As seen in the news recently, a serious flaw in Apple’s most recent computer operating system (MacOS X High Sierra) allows any person to gain administrative access to the machine without a password. Anyone with physical access to the computer can gain root access simply by typing “root” in the “Users and Groups” section of System Preferences. No password is required. With root access, a malicious person can then operate as an administrator on the computer to download malware, steal any information, add other users, and further compromise the computer. This flaw requires physical access to the computer, but it may also work remotely if Apple Remote Desktop is enabled.
Apple has released a security update that addresses the issue, and it is recommended that all Mac owners with High Sierra (Mac OS X 10.13) install the security update immediately. More details can be found from Apple at https://support.apple.com/en-us/HT208315.
DoIT would also like to remind students, faculty, and staff to secure their devices and be aware of them at all times. Often laptops, cell phones, headphones, bags, and etc. are left unattended in public areas such as the Library, Commons, and classrooms. Even if you are leaving for a few minutes to go to the restroom, that is plenty of time for someone to steal your belongings, or compromise your devices. UMBC police have received reports of laptops stolen while the owner’s back was turned to talk to a friend. You as an individual are the number one source in keeping yourself and your devices safe from cyber attacks, as well as helping keep our campus safe. If you become aware of any malicious activity or have any questions, please report it to security@umbc.edu.
]]>Ok, if you’re like most of us, you don’t lose sleep over the thought of your myUMBC account getting hacked. Fair enough. With midterms, parental expectations, post-graduation job prospects, and the state of the world, we all have plenty to think about. Maybe you use your college email account daily to communicate with professors and other students, or maybe you log in twice per year in order to register for classes. No matter how invaluable this email might be to your academic life, it is probably hard to imagine cyber criminals lurking in dimly lit basements around the world, dreaming of gaining access to your grades on Blackboard. Surely, there must be someone out there who would make a more promising victim than me, right?
You might be surprised. Over the past decade, well over 600 universities reported a data breach. Some of these attacks have proved to be very successful. Many of these attacks were targeted at students, and many consisted of phishing.
In truth, college campuses are target-rich environments for opportunistic scam artists. Universities have networks and machines that contain very sensitive information, with large numbers of users and personal machines “passing through.” Many attacks on campuses work by first hacking a university email account, which students and staff will see as more “trustworthy.” Once one account is compromised, particularly an administrative one, the hacker can use this “trustworthy” account to manipulate other members of the same organization. Criminal activities which use deception in order to exploit individuals and organizations, such as phishing, are collectively referred to as social engineering. One of the simplest ways a hacker can compromise many accounts is to gain access to an under-secured student account, and then use the trusted organizational email to send out phishing emails to a large number of students and staff.
What value do these accounts have? A resourceful criminal would likely know that some people are bound to use the same password for their school account that they use to secure their bank account. Criminals might also attempt to acquire and sell sensitive information, or to lock a valuable hard drive and hold it ransom. Colleges will likely continue to experience phishing attacks and similar threats for the foreseeable future, because these targets will offer hackers an opportunity to make a significant profit with little effort.
So what is being done? Your UMBC account filters out many different spam and unsolicited emails. UMBC’s DoIT (Division of Information Technology) is working everyday to identify and block new spam emails. And as new attacks come to their attention, you will see alerts appear on DoIT myUMBC group page, or receive an email from the police. So what’s our last line of defense, for those attacks that “fall through the cracks,” making it to your inbox? That’s where you come in. By staying well-read on cyber threats, securing your own online presence, and tuning in to campus fraud alerts, you can make UMBC’s network more safe for everyone. Read up on Phishing Red Flags on doit.umbc.edu/security, and more by checking out our MyUMBC Page. my.umbc.edu/groups/bethekey
Oh sweet, Get Out is finally out in theaters! I’ve been waiting for so long for that movie to come out so that I could finally stream it online. Pay for a movie ticket? Ha! Why would I do that when the movie will instantly show up FREE online the very same night it came out. I usually stream new movies from a torrenting site. The website names seem sketchy, and glitch here and there, but for the most part they get the job done.
