News

Ransomware is not new; but, it's been popping up more and more in higher ed. Each week brings news of colleges and universities that have fallen victim to ransomware attacks. Some hackers demand payment, while others steal personal data (to sell to identity thieves). Whatever the motives are, school systems around the country have been the targets of recent attacks.

The CalNet AD team has created several Group Policy Objects (GPOs) templates for system administrators to utilize. These templates, or Build Kits, are based on the Center for Internet Security’s (CIS) benchmarks and allow for quick and easy implementation of CIS Benchmark configurations. 

The Information Security Office recently updated the Minimum Security Standards for Networked Devices and the Draft of that Standard is currently under Campus review. The update incorporates elements from UC’s systemwide Electronic Information Security Policy, IS-3, and brings the Standard into alignment with current industry best practices. 

Zoom V. 5 is available for download

The newest version further addresses issues related to security and privacy

Specific changes include these user experience/controls

• Security icon: Zoom’s security features are now grouped together and located in the "Security" icon in the host's meeting menu bar.

Zoom has released new version updates that resolve issues related to security and privacy: Windows ver. 4.6.19253.0401 and MacOS ver. 4.6.19273.0402.

We recommend that users patch immediately. Both updates are accessible for manual download through the desktop-client:

• Open the Zoom application on your system and select “Check for Updates...” from the zoom.us drop-down menu

Summary

The Information Security Office (ISO) is aware of the new, unpatched Windows Zero-day exploit, that has been reported by Microsoft[1] and in the press[2]. The vulnerability is currently unpatched; however, workarounds are available.

Summary

*** Patch Windows 10 and affected Windows Server 2019 systems IMMEDIATELY, even where there is a potential business impact (unscheduled maintenance). Notify security@berkeley.edu if you anticipate delays in patching. ***

On Mar. 23 CalNet fully depreciated TLS 1.0/1.1.

On Mar. 23, CalNet disabled TLS 1.0 and 1.1 protocols from being used to access CAS, Shibboleth, CalGroups, CalNet Account Manager, and LDAP. 

TLS 1.0 and 1.1 are insecure and vulnerable to attacks which risk the integrity and authentication of data sent between client and destination. Disabling these protocols will mitigate these issues, adhere to campus policy, and to protect institutional data and IT resources. 

With the California Consumer Privacy Act taking effect this year, data privacy will become a central issue for businesses in 2020. Consumers conduct much of their lives on the internet, yet few understand the critical issue of privacy and how their personal information is used, collected and shared by businesses. Your data can be stored indefinitely and used in both beneficial and unwelcome ways.

Summary

Mozilla has published an out-of-band patch for Mozilla Firefox and Firefox Extended Support Release (ESR).  It fixes a type confusion vulnerability in Mozilla’s Javascript compiler, IonMonkey. This vulnerability is identified as CVE-2019-17026. [1]

Mozilla’s advisory states they are “aware of targeted attacks in the wild abusing this flaw.” Based on this note in the advisory, it appears the vulnerability was exploited in the wild as a zero-day. [2]

In honor of International Data Privacy Day, January 28

All of us exist in digital form on the Internet. When you're online you leave a trail of "digital exhaust" in the form of cookies, GPS data, social network posts, browser searches, and email exchanges, among others. Services that you don’t even use may have information about you. And once something is online, it can be there forever.

What's Data Privacy Day?

We are excited to announce some organizational developments and opportunities to work with us.

Recently ISO underwent a structural reorganization. This new structure allows us to continue to evolve and respond to challenges in the information security space, to streamline operations, and to create additional efficiencies. Vacant positions will be posted shortly to jobs.berkeley.edu and to our website.

Even outside the traditional "Holiday" season we find ourselves purchasing items online. And so, it's good to remember online shopping best practices year round. In addition to our holiday shopping tips, here are a few others to keep you safe while online shopping: 

The Information Security Office is proud to graduate Ryan Tran, our first Staff Information Security Intern!

We wanted to mark the occasion by talking with him about what he learned while at ISO.