All posts by ddh

Efforts to cut down on spam and phishing email

Michigan Tech IT has seen an increase in spam and phishing email enabled by email spoofing—when a user or system sends an email with a forged header so that it appears to be from an @mtu.edu address. We have been working on solutions, and on March 7 a preventative measure will be enabled to help reduce spoofing. After the change is made, email sent from a forged @mtu.edu address will have a much greater chance of being marked as spam.

We recognize there are legitimate tools that include spoofing as a feature (e.g., survey software) and have pre-approved many of the services used on campus that include spoofing as a part of their normal operation. The following will not be impacted by this new tool:

  • Alumni – iModules
  • Qualtrics Surveys
  • Survey Monkey
  • Collegiate Link/Campus Labs
  • EMAS Recruiting software
  • Systems on campus that relay mail through IT-run services

If you use a tool that isn’t listed above, and the email that it sends appears to be from an @mtu.edu address, please contact us so that we can make sure your service isn’t affected. If you have any questions or experience any issues sending legitimate “spoofed” email after March 7, please contact us at it-help@mtu.edu or 7-1111.


Protecting your identity – BCBSM breach

By now, many of you have heard of the data breach at Anthem, which may have also leaked data of Blue Cross Blue Shield of Michigan (BCBSM) members. While BCBSM is still investigating what member data has been breached, we do know that Anthem stored data on BCBSM members who received health care in a number of states outside of Michigan. The data accessed includes names, date of birth, member ID/social security numbers, addresses, phone numbers, email addresses, and employment information.

Though the investigation as to the extent of the exposure of BCBSM data is still underway, there are a number of steps that all users should take:

  • Monitor your current accounts for any unusual activity. Data from the breach may be used to try to answer security questions and access your accounts.
  • Sign up for fraud alerts with each of the three major credit bureaus. This will notify potential credit grantors to verify your identity before extending credit. This will stay on your account for 90 days and will allow time for BCBSM to complete their investigation.
  • Obtain a current copy of your credit report. You can receive a free copy of your credit report once every 12 months at: https://www.annualcreditreport.com.
  • Be aware of unexpected changes to your credit report or credit score. Many sites will monitor your credit but may charge a fee. CreditKarma is a well-respected free site for monitoring your credit score and can be found at: https://www.creditkarma.com.
  • Be suspicious of any email related to the breach that asks you to give personal information. Anthem will be directly notifying all impacted members via postal mail and will advise you on the next steps to take. Many cyber criminals are using the incident to target potential members with phishing attempts. If you receive an email that appears to be from Anthem and contains a “click here” link for credit monitoring, it is a scam!
    • DO NOT click on any links in an email appearing to be from Anthem.
    • DO NOT reply to the email or reach out to the senders in any way.
    • DO NOT supply any information on the website that may open if you do click on a link.
    • DO NOT open any attachments that arrive with the email.
  • If you have received health care services in California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia or Wisconsin, you should contact Anthem at 1-877-263-7995 or visit their website: http://www.anthemfacts.com/.

Regarding recent stories about Google credentials posted on Russian web site

There are a number of news services running a story about a Russian web site posting the gmail and mail.ru credentials of approximately 5 million users.

The 5 million passwords that were posted on the Russian website include a significant number of passwords for Google accounts. These passwords appear to have been acquired over several years’ worth of phishing campaigns by various hacking groups. Google has reviewed the list and believes that the majority of the accounts on the list have already been suspended or had their password changed since the credentials were acquired.

Currently there appears to be no reason to worry about this incident. IT will continue to monitor the situation and work on verifying that no @mtu.edu accounts were on the list.


Important information on the Heartbleed vulnerability

Michigan Tech IT has set up a web page describing the Heartbleed vulnerability and what you should do about it. The page can be found at: https://sites.google.com/a/mtu.edu/heartbleed—what-you-need-to-know/.

Here are some important points:

  • Don’t panic! If you haven’t used a site since Monday April 7th, your information at that site probably isn’t at risk.
  • If you have used a vulnerable site since April 7th, you should change your credentials on that site, but only after they have patched their system. The IT site listed above has the steps that you should take prior to changing your password so that you don’t put your account at further risk.
  • There are many phishing/spam messages being sent to users trying to leverage the media attention regarding Heartbleed to convince you to visit their site and enter your credentials. They will often appear to be your bank or other major online sites telling you that you need to update your account.

Questions? Please contact IT at it-help@mtu.edu or call (906) 487-1111.


Microsoft Ending Support for Windows XP

As many have heard by now, Microsoft will be ending support for Windows XP on Tuesday, April 8th. On that day, Microsoft will release their last set of patches for the operating system. After that, any vulnerability that exists will exist forever. We expect to see attacks on vulnerabilities that Microsoft has not patched, or does not know about, starting that afternoon, putting machines running Windows XP at risk.

IT has been working with departments to migrate machines running Windows XP over to Windows 7, but there are still many machines on campus that have not been migrated. To mitigate the risks to the remaining Windows XP installations, IT will do the following on Monday, April 7th:

  • Turn on the Windows XP firewall on all Windows XP machines in the University’s various domains, blocking all incoming connections but allowing the machine to be used as normal otherwise. This will not impede the user of the machine from browsing the web or any other activity; it will only affect other machines being able to initiate a connection to the Windows XP machine.
  • Put a firewall rule in place to allow remote desktop connections to the machines as long as the user is logged in to the VPN server (vpn.mtu.edu) and has chosen the “Get an MTU address” option. This includes remote desktop connections coming from other areas on campus, which have previously been allowed without a VPN connection.
  • Anti-virus software has been installed on all domain machines and will continue to be updated to protect against known attacks.
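The first two changes above, applied to a single host, as an added illustration (this is not IT’s deployment script; the VPN address range is a placeholder and the machine is assumed to be Windows XP SP2 or later, where the built-in firewall is driven by the “netsh firewall” context):

```batch
@echo off
rem Added illustration, not Michigan Tech IT's deployment script. It approximates,
rem on one Windows XP SP2/SP3 host, the firewall changes described above. The
rem pre-Vista firewall has no PowerShell interface, so "netsh firewall" is used.
rem VPN_RANGE is a placeholder: substitute the address block that vpn.mtu.edu
rem assigns to "Get an MTU address" clients. Run from an administrator prompt.

set VPN_RANGE=192.0.2.0/255.255.255.0

rem 1. Turn the firewall on for every profile. The XP firewall only filters
rem    inbound traffic, so browsing and other outbound use continue to work.
rem    Exceptions stay enabled so that the single Remote Desktop exception
rem    below can apply; the other built-in service exceptions are switched off.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=ALL
netsh firewall set service type=UPNP mode=DISABLE profile=ALL

rem 2. Allow inbound Remote Desktop (TCP 3389) only from the VPN range.
rem    scope=CUSTOM limits the exception to the listed addresses, so hosts
rem    elsewhere on campus can no longer initiate a connection to this machine.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=%VPN_RANGE% profile=ALL

rem 3. Log dropped inbound packets (default file: %windir%\pfirewall.log) so a
rem    host that is being probed leaves a record, then show the final config.
netsh firewall set logging droppedpackets=ENABLE
netsh firewall show config
```

The final "show config" output should list Remote Desktop as the only enabled service exception, with the custom scope, before the machine is handed back to its user.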

For our users, your machine should only be at minimal risk after these changes with the exception of your web browser of choice. We ask that users on Windows XP machines do not use Internet Explorer as it will remain vulnerable. Both Firefox and Chrome will continue to be updated to correct future vulnerabilities.

If we discover a Windows XP machine on the network that has been compromised and is attacking other machines, we will follow our normal procedure of temporarily taking the machine off the network, but instead of cleaning it, it will be rebuilt with Windows 7. If you believe that your machine may be infected, please contact IT User Services as soon as possible.

If you have a University owned machine that is still running Windows XP, please contact User Services at it-help@mtu.edu or 7-1111 to schedule a time for your machine to be transitioned to Windows 7.

For home users still running Windows XP you can add similar protection to your machine to help extend its life, but the machine should be updated as soon as possible. You should do the following:

  • Make sure you have the Windows Firewall turned on from the control panel. Though important, many home routers will already offer you most of this protection, even if it’s turned off.
  • Avoid using a Windows XP laptop on a public wireless system unless you have turned on the firewall, as your home router will not be of assistance.
  • Make sure you are running an up-to-date anti-virus program. AVG is available for free to users at http://free.avg.com.
  • Upgrade your system to Windows 7 or later as soon as you can.

We’ve launched a Google Site with more information on the end of Windows XP (https://sites.google.com/a/mtu.edu/itss-winxp-transition/). If you have any questions or concerns regarding the transition to Windows 7 or about an existing Windows XP installation, please contact User Services.


Recent phishing attacks against Michigan Tech

* REMINDER: NEVER submit your password over email. Michigan Tech will never ask for your credentials over email.

With the holiday season upon us, we are seeing an expected increase in the number of phishing attacks against campus. Hackers tend to take advantage of holidays to launch these attacks for a number of reasons. It’s a time of year when students, faculty, and staff are likely away from campus and do not have any in-person support. It’s also a time when most IT support is running at a lower staffing level. Both of these combine to create lowered awareness of attacks and slower response times to compromised accounts.

These messages will often appear as legitimate messages warning you of some time-critical process that requires you to verify your identity. Recently these have mentioned that your email access may be revoked. Other examples of phishing attacks can be found at http://www.security.mtu.edu/email-security/.

We would like to remind our users that Michigan Tech will never ask you to put your password in an email message. We do not ever need to know your password. If we do need to verify your identity we may direct you to a University website ending in .mtu.edu, most likely https://www.login.mtu.edu or https://banweb.mtu.edu.

If you do receive a message asking for your credentials, please be sure to mark it in Gmail as a phishing attempt. This will help Google identify similar messages and will also allow them to remove or flag the message in other users accounts. Instructions on marking the message as a phishing attempt can be found on the IT Blog at:

http://blogs.mtu.edu/it/2013/10/04/phishing-attacks-keep-your-information-safe/

If you do accidentally reply to a phishing attempt or fill in a form on a non-MTU website, you should immediately change your ISO password by visiting https://www.login.mtu.edu and selecting the “Change your MTU ISO password” option. You should also report the potential disclosure to it-help@mtu.edu so that we can ensure that any connections that the attacker may have established with your credentials are terminated.

We appreciate your awareness and diligence in dealing with these situations.

-Dave Hale
Sr. Security Officer
IT/Michigan Technological University


Microsoft Security Essentials/System Center Endpoint Protection as new University anti-virus solution

In recent years McAfee, the current anti-virus solution for campus, has been falling behind its competitors. Starting in 2012, IT began looking at alternative solutions for both University-owned computers and for home users. After comparing the available products, we have decided to implement Microsoft’s security solution for both groups of machines. The existing agreement with McAfee will end on December 13th, at which point current installations will cease to update.

For University-managed machines – those that use MTU ISO logins – IT will be making the transition in the near future. We will also be posting instructions for users of University-owned equipment that is not managed by IT so that they can transition their system.

For home users, whether they are students, faculty, or staff, Microsoft Security Essentials is free and readily available for download on Windows computers. A link for downloading the software is listed at the end of this post. If you currently have an alternative anti-virus solution installed such as McAfee, you will need to uninstall it prior to installing Security Essentials. IT will be posting more detailed instructions for this in the near future.

Download Microsoft Security Essentials for home users:
http://windows.microsoft.com/en-us/windows/security-essentials-download


Bradford Agent

Michigan Tech uses a Network Access Control tool – Bradford Agent. But what exactly does it do?

The agent installs itself on your system as a part of the registration process. Once the agent is installed it sends back the hardware (MAC) addresses of all network interfaces on your system. This information is used so that you do not need to re-register a device if you switch between a wired and wireless network.

If your device is running Windows, the agent then checks to see if you have anti-virus software installed and relatively up-to-date, that you are running a version of Windows that is still supported for security patches (Windows XP or newer), and that you have installed recent security patches from Microsoft. If you do not have up-to-date anti-virus software or Windows updates, you are placed onto a remediation network where you can download the updates but cannot do any browsing beyond that.

These checks happen the first time that you register, and may occur after that if your device has been off the network for an extended period of time. We can also force the agent to re-run the tests the next time you connect, which we may do if there is some virus spreading around campus.

To be clear about what the agent does not do: it does not change any settings, monitor any network traffic, or look at which programs you have installed or are running. Once you are connected to the network, the agent has nothing to do with your connection, and in fact can be uninstalled from your system. Please note that if you do uninstall it, you may need to re-register your device and install the agent if another scan is needed in the future due to either of the situations mentioned above. We use the persistent agent as a convenience to our users so that they do not need to go through the registration process more than once.

If you would like any more information about the Bradford system, feel free to contact us at it-help@mtu.edu and we will do our best to answer your questions.

Related links: Michigan Tech’s Network Access Control Policy