Information Security Blog

Stanford University Axess Privacy Settings Changed - UNTRUE!

By now, you've probably received the phishing email that's been circulating that claims that Axess privacy settings have changed. This is another attempt to trick you into clicking on the link and providing your login credentials. The objective of this phishing scam is to collect as many SUnetIDs and passwords as possible.

If you've received the email shown below, you should simply delete it. If you thought it was a legitimate email (as many folks have) and have already clicked on the link and the login, CHANGE YOUR SUNETID PASSWORD IMMEDIATELY!

If you're uncertain what to do, or have any questions regarding this phishing scam or any other information security issues, always contact IRT Information Security (irt-security@lists.stanford.edu).

==========================================================

************************************************************************
This is an automatically generated message. Please DO NOT REPLY. If
you require assistance, please contact the Help Center.
************************************************************************

Your Privacy Settings have been changed.

Please update your Privacy Settings from your Student Center tab:

http://axess.stanford.edu.student.from-nm.com/at/index.php?StudentID=IUH7SIJ8&r=stanford

Stanford should reflect your updates the same day they are submitted in Axess.

Axess is generally available 24 hours a day, 7 days a week.

Please don't hesitate to visit our support site if you have any feedback or problems.

Sincerely,

Matthew Ricks,
Executive Director of Computing Services,
IT Services at Stanford.
� 2012 Stanford University, All Rights Reserved. Stanford, CA (650) 723-2300

You Now Have a New Profile on Facebook

Did you receive an email with that subject line? It's the same old phishing scam, but with a new look. The text of this scam is listed below. If you check the real email address of the sender (simply hover your cursor over the From and you'll see the real email address), you'll know instantly that it wasn't sent from Facebook.

Stay diligent! Don't be fooled. Don't click on links in unsolicited emails. If you want to check your profile in Facebook, go directly to the site using your browser, don't use the link in the email.

If you're uncertain what to do about this phishing scam or any other questionable emails you may receive, you can always contact IRT Information Security (irt-security@lists.stanford.edu) and we'll work with you. Remember, when in doubt, don't!

====================================================================
Content of Facebook phishing attempt:

Facebook
You now have a new kind of profile.
It is your collection of the photos, posts and experiences that tell your story. Visit Facebook to choose your cover photo, add important events and photos from your past, and more.
View Your Profile (this is a link in the email)

Learn More (this is also a non-Facebook link in the email)

Change Your LinkedIn Password

Multiple sources are reporting that LinkedIn has been hacked and over six million passwords have been stolen. LinkedIn has not confirmed they were stolen, but are researching the claims. If you have a LinkedIn account, as a precaution, change your password on LinkedIn now.

Here's how to change your LinkedIn Password:

1. Log onto LinkedIn
2. In the Upper Right Side of the screen you will see your name in blue, mouse over your name and select "SETTINGS"
3. In the block with your name, you will "Password: Change." Click on the word Change and follow the instructions.

Links to online stories:

http://www.pcworld.comarticle257045hackers_post_65_million_linkedin_passwords_online.html

http://www.msnbc.msn.com/id/47706147

http://blog.sfgate.com/techchron/2012/06/06/change-your-linkedin-password-now-the-service-has-been-breached/

Trying to Scare You Into Clicking That Link

I received this email today. According to the message, my computer is infected with some type of virus. But I'm not worried, because I know it can't be true: I use Sophos anti-virus on all of my computers. I, like you, can get a free copy of Sophos from the ITS website (https://itservices.stanford.edu/service/ess/pc/docs/sophos), and I can install it on all of the computers that I use for work (both at work and at home). It's a great tool, and using anti-virus helps make sure that you don't need to worry about viruses and malware, and of course, emails that try to scare you into thinking that your computer is infected...

==================================================================

Subject:
[irt-security] Your mailbox has been detected of DGXT Virus!
From:
"Mail Admin"
Date:
Fri, 06 Jan 2012 18:45:54 +0300
To:
undisclosed-recipients:;

Our WebMail automated systems scan shows that your mailbox is been infected by some suspicious DGXT Virus, the DGXT Virus is causing conflict between some of our web users.Please to stop this action you will have to Click the Url to remove and revalidate your mailbox.

