Home - Office and Services - Information Technology - Information Technology News
Information Technology News

Latest Posts

ITS ALERT: Phishing Email, August 9, 2014

By Peter Setlak on August 9, 2014

ACTION REQUIRED:  PHISHING EMAIL / SECURITY ALERT

OVERVIEW:

A phishing email trying to trick users into giving up their username and password has been reported. The email’s subject line is, “System Administrator”

WHO DOES THIS AFFECT?

Everyone on campus is urged to take caution when using email and to be aware that Colgate ITS will never ask for your username and password. Also, ITS will never ask you to update or confirm your email account via email due to congestion, deactivation or lack of use. Additionally, all users are urged to use strong passwords on all their accounts.

WHAT YOU SHOULD DO:  

1. Delete the email.
2. Never give out your username and password.
3. Never click on links in emails that are unsolicited.

If you have questions, need assistance, or replied to the email, please open a ticket with the help desk or call x7111.

To learn more about phishing and how to spot it, please visit http://colgate.edu/itsecurity/phishing

Thank you for your patience and cooperation.

To see a copy of this particular phishing email, continue reading. Read more


ITS ALERT: Phishing Email, June 29, 2014

By Peter Setlak on June 29, 2014

ACTION REQUIRED:  PHISHING EMAIL / SECURITY ALERT

OVERVIEW:

A phishing email trying to trick users into giving up their username and password has been reported. The email’s subject line is, “Verification Alert!!”

WHO DOES THIS AFFECT?

Everyone on campus is urged to take caution when using email and to be aware that Colgate ITS will never ask for your username and password. Also, ITS will never ask you to update or confirm your email account via email due to congestion, deactivation or lack of use. Additionally, all users are urged to use strong passwords on all their accounts.

WHAT YOU SHOULD DO:  

1. Delete the email.
2. Never give out your username and password.
3. Never click on links in emails that are unsolicited.

If you have questions, need assistance, or replied to the email, please open a ticket with the help desk or call x7111.

To learn more about phishing and how to spot it, please visit http://colgate.edu/itsecurity/phishing

Thank you for your patience and cooperation.

To see a copy of this particular phishing email, continue reading. Read more


On Exporting Sensitive Data

By Peter Setlak on June 10, 2014

On June 5, 2014, UVA accidentally exposed the GPA, class rankings, work experience, recommendations and other sensitive data on a large group of applicants to a Listserv. Incidents like this do not leave UVA in a league of their own; last month Columbia University was found to have exposed 6,800 patient records on the Internet and Indiana University let 146,000 student records loose when it accidentally stored exported data in the wrong location earlier this year. At the heart of these breaches is the notion that our own misuse of sensitive data can pose as much or more risk to the institution as hackers. The loss of sensitive data can have an immediate and long-lasting effect on our reputation and our users’ lives. When our parents, alumni and students lose their trust in us; when they feel we cannot protect their private and personal information, they will go elsewhere. When easily avoided mistakes are made that put their financial and personal information at risk, their trust in us is lost – possibly forever. But mistakes can be avoided when dealing with sensitive data. Simple steps can be taken to mitigate or even prevent the slippage of data through our own hands. The privacy and security of our students’ data begins with each one of us.

Predominantly, companies lose sensitive information through the accidental misplacement of data. Even the risks associated with a stolen laptop can be chalked-up to the misuse of spreadsheets and scanned data. If sensitive data is never exported from its primary source – if it is never stored locally on a hard drive or thumb drive, then it is better protected and less-likely to be stolen. If emails and attached documents don’t contain sensitive data, sending them to the wrong person(s) holds no risk – even a breached account poses a lower risk. Yet the reality is that to get our work done, many of us export data from databases into spreadsheets and share those sheets and the data they contain through email. It is these very documents themselves and the way we share them that tend to cause the most harm.

As we shift resources into cloud  services such as Gmail or Salesforce and implement new solutions for handling “big data” such as Tableau and paperless solutions like Nolij, we begin to lower the risk posed by handling data in traditional ways. This transition does not happen over-night and even after we complete these projects there may still be a need to create documents outside these solutions. So how do we protect ourselves, our students’, alumni’s and employees’ sensitive information? We can follow these simple guidelines outlined below and ask ourselves, before exporting and sharing data, these simple questions:

 1. Do I really need to export this data?

Exported data is by far the easiest way to lose sensitive data. The number-one way to prevent the loss of exported data is to not export it in the first place. We tend to export data because we feel it is easier to work with. Instead of exporting the data, take the time to get to know and to learn the tools inside Banner, Nolij and Tableau, or contact ITS to help develop ways to work with data without having to export it. If you find you truly need to export data to a spreadsheet, be sure to do two things:
  • Name the document something meaningful. A meaningful name can help prevent you from sharing the wrong spreadsheet.
  • Password protect the Excel spreadsheet or create it using Google Docs instead. These methods add some control over who can actually see the data if for some reason it falls into the wrong hands.