I invited some of the guys over to my dorm room so that we can watch the movie and pig out. There is usually one torrenting site that I like to use when I’m at home, but I haven’t tried torrenting here at UMBC yet. My wifi seems to be a little better at home, but everything should be fine here. When I went to the torrenting website to find Get Out, there were a lot more ads on there than usual. That was annoying because I had to navigate through them to try to play the movie. After all of that, before I could even play the video, I received a pop-up saying I needed to install Flash Player. I could’ve sworn that I had that installed, but everyone was waiting and so I just downloaded the software.
Well, we never got to watch the movie. I don’t know if it was the torrenting site itself, or the flash player pop-up but my computer started to act completely different. I would move my mouse, and the cursor would lag for a very long time. Any program I would try to open, took equally as long to load. The most noticeable part of the whole thing was my internet browser. Instead of Google being the browser, it was some weird knock-off browser. Also, whatever site I tried to go to, like Facebook or my email, I would be redirected to a pop-up site. Between the constant loading, pop-ups, weird websites, and my computer just running so unusually slow, I knew something was really wrong. Crap….I definitely was infected with malware. Not only did this suck because it would take a lot of money to fix, I had A LOT of sensitive information on this computer. My bank account information, all of my passwords, hot pictures of my girlfriend...EVERYTHING.
And to make things worse….a few hours later my UMBC credentials stopped working for my wifi. I then got an email on my phone from UMBC’s Student Judicial Programs. What now!?
According to SJP, I am being charged for illegal file sharing/copyright infringement on campus wifi. I can either provide evidence to the Conduct Officer showing that I was not responsible, or accept responsibility for violation. Well, I definitely don’t have any evidence that it wasn’t me, so I guess I have to accept responsibility...perfect.
Because I was caught torrenting on campus wifi, I had to pay a $175 fine, and create a poster about copyright violations and peer to peer file sharing. The icing on the cake, was that all of my files were encrypted thanks to the malware, and my computer ended up crashing. All of this, so that I wouldn’t have to pay for a movie ticket. I truly thought torrenting was no big deal, and I was always somewhat aware of the virus risk. Having the malware downloaded onto my computer, and then getting caught for torrenting was the biggest wake up call.
I couldn’t WAIT to finally move into my dorm and start my freshman year of college. Growing up, my parents were so strict. Since I would basically have to write a 15-page paper and presentation to go out with friends, I lived my life vicariously through social media. Facebook, Instagram, Twitter, Pinterest, you name it...I lived a completely different life on the internet. Luckily, UMBC is a whopping 6 hours away from my family home, far enough away to where I’m reachable but I will never have to go home. Freedom!!
My first day of classes was interesting, and the two main concepts drilled in each class were “syllabus” and “Blackboard”. I still had no idea what Blackboard was, but I was told I can access it from my UMBC profile. I sat in Starbucks with a new friend from class, and we both helped each other figure out myUMBC, Gmail, and Blackboard. I considered myself to be pretty internet savvy, so figuring out all of these mediums was a piece of cake.
It was the second week of class and I could already tell that checking my UMBC email would be a chore. I had so many emails from RAs, student organizations, classmates, and professors. I would usually skim through most of them, but then I go an email with the subject “Announcement” from “server@umbc.edu” and that seemed important. I read:
“This e-mail is to notify you the students of University of Maryland, Baltimore County that we will be upgrading our server. We need you to send us the following information in order to keep your account active after the upgrade.
(1) Username:
(2) Password:
Please acknowledge this email upon receipt.
Thank you,
Administrators of University of Maryland, Baltimore County”
Well, I definitely didn’t want my account to become inactive, I do literally everything for school on here. I immediately responded to the email with my UMBC username and password and then deleted my reply. I didn’t want anyone accidentally seeing that email somewhere on my computer and then having my information. Glad that’s taken care of.
The next couple of days my account seemed weird. Every time I tried to email someone, the reply-to address would be changed to some random email address I’ve never heard of, and the subject was automatically inserted with the same “Announcement” from the email I had received earlier. I began to think that something was definitely wrong. Then like clockwork, I got an email to my personal gmail account from UMBC’s DoIT. My suspicious assumptions were right, my account was hacked. An employee from DoIT informed me (through my personal email) that an email was sent around campus that looked like it was legitimately from UMBC asking for usernames and passwords. Yes, that seemed right. Turns out my responding to that email gave an unknown hacker my credentials to get into my account. I was so shocked. I thought that I was pretty tech savvy. After all, I spent all of my high school life on the internet. I was told I fell for a phishing attempt. What even is that?
I took to Google to learn everything I could about how I was duped into getting my account hacked. Thanks to trusty Wikipedia, I learned that phishing was the fraudulent practice of sending emails from what seems like trustworthy companies to trick people into revealing sensitive information. *Sigh*, that’s exactly what happened to me. The email I received was from a UMBC email, so I automatically assumed it was safe. I trusted this “fake” email enough to give up my username and password.
My next step was to call this DoIT person, and learn how to spot a phishing message. Now that I have learned that not everything that comes from a UMBC email address is safe, I wanted to be able to use this as a learning experience. The first tip I was given was that if an email contains a warning that an account may be suspended, then it is probably fake. I was informed that, UMBC does not do sweeps for inactive accounts. Also, UMBC will never ask a user to enter a password on anywhere other than on a UMBC login page. Another helpful tip given to me, was that if an email contains a false sense of urgency or a very impersonal tone, then it probably isn’t real. That makes a lot of sense, because unless it was a mass email from professors, most emails I received contained my name in the greeting.
The DoIT staff member scrambled my password and sent me instructions to reset it. At least my account was taken care of. It feels so weird knowing that someone hacked my account. They could have potentially seen all of my personal information on myUMBC. But now I know, and from this experience I’ve made ALL of my social media accounts more secure. I’ve also become way more aware and alert about the emails and posts I’m reading, along with what I choose to respond to.
“We have parsed several log records that lead us to believe that your UMBC account credentials may have been compromised. As a precaution, your UMBC account password was scrambled today.
Please go to http://accounts.umbc.edu/ and click on I Forgot my Password. Walk through the steps using your security questions to set your password to something secure that only you know.
Here is UMBC's TSC FAQ page on how to reset your account password: https://wiki.umbc.edu/pages/viewpage.action?pageId=1867942. If you have any issues with reset process, please contact the TSC at 410-455-3838.”
I stared at my computer shocked. Checking my personal email is a habitual task I do in the morning, after checking all of my social media profiles of course. Seeing a “your online order has been shipped” email first thing in the morning is always something I look forward to, but this wasn’t it. At first this email went completely over my head. Credentials...compromised?
I asked the DoIT employee who emailed me, what kind of logs they saw that could possibly mean my “credentials may have been compromised.” I was informed that I had not had a password change in my 3 years of being at UMBC. To be honest, I really didn’t think I needed to change it, but my password only being four characters didn’t help. I was told that my UMBC username and password were stolen by a hacker in Nigeria, and then was used to send out scam emails. How did this all happen right under my nose? Why would anyone care so much as to hack me? I’m just a random college kid living in Catonsville, MD. There is nothing special about me or what I do.
I learned that being a student in general made me an easy target for hacking. My password was weak, and I hadn’t changed it in years. The DoIT staff member explained to me that students have less secure accounts than faculty and staff. Most of the faculty and staff had something called two-factor authentication which made their accounts more secure. Also, as I am a perfect example, many students don’t put forth a lot of effort in making their passwords strong and secure. Because of all of this, it is easy for hackers to figure out a password like mine, and use it to send out spam to other students. Having “UMBC” in my email address makes my account seem trustworthy to other people (especially students). A hacker sending spam out through my UMBC email address is dangerous, for other students will trust what is being sent to them, making them vulnerable to hacking as well.