Click or copy http://www.ostisb.org/secure/update/acc.htm to remove threat.

Note that none of your files will be removed or lost during this operation.

Thank you,
Technical Helpdesk Service.

Mailbox Over Quota?

This is a great way for a phisher to try to get your attention: who doesn't worry about running out of mailbox space? As you might have guessed, this is a scam, where the sender is trying to lure you into clicking on the link. But by now you know never to click on unknown links.... And if you're uncertain about your mailbox quota, you can always look at your statistics at http://stanfordyou.stanford.edu and see how much of your mailbox quota you've already used. OR if you think you need an increase in your mailbox quota (size), contact ITS (5-44357 or 5HELP), your local support person, or your DFA for assistance. Additionally, you are always welcome to contact IRT Information Security Services about this or any information security issue you may have (irt-security@lists.stanford.edu).

============================================================

X-Originating-IP: [116.203.50.120]
From: UPDATE YOUR ACCOUNT
Subject: Upgrade Your Webmail Acoount New
Date: Tue, 17 Jan 2012 18:41:42 +0000
X-OriginalArrivalTime: 17 Jan 2012 18:41:42.0925 (UTC) FILETIME=[A842DBD0:01CCD547]
To: undisclosed-recipients:;

Your mailbox is almost full 20GB to 23GB Please Click the Link Below
To Validate Your Mailbox And Increase Your
Quota. https://docs.google.com/spreadsheet/viewform?hl=en_US&formkey=dDRxOVpmQXRPZTNVb0gxMzRtOVFoQlE6MQ#gid=0

Seriously, A Wire Transfer?

You know you haven't sent a wire transfer to anyone (and maybe you've never sent a wire transfer ever), and yet, you've received an email stating that it wasn't successful. It's another phishing scam to try to get you to click on a link that will probably download malware onto your computer. Like all other phishing scams, just ignore it.

A copy of the email is included below.

_____________________________________________________

Subject: Wire transfer ID 3225457876954623496
From:
Date: Wed, 29 Jun 2011 07:03:35 -0700 (PDT)
To:

The outgoing Wire fund transfer that you placed one month ago, was not processed by an intermediary or beneficiary bank.

Please click here to view report

We'd Never Send This To You

The email below has been circulating through Stanford. We would NEVER send you an email like this. It's wrong in so many ways.....

We don't send out threatening emails
We know how to construct properly written sentences
We are here to help you, not scare you
Any email representing Stanford would be sent from a Stanford email address (this one was sent from aaddminoff@qatar.io)
We would ask you to work with your IT support person if there was a problem, or contact us directly (5-8000 or irt-security@lists.stanford.edu)

When you do receive this type of email, please let us know so that we can warn others about it. If you're unsure about the validity of an email, contact us before you take any action. We're here to help you.

==============================================
From: Stanford Admin Center
Date: March 16, 2011 4:08:07 AM PDT
To:
Subject: Dear Account User Security Alert!!!!
Reply-To: aaddminoff@qatar.io

Dear Account User:

It has come to our notice that your email has not passed the verification/Update process that we are presently working on.

We the web-Admin of Standford University are currently upgrading our data base and e-mail account center,thereby deleting all Old mail email account to create more space for new accounts.To prevent your account from closing you will have to update it so that we will know that it's a presently used account. To complete your account re-confirmation, you must reply to this email immediately and enter your account details as requested below.

***********************************************
Email User-name :.............
EMAIL Password :..............
Date of Birth : ...........
Country or Territory :.......
***********************************************

****IMPORTANT :****
This updating is compulsory to all Standford University user as a result of our recent server changes. If you fail to update your email address you will soon be unable to receive/send mails.Also your email will not be equipped with the latest anti-virus system on our new servers.This will make your email and PC
vulnerable to virus attacks from the internet.

**** HOW TO UPDATE***
To update simply reply the above to upgrading admin as appropriate. Failure to do so immediately will lead to SUSPENSION OF YOUR ACCOUNT.

