National Cyber Awareness System:
09/25/2014 12:56 PM EDT
Original release date: September 25, 2014
- GNU Bash through 4.3.
- Linux, BSD, and UNIX distributions including but not limited to:
A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system . The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.
GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [2, 3]
- Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn subshells.
- Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities.
- Allow arbitrary commands to run on a DHCP client machine, various Daemons and SUID/privileged programs.
- Exploit servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.
This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform. This flaw allows attackers to provide specially crafted environment variables containing arbitrary commands that can be executed on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.
Patches have been released to fix this vulnerability by major Linux vendors for affected versions. Solutions for CVE-2014-6271 do not completely resolve the vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-7169.
Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 .
US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169, to mitigate damage caused by the exploit.
- Ars Technica, Bug in Bash shell creates big security hole on anything with *nix in it;
- DHS NCSD; Vulnerability Summary for CVE-2014-6271
- DHS NCSD; Vulnerability Summary for CVE-2014-7169
- Red Hat, CVE-2014-6271
- Red Hat, Bash specially-crafted environment variables code injection attack
- CERT Vulnerability Note VU#252743
The bad guys are at it again! Universities across the nation have been working to tighten security around employee pay and the bad guys are trying to get around the new protections. If you see a message like the one below, it is a scam.
They will ask you directly for your bank account numbers to try to bypass the security we have put in place to keep your information safe. If you have already responded to a message like this, you can report this cyber crime directly to the FBI at www.ic3.gov
The University is having a salary increment program again this year with an average of 2.5%.
The Human Resources department evaluated you for a raise on your next paycheck.
Click below to confirm and access your salary revision documents:
…link removed….to access the documents
Boston University is currently seeing a flood of fishing messages pretending to be from BU. These messages are scams. The link to sends you to a web site that is not BU.EDU (you can see this for yourself if you hover your mouse over the link, or, if you’re on a smart phone, click and hold until the link is displayed).
If you see this message, delete it. Did not click the link and do not login.
Sent: Thursday, May 29, 2014 7:57 AM
Subject: HELP-DESK Boston University
(IMAP) Server – requires Increase, Mailbox has exceeded its storage limit.
Click on Faculty and Staff Portal to increase
Mailbox SEND/RECEIVE Functions will be disabled if account increase is not completed.
Copyright © 2014 Staff and Faculty Mailbox Portal.
Information Services & Technology is piloting a new high-security login process for viewing and editing employee information, including pay statements and benefits on the BUworks Central Portal.
On June 10th, a new login service will be released to support this pilot program. This new service will also improve the capability and reliability of Boston University web authentication.
When we release the new service on June 10th, the login screen you’re used to seeing atwww.bu.edu/buworkscentral/ will change slightly. In addition, Web Login-secured applications (e.g., The Links), including those linked from BUworks Central, will require a separate login.
The high-security login pilot will be followed by a voluntary opt-in for all BU community members that log in to BUworks beginning in July. You can learn more about the new higher-security login process at www.bu.edu/tech/duo/.
Today Microsoft has released an out-of-band security update to address the issue affecting Internet Explorer (IE) that was first discussed in Microsoft Security Advisory 2963983. (Details below).
The new security update MS14-021 – Security Update for Internet Explorer (2965111) is fully tested and ready for release for all affected versions of the browser.
By now you may have heard that US-CERT and an number of other large security organizations are recommending people stop using IE for a while until a security issue is resolved.
Security issues are discovered on a daily basis and, while we always need to act with an abundance of care and caution, we also need to really think through how we respond to events such as this.
The issue in the article above is serious, but it is also something that requires a user to go to an infected web page in order to exploit. If the person is going to web pages that they always go to – web pages associated with their normal business and life – the risk should not be too great. As a practical matter, there are many web sites that don’t work properly on anything other than Internet Explorer, so the advice of “stop using Internet Explorer” really has little practical value for many people. Rather, we should look to provide guidance on how to reduce the risk generally speaking and particularly until the patch for this is released.
A counterpoint to the above story is a recent report by an independent lab, NSS, that showed IE as being far and away the most effect at blocking tested malware at over 99%, with Chrome at 70% and Firefox and Safari a dismal 4%. But these results are always changing as the focus of the bad guys change to take advantage of different things, to keep people guessing. So this new issues hits and for the moment IE is in the spotlight.
