Alerts

Security Alert
Mar 3, 2014 - 2:43 pm

Patches are now available for the security flaws in iPhone, iPad, AND OSX devices. Last Friday Apple released iOS 7.0.6 to address a security flaw and provided these details on that fix:

iOS 7.0.6 | Data Security | CVE-2014-1266

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

Since this flaw is easily exploitable, ISG recommends that you upgrade to 7.0.6 as soon as you can. It is an unfortunate reminder that Apple products can be vulnerable and its users need to stay current with all security patches.

The same flaw existed in desktop and laptop computers powered by its OS X operating system. The OS X Update 10.9.2 is now available, which includes the security fix.

Related Links:
Apple's Security Update page: http://support.apple.com/kb/HT1222
About the security content of iOS 7.0.6:  http://support.apple.com/kb/HT6147
About the security content of OS X Mavericks v10.9.2 and Security Update 2014-001:  http://support.apple.com/kb/HT6150
SANS Internet Storm Center: https://isc.sans.edu/forums/diary/IOS+SSL+vulnerability+also+present+in+OS+X/17702
Brian Krebs blog post: http://krebsonsecurity.com/2014/02/ios-update-quashes-dangerous-ssl-bug/

Security Alert
Feb 13, 2014 - 4:14 pm

First reported in December, the Googledoc phishing scam persists with a variety of subject lines (IMPORTANT DOCUMENT and ... Sent You a Google Doc are two examples).  Many are from Brown addresses (accounts that have been compromised). Do NOT click on the link. If you have not already deleted it, mark the email as phishing and then delete it.  Below are screenshots of two examples. 

 

Security Alert
Feb 6, 2014 - 3:44 pm

The phishing scam, subject line "INCOMING FAX REPORT" has resurfaced at Brown.  An example follows.  As with similar emails, DO NOT CLICK on the link. If you receive one, either delete it immediately or report it as phishing then delete it.

Security Alert
Dec 19, 2013 - 10:38 am

Two phishing scams were reported today, one from a supposed Brown address (service@brown.edu) and another from compromised Brown accounts.  Both contained a link that recipients were told to click. As with others, do NOT click on the link. If you have not already deleted it, mark the email as phishing and then delete it.  Examples follow of these latest phishing attempts.

---------- Forwarded message ----------
From: <different Brown addresses>
Date: Thu, Dec 12, 2013 at 5:00 PM
Subject: <Name> Sent You a Google Doc
To:

Google Drive. Keep everything. Share anything
Please check the document i uploaded for you using Google docs. CLICK HERE to sign in securely with your email to view the document its very important.
Thank You. 

---------- Forwarded message ----------
From: Brown University <service@brown.edu>
Date: Thu, Dec 12, 2013 at 7:22 AM
Subject: Message From Brown University
To:

We received a notification fro m our date base system stating your email has been hacked by someone.

You are require to Click Here and log-in to your email in other to validate and secure your email profile.

Sincerely,
Brown University 

Security Alert
Dec 12, 2013 - 12:48 pm

ISG has received reports of emails from "Brown IT Alert" warning recipients that their brown.edu account was "accessed from a blacklisted IP located in Arizona", listing the details, then requesting they click on a link to "allow the new IP monitoring alert system (to) automatically block the suspicious IP from further future compromise."  This is not a legitimate request but a phishing attempt and should be treated as such.  Do NOT click on the link. If you have not already deleted it, mark the email as phishing and then delete it.

Note: The address oitalert@brown.edu has been blocked from being able to send to Brown Gmail addresses.

An example follows:

---------- Forwarded message ----------
From: Brown IT Alert
Date: Wed, Nov 20, 2013 at 11:16 AM
Subject: URGENT: BROWN incident where your NET ID was compromised
To: <redacted>@brown.edu

Hello,

Our new IP monitoring alert system that checkmates the increased incidents of phishing attacks and database compromise detected that your "brown.edu" account was accessed from a blacklisted IP located in Arizona. The suspicious login details are shown hereunder:

Access Location: Phoenix, Arizona
IP Address: 23.19.88.141
ISP: Nobis Technology Group, LLC
Host Name: 23.19.88.141.rdns.ubiquity.io
Time of compromise : 10:27 AM, Eastern Standard Time (EST) -0500 UTC
Date of compromise: Wednesday, November 20, 2013

Did you access your account from this location? If this wasn't you, your computer might have been infected by a malicious malware code unnoticed. To protect your account from any further compromise, kindly follow these two steps immediately:

1. Follow this ITS secure link below to reconfirm your login details and allow the new IP monitoring alert system automatically block the suspicious IP (23.19.88.141) from further future compromise

<redacted>

2. Scan your PC immediately to remove all malware codes and any other malignant viruses With these two steps taken, your account will be secured.

Serving you better,
ITS and Database Security
Brown University

Security Alert
Dec 12, 2013 - 12:48 pm

The following is a phishing attempt. Please do not click the link and delete the email.

From: "Brown University" <sech@brown.edu>
Date: December 6, 2013 5:12:24 AM EST
To: Recipients <sech@brown.edu>
Subject: Brown University Email Alert [Code: 5841]

Dear User,

The following alert has been posted to your webmail account regarding an unauthorised access to your account:

*Brown University Alert*

Your account has been compromised and used to send unsolicited commercial email (spam).

