Data Destruction Day


APRIL 27, 11:00 am-2:00 pm
Library Quad

The Office of Information Security is pleased to invite you to “Data Destruction Day.”
On April 27th from 11am – 2pm, Rockland IT Solutions will be on campus with their hard drive
shredding trucks. Bring in any paper items, old hard drives, floppy drives, thumb drives, CDs,
DVDs, zip drives, tapes and Rockland IT Solutions will physically destroy them onsite FOR FREE.
OIS will be available to assist with disassembling your old computers and getting the hard drives out
for safe disposal. A container will be available to recycle all of the other pieces.

– Event is open to all NU Faculty, Staff and Students.
– Electronic media is limited to hard drives, flash/thumb drives, CDs, DVDs, floppy disks,
tapes, and zip drives. If you have an old computer, we can help you remove the hard drive
that day and Rockland will recycle the computer shell and other peripherals.
– Asset disposition forms and all applicable signatures are required for all University assets.
– Feel free to bring in items from home but the University is not responsible for items lost
prior to destruction.
– No vehicles will be allowed in the quad; please prepare to hand carry over all items.

Please contact OIS@Northeastern.edu with any questions.


Alert: KRACK Vulnerability

A vulnerability named “KRACK” was made public earlier this week that could potentially affect many wireless users. KRACK, which stands for Key Reinstallation Attack, is a flaw in the way Wi-Fi Protected Access II (“WPA2”) operates. WPA2 is a widely used security protocol that is designed to protect wireless communications. When a user first attempts to connect to a wireless network, a handshake occurs where a password is exchanged for permission to connect. According to the researcher who discovered the vulnerability, malicious agents can utilize the flaw to potentially hijack connections and eavesdrop on the connections between the devices. However, there have been no reports about this vulnerability being utilized by hackers.

What is Information Technology Services doing for this?
Luckily, the United States Computer Emergency Readiness Team (“US-CERT”) has known about the vulnerability for quite some time, which has allowed vendors to prepare patches before the vulnerability was made public. Many vendors have begun to release patches, including Microsoft, which released a fix for Windows on October 10th. While newer versions of iOS are considered unaffected, Apple is working on rolling out a software update for macOS, watchOS and tvOS in a few weeks. Android devices are particularly vulnerable and many phone makers are still developing patches with release dates not yet identified.

Information Technology Services will continue to deploy patches and updates to vulnerable devices as they become available. As always, we encourage our users to have automatic updates enabled to ensure patches are installed in a timely manner. If you need assistance installing updates on your Northeastern devices, please reach out to the ITS Service Desk at 617.373.4357.

How can I protect myself off campus?

While many vendors are working diligently to provide patches, it is ultimately the responsibility of the user to install the available updates. Make sure to check for updates on anything that connects to a wireless network, including thermostats, refrigerators and security cameras. Ensuring automatic updates are enabled on all your devices will make sure you receive patches as soon as they are available.


How to Avoid Spear Phishing


Spring 2017 Quarterly Information Security Reminder

Dear Members of the Northeastern Community,

This edition includes some quick recommendations for securing your personal information while on and off campus, along with reminders about your responsibilities around protecting sensitive university and student information.

Spring 2017 Information Security Tips:

Spring Forward

Daylight Saving Time begins at 2 a.m., Sunday, March 12, 2017. Remember to set your clocks forward one hour. And while most computer and electronic systems will automatically make the change, it is always a good idea to verify that it has occurred correctly to ensure proper functionality.

Are you Truly Ready for Tax Season Scams?

Tax season is upon us, and government and law enforcement entities have reported an uptick in the number and sophistication of tax fraud schemes targeting the public. Last year the IRS reported over $21 BILLION in fraudulent tax refund claims in 2016. One way to keep this from happening to you is to ensure that you protect your personal information, and to use only reputable and certified tax preparers. Your fees for tax preparation should never be tied to the amount of your refund. All tax preparers will also have a preparer tax identification number (PTIN), which can be checked at http://www.ptindirectory.com/. Also keep in mind that the IRS will never contact you by telephone if there are issues with your returns, or if they need information. They will always send information by U.S. mail, and only by email if you have requested and provided them with an address. Do not respond to any contact that is threatening or attempts to alarm you (threatening audits, etc.). Always contact the IRS through their official website (www.irs.gov) or call for telephone assistance.

