Computer Security

Why Computer Security Affects YOU

Computers today are an integral part of day to day campus life. E-mail and instant messages are heavily used for communications. University administrative business processes depend upon computer automation, record keeping, and dependable, confidential, and quick access to reliable information. The university's academic processes make use of computers for classroom presentations, lab demonstrations and simulations, and online research. For many of us, computers are also used frequently in our private lives.

We all have a vested interest in ensuring that our computing infrastructure continues to operate reliably and that it preserves the confidentiality and integrity of the information it handles - both our own and that of those we serve. Our JMU network is made up of over 15,000 computing devices. Each and every device contributes to our network's security. Each and every operator of those devices has a necessary and important part in preserving the integrity of our network, just as every citizen has a necessary and important part in preserving a society.

Each and every day, some of the 600 million people on the Internet are reaching out and touching our computers in attempts to violate our privacy, use our resources, dupe us into helping them perform a crime, or steal information. Every one of the 15,000 or so computers on the JMU network is an attractive target for criminals. Serious crimes have been committed on, by, and through five year old laptops.

"The people of the world have granted control of their existence to computers, networks, and databases. You own property if a computer says you do. You can buy a house if a computer says you may. You have money in the bank if a computer says so. Your blood type is what the computer says it is. You are who the computer says you are." How to Own an Identity

Do you think your computer isn't an attractive target for criminals? Think again:

And while setting up a computer and operating it in a more secure manner may sometimes be confusing, frustrating, and inconvenient, some simple steps can help prevent not only crimes against the network at large, but also personal losses:

The resources found here will hopefully help provide an understanding of the threats we face and the steps we can take to protect both ourselves and the rest of the JMU computing infrastructure.

Current Hot Topics


Critical Adobe Reader/Acrobat Security Update Needed ASAP ( 11/11/08 )

Several security defects were recently discovered in the popular Adobe Reader and Acrobat software products used to handle PDF documents. The software is likely installed on most computers. Malicious web sites are already exploiting these defects to infect visiting computers.

Windows, Macintosh, and Linux platforms are all affected.

JMU IT managed desktops ( those in the JMU IT domain ) will have the security update installed in the near future, as soon as testing is complete.

Operators of other computers should download and install the latest security update for the Adobe software ASAP at home and at work or as instructed by their local desktop support organization.

The currently installed version of Adobe Reader can be determined by:

  1. Starting Adobe ( On Windows XP click Start->Programs->Adobe Reader )
  2. Selecting the Help menu
  3. Clicking the Help menu item that begins with "About Adobe Reader"

All versions prior to 8.1.3 need to be updated.

The latest version 9 update is available at http://www.adobe.com/go/getreader.

Links to other Reader versions, Acrobat updates, and more details can be found at http://www.adobe.com/support/security/bulletins/apsb08-19.html. The Red Hat Linux security update is available at https://rhn.redhat.com/errata/RHSA-2008-0974.html.

While you are updating the Adobe Reader software, visit the following Adobe web site to see if you have the popular Adobe Flash software installed and, if so, download and install the most recent version.

http://www.adobe.com/products/flash/about

It too has security defects associated with it.

The present and future security risk associated with the Adobe Reader product can be significantly decreased, regardless of the specific defect, by disabling scripting. To accomplish this:

  1. Start Adobe
  2. Select the Edit menu
  3. Select the Preferences item
  4. Highlight the JavaScript category
  5. Uncheck the box labeled 'Enable Acrobat Javascript'

Emergency Windows Update Needed ASAP ( 10/24/08 )

Update 11/05/2008 - E-mail messages are being sent to registered owners of computers on the JMU network determined by a network scan to be in need of this update. The content of the messages can be verified at http://www.jmu.edu/computing/security/jmuonly/msgverify11052008a.shtml

A serious defect in Windows computers has been discovered that has prompted Microsoft to issue an emergency update. Last night and early this morning the update was approved for distribution to all campus JMU-owned computers subscribed to the WSUS Windows update service.

The update fixes a defect allowing a computer to be compromised simply by being plugged into the wired or wireless network. No operator interaction is required. In this it is similar to the defect that led to the Blaster and other worms in 2003. There have already been limited attacks infecting computers using this defect.

The primary systems at risk are:

  • Unmanaged desktop and laptop computers
    Computers set up according to JMU StartSafe recommendations are at little risk. They will get the update automatically and their firewall will protect them in the meantime. However, due to the virulence of attacks using this defect, it is recommended that the automatic updates setting be double checked. Instructions are on the Microsoft site. At particular risk are:
    • Windows 2000 computers
    • Computers whose owners have modified their firewall settings to allow file/print sharing.
    • Computers that connect to home cable networks, student networks, and public wireless networks.
  • Servers intentionally exposing file sharing and RPC based services to clients.
    Any server offering these services must be updated in the next 48 hours or risk compromise of itself and its clients.

Any Windows computer can be updated by the operator at any time by using the Windows Update item on the Internet Explorer Tools menu.

Microsoft Security bulletin: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Technical Details: http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx


Music Sharing - Harmless Entertainment or Enterprise Risk? ( 07/29/08 )

There are both personal and enterprise risks associated with music sharing programs. Read more here.


Higher education passwords under attack ( 05/30/08 )

UNDER NO CIRCUMSTANCE WILL JMU EVER ASK FOR YOUR PASSWORD VIA EMAIL. DO NOT PROVIDE IT REGARDLESS OF CIRCUMSTANCE.

Over the past several months, many higher education organizations, including JMU, have been the target of criminals fishing for university passwords. These attacks are ongoing and we have no reason to expect them to go away any time soon.

The attacks come in the form of e-mail messages pretending to be from various university support and technology organizations. They use various ruses to convince the recipients to give up their university account passwords. They may say the e-mail system is undergoing maintenance. They may say the recipient's computer was seen spreading viruses. They may say the recipient's account has been compromised.

UNDER NO CIRCUMSTANCE WILL JMU EVER ASK FOR YOUR PASSWORD VIA EMAIL. DO NOT PROVIDE IT REGARDLESS OF CIRCUMSTANCE.

Most of the attacks thus far have asked the recipients to reply to the message and include the requested information in the reply. A few attacks have links in the message that lead to a fake university web site that asks for the information similar to the bank phishing messages that have been seen for years. Defensive measures are similar.

NEVER TYPE YOUR JMU PASSWORD INTO A WEB SITE YOU ARE UNFAMILIAR WITH. DO NOT TYPE IT INTO WEB SITES LED TO BY LINKS IN EMAIL. USE TRUSTED JMU WEB ADDRESSES YOU HAVE PREVIOUSLY VISITED OR THAT ARE PUBLISHED ON A TRUSTED JMU WEB SITE.

Many of the attacks thus far have been poorly worded, use addresses that are obviously fake, or otherwise contain content that reveals the fraud. But they are getting more sophisticated. Many have used JMU addresses. Some have used JMU images and logos. Some reference actual university departments and organizations. It is just a matter of time before they start referring to real people or events that are public information.

Any technical maintenance or information security issues affecting campus services will be posted on the JMU computing page at www.jmu.edu/computing. Verify any received messages with information posted there.

If you have provided your password, it is important that you follow JMU eID Account Recovery Steps to protect your information and JMU resources.

UNDER NO CIRCUMSTANCE WILL JMU EVER ASK FOR YOUR PASSWORD VIA EMAIL. DO NOT PROVIDE IT REGARDLESS OF CIRCUMSTANCE.


Critical Security Updates

These updates fix software defects that affect security. If a defect exists, even if you do everything right, bad things may still happen. Defects in clients like web browsers, email clients, image viewers, instant messaging software, and media players may allow malicious web sites, email messages, IM messages, images, and sound files to infect or compromise your computer with no action on your part other than viewing or listening to the web site, message, or media. Defects in server software, like web servers, web applications, and core operating system services, can allow your computer to be infected or compromised just by being on the network and powered on.

You can look up security defects and vulnerabilities for any product at the SecurityFocus web site. There is also a list of vendor security resources on the RUNSAFE site.

The Cassandra service will allow you to set up profiles indicating products of interest to you and receive email notifications when vulnerabilities associated with those products are reported. The service is offered by the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.

Click the platform you're interested in to see a list of security defects and fixes for some of the most common software on campus:

Miscellaneous updates of note:


Notable reported security defects without a fix

The following products contain defects that could result in a security compromise. There are no patches to fix the defects. Depending upon the product and defect, simply clicking a link or opening an associated document could result in a compromise.

Risk reduction measures include:

More generic risk reduction measures can be found on the StartSafe pages.

Date      Product           Public Exploit   Reports of Active Exploitation   Notes
12/04/08  VLC Media Player  no               no
10/23/08  mIRC              no               no
10/23/08  Hummingbird       no               no

Reporting a Computer Security Violation or Incident

Viruses and Worms and Trojans and Spyware, Oh My!

More than 2000 virus and worm carrying email messages arrive at the JMU email server each and every day, and we're seeing increasing numbers of virus carrying instant messages. Infected computers spew out thousands of packets per minute attempting to infect neighboring computers with worms. Web visitors using Internet Explorer have spyware and trojans installed on their computers. Whatever the name - virus, worm, trojan, or spyware - all of these examples of malicious software, henceforth referred to collectively as malware, are undesirable additions to our computers.

Unless a particular piece of malware is extraordinarily virulent, unique, or common, special announcements will not be made. With tens of thousands of unique malware copies already existing, and new ones coming out daily, it is impractical to keep in mind all the possible symptoms which they may present. Posting alerts to the entire population on every new virus would just result in needless clutter, alarm, and probably eventual numbness. The same piece of malware is often referred to by different names by anti-virus companies and the press, leading to further confusion. General StartSafe and R.U.N.S.A.F.E. guidelines will protect against almost all malicious software regardless of form or name - virus, worm, trojan, spyware, adware:

An ounce of prevention is worth a pound of cure. Once malware runs on a computer, its actions are limited mostly by the whims of the author. Malware that opens the computer to control by third parties is often seen. Damage is sometimes irreversible and often causes large amounts of frustration and lost time. The relative benevolence of past malware should not be expected of future malware.

Email messages containing attachments with certain names and extensions have their attachments stripped off by the JMU email server because of their common use by malicious software. Thousands of virus carrying messages are prevented from reaching our computers each day. The types of messages that are blocked are described here.

A lot of computers have recently had problems with undesirable programs that are being called "Spyware" or "Adware". The programs are sometimes installed along with free programs such as music sharing programs. They are also sometimes offered by web sites and even forced upon you if you haven't kept up with Windows Updates. There have been instances of it being found in software that is supposed to remove it, so stick to the removal tools found on the JMU downloads page. This software may track your movements, steal your passwords, pop up targeted ads, take control of your web browser, or report your movements to online web sites.

Being no different than any other undesirable programs, it is less risky and usually easier to prevent a compromise of your computer and privacy than it is to recover from it. In particular, read all program documentation thoroughly before installing it and only install programs obtained from, and written by, trusted sources. Oftentimes the distributors of programs that include spyware or adware tell you in the fine print of the licensing or installation documentation. Also make sure to keep up with Windows Updates. Some of these programs are being installed by web sites taking advantage of Internet Explorer defects to force installation without operator knowledge.

Two tools, Adaware and SpyBot, are available on the JMU Computing Downloads site to detect these undesirable programs on your computer.

These types of programs (Spyware) are no different than other malware programs other than that they've been labeled, been given press coverage, and are widespread. The functions they perform on your computer vary widely, and any name given to them or attempt to classify them is quite generalized. Regardless of anti-virus software, anti-spyware software, anti-trojan software, firewalls, other security precautions, and even legislation, the first line of defense is to refuse to run unknown programs. Inadvertent installation of spyware can often be prevented by operating the computer using a regular user account. Windows XP instructions are here. Macintosh instructions are here. Generic information is here.

You can submit suspicious files through a web browser to http://www.virustotal.com/flash/index_en.html and virusscan.jotti.org, which will run various anti-virus products against the submission. Do not assume, however, that a clean bill of health means the file is harmless.

Because there are many malicious software packages in circulation that are not detected by anti-virus software, conventional security measures such as anti-virus software, firewalls, and security updates will often not prevent an infection caused by an operator run program. Additionally, since many of the malicious programs that are circulating disable anti-virus, firewall, and automated update software and tools used to detect an infection, the chances are good that the computer will remain compromised exposing the operator's privacy, accounts, and documents.

One security measure that is presently effective at limiting or entirely preventing a compromise due to an operating mistake is to operate the computer using an account that limits the resources available to the malicious program. Most computer operators will have few or no problems using this type of account once it is set up. And if problems are experienced, they can always use the riskier account temporarily to accomplish these infrequent activities. Macintosh instructions are here. Windows XP instructions are here. Generic information is here. This practice is effective for preventing the majority of viruses, worms, trojans, spyware, and other malicious programs from getting a toehold in a computer, and it limits the ability of others to do damage or hide themselves.

Help! I'm getting e-mail messages returned from people I didn't send anything to. Some of them are telling me I have a virus.

These types of messages are almost never an indication that you, your computer, or your e-mail account have a problem.

The messages are almost always caused when criminals or infected computers forge your e-mail address in the FROM section of messages they are sending to other people. This is often done to decrease risk of detection, cause confusion, or increase the chances of fooling recipients by using names the recipient may trust. It can be done by any computer anywhere in the world.

The messages are a reflection of the trusting design of the Internet and the abuse of that trust. Internet e-mail standards allow anyone to pretend to be anyone else.

This activity ebbs and flows. During periods of high virus, scam, or SPAM activity, you may see quite a lot of such messages. If the messages are sent to a public e-mail distribution list, a lot of people may see them, respond, and cause a flood of confusing messages.

Here is an example of what is happening:

  1. A computer somewhere in the world owned by "Bill" becomes compromised. It may be compromised by a virus program that randomly picks e-mail addresses or those found on the computer or it may be compromised in a way allowing criminals to use his computer to send SPAM and messages with malicious intent.
  2. The computer, under the control of the virus program or remote criminal, composes an e-mail message. It has the ability to put anything it wants in the TO and FROM fields. It makes little difference to where the message actually gets sent or from what account or computer it is sent. It should be particularly noted that the FROM field is as meaningless and easily forged as the return address on the outside of an envelope. Anything or anyone can write anything they want there. For example:
  3. The compromised computer sends a message. For example:

    From: DukeDog@jmu.edu ( Note that it does not say Bill though it could. It might list your address, helpdesk@jmu.edu, santaclause@northpole.net, President@bank.com,  or anything else the virus or criminal wants to put there. )

    To: HokieBird@vt.edu ( The message may be received by HokieBird or someone else entirely. Actual mail routing does not depend on this field. You may receive messages not appearing to be addressed to you.)

  4. HokieBird's e-mail server receives the message.

    If the server delivers the message to HokieBird's mailbox, HokieBird sees a message that appears to have been sent by DukeDog@jmu.edu but that was actually sent by Bill's computer under the control of a virus or criminal. If HokieBird replies to the message, the reply will usually get sent to DukeDog@jmu.edu, the apparent sender. Other fields under control of the virus or criminal can change this behavior to send replies to a completely different third party, for example tuitionpayment@criminal.net.

    DukeDog may also receive a message if HokieBird's e-mail server refuses to deliver the message to HokieBird's mailbox. The server may do so for a number of reasons, but whatever the reason, it will send any error or status messages to the apparent sender, DukeDog@jmu.edu, because that is whose name is in the FROM field.

    Reasons DukeDog@jmu.edu may get a response from HokieBird's server:

    1. The VT server can't find a user named HokieBird@vt.edu ( example message subject: Returned mail: User unknown )
    2. HokieBird's mailbox is full
    3. The server detects a virus
    4. The message has an illegal attachment
    5. The message looks like SPAM

There is nothing that can be done about the problem on this end. We cannot stop a computer outside JMU from sending e-mail messages, even forged ones, to other computers. In cases of gross abuse, we can complain to their internet provider but this is rarely effective. Hundreds of thousands of computers outside JMU are infected and compromised, some say millions, and are often used by criminals to send SPAM, scams, and viruses. We have no control over them.

For those interested, the true source of an infected message can usually be determined by examining the full mail headers. Note that the headers from the original, infected message must be examined, not the headers of a complaint or bounced message. Also note that some viruses add false information to make this more difficult.

We are limited in what we can filter in our central e-mail system. However, individuals may create custom filters suited to their tolerance, desires, and abilities. These capabilities are more fully described here. Such filters won't stop the forgery or the response messages but may allow you to discard messages resulting from them if they get too numerous or bothersome.
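The header examination described above, together with the kind of test a personal filter for these response messages could use, as an added example that is not part of the original page. It parses a constructed bounce (delivery report) of the sort HokieBird's server would send back to DukeDog@jmu.edu, recognizes it as a bounce, pulls out the attached original message, and reads the original's own Received: chain to find the host that actually injected it, which is not the address in the forged From: field. All host names, addresses, and IDs in the sample are constructed example values, not real JMU traffic.

```python
"""Inspect a bounced (backscatter) message to find where the forged original
really came from. Added example; the sample bounce is constructed."""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample bounce. The original message is attached as a
# message/rfc822 part, as delivery-status reports usually do.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mail.vt.example (mail.vt.example [192.0.2.10])
\tby mx.jmu.example with ESMTP id bounce1
\tfor <DukeDog@jmu.edu>; Tue, 04 Nov 2008 10:15:05 -0500
From: Mail Delivery Subsystem <MAILER-DAEMON@vt.example>
To: DukeDog@jmu.edu
Subject: Returned mail: User unknown
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

The original message was received but could not be delivered:
HokieBird@vt.example ... User unknown

--B1
Content-Type: message/rfc822

Received: from bills-pc (dsl-203-0-113-7.isp.example [203.0.113.7])
\tby mail.vt.example with SMTP id orig1; Tue, 04 Nov 2008 10:14:58 -0500
From: DukeDog@jmu.edu
To: HokieBird@vt.example
Subject: here you go

see attached

--B1--
"""

# Matches the "from HOST (REVERSE-DNS [IP]) by HOST" shape most mail servers write.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?\s*by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BOUNCE_SUBJECT_RE = re.compile(
    r"returned mail|undeliverable|delivery (status|failure)|failure notice", re.I)


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def is_bounce(msg: EmailMessage) -> bool:
    """True for delivery reports: null return path, report MIME type, or a
    typical bounce subject. This is the test a personal mail filter would use."""
    if msg.get("Return-Path", "").strip() == "<>":
        return True
    if msg.get_content_type() == "multipart/report":
        return True
    return bool(BOUNCE_SUBJECT_RE.search(msg.get("Subject", "")))


def received_hops(msg: EmailMessage) -> list:
    """Each relay prepends its own Received: line, so reversing the list gives
    the path oldest-first; entry 0 is the host that handed the mail in."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip = IP_RE.search(m.group("comment") or "")
        hops.append({"helo": m.group("helo"), "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def original_message(bounce: EmailMessage):
    """Return the original message attached to the bounce, or None."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def analyze(raw: str) -> dict:
    """Compare what the original claims (From:) with the host that actually
    injected it, read from the original's own Received: chain."""
    bounce = parse(raw)
    result = {"is_bounce": is_bounce(bounce), "bounce_from_ip": None,
              "apparent_sender": None, "injecting_host": None, "injecting_ip": None}
    bounce_hops = received_hops(bounce)
    if bounce_hops:
        result["bounce_from_ip"] = bounce_hops[0]["ip"]
    original = original_message(bounce)
    if original is not None:
        result["apparent_sender"] = str(original.get("From", ""))
        hops = received_hops(original)
        if hops:
            result["injecting_host"] = hops[0]["helo"]
            result["injecting_ip"] = hops[0]["ip"]
    return result


if __name__ == "__main__":
    for key, val in analyze(SAMPLE_BOUNCE).items():
        print(f"{key}: {val}")
```

For the sample, the From: field claims DukeDog@jmu.edu while the earliest Received: line of the attached original shows the mail was handed to mail.vt.example by 203.0.113.7, "Bill's" computer. As the text above notes, viruses can add false Received: lines, so only the lines written by servers you trust (the ones nearest the top, added by your own mail system) are reliable; the earliest line is evidence, not proof.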

The only generic statement that can be made about the issue is that e-mail and instant messages are not reliable communications methods on which to make any type of decision concerning sensitive information or the identity of the apparent sender. Note that the same statement applies to telephone numbers and addresses included in such messages. If sensitive information, finances, or computer programs are involved, always verify the information on a trusted source - web site, previously known or published phone number, etc. - independent of information provided in the message. While these statements are true of all such messages, messages you expect will understandably be trusted more. However, be wary of generic messages such as 'here you go' and 'it's ready now' that can be interpreted as responses to almost anything. Authors of business messages can help combat this problem by crafting complete messages and/or including original requests in the responses.

Internet Fraud:

Can you tell the difference?

Phishing in the news:

Other Internet Fraud:

FBI Internet Fraud and Crime Complaint Center

Scams, Hoaxes, and Fables

Common Mistakes Affecting Our Privacy, Accounts, Computers, and Data

Common Appropriate Use Violations

Security Measures That May Impact Your Computer Use

By default, computers outside the JMU network cannot connect to computers on the JMU network. Most computers do not need this exposure and not having it decreases risk significantly. If you are a faculty or staff member and run a server that needs to accept connections directly from outside computers, you will need to request exposure of the server.

Some security measures decrease risk by eliminating high risk access. Two such measures at JMU may affect things you're trying to do at JMU. First, some email messages are blocked based on various properties in an effort to reduce virus transmissions. Second, some network services are blocked because they are often used to exploit systems, are commonly misconfigured, are generally not needed, and/or commonly have defects. Details are here.

Network Restrictions

Computers found to be infected with computer viruses or otherwise threatening the network will be put in quarantine. This is necessary to protect everyone on the JMU network and JMU operations in general. A computer in quarantine will be able to reach all JMU sites but only a few sites on the Internet. Generally those will be sites needed to download software to correct the problem. The most common problems can be corrected by following the Windows clean-up instructions here.