Update Recommended for Chrome Browser

Google recently released an advisory telling users to update their Chrome browser immediately due to a zero-day vulnerability.  The flaw allows a specially-scripted page to read older file data in Chrome’s cache (the quick-read files that browsers store to speed things up).  This could potentially expose personal information such as medical data, banking information, tax returns (’tis the season), and much more.

All that was the bad news – the good news is that Chrome updates itself by default, and it never asks you if you want to turn that off.  Nevertheless, it’s worth a look to see if your Chrome installation has updated.

Users on Windows, Mac and Linux can access Chrome settings by visiting chrome://settings/help and checking to see if the version is up to date.  You can also click on the Customize and Control icon (the three vertical dots in the upper right of the browser) and choose Help > About Google Chrome.  If your browser has 72.0.3626.121 as the version, it is up to date (and will say so). If this isn’t your version, you can manually start a download.

As always, if you need assistance, please contact the Helpdesk at x1047, or open a ticket.

It’s Everyone’s Job to Ensure Online Safety at Work

It takes all of us to keep each other secure.

Photo by Stanley Dai on UnsplashIt’s often said that “people are the weakest link” in cybersecurity. We prefer to think of them as our greatest assets – not only our focus of protection, but also our greatest allies! A lot of phishes and spam that gets past our filters is caught by you. You’ve been forwarding the weird stuff to phish@widener.edu (keep it going!), and we’ve had a lot of success in reducing the number of compromised accounts. So, don’t let up – the bad guys sure aren’t. Every user at Widener is a target, even President Wollman herself. In fact, she’s one of our most eagle-eyed phish catchers!

Last week we spoke about the many scams that are hitting universities, and ours is no exception. Since that post, we’ve had several of the same types of scams come through our systems. We were safe from each due to skeptical and security-aware staff. Nevertheless, the attacks continue, and we expect them to get more targeted and better crafted.

Please be aware that one of the methods used is to build a scam so that you can’t easily verify the sender’s email address on a smartphone. Plus, if the bad guys send it during your commute, it’s even harder to know if it’s legit. Add to that an “URGENT” or a “right now,” and your red flags should go up. We want you to know who the sender really is, but we also want you to drive safely and get here okay. Check that email sender’s address on your PC, laptop, or tablet before replying.

Whether it’s preventing phishes, spam, and malware by a system we’ve put in place, or by the awareness of our user community, keeping Widener University safe is a shared responsibility.

Sometimes the Spam is a Scam

National Cybersecurity Awareness Month continues, and so do the scams.

 

There’s never a lull in email scams here at Widener.  Our community is targeted daily by one or more scams.  Some of them are old classics, and some are brand new.  Here is a list of a few we’ve seen – but even though it’s a short list, we get plenty of them.

Invoices – the bad guys send us “invoices” that are often spoofing or impersonating Widener employees.  The attachments usually have some sort of installer that tries to put malware (probably Ransomware) on the computer.  Sometimes they’re just PDFs with “links” to phishing sites.  So far, our defenses are finding them before they do anything bad (the author here knocks on wood).  Still, it’s best to be aware of any invoice, especially those that don’t refer to anything that’s due. (FTC link about this)

Direct Deposit – we’ve seen several instances of the bad guys impersonating employees to try to get our Payroll and HR groups to change their direct deposit info.  The goal is to catch a payroll or reimbursement deposit and then drain the account before the absence is noticed by the employee. This one is bad because when the money is gone, it’s gone. Since these started, we’ve put controls in place to verify requests. (Lexology link about this)

Dog-Walking/Babysitting/Nanny/Caregiver Offer – This scam involves the offer of a job doing some light care of pets, children, or a loved one.  Once responded to, the bad guy begins a scheme where a bad check is deposited, and the victim is directed to pay a third party to buy needed supplies and pay themselves.  The third party (the scammer) gets the money before the bank discovers the check is bogus, and victim is stuck with the shortage. (FTC link about this)

Sextortion” – The victim gets an email claiming to know their password, and it is often a valid one (usually old).  The scammer tells the victim that he/she has been caught looking at porn sites, and will release a pic “from the user’s camera” unless a sum of money is paid.  This one really gets to users because the password that the scammer sends is from one of the many breaches that have revealed passwords tied to addresses.  It’s a really popular scam – we’ve received dozens here at Widener – but it’s a scam nonetheless. (Forbes link about this)

Gift Cards – In this one, scammers impersonate someone that has a management position, and direct the employee to buy a sum of gift cards, scrape off the back, and provide the verification numbers back to the scammer.  Everyone wants to please their boss, so this one can be a real problem.  The best defense is to get to know your boss, and never use gift cards like this. (FTC link about this)

The goal of the scammer/phisher is to appear legitimate, which makes this difficult.  The better they are, the more people they can fool. Use this to your advantage: if it looks good, but you shouldn’t be getting it, that’s a red flag. Forward any email that’s weird or out of the ordinary to phish@widener.edu.

