Carnegie Mellon University

The following is an ongoing effort to answer common questions posed by students, faculty and staff of the University.  Look below to find answers to common security and privacy questions.  If you have questions you'd like us to answer here, please send email to iso@andrew.cmu.edu.

More in depth answers and guidance may be found in our Guidance section.

It depends. You are right to be concerned. If the email is from an unscrupulous source, clicking the link confirms that your e-mail address is live and read, which can land you on more unwanted lists. An unscrupulous email may also direct you to a web page that asks you for more information, or that attempts to download malware to your system.

If you are absolutely sure that the unwanted email is from a legitimate company, then the unsubscribe link should be safe to click on. A legitimate company would be one you've done business with before - signing up for a newsletter, ordering something, giving your e-mail at a charity event. NEVER give any password after clicking on an unsubscribe link. If the site wants you to log in before they'll unsubscribe you, type the address of the site directly into your web browser, and log in from there (Ex: Groupon does this).

The CAN-SPAM Act requires companies to provide an opt-out from receiving future email so legitimate businesses provide this feature. Note that many businesses use commercial professional service providers like ConstantContact or MailChimp to send marketing emails on their behalf. Email sent by ConstantContact provides a safeunsubscribe link that should also work as intended.

Investigate the mail filtering options available for your email system and email client. You can create a filtering rule that automatically moves email with a specific sender, subject, or other attribute to a junk folder where you can delete it.

For your Carnegie Mellon email account in particular, check your spam filter settings to make sure you are filtering and discarding spam as identified by the campus email system. See http://www.cmu.edu/computing/email/cyrus/doc-email/mgmt/spam.html.

Mark the unwanted email as spam/junk and let your mail client learn what you consider spam.

Consider unsubscribing. See 'Is it safe to click on unsubscribe links in unwanted email (aka spam)?'

Be judicious when providing your email addresses on websites, at conferences, or on paper forms. Many times you can select/deselect options that will add you to additional distribution lists. Legitimate entities are more likely to honor your settings than unscrupulous ones.

Read the fine print or ask questions before providing your email address to understand whether your email address is likely to be shared and what your options are to opt-out.

Short answer: it's not a good idea.

Longer Answer:

  • There are risks to scanning QR codes. QR codes obscure the destination website, preventing visual inspection of the URL for authenticity checking. As a result, some of your audience may choose to not scan the QR code. (See "Are QR codes safe to scan?"). Make sure you have an alternate method of getting information to your audience.
  • If you decide to use QR codes, print the QR code directly on your materials. Don't add a QR code sticker to the materials later: stickers are exactly what an attacker uses to cover a legitimate code, so a sticker asks your audience to perform a riskier scan.
  • Don't direct users to a login page. This also encourages your audience to engage in risky online behavior, because a QR code that leads to a login form is indistinguishable from a phishing lure.

Short answer: it's not a good idea.

Longer answer:

Some of the security risks associated with scanning QR codes are:

  • You could be redirected to a fake website for the purpose of collecting your access credentials.
  • In an attempt to access promotional information, you may be lured into scanning a malicious QR code found on a website or on a poster at the entrance of a company, college or a shopping mall.
  • A vulnerability in the reader app may grant an attacker full control over your smartphone, including contact information, email, text messaging and any piece of information stored or accessed on the smartphone.

To minimize these risks consider the following if you decide to scan a QR code:

  • Use a QR code reader app that previews the web address before linking to the site (e.g., Red Laser, Google Goggles and ScanLife).
  • Avoid scanning a QR code from a source you don't know.
  • Avoid scanning QR codes in the form of stickers. QR code stickers can be posted over a legitimate code, on the wall or on brochures to direct you to a malicious web site.
  • Be cautious of a QR code that directs you to a login page. This could be a phishing scam, where you are directed to a fake website designed to harvest your login credentials.
  • Install security protection software. A simple Google search will retrieve a list of security protection software and anti-virus software for various smartphones. After installing anti-virus software, update it and run it regularly.
  • Back up your mobile device data regularly. Backing up your phone's data, including contact information, pictures, videos and other information, ensures the availability of the data in the event of a mobile device loss, theft or data loss.
  • Avoid storing sensitive information on your smartphone. In particular, university members with access to restricted data should avoid storing and handling restricted data on their mobile devices.
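The "preview the web address before linking" advice above, worked as an added example that is not part of the original FAQ: a small PowerShell function that parses a scanned QR payload and flags the patterns this answer warns about (non-web schemes, login pages, shorteners that hide the destination, raw IP or punycode hosts). The sample payloads and the shortener list are constructed for illustration.

```powershell
function Get-QrPreview {
    param([Parameter(Mandatory)][string]$Payload)
    $warn = [System.Collections.Generic.List[string]]::new()
    $uri  = $null
    # Anything that is not a plain http/https link (tel:, sms:, WIFI:, app links) gets refused outright.
    if (-not [System.Uri]::TryCreate($Payload, [System.UriKind]::Absolute, [ref]$uri) -or
        $uri.Scheme -notin @('http', 'https')) {
        $warn.Add('Not a plain web link; do not open')
        return [pscustomobject]@{ Payload = $Payload; Host = $null; Path = $null; Warnings = $warn }
    }
    if ($uri.Scheme -ne 'https') { $warn.Add('Unencrypted http link') }
    # "user@host" in a URL: everything before the @ is decoration, the real site is $uri.Host.
    if ($uri.UserInfo) { $warn.Add("Text before '@' is not the site; real host is $($uri.Host)") }
    if ($uri.HostNameType -in @([System.UriHostNameType]::IPv4, [System.UriHostNameType]::IPv6)) {
        $warn.Add('Raw IP address instead of a host name')
    }
    if ($uri.Host -match '(^|\.)xn--') { $warn.Add('Punycode host; may imitate a familiar name') }
    # The FAQ's main point: a code that lands on a login form is indistinguishable from phishing.
    if ($uri.AbsolutePath -match 'login|signin|password|account') {
        $warn.Add('Points at a login page; type the site address yourself instead')
    }
    $shorteners = @('bit.ly', 'tinyurl.com', 't.co', 'goo.gl')   # assumed list, extend as needed
    if ($uri.Host -in $shorteners) { $warn.Add('URL shortener: destination cannot be previewed') }
    [pscustomobject]@{ Payload = $Payload; Host = $uri.Host; Path = $uri.AbsolutePath; Warnings = $warn }
}

# Constructed sample payloads: a normal link, a decoy login link on a bare IP, a Wi-Fi join code.
@(
    'https://www.cmu.edu/iso/',
    'http://203.0.113.5/account/login',
    'WIFI:S:FreeCampusWifi;T:nopass;;'
) | ForEach-Object { Get-QrPreview -Payload $_ } | Format-List
```

A reader app that shows this kind of preview lets you decline the scan before any page loads; an empty Warnings list is not proof the site is genuine, only that the obvious tells are absent.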

The BitLocker key recovery feature on domain controllers provides a method for decryption in cases where data is needed for business continuity purposes or in the event that a password is forgotten or lost.  Recovery information is stored unencrypted in Active Directory on the domain controller, but because the attribute is marked confidential, only Domain Administrators can read it.

This use of BitLocker is safe in cases where the following conditions are met:

  1. There are a limited number of Domain Administrators
  2. Domain privileges are used only when required
  3. Domain Administrator Accounts have Andrew-grade password strength
  4. Domain Administrator Account passwords are changed every 90 days
  5. Clear procedures are in place for approving and documenting service requests for recovery information.

If you are looking at BitLocker for regulatory compliance purposes, you may want to consider Microsoft BitLocker Administration and Monitoring (MBAM), available under our enterprise contract (https://technet.microsoft.com/en-us/library/hh826072.aspx?f=255&MSPPError=-2147217396).  MBAM installs an agent on each endpoint and stores recovery information and reporting data in a SQL Server database.  The basic OS built-in BitLocker doesn't produce rich reporting and monitoring, but it requires fewer resources to set up.
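An added example, not part of the original FAQ, showing how a domain administrator can check three of the five conditions above with the RSAT ActiveDirectory module: the size of Domain Admins, the age of each Domain Admin password, and whether the schema still marks the BitLocker recovery-password attribute as confidential. It assumes the default group name "Domain Admins" and default schema; the 10-member threshold for "a limited number" is an assumed value, not a university standard.

```powershell
Import-Module ActiveDirectory

function Test-BitLockerRecoveryPosture {
    param(
        [int]$MaxPasswordAgeDays = 90,   # condition 4 from the FAQ
        [int]$MaxDomainAdmins    = 10    # condition 1; threshold is an assumption
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Condition 1: user accounts that hold Domain Admins, with nested groups expanded.
    $admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                Where-Object { $_.objectClass -eq 'user' })
    if ($admins.Count -gt $MaxDomainAdmins) {
        $findings.Add("Domain Admins has $($admins.Count) members (limit $MaxDomainAdmins)")
    }

    # Condition 4: every Domain Admin password changed within MaxPasswordAgeDays.
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    foreach ($a in $admins) {
        $u = Get-ADUser -Identity $a.distinguishedName -Properties PasswordLastSet, PasswordNeverExpires
        if ($u.PasswordNeverExpires -or -not $u.PasswordLastSet -or $u.PasswordLastSet -lt $cutoff) {
            $findings.Add("$($u.SamAccountName): password older than $MaxPasswordAgeDays days or set to never expire")
        }
    }

    # Recovery passwords live in msFVE-RecoveryInformation objects under each computer object.
    # The msFVE-RecoveryPassword attribute must carry the confidential bit (0x80) in its schema
    # searchFlags; without it, ordinary authenticated users could read the recovery passwords.
    $schemaDn = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaDn -LDAPFilter '(lDAPDisplayName=msFVE-RecoveryPassword)' -Properties searchFlags
    if (-not $attr -or -not ($attr.searchFlags -band 0x80)) {
        $findings.Add('msFVE-RecoveryPassword is not marked confidential in the schema')
    }

    # Recovery objects are only visible to accounts allowed to read them, so a count of 0 for a
    # non-admin caller is itself a sign that the confidential flag is doing its job.
    $recoveryObjects = @(Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)')

    [pscustomobject]@{
        DomainAdminCount = $admins.Count
        RecoveryObjects  = $recoveryObjects.Count
        Findings         = $findings
        Safe             = ($findings.Count -eq 0)
    }
}

Test-BitLockerRecoveryPosture | Format-List
```

Conditions 2 and 5 (using domain privileges only when required, and documented approval of recovery requests) are procedural and have to be checked against your change and ticket records rather than against the directory.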

In the Andrew Domain these conditions are all met.  You would not have direct access to the recovery feature, and would need to work with Andrew Domain Administrators for password recovery.