Safely working from home

Maintaining a secure working environment at home can be challenging, but with a few simple steps, you can make sure that you are staying safe while working at home.

5 tips to stay safe while working at home

  1. Be careful! Attackers may call you, email you, or show up at your door looking to trick you into doing something on your computer. Be extra careful with suspicious requests.
  2. It is important that you only use a University computer to access sensitive data (student data, grades, financial, etc.). If you do not have a University computer/laptop, talk with your system support to enable remote access to your office computer from home.
  3. The University network has many protections that you may not have on your home network, and attackers know this! Make sure that your home wireless router is up to date, has good passwords, and that you know who is connecting to your network.
  4. Make sure your computer is up to date on its patches and is running end-point protection (anti-virus, malware protection, etc.). Some of our automatic computer update processes do not work on “computers at home”, so you may need to manually check your computer for updates.
  5. Do not let others use your work computer at home. Access by family members, guests, etc. can be considered a breach of university data.

For more information, here are 5 additional steps, recommended by the National Institute of Standards and Technology, to work securely from home.

Beware Corona Virus Scams

Hope and fear.

These are the feelings that phishing campaigns prey upon to trick people into giving up information, money, or access.

Right now, multiple campaigns pretending to be from the Center for Disease Control or the World Health Organization are either asking you to click a link for safety instructions, or open an attachment for the same reason. These campaigns are expecting our fear of outbreak and our hope for protection to lower our vigilance in keeping safe and secure internet practices. Both organizations have official pages they communicate from, so if any of us feel that a message may be legitimate, we can check their websites ourselves without needing to click their link or open their attachments.

As always, please forward any suspicious emails to phishing@utulsa.edu.

Thanks, and stay safe out there!

Tax Scams 2020

Hold on to your W-2s and returns because tax season is on the way! As if deductions, exemptions and return distribution weren’t enough, tax season becomes open season for cybercriminals hunting for sensitive information, credentials and even a direct deposit of your tax returns.

Examples of Tax season phishing scams:

W-2 attachment attack

Attack type: Attachment
Attack objective: Deliver malware
Tax forms – Attachment w/ drive-by link

W-2 phishing attacks come in many shapes and sizes and often strike in January, when employees are waiting to receive their W-2 from their employer. In this phishing email, the attacker baits the victim into clicking a malicious link or downloading a malicious attachment to install malware on their machine.


W-2 business email compromise (BEC) attack

Attack type: BEC
Attack objective: Steal employee or organization information
W-2 Request

In this W-2 attack, the scammer poses as a manager or executive and targets HR staff to steal the W-2s and personal information of employees. With this BEC attack, the scammer doesn’t need access to a network or business systems. Instead, they only need the victim to reply to the email with the requested information.


Free online access to tax forms

Attack type: Drive by or data entry
Attack objective: Steal employee information or credentials
Tax Form Management Access

Generic offers to access your tax documents are another popular phishing tactic used to redirect victims to a malicious website. These attacks may also redirect the victim to a spoofed login page to steal the victim’s personal information such as their social security number.


Tax preparation software drive by

Attack type: Drive by
Attack objective: Redirect to malicious site
H&R Block – File Your Taxes

Some scams approach tax season from the opposite direction by impersonating tax preparation software, services or CPAs. These attacks work like most common drive by attacks, but leverage tax season to create urgency with short-term or extravagant offers.


Tax return credential theft

Attack type: Drive by or data entry
Attack objective: Steal employee information or credentials
TurboTax – Return Accepted

In an even more sinister variation on tax preparation scams, some hackers attempt to steal login credentials to access victims’ tax software accounts. Once they gain access, attackers can retrieve personal information and documents or interfere with the victim’s filing process or tax return.


IRS tax notice

Attack type: Attachment, drive by or BEC
Attack objective: Steal employee information or credentials
Tax Notice

Although the IRS insists it will never contact taxpayers via email, text message or social media, scammers continue to use these tactics to trick victims into clicking malicious links, downloading attachments or even sending payments. Although these attacks peak during tax season, they are frequently used year-round.

