Security, Workstations

Critical Windows Updates TODAY

Scheduled Change: Today, August 15th 5:00 PM
Services Impacted: All Windows desktops and laptops

Google Project Zero has disclosed a critical vulnerability in Microsoft’s Text Services Framework that allows an attacker who can already run code on a Windows computer, even as a low-privileged user or from inside an application sandbox, to gain SYSTEM-level access. The patch for this vulnerability has already been released to campus, with the deadline for applying it originally set to next Thursday.

Since Google has now released a proof of concept attack based on this vulnerability it is highly likely that malicious versions will be created and deployed as malware in the next few days.

With this in mind, we have pushed up the deadline for applying this month’s security patches to today at 5pm. This means that the patches will begin applying after 5pm and computers will automatically reboot to apply the patches no later than 5pm tomorrow.

Please leave your computer on when you leave work today so the patches can be applied. If you turn your computer off for the weekend, the patches will apply first thing Monday morning and your computer will reboot once the patches are installed.

Campus technicians who have special exceptions to not have enforced updates should install these updates from Software Center manually as soon as possible. If you have a Windows computer at home, you should also check for and apply any updates from Microsoft.

Network, Security, Wireless

Wireless Network Update

Scheduled Change: Wednesday, July 24th 9:00 AM
Services Impacted: Campus Wireless

To ensure a secure campus wireless environment, devices that were configured more than a year ago need to be updated with the current network protocol.

We sent direct emails to those that we identified as using the older wireless protocol. If you are unsure if your device is configured correctly, you may re-run the Eduroam setup from your wireless device now by going to https://www.csuchico.edu/eduroam. Click on the “Join Now” button and follow the prompts.

Your wireless access may be interrupted on July 24th if your wireless configuration is not current.

Phishing, Security

Shipping PhishMe Campaign

CSU, Chico was recently targeted by an email scam that imitated a shipping & receiving notice. ITSS emailed faculty and staff to warn them about this scam in March.

We followed up on this scam in May by creating a PhishMe campaign with similar content:

The PhishMe campaign was sent to ~4,000 campus members. Below are the results of this campaign:

The results showed that over 14% of employees were susceptible to phishing, and an alarmingly high number of people opened the file attached to the email. Never open an attachment that you are not expecting. If you are unsure of the validity of an email, check with the sender before opening any attachments or links. Opening a malicious attachment can put you, your computer and files, the university, and university systems at risk.

More information about spam and phishing scams is available at https://www.csuchico.edu/isec/resources/avoid-threats/spam-phishing.shtml.

Security

Google Chrome Security Update

A vulnerability has been reported in Google Chrome that could be exploited to compromise a vulnerable system.

ITSS is immediately enforcing Chrome’s automatic update function and enabling the Chrome relaunch notification, which tells users that the browser must be relaunched before an installed update takes effect.

To check that Chrome is up to date (you should update your home computers as well) go to the “About Google Chrome…” window, accessible from the address bar using the special URL “chrome://settings/help”.

If you are prompted to Relaunch, please click the Relaunch button to do so.

When an update has been installed, it does not take effect until the browser is relaunched. Notification of a Relaunch will reappear every 4 hours until the browser has been relaunched.

Security

Campus Web Directory

As part of the ongoing efforts to increase campus information security, student names and email addresses will not be publicly available in the campus web directory (https://apps.csuchico.edu/directory/) after January 15th. They will still be available on campus networks and from external networks with campus VPN. Information about connecting to campus VPN is available at https://support.csuchico.edu/TDClient/KB/ArticleDet?ID=7708.

Security

iTunes Gift Card Scam

IT Support Services has had multiple reports of campus personnel being contacted by fake campus accounts (example: presidentgaylehutchinson@gmail.com) requesting the purchase of iTunes gift cards. Apple describes how the scam works at https://support.apple.com/itunes-gift-card-scams.

Here is the content of scam emails recently received by a staff member:

Are you free at the Moment?

Followed by:

Tied up in a Meeting right now and I want you purchase itunes Gift card 7 Pieces-$100 each? Its one of my Best Friend Son Birthday,Still In the meeting and i want it done Right Away! Scratch the silver Labels at the back of the cards and send pictures of them here.I Will reimburse you when am Done

Once the scammer receives the codes from the back of the gift cards, they can spend the funds. If you are unsure of the validity of an email, verify the sender, company, or offer by phone or in person before acting on a request.

Security

Beware of Scams and Phishing Attempts

To: Campus Community
From: Ray Quinto, Information Security Officer

The Information Security Office would like to remind you to be vigilant of scam emails and postings, especially as there may be an increase in fake job offers or rental listings following the Camp Fire.

Scams

Beware of unsolicited emails with offers or requests that seem odd or suspicious such as a work-from-home job opportunity with high pay for little work, asking you to purchase a number of iTunes gift cards and send a picture of the numbers, or that tell you to “contact me” in some urgent fashion. You may see similar postings on sites like Craigslist offering apartments or houses with surprisingly low rent. Sophisticated hackers can even spoof email addresses to make a message look like it’s coming from someone you know.

Treat anything odd as untrustworthy and do your best to verify the sender, company, or offer by phone or in person before acting on a request—hackers may control the sending email address and respond in ways that seem appropriate to get you to fall for the scam.

Remember, if an offer sounds too good to be true, it probably is.

Phishing

One of the most serious cyber-security risks facing the campus comes from phishing email messages. Phishing is the use of email in an attempt to steal personal information or hijack computing resources for fraud and identity theft, usually by having the user click a link that takes them to a familiar-looking login screen where information entered will be captured by the hacker. When employees and students are tricked into giving up their user name and password, criminals may gain access to campus systems and/or your personal information.

  • If you suspect an email is a phishing attack, you should delete it. Look for unfamiliar sender addresses, poor grammar or spelling, and a false sense of urgency, and hover over links to verify the URL they’re sending you to. View more tips for spotting phishing attempts.
  • If you are unsure of an email’s legitimacy, verbally confirm with the sender, or you can consult IT Support Services.
  • Do not click on links or open attachments in a suspicious email.
  • If you suspect that you have fallen victim to a phishing scam, you should immediately go to the CSU, Chico Portal (portal.csuchico.edu) and reset your password.

Remember, Chico State will NEVER ask for your password via email.
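The checks in the tips above (unfamiliar sender address, a link whose visible text does not match its target, urgency wording) and the unexpected attachment from the shipping PhishMe campaign can all be applied mechanically to a message. The script below is an added example, not a campus tool or anything ITSS runs: it parses one e-mail with Python’s standard library and returns a list of findings. The trusted domain list, the urgency keywords, the risky extension list and the sample message (addresses, hosts and file name) are all constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own mail domains (hypothetical value).
TRUSTED_DOMAINS = ("csuchico.edu",)
# Assumed indicator lists; extend them from real incidents.
URGENCY_WORDS = ("urgent", "immediately", "right away", "within 24 hours", "suspended")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".iso")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; '' when the text is not a URL."""
    return (urlparse(url).hostname or "").lower()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(raw):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    sender = msg["from"].addresses[0].addr_spec if msg["from"] else ""
    if not is_trusted(domain_of(sender)):
        findings.append(f"sender domain not trusted: {sender}")

    # A Reply-To at another domain diverts replies even when From is spoofed
    # to look like a campus address.
    if msg["reply-to"]:
        reply = msg["reply-to"].addresses[0].addr_spec
        if domain_of(reply) != domain_of(sender):
            findings.append(f"reply-to differs from sender: {reply}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hit = next((w for w in URGENCY_WORDS if w in text.lower()), None)
    if hit:
        findings.append(f"urgency wording: {hit!r}")

    # Hovering over a link shows the href; flag text that claims one host
    # while the target points at another, or any target off campus.
    if body is not None and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(text)
        for visible, href in parser.links:
            shown, target = host_of(visible), host_of(href)
            if shown and shown != target:
                findings.append(f"link text {visible} hides {href}")
            elif target and not is_trusted(target):
                findings.append(f"link to external host: {target}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
    return findings


def sample_message():
    """Constructed phishing sample modelled on the shipping-notice scam.
    Addresses, hosts and the file name are made up for illustration."""
    m = EmailMessage()
    m["From"] = "IT Support <helpdesk@csuchico.edu>"  # spoofed campus sender
    m["Reply-To"] = "support@csuchico-secure.com"
    m["To"] = "staff@csuchico.edu"
    m["Subject"] = "Shipping notice: package on hold"
    m.set_content("Your package is on hold. Confirm immediately.")
    m.add_alternative(
        "<p>Your package is on hold. Confirm <b>immediately</b> at "
        '<a href="http://login.csuchico-secure.com/verify">'
        "https://portal.csuchico.edu</a></p>",
        subtype="html",
    )
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="shipping_label.exe")
    return m.as_string()


if __name__ == "__main__":
    for finding in phishing_indicators(sample_message()):
        print("-", finding)
```

Note that the spoofed From address passes the domain check on its own; it is the mismatched Reply-To, the hidden link target and the executable attachment that expose the sample, which is why the tips say to verify with the sender out of band rather than trust the address shown.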

Everyone with an email address is a potential target for phishing or scams. We work diligently to keep these types of emails from getting through our security, but it is a daily and sometimes hourly battle. The campus will continue to make improvements to security technology (including 2-Step Verification), but the best defense against these attacks isn’t just technology, it’s learning how to spot and delete phishing and scam emails. For resources and tips, visit the ISEC website.