Welcome to Hawkland Security

This is the first post for “Hawkland Security”, the security newsletter of SUNY New Paltz’s Computer Services Department. This newsletter is where we keep Faculty, Staff, and Students of the college informed about timely and ongoing online threats. Our goal is to make you aware not just of specific threats, but of how you can recognize these threats in the future.

Being cautious online not only helps protect your own identity and computer, but the college and its sensitive data as well. It’s the obligation of everyone to be cautious when online, especially if you are someone who has access to sensitive data.

To suggest topics for future issues, email me at: chauvetp@newpaltz.edu

- Paul Chauvet, Computer Services

Preventing Spyware & Malware on your computer

If you follow a few safety guidelines, it’s really not difficult to protect your computer from getting infected with viruses, spyware, and other malware. It’s equal parts technical protections and common sense.

  1. Keep your software updated. It’s extremely important to have your computer’s software up-to-date. This is especially true for the following (which are the most common vectors for virus infection):
    1. Operating system updates (Windows Updates and any Apple updates)
    2. Updates to Adobe Flash & Adobe PDF
    3. Updates to Java (note: when Java updates, if you don’t specifically uncheck a box during the install, it will want to install a ‘toolbar’ which you don’t need. Make sure to uncheck any unneeded extras that are offered when updating.)
    4. Updates to your web browser. Recent versions of Firefox, and all versions of Google Chrome, automatically update to the latest version. Note: Internet Explorer 9 is still not certified with Banner. If you use Banner in your office, don’t update to Internet Explorer 9.
  2. Be cautious about what you are downloading online. Don’t pollute your computer with toolbars, screensavers, cool mouse cursors, etc. Don’t download games to your work computer.
  3. When downloading something, ask yourself if you need it (and if you’re at work, ask yourself if it’s appropriate for your work computer).
  4. Don’t believe warnings about viruses on your computer unless they come from the anti-virus software that you actually have on your computer. A common tactic of criminals is to place fraudulent warnings about viruses (either as ads or pop-up ads) on websites. Legitimate anti-virus messages will come from Symantec for campus computers and will come from whatever anti-virus you have installed on your home computer.

For extra protection, consider using Mozilla Firefox or Google Chrome with an Ad Blocking plugin for your web browsing whenever possible.  You’ll have to continue using Internet Explorer for Argos and Banner for now at least.

Ad Block Plus is available for Mozilla Firefox and Google Chrome at: http://adblockplus.org

Identifying illegitimate links

One of the major ways that security issues happen is when people click on links in email that they think are safe and legitimate, but which are in fact fraudulent. Before getting started on how to recognize these, I’m including some links below. I’ve made all except the last non-clickable since some of them are fake. Which of the following are real and which are fake? Look at each one carefully and guess.

  1. www.newpaltz.wordpress.com/login
  2. www3.newpaltz.edu/class-rosters
  3. www.webforms.com/newpaltz
  4. docs.google.com/spreadsheet/viewform?formkey=43jkl24jkl34j23kl
  5. zmail.newpaltz.com
  6. blackboard.newpaltz.edu

  1. Fake: when looking at a web address, separate the address into two parts. The first is the ‘domain name’ which is to the left of the first forward slash (/). In this case, that would be www.newpaltz.wordpress.com. This site has newpaltz in the name, but is really a ‘subdomain’ of wordpress.com. That is not legitimate, but it is a common tactic by criminals: put some portion of the ‘target’ in the subdomain to make it look real.
  2. Real: The portion before the first / is a newpaltz.edu site.  This is legitimate even though it mentions www3 instead of www.
  3. Fake: The address after the slash is chosen to make it look like it belongs to SUNY New Paltz but it is an external site.
  4. Uncertain but potentially dangerous: This is a Google Docs link. If you go to this site and just see a document, it’s safe. If you go to this link and it asks you to login, then you should be extremely suspicious. There are some RARE circumstances where you do need to login to see a Google doc, but you would almost certainly be expecting these (i.e. it’s coming from a student or classmate who is sharing a document with you).
  5. Fake: We’re newpaltz.edu, not newpaltz.com.
  6. Fake: The link ‘text’ is blackboard.newpaltz.edu but if you highlight the link with your cursor, you’ll see that it’s not bringing you to Blackboard but to an alternate site (scamsite.com – but the destination may not look that obviously suspicious).
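
The same checks can be run in code. The following is an added example, not part of the original newsletter: it pulls out the part of each quiz address before the first slash, tests whether that host really belongs to newpaltz.edu, and compares a link’s visible text with its real destination. The helper names and the sample email body are assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = "newpaltz.edu"  # the college's real domain, per the answers above

def host_of(address):
    """Return the hostname: the part before the first '/' (scheme, port dropped)."""
    url = address if "://" in address else "http://" + address  # bare address
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_campus_host(address, trusted=TRUSTED):
    """True only if the host is the trusted domain or ends with '.' + trusted."""
    host = host_of(address)
    return host == trusted or host.endswith("." + trusted)

class LinkAudit(HTMLParser):
    """Collect (visible text, real destination) for each <a href> in an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def mismatched_links(html):
    """Return links whose visible text names one host while the href goes to another."""
    audit = LinkAudit()
    audit.feed(html)
    return [(text, href) for text, href in audit.links
            if "." in text and " " not in text and host_of(text) != host_of(href)]

# The post's six quiz addresses, then a constructed sample email body (paths made up).
QUIZ = ["www.newpaltz.wordpress.com/login", "www3.newpaltz.edu/class-rosters",
        "www.webforms.com/newpaltz",
        "docs.google.com/spreadsheet/viewform?formkey=43jkl24jkl34j23kl",
        "zmail.newpaltz.com", "blackboard.newpaltz.edu"]
SAMPLE_EMAIL = ('<a href="http://scamsite.com/login">blackboard.newpaltz.edu</a> '
                '<a href="https://www3.newpaltz.edu/class-rosters">www3.newpaltz.edu</a>')

if __name__ == "__main__":
    for address in QUIZ:
        print(f"{host_of(address):32} campus host: {is_campus_host(address)}")
    print("text/destination mismatch:", mismatched_links(SAMPLE_EMAIL))
```

Address 6 passes the host check when read as text; only the comparison against the real destination exposes it. The Google Docs address is reported as a non-campus host, which matches the "uncertain" answer: the check says where a link goes, not whether the page behind it is safe.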

For more examples, we highly recommend taking these two online quizzes. Take them and see how you do. For those you get wrong, look carefully at what caught you.

http://www.opendns.com/phishing-quiz/

http://www.washingtonpost.com/wp-srv/technology/articles/phishingtest.html

Phishing – what, how and why

By now, most people have seen at least one phishing email.  The campus was hit with a few very widespread mailings earlier in the Fall 2012 semester.  We’re going to cover what Phishing is, why it is used by criminals, and most importantly how to recognize it when you see it.

What is Phishing?

The term is a portmanteau of phreaking and fishing. The term is used to describe methods where a user is baited into getting hooked by a scam. The actual bait used can be a promise of reward (click here to win!) but is more commonly a warning or threat. This includes phrases such as “click here to validate your account within 48 hours or your email will be shutdown”, or “we’ve seen suspicious activity on your account, reply back with your username and account number to prevent your credit card from being closed”.

What is their purpose?

It depends on what kind of email you are receiving and what the immediate goal of the scammer is, but the end goal is always financial gain for the criminals involved.  There are two primary types of Phishing emails that I’m going to call primary and secondary phishing.

Primary phishing is when the criminals are looking for the information which will net them actual financial gain. This is usually credit card numbers, bank account numbers, usernames & passwords for banks, PayPal, or ecommerce sites, etc. When users provide this information to the criminals, funds are pulled from these accounts (often within minutes). These scams are much harder to get through spam filters, especially when sent from random free email accounts like AOL or Hotmail.

Secondary phishing is when the criminals are looking to obtain usernames & passwords for email accounts, especially at ‘trusted’ email providers like businesses or colleges.  These emails try to get you to think something will happen to your email account if you don’t comply.  They may not even try that and will just have an email with a link (and the link asks you for your username & password).  When the scammers have the usernames & passwords for accounts at trusted providers such as SUNY New Paltz, they are then free to send their fraudulent emails for financial gain (Primary Phishing) to addresses across the Internet, with more likelihood that they will be allowed through spam filters.

How to recognize phishing

  • Be cautious about clicking on links in emails, and be doubly cautious if you have clicked a link and it brought you to a page that requires you to login.
  • Don’t be fooled by names alone.  For more sophisticated phishing attacks, the criminals will take the time to study their targets.  They may put the name of someone you know in the email to make it look more trustworthy.
  • Think about what you are being asked to do.  If the sender is legitimate, do they really need what they are asking?  For example, a common tactic is for scammers to ask you to validate your account by logging in.  If you’ve received their email (and you already have to login to access your email) then what is the point of this supposed validation?
  • Phishing doesn’t just happen over email. It can be over the phone as well. If someone calls saying they are from your bank (especially when they don’t even mention the NAME of the bank), then don’t verify who you are to them; they called you. Ask them to verify who they are. If in doubt, hang up and call the business or institution directly (through a number on your statement/card/etc.).

Keep Work and Personal email Separate

As we have advised in the past, it is a good practice to have separate accounts for work and personal email. In this age of e-discovery, this is becoming even more important.

It has always been a best practice to have a campus Zimbra account to use for work email and calendar. For those of us who started using “newpaltz.edu” years ago, we may have had a mixture of personal and College emails going to that account. In addition, a few of us may not want to “bother” checking two accounts, and so we forward all of our “newpaltz.edu” email to our Google or Hotmail account and read and respond to work correspondence from there. This is not a good practice. Security may well be different on your personal email account and it is best to have potentially private correspondence about staff and students in a more secure place. Also important, we are in the age of e-discovery where electronic correspondence may well need to be archived and potentially reviewed subject to a court order for cases pending against the University. If you have a mixture of College and personal emails going to a single account, everything co-mingled in that account may be scanned subject to the court order. This unintended and undesirable consequence is easily avoided by having a “work” email account which is used somewhat strictly just for College business.

If you’ve been keeping things together for a long time (and having personal mail sent to your New Paltz email), now is a good time to start weaning yourself off this. Set up a personal email (if you don’t have one, we recommend Gmail) and start having your friends and personal contacts use that address instead of your New Paltz account. It’s not something you have to cut over all in one day (and doing so gradually will make the process easier). Aside from that, it’s nice to be able to check your personal email at home & on vacation without seeing your work email hanging over you!