Over the past day a spam message may have landed in your CU mailbox claiming to notify you of an available tax refund.  Obviously this is a scam, not only did many of us receive this spam in our mailboxes we may also be receiving this spam from the CU_wellness list serve.  Spam is spam regardless of the sender.  The sender of an email is very easy to fabricate so it should not be relied upon to validate authenticity of an email.  As always I recommend looking at the following indicators when authenticating an email:

-           Is the from address logical? In this case why would CU_wellness be sending tax refund notifications, this is obviously spam and should be deleted.

-           Is the salutation generic? In the case it is ‘Dear Taxpayer’, a good indicator of suspicious email.

-           Are there links in the email that are pointing to websites that are not logical to the subject of the email?

-           Is the email asking for private or personal information such as bank account, credit card, SSN, or passwords?  This is an obvious indicator or spam.

-           Is the formatting and language of the email professional, or is it hastily put together?

If you have questions about specific emails that appear suspicious you can send them (as an attachment) to abuse@creighton.edu or call the Service Desk at 402-280-1111.

At this time we recommend that you skip the installation of KB2823324 on any machine that may be affected as described above.  If you already have installed this update and are experiencing issues, uninstalling the update and performing a reboot should resolve the issue.

We are continuing to monitor the situation and will release an update as soon as one is available.

We believe you will see a significant reduction in the amount of spam clogging your email inbox.

For the most part, the new system will be automatic, requiring no changes to your particular email setup. If you have created approved sender or approved domains lists in Postini, these lists will be imported into Proofpoint for you.  Proofpoint will also use the NetID/BLUE password for authentication so no more forgotten Postini passwords!

If you have any questions, please contact the DoIT Service Desk at 402-280-1111 or read the Proofpoint FAQ at:  http://doit.creighton.edu/spam-proofpoint

Update (1/2/2012): omaha.com has corrected the issue that lead to the infections.  We have removed the network block preventing access to the site from on-campus.

This is an important deviation from the usual email or website phishing as it involves an actual telephone call.  Remember, any unsolicited offers for support, requests for information, or requests for access should always be treated with suspicion.  DoIT will never ever ask you for your password in ANY circumstance.  No outside vendor or company should ever be providing any help or support without the involvement of Creighton IT.

If you receive a call like this, or have received one recently, please contact the service desk immediately.  Try to capture as much information about the call as possible: caller’s number, date/time of call, what was said, information about the caller (name, gender, any accents or other distinguishing characteristics)

We will begin deployment in stages using Landesk.  ALL Creighton owned Macs or PCs will be required to have the new AV product, and since the only deployment mechanism available is Landesk, all machines will be required to have Landesk installed as well.  DoIT will pilot the roll out to verify that the installation works and iron out any last-minute issues.  Starting August 13th, the installers will be released for deployment across campus, though we will likely target smaller departments and computers with existing Landesk / Symantec installations first.

The install may require that you reboot your computer as it removes any existing AV and installs Kaspersky.  You should receive a prompt asking you to reboot.  Please save your work and reboot to let the install process finish and ensure that you have continued protection for your computer.

As always, if you have any questions please contact the service desk at 402.280.2383 or servicedesk@creighton.edu

The best defense against attacks on SSL are to ensure that the certificate presented to you by the wireless authentication servers is valid, and that you are connecting to the REAL servers for that wireless network.  At Creighton, our authentication servers are named acs1.creighton.edu and acs2.creighton.edu.  If you are configuring your wireless to connect to CUWireless, make sure you only accept valid certificates with those names, and nothing else.  If you are using a Creighton-owned windows computer that is joined to BLUE, there is nothing you need to do, this is already configured for you.  If you are not, or are using a Mac, make sure you verify the certificate information when you connect for the first time.

Please be aware that there has also been an upswing of phishing emails pretending to be from linkedin asking users to change their password and/or confirm their email address. Be sure to only visit linkedin.com by directly typing the url in to your browser, or following a trusted bookmark, NOT  by clicking links in emails.  As always, be wary of suspicious emails and if you are unsure, submit them to abuse [at] creighton.edu as an attachment.

