Carnegie Mellon University
Information Security Office
Computing Services
Wednesday, September 28, 2016
John Lerchey presents to INI
John Lerchey, the ISO Incident Response coordinator, presents on security to the incoming students at the Information Networking Institute (INI) 2010 orientation.
Request for Comment on ISO Guidance
Wednesday, September 28, 2016
The Information Security Office is kicking off a 2011 refresh of several guidance documents including the Guidelines for Data Classification, Guidelines for Data Protection and the Guidelines for Data Sanitization & Disposal. We are very interested in your feedback and suggestions as we work through this refresh cycle. If you've had the opportunity to leverage this guidance in your work over the last year or you simply have thoughts on how these documents can be matured, please send feedback to the ISO mailbox at iso@andrew.cmu.edu.
Identity Finder 8.1 Now Available
Tuesday, October 27, 2015
Identity Finder version 8.1 is now available and is compatible with Windows 7+ and Mac OS X 10.9+. Identity Finder is licensed by Carnegie Mellon University to protect sensitive information from Identity Theft. The University offers this software at no cost to faculty, staff and students. Version 8.1 identifies and highlights sensitive data stored in documents, applications, email and browsers.
Data Protection – Self-Assess your Data Security
Monday, October 19, 2015
With more reliance on computer systems to store and process sensitive data, there is always a risk the information may be misused or accessed by unauthorized individuals. University technical staff are tasked to set security controls and ensure that private and restricted institutional data is stored and processed securely.
Protecting Institutional Data
Monday, October 12, 2015
Carnegie Mellon University has over 13,200 students and 5000 faculty and staff. With so many employees and students, it is likely people will shift job responsibilities, leave their position or graduate. When these changes occur, access to resources no longer required should be removed. This practice is known as deprovisioning and is key to protecting institutional data. Supervisors should keep a list of job-related resources that employees have been authorized to access, and inform system and application managers to deprovision the account when access is no longer authorized.
What is Data Classification?
Friday, October 02, 2015
Data classification organizes institutional data into categories based on level of sensitivity, value and criticality to the University if the data is disclosed, altered or destroyed without authorization. There are designated individuals at Carnegie Mellon with the Data Steward role. These individuals classify institutional data into three categories: public, private and restricted. It is important to know the type of data you interact with to understand your role in its protection.
Security Advisory: A Phish Email Titled “Your Computer will be suspended from CMU network” with an Attachment is Reported
Tuesday, September 22, 2015
A phishing email carrying an attachment and titled “Your Computer will be suspended from CMU network” has been reported to the Computing Services Help Center. Your computer will NOT be suspended from the CMU network. These were simulated phishing emails designed to raise the Carnegie Mellon community’s awareness of phishing and determine our overall susceptibility to such attacks.
Security Alert: Mac OS X Yosemite (10.10.4 - 5) Vulnerable to Exploits
Friday, August 21, 2015
Critical threats were detected in the Yosemite OS X (versions 10.10.4 - 5) operating system. One of the methods attackers use to exploit the operating system is through untrusted applications from the web. Installing untrusted applications could allow attackers to gain access to the computer without using a password, allowing them to take full control. The Information Security Office (ISO) recommends that those using the Macintosh operating system enable the Gatekeeper feature (built into Yosemite) as a protective measure until Apple provides a software update to correct this issue. For more information on What You Need To Do, visit Security Alert: Mac OS X Yosemite (10.10.4 - 5) Vulnerable to Exploits.
Security Alert: An email with subject line "Problem with invoices" carries a malware infected attachment
Friday, June 12, 2015
An email with the subject line "Problem with invoices" containing a malware infected attachment named "New.zip" is currently circulating at Carnegie Mellon University. When a recipient opens the .zip attachment and double clicks on the program inside, the malware is executed, infecting the computer system you are using if it is running any version of the Windows operating system. The malware is known to hijack your email credentials (Andrew UserID and password) and then attempt to spread itself by sending email from your system. For more information on What You Need To Do, visit Security Alert: An email subject line "Problem with invoices" carries a malware infected attachment.
Security Advisory: Email Titled "SCAN" Includes a Malware-Infected Attachment
Wednesday, April 01, 2015
A phishing email titled "SCAN" that includes a malware-infected attachment titled "scan3434.zip" is circulating at Carnegie Mellon University. Once a recipient clicks on the attachment the malware is executed, and the email client is compromised, sending copies of the email (and the attachment) to all contacts. For more information on What You Need To Do, visit Email Titled "SCAN" Includes a Malware-Infected Attachment.
Security Alert: Email Scam Targets CMU Employees for Potential Payroll Theft
Wednesday, February 25, 2015
On December 4, 2014 the Information Security Office (ISO) published an information notice titled “Scam Alert: Higher Ed is Target of Direct Deposit Thieves”. This notice can be found on the ISO’s home page at www.cmu.edu/iso. The article warned of phishing email attacks targeting schools for the purpose of stealing credentials and using them to alter the victims’ direct deposit information. On Saturday, February 21, 2015, nearly 200 Carnegie Mellon users received a phishing email that appears to have been designed for this purpose. The email’s subject was, “Your Salary Raise Information”. A link in the message led to a well-crafted copy of Carnegie Mellon’s login page. After providing their login information, victims were redirected to campus web sites. Later, the attacker used a subset of the harvested login information to access Workday. Workday is the system used by employees (including work study and some grad students) for payroll, human resources and time tracking information. While the investigation is ongoing, there is no evidence that any Workday data was modified and known victim accounts, of which there were relatively few, have been secured. Only data accessible to the individual victims’ accounts was ever at risk.
Security Alert: The GHOST Vulnerability Affects Unix and Linux Operating Systems
Tuesday, January 27, 2015
A weakness called GHOST in the Linux and Unix operating systems' C library "glibc" allows attackers to take complete control of a compromised system. The GHOST vulnerability may affect many Unix and Linux systems including but not limited to Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04 & 10.10. For detailed information about this alert and What You Need To Do, please visit The GHOST Vulnerability Affects Unix and Linux Operating Systems.
Scam Alert: Higher Ed is Target of Direct Deposit Thieves
Thursday, December 04, 2014
Many schools have experienced email scams that use harvested credentials to alter direct deposit information. These scams typically involve fake emails impersonating Human Resources or other university offices about salary increases, email storage limits, or connections from unexpected IP addresses. The emails include malicious links that, when clicked, lead to login pages that are carefully crafted to look the same as the university’s login pages. Once someone provides their login id and password, the attacker uses them to access the victim’s payroll information to redirect direct deposits to a bank account. This is not a hypothetical situation. Faculty and staff at other institutions have lost their paychecks via this scam. While this hasn’t happened at Carnegie Mellon, analysts warn of a continuing trend. Stay alert to scams like these. Confirm with Human Resources, the Information Security Office, or your supervisor before attempting to login if you are suspicious of any email. For more information: http://www.ren-isac.net/alerts/REN-ISAC_ADVISORY_University_Payroll_Theft_20141112_TLPWHITE.pdf
Security Alert: Vulnerability Affecting Browsers ("POODLE")
Wednesday, October 15, 2014
A vulnerability has been announced for most web browsers that could enable the disclosure of private information during a "secure" web session (https), such as a shopping, banking, enrollment or mail viewing session, where you'd normally expect secure, encrypted traffic. For detailed information about this alert and What You Need To Do, please visit Security Alert: Vulnerability Affecting Browsers ("POODLE").
National CyberSecurity Awareness Month - 2014
Thursday, October 02, 2014
October is National CyberSecurity Awareness Month! Please join us in the Security 101 Completion Challenge - our goal is to reach a 50% completion rate. Please visit NCSAM: Take Security 101 for more information.
Security Alert: Significant Vulnerability in Internet Explorer v6-11
Monday, April 28, 2014
A vulnerability has been discovered in the Internet Explorer (IE) browser that is being exploited to compromise computers. The campus community should refrain from using IE until Microsoft releases a security update. The Information Security Office will continue to monitor for and block known malicious websites. For detailed information about this alert and What You Need To Do, please visit Security Alert: Significant Vulnerability in Internet Explorer V6-11.
Security Advisory: OpenSSL "Heartbleed Bug" may disclose sensitive information
Thursday, April 10, 2014
Announced on April 7, 2014, a security vulnerability called Heartbleed allows attackers to collect information that is expected to be encrypted including encryption keys, session cookies, credit card numbers, passwords, and social security numbers. Computing Services Information Security Office (ISO) is actively scanning CMU's network for vulnerable hosts, monitoring for evidence of attack and compromise, and responding to impacted individuals accordingly. University vendors are also being assessed. For detailed information about this advisory and What You Need To Do, please visit Security Advisory: OpenSSL "Heartbleed Bug" may disclose sensitive information.
ISO Releases its 2014 - Security 101 Training Course
Monday, March 31, 2014
The 2014 - Security 101 training course was developed by Carnegie Mellon's Information Security Office (ISO) to raise awareness about Carnegie Mellon's information security policies and guidelines, data classification, roles and responsibilities, information security risks, and techniques for safeguarding institutional data and information systems. For instruction on how you can access the 2014 - Security 101 course, please visit Security 101 Training and Awareness Program.
Security Advisory: Upgrade Now - Windows XP Support Ends April 8
Thursday, March 20, 2014
Microsoft plans to end support for Windows XP on April 8, 2014. There have been a number of advisories from various sources indicating that shortly after the end of support, a rash of malware and exploits will be released targeting the XP operating system. Accordingly, the Information Security Office (ISO) will begin scanning for XP computers on campus or connected to campus services on Thursday, March 20, 2014. For information on the security advisory and on What You Need to Do, please read the entire security advisory message on Upgrade Now - Windows XP Support Ends April 8.
Security Alert: Hewlett Packard (HP) Phone Scam
Tuesday, March 18, 2014
Several university staff members reported receiving phone calls where individuals asked for their "HP number". When questioned, the caller typically hangs up. While "HP number" is unclear, it is possible that they are looking for the printer's IP address, which might provide the scammer with remote access to the printer. For information on the security alert and on What You Need to Do, please read the entire security alert message on Hewlett Packard (HP) Phone Scam.
Lessons from Recent Security Breaches
Tuesday, February 25, 2014
Several recent high profile vulnerabilities and security breaches serve as reminders of the importance of reporting concerns, staying up to date with security patches, remaining vigilant to scams, and other good security practices, both on campus and at home.
Security Advisory: CryptoLocker Malware Restricts Access to Computer Files
Thursday, November 14, 2013
Malware known as CryptoLocker is affecting Windows computers across the Internet and here on campus. Cryptolocker encrypts the infected computer’s documents so that they are no longer usable and then displays a webpage demanding payment to restore them. It can encrypt files located on shared network drives, USBs, external hard drives and even cloud storage drives. For information on the security advisory and on What You Need to Do, please read the entire security advisory message on CryptoLocker Malware Restricts Access to Computer Files.
Focusing on Mobile Device Security during 2013 NCSAM
Friday, October 04, 2013
In observance of 2013 National Cybersecurity Awareness Month, the Information Security Office (ISO) held a Mobile Device Security event on October 3rd, 2013 at the UC Rangos from 11:00 a.m. to 5:00 p.m. At the event, mobile carriers, vendors, researchers, the ISO and other University entities exhibited their mobile devices and demonstrated security and privacy configurations, answered questions, provided training material, discussed research reports, and shared security solutions. Information on the event, participating entities, prizes and more is available at Focusing on Mobile Device Security during 2013 National Cybersecurity Awareness Month (NCSAM).
Oct 3: Join the ISO for Mobile Device Security Day
Tuesday, October 01, 2013
Oct 3: Join the ISO for Mobile Device Security Day - Students
Tuesday, October 01, 2013
Security Alert: Critical Vulnerabilities in Java 6 and 7
Wednesday, April 24, 2013
Multiple new security vulnerabilities have been discovered in Java and are being actively exploited to compromise computers. Oracle has released new versions of Java 6 and 7 to correct these vulnerabilities. All Java users should update to new versions as soon as possible. The Information Security Office will continue to monitor for and block known malicious websites and will also notify users of vulnerable computers on the campus network.
Security Alert: Critical Vulnerabilities in Java 6 and 7
Monday, February 04, 2013
Multiple new security vulnerabilities have been discovered in Java, one of which is being actively exploited to compromise computers. Oracle has released new versions of Java 6 and 7 to correct these vulnerabilities. All Java users should upgrade as soon as possible. The Information Security Office will continue to monitor for and block known malicious websites and will also be monitoring for and notifying users of vulnerable computers on the campus network.
Security Alert: Critical Vulnerability in Internet Explorer 6, 7 & 8
Tuesday, January 15, 2013
A critical vulnerability has been discovered in Internet Explorer that could be exploited to compromise computers. Microsoft has released a security update to correct this vulnerability. All Microsoft Windows users should run Windows Update to ensure this latest security update is installed. The Information Security Office will continue to monitor for and block known malicious websites that are exploiting this vulnerability.
Security Alert: Critical Vulnerability in Java 7 (or 1.7)
Tuesday, January 15, 2013
A new critical vulnerability in Java is being actively exploited to compromise computers. Oracle has recently released Java 7 Update 11 to correct the issue. All users of Java 7 should upgrade to Java 7 Update 11 as soon as possible. The Information Security Office will continue to monitor for and block known malicious websites as well as monitoring for and notifying users of vulnerable computers on the campus network.
The ISO Celebrated 2012 National Cyber Security Awareness Month (NCSAM)
Thursday, November 01, 2012
The Computing Services Information Security Office (ISO) hosted a variety of events including training classes and on-line resources during the month of October in observance of National Cybersecurity Awareness Month (NCSAM). Visit The ISO Celebrates 2012 National Cybersecurity Awareness Month (NCSAM) for a list of on-line resources.
Security Alert: Update Available for Internet Explorer
Friday, September 21, 2012
On September 18, Computing Services issued a security alert regarding a critical vulnerability in Internet Explorer versions 6, 7, 8 and 9. Microsoft has released a patch for Internet Explorer. The Information Security Office will continue to monitor for and block known malicious websites. For information on the security alert and on What You Need To Do, please read the entire security alert message on Update Available for Internet Explorer.
Security Alert: Attacks Against Internet Explorer
Tuesday, September 18, 2012
Microsoft has announced that Internet Explorer versions 6, 7, 8 and 9 are being attacked through an unpatched vulnerability. Internet Explorer 10 on Windows 8 is not affected. Normal Web browsing could allow an attacker to gain control over your computer. The Information Security Office will monitor for and block known malicious websites and will also notify users once Microsoft has released a patch. For information on the security alert and on What You Need To Do, please read the entire security alert message on Attacks Against Internet Explorer.
Security Alert: Update Available for Java version 7 (or 1.7)
Friday, August 31, 2012
On August 29, 2012 Computing Services notified students, faculty and staff of a critical vulnerability in Java version 7 (or 1.7). Oracle has released a new version of Java 7 that corrects this vulnerability. All users of Java 7 should upgrade to Java 7 Update 7 as soon as possible. For information on the security alert and on What You Need To Do, please read the entire security alert message on Update Available for Java version 7 (or 1.7).
Security Alert: Maplesoft Security Breach Leads to Phishing Attacks
Thursday, July 19, 2012
Maplesoft, a provider of mathematics, modeling and simulation software that is licensed by Carnegie Mellon, reported that it was investigating a security breach of its administrative database. As an apparent result of this breach, users of Maplesoft software are being targeted by phishing attacks. One such phishing attack claims that a vulnerability has been detected in Maplesoft software and includes an attachment called Maple_Patch.zip. This email instructs the recipient to extract the file using the password MapleSecurityUpdate1707. A variation of this message that has been detected includes a maple-soft.com link instead of providing an attachment. For information on the security breach and the phishing attack and on What You Need To Do, please read the entire security alert message on Maplesoft Security Breach Leads to Phishing Attacks.
Security Advisory: Spear Phishing Attacks Targeting Intellectual Property
Tuesday, June 26, 2012
Earlier this month, security analysts discovered a spear phishing campaign targeted at US government contractors and service providers within the industrial control systems community. Carnegie Mellon was one of several universities targeted by these attacks. These particular phishing emails pretended to be from familiar acquaintances. Furthermore, the messages contained a link to what appeared to be a PDF file about staffing changes, but actually downloaded malicious software. If installed, the software provides remote access to the compromised computer. For information on the spear phishing attack and on What You Need To Do, please read the entire security advisory message on Spear Phishing Attacks Targeting Intellectual Property.
Security Advisory: Malicious DVDs Sent Through Mail
Tuesday, June 19, 2012
Several universities have recently reported that members of their user communities have received malicious DVDs through physical mail. The mail indicates that there is a possible security issue and includes a DVD with alleged details on the security issue. In reality, the DVD contains malware. Reports indicate that this malware is not being recognized by antivirus software. As a general best practice, users should ensure that AutoPlay and AutoRun functionality is disabled on their computers. To learn how to disable AutoPlay and AutoRun on your computer, please read the entire security advisory message on Malicious DVD's Sent Through Mail.
Security Alert: LinkedIn and eHarmony Report Stolen Passwords - Reset Account Password
Thursday, June 07, 2012
LinkedIn, a popular professional networking site, and eHarmony, a popular dating site, confirmed yesterday, June 6, that passwords associated with their accounts were compromised. LinkedIn and eHarmony are both sending users with compromised account passwords an email with instructions on how to reset their passwords. Computing Services urges you to take the following measures regardless of whether your account was compromised. For information on What You Need To Do please read the entire security alert message at Security Alert: LinkedIn and eHarmony Report Stolen Passwords-Reset Account Password.
Security Alert: Don't Fall for this Scam - Phishing Email "IMPORTANT NOTICE!!!"
Friday, April 27, 2012
For all Andrew email account holders, a phishing email with the subject “IMPORTANT NOTICE!!!” claiming to be from "CMU Computing Services Help Center" was delivered to a large number of Carnegie Mellon email accounts today. The message alleges that the user's university email account was reported for numerous spam activities and prompts the user to confirm account ownership by responding to the email with Andrew account credentials. Computing Services staff members will NEVER ask for your password by email, phone or any other method. Please read the entire security alert message on What You Need To Do if you received this phishing email and if you responded already at Security Alert: Don't Fall For This Scam - Phishing Email "IMPORTANT NOTICE!!!"
Action Needed-Security Alert: Run Apple Security Update to Remove Flashback Malware
Friday, April 13, 2012
Over the last several days, Carnegie Mellon has seen a rise in Mac OS X computers being infected by malware called "Flashback." As a result, Computing Services is suspending infected computers from the university network. Apple has released a new update that will remove current variations of Flashback and also take additional steps to prevent future Flashback infections. Please read the entire security alert message on how to remove Flashback infection and on What You Need To Do to protect your computer at Security Alert: Action Needed: Run Apple Security Update to Remove Flashback Malware.
Action Needed-Security Alert: Mac Malware Exploits Java Vulnerabilities and Steals Passwords
Wednesday, April 04, 2012
Carnegie Mellon is detecting an increased number of infected computers related to new malware called "Flashback." Flashback infects Mac OS X computers by exploiting vulnerabilities in Java. Flashback steals usernames and passwords for online payment, banking and credit card websites without user interaction. Please read the entire security alert message on What You Need To Do to protect your computer at Security Alert: Mac Malware Exploits Java Vulnerabilities and Steals Passwords.
Action Needed-Security Alert: Run Windows Update Today - Increased Risk in Microsoft Remote Desktop Protocol Vulnerability
Saturday, March 17, 2012
Due to an increase in malicious activity related to the Microsoft Remote Desktop Protocol (RDP) vulnerability announced on March 13, Computing Services advises that you take certain precautions. Please read the entire security alert message on Action Required to secure your computer at Security Alert: Run Windows Update TODAY - Risk in Microsoft Remote Desktop Protocol Vulnerability.
