Home - Office and Services - Information Technology - Information Technology News
Information Technology News

Latest Posts

ITS ALERT: Phishing Email, October 31, 2014

By Peter Setlak on October 31, 2014

ACTION REQUIRED:  PHISHING EMAIL / SECURITY ALERT

OVERVIEW:

A phishing email trying to trick users into giving up their username and password has been reported. The email has the subject, “Failure to comply may result in the loss of your account within the next 24 hours.”.

WHO DOES THIS AFFECT?

Everyone on campus is urged to take caution when using email and to be aware that Colgate ITS will never ask for your username and password. Also, ITS will never ask you to update or confirm your email account via email due to congestion, deactivation or lack of use. Additionally, all users are urged to use strong passwords on all their accounts.

WHAT YOU SHOULD DO:  

1. Delete the email.
2. Never give out your username and password.
3. Never click on links in emails that are unsolicited.

If you have questions, need assistance, or replied to the email, please open a ticket with the help desk or call x7111.

To learn more about phishing and how to spot it, please visit http://colgate.edu/itsecurity/phishing

Thank you for your patience and cooperation.

To see a copy of this particular phishing email, continue reading.

Read more


ITS ALERT: Security Exploit Reported in emailed Microsoft PowerPoint (.ppt and .pptx) Documents, October 22, 2014

By Peter Setlak on October 22, 2014

ISSUE: Security Exploit Reported in emailed Microsoft PowerPoint (.ppt and .pptx) Documents

OVERVIEW:

A new exploit in Microsoft PowerPoint (.ppt and .pptx) documents being sent in phishing emails has been reported by Microsoft.  The exploit enables a hacker to remotely run programs on a computer.

WHO DOES THIS AFFECT?

Anyone using email and Microsoft PowerPoint in all versions of Windows.

WHAT YOU SHOULD DO:  

1. Always be careful when using email – never open attachments or click links in an unsolicited email.

For more information about this issue and additional things you can do to protect yourself from this exploit, please continue reading: Read more


ITS ALERT: Phishing Email, October 8, 2014

By Peter Setlak on October 8, 2014

ACTION REQUIRED:  PHISHING EMAIL / SECURITY ALERT

OVERVIEW:

A phishing email trying to trick users into giving up their username and password has been reported. The email has the subject, “Notices”.

WHO DOES THIS AFFECT?

Everyone on campus is urged to take caution when using email and to be aware that Colgate ITS will never ask for your username and password. Also, ITS will never ask you to update or confirm your email account via email due to congestion, deactivation or lack of use. Additionally, all users are urged to use strong passwords on all their accounts.

WHAT YOU SHOULD DO:  

1. Delete the email.
2. Never give out your username and password.
3. Never click on links in emails that are unsolicited.

If you have questions, need assistance, or replied to the email, please open a ticket with the help desk or call x7111.

To learn more about phishing and how to spot it, please visit http://colgate.edu/itsecurity/phishing

Thank you for your patience and cooperation.

To see a copy of this particular phishing email, continue reading.

Read more


ITS ALERT: Vulnerability in Apple Mac OS X, Linux and Unix-based Systems

By Peter Setlak on September 30, 2014

OVERVIEW:

On September, 24, 2014, US-CERT made public vulnerability in the Bourne-Again Shell (bash) found on nearly all Unix-based operating systems including Mac OS X and Linux. In response, ITS patched our public-facing systems and reached-out to staff and faculty running Linux. While waiting for current patches to be released by Apple, ITS took precautionary measures on the campus firewall to help block exploits. Apple has released their patch and ITS strongly recommends that all Unix-based systems, including Mac OS X, be patched.

WHO DOES THIS AFFECT?

Anyone running Mac OS X, Linux or Unix-based operating systems.

WHAT YOU SHOULD DO:  

Obtain and install patches for your operating system. Patches and/or information can be found here:

Apple Mac OS X (Lion) (Mountain Lion) (Mavericks)
Red Hat LinuxCentOS
DebianUbuntu

Package updates are also available for SUSE, FreeBSD and other Unix-based systems including Cygwin. For assistance obtaining patches for these and other Linux distributions, please contact ITS.

See more information about this issue, follow the links below:

https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

http://support.apple.com/kb/HT1222

If you have questions or need assistance please open a ticket with the help desk or call x7111.

