Check out the Recent Quadrangle Article about MC ITS STARS!!!

View the recent quadrangle article about the ITS STARS.

Extortion Emails Did Not Stop

Did you forget our July 2018 extortion email blog post? We didn't. Extortion emails including an old breached password from a non Manhattan College affiliated computer service (e.g., LinkedIn, Tumblr, Adobe, etc.) have been continuing to arrive to Manhattan College community email inboxes demanding money or else the extortionists will release risqué videos.


From September 17th until October 16th, we received 32,474 emails with a subject that began with Your password is. They were aimed at 576 different manhattan.edu accounts and used 977 throwaway email accounts to send the messages.

• Several password best practices to consider: Use a password manager to store a distinct, random password per company you do business with.
• Never use your JasperNet password elsewhere.
• If you know that one of your accounts has been breached, whatever password was used is now compromised and can never be used again.
• Do not use passwords such as Homework2 or password123 and instead use passwords that are longer & are not mostly dictionary words.
• Always reach out to ITS when a dialogue is desired.
  
           Email:  its@manhattan.edu  or  TEL: 718-862-7973

Also consider signing up for password breach alerts. You can use a website such as Have I Been Pwned or a browser-based solution such as Firefox Monitor.


A few popular password managers are on the market. Remember that you can use distinct, random passwords using the following sites: LastPass (free), DashLane (free), or 1Password (30 day free trial). You must make sure that your master password to your password manager is never lost and that you must do regular backups of your password vaults. If you lose your master password, you will not be able to access your password vault.


How to Protect Yourself From Scams Like This:

Step up to Stronger Passwords

I Clicked on a Phishing Scam Email... What now?

Partially reposted from:  10/25/18 Harvested Passwords Used in Email Extortion | AT&T ThreatTraq

IT Services Staff tours Crestron Headquarters

In our effort to meet the demand for high performance technology in our classrooms, Manhattan College IT Services Client Services & Operations (CS&O) team visited the Crestron headquarters in Rockleigh, New Jersey.  Crestron is a leader in classroom technology and their products are found in leading universities around the globe.
Our CS&O staff toured the Crestron headquarters in order to gain more knowledge on how to optimize our current podium units and view new options for Crestron's easy to use tools for our campus classrooms.
Further details on Crestron products.
Feel free to reach out to ITS with any questions or support on the Crestron control units in our classrooms:
its@manhattan.edu      TEL:  718-862-7973

Jamboard Training O'Malley Library Nov 2 & Nov 7

IT Services is presenting Jamboard Training Sessions on the following dates:

• November 2 from 1:00 to 2:00 pm
• November 7 from noon to 1:00 pm

Location:  O’Malley Library Jamboard Room #401

The following topics will be covered:

• Demo a Jamboard and its features 
• Overview of the system of ownership and collaborators
• Using the Tool Set
• Pushing a Jam to the Jamboard
• Ending a Jamboard session

We will be able to address any Jamboard Related questions you may have.

An ITS student worker will be presenting the training.

Jamboards are for student use and a Jamboard is located in:

O'Malley Library Study Room 401 & O'Malley Library Study Room 314

Step Up to Stronger Passwords

Weak and reused passwords continue to be a common entry point for account or identity takeover and network intrusions. Simple steps and tools exist to help your end users achieve unique, strong passwords for their dozens of accounts. Help your community members improve their individual and collective security by sharing the following tips.

A password is often all that stands between you and sensitive data. It’s also often all that stands between a cybercriminal and your account. Below are tips to help you create stronger passwords, manage them more easily, and take one further step to protect against account theft.

• Always: Use a unique password for each account so one compromised password does not put all of your accounts at risk of takeover.
• Good: A good password is 10 or more characters in length, with a combination of uppercase and lowercase letters, plus numbers and/or symbols — such as pAMPh$3let. Complex passwords can be challenging to remember for even one site, let alone using multiple passwords for multiple sites; strong passwords are also difficult to type on a smartphone keyboard (for an easy password management option, see “best” below).
• Better: A passphrase uses a combination of words to achieve a length of 20 or more characters. That additional length makes its exponentially harder for hackers to crack, yet a passphrase is easier for you to remember and more natural to type. To create a passphrase, generate four or more random words from a dictionary, mix in uppercase letters, and add a number or symbol to make it even stronger — such as rubbishconsiderGREENSwim$3. You’ll still find it challenging to remember multiple passphrases, though, so read on.
• Best: The strongest passwords are created by password managers — software that generates and keeps track of complex and unique passwords for all of your accounts. All you need to remember is one complex password or passphrase to access your password manager. With a password manager, you can look up passwords when you need them, copy and paste from the vault, or use functionality within the software to log you in automatically. Best practice is to add two-step verification to your password manager account. Keep reading!
• Step it up! When you use two-step verification** (a.k.a., two-factor authentication or login approval), a stolen password doesn’t result in a stolen account. Anytime your account is logged into from a new device, you receive an authorization check on your smartphone or other registered device. Without that second piece, a password thief can’t get into your account. It’s the single best way to protect your account from cybercriminals.

**Please note: this option is not available for Manhattan College accounts but should be considered for external (personal) accounts.

How to pick a proper password.

Partially reposted from http://er.educause.edu/blogs/2016/11/may-2017-step-up-to-stronger-passwords

COMPLETE: Horan Hall - Brief Network Outage 10/19 at 2pm

COMPLETE: As of 3:40pm, this generator test has been completed.

Physical Plant will be conducting a generator test in Horan Hall Friday, October 19th at approximately 2pm. 

There will be two brief outages, one while switching to generator power, the other while switching back to main power.

This will not affect the rest of campus.

If you have any questions, please contact ITS at its@manhattan.edu or at extension x-7973. We apologize for this inconvenience. 

Beef up IT Physical Security

Employing good physical security practices is just as important as strong passwords and refusing phishing bait.  Getting the word out to our campus about the importance of a few basic physical security tips can substantially improve Manhattan College's security risk profile.
Below are some tips to raise awareness:

• Prevent tailgating. In the physical security world, tailgating is when an unauthorized person follows someone into a restricted space. Be aware of anyone attempting to slip in behind you when entering an area with restricted access.

• Don't offer piggyback rides. Like tailgating, piggybacking refers to an unauthorized person attempting to gain access to a restricted area by using social engineering techniques to convince the person with access to let them in. Confront unfamiliar faces! If you're uncomfortable confronting them, contact campus safety.
• Put that shredder to work! Make sure to shred documents with any personal, medical, financial, or other sensitive data before throwing away. Organizing campus-wide or smaller-scale shred days can be a fun way to motivate your community to properly dispose of paper waste.
• Be smart about recycling or disposing of old computers and mobile devices. Make sure to properly destroy your computer's hard drive. Use the factory reset option on your mobile devices and erase or remove SIM and SD cards.
• Lock your devices. Protecting your mobile devices and computers with a strong password or PIN provides an additional layer of protection to your data in the event of theft. Set your devices to lock after a short period of inactivity; lock your computer whenever you walk away. If possible, take your mobile devices and/or laptop with you. Don't leave them unattended, even for a minute!
• Lock those doors and drawers. Stepping out of the room? Make sure you lock any drawers containing sensitive information and/or devices and lock the door behind you.
• Encrypt sensitive information. Add an additional layer of protection to your files by using the built-in encryption tools included on your computer's operating system.
• Back up, back up, back up! Keeping only one copy of important files, especially on a location such as your computer's hard drive, is a disaster waiting to happen. Make sure your files will still be accessible in case they're stolen or lost by backing them up on a regular basis to multiple secure storage solutions.
• Don't leave sensitive data in plain sight. Keeping sensitive documents or removable storage media on your desk, passwords taped to your monitor, or other sensitive information in visible locations puts the data at risk to be stolen by those who would do you or your institution harm. Keep it securely locked in your drawer when not in use.
• Put the laptop in your trunk. Need to leave your laptop or other device in your car? Lock it in your trunk (before arriving at your destination). Don't invite criminals to break your car windows by leaving it on the seat.
• Install a remote location tracking app on your mobile device and laptop. If your smartphone, tablet, or laptop is lost or stolen, applications such as Find My iPhone/iPad/Mac or Find My Device (Android) can help you to locate your devices or remotely lock and wipe them.

