Information Security

Apple cleanes App Store of tainted iPhone, iPad software

An infected, counterfeit version of Apple's Xcode developer software apparently led to dozens of compromised apps.  Read more here.

Apple iOS 9 fixes serious AirDrop vulnerability

A newly-discovered vulnerability could result in the remote control of iPhones and Macs.  The article recommends upgrading to iOS 9 sooner rather than later to protect your device(s).  Click here to read the details.

On Friday it was revealed that the country's government had been hit by 114,035 cyber attacks since 2011.  Click here to read the whole story.

A recent vulnerability was disclosed that affects all smartphones running the Android operating system (version 2.2 and above). The vulnerability is known as “Stagefright“, it affects SMS/MMS clients by allowing an attacker to send a malformed media file to the user.  When the user receives this malicious message it is automatically downloaded by the messenger client without any intervention required by the user (by default).  Once the malicious file is on the phone the attacker would be able to do anything — such as copy data, delete it, or take over the microphone and camera.

The Information Security Office recommends that users update their phones as soon as a software update is made available by your carrier.  Until that time it is recommended that automatic downloading of media files be disabled within your messenger client.  This will prevent the bug from being exploited simply be receiving a text message and force a user to take the step of opening a malicious text message before the phone would be compromised.  With this in mind, it is recommended that users do not open text messages from unknown numbers.  Click on the "Instructions for Stagefright Vulnerabiility" heading below for details on how to make this change in a few of the most popular messenger clients.

For Google Hangouts, take the following steps to disable automatic downloading of media files sent via MMS:

  1. Open the app
  2. Select More
  3. Select Settings
  4. Select SMS
  5. Disable Auto retrieve MMS

For Google Messenger, take the following steps to disable automatic downloading of media files sent via MMS:

  1. Open the app
  2. Select More
  3. Select Settings
  4. Select Advanced
  5. Disable Auto-retrieve

For the default SMS client on the Samsung Galaxy S6, take the following steps to disable automatic downloading of media files sent via MMS:

  1. Open the Messages app
  2. Select More
  3. Select Settings
  4. Select More settings
  5. Select Multimedia messages
  6. Disable Auto retrieve

TA14-150A: GameOver Zeus P2P Malware

Original release date: June 02, 2014

Systems Affected

  • Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
  • Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012


GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011­1, uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet.


GOZ, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim’s computer2. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. 

Prior variants of the Zeus malware utilized a centralized command and control (C2) botnet infrastructure to execute commands. Centralized C2 servers are routinely tracked and blocked by the security community1. GOZ, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection. These peers act as a massive proxy network that is used to propagate binary updates, distribute configuration files, and to send stolen data3. Without a single point of failure, the resiliency of GOZ’s P2P infrastructure makes takedown efforts more difficult1.


A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users' credentials for online services, including banking services.


Users are recommended to take the following actions to remediate GOZ infections:

  • Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
  • Change your passwords - Your original passwords may have been compromised during the infection, so you should change them (see Choosing and Protecting Passwords for more information).
  • Keep your operating system and application software up-to-date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
  • Use anti-malware tools - Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (examples below) that will help with the removal of GOZ from your system.


 http://www.f-secure.com/en/web/home_global/online-scanner (Windows Vista, 7 and 8)

 http://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142 (Windows XP systems)


 http://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8 and 8.1)  


http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)


 http://www.sophos.com/VirusRemoval (Windows XP (SP2) and above)


 http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network (Windows XP, Windows Vista and Windows 7)

 Trend Micro

 http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)

 The above are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.



National Cyber Awareness System

TA13-309A: CryptoLocker Ransomware Infections

Original release date: November 05, 2013 | Last revised: November 13, 2013

Systems Affected
Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices.  In addition, there have been reports that some victims saw the malware appear following after a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives.  If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers’ command and control (C2) server to deposit the asymmetric private encryption key out of the victim’s reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.  US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

  • Do not follow unsolicited web links in email messages or submit any information to webpages in links
  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments
  • Make sure your operating system is up-to-date with the latest security patches - http://www.bgsu.edu/infosec/page61877.html
  • Install the latest versions of all Internet browsers (e.g., Internet Explorer, Firefox, Chrome, etc.) and apply updates for add-ons such as Java and Adobe Flash and Reader.
  • Make sure that your anti-virus program is running and up to date with the latest signatures. See http://www.bgsu.edu/its/tsc/self-help/page9655.html for more information
  • Perform regular backups of all systems to limit the impact of data and/or system loss
  • Secure open-share drives by only allowing connections from authorized users
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams
  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks

US-CERT suggests the following possible mitigation steps that users and administrators can implement, if you believe your computer has been infected with CryptoLocker malware:

  • Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network and power off the computer
  • Contact ITS at 372-0999
  • Users who are infected should change all passwords AFTER removing the malware from their system
  • Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:
    • Restore from backup,
    • Restore from a shadow copy or
    • Perform a system restore.


DISCLAIMER: Information Security Advisories and related resources provide technical and administrative advice to protect sensitive information on the University network and to help BGSU comply with regulations pertaining to information security. Failure to comply with these advisories may directly or indirectly increase the risk of exposure or compromise of sensitive University information. These advisories and resources do not provide legal advice – contact the BGSU Office of General Counsel or other appropriate legal advisor for interpretations of regulations.


Hackers are threatening a major breach in Dropbox security, claiming to have stolen the login details of almost 7 million users, and promising to release more password details if they're not paid a Bitcoin ransom.

For more information see http://www.symantec.com/connect/blogs/dropbox-user-credentials-stolen-reminder-increase-awareness-house and http://blogs.wsj.com/digits/2014/10/14/dropbox-blames-security-breach-on-password-reuse.

The following are samples of e-mail messages received by a BGSU account holder. These messages have been reviewed by the ITS Security Team and determined to be fraudulent. If you receive a message similar to the ones displayed as follows, do not respond by providing information, clicking on any provided link or by calling any provided phone number. It is recommended that you delete the message.
















Welcome to the web presence for the BGSU Information Security Office.

Reporting to the Chief Information Officer, the overall goal of the Information Security Office is to protect the confidentiality, integrity, and availability of information technology resources at Bowling Green State University.

Maintaining these resources at BGSU is vital to the educational, research, and operational missions of the University. Supporting these missions is the responsibility of all members of the University community. This site has been designed to provide BGSU community members with best practices, tools, and preventive measures to secure information technology resources. 

Some of these resources include:

  • alerts regarding the latest relevant security threats
  • tips for protecting data and systems
  • how to report a security incident
  • information security related topics

For assistance or to provide feedback, please contact this office by email at: infosec@bgsu.edu.

Other Security Resources