Skip to content

Category: vulnerabilities

Published on

Reports have surfaced of a vulnerability within the chat function of Zoom for Windows that may permit unauthorized access to online classes and video conferences, which may allow hackers to send a malicious link through Zoom chat.

The malicious link looks slightly different from a URL, but is similar enough to cause confusion for users. When the link is clicked, the user’s credentials (UserID and password) may be leaked online. Leaked passwords can be easily cracked with widely available tools. In addition, hackers could gain access to the user's computer, execute unwanted software, send malicious messages, etc.

While there have been no known impacts to GW accounts, please follow these recommendations for video meetings and online instruction:

  • Use Webex instead of Zoom. Webex is GW’s supported secure video meeting collaboration tool, and is available to all students, faculty and staff. Visit the telecommuting page to learn more.
  • For online instruction, use Blackboard, GW’s online learning platform. Blackboard allows faculty to share materials with students, as well as facilitate synchronous (Blackboard Collaborate) and asynchronous communications (including discussion boards and integrations with VoiceThread and Echo360). Visit the tools for instructional continuity page to learn more.
  • Use meeting passwords for all meetings, verify all participants, and lock entry. To learn how to host secure Webex meetings and lock entry, visit Webex Secure Meetings.
  • Do not share or click on any links from unknown users.
  • Avoid links that start with a double back slash (e.g. \\ for example, \\com).

Remember to protect your information!

GW Information Technology (GW IT) continues to take proactive measures to keep our campus community safe. Please be aware that phishing attempts often seem legitimate. It is important for faculty, staff, and students to be extremely vigilant and take steps to secure logins, passwords, and data.

GW’s Office of Ethics, Compliance and Privacy has developed guidance on best practices for data protection when telecommuting, as well as data protection while using virtual meeting, event and collaboration platforms. Visit COVID-19 data protection guidance to learn more.

Remember to report any suspicious electronic communication or request to abuse@gwu.edu.

Questions? Concerns? Please contact GW Information Technology at 202-994-GWIT (4948), ithelp@gwu.edu or IT.GWU.EDU.

Published on

Information Security Photo Collage

People have a lot of pre-conceived notions about security teams and practices. While some misconceptions may be grounded in truth and others fairly outlandish, there is a lot going on behind the scenes that users may not see. From claims that we are all hackers wearing hoodies and doing nefarious deeds to the perception that we are here to get in your way, we will help you understand what is true, what is not, and why these perceptions might exist.

Myth #1: Security is just here to say no

Being at a university presents the unique challenge of providing the tools and technology necessary for students and faculty to research, learn, and achieve their goals. We must strike a difficult balance between the availability of those resources and the security of the university and our community. As security professionals, we do everything we can to enable safe and reliable access to the tools that the GW community needs to reach their goals. We are here to facilitate a safe IT environment in which all students, faculty, and staff can access the resources that they need, sometimes it sounds like, “no”, but what we are really requesting is modifications that reduce risk of exposure or breaches at GW.

Myth #2: Security only deals with technology

Many people believe that IT security only works on securing servers, reading logs, and other highly technical tasks. On the contrary, the security team has a wide range of responsibilities of which technology is only a part. The security team is continuously engaging with people and data in a multitude of ways. Often trying to help people protect themselves and the organization through a security awareness program or working directly with other teams to enhance security within their operations. They are constantly trying to improve way to protect the GW community’s data by updating policies, implementing best practices, and assessing security processes.

Myth #3: The security team is just a bunch of hackers

Just as many people think that the security team is nothing but hackers. This is far from the truth. Information security is a wide field with many specializations and it takes all sorts to be effective. While some members of the team might be highly technical penetration testers, their counterparts are security professionals focused on defensive security and protecting the GW network and assets from outside threats. Not to mention that members of the IT Security team range from awareness professionals working with people and outreach to analysts focused on identifying and reducing risk.

