OIT News
Office of Information Technology

Archive for the ‘Security’ Category

Phishing, Data Breaches and eBay

Saturday, May 24th, 2014

Don't take your NetID to the dock or the bay.

This week’s news of a data breach at eBay follows announcements about data compromises at Adobe, LinkedIn and Target over the last six months, although the data breaches may have begun as early as 2012. In March, Rice’s IT Security Office identified links between external data breaches, stolen NetID credentials, and this year’s significant increase in the number of compromised email accounts used in the distribution of phishing messages.

Like the tides, the ebb and flow of millions of phishing messages across the Internet has become a sort of background noise for everyone with an email address. But in January, a tidal wave of phishing messages from rice.edu addresses began flooding both internal rice.edu email addresses and external email accounts.

What is Phishing?

When an individual falls for a phishing message, their email account is compromised, and that account begins a new cycle of phishing distribution.  All the contacts in that victim’s address book receive a phishing message which appears to be sent from their colleague, friend or family member.  If those recipients respond, their email account and their contact lists are sucked into the vortex and the process begins again.  Lists of compromised accounts and lists of contacts are posted on public bulletin boards where they are shared among other criminals who scoop up the new lists of potential victims for their own identity scams.

In addition to the tides of individual phishing messages, the big players in the Internet crime world are the attackers who breach a commercial, educational or non-profit database and harvest user addresses, passwords, birth dates and credit card numbers by the thousands or millions. Unfortunately, eBay is only the most recent victim of this kind of large-scale break-in.

Why External Breaches Matter to Rice

The most threatening aspect of external database breaches for Rice is the exposure of Rice NetID addresses and passwords.  Many Rice faculty, staff and students use their Rice NetID address AND their Rice NetID password on external sites and systems.  When an external system like eBay, Adobe or LinkedIn is breached, the stolen credentials are then tried against Rice systems.  From accessing restricted library journals to sending new phishing messages from Rice email accounts, the threat to Rice’s data and systems is very real.

Even eBay recommends against using the same password on multiple sites or accounts.

“In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too. The same password should never be used across multiple sites or accounts.”
http://www.ebayinc.com/in_the_news/story/ebay-inc-ask-ebay-users-change-passwords

Change Your NetID Password If You Haven’t in the Last Two Years

If you use your Rice NetID email address in external systems, be sure to use a different password than your Rice NetID password.  If you ever used your NetID password in an external system, including Google, Amazon, Facebook, Adobe, LinkedIn and eBay, and you have NOT changed that NetID password at Rice in the last two years, change your NetID password now.

The new MyNetID.rice.edu web site provides an easy way to manage your NetID password, but the Help Desk also assists Rice faculty, staff, students and retirees with their NetID questions.

Blacklists Block Spam

Wednesday, April 16th, 2014

The Rice email system compares server information in inbound email to blacklists, then blocks mail from known spam senders.

Blacklists are used to prevent spam (junk email messages) from entering an email system. At Rice, several blacklists are utilized to reduce spam traffic in the university’s email system. All Rice employees and students benefit from this blacklist service, but anyone who is concerned about missing important messages can opt out. Before you opt out of the blacklist spam blocking at Rice, remember that spam and phishing (email identity fraud and theft) messages make up 80-90% of all messages addressed to rice.edu email accounts.

Rice uses blacklists to block inbound spam, but blacklists have also been used to stop Rice email delivery to external addresses in the past. Two Rice email accounts were compromised and used to send heavy streams of spam, resulting in Rice being identified as a spam sender in 2013.  Major email service providers like AOL and Yahoo! blocked all messages sent from rice.edu addresses until the issue was resolved.  When Rice proved that the issue had been resolved, the email service providers began accepting rice.edu messages again, but getting off a blacklist takes 2-14 days, depending on the mail provider’s automated blocking period.

At Rice, using a blacklist service means that the address of the server delivering every incoming email message is compared to several open-source organizations’ blacklists, and the Rice email system accepts or rejects the message based on where it originated.

How Blacklists are Used at Rice

  1. Open source organizations maintain databases that track email servers that send spam messages or that are configured in such a way that they can be hijacked by spammers or used as a front for spam or phishing agents. These organizations publish the suspicious server addresses as blacklists.
  2. A software application protecting the Rice email system compares the address of the server delivering each incoming email message to the addresses on the blacklists.
  3. When an inbound email originates from an email server found on multiple blacklists, Rice refuses to accept the incoming message and returns it to the sender with an explanation of why it was blocked.
  4. ALLDEPTS, pres-fac, and other Rice-originated email messages do not go through the blacklist service because they originate within the Rice system and not outside of Rice.
  5. Spam identification tools such as DSPAM and SpamAssassin continue to rate the content of messages within the Rice system, placing ***SPAM*** tags on messages that have a high probability of being junk mail. These tools do not stop the delivery of messages and are not connected to the blacklist service in any way.
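Steps 1 through 3 above describe a DNS-based blacklist (DNSBL) check. The script below is an added illustration of how such a check is commonly implemented; it is not Rice IT’s code, and the zone names, the in-memory DNS table and the “reject when listed on two lists” policy are all constructed for the example. A DNSBL is queried by reversing the octets of the delivering server’s IPv4 address, appending the list’s zone, and asking DNS for an A record; an answer inside 127.0.0.0/8 means “listed”, no answer means “not listed”.

```python
"""DNSBL-style lookup of the delivering mail server's IP address (added example).

Reverse the IPv4 octets, append the list's zone, and ask for an A record:
    203.0.113.45 checked against zone bl.example-one.test
    -> query 45.113.0.203.bl.example-one.test
An answer in 127.0.0.0/8 means "listed"; no answer (NXDOMAIN) means "not listed".
"""
import ipaddress
from typing import Callable, List, Optional, Tuple

# Hypothetical zone names; real lists (and their return codes) differ.
ZONES = ["bl.example-one.test", "bl.example-two.test", "bl.example-three.test"]

# Constructed in-memory DNS table so the example runs offline.
# A missing key means NXDOMAIN.  The last entry imitates a parked or
# wildcarded zone that answers with a public address: that is NOT a listing.
FAKE_DNS = {
    "45.113.0.203.bl.example-one.test": "127.0.0.2",
    "45.113.0.203.bl.example-two.test": "127.0.0.2",
    "7.1.51.198.bl.example-three.test": "127.0.0.3",
    "10.2.0.192.bl.example-two.test": "198.51.100.5",
}

Resolver = Callable[[str], Optional[str]]


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for a real DNS A-record lookup."""
    return FAKE_DNS.get(name)


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the query name for ip under zone (IPv4 only in this example)."""
    addr = ipaddress.IPv4Address(ip)            # raises on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listing(answer: Optional[str]) -> bool:
    """Only answers in 127.0.0.0/8 count as listings.  Some services reserve
    127.255.255.0/24 for error codes (query refused, limits exceeded), which
    must not be read as a listing either."""
    if answer is None:
        return False
    try:
        a = ipaddress.IPv4Address(answer)
    except ValueError:
        return False
    return (a in ipaddress.IPv4Network("127.0.0.0/8")
            and a not in ipaddress.IPv4Network("127.255.255.0/24"))


def check_sender(ip: str, resolve: Resolver = fake_resolve, zones=ZONES) -> List[str]:
    """Return the zones on which the delivering server's IP is listed."""
    return [zone for zone in zones if is_listing(resolve(dnsbl_name(ip, zone)))]


def smtp_decision(ip: str, resolve: Resolver = fake_resolve, zones=ZONES,
                  min_hits: int = 2) -> Tuple[int, str, List[str]]:
    """Reject only when the server appears on at least min_hits lists; a single
    listing is treated as a hint for content scoring, not grounds for a bounce."""
    hits = check_sender(ip, resolve, zones)
    if len(hits) >= min_hits:
        return 550, f"5.7.1 Service unavailable; {ip} listed on {', '.join(hits)}", hits
    return 250, "OK", hits


if __name__ == "__main__":
    for ip in ["203.0.113.45", "198.51.1.7", "192.0.2.10"]:
        print(ip, smtp_decision(ip))
```

The 550 reply is what the sending server sees at SMTP time, which is the “explanation of why it was blocked” in step 3. Requiring two independent listings before rejecting, and ignoring answers outside 127.0.0.0/8, are the two checks that keep a single mistaken or abandoned list from bouncing legitimate mail.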

For assistance training your Rice DSPAM tool to more aggressively identify spam, contact the IT Help Desk (713.348.4357 or helpdesk@rice.edu)

Phishing and Spam peak on April 15

Tuesday, April 15th, 2014

Each year around April 15, August 15, and November 15 through January 15, Rice email accounts experience a peak in phishing.  Phishing messages attempt to steal personal information like passwords and financial data.  As the 2014 IRS annual tax filing deadline approaches, remember that up to 90% of the mail sent to your rice.edu address is phishing or spam.

Rice IT utilizes several tools and applications to reduce and manage spam sent to rice.edu email addresses.  Blacklists are used to prevent spam from entering the Rice email system.  SpamAssassin tags suspicious messages in the subject line, creating an easy, visual identifier for likely junk mail in an email inbox. DSPAM is an individual filtering tool that can identify likely spam messages and either tag them or hold them in a quarantine area for recipients to view later.  Email filters can also be applied at the local desktop level by individuals.

Spam = junk mail

Spam is junk email.  Like unwanted advertisements or announcements that arrive in postal mail, these unsolicited messages clog delivery systems and increase the number of messages a recipient must sort through in order to find legitimate mail.

Phishing = email fraud

Rice email servers process over a million email messages per day. Between 80% and 90% of that email can be defined as spam or phishing (electronic scams or fraud).  Email scams, commonly called phishing, attempt to elicit personal identity information or money from the recipient.   The sender usually poses as a legitimate-sounding business or organization representative, such as the Help Desk at Rice, or Chase Bank.  They may threaten to close the recipient’s account if the reader does not verify their account or respond in some other way.

Train DSPAM to recognize spam and phishing

DSPAM is an optional spam identification and quarantine or tagging tool. You can use it three different ways: quarantine, tag, or deliver messages.

  1. Quarantine suspicious messages – The spam identification tool does not have the capability to prevent delivery of messages to your Rice email account, but it CAN divert many suspicious messages into a quarantine area.  You just need to remember to review the quarantine queue at least once each week to train the tool to recognize more legitimate messages.
  2. Tag suspicious messages and deliver them to your inbox – Use this feature to send all messages to your inbox, but tag suspicious messages as a prefix to their subject lines.  These messages will have a subject line that begins with ***SPAM***.
  3. Deliver the message as usual but include the X-DSPAM-Result header – All messages are delivered to your inbox as usual.  Suspicious messages will include a special X-DSPAM-Result header.
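Option 3 is the one that lets a desktop or server-side filter make its own decision. The following is an added example, not Rice IT’s or the DSPAM project’s code, of a local filter that reads the DSPAM headers and reproduces the quarantine and tag behaviours itself. It assumes DSPAM writes an X-DSPAM-Result header with values such as “Spam” or “Innocent” and an X-DSPAM-Confidence header as a decimal between 0 and 1; the sample messages are constructed.

```python
"""Local mail filter driven by DSPAM's X-DSPAM-Result header (added example).

Policy:
  - no X-DSPAM-Result header        -> deliver untouched (DSPAM never saw it)
  - Result "Spam", high confidence  -> quarantine folder
  - Result "Spam", lower confidence -> deliver with ***SPAM*** subject tag
  - anything else                   -> deliver untouched
Header names/values are assumed from DSPAM's documented behaviour; check
your own DSPAM version.
"""
import email
from email import policy
from typing import Tuple

TAG = "***SPAM***"

# Constructed sample messages (not real mail).
MSG_HIGH = b"""From: "Help Desk" <helpdesk@example.test>
To: user@rice.edu
Subject: Verify your account now
X-DSPAM-Result: Spam
X-DSPAM-Confidence: 0.9912

Your mailbox will be closed unless you confirm your password here.
"""

MSG_LOW = b"""From: newsletter@example.test
To: user@rice.edu
Subject: Weekly digest
X-DSPAM-Result: Spam
X-DSPAM-Confidence: 0.6210

This week's links.
"""

MSG_CLEAN = b"""From: colleague@rice.edu
To: user@rice.edu
Subject: Lunch?
X-DSPAM-Result: Innocent
X-DSPAM-Confidence: 0.0007

Noon at the usual place?
"""

MSG_NO_HEADER = b"""From: colleague@rice.edu
To: user@rice.edu
Subject: Internal list mail

No DSPAM headers on this one.
"""


def route(raw: bytes, quarantine_at: float = 0.9) -> Tuple[str, str]:
    """Return (folder, subject) for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", "") or "")
    result = (msg.get("X-DSPAM-Result") or "").strip().lower()
    if result != "spam":
        return "INBOX", subject
    try:
        confidence = float(msg.get("X-DSPAM-Confidence", ""))
    except ValueError:
        confidence = None   # missing or malformed: tag, never silently quarantine
    if confidence is not None and confidence >= quarantine_at:
        return "Quarantine", subject
    if not subject.startswith(TAG):
        subject = f"{TAG} {subject}"
    return "INBOX", subject


if __name__ == "__main__":
    for name, raw in [("high", MSG_HIGH), ("low", MSG_LOW),
                      ("clean", MSG_CLEAN), ("no-header", MSG_NO_HEADER)]:
        print(name, route(raw))
```

The filter fails toward delivery: a message with a missing or unparseable confidence value is tagged rather than quarantined, so a broken header never makes mail disappear. Remember that any sender can add X-DSPAM-* headers to a message they originate, so rules like this should only be trusted on a path where your own DSPAM instance is the last system to touch the message.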

Instructions for setting up and training DSPAM are found in the Do-It-Yourself pages in docs.rice.edu.  If you are ready to review messages in your quarantine queue, log into DSPAM now.

If spam remains a nuisance, contact the Help Desk (713.348.4357 or helpdesk@rice.edu) for assistance in tuning DSPAM or other filters to more aggressively tag or quarantine suspicious messages.

Cybersecurity and Passwords at Rice

Friday, April 11th, 2014

Don't take your NetID shopping

On April 2, IT launched a campaign to increase awareness of password risks after the IT Security Office correlated a surge in attacks to NetID passwords stolen from external web sites. We asked Rice community members to consider the external web sites where they might have used their Rice NetID password to login. If their NetID had been used in an external web site and they had not changed their NetID password at Rice in the last year, IT asked them to change their NetID password.

Over 1,045 NetID passwords have been changed since the announcement went out.  IT will continue the campaign through May, to educate Rice faculty, staff, and students about the risks to Rice that result from using Rice login credentials – NetID email address and/or NetID passwords – on non-Rice web sites and applications.  The awareness campaign will continue through graduation and includes headlines about where not to take your NetID or how not to use your NetID.

Have an idea for the campaign?

If you have an idea for the “Don’t – NetID” campaign, please add it to the comments below.

Heartbleed Targets Secure Web Sites

Wednesday, April 9th, 2014

Several news agencies have reported on a serious, recently-discovered vulnerability affecting many websites on the Internet called ‘Heartbleed’.

The vulnerability is a bug in OpenSSL, the encryption library many web servers use for https connections between browsers and servers. It allows an attacker to read portions of the server’s memory, potentially including usernames, passwords and the server’s private encryption keys.

Rice IT Staff are working to identify and remedy affected servers. At this time none of our critical servers are affected. We have also taken other steps to protect potentially vulnerable hosts at our network border.

Although we do not currently have any indication that any Rice information has been compromised through this vulnerability, it existed for about two years before it was discovered. The IT Security Office recommends caution when using non-Rice sites to access sensitive personal information; questions about a particular site’s status should be directed to that site’s operators.

If you have any questions please contact the Help Desk: 713.348.4357 or helpdesk@rice.edu.

Visitor Project

Wednesday, April 9th, 2014

The Visitor Task Force testing software in March.

Visitors add value to the Rice community by filling vital roles. While visitors are important, Rice must also be cognizant of liabilities associated with having them on campus. To manage these liabilities, Rice has adopted a series of formal registration processes and operating procedures to regulate how the university extends privileges to long-term visitors who need a Rice ID card, campus parking sticker, building/lab access, or IT services.

The Rice Visitor Project is a collaboration of multiple departments across the campus, led by Renee Block, Director for Risk Management, and Arnaud Chevallier, Associate Vice Provost for Academic Affairs and Graduate Studies.  Representatives have been working on an acceptable process since 2011.  Under the direction of Paula Sanders and Kevin Kirby, the collaborating departments include OSR, Research Compliance, HR, EH&S, General Counsel, OISS, IT, Administrative Systems, Engineering and Natural Sciences.

The sponsor and visitor complete an electronic application, which is vetted by a one-over approver and then evaluated by the campus approving authorities. When a visitor request is approved, Banner notifies downstream privilege providers, and privileges are activated on the given start date. IT’s team built the web interface and approval workflow. Administrative Systems updated the Banner system and worked with the service providers. Thus far, the process for visitor service providers is in production; the process for academic visitors is still in discussion.

Intrusion Detection and Prevention

Friday, March 21st, 2014

After a series of cyber security attacks interrupted legitimate traffic to multiple Rice websites in the spring, IT’s Director for Enterprise Applications, Andrea Martin, worked with the IT Security Office to deflect future acts of aggression.

The security team had already begun watching traffic that approached and entered the Rice network. IT Security Analyst Albert Ball presented their findings in a meeting facilitated by Andrea Martin and Barry Ribbeck, IT’s Director for Systems, Architecture, Infrastructure, and Cloud Initiatives.  Rice community members invited to the presentation included representatives from departments with high-traffic websites, such as Development Resources, Public Affairs, and the Glasscock School of Continuing Studies.  The presentation included a same-day snapshot of detected attacks in progress. The detection system can distinguish between outright attacks and attempts to exploit a known vulnerability (usually one already patched in later releases of web browsers, operating systems and software applications, particularly Java).  Pastebin.com is a public text-sharing site that groups such as Anonymous and other attackers use to publicize vulnerabilities and compromises they have found.  Disclosing names and passwords, or lists of websites and servers that have been successfully exploited, allows other criminals to attack the same accounts, sites, and servers.

The presentation showed a list of websites hosted on Rice servers that had been posted on Pastebin only an hour or two before the meeting.  All the addresses shown had been hacked or subverted (for example, with traffic redirected to another site, say in Poland).  The presentation went on to depict where the current attacks were originating and how.  Multiple sources were combining in a brute-force attack on a single Rice address.  On a single day one week before the presentation, Rice saw 2,300 attacks, and each attack consisted of 300 attempts to reach a Rice address within milliseconds.  According to Ball, “We know these are automated attacks. Obviously, legitimate traffic can’t possibly enter 300 attempts on a single website in a matter of milliseconds. These are the kinds of attacks we can block. We have the ability to block known malicious attacks with a tool used by major corporations. This resource had been thoroughly vetted and it works.” With the approval of the department representatives, IT began implementing a procedure to block intrusions.
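The pattern Ball describes, hundreds of requests to one address within milliseconds from several sources, is detectable from ordinary web logs with a sliding time window. The script below is an added example of that detection logic, not the tool Rice IT adopted or any of its output. The log format, the hostnames, the source addresses and the 100-requests-in-500-ms threshold are all constructed for the example; a real deployment would tune the threshold to the site’s normal traffic.

```python
"""Burst detector for automated attacks on a web host (added example).

Alerts when a single target hostname receives at least `threshold` requests
inside any `window_ms`-wide sliding window, no matter how many source IPs
the requests come from.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed log format: "<iso-timestamp> <src-ip> <host> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, source_ip, host, path) or None for an unusable line."""
    m = LINE_RE.match(line)
    if not m:
        return None                       # malformed lines are skipped, not fatal
    try:
        ts = datetime.strptime(m.group(1), TS_FMT)
    except ValueError:
        return None
    return ts, m.group(2), m.group(3), m.group(4)


def detect(lines: List[str], threshold: int = 100, window_ms: int = 500) -> Dict[str, dict]:
    """One alert per target host, raised the first time the window fills."""
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r[0])      # logs may be slightly out of order
    window = timedelta(milliseconds=window_ms)
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for ts, src, host, _path in records:
        q = recent[host]
        q.append((ts, src))
        while q and ts - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {
                "count": len(q),
                "span_ms": int((ts - q[0][0]).total_seconds() * 1000),
                "sources": sorted({s for _, s in q}),
                "at": ts.isoformat(),
            }
    return alerts


def make_sample_log() -> List[str]:
    """Constructed sample: a minute of ordinary browsing plus one burst."""
    base = datetime(2014, 3, 14, 9, 12, 0, tzinfo=timezone.utc)

    def stamp(t: datetime) -> str:
        return t.strftime(TS_FMT)

    lines = []
    # ordinary browsing: 20 requests from ten addresses spread over a minute
    for i in range(20):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{stamp(t)} 192.0.2.{1 + i % 10} www.example-a.rice.test /index.html 200")
    # automated burst: 150 login attempts from three addresses, 1 ms apart
    attackers = ["198.51.100.7", "203.0.113.21", "203.0.113.22"]
    for i in range(150):
        t = base + timedelta(seconds=30, milliseconds=i)
        lines.append(f"{stamp(t)} {attackers[i % 3]} www.example-b.rice.test /wp-login.php 401")
    lines.append("corrupted line that the parser must tolerate")
    return lines


if __name__ == "__main__":
    for host, info in detect(make_sample_log()).items():
        print(host, info)
```

Counting per target rather than per source is what catches the distributed case in the presentation: each of the three constructed sources alone sends only 50 requests, but together they fill the window in under 100 ms, which no human-driven browsing does. The ordinary traffic to the other host never accumulates more than a handful of requests in any window and produces no alert.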