If you are the victim of a security-related issue such as a phishing scam or spam attack:
Security Awareness Training: The Office of Information Security provides security training for departments on campus that deal with Protected Information (PI) and Personally Identifiable Information (PII). To learn more about this training, please visit the OIS website.
Be Aware: IS also developed Be Aware, a student-focused site which discusses security awareness and the effective ways to respond to security threats.
Helpdocs - Protect Your Computer: General information on protecting your computer from malware and malicious actors can be found on OSU's Helpdocs website.
A program (OpenSSL) that manages the secure transmission of data across the Internet was discovered to have a bug. This bug, known as “heartbleed,” could allow attackers to steal the private keys used to encrypt data prior to transmission across the Internet. With the keys, the attacker would be able to decode all of the data, including passwords and personal information entered into a website.
Information Technology personnel at Oregon State University have been aware of the problem since the disclosure of the bug on Monday evening, and have been working hard to identify and patch affected systems. So far, the impact on secure systems at OSU appears to have been minimal—ONID, for example, does not use a version of OpenSSL that is vulnerable to this bug, and the main OSU secure webservers were not vulnerable either. Systems that have been discovered to be vulnerable are being patched and, where warranted, new encryption keys are being generated.
Although we have no evidence that any OSU sites have been compromised through this exploit, this bug existed for almost 2 years before being discovered by security researchers. We would encourage you to pay close attention to all your sensitive user accounts across the Internet and follow the recommendation of the owner of those services. Because of the widespread impact, we recommend that you change your OSU passwords, especially if you used the same password at multiple sites.
Warning: We’re starting to see evidence of fraudulent email claiming to be from affected companies asking that you change your password by clicking on a link in the email or replying to the email. Please do not fall prey to these.
If you run a server such as a web or email server or have a Network Attached Storage (NAS) or other device that uses OpenSSL, please follow the instructions at http://heartbleed.com to ensure that your device is secure. A running list of hardware/software vendors impacted by this bug is being maintained here: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=720951&SearchOrder=4.
Additional information on the heartbleed bug can be found here:
CryptoLocker is malicious software that encrypts files on your computer, on an attached USB drive, or on a network share, then displays a screen that demands that you pay a $100-300 ransom within 96 hours to get them back. There is no guaranteed way to recover the files if you do not pay the ransom. DO NOT PAY THE RANSOM.
For additional information about CryptoLocker, including a tool to help prevent this infection on your personally owned computers, please read this document on the OSU Helpdocs website:
Computer networks are a great thing. Like many things that enrich our lives, computer networks are not without risks. This site is here to help keep you safe while on the network.
To start, take a look at the section to the left entitled "Be Aware." This has a series of short articles designed to increase your awareness of the various risks you're likely to see on the Internet, to make you aware of the policies and regulations about using the OSU network and to help you protect yourself and your data from those risks.
Our Links menu is full of things you'll find useful to help combat those risks, as well as provide assistance should you find yourself in trouble.
Finally, we welcome your feedback and suggestions for improving this site. Our "Contact Us" page gives you an easy way to help us make this a useful resource for you.
The Internet has become a part of us.
We surf the web, e-mail our friends, play games, watch movies and listen to music. Most of us carry a bit of it with us everywhere, using our phones to find a good place to eat or to network with friends. It is hard to imagine living without it.
Although it enriches our lives, the Internet contains a growing number of risks.
In this session, we’re going to explore the darker side of the Internet.
Social Engineering, the act of tricking people into divulging confidential information such as passwords or credit card numbers, is prevalent on the Internet.
The most common form of Social Engineering seen today is called Phishing.
Ever receive an e-mail from your bank warning you that your account was overdrawn and that you needed to click on a link to remedy the situation? Or how about a notice from your system administrator that there was a problem with your ONID account that could be resolved if you would please supply your username and password in a response to the e-mail?
Internet con artists are using these various methods to trick you into providing the information needed to steal from you. Phishing isn’t limited to e-mail; there are fake websites out there as well, often designed to take advantage of a misspelling of a common address.
And as technology advances, so does Phishing. We’re now seeing “spear phishing,” a highly targeted attack aimed at the employees of an organization—or the students of a school—and “whaling” which is a targeted phishing attempt aimed at executives of an organization.
Social Engineering doesn’t necessarily require you to be connected to the Internet or to even be using a computer. It is easy enough for someone to call you on the phone pretending to be someone else (such as a computer support person at the university or an employee of your bank) and ask you to provide information. By doing a little research on an organization via their website, an Internet con artist can be quite convincing in pretending to be someone else.
Malicious Software, or “malware,” comes in several forms.
Viruses are programs, typically small, that copy themselves in order to infect other computers. They spread through shared infected media or through files sent over the network, typically via e-mail or via malicious or hacked web sites.
Worms are a form of malware similar to viruses that spread automatically over a network. Worms take advantage of flaws in programs and can infect a large number of computers in a very short time.
A Trojan Horse or Trojan, like its namesake from The Aeneid, is a program that masquerades as something it isn’t. Trojans frequently carry other malware hidden inside their code: their main purpose is to evade detection by anti-virus programs.
Spyware and Adware are programs that track your activities on the web. They are frequently used to target spam e-mails to a more receptive audience based on their web browsing habits.
A Rootkit is particularly nasty. This malware embeds itself deep within a computer’s software or hardware, making detection extremely difficult. Computers with a rootkit installed are frequently used by attackers to compromise other systems.
Fake Anti-virus Software is one of the newest versions of malware being seen on the Internet. This software falsely reports a malware infection and then tries to con the victim into purchasing a “fix” to remove the infection.
Over the past decade there have been major changes in the quality of malicious software. Early on, viruses were simple scripts—easy to detect and, while often extremely damaging, were very manageable. The most common attacker creating a virus was a “script-kiddie,” a person without formalized training who was modifying other programs to create new viruses. As a result, viruses were often so poorly written that they were unable to run properly.
But, things have changed.
Organized crime has become involved in the generation of malware. Frequently used to steal information needed to commit identity theft, malware has become big business. “Screen scrapers” pass along what is shown on your computer screen to the identity thief. “Key loggers” keep track of everything you type, including passwords and account information.
Gone is the amateur “script-kiddie” creating viruses for thrills, replaced by skilled coders writing applications that create customized malware for the purchaser. One such application, called Zeus, offers different levels of service for a price—automatically generating malware to evade detection or disable those detection programs entirely. How successful the malware is depends on the price the attacker is willing to pay.
Often referred to as hackers, a term which also applies to people doing good work on computers, crackers are people who break into computer systems using specialized knowledge and tools.
While often doing this for no other reason than to create mischief, some crackers do break into systems to steal data or to commit other crimes. Crackers take advantage of any insecurity in a system to gain a foothold, including social engineering.
Crackers vary greatly in skill level; neophyte crackers are easily thwarted while the most skilled will, if determined, break into even the most protected systems that are connected to the Internet.
The schoolyard bully has found new stomping grounds on the Internet. But the Cyber Bully, a person who posts mean-spirited messages or images about another person with the intent to hurt or embarrass them, has one big advantage—they can remain anonymous.
While you may think that a little name-calling is a normal part of life, Cyber Bullies take this to the extreme. Attacks often become viral in nature, with the victim having little or no means of recourse. E-mail, text messaging, social media, blogging and websites are the tools of the Cyber Bully, and the results have a potential audience in the millions.
Cyber Threats on the other hand are typically more direct. Someone making a cyber threat can either threaten to do harm to themselves, such as threatening to commit suicide, or to others, such as threatening to kill or harm another person. Cyber threats should be taken seriously and reported to the appropriate authorities.
Cyber Predators are the stalkers of the Internet. They seek out others, typically teens and young adults of both sexes, in an attempt to use, control or harm. Social networking sites and forums help cyber predators locate their prey.
So that’s a brief look at the dark side of the Internet. Next, in Be Aware: The Rules, we’ll take a look at the policies and regulations that were created in response to these threats. In Be Aware: Respond, we’ll show you some things to do to protect yourself and your data from these threats.
In The Risks, we discussed some of the risks of being connected to the Internet. In this session, we’ll discuss some of the regulations and policies that were put in place to protect us from those risks.
It is your responsibility to be aware of and comply with all federal and state laws, as well as the policies of the University. Since failing to comply with these rules could result in the loss of network privileges or even dismissal from the university as a student or employee, we’ll do our best to make you aware of the common situations or scenarios you may encounter as you make use of OSU’s network.
The University has a set of rules called the Acceptable Use Policy. This sets out the standard guidelines for behavior on our network. We’d encourage you to read and understand the entire policy. In brief, the Acceptable Use Policy, or AUP, requires us all to be good citizens of the network, or “netizens.” To be a good netizen, you:
You should also be aware that while OSU respects your privacy, your use of university computing resources is not completely private. There are circumstances where there is a legitimate reason for OSU to monitor and record the usage of all computing resources. This can either be done for performance issues, say, in the diagnosis of a technical problem, or as a result of a legal action, such as a court order for information or a legal request for discovery. OSU has the right to monitor your activities on the network if there is reason to believe that there are activities taking place in violation of Federal, State or local law or in violation of University Policy. Finally, some of your files may be deemed to be public records, which would be released if a request is made under public records laws.
Both employees and students at Oregon State University need to be aware of the information that is protected by the Family Educational Rights and Privacy Act, more commonly known as FERPA. This federal law protects the privacy of educational records, including:
Those who work with student information covered by FERPA should take special training. A link to that training, which is available to all who are interested, is in the links section to the left under Additional Information.
The Digital Millennium Copyright Act, or DMCA, is a federal law that makes it a crime to disseminate, without authorization, copyrighted works on the Internet. It also makes it a crime to circumvent measures that control access to copyrighted works. Digital Rights Management, or DRM, is one such measure that is covered by this law.
Oregon State University takes a strong stand against violations of the DMCA. If you utilize the network to share music, videos and movies without permission, your access to the network may be terminated permanently. You would also be responsible to pay any fines or court fees associated with a violation of the DMCA. More information on the DMCA can be found in the links section of this website under Additional Information.
In Be Aware: Respond, we’ll discuss some basic measures you can take to protect your computer and your data from risks.
You’re now aware that networks, including the Inter
A basic premise of computer security is there’s no way to be 100% safe from all risks, but if you make yourself as secure as you possibly can, a cracker or con man or even a piece of malware will simply move on to an easier target.
In The Risks, we talked about social engineering. These con men (and women) are simply after information that will help them steal your identity and your assets. Knowing what sort of information they typically look for--and not giving them access to it--is all that it takes to defeat them.
Always be hesitant to give your social security number, even partially, to anyone and don’t be afraid to ask why they need it. Never give it in response to an e-mail, and don’t store social security numbers on your computer.
For more information about when it is appropriate to give your social security number to someone, please follow the Social Security link in our links section to the left.
There are other items you need to protect as carefully as your social security number: your driver’s license number, other government-issued I.D. numbers and bank account numbers--including credit card information. Keep those items secret: do not store them on your computer or give them to someone who calls you on the phone or sends you an e-mail.
And never give a password to anyone. Ever. Not even to your support personnel, a co-worker, or even your boss.
If you’re not sure an e-mail or a website is legitimate, ask your computer support personnel, such as the Computer Helpdesk or the staff at a computer lab. You won’t bother them--in fact, most enjoy finding bad websites and phishing e-mails so they can put a stop to them.
You can help us stop phishing at Oregon State University. While we block thousands of these attempts daily, some new ones always manage to get through. Information on how to safely extract the right information from a phishing e-mail and provide it to the appropriate individuals so they can block it is provided in our links to the left under “Report an Incident.”
Stopping malware requires several actions on your part.
Always run an antivirus program on your computer. That includes you too, Mac and Linux users. Everyone is susceptible to malware. Oregon State University provides everyone, employees and students, with a high quality antivirus program. Click on the Free Stuff link on the left to get a copy and install it on your computer.
You’ll recall that some malware programs take advantage of flaws in programs to get onto a computer. To overcome this risk, it is vital that you keep all the programs on your system up-to-date.
One of the most common ways to get infected is to do a search and, clicking through the search results, visit a website that is either malicious or contains an infected advertisement. Sometimes it is obvious--the URL just looks wrong--but most of the time, at a glance, you’d never know there was anything wrong with the site. There are tools to help you with this. One such tool, called Web-of-Trust, marks good sites in your search results with a green circle and bad sites with a red one. A link is provided in our Free Stuff section.
Now we have to be brutally honest with you here. Even if you do everything that we’ve suggested so far to stop malware, chances are that eventually you will still get infected. There’s simply too much malware out there, and some of it is very, very cleverly designed.
There is another thing you can do to prevent malware from getting onto your computer. It is, by far, the best single thing you can do to prevent your computer from being compromised. What is it?
If your everyday account has administrative rights, it is time to start a discussion about removing those rights and adding a second account that has them instead. You can then use that second account when you need to install programs.
Ah. It may have just dawned on you why this is so important. You need to be an administrator to install certain types of programs, including the worst kinds of malware.
If you happen to use information classified as Protected, you do not have a choice. University policy requires that you do not use an account that has administrative rights for daily activities on your system. Please check with your computer support personnel to make sure you are in compliance with the policy.
We’d encourage everyone to do this. Students—and employees, for your personal machines—do this too. It makes a big difference.
Aside from using a social engineering technique, or a piece of malware like a keylogger that records everything you type on your computer, one of the first things a cracker will try to do to gain access to your data is to break your password. You can already count on them having your account name--that is really easy to get.
Your password is stored on your computer in a known location. It is encrypted--it is hidden from easy view by using a mathematical algorithm to transform that series of letters, numbers and special characters into gibberish. But it can be guessed. And it can be broken by using software tools.
A good password that you don’t share with anyone makes guessing difficult. Using a software tool requires a powerful computer (or a group of computers working together) but it will, eventually, break even the toughest password.
But how long will it take? That’s where having a longer password helps.
Let’s say you have a fairly complex password, that is, a password that contains both upper and lower case letters, numbers and punctuation characters. If that password is 5 characters in length, a cracking program running on one average computer will take 74 minutes to crack.
Take that up to 6 characters, and the program will take 4 days. That’s still not very long.
8 characters however, will take one computer 58 years.
So you’re probably feeling pretty smug right now. That 8 character password will take you all the way through school and retirement, and then some.
But your average cracker doesn’t just use one computer. He’s been infecting machines all over the world with malware that lets him control them. He has what is known as an army of bots--several hundred, or even thousands, of computers waiting to do his bidding. So while those computers’ owners are all snug in their beds asleep at night, our nefarious cracker is using those systems to crack your 8 character password.
If he’s just getting started, and only has 500 computers available, it will take him only a month and a half to break your password. At 1000 computers, it is only 21 days.
According to a 2006 article in the Washington Post, the average size army of bots available to a cracker is 20,000 computers. Your 8 character password might last a day, if it is really complex. If you're lucky.
To beat that, you need to add length. A 15 character password would take that cracker with his 20,000 computers 35 million years to break.
The thing is, a 15 character password--or even a 20 character password--is actually easy to type and remember--if you think of it not as a single word, but as a passphrase.
I like to use nonsense phrases:
That, including spaces (which count), is 30 characters long (there’s a punctuation mark at the end, in case you’re counting). I can make it even tougher to crack by adding a special character or a number in the middle of a word. It is easy to remember--and very quick to type--once you get used to it.
Try a passphrase--it is an easy way to defeat a password stealing cracker.
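The arithmetic behind the figures in this section, as an added example (not code from the Be Aware site). It assumes a 74-symbol alphabet (26 lower-case, 26 upper-case, 10 digits, 12 punctuation marks; the page does not state one) and an attacker who must try the whole keyspace at a constant rate, calibrates that rate from the page's figure of 58 years for an 8-character password on one computer, and then reproduces the single-computer and botnet cases above and extends the same calculation to the 15- and 30-character passphrases the section recommends.

```python
"""Brute-force search-time estimator for the password-length argument above.

Added example, not part of the Be Aware site. Assumptions the page does not
state: a 74-symbol alphabet (26 lower, 26 upper, 10 digits, 12 punctuation
marks) and an attacker who must try the whole keyspace at a constant rate.
The guess rate is calibrated from the page's own figure of 58 years for an
8-character password on a single average computer.
"""
from __future__ import annotations

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ALPHABET_SIZE = 74  # assumption, see module docstring


def keyspace(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    if length < 1 or alphabet < 2:
        raise ValueError("length must be >= 1 and alphabet >= 2")
    return alphabet ** length


def calibrate_rate(length: int, years: float,
                   alphabet: int = ALPHABET_SIZE) -> float:
    """Guesses per second implied by '`length` symbols take `years` on one machine'."""
    return keyspace(length, alphabet) / (years * SECONDS_PER_YEAR)


def seconds_to_crack(length: int, rate: float, bots: int = 1,
                     alphabet: int = ALPHABET_SIZE) -> float:
    """Worst-case time to exhaust the keyspace with `bots` machines sharing the work.

    Each extra symbol multiplies the work by `alphabet` (exponential growth);
    each extra machine only divides it (linear speed-up). That asymmetry is
    why length beats the botnet.
    """
    if bots < 1:
        raise ValueError("need at least one machine")
    return keyspace(length, alphabet) / (rate * bots)


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit, the way the page does."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400.0),
             ("hours", 3600.0), ("minutes", 60.0))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


# The page's anchor point: 8 characters, one average computer, 58 years.
PAGE_RATE = calibrate_rate(length=8, years=58.0)


def scaling_table(rate: float = PAGE_RATE) -> dict[tuple[int, int], float]:
    """Seconds to crack for each (length, machines) case the section walks
    through, plus the 15- and 30-character passphrase cases it recommends."""
    cases = [(5, 1), (6, 1), (8, 1), (8, 500), (8, 1000), (8, 20000),
             (15, 20000), (30, 20000)]
    return {(n, b): seconds_to_crack(n, rate, bots=b) for n, b in cases}


if __name__ == "__main__":
    for (n, b), secs in scaling_table().items():
        print(f"{n:2d} chars, {b:6,d} machine(s): {humanize(secs)}")
```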
Another tool you can use to defeat crackers is to enable the built-in firewall on your computer. If you’re an OSU employee, it is very likely that your departmental computing administrator has already enabled this for you. You may also be behind a hardware firewall.
If you’re a student, or an employee at home, instructions on how to enable the built-in firewall on your computer can be found in our links section to the left.
If you’re being bullied by another student at Oregon State University, contact the Student Conduct and
Cyber threats and Cyber predators should be treated seriously. Should you become aware of this activity, or you are a victim of a cyber threat or predator, please contact the Oregon State Police at the Department of Public Safety. Their contact information is included in our Incident Response section.
These are just a few tips to protect yourself, your computer and your data. We’ll be providing more ideas in our Respond section of this website in the near future--be sure to check back with us. If you have any ideas for responding to these types of risks, please share them with us through the “contact us” section of the site.
Thanks and have a safe time on the network.
To read the entire Acceptable Use Policy visit: http://fa.oregonstate.edu/gen-manual
To read the full Information Security Policy visit: http://fa.oregonstate.edu/infosec-manual
For more information on FERPA and a tutorial visit: http://oregonstate.edu/registrar/privacy-records
To find the appropriate Records Custodian visit: http://fa.oregonstate.edu/gen-manual
To read more about the Digital Millennium Copyright Act (DMCA) visit: www.copyright.gov/legislation/dmca.pdf
For more information on Oregon's Identity Theft Protection Act visit: http://dfcs.oregon.gov/id_theft.html
For more information on protecting your Social Security information online visit: http://www.ssa.gov/pubs/10064.html
Below you can find links to the privacy policies of popular social networking sites. Included in those pages are ways to protect your personal information on these sites.
Help us populate this page. If you have a question, please visit our Contact Us page and use the form to submit your question. We'll respond to you, and if the question is about something that will be of interest to others, we will post it here.
Using an account without local admin rights is a good thing! Following this method will allow you to perform all the tasks that you would normally do, but help prevent malicious software from being installed on your computer.
Important: Do not skip steps in this process! You must create an account with local administrative rights before making your everyday use account a standard user.
Use your new administrator account when performing tasks such as installing software or setting up new hardware.
Public Safety: http://fa.oregonstate.edu/publicsafety
Counseling and Psychological Services (CAPS): http://counseling.oregonstate.edu
Forward the email as an attachment to firstname.lastname@example.org.
Visit http://studentlife.oregonstate.edu/studentconduct and follow the steps listed to report a conduct incident.
The Be Aware website, and cyber security at OSU in general, is the product of a group of Information Systems Security Professionals from across campus. Questions about cyber security sent to the following e-mail will be answered by a practicing professional in that area.
Questions or suggestions about this site, or our promotions or contests can also be submitted below.
The Be Aware Team
Information Services seeks to communicate with the OSU community about the changes we make to the IT systems that we manage. Our goal is to manage, maintain, and upgrade systems in a thoughtful way so that we minimize negative impact to services and customers.
Achieving this goal requires that we plan changes carefully, consult with members of the community regarding planned changes, and respond to unplanned changes systematically to ensure minimal downtime.
Change Management is the formal term for defining our policies and processes. Please read about the Change Management & Incident Response Project page for additional background about this initiative.
The Change Advisory Board (CAB) convened in December 2012 and began drafting appropriate processes for changes and incidents. As basic processes are defined, the CAB will begin performing its function as a change review body even as it continues to define and refine change processes.
These policies apply only to services and systems owned by OSU Information Services.
The Incident Response policy does not apply to Security Incidents, which are covered by the Information Security Manual section 502: Incident Response and Escalation.
These forms are for Information Services staff only. If you need to report an unexpected service interruption, please contact the OSU Computer Helpdesk.
Please avoid overly technical jargon, as your message will not only be sent to the Outages email list but will also show up at the following locations.
In most cases (excepting Emergency changes), you will develop a technical plan and a communications plan for your change prior to filling out this form. Please upload this documentation when submitting this form if you are able.
After you submit this form, the Change Advisory Board (CAB) and Unit Director can help shape the communications plan before any message is received by any customer.
This form is for significant or emergency changes. For other changes, please use one of the links in the IT Changes menu box to the side or below the form.