National Cybersecurity Awareness Month wraps up

Protect IT! Final tips for keeping your data safe

It’s essential to take proactive measures to enhance cybersecurity at home, on campus, at work, and when you’re out and about. In previous weeks, we addressed how to best own and secure your personal information. Now, we need to safeguard all of that invaluable data.

 

If You Connect, You Must Protect

Turn on automatic updates, if you can, and protect your devices with antivirus software.

Stay Protected While Connected

Before you connect to any public wireless hotspot – like at an airport, hotel, coffee shop or café – confirm the name of the network and exact login procedures with appropriate staff. Avoid sensitive activities (e.g., banking) that require passwords or credit cards.  If you just can’t avoid it, try to use a VPN (Virtual Private Network) connection, whether it’s provided by your employer or one you pay monthly for yourself.

If You Collect It, Protect It

If you’re involved in collecting data for or about people, it’s important that you treat it with care. It is vital that organizations of all sizes take measures to keep customer/consumer data and information safe.

 

Thanks for reading!  As always, if you ever have a question about any computer or device, please call the Helpdesk at x1047, or email at helpdesk@widener.edu.  If you get a phishing or questionable email, please forward it to phish@widener.edu.

Stay secure during National Cybersecurity Awareness Month

Secure IT! New info for a secure October

It’s true: bad guys are getting better at stealing personal information from unsuspecting victims. But all is not lost; taking a few proactive steps can help to improve your account and device security. Here are the key messages to “Secure IT.”

 

Shake Up Your Passphrase Protocol

Passphrases can be inconvenient, but they’re important if you want to keep your information safe. Here are some simple ways to secure your accounts through better passphrase practices.

  • Make your passphrase a sentence: A strong passphrase is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
  • Unique account, unique passphrase: Having separate passphrases for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passphrases.
  • Write it down and keep it safe: Everyone can forget a passphrase. Keep a list that’s stored in a safe, secure place away from your computer. You can alternatively use a service like a passphrase manager to keep track of your passphrases.

Double Your Login Protection

Enable multi-factor authentication (MFA) to ensure that the only person who has access to your account is you. Use it for email, banking, social media, and any other service that requires logging in. If MFA is an option, enable it by using a trusted mobile device, such as your smartphone, an authenticator app, or a secure token—a small physical device that can hook onto your key ring.  Who’s offering multi-factor?  Check out a list of services here. (link)

Shop Safe Online

  • Conduct research: When using a new website for purchases, read reviews and see if other consumers have had a positive or negative experience with the site.
  • When in doubt, throw it out: Links in emails, posts and texts are often how cybercriminals try to steal your information or infect your devices.
  • Personal information is like money: value it and protect it: When making a purchase online, be alert to the kinds of information being collected to complete the transaction. Make sure you think it is necessary for the vendor to request that information. Remember, you only need to fill out required fields at checkout.
  • Use safe payment options: Credit cards are generally the safest option because they allow buyers to seek a credit from the issuer if the product isn’t delivered or isn’t what was ordered.
  • Protect your $$: When shopping, check to be sure the site is security enabled. Look for web addresses with “https://”, indicating extra measures to help secure your information.

Always Play Hard To Get With Strangers

A malicious email can look just like it comes from a financial institution, an e-commerce site, a government agency – or even Widener University. It often urges you to act quickly, “because your account has been compromised,” “your order cannot be fulfilled” or there is another urgent matter to address. If you are unsure whether an email request is legitimate, try to verify it with these steps:

  • Contact the company directly – using information provided on an account statement, on the company’s official website or on the back of a credit card.
  • Search for the company online – but not with information provided in the email.
  • Pay attention to the website’s URL – Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).
  • Read Between the Lines – Is the message to you, or to “valued customer?”  Are you the only one in the “TO:” line?  These are common red flags for phishing emails.

As always, if you ever have a question about any computer or device, please call the Helpdesk at x1047, or email at helpdesk@widener.edu.  If you get a phishing or questionable email, please forward it to phish@widener.edu.

National Cybersecurity Awareness Month Continues

More tips for National Cybersecurity Awareness Month – Own IT!

