An attacker may be able to take complete control of your computer when you visit a maliciously crafted web page with Internet Explorer on Windows. You need to install and run update from Microsoft to safely continue using Internet Explorer.

For What You Need To Do, see Security Alert - Critical Microsoft Security Update MS08-078 for Internet Explorer (Windows).

Thank you for registering and participating in the study: Help Us Protect the Carnegie Mellon Community from Identity Theft. As a final step in the study, please complete the survey available at http://cups.cs.cmu.edu/cups-study/survey.html. The four character code you need to complete the survey has been emailed to you.

As a reminder, the complete consent form is available here.

if you have any questions or comments, please direct them to cups-study@andrew.cmu.edu.

An attacker may be able to take complete control of your computer when you visit a maliciously crafted web page with Internet Explorer on Windows. You may encounter these maliciously crafted web pages when visiting:

• legitimate websites that have been compromised
• unfamiliar sites found through legitimate search engines such as Google or Yahoo
• links received through e-mail and instant messaging

For What You Need To Do, see Security Alert - Restrict Microsoft Internet Explorer Usage (Windows) - Unpatched Vulnerability - Attacks Underway.

Windows, Mac and Linux users running Adobe Reader and Acrobat 8.1.2 and older or Flash player 9.0.124.0 and older are vulnerable to exploits. Without the security upgrade, an authorized attacker may take complete control of an affected system by convincing the user to open a maliciously crafted Portable Document Format (PDF) file or Flash file. The Adobe Reader & Acrobat vulnerabilities are actively being attacked through e-mail and malicious or compromised web sites.

For What You Need To Do, see Security Alert - Adobe Reader & Acrobat 9 and Flash Player 10 Security Update.

Virus emails have recently been sent to Carnegie Mellon email accounts claiming to be from postcards@hallmark.com.  The messages include a postcard.zip or similarly named attachment.  PLEASE DO NOT OPEN THE ATTACHMENT!

For What You Need To Do, see Security Alert - Virus Emails - You've received A Hallmark E-Card!.

As part of our celebration of National Cyber Security Awareness Month, we are conducting a study to investigate how we can most effectively protect Carnegie Mellon community members from scam emails.


Thank you for your interest in this important community service.  REGISTRATION IS CLOSED.

The complete consent form is available here.

Please direct questions to cups-study@andrew.cmu.edu.

Oct 24 Update: Notification emails are being sent to owners of computers missing the update as detected by network scanning (Pittsburgh campus only).  The messages instruct owners to take action and notify Computing Services before the grace period ends.  If the grace period elapses without owners notifying Computing Service of their actions, then network access will be suspended to protect the vulnerable machine and the rest of the campus network.

Windows computers running Microsoft Windows may be vulnerable to exploits. This vulnerability may allow an unauthorized attacker to take complete control of an affected system that is connected to a network without any end user action. PLEASE PATCH AND REBOOT ASAP.

For What You Need To Do, see Security Alert - Critical Microsoft Security Update MS08-067 for Windows Users.

October is National Cyber Security Awareness Month (NCSAM).  Learn about cyber security initiatives from around the University and participate in events and contests hosted by the ISO throughout the month of October.

To Learn More, see National Cyber Security Awareness Month (NCSAM).

Fraud emails have recently been sent to Carnegie Mellon email accounts claiming to be from Carnegie Mellon University <cmu@webmaster.com>.  The fraud messages ask people to reply with their Full Name, User Id, and Password.  PLEASE ENABLE SPAM FILTERING AND DO NOT REPLY!

For What You Need To Do, see Security Alert - Fraud Emails - CARNEGIE MELLON UNIVERSITY INTERNET USE.

Welcome back from the Information Security Office (ISO)!


Follow these three steps to start the semester off SAFELY!

STEP 1:  Think Before You Click!

STEP 2:  Adhere to Copyright & Intellectual Property Laws

STEP 3:  Visit the ISO Website Often

For More Details, see Fall Cyber Security Tips and Reminders.

Fraud emails have recently been sent to Carnegie Mellon email accounts claiming to be from memberservice@andrew.cmu.edu.  The fraud messages ask people to reply with their User ID and Password.  PLEASE ENABLE SPAM FILTERING AND DO NOT REPLY!

For What You Need To Do, see Security Alert - Fraud Emails - andrew.cmu.edu Feature Release: Upgraded Search.

Virus emails have recently been sent to Carnegie Mellon email accounts claiming to be from "postcards@hallmark.com".  The messages include a postcards.zip or similarly named attachment.  PLEASE DO NOT OPEN THE ATTACHMENT!

For What You Need To Do, see Security Alert - Virus Emails - You've received A Hallmark E-Card!.

Computers running older versions of Adobe Flash Player are vulnerable to exploits. Criminals have infiltrated many legitimate websites and are using them to deliver Adobe Flash attacks. The most serious of these vulnerabilities may allow malicious attackers to take complete control of an affected system when you visit an infiltrated or maliciously crafted website. The latest version of Adobe Flash Player is not vulnerable. Update now.

For What You Need To Do, see Security Alert - Widespread Adobe Flash Web Attacks.

Computers running Debian & Ubuntu Linux are vulnerable to exploits.  Users that connect to Debian & Ubuntu Linux servers via SSH are vulnerable.  Users that generated cryptographic material such as SSH keys or SSL certificates on affected systems are also vulnerable.  The most serious of these vulnerabilities may allow malicious attackers to gain unauthorized login access or eavesdrop on encrypted communications.

For What You Need To Do, see Security Alert - Debian & Ubuntu Linux Weak Encryption Keys.

Protect Yourself, Others and the University from Identity Theft with Identity Finder!


Did You Know?

• Your computer might be storing personally identifiable information (PII) such as your Social Security Number, bank account numbers, credit card numbers and passwords without your knowledge
• If your computer or external media is lost, stolen or broken into over the Internet, someone might use it to steal your identity and the identities of anyone who shares your computer or whose personal information you might handle
• If you store sensitive PII for Carnegie Mellon work and your computer or external media is lost or compromised, the University is obligated under PA state law to notify everyone affected by the breach and could potentially be legally liable
• Over eight million Americans have their identities stolen annually and on average victims spend 600 hours clearing their good name -- Federal Trade Commission & Identity Theft Resource Center

For What You Need To Do, see Do Your Part: Prevent Identity Theft.

Computing Services will NEVER send unsolicited attachments in notification e-mail messages. If Computing Services requires that you install a patch, the e-mail message will NOT CONTAIN the patch, but instead direct you to an appropriate download page for the vendor or on www.cmu.edu.

If you are in doubt about a message do not open it! Contact the Help Center to verify the message's authenticity.

Most peer-to-peer file sharing programs (Kazaa, LimeWire, BitTorent, etc.) set your computer to share (allow uploading) downloaded files AND possibly all your personal files to anyone who asks for them. The University of Chicago provides instructions on how to disable this feature for many of the more popular file sharing programs.

NOTE: The instructions on the University of Chicago pages are a guide for what we currently think are feasible workarounds, but ultimate responsibility for your network usage falls to you. Don't lose your network connection (or face a potential lawsuit) for copyright infringement!