Information Security Tips Archive
Don't Fall Victim to PHISHing! (August, 2011)
Welcome to a new semester at ESU! The start of a new school year brings many e-mail hoaxes and PHISHing attempts. At ESU, there are e-mail quotas in place - meaning you have limited storage space for your e-mailbox. When you are near or over your e-mail quota, you will receive a pop up message to that effect when you log in to GroupWise. No one at ESU will ever send you an e-mail and ask you to send your user name, password or other information to validate your mailbox so that your e-mail account stays active. E-mail messages you receive stating your e-mail account is in danger of being shut down are called HOAX e-mails. Sometimes a message also states you must click on a link or reply to the message and provide your user name, password, or other information. These are known as PHISHing e-mails. DO NOT SHARE YOUR PASSWORD WITH ANYONE. Providing your password to someone allows them to access YOUR information.
When TCS becomes aware of HOAX or PHISHing e-mail, an alert is posted on the Information Security Alerts channel in Buzz In, under the Technology Resources tab. If you receive an e-mail and do not know if it is legitimate, check there first; contact the HelpDesk second. The HelpDesk can be reached via phone (extension 5555), e-mail (firstname.lastname@example.org) or in person at Butcher Education Center during the weekday or White Library in the evenings and on weekends. For more details about the HelpDesk, visit Techsite http://techsite.emporia.edu.
Remember: Keep your information safe. Do not respond to e-mail asking for your information or password!
Password policy change (November, 2009)
On October 13, 2009, the Emporia State University Password Policy was amended. The amended policy is published on page 185 of the University Policy Manual. Starting Tuesday, December 8, the new password policy will be enforced. This means the next time you are prompted to change your password, it will need to meet the criteria of the new password policy: it must be at least 8 characters in length, use 3 of 4 character sets (i.e., uppercase letters, lowercase letters, numbers, special characters), and must not be reused within a 12 month period. You will continue to need to change your password every 180 days.
Things to do for the end of the semester (December, 2009)
Here are some things you should consider doing to help protect your information and your computing equipment during the Christmas break:
- Apply any software updates the computer has prompted
- Run a Symantec AntiVirus scan
- Clear out your Internet cache directory and cookies (instructions)
- Empty the recycle or trash bin on your desktop
- Take care if you apply a GroupWise vacation rule to automatically reply. Configure it to not reply to any messages sent to your account from a listserv (a server you subscribe to for email)
- When leaving for break, power off your printer. If it's not necessary to remote to your computer, power off your computer.
When checking your e-mail from https://gwweb.emporia.edu, be alert and do not reply to hoax e-mails asking for your username and password. If you question whether an e-mail is legitimate, contact the TCS HelpDesk (341.5555).
Browser History and Online Payments (November, 2009)
By default, most browsers save the history information from the web sites visited. Not only is the history of visited sites kept; temporary files are also downloaded and stored in temporary Internet cache directories to help bring up the web sites you visit most often faster. In addition, some web sites track your visit by storing “cookies,” or your account information, for those web sites. Many browsers also allow you to store your passwords for quick access to web sites that require them.
You should never let your browser store passwords to websites. In addition, you should regularly clear the browser’s temporary Internet cache directories and cookies. Not sure how? Get the instructions for clearing these browser settings for Safari, Internet Explorer, and Firefox.
Be Aware of Online Payments
Whether you are purchasing supplies, purchasing books, or paying fees online, you must be sure to protect your payment card information. When accessing a website which asks for your credit or debit card information for payment, make sure the website is protected by looking for the padlock either in the address bar (for Internet Explorer) or in the lower right hand corner of the page (for Firefox). If you enter your payment card information on a website that does not use this type of security, you will be sending your information “in the clear.” It would be like putting your payment card information on a post card and sending it through postal mail. Anyone could see it if they wanted to. Here's another tip: to help keep straight what you have purchased, consider making a print screen of your purchases or printing a copy of the payment page. This way you will have proof of your purchase. If you receive a payment notification email, you'll be able to determine if the email is a hoax or not.
Security Awareness Month (October, 2009)
October is Cyber Security Awareness Month. This is a good time to make sure you have up-to-date antivirus software, scan for spyware, make sure you have the latest software patches installed on your system, and clean up old files and old e-mail.
Watch out for those HOAX e-mails! Hoax e-mails are e-mails sent to tempt you into sending your usernames, passwords or personal information, or to get you to reply to verify your account is valid. Hoax e-mails cover things like asking you to verify your account settings, verify your identity, send money to unknown/unauthorized entities, warn you about fake viruses, send fake photos or just about anything else. There are several valid entities which research and report on hoax e-mail. TCS WILL NOT ask you to verify your account by replying with your username, password or personal information. When you receive an e-mail asking you to verify your account, whether it’s a web user account, an e-mail account, or a network access account, do NOT reply. If you need to verify the e-mail was sent by TCS, contact the TCS HelpDesk by calling extension 5555 on campus, off-campus at 341.5555, or toll free at 877.341.5555.
