Information Security News and Events
News, events, views, tips, and hints for keeping your personal information private.
Wednesday, Apr. 9, 2014
Immediate action required whether you use a PC, Mac, or smartphone. Researchers have discovered a critical bug in the communication protocol that is used to secure transactions on an estimated 500,000 websites. When you log into a website, your username and password are sent to that website's server. Typically your credentials are encrypted using a protocol called Secure Sockets Layer, or SSL. One of the most commonly used implementations of SSL is called OpenSSL and it is used by approximately 66% of websites.
Heartbleed is a bug in OpenSSL that allows attackers to decode and read text from emails, instant messages, passwords, even business documents -- anything sent to a vulnerable site's server. Heartbleed is so critical that almost every major web site and vendor service is scrambling to resolve it.
Google has released a statement that their sites are not vulnerable. SCU’s technical staff is working with our vendors to identify and address the issue on other SCU systems.
SCU's Information Security Office strongly recommends that you change your SCU Network ID and eCampus passwords right away.
You can change your Network ID password here: https://sso.scu.edu/gam/passwords.html.
We also recommend changing passwords for all sites where you conduct financial or personal business. Be sure to use long and strong passwords and change them regularly.
More information about Heartbleed
Tuesday, Mar. 4, 2014
Apple has reported a flaw in their code for iOS versions 6 and 7, as well as Mac OS X 10.9.1 (Mavericks). The bug allows hackers to intercept and decrypt SSL-encrypted network connections. That means email or other online transactions can be read by attackers, who can possibly gather sensitive, personal information.
Apple's Safari web browser and Mail client, and other apps such as Face, iMessage, and some third-party programs running on iOS versions 6 and 7, and OS X 10.9.1 are vulnerable to SSL snoopers. However, Google Chrome and Mozilla Firefox are not vulnerable, as they use a different SSL library.
Maverick (running 10.9.0 or 10.9.1) and iPhone users should install the Update as soon as possible. You can get it by running Software Update.
About the OS X Mavericks v10.9.2 Update
Security updates for Apple products.
Thursday, Dec. 5, 2013
There has been much press about a nasty peice of malicious software (malware) called Cryptolocker. Here is the rest of the story
What is CryptoLocker?
CryptoLocker is a particularly malicious ransomware program.
How do you get infected?
CryptoLocker is a trojan horse. It is typically spread through email attachments and phishing attacks.
What does it do?
After CrytopLocker gets installed it quietly starts encrypting your files. After it's encrypted enough files it will present you with a popup window telling you what it has done and instructing you to pay (usually $150-300) if you'd like your files back. You have 72 hrs to comply (though this has changed recently, being more lenient - if you're willing to pay they will take your money and decrypt your files).
How do you protect against CryptoLocker?
CryptoLocker is a serious threat. If you do get infected you're either going to have to pay the ransom or say goodbye to family photographs and important personal data. We do not recommend that you pay the ransom--these are criminals and have taken credit card numbers without decrypting the data.
- Keep your operating system (OS) up to date with the latest patches.
- Install anti-virus software on your computers if you don't already have it installed. Keep this up to date as well. Here is a link to Symantec’s description of how their software protects against Cryptolocker: http://www.symantec.com/connect/blogs/ransomcrypt-thriving-menace
- Make backups of important data in a regular basis.
- Only browse to trusted websites.
- Only open email attachments or links from trusted sources.
If you think your computer is infected, call the IT service center at (408)554-5700
To learn much more about CryptoLocker the Malwarebtes blog has this:
Saturday, Mar. 9, 2013
It is critical that you install anti-virus software and keep it updated. Browsing the Internet, sharing files, infected thumb drives, portable hard drives, mp3 players, smart phones, etc. can all infect your computer with viruses. No computer is immune--Windows, Mac, Linux, PDP-11--can all be infected.
Many viruses don't do anything you would readily notice. They just run in the background using your computer to send SPAM or spread malware to the people you communicate with so that their computers send SPAM or infect other computers. All you may notice is that your computer is running more slowly or the drive access light is blinking all the time.
Anti-virus software does more than just protect from viruses. There is a lot of other bad stuff out there like malware that collects your keystrokes and sends them to a computer somewhere. Then the criminal behind the malware will try to use your information to steal your identity (think about all the usernames and passwords that you type and what you access).
If your computer gets a virus, you will probably lose some of your work and a technician will have to eradicate the virus from your computer--that usually means fully erasing the hard drive and reinstalling all your software. While that is being done, you won't be using your computer. Further, your infected computer probably passed a virus onto someone else's computer and that person will have go through the same process to disinfect that computer. It would be inconvenient to you if your computer got a virus, it would be irresponsible if you allowed one to be passed to people you communicate with!
For more information, check out this site, http://www.us-cert.gov/ncas/tips/ST04-005
Monday, Feb. 18, 2013
The first five correct answers will win an SCU Data Privacy Day T-Shirt. You must use an SCU email address to win.
The question: What was the first computer worm on the Internet? Who developed the worm and what else is he know for being "first" for?
Send your answer to email@example.com. Winners will be notified via email.
Monday, Jan. 28, 2013
Monday, Jan. 28, 2013
January 28 is Data Privacy Day, an international event emphasizing the dignity of the individual and the value of privacy in supporting that dignity. At SCU, the Information Security Office will have an information table on the Benson Center Plaza on the 28th from 11:00-1:00 and the 29th from 4:30 to 6:00. Students, faculty, and staff can stop by and learn about information privacy & security--and win T-Shirts!
Learn more about Data Privacy Day from Stay Safe Online.
Monday, Jan. 28, 2013
The mission of the Information Security Office is to support Santa Clara University’s outstanding undergraduate, graduate, and research programs by protecting the university’s information assets.
Ensuring that Santa Clara University’s students, faculty, and staff have access to all of the information resources they need to fulfill their role(s) at the university is the core value of this mission.
The Information Security Office leads efforts to implement industry and higher education best practices in information security. Examples of these efforts are establishing an information privacy & security awareness program, developing information governance and policy programs, and identifying ways to prevent information security incidents.
SCU established the Information Security Office with the hiring of Robert Henry as Chief Information Security Officer in December 2012. Bob comes to SCU with over 20 years experience in information technology, the last 5 1/2 years serving as the Information Security Officer for Boise State University. He started out his career in Higher Education teaching Rhetoric and American Literature at Boise State in 1989. His teaching career morphed into an IT career when he joined two other faculty members in setting up networked computer classrooms for teaching writing in 1991. Since '91, he served in systems and network administration before focusing on information security.
Read Bob's philosophy of information security on his personal blog.