Make Your Home a Haven for Online Safety

It’s National Cybersecurity Awareness Month again!

https://staysafeonline.org/ncsam/

Since 2004, the National Cyber Security Alliance has designated the month of October to remind us: STOP. THINK. CONNECT.™  ITS posts every week this month with a new theme to keep cybersecurity awareness at the top of mind.

This week’s theme is “Make Your Home a Haven for Online Safety.”  We live in an age where having the internet in your home is a fact of life.  Most of us have learned how to give our home router a strong password.  We are routinely connecting PCs and smartphones, as well as game consoles and tablets.  Many of us have more fully-connected homes with devices such as thermostats, security systems, cameras – even things like refrigerators, door locks, and light bulbs! Keeping these items secure is critical, since each is a small computer, and carries much of the same risk as your other data devices.

It’s also important to remember that, for many students, Widener is their home for most of the year.  ITS maintains many security measures, but keeping out the bad guys also means having a strong password and staying alert for scams and phishing.  Keep in mind that the bad guys hit us when we’re most busy, and for us that’s the start of the semester and finals.

If you ever have a question about an email, feel free to forward it to phish@widener.edu.  You can also call the Helpdesk at x1047, or email at helpdesk@widener.edu. And be sure to follow us on Twitter at @WidenerISO.  Happy October, and safe computing!

Reeling In The Phish

Organizations worldwide are being hammered by phishing email attacks, and Widener is no exception.

In order to help you keep your email communications smooth and secure, we’ve built two new addresses to report emails that you think may be suspicious:

  • phish (at) widener.edu
  • phishing (at) widener.edu

(replace (at) with the @ symbol appropriately; this is an anti-spam measure)

Both the addresses lead to the same place; once we get your forwarded email, we’ll take a look, pull out the relevant info, block what we can, then let everyone that received the email know it’s a phish.

We have a lot of tools to help minimize the impact of phishing, and the earlier we can use them, the smaller the population that is affected.  Also, please remember that “false positives” are a part of the process – if it’s a legit email, we’ll let you know, too.  If it feels like a red flag kind of email, forward it along, and we’ll take a look.  You’ll probably help a lot of folks have a much easier day.

With that said, a big THANK YOU to the many that have forwarded phishing emails to us.  You’ve helped immeasurably – please keep up the good work!

 

 

Meltdown and Spectre

The computing industry has just publicly announced two major vulnerabilities affecting virtually every computer.

The vulnerabilities are being called Meltdown and Spectre, and they are very significant issues. They will require immediate and ongoing attention to secure your computing environment. While Widener ITS is working hard to address the issues with University equipment, everyone that has a personal computer, tablet, or smartphone needs to check with their manufacturer/carrier to find out what updates are available.

For your computer, you’ll first need to update your OS, likely either Windows or Apple (but other OS’s are vulnerable, too). Follow your standard method of patching (Windows Update or Apple AppStore Updates). NOTE FOR MAC USERS: we’re still asking you to avoid updating to High Sierra (version 10.13), so please look for the “Update All” button.

For your IOS device (iPad, iPod Touch, iPhone) you’ll go into Settings > General > Software Update. The AppStore will likely alert you, too.

For Android, this can vary, but should be found in Settings > System Updates. Android is usually good about putting updates in front of users quickly.

Browsers – every major browser (Chrome, Firefox, IE, Safari, and others) is being updated. The quickest way to update is usually through the Help > About section of your browser found using the control icon in the upper right corner.

 

This is a confusing issue, and that’s because it’s a big issue. Also, please be aware that scams around this will be out there soon. If you have any questions, please contact us at the Helpdesk at x1047 or at Helpdesk@widener.edu.

Happy (and Safe!) Holidays

With the holidays upon us, and the new year coming up, it’s a good time to remember that cybercriminals use the rush of the season to target unsuspecting users.