Internet-based devices are everywhere in our lives: at home, school, work and on the go. An “always-on” network gives us ways to create, connect, and share, but also presents opportunities for cybersecurity threats that can compromise our most sensitive personal information.

This week we look at some of the ways to help keep us and our information safe. Here are the key messages to “Own IT.”

Never Click and Tell: staying safe on social media

Share With Care – remember that what you post – if you let it – goes to the whole world.

  • What you post can last a lifetime: Before posting online, think about what others might learn about you and who might see it in the future – teachers, parents, colleges and potential employers. Share the best of yourself online.
  • Be aware of what’s being shared: Be aware that when you post a picture or video online, you may also be sharing information about others or personal details about yourself like where you live, go to school or hang out.
  • Post only about others as you would like to have them post about you: The golden rule applies online as well. Ask permission before you tag a friend in a photo.
  • Own your online presence: It’s OK to limit who can see your information and what you share. Learn about and use privacy and security settings on your favorite online games, apps and platforms.

Keep Tabs on Your Apps: best practices for apps on your devices

  • Always lock your phone! If your phone gets lost or stolen, the first line of defense is a good lock.  Whether that’s a few numbers, a swipe pattern, or your fingerprint, always put something between your data and someone trying to get to it – and set it to auto-lock when you put it down.
  • Think twice before you say “OK” if an app wants permission to use personal information (like your location) that it doesn’t need.
  • Pay attention to how much access the app wants – does it want access to your camera?  To your contacts list?  To your file system?  If so, why?  Does a game really need your camera or access to the people you know?  Make sure the app has a good reason for asking.
  • Always use approved app stores for your apps. It’s not perfect, but apps from Apple and Google get checked for scams, viruses, and malware far more than anywhere else.

Update Privacy Settings on your phone and on social

Mobile devices – including smartphones, laptops and wearables – are always within reach everywhere we go, and they share a lot of information about us and our habits.  Check this link out to learn how to update your privacy settings on your phone and on the most popular online services to keep better control of your info: Managing Your Privacy

Our devices are a part of our lives, and it’s up to us to use them safely.  If you ever have a question about any computer or device, please call the Helpdesk at x1047, or email at helpdesk@widener.edu.  If you get a phishing or questionable email, please forward it to phish@widener.edu.

National Cybersecurity Awareness Month Begins

It’s National Cybersecurity Awareness Month again!

Every year, the National Cyber Security Alliance designates the month of October to remind us: STOP. THINK. CONNECT.™  With phishing threats and online scams already in full swing, it’s more important than ever to stay alert and show #cyberpride.  This year, there are three main messages for the month:

  • Own IT.

    • Never Click and Tell: staying safe on social media
    • Update Privacy Settings on your phone and on social
    • Keep Tabs on Your Apps: best practices for apps on your devices
  • Secure IT.

    • Shake Up Your Passphrase Protocol: create strong, unique passphrases
    • Double Your Login Protection: turn on multi-factor authentication
    • Shop Safe Online: making sure your purchases are secure
    • Play Hard To Get With Strangers: how to spot and avoid phish
  • Protect IT.

    • If You Connect, You Must Protect: updating to the latest security software, web browser and operating systems
    • Stay Protected While Connected: Wi-Fi safety
    • If You Collect It, Protect It: keeping personal information safe

 

In the upcoming weeks, we’ll explore each of these further. The bad guys are always changing their tactics, and trying every way they can – phishing emails, ads on websites, even texts on our smartphones – to trick us. Keeping up a layered defense is our best approach.

If you ever have a question about an email, please forward it to phish@widener.edu. You can also call the Helpdesk at x1047, or email at helpdesk@widener.edu. And be sure to follow us on Twitter at @WidenerISO. Happy October, and safe computing!

 

Welcome from Information Security

Welcome (and welcome back) to Widener!