2. Do I really need to export this type of / this much data?

We often tend to export more data than we need, “just in case”. By doing so, we set ourselves up for forgetting what data we exported. More-so, we seldom need to export sensitive data types such as Social Security Numbers, Financial Information, Medical Information, Driver’s Licenses, Passport Numbers or Academic Standings. Instead of exporting data you don’t need, limit the amount and type of data you export to only exactly what you do need. If you find you need more later, export it then, not before you need it. Remember, it is never permitted to store full Social Security Numbers along side of names outside of Banner nor Credit Card Numbers and CVV values anywhere.

3. How long do I need this data?

Throughout a year, month, week or even a day, some of us export several spreadsheets worth of data – data which once we’re done manipulating we never need again. Yet we tend to keep this data, again, “just in case”. This exported data tends to build-up on our hard drives, ending up on old forgotten folders, sub-directories, shared drives or even laptops, tablets, phones or personal cloud services like Dropbox! Instead of keeping this data around, be sure to delete exported data as soon as you no longer need it. If it is something that can be recreated, delete the exported data and recreate it when you need it.

4. Who needs to see the data?

Even if you are the only one who needs to see this data, never save it to your local hard drive. Each of us has a network drive and a Google Apps account. By saving the file to one of these locations, it is less-likely to be lost or stolen especially if you use a laptop! Additionally, data stored in these locations can often be restored if it is accidentally deleted. If you do need to share the data, take a moment to think about the why, what, how and with who.

The “why”

Be sure to ask yourself why you need to share this data – especially in its current format. Can (or should) this data be shared in a different manner like an aggregate presentation, person-to-person, or through a tool such as Tableau?

The “what”

Share only what the person(s) needs to see. Often we send entire spreadsheets of detailed data when all the other person ever needs to see is a summary. If they don’t need the detailed data, don’t send it! They can always ask for it later if they really need it.

The “how”

Typically, we tend to share data as an email attachment. This use to be the only method available but today, there are other options. By creating your spreadsheet as a Google Doc, you can share a link to the document in an email instead of the document itself. This protects you in several ways:

  • Only those with the link to the document, who have been explicitly permitted to see the document can open it – even if the email with the link is sent to the wrong person(s), and, you can easily “un-share” a document if and when you need to.
  • You can make changes to the document and all those who have access to it can see the changes without you having to send updated attachments with each revision – with Google Docs, you can even collaborate in real-time.
  • Users can view the document online without having to download the document to their laptop or a thumb drive. This keeps the data in the cloud and off other peoples’ laptops and home computers.
  • You can limit who can change or update the document as well as see a history of who changed what and when giving you the ability to collaborate on different levels with different users with the same document.

You can also share Excel documents using Goole Drive (although users can then download the spreadsheet if they so choose). When sharing the document, be sure to select the proper choice appropriate with the level of access you wish to grant. If you decide not to use Google Drive, save the Excel document to your department’s shared folder. You can then send a link to the document’s location instead of the document itself. Your collaborators can then access the data through the VPN instead of saving it to their local hard drive or storing a copy in their email.

The “who”

Finally, it only takes one fat finger to share the data with the wrong person(s). Be sure to double and triple-check the following:

  • The names AND email addresses of the people in the To:, CC: or BCC: field. Sometimes names and emails can be very similar but totally different. There may be two Bob Smiths on campus and only bEsmith is the person who should see your data, not bsmith…
  • The names AND email addresses of the people in the sharing configuration of your Google Doc – be sure never to share the data with the world or entire campus unless that is what you absolutely need. Hint: you will rarely ever need to share with the world.
  • That your shared document only has in it only exactly what you need to share and nothing more.

By going through this exercise each time you work with data, you can virtually eliminate much of the risks associated with handling sensitive information. Doing so will not only help keep the University safe, it will help our students, alumni and employees live and work in a more-secure world. Practicing these tips can work for areas in your personal life as well – being careful where and how to store and share personal information about yourself with financial institutions, doctors and commercial enterprises can greatly reduce the risk of your identity being stolen. Combining these tips above with using strong passwords and knowing how to identify and deal-with fraudulent emails can and will make the Internet a safer, more-secure place for you and Colgate!


