Information Security & Policy Blog

  • Critical Linux Kernel Security Update

    Welcome to Flight CVE-2013-2094

    This week, a vulnerability in the Linux kernel appeared publicly on the radar with an active exploit close on its tail. A local, unprivileged user can leverage a Linux kernel flaw to gain escalated privileges, without needing any further credentials, on a system running Linux kernel version 3.8.8. And just when you think your old frequent flyer miles are safe, the vulnerable code is present in every kernel version from 2.6.37 through 3.8.8 (and even in CentOS 6 2.6.32 kernels, which carry the affected code as a backport).

    Details about the vulnerability can be found here:

    Read the rest
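    As an added example (not part of the original post or of the advisory it links to), the following Python script turns the version ranges quoted above into a triage check: it parses `uname -r` style release strings, flags those whose base version falls between 2.6.37 and 3.8.8 inclusive, and separately flags CentOS/RHEL 6 `.el6` builds of 2.6.32, which the post lists as affected. The sample release strings, the `.el6` heuristic and the status names are this example's own assumptions. Because distribution kernels keep their base version after a fix is backported, a hit here means "check the vendor advisory", not "confirmed vulnerable".

```python
"""Triage check for CVE-2013-2094 by kernel release string.

Added example, not part of the original post. Classifies a release string
against the ranges the post gives: upstream 2.6.37 through 3.8.8, plus the
CentOS 6 2.6.32 kernels the post also names. Patched distribution kernels
keep their base version, so treat a hit as "check the vendor advisory".
"""
import re
import subprocess
from typing import NamedTuple, Optional, Tuple

UPSTREAM_FIRST = (2, 6, 37)
UPSTREAM_LAST = (3, 8, 8)
RHEL6_BACKPORT = (2, 6, 32)   # CentOS/RHEL 6 base version named in the post


class Verdict(NamedTuple):
    release: str
    base: Tuple[int, ...]
    # "in-range", "el6-backport", "outside-listed-ranges" or "unparsed"
    status: str


# Leading "major.minor[.patch]"; everything after (e.g. "-358.el6.x86_64") is ignored.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_base_version(release: str) -> Optional[Tuple[int, int, int]]:
    """'3.8.8-202.fc18.x86_64' -> (3, 8, 8); '2.6.32-358.el6.x86_64' -> (2, 6, 32)."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(release: str) -> Verdict:
    """Place one release string into the ranges listed in the post."""
    release = release.strip()
    base = parse_base_version(release)
    if base is None:
        return Verdict(release, (), "unparsed")
    if UPSTREAM_FIRST <= base <= UPSTREAM_LAST:
        return Verdict(release, base, "in-range")
    # The post names CentOS 6 2.6.32 kernels; only flag a 2.6.32 build when the
    # release string actually identifies it as an el6 build (an assumption of
    # this example, so other vendors' 2.6.32 kernels are not guessed at).
    if base == RHEL6_BACKPORT and ".el6" in release:
        return Verdict(release, base, "el6-backport")
    return Verdict(release, base, "outside-listed-ranges")


def running_kernel() -> Verdict:
    """Classify the kernel this script is running on."""
    return classify(subprocess.check_output(["uname", "-r"], text=True))


if __name__ == "__main__":
    # Constructed sample release strings, not taken from the post.
    for sample in ("3.8.8-202.fc18.x86_64", "2.6.32-358.el6.x86_64",
                   "3.9.0-rc1", "2.6.32-5-amd64"):
        print(classify(sample))
    print("this host:", running_kernel())
```

    Run it directly to see the classification of the constructed samples and of the host it runs on; in a fleet inventory you would feed `classify()` the release string each machine reports.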

  • S/MIME certificates available

    The University Information Security Office (UISO) is pleased to announce that Client Certificates (a.k.a. S/MIME certificates) are now available to all IU personnel at no cost. These certificates can be used to encrypt and digitally sign email.

    Information on obtaining and using the certificates is available in the Knowledge Base.

    Read the rest

  • Policy Draft IT-28 Provisioning of IT Services

    The University Information Policy Office recently posted and distributed a new policy draft for review, Policy IT-28 Provisioning of Information Technology Services.

    Policy IT-28 was drafted and developed with input from key stakeholders, paying particular attention to the Board of Trustees' concerns related to information and information technology risk — which have been continually highlighted by internal audits and repeated security incidents.

    IT-28 seeks to reduce the university’s exposure to threats and create economic efficiencies by leveraging common IT infrastructure and services to the greatest extent practicable (thereby freeing up resources for unit-specific needs).

    VP for IT and Chief Information Officer Brad Wheeler spoke at a town hall meeting on March 8th on the subject of “Mitigating Cyber Risks”, which covered the current risk environment and the development of IT-28.

    Read the rest

  • Domain 12: Compliance

    March 1, 2013

    As Jacqueline Simmons explains, IU operates in a complex legal, regulatory, & contractual environment, with responsibilities to comply with applicable legal, regulatory, & contractual requirements regarding safeguards over information and information assets. Doing so protects the university's reputation & minimizes the risk of negative financial consequences associated with noncompliance.

    Watch the video

  • Cloud Data Storage and the New User Roles

    The Paradigm Shift

    One might think that, as an IT security professional, I would wish to tactfully discourage the use of cloud computing; however, that is not entirely the case. Cloud computing opens avenues for collaboration on a scale never before realized by those wishing to integrate in thought and data sharing. Cloud computing virtually dissolves limitations defined by enterprise-level networks and even geographical spans. As technology connects individuals, potentially on a global scale, our ability to develop peer relations and interactions is greatly enhanced.

    Read the rest

  • Protection for PGP/BitLocker Whole-Disk Encryption

    Whole-disk encryption (WDE) adds a layer of protection for the data on your computer, but tools exist that can circumvent it under certain conditions. Lately, you may have heard about a tool from Elcomsoft that combines many popular WDE cracking methods in one package.

    You are probably aware of some of these attacks already. If an attacker can guess the encryption passphrase by brute force, he can decrypt the disk without any special tools. That is why a strong passphrase is a critical part of the encryption process.

    Read the rest

  • UPnP Vulnerabilities - Network Devices

    Universal Plug and Play (UPnP) is a protocol standard that allows communication between computers and network-enabled devices. UPnP allows devices to discover each other on the network and establish functional network services for data sharing and communication. This protocol is enabled by default on millions of devices, including routers, printers, media servers, IP cameras, smart TVs, home automation systems, and network storage servers.

    Read the rest
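    UPnP device discovery, described above, runs over SSDP: a client multicasts an HTTP-style `M-SEARCH` request to 239.255.255.250 port 1900, and every UPnP device that hears it unicasts back an `HTTP/1.1 200 OK` reply naming its description URL and server software. The following Python script is an added example, not code from the original post: it sends that search and parses the replies, which is the quickest way to inventory what on your own network is answering UPnP. `SAMPLE_RESPONSE` is a constructed reply in the shape a root device sends (its addresses and banner are made up) so the parser can be exercised offline.

```python
"""SSDP discovery: list what answers UPnP on the local network.

Added example, not from the original post. Sends the standard SSDP
M-SEARCH and parses the HTTP/1.1 200 replies UPnP devices return.
"""
import socket
from typing import Dict, List, Tuple

SSDP_ADDR = ("239.255.255.250", 1900)
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
)

# Constructed reply in the shape a UPnP root device sends; all values made up.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n"
    b"SERVER: ExampleOS/1.0 UPnP/1.0 ExampleUPnP/1.0\r\n"
    b"\r\n"
)


def parse_ssdp_response(data: bytes) -> Dict[str, str]:
    """Parse one SSDP reply into lower-cased header name -> value.

    Returns {} for anything whose status line is not HTTP/1.1 200, so stray
    datagrams on the socket are ignored instead of being mis-reported.
    """
    text = data.decode("utf-8", errors="replace")
    lines = text.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break                      # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def summarize(headers: Dict[str, str]) -> Tuple[str, str, str]:
    """(search target, description URL, server banner) for one device."""
    return (headers.get("st", ""), headers.get("location", ""), headers.get("server", ""))


def discover(timeout: float = 3.0) -> List[Tuple[str, Tuple[str, str, str]]]:
    """Multicast an M-SEARCH and collect (responder IP, summary) pairs."""
    found: List[Tuple[str, Tuple[str, str, str]]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH.encode("ascii"), SSDP_ADDR)
        while True:
            try:
                data, (ip, _port) = sock.recvfrom(65535)
            except socket.timeout:
                break                  # MX seconds have passed; no more replies expected
            headers = parse_ssdp_response(data)
            if headers:
                found.append((ip, summarize(headers)))
    return found


if __name__ == "__main__":
    print("sample parse:", summarize(parse_ssdp_response(SAMPLE_RESPONSE)))
    for ip, (st, location, server) in discover():
        print(f"{ip:15} {st:30} {location}  [{server}]")
```

    Run it on the network you administer and compare the responders against your inventory; each `LOCATION` URL points at the device's description document, which is where you would look next to see what services the device exposes.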

  • You may be sharing your IU voicemail through iTunes

    Users of the Lync voicemail system should be aware that, under certain conditions, they could unintentionally be sharing their University voicemail messages with other people.

    If iTunes is installed on a device and is configured to share its library (which may be the default during installation), there is a strong possibility that retrieving Lync voicemail messages will share those messages with anyone who has access to your shared iTunes library.

    Read the rest

  • Responding to a phish

    This morning I got three phishing email messages. They came From different senders.

    From: Indiana University <ABarrientos@med.miami.edu>
    Subject: Important secure message
    To: Undisclosed recipients:;

    From: Indiana University <skonig@towson.edu>
    Subject: Important secure message
    To: Undisclosed recipients:;

    From: Indiana University <mcfarlia@mailbox.sc.edu>
    Subject: Important secure message
    To: Undisclosed recipients:;

    Read the rest

  • Domain 11: Business Continuity Management

    January 29, 2013

    Access to information and information assets can be partially or completely interrupted by natural disasters, accidents, equipment failures, or malicious activities. As Mary Lou Emmons explains, appropriate business continuity planning — planning for the unexpected — must be undertaken to protect the availability of critical information resources and continuity of operations.

    Watch the video