have any questions, please contact the TSC at x2920.

Spam Email: Thursday, August 29th

By Olivia In Scam/SPAM Email August 29, 2013

Please be aware that if you received the following email, it should be deleted:

Your mailbox is almost full.

20GB		23GB
Current size

Your mailbox is almost full (CLICK HERE

) Update it now

Thanks

HELP DESK

The Office of Information Technology will never send an email of this nature. If you are ever unsure about the origin of an email, please contact the TSC at techhelp@sju.edu or 610-660-2920.