October 2015 Security Newsletter

Welcome to the October 2015 edition of the Information Security Newsletter.

Printer Repair and Toner Scams

I’ve received a number of alerts from campus departments that have received cold calls concerning printer maintenance or toner/ink offers. They are becoming very aggressive and the business tactics being used are quite shady. The Purchasing Department reminds us that they advise departments to never order toner from anyone contacting them by phone, e-mail or direct mail. SUU has relationships with several reputable State Contract vendors and we would prefer to patronize these businesses.

Other Phone Scams

Some other phone scams campus employees have recently encountered include calls purporting to be from Microsoft and the IRS.

  • With the Microsoft calls, they claim that your computer is having some kind of problem, and they called to help you fix it. This is always 100% a scam. Microsoft will never call you about any of their products. By the way, the scammers are starting to target Macs now too. So don’t be surprised if you get a phone call from “Apple” offering to help fix the “problems” on your Mac.
  • In the case of the IRS, you get a call that you have some unpaid back taxes and that the IRS will pursue legal action if you don’t pay up immediately. Don’t be fooled, the IRS won’t contact you this way.

Remember to always be very suspicious of any cold calls.

Illegal file-sharing

We’ve recently seen an uptick in the cases of individuals using peer-to-peer (P2P) file-sharing software like BitTorrent to illegally download copyrighted material such as music, movies, and TV shows. Since this is illegal, this kind of activity is in violation of campus policy. There are a number of legitimate websites (Netflix, Hulu, Pandora, iTunes, etc.) to legally access this kind of material.

Additionally there are potentially harmful effects from the use of P2P software. P2P software is designed to allow the sharing of files between computers. If the software is not properly configured, unintended access to other parts of your computer could be enabled, thus unintentionally sharing potentially sensitive and private data. Also, due to the nature of this kind of software, it is frequently the target for viruses and other malware that could infect your computer and further compromise the integrity of your system.

10 Security Mistakes Nearly Everyone is Guilty Of - #3 & #4

Mistake #3: Reusing Passwords

One of the biggest mistakes we continue to make is weak and/or reused passwords. A weak password is one that is easily guessed, or based on a single dictionary word which makes it easy for criminals to crack. In order to pick a strong password, take 3 or 4 random dictionary words and combine them together, using some kind of symbol (like a space or hyphen) to separate the words and then throw in your favorite number.

Example: aspen-jet-tower99

This password is 17 characters (the longer the password the better), and also includes some complexity. It is also fairly easy to remember as it’s just three words. This would be much harder to crack than say:

  • 123456
  • password
  • 12345
  • 1234
  • football
  • qwerty
  • 1234567890
  • 1234567
  • princess
  • solo

This is a list of the 10 most common passwords so far for 2015. Is yours on the list?
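As an added illustration of the passphrase recipe above and the top-ten list (example code, not part of the newsletter), assuming a constructed 16-word stand-in wordlist: a generator that follows the recipe, an entropy estimate for it, and a screening check against the common-password list.

```python
import math
import re
import secrets

# Constructed stand-in wordlist (a real generator would use thousands of
# words); the entropy estimate below scales with the size of the list.
WORDLIST = ["aspen", "jet", "tower", "river", "maple", "comet", "harbor",
            "lantern", "meadow", "orbit", "quartz", "saddle", "timber",
            "velvet", "willow", "zephyr"]

# The ten most common passwords of 2015 quoted in the newsletter.
COMMON_PASSWORDS = {"123456", "password", "12345", "1234", "football",
                    "qwerty", "1234567890", "1234567", "princess", "solo"}

# Three or four lowercase words joined by a hyphen, followed by digits.
PASSPHRASE_RE = re.compile(r"^[a-z]+(-[a-z]+){2,3}\d+$")


def make_passphrase(words=3, sep="-", number=99, rng=None):
    """Build a passphrase the way the newsletter recommends: 3 or 4 random
    dictionary words, a separator between them, and a number on the end."""
    if words not in (3, 4):
        raise ValueError("use 3 or 4 words")
    rng = rng or secrets.SystemRandom()  # OS randomness, not random.random()
    chosen = [rng.choice(WORDLIST) for _ in range(words)]
    return sep.join(chosen) + str(number)


def scheme_entropy_bits(words, wordlist_size, number_choices):
    """Guessing entropy of the recipe if the attacker knows the wordlist
    and the pattern: words*log2(N) for the words plus log2(K) for the
    number. A single dictionary word is just log2(N); a top-10 password
    is log2(10), about 3.3 bits."""
    return words * math.log2(wordlist_size) + math.log2(number_choices)


def is_common(password):
    """True if the password (case-insensitively) is on the top-10 list."""
    return password.lower() in COMMON_PASSWORDS


def strength_report(password):
    """Defensive screening checks a signup form or audit script could run."""
    return {
        "length": len(password),
        "common": is_common(password),
        "matches_recipe": bool(PASSPHRASE_RE.match(password)),
    }


if __name__ == "__main__":
    print(strength_report("aspen-jet-tower99"))
    print(strength_report("password"))
    # 3 words from a 7776-word list plus a two-digit number: about 45 bits.
    print(round(scheme_entropy_bits(3, 7776, 100), 1))
```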

The other mistake we often make is to reuse the same password on every account. Best practice is to have a different password for every account. That’s a lot of passwords! It is recommended to use a Password Manager, like KeePass, 1Password, or LastPass to keep track of all your passwords.

Mistake #4: Oversharing on social media

People tend to share way too much information about themselves on social media sites, especially younger generations. This information can be used for social engineering, identity theft, or other nefarious purposes. Or maybe it just comes back to bite you later. Employers now often research prospective employees on social media and make employment decisions based on the kind of information posted.

As a good rule of thumb, don’t post anything you wouldn’t want your mom to see. And remember, what’s posted to the Internet, stays on the Internet, forever.

Web Services has heard from several users around campus after they received an email asking them to “add a link to your website.” Frequently these are written in a very personable/friendly tone, but aren’t really something to help your web pages/users. These are a way for that person to get more incoming links to their own site. If you get a request from someone you don’t know asking you to link to a site that doesn’t really have much to do with your content, you can delete those! If you get one and aren’t certain if it’s legit, forward it to webservices@suu.edu.

Information Security Awareness Training

I appreciate those who have already completed the training. For those that want to attend a live training session, I’ll be scheduling more sessions in November. To complete the training online, simply log into Canvas at http://suu.instructure.com (enter your campus credentials), and look for Information Security Awareness Training in your list of courses.

Winner of the Monthly Bookstore Drawing

September: Brandon Street

Our great employees are our best early warning system for phishing and other social engineering attacks. We encourage all employees to report any phishing e-mails they receive or scams they are aware of. Every month we conduct a drawing for a bookstore gift card. To enter the monthly drawing, simply forward phishing e-mails that you have received to phish@suu.edu, or send an e-mail detailing any scams to the same address. You will be entered for every e-mail you send in.


September 2015 Security Newsletter

Welcome to the September 2015 edition of the Information Security Newsletter.

Information Security Awareness Training

I appreciate those who have already completed the training. For those that were unable to attend a live training session last month, see the schedule below for September training opportunities. To complete the training online, simply log into Canvas at http://suu.instructure.com (enter your campus credentials), and look for Information Security Awareness Training in your list of courses.

All live sessions will be in room LIB002 (Library).

  • Friday, Sep 18th @ 9:00-10:30am

  • Monday, Sep 28th @ 2:30-4:00pm

  • Tuesday, Sep 29th @ 9:30-11:00am

More sessions will be scheduled during the upcoming months for those who are unable to attend this month, and still want to participate in a live session. If a particular department/unit would like to schedule an individualized training, please contact Mark Walton to schedule a time.

10 Security Mistakes Nearly Everyone is Guilty Of - #1 & #2

I found a good article by Information Security Buzz () titled, "10 Security Mistakes Nearly Everyone's Guilty Of." It highlighted 10 common mistakes that we make when it comes to information security. I'm going to borrow their list and highlight two mistakes each month for the next few months. If you just can't wait for the full list, go to their web site and do a search (search box found towards the bottom of the page) on "10 Security Mistakes."

Mistake #1: Poor patching

Every piece of software has programming mistakes (bugs). Some of those bugs are just annoying, like when a feature doesn’t work, or it crashes the application. Others can actually be serious enough to allow the bad guys to execute their code on your computer by exploiting the bug. This is frequently how they take control of your computer. The software vendors fix those bugs by releasing patches and updates, but it’s up to us to make sure those updates get installed. The very best way to protect yourself from becoming a victim is by keeping all of your software updated by patching regularly.

You want to make sure that all of your software is up-to-date. This includes:

  1. Operating System (Windows 7, Windows 10, Mac OS X, etc.)
  2. Anti-Virus (McAfee, Symantec, AVG, etc.)
  3. Web Browser (Chrome, Firefox, IE, etc.)
  4. Browser Plugins (Adobe Reader, Oracle Java, Adobe Flash, etc.)
  5. All application software (MS Office, games, etc.)

To help you do that on your home computer, you can download PSI (Personal Software Inspector) from Secunia.com. PSI will scan your computer for the software that is installed, and then tell you which applications are out-of-date and need updating.

Mistake #2: Too trustworthy

We need to be almost paranoid about opening attachments and clicking on links in e-mails. The criminals often use phishing e-mails to try and trick us into either opening an attachment, or clicking on a link, which could lead to the compromise of our computer. Be really careful with those kinds of things in e-mails, especially for e-mails that just don’t sound right, even if they came from a “trusted” source. Remember, it’s trivial to spoof a FROM address, and people’s e-mail accounts get hacked and misused all the time. It’s not just emails any more; we need to be just as careful with links in text messages, as they can lead to the compromise of our mobile device.

Friendly Warning From One of Our Own

One of our employees shared this experience that happened to someone in their family:

“She read her final book on her Kindle and wanted to buy another one. Her credit card info was outdated and she couldn’t figure out how to change it. She decided to call customer service at Kindle and googled their phone number. She found the phone number and called. The man was very helpful and was walking her through how to load private information but she first needed to plug her device into her home computer. There he remotely took over her computer and she watched in horror as he trolled her information and files. He said he was completing a security check and was going to take an hour to load some sort of software and said if she needed to run errands, she was free to go and he would continue “working.” She left the room and called her local IT guy that helps her sometimes and he said, “UNPLUG your machine NOW!” She did and the “Kindle Customer Service Guy” called her immediately and said he lost connection and he wasn’t finished. On further examination of her computer, her local IT person, whom she can trust, discovered files and malware the Customer Service Guy had installed and the files/information he had looked at. Come to find out, she called a fictitious Customer Service and not the “real company” at all. She ended up having to change all of her bank accounts, credit cards, and passwords to everything! Luckily, she didn’t lose anything and learned a lesson to be more aware of what is legitimate internet information. This could happen to anyone.”

They’re right, it could happen to anyone. When you call customer support for any company, you have to make sure you’re contacting the real company. If you do a search, there are a lot of “Sponsored Ads” that show up at the top of the search. These are companies that pay to be at the top, and usually are NOT the official company. You can easily get into trouble if you aren’t paying close attention.

Winner of the Monthly Bookstore Drawing

August: Sheila Johnson

Our great employees are our best early warning system for phishing and other social engineering attacks. We encourage all employees to report any phishing e-mails they receive or scams they are aware of. Every month we conduct a drawing for a bookstore gift card. To enter the monthly drawing, simply forward phishing e-mails that you have received to phish@suu.edu, or send an email detailing any scams to the same address. You will be entered for every email you send in.


Campus WiFi: Get your mobile devices connected

Wireless Internet access at Southern Utah University is available on one of two secure wireless networks. Students and faculty/staff should connect to the “SUU” wireless network. Campus guests can use the “suu-conference” wireless network. Your campus host will provide you with the password, or any faculty/staff member can look it up.

The Help Center contains walkthrough instructions to help you connect your devices. If you are unable to connect to the WiFi on your own you can contact the Help Desk or bring your device into the Help Desk in ST107.


August 2015 Security Newsletter

Welcome to the August 2015 edition of the Information Security Newsletter.

I hope we all had a great summer and I would like to personally welcome the new faculty and staff to SUU.

### Information Security Awareness Training

To help members of our campus community better protect both campus information as well as personal information, the University provides Information Security Awareness Training. The goal of the training is to increase awareness in our campus community of how information, whether campus related or personal, is targeted and the steps we can take to better protect ourselves, our campus, and our families.

Every employee is expected to complete the Information Security Awareness Training yearly. The training period runs during Fall and Spring semesters, so we are beginning a new round of training for the upcoming year, beginning August 17th.

The training can either be completed online via Canvas or by attending a live training session offered regularly throughout the year. The online training offers the flexibility of completing it at your own pace. To access the online training, simply log into Canvas at http://suu.instructure.com (enter your campus credentials), and look for Information Security Awareness Training in your list of courses.

The live training offers the opportunity to complete the training in one sitting. For the month of August, the live training sessions will be offered during Welcome Week. Multiple sessions are offered for your convenience. Simply attend the session that works best with your schedule.

All live sessions will be in room PEB 101 (PE Building).

  • Tuesday, Aug 18th @ 9:30-11:00am

  • Tuesday, Aug 18th @ 1:00-2:30pm

  • Tuesday, Aug 18th @ 3:00-4:30pm

  • Wednesday, Aug 19th @ 2:30-4:00pm

More sessions will be scheduled once the semester gets under way to accommodate those who are unable to attend during Welcome Week, and still want to participate in a live session. If a particular department/unit would like to schedule an individualized training, please contact Mark Walton to schedule a time.

### Help Desk Move

The IT Help Desk has moved. It is now located in the Sharwan Smith Center in Room 106, which is right across the hall from the Chartwell’s dining area. If you have any IT needs, you’ll want to check the Help Desk first. They often can help you right over the phone. They can be reached at 865-8200.

### Password Managers

We’ve talked a lot about passwords and password managers in the past. Best practices for passwords include having sufficiently long/complex passwords and having unique passwords for every account. To help keep track of all those passwords, we recommend the use of a password manager. With a password manager, you use a “master” password to access your password vault, which then stores all of your other passwords. There are two categories of password managers: file-based and cloud-based.

A file-based manager is where the password vault is created and stored on your local computer. The advantage is that your passwords are protected from the hackers of the world. The disadvantage is that if you want access to your passwords on multiple devices, then you’ll need to use a file replication service, such as Dropbox, to sync your password vault on all of your devices.

A cloud-based service is where you log into their web site and store all of your passwords within their service. An advantage is that because it’s web-based, it’s accessible from any web browser. The disadvantage is that it’s a cloud service, and as such is a target for hackers.

For on-campus use, the IT Department officially supports KeePass. For those running Windows 7, simply download the latest version from keepass.info, and install it. For Windows 8.1 users, it is available in the Software Center.

KeePass is meant to be a simple and easy-to-use password manager. There are certainly other password managers out there, which work equally well. Some IT recommendations for home use, in addition to KeePass, include 1Password (file-based) and LastPass (cloud-based). They both have basic versions which are free, and you can upgrade to their premium versions for additional functionality. An added word of caution. Make sure you remember your “master” password. If you forget that password, there is absolutely no way to recover your password vault. That’s kind of the point of a password manager.

### Windows 10 - Beware scams

Windows 10 was released at the end of July. For those with home computers running Vista, Windows 7, or Windows 8/8.1, you should be eligible for a free upgrade. Just make sure you’re downloading it from Microsoft. The bad guys are using this as an opportunity to trick people into installing malware on their computers. They are sending out fake Windows 10 upgrade emails with either malicious links or malicious attachments in an attempt to gain access to people’s computers.

As for the campus deployment of Windows 10, our current plan is for IT to evaluate Windows 10 in our offices and test compatibility with our suite of enterprise software. We may deploy Windows 10 in a pilot phase in one of our open student labs either late this fall, or early spring. As the compatibility improves with other enterprise software we use on campus, we will provide deployment to new faculty/staff computers as an optional install. As with any new operating system, sufficient testing must be completed internally in order to provide the best support we can to the campus community.

### Winner of the Monthly Bookstore Drawing

July: Aimee Uchman

Our great employees are our best early warning system for phishing and other social engineering attacks. We encourage all employees to report any phishing emails they receive or scams they are aware of. Every month we conduct a drawing for a bookstore gift card. To enter the monthly drawing, simply forward phishing emails that you have received to phish@suu.edu, or send an email detailing any scams to the same address. You will be entered for every email you send in.

Mark Walton
Director IT Security
walton@suu.edu