Thanks for your co-operation,
Mail Administrator.
Standford University

Debunking Some Common Cyber Security Myths

US-CERT Cyber Security Tip ST06-002
Debunking Some Common Myths

There are some common myths that may influence your online security
practices. Knowing the truth will allow you to make better decisions about
how to protect yourself.

How are these myths established?

There is no one cause for these myths. They may have been formed because of
a lack of information, an assumption, knowledge of a specific case that was
then generalized, or some other source. As with any myth, they are passed
from one individual to another, usually because they seem legitimate enough
to be true.

Why is it important to know the truth?

While believing these myths may not present a direct threat, they may cause
you to be more lax about your security habits. If you are not diligent about
protecting yourself, you may be more likely to become a victim of an attack.

What are some common myths, and what is the truth behind them?

* Myth: Anti-virus software and firewalls are 100% effective.
Truth: Anti-virus software and firewalls are important elements to
protecting your information (see Understanding Anti-Virus Software and
Understanding Firewalls for more information). However, neither of these
elements are guaranteed to protect you from an attack. Combining these
technologies with good security habits is the best way to reduce your
risk.
* Myth: Once software is installed on your computer, you do not have to
worry about it anymore.
Truth: Vendors may release updated versions of software to address
problems or fix vulnerabilities (see Understanding Patches for more
information). You should install the updates as soon as possible; some
software even offers the option to obtain updates automatically. Making
sure that you have the latest virus definitions for your anti-virus
software is especially important.
* Myth: There is nothing important on your machine, so you do not need to
protect it.
Truth: Your opinion about what is important may differ from an
attacker's opinion. If you have personal or financial data on your
computer, attackers may be able to collect it and use it for their own
financial gain. Even if you do not store that kind of information on
your computer, an attacker who can gain control of your computer may be
able to use it in attacks against other people (see Understanding
Denial-of-Service Attacks and Understanding Hidden Threats: Rootkits and
Botnets for more information).
* Myth: Attackers only target people with money.
Truth: Anyone can become a victim of identity theft. Attackers look for
the biggest reward for the least amount of effort, so they typically
target databases that store information about many people. If your
information happens to be in the database, it could be collected and
used for malicious purposes. It is important to pay attention to your
credit information so that you can minimize any potential damage (see
Preventing and Responding to Identity Theft for more information).
* Myth: When computers slow down, it means that they are old and should be
replaced.
Truth: It is possible that running newer or larger software programs on
an older computer could lead to slow performance, but you may just need
to replace or upgrade a particular component (memory, operating system,
CD or DVD drive, etc.). Another possibility is that there are other
processes or programs running in the background. If your computer has
suddenly become slower, it may be compromised by malware or spyware, or
you may be experiencing a denial-of-service attack (see Recognizing and
Avoiding Spyware and Understanding Denial-of-Service Attacks for more
information).

Here's Another One...

No, the helpdesk did not send you an email about your account. No, you should not provide your login credentials. Once again, there's a phishing scam circulating, and it could seem to be valid.

Please remember, STANFORD WILL NEVER ASK YOU FOR YOUR PASSWORD. If you are asked and you're still unsure, regardless of who it is, check with Information Security Services first. We can be reached by email (irt-security@stanford.edu) or through the Help Desk (5-8000 option 4).

Rule of thumb: WHEN IN DOUBT, DON'T!

The email is posted below.

===============================================

From: indentco@brain.net.pk
Sent: Friday, February 4, 2011 7:21:36 AM
Subject: Importance notice from the helpdesk

EMAIL ACCOUNT UPGRADE

Your E-mail box has reached its maximum limit of 20 GB of storage and
Your account will be disabled if you do not update
now.

stanford.edu To upgrade your account, please click
the link below and follow the instructions to upgrade to more
storage space.

http://quadlightjobs.com/phpform/use/webmail/form1.html

Your account will remain active after you have confirmed your account
successfully.

stanford.edu | Auburn, Alabama 36849

A Reminder about the Importance of Passwords and Encryption

Password, PIN codes, and security questions may feel like time-wasting nuisances, but that couldn't be further from the truth. These vital nuggets of secret information, when paired with encryption technology, keep patient and other restricted information safe. Without these protections in place, a lost or stolen device leads to an immense amount of time spent investigating, reviewing files, and notifying affected individuals - much more time than would be spent entering passwords.

