More and more cybercrimes occur every day over the world. Unfortunately, many
people are still unaware of the dangers that lurk just around the mouse click.
It is for this reason that, over the past few years, Homeland Security has made
it a priority to bring cyber awareness to the masses. With the help of various
organizations they are able to reach a vast number of individuals. That is why
SHSU will participate in National Cyber Security Awareness Month with other
organizations across the country. Read More.
At least one agency in the Texas State University System has been the target of two attempted social engineering events in the past few weeks. We want to make sure that you are careful with the information that you provide to those that contact your department.
Social engineering is a means of manipulating a person into releasing information or performing acts that will give another person access to secure information. A lot of times the person being manipulated may not realize what is happening until well after the information is given out.
For additional information on this topic including steps to help you avoid being a target, read the July 2012 Cyber Security Tip Newsletter published by the Texas Department of Information Resources. Additional information can also be found on the United States Computer Emergency Readiness Team site.
If you feel you have been the target of social engineering, please do not hesitate to contact IT@Sam to report the issue.
Last month we talked about some ways that you can help mitigate the likelihood of getting a virus, downloading malware or falling prey to a phishing attempt. This month we will touch on a few ways you can protect yourself from a phishing attempt.
For a bit of background on “phishing,” see Wikipedia.
“Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.”
E-mail and Phishing
E-mail is the main attack route for a phishing attempt, the goal of which is to steal your personal information. To help recognize a phishing attempt use these five guidelines.
- A non-specific or generic greeting.Internet criminals don’t normally setup mailing lists with users names autoloaded in, so their email messages usually start with:
- Dear Customer
- Dear Account Holder
- Dear PayPal user
- Fake links. A link in an email can be made to say anything in the text. Place the mouse cursor over the link and Outlook will display the actual link destination. In my example I made a link that displays as the Home Depot website but in reality is a link to the SHSU Homepage.
- Links to Non-secure login pages. All legitimate login pages will exist on a secure website. To see if the site you are on is secure look at the beginning of the address. Secure sites begin with “HTTPS:” not just “HTTP:”. The S at the end denotes that site as secure. If you are unsure about a page that claims to be secure you can click on the name of the company to the left of the URL address and see who has verified the website. For example SHSU’s SamWeb is located at HTTPS://SAMWEB.SHSU.EDU and we have been verified by GlobalSign as a secure site.
- Asking for personal information. The entire point of the phishing attempt is get you to give up your personal information (Social Security Number, Credit Card Number, Bank Account, Residential Address, etc.) so that they can either steal your identity or sell your contact information to companies around the world. Every company that you do business with probably already has all of the information that they need from you. If you think it might be a legitimate request for information then look up that company’s contact information online (not from the e-mail they sent you) and call them to confirm.
- Immediate Needs and Deadlines. Criminals don’t want to wait around for you to send them your vital information so they will put emergency notices and deadlines into their phishing attempts. They will frequently say that an account is going to expire within a few days if you don’t respond or that a service will be terminated and you will have to pay exorbinant reconnect fees. Don’t be fooled by this, take the time you need to verify that this is a real request before you give out any information, and whatever info you do give, do it over the phone and not via e-mail.
October is Cyber Security Awareness month and IT@Sam is proud to announce that we are hosting a Cyber Security Poster Contest.
We are also issuing a call for judges. If you have experience dealing with cyber security issues, technology issues, or are just interested in becoming a judge please contact Lucrecia Chandler at UCS_LKN@shsu.edu
2011 Poster Contest Entry Requirements
Poster submissions should cover a cyber security problem and specific remedies or actions to combat that problem.
- This contest is open to all currently enrolled students at Sam Houston State University.
- Students can submit more than one poster.
- Students must be willing to make minor adjustments if necessary based on feedback from judging committee.
- Resolution must be sufficient to be printed at a max of 24”x36” without scaling (300dpi minimum).
- Submissions must be in .jpg format.
- Content should be targeted for a large audience that will include fellow students along with faculty and staff.
- Correct spelling, punctuation, and grammar must be used.
- All content must be original and generic. No brands, vendors, etc.
- A long shelf life is desirable.
- Professional (or paid) assistance is not allowed.
- Sponsorship is not allowed.
- This contest is to showcase your work to the higher education community. We will license all entries under a Creative Commons Attribution-Non Commercial-Share Alike 3.0 Unported License (http://creativecommons.org/licenses/by-nc-sa/3.0/).
- Submissions will be featured on the IT@Sam Service Desk Blog, Twitter feed, and Facebook pages along with various Cyber Security related presentations.
There will be prizes for the top three posters and an Honorable mention for the fourth place winner. Please stay tuned for an update in a future IT@Sam Newsletter issue about the prizes.
Many of you may have received an email over the weekend from a company that you do business with that reads similarly to the following:
We have been informed by Epsilon, the vendor that sends email to you on our behalf, that your e-mail address may have been exposed by unauthorized entry into their system.
Epsilon has assured us that the only information that may have been obtained was your first and last name and e-mail address. REST ASSURED THAT THIS VENDOR DID NOT HAVE ACCESS TO OTHER MORE SENSITIVE INFORMATION SUCH AS SOCIAL SECURITY NUMBER OR CREDIT CARD DATA.
Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.
In keeping with standard security practices, the <COMPANY> will never ask you to provide or confirm any information, including credit card numbers, unless you are on a secure <COMPANY> site.
Epsilon has reported this incident to, and is working with, the appropriate authorities.
We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
Security Week has published a story regarding this breach and is keeping it updated with the brands that have been affected. Please take a look and if you do business with any of the reported companies, please be extra cautious of any emails that appear to be sent from them to you in coming weeks, especially if they are asking you for personal information. If you are concerned about the legitimacy of an e-mail, it is always best to contact the company for verification.
Stay safe out there!