One thing that you definitely need to do is stop using XP. It is no longer under support, more and more exploits will be hitting the wild from now on and no one will be releasing fixes. Once you machine is breached, it will stay breached, and that will happen very quickly.
However there are several things that you can do to protect yourself again this particular issue and many others and still continue to use IE. Microsoft outlines a few of those here, but to summarize, the article suggests setting IE up in “Enhanced Security Configuration”—something that is good security practice anyway. These are the general steps:
Go to IE > Internet Options
Click on the Security Tab
Ensure that the following levels are set for each zone:
For the Internet zone, the security level is set to High. This will mean that any site you browse to that is not in your trusted sites category, will be prohibited from running scripts and dynamic content. This will protect you from a large number of threats out there, but it also means that most of the sites you normally use will not work correctly until you put them into trusted sites
For the Trusted sites zone, the security level is set to Medium, which allows dynamic content and normal operation of most Internet sites.
For the Local intranet zone, the security level is set to Medium-low, which allows your user credentials (user name and password) to be sent automatically to sites and applications that need them.
For the Restricted sites zone, the security level is set to High.
You will then need to add the sites you normally use and trust to the Trusted sites zones so that they will work properly. This takes some time to set up the first time, but once you have done so, you will be much more secure moving in to the future.
Quinn R Shamblin .
Executive Director of Information Security, Boston University
Boston University is committed to securing the personal information of our faculty and staff. In light of the recent Phishing events the Direct Deposit banking information on Employee Self Service (ESS) was disabled as a security precaution. A working group was formed and has been working diligently to develop more robust security measures to safeguard our employee’s personal banking information.
We are pleased to announce starting February 19, 2014 the Direct Deposit Link on ESS is once again available for use. Enhancements have been made to the Direct Deposit application by adding Banking validation checks. You will now be asked for your Current MAIN Bank account information when making banking changes to your existing account. Newly hired employees may skip this field.
The working group is also looking at developing more advanced and long term security solutions for the SAP Employee Self Service portal. We will have more information to share with soon on these future improvements.
Thank you for your continued support. If you have any problems or questions related to Direct Deposit, please feel free to contact the Payroll Office at 617-353-2270 or e-mail firstname.lastname@example.org.
Chief Human Resources Officer
The phishing scammers are at it again.
The phishing scammers are trying again. We have received several reports this morning of the message below being received by members of our community. This is the kind of phishing message we believe was responsible for the direct deposit problem we reported earlier this month, and the scammers are trying to use the fact that they were successful last time to continue and extend their crime. This message claims to be from security and talks protecting you from the evils of phishing.
The way that you can really tell that this message is a fake—is that it claims to be from BU, it even uses our logos, but it is sending you to a link that is not a bu.edu link.
A real BU link will always have “ .bu.edu/ ” in it.
There is always a dot before bu and always a slash after edu
These are examples of legitimate URLs:
You can see in the message below, that they are trying to look like a BU URL by including “bu.edu”, but it is not preceded by a dot as shown above. A small, but crucial difference.
Another few things to look for:
If you are prompted to Web Login, make sure it is the authentic BU Web Login page which begins with https://weblogin.bu.edu/something
And remember that BU will NEVER ask you for your password or ask you to “verify” it; nor would any other legitimate business or institution. It is important that you safeguard your passwords and never give them to anyone.
For more good ways to detect phishing, go to: http://www.bu.edu/infosec/howtos/how-to-detect-phishing/
Additional information on phishing is provided by IS&T at http://www.bu.edu/tech/phishing
Making your spam/phishing filter more effective
Mail that is clearly spam is filtered for you, automatically. However, one person’s spam might be another person’s research project, so other messages are simply tagged as suspicious and then allowed to go through. You can decide how to handle suspicious mail that does get through, following the tips for Managing Spam provided by IS&T at http://www.bu.edu/tech/comm/email/unwanted-email/spam/
If you see a phishing message, please send it and full headers to email@example.com
For details on how to do this, see: http://www.bu.edu/tech/comm/email/unwanted-email/report-abuse/
Thank you all for your attention and help in fighting this problem.
Quinn R Shamblin .
Executive Director of Information Security, Boston University