Tuesday, November 27. 2007
Phishing Attempt from supposed .edu support groups.
Description: The CSRT & Computer Security Professionals from other education institutions and organizations have seen a significant increase in phishing attempts in recent months. In computing, phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication (from Phishing Wiki).
The most recent attempts, which have caused a significant increase in concern, are email phishing attempts that appear to be coming from @#####.edu computer support teams and that specifically target university personnel. We have included an example email:

########################################
> -------- Original Message --------
########################################

The example above is bogus, and any directions contained in the email should be ignored.

Recommendations: Please be aware that University of Tulsa Computer Support Personnel will never ask for your password in email, over the phone, or in person. We will also never send URL 'links' in an email, or provide specific instructions in email form. If there are any doubts about the legitimacy of an email, delete the email, and contact your designated Computer Support person or the Help Desk, x3500. As always, please check back on the Computer Security Response Team website (this website) for more information concerning Computer Security related items.

Disclaimer: This information is intended to help students, faculty, and staff at The University of Tulsa, no one else. Some information contained in this advisory may be specifically tailored to our systems. Some of the recommendations in this advisory may cause harm to non-university systems. If you are not a student, faculty member, or staff member at The University of Tulsa and find this information helpful, we are pleased, but do not call or email the Computer Security Response Team or the helpdesk for further information.

Thursday, September 6. 2007
Bandwidth Management of the TU Wired and Wireless Data Networks
During the first two weeks of classes, several submitted reports to the help desk indicating that our wired residential network and our new WiFi wireless network are "slow". All IP data networks are shared resources; excessive expectations and utilization by some result in poor performance for others.
During the weekend of August 31, 2007, one student transferred 250 gigabytes (GB) of data over the wired network in 36 hours before being removed from the network. Moving this much data over a home connection would require more than six weeks, assuming typical (arguable) sustained speeds associated with a basic DSL high-speed internet plan. The same student then transferred 35 GB of data across the wireless network over the subsequent 48-hour period. The 250 GB of data is equivalent to 500 full-length VHS-quality movies or more than 73,000 CD-quality MP3s. If the transferred data were moved illegally, there is an additional problem. Access to all TU campus computing facilities by this student has been terminated pending review by the Dean of Students.

University policy: The University Ethics Code and Policy for Computer Use is posted at http://www.is.utulsa.edu/policies. The policy contains several provisions related to appropriate use and the consequences of monopolizing resources and degrading performance.

Wireless vs wired network access: The new wireless network is a significant advancement at The University of Tulsa that is not available in the same ubiquitous fashion at most other universities. It provides convenience and mobility that is not available with a wired-only network. However, it is impossible to effectively replace the capacity of a functional wired network with that of a wireless network. The burst rate at a wired port in the new residential apartments is nearly twenty times the rate available to a wireless user, even when there is no other wireless user competing for access in the same vicinity. Further, the performance of a wireless network degrades more quickly with multiple users. When available and reasonable, use a wired connection to help make sure that the wireless network is available for those best served by the mobility of a wireless connection.
Bandwidth Management: Direct and unfettered access to the extraordinary wireless and wired networks that the University has is an important academic resource for all of our residents. Unfortunately, as indicated above, if a network is not managed, it is possible for a few abusive users to utilize nearly all of our bandwidth which, in turn, causes a degradation of the network resources available to the majority of our residents and to the campus as a whole. Over the last three weeks, two percent of our residential users have been responsible for almost fifty percent of the data passed across our Internet connection.

For this reason and as one of our strategies for managing network resources, the University will soon institute a daily capacity cap for all residential and wireless users. A user who exceeds the cap will see his/her network access to any computers on the residential or wireless network terminated until he/she reauthenticates with our normal network registration procedure. The user will then receive a message that he/she has exceeded the bandwidth cap instituted by the university and will notice a significant decrease in performance when accessing the Internet for a period of at least twenty-four (24) hours. Access to filer (w:\ drive), shared space (s:\ drive), WebCT, and all other on-campus resources will remain available with no limits.

A user who has become limited and has an academic requirement for more generous access may request that his/her limit be temporarily removed by sending email to help@utulsa.edu.

Monday, August 13. 2007
The Storm Worm
Systems Affected:
Windows 2000
Windows XP
Windows 2003 Server
Windows Vista (all versions)

Description: The “Storm Worm” started arriving in email boxes in January of 2007. Unlike many worms or viruses that infect large quantities of machines quickly and then all but disappear, the number of machines infected with the “Storm Worm” has continued to grow until it now has nearly 2 million systems infected. The “Storm Worm” is unique in that all of the infected machines are in nearly constant communication, sending updates to one another and launching attacks on Internet victims in a coordinated fashion. Since the “Storm Worm” systems are always in communication, the “Storm Worm” has the ability to update itself automatically in an effort to avoid detection by antivirus programs, so most antivirus programs will not properly detect the most recent versions of “Storm Worm”. A clean bill of health from antivirus programs (even multiple antivirus programs) does not necessarily indicate that a system is clean.