In addition to “urgent” messages to reset your password (reminder: even if you miss the reset date, we’re not deleting your account), it’s important to be ready for themed phishing emails such as Post Office/UPS/FedEx shipping notices.  It’s tempting to check “just in case,” but unless the email has your specific tracking number on it, it’s likely a scam.

Be careful if you get an email that looks like it’s from your bank saying that your card has gone over your limit – the bad guys often take the graphics straight from banking portals to trick people into entering their login data. Check your balance from your app, or give the support number on your card a call.

Remember that Wi-Fi hotspots aren’t secure – while you’re checking your bank balance, someone might be trying to intercept your ID and password.  Head out into the malls with the numbers beforehand, or just use your data connection.  At a busy Starbucks, your own service will probably be faster anyway.

Happy holidays everyone, and be safe out there.

 

Safety for Mobile Devices

National Cyber Security Awareness Month continues, and this week we have some tips on mobile device safety.

Today, we are more dependent on our mobile devices than ever.  At Widener, we make every effort to keep using them easy (did you see our latest update about guest wireless?). But with that ease of use comes some risk.  Take a look at some ideas from the #CyberAware campaign:

  • Mobile Apps – Only download your apps from Google Play or the Apple Store. Apps from other sources are rarely checked for malware or bugs.
  • WiFi hotspots – Although handy, WiFi hotspots are not secure. Anyone connected to it can scan your outgoing data (hello, bank account app), or they can attack your device with no firewall between them and you.  Wait until you’re on your own network, use your cell data network, or check into using a Virtual Private Network (VPN), which is a way to communicate securely over a less-secure network.
  • Lock your device – It sounds basic to those of us that do it, but many people don’t have a passcode or fingerprint reader set up. Our devices are small and portable; they’re easy to misplace, lose, or get stolen.  And most of your apps are probably password-cached, because it’s easy. Nearly everyone does it.  Just make sure that you have your device locked down so that no one can get in if it ends up in someone else’s hands.

For more info, check out this tip sheet, Safety Tips for Mobile Devices. As always, please call the Helpdesk at x1047 for assistance with any IT issue.

Keeping Information Private

National Cyber Security Awareness Month continues, and this week we’re passing along info about keeping personal information private.

In 2016, over 15 million people fell victim to identity theft, with financial losses totaling over $16 billion.  Here at Widener we take information privacy seriously. We ask (and have approved policy) that users do not share Social Security numbers (SSN’s) via email.  Email services are insecure by default, and if your WUMail message is going to an outside address, it’s at risk.

Also remember that Credit Card numbers are Personally-Identifiable Information (PII). Industry rules guide our use of these, and misuse represents a great risk of loss to the cardholder.

Below is a list taken from our Information Security and Compliance Program that shows the actions we should take with PII.

 

Classification Level: Confidential

Examples: SSN, Passwords, Credit Card Numbers

In electronic form: Must be encrypted when on the network and in electronic or physical data storage. Data must be protected with strong passwords. Data cannot be copied onto portable media without managerial consent (including laptops).

In print form: Must not be posted on any website or sent through email. Trash documents must be shredded. Retained documents must be stored in locked cabinets.

Classification Level: Restricted

Examples: Personally identifiable (combination of name, address, date of birth) student records, student grades, infrastructure design

In electronic form: Data must be protected with strong passwords. Data cannot be copied onto portable media without executive consent (including laptops).

In print form: Retained documents must be stored in locked cabinets.

Classification Level: Public

Examples: Not confidential or sensitive. Information on University website.

In electronic form: May be posted externally with appropriate approval (department head). May be sent through email.

In print form: Trash documents do not require shredding.

 

If your department is required to provide PII to other organizations or agencies and you need assistance with securing private info, installing encryption software, or any other issue, please contact the Helpdesk at x1047.

October is Cyber Security Awareness Month

The National Cyber Security Alliance (NCSA) is running its 14th annual campaign to increase security awareness online.

At Widener, we value and protect your online security and privacy.  Each week in October, we’ll feature information to help you strengthen your online safety. 2017’s theme is “Our Shared Responsibility,” recognizing that we’re all in this together, and that we help each other when we’re safer online.

Kicking off with a focus on the campaign “STOP. THINK. CONNECT.™, below are some tips to keep in mind as you live your digital life.  Remember that if you ever have questions, or feel uneasy about an email or a link, call the Helpdesk at x1047, and we’ll walk you through.

BasicTipsAndAdviceSTC

For more information, you can also visit the National Cyber Security Alliance (NCSA).