A phishing email message was sent to many @middlebury.edu mailboxes today with a subject line of “Notice!!!” or “Verify”. DO NOT RESPOND TO THIS MESSAGE!
The phishing email message is an attack designed to trick people into disclosing their username and password. Do NOT follow the instructions in the message, as it could lead to your Middlebury account being compromised.
For further assistance, please call the Helpdesk at x2200.
Here’s a sample of the phishing email message:
College Of Middlebury, would be having maintenance as from 12 midnight which your present password would expire due to maintenance updates.
One feature that has been requested with increasing frequency of late is the ability to log in to Windows laptops over a wireless connection, i.e. without plugging into a network cable the first time. We have been piloting a way to do this with our Circulation loaners and a wireless lab in MBH for several months now with good results.
We will be bringing this feature to standard College-owned Windows 7 laptops starting this Monday, June 6th. After the change takes effect, you may notice the words “Windows will try to connect to MiddleburyCollege” underneath the normal login fields. What this means is that Windows will first use the credentials you supply to connect to the wireless network and, if that succeeds, will then authenticate over the network, allowing you to log in with your current username and password, whether or not you have used that device previously.
If the wireless connection should fail for some reason, for example because you are too far away from an access point for a good signal, Windows will check for cached credentials from a previous login as normal.
To help raise awareness about community efforts to prevent significant security issues, Middlebury Information Security has launched a ‘Security Scout of the Month’ award.
Highlighting the valuable contributions of community security scouts in an @MiddInfoSec blog post and on Middlebury’s Information Security web site is a great way to show how a cautious and thoughtful approach to computing can protect the College community from cyber risks.
As an example, this past month, an attack against Middlebury’s Banner system was avoided thanks to the contributions of an astute member of our community, Justin Allen, who spotted a targeted phishing attack and raised the awareness around this malicious event.
As Justin Allen describes it:
“I received an email that started out ‘Dear account owner,’ which usually gets my attention, and as I read down through the email I noticed that it said I had signed up for a paperless W-2, which I did not, and it wanted me to log on to view it. After that I noticed a couple of other things that did not make sense for my Middlebury account; one was the sender of the email, which wasn’t from the college at all, and we all have been told time and time again if the address doesn’t end with middlebury.edu it’s not from the college. Below is a copy of what was sent to me.”
This astute awareness is why Justin is this month’s ‘Security Scout of the Month’.
We are excited to celebrate the hard work and security conscious efforts of our community. Please watch for the next ‘Security Scout of the Month’ and help us recognize these efforts.
If you would like to recognize an individual for their information security contributions or would like to raise an information security concern, please contact firstname.lastname@example.org.
Middlebury ITS is preparing to introduce a new email security service. Over the next few weeks, ITS will begin routing Middlebury email messages through Microsoft’s email message security service, Exchange Online Protection. Microsoft’s service will perform spam filtering, anti-virus, and other security checks on inbound and outbound Internet email.
The way you ACCESS email WILL NOT need to CHANGE in order for you to benefit from this service. Outlook and Outlook Web Access, for example, will continue to behave just as they always have.
How you ALLOW or BLOCK email from specific senders WILL CHANGE. With Exchange Online Protection, you will be able to manage blocked and allowed senders right from within Outlook and Outlook Web Access, using the Safe Senders and Junk Mail tools. For tips on how to use Safe Senders and Junk Mail, please see the following Microsoft articles:
With an increasing amount of storage space and institutional connectivity on personal devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you protect against and prepare for the potential loss or theft of a laptop or mobile device.
Don’t leave your device alone, even for a minute. If you’re not using it, lock your device in a cabinet or drawer, use a security cable, or take it with you. Middlebury has seen laptops stolen in the College library and from individuals’ cars. Don’t assume your devices are safe because you feel at home with your surroundings.
Report any lost or stolen device promptly. Both institutional and personal devices may contain Middlebury data. Even if you only lose a personal device, work with the College’s Information Security workgroup to ensure that institutional or sensitive data is accounted for. Information Security may also be able to help you recover the device. If a device is lost or stolen contact the helpdesk at x2200 immediately.
Do not store extremely sensitive or internal data. Never store protected or sensitive data on your laptop. Refer to the Data Classification policy for clear definitions of data types. (http://go.middlebury.edu/dcp)
Keep your master and working copy of all data on network storage. Keep your master and working copies of all of your data on Middlebury Google Drive or other secure network file storage such as Middfiles. This ensures that your data is protected and backed up if your laptop is stolen or lost. Photos, papers, research, and other files are irreplaceable, and losing them may be worse than losing your device.
Record the serial number. Keep the serial number and asset tag of your device and store it in a safe place. This information can be useful for verifying your device if it’s found. This is especially important when you travel. Airport and police agencies may ask for this information when reporting lost or stolen devices.
Enable device tracking and wiping services. Use the tracking and recovery software included with most devices (e.g., the Find My iPhone feature in iOS). Some software includes remote-wipe capabilities. This feature allows you to log on to an online account and delete all of the information on your laptop. Mobile resources can be found here:
Join us tomorrow, May 3rd, 12:15-1:30 PM, in Hillcrest 103 for the DLA’s final Behind the Scenes of the year, led by Albert Kim (Math). Albert will be sharing his experiences using GitHub as a feedback tool in his Data Science class this semester. Lunch will be served, so please RSVP at go/DLAscenes. Full description below.
Inspired by a humanist colleague’s approach to grading papers and discussions taking place in statistics pedagogy circles, Albert Kim (Math) presents his use of the GitHub web-based repository hosting service in his Introduction to Data Science course to encourage open and collaborative development of students’ coding skills and to facilitate the delivery of feedback from instructor to student. This short presentation will be followed by discussion of using digital tools for feedback in the classroom, so come with your questions. Lunch will be served, so please RSVP at go/DLAscenes.
Albert Y. Kim is originally from Montreal Quebec. After completing his PhD in statistics at the University of Washington in Seattle, he worked at Google as a Data Scientist for two years, followed by a two-year visiting stint at Reed College. He joined the Middlebury faculty in August 2015.
You may not realize it, but you are a phishing target at school, at work, and at home. Phishing attacks are a type of computer attack that use malicious emails to trick targets into giving up sensitive information. Ultimately, you are the most effective way to detect and stop phishing scams. When viewing email messages, texts, or social media posts, use the following techniques to prevent your passwords, personal data, or private information from being stolen by a phishing attack.
Verify the source. Check the sender’s email address to make sure it’s legitimate. Remember that the name of the sender is not the important part. The sender’s email address is what you are really looking for. If in doubt, forward your message to email@example.com.
Read the entire message carefully. Phishing messages may include a formal salutation, overly-friendly tone, grammatical errors, urgent requests, or gimmicks that do not match the normal tone of the sender.
Avoid clicking on suspicious links. Even if you know the sender, be cautious of links and attachments in messages. Don’t click on links that could direct you to a malicious website. Hovering your mouse over a link should disclose the actual web address the link is directing you to, which may be different from what is displayed in the message. Make sure this masked address is a site you want to visit.
Verify the intent of all attachments with the sender before opening them. Even when you know a sender, you should never open an attachment unless you have checked with the sender to verify the attachment was sent intentionally. Word and Excel documents can contain malicious macros which could harm your computer. Other files, such as zip files and PDF files, could download malware onto your system. Always verify the intent of attachments with the sender before you open them from an email.
Verifying a message is always better than responding to a phish. If you ever receive a message that gives you reason to pause, it is always better to forward the message to firstname.lastname@example.org or to send a separate email to the sender to verify its intent, before clicking a link or opening an attachment that could potentially impact the security of your computer.
Change your passwords if you have fallen for a phish. If you think you have fallen for a phishing attack, change your password at go/password and then contact the helpdesk at x2200. It is also a good practice to change your personal passwords outside of the College.
Watch for phishing scams. Common phishing scams are published at sites such as http://IC3.gov, http://phishing.org, and https://www.irs.gov/uac/Report-Phishing. These resources will also allow you to report phishing attacks if you should fall victim outside of the College. Again, if you think you have fallen victim to a phishing attack, always start by changing your passwords.
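To make the “verify the source” and “hover over the link” tips concrete, here is an added example that is not Middlebury’s own code or tooling. It applies those two checks to a constructed sample message: it looks at the domain of the sender’s actual address rather than the display name, and it compares each link’s real target with the address shown in the link text, which is the same mismatch you would see by hovering. The sample message, the sender domain middlebury-support.example.net and the IP address 198.51.100.23 are made up for illustration; the trusted domain middlebury.edu is taken from the tip text.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the institution's mail domain, as stated in the phishing tips.
TRUSTED_DOMAIN = "middlebury.edu"

# Constructed sample phishing message (not a real message; the sender domain,
# IP address and link are invented for this example).
SAMPLE_MESSAGE = """\
From: "Middlebury ITS Helpdesk" <helpdesk@middlebury-support.example.net>
To: someone@middlebury.edu
Subject: Notice!!!
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear account owner,</p>
<p>Your password will expire tonight. Please visit
<a href="http://198.51.100.23/verify/login.php">http://go.middlebury.edu/password</a>
to keep your account active.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def shown_host(text):
    """Hostname the visible link text appears to name, or '' if it is not URL-like."""
    t = text.strip()
    if "://" not in t:
        if not re.fullmatch(r"[\w.-]+\.[a-z]{2,}(/\S*)?", t, re.I):
            return ""
        t = "http://" + t
    return host_of(t)


def is_trusted_host(host):
    """True if host is the trusted domain or a subdomain of it."""
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def analyze_message(raw):
    """Return a list of warning strings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    # Check 1: the display name is not what matters; inspect the address's domain.
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    if not is_trusted_host(sender_domain):
        warnings.append(
            f"sender address {address!r} is not from {TRUSTED_DOMAIN} "
            f"(display name {display_name!r} proves nothing)")

    # Check 2: compare each link's real target (what hovering reveals) with the
    # address the link text displays; flag mismatches and untrusted targets.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            target = host_of(href)
            shown = shown_host(text)
            if shown and shown != target:
                warnings.append(
                    f"link text shows {shown!r} but actually points to {target!r}")
            elif not is_trusted_host(target):
                warnings.append(f"link points to untrusted host {target!r}")
    return warnings


if __name__ == "__main__":
    for warning in analyze_message(SAMPLE_MESSAGE):
        print("WARNING:", warning)
```

Run against the constructed sample, the script reports two warnings: the sender address is not in middlebury.edu despite the convincing display name, and the link whose text reads go.middlebury.edu actually points at 198.51.100.23. A message whose sender and links all resolve to the trusted domain produces no warnings, which is the point of the tips: judge the address and the real link target, not the name or the text you are shown.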