Scam: “WebLogin Updates”

Currently circulating around campus is a very sneaky phishing scam. With a graphic made to look like a Stanford webpage, it wants you to click on a link to “update your account.” Several people forwarded this to us, cleverly noticing that it is a fake. Thanks for passing it along.

Scammers can be very adept at stealing and altering graphics, so always look closely at your email, and trust your instinct if something seems wrong. Warning signs about this one include: the “From” Address (not a Stanford domain), and the strange language about WebLogin included in the message itself. As always, if you receive a message like this, don’t click on anything, and just delete it.

If you clicked on the link and shared any account information, change your password right away; if you have any questions, contact IRT Security.


Fake Weblogin

About: WindowsXP Secure Network

In our previous blog post, we mentioned that Microsoft will stop supporting WindowsXP on April 8, 2014, which means that they will no longer be issuing security patches for that operating system. Therefore, Stanford’s goal is to phase out the use of WindowsXP by that date.

Some equipment may be granted an exception, if the WindowsXP device is used to run equipment where a system upgrade would be prohibitively expensive or otherwise impossible. IRT is therefore offering to host certain WindowsXP devices on a separate, secure network that offers additional protections to make up for the lack of software patches.

If you are in charge of such a machine that can’t be easily upgraded, contact IRT Security to take advantage of this secure network.


Standards for the WindowsXP Secure Net include:

  • Network subnets for XP machines are limited to a range of 14 devices each (/28) to limit the risk to others should one of the machines become compromised. No traffic between these networks is allowed.
  • Data transfers out are allowed, but no outbound email or web services; incoming traffic is severely limited as well.

Network Firewall Rules:

  • All outbound SMTP and WEB access is blocked from the WindowsXP Secure subnets.
  • Outbound file transfers are allowed to Stanford hosts; all other off-campus outbound traffic is blocked.
  • Inbound ping and traceroute are allowed but nothing else.
  • In the case of remote management, from on-campus, we can set up VPN access to the XP devices.

Other Rules for Devices on the Network:

  • Local firewall rules on the computers should be set to disallow incoming communication other than specific port/protocol that may be required to support the primary function of the system and/or the device to which it is attached.
  • Wireless connections are inherently insecure. Wired connections are required on the WindowsXP Secure network.
  • No USB input to the WinXP device without special circumstances. Transfers should be done over the network. Software license USB keys are allowed to use the USB ports.
  • BigFix client installed; in cases where BigFix may interrupt ongoing work processes, it is optional.
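As an added illustration (not IRT's own configuration), the firewall and segmentation rules above modelled as a small policy checker that a defender can use to sanity-check a rule table. All address ranges are constructed placeholders, since the page names none, and the on-campus VPN pool and the treatment of "file transfers" as ordinary outbound traffic to campus hosts are assumptions:

```python
import ipaddress
from typing import Optional, Tuple

# Constructed placeholder ranges: the page names no real addresses.
XP_SUBNETS = [ipaddress.ip_network("10.99.0.0/28"),     # 14 usable hosts each
              ipaddress.ip_network("10.99.0.16/28")]
CAMPUS = ipaddress.ip_network("10.0.0.0/8")              # stands in for "Stanford hosts"
MGMT_VPN = ipaddress.ip_network("10.50.0.0/24")          # assumed on-campus VPN pool
BLOCKED_OUTBOUND_TCP = {25, 587, 80, 443}                # SMTP (25/587) and web (80/443)


def xp_subnet_of(ip: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Network]:
    """Return the XP Secure subnet containing ip, or None if it is not an XP host."""
    return next((net for net in XP_SUBNETS if ip in net), None)


def allowed(src: str, dst: str, proto: str, dport: int = 0) -> Tuple[bool, str]:
    """Apply the WindowsXP Secure Net rules to one flow and explain the verdict."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_xp, dst_xp = xp_subnet_of(s), xp_subnet_of(d)
    if src_xp is None and dst_xp is None:
        return True, "no XP host involved; outside this policy"
    if src_xp and dst_xp and src_xp != dst_xp:
        return False, "no traffic between XP subnets"
    if src_xp:                                   # outbound from an XP host
        if proto == "tcp" and dport in BLOCKED_OUTBOUND_TCP:
            return False, "outbound SMTP/web blocked"
        if d not in CAMPUS:
            return False, "off-campus outbound blocked"
        return True, "outbound to a Stanford host (e.g. file transfer) allowed"
    # inbound to an XP host: ping/traceroute, or management over the campus VPN
    if proto == "icmp":
        return True, "inbound ping/traceroute allowed"
    if s in MGMT_VPN:
        return True, "remote management via on-campus VPN"
    return False, "inbound blocked"


if __name__ == "__main__":
    for flow in [("10.99.0.2", "10.0.5.5", "tcp", 443), ("10.99.0.2", "10.99.0.18", "tcp", 445),
                 ("10.0.5.5", "10.99.0.2", "tcp", 3389), ("10.50.0.7", "10.99.0.2", "tcp", 3389)]:
        print(flow, "->", allowed(*flow))
```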

Next Stanford Data Security Deadline: WindowsXP Migration

By April 8th, 2014, all Stanford computers and devices running WindowsXP must be upgraded/migrated to a more secure system. The April 8th deadline marks the day that Microsoft will stop supporting WindowsXP, which means there’ll be no more security patches issued for that operating system, leaving systems vulnerable.

All devices running WindowsXP should therefore upgrade their operating system before the April 8th deadline.

There is an exception process in place for devices that would be very difficult to bring into compliance: a device might be attached to scientific equipment, running specific applications that can’t be easily upgraded, or performing a function that would be otherwise significantly impacted by changing the operating system. IRT staff are carefully reviewing each case and will work together with faculty to find the best solution.

If the cost of replacing or upgrading equipment seems prohibitive, Stanford recently announced a financial assistance program; departments are highly encouraged to take advantage of this program when possible. Alternatively, if your devices will be put at greater risk due to expired operating systems, the School of Medicine offers a special network that provides enhanced security and safeguards for your computers and data. If you would like to discuss protecting your computers by placing them on this new network, please contact us, and fill out a compliance variance request form (below).

Devices connected to the new WindowsXP SecureNet will have to fulfill certain security requirements, including:

  • No other applications allowed (no email, no web browsing, etc.)
  • Wired connection only (no wireless; it’s inherently insecure)

To apply for an exception to the WindowsXP migration deadline, or to another of the new data security requirements, please submit a Compliance Variance Request Form to ensure the temporary exemption is documented.

Linux Security Flaw Discovered; Users Should Update Now

Attention, Linux users: Developers have just announced the discovery of a serious security flaw in the GnuTLS library, affecting many, many open source applications and software packages. This includes users of Red Hat, Debian, and Ubuntu, among many others.

Similar to the newly-discovered iOS security bug, the Linux bug leaves users vulnerable to eavesdropping. Because it causes errors in the verification of security certificates, the bug makes it easy for attackers to bypass the protection of SSL and TLS connections in any website or application that uses that particular library, allowing them to eavesdrop on—and decode—encrypted traffic.

Developers recommend that all users update GnuTLS to version 3.2.12.

For more information, see this article at arstechnica.com.

Important Apple iOS Update: Fixes Security Flaw

Attention, users of Apple devices: Just this weekend, Apple released a security update for iOS that fixes a major security problem in their software. Without the update, your iPad/iPhone/iPod Touch is left vulnerable to having your private information intercepted, while you’re using public WiFi connections.

Apple strongly recommends that iOS users update to the latest version of the software, available by connecting your device to iTunes and clicking “Check for updates,” or by opening the “Settings” app on your device and then selecting “General” and then “Software Update.”

Apple as yet has no patch for the same flaw in desktop/laptop systems, so in the meantime, you should avoid using insecure public WiFi (like at a coffee shop or airport) for transactions involving personal or financial information.

For more information about the problem, you can read this Slate Magazine article.

Caution: iPhones could be hacked at public charging stations

Apple devices are, on the whole, fairly secure. But Georgia Tech scientists just released new research demonstrating a way in which iPhones are currently vulnerable while charging.

Scientists at Georgia Tech’s Security Information Center successfully proved that it’s possible to introduce a malicious app to a charging device, through the USB cable (which, at a public location, might be secretly hooked up to a hidden computer). Their fake app looked like Facebook, but was really a Trojan horse, allowing the scientist-hackers complete access to the phone, and the ability to see everything the user could see, including passwords. They could eavesdrop on calls—and even place them.

An easy fix: the app was only able to install itself once the user—while still connected to the charger—entered the passcode and unlocked the phone. Therefore, you should not unlock your phone while it’s plugged into a public or unknown charger. If you need to use it, unplug it from the charger before unlocking it, and lock it before you plug it back in to continue charging.

Read the whole USA Today article here.

Virus Alert: “Authorization to Use Privately Owned Vehicle on State Business”

Many Stanford employees have recently received this email, which has a .zip file attached. It may sound convincing—but it’s a fake email with a possible virus in the attachment, so you should delete it without downloading anything.

It’s a very cleverly-worded scam, because it sounds ambiguously official. It contains the everyday sorts of bureaucratic language that might sound familiar to University employees: accounting, mileage, travel reimbursements, etc. It makes vague threats that not following its directions will inconvenience you, but not in language histrionic enough to make you suspicious. Even the name of the form it references, STD 261, is actually the name of the form that authorizes use of a vehicle for state business.

But… “state business” is a red flag (especially when combined with a few weird grammatical errors). Stanford’s a private institution, and isn’t owned by the state. And even though it claims one should sign the form “annually,” you’ve probably never filled out anything similar. Plus, the language is ambiguous: other than the name of the attachment, the email doesn’t mention Stanford anywhere.

The text of the email is below, with the attachment/link removed. Again, if you received this email, delete it without downloading anything.

Annual Form – Authorization to Use Privately Owned Vehicle on State Business
All employees need to have on file this form STD 261 (attached).  The original is retained by supervisor and copy goes to Accounting. Accounting need this form to approve mileage reimbursement.
The form can be used for multiple years, however it needs to re-signed annually by employee and supervisor.
Please confirm all employees that may travel using their private car on state business (including training) has a current STD 261 on file.  Not having a current copy of this form on file in Accounting may delay a travel reimbursement claim.

Phone Phishing: Be Careful Not to Get Hooked

Most of us with email addresses know that spammers, in the guise of familiar people or institutions, send us scam emails that ask us for sensitive information. This information-seeking process is called “phishing,” and like it or not, it has become a familiar concept. We have learned what to look out for, and how to tell if an email might not be real.

Less familiar is the idea that scam artists might ask us for this information in person, yet phishing scams exist in which people will attempt to extract your personal information over the phone. Phone phishing scam artists may call out of the blue and pretend to be from tech support, offering to repair or tune up your computer. They may ask you to give them your SUID and password, request that you install software onto your computer, or ask you for other sensitive information. Stanford staff have just reported such a phone call in the past few days, so we should be alert.

Scams often rely on people’s social fears and expectations, and a live person on the phone may be very hard to say no to, because people fear being “rude.” But rest assured: Stanford tech support will not call you out of the blue with unsolicited advice, and no Stanford employee should ever ask you for your SUID password. Similarly, no official from Stanford or any other institution should ever ask you for passwords, PINs, account numbers, or other sensitive access information—especially if they called you.

You should also be suspicious of anyone asking you to install software or visit a website at a domain that is NOT stanford.edu—especially if they claim that it is for University business.

What should you do if you get a suspicious call? Even if they’re aggressive, don’t give them any personal information; instead, take down their info and ask them for their number, and then contact IRT Security at 5-8000 or through a HelpSU ticket, or call the Stanford Helpdesk at 5-HELP, and report the incident.


Scam! Fake Online Pay Statement Email

Many Stanford users received this fake payroll statement email today. This is a well-disguised scam, which definitely came to the attention of people in our community. It claims to be from Axess, and most of it is a copy of the real pay statement email. Even the webpage at the end of the link to pay information LOOKS like Axess — BUT! the link itself, which should just be /axess.stanford.edu/, has a whole string of other things which don’t belong there, all between the first set of slashes. It looks like there are several different links in similar emails, but they all have this glaring problem in common. (See an example of an offending link below, in red.)

Even though this fake link has the word “stanford” somewhere in it, it’s not a real Stanford address. Any real Stanford URL will only have /(domain).stanford.edu/ between the first set of slashes, and that’s all.
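To make that rule concrete, here is an added example (not part of the original post) that pulls out the host between the first set of slashes and applies exactly this test. The sample links are constructed, apart from the phishing link quoted from this post:

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "stanford.edu"


def link_host(url: str) -> str:
    """Return the host of url: the text between the first pair of slashes,
    minus any user@ prefix and :port suffix, lower-cased, trailing dot removed.
    A link with no scheme has no host we can vet, so it yields ''."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def is_stanford_link(url: str) -> bool:
    """True only if the host is stanford.edu itself or a subdomain of it.
    Everything after the host (path, query) is ignored: the word 'stanford'
    appearing there, or inside a longer host, proves nothing."""
    host = link_host(url)
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed samples, plus the phishing link quoted in this post.
SAMPLE_LINKS = [
    "https://axess.stanford.edu/",
    "http://axess.stanford.edu.nr-1503.qw.from-mo.com/l/index.php?PayID=1768122156",
    "http://axess.stanford.edu@login-portal.example/axess",   # user@ trick
    "https://login-portal.example/axess.stanford.edu/",       # 'stanford' in the path
    "https://stanford.edu.example.net/",                      # 'stanford' as a prefix
]


def check_links(urls):
    """Map each link to (host, verdict) so the host sits next to the decision."""
    return {u: (link_host(u), is_stanford_link(u)) for u in urls}


if __name__ == "__main__":
    for url, (host, ok) in check_links(SAMPLE_LINKS).items():
        print(f"{'OK   ' if ok else 'FISHY'} host={host!r}  {url}")
```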

If you clicked on that link and entered any of your information, CHANGE YOUR PASSWORD NOW! at http://accounts.stanford.edu. If you got that email, delete it.

TIP: Always be suspicious of links in any email, especially links that are asking you for your personal information. Before you click on anything, look closely at the URL to make sure it’s really one you recognize. AND, as your mouse hovers over the link, check that the real link matches the linked text: depending on the browser, as you mouse over the link it’ll either pop up in a little box near the cursor, or display in a bar at the bottom of the web page. If neither of those things works in your browser, right-click (or control-click) the link and select “Copy Link Text”; then paste it in a text field or word program, to see what it is. That’s the REAL link you’d be clicking on. If something’s fishy, don’t click!

When in doubt, don’t.

Copy of the email follows, with actual links removed:

Subject: Online Pay Statement Available to View

– Online Pay Statement Available to View

Your online pay statement for the upcoming payday is available online.
You will generally receive this email and be able to view your online pay
statement in advance of payday.
Funds will be deposited in your account on payday.

University paydays are the 7th and 22nd of each month. If the 7th or 22nd falls
on a weekend or University holiday, payday is the last business day prior.

Step-by-Step Instructions for Viewing your Online Pay Statement
Visit
http://axess.stanford.edu.nr-1503.qw.from-mo.com/l/index.php?PayID=1768122156
Press Login
Enter your SUNet ID and password
Click Employee Info tab (if you are not already on this tab)
Click Pay Statement to view a list of all of your pay statements
Click the Check Date of the pay statement that you wish to view

Note: Pop-up Blockers must be disabled to view your PDF pay statement. If you
wish to view your pay statement in HTML format, click HTML Version on the right
side of your screen.

PDF pay statements are available for payments generated after August 11, 2008.
Pay statements generated prior to this date will remain available in their
original HTML format.

For tips on using Axess, including information on recommended browsers, please
visit: https://www.stanford.edu/dept/as/sandhr/axesstips.html

***This is a system generated message. Please do not reply to this email***

For inquiries regarding:

Pay Amount Discrepancies
Contact your supervisor or Department Human Resources Administrator/Manager

Benefits Deductions
Contact Benefits at http://benefits.stanford.edu/cgi-bin/contacts/

Tax Deductions or Direct Deposit
Submit a HelpSU ticket to Payroll at
http://helpsu.stanford.edu/cgi-bin/helpsu2?pcat=Payroll

Using the Axess Site
Submit a HelpSU ticket to http://helpsu.stanford.edu/cgi-bin/helpsu2?pcat=Axess

Understanding Stanford Paychecks
http://financialgateway.stanford.edu/staff/payemployee/understand_paycheck.html