
The US Department of Education Office of Federal Student Aid has identified a malicious phishing campaign that may lead to potential fraud associated with student refunds and aid distributions. Multiple institutions of higher education have reported that attackers are using a phishing email to obtain access to student accounts by providing links to bogus student portals.

If you have received this email or a similar one, please do not reply to it, open any attachments or click on the link.

Image: Sample phishing message

If you have responded to the phishing attempt with your GW UserID and corresponding password, please change your password immediately by visiting identity.gwu.edu and clicking on “Reset/Forgot Password”.

Please remember that you should always be wary of messages requesting account verification, confirmation or upgrade, payment or personal information such as your passwords, GWid, Social Security number or credit card information. Additionally, please ensure that your computer is patched with the most recent operating system updates.

If you receive any phishing attempts in the future, please do not reply to them, open any attachments or click on any links. Please forward the email to abuse@gwu.edu.

If you have any questions about the validity of a link you see or a message you receive, please contact the IT Support Center at 202-994-GWIT (4948), ithelp@gwu.edu or IT.GWU.EDU.

We get this question a lot. You're surfing the web, you click a link, and all of a sudden you see this screen:

Image: Blocked website

We understand that this can be frustrating, especially when you believe that the website in question is completely safe and legitimate. The GW Security team is happy to correct any incorrect blocks and encourages you to contact us using the form provided on the block page. We also want to take this opportunity to explain why some websites get blocked and what you can do about it.

The GW network is set up to use domain resolution services provided by Cisco OpenDNS Umbrella. OpenDNS serves over 65 million users daily and provides timely protection against an ever-growing array of threats.

Before we talk about blocked sites, we want to address a few categories that come up often in block complaints and confirm that we do not block the following categories:

  • Controversial (for political, lifestyle or any other reason) sites
  • Pornography (except illegal)
  • Gaming
  • Coin mining (except for domains implicated in unsolicited browser coin mining and seen used by coin stealing / mining malware)
  • Video streaming / sharing / downloads

You can read OpenDNS's anti-censorship policy here: https://www.opendns.com/about/anti-censorship-policy/

That said, pornography, gaming, coin mining, and (illegal) video sharing or streaming sites have a higher-than-normal percentage of compromised and malicious / malvertising (ads redirecting to malware and adware) sites, which could be blocked.

We also strongly advise against running gaming or coin mining servers on the GW network, as they are often targets of various types of cyberattacks, including DDoS, and could be flagged for inappropriate use of GW resources such as electricity and shared bandwidth.

Here are some reasons why a website you're trying to visit may be blocked:

Reason #1. This is not the site you intended to visit.

We block a lot of malicious and malvertising (ads redirecting to malware and adware) sites. Sometimes a legitimate, clean website loads an advertising pop-up or redirect that gets blocked, giving the impression that the site you are visiting is blocked as well.

Double-check the URL. You may be trying to visit a similar, likely malicious, website that is blocked (e.g. gwu.com vs. gwu.edu).

What to do:

Check the URL shown in the block page. If this is not the URL you typed or expected, try your original destination URL or check for other open tabs in your browser where the site you visited may still be open.

Reason #2. Malware, Adware, Scareware, Scams, Phishing, Bad hosting.

This category is obvious but still requires a few notes. Imagine your hometown restaurant site gets blocked and you believe it is wrong because you visited that site many times before so it seemed clean. There are a few reasons why blocks of legitimate sites may occur:

  • The site might actually be compromised. It does not have to be infecting visitors, but it could be detected as having phishing links, browser coin mining code, or malicious code redirecting visitors to suspicious sites.
  • Collateral damage from bad sites using the same hosting server. Sometimes OpenDNS services block IP addresses that are home to multiple malicious domains.
  • The site was compromised in the past but is clean now. However, some security providers may still have it blacklisted, and blocklists are commonly shared between companies.
  • False positive blocks by some security providers may affect the overall score.
  • Human error: a non-malicious website mistakenly blocked as part of an incident response investigation.

What to do:

If you believe a block is wrong, fill in the form on the block page; we will reply promptly and whitelist or unblock clean sites.

Reason #3. Newly seen domains.

Newly seen (by OpenDNS) domains are temporarily blocked.

New domains are often registered by the thousands as part of a new malware campaign, to bypass blocks on sites that have already been flagged as malicious. Newly Seen Domains (NSD) is a security category that works by checking OpenDNS logs for lookups of domains that had not previously been seen across all OpenDNS global sensors. When a lookup for such a new domain is seen, the domain is flagged as "newly seen" and added to the NSD list. This temporary block eventually expires; the expiry time depends on the characteristics of the parent domain or the IP space / registrant. Typically domains stay on the list between one and three days, but there is no fixed period. During that time malicious domains are often added to the appropriate security category, and benign domains become unblocked.

A significant portion of the domains categorized as newly seen will not, in fact, be malicious, and OpenDNS takes precautions against blocking content delivery networks (CDNs) known to generate many new subdomains, as well as other well-known benign providers.

Please note that the first query to a domain will be allowed: if OpenDNS has never seen it, it has not yet been added to the Newly Seen Domains category. The time gap between when a domain is first queried and when it appears in the list of domains matching the Newly Seen category is ?????

Important note: A domain will enter the process to be flagged as newly seen not when it is first registered, but rather when it is sampled in a DNS query to OpenDNS Umbrella resolvers - in other words, when a visit is attempted. Not every DNS query to Umbrella is sampled, and therefore some very low traffic domains may not be flagged as newly seen immediately.

What to do:

Fill in the form on the block page; we will reply promptly and whitelist it so you do not have to wait for the Newly Seen Domain block to expire in a few days.
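To make the first-query-allowed behaviour and the expiry window concrete, here is a small simulation of the Newly Seen Domains logic described above. It is an added example written for this page, not OpenDNS code; the fixed two-day expiry, the assumption that every query is sampled, the naive "last two labels" parent-domain rule, and the sample lookups are all constructed.

```python
from datetime import datetime, timedelta

# Assumed expiry window: the page says blocks usually last one to three days.
NSD_TTL = timedelta(days=2)

class NewlySeenDomainFilter:
    """Toy model of the Newly Seen Domains (NSD) category described above.
    Assumed simplifications: every query is sampled, expiry is a fixed NSD_TTL,
    and the allowlist stands in for the CDNs and benign providers OpenDNS exempts."""

    def __init__(self, known=(), allowlist=(), ttl=NSD_TTL):
        self.ttl = ttl
        self.known = set(known)          # domains seen before the window started
        self.allowlist = set(allowlist)  # never flagged as newly seen
        self.first_seen = {}             # registrable domain -> first sampled time

    @staticmethod
    def registrable(qname):
        # Naive eTLD+1 (last two labels); a real resolver uses the public suffix list.
        labels = qname.lower().rstrip(".").split(".")
        return ".".join(labels[-2:])

    def resolve(self, qname, now):
        parent = self.registrable(qname)
        if parent in self.allowlist or parent in self.known:
            return "allow"
        seen = self.first_seen.get(parent)
        if seen is None:
            # First lookup is allowed: the domain is only now added to the NSD list.
            self.first_seen[parent] = now
            return "allow"
        if now - seen < self.ttl:
            return "block:newly-seen"
        # Window expired without the domain being recategorised: it becomes known.
        self.known.add(parent)
        del self.first_seen[parent]
        return "allow"

def run_sample():
    t0 = datetime(2024, 1, 1, 9, 0)
    nsd = NewlySeenDomainFilter(known={"gwu.edu"}, allowlist={"examplecdn.net"})
    log = [  # constructed sample lookups, not real traffic
        ("identity.gwu.edu", t0),
        ("new-portal.example", t0 + timedelta(minutes=1)),
        ("www.new-portal.example", t0 + timedelta(minutes=2)),
        ("asset123.examplecdn.net", t0 + timedelta(minutes=3)),
        ("new-portal.example", t0 + timedelta(days=3)),
    ]
    return [(q, nsd.resolve(q, t)) for q, t in log]
```

The second lookup of the new domain (via a subdomain, a minute later) is the one that gets the block page; the same domain queried after the window has passed resolves normally.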

Image: Spectre and Meltdown graphic

By now you have likely heard of the security vulnerabilities known as "Meltdown" and "Spectre." The purpose of this blog post is to give you a brief description of these vulnerabilities and what you need to do to mitigate the associated risks.

Let's discuss Meltdown first. Meltdown is the name given to a CPU (central processing unit; basically the microchip that runs your computer) design flaw that affects the security boundaries enforced by the CPU or processor. It essentially breaks down the boundary that prevents user applications from accessing privileged system memory. The Meltdown vulnerability is confirmed to exist in all Intel processors since 1995, except for Intel Itanium and Intel Atom before 2013. This includes computers by popular vendors such as Apple, Microsoft, Dell, HP, and Lenovo.

Spectre is similar but different in some important ways. Spectre is the name given to a CPU design flaw that allows an attacker to utilize a CPU's cache channel to read arbitrary memory from a running process. Unlike Meltdown, Spectre can only read memory from the current process, not from kernel or system memory. Also, unlike Meltdown, Spectre is confirmed to affect Intel, AMD, and ARM processors. This includes computers, tablets and smartphones made by popular vendors such as Apple, Microsoft, Dell, HP, Google, and Lenovo. The relatively good news is that it is much more difficult to successfully exploit Spectre and the attack surface is limited to user space processes, e.g. web browsers, desktop applications.

There are two important things that we want you to know about these vulnerabilities. If you remember nothing else, remember this:

1.) Don't panic. While these vulnerabilities are widespread and definitely very bad, there is no need to panic. There's no need to go buy a new computer or go back to using pen and paper. You may read some very scary media reports about the potential impacts of these vulnerabilities. This is common when widespread vulnerabilities are announced.

2.) Keep your software up to date. This is good cyber hygiene no matter the circumstance. This includes your operating system (Windows, macOS, Linux, iOS, and Android), your browser (Microsoft Edge, Google Chrome, Firefox, Safari), and your browser plug-ins. Vendors are working very hard to produce software to mitigate the risks of these vulnerabilities. Make sure you install these updates when they are available.

If you have any questions about how to make sure that you're running the latest software, call the IT Support Center at 202-994-4948 or e-mail ithelp@gwu.edu.

Want to learn more? Check out the following:

Apple announcement: https://support.apple.com/en-us/HT208394

Simple, brief write-up by security researcher Daniel Miessler: https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/

Vulnerability website: https://spectreattack.com/

Last week, the Division of IT sent an e-mail to the GW community regarding the recent discovery of 1.4 billion stolen credentials (usernames and passwords). The purpose of this blog post is to discuss the risks associated with credential re-use and what you can do to minimize the chances of your GW credentials being used by unauthorized persons. We wanted to take a moment to elaborate on the nature of this threat and how "credential dumps" can impact you and your online safety.

As you may have heard, large websites like Adobe.com, LinkedIn.com, and Yahoo.com have all suffered major cyber incidents in the last few years. A common hallmark of these incidents is that attackers steal the usernames and passwords of the sites' users and then leak the credentials publicly. There is very little that any regular user can do to prevent these incidents from occurring, but there are actions you can take to safeguard your accounts and your data. The most recent credential dump referenced in the above article is a collection of credentials gathered from numerous hacks.

Follow these guidelines to help protect your accounts:

1.) Check haveibeenpwned.com* to see if any of your e-mail addresses are associated with any large credential breaches. This site is operated and maintained by Troy Hunt, who is a well-known, reputable computer security expert.

Image: "Have I been pwned?" search page

Simply type your e-mail address, click the "pwned?" button and see a list of any websites where your e-mail address and password have been part of a known credential breach.

Image: All-clear result
If you see this, that's good. No passwords to change.

Image: Pwned report
If you see this, change the passwords for the impacted accounts.

Feel free to share this URL with your family and friends.

2.) It is important that you do not re-use passwords. For example, if you use your GW e-mail address to register for Pinterest.com, the password you choose there should not be the same as the password you use for your GW e-mail account. This way, if Pinterest is ever compromised, that password is essentially useless for anything other than Pinterest. If you have trouble remembering passwords (this applies to roughly 99.9% of all people, including the author), use a password manager. While not officially supported by the GW Division of IT, we like LastPass. LastPass works on PCs and Macs, as well as mobile devices that run iOS and Android. Password managers help users manage unique, long, complex passwords in an efficient manner.

3.) Choose passwords that are long (the longer the better) and complex (no dictionary words). Easily guessable passwords or passwords that employ obvious obfuscation techniques (e.g. Ra1seH1gh!) are not great passwords. While GW does not require you to change your password, it's not a bad idea to change your password periodically. There are some competing schools of thought on this issue but the GW security team recommends changing your password at least once annually.

The GW information security team is always on the lookout for notices of public credential dumps. We may tell you about these from time to time, especially if we learn that you may have been impacted by one of these dumps. In the meantime, follow the above guidance. These little things will go a long way to protect your accounts and your data from an attacker.

* - "pwned" is hacker-speak for "owned" or compromised.