It is ALWAYS Phishing Season

Social engineering and Phishing scams are still the single greatest vector in data compromises and computer virus infections. This risk is heightened with the massive surge in Ransomware attacks across multiple industries. Healthcare, Financial, Higher Education and even Law Enforcement have been targeted, and have fallen victim. The computer virus will encrypt your files, data, even any online backups or network drives, and then offer you the chance to retrieve them for a modest fee of $200‐$5000. This can cause irrevocable harm to businesses if they have no available off‐line back‐ups. Recently a California Hospital had to transfer patients out of their facility when all their systems and patient files were encrypted. Many of these incidents start with a simple Phishing email. Contact the Office of Information Security at OIS@northeastern.edu to find out how you can protect yourself and the institution.

Hold Your Password Close

Northeastern University WILL NEVER ASK FOR YOUR PASSWORD. Any email you receive claiming to need your login and password is spurious and should be deleted without replying. If you have given a Northeastern password to another person, change the relevant password immediately. Each of us at the university is held responsible for all activity conducted under our user ID and password.

Protection of Sensitive Information / Regulatory Compliance:

Social Security Numbers, dates of birth, grades, non‐public personal financial information, protected health information, and other similar types of sensitive information are to be protected at all times from unauthorized disclosure and/or use, consistent with applicable University policies and/or applicable Federal laws, including the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act  (HIPAA), the Financial Services Modernization Act (also known as Gramm‐Leach‐Bliley), the CAN‐SPAM Act of 2003, and Massachusetts Data Security Regulation MA201 CMR17.00. Personal information of members of the Northeastern community, including but not limited to students, faculty and staff, may not be posted or maintained on public networks or sites, unless the user fully complies with applicable laws and regulations governing handling of personal information.

Compliance with Copyright Law and Software Licensing Agreements:

All members of the community are required to comply with copyright law and software licensing agreements. In addition, all software installed on University‐owned devices shall be the product of legal copies, and shall be properly licensed at all times. University resources shall not be used to offer, exchange or store copyrighted materials nor the indexes pointing to such materials, unless the use is in compliance with copyright law or other applicable regulation. All use of file‐sharing technologies shall be in strict compliance with University policy and copyright law.

Responsibilities under Regulation:

Our responsibilities under regulation include, among other reasonable steps, that we refrain from displaying or listing sensitive information in public venues such as hallway bulletin boards, office doors, globally shared computer files, and publicly‐accessible web sites, that we observe privacy practices, and that we use appropriate safeguards to protect sensitive information and information‐bearing devices from unauthorized access, alteration, theft or loss. These responsibilities include taking appropriate steps to ensure confidential/sensitive paperwork is properly discarded, that mobile devices are appropriately protected from loss or theft, and that computer disk drives and information storage devices are properly processed to remove sensitive information prior to reallocation or disposal.

Consequences Arising from Unauthorized Disclosure or Loss of Sensitive Information:

The potential consequences of unauthorized disclosure or loss of sensitive information may include, for the individual, loss of privacy, identity theft, financial loss, erosion of customer confidence; and, for the University, damage to reputation, civil penalties, and regulatory sanction. By recognizing the value in protecting sensitive information, the University is better positioned to avoid these consequences, maintain customer trust, and enjoy a reputation more demonstrative of the University's commitment to excellence and distinction, and other goals to which the University aspires.

Requirement to Read and Comply with the Appropriate Use Policy (AUP):

The Appropriate Use Policy describes policies for use of all computers, networks and telecommunications facilities at the University. All members of the University community are required to read and comply with the AUP, which can be read at www.northeastern.edu/aup. Use of University computer/telecommunication networks and/or computers implies agreement with the terms of the Appropriate Use Policy.

Shared Responsibility

Security is a shared responsibility. Do your part to help promote a safer and more secure computing environment by observing and supporting secure practices in your academic or business unit. If assistance is required, please contact OIS@northeastern.edu


Spring 2016 Quarterly Information Security Reminder

Dear Members of the Northeastern Community,

This edition includes some quick recommendations for securing your personal information while on and off campus, along with reminders about your responsibilities around protecting sensitive university and student information.

