RIT set to Roll out MFA 10/24/18

    RIT is rolling out Multi Factor Authentication very soon. Multi Factor Authentication is adding an extra factor to validate your credentials. For example, when you log into RIT services you are prompted your username and password; with the new multi factor authentication, you will need to provide an extra form of authentication. These methods include: Using the DUO mobile app, text, phone call, office phone call, and email. RIT has been experiencing more attacks than ever before, and this is their attempt at mitigating the risk of attacks. Last year MFA was put into effect for faculty, staff, and student employees. This was because many Ebiz accounts became compromised. The attackers then changed direct deposit numbers to be routed somewhere else. Luckily no one lost money because controllers saw the change in numbers and knew what was happening because another university was attacked in the same manner.

Image result for multi factor authentication

Why does this matter to us?

If we do not enroll in MFA by the 24th of October, there will be a hold on your account and you will not be able to enroll for classes next semester.

Possible Problems:

With MFA comes the use of another device to authenticate yourself on RIT services. For example, if you signed up and planned on using the DUO app, DO NOT forget your phone. ITS will have to give you a Bypass until you can get access to your phone, which would be unfortunate if you need to log onto something ASAP. I personally don’t see why the students need MFA, but I have no choice but to enroll into it.

Image result for locked out

By: Alejandro Juarez

 

Iranian Hackers Steal Academic Research Papers From Over 70 Universities

By: Brent Burgess                                                                                                                9/18/201

Around three weeks ago SecureWorks, a cybersecurity research group, discovered a massive phishing scheme that has been recently targeting many universities. This phishing attack has targeted over 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States. Most of these spoof sites had domains which attempted to replicate the universities’ library pages, getting access to accounts attempting to enter their library resources, and obtaining 31 terabytes of academic knowledge. When the information was entered, they were redirected to the actual university library site where they either were signed in or asked to repeat their credentials. The 16 domains were created between May and August of this year. Many of these stolen research papers were then sold by texting an encrypted message to WhatsApp or Telegram.

These phishing attacks were found to be perpetrated by the Cobalt Dickens hacking group which has been found to be closely associated with the Iranian government. In March of this year, the United States had indicted the Mabna hacking group and nine members in connection with the group. This group’s previous attacks appeared to have the same infrastructure as the Cobalt Dickens attacks, implying some of the same members were involved. These universities which create cutting-edge research are high priority targets due to the value of their information presents as well as the difficulty of securing them. This hack has taken place shortly after the United States decided to re-establish economic sanctions with the United States implying a potential political motivation.

“This widespread spoofing of login pages to steal credentials reinforces the need for organizations to incorporate multi-factor authentication using secure protocols and          implement complex password requirements on publicly accessible systems.”                  -SecureWorks

Sources:

https://www.zdnet.com/article/iran-hackers-target-70-universities-in-14-countries/ https://www.express.co.uk/news/world/1017903/US-sanctions-Iran-hackers-nuclear-power-cybersecurity-donald-trump/                                    https://www.securityweek.com/iranian-hackers-target-universities-large-attack-campaign-secureworks                                                https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities

 

 

Iranian Hackers Target US Professors

On March 23rd the Justice Department charged nine Iranians with multiple counts of identity theft and conspiracy to commit computer intrusions.  The main targets of the attack were professors at both US and foreign universities. Also targets were several US and European based private companies as well as multiple government agencies. The hackers were accused of being affiliated with the Mabna Institute and acted under behest of an Iranian intelligence agency. The attorney who brought the case claims that the Mabna Institute may seem legitimate, but that it only exists for the sole reason of stealing scientific resources from around the world. They used phishing emails that appeared to come from other universities to target more than 100,000 accounts belonging to professors worldwide and compromised about 8,000. They also compromised at least 37 US based companies, 11 based in Europe, and at least 5 government agencies including the Labor Department, the Federal Energy Regulatory Commission, and the UN. With this attack dating back to 2013, the hackers were able to steal more than 31 terabytes of information, worth about $3 billion in intellectual property. The justice department has recently said that the nine hackers are still at large.

–  Owen Ryan

Sources:

https://www.cnbc.com/2018/03/23/us-indicts-iranian-nationals-in-iran-government-backed-scheme-on-us-universities.html

https://www.wired.com/story/iran-cyberattacks-us-universities-indictment/

Under Armour: My FitnessPal Hack

On March 25, 2018, Under Armour was alerted of a breach that took place in February 2018. Under Armour notified the media, that 150 million MyFitnessPal user accounts were hacked from the breach of its database. However, since information like Social Security numbers and drivers license weren’t even asked for by the app, and since payment cards were processed separately, they were not stolen in the data breach. The stolen data consists of account usernames, as well as the email address associated with it and the hashed passwords. Meaning that though the passwords were obtained, they remained encrypted. The reason this is important to note is because, though the hackers have access to the above mentioned info, they still don’t have all the account passwords. Therefore, users still have time to change their passwords. Since many users use the same username and password across multiple sites and applications, it would be a good idea for them to change their passwords on their other accounts as well. Nevertheless, the risk still remains from this data breach. With the emails, the attackers are able to send phishing attacks to the user, making the email seem like its from the fitness app. Under Armour said it is working data security firms and law enforcement, but did not provide details on how the hackers got into its network or pulled out the data without getting caught in the act.

 

Sources:

https://www.reuters.com/article/us-under-armour-databreach/under-armour-says-150-million-myfitnesspal-accounts-breached-idUSKBN1H532W

https://www.slashgear.com/under-armour-myfitnesspal-hack-5-things-to-know-30525418/

-Noor Mohammad

Myfitnesspal.jpg

Russian Government Cyber Attacks Targeting Critical US Infrastructure

In this modern, technology-run day-and-age, the use of cyber hacking by one nation against another is an increasingly frequent method of attack. The United States Computer Emergency Readiness Team in joint with the DHS and FBI recently released a report outlining specific types of attacks they have identified being used by the Russian government targeting the U.S. government as well as “organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors”. They have also confirmed that these attacks have been ongoing since at least March of 2016.

One type of attack uses spear phishing emails containing Microsoft Word files loaded with a malicious script. These script first installs some credential-harvesting tools like Hydra and CrackMapExec. Then, it attempts to retrieve a file on a server via SMB request. By doing so—whether or not the file exists—an authentication request is typically prompted to the user before continuing. At this point, the script will capture the hash of the user’s credentials, and make an attempt to extract the full username and password using the aforementioned tools installed on the machine.

Another type of attack again used phishing to obtain credentials via a link in a falsified .pdf contract agreement. Users were directed to follow a link in the document to enter their email address and password in order to agree to the service contract. Once the credentials were in hand, attackers used them to attempt to gain access to the internal systems of these important infrastructure institutions. A back-door was installed to allow persistent access, and attackers could then modify firewall settings and Windows registry keys.

The release of this information is significant in two ways. First, it is just another example as to the extreme importance of vigilant cyber security awareness and practice. Both of these attacks rely on the ignorance and thoughtlessness on the side of the end-user to gain access into the system. Whether it’s opening unsolicited Microsoft Word documents or agreeing to unfamiliar (and unofficial) contracts, both scenarios rely on users divulging their credentials without suspicion as to whether the requesting source is legitimate.

Second, it is another example of the changing landscape of cyber security and cyber hacking as it continues to be used more frequently by governments as a weapon against other nations. Now more than ever is cyber security conversation and awareness important for all people as we enter an age of online warfare.

— Brendon Stowe
Student, R•I•T
Web & Mobile Computing


Source:
Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors