SRSU OIT Security Advisory – Virus in Email Attachment 8/12/2016

Sul Ross is receiving email messages that contain a harmful virus.  The Locky virus encrypts all the files on your computer’s hard drive and these files cannot be recovered.  The only mechanism we have to clean up the virus is to reformat your hard drive.

The email message indicates it is coming from a account and contains a Microsoft Word document (*.doc, *.docx, *.docm) that when clicked, spreads the virus to your local machine and any attached devices, including thumb drives, external hard drives, and any other physically attached devices.

Our advice is that you never click on any attachments in an email message unless you are specifically expecting the attachment.  We also suggest you look carefully at the sender, the subject line, and the body of the message for indications the email is not legitimate (poor grammar, invalid references, etc.).

In the instances we are seeing today, the email purports to come from Dorothy, Gwendolyn and other common names (e.g.  We do not use only first names in our email addresses, although some individuals have an alias that includes their first and last, e.g.

If you receive an email from a peer, we suggest you take a moment, call the individual that supposedly sent the email and verify they did so and that they included an attachment.

Attacks on all institutions are on the rise.  Our best line of defense is you.  Be aware.  Don’t click.  Call us if you need help or are unsure at 432-837-8888.


Mobile Device Theft

With an increasing amount of sensitive data being stored on mobile devices, the value and mobility of smartphones, tablets, and laptops make them appealing and easy targets. These simple tips will help you be prepared in case your mobile device is lost or stolen or misplaced.

  • Don’t leave your device alone, even for a minute! If you’re not using it, lock your device in a cabinet or drawer, use a security cable, or take it with you. It’s not enough to simply ask the stranger next to you in a library or coffee shop to watch your laptop for a few minutes.
  • Differentiate your device. It’s less likely that someone will steal your device and say they thought it belonged to them if your device looks unique. Sometimes these markings make the laptop harder to resell, so they’re less likely to be stolen. Use a permanent marking, engraving, or tamper-resistant commercial asset tracking tag.
  • Delete sensitive information. Don’t keep any restricted data on your laptop. We recommend searching your computer for restricted data and deleting it. Restricted data includes your Social Security number, credit card numbers, network IDs, passwords, and other personally identifiable information. You’d be surprised how easy it is to forget that this information is on your computer!
  • Back it up. Set a reminder to back up your data on a regular basis! Keep an external copy of important files stored on your laptop in a safe location in case it is lost or stolen. Your photos, papers, research, and other files are irreplaceable, and losing them may be worse than losing your device.
  • Encrypt information. Protect your personal data with the built-in disk encryption feature included with your computer’s operating system (e.g., BitLocker or FileVault).
  • Record the serial number. Jot down the serial number of your device and store it in a safe place. This information can be useful for verifying your device if it’s found.
  • Install software. Install and use tracking and recovery software included with most devices (e.g., the “Find iDevice” feature in iOS) or invest in commercial products like LoJack or Prey. Some software includes remote-wipe capabilities. This feature allows you to log on to an online account and delete all of the information on your laptop. There are both paid and free versions of this type of software, and each provides different levels of features. Search online to find the best combination of cost and functions to meet your needs.

If you have questions, please contact the Helpdesk at 432-837-8888.

Guard Your Privacy Online


You and your information are everywhere. When you’re online you leave a trail of “digital exhaust” in the form of cookies, GPS data, social network posts, and e-mail exchanges, among others. It is critical to learn how to protect yourself and guard your privacy. Here are some ideas that can help protect you, your information, and the data SR entrusts to you.

  • Use long and complex passwords or passphrases. These are often the first line of defense in protecting an online account. The length and complexity of your passwords can provide an extra level of protection for your personal information.
  • Take care what you share. Periodically check the privacy settings for your social networking apps to ensure that they are set to share only what you want, with whom you intend. Be very careful about putting personal information online. What goes on the Internet usually stays on the Internet.
  • Go stealth when browsing. Your browser can store quite a bit of information about your online activities, including cookies, cached pages, and history. To ensure the privacy of personal information online, limit access by going “incognito” and using the browser’s private mode.
  • Using Wi-Fi? If only public Wi-Fi is available, restrict your activity to simple searches (no banking!) or use a VPN (virtual private network). The latter provides an encrypted tunnel between you and the sites you visit.
  • Should you trust that app? Only use apps from reputable sources. Check out reviews from users or other trusted sources before downloading anything that is unfamiliar.

If you have questions about how to follow any of these guidelines, contact the Helpdesk at 432-837-8888.

By the way, never use your laptop as a coffee mug coaster as in the picture.  Not a good idea. 🙂


Guard Your Privacy When Offline or Traveling

Planning a summer vacation? People are frequently more vulnerable when traveling because a break from their regular routine or encounters with unfamiliar situations often result in less cautious behavior. If this sounds like you or someone you know, these five tips will help you protect yourself and guard your privacy.

  • Track that device! Install a device finder or manager on your mobile device in case it’s lost or stolen. Make sure it has remote wipe capabilities and also protects against malware.
  • Avoid social media announcements about your travel plans. It’s tempting to share your upcoming vacation plans with family and friends, but consider how this might make you an easy target for local or online thieves. While traveling, avoid using social media to “check in” to airports and consider posting those beautiful photos after you return home. Find out how burglars are using your vacation posts to target you in this infographic.
  • Traveling soon? If you’re traveling with a laptop or mobile device, remove or encrypt confidential information. Consider using a laptop or device designated for travel with no personal information, especially when traveling out of the country.
  • Limit personal information stored on devices. Use a tool like Identity Finder to locate your personally identifiable information (e.g., SSN, credit card numbers, or bank accounts) on your computer, then secure or remove that information.
  • Physically protect yourself and your devices. Use a laptop lock, avoid carrying identification cards, shred sensitive paperwork before you recycle it, and watch out for “shoulder surfers” at the ATM.

These tips can’t protect you from every possible scenario but they will provide some protections and give you ideas for others.  The best advice of all … be aware.

Securing Mobile Devices

Mobile devices have become one of the primary ways we communicate and interact with each other. The power of a computer is now at our fingertips, allowing us to bank, shop, view medical history, attend to work remotely, and communicate virtually anywhere. With all these convenient features come added risks, but here are some tips to protect your devices and your personal information.

  • Password-protect your devices. If your mobile device is ever lost or stolen, giving yourself more time to protect your data and remote wipe your device could be the difference between the pain of losing the device and the pain of losing much of your important information. Enabling passwords, PINs, fingerprint scans, or other forms of authentication will slow down anyone intent on getting to your personal information and give you more time to take action and remove personal or sensitive information from your device.
  • Backup data. Be sure to back up data on each device in case it is ever lost or stolen. If the original device is never found, you can restore the backed up data to a new one.
  • Verify app permissions. Don’t forget to review an app’s specifications and privacy permissions before installing it!
  • Update operating systems. Security fixes or patches for mobile device operating systems are often included in these updates.
  • Be cautious of public Wi-Fi hot spots. Avoid financial or other sensitive transactions while connected to public Wi-Fi hot spots.
  • Think Before You Click

    Phishing attempts are fraudulent email messages that appear to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages direct you to divulge private information (e.g., passphrase, credit card, or other account updates).

    These scams are designed to induce panic in the reader. They attempt to trick recipients into responding or clicking immediately, by claiming they will lose something (e.g., email, bank account). Such a claim is always indicative of a phishing scam, as responsible companies and organizations will never take these types of actions via email.

    Things to know and remember when opening ANY e-mail that is asking you to provide information:
    – No reputable organization, including OIT, will ever ask you for confidential information via e-mail.
    – Never respond to an e-mail from a source you are not 100 percent sure of. When in doubt, call them.
    – Always check the authenticity of a Web site before you provide any of your personal information.
    – Never click on a link in a suspicious e-mail because it may take you to a malicious site. Open a new browser window and type in the link manually.
    – Phishing e-mail will often have a sense of urgency. (“Your account will be closed if you don’t…” etc.) They may also contain strange words, misspelled words or unusual or awkward phrasing to help them avoid SPAM-filtering software.

    With the recent rise in phishing activity, be suspicious of any email message that asks you to enter or verify personal information through a website or by replying to the message itself.

    A Word on Passwords

    Passwords are your first line of defense against break-ins to your online accounts, computers, smart phones and tablets. Poorly crafted passwords, those that are used on multiple accounts, and those seldom changed are more susceptible to being compromised. This situation can leave the technology resources and information on those devices, whether owned by the university or on your own personal devices, at higher risk of being stolen or damaged. The best antidote available against the cyber criminals and others that are intent on stealing or damaging your devices and information is better password management.

    Poorly Crafted Passwords

    One reason for poorly crafted passwords is they fall into recognizable patterns. This usually occurs because these patterns are more easily remembered than some ambiguous string of characters. These patterns are often in the form of someone’s name, a date, a memorable place, or they follow keyboard patterns such as “123456” and “qwerty.” These kinds of patterns are highly predictable and easy to crack. Rather than an obvious pattern for a password, try a short sentence or phrase. You’ll have the upper case and lower case characters that are needed and a password that is much easier to remember. Using an abbreviation for one of the words provides an extra level of complexity that helps keep your password safe. Also, to ensure your password complies with all password requirements of SRSU, simply change one of the letters to a number and one of the letters to a special character and you’re finished. For example, take the phrase, “Change is good!” Applying the rules we just covered, our phrase can be modified to Chg 1s g@@d!, which meets all our password requirements and is easier to remember than kjhdSDj34@nS.

    Multiple Accounts

    Having our email address and password compromised because of a weak or easy to guess password is bad enough. While having your email account compromised isn’t ideal, if you use the same account ID to access your financial institution, social network, and other sites, the potential for impact on your wallet and your reputation can be painful. Many of our accounts today use our email address as the ID for the account. Using the same password heightens the risk for any account using the same ID/password combination. When you have to use your email address for an account ID on another system, always ensure that a different password is used to access that other system.

    Seldom Changed

    The longer an account password is not changed, the longer a compromised password can be used by cyber criminals. Changing an account password on a regular basis limits a hacker’s ability to gain access to your account and “listen in” without you knowing they are there.

    How to Survive

    With all the accounts, for all the systems, and all those passwords, how is one to survive the security requirements and not simply write all the passwords down on a sticky note and paste it to our monitor? The answer is not sticky notes or a piece of paper in your desk drawer or attempting to get around the password requirements of the institution. The answer is a password manager. A password manager is a piece of software that allows you to store the plethora of passwords needed in your life (business and personal), that are all hidden behind a specific account ID and password. These tools give you the ability to record all your passwords in a single, strongly encrypted location. Of course, you still need a password in order to gain access to the password manager, so make sure this system uses a complex password, is not used anywhere else, and is changed with some regularity.

    In the end, all computer security is about mitigating the risk inherent in your devices that are connected to the world around us. There is no way for anyone to be 100% secure. All you can do is lower the risk of being hacked. Complex passwords that are used on only one system, are changed on a regular basis, and are stored in an appropriate password manager lower your risk.

    Contact the SRSU Helpdesk, LTAC, if you have questions about anything in this article.

    New Phishing Threat Identified by MS-ISAC – DYRE Banking Trojan

    The DIR Security Operations Team has received intelligence from the Multi-State Information Sharing and Analysis Center (MS-ISAC) on a new variation of the DYRE banking Trojan. Over the past 48 hours, there has been increased activity related to infections resulting from successful DYRE phishing attacks on some State of Texas shared networks. What is important to note is that the tactic for DYRE Trojan delivery has changed at this time. In the past, DYRE delivered the malicious code as an attachment. The new variation uses emails with malicious links instead. Some samples of subject lines in these emails include:

    “Wire transfer receive”
    “Medicines here”
    “Complaint against your company”
    “Payment Advice – advice Ref:[xxxxxx]/CHAPS credits”
    “Company repor” – (note the missing t in “report”)
    “Wire transfer complete”
    “Important – New Outlook Settings”
    “RBS Morning commentary”
    “Cards OnLine E-Statement E-Mail Notification”
    “Voice Message”

    As always, the best prevention is awareness and thoughtfulness when clicking on links in messages. The best advice is simply to not click on links or open attachments if:

    – an email message is from an unknown source
    – you are not expecting the email
    – the email asks for any personal information.

    Questions may be directed to the Helpdesk at x.8888.
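
For mail administrators, one way to turn the subject lines listed above into a triage check, as an added example that is not part of the original advisory or of MS-ISAC's tooling: a subject must match a listed line exactly after normalization, and a match is held only when the message also carries a link or an attachment. The function names, verdict labels and sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Subject lines exactly as listed in the advisory; "[xxxxxx]" is a variable reference.
ADVISORY_SUBJECTS = [
    "Wire transfer receive", "Medicines here", "Complaint against your company",
    "Payment Advice – advice Ref:[xxxxxx]/CHAPS credits", "Company repor",
    "Wire transfer complete", "Important – New Outlook Settings",
    "RBS Morning commentary", "Cards OnLine E-Statement E-Mail Notification",
    "Voice Message",
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def normalize(text):
    """Lower-case, unify dash variants, collapse whitespace."""
    text = re.sub(r"[\u2010-\u2015]", "-", text)
    return re.sub(r"\s+", " ", text).strip().lower()

def subject_pattern(subject):
    escaped = re.escape(normalize(subject))
    # Accept any reference token where the advisory shows "[xxxxxx]".
    return re.compile(escaped.replace(re.escape("[xxxxxx]"), r"\[?[\w-]+\]?"))

SUBJECT_PATTERNS = [subject_pattern(s) for s in ADVISORY_SUBJECTS]

def triage(raw_message):
    """Return 'hold', 'note' or 'pass' for one RFC 5322 message string."""
    msg = message_from_string(raw_message, policy=policy.default)
    subject = normalize(str(msg.get("Subject", "")))
    # fullmatch, so a legitimate "Company report" does not hit "Company repor".
    if not any(p.fullmatch(subject) for p in SUBJECT_PATTERNS):
        return "pass"
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    has_link = bool(URL_RE.search(text))
    has_attachment = any(True for _ in msg.iter_attachments())
    # The newer variant uses links; the earlier one used attachments.
    return "hold" if has_link or has_attachment else "note"

# Constructed sample messages (not real traffic).
SAMPLES = {
    "link": "From: a@example.invalid\nSubject: Wire transfer complete\n\n"
            "See http://example.invalid/statement for details.\n",
    "typo_fixed": "From: b@example.invalid\nSubject: Company report\n\n"
                  "Q2 numbers: http://example.invalid/q2\n",
    "no_link": "From: c@example.invalid\n"
               "Subject: Payment Advice - advice Ref:[GB48213]/CHAPS credits\n\n"
               "Please call us.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

A "note" verdict means the subject matched but nothing clickable was found, which is worth logging because subjects such as "Voice Message" also occur in legitimate mail.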

    Password Managers

    I love my password, but I sure hate my password!  If this is you, don’t feel alone.  Passwords are a tricky thing to get right.  The best passwords are almost impossible to remember and the easy to remember ones are weak.  Sometimes even the tricks of substituting letters and special characters that resemble letters are easy to forget or easy to guess.  A lot of people find that PERFECT reasonably hard to guess password that is easy to remember and use it for EVERYTHING …forever.  There has to be a better way!

    Introducing….password management software (password managers).  According to Wikipedia:  “A password manager is a software application that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password which grants the user access to their entire password database. Some password managers store passwords on the user’s computer, whereas others store data in the cloud. While the core functionality of a password manager is to securely store large collections of passwords, many provide additional features such as form filling and password generation.”

    There are a lot of password managers available and some are better than others.  Feature sets abound, so how do you decide on the one that is right for you?  Let’s look at a few examples:

    • Browser based — Most current web browsers have some sort of password manager built in.  When the browser offers to “remember” the password, it stores the login credentials.  Browser based password managers are generally thought of as low-security, high risk.  Often they are not encrypted and they don’t require a master password to unlock them.
    • Desktop — Desktop/laptop software stores passwords (usually encrypted) on a computer hard drive and most often requires a master password to unlock them.
    • Cloud — Password manager software stores and retrieves encrypted passwords from online storage.

    Advantages of password managers:

    • Ease of having long, hard to guess passwords that are automatically used or are easy to retrieve.
    • Remember one master password, but use many different passwords
    • No more sticky notes on the monitor!  (well, at least for passwords)
    • shared passwords (rarely a good idea, but sometimes necessary)
    • password escrows so that an organization might retrieve passwords that former employees may have used

    So, you want to use a password manager, but which one?  That is a difficult question.  Many of the most popular products have some similar features, so the secret is to figure out what is important to you and find out which one(s) qualify.  I will leave a bit of research for you by giving you some links from popular web sites with comparisons of password managers:

    PC Magazine



    In conclusion, I think it is important to remind you that running a password manager does NOT mean you should let your guard down.  Use the tools, but never make the mistake of thinking the tool will keep you safe.  Tools such as a good firewall, anti-virus, anti-malware, good passwords or a good password manager are simply that…tools to help.  Nothing beats common sense and being careful.  A good password manager can be a great tool in your online defensive arsenal.