Security Alert: Remote Desktop Critical Vulnerability
Tuesday, March 13, 2012
Microsoft Windows platforms running the Remote Desktop Protocol (RDP) are susceptible to a vulnerability which could allow an attacker to execute code on the vulnerable system without being authenticated. By default, RDP is not enabled on any Windows operating system and systems that do not have RDP enabled are not at risk. However, all Microsoft Windows users should take action. Microsoft Windows users should run Windows Update and install the latest security updates. Please read the entire security alert message on Action Required to secure your computer at Security Advisory: Remote Desktop Critical Vulnerability.
Security Alert: Phishing Email: "Your [id@andrew.cmu.edu] Account is on Restriction"
Tuesday, November 08, 2011
The Computing Services Information Security Office (ISO) received numerous reports from Andrew users today of a phishing email with the subject, "Your [id@andrew.cmu.edu] Account is on Restriction" from a sender address of Administrator <administrator@andrew.cmu.edu>. In response, the ISO blocked the response Web address and further relaying of the phishing messages. Administrators at the originating site have been notified.
The ISO Celebrated National Cyber Security Awareness Month (NCSAM)
Tuesday, November 08, 2011
The Computing Services Information Security Office (ISO) hosted a number of events in observance of National Cyber Security Awareness Month during the month of October. Featured events included classes on using the Identity Finder software and piloting a new security awareness program that will be offered online through the Open Learning Initiative (OLI). Staff members interested in participating in the pilot should contact the Information Security Office at iso@andrew.cmu.edu for the course access code.
Security Advisory: Epsilon Breach Could Increase Spear Phishing Attacks
Friday, April 08, 2011
Epsilon, a service provider that manages email communications for many companies, reported last week that it suffered a security breach that exposed names and email addresses for some of its clients' customers. Although Epsilon has indicated that no other personally-identifiable information was put at risk, the compromised information could be used to send spam, phish, or malware-infected email. Most concerning is a type of phishing known as "spear phishing," whereby a phisher exploits a trust relationship to convince you to supply sensitive data like your login ID and password, credit card data, or banking information. Your name, email, and the name of a company that you do business with provide all the ingredients for a successful spear-phishing attack.
Security Advisory: Vendor Breach Results in Browser Updates
Thursday, March 24, 2011
Earlier this week, Comodo, a service provider of Carnegie Mellon, experienced a security breach. According to details published by Comodo, this breach was the result of a compromised username and password that a customer used to access services. As a result of Comodo detection and remediation, this breach does not impact security controls at Carnegie Mellon. While this security breach does not directly impact Carnegie Mellon, it could potentially impact services provided by Google, Microsoft Live, Mozilla, Skype and Yahoo who were all targeted in this breach.
Mid-Semester Security Tips for Faculty and Staff
Tuesday, March 22, 2011
The Information Security Office would like to remind faculty and staff to follow a few security practices to minimize the risk and impact of computer and account compromises. Please read further for our Mid-Semester Security Tips for information on how to protect confidential information and University computing assets.
Security Reminders for Students
Monday, March 21, 2011
The Information Security Office welcomes you back from spring break and reminds you of a few important safe computing tips. Please read below to learn how to protect your confidential information and computing assets.
Available now, NCSAM Presentations
Thursday, March 03, 2011
During National Cyber Awareness Month (NCSAM) 2010, the ISO invited a number of local experts to present on security issues impacting the university. Mobile Device Privacy is a presentation conducted by Professor Norman Sadeh from the School of Computer Science, on how to protect your privacy when using a mobile device. Another interesting presentation was "How Cyberwar Impacts the University End User" by Timothy Shimeall, a Senior Member of the Technical Staff at the Software Engineering Institute. The presentation defines cyberwar and its effect on Carnegie Mellon community members. For additional video training and presentations, please visit the ISO presentations webpage.
ISO 2010 National Cyber Security Awareness Month (NCSAM)
Saturday, April 10, 2010
ISO 2010 National Cyber Security Awareness Month (NCSAM)
The following presentations were conducted during the ISO 2010 National Cyber Security Awareness Month (NCSAM) training events. Please click on the image to view the presentation. Make sure to run Windows Media Player 9 or higher to view the videos.