We implore you to follow our secure https://www.brown.edu to confirm your details to avoid account suspended from our system.

Thank you .

Brown University Technical Service

Security Alert
Dec 4, 2013 - 2:26 pm

Beware of an email from updatea67@gmail.com with the subject "Update Your brown University edu Account. " This is a phishing email, attempting to get you to click on the link and/or open the attachment. Do not do either. If you have not already deleted it, mark the email as phishing and then delete it.

Clues that the email is bogus include:

  • It was sent from a non-Brown address.
  • The TO field is blank. 
  • Use of the generic "Dear User!!!" 
  • Grammatical and spelling errors (such as "upgraded and maintain.") 
  • It contains a threat that you will lose services if you do not respond quickly.

An example follows:

---------- Forwarded message ----------

From: Account update <updatea67@gmail.com>
Date: Sat, Nov 16, 2013 at 11:02 AM
Subject: Update Your brown University edu Account::
To: 

Dear User!!!

Information Technology Services (ITS) are currently upgrading and
maintaining all e-mail accounts.This will provide you the ability to
store a greatly increased amount of

e-mail correspondence in your e-mail account. Your account has been
identified as one of the accounts which are to be upgraded and
maintain.

Please click the link below and follow the instruction. If you are
unable to click the link copy and paste in on your browser:

Sign in to brown.edu !

webmail brown.edu !User  ID ..............
Password............................................

The new minimum quota level for e-mail accounts will be set to 1000mb.
Warning!!!  Account owner that refuses to upgrade and maintain his or
her account before 24 hours of receiving this warning may lose his or
her account permanently.

Computing Services Help Desk
more information about the service.
Sign.
Helpdesk

Security Alert
Dec 4, 2013 - 10:43 am

Beware of an email from secure @ brown.edu sending an "Important Message About Your Brown University Account." This is a phishing email, attempting to get you to click on the link and/or open the attachment. Do not do either. If you have not already deleted it, mark the email as phishing and then delete it.

Clues that the email is bogus include:  use of the generic "Recipients" in the TO field, an empty address line ("Dear ,"), when mousing over the link its address is other than shown, missing punctuation and a suspicious attachment. An example follows:

---------- Forwarded message ----------
From: Brown University Account
Date: Mon, Nov 11, 2013 at 6:30 AM
Subject: Important Message About Your Brown University Account
To: Recipients 

Dear,

We regret to inform you that recently we are unable to verify your webmail account with us

We therefore implore you to confirm your webmail details by clicking our secure site link below

https: // www . brown . edu

To avoid permanent webmail account suspension

Thank you.

Brown University

Security Alert
Dec 4, 2013 - 10:43 am

You may have read of a major breach of account at Adobe Systems, which has been called a “very sophisticated hack” resulting in a compromise of over 38 million accounts.  Adobe provides many commonly used applications (including Acrobat, Flash, etc.), and so it may come as no surprise that some Brown users are going to have Adobe accounts that are affected.  We are aware of least 2,200 accounts that were from a Brown address. If you were affected, you should have been contacted by Adobe directly.

The list of exposed email addresses and encrypted passwords was anonymously posted online, presumably by those who hacked the Adobe site.  As a result, multiple hackers are reportedly actively working to decrypt the passwords.  Decrypting a 6-character password can take as little as 3 to 5 minutes, even if it is a "complex" password with a combination of upper and lower case letters, numbers and symbols.  Longer passwords take more time to crack but with enough computational power and time, any password shorter than 15 or so characters is probably at risk.

We strongly urge everyone to you to change your Adobe password as soon as possible, whether you have been contacted or not.  In addition, if you used the same password for other accounts (e.g. your Brown or Google password, or your bank account password) you should change those immediately as well.  Reports have surfaced detailing that passwords are already being unencrypted.  Please note that you should never use your Brown password on an external website, and it is never a good practice to use the same password in all of your locations.

Security Alert
Dec 4, 2013 - 10:42 am

This global spam message contains a malicious virus in the attachment.  Code named “Crypto Locker”, it is already considered to be an historically devastating virus because it holds your computer hostage until you pay a fee.  This latest effort is part of a growing area of computer crime known as “ransom ware”.  If the virus is allowed to run on the computer, it encrypts all of the files, attached USB and backup drives, as well as files on department files shares that may be open. A notice appears indicating what has happened, and demanding payment of various amounts between $100-$500 in order to get the key to unlock the data.  Even when paid, it has been reported that the key does not always work.  Evidence indicates that the encryption can not be undone.

The emails arrive in legitimate-looking formats from companies such as Fedex, UPS, and DHL, and contain a zip attachment in the file under the disguise of a PDF.  Please be on a heightened state of awareness for any such messages that may make it to your inbox, and report them as phishing to Google.  We remind you that you should always be aware and cautious of opening any attachments that you receive.  In addition to these two baseline defenses, having a backup of your files in case of such an attack is the only sure way that you do not experience a complete loss. Your DCC or ITSC can discuss backup options available to you.