Showing posts with label cyber security. Show all posts

Friday, August 23, 2024

Message from the CIO: Changes to Duo Push Authentication

To the Manhattan University Community,

In an effort to increase our Cybersecurity posture, Duo will enable Verified Duo Push starting tomorrow, Saturday, August 24th, 2024.

Verified Duo Push enables Manhattan University to be more secure in its authentication process. Instead of just hitting the green approve button, it will now ask you for a 4-digit code when you send a Duo Push to your mobile device.

If you have any questions, please send an email to its@manhattan.edu.

Thank you for your time and cooperation in this matter.

Sincerely,
Melvin Lasky
Chief Information Officer
Information Technology Services


Friday, March 15, 2024

Act Fast! Weekly Stipend of $500!

While the clickbait title may seem heartless, it is intended to protect you, your loved ones, and our community.

We recently experienced a scam job opportunity email campaign. Do not assume that job offers arriving from @gmail.com or @zohomail.com addresses are genuine. The phishing email looked similar to the following.

Friday, January 12, 2024

New Year, Same Old Employment Phishing Campaigns

Happy New Year but let's not wish any good wishes to the phishers.

This morning 2,802 recipients received a phishing email that looked similar to the following.

Friday, December 1, 2023

Hiring Offer That Requires Use of a non-@manhattan.edu Email Address

 

"I assure you" meme regarding how we're not hiring for remote student research positions that require one hour of work for $370/week.


Be aware of a phishing attack offering remote job positions for students that explicitly states that the hiring professor prefers that applicants use their personal email accounts (as opposed to their individual @manhattan.edu email address) or mobile phone for hiring communications.

If you were not scammed, maybe a friend is in the process of being scammed. Talk to your friends about this. Maybe someone you care about will be impacted by this if you do not.

Wednesday, November 8, 2023

Stay alert -- Employee Benefit Scam

This morning, many phishing campaign emails announcing an "employee benefit" were delivered successfully to our Gmail-secured inboxes.

The emails are similar to the following:

From: Leszek Buller <l.buller@uksw.edu.pl>
Subject: 2023 Employees Benefit Program

Dear Employee,

We hope this message finds you in good health and high spirits. We
understand that the past year has been challenging for many, and we want to
extend our support during these difficult times. We are excited to
introduce the 2023 Employees Benefit Program, designed to provide financial
assistance to our valued families and employees.

As part of our ongoing commitment to your well-being, we have established a
program that aims to ease financial burdens and provide some relief. We
have allocated funds to provide *$700* to each family and employee that
meets the designated criteria.

If you or your family have experienced financial hardship and could benefit
from this program, we encourage you to apply. The application process is
now open and will remain so until *November 20, 2023*. To apply, sign in
using the link provided below:

Employees Benefit Program

Sincerely,

*2023-EBP support team*

The hyperlink's URL is an agilecrm.com-hosted credential harvesting form. If you shared your credentials, or are unsure whether you did, please change your JasperNet password.


Credential harvesting form.


Friday, May 19, 2023

Ongoing "Student Employment" scam

This morning, another campaign of "student employment" money mule scam emails was sent from gmail.com accounts.

The emails are similar to the following:

Wednesday, May 3, 2023

How ITS Deals With Phishing Email Campaigns

This afternoon, a phishing email campaign targeted hundreds of Manhattan College individuals. The email resembled the following...

Friday, March 3, 2023

"Vector LMS, Higher Education Edition Online Learning" is not a phishing attack

Between March 2nd 11:45PM and March 3rd 12:30AM, safecolleges.com sent ~1100 emails to our community. These emails are legitimately from a vendor that Human Resources does business with.

Gmail displays a warning banner with a convenient "report phishing" button for most of the safecolleges.com emails.

Do not report these emails as phishing attempts. This email campaign helps the college comply with New York State law regarding sexual harassment.

Wednesday, March 1, 2023

Payroll Phishing Campaign

A malicious actor is sending paycheck picture attachments via email from a forged email address, payrolldepartment@manhattan.edu. An example email is included below.

These emails are "unauthenticated", which means that the sending SMTP (email) server is not authorized to send mail as any @manhattan.edu address. ITS prevents delivery of such emails to ITS-managed @manhattan.edu accounts. ITS also publishes a DMARC policy that tells all receiving SMTP (email) servers to treat unauthenticated @manhattan.edu emails with as much caution as possible. Unfortunately, a DMARC policy is only a request, not a command, so unauthenticated @manhattan.edu emails may still be delivered to phishing targets.
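To make the DMARC point concrete, here is an added example (not code from ITS or from the original post) that evaluates a received message the way a DMARC-aware receiving server does: it reads the SPF and DKIM verdicts from the Authentication-Results header, checks identifier alignment against the From: domain, and returns the disposition that the domain owner's DMARC record requests. The Authentication-Results headers, the DMARC record and the example.edu domain are constructed stand-ins, not manhattan.edu's actual records.

```python
import re
from email.utils import parseaddr

# Constructed Authentication-Results header as a receiving server might stamp on
# a forged "payroll" message: SPF fails for the envelope sender, and no DKIM signature.
FORGED_AUTH_RESULTS = (
    "mx.receiver.example; spf=fail smtp.mailfrom=bounce.bulk-sender.example; dkim=none"
)
FORGED_FROM = "Payroll Department <payrolldepartment@example.edu>"

# Constructed header for a message that the domain's own mail system really sent.
LEGIT_AUTH_RESULTS = (
    "mx.receiver.example; spf=pass smtp.mailfrom=example.edu; dkim=pass header.d=example.edu"
)
LEGIT_FROM = "Human Resources <hr@example.edu>"

# Constructed DMARC record, as it would be published in DNS at _dmarc.example.edu.
DMARC_TXT = "v=DMARC1; p=quarantine; aspf=r; adkim=r; rua=mailto:dmarc@example.edu"


def parse_dmarc_record(txt):
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_auth_results(header):
    """Pull the SPF and DKIM verdicts, and the domain each one vouches for,
    out of an Authentication-Results header."""
    spf = re.search(r"\bspf=(\w+)(?:.*?smtp\.mailfrom=([\w.\-]+))?", header)
    dkim = re.search(r"\bdkim=(\w+)(?:.*?header\.d=([\w.\-]+))?", header)
    return {
        "spf": spf.group(1) if spf else "none",
        "spf_domain": (spf.group(2) or "") if spf else "",
        "dkim": dkim.group(1) if dkim else "none",
        "dkim_domain": (dkim.group(2) or "") if dkim else "",
    }


def org_domain(domain):
    """Organizational domain, simplified to the last two labels
    (a real receiver consults the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_header, auth_results_header, dmarc_txt):
    """Return (dmarc_result, requested_disposition) for one message."""
    _, addr = parseaddr(from_header)
    from_domain = addr.rpartition("@")[2]
    auth = parse_auth_results(auth_results_header)
    rec = parse_dmarc_record(dmarc_txt)
    spf_ok = auth["spf"] == "pass" and aligned(from_domain, auth["spf_domain"], rec.get("aspf", "r"))
    dkim_ok = auth["dkim"] == "pass" and aligned(from_domain, auth["dkim_domain"], rec.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # p= is only what the domain owner asks for; each receiver decides whether to
    # honour it, which is why a forged message can still reach a mailbox.
    return ("fail", rec.get("p", "none"))


if __name__ == "__main__":
    print(evaluate_dmarc(FORGED_FROM, FORGED_AUTH_RESULTS, DMARC_TXT))   # ('fail', 'quarantine')
    print(evaluate_dmarc(LEGIT_FROM, LEGIT_AUTH_RESULTS, DMARC_TXT))     # ('pass', 'none')
```

The returned disposition is exactly that: a request. The receiving server decides whether to quarantine, reject, or deliver anyway, which is why a forged message from the college's domain can still land in a mailbox at another provider even though ITS blocks it for the accounts it manages.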

From: Payroll Department 
Date: Wed, Mar 1, 2023 at 1:39 PM
Subject: **PAYCHECK**
To: [redacted]


Good Day [redacted],

You are receiving this e-mail because your information has been registered and will be
scheduled for weekly payments directly from the Payroll department. The Paycheck that
covers the expenses for the office supplies you will be working with is attached in this
email. A Sales Representative will be assigned to assist you with the purchase of these
items once the funds are available from this deposit. Immediately proceed to make a mobile
deposit and contact your professor in charge once completed for clearance purposes.
Further Assignments as well as your employment documents will be sent once the supplies
are delivered. Kindly inform your professor letting him know that you have received this
email.

I have outlined Instructions on how to make a mobile deposit below.

Print out and cut it to a ( check size/shape ) At the back of your check endorse by
writing your 

Full name

Mobile Deposit Only

Your account number

Sign.

Once you are done, you make a mobile deposit on your mobile banking app

Thank You.
Best Wishes,
Payroll Department.



Please do not reply to this email message. It was sent from a notification-only address
that cannot accept incoming emails.


--
Respectfully,
Office of Financial Aid Administration
4513 Manhattan College Parkway
Riverdale, NY 10471
Phone: 718-862-7100
Fax: 718-862-8027
Monday thru Friday
9:00 am to 4:30 pm
manhattan.edu/finaid

Tuesday, February 28, 2023

Job Opportunity Scam

This afternoon a malicious actor, using a compromised @manhattan.edu account, sent over 2,500 phishing attempts to our organization.

If you received such a message please do not reply to it and do not follow its instructions. If you have already interacted with the malicious actor, do not do so anymore.

Phishing email body announcing a paid position where applicants will be considered on the extremely suspicious basis of first-come-first-served. Recipients are instructed to send their full alias, email address and other information to a redacted 713 area code phone number.

Monday, December 19, 2022

Peering into the Email Quarantine

ITS makes use of Gmail's compliance rules (that are defined by our Google Workspace administrators) to automatically quarantine incoming or outgoing emails.

A recent phishing trend is not to use any visible text in the message body and instead use an image contained within a hyperlink that directs to a malicious login page.

Actual phishing image claiming that the recipient's Manhattan University Outlook account's settings need to be updated for Privacy Policy Action compliance. Also the image claims that the user's inbox is limited to 2GB.

Thankfully, none of these phishing emails were delivered to inboxes, spam folders, etc. They matched an existing email compliance rule and were routed to our organization's email quarantine instead.

Thursday, May 5, 2022

Cybersecurity Group Releases List of Cybersecurity Themes for 2022

Global venture group Team8, which creates and invests in technology and cybersecurity companies, has released its 2022 Cybersecurity Themes report. The report aims to inform the reader about the factors shaping cybersecurity in the near future. Driven by the impact of the pandemic, the growth of remote work and the rise in cyberattacks, these factors, and the solutions associated with them, are being pushed by our governments in order to protect companies and individuals. As the report emphasizes, cyberattacks have lately been trending away from individuals and toward larger entities.


Important Trends Identified:

  • Trend 2 starts by describing the shift in ransomware toward targeting enterprises and whole companies rather than just individuals. Many corporations have physical and digital infrastructure that is at heavy risk, and like in the Colonial Pipeline attack in which ransomware caused a whole pipeline to be shut down, these companies need to heavily invest in cybersecurity.

  • Trend 4 explains that there is an increasing trend in private investment in cybersecurity, like in the areas of cloud adoption and remote work, in order to keep a company’s intellectual property safe.

  • Trend 7, arguably the most important trend, describes the “shift left” happening in software development, in which security concerns are addressed in the earlier stages of development.


There are several more trends discussed in the article. To read about every trend laid out by Team8 and to see their full research, visit the following link:


https://lp.team8.vc/cyber-trends-report-2022

Saturday, April 2, 2022

Phishing Reminder

Every day is a chance to do good. Or, in the case of phishers, to do evil.

Today, ITS detected a phishing email campaign aimed at the Manhattan College community. The phishing email claims to be from the college's "Manhattan Mail Delivery Subsystem." It asks the user to click a phishing link (one that displays a manhattan.edu URL but actually leads to an entirely different domain), log in with their credentials and review undelivered email messages.

Phishing login webpage that is aimed at the Manhattan College community.

Every day the college receives phishing campaigns. This particular campaign is notable for the branding of its phishing login webpage. Notice the differences between this phishing login webpage and the official login webpage that you typically use. Now consider that the phishers could copy the official login webpage's design.

ITS asks you to be mindful of the URL shown in your browser's location bar when you are prompted for your credentials. This will help us to be less vulnerable to such attacks. Also when you see a link be mindful that the text displayed is not necessarily the URL address used (e.g., http://www.google.com).

You may ask what ITS does on its end. First, ITS (along with our email service) attempts to prevent phishing emails from being delivered at all. If phishing emails have been delivered, they are quarantined (i.e., clawed back from inboxes, spam folders, etc.). Second, any recipient who interacted with the phishing email is notified and advised to change their password in case it was phished. Third, the hosting provider is notified of the abuse, as is the sending email address's domain or the host of the sending email server. Lastly, we review our practices with an eye to improving our response to future attacks.
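The two tricks described in these posts, a link whose displayed text is a manhattan.edu URL while its real destination is another domain (this post), and a message body with no visible text at all, only an image wrapped in a link (the "Peering into the Email Quarantine" post above), can both be spotted mechanically in an HTML body. The following is an added example, not ITS's quarantine rule and not code from the original posts; the HTML bodies and the example.net hosts are constructed samples.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkAuditor(HTMLParser):
    """Collect every anchor's href, its visible text, and whether it wraps an
    <img>, plus all visible text in the body (ignoring <script>/<style>)."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.visible_text = []
        self._current = None
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._hidden_depth += 1
        elif tag == "a":
            self._current = {"href": a.get("href") or "", "text": "", "has_img": False}
        elif tag == "img" and self._current is not None:
            self._current["has_img"] = True

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden_depth:
            self._hidden_depth -= 1
        elif tag == "a" and self._current is not None:
            self._current["text"] = self._current["text"].strip()
            self.links.append(self._current)
            self._current = None

    def handle_data(self, data):
        if self._hidden_depth:
            return
        self.visible_text.append(data)
        if self._current is not None:
            self._current["text"] += data


# Visible link text that reads like a URL or a bare hostname.
URL_LIKE = re.compile(r"^(https?://)?([\w-]+\.)+[a-z]{2,}(/\S*)?$", re.I)


def host_of(url):
    """Hostname of a URL; bare text like 'manhattan.edu/mail' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def audit_html_body(html):
    """Return a list of (finding, shown_text, href) tuples for one HTML body."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for link in parser.links:
        shown = link["text"]
        # The displayed text looks like a URL, but the real destination is another host.
        if shown and URL_LIKE.match(shown) and host_of(shown) != host_of(link["href"]):
            findings.append(("mismatched_link_text", shown, link["href"]))
    body_text = "".join(parser.visible_text).strip()
    # No readable text at all, only a clickable image: nothing for a text filter to match.
    if not body_text:
        for link in parser.links:
            if link["has_img"]:
                findings.append(("image_only_link", "", link["href"]))
    return findings


# Constructed HTML bodies; the example.net and example.edu hosts are placeholders.
MAIL_DELIVERY_PHISH = """<p>Manhattan Mail Delivery Subsystem: 3 messages were not delivered.</p>
<p>Review them at <a href="http://login-review.example.net/mail">https://manhattan.edu/mail</a></p>"""

IMAGE_ONLY_PHISH = """<html><body><a href="http://update-settings.example.net/outlook">
<img src="cid:notice.png" alt=""></a></body></html>"""

LEGITIMATE = """<p>Benefits enrollment is open. Sign in at
<a href="https://example.edu/hr">https://example.edu/hr</a> or ask <a href="mailto:hr@example.edu">HR</a>.</p>"""

if __name__ == "__main__":
    for body in (MAIL_DELIVERY_PHISH, IMAGE_ONLY_PHISH, LEGITIMATE):
        print(audit_html_body(body))
```

The first check is the programmatic form of the advice above: compare what the link says with where the href goes, and treat a disagreement between the two hostnames as a red flag. The second check is the shape of a rule that can catch image-only messages, which is why they end up in quarantine rather than in an inbox.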

Monday, January 3, 2022

Updated Cyber Security Requirements

New Cyber Security Requirements

As you surely have seen in the news or in your personal life recently, cyber attacks continue to develop and increase in frequency and complexity.  Many organizations - including major technology and social media companies - are taking additional steps to ensure that the accounts of their employees and customers remain well-protected.  Manhattan College has not been immune to these attacks and associated risks and we are now being required to implement stricter controls for our community members who access institutional data.  Given this new reality, two specific requirements that we must meet are as follows:

  • All Employees must complete a yearly Cyber Security training program (More information will be coming about this shortly. This must be completed by January 21st, 2022)

  • All Employees must enroll their JasperNet account in Multi-Factor Authentication (MFA or 2SV) (Must be enrolled by January 18th or you will be auto-enrolled)



MFA Support Sessions


ITS will be offering support sessions with members from the Technology Training team for those who will need to enable DUO Multi-Factor Authentication on their JasperNet accounts. Below please find more information about the drop-in training sessions. There is no signup required.

When:

  • January: 5th, 12th, 18th, and 19th from 11:00am-2:00pm


Where: MGL 305 (Computer Lab)

Please remember to bring your cell phone to complete the setup.

If you are unable to attend or have any questions please contact its@manhattan.edu and someone from the Training Team will reach out to schedule a separate time and answer any questions you may have.

Wednesday, December 22, 2021

Critical Java Vulnerability (Log4j)

In a computer program, a logging library's purpose is to record events to a file. These events could be a request for a web page, a user reporting a crash, a sensor reporting a harmful temperature, a chatbot question from a potential consumer, etc. There is a rule in secure programming to never trust user input, because the input could be constructed to subvert the program. The idea that a logging library would parse log event data is incredibly stupid, and the fact that this was the default behavior of Log4j 2 until the recent 2.15 release is the basis of the current nightmare incident we are living through.

Technology vulnerabilities are reported using the CVE (Common Vulnerabilities and Exposures) system that is maintained by The MITRE Corporation. So far, three CVEs exist due to the Log4j vulnerability and they are:

The first CVE, CVE-2021-44228, has earned a perfect ten from CVSS, which is a scoring system to measure the severity of a given vulnerability. Many security experts have jokingly wondered what a perfect ten would be given that other widely deployed software with critical vulnerabilities rarely earn a 9.8. This Log4j situation is no joke, though.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published guidance for the Log4j incident.

Additionally, CISA has established a community sourced GitHub repository.

The Apache Foundation maintains Log4j 2 and publishes the Log4j 2 Change Release History Log.

ITS is tracking the evolving nature of this situation so that our organization is not impacted. If you have any concerns about particular software, services, etc. that you use at the College please email its@manhattan.edu.

Monday, November 29, 2021

New Cyber Security Requirements

As you surely have seen in the news or in your personal life recently, cyber attacks continue to develop and increase in frequency and complexity.  Many organizations - including major technology and social media companies - are taking additional steps to ensure that the accounts of their employees and customers remain well-protected.  Manhattan College has not been immune to these attacks and associated risks and we are now being required to implement stricter controls for our community members who access institutional data.  Given this new reality, two specific requirements that we must meet are as follows:

  • All Employees must complete a yearly Cyber Security training program (More information will be coming about this shortly. This must be completed by January 21, 2022)

  • All Employees must enroll their JasperNet account in Multi-Factor Authentication (MFA or 2SV) (Must be completed by January 18th, 2022 or you will be auto-enrolled)


Cyber Security Training

ITS is actively working with our insurance provider to develop a yearly Cyber Security training program that must be completed on a yearly basis starting in January 2022.  More information about the cyber security training program will be made available in the new year and must be completed by December 31st each year.  Content for the initial training program will be delivered by our insurance provider, however, we will assess the program throughout the year and provide the opportunity for campus experts to participate in determining and developing the curriculum for following years in alignment with the same requirements of the insurance provider.  ALL employees (including Faculty, Graduate Assistants, and Student Employees) will be required to complete this course yearly.


Multi-Factor Authentication

Multi-Factor Authentication (MFA) - sometimes referred to as Two-Step Verification (2SV) - will be required for all employees going forward and must be implemented no later than January 2022.  While Manhattan College has previously taken a very targeted and calculated approach to require MFA based on a “risk score” (i.e. users that access Banner or other escalated access), we must now require MFA for ALL employees (including Faculty, Graduate Assistants, and Student Employees).  To date, over 670 community members have already enrolled in MFA.  ITS will be contacting community members that still need to enroll in MFA in the coming days to provide instructions and support for enabling MFA by 1/18/2022.


MFA Support Sessions


ITS will be offering support sessions with members from the Technology Training team for those who will need to enable DUO Multi-Factor Authentication on their JasperNet accounts. Below please find more information about the drop-in training sessions. There is no signup required.

When:

  • January: 12th, 18th, and 19th (all Wednesdays) from 11:00am-2:00pm


Where: MGL 305 (Computer Lab)

Please remember to bring your cell phone to complete the setup.

If you are unable to attend or have any questions please contact its@manhattan.edu and someone from the Training Team will reach out to schedule a separate time and answer any questions you may have.


Wednesday, October 6, 2021

Phishing Campaign -- $1,499 iCloud Orders

Today multiple gmail.com accounts sent emails to a fraction of our organization. The emails claim that the recipient would be charged $1,499 for their 12TB iCloud storage plan.

This is a good opportunity to announce that October is Cyber Security Awareness Month. It is best to keep in mind that any email may be a scam and that we are all one degree away from criminals.

The most common IT crime still is Business Email Compromise (BEC) even though ransomware is increasing rapidly. It is best to be mindful of how to parse an email address and to do your best to understand who is emailing you.

Email addresses are formed by concatenating a username, the '@' sign and a domain (e.g., bob@example.com). Sometimes people are confused by the common phishing addresses that place a domain inside the username (e.g., bob.manhattan.edu@example.com). Understand that such email addresses are available to anyone, including criminals; the real domain is whatever follows the '@'.
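An added example (not code from the original post) that applies this parsing rule: it takes the real domain from the text after the last '@' and flags an address that mentions the college's domain in its username while the actual domain is something else. It goes one step beyond the post by also checking the display name, which senders control just as freely as the username. The sample addresses are constructed.

```python
from email.utils import parseaddr

# The college's own domain, taken from the post; everything else is "external".
ORG_DOMAIN = "manhattan.edu"


def classify_sender(header_value, org_domain=ORG_DOMAIN):
    """Return (category, real_domain) for a From: header value.

    The real domain is whatever follows the LAST '@' in the address part;
    everything before it (the username) and the display name are chosen by
    the sender and may mention any domain they like.
    """
    display_name, addr = parseaddr(header_value)
    username, at, domain = addr.rpartition("@")
    if not at or not domain:
        return ("invalid", "")
    domain = domain.lower()
    if domain == org_domain or domain.endswith("." + org_domain):
        return ("internal", domain)
    # An external address that mentions the college in the username or in the
    # display name is the lookalike pattern the post warns about.
    if org_domain in username.lower() or org_domain in display_name.lower():
        return ("lookalike", domain)
    return ("external", domain)


# Constructed sample senders.
SAMPLES = [
    "alice@manhattan.edu",
    "Bob <bob@example.com>",
    "bob.manhattan.edu@example.com",
    '"hr@manhattan.edu" <hiring.office@example.com>',
    "not-an-address",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:50} -> {classify_sender(sample)}")
```

Note the fourth sample: mail clients often show only the display name, so a message can appear to come from "hr@manhattan.edu" while the address after the '@' is an external domain. Expanding the full sender, or running it through a check like this, reveals the difference.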

If you receive a phishing email, you can report it to Gmail if you're using the web interface (not the Gmail mobile app, unfortunately). Google will alert ITS!

Gmail's 'Report phishing' feature is under a vertical ellipsis in the upper-right of an email.

You can also forward the email to its@manhattan.edu. If you are unsure if an email is a phishing email, please forward it to its@manhattan.edu. We can help to determine what is what and if necessary report the email as a phishing attempt to Google.

Monday, September 20, 2021

Cyber Security: What is it?

As we make our way into the future, with the world becoming more digital by the day, it is important that we are all cyber aware and understand the meaning of cyber security. In an article written by Sharon Shea, cyber security is explained to be “the protection of internet-connected systems such as hardware, software and data from cyberthreats”. Cyber security is broken up into many sections, including:

  • Data security 

  • Network security 

  • Cloud security 

All sections are important to the success of a cyber security program.


Cyber security’s importance increases as the number of users, devices and programs continues to grow. This forces us to learn about the threats we are exposed to every day and how we can prevent them. Some threats include:

  • Malware

  • Social engineering

  • Phishing 

By keeping up with the changing risks, we can make our own changes, as simple as enabling a firewall or creating complex and unique passwords for our different accounts. There are several tips you can follow, including the ones in this blog post.


With our growing cyber awareness, the need for professionals in the field also grows. Cyber security comes with multiple opportunities to start a career. Some security roles include:

  • Security engineers

  • Security Architects

  • Security Analysts

Many other career paths are available within the field of cyber security, and the industry is in high demand for professionals who can fill such roles.


The growth of cyber security comes with knowledge we should all be aware of, including the risks, preventative measures, and the job opportunities it opens. Cyber security is taking on the world at an increasing pace. 


Source: Shea, Sharon, et al. “What Is Cybersecurity? Everything You Need to Know.” SearchSecurity, TechTarget, 25 May 2021, searchsecurity.techtarget.com/definition/cybersecurity. 




Tuesday, February 23, 2021

What is Ransomware & How Can You Protect Yourself From It?

Ransomware is a class of malware that prevents you from accessing your systems or data and demands a sum of money in return for the decryption key. This has resulted in billions of dollars in losses, with over 2 million incidents reported in 2019. These kinds of cyberattacks are getting more complex and are holding organizations hostage until they pay millions in ransom. Ransomware attacks have a new target every 14 seconds and have the ability to shut down digital operations, steal information, and exploit businesses, essential services, and individuals.


Below are precautions to protect you against the threat of ransomware:
  • Update software and operating systems. Outdated applications and operating systems are the target of most attacks.

  • Never click on links or open attachments in unsolicited emails.

  • Backup data on a regular basis. Keep it on a separate device and store it offline.

  • Restrict permissions to install and run software applications.

  • Enable strong spam filters to prevent phishing emails from reaching you and authenticate inbound email to prevent email spoofing.

  • Scan all incoming and outgoing emails to detect threats.

  • Configure firewalls to block access to known malicious IP addresses.

For more information on Ransomware and how to defend against it please check out these articles: 

Friday, October 23, 2020

5 Steps to Protecting Your Digital Home

Now that devices like digital door locks, refrigerators and smart assistants have become prevalent in American homes, hackers have a new set of devices to target.

The National Cybersecurity Alliance has written the above poster to shed light on ways to combat this. Extra measures like those listed below are good ways to put an extra blocker on the two primary places of hacker access into our lives.

  • Secure Wi-Fi 

  • Dual-Authentication Logins (Like Duo!)

  • Constantly checking for software updates from our hardware and software makers is also crucial since the updates are usually made in direct response to potential vulnerabilities. 

  • Limiting the information being posted on social media regarding your location will impede a hacker’s ability to pinpoint your home to begin hacking

For more information and tips on protecting your devices and yourself, please check out this digital poster.

Special thanks to Lisa Juncaj for passing this poster along!