Teach Your Kids to #BeCyberSmart and Own Their Cyber Safety

Kids aged eight to 12 currently spend an average of six hours a day online and face issues like identity theft, cyberbullying and cyber predators. By next year, there will be over 31 billion connected Internet of Things (IoT) devices. This means even more toys that connect to Wi-Fi in your house, more multiplayer games your kids play with internet strangers, increased use of tablets at school and phones on the bus and even more serious security and safety threats.

The best way to fight cybercriminals is through education and that can start at any age. As parents, caregivers, teachers and school administrators, we teach our children to learn how to safely cross a road and who to call in case of an emergency. We must also teach our kids proactive digital privacy and online safety behavior and give them the tools to own their own cyber safety.

Read the full post on StaySafeOnline

Most Marketable Skills for Cybersecurity

Technologist Talk covers which skills are most marketable for IT candidates interested in today’s most in-demand market: cybersecurity. Guest expert and CompTIA CEO Todd Thibodeaux makes the case that soft business skills (such as researching, writing, teaching, learning and collaborating) are what set candidates apart from the cybersecurity crowd in the eyes of employers.

Technologist Talk

E15: Why Employers Seeking Cybersecurity Talent Look First for Soft Business Skills


“[A talent for teaching matters in a cybersecurity career because] it’s about passing down the knowledge, sharing what you know, the value of analogy, and story, and examples. Being able to teach in a way that you wouldn’t think is teaching, but it is because you’re looking at that other person’s perspective, and you’re not only thinking about what is it that they should know, but how they can best consume it… In cybersecurity, that’s especially true when talking about complex issues and timely and sensitive things. You have to be clear and concise in your communication.”

– Todd Thibodeaux, President and CEO, CompTIA

October is National Cyber Security Awareness Month

October is National Cyber Security Awareness Month, and to celebrate, the IT Security Team has a variety of Cyber Security events planned for each week.

  • Week 1: IT Security will be hosting an online Cyber Security Lunch and Learn about “IT Security: What do we do?” on Friday, October 4, 2019 from 1:00-2:00 p.m.
  • Week 2: Each day of the week, we will post short videos about passwords and password security on the new IT Security Website.
  • Week 3: On Thursday, we will be posting a video of a cyber-attacker targeting the University of Tulsa, where you can watch the steps they take to get into our stuff.
  • Week 4: The campus community is invited to participate in a Cyber Security Awareness Game, where each day participants will act like hackers and find clues spread around the campus.
  • Week 5: On Thursday at 2:00, we will have a Cyber Security Meeting open to all University employees, with a panel of security professionals ready to answer your questions about Cyber Security.

If you would like to participate in the Cyber Security Awareness Month Events, please email us at cyber@utulsa.edu. All employees are welcome and encouraged to participate!

Update iOS to fix an issue that impacts third-party keyboards

Update to iOS 13.1.1 or iPadOS 13.1.1 to fix an issue that impacts third-party keyboards on your iPhone, iPad, or iPod touch.

Third-party keyboard extensions in iOS can be designed to run entirely standalone, without access to external services, or they can request “full access” to provide additional features through network access. Apple has discovered a bug in iOS 13 and iPadOS that can result in keyboard extensions being granted full access even if you haven’t approved this access.

View the issue details and update your device

Scamming You Through Social Media

“Attempts to scam or fool you can happen over almost any form of communication you use—from Skype, WhatsApp, and Slack to Twitter, Facebook, Snapchat, Instagram, and even gaming apps. Communication over these platforms or channels can feel more informal or trustworthy, which is precisely why attackers are using them to fool others. In addition, with today’s technologies, it has become much easier for any attacker anywhere in the world to pretend to be anything or anyone they want. It is important to remember that any communications that come your way might not be what they seem and that people are not always who they appear to be.”

Read the full article

Privacy Tips for Parents

In today’s world, digitally connected families must think about safety and security both online and offline. Every child is taught basic safety and security, like not talking to strangers and looking both ways before crossing the street. Teaching young people easy-to-learn life lessons for online safety and privacy begins with parents leading the way.

  • Share with care – what you post can last a lifetime
  • Personal information is like money. Value it. Protect it.
  • Post only about others as you would like to have them post about you
  • Own your online presence
  • Remain positively engaged
  • Stay current. Keep pace with new ways to stay safe online

https://staysafeonline.org/get-involved/at-home/privacy-tips-parents/