A vulnerability has been discovered in Apache Struts2, a framework for providing application services through a web server.
What is the risk?
When successfully exploited, this vulnerability gives a cyber attacker the ability to run commands on the web server running the affected software. Exploiting this vulnerability does not require sophisticated technical skill. Active exploits have been widely detected across the Internet.
While Dropbox is not approved for Harvard data, we realize many members of the community use it for personal data. For University data, you may use departmental shares or Harvard’s instances of Google Drive, OneDrive, and SharePoint.
A security incident at Dropbox in 2012 resulted in the breach of 60+ million email addresses and password hashes. Dropbox has forced password resets for affected users.
LastPass has been in the news recently after the disclosure of two vulnerabilities in the LastPass browser plugin. At this time, both vulnerabilities have been fixed. The first was disclosed and addressed a year ago. The second was disclosed and patched two days ago (July 26). Read more about LastPass Security Update
Harvard Information Security has been made aware of a phishing email scam targeting the Harvard community. The attackers are posing as Harvard University representatives asking for account information, including HarvardKey credentials, and linking to a fake Harvard login screen. We believe the goal of this phishing attack is to access personal information including W-2s. Harvard Information Security is reaching out directly to any individuals who have been affected by this attack and we are taking other protective steps.
LastPass is the preferred password manager recommended by Harvard University Information Security. If you use LastPass, you may have received a security notification regarding a security incident disclosed on Monday June 15th that involves LastPass servers.
Cyber criminals illegally accessed LastPass servers and stole the following information:
The FREAK (Factoring Attack on RSA-EXPORT Keys) vulnerability is a flaw in some popular SSL clients that allows an HTTPS connection to be downgraded to weak, export-grade encryption ciphers whose keys can be factored, so the traffic can be decrypted. These insecure ciphersuites were "retired" decades ago, but if they are still present in the list of ciphers a web server's library will accept, the website can be tricked into using them for an HTTPS connection. Read more about SSL/TLS "FREAK" Vulnerability