Myth #4: The security team takes care of security so I don’t have to

The security team works tirelessly to ensure that the GW community, information, and assets are as well protected as possible, but the team is not always the first line of defense. Security is your responsibility too. Our community is often the first line of defense when it comes to attacks from outside GW. Social engineering (aka tricking people and deceiving them) is a common tactic employed by attackers and encompasses phishing, piggy backing, and taking advantage of users in the workplace. All of this means that you, the user, needs to play a vital role in protecting the university, or, as we call it #SecuringGW. Protecting your own information is an essential puzzle piece to overall security of GW.  Catching phishing emails and forwarding them to abuse at GW may seem like a small task, but it is small actions like this that alert the team and protect GW from large breaches. Being aware of people trying to enter buildings where they don’t belong, and maintaining a clean desk free of sensitive materials are all security measures that you can take to do your part in #SecuringGW.

Fact: GW Information Security – Your Trusted Advisor

The information security team strives to facilitate access to the resources that the GW Community needs in as secure a manner as possible. Security affects everyone; data loss, lack of availability, and compromised systems impede day to day business functions, which means it affects the day to day lives of everyone on campus. In order to help prevent this, the security team acts as a Trusted Advisor to everyone in the GW Community. Whether you want to implement a new system, service, or application, or begin a new project, involving the GW security team as Trusted Advisors from the start enables us to aid in proper project oversight and completion while maintaining and promoting the confidentiality, integrity, and availability of GW’s data, systems, and services.

 

Published on
Phishing diagram
From Wombat Security

Phishing

Phishing is a very simple and useful tool in an attacker’s arsenal. Phishing can lead to the exposure of sensitive information such as usernames, passwords, PII (personally identifiable information), and credit card information. So what is Phishing? It is at method used to obtain sensitive information from a victim that leverages social engineering and communications technologies that normal people use every day. There are various methods of phishing, with the most common being email, vishing (voice phishing), and smshing (text phishing). These methods can be blanket attempts that rely on quantity instead of quality (often called campaigns) or they can be very carefully crafted attacks with very specific targets (spear phishing and whaling). Luckily, identifying and defeating these attacks can be simple if you know what to look out for.

Email Phishing

Email is the hacker’s go-to for most phishing attacks; people wouldn’t think twice about receiving an email. Often times phishing emails will contain a malicious link, a malware attachment, or directly ask for sensitive information. In order to trick victims, these emails are crafted to appear from a big company, such as FedEx, Apple, or even from inside your own organization. Attackers use look-a-like or spoof emails to convince the target the email is legitimate. This can lead to compromised systems and/or exposed personal information, which can lead to further exposure of friends, family, and the victim’s organization.

Defeating Email Phishing:

  • Is the company logo/banner/design slightly off?
  • Would this person/company normally be sending you an email?
  • Should they already have the information they are asking for?
  • Never open unsolicited attachments
  • Legitimate Companies should never ask sensitive information through email
  • Use other methods to confirm the communication

Vishing

Voice phishing is growing in popularity and just like other types of phishing, vishing can be automated making it a dangerous tool. Attack examples include an “FBI” automated message, “IRS” tax refund/payment notification, or as a call from your local home improvement company. When attackers get on the line with their target they present a well thought out and engaging backstory to hook their victims. Impersonation is used in most vishing calls; attackers will impersonate IT staff, management in your company, and HR to appear official.

Defeating Vishing:

  • Ask the caller to provide information only you and they would know to ensure the caller’s identity
  • Never give sensitive information over the phone
  • If the call is suspicious, contact someone close to the individual, or through other means
  • Offer to call the individual back at the number in your staff/corporate directory, or at the number listed on the legitimate website

       

Smshing

Smishing sends texts to the targets phone in hopes of them clicking a malicious link, downloading malware, or returning sensitive information. Texts follow email phishing outlines and can be identified similarly. Many victims fall for smishing because they are unaware of the tactic and more trusting of texts. Don’t trust it more just because it’s a text message.

Defeating Smshing

  • Never provide sensitive information over text message
  • Avoid following random links
  • If you are unsure, reach out to your security team, or the communicating company
  • Do not call the number that texted you

Spear-phishing, Whaling & Campaigns

Most individuals come into contact with phishing campaigns. The goal of campaigns are to reach as many people as possible and hope for a hit. Whereas, spear phishing and whaling are techniques aimed at selected groups of individuals and executives. These are well planned, crafted, and executed, and shouldn’t be taken lightly. They aim to compromise victims with privileged access to systems, accounts, and resources. Victims typically don’t have the time to review these carefully crafted emails highly specific to the target and fall for the trap.

