
An Advisory Issued by Carnegie Mellon University Warns of a Vulnerability in Checkbox Survey


The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has issued an advisory about a Checkbox Survey vulnerability that could allow a remote attacker to execute arbitrary code without authentication.

A checkbox is a GUI widget that lets the user choose between two mutually exclusive alternatives. For example, a basic yes/no question may ask the user to answer 'yes' or 'no', and the checkboxes are displayed with the available choices. Checkbox Survey is a customizable online survey tool written in ASP.NET that allows organizations to create professional surveys with quick access from any desktop or mobile device.

The vulnerability in Checkbox Survey, tracked as CVE-2021-27852, stems from insecure deserialization of view state data, a mechanism the ASP.NET page framework uses to persist page state across postbacks.

Microsoft stated that “When the HTML markup for the page is rendered, the current state of the page and values that must be retained during postback are serialized into base64-encoded strings. This information is then put into the view state hidden field or fields.”

Before version 7.0, Checkbox Survey implemented its own View State functionality by accepting a _VSTATE argument, which it then deserialized using LosFormatter.

“Checkbox Survey before version 7.0 insecurely deserializes ASP.NET View State data, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable server,” reads the advisory.

Because the Checkbox Survey code handles this data itself rather than through the framework, the server's ASP.NET View State Message Authentication Code (MAC) setting is never applied to it. Without MAC validation, an attacker can supply crafted data that the server will deserialize, which can lead to code execution.

The advisory further states that “Checkbox Survey is an ASP.NET application that can add survey functionality to a website. Before version 7.0, Checkbox Survey implements its View State functionality by accepting a _VSTATE argument, which it then deserializes using Los Formatter. Because this data is manually handled by the Checkbox Survey code, the ASP.NET View State Message Authentication Code (MAC) setting on the server is ignored. Without MAC, an attacker can create arbitrary data that will be deserialized, resulting in arbitrary code execution.” 

As a result, a remote, unauthenticated attacker can execute arbitrary code with the privileges of the web server by sending a crafted request to a server running Checkbox Survey 6.x.

Checkbox Survey 7.0 no longer uses View State data, so versions 7.0 and later are not affected. Installations older than version 7 should be upgraded or removed.

Checkbox has also said that Checkbox Survey 6 is no longer developed, so it is not safe to keep using it. If updating to an unaffected version is not possible, the software should be removed from every machine on which it is installed.
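The two patterns the advisory contrasts, shown as an added C# illustration that is not Checkbox Survey's actual source: the hypothetical SurveyPageVulnerable mirrors the pre-7.0 behaviour of handing a client-supplied _VSTATE value to LosFormatter, while SurveyPageHardened keeps survey state server-side so nothing from the client is deserialized. All class, field and form-parameter names other than _VSTATE are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;

static class SurveyView
{
    // Shared, HTML-encoded rendering of the collected answers.
    public static void Render(HttpResponse resp, Dictionary<string, string> answers)
    {
        foreach (var kv in answers)
            resp.Write(HttpUtility.HtmlEncode(kv.Key + ": " + kv.Value) + "<br/>");
    }
}

// Vulnerable pattern (hypothetical illustration of what the advisory describes).
// The parameterless LosFormatter() performs no MAC check, and because the data
// bypasses Page.ViewState, the server's enableViewStateMac setting never applies.
public class SurveyPageVulnerable : Page
{
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        string raw = Request.Form["_VSTATE"];
        if (string.IsNullOrEmpty(raw)) return;
        // Unauthenticated deserialization of client-controlled data.
        var answers = (Dictionary<string, string>)new LosFormatter().Deserialize(raw);
        SurveyView.Render(Response, answers);
    }
}

// Hardened pattern: no client-supplied object graph is ever deserialized. State
// lives server-side in Session; the client round-trips only its session cookie
// and plain form fields, each validated on its own. (LosFormatter(true, modifier)
// would bind the blob to the machineKey, but dropping client-side state, as
// version 7.0 did, removes the deserialization surface entirely.)
public class SurveyPageHardened : Page
{
    private const string StateKey = "survey_answers";
    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        var answers = Session[StateKey] as Dictionary<string, string>
                      ?? new Dictionary<string, string>();
        if (IsPostBack)
        {
            string q1 = Request.Form["q1"];
            if (q1 == "yes" || q1 == "no") answers["q1"] = q1; // allow-list values
            Session[StateKey] = answers;
        }
        SurveyView.Render(Response, answers);
    }
}
```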

University of Hertfordshire Hit by Cyberattack


The University of Hertfordshire has become the latest victim in a spate of cyberattacks against academic institutions after a significant incident knocked all of its systems offline. The attack on its network is believed to have started before 10pm on Wednesday 14 April, and the university's IT teams are currently attempting to restore services.

The university Wi-Fi network was taken down along with the email system and the student portal. Since the attack, students have also reported being unable to access Office 365 services such as Teams, as well as other paid-for services such as Canvas and Zoom.

In a statement, the university said: “As a result, all online teaching will be canceled today (Thursday 15 April), and we understand that this may impact students being able to submit assignments. We want to reassure our students that no one will be disadvantaged as a consequence of this.” 

“Any in-person, on-campus teaching may still continue today, if computer access is not required, but students will have no on-site or remote access to computer facilities in the LRCs [learning resource centres], labs or the university Wi-Fi. We apologize for the inconvenience this situation has caused and will continue to keep you updated,” they added.

The UK's National Cyber Security Centre has for some time been warning of increased targeting of academic institutions, both schools and universities, particularly by ransomware groups, and recently updated its guidance on the subject to reflect the current high attack volumes.

Educational bodies are considered easy targets by cybercriminals because they often lack the resources to secure their data adequately, hold large amounts of personal information, and may come under greater public pressure to pay a ransom.

Jérôme Robert, director at Alsid, said universities are starting to become aware that they are prime targets. “The sheer size of the student and faculty at a university – in Hertfordshire’s case nearly 28,000 people – makes it incredibly difficult to secure and manage the IT estate,” he said. 

“Think of the huge volume of new joiners and leavers each year at universities. IT teams somehow have to manage that process of creating, deleting, and managing all those accounts. It’s a never-ending operation to keep all of that neat and tidy, and any oversights, such as old accounts not being closed down, present risk. On top of this, higher education is currently at heightened risk because of the increase of network activity and general complexity of enabling hybrid learning,” Robert added.

Cyberextortion Threat Evolves as Clop Ransomware Attacks Data Security at 6 U.S. Universities


Malicious actors are now using novel ways to steal universities' data and are threatening to publish it on dark web sites unless the universities pay large sums.

According to the latest update, the Clop ransomware group claims to hold data from six top universities in the United States, including institutional financial documents and passport data belonging to staff and students. The group first posted the stolen data online on March 29.

The affected universities are: the University of Miami, Yeshiva University, the University of Maryland, Stanford University, the University of Colorado Boulder, and the University of California, Merced.

However, none of the universities named has officially confirmed the attack, so it is unclear whether their infrastructure was actually breached or whether the group demanded money in exchange for the data.

Additionally, a few days earlier, Michigan State University also confirmed a cyberattack by a group that threatened to publish stolen data on dark web sites unless a ransom was paid.

The data stolen by the Clop ransomware group includes federal tax documents, passports, tuition remission request paperwork, tax summary documents, and applications to the Board of Nursing.

The breach affected numerous students and staff, as the published information exposed sensitive personal details such as names, dates of birth, photos, home addresses, immigration status, passport numbers, and social security numbers.

Some news outlets also confirmed that the leaked data included further screenshots of retirement documentation, 2019/2020 benefit adjustment requests, late enrollment benefit application forms for employees, and UCPath Blue Shield health savings plan enrollment requests, among much more.

Such attacks are not unusual for the Clop ransomware group, which is known for its assaults on a wide range of organizations. Michigan State University's officials stated in this regard that, “Payment to these criminals only allows these crimes to be perpetuated and further target other victims. The decision not to pay was in accordance with law enforcement guidance and reached with support from the university’s Board of Trustees and president”.

Universities Switch to Online Learning but Is it Enough?

With no end to the pandemic in sight, everyone has been forced to live in a confined space and spend their days avoiding anything that requires going out.

Students all over the world, in particular, are having a hard time managing without physical classes to rely on. Online lectures and virtual education are not without value, but most students find a lack of motivation a common problem.

With few options available, students are managing to adjust to online learning, given that most institutions have switched to online platforms such as Zoom, which is a great step globally.

Universities are trying their best to make do with all the possible resources they have at their disposal. But is it okay to consider that online classes shall suffice?

What students need at such a gloomy time is a form of education and learning that gives them a technologically rich experience, not a mere imitation of what otherwise happens in their classrooms.

The tech world is overflowing with contemporary ideas about learning. There are hundreds of ways to create and design interactive sessions via podcasts and virtual reality. Students, from the comfort of their homes, could be better learners if encouraged in the right way, and could respond better as a result.

Online learning or online lectures should not just be a professor going on for hours as in a physical class. There is a wide variety of avenues to follow when it comes to technology-based learning, online too.

During the past months, the number of students enrolled in online courses has increased substantially. There has also been a rise in the number of students joining full-time online courses.

People who were not especially tech-savvy lost their jobs and returned to studying in the hope of a career change.

According to sources, FutureLearn and UofPeople (University of the People) have seen a surge in demand for online courses from people wanting to stay productive during quarantine by acquiring new skills.

According to reports, there has been a significant rise in demand for online courses in the English language, health-related subjects, and mental health topics.

If this culture of interactive online learning does not limit itself to pandemic times, it could lead to a better learning mechanism that proves extremely effective for students across the globe.

The availability of online platforms for students to begin or continue their education greatly reduces the likelihood of students deferring.

Even though the early online courses that went, and probably still go, by the name MOOCs (massive open online courses) were never a big hit, people are warming up to them in these times of “pandemic-induced confinement”.

The current predicament has left everyone full of uncertainty. There is no telling whether universities will even begin their next sessions any time soon.

Certainly not everything can be taught online, especially practical learning, which raises a huge question to which no one has the right answer.

Given that there is no way to know when universities will reopen and resume normal operations, with the added factor of social distancing, ‘the internet is all we have.’