Thank you for your patience and cooperation.


ITS ALERT: Phishing Email, September 29, 2014

By Peter Setlak on September 29, 2014

ACTION REQUIRED:  PHISHING EMAIL / SECURITY ALERT

OVERVIEW:

A phishing email trying to trick users into giving up their username and password has been reported. The email claims to come from “Help Desk” and has the subject line of, “Failure to comply may result in the loss of your account within the next 24 hours.”

WHO DOES THIS AFFECT?

Everyone on campus is urged to take caution when using email and to be aware that Colgate ITS will never ask for your username and password. Also, ITS will never ask you to update or confirm your email account via email due to congestion, deactivation or lack of use. Additionally, all users are urged to use strong passwords on all their accounts.

WHAT YOU SHOULD DO:  

1. Delete the email.
2. Never give out your username and password.
3. Never click on links in emails that are unsolicited.

If you have questions, need assistance, or replied to the email, please open a ticket with the help desk or call x7111.

To learn more about phishing and how to spot it, please visit http://colgate.edu/itsecurity/phishing

Thank you for your patience and cooperation.

To see a copy of this particular phishing email, continue reading.

Read more


ITS ALERT: Phishing Email, September 18, 2014

By Peter Setlak on September 18, 2014

ACTION REQUIRED:  PHISHING EMAIL / SECURITY ALERT

OVERVIEW:

A phishing email trying to trick users into giving up their username and password has been reported. The email has no subject line and comes from “Webmaster”.

WHO DOES THIS AFFECT?

Everyone on campus is urged to take caution when using email and to be aware that Colgate ITS will never ask for your username and password. Also, ITS will never ask you to update or confirm your email account via email due to congestion, deactivation or lack of use. Additionally, all users are urged to use strong passwords on all their accounts.

WHAT YOU SHOULD DO:  

1. Delete the email.
2. Never give out your username and password.
3. Never click on links in emails that are unsolicited.

If you have questions, need assistance, or replied to the email, please open a ticket with the help desk or call x7111.

To learn more about phishing and how to spot it, please visit http://colgate.edu/itsecurity/phishing

Thank you for your patience and cooperation.

To see a copy of this particular phishing email, continue reading.

From: Webmaster <morrow@hope.edu>
Date: Thu, Sep 18, 2014 at 11:02 AM
Subject:
To:

Attn Web User.
   Your E-mail was Login from a different device, your account will be
  disabled as a result of multiple login if you do not validate, to validate your account,
Make sure you fill the correct data  to validate your account.
Support Webmaster
Copyright (C) 2014 System Admin.

Read more


ITS ALERT: JP Morgan Chase Phishing Email, August 25, 2014

By Peter Setlak on August 25, 2014

ACTION REQUIRED:  PHISHING EMAIL / SECURITY ALERT

OVERVIEW:

A phishing campaign against JP Morgan Chase customers is circulating the Internet. Please be extra vigilant when opening emails appearing to come from JP Morgan Chase.

WHO DOES THIS AFFECT?

All employees who are JP Morgan Chase card-holders.

WHAT YOU SHOULD DO:  

If you suspect that you have received one of these phishing emails, please do the following:

1. Open a ticket with the help desk.
2. Do NOT give out your username and password.
3. Do NOT click on any links in emails that are unsolicited.

If you have questions, need assistance, or replied to the email, please open a ticket with the help desk or call x7111.

To learn more about phishing and how to spot it, please visit http://colgate.edu/itsecurity/phishing

Thank you for your patience and cooperation.

To see an article showing a copy of this particular phishing email, please visit http://www.proofpoint.com/threatinsight/posts/smash-and-grab-jpmorgan.php


ITS ALERT: Phishing Email, August 9, 2014

By Peter Setlak on August 9, 2014

ACTION REQUIRED:  PHISHING EMAIL / SECURITY ALERT

OVERVIEW:

A phishing email trying to trick users into giving up their username and password has been reported. The email’s subject line is, “System Administrator”

WHO DOES THIS AFFECT?

Everyone on campus is urged to take caution when using email and to be aware that Colgate ITS will never ask for your username and password. Also, ITS will never ask you to update or confirm your email account via email due to congestion, deactivation or lack of use. Additionally, all users are urged to use strong passwords on all their accounts.