I never realized how being hacked could make me feel so frightened. Never once before this, did I ever think to worry about cybersecurity. I would of course see some of my Facebook friends have hacked accounts, but it never seemed like that big of a deal to me. Knowing that someone so far away could steal one of my most important credentials...well that felt almost like someone broke into my house. Even though this occurred over the internet, and no one physically robbed me; the scare was all of the same. Another mistake I have made, was using that password for all of my other accounts. What if that hacker had logged into my banking website, or my ICloud? These possibilities were something I had never thought about. Not securing my password, and changing it often was just as bad as leaving my door unlocked at night in a neighborhood that was known for robberies.
I was very appreciative that the security team from DoIT scrambled my password so that I could reset it. As soon as they saw malicious activity coming from my account, they immediately took action to remove the hacker from my account. Knowing that there is an organization at my school that can catch these types of attacks and quickly handle it was relieving.
Now it’s time to get ready for class. Even though it wasn’t an “order has shipped” email I received, it was an email that ended up being very beneficial to me. I learned a lot about being safer online, and now I can share that knowledge with my friends who I know for a fact have “1234” as their password.
College Campuses are a central hub for diversity, intelligence, and advanced technology. Many people no matter what age, strive to go to a good college, and receive the best education. Goals and dreams are achieved during the years people put in at school, but unfortunately hurt can come out of it as well. Over the past decade, universities have found themselves to be a huge target of cybercrime due to the vast amount of sensitive data and expensive research that they possess. Many universities found that student accounts were the main culprit of these attacks, but actual students weren’t doing the hacking. Hackers found ways to identify vulnerabilities in student accounts, and use them to hack and retrieve data and research.
A study completed by student security technicians from the security group of University of Maryland, Baltimore County’s Division of Information Technology, stated that out of a sample size of 500 security tickets, 277 involved compromised accounts. These compromised accounts were further broken into types of cybercrime that were carried out. Out of 277 compromised accounts, 91 were phishing crimes, 36 were spam crimes, 48 were scam crimes, 19 were malware crimes, and 42 were unknown. Interestingly enough, 167 of these UMBC accounts, were student accounts. Students received multiple emails from UMBC accounts a day about a variety of things. Many students trust these emails for the very fact that it comes from a UMBC account. The average student has little knowledge about any cybercrimes that can occur in a University. Information about serious cybercrimes are usually kept within the department that handles such issues, in order to eliminate a scare. However, because of the lack of knowledge students have on cybercrimes, they are most vulnerable to responding to these attacks that come from university accounts.
Say a student receives two advertisement emails. One from an account of the same university, and one from an unknown email alias. Both of these emails contain malicious links. The student, unaware of how easily a university account can also get hacked, deletes the unknown email, and clicks on the link from the university email. Now the student has a virus on their computer because the university email also had a malicious link. Unfortunately, because most students automatically trust emails received from their university accounts, hackers take advantage of that in many ways. Hackers from all around the world target student accounts from multiple universities to enable phishing attempts, send out scam emails, and commit malware crimes.
Creating cyber security awareness at universities, is the most important step towards eliminating the vast amount of cyber crime that victimizes campuses. Cybersecurity and IT departments can do as much as they can to block malicious sites, phishing attempts, and scams; but it is then up to students, faculty, and staff to keep their accounts safe. If students create a strong password, and change it regularly, that can make a big difference in reducing the amount of compromised student accounts. Everyone wants to receive the best education at their university, learning how to stay safe online, is the best way to Be the Key in Cybersecurity.
Students at UMBC have been working hard to prepare for October's Cybersecurity Month!! Look out in the Common's for fun giveaways like t-shirts and cups promoting the month!!
This month's weekly themes are: