Due to current information, we would like to warn you about the new version of Microsoft Outlook for MacOS, because the option "Synchronize with Microsoft Cloud" is activated by default when setting up IMAP accounts. As with the Microsoft Outlook app for Android and iOS, this option means a redirection of access data (e.g. passwords) as well as content via the Microsoft Cloud. Apart from the data protection issues involved, sharing access data in this way is prohibited by IT usage regulations.
The WWU-CERT operates a central logging infrastructure for the evaluation of security-relevant events, a so-called Security Information and Event Management System (SIEM). It is used to detect and resolve security incidents and thus to protect the WWU. For this purpose, security-relevant information (e.g., logs) is compiled in the system and analyzed by the WWU-CERT for anomalies with regard to IT security.
Various personal data are processed in the process, which is why it was decided to introduce the SIEM with the participation of the staff councils.
The deployment and use of the SIEM is governed by a service agreement.
Information on data being processed, storage periods, the technical structure and security measures, among other things, can be found in Appendix 1 of the service agreement.
Due to the longer absence of the current Chief Information Security Officer (CISO) Dustin Gawron from the IT Security department has been appointed deputy CISO.
More information about the role of the CISO can be found here.
In the past few days information about a new vulnerability called "Log4Shell" (CVE-2021-44228) in the "log4j" component of many Java-based applications has been released. Every administrator has to check, if the vulnerable component is used by their service or system. In case a vulnerable version of log4j is used, it has to be updated immediately or a workaround has to be used. Further information
Lately a rising amount of extortion attempts with spam emails has been sent to members of the WWU. The originators usually claim to have "hacked" into a person's computer or email account and threaten to publish sensitive information, e.g. video material, about their private life, if their demands are not met. Often a payment of in a crypto currency like Bitcoin is requested. All those claims are mere pretences to scare the receiving person and urge them to give into their demands.
Due to current requests the IT Security Management Team would like to point out that it is not permitted to use the Microsoft Outlook app for Android and iOS to retrieve e-mails from your WWU Exchange account. By using the app, you are sharing your passwords with third parties, which violates the IT Usage Regulations of the University of Münster. Please uninstall the Outlook app for Android or iOS if you have used it on your mobile device. In addition, you need to change the passwords of all email accounts you have linked via the app as soon as possible.
A vulnerability known as PrintNightmare (CVE-2021-34527) in the Print Spooler service of basically every version of Microsoft Windows has been made public on the 2021-07-01. Under certain circumstances it enables a remote attacker to execute malicious code (remote code execution) as well as a local attacker to perform a privilege escalation. For a remote exploit the print service has to be reachable and the attacker needs a valid account. Several exploits for the vulnerability have already been published.
Microsoft released updates for several Windows versions (see Microsoft Security Advisory). Those updates do not seem to close the vulnerability completely though (see BleepingComputer) and cause printing problems in certain cases!
The WWU-CERT recommends to install the new updates on all Windows systems immediately to make exploitation more difficult. Since the vulnerability is not completely fixed yet and the circumstances under which those exploits succeed are still somewhat unclear, a temporary workaround should be implemented, at least on systems with multiple users (e.g. remote desktop servers). The ACL workaround (see TRUESEC Blog) can prevent exploitation but also prevents the installation of new printers. On servers that do not need printing support, the Print Spooler service should be deactivated in general.
Several attempts of targeted scam via e-mail have been observed over the past few weeks. In those cases directors of different departments have been impersonated to send out e-mails with requests for assistance ("Are you available?"). The necessary information for impersonation as well as the e-mail addresses for the recipients usually have been extracted from public websites. If the recipient answers, the scammers ask the recipient to buy prepaid cards, e.g. Paysafe cards, and promise to reimburse them for the spent amount of money. As soon as the codes for redeeming those prepaid cards are transferred towards the criminals the money will, in most cases, be lost irretrievable since they will be redeemed immediately.
Multiple vulnerabilities in a driver used by Dell products (dbutil_2_3.sys) have been identified which could allow privilege escalation for local attackers.
The vulnerable driver has been shipped preinstalled on a lot of Dell computers since 2009 and could have also been installed alongside Dell update software or firmware updates. Dell recommends users to delete the driver in question immediately (see Dell Security Advisory).
Multiple critical vulnerabilities have been discovered in the Exim mailserver software. Ten of those vulnerabilities enable remote code execution (RCE) for attackers. The other eleven vulnerabilities can only be exploited locally but can be used for privilege escalation.
Almost all versions below 4.94.2 are affected by one or more of those vulnerabilities. Since Exim comes preinstalled on some distributions it could be security problem even if it is not used actively. An updated version (Exim 4.94.2) is available and should be installed immediately, especially on mailservers which are open to the Internet.
A new vulnerability in the "sudo" application (CVE-2021-3156, "Baron Samedit") enables local attackers to escalate their privileges to root access.
The following versions are vulnerable:
Legacy: 1.8.2 - 1.8.31p2
Stable: 1.9.0 - 1.9.5p1
All systems that have sudo installed should be checked and updated to a fixed version. Some versions of MacOS use a vulnerable version of sudo as well.
Due to the incidents of the past months with encryption trojans and the development of the Emotet threat, additional security features have been activated in the central email system.
E-mails with suspicious content from suspicious senders will only be sent with a warning message. In concrete terms, this means that you will receive the suspicious e-mail as an attachment to an information e-mail alerting you to the potential threat and giving you a contact person in case of further inquiries. Suspicious contents are 1) links to dubious websites and 2) attached Office or PDF documents with active contents (so-called macros).
Nevertheless, remain vigilant when opening links and e-mail attachments, especially if they are password protected.