Encryption and passwords go hand in hand. One without the other provides no protection. And remember, giving out your password is just like removing it. Never share your password with anyone, even if they appear to work for the technology group. The various Stanford technology groups will never ask you to reveal your passwords.

These same rules apply to smartphones (Blackberry, iPhone, Android, etc.) and tablets (iPad). Only devices that are encrypted and password-protected can be used to access or store patient or other restricted information (see http://securecomputing.stanford.edu/dataclass_chart.html for more information about what constitutes "restricted" information). The Stanford email system frequently contains restricted information and consequently, should only be accessed on encrypted and password-protected devices. At this time, only Blackberry, recent iPhones (3GS and 4) and iPad have encryption. Smartphones and tablets without encryption should have passwords in place and must only access campus email and calendar through mobile webmail (https://webmail.stanford.edu ), which doesn't download information onto the device.

Remember, failing to properly protect your devices and passwords places you, the institution, patients, and research subjects at risk.

More information about securing your devices can be found on the Information Security Services website (http://irtsecurity.stanford.edu/).

Phishing Scam Targets Stanford

There's a new phishing scam being mailed to Stanford users - and if you don't read it carefully, you'll think it's legitimate! It looks like it's from HelpSU, you know, the tool we all use... But look carefully: the Mailto: is not a Stanford address, the Subject line is misspelled. If you continue reading the email, you'll notice lots of other mistakes as well.

But most of all -- STANFORD WILL NEVER ASK YOU TO PROVIDE YOUR SUNETID AND PASSWORD -- NOT EVER!

Any email that asks you for your userID/SUnetID and password is a phishing scam. The objective is always to get you to provide your login credentials so that someone else can access your account, whatever that account might be - work email, personal email, or even a bank account. Just remember: NEVER GIVE OUT YOUR PASSWORD, EVER. Regardless of what someone might tell you, particularly in an email, there is no valid reason ever why you should ever give out your password.

If you are still unsure when you receive a request for your password, please check with IRT Information Security Services (irt-security@lists.stanford.edu) before you do anything. They will gladly respond to your question and help you.

A good rule of thumb is: When in doubt, don't!
If it doesn't sound legitimate, don't do it!

Below is the phishing scan email that is currently circulating:

===================================================

-----Original Message-----
From: HelpSU [mailto:helpdesk001@w.cn]
Sent: Friday, January 14, 2011 2:39 AM
To: undisclosed-recipients:
Subject: Stanford Universitya Notice/News

This notice is to inform you that an ERROR have been
detected in your SU WebMail account, this ERROR was caused
by congestion and SPAM emails. You have been contacted in
order for you to confirm your account and avoid losing it.
Kindly confirm your account by sending the requested
information below.

ITS Help Form

* SUNet ID:-
* Password:-
* Phone Number:-

This notice is from US Information Technology services.

Sign,

No, You Don't Have a Virus

You may have recently received an email with the subject line: Virus Detected

This is another phishing scam, trying to get you to click on the link at the bottom of the email. Below is the email that you may have received.

A good practice is to always run anti-virus software, which is available at no charge to everyone at Stanford. You can easily download your own copy from the Essential Stanford Software site (ess.stanford.edu). You will need to log in to the site using your Stanford login credentials.

If you suspect that your computer really is infected, contact the IRT Service Desk at 5-8000 and they will gladly assist you.

And if you have any questions or concerns regarding this phishing scam or any other information security issue, you should contact IRT Information Security Services at irt-security@lists.stanford.edu or through the IRT Service Desk (5-8000). Someone will respond promptly to your email.

By the way.... if you read the email below carefully, you'll notice that the grammar is incorrect and the URL is not a Stanford URL...