WHAT YOU SHOULD DO:  

1. Delete the email.
2. Never give out your username and password.
3. Never click on links in emails that are unsolicited.

If you have questions, need assistance, or replied to the email, please open a ticket with the help desk or call x7111.

To learn more about phishing and how to spot it, please visit http://colgate.edu/itsecurity/phishing

Thank you for your patience and cooperation.

To see a copy of this particular phishing email, continue reading. Read more


ITS ALERT: Phishing Email, June 29, 2014

By Peter Setlak on June 29, 2014

ACTION REQUIRED:  PHISHING EMAIL / SECURITY ALERT

OVERVIEW:

A phishing email trying to trick users into giving up their username and password has been reported. The email’s subject line is, “Verification Alert!!”

WHO DOES THIS AFFECT?

Everyone on campus is urged to take caution when using email and to be aware that Colgate ITS will never ask for your username and password. Also, ITS will never ask you to update or confirm your email account via email due to congestion, deactivation or lack of use. Additionally, all users are urged to use strong passwords on all their accounts.

WHAT YOU SHOULD DO:  

1. Delete the email.
2. Never give out your username and password.
3. Never click on links in emails that are unsolicited.

If you have questions, need assistance, or replied to the email, please open a ticket with the help desk or call x7111.

To learn more about phishing and how to spot it, please visit http://colgate.edu/itsecurity/phishing

Thank you for your patience and cooperation.

To see a copy of this particular phishing email, continue reading. Read more


On Exporting Sensitive Data

By Peter Setlak on June 10, 2014

On June 5, 2014, UVA accidentally exposed the GPA, class rankings, work experience, recommendations and other sensitive data on a large group of applicants to a Listserv. Incidents like this do not leave UVA in a league of their own; last month Columbia University was found to have exposed 6,800 patient records on the Internet and Indiana University let 146,000 student records loose when it accidentally stored exported data in the wrong location earlier this year. At the heart of these breaches is the notion that our own misuse of sensitive data can pose as much or more risk to the institution as hackers. The loss of sensitive data can have an immediate and long-lasting effect on our reputation and our users’ lives. When our parents, alumni and students lose their trust in us; when they feel we cannot protect their private and personal information, they will go elsewhere. When easily avoided mistakes are made that put their financial and personal information at risk, their trust in us is lost – possibly forever. But mistakes can be avoided when dealing with sensitive data. Simple steps can be taken to mitigate or even prevent the slippage of data through our own hands. The privacy and security of our students’ data begins with each one of us.

Predominantly, companies lose sensitive information through the accidental misplacement of data. Even the risks associated with a stolen laptop can be chalked-up to the misuse of spreadsheets and scanned data. If sensitive data is never exported from its primary source – if it is never stored locally on a hard drive or thumb drive, then it is better protected and less-likely to be stolen. If emails and attached documents don’t contain sensitive data, sending them to the wrong person(s) holds no risk – even a breached account poses a lower risk. Yet the reality is that to get our work done, many of us export data from databases into spreadsheets and share those sheets and the data they contain through email. It is these very documents themselves and the way we share them that tend to cause the most harm.

As we shift resources into cloud  services such as Gmail or Salesforce and implement new solutions for handling “big data” such as Tableau and paperless solutions like Nolij, we begin to lower the risk posed by handling data in traditional ways. This transition does not happen over-night and even after we complete these projects there may still be a need to create documents outside these solutions. So how do we protect ourselves, our students’, alumni’s and employees’ sensitive information? We can follow these simple guidelines outlined below and ask ourselves, before exporting and sharing data, these simple questions:

 1. Do I really need to export this data?

Exported data is by far the easiest way to lose sensitive data. The number-one way to prevent the loss of exported data is to not export it in the first place. We tend to export data because we feel it is easier to work with. Instead of exporting the data, take the time to get to know and to learn the tools inside Banner, Nolij and Tableau, or contact ITS to help develop ways to work with data without having to export it. If you find you truly need to export data to a spreadsheet, be sure to do two things:
  • Name the document something meaningful. A meaningful name can help prevent you from sharing the wrong spreadsheet.
  • Password protect the Excel spreadsheet or create it using Google Docs instead. These methods add some control over who can actually see the data if for some reason it falls into the wrong hands.

