• As computing devices become increasingly numerous and increasingly portable, they become much easier to lose — or to have stolen. Recently, phones and computers have gone missing even from within SoM offices and labs. Any employee who's lost a device that is being used for Stanford business, whether

    Reporting a Lost or Stolen Device

Mac OSX Yosemite: Compatibility

Apple recently released the newest version of their desktop/laptop operating system: Mac OSX 10.10, nicknamed Yosemite. It’s even a free downloadable upgrade!

Usually Stanford recommends, for security reasons, that computer users upgrade to the newest system; but should you upgrade to Yosemite yet? Stanford ITS has hopefully answered that question for you. They’ve made a list of security and productivity software that is important to Stanford users, and they’ve outlined whether or not that software is compatible with Yosemite.

So, before you upgrade, check out the ITS page on Yosemite (which they plan to update frequently).

Anti-Spam Filter

Are you getting a lot of spam in your inbox? You may want to update your webmail spam filters.

Stanford uses a product called Proofpoint to scan email at the server level, on its way to your email inbox. Mail that it judges to be spam with 100% certainty will be filtered out automatically. Other questionable email is marked with a “spam score” in the subject line, showing how closely it matches patterns based on known spam. The score will be between one and four hashmarks, with four being the most likely: [SPAM:####]

You can set a filter in your email program so that suspected spam with a specific number of hashes be sent automatically to the “Junk” folder (or deleted immediately, though that may mean legitimate email could be deleted). If an email gets filtered out accidentally, you can configure your email program to let it through.

How to set a filter, for Stanford Webmail, Apple Mail, Thunderbird, and Microsoft Outlook.

More about Stanford’s spam filtering

 

Check the whole URL

A few days ago, someone sent us this example of a phishing email, which she correctly identified as a scam. It’s a good example of how scammers will try to disguise a fraudulent link using words you might recognize:

From: Stanford University© <xxxx@nyu.edu>  [Would a Stanford email come from NYU?]
Date: July 21, 2014 at 9:00:33 AM PDT
To: undisclosed-recipients:;
Subject: Re-Notification Update!!!

Your two incoming mail has been placed on hold, click on the link http://secure-weblogin-stanford-edu.yolasite.com/ to reactivate it,

Copyright © 2001-2014,© Stanford University. All Rights Reserved..
SU Home Maps & Directions Search Stanford Terms of Use Emergency Info
© Stanford University.  Stanford, California 94305. Copyright Complaints Trademark Notice

Now, the rest of the email already makes it pretty clear that it’s a scam. But if we just had the URL to consider, we can see what it’s using as a disguise. It has some of the words you should look for — “secure,” “weblogin,” “Stanford,” — BUT there’s more between the first set of slashes that’s a dead giveaway: the real domain is yolasite.com, which means it’s definitely not a real Stanford address. A real Stanford address may have a variety of words between the first set of slashes, but will always end the address with stanford.edu, so that the format looks like this: http://xxxxxxxxxx.stanford.edu/

And even if the link text seems to be formatted correctly, the true link, revealed by mousing over the text, will show you where it’s really leading you. Always check and make sure you know where you’re going, before clicking on a link; stay safe out there!

Phishing: Two Strategies

The goal of a phishing scam is to get you to provide the scammers with your personal, private information; in order to do that, they have to get you to click on their link. Two scams recently sent to us illustrate two common, yet opposite, strategies. An interesting twist is that both emails actually use the concept of email security to gain your trust: hey, if it’s about security, it must be a legitimate email, right? That’s why it’s very important to check any link in any email before you click on it.

Scared into Submission

This is a very common technique: the scammer, usually pretending to represent a trusted institution, presents you with a problem that’s meant to scare you into immediate action, and then provides you a link in order to “fix” your “problem.” In this case, they’re pretending to be Google, and they’re threatening to shut off your email account—unless you click the link. Often, as in this case, scammers use the term “verification,” as if reassuring you that you’re not revealing anything they don’t already know; “verify” is always a warning sign. The email’s grammar and spelling is already dodgy, and hovering over the link reveals that it’s a fake.

Dear xxxx@stanford.edu ,Sorry you are seeing this.
We are doing a spam and fraudulent verification survey.Please its very important you participate in this survey to help us serve you better.Move message to Inbox and perform this verification survey.
Click here to help you perform this verification survey.
The achievement of this survey is to track and shut down fraudulent user and phising domain to help improve and make your mailing system better.Please If a verification response is not gotten from you in the next 24 hours, we will assume you are a fraulent user and shut down your mail account, till after proper verification recovery before you can access you mail account again.Thanks.
All Domain 2014 Team.

powered by: Google+

Under the Radar

This is the type of phishing scam that’s trying to slide under your radar. Rather than scare you, it’s trying to lull and/or bore you. It’s pretending to be a routine business email. Terse and to the point, it’s trying to be an innocuous everyday communication. It seems important, but not that interesting: just the kind of thing you’d be likely to click on, just to clear your inbox. Hovering your cursor over this link reveals that it’s a website based out of India, not Stanford. (We’ve removed the link; we don’t want anyone to actually click on it.)

From: Stanford University <server@stanford.edu>
Subject: You have (1) new Security Mail
Date:
June 16, 2014 6:40:46 AM PDT
Reply-To: Stanford University <server@stanford.edu>

Dear User,
You have (1) new Security Mail.
Kindly CLICK HERE to read now.

© Stanford University. Stanford, California 94305

 

Scam: “WebLogin Updates”

Currently circulating around campus is a very sneaky phishing scam. With a graphic made to look like a Stanford webpage, it wants you to click on a link to “update your account.” Several people forwarded this to us, cleverly noticing that it is a fake. Thanks for passing it along.

Scammers can be very adept at stealing and altering graphics, so always look closely at your email, and trust your instinct if something seems wrong. Warning signs about this one include: the “From” Address (not a Stanford domain), and the strange language about WebLogin included in the message itself. As always, if you receive a message like this, don’t click on anything, and just delete it.

If you clicked on the link and shared any account information, change your password right away; if you have any questions, contact IRT Security.

 

Fake Weblogin

About: WindowsXP Secure Network

In our previous blog post, we mentioned that Microsoft will stop supporting WindowsXP on April 8, 2014, which means that they will no longer be issuing security patches for that operating system. Therefore, Stanford’s goal is to phase out the use of WindowsXP by that date.

Some equipment may be granted an exception, if the WindowsXP device is used to run equipment where a system upgrade would be prohibitively expensive or otherwise impossible. IRT is therefore offering to host certain WindowsXP devices on a separate, secure network that offers additional protections to make up for the lack of software patches.

If you are in charge of such a machine that can’t be easily upgraded, contact IRT Security to take advantage of this secure network.

 

Standards for the WindowsXP Secure Net include:

  • Network subnets for XP machines are limited to a range of 14 devices each (/28) to limit the risk to others should one of the machines become compromised.  No traffic between these networks is allowed.
  • Data transfers out are allowed, but no email or web services out – incoming traffic is severely limited as well.

Network Firewall Rules:

  • All outbound SMTP and WEB access is blocked from the WindowsXP Secure subnets.
  • Outbound file transfers allowed to Stanford hosts, other off-campus outbound is blocked.
  • Inbound ping and traceroute are allowed but nothing else.
  • In the case of remote management, from on-campus, we can set up VPN access to the XP devices.

Other Rules for Devices on the Network:

  • Local firewall rules on the computers should be set to disallow incoming communication other than specific port/protocol that may be required to support the primary function of the system and/or the device to which it is attached.
  • Wireless connections are inherently insecure. Wired connections are required on the WindowsXP Secure network.
  • No USB input to the WinXP device without special circumstances.  Transfers should be done on the network.  Software License USB Keys are allowed to use the USB Ports.
  • BigFix client installed, but in the cases where BigFix may interrupt ongoing work processes, it’s optional.

