Welcome to the February 2016 edition of the Information Security Newsletter.
Updated Password Policy
In the next few weeks IT will be rolling out a new password policy. We will be raising the minimum password length from 8 to 10 characters. That’s the bad news. The good news? If you pick a really good password, then we’ll let you keep it longer than the current 6 month period. Typically the longer the password the stronger it is. So for those of you that pick a longer password, you won’t have to change it as often. I’ll send out another e-mail when we get closer to implementing the new policy, but just wanted to give everyone a heads up. The bad guys are continually upping their game, it’s time for us to do the same.
I want to thank everyone that reported the phish that many of you received on Tuesday. It was sent to 251 employees and I received reports from about 45. It had the classic red flags for a phish:
- Unknown Sender
- General Greeting
- Using language to solicit a quick or emotional response
- Link that goes to an unfamiliar address
Just a reminder to always be careful with links in e-mails. Your computer can become infected by simply visiting a web site. If you recognize it as a phish, resist the temptation to click on the link. Sometimes that’s all they need.
We’ve recently had a couple of cases of ransomware on campus. Ransomware is malware that encrypts all of the data on your computer and any shared network drives. The bad guys then offer to decrypt all of your data if you pay the ransom, which is usually around $500. Fortunately, the employees that were affected didn’t have any important documents on their local hard drives (which were all lost), and notified IT immediately so we could restore network files from recent backups.
They were infected by opening up an attachment in a phishing e-mail. Remember to be careful with any attachment or link in an e-mail that you weren’t expecting. If you don’t know what it is, don’t open it.
We’ve been lucky to only have a few isolated incidents. Hollywood Presbyterian Medical Center has been affected by a massive incident where nearly their entire network has been down for more than a week as they work to recover from a ransomware attack. Their ransom? $3.6M. Yes, that’s an “M” for million.
Fraudulent Tax Return
Remember the warning that I gave last month about the fraudsters filing bogus tax returns in the hopes of collecting refund money? Well, it happened to one of our own. This employee recently reported his experience to me and I wanted to share. He received a Green Dot prepaid debit card in the mail. At first glance he just thought it was a typical credit card offer, but then he looked more closely. This didn’t look like one of those fake cards, but looked real. So he did some Google searching and found out that tax fraudsters often use prepaid debit cards as a part of their scam. Sure enough, when he called the IRS, somebody had attempted to file a tax return in his name, using his social security number. Luckily, the IRS had flagged it as suspicious and hadn’t paid out the refund. He promptly placed a credit freeze with all of the credit reporting agencies. This one is scary because it could easily happen to any one of us. Watch out for suspicious cards in the mail.
The SANS Institute puts out a monthly security newsletter. This month’s newsletter is on “Securing Your Home Network.” Just want to pass it on as a resource for helping protect our home networks.
I’ll be including a link that goes to securingthehuman[.]sans[.]org. Notice the sans[.]org in the hostname. That’s the official domain of the SANS Institute so you know the link is going to the right place.
10 Security Mistakes Nearly Everyone is Guilty Of - #9 & #10
Mistake #9: Ignoring SSL certificate warnings
When you visit a secure web site, you should see a little green padlock in your address bar. This lets you know that the site you are visiting is really who they say they are. If you ever get a pop-up that says that your browser can’t verify the site, then you need to be very cautious. There is a chance that you are actually visiting a fake site. If you run into that situation, feel free to contact me so I can help verify the site.
Mistake #10: Downloading apps from third-parties
Both Google Play and the Apple AppStore have some protections in place to help ensure that apps downloaded from their sites are safe and malware free. However, if you download apps from third-party sites, you have no such protections. The large majority of infected apps come from third-party sites and not the official stores. Be very careful if you are ever prompted to download an app from anyplace other than the official stores.
Winner of the Monthly Bookstore Drawing
January: Andrea Donovan
Our great employees are our best early warning system for phishing and other social engineering attacks. We encourage all employees to report any phishing e-mails they receive or scams they are aware of. Every month we conduct a drawing for a bookstore gift card. To enter the monthly drawing, simply forward phishing e-mails that you have received to firstname.lastname@example.org, or send an e-mail detailing any scams to the same address. You will be entered for every e-mail you send in.