2. Do I really need to export this type of / this much data?

We often tend to export more data than we need, “just in case”. By doing so, we set ourselves up for forgetting what data we exported. More-so, we seldom need to export sensitive data types such as Social Security Numbers, Financial Information, Medical Information, Driver’s Licenses, Passport Numbers or Academic Standings. Instead of exporting data you don’t need, limit the amount and type of data you export to only exactly what you do need. If you find you need more later, export it then, not before you need it. Remember, it is never permitted to store full Social Security Numbers along side of names outside of Banner nor Credit Card Numbers and CVV values anywhere.

3. How long do I need this data?

Throughout a year, month, week or even a day, some of us export several spreadsheets worth of data – data which once we’re done manipulating we never need again. Yet we tend to keep this data, again, “just in case”. This exported data tends to build-up on our hard drives, ending up on old forgotten folders, sub-directories, shared drives or even laptops, tablets, phones or personal cloud services like Dropbox! Instead of keeping this data around, be sure to delete exported data as soon as you no longer need it. If it is something that can be recreated, delete the exported data and recreate it when you need it.

4. Who needs to see the data?

Even if you are the only one who needs to see this data, never save it to your local hard drive. Each of us has a network drive and a Google Apps account. By saving the file to one of these locations, it is less-likely to be lost or stolen especially if you use a laptop! Additionally, data stored in these locations can often be restored if it is accidentally deleted. If you do need to share the data, take a moment to think about the why, what, how and with who.

The “why”

Be sure to ask yourself why you need to share this data – especially in its current format. Can (or should) this data be shared in a different manner like an aggregate presentation, person-to-person, or through a tool such as Tableau?

The “what”

Share only what the person(s) needs to see. Often we send entire spreadsheets of detailed data when all the other person ever needs to see is a summary. If they don’t need the detailed data, don’t send it! They can always ask for it later if they really need it.

The “how”

Typically, we tend to share data as an email attachment. This use to be the only method available but today, there are other options. By creating your spreadsheet as a Google Doc, you can share a link to the document in an email instead of the document itself. This protects you in several ways:

  • Only those with the link to the document, who have been explicitly permitted to see the document can open it – even if the email with the link is sent to the wrong person(s), and, you can easily “un-share” a document if and when you need to.
  • You can make changes to the document and all those who have access to it can see the changes without you having to send updated attachments with each revision – with Google Docs, you can even collaborate in real-time.
  • Users can view the document online without having to download the document to their laptop or a thumb drive. This keeps the data in the cloud and off other peoples’ laptops and home computers.
  • You can limit who can change or update the document as well as see a history of who changed what and when giving you the ability to collaborate on different levels with different users with the same document.

You can also share Excel documents using Goole Drive (although users can then download the spreadsheet if they so choose). When sharing the document, be sure to select the proper choice appropriate with the level of access you wish to grant. If you decide not to use Google Drive, save the Excel document to your department’s shared folder. You can then send a link to the document’s location instead of the document itself. Your collaborators can then access the data through the VPN instead of saving it to their local hard drive or storing a copy in their email.

The “who”

Finally, it only takes one fat finger to share the data with the wrong person(s). Be sure to double and triple-check the following:

  • The names AND email addresses of the people in the To:, CC: or BCC: field. Sometimes names and emails can be very similar but totally different. There may be two Bob Smiths on campus and only bEsmith is the person who should see your data, not bsmith…
  • The names AND email addresses of the people in the sharing configuration of your Google Doc – be sure never to share the data with the world or entire campus unless that is what you absolutely need. Hint: you will rarely ever need to share with the world.
  • That your shared document only has in it only exactly what you need to share and nothing more.

By going through this exercise each time you work with data, you can virtually eliminate much of the risks associated with handling sensitive information. Doing so will not only help keep the University safe, it will help our students, alumni and employees live and work in a more-secure world. Practicing these tips can work for areas in your personal life as well – being careful where and how to store and share personal information about yourself with financial institutions, doctors and commercial enterprises can greatly reduce the risk of your identity being stolen. Combining these tips above with using strong passwords and knowing how to identify and deal-with fraudulent emails can and will make the Internet a safer, more-secure place for you and Colgate!

css.php