It’s a new academic year, and internet threats are ready and waiting as usual. Students, faculty, and staff are all busy preparing for a great year of learning, but the bad guys are trying to sneak past our guard. Here are some of the old classic threats that are still in use:

  • Impersonation emails that look like they’re from someone on campus (“Are you available?” gift card scams)
  • Random offers of on- or off-campus jobs (especially involving exchanges of gift cards or money orders)
  • PDF files that are nothing but a link, or try to get you to “log in”
  • Office365 document shares that don’t look like Widener emails
  • Warnings or threats about your Widener email account being closed or locked out, or that it “needs to be verified”
  • Voicemails or faxes that are supposedly waiting on you
  • Screen pop-ups that try to get you to click something (even legit ads are dangerous)

Please remember to be very careful with email links, especially from addresses you don’t know. The bad guys can also paste a real name onto a fake email, so take care when using your phone – phones often don’t show the email address. And they love to hit you during your commute.

When an email asks you to click a link, it’s best if you initiate the reply using a fresh start. Contact the person or department the way you’re familiar with, or check on my.widener.edu for the correct campus link.

Any phishing, scam, questionable, or just plain weird emails should be sent to phish@widener.edu. We’ll gladly check whether it’s real or a scam.

Follow our blog here at itsnews.widener.edu – we post on all types of ITS issues. Follow on Twitter at @WidenerISO for security news and current issues. If you ever have a question about email, passwords, viruses, or computer security in general, feel free to call the Information Security Office at ext. 1044, or open a ticket at the HelpDesk (quickticket.widener.edu).

Thanks, and have a great year!

Update Recommended for Chrome Browser

Google recently released an advisory telling users to update their Chrome browser immediately due to a zero-day vulnerability.  The flaw allows a specially-scripted page to read older file data in Chrome’s cache (the quick-read files that browsers store to speed things up).  This could potentially expose personal information such as medical data, banking information, tax returns (’tis the season), and much more.

All that was the bad news – the good news is that Chrome updates itself by default, and it never asks you if you want to turn that off.  Nevertheless, it’s worth a look to see if your Chrome installation has updated.

Users on Windows, Mac and Linux can access Chrome settings by visiting chrome://settings/help and checking to see if the version is up to date.  You can also click on the Customize and Control icon (the three vertical dots in the upper right of the browser) and choose Help > About Google Chrome.  If your browser has 72.0.3626.121 as the version, it is up to date (and will say so). If this isn’t your version, you can manually start a download.

As always, if you need assistance, please contact the Helpdesk at x1047, or open a ticket.

It’s Everyone’s Job to Ensure Online Safety at Work

It takes all of us to keep each other secure.

Photo by Stanley Dai on Unsplash

It’s often said that “people are the weakest link” in cybersecurity. We prefer to think of them as our greatest assets – not only our focus of protection, but also our greatest allies! A lot of phishes and spam that gets past our filters is caught by you. You’ve been forwarding the weird stuff to phish@widener.edu (keep it going!), and we’ve had a lot of success in reducing the number of compromised accounts. So, don’t let up – the bad guys sure aren’t. Every user at Widener is a target, even President Wollman herself. In fact, she’s one of our most eagle-eyed phish catchers!

Last week we spoke about the many scams that are hitting universities, and ours is no exception. Since that post, we’ve had several of the same types of scams come through our systems. We were safe from each due to skeptical and security-aware staff. Nevertheless, the attacks continue, and we expect them to get more targeted and better crafted.

Please be aware that one of the methods used is to build a scam so that you can’t easily verify the sender’s email address on a smartphone. Plus, if the bad guys send it during your commute, it’s even harder to know if it’s legit. Add to that an “URGENT” or a “right now,” and your red flags should go up. We want you to know who the sender really is, but we also want you to drive safely and get here okay. Check that email sender’s address on your PC, laptop, or tablet before replying.

Whether it’s preventing phishes, spam, and malware by a system we’ve put in place, or by the awareness of our user community, keeping Widener University safe is a shared responsibility.

Sometimes the Spam is a Scam

National Cybersecurity Awareness Month continues, and so do the scams.

 

There’s never a lull in email scams here at Widener.  Our community is targeted daily by one or more scams.  Some of them are old classics, and some are brand new.  Here is a list of a few we’ve seen – but even though it’s a short list, we get plenty of them.

