Security & Safe Computing Updates
This upgrade has taken place on Thursday, May 26
In mid-to-late April, a number of Duo applications were upgraded to be able to convert to Duo's new Universal Prompt. See https://it.uni.edu/updates/duo-universal-prompt-phase-2 for those details. However, the set of applications scheduled for April 27 had some issues and was reverted. Those updates are now scheduled for this coming Wednesday, May 17.
- Wednesday, May 17: Many internal and/or higher-use resources, e.g., Google apps, eBiz, Zoom, ServiceHub, CBORD GET, VPN, Docusign, EZ Proxy, FAMIS 360, etc.
The above is a sample of the most common applications affected. A complete list can be found at https://it.uni.edu/shibboleth-and-duo-universal-prompt-upgrades. Details on Duo's Universal Prompt can be found at https://guide.duo.com/universal-prompt
As QR codes continue to be heavily used by legitimate organizations—from Super Bowl advertisements to enforcing parking fees and fines, scammers have crept in to abuse the very technology for their nefarious purposes. The rest of the story is here: https://www.bleepingcomputer.com/news/security/qr-codes-used-in-fake-parking-tickets-surveys-to-steal-your-money/
AI: What is It and Why Should I Care?
Artificial Intelligence (AI) describes systems programmed to think and respond like humans. In fact, we asked the AI solution ChatGPT that very question and got this response. https://www.sans.org/newsletters/ouch/artificial-intelligence/
Duo accounts that have not used a phone call or SMS passcode since the first of the year will have those methods removed from their Duo account later this week. Duo Push via the Duo mobile app remains the primary and best way for users to interact with UNI's multi-factor authentication solution. Those that are actively using phone calls or SMS for authentication may continue to do so for now.
We took a break during the pandemic but the Phishing Education project is returning this spring. With the help of our vendor, realistic phishing messages will be sent to faculty and staff over the coming months. No punitive action will result from this exercise. All individual results will be kept private although large scale results and trends may be shared with appropriate partners. The sole purpose of the project is to educate the community and provide examples of things to watch for in real-life phishing messages.
Mobile devices, such as smartphones, smart watches, and tablets, continue to advance and innovate at an astonishing rate. As a result, you may be replacing a new device as often as every year. Unfortunately, you may not realize just how much personal data are on your devices — far more than your computer. Below we cover the different types of data on your mobile devices and how you can securely wipe your device before disposing or replacing it. Read more at https://www.sans.org/newsletters/ouch/disposing-mobile-devices/
The holiday season is a time when people are especially vulnerable to scams. This is because they are busy and often have their guard down. Criminals take advantage of this by circulating fake e-gift cards, posing as charities, targeting specific demographics, and so on.
- E-gift card scams
- Charities
- Demographic targeting
- Subscription renewals
- Crypto scams
More detail can be found at https://blog.knowbe4.com/send-this-to-your-users-5-top-scams-to-watch-out-for-this-holiday-season
The phishing "impersonation" problem is something that is very hard to deal with from a technical perspective:
- There are LOTS of people to impersonate (virtually any supervisor is a target)
- Impersonation can take many forms, e.g.,
- just a name in the body of the message
- a personal name associated with the sender
- an external address that looks like it belongs to the person being impersonated
- It's up to the recipient to apply a "smell" test:
- Does the real sender match the impersonated sender?
- Does the message come from the impersonated sender's UNI email address?
- Does the content and what's shared from where make sense?
- Remain skeptical about the authenticity of the message
- Perhaps even contact the impersonated sender, not by replying to the questionable message but by reaching out via direct email, a phone call, or a face-to-face question.
If the message seems at all odd, it almost certainly is a phishing attempt. Better to think a real message is phishing than vice versa! You will be forgiven (or certainly should be!).
If you use a computer or mobile device long enough, sooner or later something will go wrong. You may accidentally delete the wrong files, have a hardware failure, or lose a device. Even worse, malware may infect and wipe or encrypt your files. At times like these, backups are often the only way you can rebuild your digital life. Continue reading at https://www.sans.org/newsletters/ouch/emotional-triggers-how-cyber-attackers-trick-you/
Since 2004, the President of the United States and Congress have declared October to be Cybersecurity Awareness Month, helping individuals protect themselves online as threats to technology and confidential data become more commonplace. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) lead a collaborative effort between government and industry to raise cybersecurity awareness nationally and internationally. Read more at https://www.cisa.gov/cybersecurity-awareness-month
Pages
- ITTC 36
- (319) 273-5555