Spring 2016 Information Security Tips:

Spring Forward

Daylight Saving Time begins at 2 a.m., Sunday, March 13, 2016. Remember to set your clocks forward one hour. And while most computer and electronic systems will automatically make the change, it is always a good idea to verify that it has occurred correctly to ensure proper functionality.

Are you Truly Ready for Tax Season Scams?

Tax season is upon us, and government and law enforcement entities have reported an uptick in the number and sophistication of tax fraud schemes targeting the public. Did you know that the IRS reported a 400% increase in the number of false tax refund claims in just the past few months? One way to keep this from happening to you is to ensure that you protect your personal information, and to use only reputable and certified tax preparers. Your fees for tax preparation should never be tied to the amount of your refund. All tax preparers will also have a preparer tax identification number (PTIN), which can be checked at http://www.ptindirectory.com/. Also keep in mind that the IRS will never contact you by telephone if there are issues with your returns, or if they need information. They will always send information by U.S. mail, and only by email if you have requested and provided them with an address. Do not respond to any contact that is threatening or attempts to alarm you (threatening audits, etc.). Always contact the IRS through their official website (www.irs.gov) or call for telephone assistance.

Appropriate Use

All users of Northeastern University computer resources are required to read and abide by the Appropriate Use Policy. This year’s policy has been updated to include changes in wireless coverage on campus. Be on the lookout for the new format in upcoming publications of the Student Handbook, as well as on Information Technology Services web pages.

Hold Your Password Close

Northeastern University WILL NEVER ASK FOR YOUR PASSWORD.  Any email you receive claiming to need your login and password is spurious and should be deleted without replying. If you have given a Northeastern password to another person, change the relevant password immediately. Each of us at the university is held responsible for all activity conducted under our user ID and password.

A Statement of Privacy

Did you know that the university has created a new Privacy Statement? The statement replaces the old myNeu Privacy Policy and the link can be found in the footer of the Northeastern main webpage. This statement details the ways Northeastern collects and uses information as you interact with its online systems. This will be adopted by all web resources which represent the university and should be seen as the authoritative source.

Protection of Sensitive Information / Regulatory Compliance:

Social Security Numbers, dates of birth, grades, non-public personal financial information, protected health information, and other similar types of sensitive information are to be protected at all times from unauthorized disclosure and/or use, consistent with applicable University policies and/or applicable Federal laws, including the Family Educational Rights and Privacy Act (FERPA), the Health Insurance Portability and Accountability Act  (HIPAA), the Financial Services Modernization Act (also known as Gramm-Leach-Bliley), the CAN-SPAM Act of 2003, and Massachusetts Data Security Regulation MA201 CMR17.00. Personal information of members of the Northeastern community, including but not limited to students, faculty and staff, may not be posted or maintained on public networks or sites, unless the user fully complies with applicable laws and regulations governing handling of personal information.

Compliance with Copyright Law and Software Licensing Agreements:

All members of the community are required to comply with copyright law and software licensing agreements. In addition, all software installed on University-owned devices shall be the product of legal copies, and shall be properly licensed at all times. University resources shall not be used to offer, exchange or store copyrighted materials nor the indexes pointing to such materials, unless the use is in compliance with copyright law or other applicable regulation. All use of file-sharing technologies shall be in strict compliance with University policy and copyright law.

Responsibilities under Regulation:

Our responsibilities under regulation include, among other reasonable steps, that we refrain from displaying or listing sensitive information in public venues such as hallway bulletin boards, office doors, globally shared computer files, and publicly-accessible web sites, that we observe privacy practices, and that we use appropriate safeguards to protect sensitive information and information-bearing devices from unauthorized access, alteration, theft or loss. These responsibilities include taking appropriate steps to ensure confidential/sensitive paperwork is properly discarded, that mobile devices are appropriately protected from loss or theft, and that computer disk drives and information storage devices are properly processed to remove sensitive information prior to reallocation or disposal.

Consequences Arising from Unauthorized Disclosure or Loss of Sensitive Information:

The potential consequences of unauthorized disclosure or loss of sensitive information may include, for the individual, loss of privacy, identity theft, financial loss, erosion of customer confidence; and, for the University, damage to reputation, civil penalties, and regulatory sanction. By recognizing the value in protecting sensitive information, the University is better positioned to avoid these consequences, maintain customer trust, and enjoy a reputation more demonstrative of the University's commitment to excellence and distinction, and other goals to which the University aspires.