Next Stanford Data Security Deadline: WindowsXP Migration

By April 8th, 2014, all Stanford computers and devices running WindowsXP must be upgraded/migrated to a more secure system. The April 8th deadline marks the day that Microsoft will stop supporting WindowsXP, which means there’ll be no more security patches issued for that operating system, leaving systems vulnerable.

All devices running WindowsXP should therefore upgrade their operating system before the April 8th deadline.

There is an exception process in place for devices that would be very difficult to bring into compliance: a device might be attached to scientific equipment, running specific applications that can’t be easily upgraded, or performing a function that would be otherwise significantly impacted by changing the operating system. IRT staff are carefully reviewing each case and will work together with faculty to find the best solution.

If the cost of replacing or upgrading equipment seems prohibitive, Stanford recently announced a financial assistance program; departments are highly encouraged to take advantage of this program when possible.  Alternatively, if your devices will be put at greater risk due to expired operating systems, the School of Medicine offers a special network to provides enhanced security and safeguards for your computers and data. If you would like to discuss protecting your computers by placing them on this new network, please contact us, and fill out a compliance variance request form (below).

Devices connected to the new WindowsXP SecureNet will have to fulfill certain security requirements, including:

  • No other applications allowed (no email, no web browsing, etc)
  • Wired connection only (no wireless; it’s inherently insecure)

To apply for an exception to the WindowsXP migration deadline, or to another of the new data security requirements, please submit a Compliance Variance Request Form to ensure the temporary exemption is documented.

Linux Security Flaw Discovered; Users Should Update Now

Attention, Linux users: Developers have just announced the discovery of a serious security flaw in the GnuTLS library, affecting many, many open source applications and software packages. This includes users of Red Hat, Debian, and Ubuntu, among many others.

Similar to the newly-discovered iOS security bug, the Linux bug leaves users vulnerable to eavesdropping. Because it causes errors in the verification of security certificates, the bug makes it easy for attackers to bypass SSL and TLS connections in any website or application that uses that particular library, allowing them to eavesdrop on—and decode— encrypted traffic.

Developers recommend that all users update GnuTLS to version 3.2.12

For more information, see this article at arstechnica.com.

Important Apple iOS Update: Fixes Security Flaw

Attention, users of Apple devices: Just this weekend, Apple released a security update for iOS that fixes a major security problem in their software. Without the update, your iPad/iPhone/iPod Touch is left vulnerable to having your private information intercepted, while you’re using public WiFi connections.

Apple strongly recommends that iOS users update to the latest version of the software, available by connecting your device to iTunes and clicking “Check for updates,” or by opening the “Settings” app on your device and then selecting “General” and then “Software Update.”

Apple as yet has no patch for the same flaw in desktop/laptop systems, so in the meantime, you should avoid using insecure public WiFi (like at a coffee shop or airport) for transactions involving personal or financial information.

For more information about the problem, you can read this Slate Magazine article.

Scam: “Greetings everyone!”

There’s been a phishing scam circulating on campus lately that has been submitted to us by several members of the Stanford Medicine community—because it’s being widely circulated, and because it’s also got some glaring warning signs that people have spotted right away.

This phishing scam employs the strategies of vague-enough-to-seem-relevant, and mundane-enough-to-seem-safe.  Yet even in such a short email there are numerous strange phrases and misspellings. But the biggest warning sign is the URL, in red below: it’s not even close to a Stanford address. Yes, it’s a fake.

Thanks everyone for checking before you click, and letting us know when you find scam emails!

Below is the email text:

From: “© Stanford University” <knbrevard@email.wm.edu>
Sent: Wednesday, February 19, 2014 1:40:07 PM
Subject: Greetings everyone!

Stanford University
450 Serra Mall
Stanford, CA 94305-2004

Deal All

A private message have been sent to you by the HEAD of department. Use
the link below to Login and view your message.

http://update-weblogin-stan-ford-university.yolasite.com/

Sign.
HEAD of department
Info Centre stanford
(c) Stanford University. All Rights Reserved.