======================================================
-----Original Message-----
From: IT Services [mailto:yangmus@singnet.com.sg]
Sent: Monday, January 10, 2011 11:52 AM
To: "info."@stanford.edu
Subject: Virus Detected

Virus Detected

A virus has been detected in your mail account and in other for you
not to lose your mail account,you are to click on the link below to scan
to remove the virus from your mail account.Failure to do this will lose
his or her mail account.

http://itservicestanford.webs.com/contactus.htm

Sign
Management

Never Give Out Your Password!

You may have received an email stating that there are issues with your mailbox, and that in order to 'straighten things out,' you should provide your current login credentials, including your password. Stanford will NEVER ask you to provide your password. As a rule of thumb, ANY EMAIL YOU RECEIVE THAT ASKS YOU TO PROVIDE YOUR PASSWORD IS A PHISHING SCAM! Never give out your password! This rule applies to any and all email accounts you have, including your work email, your personal email, or any free email accounts (like gmail or hotmail).

Below is an example of a recent phishing scam asking for a user's password.

If you are still uncertain, you can always contact IRT Information Security services at irt-security@stanford.edu.

Date: Wed, 05 Jan 2011 00:32:57 +1300

The Stanford University has been receiving complaints for
unauthorised use of the Stanford Webmail. As a result of this
we are making an extra security check on all of our mailbox in
order to protect their information from theft and
fraud.Do send us your current login credentials to keep your
account active.

SUNet ID:
Password:

Stanford University
Online Webmaster Department

Bogus Email Appears To Be From Stanford's Email Group

If you recently received an email that looked legit but sounded wrong, it wasn't sent from Stanford. Delete the email, do not respond. A copy of the body of the bogus email is listed below.

If you have any concerns about email or information security in general, please contact IRT Information Security Services at irt-securit@lists.stanford.edu. Check with us first, we're always here for you.

==============================================

From: Stanford University [mailto:xx@stanford.edu]
Sent: Saturday, October 30, 2010 11:06 AM
To: undisclosed-recipients:
Subject: Announcement

Stanford University (displayed in red)

Stanford University is excited to announce the new webmail with security system.The new webmail is better than ever and now offers additional Security system and personal preference options,message preview improvements,and much more.To migrate to the new webmail and Check out some of the highlights click the link below and then login to migrate today!

click here to migrate to the new webmail

If you would like to continue using the old webmail system please click here to contact us to keep your old webmail.

Please note that for the duration of the webmail preview, we will not have the remember me function.This enables you to easily access either viewing option.

Vice-Chancellor's Office

Creating Strong Passwords

A good password is easy to remember, but difficult to guess. Your password should be easy for you to remember without writing down and difficult for others to guess, both for people who know you and for anonymous password-crackers.

Because SUNetID passwords can now be up to 40 characters, you should consider using a passphrase - a sentence or sequence of words. It's easier to remember, and the extra length makes it even harder to crack. NOTE: your passphrase should NOT be a well-known slogan, song lyric, saying, or other quotation, unless you disguise it with punctuation, misspellings, or capitalizations. Most important, your passphrase should be something you will remember. A complex password that cannot be broken is useless if you cannot remember it.

If the application limits you to a smaller number of characters, try to base your password on a word, phrase or sentence that is easy for you to remember. Your password should NOT be just a dictionary word, OR your name, initials, birthday, anniversary, phone number, or any other personal information (or anyone else's).

For example; starting with the phrase, To be or not to be, that is the question, you could make it into an acronym: tbontbtitq. You could go a step further and add numbers: 2bon2btitq. Another step would be to add punctuation and capital letters: 2Bon2B?titq! If you remember the starting phrase, this password will make sense to you and will be very difficult for anyone else to guess.

* The more characters in a password, the more difficult it will be to 'break' (don't usethe minimum number of characters required by the system)
* Passwords can contain characters from the following four classes:
1. Upper-case letters A, B, C, ... Z
2. Lower-case letters a, b, c, ... z
3. Numbers 0, 1, 2, ... 9
4. Often, non-alphanumeric characters (, . ; :'"?!@#$%^&*()_-+=) such as punctuation symbols and spaces

For more information on strong passwords, check the MedIRT information security webpage: http://med.stanford.edu/irt/security/protecting/set_passwds.html.