Physical Security Awareness:

Partially reposted from Educause:  Beef Up Your Physical Security

Computer Lab Software Request Deadline for Spring 2019 is November 9, 2018

If you would like to request an upgrade of a software already installed in the computer labs or if you would like us to install a new software in the computer labs on campus, please fully read through the information on the link provided and fill out the Software Request form here. (click the big green box that says “Request Service”)

Note that software listed here is already scheduled to be installed, it is not necessary to submit requests for software, unless updating to a new version.

Please note that fully completed forms are required for any change to the labs, even for free software. All software installation media and licenses are also required by the due date.

Requests for the Spring 2019 semester should be submitted by November 9, 2018. Requests submitted after the deadline may not be installed in the labs for the Spring 2019 semester. This is because we need time to develop an installation procedure and test the software in the lab environment before deploying the software. We also require a number of weeks to deploy the lab images across campus, which means our solutions need to be complete and tested several weeks prior to classes beginning.

Please submit your Software Request forms ASAP.

RESOLVED: JasperNet SSO Authentication Issue

RESOLVED:

ITS is currently investigating an issue affecting JasperNet SSO authentication.  Users attempting to access JasperNet services may be receiving the following error message:

Windows 7 End of Life Schedule

Every Windows product has a life cycle. The life cycle begins when a product is released and ends when it's no longer supported. Knowing key dates in this life cycle helps you make informed decisions about when to update, upgrade or make other changes to your software. 

Windows 7 Support will end January 14, 2020.

Microsoft Support Reference to determine: Which Windows operating system am I running?

Solution

Manhattan College ITS loads Windows 10 on all ITS supported compatible devices.

Next Steps

If you happen to have a computer with Windows 7 please upgrade your computer before January 14, 2020.  You can contact ITS for assistance.

• Email: its@manhattan.edu
• Call: 718-862-7973

Further details:  Windows 7 End of Life Schedule 

Partially reposted from Which Windows operating system am I running? and Windows lifecycle fact sheet

Jamboard Training O'Malley Library Nov 2 & Nov 7

IT Services is presenting Jamboard Training Sessions on the following dates:

• November 2 from 1:00 to 2:00 pm
• November 7 from noon to 1:00 pm

Location:  O’Malley Library Jamboard Room #401

The following topics will be covered:

• Demo a Jamboard and its features 
• Overview of the system of ownership and collaborators
• Using the Tool Set
• Pushing a Jam to the Jamboard
• Ending a Jamboard session

We will be able to address any Jamboard Related questions you may have.

An ITS student worker will be presenting the training.

Jamboards are for student use and a Jamboard is located in:

O'Malley Library Study Room 401 & O'Malley Library Study Room 314

Phishing: An Introduction

Chances are good that at some point you’ve received a suspicious email urging you to click on a link or open an attachment. This email was most likely an example of the cybercrime known as phishing. This article serves as an introduction to phishing: what it means, how it affects individuals and organizations, and how security awareness and training tools can be used to reduce the threat of these attacks.
What is Phishing?
Phishing is when cybercriminals send malicious emails designed to trick people into falling for a scam. The intent is often to get users to reveal financial information, system credentials, or other sensitive data.

