Information Security

Patches, password changes thwart Heartbleed bug

A security issue (denoted the ‘Heartbleed bug’) has been identified that affects some University of Lethbridge systems. This issue is serious and compromises a core encryption technology designed to keep your information safe as it crosses the internet. Most often you would see this technology in use when you visit sites that begin with https.

A small number of University machines are affected by this issue, most of which are not accessible from the internet. The two systems representing the greatest risk are the student email system and the mailman (mailing list) administration console. These systems were fixed on April 9th and we have no evidence to indicate they were targeted in any attacks. As a precaution, students and mailing list administrators who are concerned can change their password if they desire.

ITS is working with faculties, departments, and business units to fix the remaining systems. System Administrators concerned with the integrity of affected systems are encouraged to change administrative/root passwords. Users inquiring about the integrity of their accounts are advised that changing one’s password is always the best policy. Instructions to change University of Lethbridge passwords may be found here: https://www.uleth.ca/webtools/account_tools/pswdchng

For more information about the bug go to: http://heartbleed.com/

Technical support personnel outside of ITS are encouraged to contact the Solutions Centre at help@uleth.ca for further information.

Users with questions or concerns can also contact the Solutions Centre at 2490 or help@uleth.ca.

 

Tax Scam Season again!

"Dear Taxpayer,"

Every year around this time we see cyber criminals attempting to steal your personal information by sending false correspondence in the name of the Canada Revenue Agency (CRA). A sample scam was recently sent to the IT Security office from a University client – don’t be fooled by what appears to be a legitimate communication.

The bogus email (find the entire message on the Security website here) tells the recipient their $988.44 tax refund for 2014 has been processed, and to click the link to ensure it gets deposited.

Do you see the red flags?

  • Canadian citizens are in the process of filing their 2013 income tax returns – not 2014.
  • The email is addressed to “Dear Taxpayer,” so how could the author know what your refund should be?
  • How many people file and receive their refund BEFORE the end of February? At least in this particular case.
  • If you hover your cursor over the link, it reveals the location it will take you to if you click on it – which is definitely NOT http://www.cra-arc.gc.ca
  • It asks for your social insurance number (SIN). First of all, if they know what your tax refund is, they already have your SIN. Secondly, under NO circumstances will any legitimate business or government agency ask you for personal information.
  • CRA never operates this way – never has, never will.

It’s all very PHISHY! Be suspicious!

To learn how to protect yourself against cyber criminals, check out the online Security Awareness Course.

Community Shredding Event

In an effort to promote the secure destruction of personal information and the prevention of identity theft, the AMA is sponsoring a free event where community members can bring their sensitive documents and electronic storage items (not including hard drives) to be destroyed by a professional shredding service. The event will be held on Saturday, March 23, 2013 from 10am – 2pm at the AMA Lethbridge Centre located at 120 Scenic Dr. South. For more information on how to participate, please visit the event website.

Cyber Security – A community effort

Kevin Vadnais, Information Security Analyst, was asked to present on cyber safety to two community groups in November and early December. A parent preschool group in Coaldale and the Lethbridge Breakfast Club were brought up to speed on cyber safety and identity protection.

“They asked me to explain some of the things that would help them become more savvy about internet threats, and to protect their own personal information online.”

Vadnais demonstrated how easily someone can become a victim of identity theft. Within minutes of conducting internet queries and piecing together seemingly unrelated bits of information about one of the audience members, Vadnais had the full name, birthdate, parents’ names, parents’ address, parents’ phone number, along with their children’s information. This eye-opening video shows a similar example.

For more details about Vadnais’ presentations, see the article published by the Lethbridge Herald.

If you have questions about the University’s cyber security program, or would like advice on how to be cyber safe, contact the Solutions Centre at help@uleth.ca or 403-329-2490.