Welcome to the October 2015 edition of the Information Security Newsletter.
Printer Repair and Toner Scams
I’ve received a number of alerts from campus departments that have received cold calls concerning printer maintenance or toner/ink offers. They are becoming very aggressive and the business tactics being used are quite shady. The Purchasing Department reminds us that they advise departments to never order toner from anyone contacting them by phone, e-mail or direct mail. SUU has relationships with several reputable State Contract vendors and we would prefer to patronize these businesses.
Other Phone Scams
Some other phone scams campus employees have recently encountered include calls purporting to be from Microsoft and the IRS.
- With the Microsoft calls, they claim that your computer is having some kind of problem, and they called to help you fix it. This is always 100% a scam. Microsoft will never call you about any of their products. By the way, the scammers are starting to target Macs now too. So don’t be surprised if you get a phone call from “Apple” offering to help fix the “problems” on your Mac.
- In the case of the IRS, you get a call that you have some unpaid back taxes and that the IRS will pursue legal action if you don’t pay up immediately. Don’t be fooled, the IRS won’t contact you this way.
Remember to always be very suspicious of any cold calls.
We’ve recently seen an uptick in the cases of individuals using peer-to-peer (P2P) file-sharing software like BitTorrent to illegally download copyrighted material such as music, movies, and TV shows. Since this is illegal, this kind of activity is in violation of campus policy. There are a number of legitimate websites (Netflix, Hulu, Pandora, iTunes, etc.) to legally access this kind of material.
Additionally, there are potentially harmful effects from the use of P2P software. P2P software is designed to allow the sharing of files between computers. If the software is not properly configured, it can expose other parts of your computer, unintentionally sharing potentially sensitive and private data. Also, due to the nature of this kind of software, it is frequently the target for viruses and other malware that could infect your computer and further compromise the integrity of your system.
10 Security Mistakes Nearly Everyone is Guilty Of - #3 & #4
Mistake #3: Reusing Passwords
One of the biggest mistakes we continue to make is using weak and/or reused passwords. A weak password is one that is easily guessed or based on a single dictionary word, which makes it easy for criminals to crack. To pick a strong password, take 3 or 4 random dictionary words and combine them, using some kind of symbol (like a space or hyphen) to separate the words, and then throw in your favorite number.
This password is 17 characters (the longer the password the better), and also includes some complexity. It is also fairly easy to remember as it’s just three words. This would be much harder to crack than say:
This is a list of the 10 most common passwords so far for 2015. Is yours on the list?
The other mistake we often make is to reuse the same password on every account. Best practice is to have a different password for every account. That’s a lot of passwords! It is recommended to use a Password Manager, like KeePass, 1Password, or LastPass to keep track of all your passwords.
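The recipe under Mistake #3 (three or four random dictionary words, a separator symbol, and a number), as an added Python example that is not part of the original newsletter. It assumes a constructed 32-word sample list and picks the number at random instead of using a favorite one; `make_passphrase` and `entropy_bits` are hypothetical names.

```python
import math
import secrets

# Constructed sample list for illustration only. A real generator should
# load a large list (thousands of words), since strength scales with its size.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "desert", "engine", "forest", "guitar",
    "harbor", "island", "jacket", "kettle", "ladder", "magnet", "napkin",
    "orange", "pepper", "quartz", "ribbon", "saddle", "tunnel", "umbrella",
    "violin", "walnut", "yellow", "zipper", "copper", "meadow", "pillow",
    "rocket", "sunset", "thread", "window",
]


def make_passphrase(words, n_words=4, sep="-", digits=2):
    """Build a passphrase: n_words random words joined by sep, plus a number."""
    if n_words < 3:
        raise ValueError("use at least 3 words, per the recipe")
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    # secrets uses the OS CSPRNG; the random module is not suitable here.
    chosen = [secrets.choice(words) for _ in range(n_words)]
    number = f"{secrets.randbelow(10 ** digits):0{digits}d}"
    return sep.join(chosen + [number])


def entropy_bits(list_size, n_words, digits=0):
    """Guessing entropy in bits, assuming the attacker knows the recipe and
    the word list, and that every word and digit is chosen uniformly."""
    return n_words * math.log2(list_size) + digits * math.log2(10)


if __name__ == "__main__":
    print("example passphrase:", make_passphrase(SAMPLE_WORDS))
    # Compare one dictionary word against the full recipe on a 7776-word list
    # (the size of a five-dice word list).
    print(f"single word:       {entropy_bits(7776, 1):.1f} bits")
    print(f"4 words + 2 digits: {entropy_bits(7776, 4, 2):.1f} bits")
```

The entropy figure only holds when the words are picked by the generator; words a person picks themselves are far more predictable.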
Mistake #4: Oversharing on social media
People tend to share way too much information about themselves on social media sites, especially younger generations. This information can be used for social engineering, identity theft, or other nefarious purposes. Or maybe it just comes back to bite you later. Employers now often research prospective employees on social media and make employment decisions based on the kind of information posted.
As a good rule of thumb, don’t post anything you wouldn’t want your mom to see. And remember, what’s posted to the Internet, stays on the Internet, forever.
Questionable Link Requests
Web Services has heard from several users around campus after they received an email asking them to “add a link to your website.” Frequently these are written in a very personable/friendly tone, but aren’t really something to help your web pages/users. These are a way for that person to get more incoming links to their own site. If you get a request from someone you don’t know asking you to link to a site that doesn’t really have much to do with your content, you can delete those! If you get one and aren’t certain if it’s legit, forward it to email@example.com.
Information Security Awareness Training
I appreciate those who have already completed the training. For those that want to attend a live training session, I’ll be scheduling more sessions in November. To complete the training online, simply log into Canvas at http://suu.instructure.com (enter your campus credentials), and look for Information Security Awareness Training in your list of courses.
Winner of the Monthly Bookstore Drawing
September: Brandon Street
Our great employees are our best early warning system for phishing and other social engineering attacks. We encourage all employees to report any phishing e-mails they receive or scams they are aware of. Every month we conduct a drawing for a bookstore gift card. To enter the monthly drawing, simply forward phishing e-mails that you have received to firstname.lastname@example.org, or send an e-mail detailing any scams to the same address. You will be entered for every e-mail you send in.