ITS ALERT: Phishing Email, June 4, 2014

By Peter Setlak on June 4, 2014

ACTION REQUIRED:  PHISHING EMAIL / SECURITY ALERT

OVERVIEW:

A phishing email trying to trick users into giving up their username and password has been reported. The email’s subject line is, “IT(S) Help Desk: Webmail Violation Warning!!

WHO DOES THIS AFFECT?

Everyone on campus is urged to take caution when using email and to be aware that Colgate ITS will never ask for your username and password. Also, ITS will never ask you to update or confirm your email account via email due to congestion, deactivation or lack of use. Additionally, all users are urged to use strong passwords on all their accounts.

WHAT YOU SHOULD DO:  

1. Delete the email.
2. Never give out your username and password.
3. Never click on links in emails that are unsolicited.

If you have questions, need assistance, or replied to the email, please open a ticket with the help desk or call x7111.

To learn more about phishing and how to spot it, please visit http://colgate.edu/itsecurity/phishing

Thank you for your patience and cooperation.

To see a copy of this particular phishing email, continue reading. Read more


ITS ALERT: Vulnerability in Internet Explorer Could Allow Remote Code Execution, April 27, 2014

By Peter Setlak on April 27, 2014

UPDATE:

Microsoft has released a patch to address the zero-day vulnerability found in Internet Explorer. The patch is available through the Automatic Update feature on Microsoft Windows and is being made available to users of Windows XP. For details about the patch and how to manually run Automatic Updates, follow the link below. Additionally, you are encouraged to update Adobe Flash on all operating systems including Linux, Mac OS X and Windows.

http://blogs.technet.com/b/msrc/archive/2014/05/01/out-of-band-release-to-address-microsoft-security-advisory-2963983.aspx

ISSUE: Vulnerability in Internet Explorer Could Allow Remote Code Execution

OVERVIEW:

Microsoft is currently investigating reports of active attacks in the wild against IE 9, 10 & 11 using a “zero-day” exploit that could allow a hacker to remotely run code on affected PCs. The IE exploit takes advantage of a vulnerability in Adobe Flash on Windows, Mac OS X & Linux. ITS is keeping an eye on the results of Microsoft’s progress and putting measures in place to help mitigate risk of exposure on campus PCs.

WHO DOES THIS AFFECT?

Anyone using Microsoft Internet Explorer versions 6 through 11.

WHAT YOU SHOULD DO:  

1. When possible and until Microsoft releases a patch, use a different browser such as Google Chrome, Opera or Mozilla Firefox.
2. *UPDATE* Upgrade Adobe Flash (including Macs & Linux). You can download the latest version here: http://get.adobe.com/flashplayer/otherversions/
3. Install Microsoft’s Enhanced Mitigation Experience Toolkit (found here: http://technet.microsoft.com/en-us/security/jj653751)
4. Refrain from surfing the Web directly on servers you run or manage.

See more information about this issue and Microsoft’s & Adobe’s announcements here:

https://technet.microsoft.com/en-us/library/security/2963983.aspx
http://helpx.adobe.com/security/products/flash-player/apsb14-13.html

If you have questions or need assistance please open a ticket with the help desk or call x7111.

Thank you for your patience and cooperation.


ITS INFO: Heartbleed Announcement, April 10, 2014

By Peter Setlak on April 10, 2014

On the evening of April 7, 2014, the world became aware of a major flaw in how secure transactions are handled on the Internet. The flaw, known as the OpenSSL Heartbleed bug (CVE-2014-0160) enables the decryption of secure traffic by unauthorized third parties.

Colgate’s Response

While the bug affected over half the servers on the Internet, most companies, including Colgate, acted quickly and patched their systems. ITS began patching systems promptly on the morning of April 8; all systems were patched by 10:00 PM EST. ITS has no indication that our systems were compromised.

In staying true to our word that we will never contact you via phone or email to change your passwords, ITS chose not to send a mass-email alert with a link to our password page. 

What should I do?

The vast majority of secure traffic and transactions on the Web are encrypted using the SSL protocol. Everyone who uses the Internet or mobile apps for banking, shopping, communicating, sharing, or storing information may be at risk of having their information, including passwords, revealed to a third party.

That said, this bug has potentially serious consequences and ITS advises all users to change their passwords for personal services they use on the Internet.