Invoices – the bad guys send us “invoices” that are often spoofing or impersonating Widener employees.  The attachments usually have some sort of installer that tries to put malware (probably Ransomware) on the computer.  Sometimes they’re just PDFs with “links” to phishing sites.  So far, our defenses are finding them before they do anything bad (the author here knocks on wood).  Still, it’s best to be aware of any invoice, especially those that don’t refer to anything that’s due. (FTC link about this)

Direct Deposit – we’ve seen several instances of the bad guys impersonating employees to try to get our Payroll and HR groups to change their direct deposit info.  The goal is to catch a payroll or reimbursement deposit and then drain the account before the absence is noticed by the employee. This one is bad because when the money is gone, it’s gone. Since these started, we’ve put controls in place to verify requests. (Lexology link about this)

Dog-Walking/Babysitting/Nanny/Caregiver Offer – This scam involves the offer of a job doing some light care of pets, children, or a loved one. Once responded to, the bad guy begins a scheme where a bad check is deposited, and the victim is directed to pay a third party to buy needed supplies and pay themselves. The third party (the scammer) gets the money before the bank discovers the check is bogus, and the victim is stuck with the shortage. (FTC link about this)

“Sextortion” – The victim gets an email claiming to know their password, and it is often a valid one (usually old). The scammer tells the victim that he/she has been caught looking at porn sites, and will release a pic “from the user’s camera” unless a sum of money is paid. This one really gets to users because the password that the scammer sends is from one of the many breaches that have revealed passwords tied to addresses. It’s a really popular scam – we’ve received dozens here at Widener – but it’s a scam nonetheless. (Forbes link about this)

Gift Cards – In this one, scammers impersonate someone that has a management position, and direct the employee to buy a sum of gift cards, scrape off the back, and provide the verification numbers back to the scammer.  Everyone wants to please their boss, so this one can be a real problem.  The best defense is to get to know your boss, and never use gift cards like this. (FTC link about this)

The goal of the scammer/phisher is to appear legitimate, which makes this difficult.  The better they are, the more people they can fool. Use this to your advantage: if it looks good, but you shouldn’t be getting it, that’s a red flag. Forward any email that’s weird or out of the ordinary to phish@widener.edu.

Make Your Home a Haven for Online Safety

It’s National Cybersecurity Awareness Month again!

https://staysafeonline.org/ncsam/

Since 2004, the National Cyber Security Alliance has designated the month of October to remind us: STOP. THINK. CONNECT.™  ITS posts every week this month with a new theme to keep cybersecurity awareness at the top of mind.

This week’s theme is “Make Your Home a Haven for Online Safety.”  We live in an age where having the internet in your home is a fact of life.  Most of us have learned how to give our home router a strong password.  We are routinely connecting PCs and smartphones, as well as game consoles and tablets.  Many of us have more fully-connected homes with devices such as thermostats, security systems, cameras – even things like refrigerators, door locks, and light bulbs! Keeping these items secure is critical, since each is a small computer, and carries much of the same risk as your other data devices.

It’s also important to remember that, for many students, Widener is their home for most of the year.  ITS maintains many security measures, but keeping out the bad guys also means having a strong password and staying alert for scams and phishing.  Keep in mind that the bad guys hit us when we’re most busy, and for us that’s the start of the semester and finals.

If you ever have a question about an email, feel free to forward it to phish@widener.edu.  You can also call the Helpdesk at x1047, or email at helpdesk@widener.edu. And be sure to follow us on Twitter at @WidenerISO.  Happy October, and safe computing!

Reeling In The Phish

Organizations worldwide are being hammered by phishing email attacks, and Widener is no exception.

In order to help you keep your email communications smooth and secure, we’ve built two new addresses to report emails that you think may be suspicious:

  • phish (at) widener.edu
  • phishing (at) widener.edu

(replace (at) with the @ symbol appropriately; this is an anti-spam measure)

Both addresses lead to the same place; once we get your forwarded email, we’ll take a look, pull out the relevant info, block what we can, then let everyone that received the email know it’s a phish.

We have a lot of tools to help minimize the impact of phishing, and the earlier we can use them, the smaller the population that is affected.  Also, please remember that “false positives” are a part of the process – if it’s a legit email, we’ll let you know, too.  If it feels like a red flag kind of email, forward it along, and we’ll take a look.  You’ll probably help a lot of folks have a much easier day.

With that said, a big THANK YOU to the many that have forwarded phishing emails to us.  You’ve helped immeasurably – please keep up the good work!