Computer Security
Why Computer Security Affects YOU
Computers today are an integral part of day-to-day campus life. E-mail and
instant messages are heavily used for communications. University administrative
business processes depend upon computer automation, record keeping, and
dependable, confidential, and quick access to reliable information. The
university's academic processes make use of computers for classroom
presentations, lab demonstrations and simulations, and online research. For many
of us, computers are also used frequently in our private lives.
We all have a vested interest in ensuring that our computing infrastructure
continues to operate reliably and that it preserves the confidentiality and
integrity of the information it handles - both our own and that of those we
serve. Our JMU network is made up of over 15,000
computing devices. Each and every device contributes to our network's security.
Each and every operator of those devices has a necessary and important part in
preserving the integrity of our network, just as every citizen has a necessary
and important part in preserving a society.
Each and every day, some of the 600 million people on the Internet are reaching
out and touching our computers in attempts to violate our privacy, use our
resources, dupe us into helping them perform a crime, or steal information.
Every one of the 15,000 or so computers on the JMU network is an attractive
target for criminals. Serious crimes have been committed on, by, and through
five-year-old laptops.
"The people of the world have granted control of their existence to
computers, networks, and databases. You own property if a computer says you do.
You can buy a house if a computer says you may. You have money in the bank if a
computer says so. Your blood type is what the computer says it is. You are who
the computer says you are."
How to Own an Identity
Do you think your computer isn't an attractive target for criminals? Think
again:
And while setting up a computer and operating it in a more secure manner may
sometimes be confusing, frustrating, and inconvenient, some simple steps can
help prevent not only crimes against the network at large, but also
personal losses:
The resources found here will hopefully help provide an understanding of
the threats we face and the steps we can take to protect both ourselves and the
rest of the JMU computing infrastructure.
Current Hot Topics (last updated: Friday, May 16, 2008 18:16:38)
Debian and Ubuntu OpenSSL, OpenSSH, and other security packages and associated
cryptographic material fundamentally flawed since 2006 (05/13/08)
(05/16/08) Any SSH account authenticated by a public key that was generated on a
Debian or Ubuntu Linux system must be immediately rekeyed from a patched machine,
or disabled. Several exploits have been published, making remote exploitation of
these accounts imminent.
In 2006 a developer modified the OpenSSL package shipped with Debian and Ubuntu
in a way that left the random number generator, on which almost all encryption
depends, ineffectively seeded. The result is predictable random numbers and, in
turn, predictable cryptographic keys. Affected software includes OpenSSL,
OpenSSH, OpenVPN, DNSSEC, and X.509 certificate keys. All Debian/Ubuntu packages
and associated cryptographic keys generated since around September of 2006 are
affected. See references for details.
From the Debian
announcement:
"It is strongly recommended that all cryptographic key material which has
been generated by OpenSSL versions starting with 0.9.8c-1 on Debian systems is
recreated from scratch. Furthermore, all DSA keys ever used on affected Debian
systems for signing or authentication purposes should be considered
compromised".
Operators of any high-security systems that run these operating systems, use
cryptographic material generated on one of them, or have clients on these
operating systems that log in with SSH public keys should take action ASAP.
General instructions:
- Apply patches.
- Regenerate and redistribute keys
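Rekeying means first finding every key that may have been generated on an affected system. The following is an added example, not from this page or from the Debian project: a Python scanner in the spirit of Debian's ssh-vulnkey that reads an authorized_keys file, computes each key's MD5 fingerprint, and flags keys whose fingerprint appears in a weak-key blacklist, plus any DSA key (which the advisory treats as compromised if it was ever used from an affected host). The blacklist line format assumed here (the last 20 hex digits of the MD5 fingerprint, one entry per line, as in Debian's openssh-blacklist files) should be checked against your copy; the keys, comments and blacklist below are constructed so the example runs offline and are not real keys.

```python
import base64
import hashlib

# --- SSH public-key wire format helpers (RFC 4253 "string" and "mpint") ---

def ssh_string(data: bytes) -> bytes:
    """Four-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_mpint(n: int) -> bytes:
    """Positive multi-precision integer; a spare 0x00 byte keeps the high bit clear."""
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def rsa_blob(e: int, n: int) -> bytes:
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def dsa_blob(p: int, q: int, g: int, y: int) -> bytes:
    return ssh_string(b"ssh-dss") + b"".join(ssh_mpint(x) for x in (p, q, g, y))


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form `ssh-keygen -l` printed in 2008."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def blacklist_entry(blob: bytes) -> str:
    """Last 20 hex digits of the MD5 fingerprint. Assumption: this is the per-line
    format of Debian's openssh-blacklist files; verify against your installed copy."""
    return hashlib.md5(blob).hexdigest()[12:]


def parse_key_line(line: str):
    """Return (type, blob, comment) for one authorized_keys line, skipping any
    leading options such as from="..." or command="...". None if unparseable."""
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in ("ssh-rsa", "ssh-dss") and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError
                return None
            return tok, blob, " ".join(tokens[i + 2:])
    return None


def scan_authorized_keys(text: str, blacklist) -> list:
    """Return (line number, comment, reason) for each key to revoke or review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_key_line(line)
        if parsed is None:
            findings.append((lineno, "", "unparseable key line: review manually"))
            continue
        ktype, blob, comment = parsed
        if blacklist_entry(blob) in blacklist:
            findings.append((lineno, comment, "fingerprint in weak-key blacklist: revoke and rekey"))
        elif ktype == "ssh-dss":
            # Per the Debian advisory, a DSA key *used* from an affected host leaks its
            # private half even if it was generated elsewhere, so it needs a human decision.
            findings.append((lineno, comment, "DSA key: treat as compromised if ever used from an affected host"))
    return findings


# --- Constructed sample data (tiny, meaningless numbers; NOT real keys) ---
WEAK_RSA = rsa_blob(65537, 0xC0FFEEDEADBEEF12345678)   # stands in for a key made on an unpatched box
GOOD_RSA = rsa_blob(65537, 0xFEEDFACECAFEBABE87654321)  # stands in for a key made elsewhere
ANY_DSA = dsa_blob(0xFFFD, 0xFFB, 0x2, 0x1234)

# Stand-in for /usr/share/ssh/blacklist.RSA-2048: the real file is a long set of such entries.
BLACKLIST = {blacklist_entry(WEAK_RSA)}


def key_line(blob: bytes, comment: str, options: str = "") -> str:
    """Render a blob as an authorized_keys line (constructed test input)."""
    ktype = "ssh-rsa" if blob[4:11] == b"ssh-rsa" else "ssh-dss"
    prefix = options + " " if options else ""
    return f"{prefix}{ktype} {base64.b64encode(blob).decode()} {comment}"


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed ~/.ssh/authorized_keys",
    key_line(WEAK_RSA, "alice@etch-laptop"),
    key_line(GOOD_RSA, "bob@patched-host", options='from="10.0.0.0/8"'),
    key_line(ANY_DSA, "backup@old-server"),
])

if __name__ == "__main__":
    for lineno, comment, reason in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLACKLIST):
        print(f"line {lineno}: {comment or '<no comment>'}: {reason}")
```

Run as a script it prints the findings for the constructed file; for real use, load BLACKLIST from the blacklist files installed with the patched OpenSSH package and point the scanner at each account's authorized_keys. A key that is not on the blacklist is not proof of safety, since only keys of the common sizes were enumerated, so any key whose origin is uncertain should still be regenerated on a patched machine.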
References:
Increase in attacks against SSH servers (05/13/08)
We are seeing increased password guessing attacks against Internet exposed
SSH servers. Recommendations.
Windows XP Service Pack 3 (05/13/08)
Windows XP Service Pack 3 may be offered to you if you get updates from
Microsoft's web site. Pending further testing, it is recommended at this time to
avoid the update unless you have a pressing academic or business need for it.
Misleading MP3 files reported on Gnutella file sharing networks. They hijack
users' browsers to take them to potentially malicious web sites. LimeWire and
other P2P users use caution. (05/08/08)
McAfee has
reported that a large number of misleading and possibly malicious files were
seeded into Gnutella file sharing networks. The files contain links that cause
some systems to automatically fire up a browser and take the user to web sites
offering misleading downloads. The sites may automatically install programs if
the visiting computer has
out of date software. Otherwise, they require an
operator to accept a download and install the malware.
Trojaned Firefox Vietnamese language pack add-on distributed from Mozilla site
for months (05/08/08)
A developer's infected computer resulted in a trojaned Vietnamese language
pack add-on for Firefox being posted to and distributed by the Mozilla site
between February and May. Apparently, no code review is done on published
add-ons. If they pass an anti-virus scan, they are posted.
Regardless of source: buyer (and downloader) beware. By running any program on
your computer, you are implicitly trusting your computer, data, and accounts to
the integrity and practices of the developer and the distribution network. The
care and conservatism you use in deciding to download and run programs should
reflect the value of the data stored on, and the accounts accessed from, your
computer.
P2P File Sharing Configuration Guidelines (04/24/08)
The RIAA and other organizations are constantly looking for copyright
violators who share copyrighted material over the Internet. Serious financial
penalties may be incurred. In addition, misconfigured P2P software can result in
confidential documents being unintentionally "published" to the Internet.
The University of Chicago has
published a
guide on configuring the most common P2P programs so they do not share
content. Please check your software to make sure it is properly configured.
Elevated risk for web browsers (03/14/08)
(05/08/08) This situation is continuing.
Three separate attacks have succeeded in creating an environment making it more
likely that people browsing the web or performing searches may be led to web
sites that attempt to infect their computers.
One attack results in Google
search results containing links to malicious web sites that infect the visiting
computers. The other attack has compromised legitimate web sites and
inserted code to guide their visitors to malicious web sites that infect the
visiting computers. Various reports put the number of sites affected in the tens
of thousands.
In both sets of attacks, the malicious web sites attempt to exploit defects in
software that, if kept up to date, would be impervious to the attacks. All
third party software products should be kept up to date, as well as the base
operating system software. This includes, but is not limited to, RealPlayer,
Adobe Reader, Adobe Flash, QuickTime, Java, iTunes, Winamp, games, and photo
software. Security updates for other commonly used programs are listed here,
but whatever you install will need to be kept up to date.
Sometimes, these types of attacks exploit defects in
software for which no update is available to fix the software. In those
cases, more generic, though intrusive, measures must be used to reduce risk.
These measures must be in place while operating the computer at all times.
Reports:
Critical Security Updates
These updates fix software defects that affect security. If a defect
exists, even if you do everything right, bad things may still happen. Defects in
clients like web browsers, email clients, image viewers, instant messaging
software, and media players may allow malicious web sites, email messages, IM
messages, images, and sound files to infect or compromise your computer with no
action on your part other than viewing or listening to the web site, message, or
media. Defects in server software, like web servers, web applications, and core
operating system services, can allow your computer to be infected or compromised
just by being on the network and powered on.
You can look up security defects and vulnerabilities for any product at the
SecurityFocus web site.
There is also a list of vendor security resources on the
RUNSAFE site.
The Cassandra service
will allow you to set up profiles indicating products of interest to you and
receive email notifications when vulnerabilities associated with those
products are reported. The service is offered by the Center for Education and
Research in Information Assurance and Security (CERIAS) at Purdue University.
Click the platform you're interested in to see a list of security defects and
fixes for some of the most common software on campus:
Miscellaneous updates of note:
Notable reported security defects without a fix
The following products contain defects that could result in a security
compromise. There are no patches to fix the defects. Depending upon the product
and defect, simply clicking a link or opening an associated document could
result in a compromise.
Risk reduction measures include:
- Avoidance of unnecessary software is the first line of defense.
- Operating the computer with a least privilege user account is the most
  generic and easily understood technical risk reduction measure.
- Avoidance of unsolicited e-mail links, documents, and web sites is the
  most generic operational risk reduction measure.
- Many exploits can be prevented by disabling scripting in browsers.
- A combination of measures is the most effective.
More generic risk reduction measures can be found on the StartSafe pages.
| Date | Product | Public Exploit | Reports of Active Exploitation | Notes |
|---|---|---|---|---|
| 04/22/08 | Adobe Photoshop Album Starter Edition 3.2 | yes | no | May also affect Adobe After Effects |
| 04/21/08 | Windows (primarily affects web hosting and other servers allowing untrusted code to run, or Windows 2003 computers in shared environments such as kiosks and labs) | no | no | A defect allowing elevation of privilege. Quite a few details have been made public, and it may take a while for a patch to be available, if indeed the situation can be fixed by a patch alone. |
| 03/26/08 | Various IP security camera Windows components | yes | yes | Some security cameras require the viewer to install software. Many use Internet Explorer ActiveX controls. Defects in the software included with three different camera products allow a malicious web site to take control of a visiting computer. Symantec is reporting active exploitation of one vendor. |
Reporting a Computer Security Violation or Incident
Viruses and Worms and Trojans and Spyware, Oh My!
More than 2000 virus and worm carrying email messages arrive at the JMU email server
each and every day and we're seeing increasing numbers of virus carrying instant
messages. Infected computers spew out thousands of packets per minute
attempting to infect neighboring computers with worms. Web visitors using
Internet Explorer have spyware and trojans installed on their computers.
Regardless of the name (virus, worm, trojan, or spyware), all of these examples of
malicious software, referred to collectively here as malware, are undesirable
additions to our computers.
Unless a particular piece of malware is extraordinarily virulent, unique, or common, special
announcements will not be made. With tens of thousands of unique malware copies
already existing, and new ones
coming out daily, it is
impractical to keep in mind all the possible symptoms which they may present.
Posting alerts to the entire population on every new virus would just result in needless clutter,
alarm, and probably eventual numbness. The same piece of malware is often
referred to by different names by anti-virus companies and the press leading to
further confusion. General StartSafe and
R.U.N.S.A.F.E. guidelines
will protect against almost all malicious software regardless of form or name -
virus, worm, trojan, spyware, adware:
An ounce of prevention is worth a pound of cure. Once malware runs on a
computer, its actions are limited mostly by the whims of the author. Malware
that opens the computer to control by third parties is often seen. Damage is sometimes irreversible and
often causes large amounts of frustration and lost time. The relative
benevolence of past malware should not be expected of future malware.
Email messages containing attachments with certain names and extensions have
their attachments stripped off by the JMU email server because of their common use by malicious
software. Thousands of virus carrying messages are
prevented from reaching our computers each day. The types of messages that are
blocked are described
here.
A lot of computers have recently had
problems with undesirable programs that are being called "Spyware" or "Adware".
The programs are sometimes installed along with free programs such as
music sharing programs. They are also sometimes offered by web sites and
even forced upon you if you haven't kept up with
Windows Updates. There have been instances of it being found in
software that is supposed to remove it, so stick to the removal tools
found on the JMU downloads page. This software may track your movements,
steal your passwords, pop up targeted ads, take control of your web
browser, or report your movements to online web sites.
Being no different from any other undesirable program, it is less
risky and usually easier to prevent a compromise of your computer and
privacy than it is to recover from one. In particular, read all program
documentation thoroughly before installing it, and only load programs
obtained from and written by trusted sources. Oftentimes the distributors
of programs that include spyware or adware tell you in the fine print of
the licensing or installation documentation. Also make sure to keep up
with Windows Updates. Some of these programs are being installed by web
sites taking advantage of Internet Explorer defects to force installation
without operator knowledge.
Two tools, Adaware and SpyBot,
are available on the
JMU Computing
Downloads site to detect these undesirable programs on your computer.
These types of programs (Spyware) are no different than other malware
programs other than that they've been labeled, been given press coverage,
and are widespread. The functions they perform on your computer vary widely
and any name given to them or attempt to classify them is quite generalized.
Regardless of anti-virus software, anti-spyware software, anti-trojan
software, firewalls, other security precautions, and even legislation, the
first line of defense is to refuse to run unknown programs.
Malware Related Links of interest:
- Scams, Hoaxes and Fables
You can submit suspicious files through a web browser to www.virustotal.com
and virusscan.jotti.org, which will run various anti-virus products against
the submission. Do not assume, however, that a clean bill of health means the
file is harmless.
Because there are many malicious software packages in circulation that are not
detected by anti-virus software, conventional security measures such as
anti-virus software, firewalls, and security updates will often not prevent an
infection caused by an operator-run program. Additionally, since many of the
malicious programs that are
circulating disable anti-virus, firewall, and automated update software
and tools used to detect an infection, the chances are good that the
computer will remain compromised exposing the operator's privacy,
accounts, and documents.
One security measure that is presently
effective at limiting or entirely preventing a compromise due to an
operating mistake is to operate the computer using an account that will
limit the resources available to the malicious program. Most computer
operators will have little or no problems using this type of account
once it is set up. And if problems are experienced, they can always use
the riskier account temporarily to accomplish these infrequent
activities. Macintosh instructions are
here. Windows XP instructions are
here. Generic information is here. This practice is effective
for preventing the majority of viruses, worms, trojans, spyware,
and other malicious programs from getting a toehold in a computer and
limits the ability of others to do damage or hide themselves.
Help! I'm getting e-mail messages returned from people I didn't send anything to.
Some of them are telling me I have a virus.
These types of messages are almost never an indication that you, your
computer, or your e-mail account have a problem.
The messages are almost always caused when criminals or infected computers forge your
e-mail address in the FROM section of messages they are sending to other people.
This is often done to decrease risk of detection, cause confusion, or increase
the chances of fooling recipients by using names the recipient may trust. It can
be done by any computer anywhere in the world.
The messages are a reflection of the trusting design of the Internet and the
abuse of that trust. Internet e-mail standards allow anyone to pretend to be
anyone else.
This activity
ebbs and flows. During periods of high virus, scam, or SPAM activity, you may see quite a lot of
such messages. If the messages are sent to a public e-mail distribution list, a
lot of people may see them, respond, and cause a flood of confusing messages.
Here is an example of what is happening:
- A computer somewhere in the world owned by "Bill" becomes compromised. It may
  be compromised by a virus program that randomly picks e-mail addresses or
  those found on the computer, or it may be compromised in a way allowing
  criminals to use his computer to send SPAM and messages with malicious intent.
- The computer, under the control of the virus program or remote criminal,
  composes an e-mail message. It has the ability to put anything it wants in
  the TO and FROM fields. It makes little difference to where the message
  actually gets sent or from what account or computer it is sent. It should
  be particularly noted that the FROM field is as meaningless and easily forged
  as the return address on the outside of an envelope. Anything or anyone
  can write anything they want there.
- The compromised computer sends a message. For example:
  From: DukeDog@jmu.edu (Note that it does not say Bill, though it could. It
  might list your address, helpdesk@jmu.edu, santaclause@northpole.net,
  President@bank.com, or anything else the virus or criminal wants to put
  there.)
  To: HokieBird@vt.edu (The message may be received by HokieBird or someone
  else entirely. Actual mail routing does not depend on this field. You may
  receive messages not appearing to be addressed to you.)
- HokieBird's e-mail server receives the message. If the server delivers the
  message to HokieBird's mailbox, HokieBird sees a message that appears to
  have been sent by DukeDog@jmu.edu but that was actually sent by Bill's
  computer under the control of a virus or criminal. If HokieBird replies to
  the message, the reply will usually get sent to DukeDog@jmu.edu, the
  apparent sender. Other fields under control of the virus or criminal can
  change this behavior to send replies to a completely different third party,
  for example tuitionpayment@criminal.net.
  DukeDog may also receive a message if HokieBird's e-mail server refuses to
  deliver the message to HokieBird's mailbox. The server may do so for a
  number of reasons, but whatever the reason, it will send any error or
  status messages to the apparent sender, DukeDog@jmu.edu, because that is
  whose name is in the FROM field. Reasons DukeDog@jmu.edu may get a response
  from HokieBird's server:
  - The VT server can't find a user named HokieBird@vt.edu (example message
    subject: Returned mail: User unknown)
  - HokieBird's mailbox is full
  - The server detects a virus
  - The message has an illegal attachment
  - The message looks like SPAM
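The forgery is easiest to see in the headers themselves. Below is an added example, not from this page: a constructed message following the DukeDog/HokieBird scenario, including the Received: lines a receiving server would have added, and a small Python routine (standard library only) that pulls out where the message really entered the mail system, where a reply would go, and where a bounce would go. The host names, IP addresses and header values are constructed for the example; the only real organisation names are the ones the page already uses.

```python
import email
import re
from email.utils import parseaddr

# Constructed message modelled on the page's example. IPs come from the documentation
# ranges and the laptop/criminal hosts are made up; this is not a captured real message.
SAMPLE_MESSAGE = """\
Return-Path: <DukeDog@jmu.edu>
Received: from mail.vt.edu (mail.vt.edu [198.51.100.7])
\tby mx.vt.edu with ESMTP id 1abc; Fri, 16 May 2008 18:00:01 -0400
Received: from jmu.edu (bills-laptop.example.net [203.0.113.45])
\tby mail.vt.edu with SMTP id 2def; Fri, 16 May 2008 17:59:58 -0400
From: DukeDog@jmu.edu
To: HokieBird@vt.edu
Reply-To: tuitionpayment@criminal.net
Subject: here you go
Message-ID: <constructed-1@example.net>

Your document is ready now.
"""

# "from <HELO name> (<reverse DNS> [<ip>]) by <receiving host>": the common shape of a
# Received: line written by a receiving server. The HELO name is whatever the sending
# machine claimed; the reverse DNS name and IP are what the receiver observed.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)",
    re.I,
)


def parse_received(value: str):
    """Pull HELO name, reverse-DNS name, IP and receiving host out of one Received: header."""
    m = RECEIVED_RE.search(" ".join(value.split()))  # unfold continuation lines
    return m.groupdict() if m else None


def in_domain(host: str, domain: str) -> bool:
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def assess(raw: str) -> dict:
    """Explain who really sent a message and where replies and bounces will go."""
    msg = email.message_from_string(raw)
    # Each server prepends its own Received: line, so the last one in the list is the
    # earliest hop on record: the point where the message entered the mail system.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    origin = hops[-1] if hops else None
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = from_addr.rpartition("@")[2]
    reply_to = parseaddr(msg.get("Reply-To") or msg.get("From", ""))[1]
    # Bounces go to the SMTP envelope sender, which the receiving server records as
    # Return-Path; the sending computer fills it in as freely as the From: header.
    bounce_to = parseaddr(msg.get("Return-Path") or msg.get("From", ""))[1]

    findings = []
    if origin:
        if origin["rdns"] and not in_domain(origin["rdns"], from_domain):
            findings.append(f"first relay {origin['rdns']} [{origin['ip']}] is not a "
                            f"{from_domain} host; the From: address is unverified")
        if origin["rdns"] and origin["helo"].lower() != origin["rdns"].lower():
            findings.append(f"relay announced itself as {origin['helo']} but reverse DNS "
                            f"says {origin['rdns']}")
    if reply_to.lower() != from_addr.lower():
        findings.append(f"Reply-To sends replies to {reply_to}, not to the apparent "
                        f"sender {from_addr}")
    return {
        "origin_ip": origin["ip"] if origin else None,
        "origin_host": origin["rdns"] if origin else None,
        "from_address": from_addr,
        "reply_goes_to": reply_to,
        "bounce_goes_to": bounce_to,
        "findings": findings,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_MESSAGE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two caveats that match the page's own warning: bounces follow the Return-Path, which the sending computer controls just as much as From:, so DukeDog gets the bounce no matter who sent the message; and only the Received: line added by a server you trust is reliable, because the sender can prepend fake ones beneath it. Read the chain from the top (your own server) downward and stop trusting it at the first hop you do not control.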
There is nothing that can be done about the problem on this end. We cannot
stop a computer outside JMU from sending e-mail messages, even forged ones, to
other computers. In cases of gross abuse, we can complain to their internet
provider but this is rarely effective. Hundreds of
thousands of computers outside JMU are infected and compromised, some say
millions, and are often used by criminals to send SPAM, scams, and viruses. We
have no control over them.
For those interested, the true source of an infected message can usually be
determined by examining the full mail headers.
Note that the headers from the original, infected message must be examined, not
the headers of a complaint or bounced message. Also note that some viruses add
false information to make this more difficult.
We are limited in what we can filter in our central e-mail system. However,
individuals may create custom filters suited to their tolerance, desires, and
abilities. These capabilities are more fully described
here. Such filters won't stop the forgery
or the response messages but may allow you to discard messages resulting from
them if they get too numerous or bothersome.
The only generic statement that can be made about the issue is that e-mail
and instant messages are not reliable communications methods on which to make
any type of decision concerning sensitive information or the identity of the
apparent sender. Note that the same
statement applies to telephone numbers and addresses included in such messages.
If sensitive information, finances, or computer programs are involved, always
verify the information on a trusted source - web site, previously known or
published phone number, etc. - independent of information provided in the
message. While these statements are true of all such messages, messages you
expect will understandably be trusted more. However, be wary of generic messages
such as 'here you go' and 'it's ready now' that can be interpreted as responses
to almost anything. Authors of business messages can help combat this problem by
crafting complete messages and/or including original requests in the responses.
Internet Fraud:
Phishing
We continue to see increasing numbers of fraudulent e-mail messages trying to
convince people to visit fraudulent web sites in order to steal their credit
card numbers, bank account numbers, eBay, PayPal, banking, and AOL account
passwords, and other sensitive data. Fraudulent messages pretending to be from
local banks, such as SunTrust and BB&T, have also been seen.
These scams, referred to as "phishing" attacks, use e-mail messages made to
appear as though they come from banks and other businesses you may trust. The
messages contain links leading to malicious web sites that duplicate the
businesses' web sites in almost every detail and that ask for passwords, credit
card numbers, and other sensitive information useful to criminals. It is very
difficult to tell the difference between an official web site and one set up by
criminals to mimic an official one, and the fakes are getting more
sophisticated. You can view real-life examples of these messages and the fake
websites at:
http://www.fraudwatchinternational.com/phishing/index.php.
The face values of web links in email, web sites, instant messages, and other
locations cannot be trusted to make critical decisions such as whether to supply
sensitive information or download software on to your computer. They're as
useless and as easily forged or disguised as the return address on a post card
or the FROM address on an email message.
It is best to avoid typing sensitive
data (account numbers, passwords, credit card numbers, etc.) into unfamiliar web
sites or those led to by links in unexpected or unusual e-mail messages. It is
also prudent to avoid clicking links in such e-mail and instant messages
especially those that are blatant spam or phishing messages as they sometimes
lead to web sites that will infect visiting computers. For the same reason, it
is also best to avoid downloading software from such web sites.
Use a known good web link and/or verify the message contents over a
known good secondary channel (phone number, email address, etc.).
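A quick way to see why face values are useless is to compare what a link shows with where it actually goes. This added example (not part of the page) parses a constructed HTML e-mail body with Python's standard library, collects each link's visible text and href, and reports when the displayed host differs from the real one, when the link uses the user@host trick, or when the target is a bare IP address. The registrable-domain helper is a deliberate simplification (last two labels only), and the hosts and IPs are documentation values, not real sites.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


# Something in the visible text that looks like a URL or host name.
HOSTLIKE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable(host: str) -> str:
    """Crude 'owner' of a host name: its last two labels. A simplification for this
    example; a real tool would consult the public suffix list (co.uk and friends)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_links(html: str) -> list:
    """Return (visible text, href, reasons) per link; an empty reasons list means
    nothing about the link contradicted what the reader was shown."""
    collector = LinkCollector()
    collector.feed(html)
    collector.close()
    results = []
    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""  # userinfo (anything before '@') is stripped here
        reasons = []
        if IPV4.fullmatch(host):
            reasons.append(f"link target is a bare IP address ({host})")
        if "@" in parsed.netloc:
            reasons.append("link contains '@': the part before it is a decoy, the real host follows")
        shown = HOSTLIKE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but the link goes to {host}")
        results.append((text, href, reasons))
    return results


# Constructed HTML e-mail body. The bank and auction names mirror the page's own
# examples; the hosts and IPs are documentation values, not real phishing sites.
SAMPLE_HTML = """
<p>Dear customer, your account is locked. Please
<a href="http://www.suntrust.com.account-verify.example.net/login">log in at www.suntrust.com</a>
within 24 hours.</p>
<p>Or update your details at <a href="http://www.ebay.com@203.0.113.5/update">http://www.ebay.com/update</a>.</p>
<p>Questions? See <a href="https://www.jmu.edu/computing/">JMU Computing</a>.</p>
"""

if __name__ == "__main__":
    for text, href, reasons in check_links(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   !", reason)
```

This is the same comparison a careful reader makes by hovering over a link: the status bar shows the href, not the text. A link with an empty reasons list is not thereby safe, since neutral text such as "click here" gives the check nothing to compare; it only catches links that contradict what they display, which is exactly the trick the phishing messages above rely on.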
General recommendations for handling unsolicited messages can be found on the
JMU SPAM web page.
If you receive such a message, you may report it to authorities by forwarding
the message, preferably with full mail headers,
to spam@uce.gov and/or the owner of the site
being forged (e.g. abuse@suntrust.com,
abuse@ebay.com, or the address supported for
this purpose by the organization).
A web site (http://www.lookstoogoodtobetrue.com) promoting Internet fraud
awareness has been published with the cooperation of the FBI, U.S. Postal
Service, and several other organizations.
Carnegie Mellon University has designed a game meant to improve your ability
to identify fraudulent web sites. It can be accessed at
http://cups.cs.cmu.edu/antiphishing_phil/. Note that it requires the
installation of Adobe Flash. Many people already have this installed. If you
install it, it is important to check for security updates, as it can leave your
computer vulnerable if not properly maintained.
Identity Theft Help
If you typed sensitive information into one of these criminal's web sites it
is likely the information you provided will be, or already has been, sold or
misused. To limit loss in such a case, review the recommendations at the
following web sites after contacting the organization whose site was forged.
In the past, it has been difficult for a person to freeze credit reporting on
themselves. State laws mandating the ability of consumers to request such
freezes were spotty (notably absent in Virginia) and the credit reporting
agencies did not offer the service in states where laws mandated it. Luckily,
the credit agencies seem to be responding and are beginning to offer the
ability for anyone nationwide to freeze their credit reports (see this article
and this one). This becomes a useful tool for preventing fraud and the spread
of identity theft.
Additional phishing information:
Can you tell the difference?
Phishing in the news:
Other Internet Fraud:
FBI Internet Fraud and Crime Complaint Center
Scams, Hoaxes, and Fables
Common Mistakes Affecting Our Privacy, Accounts, Computers, and Data
Security Measures That May Impact Your Computer Use
By default, computers outside the JMU network cannot connect to computers on
the JMU network. Most computers do not need this exposure and not having it
decreases risk significantly. If you are a faculty or staff member and run a
server that needs to accept connections directly from outside computers, you
will need to request exposure of the server.
Some security measures decrease risk by eliminating high risk access. Two
such measures at JMU may affect things you're trying to do at JMU. First, some
email messages are blocked based on various properties in an effort to reduce
virus transmissions. Second, some
network services are blocked because they are often used to exploit systems, are
commonly misconfigured, are generally not needed, and/or commonly have defects.
Details are
here.
Network Restrictions
Computers found to be infected with computer viruses or otherwise
threatening the network will be put in quarantine. This is necessary to protect everyone on the JMU network and
JMU operations in general. A computer
in quarantine will be able to reach all JMU sites but only a few sites
on the Internet. Generally those will be sites needed to download
software to correct the problem. The most common problems can be corrected by
following the Windows clean-up instructions here.