The term “phishing” came about in the mid-1990s, when hackers began using fraudulent emails to “fish for” information from unsuspecting users. Since these early hackers were often referred to as “phreaks,” the term became known as “phishing,” with a “ph.” Phishing emails try to lure you in and get you to take the bait. And once you’re hooked, you’re in trouble.

Phishing is an example of social engineering: a collection of techniques scam artists use to manipulate human psychology. Social engineering techniques include forgery, misdirection, and lying, all of which can play a part in phishing attacks. On a basic level, phishing emails use social engineering to encourage you to act without thinking things through.

Why Is Phishing a Problem?

Cybercriminals use phishing because it’s easy, cheap, and effective. Email addresses are easy to obtain, and emails are virtually free to send. With little effort and little cost, attackers can quickly gain access to valuable data. Those who fall for phishing scams may end up with malware infections (including ransomware), identity theft, and data loss.

The data cybercriminals go after includes personal information — like financial account data, credit card numbers, and tax and medical records — as well as sensitive business data, like customer names and contact information, proprietary product secrets, and confidential communications.

Cybercriminals also use phishing attacks to gain direct access to email, social media, and other accounts — or to obtain permissions to modify and compromise connected systems, like point of sale terminals and order processing systems. Many of the biggest data breaches — like the headline-grabbing 2013 Target breach — start with a phishing email. Using a seemingly innocent email, cybercriminals can gain a small foothold and build on it.

Cybercriminals use three primary mechanisms within phishing emails to steal your information: malicious web links, malicious attachments, and fraudulent data-entry forms. 
Example of Malicious Web Links:

Links, also known as URLs, are common in emails in general, and also in phishing emails. Malicious links will take you to imposter websites or to sites infected with malicious software, also known as malware. Malicious links can be disguised to look like trusted links, and embedded in logos and other images inside an email.

Here is an example of an email received by users at Cornell University, an American college.  It is a simple message that showed "Help Desk" as the name of the sender (though the email did not originate from the university’s help desk, but the @connect.ust.hk domain). According to Cornell’s IT team, the link embedded in the email took clickers to a page that looked like the Office 365 login page. This phishing email attempted to steal user credentials.

Example of a Malicious Attachment:

These look like legitimate file attachments, but are infected with malware that can compromise your computer and the files on it. In the case of ransomware — a type of malware — all of the files on your PC could become locked and inaccessible. Or, a keystroke logger could be installed to track everything you type, including your passwords. It’s also important to realize that ransomware and malware infections can spread from your PC to other networked devices, such as external hard drives, servers, and even cloud systems.

Here is an example of phishing email text shared by international shipper FedEx on its website. This email encouraged recipients to print out a copy of an attached postal receipt and take it to a FedEx location to get a parcel that could not be delivered. Unfortunately, the attachment contained a virus that infected recipients’ computers. Variations of these types of shipping scams are particularly common during the Christmas shopping season, though they are seen year-round.

Fraudulent Data Entry Forms

These emails prompt you to fill in sensitive information — like user IDs, passwords, credit card data, and phone numbers. Once you submit that information, it can be used by cybercriminals for their personal gain.

The above image is an example of a fake landing page shared on the gov.uk website. After clicking on a link in a phishing email, users would be routed to this fraudulent page that appears to be part of the HMRC tax collection agency. Users are told they are eligible for a refund but must complete the form. This type of personal information can be used by cybercriminals for a number of fraudulent activities, including identity theft.

It’s important to recognize the consequences of falling for a phishing attack, either at home or at work. Here are just a few of the problems that can arise from falling for a phish:

In Your Personal Life

• Money stolen from your bank account
• Fraudulent charges on credit cards
• Tax returns filed in your name
• Loans and mortgages opened in your name
• Lost access to photos, videos, files, etc.
• Fake social media posts made in your accounts.