Cleaning Files? Protect Information! (September, 2009)
It’s the start of a new semester and many times, the start of new file folders in file cabinets or on office computers. And for some of us, cleaning up the old files. Remember, just because the information is old does NOT mean it is okay to toss the files in the trash can. If you are cleaning out old paper files – you MUST check documents for protected information. There are many regulations and industry standards which have to be followed regarding storage, timeliness of keeping information and proper disposal of information. It is difficult to stay on top of all of the requirements, but a good rule is if the documents are no longer needed or required to be stored and the documents include sensitive information, the documents should be shredded. Do you have old floppy disks or CDs storing sensitive information which are no longer needed or required? Shred this media as well. When you delete files from your Windows XP or Mac OS computer, the files remain in your Recycle Bin or Trash. You still have to empty the Recycle Bin and Trash—make sure you do so.
In regards to proper disposal and reuse of computers, TCS takes precautions when computers are destined for the compound to securely and properly dispose of hard drives to help protect information. When computers are to be passed from one faculty or staff member to another, contact the TCS HelpDesk so the computer can be set up for the new user (and old data can be removed from the computer to protect the previous user). These simple steps help keep ESU’s student, employee and business information safe.
Peer to Peer File Sharing (August, 2009)
Emporia State University’s security policies are in place to help not only protect ESU’s information, but to set standards on acceptable computing using ESU’s Internet access. ESU’s Digital Millennium Copyright Act (DMCA) policy states “..users of Internet services and equipment provided by ESU are responsible for their compliance with all copyright laws pertaining to information they place on or retrieve from the Internet.” ESU’s DMCA policy references unauthorized distribution of copyrighted material, including music, movies, games and software distributed from a computer using peer-to-peer applications. Distributing copyrighted works without explicit permission from the copyright owner is considered theft and is a violation of ESU policy and Federal copyright law.
Many do not know they are distributing copyrighted works; most people think they are just downloading their favorite song, game or movie. Be careful using peer-to-peer file sharing applications.
Updated lately? (July, 2009)
Is your system software set up to get automatic software updates? If so, do you install the updates and reboot as necessary? Software updates are generally released to fix security holes known as exploits. Other times, they enable new features in software. For all ESU-owned Windows-based computers, Windows Updates are "pushed" to the computers. The user simply needs to click on the GOLD SHIELD in the lower right hand corner of their desktop (in the system tray area of the desktop) and select INSTALL UPDATES. After updates are installed, you might need to reboot the Windows computer. DO SO IMMEDIATELY. Until the reboot is done, the updates are not applied.
For Macintosh-based systems, system software updates can be checked through the Apple Menu by selecting the Software Update menu item. In addition, many other software applications automatically check for updates periodically (e.g., Java, Adobe). Watch for messages to update the software and follow the instructions given for downloading and installing the updates.
Protect your information by updating system software to keep malware from installing!
To E-mail or Not To E-mail (June, 2009)
E-mail is becoming the standard of sending files to someone who needs access to the information you have. However, take care before sending that file by asking yourself a few questions.
- First, what type of information is in the file? Is the receiver authorized to see the information? If not, you should rethink sending the e-mail attachment to them.
- Second, is the information in the file protected information? If it is, is the e-mail being sent and read securely? When e-mail leaves the ESU system, it may no longer be secure. Secure transmission can be acquired by using digital e-mail certificates; much like certified postal mail, these certificates verify the delivery is secure. However, it is more difficult to verify the receiver is actually the person who opened the e-mail. There are other systems which allow you to login to a secure server and drop off and pick up messages and files. This does not allow for secure transmission, but verifies the authentication of the person picking up the message.
- Finally, does the file need to be sent via e-mail? If it is being shared within ESU, is there a place on a network share where the file can be stored and retrieved securely?
There are many more challenges to securing digital information than hard copy information alone. Think before you hit the SEND button to protect your information!
Is Your Data Safe? (May, 2009)
Keeping your information safe starts with keeping your computer system free from Spyware and safe from thieves, while deleting information no longer needed on your system. Besides using anti-virus software, keeping your software up to date and using strong passwords, users should dispose of data in a timely manner. It’s easy to store information on your computer and forget you have it. Periodically, go through your documents and delete what no longer is needed. And don’t forget that when you delete items, you need to empty your recycle bin or trash bin. Frequently scan your computer for spyware. Consider using a firewall to protect your system (Windows XP and Vista systems have software firewalls which can be enabled). In addition, be careful installing extra software. For instance, when installing a Java update, many times there are options listed to download and install additional software or utilities. Do not always assume it is OK to install that extra software. There could be hidden risks, even if the software is legitimate. Bottom line: if you don’t need it, don’t install it.
Peer to Peer File Sharing (April, 2009)
Emporia State University’s security policies are in place to help protect not only ESU’s information, but to set standards on acceptable computing using ESU’s Internet access. ESU’s Digital Millennium Copyright Act (DMCA) policy states “..users of Internet services and equipment provided by ESU are responsible for their compliance with all copyright laws pertaining to information they place on or retrieve from the Internet.” ESU’s DMCA policy references unauthorized distribution of copyrighted material, including music, movies, games and software distributed from a computer using peer-to-peer applications. Distributing copyrighted works without explicit permission from the copyright owner is considered theft and is a violation of ESU policy and Federal copyright law.
Don't be a Victim! (March, 2009)
We have all seen at least one e-mail using phishing to try to gain access to personal information. As we become more and more vigilant verifying e-mail, the bogus e-mailers get more and more sophisticated; the messages look more and more like authentic e-mail. Here are some tricks to use when trying to determine if e-mail is authentic:
First, always check the sender's e-mail address. Does it match the type of information being displayed in the e-mail?
Second, there is NO REASON for a bank or other type of financial institution to verify your information via e-mail. In addition, TCS will NEVER ask you to verify your account or do anything to your account by asking you for your PASSWORD. NEVER RESPOND TO ANY E-MAIL ASKING FOR YOUR PASSWORD. If you are wondering if the e-mail is authentic, CALL THE ENTITY claiming to send the e-mail.
TCS has become more vigilant about notifying users of issues through either the HelpDesk e-mail account (email@example.com) or individually by a member of the TCS department.
Lastly, always be suspicious of clicking on a link supplied in an e-mail asking you to verify your account information. There are numerous e-mail hoaxes coming into mailboxes daily. Don't be a victim. Always check it out.
Watch out for SPAM (February, 2009)
ESU employs an e-mail device to help stop SPAM or e-mails with viruses. However, at the rate that new types of SPAM and viruses are being created, the device is unable to catch all unwanted or malicious e-mail.
You must be diligent as well. First, you should NEVER respond to an e-mail asking for your logon information or any personal information. The TCS HelpDesk will not ask you to verify your password through e-mail. Banks are unable to ask you to verify information via e-mail. If you are unsure if the e-mail you received is legitimate, contact the sender via phone. Be careful clicking on links included in an e-mail. Sometimes the link in the e-mail looks legitimate, but it may actually connect to a malicious web site designed to download and install unwanted controls or software. If you are not expecting an attachment from someone, do not open it until you can verify from the sender that it's a legitimate, safe attachment. Compare e-mail to a strange box arriving on your doorstep. Would you open the box without another thought, or would you take a moment to make sure the box is safe? E-mail attachments and URL links need to be considered the same way.
Cleaning out Old Files (January, 2009)
The start of a new year is a good time to think about all those files you store on your computer. Are you keeping old files you no longer need to keep on your computer? It's easy to forget what files you keep on your home computer. Did you once keep track of all your passwords for all the different web sites in a Word file? You should consider not storing that information on your computer. What if a new virus or exploit has unknowingly opened up your computer to those electronic thieves? Do you have old tax returns stored on your computer? Do you need to keep them? If so, can you back them up to CD and remove them from your hard drive? For those of you with office computers and network storage (also known as i: drive), do you need to keep all those files stored on disk, or can you burn them to DVD or CD for archiving purposes? Take the time to clear out the clutter from your computer storage.
Online Shopping Tip (December, 2008)
Online shopping is an easy way to do your holiday shopping, but beware! When shopping online, make sure the web site you are connected to is a secure site; look for the padlock in the browser status bar at the bottom. Make sure you are shopping from a well known "store." Be careful giving out your personal information and credit card number. Take the time and read the fine print.
This time of year also brings out the scams. A popular one is an e-mail disguised as coming from Fed Ex or UPS, asking you to click on a link because they need to verify information regarding a package being delivered to you. Go directly to the shipping vendor's web site. Visit FedEx or UPS directly. Both of these sites have ways for you to track a package if you sent it. The sender will be responsible for the information for the delivery of the package.
Another e-mail scam is picking up digital cards or e-greetings. Always be careful clicking on links in an e-mail, because it could be a malicious site trying to install malicious software on your computer without your knowledge.
Remember: Keep your information safe. Do not respond to e-mail asking for your information or password!
Antivirus Software (November, 2008)
Do you update your antivirus software? You should. TCS installs the antivirus software Sophos on all ESU-owned computers. TCS maintains the updates for Sophos, and each ESU computer pulls those updates when it is connected to the Internet. However, if you use your own computer/laptop to access the ESU wireless network, you are responsible for purchasing/installing and keeping your antivirus software up to date. TCS does what it can to stop viruses from reaching your e-mail account and the ESU-owned computer you use, but to protect your information and your personal computers, you need to take an active role.
Remember: Keep your information safe. Do not respond to e-mail asking for your information or password!
National CyberSecurity Awareness Month! (October, 2008)
October is National CyberSecurity Awareness Month and ESU is having Security Awareness Days each Wednesday in October. From 11 am until 1 pm at the TCS Kiosk in the Memorial Union, there will be information, games, prizes and treats available for the ESU community. Stop by and pick up some tips and tricks regarding fighting phishing, viruses and spyware. Stop by and pick up a treat of candy or popcorn. Stop by and enter to win a drawing for a weekly prize. Watch Buzz In for announcements and tips each week on how to protect your information and your computer.
What is the deal with the gold shield in the bottom right hand corner of my Windows screen? The first Tuesday of each month (and whenever there is a major exploit discovered), Microsoft releases patches to the Windows software. These patches are pieces of program code which will help the computer's Windows system be more secure. For all ESU-owned computers, patches will be downloaded automatically — but you must apply those patches. When Windows is downloading or ready to install the patches, the gold shield will be displayed in the lower right hand corner of your screen. Click on the shield and select INSTALL. For some patches, you will need to reboot your Windows computer — go ahead and do it. These patches are necessary to install, but won't be applied until you reboot the computer.
Do you have an Apple iBook or Mac desktop computer or a personal Windows computer? Download updated software manually. For Windows, click start, All Programs, Windows Update and follow the prompts. For Mac and iBook computers, click on the Apple, select Software Update and follow the prompts.
Remember: Keep your information safe. Do not respond to emails asking for your information or password!
Good Email Practices (September, 2008)
Over the last few years, there have been many attempts to obtain people's identity through email hoaxes using a technique named phishing. It was easier to suspect those emails because there would be misspelled words, phrases which did not make sense or the email did not look legitimate. However, those email phishing attempts continue to look more and more legitimate and have lured unsuspecting people to give usernames, passwords, and personal information such as social security numbers to match those with public information like a birth date and address. Always be suspicious of any email which has a message asking for any of this type of information.
The ESU HelpDesk has been instructed to not ask for passwords and social security numbers. ESU does not ask you to verify information to keep your account active. Banks do not ask you to verify your information via email. Think about who might be at the other end of the email, regardless of their email address. Think about why they would need the information. Question them. If you know (or think you know) who is asking, call them and ask them why they need this information.
By the way, think before clicking on a URL or opening an attachment. Were you expecting the attachment? Where does the link in the email really go? Is it a safe site or a site filled with malicious code to install unwanted spyware or Trojan software? Keep your information safe.
Start good email practices today: Do not respond to the "Update Your emporia.edu Email Account To Avoid Closure" e-mail. Delete it!
Sharing Your Password (August, 2008)
When you share your password with someone else for whatever reason, you have just given the person the capability to look at your personal information, to use your account to send unauthorized email from your account, to change YOUR information or submit a discussion item in your Blackboard course.
Do not share your password. If you have shared your password, change it immediately in Buzz In (after logging into Buzz In, scroll to the bottom and select PASSWORD MANAGEMENT).
Remember: protect your information through protecting your authentication.
E-MAIL Hoax Alert (July, 2008)
A new e-mail has made its way onto campus, and you need to be aware that it is NOT a valid e-mail. It shows the sender to be EMPORIA HELP DESK. The subject is Dear emporia.edu User (Verify Your Account) and the body of the message asks for your USERNAME and PASSWORD, while asking you to verify your email address at https://buzzin.emporia.edu. This email is a PHISHING email. DO NOT REPLY. The email address is actually an account at GMAIL, NOT the TCS HelpDesk. Someone is trying to gain access to your account. Please delete the email.
If you already replied to the email, thinking it was valid, change your password IMMEDIATELY and contact Cheryl O'Dell.
For future reference, the TCS HelpDesk will NOT ask you to verify your username AND password via email. Also, the HelpDesk email account will show FROM as firstname.lastname@example.org.
Be on the alert always when an e-mail arrives asking you to verify your account. Contact the HelpDesk (extension 5555, locally at 341.5555, or toll free at 877.341.5555), or contact me directly to ask if an email is valid.