CISO Newsletter :Office of the CISO -

Office of the CISO

CISO Newsletter

Volume 3, Issue 2
October 2014

Subscribe button

October is Cyber Security Awareness Month

Top 12 Logo

Cyber Security Awareness Month was established to help promote safety and security online. In observance, we would like to remind you of our Top 12 Smart Computing tips.

Top 5 Password Don’ts

A recent headline sensationalized the “leak” of millions of passwords from a popular email service, but the story that followed it revealed that the purported list wasn’t really newsworthy. It was actually an assortment of stolen usernames and passwords that were mixed and matched from various sources over a period of years, and in many cases, the credentials were no longer in use. Not only does this illustrate the dilemma of discerning truth from hype in security and privacy news, but an analysis of the story’s list of compromised passwords also yields a troubling bit of reality: people continue to mix easy-to-guess passwords with flawed password practices. Below are some considerations to avoid putting personal and UW institutional information at risk:

  1. Don’t use personal information, such as Social Security Numbers or birth dates, as passwords.
  2. Don’t reuse the same password for multiple accounts and services, such as your UW NetID and your online banking account.
  3. Don’t use the commonly used (and commonly breached) passwords on widely reported Top 25 Worst Passwords lists.
  4. Don’t use public Wifi networks, such as those in cafes, to log in to accounts.
  5. Don’t enter passwords on shared computers, such as kiosks in hotels and Internet cafes.

If you have trouble remembering login information, consider using password manager software. For more information and pointers, see our online training, Passwords and Passphrases: Guidelines and Best Practices.

Shellshock: What You Should Know

A vulnerability in a prevalent and decades-old software program named Bash made headlines this week, and it is being described with superlatives such as “10 on a scale of 1 to 10.” The perceived severity of the threat, dubbed “Shellshock,” is based on its unique combination of pervasiveness, potential for high impact, and low complexity — meaning that it could easily be used by cyber criminals to exploit victims’ computers, servers, routers, and mobile devices.

What is Bash?
An important thing to understand about Bash, its bug, and its potential vulnerability, is that Bash functions in computing in a variety of ways – some that the user initiates consciously, and some that run surreptitiously in the background while browsing the Internet.

Bash is a shell, or command-line interface that allows users to type in text to issue commands to a computer program. There are various shells that may be used for this purpose, but Bash is a popular one, and it is the default shell for Linux, Mac OS X, and some versions of Unix. Windows machines and Windows servers don’t run Bash by default, though Bash may be installed on Windows by the user.

Bash also functions as an interpreter for Common Gateway Interface (GGI) scripts, one way that websites display dynamic content. These CGI scripts may be executed on Apache, an open-source Web server that accounts for half of web servers worldwide. Bash’s widespread, automatic use on Apache servers is one reason why the Shellshock bug is seen as particularly serious threat.

Is Shellshock the “New Heartbleed”?
Shellshock has drawn comparisons to Heartbleed, a security threat that garnered media attention earlier this year, because both vulnerabilities lie in open-source software. But Heartbleed only impacted certain servers (those running OpenSSL) and could only be used to cipher information. The capability for exploit of the Bash vulnerability exists on many more servers worldwide and it could be used to remotely take over an entire machine or device to gain access to all of its information – or, in some cases, add it to a botnet.

Potential Threat Vectors
Because Bash is used and embedded in a variety of ways, some of which are automatically called from system to system via scripts and Internet protocols, it is difficult to determine all of the vulnerable systems and patch them.

It is said that this threat doesn’t affect most Windows users, but use of Bash is common in embedded Internet devices, such as routers, wireless access points, phones, TVs, and other home and health devices with an IP address. In order for an attack of such devices to be successful, however, the attacker needs to know a specific vulnerable file to attack. Users should check for updates and patches on all systems that connect to the Internet.

For system administrators and technical users, Red Hat has a guide on how to determine if your system is unpatched and vulnerable.

What to do
US-CERT, the Department of Homeland Security’s Computer Emergency Readiness Team, has advised users and administrators to refer to their Linux or Unix-based operating systems suppliers for a patch.

In a statement, Apple said that most of its OS X users were not at risk from the Shellshock bug because Apple’s default settings protect users from remote exploits used to covertly access a personal desktop or laptop computer. For users who have reconfigured their advanced Unix services (underlying code in OS X), Apple released a patch on Tuesday, September 30.

Users should watch for updates and patches and regularly check manufacturer websites, particularly for hardware like routers. Users should also make sure routers and Wireless Access Points are secured with a password, and that the remote management feature is turned off.

All users should back up data regularly, as the vulnerability may be used to delete valuable data.