Information Security at the University of Hawaii
Patch Windows Systems Now!
Microsoft released critical patches to fix a flaw in Remote Desktop Services (formerly called Windows Terminal Services) on older Windows machines (pre-Windows 8), tracked as CVE-2019-0708 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708).
It is considered a serious threat that may be exploited very soon. It's so significant that Microsoft even released patches for Windows 2003 and Windows XP, which are no longer supported. This vulnerability is pre-authentication and requires no user interaction; in other words, it is ‘wormable’: it can spread quickly from the Internet and within networks with no login required, like WannaCry or, going further back, Blaster.
Windows 8 and Windows 10 are not affected by this vulnerability.
Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Out-of-support systems include Windows 2003 and Windows XP. These must be patched or upgraded, or completely isolated from the network.
For more information, see: https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/ or search for "CVE-2019-0708"
2FA—Control in the Palm of Your Hand
Wouldn't it be nice if your accounts could let you know when someone new is trying to get into them? Even better, wouldn't it be terrific to make a stolen password useless to others? Were you tricked into revealing your password through a phishing scam? Rest easy, your account is safe! That's essentially the control that two-factor authentication (2FA)—also known as two-step verification or login approval—gives to you. And, it only takes about two minutes to set up and two seconds to use. That's a lot of power for very little effort!
How does it work? Once you've activated two-factor authentication on an account, whenever an account login with your password comes from a different device from what you've already permitted, an authorization check will come to your smartphone or other registered device. Without your approval or current code, a password thief can't get into your account.
Is it difficult to set up? 2FA is becoming more widely available and easier to use. Typically, you'll either install a mobile security app on your smartphone and use that to handle the authorization checks for accounts, or you could use the text/phone call method if you can't install a mobile app. For international travelers, the mobile app also generates a code so that a data or cellular service connection isn't required for this second step.
Can I adjust the frequency of the checks? In many cases, yes, although some accounts may require the verification for specific transactions or functions. You may want to have the extra verification every time you log in (e.g., personal website administration), or you might be comfortable requesting the verification only when an access attempt comes from a computer/device other than the one you originally permitted when you set up 2FA—such as a personal email account you typically only check from one laptop and one smartphone.
Which accounts should I protect with 2FA? Why wouldn't you protect all of them where it's available? But, start with those that are most critical to your identity and livelihood.
Here are some suggestions:
- UH Account, visit https://www.hawaii.edu/its/uhlogin/ for more information!
- Email accounts: "Forgot password" reset requests typically send instructions and links here, so protect this account to make sure you keep control of resetting your account passwords!
- Financial accounts: Protect your money!
- Social media accounts and website management accounts: Protect your brand!
- Online shopping accounts: Protect usage of your stored credit card information!
US-CERT Vulnerability Alerts
The United States Computer Emergency Readiness Team (US-CERT) provides the latest updates about current threats and vulnerabilities. You can subscribe to their feed to receive alerts about newly disclosed vulnerabilities and other cyber threats.
Visit https://www.us-cert.gov/ to learn more.