Defeating Spear-phishing and Whaling

  • Report suspicious emails looking for information to security
  • Verify communication with the contact through other methods
  • Attackers often impersonate colleagues, friends, and family
  • Always assume you’re a target
  • Opt for face to face meetings when possible (online or in person)

Published on

FaceTime LogoIf you use an iPhone, chances are you use FaceTime. Several sources have reported a bug discovered in the FaceTime application. The vulnerability allows a caller to remotely listen to the recipient's microphone before the recipient accepts the FaceTime call. It has also been reported that a variation of this vulnerability will allow a caller to receive video prior to the recipient accepting the FaceTime call.

Apple is working to release a software update to correct the problem later this week. In the meantime, we recommend the GW community disable FaceTime on Apple devices including iPads, iPhones, and Macs.

Instructions for iOS (12.1):

  1. Unlock device and go to “Settings”
  2. Scroll to FaceTime
  3. Toggle FaceTime off

Instructions for macOS (10.14):

  1. Open FaceTime application
  2. Click on the FaceTime menu (to the right of the Apple menu in the top left corner of the screen)
  3. Select “Turn FaceTime off”

Questions? For questions or to report any problems, please contact GW Information Technology at 202-994-GWIT (4948), ithelp@gwu.edu or IT.GWU.EDU.

Sources:

https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/

https://www.theverge.com/2019/1/28/18201383/apple-facetime-bug-iphone-eavesdrop-listen-in-remote-call-security-issue

 

Published on

spectre and meltdown graphic

By now you have likely heard of the security vulnerabilities known as "Meltdown" and "Spectre." The purpose of this blog post is to give you a brief description of these vulnerabilities and what you need to do to mitigate the associated risks.

Let's discuss Meltdown first. Meltdown is the name given to a CPU (central processing unit; basically the microchip that runs your computer) design flaw that affects the security boundaries enforced by the CPU or processor. It essentially breaks down the boundary that separates user applications from accessing privileged system memory space. The Meltdown vulnerability is confirmed to exist in all Intel processors since 1995, except for Intel Itanium and Intel Atom before 2013. This includes computers by popular vendors such as Apple, Microsoft, Dell, HP, and Lenovo.

Spectre is similar but different in some important ways. Spectre is the name given to a CPU design flaw that allows an attacker to utilize a CPU's cache channel to read arbitrary memory from a running process. Unlike Meltdown, Spectre can only read memory from the current process, not from kernel or system memory. Also, unlike Meltdown, Spectre is confirmed to affect Intel, AMD, and ARM processors. This includes computers, tablets and smartphones made by popular vendors such as Apple, Microsoft, Dell, HP, Google, and Lenovo. The relatively good news is that it is much more difficult to successfully exploit Spectre and the attack surface is limited to user space processes, e.g. web browsers, desktop applications.

There's two important things that we want you to know about these vulnerabilities. If you remember nothing else, remember this:

1.) Don't panic. While these vulnerabilities are widespread and definitely very bad, there is no need to panic. There's no need to go buy a new computer or go back to using pen and paper. You may read some very scary media reports about the potential impacts of these vulnerabilities. This is common when widespread vulnerabilities are announced.

2.) Keep your software up-to-date. This is good cyber-hygiene no matter the circumstance. This includes your operating system (Windows, MacOS, Linux, iOS, and Android), your browser (Microsoft Edge, Google Chrome, Firefox, Safari), and your browser plug-ins. Vendors are working very hard to produce software to mitigate the risks of these vulnerabilities. Make sure you install these updates when they are available.

If you have any questions about how to make sure that you're running the latest software, call the IT Support Center at 202-994-4948 or e-mail ithelp@gwu.edu.

Want to learn more? Check out the following:

Apple announcement: https://support.apple.com/en-us/HT208394

Simple, brief write-up by security researcher Daniel Miessler: https://danielmiessler.com/blog/simple-explanation-difference-meltdown-spectre/

Vulnerability website: https://spectreattack.com/

Viewing Message: 1 of 1.
 Notice

This site uses cookies to offer you a better browsing experience. Visit GW’s Website Privacy Notice to learn more about how GW uses cookies.