Mission Statement
The Information Security Office is committed to lowering the risk profile of the University’s electronic information by implementing industry best practices to protect the confidentiality, integrity, and availability of student, faculty, and staff information. We uphold the University’s compliance obligations by developing information security policies, providing security awareness training, and overseeing the implementation of strategic information security initiatives.
Scam of the Week
When PDFs Become Phish-Delivering Files
In this week's scam, cybercriminals are trying to trick you with PDFs that contain malicious content. You receive an email with a PDF attachment that appears to be from a major organization like Microsoft, DocuSign, or PayPal. The subject of the email seems alarming and makes it appear that you have an issue with your account. If you open the PDF attachment, it contains official logos and professional formatting. It appears legitimate, and the instructions direct you to call a customer service phone number.
But this PDF file is actually a phishing attempt. The phone number is fake, and if you call, a cybercriminal will answer and pretend to be a customer support representative. They will try to trick you into installing malware on your device. They will also try to manipulate you into giving them your user credentials or financial information so that they can solve the “problem” with your account. This type of scam can be very effective because you may be more likely to trust a voice over the phone, especially if they claim that they are trying to help you!
Follow these tips to avoid falling victim to a phishing scam:
- Be suspicious of unexpected emails, especially those containing attachments. You should never open an attachment unless you are sure who sent it.
- Be cautious when contacting an organization using information provided in an email. It's always safer to use the contact information listed on an organization's official website.
- Remember that legitimate organizations rarely send urgent requests through PDF attachments. Cybercriminals will often attempt to create a sense of urgency to trick you into acting impulsively.
Time It Takes a Hacker to Brute Force Your Password in 2023
| Number of Characters | Number Only | Lowercase Letters | Upper and Lower Case Letters | Numbers, Upper and Lowercase Letters | Numbers, Upper and Lowercase Letters, Symbols |
|---|---|---|---|---|---|
| 4 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 5 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 6 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 7 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 8 | Instantly | Instantly | Instantly | Instantly | 1 sec |
| 9 | Instantly | Instantly | 4 secs | 21 secs | 1 min |
| 10 | Instantly | Instantly | 4 mins | 22 mins | 1 hour |
| 11 | Instantly | 6 secs | 3 hours | 22 hours | 4 days |
| 12 | Instantly | 2 mins | 7 days | 2 months | 8 months |
| 13 | Instantly | 1 hour | 12 months | 10 years | 47 years |
| 14 | Instantly | 1 day | 52 years | 608 years | 3k years |
| 15 | 2 secs | 4 weeks | 2k years | 37k years | 232k years |
| 16 | 15 secs | 2 years | 140k years | 2m years | 16m years |
| 17 | 3 mins | 56 years | 7m years | 144m years | 1bn years |
| 18 | 26 mins | 1k years | 378m years | 8bn years | 79bn years |
Phishing Click Rates Triple in 2024
The Most Dangerous Pop Culture Passwords in 2024
FBI Fraud Alert
Cyber Security Alerts
What is being exploited?
Vulnerability in Windows CryptoAPI that allows malicious executables using a spoofed
code-signing certificate to appear as if it was from a trusted source.
What does this affect?
Attackers can conduct man-in-the-middle attacks and decrypt confidential information
on user connections to spoofed software that appears legitimate.
Which Operating Systems does this affect?
Windows 10, Windows Server 2016, and Windows Server 2019
How to mitigate this?
Apply critical patches to affected systems as soon as possible.
For more information:
CVE-2020-0601
What is being exploited?
Vulnerability in Windows Remote Desktop Gateway (RD Gateway) that allows specially
crafted requests to execute arbitrary code on the target system.
What does this affect?
Attackers can gain access to the target system with full user rights that would allow
them to install programs; view, change, or delete data; or create new users.
Which Operating Systems does this affect?
Windows Server 2012, Windows Server 2016, and Windows Server 2019
How to mitigate this?
Apply critical patches to affected systems as soon as possible.
For more information:
CVE-2020-0609 & CVE-2020-0610
What is being exploited?
Vulnerability in Windows Remote Desktop Client that allows the server to execute arbitrary
code on the target system after an unsuspecting user connects to it.
What does this affect?
Attackers can trick the user into connecting to a compromised server and gain access
to the target system with full user rights that would allow them to install programs;
view, change, or delete data; or create new users.
Which Operating Systems does this affect?
Windows 7, Windows 8, Windows 10, Windows RT, Windows Server 2008, Windows Server
2012, Windows Server 2016, and Windows Server 2019
How to mitigate this?
Apply critical patches to affected systems as soon as possible.
For more information:
CVE-2020-0611
Windows 10 & Windows Server 2016 and newer
1. Search: Check for Updates
2. Click “Check for Updates” then install all updates
Windows 8 and older & Windows Server 2012 and older
1. Navigate: Control Panel > System and Security > Windows Update
2. Click “Check for Updates” then install all updates