If you have questions please contact the helpline at (315) 228-7111 or send an email to itshelp@colgate.edu

For more information about Heartbleed, see our initial blog alert at:


ITS ALERT: Password Security at Risk, April 8, 2014

By Peter Setlak on April 9, 2014

ACTION REQUIRED:  PASSWORD SECURITY AT RISK

OVERVIEW:

A major flaw in how web servers handle encrypted data including passwords was discovered. Known as the “Heartbleed” bug, the vulnerability could expose your password to an attacker. ITS worked diligently throughout the day to patch web services across campus.

WHO DOES THIS AFFECT?

Anyone who logged in to any Colgate web services prior to 10:00 PM on April 8, 2014 and anyone who uses web services and mobile apps for banking, email, social media, etc.

WHAT YOU SHOULD DO:  

1. Go to https://accounts.colgate.edu and change your Colgate passwords.
2. Work with your personal web services such as your bank, email and social networks to change your passwords.

To learn more about how to create strong passwords, please visit http://colgate.edu/itsecurity/passwords

If you have questions or need assistance please open a ticket with the help desk or call x7111.

To learn more about “Heartbleed” and how to protect yourself, click here.


ITS ALERT: Phishing Email, March 31, 2014

By Peter Setlak on March 31, 2014

ACTION REQUIRED:  PHISHING EMAIL / SECURITY ALERT

OVERVIEW:

A phishing email trying to trick users into giving up their username and password has been reported. The email states, “If you are receiving this message it means that your email address has been queued for deactivation”

WHO DOES THIS AFFECT?

Everyone on campus is urged to take caution when using email and to be aware that Colgate ITS will never ask for your username and password. Also, ITS will never ask you to update or confirm your email account via email due to congestion, deactivation or lack of use.

WHAT YOU SHOULD DO:  

1. Delete the email.
2. Never give out your username and password.
3. Never click on links in emails that are unsolicited.

If you have questions or need assistance please open a ticket with the help desk or call x7111.

To learn more about phishing and how to spot it, please visit http://colgate.edu/itsecurity/phishing

Thank you for your patience and cooperation.

To see a copy of this particular phishing email, continue reading. Read more


Tax Phishing Fraud Season

By Peter Setlak on March 31, 2014

It is that time of year when someone you’ve never met tries to get you to give up your money and I’m not talking about Uncle Sam. Each year starting in late March and early April and going through May, hackers send out phishing emails that look as though they are from tax service providers or the IRS. These phishing attacks are particularly successful (to the hacker) since the targets (we) are already flustered and confused about the filing process. The hackers prey on this fact and count on our fear of making a mistake, not filing on time, or guaranteeing our refund. During seasons like this, it is important to slow down and double-check any and every communication from tax service providers, the IRS and financial institutions. Scrutinize any email, phone call or text message you receive in relation to these institutions. It never hurts, even if you’re “pretty sure it’s legit” to contact the institution directly to verify the message. In general, follow these suggestions and you improve your chances of being safe:

1. If it came to you unsolicited and you’ve never done business with them, it’s probably a phish.
2. Handle interactions with the IRS by going to them directly: http://www.irs.gov - the same goes for your tax service or financial institution.
3. Never give out your password, Social Security Number, credit card information or other personal information in response to an email, phone call or text message.

For more information on how to spot and avoid phishing, check out our phishing page at: http://www.colgate.edu/itsecurity/phishing


ITS ALERT: Security Exploit Reported in Rich Text Format (.rtf) Documents, March 25, 2014

By Peter Setlak on March 25, 2014

ISSUE: Security Exploit Reported in Rich Text Format (.rtf) Documents

OVERVIEW:

A new exploit in how Microsoft Word and Outlook handles Rich Text Format (.rtf) documents has been reported by Microsoft.  The exploit enables a hacker to remotely run programs on a computer. As a precaution, ITS will temporarily block .rtf email attachments until a patch for this exploit has been put in place.

WHO DOES THIS AFFECT?

Anyone using Microsoft Word and Outlook (including Macs) and anyone expecting an .rtf document as an email attachment.

WHAT YOU SHOULD DO:  

1. If you use Outlook to read your email, you should make sure you are using the latest version. Staff should notify ITS to schedule an upgrade.
2. If you currently use Rich Text Format (.rtf) documents, open them in something other than Microsoft Word.
3. If you are expecting an .rtf attachment, notify the sender to have them zip the file or change its format.
4. Always be careful when using email – never open attachments or click links in unsolicited email.

For more information about this issue and additional things you can do to protect yourself from this exploit, please continue reading: Read more

css.php