ISO Sponsors 'Securing Windows' Course May 17-21, 2010
Thursday, January 28, 2010
ISO Sponsors 'Securing Windows' Course May 17-21, 2010
The Information Security Office (ISO) is sponsoring a five-day course, entitled "Securing Windows", conducted by Jason Fossen of the SANS Institute from May 17-21, 2010. A special rate of $950/student is offered for EDU and government entities. For information on the course and pricing, see ISO Sponsors 'Securing Windows' Course May 17-21, 2010.
Welcome Back Students
Thursday, January 21, 2010
Welcome Back Students
Happy 2010 New Year! The Information Security Office (ISO) welcomes you back to campus and reminds you of a few important safe computing tips below.
New Year Reminders for Faculty and Staff
Thursday, January 21, 2010
New Year Reminders for Faculty and Staff
Happy 2010 New Year! Due to a number of recent information security incidents, the Information Security Office (ISO) would like to remind everyone to contact the ISO via email or phone when one or more of the concerns listed below occur.
Security Alert: Increased Web-Based Attacks (Windows)
Monday, January 18, 2010
Security Alert: Increased Web-Based Attacks (Windows)
The ISO has received recent reports of campus machines being compromised through seemingly routine web browsing as of January 17, 2010. Please read the entire security alert message and follow the instructions to protect yourself and your computer, at Security Alert - Increased Web-Based Attacks (Windows).
SANS Webcast: Security for Windows 7
Wednesday, November 18, 2009
SANS Webcast: Security for Windows 7
The ISO sponsored a SANS Webcast on November 24, 2009, entitled "Security for Windows 7" at the end of the Departmental Computing Forum (DCF) monthly meeting. The Webcast was conducted by Jason Fossen, the sole author of the SANS Institute's week-long Securing Windows Course (SEC505). For information on the Webcast, see SANS Webcast: Security for Windows 7.
Security Alert: Critical Microsoft October Security Update for Windows Users
Monday, October 19, 2009
Security Alert: Critical Microsoft October Security Update for Windows Users
Windows computers running Microsoft Windows may be vulnerable to exploits. This vulnerability may allow an unauthorized attacker to take complete control of an affected system that is connected to a network without any end user action. PLEASE UPDATE AND REBOOT ASAP. For What You Need To Do, see Security Alert - Critical Microsoft October Security Update For Windows Users.
Security Alert: Adobe Reader and Acrobat Security Update
Monday, October 19, 2009
Security Alert: Adobe Reader and Acrobat Security Update
Windows, Mac and Linux users running Adobe Reader and Acrobat 9.1.3 and older are vulnerable to exploits. Without the security update, an unauthorized attacker may take complete control of an affected system by convincing the user to open a maliciously crafted PDF file. For What You Need To Do, see Security Alert - Adobe Reader and Acrobat Security Update.
Results of Identity Theft Study
Friday, April 10, 2009
Results of Identity Theft Study
Results of Identity Theft Study
Tuesday, March 31, 2009
Results of Identity Theft Study
Security Alert: Adobe Reader & Acrobat Unpatched Vulnerability - Attacks Underway
Thursday, February 26, 2009
Security Alert: Adobe Reader & Acrobat Unpatched Vulnerability - Attacks Underway
Windows, Mac, and Linux users running Adobe Reader or Acrobat are vulnerable to exploits. An unauthorized attacker may take complete control of an affected system by convincing the user to open a maliciously crafted Portable Document Format (PDF) file. For What You Need to Do until a patch is released and applied, see Security Alert: Adobe Reader & Acrobat Unpatched Vulnerability - Attacks Underway.
Security Alert: Virus Emails - You've Received A Hallmark E-Card and You have got a new E-Card from your friend
Wednesday, February 25, 2009
Security Alert: Virus Emails - You've Received A Hallmark E-Card and You have got a new E-Card from your friend
Virus emails from "e-cards@hallmark.com" or "e-cards@americangreetings.com" are asking you to open a postcard.zip or similar attachment. PLEASE DO NOT OPEN THE ATTACHMENT! For What You Need to Do, see Security Alert: Virus Emails - You've Received A Hallmark E-Card and You have got a new E-Card from your friend.
Welcome Back Students
Tuesday, January 20, 2009
Welcome Back Students
Welcome back and Happy New Year! In order to begin the 2009 spring semester with minimal disruption to your network connectivity while keeping your assets and data protected, Carnegie Mellon University and the Information Security Office would like to remind you of the following safety tips at Welcome Back Students.