The “Storm Worm” generally arrives in an email message that appears to be a greeting card or some form of news information. The “Subject:” line has changed with time, and the email message can sometimes be very convincing. Once a user clicks on the link and runs the downloaded file, the computer is infected with the “Storm Worm”. For added protection, the “Storm Worm” installs a special piece of software on the computer called a “rootkit”, which is designed to hide the “Storm Worm” so that it cannot be detected or removed by even the most up-to-date antivirus program, making it essentially impossible to ensure that the worm is totally removed from a system without formatting (erasing) the hard drive and reinstalling the operating system and all software from CDs.

Recommendations:
• Users should not open attachments or follow web links received in email messages without independently (by phone or return email) confirming that the attachment or link was sent intentionally.
• Faculty or staff who have already followed the instructions in an electronic greeting card, downloading and running a program from a webpage on a university-owned machine, should contact their systems administrator immediately.
• A user on a personally owned system who has already followed the instructions in an electronic greeting card, downloading and running a program from a webpage, should make backups, format his or her hard drive, and rebuild his or her system, or take it to a professional to do so.
• Every student, faculty, and staff member should connect to MyTU and download the latest antivirus software onto their personally owned computer(s).

Although this particular worm can be fairly successful at evading detection by antivirus software, the CSRT still believes that the combination of due diligence on the part of a user and properly updated antivirus software is the best defense against computer viruses and worms.

Disclaimer: This information is intended to help students, faculty, and staff at The University of Tulsa, no one else. Some information contained in this advisory may be specifically tailored to our systems. Some of the recommendations in this advisory may cause harm to non-university systems. If you are not a student, faculty member, or staff member at The University of Tulsa and find this information helpful, we are pleased, but do not call or email the Computer Security Response Team or the Helpdesk for further information.

Thursday, December 7. 2006
Vulnerability found in Adobe Acrobat 7.0-7.0.8 (including Acrobat Reader)
From the Adobe Website:
Affected software versions: Adobe Reader 7.0 through 7.0.8 and Adobe Acrobat Standard and Professional 7.0 through 7.0.8 on the Windows platform when using Internet Explorer. Users of other browsers are not affected.

"Critical vulnerabilities have been identified in Adobe Reader and Acrobat 7.0 through 7.0.8 that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious file must be opened by the end user for an attacker to exploit these vulnerabilities."

The Computer Security Response Team strongly encourages all users to be extremely careful when downloading and/or opening files from email or the internet. For all University-maintained machines, your system administrators in the colleges and departments will begin work on patching and securing machines.

Recommendations: For all personally managed machines (including student computers), we strongly encourage you to upgrade, patch, and secure your machine before you download or open any files from the internet or email. For more information, please visit the Adobe website: www.adobe.com/support/security/bulletins/apsb06-20.html

Please check the CSRT website for updates.

Disclaimer: This information is intended to help students, faculty, and staff at The University of Tulsa, no one else. Some information contained in this advisory may be specifically tailored to our systems. Some of the recommendations in this advisory may cause harm to non-university systems. If you are not a student, faculty member, or staff member at The University of Tulsa and find this information helpful, we are pleased, but do not call or email the Computer Security Response Team or the Help Desk for further information.

Tuesday, May 23. 2006
Vulnerability found in Microsoft Word Programs.
Systems Affected:
Windows 2000
Windows 95
Windows 98
Windows Me
Windows NT
Windows Server 2003
Windows XP
Microsoft Word

Description: A flaw in Microsoft Word programs has recently been found. Successful exploitation of this flaw would lead to the attacker gaining full rights in the context of the exploited user. As an example, if an exploited system was being run under Administrator privileges, then the attacker would gain Administrator privileges for that machine and be able to execute code, delete or edit files, or change configuration settings.

Through Office XP or Office 2003, the vulnerability could be exploited through e-mail attachments. For an attack to be successful, a user must open an attachment that is sent in an e-mail message. Also, an attacker could host a Web site that contains an Office file that is used to exploit this vulnerability.

Recommendations: Be wary of unsolicited attachments, even from people you know. Just because an email message looks like it came from your mom, grandma, or boss doesn't mean that it did. Many viruses can "spoof" the return address, making it look like the message came from someone else. If you can, check with the person who supposedly sent the message to make sure it's legitimate before opening any attachments. If there are any doubts about the legitimacy of an email or its attachment, delete the email, and ask the sender to send it again.

Disclaimer: This information is intended to help students, faculty, and staff at The University of Tulsa, no one else. Some information contained in this advisory may be specifically tailored to our systems. Some of the recommendations in this advisory may cause harm to non-university systems. If you are not a student, faculty member, or staff member at The University of Tulsa and find this information helpful, we are pleased, but do not call or email the Computer Security Response Team or the helpdesk for further information.

