Carnegie Mellon University

The following is an ongoing effort to answer common questions posed by students, faculty and staff of the University.  Look below to find answers to common security and privacy questions.  If you have questions you'd like us to answer here, please send email to iso@andrew.cmu.edu.

More in depth answers and guidance may be found in our Guidance section.

It depends. You are right to be concerned. If the email is from an unscrupulous source, clicking the link confirms that your e-mail address is active, which can land you on more unwanted lists. An unscrupulous email may also direct you to a web page that asks you for more information, or possibly downloads malware to your system.

If you are absolutely sure that the unwanted email is from a legitimate company, then the unsubscribe link should be safe to click on. A legitimate company would be one you've done business with before - signing up for a newsletter, ordering something, giving your e-mail at a charity event. NEVER give any password after clicking on an unsubscribe link. If the site wants you to log in before they'll unsubscribe you, type the address of the site directly into your web browser, and log in from there (Ex: Groupon does this).

The CAN-SPAM Act requires companies to provide an opt-out from receiving future email, so legitimate businesses provide this feature. Note that many businesses use commercial professional service providers like ConstantContact or MailChimp to send marketing emails on their behalf. Email sent by ConstantContact provides a SafeUnsubscribe link that should also work as intended.

Investigate the mail filtering options available for your email system and email client. You can create a filtering rule that automatically moves email with a specific sender, subject, or other attributes to a junk folder where you can delete it.

For your Carnegie Mellon email account in particular, check your spam filter settings to make sure you are filtering and discarding spam as identified by the campus email system. See http://www.cmu.edu/computing/services/comm-collab/email-calendar/how-to/spam.html.

Mark the unwanted email as spam/junk and let your mail client learn what you consider spam.

Consider unsubscribing. See 'Is it safe to click on unsubscribe links in unwanted email (aka spam)?'

Be judicious when providing your email addresses on websites, at conferences, or on paper forms. Many times you can select/deselect options that will add you to additional distribution lists. Legitimate entities are more likely to honor your settings than unscrupulous ones.

Read the fine print or ask questions before providing your email address to understand whether your email address is likely to be shared and what your options are to opt-out.

QR codes are a convenient method of quickly driving users to a website or app. With the prevalence of smart devices capable of scanning QR codes, many organizations have used QR codes for marketing and other business purposes. Though QR codes can easily help users navigate to a specific website or app, there are risks for users when scanning them.

Some of the security risks associated with QR codes include:

  • Downloading malware onto your device
    In an attempt to access information, you may be lured into scanning a malicious QR code found on a website or poster that may automatically download malware and exploit your device.
  • Account compromise through a phishing website
    You could be redirected to a fake website for the purpose of collecting your access credentials.

When publishing QR codes, the Information Security Office recommends the following best practices to help ensure user safety during QR code scanning.

Best practices for using QR codes

  • Print the QR code directly on your materials
    Don’t add a QR code sticker to the materials later: a sticker placed over printed material is indistinguishable from a tampered code, so it teaches your audience to perform exactly the risky scan they should avoid.
  • Avoid directing users to a login page
    This encourages your audience to engage in risky on-line behavior by entering sensitive information.
  • Stay away from using a shortened URL
    When scanning a QR code, a notification pops up so users can view the URL that’s inside the QR code. A shortened URL, such as bit.ly, obscures the true URL destination making it difficult for users to determine if the website is safe.
  • Add an alternative link
    By printing the destination URL next to the QR code, users can type the address directly instead of scanning, which avoids the risks of scanning altogether.

QR codes have become increasingly common due to the prevalence of mobile devices. Scanning a QR code will redirect you to a website or an application. QR codes are convenient, but there are risks associated with scanning them. By following the safety tips below, you can help limit the risks when scanning QR codes.

  • Check for signs of tampering
    Before scanning, make sure the original QR code has not been covered with a sticker carrying a different QR code. Double-check that the QR code on the material looks original and fits with the design.
  • Avoid providing personal information if directed to a login page
    This could be a phishing scam where you are directed to a fake website designed to steal your login credentials.
  • Back up your mobile device regularly
    Backing up your phone’s data, including contact information, pictures, videos, and other information, ensures the availability of the data in the event of device damage, theft, or data loss.
  • Avoid storing sensitive information on your mobile device
    If your device does become compromised your information could be in the hands of a criminal. University members with access to restricted data should avoid storing and handling restricted data on their mobile devices.
  • Disable the “open website automatically” setting (or comparable wording) in the QR code scanner app
    When this setting is disabled, the scanner app shows you the URL and waits for your confirmation before visiting the website. This ensures that you are not unknowingly visiting harmful websites. If your scanner lacks this option, use a QR code reader app that previews the web address before opening the site, such as Red Laser or ScanLife. The built-in QR code readers in the iPhone camera app, Samsung Bixby, and Google Lens have this feature turned on by default.

The BitLocker key recovery feature on domain controllers provides a method for decryption in cases where data is needed for business continuity purposes or in the event that a password is forgotten or lost. Recovery information is stored unencrypted on the domain controller, but because the attribute has the confidential flag set, only Domain Administrators can read it.

This use of BitLocker is safe in cases where the following conditions are met:

  1. There are a limited number of Domain Administrators
  2. Domain privileges are used only when required
  3. Domain Administrator Accounts have Andrew-grade password strength
  4. Domain Administrator Account passwords are changed every 90 days
  5. Clear procedures are in place for approving and documenting service requests for recovery information.

If you are looking at BitLocker for regulatory compliance purposes, you may want to consider Microsoft BitLocker Administration and Monitoring (MBAM), available under our enterprise contract (https://technet.microsoft.com/en-us/library/hh826072.aspx?f=255&MSPPError=-2147217396). MBAM installs an agent on each endpoint and stores recovery information and reporting data in a SQL Server database. The basic OS built-in BitLocker doesn't produce rich reporting and monitoring, but it requires fewer resources to set up.

In the Andrew Domain these conditions are all met.  You would not have direct access to the recovery feature, and would need to work with Andrew Domain Administrators for password recovery. 
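The following PowerShell audit is an added example, not ISO or Microsoft code. It checks the conditions above that can be verified from Active Directory (number of Domain Administrators, password age) and confirms that the schema attribute holding BitLocker recovery passwords still carries the confidential flag; conditions 2 and 5 are procedural and cannot be checked this way. It assumes the RSAT ActiveDirectory module and a read-only account; the admin-count threshold is an assumption, the 90-day limit comes from the text.

```powershell
# Added example (not part of the ISO FAQ): read-only audit of the conditions
# under which escrowing BitLocker recovery keys in AD is considered safe.
# Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$MaxDomainAdmins    = 10   # assumed threshold for "a limited number"
$MaxPasswordAgeDays = 90   # from the FAQ: passwords changed every 90 days

# Conditions 1 and 4: enumerate Domain Admins (nested groups included)
# and find accounts whose password is older than the limit or never expires.
$admins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.DistinguishedName -Properties PasswordLastSet, PasswordNeverExpires
    })

$stale = @($admins | Where-Object {
    $_.PasswordNeverExpires -or
    -not $_.PasswordLastSet -or
    ((Get-Date) - $_.PasswordLastSet).TotalDays -gt $MaxPasswordAgeDays
})

# Confidential flag: the schema attribute msFVE-RecoveryPassword must have
# searchFlags bit 0x80 (CONFIDENTIAL) so that ordinary read permission on the
# object is not enough to read the recovery password.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -Filter "lDAPDisplayName -eq 'msFVE-RecoveryPassword'" -Properties searchFlags
$isConfidential = (($attr.searchFlags -band 0x80) -ne 0)

# Count escrowed recovery objects (children of computer objects) without
# reading the recovery passwords themselves.
$recoveryObjects = @(Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)')

[pscustomobject]@{
    DomainAdminCount         = $admins.Count
    DomainAdminsWithinLimit  = ($admins.Count -le $MaxDomainAdmins)
    AdminsWithStalePassword  = @($stale | Select-Object -ExpandProperty SamAccountName)
    RecoveryAttrConfidential = $isConfidential
    EscrowedRecoveryKeys     = $recoveryObjects.Count
} | Format-List
```

Any admin listed under AdminsWithStalePassword or a false RecoveryAttrConfidential means the escrow is not operating under the conditions the FAQ calls safe.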

Many services ask for a “recovery e-mail” to help you recover access to your account should you lose it – forget your password, lock yourself out, etc.  If this account is for personal use unrelated to your position at CMU, you should use a personal e-mail address for recovery (there are many free services to create additional e-mail addresses if needed). 

@andrew.cmu.edu e-mail addresses are disabled when you leave the university, and you will not have access to your e-mail once you have graduated, retired, or otherwise left the university. 

If the recovery e-mail is needed for a business purpose, discuss with your manager or team what e-mail address to use – in many cases, it is most advantageous to use a group e-mail for recovery.  Do not use a personal e-mail for recovery for business accounts.