60 Seconds to Better Security video

Partially reposted from Wombat Security: Phishing: An Introduction

At Work

• 
  
• Loss of corporate funds
• Exposed personal information of customers and coworkers
• Outsiders access to confidential communications, files, and systems
• Files become locked and inaccessible
• Damage to employer's reputation

Where is Your Student Data Stored and How is it Being Secured?

Best Practices to Guard against Cyber Threats, Especially from Third-Party Vendors

By John Ramsey
National Student Clearinghouse Chief Information Security Officer

The National Student Clearinghouse, EDUCAUSE and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) released today the white paper, “Cybersecurity: Why It Matters to Registrars, Enrollment Managers and Higher Education,” to kick off October as National Cybersecurity Awareness Month.

Registrars and enrollment managers play central roles in an institution’s cybersecurity posture. The choices they make each day directly affect student data security. Yet there can be a disconnect between that data’s primary custodians and the information technology (IT) department that manages the systems on which the information is stored. It is imperative that both the registrar’s office and enrollment management office are in lockstep with the IT department with respect to the institution’s cybersecurity efforts, to guard against cyber threats, especially from third-party vendors.

Also, if administrators are using third-party vendors, where is student data stored and how is it being secured? If registrars and enrollment managers do not know, it’s time to find out. This is the only way they can fulfill their responsibility as a careful steward of student data.

The most important cost to keep in mind is the long-term cost that students face after they have had their personal information stolen, which can translate into lifelong negative effects if their data is used.

The white paper is based on the Clearinghouse’s 25-year record of maintaining the confidentiality and privacy of student records and frequent cybersecurity conversations with registrars, enrollment managers and other institution officials, EDUCAUSE and REN-ISAC’s cybersecurity work over many years, and current best practices expressed in two recent major reports.

To learn about other best practices to guard against cyber threats, especially from third-party vendors, review “Cybersecurity: Why It Matters to Registrars, Enrollment Managers and Higher Education” today for guidance from the Clearinghouse, EDUCAUSE and REN-ISAC.

If administrators are using third-party vendors, where is student data stored and how is it being secured? If registrars and enrollment managers do not know, it’s time to find out.

partially reposted from: National Student Clearinghouse Blog, Oct 1, 2018

Subscribe to the ITS Blog

In addition to keeping you up to date on how technology is changing at Manhattan College, subscribing to the ITS Blog will also give you the most current information on ITS News and any outage updates that are occurring across campus.

Once you subscribe, you will receive an email notification with a link to the new blog post.

Instructions for Subscribing to the ITS blog:

1. Navigate to the ITS Blog
2. Scroll down on the right side until you see:

3. Type your email address and select Submit.

After you have entered your email you will receive new blog posts by email.

New Ways to Create, Edit and Share Your Jams with the Latest Jamboard Update

With this month’s release, Google has added two highly requested features from customers that help you jam from anywhere and give you more control when sharing your work: creating and editing jams from the web and a “View Only” mode.

Create and edit your jams in a web browser

While users have always been able to view a jam from any device, editing and collaborating on a jam has been limited to touch devices (like the physical kiosk, tablets, and smartphones).

Now, you can create and edit your jams on the web too. With the new updates to the Jamboard web experience, everybody on your team can join in and collaborate on a session in their web browser. This means that anybody in the meeting can participate, whether they want to edit a sketch from a laptop or quickly type up sticky notes during a brainstorm.

We’ve found that this makes using and adopting Jamboard much easier for most teams and organizations.

Share and protect your work with View Only mode

Sometimes you want to share something to collaborate, but other times you want to share something that’s complete. Perhaps it’s an early brainstorm that you just want your manager to be able to view, or perhaps you’re a teacher sharing an assignment that you don’t want students to edit or change. With View Only mode, you can share something broadly but set exactly who has edit access.

The feature looks and works similarly to other G Suite apps like Docs, Sheets and Slides, so you have a consistent experience no matter what you’re creating and sharing.

For a full list of new features and improvements from this month’s release, check out the What’s New in Jamboard page in the Help Center.