Requirement to Read and Comply with the Appropriate Use Policy (AUP):

The Appropriate Use Policy describes policies for use of all computers, networks and telecommunications facilities at the University. All members of the University community are required to read and comply with the AUP, which can be read at www.Northeastern.edu/aup. Use of University computer/telecommunication networks and/or computers implies agreement with the terms of the Appropriate Use Policy.

Shared Responsibility

Security is a shared responsibility. Do your part to help promote a safer and more secure computing environment by observing and supporting secure practices in your academic or business unit. If assistance is required, please contact OIS@neu.edu


Don’t Get Sucked in by Tax Scams

Each year the looming deadlines of the U.S. tax season herald a new spate of tax fraud scams, and this year is no different. Fraudsters like to take advantage of your stress and heightened emotions to trick you into taking actions which, under normal circumstances, you would not take.

  • Phone Scams – These have become increasingly aggressive over the past years. Callers will claim that there may be a pending audit and that only a credit card payment can stop the process, or that there is a pending refund and an account number is needed to deposit the funds.
  • Email Scams – These emails purport to come from the IRS, tax preparers, electronic W2 providers, banks or state tax authorities. They will often request information including Social Security Numbers and financial data.
  • Mail Fraud – While the majority of people now receive their tax refunds electronically through direct deposit, if you still receive a refund check through the mail you are vulnerable to mail fraud. Scammers know that IRS payments are sent in batches and will often dip into mailboxes looking for tell-tale IRS envelopes.
  • Identity Theft – If your identity details have already been stolen, fraudsters may leverage this information during tax season. The IRS has seen a huge increase in false IRS claims over the past few years, where the perpetrators file for a refund under your identity.
  • Tax Preparer Fraud – Ensure that you only use a licensed tax preparer service. A licensed preparer will have a specific credentialed ID number that you can verify. Beware of services offering ‘free’ services or services where their fee is based on the amount of your refund.

Many of the precautions for these scenarios are the same ones that Northeastern’s Office of Information Security advocates all year long:

  • Watch for language in emails that is inflammatory, and tries to urge you into action to avoid “dire” consequences.
  • Use the “hover for cover” technique – float your mouse cursor over the link to reveal the URL and see where you are going to be taken.
  • Only access your accounts through their main site link. If you use an online tax preparation service, use that main page link to connect. There are now scams that send emails directing you to legitimate sites, but your internet traffic passes through the fraudster’s systems, which capture all your information as it goes to the legitimate site.
  • Electronic W2s – If you receive your W2 in an electronic format, download it only on a private computer on a network that you know is secure, i.e. your home network. Remember that when you download this form, an electronic copy may be cached on the computer and discoverable by someone else who has access to that machine.
  • Beware of attachments – Take extra caution when opening email attachments from strangers (pdf, doc) containing “tax documents” as they may include malware.

If you believe you are a victim of tax fraud, please reach out to the IRS for assistance:

How to Report Suspected Tax Fraud Activity
FTC Identity Theft Assistance


Phishing in the New Year

Follow us on Twitter @securenu for the latest security bulletins and alerts.

It’s 2016 and criminals have not stopped trolling the waters for usernames and passwords. Today the following phishing message was sent to members of the Northeastern community. If you have clicked on the link in the email and entered your myNEU username and password, please contact the Service Desk (x4357) immediately. Please delete this message from your inbox.

[Image: the phishing message]



Phish Tank Contest – DAY 5

From: ITS Service Desk <northeastern@service-now.com>
Sent: Friday, October 30, 2015   2:55 PM
To: OIS@neu.edu
Subject: We have received your Northeastern myHelp incident INC0129989

Hi OIS,

We have received your request for assistance. You should hear back from us within one business day. Should you need help sooner, please call the Information Technology Services Customer Service Desk at: 617-373-4357.

Your request was assigned a ticket number of INC0129989 with a description of “Phishing e-mail”. The details of your request are available at the following link: LINK

Thank you,

Information Technology Services
Customer Services

Knowledge Base — 24×7 Answers to your Northeastern Technology Questions.

Northeastern University will never request details of your password or account by email at any time.

Email Notification: Incident Opened

Ref:MSG3136961
