The (yearly) tax season phishing emails

With tax season (or tax refund season) in full swing, it is almost guaranteed that you will see an increase in tax-related spam and scams. First, remember that the IRS does not initiate taxpayer communications through email, so any email purporting to be from the IRS regarding specific taxpayer information is a scam.

Over the past day a spam message may have landed in your CU mailbox claiming to notify you of an available tax refund. Obviously this is a scam. Not only did many of us receive this spam directly in our mailboxes, we may also be receiving it from the CU_wellness list serve. Spam is spam regardless of the sender. The sender of an email is very easy to fabricate, so it should not be relied upon to validate the authenticity of an email. As always, I recommend looking at the following indicators when authenticating an email:

- Is the from address logical? In this case, why would CU_wellness be sending tax refund notifications? This is obviously spam and should be deleted.

- Is the salutation generic? In this case it is ‘Dear Taxpayer’, a good indicator of a suspicious email.

- Are there links in the email that point to websites that are not logical for the subject of the email?

- Is the email asking for private or personal information such as bank account, credit card, SSN, or passwords? This is an obvious indicator of spam.

- Is the formatting and language of the email professional, or is it hastily put together?
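The first four indicators above can be checked mechanically. The Python below is an added example, not code from the original post; it runs the checks over a constructed message, and the `CLAIMED_ORGS` table, the indicator names and the sample addresses are assumptions made for illustration. The fifth indicator (formatting and language) is left to the reader's judgement.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the tax-refund spam described in the post.
SAMPLE = """\
From: CU_wellness <cu_wellness@lists.example.edu>
Subject: Tax refund notification

Dear Taxpayer,

The Internal Revenue Service has calculated a refund for you. Confirm your
bank account and SSN at http://refund-claims.example.net/form to receive it.
"""

# Assumed lookup: organizations a message may claim to speak for, and their domains.
CLAIMED_ORGS = {"internal revenue service": "irs.gov", "irs": "irs.gov"}
GENERIC = re.compile(r"^\s*dear\s+(taxpayer|customer|user|member|client)\b", re.I | re.M)
SENSITIVE = re.compile(r"\b(bank account|credit card|ssn|social security|passwords?)\b", re.I)
URL = re.compile(r"https?://[^\s<>]+", re.I)

def under(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw):
    """Return the names of the checklist indicators an email's text parts trip."""
    msg = message_from_string(raw)
    # Undecoded text/plain parts only; enough for the plain-text case shown here.
    body = "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}"
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    claimed = {dom for name, dom in CLAIMED_ORGS.items()
               if re.search(rf"\b{re.escape(name)}\b", text, re.I)}
    hits = []
    # 1. From address not logical: speaks for an organization it is not sent from.
    if any(not under(sender_domain, dom) for dom in claimed):
        hits.append("illogical_sender")
    # 2. Generic salutation such as 'Dear Taxpayer'.
    if GENERIC.search(body):
        hits.append("generic_salutation")
    # 3. Links to hosts unrelated to the sender or the claimed organization.
    trusted = claimed | ({sender_domain} if sender_domain else set())
    hosts = {urlparse(u).hostname or "" for u in URL.findall(body)}
    if any(not any(under(h, dom) for dom in trusted) for h in hosts):
        hits.append("unrelated_link")
    # 4. Request for private or personal information.
    if SENSITIVE.search(body):
        hits.append("asks_for_private_data")
    return hits
```

A message that trips none of the checks is not thereby proven legitimate; the list only tells you which of the indicators fired.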

If you have questions about specific emails that appear suspicious you can send them (as an attachment) to or call the Service Desk at 402-280-1111.


Posted in email, phishing, spam

MS Windows patch KB2823324 causing problems

It appears that one of the most recent patches released by Microsoft (KB2823324) causes a problem on computers running Windows Vista, 7, and Server 2008 with Kaspersky antivirus. There are also reports that Brazilian editions of Windows 7 are having issues with the update without Kaspersky installed. Affected systems report that the system drive may be corrupted and try to run the chkdsk utility at every boot. Kaspersky is aware of the issue and is working on a fix.

At this time we recommend that you skip the installation of KB2823324 on any machine that may be affected as described above. If you have already installed this update and are experiencing issues, uninstalling the update and performing a reboot should resolve the issue.

We are continuing to monitor the situation and will release an update as soon as one is available.

Posted in antivirus, patching, windows

New anti-spam service coming to campus!

In an effort to improve email spam filtering services, a new solution, Proofpoint, will be implemented in mid-March. This commercial service will replace the current Postini service used for anti-spam and anti-virus filtering. All incoming mail will be processed through the continuously updated Proofpoint filters.

We believe you will see a significant reduction in the amount of spam clogging your email inbox.

For the most part, the new system will be automatic, requiring no changes to your particular email setup. If you have created approved sender or approved domains lists in Postini, these lists will be imported into Proofpoint for you.  Proofpoint will also use the NetID/BLUE password for authentication so no more forgotten Postini passwords!

If you have any questions, please contact the DoIT Service Desk at 402-280-1111 or read the Proofpoint FAQ at:

Posted in changes, email, spam

possibly infected

We have received reports of users visiting the Omaha World-Herald site and getting viruses downloaded to their computers. At this time, it appears that Kaspersky A/V is successfully blocking these viruses, though we are cautioning everyone to avoid the site for now. We will be blocking access temporarily from on-campus, though anyone visiting from home will not be protected. We have reached out to the OWH to let them know and will update everyone when we hear more.

Update (1/2/2012): has corrected the issue that led to the infections. We have removed the network block preventing access to the site from on-campus.

Posted in malware

New Phishing scam on campus

Several people have reported receiving a telephone call from someone claiming to be from Microsoft wanting to help troubleshoot a problem on their computers.  The caller attempts to install “helper” software that will solve the issue, and even offers to remote into the computer to provide support.  If the user does not have administrative access, the caller attempts to request the password in order to perform the install and finish support.

This is an important deviation from the usual email or website phishing as it involves an actual telephone call.  Remember, any unsolicited offers for support, requests for information, or requests for access should always be treated with suspicion.  DoIT will never ever ask you for your password in ANY circumstance.  No outside vendor or company should ever be providing any help or support without the involvement of Creighton IT.

If you receive a call like this, or have received one recently, please contact the service desk immediately. Try to capture as much information about the call as possible: caller’s number, date/time of call, what was said, and information about the caller (name, gender, any accents or other distinguishing characteristics).

Posted in social engineering

New Antivirus on Campus!

Starting this month, we will begin rolling out the replacement for our current antivirus solution, Symantec.  After weeks of testing across campus we have decided to roll out Kaspersky as our replacement AV vendor.  Kaspersky is known as being a market leader in this field and it was chosen due to its proven ability to stop and detect malware across both Windows and Macintosh platforms.

We will begin deployment in stages using Landesk. ALL Creighton-owned Macs or PCs will be required to have the new AV product, and since the only deployment mechanism available is Landesk, all machines will be required to have Landesk installed as well. DoIT will pilot the rollout to verify that the installation works and iron out any last-minute issues. Starting August 13th, the installers will be released for deployment across campus, though we will likely target smaller departments and computers with existing Landesk / Symantec installations first.

The install may require that you reboot your computer as it removes any existing AV and installs Kaspersky.  You should receive a prompt asking you to reboot.  Please save your work and reboot to let the install process finish and ensure that you have continued protection for your computer.

As always, if you have any questions please contact the service desk at 402.280.2383 or

Posted in antivirus, changes

Wireless Security

At the recent Defcon hacker conference, an important security protocol, MSCHAPv2, was shown to be easily cracked. This protocol is widely used in VPN and secure wireless to allow a user to authenticate without sending a password in the clear that others could intercept. The good news is that the authentication information sent using this protocol is often wrapped or tunneled inside another well-known security protocol: SSL. This offers two layers of protection against attackers who may try to steal your credentials or private information. However, because the inner authentication protocol can be broken, maintaining proper security for the outer protocol is now doubly important, as anyone within radio distance can easily eavesdrop on communication over wireless.

The best defense against attacks on SSL is to ensure that the certificate presented to you by the wireless authentication servers is valid, and that you are connecting to the REAL servers for that wireless network. At Creighton, our authentication servers are named and  If you are configuring your wireless to connect to CUWireless, make sure you only accept valid certificates with those names, and nothing else. If you are using a Creighton-owned Windows computer that is joined to BLUE, there is nothing you need to do; this is already configured for you. If you are not, or are using a Mac, make sure you verify the certificate information when you connect for the first time.


Certificate information for acs1.creighton.edu

Certification information for

Posted in ssl, tips, wireless

LinkedIn passwords compromised

It appears that the passwords for over six million LinkedIn users worldwide have been compromised and released to the public. It appears that only the password list has been leaked and is not correlated to usernames, though it is probably safe to assume that if hackers have the passwords, they likely have the usernames. The passwords were not leaked in plain text but were encrypted. LinkedIn is still recommending that users change their passwords for LinkedIn as well as for any other location where the same password is used.

Please be aware that there has also been an upswing of phishing emails pretending to be from LinkedIn asking users to change their password and/or confirm their email address. Be sure to only visit by directly typing the URL into your browser, or following a trusted bookmark, NOT by clicking links in emails. As always, be wary of suspicious emails and if you are unsure, submit them to abuse [at] as an attachment.

Posted in breaches, passwords, phishing

Creighton @InCommon

Creighton University is now a participating member of the InCommon federation! What does this mean? We can now more easily enable collaboration with other universities that are also members (participant list). Individuals who can log in to BLUE here at Creighton can use those credentials to access online resources at other universities, and Creighton can offer services that are available to individuals from other schools without having to create or manage accounts for those users. Some organizations and services that we use, including JSTOR, Atomic Learning, and Digital Measures (to name just a few), are also members, which means we could see single sign-on service from these providers in the near future. Single sign-on service across campus is already growing as more and more applications take advantage of our Shibboleth system.

You can learn more about InCommon at

Posted in changes, InCommon, SSO

Boundary Firewall Changes for DNS

On Wednesday, May 23 at 0900, we will be making a change to the boundary firewall to block port 53 (DNS) inbound to all of campus, except for cu-one. We are making this change for several reasons:

1) Prevent access to rogue DNS servers that may be operating on campus, primarily from machines that may have been infected with a virus

2) Prevent DNS-based DDoS attacks using recursive queries from affecting CU networks, or using our hosts to attack others

3) Prevent a common botnet command and control channel from being used to control infected machines on campus

4) Help protect resources that should not be accessible or visible to the outside world

What this means for Creighton Users:

1) If your hosts are properly configured to use cu-one as the DNS server on campus, you should have no problems.

2) If you are using an external DNS server to resolve hosts, you will need to configure your host to use the DHCP-assigned DNS servers, or statically configure cu-one as your DNS server.

3) If you are running your own DNS server, off-campus hosts will need to connect via VPN before they will be able to use your server to resolve hostnames.

4) blue.jays will not resolve from off campus. Users trying to access non-static IPs from off campus will need to VPN in first. This is already true for networks that have converted to address space.

If you have any questions about why we are making this change, or about  how it may affect you, please contact the Security Team ( or the service desk (402.280.1111 /

Posted in changes, firewall