Why?security: UVM's Information Security Operations Team answers "Why?"

R Programming Language Vulnerability

A recently disclosed vulnerability in the R programming language could provide attackers with a foothold to execute arbitrary commands on a system running an unpatched version of R. R is a language widely used at UVM by researchers for a variety of tasks, including statistical analysis and data visualization.

This vulnerability has not yet been assigned a severity score, but is tracked as CVE-2024-27322. Given that it appears to be easy to exploit and to have potentially severe consequences, it should be treated as critical at this time. Exploitation requires that attackers alter an R Data Serialization (RDS) file, which can then be included in a publicly available R package. Beyond arbitrary code running inside R itself, any commands executed through this exploit run with the permissions of the user who loaded the package, potentially permitting lateral movement. A good technical summary is available here.

CVE-2024-27322 affects all versions of R prior to 4.4.0. Installations of R should be updated to 4.4.0 or later as soon as possible. In addition, use extreme caution in installing new packages in unpatched instances until an update is possible.
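The advisory turns on one fact: installed R older than 4.4.0 is affected. The following is an added inventory check, not code from the post or from the R project; it parses the banner line printed by `R --version` (e.g. `R version 4.3.2 (2023-10-31) -- "Eye Holes"`) and compares the version as a numeric tuple, which avoids the classic string-comparison mistake where "4.10.0" sorts before "4.4.0". The `R` binary name and the 10-second timeout are assumptions.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed release named in the advisory (CVE-2024-27322 affects everything earlier).
FIXED_VERSION: Tuple[int, int, int] = (4, 4, 0)


def parse_r_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from the first line of `R --version`.
    Returns None when no 'R version X.Y.Z' string is present."""
    m = re.search(r"R version (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Tuple[int, int, int]) -> bool:
    """True when the installed release predates 4.4.0.
    Tuple comparison is numeric, so (4, 10, 0) correctly compares as newer than (4, 4, 0)."""
    return version < FIXED_VERSION


def check_installed_r(r_binary: str = "R") -> Optional[bool]:
    """Run `R --version` on this host (binary name is an assumption) and report
    True = vulnerable, False = patched, None = R not found or banner unparseable."""
    try:
        out = subprocess.run([r_binary, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    version = parse_r_version(out.stdout or out.stderr)
    return None if version is None else is_vulnerable(version)


if __name__ == "__main__":
    status = check_installed_r()
    if status is None:
        print("R not found (or banner not recognised); nothing to assess")
    elif status:
        print("VULNERABLE: R older than 4.4.0 is installed; update before installing packages")
    else:
        print("OK: R 4.4.0 or later is installed")
```

Run it on each host that has R installed (including researchers' laptops, where R is often installed outside central management); a `True` result means the update in the advisory is still outstanding.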

Critical Outlook Vulnerability – Patch ASAP!

On March 14th, Microsoft disclosed a critical security vulnerability that affects Outlook email clients running on Windows. Microsoft has released an update to address this vulnerability as part of this month’s regular updates. ETS has made this update mandatory starting today, so Windows machines that normally receive updates from ETS will receive it right away.

If you are responsible for or have knowledge of any non-managed machines (including personal computers running Outlook), you should ensure this patch is applied to them as soon as possible. Running Windows Update on these machines will apply the full suite of patches that includes mitigation for this vulnerability. The patches may also be downloaded individually at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 (under “Security Updates”).

Microsoft has released a brief technical description of the vulnerability, and Tenable’s narrative of this week’s patch release includes a more detailed description (under “CVE-2023-23397 | Microsoft Outlook Elevation of Privilege Vulnerability”).

Please contact the Information Security Office with any questions.

Expansion of Duo Protections

Dear UVM Community,

As we noted last month, a significant expansion of Duo multifactor authentication will begin on March 13, and will continue over the next few months in multiple phases. We are making this change because the protection of intellectual property as well as personally identifiable information including student records, personnel information, and research data remains a top priority for the UVM information security program.

In accordance with security best practices as well as common practices in peer higher education institutions, we continue to expand the use of Duo Multi-Factor Authentication (MFA). MFA is a proven method for securing access. You are familiar with this method for accessing PeopleSoft and Banner; it is an added measure of security for access to sensitive systems and data.

Consistent with practices in effect at large research universities, ETS plans to expand the use of Duo to include web access to UVM email and all services under the Microsoft 365 umbrella (Teams, OneDrive) effective March 13, 2023. We have engaged our various stakeholder groups, including the Information Security Council and the Educational & Research Technologies Committee to provide input and feedback on our approach. At their suggestion, the use of Duo was expanded at the beginning of the spring semester to include Brightspace, our new LMS, in its early implementation and pilot phases.

This expansion of Duo will affect https://mail.uvm.edu and other Microsoft services like OneDrive and Teams. These changes will become effective for faculty and staff on March 13. These changes will become effective for students one week after commencement in May. Please ensure that you have your MFA device with you at all times including in the classroom, home and office. If you need assistance, please check our Knowledge Base article to ensure you are set up and working prior to the expansion date.

We thank you for participating in these efforts as we continue to improve protections now and in the future for the data that our students and community have entrusted to us.

Simeon Ananou, Chief Information Officer
and the Enterprise Technology Services Team

Everything Old Is New, Again

UVM technology leaders and staff are monitoring the news around emerging global cybersecurity threats as a result of recent sanctions against Russia. We continuously engage with partners across Higher Education and in law enforcement to improve UVM’s defensive posture. As always, though, we need your help, and “the usual advice” is now more important than ever. Please…

…DO remain cautious of attachments and links that arrive via email.

About to click a link? Where does it go? Is the attachment from someone you know, or is it something you’re expecting? If not, and it’s practical to ask the sender via some other channel (phone? Teams?), do that. When in doubt, contact iso@uvm.edu for help. In the business of dealing with lots of attachments? Make sure you’re running current anti-malware protection. Having your devices managed makes this easy.

…DO be suspicious of any message demanding that you “verify your account” or otherwise provoking you with a sense of urgency.

Is the message threatening dire consequences for your digital access to UVM if you don’t act? It may be phishing: a social engineering attack designed to steal your access and your information (or UVM’s). Social engineering is a component of many major intrusions and breaches, and successful phishing makes it easier for attackers to succeed. Don’t make it easy for them to succeed. You can do your part to slow them down by making sure you only ever use your UVM credentials to access legitimate UVM sites. Need help determining what those are? Contact your technical support provider (ETS Client Services or LCOM Technology Services) for more assistance.

…DO be skeptical of unfamiliar errors arising on your computing devices.

Did an unusual error just pop up on your computer or mobile? Does it sound threatening or ominous? Does it contain a “click here for assistance” link or a phone number to call for help? Make a note of the exact error (write it down, take a screenshot, take a photo), and contact ETS Client Services or LCOM Technology Services. If there’s really something wrong, we can help. Sometimes, though, this is the result of “scareware” — an effort to frighten or intimidate you into paying money for snake oil tech support, or worse yet, allowing malicious parties to install software on your computer and remotely control it (see below).

…DO keep your computers and mobile devices up-to-date with the latest patches to operating systems and applications.

Computers run software, and software has flaws. All of it. The best thing we can do to protect ourselves from people trying to turn those flaws to their advantage is update our software when its flaws are found and patched. The operating system (OS) on all computers and mobile devices should be set to automatically update. Ditto all the applications or mobile apps in use. It’s especially important to keep any software that will interact with data from the internet — web browser, email program, productivity apps (we’re betting most of those attachments coming in via email are Word/Excel docs and PDFs), media players — current. Likewise anything you’re relying upon for security; most anti-malware tools rely at least in part on threat information collected by the vendor, so it’s critical to keep feeding that info into those tools as it’s made available. Again, ETS’s computer management is your friend.

…DO NOT allow anyone other than approved UVM support staff to remotely control any computer with access to UVM systems and data.

A “Tech Support attack” is particularly insidious, as it can result in directly granting the attacker access to your computer or mobile device. It generally starts in one of two ways: either they contact you, or you contact them.

In the former case, you get a phone call from someone purporting to be from a well-known company (Microsoft, maybe?) who claims that your computer/mobile has been observed doing something harmful on the internet, and they can fix it for you.

In the latter, an otherwise-innocuous piece of software or web page pops up a serious-looking error designed to prey upon your anxiety. Maybe it says your computer is somehow broken; maybe it claims to have found a terrible virus. But! It offers a way out! “Help” is available if you call the number presented on the screen.

Either way, when they call you or you call them, the person at the other end asks for payment via credit card, and then they frequently require that you install special software on your device in order to fix the “issue”. The cursor moves around, some buttons are clicked, and they assert the “problem” is fixed. In all likelihood, there was nothing wrong. But there is now. The software they wanted installed allows them to remotely control your device and/or copy your private data (or UVM’s private data) off the device so they can sell it or use it to extort money. They may even leave a parting gift of ransomware, adding insult to injury.

…DO ask questions if you’re unsure about an online interaction.

ETS’s Information Security Office exists not only to protect UVM, but to help UVM’s community protect itself. There are no “stupid questions”, and the increased sophistication of modern cybersecurity threats means that anyone could fall prey to attack. We’re here to help and teach, not to judge. Please feel encouraged to reach out with your questions or concerns by emailing iso@uvm.edu.

In this time of heightened tension, let’s act early on anomalies — unexpected “urgent” emails, novel errors, unexplained reboots. It’s easy to write these off as being the same little bumps in the road that have always existed in online life, and most of them are. Spotting the truly important ones is going to require each of us to be on the lookout. Computer did something weird? Check your gut, then get in touch if needed.

OK, there is something new…

Disinformation and misinformation online are a recognized threat at many levels. While differences of opinion and interpretation are the hallmarks of a vibrant intellectual community, there’s no place for bad-faith misdirection and outright lies. Our law enforcement partners have asked for early warning of disinformation and misinformation campaigns observed by our communities, especially in social media platforms. Please reach out to iso@uvm.edu if you observe something concerning in this vein.

When the Attacks Aren’t Just Cyberattacks


ISO intern Josh Baker contributed the “protecting others by protecting ourselves” theme to this article.

Others have eloquently addressed the injustice that is the ongoing Russian aggression against the people and the state of Ukraine; suffice it to say that no one deserves to be subject to physical violence, and we dearly hope that we soon see the Ukrainian people back in their homes and restored to peace, engaged in the challenge that is self-government by democratic means.

We are no experts in warfare here, but it seems that war has long been waged across the combatants’ full spectrum of capabilities. The addition of cyberattacks — whether designed to spread disinformation or destroy/take control of critical infrastructure like power and water supplies — represents a logical (if frustrating) progression of war’s malignancy. Reliable sources indicate that Russia has waged cyberattacks in its current campaign against Ukraine* and, as global governments move to pressure Russia into abandoning that campaign, many citizens (including leaders) are wondering whether Russia will use its cyberarsenal against their country or their organization in response.

* Attributing cyberattacks to a specific source is difficult and fraught with peril. Our recommendations here apply no matter who’s on the offensive.

Here at Why?security we’re almost always writing about how the UVM community can protect itself from online threats. What if, this time, we look at a few cyber hygiene basics in terms of how we can help others?

Protecting others by protecting ourselves

We can do some meaningful work to improve the cyber landscape, each of us making it just a little more difficult for any adversary to succeed in attacking both ourselves and others. Modern cyberattacks may be a study in variety with endless combinations of the old and the new, but there are a few common themes and we as individuals can actually exert control over two of them in particular. Let’s imagine these as two doors, and a cyberattacker must open at least one of them in order to succeed.

Door #1: unlocked, unguarded

Update your software. All of it. Run current versions of your applications. MS Word. Chrome. And your operating systems. Windows. macOS. Android. On all devices in your control. Laptop. Phone. Watch. Thermostat. Why?

All these devices run software, and all software has flaws. Some of these flaws can allow intruders to remotely control the devices, which means some of them can be turned into cyberweapons in an attack against you. Or your school. Or your town government. Or even someone else entirely. Like a country thousands of miles away that’s fighting for its life. Old, outdated software is like a door that’s cracked open and unwatched. Cyberattackers can waltz right through.

We can’t (yet) stop software from having these flaws, but we can address them by applying updates as soon as they’re available. Successful cyberattacks require an unbroken chain of events. Yes: Updating your web browser may just break that chain. And when enough of us do it, we limit the attackers’ options, increasing the chances that they’ll fail and we’ll win.

Door #2: locked, but…

Pay attention to the places you use your passwords. For your UVM NetID, that’s sites whose domain name ends in uvm.edu, and nowhere else.

Your NetID password secures an account that can do lots of things. Things that probably seem innocuous, like sending or receiving email. Email which can spread malicious software. Or try to harvest others’ passwords. Or sign up for a social account to publish disinformation or intimidation. We can be tricked — especially if we’re in a hurry — into giving away our passwords. That’s like having a locked door with someone on the inside letting in anyone who knocks.

Many of us — even those of us who feel confident we can’t be tricked — have a tendency to hurry when under pressure. And maybe skip steps. Like forgetting to check what site we’re on when entering our NetID and password. Attackers capitalize on this very human tendency by making us feel pressured. Your email will be shut off tonight. Your account will be suspended. You ordered this very expensive thing and we’re about to charge your card. And the message looks like it came from someone else at UVM.

Breathe.

Excellent. Now: Check the site you’re on. No uvm.edu? No NetID and password. Use a password manager; many will prompt for an extra confirmation if asked to fill a password into the wrong site. Find yourself at some other website trying to charm — or intimidate — your UVM password out of you? Window: closed. Threatening email: deleted. Chain: broken. We’re winning.

Is this saving Ukraine?

Directly? Maybe not. But if taking these small steps keeps some weapons out of the hands of cyberattackers, then maybe so. Take as many other meaningful, positive actions as you’re able: Make your voice heard, contribute resources, volunteer. But also guard Door #1 and Door #2, because a world where fewer cyberweapons are left lying around for use in conflict is a world where cyberwarfare won’t grow unchecked. And that’s meaningful too.

BOLO: COVID-themed Attacks

As COVID-19 continues to dominate the news cycle and daily life, the UVM Information Security Office would like the community to Be On the Look-Out (BOLO) for cyber criminals using COVID-19 as a theme for phishing emails, scams, and other attacks on the security of your information and that of the University.

These attacks could take the form of:

  • phishing emails regarding online learning or telecommuting, potentially providing a link to log in to an “online learning portal”;
  • fraudulent donation sites;
  • news hoaxes;
  • messages that look like they come from officials (such as WHO representatives or Red Cross workers) and ask for personal information or donations.

Remember: Be wary of any email or message that urges you to take swift action, plays on your fears, or involves money. Be skeptical of “UVM” communications coming from outside of the UVM community and remember not to enter your NetID credentials on non-UVM websites.

More information on these types of phishing attacks can be found at https://www.helpnetsecurity.com/2020/03/09/coronavirus-scams/ and more information on UVM’s response to COVID-19 can be found at https://go.uvm.edu/covid19.

Windows 7 Advisory

This post is part of a series contributed by the ISO’s 2019-2020 student intern Emily Connolly, ’20.

On January 14th, 2020, Microsoft support for Windows 7 will end, which means that version of Windows will no longer receive patches to fix bugs or security flaws.

Why is this happening?

End of life is the term used by Microsoft when they no longer support a system or service, often because it has become outdated. With the arrival of Windows 10, Microsoft began phasing out mainstream support for Windows 7 in January of 2015.

How does this affect me?

Failing to update to Windows 10 and continuing to run Windows 7 can leave users vulnerable to cyberthreats. With no more patches or updates to fix bugs and vulnerabilities, hackers can exploit these security flaws. Even if Microsoft or its users discover additional security flaws in Windows 7 after January 14th, it is likely that they will not be patched. Some attackers may even be sitting on zero-days (security flaws that are known but have no patch) and waiting for the system’s end of life before exploiting them.

Updating your machines to Windows 10 will mitigate this risk.

How do I know which version of Windows I’m running?

By searching for “system information” in your start menu, you will be directed to a window with information on your system, including what version of Windows you’re running under “OS Name.”

What should I do now?

If you haven’t yet updated to Windows 10, it is important to do that in the coming weeks before the Windows 7 end of life. Encourage your friends, classmates, and your co-workers to do the same. If you are unable to upgrade, keep a close eye on your machine for unusual behavior in the weeks following the Windows 7 end-of-life and keep your anti-virus and security software up to date.

Help!

For more information or help upgrading to Windows 10, please visit or contact UVM’s Tech Team at tech.team@uvm.edu or www.uvm.edu/it/help.

“DUO” the Necessary Steps to Protect Yourself!

Enabling Multifactor Authentication

This post is part of a series contributed by the ISO’s 2019-2020 student intern Emily Connolly, ’20.

What is multifactor authentication? How do I use the DUO app? How do I lock down my passwords? If these questions keep you up at night, read on. If not, read on anyway; it’s important knowledge to have.

Multifactor authentication (MFA) is the practice of having two or more methods of verifying your identity when logging into an account. Entering your password is one method of verification, and others may include a text sent to your phone with a code, a security question, or even biometrics, like your fingerprint.

MFA types fall into three major categories: something you know, something you have, something you are.

A password or a security question is something you know. It doesn’t change often and is a piece of information that can be leaked or stolen. However, the second piece of authentication requires something you have (a one-time code) or something you are (a fingerprint) to proceed. These are much harder for an impostor to obtain without physically stealing your phone or stealing one of your fingers (in which case you’d have much bigger problems).

You’ve probably used multifactor authentication before—Google accounts often enforce it when you’re logging in on a new device.

Multifactor authentication helps protect your account by setting up several ways to verify that it’s really you logging into your account. That way, even if someone cracks your password, there is another, tougher layer of security for them to get through.

Multifactor Authentication at UVM

Here at UVM, some resources are protected by DUO Multifactor Authentication. With this tool and the free smartphone app, users complete a one-time verification alongside their login credentials. This verification can be a push notification from the app (the easiest method), or the six-digit code displayed in the app. A code can also be sent as a text message or delivered through a landline phone call, and users can generate a list of codes in advance to use when offline.

This method adds a second step to the login process and thwarts would-be attackers who may have your password, but do not have access to your phone. Multifactor authentication protects you, your information, and the University’s information.

However, beware if you receive a request in your DUO app that was not sent by you.  Sometimes, users can get a request and know they did not send a push notification to their mobile device (tablet or mobile phone). Denying the request is your best option; it could be someone else attempting to gain access to your account.

More information

To learn more about multifactor authentication here at UVM you can visit https://www.uvm.edu/it/kb/article/duo-multi-factor-authentication or read the Duo FAQ at https://www.uvm.edu/it/kb/article/duo-faq. We also made another blog post back in 2016 on the matter, which you can read here.

Go Phish!

Defeating phishing emails and securing your inbox

This post is part of a series contributed by the ISO’s 2019-2020 student intern Emily Connolly, ’20.

It’s 8am on a Monday morning. You pour yourself a cup of coffee and open your laptop to read all the emails you’ve been putting off since Friday afternoon.

This is you.

When you open your mail inbox, this message is waiting:

“Oh no!” you think. “Have I not been getting my emails? What does this mean?”

Hmm. Now this is interesting.

Before doing anything, however, it’s important to consider the threat of a phishing scam: an attempt to steal your UVM credentials (your NetID and password). A phishing scam often comes in the form of an email, perhaps one asking you to enter your UVM credentials or offering a well-paying part-time job from a professor working overseas.

Oftentimes, phishing scams will try to play off your emotions, such as a mail message threatening to delete your account, the idea of an easy side job, or a compromised UVM NetID. The goal is to get you to act fast, entering your UVM credentials to solve the problem quickly without noticing the signs that the email you received isn’t actually legitimate.

It’s time to be a detective!

Here are some things to look for when you see a suspicious message:

  1. Check the email subject. Has it been left blank? Is it vague? Does it use a “scare-tactic” to get you to act fast? Do you feel pressured?
  2. Who is it being sent by? Is it not a UVM email? Is it someone you don’t know? If it is someone you know, is it a strange request for them to have?
  3. Where are the links going to? Any email that asks you to enter your UVM password on a non-UVM web site is a phishing scam. UVM will never ask you to enter your UVM NetID and password on a non-UVM web page—even if it looks like a UVM page, and even if it’s on a reputable site, such as Google Docs, or if it contains UVM graphics and you’ve been directed there by an email that appears to come from a UVM email address. Remember: The UVM Tower logo or any related graphic is not a guarantor of legitimacy.

For example, this email here is directing users to a Weebly site, and by mousing over the link, you can see where the link will take you without clicking.

  4. Does the email have strange capitalizations or odd grammar and spelling? Is there no greeting or sign off? Does the signature not match the email sender?
  5. Is money involved? Do they want me to help them pass checks or move money with the promise of payment afterward?

This email here contains the strange formatting and the promise of money. It’s a scam!

  6. Ask your friends. Does the email seem like a scam to them? Sometimes, taking a step back from the situation can help you think more clearly.

“Harold, that’s not from UVM! They’ll never ask for you to enter your credentials on a non-UVM page!”
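Both the "Door #2" rule earlier on this page (only enter your NetID on sites whose domain name ends in uvm.edu) and step 3 above (look where a link really goes, not where it says it goes) come down to the same check. The block below is an added example, not code from the ISO or from any UVM system: `is_uvm_site` applies the domain-suffix rule to a parsed URL, and `flag_links` scans the links in an email body and marks any whose visible text claims a uvm.edu address while the real target is elsewhere. The sample email HTML and the `example.net` hosts in it are constructed.

```python
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

TRUSTED_SUFFIX = "uvm.edu"   # the rule from the post: uvm.edu and its subdomains only


def is_uvm_site(url: str) -> bool:
    """True only when the URL's host is uvm.edu or a subdomain of it.
    Parsing first (rather than searching the string for 'uvm.edu') defeats the usual tricks:
    'uvm.edu' in the path, in userinfo before an '@', or as a prefix of a longer domain."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def flag_links(html: str) -> List[Tuple[str, str, str]]:
    """Return (href, text, verdict) per link. Verdicts: 'uvm' (target is a UVM site),
    'mismatch' (text mentions uvm.edu but the target is not UVM: the classic phish),
    'external' (plainly goes elsewhere)."""
    collector = _LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        if is_uvm_site(href):
            verdict = "uvm"
        elif TRUSTED_SUFFIX in text.lower():
            verdict = "mismatch"
        else:
            verdict = "external"
        results.append((href, text, verdict))
    return results


# Constructed sample message: one genuine link and three lookalikes.
SAMPLE_EMAIL = """
<p>Your mailbox is over quota. Re-validate at
<a href="https://uvm-login.example.net/">https://www.uvm.edu/account</a></p>
<p>Help: <a href="https://www.uvm.edu/it/kb">UVM Knowledge Base</a></p>
<p><a href="https://www.uvm.edu.example.net/login">Verify your account</a></p>
<p><a href="https://www.uvm.edu@example.net/">uvm.edu portal</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict in flag_links(SAMPLE_EMAIL):
        print(f"{verdict:9s} {text!r:35s} -> {href}")
```

The second and fourth links are exactly what "mousing over the link" reveals: the text reads like a UVM address, the target is not. The third shows why "contains uvm.edu" is not the same as "ends in uvm.edu", since `www.uvm.edu.example.net` is a subdomain of `example.net`, not of UVM.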

If you’re at all unsure about the legitimacy of a message, you can contact the Computing Help Line at 656-2604, or submit a help request online. You can also contact the party involved directly by mailing the organization or office the email purports to be from, but not by replying to the suspicious email. Instead, use the email address you have on file for the organization or the one they display publicly on their website.

You can also report phishing emails by forwarding the phishing email with full headers to abuse@uvm.edu. (To forward a message with headers, please see https://www.uvm.edu/it/kb/article/forwarding-full-mail-headers)

What to do if you’ve fallen for a phishing scam

Time to call the UVM Computing Helpline!

If you’ve followed the link in the message, or replied to this email or one like it, you should change your password immediately at www.uvm.edu/account. Contact the UVM Computing Helpline if you need assistance changing your password. You should also change any similar passwords to your UVM password.

More info

For more information about phishing scams, view our Web page on protecting your NetID and password

Yahoo! You’re now ready to conquer the inbox!

Protecting Your NetID Password

You’ve probably heard by now that UVM has been subject to a computer system intrusion that has the potential to result in the malicious use of UVM NetIDs and passwords. Here’s the crux of the announcement:

The University has no indication that personally identifiable information has been accessed or compromised. Nonetheless, the University is taking the proactive step of requiring that ALL passwords be changed immediately and no later than 4:30 PM on Thursday, May 24.  Accounts with passwords that have not been changed by this time will receive an additional notification, will have their passwords expired, and a change will be required before the account can be used again.

Ongoing monitoring of the University’s computer systems resulted in early detection of this system intrusion, which improved our ability to implement protection and mitigation strategies. The University continues to work with law enforcement and information security experts to investigate and address the intrusion.  Users are asked to be extra vigilant with their computer use and report any suspicious activity to abuse@uvm.edu.

For more information you can read the full announcement and an up-to-date FAQ.

While no one likes maintaining passwords, they remain an important part of the security infrastructure at UVM and our peer institutions. We’ve recently implemented Multifactor Authentication for access to our most sensitive services, such as PeopleSoft, VPN (Virtual Private Network), and Virtual Desktop Infrastructure, and we may protect more systems with MFA in the future. Even with MFA in place and our strong password standards, you can help protect yourself and the University by following these guidelines:

  1. The longer the password, the more difficult it will be to crack. UVM NetID passwords are required to be at least 12 characters long, but longer is better. You can even use a phrase, or a string of random words, e.g. ‘owls are my favorite flying Things.’, or ‘house caterpillar verify peanut’.
  2. The more character sets used, the more secure the password. Different character sets include:
    • upper case letters (A B C D)
    • lower case letters (a b c d)
    • numbers (1 2 3 4)
    • punctuation or other symbols (! @ # $)

    UVM NetID passwords require at least two different character sets, but more is better.

  3. The more complex a password is, the more difficult to guess. Complex passwords are:
    • not based on single words found in the dictionary, in any language
    • not words spelled backwards, common misspellings or abbreviations
    • not sequences (12345678) or repeated characters (22222222)
    • not common mathematic sequences and series like Fibonacci numbers, Pi, or prime numbers
    • not keyboard layout sequences (QWERTYPOIU, qazwsxedc or similar)
    • not dates like birthdays or anniversaries
    • not personal information like names of friends, relatives, pets or children
    • not another unique identifier like your Social Security Number, student ID number, bank PIN, driver’s license number or passport number

An ideal password is one that is easy for you to remember, impossible for a human to guess, and more difficult for a computer to crack. While UVM stores passwords in a strongly encrypted form, attackers could potentially leverage the computational power of botnets and modern supercomputers to crack weaker passwords with relative ease.

Using a string of random words is a great alternative to remembering a string of gibberish (or choosing a weak password):

Image: xkcd—a webcomic of romance, sarcasm, math, and language (Creative Commons BY-NC 2.5)

A few other tips:

  1. Use a password keeper. You’ll only need to remember your master password, and most password keepers can generate strong passwords for you that you won’t need to remember. Many password keepers integrate with your web browser so you don’t even need to type the passwords to use them. Among the password keepers used by IT staff at UVM are LastPass, Dashlane, KeePass, and 1Password. While we don’t support or endorse a specific password keeper at this point, they represent a mature technology that is reliable, secure, and convenient.
  2. Don’t use your UVM password anywhere else. This is the main reason we require annual password changes: if another password database has been breached (such as those at Yahoo!, eBay, and Adobe) and users have used the same password there that they do at UVM, eventually the attackers will discover that they have working UVM credentials.
  3. No passwords on sticky notes! (No, really. It’s 2018.)
  4. Take steps to protect yourself from malware and phishing scams. Keylogger malware, which captures your keystrokes and passes them along to malicious actors, is a common source of compromised credentials. Keep your antivirus software up to date and don’t visit any dubious websites. Be sure to check the URL bar of your browser any time you’re entering your UVM credentials into a website (even if it looks familiar); make sure you’re always at uvm.edu/.
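The three numbered guidelines above (length, character sets, complexity) and the "string of random words" suggestion can both be made concrete. The following is an added example, not UVM's actual password checker or any password keeper's code: `check_password` reports which of the post's rules a candidate breaks, and `random_words_passphrase` builds a passphrase of the recommended kind from a cryptographically secure random source. The tiny wordlist, the keyboard-walk strings and the five-character window are constructed for the demo; a real checker would load a full dictionary.

```python
import secrets
from typing import List, Set

# Constructed mini dictionary (a deployment would load a full wordlist, in several languages).
WORDLIST = ["house", "caterpillar", "verify", "peanut", "password", "summer",
            "owls", "favorite", "flying", "things", "vermont", "catamount"]
# Keyboard rows and a column walk (qazwsx...), matched forwards and backwards.
KEYBOARD_WALKS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
                  "qazwsxedcrfvtgbyhnujmikolp"]
MATH_SEQUENCES = ["314159", "112358", "235711"]   # Pi, Fibonacci, primes


def char_classes(pw: str) -> Set[str]:
    """The post's four character sets; anything that is not a letter or digit
    (including a space) counts as punctuation/other symbol."""
    classes = set()
    for c in pw:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def _is_straight_run(s: str) -> bool:
    """True for strings like 12345678 or abcdefgh where every step is +1 or every step is -1."""
    if len(s) < 2:
        return False
    deltas = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return deltas in ({1}, {-1})


def _has_keyboard_walk(pw: str, width: int = 5) -> bool:
    """True if any `width`-character window of the password lies on a keyboard walk."""
    low = pw.lower()
    for walk in KEYBOARD_WALKS:
        both = (walk, walk[::-1])
        for i in range(len(low) - width + 1):
            window = low[i:i + width]
            if any(window in w for w in both):
                return True
    return False


def check_password(pw: str) -> List[str]:
    """Return the names of the post's rules that `pw` violates (empty list = acceptable)."""
    failures = []
    if len(pw) < 12:
        failures.append("length")
    if len(char_classes(pw)) < 2:
        failures.append("charsets")
    letters = "".join(c for c in pw if c.isalpha()).lower()
    if letters and (letters in WORDLIST or letters[::-1] in WORDLIST):
        failures.append("dictionary")          # single word, or spelled backwards
    if len(set(pw)) == 1:
        failures.append("repeated")            # 22222222
    if _is_straight_run(pw):
        failures.append("sequence")            # 12345678, abcdefgh
    if _has_keyboard_walk(pw):
        failures.append("keyboard")            # QWERTYPOIU, qazwsxedc
    digits = "".join(c for c in pw if c.isdigit())
    if any(seq in digits for seq in MATH_SEQUENCES):
        failures.append("math")                # Pi, Fibonacci, primes
    return failures


def random_words_passphrase(n: int = 4, words: List[str] = WORDLIST) -> str:
    """Build a 'string of random words' passphrase with the secrets module (not random)."""
    return " ".join(secrets.choice(words) for _ in range(n))


if __name__ == "__main__":
    for candidate in ["Password1", "qwertyuiop12", "owls are my favorite flying Things."]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    print("suggested passphrase:", random_words_passphrase())
```

Note what the checker does not do: it never judges a password by guessability alone. A generated passphrase passes every rule here because it is long and random, which is the post's point; the character-set and complexity rules exist to catch the short, human-chosen passwords that cracking tools try first.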

 

 

Skip to toolbar