You can learn more about InCommon at http://www.incommon.org/basics.html

1) Prevent access to rogue DNS servers that may be operating on campus, primarily from machines that may have been infected with a virus

2) Prevent DNS based DDOS attacks using recursive queries from affecting CU networks, or using our hosts to attack others

3) Prevent a common Botnet command and control channel from being used to control infected machines on campus

4) Help protect resources that should not be accessible or visible to the outside world

What this means for Creighton Users:

1) If your hosts are properly configured to use cu-one as the DNS server on campus, you should have no problems.

2) If you are using an external DNS server to resolve hosts, you will need to configure your host to use the DHCP assigned DNS servers, or statically configure cu-one as your DNS server

3) If you are running your own DNS server, off-campus hosts will need to connect via VPN before they will be able to use your server to resolve hostnames.

4) blue.jays will not resolve from off campus.  Users trying to access non-static IPs from off campus, will need to VPN in first.  This is already true for networks that have converted to 10.0.0.0/8 address space.

If you have any questions about why we are making this change, or about  how it may affect you, please contact the Security Team (security_team@creighton.edu) or the service desk (402.280.1111 / servicedesk@creighton.edu)

As always, if an email looks “phishy” forward the suspicious emails to abuse@creighton.edu and we will help you verify the veracity of the email.

Here are some examples of the phishing messages we are seeing:

With the new system, a few changes will be occurring.  Primary among them is that the new system uses a technology called “Split tunneling”.  What this means is that any traffic destined for Creighton will go through the VPN.  Any traffic that is destined for the internet will go directly out to the internet as it would have without the VPN turned on.  This helps save bandwidth for the University as we don’t have to route that traffic through our network before sending it back out to the internet.  It also means a faster, better experience for you since your traffic can go more directly to its destination.

Another change is occurring that will impact both the VPN and CUWireless.  We will be restricting access to only active netid/guestid accounts.  If you are using some kind of generic or service account to log in to the VPN or CUWireless, this will no longer work after April 20th, 2012.

As always, if you have any questions, please contact the service desk by calling 402.280.1111 or emailing servicedesk@creighton.edu

You can get more information from the IRS themselves at the irs.gov site.  They even have a helpful youtube video [or see below].

Remember to never click on links or download unexpected attachments in emails.  No reputable retailer is going to ask you to enter personal or account information as a response to an email.  Avoid fraudulent or unscrupulous sites by directly navigating to trusted online retailers (ex, by typing www.amazon.com directly in your browser).

Be safe and Happy Holidays from the DoIT Security Office!!

1) Don’t click links in unsolicited emails!  Avoid fake phishing emails sending you to fraudulent copies of real sites by typing the urls into the browser directly by hand.  At least verify that the email link is legitimate before you click it.  (You can check links in outlook or entourage by hovering over them with your mouse before clicking on them.)

2) Make sure you are at the REAL (amazon.com, ebay.com, half.com, etc.) site before you start entering your personal information.  Also, you will want to check that the site is using SSL to keep the information protected as its sent across the internet (most browsers will display a locked padlock or highlight the URL of a site using SSL).

3) Remember that legitimate retailers (this goes for banks and yes, even Creighton) will NEVER ask for your personal or account information via an unsolicited email or phone call.

1) A good password is often the only thing standing between your confidential data and people you don’t want seeing that data.  Choose a good, strong password, and change it regularly

1.1) Don’t use the same password everywhere.  Just like you have different keys for your house, your car, and your office, you should have a different password for different services/applications.

2) Patch. Patch. Patch. Not only does your operating system have vulnerabilities (yes even Macs and Linux!), but your most used applications do also.  Adobe flash, Acrobat, and firefox/chrome/IE are all very important to keep updated.  Most malware could have been prevented by a properly patched computer.

3) Backup your important documents.  That computer you bought in 2001 isn’t going to last forever, and if you wait till it dies before getting a new one, you could be looking at re-writing your thesis from scratch.  Ouch.  At the very least you could burn your My Documents folder to a CD/DVD every once in a while.  Or get an external HD and some backup software.

One other thing to note is that this worm (currently) uses a brute-force mechanism to log in using a pre-defined list of passwords.  As such, the best prevention is to make sure you have a strong password for all of your accounts.

If you have any questions or run into a problem, please contact the service desk at 402.280.1111

If you want to check if your information has been publicly disclosed, there are a number of sites that have aggregated the data and made it searchable.  Try https://shouldichangemypassword.com/.  If you find yourself, make sure you change your passwords IMMEDIATELY.

Remember, as always, NEVER give out your password to anyone ever!