Welcome Back Faculty and Staff
Tuesday, January 20, 2009
Welcome Back Faculty and Staff
Welcome back and Happy New Year! The ISO would like to extend its appreciation to all faculty and staff members who participated in the Identity Theft study. In order to begin the 2009 spring semester with minimal disruption to your network connectivity while keeping your assets and data protected, Carnegie Mellon University and the Information Security Office would like to remind you of the following safety tips at Welcome Back Faculty and Staff.
New Information Security Policy Approved
Sunday, January 18, 2009
New Information Security Policy Approved
In December, the President's Council approved a new University-wide Information Security Policy. This new policy lays a foundation for protecting all institutional data, replacing the Data and Computer Security Policy that has been in effect since 1990. For information on the new policy and how it will affect business units and colleges, please visit Information Security Policy.
Security Alert: Critical Microsoft Security Update MS08-078 for Internet Explorer (Windows)
Friday, December 19, 2008
Security Alert: Critical Microsoft Security Update MS08-078 for Internet Explorer (Windows)
Final Survey: Help Us Protect the Carnegie Mellon Community from Identity Theft study
Monday, December 15, 2008
Final Survey: Help Us Protect the Carnegie Mellon Community from Identity Theft study
Security Alert: Restrict Microsoft Internet Explorer Usage (Windows) - Unpatched Vulnerability - Attacks Underway
Friday, December 12, 2008
Security Alert: Restrict Microsoft Internet Explorer Usage (Windows) - Unpatched Vulnerability - Attacks Underway
Security Alert: Virus Emails - You've Received A Hallmark E-Card!
Monday, November 17, 2008
Security Alert: Virus Emails - You've Received A Hallmark E-Card!
Security Alert: Adobe Reader & Acrobat 9 and Flash Player 10 Security Update
Monday, November 17, 2008
Security Alert: Adobe Reader & Acrobat 9 and Flash Player 10 Security Update
Volunteers Needed: Help Us Protect the Carnegie Mellon Community from Identity Theft
Thursday, October 30, 2008
Volunteers Needed: Help Us Protect the Carnegie Mellon Community from Identity Theft
Security Alert: Critical Microsoft Security Update MS08-067 for Windows Users
Friday, October 24, 2008
Security Alert: Critical Microsoft Security Update MS08-067 for Windows Users
National Cyber Security Awareness Month (NCSAM)
Wednesday, October 08, 2008
National Cyber Security Awareness Month (NCSAM)
Security Alert: Fraud Emails - CARNEGIE MELLON UNIVERSITY INTERNET USER
Monday, September 29, 2008
Security Alert: Fraud Emails - CARNEGIE MELLON UNIVERSITY INTERNET USER
Fall Cyber Security Tips and Reminders
Thursday, August 28, 2008
Fall Cyber Security Tips and Reminders
Security Alert: Fraud Emails - andrew.cmu.edu Feature Release: Upgraded Search
Friday, August 22, 2008
Security Alert: Fraud Emails - andrew.cmu.edu Feature Release: Upgraded Search
Computing Services & E-mail Attachments
Saturday, August 02, 2008
Computing Services & E-mail Attachments
Disable Peer-to-Peer File Sharing Uploads
Friday, August 01, 2008
Disable Peer-to-Peer File Sharing Uploads
Security Alert: Virus Emails - You've Received A Hallmark E-Card!
Wednesday, July 23, 2008
Security Alert: Virus Emails - You've Received A Hallmark E-Card!
Security Alert - Widespread Adobe Flash Web Attacks
Thursday, May 29, 2008
Security Alert - Widespread Adobe Flash Web Attacks
Security Alert: Debian & Ubuntu Linux Weak Encryption Keys
Friday, May 16, 2008
Security Alert: Debian & Ubuntu Linux Weak Encryption Keys
Do Your Part: Prevent Identity Theft
Tuesday, January 08, 2008
Do Your Part: Prevent Identity Theft
This is an archive of ISO's News, Events and alerts. There may be broken links to external sites.